0

The end goal is to have a macvlan interface set up within a Podman container. I have the following Dockerfile

FROM docker.io/library/debian:bookworm-slim
RUN apt-get --yes install systemd
RUN systemctl set-default multi-user.target
CMD ["/lib/systemd/systemd"]

If I then run this in privileged mode (detached) and attach a shell to the running container (as root), I can set up a macvlan interface called macvlan1 on the default tap interface using iproute2:

# apt install iproute2
# ip link add macvlan1 link tap0 type macvlan mode bridge

However, I want to avoid this, and I think it should be possible using systemd-networkd, but I'm not having much luck. I've tried the following .network and .netdev files (which I have tested to work on my host machine):

### 99-test.network
[Match]
Name=tap0

[Network]
MACVLAN=macvlan1

### 99-test.netdev
[Match]
# Empty

[NetDev]
Name=macvlan1
Kind=macvlan

[MACVLAN]
Mode=bridge

I update my Dockerfile like so:

FROM docker.io/library/debian:bookworm-slim
COPY 99-test.network /lib/systemd/network
COPY 99-test.netdev /lib/systemd/network
RUN apt-get --yes install systemd
RUN systemctl set-default multi-user.target
RUN systemctl enable systemd-networkd
CMD ["/lib/systemd/systemd"]

But when I start up the container, I see no macvlan interface created. If I look at the output of systemctl status systemd-networkd there are no logs or error messages suggesting that it's attempted to read the .network and .netdev files. The only clue I have is that when I run networkctl on my host machine, it shows the physical interfaces as unmanaged in the SETUP column whereas in the container, it shows all interfaces as pending (including for a manually-created macvlan interface).

Is what I'm trying to do possible with systemd in Podman? If not, why not?

Improve this question
2
  • 1
    A setup running systemd and trying to manually manage the network configuration sounds much more like a virtual machine to me; a Docker container is normally a wrapper around only a single process, and the container runtime normally manages the entire network environment (and a lot of other things systemd normally tries to handle). Would a VM better meet your needs here? Commented Oct 31, 2023 at 11:20
  • I am aware that I'm abusing Docker containers a bit here. Thanks for your advice. but a VM is too heavyweight for me. Commented Oct 31, 2023 at 11:40

2 Answers 2

Reset to default
0

You can set up a --driver macvlan network (configurable with --options) outside the container as a podman network. Then "plug it in" to the podman container with --network <name>.

To avoid manual setup steps, see also Podman Quadlet usage with [Container] Network=<name>.network and [Network] Driver=macvlan for augmented systemd unit files. (Note that Quadlet *.network units are completely separate from systemd-networkd *.network files.)

This way Podman resources and unit files are set up on the host, keeping the container light-weight. There is no need to install systemd in the container, which would then become "too heavy".

Also consider running the container and macvlan network in rootless mode, either as yourself or as systemd services from a separate unprivileged loginctl enable-linger user.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

If you want something medium-weight, between virtual machine and container, consider systemd-nspawn. Can be used to spawn "machines" from full distribution images, or minimal directories. With the machine in place, you can run individual commands, shells, or perform a full --boot.

This solution sets up and manages network interfaces from the host. You can spawn a new machine with --network-macvlan=<device> to create a separate network.

Control the machine with machinectl. You can machinectl enable to autostart [email protected], which implies --boot.

Spawning a machine which uses systemd as PID 1 allows certain synergies. You can then use other systemd tools with --machine directly from the host machine. One example is systemctl --machine: sudo systemctl --machine my-user@my-machine status.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.