@brianredbeard
Last active July 19, 2023 19:25
fedora public bridge configs

Container / VM Bridging

About

Traditionally, virtual machines and containers are exposed on a bridge which is available only behind a single IP address, hidden behind network/port address translation (NAT/PAT). This is, in general, an acceptable practice, but it leads to configuration challenges when testing out technologies like network booting of hosts, firewalling, equal-cost multipath, etc.

This configuration will allow a user to move the IP address of the host to an internal bridge and put containers and VMs on this same bridge, giving these assets layer 2 access to the outside network. The containers/VMs will not have the "normal" utilities for address configuration and will use the same process that the underlying host would for IP address management (IPAM). This is to say that if the host uses DHCP, the containers should have DHCP available. If the host utilizes static addressing, the guests will likely need to do the same.

Visualization

Below is a diagram showing a sample configuration. In this example, the conventional (NAT) configuration is on the left-hand side while the bridged configuration is on the right. In the bridged case, the guest on the right-hand side may use an address within the same subnet as the underlying host, as it is in the same broadcast domain.

https://i.imgur.com/FsylAt0.png

Configuration Mechanisms

ifcfg files

On systems which use sysconfig-style configuration files, use the example files below whose names carry the prefix sysconfig-, placed in the path /etc/sysconfig/network-scripts/. These files will create an in-kernel virtual bridge named br0. To this bridge, a physical NIC named enp2s0 will be attached.

systemd-networkd units

On systems which use systemd-networkd, configuration can be completed using the example config files below whose names carry the prefix networkd-, placed in the path /etc/systemd/network/. These files will create a netdev device (layer 2) for the in-kernel bridge br0, attach the device enp1s0 (layer 2) to the bridge br0, and finally assign an IP address to the device br0 (layer 3).

Gotchas

As you are connecting a (virtual) switch to an upstream switch port, care must be taken to avoid switching loops. This is why spanning tree is configured on br0 with a high priority value (which in STP terms means a low priority), so that the device does not become the root bridge of the network. Likewise, configuring bonding/teaming across multiple network interfaces for this setup is possible, but should be done carefully.

# /etc/systemd/network/00_br0.netdev
[Match]
[NetDev]
Name=br0
Kind=bridge

# /etc/systemd/network/01_enp1s0.network
[Match]
Name=enp1s0
[Network]
Bridge=br0
IPv6AcceptRouterAdvertisements=no

# /etc/systemd/network/02_br0.network
[Match]
Name=br0
[Network]
Address=192.168.1.10/24
Gateway=192.168.1.1
DNS=8.8.8.8
DNS=8.8.4.4
Address=2001::192/64
Gateway=2001::1
DNS=2001:4860:4860::8888
DNS=2001:4860:4860::8844

# /etc/sysconfig/network-scripts/ifcfg-br0
# Virtual interface which will serve as the addressable ethernet interface for the host
NAME=br0
DEVICE=br0
UUID=25568cad-af6d-456d-a6c4-6607427a2d31
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
STP=yes
#IPV6ADDR_SECONDARIES=2001::192/64
ZONE=FedoraWorkstation
DELAY=2
BRIDGING_OPTS=priority=32768
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

# /etc/sysconfig/network-scripts/ifcfg-enp0s0
# Replace this with your actual mac address
HWADDR=52:54:00:02:7c:88
TYPE=Ethernet
NAME=enp2s0
UUID=4d31208d-999e-4821-9d0a-a186cf67bf77
ONBOOT=yes
BRIDGE=br0
AUTOCONNECT_PRIORITY=-999
ZONE=trusted
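A small lint for the switching-loop gotcha above, applied to the sysconfig files: it checks that the bridge file has STP on with a priority no lower than the 802.1D default, and that the NIC file is a pure layer 2 port with no addressing of its own. This is an added example, not part of the gist; the key names it reads (TYPE, STP, BRIDGING_OPTS, BRIDGE, BOOTPROTO, IPADDR) are the ones used in the files above, and the sample files are constructed inline.

```shell
#!/bin/sh
# Lint sysconfig bridge files for the switching-loop gotcha. Added example,
# not from the gist; the key names assumed are those shown on the page.

# Print the last uncommented KEY=value for key $2 in ifcfg file $1.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Print the N from priority=N inside BRIDGING_OPTS (space-separated options).
bridge_priority() {
    ifcfg_get "$1" BRIDGING_OPTS | tr ' ' '\n' | sed -n 's/^priority=//p'
}

# 0 if the bridge file has STP enabled and a priority no lower than the 802.1D
# default (32768), so the host cannot outrank an upstream switch that keeps the
# default. Ties are broken by the lowest MAC, so a larger value is safer still.
check_bridge_file() {
    f=$1
    [ "$(ifcfg_get "$f" TYPE)" = Bridge ] || { echo "$f: TYPE is not Bridge"; return 1; }
    [ "$(ifcfg_get "$f" STP)" = yes ] || { echo "$f: STP is not enabled"; return 1; }
    p=$(bridge_priority "$f")
    [ -n "$p" ] || { echo "$f: no priority= in BRIDGING_OPTS"; return 1; }
    [ "$p" -ge 32768 ] || { echo "$f: priority $p may make this host the root bridge"; return 1; }
}

# 0 if the NIC file is a pure layer-2 port of bridge $2: attached to it and
# carrying no addressing of its own (addresses belong on the bridge).
check_port_file() {
    f=$1
    [ "$(ifcfg_get "$f" BRIDGE)" = "$2" ] || { echo "$f: not attached to $2"; return 1; }
    [ -z "$(ifcfg_get "$f" IPADDR)" ] || { echo "$f: IPADDR belongs on $2"; return 1; }
    case "$(ifcfg_get "$f" BOOTPROTO)" in
        ''|none) ;;
        *) echo "$f: BOOTPROTO belongs on $2"; return 1 ;;
    esac
}

# Constructed samples: a good pair using the page's values and a bad pair. Prints the dir.
make_samples() {
    d=$(mktemp -d)
    printf 'TYPE=Bridge\nSTP=yes\nBRIDGING_OPTS=priority=32768\n' > "$d/ifcfg-br0"
    printf 'TYPE=Ethernet\nBRIDGE=br0\nONBOOT=yes\n' > "$d/ifcfg-enp2s0"
    printf 'TYPE=Bridge\nSTP=yes\nBRIDGING_OPTS=priority=4096\n' > "$d/ifcfg-br0-bad"
    printf 'TYPE=Ethernet\nBRIDGE=br0\nBOOTPROTO=dhcp\n' > "$d/ifcfg-enp2s0-bad"
    echo "$d"
}

d=$(make_samples)
check_bridge_file "$d/ifcfg-br0" && check_port_file "$d/ifcfg-enp2s0" br0 && echo "bridge config OK"
```

Run it against the real files by calling check_bridge_file /etc/sysconfig/network-scripts/ifcfg-br0 and check_port_file on the NIC file with br0 as the second argument.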