On 7/31/23 09:40, Boris Behrens wrote:
Try
--cap-add NET_ADMIN
and you should be allowed to modify the IPs inside of the container.
Hi,
sorry if this question is bad. You are allowed to flame me for this :)
I would like to create a container which is basically connected to two
separate VLANs and does some sort of bridging between them.
I also would like to be able to assign IP addresses from inside the
container, because I would like to assign IP addresses via keepalived.
The reason why I would like to do it that way is to reduce cross-traffic
between hosts.
I have three hosts that are attached to a public VLAN. All three
hosts have a public IP address, which needs to be assigned to another
host in case something goes wrong.
HAProxy picks up the request on the public VLAN and forwards it to the
underlying backend, which is in the same container. This backend talks
to a storage cluster via the private VLAN.
The container host is Ubuntu 20.04 with Podman 3.4.2.
What I did until now:
- create two additional networks [1]
- create a container [2]
But now I have the problem that I am not allowed to add an IP address
from inside the container [3]
I also don't know if I have a conceptual error in the whole thing,
because it is a strange thing to use containers as a VM replacement.
But currently I just don't know better.
Hope someone can help me.
---
A more in-depth description of what I am trying to solve:
I have a ceph cluster that serves s3 traffic via radosgw.
radosgw talks to all the physical disks in the cluster directly, so it
does the distribution of objects.
To do TLS termination, some basic HTTP header manipulation, and other
HTTP-related stuff, an HAProxy is sitting in front of the radosgw.
I don't want to have a public IP address directly on a storage host,
because misconfigurations happen and this is something I want to avoid.
So I thought I could spin up a container on some storage server, map
the public VLAN and the private storage VLAN into the container and
combine HAProxy and radosgw into one unit.
Now there is the problem with public availability. I want to use DNS
load balancing for the HAProxy. So every HAProxy gets its own public
IP address. But when one or more HAProxy instances fail (there are so
many things that can go south) I would like to add the IP address to
another container.
Here comes keepalived, which does VRRP from inside the containers, and
when a container stops announcing that it is available, another host spins
up the IP address and starts to serve it.
And because I am struggling with even those simple tasks, I don't want
to even try k8s/k3s. Also I think k8s/k3s have a lot of cross traffic
between the instances, which might kill the performance really hard.
---
[1]
$ podman network create --disable-dns --driver=macvlan -o parent=bond0.50 --subnet 10.64.1.0/24 public
$ podman network create --disable-dns --driver=macvlan -o parent=bond0.43 --subnet 10.64.2.0/24 management
[2]
$ podman run --detach --hostname=frontend-`hostname` --name frontend-`hostname -s` \
  --mount=type=bind,source=/opt/frontend/etc/haproxy,destination=/etc/haproxy,ro \
  --mount=type=bind,source=/opt/frontend/etc/ssl/frontend,destination=/etc/ssl/frontend,ro \
  --network=podman,public,management \
  -it ubuntu:20.04 /bin/bash
[3]
root@frontend-0cc47a6df14e:/# ip addr add 192.168.0.1/24 dev eth2
RTNETLINK answers: Operation not permitted
Best wishes
Boris
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io
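A pre-flight check for the "Operation not permitted" in [3], added here as an example and not part of the thread or of Podman or keepalived. `ip addr add` needs CAP_NET_ADMIN, and keepalived's VRRP raw sockets additionally need CAP_NET_RAW and CAP_NET_BROADCAST, so the script decodes the CapEff mask from /proc/self/status and names whatever is missing before the daemon is started, instead of letting keepalived fail on its first failover. The sample masks are computed from the capability bit numbers rather than captured from a host, and the assumption that the container starts with Podman's containers.conf default capability set is labelled in the comments; like the macvlan parent interfaces in [1], this presumes rootful Podman.

```shell
#!/bin/sh
# Added example, not from the thread: check that a container has the capabilities
# keepalived needs before it tries to add a VRRP address with `ip addr add`.
# Capability bit numbers are from <linux/capability.h>.
CAP_NET_BROADCAST=11
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap MASK BIT
# MASK is the hex value from the CapEff line of /proc/<pid>/status (with or
# without leading zeros); succeeds when capability BIT is in the effective set.
has_cap() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# current_capeff: effective capability mask of the calling shell, i.e. what a
# child `ip addr add ...` would run with.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# missing_keepalived_caps MASK: print the names of the capabilities keepalived
# needs (NET_ADMIN for address changes, NET_RAW and NET_BROADCAST for the VRRP
# raw sockets) that are absent from MASK, one per line.
missing_keepalived_caps() {
    for pair in "NET_ADMIN:$CAP_NET_ADMIN" "NET_RAW:$CAP_NET_RAW" \
                "NET_BROADCAST:$CAP_NET_BROADCAST"; do
        has_cap "$1" "${pair##*:}" || echo "${pair%%:*}"
    done
}

# keepalived_caps_ok MASK: succeed when nothing is missing.
keepalived_caps_ok() {
    [ -z "$(missing_keepalived_caps "$1")" ]
}

# cap_add_flags: the podman run flags that grant exactly those three capabilities,
# to be put in front of the `podman run ...` line from [2] in the thread.
cap_add_flags() {
    echo "--cap-add NET_ADMIN --cap-add NET_RAW --cap-add NET_BROADCAST"
}

# Constructed sample masks, computed from the bit numbers above (not captured from a host).
# Assumption: the container starts with Podman's containers.conf default capability set
# (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP,
# SETUID, SYS_CHROOT), which is mask 0x800405fb.
DEFAULT_CAPEFF=00000000800405fb
NET_ADMIN_CAPEFF=00000000800415fb    # defaults plus --cap-add NET_ADMIN
KEEPALIVED_CAPEFF=0000000080043dfb   # defaults plus NET_ADMIN, NET_RAW, NET_BROADCAST

# Run with "check" inside the container (e.g. as the first step of its entrypoint)
# to fail fast before keepalived or `ip addr add` does.
if [ "${1:-}" = "check" ]; then
    mask=$(current_capeff)
    if keepalived_caps_ok "$mask"; then
        echo "CapEff $mask: keepalived capabilities present"
    else
        echo "CapEff $mask: missing $(missing_keepalived_caps "$mask" | tr '\n' ' ')" >&2
        echo "start the container with: podman run $(cap_add_flags) ..." >&2
        exit 1
    fi
fi
```

Copy the script into the container image and run `sh check_caps.sh check` (the file name is an assumption) before keepalived starts; with only `--cap-add NET_ADMIN` it reports NET_RAW and NET_BROADCAST as missing, and a container started without any `--cap-add` reports all three, which is exactly the state behind the RTNETLINK error in [3].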