Add bridge mode networking#1463
Conversation
|
This is an early RFC of the feature. It requires the |
|
@torarnv Sorry for not getting back on the other issues yet, I have a large backlog.. 😆 But, what you point out is essentially why we haven't taken a stab at this yet. We'd have to figure out how we can go about the entitlement deficiencies and we hadn't explored too deeply. |
|
Thanks @dcantah! No rush, just wanted to try this out for myself locally, and for now this solves my immediate need 😄 But would be cool to upstream at some point! For the entitlement, I assume it won't be a problem to get it blessed for the releases 😉 So the challenge we have to solve is setting the GH release pipeline of this repo up with the right certs/profiles, and ensuring local devs do not pull the feature in accidentally. I don't know how the Homebrew formula is going to deal with it, but I guess they'd either need to pull the binary releases from this repo, or live without the bridged network feature. I'm happy to look further into this if you think there's a path forward for upstreaming this. Let me know if you have other comments/concerns with the code as is. Thanks! |
torarnv
force-pushed
the
add-bridge-mode-networking
branch
from
2aa9d21 to
4c81ffc
Compare
|
@torarnv I'm glad you took a crack at it. As Danny mentioned, we're going to be slammed this month with more basic work, so we won't be in a place where we can merge it soon. However, this change is an excellent architecture driver. We're in the midst of refactoring the network model to clean up the separation of concerns between client, API server, and network plugin (we're doing this for runtime as well). We need to work out the best way to represent configuration for different network modes, and this needs to work in a scenario where there are additional (builtin or third party) network plugins. Since you have an additional mode here, we can refine this PR and the main together to allow bridged mode to slot in cleanly. Let's start on that front. Once I have #1421 merged and make a few of the simpler network changes, let's sort out what the config model might like. We can either follow up in here on this, or back in #489. |
|
Totally understandable @jglogan ! 😅 Happy to use this PR as inspiration/discussion for how to do this properly at some point. Some random things that came to mind when working on this:
Let's discuss further when #1421 and related changes land 🤝 |
torarnv
force-pushed
the
add-bridge-mode-networking
branch
from
4c81ffc to
a6b9c06
Compare
- NetworkMode.bridge ("bridge") variant
- NetworkConfiguration.hostInterface for the host physical interface
- Attachment.ipv4Address and .ipv4Gateway made optional; bridge
attachments carry no pre-allocated IP (assigned via DHCP at runtime)
- Update all call sites and tests for optional IP fields
For each bridge attachment (ipv4Address == nil) at interface index n, append ip=:::::eth<n>:dhcp to the kernel cmdline before booting the VM. The kernel's built-in DHCP client (CONFIG_IP_PNP_DHCP=y) acquires the lease before userspace starts, so no DHCP binary is needed in the rootfs. We also pass the hostname to the DHCP server. getAllocatedAttachments() is moved before VZVirtualMachineManager creation so interface indices are known when the cmdline is finalized.
Implements the vmnet plugin side of bridge networking: a new BridgedVmnetNetwork actor that uses placeholder subnets (no IP pool), a .bridged Variant in the plugin helper, and bridge-aware allocation in NetworkService (MAC-only attachments, no allocator). The host interface name is forwarded to the runtime as XPC additional data.
Maps bridge network attachments to BridgedNetworkInterface by reading the host interface name from the XPC additional data payload forwarded by BridgedVmnetNetwork.
The entitlement requires an Apple-blessed provisioning profile, so it must not be included in default ad-hoc signed builds. Add a bridge-mode entitlements variant and select it via ENABLE_BRIDGE_NETWORKING=1. Builds without the entitlement that try to run containers with a bridge mode network will get an error: Using VZBridgedNetworkDeviceAttachment in a process that lacks the “com.apple.vm.networking” entitlement."
torarnv
force-pushed
the
add-bridge-mode-networking
branch
from
9be2ccb to
bc1144c
Compare
|
Please check out also the adoption of the PR on top of the current state of the main branch with added support for helper-based bridging support. This allows to avoid using the entitlement completely during development while also having the option to work directly with bridged networking (because I actually need it right now 😂). I imagine also that it is quite okay to have a less optimal performance during testing or even in general, e.g. in my current case where I just would simply bridge a container to a VLAN network interface, but Docker for Mac seems to basically obstruct people from using the features offered by the Virtualization Framework - or basically the entire VM (see also here, here and here - if someone is interested - had to take their entire virtualization service apart to set simple settings on the VM :-/). And this is exactly where container is amazingly different. See #1622 P.S.: @torarnv your idea with having the kernel negotiate the DHCP lease and then also retrieve the nameservers from there without having a dedicated DHCP client in the init container is really amazing. This is quite elegant and simple :) |
4 participants
Type of Change
Motivation and Context
Bridged networking can be useful for example for mDNS/Bonjour, LAN-visible services without port forwarding, or simply to have the LAN/router manage the IPs of the containers.
Fixes #489
Testing