[libvirt-users] KVM-Docker-Networking using TAP and MACVLAN

Lars Lindstrom lars.lindstrom at gmx.at
Wed Mar 13 22:40:51 UTC 2019


On 3/13/19 2:26 PM, Martin Kletzander wrote:
> IIUC, you are using the tap0 device, but it is not plugged anywhere. By that I
> mean there is one end that you created and passed through into the VM, but there
> is no other end of that.  I can think of some complicated ways to do what
> you are trying to, but hopefully the above explanation will move you forward and
> you'll figure out something better than what I'm thinking about right now.  What
> usually helps me is to think of a way this would be done with hardware and
> replicate that, as most of the technology is modelled after HW anyway.  Or
> someone else will have a better idea.
>
> Before sending it I just thought, wouldn't it be possible to just have a veth
> pair instead of the tap device?  One end would go to the VM and the other one
> would be used for the containers' macvtaps...

What I am trying to achieve is the most performant way to connect a set
of containers to the KVM while having proper isolation. As the Linux
bridge does not support port isolation, I started with 'bridge'
networking and MACVLAN using a VLAN for each container, but this comes
at the cost of bridging and the VLAN trunk on the KVM side. The simplest
(and hopefully therefore most performant) solution I could come up with
was using a 'virtio' NIC in the KVM, with a 'direct' connection in 'vepa'
mode to 'some other end' on the host, TAP in its simplest form, which
Docker then uses for its MACVLAN network.


I am not quite sure if I understood you correctly with the 'other end'.
With the given configuration I would expect that one end of the TAP
device is connected to the NIC in the KVM (and it actually is, it has an
IP address assigned in the KVM and is serving the web configurator) and
the other end is connected to the MACVLAN network of Docker. If this is
not how TAP works, how do I then provide a 'simple virtual NIC' which
has one end in the KVM itself and the other on the host (without using
bridging or the like)? I always thought that when using a 'bridge'
network libvirt does exactly that: it creates a TAP device on the host
and assigns it to a bridge.


According to the man page I have to specify both interfaces when
creating the 'vdev' device, but how would I do that on the host with one
end being in the KVM?



br Lars
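As an added example that is not part of this thread, the libvirt project or Docker, the script below wires up the veth pair Martin suggested: the VM gets a macvtap (libvirt 'direct' interface) on one end, and Docker builds its macvlan network on the other end. The macvlan is created in 'private' mode, which is the per-port isolation a Linux bridge does not offer: every container can reach the VM through the veth, but containers cannot talk to each other directly. Interface names (veth-vm, veth-ct), the 192.0.2.0/24 subnet and the network name vm-isolated are assumptions; the script only prints the commands unless DRY_RUN=0 is set, in which case it needs root and a running Docker daemon.

```shell
#!/bin/sh
# Added example, not code from the thread or from libvirt/Docker.
# Connect one VM to a set of Docker containers through a veth pair:
#   VM <-> macvtap on veth-vm <-> veth-ct <-> macvlan (private) <-> containers
set -eu

VM_END="${VM_END:-veth-vm}"        # lower device for the VM's macvtap (assumed name)
CT_END="${CT_END:-veth-ct}"        # parent device for Docker's macvlan (assumed name)
SUBNET="${SUBNET:-192.0.2.0/24}"   # RFC 5737 documentation range (assumed)
NET_NAME="${NET_NAME:-vm-isolated}" # Docker network name (assumed)
DRY_RUN="${DRY_RUN:-1}"            # 1: print commands, 0: execute them (needs root)

# Print the command under DRY_RUN, otherwise run it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One veth pair: a frame sent on VM_END arrives on CT_END and vice versa,
# so both ends are "plugged in" to each other without any bridge.
create_veth_pair() {
  run ip link add "$VM_END" type veth peer name "$CT_END"
  run ip link set "$VM_END" up
  run ip link set "$CT_END" up
}

# libvirt interface for the VM end. type='direct' makes libvirt create a
# macvtap on top of VM_END; mode='bridge' delivers frames to and from the
# lower device, which is all that is needed here because the other side
# of the pair is the macvlan parent. Paste into the domain (virsh edit).
render_domain_interface() {
  cat <<EOF
<interface type='direct'>
  <source dev='$VM_END' mode='bridge'/>
  <model type='virtio'/>
</interface>
EOF
}

# Docker macvlan on the container end. macvlan_mode=private blocks
# container-to-container traffic on the same parent while still passing
# frames to and from the parent (i.e. to and from the VM).
create_docker_network() {
  run docker network create -d macvlan \
    --subnet="$SUBNET" \
    -o parent="$CT_END" \
    -o macvlan_mode=private \
    "$NET_NAME"
}

# Check that the isolation option actually took effect on the network.
verify_isolation() {
  run docker network inspect -f '{{index .Options "macvlan_mode"}}' "$NET_NAME"
}

main() {
  create_veth_pair
  create_docker_network
  printf '%s\n' "# add this <interface> to the domain XML:"
  render_domain_interface
  printf '%s\n' "# expected to print: private"
  verify_isolation
}

main
```

With DRY_RUN=0 the VM must be given an address inside SUBNET (statically or by the containers' DHCP, which Docker does not provide for macvlan) and each container started with `--network vm-isolated`; `docker network inspect` should then report `private` for `macvlan_mode`, and a container will be able to reach the VM but not its neighbours.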
