VM Networking improvements #237
Comments
|
Solving this issue as well would be handy: #18 |
|
I've been looking at point 1, on making the ip addresses RFC1918 compliant. The easy way obviously would be to limit the vm_id generated to be limited to 4096 (assigning /24 networks out of 172.16.0.0/12 gives 12 bits to work with) and then modifying the guest_ip and host_ip functions in firecracker/microvm.py to f"172.{16 + self.vm_id // 256}.{self.vm_id % 256}.1". There are 2 issues with that:
I would propose as a solution to make two new settings, VM_ADDRESS_POOL and VM_NETWORK_SIZE. This would make everything more flexible on a host per host basis. However, this would mean passing those settings to the MicroVM class, which doesn't seem to be cleanest either. Therefor I would propose to move the calculation of the ip addresses out of firecracker/microvm.py and into functions called by the create_a_vm() function. This seems cleaner as the VM logic itself has no business determining the IP addresses, but should be a function in the supervisor anyway. Additionally, this would make it easier in the future when looking at using a single tap interface per user, as at that point more knowledge about other VMs is required to determine which IP address to hand out, which is clearly a supervisor task. |
|
That reads like the right way to go ! 👍 |
Since iptables is deprecated, a move to the replacement nftables was implemented in this change. This is in line with various network improvements that are ongoing as discussed in Issue aleph-im#237. The use of nftables will facilitate some future enhancements, especially related to IPv6 support. At the same time, this commit refactors all the networking and firewall code into its own package "network", as multiple packages were depending on making network changes. The new package is now an interface for all networking related tasks.
Since iptables is deprecated, a move to the replacement nftables was implemented in this change. This is in line with various network improvements that are ongoing as discussed in Issue aleph-im#237. The use of nftables will facilitate some future enhancements, especially related to IPv6 support. At the same time, this commit refactors all the networking and firewall code into its own package "network", as multiple packages were depending on making network changes. The new package is now an interface for all networking related tasks.
Since iptables is deprecated, a move to the replacement nftables was implemented in this change. This is in line with various network improvements that are ongoing as discussed in Issue aleph-im#237. The use of nftables will facilitate some future enhancements, especially related to IPv6 support. At the same time, this commit refactors all the networking and firewall code into its own package "network", as multiple packages were depending on making network changes. The new package is now an interface for all networking related tasks.
|
Did some research into sharing the tap interface between multiple hosts. As I understand it currently, this would require the tap interface to be set with the option multi_queue, but this currently is not supported by Firecracker: |
Refactor: Move from iptables to nft as iptables is deprecated Since iptables is deprecated, a move to the replacement nftables was implemented in this change. This is in line with various network improvements that are ongoing as discussed in Issue #237. The use of nftables will facilitate some future enhancements, especially related to IPv6 support. At the same time, this commit refactors all the networking and firewall code into its own package "network", as multiple packages were depending on making network changes. The new package is now an interface for all networking related tasks. Co-authored-by: Hugo Herter <[email protected]>
With contributions from @tomribbens
1. IP ranges used by VMs should be updated because they are not following RFC1918
2. Network configuration commands are changed from
iptablestonftPort forwarding - from a public IPv4 port on the host to a port on the guest
Dedicated issue: As a VM developer, I would like to talk with a VM using raw TCP sockets #148
Related: Feature: IPv4 port mapping could not be defined aleph-message#30
IPv6 access to every virtual machine
Dedicated issue: VMs don't have IPv6 access #221
A Wireguard VPN between virtual machines from the same user, across hosts.
Notes
Include (and improve) the cleanup of network configuration on VM stop and on supervisor crash/start.
The text was updated successfully, but these errors were encountered: