
Allow containers to be on multiple networks
Open, Wishlist · Public · FEATURE REQUEST

Description

Currently VyOS is limited to putting a container on 1 network:

yzguy@test# compare
[container name]
+ test {
+     arguments "tail -f /dev/null"
+     image "docker.io/library/debian:12"
+     network NET1 {
+     }
+     network NET2 {
+     }
+ }

[edit]
yzguy@test# commit
[ container ]
Only one network can be specified for container "test"!

[[container]] failed
Commit failed

It's completely possible to do this in podman now; unsure what version it was added in:

yzguy@test# sudo dpkg -l podman
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version             Architecture Description
+++-==============-===================-============-==========================================
ii  podman         4.3.1+ds1-8+deb12u1 amd64        engine to run OCI-based containers in Pods

yzguy@test# run show version
Version:          VyOS 1.5-rolling-202407171706

podman run -d --name=test --network NET1 --network NET2 debian:12 tail -f /dev/null
podman exec -it test bash
apt update && apt install iproute2
 
root@f8713834b9ea:/# ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0@if22        UP             169.254.12.5/24 fd00:169:254:c::5/64 fe80::44e0:12ff:fe59:ca5e/64
eth1@if24        UP             10.0.12.4/24 fd00:0:c0de:c::4/64 fe80::7:6bff:feaa:f81c/64

root@f8713834b9ea:/# ip -br route
default via 10.0.12.1 dev eth1 proto static metric 100
default via 169.254.12.1 dev eth0 proto static metric 100
10.0.12.0/24 dev eth1 proto kernel scope link src 10.0.12.4
169.254.12.0/24 dev eth0 proto kernel scope link src 169.254.12.5

Now one issue that will come up is that the container will get a default route from both interfaces, so it will load balance across them, so we likely need a mechanism to modify the metric and/or disable the default route on a network in a container. I'm sure there are other "duplicate" issues that might come up as well, e.g. DNS resolvers, that may have to be addressed.

root@f8713834b9ea:/# ip route get 1.1.1.1
1.1.1.1 via 10.0.12.1 dev eth1 src 10.0.12.4 uid 0
    cache
root@f8713834b9ea:/# ip route get 1.1.1.1
1.1.1.1 via 169.254.12.1 dev eth0 src 169.254.12.5 uid 0
    cache
root@f8713834b9ea:/# ip route get 1.1.1.1
1.1.1.1 via 10.0.12.1 dev eth1 src 10.0.12.4 uid 0
    cache

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Feature (new functionality)
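
The equal-metric default routes visible in the ticket's `ip -br route` output can be detected mechanically from inside a multi-network container. The script below is an added example, not part of the ticket or of VyOS; the function names and the metric-200 sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag default routes that share a metric, i.e. the condition
# under which the container alternates between next hops as in the ticket.
# Reads `ip route` / `ip -br route` text on stdin.
# Prints "metric <m>: <dev>,<dev>..." per ambiguous metric; returns 1 if any.
dup_default_routes() {
    awk '
        $1 == "default" {
            dev = "?"; metric = 0      # the kernel omits "metric" when it is 0
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            count[metric]++
            devs[metric] = (count[metric] > 1) ? devs[metric] "," dev : dev
        }
        END {
            for (m in count)
                if (count[m] > 1) { printf "metric %s: %s\n", m, devs[m]; bad = 1 }
            exit bad + 0
        }
    '
}

# Routing table copied from the ticket (two defaults, both metric 100).
sample_routes() {
    cat <<'EOF'
default via 10.0.12.1 dev eth1 proto static metric 100
default via 169.254.12.1 dev eth0 proto static metric 100
10.0.12.0/24 dev eth1 proto kernel scope link src 10.0.12.4
169.254.12.0/24 dev eth0 proto kernel scope link src 169.254.12.5
EOF
}

# Constructed sample: same table with distinct metrics, so one default wins.
fixed_routes() {
    cat <<'EOF'
default via 10.0.12.1 dev eth1 proto static metric 100
default via 169.254.12.1 dev eth0 proto static metric 200
10.0.12.0/24 dev eth1 proto kernel scope link src 10.0.12.4
169.254.12.0/24 dev eth0 proto kernel scope link src 169.254.12.5
EOF
}

# Stand-alone run: report on the ticket's table without failing the script.
sample_routes | dup_default_routes || true
```

Inside a running container the same check would be `ip route | dup_default_routes`.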