diff --git a/docs/internals/boot.md b/docs/internals/boot.md
index 7f01c3fbf..9a426700b 100644
--- a/docs/internals/boot.md
+++ b/docs/internals/boot.md
@@ -15,3 +15,7 @@ both `node-ready` and `boot` are not actual services, but instead they are there
 - `zos-debug`: means zos is running in debug mode
 - `zos-debug-vm`: forces zos to think it's running on a virtual machine. used mainly for development
 - `disable-gpu`: if provided GPU feature will be disabled on that node
+- `vlan:pub`: set the vlan tag of the node private subnet.
+- `vlan:priv`: sets the vlan tag of the node public subnet.
+
+For more details of `VLAN` support in zos please read more [here](network/vlans.md)
diff --git a/docs/internals/network/readme.md b/docs/internals/network/readme.md
index 0d554dacb..a4e7427cf 100644
--- a/docs/internals/network/readme.md
+++ b/docs/internals/network/readme.md
@@ -5,4 +5,5 @@
 - [definitions of the vocabulary used in the documentation](definitions.md)
 - [Introduction to networkd, the network manager of 0-OS](introduction.md)
 - [Detail about the wireguard mesh used to interconnect 0-OS nodes](mesh.md)
-- [Documentation for farmer on how to setup the network of their farm](setup_farm_network.md)
\ No newline at end of file
+- [Documentation for farmer on how to setup the network of their farm](setup_farm_network.md)
+- [VLANS](vlans.md)
diff --git a/docs/internals/network/vlans.md b/docs/internals/network/vlans.md
new file mode 100644
index 000000000..3b0828041
--- /dev/null
+++ b/docs/internals/network/vlans.md
@@ -0,0 +1,81 @@
+# VLANS
+
+ZOS support vlans by allowing the farmer to setup vlan for both private and public subnets.
+
+By default zos uses untagged traffic for both priv and public subnets (for both single or dual nic nodes). In some data centers and cloud providers, they can only provide tagged subnets.
+
+ZOS can then become VLAN aware by providing optional vlan tags during booting.
+
+## Private VLAN
+
+Setting up private vlan forces zos to tag all private traffic with the configured vlan tag. This is possible by providing the `vlan:priv` kernel command line parameter
+
+> Example `vlan:priv=302` will tag all private traffic with VLAN id `302`
+
+During boot, zos tries to find the first interface that has ipv4 (over dhcp) normally all interfaces are probed until one of them actually get an IP. If a vlan ID is set, the probing also happen on the proper vlan, then the private default bridge (called `zos`) is then setup correctly with the proper vlan
+
+```
+ ┌────────────────────────────────────┐
+ │ NODE │
+ │ │
+ vlan 302 ┌────┴──┐ │
+───────────┤ Nic ├──────────┐ │
+ tagged └────┬──┘ │ │
+ │ ┌────┴─────┐ │
+ │ │ │ │
+ │ │ zos │ pvid 302 │
+ │ │ bridge ├──untagged │
+ │ │ │ │
+ │ │ │ │
+ │ └──────────┘ │
+ │ │
+ │ │
+ │ │
+ └────────────────────────────────────┘
+```
+
+## Public VLAN
+
+> NOTE: Public VLAN in ZOS is **only** supported in a single nic setup. There is no support in dual nic yet
+
+Setting up private vlan forces zos to tag all private traffic with the configured vlan tag. This is possible by providing the `vlan:pub` kernel command line parameter
+
+> Example `vlan:pub=304` will tag all private traffic with VLAN id `304`
+
+zos internally create a public bridge `br-pub` that can uses a detected ingress link (usually in dual nic setup) or shares
+the same link as `zos` bridge by connecting to `br-pub` via a veth pair.
+
+Single NIC setup
+
+```
+ ┌─────────────────────────────────────────────┐
+ │ │
+304 tagged ┌────┴─────┐ │
+───────────┤ NIC ├────────────┐ │
+ └────┬─────┘ │ │
+ │ │ │
+ │ ┌───────┴─────┐ │
+ │ │ │ │
+ │ │ zos │ │
+ │ │ bridge │ │
+ │ │ │ │
+ │ │ │ │
+ │ └───────┬─────┘ │
+ │ │ pvid 304 untagged │
+ │ │ │
+ │ │ │
+ │ ┌──────▼─────┐ │
+ │ │ │ │
+ │ │ br-pub │ │
+ │ │ bridge │ │
+ │ │ │ │
+ │ │ │ │
+ │ │ │ │
+ │ └────────────┘ │
+ │ │
+ └─────────────────────────────────────────────┘
+```
+
+## Dual NIC setup
+
+Right now public vlans are not supported in case of dual nic setups. So in case public network is only available on the second nic then it will always be untagged traffic. This means the `vlan:pub` flag is silently ignored
diff --git a/pkg/network/bridge/bridge.go b/pkg/network/bridge/bridge.go
index e59adb98c..e7a3230f8 100644
--- a/pkg/network/bridge/bridge.go
+++ b/pkg/network/bridge/bridge.go
@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 	"github.com/threefoldtech/zos/pkg/network/ifaceutil"
 	"github.com/threefoldtech/zos/pkg/network/options"
 	"github.com/vishvananda/netlink"
@@ -103,7 +104,11 @@ func vethName(from, to string) string {
 // a generated name
 func Attach(link netlink.Link, bridge *netlink.Bridge, vlan *uint16, name ...string) error {
 	if link.Type() == "device" {
-		return attachNic(link, bridge, vlan)
+		if vlan != nil {
+			log.Warn().Msg("vlan is not supported in dual nic setup")
+		}
+
+		return attachNic(link, bridge, nil)
 	} else if link.Type() == "bridge" {
 		linkBr := link.(*netlink.Bridge)
 		n := vethName(link.Attrs().Name, bridge.Name)
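Review bot: The new `vlan != nil` branch in `Attach` logs once and then discards the tag by passing `nil` to `attachNic`, so a farmer who configured `vlan:pub` gets the public uplink attached on the NIC's native/untagged VLAN — in a DC that only hands out tagged subnets that is a dead link at best and traffic on an unintended segment at worst, and the warning records neither which link nor which tag was dropped. At minimum make the warning actionable, `log.Warn().Str("link", link.Attrs().Name).Uint16("vlan", *vlan).Msg("vlan is not supported in dual nic setup")`, and consider returning an error instead of degrading silently, since the message is keyed on `link.Type() == "device"` rather than on an actual NIC count and a caller has no way to detect that its tag was ignored. The doc comment above `Attach` (which starts outside the hunk) should also state that `vlan` is honored only for bridge links via the veth path and is ignored for physical `device` links, so the code and the "silently ignored" wording in `vlans.md` agree. `Attach`'s body continues past the end of the hunk.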