Notes on migration to incus:
Setup: persistent containers/VMs of the kind used in enterprise systems (i.e. long-lived hosts, not Kubernetes-style workloads).
Note: it is recommended to set macaddress in the br0 definition to the actual MAC address of the physical interface; without it, Incus containers intermittently lose the ability to resolve names.
/etc/netplan/01-default-core.yaml

network:
  version: 2
  renderer: networkd
  ethernets:
    # opaque ID for physical interfaces with match rules
    # only referred to by other stanzas
    enp1s0:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces: [enp1s0]
      addresses: [X.Y.Z.W/24]
      dhcp4: false
      macaddress: <specify actual mac address>
      routes:
        - to: default
          via: X.Y.Z.1
      nameservers:
        search: [ottenheimer.com]
        addresses: [X.Y.Z.1]
      parameters:
        stp: true
        forward-delay: 4
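A small check for the macaddress caveat above, added here as an example (not part of the original notes): it pulls the macaddress value out of a netplan bridge stanza and rejects a missing value or a leftover placeholder such as "<specify actual mac address>". The two netplan documents embedded below are constructed samples with hypothetical addresses; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: audit a netplan bridge stanza for an explicit, well-formed MAC.
# Both YAML documents below are constructed samples, not a real host's config.
NETPLAN_GOOD='network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces: [enp1s0]
      addresses: [192.0.2.10/24]
      dhcp4: false
      macaddress: 52:54:00:12:34:56
      routes:
        - to: default
          via: 192.0.2.1
      parameters:
        stp: true
        forward-delay: 4'

# Same shape, but the placeholder from the notes was never replaced.
NETPLAN_BAD='network:
  version: 2
  bridges:
    br0:
      interfaces: [enp1s0]
      macaddress: <specify actual mac address>'

# bridge_macaddress <yaml-text> <bridge-name>
# Prints the macaddress value found inside the named bridge stanza, or nothing.
# Indentation is used to detect where the stanza ends (sufficient for netplan files).
bridge_macaddress() {
    printf '%s\n' "$1" | awk -v br="$2" '
        { match($0, /^ */); ind = RLENGTH }
        $1 == br":" { inbr = 1; brind = ind; next }
        inbr && ind <= brind && $0 !~ /^ *$/ { inbr = 0 }
        inbr && $1 == "macaddress:" { print $2; exit }
    '
}

# check_bridge_mac <yaml-text> <bridge-name>
# Returns 0 if the stanza pins a valid MAC (six colon-separated hex pairs), else 1.
check_bridge_mac() {
    mac=$(bridge_macaddress "$1" "$2")
    if [ -z "$mac" ]; then
        echo "br check: $2 has no macaddress set" >&2
        return 1
    fi
    if printf '%s\n' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo "br check: $2 pins MAC $mac"
        return 0
    fi
    echo "br check: $2 macaddress '$mac' is not a valid MAC" >&2
    return 1
}

# Demo run on the constructed samples.
check_bridge_mac "$NETPLAN_GOOD" br0
check_bridge_mac "$NETPLAN_BAD" br0 || echo "br check: placeholder rejected as expected"
```

To run it against a real host, replace the sample string with `"$(cat /etc/netplan/01-default-core.yaml)"`; the check only reads the file, so it is safe to run before `netplan apply`.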
Check that the host is using nftables rather than iptables by running "nft list ruleset"; you should get something like this:

$ sudo nft list ruleset
table inet incus {
	chain pstrt.incusbr0 {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.3.145.0/24 ip daddr != 10.3.145.0/24 masquerade
	}

	chain fwd.incusbr0 {
		type filter hook forward priority filter; policy accept;
		ip version 4 oifname "incusbr0" accept
		ip version 4 iifname "incusbr0" accept
	}

	chain in.incusbr0 {
		type filter hook input priority filter; policy accept;
		iifname "incusbr0" tcp dport 53 accept
		iifname "incusbr0" udp dport 53 accept
		iifname "incusbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		iifname "incusbr0" udp dport 67 accept
	}

	chain out.incusbr0 {
		type filter hook output priority filter; policy accept;
		oifname "incusbr0" tcp sport 53 accept
		oifname "incusbr0" udp sport 53 accept
		oifname "incusbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		oifname "incusbr0" udp sport 67 accept
	}
}
Creating a bridge network profile for machines exposed on the LAN, for Incus to attach to.
Creating VLAN 1 for the IaaS setup:

incus network create incusbr1 --type=bridge ipv4.address=10.X.Y.Z/24 ipv4.dhcp=false ipv6.address=none