systemd-networkd

systemd-networkd 是一個管理網絡配置的系統守護進程。它會在網絡設備出現時檢測和配置它們；它還可以創建虛擬網絡設備。這個服務非常適合於為 systemd-nspawn 管理的容器或者虛擬機創建複雜的網絡配置。如果只是簡單網絡的配置，它也同樣能勝任。

This setup will enable a DHCP IP for both a wired and wireless connection making use of the metric directive to allow the kernel to decide on-the-fly which one to use. This way, no connection downtime is observed when the wired connection is unplugged.

The kernel's route metric (same as configured with ip) decides which route to use for outgoing packets, in cases when several match. This will be the case when both wireless and wired devices on the system have active connections. To break the tie, the kernel uses the metric. If one of the connections is terminated, the other automatically wins without there being a gap with nothing configured (ongoing transfers may still not deal with this nicely but that is at a different OSI layer).

注意： The Metric option is for static routes while the RouteMetric option is for setups not using static routes. See systemd.network(5) for more details.

/etc/systemd/network/20-wired.network

[Match]
Name=enp1s0

[Network]
DHCP=ipv4

[DHCP]
RouteMetric=10

/etc/systemd/network/25-wireless.network

[Match]
Name=wlp2s0

[Network]
DHCP=ipv4

[DHCP]
RouteMetric=20

網絡接口重命名[編輯 | 編輯原始碼]

作為更改設備名稱的替代方案，systemd 使用.link文件用於接口重命名。常見的例子是基於 MAC 地址給一個 USB 接口以太網適配器設置一個可預見的接口名稱。這類設備依其連接到不同 USB 接口而具有不同的接口名稱。

/etc/systemd/network/10-ethusb0.link

[Match]
MACAddress=12:34:56:78:90:ab

[Link]
Description=USB to Ethernet Adapter
Name=ethusb0

注意： 任何由用户提供的.link文件名必須是依字典順序先於默認配置文件名99-default.link才能生效。例如，必須是10-ethusb0.link而不能是 ethusb0.link。

配置文件[編輯 | 編輯原始碼]

配置文件位於 /usr/lib/systemd/network，非持久化的運行時網絡配置目錄位於 /run/systemd/network ，本地管理網絡配置位於 /etc/systemd/network。/etc/systemd/network 中的配置文件具有最高優先級。

配置文件有三類。它們均使用類似於 systemd 單元文件的格式。

.network 文件，為匹配的設備提供一個網絡配置
.netdev 文件，為匹配的環境創建一個虛擬網絡設備
.link 文件，當網絡設備出現時，udev 將查找第一個匹配的.link文件

它們均遵循下列規則：

如果位於[Match]小節的全部條件相匹配，配置項將被激活
一個空的[Match]小節意味着配置項適用任何情況（相當於*通配符）
所有配置文件將按字典順序集中保存和處理，不管它們在目錄中的實際順序如何。
同名文件將彼此替換

提示：

要永久覆蓋 /usr/lib/systemd/network 中系統提供的文件（即升級之後仍覆蓋），請在 /etc/systemd/network 中放置一個具有相同名稱的文件並將其符號連結到 /dev/null
星號（*）通配符可以在 VALUE 中使用（例如 en* 將匹配任何以太網設備），布爾值可以簡單地寫為 yes 或 no。
根據這個線索的討論，最佳實踐是 to setup specific container network settings inside the container with networkd configuration files.
Systemd 使用1, true, yes, on作為邏輯「真」值，0, false, no, off作為邏輯「假」值

network 文件[編輯 | 編輯原始碼]

這類文件用於設置網絡配置變量，尤其適用於伺服器和容器。

.network文件含有下列小節：[Match]、[Link]、[Network]、[Address]、[Route]以及[DHCP]。下列為每小節的通用配置。詳情及範例請參閱systemd.network(5)。

[Match] 小節[編輯 | 編輯原始碼]

MACAddress= 由空白字符分割的網卡硬件地址列表
Name= 由空白字符分割的設備名列表，可以包含集合字符（如：en*）。使用前綴字符!禁用列表中的名字。
Host= 機器的主機名
Virtualization= 檢查系統是否運行於虛擬化環境。Virtualization=no選項值表示僅應用於物理主機，Virtualization=yes選項值表示應用於任何容器或虛擬機。

[Link] 小節[編輯 | 編輯原始碼]

MACAddress= useful for MAC address spoofing
MTUBytes= setting a larger MTU value (e.g. when using jumbo frames) can significantly speed up your network transfers
Multicast allow the usage of multicast on interface(s)

[Network] 小節[編輯 | 編輯原始碼]

參數	説明	值類型	默認值
`DHCP=`	Controls DHCPv4 and/or DHCPv6 client support.	boolean, `ipv4`, `ipv6`	`false`
`DHCPServer=`	If enabled, a DHCPv4 server will be started.	boolean	`false`
`MulticastDNS=`	Enables multicast DNS support. When set to `resolve`, only resolution is enabled, but not host or service registration and announcement.	boolean, `resolve`	`false`
`DNSSEC=`	Controls DNSSEC DNS validation support on the link. When set to `allow-downgrade`, compatibility with non-DNSSEC capable networks is increased, by automatically turning off DNSSEC in this case.	boolean, `allow-downgrade`	`false`
`DNS=`	Configure static DNS addresses. May be specified more than once.	`inet_pton`
`Domains=`	A list of domains which should be resolved using the DNS servers on this link. more information	domain name, optionally prefixed with a tilde (`~`)
`IPForward=`	If enabled, incoming packets on any network interface will be forwarded to any other interfaces according to the routing table.	boolean, `ipv4`, `ipv6`	`false`
`IPv6PrivacyExtensions=`	Configures use of stateless temporary addresses that change over time (see RFC 4941). When `prefer-public`, enables the privacy extensions, but prefers public addresses over temporary addresses. When `kernel`, the kernel's default setting will be left in place.	boolean, `prefer-public`, `kernel`	`false`

[Address] 小節[編輯 | 編輯原始碼]

Address= 這個選項必選，除非使用了 DHCP。

[Route] 小節[編輯 | 編輯原始碼]

Gateway= 這個選項必選，除非使用了 DHCP
Destination= 路由的目的地前綴，可能後接一個斜線字符和前綴長度

如果Destination選項沒有出現在[Route]小節，本節將視為默認路由。

提示：如果[Address]小節僅包含 Address 選項值並且[Route]小節僅包含 Gateway 選項值，可以把這兩項放在[Network]小節中以簡化配置。

[DHCP] 小節[編輯 | 編輯原始碼]

參數	説明	值類型	默認值
`UseDNS=`	controls whether the DNS servers advertised by the DHCP server are used	布爾值	`true`
`Anonymize=`	when true, the options sent to the DHCP server will follow the RFC7844 (Anonymity Profiles for DHCP Clients) to minimize disclosure of identifying information	布爾值	`false`
`UseDomains=`	controls whether the domain name received from the DHCP server will be used as DNS search domain. If set to `route`, the domain name received from the DHCP server will be used for routing DNS queries only, but not for searching. This option can sometimes fix local name resolving when using systemd-resolved	布爾值，`route`	`false`

netdev 文件[編輯 | 編輯原始碼]

這類文件將創建虛擬網絡設備。包含兩個小節：[Match] 和 [NetDev]。下列為每小節的通用配置。詳情及範例請參閱systemd.netdev(5)。

[Match] 小節[編輯 | 編輯原始碼]

Host= 主機名
Virtualization= 檢查是否運行於虛擬機中

[NetDev] 小節[編輯 | 編輯原始碼]

最通用的配置為：

Name= 接口名稱。必須提供
Kind= 例如：bridge, bond, vlan, veth, sit，等等。必須提供

link 文件[編輯 | 編輯原始碼]

These files are an alternative to custom udev rules and will be applied by udev as the device appears. They have two sections: [Match] and [Link]. Below are commonly configured keys for each section. See systemd.link(5) for more information and examples.

提示：Use # udevadm test-builtin net_setup_link /sys/path/to/network/device to diagnose problems with .link files.

[Match] 小節[編輯 | 編輯原始碼]

MACAddress= the MAC address
Host= the host name
Virtualization=
Type= the device type e.g. vlan

[Link] 小節[編輯 | 編輯原始碼]

MACAddressPolicy= persistent or random addresses, or
MACAddress= a specific address

注意： the system /usr/lib/systemd/network/99-default.link is generally sufficient for most of the basic cases.

容器下的應用[編輯 | 編輯原始碼]

The service is available with systemd^包. You will want to enable and start the systemd-networkd.service unit on the host and container.

For debugging purposes, it is strongly advised to 安裝 the bridge-utils^包, net-tools^包, and iproute2^包 packages.

If you are using systemd-nspawn, you may need to modify the systemd-nspawn@.service and append boot options to the ExecStart line. Please refer to systemd-nspawn(1) for an exhaustive list of options.

Note that if you want to take advantage of automatic DNS configuration from DHCP, you need to enable systemd-resolved and symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf. See systemd-resolved.service(8) for more details.

Before you start to configure your container network, it is useful to:

disable all your netctl (host and container), dhcpcd (host and container), systemd-networkd (container only) and systemd-nspawn@.service (host only) services to avoid potential conflicts and to ease debugging
make sure packet forwarding is enabled if you want to let containers access the internet. Make sure that your .network file does not accidentally turn off forwarding because if you do not have a IPForward=1 setting in it, systemd-networkd will turn off forwarding on this interface, even if you have it enabled globally.
make sure you do not have any iptables rules which can block traffic
when the daemon is started the systemd networkctl command displays the status of network interfaces.

For the set-up described below,

we will limit the output of the ip a command to the concerned interfaces
we assume the host is your main OS you are booting to and the container is your guest virtual machine
all interface names and IP addresses are only examples

基本 DHCP 網絡[編輯 | 編輯原始碼]

This setup will enable a DHCP IP for host and container. In this case, both systems will share the same IP as they share the same interfaces.

/etc/systemd/network/MyDhcp.network

[Match]
Name=en*

[Network]
DHCP=ipv4

Then, enable and start systemd-networkd.service on your container.

You can of course replace en* by the full name of your ethernet device given by the output of the ip link command.

on host and container:

$ ip a

2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.72/24 brd 192.168.1.255 scope global enp7s0
       valid_lft forever preferred_lft forever
    inet6 fe80::16da:e9ff:feb5:7a88/64 scope link 
       valid_lft forever preferred_lft forever

By default, hostname received from the DHCP server will be used as the transient hostname.

To change it add UseHostname=false in section [DHCPv4]

/etc/systemd/network/MyDhcp.network

[DHCPv4]
UseHostname=false

If you did not want to configure a DNS in /etc/resolv.conf and want to rely on DHCP for setting it up, you need to enable systemd-resolved.service and symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf

# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

See systemd-resolved.service(8) for more details.

注意： Users accessing a system partition via /usr/bin/arch-chroot from arch-install-scripts^包, will need to create the symlink outside of the chroot, on the mounted partition. This is due to arch-chroot linking the file to the live environment.

DHCP 用於兩個獨立 IP[編輯 | 編輯原始碼]

橋接端口[編輯 | 編輯原始碼]

First, create a virtual bridge interface. We tell systemd to create a device named br0 that functions as an ethernet bridge.

/etc/systemd/network/MyBridge.netdev

[NetDev]
Name=br0
Kind=bridge

Restart systemd-networkd.service to have systemd create the bridge.

On host and container:

$ ip a

3: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether ae:bd:35:ea:0c:c9 brd ff:ff:ff:ff:ff:ff

Note that the interface br0 is listed but is still DOWN at this stage.

綁定以太網到橋接端口[編輯 | 編輯原始碼]

The next step is to add to the newly created bridge a network interface. In the example below, we add any interface that matches the name en* into the bridge br0.

/etc/systemd/network/bind.network

[Match]
Name=en*

[Network]
Bridge=br0

The ethernet interface must not have DHCP or an IP address associated as the bridge requires an interface to bind to with no IP: modify the corresponding /etc/systemd/network/MyEth.network accordingly to remove the addressing.

橋接網絡[編輯 | 編輯原始碼]

Now that the bridge has been created and has been bound to an existing network interface, the IP configuration of the bridge interface must be specified. This is defined in a third .network file, the example below uses DHCP.

/etc/systemd/network/mybridge.network

[Match]
Name=br0

[Network]
DHCP=ipv4

添加選項以引導容器[編輯 | 編輯原始碼]

As we want to give a separate IP for host and container, we need to Disconnect networking of the container from the host. To do this, add this option --network-bridge=br0 to your container boot command.

# systemd-nspawn --network-bridge=br0 -bD /path_to/my_container

成果[編輯 | 編輯原始碼]

在宿主機上

$ ip a

3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.87/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::16da:e9ff:feb5:7a88/64 scope link 
       valid_lft forever preferred_lft forever
6: vb-MyContainer: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether d2:7c:97:97:37:25 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d07c:97ff:fe97:3725/64 scope link 
       valid_lft forever preferred_lft forever

在容器中

$ ip a

2: host0: <BROADCAST,MULTICAST,ALLMULTI,AUTOMEDIA,NOTRAILERS,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 5e:96:85:83:a8:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.73/24 brd 192.168.1.255 scope global host0
       valid_lft forever preferred_lft forever
    inet6 fe80::5c96:85ff:fe83:a85d/64 scope link 
       valid_lft forever preferred_lft forever

注意[編輯 | 編輯原始碼]

we have now one IP address for br0 on the host, and one for host0 in the container
two new interfaces have appeared: vb-MyContainer in the host and host0 in the container. This comes as a result of the --network-bridge=br0 option. This option implies another option, --network-veth. This means a virtual Ethernet link has been created between host and container.
the DHCP address on host0 comes from the system /usr/lib/systemd/network/80-container-host0.network file.
on host

$ brctl show

bridge name	bridge id		STP enabled	interfaces
br0		8000.14dae9b57a88	no		enp7s0
							vb-MyContainer

the above command output confirms we have a bridge with two interfaces binded to.

在宿主機上

$ ip route

default via 192.168.1.254 dev br0 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.87

在容器中

$ ip route

default via 192.168.1.254 dev host0 
192.168.1.0/24 dev host0  proto kernel  scope link  src 192.168.1.73

the above command outputs confirm we have activated br0 and host0 interfaces with an IP address and Gateway 192.168.1.254. The gateway address has been automatically grabbed by systemd-networkd

$ cat /run/systemd/resolve/resolv.conf

nameserver 192.168.1.254

靜態 IP 網絡[編輯 | 編輯原始碼]

Setting a static IP for each device can be helpful in case of deployed web services (e.g FTP, http, SSH). Each device will keep the same MAC address across reboots if your system /usr/lib/systemd/network/99-default.link file has the MACAddressPolicy=persistent option (it has by default). Thus, you will easily route any service on your Gateway to the desired device.

The following configuration needs to be done for this setup:

on host

The configuration is very similar to that of #DHCP 用於兩個獨立 IP. First, a virtual bridge interface needs to be created and the main physical interface needs to be bound to it. This task can be accomplished with the following two files, with contents equal to those available at the DHCP section.

/etc/systemd/network/MyBridge.netdev
/etc/systemd/network/MyEth.network

Next, you need to configure the IP and DNS of the newly created virtual bridge interface. The following MyBridge.network provides an example configuration:

/etc/systemd/network/MyBridge.network

[Match]
Name=br0

[Network]
DNS=192.168.1.254
Address=192.168.1.87/24
Gateway=192.168.1.254

on container

First, we shall get rid of the system /usr/lib/systemd/network/80-container-host0.network file, which provides a DHCP configuration for the default network interface of the container. To do it in a permanent way (e.g. even after systemd^包 upgrades), do the following on the container. This will mask the file /usr/lib/systemd/network/80-container-host0.network since files of the same name in /etc/systemd/network take priority over /usr/lib/systemd/network. Keep in mind that this file can be kept if you only want a static IP on the host, and want the IP address of your containers to be assigned via DHCP.

# ln -sf /dev/null /etc/systemd/network/80-container-host0.network

Then, configure an static IP for the default host0 network interface and enable and start systemd-networkd.service on your container. An example configuration is provided below:

/etc/systemd/network/MyVeth.network

[Match]
Name=host0

[Network]
DNS=192.168.1.254
Address=192.168.1.94/24
Gateway=192.168.1.254

交互界面及桌面集成[編輯 | 編輯原始碼]

無論是命令行或是圖形桌面，systemd-networkd都沒有相應的交互式管理界面。但某些工具可以顯示當前網絡狀態、接收通知或提供無線網絡配置界面的功能：

networkctl （命令行）提供簡單的網絡接口狀態展示。

如果networkd配置了wpa_supplicant，那麼wpa_cli 和 wpa_gui 都提供了動態關聯和配置 WLAN 接口的功能。

networkd-notify-git^AUR 可以生成簡單的接口狀態改變的通知消息（如：連接/斷開以及重新關聯等）。

networkd-dispatcher^AUR 後台進程允許執行一個腳本以響應網絡接口狀態變化事件，類似於NetworkManager-dispatcher。

systemd-resolved作為 DNS 解析器，resolvectl status命令可以將當前 DNS 伺服器的信息做可視化呈現。

排錯[編輯 | 編輯原始碼]

引導時的「掛載」服務失敗[編輯 | 編輯原始碼]

If running services like Samba/NFS which fail if they are started before the network is up, you may want to enable the systemd-networkd-wait-online.service. This is, however, rarely necessary because most networked daemons start up okay, even if the network has not been configured yet.

systemd-resolve 不搜索本地域[編輯 | 編輯原始碼]

systemd-resolved may not search the local domain when given just the hostname, even when UseDomains=yes or Domains=[domain-list] is present in the appropriate .network file, and that file produces the expected search [domain-list] in resolv.conf. You can run networkctl status or resolvectl status to check if the search domains are actually being picked up.

Possible workarounds:

Disable LLMNR to let systemd-resolved immediately continue with appending the DNS suffixes
Trim /etc/nsswitch.conf's hosts database (e.g., by removing [!UNAVAIL=return] option after resolve service)
Switch to using fully-qualified domain names
Use /etc/hosts to resolve hostnames
Fall back to using glibc's dns instead of using systemd's resolve

Connected second PC unable to use bridged LAN[編輯 | 編輯原始碼]

First PC have two LAN. Second PC have one LAN and connected to first PC. Lets go second PC to give all access to LAN after bridged interface:

# sysctl net.bridge.bridge-nf-filter-pppoe-tagged=0
# sysctl net.bridge.bridge-nf-filter-vlan-tagged=0
# sysctl net.bridge.bridge-nf-call-ip6tables=0
# sysctl net.bridge.bridge-nf-call-iptables=0
# sysctl net.bridge.bridge-nf-call-arptables=0

參閱[編輯 | 編輯原始碼]

systemd.networkd man page
Tom Gundersen, main systemd-networkd developer, G+ home page
Tom Gundersen posts on Core OS blog
How to set up systemd-networkd with wpa_supplicant (WonderWoofy's walkthrough on Arch forums)

systemd-networkd

基本用法[編輯 | 編輯原始碼]

必需的服務和設置[編輯 | 編輯原始碼]

配置樣例[編輯 | 編輯原始碼]

使用 DHCP 的有線適配器[編輯 | 編輯原始碼]

使用靜態 IP 的有線適配器[編輯 | 編輯原始碼]

無線適配器[編輯 | 編輯原始碼]

同一台機器上的有線和無線適配器[編輯 | 編輯原始碼]

網絡接口重命名[編輯 | 編輯原始碼]

配置文件[編輯 | 編輯原始碼]

network 文件[編輯 | 編輯原始碼]

[Match] 小節[編輯 | 編輯原始碼]

[Link] 小節[編輯 | 編輯原始碼]

[Network] 小節[編輯 | 編輯原始碼]

[Address] 小節[編輯 | 編輯原始碼]

[Route] 小節[編輯 | 編輯原始碼]

[DHCP] 小節[編輯 | 編輯原始碼]

netdev 文件[編輯 | 編輯原始碼]

[Match] 小節[編輯 | 編輯原始碼]

[NetDev] 小節[編輯 | 編輯原始碼]

link 文件[編輯 | 編輯原始碼]

[Match] 小節[編輯 | 編輯原始碼]

[Link] 小節[編輯 | 編輯原始碼]

容器下的應用[編輯 | 編輯原始碼]

基本 DHCP 網絡[編輯 | 編輯原始碼]

DHCP 用於兩個獨立 IP[編輯 | 編輯原始碼]

橋接端口[編輯 | 編輯原始碼]

綁定以太網到橋接端口[編輯 | 編輯原始碼]

橋接網絡[編輯 | 編輯原始碼]

添加選項以引導容器[編輯 | 編輯原始碼]

成果[編輯 | 編輯原始碼]

注意[編輯 | 編輯原始碼]

靜態 IP 網絡[編輯 | 編輯原始碼]

交互界面及桌面集成[編輯 | 編輯原始碼]

排錯[編輯 | 編輯原始碼]

引導時的「掛載」服務失敗[編輯 | 編輯原始碼]

systemd-resolve 不搜索本地域[編輯 | 編輯原始碼]

Connected second PC unable to use bridged LAN[編輯 | 編輯原始碼]

參閱[編輯 | 編輯原始碼]