Containers for the default and mgmt VRF: can we run containers in both VRFs?

If we have to run containers in a VRF, we need to run containerd in that VRF.
However, my requirement is that we might run containers in multiple VRFs.
In that case, what is the best way to run the containerd daemon?

Is there any solution for this?

For what? What is VRF? Isn’t a containerd forum better suited?

OK, I will post in the Docker Engine forum.

VRF is virtual routing and forwarding: the ability to have multiple routing table instances on a single router.
Also, it separates the network namespace for each VRF instance.

Given the way you present your case and the lack of a big picture, I am confident to say: I would be surprised if someone is going to reply …

Hope you will find a solution for whatever it is you are looking for.

Let me create the complete picture of my requirement, so that you can explain it to me.

Generally, some Docker containers are to be reachable from the external network via the public interface, and this interface is in the management VRF.
Some other containers are running in the default VRF (internal) and should NOT be externally reachable.

The flag ipv4/tcp_l3mdev_accept is disabled so that packets received in a VRF context are only handled by an application bound to the VRF.

A few observations:
containerd, when launched in the management VRF, spins up containers in that VRF, which means the application inside is reachable from the external network.

The containers need to be spun up in host network mode.

Currently, when I run the containerd daemon in the management VRF, all the containers run in the mgmt VRF.
Now, a containerized application running in the management VRF should be reachable from the external network, as the public interface is in the management network.

We should also be able to run other containers in the default VRF. What is the way to achieve this?

Hi vishalwc, I have a similar requirement to implement a multi-VRF container. In case you have got a solution as of now, can you help me please?

For “leader” surprise -)…

vishalwc, unfortunately Docker does not have anything for VRF support. The first problem you have: you are unable to run docker-proxy in any network space other than the default (grt). The second problem is the SandboxKey (see docker inspect for your container): it is generated every time and connected only to the default.

You can attach your VRF interface to the Docker container directly (ip link set netns [container's netns] dev [iface]). In this case you will use the VRF interface inside the container.
Of course, nothing about simultaneous use (different ports to different containers, etc.).

Using runc could be more comfortable: Managing Containers in runC - Selectel Blog

But anyway, all this is not enough -)). Look into Tungsten Fabric.

1 Like
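
The thread relies on the `tcp_l3mdev_accept` flag being disabled so that only an application bound to a VRF handles that VRF's traffic. The following is an added example, not part of any post and not Docker or containerd code: it audits the `*_l3mdev_accept` sysctls on a host and opens a listener bound to one VRF device with `SO_BINDTODEVICE`. The function names, the VRF device name `mgmt` and port 8443 are assumptions for illustration.

```python
import os
import socket

# Real net.ipv4 sysctls; the thread mentions only the TCP one.
L3MDEV_SYSCTLS = ("tcp_l3mdev_accept", "udp_l3mdev_accept", "raw_l3mdev_accept")


def l3mdev_accept_state(proc_root="/proc/sys/net/ipv4"):
    """Map each sysctl to True/False, or None if this kernel lacks it."""
    state = {}
    for name in L3MDEV_SYSCTLS:
        try:
            with open(os.path.join(proc_root, name)) as fh:
                state[name] = fh.read().strip() == "1"
        except FileNotFoundError:
            state[name] = None
    return state


def leaks_across_vrfs(state):
    """Sysctls set to 1: sockets not bound to any VRF also serve VRF traffic."""
    return sorted(name for name, enabled in state.items() if enabled)


def listen_in_vrf(vrf_dev, port, addr="0.0.0.0"):
    """TCP listener scoped to one VRF via its device (may need CAP_NET_RAW)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                        vrf_dev.encode() + b"\0")
        sock.bind((addr, port))
        sock.listen()
    except OSError:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    leaks = leaks_across_vrfs(l3mdev_accept_state())
    print("unbound sockets reachable from VRFs via:", leaks or "none")
    try:
        # "mgmt" and 8443 are assumed names for illustration.
        listener = listen_in_vrf("mgmt", 8443)
        print("listening only inside VRF mgmt:", listener.getsockname())
        listener.close()
    except OSError as exc:
        print("could not bind to VRF device:", exc)
```

An empty result from `leaks_across_vrfs` matches the setup described in the thread, where internal services in the default VRF are not served to traffic arriving on the management VRF.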