systemd-networkd (简体中文)

systemd-networkd 是一个管理网络配置的系统守护进程。它会在网络设备出现时检测和配置；它还可以创建虚拟网络设备。这个服务对被 systemd-nspawn 管理的容器或者虚拟机的复杂网络配置尤其有用，同样也适用于简单的网络配置。

翻译状态：本文是 Systemd-networkd 的翻译。上次翻译日期：2020-06-25。如果英文版本有所更改，则您可以帮助同步翻译。

基本用法

是默认 Arch 安装的一部分，包含操作有线网络所需的所有文件。无线适配器可以通过其他服务（比如 wpa_supplicant 或者 iwd）来配置，本文后面的部分也会介绍相关内容。

必需的服务和设置

start/enable 以使用 systemd-networkd。

start/enable 是可选的，它为本地应用程序提供网络名称（DNS）解析服务。是否使用它可以考虑下面几条：

如果 .network 文件中指定了 DNS 条目，systemd-resolved 服务是必需的
它能够自动地从 DHCP 客户端获取 DNS 地址
请搞明白 resolv.conf 和 systemd-resolved 如何互相影响，以便正确配置要使用的 DNS 服务器。更多相关信息可以参见 systemd-resolved
注意：即使没有启用 systemd-networkd， systemd-resolved 也能够提供服务。

配置样例

在本节中，所有配置都存储为在 /etc/systemd/network/ 目录下形如的文件。有关选项的完整列表和处理顺序可以参考 #配置文件和。

Systemd/udev 会自动为所有本地以太网、WLAN 和 WWAN 接口分配可预测且稳定的网络接口名。使用以列出系统上所有设备。

在修改了配置文件之后，restart 以使得它们生效。

注意：

配置文件中指定的选项区分大小写。
在下面的示例中，enp1s0 是有线适配器，wlp2s0 是无线适配器。他们的名字在不同系统上可能会有不同的名字。也可以使用通配符，例如，Name=en*。
如果想要禁用 IPv6 的话，参考 IPv6#systemd-networkd。
在 [Network] 段设置 DHCP=yes 来同时接收 IPv4 和 IPv6 DHCP 请求。

使用静态 IP 的有线适配器

能够被使用多次来指定多个 IPv4 或者 IPv6 地址。

参见 #network 文件或者了解更多配置项。

无线适配器

为了能够使用 systemd-networkd 连接一个无线网络，需要一个被其他应用，比如 wpa_supplicant 或 Iwd，配置好的无线适配器。

如果无线适配器有一个静态地址，它的配置（除了接口的名字）跟有线适配器是一样的。

同一台机器上的有线和无线适配器

This setup will enable a DHCP IP for both a wired and wireless connection making use of the metric directive to allow the kernel to decide on-the-fly which one to use. This way, no connection downtime is observed when the wired connection is unplugged.

The kernel's route metric (same as configured with ip) decides which route to use for outgoing packets, in cases when several match. This will be the case when both wireless and wired devices on the system have active connections. To break the tie, the kernel uses the metric. If one of the connections is terminated, the other automatically wins without there being a gap with nothing configured (ongoing transfers may still not deal with this nicely but that is at a different OSI layer).

/etc/systemd/network/25-wireless.network

[Match]
Name=wlp2s0

[Network]
DHCP=ipv4

[DHCP]
RouteMetric=20

网络接口重命名

作为更改设备名称的替代方案，systemd 使用.link文件用于接口重命名。常见的例子是基于 MAC 地址给一个 USB 接口以太网适配器设置一个可预见的接口名称。这类设备依其连接到不同 USB 接口而具有不同的接口名称。

配置文件

配置文件位于，非持久化的运行时网络配置目录位于，本地管理网络配置位于 /etc/systemd/network。/etc/systemd/network 中的配置文件具有最高优先级。

配置文件有三类。它们均使用类似于 systemd 单元文件的格式。

.network 文件，为匹配的设备提供一个网络配置
.netdev 文件，为匹配的环境创建一个虚拟网络设备
.link 文件，当网络设备出现时，udev 将查找第一个匹配的.link文件

它们均遵循下列规则：

如果位于小节的全部条件相匹配，配置项将被激活
一个空的小节意味着配置项适用任何情况（相当于通配符）
所有配置文件将按字典顺序集中保存和处理，不管它们在目录中的实际顺序如何。
同名文件将彼此替换

network 文件

这类文件用于设置网络配置变量，尤其适用于服务器和容器。

.network文件含有下列小节：、、[Network]、、以及。下列为每小节的通用配置。详情及范例请参阅。

[Match] 小节

由空白字符分割的网卡硬件地址列表
由空白字符分割的设备名列表，可以包含集合字符（如：）。使用前缀字符禁用列表中的名字。
Host= 机器的主机名
检查系统是否运行于虚拟化环境。选项值表示仅应用于物理主机，选项值表示应用于任何容器或虚拟机。

[Link] 小节

useful for MAC address spoofing
setting a larger MTU value (e.g. when using jumbo frames) can significantly speed up your network transfers
Multicast allow the usage of multicast on interface(s)

[Network] 小节

参数	说明	值类型	默认值
	Controls DHCPv4 and/or DHCPv6 client support.	boolean, ,
	If enabled, a DHCPv4 server will be started.	boolean
	Enables multicast DNS support. When set to `resolve`, only resolution is enabled, but not host or service registration and announcement.	boolean, `resolve`
	Controls DNSSEC DNS validation support on the link. When set to , compatibility with non-DNSSEC capable networks is increased, by automatically turning off DNSSEC in this case.	boolean,
	Configure static DNS addresses. May be specified more than once.
	A list of domains which should be resolved using the DNS servers on this link. more information	domain name, optionally prefixed with a tilde (`~`)
	If enabled, incoming packets on any network interface will be forwarded to any other interfaces according to the routing table.	boolean, ,
	Configures use of stateless temporary addresses that change over time (see RFC 4941). When , enables the privacy extensions, but prefers public addresses over temporary addresses. When , the kernel's default setting will be left in place.	boolean, ,

[Address] 小节

这个选项必选，除非使用了 DHCP。

[Route] 小节

这个选项必选，除非使用了 DHCP
Destination= 路由的目的地前缀，可能后接一个斜线字符和前缀长度

如果选项没有出现在小节，本节将视为默认路由。

[DHCP] 小节

参数	说明	值类型	默认值
	controls whether the DNS servers advertised by the DHCP server are used	布尔值
	when true, the options sent to the DHCP server will follow the RFC7844 (Anonymity Profiles for DHCP Clients) to minimize disclosure of identifying information	布尔值
	controls whether the domain name received from the DHCP server will be used as DNS search domain. If set to `route`, the domain name received from the DHCP server will be used for routing DNS queries only, but not for searching. This option can sometimes fix local name resolving when using systemd-resolved	布尔值，`route`

netdev 文件

这类文件将创建虚拟网络设备。包含两个小节：和。下列为每小节的通用配置。详情及范例请参阅。

[Match] 小节

Host= 主机名
检查是否运行于虚拟机中

[NetDev] 小节

最通用的配置为：

接口名称。必须提供
例如：bridge, bond, vlan, veth, sit，等等。必须提供

link 文件

These files are an alternative to custom udev rules and will be applied by udev as the device appears. They have two sections: and . Below are commonly configured keys for each section. See for more information and examples.

提示： Use # udevadm test-builtin net_setup_link /sys/path/to/network/device to diagnose problems with .link files.

[Match] 小节

the MAC address
Host= the host name
the device type e.g. vlan

[Link] 小节

persistent or random addresses, or
a specific address

容器下的应用

The service is available with . You will want to enable and start the unit on the host and container.

For debugging purposes, it is strongly advised to install the , net-tools, and packages.

If you are using systemd-nspawn, you may need to modify the and append boot options to the line. Please refer to for an exhaustive list of options.

Note that if you want to take advantage of automatic DNS configuration from DHCP, you need to enable and symlink to . See systemd-resolved.service(8) for more details.

Before you start to configure your container network, it is useful to:

disable all your netctl (host and container), dhcpcd (host and container), systemd-networkd (container only) and (host only) services to avoid potential conflicts and to ease debugging
make sure packet forwarding is enabled if you want to let containers access the internet. Make sure that your .network file does not accidentally turn off forwarding because if you do not have a setting in it, will turn off forwarding on this interface, even if you have it enabled globally.
make sure you do not have any iptables rules which can block traffic
when the daemon is started the systemd command displays the status of network interfaces.

For the set-up described below,

we will limit the output of the command to the concerned interfaces
we assume the host is your main OS you are booting to and the container is your guest virtual machine
all interface names and IP addresses are only examples

基本 DHCP 网络

This setup will enable a DHCP IP for host and container. In this case, both systems will share the same IP as they share the same interfaces.

/etc/systemd/network/''MyDhcp''.network

[Match]
Name=en*

[Network]
DHCP=ipv4

Then, enable and start on your container.

You can of course replace by the full name of your ethernet device given by the output of the command.

on host and container:

By default, hostname received from the DHCP server will be used as the transient hostname.

To change it add in section

If you did not want to configure a DNS in and want to rely on DHCP for setting it up, you need to enable and symlink to

# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

See systemd-resolved.service(8) for more details.

桥接端口

First, create a virtual bridge interface. We tell systemd to create a device named br0 that functions as an ethernet bridge.

/etc/systemd/network/''MyBridge''.netdev

[NetDev]
Name=br0
Kind=bridge

Restart to have systemd create the bridge.

On host and container:

Note that the interface br0 is listed but is still DOWN at this stage.

绑定以太网到桥接端口

The next step is to add to the newly created bridge a network interface. In the example below, we add any interface that matches the name en* into the bridge br0.

The ethernet interface must not have DHCP or an IP address associated as the bridge requires an interface to bind to with no IP: modify the corresponding accordingly to remove the addressing.

桥接网络

Now that the bridge has been created and has been bound to an existing network interface, the IP configuration of the bridge interface must be specified. This is defined in a third .network file, the example below uses DHCP.

添加选项以引导容器

As we want to give a separate IP for host and container, we need to Disconnect networking of the container from the host. To do this, add this option --network-bridge=br0 to your container boot command.

# systemd-nspawn --network-bridge=br0 -bD /path_to/my_container

成果

在宿主机上

在容器中

注意

we have now one IP address for on the host, and one for in the container
two new interfaces have appeared: in the host and in the container. This comes as a result of the --network-bridge=br0 option. This option implies another option, --network-veth. This means a virtual Ethernet link has been created between host and container.
the DHCP address on comes from the system file.
on host

the above command output confirms we have a bridge with two interfaces binded to.

在宿主机上

在容器中

the above command outputs confirm we have activated and interfaces with an IP address and Gateway 192.168.1.254. The gateway address has been automatically grabbed by systemd-networkd

静态 IP 网络

Setting a static IP for each device can be helpful in case of deployed web services (e.g FTP, http, SSH). Each device will keep the same MAC address across reboots if your system file has the MACAddressPolicy=persistent option (it has by default). Thus, you will easily route any service on your Gateway to the desired device.

The following configuration needs to be done for this setup:

on host

The configuration is very similar to that of #DHCP 用于两个独立 IP. First, a virtual bridge interface needs to be created and the main physical interface needs to be bound to it. This task can be accomplished with the following two files, with contents equal to those available at the DHCP section.

/etc/systemd/network/MyBridge.netdev
/etc/systemd/network/MyEth.network

Next, you need to configure the IP and DNS of the newly created virtual bridge interface. The following MyBridge.network provides an example configuration:

on container

First, we shall get rid of the system file, which provides a DHCP configuration for the default network interface of the container. To do it in a permanent way (e.g. even after upgrades), do the following on the container. This will mask the file since files of the same name in /etc/systemd/network take priority over . Keep in mind that this file can be kept if you only want a static IP on the host, and want the IP address of your containers to be assigned via DHCP.

# ln -sf /dev/null /etc/systemd/network/80-container-host0.network

Then, configure an static IP for the default network interface and enable and start on your container. An example configuration is provided below:

交互界面及桌面集成

无论是命令行或是图形桌面，systemd-networkd都没有相应的交互式管理界面。但某些工具可以显示当前网络状态、接收通知或提供无线网络配置界面的功能：

networkctl （命令行）提供简单的网络接口状态展示。

如果networkd配置了wpa_supplicant，那么wpa_cli 和 wpa_gui 都提供了动态关联和配置 WLAN 接口的功能。

networkd-notify-git^AUR 可以生成简单的接口状态改变的通知消息（如：连接/断开以及重新关联等）。

后台进程允许执行一个脚本以响应网络接口状态变化事件，类似于NetworkManager-dispatcher。

systemd-resolved作为 DNS 解析器，命令可以将当前 DNS 服务器的信息做可视化呈现。

排错

引导时的“挂载”服务失败

If running services like Samba/NFS which fail if they are started before the network is up, you may want to enable the . This is, however, rarely necessary because most networked daemons start up okay, even if the network has not been configured yet.

systemd-resolve 不搜索本地域

systemd-resolved may not search the local domain when given just the hostname, even when UseDomains=yes or is present in the appropriate .network file, and that file produces the expected in . You can run or to check if the search domains are actually being picked up.

Possible workarounds:

Disable LLMNR to let systemd-resolved immediately continue with appending the DNS suffixes
Trim 's database (e.g., by removing option after resolve service)
Switch to using fully-qualified domain names
Use /etc/hosts to resolve hostnames
Fall back to using glibc's instead of using systemd's resolve

Connected second PC unable to use bridged LAN

First PC have two LAN. Second PC have one LAN and connected to first PC. Lets go second PC to give all access to LAN after bridged interface:

# sysctl net.bridge.bridge-nf-filter-pppoe-tagged=0
# sysctl net.bridge.bridge-nf-filter-vlan-tagged=0
# sysctl net.bridge.bridge-nf-call-ip6tables=0
# sysctl net.bridge.bridge-nf-call-iptables=0
# sysctl net.bridge.bridge-nf-call-arptables=0

参阅

systemd.networkd man page
Tom Gundersen, main systemd-networkd developer, G+ home page
Tom Gundersen posts on Core OS blog
How to set up systemd-networkd with wpa_supplicant (WonderWoofy's walkthrough on Arch forums)

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.