systemd-networkd is a system daemon that manages network configurations. It detects and configures network devices as they appear; it can also create virtual network devices. This service can be especially useful to set up complex network configurations for a container managed by systemd-nspawn or for virtual machines. It also works fine on simple connections.
The systemd package is part of the default Arch installation and contains all needed files to operate a wired network. Wireless adapters, covered later in this article, can be set up by services such as wpa_supplicant or iwd.
To use systemd-networkd, start/enable systemd-networkd.service.
It is optional to also start/enable systemd-resolved.service, which provides network name resolution to local applications.
All configurations in this section are stored as foo.network in /etc/systemd/network/. For a full listing of options and processing order, see #Configuration files and systemd.network(5).
Systemd/udev automatically assigns predictable, stable network interface names for all local Ethernet, WLAN, and WWAN interfaces. Use networkctl list to list the devices on the system.
After making changes to a configuration file, restart systemd-networkd.service.
Note: enp1s0 is the wired adapter and wlp2s0 is the wireless adapter. These names can be different on different systems. It is also possible to use a wildcard, e.g. Name=en*. Setting DHCP=yes in the [Network] section enables both the DHCPv4 and DHCPv6 clients.
Wired adapter using DHCP
/etc/systemd/network/20-wired.network
[Match]
Name=enp1s0
[Network]
DHCP=ipv4
Wired adapter using a static IP
/etc/systemd/network/20-wired.network
[Match]
Name=enp1s0
[Network]
Address=10.1.10.9/24
Gateway=10.1.10.1
DNS=10.1.10.1
#DNS=8.8.8.8
Address= can be used more than once to configure multiple IPv4 or IPv6 addresses. See #network files or systemd.network(5) for more options.
Wireless adapter
In order to connect to a wireless network with systemd-networkd, a wireless adapter that has been associated by another application such as wpa_supplicant or iwd is required.
/etc/systemd/network/25-wireless.network
[Match]
Name=wlp2s0
[Network]
DHCP=ipv4
If the wireless adapter has a static IP address, the configuration is the same (except for the interface name) as in a wired adapter.
Wired and wireless adapters on the same machine
This setup will enable a DHCP IP for both a wired and a wireless connection, making use of the metric directive to let the kernel decide on-the-fly which one to use. This way, no connection downtime is observed when the wired connection is unplugged.
The kernel's route metric (same as configured with ip) decides which route to use for outgoing packets, in cases when several match. This will be the case when both wireless and wired devices on the system have active connections. To break the tie, the kernel uses the metric. If one of the connections is terminated, the other automatically wins without there being a gap with nothing configured (ongoing transfers may still not deal with this nicely but that is at a different OSI layer).
Note: The Metric option is for static routes, while the RouteMetric option is for setups not using static routes. See systemd.network(5) for more details.
/etc/systemd/network/20-wired.network
[Match]
Name=enp1s0
[Network]
DHCP=ipv4
[DHCP]
RouteMetric=10
/etc/systemd/network/25-wireless.network
[Match]
Name=wlp2s0
[Network]
DHCP=ipv4
[DHCP]
RouteMetric=20
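The tie-break described above can be checked from the routing table itself. The following is an added example, not code from the Arch Wiki page or from systemd: it parses `ip route` output and reports which default route the kernel will use (lowest metric wins), then simulates the wired link going away. The sample `ip route` lines are constructed to reflect the two RouteMetric= settings shown above.

```python
"""Added example (not from the Arch Wiki page): decide which default route the
kernel will use from `ip route` output, applying the lowest-metric tie-break
that the RouteMetric= settings above rely on. Sample output is constructed."""
import re

# Constructed `ip route` output for a host with both adapters up, after the
# RouteMetric=10 (wired) and RouteMetric=20 (wireless) settings from the page.
SAMPLE_ROUTES = """\
default via 10.1.10.1 dev enp1s0 proto dhcp src 10.1.10.9 metric 10
default via 192.168.1.1 dev wlp2s0 proto dhcp src 192.168.1.50 metric 20
10.1.10.0/24 dev enp1s0 proto kernel scope link src 10.1.10.9 metric 10
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.50 metric 20
"""

# One route per line: destination, optional "via <gw>", "dev <ifname>",
# optional "metric <n>" somewhere later on the line.
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?:.* metric (?P<metric>\d+))?"
)


def parse_routes(text):
    """Turn `ip route` lines into dicts; a missing metric is reported as 0,
    which is what the kernel uses when none was set."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "dst": m["dst"],
            "via": m["via"],
            "dev": m["dev"],
            "metric": int(m["metric"]) if m["metric"] else 0,
        })
    return routes


def active_default(text):
    """Return (ifname, metric) of the default route that wins the tie-break,
    or None when no default route is installed."""
    defaults = [r for r in parse_routes(text) if r["dst"] == "default"]
    if not defaults:
        return None
    best = min(defaults, key=lambda r: r["metric"])
    return best["dev"], best["metric"]


def without_interface(text, dev):
    """Simulate the link going down: the kernel drops every route on `dev`,
    so the remaining default route takes over without reconfiguration."""
    return "\n".join(line for line in text.splitlines() if f" dev {dev} " not in (line + " "))


if __name__ == "__main__":
    print("both up:", active_default(SAMPLE_ROUTES))
    print("wired unplugged:", active_default(without_interface(SAMPLE_ROUTES, "enp1s0")))
```

On a live system, feed the output of `ip route` to active_default() to confirm that the interface you expect is carrying outbound traffic; this matters for anything that assumes egress goes through the wired path, such as firewall rules keyed on an interface name.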
Renaming an interface
Instead of editing udev rules, a .link file can be used to rename an interface. A useful example is to set a predictable interface name for a USB-to-Ethernet adapter based on its MAC address, as those adapters are usually given different names depending on which USB port they are plugged into.
/etc/systemd/network/10-ethusb0.link
[Match]
MACAddress=12:34:56:78:90:ab
[Link]
Description=USB to Ethernet Adapter
Name=ethusb0
Note: Any user-supplied .link must have a lexically earlier file name than the default config 99-default.link in order to be considered at all. For example, name the file 10-ethusb0.link and not ethusb0.link.
Configuration files
Configuration files are located in /usr/lib/systemd/network, the volatile runtime network directory /run/systemd/network and the local administration network directory /etc/systemd/network. Files in /etc/systemd/network have the highest priority.
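The precedence rules on this page (directory priority, masking a shipped file with a symlink to /dev/null, and the requirement that a user .link sorts before 99-default.link) are easy to get wrong silently, since a shadowed file simply does nothing. The following is an added example, not code from the Arch Wiki page or from systemd: it resolves which file wins for each name across the three directories. demo() builds a constructed directory tree that mirrors the page's examples; the real directories are only used when effective_files() is called without arguments.

```python
"""Added example (not from the Arch Wiki page): resolve which systemd-networkd
configuration files are in effect, applying the rules stated on this page:
/etc/systemd/network beats /run/systemd/network beats /usr/lib/systemd/network
for a file of the same name, a symlink to /dev/null masks the file, and a
user .link file only counts if it sorts before 99-default.link. The directory
tree built in demo() is constructed to mirror the page's examples."""
import os
import tempfile

# Highest priority first.
SEARCH_DIRS = ("/etc/systemd/network", "/run/systemd/network", "/usr/lib/systemd/network")
CONFIG_SUFFIXES = (".network", ".netdev", ".link")


def effective_files(dirs=SEARCH_DIRS):
    """Return a dict basename -> winning path, or None when that name is masked.
    Iterating sorted(result) gives the lexical order in which systemd-networkd
    considers the files, so the first matching .network in that order applies."""
    chosen = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if not name.endswith(CONFIG_SUFFIXES) or name in chosen:
                continue  # a higher-priority directory already supplied this name
            path = os.path.join(directory, name)
            masked = os.path.islink(path) and os.readlink(path) == "/dev/null"
            chosen[name] = None if masked else path
    return chosen


def link_file_is_considered(name):
    """Per the note above: a .link file is only considered if its name sorts
    lexically before the shipped 99-default.link."""
    return name.endswith(".link") and name < "99-default.link"


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed tree: distro defaults in 'lib', an admin override and a mask in 'etc'."""
    root = tempfile.mkdtemp(prefix="networkd-demo-")
    etc, run, lib = (os.path.join(root, p) for p in ("etc", "run", "lib"))
    for d in (etc, run, lib):
        os.makedirs(d)
    _write(os.path.join(lib, "80-container-host0.network"), "[Match]\nName=host0\n[Network]\nDHCP=yes\n")
    _write(os.path.join(lib, "99-default.link"), "[Link]\nMACAddressPolicy=persistent\n")
    # Mask the shipped container file, as the page does with ln -sf /dev/null.
    os.symlink("/dev/null", os.path.join(etc, "80-container-host0.network"))
    _write(os.path.join(etc, "20-wired.network"), "[Match]\nName=enp1s0\n[Network]\nDHCP=ipv4\n")
    _write(os.path.join(etc, "10-ethusb0.link"), "[Match]\nMACAddress=12:34:56:78:90:ab\n[Link]\nName=ethusb0\n")
    # Same name in the runtime directory: loses to the copy in etc.
    _write(os.path.join(run, "20-wired.network"), "[Match]\nName=enp1s0\n[Network]\nDHCP=no\n")
    return effective_files((etc, run, lib))


if __name__ == "__main__":
    for name, path in sorted(demo().items()):
        print(f"{name:32} {'MASKED' if path is None else path}")
```

Run as root on a real host, effective_files() with no arguments lists what systemd-networkd will actually consider; a file you edited in /run or /usr/lib that does not show up there is being shadowed or masked.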
There are three types of configuration files. They all use a format similar to systemd unit files.
They all follow the same rules:
- If all conditions in the [Match] section are matched, the profile will be activated.
- An empty [Match] section means the profile will apply in any case (can be compared to the * wildcard).
- The * wildcard can be used in a VALUE (e.g. en* will match any Ethernet device), and a boolean can simply be written as yes or no. The accepted values are 1, true, yes, on for a true boolean, and 0, false, no, off for a false boolean.
Tip: To disable a file shipped in /usr/lib/systemd/network in a permanent manner (i.e. even after an upgrade), place a file with the same name in /etc/systemd/network and symlink it to /dev/null.
network files
These files are aimed at setting network configuration variables, especially for servers and containers.
.network files have the following sections: [Match], [Link], [Network], [Address], [Route], and [DHCP]. Below are commonly configured keys for each section. See systemd.network(5) for more information and examples.
[Match]
Parameter | Description | Accepted Values | Default Value |
---|---|---|---|
Name= | Match device names, e.g. en*. By prefixing with !, the list can be inverted. | whitespace-separated device names with globs, logical negation (!) | |
MACAddress= | Match MAC addresses, e.g. MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF | whitespace-separated MAC addresses in full colon-, hyphen- or dot-delimited hexadecimal | |
Host= | Match the hostname or machine ID of the host. | hostname string with globs, machine ID | |
Virtualization= | Check whether the system is executed in a virtualized environment. Virtualization=false will only match your host machine, while Virtualization=true matches any container or VM. It is possible to check for a specific virtualization type or implementation. | boolean, logical negation (!), type (vm, container), implementation (qemu, kvm, zvm, vmware, microsoft, oracle, xen, bochs, uml, bhyve, qnx, openvz, lxc, lxc-libvirt, systemd-nspawn, docker, podman, rkt, wsl, acrn) | |
[Link]
- MACAddress= useful for MAC address spoofing
- MTUBytes= setting a larger MTU value (e.g. when using jumbo frames) can significantly speed up your network transfers
- Multicast= allow the usage of multicast on interface(s)
[Network]
Parameter | Description | Accepted Values | Default Value |
---|---|---|---|
DHCP= | Controls DHCPv4 and/or DHCPv6 client support. | boolean, ipv4, ipv6 | false |
DHCPServer= | If enabled, a DHCPv4 server will be started. | boolean | false |
MulticastDNS= | Enables multicast DNS support. When set to resolve, only resolution is enabled, but not host or service registration and announcement. | boolean, resolve | false |
DNSSEC= | Controls DNSSEC DNS validation support on the link. When set to allow-downgrade, compatibility with non-DNSSEC capable networks is increased by automatically turning off DNSSEC in this case. | boolean, allow-downgrade | false |
DNS= | Configure static DNS addresses. May be specified more than once. | inet_pton | |
Domains= | A list of domains which should be resolved using the DNS servers on this link. | domain name, optionally prefixed with a tilde (~) | |
IPForward= | If enabled, incoming packets on any network interface will be forwarded to any other interfaces according to the routing table. | boolean, ipv4, ipv6 | false |
IPv6PrivacyExtensions= | Configures use of stateless temporary addresses that change over time (see RFC 4941). When prefer-public, enables the privacy extensions, but prefers public addresses over temporary addresses. When kernel, the kernel's default setting will be left in place. | boolean, prefer-public, kernel | false |
[Address]
- Address= this option is mandatory unless DHCP is used
[Route]
- Gateway= this option is mandatory unless DHCP is used
- Destination= the destination prefix of the route, possibly followed by a slash and the prefix length
If Destination= is not present in the [Route] section, this section is treated as a default route.
Tip: You can put the Address= and Gateway= keys in the [Network] section as a short-hand if the [Address] section contains only an Address key and the [Route] section contains only a Gateway key.
[DHCP]
Parameter | Description | Accepted Values | Default Value |
---|---|---|---|
UseDNS= | Controls whether the DNS servers advertised by the DHCP server are used. | boolean | true |
Anonymize= | When true, the options sent to the DHCP server will follow RFC 7844 (Anonymity Profiles for DHCP Clients) to minimize disclosure of identifying information. | boolean | false |
UseDomains= | Controls whether the domain name received from the DHCP server will be used as DNS search domain. If set to route, the domain name received from the DHCP server will be used for routing DNS queries only, but not for searching. This option can sometimes fix local name resolving when using systemd-resolved. | boolean, route | false |
netdev files
These files will create virtual network devices. They have two sections: [Match] and [NetDev]. Below are commonly configured keys for each section. See systemd.netdev(5) for more information and examples.
[Match] section
- Host= the hostname
- Virtualization= check if running in a VM
[NetDev] section
Most common keys are:
- Name= the interface name (mandatory)
- Kind= e.g. bridge, bond, vlan, veth, sit, etc. (mandatory)
link files
These files are an alternative to custom udev rules and will be applied by udev as the device appears. They have two sections: [Match] and [Link]. Below are commonly configured keys for each section. See systemd.link(5) for more information and examples.
Tip: Use # udevadm test-builtin net_setup_link /sys/path/to/network/device to diagnose problems with .link files.
[Match] section
- MACAddress= the MAC address
- Host= the host name
- Virtualization=
- Type= the device type, e.g. vlan
[Link] section
- MACAddressPolicy= persistent or random addresses, or
- MACAddress= a specific address
Note: the system /usr/lib/systemd/network/99-default.link is generally sufficient for most of the basic cases.
Usage with containers
The service is available with systemd. You will want to enable and start the systemd-networkd.service unit on the host and in the container.
For debugging purposes, it is strongly advised to install the bridge-utils, net-tools, and iproute2 packages.
If you are using systemd-nspawn, you may need to modify the systemd-nspawn@.service unit and append boot options to the ExecStart line. Please refer to systemd-nspawn(1) for an exhaustive list of options.
Note that if you want to take advantage of automatic DNS configuration from DHCP, you need to enable systemd-resolved and symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf. See systemd-resolved.service(8) for more details.
Before you start to configure your container network, it is useful to:
- Stop the container's systemd-nspawn@.service instance (host only) to avoid potential conflicts and to ease debugging.
- Keep in mind that if a .network file does not have the IPForward=1 setting in it, systemd-networkd will turn off forwarding on this interface, even if you have it enabled globally.
- Use the networkctl command, which displays the status of network interfaces.
For the set-up described below, the output of the ip a command is limited to the interfaces concerned.
This setup will enable a DHCP IP for host and container. In this case, both systems will share the same IP as they share the same interfaces.
/etc/systemd/network/MyDhcp.network
[Match]
Name=en*
[Network]
DHCP=ipv4
Then, enable and start systemd-networkd.service on your container.
You can of course replace en* by the full name of your Ethernet device, given by the output of the ip link command.
$ ip a
2: enp7s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.72/24 brd 192.168.1.255 scope global enp7s0
       valid_lft forever preferred_lft forever
    inet6 fe80::16da:e9ff:feb5:7a88/64 scope link
       valid_lft forever preferred_lft forever
By default, the hostname received from the DHCP server will be used as the transient hostname.
To change this, add UseHostname=false in the [DHCPv4] section:
/etc/systemd/network/MyDhcp.network
[DHCPv4]
UseHostname=false
If you do not want to configure a DNS server in /etc/resolv.conf and want to rely on DHCP for setting it up, you need to enable systemd-resolved.service and symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf:
# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
See systemd-resolved.service(8) for more details.
Note: Users accessing a system partition via /usr/bin/arch-chroot from arch-install-scripts will need to create the symlink outside of the chroot, on the mounted partition. This is due to arch-chroot linking the file to the live environment.
DHCP with two distinct IP
Bridge interface
First, create a virtual bridge interface. We tell systemd to create a device named br0 that functions as an Ethernet bridge.
/etc/systemd/network/MyBridge.netdev
[NetDev]
Name=br0
Kind=bridge
Restart systemd-networkd.service to have systemd create the bridge.
On host and container:
$ ip a
3: br0: mtu 1500 qdisc noop state DOWN group default
    link/ether ae:bd:35:ea:0c:c9 brd ff:ff:ff:ff:ff:ff
Note that the interface br0 is listed but is still DOWN at this stage.
Bind ethernet to bridge
The next step is to add a network interface to the newly created bridge. In the example below, we add any interface that matches the name en* into the bridge br0.
/etc/systemd/network/bind.network
[Match]
Name=en*
[Network]
Bridge=br0
The Ethernet interface must not have DHCP or an IP address associated, as the bridge requires an interface to bind to with no IP: modify the corresponding /etc/systemd/network/MyEth.network accordingly to remove the addressing.
Bridge network
Now that the bridge has been created and bound to an existing network interface, the IP configuration of the bridge interface must be specified. This is defined in a third .network file; the example below uses DHCP.
/etc/systemd/network/mybridge.network
[Match]
Name=br0
[Network]
DHCP=ipv4
Add option to boot the container
As we want to give a separate IP to host and container, we need to disconnect the networking of the container from the host. To do this, add the option --network-bridge=br0 to your container boot command:
# systemd-nspawn --network-bridge=br0 -bD /path_to/my_container
Result
On the host:
$ ip a
3: br0: mtu 1500 qdisc noqueue state UP group default
    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.87/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::16da:e9ff:feb5:7a88/64 scope link
       valid_lft forever preferred_lft forever
6: vb-MyContainer: mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether d2:7c:97:97:37:25 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d07c:97ff:fe97:3725/64 scope link
       valid_lft forever preferred_lft forever
In the container:
$ ip a
2: host0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 5e:96:85:83:a8:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.73/24 brd 192.168.1.255 scope global host0
       valid_lft forever preferred_lft forever
    inet6 fe80::5c96:85ff:fe83:a85d/64 scope link
       valid_lft forever preferred_lft forever
Notice:
- there are two IP addresses: one for br0 on the host, and one for host0 in the container
- there is a vb-MyContainer interface in the host and a host0 interface in the container. This comes as a result of the --network-bridge=br0 option. This option implies another option, --network-veth. This means a virtual Ethernet link has been created between host and container.
- the DHCP configuration of host0 comes from the system /usr/lib/systemd/network/80-container-host0.network file.
$ brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.14dae9b57a88	no		enp7s0
							vb-MyContainer
The above command output confirms we have a bridge with two interfaces bound to it.
On the host:
$ ip route
default via 192.168.1.254 dev br0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.87
In the container:
$ ip route
default via 192.168.1.254 dev host0
192.168.1.0/24 dev host0 proto kernel scope link src 192.168.1.73
The above command outputs confirm we have activated the br0 and host0 interfaces with an IP address and the gateway 192.168.1.254. The gateway address has been automatically obtained by systemd-networkd.
$ cat /run/systemd/resolve/resolv.conf
nameserver 192.168.1.254
Setting a static IP for each device can be helpful in case of deployed web services (e.g. FTP, HTTP, SSH). Each device will keep the same MAC address across reboots if your system /usr/lib/systemd/network/99-default.link file has the MACAddressPolicy=persistent option (it has by default). Thus, you will easily route any service on your gateway to the desired device.
The following configuration needs to be done for this setup:
The configuration is very similar to that of #DHCP with two distinct IP. First, a virtual bridge interface needs to be created and the main physical interface needs to be bound to it. This task can be accomplished with the following two files, with contents equal to those available in the DHCP section:
/etc/systemd/network/MyBridge.netdev
/etc/systemd/network/MyEth.network
Next, you need to configure the IP and DNS of the newly created virtual bridge interface. The following MyBridge.network provides an example configuration:
/etc/systemd/network/MyBridge.network
[Match]
Name=br0
[Network]
DNS=192.168.1.254
Address=192.168.1.87/24
Gateway=192.168.1.254
First, we shall get rid of the system /usr/lib/systemd/network/80-container-host0.network file, which provides a DHCP configuration for the default network interface of the container. To do it in a permanent way (e.g. even after systemd upgrades), do the following on the container. This will mask the file /usr/lib/systemd/network/80-container-host0.network, since files of the same name in /etc/systemd/network take priority over /usr/lib/systemd/network. Keep in mind that this file can be kept if you only want a static IP on the host, and want the IP address of your containers to be assigned via DHCP.
# ln -sf /dev/null /etc/systemd/network/80-container-host0.network
Then, configure a static IP for the default host0 network interface and enable and start systemd-networkd.service on your container. An example configuration is provided below:
/etc/systemd/network/MyVeth.network
[Match]
Name=host0
[Network]
DNS=192.168.1.254
Address=192.168.1.94/24
Gateway=192.168.1.254
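Two things on this page are worth checking mechanically before restarting systemd-networkd: which .network file a given interface will actually pick up under the [Match] Name= rules (globs, `!` inversion, lexical order, empty [Match] matching everything) described in the configuration files section, and whether the interface bound to the bridge still carries DHCP or Address= settings, which the bridge sections above say must be removed. The following is an added example that serves both points; it is not code from the Arch Wiki page or from systemd. It assumes, to stay short, that only Name= is evaluated in [Match] (real systemd-networkd also evaluates the other match keys), and the file contents in FILES and BAD_PORT are constructed after the page's own examples.

```python
"""Added example (not from the Arch Wiki page): a reader for the key=value
sections of .network files, a [Match] Name= evaluator with globs and the '!'
inversion from the table above, the boolean spellings the page lists, and a
check that an interface bound to a bridge (Bridge=) carries no DHCP or
Address= of its own, which the bridge sections above require. Only Name= is
evaluated in [Match] here (an assumption to keep the example short); the file
contents are constructed after the page's examples."""
import fnmatch

TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"0", "false", "no", "off"}

# Constructed set of files as they would sit in /etc/systemd/network.
FILES = {
    "20-wired.network": "[Match]\nName=enp1s0\n[Network]\nAddress=10.1.10.9/24\nAddress=fd00::9/64\nGateway=10.1.10.1\n",
    "25-wireless.network": "[Match]\nName=wlp2s0\n[Network]\nDHCP=ipv4\n",
    "30-bind.network": "[Match]\nName=en*\n[Network]\nBridge=br0\n",
    "40-bridge.network": "[Match]\nName=br0\n[Network]\nDHCP=ipv4\n",
    "50-catchall.network": "[Match]\nName=!lo\n[Network]\nDHCP=yes\n",
}
# Same port file, but the addressing was not removed: the bridge will not get the link.
BAD_PORT = {"30-bind.network": "[Match]\nName=en*\n[Network]\nDHCP=ipv4\nBridge=br0\n"}


def parse_unit(text):
    """Return {section: {key: [values]}}; repeated keys such as Address= accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None:
            continue  # key outside any section: ignored
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def parse_bool(value):
    """Accept the spellings listed on the page; anything else is an error."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def name_matches(spec, ifname):
    """Name= is a whitespace-separated list of globs; a leading '!' inverts the list."""
    negate = spec.startswith("!")
    globs = spec.lstrip("!").split()
    hit = any(fnmatch.fnmatchcase(ifname, g) for g in globs)
    return hit != negate


def first_matching(files, ifname):
    """Files are considered in lexical order and the first one whose [Match]
    matches is applied; an empty or absent [Match] matches anything."""
    for name in sorted(files):
        match = parse_unit(files[name]).get("Match", {})
        specs = match.get("Name")
        if specs is None or any(name_matches(s, ifname) for s in specs):
            return name
    return None


def bridge_port_problems(files):
    """List DHCP=/Address= settings left on an interface that is a bridge port."""
    problems = []
    for name, text in sorted(files.items()):
        net = parse_unit(text).get("Network", {})
        if "Bridge" not in net:
            continue
        for key in ("DHCP", "Address"):
            for value in net.get(key, []):
                if key == "DHCP" and value.lower() in FALSE_WORDS:
                    continue
                problems.append(f"{name}: {key}={value} on bridge port for {net['Bridge'][0]}")
    return problems
```

To check a real host, read every file returned by `ls /etc/systemd/network` into a dict and pass it to first_matching() for each name in `networkctl list`; a catch-all such as Name=!lo placed early in lexical order is a common reason why a more specific file further down never applies.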
systemd-networkd does not have a proper interactive management interface, neither command-line nor graphical. Still, some tools are available to display the current state of the network, receive notifications or interact with the wireless configuration:
- resolvectl status
If running services like Samba/NFS which fail if they are started before the network is up, you may want to enable systemd-networkd-wait-online.service. This is, however, rarely necessary because most networked daemons start up fine even if the network has not been configured yet.
systemd-resolved may not search the local domain when given just the hostname, even when UseDomains=yes or Domains=[domain-list] is present in the appropriate .network file and that file produces the expected search [domain-list] in resolv.conf. You can run networkctl status or resolvectl status to check if the search domains are actually being picked up.
Possible workarounds:
- Adjust the hosts database in /etc/nsswitch.conf (e.g., by removing the [!UNAVAIL=return] option after the resolve service)
- Use /etc/hosts to resolve hostnames
- Use dns instead of systemd's resolve
The first PC has two LAN interfaces. The second PC has one LAN interface and is connected to the first PC. To give the second PC full LAN access through the bridged interface:
# sysctl net.bridge.bridge-nf-filter-pppoe-tagged=0
# sysctl net.bridge.bridge-nf-filter-vlan-tagged=0
# sysctl net.bridge.bridge-nf-call-ip6tables=0
# sysctl net.bridge.bridge-nf-call-iptables=0
# sysctl net.bridge.bridge-nf-call-arptables=0