Re: how to create bridge on main interface?

On 2021-03-23 16:42 +0100, Thomas Haller wrote:
On Tue, 2021-03-23 at 15:28 +0100, Jan Hutař via networkmanager-list

Hopefully this is a good place to ask. If not, please suggest something

For quite some time I'm trying to figure out how to create a bridge
using the main network interface (the only one which is routable to the

I have tried these Ansible tasks:

     - name: "Get {{ public_nic }} connection name"
       shell: nmcli --terse device | grep "^{{ public_nic }}:" | cut -d ':' -f 4
       register: public_connection_cmd
     - name: "Extract {{ public_nic }} connection name"
       set_fact:
         # stdout|trim rather than stdout_lines|first: an empty result must not fail the task
         public_connection: "{{ public_connection_cmd.stdout|trim }}"

     - name: "Create brpublic bridge connection"
       nmcli:
         conn_name: brpublic
         ifname: brpublic
         type: bridge
         stp: no
         state: present

     - name: "Put {{ public_nic }} device into brpublic"
       nmcli:
         conn_name: brpublic-slave
         ifname: "{{ public_nic }}"
         type: bridge-slave
         master: brpublic
         state: present

     - name: "Remove old {{ public_nic }} connection"
       nmcli:
         conn_name: "{{ public_connection }}"
         state: absent
       when: "public_connection != '' and public_connection != 'brpublic-slave'"

This is the ansible module "nmcli". I am not familiar with that, it
might be fine though. FYI, there is also


Thank you for the feedback.

I did not know about linux-system-roles/network, will try!

but this breaks the network on the last task.

I have also tried these two ways via "shell":

     set -xe

     old_connection=$( nmcli --terse device | grep "^{{ public_nic }}:" | cut -d ':' -f 4 )

while not a big difference, I'd do:

 old_connection="$(nmcli -g DEVICE,CON-UUID device | sed -n 's/^{{ public_nic }}://p')"

Oh, yes, seems a bit safer. Unfortunately it looks like the nmcli Ansible module
does not support a connection UUID as "con-name" (at least it is not
documented), so I can not use it everywhere.

     nmcli con add type bridge con-name brpublic ifname brpublic
     ###nmcli con add type bridge-slave con-name brpublic-slave ifname "{{ public_nic }}" master brpublic
     nmcli connection modify "$old_connection" master brpublic

nmcli connection modify uuid "$old_connection" master brpublic

     ###if [ -n "$old_connection" -a "$old_connection" != 'brpublic-slave' ]; then
     ###    nmcli c delete "$old_connection"
     ###fi

     nmcli con up brpublic

if the port profile "$old_connection" was already activated, then this
script does not change anything about that.

Your script modifies "$old_connection", but modifying a profile only
does that. If the profile is currently active, then those changes only
take effect after activating the profile again (with `nmcli connection
up uuid "$old_connection"`).

Aaah, so this was the missing bit.

This concept of "profile" is something I have seen referred to from various
docs, but have not seen it explained like this.

For now this works for me:

    - name: "Setup brpublic via shell as we need to do it atomically ;-)"
      shell: |
        set -xe

        # Get connection UUID for the interface (empty when it has no active profile)
        old_connection=$( nmcli -g DEVICE,CON-UUID device | sed -n 's/^{{ public_nic }}://p' )
        [ -n "$old_connection" ] || { echo "no active connection on {{ public_nic }}" >&2; exit 1; }

        # Create bridge
        nmcli con add \
          type bridge \
          ifname brpublic \
          autoconnect yes \
          stp no \
          con-name brpublic

        # Add public_nic into the bridge
        nmcli con delete \
          uuid "$old_connection"
        nmcli con add \
          type bridge-slave \
          ifname "{{ public_nic }}" \
          master brpublic \
          con-name brpublic-slave

        # Make sure it is up
        nmcli con up \
          brpublic

Is it better to modify $old_connection and then `nmcli connection up
uuid "$old_connection"`? Would connection type auto update to
"bridge-slave", or will it remain "ethernet" if I go the `nmcli modify
...` route?

but this fails as well (script works, but at the end according to `ip a`
the IP is still on the main interface, not on "brpublic").

My end goal is to have a VM on that bridge that can be accessible from
the outside network.

What is the right way to do that remotely?

That sounds doable. But I'd suggest to test the script under
circumstances where you can easily recover from losing connections.

Yeh, I enjoyed nice time in server's remote virtual console :-)

Thank you,

Jan Hutar   Performance Engineering
jhutar redhat com     Red Hat, Inc.
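A worked version of the procedure discussed in this thread, added here as an example; it is not code from the thread, from NetworkManager or from Red Hat. It keeps the NIC's existing profile and turns it into a bridge port (the `nmcli connection modify` route Jan asked about) instead of deleting it, copies that profile's IPv4 settings onto the bridge first, because a profile's own IP settings are not used once it is a port, re-activates the port profile so the modified profile actually takes effect (the step Thomas pointed out), and arms a `systemd-run` rollback timer before touching anything, so a host that stops answering over SSH reverts on its own. Assumptions that are mine, not the thread's: IPv4 only is carried over, `systemd-run` is available, the device, bridge name and rollback delay are positional arguments, and the unit name `nm-bridge-rollback`.

```shell
#!/bin/sh
# Added example (not from the thread, NetworkManager or Red Hat): migrate the
# routable NIC into a bridge with nmcli, re-activating the port profile so the
# change applies, with a rollback timer armed first for remote safety.
# Assumptions of this script (mine): IPv4 only, systemd-run available,
# device / bridge name / rollback delay passed as positional arguments.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints state-changing commands instead of running them

# UUID of the profile active on device $1, parsed from `nmcli -g DEVICE,CON-UUID device`
# output on stdin: one "device:uuid" line per device, empty uuid when nothing is active.
device_con_uuid() {
    sed -n "s/^$1://p" | head -n 1
}

# Print the migration as nmcli commands, one per line.
#   $1 device  $2 bridge name  $3 uuid of the profile active on $1
#   $4 ipv4.method  $5 ipv4.addresses  $6 ipv4.gateway  $7 ipv4.dns (of that profile)
# The IPv4 settings go onto the bridge: a profile's own IP settings are not used
# once it is a port. The old profile is kept and becomes the port (connection.type
# stays ethernet; the port role is connection.master/connection.slave-type), and
# re-activating it is what makes NetworkManager apply the modified profile.
bridge_plan() {
    dev=$1 br=$2 uuid=$3 method=$4 addrs=$5 gw=$6 dns=$7
    if [ -z "$uuid" ]; then
        echo "bridge_plan: no active connection profile on $dev" >&2
        return 1
    fi
    cat <<EOF
nmcli connection add type bridge con-name "$br" ifname "$br" stp no autoconnect yes connection.autoconnect-slaves yes ipv4.method "$method" ipv4.addresses "$addrs" ipv4.gateway "$gw" ipv4.dns "$dns"
nmcli connection modify uuid "$uuid" connection.master "$br" connection.slave-type bridge
nmcli connection up uuid "$uuid"
EOF
}

# Shell one-liner that undoes bridge_plan (same arguments): detach the port,
# give it its IPv4 settings back, re-activate it, then delete the bridge.
rollback_cmd() {
    br=$2 uuid=$3 method=$4 addrs=$5 gw=$6 dns=$7
    printf '%s && %s && %s && %s\n' \
      "nmcli connection modify uuid \"$uuid\" connection.master \"\" connection.slave-type \"\"" \
      "nmcli connection modify uuid \"$uuid\" ipv4.method \"$method\" ipv4.addresses \"$addrs\" ipv4.gateway \"$gw\" ipv4.dns \"$dns\"" \
      "nmcli connection up uuid \"$uuid\"" \
      "nmcli connection delete \"$br\""
}

# Run one planned command line, or only print it under DRY_RUN.
run_line() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Usage: migrate_to_bridge <device> <bridge> [rollback-delay-seconds]
# The read-only nmcli queries below run even under DRY_RUN.
migrate_to_bridge() {
    dev=$1 br=$2 delay=${3:-180}
    uuid=$(nmcli -g DEVICE,CON-UUID device | device_con_uuid "$dev")
    [ -n "$uuid" ] || { echo "no active connection profile on $dev" >&2; exit 1; }
    method=$(nmcli -g ipv4.method connection show uuid "$uuid")
    addrs=$(nmcli -g ipv4.addresses connection show uuid "$uuid")
    gw=$(nmcli -g ipv4.gateway connection show uuid "$uuid")
    dns=$(nmcli -g ipv4.dns connection show uuid "$uuid")

    # Safety net first: a transient timer reverts everything after $delay seconds
    # unless `systemctl stop nm-bridge-rollback.timer` is run once the host is
    # confirmed reachable on the bridge.
    run_line "systemd-run --on-active=$delay --unit=nm-bridge-rollback sh -c '$(rollback_cmd "$dev" "$br" "$uuid" "$method" "$addrs" "$gw" "$dns")'"

    bridge_plan "$dev" "$br" "$uuid" "$method" "$addrs" "$gw" "$dns" | while IFS= read -r line; do
        run_line "$line"
    done
    echo "Verify connectivity, then: systemctl stop nm-bridge-rollback.timer" >&2
}

if [ "$#" -ge 2 ]; then
    migrate_to_bridge "$@"
fi
```

Preview with `DRY_RUN=1 sh bridge-migrate.sh eth0 brpublic 180`, apply without `DRY_RUN`, then confirm you can reach the host on the bridge and stop the timer before the delay expires. If you cannot get back in, the timer detaches the port, restores its IPv4 settings, re-activates it and deletes the bridge, which is the "easy recovery" Thomas recommends having before running this remotely.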
