Every VM deployed on the ThreeFold network is equipped with at least one virtual network interface (NIC). We usually call this the “Wireguard” interface because it can be used for communication in WireGuard private networks between VMs or for users to connect to the VM. But this interface also plays an important role in VMs that don’t have a public IP assigned to them—it serves as the gateway to the public internet as the default route.
When a public IP is assigned to a VM and there’s no need for communication over Wireguard, then this default interface is just something extra. While that normally causes no issues, we have received some questions from users about whether it’s possible to deploy a VM without it because this causes an inconvenience with the use of certain software inside the VM.
It’s not possible to remove the interface entirely, and I’d rather not pursue this as a feature in Zos and our interfaces due to the additional complexity it would add. But with just a bit of knowledge about how our full VMs handle network config, it is possible to disable the extra interface such that it shouldn’t get in the way.
Get yourself a full VM with public IP
This method is only applicable to full VMs (Ubuntu for this example), and if you want your VM to retain access to the public internet, it will need a public IP. Ideally you equip the VM with both IPv4 and IPv6 addresses if the node you are deploying on supports it. Otherwise you might lose IPv6 capability via this method.
In a default configuration, the network configuration cascades like this at the first boot of the VM:
-
cloud-init
reads the network config supplied by Zos via a small attached virtual disk -
cloud-init
then outputs anetplan
config -
netplan
ultimately supplies a configuration tosystemd-networkd
which manages the NICs
On each subsequent boot, only the third step is performed. That means that by editing the netplan
config, we can permanently change how the system sets up its networking.
Edit the netplan config
Using your editor of choice, open the netplan
config generated by cloud-init
. For example:
nano /etc/netplan/50-cloud-init.yaml
Here’s what it might look like right after deployment, with the Wireguard interface at eth0
:
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot. To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
ethernets:
eth0:
addresses:
- 10.20.4.2/24
- fd57:5564:6964:4::2/64
dhcp4: false
gateway4: 10.20.4.1
match:
macaddress: e6:f9:aa:71:e3:79
nameservers:
addresses:
- 8.8.8.8
- 1.1.1.1
- 2001:4860:4860::8888
routes:
- to: 10.20.0.0/16
via: 10.20.4.1
- to: 100.64.0.0/16
via: 10.20.4.1
eth1:
addresses:
- 185.206.122.147/24
- 2a10:b600:1:0:c23:eeff:fe83:a236/64
dhcp4: false
gateway4: 185.206.122.1
gateway6: fe80::2e0:ecff:fe7b:7a67
match:
macaddress: 0e:23:ee:83:a2:36
I will make two changes to this file. First, I will move the name server block from eth0
down to eth1
, to make sure that DNS continues to work. Then I will remove the eth0
block entirely. Here’s the result:
network:
ethernets:
eth1:
addresses:
- 185.206.122.147/24
- 2a10:b600:1:0:c23:eeff:fe83:a236/64
dhcp4: false
gateway4: 185.206.122.1
gateway6: fe80::2e0:ecff:fe7b:7a67
match:
macaddress: 0e:23:ee:83:a2:36
nameservers:
addresses:
- 8.8.8.8
- 1.1.1.1
- 2001:4860:4860::8888
If you have Yggdrasil or Mycelium active on the VM, there will be additional network interfaces below eth1
. Just leave those as they are if that’s the case.
Reboot and check
Now you can reboot the VM, and when it comes back eth0
(it’s been renamed to ens3
) should be in a down and non configured state:
It would be good to verify that you still have internet access by running some command that depends on it, like apt update
.
Now if you’re sharp, you will have noticed there is a comment in the netplan
config file that says that changes are not persisted across reboots. In my experience that was not the case, but your mileage may vary. If you want to be extra safe, or if you happen to notice that that the config has reverted in your case, just follow the instructions given to prevent cloud-init
from performing network config again.
Conclusion
Today we saw how just a bit of knowledge about how the network configuration is happening on ThreeFold VMs can help to achieve the desire outcome in this case. I hope this helps!