diff --git a/doc/container.md b/doc/container.md
index 59aca114b..eb6de6233 100644
--- a/doc/container.md
+++ b/doc/container.md
@@ -668,6 +668,12 @@ set:
 For an example of both, see the next section.
+> [!IMPORTANT]
+> **VETH Pair Limitation:** When using VETH pairs with containers, at least
+> one side of the pair must remain in the host namespace. It is currently
+> not possible to create VETH pairs where both ends are assigned to different
+> containers. One end must always be accessible from the host.
+
 [^3]: Something which the container bridge network type does behind the scenes with one end of an automatically created VETH pair.
diff --git a/src/confd/yang/confd/infix-if-container.yang b/src/confd/yang/confd/infix-if-container.yang
index f496aa4ff..2a2e1bd98 100644
--- a/src/confd/yang/confd/infix-if-container.yang
+++ b/src/confd/yang/confd/infix-if-container.yang
@@ -59,7 +59,11 @@ submodule infix-if-container {
 identity host {
 base container-network;
- description "Host device, e.g., one end of a VETH pair or other host interface.";
+ description "Host device, e.g., one end of a VETH pair or other host interface.
+
+ Note: When using VETH pairs, at least one side must remain in the
+ host namespace. Both ends of a VETH pair cannot be assigned to
+ different containers.";
 }
 /*
diff --git a/src/confd/yang/confd/infix-if-veth.yang b/src/confd/yang/confd/infix-if-veth.yang
index bd29d4343..d997ba360 100644
--- a/src/confd/yang/confd/infix-if-veth.yang
+++ b/src/confd/yang/confd/infix-if-veth.yang
@@ -13,7 +13,11 @@ submodule infix-if-veth {
 organization "KernelKit";
 contact "kernelkit@googlegroups.com";
- description "Linux virtual Ethernet pair extension for ietf-interfaces.";
+ description "Linux virtual Ethernet pair extension for ietf-interfaces.
+
+ Note: When using VETH pairs with containers, at least one side
+ of the pair must remain in the host namespace. Both ends of a
+ VETH pair cannot be assigned to different containers.";
 revision 2023-06-05 {
 description "Initial revision.";
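Review bot: The VETH restriction is stated only as description prose here, and neither this hunk nor the matching description change in infix-if-container.yang adds a `must` constraint, so as far as the visible lines show, a configuration that places both ends of a pair in containers would still pass schema validation. If the surrounding model can express it, enforcing the rule in the schema would reject such a configuration at commit time instead of leaving it to fail or misbehave when applied. The second sentence is also narrower than the first: "at least one side of the pair must remain in the host namespace" excludes any assignment of both ends to containers, while "cannot be assigned to different containers" leaves the same-container case unstated; `Both ends of a VETH pair cannot be assigned to containers.` would match the first sentence. The context still shows `revision 2023-06-05` as "Initial revision." with no new entry in this hunk, so it is worth confirming whether the project records description-only changes with a revision statement; the submodule body continues outside the hunk.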