On Sun, Mar 4, 2018 at 5:27 PM, Marat Khalili <m...@rqc.ru> wrote:
> On 04/03/18 02:26, Steven Spencer wrote:
>
>> Honestly, unless I'm spinning up a container on my local desktop, I always
>> use the routed method. Because our organization always thinks of a container
>> as a separate machine, it makes the build pretty similar whether the machine
>> is on the LAN or WAN side of the network. It does, of course, require that
>> each container run its own firewall, but that's what we would do with any
>> machine on our network.
>
> Can you please elaborate on your setup? It always seemed like administrative
> hassle to me. Outside routers need to know how to find your container. I
> can see three ways, each has its drawbacks:
>
> 1. Broadcast container MACs outside, but L3-route packets inside the server
> instead of L2-bridging. Seems clean but I don't know how to do it in [bare]
> Linux.
Here's one way to do it, with manual networking setup in lxd (making this
automated and converting this to lxc is left as an exercise for readers; I
don't use lxc anymore).

Environment:
- host eth0 is 10.0.3.117/24 with router on 10.0.3.1 (this is actually an lxd
  container with nesting enabled, which should behave like a baremetal lxd
  host for this purpose)
- guest container name is 'c1' (which is a nested container in this case)
- host will use proxyarp to broadcast c1's MAC
- c1 will use routed setup using veth and p2p ip
- c1 will see a network interface called 'c-c1' instead of 'eth0'
- c1 will use 10.0.3.201
- host side of veth pair will be called 'h-c1', and use 10.0.0.1 (can be any
  unused IP in your network, can be used multiple times on different veths)

Setup in host:

### start with "c1" stopped

### enable proxyarp on the uplink and ip forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

### create veth pair (h-c1 stays on the host, c-c1 goes into the container)
ip link add dev h-c1 type veth peer name c-c1

### setup veth pair on host side: point-to-point address, peer is c1's IP
ip address add 10.0.0.1 peer 10.0.3.201 dev h-c1 scope link
ip link set dev h-c1 up

### configure c1 to use the created veth pair. "lxc config edit c1", then add
### these lines in "devices" section.
### use "eth0" as section name so that it replaces "eth0" inherited from the
### profile
devices:
  eth0:
    name: c-c1
    nictype: physical
    parent: c-c1
    type: nic

### start the container
lxc start c1

Setup in c1:

### setup veth pair (container side), default route via the host's p2p address
ip address add 10.0.3.201 peer 10.0.0.1 dev c-c1
ip link set dev c-c1 up
ip route add default via 10.0.0.1

### test connectivity with router
ping -n -c 1 10.0.3.1

--
Fajar
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
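The procedure above, as an added example that is not part of Fajar's message or of lxd itself: a POSIX shell script that wraps the host-side and guest-side steps into functions, so the same routed setup can be repeated per container. The container name (c1), uplink (eth0), guest address (10.0.3.201), host p2p address (10.0.0.1) and router (10.0.3.1) are taken from the message's environment and are assumptions; the device is attached with "lxc config device add" instead of "lxc config edit", and the anti-spoofing FORWARD rule is an addition the message does not contain. DRY_RUN=1 (the default) only prints the commands, so the script can be run unprivileged to review them; DRY_RUN=0 executes them as root.

```shell
#!/bin/sh
# Added example, not from Fajar's message: proxyarp + veth "routed" container
# setup for lxd as reusable functions. Assumed names/addresses: container c1,
# host uplink eth0, guest 10.0.3.201, host end of the veth pair 10.0.0.1,
# LAN router 10.0.3.1. DRY_RUN=1 (default) prints commands only.

# run: print a command, then execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

# is_ipv4: loose dotted-quad check, enough to catch argument mix-ups.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# routed_host_setup NAME HOSTIF GUEST_IP P2P_IP
# Host side: proxyarp so the host answers ARP for GUEST_IP on HOSTIF,
# forwarding, a veth pair h-NAME/c-NAME with a point-to-point address, and
# the lxd nic device that hands c-NAME to the container (same result as the
# "lxc config edit" snippet in the message). Run while NAME is stopped.
routed_host_setup() {
    [ $# -eq 4 ] || { echo "usage: routed_host_setup NAME HOSTIF GUEST_IP P2P_IP" >&2; return 1; }
    name=$1 hostif=$2 guest_ip=$3 p2p_ip=$4
    is_ipv4 "$guest_ip" && is_ipv4 "$p2p_ip" || { echo "bad IPv4 address" >&2; return 1; }

    run sysctl -w "net.ipv4.conf.$hostif.proxy_arp=1"
    run sysctl -w net.ipv4.ip_forward=1
    run ip link add dev "h-$name" type veth peer name "c-$name"
    run ip address add "$p2p_ip" peer "$guest_ip" dev "h-$name" scope link
    run ip link set dev "h-$name" up
    # Addition not in the message: ip_forward=1 is global, so only forward
    # packets from this veth that carry the container's own source address.
    run iptables -A FORWARD -i "h-$name" ! -s "$guest_ip" -j DROP
    run lxc config device add "$name" eth0 nic nictype=physical parent="c-$name" name="c-$name"
    run lxc start "$name"
}

# routed_guest_setup NAME GUEST_IP P2P_IP ROUTER_IP
# Guest side, driven from the host with "lxc exec": address the container end
# of the veth pair, default-route via the host's p2p address, ping the router.
routed_guest_setup() {
    [ $# -eq 4 ] || { echo "usage: routed_guest_setup NAME GUEST_IP P2P_IP ROUTER_IP" >&2; return 1; }
    name=$1 guest_ip=$2 p2p_ip=$3 router_ip=$4
    run lxc exec "$name" -- ip address add "$guest_ip" peer "$p2p_ip" dev "c-$name"
    run lxc exec "$name" -- ip link set dev "c-$name" up
    run lxc exec "$name" -- ip route add default via "$p2p_ip"
    run lxc exec "$name" -- ping -n -c 1 "$router_ip"
}

# Stand-alone use: DRY_RUN=0 ./routed.sh c1 eth0 10.0.3.201 10.0.0.1 10.0.3.1
if [ $# -eq 5 ]; then
    routed_host_setup "$1" "$2" "$3" "$4"
    routed_guest_setup "$1" "$3" "$4" "$5"
fi
```

Two things to keep in mind when reviewing the printed commands: proxy_arp on eth0 makes the host answer ARP on the LAN for every destination it routes via another interface, which is exactly what makes 10.0.3.201 reachable but also means each routed container's address is advertised from the host's MAC; and ip_forward=1 applies to all interfaces, so without the FORWARD rule (or the per-container firewall Steven mentions) the host will forward whatever a container sends, including spoofed source addresses.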