On 07/29/2010 01:47 AM, Andy Billington wrote:
> Firstly, I am just starting to look at LXC as a possible migration from
> OpenSolaris, so excuse me if the question is obvious.
>
> Reading what I have found so far, it seems clear that with a bridged
> interface on the global side, the Containers can all have separate
> network info (different IPs, subnets) and so on. The question I have
> is: can each container run an independent, totally isolated IP stack
> (like OpenSolaris Crossbow), including completely separate routing
> tables and IPSec configurations?

Yes, each container has its own private network stack; the virtualization begins at the L2 layer. The container will have its own network interfaces. From the Linux kernel point of view, it was modified to dynamically allocate a new kernel stack with a syscall.

I don't use IPsec within a container, but as far as I remember that was implemented 2 years ago, right after pushing the core network virtualization, so I think it is supported per container so far.

> The problem I'm investigating is that I currently have two Zones in
> Solaris, call them Z1 (10.1.1.1/24) and Z2 (10.1.2.1/24). These then
> talk to customer networks via IPSec; call them Customer1 and
> Customer2. The "fun" part is the Customer networking: Customer1 uses
> 192.168.1.0/24 as their internal range (ie. "behind" the VPN tunnel,
> my IPSec emerges on 192.168.1.252), and Customer2 uses 192.168.0.0/16
> as their internal range. So, overlapping ranges.

ok.

> Z1 talks to Customer1, Z2 talks to Customer2, it is critical they
> cannot "see" each other. Crossbow is doing it just fine;

I am not sure I understand "they cannot see each other", can you elaborate a bit?

> can LXC do the same thing?

I never tried this configuration, but at first glance I think the Linux kernel supports that. Maybe someone on this mailing list tried that ...

If you expect LXC to do the VPN setup for you, that is not (yet) supported.

If you expect to run a virtualized system like Ubuntu inside a container, you can configure this system to create a VPN/IPsec by installing OpenVPN and whatever you need, like on any real host, for your configuration. This is about an appliance to be created (there are some basic appliances available for LXC that you can improve).

> If LXC can do it, are there any gotchas or suggestions as to the best
> choice for IPSec setup / configuration?

For testing that, I suggest creating an Ubuntu system (on an Ubuntu host) via the command:

    lxc-create -n Z1 -f lxc.conf -t ubuntu

where lxc.conf is:

    lxc.network.type=veth
    lxc.network.link=br0
    lxc.network.flags=up

assuming you have a bridge br0 set up on your host with your NIC attached to it.

Then start the container:

    lxc-start -n Z1

You will get a console, and you can log in with user: root / pwd: root.

At this point you can install/configure your container with OpenVPN.

Hope that helps

-- Daniel
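The point of the thread (why overlapping customer ranges only work when each container owns its own routing table) can be illustrated with a small routing model. This is an added example, not code from the thread or from LXC; the route tables, next-hop names (`ipsec-customer1`, `ipsec-customer2`) and addresses are constructed from the Z1/Z2 scenario above, and the lookup is a plain longest-prefix match standing in for the kernel's.

```python
import ipaddress

# Constructed per-container routing tables for the scenario in the thread:
# Z1 reaches Customer1 (192.168.1.0/24) over its IPsec tunnel,
# Z2 reaches Customer2 (192.168.0.0/16) over its own tunnel.
Z1_TABLE = [("10.1.1.0/24", "eth0"), ("192.168.1.0/24", "ipsec-customer1")]
Z2_TABLE = [("10.1.2.0/24", "eth0"), ("192.168.0.0/16", "ipsec-customer2")]
CONTAINER_TABLES = {"Z1": Z1_TABLE, "Z2": Z2_TABLE}


def lookup(table, dst):
    """Longest-prefix-match route lookup; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def shared_stack_lookup(dst):
    """Model of ONE shared stack: both zones' routes live in a single table."""
    return lookup(Z1_TABLE + Z2_TABLE, dst)


def per_container_lookup(container, dst):
    """Model of per-container stacks: each zone consults only its own table."""
    return lookup(CONTAINER_TABLES[container], dst)


def cross_tenant_leaks():
    """Destinations where a shared table would send a zone's packet to the
    other customer's tunnel (the "can see each other" failure mode)."""
    leaks = []
    for container in CONTAINER_TABLES:
        for dst in ("192.168.1.5", "192.168.7.9"):
            own = per_container_lookup(container, dst)
            shared = shared_stack_lookup(dst)
            if shared != own:
                leaks.append((container, dst, shared))
    return leaks
```

With separate tables Z2's traffic for 192.168.1.5 goes to Customer2 and Z1 has no route at all to 192.168.7.9; a single shared table would silently steer Z2's 192.168.1.x packets down Customer1's tunnel.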