On 29/07/2010 10:32, Daniel Lezcano wrote:
> On 07/29/2010 01:47 AM, Andy Billington wrote:
>> Firstly, I am just starting to look at LXC as a possible migration from
>> OpenSolaris, so excuse me if the question is obvious.
>> Reading what I have found so far, it seems clear that with a bridged
>> interface on the global side, the Containers can all have separate
>> network info (different IPs, subnets) and so on. The question I have
>> is: can each container run an independent, totally isolated IP stack
>> (like OpenSolaris Crossbow) including completely separate routing
>> tables and IPSec configurations?
>
> Yes, each container has its own private network stack; the
> virtualization begins at the L2 layer. The container will have its own
> network interfaces. From the linux kernel point of view, it was
> modified to dynamically allocate a new network stack with a syscall.
>
> I don't use ipsec within a container, but as far as I remember that
> was implemented 2 years ago right after pushing the core network
> virtualization, so I think it is supported per container so far.
>
>> The problem I'm investigating is that I currently have two Zones in
>> Solaris, call them Z1 (10.1.1.1/24) and Z2 (10.1.2.1/24). These then
>> talk to customer networks via IPSec; call them Customer1 and
>> Customer2. The "fun" part is the Customer networking: Customer1 uses
>> 192.168.1.0/24 as their internal range (ie. "behind" the VPN tunnel,
>> my IPSec emerges on 192.168.1.252), and Customer2 uses 192.168.0.0/16
>> as their internal range. So, overlapping ranges.
>
> ok.
>
>> Z1 talks to Customer1, Z2 talks to Customer2; it is critical they
>> cannot "see" each other. Crossbow is doing it just fine;
>
> I am not sure I understand "they cannot see each other", can you
> elaborate a bit?

Z1 and Customer1 traffic must be able to route between each other, but not reach either Z2 or Customer2.

>> can LXC do the same thing?
>
> I never tried this configuration, but at first glance I think the
> linux kernel supports that.
> Maybe someone on this mailing list tried that ...
>
> If you expect LXC to do the VPN setup for you, that is not (yet)
> supported.

That's fine.

> If you expect to run a virtualized system like ubuntu inside a
> container, you can configure this system to create a vpn/ipsec by
> installing openvpn and whatever you need, like any real host, for your
> configuration. This is about an appliance to be created (there are
> some basic appliances available for lxc you can improve).

It has got to be a full IPSec implementation, as in the future some Cisco IOS endpoints are joining in. I was going to use Racoon/IPsec-tools?

>> If LXC can do it, are there any gotchas or suggestions as to the
>> best choice for IPSec setup / configuration?
>
> For testing that, I suggest creating an ubuntu system (on an ubuntu
> host) via the command:
>
> lxc-create -n Z1 -f lxc.conf -t ubuntu
>
> where lxc.conf is:
>
> lxc.network.type=veth
> lxc.network.link=br0
> lxc.network.flags=up
>
> assuming you have a bridge br0 set up on your host with your nic
> attached to it.
>
> Then start the container:
>
> lxc-start -n Z1
>
> You will get a console, and you can log in with user: root / pwd: root
>
> At this point you can install/configure your container with openvpn.
>
> Hope that helps
> -- Daniel

Thank you!

One completely unrelated question: is there an LXC way to de-duplicate storage for Containers? The Z1 virtual machine and the Z2 virtual machine will be 95% identical, so I don't really want to have disks eaten up with two copies of identical files.

Andy

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
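Picking up Daniel's lxc.conf and lxc-create recipe, here is an added example (not from the thread or from the LXC project) of one way to keep Z1 and Z2 off each other's L2 segment: one host bridge per container (assumed names br1 and br2, assumed MACs and addresses), generated as separate configs and checked so that no two containers ever land on the same bridge.

```shell
#!/bin/sh
# Added example, not from the thread: emit one lxc.conf per container and
# put each container on its OWN host bridge, so Z1 and Z2 share no L2
# segment; with a private stack per container, Customer1's 192.168.1.0/24
# and Customer2's 192.168.0.0/16 then live in different routing tables.
# Keys used: lxc.network.type/link/flags (from Daniel's mail) plus
# lxc.utsname, lxc.network.hwaddr and lxc.network.ipv4 (real keys of
# LXC of that era). Bridge names br1/br2 and all addresses are assumed.

# gen_lxc_conf NAME BRIDGE MAC IPV4/PREFIX  -> prints the config on stdout
gen_lxc_conf() {
    printf 'lxc.utsname=%s\n'        "$1"
    printf 'lxc.network.type=veth\n'
    printf 'lxc.network.link=%s\n'   "$2"
    printf 'lxc.network.flags=up\n'
    printf 'lxc.network.hwaddr=%s\n' "$3"
    printf 'lxc.network.ipv4=%s\n'   "$4"
}

# bridges_disjoint FILE...  -> succeeds only if no two configs name the
# same bridge, i.e. no two containers would sit on a shared L2 segment.
bridges_disjoint() {
    dups=$(sed -n 's/^lxc\.network\.link=//p' "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

# Demo: write Z1.conf and Z2.conf to a scratch dir and verify the
# isolation property; the lxc-create commands are echoed, never run here.
demo() {
    dir=$(mktemp -d)
    gen_lxc_conf Z1 br1 00:16:3e:00:00:01 10.1.1.1/24 > "$dir/Z1.conf"
    gen_lxc_conf Z2 br2 00:16:3e:00:00:02 10.1.2.1/24 > "$dir/Z2.conf"
    if bridges_disjoint "$dir/Z1.conf" "$dir/Z2.conf"; then
        echo "lxc-create -n Z1 -f $dir/Z1.conf -t ubuntu"
        echo "lxc-create -n Z2 -f $dir/Z2.conf -t ubuntu"
    else
        echo "refusing: two containers would share a bridge" >&2
        return 1
    fi
}

demo
```

The host side still needs br1 and br2 created (with their own uplinks or VLANs) before lxc-start; the check only guards the container configs.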