[lxc-users] "mesh networking" for lxc containers (similar to weave)?

2015-06-19 Thread Tomasz Chmielewski
Are there any solutions which would let one build "mesh networking" for 
lxc containers, similar to what weave does for docker?


Assumptions:

- multiple servers (hosts) which are not in the same subnet (i.e. in 
different DCs in different countries),
- containers share the same subnet (i.e. 10.0.0.0/8), no matter on which 
host they are running
- if a container is migrated to a different host, it is still reachable on 
the same IP address without any changes in the networking



I suppose the solution would run only once on each of the hosts, rather 
than in each container.


Is there something similar for lxc?

--
Tomasz Chmielewski
http://wpkg.org

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?

2015-06-19 Thread Christoph Lehmann
There is no magic with LXC's networking. It's just a bridge and some iptables 
rules for NAT and a DHCP server.

You can set up a bridge on your public interface, configure the container to use 
that bridge and do the same on your second host.


-- 
This message was sent from my Android mobile phone with K-9 Mail.

Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?

2015-06-19 Thread Tomasz Chmielewski
I know this is just "normal networking", however, there are at least two 
issues with your suggestions:


- it assumes the hosts are in the same subnet (say, connected to the 
same switch), so it won't work if the hosts have two different public 
IPs (i.e. 46.1.2.3 and 124.8.9.10)


- with just two hosts, you may overcome the above limitation with some 
VPN magic; however, it becomes problematic as the number of hosts grows 
(imagine 10 or more hosts, trying to set it up without SPOF / central 
VPN server; ideally, the hosts should talk to themselves using the 
shortest paths possible)



Therefore, I'm asking if there is any better "magic", as you say, for 
lxc networking?
Possibly it could be achieved with tinc, running on hosts only - 
http://www.tinc-vpn.org/ - but I haven't really used it.

And maybe people have other ideas?

--
Tomasz Chmielewski
http://wpkg.org



Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?

2015-06-19 Thread Janjaap Bos
Yes, ZeroTier provides peer-to-peer virtual networking. It is cloud /
container / virtualiser agnostic. It will work anywhere and we use it for
connecting containers & VMs across clouds, and also to provide access to users
on Windows / OS X.

Within the container you need access to the /dev/net/tun device and
depending on the flavour (lxc / lxd / docker) net_admin capabilities.

You can download it at https://www.zerotier.com or build it from
https://github.com/zerotier/ZeroTierOne

Since it is peer-to-peer there is very little overhead. Packets destined
for local peers will stay within the local net. You can create very large
distributed flat ether networks. Great for the type of cloud backplane you
described.

Also, this enables you to live migrate instances while maintaining their
network configuration.


Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?

2015-06-22 Thread Luis M. Ibarra
Have you checked Fan?

http://blog.dustinkirkland.com/2015/06/the-bits-have-hit-fan.html?m=1


-- 
Luis M. Ibarra

Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?

2015-06-23 Thread brian mullan
First, I would say that I only read about Canonical's FAN yesterday so have
no insight into what it can or can't do.

This spring I spent time looking at various solutions for network overlays
because of my interest in SDN and LXC.

My use-case "requirements" were:

   1. to be able to interconnect LXC containers on any server on any Cloud
   or private DataCenter
   2. be simple to install & configure
   3. be full-mesh without requiring any "super-node" in the network
   4. provide layer 2 (L2) support thus supporting BOTH IPv4 -and- IPv6
   5. support multi-tenancy use
   6. transparency to firewall & NAT
   7. be open source

For SDN use, VxLAN is problematic because of its usual requirement for
multicast to be enabled in the network, which for most ISPs or Cloud
environments is not available.

Yes, there are some unicast VxLAN solutions now but they almost all (AFAIK)
require use of proprietary networking hardware (Cisco, Juniper). I've
not used Flannel yet but I do not believe it requires multicast.

So I began looking at various full mesh VPN solutions including:

   - ControlTier - required a "super-node"
   - Tinc - fairly complex setup/configuration
   - others.

I also examined CJDNS but learned it may not be appropriate for my use case
because of the way it's architected.

A side benefit of a full-mesh VPN Network Overlay was that all the traffic
would be encrypted.

After looking at various full-mesh VPN solutions I found and used PeerVPN.


PeerVPN:

   - was created by a recent PhD (Tobias Volk)
   - was implemented in C & is fast
   - is open source
   - is a self-learning full-mesh VPN
   - provides strong encryption
   - and worked great with LXC but also with Docker and other
   container technologies.

Because PeerVPN is an L2 VPN it also can support:

   - both IPv4 and IPv6 (simple configuration)
   - use of routing protocols over it
   - implementation & use of VxLAN later when I get time
   - multi-tenancy use

Because I wanted to interconnect LXC between any IaaS Cloud the PeerVPN
encryption would ensure the security of the traffic.

This worked extremely well and met all of "use-case" requirements.

PeerVPN was simple to configure & set up (only 5 or 6 commands)... maybe 10
if you configure both IPv4 and IPv6. It's also a self-learning full mesh
VPN w/no super-node requirement.

I documented all of this on a blog post where I hope I have provided enough
info. I had input from the author (Tobias Volk) and others who had read
it.

Proof-of-Concept Secure Mesh VPN Network Interconnect for LXC containers in
Multiple IaaS Clouds 

My testing of this included LXC containers running on "host" Servers on AWS
and Digital Ocean Clouds as well as a local server.

No machine required more than 5-6 simple config commands for either IPv4
-or- IPv6 and maybe 10 commands total if using both.

The full mesh VPN learned new nodes quickly and quickly provided an
any-to-any connection, usually within a few seconds.

With the advent of LXD capabilities for remote LXC management/control the
PeerVPN solution also presents a simple solution to a complex problem in a
multi-cloud environment.

Brian
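An added example, not code from Brian's blog post or from the PeerVPN project, of the host-side pieces that tie Brian's L2 full-mesh recommendation back to Tomasz's requirements: a strength check on the pre-shared key that admits a host to the mesh, a generated peervpn.conf whose tap interface carries no address of its own, the LXC 1.x network stanza that puts a container on the bridge with a fixed 10.0.0.0/8 address, and the bridge attachment. The PeerVPN keys follow its sample configuration as I recall it; the names br-mesh and peervpn0, the 32-character minimum, and the peer addresses are assumptions or values constructed from this thread.

```shell
#!/bin/sh
# Host-side setup for an L2 PeerVPN mesh carrying an LXC bridge, so containers keep
# their 10.0.0.0/8 addresses no matter which host they run on.
# Assumptions: PeerVPN config keys (port, networkname, psk, enabletunneling,
# interface, initpeers) as in PeerVPN's sample config; LXC 1.x lxc.network.* keys;
# the names br-mesh and peervpn0 and the 32-character PSK minimum are our choices.

# The PSK is the only thing that admits a host to the mesh, so treat it like a
# password guarding every container's traffic: refuse anything short.
check_psk() {
    [ "${#1}" -ge 32 ]
}

# Emit a peervpn.conf for this host. The tap interface gets no IP of its own:
# it is enslaved to br-mesh (see attach_to_bridge) and the containers hold the
# addresses, which is what keeps them reachable after a migration.
peervpn_conf() {
    name="$1"; psk="$2"; port="$3"; shift 3
    check_psk "$psk" || { echo "psk too short (need >= 32 chars)" >&2; return 1; }
    printf 'port %s\nnetworkname %s\npsk %s\n' "$port" "$name" "$psk"
    printf 'enabletunneling yes\ninterface peervpn0\n'
    for peer in "$@"; do
        # Each peer is host:port of any member already running; the mesh learns the rest.
        printf 'initpeers %s %s\n' "${peer%:*}" "${peer#*:}"
    done
}

# LXC 1.x network stanza: a veth into br-mesh with a fixed address from the shared /8.
lxc_net_conf() {
    printf 'lxc.network.type = veth\nlxc.network.link = br-mesh\n'
    printf 'lxc.network.flags = up\nlxc.network.ipv4 = %s\n' "$1"
}

# Run as root on the host once peervpn has created peervpn0 (not run here).
attach_to_bridge() {
    ip link add br-mesh type bridge 2>/dev/null || true
    ip link set br-mesh up
    ip link set peervpn0 master br-mesh
    ip link set peervpn0 up
}

# Example usage (constructed peer addresses from the thread, random key generated locally):
#   peervpn_conf lxcmesh "$(head -c 32 /dev/urandom | base64)" 7000 \
#       46.1.2.3:7000 124.8.9.10:7000 > /etc/peervpn.conf
#   lxc_net_conf 10.0.0.11/8 >> /var/lib/lxc/web1/config
```

Generate the key once, distribute it to hosts out of band, and open only the chosen UDP port between the hosts' public addresses; the container subnet itself never needs to be exposed.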

Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?

2015-06-23 Thread Dustin Kirkland
Thanks for sending this along, Brian.  The Fan does address most of
your requirements, but perhaps not as completely as your PeerVPN
solution.  Thanks for the links and information.  I'm always happy to
learn about solutions in this space.

Cheers,
Dustin