Re: [lxc-users] mesh networking for lxc containers (similar to weave)?
First, I would say that I only read about Canonical's FAN yesterday so have no insight into what it can or can't do.

This spring I spent time looking at various solutions for network overlays because of my interest in SDN and LXC. My use-case requirements were:

1. to be able to interconnect LXC containers on any server on any Cloud or private DataCenter
2. be simple to install and configure
3. be full-mesh without requiring any super-node in the network
4. provide layer 2 (L2) support, thus supporting BOTH IPv4 and IPv6
5. support multi-tenancy use
6. transparency to firewall NAT
7. be open source

For SDN use VxLAN is problematic because of its usual requirement for multicast to be enabled in the network, which for most ISPs or Cloud environments is not available. Yes, there are some unicast VxLAN solutions now but they almost all (AFAIK) require use of proprietary networking hardware (Cisco, Juniper). I've not used Flannel yet but I do not believe it requires multicast.

So I began looking at various full mesh VPN solutions including:
- ControlTier - required a super-node
- Tinc - fairly complex setup/configuration
- others.

I also examined CJDNS but learned it may not be appropriate for my use case because of the way it's architected.

A side benefit of a full-mesh VPN Network Overlay was that all the traffic would be encrypted.

After looking at various full-mesh VPN solutions I found and used PeerVPN. PeerVPN:
- was created by a recent PhD (Tobias Volk)
- was implemented in C, is fast
- is open source
- is a self-learning full-mesh VPN
- provides strong encryption
- and worked great with LXC but also with Docker and other container technologies.

Because PeerVPN is an L2 VPN it also can support:
- both IPv4 and IPv6 (simple configuration)
- use of routing protocols over it
- implementation/use of VxLAN later when I get time
- multi-tenancy use

Because I wanted to interconnect LXC between any IaaS Cloud, the PeerVPN encryption would ensure the security of the traffic. This worked extremely well and met all of my use-case requirements. PeerVPN was simple to configure/set up (only 5 or 6 commands)... maybe 10 if you configure both IPv4 and IPv6. It's also a self-learning full mesh VPN with no super-node requirement.

I documented all of this on a blog post where I hope I have provided enough info. I had input from the author (Tobias Volk) and others who had read it.

Proof-of-Concept Secure Mesh VPN Network Interconnect for LXC containers in Multiple IaaS Clouds
https://bmullan.wordpress.com/

My testing of this included LXC containers running on host Servers on AWS and Digital Ocean Clouds as well as a local server. No machine required more than 5-6 simple config commands for either IPv4 or IPv6, and maybe 10 commands total if using both. The full mesh VPN learned new nodes quickly and quickly provided an any-to-any connection, usually within a few seconds.

With the advent of LXD capabilities for remote LXC management/control, the PeerVPN solution also presents a simple solution to a complex problem in a multi-cloud environment.

Brian

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
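As an added example (not code from Brian's post or from the PeerVPN project), here is one way to script the per-node setup described above: every host gets the same network name and PSK, lists all the other hosts as initial peers so no node acts as a super-node, and bridges the PeerVPN tap interface into lxcbr0 so containers on every host share one L2 segment across clouds. The PeerVPN config keys, the peervpn0/lxcbr0 interface names, UDP port 7000 and the host addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from PeerVPN itself. Writes a PeerVPN
# node config whose tap device is attached to the host's LXC bridge, so
# containers keep their own 10.x addresses no matter which host runs them.
# Assumed: PeerVPN's config keys (port, networkname, psk, enabletunneling,
# interface, initpeers, upcmd); the PSK is a constructed placeholder and must
# be replaced by a real shared secret on every node.
set -e

# mesh_peers SELF HOST... -> every host except SELF, space separated.
# Listing all other hosts as initpeers means no single rendezvous node:
# any surviving peer lets a newcomer learn the rest of the mesh.
mesh_peers() {
  self="$1"; shift
  out=""
  for h in "$@"; do
    [ "$h" = "$self" ] && continue
    out="${out:+$out }$h"
  done
  printf '%s' "$out"
}

# write_peervpn_conf OUTFILE SELF_PUBLIC_IP HOST... -> writes OUTFILE
write_peervpn_conf() {
  out="$1"; self="$2"; shift 2
  peers=""
  for h in $(mesh_peers "$self" "$@"); do
    peers="${peers:+$peers }$h 7000"        # initpeers takes "host port" pairs
  done
  {
    echo "port 7000"                           # UDP port the mesh talks on
    echo "networkname lxcmesh"                 # all nodes must share this
    echo "psk REPLACE_WITH_SHARED_SECRET"      # constructed placeholder
    echo "enabletunneling yes"
    echo "interface peervpn0"                  # tap device PeerVPN creates
    echo "initpeers $peers"
    # Attach the tap to the LXC bridge once it is up. No ifconfig4 on the tap:
    # the bridge, not the overlay endpoint, carries the container subnet.
    echo "upcmd brctl addif lxcbr0 peervpn0"
  } > "$out"
}

# Constructed sample: three hosts on different clouds (RFC 5737 test addresses).
write_peervpn_conf "${TMPDIR:-/tmp}/peervpn-node1.conf" \
  203.0.113.10 203.0.113.10 198.51.100.20 192.0.2.30
```

Run the same script on each host with its own address as SELF and the full host list; only the self-exclusion and the PSK distribution differ per node.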
Re: [lxc-users] mesh networking for lxc containers (similar to weave)?
On Tue, Jun 23, 2015 at 8:12 AM, brian mullan bmullan.m...@gmail.com wrote:

> First, I would say that I only read about Canonical's FAN yesterday so have no insight into what it can or can't do.
>
> This spring I spent time looking at various solutions for network overlays because of my interest in SDN and LXC. My use-case requirements were:
>
> 1. to be able to interconnect LXC containers on any server on any Cloud or private DataCenter
> 2. be simple to install and configure
> 3. be full-mesh without requiring any super-node in the network
> 4. provide layer 2 (L2) support, thus supporting BOTH IPv4 and IPv6
> 5. support multi-tenancy use
> 6. transparency to firewall NAT
> 7. be open source
>
> For SDN use VxLAN is problematic because of its usual requirement for multicast to be enabled in the network, which for most ISPs or Cloud environments is not available. Yes, there are some unicast VxLAN solutions now but they almost all (AFAIK) require use of proprietary networking hardware (Cisco, Juniper). I've not used Flannel yet but I do not believe it requires multicast.
>
> So I began looking at various full mesh VPN solutions including:
> - ControlTier - required a super-node
> - Tinc - fairly complex setup/configuration
> - others.
>
> I also examined CJDNS but learned it may not be appropriate for my use case because of the way it's architected.
>
> A side benefit of a full-mesh VPN Network Overlay was that all the traffic would be encrypted.
>
> After looking at various full-mesh VPN solutions I found and used PeerVPN. PeerVPN:
> - was created by a recent PhD (Tobias Volk)
> - was implemented in C, is fast
> - is open source
> - is a self-learning full-mesh VPN
> - provides strong encryption
> - and worked great with LXC but also with Docker and other container technologies.
>
> Because PeerVPN is an L2 VPN it also can support:
> - both IPv4 and IPv6 (simple configuration)
> - use of routing protocols over it
> - implementation/use of VxLAN later when I get time
> - multi-tenancy use
>
> Because I wanted to interconnect LXC between any IaaS Cloud, the PeerVPN encryption would ensure the security of the traffic. This worked extremely well and met all of my use-case requirements. PeerVPN was simple to configure/set up (only 5 or 6 commands)... maybe 10 if you configure both IPv4 and IPv6. It's also a self-learning full mesh VPN with no super-node requirement.
>
> I documented all of this on a blog post where I hope I have provided enough info. I had input from the author (Tobias Volk) and others who had read it.
>
> Proof-of-Concept Secure Mesh VPN Network Interconnect for LXC containers in Multiple IaaS Clouds
>
> My testing of this included LXC containers running on host Servers on AWS and Digital Ocean Clouds as well as a local server. No machine required more than 5-6 simple config commands for either IPv4 or IPv6, and maybe 10 commands total if using both. The full mesh VPN learned new nodes quickly and quickly provided an any-to-any connection, usually within a few seconds.
>
> With the advent of LXD capabilities for remote LXC management/control, the PeerVPN solution also presents a simple solution to a complex problem in a multi-cloud environment.

Thanks for sending this along, Brian. The Fan does address most of your requirements, but perhaps not as completely as your PeerVPN solution. Thanks for the links and information. I'm always happy to learn about solutions in this space.

Cheers,
Dustin
Re: [lxc-users] mesh networking for lxc containers (similar to weave)?
Have you checked Fan?
http://blog.dustinkirkland.com/2015/06/the-bits-have-hit-fan.html?m=1

2015-06-20 2:16 GMT-04:00 Janjaap Bos janjaap...@gmail.com:

> Yes, ZeroTier provides peer-to-peer virtual networking. It is cloud / container / virtualiser agnostic. It will work anywhere and we use it for connecting containers and VMs across clouds. Also to provide access to users on Windows / OSX.
>
> Within the container you need access to the /dev/net/tun device and, depending on the flavour (lxc / lxd / docker), net_admin capabilities.
>
> You can download it at https://www.zerotier.com or build it from https://github.com/zerotier/ZeroTierOne
>
> Since it is peer-to-peer there is very little overhead. Packets destined for local peers will stay within the local net. You can create very large distributed flat ether networks. Great for the type of cloud backplane you described. Also, this enables you to live migrate instances while maintaining their network configuration.
>
> 2015-06-20 3:37 GMT+02:00 Tomasz Chmielewski man...@wpkg.org:
>
>> I know this is just normal networking, however, there are at least two issues with your suggestions:
>>
>> - it assumes the hosts are in the same subnet (say, connected to the same switch), so it won't work if the hosts have two different public IPs (i.e. 46.1.2.3 and 124.8.9.10)
>> - with just two hosts, you may overcome the above limitation with some VPN magic; however, it becomes problematic as the number of hosts grows (imagine 10 or more hosts, trying to set it up without SPOF / central VPN server; ideally, the hosts should talk to each other using the shortest paths possible)
>>
>> Therefore, I'm asking if there is any better magic, as you say, for lxc networking? Possibly it could be achieved with tinc, running on hosts only - http://www.tinc-vpn.org/ - but I haven't really used it.
>>
>> And maybe people have other ideas?
>>
>> --
>> Tomasz Chmielewski
>> http://wpkg.org
>>
>> On 2015-06-20 03:20, Christoph Lehmann wrote:
>>
>>> There is no magic with lxc's networking. It's just a bridge and some iptables rules for NAT and a dhcp server. You can set up a bridge on your public interface, configure the container to use that bridge and do the same on your second host.
>>>
>>> On 19 June 2015 18:15:23 MESZ, Tomasz Chmielewski man...@wpkg.org wrote:
>>>
>>>> Are there any solutions which would let one build mesh networking for lxc containers, similar to what weave does for docker?
>>>>
>>>> Assumptions:
>>>> - multiple servers (hosts) which are not in the same subnet (i.e. in different DCs in different countries),
>>>> - containers share the same subnet (i.e. 10.0.0.0/8), no matter on which host they are running
>>>> - if a container is migrated to a different host, it is still reachable on the same IP address without any changes in the networking
>>>>
>>>> I suppose the solution would run only once on each of the hosts, rather than in each container.
>>>>
>>>> Is there something similar for lxc?
>>>
>>> --
>>> This message was sent from my Android phone with K-9 Mail.

--
Luis M. Ibarra
[lxc-users] mesh networking for lxc containers (similar to weave)?
Are there any solutions which would let one build mesh networking for lxc containers, similar to what weave does for docker?

Assumptions:
- multiple servers (hosts) which are not in the same subnet (i.e. in different DCs in different countries),
- containers share the same subnet (i.e. 10.0.0.0/8), no matter on which host they are running
- if a container is migrated to a different host, it is still reachable on the same IP address without any changes in the networking

I suppose the solution would run only once on each of the hosts, rather than in each container.

Is there something similar for lxc?

--
Tomasz Chmielewski
http://wpkg.org