Re: [pve-devel] Request for improvement of Network handling regarding LXC
Am Donnerstag, den 20.07.2017, 15:00 +0200 schrieb Wolfgang Bumiller: > On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote: > > > > Hi there, > > > > i'm currently evaluating the PVE environment as a replacement for > > my > > custom KVM+LXC+DRBD setup I'm running so far. > > > > Playing with (privileged) containers I figured that IP > > configuration is > > always done from inside the container. > > > > My usual setup is setting the (static) IP of the container from the > > outside (and applying firewall rules) and dropping capabilities for > > the > > container itself so this can't be changed from inside the > > container. > > > > Currently this seems to be impossible with PVE as it comes. > > > > Attached is a little patch that sets the IP from the 'outside' (if > > defined as a static one). Once I manually add the lxc.cap.drop > > lines to > > the CT config, I can't change this from the inside anymore. > > > > It's only for IPv4 (can't test v6 on this setup) but I think it's > > rather trivial to add this. > > > > Unless you drop net_admin the CT will still be able to change > > networking and behave like before - or work with DHCP. > No objection to adding this as a separate option. > > There's still the idea of adding feature flags to containers floating > around (initially for allowing things like fuse or mounting of > network > shares (nfs, cifs)), and this would definitely be another useful flag > to add. > > Note that dropping net_admin also prevents containers from > configuring > their inner firewall or using tunnels/vpns/etc., so it would > definitely > need to be a separate option rather than a general change of behavior > like in this patch, but you probably know that. As far as I can see this patch alone wouldn't change the normal behavior: step 1) lxc sets the IP from outside step 2) container itself sets/overrides the IP from the inside. Only if I manually add lxc.cap.drop = net_admin to the config of the container it will prevent step 2. Preventing the container from messing with networking/firewall settings is exactly why I want/need this. A feature switch for this (maybe even in the UI would be nice too) but thats far beyond my 2 days knowledge of playing with pve :) Tom ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] Request for improvement of Network handling regarding LXC
On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote: > Hi there, > > i'm currently evaluating the PVE environment as a replacement for my > custom KVM+LXC+DRBD setup I'm running so far. > > Playing with (privileged) containers I figured that IP configuration is > always done from inside the container. > > My usual setup is setting the (static) IP of the container from the > outside (and applying firewall rules) and dropping capabilities for the > container itself so this can't be changed from inside the container. > > Currently this seems to be impossible with PVE as it comes. > > Attached is a little patch that sets the IP from the 'outside' (if > defined as a static one). Once I manually add the lxc.cap.drop lines to > the CT config, I can't change this from the inside anymore. > > It's only for IPv4 (can't test v6 on this setup) but I think it's > rather trivial to add this. > > Unless you drop net_admin the CT will still be able to change > networking and behave like before - or work with DHCP. No objection to adding this as a separate option. There's still the idea of adding feature flags to containers floating around (initially for allowing things like fuse or mounting of network shares (nfs, cifs)), and this would definitely be another useful flag to add. Note that dropping net_admin also prevents containers from configuring their inner firewall or using tunnels/vpns/etc., so it would definitely need to be a separate option rather than a general change of behavior like in this patch, but you probably know that. > Regards, > Tom > > --- /usr/share/perl5/PVE/LXC.pm.orig 2017-07-20 12:03:52.949344829 +0200 > +++ /usr/share/perl5/PVE/LXC.pm 2017-07-20 14:12:09.022119871 +0200 > @@ -428,6 +428,11 @@ > $raw .= "lxc.network.type = veth\n"; > $raw .= "lxc.network.veth.pair = veth${vmid}i${ind}\n"; > $raw .= "lxc.network.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr}); > + if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) { > + $raw .= "lxc.network.ipv4 = $d->{ip}\n"; > + $raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if > defined($d->{gw}); > + $raw .= "lxc.network.flags = up\n" if defined($d->{ip}); > + } > $raw .= "lxc.network.name = $d->{name}\n" if defined($d->{name}); > $raw .= "lxc.network.mtu = $d->{mtu}\n" if defined($d->{mtu}); > } ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] Request for improvement of Network handling regarding LXC
Am Donnerstag, den 20.07.2017, 13:31 +0200 schrieb Michael Rasmussen: > On Thu, 20 Jul 2017 13:22:58 +0200 > Tom Weberwrote: > > > > > + if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) { > > + $raw .= "lxc.network.ipv4 = $d->{ip}\n"; > > + $raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if > > defined($d->{gw}); > > + $raw .= "lxc.network.flags = up\n" if defined($d- > > >{ip}); > The if defined($d->{ip}) in this line is not needed since this is > already true when entering this condition. Indeed. restover from the first version which didn't have the bigger if block with dhcp checking. thanks, Tom ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] Request for improvement of Network handling regarding LXC
On Thu, 20 Jul 2017 13:22:58 +0200 Tom Weberwrote: > + if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) { > + $raw .= "lxc.network.ipv4 = $d->{ip}\n"; > + $raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if > defined($d->{gw}); > + $raw .= "lxc.network.flags = up\n" if defined($d->{ip}); The if defined($d->{ip}) in this line is not needed since this is already true when entering this condition. -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael rasmussen cc http://pgp.mit.edu:11371/pks/lookup?op=get=0xD3C9A00E mir datanom net http://pgp.mit.edu:11371/pks/lookup?op=get=0xE501F51C mir miras org http://pgp.mit.edu:11371/pks/lookup?op=get=0xE3E80917 -- /usr/games/fortune -es says: Cats, no less liquid than their shadows, offer no angles to the wind. pgpdpaWNTS9kJ.pgp Description: OpenPGP digital signature ___ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel