Talk:LXC: Difference between revisions
(→What Works, What Doesnt: iptables works inside a container) |
(Found the problem in udhcp.default script - each guest now has networking, no sys mounting, and individual firewall rules.) |
||
| Line 2: | Line 2: | ||
= Alternative Network Setup = | = Alternative Network Setup = | ||
These are notes on macvlan on a box with real vlans. The goal here is to have the host on a management vlan, and several guests each on other vlans. There's no need for the host to talk to the guests. | These are notes on macvlan on a box with real vlans. The goal here is to have the host on a management vlan, and several guests each on other vlans. There's no need for the host to talk to the guests. The host resides on the "OOB" network, and if the host needs to talk to a guest, it does so with lxc-console, like having a KVM. Each guest should get its address from the DHCP server on the appropriate vlan.Something like this: | ||
Setup: | Setup: | ||
| Line 17: | Line 17: | ||
|- | |- | ||
| guest3 | | guest3 | ||
| dhcp (different address) | | dhcp on vlan64 (different address) | ||
|} | |} | ||
| Line 45: | Line 45: | ||
* Here's /etc/lxc/lxc.conf | * Here's /etc/lxc/lxc.conf | ||
lxc.network.type = macvlan | lxc.network.type = macvlan | ||
# Allow guests on the same vlan to see each other | |||
lxc.network.link = eth0.65 | lxc.network.macvlan.mode = bridge | ||
lxc.network.name = eth0 | lxc.network.link = eth0.65 | ||
# lxc.network.flags = up | lxc.network.name = eth0 | ||
# lxc.network.ipv4 = 0.0.0.0 # | # lxc.network.hwaddr = de:ad:be:ef:c0:00 # macvlan will make one up, but possible if wanted | ||
# lxc.network.flags = up # Do NOT bring up the interface, we will do so within the container | |||
# lxc.network.ipv4 = 0.0.0.0 # Do NOT assign an address, we do so within the container | |||
# Capabilities to drop (for instance, to stop the guest from mounting sys) | |||
# Taken from http://sourceforge.net/mailarchive/message.php?msg_id=28285704 | |||
# sys_boot is not listed here, as it causes problems when the host tries to stop the guest | |||
# If you trust the guest, then you can get by without dropping capabilities | |||
lxc.cap.drop= sys_admin audit_control audit_write fsetid ipc_lock | |||
lxc.cap.drop= ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap | |||
lxc.cap.drop= setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio | |||
lxc.cap.drop= sys_tty_config sys_time | |||
* Create the guests | * Create the guests | ||
for a in `seq 1 3`; do | for a in `seq 1 3`; do | ||
| Line 57: | Line 70: | ||
* vi /var/lib/lxc/guest2/config | * vi /var/lib/lxc/guest2/config | ||
change lxc.network.link to eth0.129 | change lxc.network.link to eth0.129 | ||
* Start and enter the first guest (this is where the fun starts) | * Start and enter the first guest (this is where the fun starts) | ||
/etc/init.d/lxc.guest1 start | /etc/init.d/lxc.guest1 start | ||
| Line 64: | Line 76: | ||
=== Fun inside the guest === | === Fun inside the guest === | ||
If you just start networking, you'll get: | |||
cat: can't open '/sys/class/net/eth0/ifindex': No such file or directory | cat: can't open '/sys/class/net/eth0/ifindex': No such file or directory | ||
/usr/share/udhcpc/default.script: line 125: arithmetic syntax error | /usr/share/udhcpc/default.script: line 125: arithmetic syntax error | ||
/usr/share/udhcpc/default.script: line 125: arithmetic syntax error | /usr/share/udhcpc/default.script: line 125: arithmetic syntax error | ||
This is because /sys is not mounted, and we don't [http://blog.bofh.it/debian/id_413 really want to do that]. | |||
Fortunately, there's a simple fix: | |||
--- /usr/share/udhcpc/default.script.orig | |||
+++ /usr/share/udhcpc/default.script | |||
@@ -39,7 +39,7 @@ | |||
} | |||
if_index() { | |||
* Let's | - cat /sys/class/net/$interface/ifindex | ||
+ cat /sys/class/net/$interface/ifindex || echo 0 | |||
} | |||
calc_metric() { | |||
* Let's make the /etc/network/interfaces proper | |||
guest1:~# cat - << EOF >/etc/network/interfaces | guest1:~# cat - << EOF >/etc/network/interfaces | ||
auto lo | |||
iface lo inet loopback | iface lo inet loopback | ||
auto eth0 | auto eth0 | ||
iface eth0 inet dhcp | iface eth0 inet dhcp | ||
hostname guest1 | hostname guest1 | ||
EOF | EOF | ||
* And add networking: | |||
guest1:~# rc-update add networking | |||
* And test | |||
ctrl-a q | ctrl-a q | ||
lxchost# /etc/init.d/lxc.guest1 restart | lxchost# /etc/init.d/lxc.guest1 restart | ||
lxchost# lxc-console -n guest1 | lxchost# lxc-console -n guest1 | ||
* We have Networking! | * We have Networking! | ||
* Repeat the configuration for guest2 and 3 | * Repeat the patch and configuration for guest2 and 3 | ||
=== What Works, What Doesnt === | === What Works, What Doesnt === | ||
* Pro | * Pro | ||
** Each guest has its own mac address | ** Each guest has its own mac address | ||
** | ** Network connectivity between each guest | ||
** No communication allowed between host and guests (this is a plus in our case - managment vlan != user vlan) | ** No communication allowed between host and guests (this is a plus in our case - managment vlan != user vlan) | ||
** if iptables modules are loaded in the host, each guest can create its own iptables rules (awall for all! sweet) | ** if iptables modules are loaded in the host, each guest can create its own iptables rules (awall for all! sweet) | ||
* Con | * Con | ||
** | ** No communication allowed between host and guests because we are not using a bridge interface (this is a plus in our case - managment vlan != user vlan) | ||
Revision as of 03:29, 25 February 2013
Alternative Network Setup
These are notes on macvlan on a box with real vlans. The goal here is to have the host on a management vlan, and several guests each on other vlans. There's no need for the host to talk to the guests. The host resides on the "OOB" network, and if the host needs to talk to a guest, it does so with lxc-console, like having a KVM. Each guest should get its address from the DHCP server on the appropriate vlan.Something like this:
Setup:
| host | dhcp on vlan 8 |
| guest1 | dhcp on vlan 64 |
| guest2 | dhcp on vlan 129 |
| guest3 | dhcp on vlan64 (different address) |
- Host's /etc/network/interfaces file
auto lo
iface lo inet loopback
# MGMT vlan
auto eth0.8
iface eth0.8 inet dhcp
hostname lxchost
# USR vlan - we bring it up, but dont assign an address
auto eth0.65
iface eth0.65 inet manual
up ip link set $IFACE addr de:ad:be:ef:ca:fe
up ip link set $IFACE up
down ip link set $IFACE down
# VoIP vlan - we bring it up, but dont assign an address
auto eth0.129
iface eth0.129 inet manual
up ip link set $IFACE addr 0f:f1:ce:c0:ff:ee
up ip link set $IFACE up
down ip link set $IFACE down
- Here's /etc/lxc/lxc.conf
lxc.network.type = macvlan
# Allow guests on the same vlan to see each other
lxc.network.macvlan.mode = bridge
lxc.network.link = eth0.65
lxc.network.name = eth0
# lxc.network.hwaddr = de:ad:be:ef:c0:00 # macvlan will make one up, but possible if wanted
# lxc.network.flags = up # Do NOT bring up the interface, we will do so within the container
# lxc.network.ipv4 = 0.0.0.0 # Do NOT assign an address, we do so within the container
# Capabilities to drop (for instance, to stop the guest from mounting sys)
# Taken from http://sourceforge.net/mailarchive/message.php?msg_id=28285704
# sys_boot is not listed here, as it causes problems when the host tries to stop the guest
# If you trust the guest, then you can get by without dropping capabilities
lxc.cap.drop= sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop= ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap
lxc.cap.drop= setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio
lxc.cap.drop= sys_tty_config sys_time
- Create the guests
for a in `seq 1 3`; do
lxc-create -n guest${a} -f /etc/lxc/lxc.conf -t alpine
ln -s /etc/init.d/lxc /etc/init.d/lxc.guest${a}
done
- vi /var/lib/lxc/guest2/config
change lxc.network.link to eth0.129
- Start and enter the first guest (this is where the fun starts)
/etc/init.d/lxc.guest1 start lxc-console -n guest1
Fun inside the guest
If you just start networking, you'll get:
cat: can't open '/sys/class/net/eth0/ifindex': No such file or directory /usr/share/udhcpc/default.script: line 125: arithmetic syntax error /usr/share/udhcpc/default.script: line 125: arithmetic syntax error
This is because /sys is not mounted, and we don't really want to do that.
Fortunately, there's a simple fix:
--- /usr/share/udhcpc/default.script.orig
+++ /usr/share/udhcpc/default.script
@@ -39,7 +39,7 @@
}
if_index() {
- cat /sys/class/net/$interface/ifindex
+ cat /sys/class/net/$interface/ifindex || echo 0
}
calc_metric() {
- Let's make the /etc/network/interfaces proper
guest1:~# cat - << EOF >/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
hostname guest1
EOF
- And add networking:
guest1:~# rc-update add networking
- And test
ctrl-a q lxchost# /etc/init.d/lxc.guest1 restart lxchost# lxc-console -n guest1
- We have Networking!
- Repeat the patch and configuration for guest2 and 3
What Works, What Doesnt
- Pro
- Each guest has its own mac address
- Network connectivity between each guest
- No communication allowed between host and guests (this is a plus in our case - managment vlan != user vlan)
- if iptables modules are loaded in the host, each guest can create its own iptables rules (awall for all! sweet)
- Con
- No communication allowed between host and guests because we are not using a bridge interface (this is a plus in our case - managment vlan != user vlan)