<html><head><meta name="Generator" content="Z-Push"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body><SPAN style="font-size: 11pt"><div style="font-family:Calibri, Arial, Helvetica, sans-serif; font-size:12pt; color:#1F497D"><div>Thanks for the link. </div><div><br></div><div>I'll try something like you described. I was expecting something built into LXC, like you suggested later with lxc-user-nic. </div><div>I think the routing option is the only one available, like Proxmox/OpenVZ is doing, I guess.</div><div><br></div><div>I was thinking of having a dedicated port with the OVS switch configured to only allow a specific MAC address/IPv4 to use the port. Whatever the container tries to set up, only one working configuration will be allowed.</div><div><br></div><div>Because I'm trying to think in a dynamic way, including IPv4 and MAC address allocation for a specific container. </div><div>You execute the container and the network configuration is self-secured.</div><div><br></div>
<div><br></div>
<div id="signature-x" style="-webkit-user-select:none; font-family:Calibri, Arial, Helvetica, sans-serif; font-size:12pt; color:#1F497D"><i style="font-family: sans-serif;">-- sent from my phone --</i></div></div><div id="quoted_header" style="clear:both;"><br/><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif'"><b>From:</b> "Fajar A. Nugraha" &lt;list@fajar.net&gt; <br><b>Sent:</b> 2015-06-26 00:19 <br><b>To:</b> LXC users mailing-list <br><b>Subject:</b> Re: [lxc-users] LXC - Best way to avoid networking changes in a container<br></span></div></div><br type='attribution'></SPAN>On Fri, Jun 26, 2015 at 10:59 AM, Benoit GEORGELIN - Association<BR>Web4all &lt;benoit.georgelin@web4all.fr&gt; wrote:<BR>> Hi,<BR>><BR>> I'm looking to avoid network changes in an LXC container with root access<BR>> while the system is up and running.<BR>><BR>> Let's say I have two containers running.<BR>><BR>> A: 192.168.0.100/24<BR>> B: 192.168.0.200/24<BR>><BR>> They are both on the same private network but it can be a public network<BR>> too.<BR>> How can I prevent root user from container B to change his IP address and<BR>> use the IP address of container A ?<BR>><BR>> Container network is built on top of Ovs Switch . Maybe there is a way to<BR>> restrict MAC Address and IP for a specific port ? I did not see any option.<BR><BR>https://lists.linuxcontainers.org/pipermail/lxc-users/2015-February/008553.html<BR><BR>Basically you need routed setup. Do NOT add the container interface to<BR>the switch, but instead use the veth pair directly with IP address and<BR>routes assigned on both ends (host side and container side)<BR><BR>On that setup, all traffic to A's IP is always directed by the host<BR>thru A's veth. 
It doesn't matter even if some other rogue container<BR>(B) uses that IP, traffic will always be sent to A.<BR><BR>-- <BR>Fajar<BR></body></html>
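An added example, not part of the original thread: a host-side check that the routed layout described above is in place, meaning each container IP has a host route through its own veth and no container veth is attached to the switch. The interface names, the allocation table and the sample `ip` output are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not from the thread): the intended
# veth -> IP allocation and host output of `ip -4 route show` / `ip -o link show`.
ALLOCATION = {"vethA": "192.168.0.100", "vethB": "192.168.0.200"}
ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
192.168.0.100 dev vethA scope link
"""
LINKS = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
7: vethA@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
9: vethB@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP
"""

def host_routes(route_text):
    # Map each single-host (/32) destination to the devices it is routed to.
    routes = {}
    for line in route_text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)(?:/32)?\s+dev\s+(\S+)", line)
        if m:
            routes.setdefault(m.group(1), set()).add(m.group(2))
    return routes

def bridged_ports(link_text):
    # Map each interface that has a master (bridge or OVS datapath) to it.
    ports = {}
    for line in link_text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)(?:@\S+)?:.*?\smaster\s+(\S+)", line)
        if m:
            ports[m.group(1)] = m.group(2)
    return ports

def audit(allocation, route_text, link_text):
    # Report every deviation from "one /32 route per container, via its own veth".
    findings, routes, bridged = [], host_routes(route_text), bridged_ports(link_text)
    for dev, ip in sorted(allocation.items()):
        if dev in bridged:
            findings.append(f"{dev}: attached to {bridged[dev]}, not routed")
        devs = routes.get(ip, set())
        if dev not in devs:
            findings.append(f"{dev}: no host route for {ip}")
        for other in sorted(devs - {dev}):
            findings.append(f"{ip}: also routed to {other}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ALLOCATION, ROUTES, LINKS)) or "routed setup OK")
```

On a real host the two text inputs would come from running `ip -4 route show` and `ip -o link show`.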