[lxc-devel] Networking and LXD

Serge Hallyn serge.hallyn at ubuntu.com
Mon Sep 28 14:42:02 UTC 2015


Quoting Tom Denham (Tom.Denham at metaswitch.com):
> I'm going to need to digest this a bit more but my initial concern is that lxd relies on bridges for networking whereas Calico is more L3 focused.
> 
> The way Calico works is similar to what you described below
> * Create a veth
> * Put one end in the netns and leave the other in the host netns
> * But don't connect the host end to a bridge
> * Instead, we program rules into the linux routing tables to forward the packets to the correct destination (and program IPTABLES rules to enforce policy)
> 
> Make sense?

That shouldn't be a problem.  Lxc and lxd do not "rely on bridges", it's
just one way to configure them.  Well, it's kind of a standard way so it's
nice in that it allows the bridge to be created and configured once, and
then the containers to be hooked up in a standard way (reducing the special
cases in the lxc code).

The simplest way to try out calico, it sounds like, would be to use a
lxc.network.script.up script to do the routing table setup after the veths
have been set up.  I.e.:

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.script.up = /usr/local/bin/calicosetup
lxc.network.hwaddr = 00:16:3e:a6:74:7f

(see lxc.container.conf(5) for details on how script.up works;  in
particular the nic name on the host will be the fourth arg)

The only downside to this would be that unprivileged users wouldn't
(without changes) be able to do it, but for lxd that's not an issue.

-serge
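As an added example (not code from this thread, from Calico or from lxc) of what such a script.up hook could look like: it takes the host-side veth name that lxc appends as the last argument (an assumption; the exact position varies by lxc version, see lxc.container.conf(5)), assumes the container address arrives in a hypothetical CONTAINER_IP environment variable, and programs a /32 route plus a default-deny forward policy for that veth instead of attaching it to a bridge.

```shell
#!/bin/sh
# Sketch of a /usr/local/bin/calicosetup hook for lxc.network.script.up.
# Assumptions (not from lxc or Calico): the host-side veth name is the last
# argument lxc passes, and CONTAINER_IP carries the guest's IPv4 address.
set -e

# Return the final positional argument: the host-side device name.
host_if_from_args() {
    for arg in "$@"; do last=$arg; done
    printf '%s\n' "$last"
}

# Emit the L3 plumbing for one container: bring the veth up, answer ARP
# for the guest's gateway via proxy_arp, route the guest /32 at the veth,
# and only forward traffic from the veth that carries the assigned source.
l3_commands() {
    host_if=$1; ip=$2
    # Refuse anything that is not a plain dotted-quad, so an odd value
    # can never be spliced into the commands below.
    case $ip in
        *[!0-9.]*|"") echo "calicosetup: bad ip '$ip'" >&2; return 1 ;;
    esac
cat <<EOF
ip link set dev $host_if up
sysctl -w net.ipv4.conf.$host_if.proxy_arp=1
ip route replace $ip/32 dev $host_if
iptables -A FORWARD -i $host_if -s $ip -j ACCEPT
iptables -A FORWARD -i $host_if -j DROP
EOF
}

# Execute the emitted commands (needs root), or just print them if DRY_RUN is set.
apply() {
    if [ -n "${DRY_RUN:-}" ]; then cat; else sh -e; fi
}

main() {
    host_if=$(host_if_from_args "$@")
    l3_commands "$host_if" "${CONTAINER_IP:?CONTAINER_IP must be set}" | apply
}

# Run as the hook only when invoked under the installed name (lxc passes
# e.g. "<name> net up veth vethXXXX"); sourcing the file just defines functions.
case $0 in */calicosetup|calicosetup) main "$@" ;; esac
```

Run with DRY_RUN=1 first to review the exact ip/sysctl/iptables commands before letting the hook apply them.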

