[lxc-devel] Networking and LXD
Tom Denham
Tom.Denham at metaswitch.com
Mon Sep 28 15:54:03 UTC 2015
> -----Original Message-----
> From: Serge Hallyn [mailto:serge.hallyn at ubuntu.com]
> Sent: Monday, September 28, 2015 7:42 AM
> To: Tom Denham
> Cc: LXC development mailing-list
> Subject: Re: [lxc-devel] Networking and LXD
>
> Quoting Tom Denham (Tom.Denham at metaswitch.com):
> > I'm going to need to digest this a bit more but my initial concern is that lxd
> > relies on bridges for networking whereas Calico is more L3 focused.
> >
> > The way Calico works is similar to what you described below
> > * Create a veth
> > * Put one end in the netns and leave the other in the host netns
> > * But don't connect the host end to a bridge
> > * Instead, we program rules into the linux routing tables to forward
> > the packets to the correct destination (and program IPTABLES rules to
> > enforce policy)
> >
> > Make sense?
>
> That shouldn't be a problem. Lxc and lxd do not "rely on bridges", it's just one
> way to configure them. Well, it's kind of a standard way so it's nice in that it
> allows the bridge to be created and configured once, and then the containers to
> be hooked up in a standard way (reducing the special cases in the lxc code).
>
> The simplest way to try out calico, it sounds like, would be to use a
> lxc.network.script.up script to do the routing table setup after the veths have
> been set up. I.e.:
>
> # Network configuration
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.script.up = /usr/local/bin/calicosetup
> lxc.network.hwaddr = 00:16:3e:a6:74:7f
>
> (see lxc.container.conf(5) for details on how script.up works; in particular the
> nic name on the host will be the fourth arg)
>
> The only downside to this would be that unprivileged users wouldn't (without
> changes) be able to do it, but for lxd that's not an issue.
>
> -serge
Thanks Serge, that sounds like what I was looking for. I'll have a go at a simple integration and let you know how I get on.
Tom
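
A sketch of what the `/usr/local/bin/calicosetup` hook discussed above could look like, as an added example that is not code from this thread, from LXC or from Calico. It assumes the host-side NIC name is the last argument passed to the hook (check lxc.container.conf(5) for your version), that the container address arrives in a constructed `CONTAINER_IP` variable, and that proxy ARP is wanted on the host end; `DRY_RUN` is a hypothetical switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: hypothetical calicosetup hook; not Calico's or LXC's code.
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only (constructed switch)

# Run a command, or just print it when DRY_RUN is on.
run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else echo "$*"; fi
}

# The name reaches ip(8) as root: 1-15 chars of [A-Za-z0-9_-], no leading '-'.
valid_ifname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Dotted-quad IPv4 only, each octet 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Route the container address to the host end of the veth, with no bridge.
setup_routed_veth() {
    ifname=$1 ip=$2
    valid_ifname "$ifname" || { echo "calicosetup: bad interface name" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "calicosetup: bad IPv4 address" >&2; return 1; }
    # Assumption: proxy ARP on the host end answers the container's ARP requests.
    run sysctl -w "net.ipv4.conf.$ifname.proxy_arp=1" || return 1
    # Host route in place of a bridge port: traffic for the container goes to its veth.
    run ip route replace "$ip/32" dev "$ifname" scope link
}

# When invoked as a hook, take the last argument as the host-side NIC (assumption).
if [ "$#" -gt 0 ]; then
    for hostif in "$@"; do :; done
    setup_routed_veth "$hostif" "${CONTAINER_IP:-}"
fi
```

The hook runs as root on the host, so the interface name and address are validated before they reach `sysctl` or `ip`.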