[Lxc-users] port numbers for containers

Daniel Lezcano dlezcano at fr.ibm.com
Thu Aug 12 08:29:07 UTC 2010 

On 08/12/2010 01:05 AM, Nirmal Guhan wrote:
> On Wed, Aug 11, 2010 at 11:05 AM, Serge Hallyn
> <serge.hallyn at canonical.com>  wrote:
>> Quoting Nirmal Guhan (vavatutu at gmail.com):
>>> On Wed, Aug 11, 2010 at 5:06 AM, Serge Hallyn
>>> <serge.hallyn at canonical.com>  wrote:
>>>> Quoting Nirmal Guhan (vavatutu at gmail.com):
>>>>> Hi,
>>>>>
>>>>> Want to know if port numbers are virtualized for containers or do the
>>>>> containers and host share the port space ? Please let me know.
>>>>
>>>> Wrong layer.  If the container shares a network namespace with the
>>>> host, then it shares its networking.  If it has its own network
>>>> namespace, then it has its own entire network stack.  So no, 'port
>>>> space' isn't virtualized.vs.shared, but the network devices are.
>>>>
>>> Thanks. How do I configure the container to have its own network stack?
>>
>> I did
>>
>> cat>>  /etc/lxc-basic.conf<<  EOF
>> lxc.network.type=veth
>> lxc.network.link=virbr0
>> lxc.network.flags=up
>> EOF
>>
>> lxc-create -n ubuntu1 -f /etc/lxc-basic.conf -t ubuntu
>
> Thanks. If I do macvlan, I assume there is no separate network
> namespace and hence ports will be shared and otherwise(veth) not ?

If you specify a lxc.network.type=<type>, you will have automatically a 
new network stack. That means your own interfaces, ip addresses, routes, 
iptables, ports, etc ...

As Serge explained, the network isolation/virtualization acts at the 
layer2, meaning it *begins* at the layer2, so the upper network layer 
will be virtualized too.

When you have a new network stack, your port numbers will not overlap 
with the system or the other containers. For example, you can launch 
several sshd or httpd in different containers without conflicting with 
the port 22 or 80.

If you don't specify lxc.network.type, your container will share the 
network stack with the host, hence if the host is running sshd, you 
won't be able to start another sshd in the container because they will 
conflict on port 22.

Answering to your question, if you do lxc.network.type=macvlan, the 
network stack will be private to your container.

  -- Daniel

More information about the lxc-users mailing list