[Lxc-users] port numbers for containers
Daniel Lezcano
daniel.lezcano at free.fr
Thu Aug 19 22:25:19 UTC 2010
On 08/19/2010 02:33 PM, Sebastien Douche wrote:
> On Thu, Aug 12, 2010 at 10:29, Daniel Lezcano<dlezcano at fr.ibm.com> wrote:
>
>> Answering to your question, if you do lxc.network.type=macvlan, the
>> network stack will be private to your container.
>>
> Hi Daniel,
> not sure I understand your response: with the macvlan option, you cannot
> access the container from outside?
With the macvlan network configuration (lxc.network.type=macvlan), the
container will use a specific network device which is faster and simpler
to configure than the veth, but the network traffic won't go to the host
or the other containers on the same host. Only direct access to your
real network will happen.
> What does "private network
> stack" mean?
>
From the point of view of the system (the kernel services), the
different system resources are split and separated into a base brick
called a 'namespace'. There are the pid namespace, the network
namespace, the ipc namespace, the mount namespace, etc.

When you boot your system (not a container), the loopback and the
network devices are created. These are set up by the system by assigning
IP addresses. The routes and the route cache, the hash tables for udp,
tcp, raw, etc., port mappings, iptables, etc. are created and set up
by your system (automatically by the kernel) or by userland scripts at
boot time.

When you create a network namespace, this occurs again, giving you a new
loopback instance as well as new route tables and new hash tables for
tcp and udp. Because these resources mustn't overlap with the system, they
are isolated, which means a process running in this namespace cannot
see the network of another namespace (e.g. the host). This is why we say
a "private network stack": it belongs to a set of processes, and a
process can only have a namespace at a time.

As I know I am often not very clear :), I would recommend this document:
http://lxc.sourceforge.net/doc/sigops/appcr.pdf
-- Daniel
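
The "set of processes" that shares one private network stack can be made visible from the host by reading each process's `/proc/<pid>/ns/net` link. The sketch below is an added example, not part of the original message or of LXC; the function names are hypothetical, and the sample tree built by `build_sample_proc` is constructed for illustration.

```python
import os
from collections import defaultdict

def netns_id(pid, proc_root="/proc"):
    """Return the network-namespace id of a process, e.g. 'net:[4026531992]'.
    Returns None if the process is gone or we may not inspect it."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "ns", "net"))
    except OSError:
        return None

def group_by_netns(proc_root="/proc"):
    """Map each network namespace to the sorted PIDs that live in it."""
    groups = defaultdict(list)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/sys, /proc/net, ...
            continue
        ns = netns_id(entry, proc_root)
        if ns is not None:
            groups[ns].append(int(entry))
    return {ns: sorted(pids) for ns, pids in groups.items()}

def private_stacks(proc_root="/proc", reference_pid=1):
    """Namespaces that differ from the one of reference_pid (PID 1 = host init).
    Processes listed here cannot see the host's devices, routes or sockets."""
    host_ns = netns_id(reference_pid, proc_root)
    if host_ns is None:
        # Reading another user's ns link needs privileges; run as root.
        raise PermissionError("cannot read namespace of reference pid")
    return {ns: pids for ns, pids in group_by_netns(proc_root).items()
            if ns != host_ns}

def build_sample_proc(root, layout):
    """Constructed sample input: a fake /proc tree, one ns/net symlink per pid."""
    for pid, ns in layout.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        os.symlink(ns, os.path.join(ns_dir, "net"))

if __name__ == "__main__":
    # On a real host (as root): one line per network stack and its processes.
    for ns, pids in sorted(group_by_netns().items()):
        print(ns, pids)
```

Two processes share a network stack exactly when their links resolve to the same identifier; a container started with its own network namespace shows up as a separate group.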