[Lxc-users] networking query

Daniel Lezcano daniel.lezcano at free.fr
Thu Jul 29 09:32:12 UTC 2010


On 07/29/2010 01:47 AM, Andy Billington wrote:
> Firstly, am just starting to look at LXC as a possible migration from 
> OpenSolaris, so excuse me if question is obvious.
> Reading what I have found so far, it seems clear that with a bridged 
> interface on the global side, the Containers can all have separate 
> network info (different IPs, subnets) and so on. The question I have 
> is can each container run an independent, totally isolated IP stack 
> (like OpenSolaris Crossbow) including completely separate routing 
> tables and IPSec configurations?

Yes, each container has its own private network stack; the 
virtualization begins at the L2 layer. The container will have its own 
network interfaces. From the Linux kernel point of view, the kernel was 
modified to dynamically allocate a new kernel stack with a syscall.

I don't use IPsec within a container, but as far as I remember that was 
implemented 2 years ago, right after the core network virtualization was 
pushed, so I think it is supported per container so far.

> The problem I'm investigating is that I currently have two Zones in 
> Solaris, call them Z1 (10.1.1.1/24) and Z2 (10.1.2.1/24). These then 
> talk to customer networks via IPSec; call them Customer1 and 
> Customer2. The "fun" part is the Customer networking: Customer1 uses 
> 192.168.1.0/24 as their internal range (ie. "behind" the VPN tunnel, 
> my IPSec emerges on 192.168.1.252), and Customer2 uses 192.168.0.0/16 
> as their internal range. So, overlapping ranges.

ok.

> Z1 talks to Customer1, Z2 talks to Customer2, it is critical they 
> cannot "see" each other. Crossbow is doing it just fine; 

I am not sure I understand "they cannot see each other"; can you 
elaborate a bit?

> can LXC do the same thing?

I have never tried this configuration, but at first glance I think the 
Linux kernel supports that.
Maybe someone on this mailing list has tried it ...

If you expect LXC to do the VPN setup for you, that is not (yet) supported.

If you expect to run a virtualized system like Ubuntu inside a 
container, you can configure that system to create a VPN/IPsec tunnel by 
installing OpenVPN and whatever else you need, like on any real host, for 
your configuration. This amounts to creating an appliance (there are some 
basic appliances available for LXC that you can improve).

> If LXC can do it, are there any gotchas or suggestions as to the best 
> choice for IPSec setup / configuration?

To test that, I suggest creating an Ubuntu system (on an Ubuntu host) 
via the command:

lxc-create -n Z1 -f lxc.conf -t ubuntu

where lxc.conf is:

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up

This assumes you have a bridge br0 set up on your host with your NIC 
attached to it.

Then start the container:

lxc-start -n Z1

You will get a console, and you can log in with user: root / password: root.

At this point you can install/configure your container with openvpn.

Hope that helps
   -- Daniel
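The following script is an added example for the Z1/Z2 case discussed above; it is not part of the original post and not LXC project code. It generates one config per container in the same lxc.conf key style as the reply (lxc.network.type/link/flags plus the lxc.utsname, lxc.network.name, lxc.network.hwaddr and lxc.network.ipv4 keys of that config format), and it goes beyond the single br0 of the reply by assuming a separate host bridge per container (br1, br2): two veth ports on one Linux bridge share an L2 segment and can reach each other, so separate bridges are the assumption used here to keep Z1 and Z2 apart. The 10.1.1.0/24 and 10.1.2.0/24 addresses and the MACs are illustrative. The optional root-only check uses iproute2 `ip netns`, which post-dates the 2010 post but exercises the same kernel network namespaces that LXC containers are built on, to show two stacks each holding their own 192.168.0.0/16 route without conflict.

```shell
#!/bin/sh
# Added example (not from the original post): per-container LXC configs for
# Z1 and Z2 on separate host bridges, plus an optional root-only check that
# two network namespaces can each carry an overlapping 192.168.0.0/16 route.
# Bridge names, MACs and the 10.1.x.0/24 addressing are assumptions.
set -eu

# Emit an lxc.conf for one container attached to its own bridge.
lxc_conf_text() {
    name=$1 bridge=$2 cidr=$3 hwaddr=$4
    cat <<EOF
lxc.utsname = $name
lxc.network.type = veth
lxc.network.link = $bridge
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.hwaddr = $hwaddr
lxc.network.ipv4 = $cidr
EOF
}

# Write Z1.conf and Z2.conf into DIR (usable with lxc-create -f) and print
# the two paths. Each zone sits on its own bridge so they share no L2 segment.
write_zone_confs() {
    dir=$1
    mkdir -p "$dir"
    lxc_conf_text Z1 br1 10.1.1.1/24 00:16:3e:00:00:01 > "$dir/Z1.conf"
    lxc_conf_text Z2 br2 10.1.2.1/24 00:16:3e:00:00:02 > "$dir/Z2.conf"
    printf '%s\n%s\n' "$dir/Z1.conf" "$dir/Z2.conf"
}

# Returns 0 if FILE puts the container on BRIDGE with address CIDR, else 1.
conf_uses() {
    file=$1 bridge=$2 cidr=$3
    grep -q "^lxc.network.link = $bridge\$" "$file" &&
    grep -q "^lxc.network.ipv4 = $cidr\$" "$file"
}

# Root-only demonstration of the kernel primitive: two namespaces, same
# customer range routed in both, independent routing tables. Skips (exit 0)
# without root or without 'ip netns'.
demo_overlapping_routes() {
    if [ "$(id -u)" -ne 0 ] || ! ip netns list >/dev/null 2>&1; then
        echo "skipping namespace demo (needs root and ip netns)" >&2
        return 0
    fi
    # Deleting a namespace removes the veth inside it and its host peer.
    trap 'ip netns del demo-Z1 2>/dev/null; ip netns del demo-Z2 2>/dev/null' EXIT
    i=1
    for z in Z1 Z2; do
        ip netns add "demo-$z"
        ip link add "v-$z" type veth peer name "v-$z-host"
        ip link set "v-$z" netns "demo-$z"
        ip link set "v-$z-host" up
        ip netns exec "demo-$z" ip link set lo up
        ip netns exec "demo-$z" ip addr add "10.1.$i.1/24" dev "v-$z"
        ip netns exec "demo-$z" ip link set "v-$z" up
        # Same 192.168.0.0/16 in both stacks; no conflict, tables are per-namespace.
        ip netns exec "demo-$z" ip route add 192.168.0.0/16 dev "v-$z"
        i=$((i + 1))
    done
    for z in Z1 Z2; do
        echo "== routing table of $z =="
        ip netns exec "demo-$z" ip route
        ip netns exec "demo-$z" ip route get 192.168.1.10
    done
}

if [ "${1:-}" = "run" ]; then
    write_zone_confs ./zone-confs
    demo_overlapping_routes
fi
```

Run it as `sh zones.sh run`: the configs land in ./zone-confs and can be passed to `lxc-create -n Z1 -f zone-confs/Z1.conf -t ubuntu`; the namespace demo only runs as root and cleans up after itself.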
