[Lxc-users] networking query

Andy Billington andy at andybillington.com
Thu Jul 29 09:43:41 UTC 2010


On 29/07/2010 10:32, Daniel Lezcano wrote:
> On 07/29/2010 01:47 AM, Andy Billington wrote:
>> Firstly, am just starting to look at LXC as a possible migration from 
>> OpenSolaris, so excuse me if question is obvious.
>> Reading what I have found so far, it seems clear that with a bridged 
>> interface on the global side, the Containers can all have separate 
>> network info (different IPs, subnets) and so on. The question I have 
>> is can each container run an independent, totally isolated IP stack 
>> (like OpenSolaris Crossbow) including completely separate routing 
>> tables and IPSec configurations?
>
> Yes, each container has its own private network stack, the 
> virtualization begins at the L2 layer. The container will have its own 
> network interfaces. From the linux kernel point of view, it was 
> modified to dynamically allocate a new kernel stack with a syscall.
>
> I don't use ipsec within a container, but as far as I remember that 
> was implemented 2 years ago right after pushing the core network 
> virtualization, so I think it is supported per container so far.
>
>> The problem I'm investigating is that I currently have two Zones in 
>> Solaris, call them Z1 (10.1.1.1/24) and Z2 (10.1.2.1/24). These then 
>> talk to customer networks via IPSec; call them Customer1 and 
>> Customer2. The "fun" part is the Customer networking: Customer1 uses 
>> 192.168.1.0/24 as their internal range (ie. "behind" the VPN tunnel, 
>> my IPSec emerges on 192.168.1.252), and Customer2 uses 192.168.0.0/16 
>> as their internal range. So, overlapping ranges.
>
> ok.
>
>> Z1 talks to Customer1, Z2 talks to Customer2, it is critical they 
>> cannot "see" each other. Crossbow is doing it just fine; 
>
> I am not sure to understand "the cannot see each other", can you 
> elaborate a bit ?
>
Z1 and Customer1 traffic must be able to route between each other, but 
not reach either Z2 or Customer2.
>> can LXC do the same thing?
>
> I never tried this configuration but at the first glance, I think the 
> linux kernel support that.
> Maybe someone on this mailing list tried that ...
>
> If you expect LXC to do the VPN setup for you, that is not (yet) 
> supported.
That's fine
>
> If you expect to run a virtualized system like ubuntu inside a 
> container, you can configure this system to create a vpn/ipsec by 
> installing openvpn and whatever you need like any real host for your 
> configuration. This is about an appliance to be created (there are 
> some basic appliance available for lxc you can improve).
>
Got to be a full IPSec implementation, as in the future some Cisco IOS 
endpoints are joining in. Was going to use Racoon/IPsec-tools?
>> If LXC can do it, are there any gotcha's or suggestions as to the 
>> best choice for IPSec setup / configuration?
>
> For testing that, I suggest to create an ubuntu system (on ubuntu 
> host) via the command:
>
> lxc-create -n Z1 -f lxc.conf -t ubuntu
>
> where lxc.conf is:
>
> lxc.network.type=veth
> lxc.network.link=br0
> lxc.network.flags=up
>
> Assuming you have a bridge br0 setup on your host with your nic 
> attached to it.
>
> Then start the container:
>
> lxc-start -n Z1
>
> You will get a console, and you can log into with user: root / pwd: root
>
> At this point you can install/configure your container with openvpn.
>
> Hope that helps
>   -- Daniel
>
Thank you! One completely unrelated question: is there an LXC way to 
de-duplicate on storage for Containers? The Z1 virtual machine and the 
Z2 virtual machine will be 95% identical, so I don't really want to have 
disks eaten up with two copies of identical files.

Andy
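An added example, written for this thread rather than taken from Daniel's reply or from the LXC project itself, covering the lxc.conf recipe in the quoted reply and Andy's "cannot see each other" requirement. Two veth interfaces attached to the same host bridge (the single br0 in the recipe) sit on one L2 segment, so Z1 and Z2 could reach each other before any routing or IPsec policy applies. The script below assumes, hypothetically, one host bridge per customer (br1 for Z1, br2 for Z2), the LXC 0.7-era lxc.network.* keys exactly as used in the reply, plus lxc.utsname and lxc.network.hwaddr from the same config format, and fixed MAC addresses so the bridge forwarding entries are predictable. It writes the two config files and refuses to go further if they would land on a shared bridge; the lxc-create/lxc-start invocations are left as a comment because they need a real host.

```shell
#!/bin/sh
# Added illustration for the lxc-users thread; not LXC's code and not the
# posters' code. Assumed (hypothetical) layout: container Z1 on host bridge
# br1, container Z2 on host bridge br2, fixed MACs in the 00:16:3e locally
# administered range.

# write_lxc_conf NAME BRIDGE HWADDR OUTDIR
# Writes OUTDIR/NAME.conf in the lxc.conf key=value format and prints its path.
write_lxc_conf() {
    name=$1; bridge=$2; hwaddr=$3; outdir=$4
    conf="$outdir/$name.conf"
    cat > "$conf" <<EOF
# $name: veth pair whose host end is attached to $bridge only
lxc.utsname = $name
lxc.network.type = veth
lxc.network.link = $bridge
lxc.network.flags = up
lxc.network.hwaddr = $hwaddr
EOF
    printf '%s\n' "$conf"
}

# bridge_of CONF
# Prints the lxc.network.link value (the host bridge the veth is plugged into).
bridge_of() {
    sed -n 's/^lxc\.network\.link *= *//p' "$1"
}

# isolated CONF_A CONF_B
# Succeeds only when both configs name a bridge and the bridges differ,
# i.e. the two containers do not share an L2 segment on the host.
isolated() {
    a=$(bridge_of "$1"); b=$(bridge_of "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# demo
# Builds both configs in a scratch directory and checks them before any
# container would be created.
demo() {
    dir=$(mktemp -d)
    z1=$(write_lxc_conf Z1 br1 00:16:3e:00:00:01 "$dir")
    z2=$(write_lxc_conf Z2 br2 00:16:3e:00:00:02 "$dir")
    if isolated "$z1" "$z2"; then
        echo "ok: Z1 on $(bridge_of "$z1"), Z2 on $(bridge_of "$z2")"
        # On a real host, per container (commands from the quoted reply):
        #   lxc-create -n Z1 -f "$z1" -t ubuntu
        #   lxc-start -n Z1
        return 0
    fi
    echo "refusing: Z1 and Z2 would share a host bridge" >&2
    return 1
}
```

The check is deliberately done on the config files rather than on a running host: it is the point at which a copy-paste of the single-br0 recipe for the second container would silently put both customers' tunnel endpoints on one broadcast domain. Separate bridges give the L2 separation the Crossbow setup provided; the IPsec policy inside each container then only has to worry about its own customer's overlapping 192.168.x ranges.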
