[Lxc-users] networking query
Andy Billington
andy at andybillington.com
Thu Jul 29 09:43:41 UTC 2010
On 29/07/2010 10:32, Daniel Lezcano wrote:
> On 07/29/2010 01:47 AM, Andy Billington wrote:
>> Firstly, I am just starting to look at LXC as a possible migration from
>> OpenSolaris, so excuse me if the question is obvious.
>> Reading what I have found so far, it seems clear that with a bridged
>> interface on the global side, the Containers can all have separate
>> network info (different IPs, subnets) and so on. The question I have
>> is can each container run an independent, totally isolated IP stack
>> (like OpenSolaris Crossbow) including completely separate routing
>> tables and IPSec configurations?
>
> Yes, each container has its own private network stack, the
> virtualization begins at the L2 layer. The container will have its own
> network interfaces. From the linux kernel point of view, it was
> modified to dynamically allocate a new kernel stack with a syscall.
>
> I don't use ipsec within a container, but as far as I remember that
> was implemented 2 years ago right after pushing the core network
> virtualization, so I think it is supported per container so far.
>
>> The problem I'm investigating is that I currently have two Zones in
>> Solaris, call them Z1 (10.1.1.1/24) and Z2 (10.1.2.1/24). These then
>> talk to customer networks via IPSec; call them Customer1 and
>> Customer2. The "fun" part is the Customer networking: Customer1 uses
>> 192.168.1.0/24 as their internal range (ie. "behind" the VPN tunnel,
>> my IPSec emerges on 192.168.1.252), and Customer2 uses 192.168.0.0/16
>> as their internal range. So, overlapping ranges.
>
> ok.
>
>> Z1 talks to Customer1, Z2 talks to Customer2, it is critical they
>> cannot "see" each other. Crossbow is doing it just fine;
>
> I am not sure I understand "they cannot see each other", can you
> elaborate a bit?
>
Z1 and Customer1 traffic must be able to route between each other, but
must not reach either Z2 or Customer2.
>> can LXC do the same thing?
>
> I never tried this configuration but at first glance, I think the
> linux kernel supports that.
> Maybe someone on this mailing list tried that ...
>
> If you expect LXC to do the VPN setup for you, that is not (yet)
> supported.
That's fine.
>
> If you expect to run a virtualized system like ubuntu inside a
> container, you can configure this system to create a vpn/ipsec by
> installing openvpn and whatever you need like any real host for your
> configuration. This is about an appliance to be created (there are
> some basic appliances available for lxc that you can improve).
>
It has got to be a full IPSec implementation, as in the future some Cisco IOS
endpoints are joining in. I was going to use Racoon/IPsec-tools?
>> If LXC can do it, are there any gotchas or suggestions as to the
>> best choice for IPSec setup / configuration?
>
> For testing that, I suggest creating an ubuntu system (on an ubuntu
> host) via the command:
>
> lxc-create -n Z1 -f lxc.conf -t ubuntu
>
> where lxc.conf is:
>
> lxc.network.type=veth
> lxc.network.link=br0
> lxc.network.flags=up
>
> Assuming you have a bridge br0 setup on your host with your nic
> attached to it.
>
> Then start the container:
>
> lxc-start -n Z1
>
> You will get a console, and you can log in with user: root / pwd: root
>
> At this point you can install/configure your container with openvpn.
>
> Hope that helps
> -- Daniel
>
Thank you! One completely unrelated question: is there an LXC way to
de-duplicate on storage for Containers? The Z1 virtual machine and the
Z2 virtual machine will be 95% identical, so I don't really want to have
disks eaten up with two copies of identical files.
Andy
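The isolation requirement discussed above (Z1 reaches Customer1 only, Z2 reaches Customer2 only, even though 192.168.1.0/24 sits inside 192.168.0.0/16) is exactly what a per-container routing table buys you. The following is an added illustration, not code from the thread or from the LXC project: it models one routing table per container namespace next to a single merged table, as a host without network namespaces would have, and shows where traffic would end up in each case. All addresses, interface names (eth0, ipsec-c1, ipsec-c2) and routes are constructed for the example.

```python
"""Model of per-container routing tables versus one shared table.

Added example for the overlapping-range isolation question; every
address, interface name and route below is constructed, not taken
from any real configuration.
"""
import ipaddress


def longest_prefix_match(table, dst):
    """Return the (prefix, iface) entry whose prefix most specifically
    contains dst, or None if nothing matches.  This mirrors the
    forwarding lookup the kernel performs on each routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, iface), net.prefixlen
    return best


def egress(table, dst):
    """Interface a packet to dst would leave on, or None if unroutable."""
    match = longest_prefix_match(table, dst)
    return match[1] if match else None


# Constructed routing tables, one per container network namespace.
Z1_ROUTES = [
    ("10.1.1.0/24", "eth0"),         # Z1's own subnet (hypothetical)
    ("192.168.1.0/24", "ipsec-c1"),  # Customer1 behind Z1's IPsec tunnel
]
Z2_ROUTES = [
    ("10.1.2.0/24", "eth0"),         # Z2's own subnet (hypothetical)
    ("192.168.0.0/16", "ipsec-c2"),  # Customer2 behind Z2's IPsec tunnel
]
# What a single, non-namespaced stack would hold: both sets merged.
SHARED_ROUTES = Z1_ROUTES + Z2_ROUTES

# Interfaces each container is allowed to use for egress.
Z1_IFACES = {"eth0", "ipsec-c1"}
Z2_IFACES = {"eth0", "ipsec-c2"}


def leaks(table, own_ifaces, destinations):
    """List (dst, iface) pairs where a destination would be sent out of an
    interface the container does not own, i.e. crosses the isolation
    boundary.  Unroutable destinations are not leaks."""
    found = []
    for dst in destinations:
        via = egress(table, dst)
        if via is not None and via not in own_ifaces:
            found.append((dst, via))
    return found


if __name__ == "__main__":
    probes = ["192.168.1.5", "192.168.7.9", "10.1.1.1", "10.1.2.1"]
    print("Z2 with its own table:", leaks(Z2_ROUTES, Z2_IFACES, probes))
    print("Z2 on a shared table: ", leaks(SHARED_ROUTES, Z2_IFACES, probes))
```

With separate tables, Z2's packet to 192.168.1.5 follows Z2's only matching route into Customer2's tunnel, and Z1 has no route at all to 10.1.2.1. On the merged table the longest-prefix rule wins and that same packet from Z2 is handed to Customer1's tunnel, which is precisely the cross-customer leak the thread wants to rule out; the merged table also makes each container's private subnet reachable from the other over eth0. The model covers routing only; a per-container IPsec policy database would be needed for the same argument at the SA level.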