[Lxc-users] Network interface isolation

jeetu.golani at gmail.com jeetu.golani at gmail.com
Mon May 14 16:48:29 UTC 2012


Just to add to this discussion for the benefit of someone else who
runs into a similar issue. Tried the following:

>> lxc.network.type = phys
>> lxc.network.link = eth0

This resulted in the container failing to start with:

lxc-start: failed to move 'eth0' to the container : Message too long
lxc-start: failed to create the configured network
lxc-start: failed to spawn 'test1'
lxc-start: Device or resource busy - failed to remove cgroup
'/var/local/cgroup/test1'

As per a previous thread here
http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00249.html

I changed to lxc.network.type = macvlan and it all works well now :)....
and, as Matthijs suggests, this now provides network isolation and a
single network interface eth0 in the container.

I am sure there is a very good reason, though I'm still not clear as to
why the default action for the container is to share the network stack
of the host in the absence of an explicit specification in the config
file. Could someone please point me to a discussion on this, just so I
can get a better understanding of lxc design decisions?

Are there other similar instances where I should make specific mention
in the config file in order to prevent accidental and inadvertent
sharing of resources between host and container?

Thanks again Matthijs and everyone here for all your help :)

Bye for now
Jeetu
ebrain.in | Beehive Computing
Discover and run software from devices around you - share your
software and computing resources. A GPLv3 licensed project.
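Added example (not from this thread or from the LXC project): a small POSIX sh audit that reads "lxc.network.*" style container configs and flags any container that, as described above, has no lxc.network.type line and therefore shares the host's network stack. It assumes the config layout DIR/<container>/config and builds its sample configs in a temp directory; the "none" and "empty" types are standard LXC values but are not mentioned in the thread.

```shell
#!/bin/sh
# Added example: audit LXC configs for accidental host-network sharing.

# Print the effective network mode of one LXC config file:
#   host-shared              no lxc.network.type line (the default), or "none"
#   isolated:<type>:<link>   a network type is configured (phys, macvlan, ...)
lxc_net_mode() {
    cfg=$1
    # First uncommented assignment wins; blanks around '=' are tolerated.
    net_type=$(sed -n 's/^[[:space:]]*lxc\.network\.type[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$cfg" | head -n 1)
    net_link=$(sed -n 's/^[[:space:]]*lxc\.network\.link[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$cfg" | head -n 1)
    case "$net_type" in
        ""|none) echo "host-shared" ;;
        empty)   echo "isolated:empty:lo" ;;
        *)       echo "isolated:$net_type:${net_link:--}" ;;
    esac
}

# Return 0 when every DIR/*/config isolates its network, 1 otherwise,
# printing each offending config path.
lxc_audit_dir() {
    rc=0
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        mode=$(lxc_net_mode "$cfg")
        case "$mode" in
            host-shared) echo "$cfg: shares host network stack"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (hypothetical containers, not real systems).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/noconf" "$SAMPLE_DIR/test1"
# noconf: no lxc.network.* line at all -> shares the host stack.
printf 'lxc.utsname = noconf\nlxc.rootfs = /var/lib/lxc/noconf/rootfs\n' \
    > "$SAMPLE_DIR/noconf/config"
# test1: the macvlan setting that worked in the thread; the phys line is
# commented out and must be ignored by the parser.
printf 'lxc.utsname = test1\n# lxc.network.type = phys\nlxc.network.type = macvlan\nlxc.network.link = eth0\n' \
    > "$SAMPLE_DIR/test1/config"

lxc_audit_dir "$SAMPLE_DIR" || echo "audit: unisolated containers found"
```

Run it against a real /var/lib/lxc (or wherever your containers live) by calling lxc_audit_dir with that directory instead of the sample one.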




On Mon, May 14, 2012 at 8:44 PM, jeetu.golani at gmail.com
<jeetu.golani at gmail.com> wrote:
> Thanks so much Matthijs :)....truly appreciate the help :)....will try
> this out :)
>
> Regards,
> Jeetu
> ebrain.in | Beehive Computing
> Discover and run software from devices around you - share your
> software and computing resources. A GPLv3 licensed project.
>
>
> On Mon, May 14, 2012 at 8:07 PM, Matthijs Kooijman <matthijs at stdin.nl> wrote:
>> Hi Jeetu,
>>
>>> I would appreciate if someone could shed light as to if this is normal
>>> and expected behaviour and if so how could I bring about network
>>> isolation within my container.
>> AFAIU, this is normal: If you don't configure any networks within the
>> lxc config file, no network isolation happens and the container shares
>> the same network stack as the host.
>>
>> So it should be sufficient to just add network configuration. For
>> example, to give the container access to (just) the eth0 device:
>>
>> lxc.network.type = phys
>> lxc.network.link = eth0
>>
>> I think these should be sufficient (not using this configuration myself,
>> though).
>>
>> Gr.
>>
>> Matthijs
>>
>>