[Lxc-users] Network interface isolation

Fajar A. Nugraha list at fajar.net
Tue May 15 05:13:10 UTC 2012


On Tue, May 15, 2012 at 10:22 AM, jeetu.golani at gmail.com
<jeetu.golani at gmail.com> wrote:
> Hi Fajar,
>
> Thanks for your response.
>
> I used the debian template and the config file does not (as far as I
> can tell) have any network related stanzas. Unfortunately this default
> behaviour led to the network stack being shared between the host and
> the container, as pointed out by Matthijs.

On an Ubuntu host at least, AFAIK using lxc templates will include the
network configuration from /etc/lxc/lxc.conf, which includes these
lines:

lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up

>
> Therefore, I was wondering if there are any other namespaces I should
> explicitly isolate so as to prevent them being inadvertently shared
> between host and container.

Again, the resulting config file provides a good starting point. On an
Ubuntu precise host, using the ubuntu template denies ALL devices (which
should include the host's eth) to the guest container, except the ones
specifically allowed:

#==========
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
#full
lxc.cgroup.devices.allow = c 1:7 rwm
#hpet
lxc.cgroup.devices.allow = c 10:228 rwm
#kvm
lxc.cgroup.devices.allow = c 10:232 rwm
#==================

-- 
Fajar
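A check a practitioner would want after reading this exchange, added here as an
example and not code from the thread or from the LXC project: a small Python
script that parses an LXC 0.x-style config (the `key = value` format quoted
above) and reports whether the container gets its own network namespace and a
deny-all device cgroup. ISOLATED_CONF reproduces the veth lines and an excerpt
of the device list posted above; SHARED_CONF is a constructed stand-in for a
template config with no network stanza. Treating `lxc.network.type = none` as
"shared" assumes LXC 1.0 or later, and the /proc/<pid>/ns/net helper assumes a
Linux 3.0 or later kernel; both are assumptions, not something this thread states.

```python
"""Static isolation check for an LXC config in the old `key = value` format.

Two properties are checked: (1) a network stanza exists, because without one
lxc-start does not unshare the network namespace and the container shares the
host's stack; (2) the device cgroup starts from `devices.deny = a` and only
lists explicit exceptions.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]

# Veth lines from /etc/lxc/lxc.conf plus an excerpt of the ubuntu template's
# device list, both as quoted in the thread.
ISOLATED_CONF = """\
lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
"""

# Constructed stand-in for a template config with no lxc.network.* stanza and
# no device cgroup policy (hypothetical container name and paths).
SHARED_CONF = """\
lxc.utsname = debian-test
lxc.tty = 4
lxc.rootfs = /var/lib/lxc/debian-test/rootfs
lxc.mount = /var/lib/lxc/debian-test/fstab
"""

# One device rule: type (a/b/c), major:minor with '*' wildcards, access r/w/m.
DEVICE_RULE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")


def parse_lxc_config(text: str) -> List[Entry]:
    """Return (key, value) pairs in file order; '#' starts a comment.
    Duplicate keys are kept because order matters for cgroup deny/allow."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed config line: {raw!r}")
        entries.append((key.strip(), value.strip()))
    return entries


def check_isolation(entries: List[Entry]) -> Dict[str, object]:
    """Evaluate network-namespace and device-cgroup isolation of a parsed config."""
    warnings: List[str] = []

    net_types = [v for k, v in entries if k == "lxc.network.type"]
    if not net_types or "none" in net_types:
        network = "shared"
        warnings.append("no network stanza (or type none): container runs in "
                        "the host's network namespace")
    else:
        network = "isolated"
        if "veth" in net_types and not any(k == "lxc.network.link" for k, _ in entries):
            warnings.append("veth without lxc.network.link: host-side interface "
                            "is not attached to any bridge")

    # The devices cgroup starts permissive; only `deny = a` flips it to an
    # allow-list, and it also discards any allow rules written before it.
    default = "allow"
    allowed: List[Tuple[str, str, str, str]] = []
    for key, value in entries:
        if key == "lxc.cgroup.devices.deny":
            if value.split()[0] == "a":
                default = "deny"
                allowed = []
            continue
        if key != "lxc.cgroup.devices.allow":
            continue
        m = DEVICE_RULE.match(value)
        if not m:
            warnings.append(f"unparseable device rule: {value!r}")
            continue
        kind, major, minor, access = m.groups()
        allowed.append((kind, major, minor, access))
        if major == "*" and set(access) & {"r", "w"}:
            warnings.append(f"wildcard-major rule {value!r} grants {access} "
                            f"on every {kind} device")
    if default != "deny":
        warnings.append("no 'lxc.cgroup.devices.deny = a': host block/char "
                        "devices stay reachable from the container")

    return {"network": network, "devices_default": default,
            "allowed": allowed, "warnings": warnings}


def net_namespace_id(pid: int) -> Optional[str]:
    """Runtime cross-check (Linux 3.0+): /proc/<pid>/ns/net is a symlink such as
    'net:[4026531956]'; equal targets for the host's init and the container's
    init mean they share one network namespace. Returns None where unavailable."""
    try:
        return os.readlink(f"/proc/{pid}/ns/net")
    except OSError:
        return None


if __name__ == "__main__":
    for name, conf in (("isolated", ISOLATED_CONF), ("shared", SHARED_CONF)):
        result = check_isolation(parse_lxc_config(conf))
        print(name, result["network"], result["devices_default"])
        for w in result["warnings"]:
            print("  WARNING:", w)
```

To check a real container, feed /var/lib/lxc/<name>/config to parse_lxc_config,
and for a running one compare net_namespace_id(1) on the host with the same call
on the container's init PID: identical strings mean the stack is shared.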