[Lxc-users] lxcbr0 versus virbr0 (Ubuntu)

Christoph Mitasch cmitasch at thomas-krenn.com
Thu Nov 8 18:54:41 UTC 2012


I started to run LXC in production with Ubuntu 12.04 a few months ago. Without any problems so far too.

See my comments to your questions inline:

> Reading https://help.ubuntu.com/12.04/serverguide/lxc.html it says
> one can use lxcbr0 or virbr0 for bridging, but without further
> explanation.

> What is "better"? Or is lxcbr0 only for NAT?
> Is virbr0 the successor of br0?
> Probably I am missing some basic documentation...

See /etc/default/lxc for a short explanation of lxcbr0.
My experience was that this ensures that a newly created container without any network configuration has outgoing access to the network/Internet.

See /etc/init/lxc-net.conf for details. Actually a minimal DHCP + MASQUERADING environment is set up in the network using dnsmasq and iptables.

I'm not using the lxcbr0 bridge, it's just nice for fresh installations where you have Internet access automatically after installing.

If you set your own network bridge (lxc.network.type=veth, lxc.network.link=br0, lxc.network.flags=up) for a container, everything should work for you as in the past.

> The new server has six GbE interfaces and I have set up "ethernet
> bonding":
> three real interfaces build one virtual interface.
> I have successfully assigned a single test-IP to bond1:
> root@vms3:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> UG    100    0        0 bond0
> U     0      0        0 lxcbr0
> U     0      0        0 bond1
> U     0      0        0 bond0
> U     1000   0        0 bond0
> (lxcbr0 was automatically started when I installed lxc)

I've set up my bridge using /etc/network/interfaces. You can disable lxcbr0 if you don't like it in /etc/default/lxc.
# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers.  Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.

I would also like to point out the new AppArmor profile that is automatically assigned to containers since Ubuntu 12.04. That enhances the security of the containers.


PS: I just came back from a great LinuxCon in Barcelona. I did a presentation about LXC there. If you're interested:

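Added example, not part of the original post or of LXC itself: a small audit that reads a container config together with /etc/default/lxc and reports whether the container sits on the NAT bridge lxcbr0 or on an admin-defined bridge such as br0, and whether AppArmor confinement has been switched off. The file contents are constructed samples; the lxc.aa_profile key and the treatment of an absent USE_LXC_BRIDGE as "true" are assumptions.

```python
# Added example, not from the original post. File contents are constructed samples.
NAT_BRIDGE = "lxcbr0"  # bridge set up by /etc/init/lxc-net.conf (dnsmasq + iptables)
DEFAULT_LXC = '# constructed /etc/default/lxc\nUSE_LXC_BRIDGE="false"\n'
CONF_OWN_BRIDGE = """# constructed container config on the host's own bridge
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
"""
CONF_NAT_UNCONFINED = """# constructed container config still pointing at lxcbr0
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.aa_profile = unconfined
"""

def parse_kv(text):
    """Return (key, value) pairs from 'key = value' lines, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs

def audit(default_lxc, container_conf):
    """Return findings for one container config, given the host's /etc/default/lxc."""
    defaults = dict(parse_kv(default_lxc))
    conf = parse_kv(container_conf)
    nat_enabled = defaults.get("USE_LXC_BRIDGE", "true") == "true"  # assumed default
    links = [v for k, v in conf if k == "lxc.network.link"]
    findings = []
    for link in links:
        if link != NAT_BRIDGE:
            findings.append(f"bridged: {link} is a bridge managed by the host admin")
        elif nat_enabled:
            findings.append("nat: lxcbr0, DHCP from dnsmasq, outbound via MASQUERADE")
        else:
            findings.append('broken: lxcbr0 referenced but USE_LXC_BRIDGE is not "true"')
    if not links:
        findings.append("no-bridge: no lxc.network.link in this config")
    # Assumption: lxc.aa_profile is the key that selects the AppArmor profile.
    if ("lxc.aa_profile", "unconfined") in conf:
        findings.append("apparmor: container runs unconfined")
    return findings

if __name__ == "__main__":
    print([audit(DEFAULT_LXC, c) for c in (CONF_OWN_BRIDGE, CONF_NAT_UNCONFINED)])
```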