[Lxc-users] local subnet

Michael H. Warfield mhw at WittsEnd.com
Sat Aug 3 22:04:36 UTC 2013


On Sat, 2013-08-03 at 22:23 +0100, Bretton Woods wrote: 
> the answer is probably yes.
> 
> 
> is it possible to create a container without a network bridge that is
> on the same subnet as the host?

I believe that is what "macvlan" was supposed to be for but I never had a
good experience with it (ongoing host to container issue that may or may
not have been resolved in the kernel - I gave up long ago).  I generally
used bridged, one way or another.
> 
> In fact why do we always create a bridge and another subnet?

I don't understand this question.  You have two parts which are
orthogonal.

Quite literally, the only differences between "bridged mode", "nat
mode", and "routed mode" are whether the host interface is a member of
the bridge and your router/nat configurations.

If the host interface is a member of the common bridge, you are in a
fully bridged mode and you don't need another subnet and your guests are
part of the host's subnet.

If it's not, you're generally (default) assigning a private address to
the bridge and using NAT (nat mode) or (very rare) assigning a global
unicast IPv4 block to the bridge and using true routing for "routed
mode" with static routes on your host.

The key to all three modes is that bridge, which acts as an internal
etherswitch on the host (some literature even refers to it as a virtual
lan).  So the "and another subnet" actually only applies to two of those
three modes (and routed mode is so rare, I'm tempted to say it doesn't
really count).

Also, if you really REALLY want to get bitching complex, you can use a
hybrid mode with IPv4 and IPv6 where IPv4 is routed / nated and IPv6 is
bridged directly.  Then your IPv4 networking is on separate subnets but
your IPv6 routing is on a flat SLA (IPv6 subnet) and managed by the
common router and its RAs (router advertisements).  That requires
creative use of the mac level firewalling (ebtables) and is not
recommended unless you're a real masochistic experimenter like I am.

> bretton
> 
> 
> Just one of those thoughts :)
> 
Interesting thoughts but you have other options.  What you are referring
to is merely the default.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
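The "bridged mode" versus "nat mode" distinction made above, as an added example that is not part of the original mail or the LXC project: the guest's lxc config is identical in both modes, and the only host-side difference is whether eth0 joins the bridge or the bridge gets a private address behind forwarding and MASQUERADE. Interface names, the bridge name and all addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: the host-side commands that
# separate "bridged mode" from "nat mode". Interface names, bridge name and
# addresses are assumed placeholders; commands are printed unless APPLY=1.
HOST_IF="${HOST_IF:-eth0}"
BRIDGE="${BRIDGE:-lxcbr0}"
HOST_ADDR="${HOST_ADDR:-192.0.2.10/24}"   # host's LAN address (constructed)
NAT_NET="${NAT_NET:-10.0.3.0/24}"         # private guest block (constructed)
NAT_GW="${NAT_GW:-10.0.3.1/24}"           # bridge address in nat mode

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Common to every mode: the bridge that acts as the host's internal etherswitch.
make_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$BRIDGE" up
}

# Bridged mode: the host NIC joins the bridge and the host's address moves onto
# it, so guests are L2 peers on the host's subnet with no routing hop and no
# host netfilter between them and the LAN.
bridged_mode() {
    make_bridge
    run ip addr flush dev "$HOST_IF"
    run ip link set "$HOST_IF" master "$BRIDGE"
    run ip addr add "$HOST_ADDR" dev "$BRIDGE"
}

# NAT mode: the host NIC stays out of the bridge; the bridge gets a private
# address and the host forwards and masquerades, so its FORWARD chain mediates
# everything guests send toward the LAN.
nat_mode() {
    make_bridge
    run ip addr add "$NAT_GW" dev "$BRIDGE"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NAT_NET" ! -o "$BRIDGE" -j MASQUERADE
    run iptables -A FORWARD -i "$BRIDGE" -o "$HOST_IF" -j ACCEPT
    run iptables -A FORWARD -i "$HOST_IF" -o "$BRIDGE" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
}

# Guest side: the same lxc 0.9-era config keys serve both modes.
container_config() {
    printf 'lxc.network.type = veth\nlxc.network.link = %s\nlxc.network.flags = up\n' "$BRIDGE"
}

case "${1:-}" in bridged) bridged_mode ;; nat) nat_mode ;; config) container_config ;; esac
```

Run it as `sh modes.sh bridged` or `sh modes.sh nat` to review the command list first; only `APPLY=1` actually changes the host.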