[Lxc-users] local subnet

Bretton Woods woods.bretton at yahoo.co.uk
Sat Aug 3 23:04:23 UTC 2013


Apols, my usual norm is tangential but seems I have gone worse... :)

I have been thinking of LXC in terms of server services where the case is often that servers and clients are on the same subnet.

Kerberos and authentication, Cups and various others not exactly true but simple same subnet routing.

I guess the bridge and another subnet was chosen purely to stop clashes with the physical host subnet.

My mind was mulling over the idea of a samba4, proxy, email... lxc containers all running isolated but authenticating via kerb and samba4.

That way I could use a single server and as the system grows it's quite simple to hop from container to dedicated server.
________________________________
 From: Michael H. Warfield <mhw at WittsEnd.com>
To: Bretton Woods <woods.bretton at yahoo.co.uk> 
Cc: mhw at WittsEnd.com; "lxc-users at lists.sourceforge.net" <lxc-users at lists.sourceforge.net> 
Sent: Saturday, 3 August 2013, 23:04
Subject: Re: [Lxc-users] local subnet
 

On Sat, 2013-08-03 at 22:23 +0100, Bretton Woods wrote: 
> the answer is probably yes.
> 
> 
> is it possible to create a container without a network bridge that is
> on the same subnet as the host?

I believe that is what "macvlan" was supposed to be for but I never had a
good experience with it (ongoing host to container issue that may or may
not have been resolved in the kernel - I gave up long ago).  I generally
used bridged, one way or another.
> 
> In fact why do we always create a bridge and another subnet?

I don't understand this question.  You have two parts which are
orthogonal.

Quite literally, the only differences between "bridged mode", "nat
mode", and "routed mode" is whether the host interface is a member of
the bridge and your router/nat configurations.

If the host interface is a member of the common bridge, you are in a
fully bridged mode and you don't need another subnet and your guests are
part of the host's subnet.

If it's not, you're generally (default) assigning a private address to
the bridge and using NAT (nat mode) or (very rare) assigning a global
unicast IPv4 block to the bridge and using true routing for "routed
mode" with static routes on your host.

The key to all three modes is that bridge, which acts as an internal
etherswitch on the host (some literature even refers to it as a virtual
lan).  So the "and another subnet" actually only applies to two of those
three modes (and routed mode is so rare, I'm tempted to say it doesn't
really count).

Also, if you really REALLY want to get bitching complex, you can use a
hybrid mode with IPv4 and IPv6 where IPv4 is routed / nated and IPv6 is
bridged directly.  Then your IPv4 networking is on separate subnets but
your IPv6 routing is on a flat SLA (IPv6 subnet) and managed by the
common router and its RAs (router advertisements).  That requires
creative use of the mac level firewalling (ebtables) and is not
recommended unless you're a real masochistic experimenter like I am.

> bretton
> 
> 
> Just one of those thoughts :)
> 
Interesting thoughts but you have other options.  What you are referring
to is merely the default.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
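As an added illustration of the distinction Mike draws above (not code from the thread or from the LXC project): a small POSIX shell script that tells the three modes apart for a given host bridge by checking the two facts he names, whether the physical uplink is a bridge port and whether the bridge's subnet is masqueraded. SYSFS_ROOT and NAT_RULES are hypothetical overrides so the checks can run against constructed data; on a real host leave both unset.

```shell
#!/bin/sh
# Classify an LXC host bridge as bridged, nat or routed.
# SYSFS_ROOT / NAT_RULES are hypothetical overrides for offline runs.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# bridge_members BRIDGE: print the bridge's member ports, one per line.
# The kernel lists them as entries under /sys/class/net/<bridge>/brif/.
bridge_members() {
    [ -d "$SYSFS_ROOT/$1/brif" ] || return 1
    ls "$SYSFS_ROOT/$1/brif"
}

# has_uplink BRIDGE UPLINK: succeed if UPLINK (e.g. eth0) is a bridge port.
has_uplink() {
    bridge_members "$1" | grep -qx "$2"
}

# nat_rules: POSTROUTING NAT rules in "iptables -S" form.
# NAT_RULES, if set, replaces the live query (constructed data in tests).
nat_rules() {
    if [ -n "${NAT_RULES+x}" ]; then
        printf '%s\n' "$NAT_RULES"
    else
        iptables -t nat -S POSTROUTING 2>/dev/null
    fi
}

# is_nated SUBNET: succeed if a MASQUERADE/SNAT rule covers SUBNET.
is_nated() {
    nat_rules | grep -- "-s $1" | grep -Eq -- '-j (MASQUERADE|SNAT)'
}

# bridge_mode BRIDGE UPLINK SUBNET: print bridged | nat | routed.
#   bridged: uplink is a port, guests sit on the host's own subnet, no NAT
#   nat:     uplink is not a port, private subnet on the bridge, masqueraded
#   routed:  uplink is not a port, no NAT, subnet reached via static routes
bridge_mode() {
    if has_uplink "$1" "$2"; then
        echo bridged
    elif is_nated "$3"; then
        echo nat
    else
        echo routed
    fi
}
```

Run it as `bridge_mode lxcbr0 eth0 10.0.3.0/24` on the host to see which of the three modes its default bridge is actually in.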