[Lxc-users] Nested container networking problem
Serge Hallyn
serge.hallyn at canonical.com
Mon Feb 11 17:05:54 UTC 2013
Quoting Randy Wilson (randyedwilson at gmail.com):
> Hi,
>
> Here's a brief summary of the issue, as this is quite a lengthy post:
>
> * Ubuntu 12.04 host with eth0 bridged with br0 and lxcbr0 not used
> * Ubuntu 12.04 container configured with macvlan,
> lxc-container-with-nesting AppArmor profile running LXC with lxcbr0
> configured on 10.16.0.1/12
> * Ubuntu 12.04 nested container with veth configured on 10.16.4.76/12
> with default AppArmor profile
> * Nested container's external communication is received by the remote
> end but the response is not routed back from the first container to
> the nested container.
>
>
> The full details:
>
> I've followed Stéphane Graber's excellent guide to create a nested
> container on Ubuntu 12.04:
>
> https://www.stgraber.org/2012/05/04/lxc-in-ubuntu-12-04-lts/
>
> The only difference with my setup is that the host does not make use
> of the lxcbr0 bridge and the first level container uses macvlan
> networking:
>
> host# cat /etc/network/interfaces
> ...
> iface eth0 inet manual
>
> auto br0
> iface br0 inet static
> address xx.xx.xx.12
> netmask 255.255.255.0
> gateway xx.xx.xx.1
> dns-nameservers 8.8.8.8
> bridge_ports eth0
> ...
>
> host# cat /var/lib/lxc/first/config
> lxc.network.type = macvlan
> lxc.network.macvlan.mode = bridge
> lxc.network.link = br0
This is your problem. Yes, the first container works - and I'm
surprised that it does, actually.
The nested container will work fine if you don't bridge eth0. It's
not just network containers that fail; manually creating a veth pair
and passing it into a fresh network namespace also results in an inability
to reach the host from the new net_ns.
I don't know whether this would be a bug in the bridging or macvlan
code, or just a result of the weirdness that is macvlan.
-serge
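As an added check that is not part of this thread: a small POSIX sh function that scans a container config in the legacy lxc.network.* format shown above and reports any macvlan interface whose lxc.network.link is itself a Linux bridge (detected via the /sys/class/net/<if>/bridge directory that only bridge devices have), which is the layout Serge points at. SYSFS_ROOT is an assumed variable that lets the check run against a fake sysfs tree.

```sh
#!/bin/sh
# Added example (not from the lxc-users thread): flag macvlan interfaces
# attached to a Linux bridge in an LXC container config.
# Assumes legacy "lxc.network.*" keys, one "lxc.network.type" line per
# interface stanza. SYSFS_ROOT (assumed name) overrides /sys for testing.

# Report the stanza collected so far if it is a macvlan on a bridge.
_eval_stanza() {
    [ "$type" = "macvlan" ] || return 0
    [ -n "$link" ] || return 0
    if [ -d "$sysfs/class/net/$link/bridge" ]; then
        printf "macvlan (mode=%s) on bridge '%s': nested-container replies may not come back\n" \
            "${mode:-unset}" "$link"
        count=$(( count + 1 ))
    fi
}

# check_macvlan_on_bridge CONFIG
# Prints one line per offending interface; exit status is the number found
# (0 means the config is clean).
check_macvlan_on_bridge() {
    config="$1"
    sysfs="${SYSFS_ROOT:-/sys}"
    count=0
    type=""; link=""; mode=""
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(printf '%s' "$raw" | sed 's/#.*//')          # drop comments
        case "$line" in *=*) ;; *) continue ;; esac           # skip non key=value
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            lxc.network.type)          _eval_stanza; type=$val; link=""; mode="" ;;
            lxc.network.link)          link=$val ;;
            lxc.network.macvlan.mode)  mode=$val ;;
        esac
    done < "$config"
    _eval_stanza
    return "$count"
}
```

Run it as `check_macvlan_on_bridge /var/lib/lxc/first/config` on the host; a non-zero exit status means at least one macvlan sits on a bridge.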