[Lxc-users] appropriate architecture for two sets of containers on one host

Mike sourceforge at good-with-numbers.com
Thu Mar 14 03:04:43 UTC 2013


Guido, thanks for the reply.

Guido Jäkel wrote:
> if your separate networks are already organized with VLANs externally, 
> then you might use it (like me) in the following way:
> 
> -{vlan-trunk}--[eth0]--+--[vlaNNN]--{vlanNNN}--[brNNN]--+--[veth.c1|eth0]
>                        |                                +--[veth.c2|eth0]
>                        +--[vlanMMM]--....
> 
> On your host, attach vlan adapters to the physical interface. This 
> will switch it into promiscuous mode (L2 mode) and needs no IP (L3) 
> configuration. Each vlan interface will untrunk one vlan. Then 
> connect bridges to these vlan interfaces. Also, as the bridge is an L2 
> device, it needs no IP configuration. But you may use the bridge's IP 
> configuration parameters to access this net on the host; think of it as 
> an additional virtual network card which is already connected to the 
> bridge. But normally, you don't want that and use an additional vlan 
> here. Attach an additional vlan adapter to the eth0 for this and 
> assign the host's IP config to it.

That's where I was headed.

I already use VLANs at the switch with PVIDs, as a security mechanism to 
separate traffic: between the firewall and each internal computer, from 
all other internal computers.  So the original configuration was:

+-------------------------------+
|+----+                         |
||    |------------+ c1         |
|| c1 | eth0/.17.3 |---\        |
||    |------------+  +-----+   |------------+
|+----+               | br1 |---| eth1/.17.2 |-----
|+----+               +-----+   |------------+
||    |------------+    |       |
|| c2 | eth0/.17.4 |---/        |
||    |------------+ c2         |
|+----+                         |
+-------------------------------+

with all the traffic going through the switch on VLAN 17.  So that 
became:

+------------------------------------------------+
|+----+                                          |
||    |------------+ c1                          |
|| c1 | eth0/.17.3 |---\                         |
||    |------------+  +--------+   +---------+   |------------+
|+----+               | br1.17 |---| eth1.17 |---| eth1/.17.2 |-----
|+----+               +--------+   +---------+   |------------+
||    |------------+    |                        |
|| c2 | eth0/.17.4 |---/                         |
||    |------------+ c2                          |
|+----+                                          |
+------------------------------------------------+

dropping the PVID from the switch.  But when I added another VLAN:

+------------------------------------------------+
|+----+                                          |
||    |------------+ c1                          |
|| c1 | eth0/.17.3 |---\                         |
||    |------------+  +--------+   +---------+   |------------+
|+----+               | br1.17 |---| eth1.17 |---| eth1/.17.2 |-----
|+----+               +--------+   +---------+ | |------------+
||    |------------+    |                      | |
|| c2 | eth0/.17.4 |---/                       | |
||    |------------+ c2                        | |
|+----+                                        | |
|                     +--------+   +---------+ | |
|                     | br1.18 |---| eth1.18 |-/ |
|                     +--------+   +---------+   |
+------------------------------------------------+

with

---------------------------------------------
iface eth1.18 inet manual

auto br1.18
iface br1.18 inet static
	bridge_ports eth1.18
	bridge_maxwait 0
	bridge_fd 0
	bridge_stp off
	address 192.168.18.2
	netmask 255.255.255.0
	gateway 192.168.18.1
	dns...

iface eth1.17 inet manual

auto br1.17
iface br1.17 inet static
	bridge_ports eth1.17
	bridge_maxwait 0
	bridge_fd 0
	bridge_stp off
	address 192.168.17.2
	netmask 255.255.255.0
	gateway 192.168.17.1
	dns...
---------------------------------------------

in /etc/network/interfaces, I got two default routes:

---------------------------------------------
host$ ip route show
192.168.18.0/24 dev br1.18  proto kernel  scope link  src 192.168.18.2 
192.168.17.0/24 dev br1.17  proto kernel  scope link  src 192.168.17.2 
default via 192.168.17.1 dev br1.17 
default via 192.168.18.1 dev br1.18 
---------------------------------------------

I'm curious how you configured yours.

> On the host's route, you need to switch the port for the host to 
> trunked vlan mode as if you will interconnect switches. And you should 
> prune the vlan trunk to the vlans you need to reduce the (broadcast) 
> traffic to the hosts interface.

I removed the PVID on the switch port, and placed the port into VLANs 17 
& 18.  Something I need to do on the host, too?  Not sure what 
configuration you're referring to there.

> But you may also do it without using vlans and may use good-old subnets 
> for separation. Then, just connect one bridge to the eth0 of the host 
> and also attach the veths of the containers to it. Here you probably 
> want to assign an IP to the bridge for accessing the host. Note that the 
> access to the subnet here is "selected" only by the IP configuration 
> inside the container.

I assume by "IP configuration" you mean "iptables configuration".
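As an added check (my own code, not from the thread), a small parser for the ifupdown stanzas quoted above that lists every stanza carrying a `gateway` option; ifupdown installs one default route per such stanza, which is why `ip route show` reported two. It assumes the Debian-style /etc/network/interfaces syntax and uses a constructed copy of the br1.17 / br1.18 stanzas as input.

```python
"""Flag the misconfiguration shown above: two static stanzas in an ifupdown
/etc/network/interfaces file each carrying a ``gateway`` line, which leaves the
host with two default routes."""

# Constructed sample mirroring the br1.17 / br1.18 stanzas in the post.
SAMPLE_INTERFACES = """\
iface eth1.18 inet manual

auto br1.18
iface br1.18 inet static
    bridge_ports eth1.18
    address 192.168.18.2
    gateway 192.168.18.1

iface eth1.17 inet manual

auto br1.17
iface br1.17 inet static
    bridge_ports eth1.17
    address 192.168.17.2
    gateway 192.168.17.1
"""


def parse_interfaces(text):
    """Return {iface: {option: value}} for each 'iface' stanza; 'auto',
    'allow-*' and 'source' lines end the current stanza, as in ifupdown."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "iface":           # iface <name> <family> <method>
            current = stanzas.setdefault(fields[1], {})
            current["_family"], current["_method"] = fields[2], fields[3]
        elif fields[0] in ("auto", "source") or fields[0].startswith("allow-"):
            current = None
        elif current is not None:
            current[fields[0]] = " ".join(fields[1:])
    return stanzas


def default_gateways(text):
    """Sorted (iface, gateway) pairs; more than one entry means the host will
    get one default route per stanza, exactly as 'ip route show' reported."""
    return sorted((name, opts["gateway"])
                  for name, opts in parse_interfaces(text).items()
                  if "gateway" in opts)
```

Keeping `gateway` on only one of the bridges (or placing the second default route in its own routing table with policy rules) leaves the host with a single default route.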