[lxc-users] Cannot create a macvlan private bridge on lx

[Jäkel, Guido]

Dear Anjali,

you'll know that a bridge acts at network layer 2, i.e. dealing just with the MACs.

In the typical usecase you want to bridge the hosts outside network to the containers. To archive this, you attach the hostside of the containers virtual NICs (which you can imagine as a "short wire" between the namespaces) to the bridge and also the hosts real NIC. While attaching to the bridge, the NICs are switches to "promiscuous mode", i.e. they don't care of matching IP addresses at layer 3 and accept any packet.

But now, how to connect the host with the outerworld, where to place the hosts layer 3 config? That's why you put this parameter set to the Linux software bridge: To act as an outgoing device of the hosts "IP stack".

If you leave this empty, the bridge is isolated from the host. If you don't attach a physical NIC to the bridge, it's isolated from the outer world.

From that Serge suggested to instanciate a bridge, attach the parties to it (layer 2) and choose some adequate layer3 network configuration to route IP traffic between them.


BTW: If you're dealing with VLANs, you may "first" attach vlan devices to your physical NIC on a trunk and "then" attach a couple of bridges to this vlan devices. This will allow you to host isolated sets of containers in different VLAN's, e.g. for staging purposes.

Guido

>-----Original Message-----
>From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On Behalf Of Anjali Kulkarni
>Sent: Wednesday, August 13, 2014 7:40 PM
>To: LXC users mailing-list
>Subject: Re: [lxc-users] Cannot create a macvlan private bridge on lx
>
>Yes, but does this not go through the host? That is, the host's
>eth0(management) has to be in this bridge? I want to be able to create
>multiple such bridges, so I cannot add the eth0 of host to every such
>bridge..
>This works already, I want a "private" bridge between VM and container,
>which does not go through the host.
>
>Anjali