[lxc-users] Router inside LXC with "lxc.network.type = phys" to the WAN-port

Thomas Huber miraculli at gmail.com
Thu Jan 30 15:29:09 UTC 2014


> On Thu, Jan 30, 2014 at 5:21 PM, Thomas Huber <miraculli at gmail.com> wrote:
> 
> > Hi out there,
> >
> > is it a good idea to set up a kind of virtual router inside an LXC?
> > I got a server with dual 1Gbit NIC and the server should run several
> > services.
> > I would also like to use it as a router and I thought it would be quite
> > nice to set it up inside an LXC by mapping the WAN-port with
> > "lxc.network.type = phys" to the container.
> >
> > first of all: is this a good idea?
> >
> >
> I suggest you try it, and see if it works for your case.
> 
> In my case, I tested using phys for a while on a container for a somewhat
> busy webserver. It worked fine initially, but the problem came when I
> shut down the container. The container is gone, but the interface was not
> visible on the host again, which makes it impossible to restart the container.
> 
> I ended up reverting to veth instead. Using that same container, the veth
> (on the host side) was not deleted when the container was destroyed, but I
> can force-destroy it using "ip link del" and "lxc.network.script.down".
> 
> 
> 
> > second: is it possible
> 
> 
> Possible, yes, as long as the needed iptables modules are already loaded on
> the host side.
> 
> 
> > to do all the firewalling inside the LXC or is it better (more secure) to
> > do this at the host?
> >
> >
> That is what I usually do.
> 
> -- 
> FAN

Thanks for your reply…
So you think it's no problem to map the WAN-port as "veth".
Just to avoid misunderstanding: you usually do what? Run the firewall inside LXC or on the host?

—
mirac
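
The veth cleanup mentioned in the quoted reply ("ip link del" run from "lxc.network.script.down"), sketched as an added example that is not part of the original messages. The hook path, bridge and interface names and the "veth-" prefix are hypothetical, and the argument order is assumed from lxc.container.conf(5).

```shell
#!/bin/sh
# Added example: host-side hook for "lxc.network.script.down" that removes a
# leftover veth peer. Container config it assumes (all names hypothetical):
#   lxc.network.type        = veth
#   lxc.network.link        = br-wan
#   lxc.network.veth.pair   = veth-router0
#   lxc.network.script.down = /usr/local/sbin/lxc-veth-down
# Assumed hook arguments, per lxc.container.conf(5):
#   $1 container name, $2 section ("net"), $3 context ("down"),
#   $4 network type, $5 host-side device name.

# Only interfaces with this prefix may be deleted (hypothetical convention),
# so a wrong argument can never remove eth0, a bridge or the WAN NIC.
ALLOWED_PREFIX="veth-"

# Print the cleanup command for a valid veth "down" call; return 1 otherwise.
veth_cleanup_cmd() {
    [ "$#" -eq 5 ] || return 1
    [ "$2" = "net" ] && [ "$3" = "down" ] && [ "$4" = "veth" ] || return 1
    case "$5" in
        "$ALLOWED_PREFIX"*) ;;
        *) return 1 ;;
    esac
    # Reject characters outside a conservative interface-name set, and
    # names longer than IFNAMSIZ-1 (15 bytes).
    case "$5" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#5}" -le 15 ] || return 1
    printf 'ip link del %s\n' "$5"
}

# Run as a hook: delete the peer only if it is still present on the host.
if [ "$#" -ge 1 ]; then
    if cmd=$(veth_cleanup_cmd "$@"); then
        if ip link show "$5" >/dev/null 2>&1; then
            # $cmd is safe to word-split: the device name was validated above.
            $cmd || logger -t lxc-veth-down "failed: $cmd (container $1)"
        fi
    fi
fi
```

The hook runs as root on the host, which is why it refuses any device name outside the allowed prefix instead of trusting its arguments.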



