[lxc-users] Packet flow from application running in container to physical NIC transmission

Jäkel, Guido G.Jaekel at dnb.de
Fri Jun 27 11:51:49 UTC 2014


Dear Mohit,

Please look out for some slide shows or blog articles about LXC. Maybe the following may help you to master the first hurdles, too:


* The "templates" are used to set up a (more-or-less) key-ready root filesystem of some Linux distribution. They will act as a bootstrapper and will download the files for a distribution. But you may also build up such a root file system by hand or with other tools. Especially, you may clone existing root filesystems or use things like snapshot techniques to have a prepared state.

* This root file system -- together with the configuration concerning the provided resources -- is used to drive an instance of a Container. Simply spoken, you need both of these for each container you want to start on your host.

* The thing called Container is a phenotype; it behaves like some kind of independent virtual machine. But the genotype is just a set of namespaces for different kernel resources like process IDs or the stuff forming the network stack. Such namespace features have been available in the Linux kernel for a long time and may be used separately, e.g. to control resources of a single task. But the basic idea of LXC is: get a bunch of all these namespaces using a certain name and then start the Unix root process (init) within them -- voilà, you get a Container with this name. It will start like any "normal" Linux at the point where the service daemons start.

* Within such a Container, you then may (in the simplest case: must) install the software you need, because without special attention the Containers are totally independent. But in the most common use case this is exactly what you want (or expect).

* To interface a Container with the real world, you typically provide both hardware and software resources to it in an abstract way: the Container doesn't need to care about hardware devices, drivers or anything like this. It may not even need to mount file systems, because they are passed in ready to use. You get some network interface, and it's typically ready to use because it's configured from outside at the start of the Container. That's the convenience use case; if you have special needs you may "incorporate" control of software and hardware resources for exclusive use into a Container.


I'm not sure what you understand by the term "developer's perspective" (of the networking). I would say the developer's point of view of the networking layer is a set of system calls, and there's no difference within a container. If you say the network setup is admin level, then even on a normal Unix your borderline is handling sockets.

From the network admin point of view, an LXC container mostly uses the virtual ethernet device (veth) as a phenotypical linkage between the Host (appearing e.g. as veth...) and the Container (appearing e.g. as eth0). In its genotype, this is like a direct virtual L2 connection between the network namespaces of the container and the host. But because it's all within the same kernel and the same stack, to my knowledge there is no real packet flow but just a namespace relabeling. In a typical setup, one has attached the host side of the veths to a software bridge which is also attached to a "real" NIC on the host.

greetings

Guido
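As an added illustration of the veth/bridge topology described in the reply above (this script is not part of the original mail and is not LXC's own code), the following builds the same path by hand with iproute2 network namespaces instead of a full LXC container: the namespace is the container's network stack, one end of the veth pair appears inside it as eth0, the host end is a port on a software bridge, and the host's physical NIC is another port on that bridge. The namespace name c1, the interface names veth-c1, br0 and eth1, and the 10.0.3.0/24 addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): build the veth + bridge path
# described in the reply by hand with iproute2 network namespaces.
# Assumed names: namespace "c1", host-side veth "veth-c1", bridge "br0",
# physical uplink "eth1", container address 10.0.3.2/24 via gateway 10.0.3.1.
set -eu

# Print the commands that wire one namespace into the bridge.  Printing instead
# of executing lets the plan be reviewed (and tested) without CAP_NET_ADMIN.
# Arguments: NS HOSTVETH BRIDGE UPLINK ADDR/PREFIX GATEWAY
plan_container_net() {
    ns=$1; hostveth=$2; bridge=$3; uplink=$4; addr=$5; gw=$6
    cat <<EOF
# 1. The namespace is the container's private network stack (same kernel).
ip netns add $ns
# 2. A veth pair: host end $hostveth, container end temporarily ${hostveth}-p.
ip link add $hostveth type veth peer name ${hostveth}-p
# 3. Move the peer into the namespace and give it the name the container sees.
ip link set ${hostveth}-p netns $ns
ip netns exec $ns ip link set ${hostveth}-p name eth0
# 4. Software bridge on the host; the host-side veth and the real NIC are ports.
#    Once $uplink is a port, the host's own address must be moved onto $bridge.
ip link add $bridge type bridge
ip link set $hostveth master $bridge
ip link set $uplink master $bridge
ip link set $hostveth up
ip link set $uplink up
ip link set $bridge up
# 5. Configure the container's end from outside, as LXC does at container start.
ip netns exec $ns ip link set lo up
ip netns exec $ns ip addr add $addr dev eth0
ip netns exec $ns ip link set eth0 up
ip netns exec $ns ip route add default via $gw
EOF
}

# Execute the plan (needs root or CAP_NET_ADMIN); comment lines are ignored by sh.
apply_container_net() {
    plan_container_net "$@" | sh -e
}

# Show the two ends of the path: the container's eth0 and the bridge's ports.
# grep exits non-zero (and so does the script) if the bridge has no ports.
show_container_net() {
    ns=$1; bridge=$2
    ip netns exec "$ns" ip addr show dev eth0
    bridge link show | grep "master $bridge"
}

# Undo everything; deleting the namespace destroys the veth pair with it.
teardown_container_net() {
    ns=$1; bridge=$2; uplink=$3
    ip netns del "$ns"
    ip link set "$uplink" nomaster
    ip link del "$bridge"
}

# Dry run: print the plan.  As root, call apply_container_net with the same
# arguments, then show_container_net c1 br0 and teardown_container_net c1 br0 eth1.
plan_container_net c1 veth-c1 br0 eth1 10.0.3.2/24 10.0.3.1
```

plan_container_net only prints the commands, so the topology can be reviewed without privileges; apply_container_net runs them and needs CAP_NET_ADMIN. Two things are worth noticing from the host's side: once eth1 is a bridge port the host's own address has to live on br0, and every frame the container sends reaches the LAN through that bridge, so the bridge is where host-side filtering (bridge netfilter or ebtables rules) belongs when containers should not get unrestricted L2 access to the host's network.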


>-----Original Message-----
>From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On Behalf Of Mohit Saxena
>Sent: Friday, June 27, 2014 11:35 AM
>To: lxc-users at lists.linuxcontainers.org
>Subject: [lxc-users] Packet flow from application running in container to physical NIC transmission
>
>Hi all,
>
>I am a newbie to Linux containers; I am trying to understand the networking from the container to the physical NIC. Could any
>one of you please point me to some materials on this which will help from a developer perspective.
>
>I have got a lot of material, but all of those are from a Network admin perspective; nowhere do they talk about the
>internals within the containers.
>
>Till now what I understand is: when we start a new container using a predefined template, that template will help in
>understanding the library dependencies.
>
>But it will not start a new kernel within the Container, and the applications from the container will still use the Host Linux
>kernel for operation.
>
>In that manner, the Linux kernel has an inbuilt Network Stack, so all the containers will still use the same stack. Is it possible to
>use a different network stack within the container?
>
>--
>Thanks & Regards,
>Mohit Prakash Saxena
>Citrix R & D India Pvt. Ltd.
># 23 Residency Road,
>Bangalore - 560 025
>Tel: +91 80 6734 2000 / 1068
>Fax: +91 80 6734 2001 / Mb: +91 90368 98569
>Email: mohitprakash.saxena at citrix.com
>www.citrix.com
