[lxc-users] Internal networking of containers

Shidan shidan at gmail.com
Fri Sep 19 21:29:54 UTC 2014


First I spoke to soon (by saying the problem is fixed with dnat for the
output chain), now I can now ping the containers from the host and visa
versa but not container to container using the containers external IP.

Regarding your method, if you have IP aliases for the external addresses
for the containers, the mac address will not be the containers address but
the hosts and will get filtered by a significant number of upstream
switches depending on their configuration ... so in this case you will need
to use something like ebtables and put your switch in promiscuous mode,
which I can't do. I can't use macvlan either as I am running unprivileged
containers and it seems to be me it's not a very tested feature either.

So now I have:

                iptables  -t nat -D POSTROUTING -s <internal_ip> ! -d
10.0.3.0/24 -o eth0 -j SNAT --to-source <external_ip>
                iptables  -t nat -D PREROUTING -d <external_ip> -i eth0 -j
DNAT --to-destination <internal_ip>
                iptables  -t nat -D OUTPUT -d <external_ip> -j DNAT
--to-destination <internal_ip>

What am I missing for container to container addressing using the external
IPs?

-- Shidan Gouran

On Fri, Sep 19, 2014 at 12:51 AM, Dave Pedu <lxc at davepedu.com> wrote:
>
> Instead of using iptables, you can give a container an network interface
(for a total of two).
>
> On my system I have an ethernet bridge, br0, with the host's main
interface on in. Then, in a container's config -
>
> # primary, public interface 192.168.1.x from my router
> lxc.network.type = veth
> lxc.network.hwaddr = 00:16:3e:e1:92:a3
> lxc.network.link = br0
> lxc.network.flags = up
> lxc.network.name = eth0
> lxc.network.veth.pair = vethplex0
>
> # second, private interface 10.0.3.x
> lxc.network.type = veth
> lxc.network.hwaddr = 00:16:3e:e1:92:a4
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> lxc.network.name = eth1
> lxc.network.veth.pair = vethplex1
>
>
> On 2014-09-18 21:19, Shidan wrote:
>>
>> Just figured it out a fix, I think. For containers to address each
>> other by both external and internal IPs, I set the DNAT rule on the
>> OUTPUT and PREROUTING chain, instead of just on the PREROUTING as
>> above.
>>
>> On Thu, Sep 18, 2014 at 11:03 PM, Shidan <shidan at gmail.com> wrote:
>>
>>> I think the case of having a 1 to 1 assignment of external IPs to
>>> containers is an important use case to document somewhere.
>>>
>>> On Thu, Sep 18, 2014 at 12:09 PM, Shidan <shidan at gmail.com> wrote:
>>>
>>>> Hello I have multiple external IP addresses and set up iptables so
>>>> that each container is assigned one external IP on the lxcbr0
>>>> NATed bridge in a 1 to 1 fashion similar to this example:
>>>>
>>>> root at SERVER:/var/log# iptables -t nat -L
>>>> Chain PREROUTING (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> DNAT       all  --  anywhere
>>>>   188.227.224.138     to:10.0.3.2
>>>> DNAT       all  --  anywhere
>>>>   188.227.224.139     to:10.0.3.3
>>>>
>>>> Chain INPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>>
>>>> Chain POSTROUTING (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> SNAT       all  --  10.0.3.2            !10.0.3.0/24
>>>> [1]          to:188.227.224.138
>>>> SNAT       all  --  10.0.3.3            !10.0.3.0/24
>>>> [1]          to:188.227.224.139
>>>>
>>>> Now when I try to access a container from another container, I am
>>>> just hitting the host, so for ssh for example, even if I try the
>>>> IPs 188.227.224.139 or 10.0.3.3 from the 10.0.3.2 container I
>>>> will actually connect to the physical hosts SSH daemon. Everything
>>>> works fine from one connecting from/to external machines.
>>>>
>>>> What am I doing wrong.
>>
>>
>>
>>
>> Links:
>> ------
>> [1] http://10.0.3.0/24
>>
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140919/9c15cad6/attachment.html>


More information about the lxc-users mailing list