[lxc-users] networking and permissions questions

Joe McDonald ideafilter at gmail.com
Mon Apr 27 23:53:03 UTC 2015 

Hi,

I have 5 publicly routed ips from my isp.
On the host (Ubuntu 14.04.2 LTS)
Have /etc/network/interfaces as so:

# The loopback network interface
auto lo p4p1
iface lo inet loopback
iface p4p1 inet manual

auto br0
iface br0 inet static
  bridge_ports p4p1
  bridge_stp off
  bridge_fd 0
  bridge_maxwait 0

  address 104.250.137.138
  netmask 255.255.255.248
  gateway 104.250.137.137
  dns-nameservers 8.8.8.8
#-----------------------------------

I create a user (lxcuser) that will have unprivileged containers.

When I create containers, I edit (as user lxcuser):
~/.local/share/lxc/$container/config
and change:
lxc.network.ipv4 = $ipnumber
i.e.
lxc.network.ipv4 = 104.250.137.141

I also change
~/.local/share/lxc/$container/rootfs/etc/network/interfaces
and put in there like:

# The loopback network interface
auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

auto eth0
iface eth0 inet static
address 104.250.137.141
gateway 104.250.137.137
netmask 255.255.255.248
#--------------------------------------------

I have a couple of containers running and it shows:

lxc-ls --fancy
NAME         STATE    IPV4                              IPV6  GROUPS
AUTOSTART
-------------------------------------------------------------------------------
ubpdns       RUNNING  104.250.137.139                   -     -       NO
ubsharedweb  RUNNING  104.250.137.141, 104.250.137.141  -     -       NO

a few questions:

1) Do I need to specify this IP in both the
config file and the rootfs/etc/network/interfaces file?
Is there a better way to do this?

2) why does one container (ubsharedweb) show the same IP address twice?

3) How is user lxcuser able to just take whatever IP's it wants?
I have: "lxcuser veth lxcbr0 100" in /etc/lxc/lxc-usernet
So I'm guessing that is how it can do it, but how can I
constrain lxcuser to only use IP's within a certain range?

4) starting up a container (ubuntu 14.04) takes about 8 seconds, I can
then lxc-attach to it.  But it takes a couple of minutes before
I can ssh into it.  Is this normal?

5) in ~/.local/share/lxc I see:
drwxrwx---  3  296608 lxcuser  4096 Apr 27 16:08 ubsharedweb
should that container directory be owned by lxcuser or is 296608
the correct user id?  all container directories are the same
except for one which is lxcuser:lxcuser.  I don't know why the
one is different.

thanks in advance,
-joe

More information about the lxc-users mailing list