[lxc-users] Fun with lxc.network.type=phys

Fajar A. Nugraha list at fajar.net
Wed Jan 21 12:40:32 UTC 2015


On Wed, Jan 21, 2015 at 7:09 PM, scrumpyjack <scrumpyjack at me.com> wrote:

> Yes, I want to give a /32 to a container.
>
> If I stick to
>
> lxc.network.type = macvlan
> lxc.network.flags = up
> lxc.network.link = eth0
> lxc.network.name = eth1
> lxc.network.ipv4 = 21.45.463.23/32 (fake IP, obvs)
> lxc.network.ipv4.gateway = 21.45.463.23
>
> would you expect that to work?
>
>

Nope.

Your main mistake is that you thought that since the /32 IP works on the host
(e.g. when used as "eth0:1"), it would automagically work inside the
container: the host would simply "know" where to route the packet. It
doesn't work that way. Network-wise, the host and the container are two
separate entities, which might have a private link (i.e. through a private
bridge or something).

The generic explanation of a working setup can be "stolen" from the Xen wiki:
http://wiki.xen.org/wiki/Vif-route
Basically they use a combination of a /32, a specific route, and proxy ARP. I
use a similar but slightly different method.

This is on Ubuntu server. The host has 100.0.0.10/24, the router is on
100.0.0.1, and the container is on 100.0.0.11 (fake IPs, of course).
The host communicates with the container through a PRIVATE bridge with IP
192.168.124.1 (note that this IP doesn't even have to be in the same
network as the host's and container's IPs).

Relevant part of host's /etc/network/interfaces
###
auto eth0
iface eth0 inet static
address 100.0.0.10
netmask 255.255.255.0
gateway 100.0.0.1
# this works like proxy ARP: publish a static ARP entry so eth0 answers
# requests for the container's IP with its own MAC (IP forwarding must be on
# for the kernel to answer it)
up arp -i eth0 -Ds 100.0.0.11 eth0 pub || true

# this is an internal bridge used to connect the host to the container;
# it carries the private address the container uses as its gateway
auto br0
iface br0 inet static
address 192.168.124.1
netmask 255.255.255.255
bridge_ports none
bridge_maxwait 0
bridge_stp off
bridge_fd 0
# add specific route for the container IP
up ip route add 100.0.0.11/32 dev br0 || true
###


Relevant part of the container config. Note that this only sets the bridge and
a persistent vif MAC and name.
###
# veth pair attached to the host's private bridge
lxc.network.type = veth
lxc.network.link = br0
# fixed host-side name (shows up in brctl output) and fixed MAC
lxc.network.veth.pair = veth-c1-0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3E:FD:46:25
###


Relevant part of container's /etc/network/interfaces
###
auto eth0
iface eth0 inet static
        address 100.0.0.11
        netmask 255.255.255.255
        # on-link route to the host's br0 address: it is outside our /32,
        # so it must be reachable directly on eth0 before it can be a gateway
        up ip route add 192.168.124.1 dev eth0
        # ... and use it as the default route
        up ip route add default via 192.168.124.1
###


Relevant output of several commands on the host
###
# ip route
...
default via 100.0.0.1 dev eth0
100.0.0.0/24 dev eth0  proto kernel  scope link  src 100.0.0.10
100.0.0.11 dev br0  scope link
...

# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
...
100.0.0.11            ether   00:16:3e:fd:46:25   C                     br0
100.0.0.11            *       <from_interface>    MP                    eth0
...

# brctl show
bridge name	bridge id		STP enabled	interfaces
...
br0		8000.feb01cb4ee91	no		veth-c1-0
...
###

-- 
Fajar
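The routed /32 layout described in the message above, rebuilt in Linux network namespaces as an added example (this is not code from the original post or from LXC). It keeps the addresses from the post and uses the iproute2 equivalents of the ifupdown lines: `ip neigh add proxy` stands in for `arp -Ds ... pub`, and IP forwarding is enabled explicitly because the kernel only answers a published ARP entry when forwarding is on and the target routes out a different interface. The namespace names (`lab-*`) and the router-side veth name (`r-eth0`) are constructed for the lab.

```sh
#!/bin/sh
# Added example, not code from the original post: rebuild the routed /32 layout
# inside network namespaces so the design can be checked on a lab box before it
# touches a real host. Addresses are the ones from the post; the namespace and
# veth names (lab-*, r-eth0) are constructed for this lab.
#
#   lab-router (100.0.0.1/24) --veth-- eth0 100.0.0.10/24 [lab-host]
#   [lab-host] br0 192.168.124.1/32 --veth-- eth0 100.0.0.11/32 [lab-ct]
#
# iproute2 equivalents of the ifupdown lines in the post:
#   arp -i eth0 -Ds 100.0.0.11 eth0 pub  ->  ip neigh add proxy 100.0.0.11 dev eth0
#   ip route add 100.0.0.11/32 dev br0    ->  unchanged
# The kernel only answers a proxy/published ARP entry when forwarding is on and
# the target routes out a different interface, so ip_forward is set explicitly.
# Needs root (CAP_NET_ADMIN + CAP_SYS_ADMIN), iproute2 and ping.

ROUTER_IP=100.0.0.1
HOST_IP=100.0.0.10
CT_IP=100.0.0.11
BR_IP=192.168.124.1   # private; deliberately not inside 100.0.0.0/24
NS_R=lab-router
NS_H=lab-host
NS_C=lab-ct

# Host-side plan for one routed /32. Pure: prints commands, touches nothing,
# so it can be reviewed or diffed against a live host before being applied.
host_plan() {
    ct_ip=$1; uplink=$2; bridge=$3; bridge_ip=$4
    cat <<EOF
ip link add $bridge type bridge
ip addr add $bridge_ip/32 dev $bridge
ip link set $bridge up
ip route add $ct_ip/32 dev $bridge
ip neigh add proxy $ct_ip dev $uplink
sysctl -q -w net.ipv4.ip_forward=1
EOF
}

lab_up() {
    for ns in $NS_R $NS_H $NS_C; do ip netns add "$ns"; done
    # LAN: router <-> host uplink
    ip link add r-eth0 type veth peer name eth0 netns "$NS_H"
    ip link set r-eth0 netns "$NS_R"
    ip -n "$NS_R" addr add "$ROUTER_IP/24" dev r-eth0
    ip -n "$NS_R" link set r-eth0 up
    ip -n "$NS_H" addr add "$HOST_IP/24" dev eth0
    ip -n "$NS_H" link set eth0 up
    # host: bridge, /32 route, published ARP, forwarding ($cmd is word-split on purpose)
    host_plan "$CT_IP" eth0 br0 "$BR_IP" |
        while read -r cmd; do ip netns exec "$NS_H" $cmd; done
    # host <-> container link on the private bridge (veth-c1-0, as in the post)
    ip link add veth-c1-0 type veth peer name eth0 netns "$NS_C"
    ip link set veth-c1-0 netns "$NS_H"
    ip -n "$NS_H" link set veth-c1-0 master br0 up
    # container: /32 address, on-link route to the bridge IP, default via it
    ip -n "$NS_C" addr add "$CT_IP/32" dev eth0
    ip -n "$NS_C" link set eth0 up
    ip -n "$NS_C" route add "$BR_IP" dev eth0
    ip -n "$NS_C" route add default via "$BR_IP"
}

# Both directions must work: the router's ARP for the /32 is answered by the
# host's published entry, and the container's replies leave via 192.168.124.1.
lab_verify() {
    ip netns exec "$NS_R" ping -c 1 -W 2 "$CT_IP" >/dev/null &&
    ip netns exec "$NS_C" ping -c 1 -W 2 "$ROUTER_IP" >/dev/null &&
    ip -n "$NS_H" neigh show proxy | grep -q "$CT_IP"
}

lab_down() {
    for ns in $NS_R $NS_H $NS_C; do ip netns del "$ns" 2>/dev/null || true; done
}

case "${1:-plan}" in
    plan)   host_plan "$CT_IP" eth0 br0 "$BR_IP" ;;
    up)     lab_up ;;
    verify) lab_verify && echo "router <-> container reachable through the host" ;;
    down)   lab_down ;;
esac
```

Run it as root with `sh lab.sh up && sh lab.sh verify; sh lab.sh down`; `sh lab.sh plan` prints the host-side commands without touching anything. One side effect worth knowing about: because the only route to the container is the /32 on br0, a host with `rp_filter` in strict mode (1) on br0 will also drop anything the container sends with a source address other than 100.0.0.11, since the reverse path for any other address points at eth0; in loose mode (2) that check does not apply.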