[lxc-users] "mesh networking" for lxc containers (similar to weave)?

brian mullan bmullan.mail at gmail.com
Tue Jun 23 13:12:30 UTC 2015


First, I would say that I only read about Canonical's FAN yesterday so have
no insight into what it can or can't do.

This spring I spent time looking at various solutions for network overlays
because of my interest in SDN and LXC.

My use-case "requirements" were:

   1. to *be able to interconnect LXC containers on any server on any Cloud*
   or private DataCenter
   2. *be simple* to install & configure
   3. *be full-mesh* without requiring any "super-node" in the network
   4. provide layer 2 (L2) support, thus supporting BOTH *IPv4 -and- IPv6*
   5. *support multi-tenancy* use
   6. *transparency to firewall & NAT*
   7. *be open source*

For SDN use VxLAN is problematic because of its usual requirement for
multicast to be enabled in the network which for most ISPs or Cloud
environments is not available.

Yes, there are some unicast VxLAN solutions now but they almost all (AFAIK)
require use of proprietary networking hardware (cisco, juniper). I've
not used Flannel yet but I do not believe it requires multicast.

So I began looking at various full mesh VPN solutions including:

   - ControlTier - required a "super-node"
   - Tinc - fairly complex setup/configuration
   - others.

I also examined CJDNS but learned it may not be appropriate for my use case
because of the way it's architected.

A side benefit of a full-mesh VPN Network Overlay was that all the traffic
would be encrypted.

After looking at various full-mesh vpn solutions I found and used *PeerVPN*.


PeerVPN:

   - was created by a recent PhD (Tobias Volk)
   - was implemented in C & is fast
   - is open source
   - is a self-learning full-mesh vpn
   - provides strong encryption
   - and worked great with LXC but also with Docker and other
   container technologies.

Because PeerVPN is an L2 VPN it also can support:

   - both IPv4 and IPv6 (simple configuration)
   - use of routing protocols over it
   - implementation & use of VxLAN later when I get time
   - multi-tenancy use

Because I wanted to interconnect LXC between any IaaS Cloud the PeerVPN
encryption would ensure the security of the traffic.

This worked extremely well and met all of my "use-case" requirements.

PeerVPN was simple to configure & setup (only 5 or 6 commands)... maybe 10
if you configure *both* IPv4 and IPv6. It's also a self-learning full mesh
vpn w/no super-node requirement.

I documented all of this on a blog post where I hope I have provided enough
info. I had input from the author (Tobias Volk) and others who had read
it.

Proof-of-Concept Secure Mesh VPN Network Interconnect for LXC containers in
Multiple IaaS Clouds <https://bmullan.wordpress.com/>

My testing of this included LXC containers running on "host" Servers on AWS
and Digital Ocean Clouds as well as a local server.

No machine required more than 5-6 simple config commands for either IPv4
-or- IPv6 and maybe 10 commands total if using both.

The full mesh VPN learned new nodes quickly and quickly provided an
any-to-any connection, usually within a few seconds.

With the advent of LXD capabilities for remote LXC management/control the
PeerVPN solution also presents a simple solution to a complex problem in a
multi-cloud environment.

Brian
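The post says each node needs only a handful of config statements and that the mesh gives encryption, dual-stack (IPv4 and IPv6) addressing and multi-tenancy. Below is an added example, not from the post and not part of the PeerVPN project, that lints PeerVPN-style node configs for exactly those properties before a node is started. The key names (port, networkname, psk, ifconfig4, ifconfig6, initpeers) are assumed from PeerVPN's documented "key value" config format; the two sample configs, the hostnames and the 20-character PSK threshold are constructed for the example.

```python
"""Lint PeerVPN-style node configs for the properties the post relies on:
a shared secret for encryption, dual-stack addresses, a bootstrap peer,
and a network name that does not collide across tenants."""
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample configs (hypothetical hosts/tenants, not real nodes).
# Key names follow PeerVPN's documented "key value" format (assumed here).
NODE_A = """\
# tenant A, node on a public cloud (constructed example)
port 7000
networkname tenantA-mesh
psk 3f9c1d8e2b7a4c6d5e0f1a2b3c4d5e6f
enabletunneling yes
interface peervpn0
ifconfig4 10.8.0.1/24
ifconfig6 fd00:8::1/64
initpeers nodeb.example.invalid 7000
"""

NODE_B_WEAK = """\
# tenant B, node on another cloud (constructed; deliberately weak)
port 7000
networkname tenantA-mesh
psk secret
enabletunneling yes
interface peervpn0
ifconfig4 10.8.0.2/24
"""

MIN_PSK_LEN = 20  # threshold chosen for this example, not a PeerVPN rule


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; '#' starts a comment; a repeated key keeps
    the last value seen."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def check_node(cfg: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the node config has
    every property the post expects from a mesh node."""
    findings: List[str] = []
    psk = cfg.get("psk", "")
    if not psk:
        findings.append("no psk: no shared secret protects the tunnel")
    elif len(psk) < MIN_PSK_LEN:
        findings.append(f"psk shorter than {MIN_PSK_LEN} chars: weak shared secret")
    if not cfg.get("networkname"):
        findings.append("no networkname: tenants cannot be told apart")
    has4, has6 = "ifconfig4" in cfg, "ifconfig6" in cfg
    if not (has4 or has6):
        findings.append("no ifconfig4/ifconfig6: tunnel interface gets no address")
    elif not (has4 and has6):
        findings.append("single-stack: only " + ("IPv4" if has4 else "IPv6") + " configured")
    if "initpeers" not in cfg:
        findings.append("no initpeers: node has no peer to learn the mesh from")
    return findings


def cross_tenant_name_clashes(
    nodes: Dict[str, Tuple[str, Dict[str, str]]]
) -> List[Tuple[str, str]]:
    """Given node name -> (tenant label, parsed config), return node pairs
    that belong to different tenants but share a networkname. Such nodes
    would join one mesh if they also shared a psk, which defeats tenancy."""
    clashes: List[Tuple[str, str]] = []
    for a, b in combinations(sorted(nodes), 2):
        tenant_a, cfg_a = nodes[a]
        tenant_b, cfg_b = nodes[b]
        if tenant_a != tenant_b and cfg_a.get("networkname") == cfg_b.get("networkname"):
            clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    parsed = {"a": ("tenantA", parse_config(NODE_A)),
              "b": ("tenantB", parse_config(NODE_B_WEAK))}
    for name, (tenant, cfg) in parsed.items():
        print(name, tenant, check_node(cfg) or "OK")
    print("cross-tenant networkname clashes:", cross_tenant_name_clashes(parsed))
```

Run it against the config files you intend to hand to peervpn on each node; the weak sample fails on a short PSK, a missing IPv6 address and a missing bootstrap peer, and the tenant check flags that both tenants picked the same networkname.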