[lxc-users] "mesh networking" for lxc containers (similar to weave)?

Dustin Kirkland kirkland at canonical.com
Tue Jun 23 20:42:52 UTC 2015


On Tue, Jun 23, 2015 at 8:12 AM, brian mullan <bmullan.mail at gmail.com> wrote:
> First, I would say that I only read about Canonical's FAN yesterday so have
> no insight into what it can or can't do.
>
> This spring I spent time looking at various solutions for network overlays
> because of my interest in SDN and LXC.
>
> My use-case "requirements" were:
>
> to be able to interconnect LXC containers on any server on any Cloud or
> private DataCenter
> be simple to install & configure
> be full-mesh without requiring any "super-node" in the network
> provide layer 2 (L2) support thus supporting BOTH... IPv4 -and- IPv6
> support multi-tenancy use
> transparency to firewall & NAT
> be open source
>
> For SDN use VxLAN is problematic because of its usual requirement for
> multicast to be enabled in the network which for most ISPs or Cloud
> environments is not available.
>
> Yes, there are some unicast VxLAN solutions now but they almost all (AFAIK)
> require use of proprietary networking hardware (cisco, juniper). I've not
> used Flannel yet but I do not believe it requires multicast.
>
> So I began looking at various full mesh VPN solutions including:
>
> ControlTier - required a "super-node"
> Tinc - fairly complex setup/configuration
> others.
>
> I also examined CJDNS but learned it may not be appropriate for my use case
> because of the way it's architected.
>
> A side benefit of a full-mesh VPN Network Overlay was that all the traffic
> would be encrypted.
>
> After looking at various full-mesh vpn solutions I found and used PeerVPN.
>
> PeerVPN:
>
> was created by a recent PhD (Tobias Volk)
> was implemented in C & is fast
> is open source
> is self-learning full-mesh vpn
> provides strong encryption
> and worked great with LXC but also with Docker and other container
> technologies.
>
> Because PeerVPN is an L2 VPN it also can support:
>
> both IPv4 and IPv6 (simple configuration)
> use of routing protocols over it
> implementation & use of VxLAN later when I get time
> multi-tenancy use
>
> Because I wanted to interconnect LXC between any IaaS Cloud the PeerVPN
> encryption would ensure the security of the traffic.
>
> This worked extremely well and met all of my "use-case" requirements.
>
> PeerVPN was simple to configure & setup (only 5 or 6 commands)... maybe 10
> if you configure both IPv4 and IPv6. It's also a self-learning full mesh
> vpn w/no super-node requirement.
>
> I documented all of this on a blog post where I hope I have provided enough
> info. I had input from the author (Tobias Volk) and others who had read
> it.
>
> Proof-of-Concept Secure Mesh VPN Network Interconnect for LXC containers in
> Multiple IaaS Clouds
>
> My testing of this included LXC containers running on "host" Servers on AWS
> and Digital Ocean Clouds as well as a local server.
>
> No machine required more than 5-6 simple config commands for either IPv4
> -or- IPv6 and maybe 10 commands total if using both.
>
> The full mesh VPN learned new nodes quickly and quickly provided an
> any-to-any connection (usually within a few seconds).
>
> With the advent of LXD capabilities for remote LXC management/control the
> PeerVPN solution also presents a simple solution to a complex problem in a
> multi-cloud environment.

Thanks for sending this along, Brian.  The Fan does address most of
your requirements, but perhaps not as completely as your PeerVPN
solution.  Thanks for the links and information.  I'm always happy to
learn about solutions in this space.

Cheers,
Dustin
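Brian's message describes a handful of PeerVPN config commands per host but does not show them. The following POSIX shell helper is an added example, not part of the thread or of PeerVPN itself: it generates one node's PeerVPN config and a random pre-shared key, and refuses obviously short keys, since in a PeerVPN mesh the PSK is the only thing that gates membership in the shared L2 segment. The config keys (port, networkname, psk, enabletunneling, interface, ifconfig4, ifconfig6, upcmd, initpeers) are assumed to match PeerVPN's documented config format; the network name, addresses, bridge name and peer list are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit a PeerVPN node config for an LXC host joining an L2 mesh.
# Assumptions: PeerVPN config keys as documented on peervpn.net; all addresses,
# names and peers below are constructed placeholders, not values from the thread.

# Print a 128-bit hex pre-shared key (32 hex chars) from /dev/urandom.
# Every node in the mesh shares this value, so treat it like a password:
# keep the config file mode 0600 and rotate the key when a host is retired.
gen_psk() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# gen_peervpn_conf NETNAME PSK IPV4/CIDR IPV6/CIDR-or-"" BRIDGE-or-"" [PEER:PORT ...]
# Writes the config to stdout. Returns 1 on a PSK shorter than 16 characters,
# because anyone holding the PSK can attach to the whole container L2 domain.
gen_peervpn_conf() {
    netname=$1; psk=$2; ip4=$3; ip6=$4; bridge=$5; shift 5
    if [ "${#psk}" -lt 16 ]; then
        echo "refusing psk shorter than 16 chars: it is the mesh's only admission control" >&2
        return 1
    fi
    printf 'port 7000\n'
    printf 'networkname %s\n' "$netname"
    printf 'psk %s\n' "$psk"
    printf 'enabletunneling yes\n'
    printf 'interface peervpn0\n'
    printf 'ifconfig4 %s\n' "$ip4"
    # IPv6 on the same tap interface: one extra line, as Brian notes.
    if [ -n "$ip6" ]; then
        printf 'ifconfig6 %s\n' "$ip6"
    fi
    # Optional: attach the mesh tap to the bridge the LXC containers use,
    # so containers on every host share one L2 segment (placeholder bridge name).
    if [ -n "$bridge" ]; then
        printf 'upcmd brctl addif %s peervpn0\n' "$bridge"
    fi
    # Every node but the first lists at least one peer already running; the
    # mesh then learns the remaining nodes by itself (the self-learning behaviour).
    for p in "$@"; do
        printf 'initpeers %s\n' "$(printf '%s' "$p" | tr ':' ' ')"
    done
}

# Typical use on a second host (placeholder values), writing a private file:
#   umask 077
#   gen_peervpn_conf LxcMesh "$PSK" 10.8.0.2/24 fd00:8::2/64 br-mesh 203.0.113.10:7000 > /etc/peervpn.conf
```

Run `gen_psk` once, distribute the result out of band to each host, and pass it as the second argument on every node; the first node is started with an empty peer list and each later node points `initpeers` at any node already up.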

