[lxc-users] LXC - Best way to avoid networking changes in a container

Fajar A. Nugraha list at fajar.net
Fri Jun 26 04:18:50 UTC 2015


On Fri, Jun 26, 2015 at 10:59 AM, Benoit GEORGELIN - Association
Web4all <benoit.georgelin at web4all.fr> wrote:
> Hi,
>
> I'm looking to avoid network changes in an LXC container with root access
> while the system is up and running.
>
> Let's say I have two containers running.
>
> A: 192.168.0.100/24
> B: 192.168.0.200/24
>
> They are both on the same private network but it can be a public network
> too.
> How can I prevent the root user of container B from changing his IP address and
> using the IP address of container A?
>
> Container network is built on top of Ovs Switch. Maybe there is a way to
> restrict MAC Address and IP for a specific port? I did not see any option.

https://lists.linuxcontainers.org/pipermail/lxc-users/2015-February/008553.html

Basically you need a routed setup. Do NOT add the container interface to
the switch, but instead use the veth pair directly, with IP addresses and
routes assigned on both ends (host side and container side).

In that setup, all traffic to A's IP is always directed by the host
through A's veth. It doesn't matter even if some other rogue container
(B) uses that IP; traffic will always be sent to A.

-- 
Fajar
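As an added illustration (not part of the thread, and not LXC's own code), here is the host-side half of the routed veth setup Fajar describes, written as an LXC 1.x `lxc.network.script.up` hook: the host pins the container's address to its veth with a /32 route plus proxy ARP, so which veth receives traffic for 192.168.0.100 is decided by the host's routing table, not by whatever address a container chooses to configure. The `CONTAINER_IP` environment variable, the 169.254.0.1 host-side address and the `DRY_RUN` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: host side of a routed (non-bridged) veth for one container.
# Assumed container config (LXC 1.x keys), with no link to the OVS switch:
#   lxc.network.type = veth
#   lxc.network.veth.pair = vethA
#   lxc.network.ipv4 = 192.168.0.100/32
#   lxc.network.ipv4.gateway = 169.254.0.1
#   lxc.network.script.up = /usr/local/sbin/routed-up.sh
# LXC invokes the up hook as: <script> <container> net up veth <host_veth>
# CONTAINER_IP (assumed, hypothetical) must be set in the hook's environment.
# DRY_RUN=1 prints the commands instead of running them (otherwise needs root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# host_route_setup HOST_VETH CONTAINER_IP [HOST_IP]
# Gives the host end a link-local-style address, routes CONTAINER_IP/32 to
# this veth only, answers ARP for it on the host's behalf, and enables
# forwarding. A different container claiming CONTAINER_IP changes nothing
# here: the host still sends that traffic down this veth.
host_route_setup() {
    veth=$1; cip=$2; hip=${3:-169.254.0.1}
    run ip link set "$veth" up
    run ip addr replace "$hip/32" dev "$veth"
    run ip route replace "$cip/32" dev "$veth"
    run sysctl -q -w "net/ipv4/conf/$veth/proxy_arp=1"
    run sysctl -q -w net/ipv4/ip_forward=1
}

# Hook entry point: $1=container $2=net $3=up $4=veth $5=host-side veth name
if [ "$2" = "net" ] && [ "$3" = "up" ] && [ -n "$5" ]; then
    host_route_setup "$5" "${CONTAINER_IP:?set CONTAINER_IP in the hook environment}"
fi
```

Repeat the same hook with its own `CONTAINER_IP` for container B; each /32 route then names exactly one veth, which is the property the original question asks for.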

