[lxc-users] LXC - Best way to avoid networking changes in a container

Benoit GEORGELIN - Association Web4all benoit.georgelin at web4all.fr
Fri Jun 26 04:57:02 UTC 2015


Thanks for the link.

I'll try something like you described. I was expecting something built into LXC like you suggested later with lxc-user-nic.
I think the routing option is the only one available, like Proxmox/OpenVZ is doing I guess.

I was thinking of having a dedicated port with the OVS switch configured to only allow a specific MAC address/IPv4 to use the port. Whatever the container tries to set up, only one working configuration will be allowed.

Because I'm trying to think in a dynamic way, including IPv4 and MAC address allocation for a specific container.
You execute the container and the network configuration is self-secured.

-- sent from my phone --

From: "Fajar A. Nugraha" <list at fajar.net>
Sent: 2015-06-26 00:19
To: LXC users mailing-list
Subject: Re: [lxc-users] LXC - Best way to avoid networking changes in a container

On Fri, Jun 26, 2015 at 10:59 AM, Benoit GEORGELIN - Association
Web4all <benoit.georgelin at web4all.fr> wrote:
> Hi,
>
> I'm looking to avoid network changes in an LXC container with root access
> while the system is up and running.
>
> Let's say I have two containers running.
>
> A: 192.168.0.100/24
> B: 192.168.0.200/24
>
> They are both on the same private network but it can be a public network
> too.
> How can I prevent the root user of container B from changing his IP address and
> using the IP address of container A?
>
> Container networking is built on top of an OVS switch. Maybe there is a way to
> restrict the MAC address and IP for a specific port? I did not see any option.

https://lists.linuxcontainers.org/pipermail/lxc-users/2015-February/008553.html

Basically you need a routed setup. Do NOT add the container interface to
the switch; instead use the veth pair directly, with IP addresses and
routes assigned on both ends (host side and container side).

In that setup, all traffic to A's IP is always directed by the host
through A's veth. It doesn't matter even if some other rogue container
(B) uses that IP; traffic will always be sent to A.

-- 
Fajar
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
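A concrete form of the routed veth setup described in the reply above, as an added example that is not part of the thread and not LXC's own code. It assumes hypothetical values: container A at 192.168.0.100, host-side veth name vethA, a host gateway address 192.168.0.1 and upstream interface eth0; the `ip`, `sysctl` and LXC 1.x config keys (`lxc.network.type`, `lxc.network.veth.pair`, `lxc.network.flags`) are real, the script name and its argument layout are this example's own. It adds the check a practitioner wants on top of the routing itself: strict reverse-path filtering, so a rogue container B cannot even send packets with A's address as source, because the host's only route to that address leaves via vethA.

```shell
#!/bin/sh
# Added example (not from the thread): routed veth setup for an LXC 1.x
# container, so the host's routing table, not a bridge or OVS port, decides
# where traffic for the container's address goes.
#
# Assumed/hypothetical values: container A = 192.168.0.100, host-side veth
# name vethA, host gateway address 192.168.0.1, upstream interface eth0.
#
# Matching LXC config for A (no lxc.network.link, so no bridge/switch):
#   lxc.network.type = veth
#   lxc.network.veth.pair = vethA
#   lxc.network.flags = up
#
# Usage on the host:       DRY_RUN=1 ./routed-veth host vethA 192.168.0.100 192.168.0.1 eth0
# Usage inside container:  ./routed-veth container 192.168.0.100 192.168.0.1
# Verify on the host:      ./routed-veth check 192.168.0.100 vethA

# Run a command, or only print it when DRY_RUN is set (review the exact
# commands before touching a live host).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Host side: a /32 route for the container's IP pointing at its own veth.
host_side() {
    veth=$1      # host end of the veth pair
    cip=$2       # container's IPv4 address
    host_ip=$3   # address the container uses as its gateway
    ext_if=$4    # host's upstream interface (for proxy ARP)

    run ip link set "$veth" up
    # Same gateway address on every container's veth, /32 so no subnet route.
    run ip addr add "$host_ip/32" dev "$veth"
    # The key line: 192.168.0.100 is reachable only through vethA. Whatever
    # container B configures on its own eth0 cannot change this decision.
    run ip route add "$cip/32" dev "$veth"
    run sysctl -w net.ipv4.ip_forward=1
    # Only needed when the container address lives in the upstream LAN's
    # subnet: the host answers ARP for it on eth0 and forwards the packets.
    run sysctl -w "net.ipv4.conf.$ext_if.proxy_arp=1"
    # Strict reverse-path filtering: a packet arriving on vethB with source
    # 192.168.0.100 is dropped, because the route back to that source leaves
    # via vethA, not vethB. This stops B from spoofing A's source address.
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w "net.ipv4.conf.$veth.rp_filter=1"
}

# Container side: /32 on eth0, host route to the gateway, then default route.
container_side() {
    cip=$1
    host_ip=$2
    run ip link set eth0 up
    run ip addr add "$cip/32" dev eth0
    # The gateway is not in any on-link subnet (we only have a /32), so add a
    # host route to it first, then the default route through it.
    run ip route add "$host_ip/32" dev eth0
    run ip route add default via "$host_ip"
}

# Verification on the host: ask the kernel which device it would use for the
# container address. Exit status 0 means traffic for $cip leaves via $veth.
check_egress() {
    cip=$1
    veth=$2
    ip route get "$cip" | grep -q " dev $veth "
}

case "${1:-}" in
    host)      shift; host_side "$@" ;;
    container) shift; container_side "$@" ;;
    check)     shift; check_egress "$@" ;;
esac
```

Run the `host` step once per container (vethB with 192.168.0.200, and so on); each gets its own /32 route and the same gateway address. If B then sets 192.168.0.100 on its eth0, `ip route get 192.168.0.100` on the host still answers `dev vethA`, and B's packets carrying that source address are discarded by rp_filter on vethB. Wiring the script into `lxc.network.script.up` is possible, but the order in which LXC passes the hook arguments and any extra config arguments differs between versions, so check it for your release rather than assuming the positional layout used here.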