[lxc-users] LXC - Best way to avoid networking changes in a container

Fajar A. Nugraha list at fajar.net
Fri Jun 26 05:47:31 UTC 2015


On Fri, Jun 26, 2015 at 11:57 AM, Benoit GEORGELIN - Association
Web4all <benoit.georgelin at web4all.fr> wrote:
> Thanks for link.
>
> I'll try something like you described. I was expecting something built in
> LXC like you suggested later with lxc-user-nic.
> I think the routing option is the only one available, like proxmox/openvz
> is doing I guess.
>
> I was thinking of having a dedicated port with ovs switch configured to
> only allow a specific MAC address/ipv4 to use the port. Whatever the
> container tries to set up, only one working configuration will be allowed.
>
> Because I'm trying to think in a dynamic way including ipv4 and MAC address
> allocation for a specific container.
> You execute the container and the network configuration is self secured.


Something like this also works in the container config file for a
privileged container:

lxc.network.type = veth
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:2e:51:17
lxc.network.veth.pair = veth-cont1-0
lxc.network.ipv4 = 209.126.100.172/32
lxc.network.ipv4.gateway = 10.0.0.1

The benefit of this approach is that all settings are done from the host side.

When specifying it like that (MAC and IP in the config file), the
container OS should leave the active IP/routes as is (e.g. "iface eth0
inet manual" in the container's /etc/network/interfaces). You still need
to set up the host side of the veth pair (veth-cont1-0 in the example) in
the host's network configuration (e.g. the host's /etc/network/interfaces).

-- 
Fajar
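
Added example, not part of the original message or of LXC itself: a small host-side audit that checks whether a container config pins its network identity the way the config above does (fixed MAC, named veth pair, /32 address, gateway). The function names, the /32 requirement and the second sample config are assumptions made for this illustration.

```python
import ipaddress
import re

# Keys the post sets from the host so the container has nothing left to choose.
REQUIRED = ("hwaddr", "veth.pair", "ipv4", "ipv4.gateway")
FIXED_MAC = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")

def parse_nics(config_text):
    """Group legacy lxc.network.* keys into one dict per NIC ('type' starts a NIC)."""
    nics = []
    for raw in config_text.splitlines():
        m = re.match(r"lxc\.network\.([\w.]+)\s*=\s*(.+)$", raw.strip())
        if m:  # comments, blank lines and non-network keys do not match
            key, value = m.group(1), m.group(2).strip()
            if key == "type" or not nics:
                nics.append({})
            nics[-1][key] = value
    return nics

def audit_nic(nic):
    """Return findings for one NIC; an empty list means it follows the post's pattern."""
    findings = [f"missing lxc.network.{k}" for k in REQUIRED if k not in nic]
    if "hwaddr" in nic and not FIXED_MAC.fullmatch(nic["hwaddr"]):
        findings.append("hwaddr is not a fixed MAC")
    if "ipv4" in nic:
        addr = nic["ipv4"].split()[0]  # an optional broadcast address may follow
        try:
            if "/" not in addr or ipaddress.ip_interface(addr).network.prefixlen != 32:
                findings.append("ipv4 is not a /32 host address")
        except ValueError:
            findings.append("ipv4 is not a valid address")
    return findings

# POST_CONFIG is the config from the message; LOOSE_CONFIG is constructed for contrast.
POST_CONFIG = """
lxc.network.type = veth
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:2e:51:17
lxc.network.veth.pair = veth-cont1-0
lxc.network.ipv4 = 209.126.100.172/32
lxc.network.ipv4.gateway = 10.0.0.1
"""
LOOSE_CONFIG = """
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.network.ipv4 = 192.0.2.10/24
"""

if __name__ == "__main__":
    print(audit_nic(parse_nics(LOOSE_CONFIG)[0]))
```

The audit only confirms that the settings are declared on the host; it does not check that the host side of the veth pair has been configured.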

