[lxc-users] LXC - Best way to avoid networking changes in a container

Benoit GEORGELIN - Association Web4all benoit.georgelin at web4all.fr
Fri Jun 26 13:20:03 UTC 2015


Hi Fajar, 

If the container has this setting 

lxc.network.type = veth 
lxc.network.flags = up 
lxc.network.hwaddr = 00:16:3e:2e:51:17 
lxc.network.veth.pair = veth-cont1-0 
lxc.network.ipv4 = 209.126.100.172/32 
lxc.network.ipv4.gateway = 10.0.0.1 


And the root user in the container changes the file /etc/network/interfaces to something other than

iface eth0 inet manual

Will the container configuration still be the one used, or will the new IP address configured in the container be talking to the network through the veth?



Regards, 


----- Original message -----
From: "Fajar A. Nugraha" <list at fajar.net>
To: "lxc-users" <lxc-users at lists.linuxcontainers.org>
Sent: Friday 26 June 2015 01:47:31
Subject: Re: [lxc-users] LXC - Best way to avoid networking changes in a	container

On Fri, Jun 26, 2015 at 11:57 AM, Benoit GEORGELIN - Association 
Web4all <benoit.georgelin at web4all.fr> wrote: 
> Thanks for the link. 
> 
> I'll try something like you described. I was expecting something built in 
> LXC like you suggested later with lxc-user-nic. 
> I think the routing option is the only one available, like proxmox/openvz 
> is doing I guess. 
> 
> I was thinking of having a dedicated port with an OVS switch configured to 
> only allow a specific MAC address/IPv4 to use the port. Whatever the 
> container tries to set up, only one working configuration will be allowed. 
> 
> Because I'm trying to think in a dynamic way including IPv4 and MAC address 
> allocation for a specific container. 
> You execute the container and the network configuration is self secured. 


Something like this also works in the container config file for a privileged 
container: 

lxc.network.type = veth 
lxc.network.flags = up 
lxc.network.hwaddr = 00:16:3e:2e:51:17 
lxc.network.veth.pair = veth-cont1-0 
lxc.network.ipv4 = 209.126.100.172/32 
lxc.network.ipv4.gateway = 10.0.0.1 

The benefit of this approach is that all settings are done from the host side. 

When specifying it like that (MAC and IP in the config file), the 
container OS should leave the active IP/routes as is (e.g. "iface eth0 
inet manual" in the container's /etc/network/interfaces). You still need 
to set up the host side of the veth pair (veth-cont1-0 in the example) in 
the host's network configuration (e.g. the host's /etc/network/interfaces). 

-- 
Fajar 
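
An added example (not from this thread or from the LXC project): it reads the veth name, MAC and IPv4 address from the config quoted above, builds host-side iptables rules that pin the veth to that pair, and checks `ip -4 neigh show` output for other addresses seen on it. It assumes a routed veth (the host forwards for the container, no bridge); the function names and the neighbour-table sample are constructed for illustration.

```python
import ipaddress
# LXC 1.x network keys exactly as posted in the thread
LXC_CONFIG = """\
lxc.network.type = veth
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:2e:51:17
lxc.network.veth.pair = veth-cont1-0
lxc.network.ipv4 = 209.126.100.172/32
lxc.network.ipv4.gateway = 10.0.0.1
"""

# Constructed sample of `ip -4 neigh show` output taken on the host
NEIGH_SAMPLE = """\
209.126.100.172 dev veth-cont1-0 lladdr 00:16:3e:2e:51:17 REACHABLE
209.126.100.173 dev veth-cont1-0 lladdr 00:16:3e:2e:51:17 STALE
10.0.0.254 dev eth0 lladdr 52:54:00:aa:bb:cc REACHABLE
"""

def parse_binding(config_text):
    """Return (host veth name, MAC, IPv4 address) declared in an LXC config."""
    keys = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            keys[key] = value
    ip = ipaddress.ip_interface(keys["lxc.network.ipv4"]).ip  # strip the /32
    return keys["lxc.network.veth.pair"], keys["lxc.network.hwaddr"].lower(), str(ip)

def antispoof_rules(veth, mac, ip):
    """iptables commands dropping IPv4 packets from the veth that do not use the declared MAC/IP."""
    return [f"iptables -A {chain} -i {veth} {match} -j DROP"
            for chain in ("INPUT", "FORWARD")
            for match in (f"! -s {ip}", f"-m mac ! --mac-source {mac}")]

def find_drift(neigh_text, veth, mac, ip):
    """Return (ip, mac) pairs seen on the veth that differ from the declared binding."""
    drift = []
    for line in neigh_text.splitlines():
        tok = line.split()
        if "lladdr" not in tok or "dev" not in tok or tok[tok.index("dev") + 1] != veth:
            continue  # incomplete entry or another interface
        seen = (tok[0], tok[tok.index("lladdr") + 1].lower())
        if seen != (ip, mac):
            drift.append(seen)
    return drift

if __name__ == "__main__":
    binding = parse_binding(LXC_CONFIG)
    print(*antispoof_rules(*binding), find_drift(NEIGH_SAMPLE, *binding), sep="\n")
```

The iptables rules cover IPv4 only; ARP frames are not seen by iptables and need a separate filter.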