[lxc-users] LXC - Best way to avoid networking changes in a container

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 29 14:54:22 UTC 2015


Quoting Fajar A. Nugraha (list at fajar.net):
> On Fri, Jun 26, 2015 at 8:20 PM, Benoit GEORGELIN - Association
> Web4all <benoit.georgelin at web4all.fr> wrote:
> > Hi Fajar,
> >
> > If the container has this setting
> >
> > lxc.network.type = veth
> > lxc.network.flags = up
> > lxc.network.hwaddr = 00:16:3e:2e:51:17
> > lxc.network.veth.pair = veth-cont1-0
> > lxc.network.ipv4 = 209.126.100.172/32
> > lxc.network.ipv4.gateway = 10.0.0.1
> >
> >
> > And the root user in the container changes the file /etc/network/interfaces to something other than
> >
> > iface eth0 inet manual
> >
> > Will the container configuration still be the one used, or will the new IP address configured in the container be talking to the network through the veth?
> 
> 
> The container config lines above make lxc-start configure the necessary
> IP and routes. If the container has its own configuration, it will
> override the currently active IP/routes.
> 
> If the container root user changes its configuration (e.g.
> /etc/network/interfaces) to use the SAME IP/routes (like in my
> previous link), it would obviously still work.
> 
> If the container root user changes it to use another container's (e.g.
> container B's) IP address, then AFAIK the host will simply ignore it.
> At least that's what happens in my tests.

If you really want to have the container not change its networking, I suppose
you could either not grant it CAP_NET_ADMIN, or you could create a network
namespace for the container, set it up, and then run the container inside
that with 'lxc.network.type = none' in the container configuration.

Otherwise, using ebtables/iptables to lock the container's veth to its MAC
and IP seems the best way.  It may be worth adding a new network_up hook
which is sent the names of the host-side NICs, and run from the host
network namespace (obviously requiring root), to easily script setting these.

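As an added example (not code from this thread), a host-side script that emits the ebtables/iptables rules pinning a container's veth to the MAC and IPv4 address LXC assigned it, defaulting to the values from the config quoted above. It assumes the veth is attached to a host bridge and that the output is applied as root in the host network namespace, for instance from the kind of host-side hook Serge describes:

```shell
#!/bin/sh
# Added example: print ebtables/iptables rules that pin a container's
# host-side veth to its configured MAC and IPv4 address, so a root user
# inside the container cannot send as another address after editing
# /etc/network/interfaces. Assumes a bridged veth; run the output as root
# in the host network namespace (e.g. from a host-side network-up hook).
set -eu

# Sanity checks so a malformed argument never ends up inside a rule.
valid_mac()  { echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }
valid_ipv4() { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# lock_veth_rules <host-side veth> <mac> <ipv4>
# Prints the rules; apply them with:  lock_veth_rules ... | sh
lock_veth_rules() {
    veth=$1 mac=$2 ip=$3
    valid_mac "$mac"  || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip"  || { echo "bad IPv4: $ip" >&2; return 1; }
    # Bridge layer: frames entering from the veth must carry the assigned
    # source MAC, and IPv4/ARP must carry the assigned source IP and MAC.
    printf 'ebtables -A FORWARD -i %s -s ! %s -j DROP\n' "$veth" "$mac"
    printf 'ebtables -A FORWARD -i %s -p IPv4 --ip-src ! %s -j DROP\n' "$veth" "$ip"
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-ip-src ! %s -j DROP\n' "$veth" "$ip"
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-mac-src ! %s -j DROP\n' "$veth" "$mac"
    # IP layer: same source-IP pin for traffic the host routes rather than bridges.
    printf 'iptables -A FORWARD -m physdev --physdev-in %s ! -s %s -j DROP\n' "$veth" "$ip"
}

# Defaults are the veth name, MAC and IP from the container config above.
lock_veth_rules "${1:-veth-cont1-0}" "${2:-00:16:3e:2e:51:17}" "${3:-209.126.100.172}"
```

The ebtables rules only take effect for traffic that crosses a Linux bridge; the iptables physdev rule covers the routed case.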
