[lxc-users] Network connection on a Debian unstable host

Fajar A. Nugraha list at fajar.net
Mon Mar 23 03:34:44 UTC 2015


On Sun, Mar 22, 2015 at 10:53 PM, Geordie <geordi at kos.net> wrote:
> /etc/lxc/default.conf
> lxc.utsname =lsmb1
> lxc.network.type=veth
> lxc.network.flags=up
> lxc.network.link=br0
> lxc.network.hwaddr=ac:de:48:00:00:15

Is that a unique MAC address?
If you're unsure, just leave it empty.

> lxc.network.ipv4=10.0.0.15

An IP address is not what you usually put in /etc/lxc/default.conf.

I'd actually recommend you do NOT specify that at all, and set up
networking on the host's /etc/network/interfaces.

>
> /etc/network/interfaces
> # The loopback network interface

> iface br0 inet static
>   bridge_ports eth0
>   bridge_fd 0
>   address   10.0.0.15
>   netmask   255.255.255.0
>   network   10.0.0.0
>   broadcast 10.0.0.255
>   gateway   10.0.0.1

So you set a static IP on the host?

Then the easiest way is to also use a static IP setup on the container.

> lxc.network.hwaddr = ac:de:48:00:00:15
> lxc.network.ipv4 = 10.0.0.15/8

>
> /var/lib/lxc/lsmb1/rootfs/etc/network/interfaces
>
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet dhcp

See my earlier comment.
Do you have a DHCP server enabled on your network? If yes, then simply
remove lxc.network.ipv4 (and possibly lxc.network.hwaddr) from the
container config file. If not, then remove those lines, AND change
/var/lib/lxc/lsmb1/rootfs/etc/network/interfaces to use a static IP.

>
> I can ping the container, and ssh from the container to another
> computer on the lan. I cannot access the WAN  from the container when I
> ssh  to the host  from the container I get the hosts root at laptop:~# I
> find that strange

Either:
- you did not set up a default gateway on the container (basic networking
issue, see the Debian man page)
- you haven't enabled /proc/sys/net/ipv4/ip_forward on the host

>
> lxc: Installed: 1:1.0.7-1 Kernel: 3.16.0-4-amd64 x86_64 (64 bit) Debian
> Unstable
>
> So what is needed to connect to the internet and I will admit that my
> iptables-foo knowledge is severely lacking

You shouldn't need iptables for that setup if your default rule is ACCEPT.

If you know how to build from source, lxc-1.1.1 should have better
support for debian, including an init script that creates lxcbr0. Very
useful if you ONLY want a NAT setup (container can access anything,
outside host can't access the container directly)

-- 
Fajar
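
Added example, not part of the original post or the LXC project: a small Python check over the three files discussed in this thread. It flags the conditions the reply points at (an address assigned both by lxc.network.ipv4 and by DHCP, a static container stanza with no gateway, ip_forward off) plus the container reusing the host bridge's address, which is visible in the quoted configs. The file contents are constructed samples and the finding names are hypothetical labels.

```python
import ipaddress

# Constructed sample input modelled on the files quoted in the thread.
LXC_CONFIG = "lxc.network.link = br0\nlxc.network.ipv4 = 10.0.0.15/8\n"
HOST_INTERFACES = """\
iface br0 inet static
  bridge_ports eth0
  address 10.0.0.15
  gateway 10.0.0.1
"""
CONTAINER_INTERFACES = "auto eth0\niface eth0 inet dhcp\n"

def parse_lxc(text):
    """Return {key: value} from 'key = value' lines, skipping comments."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def parse_interfaces(text):
    """Return {iface: {"method": ..., option: value}} from ifupdown stanzas."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            cur = stanzas.setdefault(words[1], {"method": words[3]})
        elif cur is not None and len(words) >= 2 and words[0] != "auto":
            cur[words[0]] = words[1]
    return stanzas

def audit(lxc_text, host_text, guest_text, guest_if="eth0", ip_forward=None):
    """Return a list of finding names (hypothetical labels, not LXC output)."""
    lxc, host, guest = parse_lxc(lxc_text), parse_interfaces(host_text), parse_interfaces(guest_text)
    bridge = host.get(lxc.get("lxc.network.link", ""), {})
    lxc_ip, g, findings = lxc.get("lxc.network.ipv4"), guest.get(guest_if, {}), []
    if lxc_ip and g.get("method") == "dhcp":
        findings.append("address-set-twice")       # LXC config and DHCP both assign eth0
    if lxc_ip and "address" in bridge and \
            ipaddress.ip_interface(lxc_ip).ip == ipaddress.ip_address(bridge["address"]):
        findings.append("same-ip-as-host-bridge")  # container reuses the host's address
    if g.get("method") == "static" and "gateway" not in g:
        findings.append("no-default-gateway")      # first cause named in the reply
    if ip_forward is not None and ip_forward.strip() == "0":
        findings.append("ip-forward-disabled")     # second cause named in the reply
    return findings

if __name__ == "__main__":
    print(audit(LXC_CONFIG, HOST_INTERFACES, CONTAINER_INTERFACES))
```

To run it against a real host, pass the contents of the container's config, the host's /etc/network/interfaces, the container's interfaces file, and /proc/sys/net/ipv4/ip_forward as the `ip_forward` argument.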

