[lxc-users] Macvlan

Fajar A. Nugraha list at fajar.net
Sat May 30 23:27:39 UTC 2015


On Sun, May 31, 2015 at 3:22 AM, Dave Smith <dave.smith at candata.com> wrote:
> I am trying to setup a public IP via macvlan to a container. The host has a
> public IP and then 2 extra static public IP's on one physical interface
> (bond1) that is assigned to it by my upstream vendor. In my config I have

Did your upstream provider allow additional mac address on your switch port?

>
> lxc.network.type = macvlan
> lxc.network.flags = up
> lxc.network.link = bond1
> lxc.network.name = eth0
> lxc.network.ipv4 = x.x.x.x/32 x.x.x.x
> lxc.network.ipv4.gateway = x.x.x.x
>
> where x.x.x.x is the public static IP I want to use


Assuming you have lxcbr0 (should be automatically created), try this

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.ipv4 = x.x.x.x/32
lxc.network.ipv4.gateway = 10.0.3.1

... where 10.0.3.1 is lxcbr0's IP address. This will work if:
- your provider route the additional IP thru your main IP. Should be
the case if your main IP and additional IP is on different subnet
- you disable any networking setup on the container's OS side, since
you already set it up on lxc config file.
- on the host side, you run "ip route add x.x.x.x/32 dev lxcbr0" (or
something similar) to tell the host that container's IP is reachable
thru lxcbr0

> netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt
> Iface
> 0.0.0.0         x.x.x.x    0.0.0.0         UG        0 0          0 eth0

There should be an additional entry, saying how to reach the gateway
from the container. Something like this

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.1        0.0.0.0         UG        0 0          0 eth0
10.0.3.1        0.0.0.0         255.255.255.255 UH        0 0          0 eth0


>
>  ip -d link show eth0
> 56: eth0 at if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc
> noqueue state UNKNOWN
>     link/ether e6:9d:bf:fb:95:c7 brd ff:ff:ff:ff:ff:ff
>     macvlan  mode private
>
>
> Now when I ping out from my container ( to google.ca) I see the packet going
> out and coming back (using tcpdump -e ) on the bond1 interface but my
> container never receives it. There are no iptables rules on either the host
> or in the container.
>


If you use macvlan or bridge the hosts's public interface (eth0,
bond0, etc), then you wouldn't use /32. You'd use the same netmask and
gateway as you do on the host, and your provider will need to allow
more than 1 mac on your port. This way the container will be just like
any other physical host on the same broadcast network as the host
(e.g. /24).

If you CAN'T use the same netmask and gateway as the host (e.g. when
your provider gives additional IPs that are on different subnet), then
you CAN'T use macvlan (or bridge the host's public interface). Use
routed setup like my example instead. You can either use lxcbr0,
create your own bridge, or use a bridgeless veth setup (not covered
here, search the archives for details).

-- 
Fajar


More information about the lxc-users mailing list