[lxc-users] Network isolation in unprivileged containers

Andrey Repin anrdaemon at yandex.ru
Mon Oct 19 20:36:22 UTC 2015


Greetings, Akshay Karle!

> I've been looking at ways to isolate the network of each unprivileged
> container that I create. I was thinking of putting each container in it's
> own vlan or creating a macvlan in private mode. I haven't had success with
> either. I also tried creating bridges for every container and attaching veth
> pairs of the container to them, and after doing this I was still able to
> ping the other containers from inside a container. 

It would help to know, what level of isolation you're thinking about?
What is the final end goal?

> I did go through some old threads that mentioned that macvlans and vlans
> are not available for unprivileged containers. Is this still the case?

Most likely so.

> If so, has anyone had success with network isolation for each container? Can
> you please share ways to achieve this?


-- 
With best regards,
Andrey Repin
Monday, October 19, 2015 23:35:24

Sorry for my terrible english...


More information about the lxc-users mailing list