[lxc-users] Containers have network issues when their host uses a bonded interface

Fajar A. Nugraha list at fajar.net
Tue Sep 15 06:02:46 UTC 2015


On Mon, Sep 14, 2015 at 8:56 PM, Peter Steele <pwsteele at gmail.com> wrote:
> We will have to do some thorough testing with the 4.2 (or possibly 4.1)
> kernel over the next few weeks to make sure this kernel doesn't introduce
> new issues.

That would seem like the best option for you.

> new issues. Our only other option would be to fall back to KVM instead of
> containers and that's not something we really want to do.

Assuming your problem is caused by bridging the veth interface,
there's an alternate networking setup with proxyarp + route that might
work. It doesn't use bridge, and only works for privileged containers.

Example on my ubuntu host/container:
###
# On host's /etc/network/interfaces:
auto veth-trusty-0
iface veth-trusty-0 inet static
        address 10.0.0.1/32
        pointopoint A.B.C.D

# On host's /etc/sysctl.d/50-eth0-proxy_arp.conf:
net.ipv4.conf.eth0.proxy_arp=1

# On container's config (e.g. /var/lib/lxc/trusty/config):
###
lxc.network.type = veth
lxc.network.flags = up
# don't use lxc.network.link
# use unique persistent mac and veth pair name
lxc.network.hwaddr = 00:16:3e:61:31:b3
lxc.network.veth.pair=veth-trusty-0
# set IP address and gateway on config file
#   with host's veth pair IP as gateway
lxc.network.ipv4 = A.B.C.D/32
lxc.network.ipv4.gateway = 10.0.0.1

# On container's /etc/network/interfaces:
###
# don't configure eth0 here, keep whatever
#   set by the host
auto eth0
iface eth0 inet manual


A.B.C.D is the container's public interface, which is on the same
network (/24 in my case) as the host.
10.0.0.1/32 in that example is whatever private IP address you'll use
on the host side of the veth pair (you can use the same IP for all the
host-side veth pairs).

How it works:
- the host routes traffic for containers through its veth pair, courtesy of
the pointopoint setup
- the container is isolated on its own /32, everything is routed through the
host (thus the container is restricted to that IP address)
- the host sets up proxyarp so that other computers on the same network
can see the container (with the host's MAC)

-- 
Fajar
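To check that a container config actually matches the bridge-less layout described in the mail above, here is an added Python helper (not part of the original post and not LXC's own tooling) that parses the legacy lxc.network.* keys and flags any deviation: a bridge link, a non-/32 address, a gateway that is not the host-side veth address, or a missing persistent MAC/veth name. The sample config and the 192.0.2.10 address are constructed.

```python
import ipaddress

# Constructed sample modelled on the container config in the mail,
# with A.B.C.D filled in with a documentation address.
SAMPLE_CONFIG = """\
lxc.network.type = veth
lxc.network.flags = up
# don't use lxc.network.link
lxc.network.hwaddr = 00:16:3e:61:31:b3
lxc.network.veth.pair=veth-trusty-0
lxc.network.ipv4 = 192.0.2.10/32
lxc.network.ipv4.gateway = 10.0.0.1
"""

# Private address used on the host side of every veth pair (assumption).
HOST_VETH_IP = "10.0.0.1"


def parse_lxc_config(text):
    """Return a key -> value dict, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_proxyarp_config(text, host_veth_ip=HOST_VETH_IP):
    """Return a list of problems; an empty list means the config follows
    the routed /32 + proxyarp layout (no bridge, stable names, host gateway)."""
    conf = parse_lxc_config(text)
    problems = []
    if conf.get("lxc.network.type") != "veth":
        problems.append("lxc.network.type must be veth")
    if "lxc.network.link" in conf:
        problems.append("lxc.network.link is set: interface would be bridged")
    if not conf.get("lxc.network.veth.pair"):
        problems.append("lxc.network.veth.pair missing: host route needs a stable name")
    if not conf.get("lxc.network.hwaddr"):
        problems.append("lxc.network.hwaddr missing: MAC would change on each start")
    try:
        iface = ipaddress.ip_interface(conf.get("lxc.network.ipv4", ""))
        if iface.network.prefixlen != 32:
            problems.append("lxc.network.ipv4 must be a /32 to confine the container")
    except ValueError:
        problems.append("lxc.network.ipv4 missing or invalid")
    if conf.get("lxc.network.ipv4.gateway") != host_veth_ip:
        problems.append("gateway must be the host-side veth address " + host_veth_ip)
    return problems
```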

