[lxc-users] veth in unprivileged containers and proxy arp

Fajar A. Nugraha list at fajar.net
Mon Apr 4 09:26:05 UTC 2016


On Mon, Apr 4, 2016 at 1:22 AM, Witold Filipczyk <gglater62 at gmail.com> wrote:
> Hi, I don't know too much about lxc and networks.
>
> I've got some questions to https://lists.linuxcontainers.org/pipermail/lxc-users/2015-February/008553.html
> There is a host with a few public IPs.
> sysctl.conf:
> net.ipv4.ip_forward=1
> net.ipv4.conf.eth0.proxy_arp=1
>
> For every IP something like this:
>
> /etc/network/interfaces.d/$IP
> auto vc1


I believe distros with systemd would wait until all "auto" entries
are up. Better to use "allow-hotplug" instead.


> iface vc1 inet static
>     address 172.16.0.1/32
>     scope link
>     pointopoint $IP
>     post-down vcdown vc1
>     post-up vcup vc1
>
> vc2,and so on
>
> vcdown and vcup do exit 0
>
> The problem is that after lxc-stop and lxc-start sometimes there are errors like this:
> lxc-start 20160403180712.290 ERROR    lxc_conf - conf.c:instantiate_veth:2677 - failed to create veth pair (vc1 and vethQJ3XAQ): File exists
>
> How to speedup "closing" and "opening" vc1 and ensure that lxc-stop/lxc-start will succeed?


There's a bug where the old veth interface is not destroyed quickly enough
when the container is shut down. This only becomes apparent when you
use a static veth pair name. I haven't encountered this bug on 2.0.0-rc
though.

In the meantime, you can use something like this in the container config file:

lxc.network.script.down = /etc/lxc/script/net-down

where /etc/lxc/script/net-down (or wherever you decide to put the script) is:
#!/bin/bash
# $5 is the host-side veth name that lxc passes to a "net down" hook
/sbin/ip link del "$5"

For more details, run "man lxc.container.conf" and search for
"lxc.network.script.down". Basically the script force-deletes the old
veth interface when the container is down.

-- 
Fajar
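
A more defensive version of the net-down hook, as an added example and not the script from the reply above or from LXC itself. It assumes the argument order the lxc.container.conf man page documents for veth networks (container name, "net", "down", network type, host-side interface name) and the /etc/lxc/script/net-down path used in the reply; the interface name vc1 used in the comments is constructed.

```sh
#!/bin/sh
# Added example of an lxc.network.script.down hook (not the poster's script).
# For veth networks lxc invokes it as:
#   <container> net down veth <host-side ifname>
# so $5 is the host-side veth name (e.g. vc1 in the thread).

# Print the host-side interface to delete, or fail when this is not a
# "net down" call for a veth device. Guards against a hook wired to the
# wrong section and against deleting an unrelated interface by mistake.
net_down_target() {
    [ "$2" = "net" ]  || return 1
    [ "$3" = "down" ] || return 1
    [ "$4" = "veth" ] || return 1
    # Refuse empty or malformed names (no slashes or spaces).
    case "$5" in
        ""|*/*|*" "*) return 1 ;;
    esac
    printf '%s\n' "$5"
}

# Delete the interface only if it still exists. The kernel normally
# removes the veth pair when the container side goes away; this is the
# fallback for the race described in the thread.
delete_if_present() {
    ifname=$1
    if ip link show dev "$ifname" >/dev/null 2>&1; then
        logger -t lxc-net-down "deleting stale veth $ifname"
        ip link del dev "$ifname"
    fi
}

main() {
    # Not a veth "net down" call: do nothing and let lxc continue.
    target=$(net_down_target "$@") || exit 0
    delete_if_present "$target"
}

# Only run when invoked as the hook script itself (e.g. /etc/lxc/script/net-down).
case "${0##*/}" in
    net-down) main "$@" ;;
esac
```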

