[lxc-users] re Networking issues with LXC containers in EC2

Peter Steele pwsteele at gmail.com
Tue Jan 12 16:43:50 UTC 2016


On 01/12/2016 06:35 AM, brian mullan wrote:
> Peter
>
> On AWS unless you are using VPC I don't think you can use secondary 
> addresses because AWS won't route any of that traffic.  Also with your 
> addresses routing would be affected by the split-horizon problem with 
> the same network on 2 sides.
>
> You probably know this ... but on AWS each instance has a Public & a 
> Private IP address.
>
> If ec2-server1  pings  ec2-server2's Public IP address...
>
> Inside EC2 AWS redirects your server1 to server2 pings to the Private 
> IP of server2 not the Public IP even though that's what you input to 
> the ping command.  EC2 inter-instance traffic is always to/from the 
> Private IP addresses.
>
> This can be useful & save $$ because traffic internal to EC2 doesn't 
> get charged to you like outbound  or inbound traffic from the Internet 
> does.
>
> I install PeerVPN (http://www.peervpn.net) on my AWS 
> servers to support inter-server LXC communications.   It's dead simple 
> to set up, it's auto-learning & full mesh vpn and you can then 
> interconnect not only LXC on multiple AWS servers but on different 
> Clouds like AWS & Digital Ocean and/or your own servers at home/office.
>
> It also doesn't require firewall changes beyond what you already use.
>
> Flockport did a nice writeup on how to install/use PeerVPN 
> <https://www.flockport.com/build-layer2-and-layer-3-overlay-networks-with-peervpn/> also. 
> Maybe that will help.
>

Brian, thanks for this pointer. It looks like this is what we'll need to 
solve our networking issues. However, I followed through Flockport's L2 
example and configured peervpn on my two EC2 hosts but I still cannot 
ping containers across hosts. If I could indulge on your expertise I'd 
appreciate some pointers.

The peervpn config file for host 1 looks like this:

     networkname PEERVPN
     psk mypasswd
     enabletunneling yes
     interface peervpn0
     ifconfig4 10.0.0.11/24
     port 7000
     initpeers 10.0.0.108 7000

and host 2's config looks like this:

     networkname PEERVPN
     psk mypasswd
     enabletunneling yes
     interface peervpn0
     ifconfig4 10.0.0.12/24
     port 7000

The IP address 10.0.0.108 is the private IP that is assigned to eth0 of 
host 2. Should I use the host's public IP address instead? I did 
try this but I was still not able to ping containers across my two hosts.

From what I can tell peervpn is working correctly. A peervpn0 interface 
has been created on host 1 and assigned address 10.0.0.11, and a 
peervpn0 interface has been created on host 2 and assigned address 
10.0.0.12. The output from peervpn on host 1 shows that it has 
successfully connected to host 2:

     opening sockets...
        IPv4/UDP: ok.
        IPv6/UDP: ok.
     opening TAP device...
        device "peervpn0": ok.
        done.
     preparing P2P engine...
        done.

     Client ID: 7701546D9169C314678310CC92AE22AFDBD0A66F2A39417644C0FC99DF498CB8
     Network ID: EDE14D183315365CF171564C2BDEDFE3BA51310352EBDBE1CDF49FAF662CF5BB

     entering main loop...

     [0] 0 peers connected.
     [0] resolving 10.0.0.108:7000...
                  done.
     [12] 1 peers connected.

The output from peervpn on host 2 also shows that one peer has 
connected, so it appears that my configuration is correct. Is there 
something else that's needed on the containers? The container IPs are 
all statically assigned and I don't need DHCP/dnsmasq support.

Any advice would be appreciated.

Peter
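As an added diagnostic that is not part of this thread, the script below reads a peervpn config together with the host's `ip -o -4 addr` output and reports every host subnet that the tunnel's ifconfig4 address overlaps, which is the "same network on 2 sides" problem Brian's reply warns about. Host 1's eth0 address (10.0.0.107) and the ip output are constructed assumptions; only the config is taken from the post above.

```shell
#!/bin/sh
# Added example (not from the thread): flag a peervpn tunnel address that overlaps
# an existing host subnet, the "same network on two sides" problem raised above.
# Host 1's peervpn config as posted in the thread.
PEERVPN_CONF='networkname PEERVPN
psk mypasswd
enabletunneling yes
interface peervpn0
ifconfig4 10.0.0.11/24
port 7000
initpeers 10.0.0.108 7000'
# Constructed `ip -o -4 addr` output for host 1 (the eth0 address is assumed).
IP_ADDR_OUT='2: eth0    inet 10.0.0.107/24 brd 10.0.0.255 scope global eth0
3: lxcbr0    inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0'

# Dotted quad -> 32-bit integer.
ip4_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network number of ADDR/PREFIX ($1) when masked to $2 bits.
net_of() {
    _mask=$(( 4294967295 ^ ((1 << (32 - $2)) - 1) ))
    echo $(( $(ip4_to_int "${1%/*}") & _mask ))
}

# Two CIDRs overlap when their networks agree under the shorter prefix.
cidrs_overlap() {
    _pa=${1#*/}; _pb=${2#*/}; _plen=$_pa
    [ "$_pb" -lt "$_pa" ] && _plen=$_pb
    [ "$(net_of "$1" "$_plen")" -eq "$(net_of "$2" "$_plen")" ]
}

# Print one line per host interface whose subnet overlaps the tunnel's
# ifconfig4 subnet; print nothing when the tunnel subnet is disjoint.
find_overlaps() {
    _tun_if=$(printf '%s\n' "$1" | awk '$1=="interface"{print $2}')
    _tun_addr=$(printf '%s\n' "$1" | awk '$1=="ifconfig4"{print $2}')
    printf '%s\n' "$2" | awk '$3=="inet"{print $2, $4}' |
    while read -r _if _addr; do
        [ "$_if" = "$_tun_if" ] && continue   # the tunnel itself is no conflict
        if cidrs_overlap "$_tun_addr" "$_addr"; then
            echo "$_tun_if $_tun_addr overlaps $_if $_addr"
        fi
    done
}

find_overlaps "$PEERVPN_CONF" "$IP_ADDR_OUT"
```

Run it on each host with the real config and `ip -o -4 addr` output; an empty result means the tunnel subnet does not collide with the instance's private network.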
