[lxc-users] Network space visibility in containers

steve at linuxsuite.org steve at linuxsuite.org
Wed Jul 6 16:04:49 UTC 2016


> How are these containers networked together? Are you using a Bridges on
> the host or are you just bringing up new interfaces on the host?

          I have a bridge for each interface. No interfaces on the host have
IPs except br1. I use veth in the config:

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br1
#lxc.network.hwaddr = fe:41:31:7f:5c:d6
lxc.network.veth.pair = admn101-1
lxc.network.ipv4 = 10.2.3.101/16
lxc.network.ipv4.gateway = 10.2.1.2

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br4
#lxc.network.hwaddr = fe:41:31:7f:5c:d6
lxc.network.veth.pair = admn101-4
lxc.network.ipv4 = 10.5.3.101/16

[root at lxc100 ~]$ brctl show
bridge name	bridge id		STP   enabled	interfaces
br1		8000.0024e85d25ea	no		      admn101-1
							                      em1
							                      mfs101-1
br2		8000.0024e85d25ec	no		      em2
							                      mfs101-2
br3		8000.0024e85d25ee	no		      em3
							                      mfs101-3
br4		8000.0024e85d25f0	no		      admn101-4
							                      em4
							                      mfs101-4
br5		8000.00151778923c	no		     admn101-5
							                     em5


>
> On 07/06/2016 10:24 AM, steve at linuxsuite.org wrote:
>> Howdy!
>>
>>               I have a number of containers running. Is it expected that
>> information about the network of other containers is "visible"? For
>> example:
>>
>>         the container admn-101 has ip 10.2.3.101
>>
>> [root at admn-101 admn-101]# netstat -an|grep LIST
>> tcp        0      0 0.0.0.0:514                 0.0.0.0:*
>>  LISTEN
>> tcp        0      0 10.2.3.101:22               0.0.0.0:*
>>  LISTEN
>> tcp        0      0 0.0.0.0:25                  0.0.0.0:*
>>  LISTEN
>> tcp        0      0 :::514                      :::*
>>  LISTEN
>> unix  2      [ ACC ]     STREAM     LISTENING     69697909
>> @/com/ubuntu/upstart
>>
>>      The other container on the host has ip 10.5.5.101
>>
>> [root at admn-101 admn-101]# netstat -an
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address               Foreign Address
>>  State
>> tcp        0      0 0.0.0.0:514                 0.0.0.0:*
>>  LISTEN
>> tcp        0      0 10.5.5.101:443              103.14.89.19:10165
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              114.77.25.146:50649
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              96.53.94.194:51060
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              96.53.94.194:51051
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              122.106.235.197:61016
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              84.74.55.62:63064
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              39.110.173.3:6985
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              96.53.94.194:50958
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              171.99.169.231:53917
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              96.53.94.194:51018
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              116.15.8.112:64049
>>  SYN_RECV
>> tcp        0      0 10.5.5.101:443              71.56.250.124:58672
>>  SYN_RECV
>> tcp        0      0 10.2.3.101:22               0.0.0.0:*
>>  LISTEN
>> tcp        0      0 0.0.0.0:25                  0.0.0.0:*
>>  LISTEN
>> tcp        0      0 10.2.3.101:22               10.2.1.2:48356
>>  ESTABLISHED
>> tcp        0      0 :::514                      :::*
>>  LISTEN
>> udp        0      0 0.0.0.0:514                 0.0.0.0:*
>> udp        0      0 :::514                      :::*
>>
>>           Why is information about 10.5.5.101 visible? Is this
>> expected?
>> Shouldn't a cgroup limit this visibility?
>>
>>         Also, iptables in admn-101 logs packets from 10.5.5.101, but only
>> some of them.
>>
>> [root at admn-101 admn-101]# tail -f kern
>> kern.warning: Jul  6 10:22:06 admn-101 kernel:IN= OUT=eth3
>> SRC=10.5.5.101
>> DST=52.0.92.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46910 DF PROTO=TCP
>> SPT=34378 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
>> kern.warning: Jul  6 10:22:06 admn-101 kernel:IN= OUT=eth3
>> SRC=10.5.5.101
>> DST=52.7.169.28 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49586 DF PROTO=TCP
>> SPT=57832 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
>> kern.warning: Jul  6 10:22:07 admn-101 kernel:IN= OUT=eth3
>> SRC=10.5.5.101
>> DST=52.7.169.28 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53263 DF PROTO=TCP
>> SPT=57856 DPT=443 WINDOW=4600 RES=0x0SNUG= <4>IN= OUT=eth3
>> SRC=10.5.5.101
>> DST=52.0.92.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=866 DF PROTO=TCP
>> SPT=34456 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
>> kern.info: Jul  6 10:22:12 admn-101 kernel:1209.6LN6 O=x0PE=x0TL6 D673D
>> RT=TPST366DT43WNO=40 E=x0SNUG= <4>IN= OUT=eth3 SRC=10.5.5.101
>> DST=52.7.169.28 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60707 DF PROTO=TCP
>> SPT=58190 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
>>
>>
>>
>>
>>
>> root at admn-101 # ifconfig
>> eth0      Link encap:Ethernet  HWaddr 52:D0:AF:B6:9D:16
>>           inet addr:10.2.3.101  Bcast:10.2.255.255  Mask:255.255.0.0
>>           inet6 addr: fe80::50d0:afff:feb6:9d16/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:6758 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:814 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:1270156 (1.2 MiB)  TX bytes:150528 (147.0 KiB)
>>
>> eth1      Link encap:Ethernet  HWaddr 3E:43:D5:B7:2C:DF
>>           inet addr:10.5.3.101  Bcast:10.5.255.255  Mask:255.255.0.0
>>           inet6 addr: fe80::3c43:d5ff:feb7:2cdf/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:12 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:828 (828.0 b)  TX bytes:468 (468.0 b)
>>
>> eth2      Link encap:Ethernet  HWaddr EA:78:BC:50:BD:CF
>>           inet addr:10.1.3.101  Bcast:10.1.255.255  Mask:255.255.0.0
>>           inet6 addr: fe80::e878:bcff:fe50:bdcf/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:122 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:13242 (12.9 KiB)  TX bytes:468 (468.0 b)
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           inet6 addr: ::1/128 Scope:Host
>>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>
>>
>
>



