[lxc-users] How to setup a static IP in a container with LX[C|D] 2.0.0.*
Stéphane Graber
stgraber at ubuntu.com
Fri Mar 18 16:29:13 UTC 2016
On Fri, Mar 18, 2016 at 12:15:35PM -0400, Sean McNamara wrote:
> On Fri, Mar 18, 2016 at 12:09 PM, Sean McNamara <smcnam at gmail.com> wrote:
> > On Fri, Mar 18, 2016 at 11:43 AM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> >> Our stance hasn't changed. LXD doesn't know nor care about layer-3
> >> networking, all it does is setup your layer-2.
> >>
> >> Having LXD pre-initialize your network namespace confuses the heck out
> >> of a bunch of distros which expect all network to be unconfigured by the
> >> time they apply their own config (they don't clean things up so
> >> duplicate entries lead to failure).
> >
> >
> > Okay.
> >
> > As someone migrating from OpenVZ (and before that, VMware), one
> > important use case I was expecting of LXD is that of multi-tenant
> > boxes, where you need to give root access to a container to the
> > "tenant", and expect them to adhere to a Terms of Service agreement,
> > but need to have technical mitigations in place, so that even if they
> > decide to violate the ToS (or innocently have their box hacked by a
> > malicious third-party who decides to violate the ToS), access to other
> > containers and the physical box (host OS) is very difficult to
> > impossible (pending any undiscovered vulnerabilities or host-side
> > misconfiguration).
> >
> > As part of that, I was expecting some way to tell LXD to restrict the
> > IP addresses that can be claimed/used by a given container. For
> > instance, if I have a public Internet IPv4 /26 allocated to a physical
> > host by a hosting provider, I'll want to assign only one or two IP
> > addresses to each container. Currently, I can have an LXD container
> > just spuriously decide to use any arbitrary IP, and I haven't found a
> > way to prevent it from doing that if an untrusted user has root access
> > in the container. They can just run ifconfig and specify the IP
> > address they want to use.
> >
> > How can I configure the host environment (LXD or something else on the
> > host, assuming I'm running a very recent Ubuntu 16.04 Beta nightly) so
>
>
> Just wanted to clarify that I am *not* using or intending to use a
> pre-release of 16.04 in a production environment. I'm currently
> satisfied with LXD 0.24 on Ubuntu Server 14.04.4 LTS. I'm not
> currently in a situation where I have untrusted root users with access
> to containers, but I am planning to open up that type of usage in the
> future if LXD turns out to be able to support it. And of course that
> would be using the final release of Ubuntu Server 16.04 LTS.
>
> Thanks,
>
> Sean
Note that the latest 2.0 snapshot is currently available in
trusty-backports so you don't need to be using pre-release 16.04.
We usually update trusty-backports just a couple of hours after pushing
the new version to 16.04.
>
>
> > that no packets can be transmitted to/from the guest unless the guest
> > is using a specific IP or set of IPs? I also want to make sure that no
> > broadcasting is occurring; i.e., the root user in the container should
> > not be able to sniff layer 2 and see all the packets going to all the
> > other containers.
> >
> > ...Or is LXD not suitable for this use case? If it isn't, will it ever be?
> >
> > Thanks,
> >
> > Sean
> >
> >
> >
> >>
> >>
> >> Nevertheless, we have recently allowed the following key through raw.lxc:
> >> - lxc.network.X.ipv4
> >> - lxc.network.X.ipv4.gateway
> >> - lxc.network.X.ipv6
> >> - lxc.network.X.ipv6.gateway
> >>
> >> Note that we require you set the interface index (X above) as mixing
> >> those raw entris with the LXD generated config would otherwise randomly
> >> cause an invalid config and container startup failure.
> >>
> >>
> >> The recommended way to manage IPs with LXD is to do it exactly the same
> >> way you would do it for your VMs or physical machines, so either
> >> configure your DHCP server to give a static lease or configure the
> >> container to use a static IP (you can use lxc file pull/push/edit to do
> >> it on a stopped container).
> >>
> >> On Fri, Mar 18, 2016 at 10:18:33AM -0400, Sean McNamara wrote:
> >>> First of all, there's no such thing as LX[C|D]. You're either using
> >>> LXC or LXD. They're different enough in their configuration and
> >>> operation that you can't ask an "either-or" question. Pick one
> >>> solution and focus on that.
> >>>
> >>> I just wanted to chime in to say that I have this same question. I'm
> >>> stuck using a pre-2.0 release of LXD because it allows me to use the
> >>> "raw.lxc" config parameter to specify the IP settings for the guest.
> >>> This configuration parameter was removed at some point prior to the
> >>> 2.0 RC, so I ended up editing the source code of LXD to bring it back.
> >>> I haven't found any equivalent configuration that works without using
> >>> raw.lxc.
> >>>
> >>> raw.lxc: "lxc.network.ipv4=1.2.3.4/32\nlxc.network.ipv4.gateway=5.6.7.8\nlxc.network.hwaddr=00:11:22:33:44:55\nlxc.network.flags=up
> >>> \ \nlxc.network.mtu=1500\n"
> >>> volatile.eth0.hwaddr: 00:11:22:33:44:55
> >>> volatile.eth0.name: eth1
> >>> devices:
> >>> eth0:
> >>> hwaddr: 00:11:22:33:44:55
> >>> nictype: bridged
> >>> parent: br0
> >>>
> >>> On Ubuntu, you can then set up your bridge as follows in
> >>> /etc/network/interfaces:
> >>>
> >>> auto br0
> >>> iface br0 inet static
> >>> address 1.2.3.4
> >>> netmask 255.255.255.0
> >>> broadcast 5.6.7.8
> >>> gateway 9.10.11.12
> >>> bridge_ports eth0
> >>> bridge_stp off
> >>>
> >>>
> >>> This is fine with LXD 0.24 that was built about a month before the 2.0
> >>> release candidates started hitting (and with edited source code to
> >>> un-block the raw.lxc param) but I'm afraid to upgrade to LXD 2.0
> >>> because I don't know the way forward.
> >>>
> >>> It seems like support for certain basic network topologies are still
> >>> being worked out with LXD. It should be easy, well-documented and
> >>> flexible a la OpenVZ, but it's really not, as far as I have seen. The
> >>> best way to make any progress that I've found thus far is to start
> >>> learning Google Go and reading the source code.
> >>>
> >>> Thanks,
> >>>
> >>> Sean
> >>>
> >>>
> >>>
> >>> On Fri, Mar 18, 2016 at 9:10 AM, Hans Deragon <hans at deragon.biz> wrote:
> >>> > Greetings,
> >>> >
> >>> > Ok, this is ridiculous and I apologize for asking help for such a simple
> >>> > task, but I fail to find the answers by myself. I fail to find proper
> >>> > documentation to setup bridge networking and static IP. Newbie here btw and
> >>> > setup details at the end of this email.
> >>> >
> >>> > I got the container running and with DHCP configured, it has its own IP
> >>> > which the host can address with.
> >>> >
> >>> > Obviously, I attempted to setup the static IP many times following
> >>> > instructions found on many web pages, to no vail. For example, I followed
> >>> > instructions from https://wiki.debian.org/LXC/SimpleBridge. But turns out
> >>> > that I am probably running a different version of LXC and that this page is
> >>> > now obsolete.
> >>> >
> >>> > I went so far to run 'strace lxc restart server2' to realize that
> >>> > /var/lib/lxc/server2/config is not read (server2 is the container). This
> >>> > seams to be confirmed by the post at
> >>> > http://ubuntuforums.org/showthread.php?t=2275372.
> >>> >
> >>> > I found 'man lxc.container.conf'. Seams promising. However, I fail to find
> >>> > within the manual the path where this file should be saved! If you write
> >>> > documentation, please always provide the path where configuration files are
> >>> > supposed to be stored.
> >>> >
> >>> > I created a profile named 'bridged' using commands, but I have not found any
> >>> > option/instruction on how to apply that profile on my existing image. 'lxc
> >>> > start server2' does not provide any option to start the container with a
> >>> > particular profile. BTW, where are profile configuration files stored?
> >>> >
> >>> > I need clear step by step instructions, with full paths on how to set things
> >>> > up and I fail to find any on the web. Anybody has a useful link to suggest?
> >>> >
> >>> > I have a KVM image running (server1) and it works flawlessly with a static
> >>> > IP on my bridge. And it wasn't hard to find instructions on how to set it
> >>> > up. But LXD/LXc is another story.
> >>> >
> >>> > The setup:
> >>> >
> >>> > Host: Ubuntu 14.04 LTS.
> >>> > Container: Ubuntu 14.04 LTS.
> >>> > LXD: 2.0.0~rc3-0ubuntu4~ubuntu14.04.1~ppa1
> >>> > LXC: 2.0.0~rc10-0ubuntu2~ubuntu14.04.1~ppa1
> >>> >
> >>> > Best regards and thanks in advance,
> >>> > Hans Deragon
> >>> > _______________________________________________
> >>> > lxc-users mailing list
> >>> > lxc-users at lists.linuxcontainers.org
> >>> > http://lists.linuxcontainers.org/listinfo/lxc-users
> >>> _______________________________________________
> >>> lxc-users mailing list
> >>> lxc-users at lists.linuxcontainers.org
> >>> http://lists.linuxcontainers.org/listinfo/lxc-users
> >>
> >> --
> >> Stéphane Graber
> >> Ubuntu developer
> >> http://www.ubuntu.com
> >>
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160318/723d3d49/attachment.sig>
More information about the lxc-users
mailing list