[lxc-users] How to setup a static IP in a container with LX[C|D] 2.0.0.*

Stéphane Graber stgraber at ubuntu.com
Fri Mar 18 16:33:46 UTC 2016


On Fri, Mar 18, 2016 at 12:15:35PM -0400, Sean McNamara wrote:
> On Fri, Mar 18, 2016 at 12:09 PM, Sean McNamara <smcnam at gmail.com> wrote:
> > On Fri, Mar 18, 2016 at 11:43 AM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> >> Our stance hasn't changed. LXD doesn't know nor care about layer-3
> >> networking; all it does is set up your layer-2.
> >>
> >> Having LXD pre-initialize your network namespace confuses the heck out
> >> of a bunch of distros which expect all network to be unconfigured by the
> >> time they apply their own config (they don't clean things up so
> >> duplicate entries lead to failure).
> >
> >
> > Okay.
> >
> > As someone migrating from OpenVZ (and before that, VMware), one
> > important use case I was expecting of LXD is that of multi-tenant
> > boxes, where you need to give root access to a container to the
> > "tenant", and expect them to adhere to a Terms of Service agreement,
> > but need to have technical mitigations in place, so that even if they
> > decide to violate the ToS (or innocently have their box hacked by a
> > malicious third-party who decides to violate the ToS), access to other
> > containers and the physical box (host OS) is very difficult to
> > impossible (pending any undiscovered vulnerabilities or host-side
> > misconfiguration).
> >
> > As part of that, I was expecting some way to tell LXD to restrict the
> > IP addresses that can be claimed/used by a given container. For
> > instance, if I have a public Internet IPv4 /26 allocated to a physical
> > host by a hosting provider, I'll want to assign only one or two IP
> > addresses to each container. Currently, I can have an LXD container
> > just spuriously decide to use any arbitrary IP, and I haven't found a
> > way to prevent it from doing that if an untrusted user has root access
> > in the container. They can just run ifconfig and specify the IP
> > address they want to use.
> >
> > How can I configure the host environment (LXD or something else on the
> > host, assuming I'm running a very recent Ubuntu 16.04 Beta nightly) so
> 
> 
> Just wanted to clarify that I am *not* using or intending to use a
> pre-release of 16.04 in a production environment. I'm currently
> satisfied with LXD 0.24 on Ubuntu Server 14.04.4 LTS. I'm not
> currently in a situation where I have untrusted root users with access
> to containers, but I am planning to open up that type of usage in the
> future if LXD turns out to be able to support it. And of course that
> would be using the final release of Ubuntu Server 16.04 LTS.
> 
> Thanks,
> 
> Sean
> 
> 
> > that no packets can be transmitted to/from the guest unless the guest
> > is using a specific IP or set of IPs? I also want to make sure that no
> > broadcasting is occurring; i.e., the root user in the container should
> > not be able to sniff layer 2 and see all the packets going to all the
> > other containers.
> >
> > ...Or is LXD not suitable for this use case? If it isn't, will it ever be?

As LXD doesn't configure the bridge itself but just lets you use any
bridge that you want, this is currently outside the scope of LXD itself.

That being said, if you use our OpenStack plugin, nova-lxd, then it will
let you integrate LXD containers with whatever SDN your OpenStack
deployment is using (openvswitch by default), in which mode LXD
containers will be bound to the restrictions applied to their virtual
switch port just as you would get when running a virtual machine on
OpenStack.

You could probably do something similar without using full OpenStack by
installing openvswitch, configuring it the way you like, and then telling
LXD to use that instead of the default minimal bridge it uses (lxcbr0).


> >
> > Thanks,
> >
> > Sean
> >
> >
> >
> >>
> >>
> >> Nevertheless, we have recently allowed the following key through raw.lxc:
> >>  - lxc.network.X.ipv4
> >>  - lxc.network.X.ipv4.gateway
> >>  - lxc.network.X.ipv6
> >>  - lxc.network.X.ipv6.gateway
> >>
> >> Note that we require you to set the interface index (X above), as mixing
> >> those raw entries with the LXD generated config would otherwise randomly
> >> cause an invalid config and container startup failure.
> >>
> >>
> >> The recommended way to manage IPs with LXD is to do it exactly the same
> >> way you would do it for your VMs or physical machines, so either
> >> configure your DHCP server to give a static lease or configure the
> >> container to use a static IP (you can use lxc file pull/push/edit to do
> >> it on a stopped container).
> >>
> >> On Fri, Mar 18, 2016 at 10:18:33AM -0400, Sean McNamara wrote:
> >>> First of all, there's no such thing as LX[C|D]. You're either using
> >>> LXC or LXD. They're different enough in their configuration and
> >>> operation that you can't ask an "either-or" question. Pick one
> >>> solution and focus on that.
> >>>
> >>> I just wanted to chime in to say that I have this same question. I'm
> >>> stuck using a pre-2.0 release of LXD because it allows me to use the
> >>> "raw.lxc" config parameter to specify the IP settings for the guest.
> >>> This configuration parameter was removed at some point prior to the
> >>> 2.0 RC, so I ended up editing the source code of LXD to bring it back.
> >>> I haven't found any equivalent configuration that works without using
> >>> raw.lxc.
> >>>
> >>> raw.lxc: "lxc.network.ipv4=1.2.3.4/32\nlxc.network.ipv4.gateway=5.6.7.8\nlxc.network.hwaddr=00:11:22:33:44:55\nlxc.network.flags=up
> >>>     \ \nlxc.network.mtu=1500\n"
> >>>   volatile.eth0.hwaddr: 00:11:22:33:44:55
> >>>   volatile.eth0.name: eth1
> >>> devices:
> >>>   eth0:
> >>>     hwaddr: 00:11:22:33:44:55
> >>>     nictype: bridged
> >>>     parent: br0
> >>>
> >>> On Ubuntu, you can then set up your bridge as follows in
> >>> /etc/network/interfaces:
> >>>
> >>> auto br0
> >>> iface br0 inet static
> >>>         address 1.2.3.4
> >>>         netmask 255.255.255.0
> >>>         broadcast 5.6.7.8
> >>>         gateway 9.10.11.12
> >>>         bridge_ports eth0
> >>>         bridge_stp off
> >>>
> >>>
> >>> This is fine with LXD 0.24 that was built about a month before the 2.0
> >>> release candidates started hitting (and with edited source code to
> >>> un-block the raw.lxc param) but I'm afraid to upgrade to LXD 2.0
> >>> because I don't know the way forward.
> >>>
> >>> It seems like support for certain basic network topologies is still
> >>> being worked out with LXD. It should be easy, well-documented and
> >>> flexible a la OpenVZ, but it's really not, as far as I have seen. The
> >>> best way to make any progress that I've found thus far is to start
> >>> learning Google Go and reading the source code.
> >>>
> >>> Thanks,
> >>>
> >>> Sean
> >>>
> >>>
> >>>
> >>> On Fri, Mar 18, 2016 at 9:10 AM, Hans Deragon <hans at deragon.biz> wrote:
> >>> > Greetings,
> >>> >
> >>> > Ok, this is ridiculous and I apologize for asking for help with such a simple
> >>> > task, but I fail to find the answers by myself.  I fail to find proper
> >>> > documentation to set up bridge networking and a static IP.  Newbie here, btw, and
> >>> > setup details are at the end of this email.
> >>> >
> >>> > I got the container running and with DHCP configured, it has its own IP
> >>> > which the host can address.
> >>> >
> >>> > Obviously, I attempted to set up the static IP many times following
> >>> > instructions found on many web pages, to no avail.  For example, I followed
> >>> > instructions from https://wiki.debian.org/LXC/SimpleBridge.  But it turns out
> >>> > that I am probably running a different version of LXC and that this page is
> >>> > now obsolete.
> >>> >
> >>> > I went so far as to run 'strace lxc restart server2' to realize that
> >>> > /var/lib/lxc/server2/config is not read (server2 is the container).  This
> >>> > seems to be confirmed by the post at
> >>> > http://ubuntuforums.org/showthread.php?t=2275372.
> >>> >
> >>> > I found 'man lxc.container.conf'.  Seems promising.  However, I fail to find
> >>> > within the manual the path where this file should be saved!  If you write
> >>> > documentation, please always provide the path where configuration files are
> >>> > supposed to be stored.
> >>> >
> >>> > I created a profile named 'bridged' using commands, but I have not found any
> >>> > option/instruction on how to apply that profile on my existing image.  'lxc
> >>> > start server2' does not provide any option to start the container with a
> >>> > particular profile.  BTW, where are profile configuration files stored?
> >>> >
> >>> > I need clear step by step instructions, with full paths, on how to set things
> >>> > up and I fail to find any on the web.  Does anybody have a useful link to suggest?
> >>> >
> >>> > I have a KVM image running (server1) and it works flawlessly with a static
> >>> > IP on my bridge.  And it wasn't hard to find instructions on how to set it
> >>> > up.  But LXD/LXC is another story.
> >>> >
> >>> > The setup:
> >>> >
> >>> > Host:       Ubuntu 14.04 LTS.
> >>> > Container:  Ubuntu 14.04 LTS.
> >>> > LXD:        2.0.0~rc3-0ubuntu4~ubuntu14.04.1~ppa1
> >>> > LXC:        2.0.0~rc10-0ubuntu2~ubuntu14.04.1~ppa1
> >>> >
> >>> > Best regards and thanks in advance,
> >>> > Hans Deragon
> >>> > _______________________________________________
> >>> > lxc-users mailing list
> >>> > lxc-users at lists.linuxcontainers.org
> >>> > http://lists.linuxcontainers.org/listinfo/lxc-users
> >>
> >> --
> >> Stéphane Graber
> >> Ubuntu developer
> >> http://www.ubuntu.com
> >>

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
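Two small helpers for the scenario discussed in this thread, added here as an example and not code from the thread, from LXD or from Open vSwitch: one builds the raw.lxc value with the indexed keys Stéphane lists (lxc.network.X.ipv4 and lxc.network.X.ipv4.gateway), the other generates Open vSwitch OpenFlow rules that let only the container's assigned MAC/IP pair out of its switch port, which is the "port restriction" he suggests as an answer to Sean's multi-tenant concern. Container name "c1", bridge "ovsbr0", host-side veth "veth-c1", the MAC and the 203.0.113.0/24 addresses are all hypothetical, and the nic's host_name property is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread, LXD or OVS). Hypothetical names/values:
# container c1, OVS bridge ovsbr0, host veth veth-c1, addresses in 203.0.113.0/24.

# Build the raw.lxc value with the interface index X set, so the raw entries
# merge with the LXD generated config instead of colliding with it.
# $1 = interface index X, $2 = IPv4/prefix, $3 = default gateway
static_ip_rawlxc() {
    printf 'lxc.network.%s.ipv4=%s\n' "$1" "$2"
    printf 'lxc.network.%s.ipv4.gateway=%s\n' "$1" "$3"
}

# OpenFlow rules (ovs-ofctl flow syntax, one per line) for one switch port:
# only the assigned MAC and IPv4 address may leave the container's port.
# $1 = OpenFlow port number, $2 = assigned MAC, $3 = assigned IPv4 address
antispoof_flows() {
    # ARP must carry the assigned sender MAC and IP (stops ARP spoofing too)
    printf 'priority=100,in_port=%s,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,actions=normal\n' "$1" "$2" "$2" "$3"
    # IPv4 only from the assigned MAC and source address
    printf 'priority=100,in_port=%s,ip,dl_src=%s,nw_src=%s,actions=normal\n' "$1" "$2" "$3"
    # anything else entering this port is dropped (other IPs, DHCP, IPv6, ...);
    # traffic on other ports still hits the default priority-0 "normal" flow
    printf 'priority=50,in_port=%s,actions=drop\n' "$1"
}

# Look up the veth's OpenFlow port and push the rules onto the bridge.
# $1 = bridge, $2 = host-side veth name, $3 = MAC, $4 = IPv4 address
apply_antispoof() {
    port=$(ovs-vsctl get Interface "$2" ofport)
    antispoof_flows "$port" "$3" "$4" | ovs-ofctl add-flows "$1" -
}

# Wiring it together on the host; run as "sh thisscript.sh apply".
# Assumes c1 has no eth0 device inherited from its profile, and that the
# LXD nic device accepts host_name to pin the host-side veth name (assumption).
if [ "${1:-}" = "apply" ]; then
    MAC=00:16:3e:aa:bb:cc
    lxc config device add c1 eth0 nic nictype=bridged parent=ovsbr0 \
        hwaddr="$MAC" host_name=veth-c1
    lxc config set c1 raw.lxc "$(static_ip_rawlxc 0 203.0.113.10/26 203.0.113.1)"
    lxc start c1
    apply_antispoof ovsbr0 veth-c1 "$MAC" 203.0.113.10
fi
```

These rules only filter what the container sends; with the NORMAL action the bridge still floods broadcast and unknown-unicast frames to every port, so they do not by themselves address the layer-2 sniffing concern raised in the thread.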