Hi Dan,


I've just started working with LXC so this how I am doing it and maybe some one else can fill in any areas I've left out.

If you are going to have a local LAN and outside WAN connection than you will need two ethernet cards ( 1 for each network )

Unless you already have a router setup that can punch a hole into your local network's firewall creating a DMZ connection for that container.


What I have been doing is creating a bridge on the host with a static ip.

Then each container is configured to it's own static ip address inside the container's /etc/network/interface config doc

If you check out this mailing list's archive for the last week or so you will find an example of most of my config files I used in this test.

The problem I was having is the gateway on a container was not loading .

So I ending up writing a simple Ubuntu startup script to manually load the gateway settings at the container's OS boot time.

For now it does the job until I can figure out why.


Bellow are the document paths to most config files you will need to deal with.

There are plenty of good blog post out on the web that will give you deeper details.



Finally you may want to check out this project to see it might make all the above easier for your needs. http://lxc-webpanel.github.io

I looked at it but ended up doing all manual configurations, as I wanted to better understand LXC structure for now.


Good luck.
-Kevin



Host ( create bridge )
/etc/network/interfaces


/etc/sysctl.conf
net.ipv4.ip_forward = 1


/etc/lxc/lxc.conf

/etc/default/lxc


/var/lib/lxc/containers_name/config

/var/lib/lxc/conatianers_name/rootfs/etc/network/interfaces

I should also add that much of lxc files are created for you when creating the container as you stated earlier.

All I've been doing is tweaking these pre fab files to work in a bridged static ip mode vs dhcp mode.



In other words you are not going to have to be writing all the config files from square one.

Rather tweaking and adding a few lines here and there.


-Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20130731/be3e7416/attachment.html>

On Wed, 31 Jul 2013 20:24:42 -0700
To keep things simple, let's for now distinguish the following 2 scenarios: (1)
LXC host is just another machine on the LAN, i.e. it can get IP from a DHCP
server or has a static IP, but is not a gateway for other real machines; (2)
LXC host is a gateway/router for the LAN.

Please note that I only used LXC on non-debian systemd-based distros, so I can
tell you in detail how to do the following using systemd services, but not
upstart. Also, I have no idea about ubuntu filesystem structure.

Scenario (1)
------------
Let's assume that the host interface is "eth_host". TL;DR: you have to turn
your host into a switch.

* Stop and disable all networking on the host, i.e. eth_host has no IP.
* Create a bridge on the host, e.g. "br0", add "eth_host" to it, and make
sure that your LXC configuration is aware of this bridge (for a default
configuration you should have lxc.network.type=veth and lxc.network.link=br0
in the container config). This bridge has to be enabled on boot, so write an
init (or upstart job) file (ubuntu probably has some templates for this).
* Enable networking on the bridge "br0", not "eth_host". This means that "br0"
will get an IP in the same way "eth_host" did. Modify your networking files
accordingly.
* Start containers and configure their networking. For example, if the host
uses DHCP, use DHCP inside the containers as well.

Your host and containers will now look identical for other machines on the
LAN. For example in case of DHCP, they will all get IPs from the server. Make
sure that you protect the containers with a firewall.

Scenario (2)
------------
Let's assume that the gateway has 2 interfaces "eth_lan" and "eth_wan" for the
LAN and WAN respectively, and you want to run several containers on this
gateway. Typically there is a DHCP server listening on "eth_lan" which itself
has a static IP. Your goal is achieved using similar steps as in the previous
case: again create a bridge "br0", add "eth_lan" to it, give "br0" the static
IP that "eth_lan" had, and tell DHCP server to listen on "br0". Then, proceed
as in Scenario (1). Now containers will appear as real hosts on the LAN.

HTH,
Leonid.
--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20130801/35b8f871/attachment.pgp>

Besides having multiple nics or bridging the container with the host's
eth0, you can also simply forward the ports you want to the container.
If only one container will use a given port on the machine then you can
forward port X on eth0 to port X on the 10.0.3.$(container), else you
can use custom ports.

(Or use ipv6 :)

-serge

Ok... sounds like you might be in a situation I am in/was in..

I use LXC to test a few things... and mainly as a "development system(s)" for
web servers

ie: I assign a LXC container to each client... may not be the best from a lot
of perspectives, but for me it allows for a certain sanity and order of
things...

I like you just let LXC create things.

Kubuntu derived custom distro based on 12.04 LTR & lxc 0.7.5

I needed a way for clients to look at "their server" and check progress of
development....

Simple solution in *SOME* of the standard routers LinkSys, Netgear etc. is
just set up a static route for the 10.x.x.x subnet that your LXC containers
are on to point to the bridge host

example:

If your LXC-HOST is: 192.168.0.10 and your LXC subnet is 10.0.3.x and your LXC
lxcbr0 = 10.0.3.1

then setup a static route in your router

to send all of 10.0.3/24 to 10.0.3.1 and then let the LXC host forward on...

You can forward ports for things like Apache, MySQL etc... or what ever to
10.0.3.IP and again the lxcbr figures out and forwards it on....

That worked great till I upgraded my router to a newer model and then this new
router ONLY ALLOWS for the forwarded IP to be WITHIN THE /24 of the LAN...
URRRRRGRGGGHHH! In some stroke of brilliance or "bug resolution" they closed
this "loophole/feature (bug)."

So What to do? ? ?

I changed the static route to forward to the LXC-HOST IP ie: 192.168.0.10 and
then the LXC-HOST figures out to route 10.0.3.x to what ever LXC container...

That works great for INTERNAL connections... BUT when clients wanted to review
development... how to get the port forwarded for say Apache to their
container? ?

Forwarding port 80 to the LAN IP of the LXC HOST will NOT work it...

Enter

rinetd

It basically can forward IP/PORT to NEWIP/PORT ie:

192.168.0.11 80 10.0.3.200 80

So I " sudo apt-get install rinetd " on a machine that has nothing special
running on it... It probably could even go on the LXC-HOST.. but I chose NOT
to do this so as not to risk FUBAR'ng the LXC host and its routing etc....

So the rinted machine is 192.168.0.11 and then setup the router to forward
port 80 to 192.168.0.11 and then rinetd forwards this to the LXC container of
my choice.

This solves the problem... Client can remotely view their server progress, I
can connect to the containers internally, I can connect remotely.

Cisco IOS based routers could set up routing much easier as IOS is much more
powerful and doesn't restrict the destination IP like newer routers.

Something like:

ip nat inside source static tcp 10.0.3.2 80 WAN IP 80 extendable
ip nat inside source static tcp 10.0.3.2 443 WAN IP 443 extendable
ip nat inside source static tcp 10.0.3.2 3306 WAN IP 3306 extendable

etc...

And routing like the older router

ip route 10.10.3.0 255.255.255.0 10.10.3.1

Or what ever your LXC setup is

ip route LXC-SUBNET NETMASK LXCBR0 IP


Again, I chose this route v. changing any LXC container setups from what was
generated... Mainly as too new at the time I devised this plan to LXC.. I come
from a world of VMWare Server, ESXi and Player VM's and getting the VM's on
the LAN works differently in "VMWARE BRIDGE" v. LXC BRIDGE. WAY DIFFERENT. In
that in VMWare Bridge the VM/Container gets an IP from the LAN and from its
DHCP etc. just like it was a real physical machine on the LAN.. Now I am sure
there probably is some way to edit the LXC container configs to do this... but
in reading this thread and somethings it doesn't seem like this is supported
or wise... That is MY OPINION and INTERPRETATION, subject to being totally
wrong. I have a setup that works for the resources I have till I find a nice
used Cisco device that meets my needs....

Here:

http://dvpn.sourceforge.net/old/firewall-rules.txt

That's the firewall ruleset I did a decade ago for setting up a cheesy
VPN that forwarded all connections for an address range to a daemon
running on loopback that would look up the original destination
(getsockopt(SO_ORIGINAL_DEST)), figure out which server handled that
subset of the address range (comments in /etc/hosts acted as a VPN
config file), ssh there, and run netcat to complete the connection.

I had to use source NAT _and_ destination NAT, for both local
connections and remote connections, in order to make that work. I still
find it a handy cheat sheet for beating iptables into submission...

Rob