Re: [Lxc-users] port numbers for containers
On Thu, Aug 12, 2010 at 10:29, Daniel Lezcano <dlezc...@fr.ibm.com> wrote:
> Answering to your question, if you do lxc.network.type=macvlan, the
> network stack will be private to your container.

Hi Daniel,
not sure I understand your response: with the macvlan option, you cannot
access the container from outside? What does "private network stack" mean?

-- 
Sebastien Douche <sdou...@gmail.com>
Twitter: http://bit.ly/afkrK (agile, lean, python, open source)

--
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] port numbers for containers
On 08/19/2010 02:33 PM, Sebastien Douche wrote:
> On Thu, Aug 12, 2010 at 10:29, Daniel Lezcano <dlezc...@fr.ibm.com> wrote:
>> Answering to your question, if you do lxc.network.type=macvlan, the
>> network stack will be private to your container.
>
> Hi Daniel,
> not sure I understand your response: with the macvlan option, you cannot
> access the container from outside?

With the macvlan network configuration (lxc.network.type=macvlan), the
container will use a specific network device which is faster and simpler to
configure than the veth, but the network traffic won't go to the host or the
other containers on the same host. Only direct access to your real network
will happen.

> What does "private network stack" mean?

From the point of view of the system (the kernel services), the different
system resources are split and separated into a base brick called a
'namespace'. There are the pid namespace, the network namespace, the ipc
namespace, the mount namespace, etc ...

When you boot your system (not a container), the loopback and the network
devices are created. These are set up by the system by assigning IP
addresses. The routes and the route cache, the hash tables for udp, tcp,
raw, etc ... port mappings, iptables, etc ... are created and set up by your
system (automatically by the kernel) or by userland scripts at boot time.

When you create a network namespace, this occurs again, giving you a new
loopback instance as well as new route tables and new hash tables for tcp
and udp. Because these resources mustn't overlap with the system, they are
isolated, which means a process running in this namespace can not see the
network of another namespace (e.g. the host). This is why we say a private
network stack: because it belongs to a set of processes, and a process can
only have one namespace at a time.

As I know I am often not very clear :) I would recommend this document
http://lxc.sourceforge.net/doc/sigops/appcr.pdf

-- Daniel
Re: [Lxc-users] port numbers for containers
On 08/12/2010 01:05 AM, Nirmal Guhan wrote:
> On Wed, Aug 11, 2010 at 11:05 AM, Serge Hallyn <serge.hal...@canonical.com> wrote:
>> Quoting Nirmal Guhan (vavat...@gmail.com):
>>> On Wed, Aug 11, 2010 at 5:06 AM, Serge Hallyn <serge.hal...@canonical.com> wrote:
>>>> Quoting Nirmal Guhan (vavat...@gmail.com):
>>>>> Hi,
>>>>> Want to know if port numbers are virtualized for containers or do the
>>>>> containers and host share the port space ? Please let me know.
>>>>
>>>> Wrong layer. If the container shares a network namespace with the host,
>>>> then it shares its networking. If it has its own network namespace, then
>>>> it has its own entire network stack. So no, 'port space' isn't
>>>> virtualized vs. shared, but the network devices are.
>>>
>>> Thanks. How do I configure the container to have its own network stack?
>>> I did
>>>
>>> cat > /etc/lxc-basic.conf << EOF
>>> lxc.network.type=veth
>>> lxc.network.link=virbr0
>>> lxc.network.flags=up
>>> EOF
>>> lxc-create -n ubuntu1 -f /etc/lxc-basic.conf -t ubuntu
>
> Thanks. If I do macvlan, I assume there is no separate network namespace
> and hence ports will be shared and otherwise (veth) not ?

If you specify a lxc.network.type=<type>, you will automatically have a new
network stack. That means your own interfaces, ip addresses, routes,
iptables, ports, etc ...

As Serge explained, the network isolation/virtualization acts at layer 2,
meaning it *begins* at layer 2, so the upper network layers will be
virtualized too.

When you have a new network stack, your port numbers will not overlap with
the system or the other containers. For example, you can launch several sshd
or httpd in different containers without conflicting on port 22 or 80.

If you don't specify lxc.network.type, your container will share the network
stack with the host, hence if the host is running sshd, you won't be able to
start another sshd in the container because they will conflict on port 22.

Answering to your question, if you do lxc.network.type=macvlan, the network
stack will be private to your container.

-- Daniel
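The distinction Daniel draws above (no lxc.network.type means the host's stack and its port space; veth or macvlan means a private stack) is the kind of thing worth checking across a fleet of container configs. The following is an added example, not code from the lxc project or from anyone in this thread: a small parser for the lxc.network.* keys used here, with constructed sample configs, that reports which containers would collide with a host daemon on a given port. The `lxc.network.type = none` case is taken from lxc.container.conf(5), not from the thread.

```python
"""Audit LXC 1.x-style configs for network-stack isolation (added example,
not lxc project code): reports whether a container gets its own network
namespace, and so its own port space, or shares the host's."""

# Constructed sample configs mirroring the lxc.network.* keys in the thread.
SAMPLE_CONFIGS = {
    "shared": "# no lxc.network.type: shares the host stack\nlxc.utsname = shared\n",
    "veth": "lxc.network.type=veth\nlxc.network.link=virbr0\nlxc.network.flags=up\n",
    "macvlan": "lxc.network.type=macvlan\nlxc.network.link=eth0\nlxc.network.flags=up\n",
}


def parse_lxc_config(text):
    """Parse 'key = value' lines (comments stripped) into ordered (key, value) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries.append((key, value))
    return entries


def network_isolation(text):
    """Classify one config: does the container get its own network namespace?"""
    entries = parse_lxc_config(text)
    # Each lxc.network.type starts a new interface. Omitting the key (as the
    # thread explains) or setting it to 'none' (per lxc.container.conf(5))
    # leaves the container in the host's network namespace.
    types = [v for k, v in entries if k == "lxc.network.type"]
    links = [v for k, v in entries if k == "lxc.network.link"]
    own_netns = any(t != "none" for t in types)
    if not own_netns:
        reach = "host stack: listening ports collide with host daemons"
    elif "macvlan" in types:
        reach = "own stack: frames go to the parent NIC, bypassing the host stack"
    else:
        reach = "own stack: attached to host bridge(s) " + ", ".join(links)
    return {"own_netns": own_netns, "types": types, "reachability": reach}


def port_conflicts(configs, host_listening_ports, port):
    """Names of containers whose daemon on `port` would collide with the host's."""
    if port not in host_listening_ports:
        return []
    return [n for n, cfg in configs.items() if not network_isolation(cfg)["own_netns"]]
```

Running `port_conflicts(SAMPLE_CONFIGS, {22, 80}, 22)` flags only the container without a lxc.network.type, which is exactly the sshd-on-port-22 collision described in the reply above.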
[Lxc-users] port numbers for containers
Hi,
Want to know if port numbers are virtualized for containers or do the
containers and host share the port space ? Please let me know.

--Nirmal
Re: [Lxc-users] port numbers for containers
Quoting Nirmal Guhan (vavat...@gmail.com):
> Hi,
> Want to know if port numbers are virtualized for containers or do the
> containers and host share the port space ? Please let me know.

Wrong layer. If the container shares a network namespace with the host, then
it shares its networking. If it has its own network namespace, then it has
its own entire network stack. So no, 'port space' isn't virtualized vs.
shared, but the network devices are.
Re: [Lxc-users] port numbers for containers
On Wed, Aug 11, 2010 at 11:05 AM, Serge Hallyn <serge.hal...@canonical.com> wrote:
> Quoting Nirmal Guhan (vavat...@gmail.com):
>> On Wed, Aug 11, 2010 at 5:06 AM, Serge Hallyn <serge.hal...@canonical.com> wrote:
>>> Quoting Nirmal Guhan (vavat...@gmail.com):
>>>> Hi,
>>>> Want to know if port numbers are virtualized for containers or do the
>>>> containers and host share the port space ? Please let me know.
>>>
>>> Wrong layer. If the container shares a network namespace with the host,
>>> then it shares its networking. If it has its own network namespace, then
>>> it has its own entire network stack. So no, 'port space' isn't
>>> virtualized vs. shared, but the network devices are.
>>
>> Thanks. How do I configure the container to have its own network stack?
>> I did
>>
>> cat > /etc/lxc-basic.conf << EOF
>> lxc.network.type=veth
>> lxc.network.link=virbr0
>> lxc.network.flags=up
>> EOF
>> lxc-create -n ubuntu1 -f /etc/lxc-basic.conf -t ubuntu

Thanks. If I do macvlan, I assume there is no separate network namespace and
hence ports will be shared and otherwise (veth) not ?

--Nirmal

> -serge