On Sun, May 31, 2015 at 3:22 AM, Dave Smith <[email protected]> wrote:
> I am trying to set up a public IP via macvlan to a container. The host has a
> public IP and then 2 extra static public IPs on one physical interface
> (bond1) that is assigned to it by my upstream vendor. In my config I have

Did your upstream provider allow additional MAC addresses on your switch port?

>
> lxc.network.type = macvlan
> lxc.network.flags = up
> lxc.network.link = bond1
> lxc.network.name = eth0
> lxc.network.ipv4 = x.x.x.x/32 x.x.x.x
> lxc.network.ipv4.gateway = x.x.x.x
>
> where x.x.x.x is the public static IP I want to use

Assuming you have lxcbr0 (it should be created automatically), try this:

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.ipv4 = x.x.x.x/32
lxc.network.ipv4.gateway = 10.0.3.1

... where 10.0.3.1 is lxcbr0's IP address. This will work if:

- your provider routes the additional IP through your main IP. This should
  be the case if your main IP and additional IP are on different subnets
- you disable any networking setup on the container's OS side, since you
  already set it up in the lxc config file
- on the host side, you run "ip route add x.x.x.x/32 dev lxcbr0" (or
  something similar) to tell the host that the container's IP is reachable
  through lxcbr0

> netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         x.x.x.x         0.0.0.0         UG        0 0          0 eth0

There should be an additional entry saying how to reach the gateway from the
container. Something like this:

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.1        0.0.0.0         UG        0 0          0 eth0
10.0.3.1        0.0.0.0         255.255.255.255 UH        0 0          0 eth0

>
> ip -d link show eth0
> 56: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc
> noqueue state UNKNOWN
>     link/ether e6:9d:bf:fb:95:c7 brd ff:ff:ff:ff:ff:ff
>     macvlan mode private
>
>
> Now when I ping out from my container (to google.ca) I see the packet going
> out and coming back (using tcpdump -e) on the bond1 interface but my
> container never receives it. There are no iptables rules on either the host
> or in the container.
>

If you use macvlan or bridge the host's public interface (eth0, bond0, etc.),
then you wouldn't use /32. You'd use the same netmask and gateway as you do on
the host, and your provider will need to allow more than 1 MAC on your port.
This way the container will be just like any other physical host on the same
broadcast network as the host (e.g. /24).

If you CAN'T use the same netmask and gateway as the host (e.g. when your
provider gives additional IPs that are on a different subnet), then you CAN'T
use macvlan (or bridge the host's public interface). Use a routed setup like
my example instead. You can either use lxcbr0, create your own bridge, or use
a bridgeless veth setup (not covered here, search the archives for details).

-- 
Fajar
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
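The routed-veth recipe from the reply, written up as a small script. This is an added example, not code from the thread or from the LXC project: it emits the container-side lxc config and the host-side route for one extra public IP, and it checks a container's "netstat -nr" dump for the two entries the reply says must be present (a default route via the bridge IP and a /32 host route to that IP). It assumes lxcbr0 at 10.0.3.1 as in the reply; 203.0.113.10 is a constructed sample public IP and both routing tables are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from LXC). Generates the routed-veth
# config described in the reply and checks a container routing table for the
# entries it needs. Assumes lxcbr0 = 10.0.3.1; 203.0.113.10 is a constructed
# sample public IP from the RFC 5737 documentation range.

# Container-side LXC network config for a routed veth setup.
# $1 = container's public IP, $2 = bridge IP (the container's gateway)
lxc_routed_config() {
    cat <<EOF
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.ipv4 = $1/32
lxc.network.ipv4.gateway = $2
EOF
}

# Host-side route so the host knows the container's IP lives behind lxcbr0.
# $1 = container's public IP
host_route_cmd() {
    printf 'ip route add %s/32 dev lxcbr0\n' "$1"
}

# Verify a container routing table (netstat -nr output on stdin) has both a
# default route via the bridge IP ($1) and a host (/32) route to that IP.
# Returns 0 when both are present, 1 if the default route is missing,
# 2 if the /32 route to the gateway is missing.
check_container_routes() {
    gw_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    table=$(cat)
    printf '%s\n' "$table" \
        | grep -Eq "^0\.0\.0\.0[[:space:]]+${gw_re}[[:space:]]+0\.0\.0\.0[[:space:]]+UG" \
        || return 1
    printf '%s\n' "$table" \
        | grep -Eq "^${gw_re}[[:space:]]+0\.0\.0\.0[[:space:]]+255\.255\.255\.255[[:space:]]+UH" \
        || return 2
    return 0
}

# Constructed sample tables: one shaped like the reply's working example and
# one shaped like the original poster's, which lacks the /32 gateway route.
GOOD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.1        0.0.0.0         UG        0 0          0 eth0
10.0.3.1        0.0.0.0         255.255.255.255 UH        0 0          0 eth0'

BAD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.1        0.0.0.0         UG        0 0          0 eth0'

# Usage: print both configuration pieces, then check the two sample tables.
lxc_routed_config 203.0.113.10 10.0.3.1
host_route_cmd 203.0.113.10
if printf '%s\n' "$GOOD_TABLE" | check_container_routes 10.0.3.1; then
    echo "working table: both routes present"
fi
if ! printf '%s\n' "$BAD_TABLE" | check_container_routes 10.0.3.1; then
    echo "poster-style table: /32 route to the gateway is missing"
fi
```

The /32 host route matters because a container whose eth0 carries only a /32 has no on-link subnet at all: without an explicit host route to 10.0.3.1, the kernel has no way to reach the gateway and the default route cannot be used, which is exactly the "packets leave but never come back" symptom a routed setup shows when one of these entries is absent.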
