On Tue, Oct 20, 2015 at 6:11 PM, Akshay Karle <[email protected]> wrote:
>> It would help to know, what level of isolation you're thinking about?
>> What is the final end goal?
>>
>
> I'm currently looking at ways to prevent any container from having the
> ability to discover other containers in the network and sniff their packets
> sent, which if sent over an unencrypted protocol (http for example) might
> be harmful as it could expose data.
>

"Discover" and "sniff other container's packets" are two different things. For example, on a routed setup where each container gets a /32 address, they can still ping each other (thus discovering the others exist), but they can't sniff traffic other than their own.

> I'm now considering setting up iptable rules on the host to achieve this
> but don't have much experience with iptables so will do my research now to
> see what is needed to setup the right iptable rules.
>

You mentioned you tried creating bridges for each container? Combine that with direct /32 routing and proxyarp, and you pretty much confine each container to their own /32 address space. They will not be able to sniff other containers' traffic. They won't even be able to use another IP address other than the one assigned to them.

I believe there was also a similar-resulting technique with openvswitch(?) discussed some time ago on this list. Perhaps you can find it on the list archives, I don't have the link handy right now.

-- 
Fajar
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
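The per-container bridge plus /32 route plus proxy ARP setup Fajar describes, written out as a small generator script. This is an added example, not code from the thread or from LXC itself: it prints the host-side and container-side commands for one container rather than running them, so it can be reviewed before being applied as root. The bridge/veth names (br-<ctn>, veth-<ctn>), the 10.0.3.0/24-derived addresses and the gateway address are illustrative assumptions; the strict reverse-path filter (rp_filter=1) is an addition that enforces the "can't use another IP" property by dropping packets whose source address is not routed via the interface they arrived on.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): emit the commands that give one
# container its own bridge, a single /32 host route and proxy ARP, so the
# container only ever sees L3 traffic routed by the host, never its neighbours'
# frames. Interface names and addresses below are assumptions for illustration.

# Usage: routed_container_net <container> <host_veth> <container_ip> <gateway_ip>
# Prints the host-side commands. The veth name is whatever lxc.network.veth.pair
# is set to for that container.
routed_container_net() {
    ctn=$1; veth=$2; cip=$3; gw=$4
    br="br-$ctn"
    cat <<EOF
# $ctn: private bridge, one /32 route, proxy ARP, strict reverse-path filter
ip link add name $br type bridge
ip addr add $gw/32 dev $br
ip link set $br up
ip link set $veth master $br
ip link set $veth up
ip route add $cip/32 dev $br
sysctl -w net.ipv4.conf.$br.proxy_arp=1
sysctl -w net.ipv4.conf.$br.rp_filter=1
EOF
}

# One-time host setting: the host must route between the per-container bridges.
host_common() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Usage: container_side <container_ip> <gateway_ip>
# Inside the container: a /32 on eth0, the gateway as an on-link host route,
# default via the gateway. There is no shared subnet, so there is no L2 neighbour.
container_side() {
    cip=$1; gw=$2
    cat <<EOF
ip addr add $cip/32 dev eth0
ip route add $gw/32 dev eth0
ip route add default via $gw dev eth0
EOF
}

# Stand-alone run: two containers, printed as a script to review and apply as root.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    host_common
    routed_container_net web veth-web 10.0.3.11 10.0.3.1
    routed_container_net db  veth-db  10.0.3.12 10.0.3.1
fi
```

With this layout each container ARPs only for the gateway, which is answered by the host on that container's own bridge; proxy ARP lets the host answer for the other containers' addresses too, so web can still ping db (discovery is possible, as Fajar notes), but every packet is routed through the host and never appears on the other container's bridge. A container that changes its address to one not covered by its /32 route has its packets dropped by the strict rp_filter check on its bridge.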
