On Fri, Mar 18, 2016 at 12:15:35PM -0400, Sean McNamara wrote:
> On Fri, Mar 18, 2016 at 12:09 PM, Sean McNamara <smc...@gmail.com> wrote:
> > On Fri, Mar 18, 2016 at 11:43 AM, Stéphane Graber <stgra...@ubuntu.com>
> > wrote:
> >> Our stance hasn't changed. LXD doesn't know nor care about layer-3
> >> networking, all it does is set up your layer-2.
> >>
> >> Having LXD pre-initialize your network namespace confuses the heck out
> >> of a bunch of distros which expect all network to be unconfigured by the
> >> time they apply their own config (they don't clean things up so
> >> duplicate entries lead to failure).
> >
> > Okay.
> >
> > As someone migrating from OpenVZ (and before that, VMware), one
> > important use case I was expecting of LXD is that of multi-tenant
> > boxes, where you need to give root access to a container to the
> > "tenant", and expect them to adhere to a Terms of Service agreement,
> > but need to have technical mitigations in place, so that even if they
> > decide to violate the ToS (or innocently have their box hacked by a
> > malicious third party who decides to violate the ToS), access to other
> > containers and the physical box (host OS) is very difficult to
> > impossible (pending any undiscovered vulnerabilities or host-side
> > misconfiguration).
> >
> > As part of that, I was expecting some way to tell LXD to restrict the
> > IP addresses that can be claimed/used by a given container. For
> > instance, if I have a public Internet IPv4 /26 allocated to a physical
> > host by a hosting provider, I'll want to assign only one or two IP
> > addresses to each container. Currently, I can have an LXD container
> > just spuriously decide to use any arbitrary IP, and I haven't found a
> > way to prevent it from doing that if an untrusted user has root access
> > in the container. They can just run ifconfig and specify the IP
> > address they want to use.
> >
> > How can I configure the host environment (LXD or something else on the
> > host, assuming I'm running a very recent Ubuntu 16.04 Beta nightly) so
>
> Just wanted to clarify that I am *not* using or intending to use a
> pre-release of 16.04 in a production environment. I'm currently
> satisfied with LXD 0.24 on Ubuntu Server 14.04.4 LTS. I'm not
> currently in a situation where I have untrusted root users with access
> to containers, but I am planning to open up that type of usage in the
> future if LXD turns out to be able to support it. And of course that
> would be using the final release of Ubuntu Server 16.04 LTS.
>
> Thanks,
>
> Sean
Note that the latest 2.0 snapshot is currently available in trusty-backports
so you don't need to be using pre-release 16.04. We usually update
trusty-backports just a couple of hours after pushing the new version to
16.04.

> > that no packets can be transmitted to/from the guest unless the guest
> > is using a specific IP or set of IPs? I also want to make sure that no
> > broadcasting is occurring; i.e., the root user in the container should
> > not be able to sniff layer 2 and see all the packets going to all the
> > other containers.
> >
> > ...Or is LXD not suitable for this use case? If it isn't, will it ever be?
> >
> > Thanks,
> >
> > Sean
> >
> >>
> >> Nevertheless, we have recently allowed the following keys through raw.lxc:
> >> - lxc.network.X.ipv4
> >> - lxc.network.X.ipv4.gateway
> >> - lxc.network.X.ipv6
> >> - lxc.network.X.ipv6.gateway
> >>
> >> Note that we require you set the interface index (X above) as mixing
> >> those raw entries with the LXD generated config would otherwise randomly
> >> cause an invalid config and container startup failure.
> >>
> >> The recommended way to manage IPs with LXD is to do it exactly the same
> >> way you would do it for your VMs or physical machines, so either
> >> configure your DHCP server to give a static lease or configure the
> >> container to use a static IP (you can use lxc file pull/push/edit to do
> >> it on a stopped container).
> >>
> >> On Fri, Mar 18, 2016 at 10:18:33AM -0400, Sean McNamara wrote:
> >>> First of all, there's no such thing as LX[C|D]. You're either using
> >>> LXC or LXD. They're different enough in their configuration and
> >>> operation that you can't ask an "either-or" question. Pick one
> >>> solution and focus on that.
> >>>
> >>> I just wanted to chime in to say that I have this same question. I'm
> >>> stuck using a pre-2.0 release of LXD because it allows me to use the
> >>> "raw.lxc" config parameter to specify the IP settings for the guest.
> >>> This configuration parameter was removed at some point prior to the
> >>> 2.0 RC, so I ended up editing the source code of LXD to bring it back.
> >>> I haven't found any equivalent configuration that works without using
> >>> raw.lxc.
> >>>
> >>> raw.lxc: "lxc.network.ipv4=1.2.3.4/32\nlxc.network.ipv4.gateway=5.6.7.8\nlxc.network.hwaddr=00:11:22:33:44:55\nlxc.network.flags=up\nlxc.network.mtu=1500\n"
> >>> volatile.eth0.hwaddr: 00:11:22:33:44:55
> >>> volatile.eth0.name: eth1
> >>> devices:
> >>>   eth0:
> >>>     hwaddr: 00:11:22:33:44:55
> >>>     nictype: bridged
> >>>     parent: br0
> >>>
> >>> On Ubuntu, you can then set up your bridge as follows in
> >>> /etc/network/interfaces:
> >>>
> >>> auto br0
> >>> iface br0 inet static
> >>>     address 1.2.3.4
> >>>     netmask 255.255.255.0
> >>>     broadcast 5.6.7.8
> >>>     gateway 9.10.11.12
> >>>     bridge_ports eth0
> >>>     bridge_stp off
> >>>
> >>> This is fine with LXD 0.24 that was built about a month before the 2.0
> >>> release candidates started hitting (and with edited source code to
> >>> un-block the raw.lxc param) but I'm afraid to upgrade to LXD 2.0
> >>> because I don't know the way forward.
> >>>
> >>> It seems like support for certain basic network topologies is still
> >>> being worked out with LXD. It should be easy, well-documented and
> >>> flexible a la OpenVZ, but it's really not, as far as I have seen. The
> >>> best way to make any progress that I've found thus far is to start
> >>> learning Google Go and reading the source code.
> >>>
> >>> Thanks,
> >>>
> >>> Sean
> >>>
> >>> On Fri, Mar 18, 2016 at 9:10 AM, Hans Deragon <h...@deragon.biz> wrote:
> >>> > Greetings,
> >>> >
> >>> > Ok, this is ridiculous and I apologize for asking help for such a simple
> >>> > task, but I fail to find the answers by myself. I fail to find proper
> >>> > documentation to set up bridge networking and static IP. Newbie here
> >>> > btw and setup details at the end of this email.
> >>> >
> >>> > I got the container running and with DHCP configured, it has its own IP
> >>> > which the host can address with.
> >>> >
> >>> > Obviously, I attempted to set up the static IP many times following
> >>> > instructions found on many web pages, to no avail. For example, I
> >>> > followed instructions from https://wiki.debian.org/LXC/SimpleBridge.
> >>> > But it turns out that I am probably running a different version of LXC
> >>> > and that this page is now obsolete.
> >>> >
> >>> > I went so far as to run 'strace lxc restart server2' to realize that
> >>> > /var/lib/lxc/server2/config is not read (server2 is the container).
> >>> > This seems to be confirmed by the post at
> >>> > http://ubuntuforums.org/showthread.php?t=2275372.
> >>> >
> >>> > I found 'man lxc.container.conf'. Seems promising. However, I fail to
> >>> > find within the manual the path where this file should be saved! If you
> >>> > write documentation, please always provide the path where configuration
> >>> > files are supposed to be stored.
> >>> >
> >>> > I created a profile named 'bridged' using commands, but I have not
> >>> > found any option/instruction on how to apply that profile on my existing
> >>> > image. 'lxc start server2' does not provide any option to start the
> >>> > container with a particular profile. BTW, where are profile
> >>> > configuration files stored?
> >>> >
> >>> > I need clear step by step instructions, with full paths on how to set
> >>> > things up and I fail to find any on the web. Does anybody have a useful
> >>> > link to suggest?
> >>> >
> >>> > I have a KVM image running (server1) and it works flawlessly with a
> >>> > static IP on my bridge. And it wasn't hard to find instructions on how
> >>> > to set it up. But LXD/LXC is another story.
> >>> >
> >>> > The setup:
> >>> >
> >>> > Host: Ubuntu 14.04 LTS.
> >>> > Container: Ubuntu 14.04 LTS.
> >>> > LXD: 2.0.0~rc3-0ubuntu4~ubuntu14.04.1~ppa1
> >>> > LXC: 2.0.0~rc10-0ubuntu2~ubuntu14.04.1~ppa1
> >>> >
> >>> > Best regards and thanks in advance,
> >>> > Hans Deragon
> >>> > _______________________________________________
> >>> > lxc-users mailing list
> >>> > lxc-users@lists.linuxcontainers.org
> >>> > http://lists.linuxcontainers.org/listinfo/lxc-users
> >>
> >> --
> >> Stéphane Graber
> >> Ubuntu developer
> >> http://www.ubuntu.com

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
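Editor's note, added to this archived thread and not part of it: the script below is example code written for this page, not code from the thread, from Stéphane or from the LXD project. It ties together the two things Stéphane recommends (the indexed lxc.network.X.ipv4 / lxc.network.X.ipv4.gateway keys passed through raw.lxc, and a static address pushed into a stopped container with lxc file push) and adds the host-side piece Sean asks for and the thread never answers: ebtables rules on the container's veth that drop any frame whose source MAC, IPv4 source or ARP sender is not the address assigned to that container. The raw.lxc and guest-side settings only configure the address; a root user in the guest can still change it with ifconfig, which is exactly Sean's point, so only the ebtables part is an enforcement control, and it restricts what the guest can send, not what it can receive on the bridge. Everything is printed rather than executed. Assumed, not stated on the page: the LXD 2.0 CLI (lxc config device add, lxc config set, lxc file push) and the nic device's host_name property for a predictable veth name; ebtables installed on the host; a bridge br0 already configured as in Sean's mail; raw.lxc index 0 naming the nic LXD generates for device eth0; an ifupdown-based guest; and the container, veth, MAC and 203.0.113.0/24 addresses used in the usage line, which are made up.

```shell
#!/bin/sh
# Editor-added example, not code from the thread or from LXD. For one bridged
# LXD 2.0 container it prints (never executes) three things:
#   1. the `lxc` commands that pin the guest's MAC, its host-side veth name
#      and, through the indexed raw.lxc keys listed above, its IPv4 address
#      and gateway;
#   2. a static /etc/network/interfaces for the guest, to be pushed with
#      `lxc file push` while the container is stopped;
#   3. ebtables rules on the host that drop frames leaving the container's
#      veth with any other source MAC, IPv4 source or ARP sender. This part
#      is the editor's suggestion for the enforcement question, which the
#      thread leaves open; it limits what the guest can send, not what it
#      can receive.
# Assumptions: LXD 2.0 CLI with the nic `host_name` property, ebtables on
# the host, bridge br0 already up, raw.lxc index 0 naming the nic LXD
# generates for device eth0, and an ifupdown-based guest.
set -u

# Dotted-quad IPv4 with optional /prefix (0-32). Returns 0 if valid.
is_ipv4() {
    addr=${1%/*}; pfx=${1#*/}
    if [ "$pfx" = "$1" ]; then pfx=32; fi
    printf '%s %s\n' "$addr" "$pfx" | awk '{
        if ($2 !~ /^[0-9]+$/ || $2 > 32 || split($1, o, ".") != 4) exit 1
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] > 255) exit 1
        exit 0 }'
}

# Colon-separated MAC address. Returns 0 if valid.
is_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in $h:$h:$h:$h:$h:$h) return 0 ;; esac
    return 1
}

# Prefix length -> dotted netmask, e.g. 26 -> 255.255.255.192.
prefix_to_mask() {
    p=$1 m=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
        m="$m${m:+.}$o"
    done
    printf '%s\n' "$m"
}

# raw.lxc value using the indexed keys: index $1, address $2, gateway $3.
raw_lxc() {
    printf 'lxc.network.%s.ipv4=%s\nlxc.network.%s.ipv4.gateway=%s\n' "$1" "$2" "$1" "$3"
}

# Guest-side static config for address $1 (CIDR) and gateway $2.
guest_interfaces() {
    printf 'auto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet static\n'
    printf '    address %s\n    netmask %s\n    gateway %s\n' \
        "${1%/*}" "$(prefix_to_mask "${1#*/}")" "$2"
}

# Host-side `lxc` commands: container $1, veth $2, MAC $3, IP $4 (CIDR), GW $5.
lxd_commands() {
    cat <<EOF
lxc config device add $1 eth0 nic nictype=bridged parent=br0 hwaddr=$3 host_name=$2
lxc config set $1 raw.lxc '$(raw_lxc 0 "$4" "$5")'
# $1 must be stopped before the push
cat > /tmp/$1-interfaces <<'IFACES'
$(guest_interfaces "$4" "$5")
IFACES
lxc file push /tmp/$1-interfaces $1/etc/network/interfaces
EOF
}

# Anti-spoofing: frames entering the bridge from veth $1 must carry MAC $2
# and, for IPv4 and ARP, address $3. IPv6 is dropped since none is assigned.
ebtables_rules() {
    c="lxd-$1"
    cat <<EOF
ebtables -N $c
ebtables -A FORWARD -i $1 -j $c
ebtables -A INPUT -i $1 -j $c
ebtables -A $c -s ! $2 -j DROP
ebtables -A $c -p IPv4 --ip-src ! $3 -j DROP
ebtables -A $c -p ARP --arp-ip-src ! $3 -j DROP
ebtables -A $c -p ARP --arp-mac-src ! $2 -j DROP
ebtables -A $c -p IPv6 -j DROP
ebtables -A $c -j RETURN
EOF
}

main() {
    [ $# -eq 5 ] || { echo "usage: $0 <container> <veth> <mac> <ipv4[/prefix]> <gateway>" >&2; return 2; }
    case $4 in */*) ip=$4 ;; *) ip=$4/32 ;; esac
    is_mac "$3" && is_ipv4 "$ip" && is_ipv4 "$5" || { echo "bad MAC or IPv4 argument" >&2; return 2; }
    lxd_commands "$1" "$2" "$3" "$ip" "$5"
    ebtables_rules "$2" "$3" "${ip%/*}"
}
case "${1:-}" in "") ;; *) main "$@" ;; esac
```

Usage (made-up names): `sh pin-ip.sh c1 veth-c1 00:16:3e:aa:bb:cc 203.0.113.10/26 203.0.113.1` prints the commands; review them and pipe into `sudo sh` to apply. The ebtables rules must be re-applied when the container restarts and its veth is recreated, and they cover one container only; a second tenant gets its own chain keyed on its own veth.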