Re: [lxc-users] Filtering container traffic with iptables on host

2017-10-01 Thread netritious
Hi Leonid, I would like more details. Currently I have a very basic
setup and only a few containers, but it is in production and works great.
Before growing the number of containers to manage I'm trying to
read/learn as much as I can.

On 10/1/2017 7:04 PM, Leonid Isaev wrote:
> If you are still interested, I can explain in more detail how we manage
> containers here...
>
> HTH,
> L.

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] Filtering container traffic with iptables on host

2017-10-01 Thread Leonid Isaev
On Fri, Sep 29, 2017 at 02:23:40PM +0200, Björn Fischer wrote:
> Hello LXC-Users,
> 
> here at the CeBiTec, Bielefeld University, I'm currently looking
> into replacements for Solaris zones. Now that you can even use
> Docker in unprivileged LXD containers, an LXD based solution
> seems to be a candidate for larger deployment.
> 
> But there still is one issue I have with LXD containers. I want
> to be able to filter traffic from and to specific LXD containers
> on the host with iptables. I approached this using cgroups and
> net_cls. While this works for processes on the host, it does not
> work for processes in containers.

Containers are like separate machines and can be managed as such. If each
container has an IP address, why can't you hide them behind the host via NAT
and manage connections to them in iptables' FORWARD chain?

Alternatively, you can create an iptables ruleset on the host and mount it
inside a container. For instance, in archlinux the mountpoint will be
rootfs/etc/iptables/iptables.rules and in fedora --
rootfs/etc/sysconfig/iptables. Of course, this is assuming default service/init
script. If you are still interested, I can explain in more detail how we manage
containers here...

HTH,
L.

-- 
Leonid Isaev

Re: [lxc-users] preventing multiple networks to connect to each other?

2017-10-01 Thread Tomasz Chmielewski

On 2017-10-02 03:25, Mike Wright wrote:

> On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
>> I would like to have several networks on the same host - so I've
>> created them with:
>>
>> # lxc network create br-testing
>> # lxc network create br-staging
>>
>> Then edited to match:
>>
>> # lxc network show br-staging
>> config:
>>    ipv4.address: 10.191.0.1/24
>>    ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
>>    ipv4.nat: "false"
>>
>> # lxc network show br-testing
>> config:
>>    ipv4.address: 10.190.0.1/24
>>    ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
>>    ipv4.nat: "false"
>>
>> The problem is I'd like these networks to be separated - i.e.
>> containers using the br-staging bridge should not be able to connect to
>> br-testing containers, and the other way around. Both networks should
>> be able to connect to hosts on the internet.
>>
>> Is there any easy switch for that? So far, one thing which works is to
>> write my own iptables rules, but that gets messy with more networks.
>
> Is there any reason to keep them on the same subnet?

They are not the same subnets (one is 10.190.0.1/24, the other is
10.191.0.1/24).

> How about: to the host 10.191.0.0/23 (or larger), then the subnets:
> 10.191.0.0/24 and 10.191.1.0/24. Then iptables could easily block them
> from each other: -s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP and
> -s 10.191.1.0/24 -d 10.191.0.0/24 -j DROP.

Like this, it won't work, because LXD adds iptables rules which pass all
kinds of traffic between the networks.
Also, you can see how the number of combinations grows as the number of
networks grows.

Also, filtering by IP will not be secure in some environments - i.e. if
a user in a container adds an IP from a different network, the rules
will no longer apply. So we need to filter on the interface.

So I figured I need to set:

config:
  ipv4.address: 10.190.0.1/24
  ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
  ipv4.firewall: "false"  # < important

Then add firewall rules which allow internet connectivity, and prevent
cross-bridge traffic.
But it would be cool if we were able to do it somehow in LXD network
configuration.




Tomasz Chmielewski
https://lxadm.com
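As an added example (not code from the thread or from LXD) of the interface-based filtering Tomasz describes, and of Leonid's suggestion to manage container traffic in the FORWARD chain: a POSIX sh script that prints the iptables rules for any number of bridges whose `ipv4.firewall` is set to "false". The uplink and bridge names are assumed placeholders, and the script only prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an interface-based FORWARD
# policy for LXD bridges with ipv4.firewall "false", i.e. where LXD no longer
# inserts its own accept-all rules. Matching on -i/-o (bridge names) instead
# of -s/-d means a container that assigns itself an address from another
# bridge's range is still blocked. Nothing is applied; rules are printed.
# Interface names passed in are placeholders chosen by the caller.

# gen_isolation_rules UPLINK BRIDGE...
# Prints one iptables command per line, in the order they should be applied.
gen_isolation_rules() {
    uplink="$1"; shift
    # Reply traffic first, so return packets are not caught by the DROPs.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        for dst in "$@"; do
            # Traffic between containers on the same bridge never traverses
            # FORWARD, so only cross-bridge pairings need a rule.
            [ "$src" = "$dst" ] && continue
            echo "iptables -A FORWARD -i $src -o $dst -j DROP"
        done
        # Each bridge may open connections to the internet via the uplink only.
        # (With ipv4.nat "true" a nat/POSTROUTING MASQUERADE rule is also needed.)
        echo "iptables -A FORWARD -i $src -o $uplink -j ACCEPT"
    done
    # Everything else that would be forwarded is dropped by default.
    echo "iptables -P FORWARD DROP"
}

# count_drop_rules UPLINK BRIDGE...
# Number of pairwise DROP rules: n bridges give n*(n-1), the growth the
# thread mentions.
count_drop_rules() {
    gen_isolation_rules "$@" | grep -c -- '-j DROP'
}
```

Pipe the output through `sh` on the host once the rules have been reviewed; run it for the bridge set again whenever a bridge is added.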

Re: [lxc-users] preventing multiple networks to connect to each other?

2017-10-01 Thread Mike Wright

> On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
> I would like to have several networks on the same host - so I've created
> them with:
>
> # lxc network create br-testing
> # lxc network create br-staging
>
> Then edited to match:
>
> # lxc network show br-staging
> config:
>    ipv4.address: 10.191.0.1/24
>    ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
>    ipv4.nat: "false"
>
> # lxc network show br-testing
> config:
>    ipv4.address: 10.190.0.1/24
>    ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
>    ipv4.nat: "false"
>
> The problem is I'd like these networks to be separated - i.e. containers
> using the br-staging bridge should not be able to connect to br-testing
> containers, and the other way around. Both networks should be able to
> connect to hosts on the internet.
>
> Is there any easy switch for that? So far, one thing which works is to
> write my own iptables rules, but that gets messy with more networks.

Is there any reason to keep them on the same subnet?  How about: to the
host 10.191.0.0/23 (or larger), then the subnets: 10.191.0.0/24 and
10.191.1.0/24.  Then iptables could easily block them from each other:
-s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP and -s 10.191.1.0/24 -d
10.191.0.0/24 -j DROP.


[lxc-users] preventing multiple networks to connect to each other?

2017-10-01 Thread Tomasz Chmielewski
I would like to have several networks on the same host - so I've created
them with:

# lxc network create br-testing
# lxc network create br-staging

Then edited to match:

# lxc network show br-staging
config:
  ipv4.address: 10.191.0.1/24
  ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
  ipv4.nat: "false"

# lxc network show br-testing
config:
  ipv4.address: 10.190.0.1/24
  ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
  ipv4.nat: "false"

The problem is I'd like these networks to be separated - i.e. containers
using the br-staging bridge should not be able to connect to br-testing
containers, and the other way around. Both networks should be able to
connect to hosts on the internet.

Is there any easy switch for that? So far, one thing which works is to
write my own iptables rules, but that gets messy with more networks.




Tomasz Chmielewski
https://lxadm.com

[lxc-users] No certificate when adding remote

2017-10-01 Thread Joshua Schaeffer
I've setup my own PKI infrastructure for my LXD hosts and I'm trying to add a 
remote, but I'm getting an error about no certificate being provided:

    lxc remote add blllxd03 https://blllxd03.appendata.net:8443
    Admin password for blllxd03:
    error: No client certificate provided

If I run it with debug I see this after entering the trust password:

    [...]
    Admin password for blllxd03:
    INFO[10-01|11:50:41] Sending request to LXD   etag= 
method=POST url=https://blllxd03.appendata.net:8443/1.0/certificates
    DBUG[10-01|11:50:41]
        {
            "name": "",
            "type": "client",
            "certificate": "",
            "password": "XXX"
        }
    DBUG[10-01|11:50:41] Trying to remove 
/home/lxduser/.config/lxc/servercerts/blllxd03.crt
    error: No client certificate provided

Why would the remote not send its certificate? I have the files: server.ca, 
server.crt, and server.key in /var/lib/lxd/ for both the server and the remote. 
I replaced the default files with my own. I can verify with OpenSSL that 
all the certs are valid and signed by the CA.

Thanks,
Joshua Schaeffer