Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?
Hi Thomas,

Can you list the steps you went through to get it working? I'm in the same boat.

Thanks.

On Fri, May 19, 2017 at 8:31 PM, Thomas Ward wrote:
> Thanks to some off-list replies and some help from other online
> resources, I've been able to switch this to a bridged method, with the
> host interfaces set to 'manual', an inet0 bridge created that is static
> IP'd for the host system to have its primary IP, and can have manual IP
> assignments to containers on that bridged network for the other
> non-primary IPs. I've also kept an `lxdbr0` device from the older
> lxd-bridge setup that I still had for NAT'd containers, since I have
> more containers than public IPs, and many of the containers don't need
> to be on public IPs.
>
> Thank you to the people who replied to me off-list, but also the people
> in general who help people new to LXC/LXD networking get started working
> through issues they've run into!
>
> Thomas
>
> On 05/19/2017 10:01 PM, Thomas Ward wrote:
>> Hello.
>>
>> I've got a VDS from RamNode - which is essentially a KVM VPS with
>> dedicated CPUs, and larger RAM capacity. This VDS has three IPs. I'm
>> going to obfuscate them here, but essentially the host box is configured
>> like this:
>>
>> # The primary network interface
>> auto ens3
>> iface ens3 inet static
>>     address 1.2.3.107
>>     netmask 255.255.255.0
>>     gateway 1.2.3.1
>>     dns-nameserver 8.8.8.8 8.8.4.4
>>
>> auto ens3:1
>> iface ens3:1 inet static
>>     address 1.2.4.17
>>     netmask 255.255.255.0
>>     gateway 1.2.4.1
>>     dns-nameserver 8.8.8.8 8.8.4.4
>>
>> auto ens3:2
>> iface ens3:2 inet static
>>     address 1.2.4.34
>>     netmask 255.255.255.0
>>     gateway 1.2.4.1
>>     dns-nameserver 8.8.8.8 8.8.4.4
>>
>> Now, I'd like to route 1.2.4.17 to a specific container once I've
>> created it, but ens3 is the only actual physical NIC on the system, and
>> I don't have the ability to add any more physical NICs.
>>
>> How would I go about routing 1.2.4.17 to the 'new' container I'm going
>> to create?
>>
>> Note that by default, new containers are attached to an 'lxdbr0' which
>> NATs container traffic; this new container would have to reside outside
>> that, obviously, but I'm not fluent in LXC/LXD networking, so a guide
>> and/or how-tos for this would be wonderful to have.
>>
>> --
>> Thomas

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?
Great suggestions from Fajar. A couple more ideas if you only have one public IP on your container:

* Use HAProxy on the container's main IP address with Server Name Indication (SNI) and a local DNS server. This way, all your sites are tied to the same IP address as the container, with private addresses behind it.

* Use nginx with local DNS lookups. Similar to HAProxy, except nginx redirects the web requests to the appropriate backend.

-Ron

> On May 20, 2017, at 9:34 AM, Fajar A. Nugraha wrote:
>
> On Sat, May 20, 2017 at 10:31 AM, Thomas Ward wrote:
>> I've been able to switch this to a bridged method, with the
>> host interfaces set to 'manual', an inet0 bridge created that is static
>> IP'd for the host system to have its primary IP, and can have manual IP
>> assignments to containers on that bridged network for the other
>> non-primary IPs.
>
> For sake of completeness:
>
> - converting eth0 to be a slave is the "standard" approach:
>   https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-network
>   https://help.ubuntu.com/lts/serverguide/network-configuration.html#bridging
>
> - an easier approach is to use macvlan. Especially if the host doesn't need
>   to communicate directly with the container (which should also be what happens
>   in your case, as it appears the host and the containers are on different
>   subnets)
>   https://github.com/lxc/lxd/blob/master/doc/containers.md#type-nic
>
> - however, both approaches won't work if your provider allows only ONE MAC
>   address on your port. In this case you'd need either proxy-arp (somewhat
>   complicated, but possible), or simply use iptables to forward all traffic for
>   the secondary IP to the container.
>
> --
> Fajar
Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?
On Sat, May 20, 2017 at 10:31 AM, Thomas Ward wrote:
> I've been able to switch this to a bridged method, with the
> host interfaces set to 'manual', an inet0 bridge created that is static
> IP'd for the host system to have its primary IP, and can have manual IP
> assignments to containers on that bridged network for the other
> non-primary IPs.

For sake of completeness:

- converting eth0 to be a slave is the "standard" approach:
  https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-network
  https://help.ubuntu.com/lts/serverguide/network-configuration.html#bridging

- an easier approach is to use macvlan. Especially if the host doesn't need
  to communicate directly with the container (which should also be what happens
  in your case, as it appears the host and the containers are on different
  subnets)
  https://github.com/lxc/lxd/blob/master/doc/containers.md#type-nic

- however, both approaches won't work if your provider allows only ONE MAC
  address on your port. In this case you'd need either proxy-arp (somewhat
  complicated, but possible), or simply use iptables to forward all traffic for
  the secondary IP to the container.

--
Fajar
Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?
Hello Thomas,

I use an nginx reverse proxy for accessing the container(s)' webspace(s).
If I need to access something (a specific port) of a container from the
outside world, I use iptables to reach it; in your case, e.g. to access
your container's SSH server (on outside port 22022), you can use:

    # host-side interface, public address and port that clients connect to
    interface=ens3
    ipt_src_port=22022
    ipt_src_ip_addr=1.2.3.107
    # container-side address and port the connection is handed to
    ipt_dst_ip_addr=$your_container_ip
    ipt_dst_port=22

    sudo iptables -t nat -A PREROUTING -i "${interface}" -d "${ipt_src_ip_addr}" \
        -p tcp -m tcp --dport "${ipt_src_port}" \
        -j DNAT --to-destination "${ipt_dst_ip_addr}:${ipt_dst_port}"

Hope that helps anybody too.

PS: I use LXD/LXC to keep WordPress installations strictly separated from
each other. If anybody on the list is also doing nginx webhosting within
containers, I am highly interested in others' experiences and contacts. I
am highly satisfied with how far LXD/LXC has developed so far. If you are
working in the same 'field' you can contact me for exchange.

Greetings from Germany,
Ingo Baab
https://baab.de

On 20.05.2017 at 04:01, Thomas Ward wrote:
> Hello.
>
> I've got a VDS from RamNode - which is essentially a KVM VPS with
> dedicated CPUs, and larger RAM capacity. This VDS has three IPs. I'm
> going to obfuscate them here, but essentially the host box is configured
> like this:
>
> # The primary network interface
> auto ens3
> iface ens3 inet static
>     address 1.2.3.107
>     netmask 255.255.255.0
>     gateway 1.2.3.1
>     dns-nameserver 8.8.8.8 8.8.4.4
>
> auto ens3:1
> iface ens3:1 inet static
>     address 1.2.4.17
>     netmask 255.255.255.0
>     gateway 1.2.4.1
>     dns-nameserver 8.8.8.8 8.8.4.4
>
> auto ens3:2
> iface ens3:2 inet static
>     address 1.2.4.34
>     netmask 255.255.255.0
>     gateway 1.2.4.1
>     dns-nameserver 8.8.8.8 8.8.4.4
>
> Now, I'd like to route 1.2.4.17 to a specific container once I've
> created it, but ens3 is the only actual physical NIC on the system, and
> I don't have the ability to add any more physical NICs.
>
> How would I go about routing 1.2.4.17 to the 'new' container I'm going
> to create?
>
> Note that by default, new containers are attached to an 'lxdbr0' which
> NATs container traffic; this new container would have to reside outside
> that, obviously, but I'm not fluent in LXC/LXD networking, so a guide
> and/or how-tos for this would be wonderful to have.
>
> --
> Thomas
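The iptables route that Fajar mentions for providers that allow only one MAC address per port, and that Ingo's single-port rule above is one instance of, written out for the whole secondary address. This is an added example, not code posted by anyone on the list. The host keeps 1.2.4.17 on ens3:1 exactly as in Thomas's config, so it still answers ARP for the address; the rules then hand every packet for that IP to a container that stays on the NAT'd lxdbr0. The container address 10.0.3.20 and the bridge name lxdbr0 are assumptions, not values from the thread. Set IPT=echo for a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example (not code from the thread): route a secondary public IP to a
# container that stays on the NAT'd lxdbr0, using only iptables. The host
# keeps 1.2.4.17 configured on ens3:1 so it answers ARP for it; everything
# arriving for that address is DNAT'd to the container, replies and
# container-originated connections are SNAT'd back to the same address.
# Assumptions not stated on the list: container address 10.0.3.20, host-side
# bridge lxdbr0. Set IPT=echo to print the rules instead of installing them.

IPT="${IPT:-iptables}"

# Accept only a dotted-quad IPv4 address; an empty or malformed value would
# otherwise produce "-d ''" and match every packet on the interface.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_public_ip <public-if> <public-ip> <container-ip> <container-bridge>
forward_public_ip() {
    pub_if="$1"; pub_ip="$2"; ct_ip="$3"; ct_br="$4"
    is_ipv4 "$pub_ip" || { echo "bad public IP: '$pub_ip'" >&2; return 1; }
    is_ipv4 "$ct_ip"  || { echo "bad container IP: '$ct_ip'" >&2; return 1; }

    # Inbound: rewrite the destination before routing, so the kernel forwards
    # the packet across the bridge instead of delivering it to the host.
    $IPT -t nat -A PREROUTING -i "$pub_if" -d "$pub_ip" -j DNAT --to-destination "$ct_ip"
    # Locally generated packets never traverse PREROUTING; this covers
    # "ssh 1.2.4.17" run on the host itself.
    $IPT -t nat -A OUTPUT -d "$pub_ip" -j DNAT --to-destination "$ct_ip"
    # Outbound: connections the container opens leave as the public IP, not as
    # the host's primary address. Inserted at position 1 so it is evaluated
    # before the MASQUERADE rule LXD installs for lxdbr0.
    $IPT -t nat -I POSTROUTING 1 -s "$ct_ip" -o "$pub_if" -j SNAT --to-source "$pub_ip"
    # FORWARD is often policy DROP (e.g. with ufw); permit both directions.
    $IPT -A FORWARD -i "$pub_if" -o "$ct_br" -d "$ct_ip" -j ACCEPT
    $IPT -A FORWARD -i "$ct_br" -o "$pub_if" -s "$ct_ip" -j ACCEPT
}

main() {
    # Forwarding must be enabled, or the DNAT'd packets are silently dropped.
    sysctl -w net.ipv4.ip_forward=1
    forward_public_ip ens3 1.2.4.17 10.0.3.20 lxdbr0
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_MAIN=1 sh forward.sh` as root to install the rules, or `RUN_MAIN=1 IPT=echo sh forward.sh` to review them first. Note what this changes security-wise: the DNAT exposes every port the container listens on, not just one, so the container needs its own firewall policy, and the rules are not persistent across reboots (iptables-persistent or an ifupdown `up` hook is needed for that).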
Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?
Thanks to some off-list replies and some help from other online
resources, I've been able to switch this to a bridged method, with the
host interfaces set to 'manual', an inet0 bridge created that is static
IP'd for the host system to have its primary IP, and can have manual IP
assignments to containers on that bridged network for the other
non-primary IPs. I've also kept an `lxdbr0` device from the older
lxd-bridge setup that I still had for NAT'd containers, since I have
more containers than public IPs, and many of the containers don't need
to be on public IPs.

Thank you to the people who replied to me off-list, but also the people
in general who help people new to LXC/LXD networking get started working
through issues they've run into!

Thomas

On 05/19/2017 10:01 PM, Thomas Ward wrote:
> Hello.
>
> I've got a VDS from RamNode - which is essentially a KVM VPS with
> dedicated CPUs, and larger RAM capacity. This VDS has three IPs. I'm
> going to obfuscate them here, but essentially the host box is configured
> like this:
>
> # The primary network interface
> auto ens3
> iface ens3 inet static
>     address 1.2.3.107
>     netmask 255.255.255.0
>     gateway 1.2.3.1
>     dns-nameserver 8.8.8.8 8.8.4.4
>
> auto ens3:1
> iface ens3:1 inet static
>     address 1.2.4.17
>     netmask 255.255.255.0
>     gateway 1.2.4.1
>     dns-nameserver 8.8.8.8 8.8.4.4
>
> auto ens3:2
> iface ens3:2 inet static
>     address 1.2.4.34
>     netmask 255.255.255.0
>     gateway 1.2.4.1
>     dns-nameserver 8.8.8.8 8.8.4.4
>
> Now, I'd like to route 1.2.4.17 to a specific container once I've
> created it, but ens3 is the only actual physical NIC on the system, and
> I don't have the ability to add any more physical NICs.
>
> How would I go about routing 1.2.4.17 to the 'new' container I'm going
> to create?
>
> Note that by default, new containers are attached to an 'lxdbr0' which
> NATs container traffic; this new container would have to reside outside
> that, obviously, but I'm not fluent in LXC/LXD networking, so a guide
> and/or how-tos for this would be wonderful to have.
>
> --
> Thomas
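The bridged method Thomas describes above, written out as a reproducible script. This is an added example, not something Thomas or anyone else posted: it emits the ifupdown stanza that turns ens3 into a port of an inet0 bridge carrying the host's primary IP, and attaches a container to that bridge with a static stanza for the secondary IP. The container name "web1", the use of the `lxc` client, and an ifupdown-based container image (Ubuntu 16.04 style, with /etc/network/interfaces.d/*.cfg sourced) are assumptions; the bridge only works if the provider accepts more than one MAC address on the port, since the container's veth has its own. Set LXC=echo to print the LXD commands instead of running them.

```shell
#!/bin/sh
# Added example (not code from the thread): the "bridged method" from the
# reply above. The physical NIC is set to 'manual' and becomes a port of a
# new bridge inet0; the host's primary IP moves onto inet0; a container gets
# a bridged NIC on inet0 and configures the secondary public IP itself.
# Assumptions not stated on the list: container "web1", LXD client "lxc",
# container image using ifupdown with /etc/network/interfaces.d/*.cfg. Any
# existing DHCP stanza for eth0 inside the container (e.g. cloud-init's) must
# be removed first. Set LXC=echo to print the LXD commands instead.

LXC="${LXC:-lxc}"

# static_stanza <iface> <ip> <netmask> <gateway>: one ifupdown static stanza.
static_stanza() {
    cat <<EOF
auto $1
iface $1 inet static
    address $2
    netmask $3
    gateway $4
    dns-nameservers 8.8.8.8 8.8.4.4
EOF
}

# host_bridge_stanza <nic> <bridge> <ip> <netmask> <gateway>
# Emits what replaces the ens3 block in the host's /etc/network/interfaces.
# The secondary IPs (ens3:1, ens3:2) are no longer configured on the host;
# each container on the bridge owns its own.
host_bridge_stanza() {
    nic="$1"; br="$2"
    printf '# %s carries no address: it is a port of %s\nauto %s\niface %s inet manual\n\n' \
        "$nic" "$br" "$nic" "$nic"
    static_stanza "$br" "$3" "$4" "$5"
    # bridge-utils options: the NIC as the only port, no STP on a single uplink,
    # no forwarding delay so the host does not lose its address for 15 seconds.
    printf '    bridge_ports %s\n    bridge_stp off\n    bridge_fd 0\n    bridge_maxwait 0\n' "$nic"
}

# attach_container <name> <bridge> <ip> <netmask> <gateway>
# A container-level device named eth0 overrides the profile's eth0 (normally
# on lxdbr0), so the container ends up on the public bridge only. The static
# stanza is pushed in from stdin, then the container is restarted to apply it.
attach_container() {
    ct="$1"; br="$2"
    $LXC config device add "$ct" eth0 nic nictype=bridged parent="$br" name=eth0
    static_stanza eth0 "$3" "$4" "$5" | $LXC file push - "$ct/etc/network/interfaces.d/50-public.cfg"
    $LXC restart "$ct"
}

main() {
    # Host side: paste this over the ens3 block in /etc/network/interfaces and
    # bring it up from a console or reboot; the host has no address while the
    # switch happens, so do not do it over ssh.
    host_bridge_stanza ens3 inet0 1.2.3.107 255.255.255.0 1.2.3.1
    # Container side: web1 takes the address that used to live on ens3:1.
    attach_container web1 inet0 1.2.4.17 255.255.255.0 1.2.4.1
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

The macvlan variant Fajar mentions is the same `lxc config device add` with `nictype=macvlan parent=ens3` and no inet0 bridge at all, at the cost of the host and the container not being able to talk to each other directly. Either way the container is now directly reachable on a public address with no NAT in front of it, so its own firewall and the services it exposes are what protect it.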
[lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?
Hello.

I've got a VDS from RamNode - which is essentially a KVM VPS with
dedicated CPUs, and larger RAM capacity. This VDS has three IPs. I'm
going to obfuscate them here, but essentially the host box is configured
like this:

# The primary network interface
auto ens3
iface ens3 inet static
    address 1.2.3.107
    netmask 255.255.255.0
    gateway 1.2.3.1
    dns-nameserver 8.8.8.8 8.8.4.4

auto ens3:1
iface ens3:1 inet static
    address 1.2.4.17
    netmask 255.255.255.0
    gateway 1.2.4.1
    dns-nameserver 8.8.8.8 8.8.4.4

auto ens3:2
iface ens3:2 inet static
    address 1.2.4.34
    netmask 255.255.255.0
    gateway 1.2.4.1
    dns-nameserver 8.8.8.8 8.8.4.4

Now, I'd like to route 1.2.4.17 to a specific container once I've
created it, but ens3 is the only actual physical NIC on the system, and
I don't have the ability to add any more physical NICs.

How would I go about routing 1.2.4.17 to the 'new' container I'm going
to create?

Note that by default, new containers are attached to an 'lxdbr0' which
NATs container traffic; this new container would have to reside outside
that, obviously, but I'm not fluent in LXC/LXD networking, so a guide
and/or how-tos for this would be wonderful to have.

--
Thomas