Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?

2017-05-22 Thread Joe McDonald
Hi Thomas,

Can you list the steps you went through to get it working?
I'm in the same boat.

thanks.

On Fri, May 19, 2017 at 8:31 PM, Thomas Ward  wrote:
> Thanks to some off-list replies and some help from other online
> resources, I've been able to switch this to a bridged method, with the
> host interfaces set to 'manual', an inet0 bridge created that is static
> IP'd for the host system to have its primary IP, and can have manual IP
> assignments to containers on that bridged network for the other
> non-primary IPs.  I've also kept an `lxdbr0` device from the older
> lxd-bridge setup that I still had for NAT'd containers, since I have
> more containers than public IPs, and many of the containers don't need
> to be on public IPs.
>
> Thank you to the people who replied to me off-list, but also the people
> in general who help people new to LXC/LXD networking get started working
> through issues they've run into!
>
>
> Thomas
>
>
> On 05/19/2017 10:01 PM, Thomas Ward wrote:
>> Hello.
>>
>> I've got a VDS from RamNode - which is essentially a KVM VPS with
>> dedicated CPUs, and larger RAM capacity.  This VDS has three IPs.  I'm
>> going to obfuscate them here, but essentially the host box is configured
>> like this:
>>
>>
>> # The primary network interface
>> auto ens3
>> iface ens3 inet static
>> address 1.2.3.107
>> netmask 255.255.255.0
>> gateway 1.2.3.1
>> dns-nameserver 8.8.8.8 8.8.4.4
>>
>> auto ens3:1
>> iface ens3:1 inet static
>> address 1.2.4.17
>> netmask 255.255.255.0
>> gateway 1.2.4.1
>> dns-nameserver 8.8.8.8 8.8.4.4
>>
>> auto ens3:2
>> iface ens3:2 inet static
>> address 1.2.4.34
>> netmask 255.255.255.0
>> gateway 1.2.4.1
>> dns-nameserver 8.8.8.8 8.8.4.4
>>
>>
>> Now, I've got a container I'd like to route the 1.2.4.17 to a specific
>> container once I've created it, but ens3 is the only actual physical NIC
>> on the system, and I don't have the ability to add any more physical NICs.
>>
>> How would I go about routing 1.2.4.17 to the 'new' container I'm going
>> to create?
>>
>> Note that by default, new containers are attached to an 'lxdbr0' which
>> NATs container traffic, this new container would have to reside outside
>> that obviously, but I'm not fluent in LXC/LXD networking so a guide
>> and/or how-tos for this would be wonderful to have.
>>
>>
>> --
>>
>> Thomas
>>
>
> ___
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?

2017-05-20 Thread Ron Kelley
Great suggestions from Fajar.  A couple more ideas if you only have one public 
IP on your container:

* Use HAProxy on the container’s main IP address with Server Name 
Identification (SNI) and a local DNS server.  This way, all your sites are tied 
to the same IP address as the container with private addresses behind it.

* Use nginx with local DNS lookups.  Similar to haproxy except nginx redirects 
the web requests to the appropriate backend.


-Ron

> On May 20, 2017, at 9:34 AM, Fajar A. Nugraha  wrote:
> 
> On Sat, May 20, 2017 at 10:31 AM, Thomas Ward  wrote:
> I've been able to switch this to a bridged method, with the
> host interfaces set to 'manual', an inet0 bridge created that is static
> IP'd for the host system to have its primary IP, and can have manual IP
> assignments to containers on that bridged network for the other
> non-primary IPs.
> 
> 
> For sake of completeness:
> - converting eth0 to be a slave is the "standard" approach:
> https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-network
> https://help.ubuntu.com/lts/serverguide/network-configuration.html#bridging
> 
> - an easier approach is to use macvlan. Especially if the host doesn't need 
> to communicate directly with the container (which should also be what happens 
> in your case, as it appears the host and the containers are on different 
> subnets)
> https://github.com/lxc/lxd/blob/master/doc/containers.md#type-nic
> 
> - however both approaches won't work if your provider limits only ONE mac 
> address on your port. In this case you'd need either proxy-arp (somewhat 
> complicated, but possible), or simply use iptables to forward all traffic for 
> the secondary IP to the container.
> 
> -- 
> Fajar

Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?

2017-05-20 Thread Fajar A. Nugraha
On Sat, May 20, 2017 at 10:31 AM, Thomas Ward  wrote:

> I've been able to switch this to a bridged method, with the
> host interfaces set to 'manual', an inet0 bridge created that is static
> IP'd for the host system to have its primary IP, and can have manual IP
> assignments to containers on that bridged network for the other
> non-primary IPs.



For sake of completeness:
- converting eth0 to be a slave is the "standard" approach:
https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-network
https://help.ubuntu.com/lts/serverguide/network-configuration.html#bridging

- an easier approach is to use macvlan. Especially if the host doesn't need
to communicate directly with the container (which should also be what
happens in your case, as it appears the host and the containers are on
different subnets)
https://github.com/lxc/lxd/blob/master/doc/containers.md#type-nic

- however both approaches won't work if your provider limits only ONE mac
address on your port. In this case you'd need either proxy-arp (somewhat
complicated, but possible), or simply use iptables to forward all traffic
for the secondary IP to the container.

-- 
Fajar

Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?

2017-05-20 Thread Ingo Baab

Hello Thomas,

I use a nginx-reverse-proxy for accessing the container(s) webspace(s).

If I need to access something (a specific port) of a container from the
outside world, I use iptables to reach it, in your case i.e. to access your
container's ssh-server (on outside-port 22022) you can use:

interface=ens3
ipt_src_port=22022
# public IP of the host; the rule below matches on interface and port only
ipt_src_ip_addr=1.2.3.107
ipt_dst_ip_addr=$your_container_ip
ipt_dst_port=22

# forward TCP port 22022 arriving on ens3 to port 22 of the container
sudo iptables -t nat -A PREROUTING -i "${interface}" -p tcp -m tcp \
  --dport "${ipt_src_port}" -j DNAT \
  --to-destination "${ipt_dst_ip_addr}:${ipt_dst_port}"


Hope that helps anybody too..

PS: I use LXD/LXC to highly separate wordpress-installations from each other.
If anybody on the list is also doing nginx-webhosting within containers, I am
highly interested in others' experiences and contacts, - I am highly satisfied
how far LXD/LXC has developed so far. If you are working in the same 'field'
you can contact me for exchange.

Greetings from Germany,
Ingo Baab https://baab.de

Am 20.05.2017 um 04:01 schrieb Thomas Ward:

Hello.

I've got a VDS from RamNode - which is essentially a KVM VPS with
dedicated CPUs, and larger RAM capacity.  This VDS has three IPs.  I'm
going to obfuscate them here, but essentially the host box is configured
like this:


# The primary network interface
auto ens3
iface ens3 inet static
 address 1.2.3.107
 netmask 255.255.255.0
 gateway 1.2.3.1
 dns-nameserver 8.8.8.8 8.8.4.4

auto ens3:1
iface ens3:1 inet static
 address 1.2.4.17
 netmask 255.255.255.0
 gateway 1.2.4.1
 dns-nameserver 8.8.8.8 8.8.4.4

auto ens3:2
iface ens3:2 inet static
 address 1.2.4.34
 netmask 255.255.255.0
 gateway 1.2.4.1
 dns-nameserver 8.8.8.8 8.8.4.4


Now, I've got a container I'd like to route the 1.2.4.17 to a specific
container once I've created it, but ens3 is the only actual physical NIC
on the system, and I don't have the ability to add any more physical NICs.

How would I go about routing 1.2.4.17 to the 'new' container I'm going
to create?

Note that by default, new containers are attached to an 'lxdbr0' which
NATs container traffic, this new container would have to reside outside
that obviously, but I'm not fluent in LXC/LXD networking so a guide
and/or how-tos for this would be wonderful to have.


--

Thomas

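The iptables forwarding mentioned in Fajar's and Ingo's messages, as an added example that is not part of any original post: a dry-run script that validates its inputs and prints the rules for a single forwarded port and for a whole secondary IP. The function names and the container address 10.0.3.5 are assumptions; the interface and public addresses are the obfuscated ones from the thread.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it changes nothing itself.

valid_iface() {   # letters, digits, '_', '.', '-' only, so output is safe to run
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

valid_port() {    # decimal 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {    # dotted quad, each octet 0..255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# One TCP port on one public address -> container port. The -d match keeps the
# same port on the host's other addresses from being forwarded as well.
dnat_port_rule() {   # iface public_ip public_port container_ip container_port
    valid_iface "$1" && valid_ipv4 "$2" && valid_port "$3" &&
        valid_ipv4 "$4" && valid_port "$5" || return 1
    echo "iptables -t nat -A PREROUTING -i $1 -d $2 -p tcp --dport $3 -j DNAT --to-destination $4:$5"
}

# Whole secondary address -> container. The address stays configured on the
# host; every port of the container becomes reachable from outside.
forward_ip_rules() { # iface public_ip container_ip
    valid_iface "$1" && valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
    echo "iptables -t nat -A PREROUTING -i $1 -d $2 -j DNAT --to-destination $3"
    # Inserted first so it is evaluated before a broader MASQUERADE rule, if any.
    echo "iptables -t nat -I POSTROUTING 1 -o $1 -s $3 -j SNAT --to-source $2"
    echo "iptables -I FORWARD 1 -i $1 -d $3 -j ACCEPT"
}

# Constructed sample values; 10.0.3.5 is an assumed container address.
dnat_port_rule ens3 1.2.3.107 22022 10.0.3.5 22
forward_ip_rules ens3 1.2.4.17 10.0.3.5
```

The printed commands need root to apply and do not persist across reboots unless saved by whatever rule-persistence mechanism the host uses.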

Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?

2017-05-19 Thread Thomas Ward
Thanks to some off-list replies and some help from other online
resources, I've been able to switch this to a bridged method, with the
host interfaces set to 'manual', an inet0 bridge created that is static
IP'd for the host system to have its primary IP, and can have manual IP
assignments to containers on that bridged network for the other
non-primary IPs.  I've also kept an `lxdbr0` device from the older
lxd-bridge setup that I still had for NAT'd containers, since I have
more containers than public IPs, and many of the containers don't need
to be on public IPs.

Thank you to the people who replied to me off-list, but also the people
in general who help people new to LXC/LXD networking get started working
through issues they've run into!


Thomas


On 05/19/2017 10:01 PM, Thomas Ward wrote:
> Hello.
>
> I've got a VDS from RamNode - which is essentially a KVM VPS with
> dedicated CPUs, and larger RAM capacity.  This VDS has three IPs.  I'm
> going to obfuscate them here, but essentially the host box is configured
> like this:
>
>
> # The primary network interface
> auto ens3
> iface ens3 inet static
> address 1.2.3.107
> netmask 255.255.255.0
> gateway 1.2.3.1
> dns-nameserver 8.8.8.8 8.8.4.4
>
> auto ens3:1
> iface ens3:1 inet static
> address 1.2.4.17
> netmask 255.255.255.0
> gateway 1.2.4.1
> dns-nameserver 8.8.8.8 8.8.4.4
>
> auto ens3:2
> iface ens3:2 inet static
> address 1.2.4.34
> netmask 255.255.255.0
> gateway 1.2.4.1
> dns-nameserver 8.8.8.8 8.8.4.4
>
>
> Now, I've got a container I'd like to route the 1.2.4.17 to a specific
> container once I've created it, but ens3 is the only actual physical NIC
> on the system, and I don't have the ability to add any more physical NICs.
>
> How would I go about routing 1.2.4.17 to the 'new' container I'm going
> to create?
>
> Note that by default, new containers are attached to an 'lxdbr0' which
> NATs container traffic, this new container would have to reside outside
> that obviously, but I'm not fluent in LXC/LXD networking so a guide
> and/or how-tos for this would be wonderful to have.
>
>
> --
>
> Thomas
>


[lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?

2017-05-19 Thread Thomas Ward
Hello.

I've got a VDS from RamNode - which is essentially a KVM VPS with
dedicated CPUs, and larger RAM capacity.  This VDS has three IPs.  I'm
going to obfuscate them here, but essentially the host box is configured
like this:


# The primary network interface
auto ens3
iface ens3 inet static
address 1.2.3.107
netmask 255.255.255.0
gateway 1.2.3.1
dns-nameserver 8.8.8.8 8.8.4.4

auto ens3:1
iface ens3:1 inet static
address 1.2.4.17
netmask 255.255.255.0
gateway 1.2.4.1
dns-nameserver 8.8.8.8 8.8.4.4

auto ens3:2
iface ens3:2 inet static
address 1.2.4.34
netmask 255.255.255.0
gateway 1.2.4.1
dns-nameserver 8.8.8.8 8.8.4.4


Now, I've got a container I'd like to route the 1.2.4.17 to a specific
container once I've created it, but ens3 is the only actual physical NIC
on the system, and I don't have the ability to add any more physical NICs.

How would I go about routing 1.2.4.17 to the 'new' container I'm going
to create?

Note that by default, new containers are attached to an 'lxdbr0' which
NATs container traffic, this new container would have to reside outside
that obviously, but I'm not fluent in LXC/LXD networking so a guide
and/or how-tos for this would be wonderful to have.


--

Thomas
