Re: [Lxc-users] Routing issues

2013-06-05 Thread Serge Hallyn
Quoting Rory Campbell-Lange (r...@campbell-lange.net):
 On 04/06/13, Michael H. Warfield (m...@wittsend.com) wrote:
   I'd be grateful to know if anyone has some firewall (iptables) advice for
   allowing traffic to the container? I expect to run another firewall on the
   container itself.
  
  That's probably your FORWARD chain there.  Set that policy to ACCEPT and
  flush all the rules from the FORWARD chain like this:
  
  iptables -P FORWARD ACCEPT
  iptables -F FORWARD
  
  FORWARD chain is going to affect packets forwarded over the host's
  bridge to the containers.  The INPUT and OUTPUT chains will affect the
  packets coming in and going out from the local host's OS interfaces.
  
  Depending on your distro, track down your persistent rule storage and
  make those changes permanent.  Fedora prior to firewalld (here we go
  again), RedHat, and RH derivatives (CentOS et al) are generally
  in /etc/sysconfig/iptables unless you've also installed one of the
  sundry firewall toolkits.  Ubuntu, I'm not so sure about.
 
 I'm using Debian, and I'm using a simple ufw firewall on the host server
 at present.
 
 The iptables -L output is here:
 
 http://pastebin.com/QzQKRDX0
 
 I don't have any trouble with the firewall restarting.
 
 Thanks very much
 Rory

I think 'ufw status' information will probably be more helpful.

--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] Routing issues

2013-06-04 Thread Rory Campbell-Lange
On 03/06/13, Serge Hallyn (serge.hal...@ubuntu.com) wrote:
 Quoting Rory Campbell-Lange (r...@campbell-lange.net):
  On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
   
   What is the IP address of the container?
  
  The host is on aa.bb.cc.103 (a public net address)
  and the container is on aa.bb.cc.87.
  
  I can get from 87 to 103, but I can't ping the gateway from the
  container.
 
 Hm, here's an idea.  Lxc sets /proc/sys/net/ipv4/conf/$link/forwarding.
 Perhaps that isn't enough.  You might echo 1 >
 /proc/sys/net/ipv4/conf/eth0/forwarding and
 /proc/sys/net/ipv4/ip_forward.
 
 But,
 
 1. what does 'route -n' in the container (and on the host) show?
 
 2. when you ping the ip address of your router, what does traceroute
 (wireshark, whatever) on the host show?

Hi Serge

Thanks very much for your email.

Going through the steps above showed me I had a firewall problem. Dropping the
firewall allowed the container to hit the internet. Apologies for this beginner
problem.

I'd be grateful to know if anyone has some firewall (iptables) advice for
allowing traffic to the container? I expect to run another firewall on the
container itself.

Regards
Rory

-- 
Rory Campbell-Lange
r...@campbell-lange.net



Re: [Lxc-users] Routing issues

2013-06-04 Thread Rory Campbell-Lange
On 04/06/13, Rory Campbell-Lange (r...@campbell-lange.net) wrote:
 On 03/06/13, Serge Hallyn (serge.hal...@ubuntu.com) wrote:
  Quoting Rory Campbell-Lange (r...@campbell-lange.net):
   On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:

   The host is on aa.bb.cc.103 (a public net address)
   and the container is on aa.bb.cc.87.
   
   I can get from 87 to 103, but I can't ping the gateway from the
   container.

  1. what does 'route -n' in the container (and on the host) show?
  
  2. when you ping the ip address of your router, what does traceroute
  (wireshark, whatever) on the host show?

 Going through the steps above showed me I had a firewall problem. Dropping the
 firewall allowed the container to hit the internet. Apologies for this beginner
 problem.
 
 I'd be grateful to know if anyone has some firewall (iptables) advice for
 allowing traffic to the container? I expect to run another firewall on the
 container itself.

It looks like I don't have to drop the firewall on the host if I do the
following:

for f in /proc/sys/net/bridge/bridge-nf-*; do echo 0 > $f; done

Reference:
http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge#No_traffic_gets_trough_.28except_ARP_and_STP.29

Is this recommended?

Rory

-- 
Rory Campbell-Lange
r...@campbell-lange.net



Re: [Lxc-users] Routing issues

2013-06-04 Thread Serge Hallyn
Quoting Rory Campbell-Lange (r...@campbell-lange.net):
 On 04/06/13, Rory Campbell-Lange (r...@campbell-lange.net) wrote:
  On 03/06/13, Serge Hallyn (serge.hal...@ubuntu.com) wrote:
   Quoting Rory Campbell-Lange (r...@campbell-lange.net):
    On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:

    The host is on aa.bb.cc.103 (a public net address)
    and the container is on aa.bb.cc.87.

    I can get from 87 to 103, but I can't ping the gateway from the
    container.
 
   1. what does 'route -n' in the container (and on the host) show?
   
   2. when you ping the ip address of your router, what does traceroute
   (wireshark, whatever) on the host show?
 
  Going through the steps above showed me I had a firewall problem. Dropping the
  firewall allowed the container to hit the internet. Apologies for this beginner
  problem.
  
  I'd be grateful to know if anyone has some firewall (iptables) advice for
  allowing traffic to the container? I expect to run another firewall on the
  container itself.
 
 It looks like I don't have to drop the firewall on the host if I do the
 following:
 
 for f in /proc/sys/net/bridge/bridge-nf-*; do echo 0 > $f; done
 
 Reference:
 http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge#No_traffic_gets_trough_.28except_ARP_and_STP.29
 
 Is this recommended?

Probably not.  What is your current firewall trying to do?  What does
iptables -L; iptables -t nat -L; show?



Re: [Lxc-users] Routing issues

2013-06-04 Thread Michael H. Warfield
On Tue, 2013-06-04 at 11:21 +0100, Rory Campbell-Lange wrote: 
 On 03/06/13, Serge Hallyn (serge.hal...@ubuntu.com) wrote:
  Quoting Rory Campbell-Lange (r...@campbell-lange.net):
   On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:

    What is the IP address of the container?
   
   The host is on aa.bb.cc.103 (a public net address)
   and the container is on aa.bb.cc.87.
   
   I can get from 87 to 103, but I can't ping the gateway from the
   container.
  
  Hm, here's an idea.  Lxc sets /proc/sys/net/ipv4/conf/$link/forwarding.
  Perhaps that isn't enough.  You might echo 1 >
  /proc/sys/net/ipv4/conf/eth0/forwarding and
  /proc/sys/net/ipv4/ip_forward.
  
  But,
  
  1. what does 'route -n' in the container (and on the host) show?
  
  2. when you ping the ip address of your router, what does traceroute
  (wireshark, whatever) on the host show?

 Hi Serge

 Thanks very much for your email.

 Going through the steps above showed me I had a firewall problem. Dropping the
 firewall allowed the container to hit the internet. Apologies for this beginner
 problem.

 I'd be grateful to know if anyone has some firewall (iptables) advice for
 allowing traffic to the container? I expect to run another firewall on the
 container itself.

That's probably your FORWARD chain there.  Set that policy to ACCEPT and
flush all the rules from the FORWARD chain like this:

iptables -P FORWARD ACCEPT
iptables -F FORWARD

FORWARD chain is going to affect packets forwarded over the host's
bridge to the containers.  The INPUT and OUTPUT chains will affect the
packets coming in and going out from the local host's OS interfaces.

Depending on your distro, track down your persistent rule storage and
make those changes permanent.  Fedora prior to firewalld (here we go
again), RedHat, and RH derivatives (CentOS et al) are generally
in /etc/sysconfig/iptables unless you've also installed one of the
sundry firewall toolkits.  Ubuntu, I'm not so sure about.

 Regards
 Rory
 
 -- 
 Rory Campbell-Lange
 r...@campbell-lange.net
 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!
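
The two workarounds discussed in this thread (zeroing the bridge-nf-* switches, and setting FORWARD to ACCEPT and flushing it) both work by taking the host firewall out of the path of bridged container traffic. The script below is an added example, not code from any poster: it classifies that situation from saved `iptables -S` output and prints a rule scoped to the bridge instead. The function names and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reads saved text only; changes nothing.
#   bridge-nf value: content of /proc/sys/net/bridge/bridge-nf-call-iptables
#   rules:           output of `iptables -S` (filter table)
#   bridge:          br0 in the thread

# Print the FORWARD chain policy (ACCEPT, DROP, ...).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Succeed if any rule accepts traffic entering and leaving through the bridge.
# Heuristic: scans every chain (ufw keeps its rules in sub-chains) and ignores
# rule order, so treat "allowed" as a hint to confirm with packet counters.
has_bridge_accept() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 != "-A" { next }
        {
            line = " " $0 " "
            if (!index(line, " -j ACCEPT ")) next
            if (index(line, " -i " br " ") && index(line, " -o " br " ")) found = 1
            if (index(line, " --physdev-is-bridged ")) found = 1
        }
        END { exit !found }'
}

# Classify what the host firewall does to frames bridged between the
# container's veth and eth0.
diagnose() {
    nf=$1; rules=$2; br=$3
    if [ "$nf" = "0" ]; then
        echo "unfiltered"          # iptables never sees bridged frames
    elif has_bridge_accept "$rules" "$br"; then
        echo "allowed"             # a rule scoped to the bridge lets them through
    elif [ "$(forward_policy "$rules")" = "ACCEPT" ]; then
        echo "allowed-by-policy"   # everything forwarded is let through
    else
        echo "dropped"             # default-deny FORWARD catches bridged frames
    fi
}

# The narrow alternative: accept only bridge-to-bridge forwarding.
scoped_rule() {
    printf 'iptables -I FORWARD -i %s -o %s -j ACCEPT\n' "$1" "$1"
}

# Constructed sample: a default-deny host ruleset, not the pastebin output.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
FIXED_RULES="$SAMPLE_RULES
-A FORWARD -i br0 -o br0 -j ACCEPT"

echo "before: $(diagnose 1 "$SAMPLE_RULES" br0)"
scoped_rule br0
echo "after:  $(diagnose 1 "$FIXED_RULES" br0)"
```

`allowed-by-policy` is the state the two FORWARD commands above produce; with ip_forward enabled it also lets the host route between eth1 and br0, which the bridge-scoped rule does not.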




Re: [Lxc-users] Routing issues

2013-06-04 Thread Rory Campbell-Lange
On 04/06/13, Michael H. Warfield (m...@wittsend.com) wrote:
  I'd be grateful to know if anyone has some firewall (iptables) advice for
  allowing traffic to the container? I expect to run another firewall on the
  container itself.
 
 That's probably your FORWARD chain there.  Set that policy to ACCEPT and
 flush all the rules from the FORWARD chain like this:
 
 iptables -P FORWARD ACCEPT
 iptables -F FORWARD
 
 FORWARD chain is going to affect packets forwarded over the host's
 bridge to the containers.  The INPUT and OUTPUT chains will affect the
 packets coming in and going out from the local host's OS interfaces.
 
 Depending on your distro, track down your persistent rule storage and
 make those changes permanent.  Fedora prior to firewalld (here we go
 again), RedHat, and RH derivatives (CentOS et al) are generally
 in /etc/sysconfig/iptables unless you've also installed one of the
 sundry firewall toolkits.  Ubuntu, I'm not so sure about.

I'm using Debian, and I'm using a simple ufw firewall on the host server
at present.

The iptables -L output is here:

http://pastebin.com/QzQKRDX0

I don't have any trouble with the firewall restarting.

Thanks very much
Rory

-- 
Rory Campbell-Lange
r...@campbell-lange.net



[Lxc-users] Routing issues

2013-06-03 Thread Rory Campbell-Lange
I have (with Rob van der Hoeven's help) set up a Debian Wheezy container on a
Wheezy host. This worked well.

I can ssh into the main host from the lxc host. However I cannot hit the
internet from the lxc host. I'd be grateful for some pointers.

At present I have the following configuration on the host:

auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
address aa.bb.cc.103
netmask 255.255.255.192
gateway aa.bb.cc.65

and the following in the container config:

lxc.utsname = wheezy05
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.ipv4 = aa.bb.cc.87/26
lxc.network.hwaddr = 00:1E:83:8D:7C:25

with the following in wheezy05's /etc/network/interfaces file:

auto eth0
# iface eth0 inet dhcp
iface eth0 inet static
address aa.bb.cc.87
netmask 255.255.255.192
gateway aa.bb.cc.65

One specific issue I found: 

* it looks like the container address is assigned at startup and the
  'interfaces' network stanza is not run -- I have to assign the
  gateway by hand

Many thanks
Rory

-- 
Rory Campbell-Lange
r...@campbell-lange.net



Re: [Lxc-users] Routing issues

2013-06-03 Thread Papp Tamas
On 06/03/2013 06:55 PM, Rory Campbell-Lange wrote:

 I have (with Rob van der Hoeven's help) set up a Debian Wheezy container on a
 Wheezy host. This worked well.

 I can ssh into the main host from the lxc host. However I cannot hit the
 internet from the lxc host. I'd be grateful for some pointers.

 At present I have the following configuration on the host:

  auto br0
  iface br0 inet static
  bridge_ports eth0
  bridge_fd 0
  address aa.bb.cc.103
  netmask 255.255.255.192
  gateway aa.bb.cc.65

 and the following in the container config:

  lxc.utsname = wheezy05
  lxc.network.type = veth
  lxc.network.flags = up
  lxc.network.link = br0
  lxc.network.ipv4 = aa.bb.cc.87/26
  lxc.network.hwaddr = 00:1E:83:8D:7C:25

 with the following in wheezy05's /etc/network/interfaces file:

  auto eth0
  # iface eth0 inet dhcp
  iface eth0 inet static
  address aa.bb.cc.87
  netmask 255.255.255.192
  gateway aa.bb.cc.65

 One specific issue I found:

  * it looks like the container address is assigned at startup and the
    'interfaces' network stanza is not run -- I have to assign the
    gateway by hand

So you can or can not hit the internet? It's not clear what your problem is
exactly. It's also not clear which one you mean by 'lxc host'.

Do you really mean the machine where containers are running, or is lxc host
actually the guest?

You don't need to use lxc.network.ipv4 if you set up the network from the
container.


tamas



Re: [Lxc-users] Routing issues

2013-06-03 Thread Rory Campbell-Lange
On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
 On 06/03/2013 06:55 PM, Rory Campbell-Lange wrote:
 
  I can ssh into the main host from the lxc host. However I cannot hit the
  internet from the lxc host. I'd be grateful for some pointers.
 
  At present I have the following configuration on the host:
 
   auto br0
   iface br0 inet static
   bridge_ports eth0
   bridge_fd 0
   address aa.bb.cc.103
   netmask 255.255.255.192
   gateway aa.bb.cc.65
 
  and the following in the container config:
 
   lxc.utsname = wheezy05
   lxc.network.type = veth
   lxc.network.flags = up
   lxc.network.link = br0
   lxc.network.ipv4 = aa.bb.cc.87/26
   lxc.network.hwaddr = 00:1E:83:8D:7C:25
 
  with the following in wheezy05's /etc/network/interfaces file:
 
   auto eth0
   # iface eth0 inet dhcp
   iface eth0 inet static
   address aa.bb.cc.87
   netmask 255.255.255.192
   gateway aa.bb.cc.65
 
  One specific issue I found:
 
   * it looks like the container address is assigned at startup and the
     'interfaces' network stanza is not run -- I have to assign the
     gateway by hand
 
 So you can or can not hit the internet? It's not clear what your
 problem is exactly. It's also not clear which one you mean by 'lxc
 host'.
 
 Do you really mean the machine where containers are running, or is lxc
 host actually the guest?
 
 You don't need to use lxc.network.ipv4 if you set up the network from
 the container.

Hi Tamas

Thanks very much for your email. First of all thanks very much for the
note about the lxc.network.ipv4 parameter -- I disabled that and
routing seems to be fine.

My question was unclear -- sorry! My host is on the internet. I can ssh
from the guest to the host over the bridge, but I can't route out of the
subnet. Do I need iptables masquerading on the host in this scenario?

host 'ip addr' output with the guest running:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 00:e0:81:4c:bc:f6 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:e0:81:4c:bc:f7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.9/27 brd 192.168.9.31 scope global eth1
    inet6 fe80::2e0:81ff:fe4c:bcf7/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:e0:81:4c:bc:f6 brd ff:ff:ff:ff:ff:ff
    inet aa.bb.cc.103/26 brd aa.bb.cc.127 scope global br0
    inet6 fe80::2e0:81ff:fe4c:bcf6/64 scope link
       valid_lft forever preferred_lft forever
36: vethklhgjT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether fe:ae:36:71:d7:2b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fcae:36ff:fe71:d72b/64 scope link
       valid_lft forever preferred_lft forever

Regards
Rory
-- 
Rory Campbell-Lange
r...@campbell-lange.net



Re: [Lxc-users] Routing issues

2013-06-03 Thread Papp Tamas
On 06/04/2013 12:52 AM, Rory Campbell-Lange wrote:

 Hi Tamas

 Thanks very much for your email. First of all thanks very much for the
 note about the lxc.network.ipv4 parameter -- I disabled that and
 routing seems to be fine.

 My question was unclear -- sorry! My host is on the internet. I can ssh
 from the guest to the host over the bridge, but I can't route out of the
 subnet. Do I need iptables masquerading on the host in this scenario?

 host 'ip addr' output with the guest running:

  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
      link/ether 00:e0:81:4c:bc:f6 brd ff:ff:ff:ff:ff:ff
  3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 00:e0:81:4c:bc:f7 brd ff:ff:ff:ff:ff:ff
      inet 192.168.9.9/27 brd 192.168.9.31 scope global eth1
      inet6 fe80::2e0:81ff:fe4c:bcf7/64 scope link
         valid_lft forever preferred_lft forever
  4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
      link/ether 00:e0:81:4c:bc:f6 brd ff:ff:ff:ff:ff:ff
      inet aa.bb.cc.103/26 brd aa.bb.cc.127 scope global br0
      inet6 fe80::2e0:81ff:fe4c:bcf6/64 scope link
         valid_lft forever preferred_lft forever
  36: vethklhgjT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
      link/ether fe:ae:36:71:d7:2b brd ff:ff:ff:ff:ff:ff
      inet6 fe80::fcae:36ff:fe71:d72b/64 scope link
         valid_lft forever preferred_lft forever

What is the IP address of the container?


If it's a private address and you want NAT, then the container should be linked
to another iface. Either to a dummy iface or eth1.


So you leave eth0 untouched and create br1 with eth1 and choose an IP for the
container from 192.168.9.9/27.

Then set up the machine as gateway (ip_forward, NAT/MASQ).

AFAIK, you can also choose a different network type, but I've never used.


Cheers,
tamas




Re: [Lxc-users] Routing issues

2013-06-03 Thread Rory Campbell-Lange
On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
 
 What is the IP address of the container?

The host is on aa.bb.cc.103 (a public net address)
and the container is on aa.bb.cc.87.

I can get from 87 to 103, but I can't ping the gateway from the
container.

 If it's a private address and you want NAT, then the container
 should be linked to another iface. Either to a dummy iface or eth1.

I'm trying to do everything over br0 with fixed ip addresses, like
http://wiki.debian.org/LXC/SimpleBridge

 So you leave eth0 untouched and create br1 with eth1 and choose an
 IP for the container from 192.168.9.9/27.
 
 Then setup the machine as gateway (ip_forward, NAT/MASQ).

I'll give those a go if the br0/eth0 arrangement I'm trying doesn't
work. I'm not keen to forward ports from the host, if I can avoid it.
 
 AFAIK, you can also choose a different network type, but I've never used.

Regards
Rory

-- 
Rory Campbell-Lange
r...@campbell-lange.net



Re: [Lxc-users] Routing issues

2013-06-03 Thread Serge Hallyn
Quoting Rory Campbell-Lange (r...@campbell-lange.net):
 On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
  
  What is the IP address of the container?
 
 The host is on aa.bb.cc.103 (a public net address)
 and the container is on aa.bb.cc.87.
 
 I can get from 87 to 103, but I can't ping the gateway from the
 container.

Hm, here's an idea.  Lxc sets /proc/sys/net/ipv4/conf/$link/forwarding.
Perhaps that isn't enough.  You might echo 1 >
/proc/sys/net/ipv4/conf/eth0/forwarding and
/proc/sys/net/ipv4/ip_forward.

But,

1. what does 'route -n' in the container (and on the host) show?

2. when you ping the ip address of your router, what does traceroute
(wireshark, whatever) on the host show?

-serge
