Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-10 Thread Hans Feldt 

On 06/05/2013 02:40 PM, Serge Hallyn wrote:
 Now my question, could not lxc (at boot) setup a fixed MAC addr for the host 
 port?

 Yeah, given how bad this was for libvirt/qemu I'm surprised I've not seen
 this happen in lxc - but I haven't, and noone else has reported it.

 Since you mention lxcbr0, I assume you're using ubuntu?  Until we

Yes 12.04 and 13.04

 (somehow - netcf?) implement a distro-agnostic lxc bridge upstream, this
 is not an upstream issue, but an ubuntu package issue.

 Have you actually seen a hang as a result of this?  If so, then please

Yes but not a permanent one. Just until the arp cache times out. But 
long enough to fail my test case...

For testing purposes I have a set of lxc systems that communicate with 
each other as well as the host. The problem occurs when I reboot an lxc 
system and another lxc system tries to communicate with the host. The 
host might have changed mac addr and ...

 open a bug at https://bugs.launchpad.net/ubuntu/+source/lxc/+filebug
 as it should be trivially fixable in /etc/init/lxc-net.conf.

OK will do.

/Hans


 -serge



--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-10 Thread Hans Feldt 

On 06/05/2013 06:26 PM, Serge Hallyn wrote:

 BUT I just did some testing, and even as I watch lxcbr0's addr go down
 when starting a new container, my ssh to the container which had the
 higher macaddr doesn't hiccough.

the problem appears in the other direction, container to host

/Hans

--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-10 Thread Serge Hallyn 
Quoting Hans Feldt (hans.fe...@ericsson.com):
 open a bug at https://bugs.launchpad.net/ubuntu/+source/lxc/+filebug
 as it should be trivially fixable in /etc/init/lxc-net.conf.
 
 OK will do.

Cool, thanks, I'll track it there.

--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Serge Hallyn 
 Now my question, could not lxc (at boot) setup a fixed MAC addr for the host 
 port?

Yeah, given how bad this was for libvirt/qemu I'm surprised I've not seen
this happen in lxc - but I haven't, and noone else has reported it.

Since you mention lxcbr0, I assume you're using ubuntu?  Until we
(somehow - netcf?) implement a distro-agnostic lxc bridge upstream, this
is not an upstream issue, but an ubuntu package issue.

Have you actually seen a hang as a result of this?  If so, then please
open a bug at https://bugs.launchpad.net/ubuntu/+source/lxc/+filebug
as it should be trivially fixable in /etc/init/lxc-net.conf.

-serge

--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Michael H. Warfield 
On Wed, 2013-06-05 at 07:40 -0500, Serge Hallyn wrote: 
  Now my question, could not lxc (at boot) setup a fixed MAC addr for the 
  host port?

 Yeah, given how bad this was for libvirt/qemu I'm surprised I've not seen
 this happen in lxc - but I haven't, and noone else has reported it.

Actually, this has come up on both the -devel list and here, the last
time about a year and a half ago:

On the -devel list...

Subject: Set high byte of mac addresses for host veth devices to 0xfe

It had a patch and referenced an open bug associated with it:

random veth device MAC addresses cause bridge problems - ID: 3411497
https://sourceforge.net/tracker/index.php?func=detailaid=3411497group_id=163076atid=826303

Christian Seiler included a proposed patch with his original posting to
the -devel list back in November of 2011 where he set the high order
byte to FE for a private locally administered MAC and some discussion
ensued.  After a couple of bug fixes, it was Acked it on 01/03/2012.

It looks like it was applied.  Right around line 3109 of src/lxc/conf.c:

static int setup_private_host_hw_addr(char *veth1)

   ...

   ifr.ifr_hwaddr.sa_data[0] = 0xfe;
   err = ioctl(sockfd, SIOCSIFHWADDR, ifr);
   close(sockfd);

The bug is still open.  Is this not working?  What version did it go
into?  Someone should probably close that bug with an annotation.  Looks
to have been fixed in the 0.8.0 release.

Seems to be working for me:

ip addr ls 

 ...

7: vethNoBHvN: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast 
master lxcbr0 state UP qlen 1000
link/ether fe:57:fa:34:4c:35 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc57:faff:fe34:4c35/64 scope link 
   valid_lft forever preferred_lft forever
9: vethFmslRq: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast 
master lxcbr0 state UP qlen 1000
link/ether fe:a8:39:d6:c2:ee brd ff:ff:ff:ff:ff:ff
inet6 fe80::fca8:39ff:fed6:c2ee/64 scope link 
   valid_lft forever preferred_lft forever
11: vethhw7OZw: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast 
master lxcbr0 state UP qlen 1000
link/ether fe:6b:8e:9d:f2:4f brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc6b:8eff:fe9d:f24f/64 scope link 
   valid_lft forever preferred_lft forever

So this shouldn't be happening if all of the host side MAC addresses are
beginning with fe:.  What version of the lxc tools is in play here?
0.7.5 dates back to August of 2011 and would have predated that fix.
There's still a lot of distros with 0.7.5 still running around out
there.

It was also discussed here under these threads here in this forum from
around the time time frame (about a year and a half ago):

Subject: New LXC Creation Script: lxc-ubuntu-x
Subject: seeing a network pause when starting and stopping LXCs - how
do I stop this ?

Yes, I had seen the bug show up.  It causes the network to hang, but
only for a half a minute or less as the ARP caches settle.  If you have
frequent starting and stopping of containers, it can be a PITA.  My
solution was to assign a high vendor field (top 3 bytes) using some
safe vendor value that was above my host card vendor value.

I seem to recall some discussion a few years ago about also trying to
get an official MAC vendor code assigned to this project in one of the
earlier discussions.  I don't think that went anywhere and I'm having a
problem finding it now.  I do remember participating in that discussion
as well.  I seem to recall that it was decided not to do this even
though some other projects such as VMware and, maybe, VirtualBox did
chose this route.

 Since you mention lxcbr0, I assume you're using ubuntu?  Until we
 (somehow - netcf?) implement a distro-agnostic lxc bridge upstream, this
 is not an upstream issue, but an ubuntu package issue.

 Have you actually seen a hang as a result of this?  If so, then please
 open a bug at https://bugs.launchpad.net/ubuntu/+source/lxc/+filebug
 as it should be trivially fixable in /etc/init/lxc-net.conf.

See above.  Opened on 09/19/2011 and still open.  You'll find I
commented in the bug the same day.  There's been other discussions in
several forum, including including these.

I believe it has also come up on the OpenVZ forum (and is where a lot of
my earlier information originated) and has been mentioned in some of the
kernel lists, probably the net list.

There is a reason it works that way, mostly because the bridge has to
have an address and it has to be an address on the bridge so the kernel
can know what's on the bridge and what's foreign to the bridge in order
to manage local routing.  So, it has to pick something.  But, if you
delete an interface from the bridge and the bridge is using that
address, it has to pick another.  The rule the followed was to always
choose the lowest.

The only downside to assigning a static bridge address to the bridge is
the chance of that associated interface ever being deleted from the
bridge.  I think you also loose that static state if certain bridge

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Serge Hallyn 
Quoting Michael H. Warfield (m...@wittsend.com):
 On Wed, 2013-06-05 at 07:40 -0500, Serge Hallyn wrote: 
   Now my question, could not lxc (at boot) setup a fixed MAC addr for the 
   host port?
 
  Yeah, given how bad this was for libvirt/qemu I'm surprised I've not seen
  this happen in lxc - but I haven't, and noone else has reported it.
 
 Actually, this has come up on both the -devel list and here, the last
 time about a year and a half ago:
 
 On the -devel list...
 
 Subject: Set high byte of mac addresses for host veth devices to 0xfe
 
 It had a patch and referenced an open bug associated with it:
 
 random veth device MAC addresses cause bridge problems - ID: 3411497
 https://sourceforge.net/tracker/index.php?func=detailaid=3411497group_id=163076atid=826303
 
 Christian Seiler included a proposed patch with his original posting to
 the -devel list back in November of 2011 where he set the high order
 byte to FE for a private locally administered MAC and some discussion
 ensued.  After a couple of bug fixes, it was Acked it on 01/03/2012.
 
 It looks like it was applied.  Right around line 3109 of src/lxc/conf.c:
 
 static int setup_private_host_hw_addr(char *veth1)
 
...
 
ifr.ifr_hwaddr.sa_data[0] = 0xfe;
err = ioctl(sockfd, SIOCSIFHWADDR, ifr);
close(sockfd);

yes and it does this.  The point is that lxcbr0 is not tied to any
physical nic.  So the first container you start, however high the
macaddr is, lxcbr0 takes its mac.  If the next container gets a
lower macaddr, lxcbr0's macaddr drops.

Right now I have:

lxcbr0Link encap:Ethernet  HWaddr fe:02:72:77:79:ff  
vethtdjU5K Link encap:Ethernet  HWaddr fe:02:72:77:79:ff  

-serge

--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Michael H. Warfield 
On Wed, 2013-06-05 at 09:30 -0500, Serge Hallyn wrote: 
 Quoting Michael H. Warfield (m...@wittsend.com):
  On Wed, 2013-06-05 at 07:40 -0500, Serge Hallyn wrote: 
Now my question, could not lxc (at boot) setup a fixed MAC addr for the 
host port?
  
   Yeah, given how bad this was for libvirt/qemu I'm surprised I've not seen
   this happen in lxc - but I haven't, and noone else has reported it.
  
  Actually, this has come up on both the -devel list and here, the last
  time about a year and a half ago:
  
  On the -devel list...
  
  Subject: Set high byte of mac addresses for host veth devices to 0xfe
  
  It had a patch and referenced an open bug associated with it:
  
  random veth device MAC addresses cause bridge problems - ID: 3411497
  https://sourceforge.net/tracker/index.php?func=detailaid=3411497group_id=163076atid=826303
  
  Christian Seiler included a proposed patch with his original posting to
  the -devel list back in November of 2011 where he set the high order
  byte to FE for a private locally administered MAC and some discussion
  ensued.  After a couple of bug fixes, it was Acked it on 01/03/2012.
  
  It looks like it was applied.  Right around line 3109 of src/lxc/conf.c:
  
  static int setup_private_host_hw_addr(char *veth1)
  
 ...
  
 ifr.ifr_hwaddr.sa_data[0] = 0xfe;
 err = ioctl(sockfd, SIOCSIFHWADDR, ifr);
 close(sockfd);

 yes and it does this.  The point is that lxcbr0 is not tied to any
 physical nic.  So the first container you start, however high the
 macaddr is, lxcbr0 takes its mac.  If the next container gets a
 lower macaddr, lxcbr0's macaddr drops.

 Right now I have:

 lxcbr0Link encap:Ethernet  HWaddr fe:02:72:77:79:ff  
 vethtdjU5K Link encap:Ethernet  HWaddr fe:02:72:77:79:ff  

Oh, yeah...  I'm always using bridged mode with the host ethernet
address on the bridge, so that's never a problem.  You're right.  The
NAT mode is problematical there because it's not anchored to a physical
interface.

I think someone, at one point in those earlier threads, was suggesting
that they were using a dummy interface or a dummy container as a place
holder to lock the interface address for that reason.  I just happen to
have enough IPv4 addresses, personally, that I bridge everything and
never really need to NAT anything where I can avoid it.  :-P

Of course, in a server environment, where you are hosting a farm of
virtual servers, you would almost always want global public addresses on
the servers, I would imagine.

You're still going to have the problem that, if you shut down the
container that the bridge is using for the address, the address is going
to shift, static or not.  The address of the bridge must be an address
of an interface on the bridge or you are going to have routing problems.
That was made clear in some discussion on some of the kernel mailing
lists.  How do you deal with that then?  Do you designate a container
that must never be shut down or the bridge hangs?

You could load the dummy module and bridge a dummy interface to the
bridge.  That would guarantee a MAC address lower than the fe: private
addresses of the bridge and would be cheaper than a dummy container.
I've done that before a long time ago.

(We should still close that old bug, however.)

 -serge

 --
 How ServiceNow helps IT people transform IT departments:
 1. A cloud service to automate IT design, transition and operations
 2. Dashboards that offer high-level views of enterprise services
 3. A single system of record for all IT processes
 http://p.sf.net/sfu/servicenow-d2d-j

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


signature.asc
Description: This is a digitally signed message part
--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Michael H. Warfield 
On Wed, 2013-06-05 at 15:17 +, Jäkel, Guido wrote: 
 yes and it does this.  The point is that lxcbr0 is not tied to any
 physical nic.  So the first container you start, however high the
 macaddr is, lxcbr0 takes its mac.  If the next container gets a
 lower macaddr, lxcbr0's macaddr drops.

 This lxcbr0 is special to Ubuntu, right? And if not to a physical NIC, to 
 what is this bridge connected to on the host?

Not to the best of my knowledge.  It should be a simple bridge.

What do you get for this command?

brctl show

A bridge doesn 
 --
 How ServiceNow helps IT people transform IT departments:
 1. A cloud service to automate IT design, transition and operations
 2. Dashboards that offer high-level views of enterprise services
 3. A single system of record for all IT processes
 http://p.sf.net/sfu/servicenow-d2d-j
 ___
 Lxc-users mailing list
 Lxc-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/lxc-users
 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


signature.asc
Description: This is a digitally signed message part
--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Michael H. Warfield 
Crap...  Bumped the keyboard and this one got away from me prematurely.

On Wed, 2013-06-05 at 11:23 -0400, Michael H. Warfield wrote: 
 On Wed, 2013-06-05 at 15:17 +, Jäkel, Guido wrote: 
  yes and it does this.  The point is that lxcbr0 is not tied to any
  physical nic.  So the first container you start, however high the
  macaddr is, lxcbr0 takes its mac.  If the next container gets a
  lower macaddr, lxcbr0's macaddr drops.

  This lxcbr0 is special to Ubuntu, right? And if not to a physical
 NIC, to what is this bridge connected to on the host?

 Not to the best of my knowledge.  It should be a simple bridge.

 What do you get for this command?

 brctl show

 A bridge doesn 

A bridge doesn't have to be attach to a device.  A bridge is its own
logical entity in the kernel to which you may attach devices.  You can
not attach a bridge to something else.  You can only attach something
else to the bridge.  There's a difference.

In the case of a NATing configuration, you set up a bridge (name it
whatever you want) and attach the containers to it.  Then you use the
NAT modules to route between the bridge and the external interface while
NATing the addresses.  I use lxcbr0 on my Fedora hosts.  It's just a
bridge.

I could see where Ubuntu might have some preconfigured setups for this
purpose where I have to set them up by hand in Fedora.  That's just a
matter of the distro specific support scripts.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


signature.asc
Description: This is a digitally signed message part
--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Michael H. Warfield 
On Wed, 2013-06-05 at 06:23 +, Hans Feldt wrote:
 It is a fact that the bridge takes the lowest MAC address from the
 attached ports for the host port. See for example
 http://backreference.org/2010/07/28/linux-bridge-mac-addresses-and-dynamic-ports/

 Thus if a container is restarted, the host port can potentially change
 its MAC address and containers will have a stale ARP cache. This of
 course causes problem for communication container-host.

 Tested the workaround mentioned in the link but then I got problem
 with network manager on a later Ubuntu version. Then I tried using a
 dummy container and reusing its MAC addr for the host port. Works
 but...

 Now my question, could not lxc (at boot) setup a fixed MAC addr for
 the host port?

There's a gotcha in there.  You can not set an arbitrary MAC address on
a bridge.  It can only be the MAC address of an attached interface.  It
has to do with how packets are routed down in the kernel and determining
if a packet is to be handled locally on the bridge or not.  It also may
have some ties in to the spanning tree algorithm protocol logic (whether
you are using STP or have it enabled or not).  If you set it to a fixed
MAC address of a container, you can't stop or reboot that container
without losing that static assignment on the bridge.

A dummy container is one option, if you don't have a host hardware
interface connected to the bridge.  But you need one with a MAC address
lower than any of the others.  Another alternative is to use a dummy
interface...

modprobe dummy
brctl addif lxcbr0 dummy0

The dummy0 interface doesn't even need to be up or have an IP address
assigned to it.

Since the container host-local addresses will all be private (fe:...)
and the dummy0 interface will have something lower, you should be good
to go.

 Thanks,
 Hans

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!


signature.asc
Description: This is a digitally signed message part
--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Serge Hallyn 
Quoting Michael H. Warfield (m...@wittsend.com):
 Crap...  Bumped the keyboard and this one got away from me prematurely.
 
 On Wed, 2013-06-05 at 11:23 -0400, Michael H. Warfield wrote: 
  On Wed, 2013-06-05 at 15:17 +, Jäkel, Guido wrote: 
   yes and it does this.  The point is that lxcbr0 is not tied to any
   physical nic.  So the first container you start, however high the
   macaddr is, lxcbr0 takes its mac.  If the next container gets a
   lower macaddr, lxcbr0's macaddr drops.
 
   This lxcbr0 is special to Ubuntu, right? And if not to a physical
  NIC, to what is this bridge connected to on the host?
 
  Not to the best of my knowledge.  It should be a simple bridge.
 
  What do you get for this command?
 
  brctl show
 
  A bridge doesn 
 
 A bridge doesn't have to be attach to a device.  A bridge is its own
 logical entity in the kernel to which you may attach devices.  You can
 not attach a bridge to something else.  You can only attach something
 else to the bridge.  There's a difference.
 
 In the case of a NATing configuration, you set up a bridge (name it
 whatever you want) and attach the containers to it.  Then you use the
 NAT modules to route between the bridge and the external interface while
 NATing the addresses.  I use lxcbr0 on my Fedora hosts.  It's just a
 bridge.
 
 I could see where Ubuntu might have some preconfigured setups for this
 purpose where I have to set them up by hand in Fedora.  That's just a
 matter of the distro specific support scripts.

Right.  And we *could* attach a dummy device with mac starting with
something lower.

BUT I just did some testing, and even as I watch lxcbr0's addr go down
when starting a new container, my ssh to the container which had the
higher macaddr doesn't hiccough.

Perhaps it'll be a problem when connected from an outside host (through
port forwarding).  In that case I'll happily do the dummy if hack.  But
it seems possible that it just isn't needed.  (And since the iptables rule
is --to-destination an ip address, I'm thinking it won't be)

-serge

--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Michael H. Warfield 
On Wed, 2013-06-05 at 11:26 -0500, Serge Hallyn wrote: 
 Quoting Michael H. Warfield (m...@wittsend.com):
  Crap...  Bumped the keyboard and this one got away from me prematurely.
  
  On Wed, 2013-06-05 at 11:23 -0400, Michael H. Warfield wrote: 
   On Wed, 2013-06-05 at 15:17 +, Jäkel, Guido wrote: 
yes and it does this.  The point is that lxcbr0 is not tied to any
physical nic.  So the first container you start, however high the
macaddr is, lxcbr0 takes its mac.  If the next container gets a
lower macaddr, lxcbr0's macaddr drops.
  
This lxcbr0 is special to Ubuntu, right? And if not to a physical
   NIC, to what is this bridge connected to on the host?
  
   Not to the best of my knowledge.  It should be a simple bridge.
  
   What do you get for this command?
  
   brctl show
  
   A bridge doesn 
  
  A bridge doesn't have to be attach to a device.  A bridge is its own
  logical entity in the kernel to which you may attach devices.  You can
  not attach a bridge to something else.  You can only attach something
  else to the bridge.  There's a difference.
  
  In the case of a NATing configuration, you set up a bridge (name it
  whatever you want) and attach the containers to it.  Then you use the
  NAT modules to route between the bridge and the external interface while
  NATing the addresses.  I use lxcbr0 on my Fedora hosts.  It's just a
  bridge.
  
  I could see where Ubuntu might have some preconfigured setups for this
  purpose where I have to set them up by hand in Fedora.  That's just a
  matter of the distro specific support scripts.
 
 Right.  And we *could* attach a dummy device with mac starting with
 something lower.

 BUT I just did some testing, and even as I watch lxcbr0's addr go down
 when starting a new container, my ssh to the container which had the
 higher macaddr doesn't hiccough.

Hmmm...  It would be interesting to see what you get from arp -a on
the host and the container before and after that.  It would also be
interesting to see what happens if you ssh to a container with the
higher address first and then bring up a container with a lower mac
address and see if it impacts the existing connection.

It really all depends on how the host is managing the arp table and, if
the MAC address changes, how does the bridge change impact the arp
table.

In the case of ssh'ing to a container from the host, the host would
still have the correct arp entry for the container which would
facilitate the delivery of the initial SYN.  The container would have an
incorrect entry but that should correct itself as soon as that new
packet arrives connecting from the host, invalidating the containers arp
table entry, I would think.

It should also correct the MAC table entries for the bridge (used by the
STP) if it originates from the interface that changed.  It works the
same way over an eitherswitch externally.  The moment a packet is sent
with a new from MAC address, the switch (bridge) remembers what port
(attachment) that MAC address was last seen on and enters it into it's
mac switch table.

What would be interesting to know is how the container sees it, since
his arp table entry for the host is then wrong if he initiates a packet
first, after the change.  It could be that the tap/bridge connection
from container to host bridge would clear that up quickly.

 Perhaps it'll be a problem when connected from an outside host (through
 port forwarding).  In that case I'll happily do the dummy if hack.  But
 it seems possible that it just isn't needed.  (And since the iptables rule
 is --to-destination an ip address, I'm thinking it won't be)

Yeah, since the host exposed IP and MAC are not changing, it shouldn't
be, in the external case with NAT as you describe.  The external systems
will only be referencing the external IP address for which the MAC
doesn't change and the ARP tables are perfectly coherent, externally.
So NAT w/ port forwarding to a container should be covered.

It's where the MAC address of the host interface changes (because it's
attached to a bridge) where you get into trouble in the external case.
But, we have that case covered now with the fixes that are in-place
since 0.8.0 (assuming the OP is on a recent enough version of the lxc
tools).

So both of those should be covered.

That really just leaves the host - container case (container -
container should be a trivial non-issue).  Then I think it's an issue of
which side of the bridge is issuing the first packet after the MAC
address changes and what does the bridge logic do about it.  Seems like
a corner case to me.  I also don't know what role STP has in this game.
On my fedora system, my lxcbr0 bridge has STP disabled but the virbr0
bridge (used by libvirt and setup by default) has it enabled and I have
no idea why.  It's possible that these symptoms could vary depending on
that setting.  I've definitely heard it mentioned before.

Oh, and this is likely to get really ugly with IPv6.  With the host

Re: [Lxc-users] lxcbr0 MAC addr issue

2013-06-05 Thread Serge Hallyn 
Quoting Michael H. Warfield (m...@wittsend.com):
 On Wed, 2013-06-05 at 11:26 -0500, Serge Hallyn wrote: 
  Quoting Michael H. Warfield (m...@wittsend.com):
   Crap...  Bumped the keyboard and this one got away from me prematurely.
   
   On Wed, 2013-06-05 at 11:23 -0400, Michael H. Warfield wrote: 
On Wed, 2013-06-05 at 15:17 +, Jäkel, Guido wrote: 
 yes and it does this.  The point is that lxcbr0 is not tied to any
 physical nic.  So the first container you start, however high the
 macaddr is, lxcbr0 takes its mac.  If the next container gets a
 lower macaddr, lxcbr0's macaddr drops.
   
 This lxcbr0 is special to Ubuntu, right? And if not to a physical
NIC, to what is this bridge connected to on the host?
   
Not to the best of my knowledge.  It should be a simple bridge.
   
What do you get for this command?
   
brctl show
   
A bridge doesn 
   
   A bridge doesn't have to be attach to a device.  A bridge is its own
   logical entity in the kernel to which you may attach devices.  You can
   not attach a bridge to something else.  You can only attach something
   else to the bridge.  There's a difference.
   
   In the case of a NATing configuration, you set up a bridge (name it
   whatever you want) and attach the containers to it.  Then you use the
   NAT modules to route between the bridge and the external interface while
   NATing the addresses.  I use lxcbr0 on my Fedora hosts.  It's just a
   bridge.
   
   I could see where Ubuntu might have some preconfigured setups for this
   purpose where I have to set them up by hand in Fedora.  That's just a
   matter of the distro specific support scripts.
  
  Right.  And we *could* attach a dummy device with mac starting with
  something lower.
 
  BUT I just did some testing, and even as I watch lxcbr0's addr go down
  when starting a new container, my ssh to the container which had the
  higher macaddr doesn't hiccough.
 
 Hmmm...  It would be interesting to see what you get from arp -a on

Uh, well - with one container started, I get

? (10.0.3.182) at 00:16:3e:1a:33:6c [ether] on lxcbr0
static.65.5.9.176.clients.your-server.de (176.9.5.65) at 00:26:88:76:1c:05 
[ether] on eth0

Note that lxcbr0 and the container's veth are HWaddr fe:ab:34:b2:2f:cc.
So I guess the reason it doesn't matter is that lxcbr0 is not an
endpoint for anything.  The endpoint is always the other veth endpoint.

 the host and the container before and after that.  It would also be
 interesting to see what happens if you ssh to a container with the
 higher address first and then bring up a container with a lower mac
 address and see if it impacts the existing connection.

(I did both.)

-serge

--
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users