On Tue, Sep 15, 2015 at 6:00 PM, Tom Eastep <[email protected]> wrote:
> > Maybe I'm missing something but how can I expect the LXC containers to
> > reach any OTHER host other than the one the containers are running on?
> >
> > Without the promiscuous mode, containers can only see each other and the
> > host but nothing else, therefore it's required or is there any other
> > option here?
>
> I simply configure each container with a default route via the IP
> address of the bridge.
>

But this is already the case, that's why I'm confused here :-)

According to the "shorewall dump" I submitted lately, here's a typical example:

On the HOST, the "vbridge" interface is configured as "10.88.5.254/24" and no gateway of course, it uses the gateway configured with "eth0" which is the internet access. "vbridge" also gets an aliased IP address to be used by the local DNS server (simple rule: 1 service per IP to isolate things and get consistent configurations).

A typical LXC has this stanza in /etc/network/interfaces:

    auto eth0
    iface eth0 inet static
        address 10.88.5.10
        netmask 255.255.255.0
        network 10.88.5.0
        broadcast 10.88.5.255
        gateway 10.88.5.254

So everything is in place with a small detail remaining: if "vbridge" isn't set to promiscuous mode, there's no way a packet gets out of the container.

Besides, when on a LAN environment, if a container's network isn't configured, issuing a "dhclient eth0" never gets a reply from the DHCP server because no packet ever reaches it.

So, am I really that wrong? Do I fail to see something which seems obvious to you? :-)

--
ObNox
