On 09/15/2015 03:42 PM, Ob Noxious wrote:
> On Tue, Sep 15, 2015 at 6:00 PM, Tom Eastep <[email protected]> wrote:
>
> > > Maybe I'm missing something but how can I expect the LXC containers to
> > > reach any OTHER host other than the one the containers are running on?
> > >
> > > Without the promiscuous mode, containers can only see each other and the
> > > host but nothing else, therefore it's required or is there any other
> > > option here?
> >
> > I simply configure each container with a default route via the IP
> > address of the bridge.
>
> But this is already the case, that's why I'm confused here :-) According
> to the "shorewall dump" I submitted lately, here's a typical example:
>
> On the HOST, "vbridge" interface is configured as "10.88.5.254/24"
> and no gateway of course, it uses the gateway
> configured with "eth0" which is the internet access. "vbridge" also gets
> an aliased IP address to be used by the local DNS server (simple rule:
> 1 service per IP to isolate things and get consistent configurations)
>
> A typical LXC has this stanza in /etc/network/interfaces
> auto eth0
> iface eth0 inet static
>     address 10.88.5.10
>     netmask 255.255.255.0
>     network 10.88.5.0
>     broadcast 10.88.5.255
>     gateway 10.88.5.254
>
> So everything is in place with a small detail remaining: If "vbridge"
> isn't set to promiscuous mode, there's no way a packet gets out of the
> container.

I've been running containers for three years now and have never had to
place the bridge in promiscuous mode to give the containers full
internet access.

> Besides, when on a LAN environment, if a container's network isn't
> configured, issuing a "dhclient eth0" never gets a reply from the DHCP
> server because no packet ever reaches it.

I can only tell you that it works here. I just removed the static IPv4
configuration from one container, configured the interface in the
container to use DHCP, configured my DHCP server to serve the bridge,
added the 'dhcp' option to the bridge in /etc/shorewall/interfaces and
restarted the container. It gets an IPv4 address without difficulty.

> So, am I really that wrong? Do I fail to see something which seems
> obvious to you?

:-)

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
