On Wed, Sep 16, 2015 at 7:51 PM, Tom Eastep <[email protected]> wrote:
> I've been running containers for three years now and have never had to
> place the bridge in promiscuous mode to give the containers full
> internet access.
>
I would like that too but currently, I can't figure a way to achieve this.
> I can only tell you that it works here. I just removed the static IPv4
> configuration from one container, configured the interface in the
> container to use DHCP, configured my DHCP server to serve the bridge,
> added the 'dhcp' option to the bridge in /etc/shorewall/interfaces and
> restarted the container. It gets an IPv4 address without difficulty.
>
Are you running Debian? All my hosts are Ubuntu Server, which use AppArmor
to harden the security and prevent "root" from sneaking out of the container.
Could it be related?
I can't think of anything that different from your setup. All I know is,
for the time being, I must use promiscuous mode on the bridge to be able to
reach anything outside the bridge.
Or, could it simply be a matter of architecture? I could replicate the
setup I have on real servers with a KVM virtual machine running Ubuntu
Server 14.04. Here are the results:
KVM with eth0 bridged to 'vbridge': No need to use promisc mode,
everything works. Here, each LXC container reaches the rest of the LAN
directly (layer 2). DHCP works, etc.
KVM with eth0 strictly for internet access and 'vbridge' created using
"brctl addbr vbridge". Next, a few "ip" commands to set the MAC address of
vbridge and the IP address. All containers have their default route via the
"vbridge" IP address. With this setup, each LXC container connected to
"vbridge" can reach another LXC but that's all!
- LXC <=> LXC : OK
- LXC <=> Host : No
- Other host in same segment <=> LXC : No
Putting vbridge in promisc mode and everything described above gets an OK! I
believe that in this scenario, the containers are routed (layer 3) to the
outside world.
I've done that to keep things separate and, except for the "promisc" part, which
proves to be mildly problematic, everything works fine.
Should I switch back to the first mode and bridge eth0 directly? I find it
a bit ugly on dedicated servers where your eth0 gets the public, world
accessible IP address. The dedicated server provider could snoop into
LXC-to-LXC traffic by listening on the physical switch port at the other
end of eth0 whereas with an internal 'vbridge', he could only see
inbound/outbound traffic.
--
ObNox
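Two host-side states worth checking when reproducing the second KVM scenario are whether the bridge device itself is in promiscuous mode and whether the host forwards IPv4 at all, since in that setup the containers are routed rather than switched. The script below is an added example, not code from this thread or from Shorewall; it reads the kernel's sysfs/procfs files, assumes the bridge is named 'vbridge' as in the message, and assumes that /sys/class/net/<iface>/flags reports the promiscuous bit as set by `ip link set ... promisc on`. The sample flag values are constructed, not captured from the poster's hosts.

```python
#!/usr/bin/env python3
"""Report two host-side states relevant to a routed internal bridge:
whether the bridge device is in promiscuous mode and whether the host
forwards IPv4. Reads the sysfs/procfs files the kernel exposes; the
parsing functions also accept constructed file contents for offline use.
Added example, not code from the mailing-list thread."""
import os

# Interface flag bits from <linux/if.h>
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000


def parse_flags(text):
    """/sys/class/net/<iface>/flags holds one hex number, e.g. '0x1143'."""
    return int(text.strip(), 16)


def parse_ip_forward(text):
    """/proc/sys/net/ipv4/ip_forward holds '0' or '1'."""
    return text.strip() == "1"


def assess(flags_text, ip_forward_text, bridge="vbridge"):
    """Combine both inputs into a small list of findings an admin can act on."""
    flags = parse_flags(flags_text)
    promisc = bool(flags & IFF_PROMISC)
    up = bool(flags & IFF_UP)
    forwarding = parse_ip_forward(ip_forward_text)
    findings = []
    if not up:
        findings.append("%s is administratively down" % bridge)
    if promisc:
        # A host interface in promiscuous mode is worth flagging in an audit.
        findings.append("%s is in promiscuous mode (audit-worthy on a host interface)" % bridge)
    if not forwarding:
        # Without forwarding the kernel will not route packets between interfaces.
        findings.append("net.ipv4.ip_forward=0: the host will not route between %s and eth0" % bridge)
    return {"up": up, "promisc": promisc, "ip_forward": forwarding, "findings": findings}


def assess_live(bridge="vbridge"):
    """Read the real kernel files; returns None when the bridge does not exist."""
    flags_path = "/sys/class/net/%s/flags" % bridge   # assumed sysfs layout
    if not os.path.exists(flags_path):
        return None
    with open(flags_path) as f:
        flags_text = f.read()
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        fwd_text = f.read()
    return assess(flags_text, fwd_text, bridge)


# Constructed sample inputs (not captured from any real host):
SAMPLE_PROMISC = "0x1143\n"      # UP|BROADCAST|RUNNING|PROMISC|MULTICAST
SAMPLE_NO_PROMISC = "0x1043\n"   # the same flags without PROMISC

if __name__ == "__main__":
    live = assess_live()
    result = live if live is not None else assess(SAMPLE_PROMISC, "1\n")
    for key in ("up", "promisc", "ip_forward"):
        print("%-10s %s" % (key, result[key]))
    for finding in result["findings"]:
        print("- " + finding)
```

Run it on the host as any user; when no interface called vbridge exists it falls back to the constructed sample so the output format can still be inspected.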
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users