2

I rent a dedicated server and want to use LXC instead of KVM. I want to buy IPs for every single container. For now i have two external IPs:

  • 193.X.X.30/32
  • 213.X.X.31/32

I prefer a routing solution instead of NAT.

My last try is like this:

              -------------------
              |     INTERNET    |
              -------------------
                       |
                       V
----------------------------------------------
|  -------------------      -------  [HOST]  |
|  | br0: 193.X.X.30 | <--- | em1 |          |
|  -------------------      -------          |
|           |                                |
|           V                                |
|  -------------------                       |
|  |    vethXXXX     |                       |
|  -------------------                       |
|           |                                |
|           V                                |
|  --------------------------------------    |
|  |  --------------------  [CONTAINER] |    |
|  |  | eth0: 213.X.X.31 |              |    |
|  |  --------------------              |    |
|  |                                    |    |
|  --------------------------------------    |
----------------------------------------------

Network configuration on my host:

auto br0
iface br0 inet static
  bridge_ports    em1
  bridge_fd       0
  address         193.X.X.30
  netmask         255.255.255.0
  gateway         193.X.X.1
  dns-nameservers 8.8.8.8 8.8.4.4

My container configuration:

lxc.network.type = veth
lxc.network.link = br0
lxc.network.ipv4 = 213.X.X.31/24
lxc.network.ipv4.gateway = 213.X.X.1

My container network configuration:

auto eth0
iface eth0 inet static
   address   213.X.X.31
   netmask   255.255.255.0
   gateway   213.X.X.1

   dns-nameservers 8.8.8.8
   dns-nameservers 8.8.4.4

I didn't succeeded to connect the containers directly. What should be the right configuration/topology that the containers successfully host services like Web/Mail/DNS.

Improve this question
7
  • You could, if you had two physical NICs on the host, assign one to the container. However, the way I do this is by employing netfilter (iptables). You can then in the PREROUTING chain of the nat use -j DNAT to forward distinct incoming requests on the external IP to the LXC guest. Allows me to only let relevant services through. For this, however, the container has two NICs, statically configured. One on an internal subnet, the other the external IP. No interface on the host has the (secondary) external IP assigned. We purely do it by routing. Forwarding has to be enabled for IPv4. Commented Apr 30, 2015 at 8:09
  • In LXC you can even use the hook scripts (see man lcx.container.conf) to add and remove the netfilter rules. And btw, buying individual IPv4 addresses for every single container is probably overkill - especially if the services running on them don't overlap. Putting a jailed proxy on the host or into a dedicated guest will go a long way in using IPv4 addresses economically. Commented Apr 30, 2015 at 8:12
  • What is the actual question you have? Commented Apr 30, 2015 at 8:17
  • I add static routing and ARP record. route add 213.X.X.31 vethXXXX and arp -s 213.X.X.31 00:16:3e:aa:bb:cc. Then change the gateway of container to 193.X.X.1 finally i can ping the container. But i ping the 213.X.X.31 reply comes from 193.X.X.30 Commented Apr 30, 2015 at 8:48
  • @Erathiel configuration doesn't work. Commented Apr 30, 2015 at 9:07

1 Answer 1

Reset to default
1

I don't know this is the right way or best solution but it works without NAT. The network topology is the same. We have one physical NIC (em1) and multiple IP for every container. Maybe later i can buy a subnet. But for now i'll buy 4 - 5 IPs.

              -------------------
              |     INTERNET    |
              -------------------
                       |
                       V
----------------------------------------------
|  -------------------      -------  [HOST]  |
|  | br0: 193.X.X.30 | <--- | em1 |          |
|  -------------------      -------          |
|           |                                |
|           V                                |
|  -------------------                       |
|  | vethMyContainer |                       |
|  -------------------                       |
|           |                                |
|           V                                |
|  --------------------------------------    |
|  |  --------------------  [CONTAINER] |    |
|  |  | eth0: 213.X.X.31 |              |    |
|  |  --------------------              |    |
|  |                                    |    |
|  --------------------------------------    |
----------------------------------------------

This is my network configuration on host (/etc/network/interfaces):

auto lo
iface lo inet loopback    

auto br0
iface br0 inet static
  bridge_ports    em1
  bridge_fd       0
  address         193.X.X.30
  netmask         255.255.255.0
  gateway         193.X.X.1
  dns-nameservers 8.8.8.8 8.8.4.4

Configuration file for the container (/var/lib/lxc/my-container/config):

lxc.include                      = /usr/share/lxc/config/ubuntu.common.conf
lxc.rootfs                       = /var/lib/lxc/my-container/rootfs
lxc.utsname                      = my-container
lxc.arch                         = amd64
lxc.network.type                 = veth
lxc.network.veth.pair            = vethMyContainer
lxc.network.link                 = br0
lxc.network.ipv4                 = 213.X.X.31/32
lxc.network.ipv4.gateway         = 193.X.X.1
lxc.network.script.up            = /var/lib/lxc/my-container/script-up.sh
lxc.network.flags                = up
lxc.network.hwaddr               = 00:16:3e:aa:bb:cc
lxc.cgroup.memory.limit_in_bytes = 2048M

We must name our veth device. Because we will use the name in script file. Packages cannot automatically route from br0 to veth device. So i add a routing rule and my ARP table couldn't update automatically. So i added a static ARP record.

The script file (/var/lib/lxc/my-container/script-up.sh):

#!/bin/bash

route del 213.X.X.31 br0
route add 213.X.X.31 br0

The network configuration on my container:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

So i can ping directly to my container without using NAT. I'll update answer if i find a way not to use arp and route commands.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.