How to create LXC system containers to isolate services

This week’s TechMail was How to create LXC system containers to isolate services, which goes into further detail on using LXC: creating a new LXC container from an OpenVZ template, and a brief rundown of how to configure it, start it, and so on.

5 Comments

  1. Pascal Dupuis

    Great article. Now I would like to go further. Let’s say that I have a computer with two Ethernet cards, branched on a DSL modem. I would like to have normal traffic running through one card, and create a DMZ zone, accessible only inside an LXC container, through the other card. How can I specify that packets originating from the container should be routed through a specific interface?

    Mar 10, 2010 @ 04:43:06
  2. vdanen

    Hi Pascal. I don’t have the ability to test this to make sure, but you should be able to bind the LXC container to a specific interface. If you look at the linked article, you can see that in the example /etc/lxc-centos.conf there is the “lxc.network.link = br0”, so really what you should be able to do is set the bridge onto the Ethernet interface you want (look at the first LXC article for how to do that with brctl and friends). I believe that should do what you need/want.

    Mar 10, 2010 @ 13:13:38
  3. Pascal Dupuis

    Hello Vincent,

    First of all, a bridge is required, to make it possible to attach the new veth device. Now I came to a strange problem:
    real: br0 spans interface eth1; eth1 connected to a router through network 172.0.0.0; router is 172.0.0.1; br0 has address 172.0.0.2
    virtual: is designed to use interface eth0, with address 172.0.0.4

    I launch the virtual machine, then, from the real machine,
    ssh user@172.0.0.4 succeeds, I can login, su to root, then set a default route via router 172.0.0.1 using eth0

    The problem is that, from a session on the real machine, ‘ping 172.0.0.1’ works; while inside the container it doesn’t. Any idea why?

    Regards

    Pascal

    Mar 15, 2010 @ 15:02:52
  4. vdanen

    Hmmm… good question. Can the container ping anything else? Without actually having access to the system to look at it, I can’t really tell what is going on there. I’d see first if the container can ping anything else. Can you ping the container from the other side?

    Mar 15, 2010 @ 15:30:06
  5. Pascal Dupuis

    Host can ping and ssh to container, container can ping and ssh to host; host can ping router through bridge, but container can’t ping anything other than host using its virtual interface???

    Mar 16, 2010 @ 13:41:32
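An added example, written for this page and not taken from the article or from any commenter: a POSIX shell script that does what vdanen describes in comment 2 (bridge the DMZ NIC and point the container at it with the lxc.network.* keys of the /etc/lxc-centos.conf style config) and adds the check a practitioner would run first for the symptom in comments 3 and 5, namely that the physical NIC and the container’s veth are both ports of the same bridge as reported by `brctl show`. The bridge, NIC and addresses (br0, eth1, 172.0.0.1/2/4) are the ones from the thread; the veth name `veth0`, the config path `/etc/lxc-dmz.conf` and the sample `brctl show` text are constructed for the example, and bridge-utils plus iproute2 are assumed on the host.

```shell
#!/bin/sh
# Added example (not from the article or the commenters): put an LXC container's
# veth on a bridge over a chosen host NIC, and verify the bridge membership.
# br0, eth1 and the 172.0.0.x addresses follow the thread; the veth name
# "veth0", the sample `brctl show` text and the config path are constructed.
# Assumes bridge-utils (brctl) and iproute2 (ip) on the host.

# Network stanza in the pre-1.0 LXC config syntax used by /etc/lxc-centos.conf.
# args: host bridge, interface name inside the container, container address/CIDR
lxc_net_stanza() {
    printf 'lxc.network.type = veth\n'
    printf 'lxc.network.flags = up\n'
    printf 'lxc.network.link = %s\n' "$1"   # host end of the veth joins this bridge
    printf 'lxc.network.name = %s\n' "$2"   # what the container calls its interface
    printf 'lxc.network.ipv4 = %s\n' "$3"
}

# Host-side commands that move the DMZ NIC behind the bridge. The NIC gives up
# its address and the bridge takes it, so host traffic to the router's segment
# also goes through the bridge. Printed, not executed, unless piped to sh.
# args: bridge, physical NIC, host address/CIDR for the bridge
bridge_setup_cmds() {
    cat <<EOF
brctl addbr $1
brctl addif $1 $2
ip addr flush dev $2
ip addr add $3 dev $1
ip link set $2 up
ip link set $1 up
EOF
}

# Read `brctl show` on stdin and print the ports of bridge $1, one per line.
# brctl lists the first port on the bridge's own row and any further ports on
# indented continuation rows that carry only the port name.
bridge_ports() {
    awk -v br="$1" '
        NR == 1              { next }                          # column header
        /^[^[:space:]]/      { cur = $1; p = (NF >= 4) ? $4 : "" }
        /^[[:space:]]/       { p = $1 }
        cur == br && p != "" { print p }
    '
}

# usage: bridge_has_port BRIDGE PORT < brctl-show-output   (exit 0 if present)
bridge_has_port() {
    bridge_ports "$1" | grep -qx "$2"
}

# Exit 0 only when both the physical NIC and the container's veth are ports of
# the bridge. A container that reaches the host but nothing beyond it is worth
# checking here first: its frames only leave the box through that NIC.
# args: bridge, NIC, veth; `brctl show` output on stdin
dmz_path_ok() {
    out=$(cat)
    printf '%s\n' "$out" | bridge_has_port "$1" "$2" &&
        printf '%s\n' "$out" | bridge_has_port "$1" "$3"
}

# Constructed sample of `brctl show`: eth1 and veth0 on br0, and an empty br1.
BRCTL_SAMPLE=$(printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\n'
               printf 'br0\t\t8000.001122334455\tno\t\teth1\n'
               printf '\t\t\t\t\t\t\tveth0\n'
               printf 'br1\t\t8000.00aabbccddee\tno\n')

# Dry run by default: print the stanza, the host commands and the membership
# check against the sample. "apply" executes the host commands (needs root)
# and appends the stanza to the config file.
main() {
    conf=/etc/lxc-dmz.conf
    echo "# network stanza for $conf:"
    lxc_net_stanza br0 eth0 172.0.0.4/24
    echo "# host commands:"
    bridge_setup_cmds br0 eth1 172.0.0.2/24
    # Inside the container the default route is still set by hand, as in
    # comment 3:  ip route add default via 172.0.0.1 dev eth0
    echo "# bridge check on the sample brctl output:"
    if printf '%s\n' "$BRCTL_SAMPLE" | dmz_path_ok br0 eth1 veth0; then
        echo "eth1 and veth0 are both ports of br0"
    fi
    if [ "${1:-}" = apply ]; then
        bridge_setup_cmds br0 eth1 172.0.0.2/24 | sh -e
        lxc_net_stanza br0 eth0 172.0.0.4/24 >> "$conf"
    fi
}

main "$@"
```

Run it without arguments for the dry run, and with `apply` as root from a console rather than from an ssh session carried by eth1, since flushing the NIC’s address drops that session. Once the container is up, `brctl show | sh -c '. ./lxc-dmz.sh; dmz_path_ok br0 eth1 veth0'` style checks (or simply reading the output by eye) confirm that the veth LXC created actually landed on br0 next to eth1. One isolation caveat for the DMZ design in comment 1: giving br0 an address (172.0.0.2 here) makes the host itself reachable from the DMZ segment; a bridge with no address still forwards between its ports, so leave it unaddressed if the host must not be a hop on that network.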
