LXC L3 network isolation, yes/no ?, how ?
Eric W. Biederman
ebiederm at xmission.com
Tue Nov 1 12:20:01 UTC 2011
Toerless Eckert <Toerless.Eckert at Informatik.Uni-Erlangen.de> writes:
> Thanks, Eric
>
> How do I configure, e.g., an LXC container to use a specific network namespace XXXX ?
>
> Also: if an app within some LXC container does a socket() and then a
> bind(..INADDR_ANY...) how does the kernel know which subset of IP interfaces
> it should bind to ? does the process context have a network name space
> ?
The network namespace.
> And how do i create per namespace routing tables ?
Just like normal. From inside the network namespace you set up your
routing tables.
> Example or pointer to docs would be great. or just walk me through the rough
> outline of my use case...:
>
> - create container e0procs, configure just the physical eth0 interface into it ??
> - without assigning an IP address ?
> - run a dhcp daemon from within container e0procs and that
> will correctly get ip address/mask and default route configured in a
> routing table solely used by container e0procs ?
> - container e0procs DHCPd will also populate containerized /etc/resolv.conf with
> eth0 domain prefix/DNS-servers...
>
> - same approach for container c1procs, configure phys eth1 interface into it,
> start the DHCP daemon inside it, get routing table and DNS
> for container c1procs from it.
>
> Is that it? If not, then how. If yes, then what type of routing table would
> I actually see outside of the containers? And back to the original question,
> would socket(), bind(INADDR_ANY) from inside the containers work correctly?
Yes. bind(INADDR_ANY) works correctly inside a network namespace.
A network namespace is from an application perspective like having a
separate copy of the networking stack.
Eric
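The rough outline asked for above, written out as an added example that is not part of the thread and not LXC's own code: it drives the kernel's network namespaces directly with iproute2's `ip netns`, which is the same mechanism LXC uses when a container config says `lxc.network.type = phys` with `lxc.network.link = eth0`. The namespace name `e0procs`, the interface `eth0`, and the use of `dhclient` as the DHCP client are assumptions; the setup and show steps need root and a real NIC, while the two inspection helpers at the top run unprivileged on any Linux box.

```shell
#!/bin/sh
# Added example (not from the thread): one physical NIC handed to its own
# network namespace, configured by a DHCP client running inside it.
# Assumptions: namespace "e0procs", NIC "eth0", dhclient as DHCP client,
# iproute2 with "ip netns", root for setup/show/teardown.
set -eu

NS=e0procs        # assumed namespace name (the "container")
PHYS=eth0         # assumed physical interface to hand over

# Every process sits in exactly one network namespace; that is the context
# the kernel uses for socket(), bind(INADDR_ANY) and route lookups.
netns_inode() {           # $1 = pid or "self"; prints e.g. net:[4026531992]
    readlink "/proc/$1/ns/net"
}
in_same_netns() {         # $1, $2 = pids
    [ "$(netns_inode "$1")" = "$(netns_inode "$2")" ]
}

# Create the namespace and move the *unconfigured* NIC into it.  From this
# point the host no longer sees eth0, nor any route through it.
setup_e0procs() {
    ip netns add "$NS"
    # Per-namespace DNS: "ip netns exec $NS ..." bind-mounts
    # /etc/netns/$NS/resolv.conf over /etc/resolv.conf for the command it runs.
    mkdir -p "/etc/netns/$NS"
    : > "/etc/netns/$NS/resolv.conf"
    ip link set "$PHYS" netns "$NS"
    # Everything below runs inside $NS: its own lo, its own routing tables.
    ip netns exec "$NS" ip link set lo up
    ip netns exec "$NS" ip link set "$PHYS" up
    # The DHCP client obtains address, mask and default route; they land in
    # the namespace's own main table and nowhere else.
    ip netns exec "$NS" dhclient "$PHYS"
}

show_e0procs() {
    echo "--- host view: $PHYS is gone and the host tables are untouched"
    ip link show "$PHYS" 2>&1 || true
    ip route show
    echo "--- $NS view: address, routes and DNS as obtained by dhclient"
    ip netns exec "$NS" ip addr show "$PHYS"
    ip netns exec "$NS" ip route show
    ip netns exec "$NS" cat /etc/resolv.conf
    # Socket tables are per namespace too: a daemon started under
    # "ip netns exec $NS" that does bind(INADDR_ANY) listens only on the
    # addresses that exist in $NS, and the host's ss does not list it.
    echo "--- listening sockets inside $NS"
    ip netns exec "$NS" ss -ltn
}

# Deleting the namespace returns a physical NIC to the initial namespace
# (veth pairs would be destroyed instead); stop dhclient first.
teardown_e0procs() {
    ip netns pids "$NS" | xargs -r kill || true
    ip netns del "$NS"
}

case "${1:-}" in
    setup)    setup_e0procs ;;
    show)     show_e0procs ;;
    teardown) teardown_e0procs ;;
    *)        ;;   # no argument: only define the functions (file can be sourced)
esac
```

Run as `sh e0procs.sh setup`, then `show`, then `teardown`; repeat with a second name and `eth1` for the c1procs case, and each namespace ends up with its own routing table, its own resolv.conf and its own socket table, which is exactly why bind(INADDR_ANY) inside one of them cannot reach addresses of the other.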