LXC L3 network isolation, yes/no ?, how ?

Eric W. Biederman ebiederm at xmission.com
Tue Nov 1 12:20:01 UTC 2011


Toerless Eckert <Toerless.Eckert at Informatik.Uni-Erlangen.de> writes:

> Thanks, Eric
>
> How do I configure, e.g., an LXC container to use a specific network namespace XXXX?
>
> Also: if an app within some LXC container does a socket() and then a
> bind(..INADDR_ANY...), how does the kernel know which subset of IP interfaces
> it should bind to? Does the process context have a network namespace?

The network namespace.

> And how do I create per-namespace routing tables?

Just like normal.  From inside the network namespace you set up your
routing tables.

> Example or pointer to docs would be great, or just walk me through the rough
> outline of my use case...:
>
>   - create container e0procs, configure just the physical eth0 interface into it ??
>     - without assigning an IP address ?
>     - run a DHCP daemon from within container e0procs and that
>       will correctly get IP address/mask and default route configured in a
>       routing table solely used by container e0procs ?
>     - container e0procs DHCPd will also populate containerized /etc/resolv.conf with
>       eth0 domain prefix/DNS servers...
>
>   - same approach for container c1procs, configure phys eth1 interface into it,
>     start DHCP daemon inside it, get routing table and DNS
>     for container c1procs from it.
>
> Is that it? If not, then how. If yes, then what type of routing table would
> I actually see outside of the containers? And back to the original question,
> would socket(), bind(INADDR_ANY) from inside the containers work correctly?


Yes.  bind(INADDR_ANY) works correctly inside a network namespace.

A network namespace is, from an application's perspective, like having a
separate copy of the networking stack.

Eric
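As an added example (not part of Eric's reply and not LXC project code), the following C program shows what "a separate copy of the networking stack" means for the two questions above. It creates a fresh network namespace with unshare(2) in a forked child and probes it from the inside: the only interface visible there is lo, bind(INADDR_ANY) succeeds but now covers only that namespace's interfaces, and a UDP connect() fails with ENETUNREACH because the new namespace has its own, still empty, routing table. The function and struct names (probe_new_netns, netns_probe) and the 192.0.2.1 peer address (a documentation address, constructed input) are my own choices. It needs either root or working unprivileged user namespaces; where the kernel or a seccomp sandbox refuses unshare(), it reports that instead of guessing.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <ifaddrs.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct netns_probe {
    int supported;      /* 0: unshare() was refused; the other fields are unset */
    int n_ifaces;       /* distinct interfaces visible from inside the new namespace */
    int bind_ok;        /* 1 if bind(INADDR_ANY) succeeded inside the new namespace */
    int connect_errno;  /* errno from a UDP connect() inside it (empty table -> ENETUNREACH) */
};

/* Count the distinct interface names the calling process can see. That set is
 * exactly the "subset of interfaces" INADDR_ANY refers to for this process. */
static int count_visible_ifaces(void)
{
    struct ifaddrs *ifa_list, *ifa;
    char seen[32][IF_NAMESIZE];
    int n = 0;

    if (getifaddrs(&ifa_list) != 0)
        return -1;
    for (ifa = ifa_list; ifa != NULL; ifa = ifa->ifa_next) {
        int i, dup = 0;
        for (i = 0; i < n; i++)
            if (strcmp(seen[i], ifa->ifa_name) == 0) { dup = 1; break; }
        if (!dup && n < 32)
            snprintf(seen[n++], IF_NAMESIZE, "%s", ifa->ifa_name);
    }
    freeifaddrs(ifa_list);
    return n;
}

/* Runs in the child after unshare(): exercise the fresh stack and report back. */
static void probe_in_child(int fd)
{
    struct netns_probe r = { 1, 0, 0, 0 };
    struct sockaddr_in any, peer;
    int s;

    r.n_ifaces = count_visible_ifaces();

    memset(&any, 0, sizeof any);
    any.sin_family = AF_INET;
    any.sin_addr.s_addr = htonl(INADDR_ANY);   /* "all interfaces" of THIS namespace only */
    any.sin_port = 0;
    s = socket(AF_INET, SOCK_DGRAM, 0);
    r.bind_ok = (s >= 0 && bind(s, (struct sockaddr *)&any, sizeof any) == 0);

    /* A UDP connect() sends no packet; it only asks this namespace's routing
     * table for a route. 192.0.2.1 is a documentation address (constructed). */
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(53);
    inet_pton(AF_INET, "192.0.2.1", &peer.sin_addr);
    r.connect_errno = (connect(s, (struct sockaddr *)&peer, sizeof peer) == 0) ? 0 : errno;

    if (write(fd, &r, sizeof r) != (ssize_t)sizeof r)
        _exit(1);
}

/* Fork, move the child into a brand-new network namespace, and collect what
 * the child observed. The parent's own namespace is never touched. */
struct netns_probe probe_new_netns(void)
{
    struct netns_probe r = { 0, 0, 0, 0 };
    int p[2];
    pid_t pid;

    if (pipe(p) != 0)
        return r;
    pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return r; }
    if (pid == 0) {
        close(p[0]);
        /* Root may create a bare network namespace; an unprivileged process
         * needs a user namespace first. Report "unsupported" if both fail. */
        if (unshare(CLONE_NEWNET) != 0 &&
            unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {
            if (write(p[1], &r, sizeof r) != (ssize_t)sizeof r)
                _exit(1);
            _exit(0);
        }
        probe_in_child(p[1]);
        _exit(0);
    }
    close(p[1]);
    if (read(p[0], &r, sizeof r) != (ssize_t)sizeof r)
        memset(&r, 0, sizeof r);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void)
{
    struct netns_probe r = probe_new_netns();
    if (!r.supported) {
        printf("unshare(CLONE_NEWNET) is not permitted in this environment\n");
        return 1;
    }
    printf("interfaces visible in the new netns: %d (only lo)\n", r.n_ifaces);
    printf("bind(INADDR_ANY) inside it: %s\n", r.bind_ok ? "ok" : "failed");
    printf("UDP connect() inside it: %s\n",
           r.connect_errno ? strerror(r.connect_errno) : "routed");
    return 0;
}
```

The same scoping is what makes the e0procs/c1procs plan work: once eth0 has been moved into a namespace, a DHCP client started inside it configures that namespace's copy of the interface and that namespace's routing table, and a daemon in the same namespace that binds INADDR_ANY listens on eth0 and lo but cannot see eth1 at all.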

