<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <article> <!--$Id$--> <articleinfo> <title>LXC and Shorewall</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2011</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <section> <title>Background</title> <para>LXC (<ulink url="http://lxc.sourceforge.net/">http://lxc.sourceforge.net/</ulink>) is a set of user-space tools for managing the container capabilities that have been in the Linux Kernel since 2.6.27.</para> <para>This short article describes how I've implemented LXC here at shorewall.net, with emphasis on the networking and firewall aspects.</para> </section> <section> <title>Overview of a Working Configuration</title> <para>The following diagram shows the network at shorewall.net in the spring of 2011.</para> <graphic align="center" fileref="images/Network2011a.png" /> <para>As shown in that diagram, the LXC containers are bridged to br0. Here are the relevant configuration entries.</para> <para><filename>/etc/network/interfaces:</filename></para> <programlisting># # LXC bridge # auto br0 iface br0 inet static bridge_ports none bridge_fd 0 address 70.90.191.121 broadcast 0.0.0.0 netmask 255.255.255.255 post-up ip route add 70.90.191.124/31 dev br0 iface br0 inet6 static address 2001:470:b:227::41 netmask 124 </programlisting> <para><filename>/etc/lxc/mail.conf</filename><programlisting>lxc.network.type=veth lxc.network.link=br0 lxc.network.flags=up lxc.network.ipv4=70.90.191.124/29 lxc.network.ipv6=2001:470:b:227::42/124 …</programlisting></para> <para><filename>/etc/lxc/server.conf</filename><programlisting>lxc.network.type=veth lxc.network.link=br0 lxc.network.flags=up lxc.network.ipv4=70.90.191.125/29 lxc.network.ipv6=2001:470:b:227::43/124 …</programlisting></para> <para>Note that I have subnetted 2001:470:b:227::/64 with a /124 (2001:470:b:227::40/124) assigned to the bridge. To make those addresses accessible from the LOC zone, the following entries are required in /etc/shorewall6/proxyndp:</para> <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 2001:470:b:227::41 - eth1 Yes Yes 2001:470:b:227::42 - eth1 Yes Yes 2001:470:b:227::43 - eth1 Yes Yes </programlisting> <para>The entries in the LXC .conf files are expected to configure eth0 in the LXC containers; they do, <emphasis>sort of</emphasis>. In both of the containers, no ipv6 default route was assigned. I corrected that by adding this entry in <filename>/etc/sysctl.conf</filename> in both containers:</para> <programlisting>net.ipv6.conf.all.forwarding=0 </programlisting> <para>I then added this stanza to <filename>/etc/radvd.conf</filename> on the host:</para> <programlisting>interface br0{ AdvSendAdvert on; MinRtrAdvInterval 300; MaxRtrAdvInterval 505; AdvDefaultLifetime 9000; route ::/0 { AdvRouteLifetime infinity; }; }; </programlisting> <para>Curiosly, LXC gives container mail's eth0 this somewhat odd configuration, and fails to add a default ipv4 route:</para> <programlisting>14: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 4e:56:66:11:3c:6b brd ff:ff:ff:ff:ff:ff inet 70.90.191.124/29 <emphasis role="bold">brd 70.90.191.120</emphasis> scope global eth0 inet6 2001:470:b:227::42/124 scope global valid_lft forever preferred_lft forever inet6 fe80::4c56:66ff:fe11:3c6b/64 scope link valid_lft forever preferred_lft forever </programlisting> <para>So in that container's<filename> /etc/rc.local</filename>, I also have:</para> <programlisting>ip route add default via 70.90.191.121</programlisting> <para>With the exception of the entries in <filename>/etc/shorewall6/proxyndp</filename>. the Shorewall and Shorewall6 configurations are fairly conventional three-interface setups. In both configurations, the <filename>interfaces</filename> file entry for br0 has the <option>routeback</option> option specified.</para> </section> </article>