mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-27 10:03:41 +01:00
a47357a6e8
Signed-off-by: Tom Eastep <teastep@shorewall.net>
157 lines
4.9 KiB
XML
157 lines
4.9 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>LXC and Shorewall</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2011</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Background</title>
|
|
|
|
<para>LXC (<ulink
|
|
url="http://lxc.sourceforge.net/">http://lxc.sourceforge.net/</ulink>) is
|
|
a set of user-space tools for managing the container capabilities that
|
|
have been in the Linux Kernel since 2.6.27.</para>
|
|
|
|
<para>This short article describes how I've implemented LXC here at
|
|
shorewall.net, with emphasis on the networking and firewall
|
|
aspects.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Overview of a Working Configuration</title>
|
|
|
|
<para>The following diagram shows the network at shorewall.net in the
|
|
spring of 2011.</para>
|
|
|
|
<graphic align="center" fileref="images/Network2011a.png" />
|
|
|
|
<para>As shown in that diagram, the LXC containers are bridged to br0.
|
|
Here are the relevant configuration entries.</para>
|
|
|
|
<para><filename>/etc/network/interfaces:</filename></para>
|
|
|
|
<programlisting>#
|
|
# LXC bridge
|
|
#
|
|
auto br0
|
|
iface br0 inet static
|
|
bridge_ports none
|
|
bridge_fd 0
|
|
address 70.90.191.121
|
|
broadcast 0.0.0.0
|
|
netmask 255.255.255.255
|
|
post-up ip route add 70.90.191.124/31 dev br0
|
|
|
|
iface br0 inet6 static
|
|
address 2001:470:b:227::41
|
|
netmask 124
|
|
</programlisting>
|
|
|
|
<para><filename>/etc/lxc/mail.conf</filename><programlisting>lxc.network.type=veth
|
|
lxc.network.link=br0
|
|
lxc.network.flags=up
|
|
|
|
lxc.network.ipv4=70.90.191.124/29
|
|
lxc.network.ipv6=2001:470:b:227::42/124
|
|
|
|
…</programlisting></para>
|
|
|
|
<para><filename>/etc/lxc/server.conf</filename><programlisting>lxc.network.type=veth
|
|
lxc.network.link=br0
|
|
lxc.network.flags=up
|
|
|
|
lxc.network.ipv4=70.90.191.125/29
|
|
lxc.network.ipv6=2001:470:b:227::43/124
|
|
|
|
…</programlisting></para>
|
|
|
|
<para>Note that I have subnetted 2001:470:b:227::/64 with a /124
|
|
(2001:470:b:227::40/124) assigned to the bridge. To make those addresses
|
|
accessible from the LOC zone, the following entries are required in
|
|
/etc/shorewall6/proxyndp:</para>
|
|
|
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
|
2001:470:b:227::41 - eth1 Yes Yes
|
|
2001:470:b:227::42 - eth1 Yes Yes
|
|
2001:470:b:227::43 - eth1 Yes Yes
|
|
</programlisting>
|
|
|
|
<para>The entries in the LXC .conf files are expected to configure eth0 in
|
|
the LXC containers; they do, <emphasis>sort of</emphasis>. In both of the
|
|
containers, no ipv6 default route was assigned. I corrected that by adding
|
|
this entry in <filename>/etc/sysctl.conf</filename> in both
|
|
containers:</para>
|
|
|
|
<programlisting>net.ipv6.conf.all.forwarding=0
|
|
</programlisting>
|
|
|
|
<para>I then added this stanza to <filename>/etc/radvd.conf</filename> on
|
|
the host:</para>
|
|
|
|
<programlisting>interface br0{
|
|
AdvSendAdvert on;
|
|
MinRtrAdvInterval 300;
|
|
MaxRtrAdvInterval 505;
|
|
AdvDefaultLifetime 9000;
|
|
|
|
route ::/0 {
|
|
AdvRouteLifetime infinity;
|
|
};
|
|
};
|
|
</programlisting>
|
|
|
|
<para>Curiosly, LXC gives container mail's eth0 this somewhat odd
|
|
configuration, and fails to add a default ipv4 route:</para>
|
|
|
|
<programlisting>14: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
|
|
link/ether 4e:56:66:11:3c:6b brd ff:ff:ff:ff:ff:ff
|
|
inet 70.90.191.124/29 <emphasis role="bold">brd 70.90.191.120</emphasis> scope global eth0
|
|
inet6 2001:470:b:227::42/124 scope global
|
|
valid_lft forever preferred_lft forever
|
|
inet6 fe80::4c56:66ff:fe11:3c6b/64 scope link
|
|
valid_lft forever preferred_lft forever
|
|
</programlisting>
|
|
|
|
<para>So in that container's<filename> /etc/rc.local</filename>, I also
|
|
have:</para>
|
|
|
|
<programlisting>ip route add default via 70.90.191.121</programlisting>
|
|
|
|
<para>With the exception of the entries in
|
|
<filename>/etc/shorewall6/proxyndp</filename>. the Shorewall and
|
|
Shorewall6 configurations are fairly conventional three-interface setups.
|
|
In both configurations, the <filename>interfaces</filename> file entry for
|
|
br0 has the <option>routeback</option> option specified.</para>
|
|
</section>
|
|
</article>
|