From a47357a6e8b26c9fd24b8fdf11e7c1e5bcfc2715 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 3 Apr 2011 10:27:52 -0700 Subject: [PATCH] Re-add LXC doc Signed-off-by: Tom Eastep --- docs/LXC.xml | 156 +++++++++++++++++++++++++++++++++++ docs/images/Network2011a.dia | Bin 0 -> 5722 bytes 2 files changed, 156 insertions(+) create mode 100644 docs/LXC.xml create mode 100644 docs/images/Network2011a.dia diff --git a/docs/LXC.xml b/docs/LXC.xml new file mode 100644 index 000000000..7eaa3ec07 --- /dev/null +++ b/docs/LXC.xml @@ -0,0 +1,156 @@ + + +
+ + + + LXC and Shorewall + + + + Tom + + Eastep + + + + + + + 2011 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Background + + LXC (http://lxc.sourceforge.net/) is + a set of user-space tools for managing the container capabilities that + have been in the Linux Kernel since 2.6.27. + + This short article describes how I've implemented LXC here at + shorewall.net, with emphasis on the networking and firewall + aspects. +
+ +
+ Overview of a Working Configuration + + The following diagram shows the network at shorewall.net in the + spring of 2011. + + + + As shown in that diagram, the LXC containers are bridged to br0. + Here are the relevant configuration entries. + + /etc/network/interfaces: + + # +# LXC bridge +# +auto br0 +iface br0 inet static + bridge_ports none + bridge_fd 0 + address 70.90.191.121 + broadcast 0.0.0.0 + netmask 255.255.255.255 + post-up ip route add 70.90.191.124/31 dev br0 + +iface br0 inet6 static + address 2001:470:b:227::41 + netmask 124 + + + /etc/lxc/mail.conflxc.network.type=veth +lxc.network.link=br0 +lxc.network.flags=up + +lxc.network.ipv4=70.90.191.124/29 +lxc.network.ipv6=2001:470:b:227::42/124 + +… + + /etc/lxc/server.conflxc.network.type=veth +lxc.network.link=br0 +lxc.network.flags=up + +lxc.network.ipv4=70.90.191.125/29 +lxc.network.ipv6=2001:470:b:227::43/124 + +… + + Note that I have subnetted 2001:470:b:227::/64 with a /124 + (2001:470:b:227::40/124) assigned to the bridge. To make those addresses + accessible from the LOC zone, the following entries are required in + /etc/shorewall6/proxyndp: + + #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT +2001:470:b:227::41 - eth1 Yes Yes +2001:470:b:227::42 - eth1 Yes Yes +2001:470:b:227::43 - eth1 Yes Yes + + + The entries in the LXC .conf files are expected to configure eth0 in + the LXC containers; they do, sort of. In both of the + containers, no ipv6 default route was assigned. 
I corrected that by adding + this entry in /etc/sysctl.conf in both + containers: + + net.ipv6.conf.all.forwarding=0 + + + I then added this stanza to /etc/radvd.conf on + the host: + + interface br0{ + AdvSendAdvert on; + MinRtrAdvInterval 300; + MaxRtrAdvInterval 505; + AdvDefaultLifetime 9000; + + route ::/0 { + AdvRouteLifetime infinity; + }; +}; + + + Curiosly, LXC gives container mail's eth0 this somewhat odd + configuration, and fails to add a default ipv4 route: + + 14: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 + link/ether 4e:56:66:11:3c:6b brd ff:ff:ff:ff:ff:ff + inet 70.90.191.124/29 brd 70.90.191.120 scope global eth0 + inet6 2001:470:b:227::42/124 scope global + valid_lft forever preferred_lft forever + inet6 fe80::4c56:66ff:fe11:3c6b/64 scope link + valid_lft forever preferred_lft forever + + + So in that container's /etc/rc.local, I also + have: + + ip route add default via 70.90.191.121 + + With the exception of the entries in + /etc/shorewall6/proxyndp. the Shorewall and + Shorewall6 configurations are fairly conventional three-interface setups. + In both configurations, the interfaces file entry for + br0 has the option specified. +
+
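Review bot: the "no ipv6 default route" fix in this hunk needs one sentence explaining why a sysctl cures a routing problem: Linux ignores router advertisements on an interface that has IPv6 forwarding enabled (accept_ra=1 is only honoured when forwarding is off), so setting net.ipv6.conf.all.forwarding=0 in the containers is what lets them take the default route from the radvd stanza that follows; as written, the reader sees no connection between a forwarding knob and the missing route. Two text fixes in the same hunk: "Curiosly" should be "Curiously", and "/etc/shorewall6/proxyndp. the Shorewall" has a period where a comma belongs. Also worth a sentence of explanation: the container configs assign 70.90.191.124/29 and 70.90.191.125/29, while the host side gives br0 a /32 and only routes 70.90.191.124/31 over it, so the container and host views of the IPv4 subnet disagree; either align the prefix lengths or say why they differ, since the mismatch is what makes the "somewhat odd configuration" shown later look surprising.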
diff --git a/docs/images/Network2011a.dia b/docs/images/Network2011a.dia new file mode 100644 index 0000000000000000000000000000000000000000..47cf54ee05059001fc864e53346914e0cf8b2d6a GIT binary patch literal 5722 zcmV-g7NzMQiwFP!000021MOX1bK5wUeb=v0xgWNtN``Uq4QrCAPI|j%w~|cPrhBrr zFD}|N;PL|HI;oP^;ReU~;qfgbRrtW2J zom1b&)78`7+)ieRJ0!ioT|1=WJox`7#}r4++(F~3mp{CT(=?v`kY85u<>UFvF18XV zy@{q*$#@;hwa+MT3`Qik_)=gbr%dxjyX+5leptBCVd18Sg-d2>rafoou=OkI`th%MIjTKlHeLd+*gWx!l}&myW17 z%UyDrUY~vO)Li-5?>(LUb23ZLM{(KJC*!oW)8Dsq`qihCG5F)p8(Kqtw#p&m(!?^B z`wtOU^W-v~Z85XuV=B&cT^x3@t<_hL+qGfxuT}=^3}O`B$J65UuO5f$e(`_{#_2~F zY4UmT=}DVR&i^;QNQ;|&pGM=$XnNT{?!TIRIePR%oEMT@zBu{^U2d$^+jA##Jh;|c zx045xGQ#O!)X5IK z*~P^5#y8PzI=Ow)A))AytZ9b?N+@%7D+#xTd+d@K5QPj#0}S0bW)))tLlmX5CiCCK zX>_#3UA#;#QlCA)jTYQ#XeO3hr6d)~NTZnrkA0sL_pG!4W2|*(w(bLR5oNsX#wY>0 z{DKBxNHFs)egMAeL3~U`qa7fY=d7M1vt?~HOYcYVDnLA*-xLpKE#@eVKKE+BQF42B zJ((tdPR408+IVv-(*b+KII>KW3x6Q9`8m#+#7DIosg)ssHyr|)B2)nzFhK+Z=5Y+j zkaC=%i!`X?%>mOyG2UVRZ>9Od01yU%FaU%Bpw0jwT8IIRW3B;c=fZj&05YT;XXwI9 zt#AOKL|WeM0HAsEg#jQ80AT9^RyZ)PG{HbIRkc|fcN5{Cl zU>wP4;d2al01_648T(s1086;Cs_r!1czhO*FSFaJbCV@r{o=aZp^Vog^)0m5l;r$# zTx$sUgq#^Tlbx-daq%zx>u7w5tBUlfpH4EzrvLb_FOJOG^D6l*6u)J#{A0VmF1m6> zdoGZ;ei)amkf;`-amzuVHz7Fp8jW+JoD-4xEt>KnB3r@G%sfv_G88IhP}h(xKeL!pS2 zDqAX7hWR$+%KI!?Bvfw9Q;=O4W6(82*0hl!o9bUTu;fK}{M*#Efs51DT_e-jHDW}| zfny=B>thZ?7=tj(8Z!h%T>NDROcGA(MwQPZJZ{)}yG6!KNiH7$D36gb3xRM5ghL>F z_(1rH)AD=#B`u+P+t~Z2L~CURZh-cwPkMx*QVt(K8OmzHrr01`n11D$s%M$)G*~)r zWn)6cmV^yD-YVO4mR|;h-}gU8H_7PUT~9Qg9rd&RnYkkQPyZf|KF4U&Pdn!RSFpzQ zrKD_DNLe%kT{gkp&9DyEY81cIFi;058YNfbo4EXeRuJhX<#(BQdA~04IlH84PUi=q zB%m#5CS8y&iP4@VlNkzAkZC3*u4!Y$t?I^Zhoq$U@zk|^Pg7zk3NZ;V*<;RqIu)9p zo}V(NPfrCu0VaAszWMLh{nt3?x`BWCm#@fXW}VKCUrk1r-z2A%nsK1CE>c=!88|b9 zxtP!p?bFEuq7+8d#zj?f$OSPx->Jc57u>A3(Z#FD7@5|K1!2YcV};s@%&5Q zJ)!=q_doal`F7Ty&c|bSe9r|)@wETXWSY*S(W}XqULdvuIcp`x{4MYre0RLoSWV9~ z;rU(@;&Ta=2_l77=$;vaN=o1obu^53f!A;adv-tTfB3K8Ii>GakCk!97t{shtMW>LO`1)_-f~mkYwV*YJ`PW?W2$b6lY15Ezl*d^1hzuFoBk 
zu|A;uCf8r~e*BP(FDG|1=V{H-2%WQ!@eChHH2O>LkMsFBo%jDUa(~_Tl5szBE?O_J z+F@9&%#Z`8b&=CV3rn`ra4~Q(pcd5nl{5oLi%1}(9fBlO((JRTEo(j~xg{Utf14Hb z7GlQ3#Eg~p8Tjhi@zp|M^8O|ojr!N~^D@Sg?dbj(&X6kYdl#PNInIy+QATBZ7nEk* z-i6n^`F4?-2%;s|U@0|B385GdQj;Jx2~v}9R%%kAkA>z+Z%a7E?Qo0;<~1FTLt@e( z5Z7D|5m=gxD>b9O_gqxoX4RoNhu6KXuF7LKsl;25$5!qhg~mc}6baza%Q&%q^9N)| zInI!wG3WUMpwsyST4}zpeKfc-!IcTFOugy0<~t-TW~b!12<~-{1nw218Ru&%aR@*q z2cn8jC^~+f$Fnrdv>kS)t<*HbG~2VAX4`3-J2Y4L1F;%sUa1R5to5ru0}gh9gmguf zhTPGk(s$TZb)Th&GA32C3k!SQ8wHOWw)yT5JL<}v^6l&qu5cU}Z6WIfAGp!ntM;G( z0W&P#S*F7_o3PEM)cS%V{n;+SeMqM9D4xywF0L)#>dl~q4S-7Gau`tQvx>Dh9&Z6I}!d%;`)7_ z@~Dip8Y`29B3vsr5X5R=KBvJmB$)vXg>hU(#Q-y|GtuFUr>!*KE-@HG-IKKfGu2Zt zAdJ^(a4VK714D?xLJSsSuxA;AwUfOalbVATb<1+>9D;E+(1c2+v)t{1GtA}AI8b(o z-0dZISvkL@s~ya7#hd4a=lQ&?B+PSSc&-Nm!!kJ(f+$>9kVL5GPiH^B z{h#lWm|)f41n<05YKvhBp^L->Ez}cNXbj-U!Xq(RqA{O4aH5T)Cg)@+nWGx$Ko;bG zybj!S5N;|r$G}ZpuW(jgFJ?@njsd8Hd`TSZ=O?yt+tUjWzL(Oa#`i5nhwUWgyPhu`*!+s6t)B zuwlBw0K@E47rCevk+vLILOs`w$Y2Z+!i9JXOt68B0vVNCV4$Ne(ou7vy>SlmKojGc zjtUr-(NXci2099KRAGUEj=D%kttjZTJSf(4)#e2bx41f&e=-C_V5GoE6-F2+sf(1P z+bB0M02DlH&$R})bIL99(E?HjItp}DVSs^+y2wV2HTk)p;&pF-hQP7%yTpC-RE9b1 zKtm;#7Z|9E4Afi_?);K$_Qq#;R$w3t7`Uj5T+~>p zEey%G&U)pd90Yf~%Hac|3XV}=qY4uYY}7?I;w>!b1D3F6o>%iB=bvmXKLZrOGYVW( zVSs^)y2wSMg_Zo=Y2lt1@)^o&wagasb3_@~D6mnL2?jdqA|16My$0N&;azzRsID!9 z*N7;C?mAFWx%mYu>LL|2mR&PNC{8VF&l<-91~QRj@xca>V_>5S3k-DBMLKFMxfYHU zWHyQ8*EcF~Aoq?QP=kLI7^%_-10{8llA7m2mn5qqrabRUD`050Ev@)qf`=6NsKNpR z9d(h8YzsMT^?-WcC7Ywk~oP*De|NH$NWEef#*^T|Y_ST|8LOQxM8 z@}M^gbW~x2fsLLW8@-FuyUFyEBcl&Ly~7f0pUMcSc^Yj=m^BvbvT~o9Y6}?Wl3Q-g zkU4TvN;iPrx%^uB9hOY07ME09V!f-{QlqJ9MJE3RnOZ}rRYA_Ilz`i-ejF_S*dC~U zw`?pz=8PE3zw0cOdrou6Kw^q=l-qDDuc0NPc0+LUYjPExCu#rvU6Nj0hvd))TKO(F z&TqkE`0kQJ%fEJ=`fG4ZiELtmE2Xt}Dz5E|HQH*+-M9nS;-7Y7!M$^bCT!UiX+V&rHMjSx zx?Kx$tt|FV4#|E%<@L9BsKEW4d9kz>_f`k1a)NH}Hm$75y+gt5T3{uWxjjIY)aS0% zY`YCAI|Q++jbQ~O0j1dBSP+ox00Rqf0^C{zw3-SzgiPA)+&E6GXmkbTf$P@rcAo%u zCB*%YaT>ePCany0H^xW1hr2CJ#nri*($IJBLX&ln*W=&)%(otDSs=V)C|n1wDjeQ6 
zNw+!hE)R4U_`adgv}eQz^39S#2nnO{UW;gk*c( zcuA0Ei4b50$INvvOB+lgJ7c-HUB9$PB=7NvV$1P}DY^9x;w-P>%wi!TbDc}ZdqrEZ zdR~MW2N>%e593r3f&oCb``--)X#QFl{f(?fw9%lutwi81Wh;Sm1NqT)2U~-6?s3|&5nkdt$Irn$}{(F#Wd@ZR)rO}4T^=CS{o`3UX zBSWolv2hA^;KVB614TGU2|l-HbF@v&Qlgl|?b*(`R9Yjlfx30NcHg00b)V&4FJ*ui zYC+XZqOlqiRz`%a?{D51%GHkp+u7e-Wyi9OQUV&lJzpj)<9^EtfD~xQnhOvHYYK1% zXvoZ3<2%(r<&BmfN+riDH9`yBHA~j3vl{eS*>aT|+C2F)BN9{ZDzDpLK|7CAafd?z zI3OPj%EZ7Dv}*JG_rU&=Oyj#~H0u2vpC>M+dH=6@9RC^jethqOt?Xa=?pgI8KB=&s z|3Imu%j`F7=I`KUe$_a0v||;HX~KNwB4dG>&R`t%e|l=x2ROWEa@@=jmtCi^Xr7yItW%QR1#G~h)0 zjU_Y(L;-^tNSHEuAc^H&$d%-X3wjzW&JwUdfGvMwOP_dPufwp{s?7$!tBcgtI3G1L z=!0`dC4LJCIWJ2y1QM7;DMuCVyXQ||?v(K8XGOW6#e$!8I6te@M1!mK?D%S-;8{$# zln|DtEf5xE45u}{@|8oO*;FmJ%nms&MsS`Ll@VOk171<=?4Z}#=j`QLoz`2gRHw5p zaaNK#7ZreVu!2GZtTj?v0aMN;*79-IO7aGIZMWRmMy*b*B)W6|S#&o;tmifA)j07|9<6$L6PH^4wfT_hvfJeV*RLjH0YlC3;k^m|QJ|wr8w`Zh zMM7#U&KDXLI5-9ERdkWVpwxBvfGBj}qrgX1CK&jri+t2rZ!aVSDjkWnC`D*Fpu^z69kU7X%wVV&dt zho9bIl9Nv*bYz-qtX
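Review bot: this binary hunk adds only the Dia source docs/images/Network2011a.dia, while the article text in the previous hunk says "The following diagram shows the network at shorewall.net in the spring of 2011" and will need a rendered image the documentation toolchain can include; confirm that the rendered figure is already present under docs/images or add it alongside the .dia, otherwise the document builds with a missing graphic.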