I'm hosting several VPS using linux-vserver. Now I want to switch to LXC. So far it looks promising, but I wonder how to setup networking. Especially which interface type to use and how to configure it.
This is my setup / what I need:
- The host has a single IP it gets using DHCP on boot.
- I'd like to assign (multiple) static IP addresses to each guest using its config file.
- The IP addresses should be world reachable (they are public IP addresses).
- The guest should not be able to assign/set up IP addresses I did not specify in its config file.
- Ideally the guest would be able to use iptables, openvpn, etc.
I also wonder how to add/remove IP addresses to/from a running guest?
Thanks in advance, Corin
I suppose the answer comes too late, but in case it helps anyway...
vserver and LXC handle networking in different ways:
Think of vserver as an IP alias over an existing interface (i.e. it does not involve a complex routing process on the machine; in other words, ip_forward is not needed).
LXC, by offering several interface types (phys, veth, vlan, macvlan), allows more sophisticated networking. In other words, it allows you to virtualize a part of the network. Have a look at this post: veth, macvlan or maybe sth else?
In vserver, network configuration is mainly done on the host side (/etc/vserver/). In LXC, layer 2 is mainly configured on the host side while layer 3 (IP, DHCP, etc.) is mainly configured on the guest side (via /etc/network/interfaces).
lxc.conf(5) describes a way to configure IP on the host side with lxc.network.ipv4=... But from my understanding this configuration is overridden by the guest configuration.
There is a "lxc.cap.drop" option that limits guest capabilities, and it may limit IP assignment, but I have not tested it.
Changing the IP of a guest from the host without logging in to the guest does not seem possible to me.
iptables rules can be defined on the host of course, but they can be set on the guest side too. There are some limitations about log messages, which may be logged on the host side. But there is a separate iptables space for host and guest (i.e. iptables rules defined on the guest won't be shown on the host and vice versa).
Regarding openvpn, I don't know. It might be tricky since openvpn may try to set up a tun/tap interface in an LXC environment.
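To make the answer concrete, here is an added example (not code from the question or the answer above) that generates the network part of a classic LXC 1.x container config using the lxc.conf(5) keys the answer mentions: a veth interface attached to a host bridge, several static addresses declared with repeated `lxc.network.ipv4` lines, and `lxc.cap.drop` to take CAP_NET_ADMIN away from the guest so it cannot re-address its own interface. The bridge name `br0`, the guest name, and the 203.0.113.0/24 addresses are constructed sample values; the second function only extracts the declared addresses from a generated fragment so the result can be checked.

```shell
#!/bin/sh
# Added example: build the network section of an LXC 1.x container config
# (lxc.conf(5) key names) so each guest gets fixed public addresses from its
# config file rather than from whatever it configures itself.
#
# Assumptions (not from the original post): the host already has a bridge
# "br0" on its uplink, and the addresses below are RFC 5737 documentation
# ranges used as constructed sample values.

# gen_lxc_net_config NAME LINK "IP/PREFIX ..." GATEWAY
# Prints the config fragment to stdout; redirect it into the guest's config.
gen_lxc_net_config() {
    name=$1; link=$2; ips=$3; gw=$4
    printf 'lxc.utsname = %s\n' "$name"
    printf 'lxc.network.type = veth\n'
    printf 'lxc.network.link = %s\n' "$link"
    printf 'lxc.network.flags = up\n'
    printf 'lxc.network.name = eth0\n'
    # Each additional lxc.network.ipv4 line adds another address to eth0.
    for ip in $ips; do
        printf 'lxc.network.ipv4 = %s\n' "$ip"
    done
    printf 'lxc.network.ipv4.gateway = %s\n' "$gw"
    # Drop CAP_NET_ADMIN so "ip addr add" inside the guest fails. The answer
    # above notes this is untested; it also means iptables and openvpn in the
    # guest will not work, since both need CAP_NET_ADMIN (see note below).
    printf 'lxc.cap.drop = net_admin\n'
}

# config_ips CONFIGTEXT
# Prints the addresses declared by lxc.network.ipv4 lines, one per line,
# so a host-side script can verify what a guest config actually grants.
config_ips() {
    printf '%s\n' "$1" | sed -n 's/^lxc\.network\.ipv4 = //p'
}

# Example usage (constructed values):
#   gen_lxc_net_config web1 br0 "203.0.113.10/24 203.0.113.11/24" 203.0.113.1 \
#       > /var/lib/lxc/web1/config.net
```

Two caveats follow from the answer itself. First, the address lines here are host-side layer 3 configuration, and a guest whose /etc/network/interfaces also configures eth0 will override them, so either leave the guest's interface file empty or keep the two in sync. Second, the `lxc.cap.drop = net_admin` line satisfies the "guest cannot assign other addresses" requirement but directly conflicts with the "guest can use iptables and openvpn" wish, because both need CAP_NET_ADMIN; pick one or move the firewall and VPN to the host side.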