Bridged setup for your container(s) network
There are typically two ways to create a bridged network setup:
- host-shared bridge: create a bridge out of your main network interface which will hold both the host's IP and the container's IP addresses.
- independent bridge: create a different bridge out of thin air and link your containers together on this bridge, but use forwarding to get it out on the internet or to get traffic into it.
The first type would have direct internet access or network access using a host-supplied or host-network (same subnet) IP address.
This means that the first type can acquire a DHCP lease from the host network. The second type sits on its own internal network and is masqueraded: it is behind a NAT firewall and only gets ports forwarded to it.
lxc-net uses the second type: an lxc-net configuration is a masqueraded configuration.
Both types of configuration normally use the veth network setup for the container.
The independent bridge (masqueraded bridge)
This second type is what is typically considered to be the Masqueraded Bridge. You have an internal subnet that you use on the bridge (and on all the containers).
The easiest way with LXC 2.0 (as included in Stretch) is to use the lxc-net component. It is shipped as part of the lxc Debian package starting from Stretch (Debian 9).
Below is an example configuration for lxc-net.
Using lxc-net
The default setup for lxc-net is as follows:
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DOMAIN=""
This information is put in the file /etc/default/lxc-net.
This is also the default configuration of lxc-net as shipped with Debian Stretch, without the patch from the main page applied to it.
After creating this file with the required configuration, enable and start the service (this is also covered in the introduction on the Main Page):
systemctl enable lxc-net
systemctl start lxc-net
The service will run at boot and create your bridge for you. It will also add the masquerading and forwarding firewall rules for you using iptables calls.
More info on a bridge
Much of this is covered in the Masqueraded Bridge page.
For Debian Jessie and below (which is what most users will have at this point) you must consult that document if you are not going to use lxc-net from Stretch (via backports).
Host device as bridge
The first type of bridge that was mentioned was the “host-shared bridge”.
The host-shared bridge requires the host's network device to be superseded by a bridge that will include this network device as one of its ports.
auto lxcbr0
iface lxcbr0 inet dhcp
    bridge_ports eth0
    bridge_fd 0
    bridge_maxwait 0
would be a typical minimal bridge setup (using DHCP) that supersedes the IP address on the main interface (eth0), provided that you have the new "Predictable Network Interface Names" feature disabled (otherwise the device is not called eth0). Don't forget to regenerate your initramfs afterwards (update-initramfs -u).
This type of bridge setup has the following features:
- it is persisted in the host's /etc/network/interfaces
- the container resides on the same ethernet segment and talks to the same dhcp server as the host.
- the container shares the same network link on the physical interface of the host (eth0).
This requires the bridge-utils package (as does lxc-net).
Edit the host's /etc/network/interfaces in this form:
# Comment out the following:
# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_fd 0
    bridge_maxwait 0

# uncomment the below and comment the above for static ip setup on the host
#auto br0
#iface br0 inet static
#    bridge_ports eth0
#    bridge_fd 0
#    address <host IP here, e.g. 192.168.1.20>
#    netmask 255.255.255.0
#    network <network IP here, e.g. 192.168.1.0>
#    broadcast <broadcast IP here, e.g. 192.168.1.255>
#    gateway <gateway IP address here, e.g. 192.168.1.1>
#    # dns-* options are implemented by the resolvconf package, if installed
#    dns-nameservers <name server IP address here, e.g. 192.168.1.1>
#    dns-search your.search.domain.here
Restart networking:
/etc/init.d/networking restart
The network section in the container's config (stored on the host in /var/lib/lxc/containername/config) may look like this:
## Network
lxc.utsname = containershostname
lxc.network.type = veth
lxc.network.flags = up
# that's the interface defined above in host's interfaces file
lxc.network.link = br0
# name of network device inside the container,
# defaults to eth0, you could choose a name freely
# lxc.network.name = lxcnet0
lxc.network.hwaddr = 00:FF:AA:00:00:01
# the ip may be set to 0.0.0.0/24 or skip this line
# if you like to use a dhcp client inside the container
lxc.network.ipv4 = 192.168.1.110/24
# define a gateway to have access to the internet
lxc.network.ipv4.gateway = 192.168.1.1
Completing the example above, the container's /etc/network/interfaces may be edited to look like this:
auto eth0
iface eth0 inet dhcp
#iface eth0 inet static
#    address <container IP here, e.g. 192.168.1.110>
#    all other settings like those for the host
Additional bridge device instead of changing a host device to br0
Features:
- set up manually with brctl
- the container's veth virtual ethernet interface accesses the network via the bridge device created on the host. By default, the container is not visible from outside the host.
#!/bin/sh
# script to setup a natted network for lxc guests
CMD_BRCTL=/usr/sbin/brctl
CMD_IFCONFIG=/sbin/ifconfig
CMD_IPTABLES=/sbin/iptables
CMD_ROUTE=/sbin/route
NETWORK_BRIDGE_DEVICE_NAT=lxc-bridge-nat
HOST_NETDEVICE=wlan0
PRIVATE_GW_NAT=192.168.100.1
PRIVATE_NETMASK=255.255.255.0

# create the bridge and disable the forwarding delay
${CMD_BRCTL} addbr ${NETWORK_BRIDGE_DEVICE_NAT}
${CMD_BRCTL} setfd ${NETWORK_BRIDGE_DEVICE_NAT} 0
# give the bridge the gateway address the containers will use
${CMD_IFCONFIG} ${NETWORK_BRIDGE_DEVICE_NAT} ${PRIVATE_GW_NAT} netmask ${PRIVATE_NETMASK} promisc up
# masquerade container traffic leaving through the host's network device
${CMD_IPTABLES} -t nat -A POSTROUTING -o ${HOST_NETDEVICE} -j MASQUERADE
# enable IPv4 forwarding on the host
echo 1 > /proc/sys/net/ipv4/ip_forward
Alternative
Features:
- persisted in /etc/sysctl.conf
- persisted in /etc/network/interfaces
Uncomment the following in /etc/sysctl.conf:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Insert the following in /etc/network/interfaces:
auto lxc-bridge-nat
iface lxc-bridge-nat inet static
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0
    address 192.168.100.1
    netmask 255.255.255.0
    up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
- Give this command to enable forwarding immediately (the sysctl.conf entry only takes effect on the next boot or after sysctl -p):
echo 1 > /proc/sys/net/ipv4/ip_forward
The container's /etc/network/interfaces is the same as the one proposed in "Host device as bridge"; if you don't run a DHCP server on lxc-bridge-nat, the container has to use the static IP configuration.
The container's config file now uses lxc-bridge-nat as link, with another IP address and gateway:
lxc.network.link = lxc-bridge-nat
lxc.network.ipv4 = 192.168.100.10/24
lxc.network.ipv4.gateway = 192.168.100.1
- The host can easily connect from its original network 192.168.1.0 to the NATed one 192.168.100.0.
- If you want to reach a container's port (e.g. an Apache server running inside a container) from outside the host, you have to forward that port from the host to the container's IP address.
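The following script is an added example, not from this wiki page: it builds the "Alternative" NAT bridge with iproute2 instead of brctl/ifconfig, masquerades only the container subnet, restricts forwarding to bridge-to-uplink traffic and established replies, and adds the port forward the last item above calls for. Bridge name, uplink and addresses are the page's; the function names and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: the "Alternative" NAT bridge
# built with iproute2 instead of brctl/ifconfig, plus the port forward that
# the text above says is needed to reach a service inside the container.
# Bridge, uplink and addresses come from the page; the function names and
# the DRY_RUN switch are this example's own.
set -eu

run() {
    # DRY_RUN=1 prints each command instead of running it, so the rule set
    # can be reviewed (and tested) without root privileges.
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# lxc_nat_bridge BRIDGE UPLINK GATEWAY_IP SUBNET_CIDR
lxc_nat_bridge() {
    br=$1; uplink=$2; gw=$3; subnet=$4
    prefix=${subnet#*/}
    run ip link add name "$br" type bridge forward_delay 0
    run ip addr add "$gw/$prefix" dev "$br"
    run ip link set dev "$br" up
    run sysctl -w net.ipv4.ip_forward=1
    # Masquerade only the container subnet, not everything leaving the uplink.
    run iptables -t nat -A POSTROUTING -s "$subnet" -o "$uplink" -j MASQUERADE
    # Forward bridge->uplink, and uplink->bridge only for established flows;
    # assumes the host's FORWARD chain policy is DROP so nothing else passes.
    run iptables -A FORWARD -i "$br" -o "$uplink" -s "$subnet" -j ACCEPT
    run iptables -A FORWARD -i "$uplink" -o "$br" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# lxc_publish_port UPLINK HOST_PORT CONTAINER_IP CONTAINER_PORT
# Exposes exactly one TCP port of one container; everything else in the
# container stays unreachable from outside the host.
lxc_publish_port() {
    uplink=$1; hport=$2; cip=$3; cport=$4
    run iptables -t nat -A PREROUTING -i "$uplink" -p tcp --dport "$hport" -j DNAT --to-destination "$cip:$cport"
    run iptables -A FORWARD -i "$uplink" -p tcp -d "$cip" --dport "$cport" -m conntrack --ctstate NEW -j ACCEPT
}

# "apply" runs the page's setup: bridge lxc-bridge-nat behind wlan0 and an
# Apache container at 192.168.100.10 reachable on the host's port 8080.
if [ "${1:-}" = "apply" ]; then
    lxc_nat_bridge lxc-bridge-nat wlan0 192.168.100.1 192.168.100.0/24
    lxc_publish_port wlan0 8080 192.168.100.10 80
fi
```

Run it with DRY_RUN=1 first to review the generated ip and iptables commands before applying them as root.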