Linux – docker/lxc bridged networking

linuxlxc

I have this server (the host) which has 1000 external ip addresses. I created a docker container running squid3 and I need to use those ip addresses. I can enable forwarding from the host but that just forwards the request to the local docker ip which screws up my squid ACLs since squid sees the internal ip instead of the external one.

My question is as follows, how do I play with docker or lxc (docker has lxc directives via -lxc-conf=) so that I can see my host's external ip addresses in my container (running ifconfig for example). Right now docker starts with it's own isolated network so it's unusable to me.

The host external ip addresses are assigned to interface p1p1.

I tried running it with -lxc-conf="lxc.network.type = phys" -lxc-conf="lxc.network.link = p1p1" but that completely messes my hosts interface and even kicks me out of ssh.

Any idea what I'm doing wrong?

Best Answer

the pipework can help you.

Connect a container to a local physical interface

Let's pretend that you want to run two Hipache instances, listening on real interfaces eth2 and eth3, using specific (public) IP addresses. Easy!

pipework eth2 $(docker run -d hipache /usr/sbin/hipache) 50.19.169.157
pipework eth3 $(docker run -d hipache /usr/sbin/hipache) 107.22.140.5

Note that this will use macvlan subinterfaces, so you can actually put multiple containers on the same physical interface.

I think this is what you need.

Related Solutions

Debian – veth, macvlan or maybe sth else

Well this interesting, I'm playing with a vserver and I do not really understand how it works with eth and dummy.

Whatever, in your case, I think you need to enable ip forwarding.

sysctl -w net.ipv4.conf.all.forwarding=1

Check /etc/sysctl.conf to make it permanent

Naming interface that come into the bridge is a good idea if you want to know who is who. In the lxc config file:

lxc.network.veth.pair=eth0-guest1

network in lxc allow more sophisticated networking. For example, you could simulate a real "proxy" with 2 virtual interface, one on a bridge (say br0) connected to internet (public IPs, dmz, whatever) another (say br1) connected to the "internal services"

 .-----------.
 | host eth0 |<----.
 '-----------'     |
         .-------------------.                  .-------------------.
         | br0 (public IP)   |                  | br1 (10.1.1.1/24) |
         '-------------------'                  '-------------------'
                   ^            .--------------------.    ^
                   '------------|    guest squid     |----|
                                '--------------------'    |
                                     .---------------.    |
                                     | guest apache1 |----'
                                     '---------------'    |
                                     .---------------.    |
                                     | guest apache2 |----'
                                     '---------------'    |
                                                 .----------------.
                                                 | guest database |
                                                 '----------------'

Note: for a second virtual ethernet interface, just repeat the lxc.network... stanza

Iptables – Bridging LXC containers to host eth0 so they can have a public IP

A better way to make your change permanent is to use sysctl instead of writing to /proc directly since that is the standard way to configure kernel parameters at runtime so they are set correctly at next boot:

# cat >> /etc/sysctl.d/99-bridge-nf-dont-pass.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
EOF
# service procps start

As for the answer to the question in your update...

bridge-netfilter (or bridge-nf) is a very simple bridge for IPv4/IPv6/ARP packets (even in 802.1Q VLAN or PPPoE headers) that provides the functionality for a stateful transparent firewall, but more advanced functionality like transparent IP NAT is provided by passing those packets to arptables/iptables for further processing-- however even if the more advanced features of arptables/iptables is not need, passing packets to those programs is still turned on by default in the kernel module and must be turned off explicitly using sysctl.

What are they here for? These kernel configuration options are here to either pass (1) or don't pass (0) packets to arptables/iptables as described in the bridge-nf FAQ:

As of kernel version 2.6.1, there are three sysctl entries for bridge-nf behavioral control (they can be found under /proc/sys/net/bridge/):
bridge-nf-call-arptables - pass (1) or don't pass (0) bridged ARP traffic to arptables' FORWARD chain.
bridge-nf-call-iptables - pass (1) or don't pass (0) bridged IPv4 traffic to iptables' chains.
bridge-nf-call-ip6tables - pass (1) or don't pass (0) bridged IPv6 traffic to ip6tables' chains.
bridge-nf-filter-vlan-tagged - pass (1) or don't pass (0) bridged vlan-tagged ARP/IP traffic to arptables/iptables.

Is it safe to disable all bridge-nf-*? Yes, it is not only safe to do so, but there is a recommendation for distributions to turn it off by default to help people avoid confusion for the kind of problem you encountered:

In practice, this can lead to serious confusion where someone creates a bridge and finds that some traffic isn't being forwarded across the bridge. Because it's so unexpected that IP firewall rules apply to frames on a bridge, it can take quite some time to figure out what's going on.

and to increase security:

I still think the risk with bridging is higher, especially in the presence of virtualisation. Consider the scenario where you have two VMs on the one host, each with a dedicated bridge with the intention that neither should know anything about the other's traffic.

With conntrack running as part of bridging, the traffic can now cross over which is a serious security hole.

UPDATE: May 2015

If you are running a kernel older than 3.18, then you may be subject to the old behavior of bridge filtering enabled by default; if you newer than 3.18, then you can still be bitten by this if you've loaded the bridge module and haven't disabled the bridge filtering. See:

https://bugzilla.redhat.com/show_bug.cgi?id=634736#c44

After all these years of asking for the default of bridge filtering to be "disabled" and the change being refused by the kernel maintainers, now the filtering has been moved into a separate module that isn't loaded (by default) when the bridge module is loaded, effectively making the default "disabled". Yay!

I think this is in the kernel as of 3.17 (It definitely is in kernel 3.18.7-200.fc21, and appears to be in git prior to the tag "v3.17-rc4")

Best Answer

Related Solutions

Debian – veth, macvlan or maybe sth else

Iptables – Bridging LXC containers to host eth0 so they can have a public IP

Related Topic