LXD container-only networks
May 25, 2017
2 minutes read

I was playing a bit with LXD networking in versions 2.3+ (2.13 in my case), where a new network management API was introduced (it is explained pretty clearly here).

In our test deployment we have two containers (A and B) and, due to the nature of our application, we want to do a port forwarding from the host to B, but through A.

First attempt

The setup that we did is more or less:

+-------------------------------------+
| +-------------+     +-------------+ |
| |A container  |     |B container  | |
| |             |     |             | |
| |    +--->eth1+---> |eth1         | |
| |  eth0       |     |      eth0   | |
| +----+--------+     +-------------+ |
|      ^                              |
|      |                              |
|      +                              |
|     lxdbr0                  Host    |
+-------------------------------------+

where eth0 interfaces are attached to default lxdbr0 network and eth1 to a new bridged network:

lxc network create lxdbr1
lxc network attach lxdbr1 A default eth1
lxc network attach lxdbr1 B default eth1

In the host, we created a port forwarding (using iptables) to the IP address of B's eth1 interface. By default, the forwarded traffic goes from the host straight to B, routed through the lxdbr1 bridge. To solve this, our first idea was to remove the host's default route to the lxdbr1 subnet and add another one through A:

ip route delete <lxdbr1 subnet>
ip route add <lxdbr1 subnet> via <A's eth0 IP address>

It works, but it is not a good idea, as LXD recreates the routes on each restart.

Unmanaged networks

The trick here is not to use the new network management and, as explained in the comments of this blog post, to add a NIC device directly to the containers:

lxc config device add A eth1 nic nictype=bridged parent=isolatedbr name=eth1
lxc config device add B eth1 nic nictype=bridged parent=isolatedbr name=eth1

where isolatedbr is a bridge that we created:

sudo brctl addbr isolatedbr

Now we have to configure the interfaces manually (or add them to /etc/network/interfaces inside the containers):

lxc exec A -- ip addr add <A's eth1 IP address> dev eth1
lxc exec A -- ip link set eth1 up
lxc exec B -- ip addr add <B's eth1 IP address> dev eth1
lxc exec B -- ip link set eth1 up

And bring the bridge up:

ip link set isolatedbr up

And now it should work:

lxc exec A -- ping <B's eth1 IP address>
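The whole unmanaged-bridge procedure above, collected into one script as an added example (this is not code from the original post). Container names A and B and the bridge name isolatedbr follow the post; the addresses 10.99.0.1/24 and 10.99.0.2/24 are constructed for illustration, and the script assumes it runs as root on the LXD host when DRY_RUN=0. It adds the checks a practitioner wants before and after the steps: the two eth1 addresses must share a subnet (otherwise the final ping cannot work), and the host itself must hold no address on the bridge, since a host address there would let traffic reach B without passing through A.

```shell
#!/bin/sh
# Added example, not part of the original post: build an LXD container-only
# network on an unmanaged bridge. Names and addresses are assumptions.
set -eu

BRIDGE="${BRIDGE:-isolatedbr}"
A_NAME="${A_NAME:-A}"
B_NAME="${B_NAME:-B}"
A_CIDR="${A_CIDR:-10.99.0.1/24}"   # constructed sample address for A's eth1
B_CIDR="${B_CIDR:-10.99.0.2/24}"   # constructed sample address for B's eth1
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands; 0 = execute them

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
# Arguments are passed as a list (never through eval), so a container name
# or address cannot smuggle shell syntax into the host's root shell.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_name NAME: LXD container names are letters, digits and hyphens.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9-]*) return 1 ;; esac
}

# valid_cidr A.B.C.D/N: syntactic check of an IPv4 address with prefix length.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# ip_to_int A.B.C.D: dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# same_network CIDR1 CIDR2: true when both addresses fall in the network that
# CIDR1 describes. A and B must share a subnet or the final ping cannot work.
same_network() {
    prefix="${1#*/}"
    mask=$(( (4294967295 >> (32 - prefix)) << (32 - prefix) ))
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# plan_commands: the post's steps in order, one command per step.
plan_commands() {
    run brctl addbr "$BRIDGE"
    run ip link set "$BRIDGE" up
    run lxc config device add "$A_NAME" eth1 nic nictype=bridged parent="$BRIDGE" name=eth1
    run lxc config device add "$B_NAME" eth1 nic nictype=bridged parent="$BRIDGE" name=eth1
    run lxc exec "$A_NAME" -- ip addr add "$A_CIDR" dev eth1
    run lxc exec "$A_NAME" -- ip link set eth1 up
    run lxc exec "$B_NAME" -- ip addr add "$B_CIDR" dev eth1
    run lxc exec "$B_NAME" -- ip link set eth1 up
}

# bridge_is_isolated: the host must hold no IPv4 address on the bridge, or the
# network is no longer container-only and B is reachable without going via A.
bridge_is_isolated() {
    [ -z "$(ip -4 -o addr show dev "$BRIDGE" 2>/dev/null)" ]
}

main() {
    valid_name "$A_NAME" && valid_name "$B_NAME" || { echo "bad container name" >&2; return 1; }
    valid_cidr "$A_CIDR" && valid_cidr "$B_CIDR" || { echo "bad CIDR" >&2; return 1; }
    same_network "$A_CIDR" "$B_CIDR" || { echo "A and B are not on the same subnet" >&2; return 1; }
    plan_commands
    if [ "$DRY_RUN" != 1 ]; then
        bridge_is_isolated || { echo "host has an address on $BRIDGE" >&2; return 1; }
        lxc exec "$A_NAME" -- ping -c 1 "${B_CIDR%/*}"
    fi
}

main
```

Run it as-is to see the eight commands it would issue; run it with `DRY_RUN=0` as root to apply them, after which it verifies the bridge carries no host address and pings B's eth1 from A. Override A_CIDR, B_CIDR, A_NAME or B_NAME in the environment to match your own deployment.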

