06-04-2017, 10:59 PM
Some of us like to keep things neat and organized: keeping tabs on different containers that could very well be running apps that are incompatible with, or a headache for, the others. Some of us would also like to keep other users isolated when we share our main host.
Setting up LXC networking can be a little cumbersome, if not maddening, if you do not have one of the distros that automatically sets up the networking interface for containers. (Most Debian and Ubuntu distributions set up a NAT interface for you.)
(From here on, we assume you've installed LXC 1.0 or any 1.x version.)
1. Introduction:
Let us say that you have a distribution that doesn't have the packages that automatically set up lxcbr0 or another interface to NAT and network containers on.
An example configuration is shown below, written to /etc/default/lxc-net:
Code:
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DOMAIN=""
Being a bridge, it will bridge the containers together and act as NAT for them. Once the configuration is placed in this file, LXC automatically brings the bridge up and installs the iptables rules to make it work. From here, you can edit any setting you want, such as the network prefix shared between the containers. Once this file is in place, execute:
Code:
systemctl enable lxc-net
systemctl start lxc-net
to make the configuration stick.
2. Introduce IPv6 to containers.
Once you've gotten a container online with its own IPv4 network, you can set up IPv6 and even make IPv6-only containers. To check the current containers and their addresses, use the following command:
Code:
lxc-ls --fancy
Example output:
Code:
NAME          STATE    IPV4       IPV6  AUTOSTART
-------------------------------------------------
ContainerOne  RUNNING  10.0.3.15  -     NO
ContainerTwo  STOPPED  -          -     NO
2.1 Do you even v6, bro?
Before we dive in and bring the holy version 6 of networking to your young containers, we need to CHECK whether you even have IPv6. Some providers offer native IPv6, others do not. This guide only applies to those who receive a routed prefix such as a /64. Many providers offer a single /128 (one IPv6 address) and let you request a few more, but this guide is about networking a whole prefix, and quite frankly I've never dealt with single addresses. Commonly, systems that are more than capable of being containerized (and worth containerizing) are offered anything from a /64 to a /48.
2.2 The Hurricane Electric tunnel.
Let us assume that you do not have an IPv6 prefix routed to your server and resort to a tunnel. If so, we are going to have to take some notes from the tunnel broker's website. (We are going to assume that you've already successfully tunneled IPv6 to your system.)
In this example, I am using a picture I found on the internet, because I managed to lock myself out of my account while writing this:
What we need to pay attention to are the Routed /64 and the Client IPv6 address. Now, we are going to check your ifconfig, which in this example looks like this:
Code:
he-ipv6 Link encap:IPv6-in-IPv4
inet6 addr: fe80::a89:17a3/64 Scope:Link
inet6 addr: 2001:470:27:37e::2/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:121471 errors:0 dropped:0 overruns:0 frame:0
TX packets:122942 errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:111781007 (111.7 MB) TX bytes:71983914 (71.9 MB)
What you need to note is that global address on he-ipv6. This is where we are going to push the IPv6 traffic through, and it is what we will use as the gateway.
To help understand this, I've made this diagram:
Code:
              .-~~~-.
      .- ~ ~-(       )_ _
     /                    ~ -.
    |   The Internet          \  ==> HE.net's router (tunnel)  ==> Your server (he-ipv6)
     \  (And cat videos)     .'      (2001:470:23:37e::1/64)       (2001:470:23:37e::2/64)
       ~- . _____________ . -~
In order to provide connectivity to your LXC nodes, your server also has to act as a router. So, run this command:
Code:
sysctl -w net.ipv6.conf.all.forwarding=1
This allows your server to act as a router. Now we need to get back to lxcbr0, or whichever interface we have set up, and give it an address. If we follow the next diagram, we can see how the packets will flow:
Code:
              .-~~~-.
      .- ~ ~-(       )_ _
     /                    ~ -.
    |   The Internet          \  ==> HE.net's router          ==> Your server              ==> lxcbr0
     \  (And cat videos)     .'      (2001:470:23:37e::1/64)      (2001:470:23:37e::2/64)      (2001:470:28:37e::1/64)
       ~- . _____________ . -~
See that we needed to give lxcbr0 an address out of the routed /64 to make it the gateway for the containers. How? With these two commands:
Code:
ip a a 2001:470:28:37e::1 dev lxcbr0    # adds an address from the routed /64 to lxcbr0 (without a length it becomes a /128, hence the route below)
ip r a 2001:470:28:37e::/64 dev lxcbr0  # routes the whole routed /64 to the bridge
Now that we have this in place, all you need to do is make the container join this network by editing its /etc/network/interfaces file, after the DHCP IPv4 (inet dhcp) stanza. Comments go on their own lines, since ifupdown does not understand trailing comments:
Code:
# the container's desired address, taken from the routed /64
iface eth0 inet6 static
    address 2001:470:28:37e::2
    # Google "netmask amounts"; 128 equals one IPv6 address
    netmask 128
    # lxcbr0's address, which acts as the gateway because it is one
    gateway 2001:470:28:37e::1
And, restart networking. If all goes well, a simple ping6 google.com should give you results.
2.3 Native IPv6 connections.
This guide is going to assume you have the bare minimum of a /64. Although this could very well be done with other sizes, a /64 is ideal within the RFCs' rules for networking. The principle is the same, but you have to take note of your routed netmask, i.e. how many IPv6 addresses you have.
In this case, it is as copy-and-paste as before. You need to find your routed IPv6 address(es). The difference here is that there is no second prefix routed in between:
Code:
              .-~~~-.
      .- ~ ~-(       )_ _
     /                    ~ -.
    |   The Internet          \  ==> Your server              ==> lxcbr0                   ==> Container
     \  (And cat videos)     .'      (2001:470:23:37e::1/64)      (2001:470:23:37e::2/64)      (2001:470:23:37e::3/64)
       ~- . _____________ . -~
To check which addresses you can and cannot assign, use this tool:
http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
Example:
My example ifconfig (in this case, I am offered a /112):
Code:
eth0 Link encap:Ethernet HWaddr 02:00:c0:a8:64:4b
inet addr:192.168.100.75 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: 2001:41d0:1:777c:200:xxx:xxx:0/112 Scope:Global
inet6 addr: fe80::c0ff:fea8:644b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:74 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10516 (10.5 KB) TX bytes:8893 (8.8 KB)
Usually, the network interface will hold the first address of the block. So, assign the second address to the lxcbr0 interface. The size of the network is shown after the address within ifconfig:
Code:
inet6 addr: 2001:41d0:1:777c:200:xxx:xxx:0/112
So, then, we substitute the address and size into the following commands:
Code:
ip a a 2001:41d0:1:777c:200:xxx:xxx:1/112 dev lxcbr0  # act as gateway for the containers
ip r a 2001:41d0:1:777c:200:xxx:xxx:0/112 dev lxcbr0  # the network allowed for the containers (the kernel already adds this route with the /112 address above, so "File exists" here is harmless)
Then, the containers can allocate everything else after :1.
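The two cases above (a separately routed /64 from HE.net, and a native sub-/64 block such as the /112) follow the same rule: the first address of the block is left alone (the uplink holds it in the /112 case), lxcbr0 takes the second, and the containers take the rest. The planner below is an added example, not code from the original post, that applies that rule with Python's standard ipaddress module and emits the host commands and the container stanza for any prefix length. It also refuses a "routed" prefix that overlaps the tunnel's own /64, since putting ::1 of the tunnel /64 on lxcbr0 would shadow HE.net's router. All prefixes in it are constructed documentation addresses (2001:db8::/32), not the post's real ones.

```python
#!/usr/bin/env python3
"""Plan IPv6 addressing for an LXC bridge from a routed prefix.

Added example, not code from the original post.  Rule applied: first address
of the block is left to the uplink, lxcbr0 gets the second, containers the
rest.  All prefixes used here are constructed 2001:db8::/32 examples.
"""
import ipaddress


def check_routed_prefix(routed: str, tunnel: str) -> ipaddress.IPv6Network:
    """Refuse a 'routed' prefix that is really the tunnel's own /64.

    HE.net hands out two different /64s: the point-to-point one (::1 is their
    router, ::2 is you) and the routed one.  Only the routed one may be used
    on the bridge; ::1 of the tunnel /64 on lxcbr0 would break the tunnel.
    """
    routed_net = ipaddress.IPv6Network(routed, strict=False)
    tunnel_net = ipaddress.IPv6Network(tunnel, strict=False)
    if routed_net.overlaps(tunnel_net):
        raise ValueError(f"{routed} overlaps the tunnel prefix {tunnel}; use the Routed /64")
    return routed_net


def plan_bridge(routed: str, bridge: str = "lxcbr0", containers: int = 2) -> dict:
    """Return addresses, host commands and one interfaces stanza per container.

    routed     -- the block as ifconfig prints it, e.g. "2001:db8:28:37e::2/64";
                  any address inside the block works (strict=False normalises it)
    containers -- how many container addresses to hand out after the bridge
    """
    net = ipaddress.IPv6Network(routed, strict=False)
    if net.prefixlen > 126:
        raise ValueError("need at least a /126 for a bridge address plus containers")
    bridge_addr = net[1]                          # second address of the block
    guests = [net[2 + i] for i in range(containers)]

    host_cmds = [
        # the host must forward between its uplink and the bridge
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        # adding the address with its prefix length also installs the on-link
        # route, so the post's separate 'ip r a <prefix> dev lxcbr0' is only
        # needed when the address was added as a bare /128
        f"ip a a {bridge_addr}/{net.prefixlen} dev {bridge}",
    ]

    # /etc/network/interfaces stanza for each container; gateway = the bridge
    stanzas = [
        "iface eth0 inet6 static\n"
        f"    address {g}\n"
        f"    netmask {net.prefixlen}\n"
        f"    gateway {bridge_addr}\n"
        for g in guests
    ]

    return {
        "network": str(net),
        "bridge_address": str(bridge_addr),
        "prefixlen": net.prefixlen,
        "containers": [str(g) for g in guests],
        "host_commands": host_cmds,
        "interfaces": stanzas,
    }


if __name__ == "__main__":
    # HE.net style: the tunnel /64 and the routed /64 differ (constructed values)
    check_routed_prefix("2001:db8:28:37e::/64", "2001:db8:23:37e::2/64")
    for example in ("2001:db8:28:37e::/64", "2001:db8:1:777c:200:aa:bb:0/112"):
        plan = plan_bridge(example)
        print(f"# {plan['network']}: {plan['bridge_address']} on lxcbr0")
        print("\n".join(plan["host_commands"]))
        print("\n".join(plan["interfaces"]))
```

Feed it the prefix exactly as ifconfig shows it on the uplink; for the post's /112 example it yields ...:1/112 for lxcbr0 and ...:2 onward for the containers, and for a routed /64 it yields ::1 and ::2 onward, matching the commands given above.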
Troubleshooting:
If you have a "no route to host" problem, make sure that ALL traffic has a correct gateway.
If there is no route to host within the host system, and pinging outside of the system does not work, try:
Code:
ip r a 2000::/3 via (he-ipv6's address, or eth0's address for native connections)
If there is no route within a container, check that its gateway was set correctly and matches lxcbr0's address (or that of the interface used by LXC).
Check whether you can ping the lxcbr0 interface; if you can't, you've incorrectly set up the IPv6 connection somewhere between the container and the host system. If the container can ping the host system via the gateway (or can ping the gateway), then try this command within the container:
Code:
ip r a 2000::/3 via (container's IPv6 gateway)
Any other problem, consult Google, as these are the few problems I have encountered using this.
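The host-side half of the troubleshooting above boils down to four checks: forwarding is on, lxcbr0 carries a global address, the containers' prefix is routed to lxcbr0, and the host itself has a way out (a default route or the 2000::/3 route). The script below is an added example, not part of the original post, that runs those checks. diagnose() is a pure function over the text that `sysctl -n`, `ip -6 addr show dev lxcbr0` and `ip -6 route` print, so it is exercised here on constructed sample output (documentation prefixes, not captured from a real host); collect() shells out to the real commands, which assumes a Linux host with iproute2.

```python
#!/usr/bin/env python3
"""Host-side checks for the troubleshooting section.

Added example, not code from the original post.  diagnose() works on the
text of `sysctl -n`, `ip -6 addr show dev <bridge>` and `ip -6 route`;
collect() gathers that text from a real host (assumes iproute2 on Linux).
"""
import re
import subprocess


def diagnose(forwarding: str, addr_out: str, route_out: str,
             bridge: str = "lxcbr0") -> list:
    """Return the problems found; an empty list means the host side looks right."""
    problems = []

    # 1. Without forwarding the kernel drops the containers' packets.
    if forwarding.strip() != "1":
        problems.append("forwarding off: sysctl -w net.ipv6.conf.all.forwarding=1 "
                        "(put it in /etc/sysctl.conf to keep it across reboots)")

    # 2. The bridge needs a global address to be the containers' gateway;
    #    the automatic link-local fe80:: address alone is not enough.
    if not re.search(r"inet6 \S+ scope global", addr_out):
        problems.append(f"no global IPv6 address on {bridge}: ip a a <addr>/<len> dev {bridge}")

    # 3. The containers' prefix must be routed to the bridge (the post's
    #    'ip r a <prefix> dev lxcbr0'); ignore the automatic fe80::/64 route.
    routes = [r for r in route_out.splitlines() if r and not r.startswith("fe80::")]
    if not any(f" dev {bridge}" in r for r in routes):
        problems.append(f"no prefix routed to {bridge}: ip r a <prefix> dev {bridge}")

    # 4. The host itself needs a way out: a default route, or the post's
    #    catch-all 2000::/3 route via the uplink gateway.
    if not any(r.startswith(("default ", "2000::/3 ")) and " via " in r for r in routes):
        problems.append("no route out of the host: ip r a 2000::/3 via <uplink gateway>")

    return problems


def collect(bridge: str = "lxcbr0") -> list:
    """Gather the real outputs with sysctl and iproute2, then diagnose them."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return diagnose(run("sysctl", "-n", "net.ipv6.conf.all.forwarding"),
                    run("ip", "-6", "addr", "show", "dev", bridge),
                    run("ip", "-6", "route"), bridge)


# Constructed samples in the documentation prefix, not captured from a host.
GOOD_ADDR = """\
3: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:28:37e::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever
"""
BAD_ADDR = """\
3: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::216:3eff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever
"""
GOOD_ROUTE = """\
2001:db8:23:37e::/64 dev he-ipv6 proto kernel metric 256 pref medium
2001:db8:28:37e::/64 dev lxcbr0 proto kernel metric 256 pref medium
fe80::/64 dev lxcbr0 proto kernel metric 256 pref medium
2000::/3 via 2001:db8:23:37e::1 dev he-ipv6 metric 1024 pref medium
"""
BAD_ROUTE = """\
fe80::/64 dev lxcbr0 proto kernel metric 256 pref medium
"""

if __name__ == "__main__":
    for problem in collect():
        print("PROBLEM:", problem)
```

Run it on the host while a container reports "no route to host": an empty result means the fault is on the container side (its address, netmask or gateway), which is where the post's second `ip r a 2000::/3` command applies.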