IPv6 Networking and LXC Containers

IPv6 Networking and LXC Containers - Printable Version

+- Post4VPS Forum | Free VPS Provider (https://post4vps.com)
+-- Forum: VPS Discussion (https://post4vps.com/Forum-VPS-Discussion)
+--- Forum: Tutorials (https://post4vps.com/Forum-Tutorials)
+--- Thread: IPv6 Networking and LXC Containers (/Thread-IPv6-Networking-and-LXC-Containers)

IPv6 Networking and LXC Containers - Mr.Monkey - 06-04-2017

For some of us, we like to keep things good and organized. We like to keep tabs on different containers, that could very well be running apps that might be incompatible or a headache to others. To some of us, we'd like to keep other users isolated if we share our main host.

Setting LXC networking can a be a little cumbersome, if not, maddening if you do not have one of the distros that automatically set the networking interface for containers. (Most Debian and Ubuntu distributions set up a NAT interface for you).

(from here, we assume you've installed LXC 1.0 or any 1.# version)
1.Introduction:

Let us say that you have a distribution that doesn't have the packages that automatically set lxcbr0 or another interface to NAT and network containers on.

A example configuration is shown below, written in /etc/default/lxc-net

Code:
USE_LXC_BRIDGE="true"

LXC_BRIDGE="lxcbr0"

LXC_ADDR="10.0.3.1"

LXC_NETMASK="255.255.255.0"

LXC_NETWORK="10.0.3.0/24"

LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"

LXC_DHCP_MAX="253"

LXC_DHCP_CONFILE=""

LXC_DOMAIN=""

Being a bridge, it will bridge and act as NAT for the system. When the configuration is placed within this file, LXC will automatically enabled and place the iptable rules to make it work. From here, you can edit any setting you want, such as networking prefixes to be shared between containers. Once this file is placed, you can execute:

Code:
systemctl enable lxc-net

systemctl start lxc-net

To make the configuration stick.

2. Introduce IPv6 to containers.
Once you've gotten a container online with its own IPv4 network, you can setup and even make IPv6 only containers. To check the current containers, and their addresses, you can use the

Code:
lxc-ls --fancy

command.
Example output:

Code:
NAME          STATE    IPV4       IPV6                  AUTOSTART

-----------------------------------------------------------------------

ContainerOne  RUNNING  10.0.3.15  -                     NO

ContainerTwo  STOPPED  -          -                     NO

2.1 Do you even v6, bro?
Before we dive in, bringing the holy version 6 of networking to your young containers, we need to even CHECK if you have IPv6. Some providers offer native IPv6, but others do not. This guide will only apply to those who receive a routed prefix such as a /64. Many providers offer single /128 (or 1 IPv6) and can request some more, but this guide will be for networking as a whole prefix, and quite frankly I've never dealt with that before. Commonly systems that are more than capable to being conatiner'd (and worth to be conainter'd) usually are offered a /64 to /48s.
2.2 The Hurricane Electric tunnel.
Let us assume that you do not have a IPv6 prefix routed to your container, and resort to the use of a tunnel. If you do, we are going to have to make some notes on the website. (We are going to assume that you've already successfully tunneled IPv6 to your system)
In this example, I am using this picture I found on the internet because I managed to lock myself out of my account while making this:
[Image: TunnelBrokerIPv6.png]

What we need to pay attention to is, Routed /64 and Client IPv6 address. Now, we are going to check your ifconfig, which in this exmaple is this:

Code:
he-ipv6   Link encap:IPv6-in-IPv4

          inet6 addr: fe80::a89:17a3/64 Scope:Link

          inet6 addr: 2001:470:27:37e::2/64 Scope:Global

          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1

          RX packets:121471 errors:0 dropped:0 overruns:0 frame:0

          TX packets:122942 errors:0 dropped:1 overruns:0 carrier:0

          collisions:0 txqueuelen:1

          RX bytes:111781007 (111.7 MB)  TX bytes:71983914 (71.9 MB)

What you need to note, is that address. This is where we are going to shove IPv6 traffic through, and make as gateway.
To help understand this, I've made this diagram:

Code:
         .-~~~-.

  .- ~ ~-(       )_ _

 /                     ~ -.

|   The Internet            \ ==> HE.net's router (tunnel)   ==>  Your server (he-ipv6)              

 \  (And cat videos)        .'      (2001:470:23:37e::1/64)    (2001:470:23:37e::2/64)   

   ~- . _____________ . -~

In order to provide connectivity to your LXC nodes, you also have to act as a router. So, enable this command:

Code:
sysctl -w net.ipv6.conf.all.forwarding=1

Which will allow your server to act as a router. Now, we need to get back to lxcbr0 or the interface that we've have set, we need to make it have a address. If we follow the next diagram, we can see now how the packets will follow suite:

Code:
.-~~~-.

  .- ~ ~-(       )_ _

 /                     ~ -.

|   The Internet            \ ==> HE.net's router   ==> Your server               ==> lxcbr0                

 \  (And cat videos)        .'      (2001:470:23:37e::1/64)    (2001:470:23:37e::2/64)       2001:470:28:37e::1/64     

   ~- . _____________ . -~

See that we needed to address lxcbr0 a address to make it a gateway for the containers. How? We do these two commands

Code:
ip a a 2001:470:23:37e::1 dev lxcbr0 # adds a address to lxcbr0

ip r a 2001:470:23:37e::/64 dev lxcbr0 # adds the global address

Now, since we have this in place, all you need to do is make the container connect to this network, by editing the /etc/network/interfaces file after the DHCP IPv4 (inet dhcp) option.

Code:
iface eth0 inet6 static

address 2001:470:28:37e::2 #container's desired address

netmask 128 # google netmask ammounts, 128 equals to 1 IPv6.

gateway 2001:470:28:37e::1 #lxcbr0, this is acting as gateway because it is.

And, restart networking. If all goes well, a simple ping6 google.com should give you results.
2.3 Native IPv6 connections.
This guide is going to assume you have the bear minimum of a /64. Although this could very well be done with other amounts, a /64 is ideal within the RFCs rules for networking. It is the same principle, but you have to note of your routed netmask or amount of IPv6.
In this case, it is as copy paste as before. You need to find your routed IPv6 address(es). The diffrence here is that you are not routed another prefix in between another:

Code:
         .-~~~-.

  .- ~ ~-(       )_ _

 /                     ~ -.

|   The Internet            \ ==> Your server   ==> lxcbr0                ==> Conatiner

 \  (And cat videos)        .'      (2001:470:23:37e::1/64)    (2001:470:23:37e::2/64)      (2001:470:23:37e::3/64)      

   ~- . _____________ . -~

To check the addresses you can and cannot address, use this tool:
http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

Example:
My example ifconfig (in this case, I am offered a /112)

Code:
eth0      Link encap:Ethernet  HWaddr 02:00:c0:a8:64:4b

          inet addr:192.168.100.75  Bcast:0.0.0.0  Mask:255.255.255.0

          inet6 addr: 2001:41d0:1:777c:200:xxx:xxx:0/112 Scope:Global

          inet6 addr: fe80::c0ff:fea8:644b/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:74 errors:0 dropped:0 overruns:0 frame:0

          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:10516 (10.5 KB)  TX bytes:8893 (8.8 KB)

Usually, the network interface will always start with the first address listed. So, use the second address to assign to it to the lxcbr0 interface. The size of the network is shown after the address within ifconfig.

Code:
inet6 addr: 2001:41d0:1:777c:200:xxx:xxx:0/112

So, then, we substitute the address and sizes into the following commands.

Code:
ip a a 2001:41d0:1:777c:200:xxx:xxx:1/112 dev lxcbr0 # act as gateway for containers

ip r a 2001:41d0:1:777c:200:xxx:xxx:/112 dev lxcbr0 # network allowed for the conatiners

Then, the containers can allocate everything else after :1

Troubleshooting:
If you have a no route to host problem, make sure that ALL traffic is correctly gateway'd.
If there is no route to host within the host system, and pinging outside of the system does not work, try:

Code:
ip r a 2000::/3 via (he-ipv6's address, or eth0 address for native connections)

If there is not route within a container, check if the gateway was set correct and same to lxcbr0's or the interface used by LXC.
Check if you can ping the lxcbr0 interface, if you can't, you've incorrectly setup the IPv6 connection somewhere between the container and host system. If the container can ping the host system, via the gateway (or can ping the gateway), then try this command within the container:

Code:
ip r a 2000::/3 via (container's IPv6 gateway)

Any other problem, consult with Google, as these are few of the problems I have encountered using this.