LXC. Container's IP from the same network as host
I am trying out LXC. Now I want to assign the guest (container) an IP from the same network as the LXC host. As the host OS I use Ubuntu 14.04.3, and as the guest Ubuntu 15.10.
The LXC host reaches the internet through my home router (default gateway); the LXC host has the IP 192.168.1.50 (network 192.168.1.0/24) and the gateway (router) address is 192.168.1.1.
So now I want to assign 192.168.1.51 from the same network to the LXC guest. For this I configured a br0 interface on the LXC host machine:
root@lxc-host:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_maxwait 0
After this configuration the internet and the internal network work fine:
root@lxc-host:~# ifconfig
br0 Link encap:Ethernet HWaddr 08:00:27:5a:39:b5
inet addr:192.168.1.50 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe5a:39b5/64 Scope:Link
inet6 addr: fdee:cbcd:a595:0:a00:27ff:fe5a:39b5/64 Scope:Global
inet6 addr: fdee:cbcd:a595:0:91b8:6067:2b5c:e58d/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5001 errors:0 dropped:0 overruns:0 frame:0
TX packets:2094 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:613920 (613.9 KB) TX bytes:307810 (307.8 KB)
eth0 Link encap:Ethernet HWaddr 08:00:27:5a:39:b5
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4964 errors:0 dropped:0 overruns:0 frame:0
TX packets:2109 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:681460 (681.4 KB) TX bytes:316156 (316.1 KB)
...
root@lxc-host:~#
According to these docs, I changed the container config (u1 is my Ubuntu container) to look like this:
root@lxc-host:~# cat /var/lib/lxc/u1/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.arch = x86_64
# Container specific configuration
lxc.rootfs = /var/lib/lxc/u1/rootfs
lxc.utsname = u1
# Network configuration
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:a1:c2:fe
lxc.network.ipv4 = 192.168.1.51/24
# define a gateway to have access to the internet
lxc.network.ipv4.gateway = 192.168.1.1
Now the container's network configuration looks like this:
root@lxc-host:~# cat /var/lib/lxc/u1/rootfs/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.51
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8
root@lxc-host:~#
After restarting the container, eth0 really does use 192.168.1.51; the container can ping the LXC host IP 192.168.1.50, but it cannot ping any other IP, including internal IPs such as the gateway 192.168.1.1.
root@u1:~# ip a
1: lo...
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:a1:c2:fe brd ff:ff:ff:ff:ff:ff
inet 192.168.1.51/24 brd 192.168.1.255 scope global eth0
...
root@u1:~# ping 192.168.1.50
PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=0.064 ms
^C
--- 192.168.1.50 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.064/0.064/0.064/0.000 ms
root@u1:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.51 icmp_seq=1 Destination Host Unreachable
From 192.168.1.51 icmp_seq=2 Destination Host Unreachable
From 192.168.1.51 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2999ms
pipe 3
root@u1:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
root@u1:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
root@u1:~#
Where did I go wrong? AppArmor is stopped, and iptables on the LXC host is clean.
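As an added example (not from the question or the answer), a small Python check of the static parts of this bridged setup: it parses the host's interfaces(5) stanzas and the container's LXC config and flags the usual mismatches (container still attached to a bridge the host does not define, such as the default lxcbr0; bridge without a physical port; enslaved eth0 carrying its own address; guest or gateway outside the bridge's subnet). The function names are hypothetical and the two configs are constructed copies of the files shown above; a setup that passes this check, like the one in the question, can still fail for reasons outside these files.

```python
import ipaddress  # the two configs below are constructed copies of the question's files
HOST_INTERFACES = """\
iface eth0 inet manual
iface br0 inet static
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0
"""
CONTAINER_CONFIG = """\
lxc.network.link = br0
lxc.network.ipv4 = 192.168.1.51/24
lxc.network.ipv4.gateway = 192.168.1.1
"""
def parse_interfaces(text):
    """Return {iface: {option: value}} for an ifupdown interfaces(5) file."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] == "auto":
            continue
        if parts[0] == "iface":
            cur = ifaces.setdefault(parts[1], {"method": parts[3]})
        elif cur is not None:
            cur[parts[0]] = " ".join(parts[1:])
    return ifaces
def parse_lxc_config(text):  # {key: value} for the 'key = value' lines of an LXC 1.x config
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}
def check_bridged_container(host_text, lxc_text):
    """Return the inconsistencies found; an empty list means the static setup is coherent."""
    ifaces, conf = parse_interfaces(host_text), parse_lxc_config(lxc_text)
    br = conf.get("lxc.network.link")
    if br not in ifaces:  # e.g. still pointing at LXC's default NAT bridge lxcbr0
        return [f"bridge {br!r} not defined on host"]
    bridge, problems = ifaces[br], []
    ports = bridge.get("bridge_ports", "").split()
    if not ports or ports == ["none"]:  # a port-less bridge never reaches the LAN
        problems.append(f"{br} has no physical port")
    for port in ports:  # the enslaved NIC must not carry an address of its own
        if ifaces.get(port, {}).get("method") != "manual":
            problems.append(f"port {port} should be 'inet manual'")
    host_net = ipaddress.ip_interface(f"{bridge['address']}/{bridge['netmask']}").network
    guest = ipaddress.ip_interface(conf["lxc.network.ipv4"])
    if guest.network != host_net:
        problems.append(f"guest {guest} is not in the host subnet {host_net}")
    gw = ipaddress.ip_address(conf.get("lxc.network.ipv4.gateway", bridge["gateway"]))
    if gw not in host_net:
        problems.append(f"gateway {gw} is not on-link for {host_net}")
    return problems
```

Running it on the question's own files returns an empty list, which narrows the search to the layer below the configuration (bridge membership, ARP, or the virtualization layer).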
This problem is related to VirtualBox virtualization (but I know some people run into the same problem with Hyper-V).
In this case LXC apparently cannot share the br0 interface.
With real hardware I never had the problem again.
If you are new to LXC, I recommend reading Stephane Graber's 10-part blog series:
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/
And Flockport has built a great site covering many LXC topics, especially LXC networking, from MACVLAN to VXLAN to VPNs.