[pve-devel] Request for improvement of Network handling regarding LXC

Tom Weber pve at junkyard.4t2.com
Thu Jul 20 15:50:02 CEST 2017


On Thursday, 20.07.2017, 15:00 +0200, Wolfgang Bumiller wrote:
> On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote:
> > 
> > Hi there,
> > 
> > I'm currently evaluating the PVE environment as a replacement for my
> > custom KVM+LXC+DRBD setup I'm running so far.
> > 
> > Playing with (privileged) containers I figured that IP configuration is
> > always done from inside the container.
> > 
> > My usual setup is setting the (static) IP of the container from the
> > outside (and applying firewall rules) and dropping capabilities for the
> > container itself so this can't be changed from inside the container.
> > 
> > Currently this seems to be impossible with PVE as it comes.
> > 
> > Attached is a little patch that sets the IP from the 'outside' (if
> > defined as a static one). Once I manually add the lxc.cap.drop lines to
> > the CT config, I can't change this from the inside anymore.
> > 
> > It's only for IPv4 (can't test v6 on this setup) but I think it's
> > rather trivial to add this.
> > 
> > Unless you drop net_admin the CT will still be able to change
> > networking and behave like before - or work with DHCP.
> No objection to adding this as a separate option.
> 
> There's still the idea of adding feature flags to containers floating
> around (initially for allowing things like fuse or mounting of network
> shares (nfs, cifs)), and this would definitely be another useful flag
> to add.
> 
> Note that dropping net_admin also prevents containers from configuring
> their inner firewall or using tunnels/vpns/etc., so it would definitely
> need to be a separate option rather than a general change of behavior
> like in this patch, but you probably know that.

As far as I can see this patch alone wouldn't change the normal
behavior: 
step 1) lxc sets the IP from outside
step 2) container itself sets/overrides the IP from the inside.

Only if I manually add lxc.cap.drop = net_admin to the config of the
container it will prevent step 2.

Preventing the container from messing with networking/firewall settings
is exactly why I want/need this.

A feature switch for this (maybe even in the UI would be nice too) but
that's far beyond my 2 days knowledge of playing with pve :)

  Tom
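For reference, the kind of CT config the thread is talking about, as an added illustration rather than the patch Tom attached or anything from the PVE project: a static address for the container plus the raw lxc.cap.drop line that removes CAP_NET_ADMIN. The VMID, addresses and MAC are constructed placeholders, and the net0/lxc.* key syntax is assumed to be the PVE CT config format of that time; the cap-drop line only does what Tom describes once the address is actually applied from the host side (as his patch does), because stock PVE configures the IP from inside the guest, which needs that capability.

```ini
# /etc/pve/lxc/<VMID>.conf  (VMID is a placeholder)
arch: amd64
cores: 1
hostname: ct-static-example
memory: 512
ostype: debian
rootfs: local-lvm:vm-<VMID>-disk-0,size=8G

# Static IPv4 for the container (constructed example addresses).
# Step 1 in the thread: with the attached patch, lxc applies this
# address on the host side before the container's init runs.
net0: name=eth0,bridge=vmbr0,hwaddr=02:00:00:00:00:01,ip=192.0.2.10/24,gw=192.0.2.1

# Raw lxc config line, passed through to LXC by PVE (assumed syntax).
# Removes CAP_NET_ADMIN from the container so step 2 (the guest
# re-setting or overriding its own IP) is no longer possible.
# Caveat from Wolfgang's reply: this also blocks the guest's own
# firewall rules, tunnels and VPNs, so it belongs in an opt-in switch.
lxc.cap.drop: net_admin
```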
