[pve-devel] Request for improvement of Network handling regarding LXC

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Jul 20 15:00:14 CEST 2017


On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote:
> Hi there,
> 
> I'm currently evaluating the PVE environment as a replacement for my
> custom KVM+LXC+DRBD setup I'm running so far.
> 
> Playing with (privileged) containers I figured that IP configuration is
> always done from inside the container.
> 
> My usual setup is setting the (static) IP of the container from the
> outside (and applying firewall rules) and dropping capabilities for the
> container itself so this can't be changed from inside the container.
> 
> Currently this seems to be impossible with PVE as it comes.
> 
> Attached is a little patch that sets the IP from the 'outside' (if
> defined as a static one). Once I manually add the lxc.cap.drop lines to
> the CT config, I can't change this from the inside anymore.
> 
> It's only for IPv4 (can't test v6 on this setup) but I think it's
> rather trivial to add this.
> 
> Unless you drop net_admin the CT will still be able to change
> networking and behave like before - or work with DHCP.

No objection to adding this as a separate option.

There's still the idea of adding feature flags to containers floating
around (initially for allowing things like fuse or mounting of network
shares (nfs, cifs)), and this would definitely be another useful flag
to add.

Note that dropping net_admin also prevents containers from configuring
their inner firewall or using tunnels/vpns/etc., so it would definitely
need to be a separate option rather than a general change of behavior
like in this patch, but you probably know that.

> Regards,
>   Tom
> 
> --- /usr/share/perl5/PVE/LXC.pm.orig	2017-07-20 12:03:52.949344829 +0200
> +++ /usr/share/perl5/PVE/LXC.pm	2017-07-20 14:12:09.022119871 +0200
> @@ -428,6 +428,11 @@
>  	$raw .= "lxc.network.type = veth\n";
>  	$raw .= "lxc.network.veth.pair = veth${vmid}i${ind}\n";
>  	$raw .= "lxc.network.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
> +	if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) {
> +		$raw .= "lxc.network.ipv4 = $d->{ip}\n";
> +		$raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if defined($d->{gw});
> +		$raw .= "lxc.network.flags = up\n" if defined($d->{ip});
> +	}
>  	$raw .= "lxc.network.name = $d->{name}\n" if defined($d->{name});
>  	$raw .= "lxc.network.mtu = $d->{mtu}\n" if defined($d->{mtu});
>      }
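Review bot: the new block applies unconditionally to every container with a static address, so it silently changes default behaviour for existing containers instead of being opt-in; it should be gated behind a per-container option (the separate flag discussed above) before the `lxc.network.ipv4` lines are emitted. Two smaller points in the same hunk: the `ne "dhcp"` test only excludes the dhcp keyword, so any other non-address value the ip field accepts would be written verbatim into `lxc.network.ipv4`, and matching an address/CIDR pattern would be safer; and the trailing `if defined($d->{ip})` on the `lxc.network.flags = up` line is redundant inside a block already guarded by `defined($d->{ip})`. The IPv6 address and gateway are not handled, as the author notes.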
