[Devel] Re: container-to-host virtual or loopback kind of interface support

Eric W. Biederman ebiederm at xmission.com
Sun Apr 26 14:37:37 PDT 2009


Elwin Stelzer Eliazer <stelzere at gmail.com> writes:

> Thank you for your response.
>
> Let me explain my requirements more, and in this context, I would like to know
> your response.
>
> A reverse web and applications proxy is the user space application that we are
> virtualizing using network namespace and LXC.
> Local apache server and other apps are accessed through several sockets on
> 127.0.0.1 now and this has to be virtualized.
> The proxy under each LXC must handle hundreds of proxied sessions.
> The socket connections to local web and other apps server are dynamic, and
> corresponds to the dynamic external proxy sessions, and these can not be
> created upfront.
>
> I posted two other questions also, for which I never got a response from this
> list.
>
> 1. Can I have netfilter/iptables rules corresponding to each container, that
> has overlapping IP address space? In other words, is netfilter/iptables rule
> handling virtualized as part of the network namespace? Some preliminary tests seem
> to work. How do I know the development or proper release status on this
> feature?

Yes.

The easiest way to know the status is to read the code.
Short of that, the easiest way to know is to try it.

In the network namespace either the feature should fail gracefully
in a network namespace or after the code has been updated it should
work.

By and large all of ipv4 and ipv6 and iptables is expected to work.

> 2. Can the /dev/tun based PPP interface be part of a container? Like veth or
> macvlan what is the type for this?

Yes.  tun/tap is a well tested path.  ppp looks like it has also been converted.

> Looking forward to your suggestions and the options I have for these needs
> using LXC/namespace, as of 2.6.29. Do you still think I can avoid the relay
> daemon?

Apache is creating the connections on demand to your client.  Interesting.

I am too familiar with that setup.  In all honesty the easy thing to
do would be to have real ip address on something like the 192.168.0.0/16
network for each virtual machine.

Barring that it is possible to have your proxy receive the connections
and pass them via a unix domain socket created at the beginning of
time to your client.  If you have the proxy already it quite possibly
isn't worth it.

Eric
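The hand-off Eric describes, as an added illustration that is not code from this thread or from LXC: the proxy accepts the TCP connection and passes the accepted descriptor to the backend over a unix domain socket created up front (SCM_RIGHTS), so the backend never needs a loopback address of its own. The proxy, the backend and the external caller are all constructed in-process here; the function and variable names are my own.

```python
import array
import socket
import threading

def send_fd(unix_sock, fd, tag=b"conn"):
    """Pass one open file descriptor over a unix domain socket (SCM_RIGHTS)."""
    fds = array.array("i", [fd])
    unix_sock.sendmsg([tag], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])

def recv_fd(unix_sock):
    """Receive one descriptor sent with send_fd(); returns (tag, fd)."""
    fds = array.array("i")
    tag, ancdata, _flags, _addr = unix_sock.recvmsg(64, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # keep only whole ints, as the socket module docs recommend
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if not fds:
        raise RuntimeError("no descriptor received on the unix socket")
    return tag, fds[0]

def handoff_demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed run: proxy accepts a TCP connection, passes the descriptor
    to the backend, and the backend answers the caller directly."""
    proxy_end, backend_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # any free loopback port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def backend():
        _tag, fd = recv_fd(backend_end)
        conn = socket.socket(fileno=fd)  # adopt the passed descriptor
        result["seen"] = conn.recv(1024)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
        conn.close()

    worker = threading.Thread(target=backend)
    worker.start()
    caller = socket.create_connection(("127.0.0.1", port))
    accepted, _peer = listener.accept()
    send_fd(proxy_end, accepted.fileno())
    accepted.close()  # the in-flight SCM_RIGHTS message keeps the file alive
    caller.sendall(payload)
    result["reply"] = caller.recv(1024)
    worker.join()
    for sock in (caller, listener, proxy_end, backend_end):
        sock.close()
    return result
```

In a real deployment the proxy and the backend would be separate processes sharing only the unix socket path, and the proxy would keep passing descriptors for the life of each proxied session.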
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers