[Devel] Re: container-to-host virtual or loopback kind of interface support

Elwin Stelzer Eliazer stelzere at gmail.com
Mon Apr 27 15:00:38 PDT 2009


Thanks Eric for your detailed response.
On the PPP interfaces under a namespace, how do I configure them in the lxc
config? Are there other types like "veth" and "macvlan" for PPP?

And I believe the container app that opens /dev/tun gets ownership of
the file handle, and several container apps can open this in parallel, and
they do not interfere. Even if the containers do not have separate rootfs,
this is the case. Please confirm these.

regards,
Elwin.



On Sun, Apr 26, 2009 at 2:37 PM, Eric W. Biederman <ebiederm at xmission.com>wrote:

> Elwin Stelzer Eliazer <stelzere at gmail.com> writes:
>
> > Thank you for your response.
> >
> > Let me explain my requirements more, and in this context, I would like to
> > know your response.
> >
> > A reverse web and applications proxy is the user space application that
> > we are virtualizing using network namespace and LXC.
> > Local apache server and other apps are accessed through several sockets
> > on 127.0.0.1 now and this has to be virtualized.
> > The proxy under each LXC must handle hundreds of proxied sessions.
> > The socket connections to local web and other apps server are dynamic,
> > and correspond to the dynamic external proxy sessions, and these can not be
> > created upfront.
> >
> > I posted two other questions also, for which I never got a response from
> > this list.
> >
> > 1. Can I have netfilter/iptables rules corresponding to each container,
> > that has overlapping IP address space? In other words, is netfilter/iptables
> > rule handling virtualized as part of network namespace? Some preliminary tests
> > seem to work. How do I know the development or proper release status on this
> > feature?
>
> Yes.
>
> The easiest way to know the status is to read the code.
> Short of that, the easiest way to know is to try it.
>
> In the network namespace either the feature should fail gracefully
> in a network namespace or after the code has been updated it should
> work.
>
> By and large all of ipv4 and ipv6 and iptables is expected to work.
>
> > 2. Can the /dev/tun based PPP interface be part of a container? Like veth
> > or macvlan, what is the type for this?
>
> Yes.  tun/tap is a well tested path.  ppp looks like it has also been
> converted.
>
> > Looking forward to your suggestions and the options I have for these
> > needs using LXC/namespace, as of 2.6.29. Do you still think I can avoid the
> > relay daemon?
>
> Apache is creating the connections on demand to your client.  Interesting.
>
> I am too familiar with that setup.  In all honesty the easy thing to
> do would be to have real ip address on something like the 192.168.0.0/16
> network for each virtual machine.
>
> Barring that it is possible to have your proxy receive the connections
> and pass them via a unix domain socket created at the beginning of
> time to your client.  If you have the proxy already it quite possibly
> isn't worth it.
>
> Eric
>
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
