
So according to the Ubuntu LXC documentation, the following statement can be found at the time of this writing:

A NIC can only exist in one namespace at a time, so a physical NIC passed into the container is not usable on the host.

Now one can have a single physical network card (NIC) share several IPs like this in /etc/network/interfaces (Debian/Ubuntu):

auto eth0 eth0:1
iface eth0 inet static
    address 192.168.0.100/24
    gateway 192.168.0.1
iface eth0:1 inet static
    address 192.168.0.200
    netmask 255.255.255.0

The same can be done with the respective configuration on other distros as well.

Now the question: can eth0 and eth0:1 be assigned to different namespaces or will assigning either one limit the other to the same namespace automatically?
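As an added example (not from the question or the answer), a small Python parser for the ifupdown stanzas above: it normalizes the CIDR and netmask forms and groups each address under its underlying device, since an "eth0:1" stanza is an address label on eth0 rather than a separate netdev. SAMPLE_INTERFACES is the asker's snippet embedded as constructed input.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample input: the alias configuration from the question.
SAMPLE_INTERFACES = """\
auto eth0 eth0:1
iface eth0 inet static
    address 192.168.0.100/24
    gateway 192.168.0.1
iface eth0:1 inet static
    address 192.168.0.200
    netmask 255.255.255.0
"""


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'iface' stanzas of an ifupdown file into {name: {option: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = words[1]
            stanzas[current] = {"family": words[2], "method": words[3]}
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None  # any other top-level keyword ends the stanza
        elif current is not None and len(words) >= 2:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def addresses_by_device(stanzas: Dict[str, Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (stanza name, address/prefix) pairs by the device that carries them.

    'eth0:1' is the legacy alias label for an extra address on eth0, so its
    address is listed under eth0. A 'netmask' option is folded into CIDR form.
    """
    result: Dict[str, List[Tuple[str, str]]] = {}
    for name, opts in stanzas.items():
        if "address" not in opts:
            continue
        addr = opts["address"]
        if "/" not in addr and "netmask" in opts:
            addr = f"{addr}/{opts['netmask']}"  # ip_interface accepts dotted masks
        iface = ipaddress.ip_interface(addr)
        device = name.split(":", 1)[0]
        result.setdefault(device, []).append((name, iface.with_prefixlen))
    return result
```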


It should be possible to assign eth0 and eth0:1 to different namespaces, but keep in mind there are security implications because you are exposing a physical network device to your container.

Because of that, I would just use veth and bridge. Create a bridge br0 and bridge it with eth0 device by default. Then configure your lxc container like this:

lxc.network.type=veth
lxc.network.ipv4=192.168.0.200
lxc.network.link=br0

This will have the same result, but you will use a virtual Ethernet interface for the container and you will also be able to access the same network that your LXC host is in because of the bridge.

  • Thanks. What would be the security implications, though? Commented May 5, 2014 at 9:24
  • One more thing. "Should" means you don't actually know and I need to try, or "should" means it should work on recent enough versions or so? Commented May 5, 2014 at 9:40
  • @0xC0000022L - always try but in this case it sounds like it's not 100% known.
    – slm
    Commented May 5, 2014 at 11:28
  • @0xC0000022L "should" means that I don't actually know and you need to try it. The interfaces which are assigned to LXC guests are not visible from the LXC host usually. As it is the same physical interface, you could expect different results. Regarding security, I know some cases where, when you make host network devices usable in the container and also use upstart as init, a halt in the container can shut down the host. This is the case with the none network type.
    – ek9
    Commented May 5, 2014 at 12:29
  • @edvinas.me: upstart, yes. You're right. I remember now. Thanks. Commented May 5, 2014 at 12:31
