[PLUG] Networking in Linux Containers

Tyrell Jentink tyrell at jentink.net
Tue Jan 7 21:44:17 UTC 2014


OK, just wanted to follow up:

The problem was with my network topology, not with the configuration. I
don't think any of the network diagnosis tools were really going to help me
find the problem, either, as the design was just too broken...  Here's the
thought process that ended up leading me to the solution:

I mapped out the network, using a block diagram and lines indicating the
network interfaces and routes.  I then mentally "Pinged" each device from
all the other devices, realizing how each device's routing table would
decide where to send the packet...  By doing so, I discovered that one
device actually had 2 IP addresses, and to get from one to the other, the
routing tables would simply end up dropping the packet as undeliverable.

Two solutions existed from there: Either 1) give each network its own
subnet, complete with their own IP addresses and default gateways, which
probably would have worked (And will probably be what I do in the future on
the laptops that may host their own virtual machines); or 2) create a
bridge interface for the "Internal" network, bridging it to eth1, have the
DHCP server and firewall listen to it, and then have the Linux Containers
connect directly to that bridge using the LXC veth drivers.

The second solution worked perfectly, and should have been the approach I
tried from the beginning.  I just wanted to share the concept of network
mapping that helped me diagnose the problem, in case anyone ever stumbles
across this thread with a similar problem...
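The mapping exercise described above, written out as a script: each device gets its interfaces and routing table, and the script "pings" every address from every other device by walking the tables hop by hop with longest-prefix match, reporting the pairs that end in a drop. This is an added example and not part of the original post or thread; the device names, links, addresses and routes are constructed for illustration, one topology with a second private subnet behind the host and one with the container bridged onto the internal LAN (the two options the post lists).

```python
"""Simulate the network-mapping exercise from the post: give every device
its interfaces and routing table, then "ping" every address from every
other device by walking the tables hop by hop (longest-prefix match) and
report which pairs end in a drop. All names, links, addresses and routes
below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network      # destination prefix
    dev: str                           # outgoing interface
    via: Optional[IP] = None           # next hop; None means on-link


@dataclass
class Device:
    name: str
    ifaces: dict                       # iface name -> (IPv4Interface, link name)
    routes: list


def iface(addr, link):
    return (ipaddress.ip_interface(addr), link)


def route(prefix, dev, via=None):
    return Route(ipaddress.ip_network(prefix), dev, IP(via) if via else None)


def lookup(device, dst):
    """Longest-prefix match over the device's routing table."""
    matches = [r for r in device.routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def owner_on_link(devices, addr, link):
    """Which device answers for `addr` on a given L2 link (the ARP step)."""
    for d in devices.values():
        for a, l in d.ifaces.values():
            if l == link and a.ip == addr:
                return d
    return None


def trace(devices, src, dst, max_hops=8):
    """Forward a packet from `src` toward `dst`; return (delivered, hop list)."""
    cur, path = devices[src], [src]
    for _ in range(max_hops):
        if any(a.ip == dst for a, _ in cur.ifaces.values()):
            return True, path                      # local delivery
        r = lookup(cur, dst)
        if r is None:
            return False, path + ["drop: no route"]
        _, link = cur.ifaces[r.dev]
        nexthop = r.via if r.via is not None else dst
        nxt = owner_on_link(devices, nexthop, link)
        if nxt is None:
            return False, path + [f"drop: {nexthop} not on {link}"]
        cur = nxt
        path.append(cur.name)
    return False, path + ["drop: hop limit (loop?)"]


def unreachable_pairs(devices):
    """Every (src, dst device, dst address, path) whose trace ends in a drop."""
    failures = []
    for s in devices.values():
        for d in devices.values():
            if s is d:
                continue
            for a, _ in d.ifaces.values():
                ok, path = trace(devices, s.name, a.ip)
                if not ok:
                    failures.append((s.name, d.name, str(a.ip), " -> ".join(path)))
    return failures


def build_topology(bridged):
    """Two-subnet design versus the container bridged onto the internal LAN."""
    devices = {
        "modem": Device("modem", {"lan": iface("10.0.0.254/24", "lan")},
                        [route("10.0.0.0/24", "lan")]),
        "pc": Device("pc", {"eth0": iface("10.0.0.20/24", "lan")},
                     [route("10.0.0.0/24", "eth0"),
                      route("0.0.0.0/0", "eth0", "10.0.0.254")]),
    }
    if bridged:
        # host's eth1 and the container's veth sit on one bridge: same link, same subnet
        devices["host"] = Device("host", {"br0": iface("10.0.0.1/24", "lan")},
                                 [route("10.0.0.0/24", "br0"),
                                  route("0.0.0.0/0", "br0", "10.0.0.254")])
        devices["ct1"] = Device("ct1", {"eth0": iface("10.0.0.50/24", "lan")},
                                [route("10.0.0.0/24", "eth0"),
                                 route("0.0.0.0/0", "eth0", "10.0.0.254")])
    else:
        # host carries a second address on a private container subnet that
        # nothing upstream knows how to route back to
        devices["host"] = Device("host", {"eth0": iface("10.0.0.1/24", "lan"),
                                          "eth1": iface("192.168.1.1/24", "ct")},
                                 [route("10.0.0.0/24", "eth0"),
                                  route("192.168.1.0/24", "eth1"),
                                  route("0.0.0.0/0", "eth0", "10.0.0.254")])
        devices["ct1"] = Device("ct1", {"eth0": iface("192.168.1.50/24", "ct")},
                                [route("192.168.1.0/24", "eth0"),
                                 route("0.0.0.0/0", "eth0", "192.168.1.1")])
    return devices


if __name__ == "__main__":
    for bridged in (False, True):
        print("bridged" if bridged else "two subnets, no return route")
        for src, dst, ip, path in unreachable_pairs(build_topology(bridged)):
            print(f"  {src} -> {dst} ({ip}): {path}")
```

In the two-subnet layout the container can send to the PC (its default route goes through the host, which has both subnets), but the PC's reply follows its own default route to the modem, which has no route for 192.168.1.0/24 and drops it; that one-way reachability is exactly the kind of thing a per-direction walk exposes. Adding a return route on the modem (option 1) or putting the container on the bridged LAN (option 2) clears the list.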


On Fri, Jan 3, 2014 at 1:42 PM, Tyrell Jentink <tyrell at jentink.net> wrote:

> Thanks for the hints:  I'm fairly new to diagnosing networking problems
> beyond "Did you check the cables, and make sure everything was turned on?,"
> and all the tools I can get towards the goal of being a better network
> admin are useful to me.
>
> However, later in the evening, I discovered that even pinging the host
> from inside the linux container was dropping a startling and unpredictable
> number of packets: At one point I was dropping 10% of my ping requests, at
> another I only dropped 16 out of 900... Both are abysmal, considering the
> packets were NEVER ACTUALLY LEAVING THE PHYSICAL MACHINE!  So clearly
> SOMETHING wasn't working in my macvlan configuration.  I'm also still
> trying to figure out all of these different virtual networking
> technologies;  I'm fairly certain that my problem pertains to the
> configuration of macvlan I had, as I had configured both the host and the
> client as macvlans rather than as macvtaps, Or Something Like That... I'm
> still not sure I understand macvlan, as it's not terribly well documented
> with relationship to Linux Containers.
>
> That's where I gave up for the evening.
>
> Now I'm back to researching macvlan and macvtaps...  I suspect the
> solution will become something along the lines of having three separate
> networks: Internet facing, Intranet facing, and then a virtual Linux
> Container facing network, and I'll just bridge them all together with
> firewall rules...  At least that way the host is only networking using
> physical NICs, and the virtual clients aren't messing with them.
>
>
> On Fri, Jan 3, 2014 at 12:48 PM, Mike C. <mconnors1 at gmail.com> wrote:
>
>> <snip>
>>
>> > I am experimenting with Linux Containers, as I would like to run several
>> > web servers without the overhead of proper virtualization.  I am using
>> > Oracle Linux 6.5 on both the host and the container.  I never got static IP
>> > addresses to work, so I instead gave the container a fixed reservation from
>> > the DHCP server.  It is now getting the desired IP address, and it's
>> > populating /etc/resolv.conf with the appropriate DNS servers.  I am able to
>> > SSH into the container, and ping around the local network and the internet
>> > from the container, but by IP only. DNS lookups work on all clients on the
>> > network, and from the host, but not from the containers; To be clear: I can
>> > ping Google by IP address, but ping won't resolve the hostname if I try
>> > pinging google.com.
>> >
>> > I do not have a local DNS (yet); That will come later when I install
>> > IdM/FreeIPA.  Right now, the DHCP server is issuing 8.8.8.8 and 8.8.4.4 as
>> > the DNS servers, and that works on all of the network clients in the house
>> > EXCEPT the Linux Containers. <snip>
>> >
>>
>> Hey Tyrell - The first thing I'd suggest doing is to verify that you can
>> send a DNS request and receive a DNS response to/fro an Internet DNS
>> server. You can do this by running the "nslookup" command from a terminal
>> prompt.
>>
>> You can do this 2 ways. If you don't set the server, nslookup will attempt
>> to make the query from the DNS servers specified in /etc/resolv.conf.
>>
>> Even though your DHCP is configured with DNS server parameters, each DHCP
>> client has to request the DNS server ip addrs from the DHCP server.
>>
>> So it could be that what's in the /etc/resolv.conf in the LXC container is
>> not what you think it should be.
>>
>> So I would set the DNS server with "server 8.8.8.8" after you enter the
>> nslookup command. Then at the ">" prompt just enter in yahoo.com or
>> whatever for the dns lookup test.
>>
>>  e.g.
>>
>> $ nslookup
>> > server 8.8.8.8
>> Default server: 8.8.8.8
>> Address: 8.8.8.8#53
>> > yahoo.com
>> Server: 8.8.8.8
>> Address: 8.8.8.8#53
>>
>> Non-authoritative answer:
>> Name: yahoo.com
>> Address: 98.139.183.24
>> Name: yahoo.com
>> Address: 98.138.253.109
>> Name: yahoo.com
>> Address: 206.190.36.45
>>
>> HTH!
>> _______________________________________________
>> PLUG mailing list
>> PLUG at lists.pdxlinux.org
>> http://lists.pdxlinux.org/mailman/listinfo/plug
>>
>
>
>
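The check Mike suggests in the quoted reply (first see which nameservers the container's /etc/resolv.conf really lists, then query a chosen server directly instead of going through the stub resolver), done in code rather than with nslookup. This is an added example, not part of the thread: it builds an RFC 1035 A query by hand, parses the answer, and sends it over UDP/53 only when you call resolve() against a real server. The resolv.conf text and the response bytes used for the self-check are constructed (192.0.2.10 is a TEST-NET-1 documentation address).

```python
"""Reproduce the check from the reply above without nslookup: read which
nameservers the container's /etc/resolv.conf actually lists, then send a
raw DNS A query to a server of your choosing (RFC 1035 wire format) and
parse the answer. The resolv.conf text and the response bytes used in
the self-test are constructed; resolve() does real UDP when given a server."""
import socket
import struct


def nameservers(resolv_conf_text):
    """Nameserver addresses in resolv.conf order (what the stub resolver would use)."""
    out = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def build_query(name, txid=0x1234):
    """Standard recursive A query for `name`: 12-byte header + question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, txid=0x1234):
    """Return (rcode, [A record addresses]) from a response; raise on id mismatch."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F                  # 0 = NOERROR, 3 = NXDOMAIN, ...
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4      # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs


def resolve(name, server, timeout=2.0):
    """Ask `server` directly over UDP/53, bypassing /etc/resolv.conf entirely."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)


# Constructed response to build_query("example.com"): NOERROR with one A record.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 question, 1 answer
    + build_query("example.com")[12:]                    # echoed question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name -> offset 12, A/IN, TTL 300
    + socket.inet_aton("192.0.2.10")                      # constructed TEST-NET-1 address
)

# Constructed resolv.conf as a container handed 8.8.8.8 / 8.8.4.4 by DHCP would have it.
SAMPLE_RESOLV_CONF = "# constructed\nsearch example.lan\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"

if __name__ == "__main__":
    print("resolv.conf says:", nameservers(SAMPLE_RESOLV_CONF))
    print("parsed sample:", parse_response(SAMPLE_RESPONSE))
    # Live check against a chosen server (needs network): resolve("example.com", "8.8.8.8")
```

If resolve() against 8.8.8.8 returns an answer while the container's own lookups fail, the problem is what the stub resolver is reading (the resolv.conf contents or the container's view of it), not UDP/53 reachability; if resolve() times out too, the packets are not getting out, which points back at the container's network path rather than DNS configuration.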