Linux Network Virtualization Workshop

Intro

  • In this workshop we will configure containers with various networking setups.
  • As virtualization technologies, we will use both LXC and libvirt_lxc.
  • Please run all setups as root.
  • In order for a setup to be considered valid / working, you must have connectivity to the Internet (pinging google.com should work).
  • Before running any setup, please check that you have an interface (e.g. eth0) that has connectivity to the internet.
  • If during your setups you get the error:
error: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Connection refused
error: failed to connect to the hypervisor

make sure your hypervisor (the libvirtd process) is running. If not, start it with:

libvirtd -d

Scenario

For each setup, you will do the following steps:

  • Open a container shell - this is not a system container, it is just a shell process in an isolated environment.

Details follow for both LXC and Libvirt.

  • Check the networking configuration:
~# ifconfig
  • If needed, run dhclient in order to get an IP for the container interface. Be sure to kill it once you have an IP so it won't remain hanging in the background (and prevent the container from exiting successfully):
~# dhclient eth0
~# /usr/bin/pkill dhclient
  • Check Internet connectivity:
~# ping google.com
  • Where relevant (e.g. the host has a different IP than the container) try pinging the host.

  • Close the container shell.

Details follow for both LXC and Libvirt.

LXC Brief

  • Open a container shell - this will be done using lxc-execute which will start a shell in an isolated environment. This is configured using a certain configuration file that is different for each networking scenario:
~# lxc-execute -n foo -f config-file.conf -- /bin/sh
  • Close the container shell - this is done running exit in the shell. No further cleanup is needed.

Libvirt Brief

  • Open a container shell - you will need to define, start and console to a domain. The domain is defined from an XML file, which is different for each networking scenario:
~# virsh -c lxc:/// define foo.xml
Domain foo defined from foo.xml
 
~# virsh -c lxc:/// start foo
Domain foo started
 
~# virsh -c lxc:/// console foo
Connected to domain foo
Escape character is ^]
#
  • Close the container shell - you need to run exit in the console and undefine the domain. You may also escape the console, destroy and undefine the domain.
~# virsh -c lxc:/// destroy foo
Domain foo destroyed
 
~# virsh -c lxc:/// undefine foo
Domain foo has been undefined

Networking Setups

Shared Networking

For this setup, all the steps are provided. For future setups, only the configuration file (LXC) / XML file (Libvirt) will be provided, along with some preliminary host setup. This way, the tutorial becomes less redundant.

LXC

root@smackdab:~# vim lxc-shared.conf
root@smackdab:~# cat lxc-shared.conf
# Container with non-virtualized network
lxc.utsname = delta
root@smackdab:~# lxc-execute -n foo -f lxc-shared.conf -- /bin/sh
#
#
#
#
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 08:00:27:28:d3:b7
          inet addr:10.171.74.12  Bcast:10.171.75.255  Mask:255.255.254.0
          inet6 addr: fe80::a00:27ff:fe28:d3b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9998 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2919 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1273604 (1.2 MiB)  TX bytes:449114 (438.5 KiB)
 
# ping google.com
PING google.com (173.194.41.98) 56(84) bytes of data.
 
# exit
/bin/sh: 7: Cannot set tty process group (No such process)
root@smackdab:~#

Libvirt

root@smackdab:~# vim foo.xml
root@smackdab:~# cat foo.xml
<domain type='lxc'>
  <name>foo</name>
  <memory>500000</memory>
 
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
 
  <devices>
    <console type='pty'/>
  </devices>
</domain>
root@smackdab:~# virsh -c lxc:/// define foo.xml
Domain foo defined from foo.xml
 
root@smackdab:~# virsh -c lxc:/// start foo
Domain foo started
 
root@smackdab:~# virsh -c lxc:/// console foo
Connected to domain foo
Escape character is ^]
#
#
#
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 08:00:27:28:d3:b7
          inet addr:10.171.74.12  Bcast:10.171.75.255  Mask:255.255.254.0
          inet6 addr: fe80::a00:27ff:fe28:d3b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10318 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1303848 (1.2 MiB)  TX bytes:474880 (463.7 KiB)
 
# ping google.com
PING google.com (173.194.41.97) 56(84) bytes of data.
 
# exit
root@smackdab:~# virsh -c lxc:/// undefine foo
Domain foo has been undefined
 
root@smackdab:~#
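
Both transcripts above show the host's own eth0 (same MAC and IP address) inside the container shell, because neither configuration asks for a separate network namespace. The following check is an added example, not part of the original workshop: it compares the network namespace links under /proc for the host's PID 1 and a process inside the container. The function names and the PROC_ROOT argument are assumptions made for this example, and the PID of the container shell has to be looked up on the host (for example with ps).

```sh
# Added example (not from the workshop): is a process in the host's network
# namespace? PROC_ROOT is a hypothetical override for testing on a fake tree.

# netns_id PID [PROC_ROOT]: print the namespace link, e.g. net:[4026531956]
netns_id() {
    readlink "${2:-/proc}/$1/ns/net" 2>/dev/null
}

# netns_verdict HOST_PID CONTAINER_PID [PROC_ROOT]
# Prints and returns: isolated (0), shared (1), unknown (2, link unreadable).
netns_verdict() {
    host_ns=$(netns_id "$1" "${3:-/proc}") || { echo unknown; return 2; }
    cont_ns=$(netns_id "$2" "${3:-/proc}") || { echo unknown; return 2; }
    if [ "$host_ns" = "$cont_ns" ]; then
        echo shared
        return 1
    fi
    echo isolated
}

# Run as a script (as root): ./netns-check.sh <pid-of-container-shell>
if [ $# -eq 1 ]; then
    netns_verdict 1 "$1"
fi
```

For the shared setup the expected answer is "shared"; for the setups that follow, a container with its own interface should report "isolated".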

Private Networking

In this setup, we will assign a network interface to a container. The interface will “disappear” from the host machine: while the container is running, you can check from a different root terminal that it is no longer present on the host.

LXC

root@smackdab:~# vim lxc-phys.conf
root@smackdab:~# cat lxc-phys.conf
# Container with network virtualized using a physical network device with name
# 'eth0'
lxc.utsname = gamma
lxc.network.type = phys
lxc.network.flags = up
lxc.network.link = eth0

Libvirt

The version of Libvirt running on the host machines does not provide the possibility to assign a networking interface private to a container. Functionality has been implemented, though, and will be included in future versions of Libvirt.

Virtual Ethernet Bridging

In this setup you will configure container networking using Virtual Ethernet Bridging. When testing connectivity, test with both the Internet and the host IP.

Host Setup

Please run the following setup on your host machine:

root@smackdab:~# brctl addbr br0
root@smackdab:~# brctl addif br0 eth0
root@smackdab:~# ifconfig eth0 0.0.0.0 up
root@smackdab:~# ifconfig br0 up
root@smackdab:~# dhclient br0

LXC

root@smackdab:~# vim lxc-veth.conf
root@smackdab:~# cat lxc-veth.conf
# Container with network virtualized using a pre-configured bridge named br0 and
# veth pair virtual network devices
lxc.utsname = beta
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0

Libvirt

root@smackdab:~# vim foo.xml
root@smackdab:~# cat foo.xml
<domain type='lxc'>
  <name>foo</name>
  <memory>500000</memory>
 
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
 
  <devices>
    <console type='pty'/>
    <interface type="bridge">
      <source bridge="br0" />
    </interface>
  </devices>
</domain>

Cleanup

Please restore the networking setup of your machine by running the following commands:

root@smackdab:~# ifconfig br0 down
root@smackdab:~# brctl delbr br0
root@smackdab:~# dhclient eth0

MacVTap

In this setup you will configure container networking using MAC VLAN tagging. When testing connectivity, test with both the Internet and the host IP.

Host Setup

Please put your host interface into promiscuous mode:

root@smackdab:~# ifconfig eth0 promisc

LXC

root@smackdab:~# vim lxc-macvlan.conf
root@smackdab:~# cat lxc-macvlan.conf
# Container with network virtualized using the macvlan device driver
lxc.utsname = alpha
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = eth0
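
The four LXC configuration files in this workshop differ only in their lxc.network.* lines, and the one for shared networking has none at all. As an added example (not part of the original workshop), the following script reads such a file and states which host device the container will touch. The function names are assumptions made for this example, only the four cases used on this page are handled, and if a file declares several interfaces only the last one is reported.

```sh
# Added example (not from the workshop): summarize the network mode of an
# LXC config that uses the lxc.network.* keys shown on this page.

# lxc_net_summary FILE: print "<type> <link>"; "shared -" when no
# lxc.network.type line is present.
lxc_net_summary() {
    awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)               # key without blanks
            gsub(/^[ \t]+|[ \t]+$/, "", val)     # trimmed value
        }
        key == "lxc.network.type" { type = val }
        key == "lxc.network.link" { link = val }
        END {
            if (type == "") type = "shared"
            if (link == "") link = "-"
            print type, link
        }' "$1"
}

# lxc_host_exposure FILE: one line saying what the container touches on the host.
lxc_host_exposure() {
    set -- $(lxc_net_summary "$1")
    case "$1" in
        shared)  echo "no lxc.network.type: shell runs in the host network namespace" ;;
        phys)    echo "host interface $2 is moved into the container" ;;
        veth)    echo "veth peer is attached to host bridge $2" ;;
        macvlan) echo "macvlan device is created on top of host interface $2" ;;
        *)       echo "lxc.network.type $1 is not covered by this workshop" ;;
    esac
}

# Run as a script: ./lxc-net-mode.sh lxc-shared.conf lxc-phys.conf ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(lxc_host_exposure "$f")"
done
```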

Libvirt

root@smackdab:~# vim foo.xml
root@smackdab:~# cat foo.xml
<domain type='lxc'>
  <name>foo</name>
  <memory>500000</memory>
 
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
 
  <devices>
    <console type='pty'/>
    <interface type="direct">
      <source dev="eth0" mode="bridge" />
    </interface>
  </devices>
</domain>

NOTE: libvirt may fail when stopping the container:

error: Failed to destroy domain foo
error: End of file while reading data: Input/output error

Please restart the hypervisor if you encounter this error.

Cleanup

Please remove the host interface from promiscuous mode:

root@smackdab:~# ifconfig eth0 -promisc
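
The two cleanup steps in this workshop (removing br0 and leaving promiscuous mode) are easy to forget, and a host left bridged or promiscuous keeps receiving traffic it would otherwise ignore. The following check is an added example, not part of the original workshop: it reads the interface state from /sys/class/net and reports anything the setups left behind. The function names and the NET_ROOT argument are assumptions made for this example.

```sh
# Added example (not from the workshop): look for host state left behind by
# the bridge and MacVTap setups. NET_ROOT is a hypothetical override that
# lets the check run against a constructed tree instead of /sys/class/net.

# is_promisc IFACE [NET_ROOT]: exit 0 if IFF_PROMISC (0x100) is set,
# 1 if it is clear, 2 if the flags file cannot be read.
is_promisc() {
    flags=$(cat "${2:-/sys/class/net}/$1/flags" 2>/dev/null) || return 2
    [ $(( $flags & 0x100 )) -ne 0 ]
}

# leftover_state IFACE BRIDGE [NET_ROOT]
# Prints one finding per line; returns 0 only when nothing is left over.
leftover_state() {
    root=${3:-/sys/class/net}
    findings=0
    if [ ! -e "$root/$1" ]; then
        echo "$1: not visible on the host (still assigned to a container?)"
        findings=$((findings + 1))
    elif is_promisc "$1" "$root"; then
        echo "$1: promiscuous mode is on (ifconfig $1 -promisc)"
        findings=$((findings + 1))
    fi
    if [ -d "$root/$2/bridge" ]; then
        echo "$2: bridge still exists (ifconfig $2 down; brctl delbr $2)"
        findings=$((findings + 1))
    fi
    if [ -e "$root/$2/brif/$1" ]; then
        echo "$1: still a port of $2"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run as a script: ./leftover.sh eth0 br0
if [ $# -eq 2 ]; then
    leftover_state "$1" "$2"
fi
```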
sesiuni/virtualization-networking/session2.txt · Last modified: 2013/06/26 23:56 by laura