Containers veth bridge, getting started
I started to put together Easy Containers in January 2017, and this website was extremely helpful:
http://blog.z3bra.org/2016/03/hand-crafted-containers.html
...a lovely, clear, grass-roots explanation. At that time I did not
bother with a 'network namespace', just using the host network namespace
in the containers -- which makes things very simple: just copy
/etc/resolv.conf into a container, and we have Internet access. I do
drop 'network capabilities', so it is reasonably secure.
Fast forward to now, and I am experimenting with a container that has its
own network namespace. The above link has an example of setting up a
'virtual ethernet' bridge. It requires the "netns" option of the 'ip'
utility, which the Busybox ip applet does not have, so I had to install
the full 'ip' from the 'iproute2' package -- that 'ip' is 430KB,
unfortunately.
Here is what I did, following the example from the above link:
# brctl addbr br0
# brctl addif br0 eth0
# dhcpcd br0
br0: waiting for carrier
br0: carrier acquired
br0: adding address fe80::4ea2:f3b9:2318:6773
DUID 00:01:00:01:13:43:3e:ca:c0:55:e9:0f:eb:00
br0: IAID e8:0f:ec:00
br0: soliciting a DHCP lease
br0: offered 192.168.1.3 from 192.168.1.1
br0: leased 192.168.1.3 for 7200 seconds
br0: adding route to 192.168.1.0/24
br0: adding default route via 192.168.1.1
forked to background, child pid 5414
# ip netns add handcraft
# ip link add veth1 type veth peer name eth1
RTNETLINK answers: File exists
# ip link set eth1 netns handcraft
# brctl addif br0 veth1
brctl: iface veth1: No such device
# ip link add veth2 type veth peer name eth2
# ip link set eth2 netns handcraft
# brctl addif br0 veth2
# ip link set veth2 up
# ip netns exec dhcpcd eth2
Cannot open network namespace "dhcpcd": No such file or directory
# ip netns exec handcraft dhcpcd eth2
eth2: waiting for carrier
eth2: carrier acquired
eth2: adding address fe80::b4b:efa7:15f7:d3d0
DUID 00:01:00:01:13:43:3e:ca:c0:55:e9:0f:eb:00
eth2: IAID d4:a8:e2:56
eth2: soliciting a DHCP lease
eth2: soliciting an IPv6 router
eth2: offered 192.168.1.4 from 192.168.1.1
eth2: probing address 192.168.1.4/24
eth2: leased 192.168.1.4 for 7200 seconds
eth2: adding route to 192.168.1.0/24
eth2: adding default route via 192.168.1.1
forked to background, child pid 6996
#
Along the way I got two errors, but was able to fix them. I don't know why
it objected to "veth1". The second error is due to a syntax error in the
example, which I sorted out by reading this excellent page:
https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/
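The bridge / veth / namespace sequence above, rewritten as a shell script. This is an added example, not the blog's own script: it checks interface names before 'ip link add', since "RTNETLINK answers: File exists" is what that command reports when either end's name (here veth1 or eth1) is already in use, it creates the bridge and namespace only if they are missing, and it brings up the namespace's loopback, which starts down in a fresh namespace. The bridge, uplink and namespace names default to the post's br0, eth0 and handcraft; the DRY_RUN switch, the 'verify' step and the sample 'ip -o link show' output are assumptions of mine, not captured from the post's machine.

```sh
#!/bin/sh
# Added example, not the blog's own script: the bridge / veth / netns sequence
# from the post, made idempotent. Assumptions (not from the post): iproute2 'ip'
# with netns support, brctl and dhcpcd installed, run as root on Linux.
# Set DRY_RUN=1 to print the privileged commands instead of running them.
set -eu

BRIDGE=${BRIDGE:-br0}      # bridge name used in the post
UPLINK=${UPLINK:-eth0}     # physical interface enslaved to the bridge
NS=${NS:-handcraft}        # network namespace name used in the post

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# link_names IP_OUTPUT: interface names from 'ip -o link show' output, one per
# line. Veth ends are listed as 'veth2@eth2'; the '@peer' suffix is dropped.
link_names() {
    printf '%s\n' "$1" | awk -F': ' 'NF >= 2 { sub(/@.*/, "", $2); print $2 }'
}

# has_link NAME NAMES: true when NAME appears in the newline-separated NAMES.
has_link() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# free_pair_index NAMES: smallest N >= 1 with neither vethN nor ethN in use.
# 'ip link add ... peer name ...' fails with "RTNETLINK answers: File exists"
# when either end's name is already taken, so both names are checked.
free_pair_index() {
    i=1
    while has_link "veth$i" "$1" || has_link "eth$i" "$1"; do
        i=$((i + 1))
    done
    printf '%s\n' "$i"
}

# setup: the post's commands, preceded by the name checks.
setup() {
    names=$(link_names "$(ip -o link show)")
    n=$(free_pair_index "$names")
    host_end="veth$n"
    ns_end="eth$n"

    if ! has_link "$BRIDGE" "$names"; then
        run brctl addbr "$BRIDGE"
        run brctl addif "$BRIDGE" "$UPLINK"
        run dhcpcd "$BRIDGE"
    fi
    ip netns list | awk '{ print $1 }' | grep -qx -- "$NS" || run ip netns add "$NS"

    run ip link add "$host_end" type veth peer name "$ns_end"
    run ip link set "$ns_end" netns "$NS"
    run brctl addif "$BRIDGE" "$host_end"
    run ip link set "$host_end" up
    # A new namespace's loopback starts down; bring it up so 127.0.0.1 works inside.
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" dhcpcd "$ns_end"
    printf 'container end: %s inside netns %s\n' "$ns_end" "$NS"
}

# verify: confirm the namespace really is separate from the host's, by
# comparing the network-namespace inode seen from each side.
verify() {
    host=$(readlink /proc/self/ns/net)
    ns=$(ip netns exec "$NS" readlink /proc/self/ns/net)
    if [ "$host" = "$ns" ]; then
        echo "netns $NS shares the host network namespace" >&2
        return 1
    fi
    printf 'netns %s is isolated (%s vs host %s)\n' "$NS" "$ns" "$host"
}

# Constructed sample of 'ip -o link show' output (not captured from the post's
# machine), with eth1 already present so the first free pair is veth2/eth2.
SAMPLE_IP_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

case "${1:-}" in
    setup)  setup ;;
    verify) verify ;;
    demo)   free_pair_index "$(link_names "$SAMPLE_IP_OUTPUT")" ;;   # prints 2
    *)      : ;;
esac
```

Run it as 'sh veth-setup.sh setup' once as root, then 'sh veth-setup.sh verify'; 'demo' exercises the name check against the constructed sample without touching the system. With DRY_RUN=1 the setup step only prints the 'brctl', 'ip' and 'dhcpcd' commands it would run, which is a convenient way to review them before granting root.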
Now to run my container. The container rootfs is already set up, with
/etc/resolv.conf copied in, so it is just a matter of chrooting into it.
Using pflask:
# ip netns exec handcraft pflask --keepenv --mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0 --no-ipcns --no-netns \
--caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-mknod,-sys_module,-sys_nice,-sys_resource \
--no-userns --chroot=/mnt/sdc2/containers/sh0/container -- /ec-run sh0 sakura
...I have not specified a network namespace for pflask; instead, I have prefixed the command with 'ip netns exec handcraft', as shown above.
Inside the container, I expect 'eth2' to be accessible:
# ifconfig
eth2 Link encap:Ethernet HWaddr 9A:45:D4:A9:E2:57
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe81::b4b:efa6:15f7:d3d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:104 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39782 (38.8 KiB) TX bytes:1737 (1.6 KiB)
# ping google.com
PING google.com (172.217.167.78): 56 data bytes
64 bytes from 172.217.167.78: seq=0 ttl=49 time=82.916 ms
...yay!
Notice there is no 'lo' interface; I would have to set that up. But do I need it?
Tags: easy