6 lxd networking

Last updated: 2023-02-13

Contents

  • Managed network
  • Network types
  • FanNetworking
  • fanctl
  • LXD fan Settings
  • Bridge Network Usage
  • Bridge Settings
  • OVN network
  • Network ACLs
  • Network forward
  • Proxy Device

Managed network

lxc network [create|edit|set]

Types: Bridge network, OVN network

Network types

Macvlan network

Macvlan is a virtual LAN that you can use if you want to assign several IP addresses to the same network interface.
You can then assign IP addresses based on the randomly generated MAC addresses.

SR-IOV network

It is a hardware standard that allows a single network card port to appear as several virtual NICs in a virtualized environment.

FanNetworking

The fan system can be considered “address expansion”:

a mapping between a smaller network address space and a larger one,

which assigns subnets from the larger one to IP addresses on the smaller one,

and enables automatic and simple tunnelling and routing between systems on the larger address space.

/16 network -> /8 network

Each overlay address is mathematically related to the primary (or underlay/smaller) IP,

e.g.

  • Underlay IP: 192.168.88.241/24
  • Overlay IP: 240.241.0.1/8

fanctl

# mappings are limited to /8 on /16
# The host binds to the .1 address (default)

fanctl up 10.0.0.0/8 172.16.3.4/16

# Tear down

fanctl down 10.0.0.0/8 172.16.3.4/16

# dhcp: whether a dnsmasq is configured on this fan subnet
fanctl up 10.0.0.0/8 172.16.3.4/16 dhcp

# host-reserve: adds 4 additional addresses to the bridge for host use, 10.1.0.1-10.1.0.4
fanctl up 10.0.0.0/8 172.16.3.4/16 host-reserve 4

# Persistent configuration

/etc/network/interfaces

iface eth0 inet static
    address 172.16.3.4
    netmask 255.255.0.0
    up fanctl up 10.0.0.0/8 172.16.3.4/16
    down fanctl down 10.0.0.0/8 172.16.3.4/16
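The overlay/underlay relationship described in the FanNetworking and fanctl sections above is fixed arithmetic. The following added example (not fan or LXD code) computes it for the two cases in these notes, the LXD /24 underlay and the fanctl /16 underlay, and reverses it to find the underlay host that tunnels traffic for a given overlay address; the peer address 240.55.0.9 is constructed.

```python
"""Ubuntu Fan address arithmetic, as used by `fanctl` and by an LXD bridge with
bridge.mode=fan.  Added example, not fan or LXD code; the underlay/overlay pairs
come from the notes above, the peer address is constructed."""
import ipaddress


def fan_host_subnet(underlay_host: str, overlay: str) -> ipaddress.IPv4Network:
    """Overlay subnet owned by one underlay host.

    The underlay host bits (8 for a /24, 16 for a /16) are copied into the
    overlay right after the overlay prefix; the remaining bits form the host's
    per-instance subnet.  Pure arithmetic, no control plane: every underlay
    host must be trusted, since any of them can derive any peer's subnet.
    """
    host = ipaddress.ip_interface(underlay_host)      # e.g. 192.168.88.241/24
    ov = ipaddress.ip_network(overlay)                # e.g. 240.0.0.0/8
    host_bits = 32 - host.network.prefixlen
    new_prefix = ov.prefixlen + host_bits
    if new_prefix >= 32:
        raise ValueError("overlay prefix too long for this underlay")
    host_part = int(host.ip) & int(host.network.hostmask)
    net = int(ov.network_address) | (host_part << (32 - new_prefix))
    return ipaddress.IPv4Network((net, new_prefix))


def fan_host_address(underlay_host: str, overlay: str) -> ipaddress.IPv4Address:
    """The .1 address the host itself binds on its fan subnet (fanctl default)."""
    return fan_host_subnet(underlay_host, overlay).network_address + 1


def fan_underlay_for(overlay_ip: str, underlay: str, overlay: str) -> ipaddress.IPv4Address:
    """Reverse mapping: the underlay host that tunnels traffic for an overlay IP."""
    ov = ipaddress.ip_network(overlay)
    ul = ipaddress.ip_network(underlay)
    addr = ipaddress.ip_address(overlay_ip)
    if addr not in ov:
        raise ValueError(f"{addr} is outside the overlay {ov}")
    host_bits = 32 - ul.prefixlen
    shift = 32 - ov.prefixlen - host_bits
    host_part = (int(addr) >> shift) & ((1 << host_bits) - 1)
    return ul.network_address + host_part


if __name__ == "__main__":
    # Notes' LXD example (/24 underlay, /8 overlay: a /16 per host) and fanctl example (/16: a /24 per host).
    print(fan_host_subnet("192.168.88.241/24", "240.0.0.0/8"))   # 240.241.0.0/16
    print(fan_host_address("172.16.3.4/16", "10.0.0.0/8"))       # 10.3.4.1
    # Constructed peer lookup: the underlay host that tunnels traffic for 240.55.0.9.
    print(fan_underlay_for("240.55.0.9", "192.168.88.0/24", "240.0.0.0/8"))  # 192.168.88.55
```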

LXD fan Settings

fan.type: vxlan (default) or ipip

fan.overlay_subnet: 240.0.0.0/8

fan.underlay_subnet: CIDR / auto        # can only be set when the network is created

Bridge Network Usage

# Use an existing network interface by adding it as a network device to your instance.

lxc config device add <instance_name> <device_name> nic nictype=<nic_type> ...

* This network interface is outside of LXD control.

e.g.

lxc config device add <instance_name> eth0 nic nictype=bridged parent=br0

# Attach an LXD-managed network

lxc network attach <network_name> <instance_name> <device_name>

As a general recommendation:

LXD on a single system or in a public cloud
    => use a Bridge network, possibly in connection with the Ubuntu Fan.

LXD in your own private cloud
    => use an OVN network.

Bridge Settings

bridge.mode                     # standard / fan

ipv4.dhcp.expiry: 1h            # When to expire DHCP leases

ipv4.nat.address                # The source address used for outbound traffic from the bridge

dns.domain (Default: lxd)       # Domain to advertise to DHCP clients and use for DNS resolution

lxc network create lxdbr0 -t bridge

Disable IPv6

lxc network set lxdbr0 ipv6.address=none

lxc network set lxdbr0 ipv6.dhcp=false

lxc network set lxdbr0 ipv6.nat=false

Set the subnet and the outgoing IP

lxc network set lxdbr0 ipv4.address=10.0.0.1/24

lxc network set lxdbr0 ipv4.nat.address=192.168.88.244

lxc network set lxdbr0 ipv4.dhcp.expiry=7d

Show

lxc network show lxdbr0

Verify

ip route | grep br0              # IP, Route
ps aux | grep lxdbr0            # DNS, DHCP

lxc info | grep firewall:
nft list ruleset

# To attach the network my-network to the instance my-instance as eth0 device
# shortcut for adding a NIC device to an instance

lxc network attach my-network my-instance eth0

Set a fixed IP for an instance

lxc config device set c1 eth0 ipv4.address 10.99.10.42

Equivalent to adding the NIC with the address set at creation time:

lxc config device add <instance_name> <device_name> nic network=<network_name> ipv4.address=<IP_address>

lxc config device add c1 eth0 nic network=lxdbr0 ipv4.address=10.99.10.42

List the leases (TYPE column: STATIC / DYNAMIC)

lxc network list-leases lxdbr0

OVN network

www.ovn.org

network types: ovn

By default, all connections from the OVN logical networks are NATed to an IP allocated from the uplink network.

Network ACLs

Network ACLs can be assigned directly to the NIC of an instance or to a network.

Create an ACL

lxc network acl create <ACL_name> [configuration_options...]

Add or remove rules

lxc network acl rule add <ACL_name> <direction> [properties...]

* A default reject rule is added to the NIC; to change it:
   lxc config device set <instance_name> <device_name> security.acls.default.ingress.action=allow

* Bridge networks: ACLs cannot be used to create intra-bridge firewalls

* Baseline network service rules are added before the ACL rules (INPUT/OUTPUT)

properties:
action: allow, reject or drop
state: enabled (default), disabled or logged
description
source
destination
protocol: icmp4, icmp6, tcp, udp
source_port
destination_port
icmp_code

# add --force to delete all matching rules

lxc network acl rule remove <ACL_name> <direction> [properties...]

lxc network acl show-log <ACL_name>

# ACL in YAML format for editing

lxc network acl edit <ACL_name>

lxc network set <network_name> security.acls="<ACL_name>"

lxc config device set <instance_name> <device_name> security.acls="<ACL_name>"
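As an added example (not LXD's own tooling), the following checks a rule against the property list above before rendering it as the `lxc network acl rule add` command line, so that a port on an ICMP rule or an unknown action is caught before it reaches the daemon; the ACL name web-acl and the sample policy are constructed.

```python
"""Consistency checks for LXD network ACL rules, rendered as the `lxc network acl rule add`
commands the notes describe.  Added example, not LXD code; ACL name and policy are constructed."""
import re
import shlex

ACTIONS = {"allow", "reject", "drop"}
STATES = {"enabled", "disabled", "logged"}
PROTOCOLS = {"icmp4", "icmp6", "tcp", "udp"}
# Rule properties from the list above, in the order they are rendered.
PROPERTIES = ("action", "state", "description", "source", "destination",
              "protocol", "source_port", "destination_port", "icmp_code")
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")  # 22 | 1-1024 | 80,443

def validate_rule(rule: dict) -> list[str]:
    """Return the problems in one rule; an empty list means it is consistent."""
    problems = []
    if rule.get("action") not in ACTIONS:
        problems.append("action must be one of allow, reject, drop")
    if rule.get("state", "enabled") not in STATES:
        problems.append("state must be one of enabled, disabled, logged")
    proto = rule.get("protocol")
    if proto is not None and proto not in PROTOCOLS:
        problems.append(f"unsupported protocol {proto!r}")
    for key in ("source_port", "destination_port"):
        if key in rule:
            ports = str(rule[key])
            if proto not in ("tcp", "udp"):
                problems.append(f"{key} requires protocol tcp or udp")
            if not PORT_RE.match(ports) or any(
                    int(p) > 65535 for p in re.split(r"[-,]", ports)):
                problems.append(f"{key} {ports!r} is not a valid port list")
    if "icmp_code" in rule and proto not in ("icmp4", "icmp6"):
        problems.append("icmp_code requires protocol icmp4 or icmp6")
    return problems

def render_rule_add(acl: str, direction: str, rule: dict) -> str:
    """Build the CLI command for one rule, refusing inconsistent rules."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be ingress or egress")
    if problems := validate_rule(rule):
        raise ValueError("; ".join(problems))
    props = [f"{k}={shlex.quote(str(rule[k]))}" for k in PROPERTIES if k in rule]
    return " ".join(["lxc", "network", "acl", "rule", "add", shlex.quote(acl), direction, *props])

if __name__ == "__main__":
    # Constructed policy: web ports from the LAN, then a logged reject for everything else.
    for rule in [{"action": "allow", "protocol": "tcp", "destination_port": "80,443",
                  "source": "192.168.88.0/24", "description": "web from LAN"},
                 {"action": "reject", "state": "logged"}]:
        print(render_rule_add("web-acl", "ingress", rule))
```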

Network forward

* Network forwards are available for the OVN network and the Bridge network

lxc network forward create <network_name> <listen_address> [configuration_options...]

e.g.

lxc network list

lxc network forward create lxdbr0 192.168.88.244

* Each forward is assigned to a network
* It requires a single external listen address

Checking

lxc network forward list lxdbr0

+----------------+-------------+------------------------+-------+-------------+
| LISTEN ADDRESS | DESCRIPTION | DEFAULT TARGET ADDRESS | PORTS |  LOCATION   |
+----------------+-------------+------------------------+-------+-------------+
| 192.168.88.244 |             |                        | 0     | lxd-i.local |
+----------------+-------------+------------------------+-------+-------------+

lxc network forward show lxdbr0 192.168.88.244

description: ""
config: {}
ports: []
listen_address: 192.168.88.244
location: lxd-i.local

Set the default target address by adding target_address=<IP_address>:

* Any traffic that does not match a port specification is forwarded to this address

lxc network forward set lxdbr0 192.168.88.244 target_address=10.0.0.11

lxc network forward list lxdbr0

+----------------+-------------+------------------------+-------+-------------+
| LISTEN ADDRESS | DESCRIPTION | DEFAULT TARGET ADDRESS | PORTS |  LOCATION   |
+----------------+-------------+------------------------+-------+-------------+
| 192.168.88.244 |             | 10.0.0.11              | 0     | lxd-i.local |
+----------------+-------------+------------------------+-------+-------------+

Other operations

lxc network forward edit <network_name> <listen_address>

lxc network forward delete <network_name> <listen_address>

lxc network forward port add <network_name> <listen_address> <protocol> <listen_ports> <target_address> [<target_ports>]

Port properties

protocol, listen_port, target_address, target_port, description

Proxy Device

Proxy device (named http-forward in this example):

lxc config device add c1 http-forward proxy \
    listen=tcp:0.0.0.0:80 connect=tcp:127.0.0.1:80
