Enable LXC networking in Debian Jessie, Fedora 21 and others

The LXC packages in Ubuntu ship with LXC networking enabled. This is done by an init script called lxc-net, which sets up the lxcbr0 bridge and a number of iptables rules to provide networking for containers. The Flockport LXC packages for Wheezy do the same.

Debian Jessie ships with an updated LXC 1.06 but does not set up LXC networking by default. Neither do the Fedora or CentOS LXC packages.

Debian Jessie
It's actually quite simple and we will show you how. First download the lxc-net script here, then follow the steps below.

apt-get install lxc dnsmasq-base bridge-utils
touch /etc/default/lxc
echo 'USE_LXC_BRIDGE="true"' > /etc/default/lxc
cp lxc-net /etc/init.d/
chmod +x /etc/init.d/lxc-net
systemctl enable lxc-net
systemctl start lxc-net
systemctl status lxc-net

To ensure containers you create have the lxcbr0 bridge enabled by default, add the config below to /etc/lxc/default.conf:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx

And that's it. The lxcbr0 bridge is now up and available for container networking.

Fedora 21 and CentOS 7
Fedora and CentOS expect you to use the virbr0 bridge set up by libvirt, which is similar to the lxcbr0 bridge in functionality. You can do that, or, if you don't have libvirt installed, you can set up the lxcbr0 bridge for containers as described below.

First make sure LXC, dnsmasq, iptables-services and bridge-utils are installed.

yum install lxc lxc-templates lxc-extras dnsmasq bridge-utils iptables-services

Next we need to create two systemd service units, lxc-net.service and lxc-dhcp.service, in /etc/systemd/system/ as shown below. Together they perform the same role as the lxc-net init script in Debian and Ubuntu.

First /etc/systemd/system/lxc-net.service:

[Unit]
Description=Bridge interface for LXC Containers

[Service]
Type=oneshot

# Bring up bridge interface
ExecStart=/sbin/brctl addbr lxcbr0
ExecStart=/sbin/ip address add 10.0.3.1/24 dev lxcbr0
ExecStart=/sbin/ip link set lxcbr0 up

RemainAfterExit=yes

# Bring bridge interface down
ExecStop=/sbin/ip link set lxcbr0 down
ExecStop=/sbin/brctl delbr lxcbr0

# Without an [Install] section "systemctl enable lxc-net.service" fails
[Install]
WantedBy=default.target

Then /etc/systemd/system/lxc-dhcp.service:

[Unit]
Requires=lxc-net.service
Requires=sys-devices-virtual-net-lxcbr0.device
After=sys-devices-virtual-net-lxcbr0.device

[Service]
ExecStart=/sbin/dnsmasq \
            --dhcp-leasefile=/var/run/lxc-dnsmasq.leases \
            --user=nobody \
            --group=nobody \
            --keep-in-foreground \
            --listen-address=10.0.3.1 \
            --except-interface=lo \
            --bind-interfaces \
            --dhcp-range=10.0.3.2,10.0.3.254

[Install]
WantedBy=default.target

Now let's enable and start the services, along with the iptables service that will restore the firewall rules on boot:

systemctl enable lxc-net.service
systemctl enable lxc-dhcp.service
systemctl start lxc-net.service
systemctl start lxc-dhcp.service
systemctl enable iptables
systemctl start iptables

Now we need to set up some iptables rules and make them persistent. Create a new file named lxc-net containing the iptables rules below.

#!/bin/sh
# Allow DHCP and DNS from containers to dnsmasq on the bridge
iptables -I INPUT -i lxcbr0 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i lxcbr0 -p tcp --dport 67 -j ACCEPT
iptables -I INPUT -i lxcbr0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i lxcbr0 -p udp --dport 53 -j ACCEPT
# Forward traffic to and from the bridge
iptables -I FORWARD -i lxcbr0 -j ACCEPT
iptables -I FORWARD -o lxcbr0 -j ACCEPT
# Masquerade container traffic leaving the 10.0.3.0/24 subnet
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
# Fill in checksums on DHCP replies to containers
iptables -t mangle -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

Let's execute the script:

chmod +x lxc-net && ./lxc-net

Now save the rules so they are reloaded on boot:

/sbin/service iptables save

Next add the line below to /etc/sysctl.conf to enable IP forwarding in the kernel.

net.ipv4.ip_forward = 1

That's it. The lxcbr0 bridge with the proper iptables rules should now be available for your containers. To ensure containers you create have the lxcbr0 bridge enabled by default, add the config below to /etc/lxc/default.conf:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
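As an added check that is not part of the original guide or of the Flockport lxc-net script: a POSIX sh audit that reads an iptables-save dump and reports which of the lxcbr0 rules installed above (by lxc-net on Debian, or by the lxc-net file on Fedora/CentOS) are missing, plus a check that a sysctl file enables forwarding. The function names and the sample dump are my own constructions.

```shell
#!/bin/sh
# Added example (not from the Flockport guide): audit an iptables-save dump for
# the lxcbr0 rules installed above. Live use: iptables-save | audit_lxc_rules
# iptables-save lists "-I" rules as "-A" and adds "-m udp"/"-m tcp" (optional here).
LXC_RULE_PATTERNS='
^-A INPUT -i lxcbr0 -p udp( -m udp)? --dport 67 -j ACCEPT
^-A INPUT -i lxcbr0 -p tcp( -m tcp)? --dport 67 -j ACCEPT
^-A INPUT -i lxcbr0 -p tcp( -m tcp)? --dport 53 -j ACCEPT
^-A INPUT -i lxcbr0 -p udp( -m udp)? --dport 53 -j ACCEPT
^-A FORWARD -i lxcbr0 -j ACCEPT
^-A FORWARD -o lxcbr0 -j ACCEPT
^-A POSTROUTING -s 10\.0\.3\.0/24 ! -d 10\.0\.3\.0/24 -j MASQUERADE
^-A POSTROUTING -o lxcbr0 -p udp( -m udp)? --dport 68 -j CHECKSUM --checksum-fill
'

# Reads a dump on stdin, prints each absent rule, returns the number missing
# (0 means the NAT bridge is fully wired; any other value is a gap to fix).
audit_lxc_rules() {
    dump=$(cat)
    missing=0
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        printf '%s\n' "$dump" | grep -Eq -- "$pat" || {
            echo "missing rule: $pat"
            missing=$((missing + 1))
        }
    done <<EOF
$LXC_RULE_PATTERNS
EOF
    return "$missing"
}

# Returns 0 if the sysctl file $1 enables forwarding; without it the kernel
# drops the containers' traffic even though the MASQUERADE rule is present.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed rule lines in iptables-save format (not captured from a real
# host; table headers omitted) so the audit can be tried offline.
SAMPLE_DUMP='-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT'
printf '%s\n' "$SAMPLE_DUMP" | audit_lxc_rules   # exit status 0: every rule found
```

On a live host, run `iptables-save | audit_lxc_rules` after a reboot to confirm the saved rules were restored. The sysctl line only takes effect at the next boot unless it is applied with `sysctl -p`.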

Comments
  • beaufils

    For Debian Jessie another way of activating the network should be simpler, as described in https://wiki.debian.org/LXC/LibVirtDefaultNetwork.

    The idea is to use the bridge set up by libvirt instead of creating one just for lxc.

    I have not tested it yet, but it seems very simple:

    apt-get install libvirt-bin
    # Modify /etc/libvirt/qemu/networks/default.xml if needed (NAT forward for instance)
    virsh net-start default

    Then set up your default container in `/etc/lxc/default.conf` by adding

    lxc.network.type = veth
    lxc.network.link = virbr0
    lxc.network.flags = up
    lxc.network.hwaddr = 00:FF:AA:xx:xx:xx
    lxc.network.ipv4 = 0.0.0.0/24

    • admin

      Hi, yes, you can install the libvirt-bin package and use the virbr0 bridge. It will work perfectly. You can change the LXC bridge config in /etc/default/lxc or in the individual container config file.

      A NAT bridge is relatively easy to set up. The lxc-net script is a bash init script that does that. It also sets up the iptables rules for masquerading. We have shared details on how the lxc-net script works in one of the networking guides.

      Basically this is what the script does. It adds a lxcbr0 bridge, then assigns the 10.0.3.1/24 IP to it, then configures dnsmasq to serve the 10.0.3.0/24 subnet on the lxcbr0 bridge, and finally sets up iptables masquerading rules for the 10.0.3.0/24 subnet. This is nearly identical to the virbr0 bridge, only the virbr0 bridge is set up on the 192.168.122.0/24 subnet by the libvirt tools.

  • beaufils

    Could you make the `lxc-net` script file downloadable without being logged in, so that it can be used in an installation script with a simple `curl` or `wget` call?

    • admin

      Hi beaufils, it's supposed to be downloadable without the need to login. Let me recheck.

  • PeterSteele

    Is all of this necessary? I am currently using libvirt-lxc under CentOS 7 to create and manage containers and I want to migrate to the Canonical LXC tools (since Red Hat is retiring the libvirt tools). I do not have any iptables configured at all, and I have my containers running with bridged networking, each with their own static IPs, and each able to access not only each other but the external internet as well. I've been trying to find the equivalent config needed for Canonical LXC and it seems I get a different set of instructions on every page I visit. Is there any definitive guide to bridged networking for LXC?

  • admin

    Hi Peter, unfortunately it is. I am not sure how you have your network set up. Usually with a NAT bridge, and both virbr0 and lxcbr0 are NAT bridges, masquerading is required for external internet access for containers or VMs connecting to these interfaces.

    In the case of virbr0 and lxcbr0, dnsmasq is also configured for DHCP on these bridges. Initially lxc-net was an upstart script. We customized it for Debian Wheezy and sysvinit. Now distributions are moving to Systemd. For CentOS 7 the lxc-net script will not work as CentOS is using Systemd, thus this guide.
