Translation(s): English - Français


Bridged setup for your container(s) network

There are typically two ways to create a bridged network setup:

  1. Create a bridge out of your main network interface, and assign it the IP address you normally would have on your main interface, so that you can use it for the bridge and for the containers as well.
  2. Create a different bridge that is independent of your main interface but that gets traffic forwarded to it (and from it).

The remainder of this introduction covers only part 2.

The masqueraded bridge

This second type is what is typically considered to be the Masqueraded Bridge. You have an internal subnet that you use on the bridge (and all the containers).

The easiest way in version 2.0 (as included in Stretch) is to use the lxc-net package (component). This is part of the lxc package (real Debian package) starting from Stretch (Debian 9) (you can find a wallpaper here ;-)).

Below is an example configuration for lxc-net.

Using lxc-net

The default setup for lxc-net is as follows:

USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DOMAIN=""

This information is put in the file /etc/default/lxc-net.

This is also the default configuration for LXC-net as started with Debian Stretch in the default configuration (setup) without the patch applied to it (see the main page)

After creating this file with the required config you can simply start the service with:

systemctl start lxc-net after enabling it with systemctl enable lxc-net. This is covered in the introduction at the Main Page. Commands:

systemctl enable lxc-net
systemctl start lxc-net

The service will run at boot and create your bridge for you. This will also add masquerading and forward firewall rules for you using iptables2 calls.

More info on a bridge

Much is covered in Masqueraded Bridge.

For Debian Jessie and below (which is what most users will have at this point) you must consult that document if you are not to use lxc-net from Stretch (via Backports).

Host device as bridge

The first type of bridge that was mentioned was the “host-shared bridge”.

The host-shared bridge requires the host's network device to be superseded by a bridge that will include this network device as one of its ports.

auto lxcbr0
iface lxcbr0 inet dhcp
    bridge_ports eth0
    bridge_fd 0
    bridge_maxwait 0

would be a typical minimal bridge setup (using dhcp) that supersedes an IP on the main interface (eth0) provided that you have the new fancy "Predictable Network Interface Names" disabled. (Don't forget to regen your initramfs (update-initramfs -u) and reboot).

This type of bridge setup has the following features:

This requires the bridge-utils package (as does lxc-net).

Edit the host's /etc/network/interfaces in this form:

# Comment out the following:
# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet dhcp
        bridge_ports eth0
        bridge_fd 0
        bridge_maxwait 0

# uncomment the below and comment the above for static ip setup on the host
#auto br0
#iface br0 inet static
#       bridge_ports eth0
#       bridge_fd 0
#       address <host IP here, e.g. 192.168.1.20>
#       netmask 255.255.255.0
#       network <network IP here, e.g. 192.168.1.0>
#       broadcast <broadcast IP here, e.g. 192.168.1.255>
#       gateway <gateway IP address here, e.g. 192.168.1.1>
#       # dns-* options are implemented by the resolvconf package, if installed
#       dns-nameservers <name server IP address here, e.g. 192.168.1.1>
#       dns-search your.search.domain.here

Restart networking:

/etc/init.d/networking restart

## Network
lxc.utsname = containershostname
lxc.network.type = veth
lxc.network.flags = up

# that's the interface defined above in host's interfaces file
lxc.network.link = br0

# name of network device inside the container,
# defaults to eth0, you could choose a name freely
# lxc.network.name = lxcnet0 

lxc.network.hwaddr = 00:FF:AA:00:00:01

# the ip may be set to 0.0.0.0/24 or skip this line
# if you like to use a dhcp client inside the container
lxc.network.ipv4 = 192.168.1.110/24

# define a gateway to have access to the internet
lxc.network.ipv4.gateway = 192.168.1.1

auto eth0
iface eth0 inet dhcp
#iface eth0 inet static
#       address <container IP here, e.g. 192.168.1.110>
#       all other settings like those for the host

Additonal bridge device instead of changing a host device to br0

Features:

# script to setup a natted network for lxc guests
CMD_BRCTL=/usr/sbin/brctl
CMD_IFCONFIG=/sbin/ifconfig
CMD_IPTABLES=/sbin/iptables
CMD_ROUTE=/sbin/route
NETWORK_BRIDGE_DEVICE_NAT=lxc-bridge-nat
HOST_NETDEVICE=wlan0
PRIVATE_GW_NAT=192.168.100.1
PRIVATE_NETMASK=255.255.255.0

${CMD_BRCTL} addbr ${NETWORK_BRIDGE_DEVICE_NAT}
${CMD_BRCTL} setfd ${NETWORK_BRIDGE_DEVICE_NAT} 0
${CMD_IFCONFIG} ${NETWORK_BRIDGE_DEVICE_NAT} ${PRIVATE_GW_NAT} netmask ${PRIVATE_NETMASK} promisc up
${CMD_IPTABLES} -t nat -A POSTROUTING -o ${HOST_NETDEVICE} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Alternative

Features:

Uncomment the following in /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Insert the following in /etc/network/interfaces:

auto lxc-bridge-nat
iface lxc-bridge-nat inet static
        bridge_ports none
        bridge_fd 0
        bridge_maxwait 0
        address 192.168.100.1
        netmask 255.255.255.0
        up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

lxc.network.link = lxc-bridge-nat
lxc.network.ipv4 = 192.168.100.10/24
lxc.network.ipv4.gateway = 192.168.100.1

References