Access LXD containers created in a cloud instance from outside

Hello,

I have a question regarding LXD container networking on a cloud instance (either in openstack or in eucalyptus).

I created some containers in a cloud instance and I used the LXD bridge network. I can access the services of these containers only from inside of the cloud instance.

What I want to achieve is to access the LXD containers’ services from outside of the cloud instance (e.g. without having to SSH into the instance).

Does that sound possible?

Perhaps one possible solution to access specific services of the containers (e.g. a web server) could be port forwarding or defining some iptables rules (just assuming, haven’t tested it).

For instance, if one wants to access {container-ip}:80, they can access instead {cloud-floating-ip}:8888, but such a solution doesn’t cover my requirements. What I need is to have access directly to the containers’ IP addresses from outside of the cloud.

Would it be possible for instance to assign a cloud floating IP address to an LXD container?

Any other approaches are welcome.

Thank you

I’m not a cloud expert and my understanding is that this differs based on cloud providers and what exact network features you’ve got access to for that given provider.

There are a few options:

  • If you can get a second network device attached to your cloud instance, then you can pass that directly to your container using nictype=physical in LXD.
  • If you can get a second internal IP on the host, then you can NAT all traffic to that IP to one of your containers, then get a second floating IP from your provider and point that to the second internal IP.
  • Some cloud providers let you directly get public IPs on your instance, in which case you may be able to request additional public IPs or a public subnet be routed to your instance. You can then route those IPs to specific containers.
  • If none of those is possible in your environment, then I’m afraid you’re stuck with having to NAT individual ports to your container.

The first option with nictype=physical worked for my case and I tested it in openstack. I am not sure that it will work for other cloud platforms. Provided that they offer the possibility to attach multiple network interfaces to one instance, probably yes.

So, below are the steps I followed:

I attached multiple network interfaces (e.g. eth0, eth1, eth2, etc.) to my cloud instance, each of which can get an IP address via DHCP (e.g. 192.168.2.3, 192.168.2.4 etc.) and each of these IP addresses can be associated with a floating IP.

Then, I installed LXD (tested with version 2.14), I created an LXD container and passed into it an existing physical NIC:

lxc init images:{some_image} c1 # create container c1
lxc config device add c1 eth0 nic nictype=physical parent=eth1 # add eth0 interface to c1 by passing the eth1 NIC from the cloud instance
lxc start c1

As long as the container remains in “RUNNING” state, eth1 will not be usable from the host.

The containers list should look similar to the following:

lxc list
+--------+---------+--------------------+------+------------+-----------+
|  NAME  |  STATE  |        IPV4        | IPV6 |    TYPE    | SNAPSHOTS |
+--------+---------+--------------------+------+------------+-----------+
|   c1   | RUNNING | 192.168.2.4 (eth0) |      | PERSISTENT | 0         |
+--------+---------+--------------------+------+------------+-----------+

Pinging, from outside the cloud, the floating IP associated with 192.168.2.4 succeeded.

Another important thing to note for this particular case is that this will only work if the security group of the cloud instance is properly configured to allow traffic for such usage.

Thank you very much for your help!
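The steps in the post above, as an added example (not code from the thread or from the LXD project): a small POSIX sh wrapper around the three lxc commands that refuses to pass the interface carrying the host's default route, since the host loses a nictype=physical NIC while the container is RUNNING and handing over the one SSH arrives on would lock you out of the instance. The function and variable names, the 30 s DHCP wait and the sample table are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread: guard the nictype=physical
# steps so the host's default-route NIC (the one SSH arrives on) is never
# handed to a container, then wait for the container's DHCP address.

# nic_is_passable NIC DEFAULT_IF -> 0 if NIC may be passed through, else 1.
# DEFAULT_IF is passed in by the caller so the check runs without root or lxc.
nic_is_passable() {
    [ -n "$1" ] || return 1            # empty name
    [ "$1" != "lo" ] || return 1       # loopback makes no sense here
    [ "$1" != "$2" ] || return 1       # would sever the host's own connectivity
    return 0
}

# container_ipv4 NAME LIST_OUTPUT -> IPv4 shown for NAME in 'lxc list' table output.
container_ipv4() {
    printf '%s\n' "$2" | awk -v name="$1" -F'|' '
        { n = $2; gsub(/ /, "", n)
          if (n == name) { split($4, a, " "); print a[1]; exit } }'
}

# passthrough_nic CONTAINER NIC IMAGE: create the container, attach NIC as its eth0
# with nictype=physical, start it and print the address it obtains via DHCP.
passthrough_nic() {
    ctr="$1"; nic="$2"; image="$3"
    default_if=$(ip -o route show default | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }')
    if ! nic_is_passable "$nic" "$default_if"; then
        echo "refusing to pass '$nic': empty, loopback or default-route NIC ($default_if)" >&2
        return 1
    fi
    lxc init "$image" "$ctr" || return 1
    lxc config device add "$ctr" eth0 nic nictype=physical parent="$nic" || return 1
    lxc start "$ctr" || return 1
    # DHCP on the passed-through NIC takes a moment; poll 'lxc list' for up to 30 s.
    i=0
    while [ "$i" -lt 30 ]; do
        ip4=$(container_ipv4 "$ctr" "$(lxc list "$ctr")")
        if [ -n "$ip4" ]; then echo "$ip4"; return 0; fi
        sleep 1; i=$((i + 1))
    done
    echo "no IPv4 on $ctr after 30 s: check DHCP on $nic and the security group" >&2
    return 1
}

# Constructed sample of 'lxc list' output, mirroring the table in the post above.
SAMPLE_LIST='+--------+---------+--------------------+------+------------+-----------+
|  NAME  |  STATE  |        IPV4        | IPV6 |    TYPE    | SNAPSHOTS |
+--------+---------+--------------------+------+------------+-----------+
|   c1   | RUNNING | 192.168.2.4 (eth0) |      | PERSISTENT | 0         |
+--------+---------+--------------------+------+------------+-----------+'
```

On the instance itself this is run as `passthrough_nic c1 eth1 images:{some_image}`; the security group still has to permit the traffic to the floating IP, as noted above.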