How isolated is the lxc container from the host and or other containers?

I currently utilize LXD with the default network bridge br0 … and use Juju to orchestrate/automate the software which gets installed and set up within the containers… my question is… how isolated or safe is it… if I have a need to keep two environments or sets of containers isolated network-wise?

reason I am asking is… I want to have two sets of LXD environments… and looking if it is safe to put the two into the same host… but not let them talk to each other…

here’s my setup as of now

Would it be possible to say…

move the Mac Mini’s LXD containers and postgresql instance … onto the same Ubuntu LTS server… but keep the two LXD networks separate?

EDIT: Is the move to perhaps instantiate two LXD bridges… would that introduce a layer of ISOLATION?

Yeah, two different bridges would likely be best here; you can then easily set up firewall rules between those networks either by using LXD’s network ACLs or good old-fashioned iptables.


thank you @stgraber , just one question

you can then easily setup firewall rules between those networks

is that done in … LXD’s networking tools? or in the host’s iptables? Once again, thanks for taking a look

lxc network acl can be used for some basic network to network ACLs, alternatively you can achieve the same through the host’s iptables.
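Both routes from the answer above, as an added example that is not part of the thread or of LXD's own tooling: two managed bridges, an ACL per bridge that drops egress toward the other subnet, and the equivalent host-side iptables FORWARD rules. Bridge names, subnets and ACL names are made up; `$LXC` and `$IPT` default to the real `lxc` and `iptables` commands and can be pointed at `echo` to preview the calls without touching a host.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: lxdbr-prod, lxdbr-dev,
# acl-prod, acl-dev and the 10.10.10.0/24 / 10.20.20.0/24 subnets.
LXC="${LXC:-lxc}"
IPT="${IPT:-iptables}"

# Create a managed bridge with its own subnet and NAT to the outside world.
create_bridge() {  # $1=bridge name  $2=gateway/prefix, e.g. 10.10.10.1/24
  "$LXC" network create "$1" ipv4.address="$2" ipv4.nat=true ipv6.address=none
}

# LXD-native isolation: an ACL that drops egress towards the other bridge's
# subnet, attached to the bridge so every instance on it inherits the rule.
# Unmatched traffic is rejected by default once an ACL is attached, so the
# default actions are set to allow explicitly; only the peer subnet is cut off.
isolate_with_acl() {  # $1=bridge  $2=acl name  $3=peer subnet to block
  "$LXC" network acl create "$2"
  "$LXC" network acl rule add "$2" egress action=drop destination="$3" state=enabled
  "$LXC" network set "$1" security.acls="$2" \
    security.acls.default.egress.action=allow \
    security.acls.default.ingress.action=allow
}

# Host-side alternative: drop anything the kernel would forward between the
# two bridge interfaces. -I inserts at the top so the rules precede LXD's own
# ACCEPT rules for the bridges.
isolate_with_iptables() {  # $1=bridge a  $2=bridge b
  "$IPT" -I FORWARD -i "$1" -o "$2" -j DROP
  "$IPT" -I FORWARD -i "$2" -o "$1" -j DROP
}

# Bring up a "prod" and a "dev" bridge that cannot talk to each other.
build_isolated_pair() {
  create_bridge lxdbr-prod 10.10.10.1/24
  create_bridge lxdbr-dev  10.20.20.1/24
  isolate_with_acl lxdbr-prod acl-prod 10.20.20.0/24
  isolate_with_acl lxdbr-dev  acl-dev  10.10.10.0/24
  isolate_with_iptables lxdbr-prod lxdbr-dev
}
```

Running `LXC=echo IPT=echo sh -c '. ./isolate.sh; build_isolated_pair'` prints the commands instead of executing them; drop the overrides to apply them on the host.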