IP Subnet for container

Hey, is it possible to assign a complete subnet to a container? Like the bridge has the subnet 10.30.0.0/16 and say I create a container that listens to 10.30.10.0/24?

You could add an ipv4.routes entry on the container’s NIC (usually called eth0) which will then have the host route that subnet to the container.

Something like lxc config device override CONTAINER eth0 ipv4.routes=10.30.10.0/24 should do it.

Will try it, thanks!

Based on the additional context from:

This is unlikely to work as-is.

Assuming you have reconfigured docker0 to be 10.30.10.0/24, then the command @stgraber suggests will add a static route on your LXD host that will direct packets for 10.30.10.0/24 into the LXD managed bridge internal.

However in order for packets to arrive at the container with the docker0 bridge it will require that the container with the docker0 bridge responds to ARP requests for 10.30.10.0/24 on its eth0 interface.

By default Linux will respond to ARP requests for IPs bound to any of its interfaces, meaning that you should be able to reach 10.30.10.1 (the docker0 bridge address).

For just reaching the 10.30.10.1 IP this may be enough.

However any docker container with an IP in 10.30.10.0/24 connected to the docker0 bridge will not be known by the container and thus it will not respond to ARP requests on its eth0.

What you would need to reach the entirety of 10.30.10.0/24 from the LXD host is to add a static route that specifies that packets be forwarded directly to the LXD container’s IP and not depend on ARP resolution of the targeted IP.

To do this you would need to run a manual command such as:

sudo ip r add 10.30.10.0/24 via <LXD container's IP> dev internal

LXD does not currently support NIC level routing for bridged NICs; the ipv{n}.routes settings behave the same as the equivalent settings on the bridge network itself.

I haven’t had the time to test this solution here yet. I already have configured routing via ip r add as you mentioned and it works, but I thought there might be another, “simpler”, way.

But, if I use 10.30.10.1 for the container’s eth0 IP and 10.30.10.0/24 for the docker0 net, wouldn’t that create a conflict? Can I say that docker0 should use a subnet that starts at 10.30.10.2?

Based on your earlier post, your container would have an IP in the 10.30.0.0/16 subnet that is part of the internal bridge on its eth0 interface, and this is the IP you would use in the via in your static route in the LXD host.

Then it would also have 10.30.10.1 on the docker0 interface inside the container.

Effectively the container would be acting as a router between 10.30.0.0/16 and 10.30.10.0/24.

It’s still not ideal though, as the 10.30.10.0/24 subnet overlaps with the 10.30.0.0/16 subnet. Even though you’ve added a more specific route on the LXD host, you would need to ensure that no IPs on your LXD host in the internal network ever use an IP in the 10.30.10.0/24 subnet, as otherwise the static route you’ve added will prevent them from being reachable.

I think they will not overlap as I always set the LXD container IPs manually. But using 10.30.10.1 for the LXD container and 10.30.10.0/24 for the docker0 net should be no problem?

OK, as long as you’re preventing overlap that’s fine.

You need to be more specific when talking about the container’s IPs here.

“But using 10.30.10.1 for the lxd container and 10.30.10.0/24 for the docker0 net should be no problem” - this doesn’t really make sense I’m afraid :slight_smile:

Your container will need to have 2 IPs, one IP on its eth0 interface in the subnet 10.30.0.0/16 (but not in the subnet 10.30.10.0/24). In your original image here Hide container network interfaces from host - #3 by DreamTexX it had the IP 10.30.163.116. This is the IP you’ll use in the static route’s via section.

The container will then have another IP, 10.30.10.1/24 on its docker0 interface.

Your container cannot use the IP 10.30.0.1 on its eth0 interface as that is being used by the internal bridge interface on the LXD host.

The static route will then say “reach 10.30.10.0/24 via the container’s IP on the internal bridge (10.30.163.116)”.
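The two-IP plan described above, as an added example that is not part of the thread or of LXD itself: a small shell script that checks the addressing before the host-side route is added. The container eth0 IP must not sit inside the docker0 subnet (the route would point into the range it is meant to cover), and an overlapping docker0 subnet is flagged because the more specific route makes every bridge address inside it unreachable. All values are constructed test input taken from the thread; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or LXD): validate the container-as-router
# plan before running "ip route add" on the LXD host.

# ip2int DOTTED_QUAD -> prints the address as a 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> status 0 when IP falls inside CIDR
in_subnet() {
  local ip="$1" net="${2%/*}" bits="${2#*/}" mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# subnet_within INNER OUTER -> status 0 when INNER is a more specific part of OUTER
subnet_within() {
  [ "${1#*/}" -ge "${2#*/}" ] && in_subnet "${1%/*}" "$2"
}

# plan_route BRIDGE_SUBNET DOCKER_SUBNET CONTAINER_ETH0_IP HOST_BRIDGE_DEV
# Prints the route to add on the LXD host.  Fails (status 2) when the
# container's eth0 IP lies inside the Docker subnet.  Warns on stderr when the
# Docker subnet overlaps the bridge subnet, since no host on the bridge may
# then use an address in that range.
plan_route() {
  local bridge="$1" docker="$2" via="$3" dev="$4"
  if in_subnet "$via" "$docker"; then
    echo "error: eth0 IP $via is inside $docker; pick one outside it" >&2
    return 2
  fi
  if subnet_within "$docker" "$bridge"; then
    echo "warning: $docker overlaps $bridge; no bridge host may use an IP in $docker" >&2
  fi
  echo "sudo ip route add $docker via $via dev $dev"
}

# Thread's values (constructed input): bridge "internal" 10.30.0.0/16,
# docker0 10.30.10.0/24, container eth0 10.30.163.116
plan_route 10.30.0.0/16 10.30.10.0/24 10.30.163.116 internal
```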

Yeah, sounds logical that I cannot use an IP from the docker subnet for the LXD container :sweat_smile:. Thank you very much!