Lxc container public access

Madhu_chamara · August 7, 2024, 5:47am

Is there anyway or supportive networking setup to access lxc container ip directly from public internet except ip forwarding or use proxy?

candlerb · August 7, 2024, 6:16am

Yes, many. You could set up an incus-managed bridge with public IPs, and static-route it. You could connect containers to an existing bridge with public IPs. You could add a public loopback address to an incus container, and use a /32 static route to forward it to the container.

Madhu_chamara · August 14, 2024, 4:55am

Thanks for the reply.Your suggested way can integrate with lxd containers or need to completely use incus instead of lxd?

candlerb · August 14, 2024, 5:26am

I don’t use lxd any more, I can only speak for incus.

Madhu_chamara · August 14, 2024, 6:12am

But still your steps allocate private ip to container right?Because when i create new bridge and attach it to container that bridge have private ip range.But my requirment is what ever ip allocate to container should be directly accessible through internet from anywhere.

candlerb · August 14, 2024, 6:24am

No, apart from the third option, which was to use private IP on container and add a public loopback address.

The first two options were:

set up an incus-managed bridge with public IPs, and static-route it.
connect containers to an existing bridge with public IPs.

Neither of those options use any private IPs at all.

ChuJiani · August 14, 2024, 8:36am

How about macvlan or sr-iov networks types? When a container is attached to a network of either type, it will be at the same level with the host machine from external sight. It can be assigned with a public IP, if you have one.

Take macvlan for an example:

incus network create test-macvlan --type macvlan parent=<physical_interface>
incus create images:debian/12 instance-with-macvlan --network test-macvlan

You can then configure the network suite inside the container after booting it up. It will connect “directly” to the switch or router that the host machine is connected to.

Madhu_chamara · August 14, 2024, 8:52am

i tried this but container getting stop automatically.in my incus network list shows below

+-----------------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+---------------+
|         NAME          |  STATE  |         IPV4          |                     IPV6                      |   TYPE    | SNAPSHOTS |   LOCATION    |
+-----------------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+---------------+
| instance-with-macvlan | STOPPED |                       |                                               | CONTAINER | 0         |               |
+-----------------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+---------------+

+--------------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
|     NAME     |   TYPE   | MANAGED |      IPV4       |           IPV6            | DESCRIPTION | USED BY |  STATE  |
+--------------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| eth0         | physical | NO      |                 |                           |             | 1       |         |
+--------------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| eth1         | physical | NO      |                 |                           |             | 0       |         |
+--------------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| my-bridge    | bridge   | YES     | 10.120.186.1/24 | fd42:2132:cf3d:4d93::1/64 |             | 1       | CREATED |
+--------------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| test-macvlan | macvlan  | YES     |                 |                           |             | 1       | CREATED |
+--------------+----------+---------+-----------------+---------------------------+-------------+---------+---------+

ChuJiani · August 14, 2024, 8:56am

Starting it may fix?

incus start instance-with-macvlan

Also you can use launch instead of create to start it upon creation.

incus launch images:debian/12 instance-with-macvlan --network test-macvlan

Madhu_chamara · August 14, 2024, 9:07am

Thanks i missed it.when i exec to container and tried to ping to google seems it’s not resolving.is that expected behavior of macvlan?i’m unable to download ot update packages inside container

ChuJiani · August 14, 2024, 9:21am

That seems not to be a macvlan issue. How does your host machine connect to the internet? Maybe you can refer to the host’s network configuration and do something similar inside the container.

As for debian/12 image, the default network suite is systemd-networkd, and you need to configure files under /etc/systemd/network/.

Madhu_chamara · August 14, 2024, 9:32am

I’m using just a digital ocean vm.but container works with bridge network can ping to google

simos · August 14, 2024, 9:57am

When you use macvlan or another type of Incus networking to give public IPs to instances, your network should be able to provide such additional public IP addresses. Either automatically (through DHCP), or manually by setting a static IP configuration.

In your case with Digital Ocean you need to do the necessary legwork to obtain valid additional public IP addresses. You definitely pay for additional public IPv4 addresses (I think it comes to around $5 per month).

xlmnxp · August 14, 2024, 11:56am

for me I added Yggdrasil Subnet address and used Bridge46 service
https://www.reddit.com/r/ipv6/comments/1e9w7wp

and exposed my service to internet: https://test-bridge46.sy.sa/