VLANs and containers

Hello,

I’m a bit confused about how containers work with VLANs. There’re vlan and macvlan options and with LXC 5.0 there’re now VLANs for veth.

E.g., I have two containers, each in a different subnet (VLAN):

Container 1: 192.168.1.0/24, VLAN 1
Container 2: 192.168.2.0/24, VLAN 2

I want both of them to use the same physical interface on the host, how can I do this?

Are you talking about LXC or LXD?

About LXC.

LXD supports using the macvlan NIC type with the vlan setting (see Instance configuration - LXD documentation). What this does is create a vlan interface on top of the specified parent interface (if it doesn’t already exist), and then set up a macvlan interface on top of that.

In this way it allows multiple instance NICs to connect to the same parent vlan interface.

In LXC you could achieve the same solution by manually creating the vlan interfaces on the parent interface, and then using the macvlan device type to connect to the vlan interface as the link for your instances.

Alternatively you can set up a manual bridge and connect your physical interface to it, and then use bridge type devices in your LXC config using the lxc.net.[i].veth.vlan.id setting to specify which VLAN the container should use on the bridge.
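The two layouts from the reply above, as an added example that is not part of the thread: the functions print the host-side ip/bridge commands and the lxc.net.* lines for each container (they only emit text; pipe the host commands to sh as root). The parent NIC name eth0, the bridge name br0 and the container addresses are assumptions; VLAN ids and subnets are the ones from the question.

```shell
#!/bin/sh
# Added example: emits host commands and LXC 5.0 network config for the two
# layouts (macvlan on a VLAN sub-interface, or veth on a VLAN-aware bridge).
set -eu

PARENT=eth0   # assumed physical uplink shared by both containers
BRIDGE=br0    # assumed bridge name for the veth layout

# Layout A: one 802.1Q sub-interface per VLAN, containers attach via macvlan.
host_cmds_macvlan() {            # $1 = VLAN id
    echo "ip link add link $PARENT name $PARENT.$1 type vlan id $1"
    echo "ip link set $PARENT.$1 up"
}
lxc_net_macvlan() {              # $1 = VLAN id, $2 = address/prefix
    printf 'lxc.net.0.type = macvlan\n'
    printf 'lxc.net.0.link = %s.%s\n' "$PARENT" "$1"
    # bridge mode lets containers on the same VLAN sub-interface talk locally;
    # private mode would send every frame out of the physical port instead.
    printf 'lxc.net.0.macvlan.mode = bridge\n'
    printf 'lxc.net.0.ipv4.address = %s\n' "$2"
    printf 'lxc.net.0.flags = up\n'
}

# Layout B: one VLAN-aware bridge; LXC tags each container veth via veth.vlan.id.
host_cmds_bridge() {             # $@ = VLAN ids carried tagged on the uplink
    echo "ip link add name $BRIDGE type bridge vlan_filtering 1"
    echo "ip link set $PARENT master $BRIDGE"
    echo "ip link set $BRIDGE up"
    for vid in "$@"; do
        echo "bridge vlan add dev $PARENT vid $vid"
    done
}
lxc_net_veth() {                 # $1 = VLAN id, $2 = address/prefix
    printf 'lxc.net.0.type = veth\n'
    printf 'lxc.net.0.veth.mode = bridge\n'
    printf 'lxc.net.0.link = %s\n' "$BRIDGE"
    printf 'lxc.net.0.veth.vlan.id = %s\n' "$1"   # needs LXC 5.0
    printf 'lxc.net.0.ipv4.address = %s\n' "$2"
    printf 'lxc.net.0.flags = up\n'
}

# Container 1 on VLAN 1, container 2 on VLAN 2 (addresses assumed)
host_cmds_macvlan 1; host_cmds_macvlan 2
lxc_net_macvlan 1 192.168.1.10/24; lxc_net_macvlan 2 192.168.2.10/24
host_cmds_bridge 1 2
lxc_net_veth 1 192.168.1.10/24; lxc_net_veth 2 192.168.2.10/24
```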

Thanks, I also have a question about macvlan private mode. Man page says:

In private mode, the device never communicates with any other device on the same upper_dev (default)

Does this mean the physical interface sends packets outside when containers communicate with each other?

This is available in LXC 5.0 only, right?

Private mode means all frames are sent out of the physical interface even if they are destined for a MAC address associated with another macvlan interface on the same link. This effectively stops communication between container NICs on the same parent link.

Correct, only in 5.0.