Weekly status #30

Weekly status for the week of the 8th to the 15th of January 2018.

Introduction

The main highlight for this week was the inclusion of the new proxy device in LXD, thanks to the hard work of some University of Texas students!

The rest of the time was spent fixing a number of bugs, working on various bits of kernel work, getting the upcoming clustering work to go through our CI process and preparing for a number of planning meetings that are going on this week.

Upcoming conferences and events

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

LXCFS

  • Nothing to report

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report (build farm was offline)

Snap

  • Nothing to report (build farm was offline)

Hello Stéphane

Added support for a new proxy device, allowing for tcp redirection (7). https://github.com/lxc/lxd/pull/4106

Can you explain the use case behind it and how it would replace (or complement?) iptables rules running on the host to redirect traffic to containers?
This new feature seems quite interesting, but I fail to understand what it enables.

Best,
D.

I am not Stéphane.

The new proxy device, as you said, allows LXD to redirect TCP traffic to containers. A connection to the host IP address on a specific port is redirected to a specified container at a specific port.

Doing this instead with iptables is quite cumbersome. You have to use iptables-persistent, which has very low usability.

The new functionality takes care of the most common case (TCP), and there is a bug report to enhance it: https://github.com/lxc/lxd/issues/4167

Here is a glimpse of the documentation, https://github.com/lxc/lxd/pull/4106/commits/da423b2f40a7bf3f44636182af378f23ea234ba9

To test it now, there is a snap in the candidate section. Install on non-production systems with

snap install --channel=candidate lxd

You’d need the edge snap for this feature, candidate is stable + cherry-picks.

The proxy device is indeed meant as an easy way to forward traffic to the container without needing to interact with the local firewall. Though note that if iptables is an option for you, this should be favored as it’d have a much lower overhead than the proxy device.

The proxy device also has the potential to forward between unix sockets and tcp sockets, which could be very interesting to some users, though that part hasn’t been implemented yet.

The other case where the proxy device provides something that you can’t do with iptables is in the case where your containers are connected to a different network than their host. iptables only works if the host is the gateway for the containers; if it’s not, then you can’t do it. The proxy device doesn’t suffer from this limitation and will let you forward across subnets and networks just fine.

One such example would be a container which only has a loopback device with 127.0.0.1 set on it. You could run an apache webserver on it inside the container and have a proxy device forward some IP of the host to 127.0.0.1:80 in the container. All that despite not having any actual networking in the container.
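To make the behaviour described in this thread concrete (the host-port-to-container-port redirection in the reply above, and the overhead and cross-network points in this one), here is an added example of a minimal user-space TCP relay. It is not LXD's code and not how LXD implements the device (LXD's implementation is not shown on this page); it only borrows the `tcp:host:port` address form from the linked PR. The relay accepts on one address, connects to another, and copies bytes in both directions. Because every byte passes through user space it costs more than an in-kernel iptables DNAT rule, and because it only needs to reach both endpoints itself it does not care whether the host routes for the container's network. The echo backend standing in for the container's service, and the sample payload, are constructed for the demo.

```python
import socket
import threading

# Added example, not LXD's own code: a minimal user-space TCP relay that does
# what the thread describes the proxy device doing (accept on one address,
# connect to another, copy bytes both ways). Address specs follow the device's
# "tcp:host:port" form from the linked PR; the rest is a simplification.


def parse_spec(spec):
    """Parse 'tcp:host:port' into (protocol, host, port).

    Only tcp is accepted, matching the case the thread says is covered.
    IPv6 literals may be bracketed, e.g. 'tcp:[::1]:80'.
    """
    proto, sep, rest = spec.partition(":")
    if not sep or proto != "tcp":
        raise ValueError(f"unsupported or missing protocol in {spec!r}")
    host, sep, port_str = rest.rpartition(":")
    if not sep or not host or not port_str.isdigit():
        raise ValueError(f"malformed address {rest!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    port = int(port_str)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return proto, host, port


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst.

    Every byte crosses user space here, which is why a relay of this kind
    costs more than an in-kernel iptables DNAT rule.
    """
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(host, port):
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def start_proxy(listen_spec, connect_spec):
    """Relay connections from listen_spec to connect_spec in the background.

    The relay only needs to reach both endpoints itself; it does not care
    whether the host routes for the target network. Returns the listening
    socket and the port actually bound (useful when the spec asks for port 0).
    """
    _, lhost, lport = parse_spec(listen_spec)
    _, chost, cport = parse_spec(connect_spec)
    listener = _listen(lhost, lport)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed, shut down quietly
            try:
                upstream = socket.create_connection((chost, cport), timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()  # target unreachable: drop this client only
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_backend(host="127.0.0.1"):
    """Constructed stand-in for the container's service: echoes what it receives."""
    srv = _listen(host, 0)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through the relay to the backend and return what comes back."""
    backend, bport = start_echo_backend()
    proxy, pport = start_proxy("tcp:127.0.0.1:0", f"tcp:127.0.0.1:{bport}")
    try:
        with socket.create_connection(("127.0.0.1", pport), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(65536)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        proxy.close()
        backend.close()


if __name__ == "__main__":
    print(round_trip())
```

Running the file binds the relay and the backend to ephemeral loopback ports and prints the echoed request. Swapping the `connect` address for one on a network the host does not route for is exactly the case the reply above says iptables cannot cover: the relay works as long as the process running it can open a connection there.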