if I do that will the configuration of the interface on the host (which does not seem to be DHCP assigned) follow? And how is the netmask calculated? What if I only want to give out addresses with DHCP in a small part of the network that I want to work?
That leads directly into the second issue. What is the most sane way to get a static ip on a guest? Just let the dhcp thing assign the same address every time (an 8 year old post on serverfault says it can be done by putting lines in /etc/lxc/dnsmasq.conf, is that still the way?) or configure the guests with a static address outside the range DHCP uses, but within the network configured on the brdige?
What range is used can’t be a client setting (clients can have conflicting settings).
Where do you believe the appropriate subnet should be whitelisted? I’ve made firewall rules for more than 20 years, so I don’t expect any problems making a simple setup like this should be work.
As nobody gave an answer that made sense, I looked a little deeper.
Seeing that the lxc-net systemd service executes /usr/libexec/lxc/lxc-net which is just a shell script I looked at that. And it says:
# These can be overridden in /etc/default/lxc
# or in /etc/default/lxc-net
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_BRIDGE_MAC="00:16:3e:00:00:00"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DHCP_PING="true"
LXC_DOMAIN=""
That’s all the settings I need to change (and more).
And a little thing more: LXC_DHCP_MAX affects the number of leases dnsmasq handles, it doesn’t affect the addresses given out in any way, so there’s no point in setting it when you just want to use a different range.
I’m not sure if you’re using LXD, if you are, this post is for you:
What I do is to completely ignore LXD/LXC networking configurations and setup my own bridge and then manually create a unit inside the container’s /etc/systemd/network/ folder in order to handle networking. Here is a full example:
Create the bridge manually, by adding this two units to your host’s network:
Now you’ll have a bridge cbr0 that doesn’t do any DHCP and has the IP 10.10.125.1 assigned to the host. I also configured the IPForward and IPMasquerade parameters for obvious reasons.
Setup LXD/LXC to use that bridge:
||Would you like to use LXD clustering? (yes/no) [default=no]: no|
|---|---|
||Do you want to configure a new storage pool? (yes/no) [default=yes]: no|
||Would you like to connect to a MAAS server? (yes/no) [default=no]: no|
||Would you like to create a new local network bridge? (yes/no) [default=yes]: no|
||Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: yes|
||Name of the existing bridge or host interface: cbr0|
||Would you like the LXD server to be available over the network? (yes/no) [default=no]: no|
||Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no|
||Would you like a YAML lxd init preseed to be printed? (yes/no) [default=no]: yes|
Anyways I’m upgrading very old setups to new things and what I described was my typical old solution. I’m about to test how lxc config device override web-server eth0 ipv4.address=10.0.30.10 can replace that manual setup…
Another thing I’m very interested is instead of using iptables to do port forwards use LXD’s proxy device in NAT mode (essentially writes iptables rules for us) to mange that. Type: proxy - LXD documentation