  1. User A has an HTTP server running on the host Ubuntu machine with IP "HostIP" and port 8081.
  2. Now user A creates an unprivileged LXC container (container1).
  3. User A logs into the container with lxc-attach -n container1.
  4. Now the root user inside container1 makes a call like http://HostIP:8081/api

My question is: does this call route to the host directly, or via the LAN network? Basically, what configuration changes need to be done to avoid the LAN traffic if the HTTP server is hosted on the host machine?

Our LXC network configuration is:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:30:d2:42

All the containers are running inside the host computer Ubuntu.

David Foerster
  • It depends on the LXC network configuration. There's no way to answer this without more details such as if it's connected with a bridged connection or a NAT'd connection within the computer running all the containers, etc. We need details on the networking layout to answer this. If you don't have any network details, and are asking as pure theory, then this is an unanswerable question due to it being 'too broad' due to not having a specific set of circumstances with regards to the LXC network setup. – Thomas Ward Jul 05 '18 at 21:45
  • Hi Thomas Ward, Thanks for the comments. I have updated the question appropriately. Please suggest. – Surender Panuganti Jul 06 '18 at 15:30
  • Please let me know if the question is appropriate now. Request you to unhold the question as appropriate. – Surender Panuganti Jul 06 '18 at 15:39
  • Is the host computer connected to the LAN network for its default route? And how was the LXC bridge set up? (a default bridge setup?) – Thomas Ward Jul 06 '18 at 15:42
  • We are still missing one bit - how the LXCBR was built. If it's a standard LXC bridge then it's probably just bridged to your LAN network, but if not then it's NAT'd. If you can get the configuration for the LXC bridge that'd help a lot more as well (and if it's got NAT enabled then the answer changes) – Thomas Ward Jul 06 '18 at 17:02
  • Hi Thomas, Thanks for taking care of my query. Yes the host computer is connected to the LAN network of my enterprise. All the containers inside the host computer are connected via the default lxcbr0 bridge provided by the lxc. It should be a NAT'ed network because all my containers have a private IP address in the subnet 10.0.3.0/24. Please let me know if any further details are required. – Surender Panuganti Jul 07 '18 at 10:00
  • One last question: when you indicate the "host" for "HostIP" in the question, do you mean the IP address the host system has on the LAN or the private IP address that it has which is in the 10.0.3.0/24 subnet that the LXC systems share? – Thomas Ward Jul 07 '18 at 18:36
  • I meant the IP address of the host system when I connect the host computer to the LAN network. – Surender Panuganti Jul 08 '18 at 07:03

1 Answer

To summarize the details you stated to me so I can answer this:

  • LXC network bridge is set up to be a NAT'd connection
  • LXC network bridge is not directly connected to the LAN network that the host system is on

With this information in hand, your answer is: Possibly. And it depends entirely on the host computer and whether it's smart enough to not route traffic to the LAN address from the LXC bridge over the LAN network first. (Which isn't always the case)

When you use the IP address of the host computer that it has for the LAN, it is entirely possible that your computer will be stupid and not properly route the packet, meaning the packet headed to the host computer on the LAN address (and not the private IP range for the LXC network) might get transmitted to the rest of the LAN. This isn't uncommon, but it's definitely not what you're after.

When working with LXC/LXD guests connected to the host, you should be using the Gateway IP address from the guests (effectively the private IP address on the LXC/LXD bridge that the host computer has, so that it can NAT route traffic to other destinations properly) when intending traffic to go directly from the containers to the host and vice-versa. This way, the traffic headed from your guest to your host (and vice versa) never leaves your computer, since it knows the routes to the guest and the host respectively over that NAT'd link.

If your subnet for your bridge is 192.168.230.0/24 for example, and the LXC guest has an IP of 192.168.230.10, while your host computer has 192.168.230.1 so it behaves as a router for the guests (this is the typical NAT bridge setup, but with different IP ranges), then you should be using 192.168.230.1 in place of the LAN address of the host system to avoid data leaking to the LAN network.

Thomas Ward
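As an added example (not part of the question or the answer above), the following POSIX shell script shows how a guest on the default NAT'd lxcbr0 bridge can derive the host's bridge address from its own default route and use that instead of the host's LAN address, plus a small check that tells apart a destination that stays on the bridge subnet from one that may be forwarded out to the LAN. The route text, the bridge subnet 10.0.3.0/24, the gateway 10.0.3.1 and the LAN address 192.0.2.10 (standing in for "HostIP") are constructed sample values; the port 8081 and path /api come from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Run inside a guest as: ./pick_host_addr.sh, after replacing SAMPLE_ROUTES
# with "$(ip route)" and BRIDGE_SUBNET with the bridge's real prefix.

# Extract the gateway from the text of `ip route` / `ip route show default`.
gateway_from_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Convert a dotted-quad IPv4 address to an integer. Multiplication instead of
# bit shifts so the function behaves the same under dash and bash.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Return 0 when ADDR lies inside NETWORK/PREFIX, 1 otherwise. The prefix mask
# is applied by integer division by 2^(32 - prefix).
in_subnet() {
    addr_int=$(ip_to_int "$1")
    net_int=$(ip_to_int "${2%/*}")
    host_bits=$(( 32 - ${2#*/} ))
    span=1
    i=0
    while [ "$i" -lt "$host_bits" ]; do
        span=$(( span * 2 ))
        i=$(( i + 1 ))
    done
    [ $(( addr_int / span )) -eq $(( net_int / span )) ]
}

# "host-only": the destination is on the bridge subnet, so the packet stays on
# lxcbr0. "may-leave-host": the destination (e.g. the host's LAN address) is
# routed through the host's forwarding path, the case the answer warns about.
classify_target() {
    if in_subnet "$1" "$2"; then
        echo host-only
    else
        echo may-leave-host
    fi
}

# Build the URL the guest should use: bridge gateway in place of HostIP.
# Usage: host_url "$(ip route)" PORT PATH
host_url() {
    gw=$(gateway_from_route "$1")
    [ -n "$gw" ] || return 1
    printf 'http://%s:%s%s\n' "$gw" "$2" "$3"
}

# Constructed sample of what `ip route` prints inside a default-bridge guest.
SAMPLE_ROUTES='default via 10.0.3.1 dev eth0
10.0.3.0/24 dev eth0 proto kernel scope link src 10.0.3.25'
BRIDGE_SUBNET=10.0.3.0/24
HOST_LAN_IP=192.0.2.10   # constructed stand-in for "HostIP"

GW=$(gateway_from_route "$SAMPLE_ROUTES")
echo "LAN address $HOST_LAN_IP: $(classify_target "$HOST_LAN_IP" "$BRIDGE_SUBNET")"
echo "Bridge gateway $GW: $(classify_target "$GW" "$BRIDGE_SUBNET")"
echo "Use: $(host_url "$SAMPLE_ROUTES" 8081 /api)"
```

With the sample route table the script reports the LAN address as "may-leave-host", the gateway as "host-only", and prints http://10.0.3.1:8081/api as the address to use. On a real guest, `ip route get <HostIP>` is the quickest way to confirm which interface and gateway the kernel actually picks for the LAN address.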