Skip to main content

Networking In LXC

Had been trying to create multiple vm containers and make them reachable from the existing infrastructure switches.
So basically I will explain about my host system
My host system has two interfaces em1 and em2. em1 is attached to two vlan switch ports 211 and 103. So my interface looks like em1, em1.211, em1.103 and em2. em2 is reachable through my network.

1)Networking via veth:
I created a bridge interface br0 and attached it with em1.211 and em1.103. Now the containers use veth to bridge with br0 using veth pair. The usual flow of data will be

from outer world to container
em1.x(picks up in promisc mode)->br0->host veth pair->container

from outer world to host
em2(picks up packet as em1 has no ip)->host


2)Networking via macvlan:

Macvlan is a kernel feature which allows an interface to have multiple hw address and ip. So by default macvlan creates a new interface(virtual of an existing interface) with hw and ip addr pairs and then moves that interface to containers. If the link interface is given as br0 for config file with network type being vlan, the data flow here will be

from outer world to container
em1.x->br0->macvlan of container

But between containers communication as host do arp request for a container's ip when a request comes from another container in the network. But the requested container is behind the host and wont receive the arp packet. Communication between host and container is possible with the second interface of the host.

If macvlan type is made bridged, then containers packets with in themselves will be broadcasted to all macvlan interface and thereby making communication between containers possible. This method helps to get rid of veth pair interfaces on the host system, but the kernel needs to remember hardware address of all containers for inter vm communications

Comments

Post a Comment

Popular posts from this blog

The server, me and the conversation

We were moving a project from AWS to our co-located DC. We have setup KVMs scheduled by Cloudstack for each of the component in the architecture. The KVMs used local storage. The VMs are provisioned with more than required resources because we have the opinion that in our DC scaling during peak load and then downscaling doesn't offer much benefits financially as we are anyways paying for the hardware in advance and its also powered on. Its going to be idle if not used. Now we found something interesting our latency in co-located DC was 2 times more than in AWS. The time for first byte at our load balancer in aws was 60ms average and at our DC was 112ms. We started our debugging mission, Mission Conquer-AWS. All the servers are newer Dell hardwares. So the initially intuition was virtualisation is causing the issue. Conversation with the Hypervisor We started with CPU optimisation, we started using the host-passthrough mode of CPU in libvirt so VMs dont see QEMU emulated CPUs,
Post a Comment
Read more

How we have systematically improved the roads our packets travel to help data imports and exports flourish

This blog post is an account of how we have toiled over the years to improve the throughput of our interDC tunnels. I joined this company around 2012. We were scaling aggressively then. We quickly expanded to 4 DCs with a mixture of AWS and colocation. Our primary DC is connected to all these new DCs via IPSEC tunnels established from SRX. The SRX model we had, had an IPSEC throughput of 350Mbps. Around December 2015 we saturated the SRX. Buying SRX was an option on the table. Buying one with 2Gbps throughput would have cut the story short. The tech team didn't see it happening. I don't have an answer to the question, "Is it worth spending time in solving a problem if a solution is already available out of box?" This project helped us in improving our critical thinking and in experiencing the theoretical network fundamentals on live traffic, but also caused us quite a bit of fatigue due to management overhead. Cutting short the philosophy, lets jump to the story.
8 comments
Read more

Ptrace

Ptrace is a nice setup ( some people call dirty setup) on linux to debug running processes. This ptrace in sys/ptrace.h is used by strace and gdb. To trace a child process, the child process should call PTRACE_TRACEME. The kernel during each system call(or execution of each instruction) checks if the process is traced. If it is traced, it issues a SIGTRAP, the parent process if in wait() state, will get a signal. The parent issues a SIGSTOP to hold current state of child and can access the registers and memory of child using PEEKDATA and alter the values in register and memory using POKEDATA. Once the required job is done, parent will allow the child to run with a SIGCONT signal. Since one can access registers, the next instruction to be executed can be easily found using instruction pointer, this comes in handy when we need to set breakpoints while debugging. The entire code base can also be changed using ptrace. PTRACE_ATTACH attaches a running process. It does some hack to become
1 comment
Read more