* container-to-host virtual or loopback kind of interface support
@ 2009-04-08 22:49 Elwin Stelzer Eliazer
       [not found] ` <638f07d70904081549h442c4bb0l401fa08f4980b217-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Elwin Stelzer Eliazer @ 2009-04-08 22:49 UTC (permalink / raw)
  To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Hi,

I am trying to use network namespace for virtualizing some socket
applications I already have.
These applications interact with Apache through 'lo' 127.0.0.1:nnn sockets
now.
When I virtualize, I do not want to run Apache inside the container; it has
to be outside.
I cannot use any non-127.x.x.x IP address for this purpose, or have any
separate "host-only" kind of internal network.
I would appreciate it if someone could let me know the options I have to
accomplish this, with network namespace, and 2.6.29 or 2.6.30.

Thanks.

cheers,
Elwin.


* Re: container-to-host virtual or loopback kind of interface support
       [not found] ` <638f07d70904081549h442c4bb0l401fa08f4980b217-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2009-04-09 13:57   ` Serge E. Hallyn
       [not found]     ` <20090409135724.GA26467-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Serge E. Hallyn @ 2009-04-09 13:57 UTC (permalink / raw)
  To: Elwin Stelzer Eliazer
  Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Quoting Elwin Stelzer Eliazer (stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> Hi,
> 
> I am trying to use network namespace for virtualizing some socket
> applications i already have.
> These applications interact with Apache through 'lo' 127.0.0.1:nnn sockets
> now.
> When i virtualize, i do not want to run Apache inside the container, and has
> to be outside.
> I can not use any non-127.x.x.x IP address for this purpose, or have any
> separate "host-only" kind of internal network.
> I would appreciate if someone can let me know the options i have to
> accomplish this, with network namespace, and 2.6.29 or 2.6.30.

So to be clear, what you want is to have an application in a separate
network namespace from apache, but talking over a shared loopback?

Can you use a veth tunnel pair?  You don't have to tie them to a
bridge so the socket app won't be on the public net.

-serge


* Re: container-to-host virtual or loopback kind of interface support
       [not found]     ` <20090409135724.GA26467-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
@ 2009-04-09 16:00       ` Elwin Stelzer Eliazer
       [not found]         ` <D02204CF-796A-45F5-B9A2-5B581EB52A2F-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Elwin Stelzer Eliazer @ 2009-04-09 16:00 UTC (permalink / raw)
  To: Serge E. Hallyn; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA


On Apr 9, 2009, at 6:57 AM, "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:

> Quoting Elwin Stelzer Eliazer (stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
>> Hi,
>>
>> I am trying to use network namespace for virtualizing some socket
>> applications i already have.
>> These applications interact with Apache through 'lo' 127.0.0.1:nnn  
>> sockets
>> now.
>> When i virtualize, i do not want to run Apache inside the  
>> container, and has
>> to be outside.
>> I can not use any non-127.x.x.x IP address for this purpose, or  
>> have any
>> separate "host-only" kind of internal network.
>> I would appreciate if someone can let me know the options i have to
>> accomplish this, with network namespace, and 2.6.29 or 2.6.30.
>
> So to be clear, what you want is to have an application in a separate
> network namespace from apache, but talking over a shared loopback?
>

Yes. But I am not very specific about the loopback.

> Can you use a veth tunnel pair?  You don't have to tie them to a
> bridge so the socket app won't be on the public net.
>
> -serge

Yes, I can do without the bridge. But what IP address for the veth? Can
it be a 127.x.x.x? My solution cannot have a regular public or private
IP that can interfere with external network. The reason I mentioned
bridge was it will reduce the IP subnet needed to one. If you can
suggest a solution that leverages 127.x.x.x it will be useful.

Thanks,
Elwin.


* Re: container-to-host virtual or loopback kind of interface support
       [not found]         ` <D02204CF-796A-45F5-B9A2-5B581EB52A2F-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2009-04-09 19:14           ` Serge E. Hallyn
       [not found]             ` <20090409191402.GA561-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Serge E. Hallyn @ 2009-04-09 19:14 UTC (permalink / raw)
  To: Elwin Stelzer Eliazer
  Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Quoting Elwin Stelzer Eliazer (stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
>
> On Apr 9, 2009, at 6:57 AM, "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:
>
>> Quoting Elwin Stelzer Eliazer (stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
>>> Hi,
>>>
>>> I am trying to use network namespace for virtualizing some socket
>>> applications i already have.
>>> These applications interact with Apache through 'lo' 127.0.0.1:nnn  
>>> sockets
>>> now.
>>> When i virtualize, i do not want to run Apache inside the container, 
>>> and has
>>> to be outside.
>>> I can not use any non-127.x.x.x IP address for this purpose, or have 
>>> any
>>> separate "host-only" kind of internal network.
>>> I would appreciate if someone can let me know the options i have to
>>> accomplish this, with network namespace, and 2.6.29 or 2.6.30.
>>
>> So to be clear, what you want is to have an application in a separate
>> network namespace from apache, but talking over a shared loopback?
>>
>
> Yes. But I am not very specific about the loopback.
>
>> Can you use a veth tunnel pair?  You don't have to tie them to a
>> bridge so the socket app won't be on the public net.
>>
>> -serge
>
> Yes I can do without the bridge. But what IP address for the veth? Can  
> it be a 127.x.x.x? My solution cannot have a regular public or private  
> ip that can interfere with external network. The reason I mentioned  
> bridge was it will reduce the ip subnet needed to one. If you can  
> suggest a solution that leverages 127.x.x.x it will be useful.

Actually is there any reason you can't use a unix socket?

-serge


* Re: container-to-host virtual or loopback kind of interface support
       [not found]             ` <20090409191402.GA561-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
@ 2009-04-09 23:28               ` Elwin Stelzer Eliazer
       [not found]                 ` <638f07d70904091628o25d11b95oa8614a0585df4cf5-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Elwin Stelzer Eliazer @ 2009-04-09 23:28 UTC (permalink / raw)
  To: Serge E. Hallyn; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

On Thu, Apr 9, 2009 at 12:14 PM, Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:

> Quoting Elwin Stelzer Eliazer (stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> >
> > On Apr 9, 2009, at 6:57 AM, "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:
> >
> >> Quoting Elwin Stelzer Eliazer (stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> >>> Hi,
> >>>
> >>> I am trying to use network namespace for virtualizing some socket
> >>> applications i already have.
> >>> These applications interact with Apache through 'lo' 127.0.0.1:nnn
> >>> sockets
> >>> now.
> >>> When i virtualize, i do not want to run Apache inside the container,
> >>> and has
> >>> to be outside.
> >>> I can not use any non-127.x.x.x IP address for this purpose, or have
> >>> any
> >>> separate "host-only" kind of internal network.
> >>> I would appreciate if someone can let me know the options i have to
> >>> accomplish this, with network namespace, and 2.6.29 or 2.6.30.
> >>
> >> So to be clear, what you want is to have an application in a separate
> >> network namespace from apache, but talking over a shared loopback?
> >>
> >
> > Yes. But I am not very specific about the loopback.
> >
> >> Can you use a veth tunnel pair?  You don't have to tie them to a
> >> bridge so the socket app won't be on the public net.
> >>
> >> -serge
> >
> > Yes I can do without the bridge. But what IP address for the veth? Can
> > it be a 127.x.x.x? My solution cannot have a regular public or private
> > ip that can interfere with external network. The reason I mentioned
> > bridge was it will reduce the ip subnet needed to one. If you can
> > suggest a solution that leverages 127.x.x.x it will be useful.
>
> Actually is there any reason you can't use a unix socket?
>
> -serge
>

Apache listens on IP sockets.
I am proceeding with a solution having a process outside container that will
relay IPC messages to the network space sockets outside the container into
127.x.x.x.

I have another question on netfilter/iptables under namespace; will post it
on a separate thread.

Thanks for your answers.

cheers,
Elwin.


* Re: container-to-host virtual or loopback kind of interface support
       [not found]                 ` <638f07d70904091628o25d11b95oa8614a0585df4cf5-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2009-04-25  7:27                   ` Eric W. Biederman
       [not found]                     ` <m1iqktw5uq.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Eric W. Biederman @ 2009-04-25  7:27 UTC (permalink / raw)
  To: Elwin Stelzer Eliazer
  Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Elwin Stelzer Eliazer <stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>
> Apache listens on IP sockets.
> I am proceeding with a solution having a process outside container that will
> relay IPC messages to the network space sockets outside the container into
> 127.x.x.x.

You can also just pass in the socket if you want.

> I have another question on netfilter/iptables under namespace; will post it
> on a separate thread.
>
> Thanks for your answers.

Eric


* Re: container-to-host virtual or loopback kind of interface support
       [not found]                     ` <m1iqktw5uq.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
@ 2009-04-25 14:38                       ` Elwin Stelzer Eliazer
       [not found]                         ` <638f07d70904250738j987ed6j685372651346634a-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Elwin Stelzer Eliazer @ 2009-04-25 14:38 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Can you explain your answer more on what you refer as "pass in the socket"? To
my understanding, apache listens only on TCP/IP sockets.

thanks,
Elwin.


* Re: container-to-host virtual or loopback kind of interface support
       [not found]                         ` <638f07d70904250738j987ed6j685372651346634a-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2009-04-25 18:51                           ` Eric W. Biederman
       [not found]                             ` <m1k558va5u.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Eric W. Biederman @ 2009-04-25 18:51 UTC (permalink / raw)
  To: Elwin Stelzer Eliazer
  Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Elwin Stelzer Eliazer <stelzere@gmail.com> writes:

> Can you explain your answer more on what you refer as "pass in the socket"? 
> To my understanding, apache listens only on TCP/IP sockets.

I don't know your entire workflow, and I wasn't talking about modifying
apache.

However it is possible to pass sockets between network namespaces if you
do the proper things when you set them up at the beginning.  So instead
of a relay daemon you could open the socket you will use to talk to
apache and pass it to your application, over a unix domain socket,
or if you can possible at the creation of the network namespace.

Eric

* Re: container-to-host virtual or loopback kind of interface support
       [not found]                             ` <m1k558va5u.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
@ 2009-04-26  8:08                               ` Elwin Stelzer Eliazer
       [not found]                                 ` <638f07d70904260108s3ca2eb5cpcbed37d5ba002d42-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Elwin Stelzer Eliazer @ 2009-04-26  8:08 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Thank you for your response.
Let me explain my requirements more, and in this context, I would like to
know your response.

A reverse web and applications proxy is the user space application that we
are virtualizing using network namespace and LXC.
Local apache server and other apps are accessed through several sockets on
127.0.0.1 now and this has to be virtualized.
The proxy under each LXC must handle hundreds of proxied sessions.
The socket connections to local web and other apps server are dynamic, and
correspond to the dynamic external proxy sessions, and these cannot be
created upfront.

I posted two other questions also, for which I never got a response from
this list.

1. Can I have netfilter/iptables rules corresponding to each container, that
has overlapping IP address space? In other words, are netfilter/iptables
rules handling virtualized as part of network namespace? Some preliminary
tests seem to work. How do I know the development or proper release status
on this feature?

2. Can the /dev/tun based PPP interface be part of a container? Like veth or
macvlan what is the type for this?

Looking forward to your suggestions and the options I have for these needs
using LXC/namespace, as of 2.6.29. Do you still think I can avoid the relay
daemon?

Your clear answers on these will be appreciated.

Thanks in advance.

regards,
Elwin.



* Re: container-to-host virtual or loopback kind of interface support
       [not found]                                 ` <638f07d70904260108s3ca2eb5cpcbed37d5ba002d42-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2009-04-26 21:37                                   ` Eric W. Biederman
       [not found]                                     ` <m1fxfvp04e.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Eric W. Biederman @ 2009-04-26 21:37 UTC (permalink / raw)
  To: Elwin Stelzer Eliazer
  Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Elwin Stelzer Eliazer <stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> Thank you for your response.
>
> Let me explain my requirements more, and in this context, i would like to know
> your response.
>
> A reverse web and applications proxy is the user space application that we are
> virtualizing using network namespace and LXC.
> Local apache server and other apps are accessed through several sockets on
> 127.0.0.1 now and this has to be virtualized.
> The proxy under each LXC must handle hundreds of proxied sessions.
> The socket connections to local web and other apps server are dynamic, and
> corresponds to the dynamic external proxy sessions, and these can not be
> created upfront.
>
> I posted two other questions also, for which i never got a response from this
> list.
>
> 1. Can i have netfilter/iptables rules corresponding to each container, that
> has overlapping IP address space? In other words, are netfilter/iptables rules
> handling virtualized as part of network namespace. Some preliminary tests seem
> to work. How do i know the development or proper release status on this
> feature?

Yes.

The easiest way to know the status is to read the code.
Short of that the easiest way to know is to try it.

In the network namespace either the feature should fail gracefully
in a network namespace or after the code has been updated it should
work.

By and large all of ipv4 and ipv6 and iptables is expected to work.

> 2. Can the /dev/tun based PPP interface be part of a container? Like veth or
> macvlan what is the type for this?

Yes.  tun/tap is a well tested path.  ppp looks like it has also been converted.

> Looking forwards for your suggestions and the options i have for these needs
> using LXC/namespace, as of 2.6.29. Do you still think i can avoid the relay
> daemon?

Apache is creating the connections on demand to your client.  Interesting.

I am too familiar with that setup.  In all honesty the easy thing to
do would be to have real ip address on something like the 192.168.0.0/16
network for each virtual machine.

Barring that it is possible to have your proxy receive the connections
and pass them via a unix domain socket created at the beginning of
time to your client.  If you have the proxy already it quite possibly
isn't worth it.

Eric


* Re: container-to-host virtual or loopback kind of interface support
       [not found]                                     ` <m1fxfvp04e.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
@ 2009-04-27 22:00                                       ` Elwin Stelzer Eliazer
       [not found]                                         ` <638f07d70904271500u1f0a13cbif1c5db64bdb520ab-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Elwin Stelzer Eliazer @ 2009-04-27 22:00 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Thanks Eric for your detailed response.
On the PPP interfaces under namespace, how do I configure them under lxc
config? Are there other types like "veth" and "macvlan" for PPP?

And I believe the container app that opens the /dev/tun gets ownership of
the file handle, and several container apps can open this in parallel, and
they do not interfere. Even if the containers do not have separate rootfs,
this is the case. Please confirm on these.

regards,
Elwin.




* Re: container-to-host virtual or loopback kind of interface support
       [not found]                                         ` <638f07d70904271500u1f0a13cbif1c5db64bdb520ab-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2009-04-28  4:19                                           ` Eric W. Biederman
  0 siblings, 0 replies; 12+ messages in thread
From: Eric W. Biederman @ 2009-04-28  4:19 UTC (permalink / raw)
  To: Elwin Stelzer Eliazer
  Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Elwin Stelzer Eliazer <stelzere-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> Thanks Eric for your detailed response.
>
> On the PPP interfaces under namespace, how do i configure them under lxc
> config? Are there other types like "veth" and "macvlan" for PPP?

veth and macvlan are created with
ip link add .... type veth ....
ip link add .... type macvlan ...

ppp is created normally.

I have never run lxc and find its interface inflexible for my needs so I don't
know the specifics there.

> And i believe the container app that opens the /dev/tun gets ownership of the
> file handle, and several container apps can open this in parallel, and they do
> not interfere. Even if the containers do not have separate rootfs, this is the
> case. Please confirm on these.

It is the tun SETIFF ioctl that specifies which interface a tun device connects to.
But yes several tun/tap work just in a container.

 Eric
