Managing LXC containers in EC2

I have an EC2 instance running inside a VPC. I need to run a service inside an LXC container started in that instance and to make the service available to the outside world.

I have therefore created a bridge (br0) and used the following /etc/network/interfaces file to get the IP address provided by EC2 (10.0.3.1) associated with the bridge:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet manual

auto br0
iface br0 inet dhcp
  netmask 255.255.0.0
  bridge_ports eth1
  bridge_stp off
  bridge_maxwait 0
  post-up brctl setfd br0 0

This is what I get from ifconfig:

br0       Link encap:Ethernet  HWaddr 16:2b:ae:07:29:82  
          inet addr:10.0.3.1  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::142b:aeff:fe07:2982/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1026 (1.0 KB)  TX bytes:1238 (1.2 KB)

eth0      Link encap:Ethernet  HWaddr 16:2b:ae:0a:db:b6  
          inet addr:10.0.67.62  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::142b:aeff:fe0a:dbb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:217 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:25889 (25.8 KB)  TX bytes:23330 (23.3 KB)
          Interrupt:27 

eth1      Link encap:Ethernet  HWaddr 16:2b:ae:07:29:82  
          inet6 addr: fe80::142b:aeff:fe07:2982/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1222 (1.2 KB)  TX bytes:1798 (1.7 KB)
          Interrupt:28 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The problem here is that I cannot reach the LXC container, which has IP address 10.0.3.2:

user@ip-10-0-67-62:~$ ping 10.0.3.2
PING 10.0.3.2 (10.0.3.2) 56(84) bytes of data.
From 10.0.67.62 icmp_seq=1 Destination Host Unreachable
...

Any hint or suggestion on how to debug this would be much appreciated.

UPDATE: Output from ip route:

$ ip route
default via 10.0.0.1 dev eth0  metric 100 
10.0.0.0/16 dev eth0  proto kernel  scope link  src 10.0.67.62
10.0.0.0/16 dev br0  proto kernel  scope link  src 10.0.3.1

UPDATE: Output from iptables -nvL:

$ iptables -nvL
Chain INPUT (policy DROP 13 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 2195  129K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
88029  130M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 26680 packets, 1669K bytes)
 pkts bytes target     prot opt in     out     source               destination   

Solution 1:

This bridge connects the LXC container with the server host, but it has no networking output.

So you can forward the traffic from eth0 to br0 with iptables or tunnels.

The IPs that you show are the host's; the guest system has another IP that you have to configure. The container is another host, with another network interface connected to a virtual private network.

internet <------> eth0 (host) br0 <--- virtual private network ---> eth0 (container)
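An added example, not part of the question or the answer above: a small POSIX sh script that first checks "ip route" output for a prefix bound to more than one interface (the question's table has 10.0.0.0/16 on both eth0 and br0, so the kernel sends the ping for 10.0.3.2 out eth0, as the "From 10.0.67.62" reply shows, and the ARP request on eth0 goes unanswered), and then emits the iptables forwarding/NAT rules the answer refers to, publishing one container port and dropping everything else that would be forwarded. Assumed values (constructed): eth0 is the public-facing interface, br0 the container bridge, the container is 10.0.3.2 and the service listens on 8080.

```shell
#!/bin/sh
# Added example, not from the original post. Part 1 flags overlapping routes;
# part 2 prints (does not run) the iptables rules that publish a container
# service on the host's public interface and NAT the container's outbound
# traffic. Assumed: eth0 = WAN side, br0 = bridge, container = 10.0.3.2:8080.

# Taken from the question's "ip route" output.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0  metric 100
10.0.0.0/16 dev eth0  proto kernel  scope link  src 10.0.67.62
10.0.0.0/16 dev br0  proto kernel  scope link  src 10.0.3.1'

# Reads "ip route" output on stdin; prints "<prefix> <dev> <dev> ..." for
# every prefix that is bound to more than one interface (nothing if none).
duplicate_prefixes() {
    awk '
        $1 != "default" {
            for (i = 2; i < NF; i++)
                if ($i == "dev") devs[$1] = devs[$1] " " $(i + 1)
        }
        END {
            for (p in devs)
                if (split(devs[p], d, " ") > 1) print p devs[p]
        }'
}

# Emits the forwarding/NAT rules so they can be reviewed first and then
# applied with:  lxc_rules eth0 br0 10.0.3.2 8080 | sudo sh
# Only the published port is accepted into the bridge; all other forwarded
# traffic towards the container is dropped by the FORWARD policy.
lxc_rules() {
    wan=$1 br=$2 ip=$3 port=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $ip:$port
iptables -t nat -A POSTROUTING -s $ip -o $wan -j MASQUERADE
iptables -A FORWARD -i $wan -o $br -d $ip -p tcp --dport $port -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $br -o $wan -s $ip -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Demo on the question's data: prints "10.0.0.0/16 eth0 br0".
printf '%s\n' "$SAMPLE_ROUTES" | duplicate_prefixes
```

Forwarded packets never traverse the host's INPUT chain, so the DROP policy shown in the question does not block them, but the EC2 security group must still allow the published port.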