LXC container networking

I have just started experimenting with LXC containers. I can create a container and start it, but I cannot get DHCP to assign the container an IP address. If I assign a static address, the container can ping the host IP, but it cannot ping anything beyond the host IP.

The host is CentOS 6.5 and the guest is Ubuntu 14.04 LTS; I am using the template fetched with the lxc-create -t download -n cn-01 command.

Since I am trying to get an IP address on the same subnet as the host, I don't think I need the iptables rule for masquerading, but I added it anyway. The same goes for IP forwarding.

I compiled LXC by hand from https://linuxcontainers.org/downloads/lxc-1.0.4.tar.gz

Host OS version

#> cat /etc/redhat-release 
CentOS release 6.5 (Final)

#> uname -a
Linux localhost.localdomain 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Container config

#> cat /usr/local/var/lib/lxc/cn-01/config 
# Template used to create this container: /usr/local/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Distribution configuration
lxc.include = /usr/local/share/lxc/config/ubuntu.common.conf
lxc.arch = x86_64

# Container specific configuration
lxc.rootfs = /usr/local/var/lib/lxc/cn-01/rootfs
lxc.utsname = cn-01

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0

LXC default.conf

#> cat /usr/local/etc/lxc/default.conf 
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up


#> lxc-checkconfig 
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-2.6.32-431.20.3.el6.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: /usr/local/bin/lxc-checkconfig: line 103: [: too many arguments
enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: /usr/local/bin/lxc-checkconfig: line 118: [: -gt: unary operator expected

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/local/bin/lxc-checkconfig

Network configuration (host)

#> cat /etc/sysconfig/network-scripts/ifcfg-br0 
DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
ONBOOT=yes

#> cat /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE=eth0
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
BRIDGE=br0

#> cat /etc/networks 
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0


#> ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:12:30:f2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fe12:30f2/64 scope link 
       valid_lft forever preferred_lft forever
3: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
    link/ether 42:7e:43:b3:61:c5 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 00:0c:29:12:30:f2 brd ff:ff:ff:ff:ff:ff
    inet 10.60.70.121/24 brd 10.60.70.255 scope global br0
    inet6 fe80::20c:29ff:fe12:30f2/64 scope link 
       valid_lft forever preferred_lft forever
12: vethT6BGL2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fe:a1:69:af:50:17 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fca1:69ff:feaf:5017/64 scope link 
       valid_lft forever preferred_lft forever


#> brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.000c291230f2   no      eth0
                        vethT6BGL2
pan0        8000.000000000000   no  

#> cat /proc/sys/net/ipv4/ip_forward 
1

# Generated by iptables-save v1.4.7 on Fri Jul 11 15:11:36 2014
*nat
:PREROUTING ACCEPT [34:6287]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Fri Jul 11 15:11:36 2014

Network configuration (container)

#> cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

#> ip a s
11: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:69:fb:42:ee:d7 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::69:fbff:fe42:eed7/64 scope link 
       valid_lft forever preferred_lft forever
13: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

Answer 1

Try this (source: http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge#No_traffic_gets_trough_.28except_ARP_and_STP.29):

No traffic gets through (except ARP and STP)

Your kernel probably has Ethernet filtering (ebtables, bridge-nf, arptables) enabled and the traffic is being filtered. The simplest way to disable this is to go to /proc/sys/net/bridge. Check whether the bridge-nf-* entries there are set to 1; if they are, set them to zero and try again.

 cd /proc/sys/net/bridge
 ls bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-filter-vlan-tagged
 for f in bridge-nf-*; do echo 0 > $f; done
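As an added check to go with the answer above (example code written for this page, not part of the original answer or of the linked wiki), the snippet below first reports which bridge-nf-* entries are actually set to 1 before anything is written, and only then clears them. The directory is a parameter so the functions can be exercised against a constructed stand-in; on a real host the default /proc/sys/net/bridge is used and the write step needs root.

```shell
#!/bin/sh
# Added example, not from the original answer. Inspect the bridge-nf-call-*
# sysctls before changing them, so you know which netfilter hooks you are
# switching off for bridged traffic.

# Print every bridge-nf-* entry whose value is 1. Returns 0 when at least one
# entry is enabled (bridged frames are being handed to the netfilter hooks),
# 1 when none is.
bridge_nf_enabled() {
    dir="${1:-/proc/sys/net/bridge}"
    found=1
    for f in "$dir"/bridge-nf-*; do
        [ -r "$f" ] || continue          # no match: the glob stays literal
        if [ "$(cat "$f")" = "1" ]; then
            echo "$(basename "$f")=1"
            found=0
        fi
    done
    return "$found"
}

# Write 0 to every bridge-nf-* entry, which is what the answer suggests.
# Caveat for the host firewall: with bridge-nf-call-iptables=0 the host's
# iptables rules no longer see traffic that crosses br0, so filtering of
# container traffic then has to happen in ebtables or inside the container.
bridge_nf_disable() {
    dir="${1:-/proc/sys/net/bridge}"
    for f in "$dir"/bridge-nf-*; do
        [ -w "$f" ] || continue
        echo 0 > "$f"
    done
}

# Constructed stand-in for /proc/sys/net/bridge (values chosen for the
# demonstration) so the functions can be run without root or a real bridge.
make_fake_bridge_sysctl() {
    d=$(mktemp -d)
    echo 1 > "$d/bridge-nf-call-arptables"
    echo 1 > "$d/bridge-nf-call-iptables"
    echo 0 > "$d/bridge-nf-call-ip6tables"
    echo 0 > "$d/bridge-nf-filter-vlan-tagged"
    echo "$d"
}
```

Run bridge_nf_enabled with no argument on the host to see the live values; if it prints nothing, the bridge-nf hooks are not what is eating the container's DHCP traffic and the answer's fix will not change anything.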

Answer 2

This is a limitation of the virtualized network you are using under VMware. A bridge makes it possible for VMs to appear on the network with their own MACs, but the hypervisor knows nothing about these extra MACs. Under VirtualBox this can be fixed by going into the VM's network settings and allowing promiscuous mode on the bridged interface. A similar option exists in VMware, involving setting the permissions of the vmnet interface. You can also create a new VM in VirtualBox using the existing VMDK disk file from VMware.
