[pve-devel] Request for improvement of Network handling regarding LXC

Tom Weber pve at junkyard.4t2.com
Thu Jul 20 13:22:58 CEST 2017


Hi there,

I'm currently evaluating the PVE environment as a replacement for my
custom KVM+LXC+DRBD setup I'm running so far.

Playing with (privileged) containers I figured that IP configuration is
always done from inside the container.

My usual setup is setting the (static) IP of the container from the
outside (and applying firewall rules) and dropping capabilities for the
container itself so this can't be changed from inside the container.

Currently this seems to be impossible with PVE as it comes.

Attached is a little patch that sets the IP from the 'outside' (if
defined as a static one). Once I manually add the lxc.cap.drop lines to
the CT config, I can't change this from the inside anymore.

It's only for IPv4 (can't test v6 on this setup) but I think it's
rather trivial to add this.

Unless you drop net_admin the CT will still be able to change
networking and behave like before - or work with DHCP.

Regards,
  Tom

--- /usr/share/perl5/PVE/LXC.pm.orig	2017-07-20 12:03:52.949344829 +0200
+++ /usr/share/perl5/PVE/LXC.pm	2017-07-20 14:12:09.022119871 +0200
@@ -428,6 +428,11 @@
 	$raw .= "lxc.network.type = veth\n";
 	$raw .= "lxc.network.veth.pair = veth${vmid}i${ind}\n";
 	$raw .= "lxc.network.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
+	if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) {
+		$raw .= "lxc.network.ipv4 = $d->{ip}\n";
+		$raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if defined($d->{gw});
+		$raw .= "lxc.network.flags = up\n" if defined($d->{ip});
+	}
 	$raw .= "lxc.network.name = $d->{name}\n" if defined($d->{name});
 	$raw .= "lxc.network.mtu = $d->{mtu}\n" if defined($d->{mtu});
     }
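Review bot: the `ne "dhcp"` test on the first added line excludes only `dhcp`, but PVE's `ip=` option also accepts `manual`, which this condition would pass through and write as `lxc.network.ipv4 = manual`, an invalid address for LXC; test for an actual CIDR address instead of excluding one keyword. The `if defined($d->{ip})` guard on the `lxc.network.flags = up` line is redundant inside a block that already requires `$d->{ip}` to be defined and can be dropped. Note also that, as the cover text says, this only sets an initial address: it is not enforced against the container until `lxc.cap.drop` removes `net_admin`, which the hunk does not add, and IPv6 is acknowledged as not covered, so both points should be stated in the commit message.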
