Re: How do containers tie to multiple IP's on a NIC?

[Whit Blauvelt <whit-M6G8SDWvnhfby3iVrkZq2A@public.gmane.org>]

On Sun, Jul 04, 2010 at 09:49:31PM +0200, Daniel Lezcano wrote:

> Well  ... please don't consider what I will suggest as "preaching
> for its parish" ;)

In English, "Preaching to the choir."

> I would recommend to use the lxc tools, preferably the 0.7.1
> version. 

Will do.

> These tools allow to do what you are expecting that is assign several Ip
> addresses to the same virtual nic.

Ah, then what I need to understand is the relationship of the virtual NIC to
the real NIC. That is, some of what I set up is multi-purpose boxes, where
the single machine functions as an iptables firewall, perhaps multi-homed to
two ISPs, with 3 real NICs, one for the IP block assigned by each ISP, and
one for the LAN - which might also have more than on IP on it. But these
aren't just firewalls. They tend to serve a website or two, perhaps ftp,
smtp, dns - spread over serveral of the IPs. They're also doing SNAT and
DNAT for systems behind them.

It would make all sorts of sense to be adding containers to these systems,
in terms of security, isolation, and the flexibility to easily migrate
services to other servers. But unlike the more usual virtualization
instance, where someone has a dozen different boxes and wants to consolidate
them, I'm already fully consolidated. What I need to do is split things
apart more, so they can go into containers, but still consolidated on boxes
which continue to be multi-purpose, and where each single NIC may have over
a dozen IPs assigned to it, but as a rule from within a single block per
NIC.

I've seen discussions elsewhere (using Google to try to find hints for this)
where people have given a machine two IPs on the same LAN by actually using
two physical NICs (and then need to play STP tricks). My attitude is "Why
use two pieces of hardware where one can do the job?"

Time for some trial-and-error with lxc tools.

Regards,
Whit