This series does the bare minimum required to support the network interface type=direct for LXC containers, using macvlan devices as the implementation. There is a slight complication though...

For bridged container NICs we create a veth pair of devices. One of the devices lives host side, and is enslaved in a bridge. The other veth device gets moved to the container namespace to form the eth0. So we have both a host- and container-side device visible.

For direct container NICs we create a macvlan device, which is moved to the container namespace. There is no host side interface that is dedicated for the container - only the general ethernet device the macvlan is bound to.

Since there is no host side interface for the container we are unable to create network filter rules, or network bandwidth controls. In addition, while we could perform the 802.1Qb{gh} association during container startup, before moving the macvlan device to the container namespace, we can't perform any disassociation on container shutdown. By the time we see the container has shut down, the macvlan device has already been killed off.

The inability to set up iptables/tc rules against devices that are only visible in the container namespace is arguably a flaw in the Linux kernel's namespace code support for iptables/tc. There ought to be a syntax for iptables/tc to write rules which affect NICs in other namespaces.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
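The two plumbing sequences the mail contrasts, written out as an added shell example (this is not code from the mail or from libvirt's LXC driver). The bridge name br0, physical device eth0, container PID 1234 and device names vnet0/mv0 are illustrative assumptions, as are the tc and iptables rules, which only exist to show where a host-side hook is and is not available. With DRY_RUN=1 (the default here) the ip/tc/iptables commands are printed instead of executed, so the script can be read and tested without root; set DRY_RUN=0 to actually run it.

```shell
#!/bin/sh
# Added example: bridged (veth) vs direct (macvlan) container NIC setup.
# DRY_RUN=1 prints each command instead of running it (needs no root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridged NIC: create a veth pair, enslave the host end in BRIDGE, move the
# peer into the container's network namespace and rename it eth0 there.
# Because HOST_IF stays in the host namespace, filter and shaping rules can
# be attached to it (rule contents are illustrative).
bridged_nic() {
    bridge=$1; pid=$2; host_if=$3
    run ip link add "$host_if" type veth peer name "${host_if}-c"
    run ip link set "$host_if" master "$bridge" up
    run ip link set "${host_if}-c" netns "$pid"
    run nsenter -t "$pid" -n ip link set "${host_if}-c" name eth0 up
    run tc qdisc add dev "$host_if" root tbf rate 10mbit burst 32kbit latency 400ms
    run iptables -A FORWARD -m physdev --physdev-in "$host_if" -j ACCEPT
}

# Direct NIC: create a macvlan bound to the physical device PHYS and move the
# whole device into the container's namespace. After the "netns" step no
# container-specific device remains on the host, so there is nothing for
# "tc qdisc add dev ..." or an iptables match to refer to; the host only
# sees PHYS, which is shared with every other macvlan on it.
direct_nic() {
    phys=$1; pid=$2; mv_if=$3
    run ip link add link "$phys" name "$mv_if" type macvlan mode bridge
    run ip link set "$mv_if" netns "$pid"
    run nsenter -t "$pid" -n ip link set "$mv_if" name eth0 up
}

# Usage with the assumed names; prints the command sequences in dry-run mode.
bridged_nic br0 1234 vnet0
echo
direct_nic eth0 1234 mv0
```

The asymmetry the mail describes is visible in the output: the bridged sequence has a device (vnet0) that both the tc and iptables lines can name, while the direct sequence ends with the `netns` move and has no host-side line to add a rule to.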