Hi everybody,
I am currently working on isolation between the container and the host.
During this process, I am trying to remove as many capabilities as possible from the containers.
One of the capabilities I am currently blocked on is CAP_NET_ADMIN: "Perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables)."
In order to be able to drop this capability, the network configuration should be done from outside the container. With lxc < 0.8, we are unable to set the default gateway in the container configuration file. This has been added since.
Do you think I can rely on users having lxc > 0.8 and use this feature?
If not, I am not sure how I can proceed.
I tried a configuration in which we make the container believe that the whole internet is accessible without a router, by activating routing and proxy ARP on the host. I'm currently stuck on this approach. The problem is that when I set the IP to, for example, "10.0.3.10/0", I don't get the route set (the same behavior appears with "ip addr add 10.0.3.10/0 dev eth0").
Here is what I expect to have:
~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    0      0        0 eth0
For information, I got this behavior on Ubuntu 12.04 with a 3.2.0-29 kernel.
If I manually add this default route inside the container, this works, but it can't be done without the NET_ADMIN capability.
What do you think about this? Is lxc >= 0.8 OK? Do you know of another solution? Should we give NET_ADMIN capabilities?
Max
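
A check for the approach discussed in this post, as an added example that is not part of the original message or of LXC itself: it audits a container config to confirm that net_admin is dropped and that the address and default gateway are set from the host side, so nothing has to be configured inside the container. The sample config, its addresses and the bridge name are constructed for illustration, and the function names are hypothetical; the keys are the lxc.network.* names used by the 0.8-era config format.

```python
import ipaddress

# Constructed sample config (LXC 0.8-era lxc.network.* keys);
# container name, addresses and bridge name are assumptions for illustration.
SAMPLE_CONFIG = """\
lxc.utsname = web1
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.ipv4 = 10.0.3.10/24
lxc.network.ipv4.gateway = 10.0.3.1
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop = net_admin
"""

def parse(text):
    """Return {key: [values]}; a key such as lxc.cap.drop may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def audit(text):
    """List reasons the container would still need CAP_NET_ADMIN or lack a route."""
    conf = parse(text)
    findings = []
    dropped = {cap.lower() for v in conf.get("lxc.cap.drop", []) for cap in v.split()}
    if "net_admin" not in dropped:
        findings.append("net_admin is not in lxc.cap.drop")
    addrs = conf.get("lxc.network.ipv4", [])
    gws = conf.get("lxc.network.ipv4.gateway", [])
    if not addrs:
        findings.append("no lxc.network.ipv4 address set from the host side")
    if not gws:
        findings.append("no lxc.network.ipv4.gateway: default route must be added inside")
    for addr, gw in zip(addrs, gws):
        # The value may carry an optional broadcast address after the CIDR.
        iface = ipaddress.ip_interface(addr.split()[0])
        if iface.network.prefixlen == 0:
            findings.append(f"{addr}: /0 prefix, the case the post reports as leaving no route")
        elif gw != "auto" and ipaddress.ip_address(gw) not in iface.network:
            findings.append(f"gateway {gw} is not on-link for {iface.network}")
    return findings
```

An empty list from audit() means the config both drops net_admin and supplies an on-link default gateway from outside the container.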