
Debian Virtualization: LXC Network Isolation - barabum
http://l3net.wordpress.com/2013/08/25/debian-virtualization-lxc-network-isolation/
======
justincormack
It's much easier to just start using ipv6 once you start assigning interfaces
to VMs and lxc boxes.

Although there are still a few services on ipv4 only. Github, I am looking at
you.

------
__mp
It's a pretty easy thing to do with libvirt. I usually create a nginx vhost
that routes websites to different virtual machines.

These virtual machines usually run one application, are managed by puppet and
are sometimes located on different subnets.

------
senthilnayagam
I believe Docker creates a bridge network as well for LXC

------
contingencies
The _network setup_ graphic here is misleading in that the actual delineation
between the network resources on the guest and host is something that occurs
through _network namespaces_, and has nothing to do with the IP addressing
pictured.

The bridge layer here is dubious. The author routes from that elsewhere at
layer 3 using iptables, though in practice other people often join a real
network interface to the same bridge as guests to grant external connectivity,
resulting in a proxy-ARP type situation. IMHO there's little point in using
bridges in either case ... it's better to just do iptables from the guest
_veth_ interface directly. Why? Unexpected Layer 2 interactions at the bridging
device, either between host and guest or between multiple guests, are avoided.
In addition, uptime is _instant_ versus _sometimes delayed_ (depending upon
spanning tree configuration and other such ancient ethernetty-cruft). Finally,
by keeping in-container connectivity assumptions at layer 3 you ensure greater
portability to alternative virtualization platforms and/or cloud-based
providers.

In short, great to see more people experimenting with LXC, but consider not
doing the connectivity this way.
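The bridge-free, layer-3-only setup contingencies argues for above, as an added example that is not code from this thread or from the linked post: one veth pair per container, point-to-point addressing between host and guest, and iptables FORWARD rules keyed on the guest's veth so containers cannot reach each other. The 10.0.3.0/24 range, the "ct<N>" naming scheme and eth0 as the in-container interface are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked post: one veth pair
# per container, a /32 on the guest side, a point-to-point route on the host
# side and no bridge, with iptables FORWARD rules keyed on the veth name.
# The 10.0.3.0/24 range, the "ct<N>" naming and eth0 inside the container
# are assumptions. Needs root, iproute2 and iptables.

HOST_ADDR=10.0.3.1   # assumed address on every host-side veth end
NET_PREFIX=10.0.3    # assumed container range: container N gets 10.0.3.N

guest_addr() { printf '%s.%s\n' "$NET_PREFIX" "$1"; }   # guest address for container N
host_veth()  { printf 'veth-ct%s\n' "$1"; }             # host-side veth name for container N

# FORWARD rules for one container: no forwarding to other containers' veths,
# only the container's own source address may leave, replies may come back,
# everything else arriving on that veth is dropped. Printed so they can be
# reviewed or piped to sh.
isolation_rules() {
    v=$(host_veth "$1"); a=$(guest_addr "$1")
    printf 'iptables -A FORWARD -i %s -o veth-ct+ -j DROP\n' "$v"
    printf 'iptables -A FORWARD -i %s -s %s/32 ! -o veth-ct+ -j ACCEPT\n' "$v" "$a"
    printf 'iptables -A FORWARD -o %s -d %s/32 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$v" "$a"
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$v"
}

# Bring up container N as a network namespace (standing in for the LXC
# container) with routed, bridge-free connectivity to the host.
container_up() {
    n=$1; v=$(host_veth "$n"); a=$(guest_addr "$n"); ns="ct$n"
    ip netns add "$ns"
    ip link add "$v" type veth peer name "tmp$n"
    ip link set "tmp$n" netns "$ns"
    ip netns exec "$ns" ip link set "tmp$n" name eth0
    ip addr add "$HOST_ADDR" peer "$a/32" dev "$v"      # host end: point-to-point to the guest
    ip link set "$v" up
    ip netns exec "$ns" ip addr add "$a" peer "$HOST_ADDR/32" dev eth0
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" ip link set eth0 up
    ip netns exec "$ns" ip route add default via "$HOST_ADDR" dev eth0
    sysctl -q -w net.ipv4.ip_forward=1
    isolation_rules "$n" | sh
}

# Usage as root: sh lxc-l3.sh up 2   (creates namespace ct2 at 10.0.3.2)
if [ "${1:-}" = up ]; then container_up "$2"; fi
```

The upstream side (NAT or a route to 10.0.3.0/24 on the host's real interface) is left to the host's existing iptables setup, which is exactly where the comment says that policy belongs.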

