Managing LXC containers in EC2

Question

I have an EC2 instance running inside a VPC. I need to run a service inside a LXC container started in that instance and to make the service available to the outside world.

I have therefore created a bridge (br0) and used the following /etc/network/interfaces file to get the IP address provided by EC2 (10.0.3.1) associated to the bridge:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet manual

auto br0
iface br0 inet dhcp
  netmask 255.255.0.0
  bridge_ports eth1
  bridge_stp off
  bridge_maxwait 0
  post-up brctl setfd br0 0

This is what I get from ifconfig:

br0       Link encap:Ethernet  HWaddr 16:2b:ae:07:29:82  
          inet addr:10.0.3.1  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::142b:aeff:fe07:2982/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1026 (1.0 KB)  TX bytes:1238 (1.2 KB)

eth0      Link encap:Ethernet  HWaddr 16:2b:ae:0a:db:b6  
          inet addr:10.0.67.62  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::142b:aeff:fe0a:dbb6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:217 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:25889 (25.8 KB)  TX bytes:23330 (23.3 KB)
          Interrupt:27 

eth1      Link encap:Ethernet  HWaddr 16:2b:ae:07:29:82  
          inet6 addr: fe80::142b:aeff:fe07:2982/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1222 (1.2 KB)  TX bytes:1798 (1.7 KB)
          Interrupt:28 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The problem here is that I cannot reach the LXC container, which has IP address 10.0.3.2:

user@ip-10-0-67-62:~$ ping 10.0.3.2
PING 10.0.3.2 (10.0.3.2) 56(84) bytes of data.
From 10.0.67.62 icmp_seq=1 Destination Host Unreachable
...

Any hint or suggestion on how to debug this would be much appreciated.

UPDATE: Output from ip route:

$ ip route
default via 10.0.0.1 dev eth0  metric 100 
10.0.0.0/16 dev eth0  proto kernel  scope link  src 10.0.67.62
10.0.0.0/16 dev br0  proto kernel  scope link  src 10.0.3.1

UPDATE: Output from iptables -nvL:

$ iptables -nvL
Chain INPUT (policy DROP 13 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 2195  129K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
88029  130M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 26680 packets, 1669K bytes)
 pkts bytes target     prot opt in     out     source               destination

What's the output of `ip route ` and `iptables -nvL`? – mgorven Mar 15 '13 at 17:28 — mgorven, Mar 15 '13 at 17:28
Question updated with the information you've requested. – Roberto Aloi Mar 15 '13 at 19:07 — Roberto Aloi, Mar 15 '13 at 19:07

Brigo · Answer 1 · 2013-03-15T19:41:11.377

This bridge connect the lxc container with the server hosts, but it has not networking output.

So you can forward the traffic form eth0 to br0 with iptables or tunnels.

the ips that you show are the host, the guest system has other ip that you have to configure, The container is other host, with other network interface connected with a virtual private network.

internet <------>eth0 (host) br0 <---virtual private network >---< eth0(container)

Managing LXC containers in EC2

1 Answers1

Linked