On Thursday, 20.07.2017, 15:00 +0200, Wolfgang Bumiller wrote:
> On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote:
> >
> > Hi there,
> >
> > I'm currently evaluating the PVE environment as a replacement for my
> > custom KVM+LXC+DRBD setup I'm running so far.
> >
> > Playing with (privileged) containers I figured that IP configuration is
> > always done from inside the container.
> >
> > My usual setup is setting the (static) IP of the container from the
> > outside (and applying firewall rules) and dropping capabilities for the
> > container itself so this can't be changed from inside the container.
> >
> > Currently this seems to be impossible with PVE as it comes.
> >
> > Attached is a little patch that sets the IP from the 'outside' (if
> > defined as a static one). Once I manually add the lxc.cap.drop lines to
> > the CT config, I can't change this from the inside anymore.
> >
> > It's only for IPv4 (can't test v6 on this setup) but I think it's
> > rather trivial to add this.
> >
> > Unless you drop net_admin the CT will still be able to change
> > networking and behave like before - or work with DHCP.
> No objection to adding this as a separate option.
>
> There's still the idea of adding feature flags to containers floating
> around (initially for allowing things like fuse or mounting of network
> shares (nfs, cifs)), and this would definitely be another useful flag
> to add.
>
> Note that dropping net_admin also prevents containers from configuring
> their inner firewall or using tunnels/vpns/etc., so it would definitely
> need to be a separate option rather than a general change of behavior
> like in this patch, but you probably know that.
As far as I can see this patch alone wouldn't change the normal behavior:

step 1) lxc sets the IP from outside
step 2) the container itself sets/overrides the IP from the inside.

Only if I manually add

  lxc.cap.drop = net_admin

to the config of the container will it prevent step 2.

Preventing the container from messing with networking/firewall settings is
exactly why I want/need this.

A feature switch for this (maybe even in the UI) would be nice too, but
that's far beyond my 2 days' knowledge of playing with pve :)

Tom
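The host-side check that the approach in this thread relies on, added here as an example (not code from the thread, from the attached patch or from Proxmox): it reads the capability masks the kernel prints in /proc/<pid>/status for the container's init and reports whether net_admin is cleared from the bounding set, which is what `lxc.cap.drop = net_admin` should leave behind. The two status dumps are constructed samples, and the pid passed to check_container_init is assumed to be the container's init as seen from the host.

```python
import re

CAP_NET_ADMIN = 12  # bit index of CAP_NET_ADMIN in linux/capability.h

def parse_caps(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into int bitmasks."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps

def has_cap(mask, cap_bit):
    """True if the capability with index cap_bit is set in mask."""
    return (mask >> cap_bit) & 1 == 1

def net_admin_dropped(status_text):
    """True only if CAP_NET_ADMIN is absent from the bounding set (CapBnd).

    The bounding set is the one to check: a capability removed from it
    cannot be regained inside the container, not even by exec'ing a
    setcap'd or setuid binary. A clear CapEff alone proves nothing.
    """
    caps = parse_caps(status_text)
    if "CapBnd" not in caps:
        raise ValueError("no CapBnd line; not a /proc/<pid>/status dump?")
    return not has_cap(caps["CapBnd"], CAP_NET_ADMIN)

def check_container_init(init_pid):
    """Run the check on a live process. init_pid is assumed to be the
    container's init as seen from the host (e.g. from lxc-info -p)."""
    with open(f"/proc/{init_pid}/status") as f:
        return net_admin_dropped(f.read())

# Constructed sample dumps (only the lines the check needs): the full
# bounding set of a 38-capability kernel, and the same set with
# net_admin dropped as lxc.cap.drop = net_admin would leave it.
FULL_SET = (1 << 38) - 1
FULL_WITHOUT_NET_ADMIN = FULL_SET & ~(1 << CAP_NET_ADMIN)
SAMPLE_DEFAULT = f"Name:\tinit\nCapEff:\t{FULL_SET:016x}\nCapBnd:\t{FULL_SET:016x}\n"
SAMPLE_DROPPED = (f"Name:\tinit\nCapEff:\t{FULL_WITHOUT_NET_ADMIN:016x}\n"
                  f"CapBnd:\t{FULL_WITHOUT_NET_ADMIN:016x}\n")

if __name__ == "__main__":
    print("default config:", net_admin_dropped(SAMPLE_DEFAULT))  # False
    print("net_admin dropped:", net_admin_dropped(SAMPLE_DROPPED))  # True
```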