9.2.5 About Veth and Macvlan

By default, the lxc-oracle template script configures networking by setting up a veth bridge. In this mode, a container obtains its IP address from the dnsmasq server that libvirtd runs on the private virtual bridge network (virbr0) between the container and the host. The host allows a container to connect to the rest of the network by using NAT rules in iptables, but these rules do not allow incoming connections to the container. Both the host and other containers on the veth bridge have network access to the container via the bridge.

Figure 9.1 illustrates a host system with two containers that are connected via the veth bridge virbr0.

Figure 9.1 Network Configuration of Containers Using a Veth Bridge

The diagram illustrates a host system with two containers that are connected via the veth bridge virbr0. The host uses NAT rules to allow the containers to connect to the rest of the network via eth0, but these rules do not allow incoming connections to the container.


If you want to allow network connections from outside the host to be able to connect to the container, the container needs to have an IP address on the same network as the host. One way to achieve this configuration is to use a macvlan bridge to create an independent logical network for the container. This network is effectively an extension of the local network that is connected to the host's network interface. External systems can access the container as though it were an independent system on the network, and the container has network access to other containers that are configured on the bridge and to external systems. The container can also obtain its IP address from an external DHCP server on your local network. However, unlike a veth bridge, the host system does not have network access to the container.

Figure 9.2 illustrates a host system with two containers that are connected via a macvlan bridge.

Figure 9.2 Network Configuration of Containers Using a Macvlan Bridge

The diagram illustrates a host system with two containers that are connected via a macvlan bridge, which is effectively an extension of the network that is connected via eth0.


If you do not want containers to be able to see each other on the network, you can configure the Virtual Ethernet Port Aggregator (VEPA) mode of macvlan. Figure 9.3 illustrates a host system with two containers that are separately connected to a network by a macvlan VEPA. In effect, each container is connected directly to the network, but neither container can access the other container nor the host via the network.

Figure 9.3 Network Configuration of Containers Using a Macvlan VEPA

The diagram illustrates a host system with two containers that are separately connected by a macvlan VEPA to the network.


For information about configuring macvlan, see Section 9.2.6, “Modifying a Container to Use Macvlan” and the lxc.conf(5) manual page.
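The three modes described above, written as lxc.conf network stanzas. This is an example added here, not configuration taken from the guide or from the lxc-oracle template: the key names are those documented in lxc.conf(5) for LXC 1.x, the interface names virbr0 and eth0 are those shown in the figures, and the MAC addresses are constructed placeholders.

```ini
# Added example, not from the guide. Pick ONE stanza per container config;
# each "lxc.network.type" line starts a new network definition and the
# lxc.network.* keys that follow it apply to that definition.

# 1. Default veth bridge (what the lxc-oracle template produces).
#    The container gets its address from libvirtd's dnsmasq on virbr0.
#    Outbound traffic is NATed by the host's iptables rules, so nothing
#    outside the host can initiate a connection to the container, but the
#    host and the other containers on virbr0 can reach it.
lxc.network.type   = veth
lxc.network.flags  = up
lxc.network.link   = virbr0
lxc.network.hwaddr = 00:16:3e:00:00:01   # constructed placeholder

# 2. Macvlan in bridge mode. The container has an address on the same
#    network as the host (for example from the local DHCP server) and is
#    reachable from outside the host. Containers on the same macvlan can
#    reach each other, but the host cannot reach the container this way.
lxc.network.type         = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.flags        = up
lxc.network.link         = eth0
lxc.network.hwaddr       = 00:16:3e:00:00:02   # constructed placeholder

# 3. Macvlan in VEPA mode. Each container is in effect attached directly
#    to the external network through eth0; containers cannot reach each
#    other or the host over this interface. Use this when containers must
#    be externally reachable but isolated from one another.
lxc.network.type         = macvlan
lxc.network.macvlan.mode = vepa
lxc.network.flags        = up
lxc.network.link         = eth0
lxc.network.hwaddr       = 00:16:3e:00:00:03   # constructed placeholder
```

After changing a container's network stanza, restart the container so that the new interface is created; the isolation properties above describe only traffic that crosses the named link, not other shared resources on the host.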