10

OS: Ubuntu 15.10
LXD: 2.0.0.rc5

I would like to know how to access a container from another computer on the same local network.

Address of my PC (the LXD host): 192.168.1.112 (enp3s0)
Xenial container: 10.0.3.181 (eth0), 10.0.4.1 (lxcbr0)
Other PC (Fedora 23): 192.168.2.118 (wlp3s0)

I can ping from the other PC to the LXD host and the other way around.

3 Answers

8

There are several different ways to accomplish what you want.

  1. Forward required ports from host to guest
  2. Route networks
  3. Bridge devices

Options 1 and 2 require IP forwarding to be enabled on the host:

    # runtime:
    sudo sysctl -w net.ipv4.ip_forward=1

    # permanent (files in /etc/sysctl.d are only read if they end in .conf):
    echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/30-virt-network.conf

Option 1 is the easiest if you want to access a specific service such as HTTP (port 80) on the guest (you access guest port 80 through the host IP address and port), but you then cannot run host services on that same port.

    # on the LXD host: (-i HOSTDEVICE facing the LAN, usually enp3s0 or eth0)
    sudo iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.181:80
    # making this permanent is left to the reader (because that depends on your choice of firewall setup)

Option 2 is trickier and depends on how much you can modify your network.

Check that sudo iptables -L -n says Chain FORWARD (policy ACCEPT), or allow it specifically with sudo iptables -I FORWARD -s 192.168.2.118 -j ACCEPT. Now either route 10.0.3.0/24 to your 192.168.1.112 host on the network firewall, or test with a route on 192.168.2.118:

    sudo ip route add 10.0.3.181 via 192.168.1.112 dev wlp3s0

The third option would bring your LXD guests onto your LAN as part of the LAN. See the instructions on converting eth0 (enp3s0 in your case) to a bridge for how to do it. In short:

  1. Create a bridge device on the host
  2. Add eth0 or enp3s0 to that bridge
  3. Set the host address on the bridge (not on enp3s0)
  4. Bind the LXD guest devices to that bridge

    stop network-manager
    brctl addbr br0
    brctl addif br0 enp3s0
    ifconfig enp3s0 up
    ifconfig br0 up
    dhclient br0
    lxc profile edit default
    # in the editor that opens, change lxcbr0 to br0

Manwe
  • 775
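
The DNAT rule in option 1 makes guest port 80 reachable by every machine that can reach enp3s0. The following is an added example, not code from the answer: it reads `iptables-save -t nat` output and lists each PREROUTING DNAT forward with its source restriction, so unrestricted forwards into containers stand out. The function names, the sample rule set and its second rule (port 2222 limited to 192.168.2.118) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit DNAT port forwards in iptables-save output.
# Assumption: forwards live in the nat PREROUTING chain, as in the answer above;
# rules in custom chains are not followed.

# Reads iptables-save text on stdin and prints one line per DNAT rule:
#   <in-iface> <proto> <dport> <container-target> <source or ANY>
list_dnat_forwards() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" {
        iface = "any"; proto = "any"; dport = "any"; src = "ANY"; dst = ""; jump = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            # keep a leading "!" so a negated source is not read as an allow-list
            else if ($i == "-s") src = (($(i - 1) == "!") ? "!" : "") $(i + 1)
            else if ($i == "-j") jump = $(i + 1)
            else if ($i == "--to-destination") dst = $(i + 1)
        }
        if (jump == "DNAT") print iface, proto, dport, dst, src
    }'
}

# Prints only the forwards that accept traffic from any source address.
list_open_forwards() {
    list_dnat_forwards | awk '$5 == "ANY"'
}

# Constructed sample in iptables-save format: the rule from the answer plus a
# second, source-restricted forward to the container's SSH port.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i enp3s0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.181:80
-A PREROUTING -s 192.168.2.118/32 -i enp3s0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.3.181:22
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT'

# Live use on the LXD host: sudo iptables-save -t nat | list_dnat_forwards
printf '%s\n' "$SAMPLE_RULES" | list_dnat_forwards
```

Adding `-s 192.168.2.118` to the option 1 rule is what moves a forward out of the `list_open_forwards` output.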
0

Another way is to install rinetd and inside /etc/rinetd.conf just specify the forwarding:

    192.168.1.112    80      10.0.3.181    80

and restart rinetd.

I think it is more convenient because you can always check which ports you are forwarding and add comments to the file if you want. You can also use it with docker in the same way if you bind to 127.0.0.1 (for example: docker ... -p 127.0.0.1:80:80 ...) and UFW will work as expected.

lepe
  • 1,506
0

You need to tell the other computer how to reach the container because the other computer is on a different subnet than the container. That is, you need to set up a "route". Below is a sample route you can create on the other computer. It says, "to get to the container (.181) first go through the host (.112) using the device that is on the same network as the host (eth0)". If the other computer uses a different device then change accordingly. Note that this route is not permanent; it will not survive a reboot. Google to find how to set up a permanent route.

    sudo ip route add 10.0.3.181 via 192.168.1.112 dev eth0

pmatulis
  • 366