1

I'm trying different network configurations between LXC containers to learn something and have fun.

I've just found out that two containers can communicate with just a veth pair, so I'd like to know from experts why all the tutorials show procedures that include a bridge in the host connected to the veth ends.

I thought a simple veth pair could easily replace a MACvlan bridge mode where the host can't communicate with the containers.
Are there some security implications?

What are the real advantages of Linux Bridges and Open vSwitches with this configuration (only two namespaces)?

JumpAlways

1 Answer

2

This isn't normally done because connecting only two instances directly together with a veth pair isn't very useful. We use bridging as a virtual switch so that we can reasonably connect many instances to the same external and host-only networks. Even in cases where you're only running two containers, it's typical to have to expand real-world implementations at some point.

There aren't many security implications with what you describe, at least no more than when connecting your veth pair to a bridge.

Spooler
  • Yeah, I thought that guides try to describe more real world scenarios. I'd like to know only if there's something wrong in connecting two containers or namespaces with a veth pair without bridges or switches. In terms of security, but also in terms of performance and traffic handling (MAC associations, flooding, ...) since in this case I want to connect only 2 containers. – JumpAlways Feb 13 '17 at 02:20
  • MAC associations would be handled by ARP between the two hosts if you're planning on using layer 3 addressing. Flooding would be handled by the Ethernet protocols or by whatever you have running above that, so it wouldn't be any different. Performance would be similar if not *maybe* slightly better than through a bridge (since we don't have to inspect packets going into a bridge for traffic flow). I doubt you'd see a difference with even heavy use, though. As always, test and see. – Spooler Feb 13 '17 at 02:43
  • Thank you. Only one question: aren't veths already layer 2? – JumpAlways Feb 13 '17 at 03:00
  • Yeah, they're layer 2 as is bridging. – Spooler Feb 13 '17 at 03:33
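
The setup discussed in this thread, as an added example that is not part of the original question, answer or comments: two network namespaces joined by a single veth pair with no bridge, plus a check that ARP resolves the peer and that the host holds no interface on the link. The namespace names, interface names and 10.200.0.0/30 addresses are constructed; `apply`, `check` and `clean` assume root and iproute2.

```shell
#!/bin/sh
# Added example: two network namespaces joined by one veth pair, no bridge.
# All names and addresses below are constructed for illustration.
NS_A=ctA; NS_B=ctB
IF_A=vethA; IF_B=vethB
IP_A=10.200.0.1; IP_B=10.200.0.2; PREFIX=30

# Print the setup commands so they can be reviewed before anything runs.
veth_plan() {
    cat <<EOF
ip netns add $NS_A
ip netns add $NS_B
ip link add $IF_A netns $NS_A type veth peer name $IF_B netns $NS_B
ip -n $NS_A addr add $IP_A/$PREFIX dev $IF_A
ip -n $NS_B addr add $IP_B/$PREFIX dev $IF_B
ip -n $NS_A link set $IF_A up
ip -n $NS_B link set $IF_B up
EOF
}

# Run the plan (root required); -e stops at the first failing command.
veth_apply() { veth_plan | sh -e; }

veth_check() {
    # Reachability across the pair.
    ip netns exec "$NS_A" ping -c 1 -W 1 "$IP_B" >/dev/null || return 1
    # The peer's MAC was learned by ARP; no bridge forwarding table exists.
    ip -n "$NS_A" neigh show dev "$IF_A"
    # Both ends were created inside the namespaces, so the host has no
    # interface on this link.
    ! ip -o link show | grep -qE "$IF_A|$IF_B"
}

# Deleting a namespace destroys the veth end inside it, and with it the peer.
veth_clean() { ip netns del "$NS_A"; ip netns del "$NS_B"; }

case "${1:-plan}" in
    apply) veth_apply ;;
    check) veth_check ;;
    clean) veth_clean ;;
    *)     veth_plan ;;
esac
```

Run with no argument to print the plan, then `apply`, `check` and `clean` in that order as root.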