== Miscellaneous topics ==
[[Image:CT-networking.png|right]]
=== Networking ===
Each container has its own network stack: network device(s), routing table, firewall rules (iptables), network caches, hash tables, and so on.
Three major modes of operation are possible.
==== Route-based (venet) ====
This mode works at Layer 3 (the network layer) of the [[w:OSI model]]. The container has a MAC-less network device (called <code>venet</code>) and the host system acts as a router: every IP packet traverses both the host's and the container's IP stack.
The major features of this setup are:
* '''High security'''. The host system administrator specifies the container's IP address(es) and routing rule(s); the container cannot assign itself addresses the host did not grant.
* '''High control'''. The host system administrator fully controls container networking by means of routing, firewall rules, traffic shaping, etc.
* '''NOARP'''. A container cannot use broadcasts or multicasts, since these are Layer 2 features that require a MAC address.
==== Bridge-based (veth) ====
This mode works at OSI Layer 2. The container gets a Virtual Ethernet (<code>veth</code>) device, which can be thought of as a pipe with two ends, one in the host system and the other in the CT: a packet that enters one end comes out of the other. The host system acts as a bridge, so the host end of the veth pair is usually bridged together with <code>eth0</code> or a similar interface.
The major features of this setup are:
* '''High configurability''': the container administrator can set up all of the networking.
* '''Ability to use broadcasts/multicasts'''.
==== Real network device in a container ====
The host system administrator can move a network device (such as <code>eth1</code>) into a container; the container administrator then manages it as usual.
Major features are:
* Best performance
* Low security: the host's routing and firewall rules no longer mediate the container's traffic on that device
* The container is tied to the hardware
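The three modes above, as host-side commands. This is an added example, not the page's or the OpenVZ project's own script; CT ID 101, the addresses 10.0.0.2 and 10.0.0.3/24, the bridge <code>br0</code> and the NIC <code>eth1</code> are assumed for illustration, and the <code>vzctl</code> options are the <code>--ipadd</code>, <code>--netif_add</code>, <code>--netdev_add</code> and <code>exec</code> forms from its man page. With <code>DRY_RUN=1</code> (the default) the commands are printed instead of executed, so the script can be read outside an OpenVZ host; set <code>DRY_RUN=0</code> on a real host.

```shell
#!/bin/sh
# Added example: configure an OpenVZ container's networking in each of the
# three modes (venet, veth, real device). CT ID, addresses, bridge and device
# names are assumptions for illustration. DRY_RUN=1 prints the commands.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Route-based (venet): the host administrator assigns the IP; the host
# routes every packet, so host-side FORWARD rules mediate the CT's traffic.
setup_venet() {
    ctid=$1; ip=$2
    run vzctl set "$ctid" --ipadd "$ip" --save
    # Example host-side policy for this CT: drop outbound SMTP from it.
    run iptables -A FORWARD -s "$ip" -p tcp --dport 25 -j DROP
}

# Bridge-based (veth): eth0 inside the CT, host end veth<CTID>.0 attached to
# the (assumed pre-existing) bridge by vzctl's network hook. The CT end is
# configured from inside the CT; vzctl exec does it from the host here.
setup_veth() {
    ctid=$1; bridge=$2; cidr=$3
    run vzctl set "$ctid" --netif_add "eth0,,,,$bridge" --save
    run vzctl exec "$ctid" ip addr add "$cidr" dev eth0
    run vzctl exec "$ctid" ip link set eth0 up
}

# Real device: move a physical NIC into the CT. Traffic on it no longer
# passes through the host's stack, so host routing/iptables do not apply.
move_netdev() {
    ctid=$1; dev=$2
    run vzctl set "$ctid" --netdev_add "$dev" --save
}

# Usage: sh ctnet.sh venet|veth|netdev (assumed script name)
case "${1:-}" in
    venet)  setup_venet 101 10.0.0.2 ;;
    veth)   setup_veth 101 br0 10.0.0.3/24 ;;
    netdev) move_netdev 101 eth1 ;;
esac
```

Note the asymmetry the page describes: in venet mode the host is in the data path and the <code>iptables</code> rule takes effect regardless of what the container does, whereas after <code>--netdev_add</code> the host has handed the device over and can no longer filter that traffic.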
=== Limitations ===
* A container has no direct access to hardware such as a hard drive, network card or PCI device; the host system administrator can grant such access if needed.
=== OpenVZ host system scope ===
From the host system, all container processes are visible.