
Moving your router inside container

667 views

Published on

This was a BoF session at Linux Plumbers 2017

Published in: Engineering


  1. Moving your routing inside container
     Marian Marinov <mm@siteground.com>
  2. I'm running 2 routers inside containers for the past 2 years.
  3. Disclaimer:
     - my home router has 3 ISPs, two of which with BGP sessions, and I have my own /24 and /56 prefixes
     - my office routers have at least two ISPs, BGP and their own v4 and v6 prefixes
  4. Why would you move your router inside a container?
     ● Isolating the routing from the other parts of the system
     ● Solving problems with non-routed IPs
     ● Solving problems with wrong outgoing addresses on multihomed routers
     ● Simplifying your firewall setup
  5-6. If your routing table is similar to this:
         # ip route show
         default via 12.63.16.1 dev eth0
         12.63.16.0/24 dev eth0 proto kernel scope link src 12.63.16.99
         127.0.0.0/8 dev lo scope link
     You don't have any problems :)
  7. But the moment you get two or more ISPs, you get something like this:
         root@hydra:~# ip rule list
         0: from all lookup local
         32761: from 77.104.187.0/24 lookup telepoint
         32762: from 194.12.255.42 lookup evolink
         32763: from 91.139.184.0/22 lookup bulsat
         32764: from 46.40.126.131 lookup bulsat
         32765: from 78.142.5.137 lookup bulsat
         32766: from all lookup main
         32767: from all lookup default
  8-9. At that point, the problems start to show up:
     ● Services such as DNS servers choose the wrong outgoing IP when making outgoing connections
     ● Simple commands like ping require parameters to get the correct result
  10. Moving the router inside its own container solves this!
     By separating the actual routing from the rest of the services, all services now choose the correct (working) routes.
     Now your DNS and/or VPN cannot, by accident, select the wrong source IPs.
  11. So what exactly does it mean to move your router inside a container?
  12. Let's say you have a machine with 3 Ethernet cards:
     eth0 - your home/office network
     eth1 - ISP1
     eth2 - ISP2
  13. What you need to do is:
     1. create a new netns
            # ip netns add router
     2. create a veth pair between the host and the new netns
            # ip link add veth0 type veth peer name veth1
            # ip link set veth1 netns router
            # ip netns exec router ip link set veth1 name eth3
     3. move all eth devices to the router netns (this will drop the connectivity)
            # for i in {0..2}; do ip link set eth$i netns router; done
     4. set up the IP addresses inside the new netns
     5. set up the routing
  14. Now, all traffic that should go through the VPN should be routed via eth3, and your services, such as DNS, should also be routed via eth3.
     The firewall becomes much simpler for the services and for the router, as it is now split, and you would never hit the problems with non-routable IPs.
  15. If you want to put your BGP inside the new netns, you simply have to start your BGP daemon (Quagga, Bird, OpenBGPd) inside the new netns:
         # ip netns exec router /bin/bash
         # bird
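The five steps of slide 13 scripted end to end, as an added example that is not from the slides or the author: interface names, the 10.200.0.0/30 veth link and the RFC 5737 ISP addresses are constructed placeholders, and the script only prints the commands unless ROUTER_NS_APPLY=1 is set (it then needs root and will drop host connectivity, exactly as step 3 warns).

```shell
# Added example (not from the slides): scripts slide 13's procedure (netns,
# veth pair, moving the NICs, addresses, routing) plus the per-ISP policy
# routing behind slide 7's "ip rule list". Interface names, the 10.200.0.0/30
# veth link and the RFC 5737 ISP addresses are constructed placeholders.
# Commands are only printed unless ROUTER_NS_APPLY=1 is set (needs root).
NS=router
run() {
    if [ "${ROUTER_NS_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Steps 1 and 2: the namespace and the veth pair linking host and router
create_ns_and_veth() {
    run ip netns add "$NS"
    run ip link add veth0 type veth peer name veth1
    run ip link set veth1 netns "$NS"
    run ip netns exec "$NS" ip link set veth1 name eth3
}

# Step 3: move the physical NICs into the namespace (host loses connectivity)
move_uplinks() {
    for dev in "$@"; do run ip link set "$dev" netns "$NS"; done
}

# Steps 4 and 5 per ISP: address, a table holding that ISP's default route,
# and a rule so packets sourced from that address use that table.
add_isp() {  # add_isp <dev> <addr/prefix> <gateway> <table-id>
    dev=$1; cidr=$2; gw=$3; table=$4
    run ip netns exec "$NS" ip addr add "$cidr" dev "$dev"
    run ip netns exec "$NS" ip link set "$dev" up
    run ip netns exec "$NS" ip route add default via "$gw" dev "$dev" table "$table"
    run ip netns exec "$NS" ip rule add from "${cidr%/*}" lookup "$table"
}

# Host side keeps one default route through the veth (eth3 inside the netns)
setup_host_side() {
    run ip addr add 10.200.0.1/30 dev veth0
    run ip link set veth0 up
    run ip netns exec "$NS" ip addr add 10.200.0.2/30 dev eth3
    run ip netns exec "$NS" ip link set eth3 up
    run ip netns exec "$NS" sysctl -w net.ipv4.ip_forward=1
    run ip route add default via 10.200.0.2 dev veth0
}

build_router() {
    create_ns_and_veth
    move_uplinks eth0 eth1 eth2
    add_isp eth1 192.0.2.10/24 192.0.2.1 101
    add_isp eth2 198.51.100.10/24 198.51.100.1 102
    setup_host_side
}
```

The ip rule lines are the same per-source lookups slide 7 shows, but they now live only inside the netns, so host services see nothing but the single default route via veth0 and cannot pick a wrong source address.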
