Networking was probably my first concern when I approached LXD. I didn't accept the idea that the default LXD configuration made use of bridged networking. Essentially all the traffic needed to pass through the adapter and all the container services where hidden behind the host. I discovered soon how this setup could be an advantage:

  • You have one ip hosting multiple services
  • Single containers don't need custom firewalls
  • It is possible to set network limits

The best way to proxy that traffic is obviously with an Nginx server. I know people tend to recommend Haproxy for its advanced features, but I felt it would be overkill for a home use. Nginx configuration is that simple and documentation is just amazingly organized and updated.

However, There are cases when you want to have the container ip available on lan. It could be for example that you want to access the service directly online without a proxy server in between or you want to access services like ssh that don't play well with proxy.

Finding the right configuration to expose the container without hacking the underlying bridge took me ages

At the same time the solution is so straight forward and simple. We will change configuration of the container profile from bridget to maclan. In this way the dhcp server will assign an ip. Better details can be found at here.

First run sudo lxc profile list to list the available profiles. You should find the default and docker profiles. Well we will create a new profile for the containers that needs to be exposed. As such we will call it "exposed".

Now copy the default profile to exposed with sudo lxc profile copy default exposed. You can list again the profiles to check if it was created successfully. Edit the exposed profile by sudo lxc profile edit exposed. The result should look as follow:

config: {}
description: a profile to expose a container as a different ip on lan
devices:
  eth0:
    name: eth0
    nictype: macvlan
    parent: eno1
    type: nic
name: exposed

Once created the profile, we need to apply it to the desired container. To do so run sudo lxc profile apply containerName exposed.

Conclusion

In short this guide help you get your head around with LXD and networking. However, there are outstanding issues with macvlan (see this github thread). Essentially because it is not a bridged macvlan, host and containers are not able to communicate.

If you had the chance to read this guide I had probably saved you time from looking to the most exotic solutions available over the internet that usually require to hack your host networking configurations with the risk to break something.