https://wiki.openvz.org/api.php?action=feedcontributions&feedformat=atom&user=TonyOpenVZ Virtuozzo Containers Wiki - User contributions [en]2026-05-02T12:40:40ZUser contributionsMediaWiki 1.31.1https://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=14820VEs and HNs in same subnets2013-11-26T13:20:10Z<p>Tony: Added GATEWAY to ifcfg-eth0 example.</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the brN interface config scripts (ifcfg-br0 and ifcfg-br1). Ie. the host IP configuration will now reside on the brN interfaces instead of the ethN interfaces. The example also assumes IPv4 is configured statically, whereas IPv6 is auto-configured.<br />
<br />
==Configure host bridge interfaces==<br />
<br />
Steps 1 through 4 are done only once on the host.<br />
<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr br0<br />
/usr/sbin/brctl addbr br1<br />
<br />
If the above commands do not work you may need to install the bridge-utils package.<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Also, record the hardware MAC addresses of the ethernet interfaces from the output of 'ifconfig'.<br />
<br />
/sbin/ifconfig eth0<br />
/sbin/ifconfig eth1 <br />
<br />
Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding brN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-brN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-brN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-br0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=br0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
MACADDR=mm:mm:mm:mm:mm:mm<br />
<br />
Similarly, ifcfg-br1 should look like:<br />
<br />
DEVICE=br1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
MACADDR=nn:nn:nn:nn:nn:nn<br />
<br />
Note that TYPE 'Bridge' is case-sensitive. Otherwise, the bridge interfaces will not initialize correctly during boot.<br />
<br />
The bridge MACADDR should be hard-coded to match the corresponding hardware MAC address of the ethernet interface. Otherwise the default behaviour is to use the lowest MAC address of all the interfaces in the bridge. This is to prevent the bridge MAC and any auto-configured IPv6 address on the bridge interface from changing as VEs are created, started, or stopped.<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its brN interfaces.<br />
<br />
==Create the VE veth interfaces==<br />
5. Create the VE as you normally would, except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
/usr/sbin/vzctl create 100 --ostemplate name --hostname name<br />
<br />
However, if the VE already exists, use vzctl to remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0 --save<br />
/usr/sbin/vzctl set 100 --netif_add eth1 --save<br />
<br />
The above updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices. When the VE is started, the veth100.0 and veth100.1 devices will be automatically created on the host.<br />
<br />
==Bridge the host and VE==<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (brN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=no<br />
BRIDGE=br0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=no<br />
BRIDGE=br1<br />
<br />
To make the above take effect, either start the VE,<br />
<br />
/usr/sbin/vzctl start 100<br />
<br />
Or if it's already started then manually add each VE interface to its corresponding bridge using:<br />
<br />
/usr/sbin/brctl addif br0 veth100.0<br />
/usr/sbin/brctl addif br1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
==Configure the VE networking==<br />
9. Enter the VE from the host:<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
In the container create the ifcfg network scripts for each interface eth0 and eth1. The ifcfg-ethN files should look like standard ifcfg network scripts for a non-VE host.<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host. A minimum ifcfg-eth0 file using a static IPv4 address would have the following entries:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=yyy.yyy.yyy.yyy<br />
ONBOOT=yes<br />
GATEWAY=zzz.zzz.zzz.zzz <br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
==Additional VEs==<br />
12. For each additional VE, start at step #5.<br />
<br />
==Notes on IPv6 autoconfiguration==<br />
If your CT0 is also performing routing duties, you might chance upon the problem that IPv6 stateless autoconfiguration using radvd is not working for the CT's. The description below is specific for a Debian (Lenny) CT0 and Debian (Squeeze) CT.<br />
<br />
First check if your CT is actually receiving any router advertisements (RA's). This can be done by installing radvd (apt-get install radvd) and running radvdump. Simply wait for the next round of RA's from radvd, or trigger it (by restarting radvd on CT0, for example). If you do not receive any RA's there is a more fundamental problem. The following only concerns the scenario where the CT receives RA's but does not configure the network interfaces accordingly. Do not forget to remove the radvd package after checking.<br />
<br />
Because CT0 is performing routing services, all or some values under /proc/sys/net/ipv6/conf/*/forwarding and under /proc/sys/net/ipv6/conf/*/mc_forwarding are set to 1. This appears to override the defaults for these values in the /proc filesystems for the CT's. Unless you explicitly disable forwarding in /etc/sysctl.conf, your CT will also use these values. This means that, to the IPv6 Neighbour Discovery Protocol (NDP) responsible for router advertisements and autoconfiguration, your CT is a router and therefore not allowed to use the RA's to configure the interfaces. To fix this, add or change the following lines to /etc/sysctl.conf '''''on the CT, not on CT0''''':<br />
<pre><br />
net.ipv6.conf.all.forwarding=0<br />
net.ipv6.conf.all.mc_forwarding=0<br />
</pre><br />
<br />
You may also want to explicitly disable IPv4 forwarding since the CT is not a router. To do this, also change the line:<br />
<pre><br />
net.ipv4.ip_forward=0<br />
</pre><br />
<br />
Now reload sysctl on the CT by executing<br />
<pre><br />
sysctl -p<br />
</pre><br />
and you will be good to go. The CT will now autoconfigure the network interfaces the next time it sees an RA.<br />
<br />
NOTE: Due to bug [http://bugzilla.openvz.org/show_bug.cgi?id=1723 1723] this setup might not work: Enabling the routing on CT0 can effectively kill all IPv6 connectivity for the CT, depending on the setup. (This bug is reported to be solved since 2011-06-07, so this shouldn't be an issue anymore.)<br />
<br />
==See also==<br />
* [[IPv6]]<br />
* [[Virtual Ethernet device]]<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=IPv6&diff=14778IPv62013-11-17T04:35:01Z<p>Tony: /* ip6tables */</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
IPv6 works best when veth devices are used to bridge VEs to their host. An IPv6 compliant method of using veth interfaces for VEs can be found in the [[VEs and HNs in same subnets]] article. <br />
<br />
venet devices are not fully IPv6 compliant, but still works if you statically assign IPv6 addresses. They do not properly support MAC addresses and consequently link local addresses and can not play nice with neighbor discovery or router advertisements, router discovery, or auto-conf. They also require additional modifications to the layer 3 forwarding behaviour of the host via sysctl.<br />
<br />
== Configure the Node ==<br />
In order for IPv6 to work for containers you must have a fully functioning IPv6 interface on the host node.<br />
<br />
== CentOS Node Configuration for IPv6 ==<br />
<br />
<pre>Add the below to the file /etc/sysconfig/network<br />
<br />
NETWORKING_IPV6=yes<br />
IPV6FORWARDING=yes<br />
IPV6_DEFAULTDEV=eth0<br />
IPV6_DEFAULTGW=aaaa:bbbb:a01a::1<br />
IPV6_AUTOCONF=no<br />
<br />
Add the below to the file /etc/sysconfig/network-scripts/ifcfg-ethX X being your interface number<br />
<br />
IPV6INIT=yes<br />
IPV6ADDR=aaaa:bbbb:cccc:0000:0100::1<br />
<br />
/etc/sysctl.conf also needs<br />
<br />
net.ipv6.conf.default.forwarding = 1<br />
net.ipv6.conf.all.forwarding = 1<br />
net.ipv6.conf.all.proxy_ndp = 1<br />
</pre><br />
<br />
<br />
== venet example ==<br />
(tests done on CentOS kernel 2.6.18-194.26.1.el5.028stab079.2)<br />
<br />
=== Adding an IPv6 address to a container ===<br />
<pre><br />
# vzctl set <id> --ipadd <ipv6_addr> --save<br />
</pre><br />
<br />
In my tests, the container had to be restarted before it would respond to ICMP6 echo requests.<br />
<br />
In other tests on 2.6.32-042stab044.11 kernel, container failed to receive Neighbor Solicitation requests and replies, so I had to enable proxy_ndp:<br />
<br />
<pre><br />
# sysctl -w net.ipv6.conf.all.proxy_ndp=1<br />
</pre><br />
<br />
(and later add appropriate line to /etc/sysctl.conf).<br />
<br />
=== Removing an IPv6 address from a container ===<br />
<pre><br />
# vzctl set <id> --ipdel <ipv6_addr> --save<br />
</pre><br />
<br />
Removal is effective immediately and the host stops replying to echo requests.<br />
<br />
==ip6tables==<br />
If you will be using connection tracking in any container ip6tables firewall rules (i.e. '-m state --state'), you'll need to enable additional kernel modules in the host /etc/vz.conf. Add 'ipt_state' to IPTABLES and 'nf_conntrack_ipv6' to IP6TABLES. They should look something like this:<br />
<br />
<pre><br />
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"<br />
<br />
IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT nf_conntrack_ipv6"<br />
</pre><br />
<br />
==See also==<br />
* [[Virtual Ethernet device]]<br />
* [[Differences between venet and veth]]<br />
<br />
== External Links ==<br />
* A user success story / howto on SixXS wiki [https://www.sixxs.net/wiki/User:JNN2-SIXXS/OpenVZ].</div>Tonyhttps://wiki.openvz.org/index.php?title=IPv6&diff=14777IPv62013-11-17T04:29:01Z<p>Tony: Added connection state kernel modules needed for ip6tables.</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
IPv6 works best when veth devices are used to bridge VEs to their host. An IPv6 compliant method of using veth interfaces for VEs can be found in the [[VEs and HNs in same subnets]] article. <br />
<br />
venet devices are not fully IPv6 compliant, but still works if you statically assign IPv6 addresses. They do not properly support MAC addresses and consequently link local addresses and can not play nice with neighbor discovery or router advertisements, router discovery, or auto-conf. They also require additional modifications to the layer 3 forwarding behaviour of the host via sysctl.<br />
<br />
== Configure the Node ==<br />
In order for IPv6 to work for containers you must have a fully functioning IPv6 interface on the host node.<br />
<br />
== CentOS Node Configuration for IPv6 ==<br />
<br />
<pre>Add the below to the file /etc/sysconfig/network<br />
<br />
NETWORKING_IPV6=yes<br />
IPV6FORWARDING=yes<br />
IPV6_DEFAULTDEV=eth0<br />
IPV6_DEFAULTGW=aaaa:bbbb:a01a::1<br />
IPV6_AUTOCONF=no<br />
<br />
Add the below to the file /etc/sysconfig/network-scripts/ifcfg-ethX X being your interface number<br />
<br />
IPV6INIT=yes<br />
IPV6ADDR=aaaa:bbbb:cccc:0000:0100::1<br />
<br />
/etc/sysctl.conf also needs<br />
<br />
net.ipv6.conf.default.forwarding = 1<br />
net.ipv6.conf.all.forwarding = 1<br />
net.ipv6.conf.all.proxy_ndp = 1<br />
</pre><br />
<br />
<br />
== venet example ==<br />
(tests done on CentOS kernel 2.6.18-194.26.1.el5.028stab079.2)<br />
<br />
=== Adding an IPv6 address to a container ===<br />
<pre><br />
# vzctl set <id> --ipadd <ipv6_addr> --save<br />
</pre><br />
<br />
In my tests, the container had to be restarted before it would respond to ICMP6 echo requests.<br />
<br />
In other tests on 2.6.32-042stab044.11 kernel, container failed to receive Neighbor Solicitation requests and replies, so I had to enable proxy_ndp:<br />
<br />
<pre><br />
# sysctl -w net.ipv6.conf.all.proxy_ndp=1<br />
</pre><br />
<br />
(and later add appropriate line to /etc/sysctl.conf).<br />
<br />
=== Removing an IPv6 address from a container ===<br />
<pre><br />
# vzctl set <id> --ipdel <ipv6_addr> --save<br />
</pre><br />
<br />
Removal is effective immediately and the host stops replying to echo requests.<br />
<br />
==ip6tables==<br />
If you will be using connection tracking in ip6tables (i.e. '-m state --state'), you'll need to enable extra kernel modules in the host /etc/vz.conf. Add 'ipt_state' to IPTABLES and 'nf_conntrack_ipv6' to IP6TABLES. They should look something like this:<br />
<br />
<pre><br />
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"<br />
<br />
IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT nf_conntrack_ipv6"<br />
</pre><br />
<br />
==See also==<br />
* [[Virtual Ethernet device]]<br />
* [[Differences between venet and veth]]<br />
<br />
== External Links ==<br />
* A user success story / howto on SixXS wiki [https://www.sixxs.net/wiki/User:JNN2-SIXXS/OpenVZ].</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=12673VEs and HNs in same subnets2012-07-15T12:01:14Z<p>Tony: /* Configure host bridge interfaces */</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the brN interface config scripts (ifcfg-br0 and ifcfg-br1). Ie. the host IP configuration will now reside on the brN interfaces instead of the ethN interfaces. The example also assumes IPv4 is configured statically, whereas IPv6 is auto-configured.<br />
<br />
==Configure host bridge interfaces==<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr br0<br />
/usr/sbin/brctl addbr br1<br />
<br />
If the above commands do not work you may need to install the bridge-utils package.<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding brN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-brN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-brN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-br0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=br0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Similarly, ifcfg-br1 should look like:<br />
<br />
DEVICE=br1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Note that TYPE 'Bridge' is case-sensitive. Otherwise, the bridge interfaces will not initialize correctly during boot.<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its brN interfaces.<br />
<br />
==Create the VE veth interfaces==<br />
5. Create the VE as you normally would, except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
/usr/sbin/vzctl create 100 --ostemplate name --hostname name<br />
<br />
However, if the VE already exists, use vzctl to remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0 --save<br />
/usr/sbin/vzctl set 100 --netif_add eth1 --save<br />
<br />
The above updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices. When the VE is started, the veth100.0 and veth100.1 devices will be automatically created on the host.<br />
<br />
==Bridge the host and VE==<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (brN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=no<br />
BRIDGE=br0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=no<br />
BRIDGE=br1<br />
<br />
To make the above take effect, either start the VE,<br />
<br />
/usr/sbin/vzctl start 100<br />
<br />
Or if it's already started then manually add each VE interface to its corresponding bridge using:<br />
<br />
/usr/sbin/brctl addif br0 veth100.0<br />
/usr/sbin/brctl addif br1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
==Configure the VE networking==<br />
9. Enter the VE from the host:<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
In the container create the ifcfg network scripts for each interface eth0 and eth1. The ifcfg-ethN files should look like standard ifcfg network scripts for a non-VE host.<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host. A minimum ifcfg-eth0 file using a static IPv4 address would have the following entries:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=yyy.yyy.yyy.yyy<br />
ONBOOT=yes<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
==Additional VEs==<br />
12. For each additional VE, start at step #5.<br />
<br />
==Notes on IPv6 autoconfiguration==<br />
If your CT0 is also performing routing duties, you might chance upon the problem that IPv6 stateless autoconfiguration using radvd is not working for the CT's. The description below is specific for a Debian (Lenny) CT0 and Debian (Squeeze) CT.<br />
<br />
First check if your CT is actually receiving any router advertisements (RA's). This can be done by installing radvd (apt-get install radvd) and running radvdump. Simply wait for the next round of RA's from radvd, or trigger it (by restarting radvd on CT0, for example). If you do not receive any RA's there is a more fundamental problem. The following only concerns the scenario where the CT receives RA's but does not configure the network interfaces accordingly. Do not forget to remove the radvd package after checking.<br />
<br />
Because CT0 is performing routing services, all or some values under /proc/sys/net/ipv6/conf/*/forwarding and under /proc/sys/net/ipv6/conf/*/mc_forwarding are set to 1. This appears to override the defaults for these values in the /proc filesystems for the CT's. Unless you explicitly disable forwarding in /etc/sysctl.conf, your CT will also use these values. This means that, to the IPv6 Neighbour Discovery Protocol (NDP) responsible for router advertisements and autoconfiguration, your CT is a router and therefore not allowed to use the RA's to configure the interfaces. To fix this, add or change the following lines to /etc/sysctl.conf '''''on the CT, not on CT0''''':<br />
<pre><br />
net.ipv6.conf.all.forwarding=0<br />
net.ipv6.conf.all.mc_forwarding=0<br />
</pre><br />
<br />
You may also want to explicitly disable IPv4 forwarding since the CT is not a router. To do this, also change the line:<br />
<pre><br />
net.ipv4.ip_forward=0<br />
</pre><br />
<br />
Now reload sysctl on the CT by executing<br />
<pre><br />
sysctl -p<br />
</pre><br />
and you will be good to go. The CT will now autoconfigure the network interfaces the next time it sees an RA.<br />
<br />
NOTE: Due to bug [http://bugzilla.openvz.org/show_bug.cgi?id=1723 1723] this setup might not work: Enabling the routing on CT0 can effectively kill all IPv6 connectivity for the CT, depending on the setup. (This bug is reported to be solved since 2011-06-07, so this shouldn't be an issue anymore.)<br />
<br />
==See also==<br />
* [[IPv6]]<br />
* [[Virtual Ethernet device]]<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=12672VEs and HNs in same subnets2012-07-15T11:59:18Z<p>Tony: Renaming of openvz-centric bridge interface names to generic interface names.</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the brN interface config scripts (ifcfg-br0 and ifcfg-br1). Ie. the host IP configuration will now reside on the brN interfaces instead of the ethN interfaces. The example also assumes IPv4 is configured statically, whereas IPv6 is auto-configured.<br />
<br />
==Configure host bridge interfaces==<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr br0<br />
/usr/sbin/brctl addbr br1<br />
<br />
If the above commands do not work you may need to install the bridge-utils package.<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding brN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-brN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-brN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-br0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=br0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Similarly, ifcfg-br1 should look like:<br />
<br />
DEVICE=br1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Note that TYPE 'Bridge' is case-sensitive.<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its brN interfaces.<br />
<br />
==Create the VE veth interfaces==<br />
5. Create the VE as you normally would, except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
/usr/sbin/vzctl create 100 --ostemplate name --hostname name<br />
<br />
However, if the VE already exists, use vzctl to remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0 --save<br />
/usr/sbin/vzctl set 100 --netif_add eth1 --save<br />
<br />
The above updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices. When the VE is started, the veth100.0 and veth100.1 devices will be automatically created on the host.<br />
<br />
==Bridge the host and VE==<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (brN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=no<br />
BRIDGE=br0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=no<br />
BRIDGE=br1<br />
<br />
To make the above take effect, either start the VE,<br />
<br />
/usr/sbin/vzctl start 100<br />
<br />
Or if it's already started then manually add each VE interface to its corresponding bridge using:<br />
<br />
/usr/sbin/brctl addif br0 veth100.0<br />
/usr/sbin/brctl addif br1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
==Configure the VE networking==<br />
9. Enter the VE from the host:<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
In the container create the ifcfg network scripts for each interface eth0 and eth1. The ifcfg-ethN files should look like standard ifcfg network scripts for a non-VE host.<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host. A minimum ifcfg-eth0 file using a static IPv4 address would have the following entries:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=yyy.yyy.yyy.yyy<br />
ONBOOT=yes<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
==Additional VEs==<br />
12. For each additional VE, start at step #5.<br />
<br />
==Notes on IPv6 autoconfiguration==<br />
If your CT0 is also performing routing duties, you might chance upon the problem that IPv6 stateless autoconfiguration using radvd is not working for the CT's. The description below is specific for a Debian (Lenny) CT0 and Debian (Squeeze) CT.<br />
<br />
First check if your CT is actually receiving any router advertisements (RA's). This can be done by installing radvd (apt-get install radvd) and running radvdump. Simply wait for the next round of RA's from radvd, or trigger it (by restarting radvd on CT0, for example). If you do not receive any RA's there is a more fundamental problem. The following only concerns the scenario where the CT receives RA's but does not configure the network interfaces accordingly. Do not forget to remove the radvd package after checking.<br />
<br />
Because CT0 is performing routing services, all or some values under /proc/sys/net/ipv6/conf/*/forwarding and under /proc/sys/net/ipv6/conf/*/mc_forwarding are set to 1. This appears to override the defaults for these values in the /proc filesystems for the CT's. Unless you explicitly disable forwarding in /etc/sysctl.conf, your CT will also use these values. This means that, to the IPv6 Neighbour Discovery Protocol (NDP) responsible for router advertisements and autoconfiguration, your CT is a router and therefore not allowed to use the RA's to configure the interfaces. To fix this, add or change the following lines to /etc/sysctl.conf '''''on the CT, not on CT0''''':<br />
<pre><br />
net.ipv6.conf.all.forwarding=0<br />
net.ipv6.conf.all.mc_forwarding=0<br />
</pre><br />
<br />
You may also want to explicitly disable IPv4 forwarding since the CT is not a router. To do this, also change the line:<br />
<pre><br />
net.ipv4.ip_forward=0<br />
</pre><br />
<br />
Now reload sysctl on the CT by executing<br />
<pre><br />
sysctl -p<br />
</pre><br />
and you will be good to go. The CT will now autoconfigure the network interfaces the next time it sees an RA.<br />
<br />
NOTE: Due to bug [http://bugzilla.openvz.org/show_bug.cgi?id=1723 1723] this setup might not work: Enabling the routing on CT0 can effectively kill all IPv6 connectivity for the CT, depending on the setup. (This bug is reported to be solved since 2011-06-07, so this shouldn't be an issue anymore.)<br />
<br />
==See also==<br />
* [[IPv6]]<br />
* [[Virtual Ethernet device]]<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=12671VEs and HNs in same subnets2012-07-15T11:57:51Z<p>Tony: Renamed openvz-centric bridge interface names to more generic names.</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the brN interface config scripts (ifcfg-br0 and ifcfg-br1). Ie. the host IP configuration will now reside on the brN interfaces instead of the ethN interfaces. The example also assumes IPv4 is configured statically, whereas IPv6 is auto-configured.<br />
<br />
==Configure host bridge interfaces==<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr br0<br />
/usr/sbin/brctl addbr br1<br />
<br />
If the above commands do not work you may need to install the bridge-utils package.<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding brN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-brN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-brN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-br0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=br0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Similarly, ifcfg-br1 should look like:<br />
<br />
DEVICE=br1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Note that TYPE 'Bridge' is case-sensitive.<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its brN interfaces.<br />
<br />
==Create the VE veth interfaces==<br />
5. Create the VE as you normally would, except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
/usr/sbin/vzctl create 100 --ostemplate name --hostname name<br />
<br />
However, if the VE already exists, use vzctl to remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0 --save<br />
/usr/sbin/vzctl set 100 --netif_add eth1 --save<br />
<br />
The above updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices. When the VE is started, the veth100.0 and veth100.1 devices will be automatically created on the host.<br />
<br />
==Bridge the host and VE==<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=no<br />
BRIDGE=vzbr0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=no<br />
BRIDGE=br1<br />
<br />
To make the above take effect, either start the VE,<br />
<br />
/usr/sbin/vzctl start 100<br />
<br />
Or if it's already started then manually add each VE interface to its corresponding bridge using:<br />
<br />
/usr/sbin/brctl addif br0 veth100.0<br />
/usr/sbin/brctl addif br1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
==Configure the VE networking==<br />
9. Enter the VE from the host:<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
In the container create the ifcfg network scripts for each interface eth0 and eth1. The ifcfg-ethN files should look like standard ifcfg network scripts for a non-VE host.<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host. A minimum ifcfg-eth0 file using a static IPv4 address would have the following entries:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=yyy.yyy.yyy.yyy<br />
ONBOOT=yes<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
==Additional VEs==<br />
12. For each additional VE, start at step #5.<br />
<br />
==Notes on IPv6 autoconfiguration==<br />
If your CT0 is also performing routing duties, you might chance upon the problem that IPv6 stateless autoconfiguration using radvd is not working for the CT's. The description below is specific for a Debian (Lenny) CT0 and Debian (Squeeze) CT.<br />
<br />
First check if your CT is actually receiving any router advertisements (RA's). This can be done by installing radvd (apt-get install radvd) and running radvdump. Simply wait for the next round of RA's from radvd, or trigger it (by restarting radvd on CT0, for example). If you do not receive any RA's there is a more fundamental problem. The following only concerns the scenario where the CT receives RA's but does not configure the network interfaces accordingly. Do not forget to remove the radvd package after checking.<br />
<br />
Because CT0 is performing routing services, all or some values under /proc/sys/net/ipv6/conf/*/forwarding and under /proc/sys/net/ipv6/conf/*/mc_forwarding are set to 1. This appears to override the defaults for these values in the /proc filesystems for the CT's. Unless you explicitly disable forwarding in /etc/sysctl.conf, your CT will also use these values. This means that, to the IPv6 Neighbour Discovery Protocol (NDP) responsible for router advertisements and autoconfiguration, your CT is a router and therefore not allowed to use the RA's to configure the interfaces. To fix this, add or change the following lines to /etc/sysctl.conf '''''on the CT, not on CT0''''':<br />
<pre><br />
net.ipv6.conf.all.forwarding=0<br />
net.ipv6.conf.all.mc_forwarding=0<br />
</pre><br />
<br />
You may also want to explicitly disable IPv4 forwarding since the CT is not a router. To do this, also change the line:<br />
<pre><br />
net.ipv4.ip_forward=0<br />
</pre><br />
<br />
Now reload sysctl on the CT by executing<br />
<pre><br />
sysctl -p<br />
</pre><br />
and you will be good to go. The CT will now autoconfigure the network interfaces the next time it sees an RA.<br />
<br />
NOTE: Due to bug [http://bugzilla.openvz.org/show_bug.cgi?id=1723 1723] this setup might not work: Enabling the routing on CT0 can effectively kill all IPv6 connectivity for the CT, depending on the setup. (This bug is reported to be solved since 2011-06-07, so this shouldn't be an issue anymore.)<br />
<br />
==See also==<br />
* [[IPv6]]<br />
* [[Virtual Ethernet device]]<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=12670VEs and HNs in same subnets2012-07-15T11:56:09Z<p>Tony: Added note about case-sensitive Bridge TYPE and renamed openvz-centric bridge interface names to more generic names.</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the host IP configuration will now reside on the vzbrN interfaces instead of the ethN interfaces. The example also assumes IPv4 is configured statically, whereas IPv6 is auto-configured.<br />
<br />
==Configure host bridge interfaces==<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr br0<br />
/usr/sbin/brctl addbr br1<br />
<br />
If the above commands do not work you may need to install the bridge-utils package.<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding brN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=br1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-brN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-brN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-br0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=br0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Similarly, ifcfg-br1 should look like:<br />
<br />
DEVICE=br1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=Bridge<br />
<br />
Note that TYPE 'Bridge' is case-sensitive.<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its brN interfaces.<br />
<br />
==Create the VE veth interfaces==<br />
5. Create the VE as you normally would, except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
/usr/sbin/vzctl create 100 --ostemplate name --hostname name<br />
<br />
However, if the VE already exists, use vzctl to remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0 --save<br />
/usr/sbin/vzctl set 100 --netif_add eth1 --save<br />
<br />
The above updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices. When the VE is started, the veth100.0 and veth100.1 devices will be automatically created on the host.<br />
<br />
==Bridge the host and VE==<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=no<br />
BRIDGE=vzbr0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=no<br />
BRIDGE=vzbr1<br />
<br />
To make the above take effect, either start the VE,<br />
<br />
/usr/sbin/vzctl start 100<br />
<br />
Or if it's already started then manually add each VE interface to its corresponding bridge using:<br />
<br />
/usr/sbin/brctl addif vzbr0 veth100.0<br />
/usr/sbin/brctl addif vzbr1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
==Configure the VE networking==<br />
9. Enter the VE from the host:<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
In the container create the ifcfg network scripts for each interface eth0 and eth1. The ifcfg-ethN files should look like standard ifcfg network scripts for a non-VE host.<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host. A minimum ifcfg-eth0 file using a static IPv4 address would have the following entries:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=yyy.yyy.yyy.yyy<br />
ONBOOT=yes<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
==Additional VEs==<br />
12. For each additional VE, start at step #5.<br />
<br />
==Notes on IPv6 autoconfiguration==<br />
If your CT0 is also performing routing duties, you might chance upon the problem that IPv6 stateless autoconfiguration using radvd is not working for the CT's. The description below is specific for a Debian (Lenny) CT0 and Debian (Squeeze) CT.<br />
<br />
First check if your CT is actually receiving any router advertisements (RA's). This can be done by installing radvd (apt-get install radvd) and running radvdump. Simply wait for the next round of RA's from radvd, or trigger it (by restarting radvd on CT0, for example). If you do not receive any RA's there is a more fundamental problem. The following only concerns the scenario where the CT receives RA's but does not configure the network interfaces accordingly. Do not forget to remove the radvd package after checking.<br />
<br />
Because CT0 is performing routing services, all or some values under /proc/sys/net/ipv6/conf/*/forwarding and under /proc/sys/net/ipv6/conf/*/mc_forwarding are set to 1. This appears to override the defaults for these values in the /proc filesystems for the CT's. Unless you explicitly disable forwarding in /etc/sysctl.conf, your CT will also use these values. This means that, to the IPv6 Neighbour Discovery Protocol (NDP) responsible for router advertisements and autoconfiguration, your CT is a router and therefore not allowed to use the RA's to configure the interfaces. To fix this, add or change the following lines to /etc/sysctl.conf '''''on the CT, not on CT0''''':<br />
<pre><br />
net.ipv6.conf.all.forwarding=0<br />
net.ipv6.conf.all.mc_forwarding=0<br />
</pre><br />
<br />
You may also want to explicitly disable IPv4 forwarding since the CT is not a router. To do this, also change the line:<br />
<pre><br />
net.ipv4.ip_forward=0<br />
</pre><br />
<br />
Now reload sysctl on the CT by executing<br />
<pre><br />
sysctl -p<br />
</pre><br />
and you will be good to go. The CT will now autoconfigure the network interfaces the next time it sees an RA.<br />
<br />
NOTE: Due to bug [http://bugzilla.openvz.org/show_bug.cgi?id=1723 1723] this setup might not work: Enabling the routing on CT0 can effectively kill all IPv6 connectivity for the CT, depending on the setup. (This bug is reported to be solved since 2011-06-07, so this shouldn't be an issue anymore.)<br />
<br />
==See also==<br />
* [[IPv6]]<br />
* [[Virtual Ethernet device]]<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=IPv6&diff=8102IPv62010-01-25T01:52:14Z<p>Tony: </p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
IPv6 works best when veth devices are used to bridge VEs to their host. A Networking HOWTO illustrating an IPv6 compliant method of using veth interfaces for VEs can be found in the [[VEs and HNs in same subnets]] article. <br />
<br />
venet devices are not fully IPv6 compliant. They do not properly support MAC addresses and consequently link local addresses and can not play nice with neighbor discovery or router advertisements, router discovery, or auto-conf. They also require additional modifications to the layer 3 forwarding behaviour of the host via sysctl.<br />
<br />
veth devices do require iptables and ip6tables exceptions on the host for each VE address.<br />
<br />
= See also =<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=IPv6&diff=8101IPv62010-01-25T01:39:55Z<p>Tony: New page: Category:HOWTO Category:Networking IPv6 works best when veth devices are used to bridge VEs to their host. A Networking HOWTO illustrating an IPv6 compliant method of using veth i...</p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
IPv6 works best when veth devices are used to bridge VEs to their host. A Networking HOWTO illustrating an IPv6 compliant method of using veth interfaces for VEs can be found in the [[VEs and HNs in same subnets]] article. <br />
<br />
venet devices are not fully IPv6 compliant. They do not properly support MAC addresses and consequently link local addresses and can not play nice with neighbor discovery or router advertisements, router discovery, or auto-conf. <br />
<br />
= See also =<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=8100VEs and HNs in same subnets2010-01-25T01:17:14Z<p>Tony: </p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the host IP configuration will now reside on the vzbrN interfaces instead of the ethN interfaces.<br />
<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr vzbr0<br />
/usr/sbin/brctl addbr vzbr1<br />
<br />
If the above commands do not work you may need to install the bridge-utils package.<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding vzbrN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-vzbrN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=vzbr0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
Similarly, ifcfg-vzbr1 should look like:<br />
<br />
DEVICE=vzbr1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its vzbrN interfaces.<br />
<br />
5. Create the VE as you normally would except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
However, if the VE already exists, remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0<br />
/usr/sbin/vzctl set 100 --netif_add eth1<br />
<br />
The above creates corresponding veth100.0 and veth100.1 devices on the host and updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices.<br />
<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
To make the above take effect, either do another 'service network restart' on the host, or manually add each VE interface to its corresponding bridge by running:<br />
<br />
/usr/sbin/brctl addif vzbr0 veth100.0<br />
/usr/sbin/brctl addif vzbr1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
9. In the container create the ifcfg network scripts for each interface eth0 and eth1. The scripts should look like standard ifcfg network scripts for a host.<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
After entering the VE:<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host.<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for each VE IPv4 and IPv6 address. You do NOT need to enable any special network forwarding via sysctl.<br />
<br />
iptables:<br />
-A FORWARD -s xxx.xxx.xxx.xxx -j ACCEPT<br />
-A FORWARD -d xxx.xxx.xxx.xxx -j ACCEPT<br />
<br />
ip6tables:<br />
-A FORWARD -s xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
-A FORWARD -d xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
<br />
Then restart both iptables and ip6tables on the host:<br />
<br />
service iptables restart<br />
service ip6tables restart<br />
<br />
12. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
13. For each additional VE, start at step #5.<br />
<br />
== See also ==<br />
* [[Virtual network device]]<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=8099VEs and HNs in same subnets2010-01-25T01:07:55Z<p>Tony: </p>
<hr />
<div>[[Category:HOWTO]]<br />
[[Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the host IP configuration will now reside on the vzbrN interfaces instead of the ethN interfaces.<br />
<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr vzbr0<br />
/usr/sbin/brctl addbr vzbr1<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding vzbrN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-vzbrN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=vzbr0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
Similarly, ifcfg-vzbr1 should look like:<br />
<br />
DEVICE=vzbr1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its vzbrN interfaces.<br />
<br />
5. Create the VE as you normally would except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
However, if the VE already exists, remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0<br />
/usr/sbin/vzctl set 100 --netif_add eth1<br />
<br />
The above creates corresponding veth100.0 and veth100.1 devices on the host and updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices.<br />
<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
To make the above take effect, either do another 'service network restart' on the host, or manually add each VE interface to its corresponding bridge by running:<br />
<br />
/usr/sbin/brctl addif vzbr0 veth100.0<br />
/usr/sbin/brctl addif vzbr1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
9. In the container create the ifcfg network scripts for each interface eth0 and eth1. The scripts should look like standard ifcfg network scripts for a host.<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
After entering the VE:<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host.<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for each VE IPv4 and IPv6 address. You do NOT need to enable any special network forwarding via sysctl.<br />
<br />
iptables:<br />
-A FORWARD -s xxx.xxx.xxx.xxx -j ACCEPT<br />
-A FORWARD -d xxx.xxx.xxx.xxx -j ACCEPT<br />
<br />
ip6tables:<br />
-A FORWARD -s xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
-A FORWARD -d xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
<br />
Then restart both iptables and ip6tables on the host:<br />
<br />
service iptables restart<br />
service ip6tables restart<br />
<br />
12. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
13. For each additional VE, start at step #5.<br />
<br />
== See also ==<br />
* [[Virtual network device]]<br />
* [[Differences between venet and veth]]</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=8098VEs and HNs in same subnets2010-01-25T00:59:25Z<p>Tony: </p>
<hr />
<div>[{Category:Networking]]<br />
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the host IP configuration will now reside on the vzbrN interfaces instead of the ethN interfaces.<br />
<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr vzbr0<br />
/usr/sbin/brctl addbr vzbr1<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding vzbrN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-vzbrN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=vzbr0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
Similarly, ifcfg-vzbr1 should look like:<br />
<br />
DEVICE=vzbr1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its vzbrN interfaces.<br />
<br />
5. Create the VE as you normally would except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
However, if the VE already exists, remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0<br />
/usr/sbin/vzctl set 100 --netif_add eth1<br />
<br />
The above creates corresponding veth100.0 and veth100.1 devices on the host and updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices.<br />
<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
To make the above take effect, either do another 'service network restart' on the host, or manually add each VE interface to its corresponding bridge by running:<br />
<br />
/usr/sbin/brctl addif vzbr0 veth100.0<br />
/usr/sbin/brctl addif vzbr1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
9. In the container create the ifcfg network scripts for each interface eth0 and eth1. The scripts should look like standard ifcfg network scripts for a host.<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
After entering the VE:<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host.<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for each VE IPv4 and IPv6 address. You do NOT need to enable any special network forwarding via sysctl.<br />
<br />
iptables:<br />
-A FORWARD -s xxx.xxx.xxx.xxx -j ACCEPT<br />
-A FORWARD -d xxx.xxx.xxx.xxx -j ACCEPT<br />
<br />
ip6tables:<br />
-A FORWARD -s xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
-A FORWARD -d xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
<br />
Then restart both iptables and ip6tables on the host:<br />
<br />
service iptables restart<br />
service ip6tables restart<br />
<br />
12. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
13. For each additional VE, start at step #5.</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=8097VEs and HNs in same subnets2010-01-25T00:53:04Z<p>Tony: </p>
<hr />
<div>This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the host IP configuration will now reside on the vzbrN interfaces instead of the ethN interfaces.<br />
<br />
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr vzbr0<br />
/usr/sbin/brctl addbr vzbr1<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding vzbrN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.<br />
<br />
3. Create ifcfg-vzbrN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:<br />
<br />
DEVICE=vzbr0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
Similarly, ifcfg-vzbr1 should look like:<br />
<br />
DEVICE=vzbr1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its vzbrN interfaces.<br />
<br />
5. Create the VE as you normally would except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.<br />
<br />
However, if the VE already exists, remove any venet devices - they will not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0<br />
/usr/sbin/vzctl set 100 --netif_add eth1<br />
<br />
The above creates corresponding veth100.0 and veth100.1 devices on the host and updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices.<br />
<br />
7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
To make the above take effect, either do another 'service network restart' on the host, or manually add each VE interface to its corresponding bridge by running:<br />
<br />
/usr/sbin/brctl addif vzbr0 veth100.0<br />
/usr/sbin/brctl addif vzbr1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
9. In the container create the ifcfg network scripts for each interface eth0 and eth1. The scripts should look like standard ifcfg network scripts for a host.<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
After entering the VE:<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host.<br />
<br />
10. Initialize the interfaces and restart the network service on the container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for each VE IPv4 and IPv6 address. You do NOT need to enable any special network forwarding via sysctl.<br />
<br />
iptables:<br />
-A FORWARD -s xxx.xxx.xxx.xxx -j ACCEPT<br />
-A FORWARD -d xxx.xxx.xxx.xxx -j ACCEPT<br />
<br />
ip6tables:<br />
-A FORWARD -s xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
-A FORWARD -d xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
<br />
Then restart both iptables and ip6tables on the host:<br />
<br />
service iptables restart<br />
service ip6tables restart<br />
<br />
12. Verify the host and VE have connectivity to each other as well as to the rest of the network.<br />
<br />
13. For each additional VE, start at step #5.</div>Tonyhttps://wiki.openvz.org/index.php?title=VEs_and_HNs_in_same_subnets&diff=8096VEs and HNs in same subnets2010-01-25T00:34:12Z<p>Tony: New page: This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of ...</p>
<hr />
<div>This describes a method of setting up networking for a host and its VEs<br />
such that the networking configuration for the VEs can be configured<br />
exactly as if the VEs were standalone hosts of their own in the same<br />
subnets or VLAN as the host. This method makes use of the Virtual<br />
Ethernet device and bridges between the host and its containers. This<br />
technique has the advantage of allowing IPv6 network configurations to<br />
work on VEs and hosts as they normally would. In particular, both hosts<br />
and VEs can use IPv6 autoconfiguration. The network configuration of a VE<br />
can be identical to that of a non-VE system.<br />
<br />
In the following example the host has two physical interfaces and we are<br />
setting up the network configuration for VE 100. The host IP<br />
configuration is moved out of the ethN interface configs and into the<br />
vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the<br />
host IP configuration will now reside on the vzbrN interfaces instead of<br />
the ethN interfaces.<br />
<br />
1. (Optional) Verify that you can create a bridge interfaces for each<br />
physical interface on the host.<br />
<br />
/usr/sbin/brctl addbr vzbr0<br />
/usr/sbin/brctl addbr vzbr1<br />
<br />
2. Make note of the existing IP configuration in the hosts ifcfg-ethN<br />
files. Then, modify the ifcfg-ethN files on the host so that they ONLY<br />
bridge to the corresponding vzbrN interface. <br />
/etc/sysconfig/network-scripts/ifcfg-eth0 should look like:<br />
<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Similarly ifcfg-eth1 will look like:<br />
<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
Note that the ifcfg-ethN files on the host do not contain any IP<br />
information anymore.<br />
<br />
3. Create ifcfg-vzbrN files and copy the IP configuration that was<br />
previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what<br />
host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming<br />
the IPv4 address is assigned statically and IPv6 auto-configuration<br />
(SLAAC) is used:<br />
<br />
DEVICE=vzbr0<br />
BOOTPROTO=static<br />
IPADDR=xxx.xxx.xxx.xxx<br />
NETMASK=aaa.aaa.aaa.aaa<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
Similarly, ifcfg-vzbr1 should look like:<br />
<br />
DEVICE=vzbr1<br />
BOOTPROTO=static<br />
IPADDR=yyy.yyy.yyy.yyy<br />
NETMASK=bbb.bbb.bbb.bbb<br />
ONBOOT=yes<br />
TYPE=bridge<br />
<br />
4. On the host, do a 'service network restart' and verify the host has<br />
both IPv4 and IPv6 connectivity to its vzbrN interfaces.<br />
<br />
5. Create the VE as you normally would except do NOT specify any IP<br />
address, just the hostname. Specifying an IP address during VE creation<br />
creates an unwanted venet interface which is not used in this<br />
configuration.<br />
<br />
However, if the VE already exists, remove any venet devices - they will <br />
not be used:<br />
<br />
/usr/sbin/vzctl set 100 --ipdel all --save<br />
<br />
6. For each VE, create ethN devices (ignore warnings about "Container<br />
does not have configured veth") on the host:<br />
<br />
/usr/sbin/vzctl set 100 --netif_add eth0<br />
/usr/sbin/vzctl set 100 --netif_add eth1<br />
<br />
The above creates corresponding veth100.0 and veth100.1 devices on the<br />
host and updates the host /etc/vz/conf/100.conf file with generated MAC<br />
addresses for the veth devices.<br />
<br />
7. Next we add the host vethN interfaces to the host bridged<br />
interfaces (vzbrN).<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0<br />
<br />
DEVICE=veth100.0<br />
ONBOOT=yes<br />
BRIDGE=vzbr0<br />
<br />
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1<br />
<br />
DEVICE=veth100.1<br />
ONBOOT=yes<br />
BRIDGE=vzbr1<br />
<br />
To make the above take effect, either do another 'service network restart'<br />
on the host, or manually add each VE interface to its corresponding bridge<br />
by running:<br />
<br />
/usr/sbin/brctl addif vzbr0 veth100.0<br />
/usr/sbin/brctl addif vzbr1 veth100.1<br />
<br />
8. Verify each bridge includes the host interface and the veth interfaces <br />
for each VE:<br />
<br />
/usr/sbin/brctl show<br />
<br />
9. In the container create the ifcfg network scripts for each interface<br />
eth0 and eth1. The scripts should look like standard ifcfg network<br />
scripts for a host.<br />
<br />
/usr/sbin/vzctl enter 100<br />
<br />
After entering the VE:<br />
<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth0<br />
vi /etc/sysconfig/network-scripts/ifcfg-eth1<br />
<br />
As noted above, the ifcfg-ethN files in the VE should be identical to<br />
standard ifcfg-eth* files containing any required IP configuration info.<br />
<br />
10. Initialize the interfaces and restart the network service on the<br />
container.<br />
<br />
/sbin/ifconfig eth0 0<br />
/sbin/ifconfig eth1 0<br />
/sbin/service network restart<br />
<br />
Alternatively, just restart the VE from the host.<br />
<br />
11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for<br />
each VE IPv4 and IPv6 address. You do NOT need to enable any special <br />
network forwarding via sysctl.<br />
<br />
iptables:<br />
-A FORWARD -s xxx.xxx.xxx.xxx -j ACCEPT<br />
-A FORWARD -d xxx.xxx.xxx.xxx -j ACCEPT<br />
<br />
ip6tables:<br />
-A FORWARD -s xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
-A FORWARD -d xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<br />
<br />
Then restart both iptables and ip6tables on the host:<br />
<br />
service iptables restart<br />
service ip6tables restart<br />
<br />
12. Verify the host and VE have connectivity to each other as well as to <br />
the rest of the network.<br />
<br />
13. For each additional VE, start at step #5.</div>Tony