Editing Using veth and brctl for protecting HN and saving IP addresses
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | Configuration described below has been suggested by Ugo123. | + | Configuration described below has been suggested by Ugo123. Appreciates. |
Consider we are facing the following task: | Consider we are facing the following task: | ||
− | + | 1) We have limited range of IP adresses granted by ISP. | |
− | + | We want to assign as much granted IPs to VEs as possible. | |
+ | We do not want to protect VEs from Internet. | ||
+ | 2) We want to protect the HN OS (VE0) from Internet and make it possible to manage VEs from VE0 within local area network. | ||
− | Assume we have a | + | Assume we have a HN with 2 ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16, |
− | bridge-utils version 1.1. OpenVZ installation process is covered | + | bridge-utils version 1.1. OpenVZ installation process is covered by http://wiki.openvz.org/Quick_installation. |
− | + | Task can be effectively solved by setting up the configuration presented on Figure 1. | |
+ | |||
+ | Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP-adresses granted by ISP, 192.168.1.136 - IP address from LAN | ||
− | |||
− | |||
Initial ifconfig output of HN is the following: | Initial ifconfig output of HN is the following: | ||
Line 47: | Line 49: | ||
RX bytes:2078718 (1.9 MiB) TX bytes:2078718 (1.9 MiB) | RX bytes:2078718 (1.9 MiB) TX bytes:2078718 (1.9 MiB) | ||
</pre> | </pre> | ||
− | Let us | + | Let us pass through the setup process step by step. |
− | 1) Create 2 | + | 1) Create 2 VEs on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf. |
For testing purposes I've used opensuse-10 precreated template from openvz.org: | For testing purposes I've used opensuse-10 precreated template from openvz.org: | ||
<pre> | <pre> | ||
Line 55: | Line 57: | ||
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz | [HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz | ||
</pre> | </pre> | ||
− | Create | + | Create VE 101 and assign it one of the IP adresses obtained from ISP: |
<pre> | <pre> | ||
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96 | [HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96 | ||
[HN]# vzctl set 101 --userpasswd root:XXX --save | [HN]# vzctl set 101 --userpasswd root:XXX --save | ||
</pre> | </pre> | ||
− | And do the same for | + | And do the same for VE 102 ... VE N. When ready - start VEs: |
<pre> | <pre> | ||
[HN]# vzctl start 101 | [HN]# vzctl start 101 | ||
[HN]# vzlist -a | [HN]# vzlist -a | ||
− | + | VEID NPROC STATUS IP_ADDR HOSTNAME | |
101 4 running 10.0.98.96 - | 101 4 running 10.0.98.96 - | ||
102 4 running 10.0.98.97 - | 102 4 running 10.0.98.97 - | ||
</pre> | </pre> | ||
− | 2) By default | + | 2) By default VEs use venet device for networking (http://wiki.openvz.org/Venet). But current |
− | configuration requires using alternative networking - through veth devices ( | + | configuration requires using alternative networking - through veth devices (http://wiki.openvz.org/Virtual_Ethernet_device). |
− | Switch | + | Switch VE 101 to veth by doing the following: |
− | MAC address needed by eth0 of | + | MAC address needed by eth0 of VE 101 and veth101.0 should be generated by easymac: |
<pre> | <pre> | ||
[HN]# wget http://www.easyvmx.com/software/easymac.sh | [HN]# wget http://www.easyvmx.com/software/easymac.sh | ||
Line 89: | Line 91: | ||
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp | [HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp | ||
</pre> | </pre> | ||
− | Enter | + | Enter VE and tune ifconfig within VE: |
<pre> | <pre> | ||
− | [ | + | [VE 101]# vzctl enter 101 |
− | [ | + | [VE 101]# ifconfig venet0:0 down |
− | [ | + | [VE 101]# ifconfig venet0 down |
− | [ | + | [VE 101]# ifconfig eth0 0 |
− | [ | + | [VE 101]# ip addr add 10.0.98.96 dev eth0 |
− | [ | + | [VE 101]# ip route add default dev eth0 |
</pre> | </pre> | ||
− | The same (whole item 2) should be done for | + | The same (whole item 2) should be done for VE 102 .. VE N. |
3) Now we should eliminate the IP address on eth1: | 3) Now we should eliminate the IP address on eth1: | ||
− | + | [HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1 | |
− | |||
Edit like this: | Edit like this: | ||
− | + | <pre> | |
− | + | DEVICE=eth1 | |
− | + | #BOOTPROTO=dhcp <<== comment | |
− | + | HWADDR=XX:XX:XX:XX:XX:XX | |
− | + | ONBOOT=yes | |
+ | </pre> | ||
and save changes (:wq). | and save changes (:wq). | ||
− | + | <pre> | |
− | + | [HN]# /etc/init.d/network restart | |
− | + | </pre> | |
And turn off forwarding and proxy_arp for eth1. | And turn off forwarding and proxy_arp for eth1. | ||
− | + | <pre> | |
− | + | [HN]# ifconfig eth1 0 | |
− | + | [HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding | |
− | + | [HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp | |
</pre> | </pre> | ||
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0: | 4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0: | ||
Line 132: | Line 134: | ||
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp | [HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp | ||
</pre> | </pre> | ||
− | This is very important action. If skipped | + | This is very important action. If skipped - network |
can be broken on further steps due to incoming arp-requests provoked storm. | can be broken on further steps due to incoming arp-requests provoked storm. | ||
Line 193: | Line 195: | ||
Now plug eth1 of HN into network wall outlet provided by ISP and carry out the following testing: | Now plug eth1 of HN into network wall outlet provided by ISP and carry out the following testing: | ||
− | - It should be tested that | + | - It should be tested that VEs are accessible from Internet: |
<pre> | <pre> | ||
[INET]# ssh root@10.0.98.96 | [INET]# ssh root@10.0.98.96 | ||
− | [ | + | [VE 101]# ... |
</pre> | </pre> | ||
- HN is not accessible from Internet: | - HN is not accessible from Internet: | ||
Line 203: | Line 205: | ||
inaccessible | inaccessible | ||
</pre> | </pre> | ||
− | - | + | - VEs can be managed from HN: |
<pre> | <pre> | ||
[HN]# vzctl enter 101 | [HN]# vzctl enter 101 | ||
− | [ | + | [VE 101]# ... |
</pre> | </pre> | ||
− | - | + | - VEs VE 101, VE 102 .. VE N "see" each other (ping). |
If all the steps are done as written, it should work. | If all the steps are done as written, it should work. | ||
Enjoy. | Enjoy. | ||
− | |||
− | |||
− |