OpenVZ Virtuozzo Containers Wiki β


The configuration described below was suggested by Ugo123. Thank you.
Suppose we are facing the following task:
1) We have a limited range of IP addresses granted by the ISP. We want to assign as many of the granted IPs to containers as possible. We do not want to protect containers from the Internet.
2) We want to protect the [[HN]] OS ([[CT0]]) from the Internet and make it possible to manage containers from [[CT0]] within the local area network.
Assume we have a [[HN]] with 2 Ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16, bridge-utils version 1.1. The OpenVZ installation process is covered by [[quick installation]].
This task can be effectively performed by setting up the configuration presented in Figure 1.
Figure 1: Effective configuration. - range of IP addresses granted by ISP, - IP address from LAN
RX bytes:2078718 (1.9 MiB) TX bytes:2078718 (1.9 MiB)
Let us step through the setup process.
1) Create 2 containers on the HN as described in
[HN]# wget
Create container 101 and assign it one of the IP addresses obtained from the ISP:
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd
[HN]# vzctl set 101 --userpasswd root:XXX --save
Do the same for CT 102 ... CT N. When ready, start the containers:
[HN]# vzctl start 101
102 4 running -
2) By default containers use the venet device for networking ([[venet]]). But the current configuration requires alternative networking through veth devices ([[Virtual Ethernet device]]). Switch CT 101 to veth by doing the following:
The MAC addresses needed by eth0 of CT 101 and veth101.0 should be generated by easymac:
[HN]# wget
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
Enter the container and tune ifconfig within the container:
[HN]# vzctl enter 101
[CT 101]# ifconfig venet0:0 down
[CT 101]# ifconfig venet0 down
[CT 101]# ifconfig eth0 0
[CT 101]# ip addr add dev eth0
[CT 101]# ip route add default dev eth0
The same (the whole of item 2) should be done for CT 102 ... CT N.
3) Now we should eliminate the IP address on eth1:
  [HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
Edit like this:
<pre>
DEVICE=eth1
#BOOTPROTO=dhcp <<== comment out
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
</pre>
and save changes (:wq).
<pre> [HN]# /etc/init.d/network restart</pre>
And turn off forwarding and proxy_arp for eth1.
<pre>
[HN]# ifconfig eth1 0
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
</pre>
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0:
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp
This is a very important action. If it is skipped, the network can break in later steps because of a storm provoked by incoming ARP requests.
[INET]# ssh root@
[CT 101]# ...
- HN is not accessible from Internet:
[HN]# vzctl enter 101
[CT 101]# ...
- containers CT 101, CT 102 ... CT N "see" each other (ping).
If all the steps are done as written, it should work.
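One way to check the result of steps 2 through 4 on the HN, as an added example that is not part of the original wiki page: it reads the same /proc/sys/net/ipv4/conf entries the steps write and reports any that are not 0. The function names and the CONF_ROOT override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the proxy_arp/forwarding knobs set in steps 2-4.
# CONF_ROOT is a hypothetical override so the check can also be run
# against a constructed directory tree instead of the live /proc.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# check_knob IFACE KNOB: succeed only if the knob exists and reads 0.
check_knob() {
    f="$CONF_ROOT/$1/$2"
    if [ ! -r "$f" ]; then
        echo "MISSING $1/$2 (interface absent?)"
        return 1
    fi
    v=$(cat "$f")
    if [ "$v" != "0" ]; then
        echo "FAIL    $1/$2 = $v (expected 0)"
        return 1
    fi
    echo "ok      $1/$2 = 0"
}

# audit_bridge UPLINK BRIDGE VETH...: proxy_arp must be 0 on every listed
# interface; forwarding must also be 0 on the uplink (eth1 on this page).
# The exit status is the number of failed checks.
audit_bridge() {
    uplink=$1; bridge=$2; shift 2
    bad=0
    check_knob "$uplink" forwarding || bad=$((bad + 1))
    for i in "$uplink" "$bridge" "$@"; do
        check_knob "$i" proxy_arp || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone use on the HN, e.g.: sh audit.sh eth1 br0 veth101.0 veth102.0
if [ "$#" -ge 2 ]; then
    audit_bridge "$@"
fi
```

Because these values are written with echo into /proc, they do not survive a reboot or an interface being recreated, so the check is worth running again after either.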
[[Category: HOWTO]]