Changes
no edit summary
OpenVZ provides you to use either [[veth]] (Virtual eTHernet) or [[venet]] (Virtual NETwork) devices (or both) for in-[[CT]] networking. Here we describe the differences between those devices.
* ''veth'' allows broadcasts in CT, so you can use even a DHCP server inside a CT, or a samba server with domain broadcasts or other such stuff.
* ''veth'' has some security implications, so is not recommended in untrusted environments like for hosting. This It is due normally bridged directly to broadcasts, traffic sniffing, possible IP collisions etcthe host physical ethernet device and so must be treated with the same considerations as a real ethernet device on a standalone host. i.e The CT users can access a ''veth'' device as they would a real ethernet interface. However, the CT's root user can actually ruin your ethernet network with such direct is the only one that has priviledged access to ethernet layerthe ''veth'' device.
* With ''venet'' device, only OpenVZ host node administrator can assign an IP to a CT. With ''veth'' device, network settings can be fully done on CT side by the CT administrator. CT should setup correct gateway, IP/netmask etc. and then a [[HN|node]] admin can only choose where your traffic goes.
* ''veth'' devices can be bridged together and/or with other devices. For example, in host system admin can bridge ''veth'' from 2 CTs with some VLAN eth0.X. In this case, these 2 CTs will be connected to this VLAN.
|-
! Network security
| style="background: #ffdddd" | Low <ref>Due to broadcasts, sniffing and possible IP collisions etcIndependent of host. Each CT must setup its own separate network security.</ref>| style="background: #ddffdd" | High<ref>Controlled by host.</ref>
|-
! Can be used in bridges