VE -> container, CT; fix adress->address; use indentation instead of PRE in some cases
Consider that we are facing the following task:
1) We have a limited range of IP addresses granted by the ISP.
We want to assign as many of the granted IPs to containers as possible.
We do not want to protect the containers from the Internet.
2) We want to protect the HN OS (CT0) from the Internet and make it possible to manage the containers from CT0 within the local area network.
Assume we have a HN with 2 Ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16, bridge-utils version 1.1. The OpenVZ installation process is covered in [[quick installation]].
The task can be effectively solved by setting up the configuration presented in Figure 1.
Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP addresses granted by the ISP, 192.168.1.136 - IP address from the LAN
[[Image:fig.jpg]]
<pre>
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz
</pre>
Create container 101 and assign it one of the IP addresses obtained from the ISP:
<pre>
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96
[HN]# vzctl set 101 --userpasswd root:XXX --save
</pre>
And do the same for CT 102 ... CT N. When ready, start the containers:
<pre>
[HN]# vzctl start 101
102 4 running 10.0.98.97 -
</pre>
2) By default containers use the venet device for networking (see [[venet]]). But the current configuration requires the alternative networking through veth devices (see [[Virtual Ethernet device]]). Switch CT 101 to veth by doing the following:
The MAC address needed by eth0 of CT 101 and by veth101.0 should be generated by easymac:
<pre>
[HN]# wget http://www.easyvmx.com/software/easymac.sh
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
</pre>
Enter the container and tune ifconfig within the container:
<pre>
[HN]# vzctl enter 101
[CT 101]# ifconfig venet0:0 down
[CT 101]# ifconfig venet0 down
[CT 101]# ifconfig eth0 0
[CT 101]# ip addr add 10.0.98.96 dev eth0
[CT 101]# ip route add default dev eth0
</pre>
The same (the whole item 2) should be done for CT 102 ... CT N.
3) Now we should eliminate the IP address on eth1:
 [HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
Edit like this:
and save the changes (:wq).
And turn off forwarding and proxy_arp for eth1.
4) Create the br0 bridge uniting eth1, veth101.0, ..., vethN.0:
<pre>
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp
</pre>
This is a very important action. If it is skipped, the network
can be broken in further steps due to a storm provoked by incoming ARP requests.
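Two helpers for the steps above, added here as an example and not part of the original wiki page or of the OpenVZ tools: <code>gen_mac</code> produces a random MAC in the same class easymac generates (locally administered, unicast, so it cannot collide with a vendor OUI on the ISP segment), and <code>check_iface_isolated</code> verifies the sysctl state the page insists on for eth1 and br0 (proxy_arp and forwarding both 0) before the bridge is brought up. <code>PROC_ROOT</code> is a hypothetical override, defaulting to /proc/sys/net/ipv4/conf, so the check can be run against a copied tree.

```shell
#!/bin/sh
# Added example for the bridged-veth setup; not from the OpenVZ wiki or vzctl.
# PROC_ROOT is an assumed override (default: the real sysctl tree) so the
# check can be exercised against a copy of /proc/sys/net/ipv4/conf.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4/conf}"

# Generate a random locally-administered unicast MAC (what easymac does):
# first octet has bit 1 set (local) and bit 0 cleared (unicast).
gen_mac() {
    b0=$(( ( $(od -An -N1 -tu1 /dev/urandom) | 0x02 ) & 0xFE ))
    rest=$(od -An -N5 -tx1 /dev/urandom | tr -d '\n' | tr ' ' ':' | tr 'a-f' 'A-F')
    printf '%02X%s\n' "$b0" "$rest"
}

# Return 0 if $1 is a well-formed MAC that is locally administered and unicast.
mac_is_local_unicast() {
    mac=$1
    H='[0-9A-Fa-f]'
    case "$mac" in
        $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    # low two bits must be exactly "10": local=1, multicast=0
    [ $(( first & 0x03 )) -eq 2 ]
}

# Return 0 if proxy_arp and forwarding are both 0 for interface $1,
# 1 if either is enabled, 2 if the sysctl file cannot be read.
check_iface_isolated() {
    iface=$1
    dir="$PROC_ROOT/$iface"
    for key in proxy_arp forwarding; do
        if [ ! -r "$dir/$key" ]; then
            echo "$iface: $key not readable under $PROC_ROOT" >&2
            return 2
        fi
        read -r val < "$dir/$key"
        if [ "$val" != "0" ]; then
            echo "$iface: $key=$val (expected 0)" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh this.sh eth1 br0   -> checks each named interface
# With no arguments it only prints a freshly generated MAC.
echo "generated MAC: $(gen_mac)"
for i in "$@"; do
    check_iface_isolated "$i" && echo "$i: ok"
done
```

Run it on the HN after step 4 as <code>sh this.sh eth1 br0</code>; a non-zero exit with the offending key on stderr means the ARP-storm precondition the page warns about is still present.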
<pre>
[INET]# ssh root@10.0.98.96
[CT 101]# ...
</pre>
- the HN is not accessible from the Internet:
<pre>
[HN]# vzctl enter 101
[CT 101]# ...
</pre>
- containers CT 101, CT 102 ... CT N "see" each other (ping).
If all the steps are done as written, it should work.
Enjoy.