Editing Using veth and brctl for protecting HN and saving IP addresses

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 1: Line 1:
Configuration described below has been suggested by Ugo123. Thank you.
+
Configuration described below has been suggested by Ugo123. Appreciates.
  
 
Consider we are facing the following task:
 
Consider we are facing the following task:
  
# We have limited range of IP addresses granted by ISP. We want to assign as many granted IPs to containers as possible. We do not want to protect containers from Internet.
+
1) We have limited range of IP adresses granted by ISP.  
# We want to protect the [[HN]] OS ([[CT]]0) from Internet and make it possible to manage containers from [[CT0]] within local area network.
+
We want to assign as much granted IPs to VEs as possible.
 +
We do not want to protect VEs from Internet.
 +
2) We want to protect the HN OS (VE0) from Internet and make it possible to manage VEs from VE0 within local area network.
  
Assume we have a [[HN]] with 2 Ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16,
+
Assume we have a HN with 2 ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16,
bridge-utils version 1.1. OpenVZ installation process is covered in [[quick installation]].
+
bridge-utils version 1.1. OpenVZ installation process is covered by http://wiki.openvz.org/Quick_installation.
  
This task can be effectively performed by setting up the configuration presented in Figure 1.
+
Task can be effectively solved by setting up the configuration presented on Figure 1.
 +
 
 +
Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP-adresses granted by ISP, 192.168.1.136 - IP address from LAN
  
Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP addresses granted by ISP, 192.168.1.136 - IP address from LAN
 
  
[[Image:fig.jpg]]
 
  
 
Initial ifconfig output of HN is the following:
 
Initial ifconfig output of HN is the following:
Line 47: Line 49:
 
           RX bytes:2078718 (1.9 MiB)  TX bytes:2078718 (1.9 MiB)
 
           RX bytes:2078718 (1.9 MiB)  TX bytes:2078718 (1.9 MiB)
 
</pre>
 
</pre>
Let us step through the setup process.
+
Let us pass through the setup process step by step.
  
1) Create 2 containers on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf.
+
1) Create 2 VEs on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf.
 
For testing purposes I've used opensuse-10 precreated template from openvz.org:
 
For testing purposes I've used opensuse-10 precreated template from openvz.org:
 
<pre>
 
<pre>
Line 55: Line 57:
 
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz
 
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz
 
</pre>
 
</pre>
Create container 101 and assign it one of the IP addresses obtained from ISP:
+
Create VE 101 and assign it one of the IP adresses obtained from ISP:
 
<pre>
 
<pre>
 
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96
 
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96
 
[HN]# vzctl set 101 --userpasswd root:XXX --save
 
[HN]# vzctl set 101 --userpasswd root:XXX --save
 
</pre>
 
</pre>
And do the same for CT 102 ... CT N. When ready - start containers:
+
And do the same for VE 102 ... VE N. When ready - start VEs:
 
<pre>
 
<pre>
 
[HN]# vzctl start 101
 
[HN]# vzctl start 101
 
[HN]# vzlist -a
 
[HN]# vzlist -a
       CTID     NPROC STATUS  IP_ADDR        HOSTNAME
+
       VEID     NPROC STATUS  IP_ADDR        HOSTNAME
 
       101          4 running 10.0.98.96      -
 
       101          4 running 10.0.98.96      -
 
       102          4 running 10.0.98.97      -
 
       102          4 running 10.0.98.97      -
 
</pre>
 
</pre>
2) By default containers use venet device for networking (see [[venet]]). But current
+
2) By default VEs use venet device for networking (http://wiki.openvz.org/Venet). But current
configuration requires using alternative networking - through veth devices (see [[Virtual Ethernet device]]).
+
configuration requires using alternative networking - through veth devices (http://wiki.openvz.org/Virtual_Ethernet_device).
Switch CT 101 to veth by doing the following:
+
Switch VE 101 to veth by doing the following:
  
MAC address needed by eth0 of CT 101 and veth101.0 should be generated by easymac:
+
MAC address needed by eth0 of VE 101 and veth101.0 should be generated by easymac:
 
<pre>
 
<pre>
 
[HN]# wget http://www.easyvmx.com/software/easymac.sh
 
[HN]# wget http://www.easyvmx.com/software/easymac.sh
Line 89: Line 91:
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
 
</pre>
 
</pre>
Enter the container and tune ifconfig within the container:
+
Enter VE and tune ifconfig within VE:
 
<pre>
 
<pre>
[CT 101]# vzctl enter 101
+
[VE 101]# vzctl enter 101
[CT 101]# ifconfig venet0:0 down
+
[VE 101]# ifconfig venet0:0 down
[CT 101]# ifconfig venet0 down
+
[VE 101]# ifconfig venet0 down
[CT 101]# ifconfig eth0 0
+
[VE 101]# ifconfig eth0 0
[CT 101]# ip addr add 10.0.98.96 dev eth0
+
[VE 101]# ip addr add 10.0.98.96 dev eth0
[CT 101]# ip route add default dev eth0
+
[VE 101]# ip route add default dev eth0
 
</pre>
 
</pre>
The same (whole item 2) should be done for CT 102 ... CT N.
+
The same (whole item 2) should be done for VE 102 .. VE N.
 
3) Now we should eliminate the IP address on eth1:
 
3) Now we should eliminate the IP address on eth1:
 
+
[HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
[HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
 
  
 
Edit like this:
 
Edit like this:
DEVICE=eth1
+
<pre>
#BOOTPROTO=dhcp                  <<== comment out
+
DEVICE=eth1
HWADDR=XX:XX:XX:XX:XX:XX
+
#BOOTPROTO=dhcp                  <<== comment
ONBOOT=yes
+
HWADDR=XX:XX:XX:XX:XX:XX
 
+
ONBOOT=yes
 +
</pre>
 
and save changes (:wq).
 
and save changes (:wq).
 
+
<pre>
[HN]# /etc/init.d/network restart
+
[HN]# /etc/init.d/network restart
 
+
</pre>
 
And turn off forwarding and proxy_arp for eth1.
 
And turn off forwarding and proxy_arp for eth1.
 
+
<pre>
[HN]# ifconfig eth1 0
+
[HN]# ifconfig eth1 0
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding
+
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
+
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
 
</pre>
 
</pre>
 
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0:
 
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0:
Line 132: Line 134:
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp
 
</pre>
 
</pre>
This is very important action. If skipped, network
+
This is very important action. If skipped - network
 
can be broken on further steps due to incoming arp-requests provoked storm.
 
can be broken on further steps due to incoming arp-requests provoked storm.
  
Line 193: Line 195:
 
Now plug eth1 of HN into network wall outlet provided by ISP and carry out the following testing:
 
Now plug eth1 of HN into network wall outlet provided by ISP and carry out the following testing:
  
- It should be tested that containers are accessible from Internet:
+
- It should be tested that VEs are accessible from Internet:
 
<pre>
 
<pre>
 
[INET]# ssh root@10.0.98.96
 
[INET]# ssh root@10.0.98.96
[CT 101]#  ...
+
[VE 101]#  ...
 
</pre>
 
</pre>
 
- HN is not accessible from Internet:
 
- HN is not accessible from Internet:
Line 203: Line 205:
 
inaccessible
 
inaccessible
 
</pre>
 
</pre>
- containers can be managed from HN:
+
- VEs can be managed from HN:
 
<pre>
 
<pre>
 
[HN]# vzctl enter 101
 
[HN]# vzctl enter 101
[CT 101]# ...
+
[VE 101]# ...
 
</pre>
 
</pre>
- containers CT 101, CT 102 .. CT N "see" each other (ping).
+
- VEs VE 101, VE 102 .. VE N "see" each other (ping).
  
 
If all the steps are done as written, it should work.
 
If all the steps are done as written, it should work.
 
Enjoy.
 
Enjoy.
 
[[Category: HOWTO]]
 
[[Category:Networking]]
 

Please note that all contributions to OpenVZ Virtuozzo Containers Wiki may be edited, altered, or removed by other contributors. If you don't want your writing to be edited mercilessly, then don't submit it here.
 If you are going to add external links to an article, read the External links policy first!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)
Retrieved from "https://wiki.openvz.org/Using_veth_and_brctl_for_protecting_HN_and_saving_IP_addresses"