Editing Using veth and brctl for protecting HN and saving IP addresses

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 1: Line 1:
Configuration described below has been suggested by Ugo123. Thank you.
+
Configuration described below has been suggested by Ugo123. Appreciates.
  
 
Consider we are facing the following task:
 
Consider we are facing the following task:
  
# We have limited range of IP addresses granted by ISP. We want to assign as many granted IPs to containers as possible. We do not want to protect containers from Internet.
+
1) We have limited range of IP adresses granted by ISP.  
# We want to protect the [[HN]] OS ([[CT]]0) from Internet and make it possible to manage containers from [[CT0]] within local area network.
+
We want to assign as much granted IPs to containers as possible.
 +
We do not want to protect containers from Internet.
 +
2) We want to protect the HN OS (VE0) from Internet and make it possible to manage containers from VE0 within local area network.
  
Assume we have a [[HN]] with 2 Ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16,
+
Assume we have a HN with 2 ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16,
bridge-utils version 1.1. OpenVZ installation process is covered in [[quick installation]].
+
bridge-utils version 1.1. OpenVZ installation process is covered by http://wiki.openvz.org/Quick_installation.
  
This task can be effectively performed by setting up the configuration presented in Figure 1.
+
Task can be effectively solved by setting up the configuration presented on Figure 1.
  
Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP addresses granted by ISP, 192.168.1.136 - IP address from LAN
+
Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP-adresses granted by ISP, 192.168.1.136 - IP address from LAN
  
 
[[Image:fig.jpg]]
 
[[Image:fig.jpg]]
Line 47: Line 49:
 
           RX bytes:2078718 (1.9 MiB)  TX bytes:2078718 (1.9 MiB)
 
           RX bytes:2078718 (1.9 MiB)  TX bytes:2078718 (1.9 MiB)
 
</pre>
 
</pre>
Let us step through the setup process.
+
Let us pass through the setup process step by step.
  
 
1) Create 2 containers on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf.
 
1) Create 2 containers on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf.
Line 55: Line 57:
 
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz
 
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz
 
</pre>
 
</pre>
Create container 101 and assign it one of the IP addresses obtained from ISP:
+
Create VE 101 and assign it one of the IP adresses obtained from ISP:
 
<pre>
 
<pre>
 
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96
 
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96
 
[HN]# vzctl set 101 --userpasswd root:XXX --save
 
[HN]# vzctl set 101 --userpasswd root:XXX --save
 
</pre>
 
</pre>
And do the same for CT 102 ... CT N. When ready - start containers:
+
And do the same for VE 102 ... VE N. When ready - start containers:
 
<pre>
 
<pre>
 
[HN]# vzctl start 101
 
[HN]# vzctl start 101
Line 68: Line 70:
 
       102          4 running 10.0.98.97      -
 
       102          4 running 10.0.98.97      -
 
</pre>
 
</pre>
2) By default containers use venet device for networking (see [[venet]]). But current
+
2) By default containers use venet device for networking (http://wiki.openvz.org/Venet). But current
configuration requires using alternative networking - through veth devices (see [[Virtual Ethernet device]]).
+
configuration requires using alternative networking - through veth devices (http://wiki.openvz.org/Virtual_Ethernet_device).
Switch CT 101 to veth by doing the following:
+
Switch VE 101 to veth by doing the following:
  
MAC address needed by eth0 of CT 101 and veth101.0 should be generated by easymac:
+
MAC address needed by eth0 of VE 101 and veth101.0 should be generated by easymac:
 
<pre>
 
<pre>
 
[HN]# wget http://www.easyvmx.com/software/easymac.sh
 
[HN]# wget http://www.easyvmx.com/software/easymac.sh
Line 89: Line 91:
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
 
</pre>
 
</pre>
Enter the container and tune ifconfig within the container:
+
Enter VE and tune ifconfig within VE:
 
<pre>
 
<pre>
[CT 101]# vzctl enter 101
+
[VE 101]# vzctl enter 101
[CT 101]# ifconfig venet0:0 down
+
[VE 101]# ifconfig venet0:0 down
[CT 101]# ifconfig venet0 down
+
[VE 101]# ifconfig venet0 down
[CT 101]# ifconfig eth0 0
+
[VE 101]# ifconfig eth0 0
[CT 101]# ip addr add 10.0.98.96 dev eth0
+
[VE 101]# ip addr add 10.0.98.96 dev eth0
[CT 101]# ip route add default dev eth0
+
[VE 101]# ip route add default dev eth0
 
</pre>
 
</pre>
The same (whole item 2) should be done for CT 102 ... CT N.
+
The same (whole item 2) should be done for VE 102 .. VE N.
 
3) Now we should eliminate the IP address on eth1:
 
3) Now we should eliminate the IP address on eth1:
 
+
[HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
[HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
 
  
 
Edit like this:
 
Edit like this:
DEVICE=eth1
+
<pre>
#BOOTPROTO=dhcp                  <<== comment out
+
DEVICE=eth1
HWADDR=XX:XX:XX:XX:XX:XX
+
#BOOTPROTO=dhcp                  <<== comment
ONBOOT=yes
+
HWADDR=XX:XX:XX:XX:XX:XX
 
+
ONBOOT=yes
 +
</pre>
 
and save changes (:wq).
 
and save changes (:wq).
 
+
<pre>
[HN]# /etc/init.d/network restart
+
[HN]# /etc/init.d/network restart
 
+
</pre>
 
And turn off forwarding and proxy_arp for eth1.
 
And turn off forwarding and proxy_arp for eth1.
 
+
<pre>
[HN]# ifconfig eth1 0
+
[HN]# ifconfig eth1 0
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding
+
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
+
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
 
</pre>
 
</pre>
 
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0:
 
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0:
Line 132: Line 134:
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp
 
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp
 
</pre>
 
</pre>
This is very important action. If skipped, network
+
This is very important action. If skipped - network
 
can be broken on further steps due to incoming arp-requests provoked storm.
 
can be broken on further steps due to incoming arp-requests provoked storm.
  
Line 196: Line 198:
 
<pre>
 
<pre>
 
[INET]# ssh root@10.0.98.96
 
[INET]# ssh root@10.0.98.96
[CT 101]#  ...
+
[VE 101]#  ...
 
</pre>
 
</pre>
 
- HN is not accessible from Internet:
 
- HN is not accessible from Internet:
Line 206: Line 208:
 
<pre>
 
<pre>
 
[HN]# vzctl enter 101
 
[HN]# vzctl enter 101
[CT 101]# ...
+
[VE 101]# ...
 
</pre>
 
</pre>
- containers CT 101, CT 102 .. CT N "see" each other (ping).
+
- containers VE 101, VE 102 .. VE N "see" each other (ping).
  
 
If all the steps are done as written, it should work.
 
If all the steps are done as written, it should work.
 
Enjoy.
 
Enjoy.
 
[[Category: HOWTO]]
 
[[Category:Networking]]
 

Please note that all contributions to OpenVZ Virtuozzo Containers Wiki may be edited, altered, or removed by other contributors. If you don't want your writing to be edited mercilessly, then don't submit it here.
 If you are going to add external links to an article, read the External links policy first!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)
Retrieved from "https://wiki.openvz.org/Using_veth_and_brctl_for_protecting_HN_and_saving_IP_addresses"