Editing Using veth and brctl for protecting HN and saving IP addresses
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | Configuration described below has been suggested by Ugo123. | + | Configuration described below has been suggested by Ugo123. Appreciates. |
Consider we are facing the following task: | Consider we are facing the following task: | ||
− | + | 1) We have limited range of IP adresses granted by ISP. | |
− | + | We want to assign as much granted IPs to containers as possible. | |
+ | We do not want to protect containers from Internet. | ||
+ | 2) We want to protect the HN OS (VE0) from Internet and make it possible to manage containers from VE0 within local area network. | ||
− | Assume we have a | + | Assume we have a HN with 2 ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16, |
− | bridge-utils version 1.1. OpenVZ installation process is covered | + | bridge-utils version 1.1. OpenVZ installation process is covered by http://wiki.openvz.org/Quick_installation. |
− | + | Task can be effectively solved by setting up the configuration presented on Figure 1. | |
− | Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP | + | Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP-adresses granted by ISP, 192.168.1.136 - IP address from LAN |
[[Image:fig.jpg]] | [[Image:fig.jpg]] | ||
Line 47: | Line 49: | ||
RX bytes:2078718 (1.9 MiB) TX bytes:2078718 (1.9 MiB) | RX bytes:2078718 (1.9 MiB) TX bytes:2078718 (1.9 MiB) | ||
</pre> | </pre> | ||
− | Let us | + | Let us pass through the setup process step by step. |
1) Create 2 containers on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf. | 1) Create 2 containers on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf. | ||
Line 55: | Line 57: | ||
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz | [HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz | ||
</pre> | </pre> | ||
− | Create | + | Create VE 101 and assign it one of the IP adresses obtained from ISP: |
<pre> | <pre> | ||
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96 | [HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96 | ||
[HN]# vzctl set 101 --userpasswd root:XXX --save | [HN]# vzctl set 101 --userpasswd root:XXX --save | ||
</pre> | </pre> | ||
− | And do the same for | + | And do the same for VE 102 ... VE N. When ready - start containers: |
<pre> | <pre> | ||
[HN]# vzctl start 101 | [HN]# vzctl start 101 | ||
Line 68: | Line 70: | ||
102 4 running 10.0.98.97 - | 102 4 running 10.0.98.97 - | ||
</pre> | </pre> | ||
− | 2) By default containers use venet device for networking ( | + | 2) By default containers use venet device for networking (http://wiki.openvz.org/Venet). But current |
− | configuration requires using alternative networking - through veth devices ( | + | configuration requires using alternative networking - through veth devices (http://wiki.openvz.org/Virtual_Ethernet_device). |
− | Switch | + | Switch VE 101 to veth by doing the following: |
− | MAC address needed by eth0 of | + | MAC address needed by eth0 of VE 101 and veth101.0 should be generated by easymac: |
<pre> | <pre> | ||
[HN]# wget http://www.easyvmx.com/software/easymac.sh | [HN]# wget http://www.easyvmx.com/software/easymac.sh | ||
Line 89: | Line 91: | ||
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp | [HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp | ||
</pre> | </pre> | ||
− | Enter | + | Enter VE and tune ifconfig within VE: |
<pre> | <pre> | ||
− | [ | + | [VE 101]# vzctl enter 101 |
− | [ | + | [VE 101]# ifconfig venet0:0 down |
− | [ | + | [VE 101]# ifconfig venet0 down |
− | [ | + | [VE 101]# ifconfig eth0 0 |
− | [ | + | [VE 101]# ip addr add 10.0.98.96 dev eth0 |
− | [ | + | [VE 101]# ip route add default dev eth0 |
</pre> | </pre> | ||
− | The same (whole item 2) should be done for | + | The same (whole item 2) should be done for VE 102 .. VE N. |
3) Now we should eliminate the IP address on eth1: | 3) Now we should eliminate the IP address on eth1: | ||
− | + | [HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1 | |
− | |||
Edit like this: | Edit like this: | ||
− | + | <pre> | |
− | + | DEVICE=eth1 | |
− | + | #BOOTPROTO=dhcp <<== comment | |
− | + | HWADDR=XX:XX:XX:XX:XX:XX | |
− | + | ONBOOT=yes | |
+ | </pre> | ||
and save changes (:wq). | and save changes (:wq). | ||
− | + | <pre> | |
− | + | [HN]# /etc/init.d/network restart | |
− | + | </pre> | |
And turn off forwarding and proxy_arp for eth1. | And turn off forwarding and proxy_arp for eth1. | ||
− | + | <pre> | |
− | + | [HN]# ifconfig eth1 0 | |
− | + | [HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding | |
− | + | [HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp | |
</pre> | </pre> | ||
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0: | 4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0: | ||
Line 132: | Line 134: | ||
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp | [HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp | ||
</pre> | </pre> | ||
− | This is very important action. If skipped | + | This is very important action. If skipped - network |
can be broken on further steps due to incoming arp-requests provoked storm. | can be broken on further steps due to incoming arp-requests provoked storm. | ||
Line 196: | Line 198: | ||
<pre> | <pre> | ||
[INET]# ssh root@10.0.98.96 | [INET]# ssh root@10.0.98.96 | ||
− | [ | + | [VE 101]# ... |
</pre> | </pre> | ||
- HN is not accessible from Internet: | - HN is not accessible from Internet: | ||
Line 206: | Line 208: | ||
<pre> | <pre> | ||
[HN]# vzctl enter 101 | [HN]# vzctl enter 101 | ||
− | [ | + | [VE 101]# ... |
</pre> | </pre> | ||
− | - containers | + | - containers VE 101, VE 102 .. VE N "see" each other (ping). |
If all the steps are done as written, it should work. | If all the steps are done as written, it should work. | ||
Enjoy. | Enjoy. | ||
− | |||
− | |||
− |