Changes

append Category HOWTO & Networking
Configuration described below has been suggested by Ugo123. Thank you.
Consider we are facing the following task:
# We have limited range of IP addresses granted by ISP. We want to assign as many granted IPs to containers as possible. We do not want to protect containers from Internet.
# We want to protect the [[HN]] OS ([[CT]]0) from Internet and make it possible to manage containers from [[CT0]] within local area network.
Assume we have a [[HN]] with 2 Ethernet cards (interfaces eth0 and eth1), OpenVZ kernel 2.6.18-028stab033, vzctl version 3.0.16, bridge-utils version 1.1. OpenVZ installation process is covered in [[quick installation]].
This task can be effectively performed by setting up the configuration presented in Figure 1.
Figure 1: Effective configuration. 10.0.98.96-10.0.98.X - range of IP addresses granted by ISP, 192.168.1.136 - IP address from LAN
[[Image:fig.jpg]]
Initial ifconfig output of HN is the following:
RX bytes:2078718 (1.9 MiB) TX bytes:2078718 (1.9 MiB)
</pre>
Let us step through the setup process.
1) Create 2 containers on the HN as described in http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf.
For testing purposes I've used opensuse-10 precreated template from openvz.org:
<pre>
[HN]# wget http://download.openvz.org/template/precreated/opensuse-10-i386-default.tar.gz
</pre>
Create container 101 and assign it one of the IP addresses obtained from ISP:
<pre>
[HN]# vzctl create 101 --ostemplate opensuse-10-i386-default --ipadd 10.0.98.96
[HN]# vzctl set 101 --userpasswd root:XXX --save
</pre>
And do the same for CT 102 ... CT N. When ready - start containers:
<pre>
[HN]# vzctl start 101
[HN]# vzlist -a
      CTID      NPROC STATUS  IP_ADDR         HOSTNAME
       101          4 running 10.0.98.96      -
       102          4 running 10.0.98.97      -
</pre>
2) By default containers use venet device for networking (see [[venet]]). But current configuration requires using alternative networking - through veth devices (see [[Virtual Ethernet device]]). Switch CT 101 to veth by doing the following:
MAC address needed by eth0 of CT 101 and veth101.0 should be generated by easymac:
<pre>
[HN]# wget http://www.easyvmx.com/software/easymac.sh
[HN]# echo 0 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
</pre>
Enter the container and tune ifconfig within the container:
<pre>
[HN]# vzctl enter 101
[CT 101]# ifconfig venet0:0 down
[CT 101]# ifconfig venet0 down
[CT 101]# ifconfig eth0 0
[CT 101]# ip addr add 10.0.98.96 dev eth0
[CT 101]# ip route add default dev eth0
</pre>
The same (whole item 2) should be done for CT 102 .. CT N.
3) Now we should eliminate the IP address on eth1:
  [HN]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
Edit like this:
<pre>
DEVICE=eth1
#BOOTPROTO=dhcp    <<== comment out
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
</pre>
and save changes (:wq).
<pre>
[HN]# /etc/init.d/network restart
</pre>
And turn off forwarding and proxy_arp for eth1.
<pre>
[HN]# ifconfig eth1 0
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/forwarding
[HN]# echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
</pre>
4) Create br0 bridge uniting eth1, veth101.0, ..., vethN.0:
[HN]# echo 0 > /proc/sys/net/ipv4/conf/br0/proxy_arp
</pre>
This is a very important action. If skipped, the network can be broken on further steps by a storm provoked by incoming ARP requests.
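The proxy_arp and forwarding settings from steps 2 to 4 can be checked before eth1 is plugged into the ISP outlet. The script below is an added example, not part of the original HOWTO; the function names and the proc-root argument are assumptions made for illustration, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): audit the sysctl flags that
# steps 2-4 set to 0. The proc-root argument is a hypothetical parameter so the
# check can run against a constructed tree instead of the live /proc.

# audit_flags PROC_ROOT: print one line per violation, return 1 if any found.
audit_flags() {
    conf="$1/sys/net/ipv4/conf"
    bad=0
    for dir in "$conf"/eth1 "$conf"/br0 "$conf"/veth*.0; do
        [ -d "$dir" ] || continue          # interface absent or glob unmatched
        iface=${dir##*/}
        flags="proxy_arp"
        # The HOWTO disables forwarding explicitly on eth1 only.
        if [ "$iface" = "eth1" ]; then flags="proxy_arp forwarding"; fi
        for flag in $flags; do
            val=$(cat "$dir/$flag" 2>/dev/null) || val=""
            if [ "$val" != "0" ]; then
                echo "FAIL $iface $flag=${val:-unreadable}"
                bad=1
            fi
        done
    done
    return $bad
}

# make_sample: build a constructed tree where eth1, br0 and veth101.0 follow
# the HOWTO, veth102.0 still has proxy_arp enabled (the skipped step), and
# eth0 (LAN side, not audited) has forwarding on. Prints the tree's path.
make_sample() {
    root=$(mktemp -d)
    for i in eth0 eth1 br0 veth101.0 veth102.0; do
        mkdir -p "$root/sys/net/ipv4/conf/$i"
        echo 0 > "$root/sys/net/ipv4/conf/$i/proxy_arp"
        echo 0 > "$root/sys/net/ipv4/conf/$i/forwarding"
    done
    echo 1 > "$root/sys/net/ipv4/conf/eth0/forwarding"
    echo 1 > "$root/sys/net/ipv4/conf/veth102.0/proxy_arp"
    echo "$root"
}
```

On the HN, call `audit_flags /proc`; a non-zero return status means at least one of eth1, br0 or a vethN.0 device still has a flag set.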
Now plug eth1 of HN into network wall outlet provided by ISP and carry out the following testing:
- It should be tested that containers are accessible from Internet:
<pre>
[INET]# ssh root@10.0.98.96
[CT 101]# ...
</pre>
- HN is not accessible from Internet:
inaccessible
</pre>
- Containers can be managed from HN:
<pre>
[HN]# vzctl enter 101
[CT 101]# ...
</pre>
- Containers CT 101, CT 102 .. CT N "see" each other (ping).
If all the steps are done as written, it should work.
Enjoy.
 
[[Category: HOWTO]]
[[Category:Networking]]