[[Category:HOWTO]][[Category:Networking]]This describes a method of setting up networking for a host and its VEssuch that the networking configuration for the VEs can be configuredexactly as if the VEs were standalone hosts of their own in the samesubnets or VLAN as the host. This method makes use of the VirtualEthernet device and bridges between the host and its containers. Thistechnique has the advantage of allowing IPv6 network configurations towork on both VEs and hosts as they normally would. In particular, both hostsand VEs can use IPv6 autoconfiguration. The network configuration of a VEcan be identical to that of a non-VE system.

In the following example the host has two physical interfaces and we aresetting up the network configuration for VE 100. The host IPconfiguration is moved out of the ethN interface configs and into thevzbrN brN interface config scripts (ifcfg-vzbr0 br0 and ifcfg-vzbr1br1). Ie. thehost IP configuration will now reside on the vzbrN brN interfaces instead ofthe ethN interfaces. The example also assumes IPv4 is configured statically, whereas IPv6 is auto-configured.

1. (Optional) Verify that you can create a ==Configure host bridge interfaces for eachphysical interface on the host.==

1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.  /usr/sbin/brctl addbr br0 /usr/sbin/brctl addbr br1 If the above commands do not work you may need to install the bridge-utils package. 2. Make note of the existing IP configuration in the hosts ifcfg-ethNfiles. Also, record the hardware MAC addresses of the ethernet interfaces from the output of 'ifconfig'.  /sbin/ifconfig eth0 /sbin/ifconfig eth1  Then, modify the ifcfg-ethN files on the host so that they ONLYbridge to the corresponding vzbrN brN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:

BRIDGE=vzbr0br0

BRIDGE=vzbr1br1

Note that the ifcfg-ethN files on the host do not contain any IPinformation anymore.

3. Create ifcfg-vzbrN brN files and copy the IP configuration that waspreviously in the ifcfg-ethN files into ifcfg-vzbrNbrN. Here's whathost:/etc/sysconfig/network-scripts/ifcfg-vzbr0 br0 would look like assumingthe IPv4 address is assigned statically and IPv6 auto-configuration(SLAAC) is used:

DEVICE=vzbr0br0

TYPE=bridgeBridge MACADDR=mm:mm:mm:mm:mm:mm

Similarly, ifcfg-vzbr1 br1 should look like:

DEVICE=vzbr1br1

TYPE=Bridge MACADDR=nn:nn:nn:nn:nn:nn Note that TYPE 'Bridge' is case-sensitive. Otherwise, the bridgeinterfaces will not initialize correctly during boot.

4The bridge MACADDR should be hard-coded to match the corresponding hardware MAC address of the ethernet interface. On Otherwise the host, do a 'service network restart' and verify default behaviour is to use the lowest MAC address of all the interfaces in the bridge. This is to prevent the host hasboth IPv4 bridge MAC and any auto-configured IPv6 connectivity to its vzbrN interfacesaddress on the bridge interface from changing as VEs are created, started, or stopped.

54. Create On the VE as you normally would except host, do NOT specify any IPaddress, just a 'service network restart' and verify the hostname. Specifying an IP address during VE creationcreates an unwanted venet interface which is not used in thisconfigurationhost has both IPv4 and IPv6 connectivity to its brN interfaces.

==Create the VE veth interfaces==5. Create the VE as you normally would, except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.  /usr/sbin/vzctl create 100 --ostemplate name --hostname name However, if the VE already exists, use vzctl to remove any venet devices - they will not be used:

6. For each VE, create ethN devices (ignore warnings about "Containerdoes not have configured veth") on the host:

/usr/sbin/vzctl set 100 --netif_add eth0--save /usr/sbin/vzctl set 100 --netif_add eth1--save

The above creates corresponding veth100.0 and veth100.1 devices on thehost and updates the host /etc/vz/conf/100.conf file with generated MACaddresses for the veth devices. When the VE is started, the veth100.0 and veth100.1 devices will be automatically created on the host.

==Bridge the host and VE==7. Next we add the host vethN interfaces to the host bridgedinterfaces (vzbrNbrN).

ONBOOT=yesno BRIDGE=vzbr0br0

ONBOOT=yesno BRIDGE=vzbr1br1 To make the above take effect, either start the VE,  /usr/sbin/vzctl start 100

To make the above take effect, either do another Or if it'service network restart'on the host, or s already started then manually add each VE interface to its corresponding bridgeby runningusing:

/usr/sbin/brctl addif vzbr0 br0 veth100.0 /usr/sbin/brctl addif vzbr1 br1 veth100.1

8. Verify each bridge includes the host interface and the veth interfaces for each VE:

==Configure the VE networking==9. In Enter the container create VE from the ifcfg network scripts for each interfaceeth0 and eth1. The scripts should look like standard ifcfg networkscripts for a host.:

After entering In the container create the ifcfg network scripts for each interface eth0 and eth1. The ifcfg-ethN files should look like standard ifcfg network scripts for a non-VE:host.

As noted above, the ifcfg-ethN files in the VE should be created to be identical tostandard ifcfg-eth* files containing any required IP configuration infofrom a non-virtualized host. A minimum ifcfg-eth0 file using a static IPv4 address would have the following entries:

DEVICE=eth0 BOOTPROTO=static IPADDR=xxx.xxx.xxx.xxx NETMASK=yyy.yyy.yyy.yyy ONBOOT=yes GATEWAY=zzz.zzz.zzz.zzz  10. Initialize the interfaces and restart the network service on thecontainer.

11. Add FORWARD ACCEPT statements to Verify the host iptables and ip6tables forVE have connectivity to each other as well as to the rest of the network. ==Additional VEs==12. For each additional VE IPv4 and , start at step #5. ==Notes on IPv6 autoconfiguration==If your CT0 is also performing routing duties, you might chance upon the problem that IPv6 addressstateless autoconfiguration using radvd is not working for the CT's. You do NOT need to enable any special network forwarding via sysctlThe description below is specific for a Debian (Lenny) CT0 and Debian (Squeeze) CT.

iptables: -A FORWARD -First check if your CT is actually receiving any router advertisements (RA's xxx).xxxThis can be done by installing radvd (apt-get install radvd) and running radvdump.xxxSimply wait for the next round of RA's from radvd, or trigger it (by restarting radvd on CT0, for example).xxx -j ACCEPT -A FORWARD -d xxxIf you do not receive any RA's there is a more fundamental problem.xxxThe following only concerns the scenario where the CT receives RA's but does not configure the network interfaces accordingly.xxxDo not forget to remove the radvd package after checking.xxx -j ACCEPT

ip6tablesBecause CT0 is performing routing services, all or some values under /proc/sys/net/ipv6/conf/*/forwarding and under /proc/sys/net/ipv6/conf/*/mc_forwarding are set to 1. This appears to override the defaults for these values in the /proc filesystems for the CT's. Unless you explicitly disable forwarding in /etc/sysctl.conf, your CT will also use these values. This means that, to the IPv6 Neighbour Discovery Protocol (NDP) responsible for router advertisements and autoconfiguration, your CT is a router and therefore not allowed to use the RA's to configure the interfaces. To fix this, add or change the following lines to /etc/sysctl.conf '''''on the CT, not on CT0''''': -A FORWARD -s xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT<pre>net.ipv6.conf.all.forwarding=0net.ipv6.conf.all.mc_forwarding=0 -A FORWARD -d xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT</pre>

Then restart both iptables and ip6tables on You may also want to explicitly disable IPv4 forwarding since the hostCT is not a router. To do this, also change the line:<pre>net.ipv4.ip_forward=0</pre>

12NOTE: Due to bug [http://bugzilla.openvz.org/show_bug. Verify cgi?id=1723 1723] this setup might not work: Enabling the host and VE have routing on CT0 can effectively kill all IPv6 connectivity to each other as well as to for the rest of CT, depending on the networksetup. (This bug is reported to be solved since 2011-06-07, so this shouldn't be an issue anymore.)