Difference between revisions of "VEs and HNs in same subnets"
(New page: This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of ...) |
|||
| Line 1: | Line 1: | ||
| − | This describes a method of setting up networking for a host and its VEs | + | This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system. |
| − | such that the networking configuration for the VEs can be configured | ||
| − | exactly as if the VEs were standalone hosts of their own in the same | ||
| − | subnets or VLAN as the host. This method makes use of the Virtual | ||
| − | Ethernet device and bridges between the host and its containers. This | ||
| − | technique has the advantage of allowing IPv6 network configurations to | ||
| − | work on VEs and hosts as they normally would. In particular, both hosts | ||
| − | and VEs can use IPv6 autoconfiguration. The network configuration of a VE | ||
| − | can be identical to that of a non-VE system. | ||
| − | In the following example the host has two physical interfaces and we are | + | In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the host IP configuration will now reside on the vzbrN interfaces instead of the ethN interfaces. |
| − | setting up the network configuration for VE 100. The host IP | ||
| − | configuration is moved out of the ethN interface configs and into the | ||
| − | vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the | ||
| − | host IP configuration will now reside on the vzbrN interfaces instead of | ||
| − | the ethN interfaces. | ||
| − | 1. (Optional) Verify that you can create a bridge interfaces for each | + | 1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host. |
| − | physical interface on the host. | ||
/usr/sbin/brctl addbr vzbr0 | /usr/sbin/brctl addbr vzbr0 | ||
/usr/sbin/brctl addbr vzbr1 | /usr/sbin/brctl addbr vzbr1 | ||
| − | 2. Make note of the existing IP configuration in the hosts ifcfg-ethN | + | 2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding vzbrN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like: |
| − | files. Then, modify the ifcfg-ethN files on the host so that they ONLY | ||
| − | bridge to the corresponding vzbrN interface. | ||
| − | /etc/sysconfig/network-scripts/ifcfg-eth0 should look like: | ||
DEVICE=eth0 | DEVICE=eth0 | ||
| Line 39: | Line 22: | ||
BRIDGE=vzbr1 | BRIDGE=vzbr1 | ||
| − | Note that the ifcfg-ethN files on the host do not contain any IP | + | Note that the ifcfg-ethN files on the host do not contain any IP information anymore. |
| − | information anymore. | ||
| − | 3. Create ifcfg-vzbrN files and copy the IP configuration that was | + | 3. Create ifcfg-vzbrN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used: |
| − | previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what | ||
| − | host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming | ||
| − | the IPv4 address is assigned statically and IPv6 auto-configuration | ||
| − | (SLAAC) is used: | ||
DEVICE=vzbr0 | DEVICE=vzbr0 | ||
| Line 64: | Line 42: | ||
TYPE=bridge | TYPE=bridge | ||
| − | 4. On the host, do a 'service network restart' and verify the host has | + | 4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its vzbrN interfaces. |
| − | both IPv4 and IPv6 connectivity to its vzbrN interfaces. | ||
| − | 5. Create the VE as you normally would except do NOT specify any IP | + | 5. Create the VE as you normally would except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration. |
| − | address, just the hostname. Specifying an IP address during VE creation | ||
| − | creates an unwanted venet interface which is not used in this | ||
| − | configuration. | ||
| − | However, if the VE already exists, remove any venet devices - they will | + | However, if the VE already exists, remove any venet devices - they will not be used: |
| − | not be used: | ||
/usr/sbin/vzctl set 100 --ipdel all --save | /usr/sbin/vzctl set 100 --ipdel all --save | ||
| − | 6. For each VE, create ethN devices (ignore warnings about "Container | + | 6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host: |
| − | does not have configured veth") on the host: | ||
/usr/sbin/vzctl set 100 --netif_add eth0 | /usr/sbin/vzctl set 100 --netif_add eth0 | ||
/usr/sbin/vzctl set 100 --netif_add eth1 | /usr/sbin/vzctl set 100 --netif_add eth1 | ||
| − | The above creates corresponding veth100.0 and veth100.1 devices on the | + | The above creates corresponding veth100.0 and veth100.1 devices on the host and updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices. |
| − | host and updates the host /etc/vz/conf/100.conf file with generated MAC | ||
| − | addresses for the veth devices. | ||
| − | 7. Next we add the host vethN interfaces to the host bridged | + | 7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN). |
| − | interfaces (vzbrN). | ||
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0 | Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0 | ||
| Line 102: | Line 71: | ||
BRIDGE=vzbr1 | BRIDGE=vzbr1 | ||
| − | To make the above take effect, either do another 'service network restart' | + | To make the above take effect, either do another 'service network restart' on the host, or manually add each VE interface to its corresponding bridge by running: |
| − | on the host, or manually add each VE interface to its corresponding bridge | ||
| − | by running: | ||
/usr/sbin/brctl addif vzbr0 veth100.0 | /usr/sbin/brctl addif vzbr0 veth100.0 | ||
/usr/sbin/brctl addif vzbr1 veth100.1 | /usr/sbin/brctl addif vzbr1 veth100.1 | ||
| − | 8. Verify each bridge includes the host interface and the veth interfaces | + | 8. Verify each bridge includes the host interface and the veth interfaces for each VE: |
| − | for each VE: | ||
/usr/sbin/brctl show | /usr/sbin/brctl show | ||
| − | 9. In the container create the ifcfg network scripts for each interface | + | 9. In the container create the ifcfg network scripts for each interface eth0 and eth1. The scripts should look like standard ifcfg network scripts for a host. |
| − | eth0 and eth1. The scripts should look like standard ifcfg network | ||
| − | scripts for a host. | ||
/usr/sbin/vzctl enter 100 | /usr/sbin/vzctl enter 100 | ||
| Line 125: | Line 89: | ||
vi /etc/sysconfig/network-scripts/ifcfg-eth1 | vi /etc/sysconfig/network-scripts/ifcfg-eth1 | ||
| − | As noted above, the ifcfg-ethN files in the VE should be identical to | + | As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host. |
| − | standard ifcfg-eth* files | ||
| − | 10. Initialize the interfaces and restart the network service on the | + | 10. Initialize the interfaces and restart the network service on the container. |
| − | container. | ||
/sbin/ifconfig eth0 0 | /sbin/ifconfig eth0 0 | ||
| Line 137: | Line 99: | ||
Alternatively, just restart the VE from the host. | Alternatively, just restart the VE from the host. | ||
| − | 11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for | + | 11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for each VE IPv4 and IPv6 address. You do NOT need to enable any special network forwarding via sysctl. |
| − | each VE IPv4 and IPv6 address. You do NOT need to enable any special | ||
| − | network forwarding via sysctl. | ||
iptables: | iptables: | ||
| Line 154: | Line 114: | ||
service ip6tables restart | service ip6tables restart | ||
| − | 12. Verify the host and VE have connectivity to each other as well as to | + | 12. Verify the host and VE have connectivity to each other as well as to the rest of the network. |
| − | the rest of the network. | ||
13. For each additional VE, start at step #5. | 13. For each additional VE, start at step #5. | ||
Revision as of 00:53, 25 January 2010
This describes a method of setting up networking for a host and its VEs such that the networking configuration for the VEs can be configured exactly as if the VEs were standalone hosts of their own in the same subnets or VLAN as the host. This method makes use of the Virtual Ethernet device and bridges between the host and its containers. This technique has the advantage of allowing IPv6 network configurations to work on both VEs and hosts as they normally would. In particular, both hosts and VEs can use IPv6 autoconfiguration. The network configuration of a VE can be identical to that of a non-VE system.
In the following example the host has two physical interfaces and we are setting up the network configuration for VE 100. The host IP configuration is moved out of the ethN interface configs and into the vzbrN interface config scripts (ifcfg-vzbr0 and ifcfg-vzbr1). Ie. the host IP configuration will now reside on the vzbrN interfaces instead of the ethN interfaces.
1. (Optional) Verify that you can create a bridge interfaces for each physical interface on the host.
/usr/sbin/brctl addbr vzbr0
/usr/sbin/brctl addbr vzbr1
2. Make note of the existing IP configuration in the hosts ifcfg-ethN files. Then, modify the ifcfg-ethN files on the host so that they ONLY bridge to the corresponding vzbrN interface. /etc/sysconfig/network-scripts/ifcfg-eth0 should look like:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
BRIDGE=vzbr0
Similarly ifcfg-eth1 will look like:
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
BRIDGE=vzbr1
Note that the ifcfg-ethN files on the host do not contain any IP information anymore.
3. Create ifcfg-vzbrN files and copy the IP configuration that was previously in the ifcfg-ethN files into ifcfg-vzbrN. Here's what host:/etc/sysconfig/network-scripts/ifcfg-vzbr0 would look like assuming the IPv4 address is assigned statically and IPv6 auto-configuration (SLAAC) is used:
DEVICE=vzbr0
BOOTPROTO=static
IPADDR=xxx.xxx.xxx.xxx
NETMASK=aaa.aaa.aaa.aaa
ONBOOT=yes
TYPE=bridge
Similarly, ifcfg-vzbr1 should look like:
DEVICE=vzbr1
BOOTPROTO=static
IPADDR=yyy.yyy.yyy.yyy
NETMASK=bbb.bbb.bbb.bbb
ONBOOT=yes
TYPE=bridge
4. On the host, do a 'service network restart' and verify the host has both IPv4 and IPv6 connectivity to its vzbrN interfaces.
5. Create the VE as you normally would except do NOT specify any IP address, just the hostname. Specifying an IP address during VE creation creates an unwanted venet interface which is not used in this configuration.
However, if the VE already exists, remove any venet devices - they will not be used:
/usr/sbin/vzctl set 100 --ipdel all --save
6. For each VE, create ethN devices (ignore warnings about "Container does not have configured veth") on the host:
/usr/sbin/vzctl set 100 --netif_add eth0
/usr/sbin/vzctl set 100 --netif_add eth1
The above creates corresponding veth100.0 and veth100.1 devices on the host and updates the host /etc/vz/conf/100.conf file with generated MAC addresses for the veth devices.
7. Next we add the host vethN interfaces to the host bridged interfaces (vzbrN).
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.0
DEVICE=veth100.0
ONBOOT=yes
BRIDGE=vzbr0
Create host:/etc/sysconfig/network-scripts/ifcfg-veth100.1
DEVICE=veth100.1
ONBOOT=yes
BRIDGE=vzbr1
To make the above take effect, either do another 'service network restart' on the host, or manually add each VE interface to its corresponding bridge by running:
/usr/sbin/brctl addif vzbr0 veth100.0
/usr/sbin/brctl addif vzbr1 veth100.1
8. Verify each bridge includes the host interface and the veth interfaces for each VE:
/usr/sbin/brctl show
9. In the container create the ifcfg network scripts for each interface eth0 and eth1. The scripts should look like standard ifcfg network scripts for a host.
/usr/sbin/vzctl enter 100
After entering the VE:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
vi /etc/sysconfig/network-scripts/ifcfg-eth1
As noted above, the ifcfg-ethN files in the VE should be created to be identical to standard ifcfg-eth* files from a non-virtualized host.
10. Initialize the interfaces and restart the network service on the container.
/sbin/ifconfig eth0 0
/sbin/ifconfig eth1 0
/sbin/service network restart
Alternatively, just restart the VE from the host.
11. Add FORWARD ACCEPT statements to the host iptables and ip6tables for each VE IPv4 and IPv6 address. You do NOT need to enable any special network forwarding via sysctl.
iptables:
-A FORWARD -s xxx.xxx.xxx.xxx -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.xxx -j ACCEPT
ip6tables:
-A FORWARD -s xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT
-A FORWARD -d xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -j ACCEPT
Then restart both iptables and ip6tables on the host:
service iptables restart
service ip6tables restart
12. Verify the host and VE have connectivity to each other as well as to the rest of the network.
13. For each additional VE, start at step #5.
