several nics on the hn [message #43677]
Thu, 06 October 2011 13:02
Daniel Bauer
Hello,
I've several nics on the hostnode. Only the internal service nic has an
internal IP. The other nics are without IPs and connected to different
internal subnets and public www.
I've read the differences between venet and veth
http://wiki.openvz.org/Differences_between_venet_and_veth
and want to use venet, but only venet0 is active in the hn, I think this
is connected to eth0, but how to access the other nics?
Thanks
Daniel
Re: several nics on the hn [message #43687 is a reply to message #43682]
Thu, 06 October 2011 17:44
samiam
> When you start mixing class Cs, venet, veth and what have you, is when you
> see forum postings.
I should note there is a RTFM on having different containers use
different interfaces:
http://wiki.openvz.org/Source_based_routing
However, what is missing is a RTFM on having a single container use
different interfaces to route to different IP ranges. For example, a
host that is a router with separate interfaces to 192.168.1.0/24 and
192.168.42.0/24, as well as a gateway to the internet, and we want a
container on this host to access all three networks (for example, a
container running Squid as a web proxy).
Another example which has been annoying me: Having an OpenVZ container
inside of a VirtualBox guest. I would like to have my OpenVZ
container be accessible from my host and access the internet
at the same time, in a way that does not require a bridged interface. [1]
VirtualBox uses one interface to access the internet (10.0.4.X)
and another interface that the host can use to connect to the guest
(192.168.56.X). The OpenVZ container can connect to one or the other,
but not both at the same time.
I just did a STFW to find a way to resolve this problem and only got
other reports of people with similar issues, such as
http://forum.openvz.org/index.php?t=msg&goto=9978&
So, here's my question: Is there a page out there which details
exactly how to have an OpenVZ container use two or more different
interfaces on the host machine?
- Sam
[1] The VirtualBox issue can be somewhat resolved by having the
VirtualBox guest also have a bridged interface, and having the OpenVZ
container use said bridged interface. This, alas, doesn't work when
there isn't a DHCP server on the network to connect to, such as when
I'm on a plane or somewhere else without WiFi.
Re: several nics on the hn [message #43689 is a reply to message #43680]
Thu, 06 October 2011 20:13
Daniel Bauer
Hi Esmé,
> What's your setup? You have 1 'internal' NIC with an IP-address and other
> NIC's without IP-address who you want to connect inside a container, for
> what purpose?
I've several nets:
1. internal service net, only available from/for the hostnode
2. internal LAN with intranet services for my users
3. DMZ
4. external IPs
The host node should only be accessible in net 1, I don't want any
routing or firewalling inside the hn, there should be no connection f.e.
to net 4
> If you use veth you could theoretically set up a bridge with one of those
> devices, that would be easiest in my opinion. But why would you consist on
> venet?
In the mentioned article there are two advantages: security and
performance
> Probably with a little bit more information we can help you a bit further.
Thanks
Daniel
Re: several nics on the hn [message #43691 is a reply to message #43678]
Thu, 06 October 2011 20:19
Daniel Bauer
Hello Gary,
> Edit your:
>
> /etc/vz/vz.conf
>
> Specifically the VE_ROUTE_SRC_DEV value
>
> ...
> # The name of the device whose IP address will be used as source IP for CT.
> # By default automatically assigned.
> #VE_ROUTE_SRC_DEV="eth0"
I see that I could change this value, but not add a venet(1,2,3). I
understand how to use veth, but then I lose the advantages of the venet
...
Thanks
Daniel
RE: several nics on the hn [message #43697 is a reply to message #43689]
Fri, 07 October 2011 08:23
Esm
Hey Daniel,
When you want to use this kind of configuration:
    ---internal---> | hn | VEID 1
    ---NIC 2------> |    | VEID 2
    ---NIC 3------> |    | VEID 3
And what you try is, f.e., to have the internal NIC only connecting to the
hn, and NIC 2 to VEID 3 and NIC 3 to VEID 2, then you probably will need to
route and firewall your config if you stick to venet.
Using a bridged setup would mean the same security implications as using the
setup above (firewalled). So that's not something to worry about.
If you've any questions, please let us know.
Esmé
Re: several nics on the hn [message #43703 is a reply to message #43697]
Fri, 07 October 2011 10:48
Daniel Bauer
Hi Esmé,
From: "Esmé de Wolf" <esme@elements.nl>
> When you want to use this kind of configuration:
>
>     ---internal---> | hn | VEID 1
>     ---NIC 2------> |    | VEID 2
>     ---NIC 3------> |    | VEID 3
>
> And what you try is, f.e., to have the internal NIC only connecting to the
> hn, and NIC 2 to VEID 3 and NIC 3 to VEID 2, then you probably will need to
> route and firewall your config if you stick to venet.
>
> Using a bridged setup would mean the same security implications as using the
> setup above (firewalled). So that's not something to worry about.
I think I'll do it with veth, even if I preferred the venet interface,
because nobody could change the IP inside the CT.
Thanks
Daniel
Re: Re: several nics on the hn [message #43706 is a reply to message #43702]
Fri, 07 October 2011 12:06
Timh B
Daniel,
On Fri, October 7, 2011 12:46, Daniel Bauer wrote:
> It's a really interesting solution. I've to look at the VLAN technic,
> because I've never used it.
>
> One thing was, that nobody - only the HN - could change the IP for a CT.
> This issue couldn't be solved by VLAN or veth, so I thought to use
> venet.
>
> Now I think I'll prefer the builtin veth technic to solve my problem
> right now.
>
I would also suggest you go this path, configure your "dedicated" hn-nic
(for this example, let's say it's eth0) as usual with the ip-address you
want.
Example (debian):
    # /etc/network/interfaces
    # Dedicated HN NIC: the only interface with an IP address
    iface eth0 inet static
        address x.y.z.n
        netmask x.x.x.0
        gateway x.y.z.n

    # NIC carrying the CT VLANs: no IP address on the HN
    iface eth1 inet manual

    # Tagged VLANs 100 and 200 on eth1 (raw device set to eth1 to match
    # the eth1.<vlan> names; the original post had eth0 here)
    iface eth1.100 inet manual
        vlan_raw_device eth1

    iface eth1.200 inet manual
        vlan_raw_device eth1

    # One bridge per VLAN; the CT veth devices are attached to these
    iface vmbr100 inet manual
        bridge_ports eth1.100
        bridge_stp off
        bridge_fd 0

    iface vmbr200 inet manual
        bridge_ports eth1.200
        bridge_stp off
        bridge_fd 0
--
Then, when creating your ct's you simply omit the --ipaddress flag on
vzctl command and run
    vzctl set <VEID> --netif_add eth0,,,,vmbr100 --save
and configure "eth0" within the CT.
This will put the ct-network in vlan100 on (hn) eth1 (which as you can
see, has no ip-address configured) on the bridge vmbr100 as veth<VEID>.0
(confirm with "brctl show"). Note: you will have to configure your switch
to send the vlan as "tagged" to the eth1 interface.
For your security concerns I suggest you look into mac-filtering or maybe
check for mismatches between mac and ip addresses you have configured for
the CT, the --netif_add command will generate a mac-address or you can set
one manually.
The veth<VEID>.0 interface will also show up in the HN and you can do
firewalling with something like this;
    -A OUTPUT -o veth<VEID>.0 -s <IP> -j ACCEPT
    -A OUTPUT -o veth<VEID>.0 -j DROP
(You will have to check the iptables-commands as I wrote them from the top
of my head!)
Good luck!
-- Timh
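The MAC/IP mismatch check suggested in the message above, as an added example that is not part of the original post: a POSIX shell function that compares neighbour entries seen on the HN bridge with the MAC and IP configured for each veth CT. The VEIDs, addresses and the name check_bindings are constructed for illustration; the observed lines follow the output format of "ip neigh show dev vmbr100".

```shell
#!/bin/sh
# Added example: report CTs whose observed MAC/IP pair differs from the configured one.

# Configured bindings, one "VEID MAC IP" per line (constructed values).
EXPECTED='101 00:18:51:aa:bb:01 192.0.2.10
102 00:18:51:aa:bb:02 192.0.2.11'

# Constructed sample in the format of "ip neigh show dev vmbr100" on the HN.
OBSERVED='192.0.2.10 lladdr 00:18:51:aa:bb:01 REACHABLE
192.0.2.99 lladdr 00:18:51:aa:bb:02 STALE
192.0.2.11 lladdr 52:54:00:12:34:56 REACHABLE
192.0.2.77 FAILED'

# check_bindings EXPECTED OBSERVED: prints one line per mismatch, nothing if clean.
check_bindings() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { observed = 1; next }
        !observed {                          # first part: load configured bindings
            if (NF >= 3) {
                mac = tolower($2)
                veid_of[mac] = $1; ip_of[mac] = $3; mac_of[$3] = mac
            }
            next
        }
        {                                    # second part: one neighbour entry per line
            mac = ""
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next              # FAILED/INCOMPLETE entry: no MAC learned
            ip = $1
            if (mac in ip_of) {
                if (ip_of[mac] != ip)        # CT answers for an IP it was not given
                    printf "CT %s (%s) uses %s, configured %s\n", veid_of[mac], mac, ip, ip_of[mac]
            } else if (ip in mac_of) {       # a CT IP is claimed by an unconfigured MAC
                printf "unknown MAC %s claims %s of CT %s\n", mac, ip, veid_of[mac_of[ip]]
            }
        }'
}

check_bindings "$EXPECTED" "$OBSERVED"
```

On a live HN the second argument would be the current neighbour table of the bridge, and the first would be built from the MAC and IP recorded for each CT.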
Re: Re: several nics on the hn [message #43717 is a reply to message #43706]
Sat, 08 October 2011 09:39
Daniel Bauer
Hello Timh,
Thanks a lot for this explanation.
Daniel
suPHP problem [message #43739 is a reply to message #43697]
Wed, 12 October 2011 11:50
Steffan
When enabling suphp I'm getting the message that the site is using php 5.1.6
But I'm using solarspeed 5.2.13
Looking in the vsites php.ini file I see
extension_dir = "/home/solarspeed/php/lib/"
so looks like the right php.ini is there
so what is wrong?
thanks