How to assign a public IP to a VE ? [message #43912] Sat, 29 October 2011 00:39
U.Mutlu
Hi,
how can I assign a public IP to an openVZ VE?
What tasks do I need to do on the HN and on the VE?

The HN already has a public IP and it's working ok.
Now I got a 2nd public IP and need to use it for the VE
(unfortunately that 2nd IP is from a different net than the first IP, if that matters).

When I assign the 2nd IP to eth0 or to venet0 on the HN then
it works fine on the HN, but I need to assign it to the VE,
and here I don't know how to do the assignment and the routing.

If someone has a similar setup (HN and VE: Debian 5 or 6, and using venet)
please let me know your solution, thx.

Re: How to assign a public IP to a VE ? [message #43913 is a reply to message #43912] Sat, 29 October 2011 02:29
Gary Wallis
Sounds like a general networking vlan and/or bonding issue. But make
sure that these /etc/vz/vz.conf parameters are set correctly:

# The name of the device whose IP address will be used as source IP for CT.
# By default automatically assigned.
#VE_ROUTE_SRC_DEV="eth0"

# Controls which interfaces to send ARP requests and modify ARP tables on.
#NEIGHBOUR_DEVS=detect

## Fail if there is another machine in the network with the same IP
ERROR_ON_ARPFAIL="no"


Also check the output of

# route -n

Make sure default gw (0.0.0.0) is on the correct device and that this
device is plugged into the correct switch port.

Re: How to assign a public IP to a VE ? [message #43914 is a reply to message #43913] Sat, 29 October 2011 08:51
U.Mutlu
Gary Wallis wrote, On 2011-10-29 04:29:
> Sounds like a general networking vlan and/or bonding issue. But make sure that these /etc/vz/vz.conf parameters are set correctly:
>
> # The name of the device whose IP address will be used as source IP for CT.
> # By default automatically assigned.
> #VE_ROUTE_SRC_DEV="eth0"
>
> # Controls which interfaces to send ARP requests and modify ARP tables on.
> #NEIGHBOUR_DEVS=detect

tried also with "all"

> ## Fail if there is another machine in the network with the same IP
> ERROR_ON_ARPFAIL="no"

Have it already so

> Also check the output of
>
> # route -n
>
> Make sure default gw (0.0.0.0) is on the correct device and that this device is plugged into the correct switch port.

The main IP is XXX.XXX.132.147/24, and the GW is XXX.XXX.132.1 .
The 2nd IP is XXX.XXX.131.15 .

The goal is to assign the 2nd IP to the VE.
Let's start on the HN. Is the following setup on the HN correct?

# ip a l
root@s7:/tmp# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1b:21:ad:7b:d3 brd ff:ff:ff:ff:ff:ff
inet XXX.XXX.132.147/24 brd XXX.XXX.132.255 scope global eth0
inet XXX.XXX.131.15/24 brd XXX.XXX.131.255 scope global eth0:0
3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/void

# ip r l
XXX.XXX.132.0/24 dev eth0 proto kernel scope link src XXX.XXX.132.147
XXX.XXX.131.0/24 dev eth0 proto kernel scope link src XXX.XXX.131.15
default via XXX.XXX.132.1 dev eth0

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
XXX.XXX.132.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
XXX.XXX.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 XXX.XXX.132.1 0.0.0.0 UG 0 0 0 eth0

Both IPs can be pinged from outside.
If that's correct on the HN, then what should the /etc/network/interfaces on the VE look like?

Re: How to assign a public IP to a VE ? (SOLVED) [message #43922 is a reply to message #43914] Sun, 30 October 2011 12:12
U.Mutlu
Problem solved!
(problem was how to assign a public IP to a VE)

It was a firewall issue on the HN, because in my firewall script
the default iptables target for FORWARD was set to DROP. After changing
this to ACCEPT things work fine.
(now I must recheck my security guidelines on whether and which other
implications this change can have...)

Ie. the solution was to change this from
iptables -P FORWARD DROP
to
iptables -P FORWARD ACCEPT
(for testing one can of course also completely disable the iptables firewall)

And do not assign the IP in question to the HN, rather just
let it be assigned/managed by vzctl when it creates/starts the VE.

This solution uses the default venet0 only, ie. no veth, no bridging etc.,
no "source routing via kernel routing table" etc., not even any additional normal routing! :-)
(Beware: there is much garbage info floating around on the net about the venet0 device;
maybe this is due to very old versions of vzctl used...)

My environment:
HN: Debian 6 (squeeze), but using a newer vzctl from either the upcoming Debian 7 (wheezy/testing)
or from http://download.openvz.org/utils/vzctl/current/; I've vzctl version 3.0.29.3.
Kernel: 2.6.32-5-openvz-amd64 (linux-image-2.6.32-5-openvz-amd64 from the debian repository)
VE: debian-6.0-i386-minimal from http://wiki.openvz.org/Download/template/precreated
(I so far tested only this one, the other ones should work too I think)

People still having problems setting up openvz can contact me (help @ mutluit.com)
if having a similar environment (ie. Debian 6 on HN+VE, using venet, not veth),
maybe I can help if time permits...

--
U.Mutlu
www.mutluit.com

Re: How to assign a public IP to a VE ? (SOLVED) [message #43924 is a reply to message #43922] Sun, 30 October 2011 16:04
U.Mutlu
U.Mutlu wrote, On 2011-10-30 13:12:
> Problem solved!
> (problem was how to assign a public IP to a VE)
>
> It was a firewall issue on the HN, because in my firewall script
> the default iptables target for FORWARD was set to DROP. After changing
> this to ACCEPT things work fine.
> (now I must recheck my security guidelines on whether and which other
> implications this change can have...)
>
> Ie. the solution was to change this from
> iptables -P FORWARD DROP
> to
> iptables -P FORWARD ACCEPT
> (for testing one can of course also completely disable the iptables firewall)

Now I improved the above solution to this more secure solution:
iptables -P FORWARD DROP
iptables -A FORWARD -s w.x.y.z -j ACCEPT
iptables -A FORWARD -d w.x.y.z -j ACCEPT

where w.x.y.z is the IP for the VE.
(I could have also made it "w.x.y.z/24" but IMO it's not necessary
since no broadcasts are supposed to go over that link).

> And do not assign the IP in question to the HN, rather just
> let it be assigned/managed by vzctl when it creates/starts the VE.
>
> This solution uses the default venet0 only, ie. no veth, no bridging etc.,
> no "source routing via kernel routing table" etc., not even any additional normal routing! :-)
> (Beware: there is much garbage info floating around on the net about the venet0 device;
> maybe this is due to very old versions of vzctl used...)
>
> My environment:
> HN: Debian 6 (squeeze), but using a newer vzctl from either the upcoming Debian 7 (wheezy/testing)
> or from http://download.openvz.org/utils/vzctl/current/; I've vzctl version 3.0.29.3.
> Kernel: 2.6.32-5-openvz-amd64 (linux-image-2.6.32-5-openvz-amd64 from the debian repository)
> VE: debian-6.0-i386-minimal from http://wiki.openvz.org/Download/template/precreated
> (I so far tested only this one, the other ones should work too I think)
>
> People still having problems setting up openvz can contact me (help @ mutluit.com)
> if having a similar environment (ie. Debian 6 on HN+VE, using venet, not veth),
> maybe I can help if time permits...
>
> --
> U.Mutlu
> www.mutluit.com
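
Added example, not part of the original thread: a small generator for the default-DROP FORWARD rule set described in the last post, one pair of rules per container address. It goes beyond the post by also matching the venet0 device, so the rules apply only to traffic that actually crosses the container interface, and it accepts only single host addresses (no /24). The names VE_DEV, is_ipv4 and ve_forward_rules and the sample address 192.0.2.15 are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (not apply) the FORWARD rules for a default-DROP policy,
# one pair per container IP, scoped to the venet0 device named in the thread.
# VE_DEV and the sample address below are assumptions of this example.
VE_DEV="${VE_DEV:-venet0}"

# Succeed only for a plain dotted-quad IPv4 address (no mask, octets 0-255).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule set for the given container IPs. If any argument is not a
# single host address, print nothing on stdout and return 1.
ve_forward_rules() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "rejected: $ip" >&2; return 1; }
    done
    echo "iptables -P FORWARD DROP"
    for ip in "$@"; do
        # From the container: the packet must enter the host on the VE device.
        echo "iptables -A FORWARD -i $VE_DEV -s $ip -j ACCEPT"
        # To the container: the packet must leave the host on the VE device.
        echo "iptables -A FORWARD -o $VE_DEV -d $ip -j ACCEPT"
    done
}

# Dry run with a constructed documentation address standing in for w.x.y.z.
ve_forward_rules 192.0.2.15
```

Review the printed rules first; piping the output to sh as root on the HN applies them.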