Same problem, but different solution. The two ports were not connected to the same network and needed to appear from the IP address of the virtual machine, so masquerading did not work.
The main issue here is that the OpenVZ container sets the subnet of all of the IPs on venet to 255.255.255.255. There is no preference of one interface. There is no preference on which router it should go through, so it sometimes uses eth0, and sometimes uses eth1. The result was random failures for certain IP addresses when the request went out on the wrong interface.
One solution was to add a route that specified the source like so:
# pin the source address used for each subnet to the matching alias address
ip route add 10.20.0.0/16 dev venet0 src 10.20.0.xxx
# the destination must be the network address, not a host address, for a /24
ip route add a.b.c.0/24 dev venet0 src a.b.c.xxx
I found that the simplest solution for now was to set the subnets just after they've been brought up (on an Ubuntu/Debian container in /etc/network/if-up.d):
#!/bin/sh
# /etc/network/if-up.d hook: ifupdown exports IFACE as the interface just brought up.
# Re-apply the real netmask to each venet alias instead of the /32 OpenVZ assigns.
if [ "$IFACE" = "venet0:1" ]; then
    # alias carrying the internal /16 range
    ifconfig venet0:1 netmask 255.255.0.0 up
fi
if [ "$IFACE" = "venet0:0" ]; then
    # alias carrying the external /24 range
    ifconfig venet0:0 netmask 255.255.255.0 up
fi
exit 0
Both solutions should have the same effect. Both solutions make me a little concerned that when accessing the internet (to update or for DNS), it may unintentionally use the 10.x.x.x address that has no route to the internet. The default route is "default via 192.0.2.1 dev venet0", so I'm not quite sure how it gets there, but it appears to work as intended after several reboots of both the container and the host.
UPDATE
For a more robust solution: I used bash to check the IP and figure out what subnet to add it to.
Ubuntu/Debian (/etc/network/if-up.d):
#!/bin/bash
# ifupdown exports IFACE and IF_ADDRESS (the "address" option of the iface stanza).
# The leading octets of the address decide which subnet the alias belongs to.
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
    echo "AlReece45: $IFACE, IP Address $IF_ADDRESS marked as internal"
    ifconfig "$IFACE" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
    echo "AlReece45: $IFACE, IP address $IF_ADDRESS marked as external"
    ifconfig "$IFACE" netmask 255.255.255.0 up
fi
exit 0
CentOS/Redhat (/sbin/ifup-local):
#!/bin/bash
# /sbin/ifup-local is called by the RHEL network scripts with the device name as $1.
# No IF_ADDRESS is exported here, so the address is read back from ifconfig.
IFACE="$1"
IF_ADDRESS=$(ifconfig "$IFACE" | grep "inet addr" | awk '{print $2}' | cut -d':' -f2)
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
    echo "AlReece45: $IFACE, IP Address $IF_ADDRESS marked as internal"
    ifconfig "$IFACE" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
    echo "AlReece45: $IFACE, IP address $IF_ADDRESS marked as external"
    ifconfig "$IFACE" netmask 255.255.255.0 up
fi
exit 0
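A more general form of the classification in the UPDATE above, added here as an example and not code from the original post: it tests CIDR membership arithmetically instead of comparing a fixed number of leading characters, so the check no longer depends on the digit count of the placeholder octets. The 10.20.0.0/16 internal range is taken from the question; 192.0.2.0/24 is a constructed stand-in for the anonymised external a.b.c.0/24 range, and the function names are my own.

```shell
#!/bin/sh
# Added example: decide an alias's netmask by CIDR membership rather than by string prefix.
# Subnets are constructed placeholders: 10.20.0.0/16 is the internal range from the post,
# 192.0.2.0/24 stands in for the anonymised external a.b.c.0/24 range.
INTERNAL_NET="10.20.0.0/16"
EXTERNAL_NET="192.0.2.0/24"

# ip_to_int 10.20.0.5 -> 169082885 (dotted quad to a 32-bit integer)
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_to_mask 16 -> 4294901760 (0xFFFF0000)
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# int_to_ip 4294901760 -> 255.255.0.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# in_cidr IP NET/PREFIX -> succeeds when IP lies inside the block
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(prefix_to_mask "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# netmask_for IP -> dotted netmask of the subnet IP belongs to; "unknown" (status 1) otherwise
netmask_for() {
    for cidr in "$INTERNAL_NET" "$EXTERNAL_NET"; do
        if in_cidr "$1" "$cidr"; then
            int_to_ip "$(prefix_to_mask "${cidr#*/}")"
            return 0
        fi
    done
    echo unknown
    return 1
}

# Demonstration on constructed addresses: one internal, one external, one in neither range.
for addr in 10.20.3.4 192.0.2.50 172.16.0.1; do
    printf '%s -> %s\n' "$addr" "$(netmask_for "$addr")"
done
```

In the if-up.d hook the ifconfig call becomes `ifconfig "$IFACE" netmask "$(netmask_for "$IF_ADDRESS")" up`, guarded on netmask_for succeeding. An address outside both ranges is deliberately left untouched rather than given a guessed mask: a wrong mask is exactly what sends traffic out the wrong interface in the first place, so the hook should refuse to guess.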
Best Answer
To make the host's IPsec tunnels available to your containers, you need to run this in your container:
This will disable the IPsec policy (SPD) checks on the VZ's interface. This needs to be adapted if veth devices are used in the container.
For more details see: