OpenVZ multiple networks on CTs

networking openvz routing

I have a Hardware Node (HN) which has 2 physical interfaces (eth0, eth1). I'm playing with OpenVZ and want to let my containers (CTs) have access to both of those interfaces. I'm using the basic configuration – venet. The CTs can access eth0 (public interface) fine. But I can't get CTs to get access to eth1 (private network). I tried:

# on HN
vzctl set 101 --ipadd 192.168.1.101 --save
vzctl enter 101
ping 192.168.1.2 # no response here
ifconfig # on CT returns lo (127.0.0.1), venet0 (127.0.0.1), venet0:0 (95.168.xxx.xxx), venet0:1 (192.168.1.101)

I believe that the main problem is that all packets flow through eth0 on HN (figured out using tcpdump). So the problem might be in routes on HN.

Or is my logic here all wrong? I just need access to both interfaces (networks) on HN from CTs. Nothing complicated.

Best Answer

Same problem, but different solution. The two ports were not connected to the same network and needed to appear from the IP address of the virtual machine, so masquerading did not work.

The main issue here is that the OpenVZ container sets the subnet of all of the IPs on venet to 255.255.255.255. There is no preference of one interface. There is no preference on which router it should go through, so it sometimes uses eth0, and sometimes uses eth1. The result was random failures for certain IP addresses when the request goes out on the wrong interface.

One solution was to add a route that specified the source like so:

ip route add 10.20.0.0/16 dev venet0 src 10.20.0.xxx
ip route add a.b.c.241/24 dev venet0 src a.b.c.xxx

I found that the simplest solution for now was to set the subnets just after they've been brought up (on an Ubuntu/Debian container in /etc/network/if-up.d):

#!/bin/sh
if [ "$IFACE" = "venet0:1" ]; then
        ifconfig venet0:1 netmask 255.255.0.0 up
fi
if [ "$IFACE" = "venet0:0" ]; then
        ifconfig venet0:0 netmask 255.255.255.0 up
fi
exit 0

Both solutions should have the same effect. Both solutions make me a little concerned that when accessing the internet (to update or for DNS), it may unintentionally use the 10.x.x.x address that has no route to the internet. The default route is default via 192.0.2.1 dev venet0, so I'm not quite sure how it gets to there, but it appears to work as intended after several reboots of both the container and the host.

UPDATE: For a more robust solution, I used bash to check the IP and figure out what subnet to add it to.

Ubuntu/Debian (/etc/network/if-up.d):

#!/bin/bash
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
        echo "AlReece45: $IFACE, IP Address $IF_ADDRESS marked as internal"
        ifconfig "$IFACE" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
        echo "AlReece45: $IFACE, IP address $IF_ADDRESS marked as external"
        ifconfig "$IFACE" netmask 255.255.255.0 up
fi
exit 0

CentOS/Redhat (/sbin/ifup-local):

#!/bin/bash
IFACE="$1"
# Extract the IPv4 address from the old-style "inet addr:a.b.c.d" ifconfig output
IF_ADDRESS=$(ifconfig "$IFACE" | grep "inet addr" | awk '{print $2}' | cut -d':' -f2)
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
        echo "AlReece45: $1, IP Address $IF_ADDRESS marked as internal"
        ifconfig "$1" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
        echo "AlReece45: $1, IP address $IF_ADDRESS marked as external"
        ifconfig "$1" netmask 255.255.255.0 up
fi
exit 0
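
The scripts above pick the network by comparing a fixed-length string prefix of the address, which only works for masks that end on an octet boundary. The following is an added example, not part of the original answer: it does a real CIDR membership test and prints the source-pinned `ip route add ... src ...` command from the first solution instead of running it. The `NETWORKS` table and the sample addresses are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. NETWORKS is a constructed table; replace with the CT's real networks.
NETWORKS="10.20.0.0/16 198.51.100.128/25"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
# The body is a subshell, so the IFS and globbing changes do not leak out.
ip_to_int() (
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || exit 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP CIDR -> exit status 0 if IP lies inside CIDR
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    ip=$(ip_to_int "$1") && base=$(ip_to_int "$net") || return 1
    [ $(( ip & mask )) -eq $(( base & mask )) ]
}

# route_cmd IP [DEV] -> prints the route that pins IP as the source address
# for the network it belongs to; returns 1 if no network matches.
route_cmd() {
    dev=${2:-venet0}
    for cidr in $NETWORKS; do
        if in_cidr "$1" "$cidr"; then
            echo "ip route add $cidr dev $dev src $1"
            return 0
        fi
    done
    return 1
}

# Dry run over constructed addresses: commands are printed, not executed.
for addr in 10.20.3.7 198.51.100.200 198.51.100.5; do
    route_cmd "$addr" || echo "# $addr: no matching network, left as /32"
done
```

Inside a hook, `route_cmd "$IF_ADDRESS" "$IFACE"` would take the place of the prefix comparison, with the printed command reviewed before it is run as root.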