Home / server / Questions / 550541
Accepted
Vojtěch
Asked: 2013-11-05 04:35:01 +0800 CST

Assigning IPs to OpenVZ containers

  • 772

I have recently bought myself a physical server and I am trying to create containers which would have their IPs.

The physical machine has both IPv4 and IPv6 addresses. I have accessible another IPv4 and some other IPv6 addresses which I would like to assign to the container. I managed to assign the addresses as follows:

# vzctl set 101 --ipadd 144.76.195.252 --save

I can ping to the machine from the physical machine, but not from the outside world. This also applies to the IPv6 I assigned as well.

This is ifconfig of the physical machine:

eth0      Link encap:Ethernet  HWaddr d4:3d:7e:ec:e0:04
          inet addr:144.76.195.232  Bcast:144.76.195.255  Mask:255.255.255.224
          inet6 addr: 2a01:4f8:200:71e7::2/64 Scope:Global
          inet6 addr: fe80::d63d:7eff:feec:e004/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:217895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16779 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:322481419 (307.5 MiB)  TX bytes:1672628 (1.5 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: fe80::1/128 Scope:Link
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1108 (1.0 KiB)  TX bytes:1108 (1.0 KiB)

This is ifconfig of the OpenVZ container:

# ifconfig

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: 2a01:4f8:200:71e7::3/64 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1108 (1.0 KiB)  TX bytes:1108 (1.0 KiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:144.76.195.252  P-t-P:144.76.195.252  Bcast:144.76.195.252  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

What do I need to do to have the container accessible from the outside world? What could I have forgotten?

Thanks.

networking

1 Answers

  1. Best Answer

    Decision about routing or bridging are functional more than technical; there are pros and cons and its a choice. I prefer routing if I have only one interface, because this way let me having a single point of control (the HN) and on it, I can put some iptables or extra-protection for container which are not by default accessible from the Internet. If you prefer routing, you need to make sure the value of net.ipv4.conf.all.forwarding = 1 (run the command sysctl -a | grep forward). If not, echo 1 > /proc/sys/net/ipv4/ip_forward; (but won't survive a reboot) or add the line

    net.ipv4.conf.all.forwarding = 1

    in /etc/sysctl.conf and run sysctl -P after. Usually, one route instead of bridging because it allows NAT, which helps when lacking of IP4 addresses, but this is not your case, you have at least two of them.

    On the other hand, bridging puts your HN and your VPS equal to equal. You can do this directly on the Internet because you seems to have enough IP addresses. You may need then extra protection on each container (iptables on each container and on host for instance).

    To come back to your (routing) problem, if setting ip_forward to 1 does not help; try arp -an (sees if it resolves at this point) from both HN and VPS and tcpdump to get more details, when the packets are lost? at layer 2 or 3?

    About IPv6, I really don't know :/

    • 4