VMmanager OVZ: Networks

From ISPWiki

Venet

VMmanager OVZ uses the network device venet that is created by default by OpenVZ kernel. For more details please refer to the official documentation at https://openvz.org/Venet.

Execute the following command to assign an IP address to a specific container:

vzctl set CTID --ipadd IPaddr --save

This starts the IP-address-adding script that OpenVZ provides for each guest operating system. Currently, IP addresses are added as interface aliases (venet0:0, etc.).

Iptables

The following iptables/ip6tables rules are added while installing VMmanager OVZ and adding cluster nodes on CentOS:

  • packet forwarding is allowed:
 iptables -I FORWARD -p all -j ACCEPT
 ip6tables -I FORWARD -p all -j ACCEPT

Execute the command "iptables -vnL FORWARD" to view current settings:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
43428 2922K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

and "ip6tables -vnL FORWARD":

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

  • NFS (Network File System) ports are accepted:
iptables -I INPUT 1 -p tcp --dport 111 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 111 -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 2049 -j ACCEPT
iptables -I INPUT 4 -p udp --dport 2049 -j ACCEPT

Execute the same commands with ip6tables.

Execute the command "iptables -vnL INPUT" to view current settings:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
    6   504 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 
  141 20272 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2049 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2049 

and "ip6tables -vnL INPUT":

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:111 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                udp dpt:111 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                tcp dpt:2049 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                udp dpt:2049
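
Added audit helper, not part of VMmanager OVZ or the OpenVZ documentation: it parses a saved "iptables -vnL INPUT" / "ip6tables -vnL INPUT" listing (constructed samples below, in the layout shown above), confirms that the four NFS ACCEPT rules are present, and lists which accepted ports are open to any source address. The function names and sample contents are my own; note that ip6tables output lacks the "opt" column, which the parser has to account for.

```sh
#!/bin/sh
# Added audit helper (not part of VMmanager OVZ): parses "iptables -vnL INPUT" /
# "ip6tables -vnL INPUT" listings, verifies the four NFS ACCEPT rules and lists
# accepted ports whose source is any address.
# Constructed sample listings in the layout shown above; note ip6tables omits
# the "opt" ("--") column, which shifts the source column left by one.
SAMPLE_V4='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
    6   504 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
  141 20272 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049
    0     0 ACCEPT     udp  --  *      *       10.0.0.0/24          0.0.0.0/0            udp dpt:2049'
SAMPLE_V6='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:111
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:111
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:2049
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:2049'

# accept_rules LISTING -> one "proto port source" line per ACCEPT rule with a dport match
accept_rules() {
    printf '%s\n' "$1" | awk '
        $3 == "ACCEPT" && $(NF-1) ~ /^(tcp|udp)$/ && $NF ~ /^dpt:/ {
            src = ($5 == "--") ? $8 : $7      # handle the missing opt column
            sub(/^dpt:/, "", $NF)
            print $4, $NF, src
        }'
}

# nfs_rule_count LISTING PROTO PORT -> number of matching ACCEPT rules
nfs_rule_count() {
    accept_rules "$1" | awk -v p="$2" -v d="$3" '$1 == p && $2 == d { n++ } END { print n + 0 }'
}
# check_nfs_rules LISTING -> exit 0 only if tcp/udp 111 and 2049 are all accepted
check_nfs_rules() {
    listing=$1
    for spec in "tcp 111" "udp 111" "tcp 2049" "udp 2049"; do
        set -- $spec
        [ "$(nfs_rule_count "$listing" "$1" "$2")" -ge 1 ] || return 1
    done
}

# world_open_ports LISTING -> "proto/port" for rules accepting from 0.0.0.0/0 or ::/0
world_open_ports() {
    accept_rules "$1" | awk '$3 == "0.0.0.0/0" || $3 == "::/0" { print $1 "/" $2 }'
}
check_nfs_rules "$SAMPLE_V4" && echo "IPv4: all NFS rules present"
world_open_ports "$SAMPLE_V4"
```

On a real node, feed the live output in with `world_open_ports "$(iptables -vnL INPUT)"` to see which ports are reachable from every source.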

Private addresses on containers

1) Use addresses from one network on the containers and the host node. To reach the container network from the host node (and vice versa), both must use addresses from the same subnet. If you use private addresses on containers, add an address from that same network to the host node. On our CentOS test server we created a separate /etc/sysconfig/network-scripts/ifcfg-eth0:0 file specifying the address, mask, and gateway.

2) If you use iptables: when containers have private addresses and you want to give them access to the Internet, you have to configure SNAT; for access from the Internet to a container, configure DNAT. More information is available in the OpenVZ documentation at https://openvz.org/Nat

For SNAT, use the POSTROUTING chain:

 iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address

where src_net is the container address (or network) and ip_address is the host node address.

For DNAT, use the PREROUTING chain:

 iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num -i eth0 -j DNAT --to-destination ve_address:dst_port_num

where ve_address is the container address, dst_port_num is the port on which the published service listens inside the container, ip_address is the host node address, and port_num is the host node port that is redirected to the container (warning: if a service on the host node already uses this port, that service will become unavailable).