[Users] vlan and bridge network interface in openVZ/virtuozzo 7 + preventpromisc + vzctl netif_add

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Mon Nov 7 13:36:42 PST 2016


hello,

your sample command misses the CT name after the "set" I guess ?
so I added it as follows:

# vzctl set CTprobe --netif_add eth2 --host_ifname em3
Configure veth device(s): eth2
ioctl SIOCSVENET em3: Opération non supportée
WARNING: Settings were not saved. On next start the original values will 
be applied. Use --save to save the settings in the configuration file.

Something is wrong ... em3 is the host's real source of the Cisco mirrored
port; eth2 is the 2nd interface I want to add to my CT.
Did I miss something?

thanks .

On 07/11/2016 08:07, Vasily Averin wrote:
> Dear Jehan,
> fyi: I've moved physical device into container by using command
> vzctl set --netif_add eth0 --host_ifname eth0
>
> On 07.11.2016 09:08, Vasily Averin wrote:
>> Dear Jehan,
>>
>> probably you can tune bridge somehow.
>> alternatively you can move physical device into container's network namespace.
>>
>> I need to clarify whether it is implemented in Virtuozzo SDK or prlctl;
>> however, even if it is not ready yet, you can try to use the following command on the host after starting the container.
>>
>> ip link set ethX netns <CTid>
>>
>> At first glance this should work; however, we have not tested it.
>> I expect the interface should be moved back to host after CT stop,
>> but probably some additional actions will be required here too.
>>
>> Please let us know about any results of your experiments.
>>
>> Thank you,
>> 	Vasily Averin
>>
>> On 04.11.2016 00:07, Jehan Procaccia wrote:
>>> ok, then how can I have a VM or CT that acts as a probe and receives all traffic from a mirror WAN router interface?
>>> is there a way to bypass a bridge, by plugging the physical interface
>>> that receives all mirrored traffic directly into the VM/CT? is it
>>> possible?
>>>
>>> Thanks .
>>>
>>> On 02/11/2016 18:33, Vasily Averin wrote:
>>>> Dear Jehan,
>>>> as far as I understand, incoming packets are filtered by the bridge:
>>>> it has a list of known MAC addresses and forwards external packets to an internal interface:
>>>> broadcasts and packets addressed to MACs related to the given interface.
>>>>
>>>> brctl showmacs brX
>>>>
>>>> So the settings of CT/VM interfaces are not taken into account at this stage.
>>>>
>>>> Thank you,
>>>>      Vasily Averin
>>>>
>>>> On 02.11.2016 13:56, Jehan Procaccia wrote:
>>>>> Hello
>>>>>
>>>>> I am still blocked on setting *preventpromisc=off* in my CT.
>>>>> I did ask for it:
>>>>>
>>>>> # prlctl set CTprobe --device-set net1 --preventpromisc no
>>>>>
>>>>> no way, preventpromisc keeps being set to on
>>>>>
>>>>>    [host]# prlctl list -if CTprobe  | grep net1
>>>>>
>>>>>           net1 (+) dev='veth42ba2f55' ifname='eth1' network='probenet'
>>>>>         mac=001C42BA2F45 *preventpromisc=on* mac_filter=off
>>>>>         ip_filter=off nameservers= searchdomains=
>>>>>
>>>>> Vasily, when you said:
>>>>>
>>>>>    19/10/2016 11:29, Vasily Averin wrote :
>>>>> from man prlctl  ("set" section)
>>>>>
>>>>>              preventpromisc:  determines  if the specified network adapter should reject packages not addressed
>>>>>              to its virtual environment. If set to "yes", the adapter will drop packages not addressed  to  its
>>>>>              virtual environment.
>>>>>
>>>>> *In pcs6 it affected VMs only*, and at present I'm not sure whether it was fully integrated into vz7 or not.
>>>>>
>>>>>
>>>>> could it be that it is not integrated in vz7 ? or perhaps not in CT, but could work in VM ?
>>>>>
>>>>> regards .
>>>>>
>>>>>
>>>>> On 19/10/2016 17:27, Jehan Procaccia wrote:
>>>>>> I expect to see all traffic mirrored from our edge router (Cisco) to the WAN, indeed not traffic with source and destination of my CT!
>>>>>>
>>>>>> That CTprobe has been transferred from an openvz6 host to that new openvz7.
>>>>>> On the vz6 there was no bridge; the host eth1 interface was directly mounted/assigned to the CT, like this
>>>>>>
>>>>>> NETIF="ifname=eth0,bridge=br0.11,mac=00:18:51:1B:26:98,host_ifname=veth11030.0,host_mac=00:18:51:E6:D6:45"
>>>>>> *NETDEV="eth1"*
>>>>>>
>>>>>> yes, on the host side, either on the physical interface (em3) directly plugged into the mirrored port on the Cisco or on the associated bridge (brs0), I do see all in/out traffic of all users
>>>>>> [host] # tcpdump -i em3 -n
>>>>>> 10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
>>>>>> [host]# brctl show
>>>>>> brs0        8000.14187769840c    no        em3
>>>>>>                                            veth42ba2f55
>>>>>>
>>>>>> [host] # prlsrvctl net list
>>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>>> Host-Only         host-only                virbr0
>>>>>> probenet          bridged   em3            brs0           veth42ba2f55
>>>>>> but neither on the host nor in the CT can I see all traffic, only protocol/broadcast or xcast; it seems as if traffic is filtered ...?
>>>>>>
>>>>>> examples
>>>>>>
>>>>>> [host] # tcpdump -i veth42ba2f55 -n
>>>>>> tcpdump: WARNING: veth42ba2f55: no IPv4 address assigned
>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>>> listening on veth42ba2f55, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>>>> 17:17:34.279194 ARP, Request who-has 193.51.41.10 tell 193.51.41.1, length 46
>>>>>> 17:17:34.343210 ARP, Request who-has 193.51.41.43 tell 193.51.41.1, length 46
>>>>>> 17:17:34.451152 IP 193.51.41.36.hsrp > 224.0.0.102.hsrp: HSRPv1
>>>>>>
>>>>>> CT-11030 /# tcpdump -i eth1 -n
>>>>>> tcpdump: WARNING: eth1: no IPv4 address assigned
>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>>> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
>>>>>> 17:19:00.184782 arp who-has 193.51.41.34 tell 193.51.41.1
>>>>>> 17:19:00.296277 802.1d config 8001.00:26:99:64:c0:80.9688 root 8001.00:21:56:1c:3f:80 pathcost 1 age 1 max 20 hello 2 fdelay 15
>>>>>> 17:19:00.296641 00:25:84:f1:3f:9b > 01:00:0c:cc:cc:cd SNAP Unnumbered, ui, Flags [Command], length 50
>>>>>> 17:19:00.370773 arp who-has 193.51.41.42 tell 193.51.41.1
>>>>>>
>>>>>> [host]# prlctl list -if CTprobe  | grep net1
>>>>>>     net1 (+) dev='veth42ba2f55' ifname='eth1' network='probenet' mac=001C42BA2F45 *preventpromisc=on* mac_filter=off ip_filter=off nameservers= searchdomains=
>>>>>>
>>>>>> is the preventpromisc=on my problem? how do I change it to off,
>>>>>> as
>>>>>> # prlctl set CTprobe --device-set net1 --preventpromisc no
>>>>>> doesn't work?
>>>>>>
>>>>>> regards .
>>>>>>
>>>>>>
>>>>>> On 19/10/2016 14:33, Vasily Averin wrote:
>>>>>>> Dear Jehan,
>>>>>>>
>>>>>>> could you please clarify, which kind of traffic you expect to see inside container ?
>>>>>>> Are you sure it is present on the host side on the corresponding vethX interface?
>>>>>>>
>>>>>>> I think the bridge on the host may not route alien traffic to this interface.
>>>>>>> IIRC there is some bridge setting that enables "promisc" mode,
>>>>>>> but by default the bridge does not route all traffic to all attached interfaces.
>>>>>>>
>>>>>>> Thank you,
>>>>>>>      Vasily Averin
>>>>>>> On 19.10.2016 13:16, Jehan Procaccia wrote:
>>>>>>>> indeed macfilter, ipfilter and preventpromisc were set to "on"
>>>>>>>>
>>>>>>>> # prlctl list -if CTprobe  | grep net
>>>>>>>>     venet0 (+) type='routed'
>>>>>>>>     net0 (+) dev='veth11030.0' ifname='eth0' network='vlan11' mac=0018511B4688 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains= ips='192.168.11.30/255.255.255.0 '
>>>>>>>>    *net1 (+) dev='veth42ba2f55' ifname='eth1' network='sondereve' mac=001C42BA2F45 preventpromisc=on mac_filter=on ip_filter=on* nameservers= searchdomains=
>>>>>>>>
>>>>>>>> I set them to "no"
>>>>>>>>
>>>>>>>> # prlctl set CTprobe --device-set net1 --ipfilter no
>>>>>>>> # prlctl set CTprobe --device-set net1 --preventpromisc no
>>>>>>>> # prlctl set CTprobe --device-set net1 --macfilter no
>>>>>>>>
>>>>>>>> now they are off, except preventpromisc, which keeps being set to on?
>>>>>>>>
>>>>>>>> # prlctl list -if CTprobe  | grep net1
>>>>>>>> net1 (+) dev='veth42ba2f55' ifname='eth1' network='sondereve' mac=001C42BA2F45 *preventpromisc=on* mac_filter=off ip_filter=off nameservers= searchdomains=
>>>>>>>>
>>>>>>>> I cannot set it to off !?
>>>>>>>> I did edit the CTprobe /etc/vz/conf/ file explicitly adding mac_filter=off,ip_filter=off,*preventpromisc=off*
>>>>>>>>
>>>>>>>> no way, my eth1 container interface only sees filtered traffic.
>>>>>>>>
>>>>>>>> I did nothing regarding the attached bridge (em3 -> *brs0* -> veth42ba2f55), as I don't see any "mac-filter" in the vzctl command help (only netfilter, not mac)
>>>>>>>> # vzctl --help | grep filter
>>>>>>>>      [--netfilter <disabled|stateless|stateful|full>]
>>>>>>>>
>>>>>>>> is it the preventpromisc=off "bug" that drops packets, or the mac-filter on the bridge which might not be set?
>>>>>>>> indeed it seems as if the container's current config drops packets that are not addressed to it; for a probe it is a problem, as by definition for a probe packets are not addressed to it!
>>>>>>>>
>>>>>>>> regards .
>>>>>>>>
>>>>>>>>
>>>>>>>> On 19/10/2016 11:29, Vasily Averin wrote:
>>>>>>>>> Dear Jehan,
>>>>>>>>>
>>>>>>>>> 1)
>>>>>>>>> # prlctl list -if vvs.vz7.kdev  | grep net0
>>>>>>>>>     net0 (+) dev='veth5147a7b3' ifname='eth0' network='Bridged' mac=00185147A7B3 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains= dhcp='yes'
>>>>>>>>>
>>>>>>>>> from man prlctl  ("set" section)
>>>>>>>>>              ipfilter:  determines if the specified network adapter is configured to filter network packages by
>>>>>>>>>              IP address. If set to "yes", the adapter is allowed to send packages only from IPs in the  network
>>>>>>>>>              adapter's IP addresses list.
>>>>>>>>>              macfilter: determines if the specified network adapter is configured to filter network packages by
>>>>>>>>>              MAC address. If set to "yes", the adapter is allowed to  send  packages  only  from  its  own  MAC
>>>>>>>>>              address.
>>>>>>>>>              preventpromisc:  determines  if the specified network adapter should reject packages not addressed
>>>>>>>>>              to its virtual environment. If set to "yes", the adapter will drop packages not addressed  to  its
>>>>>>>>>              virtual environment.
>>>>>>>>>
>>>>>>>>> In pcs6 it affected VMs only, and at present I'm not sure whether it was fully integrated into vz7 or not.
>>>>>>>>>
>>>>>>>>> 2) vzctl also has a filter setting for bridged interfaces
>>>>>>>>> man vzctl:
>>>>>>>>>      --mac_filter  on|off  -  enable/disable  packets filtering by MAC address and MAC changing on veth
>>>>>>>>>              device inside CT.
>>>>>>>>>
>>>>>>>>> Thank you,
>>>>>>>>>      Vasily Averin
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 19.10.2016 12:05, Jehan Procaccia wrote:
>>>>>>>>>> Hello
>>>>>>>>>>
>>>>>>>>>> I'm back to my vlan/bridge/vm-interface ...
>>>>>>>>>> although it works fine for my containers' primary interfaces (eth0),
>>>>>>>>>> I have a specific container that has 2 interfaces, the second being for a probe on the network (tcpdump, snort etc ...)
>>>>>>>>>> unfortunately only minimal traffic seems to be forwarded into the container on that second interface, not all; I do see the whole traffic within the physical interface and its bridge on the physical host, but not on the veth into the CT!?
>>>>>>>>>>
>>>>>>>>>> here's the physical and config situation: on the physical host I plug the cisco mirrored outbound/Wan interface to em3 (physical interface on the host)
>>>>>>>>>>
>>>>>>>>>> I created a virtual network for that probe attached to em3 and associated to bridge brs0
>>>>>>>>>>
>>>>>>>>>> # prlsrvctl net add probenet --type bridged --ifname em3
>>>>>>>>>> # prlsrvctl net list
>>>>>>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>>>>>>> Host-Only         host-only                virbr0
>>>>>>>>>> *probenet         bridged   em3            brs0           veth42ba2f55   *
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>> my CT 2nd interface (eth1, eth0 being the 1st one) is attached to that network
>>>>>>>>>>    # prlctl set CTprobe --netif_add eth1
>>>>>>>>>> # prlctl set CTprobe --ifname eth1 --network probenet
>>>>>>>>>>
>>>>>>>>>> my problem is that a tcpdump -i em3 or brs0 on the physical host does show all traffic on my outbound Cisco WAN mirrored interface
>>>>>>>>>> here is a very small sample (hundreds of packets per second ...)
>>>>>>>>>> # tcpdump -i brs0 -n
>>>>>>>>>> 10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
>>>>>>>>>> 10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
>>>>>>>>>> 10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
>>>>>>>>>> 10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
>>>>>>>>>> 10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46
>>>>>>>>>>
>>>>>>>>>> if I do the same tcpdump -i veth42ba2f55 or inside the CTprobe -i eth1, only protocol traffic seems to pass through (STP, ARP, HSRP...), no user payload (https, ssh etc ...), and only a dozen packets per second (there were hundreds on brs0 or em3)
>>>>>>>>>>
>>>>>>>>>> # tcpdump -i veth42ba2f55 -n
>>>>>>>>>> 10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
>>>>>>>>>> 10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
>>>>>>>>>> 10:45:31.281744 ARP, Request who-has 193.157.41.17 tell 193.157.41.1, length 46
>>>>>>>>>> 10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
>>>>>>>>>> 10:45:31.383549 ARP, Request who-has 193.157.41.31 tell 193.157.41.1, length 46
>>>>>>>>>> 10:45:31.456594 ARP, Request who-has 193.157.41.34 tell 193.157.41.1, length 46
>>>>>>>>>> 10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id 89ce.00:20:56:1e:a6:80.8040, length 42
>>>>>>>>>> 10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id 8168.00:20:56:1e:a6:80.8040, length 42
>>>>>>>>>> 10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id 89da.00:20:56:1e:a6:80.8040, length 42
>>>>>>>>>> 10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id 89cf.00:20:56:1e:a6:80.8040, length 42
>>>>>>>>>> 10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
>>>>>>>>>> 10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id 89d0.00:20:56:1e:a6:80.8040, length 42
>>>>>>>>>> 10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405
>>>>>>>>>>
>>>>>>>>>> Is the CT veth filtering traffic? or can it not cope with the volume?
>>>>>>>>>> it is strange though that no payload/user traffic, only protocol (Xcast/broadcast ?) traffic, passes from brs0 to veth42ba2f55 or inside the CTprobe eth1
>>>>>>>>>> Am I missing a "capability"?
>>>>>>>>>>
>>>>>>>>>> Regards .
>>>>>>>>>>
>>>>>>>>>> On 10/10/2016 21:24, Jehan Procaccia wrote:
>>>>>>>>>>> Indeed !
>>>>>>>>>>> that was that last setting missing:
>>>>>>>>>>>
>>>>>>>>>>> prlctl set MyCT11 --ifname eth0 --network vlan11
>>>>>>>>>>>
>>>>>>>>>>> now vlans work fine
>>>>>>>>>>> Just note that I had to add NM_CONTROLLED="no" to all my ifcfg-xxx definition files, otherwise network restart failed to start them
>>>>>>>>>>>
>>>>>>>>>>> regards .
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 10/10/2016 09:12, Vasily Averin wrote:
>>>>>>>>>>>> Dear Jehan,
>>>>>>>>>>>>
>>>>>>>>>>>> Virtuozzo 7 has nice documentation on docs.virtuozzo.com
>>>>>>>>>>>>
>>>>>>>>>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge
>>>>>>>>>>>>
>>>>>>>>>>>> in your case you need to bind the container interface to the newly created bridge by using the following command:
>>>>>>>>>>>>
>>>>>>>>>>>> prlctl set MyCT11 --ifname eth0 --network vlan11
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>       Vasily Averin
>>>>>>>>>>>>
>>>>>>>>>>>> On 09.10.2016 22:37, Jehan Procaccia wrote:
>>>>>>>>>>>>> I found a method to configure bridge and vlan based on RHEL docs :
>>>>>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> in order not to mess with the current config automatically configured by the virtuozzo7 installer on em1 and em2 with respective bridges br0 and br1, I plugged a 3rd interface on the server (fiber) p2p2 :
>>>>>>>>>>>>>
>>>>>>>>>>>>> [network-scripts]# cat ifcfg-p2p2
>>>>>>>>>>>>> TYPE=Ethernet
>>>>>>>>>>>>> BOOTPROTO=none
>>>>>>>>>>>>> NAME=p2p2
>>>>>>>>>>>>> UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
>>>>>>>>>>>>> DEVICE=p2p2
>>>>>>>>>>>>> ONBOOT=yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> then the associated subinterface for vlan11 as described in RHEL7 doc
>>>>>>>>>>>>>
>>>>>>>>>>>>> # cat ifcfg-p2p2.11
>>>>>>>>>>>>> DEVICE=p2p2.11
>>>>>>>>>>>>> BOOTPROTO=none
>>>>>>>>>>>>> ONBOOT=yes
>>>>>>>>>>>>> VLAN=yes
>>>>>>>>>>>>> BRIDGE="br11"
>>>>>>>>>>>>>
>>>>>>>>>>>>> and finally the bridge for that vlan
>>>>>>>>>>>>>
>>>>>>>>>>>>> # cat ifcfg-br11
>>>>>>>>>>>>> DEVICE="br11"
>>>>>>>>>>>>> NAME="p2p2.11"
>>>>>>>>>>>>> ONBOOT=yes
>>>>>>>>>>>>> NETBOOT=yes
>>>>>>>>>>>>> IPV6INIT=yes
>>>>>>>>>>>>> BOOTPROTO=dhcp
>>>>>>>>>>>>> TYPE="Bridge"
>>>>>>>>>>>>> DELAY="2"
>>>>>>>>>>>>> STP="off"
>>>>>>>>>>>>>
>>>>>>>>>>>>> # ip -d link show p2p2.11
>>>>>>>>>>>>> 41: p2p2.11@p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br11 state UP mode DEFAULT
>>>>>>>>>>>>>        link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 1
>>>>>>>>>>>>>        vlan protocol 802.1Q id 11 <REORDER_HDR> addrgenmode none
>>>>>>>>>>>>>
>>>>>>>>>>>>> # ip -d link show br11
>>>>>>>>>>>>> 42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
>>>>>>>>>>>>>        link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 0
>>>>>>>>>>>>>        bridge addrgenmode none
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Now I can add my virtual network attached to the p2p2.11 interface (or should I have chosen br11 !?)
>>>>>>>>>>>>>
>>>>>>>>>>>>> #  prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
>>>>>>>>>>>>> # prlsrvctl net list
>>>>>>>>>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>>>>>>>>>> Bridged           bridged   em2            br1
>>>>>>>>>>>>> Host-Only         host-only                virbr0
>>>>>>>>>>>>> vlan11            bridged   p2p2.11        br11
>>>>>>>>>>>>>
>>>>>>>>>>>>> # brctl show
>>>>>>>>>>>>> bridge name    bridge id        STP enabled    interfaces
>>>>>>>>>>>>> br0        8000.14187769840a    yes        em1
>>>>>>>>>>>>> br1        8000.14187769840b    no        em2
>>>>>>>>>>>>> br11        8000.f4e9d495c432    no        p2p2.11
>>>>>>>>>>>>> host-routed        8000.000000000000    no
>>>>>>>>>>>>> virbr0        8000.52540064dd31    no        virbr0-nic
>>>>>>>>>>>>>
>>>>>>>>>>>>> create a container MyCT11
>>>>>>>>>>>>> # prlctl create MyCT11 --vmtype ct
>>>>>>>>>>>>> ...
>>>>>>>>>>>>> Processing metadata for centos-7-x86_64
>>>>>>>>>>>>> ...The Container has been successfully created.
>>>>>>>>>>>>>
>>>>>>>>>>>>> now I add an interface to my CT so that it will be in vlan11
>>>>>>>>>>>>>
>>>>>>>>>>>>> # prlctl set MyCT11 --netif_add eth0
>>>>>>>>>>>>> # prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
>>>>>>>>>>>>> # prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1
>>>>>>>>>>>>>
>>>>>>>>>>>>> entering the CT and pinging the gateway unfortunately fails
>>>>>>>>>>>>>
>>>>>>>>>>>>> CT-bad098d8 /# ping 192.168.11.1
>>>>>>>>>>>>> PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
>>>>>>>>>>>>> ^C
>>>>>>>>>>>>> --- 192.168.11.1 ping statistics ---
>>>>>>>>>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> the problem seems to be that the new CT is attached to another bridge
>>>>>>>>>>>>>
>>>>>>>>>>>>> # prlsrvctl net list
>>>>>>>>>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>>>>>>>>>> Bridged           bridged   em2            br1            veth4250fe85
>>>>>>>>>>>>> Host-Only         host-only                virbr0
>>>>>>>>>>>>> vlan11            bridged   p2p2.11        br11
>>>>>>>>>>>>>
>>>>>>>>>>>>> not to vlan11 network on br11
>>>>>>>>>>>>>
>>>>>>>>>>>>> I guess I missed something, where did I go wrong?
>>>>>>>>>>>>> anyone has a full scenario to enable vlan through bridge mode in CT (and VM) ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> regards .
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/10/2016 19:22, Jehan Procaccia wrote:
>>>>>>>>>>>>>> hello
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> based on  https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html
>>>>>>>>>>>>>> it is not clear to me how to create virtual networks associated to  vlans ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On a freshly installed Virtuozzo Linux release 7.2 (3515) on a host with 2 activated interfaces (em1 and em2) in trunk mode (Cisco terminology: switchport trunk, allowed vlan 10,11,12, native 10) I cannot find out how to create networks dedicated to a vlan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I tried :
>>>>>>>>>>>>>> # prlsrvctl net add vlan11 --type bridged --ifname em2
>>>>>>>>>>>>>> Failed to add Virtual Network vlan11: This network adapter is already in use. Please select another network adapter and try again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I suspect that because em2 is already bridged to br1, it cannot be bridged anymore?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Or should I create a /etc/sysconfig/network-scripts/ifcfg-em2.11 to have an interface dedicated to vlan11 :
>>>>>>>>>>>>>> # cat ifcfg-em2.11
>>>>>>>>>>>>>> DEVICE=em2.11
>>>>>>>>>>>>>> ONBOOT=yes
>>>>>>>>>>>>>> TYPE=Ethernet
>>>>>>>>>>>>>> BOOTPROTO=none
>>>>>>>>>>>>>> VLAN=yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> and then try: prlsrvctl net add vlan11 --type bridged --ifname em2.11 ?
>>>>>>>>>>>>>> unfortunately, after systemctl restart network, the system complains with :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Bringing up interface em2.11:  Error: Connection activation failed: No suitable device found for this connection.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> has anyone succeeded in configuring CT and VM attached to a vlan (in bridge mode, as I want a full-featured network with multicast/broadcast)?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PS : few more information of the actual network config on the system :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # ip addr | grep LOWER_UP
>>>>>>>>>>>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>>>>>>>>>>>>>> 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
>>>>>>>>>>>>>> 3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br1 state UP qlen 1000
>>>>>>>>>>>>>> 8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>>>>>>>>>>>>>> 22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>>>>>>>>>>>>> 23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # prlsrvctl net list
>>>>>>>>>>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>>>>>>>>>>> Bridged           bridged   em2            br1
>>>>>>>>>>>>>> Host-Only         host-only                virbr0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> it is strange that em1 and br0 don't show up here !?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # brctl show
>>>>>>>>>>>>>> bridge name    bridge id        STP enabled    interfaces
>>>>>>>>>>>>>> br0        8000.14187769840a    no        em1
>>>>>>>>>>>>>> br1        8000.14187769840b    no        em2
>>>>>>>>>>>>>> host-routed        8000.000000000000    no
>>>>>>>>>>>>>> virbr0        8000.52540064dd31    no        virbr0-nic
>>>>>>>>>>>>>> virbr2        8000.52540085818e    no        virbr2-nic
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Users mailing list
>>>>>>>>>>>>>> Users at openvz.org
>>>>>>>>>>>>>> https://lists.openvz.org/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/users/attachments/20161107/74d9d7d6/attachment-0001.html>
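
The bridge behaviour Vasily describes in the thread (only broadcasts and frames for known MACs reach the container's veth) can be reproduced with a small model of a learning bridge fed by a mirror port. This is an added example, not part of the original thread and not Virtuozzo or kernel code: the interface names come from the thread, the MAC addresses and frame list are constructed, and the `learning=False` case is an assumed hub-like bridge tuning that the thread does not confirm.

```python
"""Model of a learning bridge receiving mirrored (SPAN) traffic on one port."""

PROBE_PORT = "veth42ba2f55"   # CT side of the bridge (name from the thread)
MIRROR_PORT = "em3"           # host NIC plugged into the mirrored switch port

# Constructed sample addresses (00:00:5e:00:53:xx is a documentation range).
ROUTER = "00:00:5e:00:53:01"
CLIENT = "00:00:5e:00:53:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"
HSRP_GROUP = "01:00:5e:00:00:66"   # multicast MAC for 224.0.0.102

# Constructed frames, all arriving on the mirror port: (label, src, dst).
FRAMES = [
    ("arp-request", ROUTER, BROADCAST),
    ("https client->server", CLIENT, ROUTER),
    ("https server->client", ROUTER, CLIENT),
    ("hsrp-hello", ROUTER, HSRP_GROUP),
    ("ssh client->server", CLIENT, ROUTER),
]


def is_group(mac):
    """Broadcast/multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningBridge:
    def __init__(self, ports, learning=True):
        self.ports = list(ports)
        self.learning = learning
        self.fdb = {}  # MAC -> port on which it was last seen as a source

    def receive(self, in_port, src, dst):
        """Return the ports a frame received on in_port is forwarded to."""
        if self.learning and not is_group(src):
            self.fdb[src] = in_port
        others = [p for p in self.ports if p != in_port]
        if is_group(dst):
            return others        # broadcast/multicast is flooded
        out = self.fdb.get(dst)
        if out is None:
            return others        # unknown unicast is flooded
        if out == in_port:
            return []            # destination is behind the ingress port: drop
        return [out]


def probe_view(frames, learning=True):
    """Labels of the frames that reach the probe's veth."""
    bridge = LearningBridge([MIRROR_PORT, PROBE_PORT], learning=learning)
    return [label for label, src, dst in frames
            if PROBE_PORT in bridge.receive(MIRROR_PORT, src, dst)]


if __name__ == "__main__":
    # Both directions of a mirrored conversation enter on em3, so every
    # unicast MAC is learned there and unicast frames never leave em3.
    print("learning on :", probe_view(FRAMES))
    # Assumption: a bridge that does not learn floods everything, like a hub.
    print("learning off:", probe_view(FRAMES, learning=False))
```

With learning enabled the probe receives only the ARP and HSRP frames, matching the tcpdump output on veth42ba2f55 quoted in the thread.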

