[Users] vlan and bridge network interface in openVZ/virtuozzo 7

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Wed Oct 19 02:05:25 PDT 2016


Hello

I'm back to my vlan/bridge/vm-interface ...
Although it works fine for my containers' primary interfaces (eth0),
I have a specific container that has 2 interfaces, the second being for
a probe on the network (tcpdump, snort etc.).
Unfortunately only minimal traffic seems to be forwarded into the
container on that second interface, not all of it. I do see the whole traffic
on the physical interface and its bridge on the physical host, but
not on the veth into the CT !?

Here's the physical and config situation: on the physical host I plug
the Cisco mirrored outbound/WAN interface into em3 (physical interface on
the host).

I created a virtual network for that probe attached to em3 and
associated with bridge brs0:

# prlsrvctl net add probenet --type bridged --ifname em3
# prlsrvctl net list
Network ID        Type      Bound To       Bridge         Slave interfaces
Host-Only         host-only                virbr0
probenet          bridged   em3            brs0           veth42ba2f55
...

My CT's 2nd interface (eth1, eth0 being the 1st one) is attached to that
network:

# prlctl set CTprobe --netif_add eth1
# prlctl set CTprobe --ifname eth1 --network probenet

My problem is that a tcpdump -i em3 or brs0 on the physical host does show
all traffic on my outbound Cisco WAN mirrored interface.
Here is a very small sample (hundreds of packets per second ...):
# tcpdump -i brs0 -n
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46

If I do the same tcpdump -i veth42ba2f55, or inside the CTprobe with -i eth1,
only protocol traffic seems to pass through (STP, ARP, HSRP...), no user
payload (https, ssh etc.), and only a dozen packets per second
(there were hundreds on brs0 or em3):

# tcpdump -i veth42ba2f55 -n
10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
10:45:31.281744 ARP, Request who-has 193.157.41.17 tell 193.157.41.1, length 46
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
10:45:31.383549 ARP, Request who-has 193.157.41.31 tell 193.157.41.1, length 46
10:45:31.456594 ARP, Request who-has 193.157.41.34 tell 193.157.41.1, length 46
10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id 89ce.00:20:56:1e:a6:80.8040, length 42
10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id 8168.00:20:56:1e:a6:80.8040, length 42
10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id 89da.00:20:56:1e:a6:80.8040, length 42
10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id 89cf.00:20:56:1e:a6:80.8040, length 42
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id 89d0.00:20:56:1e:a6:80.8040, length 42
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405

Is the CT veth filtering traffic? Or can it not cope with the volume?
It is strange though that no payload/user traffic, only protocol
(Xcast/broadcast?) traffic, passes from brs0 to veth42ba2f55 or inside the
CTprobe eth1.
Am I missing a "capability"?

Regards .

On 10/10/2016 21:24, Jehan Procaccia wrote:
> Indeed !
> that was the last missing setting:
>
> prlctl set MyCT11 --ifname eth0 --network vlan11
>
> now vlans work fine
> Just note that I had to add NM_CONTROLLED="no" to all my ifcfg-xxx
> definition files, otherwise network restart failed to start them
>
> regards .
>
>
>
> On 10/10/2016 09:12, Vasily Averin wrote:
>> Dear Jehan,
>>
>> Virtuozzo 7 has nice documentation on docs.virtuozzo.com
>>
>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge 
>>
>>
>> in your case you need to bind the container interface to the newly-created
>> bridge by using the following command:
>>
>> prlctl set MyCT11 --ifname eth0 --network vlan11
>>
>> Thank you,
>>     Vasily Averin
>>
>> On 09.10.2016 22:37, Jehan Procaccia wrote:
>>> I found a method to configure bridge and vlan based on RHEL docs :
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html 
>>>
>>>
>>> in order not to mess with the current config automatically configured by
>>> the virtuozzo7 installer on em1 and em2 with respective bridges br0 and
>>> br1, I plugged a 3rd interface on the server (fiber) p2p2:
>>>
>>> [network-scripts]# cat ifcfg-p2p2
>>> TYPE=Ethernet
>>> BOOTPROTO=none
>>> NAME=p2p2
>>> UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
>>> DEVICE=p2p2
>>> ONBOOT=yes
>>>
>>> then the associated subinterface for vlan11 as described in the RHEL7 doc
>>>
>>> # cat ifcfg-p2p2.11
>>> DEVICE=p2p2.11
>>> BOOTPROTO=none
>>> ONBOOT=yes
>>> VLAN=yes
>>> BRIDGE="br11"
>>>
>>> and finally the bridge for that vlan
>>>
>>> # cat ifcfg-br11
>>> DEVICE="br11"
>>> NAME="p2p2.11"
>>> ONBOOT=yes
>>> NETBOOT=yes
>>> IPV6INIT=yes
>>> BOOTPROTO=dhcp
>>> TYPE="Bridge"
>>> DELAY="2"
>>> STP="off"
>>>
>>> # ip -d link show p2p2.11
>>> 41: p2p2.11@p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br11 state UP mode DEFAULT
>>>     link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 1
>>>     vlan protocol 802.1Q id 11 <REORDER_HDR> addrgenmode none
>>>
>>> # ip -d link show br11
>>> 42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
>>>     link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 0
>>>     bridge addrgenmode none
>>>
>>>
>>> Now I can add my virtual network attached to the p2p2.11 interface
>>> (or should I have chosen br11 !?)
>>>
>>> # prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
>>> # prlsrvctl net list
>>> Network ID        Type      Bound To       Bridge Slave interfaces
>>> Bridged           bridged   em2            br1
>>> Host-Only         host-only                virbr0
>>> vlan11            bridged   p2p2.11        br11
>>>
>>> # brctl show
>>> bridge name    bridge id        STP enabled    interfaces
>>> br0        8000.14187769840a    yes        em1
>>> br1        8000.14187769840b    no        em2
>>> br11        8000.f4e9d495c432    no        p2p2.11
>>> host-routed        8000.000000000000    no
>>> virbr0        8000.52540064dd31    no        virbr0-nic
>>>
>>> create a container MyCT11
>>> # prlctl create MyCT11 --vmtype ct
>>> ...
>>> Processing metadata for centos-7-x86_64
>>> ...The Container has been successfully created.
>>>
>>> now I add an interface to my CT so that it will be in vlan11
>>>
>>> # prlctl set MyCT11 --netif_add eth0
>>> # prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
>>> # prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1
>>>
>>> Entering the CT and pinging the gateway unfortunately fails:
>>>
>>> CT-bad098d8 /# ping 192.168.11.1
>>> PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
>>> ^C
>>> --- 192.168.11.1 ping statistics ---
>>> 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
>>>
>>>
>>> The problem seems to be that the new CT is attached to another bridge,
>>>
>>> # prlsrvctl net list
>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>> Bridged           bridged   em2            br1            veth4250fe85
>>> Host-Only         host-only                virbr0
>>> vlan11            bridged   p2p2.11        br11
>>>
>>> not to the vlan11 network on br11.
>>>
>>> I guess I missed something, where did I go wrong?
>>> Does anyone have a full scenario to enable vlan through bridge mode in a CT
>>> (and VM)?
>>>
>>> regards .
>>>
>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html 
>>>
>>>
>>> On 07/10/2016 19:22, Jehan Procaccia wrote:
>>>> hello
>>>>
>>>> based on
>>>> https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html
>>>> it is not clear to me how to create virtual networks associated with
>>>> vlans?
>>>>
>>>> On a freshly installed Virtuozzo Linux release 7.2 (3515) on a host
>>>> with 2 activated interfaces (em1 and em2) in trunk mode (Cisco
>>>> terminology: switchport trunk, allowed vlan 10,11,12, native 10) I
>>>> cannot find out how to create networks dedicated to a vlan.
>>>>
>>>> I tried :
>>>> # prlsrvctl net add vlan11 --type bridged --ifname em2
>>>> Failed to add Virtual Network vlan11: This network adapter is 
>>>> already in use. Please select another network adapter and try again.
>>>>
>>>> I suspect that because em2 is already bridged to br1, it cannot be
>>>> bridged anymore?
>>>>
>>>> Or should I create a /etc/sysconfig/network-scripts/ifcfg-em2.11 to
>>>> have an interface dedicated to vlan11:
>>>> # cat ifcfg-em2.11
>>>> DEVICE=em2.11
>>>> ONBOOT=yes
>>>> TYPE=Ethernet
>>>> BOOTPROTO=none
>>>> VLAN=yes
>>>>
>>>> and then try: prlsrvctl net add vlan11 --type bridged --ifname em2.11 ?
>>>> Unfortunately after systemctl restart network, the system complains
>>>> with:
>>>>
>>>> Bringing up interface em2.11:  Error: Connection activation failed: 
>>>> No suitable device found for this connection.
>>>>
>>>> Has anyone succeeded in configuring CT and VM attached to a vlan (in
>>>> bridge mode, as I want a full-featured network with multicast/broadcast)?
>>>>
>>>> Thanks .
>>>>
>>>> PS: a bit more information on the actual network config on the system:
>>>>
>>>> # ip addr | grep LOWER_UP
>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>>>> 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
>>>> 3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br1 state UP qlen 1000
>>>> 8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>>>> 22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>>> 23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>>>
>>>> # prlsrvctl net list
>>>> Network ID        Type      Bound To       Bridge Slave interfaces
>>>> Bridged           bridged   em2            br1
>>>> Host-Only         host-only                virbr0
>>>>
>>>> It's strange that em1 and br0 don't show up here !?
>>>>
>>>> # brctl show
>>>> bridge name    bridge id        STP enabled    interfaces
>>>> br0        8000.14187769840a    no        em1
>>>> br1        8000.14187769840b    no        em2
>>>> host-routed        8000.000000000000    no
>>>> virbr0        8000.52540064dd31    no        virbr0-nic
>>>> virbr2        8000.52540085818e    no        virbr2-nic
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openvz.org
>>>> https://lists.openvz.org/mailman/listinfo/users
>>>
>>>
>>>
>
>
>

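The symptom in the top message (unicast payload visible on em3/brs0 but only STP/ARP/HSRP on veth42ba2f55) is what a learning Linux bridge does: it delivers a unicast frame only to the port where the destination MAC was learned, and a mirror feed teaches it every endpoint MAC on em3. The shell check below is an added example, not from the thread; it parses `bridge fdb show br brs0` output (a constructed sample, with invented MAC addresses) to tell whether MACs have been learned on the mirror port, and prints the iproute2 commands that stop that. The interface names em3, brs0 and veth42ba2f55 are the ones from the post.

```shell
#!/bin/sh
# Constructed sample of `bridge fdb show br brs0` output (not taken from the
# thread); on the real host replace it with:  bridge fdb show br brs0
SAMPLE_FDB='00:20:56:1e:a6:80 dev em3 master brs0
52:54:00:aa:bb:01 dev em3 master brs0
52:54:00:aa:bb:02 dev em3 master brs0
00:1c:42:12:34:56 dev veth42ba2f55 master brs0
00:1c:42:12:34:56 dev veth42ba2f55 vlan 1 master brs0 permanent
33:33:00:00:00:01 dev em3 self permanent
01:00:5e:00:00:01 dev em3 self permanent'

# Count dynamically learned unicast MACs per bridge port. Entries marked
# permanent/self are the ports' own addresses and multicast memberships, and
# group MACs (low bit of the first octet set) are never learned, so skip them.
learned_per_port() {
  printf '%s\n' "$1" | awk '
    /permanent/ || / self / { next }
    $1 ~ /^.[13579bdfBDF]:/ { next }   # multicast/broadcast address
    { count[$3]++ }
    END { for (p in count) printf "%s %d\n", p, count[p] }' | sort
}

# A learning bridge delivers a unicast frame only to the port where its
# destination MAC was learned. Mirrored traffic carries both endpoints as
# source MACs, so the bridge learns them all on the mirror port and never
# floods the payload frames to the probe's veth.
mirror_port_learning_verdict() {
  n=$(learned_per_port "$2" | awk -v p="$1" '$1 == p { print $2 }')
  n=${n:-0}
  if [ "$n" -gt 0 ]; then
    echo "LEARNING: $n MACs learned on $1; unicast to them is not flooded to other ports"
  else
    echo "OK: no MACs learned on $1; unicast from it is flooded to every other port"
  fi
}

# iproute2 commands that make the bridge behave like a hub towards the probe:
# stop learning on the mirror port and keep unicast flooding on the veth.
# Printed, not executed, so the script is safe to run anywhere.
hub_mode_commands() {
  printf 'bridge link set dev %s learning off\n' "$1"
  printf 'bridge link set dev %s flood on\n' "$2"
}

learned_per_port "$SAMPLE_FDB"
mirror_port_learning_verdict em3 "$SAMPLE_FDB"
hub_mode_commands em3 veth42ba2f55
```

With learning disabled on em3 the bridge no longer knows where the mirrored MACs live, so every unicast frame from the mirror is flooded to veth42ba2f55 and tcpdump or snort inside the CT sees the same traffic as on brs0.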

