[Users] vlan and bridge network interface in openVZ/virtuozzo 7

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Wed Oct 19 03:16:42 PDT 2016


Indeed, macfilter, ipfilter and preventpromisc were set to "on":

# prlctl list -if CTprobe  | grep net
   venet0 (+) type='routed'
   net0 (+) dev='veth11030.0' ifname='eth0' network='vlan11' mac=0018511B4688 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains= ips='192.168.11.30/255.255.255.0 '
   net1 (+) dev='veth42ba2f55' ifname='eth1' network='sondereve' mac=001C42BA2F45 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains=

I set them to "no":

# prlctl set CTprobe --device-set net1 --ipfilter no
# prlctl set CTprobe --device-set net1 --preventpromisc no
# prlctl set CTprobe --device-set net1 --macfilter no

Now they are off, except preventpromisc, which keeps being set to on:

# prlctl list -if CTprobe  | grep net1
   net1 (+) dev='veth42ba2f55' ifname='eth1' network='sondereve' mac=001C42BA2F45 preventpromisc=on mac_filter=off ip_filter=off nameservers= searchdomains=

I cannot set it to off!?
I did edit the CTprobe file in /etc/vz/conf/, explicitly adding
mac_filter=off,ip_filter=off,preventpromisc=off

No way: my eth1 container interface only sees filtered traffic.

I did nothing regarding the attached bridge (em3 -> brs0 -> veth42ba2f55), as I don't see any "mac-filter" in the vzctl command help (only netfilter, not mac):
# vzctl --help | grep filter
    [--netfilter <disabled|stateless|stateful|full>]

Is it the preventpromisc=off "bug" that drops packets, or the mac-filter on the bridge which might not be set?
Indeed, it seems as if the container's current config drops packets that are not addressed to it; for a probe this is a problem, as by definition the packets a probe captures are not addressed to it!

Regards.


On 19/10/2016 11:29, Vasily Averin wrote:
> Dear Jehan,
>
> 1)
> # prlctl list -if vvs.vz7.kdev  | grep net0
>    net0 (+) dev='veth5147a7b3' ifname='eth0' network='Bridged' mac=00185147A7B3 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains= dhcp='yes'
>
> from man prlctl  ("set" section)
>             ipfilter:  determines if the specified network adapter is configured to filter network packages by
>             IP address. If set to "yes", the adapter is allowed to send packages only from IPs in the  network
>             adapter's IP addresses list.
>             macfilter: determines if the specified network adapter is configured to filter network packages by
>             MAC address. If set to "yes", the adapter is allowed to  send  packages  only  from  its  own  MAC
>             address.
>             preventpromisc:  determines  if the specified network adapter should reject packages not addressed
>             to its virtual environment. If set to "yes", the adapter will drop packages not addressed  to  its
>             virtual environment.
>
> In PCS6 it affected VMs only, and at present I'm not sure whether it was fully integrated into vz7 or not.
>
> 2) vzctl also has a filter setting for bridged interfaces
> man vzctl:
> 	--mac_filter  on|off  -  enable/disable  packets filtering by MAC address and MAC changing on veth
>             device inside CT.
>
> Thank you,
> 	Vasily Averin
>
>
> On 19.10.2016 12:05, Jehan Procaccia wrote:
>> Hello
>>
>> I'm back to my vlan/bridge/vm-interface ...
>> Although it works fine for my containers' primary interfaces (eth0),
>> I have a specific container that has 2 interfaces, the second being for a probe on the network (tcpdump, snort etc ...).
>> Unfortunately only minimal traffic seems to be forwarded into the container on that second interface, not all of it: I do see the whole traffic on the physical interface and its bridge on the physical host, but not on the veth into the CT!?
>>
>> here's the physical and config situation: on the physical host I plug the cisco mirrored outbound/Wan interface to em3 (physical interface on the host)
>>
>> I created a virtual network for that probe attached to em3 and associated to bridge brs0
>>
>> # prlsrvctl net add probenet --type bridged --ifname em3
>> # prlsrvctl net list
>> Network ID        Type      Bound To       Bridge         Slave interfaces
>> Host-Only         host-only                virbr0
>> probenet          bridged   em3            brs0           veth42ba2f55
>> ...
>>
>> my CT's 2nd interface (eth1, eth0 being the 1st one) is attached to that network
>>   
>> # prlctl set CTprobe --netif_add eth1
>> # prlctl set CTprobe --ifname eth1 --network probenet
>>
>> my problem is that a tcpdump -i em3 or brs0 on the physical host does show all the traffic of my outbound Cisco WAN mirrored interface;
>> here is a very small sample (hundreds of packets per second ...)
>> # tcpdump -i brs0 -n
>> 10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
>> 10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
>> 10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
>> 10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
>> 10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46
>>
>> if I do the same tcpdump -i veth42ba2f55, or inside CTprobe with -i eth1, only protocol traffic seems to pass through (STP, ARP, HSRP ...), no user payload (https, ssh etc ...), and only a dozen packets per second (there were hundreds on brs0 or em3)
>>
>> # tcpdump -i veth42ba2f55 -n
>> 10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
>> 10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
>> 10:45:31.281744 ARP, Request who-has 193.157.41.17 tell 193.157.41.1, length 46
>> 10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
>> 10:45:31.383549 ARP, Request who-has 193.157.41.31 tell 193.157.41.1, length 46
>> 10:45:31.456594 ARP, Request who-has 193.157.41.34 tell 193.157.41.1, length 46
>> 10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id 89ce.00:20:56:1e:a6:80.8040, length 42
>> 10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id 8168.00:20:56:1e:a6:80.8040, length 42
>> 10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id 89da.00:20:56:1e:a6:80.8040, length 42
>> 10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id 89cf.00:20:56:1e:a6:80.8040, length 42
>> 10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
>> 10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id 89d0.00:20:56:1e:a6:80.8040, length 42
>> 10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405
>>
>> Is the CT veth filtering traffic? Or can it not cope with the volume?
>> It is strange, though, that no payload/user traffic, only protocol (Xcast/broadcast?) traffic, passes from brs0 to veth42ba2f55 or inside CTprobe's eth1.
>> Am I missing a "capability"?
>>
>> Regards.
>>
>> On 10/10/2016 21:24, Jehan Procaccia wrote:
>>> Indeed !
>>> that was that last setting missing:
>>>
>>> prlctl set MyCT11 --ifname eth0 --network vlan11
>>>
>>> now VLANs work fine
>>> Just note that I had to add NM_CONTROLLED="no" to all my ifcfg-xxx definition files, otherwise the network restart failed to start them
>>>
>>> Regards.
>>>
>>>
>>>
>>> On 10/10/2016 09:12, Vasily Averin wrote:
>>>> Dear Jehan,
>>>>
>>>> Virtuozzo 7 has nice documentation on docs.virtuozzo.com
>>>>
>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge
>>>>
>>>> in your case you need to bind the container interface to the newly-created bridge by using the following command:
>>>>
>>>> prlctl set MyCT11 --ifname eth0 --network vlan11
>>>>
>>>> Thank you,
>>>>      Vasily Averin
>>>>
>>>> On 09.10.2016 22:37, Jehan Procaccia wrote:
>>>>> I found a method to configure bridge and vlan based on RHEL docs :
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html
>>>>>
>>>>> in order not to mess with the current config automatically configured by the Virtuozzo 7 installer on em1 and em2 with their respective bridges br0 and br1, I plugged a 3rd interface on the server (fiber) p2p2:
>>>>>
>>>>> [network-scripts]# cat ifcfg-p2p2
>>>>> TYPE=Ethernet
>>>>> BOOTPROTO=none
>>>>> NAME=p2p2
>>>>> UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
>>>>> DEVICE=p2p2
>>>>> ONBOOT=yes
>>>>>
>>>>> then the associated subinterface for vlan11 as described in RHEL7 doc
>>>>>
>>>>> # cat ifcfg-p2p2.11
>>>>> DEVICE=p2p2.11
>>>>> BOOTPROTO=none
>>>>> ONBOOT=yes
>>>>> VLAN=yes
>>>>> BRIDGE="br11"
>>>>>
>>>>> and finally the bridge for that vlan
>>>>>
>>>>> # cat ifcfg-br11
>>>>> DEVICE="br11"
>>>>> NAME="p2p2.11"
>>>>> ONBOOT=yes
>>>>> NETBOOT=yes
>>>>> IPV6INIT=yes
>>>>> BOOTPROTO=dhcp
>>>>> TYPE="Bridge"
>>>>> DELAY="2"
>>>>> STP="off"
>>>>>
>>>>> # ip -d link show p2p2.11
>>>>> 41: p2p2.11 at p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br11 state UP mode DEFAULT
>>>>>       link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 1
>>>>>       vlan protocol 802.1Q id 11 <REORDER_HDR> addrgenmode none
>>>>>
>>>>> # ip -d link show br11
>>>>> 42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
>>>>>       link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 0
>>>>>       bridge addrgenmode none
>>>>>
>>>>>
>>>>> Now I can add my virtual network attached to the p2p2.11 interface (or should I have chosen br11!?)
>>>>>
>>>>> #  prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
>>>>> # prlsrvctl net list
>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>> Bridged           bridged   em2            br1
>>>>> Host-Only         host-only                virbr0
>>>>> vlan11            bridged   p2p2.11        br11
>>>>>
>>>>> # brctl show
>>>>> bridge name    bridge id        STP enabled    interfaces
>>>>> br0        8000.14187769840a    yes        em1
>>>>> br1        8000.14187769840b    no        em2
>>>>> br11        8000.f4e9d495c432    no        p2p2.11
>>>>> host-routed        8000.000000000000    no
>>>>> virbr0        8000.52540064dd31    no        virbr0-nic
>>>>>
>>>>> create a container MyCT11
>>>>> # prlctl create MyCT11 --vmtype ct
>>>>> ...
>>>>> Processing metadata for centos-7-x86_64
>>>>> ...The Container has been successfully created.
>>>>>
>>>>> now I add an interface to my CT so that it will be in vlan11
>>>>>
>>>>> # prlctl set MyCT11 --netif_add eth0
>>>>> # prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
>>>>> # prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1
>>>>>
>>>>> Entering the CT and pinging the gateway unfortunately fails:
>>>>>
>>>>> CT-bad098d8 /# ping 192.168.11.1
>>>>> PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
>>>>> ^C
>>>>> --- 192.168.11.1 ping statistics ---
>>>>> 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
>>>>>
>>>>>
>>>>> The problem seems to be that the new CT is attached to another bridge:
>>>>>
>>>>> # prlsrvctl net list
>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>> Bridged           bridged   em2            br1            veth4250fe85
>>>>> Host-Only         host-only                virbr0
>>>>> vlan11            bridged   p2p2.11        br11
>>>>>
>>>>> not to vlan11 network on br11
>>>>>
>>>>> I guess I missed something; where did I go wrong?
>>>>> Does anyone have a full scenario to enable a VLAN through bridged mode in a CT (and VM)?
>>>>>
>>>>> Regards.
>>>>>
>>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html
>>>>>
>>>>> On 07/10/2016 19:22, Jehan Procaccia wrote:
>>>>>> hello
>>>>>>
>>>>>> Based on https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html
>>>>>> it is not clear to me how to create virtual networks associated with VLANs.
>>>>>>
>>>>>> On a freshly installed Virtuozzo Linux release 7.2 (3515), on a host with 2 activated interfaces (em1 and em2) in trunk mode (Cisco terminology: switchport trunk, allowed vlan 10,11,12, native 10), I cannot find out how to create networks dedicated to a VLAN.
>>>>>>
>>>>>> I tried :
>>>>>> # prlsrvctl net add vlan11 --type bridged --ifname em2
>>>>>> Failed to add Virtual Network vlan11: This network adapter is already in use. Please select another network adapter and try again.
>>>>>>
>>>>>> I suspect that because em2 is already bridged to br1, it cannot be bridged anymore?
>>>>>>
>>>>>> Or should I create a /etc/sysconfig/network-scripts/ifcfg-em2.11 to have a interface dedicated to vlan11 :
>>>>>> # cat ifcfg-em2.11
>>>>>> DEVICE=em2.11
>>>>>> ONBOOT=yes
>>>>>> TYPE=Ethernet
>>>>>> BOOTPROTO=none
>>>>>> VLAN=yes
>>>>>>
>>>>>> and then try: prlsrvctl net add vlan11 --type bridged --ifname em2.11 ?
>>>>>> Unfortunately, after systemctl restart network, the system complains with:
>>>>>>
>>>>>> Bringing up interface em2.11:  Error: Connection activation failed: No suitable device found for this connection.
>>>>>>
>>>>>> Has anyone succeeded in configuring CTs and VMs attached to a VLAN (in bridged mode, as I want a full-featured network with multicast/broadcast)?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> PS : few more information of the actual network config on the system :
>>>>>>
>>>>>> # ip addr | grep LOWER_UP
>>>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>>>>>> 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
>>>>>> 3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br1 state UP qlen 1000
>>>>>> 8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>>>>>> 22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>>>>> 23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>>>>>
>>>>>> # prlsrvctl net list
>>>>>> Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>>> Bridged           bridged   em2            br1
>>>>>> Host-Only         host-only                virbr0
>>>>>>
>>>>>> It's strange that em1 and br0 don't show up here!?
>>>>>>
>>>>>> # brctl show
>>>>>> bridge name    bridge id        STP enabled    interfaces
>>>>>> br0        8000.14187769840a    no        em1
>>>>>> br1        8000.14187769840b    no        em2
>>>>>> host-routed        8000.000000000000    no
>>>>>> virbr0        8000.52540064dd31    no        virbr0-nic
>>>>>> virbr2        8000.52540085818e    no        virbr2-nic
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at openvz.org
>>>>>> https://lists.openvz.org/mailman/listinfo/users
>>>>>
>>>>>
>>>
>>>
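The symptom described in the thread (the bridge shows hundreds of unicast packets per second, the CT's veth shows only ARP/STP/HSRP/PIM/CDP) is exactly what a port that drops frames not addressed to its own MAC looks like: broadcast and multicast group MACs still pass, foreign unicast does not. The POSIX shell diagnostic below is an added example, not part of the mailing-list thread and not Virtuozzo or OpenVZ tooling. It tallies `tcpdump -n` output by L2 destination class on both sides, gives a verdict, and reads `prlctl list -if` output to report which of preventpromisc/mac_filter/ip_filter are still on for an adapter. The sample tcpdump and prlctl lines are copied from the messages above (the prlctl lines rejoined onto single lines, as the tool prints them); the container IP passed to classify_frames is an assumption, since the probe eth1 in the thread has no address.

```shell
#!/bin/sh
# Added diagnostic for a CT "probe" interface that only sees broadcast/multicast.
# Not from the original thread and not Virtuozzo's own code; the CT IP given to
# classify_frames is an assumption. Sample data below is copied from the thread.

# classify_frames <ct-ip>: read `tcpdump -n` lines on stdin, print per-class counts.
classify_frames() {
  awk -v me="$1" '
    /^[0-9:.]+ ARP,/ { bcast++; next }             # ARP request -> ff:ff:ff:ff:ff:ff
    /^[0-9:.]+ (STP|CDPv)/ { mcast++; next }       # STP/CDP -> 01:80:c2 / 01:00:0c group MACs
    /^[0-9:.]+ IP / {
      dst = $5; sub(/:$/, "", dst)                 # "a.b.c.d.port:" or "a.b.c.d:"
      n = split(dst, a, ".")
      ip = (n == 5) ? (a[1] "." a[2] "." a[3] "." a[4]) : dst
      split(ip, o, ".")
      if (o[1] + 0 >= 224 && o[1] + 0 <= 239) mcast++   # 224/4 -> 01:00:5e group MAC
      else if (ip == me) ucast_me++
      else ucast_other++
      next
    }
    { other++ }
    END {
      printf "broadcast=%d multicast=%d unicast_to_me=%d unicast_to_other=%d other=%d\n",
             bcast, mcast, ucast_me, ucast_other, other
    }'
}

# probe_verdict <bridge-counts> <ct-counts>: a probe port must receive unicast frames
# addressed to other hosts; if the bridge side gets them and the CT side gets none,
# the CT port is filtering (preventpromisc / mac_filter), not the mirror session.
probe_verdict() {
  br=$(printf '%s\n' "$1" | sed 's/.*unicast_to_other=\([0-9]*\).*/\1/')
  ct=$(printf '%s\n' "$2" | sed 's/.*unicast_to_other=\([0-9]*\).*/\1/')
  if [ "$br" -gt 0 ] && [ "$ct" -eq 0 ]; then
    echo "FILTERED: bridge saw $br foreign unicast frames, CT port saw 0"
  elif [ "$br" -eq 0 ]; then
    echo "INCONCLUSIVE: no foreign unicast on the bridge either (check the SPAN/mirror)"
  else
    echo "OK: CT port receives foreign unicast ($ct of $br)"
  fi
}

# check_filter_flags <netN>: read `prlctl list -if <CT>` on stdin and print the
# filter flags of that adapter that are still "on" ("none" if all are off).
check_filter_flags() {
  awk -v dev="$1" '
    $1 == dev {
      found = 1; out = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(preventpromisc|mac_filter|ip_filter)=on$/)
          out = out (out == "" ? "" : " ") $i
      print (out == "" ? "none" : out)
    }
    END { if (!found) print "not found" }'
}

# Sample captures copied from the thread: bridge side (brs0) and CT side (veth42ba2f55).
BRIDGE_SAMPLE="10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46"
VETH_SAMPLE="10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id 89d0.00:20:56:1e:a6:80.8040, length 42
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405"
# Sample `prlctl list -if CTprobe` output copied from the thread, one line per adapter.
PRLCTL_SAMPLE="   venet0 (+) type='routed'
   net0 (+) dev='veth11030.0' ifname='eth0' network='vlan11' mac=0018511B4688 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains= ips='192.168.11.30/255.255.255.0 '
   net1 (+) dev='veth42ba2f55' ifname='eth1' network='sondereve' mac=001C42BA2F45 preventpromisc=on mac_filter=off ip_filter=off nameservers= searchdomains="

# Demo on the embedded samples. On a real host, feed live captures instead, e.g.
#   b=$(tcpdump -i brs0 -n -c 500 2>/dev/null | classify_frames "")
#   c=$(tcpdump -i veth42ba2f55 -n -c 500 2>/dev/null | classify_frames "")
if [ "${1-}" = "demo" ]; then
  b=$(printf '%s\n' "$BRIDGE_SAMPLE" | classify_frames "")
  c=$(printf '%s\n' "$VETH_SAMPLE" | classify_frames "")
  echo "brs0:         $b"
  echo "veth42ba2f55: $c"
  probe_verdict "$b" "$c"
  printf '%s\n' "$PRLCTL_SAMPLE" | check_filter_flags net1
fi
```

Run it with `sh probecheck.sh demo` to see the verdict on the thread's own captures; on the host, pipe `tcpdump -n -c N` from the bridge and from the veth into `classify_frames` and `prlctl list -if CTprobe` into `check_filter_flags`. A FILTERED verdict together with any flag still reported "on" points at the adapter's filtering (the man page text quoted by Vasily: preventpromisc drops packets not addressed to the VE) rather than at the mirror session or at capture volume.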

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/users/attachments/20161019/87658b1f/attachment-0001.html>