[Users] vlan and bridge network interface in openVZ/virtuozzo 7

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Wed Oct 19 09:54:09 PDT 2016


I did that already, setting "no" instead of "off", but it seems the
same, no success :-(

I now have doubts about *preventpromisc=on*, which I cannot set to off :-(

[host]# prlctl list -if CTprobe | grep net1
   net1 (+) dev='veth42ba2f55' ifname='eth1' network='probenet'
mac=001C42BA2F45 preventpromisc=on mac_filter=off ip_filter=off
nameservers= searchdomains=

On 19/10/2016 13:36, Dmitry Mishin wrote:
> Hello,
>
> Please try after 'prlctl set CTprobe --device-set net1 --macfilter off'
>
> Thank you,
> Dmitry.
>
> From: <users-bounces at openvz.org> on behalf of Jehan Procaccia
> <jehan.procaccia at tem-tsp.eu>
> Reply-To: OpenVZ users <users at openvz.org>
> Date: Wednesday 19 October 2016 12:05
> To: OpenVZ users <users at openvz.org>
> Subject: Re: [Users] vlan and bridge network interface in
> openVZ/virtuozzo 7
>
>     Hello
>
>     I'm back to my vlan/bridge/vm-interface ...
>     although it works fine for my containers' primary interfaces (eth0)
>     I have a specific container that has 2 interfaces, the second
>     being for a probe on the network (tcpdump, snort etc ...)
>     unfortunately only minimal traffic seems to be forwarded into the
>     container on that second interface, not all. I do see the whole
>     traffic on the physical interface and its bridge on the
>     physical host, but not on the veth into the CT !?
>
>     here's the physical and config situation: on the physical host I
>     plug the cisco mirrored outbound/Wan interface to em3 (physical
>     interface on the host)
>
>     I created a virtual network for that probe attached to em3 and
>     associated to bridge brs0
>
>     # prlsrvctl net add probenet --type bridged --ifname em3
>     # prlsrvctl net list
>     Network ID        Type      Bound To       Bridge         Slave interfaces
>     Host-Only         host-only                virbr0
>     probenet          bridged   em3            brs0           veth42ba2f55
>     ...
>
>     my CT 2nd interface (eth1, eth0 being the 1st one) is attached to
>     that network
>
>     # prlctl set CTprobe --netif_add eth1
>     # prlctl set CTprobe --ifname eth1 --network probenet
>
>     my problem is that a tcpdump -i em3 or brs0 on the physical host
>     does show all traffic on my outbound cisco Wan mirrored interface
>     here is a very small sample (hundreds of packets per second ...)
>     # tcpdump -i brs0 -n
>     10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757:
>     UDP, length 1350
>     10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813:
>     Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
>     10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
>     10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
>     10:40:59.801310 ARP, Request who-has 193.157.24.30 tell
>     193.157.41.1, length 46
>
>     if I do the same tcpdump -i veth42ba2f55 or inside the CTprobe -i
>     eth1, only protocol traffic seems to pass through
>     (STP,ARP,HSRP...), no user payload (https, ssh etc ...), and
>     only a dozen packets per second (they were hundreds on the brs0
>     or em3)
>
>     # tcpdump -i veth42ba2f55 -n
>     10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id
>     8d52.00:20:56:1e:a6:80.8040, length 42
>     10:45:31.213516 ARP, Request who-has 193.157.41.45 tell
>     193.157.41.1, length 46
>     10:45:31.281744 ARP, Request who-has 193.157.41.17 tell
>     193.157.41.1, length 46
>     10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello,
>     length 38
>     10:45:31.383549 ARP, Request who-has 193.157.41.31 tell
>     193.157.41.1, length 46
>     10:45:31.456594 ARP, Request who-has 193.157.41.34 tell
>     193.157.41.1, length 46
>     10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id
>     89ce.00:20:56:1e:a6:80.8040, length 42
>     10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id
>     8168.00:20:56:1e:a6:80.8040, length 42
>     10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id
>     89da.00:20:56:1e:a6:80.8040, length 42
>     10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id
>     89cf.00:20:56:1e:a6:80.8040, length 42
>     10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
>     10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id
>     89d0.00:20:56:1e:a6:80.8040, length 42
>     10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr',
>     length 405
>
>     Is the CT veth filtering traffic? or can it not cope with the volume?
>     it is strange though that no payload/user traffic, only protocol
>     (Xcast/broadcast ?) traffic passes from brs0 to veth42ba2f55 or
>     inside the CTprobe eth1
>     Am I missing a "capability" ?
>
>     Regards .
>
>     On 10/10/2016 21:24, Jehan Procaccia wrote:
>>     Indeed !
>>     that was that last setting missing:
>>
>>     prlctl set MyCT11 --ifname eth0 --network vlan11
>>
>>     now vlans work fine
>>     Just note that I had to add NM_CONTROLLED="no" to all my
>>     ifcfg-xxx definition files, otherwise network restart failed to
>>     start them
>>
>>     regards .
>>
>>
>>
>>     On 10/10/2016 09:12, Vasily Averin wrote:
>>>     Dear Jehan,
>>>
>>>     Virtuozzo 7 has nice documentation on docs.virtuozzo.com
>>>
>>>     http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge
>>>
>>>     in your case you need to bind the container interface to the
>>>     newly-created bridge by using the following command:
>>>
>>>     prlctl set MyCT11 --ifname eth0 --network vlan11
>>>
>>>     Thank you,
>>>         Vasily Averin
>>>
>>>     On 09.10.2016 22:37, Jehan Procaccia wrote:
>>>>     I found a method to configure bridge and vlan based on RHEL docs :
>>>>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html
>>>>
>>>>     in order not to mess with the current config automatically
>>>>     configured by the virtuozzo7 installer on em1 and em2 with
>>>>     respective bridges br0 and br1, I plugged a 3rd interface on the
>>>>     server (fiber) p2p2 :
>>>>
>>>>     [network-scripts]# cat ifcfg-p2p2
>>>>     TYPE=Ethernet
>>>>     BOOTPROTO=none
>>>>     NAME=p2p2
>>>>     UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
>>>>     DEVICE=p2p2
>>>>     ONBOOT=yes
>>>>
>>>>     then the associated subinterface for vlan11 as described in
>>>>     RHEL7 doc
>>>>
>>>>     # cat ifcfg-p2p2.11
>>>>     DEVICE=p2p2.11
>>>>     BOOTPROTO=none
>>>>     ONBOOT=yes
>>>>     VLAN=yes
>>>>     BRIDGE="br11"
>>>>
>>>>     and finally the bridge for that vlan
>>>>
>>>>     # cat ifcfg-br11
>>>>     DEVICE="br11"
>>>>     NAME="p2p2.11"
>>>>     ONBOOT=yes
>>>>     NETBOOT=yes
>>>>     IPV6INIT=yes
>>>>     BOOTPROTO=dhcp
>>>>     TYPE="Bridge"
>>>>     DELAY="2"
>>>>     STP="off"
>>>>
>>>>     # ip -d link show p2p2.11
>>>>     41: p2p2.11@p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
>>>>     qdisc noqueue master br11 state UP mode DEFAULT
>>>>          link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff
>>>>     promiscuity 1
>>>>          vlan protocol 802.1Q id 11 <REORDER_HDR> addrgenmode none
>>>>
>>>>     # ip -d link show br11
>>>>     42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>     noqueue state UP mode DEFAULT
>>>>          link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff
>>>>     promiscuity 0
>>>>          bridge addrgenmode none
>>>>
>>>>
>>>>     Now I can add my virtual network attached to the p2p2.11
>>>>     interface (or should I have chosen br11 !?)
>>>>
>>>>     #  prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
>>>>     # prlsrvctl net list
>>>>     Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>     Bridged           bridged   em2            br1
>>>>     Host-Only         host-only                virbr0
>>>>     vlan11            bridged   p2p2.11        br11
>>>>
>>>>     # brctl show
>>>>     bridge name     bridge id               STP enabled     interfaces
>>>>     br0             8000.14187769840a       yes             em1
>>>>     br1             8000.14187769840b       no              em2
>>>>     br11            8000.f4e9d495c432       no              p2p2.11
>>>>     host-routed     8000.000000000000       no
>>>>     virbr0          8000.52540064dd31       no              virbr0-nic
>>>>
>>>>     create a container MyCT11
>>>>     # prlctl create MyCT11 --vmtype ct
>>>>     ...
>>>>     Processing metadata for centos-7-x86_64
>>>>     ...The Container has been successfully created.
>>>>
>>>>     now I add an interface to my CT so that it will be in vlan11
>>>>
>>>>     # prlctl set MyCT11 --netif_add eth0
>>>>     # prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
>>>>     # prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1
>>>>
>>>>     entering the CT and pinging the gateway unfortunately fails
>>>>
>>>>     CT-bad098d8 /# ping 192.168.11.1
>>>>     PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
>>>>     ^C
>>>>     --- 192.168.11.1 ping statistics ---
>>>>     3 packets transmitted, 0 received, 100% packet loss, time 1999ms
>>>>
>>>>
>>>>     the problem is that the new CT seems to be attached to another
>>>>     bridge
>>>>
>>>>     # prlsrvctl net list
>>>>     Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>     Bridged           bridged   em2            br1            veth4250fe85
>>>>     Host-Only         host-only                virbr0
>>>>     vlan11            bridged   p2p2.11        br11
>>>>
>>>>     not to vlan11 network on br11
>>>>
>>>>     I guess I missed something, where did I go wrong ?
>>>>     does anyone have a full scenario to enable vlan through bridge mode
>>>>     in CT (and VM) ?
>>>>
>>>>     regards .
>>>>
>>>>     http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html
>>>>
>>>>     On 07/10/2016 19:22, Jehan Procaccia wrote:
>>>>>     hello
>>>>>
>>>>>     based on
>>>>>     https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html
>>>>>     it is not clear to me how to create virtual networks
>>>>>     associated to  vlans ?
>>>>>
>>>>>     On a freshly installed Virtuozzo Linux release 7.2 (3515) on a
>>>>>     host with 2 activated interfaces (em1 and em2) in trunk mode
>>>>>     (cisco terminology switchport trunk, allowed vlan 10,11,12,
>>>>>     native 10) I cannot find out how to create networks dedicated
>>>>>     to a vlan
>>>>>
>>>>>     I tried :
>>>>>     # prlsrvctl net add vlan11 --type bridged --ifname em2
>>>>>     Failed to add Virtual Network vlan11: This network adapter is
>>>>>     already in use. Please select another network adapter and try
>>>>>     again.
>>>>>
>>>>>     I suspect that because em2 is already bridged to br1, it cannot
>>>>>     be bridged anymore ?
>>>>>
>>>>>     Or should I create a
>>>>>     /etc/sysconfig/network-scripts/ifcfg-em2.11 to have an
>>>>>     interface dedicated to vlan11 :
>>>>>     # cat ifcfg-em2.11
>>>>>     DEVICE=em2.11
>>>>>     ONBOOT=yes
>>>>>     TYPE=Ethernet
>>>>>     BOOTPROTO=none
>>>>>     VLAN=yes
>>>>>
>>>>>     and then try: prlsrvctl net add vlan11 --type bridged
>>>>>     --ifname em2.11 ?
>>>>>     unfortunately after systemctl restart network, the system
>>>>>     complains with:
>>>>>
>>>>>     Bringing up interface em2.11:  Error: Connection activation
>>>>>     failed: No suitable device found for this connection.
>>>>>
>>>>>     has anyone succeeded in configuring CT and VM attached to a vlan
>>>>>     (in bridge mode as I want full feature network with
>>>>>     multicast/broadcast) ?
>>>>>
>>>>>     Thanks .
>>>>>
>>>>>     PS : few more information of the actual network config on the
>>>>>     system :
>>>>>
>>>>>     # ip addr | grep LOWER_UP
>>>>>     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
>>>>>     UNKNOWN
>>>>>     2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>     master br0 state UP qlen 1000
>>>>>     3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>     master br1 state UP qlen 1000
>>>>>     8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500
>>>>>     qdisc noqueue state UNKNOWN
>>>>>     22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>>     noqueue state UP
>>>>>     23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>>     noqueue state UP
>>>>>
>>>>>     # prlsrvctl net list
>>>>>     Network ID        Type      Bound To       Bridge         Slave interfaces
>>>>>     Bridged           bridged   em2            br1
>>>>>     Host-Only         host-only                virbr0
>>>>>
>>>>>     it's strange that em1 and br0 don't show up here !?
>>>>>
>>>>>     # brctl show
>>>>>     bridge name     bridge id               STP enabled     interfaces
>>>>>     br0             8000.14187769840a       no              em1
>>>>>     br1             8000.14187769840b       no              em2
>>>>>     host-routed     8000.000000000000       no
>>>>>     virbr0          8000.52540064dd31       no              virbr0-nic
>>>>>     virbr2          8000.52540085818e       no              virbr2-nic
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     Users mailing list
>>>>>     Users at openvz.org
>>>>>     https://lists.openvz.org/mailman/listinfo/users
