<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
I expect to see all trafic mirrored from our edge router (cisco)
to the Wan, indeed not trafic source and dest to my CT !<br>
<br>
That CTprobe as been transfered from an openvz6 host to that new
openv7 <br>
on the vz6 there was no brigde, the host eth1 interface was
directly monted/affected to the CT, like this<br>
<br>
NETIF="ifname=eth0,bridge=br0.11,mac=00:18:51:1B:26:98,host_ifname=veth11030.0,host_mac=00:18:51:E6:D6:45"<br>
<b>NETDEV="eth1"</b><br>
<br>
yes on the host side, either on the physical interface (em3)
directly pluged to the mirrored port on the cisco or the
associated bridge (brs0) I do see all in/out trafic of all users
trafic<br>
<pre wrap="">[host] # tcpdump -i em3 -n
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350</pre>
[host]# brctl show<br>
<b>brs0 8000.14187769840c no em3</b><b><br>
</b><b>
veth42ba2f55</b><br>
<br>
<pre wrap="">[host] # prlsrvctl net list
Network ID Type Bound To Bridge Slave interfaces
Host-Only host-only virbr0
<b>probenet bridged em3 brs0 veth42ba2f55 </b></pre>
but neither on the host nor on the CT I cannot see all trafic ,
but only protocol/braodcats or xcat, it seems as if trafic is
filtered ... ?<b><br>
<br>
</b>examples<b><br>
<br>
</b>[host] # tcpdump -i veth42ba2f55 -n <br>
tcpdump: WARNING: veth42ba2f55: no IPv4 address assigned<br>
tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode<br>
listening on veth42ba2f55, link-type EN10MB (Ethernet), capture
size 65535 bytes<br>
17:17:34.279194 ARP, Request who-has 193.51.41.10 tell
193.51.41.1, length 46<br>
17:17:34.343210 ARP, Request who-has 193.51.41.43 tell
193.51.41.1, length 46<br>
17:17:34.451152 IP 193.51.41.36.hsrp > 224.0.0.102.hsrp: HSRPv1<b><br>
<br>
</b>CT-11030 /# tcpdump -i eth1 -n <br>
tcpdump: WARNING: eth1: no IPv4 address assigned<br>
tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode<br>
listening on eth1, link-type EN10MB (Ethernet), capture size 96
bytes<br>
17:19:00.184782 arp who-has 193.51.41.34 tell 193.51.41.1<br>
17:19:00.296277 802.1d config 8001.00:26:99:64:c0:80.9688 root
8001.00:21:56:1c:3f:80 pathcost 1 age 1 max 20 hello 2 fdelay 15 <br>
17:19:00.296641 00:25:84:f1:3f:9b > 01:00:0c:cc:cc:cd SNAP
Unnumbered, ui, Flags [Command], length 50<br>
17:19:00.370773 arp who-has 193.51.41.42 tell 193.51.41.1<br>
<b><br>
</b>[host]# prlctl list -if CTprobe | grep net1<br>
net1 (+) dev='veth42ba2f55' ifname='eth1' network='probenet'
mac=001C42BA2F45<b> preventpromisc=on</b> mac_filter=off
ip_filter=off nameservers= searchdomains=<br>
<b><br>
</b>is the preventpromisc=on my problem, how to change it to off
? <br>
as <br>
<pre wrap=""># prlctl set CTprobe --device-set net1 --preventpromisc no</pre>
doesn't work ? <br>
<br>
regards .<b><br>
<br>
<br>
</b>Le 19/10/2016 14:33, Vasily Averin a écrit :<br>
</div>
<blockquote
cite="mid:fe60db35-0ab2-ef8b-3706-a0dec738a70e@virtuozzo.com"
type="cite">
<pre wrap="">Dear Jehan,
could you please clarify, which kind of traffic you expect to see inside container ?
Are you sure it is present on host side on according vethX interface?
I think bridge on host can do not route alien traffic to this interface.
IIRC there is some setting on bridge settings that enables "promisc" mode,
but by default bridge does not route all traffic to all attached interfaces.
Thank you,
Vasily Averin
On 19.10.2016 13:16, Jehan Procaccia wrote:
</pre>
<blockquote type="cite">
<pre wrap="">indeed macfilter, ipfilter and preventpromisc were set to "on"
# prlctl list -if CTprobe | grep net
venet0 (+) type='routed'
net0 (+) dev='veth11030.0' ifname='eth0' network='vlan11' mac=0018511B4688 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains= ips='192.168.11.30/255.255.255.0 '
*net1 (+) dev='veth42ba2f55' ifname='eth1' network='sondereve' mac=001C42BA2F45 preventpromisc=on mac_filter=on ip_filter=on* nameservers= searchdomains=
I set them to "no"
# prlctl set CTprobe --device-set net1 --ipfilter no
# prlctl set CTprobe --device-set net1 --preventpromisc no
# prlctl set CTprobe --device-set net1 --macfilter no
now they are off , exept preventpromisc which keeps beeing set to on ?
# prlctl list -if CTprobe | grep net1
net1 (+) dev='veth42ba2f55' ifname='eth1' network='sondereve' mac=001C42BA2F45 *preventpromisc=on* mac_filter=off ip_filter=off nameservers= searchdomains=
I cannot set it to off !?
I did edit the CTprobe /etc/vz/conf/ file explicitly adding mac_filter=off,ip_filter=off,*preventpromisc=off*
no way, my eth1 container interface only sees filtered trafic .
I did nothing regarding the attached bridge (em3 ->*brs0* -> veth42ba2f55) , as I don't see any "mac-filter" in vzctl command help (only netfilter, not mac)
# vzctl --help | grep filter
[--netfilter <disabled|stateless|stateful|full>]
is it the preventpromisc=off "bug" that drops packets, or the mac-filter on the bridge which might be not set ?
indeed it seems as if the container current config drops packets that are not address to it , for a probe it is a problem as by definition for a probe packets are not addreed to him !.
regards .
Le 19/10/2016 11:29, Vasily Averin a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">Dear Jehan,
1)
# prlctl list -if vvs.vz7.kdev | grep net0
net0 (+) dev='veth5147a7b3' ifname='eth0' network='Bridged' mac=00185147A7B3 preventpromisc=on mac_filter=on ip_filter=on nameservers= searchdomains= dhcp='yes'
from man prlctl ("set" section)
ipfilter: determines if the specified network adapter is configured to filter network packages by
IP address. If set to "yes", the adapter is allowed to send packages only from IPs in the network
adapter's IP addresses list.
macfilter: determines if the specified network adapter is configured to filter network packages by
MAC address. If set to "yes", the adapter is allowed to send packages only from its own MAC
address.
preventpromisc: determines if the specified network adapter should reject packages not addressed
to its virtual environment. If set to "yes", the adapter will drop packages not addressed to its
virtual environment.
In pcs6 it was affected VMs only, and at present I'm not sure was it fully intergrated into vz7 or not.
2) vzctl also have filter setting for bridged interfaces
man vzctl:
--mac_filter on|off - enable/disable packets filtering by MAC address and MAC changing on veth
device inside CT.
Thank you,
Vasily Averin
On 19.10.2016 12:05, Jehan Procaccia wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello
I'am back to my vlan/brige/vm-interface ...
although it works fine for my containers primary interfaces (eth0)
I have a specific container that has 2 interfaces, the second beeing for a probe on the network (tcpdump, snort etc ...)
unfortunatly only minimal trafic seems to be forwarded into the container on that second interface , not all , I do see the wall trafic within the physical interface and its bridge on the physical host, but not on the veth into the CT !?.
here's the physical and config situation: on the physical host I plug the cisco mirrored outbound/Wan interface to em3 (physical interface on the host)
I created a virtual network for that probe attached to em3 and associated to bridge brs0
# prlsrvctl net add probenet --type bridged --ifname em3
# prlsrvctl net list
Network ID Type Bound To Bridge Slave interfaces
Host-Only host-only virbr0
*probenet bridged em3 brs0 veth42ba2f55 *
...
my CT 2nd interface (eth1, eth0 beeing the 1st one) is attached to that network
# prlctl set CTprobe --netif_add eth1
# prlctl set CTprobe --ifname eth1 --network probenet
my problem is that a tcpdump -i em3 or bsr0 on the physical host do show all traffic on my outbound cisco Wan mirrored interface
here is a very small sample (hundred of packats per secondes ...)
# tcpdump -i brs0 -n
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46
if I do the same tcpdump -i veth42ba2f55 or inside the CTprobe -i eth1 , only protocol trafic seems to pass through (STP,ARP,HSRP...), no users payload (https, ssh etc ...) , and only a dozen packets per seconds (they were hundreds on the brs0 or em3)
# tcpdump -i veth42ba2f55 -n
10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
10:45:31.281744 ARP, Request who-has 193.157.41.17 tell 193.157.41.1, length 46
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
10:45:31.383549 ARP, Request who-has 193.157.41.31 tell 193.157.41.1, length 46
10:45:31.456594 ARP, Request who-has 193.157.41.34 tell 193.157.41.1, length 46
10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id 89ce.00:20:56:1e:a6:80.8040, length 42
10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id 8168.00:20:56:1e:a6:80.8040, length 42
10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id 89da.00:20:56:1e:a6:80.8040, length 42
10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id 89cf.00:20:56:1e:a6:80.8040, length 42
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id 89d0.00:20:56:1e:a6:80.8040, length 42
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405
Is the CT veth filtering trafic ? or cannot cope with the volume ?
it is strange though that no payload/users trafic, only protocol (Xcast/broadcast ?) trafic pass from brs0 to veth42ba2f55 or inside the CTprobe eth1
Am I missing a "capability" ?
Regards .
Le 10/10/2016 21:24, Jehan Procaccia a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">Indeed !
that was that last setting missing:
prlctl set MyCT11 --ifname eth0 --network vlan11
now vlans works fine
Just note that I had to add NM_CONTROLLED="no" to all mi ifcfg-xxx definition files, otherwise network restart failed to start them
regards .
Le 10/10/2016 09:12, Vasily Averin a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">Dear Jehan,
Virtuozzo 7 have nice documentaion on docs.virtuozzo.com
<a class="moz-txt-link-freetext" href="http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge">http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge</a>
in your case you need to bind container interface to newly-created bridge by using follwing command:
prlctl set MyCT11 --ifname eth0 --network vlan11
Thank you,
Vasily Averin
On 09.10.2016 22:37, Jehan Procaccia wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I found a method to configure bridge and vlan based on RHEL docs :
<a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html</a>
in order not to mess with current config automatically configured by virtuozzo7 installer on em1 and em2 with repective bridges br0 en br1, I plugged a 3rd interface on the server (fiber) p2p2 :
[network-scripts]# cat ifcfg-p2p2
TYPE=Ethernet
BOOTPROTO=none
NAME=p2p2
UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
DEVICE=p2p2
ONBOOT=yes
then the associated subinterface for vlan11 as described in RHEL7 doc
# cat ifcfg-p2p2*.11*
DEVICE=p2p2.11
BOOTPROTO=none
ONBOOT=yes
VLAN=yes
BRIDGE="br11"
and finally the bridge for that vlan
# cat ifcfg-br11
DEVICE="br11"
NAME="p2p2.11"
ONBOOT=yes
NETBOOT=yes
IPV6INIT=yes
BOOTPROTO=dhcp
TYPE="Bridge"
DELAY="2"
STP="off"
# ip -d link show p2p2.11
41: p2p2.11@p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br11 state UP mode DEFAULT
link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 1
vlan protocol 802.1Q id 11 <REORDER_HDR> addrgenmode none
# ip -d link show br11
42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 0
bridge addrgenmode none
Now I can add my virtual network attached to the p2p2.11 interface (or should I have chosed br11 !?)
# prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
# prlsrvctl net list
Network ID Type Bound To Bridge Slave interfaces
Bridged bridged em2 br1
Host-Only host-only virbr0
vlan11 bridged p2p2.11 br11
# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.14187769840a yes em1
br1 8000.14187769840b no em2
br11 8000.f4e9d495c432 no p2p2.11
host-routed 8000.000000000000 no
virbr0 8000.52540064dd31 no virbr0-nic
create a container MyCT11
# prlctl create MyCT11 --vmtype ct
...
Processing metadata for centos-7-x86_64
...The Container has been successfully created.
now I add an interface to my CT so that it will be in vlan11
# prlctl set MyCT11 --netif_add eth0
# prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
# prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1
entering the CT an pinging the gateway unfortunatly fails
CT-bad098d8 /# ping 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
^C
--- 192.168.11.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
the pb seems that that new CT seems to be attached to an other bridge
# prlsrvctl net list
Network ID Type Bound To Bridge Slave interfaces
Bridged bridged em2 *br1 * *veth4250fe85 *
Host-Only host-only virbr0
vlan11 bridged p2p2.11 br11
not to vlan11 network on br11
I guess I missed something , where did I went wrong ?
anyone has a full scenario to enable vlan through bridge mode in CT (and VM) ?
regards .
<a class="moz-txt-link-freetext" href="http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html">http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html</a>
Le 07/10/2016 19:22, Jehan Procaccia a écrit :
</pre>
<blockquote type="cite">
<pre wrap="">hello
based on <a class="moz-txt-link-freetext" href="https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html">https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html</a>
it is not clear to me how to create virtual networks associated to vlans ?
On a fresly installed Virtuozzo Linux release 7.2 (3515) on a host with 2 activated interfaces (em1 and em2) in trunk mode (cisco terminology switchport trunk, allowed vlan 10,11,12, native 10) I cannot find out how to create networks dedicated to a vlan
I tried :
# prlsrvctl net add vlan11 --type bridged --ifname em2
Failed to add Virtual Network vlan11: This network adapter is already in use. Please select another network adapter and try again.
I suspect that because em2 is already bridge to br1, it cannot be bridged anymore ?
Or should I create a /etc/sysconfig/network-scripts/ifcfg-em2.11 to have a interface dedicated to vlan11 :
# cat ifcfg-em2.11
DEVICE=em2.11
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
VLAN=yes
an then try to: /prlsrvctl net add vlan11 --type bridged --ifname em2.11/ ?
unfortunatly after /systemctl restart network/ , system complains with :
Bringing up interface em2.11: Error: Connection activation failed: No suitable device found for this connection.
as anymone succeed in configuring CT and VM attached to vlan (in bridge mode as I want full feature network with multicast/broacast) ?
Thanks .
PS : few more information of the actual network config on the system :
# ip addr | grep LOWER_UP
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br1 state UP qlen 1000
8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
# prlsrvctl net list
Network ID Type Bound To Bridge Slave interfaces
Bridged bridged em2 br1
Host-Only host-only virbr0
it strange that em1 and br0 doesn't show up here !?
# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.14187769840a no em1
br1 8000.14187769840b no em2
host-routed 8000.000000000000 no
virbr0 8000.52540064dd31 no virbr0-nic
virbr2 8000.52540085818e no virbr2-nic
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>