<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I did that already, setting "no"
instead of "off", but it seems the same, no success :-( <br>
<br>
I now have doubts about <b>preventpromisc=on</b>, which I cannot set
to off :-( <br>
<br>
[host]# prlctl list -if CTprobe | grep net1<br>
net1 (+) dev='veth42ba2f55' ifname='eth1' network='probenet'
mac=001C42BA2F45<b> preventpromisc=on</b> mac_filter=off
ip_filter=off nameservers= searchdomains=<br>
<br>
<br>
On 19/10/2016 13:36, Dmitry Mishin wrote:<br>
</div>
<blockquote cite="mid:D42D33FC.10554A%25dim@virtuozzo.com"
type="cite">
<div>Hello,</div>
<div><br>
</div>
<div>Please try after 'prlctl set CTprobe --device-set net1
--macfilter off'</div>
<div><br>
</div>
<div>Thank you,</div>
<div>Dmitry.</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>&lt;<a
moz-do-not-send="true"
href="mailto:users-bounces@openvz.org">users-bounces@openvz.org</a>&gt;
on behalf of Jehan Procaccia &lt;<a moz-do-not-send="true"
href="mailto:jehan.procaccia@tem-tsp.eu">jehan.procaccia@tem-tsp.eu</a>&gt;<br>
<span style="font-weight:bold">Reply-To: </span>OpenVZ users
&lt;<a moz-do-not-send="true" href="mailto:users@openvz.org">users@openvz.org</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Wednesday 19
October 2016 12:05<br>
<span style="font-weight:bold">To: </span>OpenVZ users &lt;<a
moz-do-not-send="true" href="mailto:users@openvz.org">users@openvz.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [Users]
vlan and bridge network interface in openVZ/virtuozzo 7<br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"
style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0
0 0 5;">
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello<br>
<br>
I'm back to my vlan/bridge/vm-interface ...<br>
although it works fine for my containers' primary
interfaces (eth0) <br>
I have a specific container that has 2 interfaces, the
second being for a probe on the network (tcpdump, snort
etc ...)
<br>
unfortunately only minimal traffic seems to be forwarded
into the container on that second interface, not all.
I do see the whole traffic within the physical interface
and its bridge on the physical host, but not on the veth
into the CT !?<br>
<br>
here's the physical and config situation: on the
physical host I plug the cisco mirrored outbound/Wan
interface to em3 (physical interface on the host)<br>
<br>
I created a virtual network for that probe attached to
em3 and associated to bridge brs0<br>
<br>
# prlsrvctl net add probenet --type bridged --ifname em3<br>
# prlsrvctl net list <br>
Network ID Type Bound To
Bridge Slave interfaces<br>
Host-Only host-only
virbr0 <br>
<b>probenet bridged em3
brs0 veth42ba2f55 </b><br>
...<br>
<br>
my CT 2nd interface (eth1, eth0 being the 1st one) is
attached to that network <br>
<br>
# prlctl set CTprobe --netif_add eth1<br>
# prlctl set CTprobe --ifname eth1 --network probenet<br>
<br>
my problem is that a tcpdump -i em3 or brs0 on the
physical host does show all traffic on my outbound cisco
Wan mirrored interface<br>
here is a very small sample (hundreds of packets per
second ...)<br>
# tcpdump -i brs0 -n<br>
10:40:58.767042 IP 193.51.224.142.https >
147.157.103.21.54757: UDP, length 1350<br>
10:40:58.767062 IP 193.51.224.42.https >
147.157.161.85.50813: Flags [.], seq 2056788:2058248,
ack 511, win 1650, length 1460<br>
10:40:58.841239 IP 193.157.24.26.hsrp >
224.0.0.102.hsrp: HSRPv1<br>
10:40:59.075644 IP 193.157.24.25.hsrp >
224.0.0.102.hsrp: HSRPv1<br>
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell
193.157.41.1, length 46<br>
<br>
if I do the same tcpdump -i veth42ba2f55 or inside the
CTprobe -i eth1, only protocol traffic seems to pass
through (STP,ARP,HSRP...), no user payload (https, ssh
etc ...), and only a dozen packets per second (there
were hundreds on the brs0 or em3)
<br>
<br>
# tcpdump -i veth42ba2f55 -n <br>
10:45:30.918642 STP 802.1d, Config, Flags [none],
bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell
193.157.41.1, length 46<br>
10:45:31.281744 ARP, Request who-has 193.157.41.17 tell
193.157.41.1, length 46<br>
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13:
PIMv2, Hello, length 38<br>
10:45:31.383549 ARP, Request who-has 193.157.41.31 tell
193.157.41.1, length 46<br>
10:45:31.456594 ARP, Request who-has 193.157.41.34 tell
193.157.41.1, length 46<br>
10:45:31.458344 STP 802.1d, Config, Flags [none],
bridge-id 89ce.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.458898 STP 802.1d, Config, Flags [none],
bridge-id 8168.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.654835 STP 802.1d, Config, Flags [none],
bridge-id 89da.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.655039 STP 802.1d, Config, Flags [none],
bridge-id 89cf.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.709254 IP 193.157.41.35.hsrp >
224.0.0.102.hsrp: HSRPv1<br>
10:45:31.966666 STP 802.1d, Config, Flags [none],
bridge-id 89d0.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.993787 CDPv2, ttl: 180s, Device-ID
'core.ispint.fr', length 405<br>
<br>
Is the CT veth filtering traffic? Or can it not cope with
the volume? <br>
it is strange though that no payload/user traffic, only
protocol (Xcast/broadcast ?) traffic passes from brs0 to
veth42ba2f55 or inside the CTprobe eth1<br>
Am I missing a "capability" ? <br>
<br>
Regards .<br>
<br>
On 10/10/2016 21:24, Jehan Procaccia wrote:<br>
</div>
<blockquote cite="mid:57FBEAF4.9090600@tem-tsp.eu"
type="cite">Indeed ! <br>
that was that last setting missing: <br>
<br>
prlctl set MyCT11 --ifname eth0 --network vlan11 <br>
<br>
now vlans work fine <br>
Just note that I had to add NM_CONTROLLED="no" to all my
ifcfg-xxx definition files, otherwise network restart
failed to start them
<br>
<br>
regards . <br>
<br>
<br>
<br>
On 10/10/2016 09:12, Vasily Averin wrote: <br>
<blockquote type="cite">Dear Jehan, <br>
<br>
Virtuozzo 7 has nice documentation on
docs.virtuozzo.com <br>
<br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge">http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge</a><br>
<br>
in your case you need to bind the container interface to the
newly-created bridge by using the following command:
<br>
<br>
prlctl set MyCT11 --ifname eth0 --network vlan11 <br>
<br>
Thank you, <br>
Vasily Averin <br>
<br>
On 09.10.2016 22:37, Jehan Procaccia wrote: <br>
<blockquote type="cite">I found a method to configure
bridge and vlan based on RHEL docs :
<br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html</a><br>
<br>
in order not to mess with the current config
automatically configured by the virtuozzo7 installer on
em1 and em2 with respective bridges br0 and br1, I
plugged a 3rd interface on the server (fiber) p2p2 :
<br>
<br>
[network-scripts]# cat ifcfg-p2p2 <br>
TYPE=Ethernet <br>
BOOTPROTO=none <br>
NAME=p2p2 <br>
UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44 <br>
DEVICE=p2p2 <br>
ONBOOT=yes <br>
<br>
then the associated subinterface for vlan11 as
described in RHEL7 doc <br>
<br>
# cat ifcfg-p2p2*.11* <br>
DEVICE=p2p2.11 <br>
BOOTPROTO=none <br>
ONBOOT=yes <br>
VLAN=yes <br>
BRIDGE="br11" <br>
<br>
and finally the bridge for that vlan <br>
<br>
# cat ifcfg-br11 <br>
DEVICE="br11" <br>
NAME="p2p2.11" <br>
ONBOOT=yes <br>
NETBOOT=yes <br>
IPV6INIT=yes <br>
BOOTPROTO=dhcp <br>
TYPE="Bridge" <br>
DELAY="2" <br>
STP="off" <br>
<br>
# ip -d link show p2p2.11 <br>
41: p2p2.11@p2p2:
&lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500
qdisc noqueue master br11 state UP mode DEFAULT
<br>
link/ether f4:e9:d4:91:c4:33 brd
ff:ff:ff:ff:ff:ff promiscuity 1 <br>
vlan protocol 802.1Q id 11 &lt;REORDER_HDR&gt;
addrgenmode none <br>
<br>
# ip -d link show br11 <br>
42: br11: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt;
mtu 1500 qdisc noqueue state UP mode DEFAULT
<br>
link/ether f4:e9:d4:91:c4:33 brd
ff:ff:ff:ff:ff:ff promiscuity 0 <br>
bridge addrgenmode none <br>
<br>
<br>
Now I can add my virtual network attached to the
p2p2.11 interface (or should I have chosen br11 !?)
<br>
<br>
# prlsrvctl net add vlan11 --type bridged --ifname
p2p2.11 <br>
# prlsrvctl net list <br>
Network ID Type Bound To
Bridge Slave interfaces <br>
Bridged bridged em2 br1 <br>
Host-Only host-only virbr0 <br>
vlan11 bridged p2p2.11 br11 <br>
<br>
# brctl show <br>
bridge name bridge id STP enabled
interfaces <br>
br0 8000.14187769840a yes em1 <br>
br1 8000.14187769840b no em2 <br>
br11 8000.f4e9d495c432 no p2p2.11 <br>
host-routed 8000.000000000000 no <br>
virbr0 8000.52540064dd31 no
virbr0-nic <br>
<br>
create a container MyCT11 <br>
# prlctl create MyCT11 --vmtype ct <br>
... <br>
Processing metadata for centos-7-x86_64 <br>
...The Container has been successfully created. <br>
<br>
now I add an interface to my CT so that it will be
in vlan11 <br>
<br>
# prlctl set MyCT11 --netif_add eth0 <br>
# prlctl set MyCT11 --ifname eth0 --ipadd
192.168.11.10/24 <br>
# prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1
<br>
<br>
entering the CT and pinging the gateway unfortunately
fails <br>
<br>
CT-bad098d8 /# ping 192.168.11.1 <br>
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of
data. <br>
^C <br>
--- 192.168.11.1 ping statistics --- <br>
3 packets transmitted, 0 received, 100% packet loss,
time 1999ms <br>
<br>
<br>
the pb seems to be that the new CT is attached
to another bridge <br>
<br>
# prlsrvctl net list <br>
Network ID Type Bound To
Bridge Slave interfaces <br>
Bridged bridged em2 *br1
* *veth4250fe85 * <br>
Host-Only host-only virbr0 <br>
vlan11 bridged p2p2.11 br11 <br>
<br>
not to vlan11 network on br11 <br>
<br>
I guess I missed something, where did I go wrong? <br>
anyone has a full scenario to enable vlan through
bridge mode in CT (and VM) ? <br>
<br>
regards . <br>
<br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html">http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html</a><br>
<br>
On 07/10/2016 19:22, Jehan Procaccia wrote: <br>
<blockquote type="cite">hello <br>
<br>
based on <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html">https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html</a><br>
it is not clear to me how to create virtual
networks associated to vlans ? <br>
<br>
On a freshly installed Virtuozzo Linux release 7.2
(3515) on a host with 2 activated interfaces (em1
and em2) in trunk mode (cisco terminology
switchport trunk, allowed vlan 10,11,12, native
10) I cannot find out how to create networks
dedicated to a vlan
<br>
<br>
I tried : <br>
# prlsrvctl net add vlan11 --type bridged --ifname
em2 <br>
Failed to add Virtual Network vlan11: This network
adapter is already in use. Please select another
network adapter and try again.
<br>
<br>
I suspect that because em2 is already bridged to
br1, it cannot be bridged anymore ?
<br>
<br>
Or should I create a
/etc/sysconfig/network-scripts/ifcfg-em2.11 to
have an interface dedicated to vlan11 :
<br>
# cat ifcfg-em2.11 <br>
DEVICE=em2.11 <br>
ONBOOT=yes <br>
TYPE=Ethernet <br>
BOOTPROTO=none <br>
VLAN=yes <br>
<br>
and then try to: /prlsrvctl net add vlan11 --type
bridged --ifname em2.11/ ? <br>
unfortunately after /systemctl restart network/ ,
system complains with : <br>
<br>
Bringing up interface em2.11: Error: Connection
activation failed: No suitable device found for
this connection.
<br>
<br>
has anyone succeeded in configuring CT and VM
attached to vlan (in bridge mode as I want full
feature network with multicast/broadcast) ?
<br>
<br>
Thanks . <br>
<br>
PS : few more information of the actual network
config on the system : <br>
<br>
# ip addr | grep LOWER_UP <br>
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536
qdisc noqueue state UNKNOWN <br>
2: em1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt;
mtu 1500 qdisc mq master br0 state UP qlen 1000
<br>
3: em2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt;
mtu 1500 qdisc mq master br1 state UP qlen 1000
<br>
8: venet0:
&lt;BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP&gt;
mtu 1500 qdisc noqueue state UNKNOWN
<br>
22: br0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt;
mtu 1500 qdisc noqueue state UP <br>
23: br1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt;
mtu 1500 qdisc noqueue state UP <br>
<br>
# prlsrvctl net list <br>
Network ID Type Bound To
Bridge Slave interfaces <br>
Bridged bridged em2 br1 <br>
Host-Only host-only virbr0
<br>
<br>
it is strange that em1 and br0 don't show up here
!? <br>
<br>
# brctl show <br>
bridge name bridge id STP enabled
interfaces <br>
br0 8000.14187769840a no em1 <br>
br1 8000.14187769840b no em2 <br>
host-routed 8000.000000000000 no <br>
virbr0 8000.52540064dd31 no
virbr0-nic <br>
virbr2 8000.52540085818e no
virbr2-nic <br>
<br>
<br>
<br>
<br>
_______________________________________________ <br>
Users mailing list <br>
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:Users@openvz.org">Users@openvz.org</a><br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a><br>
</blockquote>
<br>
<br>
<br>
</blockquote>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</span>
<br>
</blockquote>
<br>
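<div>Added example, not part of the original thread: a shell/awk helper that quantifies the symptom described above by counting traffic classes in "tcpdump -n" text output taken on the bridge and on the veth, then reporting whether unicast payload visible on the bridge is absent on the veth. The function names and verdict strings are assumptions made for this illustration; the sample lines are copied from the two captures quoted in the thread.</div>

```shell
# Added example: count traffic classes in `tcpdump -n` text output (stdin).
classify_capture() {
    awk '
    $2 == "STP" || $2 ~ /^CDPv/ { n["l2ctrl"]++; next }
    $2 == "ARP,"                { n["arp"]++; next }
    $2 == "IP" {
        # $5 is "a.b.c.d.port:" or "a.b.c.d:". A first octet >= 224 means
        # multicast, reserved or limited broadcast, i.e. not host unicast.
        split($5, o, ".")
        if (o[1] + 0 >= 224) n["mcast_bcast"]++; else n["unicast"]++
        next
    }
    { n["other"]++ }
    END { printf "unicast=%d mcast_bcast=%d arp=%d l2ctrl=%d other=%d\n",
          n["unicast"], n["mcast_bcast"], n["arp"], n["l2ctrl"], n["other"] }'
}

unicast_count() { classify_capture < "$1" | sed 's/^unicast=\([0-9]*\).*/\1/'; }

# $1 = capture text taken on the bridge, $2 = capture text taken on the veth
compare_visibility() {
    b=$(unicast_count "$1"); v=$(unicast_count "$2")
    if [ "$b" -eq 0 ]; then echo "INCONCLUSIVE"    # no unicast to compare against
    elif [ "$v" -eq 0 ]; then echo "UNICAST_MISSING"
    else echo "OK"; fi
}

sample_bridge() { cat <<'EOF'
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46
EOF
}
sample_veth() { cat <<'EOF'
10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405
EOF
}

tmp=$(mktemp -d)
sample_bridge > "$tmp/brs0.txt"; sample_veth > "$tmp/veth.txt"
classify_capture < "$tmp/brs0.txt"
classify_capture < "$tmp/veth.txt"
compare_visibility "$tmp/brs0.txt" "$tmp/veth.txt"
rm -rf "$tmp"
```

<div>On a live host the two inputs would be saved "tcpdump -n" output from brs0 and from veth42ba2f55 captured over the same interval.</div>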
</body>
</html>