<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello<br>
<br>
I'm back to my vlan/bridge/vm-interface ...<br>
although it works fine for my containers' primary interfaces (eth0)
<br>
I have a specific container that has 2 interfaces, the second
being for a probe on the network (tcpdump, snort etc ...) <br>
unfortunately only minimal traffic seems to be forwarded into the
container on that second interface, not all; I do see the whole
traffic within the physical interface and its bridge on the
physical host, but not on the veth into the CT !?<br>
<br>
here's the physical and config situation: on the physical host I
plug the Cisco mirrored outbound/WAN interface into em3 (physical
interface on the host)<br>
<br>
I created a virtual network for that probe attached to em3 and
associated to bridge brs0<br>
<br>
# prlsrvctl net add probenet --type bridged --ifname em3<br>
# prlsrvctl net list <br>
Network ID Type Bound To Bridge Slave
interfaces<br>
Host-Only host-only
virbr0 <br>
<b>probenet bridged em3 brs0
veth42ba2f55 </b><br>
...<br>
<br>
my CT's 2nd interface (eth1, eth0 being the 1st one) is attached to
that network <br>
<br>
# prlctl set CTprobe --netif_add eth1<br>
# prlctl set CTprobe --ifname eth1 --network probenet<br>
<br>
my problem is that a tcpdump -i em3 or brs0 on the physical host
does show all traffic on my outbound Cisco WAN mirrored interface<br>
here is a very small sample (hundreds of packets per second ...)<br>
# tcpdump -i brs0 -n<br>
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757:
UDP, length 1350<br>
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813:
Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460<br>
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp:
HSRPv1<br>
10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp:
HSRPv1<br>
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell
193.157.41.1, length 46<br>
<br>
if I do the same tcpdump -i veth42ba2f55, or inside the CTprobe -i
eth1, only protocol traffic seems to pass through
(STP, ARP, HSRP ...), no user payload (https, ssh etc ...), and
only a dozen packets per second (there were hundreds on brs0
or em3) <br>
<br>
# tcpdump -i veth42ba2f55 -n <br>
10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id
8d52.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell
193.157.41.1, length 46<br>
10:45:31.281744 ARP, Request who-has 193.157.41.17 tell
193.157.41.1, length 46<br>
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello,
length 38<br>
10:45:31.383549 ARP, Request who-has 193.157.41.31 tell
193.157.41.1, length 46<br>
10:45:31.456594 ARP, Request who-has 193.157.41.34 tell
193.157.41.1, length 46<br>
10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id
89ce.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id
8168.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id
89da.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id
89cf.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp:
HSRPv1<br>
10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id
89d0.00:20:56:1e:a6:80.8040, length 42<br>
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr',
length 405<br>
<br>
Is the CT veth filtering traffic? or can it not cope with the volume?
<br>
it is strange though that no payload/user traffic, only protocol
(Xcast/broadcast ?) traffic, passes from brs0 to veth42ba2f55 or
inside the CTprobe eth1<br>
Am I missing a "capability"? <br>
<br>
Regards .<br>
<br>
On 10/10/2016 21:24, Jehan Procaccia wrote:<br>
</div>
<blockquote cite="mid:57FBEAF4.9090600@tem-tsp.eu" type="cite">Indeed
!
<br>
that was the last setting missing:
<br>
<br>
prlctl set MyCT11 --ifname eth0 --network vlan11
<br>
<br>
now vlans works fine
<br>
Just note that I had to add NM_CONTROLLED="no" to all my ifcfg-xxx
definition files, otherwise network restart failed to start them
<br>
<br>
regards .
<br>
<br>
<br>
<br>
On 10/10/2016 09:12, Vasily Averin wrote:
<br>
<blockquote type="cite">Dear Jehan,
<br>
<br>
Virtuozzo 7 has nice documentation on docs.virtuozzo.com
<br>
<br>
<a class="moz-txt-link-freetext" href="http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge">http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge</a>
<br>
<br>
in your case you need to bind the container interface to the
newly-created bridge by using the following command:
<br>
<br>
prlctl set MyCT11 --ifname eth0 --network vlan11
<br>
<br>
Thank you,
<br>
Vasily Averin
<br>
<br>
On 09.10.2016 22:37, Jehan Procaccia wrote:
<br>
<blockquote type="cite">I found a method to configure bridge and
vlan based on RHEL docs :
<br>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html</a>
<br>
<br>
in order not to mess with the current config automatically
configured by the virtuozzo7 installer on em1 and em2 with their
respective bridges br0 and br1, I plugged a 3rd interface on the
server (fiber) p2p2 :
<br>
<br>
[network-scripts]# cat ifcfg-p2p2
<br>
TYPE=Ethernet
<br>
BOOTPROTO=none
<br>
NAME=p2p2
<br>
UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
<br>
DEVICE=p2p2
<br>
ONBOOT=yes
<br>
<br>
then the associated subinterface for vlan11 as described in
RHEL7 doc
<br>
<br>
# cat ifcfg-p2p2.11
<br>
DEVICE=p2p2.11
<br>
BOOTPROTO=none
<br>
ONBOOT=yes
<br>
VLAN=yes
<br>
BRIDGE="br11"
<br>
<br>
and finally the bridge for that vlan
<br>
<br>
# cat ifcfg-br11
<br>
DEVICE="br11"
<br>
NAME="p2p2.11"
<br>
ONBOOT=yes
<br>
NETBOOT=yes
<br>
IPV6INIT=yes
<br>
BOOTPROTO=dhcp
<br>
TYPE="Bridge"
<br>
DELAY="2"
<br>
STP="off"
<br>
<br>
# ip -d link show p2p2.11
<br>
41: p2p2.11@p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
1500 qdisc noqueue master br11 state UP mode DEFAULT
<br>
link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff
promiscuity 1
<br>
vlan protocol 802.1Q id 11 <REORDER_HDR>
addrgenmode none
<br>
<br>
# ip -d link show br11
<br>
42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc noqueue state UP mode DEFAULT
<br>
link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff
promiscuity 0
<br>
bridge addrgenmode none
<br>
<br>
<br>
Now I can add my virtual network attached to the p2p2.11
interface (or should I have chosen br11 !?)
<br>
<br>
# prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
<br>
# prlsrvctl net list
<br>
Network ID Type Bound To Bridge
Slave interfaces
<br>
Bridged bridged em2 br1
<br>
Host-Only host-only virbr0
<br>
vlan11 bridged p2p2.11 br11
<br>
<br>
# brctl show
<br>
bridge name bridge id STP enabled interfaces
<br>
br0 8000.14187769840a yes em1
<br>
br1 8000.14187769840b no em2
<br>
br11 8000.f4e9d495c432 no p2p2.11
<br>
host-routed 8000.000000000000 no
<br>
virbr0 8000.52540064dd31 no virbr0-nic
<br>
<br>
create a container MyCT11
<br>
# prlctl create MyCT11 --vmtype ct
<br>
...
<br>
Processing metadata for centos-7-x86_64
<br>
...The Container has been successfully created.
<br>
<br>
now I add an interface to my CT so that it will be in vlan11
<br>
<br>
# prlctl set MyCT11 --netif_add eth0
<br>
# prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
<br>
# prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1
<br>
<br>
entering the CT and pinging the gateway unfortunately fails
<br>
<br>
CT-bad098d8 /# ping 192.168.11.1
<br>
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
<br>
^C
<br>
--- 192.168.11.1 ping statistics ---
<br>
3 packets transmitted, 0 received, 100% packet loss, time
1999ms
<br>
<br>
<br>
the problem seems to be that the new CT is attached to another
bridge
<br>
<br>
# prlsrvctl net list
<br>
Network ID Type Bound To Bridge
Slave interfaces
<br>
Bridged bridged em2 <b>br1
veth4250fe85</b>
<br>
Host-Only host-only virbr0
<br>
vlan11 bridged p2p2.11 br11
<br>
<br>
not to vlan11 network on br11
<br>
<br>
I guess I missed something, where did I go wrong ?
<br>
does anyone have a full scenario to enable vlan through bridge mode
in CT (and VM) ?
<br>
<br>
regards .
<br>
<br>
<a class="moz-txt-link-freetext" href="http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html">http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html</a>
<br>
<br>
On 07/10/2016 19:22, Jehan Procaccia wrote:
<br>
<blockquote type="cite">hello
<br>
<br>
based on
<a class="moz-txt-link-freetext" href="https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html">https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html</a><br>
it is not clear to me how to create virtual networks
associated to vlans ?
<br>
<br>
On a freshly installed Virtuozzo Linux release 7.2 (3515) on
a host with 2 activated interfaces (em1 and em2) in trunk
mode (Cisco terminology: switchport trunk, allowed vlan
10,11,12, native 10) I cannot find out how to create
networks dedicated to a vlan
<br>
<br>
I tried :
<br>
# prlsrvctl net add vlan11 --type bridged --ifname em2
<br>
Failed to add Virtual Network vlan11: This network adapter
is already in use. Please select another network adapter and
try again.
<br>
<br>
I suspect that because em2 is already bridged to br1, it
cannot be bridged anymore ?
<br>
<br>
Or should I create a
/etc/sysconfig/network-scripts/ifcfg-em2.11 to have an
interface dedicated to vlan11 :
<br>
# cat ifcfg-em2.11
<br>
DEVICE=em2.11
<br>
ONBOOT=yes
<br>
TYPE=Ethernet
<br>
BOOTPROTO=none
<br>
VLAN=yes
<br>
<br>
and then try to: <i>prlsrvctl net add vlan11 --type bridged
--ifname em2.11</i> ?
<br>
unfortunately after <i>systemctl restart network</i>, the system
complains with :
<br>
<br>
Bringing up interface em2.11: Error: Connection activation
failed: No suitable device found for this connection.
<br>
<br>
has anyone succeeded in configuring CT and VM attached to a vlan
(in bridge mode as I want a full-feature network with
multicast/broadcast) ?
<br>
<br>
Thanks .
<br>
<br>
PS : a bit more information on the actual network config on
the system :
<br>
<br>
# ip addr | grep LOWER_UP
<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
state UNKNOWN
<br>
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc mq master br0 state UP qlen 1000
<br>
3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc mq master br1 state UP qlen 1000
<br>
8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP>
mtu 1500 qdisc noqueue state UNKNOWN
<br>
22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc noqueue state UP
<br>
23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc noqueue state UP
<br>
<br>
# prlsrvctl net list
<br>
Network ID Type Bound To Bridge
Slave interfaces
<br>
Bridged bridged em2 br1
<br>
Host-Only host-only virbr0
<br>
<br>
it is strange that em1 and br0 don't show up here !?
<br>
<br>
# brctl show
<br>
bridge name bridge id STP enabled interfaces
<br>
br0 8000.14187769840a no em1
<br>
br1 8000.14187769840b no em2
<br>
host-routed 8000.000000000000 no
<br>
virbr0 8000.52540064dd31 no virbr0-nic
<br>
virbr2 8000.52540085818e no virbr2-nic
<br>
<br>
<br>
<br>
<br>
_______________________________________________
<br>
Users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
</blockquote>
<br>
<br>
<br>
</blockquote>
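<p>Added example for the veth/mirror question in the top message; this is not code from the thread, OpenVZ or Virtuozzo. A Linux bridge floods broadcast, multicast and unknown-unicast frames to every port, but forwards a known unicast frame only to the port on which it learned the destination MAC. On a mirror (SPAN) feed every destination MAC is also seen as a source address on the uplink port em3, so the bridge learns it there and never hands the unicast frame to the container's veth, which is consistent with veth42ba2f55 seeing only ARP, STP, HSRP, PIM and CDP. The script below measures that symptom from the two captures quoted in the message: it classifies each tcpdump -n line by whether a bridge would flood it, and flags the "uplink carries unicast, port sees none" pattern. The sample lines are copied from the message and embedded as constructed input; the function names are mine.</p>

```python
"""Classify tcpdump -n lines by whether a Linux bridge floods them.

Added example for the thread above; not code from the thread, OpenVZ or
Virtuozzo. A bridge floods broadcast, multicast and unknown-unicast
frames to every port, but forwards a known unicast frame only to the
port on which it learned the destination MAC. On a mirror feed the
destination MACs are also seen as sources on the uplink, so the bridge
learns them there and the container's veth only ever sees flooded
frames. This script measures that symptom from two captures.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input: lines copied from the two captures quoted
# in the top message (tcpdump -i brs0 -n and tcpdump -i veth42ba2f55 -n).
BRS0_CAPTURE = """\
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46
"""

VETH_CAPTURE = """\
10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405
"""

# "<ts> IP <src>[.port] > <dst>[.port]: ..." as printed by tcpdump -n
IP_LINE = re.compile(r"^\S+ IP (\S+) > (\S+):")

# Link-layer protocols tcpdump prints without an IP header; each is sent
# to the broadcast or a reserved multicast MAC, so the bridge floods it.
FLOODED_L2 = {"STP", "CDPv2", "LLDP"}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def _host_part(endpoint: str) -> str:
    """Strip the trailing '.port' or '.service' from '147.157.103.21.54757'."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) > 4 else endpoint


def classify(line: str) -> str:
    """Return 'flooded', 'unicast' or 'other' for one tcpdump -n line."""
    m = IP_LINE.match(line)
    if m:
        dst = ipaddress.ip_address(_host_part(m.group(2)))
        if dst.is_multicast or dst == LIMITED_BROADCAST:
            return "flooded"
        return "unicast"
    fields = line.split(" ", 2)
    proto = fields[1].rstrip(",") if len(fields) > 1 else ""
    if proto == "ARP":
        # ARP requests go to ff:ff:ff:ff:ff:ff; replies go back to the asker.
        return "unicast" if "Reply" in line else "flooded"
    if proto in FLOODED_L2:
        return "flooded"
    return "other"


def summarize(capture: str) -> Counter:
    """Count the classes of all non-empty lines in a capture."""
    return Counter(classify(l) for l in capture.splitlines() if l.strip())


def only_flooded_reaches_port(uplink: str, port: str) -> bool:
    """True when the uplink carries unicast but the port sees none: the
    signature of a learning bridge feeding a monitor port."""
    return summarize(uplink)["unicast"] > 0 and summarize(port)["unicast"] == 0


if __name__ == "__main__":
    for name, cap in (("brs0", BRS0_CAPTURE), ("veth42ba2f55", VETH_CAPTURE)):
        print(f"{name}: {dict(summarize(cap))}")
    print("only flooded frames reach the veth:",
          only_flooded_reaches_port(BRS0_CAPTURE, VETH_CAPTURE))
```

<p>On the host the matching check is <i>bridge fdb show br brs0</i>: if the destination MACs of the mirrored flows are listed as learned on em3, the bridge will not forward those frames to the veth, regardless of what the container does. The usual remedy for a monitor port, suggested here as my own and not drawn from the thread, is to stop the bridge from learning on the uplink (<i>bridge link set dev em3 learning off</i>, or <i>brctl setageing brs0 0</i> to make the whole bridge flood like a hub) and to keep the container's eth1 in promiscuous mode so the probe accepts frames addressed to other MACs.</p>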
<br>
</body>
</html>