Re: [Lxc-users] Mixing public and private IPs for guests - network configuration?
On 5/21/2011 7:48 PM, Benjamin Kiessling wrote: Hi, Indeed this is not a virtualization specific problem. You want your host to operate as a router for the other two IP addresses and, depending on the configuration of OVH, ARP-Proxy the whole stuff. Assuming you want have PUB-IP1 on the host and want to assign PUB-IP2 to the container (lets say with veths). Just assign PUB-IP1 to your host (ip addr a PUB-IP1 dev ethN), add the route for PUB-IP2 to the veth of the container on the host (ip r a PUB-IP2 dev vethN), add PUB-IP2 to the interface in the container (ip addr a PUB-IP2 dev vethContainer) and set a default route over PUB-IP1 in the container (ip r a PUB-IP1/32 dev vethContainer ip r a default via PUB-IP1 dev vethContainer). Enable Routing (/proc/sys/net/ipv4/ip_forward) and if OVH uses reverse path filtering proxy-arp (/proc/sys/net/ipv4/conf/$DEV/proxy_arp) on the host. That should do it. You could use a bridge and still reach all containers (the bridge would have the address PUB-IP1 and would include all veths and the physical device) but it'll complicate the setup if NAT is required for certain containers. Just set the routes explicitly for each container veth. Regards, Benjamin Kiessling I'm not the OP but just wanted to say this was good stuff and I appreciate a handy run-down like that. -- bkw -- What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Mixing public and private IPs for guests - network configuration?
And what about using the virtual Mac address service provided by OVH ? Here is a brief description on how to configure your server : 1) IP failover and virtual Mac address Let's consider your host public IP address is 91.123.123.123, and your guests public IP failover addresses are 91.2.2.2 (GUEST1) and 91.3.3.3 (GUEST2). From your OVH Manager, assign a virtual Mac address to each of your IP failover. Select the VMware type (OVH type should also work, but I haven't yet tested). Let's assume your virtual Mac addresses for each IP failover are : GUEST1: 91.2.2.2 --- 00:50:56:0a:2a:aa GUEST2: 91.3.3.3 --- 00:50:56:0b:3b:bb 2) Host network configuration Then, set up your host network by editing the /etc/network/interfaces, and replacing the eth0 by a br0 interface. Your file should look like this : # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback auto br0 iface br0 inet static address 91.123.123.123 netmask 255.255.255.0 gateway 91.123.123.254 network 91.123.123.0 broadcast 91.123.123.255 bridge_ports eth0 bridge_stp off bridge_maxwait 5 bridge_fd 0 Don't forget to restart your network (/etc/init.d/networking restart). 3) Guest configuration file Once your host network new configuration is up, edit the network part of your guest's configuration file (/var/lib/lxc/GUEST/config) with the IP failover and Mac adresses : lxc.utsname = GUEST1 lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.network.name = eth0 lxc.network.veth.pair = vethGUEST1 lxc.network.ipv4 = 91.2.2.2 lxc.network.hwaddr = 00:50:56:0a:2a:aa And for GUEST2: lxc.utsname = GUEST2 lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.network.name = eth0 lxc.network.veth.pair = vethGUEST2 lxc.network.ipv4 = 91.3.3.3 lxc.network.hwaddr = 00:50:56:0b:3b:bb 4) Guest network configuration Then, add eth0 interface to your guest's /etc/network/interfaces file. The default gateway IP address should be the same as your host's one (for OVH servers, just replace the last byte of your host IP address by 254 (91.123.123.254 in my example) : auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 91.2.2.2 netmask 255.255.255.255 broadcast 91.2.2.2 post-up route add 91.123.123.254 dev eth0 post-up route add default gw 91.123.123.254 post-down route del 91.123.123.254 dev eth0 post-down route del default gw 91.123.123.254 That's it :-) Just be aware that with this set-up, all IP routing is performed by OVH router, that is when the host discusses with guests, datas will first pass through OVH network, and then go back to your server. If you feel this a privacy/security problem, you can't use the above set-up, and have no other choice but creating an internal private network between your host and your guests (if you can read French, just have a look at my (ugly) draft web page (www.delloye.org), where I describe how to configure it). Regards, Olivier -- What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Mixing public and private IPs for guests - network configuration?
Hi, Indeed this is not a virtualization specific problem. You want your host to operate as a router for the other two IP addresses and, depending on the configuration of OVH, ARP-Proxy the whole stuff. Assuming you want have PUB-IP1 on the host and want to assign PUB-IP2 to the container (lets say with veths). Just assign PUB-IP1 to your host (ip addr a PUB-IP1 dev ethN), add the route for PUB-IP2 to the veth of the container on the host (ip r a PUB-IP2 dev vethN), add PUB-IP2 to the interface in the container (ip addr a PUB-IP2 dev vethContainer) and set a default route over PUB-IP1 in the container (ip r a PUB-IP1/32 dev vethContainer ip r a default via PUB-IP1 dev vethContainer). Enable Routing (/proc/sys/net/ipv4/ip_forward) and if OVH uses reverse path filtering proxy-arp (/proc/sys/net/ipv4/conf/$DEV/proxy_arp) on the host. That should do it. You could use a bridge and still reach all containers (the bridge would have the address PUB-IP1 and would include all veths and the physical device) but it'll complicate the setup if NAT is required for certain containers. Just set the routes explicitly for each container veth. Regards, Benjamin Kiessling signature.asc Description: Digital signature -- What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Mixing public and private IPs for guests - network configuration?
On Sun, May 22, 2011 at 01:48:12AM +0200, Benjamin Kiessling wrote: Indeed this is not a virtualization specific problem. You want your host to operate as a router for the other two IP addresses and, depending on the configuration of OVH, ARP-Proxy the whole stuff. Since the hoster is thankfully routing the second and third IP address to the first, Proxy ARP is not needed. I would use simple routing like this: Be the official addresse 192.0.2.4/28, 192.0.2.200 and 192.0.2.220. This is deliberately chosen so that the second and third addresses are not in the same IP network as the first. The host has eth0 to connect to the outside, and br0 to connect to the guests. eth0 and br0 are _NOT_ bridged together. This is what, for example, VMware, calls host only networking. The guests are configured to have their local eth0 bridged to the hosts's br0. Configure the host: ip addr add dev eth0 192.0.2.4/28 brd + ip route add default via defaultgw ip addr add dev br0 172.16.0.1/24 brd + ip route add to 192.0.2.200 via 172.16.0.2 ip route add to 192.0.2.220 via 172.16.0.3 echo 1 /proc/sys/net/ipv4/ip_forward Configure guest1: ip addr add dev eth0 172.16.0.2/4 brd + ip addr add dev eth0 192.0.2.200/32 ip route add default via 172.16.0.1 Configure guest2: ip addr add dev eth0 172.16.0.3/4 brd + ip addr add dev eth0 192.0.2.220/32 ip route add default via 172.16.0.1 This basically builds an RFC1918-numbered transfer network between the host and the guests (thus saving an IP address which would be needed for the host's internal interface otherwise) and instructs the host to forward packets for the guest's official IPs to their site local IP addresses. The second ip addr add statement on the guests tells them that they need to accept packets for their official IP addresses as well. Have you considered IPv6? Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190 -- What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
