Hello Timh,
From: "Timh B" <[email protected]>
On Fri, October 7, 2011 12:46, Daniel Bauer wrote:
It's an really interesting solution. I've to look at the VLAN
technic,
because I've never used it.
One thing was, that nobody - only the HN - could change the IP for a
CT.
This issue couldn't be solved by VLAN or veth, so I thought to use
venet.
Now I think I'll prefer the bultin veth technic to solve my problem
right now.
I would also suggest you go this path, configure your "dedicated"
hn-nic
(for this example, let's say it's eth0) as usual with the ip-address
you
want.
Example (debian):
iface eth0 inet static
address x.y.z.n
netmask x.x.x.0
gateway x.y.z.n
iface eth1 inet manual
iface eth1.100 inet manual
vlan_raw_device eth0
iface eth1.200 inet manual
vlan_raw_device eth0
iface vmbr100 inet manual
bridge_ports eth1.100
bridge_stp off
bridge_fd 0
iface vmbr200 inet manual
bridge_ports eth1.200
bridge_stp off
bridge_fd 0
--
Then, when creating your ct's you simple omit the --ipaddress flag on
vzctl command and run vzctl <VEID> set --save --netif_add
eth0,,,,vmbr100
and configure "eth0" within the CT.
This will put the ct-network in vlan100 on (hn) eth1 (which as you can
see, has no ip-address configured) on the bridge vmbr100 as
veth<VEID>.0
(confirm with "brctl show"). Note: you will have to configure your
switch
to send the vlan as "tagged" to the eth1 interface.
For your security concerns I suggest you look into mac-filtering or
maybe
check for mismatches between mac and ip addresses you have configured
for
the CT, the --netif_add command will generate a mac-address or you can
set
one manually.
The veth<VEID>.0 interface will also show up in the HN and you can do
firewalling with something like this;
-A OUTPUT -o veth<VEID>.0 -s <IP> -j ACCEPT
-A OUTPUT -o veth<VEID>.0 -j DROP
(You will have to check the iptables-commands as I wrote them from the
top
of my head!)
Thanks a lot for this explanation.
Daniel
_______________________________________________
Users mailing list
[email protected]
https://openvz.org/mailman/listinfo/users
