Bug#574522: clarification of proxy_arp settings
On 19 Mar 2010, at 06:49, Ola Lundqvist wrote:

> However the documentation should also be better described.
> Suggestions on this are highly welcome.

Yes, and the primary question is when proxy_arp should be used.

I've scouted the net and came up with the following:

proxy_arp=0
-----------
http://wiki.openvz.org/Quick_installation
http://wiki.openvz.org/Using_veth_and_brctl_for_protecting_HN_and_saving_IP_addresses

proxy_arp=1
-----------
http://wiki.openvz.org/Virtual_Ethernet_device

http://ckdake.com/content/2008/vlans-in-openvz.html
  "make sure that proxy_arp and forwarding are enabled for bond0.10 in /proc/sys/net/ipv4/conf/bond0.10/"

https://gforge.inria.fr/tracker/index.php?func=detailaid=8459group_id=411atid=5117

Ambiguous
---------
http://en.gentoo-wiki.com/wiki/OpenVZ_VLAN
  "echo 1 > /proc/sys/net/ipv4/conf/$x/proxy_arp"
and then later
  "I doubt that echo 1 > /proc/sys/net/ipv4/conf/$x/proxy_arp is actually needed, at least I've never used it and everything works fine without proxy arp. I even have: net.ipv4.conf.default.proxy_arp = 0"

http://forum.openvz.org/index.php?t=msggoto=10089
  "The funny thing is it doesn't matter if I set the proxy arp to 0 or 1 in the conf-file, networking within the vz is with both options possible."

Summary:
--------
The openvz wiki recommends proxy_arp=0 in some cases, and in some proxy_arp=1. External sites recommend proxy_arp=1 and then some present varying experiences. Some discussions are based on the debian warning message itself, so there is some feedback loop involved as well :-).

The cause for the debian proxy_arp=1 setting seems to be bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=387762

I have a similar setup; one private and one public address on the host node, and then other public addresses for the guests. This works without proxy_arp enabled. Worse, enabling proxy_arp produced arpsend warnings and possibly other problems. Maybe something else has changed from 2006 until now such that proxy_arp is not needed?

If only openvz.org is trusted, it seems proxy_arp should only be used when using veth devices, and not venet devices.

Perhaps you could contact upstream to get a more definite answer.

BR
Stefan

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#574522: clarification of proxy_arp settings
Hi Kir and others in the openvz team

There are some uncertainties on how to set the proxy_arp setting. I assume it is needed whenever the interface needs to announce its IP address to the outside network (i.e. when the host does not act as router), but I'm not 100% sure in which cases that is.

Can you shed some light on this?

For more information, see http://bugs.debian.org/574522

Best regards,

// Ola

On Fri, Mar 26, 2010 at 07:11:32AM +0100, Stefan Alfredsson wrote:
> On 19 Mar 2010, at 06:49, Ola Lundqvist wrote:
>
> > However the documentation should also be better described.
> > Suggestions on this are highly welcome.
>
> Yes, and the primary question is when proxy_arp should be used.
>
> I've scouted the net and came up with the following:
>
> proxy_arp=0
> -----------
> http://wiki.openvz.org/Quick_installation
> http://wiki.openvz.org/Using_veth_and_brctl_for_protecting_HN_and_saving_IP_addresses
>
> proxy_arp=1
> -----------
> http://wiki.openvz.org/Virtual_Ethernet_device
>
> http://ckdake.com/content/2008/vlans-in-openvz.html
>   "make sure that proxy_arp and forwarding are enabled for bond0.10 in /proc/sys/net/ipv4/conf/bond0.10/"
>
> https://gforge.inria.fr/tracker/index.php?func=detailaid=8459group_id=411atid=5117
>
> Ambiguous
> ---------
> http://en.gentoo-wiki.com/wiki/OpenVZ_VLAN
>   "echo 1 > /proc/sys/net/ipv4/conf/$x/proxy_arp"
> and then later
>   "I doubt that echo 1 > /proc/sys/net/ipv4/conf/$x/proxy_arp is actually needed, at least I've never used it and everything works fine without proxy arp. I even have: net.ipv4.conf.default.proxy_arp = 0"
>
> http://forum.openvz.org/index.php?t=msggoto=10089
>   "The funny thing is it doesn't matter if I set the proxy arp to 0 or 1 in the conf-file, networking within the vz is with both options possible."
>
> Summary:
> --------
> The openvz wiki recommends proxy_arp=0 in some cases, and in some proxy_arp=1. External sites recommend proxy_arp=1 and then some present varying experiences. Some discussions are based on the debian warning message itself, so there is some feedback loop involved as well :-).
>
> The cause for the debian proxy_arp=1 setting seems to be bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=387762
>
> I have a similar setup; one private and one public address on the host node, and then other public addresses for the guests. This works without proxy_arp enabled. Worse, enabling proxy_arp produced arpsend warnings and possibly other problems. Maybe something else has changed from 2006 until now such that proxy_arp is not needed?
>
> If only openvz.org is trusted, it seems proxy_arp should only be used when using veth devices, and not venet devices.
>
> Perhaps you could contact upstream to get a more definite answer.
>
> BR
> Stefan

--
Ola Lundqvist
o...@debian.org, o...@inguza.com
Annebergsslingan 37, 654 65 KARLSTAD
http://inguza.com/  +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Bug#574522: clarification of proxy_arp settings
severity 574522 minor
thanks

Hi Stefan

Warning code removed. The remaining part of this bug is to update the documentation as well. This is the reason for lowering the priority.

Best regards,

// Ola

On Thu, Mar 18, 2010 at 08:54:12PM +0100, Stefan Alfredsson wrote:
> Package: vzctl
> Version: 3.0.23-8
>
> There seems to be confusion about the setting of the sysctl proxy_arp key.
>
> On one hand, http://wiki.openvz.org/Quick_installation has
>
>   net.ipv4.conf.default.proxy_arp = 0
>
> But when starting a VE with vzctl, I get the error message
>
>   vps-net_add WARNING: Function proxy_arp for eth0 is set to 0. See /usr/share/doc/vzctl/README.Debian
>
> Indeed, README.Debian is also ambiguous on this point. Both variants are used.
>
>   "If you want network access for the virtual server then you need to enable IP forwarding. ... proxy_arp=0 ..."
>
>   "If you want the virtual server to directly access the network you need to enable proxy_arp... proxy_arp=1"
>
> Does perhaps "directly access" refer to veth rather than venet devices? In that case this whole thing might make sense.
>
> However, after setting up a second server on the same network I get address in use errors:
>
>   Starting container ...
>   Container is mounted
>   Adding IP address(es): 10.158.117.145
>   arpsend: 10.158.117.145 is detected on another computer : 00:18:fe:fb:32:02
>
> The .145 is not configured on the other host, but rather the proxy_arp setting causes it to reply to the arp query. This will cause problems unless there is only one server on the subnet.
>
> But maybe the bug is elsewhere. Why would openvz proxy requests for addresses that are not configured? Maybe the semantic of proxy_arp has changed between kernel versions?
>
> Regards,
> Stefan

--
Ola Lundqvist
o...@debian.org, o...@inguza.com
Annebergsslingan 37, 654 65 KARLSTAD
http://inguza.com/  +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Bug#574522: clarification of proxy_arp settings
Package: vzctl
Version: 3.0.23-8

There seems to be confusion about the setting of the sysctl proxy_arp key.

On one hand, http://wiki.openvz.org/Quick_installation has

  net.ipv4.conf.default.proxy_arp = 0

But when starting a VE with vzctl, I get the error message

  vps-net_add WARNING: Function proxy_arp for eth0 is set to 0. See /usr/share/doc/vzctl/README.Debian

Indeed, README.Debian is also ambiguous on this point. Both variants are used.

  "If you want network access for the virtual server then you need to enable IP forwarding. ... proxy_arp=0 ..."

  "If you want the virtual server to directly access the network you need to enable proxy_arp... proxy_arp=1"

Does perhaps "directly access" refer to veth rather than venet devices? In that case this whole thing might make sense.

However, after setting up a second server on the same network I get address in use errors:

  Starting container ...
  Container is mounted
  Adding IP address(es): 10.158.117.145
  arpsend: 10.158.117.145 is detected on another computer : 00:18:fe:fb:32:02

The .145 is not configured on the other host, but rather the proxy_arp setting causes it to reply to the arp query. This will cause problems unless there is only one server on the subnet.

But maybe the bug is elsewhere. Why would openvz proxy requests for addresses that are not configured? Maybe the semantic of proxy_arp has changed between kernel versions?

Regards,
Stefan
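Added example, not part of the original thread or of vzctl: a shell audit of the per-interface proxy_arp and forwarding keys discussed in this report, to identify which interface on a host would answer ARP for addresses it does not hold. It applies the kernel rule that proxy ARP is on when either conf/all or the interface's own key is 1; the function names, state labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit proxy ARP state per interface from a conf tree laid out like
# /proc/sys/net/ipv4/conf. Function and state names are this example's own.

# Read one sysctl file; treat a missing file as 0.
read_key() { cat "$1" 2>/dev/null || echo 0; }

# proxy_arp_audit [CONF_DIR] prints one line per interface:
#   <if> proxy_arp=<n> forwarding=<n> <state>
proxy_arp_audit() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_pa=$(read_key "$conf_dir/all/proxy_arp")
    # "default" only seeds interfaces created later (e.g. a new veth).
    printf 'default proxy_arp=%s (inherited by new interfaces)\n' \
        "$(read_key "$conf_dir/default/proxy_arp")"
    for dir in "$conf_dir"/*/; do
        [ -d "$dir" ] || continue
        ifname=$(basename "$dir")
        case "$ifname" in all|default) continue ;; esac
        pa=$(read_key "$dir/proxy_arp")
        fwd=$(read_key "$dir/forwarding")
        # Kernel rule: proxy ARP is on if all/ OR the interface key is 1.
        if [ "$all_pa" = 1 ] || [ "$pa" = 1 ]; then
            # The kernel only proxies ARP on interfaces that also forward.
            if [ "$fwd" = 1 ]; then state=answers-for-routed-addresses
            else state=enabled-but-not-forwarding; fi
        else
            state=off
        fi
        printf '%s proxy_arp=%s forwarding=%s %s\n' "$ifname" "$pa" "$fwd" "$state"
    done
}

# Constructed sample tree (not real host data) so the audit runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    for spec in all:0:1 default:0:1 eth0:1:1 eth1:1:0 venet0:0:1; do
        name=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$root/$name"
        echo "${rest%%:*}" > "$root/$name/proxy_arp"
        echo "${rest#*:}" > "$root/$name/forwarding"
    done
    echo "$root"
}

sample=$(make_sample_tree)
proxy_arp_audit "$sample"
rm -rf "$sample"
```

Called with no argument, `proxy_arp_audit` reads the live /proc/sys/net/ipv4/conf tree; running it on each host of the subnet shows which one is in the `answers-for-routed-addresses` state when arpsend reports an address on another computer.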
Bug#574522: clarification of proxy_arp settings
Hi Stefan

Yes you are right. This is indeed ambiguous on this point. This warning is also Debian specific, and should be simply removed.

However the documentation should also be better described. Suggestions on this are highly welcome.

Best regards,

// Ola

On Thu, Mar 18, 2010 at 08:54:12PM +0100, Stefan Alfredsson wrote:
> Package: vzctl
> Version: 3.0.23-8
>
> There seems to be confusion about the setting of the sysctl proxy_arp key.
>
> On one hand, http://wiki.openvz.org/Quick_installation has
>
>   net.ipv4.conf.default.proxy_arp = 0
>
> But when starting a VE with vzctl, I get the error message
>
>   vps-net_add WARNING: Function proxy_arp for eth0 is set to 0. See /usr/share/doc/vzctl/README.Debian
>
> Indeed, README.Debian is also ambiguous on this point. Both variants are used.
>
>   "If you want network access for the virtual server then you need to enable IP forwarding. ... proxy_arp=0 ..."
>
>   "If you want the virtual server to directly access the network you need to enable proxy_arp... proxy_arp=1"
>
> Does perhaps "directly access" refer to veth rather than venet devices? In that case this whole thing might make sense.
>
> However, after setting up a second server on the same network I get address in use errors:
>
>   Starting container ...
>   Container is mounted
>   Adding IP address(es): 10.158.117.145
>   arpsend: 10.158.117.145 is detected on another computer : 00:18:fe:fb:32:02
>
> The .145 is not configured on the other host, but rather the proxy_arp setting causes it to reply to the arp query. This will cause problems unless there is only one server on the subnet.
>
> But maybe the bug is elsewhere. Why would openvz proxy requests for addresses that are not configured? Maybe the semantic of proxy_arp has changed between kernel versions?
>
> Regards,
> Stefan

--
Ola Lundqvist
o...@debian.org, o...@inguza.com
Annebergsslingan 37, 654 65 KARLSTAD
http://inguza.com/  +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9