Re: [Vserver] Bug/Issue with Routing, Multiple NICs and vServers
On Fri February 10 2006 02:50, Herbert Poetzl wrote:
> On Fri, Feb 10, 2006 at 08:58:05AM +0100, Oliver Welter wrote:
> > Hi Folks,
> >
> > I encounter several problems regarding routing with a vServer host that
> > has multiple networks.
> >
- - - - snip
>
> if you want a schizophrenic host which can handle separate
> networks, you simply have to configure that properly, in
> your case that means to create two tables which contain
> the separate network entries and only put the 'shared' net
> in the main table, then have appropriate rules decide which
> table to choose from, based on the source ip
>
> this is nothing Linux-VServer specific, it is the way how
> linux networking works and it will not change without some
> kind of network stack virtualization, which will be done
> in the upcoming ngnet ...
>
> best,
> Herbert
>

Warning - - not tried in real operation - -

Enable the bridging code in your kernel config...
Add all of your nics to the bridge...
Set up your IP tables to send anything 'out of box' to the bridge...
Use the bridge rules to block/route/whatever things to proper nic.

Last time I used the bridging rules (before adopted in stock kernel),
there was not a 'drop on the floor' target...
So configure the 'dummy network device' into your kernel - you can use
that as a '/dev/null' in the bridge rules.

Careful - such a setup can become incomprehensible in a hurry.

Mike
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

Re: [Vserver] build method
On Fri, Feb 10, 2006 at 03:00:11PM +0530, sukrit wrote:
> On Fri, 2006-02-10 at 08:40 +0100, Herbert Poetzl wrote:
> > On Fri, Feb 10, 2006 at 11:55:38AM +0530, sukrit wrote:
> > > I'm using vserver-2.0.1 on CentOS. I got the patch in and created a
> > > number of vservers using the "legacy" method, as I wanted the vservers
> >
> > vserver build -m legacy ?
>
> Well this is what vserver -build --help says:
>
> legacy ... the "old" copy-all-from-host method, which requires the
>            old legacy vserver-legacy script; with this
>            method the cfg-options will be ignored
>
> >
> > well, I'd start with creating a new style config for
> > that guest or at least fixing up the legacy config
> >
> > you can create a new config with the skeleton method
> > and then copy over your guest data into the created
> > skeleton ...
> >
>
> Got a doc on that? I used to just create my vservers by doing "#vserver
> vsname build" in my 2.4 deployment of vservers. What would the simplest
> thing equivalent to that be in the new version of vservers? All I want
> is for my vservers to be something similar to my base machine.

well, I have no idea why this isn't part of the tools yet,
so you probably have to ask Enrico about the detailed
motivation, but, I'd suggest to do it like this:

 - reserve space on your /vservers partition for a template
 - dump/restore or cp -va or whatever, your existing host
   system there
 - cleanup the template with simple chroot, i.e. remove
   packages and stuff you won't need in a guest, adjust the
   startup/shutdown scripts to avoid hardware stuff
 - clear out /proc and /dev inside the template

now this is only required once, and will save you a lot
of space later ...

to create a new guest, use the 'skeleton' method with all
the desired config options, then copy over the template
into the skeleton guest dir

HTH,
Herbert

> Sukrit.D.

Re: [Vserver] build method
On Fri, 2006-02-10 at 08:40 +0100, Herbert Poetzl wrote:
> On Fri, Feb 10, 2006 at 11:55:38AM +0530, sukrit wrote:
> > I'm using vserver-2.0.1 on CentOS. I got the patch in and created a
> > number of vservers using the "legacy" method, as I wanted the vservers
>
> vserver build -m legacy ?

Well this is what vserver -build --help says:

legacy ... the "old" copy-all-from-host method, which requires the
           old legacy vserver-legacy script; with this
           method the cfg-options will be ignored

>
> well, I'd start with creating a new style config for
> that guest or at least fixing up the legacy config
>
> you can create a new config with the skeleton method
> and then copy over your guest data into the created
> skeleton ...
>

Got a doc on that? I used to just create my vservers by doing "#vserver
vsname build" in my 2.4 deployment of vservers. What would the simplest
thing equivalent to that be in the new version of vservers? All I want
is for my vservers to be something similar to my base machine.

Sukrit.D.

Re: [Vserver] Bug/Issue with Routing, Multiple NICs and vServers
On Fri, Feb 10, 2006 at 08:58:05AM +0100, Oliver Welter wrote:
> Hi Folks,
>
> I encounter several problems regarding routing with a vServer host that
> has multiple networks.
>
> I have a host which occupies three networks, my guest has IPs only in
> two of them resulting in the problem, that guest is unable to ping the
> third network under certain circumstances.
>
> When I try to ping the third network, the packets are emitted with
> source address from the first activated network (so, the lowest number
> in the interface directory) - in my case this is an internal maintenance
> LAN and I get packets that are unroutable.
> The packets are routed to the target but are discarded there because
> they come in via the external NIC (third network) but have a source
> address that belongs to the internal NIC.
>
> I hope anybody understands this description - but I can't describe it
> better...
>
> The workaround for now is, to setup the IP belonging to the default
> route of the host as first in the vServer. It also works when I
> discard all network-routes from the hosts routing table and address
> this by source based routing policies.
>
> But I assume that it would be best, when the implementation of vServer
> network-management hides all routes that are not accessible by the
> guest.

'hiding' those routes (as in proc or for ip route) is not
a real problem, but that will not help you in any way,
the routing decisions are solely based on the view the
host has of the network, as the network stack is not
virtualized but shared. you can not simply 'hide' routes
from routing cache and fib database ...

if you want a schizophrenic host which can handle separate
networks, you simply have to configure that properly, in
your case that means to create two tables which contain
the separate network entries and only put the 'shared' net
in the main table, then have appropriate rules decide which
table to choose from, based on the source ip

this is nothing Linux-VServer specific, it is the way how
linux networking works and it will not change without some
kind of network stack virtualization, which will be done
in the upcoming ngnet ...

best,
Herbert

> Oliver
>
> --
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Root certificate: http://www.ldv.ei.tum.de/page72
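
The two-table, source-rule setup described in the message above, as an added example that is not part of the original thread: a script that prints the iproute2 commands for review instead of running them. The interface names, table numbers and documentation-range addresses are constructed assumptions, with the 'shared' net assumed to sit on eth1 and stay in the main table.

```shell
#!/bin/sh
# Added example: plan per-source routing tables for a host on several networks.
# All values below are constructed for illustration.

# One line per separate (non-shared) network:
#   table-id  device  network  gateway-or-dash  local-source-ip
UPLINKS='
101 eth0 192.0.2.0/24    -            192.0.2.10
102 eth2 198.51.100.0/24 198.51.100.1 198.51.100.10
'

# Print the commands for the given table description, one per line.
gen_policy_routing() {
    printf '%s\n' "$1" | while read -r table dev net gw src; do
        [ -n "$table" ] || continue    # skip blank lines
        # The separate network's own route goes into its own table,
        # with the source address that belongs to that network.
        echo "ip route add $net dev $dev src $src table $table"
        # A network without a gateway (internal LAN) gets no default route.
        [ "$gw" = "-" ] ||
            echo "ip route add default via $gw dev $dev table $table"
        # The rule picks the table from the packet's source address.
        echo "ip rule add from $src/32 table $table priority $((1000 + table))"
        # Done last, so the gateway is still reachable while the default
        # route is added: take the connected route out of main, leaving
        # only the shared net there.
        echo "ip route del $net dev $dev table main"
    done
}

gen_policy_routing "$UPLINKS"
```

After reviewing the printed plan, pipe it to `sh` as root; `ip rule show` and `ip route show table 101` then confirm what the kernel will use for each source address.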