I did that already, setting "no" instead of "off", but it seems the same, no success :-(

I now have doubts about *preventpromisc=on*, which I cannot set to off :-(

[host]# prlctl list -if CTprobe | grep net1
net1 (+) dev='veth42ba2f55' ifname='eth1' network='probenet' mac=001C42BA2F45 *preventpromisc=on* mac_filter=off ip_filter=off nameservers= searchdomains=


On 19/10/2016 13:36, Dmitry Mishin wrote:
Hello,

Please try after 'prlctl set CTprobe --device-set net1 --macfilter off'

Thank you,
Dmitry.

From: <users-boun...@openvz.org> on behalf of Jehan Procaccia <jehan.procac...@tem-tsp.eu>
Reply-To: OpenVZ users <users@openvz.org>
Date: Wednesday 19 October 2016 12:05
To: OpenVZ users <users@openvz.org>
Subject: Re: [Users] vlan and bridge network interface in openVZ/virtuozzo 7

    Hello

    I'm back to my vlan/bridge/vm-interface ...
    although it works fine for my containers' primary interfaces (eth0)
    I have a specific container that has 2 interfaces, the second
    being for a probe on the network (tcpdump, snort etc ...)
    unfortunately only minimal traffic seems to be forwarded into the
    container on that second interface, not all. I do see the whole
    traffic within the physical interface and its bridge on the
    physical host, but not on the veth into the CT !?

    here's the physical and config situation: on the physical host I
    plug the cisco mirrored outbound/Wan interface to em3 (physical
    interface on the host)

    I created a virtual network for that probe attached to em3 and
    associated to bridge brs0

    # prlsrvctl net add probenet --type bridged --ifname em3
    # prlsrvctl net list
    Network ID        Type      Bound To Bridge         Slave interfaces
    Host-Only         host-only virbr0
    *probenet         bridged   em3 brs0           veth42ba2f55 *
    ...

    my CT 2nd interface (eth1, eth0 being the 1st one) is attached to
    that network

    # prlctl set CTprobe --netif_add eth1
    # prlctl set CTprobe --ifname eth1 --network probenet

    my problem is that a tcpdump -i em3 or brs0 on the physical host
    does show all traffic on my outbound cisco Wan mirrored interface
    here is a very small sample (hundreds of packets per second ...)
    # tcpdump -i brs0 -n
    10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757:
    UDP, length 1350
    10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813:
    Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
    10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
    10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
    10:40:59.801310 ARP, Request who-has 193.157.24.30 tell
    193.157.41.1, length 46

    if I do the same tcpdump -i veth42ba2f55 or inside the CTprobe -i
    eth1, only protocol traffic seems to pass through
    (STP,ARP,HSRP...), no user payload (https, ssh etc ...), and
    only a dozen packets per second (there were hundreds on the brs0
    or em3)

    # tcpdump -i veth42ba2f55 -n
    10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id
    8d52.00:20:56:1e:a6:80.8040, length 42
    10:45:31.213516 ARP, Request who-has 193.157.41.45 tell
    193.157.41.1, length 46
    10:45:31.281744 ARP, Request who-has 193.157.41.17 tell
    193.157.41.1, length 46
    10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello,
    length 38
    10:45:31.383549 ARP, Request who-has 193.157.41.31 tell
    193.157.41.1, length 46
    10:45:31.456594 ARP, Request who-has 193.157.41.34 tell
    193.157.41.1, length 46
    10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id
    89ce.00:20:56:1e:a6:80.8040, length 42
    10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id
    8168.00:20:56:1e:a6:80.8040, length 42
    10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id
    89da.00:20:56:1e:a6:80.8040, length 42
    10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id
    89cf.00:20:56:1e:a6:80.8040, length 42
    10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
    10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id
    89d0.00:20:56:1e:a6:80.8040, length 42
    10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr',
    length 405

    Is the CT veth filtering traffic ? Or can it not cope with the volume ?
    It is strange though that no payload/user traffic, only protocol
    (Xcast/broadcast ?) traffic passes from brs0 to veth42ba2f55 or
    inside the CTprobe eth1
    Am I missing a "capability" ?

    Regards .

    On 10/10/2016 21:24, Jehan Procaccia wrote:
    Indeed !
    that was that last setting missing:

    prlctl set MyCT11 --ifname eth0 --network vlan11

    now vlans work fine
    Just note that I had to add NM_CONTROLLED="no" to all my
    ifcfg-xxx definition files, otherwise network restart failed to
    start them

    regards .



    On 10/10/2016 09:12, Vasily Averin wrote:
    Dear Jehan,

    Virtuozzo 7 has nice documentation on docs.virtuozzo.com

    
http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge

    in your case you need to bind the container interface to the
    newly-created bridge by using the following command:

    prlctl set MyCT11 --ifname eth0 --network vlan11

    Thank you,
        Vasily Averin

    On 09.10.2016 22:37, Jehan Procaccia wrote:
    I found a method to configure bridge and vlan based on RHEL docs :
    
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html

    in order not to mess with the current config automatically
    configured by virtuozzo7 installer on em1 and em2 with
    respective bridges br0 and br1, I plugged a 3rd interface on the
    server (fiber) p2p2 :

    [network-scripts]# cat ifcfg-p2p2
    TYPE=Ethernet
    BOOTPROTO=none
    NAME=p2p2
    UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
    DEVICE=p2p2
    ONBOOT=yes

    then the associated subinterface for vlan11 as described in
    RHEL7 doc

    # cat ifcfg-p2p2*.11*
    DEVICE=p2p2.11
    BOOTPROTO=none
    ONBOOT=yes
    VLAN=yes
    BRIDGE="br11"

    and finally the bridge for that vlan

    # cat ifcfg-br11
    DEVICE="br11"
    NAME="p2p2.11"
    ONBOOT=yes
    NETBOOT=yes
    IPV6INIT=yes
    BOOTPROTO=dhcp
    TYPE="Bridge"
    DELAY="2"
    STP="off"

    # ip -d link show p2p2.11
    41: p2p2.11@p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    qdisc noqueue master br11 state UP mode DEFAULT
         link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff
    promiscuity 1
         vlan protocol 802.1Q id 11 <REORDER_HDR> addrgenmode none

    # ip -d link show br11
    42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
    noqueue state UP mode DEFAULT
         link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff
    promiscuity 0
         bridge addrgenmode none


    Now I can add my virtual network attached to the p2p2.11
    interface (or should I have chosen br11 !?)

    #  prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
    # prlsrvctl net list
    Network ID        Type      Bound To Bridge         Slave
    interfaces
    Bridged           bridged   em2            br1
    Host-Only         host-only                virbr0
    vlan11            bridged   p2p2.11        br11

    # brctl show
    bridge name    bridge id        STP enabled interfaces
    br0        8000.14187769840a    yes        em1
    br1        8000.14187769840b    no        em2
    br11        8000.f4e9d495c432    no        p2p2.11
    host-routed        8000.000000000000    no
    virbr0        8000.52540064dd31    no virbr0-nic

    create a container MyCT11
    # prlctl create MyCT11 --vmtype ct
    ...
    Processing metadata for centos-7-x86_64
    ...The Container has been successfully created.

    now I add an interface to my CT so that it will be in vlan11

    # prlctl set MyCT11 --netif_add eth0
    # prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
    # prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1

    entering the CT and pinging the gateway unfortunately fails

    CT-bad098d8 /# ping 192.168.11.1
    PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
    ^C
    --- 192.168.11.1 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 1999ms


    the problem seems to be that the new CT is attached to another
    bridge

    # prlsrvctl net list
    Network ID        Type      Bound To Bridge         Slave
    interfaces
    Bridged           bridged   em2            *br1*           *veth4250fe85*
    Host-Only         host-only                virbr0
    vlan11            bridged   p2p2.11        br11

    not to vlan11 network on br11

    I guess I missed something, where did I go wrong ?
    does anyone have a full scenario to enable vlan through bridge mode
    in CT (and VM) ?

    regards .

    
http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html

    On 07/10/2016 19:22, Jehan Procaccia wrote:
    hello

    based on
    
https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html
    it is not clear to me how to create virtual networks
    associated to  vlans ?

    On a freshly installed Virtuozzo Linux release 7.2 (3515) on a
    host with 2 activated interfaces (em1 and em2) in trunk mode
    (cisco terminology switchport trunk, allowed vlan 10,11,12,
    native 10) I cannot find out how to create networks dedicated
    to a vlan

    I tried :
    # prlsrvctl net add vlan11 --type bridged --ifname em2
    Failed to add Virtual Network vlan11: This network adapter is
    already in use. Please select another network adapter and try
    again.

    I suspect that because em2 is already bridged to br1, it cannot
    be bridged anymore ?

    Or should I create a
    /etc/sysconfig/network-scripts/ifcfg-em2.11 to have an
    interface dedicated to vlan11 :
    # cat ifcfg-em2.11
    DEVICE=em2.11
    ONBOOT=yes
    TYPE=Ethernet
    BOOTPROTO=none
    VLAN=yes

    and then try: /prlsrvctl net add vlan11 --type bridged
    --ifname em2.11/ ?
    unfortunately after /systemctl restart network/ , system
    complains with :

    Bringing up interface em2.11:  Error: Connection activation
    failed: No suitable device found for this connection.

    has anyone succeeded in configuring CT and VM attached to vlan
    (in bridge mode as I want full feature network with
    multicast/broadcast) ?

    Thanks .

    PS : some more information about the actual network config on the
    system :

    # ip addr | grep LOWER_UP
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
    UNKNOWN
    2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq
    master br0 state UP qlen 1000
    3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq
    master br1 state UP qlen 1000
    8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500
    qdisc noqueue state UNKNOWN
    22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
    noqueue state UP
    23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
    noqueue state UP

    # prlsrvctl net list
    Network ID        Type      Bound To Bridge         Slave
    interfaces
    Bridged           bridged   em2            br1
    Host-Only         host-only                virbr0

    it's strange that em1 and br0 don't show up here !?

    # brctl show
    bridge name    bridge id        STP enabled interfaces
    br0        8000.14187769840a    no        em1
    br1        8000.14187769840b    no        em2
    host-routed        8000.000000000000    no
    virbr0        8000.52540064dd31    no virbr0-nic
    virbr2        8000.52540085818e    no virbr2-nic




    _______________________________________________
    Users mailing list
    Users@openvz.org
    https://lists.openvz.org/mailman/listinfo/users

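Added example, not part of the original thread and not Virtuozzo code: a check for a sniffer/IDS container that parses the `prlctl list -i` adapter line quoted above and compares `tcpdump -n` samples from the bridge and the veth to confirm the "only protocol traffic reaches the CT" symptom. The function names are hypothetical, and treating a filter key set to "on" as a finding is an assumption; the thread does not confirm which setting caused the problem.

```python
import re
import shlex
from collections import Counter

FILTER_KEYS = ("preventpromisc", "mac_filter", "ip_filter")  # keys as printed in the thread
L2_CONTROL = ("STP", "ARP", "CDPv2")  # link-layer control frames seen on the veth

def parse_netif(line):
    """Parse one 'netN (+) key=value ...' adapter line into (name, settings)."""
    # Mail archives can leave '*' emphasis markers around values; drop them.
    tokens = shlex.split(line.replace("*", " "))
    return tokens[0], dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def active_filters(settings):
    """Filter keys set to 'on' (assumed here to restrict what a sniffer receives)."""
    return [k for k in FILTER_KEYS if settings.get(k) == "on"]

def classify(tcpdump_line):
    """Bucket one `tcpdump -n` line as 'control', 'multicast' or 'unicast'."""
    body = tcpdump_line.split(" ", 1)[1]          # drop the timestamp
    if body.startswith(L2_CONTROL):
        return "control"
    dst = re.search(r"> (\d+)\.\d+\.\d+\.\d+", body)
    if dst and 224 <= int(dst.group(1)) <= 239:   # IPv4 multicast range
        return "multicast"
    return "unicast"                              # anything else counts as unicast here

def sensor_blind(bridge_lines, veth_lines):
    """True when the bridge carries unicast traffic but the veth shows none."""
    bridge = Counter(map(classify, bridge_lines))
    veth = Counter(map(classify, veth_lines))
    return bridge["unicast"] > 0 and veth["unicast"] == 0

# Sample input: lines from the thread, re-joined where the mail client wrapped them.
NET1 = ("net1 (+) dev='veth42ba2f55' ifname='eth1' network='probenet' "
        "mac=001C42BA2F45 *preventpromisc=on* mac_filter=off ip_filter=off "
        "nameservers= searchdomains=")
BRIDGE = ["10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350",
          "10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1"]
VETH = ["10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42",
        "10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46",
        "10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38"]

if __name__ == "__main__":
    name, settings = parse_netif(NET1)
    print(name, "filters on:", active_filters(settings))
    print("sensor blind to unicast:", sensor_blind(BRIDGE, VETH))
```

Run against captures taken over the same interval on the bridge and on the veth; a True result together with a non-empty filter list points at the adapter settings rather than at capture volume.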