OpenVZ container networking

coelhoapm · 10-23-2012, 06:38 AM

Hi all,

First of all apologize for all my newbie-ness but i am really a newbie when it comes to virtualization.

I am trying to get an openvz container working to work, although without success.

I have installed openvz in a centos 6.3 box successfully, along with the openvz panel and have created 2 containers successfully, all with valid public ip addresses.

Both containers can access the internet OK but, I can only ping them from the hardware node, but not from the internet

Also I can ssh both containers from the hardware node but not from the internet.

Does anyone has an idea of what am I missing here?

Thanks in advance.

wpeckham · 10-23-2012, 03:46 PM

I love OpenVZ, but there are some interesting bits.
Did you follow the how-to pages form the WIKI or OpenVZ site? You need to have the firewall downon the host node, and add some lines to sysctl to allow the networking to work properly. (and generally disable SELINUX as well.)

Your question does not answer many of the questions we will ahve about "how did you get here, exactly...?" so you might want to add some detail.

coelhoapm · 10-23-2012, 04:15 PM

Thanks wpeckham.

As for detail, here it goes...

*HN*
[root@poseidon ~]# ifconfig -a
eth0 Link encap:Ethernet HWaddr F4:6D:04:21:1A:9A
inet addr:31.170.106.60 Bcast:31.170.106.60 Mask:255.255.255.255
inet6 addr: fe80::f66d:4ff:fe21:1a9a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:749365 errors:0 dropped:0 overruns:0 frame:0
TX packets:395633 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1098857285 (1.0 GiB) TX bytes:31377326 (29.9 MiB)
Interrupt:25 Base address:0xc000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:241734 errors:0 dropped:0 overruns:0 frame:0
TX packets:241734 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:39684098 (37.8 MiB) TX bytes:39684098 (37.8 MiB)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: fe80::1/128 Scope:Link
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:514 (514.0 b) TX bytes:68 (68.0 b)

[root@poseidon ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:hbci

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere

*Container 1*
root@burger:/# ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:400 (400.0 B) TX bytes:400 (400.0 B)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:68 (68.0 B) TX bytes:68 (68.0 B)

venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:31.170.106.67 P-t-P:31.170.106.67 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

*Container 2*
[root@hotdog /]# ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:31.170.106.86 P-t-P:31.170.106.86 Bcast:31.170.106.86 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

***

SELinux is disabled on HN, and I have followed OpenVZ wiki install instructions.

***

HN /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 1

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

*******

Hope this information can help you to help me

Thanks in advance.

wpeckham · 10-25-2012, 11:17 AM

You have IPTABLE running on the host node. With those rules the best you can hope for is that it will be spinning like make running in circles to make sure it goes nowhere. Why not shut it down? Make sure that firewall is totally disabled. (Use /usr/bin/system-config-firewall or /usr/bin/system-config-firewall-tui on RHEL style systems.)