Hello,

Please try again after 'prlctl set CTprobe --device-set net1 --macfilter off'.

Thank you,
Dmitry.

From: users-boun...@openvz.org on behalf of Jehan Procaccia <jehan.procac...@tem-tsp.eu>
Reply-To: OpenVZ users <users@openvz.org>
Date: Wednesday 19 October 2016 12:05
To: OpenVZ users <users@openvz.org>
Subject: Re: [Users] vlan and bridge network interface in openVZ/virtuozzo 7

Hello,

I'm back to my vlan/bridge/vm-interface ... Although it works fine for my containers' primary interfaces (eth0), I have a specific container that has 2 interfaces, the second being for a probe on the network (tcpdump, snort etc ...). Unfortunately only minimal traffic seems to be forwarded into the container on that second interface, not all. I do see the whole traffic within the physical interface and its bridge on the physical host, but not on the veth into the CT !?

Here's the physical and config situation: on the physical host I plug the Cisco mirrored outbound/WAN interface into em3 (physical interface on the host). I created a virtual network for that probe attached to em3 and associated to bridge brs0:

# prlsrvctl net add probenet --type bridged --ifname em3
# prlsrvctl net list
Network ID   Type        Bound To   Bridge   Slave interfaces
Host-Only    host-only              virbr0
probenet     bridged     em3        brs0     veth42ba2f55
...

My CT's 2nd interface (eth1, eth0 being the 1st one) is attached to that network:

# prlctl set CTprobe --netif_add eth1
# prlctl set CTprobe --ifname eth1 --network probenet

My problem is that a tcpdump -i em3 or brs0 on the physical host does show all traffic from my outbound Cisco WAN mirrored interface; here is a very small sample (hundreds of packets per second ...):

# tcpdump -i brs0 -n
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.075644 IP 193.157.24.25.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46

If I do the same tcpdump -i veth42ba2f55, or inside the CTprobe with -i eth1, only protocol traffic seems to pass through (STP, ARP, HSRP...), no user payload (https, ssh etc ...), and only a dozen packets per second (there were hundreds on brs0 or em3):

# tcpdump -i veth42ba2f55 -n
10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
10:45:31.281744 ARP, Request who-has 193.157.41.17 tell 193.157.41.1, length 46
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
10:45:31.383549 ARP, Request who-has 193.157.41.31 tell 193.157.41.1, length 46
10:45:31.456594 ARP, Request who-has 193.157.41.34 tell 193.157.41.1, length 46
10:45:31.458344 STP 802.1d, Config, Flags [none], bridge-id 89ce.00:20:56:1e:a6:80.8040, length 42
10:45:31.458898 STP 802.1d, Config, Flags [none], bridge-id 8168.00:20:56:1e:a6:80.8040, length 42
10:45:31.654835 STP 802.1d, Config, Flags [none], bridge-id 89da.00:20:56:1e:a6:80.8040, length 42
10:45:31.655039 STP 802.1d, Config, Flags [none], bridge-id 89cf.00:20:56:1e:a6:80.8040, length 42
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
10:45:31.966666 STP 802.1d, Config, Flags [none], bridge-id 89d0.00:20:56:1e:a6:80.8040, length 42
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405

Is the CT veth filtering traffic? Or can it not cope with the volume? It is strange though that no payload/user traffic, only protocol (Xcast/broadcast?) traffic, passes from brs0 to veth42ba2f55 or inside the CTprobe eth1. Am I missing a "capability"?

Regards.

On 10/10/2016 21:24, Jehan Procaccia wrote:

Indeed! That was the last setting missing:

prlctl set MyCT11 --ifname eth0 --network vlan11

Now vlans work fine. Just note that I had to add NM_CONTROLLED="no" to all my ifcfg-xxx definition files, otherwise network restart failed to start them.

Regards.

On 10/10/2016 09:12, Vasily Averin wrote:

Dear Jehan,

Virtuozzo 7 has nice documentation on docs.virtuozzo.com:
http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html?highlight=bridge

In your case you need to bind the container interface to the newly-created bridge by using the following command:

prlctl set MyCT11 --ifname eth0 --network vlan11

Thank you,
Vasily Averin

On 09.10.2016 22:37, Jehan Procaccia wrote:

I found a method to configure bridge and vlan based on RHEL docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_Command_Line_Interface.html

In order not to mess with the current config automatically configured by the virtuozzo7 installer on em1 and em2 with respective bridges br0 and br1, I plugged a 3rd interface on the server (fiber), p2p2:

[network-scripts]# cat ifcfg-p2p2
TYPE=Ethernet
BOOTPROTO=none
NAME=p2p2
UUID=9188d131-21b1-4ee9-8205-c893b4a4fc44
DEVICE=p2p2
ONBOOT=yes

then the associated subinterface for vlan11 as described in the RHEL7 doc:

# cat ifcfg-p2p2.11
DEVICE=p2p2.11
BOOTPROTO=none
ONBOOT=yes
VLAN=yes
BRIDGE="br11"

and finally the bridge for that vlan:

# cat ifcfg-br11
DEVICE="br11"
NAME="p2p2.11"
ONBOOT=yes
NETBOOT=yes
IPV6INIT=yes
BOOTPROTO=dhcp
TYPE="Bridge"
DELAY="2"
STP="off"

# ip -d link show p2p2.11
41: p2p2.11@p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br11 state UP mode DEFAULT
    link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 1
    vlan protocol 802.1Q id 11 <REORDER_HDR> addrgenmode none

# ip -d link show br11
42: br11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether f4:e9:d4:91:c4:33 brd ff:ff:ff:ff:ff:ff promiscuity 0
    bridge addrgenmode none

Now I can add my virtual network attached to the p2p2.11 interface (or should I have chosen br11 !?):

# prlsrvctl net add vlan11 --type bridged --ifname p2p2.11
# prlsrvctl net list
Network ID   Type        Bound To   Bridge   Slave interfaces
Bridged      bridged     em2        br1
Host-Only    host-only              virbr0
vlan11       bridged     p2p2.11    br11

# brctl show
bridge name   bridge id           STP enabled   interfaces
br0           8000.14187769840a   yes           em1
br1           8000.14187769840b   no            em2
br11          8000.f4e9d495c432   no            p2p2.11
host-routed   8000.000000000000   no
virbr0        8000.52540064dd31   no            virbr0-nic

Create a container MyCT11:

# prlctl create MyCT11 --vmtype ct
...
Processing metadata for centos-7-x86_64 ...
The Container has been successfully created.

Now I add an interface to my CT so that it will be in vlan11:

# prlctl set MyCT11 --netif_add eth0
# prlctl set MyCT11 --ifname eth0 --ipadd 192.168.11.10/24
# prlctl set MyCT11 --ifname eth0 --gw 192.168.11.1

Entering the CT and pinging the gateway unfortunately fails:

CT-bad098d8 /# ping 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
^C
--- 192.168.11.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

The problem seems to be that the new CT is attached to another bridge:

# prlsrvctl net list
Network ID   Type        Bound To   Bridge   Slave interfaces
Bridged      bridged     em2        *br1*    *veth4250fe85*
Host-Only    host-only              virbr0
vlan11       bridged     p2p2.11    br11

not to the vlan11 network on br11. I guess I missed something; where did I go wrong? Does anyone have a full scenario to enable vlan through bridge mode in CT (and VM)?

Regards.

http://docs.virtuozzo.com/virtuozzo_7_users_guide/managing-network/configuring-virtual-machines-and-containers-in-bridged-mode.html

On 07/10/2016 19:22, Jehan Procaccia wrote:

Hello,

Based on https://docs.openvz.org/openvz_users_guide.webhelp/_configuring_virtual_machines_and_containers_in_bridged_mode.html it is not clear to me how to create virtual networks associated to vlans. On a freshly installed Virtuozzo Linux release 7.2 (3515) on a host with 2 activated interfaces (em1 and em2) in trunk mode (Cisco terminology: switchport trunk, allowed vlan 10,11,12, native 10) I cannot find out how to create networks dedicated to a vlan. I tried:

# prlsrvctl net add vlan11 --type bridged --ifname em2
Failed to add Virtual Network vlan11: This network adapter is already in use. Please select another network adapter and try again.

I suspect that because em2 is already bridged to br1, it cannot be bridged anymore? Or should I create a /etc/sysconfig/network-scripts/ifcfg-em2.11 to have an interface dedicated to vlan11:

# cat ifcfg-em2.11
DEVICE=em2.11
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
VLAN=yes

and then try: prlsrvctl net add vlan11 --type bridged --ifname em2.11 ?

Unfortunately after systemctl restart network, the system complains with:

Bringing up interface em2.11:  Error: Connection activation failed: No suitable device found for this connection.

Has anyone succeeded in configuring CT and VM attached to a vlan (in bridge mode, as I want a full-feature network with multicast/broadcast)?

Thanks.

PS: a few more pieces of information on the actual network config of the system:

# ip addr | grep LOWER_UP
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br1 state UP qlen 1000
8: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP

# prlsrvctl net list
Network ID   Type        Bound To   Bridge   Slave interfaces
Bridged      bridged     em2        br1
Host-Only    host-only              virbr0

It's strange that em1 and br0 don't show up here !?

# brctl show
bridge name   bridge id           STP enabled   interfaces
br0           8000.14187769840a   no            em1
br1           8000.14187769840b   no            em2
host-routed   8000.000000000000   no
virbr0        8000.52540064dd31   no            virbr0-nic
virbr2        8000.52540085818e   no            virbr2-nic

_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
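A quick offline check for the symptom discussed in this thread (the probe's veth receiving only flooded control frames while the host bridge sees the full mirrored traffic): this is an added example, not code from the thread or from Virtuozzo; the interface names brs0 and veth42ba2f55 in the usage comment are the ones the thread uses, and the sample lines are copied from the two captures quoted above.

```shell
# Added diagnostic, not code from the thread. A probe interface on a mirrored
# port that shows only flooded link-level traffic (STP, ARP, HSRP, CDP, PIM)
# and no unicast IP flows is the symptom described above. classify_capture
# reads "tcpdump -n" summary lines on stdin and prints
# "unicast=<n> control=<n> other=<n> verdict=<OK|FILTERED>".
classify_capture() {
    awk '
        # link-layer protocols a bridge floods to every port, tcpdump keyword in $2
        $2 ~ /^(STP|ARP|CDPv[0-9]|LLDP)/ { control++; next }
        $2 == "IP" || $2 == "IP6" {
            dst = $5; sub(/[:,]$/, "", dst)          # 5th field is the destination
            if (dst ~ /^ff[0-9a-f][0-9a-f]:/) { control++; next }   # IPv6 multicast
            n = split(dst, a, ".")                   # 224.0.0.102.hsrp -> 224,0,0,102,hsrp
            if (n >= 4) {
                ip = a[1] "." a[2] "." a[3] "." a[4]
                if ((a[1] + 0 >= 224 && a[1] + 0 <= 239) || ip == "255.255.255.255") {
                    control++; next                  # IPv4 multicast / broadcast
                }
            }
            unicast++; next                          # a real flow addressed to one host
        }
        { other++ }
        END {
            verdict = (unicast > 0) ? "OK" : "FILTERED"
            printf "unicast=%d control=%d other=%d verdict=%s\n", unicast, control, other, verdict
        }'
}
# Sample lines copied from the two captures quoted in the thread (brs0 on the
# host, then the CT veth); embedded here so the check runs offline.
sample_bridge() {
cat <<'EOF'
10:40:58.767042 IP 193.51.224.142.https > 147.157.103.21.54757: UDP, length 1350
10:40:58.767062 IP 193.51.224.42.https > 147.157.161.85.50813: Flags [.], seq 2056788:2058248, ack 511, win 1650, length 1460
10:40:58.841239 IP 193.157.24.26.hsrp > 224.0.0.102.hsrp: HSRPv1
10:40:59.801310 ARP, Request who-has 193.157.24.30 tell 193.157.41.1, length 46
EOF
}
sample_veth() {
cat <<'EOF'
10:45:30.918642 STP 802.1d, Config, Flags [none], bridge-id 8d52.00:20:56:1e:a6:80.8040, length 42
10:45:31.213516 ARP, Request who-has 193.157.41.45 tell 193.157.41.1, length 46
10:45:31.332678 IP 193.157.41.236 > 224.0.0.13: PIMv2, Hello, length 38
10:45:31.709254 IP 193.157.41.35.hsrp > 224.0.0.102.hsrp: HSRPv1
10:45:31.993787 CDPv2, ttl: 180s, Device-ID 'core.ispint.fr', length 405
EOF
}
# On the live host (interface names as in the thread) the same check is:
#   tcpdump -i brs0 -n -c 500 2>/dev/null | classify_capture
#   tcpdump -i veth42ba2f55 -n -c 500 2>/dev/null | classify_capture
sample_bridge | classify_capture   # unicast=2 control=2 other=0 verdict=OK
sample_veth   | classify_capture   # unicast=0 control=5 other=0 verdict=FILTERED
```

A FILTERED verdict on the veth while the bridge side reports OK points at per-port filtering on the container's virtual interface rather than at the mirror session, which is what the macfilter setting in Dmitry's reply controls.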