vlans and containers

[jazzl0ver]

Hello,

I got stuck with the following:

Two VLANs (1 and 12) are configured on a Proxmox server:

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:33:ff:fc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::225:90ff:fe33:fffc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:25:90:33:ff:fd brd ff:ff:ff:ff:ff:ff
5: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet6 fe80::1/128 scope link
       valid_lft forever preferred_lft forever
20: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:25:90:33:ff:fc brd ff:ff:ff:ff:ff:ff
    inet 172.26.1.38/16 brd 172.26.255.255 scope global vmbr0
    inet6 fe80::225:90ff:fe33:fffc/64 scope link
       valid_lft forever preferred_lft forever
21: eth2.1@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:25:90:33:ff:fc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::225:90ff:fe33:fffc/64 scope link
       valid_lft forever preferred_lft forever
22: vmbr12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:25:90:33:ff:fc brd ff:ff:ff:ff:ff:ff
    inet 172.27.1.38/16 scope global vmbr12
    inet6 fe80::225:90ff:fe33:fffc/64 scope link
       valid_lft forever preferred_lft forever
23: eth2.12@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:25:90:33:ff:fc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::225:90ff:fe33:fffc/64 scope link
       valid_lft forever preferred_lft forever
24: tap103i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 22:38:47:41:4a:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2038:47ff:fe41:4a27/64 scope link
       valid_lft forever preferred_lft forever
25: tap104i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 4e:43:ab:c8:50:bd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4c43:abff:fec8:50bd/64 scope link
       valid_lft forever preferred_lft forever

# ip rou
172.27.200.10 dev venet0  scope link
172.26.2.59 dev venet0  scope link
172.26.0.0/16 dev vmbr0  proto kernel  scope link  src 172.26.1.38
172.27.0.0/16 dev vmbr12  proto kernel  scope link  src 172.27.1.38
default via 172.26.1.1 dev vmbr0

# ip rou show table 12
default via 172.27.1.1 dev vmbr12

# ip ru
0:      from all lookup local
32765:  from 172.27.0.0/16 lookup 12
32766:  from all lookup main
32767:  from all lookup default

There are two OpenVZ containers in different VLANs. They use different bridge interfaces - vmbr0 and vmbr12:

# brctl show
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.00259033fffc       no              eth2.1
                                                        tap103i0
vmbr12          8000.00259033fffc       no              eth2.12
                                                        tap104i0

Here is an output from inside the containers:

# vzctl enter 100
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 172.26.2.59/32 brd 172.26.2.59 scope global venet0:0

# vzctl enter 106
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 172.27.200.10/32 brd 172.27.200.10 scope global venet0:0

Container #100 works OK, while #106 is the issue. I can ping it from the proxmox host itself only. When I try to ping from somewhere else, I see arp requests on vmbr12 and no replies. tcpdump from inside the container keeps silence.

Any ideas what's wrong with it?

Thanks in advance!

 

[mir]

firewall rules or missing route on your net to 172.27.0.0/16?

What does a traceroute from another host/VM reveal?

 

[udo]

Hello,

I got stuck with the following:

...
Here is an output from inside the containers:

# vzctl enter 100
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 172.26.2.59/32 brd 172.26.2.59 scope global venet0:0

# vzctl enter 106
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.1/32 scope host venet0
 [B]   inet 172.27.200.10/32 brd 172.27.200.10 scope global venet0:0[/B]

Container #100 works OK, while #106 is the issue. I can ping it from the proxmox host itself only. When I try to ping from somewhere else, I see arp requests on vmbr12 and no replies. tcpdump from inside the container keeps silence.

Any ideas what's wrong with it?

Thanks in advance!

Hi,
why you don't use bridged network?

Than ip addr looks like this:

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state DOWN 
    link/void 
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether de:be:3c:2a:52:60 brd ff:ff:ff:ff:ff:ff
    inet 172.20.2.15/24 brd 172.20.2.255 scope global eth0
    inet6 fe80::dcbe:3cff:fe2a:5260/64 scope link 
       valid_lft forever preferred_lft forever

Udo

 

[jazzl0ver]

firewall rules or missing route on your net to 172.27.0.0/16?

What does a traceroute from another host/VM reveal?

firewall - accept policy is everywhere
no issues with routing, since i have a KVM machine in vlan 12 on the same proxmox and it works without issues.

As I told before, traceroute does not work, since the router can't resolve a mac of 172.27.200.10

- - - Updated - - -

Hi,
why you don't use bridged network?
Udo

Well, I actually thought I am using bridged network.. Can you please describe a little bit more of what you mean?
Is yours "ip addr" output from inside the container or proxmox?

 

[jazzl0ver]

Looks like I got what you mean: I should use veth device, not venet (https://openvz.org/Differences_between_venet_and_veth). Thanks for your help!

 

[linum]

With KVM you can add the vid/tag to a network while configuring the VM. The VM has no knowledge about VLAN in this case. I want the same when I use OpenVZ. But I miss the feature to set the vid/tag while configuring network on a vz container. The only way to achive this right now is to create a eth.X device at the host and create a bridge while configuring the vz container. Or even less comfortable use vconfig inside the vz container. Is there a reason why I can't add a vid/tag to a openvz container just the way it is done with kvm?