From: Chris Wilson (chris_at_netservers.co.uk)
Date: Thu 15 Apr 2004 - 15:50:57 BST
> Herbert helped me to trace down the problem: We are running
> the master server and the vservers in different ip subnets:

Yes, that is _exactly_ what we are doing.

> (ip from the iproute2 suite) you can figure out which of the ip alias
> interfaces are "secondary". These ip aliases will be removed if you
> shut down the corresponding primary interface.

I did check, and noticed the difference, but I wasn't sure about the
significance of it, except to try to rearrange the order of addresses to
make a different one master.

> we had some problems with nasty side effects when stopping
> one specific vserver: all other vservers on the same master lost
> their network connectivity.

Well, we didn't lose all of them, but quite a few.

> The kernel ip stack treats the first ip address within a "scope"
> as primary and deletes all secondary ip addresses within
> this scope when the primary address is taken down.

Ouch, that is a very nasty thing for it to do. Maybe we should be using
"ip addr add" and "ip addr del" to add/remove addresses instead of
ifconfig'ing interfaces up and down? Is this (mis)"feature" related to
backwards compatibility with the old way of doing aliases?

> (ifconfig doesn't show the primary/secondary feature, but ip from
> iproute2 does)

Yes, we have only a few primary addresses, and many secondaries.

I have to discuss it with my boss, but your solution looks interesting,
although non-standard. If this really is the problem, then two other
solutions pose themselves.

1. Change the main IP address of the master server to be in the same subnet
   as the vservers (not scalable, what happens when we run out of addresses
   in this subnet?)

2. Add a VLAN interface for each vserver, to isolate them (and fix the
   problems with getting the wrong netmask due to the scripts' assumptions
   that the master is in the same subnet as the vservers). Does this also
   make CAP_NET_RAW somewhat safer? (are you still restricted to the same
   physical interface that your address is bound to, or can you spoof/listen
   to any packets on any interface that you want?)
Thanks very much for your help,
--
   _ __ __ _
  / __/ / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
 / (_ ,\/ _/ /_ \  | NetServers.co.uk http://www.netservers.co.uk |
 \__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
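The thread's point is that `ip addr show` (iproute2) marks the aliases the kernel treats as secondary, while ifconfig hides it, so an operator can predict which other vservers' addresses vanish when a given primary is removed. The following script is an added example, not code from the thread or the linux-vserver project: it parses a constructed `ip -4 addr show` listing (the interface, addresses and alias labels are made up) and, for a candidate primary address, prints the secondaries on the same interface and subnet that the kernel would drop with it. Running it before taking a vserver down turns the surprise described above into a check. Separately, modern kernels expose `net.ipv4.conf.<if>.promote_secondaries`, which makes the kernel promote a secondary instead of deleting the group; the script does not depend on it.

```shell
#!/bin/sh
# Constructed sample of `ip -4 addr show` output (not captured from any real host).
# One interface, one primary per subnet, several ifconfig-style aliases (eth0:N).
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:1
       valid_lft forever preferred_lft forever
    inet 192.0.2.12/24 brd 192.0.2.255 scope global secondary eth0:2
       valid_lft forever preferred_lft forever
    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth0:3
       valid_lft forever preferred_lft forever
    inet 198.51.100.6/24 brd 198.51.100.255 scope global secondary eth0:4
       valid_lft forever preferred_lft forever'

# list_primaries LISTING: print "ifname addr/prefix" for every address that
# iproute2 does NOT flag as secondary, i.e. the ones whose removal takes
# others with it.
list_primaries() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+: / { split($2, a, ":"); dev = a[1] }
    $1 == "inet" && !/ secondary / { print dev, $2 }'
}

# secondaries_at_risk PRIMARY_ADDR/PREFIX LISTING: print the secondary
# addresses on the same interface and in the same subnet as PRIMARY, which
# the kernel deletes when PRIMARY is taken down (promote_secondaries off).
# Exits 1 if PRIMARY is not a primary address in the listing.
secondaries_at_risk() {
  printf '%s\n' "$2" | awk -v primary="$1" '
    # netnum("a.b.c.d/p") -> "<network-as-integer>/p"; the prefix length is kept
    # so that e.g. a /24 and a /25 with the same network bits do not compare equal.
    function netnum(cidr,   parts, oct, ip, i, plen) {
      split(cidr, parts, "/"); plen = parts[2]
      split(parts[1], oct, ".")
      ip = 0
      for (i = 1; i <= 4; i++) ip = ip * 256 + oct[i]
      return int(ip / 2 ^ (32 - plen)) "/" plen
    }
    BEGIN { n = 0 }
    /^[0-9]+: / { split($2, a, ":"); dev = a[1] }
    $1 == "inet" && $2 == primary && !/ secondary / { pdev = dev; pnet = netnum($2) }
    $1 == "inet" && / secondary / { n++; sdev[n] = dev; saddr[n] = $2 }
    END {
      if (pdev == "") exit 1
      for (i = 1; i <= n; i++)
        if (sdev[i] == pdev && netnum(saddr[i]) == pnet) print saddr[i]
    }'
}

# Usage: on a real host replace $SAMPLE_IP_ADDR with "$(ip -4 addr show)".
echo "primary addresses:"
list_primaries "$SAMPLE_IP_ADDR"
echo "secondaries lost if 192.0.2.10/24 is removed:"
secondaries_at_risk 192.0.2.10/24 "$SAMPLE_IP_ADDR"
```

Removing 192.0.2.10/24 reports 192.0.2.11/24 and 192.0.2.12/24 as casualties, while removing 198.51.100.5/24 only costs 198.51.100.6/24; asking about a secondary such as 192.0.2.11/24 prints nothing and returns 1, which is the "safe to delete on its own" answer.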