
From: Bjoern Steinbrink (bjoern.steinbrink_at_isp4p.net)
Date: Sun 26 Sep 2004 - 17:24:39 BST


On Sun, 2004-09-26 at 17:14, Gilles wrote:
> > >
> > > Can I create a second purely virtual net inside H2, say 192.168.3.0 ?
> > > [Where I would put e.g. a "mysql" vserver, with address 192.168.3.55.]
> >
> > if you do not accept/route packets for the 192.168.3.0/24
> > you can assign those IPs to for example the dummy0 interface
> > (what interface doesn't matter actually) and use it on
> > the host only ...
>
> Ooh, *that* was a piece I was missing; thanks.
>
> [I use Debian.] I added something like the following in
> /etc/network/interfaces
> on the host:
>
> iface dummy0 inet static
> address 192.168.3.1
> netmask 255.255.255.0
> broadcast 192.168.3.255
> gateway 192.168.1.10
>
> (1)
> But, when the interface is brought up, there is an error message:
>
> SIOCADDRT: Network is unreachable
> Failed to bring up dummy0.
>
> This is probably related to the ifupdown Debian scripts, as "ifconfig"
> shows the interface (and networking with a 192.168.3.2 vserver is OK).
> Do you have some clues?

ifup fails if any of the calls fails; in this case the route call fails.
Probably you didn't bring up the interface that makes 192.168.1.10
reachable _before_ you bring up dummy0.

>
> (2)
> I'm still confused, because I don't understand why routing just works (but
> probably not as I expect)!

Outgoing packets just take the interface that offers a route to the
destination; the gateway entry in your /etc/network/interfaces is not
necessary. Packets 'originating from dummy0' will go through eth0
anyway if they're going to, for example, 192.168.1.20.
Within the host no routing occurs; routing just decides through which
interface a packet is sent out (and through which gateway).

Hmm... I guess that also explains the stuff below, right?

>
> In the above dummy0 config, I thought that I was setting up a virtual
> gateway for the 192.168.3.0 virtual subnet. [192.168.1.10 is the address
> of "eth0" on the host.]
>
> But "route -n" within the vserver shows:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 dummy0
> 127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 dummy0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         192.168.1.20    0.0.0.0         UG    0      0        0 eth0
>
> [Note: This is not exactly the right output, because I had set up a bridged
> ethernet in order to provide connectivity to a UML, so that "eth0" is really
> "br0", but if I understood the explanations, "br0" effectively replaces "eth0"
> on the host (anyway it has the IP address that was associated with "eth0" when
> there was no bridge).]
>
> 192.168.1.20 is the address of the *other* physical machine (the one connected
> to the Internet via its second nic), so that's the host default gateway, but
> that's also the vserver default gateway (!), whereas I had imagined that the
> vserver packets would have gone out through dummy0, to be routed by the
> 192.168.3.1 gateway.
>
> Obviously, it's a wrong expectation. Then, what is *really* going on?
>
>
> > > > but all communication on the same host
> > > > will happen via lo (see More Documentation on the
> > > > linux-vserver wiki), so you have to keep that in mind.
>
> What does that imply? Security problem?
>
>
> > http://archives.linux-vserver.org/200311/0470.html
> > http://list.linux-vserver.org/archive/vserver/msg06615.html
> > http://list.linux-vserver.org/archive/vserver/msg06631.html
> > http://list.linux-vserver.org/archive/vserver/msg06667.html
> > http://vserver.13thfloor.at/Stuff/VServer-IP-Setup-0.1.txt
>
> You ask many questions in there ;-) Is there a place where you
> collected the answers/conclusions?
>
>
> > > > vmware and QEMU or Bochs use a separate kernel (similar
> > > > to that what UML does) and communicate via tun/tap
> > >
> > > Is it possible to have the same kind of communication between
> > > vservers?
> >
> > possible yes, implemented no, because it doesn't
> > make much sense to feed network data through some
> > userspace pipe ...
>
> Euh... Some explanation/doc to clarify that point?
>
>
> Thanks for your patience,
> Gilles

Bjoern
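As an added illustration of the two points in this reply (not code from the mail or from the vserver project): a small Python model of the kernel's route handling. It shows why the "gateway" line in the dummy0 stanza gets "SIOCADDRT: Network is unreachable" when eth0 is not up yet, and that a longest-prefix lookup over the quoted host table already sends traffic for 192.168.1.x out through eth0, so the gateway line is not needed. The reachability rule is simplified to "the next hop must lie in a directly connected route", which is an assumption about the kernel's behaviour, not something stated in the mail.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    gateway: Optional[str]   # None = directly connected (shown as 0.0.0.0 by `route -n`)
    iface: str

def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match over the table; returns (iface, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if addr in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return (best.iface, best.gateway) if best else None

def add_route(table: List[Route], dst: str, gateway: Optional[str] = None,
              iface: Optional[str] = None) -> None:
    """Mimic one `route add` call. Assumption (simplified kernel rule): a gateway must
    already be reachable through a directly connected route, else ENETUNREACH."""
    if gateway is not None:
        hop = lookup(table, gateway)
        if hop is None or hop[1] is not None:
            raise OSError("SIOCADDRT: Network is unreachable")
        iface = hop[0]
    table.append(Route(ipaddress.ip_network(dst), gateway, iface or "lo"))

def try_dummy0_stanza(eth0_up: bool) -> Optional[str]:
    """Apply the quoted dummy0 stanza; returns the error ifup would print, or None."""
    table: List[Route] = []
    if eth0_up:                                               # eth0 configured first
        add_route(table, "192.168.1.0/24", iface="eth0")
    add_route(table, "192.168.3.0/24", iface="dummy0")        # address/netmask lines
    try:
        add_route(table, "0.0.0.0/0", gateway="192.168.1.10")  # the 'gateway' line
    except OSError as err:
        return str(err)
    return None

# Constructed from the `route -n` output quoted in the mail (127.0.0.0 line left out).
HOST_TABLE = [
    Route(ipaddress.ip_network("192.168.3.0/24"), None, "dummy0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "eth0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.20", "eth0"),
]

def egress(dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Interface and gateway a packet from the host (or a vserver on it) to dst uses."""
    return lookup(HOST_TABLE, dst)
```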

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Generated on Sun 26 Sep 2004 - 17:25:12 BST by hypermail 2.1.3