From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 26 Sep 2004 - 23:28:44 BST
On Sun, Sep 26, 2004 at 11:58:59PM +0200, Gilles wrote:
> > Oops, I mixed up interfaces and aliases. What ifup tries to do is to set
> > a default route for packets originating from dummy0 (so that they would
> > actually leave through dummy0, for each and every target address). The
> > problem is, that dummy0 can't 'directly' reach 192.168.1.10 since this
> > address does not belong to dummy0's subnet. This will therefore always
> > fail.
> What can I do so that "ifup" doesn't attempt to do that?
> > Because there is no separate routing for the vserver. The routing
> > happens inside the (shared) kernel.
> Yes, as Herbert told, the strong point/main point of vserver is sharing
> Eventually, it would imply that it is *not* possible to simulate the
> behaviour of a physical subnet by a virtual one. Am I right?
it's still unclear to me what 'simulating the behaviour
of a physical subnet by a virtual one' means, and of what
use it would be, maybe giving some examples what you would
be able to do with that, but currently can't do with the
vserver networking would be a good idea ...
> > Even if you can't see the interface
> > in the vserver, it is still available for routing.
> Actually the interfaces *can* be seen from inside the vserver.
> Anyway, it would be even more confusing if it were hidden...
yes, as long as you do not use VXF_HIDE_NETIF ;)
> > no routing occurs on the local host
> > [...]
> > Therefore no packets actually leave through dummy0, it's
> > either eth0 for outgoing traffic or lo for traffic that stays on the
> > host.
> Hence could I simply not bring up dummy0 on the host?
> I've just tried it: no connectivity! Why?
> So: the interface is needed to have connectivity, yet no
> packets flow through it. Strange, isn't it?
no it's not strange, well, not stranger than the linux
network stack is ...
you should always keep in mind, addresses are not interfaces
and interfaces are not addresses, and routing is something
completely orthogonal ;)
> Finally, is it completely useless to set up this virtual network, as
> opposed to simply give the vservers addresses on the existing
> 192.168.1.0 network?
can't really answer that one, as I did not understand
why you are doing it in the first place ...
> In the global (partly virtual, partly physical) network, are all
> packets (even those that originate from one vserver and targeted
> to another vserver inside the same host) seen by every host
> (even the other physical machines)?
packets from one vserver to a different vserver on the
same host are identical to packets from the host sent
to itself, they travel via lo, never leave the host
and arrive immediately (that's what lo does for us)
> If yes, then it would seem more secure to set up a virtual
> subnet, so that traffic between vservers does not leak outside
> the host.
okay, guess you have to explain what a 'virtual subnet'
is and why/how this could help containing packets
(not to say that they won't leave the host, see above)
> If not ...
... then maybe we should start synchronizing nomenclature
before this gets more confusing than necessary ...
Vserver mailing list