Re: [vserver] host route visible to guests - is this normal?

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Sun 31 Jan 2010 - 21:23:49 GMT
Message-ID: <20100131212349.GE14282@MAIL.13thfloor.at>

On Sat, Jan 30, 2010 at 10:47:50PM -0500, Mark Lagace wrote:
> Hi folks,

> I've just recently set up vserver and had a question regarding
> networking behaviour for guests. A few more details of the setup are
> further below, but essentially I followed the advice from the wiki
> (http://www.linux-vserver.org/Networking_vserver_guests) for setting up
> networking on the guest OS.

> The host has a single ethernet connection (eth0) with ip 192.168.0.150
> and a default gateway of 192.168.0.1. I set up the dummy0 interface on
> the host with the ip 10.1.1.1/8 and set the guest to use dummy0 and the
> ip 10.1.1.10/8 using the /etc/vservers/[vservername]/interfaces/0/[dev,
> ip, prefix] entries. I then set the nat entries with iptables on the
> host to NAT the guest vserver address. (i.e. iptables -t nat -A
> POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j SNAT --to-source
> 192.168.0.150).

> Everything works - at least the guest has network access and the reverse
> works fine too (i.e. routing outside ports to the guest). The question I
> have is more related to the separation of the guest and host. On the
> guest (despite being assigned the dummy0 interface and 10.0.0.0/8
> address range), I can still see the route using the 192.168.0.0/24
> network. Is this "normal"?

known issue, will be fixed soon, I hope ...

> On the guest:
> Output from ip link show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
>
> Output from ip addr show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
> inet 10.1.1.10/8 brd 10.255.255.255 scope global secondary dummy0

> Output from ip route show:
> 192.168.0.0/24 dev if2 proto kernel scope link src 192.168.0.150
> 10.0.0.0/8 dev dummy0 proto kernel scope link src 10.1.1.1
> 127.0.0.0/8 dev lo scope link
> default via 192.168.0.1 dev if2

> In particular, the last part concerns me - the default via 192.168.0.1
> is the host's default route. I would have assumed the guest should have
> a default route based on the 10.1.1.10 ip address that it was assigned.
> The output from the link and addr queries seems to suggest this (and
> loopback) are the only addresses it knows about, so where is the
> 192.168.0.1 coming from if not the host?

routing happens on the host, i.e. there are no guest-specific
routing tables or so, unless you use network namespaces

i.e. you have to handle different routing requirements via
multiple routing tables (on the host)

best,
Herbert

> Mark
>
> --
> More info if it happens to be relevant...
>
> host and guest are gentoo
> kernel version: linux-2.6.31.11-vs2.3.0.36.28-grsec2.1.14
> util-vserver version: util-vserver-0.30.216_pre2864
> HIDE_NETIF is in the cflags and nflags in the configuration directory
>
> ip outputs on the host (while the guest is running - if the guest is
> stopped the secondary address on dummy0 disappears):
> ip link show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 90:e6:ba:cc:b7:70 brd ff:ff:ff:ff:ff:ff
> 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
>
> ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 90:e6:ba:cc:b7:70 brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.150/24 brd 192.168.0.255 scope global eth0
> 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
> inet 10.1.1.1/8 brd 10.255.255.255 scope global dummy0
> inet 10.1.1.10/8 brd 10.255.255.255 scope global secondary dummy0
>
> ip route show
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.150
> 10.0.0.0/8 dev dummy0 proto kernel scope link src 10.1.1.1
> 127.0.0.0/8 dev lo scope link
> default via 192.168.0.1 dev eth0
Received on Sun Jan 31 21:24:05 2010
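An added example (not from Herbert's reply or the Linux-VServer project) of the "multiple routing tables on the host" approach, using the addresses from the thread: guest-sourced packets (10.0.0.0/8) are looked up in a separate table via an `ip rule`, alongside the SNAT rule Mark already uses. The table number 100, the `DRY_RUN` switch and the `apply`/`show` arguments are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the thread. Policy routing on the HOST so that
# traffic sourced from the guest range consults its own routing table instead
# of the host's main table. Requires root to apply; DRY_RUN=1 only prints.
GUEST_NET="10.0.0.0/8"      # guest range from the thread
GUEST_TABLE="100"           # assumed table number
HOST_IP="192.168.0.150"     # host eth0 address from the thread
GATEWAY="192.168.0.1"       # host upstream gateway from the thread
HOST_IF="eth0"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Populate the guest table and add the policy rule that selects it.
setup_guest_table() {
    # Guest subnet stays on dummy0 inside the guest table.
    run ip route replace "$GUEST_NET" dev dummy0 table "$GUEST_TABLE"
    # Guest default route: out via the host's upstream gateway on eth0.
    run ip route replace default via "$GATEWAY" dev "$HOST_IF" table "$GUEST_TABLE"
    # Packets sourced from the guest range are routed with the guest table.
    run ip rule add from "$GUEST_NET" lookup "$GUEST_TABLE" priority 1000
    # Same SNAT as in the thread, so replies return to the host address.
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" ! -d "$GUEST_NET" \
        -j SNAT --to-source "$HOST_IP"
}

# Usage: "sh script.sh show" prints the commands, "sh script.sh apply" runs them.
case "${1:-}" in
    apply) setup_guest_table ;;
    show)  DRY_RUN=1; setup_guest_table ;;
esac
```

This only changes how the host forwards guest-sourced traffic; it does not change what `ip route show` prints inside the guest, which is the visibility issue Herbert calls known.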
