Re: [vserver] host route visible to guests - is this normal?

From: Mark Lagace <vserver_at_grandpoobah.ca>
Date: Mon 01 Feb 2010 - 02:39:53 GMT
Message-ID: <1264991993.2061.7.camel@vladimir>

Thanks Herbert. I was intending to set up the multiple routing tables on
the host in any case - I was mostly concerned that I had set up some
vserver settings incorrectly and was inadvertently passing more info to
the guests than I intended to.

Cheers,

Mark.

On Sun, 2010-01-31 at 22:23 +0100, Herbert Poetzl wrote:
> On Sat, Jan 30, 2010 at 10:47:50PM -0500, Mark Lagace wrote:
> > Hi folks,
>
> > I've just recently set up vserver and had a question regarding
> > networking behaviour for guests. A few more details of the setup are
> > further below, but essentially I followed the advice from the wiki
> > (http://www.linux-vserver.org/Networking_vserver_guests) for setting up
> > networking on the guest OS.
>
> > The host has a single ethernet connection (eth0) with ip 192.168.0.150
> > and a default gateway of 192.168.0.1. I set up the dummy0 interface on
> > the host with the ip 10.1.1.1/8 and set the guest to use dummy0 and the
> > ip 10.1.1.10/8 using the /etc/vservers/[vservername]/interfaces/0/[dev,
> > ip, prefix] entries. I then set the nat entries with iptables on the
> > host to NAT the guest vserver address. (i.e. iptables -t nat -A
> > POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j SNAT --to-source
> > 192.168.0.150).
>
> > Everything works - at least the guest has network access and the reverse
> > works fine too (i.e. routing outside ports to the guest). The question I
> > have is more related to the separation of the guest and host. On the
> > guest (despite being assigned the dummy0 interface and 10.0.0.0/8
> > address range), I can still see the route using the 192.168.0.0/24
> > network. Is this "normal"?
>
> known issue, will be fixed soon, I hope ...
>
> > On the guest:
> > Output from ip link show:
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> > UNKNOWN
> > link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
> >
> > Output from ip addr show:
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> > UNKNOWN
> > link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
> > inet 10.1.1.10/8 brd 10.255.255.255 scope global secondary dummy0
>
> > Output from ip route show:
> > 192.168.0.0/24 dev if2 proto kernel scope link src 192.168.0.150
> > 10.0.0.0/8 dev dummy0 proto kernel scope link src 10.1.1.1
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.0.1 dev if2
>
> > In particular, the last part concerns me - the default via 192.168.0.1
> > is the host's default route. I would have assumed the guest should have
> > a default route based on the 10.1.1.10 ip address that it was assigned.
> > The output from the link and addr queries seems to suggest this (and
> > loopback) are the only addresses it knows about, so where is the
> > 192.168.0.1 coming from if not the host?
>
> routing happens on the host, i.e. there are no guest-specific
> routing tables or so, unless you use network namespaces
>
> i.e. you have to handle different routing requirements via
> multiple routing tables (on the host)
>
> best,
> Herbert
>
> > Mark
> >
> > --
> > More info if it happens to be relevant...
> >
> > host and guest are gentoo
> > kernel version: linux-2.6.31.11-vs2.3.0.36.28-grsec2.1.14
> > util-vserver version: util-vserver-0.30.216_pre2864
> > HIDE_NETIF is in the cflags and nflags in the configuration directory
> >
> > ip outputs on the host (while the guest is running - if the guest is
> > stopped the secondary address on dummy0 disappears):
> > ip link show
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UNKNOWN qlen 1000
> > link/ether 90:e6:ba:cc:b7:70 brd ff:ff:ff:ff:ff:ff
> > 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> > UNKNOWN
> > link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
> >
> > ip addr show
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UNKNOWN qlen 1000
> > link/ether 90:e6:ba:cc:b7:70 brd ff:ff:ff:ff:ff:ff
> > inet 192.168.0.150/24 brd 192.168.0.255 scope global eth0
> > 3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> > UNKNOWN
> > link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
> > inet 10.1.1.1/8 brd 10.255.255.255 scope global dummy0
> > inet 10.1.1.10/8 brd 10.255.255.255 scope global secondary dummy0
> >
> > ip route show
> > 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.150
> > 10.0.0.0/8 dev dummy0 proto kernel scope link src 10.1.1.1
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.0.1 dev eth0
> >
> >
> >
>
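A small audit for the situation Mark describes, added here and not part of the thread or the util-vserver tools: it parses the guest's own `ip addr show` and `ip route show` output (the quoted guest output, with wrapped lines rejoined, is embedded as the sample) and lists every route that names an interface or a src address the guest was never assigned. On this sample it flags the two routes over the hidden host interface `if2` and also the 10.0.0.0/8 route, because its src is the host's 10.1.1.1 rather than the guest's 10.1.1.10. It assumes the plain iproute2 text format shown in the thread.

```python
import re

# Constructed from the guest output quoted in the thread (wrapped lines rejoined).
GUEST_ADDR_SHOW = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 62:8b:5d:13:37:6f brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.10/8 brd 10.255.255.255 scope global secondary dummy0
"""
GUEST_ROUTE_SHOW = """\
192.168.0.0/24 dev if2 proto kernel scope link src 192.168.0.150
10.0.0.0/8 dev dummy0 proto kernel scope link src 10.1.1.1
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev if2
"""

def parse_addr_show(text):
    """Map each interface in ``ip addr show`` output to its IPv4 addresses."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\d+: ([^:@]+):", line)   # "3: dummy0: <...>"
        if head:
            current = head.group(1)
            ifaces.setdefault(current, set())
            continue
        addr = re.match(r"^\s*inet ([\d.]+)/\d+", line)  # "    inet 10.1.1.10/8 ..."
        if addr and current:
            ifaces[current].add(addr.group(1))
    return ifaces

def foreign_routes(addr_text, route_text):
    """Return the routes that name a device or src address the guest does not own."""
    ifaces = parse_addr_show(addr_text)
    own_addrs = set().union(*ifaces.values())
    flagged = []
    for line in route_text.splitlines():
        f = line.split()
        dev = f[f.index("dev") + 1] if "dev" in f else None
        src = f[f.index("src") + 1] if "src" in f else None
        # A device the guest cannot see, or a src it was not given, is host state.
        if (dev is not None and dev not in ifaces) or (src is not None and src not in own_addrs):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for route in foreign_routes(GUEST_ADDR_SHOW, GUEST_ROUTE_SHOW):
        print("visible but not the guest's:", route)
```

Run it inside each guest with live `ip` output to confirm whether a kernel update has actually stopped exposing the host's routes.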
Received on Mon Feb 1 02:40:15 2010
