Re: [vserver] How to make VServer-Guest to use other NIC than the VServer-Host

From: Adrian Reyer <are_at_lihas.de>
Date: Thu 02 Sep 2010 - 17:47:26 BST
Message-ID: <20100902164726.GA17547@lihas.de>

Hi Marcus,

On Thu, Sep 02, 2010 at 02:55:35PM +0200, Marcus Mülbüsch wrote:
> I have a server with two NICs. I'd like to have the host use one
> of the NICs (with a 192.168.1.x-address), while the Guest uses the
> other NIC only (with a 192.168.2.x).

You achieve this by assigning the IP of that 2nd NIC to the guest and
using an alternate routing table for all traffic originating from that
IP. In this alternate routing table, just make sure there is no route
for the 192.168.1.x network.

> This sort of puts the guest into the DMZ, while I can reach the
> host in the internal net, and then enter the guest.

This is only valid for hosts/guests that are on different hardware.
Everything on the same machine only separated by namespaces will
communicate happily over the internal network, no matter which
addresses/routes should be used/seen.

> - The second NIC (eth1) is not assigned an IP address on the host.

All NICs are assigned an IP on the host, you can't have a VServer see an
IP the host won't see.

> - The VServer is assigned eth1 as its one and only NIC.

It can only be assigned an IP.

> - Now, when the VServer is started, something "interesting" happens
> - Even though eth0 is not activated, it shows up with "ip route
> show", though as "if1"

They always do.

> Especially annoying is the fact that the default gateway is the
> one of the Vserver Host. No wonder it doesn't work.

This is why you need to trick it with separate routing tables and use
'ip rule' or similar to choose the right one.

> I could change the routing on the host, using "ip route del" and
> "ip route add". However that would mean to give the guest
> "NET_ADMIN" capability; which means it is a very bad idea.

ip route ... table YOURGREATTABLENAME
YOURGREATTABLENAME you would define in /etc/iproute2/rt_tables on a
Debian system.
Then you use
ip rule add from VSERVERIP table YOURGREATTABLENAME
This is written by heart, syntax might differ, but you get the idea.

Regards,
        Adrian

-- 
LiHAS - Adrian Reyer - Hessenwiesenstraße 10 - D-70565 Stuttgart
Fon: +49 (7 11) 78 28 50 90 - Fax:  +49 (7 11) 78 28 50 91
Mail: lihas_at_lihas.de - Web: http://lihas.de
Linux, Netzwerke, Consulting & Support - USt-ID: DE 227 816 626 Stuttgart
Received on Thu Sep 2 17:48:12 2010
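
The host-side setup described in the message above, as an added example that is not part of the original mail: it prints the commands for a per-guest routing table and audits a table dump for any route to the host's internal network. The addresses, the gateway, the device eth1, the table name guestdmz and the table number 100 are constructed assumptions.

```shell
#!/bin/sh
# Added example; every value below is a constructed assumption.
GUEST_IP=192.168.2.10     # IP on the second NIC, assigned to the guest
GUEST_NET=192.168.2.0/24
GUEST_GW=192.168.2.1      # gateway of the DMZ network
GUEST_DEV=eth1
HOST_NET=192.168.1.0/24   # internal network that must stay out of the table
TABLE=guestdmz            # table name, needs an entry in rt_tables
TABLE_ID=100              # assumed to be an unused table number

# Print the commands to run as root on the host. The guest itself gets
# no NET_ADMIN capability; all routing is configured from the host.
plan() {
    echo "echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
    echo "ip route add $GUEST_NET dev $GUEST_DEV src $GUEST_IP table $TABLE"
    echo "ip route add default via $GUEST_GW dev $GUEST_DEV table $TABLE"
    echo "ip rule add from $GUEST_IP table $TABLE"
}

# Audit: read the output of "ip route show table $TABLE" on stdin.
# Returns 0 only if no route targets network $1 and every route that
# names a device uses $2.
audit_table() {
    awk -v net="$1" -v dev="$2" '
        $1 == net { bad = 1 }
        { for (i = 1; i < NF; i++)
              if ($i == "dev" && $(i + 1) != dev) bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample dumps: one clean table, one that leaks the host net.
GOOD_TABLE='192.168.2.0/24 dev eth1 scope link src 192.168.2.10
default via 192.168.2.1 dev eth1'
BAD_TABLE="$GOOD_TABLE
192.168.1.0/24 dev eth0 scope link"

plan
for sample in "$GOOD_TABLE" "$BAD_TABLE"; do
    if printf '%s\n' "$sample" | audit_table "$HOST_NET" "$GUEST_DEV"; then
        echo "table ok: no route to $HOST_NET"
    else
        echo "table leaks: route to $HOST_NET or foreign device present"
    fi
done
```

On a live host, feed the audit with `ip route show table guestdmz`. It checks only the routing table; as the message says, host and guests on the same machine still reach each other locally.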