Re: AW: AW: [vserver] Using loopback for guest-guest and guest-host communication but still remapping

From: Gordan Bobic <gordan_at_bobich.net>
Date: Wed 29 Feb 2012 - 12:47:10 GMT
Message-ID: <4F4E1E4E.30601@bobich.net>

Fiedler Roman wrote:
>> -----Original Message-----
>> From: Gordan Bobic [mailto:gordan@bobich.net]
>>
>> Fiedler Roman wrote:
>>>> -----Original Message-----
>>>> From: Gordan Bobic [mailto:gordan@bobich.net]
>>>>
>>>>> Fiedler Roman wrote:
>>>>> ....
>>>>> I'm trying to configure networking on a machine, where we cannot use any
>>>>> private network for internal communication because I might need to receive
>>>>> traffic from that network. So I can only use loopback, one private IP-Range IP
>>>>> (server external IP) and I do not want to grab one public IP-range for internal
>>>>> communication if avoidable.
>> ....
>>> Connecting from the guest to 127.0.1.1:80 is still remapped to 127.0.2.1, which is
>>> the guest itself. So no connection to the host via lo is possible.
>> You are using 127/8 subnet on the dummy device - that won't work. You
>> need a non-loopback IP range on the dummy interface, e.g. 192.168/16.
>
> Thanks for your reply. I have already used configurations with a non-127 dummy interface
> and they are working. In the current use case (description above), I have the problem
> that the organization cannot tell me which private network is not in use at their
> location. Since I cannot handle requests from their network if I bind IPs to the local
> interface, I was trying to do it without the need for any other IPs than from the range
> 127.0.0.0/8.

That is most unfortunate, but I don't see a workaround - they will have
to find a suitable small private subnet in 10/8, 172.16/12 or 192.168/16
that you can use. But since that subnet will never be routable outside
the machine itself, you can re-use it on all similar servers.

> Things I could try:
> * Convince the organization to find a free private IPv4 net because vserver needs it

That's about the size of it. If they are using up all of the private
ranges they should either be moving to IPv6 (if they really are using
them all) or they are grossly mismanaging their internal private IP
allocations.

> * Try to live without remap, doing the 127/8 splitting by hand, fixing hardcoded 127.0.0.1 programs manually.

I'm not convinced that will actually work - 127/8 shouldn't leave the
guest sandbox.

> * Use some other range, e.g. 0.0.0.0/24, and hope not running into problems
> * Modify local routing table to try to get it working though

Indeed, you'll have to configure the routing table and iptables rules on
the host appropriately.

> * Use IPv6 private net on dummy and IPv4 for external traffic.

Is there such a thing as private IPv6 subnets?

> * Use iptables mangle or nat and mark to remap external requests from IP-Range also bound to local interface.

Sorry, not sure I quite follow what you think you can do here. Can you
elaborate?

Gordan
Received on Wed Feb 29 12:47:20 2012
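The practical outcome of the thread is that a small private IPv4 subnet in 10/8, 172.16/12 or 192.168/16 has to be found for the dummy interface, and that 127/8 cannot be used there. The script below is an added example, not code from the thread or from the vserver project: given a list of networks already observed on the site (the `OBSERVED` list is constructed sample data, not real allocations), it picks the first RFC 1918 /24 that overlaps none of them, rejects any 127/8 candidate, and emits the standard `ip` commands for putting the chosen subnet on a dummy interface on the host. The interface name `dummy0` and the `.1` host address are assumptions; assigning the guest side is left to the vserver configuration.

```python
"""Pick a private IPv4 subnet for a host-local dummy interface that does not
collide with networks already in use on the organisation's LAN.
Added example for the vserver loopback-remapping thread; not the project's code."""
import ipaddress

# The RFC 1918 ranges the thread names: 10/8, 172.16/12, 192.168/16.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample data: networks seen in the site's routing tables.
# Replace with what the organisation actually advertises.
OBSERVED = [
    "10.0.0.0/8",       # whole 10/8 routed internally
    "172.16.0.0/16",
    "172.17.0.0/16",
    "192.168.0.0/24",
    "192.168.1.0/24",
]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def is_loopback_candidate(net):
    """True if the candidate lies inside 127/8, which must not be used on the
    dummy device: 127/8 never leaves the guest sandbox and the vserver
    remapping turns a guest->host connect into a connect to the guest itself."""
    return ipaddress.ip_network(net, strict=False).subnet_of(LOOPBACK)


def find_free_subnet(observed, prefixlen=24, ranges=PRIVATE_RANGES):
    """Return the first /prefixlen inside the private ranges that overlaps none
    of the observed networks, or None if every candidate collides."""
    seen = [ipaddress.ip_network(n, strict=False) for n in observed]
    for rng in ranges:
        for cand in rng.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(s) for s in seen):
                return cand
    return None


def dummy_interface_commands(subnet, ifname="dummy0"):
    """Commands to create the dummy device on the host and give it the first
    usable address of the chosen subnet (ifname and .1 are assumptions).
    The subnet is only ever routed inside the machine, so the same one can be
    reused on every similar server."""
    if is_loopback_candidate(subnet):
        raise ValueError("127/8 cannot be used on the dummy interface")
    host_ip = next(subnet.hosts())
    return [
        f"ip link add {ifname} type dummy",
        f"ip addr add {host_ip}/{subnet.prefixlen} dev {ifname}",
        f"ip link set {ifname} up",
    ]


if __name__ == "__main__":
    chosen = find_free_subnet(OBSERVED)
    if chosen is None:
        print("no free private /24 found; all candidates collide")
    else:
        print(f"using {chosen} for guest-host traffic")
        for cmd in dummy_interface_commands(chosen):
            print(cmd)
```

With the constructed sample list the whole of 10/8 and the first two /16s of 172.16/12 are taken, so the script settles on 172.18.0.0/24 and prints the three `ip` commands for it. Feeding it the real list of advertised networks answers the question the organisation could not: which small private block is safe to use locally.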

Generated on Wed 29 Feb 2012 - 12:47:20 GMT by hypermail 2.1.8