nareshovの日記

A post to record list of changes that were made to the configuration to get networking to work within the VZ containers on a managed hardware node.

Softlayer provisions CentOS machines with two bonded network interfaces: bond0 connected to their private network and bond1 to the public. We got a “portable” private network subnet and got them converted to “routed to subnet” so that all IPs in that subnet are usable (instead of 3 of them getting reserved into a broadcast IP, gateway IP and broadcast IP).

OpenVZ sends ARP requests when it’s trying to initialise a container and the interface to which the requests are to be sent has to be explicitly specified in this multi-network case. So, fix the NEIGHBOUR_DEVS variable in /etc/vz/vz.conf before you pick IPs from your portable subnet pool and start assigning it to your containers.

With that, you should be able to ping these containers from other nodes in your primary private subnet and vice versa. But you won’t be able to ping public IPs from within the containers yet. This doesn’t require you to assign public IPs to the containers too. A NAT rule on the host node should fix this: iptables -t nat -A POSTROUTING -o bond1 -j MASQUERADE

Took me a while to recall/realise that the lack of ARP requests in SL’s network was necessary. The NAT rule was something I found later on on the internet.