Revision as of 13:52, 17 May 2014
Miscellaneous openVZ notes
Enabling iptables modules for container
Note that --iptables is deprecated in recent openVZ releases. Netfilter access for a container is now granted with --netfilter, which takes one of disabled, stateless, stateful or full; grant the lowest level the container actually needs, since full also lets it load the NAT modules. To allow everything, run on the base machine (--save makes it persist in the container's config):
vzctl set <ctid> --netfilter full --save
The new setup also ships with connection tracking disabled on the base machine itself (VE0), so stateful rules and NAT on the host do not work until it is re-enabled. To re-enable it, edit '/etc/modprobe.d/openvz.conf' and change the nf_conntrack line to:
options nf_conntrack ip_conntrack_disable_ve0=0
The change takes effect when the module is next loaded, in practice after a reboot of the base machine.
Source NAT for containers using base machine
Source NAT on the base machine gives a container LAN/Internet access without a second public IP and without exposing the container to the outside world: only replies to connections the container opened get back in. The container keeps its private address and the base machine rewrites the source address of its outgoing packets to the node's own address on the exit interface (the --to-source address must be the host's, not the container's):
iptables -t nat -I POSTROUTING -s <container-private-IP> -o <exit-interface> -j SNAT --to-source <host-IP-on-exit-interface>
IP forwarding must be enabled on the base machine (net.ipv4.ip_forward=1), and NAT needs connection tracking, so on the base machine this only works once ip_conntrack_disable_ve0 has been set to 0 as described above.
Enabling tun/tap devices for container
To let a container use tun/tap devices (for example to run a VPN server inside it):
- On the base machine, with the container's CTID:
  - vzctl set <CTID> --devnodes net/tun:rw --save
  - vzctl set <CTID> --devices c:10:200:rw --save
  - vzctl set <CTID> --capability net_admin:on --save
- As root inside the container:
  - mkdir -p /dev/net
  - mknod /dev/net/tun c 10 200
  - chmod 600 /dev/net/tun
- Restart the container.
net_admin lets the container reconfigure its own network stack (interfaces, routes, firewall), which is more than plain access to the tun device; only grant it to containers that actually need to bring up VPN interfaces.
Correcting time-zone used in container
If the container image in use was built for a different time-zone, point /etc/localtime at the right zoneinfo file, for example for Asia/Kolkata:
rm -f /etc/localtime
ln -s /usr/share/zoneinfo/Asia/Kolkata /etc/localtime
Checking process trees of all containers
Running 'pstree -pun | less' on the base machine shows the process trees of all containers, including every container's init and its children, which helps to locate a specific container's processes. To find out which init belongs to which container, list the files that init has open on the base machine:
lsof -p <init-pid>
If the process has /vz/root/<CID>/dev/null open, it is the init of container <CID> (a container's root filesystem is mounted at /vz/root/<CID> on the base machine). On an openVZ kernel 'vzpid <pid>' also prints the CTID of any process directly.
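The same mapping done directly from /proc instead of grepping lsof output, as an added example (not from these notes): it reads the fd symlinks of each process and reports the CTID whose /vz/root/<CID>/dev/null is open. The optional proc-root argument exists so the functions can be exercised against a constructed tree; the standard /vz/root mount point is assumed.

```shell
#!/bin/sh
# Map container init processes to CTIDs by inspecting open file descriptors.
# Added example, not from the original notes. Assumes /vz/root/<CID> mounts;
# PROCROOT defaults to /proc and can point at a fake tree for testing.

# init_ctid PID [PROCROOT]: print the CTID whose /vz/root/<CID>/dev/null
# PID has open; return 1 if PID is not a container init.
init_ctid() {
    pid=$1
    proc=${2:-/proc}
    for fd in "$proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue           # no fds, or not a symlink
        target=$(readlink "$fd") || continue
        case $target in
            /vz/root/*/dev/null)
                ctid=${target#/vz/root/}   # strip the mount prefix
                echo "${ctid%%/*}"         # keep the first path element
                return 0 ;;
        esac
    done
    return 1
}

# list_ct_inits [PROCROOT]: one "PID CTID" line per container init found.
# Run as root on the base machine; other users cannot read foreign fd links.
list_ct_inits() {
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        pid=${d##*/}
        ctid=$(init_ctid "$pid" "$proc") && echo "$pid $ctid"
    done
}
```

Any process with a container's /dev/null open matches, so on a real node the first match per CTID is the init (lowest PID) and later ones are its children; pipe the output through 'sort -u -k2,2' to keep one per container.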
Detecting if current machine or VM or container is using openVZ
To check whether the current host is running under openVZ, run as root:
grep envID /proc/1/status
If the line is present with value 0, the kernel is openVZ and the command ran on the base machine; any other value is the CTID of the container the command ran in. No envID line at all means the kernel is not an openVZ kernel.
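The check above wrapped in a function that returns one of three answers rather than a grep line to read by eye, added here as an example (it is not from these notes). The status-file argument defaults to /proc/1/status and only exists so the function can be run against constructed input.

```shell
#!/bin/sh
# Classify the current environment from the envID field of PID 1.
# Added example, not from the original notes.

# openvz_env_id [status-file]: print one of
#   none    - no envID line, so not an openVZ kernel
#   host    - envID 0, the openVZ base machine (VE0)
#   ct:<N>  - inside the container with CTID N
openvz_env_id() {
    f=${1:-/proc/1/status}
    # The field is "envID:<tab><number>"; keep only the number.
    id=$(sed -n 's/^envID:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" 2>/dev/null)
    if [ -z "$id" ]; then
        echo none
    elif [ "$id" = 0 ]; then
        echo host
    else
        echo "ct:$id"
    fi
}
```

Inside a container envID is the container's own CTID, so a script that must refuse to run on the base machine can test for the host answer before touching anything under /vz.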
Learned from http://christian.hofstaedtler.name/blog/2008/10/detecting-openvz.html
Changing VE_LAYOUT from ploop to simfs
Recent openVZ installations create containers with the ploop layout by default instead of the older simfs. If simfs is wanted instead, edit '/etc/vz/vz.conf' and set
VE_LAYOUT=simfs
The setting only affects containers created afterwards; existing containers keep their layout (vzctl convert can move a simfs container to ploop). If ploop is wanted, the ploop package must be installed. With simfs a container's files live directly in the base machine's filesystem under /vz/private/<CTID>, whereas ploop keeps each container in its own image file with its own filesystem and quota, so ploop separates container disk usage from the host more strictly.