Miscellaneous openVZ notes

From Notes_Wiki
Latest revision as of 13:10, 24 August 2022


Enabling iptables modules for container

Note that the use of --iptables is deprecated in the latest openVZ. iptables can be enabled for a container using:

vzctl set <ctid> --netfilter full

The new setup also disables connection tracking in the base machine. It can be re-enabled by editing '/etc/modprobe.d/openvz.conf' and changing the line to:

options nf_conntrack ip_conntrack_disable_ve0=0


Source NAT for containers using base machine

Source NAT for containers can be done on the base machine to provide LAN/Internet access to a container without requiring an additional IP or exposing the container to the outside world. To NAT outgoing connections from a container, rewriting their source to the base machine's own address on the exit interface, use:

iptables -t nat -I POSTROUTING -s <container-private-IP> -o <exit-interface> -j SNAT --to-source <base-machine-IP-on-exit-interface>


Enabling tun/tap devices for container

To enable tun/tap devices for a container (to use the container as a VPN server) use the following steps:

  1. Use the following commands with the appropriate CID on the base machine
    vzctl set <CID> --devnodes net/tun:rw --save
    vzctl set <CID> --devices c:10:200:rw --save
    vzctl set <CID> --capability net_admin:on --save
  2. Use the following commands as root inside the container
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun
  3. Restart the container


Finding container for a given base machine process

The command 'pstree -pun | less' on the base machine shows the process tree of all containers, including every container init and its children. This helps in finding the process id of the init under which a given process was started. Once the init process id for a container is known, the container ID can be determined using:

lsof 2>&1 | grep <init-pid> | grep -v lsof

so that the files used by that process in the base machine are listed. If the process has /vz/root/<CID>/dev/null open, it is the init process of container <CID>.
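The lookup described above, as an added example that is not part of the original page: cid_from_lsof() extracts the CID from the /vz/root/<CID>/dev/null entries in lsof output, and cid_for_pid() feeds it the output of "lsof -p <pid>" so that only the files of that one process are considered, instead of grepping the pid across all of lsof's output (where it can match device numbers and sizes too). The sample lsof lines are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): map a base-machine process to its
# container through the /vz/root/<CID>/dev/null file it holds open.

# Read lsof lines on stdin and print the CID of every /vz/root/<CID>/dev/null
# entry found, deduplicated, one per line.
cid_from_lsof() {
    sed -n 's#.*[[:space:]]/vz/root/\([0-9][0-9]*\)/dev/null[[:space:]]*$#\1#p' | sort -un
}

# Print the CID whose root holds the /dev/null opened by process $1, or
# "none" when the process has no such file open (a plain base-machine process).
cid_for_pid() {
    pid="$1"
    cid=$(lsof -n -P -p "$pid" 2>/dev/null | cid_from_lsof | head -n 1)
    if [ -n "$cid" ]; then echo "$cid"; else echo "none"; fi
}

# Constructed sample of "lsof -p 4321" output for a container init (the real
# command needs root on an OpenVZ host).
sample_lsof='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init    4321 root    0r   CHR    1,3      0t0 1029 /vz/root/101/dev/null
init    4321 root    1w   CHR    1,3      0t0 1029 /vz/root/101/dev/null
init    4321 root  cwd    DIR  253,0     4096    2 /vz/root/101'

printf '%s\n' "$sample_lsof" | cid_from_lsof    # prints 101
```

Run cid_for_pid with the init pid found in pstree; the vzctl package also ships a vzpid utility that maps a pid to its CTID directly.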


Detecting if current machine or VM or container is using openVZ

To check if current host is using openVZ use following command as root user:

cat /proc/1/status | grep envID

If the value is present and is 0, openVZ is in use and the command was run on the base host. Any other envID is the CTID of the container in which the command was run.

Learned from http://christian.hofstaedtler.name/blog/2008/10/detecting-openvz.html
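The same envID check as a reusable function, added here as an example (not code from the original page): it classifies the environment as base host, container with its CTID, or not openVZ at all, and takes the status file path as a parameter so it can be exercised on a constructed copy of /proc/1/status. The function name and the "not-openvz" result string are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the wiki page): classify the current environment
# from the envID line that the OpenVZ kernel adds to /proc/<pid>/status.

# Print one of: host, container:<CTID>, not-openvz.
# Exit status 0 when an envID line is present, 1 when it is absent.
openvz_env() {
    status_file="${1:-/proc/1/status}"
    # Keep only a clean numeric value; ignore anything else.
    env_id=$(sed -n 's/^envID:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$status_file")
    if [ -z "$env_id" ]; then
        echo "not-openvz"
        return 1
    fi
    if [ "$env_id" -eq 0 ]; then
        echo "host"
    else
        echo "container:$env_id"
    fi
    return 0
}

# Demonstration on a constructed status file (the real file only carries
# envID under an OpenVZ kernel).
sample=$(mktemp)
printf 'Name:\tinit\nPid:\t1\nenvID:\t101\n' > "$sample"
openvz_env "$sample"        # prints container:101
rm -f "$sample"
```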


Changing VE_LAYOUT from ploop to simfs

Latest openVZ installations default to VE_LAYOUT ploop instead of the older simfs. If this is not desired, edit '/etc/vz/vz.conf' and set

VE_LAYOUT=simfs

If ploop is desired then the ploop package must be installed.


Change CTID of container

To change the CTID of a container use the following steps:

  1. Stop container with <old-ctid>
  2. Rename /etc/vz/conf/<old-ctid>.conf to /etc/vz/conf/<new-ctid>.conf
  3. Edit /etc/vz/conf/<new-ctid>.conf and change virtual-interface name to new CTID if such name is present
  4. Rename /vz/private/<old-ctid> to /vz/private/<new-ctid>
  5. Rename /vz/root/<old-ctid> to /vz/root/<new-ctid>
  6. Start container with <new-ctid>
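The six steps above as one function, added here as an example (not a script from the original page). Before touching anything it checks that both CTIDs are numeric, that the old config exists and that nothing already belongs to the new CTID, and after stopping it confirms through "vzctl status" that the container is no longer running. Step 3 assumes the default OpenVZ naming of veth host interfaces, veth<CTID>.<n>, and rewrites that prefix in the config. The VZ_CONF_DIR, VZ_PRIVATE, VZ_ROOT and VZCTL environment variables are this example's own, so the logic can be exercised against a scratch directory and a stub vzctl.

```shell
#!/bin/sh
# Added example (not from the wiki page): rename a container's CTID with the
# checks an operator wants before moving config and data directories.

is_ctid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# rename_ctid <old-ctid> <new-ctid>
rename_ctid() {
    old="$1"; new="$2"
    conf_dir="${VZ_CONF_DIR:-/etc/vz/conf}"      # assumed override names
    private_dir="${VZ_PRIVATE:-/vz/private}"
    root_dir="${VZ_ROOT:-/vz/root}"
    vzctl="${VZCTL:-vzctl}"

    is_ctid "$old" && is_ctid "$new" || { echo "CTIDs must be numeric" >&2; return 1; }
    [ -f "$conf_dir/$old.conf" ] || { echo "no config for CTID $old" >&2; return 1; }
    # Refuse to clobber anything that already belongs to <new-ctid>.
    for p in "$conf_dir/$new.conf" "$private_dir/$new" "$root_dir/$new"; do
        [ ! -e "$p" ] || { echo "$p exists; CTID $new is in use" >&2; return 1; }
    done

    # 1. Stop the container and make sure it really is down.
    "$vzctl" stop "$old"
    if "$vzctl" status "$old" 2>/dev/null | grep -q running; then
        echo "CTID $old is still running; aborting" >&2
        return 1
    fi
    # 2. Rename the config file.
    mv "$conf_dir/$old.conf" "$conf_dir/$new.conf" || return 1
    # 3. Rename veth host interfaces, which OpenVZ names veth<CTID>.<n>.
    sed "s/veth$old\./veth$new./g" "$conf_dir/$new.conf" > "$conf_dir/$new.conf.tmp" &&
        mv "$conf_dir/$new.conf.tmp" "$conf_dir/$new.conf" || return 1
    # 4. Rename the private area; 5. rename the root mount point if present.
    mv "$private_dir/$old" "$private_dir/$new" || return 1
    if [ -d "$root_dir/$old" ]; then
        mv "$root_dir/$old" "$root_dir/$new" || return 1
    fi
    # 6. Start the container under its new CTID.
    "$vzctl" start "$new"
}

# Usage: ./rename-ctid.sh <old-ctid> <new-ctid>
if [ "$#" -eq 2 ]; then
    rename_ctid "$1" "$2"
fi
```

Config values such as VE_PRIVATE="/vz/private/$VEID" use the $VEID variable and need no editing; a config with the old CTID written out literally elsewhere would still have to be fixed by hand.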