Correct way to add IP4/6 to Virtuozzo containers (was: Dedicated IP added to container inaccessible)

Discussion in 'Plesk Automation Suggestions and Feedback' started by SteveITS, Apr 21, 2015.

  1. SteveITS

    SteveITS Tera Poster

    Messages:
    277
    I tried to set up a site with a "dedicated" IP without SSL, and ran into this problem again. The new IPs (v4 or v6) are not reachable, pingable, or traceroutable from outside the container, even from its PCS hardware node.

    This is what I get after adding the address in PPA:
    Code:
    # cat ifcfg-eth0
    DEVICE="eth0"
    ONBOOT="yes"
    BOOTPROTO=static
    IPADDR="x.x.194.15"
    NETMASK="255.255.255.128"
    GATEWAY="x.x.194.1"
    IPV6_DEFAULTGW="aaaa:bbbb:0:4c::1"
    IPV6INIT=yes
    IPV6ADDR_SECONDARIES='aaaa:bbbb:0:4c::1:15/64 aaaa:bbbb:0:4c::2:0/64 aaaa:bbbb:0:4c::2:1/64 aaaa:bbbb:0:4c::2:2/64'
    
    # cat ifcfg-eth0:0
    DEVICE=eth0:0
    ONBOOT=yes
    NETMASK=255.255.255.128
    IPADDR=x.x.194.100
    
    By contrast, if I add an IP address through PVA, it is pingable. Note the differences, namely that PVA's ifcfg-eth0:0 has "BOOTPROTO=static" and the IPs double quoted. For those testing at home also note that PVA removed the existing IPv6 addresses (that it didn't know about).
    Code:
    # cat ifcfg-eth0
    DEVICE="eth0"
    ONBOOT="yes"
    BOOTPROTO="static"
    GATEWAY="x.x.194.1"
    IPV6_DEFAULTGW="aaaa:bbbb:0:4c::1"
    IPV6INIT="yes"
    DHCPV6C="no"
    IPADDR="x.x.194.15"
    NETMASK="255.255.255.128"
    IPV6ADDR_SECONDARIES="aaaa:bbbb:0:4c::1:15/64"
    
    # cat ifcfg-eth0:0
    DEVICE=eth0:0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR="x.x.194.50"
    NETMASK="255.255.255.128"

    Could that make a difference? Any other ideas as to why I can't seem to get secondary IPs to work?
     
    Last edited: Apr 21, 2015
  2. Starl1ght

    Starl1ght Just a cat

    Messages:
    81
  3. SteveITS

    SteveITS Tera Poster

    Messages:
    277
    Hi Denis,

    I realized on the drive home I didn't explain that I was using bridged mode on the containers/service nodes. In a PVA forum thread I posted that I tried using the default routed mode but even without PPA installed I couldn't communicate using IPv6 so I found bridged mode works.

    I've been all over the docs. :( One beef I have with that FAQ/doc is the line "IP addresses from the pool may be granted as dedicated (exclusive) or shared," which doesn't explain that PPA will not use a dedicated IP pool. I even tried creating a site with the web node having only a dedicated IP pool assigned, and the site using a dedicated IPv4, and the PPA task failed saying there was no shared pool available.

    So that FAQ implies that using bridged mode in a container should work...?
     
  4. Starl1ght

    Starl1ght Just a cat

    Messages:
    81
    The FAQ implies that IPs should be pre-allocated before using them in PPA.
     
  5. SteveITS

    SteveITS Tera Poster

    Messages:
    277
    Ah, well that would fit then. I hope Parallels updates the FAQ and doc page to remove the "host-routed" verbiage or else add "bridged mode" references so people understand that it applies to both connection types. I can make a comment in the doc page but can't change the FAQ.
     
  6. SteveITS

    SteveITS Tera Poster

    Messages:
    277
    Hopefully also IP allocation will be updated in PPA 12, so PPA and PVA can coexist. I've seen several references recommending installing PPA in Cloud Server but 1) wasn't even sure that FAQ reference applied to the old Virtuozzo, or PCS 6, or both, and 2) none of the references recommending PCS said IP allocation wouldn't work.
     
  7. SteveITS

    SteveITS Tera Poster

    Messages:
    277
    I'm running into this again and it would be SO MUCH EASIER to manage if I could create one IPv4 pool and one IPv6 pool to use across all service node VPS containers. As it is I have already wasted an IP because the original pool allocated had four IPv4s and they shrunk to three, removing one in the middle. I can't reclaim it without moving their subscription to a different IP address on the same node.

    So, it seems the only logical way to avoid this is to create an IP pool for each IPv4 address and allocate and remove them from service node VPS containers as necessary. For IPv6 at least we have an entire block so we can allocate 16 or 32 at a time, and leave most of them unused.

    Also, the FAQ has not yet been updated to state that this is required for "bridged mode" containers as well. I didn't look up the documentation but at least I left a comment there.
     
  8. SteveITS

    SteveITS Tera Poster

    Messages:
    277
  9. SteveITS

    SteveITS Tera Poster

    Messages:
    277
    They've removed user comments from the PPA documentation pages so my comment about PPA not working with bridged mode either was removed.

    However I have some good news!

    After working with Virtuozzo support, and reading between the lines a bit for the explanation, it seems that if either Parallels Virtual Automation or prlctl or vzctl are used to configure a bridged network interface for a container, the tools start adding rules on the host to allow the IP/MAC address. That is why PPA can't add IP addresses on its own, because it tries and doesn't know to set up the rules on the host. And apparently they have a bug where if too many IPv6 addresses are added it runs off the rails, messes up the rules, or something and you can't add more via their tools.

    However, if you do not use those tools to configure the network, you can get PPA to allocate addresses on its own. Steps:
    1. Create container in PVA with no network interface, DNS or gateway
    2. Add network interface from the Virtuozzo hardware node:
      • vzctl set containerNameOrID --save --netif_add eth0
      • vzctl set containerNameOrID --save --ifname eth0 --network BridgedNetworkName
    3. Enter container shell prompt via prlctl enter containerNameOrID
    4. Edit /etc/resolv.conf to add nameservers
    5. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 to set the primary IPv4, netmask, gateway, IPv6 gateway, etc.
    6. Run service network restart
    7. Add service node to PPA
    8. Add your one giant IPv6 pool (shared among all service nodes) to this service node
    Now any time you add a webspace with a dedicated IPv6 address it will add to the node and work just fine.

    In other words if Virtuozzo tools are never used to manage IP addresses for the container, and the container is using bridged mode networking, anything you manually set up will just work.
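
Added example (editor's code, not from the thread or from Virtuozzo/PPA): a small parser that reads ifcfg files as shell variable assignments, so the PPA and PVA `ifcfg-eth0:0` listings from the first post can be compared without quoting noise, and a hand-edited `ifcfg-eth0` from step 5 can be checked before `service network restart`. It assumes the files are sourced by a shell, as the RHEL-style network scripts do; `STEP5_REQUIRED` is an assumed key list taken from step 5 and the listings above, and the function names are illustrative.

```python
import shlex

# Constructed from the two ifcfg-eth0:0 listings in the first post (addresses masked as on the page).
PPA_ALIAS = """DEVICE=eth0:0
ONBOOT=yes
NETMASK=255.255.255.128
IPADDR=x.x.194.100
"""
PVA_ALIAS = """DEVICE=eth0:0
ONBOOT=yes
BOOTPROTO=static
IPADDR="x.x.194.50"
NETMASK="255.255.255.128"
"""
# Assumed reading of step 5 (primary IPv4, netmask, gateway, IPv6 gateway) plus the
# base keys that appear in the ifcfg-eth0 listings on this page.
STEP5_REQUIRED = ("DEVICE", "ONBOOT", "BOOTPROTO", "IPADDR", "NETMASK",
                  "GATEWAY", "IPV6INIT", "IPV6_DEFAULTGW")


def parse_ifcfg(text):
    """Return {KEY: value} with shell quoting removed, as a sourcing shell would see it."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue  # skips blank lines, comments and pasted "# cat ..." prompts
        tokens = shlex.split(value, comments=True)
        settings[key] = tokens[0] if tokens else ""
    return settings


def semantic_diff(left, right):
    """Map each key whose unquoted value differs to (left, right); None means absent."""
    a, b = parse_ifcfg(left), parse_ifcfg(right)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def missing_for_step5(text):
    """List the STEP5_REQUIRED keys that an ifcfg-eth0 lacks or leaves empty."""
    cfg = parse_ifcfg(text)
    return [k for k in STEP5_REQUIRED if not cfg.get(k)]


if __name__ == "__main__":
    for key, (ppa, pva) in semantic_diff(PPA_ALIAS, PVA_ALIAS).items():
        print(f"{key}: PPA={ppa!r} PVA={pva!r}")
    print("alias file lacks:", missing_for_step5(PPA_ALIAS))
```

On the two alias files the only differences left after unquoting are the missing `BOOTPROTO` in the PPA file and the address itself; the quoting of `IPADDR` and `NETMASK` drops out.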
     
