Secondary IP Address in Container

Discussion in 'Networking Questions' started by mblum, Aug 26, 2015.

  1. mblum

    mblum Kilo Poster

    Hello,

    Adding a secondary IP works fine in the container, but the container can't be accessed with it from other machines. Locally it works fine. Since we plan to build a Pacemaker cluster, we can't just set another IP with Virtuozzo tools from outside the container. Is there any way to get this working?

    Thanks in advance.
     
  2. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Hello,

    Can you please provide more details about this secondary IP? To answer your question I'll need to know how the IP address is set exactly and what type of adapter it is set on (host-routed/bridged). It would also help greatly if you would show me the output of the following command:

    Code:
    # egrep '^IP|^NETIF' /etc/vz/conf/<CTID>.conf
    Where <CTID> must be replaced with an actual container ID.
     
  3. mblum

    mblum Kilo Poster

    Output you can see below.
    Code:
    IP_ADDRESS=""
    NETIF="ifname=eth0,mac=00:18:51:9E:CD:3B,host_mac=00:18:51:51:C6:DF,network=vlan1,gw=10.200.200.200,ip=10.203.203.27/255.0.0.0,ip6=
    The second address is added by ocf::heartbeat:IPaddr2, but it also failed when set with the command "ip addr add 10.203.203.254/24 dev eth0". This command works on the Virtuozzo host but not in the container. The output from ip addr show also looks fine:
    Code:
    3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
      link/ether 00:18:51:9e:cd:3b brd ff:ff:ff:ff:ff:ff
      inet 10.203.203.27/8 brd 10.255.255.255 scope global eth0
      inet 10.203.203.254/8 brd 10.255.255.255 scope global secondary eth0
      inet6 fe80::218:51ff:fe9e:cd3b/64 scope link
      valid_lft forever preferred_lft forever
     
  4. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Thanks for the details and elaboration!

    There is a mechanism that prevents users from assigning IP addresses from inside a container or a virtual machine; otherwise CT users could spoof any IP in the network, which would be a security danger. The mechanism is called "IP Filter". If you are the owner of the container, you can disable IP filter and things should start working then.

    To disable IP filter, use the following command:

    Code:
    # prlctl set <CTID> --device-set net0 --ipfilter no
    UPD: fixed the command so that people who search for a solution to a similar problem will find the correct command right away.
     
    Last edited: Aug 26, 2015
  5. mblum

    mblum Kilo Poster

    Thank you very much. It's working now. But your command didn't work. It complained about eth0 not being valid for --device-set. I used:

    Code:
    prlctl set <ctid> --ifname eth0 --ipfilter no
    I found this in http://kb.odin.com/en/7994 together with some other details about my problem.
     
  6. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Technically the article is not entirely correct: for VMs one should definitely use "--device-set".
    For containers it's possible to use "--ifname".

    I guess we should've supplied "net0" for --device-set then, or used "--ifname" initially :)
    If you're still interested, you can run "prlctl list CTID -i" and get the list of devices. Most likely eth0 is referred to as net0 there, and using "net0" is correct for --device-set, while "eth0" shall be used with "--ifname".

    Anyway, glad it helped you.
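
Added example, not part of any post in this thread: before switching the IP filter off, it helps to see which addresses on the container interface were never set from the host side, since those are the ones the filter described above exists to stop. The function names are hypothetical, the `;` separator between NETIF entries is an assumption, and the sample data is copied from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): list addresses that are live inside the
# container but absent from the host-side NETIF entry.

# Sample data copied from the posts above; the NETIF line is cut off after
# "ip6=" in the original post and is left that way.
SAMPLE_CONF='NETIF="ifname=eth0,mac=00:18:51:9E:CD:3B,host_mac=00:18:51:51:C6:DF,network=vlan1,gw=10.200.200.200,ip=10.203.203.27/255.0.0.0,ip6='
SAMPLE_IP_ADDR='3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
  link/ether 00:18:51:9e:cd:3b brd ff:ff:ff:ff:ff:ff
  inet 10.203.203.27/8 brd 10.255.255.255 scope global eth0
  inet 10.203.203.254/8 brd 10.255.255.255 scope global secondary eth0
  inet6 fe80::218:51ff:fe9e:cd3b/64 scope link'

# conf_ips IFNAME < conf: IPv4 addresses set for IFNAME on the host side.
# Assumption: NETIF entries are ';'-separated and their fields ','-separated.
conf_ips() {
    grep '^NETIF=' | tr ';' '\n' | grep "ifname=$1," |
        tr ',' '\n' | sed -n 's/^ip=\([0-9.]*\).*/\1/p'
}

# live_ips < "ip addr show" output: IPv4 addresses currently on the interface.
live_ips() {
    sed -n 's/^ *inet \([0-9.]*\)\/.*/\1/p'
}

# unlisted_ips CONF_TEXT IP_ADDR_TEXT IFNAME: live addresses not in the config.
unlisted_ips() {
    allowed=$(printf '%s\n' "$1" | conf_ips "$3")
    printf '%s\n' "$2" | live_ips | while read -r addr; do
        printf '%s\n' "$allowed" | grep -qxF "$addr" || printf '%s\n' "$addr"
    done
}

# On a real host, feed it /etc/vz/conf/<CTID>.conf and the container's
# "ip addr show eth0" output instead of the samples.
unlisted_ips "$SAMPLE_CONF" "$SAMPLE_IP_ADDR" eth0   # prints 10.203.203.254
```

An empty result means every live address is already known to the host configuration; a non-empty one shows exactly which addresses depend on the filter being disabled.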
     
