Difference between revisions of "Miscellaneous openVZ notes"

From Notes_Wiki
Revision as of 12:00, 4 April 2014


Miscellaneous openVZ notes

Enabling iptables modules for container

Enabling iptables conntrack modules in container

By default the iptables conntrack modules are not enabled for a container, so the 'state' match does not work properly inside it. To enable use of the state match in a container, run on the base machine:

vzctl set <CID> --iptables iptable_filter --iptables ip_conntrack --save

Note that this requires the container to be stopped and started again. The base machine must also have the connection-tracking modules loaded, preferably already in use by its own firewall.


Enabling iptables nat module for container

By default the nat module for iptables is not enabled for a container. To enable it, run on the base machine:

vzctl set <CID> --iptables iptable_nat --save



Source NAT for containers using base machine

Source NAT on the base machine can give a container LAN/Internet access without assigning it an additional public IP or exposing it to the outside world. To NAT outgoing connections from the container, run on the base machine (the rule rewrites the container's private source address to the base machine's address on the exit interface, so the container itself is never reachable from outside):

iptables -t nat -I POSTROUTING -s <container-private-IP> -o <exit-interface> -j SNAT --to-source <base-machine-IP-on-exit-interface>


Enabling tun/tap devices for container

To enable tun/tap devices for a container (for example, to use the container as a VPN server), use the following steps. Note that net_admin lets the container reconfigure its own network stack, so grant it only to containers that actually need it:

  1. Run the following commands on the base machine with the appropriate CID
    vzctl set <CID> --devnodes net/tun:rw --save
    vzctl set <CID> --devices c:10:200:rw --save
    vzctl set <CID> --capability net_admin:on --save
  2. Run the following commands as root inside the container
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun
  3. Restart the container


Correcting time-zone used in container

If the container image in use is configured for a different time-zone, the time-zone can be corrected inside the container with something like:

    rm -f /etc/localtime
    ln -s /usr/share/zoneinfo/Asia/Kolkata /etc/localtime


Checking process trees of all containers

Running 'pstree -pun | less' on the base machine shows the process tree of all containers, including every container's init and its children, which helps in locating information about a specific container. A good way of finding out which init belongs to which container is to use:

lsof 2>&1 | grep <init-pid> | grep -v lsof

so that the files that process has open on the base machine are listed. If the process has /vz/root/<CID>/dev/null open, it is the init process of container <CID>.
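The same mapping can be scripted by reading /proc/<pid>/fd directly instead of grepping lsof output. This is an added example, not part of the original notes; the optional PROC_ROOT argument is an assumption introduced here so the functions can be pointed at a constructed test tree instead of the real /proc.

```shell
#!/bin/sh
# cid_of_init_pid PID [PROC_ROOT]
# Prints the container ID if any open fd of PID resolves to
# /vz/root/<CID>/dev/null (the marker the notes above describe for a
# container init), otherwise prints nothing and returns 1.
cid_of_init_pid() {
    pid=$1
    proc=${2:-/proc}   # PROC_ROOT is a hypothetical parameter for testing
    for fd in "$proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        # readlink works on dangling links, so a constructed tree is enough
        target=$(readlink "$fd") || continue
        case "$target" in
            /vz/root/*/dev/null)
                rest=${target#/vz/root/}
                echo "${rest%%/*}"
                return 0
                ;;
        esac
    done
    return 1
}

# list_container_inits [PROC_ROOT]
# Walks every numeric PID directory and prints "PID CID" for each process
# that holds /vz/root/<CID>/dev/null open, i.e. each container init.
list_container_inits() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        p=${d##*/}
        cid=$(cid_of_init_pid "$p" "$root") || continue
        echo "$p $cid"
    done
}
```

On the base machine, `list_container_inits` with no argument reads the real /proc and needs root to follow other processes' fd links.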


