Miscellaneous openVZ notes

From Notes_Wiki
Revision as of 13:52, 17 May 2014 by Saurabh (talk | contribs)

Enabling iptables modules for container

Note that use of --iptables is deprecated in the latest openVZ; iptables support for a container is instead enabled using:

vzctl set <ctid> --netfilter full

The new setup also disables connection tracking on the base machine. It can be re-enabled by editing '/etc/modprobe.d/openvz.conf' and changing the line to:

options nf_conntrack ip_conntrack_disable_ve0=0


Source NAT for containers using base machine

Source NAT for containers can be done on the base machine to give a container LAN/Internet access without requiring an additional IP or exposing the container to the outside world. To NAT outgoing connections from a container, use:

iptables -t nat -I POSTROUTING -s <container-private-IP> -o <exit-interface> -j SNAT --to-source <base-machine-exit-interface-IP>


Enabling tun/tap devices for container

To enable tun/tap devices for a container (for example, to use the container as a VPN server) use the following steps:

  1. Run the following commands on the base machine with the appropriate CID
    vzctl set <CID> --devnodes net/tun:rw --save
    vzctl set <CID> --devices c:10:200:rw --save
    vzctl set <CID> --capability net_admin:on --save
  2. Run the following commands as root inside the container
</gml_replace>
<gr_replace lines="40" cat="clarify" orig="3. Restart">
  3. Restart the container
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun
  3. Restart container


Correcting time-zone used in container

If the container image in use is configured for a different time-zone than the desired one, the time-zone can be corrected using something like:

    rm -f /etc/localtime
    ln -s /usr/share/zoneinfo/Asia/Kolkata /etc/localtime


Checking process trees of all containers

The command 'pstree -pun | less' on the base machine shows the process tree of all containers, including every container's init and its children. This can help in finding information about specific containers. A good way of finding out which init belongs to which container is to use:

lsof 2>&1 | grep <init-pid> | grep -v lsof

so that the files opened by that process, as seen from the base machine, are listed. If the process has opened the file /vz/root/<CID>/dev/null, it is the init process of container <CID>.


Detecting whether the current machine, VM or container is using openVZ

To check whether the current host is using openVZ, run the following command as root:

grep envID /proc/1/status

If the value is present and is 0, openVZ is in use and the command was run on the base host. Any other envID value is the CTID of the container in which the command was run.

Learned from http://christian.hofstaedtler.name/blog/2008/10/detecting-openvz.html
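The envID check above wrapped in a small POSIX shell function, added here as an example and not part of the original wiki page. It parses a /proc/<pid>/status file and classifies the result as base host, container (with its CTID) or a kernel without openVZ; the sample status files are constructed, not captured from a real system.

```shell
#!/bin/sh
# openvz_context [STATUS_FILE]
# Reads a /proc/<pid>/status file (default: /proc/1/status) and prints one of:
#   no-openvz          no envID line at all (kernel without openVZ support)
#   host               envID is 0: running on the base machine
#   container <ctid>   envID is non-zero: running inside that container
# Returns 1 if the envID value is not a number.
openvz_context() {
    f="${1:-/proc/1/status}"
    # Keep only the first envID line, with the "envID:" label and whitespace removed.
    envid=$(sed -n 's/^envID:[[:space:]]*//p' "$f" 2>/dev/null | head -n 1)
    if [ -z "$envid" ]; then
        echo "no-openvz"
        return 0
    fi
    case "$envid" in
        *[!0-9]*) echo "unknown (envID=$envid)"; return 1 ;;
    esac
    if [ "$envid" -eq 0 ]; then
        echo "host"
    else
        echo "container $envid"
    fi
}

# Constructed sample status files (hypothetical values, not from a real system)
# so the function can be exercised on a machine without an openVZ kernel.
tmp=$(mktemp -d)
printf 'Name:\tinit\nPid:\t1\nenvID:\t0\n'   > "$tmp/host.status"
printf 'Name:\tinit\nPid:\t1\nenvID:\t101\n' > "$tmp/ct.status"
printf 'Name:\tinit\nPid:\t1\n'              > "$tmp/plain.status"
printf 'Name:\tinit\nPid:\t1\nenvID:\tabc\n' > "$tmp/bad.status"

openvz_context "$tmp/host.status"    # host
openvz_context "$tmp/ct.status"      # container 101
openvz_context "$tmp/plain.status"   # no-openvz
openvz_context                       # result for the machine this runs on
```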


Changing VE_LAYOUT from ploop to simfs

Recent openVZ installations default to VE_LAYOUT ploop instead of the older simfs. If this is not desired, edit '/etc/vz/vz.conf' and set

VE_LAYOUT=simfs

If ploop is desired, the ploop package must be installed.
