OpenVZ networking help
I've been struggling with this problem for the past week, but no matter what I try, I keep running into dead ends.
I have a dedicated server running OpenVZ on CentOS 6.4, kernel 2.6.32-042stab081.5 #1 SMP Mon Sep 30 16:52:24 MSK 2013 x86_64 x86_64 x86_64 GNU/Linux
My server has 5 IPv4 addresses assigned to it, and I've assigned a /64 from tunnelbroker.net using this guide.
I am running 30+ containers with only IPv6 addresses on this server, and all of the addresses that have been assigned to containers can be pinged from the internet, and the ones that are unassigned can't, but that is the expected behaviour.
I'm having two problems now:
1> IPv6. All of the containers, every single one of them, are unable to connect to the outside internet from within the container. The IPs can be pinged from the outside internet fine, but they can't connect to the outside internet themselves.
For example: # ping6 google.com
unknown host
This seems to work though: # ping6 2001:4860:4860::8888; 2001:4860:4860::8844
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=55 time=19.6 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=55 time=19.6 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=55 time=19.6 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=55 time=19.6 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=55 time=19.7 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=6 ttl=55 time=19.7 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=7 ttl=55 time=19.5 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=8 ttl=55 time=19.6 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=9 ttl=55 time=19.6 ms
^Z
[1]+ Stopped ping6 2001:4860:4860::8888
But that's the Google DNS IPv6 address, and I am likely using Google DNS on the server, so I can ping that address. I seriously don't know what's happening.
This is the only IPv6 address I can ping.
For example: ping6 2620:0:1cfe:face:b00c::3
PING 2620:0:1cfe:face:b00c::3(2620:0:1cfe:face:b00c::3) 56 data bytes
From 2620:0:1cff:dead:beef::2cc icmp_seq=1 Destination unreachable: Address unreachable
From 2620:0:1cff:dead:beef::2cc icmp_seq=2 Destination unreachable: Address unreachable
From 2620:0:1cff:dead:beef::2cc icmp_seq=3 Destination unreachable: Address unreachable
From 2620:0:1cff:dead:beef::2cc icmp_seq=4 Destination unreachable: Address unreachable
From 2620:0:1cff:dead:beef::2cc icmp_seq=5 Destination unreachable: Address unreachable
From 2620:0:1cff:dead:beef::2cc icmp_seq=6 Destination unreachable: Address unreachable
From 2620:0:1cff:dead:beef::2cc icmp_seq=7 Destination unreachable: Address unreachable
^Z
[2]+ Stopped ping6 2620:0:1cfe:face:b00c::3
So I can't ping any other address, apart from the Google DNS address.
On the host node though, I can ping all IPv6 addresses and hostnames, normally, so I won't post the log for that.
Ok, now it seems that I can ping IP addresses from within the containers:
# ping6 2620:0:1cff:dead:beef::2cc
PING 2620:0:1cff:dead:beef::2cc(2620:0:1cff:dead:beef::2cc) 56 data bytes
64 bytes from 2620:0:1cff:dead:beef::2cc: icmp_seq=1 ttl=58 time=11.8 ms
64 bytes from 2620:0:1cff:dead:beef::2cc: icmp_seq=2 ttl=58 time=12.0 ms
64 bytes from 2620:0:1cff:dead:beef::2cc: icmp_seq=3 ttl=58 time=11.9 ms
^Z
[2]+ Stopped ping6 2620:0:1cff:dead:beef::2cc
And
/# ping6 2001:420:80:1:c:15c0:d06:f00d
PING 2001:420:80:1:c:15c0:d06:f00d(2001:420:80:1:c:15c0:d06:f00d) 56 data bytes
64 bytes from 2001:420:80:1:c:15c0:d06:f00d: icmp_seq=1 ttl=244 time=86.8 ms
64 bytes from 2001:420:80:1:c:15c0:d06:f00d: icmp_seq=2 ttl=244 time=77.2 ms
64 bytes from 2001:420:80:1:c:15c0:d06:f00d: icmp_seq=3 ttl=244 time=76.1 ms
64 bytes from 2001:420:80:1:c:15c0:d06:f00d: icmp_seq=4 ttl=244 time=76.2 ms
64 bytes from 2001:420:80:1:c:15c0:d06:f00d: icmp_seq=5 ttl=244 time=76.0 ms
^Z
[2]+ Stopped ping6 2001:420:80:1:c:15c0:d06:f00d
But I can't ping hostnames nevertheless.
So that is my first problem, regarding hostname resolution.
2> IPv4 NAT. I haven't touched any configuration files or anything for the IPv4 setup of the containers yet. I was thinking it would work by sharing the host's IPv4 address anyway, but that doesn't work out for me.
ping google.com
ping: unknown host google.com
I tried adding local IPv4 addresses to the containers:
vzctl set 69 --ipadd 10.0.0.1 --save
Adding IP address(es): 10.0.0.1
arpsend: 10.0.0.1 is detected on another computer : 00:04:9b:f2:b0:00
vps-net_add WARNING: arpsend -c 1 -w 1 -D -e 10.0.0.1 eth0 FAILED
CT configuration saved to /etc/vz/conf/69.conf
And
# vzctl set 69 --ipadd 192.168.100.100 --save
Adding IP address(es): 192.168.100.100
arpsend: 192.168.100.100 is detected on another computer : 00:04:9b:f2:b0:00
vps-net_add WARNING: arpsend -c 1 -w 1 -D -e 192.168.100.100 eth0 FAILED
CT configuration saved to /etc/vz/conf/69.conf
And
# vzctl set 69 --ipadd 172.17.200.200 --save
Adding IP address(es): 172.17.200.200
arpsend: 172.17.200.200 is detected on another computer : 00:04:9b:f2:b0:00
vps-net_add WARNING: arpsend -c 1 -w 1 -D -e 172.17.200.200 eth0 FAILED
CT configuration saved to /etc/vz/conf/69.conf
So no matter what local IP address I try to add, it gives me this error. I can add public IPv4 addresses out of the pool of 5 addresses that I have without any problems, and once added, it works perfectly fine. Only local addresses seem to give me the problem, though I haven't tried another subnet apart from the ones listed above.
My basic aim here is to allow the containers to connect and interact with the IPv4 internet by sharing one of my host IP addresses, preferably the main one. So being able to wget/ping/etc. for IPv4-only hostnames and IPs.
Apart from that, I also want to set up IPv4 port forwarding locally, like :19001 forwards to 10.10.10.10:80 or something similar, so the IPv6-only containers can set up IPv4 services like HTTP or a VPN on the container using a non-standard port on my host's IP addresses. So a specific port on the host's IPv4 address forwards to a specific port on the container's local IPv4 address. But the port forwarding is secondary for now.
Any help will be greatly appreciated.
(PS: Sorry for the long post :P)
Comments
TL;DR, but:
What's in /etc/resolv.conf of a container?
What's in "ip6tables -L -n" on the host node?
In /etc/resolv.conf of container:
nameserver 8.8.8.8
ip6tables -L -n on host node:
ip6tables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So if you don't have ipv4 connectivity inside the VPS, you should use a DNS server over ipv6.
These are google's public resolvers over ipv6:
2001:4860:4860::8888
2001:4860:4860::8844
If you fix the resolv.conf of the container you should be able to ping6 ipv6.google.com
/etc/vz/vz.conf NEIGHBOUR_DEVS=all?
try this:
sysctl net.ipv6.conf.all.forwarding=1
nano /etc/sysctl.conf
uncomment line #net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
ifup HETunnel # (or whatever the name of your tunnel is)
and for local ip add rule:
iptables -t nat -A POSTROUTING -s vm_local_IP_pool -o eth0 -j SNAT --to your_server_ip_address
Where vm_local_IP_pool is for example 10.0.0.0/25 and your_server_ip_address is your main public IPv4 address.
Guys, he can ping just fine. He can't resolve - because he only has ipv6 connectivity, but has ipv4 resolvers listed in /etc/resolv.conf. He needs resolvers reachable over ipv6.
Tried that, didn't work. Still stays the same.
> @Vpscraze said:
# Uncomment to limit CT IP ARP announces only to network interfaces
# having IPs within the same IP network as a container IP.
# Leave commented out to use all interfaces.
NEIGHBOUR_DEVS=detect
nano /etc/sysctl.conf
uncomment line #net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
ifup HETunnel # (or whatever the name of your tunnel is)
Tried the IPv6 one, didn't work. Still the same problem.
What do you mean by "still the same"? Do it and then try ping6 ipv6.google.com. Does it work?
Yes, it still says unknown host
Can you paste your fixed resolv.conf ?
And also the exact command that is giving you "unknown host".
nameserver 8.8.8.8
nameserver 2001:4860:4860::8888
Command is ping6 google.com (it works on the host node)
remove the nameserver 8.8.8.8 and leave only the second line, then try again.
Started working now, thankfully. I'm using the precreated OpenVZ templates available on their website, aren't they supposed to work with IPv6 right away?
@dhamaniasad resolv.conf is not part of the template, it is overwritten by the OpenVZ scripts every time when the VPS is started.
And how do I prevent that from happening? And how do I set up a single resolv.conf for all containers?
For instance see the container configuration (/etc/vz/conf/XXXX.conf) and fix the NAMESERVER line there.
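An added check for the situation in this thread (example code, not OpenVZ's or any poster's): it reads a container config of the /etc/vz/conf/XXXX.conf form mentioned above and flags every nameserver whose address family the container has no address for, which is exactly the IPv6-only container with 8.8.8.8 in its NAMESERVER line. IP_ADDRESS and NAMESERVER are the standard vzctl config keys; the sample config is constructed, reusing the addresses from the thread.

```python
"""Flag resolvers an OpenVZ container cannot reach because it has no
address of that family. Example code, not part of OpenVZ/vzctl."""
import ipaddress
import re

# Constructed sample: an IPv6-only container (address from the thread)
# with an IPv4 resolver listed first, the configuration that failed above.
SAMPLE_CONF = """\
ONBOOT="yes"
HOSTNAME="ct69"
IP_ADDRESS="2620:0:1cff:dead:beef::2cc/64"
NAMESERVER="8.8.8.8 2001:4860:4860::8888"
"""

def parse_conf(text):
    """Return KEY -> value for KEY="value" lines; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([A-Z_][A-Z0-9_]*)="?([^"]*)"?$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def address_families(addrs):
    """Set of IP versions (4 and/or 6) in a whitespace-separated address list."""
    versions = set()
    for a in addrs.split():
        # IP_ADDRESS entries may carry a /prefix length; drop it before parsing
        versions.add(ipaddress.ip_address(a.split("/")[0]).version)
    return versions

def unreachable_nameservers(conf_text):
    """Nameservers whose address family has no container address to send from."""
    conf = parse_conf(conf_text)
    have = address_families(conf.get("IP_ADDRESS", ""))
    bad = []
    for ns in conf.get("NAMESERVER", "").split():
        if ipaddress.ip_address(ns).version not in have:
            bad.append(ns)
    return bad

if __name__ == "__main__":
    for ns in unreachable_nameservers(SAMPLE_CONF):
        print(f"nameserver {ns} is unreachable from this container")
```

As the thread shows, an unreachable resolver listed first is enough to break lookups even when a reachable one follows it, so anything this check reports should be removed rather than merely reordered.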
Alright, and when making new VPSes, how do I make sure new containers are assigned the same nameserver automatically?
How are you creating the new containers? Some control panel, or manually?
Also is this node only for ipv6-only VPSes or are you going to have also ipv4 VPSes?
I am using OpenVZ-web-panel for creating the VPSes, waiting for Feathur to come out. ipv6 only.
Ok, the shell script that generates the resolv.conf every time is in /etc/vz/dists/scripts/set_dns.sh
Use your imagination with it
Wow, I ran out of imagination power with that file :P