howto

Network Guide

SSH keyauth

--- plantSSHKey.sh ---
#!/bin/bash
SSHKEY=cat ~/.ssh/id_rsa.pub

if [ "$(ping -q -c1 $1)" ]; then
    echo "Host $1: UP"
fi


echo "Installing SSH key: $1"
ssh $1 "echo $SSHKEY >> .ssh/authorized_keys"

HOSTN=ssh $1 "hostname"
echo "Verifying login: $HOSTN"

exit 0
--- plantSSHKey.sh ---

ssh-keygen -t rsa
./plantSSHKey.sh host_name_or_ip

Policy routing

Currently mixing VENET VMs on different subnets require source routing rules setup on each HN - for correct gateway routes for every subnet used - as venet devices are point-2-point and take routes from HN routing table. If HN default gateway is in different subnet than this VENET VM - then source routing policy is needed for directing VENET VMs from other subnets to correct gateways.

Policy routing implementation involves 3-steps for every subnet used:

  1. Every HN must have IP from every subnet used as vmbr0:N alias
  2. Add policy routing tables names to /etc/iproute2/rt_tables - on all HNs
  3. Add policy routing rules and routes to every vmbr0 alias - on all HNs

The following example steps represent situation with 3 subnets:

  • HNs have 192.168.2.0/24 subnet
  • VENET lan1 VMs have 10.0.0.0/16 subnet
  • VENET lan2 VMs have 192.168.3.0/24 subnet

Step1: adding alias IPs on HN for lan1, lan2 subnets

cat << EOF > /etc/sysconfig/network-scripts/ifcfg-vmbr0:0
ONBOOT=yes
DEVICE=vmbr0:0
BOOTPROTO="static"
IPADDR="10.0.0.50"
NETMASK="255.255.0.0"
EOF

cat << EOF > /etc/sysconfig/network-scripts/ifcfg-vmbr0:1
ONBOOT=yes
DEVICE=vmbr0:1
BOOTPROTO="static"
IPADDR="192.168.3.50"
NETMASK="255.255.255.0"
EOF

Step2: adding route table names

cat << EOF >> /etc/iproute2/rt_tables
1 	lan1
2	lan2
EOF

Step3: adding policy routing rules and routes

cat << EOF > /etc/sysconfig/network-scripts/rule-vmbr0:0
from 10.0.0.0/16 iif venet0 table lan2
EOF

cat << EOF > /etc/sysconfig/network-scripts/route-vmbr0:0
default via 10.0.0.254 dev vmbr0 table lan2
EOF

cat << EOF > /etc/sysconfig/network-scripts/rule-vmbr0:1
from 192.168.3.0/24 iif venet0 table lan1
EOF

cat << EOF > /etc/sysconfig/network-scripts/route-vmbr0:1
default via 192.168.3.254 dev vmbr0 table lan1
EOF

ifup vmbr0:0
ifup vmbr0:1

# Verify policy routes

ip rule show
ip route show table lan1
ip route show table lan2

Handling multiple subnets inside VENET VM

If wanting to have multiple IPs from separate subnets inside single VENET VM - then proper routes must be added inside that VM also.

# Adding primary IP as venet0:0 (as seen inside VM)
vzctl set $VEID --ipadd 10.0.0.100 --save

# Adding secondary IP as venet0:1 (as seen inside VM)
vzctl set $VEID --ipadd 192.168.2.100 --save

# NB! You must route 192.168.2.0 and 10.0.0.0 subnets properly on HN as described in previous chapter!
# Setup proper route also inside VM for secondary subnet - otherwise outgoing packets will follow 10.0.0.0 subnet default route!
route add -net 192.168.2.0 netmask 255.255.255.0 dev venet0:1

# Make route configuration persistent (add to /etc/rc.local or create distro specific route config file)