I would like to run OpenVZ containers, using the venet device on different networks.
I normally host containers on a private network, protected with firewalls, but I also need for some of these containers to bypass the firewalls and use a different routing/gateway.
I managed to achieve a half-baked setup that works by modifying the routing tables on the proxmox server to use policy-based routing as follows:
1. Add an interface for the proxmox server on each network. I'm not sure if an IP is required, but I put one IP on each server.
2. Add a routing table to /etc/iproute2/rt_tables in case it's not there
3. Add a rule and routing table for each vz container with
ip rule add from $ip table vztable
ip rule add to $ip table vztable
ip route add $ip/32 dev venet0 table vztable
This is easily done when the containers are bound to the same proxmox server, but this setup is cumbersome to keep on a cluster with migrating containers.
It would be nice to modify the openvz network scripts to account for the creation/deletion of rules to and from the ip of the container as per the above schema.
Any hints on where to act will be appreciated (I admit I have not tried to dig into the vz documentation).
Thank you.
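One place to hook in is the host-side action scripts that vzctl runs around mounting the container's private area: the global /etc/vz/conf/vps.mount and vps.umount (or a per-container CTID.mount / CTID.umount), which vzctl executes on the hardware node with VEID and VE_CONFFILE exported. The script below is an added example and not the poster's setup or part of OpenVZ; it reads IP_ADDRESS from the container config, replays the three ip commands from the post on mount and reverses them on umount, so rules follow a migrating container. The table name vztable is taken from the post, venet0 is assumed as in the post, and VZ_TABLE is a constructed override variable.

```shell
#!/bin/sh
# Constructed example: install as /etc/vz/conf/vps.mount and vps.umount
# (or <CTID>.mount/.umount for a single container). vzctl runs these on the
# host with VEID and VE_CONFFILE set. vz_policy_cmds only prints the commands
# so they can be reviewed (or tested) without root; the hook entry point at the
# bottom executes them.
set -eu

TABLE="${VZ_TABLE:-vztable}"   # assumed: a name already present in /etc/iproute2/rt_tables

# Extract IP_ADDRESS="a.b.c.d e.f.g.h" from a container config without sourcing it.
vz_container_ips() {
    sed -n 's/^IP_ADDRESS="\([^"]*\)".*/\1/p' "$1"
}

# usage: vz_policy_cmds add|del /path/to/CTID.conf  -> one ip(8) command per line
vz_policy_cmds() {
    action="$1"
    for ip in $(vz_container_ips "$2"); do
        case "$action" in
            add)
                echo "ip rule add from $ip table $TABLE"
                echo "ip rule add to $ip table $TABLE"
                echo "ip route add $ip/32 dev venet0 table $TABLE"
                ;;
            del)
                # reverse order: drop the route, then the rules that select the table
                echo "ip route del $ip/32 dev venet0 table $TABLE"
                echo "ip rule del to $ip table $TABLE"
                echo "ip rule del from $ip table $TABLE"
                ;;
        esac
    done
}

# Hook entry point: only active when vzctl invoked us as an action script.
if [ -n "${VE_CONFFILE:-}" ] && [ -n "${VEID:-}" ]; then
    case "$0" in
        *.mount)  act=add ;;   # before the private area is mounted (start, migration target)
        *.umount) act=del ;;   # after it is unmounted (stop, migration source)
        *) exit 0 ;;
    esac
    # "RTNETLINK answers: File exists" from a rule left behind by a crash must
    # not abort container start, so each command's failure is tolerated.
    vz_policy_cmds "$act" "$VE_CONFFILE" | while read -r cmd; do $cmd || true; done
fi
```

Because `ip rule del` removes one matching rule per call, rules duplicated by an unclean shutdown need a one-off `ip rule show | grep $TABLE` clean-up on the node.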