Wednesday, 28 January 2015

Working procedure of VZ containers

EZ templates are part and parcel of the Parallels Virtuozzo Containers philosophy because theyprovide a way of sharing resources among lots of Containers, thus enabling huge savings in terms of disk space and memory. For example, when you install and cache an OS template on the Hardware Node, Parallels Virtuozzo Containers creates the /vz/template/<name_of_the_OS> directory containing all the OS files that can be shared among Containers. When a Container based on this template is created, it contains only symlinks
to the OS template files. These symlinks occupy very little space on the hard disk. They are situated in the so-called private area of the Container. The corresponding directory is /vz/private/<CT_ID>. The private area of a Container contains not only symlinks to the necessary template files, but also the copy-on-write area of the Container (the area for storing the information about those changes that the Container makes to the template files; this information
pertains only to the given directory) and all the private Container files. When the Container is started, this private area is mounted as Virtuozzo File System (VZFS) to the /vz/root/<CT_ID> directory. This directory is seen as the root directory from within the Container. And, which is the pivot of it all, thanks to the VZFS, the symlinks of the Container private area are seen as real files

Thus, the most important directories in the /vz partition are the following:
/vz/template - contains OS and application files shared among Containers;
/vz/private - contains VZFS symlinks to template files;
/vz/root - contains Container mounted symlinks and all other Container files.
The relation of these directories may be represented as below:

/vz/template (real files)  /vz/private (symlinks)  /vz/root (symlinks seen as real files in / for the Container)

Tuesday, 27 January 2015

provide access for container using private ips to Internet[NAT]

How to provide access for container to Internet

To enable the containers, which have only internal IP addresses, to access the Internet, SNAT (Source Network Address Translation, also known as IP masquerading) should be configured on theHardware Node. This is ensured by the standard Linux iptables utility. To perform a simple SNAT setup, execute the following command on the Hardware Node:
# iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
where src_net is a range of IP addresses of containers to be translated by SNAT, and ip_address is the external IP address of your Hardware Node. The format of src_net is xx.xx.xx.xx/xx (CIDR notation). For example:
# iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to ip_address
Multiple rules are allowed, for example, in case you wish to specify several ranges of IP addresses. If you are using a number of physical network interfaces on the Node, you may need to specify a different interface for outgoing connections, e.g. -o eth2.
To make all IP addresses to be translated by SNAT (not only the ones of containers with private addresses), you should type the following string:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address


For Debian hardware node, you may need to allow a forward rule. The table still being the default table (filter) but the chain is FORWARD:
# iptables -A FORWARD -s -j ACCEPT
# iptables -A FORWARD -d -j ACCEPT
For default RedHat/CentOS firewall, allow outgoing connections from your containers, for example:
# iptables -A RH-Firewall-1-INPUT -s -j ACCEPT
# iptables-save > /etc/sysconfig/iptables
# service iptables restart


Make sure in-CT nameserver is set. The easiest way to do it is:
# vzctl set $CTID --nameserver inherit


Now you should be able to reach internet from your container:
# vzctl exec $CTID ping

[edit]How to provide access from Internet to a container

In addition, to make some services in container with private IP address be accessible from the Internet, DNAT (Destination Network Address Translation) should be configured on the Hardware Node. To perform a simple DNAT setup, execute the following command on the Hardware Node:
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num \
  -i eth0 -j DNAT --to-destination ve_address:dst_port_num 
where ve_address is an IP address of the container, dst_port_num is a tcp port which requires service use, ip_address is the external (public) IP address of your Hardware Node, and port_num is a tcp port of Hardware Node, which will be used for Internet connections to private container service. Note that this setup makes the service which is using port_num on the Hardware Node be unaccessible from the Internet. Also note that SNAT translation is required too.
For example, if you need a web server in a container to be accessible from outside and, at the same time, keep a web server on the Hardware Node be accessible, use the following config:
# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 \
  -i eth0 -j DNAT --to-destination ve_address:80
# iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address
After applying this, you'll see container' web server at http://ip_address:8080/.