5.2. Networking Modes in Virtuozzo Hybrid Server¶
This section describes networking modes available in Virtuozzo Hybrid Server.
In Virtuozzo Hybrid Server, any virtual machine or container can operate in one of the two networking modes: host-routed or bridged.
5.2.1. Container Network Modes¶
This section describes bridged and host-routed network modes for containers.
Note
IPSec connections inside containers are supported.
5.2.1.1. Host-Routed Mode for Containers¶
By default, a new container starts operating in the host-routed mode. In this mode, the container uses a special network adapter, venet0, to communicate with the server where it resides, with the other containers on the server, and with computers on external networks. The figure below demonstrates an example network configuration where all containers are set to work in the host-routed mode.
In this configuration:
Containers #1, #2, and #3 use the
venet0adapter as the default gateway to send and receive data to/from other networks. They also use this adapter to exchange the traffic between themselves.When containers #1, #2, and #3 start, the server creates ARP and routing entries for them in its ARP and routing tables. You can view the current ARP and routing entries on a server using the
arp -nandroute -ncommands. For example:# arp -n Address HWtype HWaddress Flags Mask Iface 10.30.0.4 ether 00:1a:e2:c7:17:c1 C enp0s5 10.30.23.162 ether 70:71:bc:42:f6:a0 C enp0s5 192.168.200.101 * * MP enp0s5 192.168.200.102 * * MP enp0s5 192.168.200.103 * * MP enp0s5 # route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.200.101 * 255.255.255.255 UH 1000 0 0 venet0 192.168.200.102 * 255.255.255.255 UH 1000 0 0 venet0 192.168.200.103 * 255.255.255.255 UH 1000 0 0 venet0 10.30.0.0 * 255.255.0.0 U 0 0 0 enp0s5 default virtuozzo.com 0.0.0.0 UG 0 0 0 enp0s5
As you can see, the ARP and routing tables contain entries about IP addresses 192.168.200.101, 192.168.200.102, and 192.168.200.103 that belong to containers #1, #2 and #3.
All container outgoing network traffic goes to the
venet0adapter and is forwarded via theenp0s5physical adapter to the destination, according to the routing table of the server.All container incoming network traffic is also processed by the
venet0adapter. Consider the following situation:Computer X on the local network wants to send a data packet to container #1 with IP address 192.168.200.101, so it issues an ARP request which computer has this IP address.
The server hosting container #1 replies with its MAC address.
Computer X sends the data packet to the indicated MAC address.
The server receives the packet and transmits it to
venet0that forwards the packet to container #1.
5.2.1.2. Bridged Mode for Containers¶
The default network adapter of a container can operate in the host-routed mode only. You can, however, create additional virtual adapters in containers and make them operate in the bridged network mode. The following figure shows an example network configuration where containers #1 and #2 are set to work in the bridged mode.
In this configuration:
Container #1 and container #2 have separate virtual adapters consisting of two network interfaces:
A
netif<X>interface in the container (netif1 and netif2 in the figure). This interface represents a counterpart of a physical network adapter installed on a standalone server. Like any other physical adapter, it has a MAC address, can be assigned one or more IP addresses, included in different networks, and so on.A
vethinterface on the hardware node (veth26bc47f6.1 and vethcdb87d9e.1 in the figure). This interface is mostly used to maintain the communication between the hardware node and Ethernet interfaces in containers.Note
To simplify things, virtual adapters operating in the bridged mode are called
vethadapters, though it is not quite correct from the technical point of view.
Both interfaces are closely linked to each other, so a data packet entering one interface always comes out from the other one.
Containers #1 and #2 keep their own ARP and routing tables that they consult when sending or receiving data.
The
vethadapters of both containers are bridged through the bridgebr0to the physical network adapterenp0s5.All container outgoing traffic comes via the
vethadapters to the bridge and are then transmitted through theenp0s5physical adapter to the destination, according to the routing tables stored in the containers.All incoming data packets for container #1 and #2 reach the
enp0s5physical adapter first and are then sent through the bridge to thevethadapter of the destination container.
5.2.2. Virtual Machine Network Modes¶
This section describes bridged and host-routed network modes for virtual machines.
5.2.2.1. Bridged Mode for Virtual Machines¶
By default, a new virtual machine is created with a network adapter that operates in the bridged mode. The figure below demonstrates an example network configuration where two virtual machines, VM #1 and VM #2, are configured to work in the bridged mode.
In this configuration:
Each virtual machine has a separate virtual adapter that exposes two interfaces: (1) an
ethXinterface in the virtual machine (eth0in the figure) and avmeinterface on the server (vme7b9a73a1andvme4980d06ain the figure). Both interfaces are closely linked to each other, which means that an IP packet entering one interface always comes out of the other one. An eth adapter has a MAC address, can be assigned one or more IP addresses, belong to different network environments, and so on.Note
To simplify things, virtual adapters operating in the bridged mode are called
vmeadapters, though it is not quite correct from the technical point of view.VM #1 and VM #2 keep their own ARP and routing tables that they consult when sending or receiving data.
The virtual adapters of both virtual machines are bridged through the bridge
br0to the physical network adapterenp0s5.All outgoing data packets are sent from the virtual machines through the bridge and
enp0s5physical adapter to the destination, according to their routing tables.All incoming data packets for VM #1 and VM #2 reach the
enp0s5physical adapter first and are then transmitted through the bridge to the vme interface of the destination virtual machine.
5.2.2.2. Host-Routed Mode for Virtual Machines¶
The other network mode a virtual machine can work in is the host-routed mode. The figure below demonstrates an example network configuration where two virtual machines, VM #1 and VM #2, are set to operate in the host-routed mode.
In this configuration:
Each virtual machine also has a virtual adapter exposing two interfaces: an
ethinterface in the virtual machine and avmeinterface on the server.Unlike the bridged mode, the ARP entries for VM #1 and VM #2 are stored on the server rather than in the virtual machines themselves. The server creates these ARP entries and saves them to its ARP table when VM #1 and VM #2 start. You can use the
arp -ncommand to view the current ARP entries on a server, for example:# arp -n Address HWtype HWaddress Flags Mask Iface 10.30.0.4 ether 00:1a:e2:c7:17:c1 C eth0 10.30.23.162 ether 70:71:bc:42:f6:a0 C eth0 192.168.200.201 * * MP eth0 192.168.200.202 * * MP eth0
Along with ARP entries, the server also creates routing entries for both virtual machines. So when the server receives a data packet destined for IP address 192.168.200.201, it knows that the packet must be forwarded to the
vme7b9a73a1interface of VM #1.The server handles all incoming traffic for both virtual machines. Consider the following situation:
Computer X on the network wants to send a data packet to VM #1 with IP address 192.168.200.201, so it issues an ARP request which computer has this IP address.
The server replies with its own MAC address.
Computer X sends the data packet to the indicated MAC address.
The
enp0s5physical adapter receives the packet and routes it to thevme7b9a73a1interface of VM #1.
All outgoing network traffic sent from VM #1 and VM #2 are routed through the default gateway to the
enp0s5adapter on the server. The default gateway for host-routed virtual machines is automatically assigned the IP address of 169.254.0.1. This special IP address is taken from the Automatic Private IP Addressing (APIPA) range and used exclusively to deliver data packets from virtual machines to the server.
5.2.3. Differences Between Host-Routed and Bridged Network Modes¶
The bridged network mode demonstrates a number of differences as compared to the host-routed one:
Each
vethorvmevirtual adapter has a MAC address assigned to it while a host-routed adapter does not have any. Thanks to this fact:Any virtual machine or container can see all broadcast and multicast packets received from or sent to the selected network adapter on the hardware node.
Using bridged virtual adapters, you can host DHCP or Samba servers in virtual machines and containers.
There is no more need to assign all network settings (IP addresses, subnet mask, gateway, and so on) to virtual machines and containers from the server. All network parameters can be set from inside virtual machines and containers.
vethandvmeadapters can be bridged among themselves and with other devices. If severalvethandvmeadapters are united into a bridge, this bridge can be used to handle network traffic for the virtual machines and containers whosevethandvmeadapters are included in the bridge.Due to the fact that
vethandvmeadapters act as full members on the network (rather than “hidden” beyond virtual networks adapters on the server), they are more prone to security vulnerabilities: traffic sniffing, IP address collisions, and so on. Therefore,vethandvmeadapters are recommended for use in trusted network environments only.