5.2. Networking Modes in Virtuozzo Hybrid Server

This section describes networking modes available in Virtuozzo Hybrid Server.

In Virtuozzo Hybrid Server, any virtual machine or container can operate in one of the two networking modes: host-routed or bridged.

5.2.1. Container Network Modes

This section describes bridged and host-routed network modes for containers.

Note

IPSec connections inside containers are supported.

5.2.1.1. Host-Routed Mode for Containers

By default, a new container starts operating in the host-routed mode. In this mode, the container uses a special network adapter, venet0, to communicate with the server where it resides, with the other containers on the server, and with computers on external networks. The figure below demonstrates an example network configuration where all containers are set to work in the host-routed mode.

../_images/container_venet_mode.png

In this configuration:

  • Containers #1, #2, and #3 use the venet0 adapter as the default gateway to send and receive data to/from other networks. They also use this adapter to exchange the traffic between themselves.

  • When containers #1, #2, and #3 start, the server creates ARP and routing entries for them in its ARP and routing tables. You can view the current ARP and routing entries on a server using the arp -n and route -n commands. For example:

    # arp -n
    Address              HWtype   HWaddress            Flags Mask      Iface
    10.30.0.4            ether    00:1a:e2:c7:17:c1    C               enp0s5
    10.30.23.162         ether    70:71:bc:42:f6:a0    C               enp0s5
    192.168.200.101      *        *                    MP              enp0s5
    192.168.200.102      *        *                    MP              enp0s5
    192.168.200.103      *        *                    MP              enp0s5
    # route -n
    Kernel IP routing table
    Destination       Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.200.101   *               255.255.255.255 UH    1000   0        0 venet0
    192.168.200.102   *               255.255.255.255 UH    1000   0        0 venet0
    192.168.200.103   *               255.255.255.255 UH    1000   0        0 venet0
    10.30.0.0         *               255.255.0.0     U     0      0        0 enp0s5
    default           virtuozzo.com   0.0.0.0         UG    0      0        0 enp0s5
    

    As you can see, the ARP and routing tables contain entries for the IP addresses 192.168.200.101, 192.168.200.102, and 192.168.200.103, which belong to containers #1, #2, and #3.

  • All container outgoing network traffic goes to the venet0 adapter and is forwarded via the enp0s5 physical adapter to the destination, according to the routing table of the server.

  • All container incoming network traffic is also processed by the venet0 adapter. Consider the following situation:

    1. Computer X on the local network wants to send a data packet to container #1 with IP address 192.168.200.101, so it issues an ARP request asking which computer has this IP address.

    2. The server hosting container #1 replies with its MAC address.

    3. Computer X sends the data packet to the indicated MAC address.

    4. The server receives the packet and transmits it to venet0 that forwards the packet to container #1.

5.2.1.2. Bridged Mode for Containers

The default network adapter of a container can operate in the host-routed mode only. You can, however, create additional virtual adapters in containers and make them operate in the bridged network mode. The following figure shows an example network configuration where containers #1 and #2 are set to work in the bridged mode.

../_images/veth_mode_cts.png

In this configuration:

  • Container #1 and container #2 have separate virtual adapters consisting of two network interfaces:

    • A netif<X> interface in the container (netif1 and netif2 in the figure). This interface represents a counterpart of a physical network adapter installed on a standalone server. Like any other physical adapter, it has a MAC address, can be assigned one or more IP addresses, can be included in different networks, and so on.

    • A veth interface on the hardware node (veth26bc47f6.1 and vethcdb87d9e.1 in the figure). This interface is mostly used to maintain the communication between the hardware node and Ethernet interfaces in containers.

      Note

      To simplify things, virtual adapters operating in the bridged mode are called veth adapters, though it is not quite correct from the technical point of view.

    Both interfaces are closely linked to each other, so a data packet entering one interface always comes out from the other one.

  • Containers #1 and #2 keep their own ARP and routing tables that they consult when sending or receiving data.

  • The veth adapters of both containers are bridged through the bridge br0 to the physical network adapter enp0s5.

  • All container outgoing traffic comes via the veth adapters to the bridge and is then transmitted through the enp0s5 physical adapter to the destination, according to the routing tables stored in the containers.

  • All incoming data packets for container #1 and #2 reach the enp0s5 physical adapter first and are then sent through the bridge to the veth adapter of the destination container.

5.2.2. Virtual Machine Network Modes

This section describes bridged and host-routed network modes for virtual machines.

5.2.2.1. Bridged Mode for Virtual Machines

By default, a new virtual machine is created with a network adapter that operates in the bridged mode. The figure below demonstrates an example network configuration where two virtual machines, VM #1 and VM #2, are configured to work in the bridged mode.

../_images/vm_bridged_mode.png

In this configuration:

  • Each virtual machine has a separate virtual adapter that exposes two interfaces: an ethX interface in the virtual machine (eth0 in the figure) and a vme interface on the server (vme7b9a73a1 and vme4980d06a in the figure). Both interfaces are closely linked to each other, which means that an IP packet entering one interface always comes out of the other one. An eth adapter has a MAC address, can be assigned one or more IP addresses, can belong to different network environments, and so on.

    Note

    To simplify things, virtual adapters operating in the bridged mode are called vme adapters, though it is not quite correct from the technical point of view.

  • VM #1 and VM #2 keep their own ARP and routing tables that they consult when sending or receiving data.

  • The virtual adapters of both virtual machines are bridged through the bridge br0 to the physical network adapter enp0s5.

  • All outgoing data packets are sent from the virtual machines through the bridge and enp0s5 physical adapter to the destination, according to their routing tables.

  • All incoming data packets for VM #1 and VM #2 reach the enp0s5 physical adapter first and are then transmitted through the bridge to the vme interface of the destination virtual machine.

5.2.2.2. Host-Routed Mode for Virtual Machines

The other network mode a virtual machine can work in is the host-routed mode. The figure below demonstrates an example network configuration where two virtual machines, VM #1 and VM #2, are set to operate in the host-routed mode.

../_images/host_routed_vm.png

In this configuration:

  • Each virtual machine also has a virtual adapter exposing two interfaces: an eth interface in the virtual machine and a vme interface on the server.

  • Unlike the bridged mode, the ARP entries for VM #1 and VM #2 are stored on the server rather than in the virtual machines themselves. The server creates these ARP entries and saves them to its ARP table when VM #1 and VM #2 start. You can use the arp -n command to view the current ARP entries on a server, for example:

    # arp -n
    Address         HWtype  HWaddress               Flags Mask      Iface
    10.30.0.4       ether   00:1a:e2:c7:17:c1       C               eth0
    10.30.23.162    ether   70:71:bc:42:f6:a0       C               eth0
    192.168.200.201 *       *                       MP              eth0
    192.168.200.202 *       *                       MP              eth0
    
  • Along with ARP entries, the server also creates routing entries for both virtual machines. So when the server receives a data packet destined for IP address 192.168.200.201, it knows that the packet must be forwarded to the vme7b9a73a1 interface of VM #1.

  • The server handles all incoming traffic for both virtual machines. Consider the following situation:

    1. Computer X on the network wants to send a data packet to VM #1 with IP address 192.168.200.201, so it issues an ARP request asking which computer has this IP address.

    2. The server replies with its own MAC address.

    3. Computer X sends the data packet to the indicated MAC address.

    4. The enp0s5 physical adapter receives the packet and routes it to the vme7b9a73a1 interface of VM #1.

  • All outgoing network traffic sent from VM #1 and VM #2 is routed through the default gateway to the enp0s5 adapter on the server. The default gateway for host-routed virtual machines is automatically assigned the IP address of 169.254.0.1. This special IP address is taken from the Automatic Private IP Addressing (APIPA) range and used exclusively to deliver data packets from virtual machines to the server.
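
The host-routed mode described for containers in 5.2.1.1 and for virtual machines in this section depends on two server-side tables agreeing: the published (MP) ARP entries and the per-guest host routes. The following Python sketch is an added example, not part of the Virtuozzo documentation; it parses the arp -n and route -n listings shown in 5.2.1.1 and reports addresses present in one table but not the other, or absent from an operator-supplied inventory. The function names, the inventory argument, and the venet0/vme* interface test are assumptions made for illustration.

```python
import re

# Listings copied from the page's host-routed container example (5.2.1.1).
ARP_N = """\
Address              HWtype   HWaddress            Flags Mask      Iface
10.30.0.4            ether    00:1a:e2:c7:17:c1    C               enp0s5
10.30.23.162         ether    70:71:bc:42:f6:a0    C               enp0s5
192.168.200.101      *        *                    MP              enp0s5
192.168.200.102      *        *                    MP              enp0s5
192.168.200.103      *        *                    MP              enp0s5
"""
ROUTE_N = """\
Destination       Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.200.101   *               255.255.255.255 UH    1000   0        0 venet0
192.168.200.102   *               255.255.255.255 UH    1000   0        0 venet0
192.168.200.103   *               255.255.255.255 UH    1000   0        0 venet0
10.30.0.0         *               255.255.0.0     U     0      0        0 enp0s5
default           virtuozzo.com   0.0.0.0         UG    0      0        0 enp0s5
"""
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")

def is_guest_iface(name):
    # Assumption: venet0 serves containers and vme* serves VMs, as in the page's figures.
    return name == "venet0" or name.startswith("vme")

def published_arp(text):
    """Addresses the server answers ARP for on behalf of guests (flags M and P)."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: f[4] for f in rows
            if len(f) == 5 and IPV4.match(f[0]) and {"M", "P"} <= set(f[3])}

def guest_host_routes(text):
    """Per-guest /32 routes that point at a guest-facing interface."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: f[7] for f in rows
            if len(f) == 8 and IPV4.match(f[0])
            and f[2] == "255.255.255.255" and is_guest_iface(f[7])}

def audit(arp_text, route_text, inventory):
    """Compare both tables with the addresses the operator actually assigned."""
    arp, routes = set(published_arp(arp_text)), set(guest_host_routes(route_text))
    return {
        "arp_without_route": sorted(arp - routes),   # answered, but undeliverable
        "route_without_arp": sorted(routes - arp),   # deliverable, but unresolvable
        "not_in_inventory": sorted((arp | routes) - set(inventory)),
    }

if __name__ == "__main__":
    print(audit(ARP_N, ROUTE_N, ["192.168.200.101", "192.168.200.102"]))
```

An address listed under not_in_inventory is one the server answers for or routes to a guest without the operator having assigned it, which is worth investigating on a multi-tenant node.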

5.2.3. Differences Between Host-Routed and Bridged Network Modes

The bridged network mode demonstrates a number of differences as compared to the host-routed one:

  • Each veth or vme virtual adapter has a MAC address assigned to it while a host-routed adapter does not have any. Thanks to this fact:

    • Any virtual machine or container can see all broadcast and multicast packets received from or sent to the selected network adapter on the hardware node.

    • Using bridged virtual adapters, you can host DHCP or Samba servers in virtual machines and containers.

  • There is no more need to assign all network settings (IP addresses, subnet mask, gateway, and so on) to virtual machines and containers from the server. All network parameters can be set from inside virtual machines and containers.

  • veth and vme adapters can be bridged among themselves and with other devices. If several veth and vme adapters are united into a bridge, this bridge can be used to handle network traffic for the virtual machines and containers whose veth and vme adapters are included in the bridge.

  • Because veth and vme adapters act as full members of the network (rather than being hidden behind virtual network adapters on the server), they are more exposed to security risks such as traffic sniffing, IP address collisions, and so on. Therefore, veth and vme adapters are recommended for use in trusted network environments only.