Tag Archives: openvz

I’m trying to set up IPv6 on a Debian node running the OpenVZ kernel. The first step is configuring the host node to use IPv6; the next is creating IPv6-only containers. For my experiment I chose a Dacentec dedicated server. Dacentec is a great provider with a lot of choices in the budget dedicated server segment.

A /48 IPv6 block is an optional free add-on for the server.
After opening a support ticket, I received the following details:

Network 2607:5400:048d:0000::/48
Gateway 2607:5400:048d:0000::1/48

SSH into the server and check the interfaces file:

cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth2
iface eth2 inet static
        address 148.126.187.10
        netmask 255.255.255.248
        network 148.126.187.8
        broadcast 148.126.187.15
        gateway 148.126.187.9
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 199.255.156.3
        dns-search droidzone.in
        up ip addr add 148.126.187.14 dev eth2
        up ip addr add 148.126.187.12 dev eth2
        up ip addr add 148.126.187.13 dev eth2

Here, 148.126.187.10 is the primary address of the host node. 148.126.187.12, 148.126.187.13 and 148.126.187.14 are additional IPv4 addresses that I purchased to set up containers. They are not relevant here, since we’re creating IPv6-only containers.

Dacentec provided me with the following /48 IPv6 block:

Network 2107:5200:058d:0000::/48
Gateway 2107:5200:058d:0000::1/48

I then modified my file:

emacs /etc/network/interfaces

and added the following:

iface eth2 inet6 static
        address 2107:5200:058d:0000::2
        netmask 64
        up ip -6 route add default via 2107:5200:058d:0000::1 dev eth2
        down ip -6 route del default via 2107:5200:058d:0000::1 dev eth2

The final file looks like this:

auto lo
iface lo inet loopback
allow-hotplug eth2
iface eth2 inet static
        address 148.126.187.10
        netmask 255.255.255.248
        network 148.126.187.8
        broadcast 148.126.187.15
        gateway 148.126.187.9
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 199.255.156.3
        dns-search droidzone.in
        up ip addr add 148.126.187.14 dev eth2
        up ip addr add 148.126.187.12 dev eth2
        up ip addr add 148.126.187.13 dev eth2
iface eth2 inet6 static
        address 2107:5200:058d:0000::2
        netmask 64
        up ip -6 route add default via 2107:5200:058d:0000::1 dev eth2
        down ip -6 route del default via 2107:5200:058d:0000::1 dev eth2

Now do the following:

ifdown eth2 && ifup eth2

If you run only ifdown eth2, your SSH session exits and you will no longer be able to connect. Only a restart will fix it, unless you have a KVM or IPMI console to bring the interface back online.

Next up: creating IPv6-only containers.

Creating ipv6-only containers
With the above configuration in place, I added the address pool from 2107:5200:058d:0000::4 to 2107:5200:058d:0000::10 to the OpenVZ web panel. Alternatively, you can use Proxmox or the command-line vzctl tool.

Then I created a VPS, assigning it the IP 2107:5200:058d:0000::4, and entered the container from the node with:

vzctl enter 2

I edited resolv.conf to contain:

nameserver 2001:4860:4860::8888

I found that I could no longer ping IPv4 addresses, but could ping IPv6 with ease:

# ping6 ipv6.google.com
PING ipv6.google.com(yv-in-x71.1e100.net) 56 data bytes
64 bytes from yv-in-x71.1e100.net: icmp_seq=1 ttl=54 time=9.77 ms
64 bytes from yv-in-x71.1e100.net: icmp_seq=2 ttl=54 time=9.74 ms
64 bytes from yv-in-x71.1e100.net: icmp_seq=3 ttl=54 time=9.74 ms

To add IPv6 addresses to containers, edit /etc/sysctl.conf so that it contains:

net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.all.proxy_ndp = 1

The final file contains:

net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.all.proxy_ndp = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

Activate the new configuration with:

sysctl -p

Now you can assign IPv6 addresses to containers with:

vzctl set <VEID> --ipadd 2107:xxx:xxx::xxx --save
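As an added example (not from the original post), a small Python preflight check for the steps above: it verifies that a sysctl.conf text carries the forwarding and proxy_ndp keys just listed, expands the ::4 to ::10 pool, and rejects container addresses that fall outside the post's /48 or collide with the gateway (::1) and the host node (::2). The block and gateway values are taken from the post; the sysctl text is passed in as a string so the check runs offline.

```python
import ipaddress

# Values exactly as written in the post above.
PROVIDER_BLOCK = ipaddress.IPv6Network("2107:5200:058d::/48")
RESERVED = {ipaddress.IPv6Address("2107:5200:058d::1"),   # provider gateway
            ipaddress.IPv6Address("2107:5200:058d::2")}   # host node (eth2)
# sysctl keys the post adds so the node forwards for its venet containers
# and answers neighbour discovery on their behalf (proxy NDP).
REQUIRED_SYSCTL = {"net.ipv6.conf.all.forwarding": "1", "net.ipv6.conf.default.forwarding": "1",
                   "net.ipv6.conf.all.proxy_ndp": "1", "net.ipv6.conf.default.proxy_ndp": "1"}


def parse_sysctl(text):
    """Return {key: value} for sysctl.conf-style text; comments ignored, last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def sysctl_problems(text):
    """{key: actual value or None} for every required key that is missing or wrong."""
    have = parse_sysctl(text)
    return {k: have.get(k) for k, want in REQUIRED_SYSCTL.items() if have.get(k) != want}


def address_pool(first, last):
    """Every address from first to last inclusive (::4 .. ::10 is 13 addresses, not 7: ::10 is hex)."""
    lo, hi = ipaddress.IPv6Address(first), ipaddress.IPv6Address(last)
    return [str(ipaddress.IPv6Address(n)) for n in range(int(lo), int(hi) + 1)]


def container_addr_problems(addrs):
    """{address text: reason} for every address that must not be handed to a container."""
    problems, seen = {}, set()
    for text in addrs:
        try:
            addr = ipaddress.IPv6Address(text)
        except ValueError:
            problems[text] = "not a valid IPv6 address"
            continue
        if addr not in PROVIDER_BLOCK:
            problems[text] = "outside %s" % PROVIDER_BLOCK
        elif addr in RESERVED:
            problems[text] = "reserved for gateway/host node"
        elif addr in seen:
            problems[text] = "duplicate"
        seen.add(addr)
    return problems
```

For a live node, pass open("/etc/sysctl.conf").read() to sysctl_problems() and the pool you intend to hand to the web panel to container_addr_problems().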

You can enter the VM with:

vzctl enter <VEID>

Now add an IPv6 DNS server to resolv.conf:

vi /etc/resolv.conf
nameserver 2001:4860:4860::8888

Issue:

#nmap --script ssl-enum-ciphers -p 443 server.droidzone.in

Starting Nmap 6.00 ( http://nmap.org ) at 2015-05-18 23:15 IST
route_dst_netlink: can't find interface "venet0"

Fix:
Add the --unprivileged option.

#nmap --script ssl-enum-ciphers -p 443 server.droidzone.in --unprivileged

Starting Nmap 6.00 ( http://nmap.org ) at 2015-05-18 23:16 IST
Nmap scan report for server.droidzone.in (104.28.29.30)
Host is up (0.0091s latency).
Other addresses for server.droidzone.in (not scanned): 104.28.28.30
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|_  Least strength = strong

Nmap done: 1 IP address (1 host up) scanned in 2.55 seconds

First, you need to install Debian on your server. For DelimiterVPS, go to https://clients.delimitervps.com/clientarea.php and log in to your account.
Choose the Reinstall server option.
Under ‘Installation Profile’, choose ‘Debian Wheezy’.
Choose a reasonably strong root password. From personal experience, I’d avoid special characters in the root password: I once set up a very complex password and found that the SSH login shell would not accept it. It’s likely that WHMCS does not escape special characters very well.
Choose ‘Provision Server (Warning)’.

At this point, go back to the email you received from DelimiterVPS and read the part about KVM/ILO configuration. You can log in to ILO and watch the installation progress. Once installation is done, Proxmox is supposed to be up and running at https://yourip:8006. However, we need a couple of steps and a reboot before we can use it.

Run the following:

cat << EOF > /etc/apt/sources.list.d/openvz-rhel6.list
deb http://download.openvz.org/debian wheezy main
EOF
wget http://ftp.openvz.org/debian/archive.key
apt-key add archive.key
apt-get update

Install the OpenVZ kernel:

apt-get install linux-image-openvz-amd64

Next, remove the default Linux kernel so that the OpenVZ kernel starts at boot. Run the following from the shell:

apt-get remove linux-image-amd64 linux-image-3.2.0-4-amd64 linux-base
update-grub

You’ll notice that the OpenVZ-based kernels have now been added to GRUB (the bootloader).

Enable IP forwarding and set up the other sysctl rules. Edit /etc/sysctl.conf and uncomment (remove the # at the beginning) or add the following lines:

# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

Run the following:

sysctl -p
apt-get install vzctl vzquota ploop vzstats

Now, restart the server.

reboot

Run the following:

wget -O - http://ovz-web-panel.googlecode.com/svn/installer/ai.sh | sh

After some time the installation may stop with the following message:
Fatal error: Panel requires Ruby 1.8 (Ruby 1.9 is not supported).

Run update-alternatives --config ruby and select Ruby 1.8:

# update-alternatives --config ruby
There are 2 choices for the alternative ruby (providing /usr/bin/ruby).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /usr/bin/ruby1.9.1   51        auto mode
  1            /usr/bin/ruby1.8     50        manual mode
  2            /usr/bin/ruby1.9.1   51        manual mode

Press enter to keep the current choice[*], or type selection number: 1

Now rerun the installation:

wget -O - http://ovz-web-panel.googlecode.com/svn/installer/ai.sh | sh

At the end, you will get the message:

Panel should be available at:
http://x.droidzone.in:3000
Default credentials: admin/admin

Now login, and change the default password.

You can now install OpenVZ templates (Physical servers > Localhost > OS Templates > Install new OS Template).
Assign IPs to the pool (IP Addresses > Create new IP pool). Add the IPs assigned to you; you may need to buy more from your provider.

To create a VPS:
Localhost > Virtual servers list > Create virtual server

Creating a custom template:
Provision a VPS using a default template.
Log in to the VPS and set up everything, including resolvconf, tzdata, locales, dialog, .bashrc etc.

vzctl stop 1
vzctl set 1 --ipdel all --save
cd /var/lib/vz/private/1
tar --numeric-owner -czf /var/lib/vz/template/cache/debian-7.0-x86_64-minimal-custom.tar.gz .

Change the default port and enable SSL on the OpenVZ web panel:
Change the following in /etc/owp.conf:

# web server port
PORT=3000

to

PORT=2096

and

# SSL support, on - enable, off - disable
SSL=off

to

SSL=on

Restart the service. The panel is now accessible at https://yourdomain.com:2096

I chose 2096 because it is one of the ports that Cloudflare supports, so you get free SSL support through Cloudflare.

Create a symlink at /vz, because most of the vz tools expect the OpenVZ folders to reside there. This step is not strictly necessary, but it can prevent problems later when other vz-related components are installed.

ln -s /var/lib/vz /vz

You also probably need to change:

#NEIGHBOUR_DEVS="detect"

to

NEIGHBOUR_DEVS="all"

in /etc/vz/vz.conf

and run:

service vz restart

For reference, my network config on the node is as follows:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 157.266.186.60
        netmask 255.255.255.192
        network 157.266.186.0
        broadcast 157.266.186.63
        gateway 157.266.186.62
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8
        dns-search droidzone.in

And my two add-on IPs are:

157.266.187.162/32
157.266.187.163/32

Obviously the IPs have been scrambled.

You may face this error while installing the OpenVZ web panel.

Fatal error: Panel requires Ruby 1.8 (Ruby 1.9 is not supported).

Fix:

# update-alternatives --config ruby
There are 2 choices for the alternative ruby (providing /usr/bin/ruby).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /usr/bin/ruby1.9.1   51        auto mode
  1            /usr/bin/ruby1.8     50        manual mode
  2            /usr/bin/ruby1.9.1   51        manual mode

Press enter to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/bin/ruby1.8 to provide /usr/bin/ruby (ruby) in manual mode

And rerun the installer:

wget -O - http://ovz-web-panel.googlecode.com/svn/installer/ai.sh | sh

After getting my own dedicated server, I found myself repeating certain tasks on every container: setting my locale and timezone, adding aliases to .bashrc, updating and upgrading packages. I thought it was time I had a go at customizing my own Debian minimal template.

Here’s how to go about modifying an OpenVZ template.

First, create a container in Proxmox; let its container ID be 100.
Set the IP and other details in the Proxmox panel, including which template it is to be based on.

Start the container:

vzctl start 100

Check that the network is OK:

vzctl exec 100 ping -n -c 1 google.com

Enter the container:

vzctl enter 100

Now do everything you need to on the container: modify the apt sources list, set the timezone, install additional programs or remove existing ones, add public keys, etc.

Remove logs such as .bash_history.

Once you’re done, exit the container.

exit

Stop the container and remove its IP:

vzctl stop 100
vzctl set 100 --ipdel all --save

Now create the new template file:

cd /vz/private/100
tar --numeric-owner -czf /vz/template/cache/debian-7.0-x86_64_India.tar.gz .

Clean up:

vzctl destroy 100
rm -f /etc/vz/conf/100.conf.destroyed
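An added example, not from the original post or the OpenVZ project, that goes one step beyond the "remove .bash_history" advice above: before the tar step it lists files under the container's private directory that should not ship in a template, because every container built from it gets an identical copy (SSH host keys in particular, so clones would all share the same host identity), and it checks that the container's conf file no longer lists an IP after --ipdel all. The glob list and the IP_ADDRESS="..." line format of /etc/vz/conf/<CTID>.conf are assumptions; demo() builds a constructed tree in a temporary directory.

```python
import glob
import os
import re
import tempfile

# Relative globs that should be empty before a container directory is tarred
# into a template (an assumed list, extend it for your own images).
LEFTOVER_GLOBS = (
    "root/.bash_history", "home/*/.bash_history",
    "etc/ssh/ssh_host_*_key", "etc/ssh/ssh_host_*_key.pub",  # every clone would share them
    "var/log/*.log", "var/log/wtmp", "var/log/btmp",
    "tmp/*",
)


def template_leftovers(root):
    """Sorted paths (relative to ROOT) matching LEFTOVER_GLOBS; an empty list means clean."""
    found = []
    for pattern in LEFTOVER_GLOBS:
        for path in glob.glob(os.path.join(root, pattern)):
            found.append(os.path.relpath(path, root))
    return sorted(found)


def assigned_ips(conf_text):
    """IPs still on the IP_ADDRESS line of the container conf (empty after vzctl set --ipdel all)."""
    match = re.search(r'^IP_ADDRESS="([^"]*)"', conf_text, re.MULTILINE)
    return match.group(1).split() if match else []


def demo():
    """Constructed container tree: remove .bash_history as the post says, report what is still left."""
    root = tempfile.mkdtemp(prefix="ct100-")
    for rel in ("root/.bash_history", "etc/ssh/ssh_host_rsa_key",
                "etc/ssh/ssh_host_rsa_key.pub", "var/log/auth.log", "etc/hostname"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    os.remove(os.path.join(root, "root/.bash_history"))
    return template_leftovers(root)
```

On the node, call template_leftovers("/vz/private/100") and assigned_ips(open("/etc/vz/conf/100.conf").read()) right before the tar command; anything either returns should be dealt with first.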

Reference:
OpenVZ Wiki

Changing the password for a container:
vzctl set 101 --userpasswd root:test