Article ID: 119955, created on Feb 3, 2014, last review on May 10, 2014

  • Applies to:
  • Virtuozzo 6.0

Symptoms

What is a "weak" Private Network?

What is a "global" Private Network?

What is the difference between the two?

Resolution

Private Networks

A Private Network isolates the IP addresses added to it from all other IPs, including hosts outside the node. For more details refer to the corresponding section of the documentation.

Example:

There are four containers:

[root@pcs-1 ~]# prlctl list -o name,ip
NAME                             IP_ADDR
101                              10.111.11.101  
102                              10.111.11.102  
103                              10.111.11.103  
104                              10.111.11.104  

Containers 101 and 102 are added to Private Network PrivNet1, containers 103 and 104 are added to Private Network PrivNet2:

[root@pcs-1 ~]# prlsrvctl privnet list
Name              G Netmasks
PrivNet1            10.111.11.101 10.111.11.102 
PrivNet2            10.111.11.103 10.111.11.104

In this case containers 101 and 102 can ping each other:

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 -w 1 10.111.11.102
PING 10.111.11.102 (10.111.11.102) 56(84) bytes of data.
64 bytes from 10.111.11.102: icmp_seq=1 ttl=64 time=0.051 ms

--- 10.111.11.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.051/0.051/0.051/0.000 ms

[root@pcs-1 ~]# prlctl exec 102 ping -c 1 -w 1 10.111.11.101
PING 10.111.11.101 (10.111.11.101) 56(84) bytes of data.
64 bytes from 10.111.11.101: icmp_seq=1 ttl=64 time=0.043 ms

--- 10.111.11.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

but they cannot ping 103 or 104:

[root@pcs-1 ~]# prlctl exec 102 ping -c 1 -w 1 10.111.11.103
PING 10.111.11.103 (10.111.11.103) 56(84) bytes of data.

--- 10.111.11.103 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 -w 1 10.111.11.104
PING 10.111.11.104 (10.111.11.104) 56(84) bytes of data.

--- 10.111.11.104 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

None of the containers can access external hosts:

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

[root@pcs-1 ~]# prlctl exec 103 ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10001ms

Weak Private Networks

Weak Private Networks work on top of the regular Private Network functionality.

If a Private Network is marked as "weak" (by adding the "*" entry to it), the IPs in this network can access any other IP except those added to other Private Networks. Isolation between different Private Networks is preserved; only the isolation from IPs outside any Private Network is lifted.

Example:

Let's modify previous case and make PrivNet1 a "weak" private network:

[root@pcs-1 ~]# prlsrvctl privnet set PrivNet1 -a '*'
[root@pcs-1 ~]# prlsrvctl privnet list
Name              G Netmasks
PrivNet1            10.111.11.101 10.111.11.102 * 
PrivNet2            10.111.11.103 10.111.11.104 

Now containers 101 and 102 can access external hosts:

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=214 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 214ms
rtt min/avg/max/mdev = 214.130/214.130/214.130/0.000 ms

[root@pcs-1 ~]# prlctl exec 102 ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=414 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 414ms
rtt min/avg/max/mdev = 414.201/414.201/414.201/0.000 ms

while still being isolated from the other Private Network:

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 10.111.11.103
PING 10.111.11.103 (10.111.11.103) 56(84) bytes of data.

--- 10.111.11.103 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

[root@pcs-1 ~]# prlctl exec 104 ping -c 1 10.111.11.102
PING 10.111.11.102 (10.111.11.102) 56(84) bytes of data.

--- 10.111.11.102 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10001ms

Global Private Networks

Global Private Networks also work on top of the regular Private Network functionality.

The meaning of a Global Private Network is the opposite of a "weak" one: all IPs included in a Global Private Network become isolated from each other, unless they are also added to the same regular Private Network.

Example:

Let's remove all private networks from the previous step and create one Global Private Network:

[root@pcs-1 ~]# prlsrvctl privnet del PrivNet1
[root@pcs-1 ~]# prlsrvctl privnet del PrivNet2
[root@pcs-1 ~]# prlsrvctl privnet new GlobalPrivNet
[root@pcs-1 ~]# prlsrvctl privnet set GlobalPrivNet -a 10.111.11.0/24 --global yes
[root@pcs-1 ~]# prlsrvctl privnet list
Name              G Netmasks
GlobalPrivNet     x 10.111.11.0/24 

Now none of the containers can ping each other:

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 10.111.11.102
PING 10.111.11.102 (10.111.11.102) 56(84) bytes of data.

--- 10.111.11.102 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 10.111.11.103
PING 10.111.11.103 (10.111.11.103) 56(84) bytes of data.

--- 10.111.11.103 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10001ms

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 10.111.11.104
PING 10.111.11.104 (10.111.11.104) 56(84) bytes of data.

--- 10.111.11.104 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

But if we create another (regular) Private Network inside it, the members of this network can access each other while remaining isolated from all other IPs:

[root@pcs-1 ~]# prlsrvctl privnet new PrivNet1 -a 10.111.11.101 -a 10.111.11.102
[root@pcs-1 ~]# prlsrvctl privnet list
Name              G Netmasks
GlobalPrivNet     x 10.111.11.0/24 
PrivNet1            10.111.11.101 10.111.11.102 

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 10.111.11.102
PING 10.111.11.102 (10.111.11.102) 56(84) bytes of data.
64 bytes from 10.111.11.102: icmp_seq=1 ttl=64 time=0.138 ms

--- 10.111.11.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.138/0.138/0.138/0.000 ms

[root@pcs-1 ~]# prlctl exec 101 ping -c 1 10.111.11.103
PING 10.111.11.103 (10.111.11.103) 56(84) bytes of data.

--- 10.111.11.103 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms
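The three rules above (regular, "weak" and "global" Private Networks) are easy to misread when networks overlap, so the following added example models them as a reachability check that can be run against the output of `prlsrvctl privnet list` before the change is applied to a node. It is not part of this article or of Virtuozzo; it encodes only what the article states, reproducing the three scenarios above. Two points are assumptions, marked in the code: reachability is evaluated symmetrically (an ICMP echo needs both directions), and an IP whose only membership is in a Global Private Network is treated like an IP outside any Private Network towards hosts that are not in that global network, which the article does not state.

```python
"""Model of the Virtuozzo private-network reachability rules as described in the article.

Assumptions (not stated by the article):
  * reachability is symmetric: both directions must be allowed;
  * an IP whose only membership is a *global* network behaves like an IP outside
    any Private Network towards hosts that are not in that global network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PrivNet:
    """One row of `prlsrvctl privnet list`."""
    name: str
    members: list          # IPs or CIDR prefixes from the Netmasks column
    weak: bool = False     # '*' present in the Netmasks column
    global_: bool = False  # 'x' in the G column

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(m, strict=False) for m in self.members)


def parse_privnet_list(text: str) -> list:
    """Parse the text output of `prlsrvctl privnet list` into PrivNet objects."""
    nets = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Name":
            continue  # blank line or the header row
        name, rest = tokens[0], tokens[1:]
        is_global = bool(rest) and rest[0] == "x"   # 'x' in the G column
        if is_global:
            rest = rest[1:]
        weak = "*" in rest                           # '*' marks a weak network
        members = [m for m in rest if m != "*"]
        nets.append(PrivNet(name, members, weak=weak, global_=is_global))
    return nets


def can_communicate(a: str, b: str, nets: list) -> bool:
    """True if hosts a and b can exchange traffic under the given Private Networks."""
    a_nets = {n.name for n in nets if not n.global_ and n.contains(a)}
    b_nets = {n.name for n in nets if not n.global_ and n.contains(b)}
    if a_nets & b_nets:
        return True   # same regular Private Network: always allowed, even inside a global one
    if any(n.global_ and n.contains(a) and n.contains(b) for n in nets):
        return False  # both inside a Global Private Network and share no regular one
    if not a_nets and not b_nets:
        return True   # neither side is in a regular Private Network (assumption, see docstring)
    if a_nets and b_nets:
        return False  # members of different Private Networks are mutually isolated
    # Exactly one side is in a Private Network: it reaches outside hosts only if it is
    # weak. An IP in both a weak and a non-weak network is treated conservatively
    # as isolated (assumption: the article does not cover that overlap).
    by_name = {n.name: n for n in nets}
    return all(by_name[name].weak for name in (a_nets or b_nets))


def reachability(hosts: list, nets: list) -> dict:
    """Map every ordered (src, dst) pair of hosts to its can_communicate verdict."""
    return {(a, b): can_communicate(a, b, nets) for a in hosts for b in hosts if a != b}


# Constructed input: the listings shown in the article, in `prlsrvctl privnet list` format.
LISTING_REGULAR = """\
Name              G Netmasks
PrivNet1            10.111.11.101 10.111.11.102
PrivNet2            10.111.11.103 10.111.11.104
"""
LISTING_WEAK = """\
Name              G Netmasks
PrivNet1            10.111.11.101 10.111.11.102 *
PrivNet2            10.111.11.103 10.111.11.104
"""
LISTING_GLOBAL = """\
Name              G Netmasks
GlobalPrivNet     x 10.111.11.0/24
"""
LISTING_GLOBAL_PLUS = """\
Name              G Netmasks
GlobalPrivNet     x 10.111.11.0/24
PrivNet1            10.111.11.101 10.111.11.102
"""
CONTAINERS = ["10.111.11.101", "10.111.11.102", "10.111.11.103", "10.111.11.104"]

if __name__ == "__main__":
    for title, listing in [("regular", LISTING_REGULAR), ("weak", LISTING_WEAK),
                           ("global", LISTING_GLOBAL), ("global+PrivNet1", LISTING_GLOBAL_PLUS)]:
        nets = parse_privnet_list(listing)
        print(f"== {title} ==")
        for (src, dst), ok in reachability(CONTAINERS + ["8.8.8.8"], nets).items():
            print(f"{src:>14} -> {dst:<14} {'reachable' if ok else 'isolated'}")
```

Feeding the real `prlsrvctl privnet list` output into `parse_privnet_list` and printing the matrix for the node's container IPs plus one external address gives a quick review of the intended isolation before trusting it; the ping checks in the article remain the authoritative confirmation on the node itself.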
