This tutorial was written on a VPS with the following specification:
- Memory 2 GB
- Disk space 20 GB
- 4 CPU cores
- Virtualization KVM
- Operating system CentOS 6 64-bit
- 1 IPv4 address
- /64 IPv6 block tunneled from HE
The basic idea is to be able to create OpenVZ containers (VMs) inside a KVM VPS.
The containers reach the internet through NAT on eth0 of the KVM VPS, so they have direct outbound access.
Connections from the internet to a container are handled by port forwarding, which is set up with iptables.
This tutorial is based on:
- http://dony-ramansyah.blogspot.com/2011/10/install-openvz-untuk-layanan-vps-di.html
- http://wiki.openvz.org/Using_NAT_for_container_with_private_IPs
Installing a basic web server
    # yum install httpd php
Preparing the OpenVZ repository
Add the OpenVZ repository and its signing key to CentOS 6:
    # cd /etc/yum.repos.d
    # wget http://download.openvz.org/openvz.repo
    # rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ
Installing the OpenVZ kernel
    # yum install vzkernel
    # yum install vzctl vzquota
Modifying sysctl.conf
    # nano /etc/sysctl.conf
Add the following lines:
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.proxy_arp = 0
    net.ipv4.conf.all.rp_filter = 1
    kernel.sysrq = 1
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.icmp_echo_ignore_broadcasts=1
    net.ipv4.conf.default.forwarding=1
Activate the modification:
    # sysctl -p
Modifying vz.conf
    # nano /etc/vz/vz.conf
Find the following line and change the value to "all":
    NEIGHBOUR_DEVS=all
Disabling SELinux in CentOS
    # nano /etc/sysconfig/selinux
Find the SELINUX line and change the value to "disabled":
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
Installing OpenVZ Web Panel for managing OpenVZ
    # wget http://ovz-web-panel.googlecode.com/svn/installer/ai.sh
    # sh ai.sh
Wait until the installation completes; the installer prints a URL such as http://ip.address.of.vps:3000.
Setting iptables
Next, we modify iptables to allow incoming connections to port 3000:
    # nano /etc/sysconfig/iptables
Add the following line:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
Restart iptables:
    # /etc/init.d/iptables restart
Installing OS templates for OpenVZ
    # cd /vz/template/cache
Download the templates for every OS you need from:
    http://download.openvz.org/template/precreated/
Example:
    # wget http://download.openvz.org/template/precreated/ubuntu-11.04-x86.tar.gz
Restart your CentOS server
    # reboot
Verify that the KVM VPS is now running the OpenVZ kernel:
    # uname -arm
Managing through OpenVZ Web Panel
    http://your.vps.ip.address:3000
The default username is admin and the default password is admin. Change it right after the first login, because the iptables rule above opened port 3000 to the whole internet. Through OpenVZ Web Panel we can manage the VMs: create them, edit their settings, delete them, and so on.
Adding IP pools for the VMs
In OpenVZ Web Panel, click IP Pools on the left side and add a pool. Since we only have one IPv4 address, the VMs get private addresses, for example 192.168.1.1 – 192.168.1.255 or 10.10.10.1 – 10.10.10.255.
Next, click localhost on the left side and create your first VM: choose a veid (for example 101), pick the OS template, assign a private IP from the pool, and set the disk space, memory, etc.
How to give a container access to the internet
To give containers access to the internet, we add an iptables SNAT rule for their traffic. Here the KVM VPS uses eth0, with the IP address 194.68.40.216 as an example.
SNAT could be configured per VM, but the quickest way is a single SNAT rule for everything leaving eth0:
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address
ip_address is the public IP address of the VPS, so the rule becomes:
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 194.68.40.216
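The tutorial mentions port forwarding for inbound connections but only shows the outbound SNAT rule, and that rule rewrites every packet leaving eth0 rather than just the container pool. The script below is an added example, not part of the original post: it generates an iptables-restore ruleset that limits SNAT to the private pool and adds one DNAT port forward with matching FORWARD rules. The container address 10.10.10.101 and the host port 2201 are constructed values for the example.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for containers on a private pool behind one public IP.
# Constructed values: host IP and pool from the tutorial; container 101 is assumed to sit at
# 10.10.10.101 and to receive SSH forwarded from host port 2201.
PUB_IF=eth0
PUB_IP=194.68.40.216
CT_NET=10.10.10.0/24

# is_ipv4 ADDR: succeeds only for a dotted quad whose octets are all 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# is_port N: succeeds for 1-65535
is_port() { echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# nat_table HOST_PORT CT_IP CT_PORT: SNAT restricted to the pool (the tutorial's rule
# rewrites every packet leaving eth0) plus one DNAT port forward into the container
nat_table() {
    is_port "$1" && is_ipv4 "$2" && is_port "$3" || return 1
    printf '%s\n' '*nat'
    printf '%s\n' "-A PREROUTING -i $PUB_IF -p tcp --dport $1 -j DNAT --to-destination $2:$3"
    printf '%s\n' "-A POSTROUTING -s $CT_NET -o $PUB_IF -j SNAT --to-source $PUB_IP"
    printf '%s\n' 'COMMIT'
}

# filter_table CT_IP CT_PORT: FORWARD admits established replies, pool-originated traffic
# out, and new connections only to the single forwarded port; anything else is dropped
filter_table() {
    is_ipv4 "$1" && is_port "$2" || return 1
    printf '%s\n' '*filter'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -s $CT_NET -o $PUB_IF -j ACCEPT"
    printf '%s\n' "-A FORWARD -d $1 -p tcp --dport $2 -m state --state NEW -j ACCEPT"
    printf '%s\n' '-A FORWARD -j DROP'
    printf '%s\n' 'COMMIT'
}

# ruleset HOST_PORT CT_IP CT_PORT: complete file; review it, then load with iptables-restore -n
ruleset() { nat_table "$1" "$2" "$3" && filter_table "$2" "$3"; }

ruleset 2201 10.10.10.101 22
```

Loading with `iptables-restore -n` appends to the tables already defined in /etc/sysconfig/iptables instead of flushing them, so the INPUT rule for port 3000 survives.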