Symptoms

  • OSA brands have been migrated to a new Branding UI node during upgrade to OA 7.0 (see Upgrade Workflow Guide for more details).
  • The Branding node has been deployed as a Virtuozzo container with assigned Frontnet and Backnet interfaces via Virtuozzo container management utilities.
  • Brands are not accessible at the new location over the new IP addresses, the new IPs are not reachable at all
  • The TCP traffic reaches the hardware node, but does not appear inside the Branding container

Cause

Virtuozzo bridge filtering prevents unwanted traffic to be passed to a container, unless the IP configuration is present inside the corresponding ve.conf file. With Branding node, all IP addresses are assigned directly inside the container by OSA, so they are missing from the node perspective and get filtered out.

Resolution

To solve the issue immediately and pass the traffic into the container, run the following command on the node:

# service ebtables stop

To solve the issue permanently, it is needed to remove all public network configuration from the node perspective and manage it inside the container only. To do that, change the container configuration file /etc/vz/conf/$VEID.conf (where VEID is the ID of the container), here is a real-life example:

  • existing configuration:

    NETIF="ifname=eth0,mac=00:18:51:BD:84:6D,host_mac=00:18:51:9A:9D:27,configure=all,network=frontnet,gw=xxx.xxx.182.254,ip=xxx.xxx.182.199/255.255.255.128,ip6;ifname=eth1,mac=00:18:51:86:2E:76,host_mac=00:18:51:AA:CF:FB,network=backnet,ip=yyy.yyy.32.41/255.255.255.0,ip6="
    
  • safe configuration:

    NETIF="ifname=eth0,mac=00:18:51:BD:84:6D,host_mac=00:18:51:9A:9D:27,network=frontnet,gw=,ip=,ip6;ifname=eth1,mac=00:18:51:86:2E:76,host_mac=00:18:51:AA:CF:FB,network=backnet,ip=yyy.yyy.32.41/255.255.255.0,ip6="
    
  • important changes, applied to eth0 interface:

    • remove configure=all pattern
    • remove IP and netmask configuration, leave just ip= and ip6=
    • remove GW configuration, leave just gw=
  • backup all ifcfg-* files inside the container in /etc/sysconfig/network-scripts/ directory and restart the container after the changes have been applied:

    # vzctl restart $VEID
    

Note: with this change, the current network configuration should be preserved and remain untouched inside the container after the restart. So backing up the network configuration fiels is a safety measure in case something goes wrong afterwards, and the settings need to be restored.

Internal content