  • 1.  WPAR network configuration

    Posted Mon November 30, 2015 07:33 AM

    Originally posted by: 23F1_Pavel_Simonovsky


    Hi

    Task is as follows:

    I am building an automated checking system (the goal is to bring up the required number of accounts with an installed product as quickly as possible, with minimal involvement of IT). It looks like WPAR is a perfect framework for this purpose. You get a clean environment for your install: no used accounts, no used ports… Instead of cleaning up an account, you simply stop and destroy the WPAR.

    But -  I faced 2 problems that I do not know how to solve:

     

    The first is simpler. I have an LPAR on which I have root ... I created a WPAR there.

    Address of LPAR - 10.64.72.174

    Address of WPAR - 10.64.72.222, mask - 255.255.255.0

    When starting the WPAR, this pops up:

    Warning

    ckwpar: 0960-125 network.address: 10.64.72.222/255.255.255.0 is not in the same network as any of the global interfaces.

    But the network works. The WPAR can be reached from any computer on the network without a problem, and it can connect to other computers on the network ... Why does this happen?

     

    The second and more interesting question. The ideal situation, from my point of view, would be something similar to the way VBox works with a NAT adapter. That is, using VBox you get a virtual machine that is invisible from "outside" ... It gets (on your host machine) the address 10.0.2.15.

    And there is a mechanism for port forwarding, by which I say "port 2222 on my host machine (LPAR) is forwarded to port 22 on the virtual machine (WPAR)" ... And thus, without creating any new addresses (which requires constant coordination with IT, so as not to duplicate addresses that already exist somewhere or are planned to be allocated to some machines), I will let developers work over the network on those machines by referring to the host machine's address, but through a different port (say 2222 instead of 22 to connect to the virtual machine via SSH).
    Is this (or a similar) configuration possible with WPAR on AIX?
      


    #AIX-Forum


  • 2.  Re: WPAR network configuration

    Posted Tue December 01, 2015 09:34 AM

    Originally posted by: DaveMarquardt


    For the first issue, I agree, that's strange, seems like a bug in ckwpar.

    For the second question, if I understand correctly, you'd like to give your WPAR some private IP address, and use network address and port translation, aka NAPT, to direct traffic to and from the WPAR. There is a port of IPFilter to AIX, see "IP Filters" at http://www-03.ibm.com/systems/power/software/aix/expansionpack/table.html.


    #AIX-Forum


  • 3.  Re: WPAR network configuration

    Posted Tue December 01, 2015 09:59 AM

    Originally posted by: 23F1_Pavel_Simonovsky


    Hi Dave.

    Yep - that is exactly what I want. To assign the WPAR some private IP address accessible only from the HOST LPAR, and tunnel all network traffic to and from the WPAR through the HOST (LPAR) network address using address and port forwarding on the HOST machine.

    I will research your link! 10x a lot!


    #AIX-Forum


  • 4.  Re: WPAR network configuration

    Posted Tue December 01, 2015 10:18 AM

    Originally posted by: Wouter Liefting


    I'm not sure this is going to work out of the box.

    On whole-host virtualization solutions such as VMWare ESX or PowerVM/LPAR, the hypervisor implements a virtual network switch, and then bridges this virtual network switch to the outside world using a software bridge (SEA in VIO-speak). Leave out the software bridge and you've got an isolated network. Obviously all your VMs/LPARs on that switch will have access to it, plus your hypervisor/VIOs. So you can do what you describe here.

    With WPAR technology there is no such isolated network. Instead, the IPs of the WPARs are aliased onto existing network adapters in the global environment. That gives connectivity to the outside world. But there is no isolated network or software bridge involved. (*)

    If you want your WPARs on an isolated network, with some sort of firewalling/port forwarding to gain access, you will need to set this up outside of the WPAR context. You can for instance set up your AIX LPAR with a whole bunch of virtual ethernet adapters on an isolated network managed by PowerVM (PowerVM Hypervisor Virtual Switch). You then assign these virtual ethernet adapters as-is to your WPAR. (So you're not configuring them in AIX and aliasing the WPAR IP on top of them, but instead assigning the whole device to a WPAR, using the mkwpar -D command.)

    You can then use another AIX system, or the VIO server, to do the port forwarding onto this isolated network.

    Hope this helps.

    (*) Incidentally, if you assign an IP address to a WPAR but this IP address does not fall in any of the networks to which the host AIX system is connected (as determined by the AIX IP/subnetmask combo), the mkwpar/chwpar command will not be able to figure out onto which adapter this WPAR IP address needs to be aliased. So this may be where your warning/error is coming from. Apparently, and fortunately for you, the code somehow picked the right ethernet adapter for the alias, so things work. But to make sure things will keep on working in the future, use the -N interface=... parameter to force the IP aliasing to happen on that particular interface.


    #AIX-Forum
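An added example (not from the thread, and not ckwpar's actual code) of the subnet test the footnote above describes: the WPAR address can only be matched to an adapter if its address/netmask yields the same network as one of the global interfaces. The interface names and the netmasks of the global interfaces are constructed, since the thread does not give the LPAR's netmask.

```shell
#!/bin/sh
# Added illustration of the "same network as a global interface" test.
# Assumption: a match requires equal netmasks and equal network numbers.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Network number of address $1 under netmask $2.
network_of() {
    echo $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# find_alias_interface WPAR_IP WPAR_MASK "ifname ip mask" ...
# Prints the first global interface on the WPAR's network; returns 1 if none.
find_alias_interface() {
    w_ip=$1; w_mask=$2; shift 2
    w_net=$(network_of "$w_ip" "$w_mask")
    for entry in "$@"; do
        name=${entry%% *}; rest=${entry#* }
        g_ip=${rest%% *}; g_mask=${rest#* }
        if [ "$g_mask" = "$w_mask" ] &&
           [ "$(network_of "$g_ip" "$g_mask")" -eq "$w_net" ]; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# Constructed case: the global interface uses a /25 mask, the WPAR a /24.
# The addresses look adjacent, yet the networks differ and nothing matches.
if ifname=$(find_alias_interface 10.64.72.222 255.255.255.0 \
        "en0 10.64.72.174 255.255.255.128"); then
    echo "alias onto $ifname"
else
    echo "no matching global interface: pass -N interface=... explicitly"
fi
```
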


  • 5.  Re: WPAR network configuration

    Posted Tue December 01, 2015 10:44 AM

    Originally posted by: Wouter Liefting


    While on my way home I was thinking about a different solution, which may or may not work.

    Set up your host AIX system with one extra virtual ethernet adapter and make sure this virtual ethernet adapter is connected to a VLAN that is NOT bridged to the outside world by the VIO server. Make sure that all your WPARs (except the one listed below) have their IP aliased onto this network adapter.

    In order to gain external access to your WPARs you now have two choices.

    1. Give the AIX host (the "Global" environment) an IP address on this adapter too, which must match the IP range used by the WPARs. Do not enable IP forwarding but instead use the IP firewall tools (see link above) to set up port forwarding from the external AIX IP interface to the proper WPAR IP address.

    2. Do not give AIX an IP address on this network, but set up an additional WPAR that has two network interfaces. One is IP aliased onto the Global environment interface that is connected to the outside world, one is connected to the isolated interface. You then set up port forwarding within this firewall WPAR. (I have to admit though that I'm not sure whether the firewalling tools can be installed and used inside a WPAR. They integrate tightly with the kernel so it may not work at all, or you may need to give your WPAR some additional privileges so that it can load these kernel modules.)

    Once again, you are still relying on some external means (in this case an isolated virtual ethernet adapter) to act as your isolated network. You cannot do this completely inside the WPAR context.


    #AIX-Forum
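An added example (not part of the thread) for choice 1 above: a generator for IPFilter `rdr` rules that forward one host port per WPAR to that WPAR's SSH port, as in the 2222-to-22 mapping from the first post. The second WPAR address is constructed, and whether AIX applies such rules to WPAR alias addresses is an assumption the thread does not confirm.

```shell
#!/bin/sh
# gen_rdr_rules EXT_IF EXT_IP BASE_PORT WPAR_IP...
# Emits one ipnat "rdr" rule per WPAR: BASE_PORT, BASE_PORT+1, ... on the
# host's external address are redirected to port 22 of each WPAR.
# Nothing is printed unless every input passes validation.
gen_rdr_rules() {
    ext_if=$1; ext_ip=$2; port=$3; shift 3

    # Stay out of the privileged range so the host's own services
    # (including its sshd on port 22) are never shadowed by a redirect.
    last=$((port + $# - 1))
    if [ "$port" -lt 1024 ] || [ "$last" -gt 65535 ]; then
        echo "ports $port-$last fall outside 1024-65535" >&2
        return 1
    fi

    # Reject malformed or repeated WPAR addresses before emitting anything.
    seen=" "
    for wpar_ip in "$@"; do
        case $wpar_ip in
            ""|*[!0-9.]*) echo "bad address: $wpar_ip" >&2; return 1 ;;
        esac
        case $seen in
            *" $wpar_ip "*) echo "duplicate address: $wpar_ip" >&2; return 1 ;;
        esac
        seen="$seen$wpar_ip "
    done

    for wpar_ip in "$@"; do
        echo "rdr $ext_if $ext_ip/32 port $port -> $wpar_ip port 22 tcp"
        port=$((port + 1))
    done
}

# Host address and en0 are taken from the thread; 10.6.0.2 is constructed.
gen_rdr_rules en0 10.64.72.174 2222 10.6.0.1 10.6.0.2
```

The output is meant to be reviewed and then loaded as an IPFilter NAT rule file; an outbound `map` rule alone does not make the WPAR reachable from other machines.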


  • 6.  Re: WPAR network configuration

    Posted Wed April 05, 2017 06:44 PM

    Originally posted by: aixunix33


    I have a similar problem.

    I had configured the WPAR with a separate (different from my network) IP.

    I use ipfilter for NAT.

    From the WPAR I can ping other machines and even internet IPs.

    From other machines I cannot ping or telnet/ssh the IP of the WPAR.

    I use this configuration:

    mkwpar -h wpar2 -l -i -r -N interface=en0 address=10.6.0.1 netmask=255.255.255.0 -n wpar2


    #AIX-Forum