[Users] firewall capability in openVZ/virtuozzo 7

Konstantin Khorenko khorenko at virtuozzo.com
Tue Oct 11 01:47:32 PDT 2016


Hi Jehan,

you don't need to configure any capabilities in Virtuozzo 7 anymore as user namespaces are used in vz7 now.
Yes, documentation contains outdated description, we'll update docs soon:
https://bugs.openvz.org/browse/OVZ-6802

And in your case most probably you just need to enable conntracks for Container:
# prlctl set MyCT --netfilter stateful

or if you need NAT as well:
# prlctl set MyCT --netfilter full

Hope that helps.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 10/10/2016 10:42 PM, Jehan Procaccia wrote:
> hello
>
> by default firewalld doesn't work on a fresh install container
> (centos7-x64)
>
> docs say:
> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
> I guess I need to enable net_admin
> net_admin     Allows the administration of IP firewalls and accounting.
>      off
> as it is by default set to off
>
> but the command is deprecated
> # vzctl set MyCT11 --capability net_admin --save
> Warning: The --capability option is deprecated
>
> So I used prlctl (not proposed in the doc above !?)
>
> # prlctl set MyCT11 --capability net_admin:on
> Set capabilities: NET_ADMIN:on
> The CT has been successfully configured.
>
> but still in the CT
> /# firewall-cmd --get-active-zones
> nothing
> /# firewall-cmd --reload
> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match
> by that name.
> as if the NET_ADMIN capability is not saved permanently in the CT definition
>
> what is the equivalent of vzctl --save with prlctl ?
> or did I mess up somewhere else?
>
> Regards.

