[Users] firewall capability in openVZ/virtuozzo 7

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Tue Oct 11 03:22:46 PDT 2016


OK, that works fine with this:

# prlctl set MyCT11 --netfilter stateful
Set netfilter: stateful
The CT has been successfully configured.

and it is saved:

# grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
NETFILTER="stateful"

Inside the CT I can now issue firewall-cmd:

CT-1d268e70 /# firewall-cmd --get-active-zones
public
   interfaces: eth0

Great!

Now, I realized that on the host machine, if I start firewalld, I am
locked out of my ssh session :-(
although the ssh service is open on all interfaces!

# firewall-cmd --zone=public --list-all
public (default, active)
   interfaces: br0 br1 br10 br11  em1 em2 p2p2 p2p2.11
   sources:
   services: dhcpv6-client ssh
   ports:
   masquerade: no
   forward-ports:
   icmp-blocks:
   rich rules:

Did I miss something again?

Regards.

On 11/10/2016 11:04, Vasily Averin wrote:
> Dear Jehan,
>
> OpenVZ containers do not require enabling additional capabilities;
> the default settings allow using iptables inside the container.
>
> However, by default netfilter is restricted;
> most likely you need to change it using "prlctl set --netfilter":
>
>         --netfilter <disabled|stateless|stateful|full>
>             Restrict access to iptable modules inside the Container.
>             The following modes are available:
>             disabled   -- no modules are allowed.
>             stateless  -- (default) all modules except NAT and conntracks are
>                           allowed.
>             stateful   -- all modules except NAT are allowed.
>             full       -- all modules are allowed.
>
>
> BTW, prlctl works like "vzctl --save" in all cases; it saves the setting in the configs.
>
> Thank you,
> 	Vasily Averin
>
> On 10.10.2016 22:42, Jehan Procaccia wrote:
>> Hello,
>>
>> By default firewalld doesn't work in a freshly installed container (centos7-x64).
>>
>> The docs say:
>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>> I guess I need to enable net_admin:
>> net_admin     Allows the administration of IP firewalls and accounting.     off
>> as it is by default set to off.
>>
>> But the command is deprecated:
>> # vzctl set MyCT11 --capability net_admin --save
>> Warning: The --capability option is deprecated
>>
>> So I used prlctl (not proposed in the doc above!?):
>>
>> # prlctl set MyCT11 --capability net_admin:on
>> Set capabilities: NET_ADMIN:on
>> The CT has been successfully configured.
>>
>> But still, in the CT:
>> /# firewall-cmd --get-active-zones
>> nothing
>> /# firewall-cmd --reload
>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>> as if the NET_ADMIN capability is not saved permanently in the CT definition.
>>
>> What is the equivalent of vzctl --save with prlctl?
>> Or did I mess up somewhere else?
>>
>> Regards.
>>
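An added operator check, not part of this thread: given a container's ve.conf, it reads the NETFILTER mode and reports whether conntrack matches (which firewalld's `-m conntrack --ctstate` rule needs) and NAT are allowed, following the mode table quoted from the prlctl documentation. The ve.conf contents, paths and hostnames are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Mode semantics follow the quoted
# "prlctl set --netfilter" documentation:
#   disabled  -> no iptables modules
#   stateless -> all except NAT and conntrack (the default)
#   stateful  -> all except NAT
#   full      -> everything

# Print the NETFILTER mode stored in a ve.conf; "stateless" if unset,
# since that is the documented default.
netfilter_mode() {
    mode=$(sed -n 's/^NETFILTER="\{0,1\}\([a-z]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-stateless}"
}

# "yes" if -m conntrack (what firewalld's RELATED,ESTABLISHED rule uses)
# can load in this mode.
conntrack_allowed() {
    case "$1" in
        stateful|full)      echo yes ;;
        disabled|stateless) echo no ;;
        *)                  echo unknown ;;
    esac
}

# "yes" if the nat table can be used in this mode.
nat_allowed() {
    case "$1" in
        full)                        echo yes ;;
        disabled|stateless|stateful) echo no ;;
        *)                           echo unknown ;;
    esac
}

# Constructed sample ve.conf files in a temp dir (not real containers).
tmp=$(mktemp -d)
printf 'NETFILTER="stateful"\nHOSTNAME="ct-a"\n' > "$tmp/ct-a.conf"
printf 'HOSTNAME="ct-b"\n' > "$tmp/ct-b.conf"

for f in "$tmp"/*.conf; do
    m=$(netfilter_mode "$f")
    printf '%s: netfilter=%s conntrack=%s nat=%s\n' \
        "$(basename "$f" .conf)" "$m" "$(conntrack_allowed "$m")" "$(nat_allowed "$m")"
done
```

On a real host, point netfilter_mode at /vz/private/<CT-UUID>/ve.conf for each container; a "no" under conntrack explains the "No chain/target/match by that name" error firewalld reports.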
