[Users] firewall capability in openVZ/virtuozzo 7

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Tue Oct 11 04:53:41 PDT 2016


ok that worked :
#  cat /etc/modprobe.d/vz.conf
options vzevent reboot_event=1
options nf_conntrack ip_conntrack_disable_ve0=0

# systemctl start firewalld.service
doesn't break my ssh session anymore

after setting ip_conntrack_disable_ve0=0 I restarted the full system, perhaps there was a way to reload vz
services without full restart ?

thanks .
On 11/10/2016 12:32, Vasily Averin wrote:
> By default we disable conntracks on host
>
> # cat /etc/modprobe.d/vz.conf
> options nf_conntrack ip_conntrack_disable_ve0=1
>
> It protects the host in a "conntrack overflow" situation:
> when all conntracks on the host are in use, the host admin is unable to connect to the host via ssh.
>
> Please feel free to enable it, it is quite safe for many cases.
>
> Thank you,
> 	Vasily Averin
>
> On 11.10.2016 13:22, Jehan Procaccia wrote:
>> ok, that works fine with that:
>>
>> # prlctl set MyCT11 --netfilter stateful
>> Set netfilter: stateful
>> The CT has been successfully configured.
>>
>> and it is saved
>>
>> # grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
>> NETFILTER="stateful"
>>
>> inside the CT now I can issue firewall-cmd
>>
>> CT-1d268e70 /# firewall-cmd --get-active-zones
>> public
>>    interfaces: eth0
>>
>> Great !
>>
>> Now, I realized that on the host machine, if I start firewalld I am locked out of my ssh session :-(
>> although ssh service is open on all interfaces !
>>
>> # firewall-cmd --zone=public --list-all
>> public (default, active)
>>    interfaces: br0 br1 br10 br11  em1 em2 p2p2 p2p2.11
>>    sources:
>>    services: dhcpv6-client ssh
>>    ports:
>>    masquerade: no
>>    forward-ports:
>>    icmp-blocks:
>>    rich rules:
>>
>> Did I miss something again ?
>>
>> regards .
>>
>> On 11/10/2016 11:04, Vasily Averin wrote:
>>> Dear Jehan,
>>>
>>> An OpenVZ container does not require enabling additional capabilities;
>>> the default settings allow using iptables inside the container.
>>>
>>> However, by default netfilter is restricted;
>>> most likely you need to change it using "prlctl set --netfilter"
>>>
>>>          --netfilter <disabled|stateless|stateful|full>
>>>              Restrict access to iptable modules inside the Container. The following modes are available:
>>>              disabled  -- no modules are allowed.
>>>              stateless -- (default) all modules except NAT and conntracks are allowed.
>>>              stateful  -- all modules except NAT are allowed.
>>>              full      -- all modules are allowed.
>>>
>>>
>>> btw. prlctl works as "vzctl --save" in any case, it saves the setting in the configs.
>>>
>>> Thank you,
>>>      Vasily Averin
>>>
>>> On 10.10.2016 22:42, Jehan Procaccia wrote:
>>>> hello
>>>>
>>>> by default firewalld doesn't work in a freshly installed container (centos7-x64)
>>>>
>>>> the docs say:
>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>>>> I guess I need to enable net_admin
>>>> net_admin     Allows the administration of IP firewalls and accounting.     off
>>>> as it is by default set to off
>>>>
>>>> but the command is deprecated
>>>> # vzctl set MyCT11 --capability net_admin --save
>>>> Warning: The --capability option is deprecated
>>>>
>>>> So I used prlctl (not proposed in the doc above !?)
>>>>
>>>> # prlctl set MyCT11 --capability net_admin:on
>>>> Set capabilities: NET_ADMIN:on
>>>> The CT has been successfully configured.
>>>>
>>>> but still in the CT
>>>> /# firewall-cmd --get-active-zones
>>>> nothing
>>>> /# firewall-cmd --reload
>>>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>>>> as if the NET_ADMIN capability is not saved permanently in the CT definition
>>>>
>>>> what is the equivalent of vzctl --save with prlctl ?
>>>> or did I mess up somewhere else ?
>>>>
>>>> Regards .
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openvz.org
>>>> https://lists.openvz.org/mailman/listinfo/users
>>>>

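Not part of the thread: an added pre-flight check, written as plain POSIX shell, that reads the two settings the thread ends up changing (ip_conntrack_disable_ve0 in /etc/modprobe.d/vz.conf for the host, NETFILTER in the container's ve.conf) and reports whether conntrack-based rules such as firewalld's "-m conntrack --ctstate RELATED,ESTABLISHED" can load there, so this can be checked before starting firewalld rather than by losing the ssh session. The function names and the sample files are constructed for this example; it assumes the file formats are exactly as shown in the thread.

```shell
#!/bin/sh
# Pre-flight check before starting firewalld on a Virtuozzo/OpenVZ 7 host or
# inside a container. firewalld's default rules use "-m conntrack --ctstate",
# so they only load where conntrack is available: on the host this depends on
# ip_conntrack_disable_ve0 in /etc/modprobe.d/vz.conf, in a container on the
# NETFILTER mode in its ve.conf (stateful or full).

# Print "enabled" or "disabled" for host (ve0) conntrack, read from a modprobe
# config. Assumption: if the parameter appears more than once, the last value
# is the effective one; an absent parameter means conntrack stays enabled.
vz_conntrack_ve0() {
    awk '$1 == "options" && $2 == "nf_conntrack" {
             for (i = 3; i <= NF; i++) {
                 split($i, kv, "=")
                 if (kv[1] == "ip_conntrack_disable_ve0") last = kv[2]
             }
         }
         END { if (last == "1") print "disabled"; else print "enabled" }' \
        "${1:-/etc/modprobe.d/vz.conf}"
}

# Print the NETFILTER mode from a container's ve.conf; "stateless" is the
# default when the key is absent (see prlctl's --netfilter description).
ct_netfilter_mode() {
    mode=$(sed -n 's/^NETFILTER="\{0,1\}\([a-z]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-stateless}"
}

# "yes" when the container mode permits conntrack matches, else "no".
ct_conntrack_ok() {
    case "$(ct_netfilter_mode "$1")" in
        stateful|full) echo yes ;;
        *)             echo no ;;
    esac
}

# Constructed sample files for an offline run (not copied from a real host).
demo_dir=$(mktemp -d)
printf 'options vzevent reboot_event=1\noptions nf_conntrack ip_conntrack_disable_ve0=1\n' \
    > "$demo_dir/vz.conf"
printf 'VE_ROOT="/vz/root/$VEID"\nNETFILTER="stateful"\n' > "$demo_dir/ve.conf"

echo "host conntrack:  $(vz_conntrack_ve0 "$demo_dir/vz.conf")"   # disabled
echo "CT netfilter:    $(ct_netfilter_mode "$demo_dir/ve.conf")"  # stateful
echo "CT firewalld ok: $(ct_conntrack_ok "$demo_dir/ve.conf")"    # yes
rm -rf "$demo_dir"
```

With the default vz.conf shipped on the host (ip_conntrack_disable_ve0=1) the first line reports "disabled", which is the state in which starting firewalld on the host cut the ssh session in the thread.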