[Users] firewall capability in openVZ/virtuozzo 7

Vasily Averin vvs at virtuozzo.com
Tue Oct 11 05:01:31 PDT 2016


You needed to re-load the nf_conntrack module in this case.
You needed to stop all containers, if they use conntracks, then stop the firewall on the host,
then I expect you can unload the nf_conntrack module.

But this case is special, you needed to do it only once.

On 11.10.2016 14:53, Jehan Procaccia wrote:
> ok that worked :
> # cat /etc/modprobe.d/vz.conf
> options vzevent reboot_event=1
> options nf_conntrack ip_conntrack_disable_ve0=0
> 
> # systemctl start firewalld.service
> doesn't break my ssh session anymore
> 
> after setting ip_conntrack_disable_ve0=0
> I restarted the full system, perhaps there was a way to reload vz services without a full restart ?
> 
> thanks .
> 
> On 11/10/2016 12:32, Vasily Averin wrote:
>> By default we disable conntracks on the host
>>
>> # cat /etc/modprobe.d/vz.conf
>> options nf_conntrack ip_conntrack_disable_ve0=1
>>
>> It protects the host in a "conntrack overflow" situation:
>> when all conntracks on the host are in use, the host admin is unable to connect to the host via ssh.
>>
>> Please feel free to enable it, it is quite safe in many cases.
>>
>> Thank you,
>> 	Vasily Averin
>>
>> On 11.10.2016 13:22, Jehan Procaccia wrote:
>>> ok, that works fine with that:
>>>
>>> # prlctl set MyCT11 --netfilter stateful
>>> Set netfilter: stateful
>>> The CT has been successfully configured.
>>>
>>> and it is saved
>>>
>>> # grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
>>> NETFILTER="stateful"
>>>
>>> inside the CT now I can issue firewall-cmd
>>>
>>> CT-1d268e70 /# firewall-cmd --get-active-zones
>>> public
>>>   interfaces: eth0
>>>
>>> Great !
>>>
>>> Now, I realized that on the host machine, if I start firewalld I am locked out of my ssh session :-(
>>> although ssh service is open on all interfaces !
>>>
>>> # firewall-cmd --zone=public --list-all
>>> public (default, active)
>>>   interfaces: br0 br1 br10 br11  em1 em2 p2p2 p2p2.11
>>>   sources:
>>>   services: dhcpv6-client ssh
>>>   ports:
>>>   masquerade: no
>>>   forward-ports:
>>>   icmp-blocks:
>>>   rich rules:
>>>
>>> Did I miss something again ?
>>>
>>> regards .
>>>
>>> On 11/10/2016 11:04, Vasily Averin wrote:
>>>> Dear Jehan,
>>>>
>>>> An OpenVZ container does not require enabling additional capabilities;
>>>> the default settings allow using iptables inside the container.
>>>>
>>>> However, by default netfilter is restricted;
>>>> most likely you need to change it using "prlctl set --netfilter"
>>>>
>>>>         --netfilter <disabled|stateless|stateful|full>
>>>>             Restrict access to iptable modules inside the Container.  The
>>>>             following modes are available:
>>>>             disabled  -- no modules are allowed.
>>>>             stateless  --  (default)  all modules except NAT and conntracks are
>>>>             allowed.
>>>>             stateful  -- all modules except NAT are allowed.
>>>>             full      -- all modules are allowed.
>>>>
>>>>
>>>> btw. prlctl works like "vzctl --save" in all cases, it saves the setting in the configs.
>>>>
>>>> Thank you,
>>>>     Vasily Averin
>>>>
>>>> On 10.10.2016 22:42, Jehan Procaccia wrote:
>>>>> hello
>>>>>
>>>>> by default firewalld doesn't work in a freshly installed container (centos7-x64)
>>>>>
>>>>> the docs say:
>>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>>>>> I guess I need to enable net_admin
>>>>> net_admin     Allows the administration of IP firewalls and accounting.     off
>>>>> as it is by default set to off
>>>>>
>>>>> but the command is deprecated
>>>>> # vzctl set MyCT11 --capability net_admin --save
>>>>> Warning: The --capability option is deprecated
>>>>>
>>>>> So I used prlctl (not proposed in the doc above !?)
>>>>>
>>>>> # prlctl set MyCT11 --capability net_admin:on
>>>>> Set capabilities: NET_ADMIN:on
>>>>> The CT has been successfully configured.
>>>>>
>>>>> but still in the CT
>>>>> /# firewall-cmd --get-active-zones
>>>>> nothing
>>>>> /# firewall-cmd --reload
>>>>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>>>>> as if the NET_ADMIN capability is not saved permanently in the CT definition
>>>>>
>>>>> what is the equivalent of vzctl --save with prlctl ?
>>>>> or did I mess up somewhere else ?
>>>>>
>>>>> Regards .
>>>>>
> 
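An added pre-flight check, not from the thread or from Virtuozzo, that combines the two settings discussed above: the ip_conntrack_disable_ve0 option in /etc/modprobe.d/vz.conf on the host, and the NETFILTER mode in a container's ve.conf. It parses config text passed as strings (the samples below are constructed from the values quoted in the thread) and reports whether firewalld's conntrack-based rules can load on the host and in the container, so it runs without a VZ7 host.

```shell
# Added example (not from the thread): offline pre-flight check for the two settings
# discussed above; config text is passed as strings so it runs without a VZ7 host.

# ip_conntrack_disable_ve0 value from "options nf_conntrack" lines of
# /etc/modprobe.d/vz.conf text (last one wins, as modprobe does), or "unset".
ve0_conntrack_disabled() {
    printf '%s\n' "$1" | awk '
        $1 == "options" && $2 == "nf_conntrack" {
            for (i = 3; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == "ip_conntrack_disable_ve0") v = kv[2]
        }
        END { print (v == "" ? "unset" : v) }'
}

# NETFILTER mode from ve.conf text; "stateless" is the documented default.
ct_netfilter_mode() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "NETFILTER" { gsub(/"/, "", $2); v = $2 }
        END { print (v == "" ? "stateless" : v) }'
}

# 0: host firewalld may use conntrack matches.  1: conntrack is off for ve0, so the
# "-m conntrack --ctstate RELATED,ESTABLISHED" rule cannot load and ssh is cut off.
# 2: option not present in the text; check the running kernel before trusting it.
host_firewall_ready() {
    case "$(ve0_conntrack_disabled "$1")" in
        0) return 0 ;;  1) return 1 ;;  *) return 2 ;;
    esac
}

# 0: container mode allows conntrack modules (stateful or full).
# 1: disabled or stateless, i.e. the "No chain/target/match" failure quoted above.
ct_firewall_ready() {
    case "$(ct_netfilter_mode "$1")" in
        stateful|full) return 0 ;;  *) return 1 ;;
    esac
}

# Constructed sample configs using the values quoted in the thread.
VZ_CONF_DEFAULT='options vzevent reboot_event=1
options nf_conntrack ip_conntrack_disable_ve0=1'
VZ_CONF_FIXED='options vzevent reboot_event=1
options nf_conntrack ip_conntrack_disable_ve0=0'
VE_CONF_STATEFUL='NETFILTER="stateful"'

rc=0; host_firewall_ready "$VZ_CONF_DEFAULT" || rc=$?; echo "host, shipped vz.conf: rc=$rc"
rc=0; host_firewall_ready "$VZ_CONF_FIXED" || rc=$?;   echo "host, ve0 conntrack on: rc=$rc"
rc=0; ct_firewall_ready "$VE_CONF_STATEFUL" || rc=$?;  echo "container, stateful: rc=$rc"
```

On a real host, feed it the actual files with `host_firewall_ready "$(cat /etc/modprobe.d/vz.conf)"` and the container's ve.conf under /vz/private/<UUID>/; a return of 2 means the option is not in the file and the loaded module's value must be checked directly.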

