[Users] firewalld in vz 7 CT doesn't work anymore

Jehan Procaccia Jehan.Procaccia at it-sudparis.eu
Wed May 3 02:28:32 PDT 2017


Yes, that's the only change I can remember (yum update inside a CentOS 
7 CT).

On 03/05/2017 11:05, Konstantin Khorenko wrote:
> Hi Jehan,
>
> please clarify - what exactly did you update?
>
> Did you perform "yum update" inside a CentOS 7 Container?
>
> Thank you.
>
> -- 
> Best regards,
>
> Konstantin Khorenko,
> Virtuozzo Linux Kernel Team
>
> On 05/03/2017 11:23 AM, Jehan Procaccia wrote:
>> Hello
>>
>> since last update (apparently) my CT with firewalld doesn't work anymore
>>
>> CT-db256406 ~# systemctl status firewalld.service
>> ● firewalld.service - firewalld - dynamic firewall daemon
>>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; 
>> enabled; vendor preset: enabled)
>>    Active: active (running) since Wed 2017-05-03 08:16:42 UTC; 7s ago
>>      Docs: man:firewalld(1)
>>  Main PID: 759 (firewalld)
>>    CGroup: /system.slice/firewalld.service
>>            └─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork 
>> --nopid --debug=8
>>
>> May 03 08:16:41 smtpe systemd[1]: Starting firewalld - dynamic 
>> firewall daemon...
>> May 03 08:16:42 smtpe systemd[1]: Started firewalld - dynamic 
>> firewall daemon.
>> May 03 08:16:42 smtpe firewalld[759]: WARNING: 
>> '/usr/sbin/ebtables-restore --noflush' failed:
>> May 03 08:16:42 smtpe firewalld[759]: ERROR: COMMAND_FAILED
>>
>> I did set prlctl set CTname --netfilter stateful on the host; it 
>> worked fine for the last 6 months, but now it fails.
>>
>> # rpm -q firewalld
>> firewalld-0.4.3.2-8.1.el7_3.2.noarch
>> # cat /etc/redhat-release
>> CentOS Linux release 7.3.1611 (Core)
>> # uname -a
>> Linux smtpe 3.10.0 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 
>> x86_64 GNU/Linux
>>
>> these are the last hundred lines of /var/log/firewalld in debug=4 
>> mode
>>
>> # grep debug /etc/sysconfig/firewalld
>> # possible values: --debug
>> FIREWALLD_ARGS='--debug=4'
>>
>> ...
>>
>> 2017-05-03 07:53:22 DEBUG2: <class 
>> 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore 
>> /run/firewalld/temp.aC9x_O: 411
>>        1: *filter
>>        2: -F
>>        3: -X
>>        4: -Z
>>        5: -N INPUT_direct -P RETURN
>>        6: -I INPUT 1 -j INPUT_direct
>>        7: -N OUTPUT_direct -P RETURN
>>        8: -I OUTPUT 1 -j OUTPUT_direct
>>        9: -N FORWARD_direct -P RETURN
>>       10: -I FORWARD 1 -j FORWARD_direct
>>       11: *broute
>>       12: -F
>>       13: -X
>>       14: -Z
>>       15: *nat
>>       16: -F
>>       17: -X
>>       18: -Z
>>       19: -N PREROUTING_direct -P RETURN
>>       20: -I PREROUTING 1 -j PREROUTING_direct
>>       21: -N POSTROUTING_direct -P RETURN
>>       22: -I POSTROUTING 1 -j POSTROUTING_direct
>>       23: -N OUTPUT_direct -P RETURN
>>       24: -I OUTPUT 1 -j OUTPUT_direct
>> 2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' 
>> failed:
>> 2017-05-03 07:53:22 DEBUG2: <class 
>> 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore 
>> /run/firewalld/temp.MDuwzR: 1384
>>        1: *filter
>>        2: -D OUTPUT -j OUTPUT_direct
>>        3: -X OUTPUT_direct
>>        4: -D FORWARD -j REJECT --reject-with icmp-host-prohibited
>>        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
>>        6: -D FORWARD -j FORWARD_OUT_ZONES
>>        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
>>        8: -D FORWARD -j FORWARD_IN_ZONES
>>        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
>>       10: -D FORWARD -j FORWARD_direct
>>       11: -D FORWARD -i lo -j ACCEPT
>>       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j 
>> ACCEPT
>>       13: -X FORWARD_OUT_ZONES
>>       14: -X FORWARD_OUT_ZONES_SOURCE
>>       15: -X FORWARD_IN_ZONES
>>       16: -X FORWARD_IN_ZONES_SOURCE
>>       17: -X FORWARD_direct
>>       18: -D INPUT -j REJECT --reject-with icmp-host-prohibited
>>       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
>>       20: -D INPUT -j INPUT_ZONES
>>       21: -D INPUT -j INPUT_ZONES_SOURCE
>>       22: -D INPUT -j INPUT_direct
>>       23: -D INPUT -i lo -j ACCEPT
>>       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>       25: -X INPUT_ZONES
>>       26: -X INPUT_ZONES_SOURCE
>>       27: -X INPUT_direct
>>       28: -Z
>>       29: -X
>>       30: -F
>>       31: COMMIT
>>       32: *raw
>>       33: -D OUTPUT -j OUTPUT_direct
>>       34: -X OUTPUT_direct
>>       35: -D PREROUTING -j PREROUTING_direct
>>       36: -X PREROUTING_direct
>>       37: -Z
>>       38: -X
>>       39: -F
>>       40: COMMIT
>>       41: *mangle
>>       42: -D FORWARD -j FORWARD_direct
>>       43: -X FORWARD_direct
>>       44: -D OUTPUT -j OUTPUT_direct
>>       45: -X OUTPUT_direct
>>       46: -D INPUT -j INPUT_direct
>>       47: -X INPUT_direct
>>       48: -D POSTROUTING -j POSTROUTING_direct
>>       49: -X POSTROUTING_direct
>>       50: -D PREROUTING -j PREROUTING_ZONES
>>       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
>>       52: -X PREROUTING_ZONES
>>       53: -X PREROUTING_ZONES_SOURCE
>>       54: -D PREROUTING -j PREROUTING_direct
>>       55: -X PREROUTING_direct
>>       56: -Z
>>       57: -X
>>       58: -F
>>       59: COMMIT
>>
>> 2017-05-03 07:53:22 DEBUG2: <class 
>> 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore 
>> /run/firewalld/temp.xFcRvF: 1384
>>        1: *filter
>>        2: -D OUTPUT -j OUTPUT_direct
>>        3: -X OUTPUT_direct
>>        4: -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
>>        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
>>        6: -D FORWARD -j FORWARD_OUT_ZONES
>>        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
>>        8: -D FORWARD -j FORWARD_IN_ZONES
>>        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
>>       10: -D FORWARD -j FORWARD_direct
>>       11: -D FORWARD -i lo -j ACCEPT
>>       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j 
>> ACCEPT
>>       13: -X FORWARD_OUT_ZONES
>>       14: -X FORWARD_OUT_ZONES_SOURCE
>>       15: -X FORWARD_IN_ZONES
>>       16: -X FORWARD_IN_ZONES_SOURCE
>>       17: -X FORWARD_direct
>>       18: -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
>>       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
>>       20: -D INPUT -j INPUT_ZONES
>>       21: -D INPUT -j INPUT_ZONES_SOURCE
>>       22: -D INPUT -j INPUT_direct
>>       23: -D INPUT -i lo -j ACCEPT
>>       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>       25: -X INPUT_ZONES
>>       26: -X INPUT_ZONES_SOURCE
>>       27: -X INPUT_direct
>>       28: -Z
>>       29: -X
>>       30: -F
>>       31: COMMIT
>>       32: *raw
>>       33: -D OUTPUT -j OUTPUT_direct
>>       34: -X OUTPUT_direct
>>       35: -D PREROUTING -j PREROUTING_direct
>>       36: -X PREROUTING_direct
>>       37: -Z
>>       38: -X
>>       39: -F
>>       40: COMMIT
>>       41: *mangle
>>       42: -D FORWARD -j FORWARD_direct
>>       43: -X FORWARD_direct
>>       44: -D OUTPUT -j OUTPUT_direct
>>       45: -X OUTPUT_direct
>>       46: -D INPUT -j INPUT_direct
>>       47: -X INPUT_direct
>>       48: -D POSTROUTING -j POSTROUTING_direct
>>       49: -X POSTROUTING_direct
>>       50: -D PREROUTING -j PREROUTING_ZONES
>>       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
>>       52: -X PREROUTING_ZONES
>>       53: -X PREROUTING_ZONES_SOURCE
>>       54: -D PREROUTING -j PREROUTING_direct
>>       55: -X PREROUTING_direct
>>       56: -Z
>>       57: -X
>>       58: -F
>>       59: COMMIT
>> 2017-05-03 07:53:22 ERROR: COMMAND_FAILED
>> 2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
>> ....
>>
>> any help greatly appreciated!
>>
>> Thanks
>>
>> PS: perhaps related : https://bugs.centos.org/view.php?id=12450 ?
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openvz.org
>> https://lists.openvz.org/mailman/listinfo/users
>>
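A small shell helper, added here as an example and not taken from the thread, from firewalld or from Virtuozzo: it pulls the backend commands firewalld reported as failed out of /var/log/firewalld (the same regex also works on `journalctl -u firewalld` output, since the WARNING text is identical), counts the `ERROR: COMMAND_FAILED` lines, and re-runs the `ebtables-restore --noflush` step with a minimal `*filter` table built from the chains shown in the debug log, so the backend's own error message, which the firewalld WARNING line leaves empty, becomes visible. The embedded sample log lines are constructed from the ones quoted above; the probe function needs root inside the CT and is not exercised by the sample.

```shell
#!/bin/sh
# Diagnostic helper for "firewalld WARNING: ... failed / ERROR: COMMAND_FAILED".
# Example code, not part of the mailing-list thread or of firewalld itself.

# Print each backend command that firewalld logged as failed, one per line,
# deduplicated. Argument: path to /var/log/firewalld or a journalctl dump.
failed_restore_cmds() {
    sed -n "s/.*WARNING: '\([^']*\)' failed:.*/\1/p" "$1" | sort -u
}

# Count how many times firewalld gave up with ERROR: COMMAND_FAILED.
command_failed_count() {
    grep -c 'ERROR: COMMAND_FAILED' "$1"
}

# Re-run the ebtables restore that firewalld performs at startup, using a
# minimal *filter table with the same direct chains as in the thread's log,
# and show ebtables-restore's own exit status and stderr. Run as root in the CT.
# Return codes: 0 restore worked, 3 binary missing, otherwise the tool's status.
probe_ebtables_restore() {
    if ! command -v ebtables-restore >/dev/null 2>&1; then
        echo "ebtables-restore not installed in this container"
        return 3
    fi
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
*filter
-F
-X
-Z
-N INPUT_direct -P RETURN
-I INPUT 1 -j INPUT_direct
EOF
    if ebtables-restore --noflush < "$tmp" 2> "$tmp.err"; then
        rc=0
        echo "ebtables-restore --noflush: OK"
    else
        rc=$?
        echo "ebtables-restore --noflush failed (exit $rc): $(cat "$tmp.err")"
    fi
    rm -f "$tmp" "$tmp.err"
    return $rc
}

# Constructed sample: the relevant lines of the firewalld debug log quoted in
# the thread, trimmed to one line each. Writes them to stdout.
sample_firewalld_log() {
    cat <<'EOF'
2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
2017-05-03 07:53:22 ERROR: COMMAND_FAILED
2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
EOF
}

# Usage on a live CT:  ./firewalld-triage.sh /var/log/firewalld
if [ "$#" -eq 1 ]; then
    echo "Failed backend commands:"; failed_restore_cmds "$1"
    echo "COMMAND_FAILED count: $(command_failed_count "$1")"
    probe_ebtables_restore
fi
```

Once the probe shows whether ebtables-restore is missing, is denied by the kernel, or succeeds, the firewalld failure can be attributed to the container's netfilter support rather than to firewalld's rule set.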
