Re: [Users] centos 7

2020-04-01 Thread jjs - mainphrame
It used to work, that's how I set up my openvz server at first. That was
the standard method: install centos, then install openvz.

But now, they have created a specialized distro called vzlinux. It's based
on centos 7, and looks and feels just like centos 7, but has the container
and virtualization hosting built in.

You have to install openvz linux now, if you want a new openvz server.

https://openvz.org/

Jake



On Wed, Apr 1, 2020 at 11:26 AM mattias  wrote:

> is this guide really working?
>
>
> https://devopspoints.com/centos-7-setting-up-openvz-virtualization-on-centos-7.html
>
> little too much deps problem with yum
___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users


Re: [Users] CentOS 7 image, ModSecurity and Fail2Ban?

2016-06-03 Thread Jeffrey Walton
> In brief:
> * OpenVZ 6 (2.6.32-x kernels) does not allow to use ipset inside Containers
> (it's just not virtualized)
> * OpenVZ 7 (3.10.0-x kernels) does have ipset virtualized => it works inside
> Containers.
>
> If you try fail2ban in OpenVZ 7, please post here the results. :)
>
> Hope that helps.

Thanks Konstantin and Scott. I appreciate the responses, especially
when the questions are open-ended, non-specific, and mostly crummy.

Are there any recommendations for fail2ban-like functionality in the
down-level kernel? Perhaps another package I am not aware of?

Jeff


Re: [Users] CentOS 7 image, ModSecurity and Fail2Ban?

2016-06-03 Thread Scott Dowdle
Greetings,

- Original Message -
> Are there any recommendations for fail2ban-like functionality in the
> down-level kernel? Perhaps another package I am not aware of?

Well, I'm ignorant about parsing web logs and taking action so your particular 
question / use case I'm not familiar with.  For brute force ssh attacks, 
denyhosts (that only works with rsyslog logs so far as I know) works for EL6 
hosts just fine by putting/removing lines in /etc/hosts.deny... so it works 
completely without iptables much less ipset.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
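
An added example, not part of the original post and not denyhosts' own code: the same idea of turning repeated sshd failures into /etc/hosts.deny lines, which needs neither iptables nor ipset. The log format, threshold, window and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in rsyslog /var/log/secure format; addresses come from
# the documentation ranges. The third line has a username that itself
# contains "from 198.51.100.9", since a client may send any username string.
SAMPLE_LOG = """\
Jun  3 20:40:01 ct101 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun  3 20:40:04 ct101 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun  3 20:40:09 ct101 sshd[2107]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.7 port 40120 ssh2
Jun  3 20:41:30 ct101 sshd[2110]: Accepted password for jeff from 192.0.2.10 port 51000 ssh2
Jun  3 20:42:00 ct101 sshd[2115]: Failed password for jeff from 192.0.2.10 port 51002 ssh2
Jun  3 20:50:00 ct101 sshd[2120]: Failed password for admin from 198.51.100.23 port 33000 ssh2
Jun  3 21:30:00 ct101 sshd[2130]: Failed password for admin from 198.51.100.23 port 33010 ssh2
Jun  3 21:59:00 ct101 sshd[2140]: Failed password for admin from 198.51.100.23 port 33020 ssh2
"""

# Anchored at both ends: the address is read from the fixed tail that sshd
# writes, so text inside the username cannot pose as the source. IPv4 only.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def offenders(log_text, year, threshold=3, window=timedelta(minutes=10), allow=()):
    """Return IPs with `threshold` failures inside `window`, in ban order.

    Syslog timestamps carry no year, so the caller supplies it. Lines are
    assumed to be in chronological order, as they are within one log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in allow:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(when)
        while when - hits[0] > window:    # drop failures older than the window
            hits.popleft()
        if len(hits) >= threshold and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned


def hosts_deny_lines(ips, daemon="sshd"):
    """Format offenders as TCP wrappers rules for /etc/hosts.deny."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG, year=2016))))
```

The `allow` argument keeps an administrator's own address out of the deny list, and the slow attempts from 198.51.100.23 stay below the threshold because they fall outside the ten-minute window.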


Re: [Users] CentOS 7 image, ModSecurity and Fail2Ban?

2016-06-03 Thread Narcis Garcia
I use some fail2ban for brute force ssh attacks in OpenVZ/6 with no
problem, but running only one instance on HardwareNode and parsing
containers' logs.


On 03/06/16 at 20:46, Jeffrey Walton wrote:
>> In brief:
>> * OpenVZ 6 (2.6.32-x kernels) does not allow to use ipset inside Containers
>> (it's just not virtualized)
>> * OpenVZ 7 (3.10.0-x kernels) does have ipset virtualized => it works inside
>> Containers.
>>
>> If you try fail2ban in OpenVZ 7, please post here the results. :)
>>
>> Hope that helps.
> 
> Thanks Konstantin and Scott. I appreciate the responses, especially
> when the questions are open-ended, non-specific, and mostly crummy.
> 
> Are there any recommendations for fail2ban-like functionality in the
> down-level kernel? Perhaps another package I am not aware of?
> 
> Jeff


Re: [Users] CentOS 7 image, ModSecurity and Fail2Ban?

2016-06-03 Thread Konstantin Khorenko

Hi Jeff, Scott,

we did not check if fail2ban works, but if fail2ban uses ipset, following info 
can be useful for you:
https://bugs.openvz.org/browse/OVZ-5736

In brief:
* OpenVZ 6 (2.6.32-x kernels) does not allow to use ipset inside Containers 
(it's just not virtualized)
* OpenVZ 7 (3.10.0-x kernels) does have ipset virtualized => it works inside 
Containers.

If you try fail2ban in OpenVZ 7, please post here the results. :)

Hope that helps.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 06/02/2016 03:19 AM, Scott Dowdle wrote:

> Greetings,
>
> - Original Message -
>
>> Has anyone experienced any problems with OpenVZ, CentOS 7 and
>> fail2ban?
>
> I haven't done a lot with firewalls inside of containers... although I have started using
> firewalld lately on a few EL7 containers and it seems to work just fine even with live
> migration... making sure to "vzctl set {ctid} --netfilter {stateful | full}".
> You have to ensure that any OpenVZ needed hostnode / container settings are configured
> properly.
>
> As you probably know fail2ban uses ipset... and I'm not sure ipset works in a
> container.  The only thing I've used fail2ban for is sshd brute force
> protection... and in most of my containers I either turn sshd off (and access
> it via the host node with vzctl enter) or I run sshd on a port other than 22
> (eliminating most ssh brute force attacks)... so I haven't had the need to run
> fail2ban in a container.
>
> If ipset works with the netfilter set correctly (I haven't verified)... you also have to
> make sure to configure fail2ban (from EPEL) so it looks at the appropriate logs.  Are you
> using rsyslog?  Are you using journald in persistent storage mode without rsyslog?  And
> then there are also a handful of services (like apache / httpd) that do their own logging
> and use neither journald nor rsyslog.  The default fail2ban backend of "auto"
> has not always worked for me... even on physical hosts.
>
> Anyway, there are lots of moving pieces and I haven't given you a complete
> answer, but there are some of the pieces.
>
> TYL,




Re: [Users] CentOS 7 image, ModSecurity and Fail2Ban?

2016-06-01 Thread Scott Dowdle
Greetings,

- Original Message -
> Has anyone experienced any problems with OpenVZ, CentOS 7 and
> fail2ban?

I haven't done a lot with firewalls inside of containers... although I have 
started using firewalld lately on a few EL7 containers and it seems to work 
just fine even with live migration... making sure to "vzctl set {ctid} 
--netfilter {stateful | full}".  You have to ensure that any OpenVZ needed 
hostnode / container settings are configured properly.

As you probably know fail2ban uses ipset... and I'm not sure ipset works in a 
container.  The only thing I've used fail2ban for is sshd brute force 
protection... and in most of my containers I either turn sshd off (and access 
it via the host node with vzctl enter) or I run sshd on a port other than 22 
(eliminating most ssh brute force attacks)... so I haven't had the need to run 
fail2ban in a container.

If ipset works with the netfilter set correctly (I haven't verified)... you 
also have to make sure to configure fail2ban (from EPEL) so it looks at the 
appropriate logs.  Are you using rsyslog?  Are you using journald in persistent 
storage mode without rsyslog?  And then there are also a handful of services 
(like apache / httpd) that do their own logging and use neither journald nor 
rsyslog.  The default fail2ban backend of "auto" has not always worked for 
me... even on physical hosts.

Anyway, there are lots of moving pieces and I haven't given you a complete 
answer, but there are some of the pieces.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]


Re: [Users] centos-7-x86_64-minimal.tar.gz template - production ready ?

2014-09-16 Thread Scott Dowdle
Greetings,

- Original Message -
> Is template centos-7-x86_64-minimal.tar.gz production ready or not?
>
> Are there known bugs or incompatibilities,
> compared to the variant of the centos-6-x86_64-minimal.tar.gz template?
>
> For example, incompatibilities between new software from this template
> and old Linux kernel, used on hardware node and present in container?

I'm aware of a bug with regards to how the hostname is stored (it's in 
/etc/sysconfig/network rather than /etc/hostname) and the non-functionality of 
hostnamectl: 

https://bugzilla.openvz.org/show_bug.cgi?id=3051

... but other than that it is functional to the best of my knowledge.

So far as whether older kernels are compatible with new OS Templates... again, 
they should be... but you didn't say what specific kernel you were using.  I'm 
not running any systems with the OpenVZ EL5-based kernel so I can't speak to 
that... but they have been keeping that updated with a release that came out 
today.

You can run the EL6-based OpenVZ kernel on EL5-based hosts I believe... but 
really, why not do a fresh install on the host of the latest-greatest?

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]


Re: [Users] centos-7-x86_64-minimal.tar.gz template - production ready ?

2014-09-16 Thread Gena Makhomed

On 16.09.2014 19:35, Scott Dowdle wrote:


>> Is template centos-7-x86_64-minimal.tar.gz production ready or not?
>>
>> Are there known bugs or incompatibilities,
>> compared to the variant of the centos-6-x86_64-minimal.tar.gz template?
>>
>> For example, incompatibilities between new software from this template
>> and old Linux kernel, used on hardware node and present in container?
>
> I'm aware of a bug with regards to how the hostname is stored (it's in
> /etc/sysconfig/network rather than /etc/hostname) and the non-functionality of
> hostnamectl:
> https://bugzilla.openvz.org/show_bug.cgi?id=3051
> ... but other than that it is functional to the best of my knowledge.

Ok, thanks!

> So far as whether older kernels are compatible with new OS Templates... again,
> they should be... but you didn't say what specific kernel you were using.  I'm
> not running any systems with the OpenVZ EL5-based kernel so I can't speak to
> that... but they have been keeping that updated with a release that came out
> today.

Hardware Node: CentOS 6 with latest OpenVZ kernel
based on Kernel branch RHEL6, 042stab093.4 and so on.

> You can run the EL6-based OpenVZ kernel on EL5-based hosts I believe... but
> really, why not do a fresh install on the host of the latest-greatest?

Latest version of OpenVZ based on Kernel branch RHEL7 is not available yet.
So, on hardware node I must use CentOS6 and OpenVZ kernel based on RHEL6.

--
Best regards,
 Gena


Re: [Users] Centos 7

2014-09-11 Thread Scott Dowdle
Greetings,

- Original Message -
> https://openvz.org/Quick_installation
>
> Any install guides for Centos 7 yet?

Nope.  There isn't an EL7-based OpenVZ kernel (yet)... and the EL6-based one 
will not work (so far as I know) on EL7.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]


Re: [Users] Centos 7

2014-09-11 Thread Devon B.
It will probably be a few months before they have anything available for 
the RHEL7 kernel (3.10) and even longer for it to become stable.   Ploop 
also doesn't support XFS so time will tell if that will change or you'll 
have to continue with ext4.


On 9/11/2014 11:32 AM, Matt wrote:

> https://openvz.org/Quick_installation
>
> Any install guides for Centos 7 yet?


Re: [Users] Centos 7

2014-09-11 Thread Matt
> It will probably be a few months before they have anything available for the
> RHEL7 kernel (3.10) and even longer for it to become stable.   Ploop also
> doesn't support XFS so time will tell if that will change or you'll have to
> continue with ext4.

Need to update a server with a crashed hard drive so thought if I
could I would roll out Centos 7, guessing not.  Does XFS gain much
over EXT4 anyway though?

>> https://openvz.org/Quick_installation
>>
>> Any install guides for Centos 7 yet?


Re: [Users] CentOS 7 OS Template now in contrib

2014-07-09 Thread LightDot
Scott, thanks for your contributions. Your work is greatly appreciated! Did
you consider putting the build scripts into a github repository? Hopefully,
others could contribute to them or re-use them with more ease.

On another matter, I'm reluctant to use contributed templates I don't know
the source of, at least not in production. Ideally, each contributed
template really should have a link to a post or a wiki page, describing it
in more detail.

Best regards



On Tue, Jul 8, 2014 at 5:00 PM, Scott Dowdle dow...@montanalinux.org
wrote:

> Greetings,
>
> - Original Message Benjamin Henrion bhenrion at ffii.org -
>> I think at some point Openvz.org should provide trusted builds like
>> docker is doing.
>
> Ok, I'll bite.  What is a Docker Trusted Build?  Whatever those are, I'm
> sure the OpenVZ official OS Templates are the equivalent.
>
> In several of the OS Templates I contribute (Fedora 20, CentOS 6 and 7, SL 6
> [7 ASAP], Oracle EL 6 [7 ASAP]), the build scripts are included within the
> OS Template (/root/create-*.sh) so the user can build their own from
> scratch if desired.
>
>> At least we could get good docs on how those images are built.
>
> There are fairly good docs sprinkled throughout the wiki but it varies
> from distro to distro.
>
> I'd guess that the vast majority of OS Templates come from various chroot
> build environment programs that many distros have now.  Provide those
> programs with a list of packages and they download them from the distro's
> official repositories, extract them into an install root directory, and then
> when done, make some minor changes for containerization (fix up
> /etc/fstab, eliminate unneeded gettys, etc).  It probably works best when
> you are building distro X from within distro X.
>
> For the contributed OS Templates, there is supposed to be a corresponding
> forum post with build details but very few people seem to follow that
> including myself.  I need to get better at that.
>
> TYL,
> --
> Scott Dowdle
> 704 Church Street
> Belgrade, MT 59714
> (406)388-0827 [home]
> (406)994-3931 [work]


Re: [Users] CentOS 7 OS Template now in contrib

2014-07-09 Thread Scott Dowdle
Greetings,

- Original Message Mark Johanson -
> I downloaded and looked in the template, but did not see your build
> script. Was curious what it entailed as we are looking into making
> some new more app specialized templates for our environment. With 7
> just being released, I figured I would start working on those.
> However, with my knowledge of actual template building new I was
> interested in seeing how someone else was doing them.
>
> Would it be possible to get the build script to look at?
>
> Thanks,
>
> root@solusvm root #pwd
> /vz/template/cache/temp/root
> root@solusvm root #ls -al
> total 28
> dr-xr-x---  2 root root 4096 Jul  8 11:18 .
> dr-xr-xr-x 18 root root 4096 Jul  8 11:17 ..
> -rw-r--r--  1 root root   18 Dec 28  2013 .bash_logout
> -rw-r--r--  1 root root  176 Dec 28  2013 .bash_profile
> -rw-r--r--  1 root root  176 Dec 28  2013 .bashrc
> -rw-r--r--  1 root root  100 Dec 28  2013 .cshrc
> -rw-r--r--  1 root root  129 Dec 28  2013 .tcshrc

Perhaps whatever is extracting it for you is removing the scripts... because I 
just downloaded the .tar.xz files from the OpenVZ contrib directory and 
looked... and there are two scripts there:

# ls -lh /root/*.sh
-rwxr-xr-x 1 root root 3.5K Jul  7 10:35 /root/create-centos7-ostemplate.sh
-rwxr-xr-x 1 root root 1013 Jul  7 10:35 /root/create-centos7minimal-ostemplate.sh

I've attached the two scripts as email program wordwrapping would have made 
them very messy.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]

create-centos7-ostemplate.sh
Description: application/shellscript


create-centos7minimal-ostemplate.sh
Description: application/shellscript


Re: [Users] CentOS 7 OS Template now in contrib

2014-07-09 Thread Scott Dowdle
Greetings,

- Original Message from LightDot -
> Did you consider putting the build scripts into a
> github repository? Hopefully, others could contribute to them or
> re-use them with more ease.

I am not a git user... so no.  And I'm not much of a programmer nor shell 
scripter... so they are very basic without any error checking nor fancy stuff.  
In a previous email to the list, I attached the scripts and I don't want to 
send them multiple times.  Hopefully the list allows small attachments?!?

> On another matter, I'm reluctant to use contributed templates I don't
> know the source of, at least not in production. Ideally, each
> contributed template really should have a link to a post or a wiki
> page, describing it in more detail.

The good thing about the scripts is that you can run them within a container 
assuming you have the free disk space... and they should work fine... so build 
your own.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]


Re: [Users] CentOS 7 OS Template now in contrib

2014-07-08 Thread Benjamin Henrion
On Mon, Jul 7, 2014 at 10:22 PM, Scott Dowdle dow...@montanalinux.org wrote:
> Greetings,
>
> CentOS sent out an announcement about the release of CentOS 7:
> http://lists.centos.org/pipermail/centos-announce/2014-July/020393.html
>
> I built a regular and a minimal OS Template and have uploaded it to contrib.
> Inside of /root are the scripts to create the OS Template from scratch.  It
> assumes it is being built from a CentOS 7 host/container that has the CentOS
> repos configured correctly.

I think at some point Openvz.org should provide trusted builds like
docker is doing.

At least we could get good docs on how those images are built.

--
Benjamin Henrion bhenrion at ffii.org
FFII Brussels - +32-484-566109 - +32-2-4148403
In July 2005, after several failed attempts to legalise software
patents in Europe, the patent establishment changed its strategy.
Instead of explicitly seeking to sanction the patentability of
software, they are now seeking to create a central European patent
court, which would establish and enforce patentability rules in their
favor, without any possibility of correction by competing courts or
democratically elected legislators.



Re: [Users] CentOS 7 OS Template now in contrib

2014-07-08 Thread Scott Dowdle
Greetings,

- Original Message Benjamin Henrion bhenrion at ffii.org -
> I think at some point Openvz.org should provide trusted builds like
> docker is doing.

Ok, I'll bite.  What is a Docker Trusted Build?  Whatever those are, I'm sure 
the OpenVZ official OS Templates are the equivalent.

In several of the OS Templates I contribute (Fedora 20, CentOS 6 and 7, SL 6 [7 
ASAP], Oracle EL 6 [7 ASAP]), the build scripts are included within the OS 
Template (/root/create-*.sh) so the user can build their own from scratch if 
desired.

> At least we could get good docs on how those images are built.

There are fairly good docs sprinkled throughout the wiki but it varies from 
distro to distro.

I'd guess that the vast majority of OS Templates come from various chroot build 
environment programs that many distros have now.  Provide those programs with a 
list of packages and they download them from the distro's official 
repositories, extract them into an install root directory, and then when done, 
make some minor changes for containerization (fix up /etc/fstab, eliminate 
unneeded gettys, etc).  It probably works best when you are building distro X 
from within distro X.

For the contributed OS Templates, there is supposed to be a corresponding forum 
post with build details but very few people seem to follow that including 
myself.  I need to get better at that.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]