Re: [Users] firewall capability in openVZ/virtuozzo 7
By default we disable conntracks on the host:

# cat /etc/modprobe.d/vz.conf
options nf_conntrack ip_conntrack_disable_ve0=1

It protects the host in a "conntrack overflow" situation:
when all conntracks on the host are in use, the host admin is unable to connect to the host via ssh.

Please feel free to enable it, it is quite safe for many cases.

Thank you,
Vasily Averin

On 11.10.2016 13:22, Jehan Procaccia wrote:
> ok, that works fine with that:
>
> # prlctl set MyCT11 --netfilter stateful
> Set netfilter: stateful
> The CT has been successfully configured.
>
> and it is saved
>
> # grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
> NETFILTER="stateful"
>
> inside the CT now I can issue firewall-cmd
>
> CT-1d268e70 /# firewall-cmd --get-active-zones
> public
>   interfaces: eth0
>
> Great !
>
> Now, I realized that on the host machine, if I start firewalld I am locked out of my ssh session :-(
> although the ssh service is open on all interfaces !
>
> # firewall-cmd --zone=public --list-all
> public (default, active)
>   interfaces: br0 br1 br10 br11 em1 em2 p2p2 p2p2.11
>   sources:
>   services: dhcpv6-client ssh
>   ports:
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> Did I miss something again ?
>
> regards .
>
> On 11/10/2016 11:04, Vasily Averin wrote:
>> Dear Jehan,
>>
>> OpenVZ container does not require enabling additional capabilities,
>> default settings allow using iptables inside the container.
>>
>> However by default netfilter is restricted,
>> most likely you need to change it by using "prlctl set --netfilter"
>>
>> --netfilter
>>     Restrict access to iptable modules inside the Container. The following modes are available:
>>     disabled -- no modules are allowed.
>>     stateless -- (default) all modules except NAT and conntracks are allowed.
>>     stateful -- all modules except NAT are allowed.
>>     full -- all modules are allowed.
>>
>> btw. prlctl works as "vzctl --save" in any case, it saves the setting in configs.
>>
>> Thank you,
>> Vasily Averin
>>
>> On 10.10.2016 22:42, Jehan Procaccia wrote:
>>> hello
>>>
>>> by default firewalld doesn't work on a fresh install container (centos7-x64)
>>>
>>> docs say:
>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>>> I guess I need to enable net_admin
>>>     net_admin    Allows the administration of IP firewalls and accounting.    off
>>> as it is by default set to off
>>>
>>> but the command is deprecated
>>> # vzctl set MyCT11 --capability net_admin --save
>>> Warning: The --capability option is deprecated
>>>
>>> So I used prlctl (not proposed in the doc above !?)
>>>
>>> # prlctl set MyCT11 --capability net_admin:on
>>> Set capabilities: NET_ADMIN:on
>>> The CT has been successfully configured.
>>>
>>> but still in the CT
>>> /# firewall-cmd --get-active-zones
>>> nothing
>>> /# firewall-cmd --reload
>>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>>> as if the NET_ADMIN capability is not saved permanently in the CT definition
>>>
>>> what is the equivalent of vzctl --save with prlctl ?
>>> or did I mess up somewhere else ?
>>>
>>> Regards .

___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
Re: [Users] firewall capability in openVZ/virtuozzo 7
You would have needed to re-load the nf_conntrack module in this case.
You would have needed to stop all containers, if they use conntracks, then stop the firewall on the host, then I expect you can unload the nf_conntrack module.
But this case is special, you needed to do it only once.

On 11.10.2016 14:53, Jehan Procaccia wrote:
> ok that worked :
> # cat /etc/modprobe.d/vz.conf
> options vzevent reboot_event=1
> options nf_conntrack ip_conntrack_disable_ve0=0
>
> # systemctl start firewalld.service
> doesn't break my ssh session anymore
>
> after setting ip_conntrack_disable_ve0=0 I restarted the full system, perhaps there was a way to reload vz services without a full restart ?
>
> thanks .
>
> On 11/10/2016 12:32, Vasily Averin wrote:
>> By default we disable conntracks on the host:
>>
>> # cat /etc/modprobe.d/vz.conf
>> options nf_conntrack ip_conntrack_disable_ve0=1
>>
>> It protects the host in a "conntrack overflow" situation:
>> when all conntracks on the host are in use, the host admin is unable to connect to the host via ssh.
>>
>> Please feel free to enable it, it is quite safe for many cases.
>>
>> Thank you,
>> Vasily Averin
>>
>> On 11.10.2016 13:22, Jehan Procaccia wrote:
>>> ok, that works fine with that:
>>>
>>> # prlctl set MyCT11 --netfilter stateful
>>> Set netfilter: stateful
>>> The CT has been successfully configured.
>>>
>>> and it is saved
>>>
>>> # grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
>>> NETFILTER="stateful"
>>>
>>> inside the CT now I can issue firewall-cmd
>>>
>>> CT-1d268e70 /# firewall-cmd --get-active-zones
>>> public
>>>   interfaces: eth0
>>>
>>> Great !
>>>
>>> Now, I realized that on the host machine, if I start firewalld I am locked out of my ssh session :-(
>>> although the ssh service is open on all interfaces !
>>>
>>> # firewall-cmd --zone=public --list-all
>>> public (default, active)
>>>   interfaces: br0 br1 br10 br11 em1 em2 p2p2 p2p2.11
>>>   sources:
>>>   services: dhcpv6-client ssh
>>>   ports:
>>>   masquerade: no
>>>   forward-ports:
>>>   icmp-blocks:
>>>   rich rules:
>>>
>>> Did I miss something again ?
>>>
>>> regards .
>>>
>>> On 11/10/2016 11:04, Vasily Averin wrote:
>>>> Dear Jehan,
>>>>
>>>> OpenVZ container does not require enabling additional capabilities,
>>>> default settings allow using iptables inside the container.
>>>>
>>>> However by default netfilter is restricted,
>>>> most likely you need to change it by using "prlctl set --netfilter"
>>>>
>>>> --netfilter
>>>>     Restrict access to iptable modules inside the Container. The following modes are available:
>>>>     disabled -- no modules are allowed.
>>>>     stateless -- (default) all modules except NAT and conntracks are allowed.
>>>>     stateful -- all modules except NAT are allowed.
>>>>     full -- all modules are allowed.
>>>>
>>>> btw. prlctl works as "vzctl --save" in any case, it saves the setting in configs.
>>>>
>>>> Thank you,
>>>> Vasily Averin
>>>>
>>>> On 10.10.2016 22:42, Jehan Procaccia wrote:
>>>>> hello
>>>>>
>>>>> by default firewalld doesn't work on a fresh install container (centos7-x64)
>>>>>
>>>>> docs say:
>>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>>>>> I guess I need to enable net_admin
>>>>>     net_admin    Allows the administration of IP firewalls and accounting.    off
>>>>> as it is by default set to off
>>>>>
>>>>> but the command is deprecated
>>>>> # vzctl set MyCT11 --capability net_admin --save
>>>>> Warning: The --capability option is deprecated
>>>>>
>>>>> So I used prlctl (not proposed in the doc above !?)
>>>>>
>>>>> # prlctl set MyCT11 --capability net_admin:on
>>>>> Set capabilities: NET_ADMIN:on
>>>>> The CT has been successfully configured.
>>>>>
>>>>> but still in the CT
>>>>> /# firewall-cmd --get-active-zones
>>>>> nothing
>>>>> /# firewall-cmd --reload
>>>>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>>>>> as if the NET_ADMIN capability is not saved permanently in the CT definition
>>>>>
>>>>> what is the equivalent of vzctl --save with prlctl ?
>>>>> or did I mess up somewhere else ?
>>>>>
>>>>> Regards .

___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
Re: [Users] firewall capability in openVZ/virtuozzo 7
ok that worked :
# cat /etc/modprobe.d/vz.conf
options vzevent reboot_event=1
options nf_conntrack ip_conntrack_disable_ve0=0

# systemctl start firewalld.service
doesn't break my ssh session anymore

after setting ip_conntrack_disable_ve0=0 I restarted the full system, perhaps there was a way to reload vz services without a full restart ?

thanks .

On 11/10/2016 12:32, Vasily Averin wrote:
> By default we disable conntracks on the host:
>
> # cat /etc/modprobe.d/vz.conf
> options nf_conntrack ip_conntrack_disable_ve0=1
>
> It protects the host in a "conntrack overflow" situation:
> when all conntracks on the host are in use, the host admin is unable to connect to the host via ssh.
>
> Please feel free to enable it, it is quite safe for many cases.
>
> Thank you,
> Vasily Averin
>
> On 11.10.2016 13:22, Jehan Procaccia wrote:
>> ok, that works fine with that:
>>
>> # prlctl set MyCT11 --netfilter stateful
>> Set netfilter: stateful
>> The CT has been successfully configured.
>>
>> and it is saved
>>
>> # grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
>> NETFILTER="stateful"
>>
>> inside the CT now I can issue firewall-cmd
>>
>> CT-1d268e70 /# firewall-cmd --get-active-zones
>> public
>>   interfaces: eth0
>>
>> Great !
>>
>> Now, I realized that on the host machine, if I start firewalld I am locked out of my ssh session :-(
>> although the ssh service is open on all interfaces !
>>
>> # firewall-cmd --zone=public --list-all
>> public (default, active)
>>   interfaces: br0 br1 br10 br11 em1 em2 p2p2 p2p2.11
>>   sources:
>>   services: dhcpv6-client ssh
>>   ports:
>>   masquerade: no
>>   forward-ports:
>>   icmp-blocks:
>>   rich rules:
>>
>> Did I miss something again ?
>>
>> regards .
>>
>> On 11/10/2016 11:04, Vasily Averin wrote:
>>> Dear Jehan,
>>>
>>> OpenVZ container does not require enabling additional capabilities,
>>> default settings allow using iptables inside the container.
>>>
>>> However by default netfilter is restricted,
>>> most likely you need to change it by using "prlctl set --netfilter"
>>>
>>> --netfilter
>>>     Restrict access to iptable modules inside the Container. The following modes are available:
>>>     disabled -- no modules are allowed.
>>>     stateless -- (default) all modules except NAT and conntracks are allowed.
>>>     stateful -- all modules except NAT are allowed.
>>>     full -- all modules are allowed.
>>>
>>> btw. prlctl works as "vzctl --save" in any case, it saves the setting in configs.
>>>
>>> Thank you,
>>> Vasily Averin
>>>
>>> On 10.10.2016 22:42, Jehan Procaccia wrote:
>>>> hello
>>>>
>>>> by default firewalld doesn't work on a fresh install container (centos7-x64)
>>>>
>>>> docs say:
>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>>>> I guess I need to enable net_admin
>>>>     net_admin    Allows the administration of IP firewalls and accounting.    off
>>>> as it is by default set to off
>>>>
>>>> but the command is deprecated
>>>> # vzctl set MyCT11 --capability net_admin --save
>>>> Warning: The --capability option is deprecated
>>>>
>>>> So I used prlctl (not proposed in the doc above !?)
>>>>
>>>> # prlctl set MyCT11 --capability net_admin:on
>>>> Set capabilities: NET_ADMIN:on
>>>> The CT has been successfully configured.
>>>>
>>>> but still in the CT
>>>> /# firewall-cmd --get-active-zones
>>>> nothing
>>>> /# firewall-cmd --reload
>>>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>>>> as if the NET_ADMIN capability is not saved permanently in the CT definition
>>>>
>>>> what is the equivalent of vzctl --save with prlctl ?
>>>> or did I mess up somewhere else ?
>>>>
>>>> Regards .

___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
Re: [Users] firewall capability in openVZ/virtuozzo 7
ok, that works fine with that:

# prlctl set MyCT11 --netfilter stateful
Set netfilter: stateful
The CT has been successfully configured.

and it is saved

# grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
NETFILTER="stateful"

inside the CT now I can issue firewall-cmd

CT-1d268e70 /# firewall-cmd --get-active-zones
public
  interfaces: eth0

Great !

Now, I realized that on the host machine, if I start firewalld I am locked out of my ssh session :-(
although the ssh service is open on all interfaces !

# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: br0 br1 br10 br11 em1 em2 p2p2 p2p2.11
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Did I miss something again ?

regards .

On 11/10/2016 11:04, Vasily Averin wrote:
> Dear Jehan,
>
> OpenVZ container does not require enabling additional capabilities,
> default settings allow using iptables inside the container.
>
> However by default netfilter is restricted,
> most likely you need to change it by using "prlctl set --netfilter"
>
> --netfilter
>     Restrict access to iptable modules inside the Container. The following modes are available:
>     disabled -- no modules are allowed.
>     stateless -- (default) all modules except NAT and conntracks are allowed.
>     stateful -- all modules except NAT are allowed.
>     full -- all modules are allowed.
>
> btw. prlctl works as "vzctl --save" in any case, it saves the setting in configs.
>
> Thank you,
> Vasily Averin
>
> On 10.10.2016 22:42, Jehan Procaccia wrote:
>> hello
>>
>> by default firewalld doesn't work on a fresh install container (centos7-x64)
>>
>> docs say:
>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>> I guess I need to enable net_admin
>>     net_admin    Allows the administration of IP firewalls and accounting.    off
>> as it is by default set to off
>>
>> but the command is deprecated
>> # vzctl set MyCT11 --capability net_admin --save
>> Warning: The --capability option is deprecated
>>
>> So I used prlctl (not proposed in the doc above !?)
>>
>> # prlctl set MyCT11 --capability net_admin:on
>> Set capabilities: NET_ADMIN:on
>> The CT has been successfully configured.
>>
>> but still in the CT
>> /# firewall-cmd --get-active-zones
>> nothing
>> /# firewall-cmd --reload
>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>> as if the NET_ADMIN capability is not saved permanently in the CT definition
>>
>> what is the equivalent of vzctl --save with prlctl ?
>> or did I mess up somewhere else ?
>>
>> Regards .

___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
Re: [Users] firewall capability in openVZ/virtuozzo 7
Hi Jehan,

you don't need to configure any capabilities in Virtuozzo 7 anymore, as user namespaces are used in vz7 now.
Yes, the documentation contains an outdated description, we'll update the docs soon:
https://bugs.openvz.org/browse/OVZ-6802

And in your case most probably you just need to enable conntracks for the Container:
# prlctl set MyCT --netfilter stateful

or if you need NAT as well:
# prlctl set MyCT --netfilter full

Hope that helps.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 10/10/2016 10:42 PM, Jehan Procaccia wrote:
> hello
>
> by default firewalld doesn't work on a fresh install container (centos7-x64)
>
> docs say:
> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
> I guess I need to enable net_admin
>     net_admin    Allows the administration of IP firewalls and accounting.    off
> as it is by default set to off
>
> but the command is deprecated
> # vzctl set MyCT11 --capability net_admin --save
> Warning: The --capability option is deprecated
>
> So I used prlctl (not proposed in the doc above !?)
>
> # prlctl set MyCT11 --capability net_admin:on
> Set capabilities: NET_ADMIN:on
> The CT has been successfully configured.
>
> but still in the CT
> /# firewall-cmd --get-active-zones
> nothing
> /# firewall-cmd --reload
> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
> as if the NET_ADMIN capability is not saved permanently in the CT definition
>
> what is the equivalent of vzctl --save with prlctl ?
> or did I mess up somewhere else ?
>
> Regards .

___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
Re: [Users] firewall capability in openVZ/virtuozzo 7
Dear Jehan,

OpenVZ container does not require enabling additional capabilities,
default settings allow using iptables inside the container.

However by default netfilter is restricted,
most likely you need to change it by using "prlctl set --netfilter"

--netfilter
    Restrict access to iptable modules inside the Container. The following modes are available:
    disabled -- no modules are allowed.
    stateless -- (default) all modules except NAT and conntracks are allowed.
    stateful -- all modules except NAT are allowed.
    full -- all modules are allowed.

btw. prlctl works as "vzctl --save" in any case, it saves the setting in configs.

Thank you,
Vasily Averin

On 10.10.2016 22:42, Jehan Procaccia wrote:
> hello
>
> by default firewalld doesn't work on a fresh install container (centos7-x64)
>
> docs say:
> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
> I guess I need to enable net_admin
>     net_admin    Allows the administration of IP firewalls and accounting.    off
> as it is by default set to off
>
> but the command is deprecated
> # vzctl set MyCT11 --capability net_admin --save
> Warning: The --capability option is deprecated
>
> So I used prlctl (not proposed in the doc above !?)
>
> # prlctl set MyCT11 --capability net_admin:on
> Set capabilities: NET_ADMIN:on
> The CT has been successfully configured.
>
> but still in the CT
> /# firewall-cmd --get-active-zones
> nothing
> /# firewall-cmd --reload
> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
> as if the NET_ADMIN capability is not saved permanently in the CT definition
>
> what is the equivalent of vzctl --save with prlctl ?
> or did I mess up somewhere else ?
>
> Regards .

___
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
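A pre-flight check for the two settings this thread works through (the container's --netfilter mode from Vasily's 11:04 reply, and the host's ip_conntrack_disable_ve0 default and the conntrack-overflow lockout from his 12:32 reply), written as an added example that is not code from the thread, OpenVZ or Virtuozzo. It assumes the four modes behave as Vasily describes them, reads config text passed as arguments (constructed samples stand in for /etc/modprobe.d/vz.conf and a container's ve.conf), and takes conntrack usage from the kernel's nf_conntrack_count and nf_conntrack_max files, which the thread does not mention.

```shell
# Added example, not from the thread or from OpenVZ/Virtuozzo. Functions take
# config text as arguments, so the constructed samples stand in for real files.

# Constructed sample of /etc/modprobe.d/vz.conf with the Virtuozzo default.
SAMPLE_VZ_CONF='options vzevent reboot_event=1
options nf_conntrack ip_conntrack_disable_ve0=1'
# Constructed samples of a container ve.conf in two of the four modes.
SAMPLE_VE_STATEFUL='NETFILTER="stateful"'
SAMPLE_VE_STATELESS='NETFILTER="stateless"'
# The rule firewalld failed to load inside the container in the thread.
SAMPLE_RULE='-t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Effective ip_conntrack_disable_ve0: 1 = host conntrack off (the default),
# 0 = on, "unset" = option absent. The last matching options line wins.
host_conntrack_disable_ve0() {
    val=$(printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*options[[:space:]]\{1,\}nf_conntrack[[:space:]].*ip_conntrack_disable_ve0=\([01]\).*/\1/p' \
        | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# NETFILTER mode recorded in ve.conf (disabled, stateless, stateful, full).
ct_netfilter_mode() {
    printf '%s\n' "$1" | sed -n 's/^NETFILTER="\{0,1\}\([a-z]*\)"\{0,1\}$/\1/p' | tail -n 1
}

# Predict whether an iptables rule loads under a mode, modelling the modes
# as described in the thread: stateless rejects conntrack matches, stateful
# still rejects NAT, full allows everything. An approximation, not vzctl logic.
rule_allowed_in_mode() {
    mode="$1"; rule="$2"; conntrack=no; nat=no
    case "$rule" in *"-m conntrack"*|*"-m state"*) conntrack=yes ;; esac
    case "$rule" in *"-t nat"*|*"-j MASQUERADE"*|*"-j SNAT"*|*"-j DNAT"*) nat=yes ;; esac
    case "$mode" in
        full) echo yes ;;
        stateful) [ "$nat" = no ] && echo yes || echo no ;;
        stateless) [ "$conntrack" = no ] && [ "$nat" = no ] && echo yes || echo no ;;
        *) echo no ;;
    esac
}

# Host lockout risk from a full conntrack table: count and max are read on a
# live host from /proc/sys/net/netfilter/nf_conntrack_count and _max. With
# the thread's default (disable_ve0=1) host traffic is not tracked, so none.
host_lockout_risk() {
    disable_ve0="$1"; count="$2"; max="$3"
    [ "$disable_ve0" = 1 ] && { echo none; return; }
    [ $(( count * 100 / max )) -ge 90 ] && echo high || echo ok
}

# Stand-alone demo on the constructed samples.
echo "host ip_conntrack_disable_ve0=$(host_conntrack_disable_ve0 "$SAMPLE_VZ_CONF")"
echo "rule under $(ct_netfilter_mode "$SAMPLE_VE_STATELESS"): $(rule_allowed_in_mode "$(ct_netfilter_mode "$SAMPLE_VE_STATELESS")" "$SAMPLE_RULE")"
echo "rule under stateful: $(rule_allowed_in_mode stateful "$SAMPLE_RULE"), lockout risk at 950/1000: $(host_lockout_risk 0 950 1000)"
```

On a live host, pass "$(cat /etc/modprobe.d/vz.conf)" and "$(cat /vz/private/<CTID>/ve.conf)" to the first two functions and the two /proc values to the last one.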