Hi Jehan,

You don't need to configure any capabilities in Virtuozzo 7 anymore, as user 
namespaces are used in vz7 now.
Yes, the documentation contains an outdated description; we'll update the docs soon:

And in your case most probably you just need to enable conntracks for Container:
# prlctl set MyCT --netfilter stateful

or if you need NAT as well:
# prlctl set MyCT --netfilter full

Hope that helps.

Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 10/10/2016 10:42 PM, Jehan Procaccia wrote:

by default firewalld doesn't work on a fresh install container

docs says:
I guess I need to enable net_admin
net_admin     Allows the administration of IP firewalls and accounting.
as it is by default set to off

but the command is deprecated
# vzctl set MyCT11 --capability net_admin --save
Warning: The --capability option is deprecated

So I used prlctl (not proposed in the doc above !?)

# prlctl set MyCT11 --capability net_admin:on
Set capabilities: NET_ADMIN:on
The CT has been successfully configured.

but still in the CT
/# firewall-cmd --get-active-zones
/# firewall-cmd --reload
Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match
by that name.
as if NET_ADMIN capability is not saved permanently in the CT definition

what is the equivalent of vzctl --save with prlctl ?
or I mess somewhere else ?

Regards .