ok that worked:
# cat /etc/modprobe.d/vz.conf
options vzevent reboot_event=1
options nf_conntrack ip_conntrack_disable_ve0=0

# systemctl start firewalld.service
doesn't break my ssh session anymore

after setting ip_conntrack_disable_ve0=0 I restarted the full system, perhaps there was a way to reload vz services without a full restart?

thanks.
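A pre-flight check for the host-side step above, added here as an example (it is not code from the thread, from Virtuozzo or from OpenVZ): it parses ip_conntrack_disable_ve0 from /etc/modprobe.d/vz.conf, compares it with the value the running kernel reports, and exits non-zero unless both are 0, so a host still running with the shipped default, or with the file changed but not yet applied by a reload or reboot, is caught before firewalld is started and the SSH session is cut. The sysfs path used to read the running value is an assumption.

```shell
#!/bin/sh
# Pre-flight check before "systemctl start firewalld" on a Virtuozzo 7 host.
# Added example, not code from the thread. It reads the modprobe file named in
# the thread; the sysfs path for the running value is an ASSUMPTION about how
# the kernel exposes the option (expects a numeric 0/1; anything else is
# treated as unknown).
VZ_CONF="${VZ_CONF:-/etc/modprobe.d/vz.conf}"
RUNNING_PARAM="${RUNNING_PARAM:-/sys/module/nf_conntrack/parameters/ip_conntrack_disable_ve0}"

# Print the configured ip_conntrack_disable_ve0 value from a modprobe file.
# Only "options nf_conntrack ..." lines count; the last occurrence wins;
# prints "unset" when the option is absent.
conntrack_disable_setting() {
    awk '$1 == "options" && $2 == "nf_conntrack" {
             for (i = 3; i <= NF; i++)
                 if (split($i, kv, "=") == 2 && kv[1] == "ip_conntrack_disable_ve0")
                     val = kv[2]
         }
         END { print (val == "" ? "unset" : val) }' "$1"
}

# Classify the (configured, running) pair:
#   ok       - conntracks enabled on the host in both the file and the kernel
#   reboot   - file says 0 but the kernel still runs with 1; the option is only
#              re-read when nf_conntrack is loaded (the poster rebooted the host)
#   disabled - file keeps the shipped default (=1): firewalld's conntrack rules
#              will fail and starting it can cut the SSH session
#   unknown  - option absent from the file, or running value unreadable
classify() {
    cfg="$1"; run="$2"
    if [ "$cfg" = "0" ] && [ "$run" = "0" ]; then echo ok
    elif [ "$cfg" = "0" ] && [ "$run" = "1" ]; then echo reboot
    elif [ "$cfg" = "1" ]; then echo disabled
    else echo unknown
    fi
}

preflight() {
    cfg=$(conntrack_disable_setting "$VZ_CONF")
    run=unknown
    [ -r "$RUNNING_PARAM" ] && run=$(cat "$RUNNING_PARAM")
    state=$(classify "$cfg" "$run")
    echo "ip_conntrack_disable_ve0: configured=$cfg running=$run -> $state"
    [ "$state" = "ok" ]   # non-zero exit stops a wrapper from starting firewalld
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as `sh preflight.sh run` on the host; the file and sysfs paths can be overridden through VZ_CONF and RUNNING_PARAM.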
On 11/10/2016 12:32, Vasily Averin wrote:
By default we disable conntracks on the host

# cat /etc/modprobe.d/vz.conf
options nf_conntrack ip_conntrack_disable_ve0=1

It protects the host in a "conntrack overflow" situation:
when all conntracks on the host are in use, the host admin is unable to connect to the host
via ssh.

Please feel free to enable it, it is quite safe for many cases.

Thank you,
        Vasily Averin

On 11.10.2016 13:22, Jehan Procaccia wrote:
ok, that works fine with that:

# prlctl set MyCT11 --netfilter stateful
Set netfilter: stateful
The CT has been successfully configured.

and it is saved

# grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
NETFILTER="stateful"

inside the CT now I can issue firewall-cmd

CT-1d268e70 /# firewall-cmd --get-active-zones
public
   interfaces: eth0

Great !

Now, I realized that on the host machine, if I start firewalld I am locked out
of my ssh session :-(
although the ssh service is open on all interfaces!

# firewall-cmd --zone=public --list-all
public (default, active)
   interfaces: br0 br1 br10 br11  em1 em2 p2p2 p2p2.11
   sources:
   services: dhcpv6-client ssh
   ports:
   masquerade: no
   forward-ports:
   icmp-blocks:
   rich rules:

Did I miss something again?

regards.

On 11/10/2016 11:04, Vasily Averin wrote:
Dear Jehan,

An OpenVZ container does not require enabling additional capabilities;
the default settings allow using iptables inside the container.

However, by default netfilter is restricted;
most likely you need to change it by using "prlctl set --netfilter"

         --netfilter <disabled|stateless|stateful|full>
             Restrict access to iptable modules inside the Container.  The
             following modes are available:
             disabled  -- no modules are allowed.
             stateless -- (default) all modules except NAT and conntracks are
                          allowed.
             stateful  -- all modules except NAT are allowed.
             full      -- all modules are allowed.


btw. prlctl works as "vzctl --save" in all cases; it saves the setting in
the configs.

Thank you,
     Vasily Averin

On 10.10.2016 22:42, Jehan Procaccia wrote:
hello

by default firewalld doesn't work in a freshly installed container (centos7-x64)

the docs say:
http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
I guess I need to enable net_admin
net_admin     Allows the administration of IP firewalls and accounting.     off
as it is set to off by default

but the command is deprecated
# vzctl set MyCT11 --capability net_admin --save
Warning: The --capability option is deprecated

So I used prlctl (not proposed in the doc above!?)

# prlctl set MyCT11 --capability net_admin:on
Set capabilities: NET_ADMIN:on
The CT has been successfully configured.

but still, in the CT:
/# firewall-cmd --get-active-zones
nothing
/# firewall-cmd --reload
Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
as if the NET_ADMIN capability is not saved permanently in the CT definition

what is the equivalent of vzctl --save with prlctl?
or did I mess up somewhere else?

Regards.

_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users



