---
Andrey Ryabinin (2):
ve/kmod/whitelist: Allow ip6tables_raw modules autoload upon request from CT
ve/kmod/whitelist: Allow nf_tables module autoloading on request from CT
Cyrill Gorcunov (1):
ve/kmod/whitelist: Add modules to whitelist for c/r sake
Kirill Tkhai (2):
From: Konstantin Khorenko
Introduce "kernel.ve_allow_module_load" sysctl
to allow (1) / deny (0) indirect kernel modules load upon requests
from inside Containers.
Indirect modules "autoload" set enabled by default.
https://jira.sw.ru/browse/PSBM-127787
Signed-off-by: Konstantin Khorenko
---
From: Konstantin Khorenko
If a kernel module is requested indirectly from inside a Container,
check whether this module is blacklisted on the Node first.
https://jira.sw.ru/browse/PSBM-127787
Signed-off-by: Konstantin Khorenko
Signed-off-by: Kirill Tkhai
---
kernel/kmod.c | 25 +++
From: Konstantin Khorenko
ve/kmod/whitelist: Allow iptables/netfilter modules for autoload from CT
For now following modules are allowed by default to be autoloaded
upon indirect request from inside a Container:
* iptables/ip6tables core modules
* netfilters core modules (including nf_tables_in
From: Konstantin Khorenko
https://jira.sw.ru/browse/PSBM-127787
It's a port of following vz7 commits:
* 3a4142e ("ve/kmod: Port autoloading from CT") (partially)
* 8af13e7c ("ve/kmod: list of allowed to autoload in CT modules")
(partially)
Signed-off-by: Konstantin Kho
From: Konstantin Khorenko
ve/kmod/whitelist: List of allowed to autoload in CT modules
(non-netfilters)
Following non-netfilter modules are allowed to be autoloaded
from inside a CT:
* binfmt_misc
* fs-overlay
It's port of vz7 commits:
* 8af13e7c ("ve/kmod: list o
From: Pavel Tikhomirov
vxlan is safe in CT as:
1) UDP multicast socket to connect to the outer world sits in the creation
net-namespace, and this socket can get packets only forwarded/routed
in the creation ns.
2) Vxlan device is owned by second netns(could be same as first) as
any other network device, s
From: Pavel Tikhomirov
After allowing dummy devices in container in bug PSBM-43329 by commit
6061ed860950 ("ve/net/dummy: enable support in a container") docker-ui
testcase TestDaemonIP was unXFAIed but it still fails to create dummy
because the module is not automatically loaded in rtnl_newlink:
ip l
From: Cyrill Gorcunov
When doing checkpoint/restore during migration we use netlink
sockets with diag functionality to fetch various information
we need. In particular when restoring on the machine where
say netfilter modules are not loaded we fail with
| [root@s175 ~]# less /vz/dump/rst-iVS9OC-
Otherwise, in case of destination node does not have
modules loaded, CT migration fails.
https://jira.sw.ru/browse/PSBM-90319
Signed-off-by: Kirill Tkhai
(cherry picked from vz7 commit
c92758e6ea45 ("net: Allow autoloading conntrack nft-helper-* modules"))
Signed-off-by: Konstantin Khorenko
From: Andrey Ryabinin
Currently autoloading of the ip6table_raw module is forbidden
from container, leading to:
ip6tables-restore v1.4.21: ip6tables-restore: unable to initialize table
'raw'
If use of ip6tables is allowed in container, autoloading of the ip6tables_raw
has to be permitted a
From: Stanislav Kinsburskiy
Otherwise Container online migration can fail.
https://jira.sw.ru/browse/PSBM-58178
Signed-off-by: Stanislav Kinsburskiy
Reviewed-by: Dmitry Safonov
(cherry picked from vz7 commit
d6e47c05b868 ("ve/modules: allow NFS modules autoload in Containers"))
Signed-off-
From: Pavel Tikhomirov
we still need to add ip_vs module in /etc/modules-load.d/vz.conf
to be able to use ipvs in CT, all other modules are request_module'ed
from ip_vs.
https://jira.sw.ru/browse/PSBM-63883
Signed-off-by: Pavel Tikhomirov
Reviewed-by: Andrew Vagin
(cherry picked from vz7 comm
From: Pavel Tikhomirov
I forgot to allow in CT autoload of needed modules, so do:
ip_set_list_set
ip_set_hash_netiface
ip_set_hash_ipportnet
ip_set_hash_netport
ip_set_hash_net
ip_set_hash_ipportip
ip_set_hash_ipport
ip_set_hash_ip
ip_set_bitmap_port
ip_set_bitmap_ipmac
ip_set_bitmap_ip
ip_set
h
From: Andrey Ryabinin
Allow nf_tables.ko module autoloading from CT. Needed for iptables in centos 8.
https://jira.sw.ru/browse/PSBM-98211
Signed-off-by: Andrey Ryabinin
(cherry picked from vz7 commit 18c67099330a ("ve/kmod, nf_tables: allow
nf_tables.ko autoloading on request from ve."))
Sign
From: Pavel Tikhomirov
Need it for Docker nat rules c/r in nft based environment.
https://jira.sw.ru/browse/PSBM-125002
Signed-off-by: Pavel Tikhomirov
ve/kmod: fix misprint in fib modules autoload allow rules
When testing criu to suspend resume "fib" rules I found out that we ha
From: Vasily Averin
Patch enables autoload of iptable_security and ip6table_security from
inside containers.
It decreases number of errors generated during firewalld start.
https://jira.sw.ru/browse/PSBM-98212
Signed-by: Vasily Averin
(cherry picked from vz7 commit 77a471044478 ("ve/kmod: en
Otherwise rules like below can't be applied from inside CT,
when the module is not loaded.
$iptables -I FORWARD -m string --string "xx" --algo kmp --to 65535 -j DROP
https://jira.sw.ru/browse/PSBM-97729
Signed-off-by: Kirill Tkhai
(cherry picked from vz7 commit
2e3b2c332d41 ("ve/modules: Add
From: Konstantin Khorenko
A Container with CentOS 8 inside uses nft by default and
iptables work in a legacy mode, for that "nft_compat" is
required, so allow its autoload.
[CT]# iptables -A INPUT -m tos --tos Minimize-Cost -j REJECT
iptables v1.8.2 (nf_tables): Couldn't load match
`t
From: Konstantin Khorenko
+ "nfnetlink-subsys-3", /* NFNL_SUBSYS_QUEUE */
https://jira.sw.ru/browse/PSBM-92694
Signed-off-by: Konstantin Khorenko
(cherry picked from vz7 commit 588834a3e83f
("ve/netfilter/ipset: allow nfnetlink_queue module autoload"))
Signed-off-by: Konstan
From: Pavel Tikhomirov
We see that k8s_weave-npc container fails with:
Thu Oct 29 09:19:53 2020 <5> ulogd.c:981 building new pluginstance stack:
'log1:NFLOG,base1:BASE,pcap1:PCAP'
Thu Oct 29 09:19:53 2020 <7> ulogd_inppkt_NFLOG.c:552 unable to bind to log
group 86
Thu Oct 29 09:19:53 2020 <7>
On 07.10.2021 18:18, Cyrill Gorcunov wrote:
> Hi! Here is a ported vtty series, build and boot tested only obviously.
> I think we might revisit this code and rework more deeply once we manage
> to run containers inside so I would be able to manipulate vtty console
> from userspace level.
>
> http
committed
On 08.10.2021 12:50, Kirill Tkhai wrote:
> ---
>
> Andrey Ryabinin (2):
> ve/kmod/whitelist: Allow ip6tables_raw modules autoload upon request
> from CT
> ve/kmod/whitelist: Allow nf_tables module autoloading on request from CT
>
> Cyrill Gorcunov (1):
> ve/kmod/white