You would need to reload the nf_conntrack module in this case. You would need to stop all containers, if they use conntracks, then stop the firewall on the host, then I expect you can unload the nf_conntrack module.
But this case is special, you would need to do it only once.

On 11.10.2016 14:53, Jehan Procaccia wrote:
> ok that worked:
> # cat /etc/modprobe.d/vz.conf
> options vzevent reboot_event=1
> options nf_conntrack ip_conntrack_disable_ve0=0
>
> # systemctl start firewalld.service
> doesn't break my ssh session anymore
>
> after setting ip_conntrack_disable_ve0=0 I restarted the full system, perhaps there was a way to reload vz services without a full restart?
>
> thanks.
>
> On 11/10/2016 12:32, Vasily Averin wrote:
>> By default we disable conntracks on the host
>>
>> # cat /etc/modprobe.d/vz.conf
>> options nf_conntrack ip_conntrack_disable_ve0=1
>>
>> It protects the host in the "conntrack overflow" situation:
>> when all conntracks on the host are in use, the host admin is unable to connect to the
>> host via ssh.
>>
>> Please feel free to enable it, it is quite safe for many cases.
>>
>> Thank you,
>> Vasily Averin
>>
>> On 11.10.2016 13:22, Jehan Procaccia wrote:
>>> ok, that works fine with that:
>>>
>>> # prlctl set MyCT11 --netfilter stateful
>>> Set netfilter: stateful
>>> The CT has been successfully configured.
>>>
>>> and it is saved
>>>
>>> # grep -i netfilter /vz/private/1d268e70-3597-4508-9e2a-903fc06b02a2/ve.conf
>>> NETFILTER="stateful"
>>>
>>> inside the CT now I can issue firewall-cmd
>>>
>>> CT-1d268e70 /# firewall-cmd --get-active-zones
>>> public
>>>   interfaces: eth0
>>>
>>> Great!
>>>
>>> Now, I realized that on the host machine, if I start firewalld I am locked
>>> out of my ssh session :-(
>>> although the ssh service is open on all interfaces!
>>>
>>> # firewall-cmd --zone=public --list-all
>>> public (default, active)
>>>   interfaces: br0 br1 br10 br11 em1 em2 p2p2 p2p2.11
>>>   sources:
>>>   services: dhcpv6-client ssh
>>>   ports:
>>>   masquerade: no
>>>   forward-ports:
>>>   icmp-blocks:
>>>   rich rules:
>>>
>>> Did I miss something again?
>>>
>>> regards.
>>>
>>> On 11/10/2016 11:04, Vasily Averin wrote:
>>>> Dear Jehan,
>>>>
>>>> An OpenVZ container does not require enabling additional capabilities,
>>>> the default settings allow using iptables inside the container.
>>>>
>>>> However, by default netfilter is restricted,
>>>> most likely you need to change it by using "prlctl set --netfilter"
>>>>
>>>> --netfilter <disabled|stateless|stateful|full>
>>>>        Restrict access to iptable modules inside the Container. The
>>>>        following modes are available:
>>>>        disabled  -- no modules are allowed.
>>>>        stateless -- (default) all modules except NAT and conntracks are allowed.
>>>>        stateful  -- all modules except NAT are allowed.
>>>>        full      -- all modules are allowed.
>>>>
>>>> btw. prlctl works as "vzctl --save" in all cases, it saves the setting in
>>>> the configs.
>>>>
>>>> Thank you,
>>>> Vasily Averin
>>>>
>>>> On 10.10.2016 22:42, Jehan Procaccia wrote:
>>>>> hello
>>>>>
>>>>> by default firewalld doesn't work on a freshly installed container
>>>>> (centos7-x64)
>>>>>
>>>>> the docs say:
>>>>> http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
>>>>> I guess I need to enable net_admin
>>>>>   net_admin   Allows the administration of IP firewalls and accounting.   off
>>>>> as it is by default set to off
>>>>>
>>>>> but the command is deprecated
>>>>> # vzctl set MyCT11 --capability net_admin --save
>>>>> Warning: The --capability option is deprecated
>>>>>
>>>>> So I used prlctl (not proposed in the doc above!?)
>>>>>
>>>>> # prlctl set MyCT11 --capability net_admin:on
>>>>> Set capabilities: NET_ADMIN:on
>>>>> The CT has been successfully configured.
>>>>>
>>>>> but still in the CT
>>>>> /# firewall-cmd --get-active-zones
>>>>> nothing
>>>>> /# firewall-cmd --reload
>>>>> Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match by that name.
>>>>> as if the NET_ADMIN capability is not saved permanently in the CT definition
>>>>>
>>>>> what is the equivalent of vzctl --save with prlctl?
>>>>> or did I mess up somewhere else?
>>>>>
>>>>> Regards.
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users@openvz.org
>>>>> https://lists.openvz.org/mailman/listinfo/users
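The thread resolves into two settings: the container's NETFILTER mode in its ve.conf (firewalld's first rule is a conntrack match, which "stateless" refuses to load), and ip_conntrack_disable_ve0 in /etc/modprobe.d/vz.conf on the host (with 1, starting firewalld on the host cost the poster his ssh session). The script below is an added example, not code from the thread or from the OpenVZ/Virtuozzo project: it reads both files, reports which of the two conditions will bite, and names the fix the thread used. The file paths, the CT name MyCT11 and the `prlctl set --netfilter stateful` command are taken from the thread; the sample file contents, the VE_ROOT line and the "stateless" fallback when NETFILTER is absent (the default per the prlctl man page quoted above) are constructed here for offline use. On a real host, point the functions at the live files instead.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenVZ project.  Preflight the two
# settings that decided whether firewalld works in a Virtuozzo 7 / OpenVZ 7
# container and whether starting it on the host locks out ssh.

# Print the NETFILTER= value from a ve.conf file.  If the key is absent,
# assume "stateless", the default the prlctl man page gives (assumption).
ct_netfilter_mode() {
    mode=$(sed -n 's/^NETFILTER="\{0,1\}\([a-z]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'stateless\n'; fi
}

# Exit 0 if the mode admits the conntrack match that firewalld's first rule
# needs (-m conntrack --ctstate RELATED,ESTABLISHED), 1 otherwise.
ct_conntrack_allowed() {
    case "$1" in
        stateful|full) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the ip_conntrack_disable_ve0 value from an "options nf_conntrack ..."
# line in a modprobe.d file, or "unset" if the file does not set it.
host_ve0_conntrack_disabled() {
    v=$(sed -n 's/^options[[:space:]]\{1,\}nf_conntrack[[:space:]].*ip_conntrack_disable_ve0=\([01]\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Report on one CT plus the host file.  Returns 0 when firewalld can load its
# rules inside the CT, 1 when the CT's netfilter mode will refuse them.
preflight() {
    ct_name=$1; ve_conf=$2; vz_conf=$3
    mode=$(ct_netfilter_mode "$ve_conf")
    ve0=$(host_ve0_conntrack_disabled "$vz_conf")
    rc=0
    if ct_conntrack_allowed "$mode"; then
        printf 'CT %s: NETFILTER=%s, conntrack matches allowed, firewalld can load its rules\n' "$ct_name" "$mode"
    else
        printf 'CT %s: NETFILTER=%s, conntrack matches refused; run: prlctl set %s --netfilter stateful\n' "$ct_name" "$mode" "$ct_name"
        rc=1
    fi
    case "$ve0" in
        1) printf 'host: ip_conntrack_disable_ve0=1, conntrack is off for the host itself; do not start firewalld on the host over ssh until it is 0 and nf_conntrack has been reloaded\n' ;;
        0) printf 'host: ip_conntrack_disable_ve0=0, host conntrack enabled; watch /proc/sys/net/netfilter/nf_conntrack_count against nf_conntrack_max\n' ;;
        *) printf 'host: ip_conntrack_disable_ve0 not set in %s; the thread says the shipped default is 1, so treat host conntrack as disabled until verified\n' "$vz_conf" ;;
    esac
    return $rc
}

# Constructed sample files standing in for the real paths.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# CT config before and after "prlctl set MyCT11 --netfilter stateful" (the
# grep in the thread shows the NETFILTER line; VE_ROOT is a made-up extra key).
printf 'VE_ROOT="/vz/root/$VEID"\nNETFILTER="stateless"\n' > "$SAMPLE_DIR/ve.conf.before"
printf 'VE_ROOT="/vz/root/$VEID"\nNETFILTER="stateful"\n'  > "$SAMPLE_DIR/ve.conf.after"
# Host modprobe file as shipped and as the poster changed it (both quoted in the thread).
printf 'options vzevent reboot_event=1\noptions nf_conntrack ip_conntrack_disable_ve0=1\n' > "$SAMPLE_DIR/vz.conf.default"
printf 'options vzevent reboot_event=1\noptions nf_conntrack ip_conntrack_disable_ve0=0\n' > "$SAMPLE_DIR/vz.conf.enabled"

preflight MyCT11 "$SAMPLE_DIR/ve.conf.before" "$SAMPLE_DIR/vz.conf.default" || true
preflight MyCT11 "$SAMPLE_DIR/ve.conf.after"  "$SAMPLE_DIR/vz.conf.enabled"
```

Two cautions a practitioner would want. First, the two failure modes look different: inside a "stateless" CT the conntrack match cannot be loaded at all, which is the "No chain/target/match by that name" error in the first post; on the host the module is loaded but disabled for ve0, so firewalld's rules install and its state matches simply never match, which is consistent with the established ssh session dying the moment firewalld started. Second, Vasily's reason for the default stands: with host conntrack enabled, a full conntrack table can lock the admin out just as effectively, so if you set ip_conntrack_disable_ve0=0, size net.netfilter.nf_conntrack_max for the host's own traffic and alert on nf_conntrack_count approaching it. Changing the parameter needs the module reloaded as described at the top of the thread (stop conntrack-using containers, stop the host firewall, unload nf_conntrack) or a reboot, as the poster did.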