OpenVZ Forum
*SOLVED* Is OpenVZ in Parallels vm known to work? [message #12463] Sun, 29 April 2007 13:02
kermit (Messages: 6, Registered: April 2007, Junior Member)
I've just installed OpenVZ inside a Parallels virtual machine on a Mac. I ran into problems with networking. Since I don't have a spare physical box around I can't check whether the problem also occurs on a "real" machine.

Did anyone manage to get OpenVZ networking to work in a Parallels (or VMWare) virtual machine?

Thanks

[Updated on: Mon, 21 May 2007 06:45] by Moderator


Re: Is OpenVZ in Parallels vm known to work? [message #12523 is a reply to message #12463] Wed, 02 May 2007 07:53
Vasily Tarasov (Messages: 1345, Registered: January 2006, Senior Member)
In VMware it works without problems. And it should work in Parallels too, if a usual Linux distribution can work with the network in it. Check routing, iptables and other network settings.

Vasily.
Re: Is OpenVZ in Parallels vm known to work? [message #12620 is a reply to message #12463] Fri, 04 May 2007 13:12
dev (Messages: 1693, Registered: September 2005, Location: Moscow, Senior Member)

Yes, it works in Parallels 100% (though not tested on Mac by me).
Can you check the link in OpenVZ plz:
# ip a l
# dmesg

Re: Is OpenVZ in Parallels vm known to work? [message #12650 is a reply to message #12620] Sat, 05 May 2007 20:16
kermit (Messages: 6, Registered: April 2007, Junior Member)
OK, it was obviously not Parallels, but some "feature" of the network I was trying it in (Wifi with 802.1x authentication). After moving to a simpler network, I get a network connection from the VPS.

Now I'm struggling with the firewall within the VPS. I've set the HN's firewall to be transparent for the VPS, which works fine. If I now switch on the firewall in the VPS (which is CentOS 4), I can't connect to the VPS via SSH, despite allowing SSH traffic in system-config-securitylevel. It looks like the rule generated by system-config-securitylevel for allowing incoming ssh connections is never matched (so the next rule REJECTs the incoming connection). If I simplify the rule (in /etc/sysconfig/iptables)

-A RH-Firewall-1-INPUT -m STATE --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

as generated by system-config-securitylevel to

-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT

and restart the firewall, I can connect to the VPS via SSH. However, I have about a 5s delay after entering the password before I get the shell. This delay just goes away when I shut down the firewall within the VPS.

I'm using kernel 2.6.18-8.el5.028stab031.1 and vzctl 3.0.16 on CentOS 5 on the HN and a CentOS 4 template on the VPS.

Any ideas whether this is a problem of the kernel or some mis-configuration?
Re: Is OpenVZ in Parallels vm known to work? [message #12657 is a reply to message #12650] Sun, 06 May 2007 16:53
dev (Messages: 1693, Registered: September 2005, Location: Moscow, Senior Member)

Not sure from your description where you set up these iptables rules: in HN or inside VE?
If on HN, then you need to use the FORWARD chain, not INPUT.
If in VE, then please check that all the required conntrack modules were loaded *before* VE start.

Use iptables -L -v to see counters which help to understand where packets were matched.

Re: Is OpenVZ in Parallels vm known to work? [message #12661 is a reply to message #12657] Sun, 06 May 2007 18:10
kermit (Messages: 6, Registered: April 2007, Junior Member)
I'm setting the iptables rule for ssh in the VE. I have the exact same rule also in the HN (and there, in the HN, the very same rule works as expected and allows access via SSH to the HN), thus I believe that I have all necessary netfilter modules loaded in the kernel when the VE is started. Note that I do not get any error message in the VE when doing a

# service iptables restart

which is an additional indication that all necessary modules are available to the VE.

The packet counters shown when doing a

# iptables -L -v -n

give a clear indication that the SSH rule is _not_ matched, but instead the following REJECT rule is matched.

This, and the fact that I _can_ connect to the VE when stopping the firewall in the VE, shows that the packet forwarding from the HN to the VE is working correctly.

I should also stress that the rule definition is not a hand crafted one but one that is automatically generated by Redhat's system-config-securitylevel script.

Any ideas?
Re: Is OpenVZ in Parallels vm known to work? [message #12673 is a reply to message #12650] Mon, 07 May 2007 07:41
Vasily Tarasov (Messages: 1345, Registered: January 2006, Senior Member)
Hello,

can you tell me, please, what distribution you are using on HN? For me (CentOS 4.4), the rule generated by your `system-config-securitylevel` doesn't work:

[root@white ~]# CentOS release 4.4 (Final)
[root@white ~]# iptables -A RH-Firewall-1-INPUT -m STATE --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables v1.2.11: Couldn't load match `STATE':/lib64/iptables/libipt_STATE.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Thank you,
Vasily.
Re: Is OpenVZ in Parallels vm known to work? [message #12860 is a reply to message #12673] Sat, 12 May 2007 12:04
kermit (Messages: 6, Registered: April 2007, Junior Member)
Regarding the versions I am using:

Kernel 2.6.18-8.el5.028stab031.1 and vzctl 3.0.16 on CentOS 5 on the HN and a CentOS 4 template on the VPS.

Regarding the firewall rule that behaves unexpectedly in the VE:

Sorry, I have just realized that I had an error in the capitalization of the firewall rule. The correct line is:

iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

that is: "state" is not in capitals. (When using "STATE" in the command line above I get the same error message as you.)
Re: Is OpenVZ in Parallels vm known to work? [message #12884 is a reply to message #12860] Mon, 14 May 2007 10:11
Vasily Tarasov (Messages: 1345, Registered: January 2006, Senior Member)
Hello,

I've just tried to reproduce the problem:

HN: Centos 4.4
VE: Centos 4.4
vzctl: 3.0.16
kernel: 2.6.18-028stab031

I added the ipt_state module to the vz.conf file and loaded this module on HN, then I started the VE and used the system-config-securitylevel utility in the VE to mark venet0 as a trusted interface and allow ssh traffic. It resulted in the following /etc/sysconfig/iptables file:
[root@VE /]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

After that I was able to ssh to the VE from HN and from other nodes. But note that I have no firewall rules at all in VE0 (including SNAT/DNAT rules).
Re: Is OpenVZ in Parallels vm known to work? [message #12906 is a reply to message #12463] Mon, 14 May 2007 16:42
kermit (Messages: 6, Registered: April 2007, Junior Member)
Hi,

> After that I was able to ssh to the VE from HN and from other nodes. But note that I have no firewall rules at all in VE0 (including SNAT/DNAT rules).

Note that this is what I want to do: let the VE admin set their own firewall rules. And that is what doesn't work for me, at least not with the rules that are automatically generated.

So if you would try to switch on the firewall in the VE (using the same procedure as for the HN) and there, too, allow SSH traffic, then you should see the problem.
Re: Is OpenVZ in Parallels vm known to work? [message #12912 is a reply to message #12906] Tue, 15 May 2007 06:09
Vasily Tarasov (Messages: 1345, Registered: January 2006, Senior Member)
I think you misunderstood my last post: VE0 == HN, so I set up the firewall only _in_ _VE_, with no firewall rules at all on HN.

Thanks,
Vasily.
Re: Is OpenVZ in Parallels vm known to work? [message #13092 is a reply to message #12912] Sat, 19 May 2007 12:51
kermit (Messages: 6, Registered: April 2007, Junior Member)
OK, I see: the resolution is to add ipt_state to the IPTABLES variable of /etc/vz/vz.conf. I was under the (wrong) impression that this is only necessary if the HN doesn't already have the module loaded.

I consider the issue solved. Thanks a lot for your help and patience.

I've two suggestions:

* Since ipt_state is used by the default firewall configuration of Redhat (and CentOS) and since Redhat is kind of the primary distribution you support, what about adding libipt_state to the list of allowed iptables libraries by default?

* The OpenVZ-Users-Guide on page 70 advises to add iptables modules to the variable IPTABLES_MODULES of file /etc/sysconfig/iptables-config. That should be corrected to refer to the variable IPTABLES of file /etc/vz/vz.conf.
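The root cause in this thread was a VE rule set using a match (-m state) whose module was not listed in the IPTABLES variable of /etc/vz/vz.conf, so the rule silently never matched and the trailing REJECT fired. The following added example (not code from the thread or from the OpenVZ project) checks a VE's /etc/sysconfig/iptables against that variable before the VE is started; the match-to-module mapping is an assumption covering only common names, and both inputs are constructed samples.

```shell
#!/bin/sh
# Constructed sample VE rule set in /etc/sysconfig/iptables format
# (not copied from any host in the thread).
VE_RULES='*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 5/min -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed IPTABLES line from /etc/vz/vz.conf, deliberately lacking
# ipt_state, which reproduces the thread's symptom (SSH rule never matches).
VZ_CONF='IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter ip_conntrack"'

# Map a match (-m NAME) or target (-j NAME) to the module(s) providing it.
# Assumed mapping: tcp/udp/icmp are built into ip_tables, so they need nothing.
module_for() {
  case "$1" in
    state) echo ipt_state; echo ip_conntrack ;;   # state also needs conntrack
    limit|multiport|length|ttl|tos) echo "ipt_$1" ;;
    REJECT|LOG|TOS|TCPMSS|MASQUERADE) echo "ipt_$1" ;;
    *) ;;                                          # built-in or unknown: skip
  esac
}

# Print, one per line, the modules a rule set (read from stdin) requires.
required_modules() {
  awk '/^-A/ { for (i = 1; i <= NF; i++) if ($i == "-m" || $i == "-j") print $(i+1) }' |
    sort -u | while read -r name; do module_for "$name"; done | sort -u
}

# Print the modules that $1 (rule set) needs but $2 (vz.conf text) does not
# list in IPTABLES; an empty result means the VE can load every rule it uses.
missing_modules() {
  allowed=$(printf '%s\n' "$2" | sed -n 's/^IPTABLES="\(.*\)"$/\1/p')
  printf '%s\n' "$1" | required_modules | while read -r mod; do
    case " $allowed " in
      *" $mod "*) ;;
      *) echo "$mod" ;;
    esac
  done
}

missing_modules "$VE_RULES" "$VZ_CONF"
```

Run it on the HN with the VE's rules file and the real vz.conf substituted for the samples; any module it prints must be added to IPTABLES and the VE restarted, which is the fix kermit arrived at.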
Re: Is OpenVZ in Parallels vm known to work? [message #13118 is a reply to message #13092] Mon, 21 May 2007 06:44
Vasily Tarasov (Messages: 1345, Registered: January 2006, Senior Member)
Thank you for the suggestions. I suggest you post them as separate bug reports with enhancement severity to bugzilla.openvz.org.

Thank you,
Vasily.