Problem to setup firewall via Power Panel with CentOS 7

Discussion in 'Containers and Virtual Machines Discussion' started by Machiasiaweb, Mar 3, 2016.

  1. Machiasiaweb

    Machiasiaweb Mega Poster

    Messages:
    163
    Hello,

    I found that there is a problem when using CentOS 7. When using Power Panel to establish a firewall rule, I got the following error:

    --
    Failed to add the firewall rule to the Input chain.
    Error saving the iptables information
    ---
    But when I use CentOS 6, it works fine.

    Does anyone have experience with this?

    My PCS or PVA version is:
    PVA: 6.0-3112
    PCS: 6.0.10-3178

    Thanks!
     
  2. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Messages:
    403
    This issue has already been reported to our development team as a bug #PVA-34477.
    The issue can be worked around by creating the substitute file inside the container (don't forget to set executable permissions for the file):
     
  3. letitgo

    letitgo Bit Poster

    Messages:
    2
    I've just had this problem.
     
  4. chili1001

    chili1001 Kilo Poster

    Messages:
    95
    We have the same problem with Debian 8 container.
    Is there also a workaround?

    Thanks
    Matthias
     
  5. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Messages:
    403
    Hello Matthias,

    AFAIK it's a slightly different issue - a bug previously reported as PVA-34934.
    It will be addressed in the next PVA Update.

    If you click on firewall configuration in PP for Debian 8 container, the following file is created:
    Code:
    root@v276:/# cat /etc/network/if-pre-up.d/iptables
    #!/bin/sh
    /sbin/iptables-restore < /etc/firewall.conf
    
    Since /etc/firewall.conf is absent, there is no network in such a container after the restart.

    Code:
    root@v276:/# ifup venet0:0
    /etc/network/if-pre-up.d/iptables: 2: /etc/network/if-pre-up.d/iptables: cannot open /etc/firewall.conf: No such file
    run-parts: /etc/network/if-pre-up.d/iptables exited with return code 2
    Failed to bring up venet0:0.
    
    Workaround: create /etc/firewall.conf

    Code:
    root@v276:/# touch /etc/firewall.conf
    
    root@v276:/# ifup venet0:0
    root@v276:/# ifup venet0
    Waiting for DAD... Done
    
    Afterwards the firewall should become configurable via VZPP.
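
The failure described in the post above (an if-pre-up.d hook that redirects from a missing rules file makes `ifup` abort) can be checked for before a network restart. This is an added example, not part of the original post or of any Virtuozzo tooling; the function names and the optional root-prefix argument are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# find_broken_restore_hooks HOOK_DIR [ROOT]
# Scans every hook in HOOK_DIR for "iptables-restore < FILE" and reports FILE
# when it is missing (the hook will fail and the interface stays down) or
# empty (the hook succeeds but there are no rules to load).
# ROOT is a hypothetical prefix for checking a container's filesystem from
# outside it; leave it empty to check the running system.
# Returns 1 if any referenced file is missing, 0 otherwise.
find_broken_restore_hooks() {
    _hook_dir=$1
    _root=${2:-}
    _status=0
    for _hook in "$_root$_hook_dir"/*; do
        [ -f "$_hook" ] || continue
        # Take the path after "iptables-restore <" on non-comment lines.
        for _rules in $(sed -n 's/^[^#]*iptables-restore[[:space:]]*<[[:space:]]*\([^[:space:];&|]*\).*/\1/p' "$_hook"); do
            if [ ! -e "$_root$_rules" ]; then
                echo "$_hook: $_rules missing"
                _status=1
            elif [ ! -s "$_root$_rules" ]; then
                echo "$_hook: $_rules empty"
            fi
        done
    done
    return $_status
}

# Constructed sample: a temporary root holding the hook quoted in the post,
# with no /etc/firewall.conf next to it. Prints the temporary root's path.
make_sample_root() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/etc/network/if-pre-up.d"
    printf '%s\n' '#!/bin/sh' '/sbin/iptables-restore < /etc/firewall.conf' \
        > "$_d/etc/network/if-pre-up.d/iptables"
    echo "$_d"
}

sample=$(make_sample_root)
find_broken_restore_hooks /etc/network/if-pre-up.d "$sample" \
    || echo "a hook references a missing rules file; ifup will fail"
rm -rf "$sample"
```

An empty rules file lets the hook succeed but loads no rules, so the "empty" report is worth reviewing as well.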
     
  6. chili1001

    chili1001 Kilo Poster

    Messages:
    95
    Hello Pavel

    Thank you for the answer.

    • I tried this. When the Debian 8 container is created and I try to activate the firewall, I lose the SSH connection to the container, and PP shows "error saving the iptables information".
    • After that I logged in to the container from the node with # vzctl enter CSID
    • I ran # ifup venet0:0 but I got the answer "ifup: interface venet0:0 already configured"
    • I also created firewall.conf in the /etc directory and ran # ifup venet0:0 again
     
  7. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Messages:
    403
    Dear Matthias,

    The part about "ifup" is only an explanation of what happens along the way, causing the issue.
    "touch /etc/firewall.conf" should've been the fix.
    Did you try to manipulate the firewall after the file was "touched"?
    What were the results?
     
  8. chili1001

    chili1001 Kilo Poster

    Messages:
    95
    Hello Pavel

    I just created the firewall.conf file. I have not tried to manipulate the file. I only tried to start the firewall settings from PP again.
     
  9. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Messages:
    403
    Reproduced locally.
    Diagnosis was correct - bug ID is correct.
    Workaround was not correct.
    Proper workaround - to unmount "/tmp" inside of a container:
    vzctl exec $CTID umount /tmp

    Also, remove the line from fstab in the container to avoid new mounts.
    Note, however, if there is software sensitive to "tmp" being "non-tmpfs", it might malfunction.
     
  10. chili1001

    chili1001 Kilo Poster

    Messages:
    95
    Hello Pavel

    Thank you. I think, for the moment, we will stop offering Debian 8 containers until the problem is fixed.
    The workaround is impractical for existing systems.

    Thanks. Matthias
     
  11. chili1001

    chili1001 Kilo Poster

    Messages:
    95
    Hello

    The problem with the CentOS 7 firewall, managed from PP, still exists with the latest version of Virtuozzo.
     
  12. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Messages:
    403
    Hello Matthias,

    The fix wouldn't be a part of the VZ update; the fix will come in a VA (former PVA) update.
    It has not been released yet.
     
  13. chili1001

    chili1001 Kilo Poster

    Messages:
    95
    Thank you, Pavel. Do you have any idea when this could be?
     
  14. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Messages:
    403
    Hello Matthias,

    We do not have a solid ETA so far, but the hotfix should be released somewhere mid May.
    Note that this is not an official announcement, just a rough estimation :)
     
  15. chili1001

    chili1001 Kilo Poster

    Messages:
    95
    :) I will not ask again.
     
  16. Machiasiaweb

    Machiasiaweb Mega Poster

    Messages:
    163
    Hello,

    I want to check: are PVA-34477 and PVA-34934 already resolved?

    Thanks!
     
  17. Pavel

    Pavel A.I. Auto-Responder Odin Team

    Messages:
    403
    The new PVA update has not been shipped so far.
    Are bugs fixed in code? Yes. Is Update shipped? Not yet.
    Please be patient, that is going to be a rather big update.
     
