Re: [PVE-User] NAT Problems with PVE Firewall

2017-06-21 Thread Elias Werberich
Hello,

thank you, it works.
But it will not bypass any firewall rules?

Regards,

Elias Werberich

On 21.06.2017 at 21:12, Yannick Palanque wrote:
> On 2017-06-21 18:26, Elias Werberich wrote:
>> Using SNAT instead of MASQUERADE does not solve the problem.
>> In a pve-devel thread [2] I read that the following rules should help,
>> but it does not work either.
>>
>> post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
>> post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1
>
>
> Hello,
>
> I use
> post-up   iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1
> and I have no problem with NAT and FW.
>
> Regards,
>
>
>
> Yannick Palanque

___
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user


Re: [PVE-User] [pve-devel] Proxmox VE 5.0 beta2 released!

2017-06-21 Thread Gilberto Nunes
And when PVE 5 comes out??

2017-06-19 3:29 GMT-03:00 Emmanuel Kasper:

> > In the meantime, I assume I can install proxmox beta on debian 9 stable ?
> > To start playing with the API, make sure our applications will still work
> > fine, maybe start adding some Cloud-Init support in there :)
>
> Yes, you can install the 5.0 Beta on Debian 9.0, see
> https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Stretch
>



-- 

Gilberto Ferreira
about.me/gilbertof



Re: [PVE-User] NAT Problems with PVE Firewall

2017-06-21 Thread Yannick Palanque

On 2017-06-21 18:26, Elias Werberich wrote:

> Using SNAT instead of MASQUERADE does not solve the problem.
> In a pve-devel thread [2] I read that the following rules should help,
> but it does not work either.
>
> post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
> post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1



Hello,

I use
post-up   iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1
and I have no problem with NAT and FW.

Regards,



Yannick Palanque
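
As an added example (not part of the original thread and not Proxmox code): a POSIX shell check that reads an `iptables-save` dump and lists which interfaces the raw table assigns to a conntrack zone, which it exempts from tracking with `--notrack`, and whether the NAT rule for the guest subnet is present. The sample dump, its `vmbr99` line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the rules discussed in this thread.

# Constructed sample dump (not captured from a real host). The vmbr99 rule is
# made up to show how a tracking exemption is reported.
sample_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i fwbr+ -j CT --zone 1
-A PREROUTING -i vmbr99 -j CT --notrack
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# audit_ruleset SUBNET: reads an iptables-save dump on stdin and prints one
# finding per line:
#   ZONE <iface> <id>    raw PREROUTING rule assigning a conntrack zone
#   NOTRACK <iface>      raw PREROUTING rule exempting traffic from conntrack
#   NAT <subnet> <out>   MASQUERADE/SNAT rule for SUBNET in nat POSTROUTING
audit_ruleset() {
    awk -v subnet="$1" '
        /^\*/ { table = substr($0, 2); next }   # table header such as "*raw"
        $1 != "-A" { next }                     # skip chain policies and COMMIT
        {
            iface = "any"; out = "any"; src = ""; tgt = ""; zone = ""; notrack = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                else if ($i == "-o") out = $(i + 1)
                else if ($i == "-s") src = $(i + 1)
                else if ($i == "-j") tgt = $(i + 1)
                else if ($i == "--zone") zone = $(i + 1)
                else if ($i == "--notrack") notrack = 1
            }
        }
        table == "raw" && $2 == "PREROUTING" && tgt == "CT" && zone != "" { print "ZONE", iface, zone }
        table == "raw" && $2 == "PREROUTING" && (tgt == "NOTRACK" || notrack) { print "NOTRACK", iface }
        table == "nat" && $2 == "POSTROUTING" && src == subnet && (tgt == "MASQUERADE" || tgt == "SNAT") { print "NAT", src, out }
    '
}

sample_ruleset | audit_ruleset 10.0.0.0/24
```

On a PVE node the same function can be fed live data with `iptables-save | audit_ruleset 10.0.0.0/24`, run as root.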


[PVE-User] NAT Problems with PVE Firewall

2017-06-21 Thread Elias Werberich
Dear Proxmox Group,

I am currently trying to configure a simple NAT with PVE Firewall enabled.
As long as I do not enable the firewall on the VM network interface, the
wiki solution [1] works perfectly.
PVE Firewall is enabled on datacenter and node level.

--- BEGIN: /etc/network/interfaces (PVE) ---

auto lo
iface lo inet loopback

allow-hotplug eth0

auto eth0
iface eth0 inet static
address  xxx.yyy.zzz.aaa
netmask  255.255.255.255
gateway  xxx.yyy.zzz.bbb
pointopoint xxx.yyy.zzz.bbb

auto vmbr12
iface vmbr12 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE

--- END: /etc/network/interfaces (PVE) ---

--- BEGIN: /etc/network/interfaces (VM) ---

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address  10.0.0.100
netmask  255.255.255.0
gateway  10.0.0.1

--- END: /etc/network/interfaces (VM) ---

It seems that POSTROUTING is called too early so internal addresses are
not translated.
Using SNAT instead of MASQUERADE does not solve the problem.
In a pve-devel thread [2] I read that the following rules should help,
but it does not work either.

post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1

Using NAT "and" PVE Firewall is not an unusual scenario. It looks like some kind
of "pvefw bug".

Yours sincerely,

Elias Werberich

-
[1]: https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables
[2]: https://pve.proxmox.com/pipermail/pve-devel/2014-March/010406.html




Re: [PVE-User] Container cant start - Ceph Storage

2017-06-21 Thread Daniel
Problem was solved by myself.
Problem was that the Container is already running on another Host.


-- 
Regards
 
Daniel

On 21.06.17, 13:21, "pve-user on behalf of Daniel" wrote:

Hi there,

I have a problem. After my cluster crashes again I can't start 2 nodes which
run on a Ceph Storage.

I got this error:

 lxc-start -name 215 -F
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1317 Path 
"/sys/fs/cgroup/systemd//lxc/ame" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1381 No such file or directory 
- Failed to create /sys/fs/cgroup/systemd//lxc/ame: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1317 Path 
"/sys/fs/cgroup/systemd//lxc/ame-1" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1381 No such file or directory 
- Failed to create /sys/fs/cgroup/systemd//lxc/ame-1: No such file or directory
lxc-start: start.c: start: 1450 No such file or directory - Failed to exec 
"215".
lxc-start: sync.c: __sync_wait: 57 An error occurred in another process 
(expected sequence number 5)
lxc-start: start.c: __lxc_start: 1365 Failed to spawn container "ame".
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/systemd//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/cpuset//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/cpu//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/blkio//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/memory//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/devices//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/freezer//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/net_cls//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/perf_event//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/hugetlb//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/pids//lxc/ame-2
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be 
obtained by setting the --logfile and --logpriority options.


It seems that the device is locked somehow.

Does anyone have an idea what I can do here?

--
Regards

Daniel


[PVE-User] Container cant start - Ceph Storage

2017-06-21 Thread Daniel
Hi there,

I have a problem. After my cluster crashes again I can't start 2 nodes which
run on a Ceph Storage.

I got this error:

 lxc-start -name 215 -F
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1317 Path 
"/sys/fs/cgroup/systemd//lxc/ame" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1381 No such file or directory - 
Failed to create /sys/fs/cgroup/systemd//lxc/ame: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1317 Path 
"/sys/fs/cgroup/systemd//lxc/ame-1" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1381 No such file or directory - 
Failed to create /sys/fs/cgroup/systemd//lxc/ame-1: No such file or directory
lxc-start: start.c: start: 1450 No such file or directory - Failed to exec 
"215".
lxc-start: sync.c: __sync_wait: 57 An error occurred in another process 
(expected sequence number 5)
lxc-start: start.c: __lxc_start: 1365 Failed to spawn container "ame".
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/systemd//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/cpuset//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/cpu//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/blkio//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/memory//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/devices//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/freezer//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/net_cls//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/perf_event//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/hugetlb//lxc/ame-2
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1272 Error destroying 
/sys/fs/cgroup/pids//lxc/ame-2
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained 
by setting the --logfile and --logpriority options.


It seems that the device is locked somehow.

Does anyone have an idea what I can do here?

--
Regards

Daniel