Hi Jehan,

You don't need to configure any capabilities in Virtuozzo 7 anymore, as user
namespaces are used in vz7 now.
Yes, the documentation contains an outdated description; we'll update the docs soon:
https://bugs.openvz.org/browse/OVZ-6802

And in your case you most probably just need to enable conntracks for the Container:
# prlctl set MyCT --netfilter stateful

or if you need NAT as well:
# prlctl set MyCT --netfilter full

Hope that helps.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 10/10/2016 10:42 PM, Jehan Procaccia wrote:
Hello,

By default firewalld doesn't work on a freshly installed container
(centos7-x64).

The docs say:
http://docs.virtuozzo.com/virtuozzo_7_users_guide/advanced-tasks/configuring-capabilities.html?highlight=firewall
I guess I need to enable net_admin:
net_admin     Allows the administration of IP firewalls and accounting.
     off
as it is by default set to off.

But the command is deprecated:
# vzctl set MyCT11 --capability net_admin --save
Warning: The --capability option is deprecated

So I used prlctl (not proposed in the doc above!?):

# prlctl set MyCT11 --capability net_admin:on
Set capabilities: NET_ADMIN:on
The CT has been successfully configured.

But still, in the CT:
/# firewall-cmd --get-active-zones
nothing
/# firewall-cmd --reload
Error: '/sbin/iptables -w2 -t filter -I INPUT 1 -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT' failed: iptables: No chain/target/match
by that name.
as if the NET_ADMIN capability is not saved permanently in the CT definition.

What is the equivalent of vzctl --save with prlctl?
Or did I mess up somewhere else?

Regards.
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users