OpenVZ 7 / Virtuozzo 7 Minimal templates

Comments

• abnoeh OG

  November 2019 edited November 2019

  how did you add debian10 template? I though it needed real 4.x kernel.
• InceptionHosting Hosting ProviderOG

  November 2019

  @abnoeh said:
  how did you add debian10 template? I though it needed real 4.x kernel.

  just for you
  
  Virtuozzo 7 does not bind the kernel version of the host to the container like OpenVZ 6 did.
  I mean it is just a psudo kernel version anyway it just tracks the distro current version and displays it in the container you still use the host nodes kernel but now at least software does not complain about expecting a different version.

  Thanked by (1)abnoeh

  https://inceptionhosting.com
  Please do not use the PM system here for Inception Hosting support issues.
• abnoeh OG

  November 2019 edited November 2019

  tried debian 10 image, firewalls (nftable/ufw/iptables trans) failed to start with error for bunch of nft related kernel modules and unknown option "--dport"

  ERROR: problem running ufw-init
  modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.19.0/modules.builtin.bin'
  modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/4.19.0
  modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.19.0/modules.builtin.bin'
  modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/4.19.0
  modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.19.0/modules.builtin.bin'
  modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.19.0
• InceptionHosting Hosting ProviderOG

  November 2019

  From the host node: vzctl set CTID --netfilter=full --save
  I only made the templates the templates cant enable or give access to kernel modules on the host node for you

  https://inceptionhosting.com
  Please do not use the PM system here for Inception Hosting support issues.
• abnoeh OG

  November 2019 edited November 2019

  @AnthonySmith said:
  From the host node: vzctl set CTID --netfilter=full --save
  I only made the templates the templates cant enable or give access to kernel modules on the host node for you

  well it was your NL OVZ7 node, so... write a ticket?

  https://www.lowendtalk.com/discussion/158922/virtuozzo-7-docker-ready-50-off-double-disk-up-to-6gb-ram-from-21-p-year-netherlands/p1
• InceptionHosting Hosting ProviderOG

  November 2019

  @abnoeh said:

  @AnthonySmith said:
  From the host node: vzctl set CTID --netfilter=full --save
  I only made the templates the templates cant enable or give access to kernel modules on the host node for you

  well it was your NL OVZ7 node, so... write a ticket?

  https://www.lowendtalk.com/discussion/158922/virtuozzo-7-docker-ready-50-off-double-disk-up-to-6gb-ram-from-21-p-year-netherlands/p1

  ah ok: https://clients.inceptionhosting.com/index.php?rp=/knowledgebase/36/Iptables-csf-ufw-firewalld-or-vpn-software-problems.html

  Thanked by (1)abnoeh

  https://inceptionhosting.com
  Please do not use the PM system here for Inception Hosting support issues.
• abnoeh OG

  November 2019 edited November 2019

  @AnthonySmith said:

  ah ok: https://clients.inceptionhosting.com/index.php?rp=/knowledgebase/36/Iptables-csf-ufw-firewalld-or-vpn-software-problems.html

  I found the root cause.
  you need to change firefall framework to iptables in debian 10 image, because debian 10 changed to nftable and need different kernal modules. witch you and most provider doesn't enabled.
  https://wiki.debian.org/nftables >

  # update-alternatives --set iptables /usr/sbin/iptables-legacy
  # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
  # update-alternatives --set arptables /usr/sbin/arptables-legacy
  # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
  

  Thanked by (2)InceptionHosting Bochi
• InceptionHosting Hosting ProviderOG

  November 2019 edited November 2019

  Cool good fix, I will look in to it now I know for the host nodes and add that to the KB I linked, much appreciated!

  edit: enabled on all my nodes now.

  Thanked by (1)abnoeh

  https://inceptionhosting.com
  Please do not use the PM system here for Inception Hosting support issues.
• abnoeh OG

  November 2019

  @AnthonySmith said:
  Cool good fix, I will look in to it now I know for the host nodes and add that to the KB I linked, much appreciated!

  edit: enabled on all my nodes now.

  sorry, but it nftables still looks broken. it ask for nf_nat_ftp,nf_conntrack_ftp and nf_conntrack_netbios_ns
  maybe it's just best to edit image to use legacy iptables.>

  -- A start job for unit nftables.service has begun execution.
  -- 
  -- The job identifier is 79.
  Nov 13 14:04:21  nft[282]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Operation not supported
  Nov 13 14:04:21  nft[282]: flush ruleset
  Nov 13 14:04:21  nft[282]: ^^^^^^^^^^^^^^
  Nov 13 14:04:21  nft[282]: /etc/nftables.conf:5:1-2: Error: Could not process rule: Operation not supported
  Nov 13 14:04:21  nft[282]: table inet filter {
  Nov 13 14:04:21  nft[282]: ^^
  Nov 13 14:04:21  nft[282]: /etc/nftables.conf:6:15-19: Error: Could not process rule: Operation not supported
  Nov 13 14:04:21  nft[282]:         chain input {
  Nov 13 14:04:21 nft[282]:                      ^^^^^
  Nov 13 14:04:21  nft[282]: /etc/nftables.conf:9:15-21: Error: Could not process rule: Operation not supported
  Nov 13 14:04:21  nft[282]:         chain forward {
  Nov 13 14:04:21  nft[282]:                      ^^^^^^^
  Nov 13 14:04:21  nft[282]: /etc/nftables.conf:12:15-20: Error: Could not process rule: Operation not supported
  Nov 13 14:04:21  nft[282]:         chain output {
  Nov 13 14:04:21  nft[282]:                      ^^^^^^
  Nov 13 14:04:21  systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
  -- Subject: Unit process exited
  -- Defined-By: systemd
  -- Support: https://www.debian.org/support
  
• abnoeh OG

  November 2019

  Update : enableing nftable related kernel modules touched upsteam bug, and tring to using it will cause kernel panic and make host(not single container) to reboot. Looks like use legacy iptable is best for now
• greensysadmin OG

  November 2019

  Just want to thank you Ant, you probably recall me and you having a silly set-to on the old forum as my Debian 9 instance was running out of RAM for apt commands. I switched to your new Ubuntu 18.04 template and used the PPA to get wireguard-tools, which seems to use less resources than pinning the unstable repo on Debian to get that package and its dependencies.

  (If anyone is interested, I'm following this guide to get wireguard-go working on my LES box:

  https://d.sb/2019/07/wireguard-on-openvz-lxc

  Obviously, switching out the section about pinning the Debian unstable repo and using the Wireguard PPA instead, still issuing "apt-get install wireguard-tools --no-install-recommends". The rest of the guide works really well (I compile wireguard-go on my local machine and push it onto my instance) and with wireguard-go and an OpenVPN server setup, as well as fail2ban, I'm still only using about 39M RAM on idle and all apt commands seem to be working without any issues.)

  Thanked by (2)InceptionHosting mikho