PVE 4.1-26 & CSF iptables modules missing

karnz

Hello,

I just did a fresh installation of PVE and would like to use the CSF firewall within LXC, but some modules are missing.

--- log from CSF test script within LXC (CentOS 6) ---
[root@ct1 ~]# ./csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: FATAL: Could not load /lib/modules/4.2.6-1-pve/modules.dep: No such file or directory] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: FATAL: Could not load /lib/modules/4.2.6-1-pve/modules.dep: No such file or directory] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf will not function on this server due to FATAL errors from missing modules [1]
---

--- pveversion on HW node ---
root@pm1:/etc/pve/lxc# pveversion -v
proxmox-ve: 4.1-26 (running kernel: 4.2.6-1-pve)
pve-manager: 4.1-1 (running version: 4.1-1/2f9650d4)
pve-kernel-4.2.6-1-pve: 4.2.6-26
lvm2: 2.02.116-pve2
corosync-pve: 2.3.5-2
libqb0: 0.17.2-1
pve-cluster: 4.0-29
qemu-server: 4.0-41
pve-firmware: 1.1-7
libpve-common-perl: 4.0-41
libpve-access-control: 4.0-10
libpve-storage-perl: 4.0-38
pve-libspice-server1: 0.12.5-2
vncterm: 1.2-1
pve-qemu-kvm: 2.4-17
pve-container: 1.0-32
pve-firewall: 2.0-14
pve-ha-manager: 1.0-14
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u1
lxc-pve: 1.1.5-5
lxcfs: 0.13-pve1
cgmanager: 0.39-pve1
criu: 1.6.0-1
zfsutils: 0.6.5-pve6~jessie
---

I used PVE a long time ago and knew that we could insert "IPTABLES=xxx yyy zzz" into /etc/vz/vz.conf, but now that file is missing or relocated to another folder? Or do I have another option to do this?
I already googled but found no results for the latest PVE 4.1 at all (all answers point to /etc/vz/vz.conf, which is available only in previous versions).

Just another question: has anyone ever successfully migrated Odin Virtuozzo (ploop fs) to Proxmox LXC?

Thanks.
 
I used PVE a long time ago and knew that we could insert "IPTABLES=xxx yyy zzz" into /etc/vz/vz.conf, but now that file is missing or relocated to another folder?

We do not use OpenVZ any longer, so you cannot use that config file. Instead, add those modules to /etc/modules, so that they get loaded at startup.
 
Thanks Dietmar, I tried inserting them into /etc/modules and rebooting the server, but no luck; I still got the same error.
I want to try this latest version of Proxmox, then I can migrate from Virtuozzo soon.
CSF is one of the common things on every container we are running.

Do you have other suggestions? Thanks!
 
Yes, it works out of the box on the host side even though I left /etc/modules untouched. The tests below are all OK, but not for LXC.
I'm running Proxmox on Odin's KVM (for testing purposes). Is this the reason iptables is not working within LXC?

---
root@pm1:~/csf# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server
---

Another question: is a cluster limited to 3 Proxmox hosts (on KVM)? Because when I join another host, I get a "Waiting for quorum..." error and a timeout. Trying to join again gives:

---
can't create shared ssh key database '/etc/pve/priv/authorized_keys'
cluster config '/etc/pve/corosync.conf' already exists
---
 
Is this the reason iptables is not working within LXC?

Honestly, I never tested that. Instead, I always use the Proxmox VE firewall, or use KVM to run such things.

Another question: is a cluster limited to 3 Proxmox hosts (on KVM)?

No, you can use up to 32 nodes.

Because when I join another host, I get a "Waiting for quorum..." error and a timeout. Trying to join again gives:

Looks like a multicast problem on the network.


can't create shared ssh key database '/etc/pve/priv/authorized_keys'
cluster config '/etc/pve/corosync.conf' already exists
---

You need to use the --force flag if you join a node that already exists.
 
I had the same error and ran:

#cp -r /lib/modules/"folder-kernel-latest" /lib/modules/"folder-kernel-missing"/

#example :
#cd /lib/modules/
#cp -r 2.6.32-696.6.3.el6.x86_64/ 4.4.67-1-pve/

"Error: FATAL: Could not load" has been resolved.

I usually handle this error with the netfilter=full option on Virtuozzo, but here there is no fix!
Best regards,
 
Using iptables within containers should work fine; however, the containers cannot trigger autoloading of modules which have not yet been loaded. You have to do this on the host. Use modprobe to load the missing modules on the host.
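
One way to apply the advice above on the Proxmox host, as an added example that is not part of the original thread: it compares a /proc/modules-style listing against the modules csftest.pl reported as FAILED and prints the modprobe commands still needed. The function names, the `--check` switch and the sample listing are constructed for illustration; the xt_ module names are taken from the failed test lines.

```shell
#!/bin/sh
# Added example: run on the PVE host, not inside the container.
# Module names taken from the FAILED csftest.pl lines in this thread.
REQUIRED_MODULES="xt_multiport xt_connlimit xt_owner"

# Print required modules absent from a /proc/modules-style listing.
# $1 = listing file, remaining args = module names.
# Note: modules built into the kernel do not appear in /proc/modules.
missing_modules() {
    listing=$1; shift
    for mod in "$@"; do
        # Exact match on the first field only (the module name column).
        if ! awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$listing"; then
            printf '%s\n' "$mod"
        fi
    done
}

# Print modules not yet listed in an /etc/modules-style file, i.e. those
# that would not be loaded again after a host reboot.
not_persisted() {
    conf=$1; shift
    for mod in "$@"; do
        grep -qx "$mod" "$conf" 2>/dev/null || printf '%s\n' "$mod"
    done
}

# Dry run: print the modprobe commands the host still needs.
plan() {
    for mod in $(missing_modules "$1" $REQUIRED_MODULES); do
        echo "modprobe $mod"
    done
}

# Constructed sample of /proc/modules on a host where only xt_multiport is loaded.
sample_proc_modules() {
    cat <<'EOF'
xt_multiport 16384 2 - Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
x_tables 36864 3 xt_multiport,iptable_filter,ip_tables, Live 0x0000000000000000
EOF
}

# Usage on the host: sh check-csf-modules.sh --check
if [ "${1:-}" = "--check" ]; then
    plan /proc/modules
    not_persisted /etc/modules $REQUIRED_MODULES | sed 's/^/not in \/etc\/modules: /'
fi
```

After running the printed modprobe commands on the host, re-run csftest.pl inside the container to confirm the FAILED lines are gone.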
 