a couple containers lost networking a couple days ago, i'm thinking it likely the issue is iptables commands being issued by system code somewhere. we manage iptables with our own firewall script. we're running openvz7 on centos7. i already removed firewalld, and i would like to know what code causes the following three entries in /var/log/messages:
Oct 5 15:53:05 pecan kernel: Bridge firewalling registered
Oct 5 15:53:16 pecan systemd: Started SYSV: setup firewall (iptables) rules (INPUT chain for the HN, FORWARD chain for clients).
Oct 5 15:53:48 pecan prl_disp_service: 10-05 15:53:48.987 W /cmn_utils:2214:2391/ Start setting basic firewall rules...
that's the page that primarily served as template for the firewall script we're using. in centos6/openvz6 this has worked fine. in centos7/openvz7, even with firewalld already uninstalled, we see quite a bit of firewall/iptables related logging in /var/log/messages (see my OP for examples), but with no indication where to find the code that's causing the messages!
the dearth of documentation leaves me wondering if the path of least resistance is to give up on our own trusty iptables management script, and reinstall and learn to use firewalld, in the likelihood that's what's expected of us.
that's not really what i want to do tho. we already have traffic accounting all implemented in our own script, and learning and reimplementing in a new layer of abstraction doesn't strike me as all that likely to lead to an increase in either functionality or reliability.
Well, it was your OP output that I used for a quick search, and I noticed the reference to the HN firewall, so I assumed that was involved? Did you not investigate that further?
You're not forced to use firewalld, so you can leave that out of the equation if already disabled.
indeed, that's the advice from which i wrote our current iptables management script several years ago, and it has served us very well in centos6/openvz6.
documentation for openvz7 however seems rather lacking. i'm trying to find out what system code in centos7/openvz7 is now stepping in to manipulate iptables even in the absence of firewalld. /var/log/messages is filled with messages about manipulating iptables that our script didn't generate. i want to find the code that's generating those messages.
Well, the first entry is associated with OpenVZ for configured network bridging AFAIU.
Quote:
indeed, that's the advice from which i wrote our current iptables management script several years ago, and it has served us very well in centos6/openvz6.
So you are using HN firewall, that seems to be what the second line you shared is about.
prl-disp-service is an OpenVZ management service. It is a component of OpenVZ.
That's about all I can offer. I'm sure you can search online as well as I. Perhaps you can get the required support from the OpenVZ forum. Good luck with this.
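One way to trace the second log line in the thread back to the file that produced it, as an added example that is not part of any post above. It relies on systemd's SysV generator naming a unit "SYSV: " plus the chkconfig `# description:` header when the init script has no LSB header; the sample directory and the script names `demo-firewall` and `demo-other` are constructed for the demonstration.

```shell
#!/bin/sh
# Trace a systemd "Started SYSV: <text>" log line back to the init script
# whose chkconfig "# description:" header supplied <text>.

# Print the description carried by a syslog line, or nothing if the line
# is not a systemd message about a SYSV-generated unit.
sysv_description() {
    printf '%s\n' "$1" |
        sed -n 's/^.* systemd[^:]*: [A-Za-z]* SYSV: \(.*[^.]\)\.*$/\1/p'
}

# Print "<path><TAB><description>" for each script in directory $1,
# joining backslash-continued description lines with a single space.
script_descriptions() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v path="$f" '
            !on && /^#[ \t]*description:/ { on = 1; sub(/^#[ \t]*description:/, "") }
            on {
                sub(/^#?[ \t]*/, "")         # drop comment marker and indent
                more = sub(/[ \t]*\\$/, "")  # trailing backslash: continued
                desc = (desc == "" ? $0 : desc " " $0)
                if (!more) { print path "\t" desc; exit }
            }' "$f"
    done
}

# $1 = log line, $2 = init script directory; prints matching script paths.
find_sysv_script() {
    want=$(sysv_description "$1")
    [ -n "$want" ] || return 1
    script_descriptions "$2" |
        awk -F '\t' -v want="$want" '$2 == want { print $1; hit = 1 } END { exit !hit }'
}

# Constructed sample: a stand-in init directory with hypothetical scripts.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/demo-firewall" <<'EOF'
#!/bin/sh
# chkconfig: 2345 08 92
# description: setup firewall (iptables) rules (INPUT chain for the HN, \
#              FORWARD chain for clients)
EOF
printf '#!/bin/sh\n# description: unrelated demo service\n' > "$SAMPLE_DIR/demo-other"

# Second log line from the thread, copied verbatim.
LOG_LINE='Oct 5 15:53:16 pecan systemd: Started SYSV: setup firewall (iptables) rules (INPUT chain for the HN, FORWARD chain for clients).'
find_sysv_script "$LOG_LINE" "$SAMPLE_DIR"
```

On a CentOS 7 host the directory to pass would be `/etc/rc.d/init.d`, and `rpm -qf` on the printed path reports which package, if any, owns the script.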