Miscellaneous openVZ notes
Enabling iptables modules for container
Enabling iptables conntrack modules in container
By default the iptables connection tracking modules are not enabled for a container, so the 'state' match (-m state) does not work inside it. To enable the state match in a container, run on the base machine:
vzctl set <CID> --iptables iptable_filter --iptables ip_conntrack --save
Note that the new module list only takes effect after the container has been stopped and started again (vzctl restart <CID>). The base machine must also have the connection tracking modules loaded, preferably because its own firewall already uses them. If -m state still fails inside the container, add ipt_state (the module that provides the state match itself; xt_state on newer kernels) to the --iptables list as well.
Enabling iptables nat module for container
By default the nat module for iptables is not enabled for a container either. To enable it use:
vzctl set <CID> --iptables iptable_nat --save
Source NAT for containers using base machine
Source NAT on the base machine gives a container LAN/Internet access without requiring an additional IP and without exposing the container to the outside world: only connections initiated by the container, and their replies, pass through. Run the following on the base machine, which must have IP forwarding enabled (net.ipv4.ip_forward=1) and the nat and conntrack modules loaded, to NAT outgoing connections from the container:
iptables -t nat -I POSTROUTING -s <container-private-IP> -o <exit-interface> -j SNAT --to-source <base-machine-IP>
Here <base-machine-IP> is the base machine's own address on <exit-interface>, not the container's private address (rewriting the source to the address it already has would change nothing). If that interface gets its address dynamically, use -j MASQUERADE without --to-source instead.
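The conntrack/nat module setup and the SNAT rule from the two sections above, combined into one host-side script. This is an added example written for these notes, not a command sequence from the original page or from the OpenVZ project. It assumes the container configuration lives under /etc/vz/conf/<CID>.conf (overridable through the VZ_CONF variable), it adds ipt_state to the module list because that module provides the state match, and it reads the existing IPTABLES= value from the config and merges it with the new modules, so that a later vzctl set --iptables never silently drops modules enabled earlier.

```shell
#!/bin/sh
# Added example (not from the original notes): give container CID a stateful
# firewall (conntrack + nat modules) and SNAT its outbound traffic via the host.
# Run on the OpenVZ base machine as root:
#   ./ct-net.sh <CID> <container-private-IP> <exit-interface> <base-machine-IP>
# Assumption: container configs are /etc/vz/conf/<CID>.conf (override with VZ_CONF).
set -e

VZ_CONF=${VZ_CONF:-/etc/vz/conf}
# iptable_filter and ip_conntrack as in the notes, ipt_state for the state match
# itself, iptable_nat so the container can use its own nat table if it wants to.
WANTED_MODULES="iptable_filter ip_conntrack ipt_state iptable_nat"

# merge_modules CURRENT WANTED -> prints CURRENT plus every WANTED entry not already
# present, order preserved, no duplicates. vzctl set --iptables stores the whole
# IPTABLES= value, so we always pass the full merged list, not just the new names.
merge_modules() {
    out=""
    for m in $1 $2; do
        case " $out " in
            *" $m "*) ;;
            *) out="${out:+$out }$m" ;;
        esac
    done
    printf '%s\n' "$out"
}

# current_modules CID -> prints the IPTABLES= value from the container config,
# or nothing if the config does not exist or has no such line.
current_modules() {
    f="$VZ_CONF/$1.conf"
    [ -r "$f" ] || return 0
    sed -n 's/^IPTABLES="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$f" | tail -n 1
}

# snat_rule CT_IP IFACE HOST_IP -> prints the rule spec (chain + match + target)
# shared by the -C (check) and -I (insert) calls below.
snat_rule() {
    printf '%s\n' "POSTROUTING -s $1/32 -o $2 -j SNAT --to-source $3"
}

# ensure_snat CT_IP IFACE HOST_IP: insert the SNAT rule only if it is not already
# there, so re-running the script does not stack duplicate rules.
ensure_snat() {
    spec=$(snat_rule "$1" "$2" "$3")
    # word splitting of $spec into separate iptables arguments is intended
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -I $spec
}

main() {
    cid=$1; ct_ip=$2; iface=$3; host_ip=$4
    mods=$(merge_modules "$(current_modules "$cid")" "$WANTED_MODULES")
    vzctl set "$cid" --iptables "$mods" --save
    # the module list is only read when the container starts
    vzctl restart "$cid"
    # the base machine has to route for the container (OpenVZ usually sets this)
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ensure_snat "$ct_ip" "$iface" "$host_ip"
    # Append the usual stateful accept rule inside the container; if this fails,
    # the state match is still unavailable there.
    vzctl exec "$cid" iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# with no arguments only define the functions (so the file can be sourced)
[ $# -eq 0 ] || main "$@"
```

The last vzctl exec doubles as the check that the restart actually picked up the new module list: if it reports that the state match cannot be loaded, either the container was not restarted or the base machine itself does not have connection tracking loaded.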
Enabling tun/tap devices for container
To enable tun/tap devices in a container (for example to run a VPN server inside it), use the following steps:
- Run the following commands, with the appropriate CID, on the base machine:
- vzctl set <CID> --devnodes net/tun:rw --save
- vzctl set <CID> --devices c:10:200:rw --save
- vzctl set <CID> --capability net_admin:on --save
- Note that net_admin is a broad capability: it lets the container's root user reconfigure the container's network stack, so grant it only to containers you trust.
- Run the following commands as root inside the container:
- mkdir -p /dev/net
- mknod /dev/net/tun c 10 200 (only if /dev/net/tun does not exist yet; 10:200 are the same major/minor numbers as in the --devices rule above)
- chmod 600 /dev/net/tun
- Restart the container.
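The tun/tap procedure above as one script with a host half, a container half and the final restart, plus a check that the node inside the container really is the TUN character device. This is an added example written for these notes, not a script from the original page or from the OpenVZ project. It assumes GNU stat (for the %F, %t and %T format specifiers) and that vzctl is on the PATH of the base machine.

```shell
#!/bin/sh
# Added example (not part of the original notes): enabling /dev/net/tun in an
# OpenVZ container. Run the three steps in this order:
#   on the base machine as root:   ./ct-tun.sh host <CID>
#   inside the container as root:  ./ct-tun.sh ct
#   on the base machine as root:   ./ct-tun.sh restart <CID>
set -e

TUN_MAJOR=10
TUN_MINOR=200

# verify_tun PATH -> 0 when PATH is a character device numbered 10:200, 1 otherwise.
# Assumes GNU stat: %t/%T print major/minor in hex, so 10:200 shows up as a:c8.
verify_tun() {
    desc=$(stat -c '%F:%t:%T' "$1" 2>/dev/null) || return 1
    [ "$desc" = "character special file:a:c8" ]
}

# host_side CID: the three vzctl settings from the notes above.
host_side() {
    vzctl set "$1" --devnodes net/tun:rw --save
    vzctl set "$1" --devices "c:$TUN_MAJOR:$TUN_MINOR:rw" --save
    # CAP_NET_ADMIN lets the container's root reconfigure its network stack. It is
    # a broad capability, so grant it only to containers whose root user you trust.
    vzctl set "$1" --capability net_admin:on --save
}

# container_side: run as root inside the container. Creates the node if it is
# missing or wrong, then restricts it to root (the notes' chmod 600).
container_side() {
    mkdir -p /dev/net
    if ! verify_tun /dev/net/tun; then
        rm -f /dev/net/tun       # drop a stale regular file or mis-numbered node
        mknod /dev/net/tun c "$TUN_MAJOR" "$TUN_MINOR"
    fi
    chmod 600 /dev/net/tun
    verify_tun /dev/net/tun
}

# restart_side CID: the new settings only apply on a fresh start; confirm from the host.
restart_side() {
    vzctl restart "$1"
    vzctl exec "$1" "test -c /dev/net/tun" \
        && echo "CT $1: /dev/net/tun is a character device"
}

case "${1:-}" in
    host)    host_side "$2" ;;
    ct)      container_side ;;
    restart) restart_side "$2" ;;
    "")      ;;              # no arguments: only define the functions
    *)       echo "usage: $0 host <CID> | ct | restart <CID>" >&2; exit 2 ;;
esac
```

The container half checks the existing node before touching it, so it is safe to run on a container where vzctl has already created /dev/net/tun as well as on one where the node was never made; in both cases it finishes with a verification that fails loudly if /dev/net/tun is anything other than the 10:200 character device.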