New openmediavault-kvm plugin
- ryecoaaron
Closed
-
How to add a bridge the right way in OMV6? Cannot add it here.
Adding a bridge the right way does not need adding to the Networks tab. When you create the VM, choose bridge for the model and type in the bridge name. If you aren't getting an IP, something is wrong with your bridge or the VM.
-
Hi, you are right, it works when I remove Docker.
It is not the bridge or the VM, but it has something to do with Docker.
BTW, this is a brand new installation.
How to solve?
-
Hi, you are right, it works when I remove Docker.
It is not the bridge or the VM, but it has something to do with Docker.
This is a difficult one to solve because Docker adds firewall (iptables-legacy) rules that break the bridge's traffic. The easiest way to fix it is to run Docker in a VM. Otherwise, you need to add rules.
-
Hi, you are right, it works when I remove Docker.
It is not the bridge or the VM, but it has something to do with Docker.
BTW, this is a brand new installation.
How to solve?
The problem could be that you created the bridge when the containers were already working. Recreating the containers could be the solution.
-
The problem could be that you created the bridge when the containers were already working. Recreating the containers could be the solution.
Thanks for the reaction, it's the iptables.
-
Aaron, I haven't been looking hard, but are backups implemented in the GUI now?
-
are backups implemented in the GUI now?
No. Between porting to OMV 6.x and trying to get things to work better (moving some actions to virsh) and VM creation using virt-install (to not have to maintain xml in the plugin), I haven't got to backups.
-
What should the permissions be for the two folders "pool" and "ISOS"?
I created the folders using everyone:read,write as I struggled to get it to work otherwise.
Is that the correct way?
-
What should the permissions be for the two folders "pool" and "ISOS"?
I created the folders using everyone:read,write as I struggled to get it to work otherwise.
Is that the correct way?
That is a good question. I'm not going to lie here: when I say in the guide "pay attention to the permissions of these folders", it's because I don't know the right answer, so I'm just giving the warning. I can only say that my pool and ISOS folders are owned by root and have 775 permissions and they work.
Maybe ryecoaaron can shed some light here.
-
VMs are run as the libvirt-qemu user. So, that user should own the folder and have executable permissions. I will look into adding a button that fixes permissions.
chown libvirt-qemu:root /path/to/folder
chmod 700 /path/to/folder
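The ownership and mode from the post above, as a check-and-fix script added here for this page (it is not part of the openmediavault-kvm plugin and not ryecoaaron's code). It assumes GNU stat and that the VM user is libvirt-qemu as stated above (VM_USER overrides that); the function names and the VM_USER variable are mine. The fix step needs root, and the paths are whatever the pool and ISOS shared folders resolve to on disk.

```shell
#!/bin/sh
# Added example, not part of the openmediavault-kvm plugin or the post above.
# Checks that the directories behind the "pool" and "ISOS" shared folders are
# owned by the VM user with rwx for the owner, and applies the chown/chmod from
# the post only when a check fails. Assumes GNU stat. VM_USER defaults to
# libvirt-qemu as stated in the thread (assumption: override it if libvirt on
# your host runs QEMU as a different user). The fix step must run as root.

VM_USER="${VM_USER:-libvirt-qemu}"

# dir_owner_ok DIR USER: succeed if DIR exists and is owned by USER.
dir_owner_ok() {
    [ -d "$1" ] && [ "$(stat -c '%U' "$1")" = "$2" ]
}

# dir_mode_ok DIR: succeed if the owner has rwx (mode 7xx; a leading setgid or
# sticky digit such as 2775 is tolerated).
dir_mode_ok() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        7??|?7??) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_vm_dir DIR USER: report both checks; return 0 only if both pass.
check_vm_dir() {
    dir="$1"; user="$2"; rc=0
    if dir_owner_ok "$dir" "$user"; then
        echo "ok:   $dir is owned by $user"
    else
        echo "FAIL: $dir is not owned by $user (owner: $(stat -c '%U' "$dir" 2>/dev/null || echo missing))"
        rc=1
    fi
    if dir_mode_ok "$dir"; then
        echo "ok:   $dir mode $(stat -c '%a' "$dir") gives the owner rwx"
    else
        echo "FAIL: $dir mode $(stat -c '%a' "$dir" 2>/dev/null || echo '?') denies the owner rwx"
        rc=1
    fi
    return $rc
}

# fix_vm_dir DIR USER: exactly the two commands from the post.
fix_vm_dir() {
    chown "$2:root" "$1" && chmod 700 "$1"
}

# Usage (as root): ./vmdirperms.sh /path/to/pool /path/to/ISOS
# Without arguments nothing is touched.
for d in "$@"; do
    check_vm_dir "$d" "$VM_USER" && continue
    echo "fixing $d"
    fix_vm_dir "$d" "$VM_USER" && check_vm_dir "$d" "$VM_USER"
done
```

One consequence of 700 owned by libvirt-qemu that the thread does not address: every other non-root service is locked out of the folder, so anything else that is supposed to read or write ISOs there (an SMB share, for instance) needs a different arrangement than this one.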
-
VMs are run as the libvirt-qemu user. So, that user should own the folder and have executable permissions
Added to the guide.
-
VMs are run as the libvirt-qemu user. So, that user should own the folder and have executable permissions. I will look into adding a button that fixes permissions.
chown libvirt-qemu:root /path/to/folder
chmod 700 /path/to/folder
Fixed permissions of those two folders as above.
All good, thanks ryecoaaron.
-
Seeing the same thing with not being able to get an IP address using networking setup method 3 (to be able to ping host and outside).
Would really love to debug this. Any chance someone could chime in on what to put into the iptables rules that Docker creates for it to work just like the ethernet interface does?
On my host machine, which is running OMV, here is the ip a output:
Code
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether a8:a1:59:58:00:10 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:8b:52:3d:de:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
4: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 8c:8d:28:29:16:93 brd ff:ff:ff:ff:ff:ff
5: br-7e3e85864134: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ee:9c:35:1f brd ff:ff:ff:ff:ff:ff
    inet 172.28.0.1/16 brd 172.28.255.255 scope global br-7e3e85864134
       valid_lft forever preferred_lft forever
    inet6 fe80::42:eeff:fe9c:351f/64 scope link
       valid_lft forever preferred_lft forever
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:2f:48:89:04 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:2fff:fe48:8904/64 scope link
       valid_lft forever preferred_lft forever
I'm able to ping from the host outside just fine, and also able to ping other Docker containers just fine too.
This is what Docker injects into iptables currently:
Code
# Warning: iptables-legacy tables present, use iptables-legacy to see them
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7e3e85864134 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7e3e85864134 -j DOCKER
-A FORWARD -i br-7e3e85864134 ! -o br-7e3e85864134 -j ACCEPT
-A FORWARD -i br-7e3e85864134 -o br-7e3e85864134 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8282 -j ACCEPT
-A DOCKER -d 172.28.0.2/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 4533 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 4443 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.28.0.4/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.28.0.5/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.28.0.6/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8096 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p udp -m udp --dport 51820 -j ACCEPT
-A DOCKER -d 172.28.0.7/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.28.0.8/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER -d 172.28.0.9/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 7878 -j ACCEPT
-A DOCKER -d 172.28.0.10/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 9696 -j ACCEPT
-A DOCKER -d 172.28.0.11/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.28.0.12/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 6767 -j ACCEPT
-A DOCKER -d 172.28.0.13/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8989 -j ACCEPT
-A DOCKER -d 172.28.0.14/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 9101 -j ACCEPT
-A DOCKER -d 172.28.0.15/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8686 -j ACCEPT
-A DOCKER -d 172.28.0.16/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.28.0.18/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.28.0.20/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.28.0.20/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7e3e85864134 ! -o br-7e3e85864134 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7e3e85864134 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
Looks like Docker creates its own bridge (br-7e3e85864134) and I see no mention of the network change I made in OMV that's just called br0. Do I somehow need to add it to this? Any ideas? Thank you in advance.
-
Answering my own question from above... so I guess this was all I needed:
Code
iptables -I FORWARD -i br0 -o br0 -j ACCEPT
Found via https://www.reddit.com/r/OpenM…s_libvirt_bridge_network/
Does anyone know if this line is safe? Does it bypass all rules/port closures or anything of that nature?
-
Does anyone know if this line is safe? Does it bypass all rules/port closures or anything of that nature?
If you don't have other firewall rules, then this is safe. You are just changing br0 back to the default behavior that Docker is changing. I would add this rule in the OMV firewall interface to make sure it is persistent.
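The rule discussed above, as an added diagnostic and idempotent installer written for this page (example code, not from the thread, the plugin or Docker). It reads an iptables -S listing, reports the FORWARD policy, checks whether traffic that enters and leaves on the bridge is already accepted, and prints the rule in a form that can be re-run without stacking duplicates. Assumptions: GNU awk/grep; BRIDGE defaults to br0, the name used in the thread; the RULES variable, the function names and the embedded sample listing (a constructed excerpt of the listing posted above) are mine. If you see the "iptables-legacy tables present" warning from the listing above, run it once more with RULES="$(iptables-legacy -S)" to check the legacy table too.

```shell
#!/bin/sh
# Added example, not from the thread, the openmediavault-kvm plugin or Docker.
# Symptom from the thread: a VM bridged onto BRIDGE gets no IP once Docker runs.
# Cause visible in the listing above: Docker sets "-P FORWARD DROP", and with
# br_netfilter loaded, frames switched inside a bridge are passed through
# FORWARD with in- and out-interface both equal to the bridge, so they hit
# the DROP policy. The thread's rule accepts exactly that traffic and nothing
# else. Assumes GNU awk/grep. BRIDGE and RULES are this script's own knobs.

BRIDGE="${BRIDGE:-br0}"

# forward_policy: read an `iptables -S` listing on stdin and print the FORWARD
# chain policy (ACCEPT or DROP).
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# has_bridge_accept BRIDGE: read a listing on stdin; succeed if frames that
# enter and leave on BRIDGE are already accepted in FORWARD or DOCKER-USER.
has_bridge_accept() {
    grep -Eq -- "^-A (FORWARD|DOCKER-USER) -i $1 -o $1 -j ACCEPT( |\$)"
}

# bridge_nf_active: succeed if bridged frames are handed to iptables at all
# (the sysctl only exists once the br_netfilter module is loaded).
bridge_nf_active() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# diagnose LISTING BRIDGE: print findings; return 0 when no fix is needed,
# 1 when BRIDGE traffic would fall through to the DROP policy.
diagnose() {
    listing="$1"; br="$2"
    pol=$(printf '%s\n' "$listing" | forward_policy)
    echo "FORWARD policy: ${pol:-unknown}"
    if printf '%s\n' "$listing" | has_bridge_accept "$br"; then
        echo "accept rule for $br -> $br: present"
        return 0
    fi
    echo "accept rule for $br -> $br: missing"
    [ "$pol" = DROP ] || return 0   # no DROP policy, so the traffic passes anyway
    return 1
}

# fix_cmd BRIDGE: the thread's one-liner made idempotent. -C tests whether the
# rule exists; -I inserts it at the top of FORWARD only when -C fails.
fix_cmd() {
    printf 'iptables -C FORWARD -i %s -o %s -j ACCEPT 2>/dev/null || iptables -I FORWARD -i %s -o %s -j ACCEPT\n' "$1" "$1" "$1" "$1"
}

# Constructed sample: the lines of the listing posted in the thread that
# matter here (the per-container DOCKER rules are left out).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN'

main() {
    if [ -n "$RULES" ]; then
        listing="$RULES"
    else
        listing=$(iptables -S 2>/dev/null)
        if [ -z "$listing" ]; then
            echo "no iptables listing available (not root, or no iptables); using the constructed sample"
            listing="$SAMPLE_RULES"
        fi
    fi
    if bridge_nf_active; then
        echo "br_netfilter: active, bridged frames traverse FORWARD"
    else
        echo "br_netfilter: not active or sysctl not readable"
    fi
    if diagnose "$listing" "$BRIDGE"; then
        echo "nothing to do"
    else
        echo "fix (run as root):"
        fix_cmd "$BRIDGE"
    fi
}
main
```

Why the rule is as narrow as the answer above says: it matches only frames that both enter and leave on br0, which with br_netfilter loaded is precisely the VM's bridged traffic, so forwarding between br0 and docker0 or any other interface stays under the DROP policy. Docker documents the DOCKER-USER chain for rules that should survive daemon restarts, and the listing above shows FORWARD jumping to it before Docker's own rules, so inserting the same rule into DOCKER-USER is an equivalent placement. Setting net.bridge.bridge-nf-call-iptables=0 would keep bridged frames out of iptables entirely, but that applies to Docker's bridges as well and docker info warns about it, which makes the explicit per-bridge rule the smaller change.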
-
Does this look right? And do I need the same rule for OUTPUT too?
Looks ok to me. I would try it with just input since the source and destination are the same.