New openmediavault-kvm plugin

hli · 19. Januar 2022

Hi
how to add a bridge the right way in omv6 can not add it here

hli · 19. Januar 2022

i create the normal network bridge and this is working

hli · 19. Januar 2022

when i add it here , i can't get an ip

Please help

ryecoaaron · 19. Januar 2022

Zitat von hli

how to add a bridge the right way in omv6 can not add it here

Adding a bridge the right way does not need adding to the Networks tab. When you create the VM, choose bridge for the model and type in the bridge name. If you aren't getting an IP, something is wrong with your bridge or the VM.

hli · 19. Januar 2022

Hi you are right it works when i remove Docker

it is not the bridge or the VM but it has something to do with Docker

btw this is a brand new installation

how to solve

ryecoaaron · 19. Januar 2022

Zitat von hli

Hi you are right it works when i remove Docker

it is not the bridge or the VM but it has something to do with Docker

This is a difficult one to solve because docker adds firewall (iptables-legacy) rules that break the bridges traffic. The easiest way to fix is to run docker in a VM. Otherwise, you need to add rules.

chente · 19. Januar 2022

Zitat von hli

Hi you are right it works when i remove Docker

it is not the bridge or the VM but it has something to do with Docker

btw this is a brand new installation

how to solve

The problem could be that you created the bridge when the containers were already working. Recreating the containers could be the solution.

hli · 19. Januar 2022

Zitat von chente

The problem could be that you created the bridge when the containers were already working. Recreating the containers could be the solution.

Thank's for the reaction it's the iptables

ness1602 · 24. Januar 2022

Aaron,i haven't been looking hard, but are backups implemented in gui now?

ryecoaaron · 24. Januar 2022

Zitat von ness1602

are backups implemented in gui now?

No. Between porting to OMV 6.x and trying to get things to work better (moving some actions to virsh) and VM creation using virt-install (to not have to maintain xml in the plugin), I haven't got to backups.

meracl · 25. Januar 2022

What should be the permissions for the two folders "pool" "ISOS".

I created the folders using everyone:read, write as i struggled to get it to work otherwise.

Is that the correct way?

chente · 25. Januar 2022

Zitat von meracl

What should be the permissions for the two folders "pool" "ISOS".
I created the folders using everyone:read, write as i struggled to get it to work otherwise.
Is that the correct way?

That is a good question. I'm not going to lie here , when I say in the guide "pay attention to the permissions of these folders" it's because I don't know the right answer, so I'm just giving the warning. I can only say that my pool and ISOS folders are owned by root and have 775 permissions and they work.

Maybe ryecoaaron can shed some light here.

ryecoaaron · 25. Januar 2022

VMs are run as the libvirt-qemu user. So, that user should own the folder and have executable permissions. I will look into adding a button that fixes permissions.

chown libvirt-qemu:root /path/to/folder

chmod 700 /path/to/folder

chente · 26. Januar 2022

Zitat von ryecoaaron

VMs are run as the libvirt-qemu user. So, that user should own the folder and have executable permissions

Added to the guide.

meracl · 26. Januar 2022

Zitat von ryecoaaron

VMs are run as the libvirt-qemu user. So, that user should own the folder and have executable permissions. I will look into adding a button that fixes permissions.

chown libvirt-qemu:root /path/to/folder
chmod 700 /path/to/folder

Fixed permissions of those two folders as above.

All good thanks ryecoaaron

yestothis · 2. Februar 2022

Seeing the same thing with not being able to get an IP address using networking setup method 3 (to be able to ping host and outside).

Would really love to debug this. Any chance someone could chime in what to put into the iptables that Docker creates for it to work just like the ethernet interface does?

On my host machine, that's running OMV, here is ip a output:

Code

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether a8:a1:59:58:00:10 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:8b:52:3d:de:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
4: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 8c:8d:28:29:16:93 brd ff:ff:ff:ff:ff:ff
5: br-7e3e85864134: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ee:9c:35:1f brd ff:ff:ff:ff:ff:ff
    inet 172.28.0.1/16 brd 172.28.255.255 scope global br-7e3e85864134
       valid_lft forever preferred_lft forever
    inet6 fe80::42:eeff:fe9c:351f/64 scope link
       valid_lft forever preferred_lft forever
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:2f:48:89:04 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:2fff:fe48:8904/64 scope link
       valid_lft forever preferred_lft forever

Alles anzeigen

I'm able to ping from the host outside just fine, and also able to ping other Docker containers just fine too.

This is what Docker injects into iptables currently:

Code

# Warning: iptables-legacy tables present, use iptables-legacy to see them
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7e3e85864134 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7e3e85864134 -j DOCKER
-A FORWARD -i br-7e3e85864134 ! -o br-7e3e85864134 -j ACCEPT
-A FORWARD -i br-7e3e85864134 -o br-7e3e85864134 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8282 -j ACCEPT
-A DOCKER -d 172.28.0.2/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 4533 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 4443 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.28.0.3/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.28.0.4/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.28.0.5/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.28.0.6/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8096 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p udp -m udp --dport 51820 -j ACCEPT
-A DOCKER -d 172.28.0.7/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.28.0.8/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER -d 172.28.0.9/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 7878 -j ACCEPT
-A DOCKER -d 172.28.0.10/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 9696 -j ACCEPT
-A DOCKER -d 172.28.0.11/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.28.0.12/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 6767 -j ACCEPT
-A DOCKER -d 172.28.0.13/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8989 -j ACCEPT
-A DOCKER -d 172.28.0.14/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 9101 -j ACCEPT
-A DOCKER -d 172.28.0.15/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8686 -j ACCEPT
-A DOCKER -d 172.28.0.16/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.28.0.18/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.28.0.20/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.28.0.20/32 ! -i br-7e3e85864134 -o br-7e3e85864134 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7e3e85864134 ! -o br-7e3e85864134 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7e3e85864134 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

Alles anzeigen

Looks like Docker creates its own bridge (br-7e3e85864134) and I see no mention of the network change I made in OMV that's just called br0. Do I somehow need to add it to this? Any ideas? Thank you in advance.

yestothis · 3. Februar 2022

Answering my own question from above... so I guess this was all I needed.

iptables -I FORWARD -i br0 -o br0 -j ACCEPT found via https://www.reddit.com/r/OpenM…s_libvirt_bridge_network/

Does anyone know if this line is safe? Does it bypass all rules/port closures or anything of that nature?

ryecoaaron · 3. Februar 2022

Zitat von yestothis

Does anyone know if this line is safe? Does it bypass all rules/port closures or anything of that nature?

If you don't have other firewall rules, then this is safe. You are just changing br0 back to the default behavior that Docker is changing. I would add this rule in the OMV firewall interface to make sure it is persistent.

yestothis · 3. Februar 2022

Ah good point, thank you!

I have no other custom rules in OMV firewall, but would rather see it in a GUI than the method above. Does this look right? And do I need the same rule for OUTPUT too?

ryecoaaron · 3. Februar 2022

Zitat von yestothis

Does this look right? And do I need the same rule for OUTPUT too?

Looks ok to me. I would try it with just input since the source and destination are the same.

Jetzt mitmachen!