
So I've been trying to set up a webserver on my VPS with CentOS 7. To do this I've used this tutorial. Installation of MySQL/MariaDB and PHP worked successfully. However I can't access my server, because I haven't allowed external access yet.

To do this I am forced to use these three commands (according to the tutorial):

firewall-cmd --permanent --zone=public --add-service=http

firewall-cmd --permanent --zone=public --add-service=https

firewall-cmd --reload

The command firewall-cmd wasn't found because, according to this thread, OpenVZ installs a stripped-down version of CentOS 7, so I used the commands from there.

However, the following error message popped up when using systemctl start firewalld:

Job for firewalld.service failed. See 'systemctl status firewalld.service' and 'journalctl -xn' for details.

systemctl status firewalld.service -l shows this info:

firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: failed (Result: exit-code) since Mon 2016-07-18 04:31:46 EDT; 6min ago
  Process: 12522 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=1/FAILURE)
 Main PID: 12522 (code=exited, status=1/FAILURE)

Jul 18 04:31:46 Christof2 systemd[1]: firewalld.service: main process exited, code=exited, status=1/FAILURE
Jul 18 04:31:46 Christof2 systemd[1]: Failed to start firewalld - dynamic firewall daemon.
Jul 18 04:31:46 Christof2 systemd[1]: Unit firewalld.service entered failed state.

FYI: I did everything from a fresh installation of CentOS 7; if you want, I can simply reinstall CentOS and do one step differently, if that helps.

    I'm pretty sure firewalld doesn't work in an OpenVZ container (and a lot of other things don't either). If you rented this from somewhere, cancel it and go get a proper VPS with actual virtualization, such as KVM. – Michael Hampton Jul 18 '16 at 09:01
  • How does OpenVZ impact this? Isn't there a possibility to get all the missing packages in order to use firewalld? – Christof Kälin Jul 18 '16 at 09:43
  • Firewalld requires D-Bus, which AFAIK doesn't work inside containers. – Michael Hampton Jul 18 '16 at 10:03
  • +1 for Michael's reply - in addition to this, you might need some kernel modules which would need to be added by your hosting provider and some hosting providers might not support all the modules you need, so better move to a VPS using KVM or even Xen. – Mugurel Aug 10 '16 at 11:35

2 Answers


First of all, check if you have IPv6 access, and if not, alter your etc/firewalld/firewalld.conf to set IPv6_rpfilter = 0 and run systemctl restart firewalld.service.

If still nothing, check journalctl -u firewalld for further details.

However, it may well be that your host needs to provide the NETFILTER="full" capability to your container config; also, they will need to allocate the beancounter numiptent to something around 500 or more.

Doing those configs should allow firewalld to start on a CentOS 7 OpenVZ container; for anything else, your logs will provide the answers.

Cheers

TechnicalChaos
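A container-side pre-flight check covering the points this answer raises (the numiptent limit and its failcnt from /proc/user_beancounters, IPv6_rpfilter when the container has no IPv6) plus the D-Bus dependency mentioned in the comments. This is an added example, not code from the answer; the 500-rule threshold comes from the answer, the D-Bus socket path /run/dbus/system_bus_socket is an assumption, and the beancounters text is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: container-side pre-flight checks for
# firewalld in an OpenVZ container, following the points raised above.

# Constructed sample of /proc/user_beancounters (OpenVZ resource accounting).
# Columns: [uid:] resource held maxheld barrier limit failcnt
SAMPLE_UBC='Version: 2.5
       uid  resource           held  maxheld  barrier    limit  failcnt
      101:  kmemsize        2489838  2540462 11055923 11377049        0
            numiptent            24       24      128      128        3
            numfile             512      640     2048     2048        0'
# Print the limit or failcnt column of one resource from user_beancounters text.
# Usage: ubc_field <text> <resource> <limit|failcnt>
ubc_field() {
    printf '%s\n' "$1" | awk -v res="$2" -v want="$3" '
        $1 == res              { print ((want == "limit") ? $5 : $6); exit }
        $1 ~ /:$/ && $2 == res { print ((want == "limit") ? $6 : $7); exit }'
}
# Succeed when the numiptent limit is at least $2 (the answer suggests ~500).
numiptent_ok() {
    limit=$(ubc_field "$1" numiptent limit)
    [ -n "$limit" ] && [ "$limit" -ge "$2" ]
}
# Succeed when IPv6_rpfilter is turned off in a firewalld.conf body.
# Accepts "no" (firewalld's documented value) or "0" (as written in the answer).
rpfilter_disabled() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /^[[:space:]]*IPv6_rpfilter[[:space:]]*$/ {
            v = tolower($2); gsub(/[[:space:]]/, "", v)
            found = 1; if (v == "no" || v == "0") ok = 1 }
        END { exit ((found && ok) ? 0 : 1) }'
}
# Check the live system; each finding maps to one fix from the thread.
preflight() {
    if [ -r /proc/user_beancounters ]; then
        ubc=$(cat /proc/user_beancounters)
        numiptent_ok "$ubc" 500 || echo "numiptent limit below 500: ask the host to raise it"
        fails=$(ubc_field "$ubc" numiptent failcnt)
        [ "${fails:-0}" -eq 0 ] || echo "numiptent failcnt=$fails: rule inserts already refused"
    fi
    if [ ! -r /proc/net/if_inet6 ] && [ -r /etc/firewalld/firewalld.conf ]; then
        rpfilter_disabled "$(cat /etc/firewalld/firewalld.conf)" \
            || echo "no IPv6 in this container but IPv6_rpfilter is on: set IPv6_rpfilter=no"
    fi
    # D-Bus socket path is an assumption (systemd default on CentOS 7).
    [ -S /run/dbus/system_bus_socket ] || echo "D-Bus system bus socket missing: firewalld cannot start"
}
preflight
```

A non-zero numiptent failcnt means the container has already hit the rule limit, which is the symptom to report to the host when asking for the allocation change.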

Iptables, being kernel functionality, needs to be explicitly loaded on the OpenVZ host and enabled per container.

If you have access to the host, follow man vzctl and look for --netfilter. Older OpenVZ versions would have a different procedure to do the same.

Alec Istomin