
Sysadmin OpenVZ 7 Kernel info

Discussion in 'System Administration' started by eva2000, Apr 30, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    44,742
    10,200
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,809
    Local Time:
    3:17 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    @jcat you mentioned OpenVZ 7 kernel supports IPSET unlike OpenVZ 6 so wondering if you can provide some information for outputs for these commands
    Code (Text):
    echo "$(uname -r) ($(uname -r | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'))"

    Code (Text):
    find /lib/modules/`uname -r` -name 'ipset'

    Example
    Code (Text):
    find /lib/modules/`uname -r` -name 'ipset'
    /lib/modules/3.10.0-957.10.1.el7.x86_64/kernel/net/netfilter/ipset
    
    echo "$(uname -r) ($(uname -r | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'))"
    2.6.32-042stab127.2 (2006032002)
    
    echo "$(uname -r) ($(uname -r | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'))"
    3.10.0-957.10.1.el7.x86_64 (3010000010)
    
    echo "$(uname -r) ($(uname -r | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'))"
    5.0.7-1.el7.elrepo.x86_64 (5000007000)
    

    With this info, will be adding proper IPSET detection support to Centmin Mod 123.09beta01 for OpenVZ7 systems like I already do for non-OpenVZ6 systems (KVM/XEN etc) :)
     
  2. jcat

    jcat Member

    130
    18
    18
    Jun 21, 2015
    New Jersey
    Ratings:
    +49
    Local Time:
    1:17 AM
    Sorry, I need to fix my notifications, here is the info:

    Code:
    # echo "$(uname -r) ($(uname -r | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'))"
    3.10.0-862.20.2.vz7.73.29 (3010000020)
    
    In container:

    Code:
    # find /lib/modules/`uname -r` -name 'ipset'
    find: '/lib/modules/3.10.0-862.20.2.vz7.73.29': No such file or directory
    
    Code:
    # find -iname '*ipset*'
    ./var/lib/yum/yumdb/i/4dff69a3bc73f6e185c9da0de4b6733305f3af86-ipset-libs-6.38-3.el7_6-x86_64
    ./var/lib/yum/yumdb/i/a9b00ab0b2f59115bffebd10b9c2b454dacb46df-ipset-6.38-3.el7_6-x86_64
    ./usr/share/doc/ipset-6.38
    ./usr/share/doc/ipset-libs-6.38
    ./usr/share/man/man8/ipset.8.gz
    ./usr/include/linux/netfilter/ipset
    ./usr/src/kernels/3.10.0-957.5.1.el7.x86_64/include/config/net/ematch/ipset.h
    ./usr/src/kernels/3.10.0-957.5.1.el7.x86_64/include/uapi/linux/netfilter/ipset
    ./usr/src/kernels/3.10.0-957.5.1.el7.x86_64/include/linux/netfilter/ipset
    ./usr/src/kernels/3.10.0-957.5.1.el7.x86_64/net/netfilter/ipset
    ./usr/sbin/ipset
    ./usr/lib64/libipset.so.11.1.0
    ./usr/lib64/libipset.so.11
    
    on node:

    Code:
    # find /lib/modules/`uname -r` -name 'ipset'
    /lib/modules/3.10.0-862.20.2.vz7.73.29/kernel/net/netfilter/ipset
    
    If you want access to a vm, happy to provide one as well just toss me an ssh key :)
     
  3. eva2000

    Should be fine, I updated 123.09beta01 code to just use kernel version + /proc/user_beancounters file existence to determine if IPSET on OpenVZ7 is supported so should have CSF Firewall auto enabling IPSET support when OpenVZ 7 with 3.10 kernel is detected like Centmin Mod does for KVM/XEN and bare metal dedicated servers :)
     
  4. jcat

    The ipset package isn't installed by default so may want to check for the package as well first, otherwise csf will go kaput, but can simply install with

    Code:
    yum install ipset
     
  5. eva2000

    Ah yes !!!!

    edit: oh already has a check for that

    Code (Text):
            # openvz7's 3.10 linux kernels support IPSET
            if [[ ! -f /usr/sbin/ipset ]]; then
                # CSF now has ipset support to offload large IP address numbers 
                # from iptables so uses less server resources to handle many IPs
                # does not work with OpenVZ VPS so only implement for non-OpenVZ
                yum -q -y install ipset ipset-devel
                sed -i 's/LF_IPSET = \"0\"/LF_IPSET = \"1\"/' /etc/csf/csf.conf
                setiplimits
            elif [[ -f /usr/sbin/ipset ]]; then
                sed -i 's/LF_IPSET = \"0\"/LF_IPSET = \"1\"/' /etc/csf/csf.conf
                setiplimits
            fi
    

    but adding one to installers too
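
The detection discussed in this thread (ipset module directory where visible, otherwise kernel version plus `/proc/user_beancounters`, then the userland `ipset` binary), as an added example that is not Centmin Mod's code or any poster's. The function names, the optional `ROOT` prefix used for testing, and the 3.10 threshold encoded as `3010000000` are assumptions.

```shell
#!/bin/sh
# Added example: names and the optional ROOT prefix are hypothetical,
# not Centmin Mod's code. ROOT lets the checks run against a test tree.

# Numeric kernel code, using the awk expression from the thread.
kernel_code() {
    printf '%s\n' "$1" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'
}

# ipset_kernel_support RELEASE [ROOT]
# Prints how kernel-side IPSET support was established:
#   module   - ipset module directory visible under /lib/modules/RELEASE
#   openvz7  - OpenVZ container (beancounters file) on a 3.10+ kernel
#   none     - neither check passed (e.g. OpenVZ 6 on 2.6.32)
ipset_kernel_support() {
    rel=$1; root=${2:-}
    moddir="$root/lib/modules/$rel"
    if [ -d "$moddir" ] && [ -n "$(find "$moddir" -name ipset 2>/dev/null)" ]; then
        echo module
    elif [ -f "$root/proc/user_beancounters" ] &&
         [ "$(kernel_code "$rel")" -ge 3010000000 ]; then
        # Containers have no /lib/modules/RELEASE, so fall back to
        # kernel version plus the OpenVZ marker file (assumed threshold).
        echo openvz7
    else
        echo none
    fi
}

# csf_ipset_setting RELEASE [ROOT]
# Prints the LF_IPSET value to use: 1 only when the kernel check passes
# AND the userland ipset binary is present, else 0.
csf_ipset_setting() {
    support=$(ipset_kernel_support "$1" "${2:-}")
    if [ "$support" != none ] && [ -x "${2:-}/usr/sbin/ipset" ]; then
        echo 1
    else
        echo 0
    fi
}

echo "LF_IPSET=$(csf_ipset_setting "$(uname -r)") for $(uname -r)"
```

Keeping `LF_IPSET` at 0 when the binary is missing avoids enabling a CSF feature whose backend is not installed.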
     
  6. jcat

    Of course you do, ya damn magician :)
     
  7. eva2000

    I swear probably 30-50% of centmin mod's code is just extra logic to make things smarter than plain bash script :D