OpenVZ 7 / Virtuozzo 7 Minimal templates

InceptionHosting (Hosting Provider, OG)
edited November 2019 in Technical

I made a complete set a few days ago, thought I would share them as I don't see them anywhere else.
These are fully functional and VERY minimal templates for OpenVZ 7 / Virtuozzo 7, all tested.
They range from 5 MB to 9 MB RAM used on initial deployment:
http://185.164.137.206/vz7/
For SolusVM you will need to be on at least the latest mainline release (probably better off on beta - upcp 3), which enables the EZ templates option when adding an OpenVZ template in SolusVM.
I have spent a fair bit of time working with the EZ template system now. It's very different to OpenVZ 6 or "legacy templates" as they are now known, so if anyone needs any help just shout up; not enough info is public at this stage.

If your host does not have them available yet point them here :)

https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.

Comments

  • abnoeh (OG)
    edited November 2019

    How did you add the debian10 template? I thought it needed a real 4.x kernel.

  • InceptionHosting (Hosting Provider, OG)

    @abnoeh said:
    How did you add the debian10 template? I thought it needed a real 4.x kernel.

    just for you :)

    Virtuozzo 7 does not bind the kernel version of the host to the container like OpenVZ 6 did.
    I mean, it is just a pseudo kernel version anyway; it just tracks the distro's current version and displays it in the container. You still use the host node's kernel, but now at least software does not complain about expecting a different version.

    Thanked by (1)abnoeh


  • abnoeh (OG)
    edited November 2019

    tried debian 10 image, firewalls (nftable/ufw/iptables trans) failed to start with error for bunch of nft related kernel modules and unknown option "--dport"

    ERROR: problem running ufw-init
    modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.19.0/modules.builtin.bin'
    modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/4.19.0
    modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.19.0/modules.builtin.bin'
    modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/4.19.0
    modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.19.0/modules.builtin.bin'
    modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.19.0

  • InceptionHosting (Hosting Provider, OG)

    From the host node: vzctl set CTID --netfilter=full --save
    I only made the templates; the templates can't enable or give access to kernel modules on the host node for you :)


  • abnoeh (OG)
    edited November 2019

    @AnthonySmith said:
    From the host node: vzctl set CTID --netfilter=full --save
    I only made the templates; the templates can't enable or give access to kernel modules on the host node for you :)

    well it was your NL OVZ7 node, so... write a ticket?

    https://www.lowendtalk.com/discussion/158922/virtuozzo-7-docker-ready-50-off-double-disk-up-to-6gb-ram-from-21-p-year-netherlands/p1

  • InceptionHosting (Hosting Provider, OG)

    @abnoeh said:

    @AnthonySmith said:
    From the host node: vzctl set CTID --netfilter=full --save
    I only made the templates; the templates can't enable or give access to kernel modules on the host node for you :)

    well it was your NL OVZ7 node, so... write a ticket?

    https://www.lowendtalk.com/discussion/158922/virtuozzo-7-docker-ready-50-off-double-disk-up-to-6gb-ram-from-21-p-year-netherlands/p1

    ah ok: https://clients.inceptionhosting.com/index.php?rp=/knowledgebase/36/Iptables-csf-ufw-firewalld-or-vpn-software-problems.html

    Thanked by (1)abnoeh


  • abnoeh (OG)
    edited November 2019

    I found the root cause.
    You need to change the firewall framework to iptables in the Debian 10 image, because Debian 10 changed to nftables and needs different kernel modules, which you and most providers don't have enabled.
    https://wiki.debian.org/nftables

    # update-alternatives --set iptables /usr/sbin/iptables-legacy
    # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    # update-alternatives --set arptables /usr/sbin/arptables-legacy
    # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
    
    Thanked by (2)InceptionHosting Bochi
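
The switch described in the post above, as an added example that is not part of the original thread: it checks which backend `iptables` currently uses and only switches the tools whose legacy binary is actually installed (`arptables` and `ebtables` are separate packages, so a bare `update-alternatives --set` for them can fail). The function names and the `--apply` flag are assumptions of this example; run it as root inside the container.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and --apply are hypothetical.

# Map the output of `iptables --version` to a backend name.
# Constructed sample inputs: "iptables v1.8.2 (nf_tables)", "iptables v1.8.2 (legacy)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        # Assumption: builds that print no suffix predate the nft variant.
        iptables\ v*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Print the tool names whose <tool>-legacy binary exists in the given directory.
legacy_tools() {
    dir=$1
    found=""
    for tool in iptables ip6tables arptables ebtables; do
        if [ -x "$dir/$tool-legacy" ]; then
            found="$found $tool"
        fi
    done
    echo "${found# }"
}

# Point each available alternative at its legacy binary (needs root).
switch_to_legacy() {
    dir=${1:-/usr/sbin}
    for tool in $(legacy_tools "$dir"); do
        update-alternatives --set "$tool" "$dir/$tool-legacy"
    done
}

# Only act when explicitly asked, and only if the nft backend is selected.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(backend_of "$(iptables --version)")" = nft ]; then
        switch_to_legacy /usr/sbin
    else
        echo "iptables is not using the nft backend; nothing changed"
    fi
fi
```

After switching, restart the firewall front end (ufw in the thread) so its rules are loaded through the legacy backend.
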
  • InceptionHosting (Hosting Provider, OG)
    edited November 2019

    Cool, good fix. I will look into it now I know for the host nodes and add that to the KB I linked, much appreciated! <3

    edit: enabled on all my nodes now.

    Thanked by (1)abnoeh


  • @AnthonySmith said:
    Cool, good fix. I will look into it now I know for the host nodes and add that to the KB I linked, much appreciated! <3

    edit: enabled on all my nodes now.

    Sorry, but nftables still looks broken. It asks for nf_nat_ftp, nf_conntrack_ftp and nf_conntrack_netbios_ns.
    Maybe it's just best to edit the image to use legacy iptables.

    -- A start job for unit nftables.service has begun execution.
    -- 
    -- The job identifier is 79.
    Nov 13 14:04:21  nft[282]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Operation not supported
    Nov 13 14:04:21  nft[282]: flush ruleset
    Nov 13 14:04:21  nft[282]: ^^^^^^^^^^^^^^
    Nov 13 14:04:21  nft[282]: /etc/nftables.conf:5:1-2: Error: Could not process rule: Operation not supported
    Nov 13 14:04:21  nft[282]: table inet filter {
    Nov 13 14:04:21  nft[282]: ^^
    Nov 13 14:04:21  nft[282]: /etc/nftables.conf:6:15-19: Error: Could not process rule: Operation not supported
    Nov 13 14:04:21  nft[282]:         chain input {
    Nov 13 14:04:21 nft[282]:                      ^^^^^
    Nov 13 14:04:21  nft[282]: /etc/nftables.conf:9:15-21: Error: Could not process rule: Operation not supported
    Nov 13 14:04:21  nft[282]:         chain forward {
    Nov 13 14:04:21  nft[282]:                      ^^^^^^^
    Nov 13 14:04:21  nft[282]: /etc/nftables.conf:12:15-20: Error: Could not process rule: Operation not supported
    Nov 13 14:04:21  nft[282]:         chain output {
    Nov 13 14:04:21  nft[282]:                      ^^^^^^
    Nov 13 14:04:21  systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
    -- Subject: Unit process exited
    -- Defined-By: systemd
    -- Support: https://www.debian.org/support
    
  • Update: enabling the nftables-related kernel modules touched an upstream bug, and trying to use it will cause a kernel panic and make the host (not a single container) reboot. Looks like using legacy iptables is best for now.

  • Just want to thank you Ant, you probably recall me and you having a silly set-to on the old forum as my Debian 9 instance was running out of RAM for apt commands. I switched to your new Ubuntu 18.04 template and used the PPA to get wireguard-tools, which seems to use less resources than pinning the unstable repo on Debian to get that package and its dependencies.

    (If anyone is interested, I'm following this guide to get wireguard-go working on my LES box:

    https://d.sb/2019/07/wireguard-on-openvz-lxc

    Obviously, switching out the section about pinning the Debian unstable repo and using the Wireguard PPA instead, still issuing "apt-get install wireguard-tools --no-install-recommends". The rest of the guide works really well (I compile wireguard-go on my local machine and push it onto my instance) and with wireguard-go and an OpenVPN server setup, as well as fail2ban, I'm still only using about 39M RAM on idle and all apt commands seem to be working without any issues.)

    Thanked by (2)InceptionHosting mikho