Topic: Howto Zentyal in proxmox as OpenVZ

SorlaK

Howto Zentyal in proxmox as OpenVZ
« on: January 19, 2012, 05:39:51 pm »
Hello to everyone, here is a short guide for setting up Zentyal 2.2 in an OpenVZ container with Proxmox. Most of the issues that I found were related to the firewall module.

Starting

1- The node must have the following modules up
modprobe xt_mark
modprobe ipt_mark
modprobe ip_conntrack

2- Check /etc/vz/vz.conf; there must be an IPTABLE section with the following parameters:
"ipt_REDIRECT ipt_multiport ipt_state ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle
ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ip_conntrack_ftp ip_nat_irc ipt_helper ipt_conntrack ip_conntrack_irc"

3- Create the container with a standard Ubuntu 10.04 template provided by Proxmox's team

4- Set up the container, the usual stuff: network, source list... and add the Zentyal PPA to it.

5- Install aptitude and make a safe-upgrade

6- Create the admin group (necessary for access to Zentyal's web interface)

7- Create the user/s that will have access to the Zentyal web GUI and add them to the admin group. (Note: I believe that Zentyal will not allow concurrent connections from two admin users for security reasons)

8- Then aptitude install zentyal-software zentyal-services; after this you can access the web interface and install the rest of the modules that you may need.

I must add that I found it necessary to reboot the node for some settings to be properly accepted for the container.

Tested in
#####################################
pve-manager: 1.9-26 (pve-manager/1.9/6567)
running kernel: 2.6.18-6-pve
proxmox-ve-2.6.18: 1.8-15
pve-kernel-2.6.18-2-pve: 2.6.18-5
pve-kernel-2.6.18-6-pve: 2.6.18-15
qemu-server: 1.1-32
pve-firmware: 1.0-14
libpve-storage-perl: 1.0-19
vncterm: 0.9-2
vzctl: 3.0.29-3pve1
vzdump: 1.2-16
vzprocps: 2.0.11-2
vzquota: 3.0.11-1
###################################
pve-manager: 1.9-26 (pve-manager/1.9/6567)
running kernel: 2.6.32-6-pve
proxmox-ve-2.6.32: 1.9-55
pve-kernel-2.6.32-6-pve: 2.6.32-55
qemu-server: 1.1-32
pve-firmware: 1.0-14
libpve-storage-perl: 1.0-19
vncterm: 0.9-2
vzctl: 3.0.29-3pve1
vzdump: 1.2-16
vzprocps: 2.0.11-2
vzquota: 3.0.11-1
pve-qemu-kvm: 0.15.0-2
ksm-control-daemon: 1.0-6
##################################


If you don't like the web interface showing the venet0 interface, then you must go to /etc/zentyal/network.conf;
there is a parameter to list which interfaces must be ignored. Add it there and that will be all. Regards

For Spanish speakers:

Openvz Zentyal firewall

1- The following modules must be enabled on the node
modprobe xt_mark
modprobe ipt_mark
modprobe ip_conntrack

and in /etc/vz/vz.conf, declared in the IPTABLE section, there must be the following:
"ipt_REDIRECT ipt_multiport ipt_state ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle
ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ip_conntrack_ftp ip_nat_irc ipt_helper ipt_conntrack ip_conntrack_irc"

2- Create the OpenVZ container with a standard Ubuntu 10.04 template provided by the Zentyal team

3- Follow the standard procedure after creating an OpenVZ container:
configure the network, source.list... etc.

4- Install aptitude and update the system with a safe-upgrade

5- Create the admin group (necessary to access the Zentyal web interface)

6- Create the user or users who will be able to log in and add them to the admin group (NOTE: as far as I understand, Zentyal does not allow
several administrators to access the web interface simultaneously, for security)

7- Add the Zentyal PPA to source.list
Update source.list and install only zentyal-software zentyal-services,
continue with the installation and access it through the web interface.

I should add that I found it necessary to reboot the node where
the OpenVZ container was located so that it would correctly pick up some modules.

Tested on Proxmox 1.9
with two different kernels:
#####################################
pve-manager: 1.9-26 (pve-manager/1.9/6567)
running kernel: 2.6.18-6-pve
proxmox-ve-2.6.18: 1.8-15
pve-kernel-2.6.18-2-pve: 2.6.18-5
pve-kernel-2.6.18-6-pve: 2.6.18-15
qemu-server: 1.1-32
pve-firmware: 1.0-14
libpve-storage-perl: 1.0-19
vncterm: 0.9-2
vzctl: 3.0.29-3pve1
vzdump: 1.2-16
vzprocps: 2.0.11-2
vzquota: 3.0.11-1
###################################
pve-manager: 1.9-26 (pve-manager/1.9/6567)
running kernel: 2.6.32-6-pve
proxmox-ve-2.6.32: 1.9-55
pve-kernel-2.6.32-6-pve: 2.6.32-55
qemu-server: 1.1-32
pve-firmware: 1.0-14
libpve-storage-perl: 1.0-19
vncterm: 0.9-2
vzctl: 3.0.29-3pve1
vzdump: 1.2-16
vzprocps: 2.0.11-2
vzquota: 3.0.11-1
pve-qemu-kvm: 0.15.0-2
ksm-control-daemon: 1.0-6
##################################

I should add that Zentyal recognizes the venet0 interface and also shows it in the web interface. If you do not want it, or any other interface, to be shown, go to /etc/zentyal/network.conf; there is a section there that defines which interfaces to ignore. Just add it there and you are done. Regards
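
A quick way to check step 2 of the guide on the node, added here as an example and not part of the original post: it reads the IPTABLES line of a vz.conf-style file and lists which of the modules named in the guide are absent. The function names are hypothetical, the value is assumed to sit on a single line, and the demo runs on a constructed sample file.

```shell
#!/bin/sh
# Modules from step 2 of the guide, with the two repeated names listed once.
REQUIRED="ipt_REDIRECT ipt_multiport ipt_state ipt_REJECT ipt_tos ipt_TOS \
ipt_LOG ip_conntrack ipt_limit iptable_filter iptable_mangle ipt_TCPMSS \
ipt_tcpmss ipt_ttl ipt_length iptable_nat ip_nat_ftp ipt_owner \
ip_conntrack_ftp ip_nat_irc ipt_helper ipt_conntrack ip_conntrack_irc"

# Print the value of the last uncommented IPTABLES="..." line in the file.
# Assumption: the whole value is on one line.
iptables_value() {
    sed -n 's/^[[:space:]]*IPTABLES="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Print each required module missing from the file, one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_modules() {
    # Pad with spaces so whole names are matched: ip_conntrack must not
    # be satisfied by ipt_conntrack or ip_conntrack_ftp.
    have=" $(iptables_value "$1" | tr -s '[:space:]' ' ') "
    rc=0
    for m in $REQUIRED; do
        case "$have" in
            *" $m "*) ;;
            *) echo "$m"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed sample file (not a real host configuration).
demo() {
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' \
        'IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter"' \
        > "$sample"
    echo "Missing from IPTABLES in sample:"
    missing_modules "$sample"
    rm -f "$sample"
}
demo
```

On the node itself, `missing_modules /etc/vz/vz.conf` performs the same comparison against the real file; matching is case-sensitive, so ipt_tos and ipt_TOS are checked separately.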

zonique

Re: Howto Zentyal in proxmox as OpenVZ
« Reply #1 on: February 19, 2012, 01:50:27 pm »
I have given Zentyal a try on Proxmox as well and followed the instructions above. Unfortunately, I can't get rid of the last few error messages that appear when I try to startup the firewall (/etc/init.d/zentyal firewall start):

Error output: FATAL: Module ip_conntrack_ftp not found.
 FATAL: Module ip_nat_ftp not found.
 FATAL: Module ip_conntrack_tftp not found.
 iptables: No chain/target/match by that name.

I'm completely stuck with this message as my iptables/openvz knowledge isn't that great.
Is there anyone that could shed some light on this?

SorlaK

Re: Howto Zentyal in proxmox as OpenVZ
« Reply #2 on: February 20, 2012, 02:42:40 pm »
Yes, that error is common in Proxmox 1.9; in the newest version 2.0 it doesn't happen

quick fix:

go to /usr/share/perl5/EBox/Iptable
and comment out lines 129 and 131; that should "solve" the issue.
« Last Edit: February 20, 2012, 02:44:12 pm by SorlaK »

zonique

Re: Howto Zentyal in proxmox as OpenVZ
« Reply #3 on: February 20, 2012, 07:57:15 pm »
Thanks very much for the suggestion SorlaK!
I've started experimenting with /usr/share/perl5/EBox/Iptable.pm straight away, but I'm afraid my attempts weren't very successful.

Although I can see that the two lines that were commented out are indeed not executing anymore, I'm still receiving the same error message in the end:

/sbin/sysctl -q -w net.ipv4.ip_forward="1"
/sbin/sysctl -q -w net.ipv4.tcp_syncookies="1"
/sbin/sysctl -q -w net.ipv4.conf.all.log_martians="0"
/sbin/sysctl -q -w net.ipv4.conf.all.accept_redirects="0"
/sbin/sysctl -q -w net.ipv4.conf.all.send_redirects="0"
/sbin/sysctl -q -w net.ipv4.conf.all.accept_source_route="0" failed.
Error output: FATAL: Module ip_conntrack_ftp not found.
 FATAL: Module ip_nat_ftp not found.
 FATAL: Module ip_conntrack_tftp not found.
 iptables: No chain/target/match by that name.

I am currently using Proxmox 2.0 RC1 by the way.

Any other hints or tips are more than welcome!

SorlaK

Re: Howto Zentyal in proxmox as OpenVZ
« Reply #4 on: February 20, 2012, 10:15:45 pm »
OK, that is odd. I just have a Zentyal over Proxmox 2.0 RC1 and this wasn't a problem. Are you sure that the server has this setup in /etc/vz/vz.conf:
"ipt_REDIRECT ipt_multiport ipt_state ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle
ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ip_conntrack_ftp ip_nat_irc ipt_helper ipt_conntrack ip_conntrack_irc"

? Regards

zonique

Re: Howto Zentyal in proxmox as OpenVZ
« Reply #5 on: February 20, 2012, 10:22:28 pm »
I have indeed amended the IPTABLES line in /etc/vz/vz.conf to the one proposed in the instructions.

I have noticed something else: after I set up Zentyal a second time, I noticed that this message only starts appearing once you add modules zentyal-dhcp and zentyal-dns.
If you don't have these modules installed, you may indeed not see this error message.