0

I have a problem figuring out why my openvz-container is not reachable from the outside (host-system) on port 4949.

netstat in the container:

```
[root@openvz ~]# netstat -utapn |grep 4949
tcp        0      0 0.0.0.0:4949                0.0.0.0:*                   LISTEN      9503/munin-node
```

And netstat on the host:

```
[root@host ~]# netstat -utapn |grep LISTEN |grep 4949
tcp        0      0 0.0.0.0:4949                0.0.0.0:*                   LISTEN      305719/munin-node
```

Which is pretty much identical. On host and in the openvz-container

```
telnet localhost 4949
```

is working correctly and I get the munin-node prompt.

The munin-node.conf on the openvz-guest looks like this (pretty standard except the last line I think):

```
log_level 4
log_file /var/log/munin/munin-node.log
port 4949
pid_file /var/run/munin/munin-node.pid
background 1
setseid 1

# Which port to bind to;
host *
user root
group root
setsid yes

# Regexps for files to ignore

ignore_file ~$
ignore_file \.bak$
ignore_file %$
ignore_file \.dpkg-(tmp|new|old|dist)$
ignore_file \.rpm(save|new)$

# Set this if the client doesn't report the correct hostname when
# telnetting to localhost, port 4949
#
#host_name lisse.hasselt.wieers.com

# A list of addresses that are allowed to connect.  This must be a
# regular expression, due to brain damage in Net::Server, which
# doesn't understand CIDR-style network notation.  You may repeat
# the allow line as many times as you'd like

allow ^127\.0\.0\.1$
cidr_allow 192.168.122/24
```

On the host it's the same without the last line.

It is not possible to telnet to the openvz-machine from the host, neither is it possible to telnet from the vz-container with its IP instead of localhost.

Is that a basic problem with openvz or did I just miss something?

Help is much appreciated,

Wayne

m_sc

1 Answer

0

I think the last line is wrong. CIDR uses, AFAIK, notations like 192.168.1.122/24

You are missing one number.

jojoo
  • That is not the problem. I changed it to ^192\.168\.122\.1$ and ^192\.168\.122\.104$ but still the host cannot telnet 192.168.122.104 4949. But now the VZ-Container can telnet to his own IP. – m_sc Jul 20 '11 at 17:56
  • Hei. I don't know if I get you right, but the cidr_allow should be something like `cidr_allow 192.168.122.104/24`. The backslash (or regex) IPs go with the plain allow. Read more about that at http://munin-monitoring.org/wiki/munin-node.conf. But maybe I misunderstood you, and you already did that. – jojoo Jul 21 '11 at 15:37
  • I changed the cidr_allow line to `^192\.168\.122\.1$` and `^192\.168\.122\.104$`. So there is no cidr_allow anymore, and it still does not work. Is that a bit clearer? :) – m_sc Jul 24 '11 at 19:06
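
An offline check of which source addresses a set of `allow` / `cidr_allow` lines would admit. This is an example added here, not code from the thread or from munin-node. It models `allow` as a regex matched against the peer address and `cidr_allow` as a network parsed by Python's `ipaddress` module, which is strict and rejects the short form `192.168.122/24`; whether munin-node itself accepts that form is not asserted. The function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two access-control lines from the question's config.
SAMPLE_CONF = r"""
allow ^127\.0\.0\.1$
cidr_allow 192.168.122/24
"""

def parse_acl(conf_text):
    """Return (allow_regexes, networks, rejected_cidr_values)."""
    allows, networks, rejected = [], [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "allow":
            allows.append(re.compile(value))
        elif key == "cidr_allow":
            try:
                # strict=False accepts a host address with a prefix,
                # e.g. 192.168.122.104/24 -> network 192.168.122.0/24
                networks.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                rejected.append(value)  # not parseable as a full CIDR
    return allows, networks, rejected

def is_allowed(peer_ip, allows, networks):
    """True if peer_ip matches any allow regex or falls in any network."""
    addr = ipaddress.ip_address(peer_ip)
    if any(rx.search(peer_ip) for rx in allows):
        return True
    return any(addr in net for net in networks)

def report(conf_text, peers):
    """Map each peer address to its allow/deny decision under conf_text."""
    allows, networks, rejected = parse_acl(conf_text)
    decisions = {ip: is_allowed(ip, allows, networks) for ip in peers}
    return decisions, rejected

if __name__ == "__main__":
    peers = ["127.0.0.1", "192.168.122.1", "192.168.122.104"]
    decisions, rejected = report(SAMPLE_CONF, peers)
    for ip, ok in decisions.items():
        print(f"{ip:16} {'allow' if ok else 'deny'}")
    for value in rejected:
        print(f"unparseable cidr_allow value: {value}")
```

A pass here covers only the node's own access list; it says nothing about routing or packet filtering between the host and the container.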