I seem to have encountered a bug in vzctl's installation. Upon installing it in a clean CentOS6.5-minimal installation according to the official wiki, network connectivity is limited to pinging IP addresses (I suspect ICMP traffic only).
I have created a bugreport with steps to reproduce, also copied here:
- Install node with CentOS-6.5-x86_64-minimal.iso
ifup eth0andping google.comto observe DNS resolution and network connectivity.- Install wget (
yum install wget). - Follow steps on http://wiki.openvz.org/Quick_installation to install vzkernel, vzctl, vzquota, and ploop.
- reboot
ifup eth0andping google.comto observe NO DNS resolution and network connectivity.- Edit
/etc/modprobe.d/openvz.conftooptions nf_conntrack ip_conntrack_disable_ve0=0and save. - reboot
ifup eth0andping google.comto observe DNS resolution and network connectivity.
Note that disabling iptables via service iptables stop restores connectivity, but that is a 'suboptimal' (hum hum :P ) workaround.
This is the output from iptables-save:
# iptables-save
# Generated by iptables-save v1.4.7 on Wed Apr 30 12:50:00 2014
*mangle
:PREROUTING ACCEPT [110:16800]
:INPUT ACCEPT [107:15810]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:4954]
:POSTROUTING ACCEPT [35:4954]
COMMIT
# Completed on Wed Apr 30 12:50:00 2014
# Generated by iptables-save v1.4.7 on Wed Apr 30 12:50:00 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:4954]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr 30 12:50:00 2014
