OpenVZ in Proxmox: notes in the margins / Habr


2. NFS passthrough

On the hypervisor:

Install the NFS server

aptitude install nfs-kernel-server

Edit the NFS exports file

nano /etc/exports

For example, export /var/lib/vz to 10.1.1.2

/var/lib/vz 10.1.1.2(rw,sync,fsid=root,no_root_squash,crossmnt,no_subtree_check)

Keep in mind what this line grants: /var/lib/vz holds the private areas of every container on the node, and rw together with no_root_squash means root inside 10.1.1.2 is root on that whole tree. Export only the directory the container actually needs, and leave the default root_squash in place unless the workload really has to write as root.

Restart the NFS server

/etc/init.d/nfs-kernel-server restart

Enable NFS support in the container

vzctl set [VEID] --features "nfs:on" --save

Inside the container:

aptitude install nfs-common

Mount example

mount -t nfs 10.1.1.1:/var/lib/vz/ /vz
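An added check, not part of the original article: the audit below parses an exports file in the format above and flags the two things a hypervisor operator most needs to notice, an export open to any host and an rw export with no_root_squash (the article's own /var/lib/vz line is one of these). The sample file contents are constructed for the example; the parser assumes the exports(5) layout `path host(opts) host(opts)` and treats a bare host as having default options.

```python
"""Audit an NFS exports file for the two grants that matter most on a hypervisor.

Added example, not from the original article. Flags:
  * exports reachable from any host (no client, or client "*");
  * rw exports with no_root_squash, where the client's root is root on the
    server's tree (the article's own /var/lib/vz line is one of these).
Assumes the exports(5) layout `path host(opts) host(opts) ...`; a bare host
has default options. SAMPLE_EXPORTS is constructed for this example.
"""
import re

RISKY_RW_ROOT = "rw+no_root_squash: client root is root on this tree"
RISKY_OPEN = "export reachable from any host"

# One export entry: optional client name followed by optional (opt,opt,...)
_ENTRY = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, set_of_options) for every entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, entries = fields[0], fields[1:]
        for entry in entries:
            m = _ENTRY.fullmatch(entry)
            if m is None:                          # unbalanced parens: treat as a host
                yield path, entry, set()
                continue
            client, opts = m.group(1), m.group(2) or ""
            yield path, client, {o for o in opts.split(",") if o}


def audit_exports(text):
    """Return [(path, client, reason), ...] for every risky export entry."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client in ("", "*"):
            findings.append((path, "*", RISKY_OPEN))
        elif "rw" in opts and "no_root_squash" in opts:
            findings.append((path, client, RISKY_RW_ROOT))
    return findings


# Constructed sample: the article's export plus a safe and a wide-open one.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/var/lib/vz 10.1.1.2(rw,sync,fsid=root,no_root_squash,crossmnt,no_subtree_check)
/srv/share  10.1.1.0/24(ro,sync,root_squash,no_subtree_check)
/srv/public *(rw,sync,no_subtree_check)
"""

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {reason}")
```

Run it against the host's real file with `audit_exports(open('/etc/exports').read())`; anything it reports for /var/lib/vz deserves a second look, because that directory holds every container's root filesystem.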

3. USB device passthrough

Whenever more than one device is passed through, edit the container config directly instead of using vzctl: unless all the required devices are listed in one vzctl invocation, vzctl discards every earlier passthrough entry and keeps only the last one.

General form:

vzctl set VEID --devices b|c:major:minor|all:[r|w|rw|none]

where b is a block device and c a character device. Look up major:minor for the specific device under /dev/bus/usb (a long listing of the device node shows them). The mode is exactly what the container gets, so grant r unless writes are really needed.

Passthrough by name

vzctl set [VEID] --devnodes ttyUSB0:rw --save

Passthrough by device number

vzctl set [VEID] --devices c:189:all:rw --save

Note that major 189 with minor all covers every USB device node on the host, not just the one you had in mind; pass the specific minor when you can.

Or by editing the config (--devnodes entries go into DEVNODES, --devices entries into DEVICES):

nano /etc/pve/openvz/[VEID].conf
DEVNODES="ttyUSB1:rw "
DEVICES="c:189:all:rw "

To pass a USB device into an already running container:

bind-mount it from the host into the container

mount -o bind /dev/<DEVNAME> $VE_ROOT/dev/<DEVNAME>
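An added example, not code from the original article: because a second `vzctl set --devices` call replaces the earlier grant, the helper below merges new DEVICES= / DEVNODES= entries into the container config text while keeping what is already there, and derives the c:major:minor spec from the device node with os.stat instead of copying numbers by hand. The config layout (space-separated specs inside double quotes, one line per key, as in the article's own lines) and the sample config are assumptions of this example.

```python
"""Keep OpenVZ device grants cumulative when editing a container config.

Added example, not code from the original article. A second `vzctl set
--devices` replaces the earlier grant, so this merges new DEVICES= and
DEVNODES= specs into the config text instead, and derives the c:major:minor
spec from the device node with os.stat. Assumed config layout, taken from the
article's own lines: space-separated specs inside double quotes, one line per
key. SAMPLE_CONF is constructed for this example.
"""
import os
import re
import stat


def devspec_for_path(path, mode="rw"):
    """'c:MAJOR:MINOR:MODE' (or 'b:...') for a device node, as --devices wants it."""
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        raise ValueError(f"{path} is not a device node")
    return f"{kind}:{os.major(st.st_rdev)}:{os.minor(st.st_rdev)}:{mode}"


def _get_list(config, key):
    m = re.search(rf'^{key}="([^"]*)"', config, re.M)
    return m.group(1).split() if m else []


def _set_list(config, key, specs):
    line = f'{key}="{" ".join(specs)} "'        # trailing space, as vzctl writes it
    if re.search(rf"^{key}=", config, re.M):
        return re.sub(rf"^{key}=.*$", lambda _m: line, config, count=1, flags=re.M)
    return config.rstrip("\n") + "\n" + line + "\n"


def _merge(old, new):
    """Union of specs keyed by device; a new spec for a known device replaces it."""
    by_dev = {}
    for spec in list(old) + list(new):
        dev, _, _mode = spec.rpartition(":")    # 'c:189:all:rw' -> 'c:189:all'
        by_dev[dev] = spec
    return list(by_dev.values())


def add_grants(config, devices=(), devnodes=()):
    """Return the config text with the given --devices / --devnodes specs added."""
    for key, new in (("DEVICES", devices), ("DEVNODES", devnodes)):
        merged = _merge(_get_list(config, key), new)
        if merged:
            config = _set_list(config, key, merged)
    return config


SAMPLE_CONF = 'ONBOOT="yes"\nDEVNODES="ttyUSB1:rw "\n'   # constructed sample

if __name__ == "__main__":
    print(add_grants(SAMPLE_CONF, devices=["c:189:all:rw"], devnodes=["sda4:rw"]))
```

`devspec_for_path("/dev/ttyUSB0", "r")` gives the exact spec for one node, which is preferable to `c:189:all:rw`, since the latter hands the container every USB device node on the host.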

4. Sound card passthrough (on-board or USB)

Largely the same as passing through an ordinary USB device, with a few differences.

On the hypervisor:

Install the kernel modules for sound

5. X passthrough

Enter the container with vzctl enter (not over SSH)

Create the symlink

rm /dev/tty0
ln -s /dev/tty1 /dev/tty0

Remove nscd if it is installed

aptitude remove nscd

Install the required packages

aptitude -R install xorg xserver-xorg-video-dummy xserver-xorg-input-kbd xserver-xorg-input-mouse alsa-base linux-sound-base libaudiofile0 dbus udev

Bring

/etc/X11/xorg.conf

to the following form

Section "InputDevice"
        Identifier      "Dummy Input"
        Driver          "void"
EndSection

Section "Device"
        Identifier      "Dummy Video"
        Driver          "dummy"
EndSection

Section "Monitor"
        Identifier      "Configured Monitor"
EndSection

Section "Screen"
        Identifier      "Default Screen"
        Monitor         "Configured Monitor"
        Device          "Dummy Video"
EndSection

Section "ServerLayout"
        Identifier      "Default Layout"
        Screen          "Default Screen"
        InputDevice     "Dummy Input"
EndSection

Start X

/usr/bin/X :<DISPLAY#>

where

6. Disk partition passthrough

Same principle as above, but done by name; for example, pass through sda4

vzctl set [VEID] --devnodes sda4:rw --save

The container then has raw read/write access to the partition: do not keep it mounted on the host at the same time, and treat the container as trusted with everything the partition holds.

7. Enabling tun/tap

If you want to run a VPN inside the container, there is no way around this.

Check whether the module is loaded

lsmod | grep tun

If not, load it

.13. pvesr – Proxmox VE Storage Replication

pvesr <COMMAND> [ARGS] [OPTIONS]

pvesr create-local-job <id> <target> [OPTIONS]

Create a new replication job

pvesr delete <id> [OPTIONS]

Mark replication job for removal.

pvesr disable <id>

Disable a replication job.

pvesr enable <id>

Enable a replication job.

pvesr finalize-local-job <id> [<extra-args>] [OPTIONS]

Finalize a replication job. This removes all replication snapshots with
timestamps different than <last_sync>.

pvesr help [OPTIONS]

Get help about specified command.

pvesr list

List replication jobs.

pvesr prepare-local-job <id> [<extra-args>] [OPTIONS]

Prepare for starting a replication job. This is called on the target node
before replication starts. This call is for internal use, and returns a JSON
object on stdout. The method first tests whether VM <vmid> resides on the local
node. If so, it stops immediately.

After that the method scans all volume IDs for snapshots, and removes all
replication snapshots with timestamps different than <last_sync>. It also
removes any unused volumes. Returns a hash with boolean markers for all volumes
with existing replication snapshots.

pvesr read <id>

Read replication job configuration.

pvesr run [OPTIONS]

This method is called by the systemd-timer and executes all (or a specific)
sync jobs.

pvesr schedule-now <id>

Schedule replication job to start as soon as possible.

pvesr set-state <vmid> <state>

Set the job replication state on migration. This call is for internal use.
It will accept the job state as a JSON object.

pvesr status [OPTIONS]

List status of all replication jobs on this node.

pvesr update <id> [OPTIONS]

Update replication job configuration.

.15. vzdump – Backup Utility for VMs and Containers

vzdump help

vzdump {<vmid>} [OPTIONS]

Create backup.

<vmid>: <string>

The ID of the guest system you want to backup.

--all <boolean> (default = 0)

Backup all known guest systems on this host.

--bwlimit <integer> (0 - N) (default = 0)

Limit I/O bandwidth (KBytes per second).

--compress <0 | 1 | gzip | lzo | zstd> (default = 0)

Compress dump file.

--dumpdir <string>

Store resulting files to specified directory.

--exclude <string>

Exclude specified guest systems (assumes --all)

--exclude-path <string>

Exclude certain files/directories (shell globs). Paths starting with / are anchored to the container's root, other paths match relative to each subdirectory.

--ionice <integer> (0 - 8) (default = 7)

Set CFQ ionice priority.

--lockwait <integer> (0 - N) (default = 180)

Maximal time to wait for the global lock (minutes).

--mailnotification <always | failure> (default = always)

Specify when to send an email

--mailto <string>

Comma-separated list of email addresses or users that should receive email notifications.

--maxfiles <integer> (1 - N)

Deprecated: use prune-backups instead. Maximal number of backup files per guest system.

--mode <snapshot | stop | suspend> (default = snapshot)

Backup mode.

--node <string>

Only run if executed on this node.

--notes-template <string>

Template string for generating notes for the backup(s). It can contain variables which will be replaced by their values. Currently supported are {{cluster}}, {{guestname}}, {{node}}, and {{vmid}}, but more might be added in the future.

--pigz <integer> (default = 0)

Use pigz instead of gzip when N>0. N=1 uses half of cores, N>1 uses N as thread count.

--pool <string>

Backup all known guest systems included in the specified pool.

--protected <boolean>

If true, mark backup(s) as protected.

--prune-backups [keep-all=<1|0>] [,keep-daily=<N>] [,keep-hourly=<N>] [,keep-last=<N>] [,keep-monthly=<N>] [,keep-weekly=<N>] [,keep-yearly=<N>] (default = keep-all=1)

Use these retention options instead of those from the storage configuration.

--quiet <boolean> (default = 0)

Be quiet.

--remove <boolean> (default = 1)

Prune older backups according to prune-backups.

--script <string>

Use specified hook script.

--stdexcludes <boolean> (default = 1)

Exclude temporary files and logs.

--stdout <boolean>

Write tar to stdout, not to a file.

--stop <boolean> (default = 0)

Stop running backup jobs on this host.

--stopwait <integer> (0 - N) (default = 10)

Maximal time to wait until a guest system is stopped (minutes).

--storage <string>

Store resulting file to this storage.

--tmpdir <string>

Store temporary files to specified directory.

--zstd <integer> (default = 1)

Zstd threads. N=0 uses half of the available cores, N>0 uses N as thread count.

.16. ha-manager – Proxmox VE HA Manager

ha-manager <COMMAND> [ARGS] [OPTIONS]

ha-manager add <sid> [OPTIONS]

Create a new HA resource.

ha-manager config [OPTIONS]

List HA resources.

ha-manager crm-command migrate <sid> <node>

Request resource migration (online) to another node.

ha-manager crm-command relocate <sid> <node>

Request resource relocation to another node. This stops the service on the
old node, and restarts it on the target node.

ha-manager crm-command stop <sid> <timeout>

Request the service to be stopped.

ha-manager groupadd <group> --nodes <string> [OPTIONS]

Create a new HA group.

ha-manager groupconfig

Get HA groups.

ha-manager groupremove <group>

Delete HA group configuration.

ha-manager groupset <group> [OPTIONS]

Update HA group configuration.

ha-manager help [OPTIONS]

Get help about specified command.

ha-manager migrate

An alias for ha-manager crm-command migrate.

ha-manager relocate

An alias for ha-manager crm-command relocate.

ha-manager remove <sid>

Delete resource configuration.

ha-manager set <sid> [OPTIONS]

Update resource configuration.

ha-manager status [OPTIONS]

Display HA manager status.

.2. pvesm – Proxmox VE Storage Manager

pvesm <COMMAND> [ARGS] [OPTIONS]

pvesm add <type> <storage> [OPTIONS]

Create a new storage.

<type>: <btrfs | cephfs | cifs | dir | glusterfs | iscsi | iscsidirect | lvm | lvmthin | nfs | pbs | rbd | zfs | zfspool>

Storage type.

<storage>: <string>

The storage identifier.

--authsupported <string>

Authsupported.

--base <string>

Base volume. This volume is automatically activated.

--blocksize <string>

block size

--bwlimit [clone=<LIMIT>] [,default=<LIMIT>] [,migration=<LIMIT>] [,move=<LIMIT>] [,restore=<LIMIT>]

Set bandwidth/io limits for various operations.

--comstar_hg <string>

host group for comstar views

--comstar_tg <string>

target group for comstar views

--content <string>

Allowed content types.

--data-pool <string>

Data Pool (for erasure coding only)

--datastore <string>

Proxmox Backup Server datastore name.

--disable <boolean>

Flag to disable the storage.

--domain <string>

CIFS domain.

--encryption-key a file containing an encryption key, or the special value "autogen"

Encryption key. Use autogen to generate one automatically without passphrase.

--export <string>

NFS export path.

--fingerprint ([A-Fa-f0-9]{2}:){31}[A-Fa-f0-9]{2}

Certificate SHA 256 fingerprint.

--format <string>

Default image format.

--fs-name <string>

The Ceph filesystem name.

--fuse <boolean>

Mount CephFS through FUSE.

--is_mountpoint <string> (default = no)

Assume the given path is an externally managed mountpoint and consider the storage offline if it is not mounted. Using a boolean (yes/no) value serves as a shortcut to using the target path in this field.

--iscsiprovider <string>

iscsi provider

--keyring file containing the keyring to authenticate in the Ceph cluster

Client keyring contents (for external clusters).

--krbd <boolean>

Always access rbd through krbd kernel module.

--lio_tpg <string>

target portal group for Linux LIO targets

--master-pubkey a file containing a PEM-formatted master public key

Base64-encoded, PEM-formatted public RSA key. Used to encrypt a copy of the encryption-key which will be added to each encrypted backup.

--max-protected-backups <integer> (-1 - N) (default = Unlimited for users with Datastore.Allocate privilege, 5 for other users)

Maximal number of protected backups per guest. Use -1 for unlimited.

--maxfiles <integer> (0 - N)

Deprecated: use prune-backups instead. Maximal number of backup files per VM. Use 0 for unlimited.

--mkdir <boolean> (default = yes)

Create the directory if it doesn't exist.

--monhost <string>

IP addresses of monitors (for external clusters).

--mountpoint <string>

mount point

--namespace <string>

RBD Namespace.

--nocow <boolean> (default = 0)

Set the NOCOW flag on files. Disables data checksumming and causes data errors to be unrecoverable, while allowing direct I/O. Only use this if data does not need to be any more safe than on a single ext4 formatted disk with no underlying raid system.

--nodes <string>

List of cluster node names.

--nowritecache <boolean>

disable write caching on the target

--options <string>

NFS mount options (see man nfs)

--password <password>

Password for accessing the share/datastore.

--path <string>

File system path.

--pool <string>

Pool.

--port <integer> (1 - 65535) (default = 8007)

For non default port.

--portal <string>

iSCSI portal (IP or DNS name with optional port).

--preallocation <falloc | full | metadata | off> (default = metadata)

Preallocation mode for raw and qcow2 images. Using metadata on raw images results in preallocation=off.

--prune-backups [keep-all=<1|0>] [,keep-daily=<N>] [,keep-hourly=<N>] [,keep-last=<N>] [,keep-monthly=<N>] [,keep-weekly=<N>] [,keep-yearly=<N>]

The retention options with shorter intervals are processed first, with --keep-last being the very first one. Each option covers a specific period of time. We say that backups within this period are covered by this option. The next option does not take care of already covered backups and only considers older backups.
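An added model, not Proxmox's own code: the retention rule described for --prune-backups above (the same options vzdump accepts with its own --prune-backups) is easy to misjudge by hand, so the function below applies it to a constructed list of backup timestamps and reports which backups survive. The period identifiers (hour, day, ISO week, month, year) and the keep-last-first processing order follow the description above; that the newest backup within a period is the one kept, and that a period already covered by an earlier option is skipped rather than counted, are assumptions made here to match how Proxmox behaves.

```python
"""Predict what `prune-backups` keeps for a given keep-* setting.

Added example, not Proxmox's own code. Models the documented rule: options
with shorter periods run first (keep-last, then hourly, daily, weekly,
monthly, yearly); each option keeps at most N periods; a period already
covered by a backup kept under an earlier option is skipped. Assumed here
(to match Proxmox): the newest backup in a period is the one kept, and an
older backup in the same period is marked for removal. SAMPLE is constructed.
"""
from datetime import datetime

# Period identifier per option, in the documented processing order.
PERIOD_ID = {
    "keep-last":    lambda t: t.isoformat(),          # every backup is its own period
    "keep-hourly":  lambda t: t.strftime("%Y/%m/%d/%H"),
    "keep-daily":   lambda t: t.strftime("%Y/%m/%d"),
    "keep-weekly":  lambda t: t.strftime("%G/%V"),     # ISO year/week
    "keep-monthly": lambda t: t.strftime("%Y/%m"),
    "keep-yearly":  lambda t: t.strftime("%Y"),
}


def prune_plan(times, keep):
    """Return {backup_time: "keep" | "remove"} for the given keep-* counts.

    `times` are backup timestamps (datetime); `keep` maps option -> count.
    keep-all=1 short-circuits everything, as the CLI default does.
    """
    if keep.get("keep-all"):
        return {t: "keep" for t in times}
    ordered = sorted(times, reverse=True)          # newest first
    mark = {}
    for option, id_of in PERIOD_ID.items():
        count = keep.get(option, 0)
        if count <= 0:
            continue
        # Periods already covered by a backup kept under an earlier option.
        covered = {id_of(t) for t in ordered if mark.get(t) == "keep"}
        selected = set()
        for t in ordered:
            if t in mark:                 # already decided by an earlier option
                continue
            pid = id_of(t)
            if pid in covered:            # period already has a survivor; not counted
                continue
            if pid not in selected:
                if len(selected) >= count:
                    break                 # this option's quota is used up
                selected.add(pid)
                mark[t] = "keep"          # newest backup of a new period
            else:
                mark[t] = "remove"        # older backup in the same period
    return {t: mark.get(t, "remove") for t in times}


def summarize(times, keep):
    """prune_plan keyed by ISO timestamp, convenient for printing and asserting."""
    return {t.isoformat(): m for t, m in prune_plan(times, keep).items()}


# Constructed sample: nightly backups with one extra midday run on 2024-03-10.
SAMPLE = [
    datetime(2024, 3, 10, 2), datetime(2024, 3, 10, 14), datetime(2024, 3, 9, 2),
    datetime(2024, 3, 8, 2), datetime(2024, 3, 7, 2), datetime(2024, 3, 1, 2),
    datetime(2024, 2, 15, 2), datetime(2024, 1, 20, 2), datetime(2023, 12, 31, 2),
]

if __name__ == "__main__":
    plan = summarize(SAMPLE, {"keep-last": 2, "keep-daily": 3, "keep-monthly": 2})
    for stamp, decision in sorted(plan.items()):
        print(stamp, decision)
```

With keep-last=2,keep-daily=3,keep-monthly=2 the 2024-03-01 backup is removed even though keep-monthly=2 is in effect: March is already covered by the daily survivors, so the monthly quota is spent on February and January instead, and 2023-12-31 falls outside it.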

--saferemove <boolean>

Zero-out data when removing LVs.

--saferemove_throughput <string>

Wipe throughput (cstream -t parameter value).

--server <string>

Server IP or DNS name.

--server2 <string>

Backup volfile server IP or DNS name.

--share <string>

CIFS share.

--shared <boolean>

Mark storage as shared.

--smbversion <2.0 | 2.1 | 3 | 3.0 | 3.11 | default> (default = default)

SMB protocol version. default if not set, negotiates the highest SMB2 version supported by both the client and server.

--sparse <boolean>

use sparse volumes

--subdir <string>

Subdir to mount.

--tagged_only <boolean>

Only use logical volumes tagged with pve-vm-ID.

--target <string>

iSCSI target.

--thinpool <string>

LVM thin pool LV name.

--transport <rdma | tcp | unix>

Gluster transport: tcp or rdma

--username <string>

RBD Id.

--vgname <string>

Volume group name.

--volume <string>

Glusterfs Volume.


pvesm alloc <storage> <vmid> <filename> <size> [OPTIONS]

Allocate disk images.

pvesm apiinfo

Returns APIVER and APIAGE.

pvesm cifsscan

An alias for pvesm scan cifs.

pvesm export <volume> <format> <filename> [OPTIONS]

Used internally to export a volume.

pvesm extractconfig <volume>

Extract configuration from vzdump backup archive.

pvesm free <volume> [OPTIONS]

Delete volume

pvesm glusterfsscan

An alias for pvesm scan glusterfs.

pvesm help [OPTIONS]

Get help about specified command.

pvesm import <volume> <format> <filename> [OPTIONS]

Used internally to import a volume.

pvesm iscsiscan

An alias for pvesm scan iscsi.

pvesm list <storage> [OPTIONS]

List storage content.

pvesm lvmscan

An alias for pvesm scan lvm.

pvesm lvmthinscan

An alias for pvesm scan lvmthin.

pvesm nfsscan

An alias for pvesm scan nfs.

pvesm path <volume>

Get filesystem path for specified volume

pvesm prune-backups <storage> [OPTIONS]

Prune backups. Only those using the standard naming scheme are considered.
If no keep options are specified, those from the storage configuration are
used.

pvesm remove <storage>

Delete storage configuration.

pvesm scan cifs <server> [OPTIONS]

Scan remote CIFS server.

pvesm scan glusterfs <server>

Scan remote GlusterFS server.

pvesm scan iscsi <portal>

Scan remote iSCSI server.

pvesm scan lvm

List local LVM volume groups.

pvesm scan lvmthin <vg>

List local LVM Thin Pools.

pvesm scan nfs <server>

Scan remote NFS server.

.5. pveceph – Manage CEPH Services on Proxmox VE Nodes

pveceph <COMMAND> [ARGS] [OPTIONS]

pveceph createmgr

An alias for pveceph mgr create.

pveceph createmon

An alias for pveceph mon create.

pveceph createosd

An alias for pveceph osd create.

pveceph createpool

An alias for pveceph pool create.

pveceph destroymgr

An alias for pveceph mgr destroy.

pveceph destroymon

An alias for pveceph mon destroy.

pveceph destroyosd

An alias for pveceph osd destroy.

pveceph destroypool

An alias for pveceph pool destroy.

pveceph fs create [OPTIONS]

Create a Ceph filesystem

pveceph fs destroy <name> [OPTIONS]

Destroy a Ceph filesystem

pveceph help [OPTIONS]

Get help about specified command.

pveceph init [OPTIONS]

Create initial ceph default configuration and setup symlinks.

pveceph install [OPTIONS]

Install ceph related packages.

pveceph lspools

An alias for pveceph pool ls.

pveceph mds create [OPTIONS]

Create Ceph Metadata Server (MDS)

pveceph mds destroy <name>

Destroy Ceph Metadata Server

pveceph mgr create [OPTIONS]

Create Ceph Manager

pveceph mgr destroy <id>

Destroy Ceph Manager.

pveceph mon create [OPTIONS]

Create Ceph Monitor and Manager

pveceph mon destroy <monid>

Destroy Ceph Monitor and Manager.

pveceph osd create <dev> [OPTIONS]

Create OSD

pveceph osd destroy <osdid> [OPTIONS]

Destroy OSD

pveceph pool create <name> [OPTIONS]

Create Ceph pool

pveceph pool destroy <name> [OPTIONS]

Destroy pool

pveceph pool get <name> [OPTIONS] [FORMAT_OPTIONS]

List pool settings.

pveceph pool ls [FORMAT_OPTIONS]

List all pools.

pveceph pool set <name> [OPTIONS]

Change POOL settings

pveceph purge [OPTIONS]

Destroy ceph related data and configuration files.

pveceph start [OPTIONS]

Start ceph services.

pveceph status

Get Ceph Status.

pveceph stop [OPTIONS]

Stop ceph services.

.6. pvenode – Proxmox VE Node Management

pvenode <COMMAND> [ARGS] [OPTIONS]

pvenode acme account deactivate [<name>]

Deactivate existing ACME account at CA.

pvenode acme account info [<name>] [FORMAT_OPTIONS]

Return existing ACME account information.

pvenode acme account list

ACMEAccount index.

pvenode acme account register [<name>] {<contact>} [OPTIONS]

Register a new ACME account with a compatible CA.

pvenode acme account update [<name>] [OPTIONS]

Update existing ACME account information with CA. Note: not specifying any
new account information triggers a refresh.

pvenode acme cert order [OPTIONS]

Order a new certificate from ACME-compatible CA.

pvenode acme cert renew [OPTIONS]

Renew existing certificate from CA.

pvenode acme cert revoke

Revoke existing certificate from CA.

pvenode acme plugin add <type> <id> [OPTIONS]

Add ACME plugin configuration.

pvenode acme plugin config <id> [FORMAT_OPTIONS]

Get ACME plugin configuration.

pvenode acme plugin list [OPTIONS] [FORMAT_OPTIONS]

ACME plugin index.

pvenode acme plugin remove <id>

Delete ACME plugin configuration.

pvenode acme plugin set <id> [OPTIONS]

Update ACME plugin configuration.

pvenode cert delete [<restart>]

DELETE custom certificate chain and key.

pvenode cert info [FORMAT_OPTIONS]

Get information about node's certificates.

pvenode cert set <certificates> [<key>] [OPTIONS] [FORMAT_OPTIONS]

Upload or update custom certificate chain and key.

pvenode config get [OPTIONS]

Get node configuration options.

pvenode config set [OPTIONS]

Set node configuration options.

pvenode help [OPTIONS]

Get help about specified command.

pvenode migrateall <target> [OPTIONS]

Migrate all VMs and Containers.

pvenode startall [OPTIONS]

Start all VMs and containers located on this node (by default only those
with onboot=1).

pvenode stopall [OPTIONS]

Stop all VMs and Containers.

pvenode task list [OPTIONS] [FORMAT_OPTIONS]

Read task list for one node (finished tasks).

pvenode task log <upid> [OPTIONS]

Read task log.

pvenode task status <upid> [FORMAT_OPTIONS]

Read task status.

pvenode wakeonlan <node>

Try to wake a node via wake on LAN network packet.

.8. qm – Qemu/KVM Virtual Machine Manager

qm <COMMAND> [ARGS] [OPTIONS]

qm agent

An alias for qm guest cmd.

qm cleanup <vmid> <clean-shutdown> <guest-requested>

Cleans up resources like tap devices, vgpus, etc. Called after a vm shuts
down, crashes, etc.

qm clone <vmid> <newid> [OPTIONS]

Create a copy of virtual machine/template.

qm cloudinit dump <vmid> <type>

Get automatically generated cloudinit config.

qm config <vmid> [OPTIONS]

Get the virtual machine configuration with pending configuration changes
applied. Set the current parameter to get the current configuration
instead.

qm create <vmid> [OPTIONS]

Create or restore a virtual machine.

<vmid>: <integer> (1 - N)

The (unique) ID of the VM.

--acpi <boolean> (default = 1)

Enable/disable ACPI.

--agent [enabled=]<1|0> [,fstrim_cloned_disks=<1|0>] [,type=<virtio|isa>]

Enable/disable communication with the Qemu Guest Agent and its properties.

--arch <aarch64 | x86_64>

Virtual processor architecture. Defaults to the host.

--archive <string>

The backup archive. Either the file system path to a .tar or .vma file (use - to pipe data from stdin) or a proxmox storage backup volume identifier.

--args <string>

Arbitrary arguments passed to kvm.

--audio0 device=<ich9-intel-hda|intel-hda|AC97> [,driver=<spice|none>]

Configure an audio device, useful in combination with QXL/Spice.

--autostart <boolean> (default = 0)

Automatic restart after crash (currently ignored).

--balloon <integer> (0 - N)

Amount of target RAM for the VM in MB. Using zero disables the balloon driver.

--bios <ovmf | seabios> (default = seabios)

Select BIOS implementation.

--boot [[legacy=]<[acdn]{1,4}>] [,order=<device[;device...]>]

Specify guest boot order. Use the order= sub-property, as usage with no key or legacy= is deprecated.

--bootdisk (ide|sata|scsi|virtio)\d+

Enable booting from specified disk. Deprecated: Use boot: order=foo;bar instead.

--bwlimit <integer> (0 - N) (default = restore limit from datacenter or storage config)

Override I/O bandwidth limit (in KiB/s).

--cdrom <volume>

This is an alias for option -ide2

--cicustom [meta=<volume>] [,network=<volume>] [,user=<volume>] [,vendor=<volume>]

cloud-init: Specify custom files to replace the automatically generated ones at start.

--cipassword <password>

cloud-init: Password to assign the user. Using this is generally not recommended. Use ssh keys instead. Also note that older cloud-init versions do not support hashed passwords.

--citype <configdrive2 | nocloud | opennebula>

Specifies the cloud-init configuration format. The default depends on the configured operating system type (ostype). We use the nocloud format for Linux, and configdrive2 for windows.

--ciuser <string>

cloud-init: User name to change ssh keys and password for instead of the image's configured default user.

--cores <integer> (1 - N) (default = 1)

The number of cores per socket.

--cpu [[cputype=]<string>] [,flags=<+FLAG[;-FLAG...]>] [,hidden=<1|0>] [,hv-vendor-id=<vendor-id>] [,phys-bits=<8-64|host>] [,reported-model=<enum>]

Emulated CPU type.

--cpulimit <number> (0 - 128) (default = 0)

Limit of CPU usage.

--cpuunits <integer> (1 - 262144) (default = cgroup v1: 1024, cgroup v2: 100)

CPU weight for a VM, will be clamped to [1, 10000] in cgroup v2.

--description <string>

Description for the VM. Shown in the web-interface VM's summary. This is saved as comment inside the configuration file.

--efidisk0 [file=]<volume> [,efitype=<2m|4m>] [,format=<enum>] [,import-from=<source volume>] [,pre-enrolled-keys=<1|0>] [,size=<DiskSize>]

Configure a Disk for storing EFI vars. Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. Note that SIZE_IN_GiB is ignored here and that the default EFI vars are copied to the volume instead. Use STORAGE_ID:0 and the import-from parameter to import from an existing volume.

--force <boolean>

Allow to overwrite existing VM.

--freeze <boolean>

Freeze CPU at startup (use c monitor command to start execution).

--hookscript <string>

Script that will be executed during various steps in the vms lifetime.

--hostpci[n] [host=]<HOSTPCIID[;HOSTPCIID2...]> [,device-id=<hex id>] [,legacy-igd=<1|0>] [,mdev=<string>] [,pcie=<1|0>] [,rombar=<1|0>] [,romfile=<string>] [,sub-device-id=<hex id>] [,sub-vendor-id=<hex id>] [,vendor-id=<hex id>] [,x-vga=<1|0>]

Map host PCI devices into guest. The guest then drives the device directly, so isolation between it and the rest of the host rests on the IOMMU.

--hotplug <string> (default = network,disk,usb)

Selectively enable hotplug features. This is a comma separated list of hotplug features: network, disk, cpu, memory and usb. Use 0 to disable hotplug completely. Using 1 as value is an alias for the default network,disk,usb.

--hugepages <1024 | 2 | any>

Enable/disable hugepages memory.

--ide[n] [file=]<volume> [,aio=<native|threads|io_uring>] [,backup=<1|0>] [,bps=<bps>] [,bps_max_length=<seconds>] [,bps_rd=<bps>] [,bps_rd_max_length=<seconds>] [,bps_wr=<bps>] [,bps_wr_max_length=<seconds>] [,cache=<enum>] [,cyls=<integer>] [,detect_zeroes=<1|0>] [,discard=<ignore|on>] [,format=<enum>] [,heads=<integer>] [,import-from=<source volume>] [,iops=<iops>] [,iops_max=<iops>] [,iops_max_length=<seconds>] [,iops_rd=<iops>] [,iops_rd_max=<iops>] [,iops_rd_max_length=<seconds>] [,iops_wr=<iops>] [,iops_wr_max=<iops>] [,iops_wr_max_length=<seconds>] [,mbps=<mbps>] [,mbps_max=<mbps>] [,mbps_rd=<mbps>] [,mbps_rd_max=<mbps>] [,mbps_wr=<mbps>] [,mbps_wr_max=<mbps>] [,media=<cdrom|disk>] [,model=<model>] [,replicate=<1|0>] [,rerror=<ignore|report|stop>] [,secs=<integer>] [,serial=<serial>] [,shared=<1|0>] [,size=<DiskSize>] [,snapshot=<1|0>] [,ssd=<1|0>] [,trans=<none|lba|auto>] [,werror=<enum>] [,wwn=<wwn>]

Use volume as IDE hard disk or CD-ROM (n is 0 to 3). Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. Use STORAGE_ID:0 and the import-from parameter to import from an existing volume.

--ipconfig[n] [gw=<GatewayIPv4>] [,gw6=<GatewayIPv6>] [,ip=<IPv4Format/CIDR>] [,ip6=<IPv6Format/CIDR>]

cloud-init: Specify IP addresses and gateways for the corresponding interface.

IP addresses use CIDR notation, gateways are optional but need an IP of the same type specified.

The special string dhcp can be used for IP addresses to use DHCP, in which case no explicit gateway should be provided. For IPv6 the special string auto can be used to use stateless autoconfiguration. This requires cloud-init 19.4 or newer.

If cloud-init is enabled and neither an IPv4 nor an IPv6 address is specified, it defaults to using dhcp on IPv4.

--ivshmem size=<integer> [,name=<string>]

Inter-VM shared memory. Useful for direct communication between VMs, or to the host.

--keephugepages <boolean> (default = 0)

Use together with hugepages. If enabled, hugepages will not be deleted after VM shutdown and can be used for subsequent starts.

--keyboard <da | de | de-ch | en-gb | en-us | es | fi | fr | fr-be | fr-ca | fr-ch | hu | is | it | ja | lt | mk | nl | no | pl | pt | pt-br | sl | sv | tr>

Keyboard layout for VNC server. This option is generally not required and is often better handled from within the guest OS.

--kvm <boolean> (default = 1)

Enable/disable KVM hardware virtualization.

--live-restore <boolean>

Start the VM immediately from the backup and restore in background. PBS only.

--localtime <boolean>

Set the real time clock (RTC) to local time. This is enabled by default if the ostype indicates a Microsoft Windows OS.

--lock <backup | clone | create | migrate | rollback | snapshot | snapshot-delete | suspended | suspending>

Lock/unlock the VM.

--machine (pc|pc(-i440fx)?-\d+(\.\d+)+(\+pve\d+)?(\.pxe)?|q35|pc-q35-\d+(\.\d+)+(\+pve\d+)?(\.pxe)?|virt(?:-\d+(\.\d+)+)?(\+pve\d+)?)

Specifies the Qemu machine type.

--memory <integer> (16 - N) (default = 512)

Amount of RAM for the VM in MB. This is the maximum available memory when you use the balloon device.

--migrate_downtime <number> (0 - N) (default = 0.1)

Set maximum tolerated downtime (in seconds) for migrations.

--migrate_speed <integer> (0 - N) (default = 0)

Set maximum speed (in MB/s) for migrations. Value 0 is no limit.

--name <string>

Set a name for the VM. Only used on the configuration web interface.

--nameserver <string>

cloud-init: Sets DNS server IP address for a container. Create will automatically use the setting from the host if neither searchdomain nor nameserver are set.

--net[n] [model=]<enum> [,bridge=<bridge>] [,firewall=<1|0>] [,link_down=<1|0>] [,macaddr=<XX:XX:XX:XX:XX:XX>] [,mtu=<integer>] [,queues=<integer>] [,rate=<number>] [,tag=<integer>] [,trunks=<vlanid[;vlanid...]>] [,<model>=<macaddr>]

Specify network devices.

--numa <boolean> (default = 0)

Enable/disable NUMA.

--numa[n] cpus=<id[-id];...> [,hostnodes=<id[-id];...>] [,memory=<number>] [,policy=<preferred|bind|interleave>]

NUMA topology.

--onboot <boolean> (default = 0)

Specifies whether a VM will be started during system bootup.

--ostype <l24 | l26 | other | solaris | w2k | w2k3 | w2k8 | win10 | win11 | win7 | win8 | wvista | wxp>

Specify guest operating system.

--parallel[n] /dev/parport\d+|/dev/usb/lp\d+

Map host parallel devices (n is 0 to 2).

--pool <string>

Add the VM to the specified pool.

--protection <boolean> (default = 0)

Sets the protection flag of the VM. This will disable the remove VM and remove disk operations.

--reboot <boolean> (default = 1)

Allow reboot. If set to 0 the VM exits on reboot.

--rng0 [source=]</dev/urandom|/dev/random|/dev/hwrng> [,max_bytes=<integer>] [,period=<integer>]

Configure a VirtIO-based Random Number Generator.

--sata[n] [file=]<volume> [,aio=<native|threads|io_uring>] [,backup=<1|0>] [,bps=<bps>] [,bps_max_length=<seconds>] [,bps_rd=<bps>] [,bps_rd_max_length=<seconds>] [,bps_wr=<bps>] [,bps_wr_max_length=<seconds>] [,cache=<enum>] [,cyls=<integer>] [,detect_zeroes=<1|0>] [,discard=<ignore|on>] [,format=<enum>] [,heads=<integer>] [,import-from=<source volume>] [,iops=<iops>] [,iops_max=<iops>] [,iops_max_length=<seconds>] [,iops_rd=<iops>] [,iops_rd_max=<iops>] [,iops_rd_max_length=<seconds>] [,iops_wr=<iops>] [,iops_wr_max=<iops>] [,iops_wr_max_length=<seconds>] [,mbps=<mbps>] [,mbps_max=<mbps>] [,mbps_rd=<mbps>] [,mbps_rd_max=<mbps>] [,mbps_wr=<mbps>] [,mbps_wr_max=<mbps>] [,media=<cdrom|disk>] [,replicate=<1|0>] [,rerror=<ignore|report|stop>] [,secs=<integer>] [,serial=<serial>] [,shared=<1|0>] [,size=<DiskSize>] [,snapshot=<1|0>] [,ssd=<1|0>] [,trans=<none|lba|auto>] [,werror=<enum>] [,wwn=<wwn>]

Use volume as SATA hard disk or CD-ROM (n is 0 to 5). Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. Use STORAGE_ID:0 and the import-from parameter to import from an existing volume.

--scsi[n] [file=]<volume> [,aio=<native|threads|io_uring>] [,backup=<1|0>] [,bps=<bps>] [,bps_max_length=<seconds>] [,bps_rd=<bps>] [,bps_rd_max_length=<seconds>] [,bps_wr=<bps>] [,bps_wr_max_length=<seconds>] [,cache=<enum>] [,cyls=<integer>] [,detect_zeroes=<1|0>] [,discard=<ignore|on>] [,format=<enum>] [,heads=<integer>] [,import-from=<source volume>] [,iops=<iops>] [,iops_max=<iops>] [,iops_max_length=<seconds>] [,iops_rd=<iops>] [,iops_rd_max=<iops>] [,iops_rd_max_length=<seconds>] [,iops_wr=<iops>] [,iops_wr_max=<iops>] [,iops_wr_max_length=<seconds>] [,iothread=<1|0>] [,mbps=<mbps>] [,mbps_max=<mbps>] [,mbps_rd=<mbps>] [,mbps_rd_max=<mbps>] [,mbps_wr=<mbps>] [,mbps_wr_max=<mbps>] [,media=<cdrom|disk>] [,queues=<integer>] [,replicate=<1|0>] [,rerror=<ignore|report|stop>] [,ro=<1|0>] [,scsiblock=<1|0>] [,secs=<integer>] [,serial=<serial>] [,shared=<1|0>] [,size=<DiskSize>] [,snapshot=<1|0>] [,ssd=<1|0>] [,trans=<none|lba|auto>] [,werror=<enum>] [,wwn=<wwn>]

Use volume as SCSI hard disk or CD-ROM (n is 0 to 30). Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. Use STORAGE_ID:0 and the import-from parameter to import from an existing volume.

--scsihw <lsi | lsi53c810 | megasas | pvscsi | virtio-scsi-pci | virtio-scsi-single> (default = lsi)

SCSI controller model

--searchdomain <string>

cloud-init: Sets DNS search domains for a container. Create will automatically use the setting from the host if neither searchdomain nor nameserver are set.

--serial[n] (/dev/.+|socket)

Create a serial device inside the VM (n is 0 to 3)

--shares <integer> (0 - 50000) (default = 1000)

Amount of memory shares for auto-ballooning. The larger the number is, the more memory this VM gets. Number is relative to weights of all other running VMs. Using zero disables auto-ballooning. Auto-ballooning is done by pvestatd.

--smbios1 [base64=<1|0>] [,family=<Base64 encoded string>] [,manufacturer=<Base64 encoded string>] [,product=<Base64 encoded string>] [,serial=<Base64 encoded string>] [,sku=<Base64 encoded string>] [,uuid=<UUID>] [,version=<Base64 encoded string>]

Specify SMBIOS type 1 fields.

--smp <integer> (1 - N) (default = 1)

The number of CPUs. Please use option -sockets instead.

--sockets <integer> (1 - N) (default = 1)

The number of CPU sockets.

--spice_enhancements [foldersharing=<1|0>] [,videostreaming=<off|all|filter>]

Configure additional enhancements for SPICE.

--sshkeys <filepath>

cloud-init: Setup public SSH keys (one key per line, OpenSSH format).

--start <boolean> (default = 0)

Start VM after it was created successfully.

--startdate (now | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS) (default = now)

Set the initial date of the real time clock. Valid formats for the date are: now or 2006-06-17T16:01:21 or 2006-06-17.

--startup `[[order=]\d+] [,up=\d+] [,down=\d+] `

Startup and shutdown behavior. Order is a non-negative number defining the general startup order. Shutdown is done with reverse ordering. Additionally you can set the up or down delay in seconds, which specifies a delay to wait before the next VM is started or stopped.

--storage <string>

Default storage.

--tablet <boolean> (default = 1)

Enable/disable the USB tablet device.

--tags <string>

Tags of the VM. This is only meta information.

--tdf <boolean> (default = 0)

Enable/disable time drift fix.

--template <boolean> (default = 0)

Enable/disable Template.

--tpmstate0 [file=]<volume> [,import-from=<source volume>] [,size=<DiskSize>] [,version=<v1.2|v2.0>]

Configure a Disk for storing TPM state. The format is fixed to raw. Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. Note that SIZE_IN_GiB is ignored here and 4 MiB will be used instead. Use STORAGE_ID:0 and the import-from parameter to import from an existing volume.

--unique <boolean>

Assign a unique random ethernet address.

--unused[n] [file=]<volume>

Reference to unused volumes. This is used internally, and should not be modified manually.

--usb[n] [host=]<HOSTUSBDEVICE|spice> [,usb3=<1|0>]

Configure a USB device (n is 0 to 4).

--vcpus <integer> (1 - N) (default = 0)

Number of hotplugged vcpus.

--vga [[type=]<enum>] [,memory=<integer>]

Configure the VGA hardware.

--virtio[n] [file=]<volume> [,aio=<native|threads|io_uring>] [,backup=<1|0>] [,bps=<bps>] [,bps_max_length=<seconds>] [,bps_rd=<bps>] [,bps_rd_max_length=<seconds>] [,bps_wr=<bps>] [,bps_wr_max_length=<seconds>] [,cache=<enum>] [,cyls=<integer>] [,detect_zeroes=<1|0>] [,discard=<ignore|on>] [,format=<enum>] [,heads=<integer>] [,import-from=<source volume>] [,iops=<iops>] [,iops_max=<iops>] [,iops_max_length=<seconds>] [,iops_rd=<iops>] [,iops_rd_max=<iops>] [,iops_rd_max_length=<seconds>] [,iops_wr=<iops>] [,iops_wr_max=<iops>] [,iops_wr_max_length=<seconds>] [,iothread=<1|0>] [,mbps=<mbps>] [,mbps_max=<mbps>] [,mbps_rd=<mbps>] [,mbps_rd_max=<mbps>] [,mbps_wr=<mbps>] [,mbps_wr_max=<mbps>] [,media=<cdrom|disk>] [,replicate=<1|0>] [,rerror=<ignore|report|stop>] [,ro=<1|0>] [,secs=<integer>] [,serial=<serial>] [,shared=<1|0>] [,size=<DiskSize>] [,snapshot=<1|0>] [,trans=<none|lba|auto>] [,werror=<enum>]

Use volume as VIRTIO hard disk (n is 0 to 15). Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. Use STORAGE_ID:0 and the import-from parameter to import from an existing volume.

–vmgenid<UUID> (default =1 (autogenerated))

Set VM Generation ID. Use 1 to autogenerate on create or update, pass 0 to disable explicitly.

–vmstatestorage<string>

Default storage for VM state volumes/files.

–watchdog[[model=]<i6300esb|ib700>] [,action=<enum>]

Create a virtual hardware watchdog device.


qm delsnapshot <vmid> <snapname> [OPTIONS]

Delete a VM snapshot.

qm destroy <vmid> [OPTIONS]

Destroy the VM and all used/owned volumes. Removes any VM specific permissions and firewall rules.

qm guest cmd <vmid> <command>

Execute Qemu Guest Agent commands.

qm guest exec <vmid> [<extra-args>] [OPTIONS]

Executes the given command via the guest agent.

qm guest exec-status <vmid> <pid>

Gets the status of the given pid started by the guest-agent.

Miscellaneous

Correct time zone inside containers

mv /etc/localtime  /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date

Removing the useless message (the subscription notice) shown when logging in to the hypervisor via the web interface.

In the file
/usr/share/pve-manager/ext4/pvemanagerlib.js
find the line

if (data.status !== 'Active') {

and replace it with

if (data.status == 'Active') {

Sometimes quotas misbehave:
Proxmox: 'exit code 60' - corrupt quota file
and the container will not start.

Simply restart the quota:

vzquota off  [VEID]
vzquota : (error) Quota is not running for id  [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id  [VEID]
vzquota on  [VEID]

If quorum is lost (cluster not ready - no quorum) but you still need to work with what is left of the cluster,

set the expected quorum size to the number of nodes currently alive (`e` is short for `pvecm expected`):

pvecm e <number of live nodes>

OpenVZ management commands
Start container [VEID]

vzctl start  [VEID]

Enter the guest OS

vzctl enter  [VEID]

Stop

vzctl stop  [VEID]

Restart

vzctl restart  [VEID]

Delete

vzctl destroy  [VEID]

Show status

vzlist -a

If anyone has run into other non-standard situations when working with containers, I would be glad to add them to my notes in case I encounter them later.

UPD-1: VLAN passthrough

VLANs are passed into a container in two stages. I will show it using VLANs 151, 152 and 666 as an example.

On the hypervisor: in /etc/network/interfaces

In the container:

There is another way to pass VLANs through, but I use this one because it conveniently lets the same VLAN be used in several containers, which is often needed.


Add camera to lxc container

root@proxmox:~# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 046d:0825 Logitech, Inc. Webcam C270
Bus 001 Device 003: ID 8087:0aa7 Intel Corp.
Bus 001 Device 002: ID 26ce:01a2
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

root@proxmox:~# ls -al /dev/camera0
lrwxrwxrwx 1 root root 6 Oct 27 14:01 /dev/camera0 -> video0
root@proxmox:~# ls -al /dev/bus/usb/001/004
crw-rw-rw- 1 root video 189, 3 Oct 27 14:01 /dev/bus/usb/001/004

root@proxmox:~# vi /etc/pve/nodes/proxmox/lxc/103.conf

Add

lxc.cgroup.devices.allow: c 189:3 rwm
lxc.cgroup.devices.allow: c 81:0 rwm
lxc.mount.entry: /dev/bus/usb/001/004 dev/bus/usb/001/004 none bind,optional,create=file
lxc.mount.entry: /dev/camera0 dev/camera0 none bind,optional,create=file
lxc.mount.entry: /dev/video0 dev/video0 none bind,optional,create=file

^^^ not sure if the USB mount entry is really needed…
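The two config lines above can be derived mechanically from the `lsusb` listing, because every node under /dev/bus/usb has character major 189 and minor (bus-1)*128 + (dev-1), which is exactly the 189:3 seen for bus 001 device 004. This is an added example, not code from the original article; the function names are my own and the lsusb output is a constructed copy of the listing above.

```shell
#!/bin/sh
# Added example, not from the original article: turn a USB device's
# lsusb ID into the lxc.cgroup.devices.allow / lxc.mount.entry lines
# for a Proxmox LXC config. /dev/bus/usb nodes always use character
# major 189 and minor (bus-1)*128 + (dev-1), so bus 001 device 004
# is 189:3, matching the listing above.

# Constructed sample of lsusb output (copied from the listing above).
LSUSB_SAMPLE='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 046d:0825 Logitech, Inc. Webcam C270
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# usb_bus_dev VENDOR:PRODUCT [LSUSB_OUTPUT]
# Prints "BUS DEV" (zero-padded, as used in the /dev/bus/usb path) for
# the first matching device; runs lsusb itself when no output is given.
usb_bus_dev() {
    out=${2:-$(lsusb)}
    printf '%s\n' "$out" |
        awk -v id="$1" '$6 == id { sub(/:$/, "", $4); print $2, $4; exit }'
}

# usb_minor BUS DEV -> minor number of /dev/bus/usb/BUS/DEV
usb_minor() {
    awk -v b="$1" -v d="$2" 'BEGIN { print (b - 1) * 128 + (d - 1) }'
}

# lxc_usb_entries VENDOR:PRODUCT [LSUSB_OUTPUT]
# Prints the allow-list and bind-mount lines to add to <CTID>.conf.
lxc_usb_entries() {
    set -- "$1" "${2:-$(lsusb)}"
    bd=$(usb_bus_dev "$1" "$2")
    [ -n "$bd" ] || { echo "device $1 not found" >&2; return 1; }
    bus=${bd% *}; dev=${bd#* }
    node="/dev/bus/usb/$bus/$dev"
    echo "lxc.cgroup.devices.allow: c 189:$(usb_minor "$bus" "$dev") rwm"
    echo "lxc.mount.entry: $node ${node#/} none bind,optional,create=file"
}

# Stand-alone demo on the constructed sample:
lxc_usb_entries 046d:0825 "$LSUSB_SAMPLE"
```

On hosts running cgroup v2 (Proxmox VE 7 and later) the allow-list key is `lxc.cgroup2.devices.allow` instead; the minor arithmetic is unchanged.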

Assign the webcam a consistent Linux device name so that any USB port can be used

Camera: Logitech C270

Test camera

apt-get install fswebcam

root@proxmox:~# fswebcam -r 640x480 --jpeg 85 -D 1 -d /dev/camera0 test1.jpg
--- Opening /dev/camera0...
Trying source module v4l2...
/dev/camera0 opened.
No input was specified, using the first.
Delaying 1 seconds.
--- Capturing frame...
Captured frame in 0.00 seconds.
--- Processing captured image...
Setting output format to JPEG, quality 85
Writing JPEG image to 'test1.jpg'.

USB device passthrough in Proxmox VE KVM: do less!

I scoured the whole internet looking for it, and the answer turned out to be right at hand, in man qm

VM CONFIGURATION
Each VM is identified by an unique ID (integer). Configuration for a VM is
stored at "/etc/qemu-server/ID.conf"

Currently, the following parameters are supported:

...

-usb[n] host=HOSTUSBDEVICE

Configure an USB device (n is 0 to 4). This can be used to
pass-through usb devices to the guest. HOSTUSBDEVICE syntax
is:

'bus-port(.port)*' (decimal numbers) or
'vendor_id:product_id' (hexadecimal numbers)

You can use the 'lsusb -t' command to list existing usb
devices.

Note: This option allows direct access to host hardware. So it
is no longer possible to migrate such machines - use with
special care.

# lsusb
Bus 001 Device 004: ID 21dd:2112 Kingston Technology
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

In the file /etc/pve/qemu-server/ID.conf

add the line:
usb1:  host=21dd:2112

Reboot the virtual machine and the USB device should become available.

Firewall

By default the firewall inside containers is very limited in functionality; let's fix that.

nano /etc/vz/vz.conf

Comment out the current IPTABLES line and add in its place

IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"

save and restart VZ

/etc/init.d/vz restart

After this we can properly configure the firewall inside containers.

Also load the firewall-related modules at kernel boot on the hypervisor (a redundant step, but just in case)

nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop

Firewall on the hypervisor itself

An example of a complete firewall script for the hypervisor (the original article hides it under a spoiler):

#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables.sh
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: My firewall
# Description:       Rico-X FIREWALL
### END INIT INFO

# /etc/init.d/iptables

IPT=/sbin/iptables

case "$1" in
start)
echo "Starting iptables"

sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0

# Start from a clean ruleset so the script can be re-run safely
$IPT -F
$IPT -X

# Default policy: drop incoming connections to the server
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Allow inbound packets that belong to already established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow everything on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT

# Allow everything from the internal network
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Open what the cluster needs (corosync multicast)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

# Drop new inbound TCP connections that do not start with a SYN packet
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

# SYN flood limiting; the jump must come before the service ports are
# accepted, otherwise SYNs to those ports never reach this chain
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP

# Limit new SSH connections (no more than 4 per minute); the recent
# rules must precede the ACCEPT below, or the ACCEPT matches first
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Open the required services
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel

# Block NetBIOS name requests
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP

# Allow specific ICMP packets (echo request, time exceeded)
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# Drop everything in an invalid state
$IPT -A INPUT -m state --state INVALID -j DROP

# Allow DHCP replies through iptables
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT

# Block port scanners
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# Anti-spoofing: drop invalid TCP flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

;;
stop)
echo "Stopping iptables"

$IPT -F
$IPT -X

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac

exit 0
