Hi there!
On host - debian 10.5 (4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24)), lxc 3.0.3
On container - centos 6.10
Try to add an iptables rule inside container:
# iptables -I INPUT -p udp -m udp --dport 80:81 -m string --string "OLOLO" --algo bm -j DROP
FATAL: Could not load /lib/modules/4.19.0-10-amd64/modules.dep: No such file or directory
# depmod -ae
WARNING: Couldn't open directory /lib/modules/4.19.0-10-amd64: No such file or directory
FATAL: Could not open /lib/modules/4.19.0-10-amd64/modules.dep.temp for writing: No such file or directory
# ls -lah /lib/modules/
total 16K
dr-xr-xr-x 4 root root 4.0K Nov 27 10:57 .
dr-xr-xr-x 8 root root 4.0K Nov 27 10:57 ..
drwxr-xr-x 3 root root 4.0K Feb 3 2014 2.6.32-279.14.1.el6.x86_64
drwxr-xr-x 7 root root 4.0K Nov 27 10:57 2.6.32-754.35.1.el6.x86_64
Hey, @stgraber nice to see you!
Nope, unfortunately it has no effect. And there is more: I have a centos 7 container on the same host, and there is no same problem. I think the problem is only with centos6 teamplate.
I wonder if it’s just the tool being confused because /lib/modules exists in your container? Normally containers don’t have kernel packages installed and may be missing the path altogether, which may or may not be helping iptables handle this.
Feels like the problem is with CentOS 6 more than with the template, it’s most likely the version of iptables in CentOS 6 being a bit too picky in this case.
Both physical and OpenVZ will have kernels that are much more in sync with what CentOS6 shipped with, so more likely to make its iptables detect an existing module and move on.
You could try strace on that iptables call to see if you can’t figure out what module it’s trying to load.