OpenVZ & Digital Ocean read/write test results

Here is a quick view on the read and write results on Digital Ocean & OpenVZ:

Write Operation with Digital Ocean Server
~# dd if=/dev/zero of=test bs=1048576 count=2048
2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB) copied, 7.93444 s, 271 MB/s
Read Operation with Digital Ocean Server
~# dd if=test of=/dev/null bs=1048576
2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB) copied, 3.39856 s, 632 MB/s

Write Operation with OpenVZ Server
~# dd if=/dev/zero of=test bs=1048576 count=2048
2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB) copied, 20.3058 s, 106 MB/s
Read Operation with OpenVZ Server
~# dd if=test of=/dev/null bs=1048576
2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB) copied, 2.26675 s, 947 MB/s

The above results show that the Digital Ocean SSD is faster on writes, while reads are faster on the OpenVZ VPS that I own. This difference may vary with the load on the hardware node serving the VPS/cloud VPS. More to dig out in the coming days.
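A caveat a practitioner would want with the numbers above: dd's write clock stops before the data is flushed unless conv=fdatasync is given, and a read of a file that was written seconds earlier is largely served from the Linux page cache, so the read figures measure RAM as much as disk. The script below is an added example (not the post's own commands) that repeats the same test with those two effects controlled, and it parses dd's summary line so the rate can be compared across hosts. The test file path and size are passed as arguments; dropping the page cache requires root and is skipped otherwise; O_DIRECT is attempted for the read and reported as unsupported if the filesystem refuses it.

```shell
#!/bin/sh
# dd_bench.sh - added example, not part of the original post.
# Re-runs the post's dd read/write test with the page cache accounted for:
# the write forces data to disk before dd stops timing (conv=fdatasync), and
# the read can bypass the cache (iflag=direct). Without these, a read right
# after a write mostly measures RAM, not the disk.

# Extract throughput in MB/s (10^6 bytes) from dd's summary line. Handles the
# "2147483648 bytes (2.1 GB) copied, 7.93444 s, 271 MB/s" format used in the
# post, the newer "(4.2 MB, 4.0 MiB) copied, ..." format and the older
# "..., 7.9 seconds, ..." wording.
dd_rate_mbs() {
    printf '%s\n' "$1" | awk '
        /bytes .*copied/ {
            bytes = $1
            for (i = 2; i <= NF; i++)
                if ($i == "s," || $i == "seconds,") secs = $(i - 1)
            if (secs + 0 == 0) { print 0; exit }
            printf "%.0f\n", bytes / secs / 1000000
            exit
        }'
}

# Write $2 MiB to file $1; the data is on disk before the clock stops.
# dd prints its summary on stderr, hence 2>&1. Prints MB/s.
bench_write() {
    out=$(LC_ALL=C dd if=/dev/zero of="$1" bs=1048576 count="$2" conv=fdatasync 2>&1) || return 1
    dd_rate_mbs "$out"
}

# Read file $1 back. Mode "direct" uses O_DIRECT to bypass the page cache
# (not every filesystem supports it); any other mode reads normally, which is
# what makes a post-write read look implausibly fast. Prints MB/s.
bench_read() {
    case "$2" in
        direct) flags="iflag=direct" ;;
        *)      flags="" ;;
    esac
    out=$(LC_ALL=C dd if="$1" of=/dev/null bs=1048576 $flags 2>&1) || return 1
    dd_rate_mbs "$out"
}

# Drop the page cache between write and read; needs root.
drop_caches() {
    [ "$(id -u)" -eq 0 ] || return 1
    sync && echo 3 > /proc/sys/vm/drop_caches
}

# Usage: sh dd_bench.sh <testfile> <MiB>    e.g. sh dd_bench.sh ./test 2048
main() {
    f=$1; mib=$2
    echo "write (fdatasync): $(bench_write "$f" "$mib") MB/s"
    if drop_caches 2>/dev/null; then echo "page cache dropped"; else echo "not root: page cache kept"; fi
    echo "read (cached):     $(bench_read "$f" cached) MB/s"
    if r=$(bench_read "$f" direct); then
        echo "read (O_DIRECT):   $r MB/s"
    else
        echo "read (O_DIRECT):   unsupported on this filesystem"
    fi
    rm -f "$f"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it on each host with the same size the post used (2048 MiB) and compare the fdatasync write and the O_DIRECT or cache-dropped read; a cached read that is several times faster than the direct read is the page cache talking, not the disk.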

Fix: openvz, iptables, csf and errors

CSF has been one of my first choices for years now for securing a server with an easily usable iptables manager. More than that, it works as “A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers”.

While using csf on OpenVZ VPS systems we end up facing lots of issues with the iptables modules. If you’re a sysadmin managing hardware nodes it might not be easy, though it comes down to something quite simple. I’m pasting the same issue once again here for reference, so we can recheck what we normally overlook.

Error received during csf test:

~# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…FAILED [Error: iptables: No chain/target/match by that name.] – Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit…FAILED [Error: iptables: No chain/target/match by that name.] – Required for CONNLIMIT feature
Testing ipt_owner/xt_owner…FAILED [Error: iptables: No chain/target/match by that name.] – Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK

RESULT: csf will function on this server but some features will not work due to some missing iptable modules

Now, the quick remedy for this issue is to enable all the iptables modules in /etc/vz/vz.conf on the OpenVZ hardware node as follows:

IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp ipt_recent ipt_owner ipt_conntrack ipt_helper ipt_REDIRECT ipt_recent ipt_owner"

and restart all VMs with “service vz restart” to activate the modules for all VPS systems.

The other option is to enable these modules for a specific VPS/VM as follows (here 100 is the VPS id):

vzctl set 100 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --iptables ipt_owner --iptables ipt_recent --save

If you run the above command with the --setmode option, the modules will be applied.

Or you can add the IPTABLES line mentioned earlier (the vz.conf entry) to the VPS configuration file (/etc/vz/conf/100.conf for the example VPS above) and restart the VPS with the following command to make it effective.

vzctl restart 100

This is a simple and well-known answer. But I have always found that it doesn’t go so smoothly, and this might be because of one simple reason that I describe here:

We keep removing old kernel packages and installing new ones to ensure we have a secure system with the latest kernel and packages. During this process we end up losing the kernel modules that the new kernel requires. I figured this out once again while working on my hardware node just by running the following find command under /lib:

find /lib -name '*ipt*'

I was expecting the iptables modules to be listed under my current kernel, but to my surprise I didn’t find them. I found them under one of the very old kernels that was installed on the box. Crazy. So I decided to jump in and reinstall the iptables packages quickly on the machine:

yum reinstall iptables-devel.i686 iptables-devel.x86_64 iptables-ipv6.x86_64 iptables.i686 iptables.x86_64

Here is the final output of my csf test after restarting my VM.

~# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK

RESULT: csf should function on this server

That’s it. Now you know why iptables doesn’t work even if you haven’t changed anything recently on the hardware node (and have forgotten that you restarted the system with a new kernel). Verify the iptables modules with lsmod and reinstall the packages if required.
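The closing advice (check lsmod, then check what the running kernel actually ships) is easy to script. The following is an added example, not the author's script: it reads the IPTABLES="..." list from a vz.conf-style file, reports every module that is not loaded, and for each one says whether it is merely not loaded or absent from /lib/modules for the running kernel, which is the situation the post describes. It treats ipt_X and xt_X as the same module because csftest itself probes pairs such as ipt_owner/xt_owner. The sample vz.conf and lsmod output it ships with are constructed for offline use; the file paths it reads on a real node are passed as arguments.

```shell
#!/bin/sh
# check_vz_iptables.sh - added example, not the author's script.
# Compares the IPTABLES="..." module list of an OpenVZ vz.conf-style file
# against the loaded modules (lsmod) and the modules shipped for the running
# kernel. ipt_X and xt_X are compared as the same module, since newer kernels
# renamed several ipt_* matches/targets to xt_* (csftest probes both names).

# Print the modules named in the IPTABLES="..." line of $1, one per line.
vz_iptables_list() {
    sed -n 's/^IPTABLES="\(.*\)"[[:space:]]*$/\1/p' "$1" | tr ' ' '\n' | grep -v '^$' | LC_ALL=C sort -u
}

# Strip the ipt_/xt_ prefix so the two spellings compare equal.
strip_prefix() {
    printf '%s\n' "$1" | sed -e 's/^ipt_//' -e 's/^xt_//'
}

# $1: vz.conf path; $2: file holding lsmod output (runs lsmod itself if omitted).
# Prints each configured module that is loaded under neither spelling.
missing_modules() {
    conf=$1
    if [ -n "${2-}" ]; then
        loaded=$(awk 'NR > 1 {print $1}' "$2" | sed -e 's/^ipt_//' -e 's/^xt_//')
    else
        loaded=$(lsmod | awk 'NR > 1 {print $1}' | sed -e 's/^ipt_//' -e 's/^xt_//')
    fi
    for m in $(vz_iptables_list "$conf"); do
        base=$(strip_prefix "$m")
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$base"; then
            printf '%s\n' "$m"
        fi
    done
    return 0
}

# Does module $1 (either spelling) ship with the running kernel? This is the
# post's "find /lib" check narrowed to /lib/modules/$(uname -r).
module_on_disk() {
    base=$(strip_prefix "$1")
    n=$(find "/lib/modules/$(uname -r)" \( -name "ipt_$base.ko*" -o -name "xt_$base.ko*" -o -name "$1.ko*" \) 2>/dev/null | wc -l)
    [ "$n" -gt 0 ]
}

# Constructed samples (not real node data) so the functions can be tried offline.
write_sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'IPTABLES="ip_tables iptable_filter ipt_REJECT ipt_recent ipt_owner xt_connlimit"' > "$f"
    printf '%s\n' "$f"
}
write_sample_lsmod() {
    f=$(mktemp)
    printf '%s\n' 'Module                  Size  Used by' \
        'iptable_filter         16384  1' \
        'ip_tables              24576  1 iptable_filter' \
        'xt_recent              24576  0' \
        'ipt_REJECT             16384  0' > "$f"
    printf '%s\n' "$f"
}

# Usage on a hardware node: sh check_vz_iptables.sh /etc/vz/vz.conf
if [ $# -ge 1 ]; then
    missing=$(missing_modules "$1")
    if [ -z "$missing" ]; then
        echo "all configured iptables modules are loaded"
    else
        for m in $missing; do
            if module_on_disk "$m"; then
                echo "$m: on disk but not loaded (modprobe it or service vz restart)"
            else
                echo "$m: not shipped for $(uname -r) (reinstall the iptables/kernel module packages)"
            fi
        done
    fi
fi
```

With the constructed samples, ipt_recent is counted as loaded because xt_recent is, while ipt_owner and xt_connlimit are reported missing; on a real node the second branch of the report is the "old kernel" case the post ran into.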

Fix: fixquota fails with journaled quota support: not available with vzaquota (disabled)

If you’re running a cPanel server on an OpenVZ hardware node, you might face issues with quota for a few reasons:

1. Secondary quota might not have been enabled on hardware node.

You can verify this by checking for DISK_QUOTA=yes in /etc/vz/conf/vz.conf.

Also, QUOTAUGIDLIMIT needs to be set for the VPS in /etc/sysconfig/vz-scripts/CT_ID.conf (CT_ID is the container id of the VPS).

2. You should have initialized the quota via WHM.

If you continue to face the problem even after applying both fixes, re-initializing the quota might help, as per http://wiki.openvz.org/Cpanel_quotas. Here is the excerpt:

WHM/Cpanel, a popular commercial web-based control panel for Linux, has a tendency to overwrite the special quota files in the VE context. I am referring to:

lrwxr-xr-x 1 root root 39 Jun 8 17:27 aquota.group -> /proc/vz/vzaquota/00000073/aquota.group
lrwxr-xr-x 1 root root 38 Jun 8 17:27 aquota.user -> /proc/vz/vzaquota/00000073/aquota.user

The result of these being overwritten will be WHM showing “unlimited” quota reports for all users in the system. A quick solution to this is to run these commands from within the VE as root:

rm -rf /aquota.user 2>/dev/null
rm -rf /aquota.group 2>/dev/null
unlink /aquota.user 2>/dev/null
unlink /aquota.group 2>/dev/null
for x in `find /proc/vz/vzaquota/ | tail -2 `; do ln -s $x / ; done

The journaled quota support warning didn’t get resolved even after this. Yet to check the core reason for the same.

Enable ip from different subnet on OpenVZ Server

If you want to run virtual machines with IPs from different subnets on your node, you will have to enable a parameter in /etc/vz/vz.conf.

The following is the remedy for those who are facing issues with IPs from multiple subnets:

# Controls which interfaces to send ARP requests and modify ARP tables on.
NEIGHBOUR_DEVS=all


Fix: iptables: Unknown error 4294967295

The following error is seen when running iptables inside the VM:

iptables: Unknown error 4294967295

The main reason for this error is missing iptables support in the OpenVZ container.

Here are the quick steps to resolve this issue permanently:

1. Define which iptables modules are available to VEs.

a)
Edit the /etc/sysconfig/iptables-config file on the OpenVZ hardware node:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

b)
Edit the /etc/sysconfig/vz file on the OpenVZ hardware node:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Note: the iptables module lists in the IPTABLES and IPTABLES_MODULES parameters in /etc/sysconfig/vz and /etc/sysconfig/iptables-config must each be on one single line; no line breaks are allowed in these parameters.

Restart the OpenVZ service:
# service vz restart

2. Increase the ‘numiptent’ parameter for the VE you need to install APF into. This parameter limits the number of iptables rules available to a VE. The default APF configuration requires ~400 rules. Let’s set it to 400 in the example below for VE #101:

# vzctl set 101 --numiptent 400 --save

3. Start APF inside the VE:
# /etc/init.d/apf start
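Before raising numiptent blindly, it is worth confirming that the limit is what is failing. OpenVZ accounts every container resource in /proc/user_beancounters on the hardware node, and the failcnt column counts how often the kernel refused an allocation against that limit, so a non-zero failcnt on the numiptent row is direct evidence that rule insertions were rejected. The script below is an added example, not part of the post: it reads the numiptent row for one container and decides whether the VE has room for the ~400 rules APF needs. The layout assumed is a version line, a header line, and per-container blocks that begin with "<ctid>:" and list one resource per line; the beancounters sample it carries is constructed, and on a real node the file argument is simply omitted.

```shell
#!/bin/sh
# numiptent_check.sh - added example, not part of the original post.
# Reads the numiptent row for one container from /proc/user_beancounters and
# reports held/limit/failcnt. failcnt > 0 means the kernel has already refused
# iptables rule insertions for that VE, which is what step 2 raises the limit for.
#
# Assumed table layout (one header line, then per-container blocks that start
# with "<ctid>:" and list one resource per line):
#   uid  resource  held  maxheld  barrier  limit  failcnt

# $1: container id; $2: beancounters file (default /proc/user_beancounters).
# Prints "held limit failcnt" for numiptent, or returns 1 if the VE is absent.
numiptent_status() {
    awk -v want="$1" '
        NR == 1 && /^Version/ { next }
        $1 == "uid"            { next }
        # First line of a block carries the ctid with a trailing colon.
        $1 ~ /:$/  { cur = substr($1, 1, length($1) - 1); res = $2; held = $3; lim = $6; fail = $7 }
        $1 !~ /:$/ { res = $1; held = $2; lim = $5; fail = $6 }
        cur == want && res == "numiptent" { print held, lim, fail; found = 1; exit }
        END { if (!found) exit 1 }
    ' "${2:-/proc/user_beancounters}"
}

# $1: ctid; $2: rules the firewall needs (the post cites ~400 for APF);
# $3: beancounters file. Returns 0 if the VE already has room, 1 if the
# limit must be raised (vzctl set <ctid> --numiptent <n> --save) or the
# VE is not listed.
numiptent_ok() {
    needed=$2
    status=$(numiptent_status "$1" "${3:-/proc/user_beancounters}") || return 1
    held=${status%% *}
    rest=${status#* }
    limit=${rest%% *}
    failcnt=${rest#* }
    [ "$failcnt" -eq 0 ] && [ "$limit" -ge "$needed" ]
}

# Constructed sample (not real node data): VE 100 has room, VE 101 has already
# hit its limit seven times.
SAMPLE_BEANCOUNTERS='Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
       100: kmemsize                  2359296              3145728             14372700             14790164                    0
            numiptent                      28                   28                  400                  400                    0
       101: kmemsize                  2359296              3145728             14372700             14790164                    0
            numiptent                     128                  128                  128                  128                    7'

write_sample_beancounters() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_BEANCOUNTERS" > "$f"
    printf '%s\n' "$f"
}

# Usage on a hardware node: sh numiptent_check.sh <ctid> [rules-needed]
if [ $# -ge 1 ]; then
    if status=$(numiptent_status "$1"); then
        echo "VE $1 numiptent (held limit failcnt): $status"
        if numiptent_ok "$1" "${2:-400}"; then
            echo "enough room for ${2:-400} rules"
        else
            echo "raise the limit: vzctl set $1 --numiptent ${2:-400} --save"
        fi
    else
        echo "VE $1 not found in /proc/user_beancounters"
    fi
fi
```

On the sample data VE 100 reports "28 400 0" and passes, while VE 101 reports "128 128 7" and fails both because its limit is below 400 and because failcnt shows rules have already been refused; held versus limit alone would not reveal the second point.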
