Reaching out to others! Free & Open Source Software, Kannada, L10n, L18n Data Science, Cloud Computing & more…

apf fix: unable to load iptables module (ip_tables)

While working with APF on servers, you may come across the following error:

# apf -r
apf(2042): {glob} flushing & zeroing chain policies
apf(2042): {glob} firewall offline
apf(3179): {glob} activating firewall
apf(3284): {glob} unable to load iptables module (ip_tables), aborting.
apf(3179): {glob} firewall initalized
apf(3179): {glob} fast load snapshot saved

APF tries to modprobe ip_tables and aborts when that fails. It fails when your kernel has netfilter compiled in statically rather than built as a loadable module (the functionality is there, there is just no module to load), and it always fails inside an OpenVZ/Virtuozzo container, where modules can only be loaded on the hardware node. In both cases the fix is one setting in /etc/apf/conf.apf:

Change SET_MONOKERN="0" to SET_MONOKERN="1".

Once this is done, restart APF (apf -r) and the error should be gone. The setting is documented in conf.apf itself:

SET_MONOKERN
# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
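As an added example (not code from the post or from APF), here is a small shell helper that makes the decision explicit: it reads the kernel config to tell a built-in netfilter from a modular one, checks whether the ip_tables module is loaded, and flips SET_MONOKERN in conf.apf accordingly. The paths /boot/config-$(uname -r) and /etc/apf/conf.apf and the function names are assumptions; the config is rewritten through a temp file so that a failed sed never truncates it.

```shell
#!/bin/sh
# Added example (not from the post or from APF): decide whether APF's
# SET_MONOKERN should be "1", i.e. whether netfilter is built into the kernel
# rather than provided by a loadable ip_tables module, and flip the setting.
# Assumptions: a /boot/config-$(uname -r) kernel config and the stock
# conf.apf syntax (SET_MONOKERN="0").

# Exit 0 if the kernel config says iptables support is compiled in (=y),
# 1 if it is modular (=m) or absent, 2 if the config file cannot be read.
iptables_builtin() {
    kcfg="$1"
    [ -r "$kcfg" ] || return 2
    grep -q '^CONFIG_IP_NF_IPTABLES=y' "$kcfg"
}

# Exit 0 if the ip_tables module is currently loaded (modular kernels only).
# FILE defaults to the live /proc/modules.
iptables_module_loaded() {
    awk '$1 == "ip_tables" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Print the current SET_MONOKERN value from a conf.apf-style file.
get_monokern() {
    sed -n 's/^SET_MONOKERN="\([01]\)".*/\1/p' "$1"
}

# Rewrite SET_MONOKERN in FILE to VALUE ("0" or "1"). Goes through a temp
# file, so the original is untouched if sed fails (and GNU sed -i is not needed).
set_monokern() {
    conf="$1"; val="$2"
    sed "s/^SET_MONOKERN=\"[01]\"/SET_MONOKERN=\"$val\"/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Walk the decision for the live system; run as root, then restart APF (apf -r).
apf_fix_monokern() {
    kcfg="/boot/config-$(uname -r)"
    conf="/etc/apf/conf.apf"
    if iptables_builtin "$kcfg"; then
        set_monokern "$conf" 1
        echo "netfilter is built into the kernel: SET_MONOKERN set to 1"
    elif iptables_module_loaded; then
        echo "ip_tables module is loaded; leaving SET_MONOKERN=\"$(get_monokern "$conf")\""
    else
        echo "ip_tables neither built in nor loaded: try 'modprobe ip_tables' (in a VPS, ask the node admin)"
    fi
}
```

Inside a container the kernel config is usually absent, so iptables_builtin returns 2 and the helper falls through to the module check; in that case SET_MONOKERN="1" is still the setting you want, with the modules enabled on the node.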

CSF Fix: iptables: No chain/target/match by that name

Unable to add a new block for an IP via CSF? The iptables modules CSF needs are not available to your server's kernel.

If you are getting the following error on an OpenVZ VPS:

iptables: No chain/target/match by that name

ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state NEW udp dpt:953

Ask the datacenter (whoever administers the hardware node) to extend the IPTABLES line in the OpenVZ configuration /etc/vz/vz.conf on the node, for example:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Once this line is changed, your VPS (or, since vz.conf is the node-wide default, every VPS on the hardware node) has to be restarted for the modules to become available inside it. The same IPTABLES parameter can be set for a single container in its /etc/vz/conf/VEID.conf, which only requires restarting that one VPS.

This should resolve the issue.
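As an added example (not from the post, from CSF or from OpenVZ), here is a shell helper that parses the IPTABLES= line from a vz.conf-style file, reports which modules are missing, and prints the per-container vzctl command the node admin would run. The required-module list is copied from the vz.conf line above and is an assumption (adjust it to what csftest.pl or APF actually complain about), as are the function names.

```shell
#!/bin/sh
# Added example (not from the post, CSF or OpenVZ): compare the IPTABLES=
# module list of an OpenVZ vz.conf (or a per-container /etc/vz/conf/<VEID>.conf)
# against the modules a firewall needs, and print what is missing.
# The required set is the vz.conf line quoted in the post; treat it as an assumption.
REQUIRED_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

# Print the space-separated module list from the (last) IPTABLES= line of FILE,
# quotes stripped. Empty output means there is no IPTABLES line at all.
vz_iptables_modules() {
    grep '^[[:space:]]*IPTABLES=' "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# Print one missing required module per line; exit 0 only if nothing is missing.
missing_iptables_modules() {
    configured=" $(vz_iptables_modules "$1") "
    rc=0
    for m in $REQUIRED_MODULES; do
        case "$configured" in
            *" $m "*) ;;                 # present
            *) echo "$m"; rc=1 ;;        # missing
        esac
    done
    return $rc
}

# Print the vzctl command (run on the hardware node) that enables the full set
# for one container only, so the other VEs on the node need not be restarted.
vzctl_iptables_cmd() {
    echo "vzctl set $1 --iptables \"$REQUIRED_MODULES\" --save"
}
```

Run missing_iptables_modules /etc/vz/vz.conf on the node, or on a copy of the file the datacenter sends you, before asking for a restart; the container still has to be restarted for the change to take effect.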

LxLabs Ligesh commits suicide

A brilliant software engineer, founder of LxLabs.com, creator of HyperVM (optimized virtualization management that runs on both Xen and OpenVZ) and of the "Host In a Box" solution LxAdmin/Kloxo for web hosting companies, server owners and resellers, K.T. Ligesh (32) committed suicide last night (8th June, 2009) at his residence in H.S.R. Layout, Bangalore.

Last night I was discussing with a few of my colleagues the recent vulnerability report posted on the net and the fixes released to patch it. Sadly, I got to read this news in the papers on returning home. His innovative products earned him a very good name in the industry in a very short span of time. A very hardworking talent, a free and open source enthusiast and a guitarist, he always strove to provide the best and most optimized web hosting tools to the hosting industry. It is a great loss to all of us.

I recall interacting with this genius engineer prior to his product launch and commenting on a few initial glitches that I had noticed here at Instacarma. He was a great help during our further interactions on the LxLabs forum and elsewhere. The Instacarma family offers its deep condolences to his family and friends.

His passing puts a question mark in front of us: LxAdmin's future is unknown. There are more questions to be answered while his soul rests in peace.

News Source: TOI

Image Source: Kannada Prabha

OpenVZ overwriting /etc/hosts file

If you find that the /etc/hosts file is getting overwritten (I have seen this happen on Virtuozzo and HyperVM servers), make sure you add your additional entries above the following comment line in /etc/hosts. vzctl regenerates the hostname line that follows the comment on every start, and leaves whatever is above it alone.

# Auto-generated hostname. Please do not remove this comment.
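The following added shell helper (not from the post, from OpenVZ or from Virtuozzo) inserts an entry above that marker, appends it when a file has no marker at all, and does nothing if the name is already present, so it is safe to run from a provisioning script. The marker text is the one quoted above; the function names and the sample hosts content are assumptions.

```shell
#!/bin/sh
# Added example (not from the post, OpenVZ or Virtuozzo): add an /etc/hosts
# entry so that it survives the container software regenerating the file.
# vzctl keeps whatever is above its marker comment and rewrites what follows,
# so the entry is inserted just above the marker.
MARKER='# Auto-generated hostname. Please do not remove this comment.'

# add_hosts_entry FILE IP NAME [ALIAS...]
# Idempotent: does nothing if NAME already appears as a hostname in FILE.
# Inserts "IP<TAB>NAME ALIAS..." above MARKER when present, else appends it.
add_hosts_entry() {
    file="$1"; ip="$2"; shift 2; names="$*"
    first=${names%% *}
    # Already present as a name field on a non-comment line: nothing to do.
    if awk -v n="$first" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                          END { exit !found }' "$file"; then
        return 0
    fi
    # awk -v turns the "\t" into a real tab. Write via a temp file, then rename.
    awk -v entry="$ip\t$names" -v marker="$MARKER" '
        $0 == marker && !done { print entry; done = 1 }   # insert above the marker
        { print }                                        # copy everything else
        END { if (!done) print entry }                   # no marker: append
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the non-comment entries that sit above the marker, i.e. the ones
# that will survive a container restart.
preserved_entries() {
    awk -v marker="$MARKER" '$0 == marker { exit } !/^#/ && NF { print }' "$1"
}
```

Use preserved_entries /etc/hosts after a restart to confirm nothing you rely on has moved below the marker.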

Memory issue after OS upgrade?

Out of memory? Did you upgrade your OS recently? Then have a careful look at the ps auxw output for memory consumption.

Today I found that minilogd, which belongs to the initscripts package, was eating up almost 70% of the server resources on a VPS running on OpenVZ virtualization. After reading a bit about it on the internet I found that it is used by syslog, and I had to restart the syslog service to get the issue sorted out.

Always make good use of the tools Linux gives you to monitor processes. They will surely help you track down the problem you are facing.

Happy Hacking!

iptables: Memory allocation problem

Unable to block ips using iptables on your VPS? Is your APF installation failing to work?

# iptables -I INPUT -s 123.123.123.123 -j DROP
iptables: Memory allocation problem

Resolution:

If you are using OpenVZ for virtualization, you have probably exceeded the limit of the 'numiptent' parameter (the number of iptables entries the container may hold). You can check for a non-zero failcnt on 'numiptent' from inside the VPS:

# egrep "failcnt|numiptent" /proc/user_beancounters

If you are an admin with access to the hardware node, raise the parameter a little with the following command (it will not work from inside the VPS):

# vzctl set VPS_ID --numiptent NEW_BARRIER:NEW_LIMIT --save

This should resolve the issue.

Setting up a LAN inside OpenVZ Hardware Nodes

Configuring server networking is always fun. There is a good chance of getting disconnected from a remote server if you are working on a production box from a remote location. I have worked with OpenVZ for quite a long time now, but I had never had to customize its internal VE networking.

Last month I had to configure an eth device inside each VE, i.e. another LAN IP, on a different subnet, had to be configured for each VPS from the hardware node. Nothing but a virtual LAN. I thought it would be easy and started editing the network configuration files, but found that all my changes would be wiped out if the VE was rebooted. So I had to make the changes at the node level. Following is a sample network layout which I was trying to configure.

Image Source : OpenVZ Wiki

OpenVZ has a nice wiki with detailed descriptions of various networking scenarios and their configuration. Though I got a bit confused with bridged networks, veth devices and the other documentation initially, it was easy to follow the steps on the wiki to achieve the required result.

You can read about the differences between venet and veth devices on the OpenVZ wiki.

Cannot allocate memory: apr_thread_create: unable to create worker thread

Today I was unable to start apache on one of the VPS servers. Here is the error_log output.

[Thu Aug 28 16:45:02 2008] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Aug 28 16:45:02 2008] [notice] Apache/2.2.3 (Debian) configured -- resuming normal operations
[Thu Aug 28 16:45:02 2008] [alert] (12)Cannot allocate memory: apr_thread_create: unable to create worker thread
[Thu Aug 28 16:45:02 2008] [alert] (12)Cannot allocate memory: apr_thread_create: unable to create worker thread
[Thu Aug 28 16:45:04 2008] [alert] No active workers found… Apache is exiting!

As a sysadmin, the first thing to check is the user_beancounters information to learn more about the VPS's resource usage and what might be causing the memory issue. The file is readable on the hardware node and inside the VPS itself:

cat /proc/user_beancounters

Normally you will find failure counts for privvmpages:

privvmpages 4052 49146 49152 53575 20

The columns are held, maxheld, barrier, limit and failcnt, so the last column shows the number of times the VPS tried to cross the limit set for privvmpages (here 53575 pages of private virtual memory).

You can change this value if you have the access to hardware node as follows:

vzctl set VEID --privvmpages 100000 --save

VEID is the VPS number allocated on hardware node.

vzlist, filtered with grep for the VPS hostname or IP, will get you that number.
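The following added shell helper (not from the post or from OpenVZ) serves both this section and the numiptent one above: it lists every resource in /proc/user_beancounters with a non-zero failcnt, looks up a single resource's failcnt, and prints the vzctl commands to run on the hardware node. The column layout assumed is the one shown above (held, maxheld, barrier, limit, failcnt, with the container uid in front of the first data line); the doubling rule and the function names are assumptions, and the sample counters in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the post or from OpenVZ): pull the resources that have
# hit their limit out of /proc/user_beancounters (readable inside the VPS as
# well as on the hardware node) and turn them into vzctl commands.
# Assumed column layout (UBC v2.5): resource held maxheld barrier limit failcnt,
# with the first data line carrying the container uid ("101:") in front.

# Print "NAME held=.. barrier=.. limit=.. failcnt=.." for every resource whose
# failcnt is non-zero. FILE defaults to the live /proc/user_beancounters.
beancounter_failures() {
    awk '
        /^Version:/ || /uid[[:space:]]+resource/ { next }   # skip the two header lines
        NF >= 6 && $NF + 0 > 0 {                            # index fields from the end so
            printf "%s held=%s barrier=%s limit=%s failcnt=%s\n",   # the uid prefix does not matter
                   $(NF-5), $(NF-4), $(NF-2), $(NF-1), $NF
        }' "${1:-/proc/user_beancounters}"
}

# Print the failcnt of one resource (empty output if it is not listed).
beancounter_failcnt() {
    awk -v r="$2" 'NF >= 6 && $(NF-5) == r { print $NF; exit }' "${1:-/proc/user_beancounters}"
}

# For each failing resource, print a vzctl command (for the hardware node) that
# doubles barrier and limit. Doubling is a rule of thumb, not OpenVZ advice;
# resources whose barrier is already "unlimited" (2^63-1) are skipped.
suggest_vzctl() {
    veid="$1"
    beancounter_failures "$2" | awk -v veid="$veid" '{
        split($3, b, "="); split($4, l, "=")
        if (b[2] + 0 >= 2^62) next
        printf "vzctl set %s --%s %d:%d --save\n", veid, $1, b[2] * 2, l[2] * 2
    }'
}
```

Inside the VPS, beancounter_failures alone tells you which parameter to ask your provider about (numiptent for the iptables "Memory allocation problem", privvmpages for the Apache thread failures); suggest_vzctl VEID is for whoever has root on the node.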

Now take the scenario where you have no access to the hardware node and still want to fix this from your end.

Here is the fix: you can make Apache reserve far less memory than it does now by installing apache2-mpm-prefork instead of apache2-mpm-worker. The worker MPM starts a pool of threads in each child, and every thread reserves a stack (ThreadStackSize, which defaults to the OS thread stack size, 8 MB on most Linux systems) that counts against privvmpages whether or not it is ever touched; that reservation is what apr_thread_create fails on. The prefork MPM uses one process per connection and no thread stacks. If you would rather keep the worker MPM, lowering ThreadsPerChild or ThreadStackSize in the MPM configuration has the same effect.

All I did on the console of my Debian server to fix this issue was run the following command:

#aptitude install apache2-mpm-prefork

I restarted apache and it started working just fine.