apf fix: unable to load iptables module (ip_tables)

While working with APF on servers, you may see the following error:

# apf -r
apf(2042): {glob} flushing & zeroing chain policies
apf(2042): {glob} firewall offline
apf(3179): {glob} activating firewall
apf(3284): {glob} unable to load iptables module (ip_tables), aborting.
apf(3179): {glob} firewall initalized
apf(3179): {glob} fast load snapshot saved

Your kernel is compiled with iptables built in statically instead of as a module. To resolve this, change one setting in /etc/apf/conf.apf:

Change SET_MONOKERN="0" to SET_MONOKERN="1".

Once this is done, restart apf; the error should no longer appear.

SET_MONOKERN
# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
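
Since conf.apf itself says this mode is not generally recommended, it is worth confirming that ip_tables really is built into the kernel before changing the setting. The following is an added example, not part of the original post or of APF: a hypothetical helper, monokern_value, that reads a kernel config file and prints the matching SET_MONOKERN value. It assumes the config file is available, commonly as /boot/config-<kernel version> or /proc/config.gz.

```shell
#!/bin/sh
# Added example: derive the SET_MONOKERN value from a kernel config file.
# CONFIG_IP_NF_IPTABLES is the kernel option that builds ip_tables:
#   =y  built into the kernel   -> SET_MONOKERN="1"
#   =m  built as a module       -> SET_MONOKERN="0"

# monokern_value FILE
# Prints 1 or 0. Returns 2 if ip_tables is not enabled, 3 if FILE is unreadable.
monokern_value() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 3; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;   # compressed config such as /proc/config.gz
        *)    reader="cat" ;;
    esac
    # Keep only the y/m value of the option; commented-out lines do not match.
    state=$($reader "$cfg" | sed -n 's/^CONFIG_IP_NF_IPTABLES=\([ym]\)$/\1/p' | head -n 1)
    case $state in
        y) echo 1 ;;
        m) echo 0 ;;
        *) echo "ip_tables is not enabled in $cfg" >&2; return 2 ;;
    esac
}

# Usage on a live host (the path is an assumption, adjust for your distribution):
#   monokern_value "/boot/config-$(uname -r)"
```
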

CSF Fix: iptables: No chain/target/match by that name

Unable to add a new block for an ip via CSF? Iptables modules are not loaded into your server’s kernel.

If you’re getting the following error on an OpenVZ VPS server:

iptables: No chain/target/match by that name

ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state NEW udp dpt:953

Contact the DC to make a small change in OpenVZ iptables configuration in /etc/vz/vz.conf as follows:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Once this line is added, they will restart your VPS, or all VPS nodes on the hardware node will be restarted, to make the iptables modules available.

This should resolve the issue.

Memory issue after OS upgrade?

Out of memory? Did you upgrade your OS recently? Then carefully have a look at ps -auwx output for memory consumption.

Today I found that initscripts package owned minilogd was eating up almost 70% of the server resources on a VPS running on OpenVZ virtualization. After reading a bit about it on the internet I found that it’s used by syslog and I had to restart syslog service to get the issue sorted out.

Always make good use of the tools given by Linux to monitor the processes. They will surely help you to knock down the problem that you’re facing.

Happy Hacking!

Cannot allocate memory: apr_thread_create: unable to create worker thread

Today I was unable to start apache on one of the VPS servers. Here is the error_log output.

[Thu Aug 28 16:45:02 2008] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Aug 28 16:45:02 2008] [notice] Apache/2.2.3 (Debian) configured -- resuming normal operations
[Thu Aug 28 16:45:02 2008] [alert] (12)Cannot allocate memory: apr_thread_create: unable to create worker thread
[Thu Aug 28 16:45:02 2008] [alert] (12)Cannot allocate memory: apr_thread_create: unable to create worker thread
[Thu Aug 28 16:45:04 2008] [alert] No active workers found... Apache is exiting!

As a sysadmin, you should first check the user_beancounters information on the hardware node to get more input about the resource usage of the VPS and understand what might be causing the memory issue. This is how you can find the user_beancounters:

cat /proc/user_beancounters

Normally you will find the failure counts for privvmpages.

privvmpages 4052 49146 49152 53575 20

In the above line, the last column shows the number of times the VPS crossed the limit set for privvmpages.
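
To check every resource at once instead of reading the table by eye, the following added example (not part of the original post) parses the user_beancounters format and lists each resource with a non-zero failure count. The function names and the VEID 101 in the sample are constructed for illustration; the privvmpages row is the one shown above.

```shell
#!/bin/sh
# Added example: list OpenVZ resources whose limit has been hit.
# Columns: resource held maxheld barrier limit failcnt.
# The first resource row of each container is prefixed with "<VEID>:".

# beancounter_failures [FILE]  (defaults to /proc/user_beancounters)
beancounter_failures() {
    awk '
        $1 == "Version:" || $1 == "uid" { next }   # skip the two header lines
        $1 ~ /^[0-9]+:$/ {                         # row carrying the VEID prefix
            veid = $1; sub(/:$/, "", veid)
            $1 = ""; $0 = $0                       # drop the prefix and re-split
        }
        NF == 6 && $6 > 0 {
            peak = ($4 > 0) ? int($3 * 100 / $4) : 0   # maxheld as % of barrier
            print veid, $1, "maxheld=" $3, "barrier=" $4, "failcnt=" $6, "peak=" peak "%"
        }
    ' "${1:-/proc/user_beancounters}"
}

# Constructed sample input for trying the parser away from an OpenVZ host.
sample_beancounters() {
    cat <<'EOF'
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      101:  kmemsize        2770721    3013206   14372700   14790164          0
            privvmpages        4052      49146      49152      53575         20
            numproc              31         45        240        240          0
EOF
}
```

A peak close to 100% together with a rising failcnt means the container is actually running into the barrier, not just showing a stale counter from an old incident.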

You can change this value if you have access to the hardware node, as follows:

vzctl set VEID --privvmpages 100000 --save

VEID is the VPS number allocated on hardware node.

vzlist | grep will get you that number.

Now, take a scenario where you have no access to the VPS hardware node and you still want this issue to be fixed from your end.

Here is the fix:
You can force Apache to use far less memory than whatever it is using now by installing apache2-mpm-prefork instead of apache2-mpm-worker.

All that I did on the console of my Debian server to fix this issue was run the following command:

# aptitude install apache2-mpm-prefork

I restarted apache and it started working just fine.

Cpanel is feature rich

If you’re a web hosting service provider, system administrator or website owner, you have to think about a tool which lets you manage your server and websites easily. Cpanel is one of my favorite control panels for web hosting automation. Cpanel gives a lot of help to system administrators and saves a considerable amount of time. Its ease of use and the fresh web2.0 design let website owners manage their websites easily. On top of all this, Cpanel constantly improves and updates its product features. If you don’t have Cpanel on your servers, think of using it; you will find the reasons below. The following gives an update on recent changes happening in Cpanel features.

cPanel 11.23 introduces a number of exciting changes to our industry leading control panel product. While there are many changes on the backend to cPanel and WHM with the 11.23 release, we’ll focus on four main areas: Memory Usage Reduction, Mail Flexibility and Efficiency, Backups and Transfers, and User Specific Changes.

Memory Usage

We aimed at reducing the memory footprint of cPanel with the 11.23 release. Two major changes in this area are VPS Optimized and Tailwatch. These changes were discussed earlier on the cPanel blog. Both of these changes are part of an overall focus in reducing memory overhead of the cPanel product, a focus that extends beyond just our customers using VPS setups. The end result is a more responsive product that also uses less memory (up to 60% less standing memory usage on a VPS).

Mail Flexibility and Efficiency

Several important changes pertaining to mail handling and usage are available in 11.23. cPanel 11.23 introduces full support for the Roundcube webmail interface. This provides a nice modern alternative for webmail users. Also, it is now possible to have Exim send mail using the IP address dedicated to an account. This not only brings in a much requested feature, but also resolves issues with using SPF records on accounts with dedicated IP addresses. We have also introduced a SPF preference in the Exim Configuration editor to enable SPF checking at SMTP time. Running SPF checks at SMTP time, rather than during SpamAssassin greatly speeds up the mail delivery process on your server.

Backups and Transfers

cPanel account backup and transfer utilities have been greatly improved in cPanel 11.23. In 11.23 when transferring accounts, the utilities use WHM instead of rsync in order to improve speed and deal better with large file sizes. Also, more information about the accounts being transferred is available, such as disk space those accounts are currently using. Also the option to express transfer accounts from other cPanel servers has been added in order to speed up transfers.

User Specific Changes

In order to meet the needs of users on corporate proxies who cannot access cPanel, Webmail and WHM on the regular ports, a proxy system has been introduced to cPanel 11.23 which allows access to each service through a subdomain. For example, a user can now access cPanel at http://cpanel.example.com instead of https://example.com:2083/.

Additionally, a mechanism has been built into cPanel to notify users of SSL certificates which will expire soon. As it is highly important to ensure your SSL certificates are functioning properly, users will be alerted 30 days before their certificate is due to expire so they have ample time to renew their certificate.

Along with these changes, many products such as PHPMyAdmin which are shipped with cPanel have been upgraded to newer and far more responsive versions in order to improve the domain owner experience.

While the above features provide a great benefit to server administrators and end users, they are only a few of the changes that are brought about by cPanel 11.23. Other changes such as DNS record type support have been documented in the cPanel change log at http://changelog.cpanel.net

If you wish to stay on cPanel 11.18, you should change your update preferences to use STABLE builds only.

Cpanel can change the future of your webhosting. Have a look at it today. If you want your website hosted on a Cpanel server, I can help you with it :) .