Archive for the ‘VPS’ Category

Configuring CSF in a VPS

Saturday, December 12th, 2009

You may get the following error while restarting csf on a vps server

Error: iptables command [/sbin/iptables -v -A LOGDROPIN -p tcp -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '] failed, at line 280

In a vps (openvz or Virtuzzo) the csf configuration is something different. Lets see how we can make csf work with vps .

Before starting the installation of csf, you should confirm the following modules are installed on the main VPS.

ipt_conntrack

ipt_LOG

ipt_owner

ipt_state

ip_conntrack_ftp

iptable_filter

You can confirm whether these modules are already loaded using

# lsmod |grep -i <module-name>

If its not installed you can install this using modprob

modprob ipt_conntrack

After that you should add these modules to the iptables configuration as follows

# vi /etc/sysconfig/iptables-config

IPTABLES_MODULES=”ipt_conntrack ipt_LOG ipt_owner ipt_state ip_conntrack_ftp”

You need to edit the vps client node configuration file as follows ( example node is 101 )

# vi /etc/sysconfig/vz-scripts/101.conf

IPTABLES=”iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ipt_state iptable_nat ip_nat_ftp ipt_owner ip_conntrack_ftp”

Restart the client node .

# vzctl restart 101

Now login to your client node and install csf . Before restarting csf let us edit the configuration file .

# /etc/csf/csf.conf

ETH_DEVICE = “venet0″ # from ifconfig you will get the ethernet device
MONOLITHIC_KERNEL = “1″
VERBOSE = “0″

Restart csf

# csf -r

If you have followed the above steps properly then it should start without any errors . In case if you get error , some of the modules I find necessary are

ipt_MASQUERADE

ipt_helper

ipt_REDIRECT

ipt_state

ipt_TCPMSS

ipt_LOG

ipt_SAME

ipt_TOS

iptable_nat

ipt_length

ipt_tcpmss

iptable_mangle

ipt_limit

ipt_tos

iptable_filter

ipt_helper

ipt_tos

ipt_ttl

ipt_REJECT

ip_conntrack

ip_multiport

ip_nat_ftp

ipt_owner

ipt_recent

ipt_REDIRECT

Now if you can start csf without any error but it blocks all connections to site when enabled. If you disable csf it starts working . If so , make sure that you have opened all ports in csf configuration file and then execute the below commands from the client node (101 in our case)

iptables -A INPUT -i venet0 -j ACCEPT

iptables -A OUTPUT -o venet0 -j ACCEPT

iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0

iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

Or else you can add the above iptables rules to ” vi /etc/csf/csfpre.sh ” and restart csf

Other issues related to csf in a vps can be caused by “numiptent

Run the below command from your vps node (101) and see if there are any failcounts .

cat /proc/user_beancounters

numiptent should be set to at least 1000

You can increase the values of these parameters as discussed here .

Tags: , , , , ,
Posted in VPS | No Comments »

Unable to fork: Cannot allocate memory

Monday, November 30th, 2009

While logging to a VPS from the host server(main node) , you see the message:

Unable to fork: Cannot allocate memory

This usually occurs when VPS is running out of resources especially RAM. Restarting the vps may be a temporary fix which allows you to enter the server . But it prevents executing some commands throwing the same error message .

You can increase privvmpages and kmemsize values for the VPS in order to solve the issue .From the client node in order to see each resource , run the command

cat /proc/user_beancounters

It has five values associated with it: current usage, maximum usage , barrier, limit, and fail counter. The meaning of barrier and limit is parameter-dependent; in short, those can be thought of as a soft limit and a hard limit. If any resource hits the limit, the fail counter for it is increased. This allows the owner to detect problems by monitoring /proc/user_beancounters in the container.

uid      resource         held        maxheld    barrier          limit failcnt

101:    kmemsize       5741113  8347532   2147483646  2147483646 453225323642

privvmpages    33656     44989       98304          98304 106507

In order to increase the value of the two parameters edit the below file from the main node

/etc/sysconfig/vz-scripts/101.conf ( 101 is my vps node)

You can see the value as below

PRIVVMPAGES=”98304:98304″

Increase the value as you need

PRIVVMPAGES=”100000:100000″

Restart your vps after the changes .

# vzctl restart 101

You can also raise the limit as sown below from the host node .

vzctl set 101 –privvmpages 100000:100000 –save

vzctl restart 101

kmemsize

Size of unswappable memory in bytes, allocated by the operating system kernel.

privvmpages

Memory allocation limit. Privvmpages parameter allows controlling the amount of memory allocated by applications.

Tags: , , , ,
Posted in VPS | 5 Comments »

Unable to open pty: No such file or directory

Monday, November 30th, 2009

You may receive the following message on entering a VPS:

# vzctl enter 101

enter into VE 101 failed

Unable to open pty: No such file or directory

The reason behind this is the missing tty/pty files . You can create it using the MAKEDEV program, execute the following commands on the host server ( main node ).

# vzctl exec VEID /sbin/MAKEDEV tty
# vzctl exec VEID /sbin/MAKEDEV pty

Replace VEID with your actual vps id . In our example its 101 .

Restart vps .

#vzctl restart VEID

Thats a temporary fix. To Fix this issue permanently follow the below steps after entering to your vps client node (101 in our case) .

1) #vzctl enter VEID

2) Edit the file /etc/rc.sysinit

3) Comment the line
#/sbin/start_udev

4) Add the following lines after /sbin/start_udev:
/sbin/MAKEDEV tty
/sbin/MAKEDEV pty

5) Reboot your VPS client node .
vzctl restart VEID

You can also access the file /etc/rc.sysinit for the node 101 from the main VPS node . It should be from /vz/private/VEID/etc/rc.sysinit .

You can also try the below steps by updating the startup files

# vzctl exec VEID update-rc.d -f udev remove
# vzctl restart veid

Above fixes may not work for ubuntu servers . In that case you can try the below command

# vzctl exec VEID ‘dpkg –force-depends –purge udev’

Tags: , , , ,
Posted in VPS | 3 Comments »