Symptoms

I am unable to migrate a container "online" and the following errors can be observed in the target node's logs:

  • /var/log/vzctl.log:

    2013-08-17T22:25:21+0200 vzctl : Container 3963 : Starting the Container ...
    2013-08-17T22:25:21+0200 vzctl : Container 3963 : vzquota : (warning) Quota is running for id 3963 already
    2013-08-17T22:25:21+0200 vzctl : Container 3963 : Setting quota ...
    2013-08-17T22:25:21+0200 vzctl : Container 3963 : Container is mounted
    2013-08-17T22:25:21+0200 vzctl : Container 3963 : Set cpus: 2
    2013-08-17T22:25:21+0200 vzctl : Container 3963 : Set up iolimit: 20971520
    2013-08-17T22:25:21+0200 vzctl : Container 3963 : Set up iopslimit: 60
    2013-08-17T22:25:21+0200 vzctl : Container 3963 : Adding IP addresses: 46.41.128.247
    2013-08-17T22:25:22+0200 vzctl : Container 3963 : Cannot undump the file: Invalid argument
    2013-08-17T22:25:22+0200 vzctl : Container 3963 : Failed to start the Container
    2013-08-17T22:25:23+0200 vzctl : Container 3963 : Container is unmounted
    2013-08-17T22:25:23+0200 vzctl : Container 3963 : Failed to start the Container
    2013-08-17T22:25:23+0200 vzctl : Container 3963 : Container is not running
    
  • /var/log/messages:

    Aug 17 22:18:23 hwnode01 vzmdest[12099]: Start of CT 3963 migration (private /vz/private/3963, root /vz/root/3963)
    Aug 17 22:22:38 hwnode01 vzmdest[12099]: vzctl_conf_get_param(QUOTAUGIDLIMIT) return 10000
    Aug 17 22:22:38 hwnode01 vzmdest[12099]: QuotaInit CT#3963 ...
    Aug 17 22:22:38 hwnode01 vzmdest[12099]: done
    Aug 17 22:22:38 hwnode01 vzmdest[12099]: QuotaOn CT#3963 ...
    Aug 17 22:22:38 hwnode01 vzmdest[12099]: done
    Aug 17 22:25:21 hwnode01 vzmdest[12099]: Undumping CT#3963 ...
    Aug 17 22:25:21 hwnode01 kernel: [292731.867040] CT: 3963: started
    Aug 17 22:25:22 hwnode01 kernel: [292732.432237] CPT ERR: ffff880403c6e000,3963 :iptables-restore exited with 2
    Aug 17 22:25:22 hwnode01 kernel: [292732.439801] CPT ERR: ffff880403c6e000,3963 :Most probably some iptables modules are not loaded
    Aug 17 22:25:22 hwnode01 kernel: [292732.447542] CPT ERR: ffff880403c6e000,3963 :or CT's iptables utilities are incompatible with this kernel (version is older than 1.4.0)
    Aug 17 22:25:22 hwnode01 kernel: [292732.463790] CPT ERR: ffff880403c6e000,3963 :(Offline migration and iptools upgrade might help).
    Aug 17 22:25:22 hwnode01 kernel: [292732.472357] CPT ERR: ffff880403c6e000,3963 :rst_restore_net: -22
    Aug 17 22:25:22 hwnode01 kernel: [292732.734847] CT: 3963: stopped
    Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Cannot undump the file: Invalid argument
    Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: iptables-restore exited with 2
    Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: Most probably some iptables modules are not loaded
    Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: or CT's iptables utilities are incompatible with this kernel (version is older than 1.4.0)
    Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: (Offline migration and iptools upgrade might help).
    Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: rst_restore_net: -22
    Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Failed to start the Container
    Aug 17 22:25:23 hwnode01 vzmdest[12099]: vzctl : Failed to start the Container
    Aug 17 22:25:23 hwnode01 vzmdest[12099]: /usr/sbin/vzctl exited with code 17
    Aug 17 22:25:26 h2-vps06 vzmdest[12099]: /usr/sbin/vzctl exited with code 17
    

Cause

The migration fails because iptables modules are missing on the destination node. Restoring the container's state includes restoring its iptables rules, and that step fails when the modules those rules need are not available there.

Example of a difference in the iptables modules:

  • on the source node:

    ~# grep IPTABLES /etc/vz/vz.conf 
    IPTABLES="iptable_nat ipt_conntrack ip_conntrack ip_conntrack_ftp ipt_tos ipt_LOG ipt_REDIRECT ipt_MASQUERADE ipt_length ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
    
  • on the destination node:

    ~# grep IPTABLES /etc/vz/vz.conf 
    IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
    

Resolution

To resolve this issue, take the following actions:

  1. Correct the iptables modules in /etc/vz/vz.conf so that they are the same on the source and destination nodes.

  2. Restart the Virtuozzo service:

    ~# service vz restart
    

    NOTE: All containers are restarted when the Virtuozzo service is restarted.
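
One way to find which modules need to be added in step 1 is to compare the IPTABLES lines of the two nodes' vz.conf files. The script below is an added example, not part of the original article or of Virtuozzo; the function names and the src.conf/dst.conf file names are hypothetical, and the sample input is built from the two IPTABLES lines shown above.

```shell
#!/bin/sh
# Added example: list iptables modules enabled on the source node but not on
# the destination node, by comparing the IPTABLES= lines of two vz.conf copies.

# Print the modules from the IPTABLES="..." line, one per line, sorted, unique.
# If the line appears more than once, the last one is used (an assumption
# about how the file is read).
iptables_modules() {
    sed -n 's/^[[:space:]]*IPTABLES="\([^"]*\)".*/\1/p' "$1" |
        tail -n 1 | tr -s ' \t' '\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Usage: missing_on_destination SOURCE_CONF DESTINATION_CONF
# Prints every module listed in SOURCE_CONF that DESTINATION_CONF lacks.
missing_on_destination() {
    src_list=$(mktemp) && dst_list=$(mktemp) || return 2
    iptables_modules "$1" > "$src_list"
    iptables_modules "$2" > "$dst_list"
    LC_ALL=C comm -23 "$src_list" "$dst_list"
    rm -f "$src_list" "$dst_list"
}

# Constructed sample input: the two IPTABLES lines shown in the article,
# written to DIR/src.conf and DIR/dst.conf (hypothetical file names).
write_sample_configs() {
    cat > "$1/src.conf" <<'EOF'
IPTABLES="iptable_nat ipt_conntrack ip_conntrack ip_conntrack_ftp ipt_tos ipt_LOG ipt_REDIRECT ipt_MASQUERADE ipt_length ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
EOF
    cat > "$1/dst.conf" <<'EOF'
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
EOF
}

demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
echo "Modules to add on the destination node:"
missing_on_destination "$demo_dir/src.conf" "$demo_dir/dst.conf"
rm -rf "$demo_dir"
```

On real nodes, copy the source node's /etc/vz/vz.conf to the destination and pass both paths to missing_on_destination before retrying the online migration.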

You can also read the following articles:

#746 - How do I enable firewall in a container?
#113056 - Managing iptables modules in containers
#115410 - Unable to set firewall rules inside container
