I encountered strange problem with Nftables which I don't understand. This is the sequence of a commands which lead to my state:

~# nft add table inet firewall
~# nft add set inet firewall blacklist4 \{ typeof ip saddr \; flags interval \; auto-merge \; \}
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/25 \}
~# nft add element inet firewall blacklist4 \{ 192.0.2.128/25 \}
~# nft -a list ruleset
table inet firewall { # handle 0
        set blacklist4 { # handle 0
                typeof ip saddr
                flags interval
                auto-merge
                elements = { 192.0.2.0/25, 192.0.2.128/25 }
        }
}

So far, so good. Notice it was not automatically merged two halves of the /24 network into a single record, which I expected, and I found that I am not the first who noticed this: https://www.spinics.net/lists/netfilter/msg58958.html Now, at this state it won't let me add the "combined" nor "partial" range element:

~# nft add element inet firewall blacklist4 \{ 192.0.2.128/26 \}
Error: interval overlaps with an existing one
add element inet firewall blacklist4 { 192.0.2.128/26 }
                                       ^^^^^^^^^^^^^^
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.128/26 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/24 \}
Error: interval overlaps with an existing one
add element inet firewall blacklist4 { 192.0.2.0/24 }
                                       ^^^^^^^^^^^^
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

So removing both elements and checking:

~# nft delete element inet firewall blacklist4 \{ 192.0.2.0/24 \}
Error: interval not found in set
delete element inet firewall blacklist4 { 192.0.2.0/24 }
                                          ^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
delete element inet firewall blacklist4 { 192.0.2.0/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft delete element inet firewall blacklist4 \{ 192.0.2.0/25 \}
~# nft delete element inet firewall blacklist4 \{ 192.0.2.128/25 \}
~# nft -a list ruleset
table inet firewall { # handle 0
        set blacklist4 { # handle 0
                typeof ip saddr
                flags interval
                auto-merge
        }
}

I intentionally tried to remove the combined one first, because it was said earlier that "file exists". But it turned out it only exists when adding, but not when removing. The last command shows the set is empty; now let's add something back:

~# nft add element inet firewall blacklist4 \{ 192.0.2.0/24 \}
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/25 \}
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/25 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft add element inet firewall blacklist4 \{ 192.0.2.0/26 \}
Error: Could not process rule: File exists
add element inet firewall blacklist4 { 192.0.2.0/26 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~# nft -a list ruleset
table inet firewall { # handle 0
        set blacklist4 { # handle 0
                typeof ip saddr
                flags interval
                auto-merge
        }
}

I can't add the same, the super block or the partial block, it says "file exists". Why? Where? The list command keeps saying the set is empty. How to add it back now? It is possible to reset this by flushing the set. However, it is this test set is empty, but in the real life it will have other data. This behaviour is retained if the set is created without auto-merge. If I remove flags interval, it works as expected, but only with individual IP addresses. This is OpenVZ system, 3.10.0-1160.42.2.vz7.184.10 #1 SMP Fri Dec 31 04:05:16 MSK 2021 x86_64 GNU/Linux. Could it be connected to that? nft version is nftables v0.9.8 (E.D.S.), the system is freshly updated Debian Bullseye.

I use wmware workstation to run two virtual machines with OpenVZ 2.6.32-042stab108.2 installed on top on CentOS 6.6. I have created another primary partition, /dev/sda4, to configure it as drbd resource. I also created a filsystem on it. The second machine is actually created using the virtual disk of the first one, with changed hostname and eth0 ip address. The drbd configuration file is this: global { usage-count no; } common { syncer { rate 100M; } } resource r0 { protocol C; startup { wfc-timeout 15; degr-wfc-timeout 60; } net { cram-hmac-alg sha1; shared-secret "password"; } on primary { device /dev/drbd0; disk /dev/sda4; address 192.168.18.10:7788; meta-disk internal; } on secondary { device /dev/drbd0; disk /dev/sda4; address 192.168.18.20:7788; meta-disk internal; } } After creating the resource with **drbdadm create-md r0**, when I enter **service drbd start**, I get: Failure: (127) Device minor not allocated. The output of **drbdadm dump all** might be helpful: [root@primary ~]# drbdadm dump all # /etc/drbd.conf # resource r0 on primary: not ignored, not stacked resource r0 { protocol C; on primary { device /dev/drbd0 minor 0; disk /dev/sda4; address ipv4 192.168.18.10:7788; meta-disk internal; } on secondary { device /dev/drbd0 minor 0; disk /dev/sda4; address ipv4 192.168.18.20:7788; meta-disk internal; } net { cram-hmac-alg sha1; shared-secret danuts; } startup { wfc-timeout 15; degr-wfc-timeout 60; } } What is causing this error and how can it be mitigated? Thanks!

I have a little problem, and I have had a backup from my hoster, this consists of the following files, now the question arises how do I get the files out of it, I don't want to start servers but those Get files from it I hope I am right here with my problem

I am attempting to confirm swap usage on an OpenVZ vps. (I have had issues with badly configured swap files before) To do so I am slowly filling the memory using code from this question https://unix.stackexchange.com/questions/1367/how-to-test-swap-partition . Then while running the code, monitoring memory and swap usage using top. Whilst running, the swap usage does not change, instead the usage of the memeater code approaches real memory limits then stops. Is this normal behaviour for the swap file in an OpenVZ setup? Other useful info- - - - swappiness = 60 # uname -a Linux vps.server.com 5.4.0 #1 SMP Mon Mar 16 15:39:59 MSK 2020 x86_64 x86_64 x86_64 GNU/Linux # cat /proc/user_beancounters Version: 2.5 uid resource held maxheld barrier limit failcnt 21423: kmemsize 48521216 101617664 9223372036854775807 9223372036854775807 0 lockedpages 93 149 9223372036854775807 9223372036854775807 0 privvmpages 175203 477143 9223372036854775807 9223372036854775807 0 shmpages 366 368 9223372036854775807 9223372036854775807 0 dummy 0 0 9223372036854775807 9223372036854775807 0 numproc 71 71 4194304 4194304 0 physpages 133247 262148 262144 262144 381 vmguarpages 0 0 9223372036854775807 9223372036854775807 0 oomguarpages 139011 276392 0 0 14 numtcpsock 0 0 9223372036854775807 9223372036854775807 0 numflock 6 104 9223372036854775807 9223372036854775807 0 numpty 1 4 9223372036854775807 9223372036854775807 0 numsiginfo 0 87 9223372036854775807 9223372036854775807 0 tcpsndbuf 0 0 9223372036854775807 9223372036854775807 0 tcprcvbuf 0 0 9223372036854775807 9223372036854775807 0 othersockbuf 0 0 9223372036854775807 9223372036854775807 0 dgramrcvbuf 0 0 9223372036854775807 9223372036854775807 0 numothersock 0 0 9223372036854775807 9223372036854775807 0 dcachesize 20279296 24981504 9223372036854775807 9223372036854775807 0 numfile 860 5590 9223372036854775807 9223372036854775807 0 dummy 0 0 9223372036854775807 9223372036854775807 0 dummy 0 0 9223372036854775807 9223372036854775807 0 dummy 0 0 9223372036854775807 9223372036854775807 0 numiptent 44 44 9223372036854775807 9223372036854775807 0

This is a very generic question, but it has been coming up more and more often for me. I would like to try and determine an appropriate course of action for this generic case, as I think it could benefit me and other sysadmins in the future. The commonality in all cases though is java. The reason I am asking this question here rather than stack overflow is that this is a sysadmin question. I think it is very appropriate here. A user comes up to me and says "My application is very slow. The server you gave me has poor performance." This server could be bare metal, OpenVZ, or KVM. In all cases, OS is CentOS 6. When the user tells me this, they are referring to page load time (JIRA) or benchmark numbers. (Selenium or proprietary app) Now, I have a sneaking suspicion that the server itself is fine. I ssh onto the server, and notice that the load is less than 1. Memory usage is fine as well, ranging anywhere from 2-20 gigs of ram free. Finally, I check iowait with vmstat, and notice that it is 0. cpu idle is 99. Looking at Java with top, I can see that CPU percentage is around 200% or so for that process. This is on systems with anywhere from 4 to 24 cores. Of course, openvz does processor allocation different from KVM or bare metal.) In the cases that this occurs on an openvz or kvm guest, I hop onto the host as well, and see similar things. cpu idle is 99%. iowait is 0. memory is sometimes hundreds of gigs free. I have looked at these java processes and threads with strace, and strace -f. There are tons of futex, clock, and epoll. If I reverse grep those, I'm left with mostly ioctl, stat, sendto. Applications where this has happened: Selenium, JIRA, and misc proprietary java applications. Always java though. I have considered tuning the niceness of the java processes, but AFAIK niceness will only affect how processes are scheduled. If the load is low, it won't help to speed things up. Sometimes the application uses mysql, but looking at mysql in top shows almost no cpu usage there. I'm guessing that if that was the bottleneck, we would see higher cpu usage. Bottom line: How do I prove to the user that the server works just fine, but their application sucks? Theoretically, the application could be slow because it encountered a while loop that will never exit. Which leads me to believe that this task is impossible, analogous to solving the halting problem. o_O But perhaps I can tune java to behave a bit better, or perhaps there is a way to profile the running application, point to a chunk of code and say "There's your problem".

I am currently having some issues with the cache. It is a little too much right now so I wanted to clear it. I googled and found this little command: sync && echo 3 > /proc/sys/vm/drop_caches. I am logged in as root over SSH (not using sudo). These are the attempts I made: root@server: ~ # ll /proc/sys/vm/drop_caches -rw-r--r-- 1 root root 0 15. Jan 20:21 /proc/sys/vm/drop_caches root@server: ~ # echo 3 > /proc/sys/vm/drop_caches -bash: /proc/sys/vm/drop_caches: Permission denied root@server: ~ # sudo su -c "echo 3 > /proc/sys/vm/drop_caches" bash: /proc/sys/vm/drop_caches: Permission denied root@server: ~ # echo 3 | sudo tee /proc/sys/vm/drop_caches tee: /proc/sys/vm/drop_caches: Permission denied 3 It is a remote machine running Debian. As far as I know there are some vCores in this machine and it uses Virtuozzo for the virtualization. I really just want to clear the cache *(So I can only access it using SSH)*. I also tried registering this as a cronjob. But it simply fails too!

I have Debian 9 with OpenVZ 6 running on it, I created my VPS like this: vzctl create 10 -- ostemplate debian-8.0-x86_64-minimal vzctl set 10 --ipadd 192.168.1.5 --save However when I start the virtual machine it has not assigned the private IP so I cannot setup nat on host machine to allow this virtual server access to the internet. This is output of ip addr from the virtual: 1: lo: mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: venet0: mtu 1500 qdisc noop state DOWN link/void This is /etc/network/interfaces: auto lo iface lo inet loopback OpenVZ should configure this file because on my old machine with Debian 7 and debian 7 VPS this file is automatically configured by the OpenVZ manager so everytime VPS restarts it gets new configuration according to what this container has in OpenVZ configuration. I need this process to be automatic, sure I can config this manually but thats not what I need. EDIT: When I tried debian 7 template, everything works just fine, so I guess there is problem only with Debian 8 templates that are not getting auto configured by OpenVZ. However debian 7 is very old and I need at least Debian 8 containers. EDIT 2: This message appears when I try to set IP to Debian 8 container: vzctl set 10 --ipadd 192.168.1.11 --save UB limits were set successfully Adding IP address(es): 192.168.1.11 main: line 710: /etc/init.d/network: No such file or directory CT configuration saved to /etc/vz/conf/10.conf

A am running a Spark application, it is possible to specify some parameters like the number of threads. My question : how I can find the number of threads in my container OpenVZ. Some details : $lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 64 CPU family: 6 Model: 45 Stepping: 7 CPU MHz: 2294.304 BogoMIPS: 4588.60 $ nproc 24 $nproc --all 64

I tried to change the default Apache port on the Centos 7 OpenVZ container, but it just didn't work. curl **.**.**.**:8080 curl: (7) Failed to connect to **.**.**.** port 8080: No route to host But it works correctly with the standard port: $ curl -I **.**.**.** HTTP/1.1 403 Forbidden Date: Wed, 01 May 2019 01:06:31 GMT Server: Apache/2.4.6 (CentOS) Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT ETag: "1321-5058a1e728280" Accept-Ranges: bytes Content-Length: 4897 Content-Type: text/html; charset=UTF-8 At first I thought it was related to the SELinux policy, but as I read further, SELinux does not work on OpenVZ - Openvz_SELinux . When I tried to change the port to Centos 7 KVM VM, it worked flawlessly (the necessary rules were created for SELinux): $ curl -I **.**.**.**:8080 HTTP/1.1 403 Forbidden Date: Wed, 01 May 2019 01:09:51 GMT Server: Apache/2.4.6 (CentOS) Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT ETag: "1321-5058a1e728280" Accept-Ranges: bytes Content-Length: 4897 Content-Type: text/html; charset=UTF-8 After that I changed the OS on the OpenVZ container to Ubuntu 18.04. It works correctly. $ curl -I **.**.**.**:8080 HTTP/1.1 200 OK Date: Wed, 01 May 2019 01:19:57 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 12 Apr 2019 08:09:12 GMT ETag: "2aa6-58650d16807ed" Accept-Ranges: bytes Content-Length: 10918 Vary: Accept-Encoding Content-Type: text/html Any suggestions on this case? P.S. Firewalld, iptables and ufw are disabled on all VPS.

I'm trying nproc and nproc --all in an OpenVZ container to count the number of CPU threads assigned to the vps by upstream provider. While nproc resulting 1, nproc --all resulting 24 CPU threads. May anyone please help me in explaining this? The upstream provider is supposed to assign only one CPU and cat /proc/cpuinfo is also saying that. Then from where and how this 24 is coming? Please find a screenshot here . I'm using CentOS 7 inside the vps.

An OpenVZ host (RHEL 6) is running Debian-based containers. The problem is that network traffic, instead of being routed to a relevant container (10.10.104.1) via venet0 interface, gets routed to the host network's default gateway (143.215.76.129). At the same time, traffic to the 192.168.x.x network does not get redirected to the gateway. Relevant output below.

# traceroute 10.10.104.1
traceroute to 10.10.104.1 (10.10.104.1), 30 hops max, 60 byte packets
 1  143.215.76.129 (143.215.76.129)  1.349 ms  1.314 ms  1.280 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  *^C

# traceroute 192.168.104.32
traceroute to 192.168.104.32 (192.168.104.32), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  *^C

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.104.1     0.0.0.0         255.255.255.255 UH    0      0        0 venet0
143.215.76.128  0.0.0.0         255.255.255.128 U     0      0        0 eth0
143.215.76.128  0.0.0.0         255.255.255.128 U     0      0        0 eth1
143.215.76.128  0.0.0.0         255.255.255.128 U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 eth2
0.0.0.0         143.215.76.129  0.0.0.0         UG    0      0        0 eth0

In CentOS 6 w/ OpenVZ 2.6.32, this command outputs IPs with the highest number of connections against port 22, e.g: [root@legovz ~]# netstat -antu | grep :22 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 2 217.20.114.121 3 0.0.0.0 3 58.242.82.6 [root@legovz~]# Under CentOS 7, w/ OpenVZ 7, the output is always as follows, despite the fact I know there is lots of traffic on port 22: [root@ovz7 ~]# netstat -antu | grep :22 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 1 0.0.0.0 [root@ovz7 ~]# What I need to do differently, to achieve the same result with CentOS 7.? If I can't, why?

So ive found with several hosting companies that my vps plan will reset its hostname and dns resolve.conf files to their initial state after reboot, loosing any changes. I suspect this is a openvz thing, but im not 100%

I'm learning to administer a VPS which has an openVZ kernel (= go easy...). I thought I'd attempt to load a missing kernal module by reinstalling my kernel with: sudo apt-get install -y linux-image-$(uname -r) Not only did that fail to get the module I needed, my disk usage doubled. My VPS host admin loaded the module in the host kernel which solved that issue. But now I have 8+GB of redundant OS libraries for Ubuntu 18.04. How can i remove these redundant libraries? apt auto-remove didn't help. Besides starting from scratch, would appreciate suggestions how one can reclaim the 8+GB of SSD space I carelessly lost!

I am using some VPSes in OpenVZ containers. As I can see, our hosting provider somes moves them between his physical machines. It also means unwaited (and unexpected) reboots. I have no technical contact with the VPS provider (there is a... complex company structure ;-) ), but I would like to know, what is happening and why. I checked the /proc/cpuinfo, yes it sometimes changes. But it is not enough. Can I somehow extract some ID about the host machine, while I have only a root access to the VPS (and zero access to the host)?

After yum upgrade in may 2019 now i have following: network in container not start. nothing in log ps ax show, that network start script running forever /bin/bash /etc/sysconfig/network-scripts/ifup-eth ifcfg-lo After investigating(adding additional debug echo commands) i can see that this line in script never ends ip link set dev venet0 up Any ideas what i have check after that?

I have a cheap OpenVZ VPS, and I noticed the time is a lot wrong. Each time I try: ntpdate -s time.nist.gov it silently returns as if it was successful, but nothing changes. When I do: date -s 11:11 it says date: cannot set date: Operation not permitted. **Is there a trick to be able to modify date on an OpenVZ VPS?** Note: I have done service ntpd stop, but it's already not running.

I've been doing some research and decided to implement OpenVZ since it allows each container to be isolated from other containers, unlike LXC. However, OpenVZ is still not supported for ARM processors. Any way to work around the container isolation issue in LXC?

I am starting this question despite it seems like this question, but it isn't. I am getting different outputs from the commands as given in that question. Now I want to show you my scenario. From my knowledge of operating systems, virtual memory is used to swap the files from main memory which are not used frequently and free up space for other active programs and files. My MySQL Database Server is getting killed by own, and I don't know why, and I think this is because of the Virtual Memory. So, I want to increase my Virtual Memory. I read from this link, but again the outputs are a bit different like I don't have some like sda1 or something. I don't have any knowledge of Linux so please explain in more basic terms. I don't know any command neither know what a command does. Here some of the outputs of the commands. swapon -s Filename Type Size Used Priority /dev/null partition 524288 516556 -1 free -m total used free shared buffers cached Mam: 1024 734 289 128 0 74 -/+ buffers/chahe: 660 363 Swap: 512 504 7 df -h Filesystem Size Used Avail Use% Mounted on /dev/simfs 40G 3.1G 37G 8% / none 256M 4.0K 256M 1% /dev **So please tell me how can I increase the Virtual Memory size?** **Edit** This question marked duplicate but again my terminal giving different output than in this answer . dd if=/dev/zero of=/raid1/swapfile bs-1M count=8192 dd : opening `/raid1/swapfile': No such file or directory I don't have idea what a mdadm RAID is.

I've stopped using OpenVZ for a couple of years and now I'm back at it I feel somewhat overwhelmed by the increased level of complexity. I'm just stuck for hours on this simple task: I want to use the hardware node as my local DNS cache for *all* container types (which paradigm is new to me), host and bridged. I have only containers. I have successfully configured dnsmasq to listen on both br0 and virbr0, the interfaces for bridged and host-only containers, respectively. I could confirm the step with dig @interface and that works. What doesn't work: - name resolution in any container times out - pinging the hardware node address gives no reply From the hardware node: # prlsrvctl net list Network ID Type Bound To Bridge Slave interfaces Bridged bridged enp2s0 br0 Host-Only host-only virbr0 With virbr0: 10.37.130.2/24 and br0:192.168.xx.5/28. I've run prlctl set --nameserver 10.37.130.2 and even though it has no name resolution. I *suppose* I need to add a rule to iptables but, man, there are so many even for local processes! Even common sense doesn't help: I've tried adding a rule to accept UDP packets on port 53 for both interfaces... no way, there's something else. Just don't know what to hack: - I don't know if dnsmasq receives the DNS requests - I don't know if it sends responses - I don't know if the responses are blocked by the firewall. Here's what I have with tcpdump, whether I add my firewall rule or not: # tcpdump tcpdump: WARNING: venet0: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 23:03:20.876113 IP 192.168.xx.4.53894 > myhostname.local.domain: 32621+ A? google.com. (28) 23:03:25.875974 IP 192.168.xx.4.53894 > myhostname.local.domain: 32621+ A? google.com. (28) ^C 2 packets captured 2 packets received by filter 0 packets dropped by kernel This happens when I do a simple host google.com from a container that has the host command. From that container: # ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=39 time=328 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=39 time=19.8 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=39 time=20.3 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=39 time=20.3 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=39 time=44.1 ms 64 bytes from 8.8.8.8: icmp_seq=6 ttl=39 time=20.4 ms ^C --- 8.8.8.8 ping statistics --- 6 packets transmitted, 6 received, 0% packet loss, time 5002ms rtt min/avg/max/mdev = 19.836/75.699/328.996/113.614 ms Then why the ... does the firewall list these rules? -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT Frustratingly complicated.