  #11 (permalink)  
Old 06-21-2006, 08:22 AM
Member
 
Join Date: Jun 2006
Posts: 45

APF and other iptables based firewalls need some customization to the vz setup to allow them to work.

(Basically - the ISP/hoster needs to tell vz which iptables 'features' this guest is allowed to use, how many entries in the iptables table he gets etc.)

I've tried using both apf and hand coded iptables (which I prefer to be quite honest) - both work nicely now.

You can check if your VPS is set up to use iptables by cat'ing the following:

cat /proc/net/ip_tables_names

this should return:

mangle
filter
nat


cat /proc/net/ip_tables_targets

this should return:

LOG
TCPMSS
REJECT
TOS
DNAT
SNAT


I was trying to use REDIRECT - but it wasn't here - oh well. I can still DROP/ACCEPT etc.

PHT
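
Added example, not part of the original post: one way to apply the check above to a whole ruleset before loading it, listing every jump target that the container's `/proc/net/ip_tables_targets` does not offer. The function names, the sample ruleset and the `SSH_IN` chain are constructed for illustration; the target list is the one quoted in the post, and the script assumes the built-in verdicts are not listed in that file.

```sh
#!/bin/sh
# Added example (not from the thread). List every -j/--jump target used in an
# iptables-save style ruleset that this container's kernel does not offer.
# usage: missing_targets RULES_FILE [TARGETS_FILE]
missing_targets() {
    rules=$1
    avail=${2:-/proc/net/ip_tables_targets}
    # Assumption: the built-in verdicts never appear in ip_tables_targets
    # (the listing in the post has none of them, yet DROP/ACCEPT work).
    builtin="ACCEPT DROP QUEUE RETURN"
    # Chains declared in the file (":NAME policy [pkts:bytes]") are valid jumps.
    chains=$(sed -n 's/^:\([^ ]*\) .*/\1/p' "$rules" | tr '\n' ' ')
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "-j" || $i == "--jump") print $(i + 1) }' "$rules" |
    sort -u |
    while read -r target; do
        case " $builtin $chains " in
            *" $target "*) continue ;;
        esac
        grep -qx "$target" "$avail" || echo "$target"
    done
}

# Constructed sample: the target list from the post plus a small ruleset.
demo_missing_targets() {
    dir=$(mktemp -d)
    printf '%s\n' LOG TCPMSS REJECT TOS DNAT SNAT > "$dir/targets"
    cat > "$dir/rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i venet0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:SSH_IN - [0:0]
-A INPUT -i venet0 -p tcp --dport 22 -j SSH_IN
-A SSH_IN -j LOG
-A SSH_IN -j ACCEPT
-A INPUT -p icmp -j REJECT
-A INPUT -j DROP
COMMIT
EOF
    missing_targets "$dir/rules" "$dir/targets"
    rm -rf "$dir"
}

demo_missing_targets    # prints: REDIRECT
```

On a real VPS, call `missing_targets` with only the ruleset file so it reads the live `/proc/net/ip_tables_targets`.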
  #12 (permalink)  
Old 06-21-2006, 11:14 AM
Senior Member
 
Join Date: Jun 2006
Location: Labrador, Canada
Posts: 266

Quote:
Originally Posted by hopetindall
cat /proc/net/ip_tables_targets

this should return:

LOG
TCPMSS
REJECT
TOS
DNAT
SNAT

Looks like LOG is a valid target for me, but I don't get anything in the syslog (/var/log/messages) for something like:

-A INPUT -p tcp --dport 22 -j LOG

As far as I can tell, syslogging is configured the same as on my dedicated machine, where iptables logging works. Both the VPS and the dedicated are CentOS 4.3. I'm probably missing something obvious... any ideas?
__________________
D. Robbins
vpsinfo : server status in your browser
loadavg : lightweight load, memory & transfer monitoring
  #13 (permalink)  
Old 06-21-2006, 11:54 AM
Member
 
Join Date: Jun 2006
Location: Sydney, Australia
Posts: 97

Quote:
Originally Posted by jamesb
But I do not know if OpenVz allow the feature of burst or not. Maybe that's why we are not allowed to burst because it just can't?

OpenVZ certainly supports it. Check your user_beancounters -- currently they are set to the same value. I guess it is just how VPSLink sets up their VEs.

I am more interested in whether OpenVZ supports Virtuozzo 3's SLM memory model, which gives each VE a more dedicated server-like environment.
  #14 (permalink)  
Old 06-21-2006, 02:04 PM
Senior Member
 
Join Date: Jun 2006
Posts: 160

I think right now they are just getting set up... and not having bursting is the easiest method of giving everybody their share of performance. They seem to take our suggestions to heart... so if bursting would serve that purpose as well (I believe it would) then maybe they will switch.
  #15 (permalink)  
Old 06-21-2006, 02:19 PM
Member
 
Join Date: Jun 2006
Location: australia
Posts: 64

Quote:
Originally Posted by sleddog
As far as I can tell, syslogging is configured the same as on my dedicated machine, where iptables logging works. Both the VPS and the dedicated are CentOS 4.3. I'm probably missing something obvious... any ideas?

iptables logging works fine for me. My system is gentoo/iptables v1.3.5. The rule I used is:
-A INPUT -i venet0 -p tcp -m tcp --dport 22 -j LOG

Are you sure the rule is getting hit? What does your iptables-save -c show?
  #16 (permalink)  
Old 06-21-2006, 03:08 PM
Senior Member
 
Join Date: Jun 2006
Location: Labrador, Canada
Posts: 266

Quote:
Originally Posted by aero
Are you sure the rule is getting hit? What does your iptables-save -c show?

[4:240] -A INPUT -i venet0 -p tcp -m tcp --dport 22 -j LOG

Which shows it's getting hit, doesn't it? But /var/log/messages remains mute.
__________________
D. Robbins
vpsinfo : server status in your browser
loadavg : lightweight load, memory & transfer monitoring
  #17 (permalink)  
Old 06-22-2006, 02:47 AM
Member
 
Join Date: Jun 2006
Location: australia
Posts: 64

Maybe it's related to your syslogger? I'm using metalog.

Anyways, the iptables logs (at least on my box) should also appear in dmesg. Have you checked there?
  #18 (permalink)  
Old 06-22-2006, 11:23 AM
Senior Member
 
Join Date: Jun 2006
Location: Labrador, Canada
Posts: 266

Finally got it. The kernel logger (klogd) was disabled -- presumably in the VPS template? Is there a reason for this?

I modified the startup script /etc/rc.d/init.d/syslog, restarted syslog and now logging occurs to /var/log/messages.

Here's a bit of the syslog startup script. The commented-out lines are the ones that disabled klogd. I added the bolded lines:

Code:
start() {
        echo -n $"Starting system logger: "
        daemon syslogd $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        echo -n $"Starting kernel logger: "
#       passed klogd skipped $KLOGD_OPTIONS
        daemon klogd $KLOGD_OPTIONS   # added line (bold in the original post)
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
        return $RETVAL
}
stop() {
        echo -n $"Shutting down kernel logger: "
#       passed klogd skipped
        killproc klogd   # added line (bold in the original post)
        echo
        echo -n $"Shutting down system logger: "
        killproc syslogd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/syslog
        return $RETVAL
}
__________________
D. Robbins
vpsinfo : server status in your browser
loadavg : lightweight load, memory & transfer monitoring
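
Added example, not part of the original posts: the diagnosis worked out over the replies above, as a script that reads `iptables-save -c` output, finds LOG rules whose packet counter is above zero, and then checks whether a kernel-log daemon is running to pick those messages up. The function names and exit codes are constructed for illustration, and only the port 22 rule in the sample comes from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): separate "rule never matched" from
# "rule matched but nothing is draining the kernel log".

# Reads `iptables-save -c` output on stdin; prints "<packets><TAB><rule>"
# for each LOG rule whose packet counter is above zero.
log_rule_hits() {
    awk '/^\[[0-9]+:[0-9]+\]/ {
        split(substr($1, 2, length($1) - 2), c, ":")   # "[4:240]" -> 4, 240
        for (i = 2; i < NF; i++)
            if (($i == "-j" || $i == "--jump") && $(i + 1) == "LOG" && c[1] + 0 > 0) {
                rule = $0
                sub(/^[^ ]+ /, "", rule)                # drop the counter field
                print c[1] "\t" rule
            }
    }'
}

# Returns 0 if LOG rules match and the daemon runs, 1 if they match but the
# daemon is absent (the situation in the thread), 2 if no LOG rule matched.
# The daemon name defaults to klogd; the parameter is an assumption added
# here so other kernel-log readers can be checked.
check_kernel_logging() {
    hits=$(log_rule_hits)
    [ -n "$hits" ] || { echo "no LOG rule has matched a packet yet"; return 2; }
    if ps -e -o comm= 2>/dev/null | grep -qx "${1:-klogd}"; then
        echo "LOG rules are matching and ${1:-klogd} is running"
    else
        echo "LOG rules are matching but ${1:-klogd} is not running:"
        echo "$hits"
        return 1
    fi
}

# Constructed sample; only the port 22 line is taken from the thread.
sample_counters() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [120:9000]
[4:240] -A INPUT -i venet0 -p tcp -m tcp --dport 22 -j LOG
[0:0] -A INPUT -i venet0 -p tcp -m tcp --dport 25 -j LOG
[7:420] -A INPUT -i venet0 -p tcp -m tcp --dport 23 -j REJECT
COMMIT
EOF
}

sample_counters | log_rule_hits
# On a live system: iptables-save -c | check_kernel_logging
```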
  #19 (permalink)  
Old 06-25-2006, 05:43 AM
Member
 
Join Date: Jun 2006
Posts: 45

I found that turning on klog REALLY INCREASES the loadavg on the machine.

Mine averages around .15 to .30 but with klog turned on - it was hovering between .75 and 1.2

PHT
  #20 (permalink)  
Old 06-25-2006, 07:41 AM
Senior Member
 
Join Date: May 2006
Posts: 130

Quote:
Originally Posted by sleddog
Finally got it. The kernel logger (klogd) was disabled -- presumably in the VPS template? Is there a reason for this?

I modified the startup script /etc/rc.d/init.d/syslog, restarted syslog and now logging occurs to /var/log/messages.

Here's a bit of the syslog startup script. The commented-out lines are the ones that disabled klogd. I added the bolded lines:

Code:
start() {
        echo -n $"Starting system logger: "
        daemon syslogd $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        echo -n $"Starting kernel logger: "
#       passed klogd skipped $KLOGD_OPTIONS
        daemon klogd $KLOGD_OPTIONS   # added line (bold in the original post)
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
        return $RETVAL
}
stop() {
        echo -n $"Shutting down kernel logger: "
#       passed klogd skipped
        killproc klogd   # added line (bold in the original post)
        echo
        echo -n $"Shutting down system logger: "
        killproc syslogd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/syslog
        return $RETVAL
}

I don't see a whole lot of reason for the need to log kernel messages, and maybe VPSLink saw that it will increase the loads like insane anyways, so they disabled it in the image?

All times are GMT.