openvz

1. Host will be open on LAN and guests on WAN. Additionally, there is a bridged LAN for guests.
2. We will be using bridge networking for protecting the Host Network and saving IP addresses, also giving flexibility with the guest network setup.
3. Configure LAN Eth1 port to 192.168.1.2
4. WAN Eth0 port is not assigned any IP address.
6. Install the required bridge-utils package via:

* Network:

* WAN Bridge device br0:

* WAN eth0 device:

* LAN Bridge device br1:

* LAN eth1 device:

Helper script to create users on all OpenVZ VEs simultaneously:

If you manage several OpenVZ containers, here is a simple bash script to keep the OpenVZ containers upto date.

Following the instruction over at OpenVZ Wiki, I've had no problems with the installation and creation of templates prior to CentOS-5.2 on x86_64 systems. However, with the latest set of updates to CentOS-5.2, the vzpkgcache seems to have been broken as sysklogd is no longer being installed by default. Below is how I got it to work:

Note: edit /vz/template/centos/5/x86_64/config/minimal.list and append .x86_64 to all except for the addons packages. Then run:

which gives the below error at the end:

The solution was to edit "/vz/template/centos/5/x86_64/config/install-post" and set syslog and syslog.conf sed replacements with exit status of "0".

1. Increase the NUMIPTENT values in VE conf file to 1000 on the host:
   
   NUMIPTENT="1000:1000"

2. Edit "/etc/sysconfig/vz" on the host:
   
   IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_owner ipt_length ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_recent"

3. Make sure the above modules are loaded on the host, so it would help if you have APF on the host as well.
   
4. Restart the VE
   
   # vzctl restart <VEID>

5. It is normal to get ipt_recent error as below:
   
   Warning: Unknown iptable module: ipt_recent, skipped

   You can verify the modules loaded via:
   

   # vzctl exec <VEID> grep ipt_recent /proc/net/ip_tables_matches

   Note: ipt_recent is required for passive ftp to work, else... will need to specify passive ftp ports in ftp conf file and open those ports via apf as well.

6. Here is a typical apf config on a VE with CentOS-5 running ISPConfig.
   DEVEL_MODE="0"
IFACE_IN="venet0"
IFACE_OUT="venet0"
IFACE_TRUSTED=""
SET_MONOKERN="1"
IG_TCP_CPORTS="21,22,25,53,80,81,110,143,443"
IG_UDP_CPORTS="53"
EGF="1"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"

Recently, I've had a client who's had issues with uploading files and general functioning of the ISPConfig hosting control panel.

So the first thing I checked out was "/proc/user_beancounters", and everything seemed normal there.

Quick check with `vzquota` turned out that the inodes were maxed out.

Blocks and Inodes can also be checked/displayed within the container via `df -h` and `df -i`.

Additionally, since he had a lot of users, he was maxed out on the users limits too. Noticed that with `repquota -a` which pulled up a huge number of users.

Increasing the appropriate limits with vzctl on diskspace, diskinodes and quotaugidlimit resolved all issues.

If you're hosted on a VPS, the below would explain if you are getting the resources that you paid for:

As mentioned in the resources (/proc/user_beancounters):

vmguarpages	0	30,000	2,147,483,647	4KB pages	\
      Memory allocation guarantee

This is the guaranteed RAM you get which works out to be:

30000 x 4 / 1024 = 117.1875 MB

Accordingly kmemsize is set to:

kmemsize	7,167,393	12,288,832	13,517,715	bytes	\
     Size of unswappable memory, allocated by the operating system kernel

Minimum kmemsize should be 10% of the vmguarpages, which is correct for the current setup:

12288832/1024/1024 = 11.7 MB == 10% of 117 (vmgaurpges)