Hello friends at Serverfault!

I'm having a weird issue with my CentOS 6.10 OpenVZ server (using Virtualizor), as I have enabled IPv6 support.

This server has basically exactly the same setup as three other servers with the same OS and kernel; the only difference is that this server is configured as a master and the other three servers as slaves.

In order to have IPv6 fully functional on the server's containers, I need to be able to disable ip6tables (not IPv6 altogether, but just the ip6tables).

If I run the command to stop ip6tables I get this error:

service ip6tables stop

ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ]
ip6tables: Setting chains to policy ACCEPT: filter [ OK ]
ip6tables: Flushing firewall rules: [ OK ]
ip6tables: Unloading modules: ip6table_filter ip6t_LOG ip6[FAILED]lter ip6_tables

The OpenVZ kernel I have across all the four servers is

2.6.32-042stab134.46 #1 SMP Wed Jan 16 05:56:41 CET 2019 x86_64 x86_64 x86_64 GNU/Linux

As I said earlier, only this master server returns this error when trying to stop ip6tables, while it works perfectly on the other twin slave servers.

I'd appreciate any help you can please give me to be able to stop ip6tables successfully and be able to fully exploit IPv6 inside this server's containers.

These are the modules loaded on the master server that returns the error:

lsmod
Module                  Size  Used by
sit                    11553  0 
tunnel4                 2983  1 sit
sch_sfq                 5835  94 
cls_u32                 6934  2 
sch_cbq                16537  2 
ip6t_LOG                8485  10 
ip6t_rt                 6714  6 
xt_recent               8593  8 
ipt_addrtype            2161  8 
xt_conntrack            3960  111 
iptable_raw             2368  0 
vzethdev                8245  0 
pio_kaio               14060  0 
pio_nfs                19043  0 
pio_direct             30148  54 
pfmt_raw                3333  0 
pfmt_ploop1             6671  54 
ploop                 120055  167 pio_kaio,pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
simfs                   5189  0 
vzrst                 206905  7 
vzcpt                 156425  1 vzrst
nfs                   449026  3 pio_nfs,vzrst,vzcpt
lockd                  78281  2 vzrst,nfs
fscache                61345  1 nfs
auth_rpcgss            46116  1 nfs
nfs_acl                 2655  1 nfs
sunrpc                274118  6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
vziolimit               3775  0 
vzdquota               55467  0 [permanent]
xt_owner                2250  0 
nf_nat                 23122  1 vzrst
xt_length               1330  0 
xt_hl                   1539  44 
xt_tcpmss               1615  0 
xt_TCPMSS               3549  0 
iptable_mangle          3453  0 
iptable_filter          2897  5 
xt_multiport            2772  0 
xt_limit                2126  33 
nf_conntrack_ipv4       9650  93 nf_nat
nf_defrag_ipv4          1523  1 nf_conntrack_ipv4
ipt_LOG                 7886  16 
xt_DSCP                 2841  0 
xt_dscp                 2065  0 
ipt_REJECT              2423  3 
ip_tables              18183  3 iptable_raw,iptable_mangle,iptable_filter
vzevent                 2171  1 
vznetdev               18984  108 
vzmon                  24539  57 vzrst,vzcpt,vznetdev
vzdev                   2725  5 vzethdev,vziolimit,vzdquota,vznetdev,vzmon
ip6t_REJECT             4447  2 
nf_conntrack_ipv6       7993  20 
nf_defrag_ipv6         26701  1 nf_conntrack_ipv6
nf_conntrack           81593  6 xt_conntrack,vzrst,vzcpt,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
ip6table_filter         3025  3 
ip6_tables             19020  2 ip6t_LOG,ip6table_filter
ipv6                  342524  1685 sit,vzrst,vzcpt,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
pppoatm                 4421  0 
atm                    48007  1 pppoatm
ppp_async               7866  0 
crc_ccitt               1725  1 ppp_async
ppp_deflate             4176  0 
zlib_deflate           21661  1 ppp_deflate
arc4                    1483  0 
ecb                     2217  0 
ppp_mppe                6246  0 
ppp_generic            25891  4 pppoatm,ppp_async,ppp_deflate,ppp_mppe
slhc                    5845  1 ppp_generic
tun                    18741  0 
acpi_pad               88001  0 
iTCO_wdt                7342  0 
iTCO_vendor_support     3064  1 iTCO_wdt
serio_raw               4666  0 
sb_edac                18571  0 
edac_core              46717  2 sb_edac
i2c_i801               13273  0 
sg                     29542  0 
lpc_ich                13579  0 
mfd_core                1935  1 lpc_ich
ioatdma                54090  896 
shpchp                 29554  0 
ext4                  431864  56 
jbd2                   93732  1 ext4
mbcache                 8201  1 ext4
raid1                  33193  2 
sd_mod                 37126  8 
crc_t10dif              1217  1 sd_mod
isci                  134936  0 
libsas                 74618  1 isci
scsi_transport_sas     35628  2 isci,libsas
igb                   193997  0 
dca                     7133  2 ioatdma,igb
i2c_algo_bit            5911  1 igb
i2c_core               29164  3 i2c_i801,igb,i2c_algo_bit
ptp                     9646  1 igb
pps_core               10722  1 ptp
ahci                   43194  6 
wmi                     6287  0 
dm_mirror              14904  0 
dm_region_hash         12189  1 dm_mirror
dm_log                  9938  2 dm_mirror,dm_region_hash
dm_mod                102855  2 dm_mirror,dm_log

And this is the result of lsmod on the server where ip6tables can be stopped without any issue:

Module                  Size  Used by
xt_set                  4040  0 
ip_set                 30955  1 xt_set
nfnetlink               4587  1 ip_set
nf_conntrack_ipv6       7993  22 
nf_defrag_ipv6         26701  1 nf_conntrack_ipv6
xt_conntrack            3960  43 
ip6table_mangle         3629  1 
iptable_nat             6091  1 
ip6table_filter         3025  1 
ip6_tables             19020  2 ip6table_mangle,ip6table_filter
xt_comment              1042  6 
sit                    11553  0 
tunnel4                 2983  1 sit
xt_recent               8593  0 
sch_sfq                 5835  22 
cls_u32                 6934  2 
sch_cbq                16537  2 
iptable_raw             2368  1 
vzethdev                8245  0 
pio_kaio               14060  0 
pio_nfs                19043  0 
pio_direct             30148  34 
pfmt_raw                3333  0 
pfmt_ploop1             6671  34 
ploop                 120055  107 pio_kaio,pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
simfs                   5189  0 
vzrst                 206905  9 
vzcpt                 156425  1 vzrst
nfs                   449026  3 pio_nfs,vzrst,vzcpt
lockd                  78281  2 vzrst,nfs
fscache                61345  1 nfs
auth_rpcgss            46116  1 nfs
nfs_acl                 2655  1 nfs
sunrpc                274118  6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
vziolimit               3775  0 
vzdquota               55467  0 [permanent]
xt_owner                2250  0 
nf_nat                 23122  2 iptable_nat,vzrst
xt_length               1330  0 
xt_hl                   1539  0 
xt_tcpmss               1615  0 
xt_TCPMSS               3549  0 
iptable_mangle          3453  1 
iptable_filter          2897  3 
xt_multiport            2772  7 
xt_limit                2126  0 
nf_conntrack_ipv4       9650  24 iptable_nat,nf_nat
nf_defrag_ipv4          1523  1 nf_conntrack_ipv4
ipt_LOG                 7886  1 
xt_DSCP                 2841  0 
xt_dscp                 2065  0 
ipt_REJECT              2423  2 
ip_tables              18183  4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
vzevent                 2171  1 
vznetdev               18984  68 
vzmon                  24539  37 vzrst,vzcpt,vznetdev
vzdev                   2725  7 vzethdev,vziolimit,vzdquota,vznetdev,vzmon
ip6t_REJECT             4447  2 
nf_conntrack           81593  7 nf_conntrack_ipv6,xt_conntrack,iptable_nat,vzrst,vzcpt,nf_nat,nf_conntrack_ipv4
ipv6                  342524  1199 nf_conntrack_ipv6,nf_defrag_ipv6,ip6table_mangle,sit,vzrst,vzcpt,ip6t_REJECT
pppoatm                 4421  0 
atm                    48007  1 pppoatm
ppp_async               7866  0 
crc_ccitt               1725  1 ppp_async
ppp_deflate             4176  0 
zlib_deflate           21661  1 ppp_deflate
arc4                    1483  0 
ecb                     2217  0 
ppp_mppe                6246  0 
ppp_generic            25891  4 pppoatm,ppp_async,ppp_deflate,ppp_mppe
slhc                    5845  1 ppp_generic
tun                    18741  0 
ipmi_si                47304  0 
ipmi_msghandler        40332  1 ipmi_si
acpi_pad               88001  0 
iTCO_wdt                7342  0 
iTCO_vendor_support     3064  1 iTCO_wdt
serio_raw               4666  0 
joydev                 10544  0 
sb_edac                18571  0 
edac_core              46717  2 sb_edac
i2c_i801               13273  0 
sg                     29542  0 
lpc_ich                13579  0 
mfd_core                1935  1 lpc_ich
ioatdma                54090  576 
shpchp                 29554  0 
ext4                  431864  36 
jbd2                   93732  1 ext4
mbcache                 8201  1 ext4
raid1                  33193  2 
sd_mod                 37126  8 
crc_t10dif              1217  1 sd_mod
isci                  134936  0 
libsas                 74618  1 isci
scsi_transport_sas     35628  2 isci,libsas
ahci                   43194  6 
igb                   193997  0 
dca                     7133  2 ioatdma,igb
i2c_algo_bit            5911  1 igb
i2c_core               29164  3 i2c_i801,igb,i2c_algo_bit
ptp                     9646  1 igb
pps_core               10722  1 ptp
wmi                     6287  0 
dm_mirror              14904  0 
dm_region_hash         12189  1 dm_mirror
dm_log                  9938  2 dm_mirror,dm_region_hash
dm_mod                102855  2 dm_mirror,dm_log

Many thanks everyone!

1 Answer

List the loaded kernel modules and try to unload them manually with the `modprobe -r <module-name>` command.

The issue is likely caused by the use of some modules inside the containers.

Another reason is the wrong order of unloading the modules.

Anton Danilov
  • Thanks a lot Anton for your reply! How can I list the loaded kernel modules and how can I ensure that the module will not be loaded again if the server gets rebooted? Thanks! – fabioganga Jun 28 '19 at 17:41
  • Use the `lsmod` command. It shows the loaded kernel modules. To prevent modules from loading, use a blacklist. Just create any file with a `.conf` extension under the `/etc/modprobe.d/` directory and insert into it lines with `blacklist ` content. – Anton Danilov Jun 28 '19 at 17:48
  • Thanks Anton. I assume the culprit is probably ip6t_LOG, as on the slave server this module is not loaded, in fact. However, I cannot seem to be able to unload it, as I now have this error: `modprobe -r ip6t_LOG` `FATAL: Module ip6t_LOG is in use.` Is there a way I can force unload this module? Thanks – fabioganga Jun 28 '19 at 17:57
  • Something uses this module. There is a `--force` flag, but it's very dangerous and can cause a kernel panic. Paste the output of `lsmod` and the new information into the question. Also, flush the firewall rules before unloading. – Anton Danilov Jun 28 '19 at 18:01
  • Thanks a lot Anton, I have edited my question, adding the result of the lsmod command for both servers, the one giving the issue and the one that doesn't. Thanks again! – fabioganga Jun 28 '19 at 18:30
  • Notice the ref count value in the `lsmod` outputs (this is the `used by` column) of the `ipt_LOG` module. It means this module is used somewhere. Likely the firewalls inside the VPS. So you need to somehow check it (list the rule set inside the containers). – Anton Danilov Jun 28 '19 at 19:29
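
The reference-count check and the per-container rule listing suggested in the comments above, as an added example that is not part of the original thread. The sample lines are copied from the master server's `lsmod` output in the question; the function names are hypothetical, and the container loop assumes OpenVZ's `vzlist` and `vzctl` are available on the hardware node.

```shell
#!/bin/sh
# Constructed sample: excerpt of the master server's lsmod output
# (values copied from the question).
SAMPLE_LSMOD='Module                  Size  Used by
ip6t_LOG                8485  10 
ip6t_rt                 6714  6 
ip6t_REJECT             4447  2 
nf_conntrack_ipv6       7993  20 
ip6table_filter         3025  3 
ip6_tables             19020  2 ip6t_LOG,ip6table_filter
ipv6                  342524  1685 sit,vzrst,vzcpt,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6'

# Hypothetical helper: read lsmod output on stdin and print
# "module extra_refs" for each ip6tables-related module whose reference
# count is larger than the number of modules named in "Used by".
# Those extra references are held by something other than a module,
# for example rules that are still loaded (possibly inside a container),
# so "modprobe -r" on such a module fails with "is in use".
pinned_ip6_modules() {
    awk 'NR > 1 && $1 ~ /^ip6(t_|table_|_tables$)/ {
        deps = ($4 == "") ? 0 : split($4, d, ",")
        if ($3 - deps > 0) print $1, $3 - deps
    }'
}

# Hypothetical helper: for every running container, show the IPv6 rules
# that use the LOG target. Run on the hardware node as root.
container_ip6_log_rules() {
    for ct in $(vzlist -H -o ctid); do
        vzctl exec "$ct" ip6tables-save 2>/dev/null |
            grep -e '-j LOG' | sed "s/^/CT $ct: /"
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LSMOD" | pinned_ip6_modules
```

On a live node, `lsmod | pinned_ip6_modules` shows which modules are still held, and `container_ip6_log_rules` shows which containers carry the rules holding `ip6t_LOG`. `ip6_tables` is absent from the result because both of its references are its dependent modules, which have to be unloaded first.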