Symptoms

Power Panel (VZPP) is not working correctly for containers.

The following errors may be shown:

Forbidden
You don't have permission to access /vz/cp/wnd,8503b864-7439-4a7c-a09b-24caeb04c7e7 on this server.
Apache Server at 203.0.113.2 Port 4643

or:

Forbidden

The IP address of a physical server cannot be used with its Parallels Power Panel port number.

Do one of the following:

    If you want to open the Parallels Virtual Automation Control Center, use the IP address of the management server with the default port number.
    If you want to open the Parallels Power Panel, use the IP address or hostname of the Virtual Environment.

or:

Unable to connect
Firefox can't establish a connection to the server at 203.0.113.2:4643.

Resolution

Things to try:

  1. Check the health of CT 1; it should be running with 1-4 processes:

    ~# vzlist 1
    CTID      NPROC STATUS    IP_ADDR         HOSTNAME
       1          3 running   192.168.176.27  -
    

    If CT 1 doesn't exist, reinstall the 'PVA Power Panel' component of PVA Agent.

  2. Check that the IP address of CT 1 is accessible from the virtualization node itself.

    Review the iptables and Private Networks configuration.

    By default, PVA Agent generates an IP address for CT 1 from the 192.168.X.X subnet, so in most cases you should avoid using this subnet for Private Networks.

  3. Check CT 1 resources; some counters may have failed:

    ~# awk '$6' /proc/bc/1/resources
       privvmpages                    61                69570                65536                69632                    9
    

    If the output is not empty, the listed counter has been exceeded. The last column shows the number of times it failed.

    In this case, increase the failed parameter for the container:

    ~# vzctl set 1 --privvmpages 131072:131072 --save
    
  4. Restart Power Panel service:

    ~# pvapp restart
    
  5. Check the problem on the network level. Make sure that a connection to the Hardware Node on port 4643 can be established from the outside.

    ~# telnet <node_ip_address> 4643
    
  6. Check which process is listening on port 4643:

    # netstat -antp | grep 4643
    tcp   0   0 0.0.0.0:4643      0.0.0.0:*     LISTEN     433943/init
    tcp   0   0 :::4643           :::*          LISTEN     433943/init
    

    If the process is anything other than init, update the virtualization software (PCS/PVC/PSBM) on the node to the latest build.

    NOTE: Typically, the Apache web server listens on port 4643 on the node, and the command above would list an httpd process. However, if a container has a process listening on port 4643, it can replace the node's httpd process. Container #1 from the PVA Power Panel component opens the port in this way, and because the container is started after the node's processes, its process is the one that should be shown. Updating the PVA installation should restart container #1, after which its init process should appear in the output.

  7. Check that offline management is enabled for the specific CT and that offline services are listed correctly:

    ~# grep OFF /vz/private/CTID/ve.conf
    OFFLINE_MANAGEMENT="yes"
    OFFLINE_SERVICE="vzpp vzpp-desktop"
    

    If the OFFLINE_SERVICE setting is absent from the CT's configuration file, check the global settings:

    ~# grep OFF /etc/vz/vz.conf
    OFFLINE_SERVICE="vzpp vzpp-plesk vzpp-desktop"
    

    To enable offline management for a specific CT, do the following:

    ~# vzctl set CTID --offline_management yes --offline_service "vzpp vzpp-desktop" --save
    
  8. Restart the service container:

    ~# vzctl restart 1
    
  9. Check the CT 1 proxy log /vz/root/1/var/log/pavm/pim-cp-proxy.log for any errors and possible hints.

  10. If Power Panel does not work for particular containers only, check which networking mode is configured for the affected virtual environments. Offline Management for containers works only in host-routed networking mode. Offline Management for virtual machines works in both host-routed and bridged modes.

Internal content

If the CT 1 IP address is not accessible from the node:

# ping 192.168.176.27
PING 192.168.176.27 (192.168.176.27) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

In most cases, "Operation not permitted" during a ping occurs when the iptables OUTPUT chain policy is set to DROP everything, or when the whole 192.168.X.X range is assigned to a private network:

linuxvps07cloud ~]# prlsrvctl privnet list
Name              G Netmasks
LEGACY            x 192.168.0.0/16
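
The overlap between CT 1's address and a private network, described in step 2 and shown in the listing above, can be checked mechanically. The following POSIX shell functions are an added example, not part of the original article or of the Parallels tools; the function names are hypothetical, the parser assumes the `prlsrvctl privnet list` column layout shown above, and the OFFICE row in the sample is constructed.

```sh
#!/bin/sh
# Added example: report private networks whose netmask covers CT 1's address.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() (
    set -f; IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed if IPv4 address $1 lies inside CIDR block $2 (e.g. 192.168.0.0/16).
ip_in_cidr() (
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# Read `prlsrvctl privnet list` output on stdin and print the name of every
# private network that has a netmask containing address $1.
privnets_covering() (
    set -f                                    # never glob-expand fields
    ct_ip=$1
    while read -r name rest; do
        case $name in ''|Name) continue ;; esac   # blank line or header
        for field in $rest; do
            case $field in
                *[!0-9./]*) continue ;;       # "G" flag or non-IPv4 text
                *.*.*.*/*) ;;                 # looks like an IPv4 CIDR
                *) continue ;;
            esac
            if ip_in_cidr "$ct_ip" "$field"; then
                echo "$name"
                break
            fi
        done
    done
)

# Constructed sample input modelled on the listing above (OFFICE is made up).
sample_privnets() {
    printf '%s\n' 'Name              G Netmasks' \
                  'LEGACY            x 192.168.0.0/16' \
                  'OFFICE              10.10.0.0/16'
}

# On a node: prlsrvctl privnet list | privnets_covering <CT 1 address from vzlist 1>
sample_privnets | privnets_covering 192.168.176.27
```

Any name printed is a private network that covers the service container's address and should be reviewed together with the iptables rules.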