Online migration fails: "vzctl exited with code 17"
Original Publishing Date: 2020-01-22
Symptoms
I am unable to migrate a container "online" and the following errors can be observed in the target node's logs:
- /var/log/vzctl.log:
2013-08-17T22:25:21+0200 vzctl : Container 3963 : Starting the Container ...
2013-08-17T22:25:21+0200 vzctl : Container 3963 : vzquota : (warning) Quota is running for id 3963 already
2013-08-17T22:25:21+0200 vzctl : Container 3963 : Setting quota ...
2013-08-17T22:25:21+0200 vzctl : Container 3963 : Container is mounted
2013-08-17T22:25:21+0200 vzctl : Container 3963 : Set cpus: 2
2013-08-17T22:25:21+0200 vzctl : Container 3963 : Set up iolimit: 20971520
2013-08-17T22:25:21+0200 vzctl : Container 3963 : Set up iopslimit: 60
2013-08-17T22:25:21+0200 vzctl : Container 3963 : Adding IP addresses: 46.41.128.247
2013-08-17T22:25:22+0200 vzctl : Container 3963 : Cannot undump the file: Invalid argument
2013-08-17T22:25:22+0200 vzctl : Container 3963 : Failed to start the Container
2013-08-17T22:25:23+0200 vzctl : Container 3963 : Container is unmounted
2013-08-17T22:25:23+0200 vzctl : Container 3963 : Failed to start the Container
2013-08-17T22:25:23+0200 vzctl : Container 3963 : Container is not running
- /var/log/messages:
Aug 17 22:18:23 hwnode01 vzmdest[12099]: Start of CT 3963 migration (private /vz/private/3963, root /vz/root/3963)
Aug 17 22:22:38 hwnode01 vzmdest[12099]: vzctl_conf_get_param(QUOTAUGIDLIMIT) return 10000
Aug 17 22:22:38 hwnode01 vzmdest[12099]: QuotaInit CT#3963 ...
Aug 17 22:22:38 hwnode01 vzmdest[12099]: done
Aug 17 22:22:38 hwnode01 vzmdest[12099]: QuotaOn CT#3963 ...
Aug 17 22:22:38 hwnode01 vzmdest[12099]: done
Aug 17 22:25:21 hwnode01 vzmdest[12099]: Undumping CT#3963 ...
Aug 17 22:25:21 hwnode01 kernel: [292731.867040] CT: 3963: started
Aug 17 22:25:22 hwnode01 kernel: [292732.432237] CPT ERR: ffff880403c6e000,3963 :iptables-restore exited with 2
Aug 17 22:25:22 hwnode01 kernel: [292732.439801] CPT ERR: ffff880403c6e000,3963 :Most probably some iptables modules are not loaded
Aug 17 22:25:22 hwnode01 kernel: [292732.447542] CPT ERR: ffff880403c6e000,3963 :or CT's iptables utilities are incompatible with this kernel (version is older than 1.4.0)
Aug 17 22:25:22 hwnode01 kernel: [292732.463790] CPT ERR: ffff880403c6e000,3963 :(Offline migration and iptools upgrade might help).
Aug 17 22:25:22 hwnode01 kernel: [292732.472357] CPT ERR: ffff880403c6e000,3963 :rst_restore_net: -22
Aug 17 22:25:22 hwnode01 kernel: [292732.734847] CT: 3963: stopped
Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Cannot undump the file: Invalid argument
Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: iptables-restore exited with 2
Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: Most probably some iptables modules are not loaded
Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: or CT's iptables utilities are incompatible with this kernel (version is older than 1.4.0)
Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: (Offline migration and iptools upgrade might help).
Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Error: rst_restore_net: -22
Aug 17 22:25:22 hwnode01 vzmdest[12099]: vzctl : Failed to start the Container
Aug 17 22:25:23 hwnode01 vzmdest[12099]: vzctl : Failed to start the Container
Aug 17 22:25:23 hwnode01 vzmdest[12099]: /usr/sbin/vzctl exited with code 17
Aug 17 22:25:26 h2-vps06 vzmdest[12099]: /usr/sbin/vzctl exited with code 17
Cause
The migration fails because iptables modules are missing on the destination node: the container’s state cannot be restored there because the modules needed to restore its iptables rules are not available.
Example of a difference in iptables modules:
- on the source node:
~# grep IPTABLES /etc/vz/vz.conf
IPTABLES="iptable_nat ipt_conntrack ip_conntrack ip_conntrack_ftp ipt_tos ipt_LOG ipt_REDIRECT ipt_MASQUERADE ipt_length ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
- on the destination node:
~# grep IPTABLES /etc/vz/vz.conf
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
Resolution
To resolve this issue, take the following actions:
- Correct the iptables modules in /etc/vz/vz.conf so that they are the same on the source and destination nodes.
- Restart the Virtuozzo service:
~# service vz restart
NOTE: Restarting the Virtuozzo service restarts all containers.
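A pre-migration check for the mismatch described under Cause, as an added example that is not part of the original article or of Virtuozzo's tooling: it parses the IPTABLES line of two vz.conf copies and lists the modules present on the source but absent on the destination. The function names and temporary file names are assumptions; the sample files are constructed from the two IPTABLES lines shown above.

```shell
#!/bin/sh
# Added example (not Virtuozzo tooling): report iptables modules listed in the
# source node's vz.conf that are absent from the destination node's vz.conf.

# Print the modules from the last IPTABLES= line of a vz.conf, one per line.
vz_iptables_modules() {
    sed -n 's/^[[:space:]]*IPTABLES=//p' "$1" | tail -n 1 |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Print modules present in source ($1) but not in destination ($2).
# Returns 1 if any module is missing, 0 if none, 2 on setup failure.
missing_on_destination() {
    src_list=$(mktemp) && dst_list=$(mktemp) || return 2
    vz_iptables_modules "$1" > "$src_list"
    vz_iptables_modules "$2" > "$dst_list"
    missing=$(LC_ALL=C comm -23 "$src_list" "$dst_list")
    rm -f "$src_list" "$dst_list"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed demo: copies of the two IPTABLES lines shown in the article.
demo_dir=$(mktemp -d)
cat > "$demo_dir/source.conf" <<'EOF'
IPTABLES="iptable_nat ipt_conntrack ip_conntrack ip_conntrack_ftp ipt_tos ipt_LOG ipt_REDIRECT ipt_MASQUERADE ipt_length ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
EOF
cat > "$demo_dir/destination.conf" <<'EOF'
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
EOF
if ! missing_on_destination "$demo_dir/source.conf" "$demo_dir/destination.conf"; then
    echo "The modules listed above are missing on the destination node" >&2
fi
rm -rf "$demo_dir"
```

To use it on real nodes, pass a copy of the source node's /etc/vz/vz.conf as the first argument and the destination node's file as the second.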
You can also read the following articles:
#746 - How do I enable firewall in a container?
#113056 - Managing iptables modules in containers
#115410 - Unable to set firewall rules inside container