vzcpt and vzrst modules are unloaded from the node

Original Publishing Date:
2022-04-13

Symptoms

vzcpt and vzrst modules are not loaded on a host:

[root@pcs ~]# lsmod | awk '$1=="vzcpt" || $1=="vzrst"'
[root@pcs ~]#

Absence of these modules prevent containers to be migrated successfully in online mode:

122997 Cannot migrate container online: module rst is not loaded

Cause

vzcpt and vzrst modules are responsible for container checkpointing and restoring. In order to be able to checkpoint container on one server and resume on another it is tightly working with various iptables modules:

[root@pcs ~]# lsmod | awk '$4~/vzcpt/ || $4~/vzrst/'
vzcpt                 152124  3 vzrst,vzcptpram,vzfs
nf_nat                 23730  2 vzrst,iptable_nat
nf_conntrack           81301  6 xt_conntrack,vzrst,vzcpt,iptable_nat,nf_nat,nf_conntrack_ipv4
nfs                   444631  3 vzrst,vzcpt,pio_nfs
lockd                  76070  2 vzrst,nfs
vzmon                  24311  28 vzrst,vzcpt,vzredir,vznetdev,vzlist,vzstat
ipv6                  339765  1784 vzrst,vzcpt,ip6table_mangle,ip6_vzprivnet,ip6_vzredir
[root@pcs ~]#

During iptables service restart modules are re-loaded, i.e. server unloads modules and loads them back. Due to the modules dependencies vzrst and vzcpt are also unloaded, but not loaded back because iptables service is not aware of them:

[root@pcs ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: mangle raw filte[  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:  iptable_filter iptable_filter[FAILED]es
iptables: Applying firewall rules:                         [  OK  ]

[root@pcs ~]# lsmod | egrep '^nf_nat|^nf_conntrack|^nfs|^lockd|^vzmon|^ipv6'
nf_conntrack_ipv4       9938  2
nf_conntrack           81301  2 xt_conntrack,nf_conntrack_ipv4
nfs                   444631  1 pio_nfs
lockd                  76070  1 nfs
nfs_acl                 2655  1 nfs
vzmon                  24311  26 vzredir,vznetdev,vzlist,vzstat
ipv6                  339765  1792 ip6table_mangle,ip6_vzprivnet,ip6_vzredir

[root@pcs ~]# lsmod | egrep 'vzcpt|vzrsst'
[root@pcs ~]#

This issue was recognized as a product bug with internal ID #PSBM-32793.

Resolution

Issue will be permanently fixed in one of the future updates. To load Virtuozzo-related modules back, initiate vz service:

[root@pcs ~]# service vz init

In order to prevent kernel modules to be unloaded during iptables restart, it is possible to adjust its configuration file:

[root@pcs ~]# echo IPTABLES_MODULES_UNLOAD=no >> /etc/sysconfig/iptables-config