Article ID: 119187, created on Dec 16, 2013, last review on May 11, 2014

  • Applies to:
  • Virtuozzo 6.0


  • PCS node is a member of a Parallels Cloud Storage cluster.
  • High Availability is enabled for the node.
  • Parallels Cloud Storage Update 5 (SP1) is installed (6.0.5-1771).
  • It is not possible to ping any host from the PCS node: ping results in Operation not permitted error message.
  • The node is marked as crashed by shaman:

    11-11-13 18:12:41.702 shaman: Detected node md.e32b5c43ebbd4385 CRASH


The issue is recognized as a product bug with internal ID PSBM-24167.

Wrong MDS ports are indicated in the configuration of WDOG_CHAIN in iptables, making the node unavailable in the cluster, when netfilter watchdog action is triggered:

[root@pcs ~] iptables -nvL

Chain WDOG_CHAIN_IN (1 references)
target     prot opt source               destination
ACCEPT     tcp  --             tcp dpt:22
ACCEPT     tcp  --             tcp dpt:40000
ACCEPT     tcp  --             tcp dpt:40001
ACCEPT     tcp  --             tcp dpt:47109
DROP       all  --  

Chain WDOG_CHAIN_OUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --             tcp spt:22
ACCEPT     tcp  --             tcp spt:40000
ACCEPT     tcp  --             tcp spt:40001
ACCEPT     tcp  --             tcp spt:47109
DROP       all  --  


Apply the following patch on all servers in the cluster and restart the service shamand (or reboot the node):

[root@pcs-3rdline-3 ~]# diff /usr/share/shaman/init_wdog /tmp/init_wdog.fixed -u
--- /usr/share/shaman/init_wdog 2013-11-29 20:17:07.000000000 +0400
+++ /tmp/init_wdog.fixed        2013-12-16 22:56:53.719629533 +0400
@@ -20,11 +20,11 @@
 /sbin/iptables -A WDOG_CHAIN_OUT -p tcp --sport ssh -j ACCEPT

 # mdsd
-/sbin/iptables -A WDOG_CHAIN_IN -p tcp --dport 40000 -j ACCEPT
-/sbin/iptables -A WDOG_CHAIN_OUT -p tcp --sport 40000 -j ACCEPT
+/sbin/iptables -A WDOG_CHAIN_IN -p tcp --dport 2510 -j ACCEPT
+/sbin/iptables -A WDOG_CHAIN_OUT -p tcp --sport 2510 -j ACCEPT

-/sbin/iptables -A WDOG_CHAIN_IN -p tcp --dport 40001 -j ACCEPT
-/sbin/iptables -A WDOG_CHAIN_OUT -p tcp --sport 40001 -j ACCEPT
+/sbin/iptables -A WDOG_CHAIN_IN -p tcp --dport 2511 -j ACCEPT
+/sbin/iptables -A WDOG_CHAIN_OUT -p tcp --sport 2511 -j ACCEPT

 # csd
 /sbin/iptables -A WDOG_CHAIN_IN -p tcp --dport 47109 -j ACCEPT

Note: This solution assumes that MDS service is listening on default ports in the cluster. If the ports were changed manually, replace 2510 and 2511 with the necessary ones.

After that, when the node gets marked as crashed, it will be rebooted automatically by shaman service.

Search Words

operation not permitted

c62e8726973f80975db0531f1ed5c6a2 2897d76d56d2010f4e3a28f864d69223 0dd5b9380c7d4884d77587f3eb0fa8ef

Email subscription for changes to this article
Save as PDF