A container migration attempt fails with the following errors:
vztar : /bin/vztar: -: Cannot write: Connection reset by peer vztar : /bin/vztar: Error is not recoverable: exiting now /bin/vztar exited with code 2
1391783367: Copy private area '/vz/private/1017' 1391783367: write() : Broken pipe 1391783367: vzsock_send() return 5 1391783367: Can't move/copy CT#101 -> CT#101, ,  : vzsock_send() return 5
The container has a large amount of inodes inside.
The allowed SSH or TCP inactivity period is insufficient and doesn't allow the migration to complete.
Enable SSH client keep-alive probes on the source server:
# grep Alive /etc/ssh/ssh_config ServerAliveInterval 100 ServerAliveCountMax 100
Sometimes TCP keep-alive settings should be adjusted on both source and destination nodes too.
tcp_keep-alive_time should be the same on both nodes, and it should be less than TCP timeout configured on the Hardware Firewall. This will instruct the nodes to start keep-alive communication before Hardware Firewall timeout.
For example, if the Hardware Firewall is configured with 10 minutes TCP timeout, send the keep-alive probes every 9 minutes:
[root@vz ~]# echo 540 > /proc/sys/net/ipv4/tcp_keepalive_time
To increase the keep-alive duration:
[root@vz ~]# echo 100 > /proc/sys/net/ipv4/tcp_keepalive_probes [root@vz ~]# echo 100 > /proc/sys/net/ipv4/tcp_keepalive_intvl
The value of
tcp_keepalive_probes should be chosen depending on the application needs. 100 keep-alive packets with 100 seconds interval will result in more than two and a half hours of a live connection, which should be sufficient for most cases.
/etc/sysctl.conf to make these changes permanent.
net.ipv4.tcp_keepalive_time = 540 net.ipv4.tcp_keepalive_probes = 100 net.ipv4.tcp_keepalive_intvl = 100
Note: the default keep-alive values are:
# cat /proc/sys/net/ipv4/tcp_keepalive_time 7200 # cat /proc/sys/net/ipv4/tcp_keepalive_intvl 75 # cat /proc/sys/net/ipv4/tcp_keepalive_probes 9