We are test bedding some dual octacore, 64GB servers for webhosting cPanel.

Due to how much SSD disk/memory and CPU we have on these servers we really want to go for density.

Things seem pretty stable at 2048 IPs on the server however as we approach adding 4096 IP's the server (gets us to a nice 80% resource utilization) we start having network issues where we lose all network connectivity to the server until we "service iptables restart"

We are also running CSF on the boxes.

Is there some limit in Centos by default that limits how many interfaces or rules can be used and if so, can that limit be raised by adjusting sysctl parameters?

I know your first thought will be "this seems ludicrous, why would you do it" but at this point I'm rather intrigued why a box of this configuration with x64 Centos would be crapping out?

Thank you =)

Ah, the web-based management panel provider that allowed hundreds of servers running cPanel to get compromised...


How are you adding them?


What are the symptoms?
Have you tried modprobing all related modules with debugging enabled?
And if you're really interested in analyzing this properly: have you tried a debug kernel?

If you're not a careless sysadmin, cPanel is not a problem... It's the "kiddie hosts" with a dollar and a dream that make up the bulk of the issues

I have not gone so far as to use a debug kernel yet... IP's are added using cPanel's interface which ties them into its "ipaliases" daemon (read: range files/etc don't work with cPanel)

My presumption is, I'm hitting a resource/system limit (think Openvz... my servers are NOT running Openvz - just to clarify) and as a result the firewall just stops passing all traffic through it

I will be the first to admit, on the debug side of Linux, my chops are pretty weak... It's only out of curiosity and failed repetitive online lurking that I've opened this thread

By all means, this is not a "fix my problem" thread, rather, help me understand.

Thank you

Completely off-topic but I was referring to their recent security incident: http://forum.whmcs.com/showthread.ph...mised&p=296646.


It's the same way you (should) look at log files first when trying to troubleshoot user land service problems. If 'dmesg' output doesn't show any clues or leads, and if the kernel or kernel modules don't provide switches to increase verbosity (run 'modinfo' on for example your network device related LKMs should show) then running a debug kernel (obviously not on a production machine) would be the first thing to do IMHO.