divB's questions

I have an SSL connection to a server (owner-api.teslamotors.com) that hangs with wget, curl or openssl s_client. I am showing the curl version as it gives the most debug messages:

# curl -iv https://owner-api.teslamotors.com 
*   Trying 18.203.70.200:443...
* Connected to owner-api.teslamotors.com (18.203.70.200) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs

There it hangs after ClientHello. TCP connection establishes successfully (also confirmed with telnet/nc). Other network connection including any SSL connection I have tried works. Except owner-api.teslamotors.com:443.

I found this posting talking about MTU and it sounded far fetched. But I reduced the server MTU and it worked! It works with any MTU <= 1420.

The server connects using Ethernet (MTU 1500) to a Mikrotik router and from there the connection goes through a WireGuard tunnel (MTU 1420). I am aware that this may not be optimal as any IP packet from the server >1420 will need to be fragmented. However, this is agnostic of any L4 protocol. SSL over TCP should not care about fragmentation and MTU. Yet, this host does.

I ran a packet capture on the Mikrotik box and the traffic does not list anything abnormal to me:

The typical TCP handshake Num 1-3, then ClientHello (Num 4-5) and ServerHello (Num 6-7). No packet size comes close to the MTU and no other ICMP messages that would indicate issues with fragmentation etc.

Per comment, here is the tracepath output:

# tracepath owner-api.teslamotors.com
 1?: [LOCALHOST]                      pmtu 1500
 1:  XX.XX.56.210                                          0.410ms 
 1:  XX.XX.56.210                                          0.198ms 
 2:  XX.XX.56.210                                          0.138ms pmtu 1420
 2:  XX.XX.56.185                                        151.394ms 
 3:  no reply
 4:  100.100.200.1                                       157.220ms 
 5:  10.75.0.193                                         154.068ms 
 6:  10.75.2.53                                          161.950ms asymm  7 
 7:  decix1.amazon.com                                   152.107ms asymm  8 
 8:  decix2.amazon.com                                   153.068ms 
 9:  no reply
 [...]

I am really lost what the heck is going on here.

Why does this one SSL connection fail?

I have set up Intel ME (v11.8.92) and use MeshCommander for access.

The remote deskop (KVM) works well, as long as I have an external monitor connected in the VGA port. But if I disconnect the external monitor (also with a power cycle), the KVM screen remains black. Sometimes I get a single blinking dash at the very beginning (where there should be the BIOS).

Is this normal? And is there a setting to enable KVM regardless of whether external display is connected?

Is there any solution to not only proxy NTLM but to convert HTTP Basic Auth on the input side to NTLM on the output side?

Background: An internal SharePoint server using NTLM Auth should be accessible via an Apache reverse proxy. The problem is NTLM is stateful and mod_proxy can’t deal with it. Now Apache with mod_proxy could just provide Basic Auth (and authenticate via a passwd file or similar) and proxy to another internal Basic-Auth-to-NTLM translator. This just reads our http Auth credentials and passes them to SharePoint server.

Given a public /24 prefix, announced via BGP, 192.0.2.0/24. I have split this prefix into various smaller networks. I would like to use 1-2 servers for the DNS server (forward and reverse) which needs a static IP. Since this IP needs to go as NS record into the parent zone, changing IP is not simple (and requires support of the admin of 2.0.192.in-addr.arpa).

The various networks are connected to each other via p2p links/tunnels and OSPF. One such network is 192.0.2.208/28 and I would like to use 192.0.2.212 as DNS server. The DNS server will be a virtual machine and I would like to have the flexibility to move it to another network at a different location, say 192.0.2.234 in 192.0.2.232/29. Normally this requires not only changing the IP but also coordinating with the owner of 2.0.192.in-addr.arpa on the NS record update.

I was thinking of picking a /32 address from the prefix, say 192.0.2.255/32. This address could then be assigned to a dummy device or as a second IP. But unless the DNS server becomes a router (and/or runs OSPF too) I need to deal with static routing which sounds like a hassle too.

What is the best solution for this scenario? Nearly any other service can be addresses via DNS, so the IP itself is not as critical. But for a DNS server it is.

I have an APC Rack PDU (AP7920) and a Lantronix ETS16P RS232 terminal server. I would like to connect the RackPDU directly to the Lantronix. The RackPDU has a serial RJ12 connector and the Lantronix a serial RJ45 connector. I found pinouts for RackPDU and Lantronix.

This is the connection I came up with:

However, after crimping the cable, the connection did not work (regardless how much I was typing in the Lantronix, there was no response from the APC).

Is this the right connection? Do I miss anything?

Are the TX- and RX- indeed GND?

Suppose the following network layout:

                         R1:                                   R2:
10.1.1.0/24 <--- 10.1.1.1, 192.168.1.1 <----------> 192.168.1.2, 10.1.2.1 ---> 10.1.2.0/24 

BIRD is installed on both R1 and R2. All information about the network topology is automatically given. It was my understanding that BIRD would automatically redistribute this information so that all stations can connect. But it does not seem as straight forward: R1 and R2 both automatically create "dynamic" routes for their respective subnets but they do not get handled automatically.

The device protocol does not import/export routes. The docs say about the direct protocol:

[...] Although there are some use cases that use the direct protocol (like abusing eBGP as an IGP routing protocol), in most cases it is not needed to have these device routes in BIRD routing table and to use the direct protocol. [...]

I thought the kernel protocol would automatically import these routes because they are part of the kernel routing table. But the documentation states:

Unfortunately, there is one thing that makes the routing table synchronization a bit more complicated. In the kernel routing table there are also device routes for directly connected networks. These routes are usually managed by OS itself (as a part of IP address configuration) and we don't want to touch that. They are completely ignored during the scan of the kernel tables and also the export of device routes from BIRD tables to kernel routing tables is restricted to prevent accidental interference.

So nobody (no protocol) wants to be responsible for distributing the very routes which would make the two networks connect. What's left is static but they I would need to recreate the whole connectivity of a router in the bird config file, something I thought OSPF over BIRD would do for me. Is this what I am supposed to do?

How should the config files for R1 and R2 look like?

router id 192.168.1.1;
protocol device {
  scan time 10;
}
protocol direct {
  interface "*"; # should I use this?
}
protocol kernel {
  learn;
  export all;
  import all;
  device routes true; # OR SHALL I USE THIS?
}
# I would like to avoid doing this:
#protocol static {
#  export all;
#  route 10.1.1.0/24 via 192.168.1.1;
#}
protocol ospf {
  import all;
  export all;
  area 0 {
    interface "eth0", "eth1" {
      cost 10; hello 10; transmit 2; wait 5; dead 40;
      type broadcast;
      authentication cryptographic;
      password "1234567890";
    };
  };
}

And:

router id 192.168.1.2;
protocol device {
  scan time 10;
}
protocol direct {
  interface "*"; # should I use this?
}
protocol kernel {
  learn;
  export all;
  import all;
  device routes true; # OR SHALL I USE THIS?
}
# I would like to avoid doing this:
#protocol static {
#  export all;
#  route 10.1.2.0/24 via 192.168.1.2;
#}
protocol ospf {
  import all;
  export all;
  area 0 {
    interface "eth0", "eth1" {
      cost 10; hello 10; transmit 2; wait 5; dead 40;
      type broadcast;
      authentication cryptographic;
      password "1234567890";
    };
  };
}

I have a simple ipip tunnel between 192.168.56.254/31 and 192.168.56.255/31.

My simple test config on 192.168.56.254/31 looks like:

protocol ospf test
{
        import none;
        export none;

        area 0.0.0.0 {
                interface "ipip-tun" {
                        cost 5;
                        type ptp;
                        authentication none;
                        neighbors {
                                192.168.56.255;
                        };
                };
        };
}

192.168.56.255/31 is a Mikrotik router. Both instances can't see themselves.

In tcpdump on 192.168.56.254/31, I see:

08:26:11.634115 IP 192.168.56.254 > 224.0.0.5: OSPFv2, Hello, length 44
08:26:11.990261 IP 192.168.56.255 > 224.0.0.5: OSPFv2, Hello, length 44

In the packet sniffer on the Mikrotik device I can see the transmitted packages (also to the multicast address) but no received one.

It confuses me that even the ptp mode uses multicast. Is this normal? If yes, are any configurations for the ipip tunnel required to make multicast work?

How can I switch the outlets of an APC Rack PDU (AP7920) via SNMP (Linux SNMP command tools like snmpget/snmpset) ?

I can't find anything about it.

I was able to walk it via:

snmpwalk -v3 -a MD5 -A xxxxxxxxxxxxxx -u switch -x DES -X xxxxxxxxxxxxxx 192.168.1.1

but not to switch an outlet.

In Debian with systemd, I use zfs and lxc. My zfs datasets are encrypted and their keys can be loaded from a network host via my /etc/zfs/zfs-load-key.sh script. My LXC containers are started by lxc.service.

Loading the keys requires the network up and running (otherwise I get the error "no route to host") but lxc.service requires the keys to be loaded.

Sounds trivial, but isn't. I created this file /etc/systemd/system/[email protected]:

[Unit]
Description=Load %I encryption keys from network host
DefaultDependencies=no
Before=zfs-mount.service lxc.service
After=zfs-import.target network-online.target
Requires=zfs-import.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/zfs/zfs-load-key.sh %I

[Install]
WantedBy=zfs-mount.service lxc.service

and enabled them via:

systemctl enable [email protected]
systemctl enable [email protected]

For for some reason, my LXC containers do not start because the keys were not yet loaded, ALTHOUGH I have Before=... lxc.service!

Why does this service not run at the right time, i.e. after the network is up and before lxc?

How to fix it?

I have an APC Rack PDU (AP7920) and have configured:

• [x] Enable SNMPv3 access
• Username: switch
• Authentication Passphrase: test
• Privacy Passphrase: test
• Authentication Protocol: (o) MD5
• Privacy Protocol: (o) DES
• Access Control: [x] Enable, Username: switch, NMS IP/Host Name: 0.0.0.0

Now when I execute snmpwalk I get:

# snmpwalk -v3 -a MD5 -A test -u switch -x DES -X test 192.168.1.1
snmpwalk: Decryption error

What am I doing wrong?

My goal is to switch outlets via SNMP

I have an APC Rack PDU AP7920 (hardware revision B2, manufactured 07/21/2012). When I log in via telnet I get:

American Power Conversion               Network Management Card AOS      v3.3.4                                          
(c) Copyright 2005 All Rights Reserved  Rack PDU APP                     v3.3.3     

I would like to upgrade the firmware. On the APC website, I found two options (they are very hidden for some reason): apc_hw02_aos390_rpdu374.exe and apc_hw02_aos392_rpdu392.exe (i.e., v3.9.0/3.7.4 and 3.9.2/3.9.2).

After executing go.bat and entering correct IP address, username and password, I get for both:

Checking network connection ...  ERROR!!! Login unsuccessful.

That's definitely not true: IP and login details are 100% correct. How can I upgrade this?

I have a Smart-UPS 1500RM in a remote location with two battery packs.

In order to maximize the lifetime of the battery packs, is it better to

• Use one pack until it dies and then hope that the other one is still good

• Switch between the two packs in an interval of 6-12 months?

I have a 42HE 19” server rack which houses a bunch of equipment (UPS, PDU, server, network, ...). It has wheels so it’s easy to move and it stands on a concrete floor.

The rack is out of metal and obviously the casings of the equipment are connected to the rack which acts as “earth”.

The entire rack is connected with power supply via a simple 19” extension/distribution. Some equipment (e.g. monitor) is directly connected to this distribution.

Important equipment (server, router, switch, DSL) is connected via an APC Rack-PDU and APC Smart-UPS 1500RM.

This implies the whole rack is connected to earth via the one cable. Since the rack has wheels (and is meant to be moved) this sounds right.

Is this correct or do I need additional grounding? (I think this potentially could create ground loops).

Is there anything in terms of grounding that should be taken care of with such an installation?

Interestingly there is no word in the manual and nothing to be found on the internet. But it seems like an obvious question:

While a UPS (let’s use APC Smart-UPS 1500RM as an example) drives equipment/server, is it safe to disconnect the mains power cable?

Which implications does this action have?

I have done this in the past and did not have issues. However, it does not feel right because that would interrupt earth connection as well. How come then, that the manual contains lots of obvious warnings but does not explicitly warn against disconnecting during operation?

I have a VPN tunnel to an OpenVPN server. The VPN is a Sophos VPN which uses OpenVPN under the hood. I do not know the server configuration nor can I change the server config. My tunnel endpoint is tun on Win 10 (OpenVPN 2.4.8) and its config looks looks like:

ip-win32 dynamic
client
dev tun
proto tcp
verify-x509-name "[...]"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
dev-node "OpenVPN"
pull-filter ignore redirect-gateway
route 192.168.20.0 255.255.255.0 vpn_gateway 3
<ca>
[...]
</ca>
<cert>
[...]
</cert>
<key>
[...]
</key>
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
remote [...] 8443

Now I have the issue that an SSH connection through the tunnel hangs at debug1: SSH2_MSG_KEXINIT sent (this is WSL ssh):

$ ssh -vvvv 192.168.20.147
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.20.147" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.20.147 [192.168.20.147] port 22.
debug1: Connection established.
[...]
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
[...]
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent

I capture the session with wireshark and see that I get "TCP Previous segment lost":

No.     Time        Source                Destination           Protocol Info
      4 2.933875    10.81.234.15          192.168.20.147        TCP      54013 > ssh [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=8
      5 3.305435    192.168.20.147        10.81.234.15          TCP      ssh > 54013 [SYN, ACK] Seq=0 Ack=1 Win=64480 Len=0 MSS=1240 WS=9
      6 3.305511    10.81.234.15          192.168.20.147        TCP      54013 > ssh [ACK] Seq=1 Ack=1 Win=65536 Len=0
      7 3.317162    10.81.234.15          192.168.20.147        SSHv2    Client Protocol: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r
      8 3.335238    192.168.20.147        10.81.234.15          SSHv2    Server Protocol: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r
      9 3.339937    10.81.234.15          192.168.20.147        TCP      [TCP segment of a reassembled PDU]
     10 3.339948    10.81.234.15          192.168.20.147        SSHv2    Client: Key Exchange Init
     11 3.635978    192.168.20.147        10.81.234.15          TCP      ssh > 54013 [ACK] Seq=42 Ack=42 Win=64512 Len=0
     12 3.947955    192.168.20.147        10.81.234.15          TCP      [TCP Previous segment lost] ssh > 54013 [ACK] Seq=1122 Ack=1402 Win=64512 Len=0

I think this could be related to MTU so I played around setting the MTU on the SSH server and the OpenVPN client endpoint (various values from the default 1500 down to <1000). No changes.

I also tried using ping -f -l PKTSIZE 192.168.20.147 and the interesting part is that ping succeeds until PKTSIZE=71 and for PKTSIZE > 71 I get "Request timed out".

Note: On a different computer with the Sophos VPN Endpoint client but otherwise the same network, everything works as expected.

I have 2x3TB disks with GPT and a zpool with uses a 2.7TB partition on the first disk (sda4) and 1TB on the second disk (sdb4).

Reason is that initially both disks were just 1TB and I sequentially replaced both of them with 3TB. But during the time I had 1x1TB and 1x3TB I used the remainder of the 3TB for a different partition which I want to delete now.

I use the latest ZFS on Linux (0.6.5.7-8-wheezy). What is the correct way to resize the pool to the full 2.7TB?

autoresize is currently off. This is the current output of lsblk and zpool status:

# lsblk
NAME    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda       8:0    0   2,7T  0 disk
├─sda1    8:1    0     1M  0 part
├─sda2    8:2    0  14,5G  0 part
│ └─md0   9:0    0  14,5G  0 raid1 /
├─sda3    8:3    0   4,2G  0 part
│ └─md2   9:2    0   4,2G  0 raid1 [SWAP]
└─sda4    8:4    0   2,7T  0 part
sdb       8:16   0   2,7T  0 disk
├─sdb1    8:17   0     1M  0 part
├─sdb2    8:18   0  14,5G  0 part
│ └─md0   9:0    0  14,5G  0 raid1 /
├─sdb3    8:19   0   4,2G  0 part
│ └─md2   9:2    0   4,2G  0 raid1 [SWAP]
├─sdb4    8:20   0 912,9G  0 part
└─sdb5    8:21   0   1,8T  0 part

# zpool status
  pool: zpradix1imain
 state: ONLINE
status: Some supported features are not enabled on the pool. The pool can
        still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
        the pool may no longer be accessible by software that does not support
        the features. See zpool-features(5) for details.
  scan: resilvered 687G in 6h2m with 0 errors on Fri Dec 26 18:39:27 2014
config:

        NAME                                                STATE     READ WRITE CKSUM
        zpradix1imain                                       ONLINE       0     0     0
          mirror-0                                          ONLINE       0     0     0
            ata-WDC_WD30EZRZ-00WN9B0_WD-WCC4E7CL5U9D-part4  ONLINE       0     0     0
            ata-WDC_WD30EZRX-00D8PB0_WD-WMC4N0E6K1AW-part4  ONLINE       0     0     0

As a first step, I would delete sdb5 and resize sdb4 (via gdisk) to 2.7TB and rescanning the partition table (both disks would have identical partition layout then).

But then?

My setup is that ownCloud runs on an internal server at 192.168.200.1. At 43.23.104.153 there is a public apache with mod_proxy that forwards the requests to the internal server:

ProxyPass /edward https://192.168.200.1/owncloud/
ProxyPassReverse /edward https://192.168.200.1/owncloud/

owncloud is configured according to the manual for reverse proxy support:

$CONFIG = array (
  [...]
  'trusted_domains' =>.
  array (
    0 => '192.168.200.1',
  ),
#  'trusted_proxies' => [ '43.23.104.153'],
  'overwritehost' => 'external.tld',
  'overwritewebroot' => '/edward',
);

I can access the site internally without any problems from https://192.168.200.1/owncloud.

But when I navigate to https://external.tld/edward, after the login I get an Internal Server Error. The log file contains:

{"reqId":"d5K1uNLeJyGSC8LUQXgM","remoteAddr":"43.23.104.153","app":"index","message":"Exception: {\"Exception\":\"Exception\",\"Message\":\"The requested uri(\\\/owncloud
\\\/index.php\\\/apps\\\/files\\\/) cannot be processed by the script '\\\/owncloud\\\/\\\/index.php')\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/lib\\\/ba
se.php(837): OC\\\\AppFramework\\\\Http\\\\Request->getRawPathInfo()\\n#1 \\\/var\\\/www\\\/owncloud\\\/index.php(39): OC::handleRequest()\\n#2 {main}\",\"File\":\"\\\/va
r\\\/www\\\/owncloud\\\/lib\\\/private\\\/appframework\\\/http\\\/request.php\",\"Line   \":621}","level":3,"time":"2016-04-28T10:07:16+00:00","method":"GET","url":"\/edward
\/index.php\/apps\/files\/","user":"1f75fef2-7ab7-102e-95c7-3929d8475818"}

I'm totally out of ideas. What is wrong here?

With Routerboard 450G I want to configure the 5 Ethernet ports as follows:

• ether1: vlan3, untagged
• ether2: vlan1, untagged
• ether3: vlan2, untagged
• ether4: vlan2, untagged
• ether5: vlan1-vlan3, tagged

Within vlan1, the device should have IP 10.7.1.3/24.

However, when I want to ping the Routerboard it is not reachable. I configured the device the following way:

1. Include ether1 in switching:

/interface ethernet switch print
Flags: I - invalid
 #   NAME                                    TYPE          MIRROR-SOURCE                                  MIRROR-TARGET                                  SWITCH-ALL-PORTS
 0   switch1                                 Atheros-8316  none                                           none                                           yes

2. Switch all ports together:

/interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME                                      MTU MAC-ADDRESS       ARP        MASTER-PORT                                    SWITCH
 0 R  ether1                                   1500 E4:8D:8C:18:D5:A1 enabled    none                                           switch1
 1  S ether2                                   1500 E4:8D:8C:18:D5:A2 enabled    ether1                                         switch1
 2  S ether3                                   1500 E4:8D:8C:18:D5:A3 enabled    ether1                                         switch1
 3  S ether4                                   1500 E4:8D:8C:18:D5:A4 enabled    ether1                                         switch1
 4 RS ether5                                   1500 E4:8D:8C:18:D5:A5 enabled    ether1                                         switch1

3. Configure ports 1-4 to remove VLAN tags and port 5 to add them; set default VLAN IDs:

/interface ethernet switch port print
Flags: I - invalid
 #   NAME                                                         SWITCH                                                         VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1                                                       switch1                                                        secure    always-strip                 3
 1   ether2                                                       switch1                                                        secure    always-strip                 1
 2   ether3                                                       switch1                                                        secure    always-strip                 2
 3   ether4                                                       switch1                                                        secure    always-strip                 2
 4   ether5                                                       switch1                                                        secure    add-if-missing               0
 5   switch1-cpu                                                  switch1                                                        fallback  leave-as-is                  0

4. Wire the VLANs together. As can be seen, ether2 and ether5 are connected through vlan1:

/interface ethernet switch vlan print
Flags: X - disabled, I - invalid
 #   SWITCH                                                                         VLAN-ID PORTS
 0   switch1                                                                              3 ether1
                                                                                            ether5
 1   switch1                                                                              1 ether2
                                                                                            ether5
 2   switch1                                                                              2 ether3
                                                                                            ether4
                                                                                            ether5

5. Finally, add IP address to ether2:

/ip addr print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.7.1.3/24        10.7.1.0        ether2

Port 5 is directly connected to a managed switch which outputs vlan1-vlan3 tagged. The Routerboard cannot be pinged.

Do I miss something in the configuration or do I understand the concept wrong? (To my understanding, it would be sufficient to add the IP to ether2, because it is switched to vlan1 on ether5)

Does ZFS on Linux already support Encryption? If not, is it planned?

I found tons of info for ZFS+LUKS but that's absolutely uninteresting: I want ZFS encryption so that I can do replication using zfs send to an "untrusted" backup server. I.e., zfs send fragments should be encrypted.

If ZoL does not support encryption, is there a more elegant way other than creating zVols and using LUKS+EXT on top of it (loosing many ZFS advantages)?

I have a Debian squeeze kernel (linux-image-2.6.32-5-openvz-amd64) which according to the Doku should support cgroups. When I look into the kernel configuration, it does (or is some other kernel configuration required?)

# zgrep -i cgroup /boot/config-2.6.32-5-openvz-amd64
# CONFIG_CGROUP_SCHED is not set
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_CGROUP_DEVICE=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_NET_CLS_CGROUP=y

Also, according to http://wiki.debian.org/LXC, a kernel parameter cgroup_enable=memory might be necessary. I started the kernel with it:

# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-openvz-amd64 root=UUID=6332fe39-7eaa-4519-b6c1-e05808284586 ro cgroup_enable=memory quiet console=ttyS0,57600n8

However, the system still has no cgroup support! The cgroup file system cannot be mounted as the file system type is not even known to the system:

# mount -t cgroup none /cgroup
mount: unknown filesystem type 'cgroup'

and:

# grep -i cgroup /proc/filesystems
#

So there is either a bug or I miss something. Can anyone tell me what? Is there a kernel parameter missing? A kernel configuration?