%include "default.mgp"
#%pcache
#%pcache 1 1 0 1
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%leftfill, size 2, fore "black", back "white", font "thick", bimage "background.jpg" 1024x768
%center, size 7, vgap 30
Running Vservers on Debian
%size 2, bar "brown" 5, vgap 30
%right, size 4, font "standard"
by Bart Trojanowski
bart@jukie.net
%center, size 2
%image "linux-logo.png"
April OCLUG tutorial
2005-04-28
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% http://linux.slashdot.org/article.pl?sid=04/12/02/2238253&tid=185&tid=223&tid=110&tid=106
%page
Overview

	Virtualization techniques
	What is a Vserver
	Simple Demo
	Installing
	Tips and Tricks
	Q & A
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Virtualization Techniques

	CPU emulation
	CPU virtualization
	User-mode kernel
	Process separation
	Microkernels & hypervisors
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... CPU Emulation

	What is it?
		"processor run-time simulation down to each register"
		transparent to client software
		very low performance
		very portable as there is no host dependency
		can simulate non-existent hardware
%pause
	Examples:
		QEMU
		bochs
		PearPC
		VirtualPC (Mac version)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... CPU Virtualization

	What is it?
		"client OS is fooled into thinking it's in charge"
		virtualization support from the processor
		transparent to client software
		privileged operations are captured and emulated
		most non-IO code is executed w/o penalty
%pause
	Examples:
		VMWare
		VirtualPC (Windows version)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... User Mode Kernels

	What is it?
		"port of the kernel to the POSIX API"
		executes a client kernel in a user space process
		client OS drivers emulate access to hardware through host OS APIs
		transparent to client user space software
%pause
	Examples:
		User Mode Linux
		CoLinux
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Process separation

	What is it?
		"hide processes from each other"
		multiple execution contexts for user space processes
		contexts are restricted in CPU, network and disk usage
		almost zero overhead on process execution
%pause
	Examples:
		vserver (linux 2.4 & 2.6)
		jails (BSD)
		Virtuozzo (commercial product for Linux & Windows)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Microkernels & Hypervisors

	What is it?
		referred to as paravirtualization
		hypervisor -- layer between hardware & client OS
		presents "virtual machines" with a software interface
		software interface is similar to the underlying hardware
		non-transparent -- requires client kernel changes
%pause
	Examples:
		Traditional Microkernels
			Mach
%cont, icon delta3 "black" 40
			L4
%pause
		Microkernels for the sake of virtualization
			Xen
%cont, icon delta3 "black" 40
			IBM zSeries' z/VM & LPAR
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
What is a Vserver

	Why?
	Overview
	Isolation
	Tools
	Unification
	Limitations
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Why would you want a vserver?

	(1) security,
%pause
	(2) portable setup,
%pause
	(3) test an upgrade path,
%pause
	(4) develop in a sandbox.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Overview

	Components
		kernel patch
		vserver tools
	Each client OS...
		can have its own unique root filesystem (via chroot)
		has its own IP address (and privileged ports)
		has its own user/group database (even a unique root account)
		cannot corrupt other client OSes
		cannot see or access other contexts' processes
		cannot break out of a chroot
		cannot create new device nodes
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Process isolation

	File system
		chroot protection for each vserver
		each context can have its own quotas on a filesystem
%pause
	Networking
		contexts are assigned an IP number and a hostname
		only this IP number can be used from the context
%pause
	Processes
		contexts only see processes in their own context
		contexts have private SysV IPC resources
%pause
	Super user capabilities
		'root' of a vserver has limited capabilities
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Tools

	chcontext
		create a new security context
		root of the base context can enter any context
%pause
	chbind
		lock processes to a specific IP on bind() calls
%pause
	reducecap
		allows for reduction of capabilities
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Unification

	Problem
		you have 10 Debian/sarge vservers
		you have 10 clients with similar software requirements
		the majority of the apt-get installed files are identical
%pause
	Solution
		hardlinks are used to remove the duplication
		shared files use the 'immutable' file attribute
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Vserver limitations

	Kernel is shared
		Kernel-aimed attacks can still compromise all systems
		Not good for kernel/driver development/testing
		You may not be able to run certain OS versions together
	Network access is limited
		you have to configure the firewall from the host OS
		you cannot ping, traceroute, or tcpdump
		... but, you can loosen up the security restrictions
	X is a pain
		a lot of configuration, lower security ...
		but, not really a requirement for most servers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Demo

%size 40, center
...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Installing

	Host OS install
	Kernel patch
		Installing using kpkg (2.4)
		Installing from scratch (2.6)
	Configuration
		Host OS
		The first vserver
		Subsequent vservers
		Unification
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Host OS install

	Recommendations
		minimal
		no services, daemons, etc
		except for ssh, and those that fail to run in a vserver (ex: bind)
%pause
	Packages
		ssh daemon and client
		network testing tools
		iptables firewall
		vserver tools package:
%cont, font "code"
 util-vserver
%font "standard"
		debian tools package:
%cont, font "code"
 vserver-debiantools
%cont, font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... linux-2.4 w/vserver using kpkg

	Requirements
%size 4, font "code"
	apt-get install kernel-package fakeroot \\
		build-essential kernel-patch-vserver
%font "standard"
	Building
%size 4, font "code"
	CONF="--rootcmd=fakeroot --append-to-version=-vs1.2.11 --bzimage --subarch i686 --added-patches ctx"
	make-kpkg ${CONF} kernel-image
	make-kpkg ${CONF} modules-image
	make-kpkg ${CONF} kernel-headers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... linux-2.6 w/vserver from a patch

	Requirements
		http://www.13thfloor.at/vserver/d_rel26/v1.9.5/
			get the .diff.bz2 file
		http://kernel.org/pub/linux/kernel/v2.6/
			get a kernel that matches the patch
		apt-get install build-essential gcc-3.4
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... linux-2.6 w/vserver from a patch

	Building
%size 4, font "code"
	cd /usr/src/
	tar xjf ${KERNEL}
	cd linux-2.6.11.5
	bunzip2 -c < ${PATCH} | patch -p1 --dry-run
	bunzip2 -c < ${PATCH} | patch -p1
	export CC=gcc-3.4
	make menuconfig
	make bzImage modules
	make modules_install install
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... linux-2.6 w/vserver from a patch

	Configuration
%size 4, font "code"
	Linux VServer --->
	    [*] Enable Legacy Kernel API
	    [ ] Enable Proc Security
	    [ ] Enable Hard CPU Limits
	    [ ] Persistent Inode Context Tagging
	        ( ) Disabled
	        ( ) UID16/GID32
	        ( ) UID32/GID16
	        (*) UID24/GID24
	        ( ) UID32/GID32
	        ( ) Runtime
	    [ ] Compile Debugging Code
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Host OS configuration

	/etc/vservers.conf
		BACKGROUND=no
	/etc/vservers/util-vserver-vars
		VROOTDIR=/var/lib/vservers
	/etc/newvserver-vars
		ONBOOT=yes
		...
	protecting ${VROOTDIR}
%size 4, font "code"
	chmod 000 ${VROOTDIR}
	chattr +t ${VROOTDIR}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Setting up a new vserver

	on Sarge (vserver-debiantools)
%size 4, font "code"
	newvserver --mirror http://ftp.debian.org \\
		--hostname foo --domain domain \\
		--ip 192.168.0.100
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Setting up a new vserver

	on Woody (debootstrap & util-vserver)
%size 4, font "code"
	mkdir ${VROOTDIR}/bar
	debootstrap woody ${VROOTDIR}/bar \\
		http://ftp.debian.org
	cp /usr/lib/util-vserver/sample.conf \\
		/etc/vservers/bar.conf
	vim /etc/vservers/bar.conf
	chroot ${VROOTDIR}/bar
	tzsetup -y
	dpkg-reconfigure passwd
	rm -f /etc/exim/exim.conf
	eximconfig
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Setting up a new vserver

	Fedora (FC1) on Debian (util-vserver)
%size 4, font "code"
	# put RH9 cd into drive
	mount /dev/cdrom /mnt/cdrom
	/usr/lib/util-vserver/install-fc1 minimum
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... The configuration file

	/etc/vservers/myvserver.conf
%size 4, font "code"
	ONBOOT=yes
	IPROOT=192.168.0.100
	IPROOTDEV=eth0
	S_HOSTNAME=bar.domain
	S_CONTEXT=100
	...
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Cloning vservers

	on Sarge (vserver-debiantools)
%size 4, font "code"
	dupvserver --vsroot ${VROOTDIR} \\
		--from foo --to fiz \\
		--ip 192.168.0.101
%font "standard"
	on Woody (util-vserver)
%size 4, font "code"
	vserver-copy --vsroot ${VROOTDIR} \\
		foo fiz
	vim /etc/vservers/fiz.conf
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... Unification

	vunify (util-vserver)
%size 3, font "code"
	# /usr/lib/util-vserver/vunify /vs/foo /vs/bar -- ALL
	vservers /vs/bar
	Unify pkg adduser-3.63 from /vs/foo to /vs/bar
	Unify pkg apt-0.5.28.1 from /vs/foo to /vs/bar
	Unify pkg bsdmainutils-6.0.17 from /vs/foo to /vs/bar
	Unify pkg debconf-1.4.30.13 from /vs/foo to /vs/bar
	Unify pkg debianutils-2.8.4 from /vs/foo to /vs/bar
	Unify pkg dpkg-1.10.27 from /vs/foo to /vs/bar
	Unify pkg dselect-1.10.27 from /vs/foo to /vs/bar
	Unify pkg hostname-2.13 from /vs/foo to /vs/bar
	Unify pkg liblockfile1-1.06 from /vs/foo to /vs/bar
	Unify pkg netbase-4.21 from /vs/foo to /vs/bar
	Unify pkg tasksel-2.24 from /vs/foo to /vs/bar
	...
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Tips and Tricks

	consider 'testing' for the host OS
		Sarge has better tools for vservers, raid, etc.
	run all public services from vservers
	ssh into vservers, limit use of 'enter'
		apps fail when they don't have control of the terminal
	rebuild bind9 w/o linux capabilities
		otherwise you cannot run it in a vserver
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
... more Tips and Tricks

	bind host daemons to the main IP only
		a vserver's daemon will fail to bind if ctx 0 has already bound that port
	use 'bind' mounts to share data between vservers
%size 3, font "code"
	mount /dev/big_raid_drive /export
	mount -o bind /export/home /vs/one/home
	mount -o bind /export/home /vs/two/home
%font "standard"
		or in /etc/fstab
%size 3, font "code"
	$ cat /etc/fstab
	...
	/dev/big_raid_drive	/export		auto	defaults	0 2
	/export/home		/vs/one/home	auto	bind		0 2
	/export/home		/vs/two/home	auto	bind		0 2
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Vserver References

	Project page
		http://linux-vserver.org/
	Linux Vserver Paper
		http://linux-vserver.org/Linux-VServer-Paper
	S/W that fails to run in vservers
		http://linux-vserver.org/ProblematicPrograms
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Other References

	Additional build scripts
		http://www.marlow.dk/site.php/tech/vserver
	L4 microkernel
		http://l4ka.org/
	Xen
		http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Questions

%size 40, center
?
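The configuration-file slide (/etc/vservers/myvserver.conf with ONBOOT, IPROOT, S_CONTEXT) and the cloning slides (dupvserver, vserver-copy followed by editing the new .conf) leave one thing to the operator: every vserver must end up with its own context id and IP. The following lint pass is an added example, not code from the slides or from the util-vserver / vserver-debiantools packages; it assumes a directory of *.conf files in the key=value format shown on the slide (the real directory would be /etc/vservers, but it is a parameter so it can be run against a scratch copy).

```shell
#!/bin/sh
# Added example: sanity-check per-vserver .conf files without sourcing them.
# Reading the files as plain text (sed) instead of ". file" means a damaged or
# tampered config cannot execute anything on the host while being checked.

conf_value() {   # conf_value FILE KEY -> last value assigned to KEY, quotes stripped
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

check_vserver_confs() {
    dir=$1; status=0; seen_ctx=""; seen_ip=""
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || { echo "no .conf files in $dir" >&2; return 2; }
        name=$(basename "$f" .conf)
        ctx=$(conf_value "$f" S_CONTEXT)
        ip=$(conf_value "$f" IPROOT)
        onboot=$(conf_value "$f" ONBOOT)
        case $onboot in
            yes|no) ;;
            *) echo "$name: ONBOOT must be yes or no (got '$onboot')"; status=1 ;;
        esac
        case $ctx in
            ''|*[!0-9]*) echo "$name: S_CONTEXT must be numeric (got '$ctx')"; status=1; ctx="" ;;
        esac
        case $ip in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "$name: IPROOT is not a dotted-quad address (got '$ip')"; status=1; ip="" ;;
        esac
        # a clone that kept its source's context id or IP is the classic slip:
        # two contexts with one id are not isolated from each other, and two
        # vservers with one IPROOT fight over the same address
        if [ -n "$ctx" ]; then
            case " $seen_ctx " in *" $ctx "*) echo "$name: S_CONTEXT $ctx already used by another vserver"; status=1 ;; esac
            seen_ctx="$seen_ctx $ctx"
        fi
        if [ -n "$ip" ]; then
            case " $seen_ip " in *" $ip "*) echo "$name: IPROOT $ip already used by another vserver"; status=1 ;; esac
            seen_ip="$seen_ip $ip"
        fi
    done
    return $status
}
```

Run it as `check_vserver_confs /etc/vservers` after every newvserver, dupvserver or vserver-copy; a non-zero exit with one line per problem means the new .conf still needs editing.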
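The Unification slides describe the mechanism (identical files across vserver roots replaced by hardlinks, shared files marked immutable) and show vunify's output. The script below is an added example that implements that mechanism in a small, auditable form; it is not the slides' own code nor util-vserver's vunify. It assumes SRC and DST are two vserver roots on the same filesystem (such as /vs/foo and /vs/bar) and that chattr is only effective when run as root on a filesystem that supports the immutable attribute.

```shell
#!/bin/sh
# Added example: minimal unification of two vserver roots.
# Usage: unify_tree SRC DST [apply|dry-run]; prints one line per file handled.
# Only byte-identical files at the same relative path are shared, and the
# shared inode is made immutable so that neither vserver can modify a file
# that is now visible inside both roots.

unify_tree() {
    src=$1; dst=$2; mode=${3:-apply}
    [ -d "$src" ] && [ -d "$dst" ] || { echo "usage: unify_tree SRC DST [apply|dry-run]" >&2; return 2; }
    # relative paths come from find run inside SRC; read -r keeps odd names intact
    (cd "$src" && find . -type f -print) | while IFS= read -r rel; do
        s=$src/$rel; d=$dst/$rel
        [ -f "$d" ] || continue          # DST has no such file: nothing to share
        [ -L "$d" ] && continue          # never replace a symlink in DST
        [ "$s" -ef "$d" ] && continue    # already the same inode
        cmp -s "$s" "$d" || continue     # only byte-identical content is unified
        if [ "$mode" = dry-run ]; then
            echo "would unify $rel"
            continue
        fi
        # an immutable file cannot gain new links, so when SRC's copy was
        # already unified with a third root, drop the bit, link, then restore it
        chattr -i "$s" 2>/dev/null || true
        ln -f "$s" "$d" || { echo "cannot link $rel (different filesystem?)" >&2; continue; }
        # needs root and an ext2/ext3-style filesystem; elsewhere (tmpfs, no
        # chattr) it is skipped and the hardlink itself still holds
        chattr +i "$d" 2>/dev/null || true
        echo "unified $rel"
    done
}
```

The dry-run mode is the check to run first: it lists exactly which files would stop being private to DST, which is where per-vserver configuration such as /etc/hostname must never appear.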