Hi Ed,

Ed W:
> - Assume /ro and /rw, where /ro is a base installation, and /rw contains
> directories /home/ and /var/
> - Desired end result is that /union should become an aufs mount with /ro
> readonly at the bottom, rw/{home,var} writeable and next up, and
> readonly further up.
> - The only writeable dirs on /union are /home and /var
>
> What is the most efficient configuration to achieve this?

If the filesystem types of your ro and rw branches are not special, I'd suggest
using the default configuration. If your branch filesystem is
ramfs (initramfs/rootfs), fuse, or hfsplus, then you need to enable the
corresponding aufs config.


> On a related note, I would be interested to read the vserver example
> which is now a broken link on the aufs website?  Do you perhaps have a
> saved copy somewhere and could restore that (and other?) examples?

Ah, sorry.
I have a plan to update the document, but have left it due to just my
dullness. Here is the document from the aufs1 era. Note that it may need
review and follow-up for the latest version (which I haven't done yet).

J. R. Okajima

----------------------------------------------------------------------
A sample procedure for Linux-VServer and aufs on plain Debian Etch.
Junjiro Okajima

# $Id: linux-vserver.txt,v 1.7 2008/02/18 04:42:22 sfjro Exp $

o Introduction
Linux-Vserver (http://linux-vserver.org) is another solution for
virtualization.
It provides neither hardware emulation, BIOS emulation nor an individual
kernel for virtual machines; instead it provides a Virtual Private
Server (VPS), aka Security Context.
A VPS shares the hardware with the host and the other VPSs and runs on
the host kernel, yet presents an individual virtual server.
The root filesystem of a VPS is a normal directory or mount-point, unlike
QEMU's fs-image file.
If you can accept sharing the whole OS tree among the VPSs and the host,
using aufs is recommended in order to reduce the disk usage for common
system files.

./patch/vserver.patch in aufs was originally written and posted to the ML
by Wilhelm Meier. Additionally, he commented on this document.


o Scenario
- virtual server 1
  Services:     public HTTP only
  IP Address:   192.168.1.101
- virtual server 2
  Services:     public FTP only
  IP Address:   192.168.1.102
- host
  Services:     only SSH for internal administration
  IP Address:   192.168.1.9
  misc:         build /srv/plain for both vs1 and vs2, as an aufs
                readonly branch.
                /srv/plain is the common base dir for vs1 and vs2,
                including package management.
                build /srv/vs[12].rw as the aufs readwrite branches.
                mount /var/lib/vservers/vs[12] as aufs.
                + /var/lib/vservers/vs1 = /srv/vs1.rw + /srv/plain
                + /var/lib/vservers/vs2 = /srv/vs2.rw + /srv/plain


o Prepare the host
- install plain Debian Etch.
- install the necessary packages.
# aptitude install linux-image-2.6.18-5-vserver-686 \
        linux-headers-2.6.18-5-vserver-686 util-vserver debootstrap \
        ssh cvs patch gcc sudo bzip2
- set up sudo with visudo, if necessary.
- make SSH accept connections on the host address only, by editing
  /etc/ssh/sshd_config.
  ListenAddress 192.168.1.9
- configure your boot loader for vmlinuz-2.6.18-5-vserver-686.
- reboot with the kernel vmlinuz-2.6.18-5-vserver-686.


o Install aufs to host
- download aufs source files.

- build and install aufs module.
$ patch -p0 < ./patch/vserver.patch
patching file fs/aufs/vfsub.h
$ make -s -f local.mk
  Building modules, stage 2.

- install aufs module.


o Build the common directory, /srv/plain
- install plain Debian Etch to /srv/plain
$ cd /srv
$ sudo mkdir plain vs1.rw vs2.rw
$ sudo debootstrap etch ./plain http://ftp.debian.org/debian
I: Retrieving Release
I: Retrieving Packages
        :::
I: Base system installed successfully.

- set up the common items
  + vs1 and vs2 must be listed in /etc/hosts.
  + disable some init scripts concerned with hardware management, as
    the vserver-debiantools package does.
  + /srv/plain/etc/hostname is a dummy; it will be overridden by
    /srv/vs[12].rw/etc/hostname later.
  + in this sample, the packages are handled centrally on the host.
  + disable IPv6 in proftpd, if necessary (or even if not).
$ cd /srv/plain
$ sudo cp -p --parents /etc/apt/sources.list /etc/hosts .
$ sudo chroot .
# passwd
# echo plain > /etc/hostname
# tzconfig
        :::
# for link in klogd hwclock.sh setserial urandom networking umountfs halt reboot mountvirtfs mountall.sh mountnfs.sh ifupdown
> do update-rc.d -f $link remove
> done
# aptitude update
# aptitude upgrade
# aptitude install apache2 proftpd
# aptitude clean
# /etc/init.d/proftpd stop
# echo UseIPv6 off >> /etc/proftpd/proftpd.conf
# exit

- customize the apache2 and proftpd services here any way you like. But
  remember, under linux-vserver you need to bind every service to an
  explicit IP address instead of the wildcard (0.0.0.0).


o Build VPS root directory, /var/lib/vservers/vs[12]
- build VPS
$ sudo vserver vs1 build -m skeleton --hostname vs1 --interface eth0:192.168.1.101/24
$ sudo vserver vs2 build -m skeleton --hostname vs2 --interface eth0:192.168.1.102/24

- append these lines to /etc/fstab on host, in order to mount the root
  directory for VPSs automatically at boot time.
none  /var/lib/vservers/vs1      aufs defaults,br:/srv/vs1.rw:/srv/plain 0 0
/home /var/lib/vservers/vs1/home ext3 defaults,bind,ro                   0 0
none  /var/lib/vservers/vs2      aufs defaults,br:/srv/vs2.rw:/srv/plain 0 0
/home /var/lib/vservers/vs2/home ext3 defaults,bind,rw                   0 0

- and mount them
$ sudo mount -a
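The fstab layout above is only sound while /srv/plain stays read-only in every union and each VPS has its own private writable branch; a branch that is writable in one union and a shared base in another, or one vs[12].rw shared by two unions, lets one VPS alter the other's view. The following is an added audit script, not part of the original post or of aufs/util-vserver; it assumes the "br:" syntax shown above, where the first branch is writable by default and the rest read-only unless a branch carries an explicit "=rw"/"=ro"/"=rr" suffix.

```shell
#!/bin/sh
# Added example, not from the original post or from aufs/util-vserver.
# Audit the aufs lines of an fstab: the shared base must stay read-only in
# every union, and each union must own exactly one private writable branch.
# Assumes the aufs "br:" syntax of the post (first branch rw by default,
# later ones ro) with optional "=rw"/"=ro"/"=rr" suffixes per branch.

# Print one "mountpoint branch perm" triple per branch of every aufs line.
aufs_branches() {  # $1 = fstab file
    awk '$1 !~ /^#/ && $3 == "aufs" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] ~ /^br:/) {
            m = split(substr(opt[i], 4), br, ":")
            for (j = 1; j <= m; j++) {
                path = br[j]; perm = (j == 1) ? "rw" : "ro"
                if (split(path, kv, "=") > 1) { path = kv[1]; perm = substr(kv[2], 1, 2) }
                print $2, path, perm
            }
        }
    }' "$1"
}

# Exit 0 when the layout is sound; print one ERROR line per violation and
# exit 1 otherwise.
check_aufs_fstab() {  # $1 = fstab file
    aufs_branches "$1" | awk '
        BEGIN { bad = 0 }
        { mp = $1; br = $2; mps[mp] = 1 }
        $3 == "rw" {
            nrw[mp]++
            if ((br in rwowner) && rwowner[br] != mp) {
                print "ERROR: " br " is writable in both " rwowner[br] " and " mp; bad = 1
            }
            rwowner[br] = mp
        }
        $3 != "rw" { ro[br] = 1 }
        END {
            for (mp in mps) if (nrw[mp] + 0 != 1) {
                print "ERROR: " mp " has " (nrw[mp] + 0) " writable branches, expected 1"; bad = 1
            }
            for (br in rwowner) if (br in ro) {
                print "ERROR: " br " is a read-only base in one union but writable in " rwowner[br]; bad = 1
            }
            exit bad
        }'
}
```

Run it as `check_aufs_fstab /etc/fstab` before `mount -a`; the ext3 bind lines for /home are ignored since they are not aufs unions.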


o Setup VPSs
- set their hostname.

- on vs1,
  + configure apache2 to start automatically.
  + disable proftpd.
$ sudo chroot /var/lib/vservers/vs1
# echo vs1 > /etc/hostname
# echo 'NO_START=0' >> /etc/default/apache2
# echo 'RUN=no' >> /etc/default/proftpd
# exit

- on vs2,
  + configure proftpd to listen on vs2's address only.
$ sudo chroot /var/lib/vservers/vs2
# echo vs2 > /etc/hostname
# echo DefaultAddress vs2 >> /etc/proftpd/proftpd.conf
# exit
$

- start them on boot automatically.
# echo default > /etc/vservers/vs1/apps/init/mark
# echo default > /etc/vservers/vs2/apps/init/mark

- you can set up resource limits, scheduling policy and so on for
  every VPS via /etc/vservers/vs[12].
  cf. http://www.nongnu.org/util-vserver/doc/conf/configuration.html

- you can customize the services here too, but it is more useful to
  centralize all management in /srv/plain.

- it is recommended to centralize all system administration on the
  host, including package management, in order to reduce the disk
  usage for common system files.
  Any file you set up individually becomes independent and is no longer
  affected by the common dir /srv/plain. For example, if you install a
  package on vs1 with a generic package management tool or a
  linux-vserver specific command, all files related to package
  management will be copied up to /srv/vs1.rw. If you then manage
  packages on /srv/plain later, you may confuse yourself.

- reboot your system, the host.


o Test
- check VPSs
$ sudo vserver-stat
CTX   PROC    VSZ    RSS  userTIME   sysTIME    UPTIME NAME
0       34  29.3M   9.9M   0m03s20   0m04s44   0m29s82 root server
49152    6 149.3M  10.5M   0m00s00   0m00s00   0m13s79 vs1
49153    3  12.5M   2.7M   0m00s00   0m00s00   0m13s80 vs2

- check all the services (from another system).
$ for i in 9 101 102
> do
>       j=192.168.1.$i
>       echo $j
>       ssh $j hostname
>       wget http://$j
>       ftp $j
> done
192.168.1.9
[email protected]'s password:
YourHostName
ftp: connect: Connection refused
ftp> ^D
192.168.1.101
ssh: connect to host 192.168.1.101 port 22: Connection refused
16:26:56 URL:http://192.168.1.101/apache2-default/ [44/44] -> "index.html" [1]
ftp: connect: Connection refused
ftp> ^D
192.168.1.102
ssh: connect to host 192.168.1.102 port 22: Connection refused
Connected to 192.168.1.102.
220 ProFTPD 1.3.0 Server (Debian) [192.168.1.102]
Name (192.168.1.102:jro): ^D
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 221 Goodbye.
$


Enjoy!
----------------------------------------------------------------------
