Author: patrys   Date: Fri Jun 27 12:15:30 2008 GMT
Module: PLDWWW   URL: http://pld-linux.org/Vserver?action=diff&rev2=120&rev1=119
---- Log message:


---- Page affected: Vserver

---- Diffs:

================================================================
  
  Linux-VServer is a virtual private server implementation for the Linux kernel
  
+ 
  == Resources ==
+ 
   * [http://linux-vserver.org/ Project homepage]
   * [http://linux-vserver.org/short+presentation short presentation]
   * [http://www.nongnu.org/util-vserver/doc/conf/configuration.html doc of 
configuration items]. you should change the stylesheet in your browser if you 
care for your eyes ;)
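Review bot: the two added blank lines around "== Resources ==" change only whitespace, and the log message for this revision is empty, so nothing records that the revision is mostly spacing cleanup with a few wording fixes mixed in. A one-line log message would make the later content changes easier to find in the page history.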
@@ -14, +16 @@

   * [http://www.gentoo.org/doc/en/vserver-howto.xml Gentoo Linux-VServer 
Howto] you'll need this if you want to setup Gentoo guest vserver
   * [http://linux-vserver.org/index.php?page=Linux-VServer-Paper-08 Field of 
Application paper] reasons why to use vserver.
  
+ 
  == Contents ==
  
  [[TableOfContents]]
+ 
  
  == Installing Vserver host on PLD Linux ==
  
@@ -31, +35 @@

  # poldek -u kernel-sound-{alsa,oss}
  }}}
  
+ 
  == Installing guest PLD Linux Vserver ==
+ 
  
  === Preparing userspace tools ===
  
@@ -53, +59 @@

  {{{
  # /sbin/service vprocunhide start
  }}}
+ 
  
  === Actual guest creation ===
  
@@ -102, +109 @@

  }}}
  
  Note, however, that if you don't run ''plain'' init style you must have at 
least one daemon running inside your guest vserver or it will be shut down 
shortly.
+ 
  
  == Configuring the network ==
  
@@ -126, +134 @@

  # echo 192.168.0.1/24 > /etc/vservers/<vserver-name>/interfaces/0/ip
  }}}
  
+ 
  == Configuring resources ==
  
   * http://linux-vserver.org/Resource+Limits
@@ -139, +148 @@

   * {{{resource.min}}} A file which contains the guaranteed minimum of the 
given resource in the first line. The special keyword 'inf' is recognized.
   * {{{resource.soft}}} A file which contains the soft- of the given resource 
in the first line. The special keyword 'inf' is recognized.
  
+ 
  == Managing packages ==
  
  You should decide for either package management policy:
@@ -154, +164 @@

   * you cannot upgrade rpm packages when vserver is down (obviously).
   * you must have network configured in guest os to use poldek network 
functions ({{{/etc/resolv.conf}}}, {{{interfaces/N/IP}}}, etc)
  
+ 
  === External package management ===
  
+ 
  ==== Using vpoldek ====
  
  Syntax: {{{vpoldek <VSERVER> -- [REGULAR POLDEK OPTIONS]}}}
@@ -165, +177 @@

  # vpoldek test -- -u squid
  }}}
  
+ 
  ==== Using vrpm ====
  
  Syntax: {{{vrpm <VSERVER> -- [REGULAR RPM OPTIONS]}}}
@@ -173, +186 @@

  {{{
  # vrpm test -- -qa 'apache-*'
  }}}
+ 
  
  === Internal package management ===
  
@@ -191, +205 @@

  $ less /usr/share/doc/util-vserver-build-0.30.210/package-management.txt.gz
  }}}
  
+ 
  == Using plain init style ==
  
  You might want to run your vserver with init style set to ''plain'', which 
means it runs like a regular Linux host, where everything is controlled by 
{{{/sbin/init}}}. The other reason for doing so is that it might happen that 
you can't enter your vserver because it gets shut down before you can enter it 
because of no running processes.
@@ -201, +216 @@

  # echo 'plain' > /etc/vservers/test/apps/init/style
  }}}
  
+ 
  == Copying guest PLD Linux Vserver to another host ==
+ 
- stop the vserver first
+ Stop the vserver first
+ 
  {{{
  # vserver test stop
  }}}
+ 
+ Then just archive and copy the structure:
  
  {{{
  # tar --exclude '/vservers/test/var/lib/mysql/*' -cSf /www/vs-test.tar \
  /{etc/vservers,vservers,vservers/.pkg}/test
  }}}
  
+ 
  == Removing guest PLD Linux Vserver ==
  
- stop the vserver first
+ Stop the vserver first
+ 
  {{{
  # vserver test stop
  }}}
  
- remove vserver config, filesystem and in case of external package management 
the rpmdb dir
+ Remove vserver config, filesystem and in case of external package management 
the rpmdb dir:
+ 
  {{{
  # rm -rf /{etc/vservers,vservers,vservers/.pkg}/test
  }}}
  
- recent util-vserver include patch which has new command called delete:
+ Recent util-vserver includes a new command called delete:
+ 
  {{{
  # vserver test delete
  Are you sure you want to delete the vserver test (y/N) y
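Review bot: the new lead-in "Then just archive and copy the structure:" does not mention that the tar command below it excludes '/vservers/test/var/lib/mysql/*', so a reader following it ends up with a copy of the guest that has no MySQL data, and the section never shows the transfer or unpacking step on the other host. Either say why that directory is skipped and how to move it separately, or drop the exclude from the example. In the removal part, "Recent util-vserver includes a new command called delete" drops the old wording's mention of a patch; if delete only exists in a patched util-vserver, keep that detail.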
@@ -234, +258 @@

  Please stand by while rebooting the vserver........................[ DONE ]
  }}}
  
+ 
  == Common problems / Useful tricks ==
  
+ 
  === Starting vserver fails with Dynamic Context error ===
+ 
  {{{
  # vserver test start
  Dynamic Context IDs are not supported, you must set Context ID
  in /etc/vservers/test/context file
  }}}
+ 
  Fix: set Context ID number in /etc/vservers/test/context file
+ 
  {{{
  # echo <num> >/etc/vservers/test/context
  }}}
+ 
  <num> must be a number within 2-32767 range.
  
  Rationale: Dynamic allocation of context IDs has been disabled in latest 
utils, due to it being deprecated
  and discouraged by the Linux Vserver authors.
  
+ 
  === Starting vservers issues warnings about vc_net_create() ===
+ 
  {{{
  # vserver test start
  chbind: vc_net_create(): Invalid argument
@@ -259, +291 @@

  
  This warning is issued when there are no network interfaces configured within 
given vserver. You may want to configure one (see section: ''Configuring the 
network''). If you need no network interfaces - e.g. when you plan not to run 
any daemons inside vserver - you may ignore this warning.
  
+ 
  === Starting service emits ulimit error ===
+ 
  {{{
  /etc/init.d/lighttpd: ulimit: exceeds allowable limit
  }}}
+ 
  Fix: remove ''-u unlimited'' from ''DEFAULT_SERVICE_LIMITS'' in 
''/etc/sysconfig/system'' or per service config.
  
+ 
  === Provides: user(name) and group(name) do not work ===
+ 
  If some group is provided by multiple packages and one is deinstalled, the 
users will be removed. This is because the rpm binary is not available with 
external package management for rpm scripts.
  
  {{{
@@ -279, +316 @@

  
  Workaround: disable ''RPM_USERDEL=yes'' from ''/etc/sysconfig/rpm''
  
+ 
  === Service ssh don't start inside guest server ===
+ 
  {{{
  test sshd[17644]: error: Bind to port 22 on 192.168.0.1 failed: Cannot assign 
requested address.
  }}}
  
  Fix: set separate addresses after ''Listen``Address'' in 
''/etc/ssh/sshd_config'' both on host and guest system. Guest configuration is 
optional as it's limited to chbind addresses and if these are not taken by the 
SSH daemon running on host system everything will work just fine.
  
+ 
  === bind won't install because of a mknod problem ===
  
  bind requires some special device nodes inside it's chroot jail located in 
''/var/lib/named''. Vserver security does not allow device node creation so you 
will have to install the package specifying 
{{{--excludepath=/var/lib/named/dev}}} and then create devices {{{/dev/null}}} 
and {{{/dev/random}}} from outside of the vserver context.
  
- UPDATE: vpoldek doesn't allow command line option
+ UPDATE: vpoldek doesn't allow the {{{--excludepath}} option:
+ 
  {{{
- --excludepath=/var/lib/named/dev and in poldek.conf
- # poldek: unrecognized option `--excludepath=/var/lib/named/dev'
+ poldek: unrecognized option `--excludepath=/var/lib/named/dev'
  }}}
+ 
- Alternative method to this is write in poldek.conf
+ An alternative method is to write in poldek.conf:
+ 
  {{{
  rpmdef = _netsharedpath /dev:/var/lib/named/dev
  }}}
+ 
- or in {{{/vservers/test/etc/rpm/macros}}}
+ or in {{{/vservers/test/etc/rpm/macros}}}:
+ 
  {{{
  %_netsharedpath     /dev:/var/lib/named/dev
  }}}
@@ -313, +357 @@

  http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=72
  
  You can use ''lcap'' program to see available capatabilities:
+ 
  {{{
  # lcap
  Current capabilities: 0xFFFFFEFF
@@ -332, +377 @@

    26) *CAP_SYS_TTY_CONFIG
      * = Capabilities currently allowed
  }}}
+ 
+ 
  === syslog-ng won't run ===
  
  There is no access to klogd inside vservers so all you have to do is change 
the following line in the config file:
@@ -346, +393 @@

  source src { unix-stream("/dev/log"); internal(); };
  }}}
  
+ 
  === Running openvpn inside vserver ===
  
+ You need to:
+ 
- * you need to create ''/dev/net/tun'':
+ * create ''/dev/net/tun'':
- {{{
+  {{{
  # mkdir -p /vservers/test/dev/net
  # mknod -m 660 /vservers/test/dev/net/tun c 10 200
  }}}
  * ~hide_netif
- {{{
+  {{{
  # echo '~hide_netif' >> /etc/vservers/test/flags
  }}}
- * CAP_NET_ADMIN
+ * grant CAP_NET_ADMIN
- {{{
+  {{{
  # echo CAP_NET_ADMIN >> /etc/vservers/test/bcapabilities
  }}}
  
+ 
  === Can't use ssh xauth forwarding ===
  
  workaround: disable {{{X11UseLocalhost}}} in {{{sshd_config}}}
  
+ 
  === Mount failed for selinuxfs on /selinux:  Operation not permitted ===
  
  When starting guest with init style being set to plain with newer libselinux 
you can see error message like this. It happens because init executes function 
from libselinux which tries to mount /selinux. Disable selinux for guest by 
doing:
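Review bot: under the new "You need to:" lead-in the middle item "* ~hide_netif" still has no verb, while its neighbours now read "create ''/dev/net/tun''" and "grant CAP_NET_ADMIN"; word it as an action on /etc/vservers/test/flags to match. The three reindented "{{{" openers now sit one space in while the commands and the closing "}}}" stay at column 0, so check that the blocks still render inside the list. Since this step appends CAP_NET_ADMIN to bcapabilities, a sentence noting that it gives the guest network administration rights would help readers decide whether to run openvpn inside the guest at all.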
@@ -376, +428 @@

  
  or in .defaults (to disable for all guests).
  
+ 
  === Not enough space on /tmp ===
  
  Just after installation in each vserver 16MB RAM-based filesystem is mounted 
in /tmp. If you want your /tmp filesystem to be bigger, reside on diffrent 
device or not be mounted at all see {{{/etc/vservers/test/fstab}}}.
  
+ 
  === Disabling interface ===
+ 
- it's very convenient to disable some interface so it won't be activated on 
vserver boot
+ It's very convenient to disable some interface so it won't be activated on 
vserver boot
+ 
  {{{
  # touch /etc/vservers/test/interfaces/0/disabled
  }}}
  
+ 
  === Display mounts of each xid (vserver) ===
+ 
  {{{
  for a in /proc/virtual/[0-9]*; do \
   xid=$(basename $a /); \
@@ -395, +453 @@

  done
  }}}
  
- and similarly to umount /opt/storage on all running vservers:
+ And similarly to unmount {{{/opt/storage}}} on all running vservers:
+ 
  {{{
  for a in /proc/virtual/[0-9]*; do \
   xid=$(basename $a /); \
@@ -404, +463 @@

  done
  }}}
  
- the last sample is needed if you want to umount /opt/storage completely on 
host, but as vservers inherit mounts at startup (even they don't use them) you 
can't umount /opt/storage.
+ The last sample is needed if you want to umount /opt/storage completely on 
host, but as vservers inherit mounts at startup (even they don't use them) you 
can't umount /opt/storage.
+ 
  
  === squid won't start: FATAL: setrlimit: RLIMIT_NOFILE: (1) Operation not 
permitted ===
+ 
  {{{
  # echo CAP_SYS_RESOURCE >> /etc/vservers/test/bcapabilities
  }}}
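Review bot: the reworded sentence "The last sample is needed if you want to umount /opt/storage completely on host ..." only changes the capital letter; "even they don't use them" is still missing "if", and "/opt/storage" is left bare while the previous hunk's rewrite uses "unmount {{{/opt/storage}}}". Use the same verb and markup in both places. The squid entry that follows shows only the bcapabilities command; a line saying that the fix is to grant CAP_SYS_RESOURCE to the guest would match the "Fix:" style of the other entries.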
@@ -416, +477 @@

  
  Install {{{util-vserver-init}}} package, read and edit 
{{{/etc/sysconfig/vservers}}}.
  
+ 
  === Vservers startup order ===
+ 
  Sometimes it may happen that you need to be sure that one of the vservers is 
started before the others - e.g. it provides some service that other depend on. 
Vserver provides an easy way to do this - let's assume that ''test2'' vserver 
depends on ''test'' and ''foo'' vservers:
+ 
  {{{
  # echo test >> /etc/vservers/test2/apps/init/depends 
  # echo foo >> /etc/vservers/test2/apps/init/depends
  }}}
+ 
  At shutdown, the ''test2'' vserver will be stopped before its dependencies.
  
  
@@ -466, +531 @@

  
  If you wish to have your guest vserver available on physical console, lets 
say, {{{/dev/tty2}}} do following:
   * comment out tty2 in {{{/etc/inittab}}} on host machine
- 
- {{{
+  {{{
  #2:2345:respawn:/sbin/mingetty tty2
  }}}
- 
   * copy /dev/tty2 from host machine as /vservers/name/dev/tty2
   * comment out all ttys in /vservers/etc/inittab except tty2, it is good idea 
to comment all ttys anyway to suppress errors like
- 
- {{{
+  {{{
  INIT: Id "1" respawning too fast: disabled for 5 minutes
  }}}
- 
-  * press ALT+F2 and login to your guest vserver :)
+  * press ALT+F2 and login to your guest vserver
  
  
  === Running 32 bit vserver on an 64 bit host ===
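Review bot: the two "{{{" openers are moved one space in to sit under their list items, but the closing "}}}" lines stay at column 0 and the blank lines that separated the blocks from the bullets are removed; check that the list still renders as one list with the blocks inside it. While touching this list, the bullet "comment out all ttys in /vservers/etc/inittab" lacks the guest name that the previous bullet uses in /vservers/name/dev/tty2.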
_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
