Re: [Vserver] hostname ?

2006-07-09 Thread Gregory (Grisha) Trubetskoy


Hm.. I just upgraded to 0.30.210, and added utsname:

cat /etc/vservers/<snip>/ccapabilities
mount
utsname

cat /proc/virtual/<xid>/status
UseCnt: 99
Tasks:  25
Flags:  020a0211
BCaps:  744c04ff
CCaps:  00010101
Ticks:  0

still doesn't let me change the hostname. I must be missing something.

On Fri, 7 Jul 2006, Daniel Hokka Zakrisson wrote:


Gregory (Grisha) Trubetskoy wrote:


Sorry if this was already asked - I searched and couldn't find anything. 
Recently I went from 2.6.12.4-vs2.0 to 2.6.17-vs2.0.2-rc24 on one of the 
machines (needed 2.6.17 because of a hardware issue).


Inside a vserver:

with 2.6.12.4-vs2.0:

# hostname blah
# hostname
blah

with 2.6.17-vs2.0.2-rc24:

# hostname blah
hostname: you must be root to change the host name

The configurations are identical:

# cat bcapabilities
^29
^30
# cat ccapabilities
mount

Obviously I don't want to give the CAP_SYS_ADMIN capability. Any advice 
would be very much appreciated!!


What you want is the utsname ccapability, although that is given by default 
to guests (at least by util-vserver 0.30.210). Did you happen to change tools 
as well? What does grep CCap /proc/virtual/<xid>/status on the host say?


--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


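The status dump in the message above can be checked mechanically against the bcapabilities entries. This is an added example, not code from the thread or from util-vserver; it assumes BCaps is a hexadecimal mask in which bit N is Linux capability number N and that a '^N' line names bit N, and HIGH_RISK is a shortlist made up for the example.

```python
"""Added example: audit the BCaps line of a /proc/virtual/<xid>/status dump.

Assumptions: BCaps is a hex bitmask in which bit N is Linux capability
number N, and a '^N' line in a bcapabilities file names bit N.
"""

# Capability numbers 0..30 as in mainline include/linux/capability.h.
# The audit-interface messages on this page mention a CAP_QUOTACTL vs.
# CAP_AUDIT_WRITE conflict around ^29; mainline names are used here.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
]

# Shortlist constructed for this example, not a vserver default.
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
             "CAP_NET_ADMIN", "CAP_SYS_TIME", "CAP_MKNOD"}

# Status dump copied from the message above.
STATUS = """\
UseCnt: 99
Tasks:  25
Flags:  020a0211
BCaps:  744c04ff
CCaps:  00010101
Ticks:  0
"""


def parse_status(text):
    """Return {field: value} for the 'Name: value' lines of a status dump."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """List the capability names whose bits are set in a hex mask."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the table are reported by number, not guessed.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"bit_{bit}")
    return names


def entries_to_mask(lines):
    """Turn '^N' lines from a bcapabilities file into a bitmask."""
    mask = 0
    for line in lines:
        entry = line.strip()
        if not entry:
            continue
        if not entry.startswith("^") or not entry[1:].isdigit():
            raise ValueError(f"unsupported bcapabilities entry: {entry!r}")
        mask |= 1 << int(entry[1:])
    return mask


def audit(status_text, bcap_lines):
    """Compare the running context's BCaps with the configured '^N' entries."""
    fields = parse_status(status_text)
    running = int(fields["BCaps"], 16)
    wanted = entries_to_mask(bcap_lines)
    granted = decode_caps(fields["BCaps"])
    return {
        "granted": granted,
        "config_applied": (running & wanted) == wanted,
        "high_risk": sorted(set(granted) & HIGH_RISK),
    }


if __name__ == "__main__":
    report = audit(STATUS, ["^29", "^30"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

For this dump the two configured bits are present in the running mask and CAP_SYS_ADMIN is not, which matches what the poster says about the bounding set.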


[Vserver] hostname ?

2006-07-07 Thread Gregory (Grisha) Trubetskoy


Sorry if this was already asked - I searched and couldn't find anything. 
Recently I went from 2.6.12.4-vs2.0 to 2.6.17-vs2.0.2-rc24 on one of the 
machines (needed 2.6.17 because of a hardware issue).


Inside a vserver:

with 2.6.12.4-vs2.0:

# hostname blah
# hostname
blah

with 2.6.17-vs2.0.2-rc24:

# hostname blah
hostname: you must be root to change the host name

The configurations are identical:

# cat bcapabilities
^29
^30
# cat ccapabilities
mount

Obviously I don't want to give the CAP_SYS_ADMIN capability. Any advice 
would be very much appreciated!!


Thanks,

Grisha


Re: [Vserver] Copy VServer

2005-12-02 Thread Gregory (Grisha) Trubetskoy


On Thu, 1 Dec 2005, Lars Hallberg wrote:


Herbert Poetzl wrote:


On Thu, Dec 01, 2005 at 06:50:56PM +0100, Lars Hallberg wrote:

inode based backup tools will preserve the
tagging (like dump/restore), other tools
(like rsync or tar) have to be 'enhanced'
to know about the xid tags.

similar is true for barrier and immutable
link inversion flags ...



As a sidenote, this may depend on the particular setup, but I've found 
that when you use unification, backing up the xid tags/iunlink isn't 
necessary because you can deduce what the flag/tag should be based on
checking whether the file is unified and where it is. E.g. if the file is 
under /vservers/abc and is not unified (which you test by comparing the 
inode of the same file in the reference server), then it belongs to the 
'abc' server, so tag it appropriately. Of course you'll need to write a 
script/program to do this :-)


Grisha
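The inode comparison suggested in the message above can be scripted roughly as follows. This is an added example, not code from the thread or from util-vserver; it assumes unified files are hard links shared with a reference tree on the same filesystem, and the function names, the 'shared' / 'tag:<guest>' labels and the demo tree are made up for illustration. It only produces a plan and sets no tags itself.

```python
"""Added example: decide per file whether a guest's copy is unified.

Assumptions: unified files are hard links shared between the guest tree
and a reference tree on the same filesystem; labels are placeholders.
"""
import os
import stat
import tempfile


def classify_guest(guest_root, reference_root):
    """Map each regular file under guest_root to 'unified' or 'private'."""
    result = {}
    for dirpath, _dirs, files in os.walk(guest_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # only regular files are considered here
            rel = os.path.relpath(path, guest_root)
            try:
                ref = os.lstat(os.path.join(reference_root, rel))
            except (FileNotFoundError, NotADirectoryError):
                result[rel] = "private"  # no counterpart in the reference
                continue
            # Same device and inode means the two paths are one file.
            same = (st.st_dev, st.st_ino) == (ref.st_dev, ref.st_ino)
            result[rel] = "unified" if same else "private"
    return result


def tag_plan(guest_name, classes):
    """Turn a classification into a sorted list of (path, action)."""
    plan = []
    for rel in sorted(classes):
        if classes[rel] == "unified":
            plan.append((rel, "shared"))
        else:
            plan.append((rel, f"tag:{guest_name}"))
    return plan


def _write(path, text):
    with open(path, "w") as handle:
        handle.write(text)


def demo():
    """Build a constructed reference/guest pair and return its plan."""
    with tempfile.TemporaryDirectory() as top:
        ref = os.path.join(top, "reference")
        guest = os.path.join(top, "abc")
        for root in (ref, guest):
            os.makedirs(os.path.join(root, "bin"))
            os.makedirs(os.path.join(root, "etc"))
        # bin/tool: unified, i.e. a hard link to the reference copy
        _write(os.path.join(ref, "bin", "tool"), "binary")
        os.link(os.path.join(ref, "bin", "tool"),
                os.path.join(guest, "bin", "tool"))
        # etc/hosts: same path and same content, but a separate inode
        _write(os.path.join(ref, "etc", "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(guest, "etc", "hosts"), "127.0.0.1 localhost\n")
        # etc/local.conf: exists only in the guest
        _write(os.path.join(guest, "etc", "local.conf"), "x=1\n")
        return tag_plan("abc", classify_guest(guest, ref))


if __name__ == "__main__":
    for rel, action in demo():
        print(f"{action:10} {rel}")
```

Identical content is not enough to count as unified: etc/hosts in the demo has the same bytes in both trees but its own inode, so it is attributed to the guest.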


Re: [Vserver] loopback device inside a vserver?

2005-11-28 Thread Gregory (Grisha) Trubetskoy


On Tue, 29 Nov 2005, Stéphane GAUTIER wrote:


|-- interfaces
|   |-- 0
|   |   |-- ip
|   |   |-- mask
|   |   |-- name
|   |   `-- dev
|   `-- 1
|       |-- ip
|       `-- nodev



Interface 1 is loopback.

File ip : 127.0.0.1
touch nodev


But just to clarify - I don't think you can have more than one 127.0.0.1 
per host server.


Grisha


Re: [Vserver] BIND (named) and lo interface inside vserver

2005-11-17 Thread Gregory (Grisha) Trubetskoy


On Thu, 17 Nov 2005, Herbert Poetzl wrote:


I obligate to say that today I installed http://openvz.org


Has anyone here looked at this openvz stuff and care to outline some 
architectural differences?


Grisha




Re: [Vserver] audit interface

2005-11-14 Thread Gregory (Grisha) Trubetskoy


Thanks!

Just for documentation in case anyone gets stuck trying to fix this:

It looks like older FC4 pam will work with ^30, and newer (pam-0.79-9.6) 
requires *both* ^29 and ^30. (Doesn't matter, BTW, whether you have 
pam_loginuid.so in your config, it looks like it is patched to use audit 
regardless).


Grisha

On Mon, 14 Nov 2005, Serge E. Hallyn wrote:


Quoting Gregory (Grisha) Trubetskoy ([EMAIL PROTECTED]):


On Thu, 14 Jul 2005, Enrico Scholz wrote:


[EMAIL PROTECTED] (Enrico Scholz) writes:


| # auditctl -m 'foo'
| Error sending user message request (Operation not permitted)
...
This gives problems on Fedora Core 4 as recent pam upgrade is
using this functionality and most actions (su, cron) will fail
therefore.


Quick workaround is to add '^29' to the 'bcapabilities' of the
corresponding vserver. Next util-vserver version will probably
implicate this with the '--secure' option (after I decided how to
deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).


This didn't work for me (just to make su - work), it seems that I needed
^30 (CAP_AUDIT_CONTROL).

Does anyone here know what the security implication of this is? We don't
run auditd.


IIRC I originally added this capability...  It's too coarse-grained for
my liking, but only applicable to audit.  It allows your process to change
its loginuid, which you see reported in the audit msgs, but which is
not used for any authentication.  (same bit allows adding/del'ing/listing
audit rules, iirc)

For vserver, loginuid should probably always be reported along with the
vserver id, I guess...

-serge



Re: [Vserver] audit interface

2005-11-13 Thread Gregory (Grisha) Trubetskoy


On Thu, 14 Jul 2005, Enrico Scholz wrote:


[EMAIL PROTECTED] (Enrico Scholz) writes:


| # auditctl -m 'foo'
| Error sending user message request (Operation not permitted)
...
This gives problems on Fedora Core 4 as recent pam upgrade is
using this functionality and most actions (su, cron) will fail
therefore.


Quick workaround is to add '^29' to the 'bcapabilities' of the
corresponding vserver. Next util-vserver version will probably
implicate this with the '--secure' option (after I decided how to
deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).


This didn't work for me (just to make su - work), it seems that I needed 
^30 (CAP_AUDIT_CONTROL).


Does anyone here know what the security implication of this is? We don't 
run auditd.


Grisha


Re: [Vserver] unique uptime report per guest

2005-10-18 Thread Gregory (Grisha) Trubetskoy



On Tue, 18 Oct 2005, Chuck wrote:

ok found that but now where do i put the virt_uptime flag? into what 
file?


Most likely in

/etc/vservers/<vserver name>/flags

(one flag per line)

Grisha



Re: [Vserver] strange ext3 corruption

2005-08-31 Thread Gregory (Grisha) Trubetskoy


Just curious - does your card have a battery and does it have write cache 
enabled? If you have no battery backup and write cache enabled and hard 
power off the server, you may see some corruption.


On the other hand aacraid driver has had all kinds of problems, it was 
definitely unusable in 2.6.10.


Grisha

On Wed, 31 Aug 2005, Sebastien Bechet wrote:


Hello,

Be careful with vanilla kernel 2.6.12.5 and patch-2.6.12.4-vs2.0.diff.bz2
patch apply ok, but I have strange ext3 corruptions with aacraid. I'm
looking about it.

Bye.




Re: [Vserver] FC4 Guest

2005-07-19 Thread Gregory (Grisha) Trubetskoy


On Tue, 19 Jul 2005, Darryl Ross wrote:

Then it's a case of cleaning up the initscripts so they don't do 
anything with hardware and stopping programs that aren't needed (kudzu, 
ntpd, etc etc) inside a guest.


BTW - OpenVPS does all that for FC4 (you'll need the latest snapshots for 
FC4 though).


Grisha


Re: [Vserver] Stopping a vserver which config dir has been deleted

2005-07-12 Thread Gregory (Grisha) Trubetskoy


Lookup the xid of the vserver (e.g. using vserver-stat), then:

# vkill --xid <xid> -s TERM
# vkill --xid <xid> -s KILL


Grisha

On Tue, 12 Jul 2005, Nicolas Costes wrote:



Ahem...

I made a mistake : I wanted to delete a vserver, and I just
erased /etc/vserver_name. Then, when I wanted to
delete /vservers/vserver_name, I got errors : The vserver was still
running :(((

So, the processes still run in their contexts, but I don't know how to kill
them, I mean, I want to totally erase this vserver...

Any ideas ?

--
 ,,
(°   Nicolas Costes
/|\   IUT de La Roche / Yon
( ^ )  Public key: http://www.keyserver.net/
^ ^   Free music: http://musique-legale.info/ - http://www.jamendo.com/


Re: [Vserver] Virtual Cluster Question

2005-06-25 Thread Gregory (Grisha) Trubetskoy


On Sun, 26 Jun 2005, Hans Eschler wrote:


What are the possibilities of using linux-vserver virtual machines with
loadbalancers.

Roundrobin, direct routing or nat?


We've successfully set up direct server return load-balancing, where
vservers were on different physical machines.


Direct server return means that the loadbalancer uses mac to send a packet 
which is then accepted by a server's kernel because the destination IP 
exists on the loopback interface. E.g. if the VIP is 1.2.3.4, then on 
every load balanced server you configure 1.2.3.4 on the loopback. Since 
loopbacks aren't visible from outside, there is no conflict.


So for vserver, we used the dummy interfaces as the VIPs. There was a 
trick we had to do to alter the default ARP behaviour:


echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

Without this eth0 would answer even for the IP that's on the dummy 
interface.


This was done with 1.9.x vserver. I haven't looked at how 2.0 deals with 
interfaces yet, I have a suspicion it might even be easier if we have a 
private loopback interface for every vserver.


Grisha



RE: [Vserver] solaris containers/zones

2005-06-25 Thread Gregory (Grisha) Trubetskoy


On Sat, 25 Jun 2005, Ehab Heikal wrote:

Xen allows different Operating systems to run on the same server, now 
only linux and I think freebsd. Vserver only allows linux. The uppoint 
of vserver is that the kernel is shared which means lower memory
footprint. I think unification also reduces needed memory.


I'd say the key advantage of vserver is the ability to access what's 
inside the vserver from the host. With xen you cannot see what's inside a 
virtual machine from the host, nor can you access its files, which makes 
it very difficult to administer efficiently.


Grisha




RE: [Vserver] solaris containers/zones

2005-06-24 Thread Gregory (Grisha) Trubetskoy


On Thu, 23 Jun 2005, Gregory (Grisha) Trubetskoy wrote:

This is called PR. If you read this, you'll have a better idea of what's 
going on here:


http://www.pycon.org/data/95/pycon-20050325-1-0900-95-ike.mp3


oops, bad paste job - the link is:

http://www.paulgraham.com/submarine.html

grisha


RE: [Vserver] solaris containers/zones

2005-06-24 Thread Gregory (Grisha) Trubetskoy


On Fri, 24 Jun 2005, Mike Tierney wrote:

As much as I like Vservers (we use them on 2 of our Production 
servers!!) it looks like the Xen project (open source virtual machine 
software) IS getting LOTS of media coverage and attention/resources from 
vendors (Novell, IBM, Sun, HP, Redhat, etc).


This is called PR. If you read this, you'll have a better idea of what's 
going on here:


http://www.pycon.org/data/95/pycon-20050325-1-0900-95-ike.mp3

Xen was funded by commercial research money (from Microsoft and Intel 
IIRC) with the intent of turning it into a commercial venture, which is 
what Xensource is. All this buzz is to a large degree artificially 
generated to support the venture.


Apparently the current version (v2) isn't that great but the next 
version (due out in August) sounds like a huge leap forward.


And longhorn will just totally kick ass, so I heard! :-)

Grisha


[Vserver] 2.0 question

2005-05-27 Thread Gregory (Grisha) Trubetskoy


I've been trying to follow: http://linux-vserver.org/NGNET-Testing-HOWTO 
with 2.6.11.10-vs2.0-rc2, but I get:


# vnet -x  -n  -d lo
vc_add_vndev: Function not implemented

I must be missing something obvious :-)

TIA

Grisha


Re: [Vserver] MySQL inside a vserver - permission denied?

2005-05-16 Thread Gregory (Grisha) Trubetskoy

On Mon, 16 May 2005, Werner Schalk wrote:

# touch /var/run/mysqld/mysqld.sock
# chown mysql:mysql /var/run/mysqld/mysqld.sock
# ls /var/run/mysqld/mysqld.sock -la
-rw-r--r--  1 mysql mysql 0 May 26 04:11 /var/run/mysqld/mysqld.sock

Just a suggestion:

# chown mysql:mysql /var/run/mysqld

Grisha


Re: [Vserver] cpu counters in 1.9.5

2005-05-12 Thread Gregory (Grisha) Trubetskoy

On Thu, 12 May 2005, Herbert Poetzl wrote:

okay, adding the 'counters' back should not be too hard,
so I take that as 'feature request' ...

... or a 'feature return' :-)

Thanks,

Grisha


[Vserver] cpu counters in 1.9.5

2005-05-11 Thread Gregory (Grisha) Trubetskoy

Has something changed in the way vs1.9.5 accounts for CPU? We've upgraded
from 2.6.10-vs1.9.4 to 2.6.11.7-vs1.9.5 and in /proc/virtual/<xid>/sched I
see:

<snip>
cpu 0: 0 0 0
cpu 1: 0 0 0
cpu 2: 0 0 0
cpu 3: 0 0 0

after having run cat /dev/zero | bzip2 > /dev/null in this vserver for a
while.

Let me know what other info I can provide to troubleshoot this.

Thanks!

Grisha


Re: [Vserver] Summary of recent improvement discussion

2005-05-04 Thread Gregory (Grisha) Trubetskoy

On Tue, 3 May 2005, Sam Vilain wrote:

Bootstrapping Images

The status of debootstrap and `rpmstrap' in the current utilities was
briefly discussed, so that vservers of lots of different types could
easily be built without installing extra utilities manually.

I haven't seen this being discussed on the list, I hope I'm not about to
say anything sacrilegious, but am I in the minority to think that the
build tools do not belong in util-vserver at all?

I think that util-vserver should provide the absolute minimal build
capability as proof-of-concept tucked away somewhere in an examples/
subdirectory _only_. The job of writing/maintaining build tools belongs
with distribution maintainers (or whoever else wants to take it up).

When I set out to write what is now known as OpenVPS (which ATM is Fedora 
based), I wanted to use util-vserver as much as possible, but in the end 
found that since you ultimately end up having to figure out the intricate 
details of the underlying mechanism (rpm in my case), it ends up being 
easier to interface with rpm directly rather than via util-vserver 
scripts. They served as a pretty good example and a starting point, and 
that's about all the value I got from them. (We're actually more and more 
relying on Python bindings for a lot of rpm and vserver calls)

Granted, there is an apparent chicken-and-egg problem here - linux vserver 
needs to be easy to use to gain more traction and that requires build 
images, and distribution maintainers are not going to take on complex 
tasks like this without there being sufficient coolness. But I think a 
lot more can be done through advocacy and solicitation rather than 
actually trying to do it.

I also think more effort was put towards bringing core utilities towards 
mint condition (with man pages and everything) would go a lot further 
towards overall value for the project than focusing on build tools.

Am I being off my nut here? (If so, that's OK, been there before!)
Grisha


Re: [Vserver] Summary of recent improvement discussion

2005-05-04 Thread Gregory (Grisha) Trubetskoy

On Wed, 4 May 2005, Herbert Poetzl wrote:

heh, how far is OpenVPS now? and what about its 'current'
targets/aims/whatever ...
maybe you could give a short overview?

Well... targets/aims is a big question that I've been trying to answer for
a long time :-)

The idea is to provide the missing software between just bare Linux
VServer/utils and a hosting environment.

To put it in perspective - anyone who uses vserver is very likely to
create some sort of an image. Of course not knowing what the ultimate
goal is there is no telling what that image might be because there is a
big difference between running a jailed sendmail, a honeypot or hosting a
VPS.

But once you define the context, which in this case it _is_ a VPS, then a 
lot more becomes known - e.g. a VPS should probably include 
hosting-relevant packages (e.g. apache), you can make a pretty good guess 
at what services should be enabled, you can do little things like generate 
an SSL cert, create a default user, fix up mail config, etc, etc.

From the host perspective - VPS's need to be provisioned/stopped/deleted 
fairly simply, they need to be backed up, you need to monitor resource 
usage and make sure that things are up, there needs to be a mechanism for 
keeping up to date with security updates, etc. It is also a given that you 
would use quite a few of physical servers, and those would need to be 
easily provisioned, monitored from a central place, etc.

That's in a nutshell what OpenVPS aims to do. It's actually a lot of 
stuff, and it's not really easily categorizable as a control panel or 
whatever (in fact, the CP functionality is quite limited at this point). 
There is a status page that lists things that it already does reasonably 
well:

http://www.openvps.org/Plone/about/status
The other aspect of this project that should be mentioned is how it is run 
- rather than trying to make guesses as to what a hosting company would 
need, we actually went ahead and started a hosting company (ok, it was 
actually the other way around - first the company, then the project :)).

As far as I can tell, OpenHosting is the _only_ hosting company that 
actually makes all (except for the billing stuff) of its software open 
source and is proud of it, but this is kind of getting OT for this list.

OpenVPS is currently ASL licensed (this might change to GPL) and is all 
Python/C - that's just my mod_python heritage.

Anyway - if this resonates with anyone on this list - and I _know_ that 
there are lots of ISP/hosting people here, subscribe to the OpenVPS dev 
list (http://openvps.org/mailman/listinfo/dev), we could certainly use a 
lot of help :-)

Grisha


Re: [Vserver] automount anyone?

2005-04-27 Thread Gregory (Grisha) Trubetskoy

On Wed, 27 Apr 2005, Herbert Poetzl wrote:

On Tue, Apr 26, 2005 at 03:31:33PM -0400, Gregory (Grisha) Trubetskoy wrote:

Has anyone here tried using automount with vservers?

did you try to mount the autofs 'just' inside the vserver namespace
(well, that's what I would do anyways)

'just' would be somewhere after the namespace is created, but before admin
cap is removed - I couldn't quite figure out a nice way to do this with
util-vserver (fstab doesn't help since automounts are done via the
automount command)

but even if we did find a place to fire automount from - IIRC the
capabilities exist per-context. so either the automount daemon belongs to
the context and cannot act on mount requests (assuming the context does
not have cap_admin), OR it's outside the context (and does not see the
namespace)... or is there some middle ground where it shares the
namespace, but not the context?

btw, which version (kernel/tools) are you using?

This was done on 2.6.10-vs1.9.4 and util 0.30.196.

Thanks,

Grisha


Re: [Vserver] vserver application

2005-04-15 Thread Gregory (Grisha) Trubetskoy
I also like the file format - indentation as a delimiter... Very Pythonic 
and IOS-ish at the same time :)

On Sat, 16 Apr 2005, Herbert Poetzl wrote:
On Fri, Apr 15, 2005 at 03:11:24PM +0400, Peter V. Saveliev wrote:
...
I did it :)
Test build of RAD GNU/Linux uses vserver for regular service
management. Example:
8--
interface ethernet 0
 address 10.0.0.2/24
 address 10.0.0.3/24
 address 10.0.0.4/24
!
resource-list test
 address 10.0.0.2/24
 scheduler hard 30%
 limit nproc 16 files 8
 limit data 4096
 limit rss 1024
!
service httpd
 port 80
 realm basic root:secret
 allow 192.168.0.0/255.255.0.0
 resource-list test
8--
So service httpd will be limited to ~30% cpu load, 16 running processes,
8 open files, 4Mb data and 1Mb rss. And will only see 10.0.0.2/24.
If there is anybody interested in details, mail me or see docs for 0.2.1 at
http://rad.peet.spb.ru/files/doc/
looks interesting, maybe you want to do a short
introduction what RAD GNU/Linux is all about so
that folks on the ML get a first impression ...
best,
Herbert
PS: sorry poor English in docs -- I have no persistent proofreader, and
this version still is not checked.
--
Peter V. Saveliev


Re: [Vserver] Stable release for 2.6 kernel ...

2005-04-11 Thread Gregory (Grisha) Trubetskoy
Excellent! Is NG going to be part of it?
Grisha
On Mon, 11 Apr 2005, Herbert Poetzl wrote:
Greetings Folks!
we had a longer discussion last night and we came to
the conclusion that this is the right time to start
working on a stable 2.0 release (for 2.6.x)
so while this will involve a lot of work and testing
in various places this also means that there will
be some kind of feature freeze for the 2.0 release
candidates and we would like to ask you to participate
in testing those release candidates and feed back
whatever you consider important for the stable release
we will also try to get a 'stable' release of the
alpha util-vserver done, so consider both, kernel and
tools as the upcoming 2.0 release ...
we expect first release candidates to show up in one
or two weeks, depending on the amount of immediate
feedback to the email ...
TIA,
Herbert


Re: [Vserver] CentOs distribution

2005-04-06 Thread Gregory (Grisha) Trubetskoy
This may be somewhat off-topic, but why is it that people like centos 
which seems to me like REL without support. Since support is what REL is 
all about, wouldn't it be better to go with FC3 (soon 4) rather than a 
bunch of outdated software that comprises EL?

What am I missing?
Grisha
On Mon, 4 Apr 2005, Paul S. Gumerman wrote:
Has anyone tried the CentOs 4.0 distribution with linux-vserver?  It's a 
repackage of RedHat Enterprise Linux 4.0.  I'm currently using a mish-mash of
FC1, 2 & 3 and I'm considering a switch to CentOs.  Two of my servers are
Opteron-based, so I'm particularly interested if you are using the x86_64 
arch.

http://www.centos.org
Paul


Re: [Vserver] Linux Vserver - Feature Question

2005-04-01 Thread Gregory (Grisha) Trubetskoy

I would also keep measurements of CPU ticks used. Since IO requires CPU 
cycles - is it possible that a CPU sched_hard indirectly limits IO just as 
well?

Grisha
On Fri, 1 Apr 2005, Matthew Nuzum wrote:
On Thu, Mar 31, 2005 at 09:22:10PM -0600, Matthew Nuzum wrote:
I think I can create a test case for this. I have a server that is not
currently running any vserver stuff that will be ok with a reboot now
and
then.
sounds good, please try to get 1.9.5.5 working there,
because it already contains some blkio accounting
and it would be very interesting to monitor those
values ... (maybe with rrdtools)
TIA,
Herbert
I'm still doing my month-end backup, but when that's done I'll start
installing the vserver 1.9.5.5.
Here is the test case that seems most logical to me, but advice on how to
actually do concrete tests would be useful.
1. Create two vservers (vsa and vsb), start both.
2. In vsa start some heavily i/o intensive operation
3. In vsb try to do some tasks and notice how much i/o bandwidth I have
available.
Alternative plan:
1. Create 1 vserver and start it
2. In the vserver, start some heavily i/o intensive operation
3. In the host server try to do some tasks and notice how much i/o bandwidth
I have available
4. After step 2 completes, in host server start a heavily i/o intensive
operation
5. In vserver, try to do some tasks and notice how much i/o bandwidth I have
available
I have two ideas on heavily i/o intensive operation
1. I have a database with 35 million records. Doing any aggregate function
such as max() requires several sequential scans and takes a significant
amount of time.
2. Preparing my month end backup requires copying 13 GB of data.
Any other suggestions?
Question:
I have only subjectively noticed a dramatic decrease in server performance
when a vserver is performing i/o intensive tasks. How can I objectively
measure and produce concrete numbers?
--
Matthew Nuzum [EMAIL PROTECTED]
www.followers.net - Makers of Elite Content Management System
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/


RE: [Vserver] Linux Vserver - Feature Question

2005-04-01 Thread Gregory (Grisha) Trubetskoy
The CPU ticks are in /proc/virtual/<xid>/sched
Grisha
On Fri, 1 Apr 2005, Matthew Nuzum wrote:

I would also keep measurements of CPU ticks used. Since IO requires CPU
cycles - is it possible that a CPU sched_hard indirectly limits IO just as
well?
Grisha
How do you do that?
P.S. I'm still compiling the vanilla kernel (I haven't even applied the
vserver patch yet). At this rate I'll probably get back to you on Sunday.
FYI Pii 350 MHz, 128 MB RAM, Ubuntu 4.1, 120 GB UDMA 133 hard drive.
--
Matthew Nuzum [EMAIL PROTECTED]
www.followers.net - Makers of Elite Content Management System
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/


Re: [RE:] Re: [Vserver] Linux Vserver - Feature Question

2005-03-31 Thread Gregory (Grisha) Trubetskoy
There is something like this in a patch to UML developed by the Linode 
folks:

http://www.linode.com/forums/archive/o_t/t_790/linode.com_status_update_04_06_04.html
Looks like a token bucket, only for IO.
It may be easier to do something like this in UML because their IO driver 
is a constant (UBD) whereas in VServer things aren't so simple since the 
driver could be anything? Herbert can probably comment on this better :-)

I do think that this would be an interesting feature.
Grisha
On Thu, 31 Mar 2005, Bodo Eggert wrote:
On Thu, 31 Mar 2005, Herbert Poetzl wrote:
On Thu, Mar 31, 2005 at 09:26:31AM +0200, [EMAIL PROTECTED] wrote:

hmm, so you would like to artificially slow down the
I/O transfer of a vserver, and make the transaction
somewhat longer than necessary?
I guess more like not slowing down the host or other vservers.
--
Funny quotes:
19. Quantum mechanics: The dreams stuff is made of.


Re: [Vserver] vsched

2005-03-31 Thread Gregory (Grisha) Trubetskoy
see this thread (read the whole thread, my post has some inaccuracies 
corrected in follow-ups)

http://www.mail-archive.com/vserver@list.linux-vserver.org/msg03324.html
Grisha
On Fri, 1 Apr 2005, Peter V. Saveliev wrote:
...
# vsched --help
Usage:
 vsched
[--xid xid]
8--
Can anybody tell me, what mean these options?
[--fill-rate rate] -- in which measure? percents?
[--interval interval] -- milliseconds? nanoseconds? crocodiles per 
mile? ;)
skip cause=clear/
[--prio-bias bias] -- what is bias?
8--
[--] [command args*]
--
Peter V. Saveliev


Re: [vserver] who?

2005-03-25 Thread Gregory (Grisha) Trubetskoy
Here is a ./ link from old times:
http://slashdot.org/articles/01/11/06/2034233.shtml
Grisha

On Fri, 25 Mar 2005, Benoit St-André wrote:

Timo M?ller wrote:

Hi,
who exactly has started the vserver Project and when?
Thanx

It started in 2001, and was created by Jacques Gelinas.
Full info at http://www.solucorp.qc.ca/miscprj/s_context.hc , which was
the vserver site before the project was turned into a community project,
which Herbert now leads.
You can check the ChangeLog of Jacques for more info on the when part:
http://www.solucorp.qc.ca/changes.hc?projet=vserver

--
Benoit St-André
[EMAIL PROTECTED]
My weblog: http://benoitst-andre.net/blog/
Do you know Linuxédu-Québec? http://linuxeduquebec.org


Re: [Vserver] util-vserver (becoming stable ?)

2005-03-22 Thread Gregory (Grisha) Trubetskoy
How much (ballpark) does an internet connection cost?
On Tue, 22 Mar 2005, Herbert Poetzl wrote:
Hi Community!
the util-vserver tools (which started as a rewrite
of the existing tools jacques provided) did see a
lot of innovative changes and overall improvements
in the last year (or a little longer) and we all
know that the tools are very important for usability
and acceptance of Linux-VServer ...
now we are trying to focus on stabilizing tools and
kernel (for 2.6) to such degree, that we might be
able to get a stable release in a few months ...
you probably remember the guy doing all that work
(on util-vserver) Enrico Scholz, who managed to still
maintain those tools while working on his studies ...
now (or to be precise, a fortnight ago) he finished
his diploma thesis ...  -- Congratulations Enrico!
but unfortunately this means that he will leave the
university campus, which in turn means that he will
lose his internet connectivity (actually pretty soon,
i.e.  next wednesday), which again means, that he will
not be able to work on that stuff, if we do not find
a suitable solution to get him network access ...
it seems that for now (please correct me if you know
more than we do) some kind of dial-up (probably ISDN)
is the only way for him ... and as he is living in
germany, I thought maybe some cool provider could
help him there, because ISDN (not speaking of 24/7)
is really not cheap in europe ...
so I'd like to ask on his behalf: is somebody able to
sponsor/provide/arrange/whatever internet connectivity
for Enrico (D-09432 Grossolbersdorf) so that he can
continue his work on util-vserver and allow him to
work with the community?
please let us know!
TIA,
Herbert


Re: [Vserver] util-vserver (becoming stable ?)

2005-03-22 Thread Gregory (Grisha) Trubetskoy
I think OpenHosting could spare about $100/month (about half of 8 hr) - 
anyone else would like to pitch in?

Grisha
On Wed, 23 Mar 2005, Herbert Poetzl wrote:
On Tue, Mar 22, 2005 at 02:24:35PM -0500, Gregory (Grisha) Trubetskoy wrote:
How much (ballpark) does an internet connection cost?
a quick check at http://www.teltarif.de gave somewhat
confusing information (as with all telcos in europe)
but it boils down to:
 - ~ 0.9 cent per minute
 - about 20-30 EUR per month service
if I assume 8h per day, at least 6 days a week, we
are at 11520 minutes per month or roughly 120 EUR
(24/7 would cost around 400 EUR *yikes*)
anyway, it would be really cool if this could be
done by a local provider or a company nearby, because
this would probably save money ...
thanks for asking,
Herbert


Re: [Vserver] Linux (2.6.10) Patch Vserver (1.9.4) + Grsecurity (2.1.1-2.6.10-as2-20050124225)

2005-03-02 Thread Gregory (Grisha) Trubetskoy
On Wed, 2 Mar 2005, Herbert Poetzl wrote:
kernel, is there any chance VServer patch ever will?
well, actually I do not really consider linux-vserver
so general that it should be on every linux box, be
it my mobile phone or your favorite linux game engine
it's very specific software and I guess it's not worth
the code in mainline when it is used by, let's say 1%
of the linux kernel users ...
But on the other hand this (or very similar) functionality is standard in 
FreeBSD and Solaris.

Grisha


Re: [Vserver] Regarding Hard CPU scheduler

2005-02-25 Thread Gregory (Grisha) Trubetskoy
On Fri, 25 Feb 2005, Herbert Poetzl wrote:
Speaking of token-buckets - is there a disk IO TB in the plans somewhere? 
I saw a reference to something like that on some UML board today...

Cheers!
Grisha


Re: [Vserver] Fw: [Xen-devel] Tiny patch: xen and vserver

2005-02-23 Thread Gregory (Grisha) Trubetskoy
What I think would be even more interesting/useful is to run UML inside a 
vserver. Has anyone tried it?

Grisha
On Tue, 22 Feb 2005, Matt Ayres wrote:
Here is a patch for Vserver to run under Xen that was posted to the Xen 
devel list.  It might be useful for some people.


Re: [Vserver] Linux-VServer Community Fund?!

2005-02-21 Thread Gregory (Grisha) Trubetskoy
On Mon, 21 Feb 2005, Herbert Poetzl wrote:
sure, as this is a new concept (basically the linux-vserver
developers are all working for fun in their spare time) so
nobody has really thought about that yet (input appreciated)
What I've seen work great in the past is if you establish a target amount, 
i.e. this much will keep us going for the next 6 months, then run a 
campaign to reach it with a running total on a webpage. Don't be timid, 
post to /. :-) . Usually you'll get more than what you asked for.

This is a great example: http://people.freebsd.org/~phk/funding.html
My (virtual) $.02
Grisha


Re: [Vserver] Re: Linux-VServer Agenda ...

2005-02-20 Thread Gregory (Grisha) Trubetskoy
On Sun, 20 Feb 2005, Nicolas Costes wrote:
You need to deeply discuss those facts with the company, and why not try to
secure the vservers' future in the job contract... My English is too bad when
it comes to that domain, but I can try to say it like this: I agree to work
for you if you agree to support vservers development, instead of trying to
make them disappear, ie. use and promote the vservers technology in your
products, and respect the GPL.
That'd be all water under the bridge, since ultimately a corporation is to 
serve its stockholders regardless of what any officer of the corporation 
may say, even if it is truly spoken from the heart.

The key thing is the holder of the copyright. And a typical employment 
agreement usually states that whatever work you do is actually owned by 
the company (regardless whether you do it in your spare time). And whoever 
owns the copyright can govern the project in whichever direction possible, 
even make part or all of it closed-source. I do not mean to say that this 
is what's going to happen, but it's a possibility nonetheless.

Therefore the ideal situation is when the copyright is owned by a separate 
corporate entity, usually a not-for-profit, formed with a charter to 
specifically to support the project. Some good examples are the ASF 
(apache), Mozilla Foundation, OSDL, PSF, etc, etc. These organizations 
have no other interests, are not there to make money and cannot be easily 
intimidated legally or otherwise. There is a good reason why all these 
foundations exist in today's world of SCO and the like.

Grisha


Re: [Vserver] openvps

2005-01-31 Thread Gregory (Grisha) Trubetskoy
Dimitry -
OpenVPS has a mailing list- [EMAIL PROTECTED]
Grisha
On Fri, 28 Jan 2005, Abdrashitov Dmitry wrote:
Hello!
Does anybody use vserver-hosting from www.openvps.org?
I have some questions...
Dmitry


[Vserver] memory accounting - impossible?

2005-01-31 Thread Gregory (Grisha) Trubetskoy
I just wanted to confirm this on the list, let me know if the following 
statement isn't true. (I think that if true, this is something that 
should be well documented somewhere):

There is no way to accurately account for a context's memory utilization. 
The values reported by vserver-stat and in /proc/virtual/*/limit are the 
sum of VM/VML/RSS for each individual process, and it does not account for 
the fact that these processes could be referencing same pages in memory, 
which they usually do after a fork(). So the more fork()s, the more skewed 
the counters are.

Also, there is no simple way to overcome this limitation without 
significantly changing the code that deals with memory management.

Grisha


[Vserver] stopping a context with zombie

2005-01-24 Thread Gregory (Grisha) Trubetskoy
Hi -
Has anyone else had trouble killing a context that has zombie processes in 
it? This creates an annoying situation where the context cannot be started 
back up because utils-vserver complain that it is running already, yet I'm 
not aware of a way to eliminate a zombie.

This is vs 1.9.3 and latest alpha tools.
Grisha


Re: next gen platform (was Re: [Vserver] VServer 2.6.9-1.9.3 uptime 63d :-))

2005-01-19 Thread Gregory (Grisha) Trubetskoy
FC3 seems pretty stable:
# cat /etc/fedora-release
Fedora Core release 3 (Heidelberg)
# uptime
 15:13:32 up 40 days, 17:59,  2 users,  load average: 0.04, 0.05, 0.01
# uname -a
Linux XXX 2.6.9-vs1.9.3x #11 SMP Thu Dec 9 21:10:52 EST 2004 i686 i686 i386 
GNU/Linux
Grisha
On Wed, 19 Jan 2005, Eric Jorgensen wrote:
This thread actually brings up a good question I've
been meaning to ask.  I've set up several vserver
machines with several dozen guests, all on a RH9 base:
kernel-2.4.22ctx-17c
kernel-2.4.25-vs1.26
kernel-2.4.26-vs1.28smp
I've now been looking to make a switch for my host OS.
I was less than impressed with Fedora Core 1 and 2,
but have been quite pleased with Fedora Core 3, at
least on the desktop.   And since it does have a 2.6
series kernel, I'm contemplating switching to it.  But
I'd rather wait for the platform to be completely stable
before moving.  I'd rather not be changing/upgrading
every week. I'd also like to transparently move my
existing vserver guests.  I am RH/Fedora leaning.
Where are others going with their 2.6 installations,
especially those wanting to be on the trailing edge?
Thanks,
Eric


--- Tomas Fasth [EMAIL PROTECTED] wrote:
Talking about uptime and stability; The following is
an old
installation of ours still serving customers;
serverhost$ uname -rvm
2.4.20-mppe+ctx+xfs+vlan-k7 #1 Mon Sep 15 11:18:51
CEST 2003 i686
serverhost$ echo $(uptime) # getting rid of double
spaces
15:07:55 up 490 days, 8:24, 1 user, load average:
0.02, 0.03, 0.00
serverhost$ sudo vserver-stat | expr $(wc -l) - 2
32
Well, not much of a load for the moment. But still
... ;)
// Tomas


Re: next gen platform (was Re: [Vserver] VServer 2.6.9-1.9.3 uptime 63d :-))

2005-01-19 Thread Gregory (Grisha) Trubetskoy
On Wed, 19 Jan 2005, Roderick A. Anderson wrote:
Jacques did a pretty good promo for Vserver on the linuxconf list and I
got the impression from it he has at least one Vserver running FC3.  I
was going to ask him about the steps he uses to build the FC3 vserver
kernel -- plus a few other questions -- hopefully today.  When I hear back
I'll let you know ... well actually I think he might lurk here a bit.
There is an FC3 kernel here if you need one. It's a vanilla kernel RPM, 
doesn't have any RedHat patches in it:

http://www.openvps.org/dist/misc/kernel-2.6.9vs1.9.3x-3.i386.rpm
Grisha


Re: next gen platform (was Re: [Vserver] VServer 2.6.9-1.9.3 uptime 63d :-))

2005-01-19 Thread Gregory (Grisha) Trubetskoy
On Wed, 19 Jan 2005, Roderick A. Anderson wrote:
I keep forgetting to check in at openvps.org.  I used some instructions I
think you provided to build a FC1 Vserver RPM and it was a smooth process.
That system is an AMD K6/2 500 with 256 MByte RAM and currently running 6
vservers ; four of them web sites.  No complaints from the owner.
Since I'm mostly a user ; when you say without Redhat patches ; do I
lose anything important?
If it boots and runs as expected, then you're not losing anything. That's 
just my opinion :-) I think the RH patches are mostly for specific 
hardware and various esoteric things that they need to work, I've yet to 
find a problem with the vanilla kernel.

Grisha


Re: [Vserver] Regarding Hard CPU scheduler

2005-01-13 Thread Gregory (Grisha) Trubetskoy
This thread has lots of info:
http://www.mail-archive.com/vserver@list.linux-vserver.org/msg03324.html
Grisha
On Thu, 13 Jan 2005, shishir randive wrote:
Hi ,
I am new to vserver , I want to know the
details about the Hard CPU scheduler used by the
vserver.
There is very little information
available about the Hard CPU scheduler, so where can
I get the detail information about the Hard CPU
scheduler.
What algorithm is used by Hard CPU scheduler
for Inter context and Intra context scheduling ?
  Thanking you ,
  Regards,
  Shishir.



Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Gregory (Grisha) Trubetskoy
On Thu, 13 Jan 2005, Herbert Poetzl wrote:
On Thu, Jan 13, 2005 at 03:27:19PM +0100, Thomas Weber wrote:
So I think the util-vserver package should make sure that there is
capability support in the kernel before starting the vserver or else it
will silently run insecure vservers!
well, IMHO that is something beyond the scope of util-vserver. why? 
simple, you would encounter the same issues on a vanilla system, if you 
do not load or compile in the capability stuff, similar to the issues 
you will encounter if you do not compile in support for ipv4, which 
clearly is _not_ something util-vserver should take care of when 
starting a new vserver ...
If I try to configure ipv4 on an interface using a kernel that does not 
have ipv4 support I presume I will get an error (I've never actually tried 
running a kernel sans ipv4) - it sounds like util-vserver tools don't 
error out when you try to set a capability on a kernel that does not 
support them, which IMHO is not right.

my $0.02
Grisha


[Vserver] CAN-2004-1235 anyone?

2005-01-11 Thread Gregory (Grisha) Trubetskoy
Is this something to worry about on vs 1.9.3 kernels?
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
I saw Fedora released an updated kernel, though the comment at the 
beginning of the exploit code in the link above says tested only on 
2.4.x. I for one could get it to compile, though I didn't try very hard.

Grisha


Re: [Vserver] Sys V IPC tracking

2004-12-28 Thread Gregory (Grisha) Trubetskoy
On Tue, 28 Dec 2004, Herbert Poetzl wrote:
On Mon, Dec 27, 2004 at 02:45:12PM -0500, Gregory (Grisha) Trubetskoy wrote:

Hi all, Merry XMas -
Is there a simpler way to track IPC resources short of entering every
context and running ipcs? It seems that context 1 can only see its own
semaphores/locks/etc, wouldn't it make more sense if it saw all of them?
I take this as a feature request ... will look into it soon.
Just to clarify this a bit:
I was originally looking at the /proc/sysvipc, which shows ipc stats for 
the current context only. The ipcs command will show _all_ ipc resources 
if run from context 0. So this is somewhat of a bug - the ipcs (or rather 
the syscalls it uses) and /proc behave differently.

To turn this into a feature request, I think it would be very neat if the 
/proc/sysvipc/ directory for a context XYZ appeared as
/proc/virtual/XYZ/sysvipcs/.

The rationale behind this is monitoring/tracking tools that constantly 
check these values, sometimes under bad server conditions - it's a lot 
more efficient to read /proc than to parse ipcs output.

On the issue of consistency between /proc and ipcs - my inclination is 
that ipcs in ctx 0 should limit resources to context 0 just like /proc, 
but should show everything in context 1. This would be consistent with ps, 
and the utils could eventually have a vipcs command that works by 
switching to ctx 1.

Thanks!
Grisha


[Vserver] Sys V IPC tracking

2004-12-27 Thread Gregory (Grisha) Trubetskoy

Hi all, Merry XMas -
Is there a simpler way to track IPC resources short of entering every 
context and running ipcs? It seems that context 1 can only see its own 
semaphores/locks/etc, wouldn't it make more sense if it saw all of them?

vs1.9.3
Thanks!
Grisha


Re: [Vserver] Mini Howto for CPU hard limits

2004-12-20 Thread Gregory (Grisha) Trubetskoy
Another tip - put ^19 (without quotes) in the flags file to get 
virtualized load average. (This will probably be replaced with a word 
eventually in utils, but for now this works). This will make the vservers 
see their own load average.

Originally, we were using sched_hard to peg the load on the server. But 
there is nothing wrong with a high load, the only problem is that our 
vserver users didn't like seeing it. With virtualized load and no hard 
scheduling you get the best of both worlds - on an idle server, a vserver 
can make use of the resources available, and on a busy server the TBS 
limits kick in.

Grisha
On Mon, 20 Dec 2004, Thorsten Gunkel wrote:
Create a file named flags and write
sched_hard


Re: [Vserver] Next Generation Networking ...

2004-12-09 Thread Gregory (Grisha) Trubetskoy
On Thu, 9 Dec 2004, Herbert Poetzl wrote:
 ifconfig en0 hw ether 00:01:02:03:04:05
and it doesn't work with non-ngnet setups ...
But wouldn't your solution give the same MAC to all vservers? I thought
he wanted different MACs for all vservers?
nope, ngnet includes 'virtual' devices per vserver
so they can be brought up/down and configured separately,
including the MAC address ...
So the virtual devices are not visible from outside and the traffic is 
routed to them inside the server, kinda like with QEMU?

Grisha


Re: [Vserver] Next Generation Networking ...

2004-12-07 Thread Gregory (Grisha) Trubetskoy
On Tue, 7 Dec 2004, Darryl Ross wrote:
I haven't had a look to see how you're doing the network stuff, but does
it support (or will it support) the ability to set the ethernet MAC
address for the virtual interface inside a vserver?
AFAIK the decision on whether to accept a packet destined for a specific 
MAC address lies within the hardware of the network card (unless it's 
running in promiscuous mode), so this is a hardware limitation.

Grisha


[Vserver] bypass xid enforcement flag?

2004-12-02 Thread Gregory (Grisha) Trubetskoy
Is there a flag that can be set that ignores persistent xids and allows a 
context to access files which are set to xids other than 0 or itself?

(this is vs 1.9.3)
Thanks!
Grisha


Re: [Vserver] cpu limits clone vservers

2004-11-24 Thread Gregory (Grisha) Trubetskoy

On Wed, 24 Nov 2004, Herbert Poetzl wrote:
Then, if you are a fat jabba, maybe you might end up getting rescheduled
instead of getting more memory whenever you want it!
thought about a simpler approach, with a TB for the
actual page-ins, so that every page-in will consume
a token, and you get a number per interval, as usual ...
There probably still needs to be a target size, which if exceeded, your 
bucket is refilled slower. This way small contexts would not be suffering 
because of a large and very active context. The sysadmins would need to 
make sure that the sum of all targets does not exceed physical RAM.

So you'd have two additional parameters - target size and fill-interval 
multiplier.

    if (is_exceeded(target)) {
        interval *= multiplier;
    }
Also - at which point does a malloc actually fail? It seems like context 0 
should have a priority over other contexts - a non-0 context should under 
no circumstances be able to exhaust the system memory.

Maybe there should be an additional level in the bucket - reschedule 
level. If I actually empty the bucket, the malloc fails?

my $0.02
Grisha
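The page-in token bucket with a target size and a fill-interval multiplier, as discussed in the message above, modelled in Python. This is an added example, not code from the thread or from the Linux-VServer patch; the class, its field names and all numbers are assumptions, and an empty bucket is modelled as a deferred page-in because the thread leaves open when an allocation should actually fail.

```python
from dataclasses import dataclass


@dataclass
class PageInBucket:
    """Token bucket for the page-ins of one context (hypothetical model)."""
    fill_rate: int      # tokens added at each refill
    interval: int       # ticks between refills while at or under target
    tokens_max: int     # bucket capacity
    target_pages: int   # target resident size of the context, in pages
    multiplier: int     # fill-interval multiplier applied when over target
    tokens: int = 0
    resident: int = 0   # pages currently resident
    deferred: int = 0   # page-ins delayed because the bucket was empty
    since_refill: int = 0

    def effective_interval(self) -> int:
        # The rule from the message: if (is_exceeded(target)) interval *= multiplier
        if self.resident > self.target_pages:
            return self.interval * self.multiplier
        return self.interval

    def tick(self) -> None:
        """Advance one tick and refill once the effective interval has elapsed."""
        self.since_refill += 1
        if self.since_refill >= self.effective_interval():
            self.tokens = min(self.tokens_max, self.tokens + self.fill_rate)
            self.since_refill = 0

    def page_in(self) -> bool:
        """Every page-in consumes one token; with no token left it is deferred."""
        if self.tokens == 0:
            self.deferred += 1
            return False
        self.tokens -= 1
        self.resident += 1
        return True


def simulate(bucket: PageInBucket, demand_per_tick: int, ticks: int) -> PageInBucket:
    """Drive a context that requests demand_per_tick page-ins on every tick."""
    for _ in range(ticks):
        bucket.tick()
        for _ in range(demand_per_tick):
            bucket.page_in()
    return bucket


def run_demo():
    """Constructed workload: a small context under target, a large one over it."""
    params = dict(fill_rate=10, interval=5, tokens_max=50, multiplier=4)
    small = simulate(PageInBucket(target_pages=1000, **params), 1, 1000)
    large = simulate(PageInBucket(target_pages=200, **params), 8, 1000)
    return small, large


if __name__ == "__main__":
    small, large = run_demo()
    print("small: resident=%d deferred=%d" % (small.resident, small.deferred))
    print("large: resident=%d deferred=%d" % (large.resident, large.deferred))
```

The small context never crosses its target and is refilled at the normal interval throughout, while the large context is refilled four times more slowly from the moment it passes 200 resident pages.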


Re: [Vserver] cpu limits clone vservers

2004-11-23 Thread Gregory (Grisha) Trubetskoy
On Tue, 23 Nov 2004, Andreea Gansac wrote:
[EMAIL PROTECTED] util-vserver]# vlimit -c 49168 --cpu 30
vc_set_rlimit(): Success
If I run a process that does only while(1){} inside the vserver, the
cpu is used only 25%-30%.
If I'm not mistaken, this simply sets the cpu time to 30 seconds, so after 
30 seconds of cpu time is used, processes in your context will be killed.

Take a look at this thread, it describes what you want. (Read the whole 
thread, because the first message from me has some omissions):

http://list.linux-vserver.org/archive/vserver/msg08134.html
Reading the error I get at vcopy I understand that vcopy creates vserver
using unification. I don't want unification. I want every vserver to
have its own logical volume, thus I can limit the space for every
vserver very easy.
I think vbuild is what I want but it's not working. Is there another
utility I don't know about? Or how can I make vbuild work?
You can limit the space much easier using the VServer disk limits. google 
for vserver vdlimit. Basically you need xid tagging enabled in the kernel 
(under VServer menu option in kernel config, off by default), need to 
compile the vdlimit tool, then the partition on which vservers reside 
needs to be mounted with the tagxid option, then you can set a limit like 
this:

/usr/local/vdlimit-0.01/vdlimit -a -x 1 \
-S 0,10,0,1,5 /vservers
This means that for context , 0 space is presently used, 10 is 
maximum allowed, 0 inodes presently used, 1 inodes maximum allowed, 5% 
of disk space is reserved for root. Note that these limits exist only 
while the server is up and therefore need to be saved on shutdown and 
restored on startup. The list archives have example scripts of how people 
do this.

Grisha


Re: [Vserver] cpu limits clone vservers

2004-11-23 Thread Gregory (Grisha) Trubetskoy
On Tue, 23 Nov 2004, Jörn Engel wrote:
What most people want in plain English:
o Every user gets some guaranteed lower bound.
o Sum of lower bounds doesn't exceed total resources.
o Most of the time, not all resources get consumed.  Add them to the
 'leftover' pool.
o Users that demand more resources than their lower bound get serviced
 from the leftover pool.
o Users that, on average, use less resources get a higher priority
 when accessing the leftover pool.
...and the big challenge is - how do you apply this to memory usage?
Grisha


Re: [Vserver] 1.9.3 kernel rpm

2004-11-21 Thread Gregory (Grisha) Trubetskoy
On Sat, 20 Nov 2004, Herbert Poetzl wrote:
hmm, just discovered that CONFIG_INOXID_INTERN is broken
in 1.9.3 so it will probably not work at all ...
Do you have more details on this? It seems to work OK here.
Grisha


[Vserver] 1.9.3 kernel rpm

2004-11-18 Thread Gregory (Grisha) Trubetskoy
there is a 2.6.9 vs 1.9.3 kernel RPM here, if you're interested:
http://www.openvps.org/dist/misc/kernel-2.6.9vs1.9.3-1.i386.rpm
it was built using the config that comes with FC3 rpm, but without any 
redhat patches. so it's large and it's got more modules compiled than 
there are stars in the sky. it's been tested on FC2 and FC3 and seems to 
work ok. it's got SMP, hardcpu, and inoxid_intern (meaning xid tagging 
will only work for ext2/3 fs).

enjoy
grisha


Re: [Vserver] Best backup of tagxid?

2004-11-09 Thread Gregory (Grisha) Trubetskoy
On Tue, 9 Nov 2004, Björn Steinbrink wrote:
On Tue, 9 Nov 2004 12:56:32 -0500 (EST)
Gregory (Grisha) Trubetskoy [EMAIL PROTECTED] wrote:
On Tue, 9 Nov 2004, Björn Steinbrink wrote:
On Tue, 9 Nov 2004 12:01:33 -0500 (EST)
Gregory (Grisha) Trubetskoy [EMAIL PROTECTED] wrote:
I don't see any reason why it should behave like that, would only
cause trouble. Example: xid 10 is limited to 500MB and has 300MB in
use. xid 0 deletes some 50MB file. Now there are files worth 250MB,
but still the kernel assumes that 300MB are in use.
I think this is fine. There is no way for context 0 to up the counter
for another context (even chxid won't increment it), by the same token
it seems more consistent if there would be no way to decrement it
either.
Where's the sense behind that? You would have to adapt the usage
statistics every now and then.
You'll just have to be mindful of this, and make sure to switch into a
context when deleting files if you want the counter to be updated. The
disk limits are volatile anyway (you have to set them upon bootup),
so it's not like it is something that is an unattended operation in
the first place.
The upside of this is that there are no special mount options that
make things like backups difficult.
What about unification? You normally don't want the unified files to
lower the usage values upon removal of those files, since actually no
space is freed.
Hmm... haven't thought about this, good point. Well how about this:
The key here is that a file belongs to a context other than 0. The actual 
xid doesn't matter.

So perhaps another fs flag would solve this. (As far as I understand there 
is no xid flag right now, IATTR_XID is an artifact of whether MS_TAGXID is 
there).

If I am in context 0 don't bother with counters.
If I am in context X and removing a file, then:
    If the file belongs to a context other than 0:
        decrement counter
If I am in context X and creating a file:
    Set the xid flag to 1
Grisha
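The counter rule proposed in the message above, run against the two cases raised in the thread (a unified file unlinked from inside a context, and a file deleted from context 0), as a small Python model. This is an added example, not code from the thread or from the VServer patch; the class, paths and sizes are constructed, and the increment on create and the limit check are assumptions based on how disk limits are described here.

```python
class DiskLimitModel:
    """Toy model of per-context disk accounting using a per-file xid flag."""

    def __init__(self):
        self.files = {}    # path -> (size_mb, flagged, owner_xid)
        self.counter = {}  # xid -> MB the accounting believes is in use
        self.limit = {}    # xid -> MB allowed

    def set_limit(self, xid, used_mb, max_mb):
        self.counter[xid] = used_mb
        self.limit[xid] = max_mb

    def create(self, xid, path, size_mb):
        """Return True if the file was created, False if the limit denied it."""
        if xid == 0:
            # Context 0 does not bother with counters; the file stays unflagged
            # (this is how a unified, host-provided file looks in the model).
            self.files[path] = (size_mb, False, 0)
            return True
        if self.counter[xid] + size_mb > self.limit[xid]:
            return False
        self.counter[xid] += size_mb
        # "Set the xid flag to 1": the file now belongs to some context.
        self.files[path] = (size_mb, True, xid)
        return True

    def remove(self, xid, path):
        size_mb, flagged, _owner = self.files.pop(path)
        # Only a removal from inside a context, of a flagged file, decrements.
        if xid != 0 and flagged:
            self.counter[xid] -= size_mb

    def actual(self, xid):
        """Ground truth for the demo: space really held by files of this context."""
        return sum(size for size, _f, owner in self.files.values() if owner == xid)


def scenario():
    m = DiskLimitModel()
    m.set_limit(10, used_mb=0, max_mb=500)
    m.create(0, "/vservers/a/usr/bin/tool", 5)      # unified file from the host
    m.create(10, "/vservers/a/home/data1", 250)
    m.create(10, "/vservers/a/home/data2", 50)
    result = {"after_creates": m.counter[10]}

    # Context 10 unlinks the unified file: no space is freed, counter unchanged.
    m.remove(10, "/vservers/a/usr/bin/tool")
    result["after_unified_unlink"] = m.counter[10]

    # Context 0 deletes a 50 MB file of context 10: counter is not decremented.
    m.remove(0, "/vservers/a/home/data2")
    result["counter"] = m.counter[10]
    result["actual"] = m.actual(10)

    # The stale counter now denies a write that would fit in the real limit.
    result["create_220_allowed"] = m.create(10, "/vservers/a/home/data3", 220)
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The 50 MB gap between counter and real usage is the drift objected to earlier in the thread; under this rule it stays until the limits are set again or files are deleted from inside the context.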


Re[2]: [Vserver] Plesk 7

2004-11-01 Thread Gregory (Grisha) Trubetskoy
On Mon, 1 Nov 2004, vs-technik wrote:
GGT Not with SMP, redundant power supplies and SCSI hardware RAID. Cheap
GGT dedicated servers are completely worthless IMHO, too bad most people
GGT don't understand it.
oh no!
this is (only) a faith-question.
we use (for all hosting-solutions) _cheap_ servers without raid and 
without scsi. but every! vserver will be rsynced to a second server and 
will work as a hotstandby-fail-over-system.
Well if this is a question of two cheap servers vs one expensive one, then 
it probably amounts to about the same thing, since you're using vserver 
anyway. I was referring to those who have a cheap dedicated server all to 
themselves, i.e. to run a low volume website (or two).

This isn't as much off-topic as it may seem, BTW. One of the things that I 
believe will lead to wider use of virtualization/separation technologies 
such as VServer is the consideration of energy consumption and rising 
energy costs. As servers get faster, they will consume more power (9W for 
a 90MHz Pentium vs 75W for a 2GHz), and at some point this will become 
significant enough where even a cheap box would not be justifiable on 
its own because of how much electricity its low end 5GHz processor 
consumes. So we're going to be back to mainframe line of thinking, where 
you don't associate physical boxen with their function (mail server, 
web server, etc.), but get one BIG box and segment it.

Grisha


[Vserver] Memory limits

2004-10-27 Thread Gregory (Grisha) Trubetskoy
I haven't seen memory discussed on this list for a while :-)
I see that there are limits listed in the /proc/virtual/XXX/limits file, 
but I couldn't find any documentation on what they mean and how to set 
them.

I'm especially curious about the RSS limit. I _think_ I've seen mentions 
that the FreeVPS patches force pages to be swapped out when the context 
exceeds the RSS limits.

I'm not sure I have a formed opinion on this approach. On one hand it 
seems like it will reduce real RAM utilization by contexts, on the other 
it may generate unnecessary disk activity...

Does VServer do something like this? What's the latest memory limit 
consensus?

Thanks,
Grisha


Re: [Vserver] Template server files

2004-10-24 Thread Gregory (Grisha) Trubetskoy

Here is what we do in OpenVPS. This is Fedora biased.
I think the utils strategy is copy-everything-then-unify, whereas we stuck 
to hardlink-as-you-copy-then-leave-it-alone. Either strategy is fine, it 
probably more depends on what you're doing. In our case the vserver is 
intended to be passed to a client/customer/etc, so it's best not to touch 
those files once they're released, which is why we've been avoiding vunify.

We pretty much follow these steps:
1. Build a reference server like any other server (there is more than one 
way to do it, we just use rpm and then manually adjust little things, the 
vserver utils use the magic of apt to do it).

2. There is a fixflags script. It walks the tree and sets certain things 
immutable (iunlink to be exact). The strategy is similar to what vunify 
does - we rely on RPM package information, if a file is marked as config 
it is not flagged with iunlink.

3. To make a vserver you have a clone script. The clone script makes 
hard links to files that are iunlink, and copies most everything else. 
Some files are not copied, but just created (touched). The specific clone 
rules we use look like this (these rules make an assumption that the 
reference server is in a pristine state, otherwise you'd need a more 
elaborate set of rules):

CLONE_RULES = {
    'copy'  : ['/etc', '/var', '/root', '^/dev'],
    'touch' : ['/var/log', '/var/run', r'\.bash_history'],
    'skip'  : ['ssh_host_', '.pem$', '/proc/', '/var/tmp/',
               '/var/cache/.*/.+']
}

(this is in python, btw)

This means /etc is always copied, everything in /var/log is always 
touched, .pem files are skipped, etc.

4. If you update the reference server, just go ahead and do it, and 
remember to run the fixflags afterwards, or the clone step will not 
hardlink the new files because they're not iunlink.

Haven't tried vserver-copy, it probably does something similar.
Grisha
On Sun, 24 Oct 2004, Tor Rune Skoglund wrote:
Hi List,
when trying to make a good template server, one obviously has
to start and enter the virtual server and test the installation
of it, add some programs, make config changes in it and so on.
But when using it as a template, some files must be removed
or altered before it is made production ready. AFAICS at
least these have to be changed/deleted:
* ssh keys
* shell history file
* root password setting
* any standard users password settings
I am sure there are more, so if any of you experts out there
has additions to the list, please mail me or the list.
I'll make a summary on the wiki afterwards.
Also, I do not know how well vserver-copy or other copy tools
handle such files, as the documentation seems to be a bit
sparse on the tools. Any enlightment on these matters will
be highly appreciated.
Best regards
Tor Rune Skoglund
[EMAIL PROTECTED]
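
One way to apply the clone rules from the reply above and check what still reaches a new guest, as an added sketch (not OpenVPS code). It assumes the patterns are used with re.search, that skip beats touch beats copy, and that unmatched files are hard-linked only when they carry iunlink; the SENSITIVE patterns and the sample tree are constructed for the example.

```python
import re

# Rules exactly as posted in the message above.
CLONE_RULES = {
    'copy':  ['/etc', '/var', '/root', '^/dev'],
    'touch': ['/var/log', '/var/run', r'\.bash_history'],
    'skip':  ['ssh_host_', '.pem$', '/proc/', '/var/tmp/',
              '/var/cache/.*/.+'],
}

# Assumption: when several rule sets match, the one that carries the
# least data into the new guest wins (skip, then touch, then copy).
PRECEDENCE = ('skip', 'touch', 'copy')

# Assumption: constructed patterns for material that should be unique
# per guest (password hashes, keys, login authorisations, shell history).
SENSITIVE = [r'/g?shadow-?$', r'ssh_host_', r'\.pem$', r'/\.ssh/',
             r'\.bash_history$']


def clone_action(path, iunlink=False):
    """Return 'skip', 'touch', 'copy' or 'link' for one reference file."""
    for action in PRECEDENCE:
        if any(re.search(pat, path) for pat in CLONE_RULES[action]):
            return action
    # No rule matched: share the inode only if fixflags marked it iunlink,
    # otherwise give the guest its own copy.
    return 'link' if iunlink else 'copy'


def plan_clone(tree):
    """tree: iterable of (path, iunlink) pairs from the reference server."""
    return {path: clone_action(path, iunlink) for path, iunlink in tree}


def audit_plan(plan):
    """Paths whose content reaches the guest although they look sensitive."""
    return sorted(
        path for path, action in plan.items()
        if action in ('copy', 'link')
        and any(re.search(pat, path) for pat in SENSITIVE)
    )


# Constructed sample of a reference server tree: (path, has iunlink flag).
REFERENCE_TREE = [
    ('/bin/bash', True),
    ('/usr/share/doc/README', False),
    ('/etc/passwd', False),
    ('/etc/shadow', False),
    ('/etc/ssh/sshd_config', False),
    ('/etc/ssh/ssh_host_rsa_key', False),
    ('/etc/httpd/conf/server.pem', False),
    ('/root/.bash_history', False),
    ('/root/.ssh/authorized_keys', False),
    ('/var/log/messages', False),
    ('/var/cache/yum/base/header.rpm', False),
    ('/dev/null', False),
]

if __name__ == '__main__':
    plan = plan_clone(REFERENCE_TREE)
    for path, action in sorted(plan.items()):
        print(f'{action:5}  {path}')
    print('still propagated:', audit_plan(plan))
```

On the sample tree the host keys, the .pem file and the shell history are kept out of the guest, while /etc/shadow and /root/.ssh/authorized_keys are copied as they stand in the reference server, so those need resetting before a guest is handed over.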


Re: [Vserver] Replication

2004-10-21 Thread Gregory (Grisha) Trubetskoy
On Thu, 21 Oct 2004, Thomas Hug wrote:
Hi
On Wed, 20 Oct 2004 11:20, David MacKinnon wrote:
It's also a bit more cpu intensive than drbd. This may or may not be a 
concern for you.
On the 1.9.x vserver this can be addressed with vsched. I've been able to 
make it work pretty well and plan on sending a quick how-to to the list.

On my servers I run a nightly dump of /vservers, which can be pretty cpu 
intensive and I'm currently experimenting with being able to pace it with 
vsched.

Grisha


[Vserver] quick vsched howto

2004-10-21 Thread Gregory (Grisha) Trubetskoy
As promised, here are my vsched findings. My set up is 
util-vserver 0.30.195 and vs 1.9.3.

The token-bucket scheduler principle is pretty well explained here:
http://www.linux-vserver.org/index.php?page=Linux-VServer-Paper-06

vsched takes the following arguments:

   --fill-rate
       The number of tokens that will be placed in the bucket.
   --interval
       How often (the above specified) number of tokens will be placed.
       This is in jiffies. Through some googling I've found references
       that a jiffy is about 10ms, but it seems to me it's less than
       that. Not sure if the CPU speed has bearing on it. (Anyone know?)
   --tokens
       The bucket starts out with this many tokens. Tokens_max takes
       precedence here, so it cannot be higher than tokens_max.
   --tokens_min
       When a bucket is empty, the context is on hold _until_ at least
       this many tokens are in the bucket.
   --tokens_max
       The size of the bucket. When tokens aren't being used, the bucket
       will be getting fuller and fuller, but up to this value. So in effect
       this is your CPU burst parameter.
   --cpu_mask
       This is obsolete, but I've found the current vsched is a little
       picky and will segfault if you omit parameters, so I always
       specified 0 here.

According to the VServer paper, "At each timer tick, a running process 
consumes exactly one token from the bucket". Here "running" means actually 
needing the CPU as opposed to "running" as in "existing". Most processes 
are not running most of the time, e.g. an httpd waiting on a socket isn't 
running, even though ps would list it.

A token is quite a bit of CPU time (again I'm not sure if this is CPU 
speed dependent, my tests were on a 2.8GHz Xeon). Typing python on the 
command line (which is a huge operation IMHO) consumes 17 tokens in my 
tests. Having 10 tokens in your bucket is probably sufficient for a 
medium size compile job.

Here are some guidelines. All this is very much unscientific and without a 
lot of testing and theory behind it, so if someone has better guidelines, 
please pitch in.

When trying to come up with a good setting in my environment (basically 
hosting), I was looking for values that would not cripple the snappiness 
of the server, but prevent people from being stupid (e.g. cat /dev/zero | 
bzip2 | bzip2 | bzip2 > /dev/null).

The fill interval should be short enough to not be noticeable, so 
something like 100 jiffies. The fill rate should be relatively small, 
something like 30 tokens. Tokens_min seems like it should simply be equal to 
the fill rate. The tokens_max should be generous so that people can do 
short cpu-intensive things when they need them, so something like 1 
tokens.

You can see current token stats by looking at
/proc/virtual/xid/sched
on the mother server. (If fill_rate is 115 no matter what you do, see my 
vsched posting earlier in the list).

You can also use vsched to pace any cpu intensive command, e.g.:

vcontext --create -- \
  vsched --fill-rate 30 \
         --interval 100 \
         --tokens 100 \
         --tokens_min 30 \
         --tokens_max 200 \
         --cpu_mask 0 -- /bin/my_cpu_hog

While playing with this stuff I've run into situations where a context has 
no tokens left, at which point you cannot even kill the processes in it. 
Don't panic - you can always reenter the context and call vsched with new 
parameters.

I think that's about it.
HTH,
Grisha


Re: [Vserver] quick vsched howto

2004-10-21 Thread Gregory (Grisha) Trubetskoy
On Thu, 21 Oct 2004, Herbert Poetzl wrote:
yes, this is if the hard scheduler is actually enabled
That's one I forgot to mention - none of this has any visible effect (and 
by that I mean inability to drive the load to 30) unless sched_hard flag 
is set.

So the pacing example should really be:

 vcontext --create -- \
   vsched --fill-rate 30 \
          --interval 100 \
          --tokens 100 \
          --tokens_min 30 \
          --tokens_max 200 \
          --cpu_mask 0 -- \
     vattribute --flag sched_hard -- /bin/my_cpu_hog

Grisha
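
The bucket behaviour described in the howto and in the sched_hard follow-up above, as a small simulation added here (not code from the thread or from util-vserver). It assumes a single always-runnable process, one token consumed per tick and a refill every --interval ticks; Bucket, simulate and the helper names are made up for the example.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass
class Bucket:
    fill_rate: int    # tokens added per refill        (--fill-rate)
    interval: int     # ticks between refills, jiffies (--interval)
    tokens: int       # initial fill                   (--tokens)
    tokens_min: int   # level needed to leave "hold"   (--tokens_min)
    tokens_max: int   # bucket size, i.e. the burst    (--tokens_max)


def simulate(b, ticks, hard=True):
    """Per-tick trace for a CPU hog: True where it ran, False where held."""
    tokens = min(b.tokens, b.tokens_max)   # tokens_max takes precedence
    on_hold = False
    trace = []
    for t in range(1, ticks + 1):
        if t % b.interval == 0:
            tokens = min(tokens + b.fill_rate, b.tokens_max)
        if not hard:
            # Model of the follow-up's point: without sched_hard the
            # bucket is drained but the context is never held back.
            tokens = max(tokens - 1, 0)
            trace.append(True)
            continue
        if on_hold and tokens >= b.tokens_min:
            on_hold = False                # enough tokens again: release
        if on_hold or tokens == 0:
            on_hold = True
            trace.append(False)
            continue
        tokens -= 1                        # a running process eats one token
        on_hold = tokens == 0              # empty bucket: hold from now on
        trace.append(True)
    return trace


def initial_burst(trace):
    """Ticks the process runs before it is put on hold for the first time."""
    return next((i for i, ran in enumerate(trace) if not ran), len(trace))


def longest_stall(trace):
    """Longest run of consecutive ticks in which the process was held."""
    return max((len(list(g)) for ran, g in groupby(trace) if not ran),
               default=0)


def cpu_share(trace):
    """Fraction of ticks in which the process ran."""
    return sum(trace) / len(trace)


if __name__ == '__main__':
    # Values from the pacing example in the howto.
    paced = Bucket(fill_rate=30, interval=100, tokens=100,
                   tokens_min=30, tokens_max=200)
    # Same bucket, but tokens_min three times the fill rate.
    sluggish = Bucket(fill_rate=30, interval=100, tokens=100,
                      tokens_min=90, tokens_max=200)
    for name, bucket in (('tokens_min=30', paced), ('tokens_min=90', sluggish)):
        trace = simulate(bucket, 1199)
        steady = trace[399:]               # skip the start-up burst
        print(f'{name}: burst {initial_burst(trace)} ticks, '
              f'steady stall {longest_stall(steady)} ticks')
    print('without sched_hard:',
          cpu_share(simulate(paced, 1199, hard=False)))
```

In this model the howto's values give the hog a 130-tick burst and then 30 of every 100 ticks; raising tokens_min to 90 stretches each stall from 70 to 210 ticks.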


Re: [Vserver] quick vsched howto

2004-10-21 Thread Gregory (Grisha) Trubetskoy
On Fri, 22 Oct 2004, Sam Vilain wrote:
Gregory (Grisha) Trubetskoy wrote:
On Thu, 21 Oct 2004, Herbert Poetzl wrote:
yes, this is if the hard scheduler is actually enabled

That's one I forgot to mention - none of this has any visible effect (and 
by that I mean inability to drive the load to 30) unless sched_hard flag 
is set.
A load of 30 is not a real problem (in terms of CPU, anyway)
...
So all you're doing is hiding the problem and underutilising your CPUs.
There is a lot of truth to that. While I agree that high load is 
actually a good thing, some programs like sendmail change their behaviour 
based on load and do strange things like stop accepting new mail. _People_ 
are even worse this way - their blood pressure rises with load :-). It 
almost seems that some sort of a fictitious reading of a load inside a 
context would be beneficial.

Grisha


Re: [Vserver] [PATCH] immulink ioctl is not available on vs1.9.3-rc2, even with CONFIG_VSERVER_LEGACY

2004-10-19 Thread Gregory (Grisha) Trubetskoy
On Tue, 19 Oct 2004, Herbert Poetzl wrote:
already in 2.6.9-final-vs1.9.3-rc4 ;)
What's the URL to get the patches these days? The stuff on the site is 
1.9.1.

Thanks,
Grisha


Re: [Vserver] bind mounts within a vserver?

2004-10-15 Thread Gregory (Grisha) Trubetskoy
On Fri, 17 Sep 2004, Herbert Poetzl wrote:
On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy wrote:
Is it possible to somehow use mount --bind from within a vserver?
(vs1.28).
not in a secure way with the 2.4 stable branch, but
it is with recent 2.6 (vs1.9.x) devel branch ...
Could you please elaborate on this?
On 1.9.3-rc2.1/latest utils I see that I can mount after I give the 
context SYS_ADMIN bcap, but that doesn't seem like a wise thing in a web 
hosting scenario (our case) - is there some other way?

Thanks,
Grisha


[Vserver] ping without cap_net_raw in 1.9.3 - how?

2004-10-14 Thread Gregory (Grisha) Trubetskoy
I noticed that in vs 1.9.3 ping appears to work even without CAP_NET_RAW 
(This is Fedora Core 2).

Just curious, how's this possible?
Thanks!
Grisha


Re: [Vserver] Bringing down vsever brings down _all_ interfaces

2004-10-12 Thread Gregory (Grisha) Trubetskoy
I had something similar happen, but then it turned out the problem was 
with my config. I figured it out by inserting an occasional echo statement 
into /usr/local/lib/util-vserver/vserver.functions (disableInterfaces() is 
the func you'd probably be most interested in) to see what 'ip' commands 
are issued, e.g.:

instead of (line 575)

    IP_ADDR)  $_IP addr  del $@;;

make it

    IP_ADDR)
        echo $_IP addr  del $@
        $_IP addr  del $@;;

then stop the vserver
HTH
Grisha
On Wed, 13 Oct 2004, David MacKinnon wrote:
Just ran into this today on some new servers I'm setting up.
util-vserver 0.30.195 (but it happened with 190 as well)
vserver 2.6 patch 1.9.2 on 2.6.8.1 (with dm/drbd and nfs patches)
When I stop _any_ vserver, it brings down _both_ eth0 and eth1 (leaving only 
lo up).

This happens with vservers on the same subnet as the host, or on completely 
different networks.

I haven't come across this before, I have another box with 2.6.8 + vs1.9.2 
(no other patches) with util-vserver 0.30.190 that doesn't exhibit this 
behaviour. Copying the config from this working machine doesn't help at all.

Anyone come across this before? I suppose I'll try stripping out other kernel 
patches, but I'm not wonderfully hopeful.

Thanks,
-David


[Vserver] interfaces show ip addresses?

2004-10-06 Thread Gregory (Grisha) Trubetskoy
In vs 1.9.3 I noticed that ifconfig from within a vserver shows the inet 
addr of eth0 and lo (in 1.2x it did not) - is this the way it's supposed 
to be, or am I missing a configuration option of some kind?

Thanks!
Grisha


Re: [Vserver] interfaces show ip addresses?

2004-10-06 Thread Gregory (Grisha) Trubetskoy
Strange... after a reboot it behaves differently - pretty much gives me 
what I need - hide the IP of eth0, but show the vserver IP. Before it 
would hide all interfaces completely. Not sure what happened there...

Grisha
On Wed, 6 Oct 2004, Gregory (Grisha) Trubetskoy wrote:

On Wed, 6 Oct 2004, Herbert Poetzl wrote:
On Wed, Oct 06, 2004 at 04:28:03PM -0400, Gregory (Grisha) Trubetskoy 
wrote:
In vs 1.9.3 I noticed that ifconfig from within a vserver shows the inet
addr of eth0 and lo (in 1.2x it did not) - is this the way it's supposed
to be, or am I missing a configuration option of some kind?
yes! (yes or yes)
it is supposed to be so, and you are probably looking
for VXF_HIDE_NETIF ...
But this appears to be hiding all interfaces, so that ifconfig shows nothing 
at all?

What can I do to get it to behave more like 1.2x, where it shows the IP 
address of the vserver but not much else ?

TIA,
Grisha


Re: [Vserver] interfaces show ip addresses?

2004-10-06 Thread Gregory (Grisha) Trubetskoy
OK, this isn't over yet :-)
I just compiled and installed 2.6.8.1-vs1.9.3-rc2.1, with 
util-vserver-0.30.195 on a freshly installed FC1 machine.

Created a vserver, created a config (using the new utils method). When I 
start it (with or without hide_netif in the flags file), the interface is 
NOT created (ifconfig does not show it from either outside or inside), yet 
I can ping the IP number and ssh to the vserver from outside.

I noticed a listdevip tool in utils, it shows:
# ./listdevip
127.0.0.1/255.0.0.0
192.168.1.105/255.255.255.0
192.168.1.130/255.255.255.0
The .130 address is the vserver.
Is this normal?
More info:
The exact config:
# find . -type f -print -exec cat {} \;
./context
1000
./flags
lock
./uts/nodename
test.ispol.com
./nice
9
./interfaces/0/dev
eth0
./interfaces/0/ip
192.168.1.130
./interfaces/0/bcast
192.168.1.255
./interfaces/0/mask
255.255.255.0
./fstab
none    /dev/pts        devpts  gid=5,mode=620  0 0
none    /proc           proc    defaults        0 0

From inside the vserver:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:30:1B:33:8E:9E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:590 errors:0 dropped:0 overruns:0 frame:0
          TX packets:367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:55077 (53.7 Kb)  TX bytes:75701 (73.9 Kb)
          Interrupt:209 Base address:0x9000

From outside:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:30:1B:33:8E:9E
          inet addr:192.168.1.105  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::230:1bff:fe33:8e9e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:58251 (56.8 Kb)  TX bytes:79517 (77.6 Kb)
          Interrupt:209 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1240 (1.2 Kb)  TX bytes:1240 (1.2 Kb)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Thanks,
Grisha
On Wed, 6 Oct 2004, Herbert Poetzl wrote:
On Wed, Oct 06, 2004 at 04:28:03PM -0400, Gregory (Grisha) Trubetskoy wrote:
In vs 1.9.3 I noticed that ifconfig from within a vserver shows the inet
addr of eth0 and lo (in 1.2x it did not) - is this the way it's supposed
to be, or am I missing a configuration option of some kind?
yes! (yes or yes)
it is supposed to be so, and you are probably looking
for VXF_HIDE_NETIF ...
HTH,
Herbert
Thanks!
Grisha


[Vserver] vdlimit question

2004-10-05 Thread Gregory (Grisha) Trubetskoy
Hello -
this is vdlimit 0.01, linux 2.6.8.1, vs 1.9.2.
I'm not sure vdlimit is supposed to behave this way, or am I missing 
something (as is not unusual):

# df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda5             26193716  18202564   6660572  74% /
/dev/hda3               101105     11053     84831  12% /boot
none                    257996         0    257996   0% /dev/shm
/var/tmp/vserver       1007896    820568    136128  86% /vservers

(/vservers is mounted on a loop-mounted file, not that it should matter)

# vserver zzz exec df -k | grep hdv
WARNING: can not find configuration, assuming legacy method
/dev/hdv1              1007896    820568    136128  86% /

(zzz is xid 10101, the WARNING skipped below)

now just some random numbers:

# ./vdlimit -a -x 10101 -S 200,20,300,4000,5 /vservers
/vservers: 200,20,300,4000,5
# vserver zzz exec df -k | grep hdv
/dev/hdv1                   20     12672    136128   9% /

Why 12672?

# ./vdlimit -x 10101 -d /vservers
vc_get_dlimit: No such process   <--- also is this a problem?
/vservers: 0,0,0,0,0
# ./vdlimit -a -x 10101 -S 1000,20,300,4000,5 /vservers
/vservers: 1000,20,300,4000,5
# vserver zzz exec df -k | grep hdv
WARNING: can not find configuration, assuming legacy method
/dev/hdv1                   20     12672    136128   9% /

again 12672?

# ./vdlimit -x 10101 -d /vservers
vc_get_dlimit: No such process
/vservers: 0,0,0,0,0
# ./vdlimit -a -x 10101 -S 1000,30,300,4000,5 /vservers
/vservers: 1000,30,300,4000,5
# vserver zzz exec df -k | grep hdv
/dev/hdv1                   30    112672    136128  46% /

now 112672?

Anyone seen this? Also, should I be using vdlimit at all or is there a 
util-vserver equivalent?

P.S.
this looks right, however:

# vserver zzz exec df -i | grep hdv
/dev/hdv1                 4000       300      3700    8% /

Thanks!
Grisha


[Vserver] 2.6 kernel and links to immutable files

2004-10-04 Thread Gregory (Grisha) Trubetskoy
I noticed that in 2.6 kernel you cannot create (hard) links to immutable 
files.

So if I am trying to build a unified server, is my only option to remove 
the immutable flag temporarily while I link to it? This seems insecure.

Or am I missing something obvious? Has anyone else run into this?
Thanks,
Grisha


Re: [Vserver] Announcing the OpenVPS ISO (first stab)

2004-10-01 Thread Gregory (Grisha) Trubetskoy

On Thu, 30 Sep 2004, Herbert Poetzl wrote:
The (very basic so far) instructions on how to use it and the link to the
ISO itself are here:
http://www.openvps.org/Plone/download/ISO


b) 2.4.27 and vs1.29 are out ... how hard is an update?
   is it planned in the near future or will this take some
   time, maybe until 2.4.28 is out?

Just updated the ISO on the site to kernel 2.4.27 and vs 1.29.
Grisha


Re: [Vserver] Announcing the OpenVPS ISO (first stab)

2004-09-30 Thread Gregory (Grisha) Trubetskoy
On Thu, 30 Sep 2004, Matt Nuzum wrote:
Cool.
Could you please detail on the documentation website what happens
during this stage:
from http://www.openvps.org/Plone/download/ISO
You also will need internet access at this point as the buildref process
pulls a few RPM's from the openvps.org site.
I know it sounds overly picky but I like to know what's going on when
programs phone home during installation.
They'll need RPM's in here.
http://www.openvps.org/dist/misc/
Some of them have been modified to work with vserver, some are not part of 
Fedora Core, some only exist in FC2.

The ideal scenario would be to include the whole reference server as part 
of the ISO, but that would probably take more than one CD, so we figured 
that it's simpler to just have it pulled off the net for now.

Grisha


Re: [Vserver] bind mounts within a vserver?

2004-09-17 Thread Gregory (Grisha) Trubetskoy
On Fri, 17 Sep 2004, Herbert Poetzl wrote:
On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy wrote:
Is it possible to somehow use mount --bind from within a vserver?
(vs1.28).
not in a secure way with the 2.4 stable branch, but it is with recent 
2.6 (vs1.9.x) devel branch ...
Thanks
of course, after adding enough CAPs, everything is possible ...
We do something like this to allow ping and traceroute - there is an 
outside process that reenters the vserver to execute a particular command 
with an elevated capability.

At first look it seems that mount --bind obeys chroot and it should be 
safe for us to allow it as well, or is there some apparent security 
problem with this?

There are more details on the aforementioned kludge here for those 
interested:

http://www.openvps.org/cvs/viewcvs.cgi/oh-host/ohd/README?rev=1.1content-type=text/vnd.viewcvs-markup
Thanks for your help!
Grisha


[Vserver] bind mounts within a vserver?

2004-09-16 Thread Gregory (Grisha) Trubetskoy
Is it possible to somehow use mount --bind from within a vserver? 
(vs1.28).

Grisha


[Vserver] vserver 2.4.26-vs1.28 kernel rpm howto

2004-08-27 Thread Gregory (Grisha) Trubetskoy
If anyone is interested, here is how I was able to build a vs kernel RPM:
http://www.openvps.org/Plone/docs/developer/kernelrpm
(BTW - anyone feel free to copy this to the VServer wiki if 
you feel it's appropriate)

Grisha


Re: [Vserver] ipt_owner patch fo vserver

2004-08-05 Thread Gregory (Grisha) Trubetskoy
Any chance that this will get rolled in to 1.29?
This could be very useful when you have a back-end network that you do not 
want vservers to have access to...

Grisha
On Fri, 30 Jul 2004, Herbert Poetzl wrote:
On Fri, Jul 30, 2004 at 04:28:02PM +0200, Pavel Semerad wrote:
Hello,
I am long time using patch for vserver (now 1.2.28), which
adds to ipt_owner possibility to match vx_id of socket owner. I am using it
to restrict where services in security contexts can connect to (so when
somebody breaks into service, he cannot connect to other computer).
It can be useful also for others, so sending it.
Usage:
iptables -m owner --ctx-owner 0 ...
interesting ... are you the author of this patch?
why not join the irc channel (#vserver @ irc.oftc.net)
and chat a little about the future implementations
(ngn) and how this could/should be integrated ...
thanks,
Herbert
Pavel Semerad
Patch to 2.4.26 kernel with 1.2.28 vserver:
--- ./net/ipv4/netfilter/ipt_owner.c.vs-iptables2004-07-29 15:06:37.0 
+0200
+++ ./net/ipv4/netfilter/ipt_owner.c2004-07-30 15:27:10.0 +0200
@@ -152,8 +152,14 @@ match(const struct sk_buff *skb,
}
}
-   if (!sk || !sk-socket || !sk-socket-file)
+   if (!sk || !sk-socket || !sk-socket-file) {
+   if (info-match == IPT_OWNER_VS  sk  sk-socket)
+   /* perhaps kernel thread - use vx_id -1 */
+   if((-1 == info-vx_id) ^
+   !!(info-invert  IPT_OWNER_VS))
+   ret = 1;
goto out;
+   }
if(info-match  IPT_OWNER_UID) {
if((sk-socket-file-f_uid != info-uid) ^
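Review bot: In the added no-file branch the match field is compared for equality with IPT_OWNER_VS, while the checks that follow in match() test one flag at a time, so the kernel-thread fallback only applies when --ctx-owner is the sole owner option in the rule. If that is intended, the comment should say so. The hard-coded -1 for "no context" would read better as a named constant, and the two nested ifs need braces so it is obvious that `ret = 1` belongs to the inner condition only.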
@@ -185,6 +191,12 @@ match(const struct sk_buff *skb,
goto out;
}
+   if(info-match  IPT_OWNER_VS) {
+   if((sk-vx_id != info-vx_id) ^
+   !!(info-invert  IPT_OWNER_VS))
+   goto out;
+   }
+
ret = 1;
 out:
--- ./include/linux/netfilter_ipv4/ipt_owner.h.vs-iptables  2002-11-29 
00:53:15.0 +0100
+++ ./include/linux/netfilter_ipv4/ipt_owner.h  2004-07-29 15:11:28.0 +0200
@@ -7,6 +7,7 @@
 #define IPT_OWNER_PID  0x04
 #define IPT_OWNER_SID  0x08
 #define IPT_OWNER_COMM 0x10
+#define IPT_OWNER_VS   0x80
 struct ipt_owner_info {
 uid_t uid;
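Review bot: IPT_OWNER_VS is defined as 0x80, skipping 0x20 and 0x40 after IPT_OWNER_COMM (0x10). Since match and invert are u_int8_t this is the top bit, so a one-line comment on why that value was picked (for example to stay clear of flags added upstream later) would help whoever touches this header next.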
@@ -14,6 +15,7 @@ struct ipt_owner_info {
 pid_t pid;
 pid_t sid;
 char comm[16];
+int vx_id;
 u_int8_t match, invert;/* flags */
 };
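Review bot: Adding `int vx_id` to struct ipt_owner_info changes the size and field offsets of a structure that the libipt_owner.c extension patched below also fills in, so kernel and iptables have to be built from the same header. That dependency is worth a comment next to the field, and the author should confirm that int is the type of sk->vx_id, which match() compares it against.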

And patch to iptables:
--- ./extensions/libipt_owner.c.ps  2003-01-06 13:40:33.0 +0100
+++ ./extensions/libipt_owner.c 2003-06-04 14:24:55.0 +0200
@@ -22,6 +22,7 @@ help(void)
 [!] --pid-owner processid  Match local pid\n
 [!] --sid-owner sessionid  Match local sid\n
 [!] --cmd-owner name   Match local command name\n
+[!] --ctx-owner ctxMatch local security context\n
 \n,
 IPTABLES_VERSION);
 #else
@@ -31,6 +32,7 @@ IPTABLES_VERSION);
 [!] --gid-owner groupidMatch local gid\n
 [!] --pid-owner processid  Match local pid\n
 [!] --sid-owner sessionid  Match local sid\n
+[!] --ctx-owner ctxMatch local security context\n
 \n,
 IPTABLES_VERSION);
 #endif /* IPT_OWNER_COMM */
@@ -44,6 +46,7 @@ static struct option opts[] = {
 #ifdef IPT_OWNER_COMM
{ cmd-owner, 1, 0, '5' },
 #endif
+   { ctx-owner, 1, 0, '6' },
{0}
 };
@@ -136,6 +139,17 @@ parse(int c, char **argv, int invert, un
break;
 #endif
+   case '6':
+   check_inverse(optarg, invert, optind, 0);
+   ownerinfo-vx_id = strtoul(optarg, end, 0);
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM, Bad OWNER CTX value `%s', 
optarg);
+   if (invert)
+   ownerinfo-invert |= IPT_OWNER_VS;
+   ownerinfo-match |= IPT_OWNER_VS;
+   *flags = 1;
+   break;
+
default:
return 0;
}
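Review bot: In the new case '6' the context id is parsed with strtoul and stored in vx_id, which the header hunk declares as int, with no range check, so an out-of-range argument is silently converted. Parse with strtol, reject values outside the valid context range through exit_error, and document that -1 is meaningful here because the kernel hunk uses it for sockets that have no file.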
@@ -188,6 +202,9 @@ print_item(struct ipt_owner_info *info,
printf(%.*s , (int)sizeof(info-comm), info-comm);
break;
 #endif
+   case IPT_OWNER_VS:
+   printf(%d , info-vx_id);
+   break;
default:
break;
}
@@ -218,6 +235,7 @@ print(const struct ipt_ip *ip,
 #ifdef IPT_OWNER_COMM
print_item(info, IPT_OWNER_COMM, numeric, OWNER CMD match );
 #endif
+   print_item(info, IPT_OWNER_VS, numeric, OWNER CTX match );
 }
 /* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -233,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
 #ifdef IPT_OWNER_COMM
print_item(info, IPT_OWNER_COMM, 0, --cmd-owner );
 #endif
+   print_item(info, IPT_OWNER_VS, 0, --ctx-owner );
 }
 static

Re: [Vserver] Problems with Per Context Disk Limis

2004-08-02 Thread Gregory (Grisha) Trubetskoy
Here is a Python version of a similar thing:
http://www.openvps.org/cvs/viewcvs.cgi/oh-host/scripts/ohdisk?rev=1.2content-type=text/vnd.viewcvs-markup
This isn't really a standalone script because it relies on some other 
libs to enumerate vservers, but nonetheless, could be interesting for 
someone trying to accomplish this.

The output goes to stdout, so it's up to the invoker to figure out in 
which file to save it.

The end result is a shell script, so there is no need for a second script, 
you just run the resulting file.

There is also a bit of code for resetting the inode count. I have not been 
able to identify the source of the problem, but I am convinced there is an 
inode leak in the code, so when the inode count approaches a certain 
level, the script resets it to 0.

Another note is that we found that it's a good idea to keep backups of the 
disk limit counts (last hour, last day and last week, for example) - 
should you by mistake boot a non-vps kernel and your vserver partition 
will end up getting mounted without tagctx, you can accidentally overwrite 
your file.

Grisha
On Mon, 2 Aug 2004, Sebastian Ganschow wrote:
I finished on my little script to reset the Per Context Limits. It's based on
the script by Matt Ayres which I had to modify a little bit.
Both scripts can be found at
http://users.sg-0.de/sg/scripts/vserver
Maybe it isn't the best solution, but it is working.
greetings
Sebastian
--
Sebastian Ganschow
mailto:[EMAIL PROTECTED]
Quoting Herbert Poetzl [EMAIL PROTECTED]:
On Fri, Jul 30, 2004 at 03:27:37PM +0200, Sebastian Ganschow wrote:
Thank you so far.
I searched the mailing list archive before, but I think I
searched with the wrong keywords.
I just wondered why the Limits aren't stored like regular quotas,
simple, consider the following setup:
 /dev/hd0 /
 /dev/hd1 /vservers/vs1
 /dev/hd2 /vservers/vs2
now quota is stored at the root dir of a disk, in
files called (a)quota.{user,group}, which in this
case could be /vservers/vs1/quota.user, you probably
do not want the disk limits to be stored in a
/vservers/vs1/disk.limit file inside the vserver
path ...
aside from that, writing the info back to the disk
seems not really necessary, and can be done from
userspace if somebody wants to do it ...
best,
Herbert
but the script will be an appropriate solution for this problem.
regards
Sebastian
--
Sebastian Ganschow
mailto:[EMAIL PROTECTED]
Quoting Herbert Poetzl [EMAIL PROTECTED]:
On Fri, Jul 30, 2004 at 02:08:41PM +0200, Sebastian Ganschow wrote:
Hello,
I tried to set up Per Context Disk Limits with the documentation on
www.linux-vserver.org. When I set the Limit with
# cqhadd -x 101 -v /dev/hda6
# cddlim -x 101 -S 0,200,0,1000,5 -v /dev/hda6
the Limit is working, but when I restart the server the Disk Limit is away.
I tried it with kernel 2.4.25 and with kernel 2.4.22. In both cases the Disk
Limits are deleted after a restart of the system.
I configured it with the following documentation:

http://vserver.13thfloor.at/Linux2.6/index.php?page=Per+Context+Disk+Limits
What could be the Problem?
nothing, this is expected behaviour, in the 2.4
stable addon patch for quota and disk limits the
in kernel store (hash) for this information is
not persistent per se, but there are several
scripts (like the one Matt did) available (just
search the mailing list archives) to solve this
issue ...
http://list.linux-vserver.org/archive/vserver/msg06020.html
disk limits for the vs1.9.x branch (no quota yet)
takes a different approach, but a host reboot will
purge the settings too ...
HTH,
Herbert
Regards
Sebastian
PS: Could you please answer also to my email address, because of a bug it
isn't possible for me to subscribe to the mailing list.
--
Sebastian Ganschow
mailto:[EMAIL PROTECTED]





Re: [Vserver] Lycos goes Linux-VServer ...

2004-07-29 Thread Gregory (Grisha) Trubetskoy
On Tue, 27 Jul 2004, Herbert Poetzl wrote:
PR

Now you can! Lycos (Europe) has started their VDS
beta testing program, which is 100% bleeding edge
Linux-VServer Technology (vs1.9.2.10 exp. kernel)
/PR
Is there a URL? :-)
Grisha


Re: [Vserver] util-vserver docs

2004-06-17 Thread Gregory (Grisha) Trubetskoy

I actually think that in the ideal world the building of the vserver
should be outside the scope of the vserver project anyway, and should be
something that the people in charge of distributions should be providing.

My $0.02

Grisha


On Thu, 17 Jun 2004, Bernhard Duebi wrote:

 On Thu, 2004-06-17 at 10:45, Matthias Wieser wrote:
  On Wednesday 16 June 2004 23:18, Bernhard Duebi wrote:
   Hi,
   I can't find the docs for util-vserver. Any help ?
  
   The host system is a SuSE 9.1 Professional.
   I installed kernel-2.6.6-vs1.9.1
   I installed util-vserver-0.29.214
   I tried vserver server build, but did not understand how to configure
   the build option. So I installed vserver with a script from the linux
   magazin.
   I tried vserver server start in legacy mode and in native mode, but no
   luck.
  Hi!
 
  I worked with the following and had much success:
  vserver NAME build --help (you don't trust me and want to read the options)
  vserver NAME build -m debootstrap --interface eth0:IPADDRESS/NETMASK
  --hostname NAME -- -d sid
 Hi,

 today I did
 vserver vs01 build -m debootstrap ...
 vserver vs01 start
 vserver vs01 enter
 and it worked.
 But the point is, I want a SuSE based vserver. Unfortunately
 util-vserver doesn't know about SuSE. I'm sure I can make it work if I
 knew how util-vserver works. But by now I have no idea what it takes to
 make a vserver work.

 Sincerely
 Bernhard




--
The secret of success is sincerity. Once you can fake that, you've got it made.


[Vserver] the new kernel-crash

2004-06-14 Thread Gregory (Grisha) Trubetskoy

http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

Anyone tested this from within a vserver? I'm not near a computer that I
could try this on.

Grisha


[Vserver] lock flag question

2004-06-09 Thread Gregory (Grisha) Trubetskoy

What does the lock flag do? It seems that requesting another context from
within a context is impossible anyway?

Grisha


[Vserver] new utils configuration

2004-06-08 Thread Gregory (Grisha) Trubetskoy

I've been looking at the documentation for the new utils (nice stylesheet,
btw), and it looks like there is a shift from using a single config file
describing a vserver to a hierarchy of files (kinda reminds me of
qmail)...

Just curious - what was the rationale for this shift?

Thanks!

Grisha



Re: [Vserver] hostname in hosts

2004-06-08 Thread Gregory (Grisha) Trubetskoy

Does your apache config have a Listen directive, and if so, what is it?

When Listen does not specify an IP address (e.g. Listen 80), apache
should bind to 0.0.0.0, which doesn't have much to do with the hostname
AFAIK.

If you're using Apache 1.3, then also check the BindAddress directive.

Grisha

On Tue, 8 Jun 2004, Lucas Albers wrote:


 Roderick A. Anderson said:

  This is new for me.  I know I'm pretty clueless on much of this stuff
  but I have never seen mention of a /etc/vservers/hosts file.  What is it
  supposed to be for or how is it supposed to be used?
 My bad, it's this file:
 /vservers/vservername/etc/hosts
 It's the hosts file in the vserver.
 I encountered this little gotcha when I set up a new vserver with a 168.0.0.1
 address then switched to a routable ip address.
 apache kept trying to use the old 168.0.0.1 address and I could not
 figure out why until I looked in /etc/hosts on the vserver apache was
 running on and saw the old 168.0.0.1 entry.

 --
 Luke Computer Science System Administrator
 Security Administrator,College of Engineering
 Montana State University-Bozeman,Montana



Re: [Vserver] VServer management

2004-06-04 Thread Gregory (Grisha) Trubetskoy

IMHO snmp is very complex by design and as a consequence of that is a
significant security threat. If I was a potential customer of yours and you
insisted that I must run snmpd in my server, I'd balk.

There are probably ways to accomplish anything you do via snmp by other
means. E.g. to count bits in and out, I found that using iptables (as
described in Paul Sladen's Vserver FAQ) works great.

As to handling authentication, it's not hard to verify the user's password
against the hash in their passwd file. Here is the source for a little
program that we use:

http://dev.openhosting.com/cvs/viewcvs.cgi/oh-host/src/ohchkpwd/ohchkpwd.c?rev=1.1.1.1&content-type=text/vnd.viewcvs-markup

You give this program one argument, the root of the vserver, pipe
userid:password to its stdin, and its exit code will tell you whether
the credentials are satisfied. It has to be a setuid program if you're
going to be running it from a webserver (which I'm assuming isn't running
as root).

Grisha

On Fri, 4 Jun 2004, Dennis Roos wrote:

 Heyaz,


 I've been working on a webbased vserver administration application
 and I've been thinking about a way to run certain tasks on the host
 machine. The tasks involve: stopping/starting the vserver, deploying
 (in my case using rsync) new vservers and configs.

 I started on an implementation with a php based daemon, but that
 would mean I'd have to handle authentication, implement a protocol,
 calling various sub-applications from the daemon, etc.
 This gave me a lot of headaches :)

 At the moment I am monitoring our vserver installations using SNMP
 and started thinking of the idea of using the SNMP daemon I have
 already running as a full management daemon. This would simplify a
 lot from my end, but the end user (people running vserver
 environments) would have to install snmp on their servers, which, I
 can imagine, causes security risks not everyone is willing to take.

 To make a long story short, I am wondering if someone else
 considers using SNMP is a worthwhile approach, or perhaps people
 have different ideas ?




 Regards,
 Dennis Roos

 Network Engineer
 InTouch N.V.
 Middenweg 76
 1097 BS Amsterdam
 Tel: +31 (0)20 6752060
 Fax: +31 (0)20 6758429


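A checker with the interface described in the message above (vserver root as the only argument, userid:password on stdin, result in the exit code), added here as an illustration; it is not the ohchkpwd source. It assumes the guest keeps its hashes in etc/shadow; check_credentials, open_guest_shadow, same_hash and the exit-code values are names chosen for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { CRED_OK = 0, CRED_BAD = 1, CRED_ERR = 2 };   /* exit codes (assumed) */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* Weak reference: the file links even without -lcrypt (crypt is then NULL
 * and main() reports CRED_ERR). Build with -lcrypt for real use. */
extern char *crypt(const char *, const char *) __attribute__((weak));

/* Open <root>/etc/shadow refusing symlinks at "etc" and "shadow": the tree
 * is writable by the guest, which could otherwise point it at a host file. */
static FILE *open_guest_shadow(const char *root)
{
    struct stat st;
    int r = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (r < 0) return NULL;
    int e = openat(r, "etc", O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    close(r);
    if (e < 0) return NULL;
    int s = openat(e, "shadow", O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    close(e);
    if (s < 0) return NULL;
    FILE *f = (fstat(s, &st) == 0 && S_ISREG(st.st_mode)) ? fdopen(s, "r") : NULL;
    if (!f) close(s);
    return f;
}

/* Compare two hash strings without stopping at the first mismatch. */
static int same_hash(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned diff = (la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* cred is "userid:password"; hash is crypt(3) or a compatible function. */
int check_credentials(const char *root, const char *cred, hash_fn hash)
{
    char line[1024];
    const char *colon = strchr(cred, ':');
    if (!hash || !colon || colon == cred) return CRED_ERR;
    size_t ulen = (size_t)(colon - cred);
    FILE *f = open_guest_shadow(root);
    if (!f) return CRED_ERR;
    int result = CRED_BAD;      /* unknown user and bad password look alike */
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, cred, ulen) != 0 || line[ulen] != ':') continue;
        char *stored = line + ulen + 1;
        stored[strcspn(stored, ":\n")] = '\0';
        /* empty, "*" and "!..." fields never match a password */
        if (stored[0] && stored[0] != '*' && stored[0] != '!') {
            const char *got = hash(colon + 1, stored);
            if (got && same_hash(got, stored)) result = CRED_OK;
        }
        break;
    }
    fclose(f);
    return result;
}

int main(int argc, char **argv)
{
    char cred[512];
    if (argc != 2 || !crypt || !fgets(cred, sizeof cred, stdin)) return CRED_ERR;
    cred[strcspn(cred, "\n")] = '\0';
    return check_credentials(argv[1], cred, crypt);
}
```

A setuid build of such a helper reads files the guest controls, which is why the open path refuses symlinks and non-regular files before parsing anything.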


Re: [Vserver] grsecurity ending

2004-06-03 Thread Gregory (Grisha) Trubetskoy


On Tue, 1 Jun 2004, Herbert Poetzl wrote:

 currently I have _no_ sponsor sending money, and, although I would
 _love_ to spend all my time doing linux-vserver, I have to _work_ to
 earn the money to buy food and pay for shelter, connectivity and
 clothing ...

Well - having been in this boat with mod_python for some years now, the
least I can do is to say a very sincere thank you for all the hard work on
vserver!

Grisha


Re: [Vserver] unixbench results: vanilla/1.9.1 host/1.9.1 vserver

2004-05-21 Thread Gregory (Grisha) Trubetskoy

Thanks, Ryan!

It'd be interesting to see numbers for the same test on the same machine
but using User-Mode Linux... :-)

Grisha

On Sat, 22 May 2004, Herbert Poetzl wrote:

 On Fri, May 21, 2004 at 11:19:26PM +, [EMAIL PROTECTED] wrote:
  Just FYI...

 thanks for checking this for us ...

 Roderick: I asked Ryan to do those tests for us
 to check the impact of linux vserver on typical
 applications ...

  Ran unixbench-4.1.0 on a test machine four times with the following kernel 
  configurations; the value for each run is the final score output by unixbench.
 
  Complete unixbench output can be downloaded here:
  http://www.sculpturedlife.com/vserver/unixbench.tar.bz2
 
  2.6.6
  vanilla1: 495.1
  vanilla2: 494.7
  vanilla3: 493.6
  vanilla4: 494.1

 average = 494.3 +/- 0.6

  2.6.6-vs1.9.1 in host
  host1: 496.7
  host2: 494.1
  host3: 496.1
  host4: 497.3

 average = 496 +/- 1.5

  2.6.6-vs1.9.1 in vserver
  vserver1: 452.0 (ignored)
  vserver2: 484.5
  vserver3: 488.2
  vserver4: 487.9

 average = 486.8 +/- 2

 so the overhead of linux vserver on the host
 is not measurable (it seems that it is slightly
 faster than a vanilla kernel, but within the
 expected and measured noise)

 and the overhead inside a vserver is roughly
 2% which leaves us with 98% of the native
 performance ...

 best,
 Herbert

  Test machine:
  Dual Xeon 2.8GHz
  Fedora Core 2
  binutils-2.15.90.0.3
  gcc-3.3.3
  util-vserver-0.29-214
 
  Cheers,
  Ryan
 
 


Re: [Vserver] Immutable files and chattr

2004-05-14 Thread Gregory (Grisha) Trubetskoy

Sorry - this was vs1.26.

I changed my fs/ext3/ioctl.c like this:

--- fs/ext3/ioctl.c.orig2004-05-14 18:56:21.0 -0400
+++ fs/ext3/ioctl.c 2004-05-14 18:44:22.0 -0400
@@ -47,6 +47,10 @@
/* The JOURNAL_DATA flag is modifiable only by root */
jflag = flags  EXT3_JOURNAL_DATA_FL;

+/* Immutable files cannot be changed */
+if (oldflags  flags  EXT3_IMMUTABLE_FILE_FL)
+return -EPERM;
+
/*
 * The IMMUTABLE_* and APPEND_ONLY flags can only be changed
 * by the relevant capability.
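
Review bot: the added check sits above the capability test and returns -EPERM for every caller, so its comment should say whether a holder of the relevant capability is meant to be refused as well, or the check should move below that test. It also names only EXT3_IMMUTABLE_FILE_FL, while the context comment directly underneath speaks of IMMUTABLE_* flags, so the link variant mentioned earlier in the thread probably wants the same guard. In this archived copy the operators between oldflags, flags and EXT3_IMMUTABLE_FILE_FL are missing (as in the jflag context line), so the exact condition cannot be verified here; if it is meant to fire only when the flag is set both before and after the call, state that in the comment, since it then also rejects a request that changes nothing on an already immutable file.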

This seems to give the expected behaviour. I think the fix for ext2 is
identical, and I didn't look at reiserfs or any other filesystem.

Anyway, hopefully this is at least a little bit helpful :-)

Grisha


On Fri, 14 May 2004, Herbert Poetzl wrote:

 On Fri, May 14, 2004 at 05:12:34PM -0400, Gregory (Grisha) Trubetskoy wrote:
 
  It looks like the attributes that do not require CAP_LINUX_IMMUTABLE (i.e.
  anything except IMMUTABLE_[FILE|LINK]FL and APPEND_FL) can be modified by
  root from within a vserver:
 
  ]# vserver grisha enter
  ipv4root is now 192.168.1.33
  New security context is 10033
  [EMAIL PROTECTED]:grisha /]lsattr /bin/ls
  i--t- /bin/ls
  [EMAIL PROTECTED]:grisha /]chattr +d /bin/ls
  [EMAIL PROTECTED]:grisha /]lsattr /bin/ls
  i-dt- /bin/ls
 
  I'm not sure this is working as expected. It seems that an immutable file
  should be immutable including attribute changes. This doesn't seem like a

 yep, should not be allowed ...
 at least not on 'unified' files (i.e. with immutable set)

 please, always include some basic system information
 like kernel version, patch version, etc ...

 TIA,
 Herbert

  VServer, but rather a general Linux problem, but I wonder if the VServer
  patches should insist that immutability includes flag changing.
 
  Grisha


[Vserver] Capability suid ?

2004-05-13 Thread Gregory (Grisha) Trubetskoy

Has there been any discussion of having a feature whereby a binary would
be executed with higher capabilities automatically?

Something like having a config file of some sort in the main server that
lists a binary, its timestamp, size, an MD5/SHA hash and the capability.
Whenever this binary would be invoked in a vserver it would automatically
be given those capabilities, provided that the time/size/hash matches.

Or is this somehow technically unfeasible?

Grisha


Re: [Vserver] vserver service command

2004-05-07 Thread Gregory (Grisha) Trubetskoy

On Fri, 7 May 2004, Bjoern Steinbrink wrote:

 The vserver script just calls itself with 'exec /sbin/service' instead
 of 'service' so that option really just saves a few keystrokes, that's
 all, you could also just use the exec call directly.

This is a bit on a different topic, but I just thought I'd throw that in -
I don't like this keystroke saving sugar, vserver should just have the
'exec' option and nothing else, even the 'enter' command is not that
necessary IMHO :-)

Grisha


[Vserver] Re: /etc/hosts

2004-04-15 Thread Gregory (Grisha) Trubetskoy

nevermind, I think I found the problem :-)

On Thu, 15 Apr 2004, Gregory (Grisha) Trubetskoy wrote:


 I may be missing something obvious, if so forgive me:

 For some reason all my vservers resolve names using the main server's
 /etc/hosts, not their own

 This OS is Fedora C1 (both inside and outside), kernel 2.4.25, vs 1.26
 with corresponding util-vserver. I also have the ctx disk limit patch
 applied.

 Anyone seen this?

 Grisha



Re: [Vserver] util-vserver -- future directions

2004-04-08 Thread Gregory (Grisha) Trubetskoy


On Thu, 8 Apr 2004, Liam Helmer wrote:

 I actually looked, for quite a long time, to try and find something that
 was similar to the freebsd (?) union mount, or else the uml
 copy-on-write system. I haven't found anything that works well yet. So,
 instead of that, I worked with the existing linux mount system.


I found this: http://translucency.sourceforge.net/ but I don't know how
well it works.

Grisha


Re: [Vserver] util-vserver -- future directions

2004-04-07 Thread Gregory (Grisha) Trubetskoy

Am I missing something - you're mounting things that are in the shadow
server via --bind - but doesn't this mean that if one of the vservers
unlinks the file in a directory mounted this way, it will be gone for all
other vservers?

BTW, I really wish Linux had something like the FreeBSD unionfs.

Grisha


On Thu, 8 Apr 2004, Sam Vilain wrote:

 Enrico Scholz wrote:

 * it has new vserver-build methods; currently the apt-rpm, debootstrap and
   a simple skeleton methods are implemented. New methods are in preparation
   (copy) or are waiting for community input (gentoo, slackware). For RPM
   based distributions, 'vapt-get' and 'vrpm' tools were written which are
   allowing a secure external packagemanagement.
 
 
 Allow me to throw mine into the fold, then; these additions let you have
 each vserver on a separate filesystem, whilst still having the benefits
 of unification; all changes are in /usr/sbin/vserver:

 STATIC_DIRS="usr lib sbin bin"
 UNIQUE_DIRS="etc var"

 mountproc()
 {
     mkdir -p $VROOTDIR/$1/proc $VROOTDIR/$1/dev/pts
     if [ ! -d $VROOTDIR/$1/proc/1 ] ; then
         mount -n -t proc none $VROOTDIR/$1/proc
         mount -n -t devpts -o gid=5,mode=0620 none $VROOTDIR/$1/dev/pts
     fi
     if [ -d $VROOTDIR/shadow/$1/usr -a ! -d $VROOTDIR/$1/usr/bin ]
     then
         for dir in $STATIC_DIRS
         do
             [ -d $VROOTDIR/$1/$dir ] || mkdir $VROOTDIR/$1/$dir
             mount -n --bind $VROOTDIR/shadow/$1/$dir $VROOTDIR/$1/$dir
         done
     fi
 }
 umountproc()
 {
     umount $VROOTDIR/$1/proc 2>/dev/null
     umount $VROOTDIR/$1/dev/pts 2>/dev/null
     if [ -d $VROOTDIR/shadow/$1/usr ]
     then
         for dir in $STATIC_DIRS
         do
             umount $VROOTDIR/$1/$dir 2>/dev/null
         done
     fi
 }

 # ... later on, during `vserver XXX build' code:
 if test "$UTIL_VSERVER_AVOID_COPY"; then
     mkdir -p $VROOTDIR/$1/{etc/rc.d/init.d,sbin,var/run,var/log}
 else
     MASTER=/
     [ -d $VROOTDIR/master ] && MASTER=$VROOTDIR/master
     echo Copying files from $MASTER
     if [ -d $VROOTDIR/shadow/master ]
     then
         ( cd $VROOTDIR/master;
           cp -ax $UNIQUE_DIRS $VROOTDIR/$1/. ) || exit 1
         echo Linking files from $VROOTDIR/shadow/master
         mkdir $VROOTDIR/shadow/$1
         ( cd $VROOTDIR/shadow/master;
           cp -a $STATIC_DIRS $VROOTDIR/shadow/$1/. &&
           cd $VROOTDIR/shadow &&
           $USR_LIB_VSERVER/unify-dirs -il master $1 ) || exit 1
         mountproc $1
         TMP_MOUNT=1
     else
         ( cd $MASTER &&
           cp -ax $UNIQUE_DIRS $STATIC_DIRS $VROOTDIR/$1/. ) || exit 1
     fi
 fi


 This all stems from a vague, possibly irrational urge that each vserver
 should have its own filesystem, rather than letting many vservers share
 the same filesystem and using quotas or a similar mechanism to restrict
 them.  This is convenient for me, as I use reiserfs (the masochism of
 which pales in comparison to the bugs in the ext3 online resizing
 patches) on LVM managed space, so I can allocate vservers more space as
 and when required, and have protection against possible fragmentation
 between servers (of course, the widely touted fact that Unix
 filesystems don't /suffer/ from fragmentation may be true, but they're
 not /immune/ to it).

 To explain the above in excruciating detail:

 * It is assumed that the `master' vserver, in /vservers/master, has
   its /usr, /lib, /sbin and /bin moved to /vservers/shadow/master.
   This filesystem will contain the operating system files (ie, the
   four directories mentioned) for all vservers which are `shadowed'.
 * during build time, the new server has /{usr,sbin,bin,lib} copied
   via a `cd /vservers/shadow; cp -al master/* $vserver/; chattr -R
   +iI $vserver' analog, if those directories have been moved out of
   /vservers/master to /vservers/shadow/master in the skeleton.
   I'm using a straight copy, followed by a call to my unify-dirs
   script (which, hopefully, your new vunify is powerful enough to
   emulate the behaviour of without all the segfaults) - which is
   sub-optimal - a `vcp-al' would be useful - but works for me.
   The other directories (/var and /etc) are simply copied into the
   vserver's filesystem.
 * during `vserver start' time, if the shadow operating system
   directories are detected on /vservers/shadow/$1/*, then mount them
   into place with mount --bind.
 * Maintaining the unification is as simple as (cd /vservers/shadow;
   unify-dirs -il *)

 This is quite effective; even with a lot of software installed in the
 master image, you only need about 30MB of space on the filesystems you
 create as a minimal starting point for Debian woody vservers.  And most
 of that is the `apt' and `dpkg' databases.

 This is all extremely 

[Vserver] ctx disk limits and inodes

2004-04-02 Thread Gregory (Grisha) Trubetskoy

I've got a vserver that keeps running out of inodes.

from the vserver root dir, find . | wc -l shows 42287.

but df -i from within vserver shows:

df -i
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/hdv1                 20  105933   94067   53% /

105933 - 42287 = 63646 missing inodes

I'm not sure what happens inside the vserver because it belongs to a
customer. I think they are running qmail which is inode-intensive.

This vserver has never been rebooted since its creation, so the counts are
only affected by the ctx disk limit hash thing.

This is vs1.26 with corresponding ctx disk limit patches and utils,
kernel 2.4.25.

Is it possible for the disk limit system to somehow leak inodes, i.e.
not reduce the count when they are freed?

Thanks,

Grisha



Re: [Vserver] FreeVPS 1.3 features announce

2004-04-02 Thread Gregory (Grisha) Trubetskoy

It looks to me as if FreeVPS is somehow trying to compete with VServer by
keeping its own fork of the project.

What is the reason for that? Why not work on incorporating all these
features into VServer?

Grisha

On Thu, 1 Apr 2004, Alexander Suvorov wrote:

 Dear colleagues!

 Let us announce some new features in FreeVPS 1.3:
 1. CPU Limit - allow to set up the upper limit of CPU usage inside VPS
 2. CPU QoS - allow to set up the lower limit of CPU resource available inside
 VPS
 3. Restore RSS memory accounting
 4. DiskQuota speed optimization - separating dquota hash per each context
 5. init emulation - add teinit, reboot, halt tools

 Best regards.
 --
 Alexander Suvorov [EMAIL PROTECTED]
 http://www.freevps.com



Re: [Vserver] FreeVPS 1.3 features announce

2004-04-02 Thread Gregory (Grisha) Trubetskoy

[I can translate the russian below if someone needs it, it's more than I
need to know :-)]

Anyway - I find the features that FreeVPS describes cool, especially since
we use VServer for commercial hosting I could really use them, but I do
not like the idea of having to use a specific kernel, and I am also not
very confident about the direction of the FreeVPS team. If PSoft folds
tomorrow, that will be the end of it it seems. FreeVPS does not appear to
be a community project. There is no FreeVPS mailing list, no discussion of
its architecture and direction, just continuous announcements about
features.

Grisha

On Fri, 2 Apr 2004 [EMAIL PROTECTED] wrote:

 
  It looks to me as if FreeVPS is somehow trying to compete with VServer by
  keeping its own fork of the project.
 
  What is the reason for that? Why not work on incorporating all these
  features into VServer?
 
  Grisha
 

 1)   vserver   
 ,  freevps -  RH.

etc...


[Vserver] [RESOLVED] Re: sshd weirdness: PAM session setup failed[6]: Permission denied

2004-03-30 Thread Gregory (Grisha) Trubetskoy

I just spent hours learning how PAM works...

I found that this will happen if S_NICE is set to anything above 0, _and_
pam_limits.so is enabled (default on fedora core 1).

Looking at pam_limits.c, it has this code in setup_limits() which is
probably where the trouble happens:

if (uid == 0) {

[SNIP]

    pl->priority = 0;
}

[SNIP]

status = setpriority(PRIO_PROCESS, 0, pl->priority);
if (status != 0) {
    retval = LIMIT_ERR;
}

So it looks like pam_limits will try to set your priority to 0 if you're
root. (Should this be considered a pam_limits bug?)

So the solution is either:

1. not to use S_NICE
2. comment out pam_limits.so from both /etc/pam.d/sshd and
/etc/pam.d/system-auth


Grisha



On Mon, 8 Mar 2004, Gregory (Grisha) Trubetskoy wrote:


 I saw this posting earlier on:

 http://www.paul.sladen.org/vserver/archives/200309/0176.html

 And I am seeing the same problem:

 debug1: session_by_channel: session 0 channel 0
 debug1: session_input_channel_req: session 0 req shell
 debug1: PAM setting tty to /dev/pts/0
  PAM session setup failed[6]: Permission denied
 debug1: Calling cleanup 0x8059c20(0x8090c20)
 debug1: session_pty_cleanup: session 0 release /dev/pts/0


 Kernel 2.4.25, vserver 1.26 with ctx disk limit patches (though I don't
 think that matters). The os both outside and inside the vserver is RH
 Fedora 1.

 I've found that a workaround is to restart sshd in the vserver after
 starting it, e.g.:

 # vserver blah start
  [...]
 # vserver blah exec service sshd restart

 ...but other than that I've spent quite a bit of time looking at things
 and I can't find what's causing this problem. What might be the difference
 between sshd being started from init, vs doing later?

 Has anyone else seen this?

 Thanks,

 Grisha



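The failure described in the message above, reproduced outside PAM as an added example (this is not pam_limits code): strict_reset mirrors the quoted setpriority call, and tolerant_reset keeps the inherited value when the kernel refuses to lower it. It assumes the process, like root inside the guest, may lack CAP_SYS_NICE; the function names and NICE_UNKNOWN are made up for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/time.h>

#define NICE_UNKNOWN 100            /* sentinel outside the -20..19 range */

/* Current nice value of this process, or NICE_UNKNOWN on error.
 * getpriority() may legitimately return -1, so errno decides. */
int current_nice(void)
{
    errno = 0;
    int n = getpriority(PRIO_PROCESS, 0);
    return (n == -1 && errno != 0) ? NICE_UNKNOWN : n;
}

/* The pattern from the quoted snippet: force the priority and treat any
 * failure as fatal. Returns 0 on success or -errno. */
int strict_reset(int target)
{
    return setpriority(PRIO_PROCESS, 0, target) == 0 ? 0 : -errno;
}

/* Tolerant variant: does nothing when already at target, and when the
 * kernel refuses to LOWER the nice value (EACCES) it keeps the inherited
 * value instead of failing the session. *kept receives the value in
 * effect afterwards. Any other error is still returned as -errno. */
int tolerant_reset(int target, int *kept)
{
    int cur = current_nice();
    *kept = cur;
    if (cur == NICE_UNKNOWN)
        return -EINVAL;
    if (cur == target)
        return 0;
    int rc = strict_reset(target);
    if (rc == 0) {
        *kept = target;
        return 0;
    }
    return (rc == -EACCES && target < cur) ? 0 : rc;
}

int main(void)
{
    int start = current_nice(), kept;
    if (start == NICE_UNKNOWN || start > 14)
        return 1;
    /* Stand-in for a guest started at nice > 0: raising is always allowed. */
    if (strict_reset(start + 5) != 0)
        return 1;
    int rc = strict_reset(start);       /* what the session setup attempts */
    printf("strict reset to %d: %s\n", start, rc == 0 ? "ok" : strerror(-rc));
    rc = tolerant_reset(start, &kept);
    printf("tolerant reset: rc=%d, nice is now %d\n", rc, kept);
    return 0;
}
```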

