Re: [Vserver] vserver guest sharing the eth0 of host

2006-05-10 Thread Markus Neubauer
ADNET Ghislain wrote:
 Hi,

   I am testing vserver and all works well for me but one thing. I have
 a server with one public IP. I use vserver to have 2 vservers; one is
 the prod one and the other is a test one. I start one after stopping
 the other (they never run at the same time).  I have a problem in the
 fact that I use the eth0 of the host for both of them.

   My issue is that when I shut down one of the vservers it completely
 shuts down the eth0 interface of the host...  I really find the
 documentation troubling. This patchwork of different how-tos, FAQs
 and articles is really hard to grasp for a new user of vserver.


 To come back to my problem:


 /usr/src/util-vserver-0.30.210# vserver mailservertest stop
 Stopping periodic command scheduler: cron.
 Stopping ClamAV daemon: clamd
 Stopping ClamAV virus database updater: freshclam
 Stopping MTA: exim4.
 Stopping internet superserver: inetd.
 Stopping SpamAssassin Mail Filter Daemon: spamd.
 Saving the System Clock time to the Hardware Clock...
 hwclock is unable to get I/O port access:  the iopl(3) call failed.
 Hardware Clock updated to Tue May  9 19:52:31 UTC 2006.
 Stopping deferred execution scheduler: atd.
 Stopping kernel log daemon: klogd.
 Stopping system log daemon: syslogd.
 Sending all processes the TERM signal...done.
 Sending all processes the KILL signal...done.
 Saving random seed...done.
 Unmounting remote and non-toplevel virtual filesystems...done.
 Deconfiguring network interfaces...done.
 Cleaning up ifupdown...done.
 Deactivating swap...umount: none: not found
 umount: /tmp: must be superuser to umount
 Not superuser.
 done.
 Unmounting local filesystems...umount: none: not found
 umount: /tmp: must be superuser to umount
 umount: /dev/hdv1: not found
 umount: /: not mounted
 done.
 mount: permission denied
 Rebooting... ifdown: shutdown eth0: Permission denied
 :/usr/src/util-vserver-0.30.210#



 At this point the server loses the network. I do not have
 "Enable different security models" set, as the FAQ says. I do not see
 anything special, any hints?


 -- 
 Regards,
 Ghislain ADNET.


 # vserver-info
 Versions:
   Kernel: 2.6.16.11-vs2.0.2-rc18
   VS-API: 0x00020001
   util-vserver: 0.30.210; May  9 2006, 21:43:40

 Features:
   CC: gcc, gcc (GCC) 3.3.5 (Debian 1:3.3.5-13)
   CXX: g++, g++ (GCC) 3.3.5 (Debian 1:3.3.5-13)
   CPPFLAGS: ''
   CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W'
   CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0'
   build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
   Use dietlibc: no (you have been warned)
   Build C++ programs: yes
   Build C99 programs: yes
   Available APIs: v13,net
   ext2fs Source: e2fsprogs
   syscall(2) invocation: fast
   vserver(2) syscall#: 273/glibc

 Paths:
   prefix: /usr/local
   sysconf-Directory: ${prefix}/etc
   cfg-Directory: ${prefix}/etc/vservers
   initrd-Directory: $(sysconfdir)/init.d
   pkgstate-Directory: ${prefix}/var/run/vservers
   vserver-Rootdir: /vservers

Your trouble might get solved when you touch a file with the name nodev
in the interface dir of the corresponding interface.

Example: touch /etc/vservers/guestname/interfaces/0/nodev

That will avoid ifconfig for the defined interface.

hth Markus
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
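
The nodev flag from the reply above can be checked across every guest that shares a host device. This is an added example, not part of the thread and not util-vserver code: it assumes each interface directory also names its device in a file called "dev", and it runs against a constructed configuration tree in which the guest name mailserverprod is hypothetical.

```sh
#!/bin/sh
# Added example, not util-vserver code. Assumption: every interface
# directory <cfgroot>/<guest>/interfaces/<n>/ names its device in a file
# called "dev"; the "nodev" flag file is the one from the reply above.

# Print "<guest> <n> <device>" for each guest interface that is bound to
# host device $2 and has no nodev flag file.
ifaces_without_nodev() {
    cfgroot=$1
    hostdev=$2
    for ifdir in "$cfgroot"/*/interfaces/*; do
        [ -f "$ifdir/dev" ] || continue
        dev=$(tr -d ' \t\n' < "$ifdir/dev")
        [ "$dev" = "$hostdev" ] || continue
        if [ -e "$ifdir/nodev" ]; then continue; fi
        n=$(basename "$ifdir")
        guest=$(basename "$(dirname "$(dirname "$ifdir")")")
        printf '%s %s %s\n' "$guest" "$n" "$dev"
    done
    return 0
}

# Set the flag the way the reply does: touch .../interfaces/<n>/nodev
set_nodev() {   # $1 = cfgroot, $2 = guest, $3 = interface number
    touch "$1/$2/interfaces/$3/nodev"
}

# Constructed sample tree: two guests that both use the host's eth0.
make_sample_tree() {
    root=$1
    for g in mailserverprod mailservertest; do
        mkdir -p "$root/$g/interfaces/0"
        echo eth0 > "$root/$g/interfaces/0/dev"
    done
    # An interface on a different device must not be reported for eth0.
    mkdir -p "$root/mailservertest/interfaces/1"
    echo dummy0 > "$root/mailservertest/interfaces/1/dev"
    # Only the production guest already carries the flag.
    touch "$root/mailserverprod/interfaces/0/nodev"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_tree "$tmp"
    echo "eth0 interfaces without nodev, before:"
    ifaces_without_nodev "$tmp" eth0
    set_nodev "$tmp" mailservertest 0
    echo "eth0 interfaces without nodev, after:"
    ifaces_without_nodev "$tmp" eth0
    rm -rf "$tmp"
}
demo
```

On a real host the first argument would be the cfg-Directory that vserver-info reports.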


Re: [Vserver] VPS time differ from HOST time ??? why

2006-05-10 Thread Björn Steinbrink
On 2006.05.09 14:32:51 +0200, Sébastien CRAMATTE wrote:
 VPS time differ from HOST time ??? why
 
 I've changed my  host server time
 but my VPS  keep running with the old one.

Did you change the time or the timezone? The former will affect
everything running on the box, the latter will only affect the host or
the guest for which it was changed.

Björn


Re: [Vserver] LinuxTag 2006

2006-05-10 Thread Mike Schneider

Matt Ayres wrote:

Mike Schneider wrote:

as most of you will know, we had a booth at LinuxTag 2006 which
took place in Wiesbaden from May 3rd to 6th. Kudos go to DerJohn who
organized the whole thing.

At the booth we had some servers running VServer in a 19'' rack and
a multi-seat workstation which had the individual seats running inside
its own VServer each.


I'm glad to hear things went over well.  How was the response to Linux 
VServer versus the other virtualisation technologies out there?  This 
seems to be the first large demonstration of this project to the general 
public and I am curious (as I'm sure some others are too).


A question that was asked a lot was
'what is the difference to [Xen|UML|VMware|...]'
I need not answer this question on this list. We were able to
distinguish ourselves and got a lot of people interested enough
to say they'll try it out.

A point that we could almost always drive home is that VServer
distinguishes itself from other solutions in being so simplistic
and always on top of new kernel development that it can easily be
combined with other applications:
 - combination with drbd to gain failover
 - combination with multi-seat technology to gain hardened multi-seat
   servers


Also, this web interface... any details?  Website?


Sorry, can't say anything about that. I met the guy who's writing it
and I hope he'll read this and come forward.

Regards,
Mike Schneider
--
Dipl. Inform. Mike Schneider
IT Systems Management Associate
IT-Systems Management Division
Fraunhofer IPSI
Dolivostrasse 15, 64293 Darmstadt, Germany
Phone: +49 6151 869-845, Fax: +49 6151 869-819
E-mail: [EMAIL PROTECTED]
http://www.ipsi.fraunhofer.de/~mikeschneider
--





Re: [Vserver] vserver traceroute

2006-05-10 Thread Herbert Poetzl
On Sun, Apr 30, 2006 at 10:22:22PM +0300, Nikolay Kichukov wrote:
 hello,
 what i DID try to temporarily fix the problem and that did not work was:
 
 vattribute --set --xid id --ccap raw_icmp --bcap -1
 
 something else i wanted to ask was:
 
 Another point that i noticed is, that the df command is no longer
   listing the /dev/hdv device. The output is something like:
  
  
   df -ha
   Filesystem  Size  Used Avail Use% Mounted on
   proc           0     0     0    - /proc
   devpts         0     0     0    - /dev/pts
  
  
   What could be causing this?

 Within the guest /etc/fstab is now empty. What caused that file to be
 erased?

somehow I lost the overview about the changes and/or
the effects you observed, I'd suggest to pay a visit
to the IRC channel (#vserver @ irc.oftc.net) where
we should be able to track down whatever causes your
issues ...

HTH,
Herbert

 Regards,
 -nik
 
 
 - Original Message -
 From: Herbert Poetzl [EMAIL PROTECTED]
 To: Nikolay Kichukov [EMAIL PROTECTED]
 Cc: vserver@list.linux-vserver.org
 Sent: Sunday, April 30, 2006 9:21 PM
 Subject: Re: [Vserver] vserver traceroute
 
 
  On Sun, Apr 30, 2006 at 10:54:26PM +0300, Nikolay Kichukov wrote:
  
   Hello,
   Just upgraded to the latest development util-vserver release.
  
   However, when I try to vattribute, I am getting exactly the same
   behaviour. sshd is again not accepting connections. When I try to
   temporary fix the problem with --bcap -1, there is no update.
 
  hmm, maybe you got that wrong, what I meant was:
 
  whenever you want to set the ccaps, also add the --bcaps -1
  to that command line .. to work around the bug, btw, it
  works quite fine here with 0.30.210 + patches
 
  HTH,
  Herbert
 
   /usr/local/sbin/vserver-info

   Versions:
     Kernel: 2.6.14.4-vs2.1.0nevir
     VS-API: 0x00020001
     util-vserver: 0.30.210; Apr 30 2006, 20:31:56

   Features:
     CC: gcc, gcc (GCC) 4.0.3 (Debian 4.0.3-1)
     CXX: g++, g++ (GCC) 4.0.3 (Debian 4.0.3-1)
     CPPFLAGS: ''
     CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
     CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
     build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
     Use dietlibc: yes
     Build C++ programs: yes
     Build C99 programs: yes
     Available APIs: v13,net
     ext2fs Source: e2fsprogs
     syscall(2) invocation: alternative
     vserver(2) syscall#: 273/glibc

   Paths:
     prefix: /usr/local
     sysconf-Directory: /etc
     cfg-Directory: /etc/vservers
     initrd-Directory: $(sysconfdir)/init.d
     pkgstate-Directory: /var/run/vservers
     vserver-Rootdir: /var/lib/vservers

   Assumed 'SYSINFO' as no other
   option given; try '--help' for more information.
  
  
  
   Another point that i noticed is, that the df command is no longer
   listing the /dev/hdv device. The output is something like:
  
  
   df -ha
   Filesystem  Size  Used Avail Use% Mounted on
   proc           0     0     0    - /proc
   devpts         0     0     0    - /dev/pts
  
  
   What could be causing this?
  
  
   Regards,
   -nik
  
  
  
  
   On Sun, 2006-04-30 at 17:03 +0200, Herbert Poetzl wrote:
On Sun, Apr 30, 2006 at 02:53:20PM +0300, Nikolay Kichukov wrote:
 Hello Herbert,
 I see now. So traceroute cannot be used within a guest environment.
 I will try tracepath instead.

 One more thing I'd like to comment on is that, every time I issue:

 vattribute --set --xid id --ccap raw_icmp

 on the host, I am getting the following error on the guest when I
 try to ssh to it:

 fatal: chroot(/var/run/sshd): Operation not permitted

 The only way I go around that is to reboot the guest.

 What am I doing wrong when I am setting the --ccap ? Do I reset some
 default ccaps or bcaps ? I only have the ccapabilities file and it
 only contains raw_icmp. So is the default startup of a vserver
 initializing some extra flags/capabilities that are not necessarily
 predefined within flags/ccapabilities/bcapabilities?

there was a tool bug regarding vattribute, where
you had to specify the bcaps when you want to change
the ccaps, so you might try the following instead

vattribute --set --xid id --bcaps -1 --ccap raw_icmp
   
or update to a 

Re: [Vserver] Re: Basic Question

2006-05-10 Thread Herbert Poetzl
On Tue, May 09, 2006 at 02:02:51PM -0400, Fareha Shafique wrote:
 Fareha Shafique wrote:
 
 Corey Wright wrote:
 
 storage space is conserved because files only exist in one place,
 but are referenced within multiple vservers through special hard
 links.
 
 memory space is conserved because binaries and shared libraries (and
 any item in the file cache, i suppose) only exist in memory once,
 though many vservers may be executing/using the file. the idea is to
 extend the concept of shared libraries to vservers, so that just
 as a shared library may be referenced by multiple applications and
 it only exists in memory once, the same is true for a shared library
 referenced by multiple vservers (by way of vhashify).
 
 all the examples i have seen enable vhashify for vserver guests, not
 the host. i presume it is possible, but it is never applicable in
 my case because hard links are only shared on a single filesystem
 (where i mount my host's executables/libraries on /usr and my
 vservers on /home).
 
 hth.
 
 corey
  
 
 Thanks, that explanation helps :)
 Now, is it only libraries and binaries that can be shared or can a 
 vserver be an exact replica of the host. 
 
 Oh sorry, that was already answered. I guess anything on the filesystem 
 can be shared.
 
 How about if I want the filesystem of vserver vs1 to be an exact 
 replica of the host, and only when I write/modify any file a local 
 copy should be created for vs1 (using COW)? Is this possible?
 
 Let me explain this better. Say I want to upgrade some software or
 install new software on my host machine. Before doing this, I would
 like to test the upgrade in an environment that is an exact replica of
 the host machine. Is it possible to create a vserver identical to the
 host so that it can be used as the test environment?

yes, but I would suggest to make a copy first and not to
unify it with the host system, just to make sure that 
nothing goes wrong ...

later, you can unify the guest with the host, given that
both use the same filesystem

HTH,
Herbert

 Thanks,
 -FS


Re: [Vserver] Re: Basic Question

2006-05-10 Thread Corey Wright
On Tue, 09 May 2006 14:02:51 -0400
Fareha Shafique [EMAIL PROTECTED] wrote:

 Fareha Shafique wrote:
 
  Corey Wright wrote:
 
  storage space is conserved because files only exist in one place, but
  are referenced within multiple vservers through special hard links.

  memory space is conserved because binaries and shared libraries (and
  any item in the file cache, i suppose) only exist in memory once,
  though many vservers may be executing/using the file.  the idea is to
  extend the concept of shared libraries to vservers, so that just as a
  shared library may be referenced by multiple applications and it only
  exists in memory once, the same is true for a shared library
  referenced by multiple vservers (by way of vhashify).

  all the examples i have seen enable vhashify for vserver guests, not
  the host.  i presume it is possible, but it is never applicable in my
  case because hard links are only shared on a single filesystem (where
  i mount my host's executables/libraries on /usr and my vservers on
  /home).
 
  hth.
 
  corey
   
 
  Thanks, that explanation helps :)
  Now, is it only libraries and binaries that can be shared or can a 
  vserver be an exact replica of the host. 
 
 Oh sorry, that was already answered. I guess anything on the filesystem 
 can be shared.

let me again emphasize: i have never seen vhashify used to unify the host
with guests.  i don't know if the vhashify application allows for such.
you might be able to do it by creating a skeleton configuration
in /etc/vservers representing the host (ie /etc/vservers/host) with a vdir
that symlinks to /. just be sure to exclude /etc/vservers or you may
experience recursive problems.  but that's a total hack, unsupported, and
may even void the warranty. ;-)

  How about if I want the filesystem of vserver vs1 to be an exact 
  replica of the host, and only when I write/modify any file a local 
  copy should be created for vs1 (using COW)? Is this possible?
 
 Let me explain this better. Say I want to upgrade some software or 
 install new software on my host machine. Before doing this, I would like 
 to test the upgrade in an environment that is an exact replica of the 
 host machine. Is it possible to create a vserver identical to the host 
 so that it can be used as the test environment?

why don't you instead have two vservers: one test & one production.  push
all your production applications/configuration from the host into a test
guest.  when the test guest works how you want, just copy the test
guest to the production guest and unify the two.

i do something similar.  i have a test guest (that's literally the name
of the guest) where i test applications and when everything works like i
want, i apt-get install or copy the tested application on a
production guest, copy over the configuration, vhashify the production
guest, and start it.

the added benefit of having your production environment contained within
a guest is that to relocate the production environment you simply stop the
guest, tarball/cpio/rsync/scp/etc it (the guest and its configuration) to
another vserver host, and start it there.

i think you are trying to push a square peg into a round hole with your
current design and should reconsider if possible.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Another conceptual newbie question

2006-05-10 Thread Stephen Harris
On Wed, May 10, 2006 at 08:38:57AM -0500, Corey Wright wrote:
 mv /bin/bash /bin/bash.new
 mv /bin/bash.new /bin/bash

Do you mean
  mv /bin/bash /bin/bash.old
  cp /bin/bash.old /bin/bash
ie a cp for the second command?

I'm not totally familiar with vhashify semantics, but the two commands
you wrote would leave the inode number unchanged, and so it would still
be a hard link to the unified file.

-- 

rgds
Stephen
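
The inode behaviour Stephen describes can be reproduced without a vserver host. This is an added example, not part of the thread: a plain hard link stands in for a unified file, all paths are constructed under a temporary directory, and cp -p is used in place of the plain cp so the copy keeps its mode and timestamps.

```sh
#!/bin/sh
# Added example. A plain hard link stands in for a file that unification
# shares between guests; all paths are constructed under a temp directory.

inode_of()   { ls -di "$1" | awk '{print $1}'; }
link_count() { ls -ld "$1" | awk '{print $2}'; }

# True (exit 0) when both names still refer to one inode.
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# Create a pool file and a guest file that is a hard link to it.
make_unified_pair() {
    mkdir -p "$1/pool" "$1/guest/bin"
    printf 'original\n' > "$1/pool/bash"
    ln "$1/pool/bash" "$1/guest/bin/bash"
}

# The two commands quoted at the top of the message: rename away and back.
# rename(2) only changes directory entries, so the inode is untouched.
rename_round_trip() { mv "$1" "$1.new"; mv "$1.new" "$1"; }

# The variant with cp as the second step: the copy gets a fresh inode,
# while the .old name keeps the link to the shared one.
rename_then_copy() { mv "$1" "$1.old"; cp -p "$1.old" "$1"; }

report() {   # $1 = label, $2 = guest file, $3 = pool file
    if same_inode "$2" "$3"; then
        state="same inode, still shared"
    else
        state="new inode, private copy"
    fi
    printf '%-10s inode=%s links=%s  %s\n' \
        "$1" "$(inode_of "$2")" "$(link_count "$2")" "$state"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_unified_pair "$tmp"
    g=$tmp/guest/bin/bash
    p=$tmp/pool/bash
    report "unified" "$g" "$p"
    rename_round_trip "$g"
    report "mv + mv" "$g" "$p"
    rename_then_copy "$g"
    report "mv + cp" "$g" "$p"
    # A write now lands in the guest's own copy only.
    printf 'patched\n' > "$g"
    printf 'pool file still reads: %s\n' "$(cat "$p")"
    rm -rf "$tmp"
}
demo
```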


Re: [Vserver] What is the best way to connect from 1 vserver to other vserver within the same host ?

2006-05-10 Thread Herbert Poetzl
On Tue, May 09, 2006 at 12:15:01PM +0200, Sébastien CRAMATTE wrote:
 Herbert Poetzl wrote:
 On Sat, May 06, 2006 at 08:27:10AM +0200, Peter Mann wrote:
   
 On Fri, May 05, 2006 at 10:22:13PM +0200, Sébastien CRAMATTE wrote:
 
 What is the best way to connect from 1 vserver to other vserver
 within the same host ?

 I've got an Ldap directory inside one vserver and a postfix that
 use ldap in another vserver. I search the best way to connect to
 the ldap server with the maximum of security.

 you can simply use the 'network' connection between them,
 as it will not leave the host system (it will go over the
 loopback lo interface, and cannot be sniffed by other
 guests, given that you use a secure setup which is default)

 But each VPS by default doesn't have lo interface ? 

your VPS doesn't _show_ an lo interface (yet), but the
host for sure _has_ one, otherwise most things would
fail in your networking

 What do you mean ?

addresses assigned to the host (this includes all guest
IPs) will be known as _local_ addresses and traffic to
those addresses will _always_ go via the loopback device

 My VPS have each one a PUBLIC IP  so ?

 Could you explain to me a little bit more ?

so all the public IPs will be known as local addresses
to the host (and therefore to the other guests too)
so traffic between the guests (or host and guest) via
those public ips will not leave the host (i.e. happen
on the loopback device)

HTH,
Herbert

 vserver technology for a minute) and use SSL connection - ldaps://
 or stunnel4
 
 the best way is IMHO using SSL connection independent on vserver
 technology ...
 
 
 that will do also, of course trading performance for 
 flexibility when you move the guests apart ...
 
   
 I'm looking closer about this but I prefer the first solution
 
 HTH,
 Herbert
 
   
 -- 
 
 5o   Peter.Mann at tuke.sk
 
 


Re: [Vserver] Sharing directories

2006-05-10 Thread Herbert Poetzl
thread hijacking seems to be popular these days ...

interesting to see that folks even hijack already 
hijacked threads ...

for those who do not know what I am talking about,
here some clues:


Mike Schneider:
  Message-ID: [EMAIL PROTECTED]

on thread topic reply from Matt Ayres:
  Message-ID: [EMAIL PROTECTED]
  References: [EMAIL PROTECTED]
  In-Reply-To: [EMAIL PROTECTED]

now Sébastien CRAMATTE hijacks the thread:
(probably because his mailer is not really thread
aware or because he just does not care, taking any
email and just hitting reply, then changing the 
topic to something else)

  Message-ID: [EMAIL PROTECTED]
  References: [EMAIL PROTECTED] [EMAIL PROTECTED]
  In-Reply-To: [EMAIL PROTECTED]

and finally, Ehab Heikal does the same on the
already hijacked thread ...

  In-Reply-To: [EMAIL PROTECTED]

why am I not surprised that both use Windows(tm)
to send their emails?

anyway, let me state the following here:

in the future, I will not answer such off-topic
posts with anything else but a note that this is
very impolite behaviour ... and I guess other
folks on the ML might start doing the same ...

thanks,
Herbert



Re: [Vserver] vserver guest sharing the eth0 of host

2006-05-10 Thread ADNET Ghislain

this seems to do the trick !  Thanks a lot :)

Regards,
Ghislain ADNET.
AQUEOS.

Attention! For any support request
or domain order, please now use:

http://support.aqueos.net.

AQUEOS - Service Informatique
1, Rue Albert Einstein
77420 Champs sur marne

Technical support:  http://support.aqueos.net
Sales:  [EMAIL PROTECTED]
Tel : 01.64.02.99.37, Fax: 0 1.72.70.32.66

 Your trouble might get solved when you touch a file with the name nodev
 in the interface dir of the corresponding interface.

 Example: touch /etc/vservers/guestname/interfaces/0/nodev

 That will avoid ifconfig for the defined interface.

 hth Markus


[Vserver] A possible new idea

2006-05-10 Thread Fareha Shafique
After asking various questions about unification, I don't think vhashify 
quite supports what I have in mind. I wanted to get some opinions/ideas 
from the users of this mailing list.


I am thinking if vservers can somehow be used to provide MAC (Mandatory 
Access Control) through containers. For example, a vserver shares the 
same filesystem as the host server, with read and write access to the 
host files being defined through a set of MAC policies. In this way, 
different policies can be defined for different vservers. Also, writes 
can be contained within a vserver (so that if a file is written to, a 
copy is made in the vserver's space) and integrated with the host only 
through explicit 'commits' to allow, for example, new configurations to 
be tested in an environment exactly the same as the host server and then 
transferred to the host using a commit.


Any comments please?

Thanks.
-FS


Re: [Vserver] A possible new idea

2006-05-10 Thread Herbert Poetzl
On Wed, May 10, 2006 at 02:46:34PM -0400, Fareha Shafique wrote:
 After asking various questions about unification, I don't think vhashify 
 quite supports what I have in mind. I wanted to get some opinions/ideas 
 from the users of this mailing list.
 
 I am thinking if vservers can somehow be used to provide MAC (Mandatory 
 Access Control) through containers. For example, a vserver shares the 
 same filesystem as the host server, with read and write access to the 
 host files being defined through a set of MAC policies. In this way, 
 different policies can be defined for different vservers. Also, writes 
 can be contained within a vserver (so that if a file is written to, a 
 copy is made in the vserver's space) and integrated with the host only 
 through explicit 'commits' to allow, for example, new configurations to 
 be tested in an environment exactly the same as the host server and then 
 transferred to the host using a commit.

 Any comments please?

sounds interesting, any ideas how to realize this?

 Thanks.
 -FS


Re: [Vserver] A possible new idea

2006-05-10 Thread Fareha Shafique

Herbert Poetzl wrote:

 On Wed, May 10, 2006 at 02:46:34PM -0400, Fareha Shafique wrote:

  After asking various questions about unification, I don't think vhashify
  quite supports what I have in mind. I wanted to get some opinions/ideas
  from the users of this mailing list.

  I am thinking if vservers can somehow be used to provide MAC (Mandatory
  Access Control) through containers. For example, a vserver shares the
  same filesystem as the host server, with read and write access to the
  host files being defined through a set of MAC policies. In this way,
  different policies can be defined for different vservers. Also, writes
  can be contained within a vserver (so that if a file is written to, a
  copy is made in the vserver's space) and integrated with the host only
  through explicit 'commits' to allow, for example, new configurations to
  be tested in an environment exactly the same as the host server and then
  transferred to the host using a commit.

  Any comments please?

 sounds interesting, any ideas how to realize this?

Well, my first impression of vservers was that it provided a kind of
containment that I have mentioned. I mean after quickly going over the
short introduction, I thought that a vserver has read only access to the
host server's files and CoW is used whenever the vserver modifies a file.
However, after installing a vserver, I realized this was not the case.
And after asking a few questions on the mailing list, I learnt that
there is no direct way to do this. I was hoping to find out what some of
those involved in the development of linux-vserver thought about the
feasibility of this idea.
So basically, at the moment, I don't really have much idea how to
realize this, but I am hoping those more involved with vserver will have
some ideas to share :)



Re: [Vserver] A possible new idea

2006-05-10 Thread Herbert Poetzl
On Wed, May 10, 2006 at 05:17:55PM -0400, Fareha Shafique wrote:
 Herbert Poetzl wrote:
 
 On Wed, May 10, 2006 at 02:46:34PM -0400, Fareha Shafique wrote:
 
 After asking various questions about unification, I don't think
 vhashify quite supports what I have in mind. I wanted to get some
 opinions/ideas from the users of this mailing list.
 
 I am thinking if vservers can somehow be used to provide MAC
 (Mandatory Access Control) through containers. For example, a
 vserver shares the same filesystem as the host server, with read
 and write access to the host files being defined through a set of
 MAC policies. In this way, different policies can be defined for
 different vservers. Also, writes can be contained within a vserver
 (so that if a file is written to, a copy is made in the vserver's
 space) and integrated with the host only through explicit 'commits'
 to allow, for example, new configurations to be tested in an
 environment exactly the same as the host server and then transferred
 to the host using a commit.
 
 Any comments please?
 
 sounds interesting, any ideas how to realize this?
 
 Well, my first impression of vservers was that it provided a kind of
 containment that I have mentioned. I mean after quickly going over the
 short introduction, I thought that a vserver has read only access to
 the host server's files and CoW is used whenever the vserver modifies a
 file. However, after installing a vserver, I realized this was not the
 case. And after asking a few questions on the mailing list, I learnt
 that there is no direct way to do this. I was hoping to find out what
 some of those involved in the development of linux-vserver thought
 about the feasibility of this idea.

well, yes, they did :)

 So basically, at the moment, I don't really have much idea how to
 realize this, but I am hoping those more involved with vserver will
 have some ideas to share :)

aha, good, well, what would be the advantage over the
currently established way to do this, i.e. have a
template (some cleaned up version of your host system)
and update guests either individually or at-once with
the v* tools (like vrpm, vapt, vyum ...)?

why would somebody want to _share_ the host files with
the guest, instead of having a separate filesystem for
them?

note: I'm just trying to figure the rationale behind
this suggestion ...

best,
Herbert



[Vserver] Re: A possible new idea

2006-05-10 Thread Matvey Gladkikh
On 10/05/06 14:46 -0400, Fareha Shafique wrote:
 After asking various questions about unification, I don't think vhashify 
 quite supports what I have in mind. I wanted to get some opinions/ideas 
 from the users of this mailing list.
 
 I am thinking if vservers can somehow be used to provide MAC (Mandatory 
 Access Control) through containers. For example, a vserver shares the 
 same filesystem as the host server, with read and write access to the 
 host files being defined through a set of MAC policies. In this way, 
 different policies can be defined for different vservers. Also, writes 
 can be contained within a vserver (so that if a file is written to, a 
 copy is made in the vserver's space) and integrated with the host only 
 through explicit 'commits' to allow, for example, new configurations to 
 be tested in an environment exactly the same as the host server and then 
 transferred to the host using a commit.
 
 Any comments please?

Rsync a backup copy, do the update, if something fails - restore from backup.
BTW if something fails - you are likely updating a development version.

Or am I mistaken?

-- 
Matvey Gladkikh


Re: [Vserver] vserver traceroute

2006-05-10 Thread Nikolay Kichukov
Hello Herbert,
I already joined irc and there were people there that helped me out
resolve all the pending issues.
Thanks and Regards,
-Nikolay Kichukov



On Wed, 2006-05-10 at 14:42 +0200, Herbert Poetzl wrote:
 On Sun, Apr 30, 2006 at 10:22:22PM +0300, Nikolay Kichukov wrote:
  hello,
  what i DID try to temporarily fix the problem and that did not work was:
  
  vattribute --set --xid id --ccap raw_icmp --bcap -1
  
  something else i wanted to ask was:
  
  Another point that i noticed is, that the df command is no longer
listing the /dev/hdv device. The output is something like:
   
   
df -ha
Filesystem  Size  Used Avail Use% Mounted on
proc           0     0     0    - /proc
devpts         0     0     0    - /dev/pts
   
   
What could be causing this?
 
  Within the guest /etc/fstab is now empty. What caused that file to be
  erased?
 
 somehow I lost the overview about the changes and/or
 the effects you observed, I'd suggest to pay a visit
 to the IRC channel (#vserver @ irc.oftc.net) where
 we should be able to track down whatever causes your
 issues ...
 
 HTH,
 Herbert
 
  Regards,
  -nik
  
  
  - Original Message -
  From: Herbert Poetzl [EMAIL PROTECTED]
  To: Nikolay Kichukov [EMAIL PROTECTED]
  Cc: vserver@list.linux-vserver.org
  Sent: Sunday, April 30, 2006 9:21 PM
  Subject: Re: [Vserver] vserver traceroute
  
  
   On Sun, Apr 30, 2006 at 10:54:26PM +0300, Nikolay Kichukov wrote:
   
Hello,
Just upgraded to the latest development util-vserver release.
   
However, when I try to vattribute, I am getting exactly the same
behaviour. sshd is again not accepting connections. When I try to
temporary fix the problem with --bcap -1, there is no update.
  
   hmm, maybe you got that wrong, what I meant was:
  
   whenever you want to set the ccaps, also add the --bcaps -1
   to that command line .. to work around the bug, btw, it
   works quite fine here with 0.30.210 + patches
  
   HTH,
   Herbert
  
/usr/local/sbin/vserver-info

Versions:
  Kernel: 2.6.14.4-vs2.1.0nevir
  VS-API: 0x00020001
  util-vserver: 0.30.210; Apr 30 2006, 20:31:56

Features:
  CC: gcc, gcc (GCC) 4.0.3 (Debian 4.0.3-1)
  CXX: g++, g++ (GCC) 4.0.3 (Debian 4.0.3-1)
  CPPFLAGS: ''
  CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
  CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
  build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
  Use dietlibc: yes
  Build C++ programs: yes
  Build C99 programs: yes
  Available APIs: v13,net
  ext2fs Source: e2fsprogs
  syscall(2) invocation: alternative
  vserver(2) syscall#: 273/glibc

Paths:
  prefix: /usr/local
  sysconf-Directory: /etc
  cfg-Directory: /etc/vservers
  initrd-Directory: $(sysconfdir)/init.d
  pkgstate-Directory: /var/run/vservers
  vserver-Rootdir: /var/lib/vservers

Assumed 'SYSINFO' as no other
option given; try '--help' for more information.
   
   
   
Another point that i noticed is, that the df command is no longer
listing the /dev/hdv device. The output is something like:
   
   
df -ha
Filesystem  Size  Used Avail Use% Mounted on
proc           0     0     0    - /proc
devpts         0     0     0    - /dev/pts
   
   
What could be causing this?
   
   
Regards,
-nik
   
   
   
   
On Sun, 2006-04-30 at 17:03 +0200, Herbert Poetzl wrote:
 On Sun, Apr 30, 2006 at 02:53:20PM +0300, Nikolay Kichukov wrote:
  Hello Herbert,
  I see now. So traceroute cannot be used within a guest environment.
  I will try tracepath instead.

  One more thing I'd like to comment on is that, every time I issue:

  vattribute --set --xid id --ccap raw_icmp

  on the host, I am getting the following error on the guest when I
  try to ssh to it:

  fatal: chroot(/var/run/sshd): Operation not permitted

  The only way I go around that is to reboot the guest.

  What am I doing wrong when I am setting the --ccap ? Do I reset some
  default ccaps or bcaps ? I only have the ccapabilities file and it
  only contains raw_icmp. So is the default startup of a vserver
  

Re: [Vserver] A possible new idea

2006-05-10 Thread Sebastian Harl
Hi,

  why would somebody want to _share_ the host files with
  the guest, instead of having a separate filesystem for
  them?
 
 This is actually how Solaris 10 zones work.  In a Solaris 10
 zone the filesystems /usr /bin /lib and so on are read-only loop-back
 mounts to the host OS.  It makes the guest a lot smaller as a result.
 Pretty much most of the overhead of a guest (zone in Solaris terms)
 is the local files in writeable filesystems to ensure OS stability
 (eg /var/sadm for package maintenance).

You could use unionfs or bind-mounts to share directories between host- and
guest-filesystem. Of course this would need some manual work...

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/


