[Vserver] Linux-VServer architecture visualisation

2006-05-27 Thread Sebastian Harl
Hi guys,

I've created a small graphic visualizing the Linux-VServer architecture:
http://tokkee.org/~tokkee/tmp/linux-vserver-arch.pdf

Any comments? Suggestions for improvements?

Especially, I'm not quite sure if context 1 is visualized correctly.

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/



signature.asc
Description: Digital signature
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] A possible new idea

2006-05-11 Thread Sebastian Harl
> > You could use unionfs or bind-mounts to share directories
> > between host- and guest-filesystem. Of course this would
> > need some manual work...
>
> well, bind mounts should work out-of-the-box, basically
> just add them to the fstab in the guest config

Well, besides having to compile the unionfs module by hand it should work
out-of-the-box as well. What I wanted to say is basically that you have to add
the appropriate entries to fstab manually. There is no tool (at least none 
that I know of ;-) that automates the process of sharing static 
directories between guest and host. You have to decide for yourself which 
directories to share and add those to fstab.

Pretty obvious though... ;-)

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/
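
Added example (not part of the original message): a small audit of the manual fstab approach described above, listing which host directories a guest fstab shares by bind mount and which of those are not requested read-only. The sample fstab and its paths are constructed, and the check only reads the options field; it does not verify what the kernel enforces.

```python
# Constructed sample of a guest fstab; paths are illustrative only.
SAMPLE_FSTAB = """\
# constructed sample, not taken from the thread
none        /proc     proc   defaults           0 0
none        /tmp      tmpfs  size=16m,mode=1777 0 0
/usr        /usr      none   bind,ro            0 0
/lib        /lib      none   ro,bind            0 0
/srv/shared /srv/data none   bind               0 0
/home       /home     none   rbind,rw           0 0
"""


def bind_mounts(fstab_text):
    """Yield (source, target, options) for every bind/rbind entry."""
    for raw in fstab_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                          # malformed entry, skip it
        src, dst, _fstype, opts = fields[:4]
        options = opts.split(",")
        if "bind" in options or "rbind" in options:
            yield src, dst, options


def writable_shares(fstab_text):
    """Return (source, target) for shared directories not marked 'ro'."""
    return [(s, d) for s, d, o in bind_mounts(fstab_text) if "ro" not in o]


if __name__ == "__main__":
    for src, dst in writable_shares(SAMPLE_FSTAB):
        print(f"writable share: {src} -> {dst}")
```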





Re: [Vserver] A possible new idea

2006-05-10 Thread Sebastian Harl
Hi,

> > why would somebody want to _share_ the host files with
> > the guest, instead of having a separate filesystem for
> > them?
>
> This is actually how Solaris 10 zones work.  In a Solaris 10
> zone the filesystems /usr /bin /lib and so on are read-only loop-back
> mounts to the host OS.  It makes the guest a lot smaller as a result.
> Pretty much most of the overhead of a guest (zone in Solaris terms)
> is the local files in writeable filesystems to ensure OS stability
> (eg /var/sadm for package maintenance).

You could use unionfs or bind-mounts to share directories between host- and
guest-filesystem. Of course this would need some manual work...

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] secure a guest against the host's root-account

2006-04-24 Thread Sebastian Harl
Hi there,

> Q: Is there a way to prevent that a superuser on the host system can

Well, usually one characteristic of a superuser is the right to do
_everything_. Even if you use something like SELinux or whatever, most
superusers have physical access to their machines in one way or another.

IMHO the best way to prevent a superuser from having access to sensitive data
is to use some form of PGP/GnuPG (or the like) encryption. But even then the
superuser is able to read the memory of running processes...

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] VMWare-Server and vserver

2006-04-18 Thread Sebastian Harl
> I've tried on a centos 4.3 + freevps based server and vmware is not able to
> compile its network modules.

What kind of error messages do you get?

-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] testme.sh error and vserver does not start

2006-04-05 Thread Sebastian Harl
> $ dpkg -L util-vserver | grep init.d
> /etc/init.d
> /etc/init.d/util-vserver

Huh? That's not an official Debian package ;-)

-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





[Vserver] Re: [collectd] vserver plugin for collectd

2006-03-15 Thread Sebastian Harl
> For those of you who don't know collectd (probably most guys on the
> linux-vserver mailing list ;-), please have a look at
> http://verplant.org/collectd/. In short, collectd is a small daemon which
> collects system information every 10 seconds and writes the results in an
> RRD-file.
>
> Tonight, I've written a plugin that collects the system resources used by
> VServers (http://linux-vserver.org/). So far, the following data is collected:

As an update: at http://tokkee.org/cgi-bin/collection.cgi/vserver-49152 you
can find sample output. Enjoy ;-)

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] Iptables NAT vservers

2006-03-13 Thread Sebastian Harl
Hi,

> iptables is supposed to handle the -d hostname
>
> (host is 10.0.0.160)
>
> -A PREROUTING -p tcp -m tcp -d test.example.com -j DNAT --to-destination
> 10.0.1.2
>
> ... what's wrong with my approach, I didn't succeed to make it work.

iptables does only support IP based routing. I guess, the -d hostname switch
is only provided for convenience but will simply resolve the hostname to the
appropriate IP.

I don't think domain name based routing is available at all...

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/





Re: [Vserver] Iptables NAT vservers

2006-03-13 Thread Sebastian Harl
> .. it would explain why I didn't succeed ;-)

Indeed ;-)

> Do you think there is another way to redirect all incoming connections to
> a particular machine based on the connection name but not on the port
> number ex:
> ssh mymachine.example.com

No, I don't think so... TCP/IP does not carry any hostname information, so
routing would have to be done in the application layer protocol. HTTP, for
example, carries the hostname with it - that's why domain based hosting is
available (and possible ;-) e.g. in Apache.

The connection name that you were referring to is the IP address...

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/
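
Added example (not part of the original message): the point above, that a hostname is only available where the application protocol carries it, shown on a client's first bytes. The backend map, the 10.0.1.3 address and the sample payloads are constructed; 10.0.1.2 for test.example.com is the address from the thread.

```python
# Hostname-based dispatch works for HTTP (Host header) but not for SSH,
# whose opening banner carries no target name.
BACKENDS = {
    "test.example.com": "10.0.1.2",       # address quoted in the thread
    "mymachine.example.com": "10.0.1.3",  # hypothetical second guest
}

# Constructed sample payloads: what each client sends first.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: Test.Example.com:80\r\n\r\n"
SSH_HELLO = b"SSH-2.0-OpenSSH_4.3\r\n"


def host_from_http(first_bytes):
    """Return the normalized Host header of an HTTP/1.x request, or None."""
    head, sep, _ = first_bytes.partition(b"\r\n\r\n")
    if not sep:
        return None                       # no complete header block
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None                       # not an HTTP request line
    hosts = [l.split(b":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith(b"host:")]
    if len(hosts) != 1:
        return None                       # missing or duplicated Host header
    try:
        name = hosts[0].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if ":" in name:
        name = name.rsplit(":", 1)[0]     # strip an optional :port
    return name.rstrip(".") or None


def pick_backend(first_bytes):
    """Map a client's first bytes to a backend IP, or None if no name is known."""
    # The name is client-controlled, so only exact allowlist matches are used.
    return BACKENDS.get(host_from_http(first_bytes))


if __name__ == "__main__":
    print("http ->", pick_backend(HTTP_REQ))
    print("ssh  ->", pick_backend(SSH_HELLO))
```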





[Vserver] vserver plugin for collectd

2006-03-12 Thread Sebastian Harl
Hi folks,

This e-mail also goes to the linux-vserver mailing list.

For those of you who don't know collectd (probably most guys on the
linux-vserver mailing list ;-), please have a look at
http://verplant.org/collectd/. In short, collectd is a small daemon which
collects system information every 10 seconds and writes the results in an
RRD-file.

Tonight, I've written a plugin that collects the system resources used by
VServers (http://linux-vserver.org/). So far, the following data is collected:

   VServer socket msg. accounting (vserver-xid/socket.rrd)
 DS:unix_in:COUNTER:25:0:9223372036854775807
 DS:unix_out:COUNTER:25:0:9223372036854775807
 DS:inet_in:COUNTER:25:0:9223372036854775807
 DS:inet_out:COUNTER:25:0:9223372036854775807
 DS:inet6_in:COUNTER:25:0:9223372036854775807
 DS:inet6_out:COUNTER:25:0:9223372036854775807
 DS:other_in:COUNTER:25:0:9223372036854775807
 DS:other_out:COUNTER:25:0:9223372036854775807
 DS:unspec_in:COUNTER:25:0:9223372036854775807
 DS:unspec_out:COUNTER:25:0:9223372036854775807

  This is the in- and outgoing traffic for the listed protocols. Should be 
  pretty self-explanatory.

   VServer threads (vserver-xid/threads.rrd)
 DS:total:GAUGE:25:0:65535
 DS:running:GAUGE:25:0:65535
 DS:uninterruptible:GAUGE:25:0:65535
 DS:onhold:GAUGE:25:0:65535

  Count of threads in the VServers.

   VServer load (vserver-xid/load.rrd)
 DS:avg1:GAUGE:25:0:100
 DS:avg5:GAUGE:25:0:100
 DS:avg15:GAUGE:25:0:100

  System load of the VServers.

   VServer processes (vserver-xid/processes.rrd)
 DS:total:GAUGE:25:0:65535

  Count of processes running in the VServers.

   VServer memory usage (vserver-xid/memory.rrd)
 DS:vm:GAUGE:25:0:9223372036854775807
 DS:vml:GAUGE:25:0:9223372036854775807
 DS:rss:GAUGE:25:0:9223372036854775807
 DS:anon:GAUGE:25:0:9223372036854775807

  Memory usage of the VServers:
- vm is the virtual memory
- vml is locked memory
- rss (resident set size) is the real physical RAM used
- anon (anonymous memory) is memory not backed by any file

All data is read from /proc/virtual. See
http://linux-vserver.org/HowTo+Read+ProcFS for details. Special thanks go to
the #vserver IRC channel and especially Bertl and daniel_hozac for their help.

This is somewhat to be regarded as a first draft - I guess, there are still
some things that can be improved or fixed. Beta testers and feedback are very
much appreciated. The plugin is available from the subversion repository
(https://subversion.verplant.org/collectd/trunk).

Cheers,
Sebastian
-- 
Sebastian tokkee Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/


