On Tue, Feb 17, 2004 at 12:07:44PM +0100, Thomas Gelf wrote:
> Hello together!
>
> I'm new on this list so please be patient with me! My English
> is not that good, but it seems that I'm not alone with this
> problem :o)
>
> We started testing vserver one week ago, I found this great
> project while looking for an alternative to UML which we have
> currently running on different Web-, Mail and DNS-Servers.
>
> UML is great, but I'm not satisfied with the performance of
> Loopback-mounted sparse-files.
>
> We compiled about 30-40 Kernels last week, vserver's documentation
> was not really helpful (please don't hit me :o) - we did some

go ahead, improve it, that's what a wiki is designed for ...

> changes to debian-newvserver.sh to make it possible to run it
> with the exploit-proof "chattr +t /vservers"-directory. If
> someone is interested in it (it was not that difficult) - mail me!

I would suggest sending it to the debian-newvserver maintainer
whoever that might be atm ...

> We haven't been able to compile kernel 2.6, maybe Herbert's
> patch (http://list.linux-vserver.org/archive/vserver/msg06189.html)

it seems to be a debian woody oddity, it was confirmed
that using sarge does solve this issue too, but as it
seems that we can provide a harmless workaround, this
will be included in the next release ...

> will help. Currently we are running 2.4.25-rc2, also using
> context-based disk-limits.

make sure to use static context ids ...

> I'll stop introduction now, let's start with my first question to
> this list: We would like to improve vserver's networking support.
> Like with our UML-Servers we did the following today (on debian):
>
> # apt-get install uml-utilities
> # apt-get install bridge-utils
> # mkdir -p /dev/net
> # mknod -m 660 /dev/net/tun c 10 200
> # chmod 660 /dev/net/tun
> # chown root.uml-net /dev/net/tun // group uml-net added by debian
>
> now stop all your vservers, we did the following on a debian box
> with eth0:192.168.124.100, using this script (change ip addresses):
> ---
> #!/bin/sh
> tunctl -u root -t tom0
> brctl addbr br0
> ifconfig eth0 0.0.0.0 promisc up
> ifconfig tom0 0.0.0.0 promisc up
> ifconfig br0 192.168.124.100 netmask 255.255.255.0 up
> brctl stp br0 off
> brctl setfd br0 1
> brctl sethello br0 1
> brctl addif br0 eth0
> brctl addif br0 tom0
> route add default gw 192.168.124.1
> ---
> this also works during a ssh connection, but I'm not responsible if
> it doesn't - and no, you don't have to use "tom0" :)
>
> change /etc/vservers/XX.conf to match the new interface "tom0".
>
> now we tried to add S_CAPS="CAP_NET_RAW" - tadaaaaaaaaaa!
> just try to use the standard "ping" program. starting a sniffer works, but
> you will see absolutely nothing.

hmm, interesting approach, could you also try it with
the dummy interface (dummy0), that might work as well,
and it might be a simpler? solution ...

> we did all these tests this morning (it's 12:05 in south tyrol/italy now)
> and will go on installing a default web hosting environment on our new
> vservers.
>
> what do you think about this approach? is it secure? is it worth to
> invest time to enhance it? we are not kernel hackers so we need help
> for the following features: hide real interfaces in vservers, show
> them a "eth0" interface instead of "tom0:vs1", add a virtual loopback
> device.

not so fast, but yes, we could probably do a lot of
those things, just think nameif and private namespaces ...

> linux-vserver is a great project, compliments to all guys contributing
> to it. we would like to help to improve this project, doing tests,
> posting our ideas, maybe writing documentation (english with your help,
> german, italian) or little howto's, userspace utilities... And we need
> your feedback to go on faster!

do not let anybody stop you!

HTH,
Herbert

> yours sincerely
> Thomas Gelf
>
>
> --
> Thomas Gelf <[EMAIL PROTECTED]>
>
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
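
Added example, not part of the original thread and not code from the linux-vserver project: CAP_NET_RAW lets a guest open raw and packet sockets (which is why "ping" starts working), so a host admin may want a list of which guests were given it. The sketch assumes the legacy /etc/vservers/*.conf layout with a shell-style S_CAPS="..." line as quoted above and a whitespace-separated capability list; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list legacy vserver guests whose S_CAPS grants CAP_NET_RAW.
# Config files are parsed as text, never sourced, so running the audit as
# root cannot execute anything a guest's config file contains.

# Print the effective S_CAPS value of one config file (last assignment wins).
vserver_caps() {
    sed -n 's/^[[:space:]]*S_CAPS=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Print each guest under $1 (default /etc/vservers) holding capability $2
# (default CAP_NET_RAW). Returns 1 if at least one guest holds it, else 0.
audit_vserver_caps() {
    dir=${1:-/etc/vservers}
    want=${2:-CAP_NET_RAW}
    found=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Assumption: capabilities are separated by spaces or tabs.
        caps=$(vserver_caps "$conf" | tr '\t' ' ')
        case " $caps " in
            *" $want "*) basename "$conf" .conf; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample configs (not from the thread) to try the audit offline.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'S_CAPS="CAP_NET_RAW"\n' > "$tmp/vs1.conf"
    printf 'S_CAPS=""\n' > "$tmp/vs2.conf"
    audit_vserver_caps "$tmp" || echo "guests above can open raw sockets"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The non-zero exit status when a match is found makes the function usable from cron or a monitoring check on the host.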
