[Vserver] Template server files
Hi List, when trying to make a good template server, one obviously has to start and enter the virtual server and test the installation of it, add some programs, make config changes in it and so on. But when using it as a template, some files must be removed or altered before it is made production ready. AFAICS at least these have to be changed/deleted: * ssh keys * shell history file * root password setting * any standard users password settings I am sure there are more, so if any of you experts out there has additions to the list, please mail me or the list. I'll make a summary on the wiki afterwards. Also, I do not know how well vserver-copy or other copy tools handle such files, as the documentation seems to be a bit sparse on the tools. Any enlightment on these matters will be highly appreciated. Best regards Tor Rune Skoglund [EMAIL PROTECTED] ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Cannot set defaultroute under vserver
hi herbert : Thank for the replies . a. Understood. We cannot set default route inside vserver. It will mess up the host routing table :) Tested. I have read the LARTC but until now I still cannot ping or get vapt-get working. I started the a vserver using eth1 and have a ppp0 connection to the internet. Vserver IP : 192.168.100.200 This what i did using ip route :: sauron:/etc/iproute2# ip route list table main 203.106.129.217 dev ppp0 proto kernel scope link src 210.195.72.82 default via 203.106.129.217 dev ppp0 sauron:/etc/iproute2# echo 200 arsenic /etc/iproute2/rt_tables sauron:/etc/iproute2# ip rule add from 192.168.100.200 table arsenic sauron:/etc/iproute2# ip rule ls 0: from all lookup local 32765: from 192.168.100.200 lookup arsenic 32766: from all lookup main 32767: from all lookup default sauron:/etc/iproute2# ip route add default via 203.106.129.217 dev ppp0 table arsenic sauron:/etc/iproute2# ip route flush cache sauron:/etc/iproute2# ip rule ls 0: from all lookup local 32765: from 192.168.100.200 lookup arsenic 32766: from all lookup main 32767: from all lookup default sauron:~# vapt-get arsenic --all -- update vaptget: operating on vserver arsenic Err http://www.indexdata.dk indexdata/sarge/released Packages Temporary failure resolving 'www.indexdata.dk' b. figure that out. using the new config style . Need to create a file bcapabiities. c. can be check via the bcaps-v13.c file. anybody have a working ip route between ppp0 and vserver via a single gateway. Thank ! cheers On Fri, 22 Oct 2004 19:42:13 +0200, Herbert Poetzl [EMAIL PROTECTED] wrote: On Fri, Oct 22, 2004 at 04:37:20PM +0800, TK Lew wrote: hi : I can't seem to set the defaultroute under vserver. Get error message Operation not permitted. which is actually a Good Thing (TM) as you do not want the vserver to mess with your routing tables see http://www.linux-vserver.org/index.php?page=Documentation (# [iproute2] more than one default gw) http://archives.linux-vserver.org/200311/0470.html I have put a vserver name.conf under /etc/vserver but when running vserver name start is not reading this config file. maybe a new style config? I added CAP_SYS_ADMIN=yes in the config file. which means that the vserver root user can do what s/he likes with your host ;) Thank for any reply. best, Herbert Cheers ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Template server files
Here is what we do in OpenVPS. This is Fedora biased. I think the utils strategy is copy-everything-then-unify, whereas we stuck to hardlink-as-you-copy-then-leave-it-alone. Either strategy is fine, it probably more depends on what you're doing. In our case the vserver is intended to passed to a client/customer/etc, so it's best not to touch those files once they're released, which why we've been avoiding vuinify. We pretty much follow these steps: 1. Build a reference server like any other server (there is more than one way to do it, we just use rpm and then manually adjust little things, the vserver utils use the magic of apt to do it). 2. There is a fixflags script. It walks the tree and sets certain things immutable (iunlink to be exact). The strategy is similar to what vunify does - we rely on RPM package information, if a file is marked as config it is not flagged with iunlink. 3. To make a vserver you have a clone script. The clone script makes hard links to files that are iunlink, and copies most everything else. Some files are not copied, but just created (touched). The specific clone rules we use look like this (these rules make an assumption that the reference server is in a pristine state, otherwise you'd need a more elaborate set of rules): CLONE_RULES = { 'copy' : ['/etc', '/var', '/root', '^/dev'], 'touch' : ['/var/log', '/var/run', '\.bash_history'], 'skip' : ['ssh_host_', '.pem$', '/proc/', '/var/tmp/', '/var/cache/.*/.+'] } (this is in python, btw) This means /etc is always copied, everything in /var/log is always touched, .pem files are skipped, etc. 4. If you update the reference server, just go ahead and do it, and remember to run the fixflags afterwards, or the clone step will not hardlink the new files because they're not iunlink. Haven't tried vserver-copy, it probably does something similar. Grisha On Sun, 24 Oct 2004, Tor Rune Skoglund wrote: Hi List, when trying to make a good template server, one obviously has to start and enter the virtual server and test the installation of it, add some programs, make config changes in it and so on. But when using it as a template, some files must be removed or altered before it is made production ready. AFAICS at least these have to be changed/deleted: * ssh keys * shell history file * root password setting * any standard users password settings I am sure there are more, so if any of you experts out there has additions to the list, please mail me or the list. I'll make a summary on the wiki afterwards. Also, I do not know how well vserver-copy or other copy tools handle such files, as the documentation seems to be a bit sparse on the tools. Any enlightment on these matters will be highly appreciated. Best regards Tor Rune Skoglund [EMAIL PROTECTED] ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver