[Vserver] Template server files

2004-10-24 Thread Tor Rune Skoglund
Hi List,

when trying to make a good template server, one obviously has
to start and enter the virtual server and test the installation 
of it, add some programs, make config changes in it and so on.

But when using it as a template, some files must be removed
or altered before it is made production ready. AFAICS at
least these have to be changed/deleted:

* ssh keys 
* shell history file
* root password setting
* any standard users' password settings

I am sure there are more, so if any of you experts out there
has additions to the list, please mail me or the list. 
I'll make a summary on the wiki afterwards.

Also, I do not know how well vserver-copy or other copy tools 
handle such files, as the documentation seems to be a bit
sparse on the tools. Any enlightenment on these matters will
be highly appreciated.

Best regards
Tor Rune Skoglund
[EMAIL PROTECTED]

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Cannot set defaultroute under vserver

2004-10-24 Thread TK Lew
hi herbert :

Thanks for the replies.

a. Understood. We cannot set default route inside vserver. It will
mess up the host routing table :) Tested.

I have read the LARTC but until now I still cannot ping or get 
vapt-get  working.

I started a vserver using eth1 and have a ppp0 connection to the internet.

Vserver IP : 192.168.100.200
This is what I did using ip route:

sauron:/etc/iproute2# ip route list table main
203.106.129.217 dev ppp0  proto kernel  scope link  src 210.195.72.82
default via 203.106.129.217 dev ppp0
sauron:/etc/iproute2# echo 200 arsenic >> /etc/iproute2/rt_tables
sauron:/etc/iproute2# ip rule add from 192.168.100.200 table arsenic
sauron:/etc/iproute2# ip rule ls
0:  from all lookup local
32765:  from 192.168.100.200 lookup arsenic
32766:  from all lookup main
32767:  from all lookup default
sauron:/etc/iproute2# ip route add default via 203.106.129.217 dev ppp0 table arsenic
sauron:/etc/iproute2# ip route flush cache
sauron:/etc/iproute2# ip rule ls
0:  from all lookup local
32765:  from 192.168.100.200 lookup arsenic
32766:  from all lookup main
32767:  from all lookup default

sauron:~# vapt-get arsenic --all -- update
vaptget: operating on vserver arsenic
Err http://www.indexdata.dk indexdata/sarge/released Packages
  Temporary failure resolving 'www.indexdata.dk'

b. Figured that out. Using the new config style. Need to create a file
bcapabilities.

c. Can be checked via the bcaps-v13.c file.

Does anybody have a working ip route between ppp0 and vserver via a single gateway?

Thanks!

cheers

On Fri, 22 Oct 2004 19:42:13 +0200, Herbert Poetzl [EMAIL PROTECTED] wrote:
> On Fri, Oct 22, 2004 at 04:37:20PM +0800, TK Lew wrote:
> > hi :
> >
> > I can't seem to set the defaultroute under vserver. Get error message
> > Operation not permitted.
>
> which is actually a Good Thing (TM) as you do not
> want the vserver to mess with your routing tables
>
> see
>
> http://www.linux-vserver.org/index.php?page=Documentation
> (# [iproute2] more than one default gw)
> http://archives.linux-vserver.org/200311/0470.html
>
> > I have put a vserver name.conf under /etc/vserver but when running
> > vserver name start is not reading this config file.
>
> maybe a new style config?
>
> > I added CAP_SYS_ADMIN=yes in the config file.
>
> which means that the vserver root user can do what s/he
> likes with your host ;)
>
> > Thanks for any reply.
>
> best,
> Herbert
>
> > Cheers


Re: [Vserver] Template server files

2004-10-24 Thread Gregory (Grisha) Trubetskoy

Here is what we do in OpenVPS. This is Fedora biased.
I think the utils strategy is copy-everything-then-unify, whereas we stuck 
to hardlink-as-you-copy-then-leave-it-alone. Either strategy is fine, it 
probably depends more on what you're doing. In our case the vserver is 
intended to be passed to a client/customer/etc, so it's best not to touch 
those files once they're released, which is why we've been avoiding vunify.

We pretty much follow these steps:
1. Build a reference server like any other server (there is more than one 
way to do it, we just use rpm and then manually adjust little things, the 
vserver utils use the magic of apt to do it).

2. There is a fixflags script. It walks the tree and sets certain things 
immutable (iunlink to be exact). The strategy is similar to what vunify 
does - we rely on RPM package information, if a file is marked as config 
it is not flagged with iunlink.

3. To make a vserver you have a clone script. The clone script makes 
hard links to files that are iunlink, and copies most everything else. 
Some files are not copied, but just created (touched). The specific clone 
rules we use look like this (these rules make an assumption that the 
reference server is in a pristine state, otherwise you'd need a more 
elaborate set of rules):

CLONE_RULES = {
    'copy'  : ['/etc', '/var', '/root', '^/dev'],
    'touch' : ['/var/log', '/var/run', r'\.bash_history'],
    'skip'  : ['ssh_host_', '.pem$', '/proc/', '/var/tmp/',
               '/var/cache/.*/.+']
}
(this is in python, btw)
This means /etc is always copied, everything in /var/log is always 
touched, .pem files are skipped, etc.

4. If you update the reference server, just go ahead and do it, and 
remember to run the fixflags afterwards, or the clone step will not 
hardlink the new files because they're not iunlink.

Haven't tried vserver-copy, it probably does something similar.
Grisha
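
Added example (not part of the thread and not OpenVPS code): the CLONE_RULES posted above, applied to a small constructed reference tree to show what becomes of the files on the original checklist. The precedence (skip, then touch, then copy), hardlinking of every unmatched file, and the helper names classify, clone and demo are assumptions made for illustration.

```python
import os, re, shutil, tempfile

# Rules exactly as posted in the message above.
CLONE_RULES = {
    'copy':  ['/etc', '/var', '/root', '^/dev'],
    'touch': ['/var/log', '/var/run', r'\.bash_history'],
    'skip':  ['ssh_host_', '.pem$', '/proc/', '/var/tmp/', '/var/cache/.*/.+'],
}
PRECEDENCE = ('skip', 'touch', 'copy')  # assumption: first matching action wins

def classify(path):
    """Action for a path given relative to the reference root, e.g. '/etc/shadow'."""
    for action in PRECEDENCE:
        if any(re.search(p, path) for p in CLONE_RULES[action]):
            return action
    return 'link'  # assumption: unmatched files are the iunlink ones

def clone(ref, dst):
    """Clone regular files from ref into dst and return {path: action}."""
    plan = {}
    for dirpath, _dirs, files in os.walk(ref):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = '/' + os.path.relpath(src, ref).replace(os.sep, '/')
            action = plan[rel] = classify(rel)
            if action == 'skip':
                continue                    # never reaches the new vserver
            out = os.path.join(dst, rel.lstrip('/'))
            os.makedirs(os.path.dirname(out), exist_ok=True)
            if action == 'touch':
                open(out, 'w').close()      # file exists, contents dropped
            elif action == 'copy':
                shutil.copy2(src, out)      # private copy, contents kept
            else:
                os.link(src, out)           # shares the reference inode
    return plan

def demo():
    """Clone a constructed reference tree; return (plan, destination dir)."""
    base = tempfile.mkdtemp()
    ref, dst = os.path.join(base, 'ref'), os.path.join(base, 'new')
    for rel in ['/etc/ssh/ssh_host_rsa_key', '/etc/httpd/server.pem',
                '/etc/shadow', '/root/.ssh/authorized_keys',
                '/root/.bash_history', '/var/log/messages', '/usr/bin/tool']:
        path = os.path.join(ref, rel.lstrip('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as f:
            f.write('constructed sample\n')
    return clone(ref, dst), dst
```

Under these assumptions the host key and the .pem file are left out and the shell history and logs arrive empty, while /etc/shadow and /root/.ssh/authorized_keys are copied with their contents. The password items on the checklist are therefore only covered if the reference server really is in the pristine state the rules assume.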