[Vserver] Re: Conversion script for legacy config files to new config directory
Hi Dennis,

Dennis Roos wrote (some time ago):
> After half an hour of scripting I came up with a somewhat working conversion script for Linux-VServer configs to the new directory configuration layout. It has been created for my specific environment, but I hope it helps someone ;)

I used your vscfg-conf.sh for my migration to the new config layout. Thanks for providing this! I adopted it and corrected the handling of multiple network devices. Also I set the flag /apps/init/mark to default so that the vserver is started via /etc/init.d/vserver-default (under Debian at least ;-))

So I want to share these changes too.

Kind regards
Dirk

vscfg-convert.sh
Description: application/shellscript

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] is DMZ on dummy[0-9] good practice
Hi all,

I just installed (that means 14 days ago) linux-vserver and run ~12 vservers on one physical box running different services inside every vserver (mail server, web server, etc.). It works great! The iptables firewall (via firehol) is filtering all the traffic for the vservers.

I wanted to have a DMZ and installed an additional network card to bind all these vservers to. But then I discovered the dummy device and want to change eth1 against dummy0 (after installing the dummy module ;-) and remove the additional network card from the server if it can be done.

But first I want to know if this is common (=good) practice. Or should I rather tinker with bridge and tun devices? The mailing list shows many things possible (vlan, bridge, dummy), but I can't see what the best practices are.

If I can gather all the information needed, then I am willing to write some doku in the wiki at linux-vserver.org :-)

Thanks for your advice.

Greetings
Dirk
Re: [Vserver] Re: Conversion script for legacy config files to new config directory
On Sat, Aug 13, 2005 at 08:21:29AM +0200, Dirk Ruediger wrote:
> Hi Dennis,
>
> Dennis Roos wrote (some time ago):
> > After half an hour of scripting I came up with a somewhat working conversion script for Linux-VServer configs to the new directory configuration layout. It has been created for my specific environment, but I hope it helps someone ;)
>
> I used your vscfg-conf.sh for my migration to the new config layout. Thanks for providing this! I adopted it and corrected the handling of multiple network devices. Also I set the flag /apps/init/mark to default so that the vserver is started via /etc/init.d/vserver-default (under Debian at least ;-))
>
> So I want to share these changes too.

excellent, thanks a lot ...

> Kind regards
> Dirk
Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1
[ Oops, sorry Herbert... my initial reply only went to you.. sorry! ]

On Sat, Aug 13, 2005 at 03:43:37AM +0200, Herbert Poetzl wrote:
> On Fri, Aug 12, 2005 at 09:03:39PM -0400, Stephen Harris wrote:
> > use bind mounts because I want the vservers to only have read-only access to the filesystem, and bind mounts don't (or didn't, last time I tried) allow changes in permissions between the original location and the bound location.
>
> yeah, right, that's where my BME (Bind Mount Extension) patches come into play (fixing this mainline 'bug/feature')

Does this patch work with the 1.2 series? I can't use the 2.0 series vserver because of my requirement for 2.4 kernels :-(

> > # Select an unused context (this is optional)
> > # The default is to allocate a free context on the fly
> > # In general you don't need to force a context
>
> what defaults are those?

That's what was created by the install-fc1 script which came with util-vserver-0.30-0.

> > guest. So will the request come from the guest's IP address, or will it fall through to the host, and the host make the request.
>
> the host will make the request, but with the guest's ip (NFS isn't really supported with 2.4/1.2.x)
>
> > Yeah, it seems to be a little messy :-)
>
> well, it is how networking works right now :)

I can understand _why_ things happen the way they happen, I'm just surprised it worked at all. I guess the Linux NFS server has a security issue; as long as the filehandle information works it doesn't check that the IP address matches the original mount IP address. In this case, luckily, good!

> > Yeah, it's very annoying. Alan Cox has a lot to say about it!
>
> he probably has ... fixing it would be better, though :)

The 2.6 maintainers don't agree with Alan, so there's an issue :-( I haven't checked the latest 2.6 kernels, but last month the issue still seemed to be unresolved. I'd _love_ to move to 2.6 and replace my FC1 system, but it seems I can't (or else pay money for USB enclosures...).

--
rgds
Stephen
Re: [Vserver] clone-script?
On Sat, Aug 13, 2005 at 09:47:42AM +0200, Dirk Ruediger wrote:
> Hi Andreas,
>
> Andreas John wrote:
> > Hello! Did anyone already create a script that copies an existing guest to a new name and changes ip/context/name etc. within (for debian in my case)?
>
> I'm using /usr/sbin/dupvserver from the vserver-debiantools package. Works very well. It should be in stable.

the 'copy' part (for the configuration) from vserver-debiantools 0.1.10 shows clearly that it _only_ supports legacy config (which is older than a year now and deprecated) ...

| if [ ! -r /etc/vservers/$TO.conf -o $FORCE = yes ] ; then
|     cp /etc/vservers/$FROM.conf /etc/vservers/$TO.conf
|     perl -pi -e "s#$FROM#$TO#g;" \
|         /etc/vservers/$TO.conf
|     if [ $FROMIP != $TOIP ] ; then
|         perl -pi -e "s#$FROMIP#$TOIP#g;" \
|             /etc/vservers/$TO.conf
|     fi
|     if [ $FROMDEV != $TODEV -a -n $TODEV ] ; then
|         perl -pi -e "s#$FROMDEV#$TODEV#g;" \
|             /etc/vservers/$TO.conf
|     fi
| fi

also it seems to assume that you use a single IP with a very specific network setup, otherwise I would not see how it could work correctly ...

|     FROMNAME=$S_HOSTNAME
|     FROMIP=$IPROOT
|     FROMDEV=$IPROOTDEV
|     ;;

 - it doesn't handle IPROOTMASK or IPROOTBCAST
 - it doesn't handle more complex IPROOT setups correctly like eth0:192.168.0.1/255.255.255.0

and probably a bunch of other issues if you dig into it ...

until a 'proper' solution is presented by Enrico the 'best' way to copy a vserver guest is to do it like this:

  vserver new build -m skeleton ...options...
  rm -rf /path/to/new
  cp -va /path/to/old /path/to/new

unfortunately this will destroy external package management and might have other unwanted side effects and I really hope that there will be a proper solution soon ...

best,
Herbert

> HTH
> Dirk
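
The IPROOT forms named in the message above are what a copy or conversion script has to split apart before it can change an address without touching a longer one that merely starts with the same digits. An added example, not part of any post in this thread and not code from vserver-debiantools or util-vserver: a POSIX shell parser and exact-match rewriter for a legacy IPROOT value. It assumes space-separated IPv4 entries shaped [dev:]ip[/mask] with IPROOTDEV and IPROOTMASK as fallbacks; the function names and sample values are constructed.

```sh
#!/bin/sh
# Added example: split a legacy IPROOT value into dev/ip/mask fields and
# rewrite one address by exact match. Assumed format: space-separated
# entries shaped [dev:]ip[/mask]; IPv4 only.

# parse_entry ENTRY [DEFAULT_DEV] [DEFAULT_MASK] -> prints "dev ip mask"
# ("-" marks a field found neither in the entry nor in the defaults).
parse_entry() {
    entry=$1 dev=${2:--} mask=${3:--}
    case $entry in
        *:*) dev=${entry%%:*}; entry=${entry#*:} ;;
    esac
    case $entry in
        */*) mask=${entry#*/}; entry=${entry%%/*} ;;
    esac
    printf '%s %s %s\n' "$dev" "$entry" "$mask"
}

# parse_iproot IPROOT [IPROOTDEV] [IPROOTMASK] -> one "dev ip mask" line per entry
parse_iproot() {
    for e in $1; do
        parse_entry "$e" "$2" "$3"
    done
}

# replace_ip IPROOT FROMIP TOIP -> IPROOT with FROMIP swapped for TOIP only
# where the address field equals FROMIP exactly; dev and mask parts are kept.
# A plain substring substitution would also rewrite 192.168.0.10 below.
replace_ip() {
    out=
    for e in $1; do
        pre= ip=$e post=
        case $ip in *:*) pre=${ip%%:*}:; ip=${ip#*:} ;; esac
        case $ip in */*) post=/${ip#*/}; ip=${ip%%/*} ;; esac
        [ "$ip" = "$2" ] && ip=$3
        out="$out${out:+ }$pre$ip$post"
    done
    printf '%s\n' "$out"
}

# Constructed sample value covering the forms named in the message above.
SAMPLE='eth0:192.168.0.1/255.255.255.0 192.168.0.10 eth1:10.0.0.1'
parse_iproot "$SAMPLE" eth0 255.255.255.0
replace_ip "$SAMPLE" 192.168.0.1 192.168.0.21
```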
Re: [Vserver] is DMZ on dummy[0-9] good practice
On Sat, Aug 13, 2005 at 09:37:13AM +0200, Dirk Ruediger wrote:
> Hi all,
>
> I just installed (that means 14 days ago) linux-vserver and run ~12 vservers on one physical box running different services inside every vserver (mail server, web server, etc.). It works great! The iptables firewall (via firehol) is filtering all the traffic for the vservers.

great! sounds like the way it's supposed to be ...

> I wanted to have a DMZ and installed an additional network card to bind all these vservers to. But then I discovered the dummy device and want to change eth1 against dummy0 (after installing the dummy module ;-) and remove the additional network card from the server if it can be done.

sure, that can be done ...

> But first I want to know if this is common (=good) practice. Or should I rather tinker with bridge and tun devices? The mailing list shows many things possible (vlan, bridge, dummy), but I can't see what the best practices are.

actually it doesn't really matter which device you 'bind' the address to, because the interface will not be used for outgoing packets (if it isn't the proper route, which is very unlikely with a dummy device) and it will not be used for local traffic either ...

bridge/tun sounds funny, but nobody could explain to me the purpose/feature/idea behind that ...

> If I can gather all the information needed, then I am willing to write some doku in the wiki at linux-vserver.org :-)

so IMHO dummy0 should be what you want, but don't assume that packets will originate from there or leave through this interface (otherwise your setup is very broken)

HTH,
Herbert

> Thanks for your advice.
>
> Greetings
> Dirk
Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1
On Fri, Aug 12, 2005 at 10:25:44PM -0400, Stephen Harris wrote:
> On Sat, Aug 13, 2005 at 03:43:37AM +0200, Herbert Poetzl wrote:
> > On Fri, Aug 12, 2005 at 09:03:39PM -0400, Stephen Harris wrote:
> > > use bind mounts because I want the vservers to only have read-only access to the filesystem, and bind mounts don't (or didn't, last time I tried) allow changes in permissions between the original location and the bound location.
> >
> > yeah, right, that's where my BME (Bind Mount Extension) patches come into play (fixing this mainline 'bug/feature')
>
> Does this patch work with the 1.2 series? I can't use the 2.0 series vserver because of my requirement for 2.4 kernels :-(

there is a patch for 2.4 kernels, but it was not combined with linux-vserver (1.2.x) yet ... provided there is some interest and somebody (you?) is willing to test it, I see no problem to provide one ...

> > > # Select an unused context (this is optional)
> > > # The default is to allocate a free context on the fly
> > > # In general you don't need to force a context
> >
> > what defaults are those?
>
> That's what was created by the install-fc1 script which came with util-vserver-0.30-0.

hmm, how old is that package?

> > > guest. So will the request come from the guest's IP address, or will it fall through to the host, and the host make the request.
> >
> > the host will make the request, but with the guest's ip (NFS isn't really supported with 2.4/1.2.x)
> >
> > > Yeah, it seems to be a little messy :-)
> >
> > well, it is how networking works right now :)
>
> I can understand _why_ things happen the way they happen, I'm just surprised it worked at all. I guess the Linux NFS server has a security issue; as long as the filehandle information works it doesn't check that the IP address matches the original mount IP address. In this case, luckily, good!

depends on the version, nowadays nobody uses NFS below vers=3 (nobody expecting it to work, that is) and usually tcp based (instead of udp) ...

> > > Yeah, it's very annoying. Alan Cox has a lot to say about it!
> >
> > he probably has ... fixing it would be better, though :)
>
> The 2.6 maintainers don't agree with Alan, so there's an issue :-( I haven't checked the latest 2.6 kernels, but last month the issue still seemed to be unresolved. I'd _love_ to move to 2.6 and replace my FC1 system, but it seems I can't (or else pay money for USB enclosures...).

well, I don't remember an IDE hotplug standard by default, I know that some SATA enclosures support it ... but hey there is the source, use it ...

> --
> rgds
> Stephen
Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1
On Sat, Aug 13, 2005 at 12:56:13PM +0200, Herbert Poetzl wrote:
> On Fri, Aug 12, 2005 at 10:25:44PM -0400, Stephen Harris wrote:
> > On Sat, Aug 13, 2005 at 03:43:37AM +0200, Herbert Poetzl wrote:
> > Does this patch work with the 1.2 series? I can't use the 2.0 series vserver because of my requirement for 2.4 kernels :-(
>
> there is a patch for 2.4 kernels, but it was not combined with linux-vserver (1.2.x) yet ... provided there is some interest and somebody (you?) is willing to test it, I see no problem to provide one ...

I'll happily test! The host is an NFS server for my home network and doesn't do much else, so I can reboot it as needed, when I'm at home :-)

> > That's what was created by the install-fc1 script which came with util-vserver-0.30-0.
>
> hmm, how old is that package?

It's the one downloaded from http://www.13thfloor.at/vserver/s_release/v1.2.10/util-vserver-0.30.tar.bz2

[ Re IDE hotswap ]

> well, I don't remember an IDE hotplug standard by default, I know that some SATA enclosures support it ... but hey

In the 2.4 series you could do

    % hdparm -b 0 /dev/hdg
    /dev/hdg:
     setting bus state to 0 (off)
     busstate = 0 (off)

and that would turn off the IDE bus (from the kernel perspective) allowing you to swap disks on that bus (so something like a hotswap enclosure is fine, ensuring you remove physical power from the device before swapping it). Then you can do another hdparm and the kernel would redetect devices on that IDE bus:

    % hdparm -b 1 /dev/hdg
    /dev/hdg:
     setting bus state to 1 (on)
     busstate = 1 (on)

And the following shows in dmesg output:

    Probing IDE interface ide3...
    hdg: Maxtor 6Y120P0, ATA DISK drive
    ide: drives found on hot-added interface.
    blk: queue c03462fc, I/O limit 4095Mb (mask 0x)
    hdg: attached ide-disk driver.
    hdg: host protected area = 1
    hdg: 240121728 sectors (122942 MB) w/7936KiB Cache, CHS=238216/16/63, UDMA(133)

> there is the source, use it ...

Unfortunately the changes between 2.4 and 2.6 make this non-trivial :-( My memory is saying that /dev/hdg (in my case) becomes unusable after the bus state is turned off, so we can't add the device back again, and this is quite low level in the device management handler. (But I could be wrong!)

--
rgds
Stephen
Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1
> there is a patch for 2.4 kernels, but it was not combined with linux-vserver (1.2.x) yet ... provided there is some interest and somebody (you?) is willing to test it, I see no problem to provide one ...

I've been using this combination for over a year now without issues.

--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Total Existence Failure
Re: [Vserver] clone-script?
Hi,

Herbert Poetzl wrote:
> On Sat, Aug 13, 2005 at 09:47:42AM +0200, Dirk Ruediger wrote:
> > Hi Andreas,
> >
> > Andreas John wrote:
> > > Hello! Did anyone already create a script that copies an existing guest to a new name and changes ip/context/name etc. within (for debian in my case)?
> >
> > I'm using /usr/sbin/dupvserver from the vserver-debiantools package. Works very well. It should be in stable.
>
> the 'copy' part (for the configuration) from vserver-debiantools 0.1.10 shows clearly that it _only_ supports legacy config (which is older than a year now and deprecated) ...

I just discovered it too (because I just converted my config from legacy style). Now I kept my legacy config for the template vserver, create clones and convert the old-style config of the clone to the new config layout. It's a bit awkward, but seems to work. For me at least ;-)

Greetings
Dirk
RE: [Vserver] is DMZ on dummy[0-9] good practice
> I wanted to have a DMZ and installed an additional network card to bind all these vservers to. But then I discovered the dummy device and want to change eth1 against dummy0 (after installing the dummy module ;-) and remove the additional network card from the server if it can be done.
>
> But first I want to know if this is common (=good) practice. Or should I rather tinker with bridge and tun devices? The mailing list shows many things possible (vlan, bridge, dummy), but I can't see what the best practices are.
>
> If I can gather all the information needed, then I am willing to write some doku in the wiki at linux-vserver.org :-)

Dirk,

If you feel capable and have the time, I suspect many would enjoy reading a mini how-to explaining the set up of a virtual LAN like you're doing. It seems like the subject comes up often enough for it to be a useful reference.

--
Matthew Nuzum [EMAIL PROTECTED]
www.followers.net - Makers of Elite Content Management System
View samples of Elite CMS in action by visiting http://www.followers.net/portfolio/
Re: [Vserver] utils' fix01 : build problem
On Sat, Aug 13, 2005 at 04:07:30AM +0200, intrigeri wrote:
> Hello,
>
> Herbert Poetzl wrote (12 Aug 2005 17:37:02 +0200) :
> > On Fri, Aug 12, 2005 at 03:58:15PM +0200, intrigeri wrote:
> > > Hello, on a Debian Sarge PPC box (gcc 3.3.5), compiling and running util-vserver 0.30.208 works perfectly, but after applying the fix01 patch on a fresh source tree configuring as usual, make fails :
> >
> > is this PPC or PPC64?
>
> It's PPC.

hmm, strange ... maybe special/unusual/broken? binutils?

> > I just compiled the tools, from the tar as well as the rpm on my powerpc notebook, and it just worked fine (both times with the fix01)
> >
> > Mandrake Linux release 9.1 (Bamboo) for ppc
> > gcc (GCC) 3.3.5 (Mandrake Linux 9.1 3.3.5-1mdk)
> > GNU ld version 2.15.90.0.3 20040415
> >
> > could you arrange an account there for me?
>
> I'm sorry, I can't.

np, I assume your binutils are to blame ... but we'll see

> P.S.: I read the list, no need to Cc: me :)

I usually just reply to everyone :) and my mail setup filters incoming duplicates (in case I'm subscribed somewhere) but when I manage to remember, I'll do a list only reply on your emails ...

best,
Herbert

> Ciao,
> --
> intrigeri [EMAIL PROTECTED]