On Sun, 15 Dec 2002, Adam H. Pendleton wrote:

> I am about to replace the rh7.3-minimal file with a list of packages of my
> own choosing, composed of the packages installed by RedHat when using the
> categories I select at install time (Print Support, etc.). In other words,
> this file will contain all the packages that are installed in the root
> system. The reason for this is that I need each vserver to appear as
> identical to the "master" server as possible, in terms of utilities,
> programs, packages, etc.

You could use "vserver nameofserver build" for this. That'll get you all the packages in the root server, complete with unification where disk partitioning allows.

> My question is: are there any of these packages that I should NOT
> include in this list? I am assuming that because vserver is really just
> about changing the context of processes, that changes to the kernel,
> through means such as iptables, will affect all vservers? Does that
> mean I should avoid installing the ipchains/iptables packages, because I
> do not want users of this vserver to be able to inadvertently change the
> firewall configuration of any other vserver? Is this sort of behavior
> protected by vserver?

Vservers CANNOT talk to the kernel or otherwise make trouble unless you give them extra capabilities in the .conf file (S_CAPS="" is default). This makes it pretty safe to run less-trusted programs (and users!) in a vserver.

iptables and ipchains won't run in a vserver. You'll get a message about needing to insmod, if memory serves.

I've seen kudzu eat 100% cpu in a vserver while trying to find hardware to detect. I'd avoid it.

You might like to have a look at http://www.paul.sladen.org/vserver/faq/ . Paul has some good info collected there. :)

Cathy
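An added example, not part of the original message: a shell check that lists every vserver whose .conf sets a non-empty S_CAPS, so any guest that has been given extra kernel capabilities stands out. It assumes each `<name>.conf` is a shell-style file with an `S_CAPS="..."` line and takes the configuration directory as an argument; the sample files, vserver names and capability values are constructed for the demonstration (CAP_NET_ADMIN is the Linux capability that covers firewall changes).

```shell
#!/bin/sh
# Added example: report vservers whose .conf grants extra capabilities.
# Assumption: <name>.conf holds shell-style assignments such as S_CAPS="...".

# audit_s_caps DIR
# Prints "name: capabilities" for every DIR/*.conf with a non-empty S_CAPS.
audit_s_caps() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        # Use the last uncommented assignment (a later line overrides an
        # earlier one), drop any trailing comment, then drop the quotes.
        caps=$(sed -n 's/^[[:space:]]*S_CAPS=//p' "$conf" \
            | tail -n 1 \
            | sed 's/[[:space:]]*#.*$//' \
            | tr -d "\"'")
        if [ -n "$caps" ]; then
            printf '%s: %s\n' "$name" "$caps"
        fi
    done
    return 0
}

# write_sample_confs DIR
# Creates constructed sample configuration files for the demonstration.
write_sample_confs() {
    printf 'S_CAPS=""\n' > "$1/web.conf"
    printf 'S_CAPS="CAP_NET_RAW"\n' > "$1/mail.conf"
    # A commented-out grant must not be reported.
    printf '# S_CAPS="CAP_NET_ADMIN"\nS_CAPS=""\n' > "$1/test.conf"
    printf 'S_CAPS="CAP_NET_ADMIN CAP_NET_RAW"  # constructed\n' > "$1/gw.conf"
}

# Demonstration on the constructed files; point audit_s_caps at the real
# configuration directory on a host to audit it.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
audit_s_caps "$demo_dir"
rm -rf "$demo_dir"
```

A vserver left at the default `S_CAPS=""` produces no output; any line printed is a guest worth reviewing.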