Difference between revisions of "Frequently Asked Questions"

From Linux-VServer

m (Minor fixes to "Bind9 does not like to start in my guest" section)
(Various cleanups and corrections)
Line 18: Line 18:
  
 
{{Question|Question=Which distributions did you test?||Details=
 
{{Question|Question=Which distributions did you test?||Details=
A: Some. Check out the wiki for ready-made guest images. But you can easily build own guest images, e.g. with Debian's debootstrap. Checkout ((step-by-step Guide 2.6)) how to do that.|Signature=derjohn}}
+
A: Some. Check out the wiki for ready-made guest images. But you can easily build own guest images, e.g. with Debian's debootstrap. Checkout ((Building Guest Systems)) how to do that.|Signature=derjohn}}
  
 
{{Question|Question=Is VServer comparable to XEN/UML/QEMU?||Details=
 
{{Question|Question=Is VServer comparable to XEN/UML/QEMU?||Details=
Line 41: Line 41:
  
 
{{Question|Question=Disk I/O limiting? Is that possible?||Details=
 
{{Question|Question=Disk I/O limiting? Is that possible?||Details=
A: Well, since vs2.1.1 linux-vserver supports a mechanism called 'I/O scheduling', which appeared in the 2.6 mainline some time ago. The mainline kernel offers several I/O schedulers:
+
A: Well, since vs2.1.1 Linux-VServer supports a mechanism called 'I/O scheduling', which appeared in the 2.6 mainline some time ago. The mainline kernel offers several I/O schedulers:
  
 
<pre>
 
<pre>
Line 82: Line 82:
 
The default is tgid, which means to share fairly among process groups. Think every guest is treated like a own process group. It's not possible to set a scheduler strategy within a guest. All processes belonging to the same guest are treated like "noop" within the guest. So: If you run apache and some ftp-server within the _same_ guest, there is no fair scheduling between them, but there is fair scheduling between the whole guest and all other guests.
 
The default is tgid, which means to share fairly among process groups. Think every guest is treated like a own process group. It's not possible to set a scheduler strategy within a guest. All processes belonging to the same guest are treated like "noop" within the guest. So: If you run apache and some ftp-server within the _same_ guest, there is no fair scheduling between them, but there is fair scheduling between the whole guest and all other guests.
  
And: It's possible to tune the scheduler parameters in several ways. Have a look at /sys/block/hdc/queue/....
+
And: It's possible to tune the scheduler parameters in several ways. Have a look at /sys/block/hdc/queue/....|Signature=derjohn}}
  
You need a very recent Version of VS devel, e.g. the 2.1.1-rc18 can do it. Some older version have that feature too, then it got lost and was reinvented. So: Go and get a rc18 - only in 'devel', not stable!|Signature=derjohn}}
+
{{Question|Question=Why isn't there a device /dev/xyz within a guest?||Details=
 +
A: Device nodes allow userspace to access hardware (or virtual resources). Creating a device node inside the guest's namespace will give access to that device, so for security reasons, the number of 'given' devices is small.|Signature=derjohn}}
  
{{Question|Question=Why isn't there a device /dev/bla? within a guest||Details=
+
{{Question|Question=What is unification (vunify)?||Details=
A: Device nodes allow Userspace to access hardware (or virtual resources). Creating a device node inside the guest's namespace will give access to that device, so for security reasons, the number of 'given' devices is small.|Signature=derjohn}}
+
 
+
{{Question|Question=What is Unification (vunify)?||Details=
+
 
A: Unification is Hard Links on Steroids. Guests can 'share' common files (usually binaries and libraries) in a secure way, by creating hard links with special properties (immutable but unlinkable (removable)). The tool to identify common files and to unify them is called vunify.|Signature=derjohn}}
 
A: Unification is Hard Links on Steroids. Guests can 'share' common files (usually binaries and libraries) in a secure way, by creating hard links with special properties (immutable but unlinkable (removable)). The tool to identify common files and to unify them is called vunify.|Signature=derjohn}}
  
Line 110: Line 108:
 
|Signature=derjohn}}
 
|Signature=derjohn}}
  
{{Question|Question=With which VS version should I begin?||Details=
+
{{Question|Question=With which version should I begin?||Details=
A: If you are new to VServer I recommend to try 2.0.+. Take "alpha utils" Version 0.30.210. In Debian Sid there appeared well running version of it recently. (It's  a .210 at the time of writing).|Signature=derjohn}}
+
A: If you are new to VServer I recommend to try the latest stable kernel patch, and the latest util-vserver "alpha" release.|Signature=derjohn}}
  
{{Question|Question=is there a way to implement "user/group quota" per VServer?||Details=
+
{{Question|Question=Is there a way to implement "user/group quota" per VServer?||Details=
 
A: Yes, but not on a shared partition for now. You need to put the guest on a separate partition, setup a vroot device (to make the quota access secure), copy that into the guest, and adjust the mtab line inside the guest.|Signature=derjohn}}
 
A: Yes, but not on a shared partition for now. You need to put the guest on a separate partition, setup a vroot device (to make the quota access secure), copy that into the guest, and adjust the mtab line inside the guest.|Signature=derjohn}}
  
{{Question|Question=what about "Quota" for a context?||Details=
+
{{Question|Question=What about "Quota" for a context?||Details=
A: Context quotas are now called Disk Limits (so that we can tell them apart from the user/group quotas :). They are supported out of the box (with vs2.0) for all major filesystems (Ext2/3, ReiserFS, XFS, JFS)|Signature=derjohn}}
+
A: Context quotas are now called Disk Limits (so that we can tell them apart from the user/group quotas :). They are supported out of the box (with vs2.0+) for all major filesystems (ext2/3, ReiserFS, JFS)|Signature=derjohn}}
  
 
{{Question|Question=Does it support IPv6?||Details=
 
{{Question|Question=Does it support IPv6?||Details=
A: Currently not. Some developer has to move his ... to reimplement this functionality from the V4 code (I read that on the ML ;)). Will probably be superseded by the ngnet (next generation networking) soon. There is a Wiki page regarding this: http://linux-vserver.org/IPv6|Signature=derjohn}}
+
A: Currently it requires an additional patch, but the functionality should be available in 2.3+ soon. ((IPv6)) has more information.|Signature=derjohn}}
  
 
{{Question|Question=I can't do all I want with the network interfaces inside the guest?||Details=
 
{{Question|Question=I can't do all I want with the network interfaces inside the guest?||Details=
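Review bot: the Disk Limits answer in this hunk drops XFS from the list of supported filesystems ("ext2/3, ReiserFS, JFS") without saying why, while the fstab answer further down this page mounts a guest root from /dev/drbd0 as xfs, so a reader is left guessing whether Disk Limits now fail on XFS; either restore XFS or state explicitly that it is unsupported. In the same hunk the "With which version should I begin?" answer went from a concrete version (0.30.210) to "the latest stable kernel patch, and the latest util-vserver alpha release", which is harder to act on; naming the current pair, or linking to where it is announced, keeps the answer checkable.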
Line 132: Line 130:
  
 
{{Question|Question=What is the "great flower page"?||Details=
 
{{Question|Question=What is the "great flower page"?||Details=
A. Well, this page contains all configation options for vserver in version > 1.9 (I think .. I joined Linux-VServer in version 2, so I don't know for sure). The name of the page is derivived from the stylesheet(s) it contains: It displays background pictures of a very great flower, so regard it as highly optimized. It was designed by a non-designer, who asks us to create a better one. I played with the thought of creating a complete new theme for that page - but actually we all got used to the name "great flower page", so we stick to it. If you are unable to read it clearly, feel invited to join the IRC channel #vserver, we may tell you how to ;)|Signature=derjohn}}
+
A. Well, [http://www.nongnu.org/util-vserver/doc/conf/configuration.html this page] contains all configuration options for util-vserver. The name of the page is derived from the stylesheet(s) it contains.|Signature=derjohn}}
 
   
 
   
 
{{Question|Question=How do I add several IPs to a vserver? ||Details=
 
{{Question|Question=How do I add several IPs to a vserver? ||Details=
A: First of all a single guest vserver only supports up to 16 IPs (There is a 64-IP patch available, which is in "derjohn's kernel", you need extra util-vserver anyway).
+
A: First of all a single guest vserver only supports up to 16 IPs (There is a 64-IP patch available, which is in "derjohn's kernel").
 
Here is a little helper-script that adds a list of IPs defined in a text file, one per line.
 
Here is a little helper-script that adds a list of IPs defined in a text file, one per line.
 
<pre>
 
<pre>
Line 144: Line 142:
 
         mkdir $j
 
         mkdir $j
 
         echo $i > $j/ip
 
         echo $i > $j/ip
        echo $i > $j/ip-old
 
 
         echo "24" > $j/prefix
 
         echo "24" > $j/prefix
 
done
 
done
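Review bot: mkdir $j and echo $i > $j/ip in the retained context lines operate on the current working directory, and nothing visible in this hunk changes into /etc/vservers/<guest>/interfaces/ first, so a run from the wrong directory silently litters numbered subdirectories there. Put a cd to the guest's interfaces directory (or take it as an argument) at the top of the script, and quote "$j" and "$i" so a stray blank in myiplist does not break the mkdir.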
Line 154: Line 151:
 
iptables -t nat -I POSTROUTING -s $VSERVER_NETZ  ! -d $VSERVER_NETZ -j SNAT --to $EXT_IP
 
iptables -t nat -I POSTROUTING -s $VSERVER_NETZ  ! -d $VSERVER_NETZ -j SNAT --to $EXT_IP
 
</pre>
 
</pre>
See: HowtoPrivateNetworking and  
+
See: [[HowtoPrivateNetworking]] and  
 
http://www.tgunkel.de/it/software/doc/linux_server.en#h3-VServer_Masquerading_SNAT (THX, [MUPPETS]Gonzo)|Signature=derjohn}}
 
http://www.tgunkel.de/it/software/doc/linux_server.en#h3-VServer_Masquerading_SNAT (THX, [MUPPETS]Gonzo)|Signature=derjohn}}
  
Line 160: Line 157:
 
A: When you shut down a guest (''i.e. vserver foo stop''), the IP is brought down on the host also. If this IP happens to be the primary IP of the host, the kernel will not only bring down the primary IP, but also all secondary IP addresses. But in very recent kernels, there is an option ''settable'' which prevents that nasty feature. It's called "alias promotion". You may set it via sysctl by adding ''net.ipv4.conf.all.promote_secondaries=1'' in /etc/sysctl.conf or via sysctl command line.|Signature=derjohn}}
 
A: When you shut down a guest (''i.e. vserver foo stop''), the IP is brought down on the host also. If this IP happens to be the primary IP of the host, the kernel will not only bring down the primary IP, but also all secondary IP addresses. But in very recent kernels, there is an option ''settable'' which prevents that nasty feature. It's called "alias promotion". You may set it via sysctl by adding ''net.ipv4.conf.all.promote_secondaries=1'' in /etc/sysctl.conf or via sysctl command line.|Signature=derjohn}}
  
 
{{Question|Question=On Debian Sarge (stable) only util-vserver is 0.30-204 available, which has been reported to be buggy (I didnt check the version for longer time) How do I compile a local version of alpha util-vserver .210 on Debian?||Details=
 
A:
 
<pre>
 
apt-get build-dep util-vserver
 
 
./configure --prefix=/usr/local/ --enable-release \
 
--mandir=/usr/local/share/man \
 
--infodir=/usr/local/share/info \
 
--sysconfdir=/etc --enable-dietlibc \
 
--localstatedir=/var \
 
--with-vrootdir=/var/lib/vservers
 
 
make
 
 
make install-distribution
 
(Which does a make install + setting a symlink ln -s /usr/local/lib/util-vserver/vshelper /sbin/vshelper )
 
 
</pre>
 
 
To test which version you are running:
 
<pre>
 
# which vserver
 
/usr/local/sbin/vserver
 
 
</pre>
 
 
This should point to ..local...
 
 
If you dont want to build it yourself: On www.backports.org there are backported (for sarge) linux-images (2.6.16) with vserver-patch enabled and a updated util-vserver package as well.
 
|Signature=derjohn}}
 
 
{{Question|Question=I use derjohn's kernel or a differnet kernel with a more-than-16-IPs-per-guest-patch and can't use more than 16 IPs. Why?||Details=
 
A: You need to patch util-vserver, too. So you obviously need to recompile util-vserver (see above). In the util-vserver directory there are header files in the ./kernel/ directory. Patch like this:
 
 
<pre>
 
kernel/network.h:#define NB_IPV4ROOT    64
 
</pre>
 
 
BTW: The initial patches can be found here: http://vserver.13thfloor.at/Experimental/VARIOUS/util-vserver-0.30.196-net64.diff.bz2 and  http://vserver.13thfloor.at/Experimental/VARIOUS/delta-2.6.9-vs1.9.3-net64.diff
 
|Signature=unknown}}
 
  
 
{{Question|Question=I run a Debian host and want to build an Ubuntu guest. Howto?||Details=
 
{{Question|Question=I run a Debian host and want to build an Ubuntu guest. Howto?||Details=
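Review bot: removing the "more-than-16-IPs-per-guest" answer takes away the only place on the page that tells a 64-IP-kernel user to rebuild util-vserver with kernel/network.h:#define NB_IPV4ROOT 64 (and where the original patches live), while the earlier "How do I add several IPs" answer in this diff still advertises the 64-IP patch and now says nothing about the userland side; keep a one-line pointer to the util-vserver change next to that answer, or say the patch is obsolete. The removed Debian Sarge build recipe is also the only mention on the page of the /sbin/vshelper symlink (ln -s /usr/local/lib/util-vserver/vshelper /sbin/vshelper), which a from-source install still needs, so that line deserves a home elsewhere.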
Line 255: Line 211:
 
Then '/etc/init.d/ssh restart' on the host, after that on the guest (if you did apt-get install ssh on the guest already.)
 
Then '/etc/init.d/ssh restart' on the host, after that on the guest (if you did apt-get install ssh on the guest already.)
  
Do I have to explain more? If the hosts sshd binds all available IP addresses on port 22 (The hosts 'sees' even all addresses of the guests!). So if the guest starts its sshd, it cant bind to port 22 any more. You need to change that setting only on the host.  
+
Do I have to explain more? If the hosts sshd binds all available IP addresses on port 22 (The hosts 'sees' even all addresses of the guests!). So if the guest starts its sshd, it can't bind to port 22 any more. You need to change that setting only on the host.  
 
(BTW: A similar approach has to be done for a lot of daemons, e.g. Apache. If the daemon does not support an explicit bind, you may use the chbind command to 'hide' IP addresses from the daemon before starting.)|Signature=derjohn}}
 
(BTW: A similar approach has to be done for a lot of daemons, e.g. Apache. If the daemon does not support an explicit bind, you may use the chbind command to 'hide' IP addresses from the daemon before starting.)|Signature=derjohn}}
  
Line 263: Line 219:
  
 
{{Question|Question=Bind9 does not like to start in my guest.||Details=
 
{{Question|Question=Bind9 does not like to start in my guest.||Details=
A: Check out the [[Problematic Programs]] page and/or get my [http://linux-vserver.derjohn.de/bind9-packages/bind9-capacheck_9.3.2-2_i386.deb vserver-guest-ready Debian package] for Debian Sid guests, and check out the [http://linux-vserver.derjohn.de/bind9-packages/README.txt readme]. (Hint: This is fresh stuff. The give me Feedback)<br />
+
A: Check out the ((ProblematicPrograms)) page and/or get my [http://linux-vserver.derjohn.de/bind9-packages/bind9-capacheck_9.3.2-2_i386.deb vserver-guest-ready Debian package] for Debian Sid guests and check out the [http://linux-vserver.derjohn.de/bind9-packages/README.txt readme]. (Hint: This is fresh stuff. Please give me feedback)
 +
 
[UPDATE] Since VServer Devel 2.1.1-rc18 you do not need to patch the userland tools anymore. The capabilities are masked.|Signature=derjohn}}
 
[UPDATE] Since VServer Devel 2.1.1-rc18 you do not need to patch the userland tools anymore. The capabilities are masked.|Signature=derjohn}}
  
 
{{Question|Question=Which guest vservers are running?||Details=
 
{{Question|Question=Which guest vservers are running?||Details=
A: {{vserver-stat}}.  Example output:
+
A: Use vserver-stat to find out.  Example output:
 
<pre>
 
<pre>
 
CTX  PROC    VSZ    RSS  userTIME  sysTIME    UPTIME NAME
 
CTX  PROC    VSZ    RSS  userTIME  sysTIME    UPTIME NAME
Line 278: Line 235:
 
{{Question|Question=How can I reboot/halt guests?||Details=
 
{{Question|Question=How can I reboot/halt guests?||Details=
 
A: It depends.  
 
A: It depends.  
For vserver with legacy-interfaces support, you have to replace {{/sbin/halt}} in guests with vreboot and start rebootmgr in host. You also need to have a dummy <guest>.conf file in /etc/vservers for each guest. Please have a look at /etc/init.d/rebootmgr.
+
For legacy Linux-VServer (i.e. 1.2.x), you have to replace /sbin/halt in the guests with vreboot and start rebootmgr in the host. You also need to have a <guest>.conf file in /etc/vservers for each guest. Please have a look at /etc/init.d/rebootmgr.
Vserver with native interface utilizes /dev/initctl. No changes are needed in guests. Just make sure that REBOOT capability is adjusted in guests.|Signature=derjohn}}
+
For Linux-VServer 2.0+, sys_reboot has been virtualized to do the right thing. No changes are needed in guests.|Signature=derjohn}}
  
 
{{Question|Question=Do I really need the legacy-interfaces? What are these legacy-interfaces?||Details=
 
{{Question|Question=Do I really need the legacy-interfaces? What are these legacy-interfaces?||Details=
A: Since vserver is an ongoing project, new features might replace old ones, some might still on development. Legacy-interfaces are available for backward compability (which might be removed someday). See Q: How can I reboot/halt guests?|Signature=derjohn}}
+
A: Since Linux-VServer is an ongoing project, new features might replace old ones, some might require a development version. Legacy-interfaces are available for backward compability (which might be removed someday) with Linux-VServer 1.2.x.|Signature=derjohn}}
  
{{Question|Question= I have a vserver running on a Linux kernel with preemption. Is VServer "preempt" safe?||Details=
+
{{Question|Question=I have a vserver running on a Linux kernel with preemption. Is VServer "preempt" safe?||Details=
 
A: There are no known issues about running vserver on a preemption enabled kernel. I would like to add, that the vserver kernelhackers would probably exclude that option in 'make menuconfig' if there would be an incompatibility. Just my $.02 :)|Signature=derjohn}}
 
A: There are no known issues about running vserver on a preemption enabled kernel. I would like to add, that the vserver kernelhackers would probably exclude that option in 'make menuconfig' if there would be an incompatibility. Just my $.02 :)|Signature=derjohn}}
  
 
{{Question|Question=Is this a new project? When was it started?||Details=
 
{{Question|Question=Is this a new project? When was it started?||Details=
A: The first public occurance of linux-vserver was Oct 2001. The initial mail can be found here: http://www.cs.helsinki.fi/linux/linux-kernel/2001-40/1065.html
+
A: The first public occurrence of Linux-VServer was Oct 2001. The initial mail can be found here: http://www.cs.helsinki.fi/linux/linux-kernel/2001-40/1065.html
So you can expect a mature software product wich does it's magic quite well (And hey, we have a version > 2.0 ! )|Signature=derjohn}}
+
So you can expect a mature software product which does its magic quite well (And hey, we have a version > 2.0!)|Signature=derjohn}}
  
  
 
{{Question|Question=Can I run an OpenVPN Server in a guest?||Details=
 
{{Question|Question=Can I run an OpenVPN Server in a guest?||Details=
A: Yes. I don't want to provide an in-depth OpenVPN tutorial, but want to show how I made OpenVPN work in a guest as server. I was not able to run it with a tun devive, due to a buglet in util-vserver and kernel when it comes to settings a an ip address a point to point link: If you add "ip addr add <ip> peer <mypeer> dev tun0" there is no way to map the tun0 interface into a guest, even not with a 'nodev' option. (bug confirmed to be reproducible by daniel_hoczac)
+
A: Yes. I don't want to provide an in-depth OpenVPN tutorial, but want to show how I made OpenVPN work in a guest as server.
  
 
First of all you have to prepare the host with a persistent tuntap interface in tap-mode. The tools we need come from the uml-utilities.
 
First of all you have to prepare the host with a persistent tuntap interface in tap-mode. The tools we need come from the uml-utilities.
Then you need to create a device /dev/net/tun, which the OpenVPN userspace daemon reads. Well assume 10.10.10.100 is the server IP, and 10.10.10.101 is the client ip - to be cool be choose a /31 netmask (255.255.255.254), so we have a net without broadcast and don't waste IPs :)
+
Then you need to create a device /dev/net/tun, which the OpenVPN userspace daemon reads. We'll assume 10.10.10.100 is the server IP, and 10.10.10.101 is the client IP - to be cool be choose a /31 netmask (255.255.255.254), so we have a net without broadcast and don't waste IPs :)
  
 
On the host do:  
 
On the host do:  
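Review bot: in the reboot/halt answer of this hunk the new text ("sys_reboot has been virtualized to do the right thing. No changes are needed in guests.") drops the old hint to adjust the REBOOT capability in the guest and says nothing about the host side; the virtualized reboot is handed to the host's vshelper, whose /sbin/vshelper symlink only the build recipe removed earlier in this diff set up. Add one sentence saying that vshelper must be installed on the host and whether the guest still needs any capability for this to work.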
Line 424: Line 381:
 
</pre>
 
</pre>
  
In the next lesson I will talk about OpenVPN's server mode, which can deal with with multiple clients connecting to one ip and one port (i.e. you only need one guest for tons or 'roadwarriros'), tls connections and pki.
+
In the next lesson I will talk about OpenVPN's server mode, which can deal with with multiple clients connecting to one IP and one port (i.e. you only need one guest for tons of 'road warriors'), TLS connections and PKI.
  
 
Contributions welcome. :)|Signature=derjohn}}
 
Contributions welcome. :)|Signature=derjohn}}
Line 445: Line 402:
 
(thanks cehteh for the hint!)
 
(thanks cehteh for the hint!)
  
But you can force debootstrap to but 32 bit binaries into the guest by 'export ARCH=i386';
+
But you can force debootstrap to put 32 bit binaries into the guest by 'export ARCH=i386';
 
<pre>
 
<pre>
 
export ARCH=i386 ; vserver build ....  
 
export ARCH=i386 ; vserver build ....  
Line 451: Line 408:
  
 
{{Question|Question=I want to (re)mount a partition in a running guest ... but the guest has no rights (capability) to (re)mount?||Details=
 
{{Question|Question=I want to (re)mount a partition in a running guest ... but the guest has no rights (capability) to (re)mount?||Details=
A: I'll explain. I take as example your /tmp partition within the guest is too small, what will be likely the case if you stay with the 16MB default (vserver build mounts /tmp as 16 MB tempfs!).
+
A: I'll explain. I take as example your /tmp partition within the guest is too small, what will be likely the case if you stay with the 16MB default (vserver build mounts /tmp as 16 MB tmpfs!).
 
<pre>
 
<pre>
 
# vnamespace -e XID  mount -t tmpfs -o remount,size=256m,mode=1777 none /var/lib/vservers/<guest>/tmp/
 
# vnamespace -e XID  mount -t tmpfs -o remount,size=256m,mode=1777 none /var/lib/vservers/<guest>/tmp/
Line 461: Line 418:
 
A: First you can read [http://linux-vserver.org/Memory+Allocation] and [[Memory Limits]].
 
A: First you can read [http://linux-vserver.org/Memory+Allocation] and [[Memory Limits]].
  
If you want a recipe, do that:
+
If you want a recipe, do this:
 
1. Check the size of memory pages. On x86 and x86_64 is usually 4 KB per page.
 
1. Check the size of memory pages. On x86 and x86_64 is usually 4 KB per page.
 
2. Create /etc/vserver/<guest>/rlimits/
 
2. Create /etc/vserver/<guest>/rlimits/
Line 502: Line 459:
 
(2.6.11.5-vs-1.9.5 + 0.30-205)|Signature=IrcQuestions}}
 
(2.6.11.5-vs-1.9.5 + 0.30-205)|Signature=IrcQuestions}}
  
{{Question|Question=How can I make 'vserver start' mount the root filesystem||Details=
+
{{Question|Question=How can I make 'vserver start' mount the root filesystem?||Details=
mount it via /etc/vservers/vserver-name/fstab, make sure to set the option 'dev' e.g.:
+
Mount it via /etc/vservers/vserver-name/fstab, make sure to set the option 'dev' e.g.:
 
<pre>/dev/drbd0    /      xfs    rw,dev          0 0</pre>
 
<pre>/dev/drbd0    /      xfs    rw,dev          0 0</pre>
util-vserver 210 won't be able to find some scripts for the reboot, add into /etc/vservers/vserver-name/apps/init/cmd.stop
 
<pre>/etc/init.d/rc
 
6</pre>
 
 
|Signature=AdrianReyer}}
 
|Signature=AdrianReyer}}
  
Line 525: Line 479:
  
  
{{Question|Question="I deleted a guest's directory without shutting it down. Now I have a "ghost" running. Is there any possibility to get it out of proc without rebooting?||Details=vkill --xid <xid> -s 15; sleep 2; vkill --xid <xid> -s 9|Signature=daniel_hozac}}
+
{{Question|Question=I deleted a guest's directory without shutting it down. Now I have a "ghost" running. Is there any possibility to get it out of proc without rebooting?||Details=vkill --xid <xid> -s 15; sleep 2; vkill --xid <xid> -s 9|Signature=daniel_hozac}}
  
 
== Upgrade from 2.0 to 2.2 ==
 
== Upgrade from 2.0 to 2.2 ==

Revision as of 13:13, 24 January 2007


We currently migrate to MediaWiki from our old installation, but not all content has been migrated yet. Take a look at the Wiki Team page for instructions how to help or look at the old wiki to find the information not migrated yet.

To ease migration we created a List of old Documentation pages.

CURRENTLY THE CONTENT OF THE OLD WIKI FAQ (AND MORE) IS BEING MIGRATED TO THIS PAGE (TASK: DERJOHN)



What is a 'Guest'?

To talk about this we need some naming. The physical machine is the 'Host', and the 'main' context running the host distribution is the 'Host Context'. The virtual machine is the 'Guest'; it is basically a distribution (userspace only) running inside a 'Guest Context'.
derjohn




What kind of Operating System (OS) can I run as guest?

A: With VServer you can only run Linux guests. The trick is that a guest does not run a kernel of its own (as XEN and UML guests do); it merely uses a virtualized host kernel interface. VServer offers so-called security contexts which separate the guests from each other, i.e. they cannot get at each other's data. Imagine it as a chroot environment with much more security and features.
derjohn



Which distributions did you test?

A: Some. Check out the wiki for ready-made guest images. But you can easily build your own guest images, e.g. with Debian's debootstrap. See ((Building Guest Systems)) for how to do that.
derjohn



Is VServer comparable to XEN/UML/QEMU?

A: Nope. XEN/UML/QEMU and VServer are just good friends. Since you ask, you probably know what XEN/UML/QEMU are. VServer, in contrast to XEN/UML/QEMU, does not "emulate" any hardware for you to run a kernel on. You can run a VServer kernel in a XEN/UML/QEMU guest; this is confirmed to work at least with Linux 2.6/vs2.0.
derjohn



Is VServer secure?

A: We hope so. It should be at least as secure as Linux is. We consider it much, much more secure though.
derjohn



Performance?

A: For a single guest, we basically have native performance. Some tests showed insignificant overhead (about 1-2%), others ran faster than on an unpatched kernel. This is IMVHO significantly less than other solutions waste, especially if you have more than a single guest (because of the resource sharing).
derjohn



Is SMP Supported?

A: Yes, on all SMP capable kernel architectures.
derjohn



Resource sharing?

A: Yes ....
  • memory: Dynamically.
  • CPU usage: Dynamically (token bucket)
derjohn



Resource limiting?

A: Yes, you can set maximum limits per guest, but guaranteed resource availability currently still takes some tricks. Limits can be set with ulimit and with rlimit; rlimit is a new feature of kernel 2.6/vs2.0.
derjohn



Disk I/O limiting? Is that possible?

A: Well, since vs2.1.1 Linux-VServer supports a mechanism called 'I/O scheduling', which appeared in the 2.6 mainline some time ago. The mainline kernel offers several I/O schedulers:
# cat /sys/block/hdc/queue/scheduler
noop [anticipatory] deadline cfq

The default is anticipatory a.k.a. "AS". When running several guests on a host you probably want the I/O performance shared in a fair way among the different guests. The kernel comes with a "completely fair queueing" scheduler, CFQ, which can do that. (More on schedulers can be found at http://lwn.net/Articles/114770/)

This is how to set the scheduler to "cfq" manually:

root# echo "cfq" > /sys/block/hdc/queue/scheduler
root# cat /sys/block/hdc/queue/scheduler
noop anticipatory deadline [cfq]

Keep in mind that you have to do it on all physical discs. So if you run an md software RAID, set it on every underlying /dev/hdXYZ disc, not on the md device itself (which has no I/O scheduler of its own)!

If you run Debian there is a predefined way to set the /sys values at boot-time:

# apt-get install sysfsutils
[...]

# cat /etc/sysfs.conf  | grep cfq
block/sda/queue/scheduler = cfq
block/sdc/queue/scheduler = cfq

# /etc/init.d/sysfsutils restart

For non-vserver processes and CFQ you can set by which key the kernel decides about the fairness:

cat /sys/block/hdc/queue/iosched/key_type
pgid [tgid] uid gid

Hint: The 'key_type'-feature has been removed in the mainline kernel recently. Don't look for it any longer :(

The default is tgid, which means to share fairly among process groups. Think of every guest as being treated like its own process group. It's not possible to set a scheduler strategy within a guest; all processes belonging to the same guest are treated like "noop" within the guest. So: if you run Apache and some FTP server within the _same_ guest, there is no fair scheduling between them, but there is fair scheduling between the whole guest and all other guests.

And: It's possible to tune the scheduler parameters in several ways. Have a look at /sys/block/hdc/queue/....
derjohn
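The answer above leaves the "do it on all physical discs" step to the reader. The following helper, added here as an example and not code from the original FAQ or from the Linux-VServer project, reads the active scheduler the way the cat commands above do, selects a scheduler only if the kernel offers it for that queue, and walks an md array's members (from /sys/block/<md>/slaves/) down to the physical discs. SYSFS is a variable only so the functions can be exercised against a copied tree; the partition-stripping assumes IDE/SCSI-style names (hdc, sda1) like the ones used in the answer.

```shell
#!/bin/sh
# Added example for the FAQ's I/O-scheduler answer; not code from the
# Linux-VServer project. SYSFS defaults to /sys and is a variable only so the
# functions can be exercised against a copied tree. Device names follow the
# IDE/SCSI style the FAQ uses (hdc, sda1); NVMe-style names are not handled.
SYSFS=${SYSFS:-/sys}

# active_scheduler DEV -> prints the scheduler shown in [brackets], e.g. "cfq"
active_scheduler() {
    f="$SYSFS/block/$1/queue/scheduler"
    [ -r "$f" ] || return 1
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$f"
}

# physical_disk DEV -> strips a partition number: sda1 -> sda, hdc -> hdc
physical_disk() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# md_members MDDEV -> the member devices of a software RAID array, one per
# line, taken from /sys/block/<md>/slaves/ (the partitions mdadm was given)
md_members() {
    for s in "$SYSFS/block/$1/slaves"/*; do
        [ -e "$s" ] && printf '%s\n' "${s##*/}"
    done
    return 0
}

# set_scheduler DEV NAME -> selects NAME for DEV, refusing names the kernel
# does not offer for that queue (the FAQ's example: cfq)
set_scheduler() {
    f="$SYSFS/block/$1/queue/scheduler"
    [ -w "$f" ] || { echo "$1: no scheduler file" >&2; return 1; }
    grep -qw -- "$2" "$f" || { echo "$1: $2 not offered" >&2; return 1; }
    echo "$2" > "$f"
}

# verify_scheduler DEV NAME -> 0 if the kernel now reports NAME as active
# (on a real sysfs the kernel rewrites the list with NAME in brackets)
verify_scheduler() {
    [ "$(active_scheduler "$1")" = "$2" ]
}

# set_scheduler_for_md MDDEV NAME -> applies NAME to every physical disc
# behind the array, which is the step the FAQ says people forget
set_scheduler_for_md() {
    rc=0
    for m in $(md_members "$1"); do
        set_scheduler "$(physical_disk "$m")" "$2" || rc=1
    done
    return $rc
}

# Typical use on a host (as root):  set_scheduler_for_md md0 cfq && verify_scheduler sda cfq
```

On a live host the sysfsutils entries in the answer remain the right way to make the choice persistent; this script is for applying and checking the setting once, e.g. from a cron job or an init script that runs before the guests start.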



Why isn't there a device /dev/xyz within a guest?

A: Device nodes allow userspace to access hardware (or virtual resources). Creating a device node inside the guest's namespace will give access to that device, so for security reasons, the number of 'given' devices is small.
derjohn



What is unification (vunify)?

A: Unification is hard links on steroids. Guests can 'share' common files (usually binaries and libraries) in a secure way, by creating hard links with special properties (immutable, but unlinkable, i.e. removable): a guest can delete its own link, e.g. during a package upgrade, but cannot modify the shared content, so a change made in one guest cannot leak into another. The tool to identify common files and to unify them is called vunify.
derjohn



What is vhashify?

A: The successor of vunify, a tool which does unification based on hash values (which allows to find common files in arbitrary paths.)
derjohn



How do I manage a multi-guest setup with vhashify?

A: For 'vhashify', just do these once:
mkdir /etc/vservers/.defaults/apps/vunify/hash /vservers/.hash
ln -s /vservers/.hash /etc/vservers/.defaults/apps/vunify/hash/root

Then, do this one line per vserver:

mkdir /etc/vservers/<vservername>/apps/vunify   # vhashify reuses vunify configuration
derjohn



With which version should I begin?

A: If you are new to VServer I recommend to try the latest stable kernel patch, and the latest util-vserver "alpha" release.
derjohn



Is there a way to implement "user/group quota" per VServer?

A: Yes, but not on a shared partition for now. You need to put the guest on a separate partition, set up a vroot device (to make the quota access secure), copy that into the guest, and adjust the mtab line inside the guest.
derjohn



What about "Quota" for a context?

A: Context quotas are now called Disk Limits (so that we can tell them apart from the user/group quotas :). They are supported out of the box (with vs2.0+) for all major filesystems (ext2/3, ReiserFS, JFS)
derjohn



Does it support IPv6?

A: Currently it requires an additional patch, but the functionality should be available in 2.3+ soon. ((IPv6)) has more information.
derjohn



I can't do all I want with the network interfaces inside the guest?

A: For now the networking is 'Host Business' -- the host is a router, and each guest is a server. You can set the capability ICMP_RAW in the context of the guest, or even the capability CAP_NET_RAW (which would also allow the guest to sniff traffic on the interfaces of other guests, so grant it only to guests you fully trust!). This is likely to change with ngnet.
derjohn



Is there a web-based interface for vserver that will allow creation/deletion/configuration etc. of vserver guests?

A. http://OpenVPS.org which is a set of scripts with a web-interface for webhosters/ISPs. http://Openvcp.org which is a distributed system (agent!) with a web-interface, with which you can build/remove guests. http://vsmon.revolutionlinux.com/ is a distributed monitoring-only solution that allows you to search for a particular vserver in your park.
derjohn



What is old-style and new-style config?

A. Old-style config refers to a single text-file that contains all the configuration settings. With new-style config the configuration is split into several directories and files. You should probably go for new-style config if you are asking.
derjohn



What is the "great flower page"?

A. Well, this page contains all configuration options for util-vserver. The name of the page is derived from the stylesheet(s) it contains.
derjohn



How do I add several IPs to a vserver?

A: First of all a single guest vserver only supports up to 16 IPs (There is a 64-IP patch available, which is in "derjohn's kernel").

Here is a little helper-script that adds a list of IPs defined in a text file, one per line.

#!/bin/bash
# run this inside /etc/vservers/<guest>/interfaces/ (assumed); numbering starts
# at 2, so entries 0 and 1 are expected to exist already
j=1
while read -r i; do
        j=$(($j+1))
        mkdir "$j"
        echo "$i" > "$j/ip"
        echo "24" > "$j/prefix"
done < myiplist
derjohn
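A more defensive version of that helper, added here as an example (it is not from the FAQ or from util-vserver): it validates each address, skips blank lines and comments, continues numbering after the highest existing entry instead of assuming a fixed start, and refuses to go past the 16-address limit the answer mentions. The ip/prefix file layout, the one-address-per-line list and the limit of 16 come from the answer; the '#' comment syntax of the list, the validation and the numbering rule are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the FAQ or util-vserver: fill
# <guest>/interfaces/<n>/{ip,prefix} from a list of addresses.
# From the answer: one address per line, the 16-address limit, the
# ip/prefix file layout. Everything else (validation, numbering after
# the highest existing entry, '#' comments in the list) is assumed.

MAX_IPS=16

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $1
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_guest_ips IFACEDIR LISTFILE [PREFIX]: create one numbered entry per
# valid address in LISTFILE (blank lines and '#' comments are skipped).
# Prints the total number of entries afterwards; fails, adding nothing
# more, once the directory already holds MAX_IPS entries.
add_guest_ips() {
    ifacedir=$1
    listfile=$2
    prefix=${3:-24}
    mkdir -p "$ifacedir"
    # count existing numeric entries and find the highest, so that
    # interfaces/0 (the primary address) is never overwritten
    last=-1
    count=0
    for d in "$ifacedir"/*/; do
        d=$(basename "$d")
        case $d in *[!0-9]*) continue ;; esac
        count=$(( count + 1 ))
        [ "$d" -gt "$last" ] && last=$d
    done
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}
        ip=$(printf '%s' "$ip" | tr -d ' \t\r')
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        if [ "$count" -ge "$MAX_IPS" ]; then
            echo "limit of $MAX_IPS addresses reached, not adding $ip" >&2
            return 1
        fi
        last=$(( last + 1 ))
        mkdir "$ifacedir/$last"
        echo "$ip" > "$ifacedir/$last/ip"
        echo "$prefix" > "$ifacedir/$last/prefix"
        count=$(( count + 1 ))
    done < "$listfile"
    echo "$count"
}

# usage: sh add_ips.sh /etc/vservers/<guest>/interfaces myiplist 24
if [ $# -ge 2 ]; then
    add_guest_ips "$1" "$2" "$3"
fi
```

Running it twice against the same directory appends further entries rather than clobbering the first ones, and the limit check looks at what is already on disk, so the script can be re-run after the list has grown.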



If my host has only a single public IP, can I use RFC1918 IPs (e.g. 192.168.foo.bar) for the guest vservers?

A: Yes, use iptables with SNAT to masquerade it.
iptables -t nat -I POSTROUTING -s $VSERVER_NETZ  ! -d $VSERVER_NETZ -j SNAT --to $EXT_IP

See: HowtoPrivateNetworking and

http://www.tgunkel.de/it/software/doc/linux_server.en#h3-VServer_Masquerading_SNAT (THX, [MUPPETS]Gonzo)
derjohn



If I shut down my vserver guest, the whole Internet interface ethX on the host is shut down. What happened?

A: When you shut down a guest (i.e. vserver foo stop), the IP is brought down on the host also. If this IP happens to be the primary IP of the host, the kernel will not only bring down the primary IP, but also all secondary IP addresses. But in very recent kernels, there is a settable option which prevents that nasty feature. It's called "alias promotion". You may set it via sysctl by adding net.ipv4.conf.all.promote_secondaries=1 in /etc/sysctl.conf or via the sysctl command line.
derjohn




I run a Debian host and want to build an Ubuntu guest. Howto?

A: Simple ;) Assume you want to build a breezy guest on a sid host with IP 192.168.0.2 and hostname vubuntu, then do:
vserver vubuntu build --force -m debootstrap --hostname vubuntu.myvservers.net --netdev eth0 --interface 192.168.0.2/24 \
--context 42 -- -d breezy -m http://de.archive.ubuntu.com/ubuntu

[UPDATE] Currently there are problems in building breezy under unclear circumstances, which seem to have to do with udev. If the above didn't work, try:

vserver vubuntu build --force -m debootstrap --hostname vubuntu.myvservers.net --netdev eth0 --interface 192.168.0.2/24 \
--context 42 -- -d breezy -m http://de.archive.ubuntu.com/ubuntu -- --exclude=udev

In very recent versions of the utils, the problem should not occur anymore (it has to do with the 'secure-mount' if you look in the MLs)

Well, sid's debootstrap knows how to bootstrap Ubuntu linux. Make sure to have a current debootstrap package:

apt-get update
apt-get install debootstrap
The knowledge how to build ubuntu 'breezy badger' (which you probably want to be your guest at the time of writing) has been added recently.
derjohn



How do I make a vserver guest start by default?

A: At least on Debian, I can tell you how to do it with the new-style config. If your guest is called "derjohn" and you want it to be started somewhere at the end of your bootstrap process, then do:
echo "default" > /etc/vservers/derjohn/apps/init/mark

If you want to start it earlier, please read the init script "/etc/init.d/vserver-default" to find out how to do it. In most cases you don't need to change this. On Debian the vservers are started at "90", so after most other stuff is up (networking etc.).

Besides that I created a small helper script for managing the autostart foo: ((vserver-autostart))
derjohn



My host works, but when I start a guest it says that it has a problem with chbind.

A: You are probably using util-vserver <= 0.30.209, which does use dynamic network contexts internally (with 0.30.210 this fact changed). So if you compiled your kernel without dynamic contexts, you may start guests, but you can't use the network context. The solution is either to switch to the .210 utils (or Hollow's toolset) or compile the kernel with dynamic network contexts. SE Keyword: invalid option `nid' testme.sh
derjohn




When I try to ssh to the guest, I log into the host, even if I installed sshd on the guest. What's wrong here?

A: Look at /etc/ssh/sshd_config of the host:
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::

And now change the setting to

Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
# (the host's IP, not the guest's IP! sshd_config does not allow trailing comments, so keep this on its own line)
ListenAddress your.hosts.ip.here

Then '/etc/init.d/ssh restart' on the host, after that on the guest (if you did apt-get install ssh on the guest already.)

Do I have to explain more? The host's sshd binds all available IP addresses on port 22 (the host 'sees' all addresses of the guests, too!). So if the guest starts its sshd, it can't bind to port 22 any more. You need to change that setting only on the host.

(BTW: A similar approach has to be done for a lot of daemons, e.g. Apache. If the daemon does not support an explicit bind, you may use the chbind command to 'hide' IP addresses from the daemon before starting.)
derjohn
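To spot this on a host before a guest's sshd fails to bind, here is an added example (not from the FAQ or from OpenSSH): a small POSIX sh audit of sshd_config that reports whether sshd would listen on every address. The wildcard spellings it looks for are the ones sshd_config accepts (0.0.0.0, 0.0.0.0:port, ::, [::]:port); the sample config files used in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the FAQ or OpenSSH: audit a host sshd_config for
# the setting the answer above changes. sshd with no ListenAddress, or with a
# wildcard one, binds port 22 on every local address, the guests' included.
# Wildcard forms checked: 0.0.0.0, 0.0.0.0:port, ::, [::]:port.

# sshd_listen_addresses FILE: print the active ListenAddress values
# (keywords are case-insensitive; commented and blank lines are ignored)
sshd_listen_addresses() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1"
}

# sshd_binds_all FILE: succeed when the sshd configured by FILE would listen
# on every address, which is the misconfiguration that blocks a guest's sshd
sshd_binds_all() {
    n=0
    for addr in $(sshd_listen_addresses "$1"); do
        n=$(( n + 1 ))
        case $addr in
            0.0.0.0|0.0.0.0:*|'::'|'[::]'|'[::]:'*) return 0 ;;
        esac
    done
    # no ListenAddress at all means "bind everything" as well
    [ "$n" -eq 0 ]
}

# sshd_report FILE: one-line verdict for humans
sshd_report() {
    if sshd_binds_all "$1"; then
        echo "$1: sshd binds ALL addresses; guests cannot bind port 22"
    else
        echo "$1: sshd bound only to: $(sshd_listen_addresses "$1" | tr '\n' ' ')"
    fi
}

# usage: sh sshd_bind_check.sh /etc/ssh/sshd_config
for cfg in "$@"; do
    sshd_report "$cfg"
done
```

The same idea applies to the other daemons the answer mentions: whatever is listening on the host for 0.0.0.0 takes the port away from every guest, so the audit is worth repeating for Apache and friends with their own bind directives.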



I did everything right, but the application foo does not start. What's up there?

A: Before asking on the IRC channel, please check out the 'problematic programs' page: Problematic Programs
derjohn



Bind9 does not like to start in my guest.

A: Check out the ((ProblematicPrograms)) page and/or get my vserver-guest-ready Debian package for Debian Sid guests and check out the readme. (Hint: This is fresh stuff. Please give me feedback) [UPDATE] Since VServer Devel 2.1.1-rc18 you do not need to patch the userland tools anymore. The capabilities are masked.
derjohn



Which guest vservers are running?

A: Use vserver-stat to find out. Example output:
CTX   PROC    VSZ    RSS  userTIME   sysTIME    UPTIME NAME
0       77 965.1M 334.6M  14m14s18   2m28s69   1h33m46 root server
49152    7    14M   5.2M   0m00s40   0m00s30   1h30m15 chiffon
derjohn




How can I reboot/halt guests?

A: It depends.

For legacy Linux-VServer (i.e. 1.2.x), you have to replace /sbin/halt in the guests with vreboot and start rebootmgr in the host. You also need to have a <guest>.conf file in /etc/vservers for each guest. Please have a look at /etc/init.d/rebootmgr.

For Linux-VServer 2.0+, sys_reboot has been virtualized to do the right thing. No changes are needed in guests.
derjohn



Do I really need the legacy-interfaces? What are these legacy-interfaces?

A: Since Linux-VServer is an ongoing project, new features might replace old ones, some might require a development version. Legacy-interfaces are available for backward compatibility (which might be removed someday) with Linux-VServer 1.2.x.
derjohn



I have a vserver running on a Linux kernel with preemption. Is VServer "preempt" safe?

A: There are no known issues about running vserver on a preemption enabled kernel. I would like to add, that the vserver kernelhackers would probably exclude that option in 'make menuconfig' if there would be an incompatibility. Just my $.02 :)
derjohn



Is this a new project? When was it started?

A: The first public occurrence of Linux-VServer was Oct 2001. The initial mail can be found here: http://www.cs.helsinki.fi/linux/linux-kernel/2001-40/1065.html So you can expect a mature software product which does its magic quite well (And hey, we have a version > 2.0!)
derjohn




Can I run an OpenVPN Server in a guest?

A: Yes. I don't want to provide an in-depth OpenVPN tutorial, but want to show how I made OpenVPN work in a guest as server.

First of all you have to prepare the host with a persistent tuntap interface in tap-mode. The tools we need come from the uml-utilities. Then you need to create a device /dev/net/tun, which the OpenVPN userspace daemon reads. We'll assume 10.10.10.100 is the server IP, and 10.10.10.101 is the client IP - to be cool we choose a /31 netmask (255.255.255.254), so we have a net without broadcast and don't waste IPs :)

On the host do:

# apt-get install uml-utilities
# cd /var/lib/vserver/<myopenvpnserver>/dev/
# ./MAKEDEV tun
  (creates the dev/net/tun device accessible by the guest - even a tap interface needs /dev/net/tun !)
# tunctl -t tap0
  (creates the network device 'tap0' persistently)

Then add the ip to the guest:

# cat /etc/vservers/<myopenvpnserver>/interfaces/1/ip
10.10.10.100
# cat /etc/vservers/<myopenvpnserver>/interfaces/1/prefix
31
# cat /etc/vservers/<myopenvpnserver>/interfaces/1/dev
tap0
(This kind of config brings the ip when the vserver is started - only the tap0 interface has to exist already, see above!)

Here is a sample config for the guest (which is acting as a server):

Install OpenVPN package on server and client, in the Debian case:

# apt-get install openvpn

The server's conf looks like that:

# port and interface specs

# behave like a ssl-webserver
port 443
proto tcp-server

# tap device? (keep in mind you need /dev/net/tun !)
dev tap0

# now the ips we will use for the tunnel
ifconfig 10.10.10.100 255.255.255.254
ifconfig-noexec

# the server part

# Keep VPN connections, even if the client IP changes
float

# use compression (may also even obfuscate content filters)
comp-lzo

# use a static key - create it with 'openvpn --genkey --secret static.key'
secret static.key

# don't reload the key after a SIGUSR1
persist-key

# check alive all 10 secs
keepalive 10 60

# verbosity level (from 1 to 9, 9 is max log level)
verb 4
status openvpn-status.log

The client's conf may look like that (This example even makes the tunnel the clients default address):

# cat /etc/openvpn/client.conf
# port and interface specs

# the following is not necessary, if you bring up openvpn via Debian's init script:
daemon ovpn-my-clients-name

# behave like a ssl-webserver
port 443
proto tcp-client
remote %%%<insert-the-guest-primary-public-ip-here>%%%%
# what device, tun or tap?
dev tap

# now the ips we will use for the tunnel
ifconfig 10.10.10.101 255.255.255.254

# Keep VPN connections, even if the client IP changes
float
mssfix

# use compression (may also even obfuscate content filters)
comp-lzo

# use a static key
secret static.key

# don't reload the key after a SIGUSR1
persist-key

# check alive all 10 secs
keepalive 10 60

# verbosity level (from 1 to 9, 9 is max log level)
verb 4

# set the default route
route-gateway 10.10.10.100
redirect-gateway def1
# to add special routes you can do it within the openvpn client conf:
# route <dest> <mask> <gateway>

# if you need to connect via proxy (like squid)
# http-proxy s p [up] [auth] : Connect to remote host through an HTTP proxy at
#                  address s and port p.  If proxy authentication is required,
#                  up is a file containing username/password on 2 lines, or
#                  'stdin' to prompt from console.  Add auth='ntlm' if
#                  the proxy requires NTLM authentication.

# http-proxy s p [up] [auth]


# http-proxy-option type [parm] : Set extended HTTP proxy options.
#                                  Repeat to set multiple options.
#                  VERSION version (default=1.0)
#                  AGENT user-agent

# http-proxy-option type [parm]

In the next lesson I will talk about OpenVPN's server mode, which can deal with multiple clients connecting to one IP and one port (i.e. you only need one guest for tons of 'road warriors'), TLS connections and PKI.

Contributions welcome. :)
derjohn



32 vs 64 Bit? What should I take?

A: If you have the choice make the host a 64 bit one. You can run a guest as 32 bit or as 64 bit on a 64 bit host. To run it as 32 bit, you need to compile the x86_64 (a.k.a. AMD64) kernel with the following options:
[*] Kernel support for ELF binaries
<M> Kernel support for MISC binaries
[*] IA32 Emulation <---- without that, the entire 32bit API is not present
<M>   IA32 a.out support  

You can force the guest to behave like a 32 bit environment like this:

echo linux_32bit > /etc/vservers/$NAME/personality
echo i686 > /etc/vservers/$NAME/uts/machine

(thanks cehteh for the hint!)

But you can force debootstrap to put 32 bit binaries into the guest by 'export ARCH=i386';

export ARCH=i386 ; vserver build .... 
derjohn



I want to (re)mount a partition in a running guest ... but the guest has no rights (capability) to (re)mount?

A: I'll explain. Take as an example that your /tmp partition within the guest is too small, which will likely be the case if you stay with the 16MB default (vserver build mounts /tmp as a 16 MB tmpfs!).
# vnamespace -e XID  mount -t tmpfs -o remount,size=256m,mode=1777 none /var/lib/vservers/<guest>/tmp/
Be warned that the guest will not recognize the change, as the /etc/mtab file is not updated when you mount like this. To permanently change the mount, edit /etc/vserver/<guest>/fstab on the host.
derjohn




How do I limit a guests RAM? I want to prevent OOM situations on the host!

A: First you can read [1] and Memory Limits.

If you want a recipe, do this:

1. Check the size of memory pages. On x86 and x86_64 it is usually 4 KB per page.
2. Create /etc/vserver/<guest>/rlimits/
3. Check your physical memory size on the host, e.g. with "free -m". maxram = kilobytes/pagesize.
4. Limit the guest's physical RAM to a value smaller than maxram:

echo %%insertYourPagesHereSmallerThanMaxram%% > /etc/vserver/<guest>/rlimits/rss

5. Check your swapspace, e.g. with 'swapon -s'. maxswap = swapkilobytes/pagesize.
6. Limit the guest's maximum number of as pages to a value smaller than (maxram+maxswap):

echo %%desiredvalue%% > /etc/vserver/<guest>/rlimits/as

It should be clear this can still lead to OOM situations. Example: You have two guests and your as limit per guest is greater than 50% of (maxram+maxswap). If both guests request their maximum at the same point in time, there will not be enough memory.
derjohn
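The recipe's arithmetic and file layout as an added example (not from the FAQ or from util-vserver), written so it can be exercised against a scratch directory: kb_to_pages does the kilobytes/pagesize step, write_rlimits creates the rlimits/rss and rlimits/as files, and as_overcommit adds up every guest's as limit and compares it with maxram+maxswap, which is exactly the two-guest situation the last paragraph warns about. The config root is a parameter (the answer writes /etc/vserver/<guest>, other entries on this page use /etc/vservers/); the numbers in the usage and test are constructed.

```shell
#!/bin/sh
# Added example, not from the FAQ or util-vserver: the page-count arithmetic
# of the recipe above and a check that the sum of all guests' "as" limits
# still fits into maxram+maxswap. The rlimits/rss and rlimits/as files and the
# kilobytes/pagesize rule come from the answer; the config root is a parameter
# so the script can be run against a scratch directory.

# page size in KB: 4 on x86/x86_64, as step 1 says; read it from the system
PAGE_KB=$(( $(getconf PAGESIZE 2>/dev/null || echo 4096) / 1024 ))

# kb_to_pages KILOBYTES [PAGE_KB]: maxram / maxswap from "free -k" or "swapon -s"
kb_to_pages() {
    echo $(( $1 / ${2:-$PAGE_KB} ))
}

# write_rlimits ROOT GUEST RSS_PAGES AS_PAGES: steps 2, 4 and 6 of the recipe
write_rlimits() {
    dir="$1/$2/rlimits"
    mkdir -p "$dir"
    echo "$3" > "$dir/rss"
    echo "$4" > "$dir/as"
}

# as_overcommit ROOT MAXRAM_PAGES MAXSWAP_PAGES: print the sum of every guest's
# as limit under ROOT and fail if it exceeds maxram+maxswap, i.e. when all
# guests requesting their maximum at once would still exhaust the host
as_overcommit() {
    root=$1
    total=$(( $2 + $3 ))
    sum=0
    for f in "$root"/*/rlimits/as; do
        [ -f "$f" ] || continue
        sum=$(( sum + $(cat "$f") ))
    done
    echo "$sum"
    [ "$sum" -le "$total" ]
}

# usage: sh ramlimits.sh /etc/vservers RAM_KB SWAP_KB
# (RAM_KB from "free -k", SWAP_KB from "swapon -s")
if [ $# -eq 3 ]; then
    maxram=$(kb_to_pages "$2")
    maxswap=$(kb_to_pages "$3")
    echo "maxram=$maxram pages, maxswap=$maxswap pages"
    if sum=$(as_overcommit "$1" "$maxram" "$maxswap"); then
        echo "as limits total $sum pages: fits into RAM+swap"
    else
        echo "as limits total $sum pages: overcommitted beyond $(( maxram + maxswap ))"
    fi
fi
```

Keeping the sum of as limits at or below maxram+maxswap is what removes the "both guests request their maximum at once" case; the rss limit alone only bounds resident pages, not what a guest may map.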




Where can I get newer versions of VServer as ready-made packages for Debian?

A: Here you go: http://linux-vserver.derjohn.de/ . There is also some stuff on backports.org, but my kernels are always 'devel' branch.
derjohn



Can I use iptables ?

Yes but right now only on the host (rootserver). Please realize that all traffic is local and will not touch the forward chain.
BeginnerFAQ



Trying to connect to a vserver from the host or another vserver on the same host fails

strace shows
 
sin_addr=inet_addr("xx.xx.xx.xx")}, yy) = -1 EINVAL (Invalid argument)

A: The host/guest cannot communicate with another guest on same host.

  • check all netmasks on all interfaces (do they overlap)?
  • check policy routing (disable it temporarily)?
  • check that lo is up (networking within a host/guest always uses the lo interface)
CommonProblems
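The first item of that checklist, overlapping netmasks, as an added example (not from the FAQ): POSIX sh functions that convert dotted quads to integers, build a prefix mask, decide whether two prefixes overlap (after applying the shorter of the two masks, both addresses land in the same network) and report every overlapping pair from a "name addr/len" list. The list format and the sample addresses in the test are constructed for this example; the list itself would be built from the host's interfaces and each guest's interfaces/*/ip and prefix files.

```shell
#!/bin/sh
# Added example, not from the FAQ: the first item of the checklist above,
# overlapping netmasks. Two IPv4 prefixes overlap when, after applying the
# shorter of the two masks, both addresses fall into the same network.
# Plain POSIX sh arithmetic; the list format ("name addr/len", one per
# line) is an assumption of this example.

# ip4_to_int A.B.C.D: print the address as an unsigned 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $1
    set +f
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask LEN: print the netmask for /LEN as an integer (0 for /0)
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_overlap A/LA B/LB: succeed if the two prefixes share any address
cidr_overlap() {
    a=$(ip4_to_int "${1%/*}"); la=${1#*/}
    b=$(ip4_to_int "${2%/*}"); lb=${2#*/}
    if [ "$la" -lt "$lb" ]; then
        m=$(prefix_mask "$la")
    else
        m=$(prefix_mask "$lb")
    fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# overlapping_pairs FILE: FILE holds one "name addr/len" per line (the host's
# eth0 plus every guest's interfaces/*/ip with its prefix). Prints each
# overlapping pair and succeeds if at least one was found.
overlapping_pairs() {
    n=$(( $(wc -l < "$1") ))
    found=0
    i=1
    while [ "$i" -le "$n" ]; do
        li=$(sed -n "${i}p" "$1")
        j=$(( i + 1 ))
        while [ "$j" -le "$n" ]; do
            lj=$(sed -n "${j}p" "$1")
            if cidr_overlap "${li#* }" "${lj#* }"; then
                echo "$li overlaps $lj"
                found=$(( found + 1 ))
            fi
            j=$(( j + 1 ))
        done
        i=$(( i + 1 ))
    done
    [ "$found" -gt 0 ]
}

# usage: sh overlap.sh addresses.txt
if [ $# -eq 1 ]; then
    overlapping_pairs "$1" || echo "no overlapping prefixes"
fi
```

A host address with a wide prefix will show up as overlapping every guest address inside that range; that is the case to look at first when the strace output above appears.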



#1 ERROR: capset(): Operation not permitted

Capabilities are not enabled in the kernel setup; please check that CONFIG_SECURITY_CAPABILITIES is loaded or included in the kernel (check with "cat /path_to_kernel/.config").
IrcQuestions



How can I make 'vserver start' mount the root filesystem?

Mount it via /etc/vservers/vserver-name/fstab, make sure to set the option 'dev' e.g.:
/dev/drbd0     /       xfs     rw,dev          0 0
AdrianReyer



How do I tag a guest's directory with xid?

Tagging the guest's files gives you several advantages, e.g. the accounting will work properly.

Filesystem XID tagging only works on supported filesystems. Those are currently: ext2/3, reiserfs/reiser3, xfs and jfs. To activate the XID tagging you have to mount the filesystem with "-o tagxid". Attention: It's _not_ possible to "-o remount,tagxid", you have to mount it freshly. The guests will tag their files automatically. If you copy files in from the host, you have to tag them manually like this:

chxid -c xid -R /var/lib/vservers/<guest>
Note: Context 0 and 1 will see all files, guests will only be able to access untagged files and their own XID. They can see other XID files but no information about the file, e.g. no owner, no group, no permissions.
derjohn_and_gonzo_and_are



More FAQs to be merged; [2]


My mysqld running in a guest behaves strangely and is awfully slow/locks up

This can be related to /tmp being too small. mysqld stores temporary tables in /tmp and as such, if a lot of queries happen and /tmp runs full, this can cause one query to lock up whilst creating the tmp table and all other queries waiting to acquire the lock. There are two possible solutions to that problem: a.) Modify /etc/vservers/vserver-name/fstab and assign more memory to the tmpfs of /tmp and b.) remove the /tmp entry from /etc/vservers/vserver-name/fstab completely. Especially on database servers with a rather high load the second one might be the preferred method.
sp




I deleted a guest's directory without shutting it down. Now I have a "ghost" running. Is there any possibility to get it out of proc without rebooting?

vkill --xid <xid> -s 15; sleep 2; vkill --xid <xid> -s 9
daniel_hozac



Upgrade from 2.0 to 2.2

I now get errors like "ncontext: vc_net_create(): Invalid argument; dynamic contexts disabled." on startup. Vservers are not started

Dynamic contexts are disabled by default and are deprecated. For example, tagxid and network checks won't be usable with dynamic ids. Now you should manually assign an explicit context to your vservers, like echo 101 > /etc/vservers/myvserv/context
daniel_hozac&Beuc

