Difference between revisions of "Frequently Asked Questions"
From Linux-VServer
KornAndras (Talk | contribs) (split nondefault mark value stuff into its own question) |
(38 intermediate revisions by 18 users not shown) | |||
Line 12: | Line 12: | ||
== General == | == General == | ||
+ | |||
+ | {{Question | ||
+ | |Question=What is the status of Linux-VServer? | ||
+ | ||Details=Linux-VServer has more than a decade of maturity and is actively developed. Two projects are similar to Linux-VServer, [[http://lxc.sf.net LXC]], and [[http://openvz.org OpenVZ]]. Of the two, OpenVZ is the more mature and offers some similar functionality to Linux-VServer. LXC is solely based on the kernel mechanisms such as cgroups that are present in modern kernels. These kernel mechanisms will continue to be refined and isolation will mature. As that occurs, Linux-VServer will take advantage of those new features separately from LXC and continue to provide the same robust user interface that it does currently. Currently, LXC offers significantly less functionality and isolation than Linux-vserver. LXC will eventually be a robust wrapper around kernel mechanisms but is still under heavy development and not considered ready for production use. | ||
+ | |Signature=beck}} | ||
+ | |||
+ | |||
{{Question | {{Question | ||
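Review bot: the two project links in the new Details use double brackets around external URLs (`[[http://lxc.sf.net LXC]]`, `[[http://openvz.org OpenVZ]]`), which is internal-link syntax and will not render as links; external links take single brackets, as `[http://linux-vserver.org/Memory+Allocation]` further down this page does. The comparative claims about LXC ("significantly less functionality and isolation", "not considered ready for production use") carry no date or kernel version, so add one next to them or they will be impossible for a reader to judge once they go stale.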
Line 85: | Line 92: | ||
||Details=First you can read [http://linux-vserver.org/Memory+Allocation] and [[Memory Limits]]. | ||Details=First you can read [http://linux-vserver.org/Memory+Allocation] and [[Memory Limits]]. | ||
If you want a recipe, do this: | If you want a recipe, do this: | ||
− | # Check the size of memory pages. On x86 and x86_64 is usually 4 KB per page. | + | # Check the size of memory pages. On x86 and x86_64 is usually 4 KB per page. (on linux "getconf -a|grep PAGE" will give you the information) |
# Create /etc/vserver/<guest>/rlimits/ | # Create /etc/vserver/<guest>/rlimits/ | ||
# Check your physical memory size on the host, e.g. with "free -m". maxram = kilobytes/pagesize. | # Check your physical memory size on the host, e.g. with "free -m". maxram = kilobytes/pagesize. | ||
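Review bot: the new hint `getconf -a|grep PAGE` works, but `getconf PAGESIZE` returns exactly the one value the recipe needs and is easier to script; also the sentence is missing its subject ("On x86 and x86_64 it is usually 4 KB per page"). In the following step the command shown is `free -m` while the formula is `maxram = kilobytes/pagesize`; either use `free -k` or state the division in megabytes so the units match.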
Line 104: | Line 111: | ||
</pre> | </pre> | ||
− | The default is anticipatory a.k.a. "AS". When running several guests on a host you probably want the I/O performance shared in a fair way among the different guests. The kernel comes with a "completely fair queueing" scheduler, CFQ, which can do that. (More on schedulers can be found at http://lwn.net/Articles/114770/) | + | The default since 2.6.18 in Sept 2006 is CFQ, described below, and prior to that was anticipatory a.k.a. "AS" ([[http://en.wikipedia.org/wiki/CFQ#Kernel_2.6.18_.2820_September_2006.29 Wikipedia]]). When running several guests on a host you probably want the I/O performance shared in a fair way among the different guests. The kernel comes with a "completely fair queueing" scheduler, CFQ, which can do that. (More on schedulers can be found at http://lwn.net/Articles/114770/) |
This is how to set the scheduler to "cfq" manually: | This is how to set the scheduler to "cfq" manually: | ||
<pre> | <pre> | ||
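Review bot: `[[http://en.wikipedia.org/wiki/CFQ#Kernel_2.6.18_.2820_September_2006.29 Wikipedia]]` uses double brackets around an external URL and will not render as a link; use single brackets like the lwn.net reference at the end of the same paragraph. Since the new text says CFQ is already the default since 2.6.18, the lead-in to the `<pre>` block ("This is how to set the scheduler to cfq manually") should say it is only needed on older kernels or where the default was changed.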
Line 151: | Line 158: | ||
with sudo and ionice installed on the root server to increase the *nice*ness of pid 24409, with uid 2089 | with sudo and ionice installed on the root server to increase the *nice*ness of pid 24409, with uid 2089 | ||
|Signature=Groteblup}} | |Signature=Groteblup}} | ||
+ | |||
+ | {{Question | ||
+ | |Question=I want iotop to display all guest processes on host to give me a nice overview of I/O usage. | ||
+ | ||Details=You must allow iotop to read information from all guests. Add | ||
+ | |||
+ | <PRE> | ||
+ | # setattr --watch /proc/vmstat | ||
+ | </PRE> | ||
+ | to, for example, rc.local, and later run iotop: | ||
+ | <PRE> | ||
+ | # vcontext --migrate --xid 1 -- iotop | ||
+ | </PRE> | ||
+ | |Signature=corey via ser}} | ||
== Unification == | == Unification == | ||
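Review bot: the `<PRE>` tags in the new iotop answer are uppercase while every other block on the page uses `<pre>`; keep them consistent. The answer should also say why `setattr --watch /proc/vmstat` goes into rc.local (the attribute is lost at reboot, which is the same reason vprocunhide runs at boot) and that `vcontext --migrate --xid 1 -- iotop` enters the watch context and therefore has to be run as root on the host, so the change exposes nothing to the guests themselves.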
Line 156: | Line 176: | ||
{{Question | {{Question | ||
|Question=What is unification (vunify)? | |Question=What is unification (vunify)? | ||
− | ||Details=Unification is Hard Links on Steroids. Guests can 'share' common files (usually binaries and libraries) in a secure way, by creating hard links with special properties (immutable but unlinkable (removable)). The tool to identify common files and to unify them is called vunify. | + | ||Details=[[Unification]] is Hard Links on Steroids. Guests can 'share' common files (usually binaries and libraries) in a secure way, by creating hard links with special properties (immutable but unlinkable (removable)). The tool to identify common files and to unify them is called [[vunify]]. |
|Signature=derjohn}} | |Signature=derjohn}} | ||
{{Question | {{Question | ||
− | |Question=What is vhashify? | + | |Question=What is [[vhashify]]? |
− | ||Details=The successor of vunify, a tool which does unification based on hash values (which allows to find common files in arbitrary paths.) | + | ||Details=The successor of [[vunify]], a tool which does unification based on hash values (which allows to find common files in arbitrary paths.) |
It creates hardlinks to files named after a hash of the content of the file. If you have a recent version of the vserver patch (2.2+), with CONFIG_VSERVER_COWBL enabled, you can even modify the hardlinked files inside the vservers and the links will be broken automatically. | It creates hardlinks to files named after a hash of the content of the file. If you have a recent version of the vserver patch (2.2+), with CONFIG_VSERVER_COWBL enabled, you can even modify the hardlinked files inside the vservers and the links will be broken automatically. | ||
There seems to be a catch when a hashified file has multiple hardlinks inside a guest, or when another internal hardlink is added after hashification. Link breaking will remove all the internal hardlinks too, so the guest will end up with different copies of the original file. The correct solution would be to not hashify files that have multiple links prior to hashification, and to break the link to the hashified version when a new internal hardlink is created. Apparently, this is not implemented yet (?). | There seems to be a catch when a hashified file has multiple hardlinks inside a guest, or when another internal hardlink is added after hashification. Link breaking will remove all the internal hardlinks too, so the guest will end up with different copies of the original file. The correct solution would be to not hashify files that have multiple links prior to hashification, and to break the link to the hashified version when a new internal hardlink is created. Apparently, this is not implemented yet (?). | ||
− | |Signature=Guy-}} | + | <br/>|Signature=Guy- |
+ | <br/> | ||
+ | Note: hashify cannot cross XFS project QUOTA because hardlinks cannot cross projects. | ||
+ | }} | ||
{{Question | {{Question | ||
|Question=How do I manage a multi-guest setup with vhashify? | |Question=How do I manage a multi-guest setup with vhashify? | ||
− | ||Details=For 'vhashify', just do these once: | + | ||Details=For '[[vhashify]]', just do these once: |
<pre> | <pre> | ||
mkdir /etc/vservers/.defaults/apps/vunify/hash /vservers/.hash | mkdir /etc/vservers/.defaults/apps/vunify/hash /vservers/.hash | ||
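Review bot: in the vhashify question the XFS project quota note was inserted after `<br/>|Signature=Guy-`, so `<br/>Note: hashify cannot cross XFS project QUOTA ...` becomes part of the Signature parameter value and renders in the signature slot of the template. Move the note above `|Signature=` into Details, drop the two `<br/>` tags, and close the template with `|Signature=Guy-}}` as the other questions do.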
Line 252: | Line 275: | ||
|Question=How do I add several IPs to a vserver? | |Question=How do I add several IPs to a vserver? | ||
||Details=First of all a single guest vserver only supports up to 16 IPs (There is a 64-IP patch available, which is in "derjohn's kernel"). | ||Details=First of all a single guest vserver only supports up to 16 IPs (There is a 64-IP patch available, which is in "derjohn's kernel"). | ||
+ | <pre> | ||
+ | Update from IRC (2011-08-22): | ||
+ | <mmouse> quick question: what is the maximum count of IPs (v4) I can have in a single guest? | ||
+ | <daniel_hozac> unlimited. | ||
+ | </pre> | ||
+ | |||
Here is a little helper-script that adds a list of IPs defined in a text file, one per line. | Here is a little helper-script that adds a list of IPs defined in a text file, one per line. | ||
<pre> | <pre> | ||
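Review bot: the appended IRC excerpt (`<daniel_hozac> unlimited.`) flatly contradicts the sentence right above it ("a single guest vserver only supports up to 16 IPs"), leaving the reader with two answers. Rewrite the sentence to say that the 16-IP limit (and the 64-IP patch) applied to older kernels and that current kernels impose no limit, keeping the dated IRC quote as the citation rather than as a second, conflicting statement.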
Line 293: | Line 322: | ||
{{Question | {{Question | ||
|Question=If I shut down my vserver guest, the whole Internet interface ethX on the host is shut down. What happened? | |Question=If I shut down my vserver guest, the whole Internet interface ethX on the host is shut down. What happened? | ||
− | ||Details=When you shut down a guest (''i.e. vserver foo stop''), the IP is brought down on the host also. If this IP happens to be the primary IP of the host, the kernel will not only bring down the primary IP, but also all secondary IP addresses. But in very recent kernels, there is an option ''settable'' which prevents that nasty feature. It's called "alias promotion". You may set it via sysctl by adding ''net.ipv4.conf.all.promote_secondaries=1'' in /etc/sysctl.conf or via sysctl command line. | + | ||Details=When you shut down a guest (''i.e. vserver foo stop''), the IP is brought down on the host also. If this IP happens to be the primary IP of the host, the kernel will not only bring down the primary IP, but also all secondary IP addresses. Similarly, if your guests bring up IPs of more than one subnet, all other IPs from a specific subnet will be shut down if you stop the guest which created the first ("parent") IP. |
− | |Signature=derjohn}} | + | |
+ | You can check this on the host using the command "ip addr show". Example output: | ||
+ | <pre> | ||
+ | 1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 | ||
+ | link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff | ||
+ | inet 192.168.249.172/27 brd 192.168.249.191 scope global eth0 | ||
+ | inet 192.168.234.194/27 brd 192.168.234.223 scope global eth0 | ||
+ | inet 192.168.249.169/27 brd 192.168.249.191 scope global secondary eth0 | ||
+ | inet 192.168.234.195/27 brd 192.168.234.223 scope global secondary eth0 | ||
+ | </pre> | ||
+ | In this example, if you stop the guest which brings down the IP 192.168.249.172, the IP 192.168.249.169 will be brought down as well, because it is a secondary IP of the "parent" 192.168.249.172. | ||
+ | |||
+ | But in very recent kernels, there is an option ''settable'' which prevents that nasty feature. It's called "alias promotion". You may set it via sysctl by adding ''net.ipv4.conf.all.promote_secondaries=1'' in /etc/sysctl.conf or via sysctl command line. | ||
+ | |Signature=derjohn, Hurga}} | ||
{{Question | {{Question | ||
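Review bot: the `ip addr show` example makes the primary/secondary relationship clear, but the closing paragraph still says "in very recent kernels", which was carried over from the old revision and is now misleading next to a dated example; name the kernel version or drop the qualifier. It would also help to show the runtime form (`sysctl -w net.ipv4.conf.all.promote_secondaries=1`) and a read-back check (`sysctl net.ipv4.conf.all.promote_secondaries`), and to state that the setting has to be in place before the guest holding the parent IP is stopped.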
Line 409: | Line 451: | ||
|Signature=bobnormal}} | |Signature=bobnormal}} | ||
+ | {{Question | ||
+ | |Question=Services won't bind to 127.0.0.1 when I configure them to bind to all available IPs / (binding service to * doesn't bind to loopback)? | ||
+ | ||Details=You've configured single public IP and have kernel option "Linux VServer -> Automatic Single IP Special Casing" enabled. | ||
+ | It means somehow "optimized" :D | ||
+ | If you don't want this you have 3 possible solutions (quoting Bertl): | ||
+ | * disable the auto single IP in the kernel | ||
+ | * assign more than one IP to the guest | ||
+ | * disable single ip special casing for that guest | ||
+ | |||
+ | The later is done by : echo "~single_ip" >> /etc/vservers/<VSERVER>/nflags | ||
+ | At runtime to avoid restarting the vserver: nattribute --set --nid <guest> --flag ~single_ip | ||
+ | |Signature=swenTjuln}} | ||
+ | |||
+ | {{Question | ||
+ | |Question=When using network namespaces and vserver together, netstat does not work in the vserver. What's wrong? | ||
+ | ||Details=All proc entries are hidden by default in the guests. During startup of the host system a tool called vprocunhide makes some /proc files visible. | ||
+ | |||
+ | If you create a new network namespace you have to do the same in the network namespace because the new /proc/net files are not available for the vprocunhide outside the new network namespace. So something like that should be sufficient to get netstat working in vservers with network namespaces: | ||
+ | |||
+ | <pre> | ||
+ | ip netns exec $NAMESPACE /usr/lib/util-vserver/vprocunhide | ||
+ | </pre> | ||
+ | |Signature=AlexanderS}} | ||
== Administration tools == | == Administration tools == | ||
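Review bot: "The later is done by" should read "The latter", and the two commands that follow (`echo "~single_ip" >> /etc/vservers/<VSERVER>/nflags` and `nattribute --set --nid <guest> --flag ~single_ip`) are run into the prose; put them in `<pre>` blocks like every other command on the page so the `<VSERVER>` placeholder is not lost to wiki rendering. In the network-namespace answer, "something like that should be sufficient" should be "something like this", and it should say the command has to be repeated for every namespace created after boot, which is the point the answer is making.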
Line 497: | Line 562: | ||
{{Question | {{Question | ||
|Question=My mysqld running in a guest behaves strangely and is awfully slow/locks up | |Question=My mysqld running in a guest behaves strangely and is awfully slow/locks up | ||
− | ||Details=This can be related to /tmp being too small. mysqld stores temporary tables in /tmp and as such, if a lot of queries happen and /tmp runs full this can cause one query to lock up whilst creating the tmp table and all other queries waiting to acquire the lock. There are two possible solutions to that problem: a.) Modify /etc/vservers/vserver-name/fstab and assign more memory to the tmpfs of /tmp and b.) remove the /tmp entry from /etc/vservers/vserver-name/fstab completly. Especially on database servers with a rather high load the second one might be the preferred method.|Signature=sp}} | + | ||Details=This can be related to /tmp being too small. mysqld stores temporary tables in /tmp and as such, if a lot of queries happen and /tmp runs full this can cause one query to lock up whilst creating the tmp table and all other queries waiting to acquire the lock. There are two possible solutions to that problem: a.) Modify /etc/vservers/vserver-name/fstab and assign more memory to the tmpfs of /tmp and b.) remove the /tmp entry from /etc/vservers/vserver-name/fstab completly. Especially on database servers with a rather high load the second one might be the preferred method. |
+ | If you prefer not to modify or disable tmpfs, you can reconfigure MySQL to use a different tmpdir such as "/var/tmp". For example, edit /etc/my.cnf (RHEL/CentOS) or create /etc/mysql/conf.d/mysqld_custom.conf (Debian) and add the following line: | ||
+ | <pre> | ||
+ | tmpdir = /var/tmp | ||
+ | </pre> | ||
+ | Afterwards, restart MySQL (/etc/init.d/mysqld restart) and then review MySQL variables (mysqladmin -uroot -p variables) to confirm "tmpdir" is no longer pointing to "/tmp". |Signature=sp, jrklein}} | ||
{{Question | {{Question | ||
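Review bot: the `tmpdir = /var/tmp` fragment does not say which section of my.cnf it belongs to; it only takes effect under `[mysqld]`, so show the section header in the `<pre>` block. The typo "completly" survives in the rewritten paragraph, and the inline `|Signature=sp, jrklein}}` is glued to the last sentence; move it to its own line as the surrounding questions do.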
Line 512: | Line 582: | ||
/bin/sed --in-place -e "s/^session.*required.*pam_loginuid.so/# session\trequired\tpam_loginuid.so/g" /etc/pam.d/* | /bin/sed --in-place -e "s/^session.*required.*pam_loginuid.so/# session\trequired\tpam_loginuid.so/g" /etc/pam.d/* | ||
</pre> | </pre> | ||
− | |Signature=patrick}} | + | |
+ | '''UPDATE:''' If you are compiling your own kernel this can be fixed system-wide by setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=n in kernels .config file. | ||
+ | |||
+ | |Signature=patrick, SwenTjuln}} | ||
{{Question | {{Question | ||
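Review bot: "in kernels .config file" should be "in the kernel's .config file", and the UPDATE should say that `CONFIG_AUDIT_LOGINUID_IMMUTABLE` only exists in kernel versions that offer the option, so readers on other kernels still need the `sed` workaround shown above it. It would also help to say in one sentence what the option does (it makes the audit loginuid unchangeable once set, which is what makes pam_loginuid fail inside the guest), since the answer otherwise only gives the knob.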
Line 545: | Line 618: | ||
Besides that I created a small helper script for managing the autostart foo: ((vserver-autostart))|Signature=derjohn}} | Besides that I created a small helper script for managing the autostart foo: ((vserver-autostart))|Signature=derjohn}} | ||
+ | |||
+ | {{Question | ||
+ | |Question=How do I start all vservers with a <tt>mark</tt> value of something other than "default"? | ||
+ | ||Details=To start all vservers with a mark value of <tt>foo</tt>, you can use something like: | ||
+ | <pre> | ||
+ | MARK=foo NUMPARALLEL=42 LOCKFILE=vserver-foo /path/to/util-vserver/vserver-wrapper start | ||
+ | </pre> | ||
+ | |||
+ | If you want to automate this, you can create a copy of the <tt>/etc/init.d/vservers-default</tt> script called <tt>/etc/init.d/vservers-foo</tt>, set <tt>MARK</tt>, <tt>NUMPARALLEL</tt> and <tt>LOCKFILE</tt> appropriately in it, and have it start at whatever point in the boot process.|Signature=Guy-}} | ||
{{Question | {{Question | ||
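Review bot: the one-liner sets `LOCKFILE=vserver-foo` (singular) while the script the reader is told to copy is `/etc/init.d/vservers-default` and the copy is `/etc/init.d/vservers-foo` (plural); use `LOCKFILE=vservers-foo` so the lock file name matches the init script naming. `NUMPARALLEL=42` is an arbitrary value; say that it is the number of guests started in parallel so readers do not copy it blindly.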
Line 573: | Line 655: | ||
||Details=After a reboot you need to run the vprocunhide script. If running this script causes many errors to print on the screen, try checking the kernel you have booted with (perhaps it does not have the linux-vserver extensions enabled). | ||Details=After a reboot you need to run the vprocunhide script. If running this script causes many errors to print on the screen, try checking the kernel you have booted with (perhaps it does not have the linux-vserver extensions enabled). | ||
|Signature=mattzerah}} | |Signature=mattzerah}} | ||
+ | |||
+ | {{Question | ||
+ | |Question=When I try to start a guest i get this message "vsched: vc_set_sched(): Function not implemented". | ||
+ | ||Details=After an upgrade of the kernel/tools if you used the old scheduler function you must convert them to cgroup cpu limits. If you do not want limits search and remove/rename /etc/vservers/*/sched/ and the guest will start again. This might also happen when you use a newer kernel patch but did not yet update the vserver utils to a recent version (Thorsten). | ||
+ | |Signature=aqueos}} | ||
== Kernel == | == Kernel == | ||
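Review bot: "i get" should be "I get", and "you must convert them to cgroup cpu limits" has no clear referent for "them" (the per-guest `sched/` settings); say so explicitly and link the page that documents cgroup CPU limits. Prefer "rename" over "remove" for `/etc/vservers/*/sched/` so the old settings can be converted later, and the parenthetical "(Thorsten)" is an attribution that belongs in the Signature field rather than in Details.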
Line 616: | Line 703: | ||
newvserver --arch i386 ... | newvserver --arch i386 ... | ||
</pre> | </pre> | ||
+ | |||
+ | On debian debootstrap can also be gived the arch option: | ||
+ | <pre> | ||
+ | vserver myguest \ | ||
+ | build -m debootstrap -n myguest \ | ||
+ | --hostname myguest.mydomain.com \ | ||
+ | -- -d squeeze -- \ | ||
+ | --arch=amd64 (or i386 if you want 32bit) | ||
+ | </pre> | ||
+ | |||
|Signature=derjohn}} | |Signature=derjohn}} | ||
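Review bot: "On debian debootstrap can also be gived the arch option" should read "On Debian, debootstrap can also be given the arch option". The text `(or i386 if you want 32bit)` sits inside the `<pre>` block, so a reader who copies the block passes it to debootstrap as arguments; move that remark into the prose above the block and leave only `--arch=amd64` in the command.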
Line 621: | Line 718: | ||
|Question=What does the guest privacy option do in the kernel settings ? | |Question=What does the guest privacy option do in the kernel settings ? | ||
||Details=<pre> | ||Details=<pre> | ||
− | > i was wondering about the real thing that guest privacy does. | + | >i was wondering about the real thing that guest privacy does. |
#ifdef CONFIG_VSERVER_PRIVACY | #ifdef CONFIG_VSERVER_PRIVACY | ||
#define VS_ADMIN_P (0) | #define VS_ADMIN_P (0) | ||
Line 660: | Line 757: | ||
{{Question | {{Question | ||
|Question=VServer is included in the stable Debian GNU/Linux for years now. What VS version did they include? | |Question=VServer is included in the stable Debian GNU/Linux for years now. What VS version did they include? | ||
− | ||Details= | + | ||Details=There is no support in Debian for Linux-Vserver since the Wheezy release. Debian Squeeze included a 2.6.32 based kernel-package called 2.6.32-5-vserver-ARCH. This contained VServer 2.3.0.36.29.6 with some additional fixes. |
|Signature=scientes}} | |Signature=scientes}} | ||
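Review bot: "There is no support in Debian for Linux-Vserver since the Wheezy release" is ambiguous about whether Wheezy itself shipped a vserver kernel; since the next sentence names Squeeze as the release that did, say "Wheezy and later ship no vserver kernel". Also "Linux-Vserver" should be spelled "Linux-VServer" as in the rest of the page.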
Line 666: | Line 763: | ||
|Question=Were can I get newer versions of VServer as ready made packages for Debian? | |Question=Were can I get newer versions of VServer as ready made packages for Debian? | ||
||Details= There are a number of locations | ||Details= There are a number of locations | ||
+ | * http://repo.psand.net/info/ has Debian Lenny, Squeeze and Wheezy repositories. Many kernel versions are present. Currently (Febraury 2013) 3.2 kernels are being maintained for Wheezy, with additional packages for 3.4 and 3.10 also available. Architectures available are i386 and amd64. This repository also contains curremt util-vserver builds. Build will shortly begin for Jessie. | ||
+ | * http://www.lihas.de/anleitungen-und-service/linux-vserver-kernel-fuer-debian/linux-vserver-kernel-english details their automatically built repository currently for 3.4 kernels. Building, patching and testing for the kernels is automated. | ||
+ | |||
+ | Older unmaintained repositories are/were here: | ||
+ | |||
* http://linux-vserver.derjohn.de/ - "my kernels are always 'devel' branch" (derjohn). This repo contain kernels up to 2.6.29 for amd64, 2.6.26 for i386. | * http://linux-vserver.derjohn.de/ - "my kernels are always 'devel' branch" (derjohn). This repo contain kernels up to 2.6.29 for amd64, 2.6.26 for i386. | ||
− | * http:// | + | * http://backports.debian.org/ contains 2.6.32 backports for Lenny at time of writing (11th May 2010) |
− | + | * http://zbla.net/debian/ Unofficial debian vserver packages '''WARNING : i386 packets are compiled for 64bits !''' apt source line: ''deb http://zbla.net/debian/ ./'' (N/A as of 2011/12/27) | |
− | * http://zbla.net/debian/ Unofficial debian vserver packages '''WARNING : i386 packets are compiled for 64bits !''' apt source line: ''deb http://zbla.net/debian/ ./'' | + | |
|Signature=Gremble | |Signature=Gremble | ||
}} | }} | ||
− | + | {{Question | |
− | + | |Question=Were can I get newer versions of VServer as ready made packages for Ubuntu? | |
+ | ||Details= There is only one location for | ||
+ | *http://repo-ubuntu.psand.net/dists/ is the only repository maintained for Ubuntu. It covers the same builds as http://repo.psand.net/info/ - and information there should be used, replacing 'precise' as distro in your /etc/apt/source.list. | ||
+ | |Signature=Gremble | ||
+ | }} | ||
== Misc == | == Misc == | ||
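Review bot: typos in the new repository entries: "Febraury" (February), "curremt" (current), and "Build will shortly begin" (Builds). In the Ubuntu question, "There is only one location for" is a dangling sentence that runs into the bullet, `/etc/apt/source.list` should be `sources.list`, and "replacing 'precise' as distro" is unclear about which name replaces which; spell out that the Debian codename in the instructions is to be replaced by the Ubuntu one.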
Line 683: | Line 788: | ||
{{Question | {{Question | ||
− | |Question=I want to (re)mount a | + | |Question=I want to (re)mount a virtual filesystem (like tmpfs) in a running guest ... but the guest has no rights (capability) to (re)mount? |
− | ||Details= | + | ||Details=I take as example your /tmp partition within the guest is too small, what will be likely the case if you stay with the 16MB default (vserver build mounts /tmp as 16 MB tmpfs!). |
<pre> | <pre> | ||
# vnamespace -e XID mount -t tmpfs -o remount,size=256m,mode=1777 none /var/lib/vservers/<guest>/tmp/ | # vnamespace -e XID mount -t tmpfs -o remount,size=256m,mode=1777 none /var/lib/vservers/<guest>/tmp/ | ||
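Review bot: "I take as example your /tmp partition within the guest is too small, what will be likely the case" should read "Take as an example a /tmp partition within the guest that is too small, which is likely the case". "16MB" and "16 MB" appear in the same sentence; pick one spacing.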
Line 699: | Line 804: | ||
vnamespace -e builder chroot /var/lib/vservers/<guest>/ mount -o remount,size=64m,mode=1777 /tmp | vnamespace -e builder chroot /var/lib/vservers/<guest>/ mount -o remount,size=64m,mode=1777 /tmp | ||
</pre> | </pre> | ||
+ | |Signature=derjohn/BenjaminGreen}} | ||
− | + | {{Question | |
− | |Signature=derjohn}} | + | |Question=How do I bind mount a host directory inside a running guest? |
+ | ||Details=There are two ways to do this: one is to enter the bind mount in the guest fstab and restart the guest. | ||
+ | |||
+ | To understand the other way, let me explain how mount namespaces work. | ||
+ | |||
+ | Every guest has two mount namespaces associated with it: one "''management namespace''" and one "''operational namespace''". | ||
+ | |||
+ | On starting the guest, first the management namespace is created as a copy of the host namespace (which means that everything that was mounted on the host is mounted in the new namespace as well). This has unwelcome side effects: for example, if you had a cdrom mounted while starting the guest, you wouldn't be able to eject it until you stop the guest even if you umount it on the host, because it's still mounted in the guest. Therefore, the namespace is ''cleaned up'': filesystems that are mounted outside the root of the guest get unmounted in the guest namespace. | ||
+ | |||
+ | Subsequently, the operational namespace of the guest is created as a copy of the management namespace, and the guest's processes are started in it. | ||
+ | |||
+ | To bind mount a host directory in the guest, you must first make that host directory visible in the management namespace of the guest. This is automatically the case if the directory resides inside a mountpoint that exists in the guest namespace as well; however, if the guest config referenced no part of this mountpoint (or it didn't yet exist when you started the guest), then the cleanup mentioned above removed it from the guest's management namespace and you need to re-add it. | ||
+ | |||
+ | Let's assume, as an example, that we want a guest to see a subdirectory, called <tt>foo</tt>, of the cdrom we just mounted on the host (e.g. under <tt>/media/cdrom</tt>). | ||
+ | |||
+ | Let's enter the management namespace of the guest (that's what <tt>-i 0</tt> is for): | ||
+ | |||
+ | <pre> | ||
+ | # vnamespace -i 0 -e <guest-xid> -- /bin/bash | ||
+ | </pre> | ||
+ | |||
+ | Now you have access to all host devices; mount the device that contains your directory wherever you want, but you may prefer to mount it in the same location you used on the host. (Note, though, that it's not even necessary for the device to be mounted in the host namespace at all.) | ||
+ | |||
+ | It's likely best to use <tt>mount -n</tt> lest your host <tt>/etc/mtab</tt> get polluted with mounts from other namespaces. | ||
+ | |||
+ | <pre> | ||
+ | # mount -n /dev/sr0 /media/cdrom | ||
+ | # exit | ||
+ | </pre> | ||
+ | |||
+ | We're now back in the host namespace. <tt>vmount</tt> can now be used to bind mount <tt>/media/cdrom/foo</tt> inside a running guest (in this example, under <tt>/foo</tt> inside the vserver root): | ||
+ | |||
+ | <pre> | ||
+ | # vmount guestname -- --bind /media/cdrom/foo /mnt/foo | ||
+ | </pre> | ||
+ | |Signature=[[User:KornAndras|Guy-]] 01:31, 10 January 2012 (UTC)}} | ||
+ | |||
+ | {{Question | ||
+ | |Question=How do I mount a device present on the host under a directory in a running guest? | ||
+ | ||Details=Use something like: | ||
+ | <pre> | ||
+ | vnamespace -e <guestname> mount -n /dev/<device> /vservers/<guest>/place/you/want/to/mount/it | ||
+ | </pre> | ||
+ | |||
+ | This device can be unmounted with: | ||
+ | |||
+ | <pre> | ||
+ | vnamespace -e <guestname> umount -n /vservers/<guest>/place/you/want/to/mount/it | ||
+ | </pre> | ||
+ | |||
+ | |Signature=derjohn/BenjaminGreen}} | ||
{{Question | {{Question | ||
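Review bot: the bind-mount walkthrough says the directory ends up "under `/foo` inside the vserver root" but the command is `vmount guestname -- --bind /media/cdrom/foo /mnt/foo`; make the prose and the command agree. The following question uses `vnamespace -e <guestname>` while the earlier tmpfs remount example uses `vnamespace -e XID`; use one placeholder form for the `-e` argument so readers know what the option expects.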
Line 743: | Line 899: | ||
setpriority(PRIO_PROCESS, 0, 0) = -1 EACCES (Permission denied) | setpriority(PRIO_PROCESS, 0, 0) = -1 EACCES (Permission denied) | ||
You can use 'su nobody -c nice some_cmd' instead. | You can use 'su nobody -c nice some_cmd' instead. | ||
− | |||
− | |||
+ | The problem is caused by the fact that host system is setting limits for guests (when instructed to do so) and the dropped capability dissallows processess on guest systems to change and increase them later. That means no process on a guest can lower nice value above the limit set by host. | ||
+ | |||
+ | If the pam_limits module is activated on a guest system it will first try to '''reset nice value to 0''' even if <tt>/etc/security/limits.conf</tt> file is empty or even if there are lower priority limits set in it. The pam_limits module does that since [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=241663 its developers decided] that it should reset some limits to defaults and start from scratch when applying new restrictions. Unfortunately, already limited guest system won't be able to do it since resetting nice value to 0 means increasing the limit which is forbidden. See [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311058 Debian Bug report logs - #311058] for more information about that Debian bug. | ||
+ | |||
+ | See also [[Frequently_Asked_Questions#Cron is not working on my guest system (which is Debian). How can I fix it?|Cron is not working…]] | ||
+ | |||
+ | |Signature=daniel_hozac & Beuc & Paweł Wilk}} | ||
+ | |||
+ | {{Question | ||
+ | |Question=Cron is not working on my guest system (which is Debian). How can I fix it? | ||
+ | ||Details=On a guest system the cron daemon may not work properly. When looking into the log file (e.g. <tt>/var/log/syslog</tt>) the following message may appear repeatedly: | ||
+ | CRON[xxxxx]: Permission denied | ||
+ | |||
+ | Similar thing may happen with the <tt>su</tt> when trying to execute a command as root. | ||
+ | |||
+ | It's not the problem in Cron but in the pam_limits module on a guest system (see [[Frequently_Asked_Questions#When using nice and su (for example, in the updatedb cron job), I get: su: Permission denied. What does it mean?|FAQ:When using nice and su…]] for more information about the cause). | ||
+ | |||
+ | There are 4 ways to solve or work-around this problem: | ||
+ | |||
+ | '''1. Allowing guests to reset resource limits:''' | ||
+ | |||
+ | It's clean solution but you may expect some guest processes increasing their limits because not everything is controlled by PAM. It also breaks centralized resources limiting approach so a guest can do bad things that may cause other guests and host to be overloaded and unresponsive. | ||
+ | |||
+ | To apply it you have to add <tt>CAP_SYS_RESOURCE</tt> flag to <tt>/etc/vservers/<server name>/bcapabilities</tt> (2.6 kernels). | ||
+ | |||
+ | See [[util-vserver:Capabilities_and_Flags|Capabilities and Flags]] for more information. | ||
+ | |||
+ | '''2. Disabling pam_limits on a guest systems:''' | ||
+ | |||
+ | This workaround is easy and works fine when your guest systems aren't really multiuser but rather service boxes. It disables setting of the resource limits by PAM so the limits can only be set globally for the whole guest (using rlimits or cgroups on a host) but never increased inside of the guest system. | ||
+ | |||
+ | To apply it just enter the guest and edit the files listed below, commenting out any line containing <tt>pam_limits</tt>: | ||
+ | |||
+ | /etc/pam.d/su | ||
+ | /etc/pam.d/sudo | ||
+ | /etc/pam.d/cron | ||
+ | |||
+ | You can also use this one-liner on a guest: | ||
+ | |||
+ | <pre> | ||
+ | /bin/sed --in-place -e "s/^\s\?session.*pam_limits.so.*/\#\0/g" /etc/pam.d/{su,sudo,cron} | ||
+ | </pre> | ||
+ | |||
+ | '''3. Allowing guest's pam_limits to set limits when possible:''' | ||
+ | |||
+ | This workaround allows you to have working <tt>pam_limits</tt> inside a guest system and global limits set by a host system. What's the catch? The problematic PAM module won't fully work for the root user on a guest system as expected and there might appear some PAM's warnings in guest's <tt>auth.log</tt>. Since using pam_limits to limit regular user processes is far more frequent than using it to limit root processes, this solution may be a good compromise. It is about setting a proper limits in pam_limits configuration and about setting this PAM module in a way that its function is optional (instead of required). The last change makes PAM to continue with session even if pam_limits encounters some error during setting limits (it usually applies to superuser sessions). | ||
+ | |||
+ | The not so nice news is that there might be a need of keeping guest's limits configuration up to date according to limits globally set for a guest. The limits set in pam_limits configuration file(s) shouldn't be higher (lower in case of nice value) than global guest's limits. | ||
+ | |||
+ | To apply it enter the guest and edit the files listed below, replacing occurences of <tt>required</tt> by <tt>optional</tt> in the lines containing <tt>pam_limits</tt>: | ||
+ | |||
+ | /etc/pam.d/su | ||
+ | /etc/pam.d/sudo | ||
+ | /etc/pam.d/cron | ||
+ | |||
+ | For example: | ||
+ | |||
+ | # Sets up user limits, please define limits for cron tasks | ||
+ | # through /etc/security/limits.conf | ||
+ | session optional pam_limits.so | ||
+ | |||
+ | Then on a guest system create the file <tt>/etc/security/limits.d/01-fixpam.conf</tt> containing: | ||
+ | |||
+ | <pre> | ||
+ | * - priority X # replace X with your guest's nice value | ||
+ | </pre> | ||
+ | |||
+ | You can automate this process to happen automagically for any guest by creating the startup script named <tt>/etc/vservers/.defaults/scripts/post-start.d/01-pamfix</tt>: | ||
+ | |||
+ | <pre> | ||
+ | #!/bin/sh | ||
+ | |||
+ | # This script tries to fix pam_limits entries | ||
+ | # to make it possible for PAM in a guest system to | ||
+ | # set its own limits. | ||
+ | |||
+ | PAM_DIR="etc/pam.d" | ||
+ | PAM_SERVICES="su sudo cron" | ||
+ | LIMITS_FILE="etc/security/limits.d/01-pamfix.conf" | ||
+ | |||
+ | vname="$2" | ||
+ | [ -z "$vname" ] && exit 0 | ||
+ | |||
+ | vcfg=$( /usr/sbin/vserver-info "$vname" CFGDIR ) | ||
+ | [ ! -d "$vcfg" ] && exit 0 | ||
+ | |||
+ | for s in $PAM_SERVICES | ||
+ | do | ||
+ | pamfile="${PAM_DIR#\/}/$s" | ||
+ | [ -f "$pamfile" ] && /bin/sed --in-place -e "s/\(^\s\?session.*\)required\(.*pam_limits.so.*\)/\1optional\2/g" "$pamfile" | ||
+ | done | ||
+ | |||
+ | [ ! -f "${vcfg}/nice" ] && exit 0 | ||
+ | nval=$( /usr/bin/head -1 "${vcfg}/nice" ) | ||
+ | [ -n "$nval" ] && echo "* - priority $nval # (added by vserver startup script)" > "${LIMITS_FILE#\/}" | ||
+ | |||
+ | exit 0 | ||
+ | </pre> | ||
+ | |||
+ | '''4. Disabling resource limits for a guest:''' | ||
+ | |||
+ | It easy, clean and… unsafe solution. You just have to not set resource limits (e.g. priority, nice value) for a guest or set the nice value limit to 0 on a host system. Resetting it later by guest's <tt>pam_limits</tt> will not generate an error. | ||
+ | |||
+ | |Signature=Paweł Wilk}} | ||
{{Question | {{Question | ||
|Question=How do I handle NFS mounts within in a guest? | |Question=How do I handle NFS mounts within in a guest? | ||
− | ||Details=There are | + | ||Details=There are at least four ways. |
+ | |||
+ | In any case, you probably want to force the nfs version to 3 or lower to avoid id mapping issues (one symptom of having an id mapping issue is that <tt>no_root_squash</tt> appears to be ignored). You can check whether the mount uses nfsv4 by looking at <tt>/proc/mounts</tt> inside the guest. You can force the protocol version to 3 by passing the mount options <tt>nfsvers=3,mountvers=3</tt>. | ||
'''1)''' Mount the NFS share from the host OS and let vserver guest access it as part of it's file system. | '''1)''' Mount the NFS share from the host OS and let vserver guest access it as part of it's file system. | ||
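Review bot: the post-start hook in the third pam_limits workaround edits its targets through relative paths (`pamfile="${PAM_DIR#\/}/$s"` and `"${LIMITS_FILE#\/}"`), so it only touches the guest's files when the hook happens to run with the guest's root as its working directory; run from anywhere else, e.g. `/`, it would rewrite the host's own /etc/pam.d/su, sudo and cron and drop a priority limit into the host's /etc/security/limits.d. Resolve the guest root explicitly, for example `vdir=$( /usr/sbin/vserver-info "$vname" VDIR )` followed by `[ -d "$vdir" ] || exit 0`, and prefix both paths with it. The sed on the pam_limits lines also only rewrites `required`; a guest whose PAM stack uses `requisite` for pam_limits is left unchanged and still fails, which is worth a comment next to the regex.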
Line 758: | Line 1,018: | ||
See http://www.nongnu.org/util-vserver/doc/conf/configuration.html | See http://www.nongnu.org/util-vserver/doc/conf/configuration.html | ||
+ | |||
+ | Note that as of 0.30.216-pre3000 and kernel 3.0.4-vs2.3.1-pre10.1, the mount request will appear to originate from the IP of the host, not the guest. It is unclear (to [[User:KornAndras|Guy-]]) whether this is a bug. | ||
'''3)''' Add capabilities to the vserver guest instance to grant sufficient rights to allow NFS mounts. | '''3)''' Add capabilities to the vserver guest instance to grant sufficient rights to allow NFS mounts. | ||
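Review bot: the note that the mount request appears to originate from the host's IP has a consequence the text should state: NFS export entries written for the guest's address (including any no_root_squash for it) will not match such a mount, so the server's export list has to be written for the host's address instead for this method to work.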
Line 769: | Line 1,031: | ||
See [[Capabilities_and_Flags]] for more information about vserver capabilities. | See [[Capabilities_and_Flags]] for more information about vserver capabilities. | ||
− | If you want the NFS shares to be mounted when the guest starts, add them to /etc/vserver/<vserver_name>/fstab | + | If you want the NFS shares to be mounted when the guest starts, add them to /etc/vserver/<vserver_name>/fstab. |
+ | |||
+ | '''4)''' Before starting the guest, make a directory of the host "shared" using <tt>mount --make-shared /path/to/dir</tt>, then set up autofs to mount nfs shares under <tt>/path/to/dir/sharename</tt>. | ||
+ | |||
+ | rbind mount subdirectories of <tt>/path/to/dir</tt> in the guest from its fstab. | ||
+ | |||
+ | This setup is good if the nfs shares are not often needed, and especially if they're occasionally needed by more than one guest. (As of September 2011, running autofs inside a vserver guest didn't work for me. --[[User:KornAndras|Guy-]] 01:05, 30 October 2011 (UTC)) | ||
||Signature=martindk}} | ||Signature=martindk}} | ||
Line 885: | Line 1,153: | ||
||Signature=derjohn | ||Signature=derjohn | ||
}} | }} | ||
+ | |||
+ | [[Category:Community]] | ||
+ | [[Category:Categories]] |
Latest revision as of 17:01, 20 February 2018
We are currently migrating to MediaWiki from our old installation, but not all content has been migrated yet. Take a look at the Wiki Team page for instructions on how to help, or look at the old wiki to find the information not migrated yet.
To ease migration we created a List of old Documentation pages.
CURRENTLY THE CONTENT OF THE OLD WIKI FAQ (AND MORE) IS BEING MIGRATED TO THIS PAGE (TASK: DERJOHN)
General
What is the status of Linux-VServer?
What is a 'Guest'?
What kind of Operating System (OS) can I run as guest?
Is this a new project? When was it started?
Which distributions did you test?
Is VServer comparable to XEN/UML/QEMU?
With which version should I begin?
Is VServer secure?
Performance?
What is the "great flower page"?
Resources usage
Resource sharing?
- memory: Dynamically.
- CPU usage: Dynamically (token bucket)
Resource limiting?
- using ulimits and rlimits (rlimit is a new feature of kernel 2.6/vs2.0.) per guest, to limit the memory consumption, the number of processes or file-handles, ... : see Resource Limits
- CPU usage : see CPU Scheduler
- disk space usage : see Disk Limits and Quota
How do I limit a guests RAM? I want to prevent OOM situations on the host!
If you want a recipe, do this:
- Check the size of memory pages. On x86 and x86_64 it is usually 4 KB per page. (on linux "getconf -a
Disk I/O limiting? Is that possible?
    # cat /sys/block/hdc/queue/scheduler
    noop [anticipatory] deadline cfq
The default since 2.6.18 in Sept 2006 is CFQ, described below, and prior to that was anticipatory a.k.a. "AS" ([Wikipedia]). When running several guests on a host you probably want the I/O performance shared in a fair way among the different guests. The kernel comes with a "completely fair queueing" scheduler, CFQ, which can do that. (More on schedulers can be found at http://lwn.net/Articles/114770/) This is how to set the scheduler to "cfq" manually:
    root# echo "cfq" > /sys/block/hdc/queue/scheduler
    root# cat /sys/block/hdc/queue/scheduler
    noop anticipatory deadline [cfq]
Keep in mind that you have to do it on all physical discs. So if you run an md-softraid, do it to all physical /dev/hdXYZ discs! If you run Debian there is a predefined way to set the /sys values at boot-time:
    # apt-get install sysfsutils
    [...]
    # grep cfq /etc/sysfs.conf
    block/sda/queue/scheduler = cfq
    block/sdc/queue/scheduler = cfq
    # /etc/init.d/sysfsutils restart
For non-vserver processes and CFQ you can set by which key the kernel decides about the fairness:
    cat /sys/block/hdc/queue/iosched/key_type
    pgid [tgid] uid gid
Hint: The 'key_type'-feature has been removed in the mainline kernel recently. Don't look for it any longer :(
The default is tgid, which means to share fairly among process groups. Think of every guest as its own process group. It's not possible to set a scheduler strategy within a guest: all processes belonging to the same guest are treated as "noop" relative to each other. So if you run apache and an ftp-server within the _same_ guest, there is no fair scheduling between them, but there is fair scheduling between the whole guest and all other guests.
And: It's possible to tune the scheduler parameters in several ways. Have a look at /sys/block/hdc/queue/....
Nice disk I/O scheduling, is that possible?
It's split into three classes, called real-time, best-effort and idle. The default is best-effort, and within best-effort you can have a niceness from 0 up to and including 7. You can set this niceness with the tool ionice, which on Debian is in either the package util-linux or schedutils. To change the I/O niceness you need CAP_SYS_NICE, and you need to have the same uid as the process you want to ionice.
- Note: If you want to use any scheduling class other than best-effort you will also need the CAP_SYS_ADMIN flag. Be warned that this gives quite some capabilities to the vserver, not just for I/O scheduling!
If you want to increase the niceness of an I/O hogging process within a vserver you need to do:
    chcontext --xid sponlp1 sudo -u '#2089' ionice -c2 -n5 -p24409

with sudo and ionice installed on the root server, to increase the *nice*ness of pid 24409, which runs with uid 2089.
I want iotop to display all guest processes on host to give me a nice overview of I/O usage.
# setattr --watch /proc/vmstat
to, for example, rc.local, and later run iotop:
# vcontext --migrate --xid 1 -- iotop
Unification
What is unification (vunify)?
What is vhashify?
It creates hardlinks to files named after a hash of the content of the file. If you have a recent version of the vserver patch (2.2+), with CONFIG_VSERVER_COWBL enabled, you can even modify the hardlinked files inside the vservers and the links will be broken automatically. There seems to be a catch when a hashified file has multiple hardlinks inside a guest, or when another internal hardlink is added after hashification. Link breaking will remove all the internal hardlinks too, so the guest will end up with different copies of the original file. The correct solution would be to not hashify files that have multiple links prior to hashification, and to break the link to the hashified version when a new internal hardlink is created. Apparently, this is not implemented yet (?).
How do I manage a multi-guest setup with vhashify?
    mkdir /etc/vservers/.defaults/apps/vunify/hash /vservers/.hash
    ln -s /vservers/.hash /etc/vservers/.defaults/apps/vunify/hash/root
Then, do this one line per vserver:
mkdir /etc/vservers/<vservername>/apps/vunify # vhashify reuses vunify configuration
To hashify a running vserver, do (possibly from a cronjob):
vserver name-of-guest hashify
The guest needs to be running because vhashify tries to figure out what files not to hashify by calling the package manager of the guest via vserver enter.
In order for the OS cache to benefit from the hardlinking, you'll have to restart the vservers.
To clean up hashified files that are no longer referenced by any vserver, do (possibly from a cronjob):
    find /vservers/.hash -type f -links 1 -print0 | xargs -0 rm

Until you do this, the files still take up space even though no vserver needs them.
Filesystem usage
Is there a way to implement "user/group quota" per VServer?
What about "Quota" for a context? Howto limit disk usage?
How do I tag a guest's directory with xid?
Filesystem XID tagging only works on supported filesystems. Those are currently: ext2/3, reiserfs/reiser3, xfs and jfs. To activate XID tagging you have to mount the filesystem with "-o tag" (the former "tagxid" option is outdated since VS2.2). Attention: it is _not_ possible to "-o remount,tag"; you have to mount it freshly. The guests will tag their files automatically. If you copy files in from the host, you have to tag them manually like this:
chxid -c xid -R /var/lib/vservers/<guest>
Note: Contexts 0 and 1 will see all files; guests will only be able to access untagged files and files with their own XID. They can see files of other XIDs, but no information about the file, e.g. no owner, no group, no permissions.
Note: It is not advised to tag the root filesystem, as explained by Herbert: trying to do so will expose you to some troubles!
How can I copy anything from host to guest partition, normally invisible on host?
    vnamespace --enter <xid> -- /bin/bash

and then use the standard cp or rsync programs.
Why is the barrier attribute disappearing on reiserfs filesystem after umount or host reboot?
    mount /dev/reiserfsdev /vservers -oattrs
    setattr --barrier /vservers

to get the barrier to survive after umount/reboot.
Network
Does it support IPv6?
I can't do all I want with the network interfaces inside the guest?
How do I add several IPs to a vserver?
Update from IRC (2011-08-22): <mmouse> quick question: what is the maximum count of IPs (v4) I can have in a single guest? <daniel_hozac> unlimited.
Here is a little helper-script that adds a list of IPs defined in a text file, one per line.
    #!/bin/bash
    # Run inside /etc/vservers/<guest>/interfaces/: creates one numbered
    # directory per address in myiplist (one IP per line), starting at 2.
    j=1
    for i in `cat myiplist`; do
        j=$(($j+1))
        mkdir $j
        echo $i > $j/ip
        echo "24" > $j/prefix
    done
How do I assign a new IP address to a running guest?
- add the ip on the host, for example
ip addr add 194.169.123.23/24 dev eth0
- add the ip to the guest's network context (a guest's NID is the same as its XID {context ID})
naddress --add --nid <nid> --ip 194.169.123.23/24
- enter the guest (best via ssh)
- restart the services that need to make use of the new address if required
- update the config in /etc/vserver/<servername>/interfaces to reflect the changes for the next guest restart (if desired)
If my host has only a single public IP, can I use RFC1918 IPs (e.g. 192.168.foo.bar) for the guest vservers?
iptables -t nat -I POSTROUTING -s $VSERVER_NETZ ! -d $VSERVER_NETZ -j SNAT --to $EXT_IP
See: HowtoPrivateNetworking and
http://www.tgunkel.de/it/software/doc/linux_server.en#h3-VServer_Masquerading_SNAT (THX, [MUPPETS]Gonzo)
If I shut down my vserver guest, the whole Internet interface ethX on the host is shut down. What happened?
You can check this on the host using the command "ip addr show". Example output:
    1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
        inet 192.168.249.172/27 brd 192.168.249.191 scope global eth0
        inet 192.168.234.194/27 brd 192.168.234.223 scope global eth0
        inet 192.168.249.169/27 brd 192.168.249.191 scope global secondary eth0
        inet 192.168.234.195/27 brd 192.168.234.223 scope global secondary eth0
In this example, if you stop the guest which brings down the IP 192.168.249.172, the IP 192.168.249.169 will be brought down as well, because it is a secondary IP of the "parent" 192.168.249.172.
But in very recent kernels, there is an option settable which prevents that nasty feature. It's called "alias promotion". You may set it via sysctl by adding net.ipv4.conf.all.promote_secondaries=1 in /etc/sysctl.conf or via sysctl command line.
Can I run an OpenVPN Server in a guest?
This is the minimal OpenVPN configuration for the Server which will be used to demonstrate how to get it running in a client:
    # Networking setup
    server 192.168.16.0 255.255.255.0
    dev tun16
    ifconfig-noexec
    comp-lzo
    # Certificates
    dh ...
    ca ...
    cert ...
    key ...
    # Management
    persist-key
    keepalive 10 60
    verb 4
First of all you have to prepare the host with a persistent interface in the right mode and with the right settings. This is easily done by using openvpn and the ip and route tools.
    # openvpn --mktun --dev tun16
    # ip link set dev tun16 txqueuelen 100
    # ifconfig tun16 192.168.16.1 pointopoint 192.168.16.2 mtu 1500
    # route add -net 192.168.16.0 netmask 255.255.255.0 gw 192.168.16.2
If you need different settings, openvpn will tell you the ifconfig and route commands it uses to configure the interface when being started on the host with the original config file, but without ifconfig-noexec. Additionally, the guest needs /dev/net/tun to make OpenVPN happy. This can be created with MAKEDEV:
    # cd /var/lib/vserver/<myopenvpnserver>/dev/
    # ./MAKEDEV tun

(creates the dev/net/tun device accessible by the guest; even a tap interface needs /dev/net/tun!)
Finally, the guest needs to have the tun device assigned:
    # head /etc/vservers/<myopenvpnserver>/interfaces/1/*
    ==> /etc/vservers/<myopenvpnserver>/interfaces/1/ip <==
    192.168.16.1

    ==> /etc/vservers/<myopenvpnserver>/interfaces/1/nodev <==
    tun16

    ==> /etc/vservers/<myopenvpnserver>/interfaces/1/prefix <==
    24
    #
The client's conf may look like that:
    # Basic setup
    client
    proto tcp-client
    dev tun
    remote <ipaddress>
    comp-lzo
    verb 4
    # Certificate
    ca ...

[ Based on derJohn's original answer, all errors mine ]
Trying to connect to a vserver from the host or another vserver on the same host fails
sin_addr=inet_addr("xx.xx.xx.xx")}, yy) = -1 EINVAL (Invalid argument)
A: The host/guest cannot communicate with another guest on same host.
- check all netmasks on all interfaces (do they overlap) ?
- check policy routing (disable it temporary) ?
- check that lo is up (Networking within a host/guest always uses lo interface)
Can I use iptables ?
If you really, really, really need iptables in the guest, and you are aware that you lose a big part of VServer's isolation and security, you could add the NET_ADMIN capability. Consider writing wrappers to manage iptables on the host instead.
Is it possible to prevent guest from bringing down primary ip?
Is it possible to provide a different MAC address per vServer?
Real answer from _are_:
When I once needed 'real' separate MAC-addresses I used TAP-devices and VDE2 ([http://vde.sourceforge.net/ Virtual Distributed Ethernet]). Basically vServer is an isolation of existing resources, not a virtualization of 'new' devices. Without extra fuss you can't add a 'new' network interface to a vServer, no matter if it is eth* or tap*; you always add it to the host and give the vServer access to it. I got the TAP+VDE2 up and running, but I think it is too much trouble for basically the simple adding of IPs to a vServer unless you really need the MAC address separate.
You can also utilize the MACVLAN ability of the kernel.
I.e. create a macvlan0 interface with:
    ip link add link eth0 address 00:19:d1:29:d2:58 macvlan0 type macvlan

[Reference]
Is it possible to hide packet counters on the host network interface from vServer guests?
Services won't bind to 127.0.0.1 when I configure them to bind to all available IPs / (binding service to * doesn't bind to loopback)?
It means somehow "optimized" :D If you don't want this you have 3 possible solutions (quoting Bertl):
- disable the auto single IP in the kernel
- assign more than one IP to the guest
- disable single ip special casing for that guest
The latter is done with:

    echo "~single_ip" >> /etc/vservers/<VSERVER>/nflags

At runtime, to avoid restarting the vserver:

    nattribute --set --nid <guest> --flag ~single_ip
When using network namespaces and vserver together, netstat does not work in the vserver. What's wrong?
If you create a new network namespace, you have to run vprocunhide inside that network namespace as well, because the new /proc/net files are not visible to a vprocunhide run outside it. Something like this should be sufficient to get netstat working in vservers with network namespaces:
ip netns exec $NAMESPACE /usr/lib/util-vserver/vprocunhide
Administration tools
Which guest vservers are running?
    CTX   PROC    VSZ    RSS  userTIME   sysTIME    UPTIME NAME
    0       77 965.1M 334.6M 14m14s18  2m28s69   1h33m46 root server
    49152    7    14M   5.2M  0m00s40  0m00s30   1h30m15 chiffon
Is there a web-based interface for vserver that will allow creation/deletion/configuration etc. of vserver guests?
- http://Openvcp.org which is a distributed system (agent!) with a web-interface, with which you can build/remove guests
- http://vsmon.revolutionlinux.com/ is a distributed monitoring-only solution that allows you to search for a particular vserver in your park.
Hosting foreign distributions
I run a Debian host and want to build an Ubuntu guest. Howto?
    vserver vubuntu build --force -m debootstrap --hostname vubuntu.myvservers.net \
        --netdev eth0 --interface 192.168.0.2/24 --context 42 \
        -- -d breezy -m http://de.archive.ubuntu.com/ubuntu

[UPDATE] Currently there are problems in building breezy under unclear circumstances, which seem to have to do with udev. If the above didn't work, try:
    vserver vubuntu build --force -m debootstrap --hostname vubuntu.myvservers.net \
        --netdev eth0 --interface 192.168.0.2/24 --context 42 \
        -- -d breezy -m http://de.archive.ubuntu.com/ubuntu -- --exclude=udev

In very recent versions of the utils the problem should not occur anymore (it has to do with the 'secure-mount'; look in the mailing lists for details).
Well, sid's debootstrap knows how to bootstrap Ubuntu linux. Make sure to have a current debootstrap package:
    apt-get update
    apt-get install debootstrap

The knowledge of how to build ubuntu 'breezy badger' (which you probably want to be your guest at the time of writing) has been added recently.
I want to build a Gentoo guest. Howto?
Application level problems
I did everything right, but the application foo does not start. What's up there?
When I try to ssh to the guest, I log into the host, even if I installed sshd on the guest. What's wrong here?
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::

And now change the setting to
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    # the host's IP, not the guest's IP!
    ListenAddress your.hosts.ip.here

Then '/etc/init.d/ssh restart' on the host, and after that on the guest (if you already did apt-get install ssh on the guest). Do I have to explain more? The host's sshd binds port 22 on all available IP addresses (the host 'sees' all addresses of the guests, too), so when the guest starts its sshd it can't bind to port 22 any more. You only need to change the setting on the host.
(BTW: A similar approach has to be done for a lot of daemons, e.g. Apache. If the daemon does not support an explicit bind, you may use the chbind command to 'hide' IP addresses from the daemon before starting.)
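As an added example, not code from this wiki or from util-vserver, the following POSIX shell function lists the host daemons bound to the wildcard address, i.e. the ones that will shadow a port for every guest the way the host's sshd does above. It reads "ss -ltnp" or "netstat -ltnp" output from stdin or a file and relies only on the local address being the fourth column and the owning process the last one; the sample output it ships with is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example; not code from the Linux-VServer wiki or util-vserver.
# Lists host listeners bound to the wildcard address (0.0.0.0, ::, [::], *):
# those "see" every guest IP and stop a guest from binding the same port.

# wildcard_listeners [FILE...]
#   Reads "ss -ltnp" / "netstat -ltnp" text from FILE(s) or stdin and prints
#   "PORT ADDRESS PROCESS" for each wildcard socket. Sockets bound to one
#   specific IP are skipped: they do not collide with a guest on another IP.
wildcard_listeners() {
    awk '
        # Drop the header lines of ss ("State ...") and netstat ("Active ...", "Proto ...").
        $1 == "State" || $1 == "Active" || $1 == "Proto" { next }
        NF < 4 { next }
        {
            # Local address is column 4 in both tools: "0.0.0.0:22", "[::]:22", ":::22".
            n = split($4, part, ":")
            if (n < 2) next
            port = part[n]
            # Everything before the last colon is the address.
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
                print port, addr, $NF
        }
    ' "$@"
}

# sample_ss_output
#   Constructed "ss -ltnp" output for the demo; not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      511    192.168.0.2:80       0.0.0.0:*          users:(("apache2",pid=1201,fd=4))
LISTEN 0      128    [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN 0      80     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=950,fd=10))
EOF
}

# On a real host:  ss -ltnp | wildcard_listeners
# Demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    sample_ss_output | wildcard_listeners
fi
```

On the constructed sample only the two sshd sockets are reported; apache bound to one address and mysqld on 127.0.0.1 are left out, which is exactly the distinction the ListenAddress change above makes for sshd.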
Bind9 does not like to start in my guest.
My mysqld running in a guest behaves strangely and is awfully slow/locks up
If you prefer not to modify or disable tmpfs, you can reconfigure MySQL to use a different tmpdir such as "/var/tmp". For example, edit /etc/my.cnf (RHEL/CentOS) or create /etc/mysql/conf.d/mysqld_custom.conf (Debian) and add the following line:
    tmpdir = /var/tmp

Afterwards, restart MySQL (/etc/init.d/mysqld restart) and then review the MySQL variables (mysqladmin -uroot -p variables) to confirm "tmpdir" is no longer pointing to "/tmp".
Pure-FTP does not run inside a VServer?
Why do neither sshd nor crond (vixie-cron) work correctly in my CentOS / Fedora guest? I get 'pam_loginuid(crond:session): set_loginuid failed opening loginuid' and similar lines in my logs.
pam authentication (also used by openssh) enables "pam_loginuid.so" in the /etc/pam.d/* files. Comment those lines out; they are not necessary and will not load within a guest anyway. This is probably also necessary after later updates, if the configs get changed. You may therefore add the following command line to a cronjob file or your software update script:
    /bin/sed --in-place -e "s/^session.*required.*pam_loginuid.so/# session\trequired\tpam_loginuid.so/g" /etc/pam.d/*

UPDATE: If you are compiling your own kernel, this can be fixed system-wide by setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=n in the kernel's .config file.
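As an added example, not from this wiki or from util-vserver, here is that sed as a reusable POSIX shell function. It comments out active "session ... pam_loginuid.so" lines with any control flag (required, requisite, optional) and any indentation, skips lines that are already commented so it can be rerun from cron without piling up "#" prefixes, and takes the directory and module name as parameters so it can be pointed at a guest tree from the host (e.g. /vservers/<guest>/etc/pam.d) or at a scratch copy. The PAM files it creates for the demo are constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example; not code from the Linux-VServer wiki or util-vserver.
# Comments out active "session ... MODULE" lines in a PAM config directory.

# pam_disable_session_module DIR MODULE
#   Rewrites every file in DIR so that an active line such as
#       session    required   pam_loginuid.so
#   becomes
#       # session    required   pam_loginuid.so
#   Already-commented lines never match, so rerunning is a no-op.
#   Prints the number of files that were changed.
pam_disable_session_module() {
    dir="$1"
    mod="$2"
    # Escape the dots so "pam_loginuid.so" is matched literally.
    modre=$(printf '%s' "$mod" | sed 's/\./\\./g')
    # Active line: optional blanks, "session", a blank, anything, MODULE.
    active="^[[:space:]]*session[[:space:]].*$modre"
    changed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -q "$active" "$f" || continue
        # Keep the original indentation and put "# " in front of the directive.
        sed "s/^\([[:space:]]*\)\(session[[:space:]].*$modre\)/\1# \2/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# make_sample_pam_dir
#   Creates a throwaway directory holding constructed files modelled on a
#   CentOS/Fedora guest (not copied from a real system) and prints its path.
make_sample_pam_dir() {
    d=$(mktemp -d)
    cat > "$d/crond" <<'EOF'
#%PAM-1.0
auth       required   pam_env.so
account    required   pam_access.so
session    required   pam_loginuid.so
session    include    system-auth
EOF
    cat > "$d/sshd" <<'EOF'
#%PAM-1.0
auth       include    system-auth
    session requisite pam_loginuid.so
session    optional   pam_keyinit.so force revoke
EOF
    cat > "$d/login" <<'EOF'
# session    required   pam_loginuid.so
session    include    system-auth
EOF
    echo "$d"
}

# On a real guest tree:  pam_disable_session_module /vservers/<guest>/etc/pam.d pam_loginuid.so
# Demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_pam_dir)
    echo "first run changed $(pam_disable_session_module "$d" pam_loginuid.so) file(s)"
    echo "second run changed $(pam_disable_session_module "$d" pam_loginuid.so) file(s)"
    grep -n pam_loginuid "$d"/*
    rm -rf "$d"
fi
```

The first run on the sample changes crond and sshd (login is already commented), the second run changes nothing, which is the property the cron job above needs. Other lines, including the active pam_keyinit session line, are untouched.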
How do i install nagios-plugins on a Gentoo guest?
The easiest way to do this from the host (assuming the guest is running) is:
vnamespace -e <xid> -- chroot /vservers/<name> emerge nagios-plugins -va
Somebody runs ntpd in guest and you can't use ntpdate in host?
ntpdate -u ntp.domain.xy
or you can use command:
    chbind --nid 42 --ip 1.2.3.4 -- ntpdate ntp.domain.xy

where the IP is the IP of the host.
Start / Stop a VServer
How do I make a vserver guest start by default?
echo "default" > /etc/vservers/derjohn/apps/init/mark
If you want to start it earlier, please read the init script "/etc/init.d/util-vserver" to find out how to do it. In most cases you don't need to change this. On Debian the vservers are started at "20", so after most other stuff is up (networking etc.).
Besides that I created a small helper script for managing the autostart foo: ((vserver-autostart))
How do I start all vservers with a mark value of something other than "default"?
    MARK=foo NUMPARALLEL=42 LOCKFILE=vserver-foo /path/to/util-vserver/vserver-wrapper start

If you want to automate this, you can create a copy of the /etc/init.d/vservers-default script called /etc/init.d/vservers-foo, set MARK, NUMPARALLEL and LOCKFILE appropriately in it, and have it start at whatever point in the boot process.
My host works, but when I start a guest it says that it has a problem with chbind.
What is old-style and new-style config?
How can I reboot/halt guests?
For legacy Linux-VServer (i.e. 1.2.x), you have to replace /sbin/halt in the guests with vreboot and start rebootmgr in the host. You also need to have a <guest>.conf file in /etc/vservers for each guest. Please have a look at /etc/init.d/rebootmgr.
For Linux-VServer 2.0+, sys_reboot has been virtualized to do the right thing. No changes are needed in guests. Please note that some things depend on the init style used by the guest : read util-vserver:InitStyles
What is the initial PATH?
When I try to start a guest i get this message "/proc/uptime can not be accessed. Usually, this is caused by procfs-security. Please read the FAQ for more details"?
When I try to start a guest i get this message "vsched: vc_set_sched(): Function not implemented".
Kernel
Is SMP Supported?
Do I really need the legacy-interfaces? What are these legacy-interfaces?
I have a vserver running on a Linux kernel with preemption. Is VServer "preempt" safe?
32 vs 64 Bit? What should I take?
    [*] Kernel support for ELF binaries
    <M> Kernel support for MISC binaries
    [*] IA32 Emulation          <---- without that, the entire 32bit API is not present
    <M> IA32 a.out support
You can force the guest to behave like a 32 environment like this:
echo linux_32bit > /etc/vservers/$NAME/personality echo i686 > /etc/vservers/$NAME/uts/machine
(thanks cehteh for the hint!)
But you can force debootstrap to put 32 bit binaries into the guest by 'export ARCH=i386';
export ARCH=i386 ; vserver build ....
On debian when using the newvserver script "export ARCH=i386" has no effect, just use:
newvserver --arch i386 ...
On debian, debootstrap can also be given the arch option:
    vserver myguest \
        build -m debootstrap -n myguest \
        --hostname myguest.mydomain.com \
        -- -d squeeze -- \
        --arch=amd64        (or i386 if you want 32bit)
What does the guest privacy option do in the kernel settings ?
> i was wondering about the real thing that guest privacy does.

    #ifdef CONFIG_VSERVER_PRIVACY
    #define VS_ADMIN_P (0)
    #define VS_WATCH_P (0)
    #else

> > Does it just prevent the spectator context?

it prevents the spectator context and the admin functionality in all cases which are privacy sensitive, which includes:

- ptrace
- devmapper
- devpts
- inode tag permissions
- mountinfo
- kill/signal
- netlink dumps
- tun control
- iopriority

> > What security does it bring to the system?

together with the VXF_STATE_ADMIN it can be used to secure a guest (to some degree) from unwanted access from the host admin. Of course, as the admin can change the kernel, this is a voluntary feature which mostly prevents certain kinds of accidental peeking or guest modification.
Distribution specific questions
VServer is included in the stable Debian GNU/Linux for years now. What VS version did they include?
Were can I get newer versions of VServer as ready made packages for Debian?
- http://repo.psand.net/info/ has Debian Lenny, Squeeze and Wheezy repositories. Many kernel versions are present. Currently (February 2013) 3.2 kernels are being maintained for Wheezy, with additional packages for 3.4 and 3.10 also available. Architectures available are i386 and amd64. This repository also contains current util-vserver builds. Builds will shortly begin for Jessie.
- http://www.lihas.de/anleitungen-und-service/linux-vserver-kernel-fuer-debian/linux-vserver-kernel-english details their automatically built repository currently for 3.4 kernels. Building, patching and testing for the kernels is automated.
Older unmaintained repositories are/were here:
- http://linux-vserver.derjohn.de/ - "my kernels are always 'devel' branch" (derjohn). This repo contain kernels up to 2.6.29 for amd64, 2.6.26 for i386.
- http://backports.debian.org/ contains 2.6.32 backports for Lenny at time of writing (11th May 2010)
- http://zbla.net/debian/ Unofficial debian vserver packages. WARNING: the i386 packages are compiled for 64 bits! apt source line: deb http://zbla.net/debian/ ./ (N/A as of 2011/12/27)
Were can I get newer versions of VServer as ready made packages for Ubuntu?
- http://repo-ubuntu.psand.net/dists/ is the only repository maintained for Ubuntu. It covers the same builds as http://repo.psand.net/info/ - and information there should be used, replacing 'precise' as distro in your /etc/apt/source.list.
Misc
Why isn't there a device /dev/xyz within a guest?
I want to (re)mount a virtual filesystem (like tmpfs) in a running guest ... but the guest has no rights (capability) to (re)mount?
# vnamespace -e XID mount -t tmpfs -o remount,size=256m,mode=1777 none /var/lib/vservers/<guest>/tmp/
(if there's a problem, try expanding the symlinks in the mount path) Be warned that the guest will not recognize the change, as the /etc/mtab file is not updated when you mount like this. To permanently change the mount, edit /etc/vserver/<guest>/fstab on the host.
If you get:
mount: can't find /var/lib/vservers/<guest>/tmp in /etc/fstab or /etc/mtab
then try instead:
vnamespace -e builder chroot /var/lib/vservers/<guest>/ mount -o remount,size=64m,mode=1777 /tmp
How do I bind mount a host directory inside a running guest?
To understand the other way, let me explain how mount namespaces work.
Every guest has two mount namespaces associated with it: one "management namespace" and one "operational namespace".
On starting the guest, first the management namespace is created as a copy of the host namespace (which means that everything that was mounted on the host is mounted in the new namespace as well). This has unwelcome side effects: for example, if you had a cdrom mounted while starting the guest, you wouldn't be able to eject it until you stop the guest even if you umount it on the host, because it's still mounted in the guest. Therefore, the namespace is cleaned up: filesystems that are mounted outside the root of the guest get unmounted in the guest namespace.
Subsequently, the operational namespace of the guest is created as a copy of the management namespace, and the guest's processes are started in it.
To bind mount a host directory in the guest, you must first make that host directory visible in the management namespace of the guest. This is automatically the case if the directory resides inside a mountpoint that exists in the guest namespace as well; however, if the guest config referenced no part of this mountpoint (or it didn't yet exist when you started the guest), then the cleanup mentioned above removed it from the guest's management namespace and you need to re-add it.
Let's assume, as an example, that we want a guest to see a subdirectory, called foo, of the cdrom we just mounted on the host (e.g. under /media/cdrom).
Let's enter the management namespace of the guest (that's what -i 0 is for):
# vnamespace -i 0 -e <guest-xid> -- /bin/bash
Now you have access to all host devices; mount the device that contains your directory wherever you want, but you may prefer to mount it in the same location you used on the host. (Note, though, that it's not even necessary for the device to be mounted in the host namespace at all.)
It's likely best to use mount -n lest your host /etc/mtab get polluted with mounts from other namespaces.
    # mount -n /dev/sr0 /media/cdrom
    # exit
We're now back in the host namespace. vmount can now be used to bind mount /media/cdrom/foo inside a running guest (in this example, under /foo inside the vserver root):
# vmount guestname -- --bind /media/cdrom/foo /mnt/foo
How do I mount a device present on the host under a directory in a running guest?
vnamespace -e <guestname> mount -n /dev/<device> /vservers/<guest>/place/you/want/to/mount/it
This device can be unmounted with:
vnamespace -e <guestname> umount -n /vservers/<guest>/place/you/want/to/mount/it
Does anyone know how to increase the size of /tmp within a vserver w/o restarting?
# vnamespace -e XID mount -n -t tmpfs -o remount,size=32m tmpfs /<vdir>/<guest>/tmp
or something like that. The arguments are needed since mount is not going to be using /etc/fstab for the information and the version of /proc/mounts is best understood by
    # vnamespace -e XID cat /proc/mounts

See Frequently_Asked_Questions#I want to (re)mount a partition in a running guest ... but the guest has no rights (capability) to (re)mount?
#1 ERROR: capset(): Operation not permitted
How can I make 'vserver start' mount the root filesystem?
/dev/drbd0 / xfs rw,dev 0 0
I deleted a guest's directory without shutting it down. Now I have a "ghost" running. Is there any possibility to get it out of proc without rebooting?
You will also need to remove guest's ip, for example with:
ip addr del <ip> dev eth0
When using nice and su (for example, in the updatedb cron job), I get: su: Permission denied. What does it mean?
    $ strace nice su nobody
    [...]
    setpriority(PRIO_PROCESS, 0, 0) = -1 EACCES (Permission denied)
You can use 'su nobody -c nice some_cmd' instead.
The problem is caused by the host system setting limits for guests (when instructed to do so); the dropped capability disallows processes on guest systems from changing and increasing them later. That means no process on a guest can lower its nice value beyond the limit set by the host.
If the pam_limits module is activated on a guest system it will first try to reset nice value to 0 even if /etc/security/limits.conf file is empty or even if there are lower priority limits set in it. The pam_limits module does that since its developers decided that it should reset some limits to defaults and start from scratch when applying new restrictions. Unfortunately, already limited guest system won't be able to do it since resetting nice value to 0 means increasing the limit which is forbidden. See Debian Bug report logs - #311058 for more information about that Debian bug.
See also Cron is not working…
Cron is not working on my guest system (which is Debian). How can I fix it?
CRON[xxxxx]: Permission denied
Similar thing may happen with the su when trying to execute a command as root.
It's not the problem in Cron but in the pam_limits module on a guest system (see FAQ:When using nice and su… for more information about the cause).
There are 4 ways to solve or work-around this problem:
1. Allowing guests to reset resource limits:
It's a clean solution, but you may expect some guest processes to increase their limits, because not everything is controlled by PAM. It also breaks the centralized resource-limiting approach, so a guest can do bad things that may cause other guests and the host to become overloaded and unresponsive.
To apply it you have to add CAP_SYS_RESOURCE flag to /etc/vservers/<server name>/bcapabilities (2.6 kernels).
See Capabilities and Flags for more information.
2. Disabling pam_limits on a guest systems:
This workaround is easy and works fine when your guest systems aren't really multiuser but rather service boxes. It disables the setting of resource limits by PAM, so the limits can only be set globally for the whole guest (using rlimits or cgroups on the host) but never increased inside the guest system.
To apply it just enter the guest and edit the files listed below, commenting out any line containing pam_limits:
/etc/pam.d/su
/etc/pam.d/sudo
/etc/pam.d/cron
You can also use this one-liner on a guest:
/bin/sed --in-place -e "s/^\s\?session.*pam_limits.so.*/\#\0/g" /etc/pam.d/{su,sudo,cron}
3. Allowing guest's pam_limits to set limits when possible:
This workaround allows you to have a working pam_limits inside a guest system together with global limits set by the host system. What's the catch? The problematic PAM module won't fully work for the root user on a guest system as expected, and some PAM warnings may appear in the guest's auth.log. Since using pam_limits to limit regular user processes is far more frequent than using it to limit root processes, this solution may be a good compromise. It consists of setting proper limits in the pam_limits configuration and marking this PAM module as optional (instead of required). The latter change makes PAM continue with the session even if pam_limits encounters an error while setting limits (which usually applies to superuser sessions).
The not so nice news is that the guest's limits configuration may need to be kept up to date with the limits set globally for the guest. The limits set in the pam_limits configuration file(s) shouldn't be higher (lower, in the case of the nice value) than the guest's global limits.
To apply it, enter the guest and edit the files listed below, replacing occurrences of required by optional in the lines containing pam_limits:
/etc/pam.d/su
/etc/pam.d/sudo
/etc/pam.d/cron
For example:
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session optional pam_limits.so
Then on a guest system create the file /etc/security/limits.d/01-fixpam.conf containing:
* - priority X # replace X with your guest's nice value
You can automate this process to happen automagically for any guest by creating the startup script named /etc/vservers/.defaults/scripts/post-start.d/01-pamfix:
#!/bin/sh
# This script tries to fix pam_limits entries
# to make it possible for PAM in a guest system to
# set its own limits.
# Paths are relative: the script expects the guest root as its working directory.
PAM_DIR="etc/pam.d"
PAM_SERVICES="su sudo cron"
LIMITS_FILE="etc/security/limits.d/01-pamfix.conf"

# util-vserver passes the guest name as the second argument
vname="$2"
[ -z "$vname" ] && exit 0
vcfg=$( /usr/sbin/vserver-info "$vname" CFGDIR )
[ ! -d "$vcfg" ] && exit 0

# turn "session required pam_limits.so" into "session optional pam_limits.so"
for s in $PAM_SERVICES
do
    pamfile="${PAM_DIR#\/}/$s"
    [ -f "$pamfile" ] && /bin/sed --in-place -e "s/\(^\s\?session.*\)required\(.*pam_limits.so.*\)/\1optional\2/g" "$pamfile"
done

# mirror the guest's configured nice value into the guest's pam_limits config
[ ! -f "${vcfg}/nice" ] && exit 0
nval=$( /usr/bin/head -1 "${vcfg}/nice" )
[ -n "$nval" ] && echo "* - priority $nval # (added by vserver startup script)" > "${LIMITS_FILE#\/}"
exit 0
4. Disabling resource limits for a guest:
It's an easy, clean and… unsafe solution. You just have to not set resource limits (e.g. priority, nice value) for a guest, or set the nice value limit to 0 on the host system. Resetting it later by the guest's pam_limits will then not generate an error.
How do I handle NFS mounts within in a guest?
In any case, you probably want to force the nfs version to 3 or lower to avoid id mapping issues (one symptom of having an id mapping issue is that no_root_squash appears to be ignored). You can check whether the mount uses nfsv4 by looking at /proc/mounts inside the guest. You can force the protocol version to 3 by passing the mount options nfsvers=3,mountvers=3.
1) Mount the NFS share from the host OS and let the vserver guest access it as part of its file system.
mount --bind may also be beneficial in this scenario.
2) Use util-vserver and create a fstab.remote file in the /etc/vserver/<vserver_name> directory. Populate this with the NFS shares and they will be mounted in the context of the vserver guest.
See http://www.nongnu.org/util-vserver/doc/conf/configuration.html
Note that as of 0.30.216-pre3000 and kernel 3.0.4-vs2.3.1-pre10.1, the mount request will appear to originate from the IP of the host, not the guest. It is unclear (to Guy-) whether this is a bug.
3) Add capabilities to the vserver guest instance to grant sufficient rights to allow NFS mounts.
Add the following to /etc/vserver/<vserver_name>/bcapabilities
SYS_ADMIN
Add the following to /etc/vserver/<vserver_name>/ccapabilities
SECURE_MOUNT BINARY_MOUNT
See Capabilities_and_Flags for more information about vserver capabilities.
If you want the NFS shares to be mounted when the guest starts, add them to /etc/vserver/<vserver_name>/fstab.
4) Before starting the guest, make a directory of the host "shared" using mount --make-shared /path/to/dir, then set up autofs to mount nfs shares under /path/to/dir/sharename.
rbind mount subdirectories of /path/to/dir in the guest from its fstab.
This setup is good if the nfs shares are not often needed, and especially if they're occasionally needed by more than one guest. (As of September 2011, running autofs inside a vserver guest didn't work for me. --Guy- 01:05, 30 October 2011 (UTC))
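The answer above suggests checking /proc/mounts inside the guest to see whether a share ended up on NFSv4. The following is an added example, not code from the Linux-VServer wiki: a shell function that reads /proc/mounts-format lines from stdin and reports every NFS mount not pinned to version 3 or lower, so the check can be scripted (for instance over the output of vnamespace -e <guest> cat /proc/mounts). The sample lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the Linux-VServer wiki). Reads /proc/mounts-format
# lines on stdin and prints "device mountpoint vers=N" for each NFS mount whose
# protocol version is above 3. Typical use on the host:
#   vnamespace -e <guest> cat /proc/mounts | nfs_mounts_above_v3
nfs_mounts_above_v3() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '
        $3 == "nfs" || $3 == "nfs4" {
            ver = ($3 == "nfs4") ? 4 : 0          # fstype nfs4 is always v4.x
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                # an explicit vers= or nfsvers= option wins over the fstype default
                if (opts[i] ~ /^(nfs)?vers=/) {
                    sub(/^[a-z]*=/, "", opts[i])
                    ver = opts[i] + 0
                }
            }
            if (ver == 0) ver = 3                  # plain "nfs" without vers=: v2/v3
            if (ver > 3) printf "%s %s vers=%s\n", $1, $2, ver
        }'
}
```

The function only flags mounts; the fix remains the one given above, passing nfsvers=3,mountvers=3 in the mount options (or in the guest's fstab.remote).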
vserver start/stop/enter fails with something like "vnamespace: execvp("/usr/sbin/vserver"): No such file or directory" ?
vnamespace -e <guest> cat /proc/mounts
If there is no /usr, you can fix your problem by simply mounting it using the following command:
vnamespace -e <guest> mount /dev/<device> /usr
The command vserver <$server> start gives '/etc/init.d/rc: line 74: /etc/default/rcS: No such file or directory', what do I do?
Check your install log; it should tell you that your guest did not get installed properly.
- Use a stable Debian distribution for the guest (debootstrap may differ between versions).
- deny_mount, deny_caps and deny_pivot should be off if you're running grsec.
How could I rename a vserver directory?
- Stop the vserver in question
- rename the /vservers/<server name> directory
- rename the /etc/vservers/<server name> directory
- update link: /etc/vservers/<server name>/run → /var/run/vservers/<server name>
- update link: /etc/vservers/<server name>/vdir → /etc/vservers/.defaults/vdirbase/<server name>
- update link: /etc/vservers/<server name>/cache → /etc/vservers/.defaults/cachebase/<server name>
- update link: /var/run/vservers.rev/<server XID> → /etc/vservers/<server name>
- Start the vserver in question. It should start properly.
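The rename steps above, carried out as one script. This is an added example, not a tool shipped with util-vserver: the base directories are variables (defaulting to the usual /vservers, /etc/vservers, /var/run/vservers and /var/run/vservers.rev paths) so the function can be exercised against a scratch tree, and the running-guest check uses the vserver <name> running subcommand only where that command is available.

```shell
#!/bin/sh
# Added example (not part of the Linux-VServer wiki or util-vserver).
# rename_vserver OLD NEW renames a stopped guest following the FAQ steps:
# move the guest root and the config directory, then repoint the run, vdir,
# cache and reverse-XID links. The bases are variables so the function can be
# run against a constructed directory tree instead of a real host.
VDIR_BASE="${VDIR_BASE:-/vservers}"
CONF_BASE="${CONF_BASE:-/etc/vservers}"
RUN_BASE="${RUN_BASE:-/var/run/vservers}"
REV_BASE="${REV_BASE:-/var/run/vservers.rev}"

# relink TARGET LINK: replace LINK with a symlink to TARGET (TARGET may not exist yet,
# e.g. the run file is only created while the guest runs)
relink() {
    rm -f "$2" && ln -s "$1" "$2"
}

rename_vserver() {
    old="$1"; new="$2"
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "usage: rename_vserver OLD NEW" >&2; return 2
    fi
    if [ ! -d "$CONF_BASE/$old" ]; then
        echo "no configuration directory for '$old'" >&2; return 1
    fi
    if [ -e "$CONF_BASE/$new" ] || [ -e "$VDIR_BASE/$new" ]; then
        echo "'$new' already exists" >&2; return 1
    fi
    # refuse to touch a running guest (skipped where util-vserver is not installed)
    if command -v vserver >/dev/null 2>&1 && vserver "$old" running >/dev/null 2>&1; then
        echo "'$old' is running; stop it first" >&2; return 1
    fi

    mv "$VDIR_BASE/$old" "$VDIR_BASE/$new" || return 1
    mv "$CONF_BASE/$old" "$CONF_BASE/$new" || return 1

    # the three per-guest links inside the config directory
    relink "$RUN_BASE/$new"                      "$CONF_BASE/$new/run"
    relink "$CONF_BASE/.defaults/vdirbase/$new"  "$CONF_BASE/$new/vdir"
    relink "$CONF_BASE/.defaults/cachebase/$new" "$CONF_BASE/$new/cache"

    # reverse map from the static context id back to the config directory
    if [ -f "$CONF_BASE/$new/context" ]; then
        xid=$(head -1 "$CONF_BASE/$new/context")
        [ -n "$xid" ] && relink "$CONF_BASE/$new" "$REV_BASE/$xid"
    fi
    return 0
}
```

Run it as root on the host after vserver <old> stop; the guest can then be started under its new name. Guests without a static context file get no reverse link, matching the case where /var/run/vservers.rev/<XID> never existed.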
What if I see my vserver in vserver-stat but with no name?
Just do: cat /etc/vservers/<guest>/context > /var/run/vservers/<guest>
Check that <guest> is the right one by using vuname --get --xid <context> with the context you have in the vserver-stat listing.
Upgrade from 2.0 to 2.2
I now get errors like "ncontext: vc_net_create(): Invalid argument; dynamic contexts disabled." on startup. Vservers are not started
echo 101 > /etc/vservers/myvserv/context
ADDENDUM: please consider that valid static contexts are between 2 and 49151 (daniel_hozac on IRC); otherwise you will end up with the unexplainable error "ncontext: vc_net_migrate(): No such process" when trying to start the vserver.
How do I assign a static context to an existing vserver?
Since upgrading to a newer VS version my guest complains about "vsched: non-numeric value specified for '--priority_bias" at start time. What's wrong?
# cat /usr/local/sbin/vserver-convert-schedule-to-scheddir
#!/bin/sh
# Converts the old single-file "schedule" (one value per line) into the
# per-value files of the newer sched/ directory layout.
mkdir /etc/vservers/$1/sched
sed -e 1p -n /etc/vservers/$1/schedule > /etc/vservers/$1/sched/fill-rate
sed -e 2p -n /etc/vservers/$1/schedule > /etc/vservers/$1/sched/interval
sed -e 3p -n /etc/vservers/$1/schedule > /etc/vservers/$1/sched/tokens
sed -e 4p -n /etc/vservers/$1/schedule > /etc/vservers/$1/sched/tokens-min
sed -e 5p -n /etc/vservers/$1/schedule > /etc/vservers/$1/sched/tokens-max
mv /etc/vservers/$1/schedule /etc/vservers/$1/schedule.converted.see.scheddir
# see: http://oldwiki.linux-vserver.org/Scheduler+Parameters
# see: http://www.nongnu.org/util-vserver/doc/conf/configuration.html#sched
Here is an example how to do so:
# mkdir /etc/vservers/<vserver>/sysctl/0 -p
# echo kernel.shmall > /etc/vservers/<vserver>/sysctl/0/setting
# echo 134217728 > /etc/vservers/<vserver>/sysctl/0/value
# mkdir /etc/vservers/<vserver>/sysctl/1 -p
# echo kernel.shmmax > /etc/vservers/<vserver>/sysctl/1/setting
# echo 134217728 > /etc/vservers/<vserver>/sysctl/1/value
It's also explained on the great flower page:
- see: http://www.nongnu.org/util-vserver/doc/conf/configuration.html -> Look for "sysctl".
After changing those values, restart your guest, enter it and check if the values are set:
# sysctl -a | grep shm
...
kernel.shmall = 134217728
kernel.shmmax = 134217728
To change a value for a running guest, on the host use:
vspace -e CONTEXTID --ipc sysctl -w kernel.shmall=134217728
vspace -e CONTEXTID --ipc sysctl -w kernel.shmmax=134217728
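The numbered sysctl/<N>/setting and sysctl/<N>/value layout shown above is easy to get wrong by hand (two slots for the same key, or a gap in the numbering). The following is an added example, not a util-vserver tool: a shell function that takes key=value pairs, updates an existing slot when the key is already configured, and otherwise allocates the lowest free index. CONF_BASE is a variable (defaulting to /etc/vservers) so the function can be run against a scratch directory.

```shell
#!/bin/sh
# Added example (not part of the Linux-VServer wiki or util-vserver).
# guest_sysctl_set GUEST key=value [key=value ...] writes the
# /etc/vservers/<guest>/sysctl/<N>/{setting,value} files; CONF_BASE can be
# pointed at a constructed directory tree for testing.
CONF_BASE="${CONF_BASE:-/etc/vservers}"

guest_sysctl_set() {
    guest="$1"; shift
    base="$CONF_BASE/$guest/sysctl"
    mkdir -p "$base" || return 1
    for pair in "$@"; do
        key="${pair%%=*}"; val="${pair#*=}"
        if [ -z "$key" ] || [ "$key" = "$pair" ]; then
            echo "bad argument '$pair' (expected key=value)" >&2; return 2
        fi
        # reuse the slot that already holds this key, if any
        slot=""
        for d in "$base"/*/; do
            [ -f "$d/setting" ] || continue
            if [ "$(cat "$d/setting")" = "$key" ]; then slot="${d%/}"; break; fi
        done
        # otherwise allocate the lowest unused index
        if [ -z "$slot" ]; then
            i=0
            while [ -e "$base/$i" ]; do i=$((i + 1)); done
            slot="$base/$i"
            mkdir "$slot" || return 1
        fi
        printf '%s\n' "$key" > "$slot/setting"
        printf '%s\n' "$val" > "$slot/value"
    done
}

# guest_sysctl_get GUEST key: print the configured value; non-zero status if absent
guest_sysctl_get() {
    for d in "$CONF_BASE/$1/sysctl"/*/; do
        [ -f "$d/setting" ] || continue
        if [ "$(cat "$d/setting")" = "$2" ]; then cat "$d/value"; return 0; fi
    done
    return 1
}
```

As the answer says, the files are read at guest start, so after guest_sysctl_set either restart the guest or apply the same values to the running guest with vspace -e CONTEXTID --ipc sysctl -w.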