Frequently Asked Questions
From Linux-VServer
CURRENTLY THE CONTENT OF THE OLD WIKI FAQ (AND MORE) IS BEING MIGRATED TO THIS PAGE (TASK: DERJOHN)
What is a 'Guest'?
What kind of Operating System (OS) can I run as guest?
Which distributions did you test?
Is VServer comparable to XEN/UML/QEMU?
Is VServer secure?
Performance?
Is SMP Supported?
Resource sharing?
- memory: Dynamically.
- CPU usage: Dynamically (token bucket)
Resource limiting?
Disk I/O limiting? Is that possible?
# cat /sys/block/hdc/queue/scheduler
noop [anticipatory] deadline cfq
The default is anticipatory a.k.a. "AS". When running several guests on a host you probably want the I/O performance shared in a fair way among the different guests. The kernel comes with a "completely fair queueing" scheduler, CFQ, which can do that. (More on schedulers can be found at http://lwn.net/Articles/114770/)
This is how to set the scheduler to "cfq" manually:
root# echo "cfq" > /sys/block/hdc/queue/scheduler
root# cat /sys/block/hdc/queue/scheduler
noop anticipatory deadline [cfq]
Keep in mind that you have to do it on all physical discs. So if you run an md-softraid, do it to all physical /dev/hdXYZ discs!
If you run Debian there is a predefined way to set the /sys values at boot-time:
# apt-get install sysfsutils
[...]
# cat /etc/sysfs.conf | grep cfq
block/sda/queue/scheduler = cfq
block/sdc/queue/scheduler = cfq
# /etc/init.d/sysfsutils restart
For non-vserver processes and CFQ you can set by which key the kernel decides about the fairness:
cat /sys/block/hdc/queue/iosched/key_type
pgid [tgid] uid gid
Hint: The 'key_type'-feature has been removed in the mainline kernel recently. Don't look for it any longer :(
The default is tgid, which means to share fairly among process groups. Think of every guest as being treated like its own process group. It's not possible to set a scheduler strategy within a guest. All processes belonging to the same guest are treated like "noop" within the guest. So: if you run Apache and some FTP server within the _same_ guest, there is no fair scheduling between them, but there is fair scheduling between the whole guest and all other guests.
And: It's possible to tune the scheduler parameters in several ways. Have a look at /sys/block/hdc/queue/....
You need a very recent version of VS devel; e.g. 2.1.1-rc18 can do it. Some older versions had that feature too, then it got lost and was reinvented. So: go and get an rc18 - only in 'devel', not stable!
Why isn't there a device /dev/bla? within a guest
What is Unification (vunify)?
What is vhashify?
How do I manage a multi-guest setup with vhashify?
mkdir -p /etc/vservers/.defaults/apps/vunify/hash /vservers/.hash
ln -s /vservers/.hash /etc/vservers/.defaults/apps/vunify/hash/root
Then, do this one line per vserver:
mkdir /etc/vservers/<vservername>/apps/vunify # vhashify reuses vunify configuration
With which VS version should I begin?
Is there a way to implement "user/group quota" per VServer?
What about "Quota" for a context?
Does it support IPv6?
I can't do all I want with the network interfaces inside the guest?
Is there a web-based interface for vserver that will allow creation/deletion/configuration etc. of vserver guests?
What is old-style and new-style config?
What is the "great flower page"?
How do I add several IPs to a vserver?
Here is a little helper-script that adds a list of IPs defined in a text file, one per line.
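#!/bin/bash
# Create one numbered interface directory (2, 3, ...) per IP listed in myiplist.
j=1
while read -r i; do
    [ -n "$i" ] || continue    # skip empty lines
    j=$((j+1))
    mkdir "$j"
    echo "$i" > "$j/ip"
    echo "$i" > "$j/ip-old"
    echo "24" > "$j/prefix"
done < myiplist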
If my host has only a single public IP, can I use RFC1918 IPs (e.g. 192.168.foo.bar) for the guest vservers?
iptables -t nat -I POSTROUTING -s $VSERVER_NETZ ! -d $VSERVER_NETZ -j SNAT --to $EXT_IP
See: HowtoPrivateNetworking and
http://www.tgunkel.de/it/software/doc/linux_server#h3-Vserver_Masquerading_SNAT (THX, [MUPPETS]Gonzo)
If I shut down my vserver guest, the whole Internet interface ethX on the host is shut down. What happened?
On Debian Sarge (stable) only util-vserver 0.30-204 is available, which has been reported to be buggy (I didn't check the version for a longer time). How do I compile a local version of alpha util-vserver .210 on Debian?
apt-get build-dep util-vserver
./configure --prefix=/usr/local/ --enable-release \
    --mandir=/usr/local/share/man \
    --infodir=/usr/local/share/info \
    --sysconfdir=/etc --enable-dietlibc \
    --localstatedir=/var \
    --with-vrootdir=/var/lib/vservers
make
make install-distribution
(Which does a make install + setting a symlink ln -s /usr/local/lib/util-vserver/vshelper /sbin/vshelper )
To test which version you are running:
# which vserver
/usr/local/sbin/vserver
This should point to ..local...
I use derjohn's kernel or a different kernel with a more-than-16-IPs-per-guest-patch and can't use more than 16 IPs. Why?
A: You need to patch util-vserver, too. So you obviously need to recompile util-vserver (see above). In the util-vserver directory there are header files in the ./kernel/ directory. Patch like this:
kernel/network.h:#define NB_IPV4ROOT 64
BTW: The initial patches can be found here: http://vserver.13thfloor.at/Experimental/VARIOUS/util-vserver-0.30.196-net64.diff.bz2 and http://vserver.13thfloor.at/Experimental/VARIOUS/delta-2.6.9-vs1.9.3-net64.diff
I run a Debian host and want to build an Ubuntu guest. Howto?
vserver vubuntu build --force -m debootstrap --hostname vubuntu.myvservers.net --netdev eth0 --interface 192.168.0.2/24 \
    --context 42 -- -d breezy -m http://de.archive.ubuntu.com/ubuntu
[UPDATE] Currently there are problems in building breezy under unclear circumstances, which seem to have to do with udev. If the above didn't work, try:
vserver vubuntu build --force -m debootstrap --hostname vubuntu.myvservers.net --netdev eth0 --interface 192.168.0.2/24 \
    --context 42 -- -d breezy -m http://de.archive.ubuntu.com/ubuntu -- --exclude=udev
In very recent versions of the utils, the problem should not occur anymore (it has to do with the 'secure-mount' if you look in the MLs)
Well, sid's debootstrap knows how to bootstrap Ubuntu linux. Make sure to have a current debootstrap package:
apt-get update
apt-get install debootstrap
The knowledge how to build ubuntu 'breezy badger' (which you probably want to be your guest at the time of writing) has been added recently.
How do I make a vserver guest start by default?
echo "default" > /etc/vservers/derjohn/apps/init/mark
If you want to start it earlier, please read the init script "/etc/init.d/vserver-default" to find out how to do it. In most cases you don't need to change this. On Debian the vservers are started at "90", so after most other stuff is up (networking etc.).
Besides that I created a small helper script for managing the autostart foo: ((vserver-autostart))
My host works, but when I start a guest it says that it has a problem with chbind.
When I try to ssh to the guest, I log into the host, even if I installed sshd on the guest. What's wrong here?
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
And now change the setting to
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
# (the host's IP, not the guest's IP!)
ListenAddress your.hosts.ip.here
Then '/etc/init.d/ssh restart' on the host, after that on the guest (if you did apt-get install ssh on the guest already.)
Do I have to explain more? The host's sshd binds all available IP addresses on port 22 (the host 'sees' even all addresses of the guests!). So if the guest starts its sshd, it can't bind to port 22 any more. You need to change that setting only on the host.
(BTW: A similar approach has to be done for a lot of daemons, e.g. Apache. If the daemon does not support an explicit bind, you may use the chbind command to 'hide' IP addresses from the daemon before starting.)
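A host-side check for the binding problem described above, as an added example that is not part of the original FAQ: it reads `ss -ltn` output and lists sockets bound to a wildcard address, which also occupy the guests' IPs. The function names, the host IP 192.168.0.1 and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find host daemons that listen on every address and therefore
# also occupy the guests' IPs. Input is `ss -ltn` output; sample data is constructed.

# Print "port address" for each listening socket bound to a wildcard address.
wildcard_listeners() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print port, addr
    }'
}

# Succeed only if PORT listens on IP and on no wildcard address.
port_pinned() {
    port="$1"; ip="$2"; input=$(cat)
    if printf '%s\n' "$input" | wildcard_listeners | grep -q "^$port "; then
        return 1
    fi
    printf '%s\n' "$input" |
        awk -v want="$ip:$port" '$1 == "LISTEN" && $4 == want { ok = 1 } END { exit !ok }'
}

# Constructed sample: host sshd still on the default (commented-out ListenAddress).
sample_before() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      128      192.168.0.1:80        0.0.0.0:*
EOF
}

# Constructed sample: after setting ListenAddress to the host IP (192.168.0.1 here).
sample_after() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128      192.168.0.1:22        0.0.0.0:*
LISTEN 0      128      192.168.0.1:80        0.0.0.0:*
EOF
}

# On a real host: ss -ltn | wildcard_listeners
```

Any line it prints on the host names a port that a guest daemon will not be able to bind.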
I did everything right, but the application foo does not start. What's up there?
Bind9 does not like to start in my guest.
((ProblematicPrograms)) and/or get my vserver-guest-ready Debian package for Debian Sid guests from that URL: http://linux-vserver.derjohn.de/bind9-packages/bind9-capacheck_9.3.2-2_i386.deb and check out the readme. (Hint: This is fresh stuff. Then give me feedback.)
[UPDATE] Since VServer Devel 2.1.1-rc18 you do not need to patch the userland tools anymore. The capabilities are masked.
Which guest vservers are running?
CTX    PROC    VSZ     RSS     userTIME  sysTIME   UPTIME   NAME
0      77      965.1M  334.6M  14m14s18  2m28s69   1h33m46  root server
49152  7       14M     5.2M    0m00s40   0m00s30   1h30m15  chiffon
How can I reboot/halt guests?
For vserver with legacy-interfaces support, you have to replace /sbin/halt in guests with vreboot and start rebootmgr in host. You also need to have a dummy <guest>.conf file in /etc/vservers for each guest. Please have a look at /etc/init.d/rebootmgr.
Vserver with native interface utilizes /dev/initctl. No changes are needed in guests. Just make sure that REBOOT capability is adjusted in guests.
Do I really need the legacy-interfaces? What are these legacy-interfaces?
I have a vserver running on a Linux kernel with preemption. Is VServer "preempt" safe?
Is this a new project? When was it started?
Can I run an OpenVPN Server in a guest?
First of all you have to prepare the host with a persistent tuntap interface in tap-mode. The tools we need come from the uml-utilities. Then you need to create a device /dev/net/tun, which the OpenVPN userspace daemon reads. We'll assume 10.10.10.100 is the server IP, and 10.10.10.101 is the client IP - to be cool we choose a /31 netmask (255.255.255.254), so we have a net without broadcast and don't waste IPs :)
On the host do:
# apt-get install uml-utilities
# cd /var/lib/vserver/<myopenvpnserver>/dev/
# ./MAKEDEV tun
(creates the dev/net/tun device accessible by the guest - even a tap interface needs /dev/net/tun !)
# tunctl -t tap0
(creates the network device 'tap0' persistently)
Then add the ip to the guest:
# cat /etc/vservers/<myopenvpnserver>/interfaces/1/ip
10.10.10.100
# cat /etc/vservers/<myopenvpnserver>/interfaces/1/prefix
31
# cat /etc/vservers/<myopenvpnserver>/interfaces/1/dev
tap0
(This kind of config brings the ip when the vserver is started - only the tap0 interface has to exist already, see above!)
Here is a sample config for the guest (which is acting as a server):
Install OpenVPN package on server and client, in the Debian case:
# apt-get install openvpn
The server's conf looks like that:
# port and interface specs
# behave like a ssl-webserver
port 443
proto tcp-server
# tap device? (keep in mind you need /dev/net/tun !)
dev tap0
# now the ips we will use for the tunnel
ifconfig 10.10.10.100 255.255.255.254
ifconfig-noexec
# the server part
# Keep VPN connections, even if the client IP changes
float
# use compression (may also even obfuscate content filters)
comp-lzo
# use a static key - create it with 'openvpn --genkey --secret static.key'
secret static.key
# don't reload the key after a SIGUSR1
persist-key
# check alive all 10 secs
keepalive 10 60
# verbosity level (from 1 to 9, 9 is max log level)
verb 4
status openvpn-status.log
The client's conf may look like that (this example even makes the tunnel the client's default route):
# cat /etc/openvpn/client.conf
# port and interface specs
# the following is not necessary, if you bring up openvpn via Debian's init script:
daemon ovpn-my-clients-name
# behave like a ssl-webserver
port 443
proto tcp-client
remote %%%<insert-the-guest-primary-public-ip-here>%%%%
# what device tun or tap?
dev tap
# now the ips we will use for the tunnel
ifconfig 10.10.10.101 255.255.255.254
# Keep VPN connections, even if the client IP changes
float
mssfix
# use compression (may also even obfuscate content filters)
comp-lzo
# use a static key
secret static.key
# don't reload the key after a SIGUSR1
persist-key
# check alive all 10 secs
keepalive 10 60
# verbosity level (from 1 to 9, 9 is max log level)
verb 4
# set the default route
route-gateway 10.10.10.100
redirect-gateway def1
# to add special routes you can do it within the openvpn client conf:
# route <dest> <mask> <gateway>
# if you need to connect via proxy (like squid)
# http-proxy s p [up] [auth] : Connect to remote host through an HTTP proxy at
#                  address s and port p. If proxy authentication is required,
#                  up is a file containing username/password on 2 lines, or
#                  'stdin' to prompt from console. Add auth='ntlm' if
#                  the proxy requires NTLM authentication.
# http-proxy s p [up] [auth]
# http-proxy-option type [parm] : Set extended HTTP proxy options.
#                  Repeat to set multiple options.
#                  VERSION version (default=1.0)
#                  AGENT user-agent
# http-proxy-option type [parm]
In the next lesson I will talk about OpenVPN's server mode, which can deal with multiple clients connecting to one IP and one port (i.e. you only need one guest for tons of 'roadwarriors'), TLS connections and PKI.
Contributions welcome. :)
32 vs 64 Bit? What should I take?
[*] Kernel support for ELF binaries
<M> Kernel support for MISC binaries
[*] IA32 Emulation <---- without that, the entire 32bit API is not present
<M> IA32 a.out support
You can force the guest to behave like a 32-bit environment like this:
echo linux_32bit > /etc/vservers/$NAME/personality
echo i686 > /etc/vservers/$NAME/uts/machine
(thanks cehteh for the hint!)
But you can force debootstrap to put 32-bit binaries into the guest by 'export ARCH=i386';
export ARCH=i386 ; vserver build ....
I want to (re)mount a partition in a running guest ... but the guest has no rights (capability) to (re)mount?
# vnamespace -e XID mount -t tmpfs -o remount,size=256m,mode=1777 none /var/lib/vservers/<guest>/tmp/
Be warned that the guest will not recognize the change, as the /etc/mtab file is not updated when you mount like this. To permanently change the mount, edit /etc/vservers/<guest>/fstab on the host.
How do I limit a guests RAM? I want to prevent OOM situations on the host!
If you want a recipe, do that:
1. Check the size of memory pages. On x86 and x86_64 it is usually 4 KB per page.
2. Create /etc/vservers/<guest>/rlimits/
3. Check your physical memory size on the host, e.g. with "free -m". maxram = kilobytes/pagesize.
4. Limit the guest's physical RAM to a value smaller than maxram:
echo %%insertYourPagesHereSmallerThanMaxram%% > /etc/vservers/<guest>/rlimits/rss
5. Check your swapspace, e.g. with 'swapon -s'. maxswap = swapkilobytes/pagesize.
6. Limit the guest's maximum number of as pages to a value smaller than (maxram+maxswap):
echo %%desiredvalue%% > /etc/vservers/<guest>/rlimits/as
It should be clear this can still lead to OOM situations. Example: You have two guests and your as limit per guest is greater than 50% of (maxram+maxswap). If both guests request their maximum at the same point in time, there will not be enough memory ...
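The recipe above as a script, as an added example that is not part of the original FAQ. It goes one step beyond the recipe by dividing the budget by the number of guests, so that all as limits together stay below maxram+maxswap and the two-guest case described above cannot occur; the function names, the 20% share kept back for the host and the argument layout are assumptions.

```shell
#!/bin/sh
# Added example: derive per-guest rss/as limits (in pages) from meminfo-style input.
# Function names and the default host reserve are illustrative assumptions.

# kb_of FIELD FILE: print the kB value of a /proc/meminfo field.
kb_of() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# guest_limits MEMINFO PAGESIZE_BYTES NGUESTS [HOST_RESERVE_PERCENT]
# Prints "rss_pages as_pages" for ONE guest, sized so that NGUESTS guests
# together stay below RAM (rss) and RAM+swap (as) minus the host reserve.
guest_limits() {
    local meminfo="$1" pagesize="$2" nguests="$3" reserve="${4:-20}"
    local ram_kb swap_kb page_kb maxram maxswap usable
    ram_kb=$(kb_of MemTotal "$meminfo")
    swap_kb=$(kb_of SwapTotal "$meminfo")
    page_kb=$((pagesize / 1024))
    [ "$page_kb" -gt 0 ] && [ "$nguests" -gt 0 ] || return 1
    maxram=$((ram_kb / page_kb))      # step 3: maxram = kilobytes/pagesize
    maxswap=$((swap_kb / page_kb))    # step 5: maxswap = swapkilobytes/pagesize
    usable=$((100 - reserve))
    echo "$((maxram * usable / 100 / nguests)) $(((maxram + maxswap) * usable / 100 / nguests))"
}

# write_limits GUEST_CONFIG_DIR RSS_PAGES AS_PAGES (steps 2, 4 and 6)
write_limits() {
    mkdir -p "$1/rlimits" || return 1
    echo "$2" > "$1/rlimits/rss"
    echo "$3" > "$1/rlimits/as"
}

# On a real host with two guests:
#   set -- $(guest_limits /proc/meminfo "$(getconf PAGESIZE)" 2)
#   write_limits "<guest config dir>" "$1" "$2"
```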
Where can I get newer versions of VServer as ready made packages for Debian?
Can I use iptables ?
Trying to connect to a vserver from the master or another vserver on the same host fails with
- strace shows:
sin_addr=inet_addr("xx.xx.xx.xx")}, yy) = -1 EINVAL (Invalid argument)
- check all netmasks on all interfaces (do they overlap?)
- check policy routing (disable it temporarily)
- check that lo is up (networking within a host/vserver always uses the lo interface)