Re: Vserver / was 100MB
On Fri, 2002-02-15 at 03:31, firstname.lastname@example.org wrote:
> Hi Kevin,
> Quoting Kevin Littlejohn <email@example.com>:
> > "debbootstrap" package -
> > I used it to build a fake server environment for a vserver
> > - using http://www.solucorp.qc.ca/miscprj/s_context.hc
> What, no screaming and shouting on the list?
> Vserver looks really interesting.
> Did you install it on a Debian box?
> Does it work as well as the info would imply?
I've got it installed on a debian system, yes - running woody, with
about 10 vservers set up. It's not the most efficient, or the best,
setup at this stage:
As I said above, debbootstrap, and I'm using mount --bind to remount
/home inside each vse, /proc gets mounted the same way, as does
/var/cache/apt. To dodge having to deal with stupid problems with
upgrading packages in one vse and not another, I've simply made separate
vse's, rather than try and hardlink files between them - that means
memory usage is higher than it should be (all those shared libs are no
longer as shared), but as I say, it stops other headaches.
We've split based on service, rather than on user, so far - so there's
one vse for ftp, one for ldap, one for the databases, etc. We've got a
number set aside for end users, as we do things like Zope hosting, and I
want to give people their own server.
Oh, we also have /bin, /lib, /sbin, /etc, and the /usr and /usr/local
equivalents chattr -R +i'ed - inside a vse you cannot change the immutable
flag, so it suddenly becomes _really_ useful.
If someone breaks into a vse, they'll be able to get to the user's
files, they'll not be able to touch any of the system files, and they'll
not be able to subvert any other services. We can simply shuffle the
service in question to another brand new vse, and put the broken one
aside for investigation.
It works, is about all I can say ;) Theoretically, we could install
redhat in a vse on the debian box, or run potato in one, woody in
another, or whatever. Latest version of the patch even lets you run one
init per vse, which would be nice.
We're using ldap for user auth, btw, which means I can list allowed
services in ldap, and lock /etc/pam_ldap.conf down in each vse to
filtering for a specific allowed service. Keeps users central - you
could combine that with using /etc/passwd in certain vse's, if you
wanted to give users complete control over their own environment.
Given how well it's worked, we're looking at rolling it out to our other
Internet techie Obsidian Consulting Group
Phone: +613 9653 9364 Fax: +613 9354 2681
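The bind-mount and chattr +i layout described in the message above, turned into a small audit script (an added example, not code from the thread or from the vserver project). It reads snapshots of /proc/mounts and of `lsattr -d` output rather than the live system, so it runs without root; the vserver root /vservers/ftp and the snapshot contents are constructed sample data.

```shell
#!/bin/sh
# Audit a vserver root for the layout described above: /home, /proc and
# /var/cache/apt mounted inside it, and the system directories made
# immutable with chattr -R +i. Works on text snapshots, so it needs no root:
# pass a copy of /proc/mounts and `lsattr -d` output for the root's dirs.

BIND_DIRS="/home /proc /var/cache/apt"
IMMUTABLE_DIRS="/bin /lib /sbin /etc /usr /usr/local"

# audit_vserver ROOT MOUNTS_FILE LSATTR_FILE
# Prints "missing-bind <dir>" or "mutable <dir>" per problem; returns 0
# (and prints nothing) when the root matches the expected layout.
audit_vserver() {
    root=$1; mounts=$2; attrs=$3; rc=0
    for d in $BIND_DIRS; do
        # /proc/mounts lines: "<src> <mountpoint> <fstype> <opts> 0 0"
        awk -v mp="$root$d" '$2 == mp { ok = 1 } END { exit !ok }' "$mounts" \
            || { echo "missing-bind $d"; rc=1; }
    done
    for d in $IMMUTABLE_DIRS; do
        # lsattr -d lines: "<flags> <path>"; 'i' in the flags means immutable
        awk -v p="$root$d" '$2 == p && index($1, "i") { ok = 1 } END { exit !ok }' "$attrs" \
            || { echo "mutable $d"; rc=1; }
    done
    return $rc
}

# Constructed sample snapshots for a vserver rooted at /vservers/ftp where
# /var/cache/apt was never bind-mounted and /etc lost its immutable flag.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda1 /vservers/ftp/home ext3 rw 0 0
proc /vservers/ftp/proc proc rw 0 0
EOF
SAMPLE_ATTRS=$(mktemp)
cat > "$SAMPLE_ATTRS" <<'EOF'
----i-------- /vservers/ftp/bin
----i-------- /vservers/ftp/lib
----i-------- /vservers/ftp/sbin
------------- /vservers/ftp/etc
----i-------- /vservers/ftp/usr
----i-------- /vservers/ftp/usr/local
EOF

if audit_vserver /vservers/ftp "$SAMPLE_MOUNTS" "$SAMPLE_ATTRS"; then
    echo "vserver root matches the expected layout"
fi
```

On a real host you would feed it `/proc/mounts` directly and the output of `lsattr -d` over the listed directories under each vserver root.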