From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Wed 28 Nov 2001 - 13:44:09 GMT
1.1. /usr/sbin/vserver enhancements
The utility now handles the following enhancements in the vserver
This setting defines ulimit settings passed to the vserver when it
This contains a set of capability available to vserver. For
example, if you want a vserver to be able to do some pings, put the
CAP_NET_RAW capability there.
When starting a vserver, the /var/run directory was not cleared. In
some situation, the various startup script were failing because a
bogus PID file was left there from a previous run.
1.2. chcontext: --cap option
The --cap option was added to help configure capabilities. The
--secure option was too restrictive. --secure is used to remove
critical capabilities and --cap is used to invert the effect by adding
back some capabilities. This is used by the /usr/sbin/vserver front-
end to handle the new S_CAPS /etc/vservers/*.conf configuration files.
1.3. chcontext: new --flag values
Two new flags are now handled by chcontext (and reducecap). Those
flags are nproc and private. The nproc flag establish a hard limit on
the number of processes run-able in a virtual server. It makes the
original ulimit (-u) setting global to the vserver instead of just per
The private flag is a little weird. Once a security context has this
flag set, it is not possible to join it. Even root in the root server
with all capabilities is not allowed. This makes the virtual server
fairly private. Security context 1 can still see which processes are
executing in the vserver, but can't interfere.
A new kernel is available as well. The changes are minimal this time
(the old vserver utilities are still compatible). Here they are:
+ ext3 file system
Since ext3 is now part of 2.4.16, it has been modified to support
the IMMUTABLE_LINKAGE feature.
+ ext3,ext2 and reiserfs are compiled (not as module) so they can be
easily used as root file system.
+ The nproc and private security context flag have been added. nproc
is especially useful to limit the total number of process in a
vserver. Fork bomb are not possible anymore.
+ A little bug fix. It was possible to produce a oops with the
new_s_context system call, when called by a non root user in the
I am also supplying the patch against 2.4.13 (without the ext3
stuff) for those who wants it.
1.5. The vservers service
This sysv init script is used to start and stop all virtual private
server. It only starts the vservers with the ONBOOT flag set to yes.
It used to only end vservers with ONBOOT=yes as well. This was not
really helpful. So now it starts the vservers with ONBOOT=yes, but
stops any vservers.
1.6. vserver-stat: new utility
The /usr/sbin/vserver-stat was contributed by Guillaum Dallaire. It
produces a report showing a summary of the different vservers. You see
the number of process per vservers for example.
2. Bug fixes
2.1. chbind: identifying network device
chbind had a bad habit of probing the kernel for any value of the --ip
command line option. Even if it was not a network device at all. This
was triggering error message from modprobe. It now checks in
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!