From: Cathy Sarisky (cathy_at_acornhosting.net)
Date: Sun 15 Dec 2002 - 23:42:22 GMT
On Sun, 15 Dec 2002, Adam H. Pendleton wrote:
> I am about to replace the rh7.3-minimal file with a list of packages of my
> own choosing, composed of the packages installed by RedHat when using the
> categories I select at install time (Print Support, etc.). In other words,
> this file will contain all the packages that are installed in the root
> system. The reason for this is that I need each vserver to appear as
> identical to the "master" server as possible, in terms of utilities,
> programs, packages, etc.
You could use "vserver nameofserver build" for this. That'll get you all
the packages in the root server, complete with unification where disk
> My question is: are there any of these packages that I should NOT
> include in this list? I am assuming that because vserver is really just
> about changing the context of processes, that changes to the kernel,
> through means such as iptables, will affect all vservers? Does that
> mean I should avoid installing the ipchains/iptables packages, because I
> do not want users of this vserver to be able to inadvertently change the
> firewall configuration of any other vserver? Is this sort of behavior
> protected by vserver?
Vservers CANNOT talk to the kernel or otherwise make trouble unless you
give them extra capabilities in the .conf file (S_CAPS="" is default).
This makes it pretty safe to run less-trusted programs (and users!) in a
vserver. iptables and ipchains won't run in a vserver. You'll get a
message about needing to insmod, if memory serves. I've seen kudzu eat
100% cpu in a vserver while trying to find hardware to detect. I'd avoid it.
You might like to have a look at http://www.paul.sladen.org/vserver/faq/ .
Paul has some good info collected there. :)
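As an added example (not part of the original thread), a POSIX shell script that builds a package list the way Adam describes, from the root server's installed RPMs, while dropping the packages Cathy says will not work or will misbehave in a context with S_CAPS="" (iptables, ipchains, kudzu). The `rpm -qa --qf` call, the sample package names and the function names are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: derive a vserver package list from the root server's installed
# packages, dropping the packages the reply says should not go into a vserver.
# Assumes an RPM-based host; `rpm -qa --qf '%{NAME}\n'` prints bare package names.

# Packages that talk to the kernel or probe hardware. With S_CAPS="" they cannot
# do their job inside the context (iptables/ipchains) or spin trying (kudzu).
EXCLUDE_PKGS="iptables ipchains kudzu"

# filter_pkgs: read one package name per line on stdin, print those not excluded.
filter_pkgs() {
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        skip=0
        for bad in $EXCLUDE_PKGS; do
            [ "$pkg" = "$bad" ] && { skip=1; break; }
        done
        [ "$skip" -eq 0 ] && printf '%s\n' "$pkg"
    done
}

# Constructed sample standing in for `rpm -qa --qf '%{NAME}\n'` output.
SAMPLE_PKGS='bash
iptables
cups
kudzu
ipchains
openssh-server'

# build_list: use the real package database when rpm is present, otherwise the
# constructed sample, and print the filtered list suitable for a vserver.
build_list() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME}\n' | filter_pkgs
    else
        printf '%s\n' "$SAMPLE_PKGS" | filter_pkgs
    fi
}
```

Source the file and run `build_list > vserver-packages.txt` on the root server to get the list.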