From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Tue 17 Feb 2004 - 11:52:07 GMT
On Tue, Feb 17, 2004 at 12:07:44PM +0100, Thomas Gelf wrote:
> Hello together!
> I'm new on this list so please be patient with me! My English
> is not that good, but it seems that I'm not alone with this
> problem :o)
> We started testing vserver one week ago, I found this great
> project while looking for an alternative to UML which we have
> currently running on different Web-, Mail and DNS-Servers.
> UML is great, but I'm not satisfied with the performance of
> Loopback-mounted sparse-files.
> We compiled about 30-40 Kernels last week, vserver's documentation
> was not really helpful (please don't hit me :o) - we did some
go ahead, improve it, that's what a wiki is designed for ...
> changes to debian-newvserver.sh to make it possible to run it
> with the exploit-proof "chattr +t /vservers"-directory. If
> someone is interested in it (it was not that difficult) - mail me!
I would suggest sending it to the debian-newvserver maintainer
whoever that might be atm ...
> We haven't been able to compile kernel 2.6, maybe Herbert's
> patch (http://list.linux-vserver.org/archive/vserver/msg06189.html)
it seems to be a debian woody oddity, it was confirmed that
using sarge does solve this issue too, but as it seems that
we can provide a harmless workaround, this will be included
in the next release ...
> will help. Currently we are running 2.4.25-rc2, also using context-
> based disk-limits.
make sure to use static context ids ...
> I'll stop introduction now, let's start with my first question to
> this list: We would like to improve vserver's networking support.
> Like with our UML-Servers we did the following today (on debian):
> # apt-get install uml-utilities
> # apt-get install bridge-utils
> # mkdir -p /dev/net
> # mknod -m 660 /dev/net/tun c 10 200
> # chmod 660 /dev/net/tun
> # chown root.uml-net /dev/net/tun // group uml-net added by debian
> now stop all your vservers, we did the following on a debian box
> with eth0:192.168.124.100, using this script (change ip addresses):
> tunctl -u root -t tom0
> brctl addbr br0
> ifconfig eth0 0.0.0.0 promisc up
> ifconfig tom0 0.0.0.0 promisc up
> ifconfig br0 192.168.124.100 netmask 255.255.255.0 up
> brctl stp br0 off
> brctl setfd br0 1
> brctl sethello br0 1
> brctl addif br0 eth0
> brctl addif br0 tom0
> route add default gw 192.168.124.1
> this also works during a ssh connection, but I'm not responsible if
> it doesn't - and no, you don't have to use "tom0" :)
> change /etc/vservers/XX.conf to match the new interface "tom0".
> now we tried to add S_CAPS="CAP_NET_RAW" - tadaaaaaaaaaa! just try
> to use the standard "ping" program. starting a sniffer works, but
> you will see absolutely nothing.
hmm, interesting approach, could you also try it with
the dummy interface (dummy0), that might work as well,
and it might be a simpler? solution ...
> we did all these tests this morning (it's 12:05 in south tyrol/italy now)
> and will go on installing a default web hosting environment on our new
> what do you think about this approach? is it secure? is it worth to
> invest time to enhance it? we are not kernel hackers so we need help
> for the following features: hide real interfaces in vservers, show
> them a "eth0" interface instead of "tom0:vs1", add a virtual loopback
not so fast, but yes, we could probably do a lot of those
things, just think nameif and private namespaces ...
> linux-vserver is a great project, compliments to all guys contributing
> to it. we would like to help to improve this project, doing tests,
> posting our ideas, maybe writing documentation (english with your help,
> german, italian) or little howto's, userspace utilities... And we need
> your feedback to go on faster!
do not let anybody stop you!
> yours sincerely
> Thomas Gelf
> Thomas Gelf <vserver_at_gelf.net>
Vserver mailing list
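
The message above grants CAP_NET_RAW through S_CAPS in /etc/vservers/XX.conf and asks whether the setup is secure. As an added example (not part of the original thread), this script lists guest configs that grant that capability and checks the CapEff mask of a /proc/<pid>/status file for it. The sample files are constructed, and it assumes S_CAPS holds a quoted, space-separated list as in the message.

```shell
#!/bin/sh
# Added example: audit which guests are granted CAP_NET_RAW.
CAP_NET_RAW_BIT=13   # value of CAP_NET_RAW in <linux/capability.h>

# Print the capability names on the active (uncommented) S_CAPS= line.
conf_caps() {
    sed -n 's/^[[:space:]]*S_CAPS="\{0,1\}\([^"#]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if config file $1 grants capability name $2.
conf_grants_cap() {
    for cap in $(conf_caps "$1"); do
        if [ "$cap" = "$2" ]; then return 0; fi
    done
    return 1
}

# Succeed if bit $2 is set in the hex capability mask $1.
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Succeed if the CapEff line of a status file includes CAP_NET_RAW.
status_has_net_raw() {
    mask=$(awk '$1 == "CapEff:" { print $2 }' "$1")
    [ -n "$mask" ] && mask_has_bit "$mask" "$CAP_NET_RAW_BIT"
}

# Constructed sample data (not taken from a real system).
make_samples() {
    printf '%s\n' '# constructed guest' 'S_CAPS="CAP_NET_RAW"' > "$1/vs1.conf"
    printf '%s\n' '#S_CAPS="CAP_NET_RAW"' 'S_CAPS=""' > "$1/vs2.conf"
    printf 'Name:\tping\nCapEff:\t0000000000002000\n' > "$1/status.raw"
    printf 'Name:\thttpd\nCapEff:\t0000000000000400\n' > "$1/status.plain"
}

# Print every guest config in directory $1 that grants CAP_NET_RAW.
audit_dir() {
    for conf in "$1"/*.conf; do
        if conf_grants_cap "$conf" CAP_NET_RAW; then echo "$conf"; fi
    done
}

# Demo run over the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp" && audit_dir "$tmp"
rm -rf "$tmp"
```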