Re: [Vserver] vserver build docs, and vserver docs in general

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Sat 20 May 2006 - 23:33:24 BST
Message-ID: <20060520223324.GD27387@MAIL.13thfloor.at>

On Sat, May 20, 2006 at 04:35:32PM +0200, ADNET Ghislain wrote:
> Hello Herbert,
>
> As you perhaps recall from our talk on the mailing list, I am trying
> to build a "starter guide" for people who, like me, discover the great
> vserver project and want to use it at its best. I am doing the first
> step and of course this is KERNEL config! :)
>
> Perhaps you can share with me the options that are a must to have in
> the kernel, and on the contrary the ones that could lead to problems
> with vserver or with security.

well, contrary to other kernel patches/projects, there
are no special kernel requirements and/or dangers when
configuring the kernel to your likings ...

of course, certain features require certain filesystems
as not all filesystems support xattrs or xid tagging,
or even quota :)

> Here are the ones I saw:
>
> in Block devices
>   Virtual Root device support
>   CONFIG_BLK_DEV_VROOT:
>
>   Saying Y here will allow you to use quota/fs ioctls on a shared
>   partition within a virtual server without compromising security.
>
> virtual server hummm ?? :)

yep, required for secure quota support

> <*> Quota format v2 support
>
> not sure, quota format2 seems desirable because of the file tagging
> I guess

well, it's the newer quota format, but basically the
choice is yours (not really related)

> VSERVER part
> [*] Enable Legacy Kernel API (NEW)
> [ ] Show a Legacy Version ID (NEW)
> [ ] Disable Legacy Networking Kernel API
> [*] Enable Proc Security (NEW)
> [*] Enable Hard CPU Limits
> [ ] Limit the IDLE task (NEW)
> Persistent Inode Context Tagging (UID24/GID24) --->
> [ ] Tag NFSD User Auth and Files (NEW)
> [ ] VServer Debugging Code (NEW)
>
> those are the vserver choices; these seemed, from the FAQ/HOW TO,
> the best trouble-free choices

hmm, in general I'd opt for the 'defaults' at least if
you want 'trouble free' operation ...

> In Security options
> [ ] Enable access key retention support
> [*] Enable different security models
> [*] Socket and Networking Security Hooks
> --- Default Linux Capabilities
> < > BSD Secure Levels (NEW)
>
> I wondered if this is useful too; the names of those seem
> to permit security features that perhaps vserver uses.

no, those are unrelated, they are supposed to work, but
you have to decide if they make sense or not, and of
course you have to _use_ them :)

> IP: Virtual Server Configuration --->
>
> this one is from the other project with a very similar name so I think
> we can say "this is not useful for vserver virtualisation" warning :)
> If you have any hints about what kernel choices are mandatory, useful
> or dangerous.. please tell me :)

hmm, it might be useful for folks using LVS (that's the
other project) and it does not clash with Linux-VServer
so for me (except for the name) it's not related

> I hope to be able to give some of my WE time to this HOW TO but the
> goal is to make it "vserver team" approved as a guide to build the
> most stable vanilla install for vservers.

my general suggestion is to _first_ compile a mainline
kernel and make that work the way you like it. then
apply the Linux-VServer patch, and (re)run

 # make oldconfig

this will explicitly ask all _new_ options and provide
the defaults too, which should work just fine, otherwise
it's a bug you'd better report :)

HTH,
Herbert

> Cordialement,
> Ghislain ADNET.
> AQUEOS.
Received on Sat May 20 23:33:47 2006
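
The workflow described in the reply (a working mainline config first, then the patch and `make oldconfig`) can be documented by comparing the `.config` from before and after, as in this added example, which is not part of the original message or of the Linux-VServer project. The sample configs are constructed, `CONFIG_EXAMPLE_PATCH_OPTION` is a placeholder symbol, and the quota check encodes the thread's statement that the vroot device is required for secure quota support.

```python
import re

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map each symbol in a kernel .config to its value ('n' when not set)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
        else:
            m = UNSET_RE.match(line)
            if m:
                opts[m.group(1)] = "n"
    return opts

def new_options(before, after):
    """Symbols present only after patching: the ones oldconfig prompted for."""
    return {k: after[k] for k in sorted(after) if k not in before}

def changed_options(before, after):
    """Symbols whose value differs from the known-good mainline config."""
    return {k: (before[k], after[k]) for k in sorted(after)
            if k in before and before[k] != after[k]}

def quota_without_vroot(cfg):
    """True when quota is built in but the vroot device from the thread is off."""
    return (cfg.get("CONFIG_QUOTA", "n") == "y"
            and cfg.get("CONFIG_BLK_DEV_VROOT", "n") == "n")

# Constructed sample configs (not taken from a real build).
MAINLINE = """\
CONFIG_QUOTA=y
CONFIG_QFMT_V2=y
CONFIG_SECURITY=y
# CONFIG_IP_VS is not set
"""
# CONFIG_EXAMPLE_PATCH_OPTION is a placeholder, not a real symbol.
PATCHED = MAINLINE + """\
# CONFIG_BLK_DEV_VROOT is not set
CONFIG_EXAMPLE_PATCH_OPTION=y
"""

if __name__ == "__main__":
    before, after = parse_config(MAINLINE), parse_config(PATCHED)
    for name, value in new_options(before, after).items():
        print(f"new: {name}={value}")
    if quota_without_vroot(after):
        print("warning: CONFIG_QUOTA=y but CONFIG_BLK_DEV_VROOT is not set")
```

An empty result from `changed_options` confirms that patching left the tested mainline choices untouched, so any new behaviour comes only from the symbols listed as new.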
