Creating and using vserver virtual servers
From Unixshell# community wiki
Linux-Vserver [1] is a virtualization layer that lets you run a Linux distribution inside Linux. Using it has many benefits, the most apparent of which are: added security, new and easier ways to perform backups, "hot-swappable" servers, full root access on all vservers, and multiple flavors of Linux installed under the same main server.
This howto focuses on Debian as both the host and the guest; it should, however, be easy enough to adapt to other flavors of Linux. Because of the nature of this wiki, it also includes some unixshell-specific details. Because of the way linux-vserver does its virtualization, there is very little overhead. That said, each vserver still consumes the same amount of resources as a full installation, so vservers should probably not be used on the more modest plans. I would suggest at least the 64, preferably the 96.
Prepare the Vserver Host
Kernel and vserver-utils
1. Use Teknic to change your kernel to "latest-linux-2.6+vserver." Be certain to reboot from the Teknic admin menu.
2. Install the necessary packages on your server. For unixshell, you don't need to install the kernel patch. The other suggested packages are a good idea to install if not already installed.
[root@host]/root# apt-get install vserver-debiantools util-vserver
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  debootstrap iproute libatm1 rsync
Suggested packages:
  kernel-patch-vserver vlan iptables modutils module-init-tools
The following NEW packages will be installed:
  debootstrap iproute libatm1 rsync util-vserver vserver-debiantools
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 1505kB of archives.
After unpacking 3621kB of additional disk space will be used.
Do you want to continue? [Y/n]
Host Networking
Regardless of the networking option you choose, there are some basic caveats and gotchas to consider.
- All network services in the host AND the guest must be configured to bind ONLY to their designated IP address. Many bind to ALL IP addresses by default.
- iptables MUST be used to allow networking in the guest.
- The guest will have certain restrictions on network abilities (but not on performance).
The host must be configured to allow the guest to access the internet, and to allow the internet to access it. These steps should be taken from within the host.
xinetd
Install xinetd as a replacement for inetd. This allows you to easily bind services started by inetd to the proper IP address.
[root@host]/root# apt-get install xinetd
Once xinetd is installed, edit the /etc/xinetd.conf file. It should look like this:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
    bind=HOST_IP_ADDRESS
}
includedir /etc/xinetd.d
Where HOST_IP_ADDRESS is the external IP address of the host. This tells xinetd to bind all services to the host IP address only.
For each service that isn't started by inetd, you will have to edit its config file and tell it to bind only to the IP address of the host. There are far too many to list here, but below are some common applications.
Apache2
  Config File: /etc/apache2/ports.conf
  Parameter:   Listen IP_ADDR:80
SSH
  Config File: /etc/ssh/sshd_config
  Parameter:   ListenAddress IP_ADDR
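Because the single most common mistake here is a daemon that still listens on every address, the following check is worth running on the host (and later inside each guest) after the configuration changes. It is an added example, not part of the original howto: it filters the output of `netstat -ltn` for TCP listeners bound to a wildcard address (0.0.0.0, :: or *). The netstat sample embedded below is constructed; on a real machine pipe the live `netstat -ltn` output into `wildcard_listeners` instead.

```shell
#!/bin/sh
# Added example (not from the original howto): report listening TCP sockets that
# are bound to every address instead of the one designated IP.
# Reads "netstat -ltn"-style output on stdin; the sample below is constructed.

# Print one line per listener bound to a wildcard address.
# Output format: "PROTO LOCAL_ADDRESS".
wildcard_listeners() {
    awk '
        # Only rows for listening TCP/TCP6 sockets; header lines are skipped.
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            # Strip the trailing :PORT so the bare address can be compared.
            sub(/:[0-9]+$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                print $1, $4
        }'
}

# Constructed sample: sshd is bound to the host IP only, MySQL to loopback,
# while Apache (80) and a mail daemon (25) still listen on all addresses.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 65.254.37.136:22        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN'

# Run the check over the sample. Prints the offending listeners and returns
# non-zero when any exist, so it can serve as a pre-flight check in a script.
check_sample() {
    out=$(printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners)
    printf '%s\n' "$out"
    [ -z "$out" ]
}
```

On the sample this reports `tcp 0.0.0.0:80` and `tcp6 :::25`; those are the two services that would also answer on the guest's address and therefore need their config files (or xinetd) pointed at the host IP as described above. Loopback-only listeners such as MySQL on 127.0.0.1 are deliberately not flagged.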
Networking Option A
The first option for networking is for those who want their guests to have external IP addresses. This is ideal for resellers, and is actually the simpler setup. If you decide to use Networking Option A, you must have additional external IP addresses. You can purchase these by contacting sales@unixshell.com.
On the host machine, we must configure iptables to allow network addresses other than the default one to pass through.
[root@host]/root# iptables -t nat -A PREROUTING -d GUEST_IP_ADDRESS -i eth0 -j ACCEPT
Where GUEST_IP_ADDRESS is the IP address of the guest.
vserver will automatically bring the proper devices up and set up the network interfaces so that the guest has network access. If you are interested in seeing this, use the ip command from the iproute package (the older ifconfig does not show the additional addresses).
[root@host]/root# ip addr show eth0
Networking Option B
This option doesn't require any additional IP addresses.
In this case, the host will act as a firewall for your guest vserver. We will use iptables to control which packets pass through to a vserver, and which stop at the host.
The host needs to be configured to allow networking to the guest. Below is an explanation of how to do this.
iptables -t nat -A PREROUTING -d HOST_IP -i eth0 -p tcp -m tcp --dport HOST_PORT -j DNAT --to-destination GUEST_IP:GUEST_PORT
This is the basic format of the iptables rules we will be creating. This tells iptables to forward any TCP traffic that's coming in from eth0 on HOST_IP port HOST_PORT to GUEST_IP port GUEST_PORT.
iptables -t nat -A PREROUTING -d 65.254.37.136 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.2:80
A more useful "real life" example: this tells the host at 65.254.37.136 to forward all TCP traffic arriving at 65.254.37.136:80 to the guest at 192.168.100.2:80. This is useful for running a webserver on a guest.
You will have to do this with each port you want forwarded. If you are unsure which services run on which ports, look in /etc/services.
When you have finished forwarding ports of all the services you want running on the guest, you will need to tell the host to allow the guest to access the internet.
[root@host]/root# iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
Where GUEST_IP is the guest IP address, and HOST_IP is the host IP address.
- Hint: You can specify an entire subnet (192.168.100.0/255.255.255.0) as the GUEST_IP if you plan to have additional guests running on the same subnet.
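Typing one DNAT rule per port by hand is error-prone (the table name, the host and guest IP and the port all have to agree across every rule). The script below is an added example, not part of the original howto: it builds the Option B rules from a port list, applies the same shape of rule the text gives above, and also covers the "hot swapping" tip further down by moving the forwarded ports from one guest to another. Set DRY_RUN=1 to print the rules instead of running iptables (which needs root); all addresses and ports below are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of the original howto): generate the Networking Option B
# iptables rules for a guest from a list of ports, so the per-port DNAT rules and
# the SNAT rule stay consistent. DRY_RUN=1 prints the rules instead of applying them.
# All addresses and ports used here are constructed sample values.

run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# dnat_rule ACTION HOST_IP GUEST_IP PORT   (ACTION: -A append, -I insert, -D delete)
# Forwards HOST_IP:PORT to GUEST_IP:PORT, the rule shape used in the text above.
dnat_rule() {
    run_rule -t nat "$1" PREROUTING -d "$2" -i eth0 -p tcp -m tcp --dport "$4" \
        -j DNAT --to-destination "$3:$4"
}

# snat_rule ACTION GUEST_NET HOST_IP
# Lets GUEST_NET (a single guest IP or a subnet such as 192.168.100.0/24) reach
# the internet with HOST_IP as its source address.
snat_rule() {
    run_rule -t nat "$1" POSTROUTING -s "$2" -j SNAT --to-source "$3"
}

# forward_guest HOST_IP GUEST_IP PORT...
# One DNAT rule per port, then the SNAT rule for the guest.
forward_guest() {
    host=$1; guest=$2; shift 2
    for port in "$@"; do
        dnat_rule -A "$host" "$guest" "$port"
    done
    snat_rule -A "$guest" "$host"
}

# swap_guest HOST_IP OLD_GUEST NEW_GUEST PORT...
# Hot swap: point the forwarded ports at NEW_GUEST. The new rule is inserted at
# the top of PREROUTING before the old one is deleted, so the first matching
# DNAT rule changes atomically and no connection attempt hits a gap.
swap_guest() {
    host=$1; old=$2; new=$3; shift 3
    for port in "$@"; do
        dnat_rule -I "$host" "$new" "$port"
        dnat_rule -D "$host" "$old" "$port"
    done
}

# Demo: ./option-b-rules.sh --demo prints the rules for a web guest.
case "${1:-}" in
    --demo)
        DRY_RUN=1 forward_guest 65.254.37.136 192.168.100.2 80 443
        DRY_RUN=1 swap_guest 65.254.37.136 192.168.100.2 192.168.100.3 80 443
        ;;
esac
```

After `forward_guest` or `swap_guest` has been applied for real, remember to re-run `iptables-save > /var/lib/iptables/active` (see Saving IP Tables Rules) or the change is lost at the next reboot.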
Saving IP Tables Rules
You will want to save the iptables rules so they are activated at boot. This can be accomplished by saving the output of iptables-save to /var/lib/iptables/active.
[root@host]/root# iptables-save > /var/lib/iptables/active
Create a Vserver Guest
1. This howto uses newvserver from vserver-debiantools to create a new Debian vserver guest. It is possible to use other Linux flavors as guests, but you must use a different method. This is briefly touched on at the end of the howto.
2. As root, create a new vserver. The command to use is newvserver. It has many options, but only the essential ones are shown here.
[root@host]/root# newvserver --hostname HOSTNAME --domain DOMAIN --ip IP_ADDRESS -v --mirror DEBIAN_MIRROR --dist DEBIAN_DIST
In the above example, everything in CAPS needs to be changed.
- HOSTNAME: The hostname of your guest.
- DOMAIN: The domain of your guest.
- IP_ADDRESS: The IP address of your guest. If you are using Networking Option A, I assume you know what the IP address should be. If you are using Option B, it needs to be an internal address like 192.168.100.2.
- DEBIAN_MIRROR: The Debian mirror you want to use. Default is http://ftp.uk.debian.org/debian.
- DEBIAN_DIST: The Debian distribution you want to use. Default is sarge. Woody is also a choice.
3. Wait. The installation will take a while, especially if you're using one of the lower end services. Once the download and installations are complete, you will be entered into the vserver guest, and setup will continue just as if you installed Debian on a physical server. Follow the prompts until it exits. NOTE: When starting the vserver, it will often hang at "Starting MTA server..." You can safely press CTRL + C and let it boot. This is a result of the networking not yet being fully configured.
Configure the Guest
Once your guest has been installed, you can use vserver from the host to start, restart, stop, and enter the guest.
[root@host]/root# vserver GUEST_HOSTNAME start    (only needed if the guest is not already running)
[root@host]/root# vserver GUEST_HOSTNAME enter
If all goes well, you'll find yourself as root in a brand new installation. You can use the guest (almost) as a real server: Install whatever applications you want, and configure the server how you want.
Guest Networking
As mentioned, there are some special cases with networking under vserver. From within the guest you must:
1. Install and set up xinetd as described above for the host, except change the bind to the guest's IP address.
2. As with the host, for each program you want to run that's not started by inetd, you must change the config file to bind only to the guest's IP address. See the Host Networking section for details.
Guest Networking Option A
No special steps?
Guest Networking Option B
No special steps?
Tips, Tricks, and Goodies
Below you will find tips, tricks, and extra files that may be helpful.
Other Guest Distros
Use vserver build -m blah. Finish this.
Hot swapping
- Keep a devel or beta server running parallel to a production server. Going live with the devel server is as easy as changing iptable rules on the host.
Backups
- Use reoback[2] to back up /var/lib/vservers to /var/lib/reoback/backups/. Use my hacky little program to restore them. HLP found at http://devel.narnarnar.com/vserver/vserver-restore.sh
Reselling
- Create a "skeleton" guest server. Use my hacky little program #2 to copy it as needed for clients. HLP2 found at http://devel.narnarnar.com/vserver/vserver-copy.sh
Other
- Use vhashify to reduce the space used by vservers. Haven't messed with it much yet.