[ale] Virtual Dedicated Servers

Michael H. Warfield mhw at wittsend.com
Tue Apr 22 22:47:50 EDT 2003


On Tue, Apr 22, 2003 at 05:49:23PM -0400, Chris Fowler wrote:
> Mike,

> Can this help me create a virtual area to do development.

	Absolutely...

> My develop Box:
> 
> / -- RH 7.3
>    |
>    | /u01
>        |
>        | - devel - RH 7.2
> 
> To do development on my development box, I do the following command:
> 
> $ sudo /sbin/chroot /u01/devel bin/bash
> CHROOT # su - cfowelr
> CHROOT $

> My development environment is reliant on libraries and stuff in 7.2 so to
> keep my box on the latest version of RH and to make sure that all my
> machines can develop alike, I have a CD which has a tarball of a
> stripped down 7.2 install.  Anytime I need to develop on new machine, I
> just untar it into a directory and chroot there.  

> So you prefer vserver eh?

	In essence, vservers are chrooted jails on steroids.  Each has
its own "security context" in which it can see only its processes and
its file systems.  Because of a bit of a hack in the kernel, there
is an extra lock on .. out of a chrooted jail (set mode 000 on the parent
directory and even root can't .. break the chroot).  Root in the
security contexts has certain capabilities stripped so it can't
reconfigure the network, create devices, load modules, or manipulate file
systems (scripts -bind mount home directories and such).  Shared files,
such as "unified" binaries shared between different contexts, are flagged
as disconnect on write so someone modifying a binary disconnects their
copy from other contexts before modification.  You can do installs
and builds and updates independently or in unison (from root context 0).

	Each security context has its own IPROOT which defines what
IPv4 addresses are associated with 0.0.0.0 for daemons and servers and
"calls".

	It's not totally mature yet.  It's lacking IPv6 support and could
probably use some better support utilities.  Most of them are curses based
character mode stuff.  But it's usable and I have it on several production
servers doing quite well.  Once you learn some of the gotchas (mostly
IPv6 related stuff) it's manageable and effective.

> Chris

> On Tue, 2003-04-22 at 17:40, Michael H. Warfield wrote:
> > On Tue, Apr 22, 2003 at 05:33:53PM -0400, Chris Fowler wrote:
> > > Hello,
> > 
> > > Last week I went to visit a web hosting facility that offered virtual
> > > dedicated servers on Linux.  They stated they had proprietary software
> > > to provide this product.  Its like a small Linux system that is
> > > controlled so the user can not use too many cycles up and limit the
> > > other customers. It was intriguing.  To me it should be dedicated or
> > > shared.  That word virtual in the subject line of this email cancels out
> > > the second word "dedicated".  Can someone tell me if there is an OSS
> > > solution to allow VDS on Linux?  I might could put a view of my sites in
> > > one to protect the host from hacking.
> > 
> > 	FreeVSD		<www.freevsd.org>
> > 
> > 	Vserver		<http://www.solucorp.qc.ca/miscprj/s_context.hc>
> > 
> > 	OpenVSD		(supposed to be a branch of FreeVSD - status unknown)
> > 
> > 	I'm currently using vserver for situations where all the
> > virtual servers can run on the same kernel.  Even different distros can
> > run on the same kernel and root in one vserver can't muck with network
> > configurations or bust out of his security context.  In cases where
> > I need a different kernel (or OS) I just fall back to VMware (which is
> > neither open nor free but incredibly effective).  I've even got systems
> > (virtualized honeypot clusters) which are running simultaneous combinations
> > of vserver and VMware for different virtual servers and machines.
> > 
> > 	Mike
> > 
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> > 
> > -- 
> >  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
> >   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
> >   NIC whois:  MHW9      |  An optimist believes we live in the best of all
> >  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
> 
> 

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
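
The capability stripping described in the message above can be checked from inside a guest by decoding the capability masks in /proc/<pid>/status. This is an added example, not part of the original message or of the vserver tools; pairing the four restrictions with CAP_NET_ADMIN, CAP_MKNOD, CAP_SYS_MODULE and CAP_SYS_ADMIN is an assumption, and the sample masks are constructed.

```shell
#!/bin/sh
# Bit numbers from <linux/capability.h>. Pairing them with the four
# restrictions in the message is this example's assumption.
WATCHED="12:CAP_NET_ADMIN
27:CAP_MKNOD
16:CAP_SYS_MODULE
21:CAP_SYS_ADMIN"

# retained_caps HEXMASK: print the watched capabilities still set in the mask.
retained_caps() {
    rc_mask=$((0x$1))
    rc_out=""
    while IFS=: read -r rc_bit rc_name; do
        if [ $(( ($rc_mask >> $rc_bit) & 1 )) -eq 1 ]; then
            rc_out="${rc_out:+$rc_out }$rc_name"
        fi
    done <<EOF
$WATCHED
EOF
    printf '%s\n' "$rc_out"
}

# audit_status: read /proc/<pid>/status text on stdin, print one line for each
# of CapEff/CapBnd that still holds a watched capability, return 1 if any does.
# The bounding set matters too: it limits what an exec'd binary can regain.
audit_status() {
    as_rc=0
    while read -r as_field as_value; do
        case $as_field in
            CapEff:|CapBnd:)
                as_left=$(retained_caps "$as_value")
                if [ -n "$as_left" ]; then
                    echo "${as_field%:} retains: $as_left"
                    as_rc=1
                fi ;;
        esac
    done
    return $as_rc
}

# Constructed samples (not captured from a real system).
HOST_ROOT="CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff"
CONFINED_ROOT="CapEff: 000001fff7deefff
CapBnd: 000001fff7deefff"
LEAKY_ROOT="CapEff: 000001fff7deefff
CapBnd: 000001ffffdeefff"

# Demo on a constructed sample; on a live guest: audit_status < /proc/self/status
printf '%s\n' "$LEAKY_ROOT" | audit_status || echo "-> context is not fully confined"
```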
