On Fri, 2002-02-15 at 03:31, [EMAIL PROTECTED] wrote:
> Hi Kevin,
>
> Quoting Kevin Littlejohn <[EMAIL PROTECTED]>:
>
> > "debbootstrap" package -
> > I used it to build a fake server environment for a vserver
> > - using http://www.solucorp.qc.ca/miscprj/s_context.hc
>
> What, no screaming and shouting on the list?
>
> Vserver looks really interesting.
>
> Did you install it on a Debian box?
> Does it work as well as the info would imply?
I've got it installed on a Debian system, yes - running woody, with about 10 vservers set up. It's not the most efficient, or the best, setup at this stage. As I said above, debbootstrap, and I'm using mount --bind to remount /home inside each vse; /proc gets mounted the same way, as does /var/cache/apt. To dodge having to deal with stupid problems with upgrading packages in one vse and not another, I've simply made separate vse's, rather than try and hardlink files between them - that means memory usage is higher than it should be (all those shared libs are no longer as shared), but as I say, it stops other headaches.

We've split based on service, rather than on user, so far - so there's one vse for ftp, one for ldap, one for the databases, etc. We've got a number set aside for end users, as we do things like Zope hosting, and I want to give people their own server.

Oh, we also have /bin, /lib, /sbin, /etc, and the /usr and /usr/local equivalents chattr -R +i'ed - inside a vse you cannot change the immutable flag, so it suddenly becomes _really_ useful. If someone breaks into a vse, they'll be able to get to the user's files, but they'll not be able to touch any of the system files, and they'll not be able to subvert any other services. We can simply shuffle the service in question to another brand new vse, and put the broken one aside for investigation.

It works, is about all I can say ;) Theoretically, we could install redhat in a vse on the debian box, or run potato in one, woody in another, or whatever. The latest version of the patch even lets you run one init per vse, which would be nice.

We're using ldap for user auth, btw, which means I can list allowed services in ldap, and lock /etc/pam_ldap.conf down in each vse to filtering for a specific allowed service. Keeps users central - you could combine that with using /etc/passwd in certain vse's, if you wanted to give users complete control over their own environment.
Given how well it's worked, we're looking at rolling it out to our other hosting boxes.

KevinL

--
Internet techie
Obsidian Consulting Group
Phone: +613 9653 9364
Fax: +613 9354 2681
http://www.obsidian.com.au/
[EMAIL PROTECTED]
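An added example, not part of Kevin's mail or the vserver project: the hardening he describes relies on /bin, /lib, /sbin, /etc, /usr and /usr/local carrying the immutable attribute inside every vse, so the natural check is to audit each vse root for directories that lost the flag (after a package upgrade, say). The script below parses `lsattr -d` style output, lists the expected directories whose flag field lacks `i`, and prints the `chattr -R +i` commands that would restore them. The lsattr output is a constructed sample so the script runs offline; the directory list is taken from the mail, and the function names are my own.

```sh
#!/bin/sh
# Audit a vse root for system directories that should be immutable
# (the set Kevin lists: /bin /lib /sbin /etc /usr /usr/local) by
# parsing `lsattr -d` output. Example code, not from the original mail.

# Directories the mail says are chattr -R +i'ed inside each vse.
IMMUTABLE_DIRS="/bin /lib /sbin /etc /usr /usr/local"

# Constructed sample of `lsattr -d` output for one vse root: a flag
# field (lowercase 'i' = immutable) followed by the path. Two of the
# six directories have lost the flag in this sample.
SAMPLE_LSATTR='----i-------- /bin
----i-------- /lib
------------- /sbin
----i-------- /etc
----i-------- /usr
------------- /usr/local'

# Read lsattr lines on stdin; print each expected directory whose
# flag field lacks the immutable attribute, one per line.
find_mutable_dirs() {
    while read -r flags path; do
        for d in $IMMUTABLE_DIRS; do
            [ "$path" = "$d" ] || continue
            case "$flags" in
                *i*) ;;                         # immutable: as intended
                *)   printf '%s\n' "$path" ;;   # flag missing: report it
            esac
        done
    done
}

# Number of expected directories missing the flag in the sample;
# 0 means the vse root matches the layout described in the mail.
count_mutable_dirs() {
    printf '%s\n' "$SAMPLE_LSATTR" | find_mutable_dirs | wc -l | tr -d ' '
}

# Print the remediation commands a host-side admin would run (the flag
# cannot be changed from inside the vse, which is the whole point).
remediation_commands() {
    printf '%s\n' "$SAMPLE_LSATTR" | find_mutable_dirs |
        while read -r dir; do
            printf 'chattr -R +i %s\n' "$dir"
        done
}

# Stand-alone run: report and suggest fixes for the sample.
echo "Directories missing +i: $(count_mutable_dirs)"
remediation_commands
```

To audit a real vse, replace the sample with `lsattr -d /bin /lib /sbin /etc /usr /usr/local` run against the vse's root from the host; the check only reports, and the printed `chattr` lines are run by hand from outside the vse, where the flag can still be changed.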