Linux-vserver or every sandbox service
Recently on Habré published articles on openvz and lxc. It reminded me that this article is still in the sandbox ...
For the purposes of placing projects, I use this scheme: each service is launched in an isolated environment: combat - separately, test - separately, telephony - separately, web - separately. This reduces the risk of hacking systems, allows you to backup everything and everyone with one rsync to the neighboring server across the crown, and in the case of a hardware rush, simply pick up on the next hardware. (And using drbd + corosync allows you to do this automatically also)
To create an isolated environment, there are two approaches called VDS (hardware virtualization) and VPS / jail (process space virtualization).
')
To create VDS isolation use XEN, VirtualBox, VMWare and other virtual machines.
To create a VPS on linux, use either linux-vserver, or openvz, or lxc.
Advantages of VDS: the system inside can be absolutely any, you can keep different versions of the cores, you can install another OS.
The disadvantages of VDS are high IO performance losses, excessive CPU and RAM consumption for services duplicating those running on the server OS.
VPS advantages: extremely low performance loss, only for insulation, only those services that are really needed are launched.
Cons VPS: you can run only linux and the kernel will be only the version that is already running.
Since I don’t need different operating systems, I’m using linux-vserver everywhere (historically, I’ve been using it since 2004, and openvz was released to the public in 2005), and lxc, in my understanding, is not old enough to produce (although it’s very close already).
I will quote from the FAQ:
“What is the status of Linux-VServer?
Linux-VServer has more than a decade of maturity and is actively developed. Two projects are similar to Linux-VServer, [LXC], and [OpenVZ]. Of the two, OpenVZ offers some similar functionality to Linux-VServer. LXC is solely based on kernel mechanisms such as cgroups that are in modern kernels. It will continue to be mature. As this occurs, the Linux-VServer will take advantage of the LXC and continue to provide it. Currently, LXC offers significantly less functionality and isolation than Linux-vserver. "For the use of the LXC
Below I will describe the basic operations for launching a LAMP server in an isolated environment.
OS: debian-stable, 64bit
Starting from Wheezy, vserver support with the debian command has been removed, so I use the repo.psand.net/info kernel
After installation - reboot into the new kernel.
What we did:
This allows you to use a single server IP to start different services, dividing them by login (for example, to log in to the web virtual machine you just need to log in as web root or as root @ web).
After that, new servers can be launched on the server, tying them to the dummy0 interface.
Everything is fine, but the created servers respond to 192.168.1.x, and it is necessary that it be accessible from the outside.
To solve this, on the root we will need nginx:
This allows all incoming requests to the 80th port to scatter across different virtual machines, depending on the name.
If necessary, you can use proxy_pass to a different external IP, which allows you to move virtual servers across different machines without having to wait for the full update of DNS records, but this is a topic for a separate conversation.
Now we need to create a new virtual machine (number 57, web name) in which we install LAMP.
This establishes the base system, makes it autorun when the root system is rebooted.
Now the virtual machine is ready to install the necessary software in it. For example, the usual LAMP:
Everything! Now your server is running Apache in a completely isolated environment.
1. Direct entry to virtual servers is possible only by password.
2. On the root system, no one should be allowed access, so the root system should only have a verified minimum of software (ssh, nginx, iptables and nothing else).
3. If you need direct access to any ports inside virtual machines, forwarding needs to be done using iptables.
1. / var / lib / vservers / * it is desirable to place on lvm in order to be able to manage the allocation of space for virtual machines independently.
2. Resource management: simply created virtual machine can eat all the resources of the machine. Learn more about setting limits linux-vserver.org/Resource_Limits
3. / tmp /. Inside the default virtualok / tmp / is created as a ramdisk in 16m size. Or right before “vserver $ NAME start”, fix / etc / vservers / $ NAME / fstab
4. Useful information, information, etc. about linux-vserver can be found on linux-vserver.org
If there are useful questions, I will put the detailed answers to them in the topic.
For the purposes of placing projects, I use this scheme: each service is launched in an isolated environment: combat - separately, test - separately, telephony - separately, web - separately. This reduces the risk of hacking systems, allows you to backup everything and everyone with one rsync to the neighboring server across the crown, and in the case of a hardware rush, simply pick up on the next hardware. (And using drbd + corosync allows you to do this automatically also)
To create an isolated environment, there are two approaches called VDS (hardware virtualization) and VPS / jail (process space virtualization).
')
To create VDS isolation use XEN, VirtualBox, VMWare and other virtual machines.
To create a VPS on linux, use either linux-vserver, or openvz, or lxc.
Advantages of VDS: the system inside can be absolutely any, you can keep different versions of the cores, you can install another OS.
The disadvantages of VDS are high IO performance losses, excessive CPU and RAM consumption for services duplicating those running on the server OS.
VPS advantages: extremely low performance loss, only for insulation, only those services that are really needed are launched.
Cons VPS: you can run only linux and the kernel will be only the version that is already running.
Since I don’t need different operating systems, I’m using linux-vserver everywhere (historically, I’ve been using it since 2004, and openvz was released to the public in 2005), and lxc, in my understanding, is not old enough to produce (although it’s very close already).
I will quote from the FAQ:
“What is the status of Linux-VServer?
Linux-VServer has more than a decade of maturity and is actively developed. Two projects are similar to Linux-VServer, [LXC], and [OpenVZ]. Of the two, OpenVZ offers some similar functionality to Linux-VServer. LXC is solely based on kernel mechanisms such as cgroups that are in modern kernels. It will continue to be mature. As this occurs, the Linux-VServer will take advantage of the LXC and continue to provide it. Currently, LXC offers significantly less functionality and isolation than Linux-vserver. "For the use of the LXC
Below I will describe the basic operations for launching a LAMP server in an isolated environment.
OS: debian-stable, 64bit
Starting from Wheezy, vserver support with the debian command has been removed, so I use the repo.psand.net/info kernel
Configuring the root system to run linux-vserver
echo "deb http://repo.psand.net/ wheezy main" > /etc/apt/sources.list.d/psand.list wget -O - http://repo.psand.net/pubkey.txt | sudo apt-key add - aptitude update aptitude search linux-image-vserver # aptitude install linux-image-vserver-3.13-beng util-vserver curl bzip2 # 3.13 curl http://dev.call2ru.com/vs/nss_vserver_64.tar.bz2 | tar xfj - cd nss_vserver_64 make make install ln -s var/lib/vservers / curl http://dev.call2ru.com/vs/vserverauth.tar.gz | tar xfz - cd vserverauth/vslogin/ make cp vslogin /sbin/ chmod u+s /sbin/vslogin echo /sbin/vslogin >> /etc/shells echo -e "auto dummy0\niface dummy0 inet static\n\taddress 192.168.1.250\n\tnetmask 255.255.255.0\n" >> /etc/network/interfaces echo -e "\tpre-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE\n" >> /etc/network/interfaces echo -e "\tpost-down /sbin/iptables -t nat -D POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE\n" >> /etc/network/interfaces After installation - reboot into the new kernel.
What we did:
- Installed a kernel with linux-vserver support, installed utilities for creating / managing vservers.
- Installed my nss_vserver [1] module and vslogin, which allows you to log in via ssh directly into vserver
- Configured dummy0 interface to create a “private” network for virtual machines.
This allows you to use a single server IP to start different services, dividing them by login (for example, to log in to the web virtual machine you just need to log in as web root or as root @ web).
After that, new servers can be launched on the server, tying them to the dummy0 interface.
Everything is fine, but the created servers respond to 192.168.1.x, and it is necessary that it be accessible from the outside.
To solve this, on the root we will need nginx:
aptitude install nginx cat > /etc/nginx/sites-available/proxy <<END server { listen 80; # IP:PORT proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-SSL no; if ($http_host ~ "(?i)(somesite\.ru)$") { rewrite ^(.*) /web/$1 last; } # if' # catch-all rewrite ^(.*) /web/$1 last; # location /web// { proxy_pass http://192.168.1.57/; proxy_read_timeout 500; } } END ln -s ../sites-available/proxy /etc/nginx/sites-enabled/ /etc/init.d/nginx reload This allows all incoming requests to the 80th port to scatter across different virtual machines, depending on the name.
If necessary, you can use proxy_pass to a different external IP, which allows you to move virtual servers across different machines without having to wait for the full update of DNS records, but this is a topic for a separate conversation.
Now we need to create a new virtual machine (number 57, web name) in which we install LAMP.
Creating a new vserver
MIRROR=http://ftp.de.debian.org/debian NAME=web DOMAIN=mydom.ru CONTEXT=57 vserver $NAME build -m debootstrap --context $CONTEXT --hostname $NAME.$DOMAIN --interface dummy0:192.168.1.$CONTEXT/24 -- -d squeeze -m $MIRROR echo default > /etc/vservers/$NAME/app/init/mark vserver $NAME start vserver $NAME enter aptitude update aptitude install locales echo -e "en_US.UTF-8 UTF-8\nru_RU.UTF-8 UTF-8\n" >> /etc/locale.gen locale-gen echo -e "127.0.0.1 localhost.localdomain localhost vhost\n192.168.1.250 vroot\n" > /etc/hosts This establishes the base system, makes it autorun when the root system is rebooted.
Now the virtual machine is ready to install the necessary software in it. For example, the usual LAMP:
aptitude install apache2 libapache2-mod-php5 mysql-server php5-mysql php5-mysqli libapache2-mod-rpaf editor /etc/apache2/mods-available/rpaf.conf # ( "RPAFproxy_ips 127.0.0.1" 192.168.1.57 (IP )) a2enmod rpaf /etc/init.d/apache2 restart exit Everything! Now your server is running Apache in a completely isolated environment.
Problems of this approach include:
1. Direct entry to virtual servers is possible only by password.
2. On the root system, no one should be allowed access, so the root system should only have a verified minimum of software (ssh, nginx, iptables and nothing else).
3. If you need direct access to any ports inside virtual machines, forwarding needs to be done using iptables.
Moments left behind the scenes for simplicity of the article.
1. / var / lib / vservers / * it is desirable to place on lvm in order to be able to manage the allocation of space for virtual machines independently.
2. Resource management: simply created virtual machine can eat all the resources of the machine. Learn more about setting limits linux-vserver.org/Resource_Limits
3. / tmp /. Inside the default virtualok / tmp / is created as a ramdisk in 16m size. Or right before “vserver $ NAME start”, fix / etc / vservers / $ NAME / fstab
4. Useful information, information, etc. about linux-vserver can be found on linux-vserver.org
If there are useful questions, I will put the detailed answers to them in the topic.
Source: https://habr.com/ru/post/213995/
All Articles