OpenVZ Virtuozzo Containers Wiki - User contributions [en]

User:Wese

2008-08-19T10:05:37Z

Wese:

== About ==

* HostNode: Debian Etch, OpenVz Stable
* Munin-OpenVZ Plugin: [http://blog.dead.at/2007/11/munin-plugin-openvz.html here]
* Munin-OpenVZ Plugin V2: [http://blog.dead.at/2008/08/munin-plugin-openvz-v2 here]
== Contact ==

* ICQ: 14393012
* Homepage: [http://www.dead.at here]

Monitoring openvz resources using munin

2008-08-14T15:23:56Z

Wese: Added usage example

[[Category: Monitoring]]

There are several plugins available on this page to monitor beancounter values in [http://munin.projects.linpro.no/ Munin].
The third one tries to combine the other two.

= "Simple" munin plugin =

The plugin listed below grabs all the beancounters' values.

<source lang="bash">
#!/bin/sh
#
# plugin to monitor OpenVZ bean counters.
#
#
#%# family=auto
#%# capabilities=autoconf suggest

ATTR=`basename $0 | sed 's/^vebc_//g'`

if [ "$1" = "autoconf" ]; then
if [ -r /proc/bc/0/resources ]; then
echo yes
exit 0
else
echo "no (/proc/bc/0/resources not found)"
exit 1
fi
fi

if [ "$1" = "suggest" ]; then
if [ -r /proc/bc/0/resources ]; then
cat /proc/bc/0/resources |
while read str; do
vals=($str)
echo ${vals[0]}
done
exit 0
else
exit 1
fi
fi

if [ "$1" = "config" ]; then
# echo "graph_order down up"
echo "graph_title $ATTR beancounter for containers"
echo 'graph_category system'
echo "graph_info 'Containers beancounters info'"

for CTID in `ls -d1 /proc/bc/???`; do
id=`basename $CTID`
grep $ATTR $CTID/resources |
while read str; do

vals=($str)
name=${vals[0]}
echo ${id}.label $id
echo "${id}.warning ${vals[3]}"
echo "${id}.critical ${vals[4]}"
done
done

exit 0
fi;

for CTID in `ls -d1 /proc/bc/???`; do
id=`basename $CTID`
grep $ATTR $CTID/resources |
while read str; do
vals=($str)
name=${vals[0]}
echo "$id.value ${vals[1]}"
done
done
</source>

= Extended Version for old system using user_beancounter =

Put it with the munin plugins and make a link for every
graph which should be produced named like:

vebc_VALUENAME1_VALUENAME2_..._CTID

e.g.: vebc_numflock_numpty_numsiginfo_101

<source lang="bash">
#!/bin/sh
#
# plugin to monitor OpenVZ bean counters.
#
#
#%# family=auto
#%# capabilities=autoconf suggest

ATTR=`basename $0 | sed -e 's/^vebc_.*_//'`
STATS=`basename $0 | sed -e 's/^vebc_//' -e 's/_[0-9]*$//' -e 's/_/ /g'`

if [ "$1" = "autoconf" ]; then
if [ -r /proc/bc/0/resources ]; then
echo yes
exit 0
else
echo "no (/proc/bc/0/resources not found)"
exit 1
fi
fi

if [ "$1" = "suggest" ]; then
if [ -r /proc/bc/0/resources ]; then
cat /proc/bc/0/resources |
while read str; do
vals=($str)
echo ${vals[0]}
done
exit 0
else
exit 1
fi
fi

if [ "$1" = "config" ]; then
# echo "graph_order down up"
echo "graph_title beancounter for CT$ATTR: $STATS"
echo "graph_category CT$ATTR"
echo "graph_info 'Container bean counters info'"

readme="false"
cat /proc/user_beancounters | while read myid stuff; do
line=""
if [ "$myid" == "$ATTR:" ]; then
readme="true"
line="$stuff"
echo $line
else
loid=`echo $myid | sed -e 's/.*:/:/'`
if [ "$loid" == ":" ]; then
readme="false"
fi
if [ "$readme" == "true" ]; then
line="$myid $stuff"
echo $line
fi
fi
done | while read name value top warn max; do
okname="dummy"
for statname in $STATS; do
if [ "$name" == "$statname" ]; then
okname=$name
fi
done

if [ "$okname" != "dummy" ]; then
echo $okname.label $name
echo $okname.warning $warn
echo $okname.critical $max
fi
done
exit 0
fi;

readme="false"
cat /proc/user_beancounters | while read myid stuff; do
line=""
if [ "$myid" == "$ATTR:" ]; then
readme="true"
line="$stuff"
echo $line
else
loid=`echo $myid | sed -e 's/.*:/:/'`
if [ "$loid" == ":" ]; then
readme="false"
fi
if [ "$readme" == "true" ]; then
line="$myid $stuff"
echo $line
fi
fi
done | while read name value x; do
okname="dummy"
for statname in $STATS; do
if [ "$name" == "$statname" ]; then
okname=$name
fi
done
if [ "$okname" != "dummy" ]; then
echo $okname.value $value
fi

done
</source>

This is not too performant but should do and the graphs are much
more readable then the first solution.

= Extended plugin from Jan Tomasek =
* Jan has posted another plugin on http://forum.openvz.org/index.php?t=msg&goto=15122, where I've fixed two things:
*# "exit 0" in the "config" block
*# Replaced "vals=($str); echo ${vals[0]}" with "echo ${str%% *}" (the former was causing problems I don't remember anymore)
* v1.3.2 (2008/08/09)
*# If only 1 variable is graphed, also display maxheld, barrier and limit
<source lang="bash">
#!/bin/sh
#
# Munin's plugin to monitor OpenVZ bean counters.
#
# $Log$
# Revision 1.3 2007/07/19 12:57:00 Jan Tomasek <jan@tomasek.cz>
# * rewrited to work with /proc/bc/<VEID>/resources instead of
# /proc/user_beancounters, that simplified code and result
# is also bit faster.
# * added references to OpenVZ wiki
# Revision 1.3.1 2008/05/13 01:26:00 Daniel Hahler <http://daniel.hahler.de/>
# * Minor fixes
# - "exit 0" in "config" block
# - Use "echo ${str%% *}" in "suggest", instead of "vals=($str); echo ${vals[0]}"
#
# Revision 1.3.2 2008/08/09 12:30:00 Christian Rubbert <crubbert@xrc.de>
# * Feature
# - If only 1 variable is graphed, also display maxheld, barrier and limit
#
# Original revision taken from:
# http://wiki.openvz.org/Monitoring_openvz_resources_using_munin
#
#%# family=auto
#%# capabilities=autoconf suggest

VEID=`basename $0 | sed -e 's/^vebc_.*_//'`;
STATS=`basename $0 | sed -e 's/^vebc_//' -e 's/_[0-9]*$//' -e 's/_/ /g'`
x=0; STATSCNT=`for i in $STATS; do x=$[$x+1]; done; echo $x`

if [ "$1" = "autoconf" ]; then
if [ -r /proc/bc/0/resources ]; then
echo yes
exit 0
else
echo "no (/proc/bc/0/resources not found)"
exit 1
fi
fi

if [ "$1" = "suggest" ]; then
if [ -r /proc/bc/0/resources ]; then
cat /proc/bc/0/resources | while read str; do
# Print everything before " "
echo ${str%% *}
done
exit 0
else
exit 1
fi
fi

if [ ! -f /proc/bc/$VEID/resources ]; then
exit 0;
fi

if [ "$1" = "config" ]; then
#echo "graph_order down up"
echo "graph_title VE$VEID: $STATS"
echo "graph_vlabel bean counters"
echo "graph_category VE$VEID"

# Note on URLs. General graph info is by munin version 1.2.5
# accepted even with HTML code. But for value.info it escapes URL,
# I expect that authors of munin will note that in future and put
# escaping even for graph.info.
echo "graph_info VE bean counters info. Documentation of the OpenVZ resource management is located at <a href=\"
http://wiki.openvz.org/UBC\">http://wiki.openvz.org/UBC</a>."

cat /proc/bc/$VEID/resources | while read name value top warn max stuff ; do
for statname in $STATS; do
if [ "$name" = "$statname" ]; then
URL="http://wiki.openvz.org/$name"
if [ "$warn" = "0" ]; then
warn=$max
fi
echo $name.label $name
echo $name.warning $warn
echo $name.critical $max
echo $name.info Description of this resource is located at $URL
fi
done
done

if [ "$STATSCNT" == "1" ]; then
echo maxheld.label Maxheld
echo maxheld.draw LINE2
echo maxheld.info Maximum value
echo barrier.label Barrier
echo barrier.draw LINE2
echo barrier.info Barrier
echo limit.label Limit
echo limit.draw LINE2
echo limit.info Limit
fi
exit 0
fi;

cat /proc/bc/$VEID/resources | while read name value top warn max stuff ; do
for statname in $STATS; do
if [ "$name" = "$statname" ]; then
echo $name".value "$value;

if [ "$STATSCNT" == "1" ]; then
echo maxheld.value $top
echo barrier.value $warn
echo limit.value $max
fi
fi
done
done</source>

= Munin plugin setup =
== Run as root ==
Please note, you have to configure plugin to run as root. Therefore, add the following to /etc/munin/plugin-conf.d/ somewhere:
[vebc*]
user root

== Installing the plugins ==
There's a single plugin file, which can be installed several times and can put several values into the same graph.
You should install the plugin from above to e.g. <code>/usr/local/share/munin/plugins/vebc_</code> and then put symlinks to there from /etc/munin/plugins.
The following script allows you to handle this easily:
To install this, you can use the following script:
<source lang="bash">
#!/bin/bash

FILE=`mktemp /tmp/ln-vebc-XXXXXX`

cd /etc/munin/plugins

for resources in kmemsize \
lockedpages_privvmpages_shmpages_physpages_vmguarpages_oomguarpages \
numproc \
numtcpsock_numflock_numpty_numsiginfo_numothersock_numiptent \
tcpsndbuf_tcprcvbuf_othersockbuf_dgramrcvbuf \
dcachesize \
numfile
do
for VE in 0 `/usr/sbin/vzlist | sed "s/^ *//" |grep '^[0-9]' | cut -f 1 -d " "` ; do
ln -sf /usr/local/share/munin/plugins/vebc_ "vebc_"$resources"_"$VE
echo "vebc_"$resources"_"$VE >> $FILE
done
done

# remove no longer deserved links (ie. links pointing to machines
# which were destroyed or stoped)

find -type l -name vebc_\* | sed "s/\.\///" | while read LN; do
if grep ^$LN$ $FILE >/dev/null; then
true
else
rm $LN
fi
done

rm $FILE
</source>

= Alternative: Using vzlist =
This simple script will generate an overview of the requested stat from all VE's.
When using vzlist your saved from any changes to the beancounters.

== Usage ==
Simply append the variable you want to monitor:
<source lang="bash">ln -s /usr/share/munin/plugins/openvz_ /etc/munin/plugins/openvz_physpages</source>

<source lang="bash">
#!/bin/sh
#
# Munin's plugin to monitor OpenVZ bean counters.
#
# $Log$
# 2008/08/14 Rene Weselowski <http://www.dead.at>
#
#%# family=auto
#%# capabilities=autoconf

ATTRIBUTE=`basename $0 | sed 's/^openvz_//g'`

if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi

if [ "$1" = "config" ]; then
echo "graph_title $ATTRIBUTE"
echo "graph_args --base 1000 -l 0"
echo "graph_scale yes"
echo "graph_vlabel $ATTRIBUTE Value"
echo "graph_category openvz"
echo "graph_info This graph shows OpenVZ: $ATTRIBUTE"
vzlist -a -H -o hostname | awk '{gsub(/\./,"_",$1)
print("'$ATTRIBUTE'"$1".label "$1"\n" \
"'$ATTRIBUTE'"$1".info '$ATTRIBUTE' for VE"$1)}'
exit 0
fi

vzlist -a -H -o hostname,$ATTRIBUTE | awk '{gsub(/\./,"_",$1)
print("'$ATTRIBUTE'"$1".value "$2)}'

</source>

Monitoring openvz resources using munin

2008-08-14T15:19:12Z

Wese: Added script which parses vzlist

[[Category: Monitoring]]

There are several plugins available on this page to monitor beancounter values in [http://munin.projects.linpro.no/ Munin].
The third one tries to combine the other two.

= "Simple" munin plugin =

The plugin listed below grabs all the beancounters' values.

<source lang="bash">
#!/bin/sh
#
# plugin to monitor OpenVZ bean counters.
#
#
#%# family=auto
#%# capabilities=autoconf suggest

ATTR=`basename $0 | sed 's/^vebc_//g'`

if [ "$1" = "autoconf" ]; then
if [ -r /proc/bc/0/resources ]; then
echo yes
exit 0
else
echo "no (/proc/bc/0/resources not found)"
exit 1
fi
fi

if [ "$1" = "suggest" ]; then
if [ -r /proc/bc/0/resources ]; then
cat /proc/bc/0/resources |
while read str; do
vals=($str)
echo ${vals[0]}
done
exit 0
else
exit 1
fi
fi

if [ "$1" = "config" ]; then
# echo "graph_order down up"
echo "graph_title $ATTR beancounter for containers"
echo 'graph_category system'
echo "graph_info 'Containers beancounters info'"

for CTID in `ls -d1 /proc/bc/???`; do
id=`basename $CTID`
grep $ATTR $CTID/resources |
while read str; do

vals=($str)
name=${vals[0]}
echo ${id}.label $id
echo "${id}.warning ${vals[3]}"
echo "${id}.critical ${vals[4]}"
done
done

exit 0
fi;

for CTID in `ls -d1 /proc/bc/???`; do
id=`basename $CTID`
grep $ATTR $CTID/resources |
while read str; do
vals=($str)
name=${vals[0]}
echo "$id.value ${vals[1]}"
done
done
</source>

= Extended Version for old system using user_beancounter =

Put it with the munin plugins and make a link for every
graph which should be produced named like:

vebc_VALUENAME1_VALUENAME2_..._CTID

e.g.: vebc_numflock_numpty_numsiginfo_101

<source lang="bash">
#!/bin/sh
#
# plugin to monitor OpenVZ bean counters.
#
#
#%# family=auto
#%# capabilities=autoconf suggest

ATTR=`basename $0 | sed -e 's/^vebc_.*_//'`
STATS=`basename $0 | sed -e 's/^vebc_//' -e 's/_[0-9]*$//' -e 's/_/ /g'`

if [ "$1" = "autoconf" ]; then
if [ -r /proc/bc/0/resources ]; then
echo yes
exit 0
else
echo "no (/proc/bc/0/resources not found)"
exit 1
fi
fi

if [ "$1" = "suggest" ]; then
if [ -r /proc/bc/0/resources ]; then
cat /proc/bc/0/resources |
while read str; do
vals=($str)
echo ${vals[0]}
done
exit 0
else
exit 1
fi
fi

if [ "$1" = "config" ]; then
# echo "graph_order down up"
echo "graph_title beancounter for CT$ATTR: $STATS"
echo "graph_category CT$ATTR"
echo "graph_info 'Container bean counters info'"

readme="false"
cat /proc/user_beancounters | while read myid stuff; do
line=""
if [ "$myid" == "$ATTR:" ]; then
readme="true"
line="$stuff"
echo $line
else
loid=`echo $myid | sed -e 's/.*:/:/'`
if [ "$loid" == ":" ]; then
readme="false"
fi
if [ "$readme" == "true" ]; then
line="$myid $stuff"
echo $line
fi
fi
done | while read name value top warn max; do
okname="dummy"
for statname in $STATS; do
if [ "$name" == "$statname" ]; then
okname=$name
fi
done

if [ "$okname" != "dummy" ]; then
echo $okname.label $name
echo $okname.warning $warn
echo $okname.critical $max
fi
done
exit 0
fi;

readme="false"
cat /proc/user_beancounters | while read myid stuff; do
line=""
if [ "$myid" == "$ATTR:" ]; then
readme="true"
line="$stuff"
echo $line
else
loid=`echo $myid | sed -e 's/.*:/:/'`
if [ "$loid" == ":" ]; then
readme="false"
fi
if [ "$readme" == "true" ]; then
line="$myid $stuff"
echo $line
fi
fi
done | while read name value x; do
okname="dummy"
for statname in $STATS; do
if [ "$name" == "$statname" ]; then
okname=$name
fi
done
if [ "$okname" != "dummy" ]; then
echo $okname.value $value
fi

done
</source>

This is not too performant but should do and the graphs are much
more readable then the first solution.

= Extended plugin from Jan Tomasek =
* Jan has posted another plugin on http://forum.openvz.org/index.php?t=msg&goto=15122, where I've fixed two things:
*# "exit 0" in the "config" block
*# Replaced "vals=($str); echo ${vals[0]}" with "echo ${str%% *}" (the former was causing problems I don't remember anymore)
* v1.3.2 (2008/08/09)
*# If only 1 variable is graphed, also display maxheld, barrier and limit
<source lang="bash">
#!/bin/sh
#
# Munin's plugin to monitor OpenVZ bean counters.
#
# $Log$
# Revision 1.3 2007/07/19 12:57:00 Jan Tomasek <jan@tomasek.cz>
# * rewrited to work with /proc/bc/<VEID>/resources instead of
# /proc/user_beancounters, that simplified code and result
# is also bit faster.
# * added references to OpenVZ wiki
# Revision 1.3.1 2008/05/13 01:26:00 Daniel Hahler <http://daniel.hahler.de/>
# * Minor fixes
# - "exit 0" in "config" block
# - Use "echo ${str%% *}" in "suggest", instead of "vals=($str); echo ${vals[0]}"
#
# Revision 1.3.2 2008/08/09 12:30:00 Christian Rubbert <crubbert@xrc.de>
# * Feature
# - If only 1 variable is graphed, also display maxheld, barrier and limit
#
# Original revision taken from:
# http://wiki.openvz.org/Monitoring_openvz_resources_using_munin
#
#%# family=auto
#%# capabilities=autoconf suggest

VEID=`basename $0 | sed -e 's/^vebc_.*_//'`;
STATS=`basename $0 | sed -e 's/^vebc_//' -e 's/_[0-9]*$//' -e 's/_/ /g'`
x=0; STATSCNT=`for i in $STATS; do x=$[$x+1]; done; echo $x`

if [ "$1" = "autoconf" ]; then
if [ -r /proc/bc/0/resources ]; then
echo yes
exit 0
else
echo "no (/proc/bc/0/resources not found)"
exit 1
fi
fi

if [ "$1" = "suggest" ]; then
if [ -r /proc/bc/0/resources ]; then
cat /proc/bc/0/resources | while read str; do
# Print everything before " "
echo ${str%% *}
done
exit 0
else
exit 1
fi
fi

if [ ! -f /proc/bc/$VEID/resources ]; then
exit 0;
fi

if [ "$1" = "config" ]; then
#echo "graph_order down up"
echo "graph_title VE$VEID: $STATS"
echo "graph_vlabel bean counters"
echo "graph_category VE$VEID"

# Note on URLs. General graph info is by munin version 1.2.5
# accepted even with HTML code. But for value.info it escapes URL,
# I expect that authors of munin will note that in future and put
# escaping even for graph.info.
echo "graph_info VE bean counters info. Documentation of the OpenVZ resource management is located at <a href=\"
http://wiki.openvz.org/UBC\">http://wiki.openvz.org/UBC</a>."

cat /proc/bc/$VEID/resources | while read name value top warn max stuff ; do
for statname in $STATS; do
if [ "$name" = "$statname" ]; then
URL="http://wiki.openvz.org/$name"
if [ "$warn" = "0" ]; then
warn=$max
fi
echo $name.label $name
echo $name.warning $warn
echo $name.critical $max
echo $name.info Description of this resource is located at $URL
fi
done
done

if [ "$STATSCNT" == "1" ]; then
echo maxheld.label Maxheld
echo maxheld.draw LINE2
echo maxheld.info Maximum value
echo barrier.label Barrier
echo barrier.draw LINE2
echo barrier.info Barrier
echo limit.label Limit
echo limit.draw LINE2
echo limit.info Limit
fi
exit 0
fi;

cat /proc/bc/$VEID/resources | while read name value top warn max stuff ; do
for statname in $STATS; do
if [ "$name" = "$statname" ]; then
echo $name".value "$value;

if [ "$STATSCNT" == "1" ]; then
echo maxheld.value $top
echo barrier.value $warn
echo limit.value $max
fi
fi
done
done</source>

= Munin plugin setup =
== Run as root ==
Please note, you have to configure plugin to run as root. Therefore, add the following to /etc/munin/plugin-conf.d/ somewhere:
[vebc*]
user root

== Installing the plugins ==
There's a single plugin file, which can be installed several times and can put several values into the same graph.
You should install the plugin from above to e.g. <code>/usr/local/share/munin/plugins/vebc_</code> and then put symlinks to there from /etc/munin/plugins.
The following script allows you to handle this easily:
To install this, you can use the following script:
<source lang="bash">
#!/bin/bash

FILE=`mktemp /tmp/ln-vebc-XXXXXX`

cd /etc/munin/plugins

for resources in kmemsize \
lockedpages_privvmpages_shmpages_physpages_vmguarpages_oomguarpages \
numproc \
numtcpsock_numflock_numpty_numsiginfo_numothersock_numiptent \
tcpsndbuf_tcprcvbuf_othersockbuf_dgramrcvbuf \
dcachesize \
numfile
do
for VE in 0 `/usr/sbin/vzlist | sed "s/^ *//" |grep '^[0-9]' | cut -f 1 -d " "` ; do
ln -sf /usr/local/share/munin/plugins/vebc_ "vebc_"$resources"_"$VE
echo "vebc_"$resources"_"$VE >> $FILE
done
done

# remove no longer deserved links (ie. links pointing to machines
# which were destroyed or stoped)

find -type l -name vebc_\* | sed "s/\.\///" | while read LN; do
if grep ^$LN$ $FILE >/dev/null; then
true
else
rm $LN
fi
done

rm $FILE
</source>

= Alternative: Using vzlist =
This simple script will generate an overview of the requested stat from all VE's.
When using vzlist your saved from any changes to the beancounters.

<source lang="bash">
#!/bin/sh
#
# Munin's plugin to monitor OpenVZ bean counters.
#
# $Log$
#
# 2008/08/14 Rene Weselowski <http://www.dead.at>
#
#
#%# family=auto
#%# capabilities=autoconf

ATTRIBUTE=`basename $0 | sed 's/^openvz_//g'`

if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi

if [ "$1" = "config" ]; then
echo "graph_title $ATTRIBUTE"
echo "graph_args --base 1000 -l 0"
echo "graph_scale yes"
echo "graph_vlabel $ATTRIBUTE Value"
echo "graph_category openvz"
echo "graph_info This graph shows OpenVZ: $ATTRIBUTE"
vzlist -a -H -o hostname | awk '{gsub(/\./,"_",$1)
print("'$ATTRIBUTE'"$1".label "$1"\n" \
"'$ATTRIBUTE'"$1".info '$ATTRIBUTE' for VE"$1)}'
exit 0
fi

vzlist -a -H -o hostname,$ATTRIBUTE | awk '{gsub(/\./,"_",$1)
print("'$ATTRIBUTE'"$1".value "$2)}'

</source>

User:Wese

2007-12-17T07:50:49Z

Wese: New page: == About == * HostNode: Debian Etch, OpenVz Stable * Munin-OpenVZ Plugin: [http://blog.dead.at/2007/11/munin-plugin-openvz.html here] == Contact == * ICQ: 14393012 * Homepage: [http://w...

== About ==

* HostNode: Debian Etch, OpenVz Stable
* Munin-OpenVZ Plugin: [http://blog.dead.at/2007/11/munin-plugin-openvz.html here]

== Contact ==

* ICQ: 14393012
* Homepage: [http://www.dead.at here]

Talk:Physical to container

2007-12-17T07:44:16Z

Wese:

== RSync Command ==
Please check the following command, Ive used with success:
rsync -arvpz --numeric-ids --exclude dev --exclude proc --exclude tmp --exclude mnt --exclude sys -e "ssh -l root@a.b.c.d" root@a.b.c.d:/ /vz/private/123/

== Migration Script ==

I composed a little Script to migrate a Debian Sarge Box to OpenVZ. (Some System specific steps have been removed)

<pre>#!/bin/sh
echo "Stopping VE 300..."
vzctl stop 300
echo "Creating base filesystem /dev /proc ..."
mknod /vz/private/300/dev/ptmx c 5 2
mkdir /vz/private/300/dev/pts
rm -f /vz/private/300/dev/null
mknod /vz/private/300/dev/null c 1 3
chmod o+rw /vz/private/300/dev/null
echo "Copy the tty's to VE and Set Permissions"
cp -r /dev/ttyp* /dev/ptyp* /vz/private/300/dev/
chmod o+wx /vz/private/300/dev/*typ*
echo "Creating /dev/random and Set Permissions"
mknod -m 644 /vz/private/300/dev/random c 1 8
mknod -m 644 /vz/private/300/dev/urandom c 1 9
chown root:root /vz/private/300/dev/random /vz/private/300/dev/urandom
echo "clearing mtab / fstab..."
echo -n > /vz/private/300/etc/fstab
rm /vz/private/300/etc/mtab
ln -s /proc/mounts /vz/private/300/etc/mtab
</pre>

Talk:Physical to container

2007-12-17T07:43:09Z

Wese: Migration Script

Please check the following command, Ive used with success:
rsync -arvpz --numeric-ids --exclude dev --exclude proc --exclude tmp --exclude mnt --exclude sys -e "ssh -l root@a.b.c.d" root@a.b.c.d:/ /vz/private/123/

== Migration Script ==

I composed a little Script to migrate a Debian Sarge Box to OpenVZ. (Some System specific steps have been removed)

<pre>#!/bin/sh
echo "Stopping VE 300..."
vzctl stop 300
echo "Creating base filesystem /dev /proc ..."
mknod /vz/private/300/dev/ptmx c 5 2
mkdir /vz/private/300/dev/pts
rm -f /vz/private/300/dev/null
mknod /vz/private/300/dev/null c 1 3
chmod o+rw /vz/private/300/dev/null
echo "Copy the tty's to VE and Set Permissions"
cp -r /dev/ttyp* /dev/ptyp* /vz/private/300/dev/
chmod o+wx /vz/private/300/dev/*typ*
echo "Creating /dev/random and Set Permissions"
mknod -m 644 /vz/private/300/dev/random c 1 8
mknod -m 644 /vz/private/300/dev/urandom c 1 9
chown root:root /vz/private/300/dev/random /vz/private/300/dev/urandom
echo "clearing mtab / fstab..."
echo -n > /vz/private/300/etc/fstab
rm /vz/private/300/etc/mtab
ln -s /proc/mounts /vz/private/300/etc/mtab
</pre>

Shared webhosting

2007-04-14T21:14:16Z

Wese: Sidenote on MySQL socket sharing

{{roughstub}}

== The problem ==

One of the problems with shared webhosting (i.e. different people with each his/her own webpages) is that modern script languages such as PHP, Python, or Perl are too powerful. For example take the following PHP script:

<pre>
<?php

function get_content($filename) {
$handle = fopen($filename, 'r');
echo fread($handle, filesize($filename));
fclose($handle);
}

get_content('/home/ppuk34/www/forum/config.inc.php');

?>
</pre>

With PHP you could use open_basedir to prevent this, but there are more ways. For example [http://mgeisler.net/php-shell/ PHP Shell], a script that is [http://mgeisler.net/downloads/phpshell/SECURITY often mis-used] by people with not-so-good intentions. Or think about the [http://www.f-secure.com/v-descs/santy_a.shtml Santy-worm] which mis-used phpBB. Again there is a solution in the form of safe_mode, but lots of PHP scripts break if you enable this. For Python, Perl, or CGI-scripts there are no easy ways and you have to use wrappers or other tricks to chroot these.

== The solution ==

[[Image:Shared hosting1.png|345px|right|The OpenVZ way of shared webhosting]]

You can waste hours of time in securing all the possible things you don't want in your shared webhosting environment. And unless you are very familiar with all the things modern scripting languages can do, you probably miss dozens of alternative routes. In this process you frustrate your clients, because security always means that legitimate things break. As a side effect of your hard work, you can waste hours of extra time in educating your users. But in the end most users don't care about security, unless they are themselves victims of a compromised host. Learning the hard way is by far the most effective method. One possible solution is dedicated webhosting, but most users don't have the experience to maintain a server or it is way to expensive for them.

The main problem with shared webhosting is that by its very nature all files which are served through the web are public. Apache for example uses only one account to read all files. As said, you can use tricks with CGI wrappers to execute the scripting languages under its own credentials. However this kind of security depends on the wrappers ability to securely separate the users. We all know that if this is broken — and most often it will be broken — the result is a higher clearance on the underlying filesystem. For most systems you need more than one wrapper, so the number of possible security problems grow. The ultimate user separation is in the kernel and you can view the modifications OpenVZ has done in this light. Instead of CGI wrappers we go one step higher and give every user its own minimal server. In the rest of this article we describe how shared webhosting with OpenVZ could be implemented.

=== Minimal server ===

Create an VEx with your favorite distro. Give it an internal IP-address in one of the ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. Then strip away all unnecessary init.d scripts so only the bare minimum is started. That means as a minimum syslogd and ssh so the account holder can upload his/her files through SCP/SFTP in his/her own minimal server. For this to work you need to set up [[Using NAT for VE with private IPs|destination NAT on VE0]] from high numbered ports to port 22 on the given private IP address:

<pre>
dnat="-j DNAT --to-destination"

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 10122 $dnat 192.168.13.101:22
iptables -t nat -A PREROUTING -p TCP --dport 10222 $dnat 192.168.13.102:22
...
</pre>

The other thing you want for webhosting is of course a webserver as well. To minimize the amount of needed memory, we choose [http://www.lighttpd.net/ Lighttpd] instead of the common Apache. Then configure the scripting language of your choice to run under this webserver. It is possible to use different languages/setups for different accounts as well. Also problematic CGI-scripts are not problematic anymore...

=== MySQL server ===

Most webhosting accounts use MySQL, but if you prefer another database server, go ahead. Create a new VEx with a lot more resources and again an internal IP-address. Now configure the accounts. As an extra security measure you can use the internal IP-address as well.

==== MySQL socket sharing ====

You can also share the socket of an VEx running MySQL, which is alot faster than TCP/IP.
e.g.:
<pre>
ln /var/lib/vz/private/101/var/run/mysqld/mysqld.sock /var/lib/vz/private/102/var/run/mysqld/mysqld.sock
</pre>
Inside of 102:
<pre>
$ mysql -u root -p -S /var/run/mysqld/mysqld.sock
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9 to server version: 5.0.32-Debian_7etch1-log
</pre>

=== Proxy webserver ===

Because we have only one public IP-address, we need an trick to access every minimal server based on the hostname in the HTTP request. For SSH we used different ports, but that is not an option for websites. Again we create an VEx with an internal IP-address. On this server we install Lighttpd as well, because the proxying is very simple. First we must forward port 80 to this server:

<pre>
dnat="-j DNAT --to-destination"

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -A PREROUTING -p TCP -d <external IP-address> --dport 80 $dnat 192.168.13.11:80
iptables -t nat -A PREROUTING -p TCP --dport 10122 $dnat 192.168.13.101:22
iptables -t nat -A PREROUTING -p TCP --dport 10222 $dnat 192.168.13.102:22
...
</pre>

Then we create for every website an section in /etc/lighttpd/lighttpd.conf as follows:

<pre>
$HTTP["host"] == "ve101.armorica.tk" {
proxy.server = ( "" => ( ( "host" => "192.168.13.101" ) ) )
}
</pre>

You can map more names to the same IP-address if needed. The last step is to add mod_proxy to the server.modules section.

For apache add a VirtualHost directive

<pre>
<VirtualHost external-IP-address:80>
ServerName mydomainnameishere.com
RewriteEngine On
RewriteRule ^(.*)$ http://192.168.2.101$1 [P]
RewriteRule ^(.*)$ http://mydomainnameishere.com$1 [P]
</VirtualHost>

<VirtualHost external-IP-address:80>
ServerName mydomainnameishere.com
RewriteEngine On
RewriteRule ^(.*)$ http://192.168.2.101$1 [P]
RewriteRule ^(.*)$ http://www.mydomainnameishere.com$1 [P]
</VirtualHost>
</pre>

=== Other applications ===

Create for other applications as mail, make sure that the minimal servers use this one for sending mail from webpages, DNS etc. VEx as needed. The resulting server is shown in the figure above.

[[Category:HOWTO]]

Shared webhosting

2007-04-14T21:11:22Z

Wese: MySQL Sharing via Socket

{{roughstub}}

== The problem ==

One of the problems with shared webhosting (i.e. different people with each his/her own webpages) is that modern script languages such as PHP, Python, or Perl are too powerful. For example take the following PHP script:

<pre>
<?php

function get_content($filename) {
$handle = fopen($filename, 'r');
echo fread($handle, filesize($filename));
fclose($handle);
}

get_content('/home/ppuk34/www/forum/config.inc.php');

?>
</pre>

With PHP you could use open_basedir to prevent this, but there are more ways. For example [http://mgeisler.net/php-shell/ PHP Shell], a script that is [http://mgeisler.net/downloads/phpshell/SECURITY often mis-used] by people with not-so-good intentions. Or think about the [http://www.f-secure.com/v-descs/santy_a.shtml Santy-worm] which mis-used phpBB. Again there is a solution in the form of safe_mode, but lots of PHP scripts break if you enable this. For Python, Perl, or CGI-scripts there are no easy ways and you have to use wrappers or other tricks to chroot these.

== The solution ==

[[Image:Shared hosting1.png|345px|right|The OpenVZ way of shared webhosting]]

You can waste hours of time in securing all the possible things you don't want in your shared webhosting environment. And unless you are very familiar with all the things modern scripting languages can do, you probably miss dozens of alternative routes. In this process you frustrate your clients, because security always means that legitimate things break. As a side effect of your hard work, you can waste hours of extra time in educating your users. But in the end most users don't care about security, unless they are themselves victims of a compromised host. Learning the hard way is by far the most effective method. One possible solution is dedicated webhosting, but most users don't have the experience to maintain a server or it is way to expensive for them.

The main problem with shared webhosting is that by its very nature all files which are served through the web are public. Apache for example uses only one account to read all files. As said, you can use tricks with CGI wrappers to execute the scripting languages under its own credentials. However this kind of security depends on the wrappers ability to securely separate the users. We all know that if this is broken — and most often it will be broken — the result is a higher clearance on the underlying filesystem. For most systems you need more than one wrapper, so the number of possible security problems grow. The ultimate user separation is in the kernel and you can view the modifications OpenVZ has done in this light. Instead of CGI wrappers we go one step higher and give every user its own minimal server. In the rest of this article we describe how shared webhosting with OpenVZ could be implemented.

=== Minimal server ===

Create an VEx with your favorite distro. Give it an internal IP-address in one of the ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. Then strip away all unnecessary init.d scripts so only the bare minimum is started. That means as a minimum syslogd and ssh so the account holder can upload his/her files through SCP/SFTP in his/her own minimal server. For this to work you need to set up [[Using NAT for VE with private IPs|destination NAT on VE0]] from high numbered ports to port 22 on the given private IP address:

<pre>
dnat="-j DNAT --to-destination"

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 10122 $dnat 192.168.13.101:22
iptables -t nat -A PREROUTING -p TCP --dport 10222 $dnat 192.168.13.102:22
...
</pre>

The other thing you want for webhosting is of course a webserver as well. To minimize the amount of needed memory, we choose [http://www.lighttpd.net/ Lighttpd] instead of the common Apache. Then configure the scripting language of your choice to run under this webserver. It is possible to use different languages/setups for different accounts as well. Also problematic CGI-scripts are not problematic anymore...

=== MySQL server ===

Most webhosting accounts use MySQL, but if you prefer another database server, go ahead. Create a new VEx with a lot more resources and again an internal IP-address. Now configure the accounts. As an extra security measure you can use the internal IP-address as well.

==== MySQL socket sharing ====

You can also share the socket of an VEx running MySQL.
e.g.:
<pre>
ln /var/lib/vz/private/101/var/run/mysqld/mysqld.sock /var/lib/vz/private/102/var/run/mysqld/mysqld.sock
</pre>
Inside of 102:
<pre>
$ mysql -u root -p -S /var/run/mysqld/mysqld.sock
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9 to server version: 5.0.32-Debian_7etch1-log
</pre>

=== Proxy webserver ===

Because we have only one public IP-address, we need an trick to access every minimal server based on the hostname in the HTTP request. For SSH we used different ports, but that is not an option for websites. Again we create an VEx with an internal IP-address. On this server we install Lighttpd as well, because the proxying is very simple. First we must forward port 80 to this server:

<pre>
dnat="-j DNAT --to-destination"

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -A PREROUTING -p TCP -d <external IP-address> --dport 80 $dnat 192.168.13.11:80
iptables -t nat -A PREROUTING -p TCP --dport 10122 $dnat 192.168.13.101:22
iptables -t nat -A PREROUTING -p TCP --dport 10222 $dnat 192.168.13.102:22
...
</pre>

Then we create for every website an section in /etc/lighttpd/lighttpd.conf as follows:

<pre>
$HTTP["host"] == "ve101.armorica.tk" {
proxy.server = ( "" => ( ( "host" => "192.168.13.101" ) ) )
}
</pre>

You can map more names to the same IP-address if needed. The last step is to add mod_proxy to the server.modules section.

For apache add a VirtualHost directive

<pre>
<VirtualHost external-IP-address:80>
ServerName mydomainnameishere.com
RewriteEngine On
RewriteRule ^(.*)$ http://192.168.2.101$1 [P]
RewriteRule ^(.*)$ http://mydomainnameishere.com$1 [P]
</VirtualHost>

<VirtualHost external-IP-address:80>
ServerName mydomainnameishere.com
RewriteEngine On
RewriteRule ^(.*)$ http://192.168.2.101$1 [P]
RewriteRule ^(.*)$ http://www.mydomainnameishere.com$1 [P]
</VirtualHost>
</pre>

=== Other applications ===

Create for other applications as mail, make sure that the minimal servers use this one for sending mail from webpages, DNS etc. VEx as needed. The resulting server is shown in the figure above.

[[Category:HOWTO]]

Talk:Shared webhosting

2007-04-14T21:06:54Z

Wese: MySQL Socket Sharing

--[[User:Hvdkamer|Hvdkamer]] 08:23, 2 August 2006 (EDT)
I probably did something stupid, but how can I link from the HOWTO's to this page?
: If you want to link to the Category:HOWTO, you put it like this
: <code><nowiki>[[:Category:HOWTO HOWTOs (i.e. this is link text)]]</nowiki></code>
: If you want your article to be included into HOWTO category, you put it like this (in any part of the article, usually at the end):
: <code><nowiki>[[Category:HOWTO]]</nowiki></code>
: --[[User:Kir|Kir]] 09:51, 2 August 2006 (EDT)

== Rename? ==

I suggest renaming the article to something like "Application separation" or "Services separation" since this is what you actually describe :) --[[User:Kir|Kir]] 10:22, 2 August 2006 (EDT)

: Go ahead if you think it describes the content better. I started to investigate OpenVZ because I had serious problems with shared hosting. The minimal servers (it is only a rough draft at this moment) are the solution to that. You could see this as application seperation, but for the end-user it is a "normal" webhosting account. Only he/she can do much more and can not break his/her prison :-) --[[User:Hvdkamer|Hvdkamer]] 10:28, 2 August 2006 (EDT)

:: May be to explain better my choice. After some serious problems with PHP (users who knew where an include with passwords lived, could see the content) I started to investigate the option of Apache threads with its own user credentials. That was the abonded project perchild. So there is not an easy technical solution. Also users hate safe_mode and open_basedir because it breaks there applications. They also want obscure CGI-scripts and all the things we administrators hate. I already used chrooted OpenSSH shell accounts. With the minimal servers I take that one step further. Now every user has total control (he/she can even be root) over his/her space.

:: If I had to do my research again, I think I would still start with "shared webhosting". Not "application seperation". I think that my term, although not exactly correct, will draw more people to this site. I think of it as "user seperation", but that is the whole point of OpenVZ? As said, its your Wiki, so change it if you think it is better :-) --[[User:Hvdkamer|Hvdkamer]] 10:40, 2 August 2006 (EDT)

::: I changed the introduction to give some examples of the problems shared webhosting is facing. I think that you now could see were it is going? I'm still in the process of setting up this server. So I thought to start this page while I'm working on it. Because if you do it weeks later, most subtle points are lost :-) --[[User:Hvdkamer|Hvdkamer]] 11:42, 2 August 2006 (EDT)

== Proxying ==

I would suggest using [http://www.apsis.ch/pound/ Pound] as the Proxy Server running on your Frontend VE. Its a pretty lightweight and _fast_ Proxy. Besides proxying it does also support load balancing, failover and SSL. I've been using it for various projects over the past few years, its proven to be pretty stable and reliable. --[[User:Torsten|Torsten]] 14:51, 9th Nov 2006 (CST)

== MySQL Socket Sharing ==

I found it was a good idea sharing the MySQL Socket instead of using TCP/IP. (which is also <b>ALOT</b> faster)

<pre>
# 101 is the MySQL Server VEx (debian 4.0)
# 102 Another VEx (opensuse 10.0)
ln /var/lib/vz/private/101/var/run/mysqld/mysqld.sock /var/lib/vz/private/102/var/run/mysqld/mysqld.sock
</pre>

The result
<pre>
opensuse:/ # mysql -u root -p -S /var/run/mysqld/mysqld.sock
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9 to server version: 5.0.32-Debian_7etch1-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
</pre>