Editing Installation on Debian/old
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | |||
− | |||
OpenVZ consists of a kernel, user-level tools, and container templates. | OpenVZ consists of a kernel, user-level tools, and container templates. | ||
− | This guide tells how to install the kernel and the tools on [http://www.debian.org Debian] | + | This guide tells how to install the kernel and the tools on [http://www.debian.org Debian] stable. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Requirements == | == Requirements == | ||
=== Filesystems === | === Filesystems === | ||
− | It | + | It is recommended to use a separate partition for container private |
− | directories (by default <code>/var/lib/vz/private/<CTID></code>). The reason | + | directories (by default <code>/var/lib/vz/private/<CTID></code>). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that per-container quota in this context includes not only pure per-container quota but also usual Linux disk quota used in container, not on [[HN]]. |
− | At | + | At least try to avoid using root partition for containers because the root user of container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system. |
− | OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems | + | OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems so use one of these filesystems (ext3 is recommended) if you need per-container disk quota. |
− | === Repository setup | + | === Repository setup === |
− | |||
− | |||
− | |||
− | |||
At the moment two different repositories are online at http://download.openvz.org: | At the moment two different repositories are online at http://download.openvz.org: | ||
Line 43: | Line 29: | ||
{{Note|By default, on Ubuntu systems root tasks are executed with [https://help.ubuntu.com/community/RootSudo sudo]}} | {{Note|By default, on Ubuntu systems root tasks are executed with [https://help.ubuntu.com/community/RootSudo sudo]}} | ||
− | This can be | + | This can be achieved by the following commands, as root or as privileged "sudo" user |
<pre> | <pre> | ||
# echo -e "\ndeb http://download.openvz.org/debian-systs etch openvz" >> /etc/apt/sources.list | # echo -e "\ndeb http://download.openvz.org/debian-systs etch openvz" >> /etc/apt/sources.list | ||
Line 49: | Line 35: | ||
</pre> | </pre> | ||
− | + | There is even an '''lenny''' repository with kernel 2.6.24. '''Use it at your own risk!''' | |
− | |||
− | There is even | ||
− | |||
− | |||
<pre> | <pre> | ||
− | + | # echo -e "\ndeb http://download.openvz.org/debian-systs lenny openvz" >> /etc/apt/sources.list | |
− | + | # wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> | ||
− | |||
− | |||
== Kernel installation == | == Kernel installation == | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
{{Note|In case you want to recompile the OpenVZ kernel yourself on Debian, see [[Compiling the OpenVZ kernel (the Debian way)]].}} | {{Note|In case you want to recompile the OpenVZ kernel yourself on Debian, see [[Compiling the OpenVZ kernel (the Debian way)]].}} | ||
Line 136: | Line 92: | ||
</pre> | </pre> | ||
− | + | === Configuring the bootloader === | |
In case GRUB is used as the boot loader, it will be configured automatically, or execute update-grub; lines similar to these will be added to the <tt>/boot/grub/menu.lst</tt> file: | In case GRUB is used as the boot loader, it will be configured automatically, or execute update-grub; lines similar to these will be added to the <tt>/boot/grub/menu.lst</tt> file: | ||
Line 152: | Line 108: | ||
{{Note|per default on debian/ubuntu, a 2.6.22 kernel will boot before a 2.6.18, please check manually the grub boot order. See man update-grub for more details}} | {{Note|per default on debian/ubuntu, a 2.6.22 kernel will boot before a 2.6.18, please check manually the grub boot order. See man update-grub for more details}} | ||
− | ===== | + | === Rebooting into OpenVZ kernel === |
+ | |||
+ | {{Warning|Before you restart your Server, keep in mind, that your system has all needed modules enabled; booting from your harddisk (e.g. hardware modules, raid system(s), lvm2 etc). May you need a INITRD (initramdisk) or compile needed kernel modules statically in.}} | ||
+ | |||
+ | Now reboot the machine and choose the OpenVZ Linux Kernel on the boot loader menu. If the OpenVZ kernel has been booted successfully, proceed to installing the user-level tools for OpenVZ. | ||
+ | |||
+ | == Installing the user-level tools == | ||
OpenVZ needs some user-level tools installed. Those are: | OpenVZ needs some user-level tools installed. Those are: | ||
Line 163: | Line 125: | ||
<pre> | <pre> | ||
# [sudo] apt-get install vzctl vzquota | # [sudo] apt-get install vzctl vzquota | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> | ||
Line 215: | Line 133: | ||
There are a number of kernel parameters that should be set for OpenVZ to work correctly. These parameters are stored in <tt>/etc/sysctl.conf</tt> file. Here is the relevant part of the file; please edit it accordingly. | There are a number of kernel parameters that should be set for OpenVZ to work correctly. These parameters are stored in <tt>/etc/sysctl.conf</tt> file. Here is the relevant part of the file; please edit it accordingly. | ||
− | {{Note|vzctl version from debian-systs, | + | {{Note|vzctl version from debian-systs, automate changing sysctl options for openvz}} |
<pre> | <pre> | ||
Line 224: | Line 142: | ||
net.ipv4.conf.default.forwarding=1 | net.ipv4.conf.default.forwarding=1 | ||
− | net.ipv4.conf.default.proxy_arp=0 | + | net.ipv4.conf.default.proxy_arp = 0 |
net.ipv4.ip_forward=1 | net.ipv4.ip_forward=1 | ||
# Enables source route verification | # Enables source route verification | ||
− | net.ipv4.conf.all.rp_filter=1 | + | net.ipv4.conf.all.rp_filter = 1 |
# Enables the magic-sysrq key | # Enables the magic-sysrq key | ||
− | kernel.sysrq=1 | + | kernel.sysrq = 1 |
# TCP Explict Congestion Notification | # TCP Explict Congestion Notification | ||
− | #net.ipv4.tcp_ecn=0 | + | #net.ipv4.tcp_ecn = 0 |
# we do not want all our interfaces to send redirects | # we do not want all our interfaces to send redirects | ||
− | net.ipv4.conf.default.send_redirects=1 | + | net.ipv4.conf.default.send_redirects = 1 |
− | net.ipv4.conf.all.send_redirects=0 | + | net.ipv4.conf.all.send_redirects = 0 |
[...] | [...] | ||
Line 249: | Line 167: | ||
(Debian vz root directory is /var/lib/vz to be FHS-compliant.}} | (Debian vz root directory is /var/lib/vz to be FHS-compliant.}} | ||
− | # [sudo] ln -s /var/lib/vz /vz | + | # [sudo] ln -s /var/lib/vz /vz |
=== OS templates === | === OS templates === | ||
− | |||
− | |||
To install a container, you need OS template(s). | To install a container, you need OS template(s). | ||
− | Precreated templates can be found | + | Precreated templates can be found [http://download.openvz.org/contrib/template/precreated/ here]. |
You can create your own templates, see | You can create your own templates, see | ||
Line 264: | Line 180: | ||
{{Note|Setup your prefered standard OS Template : edit the /etc/vz/vz.conf}} | {{Note|Setup your prefered standard OS Template : edit the /etc/vz/vz.conf}} | ||
− | # [sudo] apt-get install vzctl-ostmpl-debian | + | # [sudo] apt-get install vzctl-ostmpl-debian |
== Additional User Tools == | == Additional User Tools == | ||
Line 276: | Line 192: | ||
# [sudo] apt-get install vzprocps vzdump | # [sudo] apt-get install vzprocps vzdump | ||
+ | == Start it! == | ||
+ | |||
+ | # [sudo] /etc/init.d/vz start | ||
+ | |||
+ | This does not make the vz system automatically start at boot time. For automatic start: | ||
+ | |||
+ | # [sudo] ln -s /etc/init.d/vz /etc/rc2.d/S98vz | ||
+ | |||
+ | == Use it! == | ||
+ | |||
+ | After installing the OpenVZ kernel, user tools and a minimal OS template | ||
+ | to create a first container and do some | ||
+ | [[basic operations in OpenVZ environment]]. Read the [[download:doc/OpenVZ-Users-Guide.pdf]], browse this wiki. | ||
+ | |||
+ | == SECURE IT ! == | ||
+ | |||
+ | Now comes a small advice from someone who got his debian 4.0 container hacked by some script kiddies with a ssh brute-force method within a day after deployment. I believed naively that iptables was active on boot of the container as I had used webmin inside the VE to activate iptables on boot. | ||
+ | |||
+ | That is not so! Although webmin shows that iptables (Linux Firewall) is active on boot, it is not. You need to make a startup script for iptables as described further down. | ||
+ | |||
+ | |||
+ | Now see what rules are already configured. Issue this command inside your container: | ||
+ | |||
+ | iptables -L | ||
+ | |||
+ | The output will be similar to this: | ||
+ | |||
+ | Chain INPUT (policy ACCEPT) | ||
+ | target prot opt source destination | ||
+ | Chain FORWARD (policy ACCEPT) | ||
+ | target prot opt source destination | ||
+ | Chain OUTPUT (policy ACCEPT) | ||
+ | target prot opt source destination | ||
+ | |||
+ | This allows anyone access to anything from anywhere. | ||
− | + | === New iptables rules === | |
+ | Let's tighten that up a bit by creating a test iptables file: | ||
− | + | nano /etc/iptables.test.rules | |
− | + | In this file enter some basic rules: | |
− | + | *filter | |
− | + | # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT | ||
− | + | # Accepts all established inbound connections | |
− | + | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
− | + | # Allows all outbound traffic | |
+ | # You could modify this to only allow certain traffic | ||
+ | -A OUTPUT -j ACCEPT | ||
− | + | # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) | |
+ | -A INPUT -p tcp --dport 80 -j ACCEPT | ||
+ | -A INPUT -p tcp --dport 443 -j ACCEPT | ||
− | + | # Allows SSH connections for script kiddies | |
+ | # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE | ||
+ | -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT | ||
− | + | # Now you should read up on iptables rules and consider whether ssh access | |
+ | # for everyone is really desired. Most likely you will only allow access from certain IPs. | ||
− | + | # Allow ping | |
+ | -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
− | # | + | # log iptables denied calls (access via 'dmesg' command) |
− | / | + | -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 |
− | + | # Reject all other inbound - default deny unless explicitly allowed policy: | |
+ | -A INPUT -j REJECT | ||
+ | -A FORWARD -j REJECT | ||
− | + | COMMIT | |
− | + | That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier. | |
− | + | Activate these new rules: | |
− | + | iptables-restore < /etc/iptables.test.rules | |
− | + | And see the difference: | |
iptables -L | iptables -L | ||
− | + | Now the output tells us that only the ports defined above are open. All the others are closed. | |
+ | |||
+ | Once you are happy, save the new rules to the master iptables file: | ||
+ | |||
+ | iptables-save > /etc/iptables.up.rules | ||
− | + | To make sure the iptables rules are started on a reboot we'll create a new file: | |
− | + | nano /etc/network/if-pre-up.d/iptables | |
− | + | Add these lines to it: | |
− | # | + | #!/bin/bash |
+ | /sbin/iptables-restore < /etc/iptables.up.rules | ||
− | + | The file needs to be executable so change the permissions: | |
− | + | chmod +x /etc/network/if-pre-up.d/iptables | |
− | |||
[[Category: HOWTO]] | [[Category: HOWTO]] | ||
[[Category: Debian]] | [[Category: Debian]] | ||
[[Category: Installation]] | [[Category: Installation]] |