Difference between revisions of "Installation on Debian/old"
(gitty repository removed, lenny added) |
|||
Line 9: | Line 9: | ||
directories (by default <code>/var/lib/vz/private/<CTID></code>). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that per-container quota in this context includes not only pure per-container quota but also usual Linux disk quota used in container, not on [[HN]]. | directories (by default <code>/var/lib/vz/private/<CTID></code>). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that per-container quota in this context includes not only pure per-container quota but also usual Linux disk quota used in container, not on [[HN]]. | ||
− | At least try to avoid using root partition for containers because the root user of container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system. | + | At least try to avoid using root partition for containers because the root user of container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system. |
OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems so use one of these filesystems (ext3 is recommended) if you need per-container disk quota. | OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems so use one of these filesystems (ext3 is recommended) if you need per-container disk quota. | ||
Line 197: | Line 197: | ||
to create a first container and do some | to create a first container and do some | ||
[[basic operations in OpenVZ environment]]. Read the [[download:doc/OpenVZ-Users-Guide.pdf]], browse this wiki. | [[basic operations in OpenVZ environment]]. Read the [[download:doc/OpenVZ-Users-Guide.pdf]], browse this wiki. | ||
+ | |||
+ | == SECURE IT ! == | ||
+ | |||
+ | Now comes a small advice from someone who got his debian 4.0 container hacked by some script kiddies with a ssh brute-force method within a day after deployment. I believed naively that iptables was active on boot of the container as I had used webmin inside the VE to activate iptables on boot. | ||
+ | |||
+ | That is not so! Although webmin shows that iptables (Linux Firewall) is active on boot, it is not. You need to make a startup script for iptables as described further down. | ||
+ | |||
+ | |||
+ | Now see what rules are already configured: | ||
+ | |||
+ | iptables -L | ||
+ | |||
+ | The output will be similar to this: | ||
+ | |||
+ | Chain INPUT (policy ACCEPT) | ||
+ | target prot opt source destination | ||
+ | Chain FORWARD (policy ACCEPT) | ||
+ | target prot opt source destination | ||
+ | Chain OUTPUT (policy ACCEPT) | ||
+ | target prot opt source destination | ||
+ | |||
+ | This allows anyone access to anything from anywhere. | ||
+ | [edit] | ||
+ | New iptables rules | ||
+ | |||
+ | Let's tighten that up a bit by creating a test iptables file: | ||
+ | |||
+ | nano /etc/iptables.test.rules | ||
+ | |||
+ | In this file enter some basic rules: | ||
+ | |||
+ | *filter | ||
+ | |||
+ | Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT | ||
+ | |||
+ | Accepts all established inbound connections | ||
+ | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
+ | |||
+ | Allows all outbound traffic | ||
+ | You could modify this to only allow certain traffic | ||
+ | -A OUTPUT -j ACCEPT | ||
+ | |||
+ | Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) | ||
+ | -A INPUT -p tcp --dport 80 -j ACCEPT | ||
+ | -A INPUT -p tcp --dport 443 -j ACCEPT | ||
+ | |||
+ | Allows SSH connections for script kiddies | ||
+ | THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE | ||
+ | -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT | ||
+ | |||
+ | Now you should read up on iptables rules and consider whether ssh access | ||
+ | for everyone is really desired. Most likely you will only allow access from certain IPs. | ||
+ | |||
+ | Allow ping | ||
+ | -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
+ | |||
+ | log iptables denied calls (access via 'dmesg' command) | ||
+ | -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | ||
+ | |||
+ | Reject all other inbound - default deny unless explicitly allowed policy | ||
+ | -A INPUT -j REJECT | ||
+ | -A FORWARD -j REJECT | ||
+ | |||
+ | COMMIT | ||
+ | |||
+ | That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier. | ||
+ | |||
+ | Activate these new rules: | ||
+ | |||
+ | iptables-restore < /etc/iptables.test.rules | ||
+ | |||
+ | And see the difference: | ||
+ | |||
+ | iptables -L | ||
+ | |||
+ | Now the output tells us that only the ports defined above are open. All the others are closed. | ||
+ | |||
+ | Once you are happy, save the new rules to the master iptables file: | ||
+ | |||
+ | iptables-save > /etc/iptables.up.rules | ||
+ | |||
+ | To make sure the iptables rules are started on a reboot we'll create a new file: | ||
+ | |||
+ | nano /etc/network/if-pre-up.d/iptables | ||
+ | |||
+ | Add these lines to it: | ||
+ | |||
+ | #!/bin/bash | ||
+ | /sbin/iptables-restore < /etc/iptables.up.rules | ||
+ | |||
+ | The file needs to be executable so change the permissions: | ||
+ | |||
+ | chmod +x /etc/network/if-pre-up.d/iptables | ||
+ | |||
[[Category: HOWTO]] | [[Category: HOWTO]] | ||
[[Category: Debian]] | [[Category: Debian]] | ||
[[Category: Installation]] | [[Category: Installation]] |
Revision as of 21:56, 5 June 2008
OpenVZ consists of a kernel, user-level tools, and container templates.
This guide tells how to install the kernel and the tools on Debian stable.
Contents
Requirements
Filesystems
It is recommended to use a separate partition for container private
directories (by default /var/lib/vz/private/<CTID>
). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that per-container quota in this context includes not only pure per-container quota but also usual Linux disk quota used in container, not on HN.
At least try to avoid using root partition for containers because the root user of container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system.
OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems so use one of these filesystems (ext3 is recommended) if you need per-container disk quota.
Repository setup
At the moment two different repositories are online at http://download.openvz.org:
- by Ola Lundqvist <opal@debian.org>
- (OpenVZ kernels only)
- apt-uri http://download.openvz.org/debian
- by Thorsten Schifferdecker <tsd@debian.systs.org>
- apt-uri http://download.openvz.org/debian-systs
- (Mirror of OpenVZ Repository from http://debian.systs.org/)
Note: The next steps used the Repository at http://download.openvz.org/debian-systs, the actually OpenVZ Tools for Debian are exist only in unstable, see http://packages.debian.org/vzctl |
Note: per default on Ubuntu system, root task are done with sudo |
This can be achieved by the following commands, as root or as privileged "sudo" user
# echo -e "\ndeb http://download.openvz.org/debian-systs etch openvz" >> /etc/apt/sources.list # wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update
There is even an lenny repository with kernel 2.6.24. Use it at your own risk!
# echo -e "\ndeb http://download.openvz.org/debian-systs lenny openvz" >> /etc/apt/sources.list # wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update
Kernel installation
Note: In case you want to recompile the OpenVZ kernel yourself on Debian, see Compiling the OpenVZ kernel (the Debian way). |
First, you need to choose what kernel you want to install.
Kernel | Description | Hardware | Debian Architecture |
---|---|---|---|
ovzkernel-2.6.18 | uniprocessor | up to 4GB of RAM | i386 and amd64 |
ovzkernel-2.6.18-smp | symmetric multiprocessor | up to 4 GB of RAM | i386 and amd64 |
ovzkernel-2.6.18-enterprise | SMP + PAE support + 4/4GB split | up to 64 GB of RAM | i386 only |
Kernel | Description | Hardware | Debian Architecture |
---|---|---|---|
fzakernel-2.6.18-686 | uni- and multiprocessor | up to 4GB of RAM | i386 |
fzakernel-2.6.18-686-bigmem | symmetric multiprocessor | up to 64 GB of RAM | i386 |
fzakernel-2.6.18-amd64 | uni- and multiprocessor | amd64 |
# apt-get install <kernel>
Configuring the bootloader
In case GRUB is used as the boot loader, it will be configured automatically, or execute update-grub; lines similar to these will be added to the /boot/grub/menu.lst file:
[...] title Debian GNU/Linux, kernel 2.6.18-ovz-028stab051.1-686 root (hd0,1) kernel /vmlinuz-2.6.18-ovz-028stab051.1-686 root=/dev/sda5 ro vga=791 initrd /initrd.img-2.6.18-ovz-028stab051.1-686 savedefault [...]
Note: per default on debian/ubuntu, a 2.6.22 kernel will boot before a 2.6.18, please check manually the grub boot order. See man update-grub for more details |
Rebooting into OpenVZ kernel
Now reboot the machine and choose the OpenVZ Linux Kernel on the boot loader menu. If the OpenVZ kernel has been booted successfully, proceed to installing the user-level tools for OpenVZ.
Installing the user-level tools
OpenVZ needs some user-level tools installed. Those are:
- vzctl
- A utility to control OpenVZ containers (create, destroy, start, stop, set parameters etc.)
- vzquota
- A utility to manage quotas for containers. Mostly used indirectly (by vzctl).
# [sudo] apt-get install vzctl vzquota
Configuring
sysctl
There are a number of kernel parameters that should be set for OpenVZ to work correctly. These parameters are stored in /etc/sysctl.conf file. Here is the relevant part of the file; please edit it accordingly.
Note: vzctl version from debian-systs, automate changing sysctl options for openvz |
[...] # On Hardware Node we generally need # packet forwarding enabled and proxy arp disabled net.ipv4.conf.default.forwarding=1 net.ipv4.conf.default.proxy_arp = 0 net.ipv4.ip_forward=1 # Enables source route verification net.ipv4.conf.all.rp_filter = 1 # Enables the magic-sysrq key kernel.sysrq = 1 # TCP Explict Congestion Notification #net.ipv4.tcp_ecn = 0 # we do not want all our interfaces to send redirects net.ipv4.conf.default.send_redirects = 1 net.ipv4.conf.all.send_redirects = 0 [...]
# [sudo] sysctl -p
Note: You can make a symlink from /var/lib/vz to /vz as backward
compatibility to OpenVZ as installed in other distributions (Debian vz root directory is /var/lib/vz to be FHS-compliant. |
# [sudo] ln -s /var/lib/vz /vz
OS templates
To install a container, you need OS template(s).
Precreated templates can be found here.
You can create your own templates, see Debian template creation, [[Ubuntu Gutsy template creation] and.
Note: Setup your prefered standard OS Template : edit the /etc/vz/vz.conf |
# [sudo] apt-get install vzctl-ostmpl-debian
Additional User Tools
- vzprocps
- A set of utilities to provide system information (vzps and vztop)
- vzdump
- A utility to backup and restore container.
# [sudo] apt-get install vzprocps vzdump
Use it!
After installing the OpenVZ kernel, user tools and a minimal OS template to create a first container and do some basic operations in OpenVZ environment. Read the download:doc/OpenVZ-Users-Guide.pdf, browse this wiki.
SECURE IT !
Now comes a small advice from someone who got his debian 4.0 container hacked by some script kiddies with a ssh brute-force method within a day after deployment. I believed naively that iptables was active on boot of the container as I had used webmin inside the VE to activate iptables on boot.
That is not so! Although webmin shows that iptables (Linux Firewall) is active on boot, it is not. You need to make a startup script for iptables as described further down.
Now see what rules are already configured:
iptables -L
The output will be similar to this:
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
This allows anyone access to anything from anywhere. [edit] New iptables rules
Let's tighten that up a bit by creating a test iptables file:
nano /etc/iptables.test.rules
In this file enter some basic rules:
- filter
Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allows all outbound traffic You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT
Allows SSH connections for script kiddies THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
Now you should read up on iptables rules and consider whether ssh access for everyone is really desired. Most likely you will only allow access from certain IPs.
Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT -A FORWARD -j REJECT
COMMIT
That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.
Activate these new rules:
iptables-restore < /etc/iptables.test.rules
And see the difference:
iptables -L
Now the output tells us that only the ports defined above are open. All the others are closed.
Once you are happy, save the new rules to the master iptables file:
iptables-save > /etc/iptables.up.rules
To make sure the iptables rules are started on a reboot we'll create a new file:
nano /etc/network/if-pre-up.d/iptables
Add these lines to it:
#!/bin/bash /sbin/iptables-restore < /etc/iptables.up.rules
The file needs to be executable so change the permissions:
chmod +x /etc/network/if-pre-up.d/iptables