Difference between revisions of "Installation on Debian/old"

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search
(SECURE IT !)
(some formatting fixes)
Line 219: Line 219:
  
 
This allows anyone access to anything from anywhere.
 
This allows anyone access to anything from anywhere.
[edit]
+
 
New iptables rules
+
=== New iptables rules ===
  
 
Let's tighten that up a bit by creating a test iptables file:
 
Let's tighten that up a bit by creating a test iptables file:
Line 228: Line 228:
 
In this file enter some basic rules:
 
In this file enter some basic rules:
  
*filter
+
*filter
  
Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
 
  -A INPUT -i lo -j ACCEPT
 
  -A INPUT -i lo -j ACCEPT
 
  -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
 
  -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
  
Accepts all established inbound connections
+
# Accepts all established inbound connections
 
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  
Allows all outbound traffic
+
# Allows all outbound traffic
You could modify this to only allow certain traffic
+
# You could modify this to only allow certain traffic
 
  -A OUTPUT -j ACCEPT
 
  -A OUTPUT -j ACCEPT
  
Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
+
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
 
  -A INPUT -p tcp --dport 80 -j ACCEPT
 
  -A INPUT -p tcp --dport 80 -j ACCEPT
 
  -A INPUT -p tcp --dport 443 -j ACCEPT
 
  -A INPUT -p tcp --dport 443 -j ACCEPT
  
Allows SSH connections for script kiddies
+
# Allows SSH connections for script kiddies
THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
+
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
 
  -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
 
  -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
  
Now you should read up on iptables rules and consider whether ssh access  
+
# Now you should read up on iptables rules and consider whether ssh access  
for everyone is really desired. Most likely you will only allow access from certain IPs.
+
# for everyone is really desired. Most likely you will only allow access from certain IPs.
  
Allow ping
+
# Allow ping
 
  -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
  -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  
log iptables denied calls (access via 'dmesg' command)
+
# log iptables denied calls (access via 'dmesg' command)
 
  -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
  -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  
Reject all other inbound - default deny unless explicitly allowed policy
+
# Reject all other inbound - default deny unless explicitly allowed policy:
 
  -A INPUT -j REJECT
 
  -A INPUT -j REJECT
 
  -A FORWARD -j REJECT
 
  -A FORWARD -j REJECT
  
COMMIT
+
COMMIT
  
 
That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.
 
That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.
Line 292: Line 292:
  
 
  chmod +x /etc/network/if-pre-up.d/iptables
 
  chmod +x /etc/network/if-pre-up.d/iptables
 
  
 
[[Category: HOWTO]]
 
[[Category: HOWTO]]
 
[[Category: Debian]]
 
[[Category: Debian]]
 
[[Category: Installation]]
 
[[Category: Installation]]

Revision as of 06:57, 6 June 2008

OpenVZ consists of a kernel, user-level tools, and container templates.

This guide tells how to install the kernel and the tools on Debian stable.

Requirements

Filesystems

It is recommended to use a separate partition for container private directories (by default /var/lib/vz/private/<CTID>). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that per-container quota in this context includes not only pure per-container quota but also usual Linux disk quota used in container, not on HN.

At least try to avoid using root partition for containers because the root user of container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system.

OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems so use one of these filesystems (ext3 is recommended) if you need per-container disk quota.

Repository setup

At the moment two different repositories are online at http://download.openvz.org:

by Ola Lundqvist <opal@debian.org>
(OpenVZ kernels only)
apt-uri http://download.openvz.org/debian
by Thorsten Schifferdecker <tsd@debian.systs.org>
apt-uri http://download.openvz.org/debian-systs
(Mirror of OpenVZ Repository from http://debian.systs.org/)
Yellowpin.svg Note: The next steps used the Repository at http://download.openvz.org/debian-systs, the actually OpenVZ Tools for Debian are exist only in unstable, see http://packages.debian.org/vzctl
Yellowpin.svg Note: per default on Ubuntu system, root task are done with sudo

This can be achieved by the following commands, as root or as privileged "sudo" user

# echo -e "\ndeb http://download.openvz.org/debian-systs etch openvz" >> /etc/apt/sources.list
# wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update

There is even an lenny repository with kernel 2.6.24. Use it at your own risk!

# echo -e "\ndeb http://download.openvz.org/debian-systs lenny openvz" >> /etc/apt/sources.list
# wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update

Kernel installation

Yellowpin.svg Note: In case you want to recompile the OpenVZ kernel yourself on Debian, see Compiling the OpenVZ kernel (the Debian way).

First, you need to choose what kernel you want to install.

OpenVZ Kernel list built with kernel config from http://download.openvz.org
Kernel Description Hardware Debian Architecture
ovzkernel-2.6.18 uniprocessor up to 4GB of RAM i386 and amd64
ovzkernel-2.6.18-smp symmetric multiprocessor up to 4 GB of RAM i386 and amd64
ovzkernel-2.6.18-enterprise SMP + PAE support + 4/4GB split up to 64 GB of RAM i386 only
OpenVZ Kernel list built with official Debian kernel config and OpenVZ Settings
Kernel Description Hardware Debian Architecture
fzakernel-2.6.18-686 uni- and multiprocessor up to 4GB of RAM i386
fzakernel-2.6.18-686-bigmem symmetric multiprocessor up to 64 GB of RAM i386
fzakernel-2.6.18-amd64 uni- and multiprocessor amd64
 # apt-get install <kernel>

Configuring the bootloader

In case GRUB is used as the boot loader, it will be configured automatically, or execute update-grub; lines similar to these will be added to the /boot/grub/menu.lst file:

[...]
  title           Debian GNU/Linux, kernel 2.6.18-ovz-028stab051.1-686
  root            (hd0,1)
  kernel          /vmlinuz-2.6.18-ovz-028stab051.1-686 root=/dev/sda5 ro vga=791
  initrd          /initrd.img-2.6.18-ovz-028stab051.1-686
  savedefault
[...]
Yellowpin.svg Note: per default on debian/ubuntu, a 2.6.22 kernel will boot before a 2.6.18, please check manually the grub boot order. See man update-grub for more details

Rebooting into OpenVZ kernel

Warning.svg Warning: Before you restart your Server, keep in mind, that your system has all needed modules enabled; booting from your harddisk (e.g. hardware modules, raid system(s), lvm2 etc). May you need a INITRD (initramdisk) or compile needed kernel modules statically in.

Now reboot the machine and choose the OpenVZ Linux Kernel on the boot loader menu. If the OpenVZ kernel has been booted successfully, proceed to installing the user-level tools for OpenVZ.

Installing the user-level tools

OpenVZ needs some user-level tools installed. Those are:

vzctl
A utility to control OpenVZ containers (create, destroy, start, stop, set parameters etc.)
vzquota
A utility to manage quotas for containers. Mostly used indirectly (by vzctl).
 # [sudo] apt-get install vzctl vzquota

Configuring

sysctl

There are a number of kernel parameters that should be set for OpenVZ to work correctly. These parameters are stored in /etc/sysctl.conf file. Here is the relevant part of the file; please edit it accordingly.

Yellowpin.svg Note: vzctl version from debian-systs, automate changing sysctl options for openvz
[...]

# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explict Congestion Notification
#net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

[...]
 # [sudo] sysctl -p
Yellowpin.svg Note: You can make a symlink from /var/lib/vz to /vz as backward

compatibility to OpenVZ as installed in other distributions (Debian vz root directory is /var/lib/vz to be FHS-compliant.

 # [sudo] ln -s /var/lib/vz /vz 

OS templates

To install a container, you need OS template(s).

Precreated templates can be found here.

You can create your own templates, see Debian template creation, [[Ubuntu Gutsy template creation] and.

Yellowpin.svg Note: Setup your prefered standard OS Template : edit the /etc/vz/vz.conf
 # [sudo] apt-get install vzctl-ostmpl-debian

Additional User Tools

vzprocps
A set of utilities to provide system information (vzps and vztop)
vzdump
A utility to backup and restore container.
 # [sudo] apt-get install vzprocps vzdump

Use it!

After installing the OpenVZ kernel, user tools and a minimal OS template to create a first container and do some basic operations in OpenVZ environment. Read the download:doc/OpenVZ-Users-Guide.pdf, browse this wiki.

SECURE IT !

Now comes a small advice from someone who got his debian 4.0 container hacked by some script kiddies with a ssh brute-force method within a day after deployment. I believed naively that iptables was active on boot of the container as I had used webmin inside the VE to activate iptables on boot.

That is not so! Although webmin shows that iptables (Linux Firewall) is active on boot, it is not. You need to make a startup script for iptables as described further down.


Now see what rules are already configured. Issue this command inside your container:

iptables -L

The output will be similar to this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This allows anyone access to anything from anywhere.

New iptables rules

Let's tighten that up a bit by creating a test iptables file:

nano /etc/iptables.test.rules

In this file enter some basic rules:

*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections for script kiddies
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.

Activate these new rules:

iptables-restore < /etc/iptables.test.rules

And see the difference:

iptables -L

Now the output tells us that only the ports defined above are open. All the others are closed.

Once you are happy, save the new rules to the master iptables file:

iptables-save > /etc/iptables.up.rules

To make sure the iptables rules are started on a reboot we'll create a new file:

nano /etc/network/if-pre-up.d/iptables

Add these lines to it:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

chmod +x /etc/network/if-pre-up.d/iptables