Vserver configs

From Cryptronic
The content of the /etc/vservers directory

    * /etc/vservers/.defaults
          o cachebase
            A link to the directory which will hold cached information about vservers.
          o nonamespace
            Disable namespace usage globally. It can be overridden for a single vserver by setting the namespace flag there. In this mode the /vservers directory must have the 'barrier' attribute; otherwise, common chroot(2) exploits are possible.
          o run.rev
            Path of the vserver run reverse directory. This directory contains symlinks named with XID numbers which point back to the configuration directory of vservers. Under kernel 2.4 this is required for the XID to VSERVER mapping; under kernel 2.6 it is unused. NOTE: this link exists in 0.30.202+ only; in previous versions it was a vserver specific setting.
          o vdirbase
            A link to the default vserver root directory.
          o /etc/vservers/.defaults/apps
                + /etc/vservers/.defaults/apps/debootstrap
                      # mirror
                        The Debian mirror to use with the debootstrap program
                      # uri
                        When the debootstrap package is not installed, fetch it from this uri and install it at a temporary place.
                + /etc/vservers/.defaults/apps/init
                      # tty
                        A symlink to the TTY device where input/output will be redirected from/to at startup via initscript.
                + /etc/vservers/.defaults/apps/pkgmgmt
                      # apt.conf
                        The default apt.conf which is going to be used. It is overridden by the distribution-specific configuration file.
                      # base
                + /etc/vservers/.defaults/apps/vprocunhide
                      # files
                        A list of files which will be made visible by vprocunhide. Wildcards are allowed and anything ending in '/' will be processed recursively. When this file exists, it overrides the defaults in SYSDEFAULTDIR/vprocunhide-files. The entries there must be absolute filenames including the leading '/proc'.
                + /etc/vservers/.defaults/apps/vshelper
                      # debug
                        When existing, the vshelper execution will be traced.
                      # disabled
                        When existing, the vshelper functionality will be disabled for all vservers.
                      # logfile
                        The file where output will be logged to when vshelper is invoked from the kernel. This should point somewhere e.g. into /var/log.
                      # warning-disabled
                        When existing, sanity checks for the vshelper functionality will be skipped.
                      # /etc/vservers/.defaults/apps/vshelper/vshelper-methods
                            * handler
                              See vshelper/action.
                + /etc/vservers/.defaults/apps/vunify
                      # exclude
                        Static list of excluded files.
                      # pgkmgmt-force
                        When existing, information from package management will be used to create dynamic exclude-lists. This option requires that a known package management is configured for the vserver; else the requested operation will fail. Most tools assume 'on' as the default value.
                      # pkgmgmt-ignore
                        When existing, information from package management will not be used to create dynamic exclude-lists.
                      # /etc/vservers/.defaults/apps/vunify/hash
                        A directory which will be used as the storage place for the vhashify command.
                            * id
                              Points to a directory within the filesystems which are used for the vservers. There must not be more than one such directory per filesystem.
                            * method
                              The hash method used.
          o /etc/vservers/.defaults/init
                + mtab
                  Default mtab file
    * /etc/vservers/.distributions
          o /etc/vservers/.distributions/dist
                + apt.conf
                  The default apt.conf which is going to be used. It overrides the apt.conf from CONFDIR/.defaults/apps/pkgmgmt.
                + dev
                + execdir
                  Directory with all executables and libraries which are required for this distribution.
                + initpost
                  Script which will be executed after packages are installed.
                + initpre
                  Script which will be executed before packages are installed.
                + rpmlib
                  Directory which overrides /usr/lib/rpm.
                + /etc/vservers/.distributions/dist/apt
                  Default content of the /etc/apt/ directory.
                + /etc/vservers/.distributions/dist/pkgs
                  Contains files with package names.
                      # list
                        File which contains the names of packages. At the top of the file the special keywords '--reinstall' and '--can-fail' are possible.
                + /etc/vservers/.distributions/dist/pubkeys
                  Directory with GPG pubkeys which are used to sign the packages of this distribution.
                + /etc/vservers/.distributions/dist/rpm
                  Default content of the /etc/rpm directory.
                + /etc/vservers/.distributions/dist/yum
                  The default, yum-related content of the /etc directory.
                      # yum.conf
                        The master yum configuration file. It supports the @YUMETCDIR@, @YUMCACHEDIR@ and @YUMLOGDIR@ placeholders which will be replaced at vserver ... build time.
                + /etc/vservers/.distributions/dist/yum.repos.d
                  A directory with yum repositories.
    * /etc/vservers/vserver-name
      The configuration directory for the vserver vserver-name.
          o bcapabilities
            [experimental; name is subject to change] Contains the system capabilities. See lib/bcaps-v13.c for possible values.
          o cache
            Path of the storage area for cached information about this vserver.
          o capabilities
            Contains one capability per line. This file is used for the 2.4 kernel only; for 2.6 use bcapabilities.
          o ccapabilities
            [experimental; name is subject to change] Contains the context capabilities. See lib/ccaps-v13.c for possible values.
          o context
            Contains the context which shall be used for the vserver.
          o flags
            Contains one flag per line. See lib/cflags-v13.c for possible values.
          o fstab
            The fstab file for the vserver. Entries in this file will be mounted within the network context of the host. Use the fstab.remote file when the mounting should happen in the network context of the vserver. In most cases the 'fstab' file should be used.
          o fstab.remote
            The fstab file for the vserver. Entries in this file will be mounted within the network context of the vserver; this means that mount will be called as chbind <options> mount .... See fstab also.
          o name
            Contains the name of the vserver. When not given, the basename of the directory will be assumed as this name.
          o namespace
            Overrides the global nonamespace flag and enables namespace usage for the current vserver.
          o nice
            The nice-level on which the vserver will be started.
          o nonamespace
            Disables namespace usage for the current vserver. In this mode the /vservers directory must have the 'barrier' attribute; otherwise, common chroot(2) exploits are possible.
          o personality
            Used to set the personality of the vserver. First line in the file is the personality-type followed by flags (one item per line). See /usr/include/linux/personality.h for possible values.
          o run
            Points to a file which will contain the XID of the running vserver. When the vserver is stopped, this can be a dangling symlink.
          o schedule
            [experimental; name is subject to change] Contains the scheduler parameters, one per line. The hard CPU limit uses a mechanism called a token bucket. The concept is simple: you have a bucket of a certain size which is filled with a specified amount R of tokens each interval T until the maximum is reached (excess tokens are spilled). At each timer tick, a running process consumes one token from the bucket, unless the bucket is empty. If the bucket is empty, the process is put in the hold queue. When the bucket has been refilled to at least M tokens, all on-hold processes are rescheduled. See the Linux VServer Wiki for more information about this file.
          o shell
            Contains the pathname of the shell which will be used by the "vserver ... enter" command.
          o vdir
            Path of the vserver root directory.
          o /etc/vservers/vserver-name/apps
                + /etc/vservers/vserver-name/apps/init
                      # cmd.prepare
                        The command which is used to set up the init-system (e.g. to set the runlevel in the utmp-file). Each option must be on a separate line.
                      # cmd.start
                        The command which is used to start the vserver. Each option must be on a separate line.
                      # cmd.start-sync
                        The command which is used to wait on the vserver after it has been started. Each option must be on a separate line. This file will be ignored when the sync flag does not exist and the '--sync' option was not used.
                      # cmd.stop
                        The command which is used to stop the vserver. Each option must be on a separate line.
                      # cmd.stop-sync
                        The command which is used to wait on the vserver after it has been stopped. Each option must be on a separate line. This file will be ignored when the sync flag does not exist and the '--sync' option was not used.
                      # depends
                        This file is used to configure vservers which must be running before the current vserver can be started. At shutdown, the current vserver will be stopped before its dependencies. The content of this file is a list of vserver ids (one name per line).
                      # killseq
                        Contains the 'signal [wait signal]*' sequence which is used to stop the vserver.
                      # mark
                        This file is used to mark a group of vservers which shall be started/stopped together by the initscript. Content is a simple string like 'default'.
                      # mtab
                        The initial-mtab which will be used for the vserver.
                      # runlevel
                        The start runlevel.
                      # runlevel.start
                        The start runlevel.
                      # runlevel.stop
                        The stop runlevel.
                      # style
                        Contains the init-style.
                      # sync
                        If this file is not present, all 'cmd.*-sync' files will be ignored.
                      # tty
                        A symlink to the TTY device where input/output will be redirected from/to at startup via initscript.
                + /etc/vservers/vserver-name/apps/vshelper
                      # action
                        The action which is going to be executed when a vshelper event occurs. The default value is 'restart', but custom methods can be defined by placing scripts into the vshelper-methods directories. These scripts are fed with the same arguments as the vshelper script.
                      # debug
                        When existing, the vshelper execution will be traced for this vserver.
                      # disabled
                        When existing, the vshelper functionality will be disabled for this vserver.
                      # event
                        When existing, these scripts will be executed *instead* of the default handler defined in 'action'. Their name must match the event which caused the execution of vshelper; e.g. 'restart' or 'poweroff'. See the vs_reboot() function in the kernel for more details.
                      # sync-timeout
                        The timeout in seconds which is used when synchronising vserver startup/shutdown with the vshelper. When not set, 30 seconds will be assumed.
                      # warning-disabled
                        When existing, sanity checks for the vshelper functionality will be skipped.
                + /etc/vservers/vserver-name/apps/vshelper-methods
                      # handler
                        See vshelper/action.
                + /etc/vservers/vserver-name/apps/vunify
                  This directory contains configuration data required for vserver unification.
                      # exclude
                        Static list of files which are excluded for unification. This list supports an rsync-like syntax: when a file is prefixed by '+', it is a candidate for unification; when there is no prefix or a '-' or a '~' it will be excluded. Shell-wildcards are allowed for the filenames.
                        When used with vcopy, the '~' prefix prevents copying of the file entirely (e.g. for keyfiles). With this tool, the file will be copied instead of hardlinked when the '-' prefix is used.
                      # pgkmgmt-force
                        When existing, information from package management will be used to create dynamic exclude-lists. This option requires that a known package management is configured for the vserver; else the requested operation will fail. Most tools assume 'on' as the default value.
                      # pkgmgmt-ignore
                        When existing, information from package management will not be used to create dynamic exclude-lists.
                      # refserver.X
                        These are symlinks to the configuration directory (e.g. CONFDIR/vservers/<id>) of a refserver. There may be multiple such symlinks but they must be prefixed by 'refserver.' and will be processed in alphanumerical order.
                      # /etc/vservers/vserver-name/apps/vunify/hash
                        A directory which will be used as the storage place for the vhashify command.
                            * id
                              Points to a directory within the filesystems which are used for the vservers. There must not be more than one such directory per filesystem.
                            * method
                              The hash method used.
          o /etc/vservers/vserver-name/dlimits
                + /etc/vservers/vserver-name/dlimits/dlimit
                      # directory
                        The directory to which the limit should be applied
                      # inodes_total
                        The amount of inodes this vserver should be limited to
                      # reserved
                        How much space (percentage-wise) should be reserved for the root user
                      # space_total
                        The amount of space this vserver should be limited to (measured in blocks of 1024 bytes)
          o /etc/vservers/vserver-name/interfaces
                + bcast
                  The default broadcast address.
                + dev
                  The default network device.
                + mask
                  The default network mask.
                + prefix
                  The default network prefix-length.
                + scope
                  The default scope of the network interfaces.
                + /etc/vservers/vserver-name/interfaces/iface
                  'iface' is an arbitrary name for the interface; the value itself is not important but may be interesting regarding interface-creation and usage with chbind. Both happen in alphabetical order and numbers like '00' are good names for these directories.
                      # bcast
                        The broadcast address.
                      # dev
                        The network device.
                      # disabled
                        When this file exists, this interface will be ignored.
                      # ip
                        The ip which will be assigned to this interface.
                      # mask
                        The network mask.
                      # name
                        When this file exists, the interface will be named with the text in this file. Without such an entry, the IP will not be shown by ifconfig but by ip addr ls only. Such a labeled interface is also known as an "alias" (e.g. 'eth0:foo').
                      # nodev
                        When this file exists, the interface will be assumed to exist already. This can be used to assign primary interfaces which are created by the host or another vserver.
                      # novlandev
                        When this file exists, the steps which set up and destroy a VLAN interface will be skipped. This flag should be set when a VLAN interface is used by multiple vservers or by the host.
                      # prefix
                        The network prefix-length.
                      # scope
                        The scope of the network interface.
          o /etc/vservers/vserver-name/rlimits
            A directory with resource limits. Possible resources are cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as and locks. This configuration will be honored for kernel 2.6 only.
                + resource
                  A file which contains the hard- and soft-limit of the given resource in the first line. The special keyword 'inf' is recognized.
                + resource.hard
                  A file which contains the hard limit of the given resource in the first line. The special keyword 'inf' is recognized.
                + resource.min
                  A file which contains the guaranteed minimum of the given resource in the first line. The special keyword 'inf' is recognized.
                + resource.soft
                  A file which contains the soft limit of the given resource in the first line. The special keyword 'inf' is recognized.
          o /etc/vservers/vserver-name/scripts
            A directory for scripts. By default, when one of these scripts is executed, the execution of default scripts (within .../.defaults/scripts) will be skipped. To execute them nevertheless, the $DONT_SKIP_DEFAULTS environment variable must be set by one of the in-shellcontext scripts (the non-executable ones).
                + post-start
                  The scriptlet which will be executed after the vserver has been started. Before executing the script, the vserver root directory will be made the working directory.
                + post-stop
                  The scriptlet which will be executed after the vserver has been stopped, but before the directories are unmounted and the interfaces disabled. Before executing the script, the vserver root directory will be made the working directory.
                + postpost-stop
                  The scriptlet which will be executed after the vserver has been stopped completely. Before executing the script, the vserver root directory will be made the working directory.
                + pre-start
                  The scriptlet which will be executed after network-interfaces were enabled and the directories mounted, but before the vserver itself has been started. Before executing the script, the vserver root directory will be made the working directory.
                + pre-stop
                  The scriptlet which will be executed before the vserver will be stopped. Before executing the script, the vserver root directory will be made the working directory.
                + prepre-start
                  The scriptlet which will be executed before the network-interfaces are enabled and the directories are mounted. Before executing the script, the configuration directory will be made the working directory.
                + /etc/vservers/vserver-name/scripts/post-start.d
                  Repository of post-start like scripts. Before executing these scripts, the vserver root directory will be made the working directory.
                      # script
                        See post-start.
                + /etc/vservers/vserver-name/scripts/post-stop.d
                  Repository of post-stop like scripts. Before executing the script, the vserver root directory will be made the working directory.
                      # script
                        See post-stop.
                + /etc/vservers/vserver-name/scripts/postpost-stop.d
                  Repository of postpost-stop like scripts. Before executing the script, the vserver root directory will be made the working directory.
                      # script
                        See postpost-stop.
                + /etc/vservers/vserver-name/scripts/pre-start.d
                  Repository of pre-start like scripts. Before executing these scripts, the vserver root directory will be made the working directory.
                      # script
                        See pre-start.
                + /etc/vservers/vserver-name/scripts/pre-stop.d
                  Repository of pre-stop like scripts. Before executing the script, the vserver root directory will be made the working directory.
                      # script
                        See pre-stop.
                + /etc/vservers/vserver-name/scripts/prepre-start.d
                  Repository of prepre-start like scripts. Before executing the script, the configuration directory will be made the working directory.
                      # script
                        See prepre-start.
          o /etc/vservers/vserver-name/ulimits
            A directory with ulimits. Possible resources are cpu, data, fsize, locks, memlock, nofile, nproc, rss and/or stack. This configuration will be honored for kernel 2.4 only.
                + resource
                  A file which contains the hard- and soft-limit of the given resource in the first line. The special keyword 'inf' is recognized.
                + resource.hard
                  A file which contains the hard limit of the given resource in the first line. The special keyword 'inf' is recognized.
                + resource.soft
                  A file which contains the soft limit of the given resource in the first line. The special keyword 'inf' is recognized.
          o /etc/vservers/vserver-name/uts
                + context
                  The context-name of the vserver. This file is listed for completeness only; the 'context' name is used and set internally by the util-vserver tools and can *not* be modified.
                + domainname
                  The NIS domainname of the vserver
                + machine
                  The machine-type of the vserver
                + nodename
                  The node-/hostname of the vserver
                + release
                  The OS-release of the vserver
                + sysname
                  The sysname of the vserver
                + version
                  The OS-version of the vserver
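
The nonamespace and namespace entries above decide, per vserver, whether isolation rests on the 'barrier' attribute of /vservers. The following added example (not part of util-vserver or of the original page) lists each vserver's effective setting; the status labels, the function names and the handling of a vserver that carries both flag files as a conflict are assumptions of the example.

```sh
#!/bin/sh
# Added example: report which vservers run without namespaces and
# therefore depend on the 'barrier' attribute of the /vservers directory.

# A flag counts as set when the file exists (a dangling symlink also
# counts; that choice is an assumption of this example).
flag_set() { [ -e "$1" ] || [ -L "$1" ]; }

# audit_namespaces CONFDIR  ->  one "name status" line per vserver
#   namespace           namespaces in use
#   nonamespace-global  disabled by CONFDIR/.defaults/nonamespace
#   nonamespace-local   disabled by the vserver's own nonamespace file
#   conflict            both flag files present; review by hand
audit_namespaces() {
    confdir=${1:-/etc/vservers}
    for cfg in "$confdir"/*/; do      # the glob skips .defaults and .distributions
        [ -d "$cfg" ] || continue     # unmatched glob
        cfg=${cfg%/}
        name=${cfg##*/}
        # The optional 'name' file overrides the directory basename.
        if [ -s "$cfg/name" ]; then
            IFS= read -r name < "$cfg/name" || :
            [ -n "$name" ] || name=${cfg##*/}
        fi
        if flag_set "$cfg/namespace" && flag_set "$cfg/nonamespace"; then
            status=conflict
        elif flag_set "$cfg/nonamespace"; then
            status=nonamespace-local
        elif flag_set "$cfg/namespace"; then
            status=namespace          # overrides the global flag
        elif flag_set "$confdir/.defaults/nonamespace"; then
            status=nonamespace-global
        else
            status=namespace
        fi
        printf '%s %s\n' "$name" "$status"
    done
}

# Constructed sample tree, so the function can be tried without a host.
make_sample_confdir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/.defaults" "$d/db" "$d/legacy" "$d/mixed" "$d/web"
    : > "$d/.defaults/nonamespace"    # namespaces off globally
    : > "$d/web/namespace"            # per-vserver override: on
    : > "$d/legacy/nonamespace"       # per-vserver: off
    : > "$d/mixed/namespace"
    : > "$d/mixed/nonamespace"        # contradictory flags
    echo "database" > "$d/db/name"    # 'name' file replaces "db"
    printf '%s\n' "$d"
}

sample=$(make_sample_confdir)
audit_namespaces "$sample"
rm -rf "$sample"
```

Every vserver reported as nonamespace-global or nonamespace-local needs the 'barrier' attribute on /vservers checked before it is started.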
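
The token bucket described under schedule above, as an added example (not util-vserver code): it models a single CPU-bound process and counts the timer ticks on which it runs. R, T and M are the page's symbols; the argument order, the START and TICKS arguments and the choice to refill before the process runs on a refill tick are assumptions of the example.

```sh
#!/bin/sh
# Added example: model of the hard CPU limit's token bucket.
# It does not read the schedule file; its format is not given on this page.
#
# token_bucket_run R T M SIZE START TICKS
#   R      tokens added at each refill
#   T      refill interval, in timer ticks
#   M      tokens required before on-hold processes are rescheduled
#   SIZE   bucket size (excess tokens are spilled)
#   START  tokens in the bucket before the first tick
#   TICKS  number of timer ticks to simulate
# Prints the number of ticks on which the process ran.
token_bucket_run() {
    tb_r=$1 tb_t=$2 tb_m=$3 tb_size=$4 tb_tokens=$5 tb_ticks=$6
    if [ "$tb_t" -le 0 ]; then
        echo "T must be greater than 0" >&2
        return 2
    fi
    tb_held=0 tb_ran=0 tb_tick=1
    while [ "$tb_tick" -le "$tb_ticks" ]; do
        # Refill every T ticks; tokens above SIZE are spilled.
        if [ $((tb_tick % tb_t)) -eq 0 ]; then
            tb_tokens=$((tb_tokens + tb_r))
            if [ "$tb_tokens" -gt "$tb_size" ]; then
                tb_tokens=$tb_size
            fi
        fi
        # Leave the hold queue only once the bucket holds at least M tokens.
        if [ "$tb_held" -eq 1 ] && [ "$tb_tokens" -ge "$tb_m" ]; then
            tb_held=0
        fi
        if [ "$tb_held" -eq 0 ]; then
            if [ "$tb_tokens" -gt 0 ]; then
                tb_tokens=$((tb_tokens - 1))   # one token per tick of CPU
                tb_ran=$((tb_ran + 1))
            else
                tb_held=1                      # empty bucket: put on hold
            fi
        fi
        tb_tick=$((tb_tick + 1))
    done
    echo "$tb_ran"
}

# Constructed parameters: R=1 and T=4 refill one token every four ticks.
token_bucket_run 1 4 5 10 10 40   # full bucket: a burst, then throttled
token_bucket_run 1 4 2 4 0 40     # empty bucket: throttled from the start
```

A larger bucket lets a guest burst for longer before it is held, and a larger M makes each hold period longer; the sustained share is set by R and T.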
