Using FAI as a vserver build method
The basic steps are outlined in each section of this document. This is based on Debian sarge, augmented with Linux-VServer 2.0.2 and util-vserver 0.30.209.
The example system is assumed to want all its vservers set up on the interface "dummy0" in the IP range "192.168.254.0/24". It is assumed that the /etc/network/interfaces file has already been suitably configured, e.g.:
    auto dummy0
    iface dummy0 inet static
        address 192.168.254.1
        netmask 255.255.255.0
        up iptables -t nat -I POSTROUTING -j SNAT -s 192.168.254.0/24 --to-source 188.8.131.52
Note when writing firewall rules that the packets between vservers on the same machine actually travel over the loopback interface, regardless of the interface you set them up on. Go figure.
Anyway, read on and skip the sections you find irrelevant. Normal sysadmin stuff, like setting up hosts records, etc, is your responsibility - but please do send feedback if you think that there are steps that could be included here that would help someone else following these instructions avoid making the same foolish mistakes that you did.
VServers will be set up in the standard location of /var/lib/vservers/. It's probably a good idea to partition this separately. Individual vservers may have their own individual partitions, though for filesystem unification to work (allowing multiple identical libraries and binaries to share the same memory image across vservers), you will need to perform extra customisations later.
When using unification, each vserver's /usr, /lib, /sbin and /bin will be on the same partition using the magic of filesystem namespaces and bind mounts.
Compiling the vserver packages
The base system can (and for best practice, should) be a minimal installation; no compilers etc are necessary.
However, we need to build a decent VServer kernel and util-vserver in an environment with compilers, because the versions in Debian are hopelessly out of date to the point of being unsupported. This does not have to be done on the target machine, but often for pragmatic reasons is.
    mkdir -p /var/lib/vservers/compileit
    debootstrap sarge /var/lib/vservers/compileit http://your.local/debian
This space will become a vserver later, but for now you can just use chroot(8) to get into it, install important packages, and build the kernel.
    # copy the running kernel config into the system
    cp /boot/config-`uname -r` /var/lib/vservers/compileit/usr/src
    chroot /var/lib/vservers/compileit
    vi /etc/apt/sources.list   # add deb-src lines for unstable
    apt-get install build-essential kernel-package
    cd /usr/src
    # build dietlibc - dependency for util-vserver
    apt-get build-dep dietlibc-dev
    apt-get source --build dietlibc-dev
    dpkg -i dietlibc*deb
    # then build util-vserver
    apt-get build-dep util-vserver
    apt-get source --build util-vserver
    # get a kernel and patch it with recent patch
    # (the tarball is gzip-compressed, so tar needs -z when reading from a pipe)
    wget -O - -q ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-184.108.40.206.tar.gz | tar xzf -
    cd linux-220.127.116.11
    wget -O - -q http://vserver.13thfloor.at/Experimental/patch-18.104.22.168-vs2.0.2-rc17.diff | patch -p1
    # install the magic config we saved from before
    cp ../config-* .config
    # or `make menuconfig' if you want dumb kernel config decisions
    # to be made for you instead of making dumb decisions yourself.
    # Be sure to say "Yes" to Linux-VServer :)
    make oldconfig
    make-kpkg --revision 1 binary
You will then be left with some nice kernel-image-22.214.171.124-vs2.0.2-rc17-ARCH.deb and util-vserver-0.30.209-2.ARCH.deb (or something like that) which you can install on your host server. Reboot.
Build the FAI vserver
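Building a separate FAI vserver is a good idea, to keep the base system clean. This vserver only serves the function of running the 'make-fai-nfsroot' commands, etc. IT IS NOT SECURE. This is because it needs to be able to use mknod(1) for debootstrap, and a guest that can create device nodes can open the host's disks directly, so treat root in this vserver as root on the host.
The examples here should also work if fai is installed in the main system, but that setup has received less testing.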
    vserver fai build -m debootstrap --force \
        --interface dummy0:192.168.254.2/24 \
        --flags sched,nproc --hostname fai \
        -- -d sarge -m http://your.local/debian
    vserver fai start
    vserver fai enter
    vi /etc/fai/fai.conf
    vi /etc/fai/sources.list
    make-fai-nfsroot
Work in Progress Below Here
Setup your install area
Set up the /usr/share/fai directory within your FAI vserver. You will need to include the changes in User:BrianShowalter/Using FAI to install Linux-vservers.
In /usr/lib/util-vserver/vserver-build.fai, put:
    #
    # Copyright (C) 2006 Sam Vilain <firstname.lastname@example.org>
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; version 2 of the License.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

    tmp=$(getopt -o '+d:+f:+n:' --long debug,pkgmgmt -n "$0" -- "$@") || exit 1
    eval set -- "$tmp"

    . "$_LIB_VSERVER_BUILD_FUNCTIONS_PKGMGMT"

    DISTRIBUTION=:
    FAI_VSERVER=
    FAI_NFSROOT=/usr/lib/fai/nfsroot
    FAI_DIR=/usr/share/fai
    use_pkgmgmt=

    while true; do
        echo "ARGS: =>$*<="
        case "$1" in
            -f)       FAI_VSERVER=$2; shift; ;;
            -n)       FAI_NFSROOT=$2; shift; ;;
            -d)       FAI_DIR=$2;     shift; ;;
            --debug)  set -x;;
            --)       shift; break ;;
            *)
                echo "vserver-build.fai: internal error: unrecognized option '$1'" >&2
                exit 1
                ;;
        esac
        shift
    done

    getDistribution '' 1

    base.init
    base.initFilesystem "$OPTION_FORCE"

    setup_writeOption "$VSERVER_NAME"
    setup_writeInitialFstab

    test -z "$BUILD_INITPRE"  || "$BUILD_INITPRE"  "$SETUP_CONFDIR" "$UTIL_VSERVER_VARS"
    test -z "$1" || "$@"
    test -z "$BUILD_INITPOST" || "$BUILD_INITPOST" "$SETUP_CONFDIR" "$UTIL_VSERVER_VARS"

    # if they specified a vserver where FAI is installed, then prefix its
    # root to the FAI_NFSROOT etc (unless they have already specified a
    # $ROOTDIR-relative path)
    REAL_ROOTDIR=`cd "$ROOTDIR"; pwd -P`
    REAL_VDIR=`cd "$VDIR"; pwd -P`

    echo "ROOTDIR is $REAL_ROOTDIR"
    echo "VDIR is $REAL_VDIR"

    if [ -n "$FAI_VSERVER" ]
    then
        echo "FAI_VSERVER is $FAI_VSERVER"
        # expr ":" does an anchored regular-expression match and prints the
        # number of characters matched, so 0 means "not under $REAL_ROOTDIR"
        if [ `expr "$FAI_NFSROOT" : "$REAL_ROOTDIR"` -eq 0 ]
        then
            FAI_NFSROOT="$REAL_ROOTDIR/$FAI_VSERVER$FAI_NFSROOT"
        fi
        if [ `expr "$FAI_DIR" : "$REAL_ROOTDIR"` -eq 0 ]
        then
            FAI_DIR="$REAL_ROOTDIR/$FAI_VSERVER$FAI_DIR"
        fi
    fi

    echo "FAI_NFSROOT is $FAI_NFSROOT"
    echo "FAI_DIR is $FAI_DIR"

    export VDIR ROOTDIR FAI_VSERVER FAI_DIR FAI_NFSROOT

    # setup a new filesystem namespace
    set -e
    echo "Setting up tmp mounts"
    # the paths below are expanded by this shell before sh -c parses the
    # string, so they must not contain whitespace or shell metacharacters
    vnamespace -n -- sh -x -c "
        mount -n -o ro --bind $FAI_NFSROOT /mnt &&
        mount -n -t tmpfs -o size=16m,mode=1777 vm /mnt/tmp &&
        mkdir /mnt/tmp/target &&
        mount -n --bind $VDIR /mnt/tmp/target &&
        mount -n -o ro --bind $FAI_DIR /mnt/fai &&
        mount -n -o ro --bind $FAI_DIR /mnt/usr/share/fai &&
        mount -n -t proc proc /mnt/proc &&
        chcontext --secure --cap mknod chroot /mnt"

    base.setSuccess
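The script above runs as root on the host, decides with a regular-expression prefix match whether a path is already under the vserver root, and pastes paths unquoted into the `sh -c` string. As an added example (not part of vserver-build.fai; the function names are hypothetical and the sample paths are constructed), a literal, boundary-aware prefix test and a quoting helper for those two spots:

```sh
# is_under ROOT PATH: succeed only if PATH is ROOT itself or lies below it.
# The comparison is literal and stops at a "/" boundary, unlike
# `expr "$path" : "$root"`, which treats ROOT as a regular expression and
# accepts any string prefix (so /var/lib/vservers-old would count as "under").
is_under() {
    root=${1%/}                      # "/a/" and "/a" compare the same
    case $2 in
        "$root" | "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_fai_path ROOTDIR FAI_VSERVER PATH: print PATH unchanged if it is
# already below ROOTDIR, otherwise relocate it into the FAI vserver's tree.
resolve_fai_path() {
    if is_under "$1" "$3"; then
        printf '%s\n' "$3"
    else
        printf '%s\n' "${1%/}/$2/${3#/}"
    fi
}

# sh_quote STRING: print STRING single-quoted so it survives one round of
# shell parsing, e.g. inside the command string handed to `sh -c`.
sh_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# bind_ro_cmd SRC DST: build one read-only bind-mount line for that string.
bind_ro_cmd() {
    printf 'mount -n -o ro --bind %s %s\n' "$(sh_quote "$1")" "$(sh_quote "$2")"
}

# Demo with constructed values.
ROOT=/var/lib/vservers
resolve_fai_path "$ROOT" fai /usr/lib/fai/nfsroot
resolve_fai_path "$ROOT" fai /var/lib/vservers-old/fai/nfsroot
bind_ro_cmd "$ROOT/fai/usr/share/my fai" /mnt/fai
```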
Then in /usr/lib/util-vserver/vserver-build, change
To include fai:
Build the vserver
The command would be:
    vserver vschild build -m fai --force \
        --interface eth2:192.168.254.4/24 \
        --flags sched,nproc --hostname vschild -- \
        -f fai
The first fai, in -m fai, tells vserver xxx build to use the FAI build method. The second, in -f fai after the --, tells the above script to use the vserver called fai as the vserver where the FAI configuration area is installed.
The vserver-build.fai script should be running sh -c '/usr/sbin/fai vschild_create && /usr/bin/fai vschild_install' rather than just starting a shell in the FAI environment.
It looks like the 'subroutines' files, etc need to be customised heavily to work, at least from the version of FAI in Debian sarge. This work is likely to proceed on an FAI branch.