Using VServer in CentOS 5.1

IMPORTANT NOTE:

The CentOS developers spend a good deal of time and effort ensuring that CentOS is stable and usable in production environments. Using VServer means using an unsupported kernel. I did find that this affected KVM's ability to simulate multiple processors, but haven't had any other problems. This doesn't mean that you won't have problems, and you are advised to proceed at your own risk.

An article on the CentOS wiki goes into further detail about the risks of using an unsupported kernel. If this is a production machine, please read it first.

That being said, the VServer people obviously put a great deal of work into their kernel as well. The author has run a variety of programs on test machines, and aside from the KVM-qemu SMP issue, has had no other problems. The important point is that the CentOS developers can only officially support CentOS kernels.

Linux-VServer is very much like a FreeBSD jail. Rather than a virtual machine like VirtualBox or VMware it's more of a sophisticated chroot environment. It can be useful to add a layer of security if running, for example, a web server. Limits can be set on the guest system's use of resources. By default it dynamically shares the host's memory and CPU and will run at near native speed.

The VServer website has an article explaining the different forms of virtualization as well as a page with various scenarios where it might be a good choice.

The website has a good deal of documentation. Much of this article is taken from there.

Note for Fedora users:

For Fedora users who might have come upon this article, the VServer's Fedora docs are outdated. The facti.net site has an article that, although also somewhat dated, is more current. That article has a link to a second article explaining how to build a custom kernel for Fedora.

One thing that might not be quite clear from either the article or the VServer pages is that to get the latest kernel tarball, download it from the link in the left hand column, under the Linux-VServer branch Linux kernel. The patch mentioned in the article is in the column marked 2.2 Stable or 2.3 Development. The 2.2 and 2.3 numbers refer to the VServer patches, not the kernel itself. The links aren't marked kernel and patch, which can be a bit confusing. They just say 2.6.22.19 for the kernel and vs2.2.0.7 for the patch at time of writing, mid May, 2008.

Preparation for the install

Before installing, a few things have to be done on the host computer. In short, add a yum repo, download the kernel and make a few changes in the host's configuration.

Add the yum repo

Create a new file in /etc/yum/repos.d. The VServer's wiki article calls it dhozac-vserver.repo, which is as good a name as any. The file reads
[dhozac-vserver]
name=Linux-VServer related packages for CentOS $releasever - $basearch
baseurl=http://rpm.hozac.com/dhozac/centos/$releasever/vserver/$basearch
gpgkey=http://rpm.hozac.com/conf/keys/RPM-DHOZAC-GPG-KEY
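
An added check, not part of the original article or the VServer wiki: the repo file above sets no gpgcheck of its own, so signature enforcement for this third-party kernel depends on the [main] section of /etc/yum.conf, and the signing key is fetched over plain HTTP. The shell function below flags both; the pinned variant and its local key path are constructed assumptions.

```shell
# Added example: audit a yum .repo file read on stdin, one finding per line.
audit_repo() {
    awk '
    function report() {
        if (sec == "") return
        if (gpgcheck == "")
            print sec ": gpgcheck not set, inherits [main] in /etc/yum.conf"
        else if (tolower(gpgcheck) !~ /^(1|yes|true)$/)
            print sec ": gpgcheck disabled, unsigned packages accepted"
        if (gpgkey == "")
            print sec ": no gpgkey configured"
        else if (gpgkey ~ /^http:/)
            print sec ": gpgkey fetched over plain http"
    }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ {
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        gpgcheck = ""; gpgkey = ""
        next
    }
    /=/ {
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey = val
    }
    END { report() }
    '
}

# The repo file exactly as this article gives it.
page_repo() {
    cat <<'EOF'
[dhozac-vserver]
name=Linux-VServer related packages for CentOS $releasever - $basearch
baseurl=http://rpm.hozac.com/dhozac/centos/$releasever/vserver/$basearch
gpgkey=http://rpm.hozac.com/conf/keys/RPM-DHOZAC-GPG-KEY
EOF
}

# Constructed variant: explicit gpgcheck, key read from a local file whose
# fingerprint was verified out of band (the local path is an assumption).
pinned_repo() {
    page_repo | grep -v '^gpgkey='
    printf '%s\n' 'gpgcheck=1' 'gpgkey=file:///etc/pki/rpm-gpg/RPM-DHOZAC-GPG-KEY'
}
page_repo | audit_repo      # two findings for the file as given
pinned_repo | audit_repo    # no findings
```

To audit a real file, run audit_repo < /etc/yum/repos.d/dhozac-vserver.repo and check the gpgcheck value under [main] in /etc/yum.conf as well.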

The wiki suggests next updating yum before doing anything else.
yum update yum

Get the VServer kernel

The next step is to get the vs kernel. It is a later version than that used by CentOS so doing
yum update kernel kernel-devel

will download the VServer kernel, 2.6.22.19-vs2.3.0.34.1 at time of writing. The kernel-devel rpm is helpful if any rebuilding has to be done, otherwise, it may be unnecessary. The installation should automatically add an entry to grub.

Host configuration changes.

If the reader has any third party modules, they will have to be redone against the new kernel. At present, the r8168 module for the increasingly common Realtek onboard network adapter is one of them. (This should change in the upstream provider's next version, which will probably make it to CentOS by mid June of 2008.) If using the rpmforge dkms version, it is relatively simple.

Once the new kernel is installed, there will be a new entry for it in /lib/modules. For ease of typing, the current CentOS kernel of 2.6.18-53.1.19.el5 will be shortened to 2.6.18 and the VServer kernel shortened to 2.6.22-vs. Use the real names in /lib/modules, rather than the shortened names here.

The r8168 module will be in /lib/modules/2.6.18/extras. Copy it to the /lib/modules entry for the new kernel, then run depmod.
cd /lib/modules
cp 2.6.18/extras/r8168.ko 2.6.22-vs/extras
depmod 2.6.22-vs

This pattern should work for any dkms modules.

In the case of NVidia, or any module downloaded from a manufacturer's website, the module will probably have to be rebuilt after booting into the new kernel. Therefore, if the module in question is for a network card, be sure to download any necessary files before rebooting.

One other pre-installation consideration is that if planning to use ssh to access the virtual guest, you will have to edit the host's /etc/ssh/sshd_config file. The default is to listen on all addresses. However, the guest will have its own address, so edit the host's sshd_config to only listen on its (the host's) own IP address. Change the line in /etc/ssh/sshd_config that reads
#ListenAddress 0.0.0.0

Uncomment it by removing the # sign and change the ListenAddress to the host's IP. If the host system has an IP address of 192.168.1.80 change that line to read
ListenAddress 192.168.1.80

Then restart ssh.
/etc/init.d/sshd restart
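
An added check, not part of the original article: with no active ListenAddress line, sshd binds every address on the machine, the guest's included. The function below classifies an sshd_config against the host IP; the two sample configs are constructed from the lines shown above.

```shell
# Added example: classify what an sshd_config read on stdin binds to.
# $1 is the host IP; prints "wildcard", "host-only" or "mixed: <other addresses>".
listen_scope() {
    awk -v host="$1" '
    { sub(/#.*/, "") }
    tolower($1) == "listenaddress" {
        addr = $2
        if (addr ~ /^\[/) {
            sub(/^\[/, "", addr); sub(/\](:[0-9]+)?$/, "", addr)
        } else if (addr ~ /^[^:]*:[0-9]+$/) {
            sub(/:[0-9]+$/, "", addr)
        }
        n++
        if (addr == "0.0.0.0" || addr == "::") wild = 1
        else if (addr != host) other = other " " addr
    }
    END {
        if (n == 0 || wild) print "wildcard"
        else if (other != "") print "mixed:" other
        else print "host-only"
    }'
}

# Constructed samples: the commented default and the edited line from this article.
default_cfg() { printf '%s\n' 'Port 22' '#ListenAddress 0.0.0.0'; }
edited_cfg()  { printf '%s\n' 'Port 22' 'ListenAddress 192.168.1.80'; }

default_cfg | listen_scope 192.168.1.80   # wildcard
edited_cfg  | listen_scope 192.168.1.80   # host-only
```

On the host, run listen_scope 192.168.1.80 < /etc/ssh/sshd_config after the edit; anything other than host-only means the host's sshd is still listening somewhere besides its own address.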

Install a few necessary packages for using the guest system.
yum install util-vserver{,-core,-lib,-sysv,-build}

There will now be a few new entries in /etc/init.d. Set vprocunhide and util-vserver to run at boot. (This may be done automatically by the installation.)
chkconfig util-vserver on
chkconfig vprocunhide on

Reboot into the new kernel.

Installing the guest system.

The VServer document on building guests gives several different methods. In this case, we will install a CentOS guest. The two easiest methods for CentOS are using a template and using yum.

There is already a template for a minimal CentOS installation. One can download the image from sandio.net and use the template method. At time of writing, there is only a 32 bit template image for CentOS 5.

If using this method, store the template, a tar.bz2 image, somewhere. (The VServer document gives an example of /vservers/.templates.) Don't decompress and untar it; the build method uses it as it is.

The template can be used on other systems. For example, if you have installed the VServer kernel on Fedora, you can build a CentOS guest.

In the examples, the guest system will be called vcentos. The domain will be example.com. Replace all instances of vcentos with the name that you give your server and use your domain name rather than example.com. The command is typed on a single line. (Depending upon screen size and resolution, many browsers will show it on multiple lines.)
vserver vcentos build -m template --hostname vcentos.example.com --interface eth0:192.168.1.70/24 -- -d centos5 -t /vservers/.templates/centos-5-i686-2007-07-14.tar.bz2

Explanation:
vserver vcentos. The guest name without the domain. Replace this with the name you choose to give your guest.

build -m template. The -m is for method, in this case, the template method of building.

--hostname. The full hostname of the guest, including domain.

--interface eth0:192.168.1.70/24. The interface and IP address of the guest system. It should be on the same subnet as the host. In this case, we're using the typical 192.168.1.0/24 subnet. (For those unfamiliar with the meaning of that, it's the same as having a netmask of 255.255.255.0).

-- -d centos5. A -- as a separator and the name of the distribution you're using. If you'd downloaded a Fedora 8 image, you would use -d fedora8.

The -- - isn't a typo. The build command is divided into different parts, and the -- serves to separate them. The first part has the basic configuration options, in this case, everything up to and including the --interface section. The second part, separated by the -- gives the distribution and, in this case, the template's location.

-t /vservers/.templates/centos-5-i686-2007-07-14.tar.bz2. The -t is for the template being used, so give the command the full path to that template.

Installing with Yum

To install a 64 bit CentOS guest (only on a 64 bit host) use the yum method of installation.
vserver vcentos build -m yum --hostname vcentos.example.com --interface eth0:192.168.1.70/24 -- -d centos5

This will pull in a very minimal installation, consisting of the base system, gcc and a few other things.

To install a Fedora 8 guest change the -d to f8. A list of available distributions can be found in /usr/lib/util-vserver/distributions. (On a 64 bit host, the list is in /usr/lib64/util-vserver/distributions.)

Configuring the guest

Package management
The newly installed guest is a minimal system. Commands like less, which, passwd, and vi are missing. Packages can be managed from the host or within the guest.

To manage packages from the host, use the vyum command. The syntax is
vyum <servername> -- install <package_name>

For example, to install the passwd command on our guest system
vyum vcentos -- install passwd

You will see a typical yum dialog, showing what will be downloaded and asking is this OK. After typing y for yes, you will see the package installing.

The guest system does not have to be running for this command to work.

However, if the package name is incorrect, for example, using vi instead of vim-minimal or vim-enhanced, it may give you no indication that it didn't work save for the fact that you haven't seen the typical yum dialog. It may do nothing more than briefly pause, then return you to the command prompt. If you don't see the typical yum dialog, then the package was not installed. If you've given the wrong package name, you might see the typical yum dialog ending with the message Nothing to do, however this is not always the case.

To manage packages within the guest, first install yum with vyum. Then run vserver pkgmgmt internalize.
vyum vcentos -- install yum
vserver vcentos pkgmgmt internalize

If yum didn't install correctly, the pkgmgmt command will give an error.

Further configuration
The files of the guest live in /etc/vservers/vcentos/vdir. You can edit them before starting the server. (Remember, vcentos is our example server; replace that with the name you gave your server.)

Start the guest system.
vserver vcentos start

To enter your server for further configuration
vserver vcentos enter

You will be placed at a root prompt. This default install has no /etc/shadow, so you will be unable to set root's password. To remedy this, assuming you've installed the passwd command with vyum (or with yum, if you've configured it on the guest) run
pwconv

This will create the /etc/shadow file. You can now set a password for root in the usual way.

If you plan to access the guest system via ssh, (also not installed by default on the guest--you have to install openssh-server and client) /etc/pam.d/sshd has to be modified on the guest. As per the VServer FAQ, on CentOS and Fedora guests, comment out the last line of the guest's /etc/pam.d/sshd file. It reads
session    required     pam_loginuid.so

Comment that line out by putting a # in front of it.

At this point, you can configure your guest system as you would any other CentOS system. For example, if using the VServer system to add an extra layer of security to a web server, you would now install httpd and configure the appropriate files on the guest.

Running the VServer at host startup

To have your default vserver guest start when the host boots, first activate the /etc/init.d/vserver-default script.
chkconfig vserver-default on

Then go to /etc/vservers/vcentos/apps/init. (Replace vcentos with your server's name.)
echo default > mark

In other words, you're creating a file called mark consisting of the single word, default. Next time you boot the host system, the VServer guest called vcentos will also start.

This has been a fairly simple introduction. One can run multiple hosts, limit resources used by a host and several other things. The reader would do well to visit the VServer website for more information.


This work is licensed under a Creative Commons License