docs:vserver [2013-07-06 18:35] glen [Running auditd inside guest]
docs:vserver [2013-12-06 16:30] glen [cgroups with libcgroup]
Line 1009: | Line 1009: | ||
* add ''quota_ctl'' to ''/etc/vservers/test/ccapabilities'': | * add ''quota_ctl'' to ''/etc/vservers/test/ccapabilities'': | ||
- | * restart your vserver and run ''edquota'' inside | + | * restart your vserver and run ''edquota'' inside |
===== Network namespace in vservers ===== | ===== Network namespace in vservers ===== | ||
+ | |||
+ | Starting from util-vserver 0.30.216-1.pre3054 there is basic support for creating network namespaces with interfaces inside. | ||
+ | |||
+ | Enabling netns and two capabilities: NET_ADMIN (allows interfaces in guest to be managed) and NET_RAW (makes iptables working). | ||
+ | |||
+ | |||
+ | <file>mkdir /etc/vservers/test/spaces | ||
+ | touch /etc/vserver/test/spaces/net | ||
+ | echo NET_ADMIN >> /etc/vservers/test/bcapabilities | ||
+ | echo NET_RAW >> /etc/vservers/test/bcapabilities | ||
+ | echo 'plain' > /etc/vservers/test/apps/init/style | ||
+ | </file> | ||
+ | |||
+ | Avoid context isolation since it makes little sense when using network namespaces: | ||
+ | <file>touch /etc/vserver/test/noncontext</file> | ||
+ | |||
+ | Configure interfaces: | ||
+ | |||
+ | 0 - arbitrary directory name, just for ordering | ||
+ | |||
+ | myiface0 will be interface name inside of guest (optional, default geth0, | ||
+ | geth1 and so on) | ||
+ | |||
+ | veth-host - interface name on the host side | ||
+ | |||
+ | <file> | ||
+ | mkdir -p /etc/vservers/test/netns/interfaces/0 | ||
+ | echo myiface0 > /etc/vservers/test/netns/interfaces/guest | ||
+ | echo veth-host > /etc/vservers/test/netns/interfaces/host | ||
+ | </file> | ||
+ | |||
+ | !!! FINISH ME. FINISH ME. FINISH ME. !!! | ||
+ | |||
+ | ===== Network namespace in vservers (OLD WAY) ===== | ||
Enabling netns and two capabilities: NET_ADMIN (allows interfaces in guest to be managed) and NET_RAW (makes iptables working). | Enabling netns and two capabilities: NET_ADMIN (allows interfaces in guest to be managed) and NET_RAW (makes iptables working). | ||
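Review bot: the interface configuration in the new section is internally inconsistent: `mkdir -p /etc/vservers/test/netns/interfaces/0` creates the per-interface ordering directory that the prose just introduced, but the two `echo` lines that follow write to `/etc/vservers/test/netns/interfaces/guest` and `/etc/vservers/test/netns/interfaces/host`, outside that directory; either the `echo` targets should be `.../netns/interfaces/0/guest` and `.../netns/interfaces/0/host`, or the `mkdir` and the explanation of `0` should be dropped. The `!!! FINISH ME. FINISH ME. FINISH ME. !!!` marker leaves the section without the steps a reader needs to actually use it (what is done with `veth-host` on the host side, and how to check that the guest really ends up in its own namespace), so it should either be completed or flagged as work in progress in the heading rather than mid-text. Two smaller documentation gaps: `echo 'plain' > /etc/vservers/test/apps/init/style` is added without saying why the init style has to change for netns, and the sentence adding `NET_ADMIN` and `NET_RAW` to `bcapabilities` should make explicit that these are only meant to be granted together with `spaces/net`, since without a separate network namespace the guest's `NET_ADMIN` would act on the host's network stack.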
Line 1017: | Line 1052: | ||
- | <file>mkdir /etc/vserver/test/spaces | + | <file>mkdir /etc/vservers/test/spaces |
- | touch /etc/vserver/test/spaces/net | + | touch /etc/vservers/test/spaces/net |
echo NET_ADMIN >> /etc/vservers/test/bcapabilities | echo NET_ADMIN >> /etc/vservers/test/bcapabilities | ||
echo NET_RAW >> /etc/vservers/test/bcapabilities | echo NET_RAW >> /etc/vservers/test/bcapabilities | ||
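Review bot: the `/etc/vserver/` to `/etc/vservers/` correction in the two changed `mkdir` and `touch` lines is right and brings them in line with the unchanged `bcapabilities` lines below, but the same misspelling is reintroduced in the new section added above this hunk (`touch /etc/vserver/test/spaces/net` and `touch /etc/vserver/test/noncontext`); those two lines need the identical fix, otherwise the `spaces/net` and `noncontext` flags end up outside the guest's configuration directory and have no effect.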
Line 1119: | Line 1154: | ||
</file> | </file> | ||
For these to work you need at least util-vserver-0.30.216-1.pre2955.3 (that .3 is important) and turn on per subsys support by doing: | For these to work you need at least util-vserver-0.30.216-1.pre2955.3 (that .3 is important) and turn on per subsys support by doing: | ||
- | |||
<file># mkdir /etc/vservers/.defaults/cgroup | <file># mkdir /etc/vservers/.defaults/cgroup | ||
# touch /etc/vservers/.defaults/cgroup/per-ss | # touch /etc/vservers/.defaults/cgroup/per-ss | ||
+ | </file> | ||
+ | |||
+ | ===== cgroups mountpoint ===== | ||
+ | |||
+ | if you have cgroups mounted somewhere else, you can inform vserver of that (it searching in ''/sys/fs/cgroup'' by default) | ||
+ | |||
+ | <file> | ||
+ | none /dev/cgroup cgroup cpuset,cpu,cpuacct,devices,freezer,net_cls 0 0 | ||
+ | </file> | ||
+ | |||
+ | you need to tell vserver where it mounted: | ||
+ | <file> | ||
+ | # cat /etc/vservers/.defaults/cgroup/mnt | ||
+ | /dev/cgroup | ||
</file> | </file> |
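Review bot: the `<file>` block holding `none /dev/cgroup cgroup cpuset,cpu,cpuacct,devices,freezer,net_cls 0 0` is shown without saying what it is; it is an `/etc/fstab`-style mount entry, and the lead sentence should say so. The two lead sentences also need grammar fixes: "it searching in ''/sys/fs/cgroup'' by default" should read "it searches in ''/sys/fs/cgroup'' by default", and "you need to tell vserver where it mounted" should read "where it is mounted". For consistency with the rest of the page, which shows settings being created with `echo ... >` or `touch`, the `# cat /etc/vservers/.defaults/cgroup/mnt` / `/dev/cgroup` pair would be clearer written as the command that creates the file, `echo /dev/cgroup > /etc/vservers/.defaults/cgroup/mnt`, with a note that, like `per-ss`, this lives under `.defaults` and therefore applies to every guest on the host.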