Differences

This shows you the differences between two versions of the page.

--- docs:vserver [2013-03-16 21:42] – [cgroups with libcgroup] arekm
+++ docs:vserver [2015-10-05 15:07] (current) – syn on glen
@@ Line 15: / Line 15: @@
 ===== Installing Vserver host on PLD Linux =====
-vserver support is included in PLD Linux main kernels, so you can just install kernel package
+Ensure you have appropriate [[packages:kernel]] installed.
-<file>
-# poldek -u kernel
-</file>
-or alternatively, a longterm stable kernel:
-<file>
-# poldek -u kernel-longterm
-</file>
+You can check this from kernel config:
+<code>
+# modprobe configs
+# zgrep CONFIG_VSERVER /proc/config.gz
+CONFIG_VSERVER=y
+</code>
 ===== Installing guest PLD Linux Vserver =====
@@ Line 65: / Line 62: @@
 If you need to use another combination, then there are two versions of PLD available for guest systems:
-  * pld-ac - [[:AcInfo|PLD 2.0 (Ac)]]
+  * pld-ac - [[:ac|PLD 2.0 (Ac)]]
-  * pld-th - [[:ThInfo|PLD 3.0 (Th)]]
+  * pld-th - [[:th|PLD 3.0 (Th)]]
 You may choose one using ''-d'' option:
@@ Line 395: / Line 392: @@
 [[http://www.solucorp.qc.ca/howto.hc?projet=vserver&amp;id=72|http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=72]]
-You can use //lcap// program to see available capatabilities:
+You can use //lcap// program to see available capabilities:
@@ Line 579: / Line 576: @@
 ==== Running 32 bit vserver on an 64 bit host ====
-With recent PLD util-vserver package you can create 32-bit guest systems inside a 64-bit host. First you need to prepare a new distribution definition skeleton:
+With recent [[package>util-vserver]] package you can create 32-bit guest systems inside a 64-bit host.
+To specify arch during guest creation, use ''-d'' option, and to change what ''uname'' returns, use arguments ''%%--personality linux_32bit --machine i686%%'':
-<file># mkdir -p /etc/vservers/.distributions/pld-th-i686/poldek/repos.d
+<file># vserver test build --context <num> -n test -m poldek -- -d pld-th-i686 --personality linux_32bit --machine i686
 </file>
-Then copy your repository configuration to ''/etc/vservers/.distributions/pld-th-i686/poldek/repos.d/pld.conf'' and change the architecture and source paths to your liking. When configuration is ready, create a new guest vserver using the ''-d'' command line option:
+If you need to set ''uts'' parameters afterwards, you can just echo them:
+<file>
-<file># vserver test build --context <num> -n test -m poldek -- -d pld-th-i686
+# echo linux_32bit >> /etc/vservers/test/personality
+# echo i686 > /etc/vservers/test/uts/machine
 </file>
-Later to force i686 32bit use:
-<file># echo linux_32bit >> /etc/vservers/test/personality
-# echo i686 > /etc/vservers/test/uts/machine
-</file>
-however, you can do that at vserver build time using arguments ''--personality linux_32bit --machine i686''.
@@ Line 719: / Line 710: @@
+==== Running auditd inside guest ====
+You need ''CAP_AUDIT_CONTROL'' in ''bcapabilities'' and lower ''priority_boost'' to ''0'' in ''/etc/audit/auditd.conf''
+==== XFS filesystem - kernel upgrade causes xfs related oops (xfs_filestream_lookup_ag) ====
+After upgrading from 2.6-3.4 kernels (possibly other versions) to 3.18 (tested, possibly other versions) kernel ooppses
+almost immediately after accessing some files on xfs filesystem with ''xfs_filestream_lookup_ag'' visible in stack trace
+(or other filestream related function).
+That's because vserver patch for kernels earlier than 2.6.23 patched xfs filesystem to introduce new flag:
+<file c>
+#define XFS_XFLAG_BARRIER     0x00004000      /* chroot() barrier */
+</file>
+and files/dirs with such flag got saved on your filesystem.
+Starting with kernel 2.6.23 kernel introduced filestreams which are using 0x00004000 bit, thus causing conflict with vserver.
+<file c>
+#define XFS_XFLAG_FILESTREAM   0x00004000      /* use filestream allocator */
+</file>
+Vserver stopped adding such xfs xflag in 3.13 BUT your existing filesystem can still have XFS_XFLAG_BARRIER (0x00004000) set
+causing oops in newer kernels.
+How to find out if I'm affected?
+IIF you don't use filestream feature then modify http://oss.sgi.com/cgi-bin/gitweb.cgi?p=xfs/cmds/xfstests.git;a=blob_plain;f=src/bstat.c;hb=HEAD to show only files containing XFS_XFLAG_FILESTREAM
+<file diff>
+diff --git a/src/bstat.c b/src/bstat.c
+index 4e22ecd..887512f 100644
+--- a/src/bstat.c
++++ b/src/bstat.c
+@@ -34,19 +34,21 @@ dotime(void *ti, char *s)
+ void
+ printbstat(xfs_bstat_t *sp)
+ {
+-       printf("ino %lld mode %#o nlink %d uid %d gid %d rdev %#x\n",
+-               (long long)sp->bs_ino, sp->bs_mode, sp->bs_nlink,
+-               sp->bs_uid, sp->bs_gid, sp->bs_rdev);
+-       printf("\tblksize %d size %lld blocks %lld xflags %#x extsize %d\n",
+-               sp->bs_blksize, (long long)sp->bs_size, (long long)sp->bs_blocks,
+-               sp->bs_xflags, sp->bs_extsize);
+-       dotime(&sp->bs_atime, "atime");
+-       dotime(&sp->bs_mtime, "mtime");
+-       dotime(&sp->bs_ctime, "ctime");
+-       printf( "\textents %d %d gen %d\n",
+-               sp->bs_extents, sp->bs_aextents, sp->bs_gen);
+-       printf( "\tDMI: event mask 0x%08x state 0x%04x\n",
+-               sp->bs_dmevmask, sp->bs_dmstate);
++       if (sp->bs_xflags & XFS_XFLAG_FILESTREAM) {
++               printf("ino %lld mode %#o nlink %d uid %d gid %d rdev %#x\n",
++                               (long long)sp->bs_ino, sp->bs_mode, sp->bs_nlink,
++                               sp->bs_uid, sp->bs_gid, sp->bs_rdev);
++               printf("\tblksize %d size %lld blocks %lld xflags %#x extsize %d\n",
++                               sp->bs_blksize, (long long)sp->bs_size, (long long)sp->bs_blocks,
++                               sp->bs_xflags, sp->bs_extsize);
++               dotime(&sp->bs_atime, "atime");
++               dotime(&sp->bs_mtime, "mtime");
++               dotime(&sp->bs_ctime, "ctime");
++               printf( "\textents %d %d gen %d\n",
++                               sp->bs_extents, sp->bs_aextents, sp->bs_gen);
++               printf( "\tDMI: event mask 0x%08x state 0x%04x\n",
++                               sp->bs_dmevmask, sp->bs_dmstate);
++       }
+ }
+</file>
+and then run it with mounted directory of each filesystem (bstat /; bstat /home etc). It will print "ino ..." information for filestream files.
+How to clean up?
+rsync files to other partition, recreate problematic partition and then copy files back.
 ===== Debian or Ubuntu guest installation =====
@@ Line 1006: / Line 1074: @@
   * add ''quota_ctl'' to ''/etc/vservers/test/ccapabilities'':
   * restart your vserver and run ''edquota'' inside
 ===== Network namespace in vservers =====
+Starting from util-vserver 0.30.216-1.pre3054 there is basic support for creating network namespaces with interfaces inside.
+Enabling netns and two capabilities: NET_ADMIN (allows interfaces in guest to be managed) and NET_RAW (makes iptables working).
+<file>mkdir /etc/vservers/test/spaces
+touch /etc/vserver/test/spaces/net
+echo NET_ADMIN >> /etc/vservers/test/bcapabilities
+echo NET_RAW >> /etc/vservers/test/bcapabilities
+echo 'plain' > /etc/vservers/test/apps/init/style
+</file>
+Avoid context isolation since it makes little sense when using network namespaces:
+<file>touch /etc/vserver/test/noncontext</file>
+Configure interfaces:
+- arbitrary directory name, just for ordering
+myiface0 will be interface name inside of guest (optional, default geth0,
+geth1 and so on)
+veth-host - interface name on the host side
+<file>
+mkdir -p /etc/vservers/test/netns/interfaces/0
+echo myiface0 > /etc/vservers/test/netns/interfaces/guest
+echo veth-host > /etc/vservers/test/netns/interfaces/host
+</file>
+!!! FINISH ME. FINISH ME. FINISH ME. !!!
+===== Network namespace in vservers (OLD WAY) =====
 Enabling netns and two capabilities: NET_ADMIN (allows interfaces in guest to be managed) and NET_RAW (makes iptables working).
@@ Line 1014: / Line 1117: @@
-<file>mkdir /etc/vserver/test/spaces
+<file>mkdir /etc/vservers/test/spaces
-touch /etc/vserver/test/spaces/net
+touch /etc/vservers/test/spaces/net
 echo NET_ADMIN >> /etc/vservers/test/bcapabilities
 echo NET_RAW >> /etc/vservers/test/bcapabilities
@@ Line 1116: / Line 1219: @@
 </file>
 For these to work you need at least util-vserver-0.30.216-1.pre2955.3 (that .3 is important) and turn on per subsys support by doing:
 <file># mkdir /etc/vservers/.defaults/cgroup
 # touch /etc/vservers/.defaults/cgroup/per-ss
+</file>
+===== cgroups mountpoint =====
+if you have cgroups mounted somewhere else, you can inform vserver of that (it searching in ''/sys/fs/cgroup'' by default)
+<file>
+none        /dev/cgroup     cgroup  cpuset,cpu,cpuacct,devices,freezer,net_cls  0 0
+</file>
+you need to tell vserver where it mounted:
+<file>
+# cat /etc/vservers/.defaults/cgroup/mnt
+/dev/cgroup
 </file>