ADMIN+Magazine+Sample+PDF

Recommendations

Info

Virtualization OpenVZ After restarting the VE, you should be able to ping it from within the host context. After entering the VE, you should also be able to ping the host or another client (Figure 6). For more details on the network configuration, see the “Network Modes” box. OpenVZ Administration The vzctl tool handles a number of additional configuration tasks. Besides starting, stopping, entering, and exiting VEs, you can use the ‐set option to set a number of operational parameters. Running vzlist in the host context displays a list of the currently active VEs, including some additional information such as the network parameter configuration (Figure 7). In the VE, you can display the process list in the usual way by typing ps. And, if the package sources are configured correctly, patches and software updates should work in the normal way using apt, yum, or yast depending on your guest system. For the next step, it is a good idea to enter the VE by typing vzctl enter VEID. Then, you can set the root password, create more users, and assign the privileges you wish to give them; otherwise, you can only use the VEs in trusted environments. Figure 9: Virtual Ethernet devices make the VE a full-fledged member of the network with all its advantages and disadvantages. Without additional configuration, the use of VEs is a security risk because only one host kernel exists, and each container has a superuser. Besides this, you need to be able to restrict the resources available to each VE, such as the disk and memory and the CPU cycles in the host context. OpenVZ has a set of configuration parameters for defining resource limits known as User Bean Counters (UBCs) [8]. The parameters are classified by importance in Primary, Secondary, and Auxiliary. Most of these parameters can also be set with vzctl set (Figure 8). For example, you can enter sudo vzctl set 100 ‐‐cpus 2 to set the maximum number of CPUs for the VE. The maximum permitted disk space is set by the ‐‐diskspace parameter. A colon between two values lets you specify a minimum and maximum limit: sudo vzctl set 100 ‐‐diskspace 8G:10G U ‐‐quotatime 300 Incidentally, sudo vzlist ‐o lists all the set UBC parameters. Note that some UBC parameters can clash, so you will need to familiarize yourself with the details by reading the exhaustive documentation. To completely remove a container from the system, just type the sudo vzctl destroy command. Conclusions Resource containers with OpenVZ offer a simple approach to running virtual Linux machines on a Linux host. According to the developers, the Network Modes In many cases, a venet device is all you need in the line of network interfaces in a VE. Each venet device sets up a point-to-point connection to the host context and can be addressed using an IP address from the host context. Venet devices have a couple of drawbacks, however: They don’t have a MAC address and thus don’t support ARP or broadcasting, which makes it impossible to use DHCP to assign IP addresses. Also, network services like Samba rely on functional broadcasting. A virtual Ethernet (veth) device solves this problem (Figure 9). These devices are supported by a kernel module that uses vzctl to present a virtual network card to the VE. The vzethdev sets up two Ethernet devices: one in the host context and one in the VE. The devices can be named individually, and you can manually or automatically assign a MAC address to them. The host-side device can also reside on a bridge to give the VE a network environment that is visible in the host context. Within the container, the administrator can then use Linux tools to configure the network interface with a static address or even use DHCP. The kernel module is loaded when the OpenVZ kernel boots. You can check that you have it by issuing the sudo lsmod | grep vzethdev command. To configure a veth device in the container, run sudo vzctl set 101 ‐‐netif_add eth0 ‐‐save where eth0 is the interface name in the container context. The device name in the host context defaults to vethVEID. If needed, you can assign MAC addresses and device names explicitly. The device can be listed in the host context in the normal way with ifconfig. The number following the dot (0) refers to the device number; here, this is the first veth device in the container with the VEID of 100: sudo ifconfig veth100.0 A bridge device is the only thing missing for host network access; to set this up host-side, give the sudo brtcl addbr vmbr0 command, then sudo brctl addif vmbr0 verth100.0 to bind it to the veth device, assuming bridge‐utils is installed. Host-side you now have the interfaces l0, eth0, venet0, and veth100.0. If the bridge device is set up correctly, brctl show gives you a listing similar to Figure 10. The additional veth device set up here, 100.1, is for test purposes only and is not important to further steps. Virtual network devices are slightly slower than venet devices. Also, security might be an issue with a veth device – this places a full-fledged Ethernet device in the container context, which the container owner could theoretically use to sniff all the traffic outside the container. 56 Admin 01 www.admin-magazine.com
OpenVZ Virtualization OpenVZ kernel requires just a couple of simple steps, and the template system gives you everything you need to set up guest Linux distributions quickly. OpenVZ has a head start of several years development compared with modern hypervisor solutions such as KVM and is thus regarded as mature. Unfortunately, the OpenVZ kernel lags behind vanilla kernel development. However, if you are thinking of deploying OpenVZ commercially, you might consider its commercial counterpart Virtuozzo. Besides support, there are a number of aspects to take into consideration when using resource containers. For example, hosting providers need to offer customers seamless administration via a web interface, with SSH and FTP, or by both methods; of course, the security concerns mentioned previously cannot be overlooked. Parallels offers seamless integration of OpenVZ with Plesk and convenient administrations tools for, say, imposvirtualization overhead with OpenVZ is only two to three percent more CPU and disk load: These numbers compare with the approximately five percent quoted by the Xen developers. The excellent values for OpenVZ are the result of the use of only one kernel. The host and guest kernels don’t need to run identical services, and caching effects for the host and guest kernels do not interfere with each other. The containers themselves provide a complete Linux environment without installing an operating system. The environment only uses the resources that the applications running in it actually need. The only disadvantage of operating system virtualization compared with paravirtualization or hardware virtualization is that, apart from the network interfaces, it is not possible to assign physical resources exclusively to a single guest. Otherwise, you can do just about anything in the containers, including installing packages and providing services. Additionally, setting up the ing resource limits in the form of the GUI-based Parallels Management Console [9] or Parallels Infrastructure Manager [10]. The excellent OpenVZ wiki covers many topics, such as the installation of Plesk in a VE or setting up an X11 system [11]. OpenVZ is the only system that currently offers Linux guest systems a level of performance that can compete with that of a physical system without sacrificing performance to the implementation itself. This makes OpenVZ a good choice for virtualized Linux servers of any kind. n Info [1] Linux VServer: [http:// linux‐vserver. org/ Welcome_to_Linux‐VServer. org] [2] OpenVZ: [http:// wiki. openvz. org/ Main_Page] [3] Virtuozzo: [http:// www. parallels. com/ de/ products/ pvc45] [4] User-Mode Linux: [http:// user‐mode‐linux. sourceforge. net] [5] OpenVZ quick install guide: [http:// wiki. openvz. org/ Quick_installation] [6] Creating your own OpenVZ templates: [http:// wiki. openvz. org/ Category:Templates] [7] Prebuilt OpenVZ templates: [http:// wiki. openvz. org/ Download/ template/ precreated] [8] OpenVZ User Bean Counters: [http:// wiki. openvz. org/ UBC_parameters_table] [9] Parallels Management Console: [http:// www. parallels. com/ de/ products/ virtuozzo/ tools/ vzmc] [10] Parallels Infrastructure Manager: [http:// www. parallels. com/ de/ products/ pva45] [11] X11 forwarding: [http:// wiki. openvz. org/ X_inside_VE] [12] Live migration: [http:// openvz. org/ documentation/ mans/ vzmigrate. 8] Figure 10: This example includes one venet and one veth device in the host context. The latter is physically connected to the host network via a bridge device. The host-side veth bridge looks like a normal Ethernet device (eth0) from the container context. The Author Thomas Drilling has been a freelance journalist and editor for scientific and IT magazines for more than 10 years. With his editorial office team, he regularly writes on the subject of open source, Linux, servers, IT administration, and Mac OS X. In addition to this, Thomas Drilling is also a book author and publisher, a consultant to small and medium-sized companies, and a regular speaker on Linux, open source and IT security. www.admin-magazine.com Admin 01 57
Page 1 and 2:
ADMIN Network & Security Rescue CD
Page 3 and 4:
Welcome to Admin WELCOME ALL FOR AD
Page 5 and 6: Table of Contents SERVICE 8 Spacewa
Page 7 and 8: POWERHOUSE PERL 11 cool projects! F
Page 9 and 10: Spacewalk Features configuration fi
Page 11 and 12: Spacewalk Features Figure 2: Assign
Page 13 and 14: Spacewalk Features kickstart profil
Page 15 and 16: Icinga Features Table 1: States Opt
Page 17 and 18: Icinga Features ministrators only n
Page 19 and 20: Icinga Features Figure 6: Network o
Page 21 and 22: MySQL Forks and Patches Features th
Page 23 and 24: MySQL Forks and Patches Features In
Page 25 and 26: Exchange 2010 Features © peapop, F
Page 27 and 28: they can now synchronize text messa
Page 29 and 30: Backup Software Features data. One
Page 31 and 32: Backup Software Features tended), l
Page 33 and 34: Backup Software Features Two “wiz
Page 35 and 36: Backup & Disaster Recovery Georgeto
Page 37 and 38: OCFS2 Tools ing. OCFS2 is fairly si
Page 39 and 40: OCFS2 Tools F Figure 2: Unspectacul
Page 41 and 42: To do this, you need to change the
Page 43 and 44: Synergy Tools Figure 1: Synergy as
Page 45 and 46: SystemTap Tools The SystemTap [3] t
Page 47 and 48: SystemTap Tools Instead of searchin
Page 49 and 50: Package Your Scripts Virtualization
Page 51 and 52: Linux Magazine ACADEMY curl U http:
Page 53 and 54: openVz VirtuAlizAtion live migratio
Page 55: OpenVZ Virtualization a number of c
Page 59 and 60: AND SAVE 30%! ADMIN Network & Secur
Page 61 and 62: Virtual Machine Manager Virtualizat
Page 63 and 64: Virtual Machine Manager Virtualizat
Page 65 and 66: Teamviewer Management and be contro
Page 67 and 68: NOV. 7-12 2010 24th Large Installat
Page 69 and 70: Chef Management Server Provides rec
Page 71 and 72: Chef Management ‐r http://s3.amaz
Page 73 and 74: Chef Management Figure 5: The clien
Page 75 and 76: Sysinternals Management AdInsight a
Page 77 and 78: Sysinternals Management Name Table
Page 79 and 80: PAM and Hardware Nuts and Bolts Fig
Page 81 and 82: November 13-19, 2010 • Ernest N.
Page 83 and 84: PAM and Hardware Nuts and Bolts to
Page 85 and 86: ON NEWSSTANDS NOW ! UBUNTU USER MAG
Page 87 and 88: modSecurity nutS And boltS complex
Page 89 and 90: ModSecurity Nuts and bolts Insider
Page 91 and 92: REAL SOLUTIONS FOR REAL NETWORKS Ea
Page 93 and 94: Daemon Monitoring Nuts and Bolts Fi
Page 95 and 96: VPns with SSTP nuTS And BoLTS Hands
Page 97 and 98: VPNs with SSTP Nuts and Bolts Figur
Page 100: DEDICATED SERVERS £59 FROM PER MON
show all

ADMIN+Magazine+Sample+PDF

Create successful ePaper yourself

Delete template?

Save as template?