Vserver: For hosting projects I use this scheme: each service runs in its own isolated environment: production separately, test separately, telephony separately, web separately. This limits the damage when one system is compromised, lets me back up everything with a single rsync to the neighbouring server from cron, and if the hardware dies I simply bring the guests up on the next box. (Using drbd + corosync lets this happen automatically.)

There are two approaches to building an isolated environment: VDS (hardware virtualization) and VPS / jail (process-space, i.e. OS-level, virtualization).

For VDS isolation you use XEN, VirtualBox, VMware and other virtual machines.
For a VPS on Linux you use linux-vserver, openvz or lxc.

Advantages of VDS: the guest can be anything at all; you can run different kernel versions or install another OS entirely.
Disadvantages of VDS: high I/O performance loss, and extra CPU and RAM spent on guest services that duplicate those already running on the host OS.

Advantages of VPS: extremely low overhead, spent only on isolation; only the services you actually need are started.
Disadvantages of VPS: you can run only Linux, and only the kernel version the host is already running.

Since I do not need different operating systems, I use linux-vserver everywhere (historically: I have been using it since 2004, and openvz was released to the public in 2005), and lxc, in my view, is not yet mature enough for production (although it is already very close).

Below I describe the basic steps for launching a LAMP server in an isolated environment.

OS: Debian stable, 64-bit
Starting with Wheezy, Debian dropped vserver support from its kernels, so I use the kernel from repo.psand.net/info/

Configuring the host (root) system to run linux-vserver

  echo "deb http://repo.psand.net/ wheezy main" > /etc/apt/sources.list.d/psand.list
  # the repository key is fetched over plain HTTP: compare its fingerprint with a copy obtained out of band before trusting the repository
  wget -O - http://repo.psand.net/pubkey.txt | sudo apt-key add -
  aptitude update
  aptitude search linux-image-vserver
  aptitude install linux-image-vserver-3.13-beng util-vserver curl bzip2
  # nss_vserver and vslogin (see below); both tarballs also arrive over plain HTTP, and vslogin ends up setuid root, so review what you build
  curl http://dev.call2ru.com/vs/nss_vserver_64.tar.bz2 | tar xfj -
  cd nss_vserver_64
  make
  make install
  ln -s var/lib/vservers /
  curl http://dev.call2ru.com/vs/vserverauth.tar.gz | tar xfz -
  cd vserverauth/vslogin/
  make
  cp vslogin /sbin/
  chmod u+s /sbin/vslogin
  echo /sbin/vslogin >> /etc/shells
  # dummy0: a "private" network for the guests, masqueraded on the way out
  echo -e "auto dummy0\niface dummy0 inet static\n\taddress 192.168.1.250\n\tnetmask 255.255.255.0\n" >> /etc/network/interfaces
  echo -e "\tpre-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE\n" >> /etc/network/interfaces
  echo -e "\tpost-down /sbin/iptables -t nat -D POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE\n" >> /etc/network/interfaces

After installation, reboot into the new kernel.

What we did:

  • Installed a kernel with linux-vserver support and the utilities for creating and managing vservers.
  • Installed my nss_vserver [1] module and vslogin, which let you ssh directly into a vserver.
  • Configured the dummy0 interface to create a "private" network for the guests.

This lets a single server IP carry the different services, separated by login (for example, to log in to the web guest you simply log in as the user web root, i.e. root@web).

After that, new vservers can be created on the host, bound to the dummy0 interface.
That works, but the guests answer only on 192.168.1.x, and they have to be reachable from outside.

To solve this we need nginx on the host:

  aptitude install nginx
  # quote the delimiter so the shell does not expand nginx's $variables inside the heredoc
  cat > /etc/nginx/sites-available/proxy <<'END'
server {
    listen 80;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-SSL no;
    # requests for somesite.ru get a /web/ prefix; $1 keeps its leading slash, hence "location /web//" below
    if ( $http_host ~ "(?i)(somesite\.ru)$" ) {
        rewrite ^(.*) /web/$1 last;
    }
    location /web// {
        proxy_pass http://192.168.1.57/;
        proxy_read_timeout 500;
    }
}
END
  ln -s ../sites-available/proxy /etc/nginx/sites-enabled/
  /etc/init.d/nginx reload

This scatters all incoming requests on port 80 across the different guests, depending on the requested name.
If necessary, proxy_pass can point at an external IP on another machine, which lets you move a guest between physical servers without waiting for DNS records to propagate, but that is a topic for a separate article.
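The same name-based scattering, written as one nginx server block per site rather than the if/rewrite/"location /web//" trick, generated by a small shell function. This is an added example, not code from the article: the guest 192.168.1.57 (web) is the one built below, the second site and its address are made up, and the generated blocks add two things a practitioner wants here: a default_server that closes unknown Host names instead of handing them to the first site, and proxy_set_header Host, because nginx otherwise sends the guest IP as Host and name-based vhosts inside the guest stop matching.

```shell
#!/bin/sh
# Added example (not the article's code): one nginx server block per site,
# selected by server_name. Reads "hostname guest-ip" pairs on stdin and
# prints the config for /etc/nginx/sites-available/proxy.
gen_proxy_conf() {
    # Catch-all first: a request whose Host matches no site is dropped (444)
    # instead of being handed to whichever server block nginx lists first.
    cat <<'EOF'
server {
    listen 80 default_server;
    return 444;
}
EOF
    while read -r host ip; do
        case "$host" in ''|'#'*) continue ;; esac
        cat <<EOF
server {
    listen 80;
    server_name $host;
    location / {
        proxy_pass http://$ip/;
        # Forward the requested name: nginx's default Host is \$proxy_host,
        # i.e. the guest IP, which breaks name-based vhosts in the guest.
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-SSL no;
        proxy_read_timeout 500;
    }
}
EOF
    done
}

# Constructed site list for this example: "web" (192.168.1.57) is the guest
# from the article; the second entry and its address are hypothetical.
SITES='somesite.ru 192.168.1.57
phones.example 192.168.1.58'

# Usage on the host: proxy_conf > /etc/nginx/sites-available/proxy
proxy_conf() { printf '%s\n' "$SITES" | gen_proxy_conf; }
```

After writing the file, `nginx -t` before the reload catches a typo in a host name; the 444 block means a scanner hitting the bare server IP gets nothing back rather than a copy of the first site.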

Now we create a new guest (context number 57, name web) and install LAMP in it.

Creating a new vserver

  MIRROR=http://ftp.de.debian.org/debian
  NAME=web
  DOMAIN=mydomain.com
  CONTEXT=57
  # the guest gets the context number as its address on dummy0; -d selects the guest's Debian release (squeeze here)
  vserver $NAME build -m debootstrap --context $CONTEXT --hostname $NAME.$DOMAIN --interface dummy0:192.168.1.$CONTEXT/24 -- -d squeeze -m $MIRROR
  # util-vserver keeps this mark under apps/init/, not app/init/; "default" makes the init script start the guest at boot
  echo default > /etc/vservers/$NAME/apps/init/mark
  vserver $NAME start
  vserver $NAME enter
  aptitude update
  aptitude install locales
  echo -e "en_US.UTF-8 UTF-8\nru_RU.UTF-8 UTF-8\n" >> /etc/locale.gen
  locale-gen
  echo -e "127.0.0.1 localhost.localdomain localhost vhost\n192.168.1.250 vroot\n" > /etc/hosts

This builds the base system and marks it to start automatically when the host reboots.

Now the guest is ready for whatever software you need. For example, the usual LAMP:

  aptitude install apache2 libapache2-mod-php5 mysql-server php5-mysql php5-mysqli libapache2-mod-rpaf
  # rpaf restores the real client IP from X-Forwarded-For; in rpaf.conf set RPAFproxy_ips to the host's
  # dummy0 address (192.168.1.250) so that only the nginx proxy, not an arbitrary client, can set it
  editor /etc/apache2/mods-available/rpaf.conf
  a2enmod rpaf
  /etc/init.d/apache2 restart
  exit

That is it! Your server now runs Apache in a completely isolated environment.

Problems with this approach:

1. Logging directly into a guest is possible only by password.
2. Nobody else should be allowed onto the host, so the host should carry only a verified minimum of software (ssh, nginx, iptables and nothing else).
3. If direct access to a port inside a guest is needed, it has to be forwarded with iptables.

Things left out to keep the article simple.

1. /var/lib/vservers/* is best placed on LVM so that disk space can be allocated to each guest independently.
2. Resource management: a freshly created guest can eat all the resources of the machine. Read about setting limits at linux-vserver.org/Resource_Limits
3. /tmp. Inside a guest, /tmp is created by default as a 16m ramdisk (tmpfs). If that is too small, fix /etc/vservers/$NAME/fstab before "vserver $NAME start".
4. Further information about linux-vserver can be found at linux-vserver.org/
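The three loose ends above (port forwarding from item 3 of the problems list, resource limits, and the 16m /tmp) in one shell helper. This is an added example, not the article's code: it assumes util-vserver's per-guest layout under /etc/vservers/NAME/ (the default fstab line for /tmp, and rlimits/RESOURCE.hard and .soft files, which the linked Resource_Limits page describes; treat the file names as an assumption to check against it), and guest addresses configured on the host's dummy0 as in the article. VS_ETC and IPTABLES are knobs introduced here so the functions can be dry-run outside a real host.

```shell
#!/bin/sh
# Added helper, not from the original article. Assumes util-vserver's
# per-guest layout under /etc/vservers/<name>/ (fstab, rlimits/) and guest
# addresses configured on the host's dummy0. VS_ETC and IPTABLES exist
# only so the functions can be dry-run outside a vserver host.
vs_etc() { printf '%s' "${VS_ETC:-/etc/vservers}"; }
ipt()    { "${IPTABLES:-iptables}" "$@"; }

# 1. /tmp. util-vserver's default guest fstab contains
#      none  /tmp  tmpfs  size=16m,mode=1777  0 0
#    Change the size before the first "vserver $NAME start".
vs_tmp_size() {   # vs_tmp_size NAME SIZE      e.g. vs_tmp_size web 512m
    fstab="$(vs_etc)/$1/fstab"
    [ -f "$fstab" ] || { echo "missing $fstab" >&2; return 1; }
    # only the /tmp line is touched; other mounts keep their options
    sed "\#[[:space:]]/tmp[[:space:]]#s/size=[0-9]*[kmgKMG]*/size=$2/" "$fstab" > "$fstab.new" \
        && mv "$fstab.new" "$fstab"
}

# 2. Resource limits (linux-vserver.org/Resource_Limits). Assumed layout:
#    rlimits/<resource>.hard and .soft, read when the guest starts. Without
#    them one guest can take every page and process the host has.
vs_rlimit() {     # vs_rlimit NAME RESOURCE HARD [SOFT]   e.g. vs_rlimit web rss 262144
    d="$(vs_etc)/$1/rlimits"
    mkdir -p "$d"
    echo "$3" > "$d/$2.hard"
    [ -z "$4" ] || echo "$4" > "$d/$2.soft"
}

# 3. Reaching a port inside a guest. The guest address is an alias on the
#    host itself, so after DNAT the packet is delivered locally and goes
#    through INPUT, not FORWARD; ip_forward is not needed. Add "-s <net>"
#    to the INPUT rule if the port must not be open to the whole Internet.
vs_forward_tcp() {  # vs_forward_tcp HOSTPORT GUESTIP GUESTPORT  e.g. vs_forward_tcp 2222 192.168.1.57 22
    ipt -t nat -A PREROUTING -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    ipt -A INPUT -p tcp -d "$2" --dport "$3" -j ACCEPT
}
```

On the host these run as root with the defaults: vs_tmp_size and vs_rlimit right after "vserver $NAME build", and vs_forward_tcp from a pre-up line in /etc/network/interfaces next to the MASQUERADE rule so it survives a reboot.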