[Planetlab-devel] myplc in a vserver context
Stephen Soltesz
soltesz at CS.Princeton.EDU
Thu Jun 21 10:50:41 EDT 2007
Hey, guys,
I wanted to give you a brief update on the myplc in a slice development.
To get the vici cluster back up for the VINI summer camp participants, I
installed a little box in 002 to host the myplc instance
(vidi.cs.princeton.edu). But rather than run it on a vanilla FC install, I
installed the myplc package into a vserver context with its own IP address.
It's running without difficulty on pl-virtual-01.cs.princeton.edu.
VIDI has only one network interface, but it's currently hosting three IP
addresses, and vserver associates the appropriate address with the
appropriate context. For instance, running ifconfig in the root context on vidi:
[root at vidi ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:06:5B:74:EC:C0
inet addr:128.112.139.46 Bcast:128.112.139.127 Mask:255.255.255.128
eth0:dhozac10 Link encap:Ethernet HWaddr 00:06:5B:74:EC:C0
inet addr:128.112.139.112 Bcast:128.112.139.127 Mask:255.255.255.128
eth0:vici40 Link encap:Ethernet HWaddr 00:06:5B:74:EC:C0
inet addr:128.112.139.111 Bcast:128.112.139.127 Mask:255.255.255.128
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
But in the dhozac10 context, which is a second myplc instance for Daniel, we see:
[root at pl-virtual-02 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:06:5B:74:EC:C0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6997190 errors:0 dropped:0 overruns:1 frame:0
TX packets:4518257 errors:0 dropped:0 overruns:0 carrier:0
eth0:dhozac10 Link encap:Ethernet HWaddr 00:06:5B:74:EC:C0
inet addr:128.112.139.112 Bcast:128.112.139.127 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:18 Base address:0xac00
It looks similar from within the vici40 context.
Doing the installation by hand, I took the following steps, some of which are
atypical for vserver:
# vserver vici40 build --hostname pl-virtual-01 -m yum --context 1040
--interface vici40=eth0:128.112.139.111/25 -- -d fc5-local
Where fc5-local is a mashed-up configuration in
/usr/lib/util-vserver/distributions/ that uses a local loop-back mounted DVD
iso for the FC5 install. This makes it go a little faster for me.
# vrpm vici40 -- -ihv myplc-0.5-4.planetlab.2007.06.09.i386.rpm
# cd /etc/vservers/vici40
# cat ccapabilities
SECURE_MOUNT
ADMIN_CLOOP
# cat bcapabilities
IPC_LOCK
IPC_OWNER
SYS_ADMIN
MKNOD
These are very permissive capabilities. Not something we'd want to give
just any slice. For now, though, they provide insight into the kind of
permissions that myplc expects and how we could push back on its design if
we wanted to keep it in a context long-term or just reduce its privilege
generally, both of which sound positive to me.
# chroot /vserver/vici40 chkconfig plc off
# vserver vici40 start
# vserver vici40 enter
<vici40># service plc mount
<vici40># chroot /plc/root su -
<vici40><plc># plc-config-tty
Because there is not a conventional loopback device within the vserver
context, it's necessary to configure the hostnames as the actual address for
that context: 128.112.139.111 in the case of vici40/pl-virtual-01.
<vici40># chkconfig plc on
<vici40># service plc restart
<vici40># [configure sshd to listen on single address]
<vici40># [disable pam_loginuid.so in /etc/pam.d/*]
# exit
For some reason, parts of the PAM authentication do not work within the
vserver guest context. This will prevent sshd from letting users log in.
So, to fix it, it is necessary to comment out the pam_loginuid.so options in
the /etc/pam.d/* configuration files.
I think that's it. And as of today, both pl-virtual-01 and pl-virtual-02
are running independent myplc instances on the same machine. Cool.
http://pl-virtual-01.cs.princeton.edu
http://pl-virtual-02.cs.princeton.edu
Stephen.
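As an added example that is not part of the original post: a POSIX sh script that audits the bcapabilities and ccapabilities files of every util-vserver guest for the broad capabilities the post hands to vici40, so the host can detect a guest that has been granted more than a slice should get. It assumes the /etc/vservers/<guest>/ layout from the post; the watch-list names beyond the post's own (SYS_MODULE, SYS_RAWIO, NET_ADMIN) are my addition.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the capability files
# util-vserver keeps under /etc/vservers/<guest>/ for entries that hand the
# guest host-level privilege. Assumes the layout shown in the post: one
# capability name per line, '#' starting a comment, names case-insensitive.

# Watch lists. SYS_ADMIN, MKNOD, IPC_OWNER, SECURE_MOUNT and ADMIN_CLOOP are
# the ones the post grants vici40; SYS_MODULE, SYS_RAWIO and NET_ADMIN are
# added here as further well-known escape routes (my assumption, not the post's).
RISKY_BCAPS="SYS_ADMIN MKNOD IPC_OWNER SYS_MODULE SYS_RAWIO NET_ADMIN"
RISKY_CCAPS="SECURE_MOUNT ADMIN_CLOOP"

# flag_caps FILE "LIST": print each capability in FILE that is on LIST.
flag_caps() {
    file=$1; list=$2
    [ -r "$file" ] || return 0
    sed 's/#.*//' "$file" | tr 'a-z' 'A-Z' | tr -d ' \t' | grep -v '^$' |
    while read -r cap; do
        case " $list " in
            *" $cap "*) echo "$cap" ;;
        esac
    done
}

# audit_guest DIR: report risky capabilities of one guest; returns 1 if any.
audit_guest() {
    dir=$1; name=$(basename "$dir"); found=0
    for cap in $(flag_caps "$dir/bcapabilities" "$RISKY_BCAPS"); do
        echo "$name: bcapability $cap grants host-level privilege"; found=1
    done
    for cap in $(flag_caps "$dir/ccapabilities" "$RISKY_CCAPS"); do
        echo "$name: ccapability $cap allows mount/loop-device control"; found=1
    done
    return $found
}

# audit_all [ROOT]: walk every guest under ROOT (default /etc/vservers);
# returns 1 if any guest was flagged, so it can gate a cron job or a build.
audit_all() {
    root=${1:-/etc/vservers}; rc=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        audit_guest "${d%/}" || rc=1
    done
    return $rc
}
```

Run `audit_all` from cron on the host and alert on a non-zero exit; a guest such as vici40 with SYS_ADMIN and MKNOD will be reported with the exact capability it holds.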