Using Linux VServer Enrico Scholz [email protected] - p. 1/47 Motivation (1) Introduction G Motivation (1) Administrator: G Motivation (2) G Requirements G Wishes n lots of services (FTP, HTTP*, LDAP, KRB, DNS, . ) G Solutions n vserver updates without side-effects Security n own hostnames and IPs The Toolsets n access restrictions Base-Operations Management Prospective Developer: n tests in different environments (compiler, libraries, programs, distributions) n providing binaries for different distributions - p. 2/47 Motivation (2) Introduction G Motivation (1) Businessman: G Motivation (2) G Requirements G Wishes n selling of “root-servers” (IP, CPU power, disk-space, G Solutions root-account) vserver Security The Toolsets Base-Operations Solutions: Management n Prospective one physical machine per server but: hardware costs, room, cooling, UPS n multiple dedicated servers on the same hardware ) “virtual servers” - p. 3/47 Requirements Introduction n behavior like an ordinary server (same binaries, no special G Motivation (1) G Motivation (2) syscalls) G Requirements G Wishes n G Solutions process isolation u vserver kill(2), ptrace(2) u Security /etc/init.d/sshd restart n The Toolsets filesystem isolation u Base-Operations no collisions when using standard-paths u Management keeping of secrets Prospective n no backdoors u direct hardware-access (/dev/hda) u direct kernel-access (/dev/kmem) ) no influence on the function of other servers or of the host - p. 4/47 Wishes Introduction n effective G Motivation (1) G Motivation (2) u performance (CPU, I/O) G Requirements G Wishes u memory (RAM, disk) G Solutions n vserver easy manageable u Security creation u operation The Toolsets ) using of known tools Base-Operations n Management limits/quotas for diskspace, CPU, net Prospective n migration to other physical machines - p. 5/47 n vmware/bochs/qemu u usable as usual machine u but: high resource consumption; often for i386 only n UML u middle till high resource consumption n SELinux u fulfills (security related) requirements u no complete virtualization (hostname, ip) u ??? n Linux vserver, BSD Jails, SUN Zones, FreeVPS u grouping of processes u usage of same hardware and kernel u new and already existing access control mechanisms u nearly no overhead Solutions Introduction n special hardware (S/390) G Motivation (1) G Motivation (2) G Requirements G Wishes G Solutions vserver Security The Toolsets Base-Operations Management Prospective - p. 6/47 n UML u middle till high resource consumption n SELinux u fulfills (security related) requirements u no complete virtualization (hostname, ip) u ??? n Linux vserver, BSD Jails, SUN Zones, FreeVPS u grouping of processes u usage of same hardware and kernel u new and already existing access control mechanisms u nearly no overhead Solutions Introduction n special hardware (S/390) G Motivation (1) G Motivation (2) n G Requirements vmware/bochs/qemu G Wishes u G Solutions usable as usual machine u vserver but: high resource consumption; often for i386 only Security The Toolsets Base-Operations Management Prospective - p. 6/47 n SELinux u fulfills (security related) requirements u no complete virtualization (hostname, ip) u ??? n Linux vserver, BSD Jails, SUN Zones, FreeVPS u grouping of processes u usage of same hardware and kernel u new and already existing access control mechanisms u nearly no overhead Solutions Introduction n special hardware (S/390) G Motivation (1) G Motivation (2) n G Requirements vmware/bochs/qemu G Wishes u G Solutions usable as usual machine u vserver but: high resource consumption; often for i386 only n Security UML u The Toolsets middle till high resource consumption Base-Operations Management Prospective - p. 6/47 n Linux vserver, BSD Jails, SUN Zones, FreeVPS u grouping of processes u usage of same hardware and kernel u new and already existing access control mechanisms u nearly no overhead Solutions Introduction n special hardware (S/390) G Motivation (1) G Motivation (2) n G Requirements vmware/bochs/qemu G Wishes u G Solutions usable as usual machine u vserver but: high resource consumption; often for i386 only n Security UML u The Toolsets middle till high resource consumption Base-Operations n SELinux Management u fulfills (security related) requirements Prospective u no complete virtualization (hostname, ip) u ??? - p. 6/47 Solutions Introduction n special hardware (S/390) G Motivation (1) G Motivation (2) n G Requirements vmware/bochs/qemu G Wishes u G Solutions usable as usual machine u vserver but: high resource consumption; often for i386 only n Security UML u The Toolsets middle till high resource consumption Base-Operations n SELinux Management u fulfills (security related) requirements Prospective u no complete virtualization (hostname, ip) u ??? n Linux vserver, BSD Jails, SUN Zones, FreeVPS u grouping of processes u usage of same hardware and kernel u new and already existing access control mechanisms u nearly no overhead - p. 6/47 Introduction vserver G Quickstart (1) G Quickstart (2) G Properties (Kernel) (1) G Properties (Kernel) (2) G Userspace vserver G chroot-environments Security The Toolsets Base-Operations Management Prospective - p. 7/47 Quickstart (1) Introduction 1. download and untaring of the kernel sources vserver G Quickstart (1) $ wget http://ftp.kernel.org/pub/linux/kernel/v2.x/linux-2.x.y.tar.bz2 G Quickstart (2) $ tar xjf linux-2.x.y.tar.bz2 G Properties (Kernel) (1) $ cd linux-2.x.y G Properties (Kernel) (2) G Userspace a G chroot-environments 2. download of the corresponding vserver-patch from Security http://www.13thfloor.at/vserver/project/ and applying of this The Toolsets patch Base-Operations $ bzcat patch-2.x.y-vs1.z.diff.bz2 | patch -p1 Management Prospective 3. configuration, build and installation of the kernel $ make config $ make dep && make all modules && make install modules_install a 1.2x – stable, 1.3x and 1.9x – experimental - p. 8/47 Quickstart (2) Introduction 4. download of the userspace toolsa (util-vserver) from vserver http://www.nongnu.org/util-vserver G Quickstart (1) G Quickstart (2) G Properties (Kernel) (1) 5. configuration, build and installation G Properties (Kernel) (2) G Userspace $ rpmbuild -ta util-vserver-0.x.y.tar.bz2 \ G chroot-environments [--without xalan] [--without dietlibc] # rpm -Uvh ... Security The Toolsets oder Base-Operations $ ./configure [--prefix=...] <options>* && make # make install Management Prospective 6. reboot http://linux-vserver.org a 0.x.y ! stable if no y, pre if y<90, rc if 90≤y<190 and alpha if 190≤y - p. 9/47 Properties (Kernel) (1) Introduction n developer: Herbert Pötzl vserver n G Quickstart (1) one multiswitch syscall for the entire functionality G Quickstart (2) G Properties (Kernel) (1) n attributes for processes: G Properties (Kernel) (2) u xid G Userspace numeric context-ID ( ) G chroot-environments ! processes with xid1 invisible for xid2-processes Security n attributes for process-contexts: The Toolsets u hostname resp. a complete utsname entry(2.6) Base-Operations u system- & context-specific(2.6) capabilities Management u flags Prospective u namespace(2.6) u scheduling parameters(2.6) - p. 10/47 Properties (Kernel) (2) Introduction n large parts of security based on linux-capabilities vserver (/usr/include/linux/capability.h), e.g. G Quickstart (1) G Quickstart (2) u no new devices without CAP_MKNOD G Properties (Kernel) (1) G Properties (Kernel) (2) u no interface-configuration without CAP_NET_ADMIN G Userspace u G chroot-environments no filesystem-mounting without CAP_SYS_ADMIN u Security . The Toolsets n hiding of filesystem-entries Base-Operations some entries in /proc without capability protection, e.g. Management /proc/sysrq-trigger or /proc/scsi/scsi Prospective ) hiding outside of host-context n context-quotas n outbreak-safe chroot(2) environments - p. 11/47 Userspace Introduction n two toolsets: “vserver” und “util-vserver” vserver n G Quickstart (1) low-level syscallwrappers G Quickstart (2) G Properties (Kernel) (1) n vserver == chroot-environment + configuration-data G Properties (Kernel) (2) G Userspace n management of the vservers G chroot-environments u creation Security u starting/stopping The Toolsets u optimizations Base-Operations n Management configuration usually under /etc/vservers/ n Prospective starting with “vserver <id> start”; stopping with “vserver <id> stop” - p. 12/47 n chroot-environment must be assumed as hostile u execution of arbitrary programs as root u creation, removal, renaming and modification of arbitrary files, symlinks and directories ) special care and kernel-support required chroot-environments Introduction n usually at /vservers/<id> vserver n G Quickstart (1) usually files and directories like in ordinary linuxdistributions, G Quickstart (2) G Properties (Kernel) (1) but special installations possible G Properties (Kernel) (2) n G Userspace distribution within the chroot != host-distribution G chroot-environments Security The Toolsets Base-Operations Management Prospective - p. 13/47 chroot-environments Introduction n usually at /vservers/<id> vserver n G Quickstart (1) usually files and directories like in ordinary linuxdistributions, G Quickstart (2) G Properties (Kernel) (1) but special installations possible G Properties (Kernel) (2) n G Userspace distribution within the chroot != host-distribution G chroot-environments n chroot-environment must be assumed as hostile Security u execution of arbitrary programs as root The Toolsets u creation, removal, renaming and modification of arbitrary Base-Operations