Openvz

all about my experiences with openvz

  1. http://wiki.openvz.org/Quick_installation
  2. http://wiki.openvz.org/OS_template_cache_preparation
  3. http://wiki.openvz.org/VE_creation
  4. http://wiki.openvz.org/Resource_management
  5. http://wiki.openvz.org/Setting_UBC_parameters

Now that everything is up and running, it is time to plan for disaster recovery (checkpointing, migration and backups):

  1. http://wiki.openvz.org/Checkpointing_and_live_migration
  2. http://wiki.openvz.org/Backup_of_a_running_VE_with_vzdump

links:

few templates:

config examples:

  • 64 MB RAM guaranteed, burstable to 128 MB, 50% CPU usage
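# UBC parameters (in form of barrier:limit)
# Profile: 64 MB guaranteed (VMGUARPAGES/OOMGUARPAGES = 16384 pages of 4 KiB),
# burstable to 128 MB (PRIVVMPAGES = 32768 pages), 50% of one CPU.
# Primary parameters
AVNUMPROC="40:40"
# NOTE(review): NUMPROC, NUMTCPSOCK, NUMOTHERSOCK, KMEMSIZE, NUMFILE, NUMPTY,
# NUMIPTENT and LOCKEDPAGES below are so high that they are effectively
# unlimited for a 64 MB container. On a shared host this lets one tenant
# exhaust host-wide kernel memory, PID space and socket/file tables, or mlock
# far more RAM than it was sold (a fork bomb or socket flood is not contained).
# Size them from the memory guarantee instead - see the Setting_UBC_parameters
# link at the top of this page. The values are kept as on the original page.
NUMPROC="999999:999999"
NUMTCPSOCK="7999992:7999992"
NUMOTHERSOCK="7999992:7999992"
VMGUARPAGES="16384:2147483647"
# Secondary parameters
KMEMSIZE="2147483646:2147483646"
TCPSNDBUF="13421568:195447808"
TCPRCVBUF="13421568:195447808"
OTHERSOCKBUF="13421568:195447808"
DGRAMRCVBUF="13421568:195447808"
OOMGUARPAGES="16384:2147483647"
# Auxiliary parameters
LOCKEDPAGES="999999:999999"
SHMPAGES="16384:16384"
PRIVVMPAGES="32768:32768"
NUMFILE="23999976:23999976"
NUMFLOCK="999999:999999"
NUMPTY="500000:500000"
NUMSIGINFO="999999:999999"
DCACHESIZE="2147483646:2147483646"

# PHYSPAGES is left unbounded (barrier 0); NUMIPTENT caps the number of
# iptables rules the container may load.
PHYSPAGES="0:2147483647"
NUMIPTENT="999999:999999"

# Disk quota parameters (in form of softlimit:hardlimit)
DISKSPACE="6553600:6553600"
DISKINODES="3276800:3276800"
QUOTATIME="0"

# CPU fair scheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
# Derive the private area from $VEID exactly like VE_ROOT above. The original
# hard-coded "/vz/private/110": copying this profile to another container id
# would silently make two containers share one private filesystem.
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="centos-4-i386-minimal"
ORIGIN_SAMPLE="vps.basic"
QUOTAUGIDLIMIT="1000"
HOSTNAME="64"
# Upper bound in percent of one CPU, on top of the CPUUNITS share.
CPULIMIT="50"
# Memory total reported to the guest; same page count as PRIVVMPAGES.
MEMINFO="pages:32768"
# Netfilter modules the container may use. ip_conntrack/ipt_state are
# included, so stateful (-m state) rules are possible inside the container.
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state  ipt_helper  iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"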
  • 128meg burstable 256meg
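# UBC parameters (in form of barrier:limit)
# Profile: 128 MB guaranteed (VMGUARPAGES/OOMGUARPAGES = 32768 pages of 4 KiB),
# burstable to 256 MB (PRIVVMPAGES = 65536 pages), 50% of one CPU.
# Primary parameters
AVNUMPROC="40:40"
# NOTE(review): NUMPROC, NUMTCPSOCK, NUMOTHERSOCK, KMEMSIZE, NUMFILE, NUMPTY,
# NUMIPTENT and LOCKEDPAGES below are so high that they are effectively
# unlimited for a 128 MB container. On a shared host this lets one tenant
# exhaust host-wide kernel memory, PID space and socket/file tables, or mlock
# far more RAM than it was sold. Size them from the memory guarantee instead -
# see the Setting_UBC_parameters link at the top of this page. The values are
# kept as on the original page.
NUMPROC="999999:999999"
NUMTCPSOCK="7999992:7999992"
NUMOTHERSOCK="7999992:7999992"
VMGUARPAGES="32768:2147483647"
# Secondary parameters
KMEMSIZE="2147483646:2147483646"
TCPSNDBUF="26843136:208869376"
TCPRCVBUF="26843136:208869376"
OTHERSOCKBUF="26843136:208869376"
DGRAMRCVBUF="26843136:208869376"
OOMGUARPAGES="32768:2147483647"
# Auxiliary parameters
LOCKEDPAGES="999999:999999"
SHMPAGES="32768:32768"
PRIVVMPAGES="65536:65536"
NUMFILE="23999976:23999976"
NUMFLOCK="999999:999999"
NUMPTY="500000:500000"
NUMSIGINFO="999999:999999"
DCACHESIZE="2147483646:2147483646"

# PHYSPAGES is left unbounded (barrier 0); NUMIPTENT caps the number of
# iptables rules the container may load.
PHYSPAGES="0:2147483647"
NUMIPTENT="999999:999999"

# Disk quota parameters (in form of softlimit:hardlimit)
DISKSPACE="13107200:13107200"
DISKINODES="6553600:6553600"
QUOTATIME="0"

# CPU fair scheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
# Derive the private area from $VEID exactly like VE_ROOT above. The original
# hard-coded "/vz/private/120": copying this profile to another container id
# would silently make two containers share one private filesystem.
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="debian-4.0-i386-minimal"
ORIGIN_SAMPLE="vps.basic"
QUOTAUGIDLIMIT="1000"
HOSTNAME="128"
# Upper bound in percent of one CPU, on top of the CPUUNITS share.
CPULIMIT="50"
# Memory total reported to the guest; same page count as PRIVVMPAGES.
MEMINFO="pages:65536"
# Netfilter modules the container may use. ip_conntrack/ipt_state are
# included, so stateful (-m state) rules are possible inside the container.
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state  ipt_helper  iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"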
  • 256meg burstable 512.
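# UBC parameters (in form of barrier:limit)
# Profile: 256 MB guaranteed (VMGUARPAGES/OOMGUARPAGES = 65536 pages of 4 KiB),
# burstable to 512 MB (PRIVVMPAGES = 131072 pages), 50% of one CPU.
# Primary parameters
AVNUMPROC="40:40"
# NOTE(review): NUMPROC, NUMTCPSOCK, NUMOTHERSOCK, KMEMSIZE, NUMFILE, NUMPTY,
# NUMIPTENT and LOCKEDPAGES below are so high that they are effectively
# unlimited for a 256 MB container. On a shared host this lets one tenant
# exhaust host-wide kernel memory, PID space and socket/file tables, or mlock
# far more RAM than it was sold. Size them from the memory guarantee instead -
# see the Setting_UBC_parameters link at the top of this page. The values are
# kept as on the original page.
NUMPROC="999999:999999"
NUMTCPSOCK="7999992:7999992"
NUMOTHERSOCK="7999992:7999992"
VMGUARPAGES="65536:2147483647"
# Secondary parameters
KMEMSIZE="2147483646:2147483646"
TCPSNDBUF="53687296:235713536"
TCPRCVBUF="53687296:235713536"
OTHERSOCKBUF="53687296:235713536"
DGRAMRCVBUF="53687296:235713536"
OOMGUARPAGES="65536:2147483647"
# Auxiliary parameters
LOCKEDPAGES="999999:999999"
SHMPAGES="65536:65536"
PRIVVMPAGES="131072:131072"
NUMFILE="23999976:23999976"
NUMFLOCK="999999:999999"
NUMPTY="500000:500000"
NUMSIGINFO="999999:999999"
DCACHESIZE="2147483646:2147483646"

# PHYSPAGES is left unbounded (barrier 0); NUMIPTENT caps the number of
# iptables rules the container may load.
PHYSPAGES="0:2147483647"
NUMIPTENT="999999:999999"

# Disk quota parameters (in form of softlimit:hardlimit)
DISKSPACE="26214400:26214400"
DISKINODES="13107200:13107200"
QUOTATIME="0"

# CPU fair scheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
# Derive the private area from $VEID exactly like VE_ROOT above. The original
# hard-coded "/vz/private/130": copying this profile to another container id
# would silently make two containers share one private filesystem.
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="centos-5-i386-minimal"
ORIGIN_SAMPLE="vps.basic"
QUOTAUGIDLIMIT="1000"
HOSTNAME="256"
# Upper bound in percent of one CPU, on top of the CPUUNITS share.
CPULIMIT="50"
# Memory total reported to the guest; same page count as PRIVVMPAGES.
MEMINFO="pages:131072"
# Netfilter modules the container may use. ip_conntrack/ipt_state are
# included, so stateful (-m state) rules are possible inside the container.
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state  ipt_helper  iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"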
  • 512meg burstable 1024
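# UBC parameters (in form of barrier:limit)
# Profile: 512 MB guaranteed (VMGUARPAGES/OOMGUARPAGES = 131072 pages of 4 KiB),
# burstable to 1024 MB (PRIVVMPAGES = 262144 pages), 50% of one CPU.
# Primary parameters
AVNUMPROC="40:40"
# NOTE(review): NUMPROC, NUMTCPSOCK, NUMOTHERSOCK, KMEMSIZE, NUMFILE, NUMPTY,
# NUMIPTENT and LOCKEDPAGES below are so high that they are effectively
# unlimited for a 512 MB container. On a shared host this lets one tenant
# exhaust host-wide kernel memory, PID space and socket/file tables, or mlock
# far more RAM than it was sold. Size them from the memory guarantee instead -
# see the Setting_UBC_parameters link at the top of this page. The values are
# kept as on the original page.
NUMPROC="999999:999999"
NUMTCPSOCK="7999992:7999992"
NUMOTHERSOCK="7999992:7999992"
VMGUARPAGES="131072:2147483647"
# Secondary parameters
KMEMSIZE="2147483646:2147483646"
TCPSNDBUF="107374592:289400832"
TCPRCVBUF="107374592:289400832"
OTHERSOCKBUF="107374592:289400832"
DGRAMRCVBUF="107374592:289400832"
OOMGUARPAGES="131072:2147483647"
# Auxiliary parameters
LOCKEDPAGES="999999:999999"
SHMPAGES="131072:131072"
PRIVVMPAGES="262144:262144"
NUMFILE="23999976:23999976"
NUMFLOCK="999999:999999"
NUMPTY="500000:500000"
NUMSIGINFO="999999:999999"
DCACHESIZE="2147483646:2147483646"

# PHYSPAGES is left unbounded (barrier 0); NUMIPTENT caps the number of
# iptables rules the container may load.
PHYSPAGES="0:2147483647"
NUMIPTENT="999999:999999"

# Disk quota parameters (in form of softlimit:hardlimit)
DISKSPACE="52428800:52428800"
DISKINODES="26214400:26214400"
QUOTATIME="0"

# CPU fair scheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
# Derive the private area from $VEID exactly like VE_ROOT above. The original
# hard-coded "/vz/private/140": copying this profile to another container id
# would silently make two containers share one private filesystem.
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="debian-4.0-i386-minimal"
ORIGIN_SAMPLE="vps.basic"
QUOTAUGIDLIMIT="1000"
HOSTNAME="512"
# Upper bound in percent of one CPU, on top of the CPUUNITS share.
CPULIMIT="50"
# Memory total reported to the guest; same page count as PRIVVMPAGES.
MEMINFO="pages:262144"
# Netfilter modules the container may use. ip_conntrack/ipt_state are
# included, so stateful (-m state) rules are possible inside the container.
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state  ipt_helper  iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"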

768meg ram

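# UBC parameters (in form of barrier:limit)
# Profile: 768 MB guaranteed (VMGUARPAGES/OOMGUARPAGES = 196608 pages of 4 KiB).
# This profile is incomplete compared with the ones above: the disk quota,
# CPU, VE_*, OSTEMPLATE, MEMINFO and IPTABLES settings are missing and must be
# added before it is used for a container.
# Primary parameters
AVNUMPROC="40:40"
# NOTE(review): NUMPROC, NUMTCPSOCK, NUMOTHERSOCK, KMEMSIZE, NUMFILE, NUMPTY,
# NUMIPTENT and LOCKEDPAGES below are so high that they are effectively
# unlimited. On a shared host this lets one tenant exhaust host-wide kernel
# memory, PID space and socket/file tables, or mlock far more RAM than it was
# sold. Size them from the memory guarantee instead - see the
# Setting_UBC_parameters link at the top of this page. The values are kept as
# on the original page.
NUMPROC="999999:999999"
NUMTCPSOCK="7999992:7999992"
NUMOTHERSOCK="7999992:7999992"
VMGUARPAGES="196608:2147483647"
# Secondary parameters
KMEMSIZE="2147483646:2147483646"
TCPSNDBUF="161060864:343087104"
TCPRCVBUF="161060864:343087104"
OTHERSOCKBUF="161060864:343087104"
DGRAMRCVBUF="161060864:343087104"
OOMGUARPAGES="196608:2147483647"
# Auxiliary parameters
LOCKEDPAGES="999999:999999"
SHMPAGES="196608:196608"
# The original page had PRIVVMPAGES="255999744:255999744" (about 976 GiB),
# i.e. no burst ceiling at all, which would let this container claim every
# byte of address space the host can give. Every other profile on this page
# allows bursting to twice the guarantee, so 2 x 196608 = 393216 pages
# (1.5 GB) is used here. TODO confirm this matches the intended plan size.
PRIVVMPAGES="393216:393216"
NUMFILE="23999976:23999976"
NUMFLOCK="999999:999999"
NUMPTY="500000:500000"
NUMSIGINFO="999999:999999"
DCACHESIZE="2147483646:2147483646"

# PHYSPAGES is left unbounded (barrier 0); NUMIPTENT caps the number of
# iptables rules the container may load.
PHYSPAGES="0:2147483647"
NUMIPTENT="999999:999999"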

firewall for openvz

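#!/bin/bash
#
# firewall      This shell script sets up a packet filter for an OpenVZ /
#               Virtuozzo based VPS. Only the services listed under "INPUT"
#               accept new connections. Replies to the container's own
#               outgoing traffic are accepted with connection tracking
#               (ipt_state) when the kernel offers it; otherwise the script
#               falls back to the original stateless source-port rules (read
#               the warning in accept_replies_stateless before relying on
#               that). Nothing is logged.
#               Borrows heavily from a script by Dmitry Konstantinov of sw-soft
#                           http://vpsinfo.nixhost.net/firewall.htm
#
# chkconfig: 2345 18 92
# description: setup firewall configuration
#
# Usage: firewall {start|stop|restart|status}

# Treat references to unset variables as errors: a typo in a variable name
# must not silently turn into an empty iptables argument.
set -u

IPTABLES="/sbin/iptables"

# Print the container's IPv4 addresses, one per line, loopback excluded.
# Prefers iproute2 and falls back to ifconfig, accepting both the old
# "inet addr:1.2.3.4" and the newer "inet 1.2.3.4" output formats. The
# original "grep inet | cut -d :" parse returned garbage on the newer
# format and on inet6 lines, and an empty or wrong list here means either a
# lockout or a rule set that does not cover the real addresses.
list_server_ips() {
        {
                if command -v ip >/dev/null 2>&1; then
                        ip -4 -o addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
                else
                        /sbin/ifconfig 2>/dev/null | awk '/inet / { sub(/^addr:/, "", $2); print $2 }'
                fi
        } | grep -v '^127\.'
}
SERVER_IPS=$(list_server_ips)

# Append one rule to INPUT / OUTPUT. Arguments are passed through verbatim
# so every match and target stays its own argv word; the original relied on
# word-splitting of a "${IPTABLES} -A INPUT" string for the same effect.
fwin()  { "${IPTABLES}" -A INPUT  "$@"; }
fwout() { "${IPTABLES}" -A OUTPUT "$@"; }

# Flush a built-in chain and set its default policy.
#   $1 chain (INPUT, OUTPUT or FORWARD)   $2 policy (ACCEPT or DROP)
set_chain_policy() {
        local chain="${1:?chain name required}"
        local policy="${2:?policy required}"
        "${IPTABLES}" -F "${chain}"
        "${IPTABLES}" -P "${chain}" "${policy}"
}

# Flush a chain and default it to DROP (start/restart).
initialize() { set_chain_policy "${1}" DROP; }

# Flush a chain and default it to ACCEPT (stop). The container is wide open
# afterwards - that is the original behaviour and what "stop" means here.
stop() { set_chain_policy "${1}" ACCEPT; }

# Try to install the stateful "replies to our own traffic" rule. Returns 0
# and leaves the rule in place when the kernel offers the state match. The
# VE configs on this page list ip_conntrack/ipt_state, but not every VPS
# kernel exposes them, so failure is an expected outcome and its error
# message is deliberately silenced.
add_stateful_reply_rule() {
        fwin -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
}

# Stateless approximation of "replies to our own connections", used only
# when the state match is unavailable. WARNING: these rules trust the remote
# SOURCE port, which an attacker picks freely. With them in place anyone can
# reach every TCP port above 1023 with non-SYN packets (ACK scans, injected
# segments) and every UDP port above 1023 outright. Do not run high-port UDP
# services (memcached, NFS, ...) behind this fallback.
accept_replies_stateless() {
        local addr port
        # shellcheck disable=SC2086 -- SERVER_IPS is a newline separated list
        for addr in ${SERVER_IPS}; do
                for port in 22 53 25 113 80 20 21; do
                        fwin -p tcp --sport "${port}" -d "${addr}" --dport 1024: ! --syn -j ACCEPT
                done
                fwin -p udp --sport 53 -d "${addr}" --dport 1024: -j ACCEPT
        done
        # Catch-all for answers to anything else we initiated (NTP, HTTPS
        # clients, ...). This is the widest hole of the fallback.
        fwin -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
        fwin -p udp -m udp --dport 1024:65535 -j ACCEPT
}

# Accept new connections to the services this container offers, on every
# local address: SSH, SMTP, POP/POPS, IMAP/IMAPS, HTTP/HTTPS, FTP, DNS, plus
# a few ICMP types. FTP is TCP only; the original's UDP 20/21 rules matched
# nothing real and are not reproduced.
accept_service_ports() {
        local addr port
        # shellcheck disable=SC2086 -- SERVER_IPS is a newline separated list
        for addr in ${SERVER_IPS}; do
                for port in 22 25 110 995 143 993 80 443 20 21; do
                        fwin -p tcp -d "${addr}" --dport "${port}" -j ACCEPT
                done
                # DNS: tcp for large answers / zone transfers, udp for queries.
                # NOTE(review): if the resolver here is recursive, answering
                # the whole Internet makes it usable for amplification attacks;
                # add "-s <your networks>" to these two rules in that case.
                fwin -p tcp -d "${addr}" --dport 53 -j ACCEPT
                fwin -p udp -d "${addr}" --dport 53 -j ACCEPT
                # identd, which the original marked "temporary": mail peers
                # may query it. Remove once no longer needed.
                fwin -p tcp --sport 1024: -d "${addr}" --dport 113 -j ACCEPT
                # ICMP echo reply/request, destination unreachable and time
                # exceeded (path MTU discovery and traceroute need 3 and 11).
                fwin -p icmp -d "${addr}" --icmp-type 0 -j ACCEPT
                fwin -p icmp -d "${addr}" --icmp-type 3 -j ACCEPT
                fwin -p icmp -d "${addr}" --icmp-type 8 -j ACCEPT
                fwin -p icmp -d "${addr}" --icmp-type 11 -j ACCEPT
        done
}

# Verify call switch
case "${1-}" in
start|restart)
        # Fail closed but without touching the running rules: with an empty
        # address list the OUTPUT rules below would lock the container out.
        if [ -z "${SERVER_IPS}" ]; then
                echo "firewall: could not determine this host's IP addresses; rules left untouched" >&2
                exit 1
        fi

        # The policy is set to DROP before the rules are appended, so until
        # the last rule is in place everything but loopback is dropped.
        # Existing TCP sessions (e.g. the admin's SSH) survive on retransmits.
        initialize INPUT
        initialize OUTPUT
        initialize FORWARD

        # INPUT
        # 1) loopback: accept the interface, refuse 127/8 arriving anywhere else
        fwin -i lo -j ACCEPT
        fwin -d 127.0.0.0/8 -j DROP

        # 2) replies to our own connections
        if add_stateful_reply_rule; then
                # Packets that belong to no tracked connection (stray ACKs,
                # malformed or out-of-window segments) are dropped early.
                fwin -m state --state INVALID -j DROP
        else
                echo "firewall: ipt_state not available, using stateless reply rules (see accept_replies_stateless)" >&2
                accept_replies_stateless
        fi

        # 3) services we offer
        accept_service_ports

        # passive ftp
        # With connection tracking and ip_conntrack_ftp loaded, passive data
        # connections are accepted as RELATED and need no extra rule. Without
        # it, pin the ftp server to a passive range outside the local port
        # range (cat /proc/sys/net/ipv4/ip_local_port_range) and open it:
        #   pure-ftpd: --passiveportrange 61001:65535 in /etc/sysconfig/pure-ftpd
        #   proftpd:   PassivePorts 61001 65535 in /etc/proftpd.conf
        #fwin -p tcp -m tcp --dport 61001:65535 -j ACCEPT

        # Everything else is denied by default - policy is DROP.

        # OUTPUT
        # 1) Loopback packets.
        fwout -o lo -j ACCEPT
        fwout -s 127.0.0.0/8 -j DROP

        # 2) all outgoing traffic from our own addresses; anything with a
        #    different (spoofed) source address hits the DROP policy.
        # shellcheck disable=SC2086 -- SERVER_IPS is a newline separated list
        for addr in ${SERVER_IPS}; do
                fwout -s "${addr}" -j ACCEPT
        done

        ;;

stop)
        # turn off the firewall, flush all rules
        echo "Flushing rulesets.."

        stop INPUT
        stop OUTPUT
        stop FORWARD

        ;;

status)
        # list the filter table with packet counters; -n avoids DNS lookups
        "${IPTABLES}" -n -v -L

        ;;

*)
        echo "Usage: firewall {start|stop|restart|status}" >&2
        exit 1
esac

exit 0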