Some Tips On OpenVZ Deployment
I rely heavily on OpenVZ. In this article I would like to share some of my personal experiences with OpenVZ deployment. I assume that the readers already know how to install OpenVZ and the basics of OpenVZ. This article describes some tips on OpenVZ usage via the command line. If you prefer a GUI to the command line, please turn to how to install WebVZ.
The setup described here follows these guidelines:
Before deploying any ovz containers, I make some changes to the configuration of the real server to make it more secure:
The above scheme works as follows: to connect to the real server, we connect as ssh-user. Then we must type in the password for admin-user. If someone obtains the ssh key for ssh-user, he still must know the password for admin-user in order to gain access to the server (a failure of /bin/su - admin will immediately generate an email alert by OSSEC).
To copy files from/to the server, we use sftp with the account sftp-user. If someone obtains the ssh key for this user, it is not such a big problem, since he can access only files under his $HOME.
Creating OpenVZ Containers
I find it more comfortable to create a template for all containers, so that when I need a new container, I simply make a clone from the template. I use only debian stable for the real server as well as for the containers. So, the first step is to create a template and tune it to my taste:
Then anytime I need a new container, I use a script vz-clone as follows:
#!/bin/bash
# script to clone an openvz VE
set -e
if [ -z "$2" ]; then
    echo "Usage: $0 <veid> <new-id>"
    exit 1
fi
cfg="/etc/vz/conf/$1.conf"
newcfg="/etc/vz/conf/$2.conf"
if [ ! -e "$cfg" ]; then
    echo "$cfg not found!"
    exit 1
fi
# source the config twice so that VE_PRIVATE is expanded for the old
# and for the new VEID (vz.conf uses $VEID inside the path)
VEID=$1
. "$cfg"
veprivate="$VE_PRIVATE"
VEID=$2
. "$cfg"
newveprivate="$VE_PRIVATE"
if [ -e "$newcfg" ]; then
    echo "$newcfg already exists!"
    exit 1
fi
if [ -e "$newveprivate" ]; then
    echo "$newveprivate already exists!"
    exit 1
fi
# stop the source container if it is running, so the copy is consistent
if vzlist | fgrep -w -q "$1"; then
    vzctl stop "$1"
fi
echo "Cloning $cfg to $newcfg"
cp -a "$cfg" "$newcfg"
echo "Cloning $veprivate to $newveprivate"
mkdir -p "$newveprivate"
cd "$veprivate"
tar cf - . | (cd "$newveprivate" && tar xf -)
echo "Do not forget to edit $newcfg (you need to edit at least HOSTNAME and IP_ADDRESS)"
echo "Also do not forget to make an alias"
sudo sh vz-clone 2002 2010
Cloning /etc/vz/conf/2002.conf to /etc/vz/conf/2010.conf
Depending on your /etc/vz/vz.conf, the paths shown above might be different. I use the following settings:
Then we need to edit /etc/vz/conf/2010.conf, change e.g. HOSTNAME to host10, IP_ADDRESS to 192.168.100.10 and we are ready to go with the new container. We will also make an alias for the new container, which will be described in the next section.
Working With OpenVZ Containers
The ovz containers are identified by number. I find it easier to refer to them by name/alias, so that I don't have to remember that, for example, 2010 is the id of the container running the dns service. Apart from that, I also want to free myself from remembering the different commands vzctl, vzlist, vzquota, etc. and their parameters. So I create some simple scripts to help myself.
Usage is then simple:
It is also a good thing to keep the alias unique across different real servers, so that we can share /etc/vz-aliases between them without conflicts.
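As an added example (not one of the author's scripts), here is an alias lookup that such wrapper scripts can share: it resolves a container alias to its VEID, passes bare numeric ids through, and refuses aliases that are missing or defined more than once, which is the conflict the previous paragraph warns about. The one-pair-per-line file format and the name vz_resolve are assumptions; the page only names /etc/vz-aliases.

```shell
#!/bin/bash
# Added example: map container aliases to VEIDs so wrapper scripts can
# accept "dns" instead of "2010". The file format (one "alias veid" pair
# per line, '#' comments) is an assumption; the page only names the file.
set -e

# Constructed sample alias file, standing in for /etc/vz-aliases.
VZ_ALIASES="${VZ_ALIASES:-$(mktemp)}"
cat > "$VZ_ALIASES" <<'EOF'
# alias   veid
template  2002
dns       2010
web       2011
EOF

# vz_resolve NAME -> prints the VEID. A purely numeric argument is passed
# through unchanged. Fails on an unknown alias, or on an alias that is
# defined more than once (the conflict that can arise when alias files
# from several real servers are merged).
vz_resolve() {
    local name="$1" matches
    [ -n "$name" ] || { echo "usage: vz_resolve <alias|veid>" >&2; return 1; }
    case "$name" in
        *[!0-9]*) ;;                 # contains a non-digit: look it up
        *) echo "$name"; return 0 ;; # already a numeric VEID
    esac
    matches=$(awk -v n="$name" \
        '$1 !~ /^#/ && NF >= 2 && $1 == n { print $2 }' "$VZ_ALIASES")
    if [ -z "$matches" ]; then
        echo "unknown container alias: $name" >&2; return 1
    fi
    if [ "$(printf '%s\n' "$matches" | wc -l)" -ne 1 ]; then
        echo "alias $name is not unique in $VZ_ALIASES" >&2; return 1
    fi
    echo "$matches"
}

# vz_check_unique -> 0 if no alias is defined twice in the file, else 1.
vz_check_unique() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$VZ_ALIASES" \
        | sort | uniq -d | grep -q . && return 1
    return 0
}

# Example wrapper: "vz start dns" becomes "vzctl start 2010".
# It echoes the command instead of running it, so the demo needs no OpenVZ.
vz() {
    local veid
    veid=$(vz_resolve "$2") || return 1
    echo vzctl "$1" "$veid"
}
```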
This article is already quite long, so let's stop here. We will continue in the next part, where we discuss issues like how to deploy Intrusion Detection with OSSEC, how to monitor and set UBC parameters for containers, etc.