Introduction

This is a guide to setting up a vserver using Debian Squeeze.


Conventions:

Commands starting with '# ' are run as root. Commands starting with '$ ' can be run as a normal user.

Prepare host for vserver

Install vserver tools

# apt-get install util-vserver vserver-debiantools

Install and boot into a vserver-enabled kernel

The kernel package name depends on the architecture and kernel version. Try:

$ apt-cache search -n 'linux-image.*vserver'

and pick a version appropriate for your architecture.

For instance:

# apt-get install linux-image-2.6.26-1-vserver-686

Reboot into the new kernel.

Configure host daemons to only bind to host ip number

As vserver ip addresses are visible aliases on the main host, services on the main host must be configured to explicitly bind to the correct ip address, and avoid also binding to addresses belonging to vservers.

This includes the loopback address (127.0.0.1). If you need the host and/or multiple vservers to bind to localhost, look into setting up extra loopback interfaces on the host.

sshd

Edit /etc/ssh/sshd_config, change ListenAddress to:

ListenAddress ip.number.of.host

then:

# invoke-rc.d ssh force-reload

apache

Edit /etc/apache2/ports.conf and change each Listen line from:

Listen portnum

to:

Listen ip.number.of.host:portnum

then restart with

# invoke-rc.d apache2 force-reload

postfix

Edit /etc/postfix/main.cf, change inet_interfaces to:

inet_interfaces = ip.number.of.host, 127.0.0.1

then:

# invoke-rc.d postfix force-reload

exim

If your exim config is simple enough to have been configured through debconf:

# dpkg-reconfigure exim4-config

When asked which ip addresses to listen on, if using Squeeze:

127.0.0.1 ; ip.number.of.host

If using Lenny:

127.0.0.1 : ip.number.of.host

I.e. with Squeeze separate ip numbers with a semicolon (;); with Lenny use a colon (:).

If your exim has been manually configured:

Edit the appropriate configuration file, setting (with squeeze):

local_interfaces = 127.0.0.1 ; ip.number.of.host

or with lenny:

local_interfaces = 127.0.0.1 : ip.number.of.host

and then:

# invoke-rc.d exim4 force-reload
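Once the daemons above have been reconfigured, it is worth confirming that nothing is still bound to the wildcard address, since such a socket would also answer on every vserver's address. The following check is an added example, not part of the original page; it parses netstat -lnt output and reports wildcard listeners (the sample output is constructed, not captured from a real host).

```shell
# Added example, not from the original wiki page: list TCP sockets still bound
# to the wildcard address (0.0.0.0 or ::) in `netstat -lnt` output. Anything
# printed here will also accept connections on the vservers' ip addresses.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" && ($4 ~ /^0\.0\.0\.0:[0-9]+$/ || $4 ~ /^:::[0-9]+$/) { print $4 }'
}

# Constructed sample of `netstat -lnt` output (not captured from a real host).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 89.107.22.14:80         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# In the sample, sshd (0.0.0.0:22) and apache on IPv6 (:::80) still need fixing.
wildcard_listeners "$SAMPLE"
```

On a live host run wildcard_listeners "$(netstat -lnt)" as root; an empty result means every listening daemon is bound to a specific address.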

Create the vserver

# newvserver --hostname vservername --domain indymedia.org.uk --ip ip.address.of.vserver/netmask

In this context netmask is the prefix length: the number of leading bits of the ip address that identify the network portion, written in CIDR notation. You can find it by running /sbin/ifconfig, looking for the Mask: entry and looking it up in the netmask table at Wikipedia.

For instance, with an ifconfig line on the host like:

inet addr:89.107.22.14  Bcast:89.107.22.63  Mask:255.255.255.192

if you wanted to give the vserver the next address in the subnet, you would use an option like:

--ip 89.107.22.15/26

Configure vserver settings

Enable starting automatically on boot

To have the vserver started automatically on boot:

# echo "default" > /etc/vservers/yourserver/apps/init/mark

Allow chroots within the vserver

sshd, at least, needs to be able to chroot within the vserver:

# echo SYS_CHROOT >> /etc/vservers/vservername/bcapabilities

Configure debugging

If you want to allow processes to be traced using strace(1) (handy for figuring out what something is actually doing), you need to enable tracing within the vserver with:

# echo SYS_PTRACE >> /etc/vservers/vservername/bcapabilities

Increase shared memory

If you are running Mir with postgres, you may need to increase the size of shared memory available to the vserver, by altering the sysctl values kernel.shmall and kernel.shmmax.

If you are running a kernel >= 2.6.19 you can do this as follows:

# mkdir -p /etc/vservers/yourserver/sysctl
# cd /etc/vservers/yourserver/sysctl
# mkdir 0 1
# echo kernel.shmall > 0/setting
# echo 67108864 > 0/value
# echo kernel.shmmax > 1/setting
# echo 67108864 > 1/value

Unfortunately, if you are running a kernel older than 2.6.19, as far as I can tell the only way to increase these values in the vserver is to recompile the kernel with new defaults; even setting the values in the host's /etc/sysctl.conf and rebooting is not sufficient.
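The numbered slot layout above is easy to get wrong by hand when a setting is revisited later. The function below is an added example, not part of the original page: it writes a setting into the per-vserver sysctl directory, reusing the slot that already holds that key so re-running it does not create duplicate entries.

```shell
# Added example, not from the original wiki page: write one sysctl setting into
# a vserver's sysctl directory (e.g. /etc/vservers/yourserver/sysctl), reusing
# an existing slot for the same key and otherwise allocating the next free one.
# Usage: vserver_sysctl <sysctl-dir> <key> <value>; prints the slot used.
vserver_sysctl() {
    dir=$1; key=$2; value=$3
    mkdir -p "$dir" || return 1
    slot=
    for d in "$dir"/*/; do
        [ -f "$d/setting" ] || continue
        if [ "$(cat "$d/setting")" = "$key" ]; then slot=${d%/}; break; fi
    done
    if [ -z "$slot" ]; then
        n=0
        while [ -e "$dir/$n" ]; do n=$((n + 1)); done
        slot=$dir/$n
        mkdir "$slot" || return 1
    fi
    echo "$key" > "$slot/setting"
    echo "$value" > "$slot/value"
    echo "$slot"
}

# Example run against a scratch directory rather than /etc/vservers.
demo=$(mktemp -d)
vserver_sysctl "$demo" kernel.shmall 67108864   # allocates slot 0
vserver_sysctl "$demo" kernel.shmmax 67108864   # allocates slot 1
vserver_sysctl "$demo" kernel.shmall 134217728  # reuses slot 0
rm -rf "$demo"
```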

Configure /tmp

The default configuration sets up a 16MB tmpfs on /tmp. If this is not enough for you, either remove the /tmp line from /etc/vservers/servername/fstab so that /tmp uses the normal filesystem, or increase the size= value if you want a bigger tmpfs (bearing in mind that it takes up memory, or at least swap).

For instance, to set /tmp to 5GB, edit /etc/vservers/servername/fstab and set the /tmp line to:

none    /tmp            tmpfs   size=5g,mode=1777      0 0

Start the vserver

# vserver vservername start

Configure the system within the vserver

Login to vserver

# vserver vservername enter

Make yourself an account

# adduser yourname

Then add your ssh public key to ~yourname/.ssh/authorized_keys

Install ssh and sudo

# apt-get install openssh-server sudo

Give yourself permission to sudo by using visudo and adding:

yourname    ALL=(ALL) ALL

Secure ssh

After checking that logging in with your ssh key works and that you can sudo, you should consider securing ssh.

Disable root logins

Edit /etc/ssh/sshd_config and set:

PermitRootLogin no

then restart ssh:

# invoke-rc.d ssh force-reload

Disable password-based logins

Edit /etc/ssh/sshd_config and set:

PasswordAuthentication no

then restart ssh:

# invoke-rc.d ssh force-reload

Limit ssh brute-force attacks

Install either denyhosts or fail2ban.

Configure vserver daemons to only bind to host ip number

Perform the same procedures listed above, in "Configure host daemons to only bind to host ip number", only inside the vserver this time.

Note that exim may have attempted to start and failed before you reconfigured it, in which case it may have written to the paniclog, /var/log/exim4/paniclog. Check and delete this file, then restart exim:

# invoke-rc.d exim4 stop
# cat /var/log/exim4/paniclog
# rm /var/log/exim4/paniclog
# invoke-rc.d exim4 start

Done!

Your vserver is now set up. If you want to run Mir on it, see the companion document MirOnDebianSqueeze.

-- IanB - 2
Topic revision: r1 - 22 Dec 2010, IanB