From: Enrico Scholz (enrico.scholz_at_informatik.tu-chemnitz.de)
Date: Fri 06 May 2005 - 20:04:18 BST

In reply to: Paul S. Gumerman: "Re: [Vserver] problems with vserver create -m yum"

psg_at_cooldog.com ("Paul S. Gumerman") writes:

> Is there anywhere to be found an explanation of how package management
> works with the new util-vserver system?

I would suggest (for Fedora based systems):

1. create your own yum or apt repository by:
   a) copy all the shipped RPMs somewhere onto your hard drive; e.g.
      | D=/srv/data/mirror/fedora/core
      | rsync -a /media/cdrom/Fedora/RPMS/ $D/3/i386
   b) ditto for updates (e.g. execute a daily cronjob mirroring the
      updates directory)
      | rsync -a http://..../ $D/3-updates/i386
   c) create the yum filesystem structure there (the symlinks point four
      levels up, so they live below $D/.yum/3/i386, matching the baseurl
      used in step 2):
      | mkdir -p $D/.yum/3/i386/{base,updates}
      | ln -s ../../../../3/i386 $D/.yum/3/i386/base/RPMS
      | ln -s ../../../../3-updates/i386 $D/.yum/3/i386/updates/RPMS
   d) create the repo there
      | createrepo $D/.yum/3/i386/base
      | createrepo $D/.yum/3/i386/updates

   e) ... similarly for apt ... ;)

2. register them as the repository for FC3 (the heredoc delimiter is
   quoted so that the shell leaves $releasever and $basearch for yum)
   a) | mkdir -p /etc/vservers/.distributions/fc3/yum.repos.d
   b) | cat <<'EOF' >/etc/vservers/.distributions/fc3/yum.repos.d/fc3.repo
      [base]
      name=Fedora Core $releasever - $basearch - Base
      baseurl=file:///srv/data/mirror/fedora/core/.yum/3/$basearch/base
      enabled=1
      gpgcheck=1
      EOF
   c) | cat <<'EOF' >/etc/vservers/.distributions/fc3/yum.repos.d/fc3-updates.repo
      [updates]
      name=Fedora Core $releasever - $basearch - Updates
      baseurl=file:///srv/data/mirror/fedora/core/.yum/3/$basearch/updates
      enabled=1
      gpgcheck=0
      EOF

51 | ||
To be more flexible, I strongly suggest creating an ftp or http
vserver which provides the tree at $D. But for bootstrapping, the
file:// based repo is ok.

You will have to use hardcoded version strings ('3') instead of the
flexible '$releasever' in the URL; yum does not provide any way to
override this at runtime. Feel free to write a bug report for yum ;)

3. Now, you can begin to create vservers

   | # vserver test build -m yum -- -d fc3

   and install additional packages; e.g.

   | # vyum test -- install cfengine
   | # vrpm test -- -q cfengine

4. When you really need it, you can internalize the package management
   with

   | # vserver test pkgmgmt internalize

   But most of my vservers do not have internal package management; it
   adds additional dependencies and my vservers shall be minimal.

The current util-vserver version (0.30.207) has a bug in the
internalization process: you have to remove the '%_rpmdb' macro
manually from /etc/rpm/macros in the vserver. Currently, the yum
configuration is not copied either, so you have to do this manually.

> What I am particularly curious about is the usage of the various
> .rpmdb directories inside each vserver,

It is used to mount the rpm database in a secure way. "Secure" means
that programs running in the vserver can not modify it. This is solved
by

1. creating a new namespace before real rpm operations
2. bind-mounting '/vservers/.pkg/.../rpm/state' to /vservers/.../.rpmdb;
   this operation is done in a secure way
3. creating a new namespace and unmounting /.rpmdb before scripts are
   executed
4. changing the context before executing scripts

The /.rpmdb mountpoint has to be in the top-level directory; otherwise,
if it were e.g. /var/lib/rpm, an attacker within the vserver could
create a /var/lib -> /var/foo symlink and place a malicious rpm database
(e.g. one which causes buffer overflows) into /var/foo/rpm.

There are also some tricks, like mounting the new database into the host
as well, which work around some bugs in rpm.

> and the .pkg directory structure under the vdirbase, and how they are
> related.

Program-dependent directories are placed directly under /vservers/.pkg
(e.g. 'rpm', 'apt' or 'yum'). Then, there are case-dependent directories
like 'rpm/etc', which corresponds to '/etc/rpm', or 'rpm/state', which
holds the rpm database, or 'yum/etc' for the configuration, or ...

An important file is the generated rpm-macros file (rpm/etc/macros):
it contains both the %_rpmdb macro mentioned above and a line like:

| %_netsharedpath /dev:/etc/rc.d/init.d/halt:/sbin/new-kernel-pkg:/usr/bin/rhgb-client

This is needed to prevent installation of certain files (e.g. the
default '/etc/rc.d/init.d/halt' causes problems on vserver shutdown,
or '/sbin/new-kernel-pkg' makes installation of the kernel package fail).

Enrico

Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
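Added illustration (not util-vserver's own code) of the symlink problem Enrico describes: the check descends into a guest root one component at a time with openat(O_NOFOLLOW|O_DIRECTORY), so a guest-planted /var/lib -> /var/foo symlink under a would-be /var/lib/rpm mountpoint is refused, while a top-level .rpmdb has no intermediate component to subvert. The guest root, its symlink and all function names are constructed for the example.

```python
import os
import tempfile

# Added illustration of the "secure" bind-mount path check from the mail; it is
# not util-vserver's own code. Every descent step is an openat() with
# O_NOFOLLOW|O_DIRECTORY, so a symlink planted by the guest (e.g.
# /var/lib -> /var/foo) yields ELOOP instead of redirecting the mount.
FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY


def open_mountpoint_nofollow(guest_root, rel_path):
    """Return an fd for guest_root/rel_path, raising OSError on any symlink.

    Check and descent are the same syscall per component, so there is no
    check-then-use window in which the guest can swap a directory for a link.
    """
    parts = [p for p in rel_path.split("/") if p]
    if any(p in (".", "..") for p in parts):
        raise OSError("refusing '.' or '..' component in " + rel_path)
    fd = os.open(guest_root, FLAGS)
    try:
        for part in parts:
            nfd = os.open(part, FLAGS, dir_fd=fd)  # ELOOP if part is a symlink
            os.close(fd)
            fd = nfd
    except OSError:
        os.close(fd)
        raise
    return fd


def check_mountpoint(guest_root, rel_path):
    """Classify a candidate rpmdb mountpoint inside the guest as 'ok' or 'rejected'."""
    try:
        os.close(open_mountpoint_nofollow(guest_root, rel_path))
        return "ok"
    except OSError:
        return "rejected"


def demo():
    """Constructed guest root: a top-level .rpmdb, and the /var/lib -> /var/foo
    symlink an attacker in the guest would plant under a /var/lib/rpm mountpoint."""
    root = tempfile.mkdtemp(prefix="guest-")
    os.mkdir(os.path.join(root, ".rpmdb"))
    os.makedirs(os.path.join(root, "var", "foo", "rpm"))
    os.symlink("foo", os.path.join(root, "var", "lib"))  # relative link, as the guest would
    return {rel: check_mountpoint(root, rel) for rel in (".rpmdb", "var/lib/rpm")}
```

Running demo() reports the top-level .rpmdb as ok and var/lib/rpm as rejected, because the openat() on the lib component fails with ELOOP before anything could be mounted through it.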