forked from fhinkel/tryM2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
configuring_linux.tex
831 lines (688 loc) · 27.4 KB
/
configuring_linux.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
\documentclass[a4paper]{book}
\usepackage[DIV=13]{typearea} % Benjamins proposal, higher div saves more paper.
% Eliminating empty pages
\let\cleardoublepage\par % Alternatively: \let\cleardoublepage\clearpage
% Improving line layout, f.ex. eliminating overfull boxes, etc.
\usepackage[tracking, kerning, spacing]{microtype}
\microtypecontext{spacing=nonfrench}
\usepackage{verbatim}
\begin{document}
\tableofcontents
\chapter{General strategy}
To provide different M2 processes for several users and at the same time not putting the host system at any risk we have the following strategy:
\begin{enumerate}
\item Create a virtual machine where our server is inside. Apparently it is very difficult to escape from a virtual machine.
\item Inside the virtual machine have the users run in an (s)chrooted environment.
\item Limit the resources for each user using cgroups.
\item Do provide as little system files to the user as possible. We mount almost everything (except /proc) from a master schroot. The mounting happens readonly. If the user needs write access he gets a writable layer on top.
\item Mounting readonly with a writable layer forces us to modify the schroot source.
\end{enumerate}
Backing up the progress is easy using the snapshot tool of VBoxManage (see below). This document is supposed to provide enough information to set up this environment.
Please note that almost all (except the virtualbox) commands are to be executed on the virtual machine, i.e. webm2.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%
%%% Things we actually do on Habanero
%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Actual usage}
This is a short manual how to start and stop things very concretely.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Controlling
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Controlling}
\subsection{Habanero}
Habanero can shut down using
\begin{verbatim}
sudo shutdown -P now
\end{verbatim}
and rebooted using
\begin{verbatim}
sudo reboot
\end{verbatim}
Currently I now of now way to booting it once it completely shut down besides being in the office.
\subsection{webm2}
Use the same commands as for habanero, after ssh on to webm2. If it gets stuck use
\begin{verbatim}
sudo -u vmuser VBoxManage controlvm "webm2" poweroff
\end{verbatim}
The only way to start it is
\begin{verbatim}
sudo -u vmuser VBoxManage startvm "webm2" --type=headless
\end{verbatim}
Other VBoxManage commands can be found below. To control webm2 they must be executed as the vmuser.
\subsection{schroot}
No need to start these. Else see the updating section on schroots and the chapter on schroots.
You can end all schroots using
\begin{verbatim}
sudo schroot -e -f --all-sessions
\end{verbatim}
To clean up all users use
\begin{verbatim}
cd /home/franzi/tryM2/perl-scripts
sudo perl total_cleanup.pl
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Updating
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Updating Ubuntus + M2}
\subsection{Habanero}
First ssh on to habanero. To update Ubuntu do
\begin{verbatim}
sudo apt-get update
sudo apt-get upgrade
\end{verbatim}
and possibly
\begin{verbatim}
sudo apt-get dist-upgrade
\end{verbatim}
If something fails, the following commands might help:
\begin{verbatim}
sudo apt-get autoclean
sudo apt-get autoremove
\end{verbatim}
\subsection{webm2}
First ssh on to habanero, from there ssh on to webm2. There is no way to ssh directly on to webm2.
Now you can execute the same commands as for habanero.
\subsection{The schroot}
You need to ssh on to webm2. Then go into the master schroot using
\begin{verbatim}
sudo -u lars schroot -c master -u root -d /home
\end{verbatim}
Your shell should now clearly indicate that you are inside the schroot. Since you already are root you can just
\begin{verbatim}
apt-get update
apt-get upgrade
apt-get dist-upgrade
\end{verbatim}
\subsection{Updating M2 in the schroot}
First get the '.tar.gz' with the newest M2. Then you can just unpack it to the folder
\begin{verbatim}
/fakeroots/master/M2
\end{verbatim}
Note that on our webm2 this is currently
\begin{verbatim}
/fakeroots/new_master/M2
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%
%%% Virtualbox
%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{VirtualBox (VBox)}
One can install VBox via apt:
\begin{verbatim}
sudo apt-get install virtualbox
\end{verbatim}
I do not (yet) provide information on how to install a guest system without the gui, sorry.
Lets give an short overview over the commands:
\begin{verbatim}
VBoxManage list runningvms
VBoxManage list vms
\end{verbatim}
will list the running VMs or all vms.
\begin{verbatim}
VBoxManage export machine name.ovf
\end{verbatim}
will export machine into file name.ovf.
For starting the vm machine via command line use
\begin{verbatim}
VBoxManage startvm machine --type headless
\end{verbatim}
Modifying VMs is done via modifyvm:
\begin{verbatim}
VBoxManage modifyvm machine --option value
\end{verbatim}
Here is a very concrete example working on habanero. First log on to habanero via ssh. Then
\begin{verbatim}
sudo -u vmuser -i
VBoxManage list vms
VBoxManage showvminfo webm2
VBoxManage modifyvm webm2 --memory 32768
VBoxManage startvm webm2 --type headless
VBoxManage controlvm webm2 poweroff
VBoxManage clonevm webm2 --name "webm2_rescue" --register
\end{verbatim}
One can take a snapshot using
\begin{verbatim}
VBoxManage snapshot webm2 take name --description "Cool features."
\end{verbatim}
CAUTION: For some reason taking a snapshot of the running machine didn't work.
Unfortunately I do not know how to set up port forwarding. Possibly
\begin{verbatim}
http://www.virtualbox.org/manual/ch06.html#natforward
\end{verbatim}
provides that information.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Starting the server at startup of vm
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Starting the server at startup of vm}
Log onto the vm using ssh. Now edit the crontab of root:
\begin{verbatim}
sudo crontab -e
\end{verbatim}
At the end insert the line
\begin{verbatim}
@reboot export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:
/usr/bin:/sbin:/bin:/M2/bin; cd /home/franzi/tryM2; make start >>
/home/webm2.logs/cron.log 2>&1
\end{verbatim}
Maybe the line breaks need to be removed if you are copying from this pdf.
This will export a PATH to have all necessary commands available for the forever script, change into the directory with the node server and then start it.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%
%%% cgroups
%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{cgroups}
We want to use cgroups to restrict the memory per user if this is possible.
\begin{verbatim}
sudo apt-get install cgroup-bin
sudo reboot
\end{verbatim}
Now the create\_user.pl script will create a new cgroup for each user with the following lines:
\begin{verbatim}
system "cgcreate -a $user -g memory:$user";
system "chown -R root:root /sys/fs/cgroups/memory/$user/";
system "echo 500000000 > /sys/fs/cgroup/memory/$user/memory.limit_in_bytes";
\end{verbatim}
Then the schroot can be executed in the corresponding cgroup using
\begin{verbatim}
sudo cgexec -g memory:user sudo -u user schroot -c user -u user -d /home/m2user -r M2
\end{verbatim}
If you want to see the tasks of a specific user:
\begin{verbatim}
cat /sys/fs/cgroup/memory/user/tasks
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%
%%% Schroots
%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Schroots}
What is this about?
We wanted to build something in Ubuntu similar to jails in FreeBSD, i.e. have a
full system in a subtree without the riscs of breaking out. Additionally we
wanted it to be very secure, even root shouldn't be able to modify files.
Schroots were our weapon of choice. We first build a master schroot containing
the system and programs to run. At any point we can start the master schroot to
install programs.
Then we built clones of the master schroot. They mount everything readonly from
the master schroot, except some temporary folders to store temporary files
generated by processes (in our case M2). This document contains very detailed
information on what to do.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Preparation
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Preparation}
Install the following
\begin{verbatim}
sudo apt-get install debootstrap gettext doxygen po4a autoconf groff libboost-dev
libboost-program-options-dev libboost-regex-dev autopoint uuid-dev liblockdev1-dev
libpam0g-dev libboost-iostreams-dev libtool
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Installing schroot from source
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Installing schroot from modified source}
Since we need to temper with the source of schroot to modify it according to our needs, we have to compile and install it ourselves. First we download the source, then compile it and install it.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Mounting readonly file systems with a writable layer
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Mounting readonly file systems with a writable layer}
The problem we are trying to solve is the following: We want to mount the /etc
and /root folder inside the clone. Inside the clone they need to be writable
but we need their outer versions to be unchanged. This can be solved in the
fstab with an entry like
\begin{verbatim}
none /etc aufs br:/tmp=rw:/etc=ro 0 0
\end{verbatim}
This will mount both the outside /tmp and the outside /etc folder onto the
inner /etc. Changes in the inner /etc would be kept in the outer /tmp and leave
the outer /etc unharmed.
But now a new problem arises, namely all changes for all users would be kept in
the same /tmp folder and could cause trouble, thus we want something like:
\begin{verbatim}
tmpfs /tmpetc tmpfs nodev,nouid 0 0
none /etc aufs br:/absolute/path/to/tmpfs=rw:/etc=ro 0 0
\end{verbatim}
Thus we somehow need to enter the absolute path to the individually created /tmpetc.
The solution is to make the following work:
\begin{verbatim}
tmpfs /tmpetc tmpfs nodev,nouid 0 0
none /etc aufs br:$FULL_MOUNT_PATH/tmpfs=rw:/etc=ro 0 0
\end{verbatim}
Now you are done with this part.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% The master
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Creating the master}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Building Ubuntu precise pangolin
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Building precise}
First we don't want anything from the outside world going into the master.
Assume we are in a folder 'fakeroots', create a folder for the master
\begin{verbatim}
cd fakeroots
mkdir master
\end{verbatim}
Let path2master be the absolute path of the fakeroots folder.
Now install precise into the master folder
\begin{verbatim}
sudo debootstrap --variant=buildd --arch=amd64 precise
path2master/master
http://archive.ubuntu.com/ubuntu
\end{verbatim}
(all in one line)
Replace precise by another version if needed.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Creating the master profile
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Creating the master profile}
Start by duplicating the default profile
\begin{verbatim}
cd /usr/local/etc/schroot
sudo mkdir master
sudo cp default/* master
\end{verbatim}
Now we need to modify the profile for not getting some files from the outside
\begin{verbatim}
cd /usr/local/etc/schroot/master
sudo vim fstab
\end{verbatim}
Comment out all lines, except the line with /proc in fstab.
Later also comment out the lines in copyfiles and nssdatabases. Then schroot
won't copy the passwd file and /proc won't be mounted from the outside.
Somehow it's important to have initial copies of these files, though, for
having a sane system. If there aren't any sane versions of these files, M2 will
segfault. Also if you update these files and want them updated inside you will
have to uncomment these files.
Modify the configuration file to have the correct paths
\begin{verbatim}
sudo vim /usr/local/etc/schroot/master/config
\end{verbatim}
it should look like
\begin{verbatim}
# Settings for "master" profile.
FSTAB="/usr/local/etc/schroot/master/fstab"
COPYFILES="/usr/local/etc/schroot/master/copyfiles"
NSSDATABASES="/usr/local/etc/schroot/master/nssdatabases"
\end{verbatim}
Next I created the configuration file
\begin{verbatim}
cd /usr/local/etc/schroot/chroot.d
touch master.conf
\end{verbatim}
And filled it with the following content
\begin{verbatim}
[master]
description=Ubuntu precise pangolin master chroot
directory=path2master/master
root-users=lars <- your username here.
type=directory
users=m2user
profile=master <- total path doesn't work
\end{verbatim}
Note that apparently all the users mentioned here have to exist on the outside
as well. We definetely have to modify the passwd file, since at this point it
is a copy from the outside.
Note also that we need to move our custom 'open' and 'open-www' files to /usr/local/bin.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Installing M2
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Installing M2 and other things}
Move the M2 sources to a location (for example /home) inside the chroot:
\begin{verbatim}
sudo cp M2-1.4.0.1.tar.gz path2master/master/home/
\end{verbatim}
Now start the master schroot
\begin{verbatim}
schroot -c master -u root
\end{verbatim}
NO sudo in front of this command. Once inside, install everything you need
using apt. Note that you might get an error message depending on whether the
folder you start the schroot in also exists in the schroot environment or not.
Inside the chroot
\begin{verbatim}
cd /home
tar -xzf M2-1.4.0.1.tar.gz
cd /
mkdir M2
mv /home/installed/* M2
rm -rf /home/installed/
rm /home/M2-1.4.0.1.tar.gz
apt-get update
apt-get upgrade
apt-get install vim
\end{verbatim}
Install all packages needed for M2. Start the schroot as root and inside
\begin{verbatim}
apt-get install libxml2 graphviz curl
M2
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% The Clone
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Cloning the master schroot}
We want to prepare a profile for the clones
\begin{verbatim}
cd /usr/local/etc/schroot
sudo mkdir clone
sudo cp master/* clone
cd clone
sudo vim config
\end{verbatim}
edit this to look like
\begin{verbatim}
# Settings for "clone" profile.
FSTAB="/usr/local/etc/schroot/clone/fstab"
COPYFILES="/usr/local/etc/schroot/clone/copyfiles"
NSSDATABASES="/usr/local/etc/schroot/clone/nssdatabases"
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Mounting the master files readonly
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Mounting readonly with a writable layer}
Edit the fstab to fetch the master files
\begin{verbatim}
sudo vim /usr/local/etc/schroot/clone/fstab
\end{verbatim}
it should look like
\begin{verbatim}
# <file system> <mount point> <type> <options> <dump> <pass>
/proc /proc none bind 0 0
/proc /proc none remount,bind,ro 0 0
/fakeroots/master/bin /bin none bind 0 0
/fakeroots/master/bin /bin none remount,bind,ro 0 0
/fakeroots/master/cbin /cbin none bind 0 0
/fakeroots/master/cbin /cbin none remount,bind,ro 0 0
/fakeroots/master/usr /usr none bind 0 0
/fakeroots/master/usr /usr none remount,bind,ro 0 0
/fakeroots/master/srv /srv none bind 0 0
/fakeroots/master/srv /srv none remount,bind,ro 0 0
/fakeroots/master/lib /lib none bind 0 0
/fakeroots/master/lib /lib none remount,bind,ro 0 0
/fakeroots/master/lib64 /lib64 none bind 0 0
/fakeroots/master/lib64 /lib64 none remount,bind,ro 0 0
/fakeroots/master/sys /sys none bind 0 0
/fakeroots/master/sys /sys none remount,bind,ro 0 0
/fakeroots/master/selinux /selinux none bind 0 0
/fakeroots/master/selinux /selinux none remount,bind,ro 0 0
/fakeroots/master/var /var none bind 0 0
/fakeroots/master/var /var none remount,bind,ro 0 0
/fakeroots/master/boot /boot none bind 0 0
/fakeroots/master/boot /boot none remount,bind,ro 0 0
/fakeroots/master/media /media none bind 0 0
/fakeroots/master/media /media none remount,bind,ro 0 0
/fakeroots/master/opt /opt none bind 0 0
/fakeroots/master/opt /opt none remount,bind,ro 0 0
/fakeroots/master/run /run none bind 0 0
/fakeroots/master/run /run none remount,bind,ro 0 0
/fakeroots/master/mnt /mnt none bind 0 0
/fakeroots/master/mnt /mnt none remount,bind,ro 0 0
/fakeroots/master/M2 /M2 none bind 0 0
/fakeroots/master/M2 /M2 none remount,bind,ro 0 0
# Temporary file systems
tmpfs /tmp tmpfs nodev,nosuid,size=32M 0 0
tmpfs /home/m2user tmpfs nodev,nosuid,size=32M,rw,uid=1002,gid=1002 0 0
# Mounting readonly folders writable
tmpfs /tmpetc tmpfs nodev,nosuid,size=4M,mode=755 0 0
none /etc aufs br:$FULL_MOUNT_PATH/tmpetc=rw:/fakeroots/master/etc=ro 0 0
tmpfs /tmproot tmpfs nodev,nosuid,size=4M,mode=755 0 0
none /root aufs br:$FULL_MOUNT_PATH/tmproot=rw:/fakeroots/master/root=ro 0 0
\end{verbatim}
Please bear with me for not modifying the paths.
A word on the gid and uid: Since the users come from the host system, I just
took them from there. We set the mode of the /root and /etc folder by setting
the mode on the corresponding /tmp folders. We don't want the user to be able
to mess up the files there, even not temporary. Go on and try to touch
something as a user.
In the nssdatabases and copyfiles file comment out all lines.
Note that we do not have a sbin folder at all.
Now one can run the schroot. At desctruction the also the folders /etc and
/root are eliminated.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Configuring the clone
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Configuring the clone}
Create a folder for the clone (maybe inside fakeroots)
\begin{verbatim}
cd fakeroots
mkdir clone
\end{verbatim}
Edit the clone chroot config
\begin{verbatim}
cd /usr/local/etc/schroot/chroot.d
sudo vim clone.conf
\end{verbatim}
to look like
\begin{verbatim}
[clone]
description=Ubuntu precise pangolin clone chroot
directory=path2clone/clone
root-users=lars
type=directory
users=m2user
profile=clone
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Running the clone for the first time
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{First test of the clone}
Start the clone and check it
\begin{verbatim}
schroot -c clone -u root
touch /bin/bla
\end{verbatim}
should yield
\begin{verbatim}
touch: cannot touch `/bin/bla': Read-only file system
\end{verbatim}
Note: Have a look at the copyfiles file in the configuration folder.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Schroot Commands
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Schroot Commands}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Basics
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Basic commands}
One can list all schroots with
\begin{verbatim}
schroot -l
\end{verbatim}
Kill all schroots with
\begin{verbatim}
schroot -e --all-sessions
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Naming schroots
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Naming the schroots}
Start a schroot with given id name. Then access it as a user
\begin{verbatim}
schroot -c chroot -n name -b
schroot -c name -u user -r
\end{verbatim}
It is not possible to log into the named schroot immediately.
This is also the format of the commands used in m2server-module.js.
Alternatively start M2 when logging on
\begin{verbatim}
schroot -c name -u user -r /M2/bin/M2 -d /home/user
\end{verbatim}
Of course this directory should exist.
Ending this schroot
\begin{verbatim}
schroot -c name -e
\end{verbatim}
One can use this to let the schroot know its name:
\begin{verbatim}
schroot -c name -d existing/rw/dir -u user -r touch name
\end{verbatim}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Updating the schroot
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Short note on updating our schroots:}
\begin{enumerate}
\item Shut down the forever script.
\item Shut down the m2server.
\item Kill all schroots using
\begin{verbatim}
sudo schroot -e -f --all-sessions
\end{verbatim}
\item Start the master schroot:
\begin{verbatim}
sudo -u lars schroot -c master -u root
\end{verbatim}
\item You should now be inside the schroot as root. Do
\begin{verbatim}
apt-get update
apt-get upgrade
\end{verbatim}
\item For updating M2 move the new .tar.gz to /fakeroots/new\_master/home (or wherever your master schroot is) and inside the schroot unpack the tarball. Then, still inside, replace /M2 with the new files and delete the tarball. With adjusted paths you could also do this from the outside.
\item Restart the server.
\end{enumerate}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%
%%% Gentoo walkthrough
%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\chapter{Gentoo walkthrough}
This is a collection of commands to create a virtual machine with a 20G harddisc running gentoo. Using the above instructions one can then install schroot on it and use it to run a node server.
First command downloads a gentoo minimal installation disc. Then create a virtual machine and mount it.
\begin{verbatim}
wget http://distfiles.gentoo.org/releases/amd64/autobuilds/current-iso/default/20130207/install-amd64-minimal-20130207.iso
VBoxManage createhd
VBoxManage createhd --filename gentoo_hd.vdi --size 20000 --variant Standard
VBoxManage list ostypes
VBoxManage createvm --name gentoo_webm2 --ostype Gentoo_64 --register
VBoxManage list vms
VBoxManage modifyvm
VBoxManage storagectl gentoo_webm2 --name "SATA Controller" --add sata
VBoxManage storageattach gentoo_webm2 --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium "gentoo_hd.vdi"
VBoxManage storagectl gentoo_webm2 --name "IDE Controller" --add ide
VBoxManage storageattach gentoo_webm2 --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium "install-amd64-minimal-20130207.iso"
VBoxManage modifyvm gentoo_webm2 --boot1 dvd --boot2 disk --boot3 none --boot4 none
VBoxHeadless -s gentoo_webm2 -n -m 3389
\end{verbatim}
Now the virtual machine is started. Since it has no ssh-server running, you have to access it using a ssh tunnel and vncviewer:
\begin{verbatim}
ssh -L 3389:127.0.0.1:3389 [email protected]
vncviewer localhost:3389
\end{verbatim}
Now you are inside the virtual machine. Check the network connection:
ifconfig tells that everything is alright.
Then start partitioning the harddisc.
\begin{verbatim}
fdisk /dev/sda
n p 1 default +128M
a 1
n p 2 default +3072M
t 2 82
n p 3 default +10G
n e default
n default +3G
n default default
p
\end{verbatim}
You should now have 6 partitions
\begin{verbatim}
w
\end{verbatim}
Then mount the partitions.
\begin{verbatim}
mkswap /dev/sda2
swapon /dev/sda2
mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/sda3
mkfs.ext4 /dev/sda5
mkfs.ext4 /dev/sda6
mount /dev/sda3 /mnt/gentoo
cd /mnt/gentoo
mkdir boot
mkdir fakeroot
mkdir usr
cd usr
mkdir local
cd
mount /dev/sda1 /mnt/gentoo/boot
mount /dev/sda5 /mnt/gentoo/fakeroot
mount /dev/sda6 /mnt/gentoo/usr/local
cd /mnt/gentoo
links http://www.gentoo.org/main/en/mirrors.xml
\end{verbatim}
Download stage 3 tarball
\begin{verbatim}
tar xvjpf stage...
nano -w /mnt/gentoo/etc/portage/make.conf add line MAKEOPTS="-j3" at end
mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
mirrorselect -i -r -o >> /mnt/gentoo/etc/portage/make.conf
cat /mnt/gentoo/etc/portage/make.conf
cp -L /etc/resolv.conf /mnt/gentoo/etc/
mount -t proc none /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash
source /etc/profile
export PS1="(chroot) $PS1"
mkdir /usr/portage
emerge-webrsync
emerge --sync
echo "America/New_York" > /etc/timezone
emerge gentoo-sources
cd /usr/src/linux
emerge pciutils
lspci
lsmod
make menuconfig
\end{verbatim}
In the config enable the cgroup support and the aufs file system. If it doesn't support the aufs filesystem you will have to download and install a different kernel later using emerge.
\begin{verbatim}
make && make modules_install
cp arch/x86_64/boot/bzImage /boot/kernel-xxx-gentoo
emerge genkernel
genkernel --install initramfs
emerge vim
vim /etc/fstab
cd /etc/init.d
ln -s net.lo net.eth0
rc-update add net.eth0 default
emerge syslog-ng
rc-update add syslog-ng default
emerge grub
vim /boot/grub/grub.conf
grep -v rootfs /proc/mounts > /etc/mtab
grub-install --no-floppy /dev/sda
exit
umount -l /mnt/gentoo/dev{/shm,/pts,}
umount -l /mnt/gentoo{/boot,/proc,}
reboot
\end{verbatim}
This will fail. First remove the cdrom, as vmuser do:
\begin{verbatim}
VBoxManage storageattach gentoo_webm2 --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium none
VBoxManage modifyvm gentoo_webm2 --natpf1 "guestssh,tcp,,13779,,13779"
VBoxManage modifyvm gentoo_webm2 --natpf1 "webaccess,tcp,,3691,,8002"
\end{verbatim}
Now install an ssh server and have it listen on port 13779
\begin{verbatim}
emerge openssh
rc-update add sshd default
vim /etc/ssh/sshd_config
\end{verbatim}
Log on to the virtual machine and install the necessary node stuff.
\begin{verbatim}
sudo emerge nodejs
sudo npm install -g connect forever cookies
\end{verbatim}
\end{document}