Linux Virtual Server documentation and utilities
About
The Linux VServer project allows an administrator to run multiple completely partitioned instances of Linux on a single system. Each vserver runs at full host speed.
This is, of course, perfect for virtual hosting. One can provide a customer with a full installation of Linux without having to supply the physical resources for a completely separate server.
Virtual Hosting
The virtual server on which SwapOff.org is running shares its resources with four other virtual servers. All of these domains share one single public IP address, so giving each vserver access to network services was quite tricky.
Software
After much trialling of software, I settled on the following to give virtual services to the vservers.
Pound reverse HTTP/HTTPS proxy
Pound is a reverse proxy that runs on the front-end server, forwarding all HTTP and HTTPS requests on to the requested virtual servers. The beauty of this solution is that only one HTTPS session needs to be maintained, between the client and the front-end server, as Pound proxies HTTPS to HTTP.
Perdition is to IMAP/POP3 as Pound is to HTTP/HTTPS.
JFTPGW is a lightweight FTP proxy, perfect for forwarding FTP on to vservers. In addition, its access control easily allows you to lock it down without fear of your proxy becoming a spammer's dream come true. I have no control over any of the vservers running on the real-server, but I would hope that the vserver administrators do not allow plain text authentication.
Exim is an SMTP server which, while very easy to configure, is still very extensible. It is configured to forward all mail for the hosted domains on to the relevant vserver; nothing beyond basic SMTP is required.
OpenSSH is used for remote access.
Configuration
All of the software was quite easy to configure, though the access control configuration of JFTPGW is slightly non-intuitive in my opinion.
To allow virtual users to authenticate with services running on the front-end, a Perl script is used to consolidate user authentication databases on the vservers. This is primarily for OpenSSH, so that users can log directly in to their vservers, and Exim, to let users do SMTP AUTH in order to relay.
Utilities
In order to allow direct logins to vservers via OpenSSH running on the real-server, I had to write a /bin/login replacement.
The basic logic of this program is as follows:
- Use the GECOS field of the virtual user in the real-server's password database to determine which user and vserver to log in to. The GECOS field must be in the form <user>@<domain>.
- Propagate UTMP/WTMP entries from the real server into the vserver. This maintains a consistent view for the vserver administrator, who will see the remote host, correct user, etc.
- Change ownership/permissions of the login PTY so the virtual user has ownership.
- Enter the virtual server as the correct user, propagating any command line arguments supplied to the real-server on to the virtual user's shell.
- Wait for virtual user to exit.
- Restore ownership of PTY and clean up UTMP/WTMP.
With these steps, vslogin lets virtual users log directly in to their vserver, use scp, and so on.
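The first step above is the one that decides where a login ends up: the GECOS field of the real-server account names both the target user and the target vserver, so a login replacement has to parse it strictly and reject anything malformed before it touches UTMP, the PTY or the vserver. The following C is an added illustration written for this page, not code from vslogin or from Anton Fedorov's version; the function names, the accepted character sets for user names and domains, and the sample GECOS values are all assumptions made here.

```c
#include <ctype.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of mapping a real-server account to a virtual one. */
struct vslogin_target {
    char user[33];    /* assumption: user names up to 32 chars + NUL */
    char domain[254]; /* assumption: DNS hostname limit, 253 chars + NUL */
};

/* Character classes accepted for each part. Assumption: vserver user names
   follow the usual [a-z_][a-z0-9_-]* convention and domains are hostnames. */
static int user_char_ok(unsigned char c, int first) {
    if (first) return islower(c) || c == '_';
    return islower(c) || isdigit(c) || c == '_' || c == '-';
}
static int domain_char_ok(unsigned char c) {
    return isalnum(c) || c == '.' || c == '-';
}

/* Parse "<user>@<domain>" into t. Returns 0 on success, -1 on any
   malformed input: missing or repeated '@', an empty part, a bad
   character, an oversize part, or a domain with a leading/trailing
   '.' or '-' or an empty label. Nothing privileged should happen on -1. */
int parse_vslogin_gecos(const char *gecos, struct vslogin_target *t) {
    const char *at;
    size_t ulen, dlen, i;

    if (gecos == NULL || t == NULL) return -1;
    at = strchr(gecos, '@');
    if (at == NULL || strchr(at + 1, '@') != NULL) return -1;

    ulen = (size_t)(at - gecos);   /* user part is everything before '@' */
    dlen = strlen(at + 1);         /* domain part is everything after it */
    if (ulen == 0 || ulen >= sizeof t->user) return -1;
    if (dlen == 0 || dlen >= sizeof t->domain) return -1;

    for (i = 0; i < ulen; i++)
        if (!user_char_ok((unsigned char)gecos[i], i == 0)) return -1;
    for (i = 0; i < dlen; i++)
        if (!domain_char_ok((unsigned char)at[1 + i])) return -1;
    if (at[1] == '.' || at[1] == '-' || at[dlen] == '.' || at[dlen] == '-')
        return -1;
    if (strstr(at + 1, "..") != NULL) return -1;

    memcpy(t->user, gecos, ulen);
    t->user[ulen] = '\0';
    memcpy(t->domain, at + 1, dlen);
    t->domain[dlen] = '\0';
    return 0;
}

/* Wrapper over a passwd entry, as a login replacement would receive it
   from getpwnam() on the real server. */
int target_from_passwd(const struct passwd *pw, struct vslogin_target *t) {
    if (pw == NULL || pw->pw_gecos == NULL) return -1;
    return parse_vslogin_gecos(pw->pw_gecos, t);
}

/* Returns 1 when gecos parses to exactly user@domain, 0 otherwise. */
int gecos_matches(const char *gecos, const char *user, const char *domain) {
    struct vslogin_target t;
    if (parse_vslogin_gecos(gecos, &t) != 0) return 0;
    return strcmp(t.user, user) == 0 && strcmp(t.domain, domain) == 0;
}

int main(void) {
    /* Constructed sample GECOS values; none come from a real system. */
    const char *samples[] = { "alice@example.org", "bob", "@example.org",
                              "eve@evil@example.org", "carol@-bad.example" };
    struct vslogin_target t;
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_vslogin_gecos(samples[i], &t) == 0)
            printf("%-22s -> user=%s domain=%s\n", samples[i], t.user, t.domain);
        else
            printf("%-22s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The point of the strict checks is that the GECOS field is normally free-form finger information and is writable by the account owner through chfn on many systems; a login replacement that trusts it as a routing key must therefore only accept the exact shape it expects, and should fail closed (refuse the login) rather than fall back to any default user or vserver.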
Download
Anton Fedorov has updated vslogin with some newer features. Downloads and further explanation are available here.
