3 # Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
4 # based on vserver by Jacques Gelinas
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 2, or (at your option)
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
20 # This is a script to control a virtual server
22 : ${UTIL_VSERVER_VARS:=$(dirname $0)/util-vserver-vars}
23 test -e "$UTIL_VSERVER_VARS" || {
24 echo "Can not find util-vserver installation; aborting..."
27 . "$UTIL_VSERVER_VARS"
30 USR_LIB_VSERVER=$PKGLIBDIR
32 VSERVER_CMD=$USR_SBIN/vserver
33 CHBIND_CMD=$USR_SBIN/chbind
34 CHCONTEXT_CMD=$USR_SBIN/chcontext
35 SAVE_S_CONTEXT_CMD=$USR_LIB_VSERVER/save_s_context
36 CAPCHROOT_CMD=$USR_LIB_VSERVER/capchroot
37 VSERVERKILLALL_CMD=$USR_LIB_VSERVER/vserverkillall
38 DEFAULTPATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
47 mkdir -p $1/proc $1/dev/pts
48 if [ ! -d $1/proc/1 ] ; then
49 mount -t proc none $1/proc
50 mount -t devpts -o gid=5,mode=0620 none $1/dev/pts
55 umount $1/proc 2>/dev/null
56 umount $1/dev/pts 2>/dev/null
59 # Check that the vservers parent directory has permission 000
60 # This is the key to avoid chroot escape
64 PERM=`$USR_LIB_VSERVER/showperm $VROOTDIR/$1/..`
65 if [ "$PERM" != 000 ] ; then
67 echo "**********************************************************"
68 echo $VROOTDIR/$1/.. has insecure permissions.
69 echo A vserver administrator may be able to visit the root server.
71 echo " " chmod 000 $VROOTDIR/$1/..
72 echo do it anytime you want, even if vservers are running.
73 echo "**********************************************************"
77 # Set the IP alias needed by a vserver
80 if [ "$NODEV" = "" -a "$IPROOT" != "" -a "$IPROOT" != "0.0.0.0" -a "$IPROOT" != "ALL" ] ;then
81 # A vserver may have more than one IP
82 # The first alias is dev:vserver
83 # and the other are dev:vserver1,2,3 and so on
84 # An IP may hold the device. The following is valid
85 # IPROOT="1.2.4.5 eth1:1.2.3.5"
87 # The first IP 1.2.3.4 will go on eth0 and the other on eth1
88 # VLAN devices are also supported (eth0.231 for vlan 231)
95 # Split the device and IP if available
98 eval `echo $oneip | tr : ' ' | (read dev ip; echo oneip=$ip; echo IPDEV=$dev)`
101 # Split the IP and the netmask if available
104 eval `echo $oneip | tr / ' ' | (read ip msk; echo oneip=$ip; echo MASK=$msk)`
105 eval `$USR_LIB_VSERVER/ifspec "" "$oneip" "$MASK" "$BCAST"`
108 if [ "$IPDEV" != "" ] ; then
111 if [ ! -f /proc/net/vlan/$IPDEV ] ; then
112 /sbin/vconfig add `echo $IPDEV | tr . ' '`
114 /sbin/ifconfig $IPDEV 127.0.0.1
118 # Compute the default netmask, if missing
119 eval `$USR_LIB_VSERVER/ifspec $IPDEV "$oneip" "$MASK" "$BCAST"`
122 #echo /sbin/ifconfig $IPDEV:$1$SUFFIX $oneip netmask $IPROOTMASK broadcast $IPROOTBCAST
123 /sbin/ifconfig $IPDEV:$1$SUFFIX $oneip netmask $IPROOTMASK broadcast $IPROOTBCAST
125 if [ "$SUFFIX" = "" ] ; then
128 SUFFIX=`expr $SUFFIX + 1`
132 if [ "$IPROOTBCAST" = "" ] ; then
133 IPROOTBCAST=255.255.255.255
136 ifconfig_iproot_off()
138 if [ "$NODEV" = "" -a "$IPROOT" != "" -a "$IPROOT" != "0.0.0.0" -a "$IPROOT" != "ALL" -a "$IPROOTDEV" != "" ] ;then
143 # Split the device and IP if available
146 eval `echo $oneip | tr : ' ' | (read dev ip; echo IPDEV=$dev)`
149 /sbin/ifconfig $IPDEV:$1$SUFFIX down 2>/dev/null
150 if [ "$SUFFIX" = "" ] ; then
153 SUFFIX=`expr $SUFFIX + 1`
158 # Split an IPROOT definition, trash the devices and
159 # compose a set of --ip option for chbind
163 if [ "$IPS" = "" ] ; then
166 if [ "$1" = "ALL" ] ; then
167 IPS=`$USR_LIB_VSERVER/listdevip`
171 # Split the device and IP if available
174 eval `echo $oneip | tr : ' ' | (read dev ip; echo oneip=$ip)`
179 # eval `echo $oneip | tr / ' ' | (read ip msk; echo oneip=$ip)`
186 # Extract the initial runlevel from the vserver inittab
189 INITDEFAULT=`grep :initdefault $VROOTDIR/$1/etc/inittab | sed 's/:/ /g' | ( read a level b; echo $level)`
192 # Read the vserver configuration file, reusing the PROFILE value
193 # found in /var/run/vservers
196 if [ -f /var/run/vservers/$1.ctx ] ; then
197 . /var/run/vservers/$1.ctx
198 if [ "$S_PROFILE" != "" ] ; then
199 export PROFILE=$S_PROFILE
203 . /etc/vservers/$1.conf
207 echo vserver [ options ] server-name command ...
209 echo server-name is a directory in $VROOTDIR
211 echo The commands are:
212 echo " build : Create a virtual server by copying the packages"
213 echo " of the root server"
214 echo " enter : Enter in the virtual server context and starts a shell"
215 echo " Same as \"vserver name exec /bin/sh\""
216 echo " exec : Exec a command in the virtual server context"
217 echo " suexec : Exec a command in the virtual server context uid"
218 echo " service : Control a service inside a vserver"
219 echo " vserver name service service-name start/stop/restart/status"
220 echo " start : Starts the various services in the vserver, runlevel 3"
221 echo " stop : Ends all services and kills the remaining processes"
222 echo " running : Tells if a virtual server is running"
223 echo " It returns proper exit code, so you can use it as a test"
224 echo " status : Tells some information about a vserver"
225 echo " chkconfig : It turns a server on or off in a vserver"
227 echo "--nodev : Do not configure the IP aliases of the vserver"
228 echo " Useful to enter a vserver without enabling its network"
229 echo " and avoiding conflicts with another copy of this vserver"
230 echo " running elsewhere"
231 echo "--silent : No informative messages about vserver context and IP numbers"
232 echo " Useful when you want to redirect the output"
244 CAPS="$CAPS --cap $f"
254 if [ "$1" = "--silent" ] ; then
257 elif [ "$1" = "--nodev" ] ; then
264 # Setup the default ulimit for a vserver
266 # File handle are limited to half of the current system limit
267 # Virtual memory is limited to the ram size
268 NFILE=`cat /proc/sys/fs/file-max`
269 NFILE=`expr $NFILE / 2`
270 VMEM=`cat /proc/meminfo | grep MemTotal | (read a b c; echo $b)`
271 # Disabled for now, we need a different to set the security
272 # context limit than fiddling with ulimit
273 #ulimit -H -n $NFILE -v $VMEM
275 if [ $# -lt 2 ] ; then
277 elif [ "$2" = "build" ] ; then
278 # Either the directory does not exist or is empty
279 NBSUB=`ls $VROOTDIR/$1 2>/dev/null | grep -v lost+found | wc -l`
281 if [ "$NBSUB" != 0 ] ; then
282 echo Virtual server $VROOTDIR/$1 already exist
284 if [ ! -d $VROOTDIR ] ; then
285 mkdir $VROOTDIR || exit 1
288 echo Directory $VROOTDIR was created with permissions 000
290 mkdir -p $VROOTDIR/$1 || exit 1
291 chattr -t $VROOTDIR/$1
292 chmod 755 $VROOTDIR/$1
293 if test "$UTIL_VSERVER_AVOID_COPY"; then
294 mkdir -p $VROOTDIR/$1/{etc/rc.d/init.d,sbin,var/run,var/log}
296 cp -ax /sbin /bin /etc /usr /var /lib $VROOTDIR/$1/. || exit 1
298 cd $VROOTDIR/$1 || exit 1
300 rm -f var/spool/mail/*
301 rm -f `find var/run -type f`
302 rm -f `find var/log -type f`
304 rm -f var/lock/subsys/*
305 rm -f etc/cron.d/kmod
306 mkdir proc tmp home root boot
307 test -f /root/.bashrc && cp -a /root/.bashrc root/.
308 test -f /root/.bash_profile && cp -a /root/.bash_profile root/.
311 # Create a minimal dev so the virtual server can't grab
314 vserver_mknod dev/null c 1 3 666
315 vserver_mknod dev/zero c 1 5 666
316 vserver_mknod dev/full c 1 7 666
317 vserver_mknod dev/random c 1 8 644
318 vserver_mknod dev/urandom c 1 9 644
319 vserver_mknod dev/tty c 5 0 666
320 vserver_mknod dev/ptmx c 5 2 666
322 # Create a dummy /etc/fstab and /etc/mtab to please
323 # df and linuxconf. We use hdv1, which does not exist
324 # to remind the admin that it is not the real drive
325 echo /dev/hdv1 / ext2 defaults 1 1 >etc/fstab
326 echo /dev/hdv1 / ext2 rw 0 0 >etc/mtab
327 # Install the vreboot utility
328 cp -a $USR_LIB_VSERVER/vreboot sbin/.
329 ln -sf vreboot sbin/vhalt
331 echo Directory $VROOTDIR/$1 has been populated
332 if [ ! -d /etc/vservers ] ; then
334 chmod 600 /etc/vservers
335 echo Directory /etc/vservers has been created
337 if [ ! -f /etc/vservers/$1.conf ] ; then
338 CONF=/etc/vservers/$1.conf
340 if [ "$PROFILE" = "" ] ; then
343 # Select the IP number assigned to the virtual server
344 # This IP must be one IP of the server, either an interface
346 # A vserver may have more than one IP. Separate them with spaces.
347 # do not forget double quotes.
349 # IPROOT="1.2.3.4 2.3.4.5"
350 # IPROOT="eth0:1.2.3.4 eth1:2.3.4.5"
351 # If the device is not specified, IPROOTDEV is used
355 # The netmask and broadcast are computed by default from IPROOTDEV
358 # You can define on which device the IP alias will be done
359 # The IP alias will be set when the server is started and unset
360 # when the server is stopped
362 # You can set a different host name for the vserver
363 # If empty, the host name of the main server is used
374 # Uncomment the onboot line if you want to enable this
375 # virtual server at boot time
377 # You can set a different NIS domain for the vserver
378 # If empty, the current on is kept
379 # Set it to "none" to have no NIS domain set
381 # You can set the priority level (nice) of all process in the vserver
382 # Even root won't be able to raise it
384 # You can set various flags for the new security context
385 # lock: Prevent the vserver from setting new security context
386 # sched: Merge scheduler priority of all processes in the vserver
387 # so that it acts a like a single one.
388 # nproc: Limit the number of processes in the vserver according to ulimit
389 # (instead of a per user limit, this becomes a per vserver limit)
390 # private: No other process can join this security context. Even root
391 # Do not forget the quotes around the flags
393 # You can set various ulimit flags and they will be inherited by the
394 # vserver. You enter here various command line argument of ulimit
395 # ULIMIT="-HS -u 200"
396 # The example above, combined with the nproc S_FLAGS will limit the
397 # vserver to a maximum of 200 processes
399 # You can set various capabilities. By default, the vserver are run
400 # with a limited set, so you can let root run in a vserver and not
401 # worry about it. He can't take over the machine. In some cases
402 # you can to give a little more capabilities (such as CAP_NET_RAW)
403 # S_CAPS="CAP_NET_RAW"
405 # Select an unused context (this is optional)
406 # The default is to allocate a free context on the fly
407 # In general you don't need to force a context
410 echo $CONF has been created. Look at it\!
412 # Turn off some service useless on a vserver
413 # vserver_turnoff apmd network autofs dhcpd gpm ipchains iptables \
414 # irda isdn keytable kudzu linuxconf-setup netfs nfs nfslock \
415 # pcmcia portmap pppoe random rawdevices rhnsd rstatd ruserd \
416 # rwalld rwhod sendmail smb snmpd v_httpd h_xinetd v_sshd vservers \
419 cd etc/init.d 2>/dev/null || cd etc/rc.d/init.d
423 *.bak|*~|functions|killall|halt|single)
426 #$USR_LIB_VSERVER/capchroot $VROOTDIR/$1 /sbin/chkconfig --level 2345 $serv off
427 $0 --silent $1 chkconfig --level 2345 $serv off
432 rm -f etc/rc.d/rc6.d/S*reboot
434 elif [ ! -f /etc/vservers/$1.conf ] ; then
435 echo No configuration for this vserver: /etc/vservers/$1.conf
437 elif [ ! -d $VROOTDIR/$1/. ] ; then
438 echo No directory for this vserver: $VROOTDIR/$1
440 elif [ "$2" = "start" ] ; then
441 echo Starting the virtual server $1
443 if ! $VSERVER_CMD $1 running
445 test -x /etc/vservers/$1.sh && /etc/vservers/$1.sh pre-start $1
452 . /etc/vservers/$1.conf
455 cd $VROOTDIR/$1 || exit 1
457 if [ "$PROFILE" != "" ] ; then
458 echo export PROFILE=$PROFILE >etc/PROFILE
461 rm -f `find var/run -type f`
463 chgrp ${UTMP_GROUP:-utmp} var/run/utmp
464 chmod 0664 var/run/utmp
465 rm -f var/lock/subsys/*
466 mountproc $VROOTDIR/$1
474 STARTCMD="/etc/rc.d/rc $INITDEFAULT"
475 if [ -x $VROOTDIR/$1/etc/init.d/rc ] ; then
476 STARTCMD="/etc/init.d/rc $INITDEFAULT"
477 elif [ -x $VROOTDIR/$1/usr/bin/emerge ] ; then
478 STARTCMD="/sbin/rc default"
479 elif [ -x $VROOTDIR/$1/etc/rc.d/rc.M ] ; then
480 STARTCMD="/etc/rc.d/rc.M"
485 for f in $S_FLAGS dummy
493 FLAGS="$FLAGS --flag fakeinit"
494 STARTCMD=/sbin/minit-start
495 DISCONNECT=--disconnect
500 FLAGS="$FLAGS --flag $f"
502 DISCONNECT=--disconnect
505 FLAGS="$FLAGS --flag $f"
509 if [ -n "$S_START" ] ; then
512 if [ "$FAKEINIT" = "" ] ; then
513 $USR_LIB_VSERVER/fakerunlevel $INITDEFAULT var/run/utmp
516 calculateCaps $S_CAPS
518 if [ "$S_CONTEXT" != "" ] ; then
519 CTXOPT="--ctx $S_CONTEXT"
521 if [ "$S_HOSTNAME" != "" ] ; then
522 HOSTOPT="--hostname $S_HOSTNAME"
523 export HOSTNAME=$S_HOSTNAME
525 if [ "$S_DOMAINNAME" != "" ] ; then
526 DOMAINOPT="--domainname $S_DOMAINNAME"
528 if [ "$S_NICE" != "" ] ; then
529 NICECMD="nice -$S_NICE"
531 mkdir -p /var/run/vservers
532 chmod 700 /var/run/vservers
534 if [ "$ULIMIT" != "" ] ; then
539 # We switch to $VROOTDIR/$1 now, because after the
540 # security context switch $VROOTDIR directory becomes a dead zone.
542 IPOPT=`setipopt $IPROOT`
543 export PATH=$DEFAULTPATH
544 $NICECMD $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
545 $CHCONTEXT_CMD $SILENT $DISCONNECT $CAPS $FLAGS $CTXOPT $HOSTOPT $DOMAINOPT --secure \
546 $SAVE_S_CONTEXT_CMD /var/run/vservers/$1.ctx \
547 $CAPCHROOT_CMD $CHROOTOPT . $STARTCMD
549 test -x /etc/vservers/$1.sh && /etc/vservers/$1.sh post-start $1
551 elif [ "$2" = "running" ] ; then
552 if [ ! -f /var/run/vservers/$1.ctx ] ; then
553 echo Server $1 is not running
556 . /var/run/vservers/$1.ctx
557 NB=$($USR_SBIN/vps ax | awk '{print $2}' | grep \^$S_CONTEXT\$ | wc -l)
558 #NB=`$CHCONTEXT_CMD --silent --ctx $S_CONTEXT ps ax | wc -l`
559 #NB=`eval expr $NB + 0`
560 if [ "$NB" -gt 0 ] ; then
561 echo Server $1 is running
564 echo Server $1 is not running
568 elif [ "$2" = "status" ] ; then
571 . /var/run/vservers/$1.ctx
572 NB=$($USR_SBIN/vps ax | awk '{print $2}' | grep \^$S_CONTEXT\$ | wc -l)
573 echo $NB processes running
574 echo Vserver uptime: `$USR_LIB_VSERVER/filetime /var/run/vservers/$1.ctx`
576 elif [ "$2" = "stop" ] ; then
577 echo Stopping the virtual server $1
585 if $VSERVER_CMD $1 running
587 test -x /etc/vservers/$1.sh && /etc/vservers/$1.sh pre-stop $1
590 mountproc $VROOTDIR/$1
591 # The fakeinit flag tell us how to turn off the server
593 export PREVLEVEL=$INITDEFAULT
594 STOPCMD="/etc/rc.d/rc 6"
595 if [ -x $VROOTDIR/$1/etc/init.d/rc ] ; then
596 STOPCMD="/etc/init.d/rc 6"
597 elif [ -x $VROOTDIR/$1/usr/bin/emerge ] ; then
598 STOPCMD="/sbin/rc shutdown"
599 elif [ -x $VROOTDIR/$1/etc/rc.d/rc.6 ] ; then
600 STOPCMD="/etc/rc.d/rc.6"
603 for f in $S_FLAGS dummy
608 FLAGS="$FLAGS --flag fakeinit"
609 STOPCMD="/sbin/minit-stop"
613 FLAGS="$FLAGS --flag $f"
614 STOPCMD="/sbin/init 6"
621 if [ -n "$S_STOP" ] ; then
625 calculateCaps $S_CAPS
628 IPOPT=`setipopt $IPROOT`
629 export PATH=$DEFAULTPATH
630 $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
631 $CHCONTEXT_CMD $SILENT $CAPS --secure --ctx $S_CONTEXT \
632 $CAPCHROOT_CMD . $STOPCMD
634 if test "$IS_MINIT"; then
635 echo "Waiting for minit finish-signal"
636 dd if=var/run/minit-stop of=/dev/zero bs=1 count=1 &>/dev/null
639 echo sleeping 5 seconds
643 echo Killing all processes
644 $CHBIND_CMD --silent $IPOPT --bcast $IPROOTBCAST \
645 $CHCONTEXT_CMD $CAPS --secure --silent --ctx $S_CONTEXT \
648 # We umount anyway, because "enter" establish the mount
649 # but when you exit, the server is considered not running
650 umountproc $VROOTDIR/$1
652 test -x /etc/vservers/$1.sh && /etc/vservers/$1.sh post-stop $1
653 ifconfig_iproot_off $1
654 elif [ "$2" = "restart" ] ; then
660 elif [ "$2" = "suexec" ] ; then
661 if [ -z "$3" ] ; then
662 echo "Missing user!" >&2
663 echo "vserver vserver-name suexec user command [ args ... ]" >&2
665 elif [ -z "$4" ] ; then
666 echo "Missing command and arguments!" >&2
667 echo "vserver vserver-name suexec user command [ args ... ]" >&2
675 . /etc/vservers/$1.conf
678 mountproc $VROOTDIR/$1
679 PS1="[\u@vserver:$1 \W]"
685 for f in $S_CAPS dummy
694 CAPS="$CAPS --cap $f"
699 for f in $S_FLAGS dummy
703 FLAGS="$FLAGS --flag fakeinit"
709 FLAGS="$FLAGS --flag $f"
714 if [ "$ULIMIT" != "" ] ; then
717 if $0 $VSERVER running >/dev/null
719 . /var/run/vservers/$VSERVER.ctx
720 cd $VROOTDIR/$VSERVER
721 IPOPT=`setipopt $IPROOT`
722 export PATH=$DEFAULTPATH
723 exec $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
724 $CHCONTEXT_CMD $SILENT $FLAGS $CAPS --secure --ctx $S_CONTEXT \
725 $CAPCHROOT_CMD --suid $USERID . "$@"
727 test -x /etc/vservers/$1.sh && /etc/vservers/$1.sh pre-start $1
731 if [ "$S_CONTEXT" != "" ] ; then
732 CTXOPT="--ctx $S_CONTEXT"
734 if [ "$S_HOSTNAME" != "" ] ; then
735 HOSTOPT="--hostname $S_HOSTNAME"
736 export HOSTNAME=$S_HOSTNAME
738 if [ "$S_DOMAINNAME" != "" ] ; then
739 DOMAINOPT="--domainname $S_DOMAINNAME"
741 mkdir -p /var/run/vservers
742 cd $VROOTDIR/$VSERVER
743 IPOPT=`setipopt $IPROOT`
744 export PATH=$DEFAULTPATH
745 exec $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
746 $CHCONTEXT_CMD $SILENT $FLAGS $CAPS --secure $CTXOPT $HOSTOPT $DOMAINOPT \
747 $SAVE_S_CONTEXT_CMD /var/run/vservers/$VSERVER.ctx \
748 $CAPCHROOT_CMD --suid $USERID $CHROOTOPT . "$@"
751 elif [ "$2" = "exec" ] ; then
754 exec $0 $NODEV $SILENT $VSERV suexec root "$@"
755 elif [ "$2" = "enter" ] ; then
757 exec $0 $NODEV $SILENT $1 exec /bin/bash -login
758 elif [ "$2" = "service" ] ; then
762 exec $0 $NODEV $SILENT $VSERVER exec /sbin/service "$@"
763 elif [ "$2" = "chkconfig" ] ; then
768 if [ "$1" = "--level" ] ; then
769 LEVELS=( --level "$2" )
772 if [ $# != 2 -a ! -x $VROOTDIR/$VSERVER/sbin/chkconfig ] ; then
773 echo Invalid argument, expected vserver name chkconfig [ --level nnn ] service on\|off
774 elif [ -x $VROOTDIR/$VSERVER/sbin/chkconfig ] ; then
775 exec $0 --silent $VSERVER exec /sbin/chkconfig "${LEVELS[@]}" "$@"
776 elif [ -x $VROOTDIR/$VSERVER/usr/sbin/update-rc.d ] ; then
777 if [ "$2" = "on" -o "$2" = "start" ] ; then
778 $0 --silent $VSERVER exec /usr/sbin/update-rc.d -f $1 remove >/dev/null
779 exec $0 --silent $VSERVER exec /usr/sbin/update-rc.d $1 start 80 2 3 4 5 . stop 20 0 1 6 . >/dev/null
780 elif [ "$2" = "off" -o "$2" = "stop" ] ; then
781 $0 --silent $VSERVER exec /usr/sbin/update-rc.d -f $1 remove >/dev/null
782 exec $0 --silent $VSERVER exec /usr/sbin/update-rc.d $1 stop 20 0 1 2 3 4 5 6 . >/dev/null
784 echo vserver chkconfig: Expecting on or off
787 echo chkconfig functionality is not available on this
788 echo vserver distribution.
789 echo Looked for /sbin/chkconfig and /usr/sbin/update-rc.d
792 echo Command unknown $2