Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Oct 2011 23:31:56 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: vzctl update

On Sat, Oct 29, 2011 at 01:21:06PM +0400, Solar Designer wrote:
> On Sat, Oct 22, 2011 at 02:12:13PM +0400, Dmitry V. Levin wrote:
> > I have no personal experience with running Fedora 14+ ovz containers, but,
> > according to vzctl changelog, some changes were made to address these and
> > other Fedora 14+ and 15+ issues.  In other words, vzctl package needs to
> > be updated.
> 
> Would you update vzctl for us?  That would be very helpful.

Are you sure I'm the right person to update vzctl?
I passed the maintenance of this package in Sisyphus to another person
after vzctl-3.0.24.2 release, which was about 10 months ago.  Also,
I haven't migrated to 2.6.32 stable kernels yet, so I still use 2.6.18
stable kernels.

> While at it, I think we'll need to make two changes:
> 
> 1. As far as I'm aware, newer vzctl dropped the use of cron jobs in
> favor of some event notification mechanism (which I am totally
> unfamiliar with).  However, I think they have no equivalent to this cron
> job that we add with vzctl-3.0.23-owl-cron.diff:
> 
> # Update /var/vzquota/quota.* files, which is desirable such that the
> # containers' recorded disk usage is closer to the actual one and, even more
> # importantly, such that any per-user and per-group quotas are recorded (not
> # only usage, but also the quotas themselves).  Without a cron job like this,
> # if the server crashes, then not only the recorded usage will be way off, but
> # also any manually set per-user and per-group quotas inside the containers
> # will be lost.
> 2,7,12,17,22,27,32,37,42,47,52,57 * * * * root /usr/sbin/vzlist -H -o veid | xargs -r -n1 /usr/sbin/vzquota stat > /dev/null
> 
> Is this understanding correct?

Yes, it seems to be correct.

> If so, would you re-introduce the cron
> jobs mechanism just for this specific cron job?  If so, I think this
> change would need to be submitted upstream.

The schedule for this cron job is not obvious.

> 2. I think the MODULES_DISABLED setting should accept more than just yes
> or no.  Maybe it should be made tri-state, with the extra value called,
> say, "optional" (meaning to disable optional modules only, but load the
> required ones).  Or maybe it should accept a list of modules to disable.

I don't like this MODULES_DISABLED control, IMHO it is rarely useful.
What sysadmin needs is a simple way to control the list of modules, not
just a control to disable the feature altogether.  The traditional
solution would be to have a reasonable default value for each of these
module lists, which local administrator can override.

For example, /etc/init.d/vz could do
. /usr/share/vzctl/vz-modules
to have these safe defaults loaded.


-- 
ldv

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ