/etc/hostname:
<my host name>
/etc/hosts:
127.0.0.1 localhost <my host name>
host's apache set to 8080. delegate directs traffic to it.
delegate needs to bind to 80.
hosts apache is bound to any address, 8080. (so less config files need to be updated on an ip change). we can get to host on port 8080 even if delegate is dead.
to check the ip routing table:
# netstat -rn
to check the NAT:
# iptables -t nat -L
old notes
Blaine's notes
Each vserver attaches itself to a single network interface, based on the IPROOT setting.
Add a new network interface like lo:1 or eth:1, and set the IP address on it to whatever you want the IP of the vserver to be. This is done like:
host# ipconfig lo:1 192.168.0.1
Then, the IPROOT variable in the /etc/vservers/.conf should be set like:
IPROOT="192.168.0.1"
when the vserver is started, the vserver will automatically attach to the corresponding network interface, and allow any servers inside the vhost to listen on that interface.
Delegate:
To setup HTTP proxying, the following delegate command is used:
host# delegated -v -P216.162.197.194:80 MOUNT="/* http://192.168.0.1:80/ vhost=-raven.riseup.net" PERMIT="*:*:*"
Multiple MOUNT entries can be used
Question: does this rewrite the HTTP/1.1 "Host:" header, or does it leave the header intact?
Ian's notes
It turns out that the cleanest way to provide each vserver with its own
IP address is to play some games with the loopback interface.
Apparently, the loopback interface defaults to a /8 netmask, so it's
necessary to first restrict that:
# ifconfig lo 127.0.0.1 netmask 255.255.255.0
You can then set up as many separate loopback addresses as necessary:
# ifconfig lo:1 127.0.1.1 netmask 255.255.255.255
# ifconfig lo:2 127.0.1.2 netmask 255.255.255.255
# ifconfig lo:3 127.0.1.3 netmask 255.255.255.255
# ifconfig lo:4 127.0.1.4 netmask 255.255.255.255
I haven't actually tried this with VServer and DeleGate, but it works
perfectly with a simple test script (see attached; "netcat" is a Debian
package):
$ netcat -w1 127.0.1.1 2000 <&-
111 -- I'm listening on address 127.0.1.1 -- 111
$ netcat -w1 127.0.1.2 2000 <&-
222 -- I'm listening on address 127.0.1.2 -- 222
$ netcat -w1 127.0.1.3 2000 <&-
333 -- I'm listening on address 127.0.1.3 -- 333
$ netcat -w1 127.0.1.4 2000 <&-
444 -- I'm listening on address 127.0.1.4 -- 444
So you ought to be able to bind each vserver instance to one of these
loopback addresses, and then have DeleGate proxy each incoming
connection onto the address corresponding to the HTTP virtual hostname
or the FTP subdirectory or whatever.
Micah's Notes
There has been a lot of discussion on the vserver mailing list about the future direction of vserver, in particular with regards to networking (see Herbert Poetzel's posts). We should look at the latest 1.9.0 pre-release (development release) which seems to deal with some of these issues, additionally, there is a design team for the next generation networking being put together.
iptables -t nat -A POSTROUTING -s 127.1.1.23 -j SNAT --to-source 216.162.197.192
What capabilities shall the server have? You can set these values for S_CAPS in /etc/vservers/xx.conf:
CAP_NET_RAW - You can create arbitrary ip-packets
CAP_SYS_TIME - You are allowed to set time: date, netdate, xntpd
CAP_NET_BROADCAST - You are allowed to send broadcast-packets, i.e. Samba
CAP_NET_BIND_SERVICE - Bind ports below 1024
CAP_CHOWN - You are allowed to change owner of files
Constants are from capability.h
|
