system
Last edited September 8, 2008
logrotate

Resource

FTP site
ftp://ring.ocn.ad.jp/pub/linux/RedHat/redhat/linux/code/logrotate/
ftp://ring.ocn.ad.jp/pub/linux/RedHat/redhat/linux/code/popt/
ftp://ftp.redhat.com/pub/redhat/linux/code/logrotate/
Web site
http://www.nic.com/~dave/
http://ume.med.ucalgary.ca/usenet/Solaris/0398.html

Pre-requisite

Required: popt
Optional: None

logrotate-2.6

% wget http://www.nic.com/~dave/logrotate-2.6-solaris.tar
% tar xvf logrotate-2.6-solaris.tar
% cd logrotate-2.6
% su
# cp logrotate /usr/local/sbin/
# mkdir -p /usr/local/logrotate/optix/
# vi /usr/local/logrotate/optix/logrotate.conf
# vi /usr/local/logrotate/optix/logrotate.cron
# chmod 744 /usr/local/logrotate/optix/logrotate.cron
# mkdir /usr/local/logrotate/optix/logrotate.d
# /usr/local/logrotate/optix/logrotate.cron
# vi /usr/local/logrotate/optix/logrotate.status
installing sarge into a directory on debian

How do you install Debian/Sarge into a directory?
www.canb.net/sargechroot.xhtml

About this article

When you follow the directions in this article, we will have gathered, inside a directory, whatever files a basic Debian/Sarge installation produces. By entering that directory with the chroot command, you will be able to run your experiments in a file system independent of your own system.

I am using Debian/Sid while preparing this article. I will take care to give the version of every piece of software I use, as a reference.

Can Burak Çilingir

Get the required software

Install debootstrap, the software needed for this job, in the usual way:
# aptitude install debootstrap

Fetch the required files

In this step we will use debootstrap to fetch the .deb files required for sarge:

# mkdir sarge
# debootstrap --download-only --keep-debootstrap-dir sarge ./sarge/
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Found additional required dependencies: libtext-iconv-perl zlib1g
I: Checking component main on http://ftp.debian.org/debian...
I: Retrieving adduser
I: Validating adduser
I: Retrieving apt
I: Validating apt
...

If you want to use a Debian mirror near you, you can add a mirror in the form http://ftp.debian.org/debian to the end of the command.

If you do not want the deb files you already have to be downloaded again, copy them under var/cache/apt/archives inside the sarge directory and then start the process.

Run the installation and prepare the system

First, mount the proc and dev directories.

# mount -t proc proc sarge/proc
# mount --bind /dev/ sarge/dev
creating a vserver on debian

Debian Grimoire: Create an Instance
deb.riseup.net/vserver/create-instance/
Create a unified vserver instance
(this is done many times)

  1. create a new vserver
  2. run the vserver
  3. enter the vserver

This shows you how to set up a new vserver using a static IP, and use it.

create a new vserver

First create a DNS record for your new vserver that points to an available IP address.

kea         IN  A   69.90.134.201

Then build a new vserver using the vserver build method for debian.

MAKE SURE THERE ARE NO SPACES IN THIS VARIABLE AFTER YOU SET IT!

# REMOVE_PACKAGES="sparc-utils,dhcp-client,lilo,makedev,pcmcia-cs,ppp,\
pppconfig,pppoe,pppoeconf,setserial,syslinux,fdutils,libpcap0,\
iptables,pciutils"

# vserver kea build -m debootstrap --hostname kea --interface \
eth0:69.90.134.201/25 -- -d sarge -- --exclude=$REMOVE_PACKAGES 

This will create a new vserver with a fresh debian installation of the basics in $vdirbase. The configuration for your vserver is in /etc/vservers/. With the debian package, $vdirbase is /var/lib/vservers; it is defined as whatever /etc/vservers/.defaults/vdirbase symlinks to.

run the vserver

To start your vserver, you simply need to do the following:

# vserver <vserver> start

You will see output like the following:

root@macaw:/etc/vservers# vserver kea start
ipv4root is now 69.90.134.201
Host name is now kea
New security context is 49152
Starting system log daemon: syslogd.
Starting internet superserver: inetd.
Starting periodic command scheduler: cron.

This vserver now will behave like a real server.

enter the vserver

To enter the vserver you do the following on macaw:

# vserver <vserver> enter

You will see something like the following:

root@macaw:/etc/vservers# vserver kea enter
ipv4root is now 69.90.134.201
New security context is 49152
root@kea:/# ls
bin  boot  dev  etc  home  initrd  lib  media  mnt  opt  proc  root  sbin  srv  sys  tmp  [ usr  var

You are now inside your new server, all the files you see are your vserver files, not the files on the host system. You can apt-get install packages into your vserver just like you would on the "outside". To go back to the host system, you simply exit from the shell.

You can also edit the files in the vserver directly from the host system in $vdirbase/

If you apt-get install sshd while in your vserver you should be able to ssh into your vserver from the outside!
Debian Grimoire: Prepare the Host
deb.riseup.net/vserver/preparing/
Prepare the host system
(this is only done once)

  1. get the kernel source
  2. get the vserver patch
  3. get the vserver utilities
  4. compile your kernel
    1. kernel configuration
    2. patch and compile the kernel
  5. install your kernel
  6. reboot your machine
  7. Set up the general vserver directories including the barrier
  8. Make services not be greedy

get the kernel source

# apt-get install kernel-source-2.6.8
# cd /usr/src
# tar -jxf kernel-source-2.6.8.tar.bz2
It is actually better to use the 2.6.12 kernel than 2.6.8: there are security updates, the vserver patch that is used for 2.6.12 is the stable version 2.0 release, and the util-vserver tools version has many bugs fixed.

To do this, temporarily add the following to your /etc/apt/sources.list:
deb http://ftp.debian.org/debian/ testing main non-free contrib
deb-src http://ftp.debian.org/debian/ testing main non-free contrib

Then do an apt-get update, and install the newer kernel-source:
# apt-get update
# apt-get -t testing install linux-source-2.6.12
# cd /usr/src
# tar -jxf linux-source-2.6.12.tar.bz2

get the vserver patch

# apt-get install kernel-patch-vserver
If you are going the recommended route of using the newer patch, then do the following instead:
# apt-get -t testing install kernel-patch-vserver

get the vserver utilities

If you are using Sarge, be sure to use the backported version of util-vserver that is available in the riseup apt repository. You can do that by adding this line to your /etc/apt/sources.list:
deb http://deb.riseup.net/debian unstable main

Then run apt-get update, and then do:

# apt-get install util-vserver

If you are using testing or unstable, make sure you are getting util-vserver version 0.30.209 or newer.

compile your kernel

The instructions are located in /usr/share/doc/kernel-patch-vserver/README.Debian, but this is essentially how you do it...

kernel configuration

First, you need a kernel config file...
Don't have a kernel config? You can use the one that debian uses for their kernels and you will be almost certain that it will work, but it will take a really long time to compile (several hours) unless you remove some unnecessary things.

To get the debian 2.6.8 kernel config you can do the following:

# apt-cache search kernel-image-2.6.8 

Pick the kernel image that matches your architecture and multiplicity of processors (if you have more than one proc, choose one that has smp), then get the source as follows:

# cd /usr/src
# apt-get source kernel-image-2.6.8-2-686
# cd kernel-image-2.6.8-i386-2.6.8/config

Now copy the config file that matches your architecture into your kernel source directory:
# cp 686 /usr/src/kernel-source-2.6.8/.config

If you are using the 2.6.12 kernel source instead, the only way I know of to get the debian config file is to do:
# apt-cache search linux-image-2.6.12
(pick your architecture)
# apt-get install linux-image-2.6.12-1-686

Now copy the config file that was placed in /boot from the install of this package:
# cp /boot/config-2.6.12-1-686 /usr/src/linux-source-2.6.12/.config

Now you are going to want to remove the unstable lines from your /etc/apt/sources.list and then run apt-get update. Otherwise the next time you do an apt-get dist-upgrade you are going to upgrade to unstable, and that's bad. I would like to put instructions here on how to apt pin certain packages, or set the default release to "stable" so that this doesn't happen, but I need to remember how to do that.... if you know, tell me :)

From here on out you can follow the rest of the instructions as detailed, substituting 2.6.12 for 2.6.8.

Now you can either proceed straight from here using this config, or you can trim some of the unnecessary things out of the config. Trimming will vastly reduce the compile time, but it is more dangerous: if you remove something that you shouldn't, you will not be able to boot the new kernel. If you want to remove some unnecessary things (such as sound, firewire, usb, ISDN, telephony, blah blah blah), then do:

# cd /usr/src/kernel-source-2.6.8
# make menuconfig

Now uncheck all the unnecessary modules, devices, features etc., but be careful!

patch and compile the kernel

Now to actually patch and compile the kernel:
# cd /usr/src/kernel-source-2.6.8
# export PATCH_THE_KERNEL=YES
# make-kpkg --rootcmd fakeroot --revision custom01 --added-patches vserver --append-to-version +vserver --initrd binary-arch

install your kernel

# cd ..
# dpkg -i kernel-image-2.6.8+vserver_custom01_i386.deb
# dpkg -i kernel-headers-2.6.8+vserver_custom01_i386.deb

reboot your machine

# echo "everyone run for cover!" | wall
# shutdown -r now

Set up the general vserver directories including the barrier

The default base directory where your vservers will be put is defined as whatever /etc/vservers/.defaults/vdirbase symlinks to; this is called the vdirbase. When you install util-vserver it is set to /var/lib/vservers. You might not have enough space in /var for vservers and want to put them elsewhere (a common place is /vservers). If you want to change your vdirbase, you can simply rm /etc/vservers/.defaults/vdirbase and then symlink it to the new place (ln -s /vservers /etc/vservers/.defaults/vdirbase).

IMPORTANT
If you change the vdirbase, you must also change the permissions on that directory so it is impossible to escape from the vserver. You need to create the "chroot barrier", which forbids any writing actions and chroot escapes. The entire procedure can be done as follows:

# mkdir /vservers
# rm /etc/vservers/.defaults/vdirbase
# ln -s /vservers /etc/vservers/.defaults/vdirbase
# setattr --barrier /vservers

Make services not be greedy

All processes in the host system must bind to a specific IP address. Otherwise, the vservers will not be able to see any traffic over a port which has been bound by a process in the host system.

By default the Debian sshd package starts by binding to the IP address 0.0.0.0. This is greedy and keeps you from installing ssh on your vservers. You need to limit the IP that your host uses for ssh to just the IP of the server itself. If you do not do this, you will install ssh on your new vserver, try to ssh to it, and only get the host, not your vserver. This also applies to other services, such as apache: you need to make these services Listen to only the IP of the server, otherwise they also Listen for all the vservers.

For ssh you can fix this by editing /etc/ssh/sshd_config and changing the line:

#ListenAddress 0.0.0.0

to

ListenAddress 69.90.134.201

(using the IP of your host of course) and then instruct sshd to reload its configuration:

# /etc/init.d/ssh restart

For apache change /etc/apache/httpd.conf to have:
Listen 216.162.197.194:8080

Are there any ports used on the host system which are still bound to all IP addresses? Check with:
# netstat -lp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address  State   PID/Program 
tcp        0      0 *:www                *:*              LISTEN  26361/apache
tcp        0      0 ibis.riseup.net:ssh  *:*              LISTEN  607/sshd

Here we see that apache has www (port 80) bound to all addresses, but that sshd has ssh (port 22) bound correctly to a single ip.
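
The same check can be scripted so it is repeatable after every service install on the host. This is an added example, not part of the original Grimoire page: a shell function that reads netstat listing text and reports only the sockets bound to every address. The function names and the exim4 and postgres sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listeners on a vserver host that are bound to every
# address. Reads `netstat -lp` or `netstat -lnp` style text on stdin and
# prints "<proto> <local address> <last column>" for each greedy socket.
greedy_listeners() {
    awk '
        # Only TCP/UDP rows; skips the headers and UNIX-domain sockets.
        $1 !~ /^(tcp|udp)6?$/ { next }
        {
            local_addr = $4
            # Drop the port (everything after the last colon).
            host = local_addr
            sub(/:[^:]*$/, "", host)
            # Wildcard spellings: "*" (names resolved), 0.0.0.0 (numeric
            # IPv4), "::" or "[::]" (IPv6).
            if (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]") {
                # With -p the last column is PID/Program, as on this page.
                print $1, local_addr, $NF
            }
        }'
}

# Constructed sample in the format shown above (the first two rows are the
# ones from the page, the last two are made up for illustration).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address  State   PID/Program
tcp        0      0 *:www                *:*              LISTEN  26361/apache
tcp        0      0 ibis.riseup.net:ssh  *:*              LISTEN  607/sshd
tcp        0      0 0.0.0.0:25           0.0.0.0:*        LISTEN  812/exim4
tcp6       0      0 :::5432              :::*             LISTEN  990/postgres
EOF
}

# Stand-alone run on the sample; on a real host use: netstat -lnp | greedy_listeners
sample_netstat | greedy_listeners
```

Every line it prints is a service that still needs a Listen or ListenAddress style setting restricted to the host's own IP; an empty result means the host is no longer holding ports the vservers need.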