This article shows how you can do port-forwarding with rinetd on Debian Etch. rinetd allows you to forward ports from one system to another. This useful if you have moved your web sites to a new server with a different IP address. Of course, you have modified your DNS records, but it can take a few days until DNS changes become effective, and that is where rinetd comes into play. If clients still use the old DNS records, rinetd can redirect them to the new server. With rinetd, you do not have to fiddle with iptables rules.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

In this example I'm trying to redirect HTTP traffic (port 80) from the IP address 192.168.0.101 to the IP address 192.168.0.100.

Please note that rinetd is not able to redirect FTP because FTP requires more than one socket.

2 Installing And Configuring rinetd

To install rinetd, we simply run

apt-get install rinetd

rinetd's configuration file is /etc/rinetd.conf. To forward HTTP traffic from 192.168.0.101 to 192.168.0.100, we add the line 192.168.0.101 80 192.168.0.100 80:

vi /etc/rinetd.conf

# # this is the configuration file for rinetd, the internet redirection server # # you may specify global allow and deny rules here # only ip addresses are matched, hostnames cannot be specified here # the wildcards you may use are * and ? # # allow 192.168.2.* # deny 192.168.2.1? # # forwarding rules come here # # you may specify allow and deny rules after a specific forwarding rule # to apply to only that forwarding rule # # bindadress bindport connectaddress connectport 192.168.0.101 80 192.168.0.100 80 # logging information logfile /var/log/rinetd.log # uncomment the following line if you want web-server style logfile format # logcommon

Then we restart rinetd:

/etc/init.d/rinetd restart

Now run

netstat -tap

and you should see that rinetd is listening on port 80 (www):

server2:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:sunrpc *:* LISTEN 1956/portmap
tcp 0 0 server2.example.com:www *:* LISTEN 2485/rinetd
tcp 0 0 *:3025 *:* LISTEN 2347/rpc.statd
tcp 0 0 *:auth *:* LISTEN 2306/inetd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 2294/exim4
tcp6 0 0 *:ssh *:* LISTEN 2326/sshd
tcp6 0 0 server2.example.com:ssh ::ffff:192.168.0.3:4776 ESTABLISHED2409/0
server2:~#

Now when you direct your browser to a web page on the IP address 192.168.0.101, it should receive that page from the server with the IP address 192.168.0.100.

Instead of specifiying the port numbers in /etc/rinetd.conf, you can also use the service names. The service names are stored in /etc/services, so when you open that file, you will see that the service for port 80 is named www on Debian.

grep 80 /etc/services

server2:~# grep 80 /etc/services
www 80/tcp http # WorldWideWeb HTTP
www 80/udp # HyperText Transfer Protocol
socks 1080/tcp # socks proxy server
socks 1080/udp
amanda 10080/tcp # amanda backup services
amanda 10080/udp
omirr 808/tcp omirrd # online mirror
omirr 808/udp omirrd
canna 5680/tcp # cannaserver
zope-ftp 8021/tcp # zope management by ftp
webcache 8080/tcp # WWW caching service
tproxy 8081/tcp # Transparent Proxy
omniorb 8088/tcp # OmniORB
omniorb 8088/udp
server2:~#

So you could use the following configuration in /etc/rinetd.conf, it has the same effect as the first one:

vi /etc/rinetd.conf

# # this is the configuration file for rinetd, the internet redirection server # # you may specify global allow and deny rules here # only ip addresses are matched, hostnames cannot be specified here # the wildcards you may use are * and ? # # allow 192.168.2.* # deny 192.168.2.1? # # forwarding rules come here # # you may specify allow and deny rules after a specific forwarding rule # to apply to only that forwarding rule # # bindadress bindport connectaddress connectport 192.168.0.101 www 192.168.0.100 www # logging information logfile /var/log/rinetd.log # uncomment the following line if you want web-server style logfile format # logcommon

And to make rinetd listen on all IP addresses that are configured on the system where it is installed, we can use 0.0.0.0 as the bindaddress:

vi /etc/rinetd.conf

# # this is the configuration file for rinetd, the internet redirection server # # you may specify global allow and deny rules here # only ip addresses are matched, hostnames cannot be specified here # the wildcards you may use are * and ? # # allow 192.168.2.* # deny 192.168.2.1? # # forwarding rules come here # # you may specify allow and deny rules after a specific forwarding rule # to apply to only that forwarding rule # # bindadress bindport connectaddress connectport 0.0.0.0 80 192.168.0.100 80 # logging information logfile /var/log/rinetd.log # uncomment the following line if you want web-server style logfile format # logcommon

After you've restarted rinetd...

/etc/init.d/rinetd restart

... rinetd should now listen on all interfaces (*:www):

netstat -tap

server2:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:sunrpc *:* LISTEN 1956/portmap
tcp 0 0 *:www *:* LISTEN 2503/rinetd
tcp 0 0 *:3025 *:* LISTEN 2347/rpc.statd
tcp 0 0 *:auth *:* LISTEN 2306/inetd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 2294/exim4
tcp 0 0 server2.example.com:www 192.168.0.3:4798 TIME_WAIT -
tcp6 0 0 *:ssh *:* LISTEN 2326/sshd
tcp6 0 148 server2.example.com:ssh ::ffff:192.168.0.3:4776 ESTABLISHED2409/0
server2:~#

3 Links

• rinetd: http://www.boutell.com/rinetd
• Debian: http://www.debian.org

Read More......

This document describes how you can configure a Debian Etch system for IPv6 so that a) it can connect to other IPv6 hosts and b) other IPv6 hosts can connect to it. IPv6 should become more important in the future as recent estimates assume that there will be no more IPv4 addresses left by 2010 or 2011. Therefore it's time time to learn IPv6.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

1 Preliminary Note

In this tutorial I'm using a Debian server in a LAN (i.e., it uses a router to connect to the Internet) with the ethernet device eth0 and the IPv4 address 192.168.0.100. The router's public IP address at the time of this writing was 85.176.139.73. With IPv6, other systems can connect directly to the Debian system, regardless of the router and NAT. This tutorial will work for Debian systems that are connected directly to the Internet (i.e., no NAT, no router) as well.

To use IPv6, we will configure a tunnel that connects our IPv6 Debian system to IPv6 hardware on the other end (run by a so-called "tunnel broker") and thus to the IPv6 backbone. This tunnel is necessary because most ISPs don't support direct IPv6 connectivity, and it doesn't make sense to route IPv6 traffic over an IPv4 network because chances are that the next-hop router doesn't know what to do with this traffic.

There are multiple tunnel brokers that give you a tunnel and IPv6 addresses for free (e.g. http://tunnelbroker.net/, http://go6.net/4105/freenet.asp, http://www.sixxs.net/). These tunnel brokers are connected to the IPv6 backbone, and the tunnel connects your Debian Etch system to their IPv6 hardware and therefore to the IPv6 backbone.

2 Creating A Tunnel

Register with a tunnel broker - I'm using http://tunnelbroker.net/ as they are very fast - you can be up and running in a few minutes. Then log in on their web interface and create a tunnel ("Create Regular Tunnel" on the http://tunnelbroker.net/ web site). Fill in the IPv4 endpoint (this is the public IPv4 address of your Debian system - if it is behind a router, this is your router's public IPv4 address) and select a location close to you (these are the locations where the tunnel broker has POPs, i.e., connections to the IPv6 backbone):

Afterwards you will see a screen with the details of your tunnel.

These are the details for my test tunnel:

Server IPv4 address: 216.66.80.30
Server IPv6 address: 2001:0470:1f0a:cc0::1/64
Client IPv4 address: 85.176.139.73
Client IPv6 address: 2001:0470:1f0a:cc0::2/64

Please write down the Server IPv4 address (216.66.80.30), the Server IPv6 address (2001:0470:1f0a:cc0::1), and the Client IPv6 address (2001:0470:1f0a:cc0::2). We will need them in a moment.

3 Configuring The Debian System

Log in to your Debian system and take a look at the output of

ifconfig

server1:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:A5:5B:93
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea5:5b93/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71 errors:0 dropped:0 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7789 (7.6 KiB) TX bytes:5809 (5.6 KiB)
Interrupt:169 Base address:0x1400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

server1:~#

Nothing special here, but the inet6 addr in the output means that the system is IPv6 capable.

Now we configure our new public IPv6 address and the tunnel as follows:

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.30 #(please replace the IPv4 address with the IPv4 address of the tunnel broker server that you've chosen in the previous step)
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:0470:1f0a:cc0::2/64 #(please replace the IPv6 address with your own IPv6 address)
route -A inet6 add ::/0 dev sit1

That's it already. Take a look at

ifconfig

again, and you should see two new interfaces (sit0 and sit1) that are needed for our tunnel:

server1:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:A5:5B:93
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea5:5b93/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:145 errors:0 dropped:0 overruns:0 frame:0
TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12833 (12.5 KiB) TX bytes:19303 (18.8 KiB)
Interrupt:169 Base address:0x1400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

sit0 Link encap:IPv6-in-IPv4
inet6 addr: ::127.0.0.1/96 Scope:Unknown
inet6 addr: ::192.168.0.100/96 Scope:Compat
UP RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

sit1 Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f0a:cc0::2/64 Scope:Global
inet6 addr: fe80::c0a8:64/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

server1:~#

Now we can test if we can ping the IPv6 address of the tunnel broker's server:

ping6 -c4 2001:0470:1f0a:cc0::1

server1:~# ping6 -c4 2001:0470:1f0a:cc0::1
PING 2001:0470:1f0a:cc0::1(2001:470:1f0a:cc0::1) 56 data bytes
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=1 ttl=64 time=16.8 ms
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=2 ttl=64 time=40.5 ms
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=3 ttl=64 time=37.5 ms
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=4 ttl=64 time=37.5 ms

--- 2001:0470:1f0a:cc0::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 16.880/33.135/40.550/9.466 ms
server1:~#

Looks good.

http://www.ipv6.org/v6-www.html has a list of IPv6 hosts. Let's pick one of them and test if we can ping it as well:

ping6 -c4 www.ipv6.uni-muenster.de

server1:~# ping6 -c4 www.ipv6.uni-muenster.de
PING www.ipv6.uni-muenster.de(tolot.ipv6.uni-muenster.de) 56 data bytes
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=1 ttl=57 time=29.3 ms
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=2 ttl=57 time=38.7 ms
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=3 ttl=57 time=60.4 ms
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=4 ttl=57 time=23.1 ms

--- www.ipv6.uni-muenster.de ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 23.194/37.940/60.454/14.127 ms
server1:~#

Ok, pinging other hosts is working fine. Now let's see if our system can be pinged on our public IPv6 address as well. Go to http://www.berkom.blazing.de/tools/ping.cgi and fill in your public IPv6 address. If all goes well, the output should be similar to this one:

Congratulations, IPv6 is now working on your system!

If you don't want to configure the sit0 and sit1 interfaces manually after each reboot, you can create the file /etc/network/if-up.d/ipv6 as follows:

vi /etc/network/if-up.d/ipv6

#!/bin/sh PATH=/sbin:/bin ifconfig sit0 up ifconfig sit0 inet6 tunnel ::216.66.80.30 ifconfig sit1 up ifconfig sit1 inet6 add 2001:0470:1f0a:cc0::2/64 route -A inet6 add ::/0 dev sit1

(Replace the IPv4 and IPv6 addresses with your own values!)

Then make the file executable:

chmod 755 /etc/network/if-up.d/ipv6

Now whenever the system boots, it starts the sit0 and sit1 interfaces automatically.

Read More......

phpsh is an interactive shell for php that features readline history, tab completion, quick access to documentation. It was developed at Facebook and ironically, is written mostly in python. This article explains how you can install/use it on a Debian Etch system.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

1 Installing phpsh

phpsh depends on PHP (4 or 5, 5 is recommended) and Python 2.4+, therefore we install PHP5 and Python as follows:

apt-get install php5-cli python

Afterwards we download and uncompress phpsh as follows:

wget http://www.phpsh.org/phpsh-latest.tgz
tar xvfz phpsh-latest.tgz

This creates the directory phpsh with the phpsh executable. Before we can run phpsh, we must make it executable:

cd phpsh
chmod 755 phpsh

2 Using phpsh

Now we can start the PHP shell simply by running

./phpsh

http://www.phpsh.org/readme.php shows how you can use the PHP shell. You can use tab to autocomplete function names, global variable names, constants, classes, and interfaces, and you can use the arrow keys to browse the command history. The equal sign at the beginning of a line will return the value of an expression.

Type

q

to leave the PHP shell.

Here's a sample output:

server1:~/phpsh# ./phpsh
I can't find a tags file for you. To enable tab completion in phpsh,
go to the root directory of your php code and run 'ctags -R',
(or whatever the analagous command is with your version of ctags,)
then run phpsh from that directory or a subdirectory of that directory.
Commandline: php -q /root/phpsh/phpsh.php
phpsh (c)2006 by Charlie Cheever and Dan Corson and Facebook, Inc.
type 'h' or 'help' to see instructions & features
New Feature: You can use the -c option to turn off coloring
php> = 2 + 3
5
php> $test = "This is a test.";
php> echo $test;
This is a test.
php> = array(array(1,2,3), array("a" => "b", "c" => "d", "e" => "f"), 'g', 'h')
Array
(
[0] => Array
(
[0] => 1
[1] => 2
[2] => 3
)

[1] => Array
(
[a] => b
[c] => d
[e] => f
)

[2] => g
[3] => h
)

php> $a = "abcdefg";
php> echo substr($a,0,3);
abc
php> q

server1:~/phpsh#

Read More......

Security is based on three characteristics: prevention, protection and detection. Grsecurity is a patch for Linux kernel that allows you to increase each of these points.

This howto was performed on a Debian Lenny system. Thus some tools are Debian specific. However, tasks can be performed with other distro specific tools or even with universal tools (make).

Everything will done with root privileges. However, you can perform them with a limited account thanks to sudo and fake-kpkg tools.

1. Preliminary Note

To compile the kernel, you need to install some specific packages:

rom1:/root# aptitude install patch bin86 kernel-package build-essential

If you like to configure your kernel in graphical console mode (make menuconfig), you must install one more package:

rom1:/root# aptitude install libncurses5-dev

Check that iniramfs-tools (used to generated the init ramdisk) is installed (it should be):

rom1:/usr/src# dpkg -l initramfs*

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii initramfs-tool 0.85i tools for generating an initramfs
rom1:/usr/src#

Go to the source folder:

rom1:/root# cd /usr/src

Download the grsecurity patch and the

2.6.24.5

Linux vanilla kernel:

rom1:/usr/src# wget grsecurity.net/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz

rom1:/usr/src# wget eu.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.5.tar.gz

NB: you may need to configure wget in case you are using an HTTP proxy (which may use authentication). You need to edit /root/.wgetrc so it looks like this:

http_proxy=192.168.0.1
proxy-user=foo # Put this line if you need to authenticate against your proxy
proxy-passwd=bar # Put this line if you need to authenticate against your proxy

Decompress the archive of the kernel:

rom1:/usr/src# tar xzvf linux-2.6.24.5.tar.gz

Create a symbolic link on the new kernel folder to ease the following tasks:

rom1:/usr/src# ln -s linux-2.6.24.5 linux

Now, the environment is ready. Let's go hardening!

2. Patch the vanilla kernel

Move the grsecurity patch to the new directory:

rom1:/usr/src# mv grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz linux/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz

Decompress and patch the source of the kernel:

rom1:/usr/src# cd linux

rom1:/usr/src/linux# gunzip <>

Now the patch is applied and the source of the kernel was modified. Let's configure the kernel to enable Grsecurity.

3. Configure the hardened kernel

In this example, we will configure the kernel using a console menu (make menuconfig). This is why we installed the libncurses5-dev package. However, you can configure in pure console mode (make config), or in GUI mode (make xconfig).

Grsecurity has predefined levels: low, medium, high. It can also be configured in custom level where you choose to enable or not option by option. See http://www.grsecurity.net/confighelp.php/ for more info on each option. In this HowTo, we will configure Grsecurity in High level.

rom1:/usr/src/linux# make menuconfig

Now, we will enable Grsecurity in the menu.

Go to Security options > Grsecurity > tick Grsecurity. Then, you can go to Security Level and tick High.

You can profit from configuring Grsecurity to optimise your kernel. Eg: On your server you probably don't need support for infrared, blutooth, probably neither wifi, ipx, X25, token ring, ATM, firewire, PCcard, joystick, mouse, sound....

4. Compile the hardened kernel

It is now time to compile your hardened kernel. First, just in case, clean up:

rom1:/usr/src/linux# make-kpkg clean

Launch compilation itself (this may take a while depending on your CPU power and RAM availability!!!):

rom1:/usr/src/linux# make-kpkg --initrd --append-to-version "grsec1.0" kernel_image

In case you are not using a Debian distro, you can compile the classic way with:

make mrproper
make menuconfig
make clean
make
make modules_install
mkinitramfs
make install

5. Install the hardened kernel

Your new kernel is now compiled and a .deb package file has been generated in the /usr/src folder. You need to install your kernel as any .deb package:

rom1:/usr/src# dpkg -i linux-image-2.6.24.5-grsec_grsec1.0_i386.deb

During the installation, an initrd image will be generated. This may take a while depending on your CPU power and RAM availability! You may also check that the new kernel image is really a kernel !

rom1:/usr/src# file vmlinuz-2.6.24.5-grsec
vmlinuz-2.6.24.5-grsec: Linux kernel x86 boot executable RO-rootFS, root_dev 0x801, swap_dev 0x1, Normal VGA

It is now time to restart your system with your new hardened kernel:

rom1:/usr/src/linux# shutdown -r now

Now that your system has restarted, you can check that your new kernel is running:

rom1:~# uname -r

2.6.24.5-grsec

6. Testing the hardened kernel

Except the fact that uname -r is saying your kernel is a grsec one, how do you know you are running a hardened kernel ? This is where we will use paxtest which will simulate an attack on the kernel and show if you are vulnerable or not. Download paxtest:

rom1:/tmp# wget http://www.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz

Extract it:

rom1:/tmp# tar xzvf paxtest-0.9.7-pre5.tar.gz
rom1:/tmp# cd paxtest-0.9.7-pre5

Compile it (type make to have the list of targets):

rom1:/tmp/paxtest-0.9.7-pre5# make generic

Run it (there are 2 differents modes: kiddie and blackhat):

rom1:/tmp/paxtest-0.9.7-pre5# ./paxtest kiddie

NB: unless you are using high grsecurity level or custom level, you will have a vulnerable kernel. Indeed, you are only getting userland ASLR protection in a medium mode.

7. Links

• Grsecurity home site: http://www.grsecurity.net
• Linux kernel site: http://www.kernel.org
• Wikipedia article on ASLR: http://en.wikipedia.org/wiki/Address_space_layout_randomization

Read More......

vzdump is a backup and restore utility for OpenVZ VMs. This tutorial shows how you can use it to clone/back up/restore virtual machines with vzdump.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I'm using two OpenVZ servers in this tutorial:

• server1.example.com: IP 192.168.0.100
• server2.example.com: IP 192.168.0.101

(Both are using Debian Etch and are set up according to this tutorial: Installing And Using OpenVZ On Debian Etch - but it works with any other distribution as well.)

I'm running a virtual machine with the hostname test.example.com, the IP address 192.168.0.102 and the VEID 102 on server1.example.com, and I want to back up that machine and restore it on server2.example.com.

We can restore it on server2.example.com with no changes (e.g. same IP address and hostname), but in that case we must stop the VM on server1.example.com because otherwise the IP address and hostname would conflict; the second possibility is to restore it on server2.example.com, but change some parameters like the IP address and hostname with the vzctl set command - in this case we can run both VMs (the original one on server1.example.com and the clone on server2.example.com) at the same time. This is a great method to clone VMs.

2 Preparing The OpenVZ Servers

First we must install vzdump and rsync which is a dependency. On Debian, the command is as follows:

server1/server2:

apt-get install vzdump rsync

3 Creating A Backup Of A VM

(This chapter is for server1 only!)

On server1.example.com, I want to create a backup of my VM with the VEID 102. Take a look at

man vzdump

to learn how to use vzdump.

To back up all VMs on your server, you'd use something like

vzdump --compress --dumpdir /home/backup --stop --all

--compress means: compress the dump file (results in a .tgz).

--dumpdir specifies the directory in which you want to store the dump. If you don't specify a dumpdir, it defaults to /vz/dump or /var/lib/vz/dump (depends on your distribution).

--stop stops the VM, creates the backup, and starts it again afterwards. Your VM can be down a few minutes if you use --stop. A faster solution would be to use...

--suspend: it suspends the VM; the VM is then copied via rsync to a temporary directory. The VM gets resumed right afterwards so that it's down only a few seconds, and then the dump is created using the copy in the temporary directory. I recommend to use this one if you can't afford long downtimes.

You can as well leave out --stop and --suspend and dump a running VM. In most cases this makes no problem, but it is possible that the dump is inconsistent, so be warned!

--all creates a dump of all available VMs. If you want to dump only a specific VM, replace --all with the VEID of the VM.

To create a dump of our VM 102 in /home/backup and stop the VM during the backup, use

vzdump --compress --dumpdir /home/backup --stop 102

To create a dump in the default directory (/vz/dump or /var/lib/vz/dump), use

vzdump --compress --stop 102

The output could look as follows:

server1:/vz/dump# vzdump --compress --stop 102
INFO: starting backup for VPS 102 (/var/lib/vz/private/102)
INFO: starting first sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp9009
INFO: stopping vps
Stopping container ...
Container was stopped
Container is unmounted
INFO: final sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp9009
INFO: restarting vps
Starting container ...
Container is mounted
Adding IP address(es): 192.168.0.102
Setting CPU units: 1000
Configure meminfo: 65536
Set hostname: test.example.com
File resolv.conf was modified
Container start in progress...
INFO: vps is online again after 15 seconds
INFO: Creating archive '/var/lib/vz/dump/vzdump-102.tgz' (/var/lib/vz/dump/tmp9009/102)
Total bytes written: 340428800 (325MiB, 11MiB/s)
INFO: backup for VPS 102 finished successful (1.37 minutes)
server1:/vz/dump#

To not stop, but suspend the VM, use

vzdump --compress --suspend 102

This is a sample output:

server1:~# vzdump --compress --suspend 102
INFO: starting backup for VPS 102 (/var/lib/vz/private/102)
INFO: starting first sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp10842
INFO: suspend vps
Setting up checkpoint...
suspend...
get context...
Checkpointing completed succesfully
INFO: final sync /var/lib/vz/private/102 to /var/lib/vz/dump/tmp10842
INFO: resume vps
Resuming...
INFO: vps is online again after 4 seconds
INFO: Creating archive '/var/lib/vz/dump/vzdump-102.tgz' (/var/lib/vz/dump/tmp10842/102)
Total bytes written: 340428800 (325MiB, 24MiB/s)
INFO: backup for VPS 102 finished successful (1.57 minutes)
server1:~#

After the backup, take a look at the dump directory...

ls -l /vz/dump/

... and you should see a .tgz file:

server1:~# ls -l /vz/dump/
total 147864
-rw-r--r-- 1 root root 1170 2008-11-20 17:40 vzdump-102.log
-rw-r--r-- 1 root root 151249685 2008-11-20 17:40 vzdump-102.tgz
server1:~#

You can now copy the dump to the other OpenVZ server, e.g. with scp (this copies /vz/dump/vzdump-102.tgz to the /home directory on server2.example.com):

scp /vz/dump/vzdump-102.tgz root@192.168.0.101:/home

4 Restoring A VM

(This chapter is for server2 only!)

On server2.example.com, you can now restore the VM as follows...

vzdump --restore /home/vzdump-102.tgz 250

... where 250 is the new VEID of the restored VM - you can use any VEID that is unused on server2.example.com - you could even use 102 again if it is unused on server2.example.com.

If you don't want to modify the settings of the VM (e.g. IP address, hostname), you can start it now, but please make sure that the original VM is stopped on server1.example.com because otherwise the IP addresses conflict:

vzctl start 250

If you want to run both VMs (the original one and the clone) at the same time, you must change the IP address and hostname of the clone before you start it.

To set a new hostname, run sonething like this:

vzctl set 250 --hostname test2.example.com --save

To set a new IP address, we must first delete the original one...

vzctl set 250 --ipdel 192.168.0.102 --save

... and then set a new one:

vzctl set 250 --ipadd 192.168.0.250 --save

Afterwards we can start the clone:

vzctl start 250

5 Links

• OpenVZ: http://wiki.openvz.org/

Read More......