1. Prepare a Xen VM with a minimal install of CentOS/RHEL 5 (64-bit or 32-bit).
    1. Make sure you have set your host name, IP addressing etc. The VM needs internet access (obviously).
  2. Install HyperVM following these instructions.
    1. Be sure to append [--virtualization-type=openvz] (omit the square brackets) to the install command.
  3. At the end of the installer, don’t reboot!
    1. The default OpenVZ kernel installed by the HyperVM installer won't boot inside a Xen VM (it works fine on a bare-metal server). Download the proper kernel for your architecture: 32-bit (i686) or 64-bit (x86_64). At the time of writing, the current OpenVZ kernel was 2.6.18-384.4.1.
    2. You are specifically looking for the kernel package whose name starts with 'ovzkernel-xen'. Anything else will probably install, but will not boot!
    3. Install it with [# rpm -ivh ovzkernel-xen-*.rpm]. Don't use [# rpm -Uvh]: that would upgrade (replace) the installed kernel instead of adding a new one alongside it, and you would lose the ability to roll back to a known working kernel should things go wrong.
    4. Open /boot/grub/grub.conf (in vi or nano) and make sure you can tell the existing kernel entries and the ovzkernel-xen entry apart. Perhaps append something to the title line, like 'OpenVZ-Xen'. I saw three kernels in mine: the original CentOS 5 kernel, the OpenVZ kernel (installed by the HyperVM installer) and the OpenVZ-Xen kernel.
  4. Now it's time to reboot. How you perform this step depends on a couple of things.
    1. If you have console access to your VM (it may be via an alternate SSH connection or an applet, if your hosting provider has one), I suggest not editing your grub.conf file just yet. Connect to the console and reboot the VM. You can then catch the grub boot loader and choose the OpenVZ-Xen kernel (not to be confused with the similarly named OpenVZ kernel). If all goes well, you can edit grub.conf later and set grub to boot the OpenVZ-Xen kernel by default. If things break, you'll either be able to reboot and choose a different 'known working' kernel, or your VM won't boot at all. In that case you'll have to ask your hosting provider to switch your default kernel back to the original one. If you have Dom0 access (you'll know what this is if you do) you can edit grub.conf via pyGrub and try again.
    2. If you don't have console access, you'll need to edit grub.conf first, set the OpenVZ-Xen kernel as the default kernel and reboot, hoping all goes well. As above, if it does, you'll be able to log in via SSH and to the HyperVM control panel. If things break and you lose access to your VM, you'll have to contact your hosting provider and have them investigate for you. You can assist them by asking them to configure grub to boot the standard CentOS kernel again. Afterwards, when you have access, you can try again 😉
  5. By default, HyperVM wants to use the 'Xen driver' as the virtualisation method. This won't work: you can't run Xen VMs inside a Xen VM. Why Xen is the default 'driver' when you chose OpenVZ at the very beginning, I have no idea.
    1. Use the following commands to switch the system from Xen to OpenVZ: [# cd /scripts/directory] [# lphp.exe ../bin/common/setdriver.php --server=localhost --class=vps --driver=openvz] (omit the square brackets, of course). There are two commands: the first changes the current working directory, the second changes the virtualisation driver.
    2. After a few moments, you'll see a confirmation message.
  6. You're done! You can now log in to the HyperVM control panel, add IP addresses and create VMs!
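The grub.conf step above is where a VM with no console access is most easily bricked: default= is a zero-based index into the title entries, counted in file order, and pointing it at the wrong one means a reboot into a kernel that does not start. The following is an added example (not part of the original post or of HyperVM) that lists the entries of a legacy grub.conf with their index, finds the one whose kernel image matches a pattern, and only then rewrites default=, keeping a .bak copy. The sample grub.conf it writes is constructed for the example and its version strings are made up.

```sh
#!/bin/sh
# Added example: manipulate a legacy (GRUB 0.9x) grub.conf safely.
# Assumes the standard "title / root / kernel / initrd" layout.

# grub_entries FILE: one line per entry, "index<TAB>title<TAB>kernel image",
# index being the zero-based number that default= refers to.
grub_entries() {
    awk '
        /^[ \t]*title[ \t]/ {
            sub(/^[ \t]*title[ \t]+/, ""); title = $0; idx = n++; kernel = ""
        }
        /^[ \t]*kernel[ \t]/ {
            kernel = $2; printf "%d\t%s\t%s\n", idx, title, kernel
        }
    ' "$1"
}

# grub_index_for FILE REGEX: index of the first entry whose kernel image
# matches REGEX (awk extended regex), or nothing if none does.
grub_index_for() {
    grub_entries "$1" | awk -F '\t' -v p="$2" '$3 ~ p { print $1; exit }'
}

# grub_default FILE: the current default= value (grub treats a missing
# line as 0).
grub_default() {
    awk -F= '/^default=/ { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# grub_set_default FILE REGEX: point default= at the matching entry.
# Returns 1 and leaves FILE untouched if no entry matches, so a typo in the
# pattern can never select a kernel by accident.
grub_set_default() {
    idx=$(grub_index_for "$1" "$2")
    if [ -z "$idx" ]; then
        echo "no entry in $1 has a kernel image matching $2" >&2
        return 1
    fi
    cp -p "$1" "$1.bak"                       # keep the previous version
    tmp="$1.tmp.$$"
    awk -v i="$idx" '/^default=/ { $0 = "default=" i } { print }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
    echo "default=$idx"
}

# write_sample_grub_conf FILE: constructed grub.conf with the three kinds of
# entry the post describes (stock CentOS, OpenVZ, OpenVZ-Xen). The version
# strings are invented for the example.
write_sample_grub_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
title CentOS (2.6.18-194.el5xen)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.el5xen ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-194.el5xen.img
title OpenVZ (2.6.18-028stab089.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-028stab089.1 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-028stab089.1.img
title OpenVZ-Xen (2.6.18-028stab089.1xen)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-028stab089.1xen ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-028stab089.1xen.img
EOF
}

# Typical use on the real file, after checking the listing by eye:
#   grub_entries /boot/grub/grub.conf
#   grub_set_default /boot/grub/grub.conf 'stab.*xen'
```

After the reboot, `uname -r` should print the OpenVZ-Xen version string; if it still prints the old kernel, the index was wrong and the .bak copy gets you back to the previous grub.conf.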

Comments, Suggestions, Requests, all welcome 😉

After installing ConfigServer Security and Firewall (CSF), many of us try to get as many 'green' results as possible on its Check Server Security page. The tricky one (or two) to achieve is mounting /tmp and /var/tmp as separate file systems. On a bare-metal Linux installation (no virtualisation) this is easy: create a file system (a partition, or a pseudo file system such as tmpfs) and mount it accordingly. Under virtualisation (OpenVZ, Virtuozzo etc.) this is not so easy; in fact, it's not actually supported at all. However, there are two things you can try.

  1. Nothing. Just leave it. After all, the message at the bottom of the Check Server Security page says 'This scoring does not necessarily reflect the security of your server or the relative merits of each check'. In other words, getting all green doesn't necessarily mean your server is secure.
  2. You can set up pretend mount points (this works on bare-metal installations as well). Delete the /var/tmp directory and symlink it to /tmp (ln -s /tmp /var/tmp); be aware that /var/tmp is meant to survive reboots while /tmp need not, so anything that relies on that distinction loses it. Next, edit /etc/fstab and add the following line: /tmp /tmp ext3 defaults,usrquota,bind,noauto,noexec,nosuid 0 0 Because of noauto this entry is never actually mounted at boot, so the noexec and nosuid flags never take effect; it exists purely to satisfy the check. Finally, make sure the permissions are 1777 (chmod 1777 /tmp; don't use -R, which would put the sticky bit and world-write permission on every file inside).

The second option above doesn't really achieve anything except the green 'OK' from CSF. Traditionally, /tmp and /var/tmp have been kept on a separate file system because of the volatile nature of what is temporarily stored there. If the server was compromised via this directory, the compromise could be contained by unmounting the file system, and with a real mount carrying noexec and nosuid, files dropped there cannot be executed directly from it in the first place (interpreters can still read them, so this is a speed bump, not a wall). Better still, if the file system itself was hacked or damaged, only /tmp and /var/tmp would be affected; both are easily replaced and can be deleted, removed and recreated while the system is still running, and no important data is ever stored in these directories anyway.
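Whether a CSF check is green says nothing about what the kernel actually mounted, and that is what matters for noexec and nosuid. The following is an added example (not CSF's code and not from the original post) that reads a /proc/mounts-style table from standard input and reports whether a directory is really its own mount point with both flags; fed the pretend fstab entry above, it reports that nothing is mounted. The three sample tables are constructed for the example (simfs is what an OpenVZ container shows for its root file system).

```sh
#!/bin/sh
# Added example: verify the live mount table instead of trusting /etc/fstab.
# On a real host:  check_tmp_mount /tmp < /proc/mounts

# mount_opts_for DIR: print the mount options of DIR from the table on
# stdin, or nothing if DIR is not a mount point. If DIR was mounted more
# than once, the last entry wins, as it does for the kernel.
mount_opts_for() {
    awk -v d="$1" '$2 == d { opts = $4 } END { if (opts != "") print opts }'
}

# check_tmp_mount DIR: succeed (0) only if DIR is a mount point carrying
# both noexec and nosuid; print why otherwise and return 1.
check_tmp_mount() {
    opts=$(mount_opts_for "$1")
    if [ -z "$opts" ]; then
        echo "$1: not a mount point (a noauto fstab entry is never applied)"
        return 1
    fi
    missing=
    for want in noexec nosuid; do
        # wrap in commas so "noexec" cannot match inside another option
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$1: mounted ($opts) but missing:$missing"
        return 1
    fi
    echo "$1: mounted with $opts"
    return 0
}

# Constructed /proc/mounts samples: the "pretend" setup (only the root file
# system is mounted), a bind mount of /tmp without the flags, and a bind
# mount with both flags.
SAMPLE_PRETEND="/dev/simfs / simfs rw 0 0
proc /proc proc rw 0 0"
SAMPLE_NOFLAGS="/dev/simfs / simfs rw 0 0
/dev/simfs /tmp simfs rw 0 0"
SAMPLE_HARDENED="/dev/simfs / simfs rw 0 0
/dev/simfs /tmp simfs rw,nosuid,noexec 0 0"
```

The same check, pointed at /var/tmp, shows whether the symlink trick left it covered by the /tmp mount (a symlink is not a mount point, so it will not appear in the table at all).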

I came across a conundrum some time ago. I have a CentOS Linux based VPS running a few different 'processes' for different purposes. My problem was that from time to time these processes would stop or die, for whatever reason. Given that I require absolute uptime from these processes (or at least as close as I can get), I needed a script: a way to check whether the process was running and, if not, to start it, all without my manual help. Now, before you read any further, I just want to make it clear that I am talking about uncommon processes (not system services or daemons). To name a few:

Initially, I searched and searched the internet and found all sorts of solutions dating from the 1990s all the way through to 2010. I even managed to cobble something together, but it was pretty terrible and failed sometimes (more often than not, actually).

Some readers may have noticed that one of my examples above already contains an almost perfectly good solution!

Services for IRC (developed primarily by Andrew Church) ships with an additional script (once compiled and installed) under the file name ircservices-chk (located at /usr/local/sbin/ircservices-chk on most Linux distributions). The contents of this file look like this:

#!/bin/sh
#
# Script to check whether IRC Services is running, and restart it if not.
# Usage: ircservices-chk [-q] [ircservices-options]
# -q: don't write any output
# ircservices-options: options to pass to ircservices executable
# If you change PIDFile in ircservices.conf, also change PIDFILE below.
#
# IRC Services is copyright (c) 1996-2009 Andrew Church.
# E-mail:
# Parts written by Andrew Kempe and others.
# This program is free but copyrighted software; see the file GPL.txt for
# details.

PIDFILE=ircservices.pid

if [ "X$1" = "X-q" ] ; then
    exec 1>/dev/null
    exec 2>/dev/null
    shift
fi

ok=
if [ -f "/usr/local/lib/ircservices/$PIDFILE" ] ; then
    pid=`cat "/usr/local/lib/ircservices/$PIDFILE"`
    if echo "0$pid" | grep -q '[^0-9]' ; then
        rm -f "/usr/local/lib/ircservices/$PIDFILE"
    elif kill -0 $pid ; then
        ok=1
    fi
fi

if [ ! "$ok" ] ; then
    "/usr/local/sbin/ircservices" "$@"
fi

This script is almost perfect for my use (it does exactly the right job for ircservices), but not quite. It uses the process ID (PID) of ircservices, read from a PID file, to check whether it is running or not. That's fine, but not every program writes its PID to a file, or to any location that is useful to the end user. I added a line to the beginning of the script that uses the pgrep command to write the PID of my chosen process to a file.

pgrep process-name > /home/username/a-directory-of-your-choosing/a-file-name-of-your-choosing.pid

Obviously you would replace process-name with the name of the process you want to monitor and username with your actual username. Be aware that pgrep treats process-name as a regular expression matched against the process name, so 'ircbot' also matches a process called 'ircbot-chk'; pass -x to require an exact match.

You can use the command ps aux to list all the processes currently running on your system and locate the one you want to monitor; pgrep -l process-name shows exactly which processes pgrep itself would pick up.

The '.pid' file extension isn't really necessary, but it might be handy for identifying what the file is, should you come across it later on down the track. Here's my example for checking that ircbot is running:

#!/bin/sh
#
# Script to check whether IRC Services is running, and restart it if not.
# Usage: ircservices-chk [-q] [ircservices-options]
# -q: don't write any output
# ircservices-options: options to pass to ircservices executable
# If you change PIDFile in ircservices.conf, also change PIDFILE below.
#
# IRC Services is copyright (c) 1996-2009 Andrew Church.
# E-mail:
# Parts written by Andrew Kempe and others.
# This program is free but copyrighted software; see the file GPL.txt for
# details.
pgrep ircbot > /home/username/ircbot/ircbot.pid
PIDFILE=ircbot.pid

if [ "X$1" = "X-q" ] ; then
    exec 1>/dev/null
    exec 2>/dev/null
    shift
fi

ok=
if [ -f "/home/username/ircbot/$PIDFILE" ] ; then
    pid=`cat "/home/username/ircbot/$PIDFILE"`
    if echo "0$pid" | grep -q '[^0-9]' ; then
        rm -f "/home/username/ircbot/$PIDFILE"
    elif kill -0 $pid ; then
        ok=1
    fi
fi

if [ ! "$ok" ] ; then
    "/home/username/ircbot/ircbot" "$@"
fi

Here’s my final version.

#!/bin/sh
#
# Script to check whether a process is running, and restart it if not.
# Usage: running [-q]
# -q: don't write any output
# Props to Andrew Church (http://www.ircservices.za.net) for creating
# the original script ircservices-chk of which this script you are using
# now is a slight modification by Quin Rose of Mokona Modoki
# http://www.mokonamodoki.com/

# Record the PID(s) of the process to watch. -x requires an exact match on
# the process name; without it pgrep's substring match would also pick up
# this check script itself when it is named e.g. ircbot-chk, kill -0 on
# our own PID would always succeed, and the bot would never be restarted.
pgrep -x ircbot > /home/username/ircbot/ircbot.pid

PIDFILE=ircbot.pid

if [ "X$1" = "X-q" ] ; then
    exec 1>/dev/null
    exec 2>/dev/null
    shift
fi

ok=
if [ -f "/home/username/ircbot/$PIDFILE" ] ; then
    pid=`cat "/home/username/ircbot/$PIDFILE"`
    # Throw the file away if it contains anything but digits (one PID per line)
    if echo "0$pid" | grep -q '[^0-9]' ; then
        rm -f "/home/username/ircbot/$PIDFILE"
    # kill -0 sends no signal; it only tests whether the PID(s) still exist
    elif kill -0 $pid ; then
        ok=1
    fi
fi

if [ ! "$ok" ] ; then
    "/home/username/ircbot/ircbot" "$@"
fi

To use this script, just copy and paste the code above into your favourite editor, save it, and make it executable with: chmod +x filename

Last but not least, you don't want to have to run this script all the time, manually, by yourself, do you? Wondering if you can just put it in a cron job and let it rip? Well, yes! You can! Add the following line to cron (adjusting the path to wherever you saved the script) for automatic, once-a-minute process-checking goodness:

* * * * * /home/andrew/ircbot/ircbot-chk -q

There are plenty of resources on the web relating to cron, so if you would rather have cron execute the script less often, you'll need to do a little googling.

Adding -q sends all output from the script to /dev/null (a black hole of sorts), so nothing is printed (or mailed to you by cron). You can test it with or without the -q.
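Two things can still go wrong with the script above when cron runs it every minute: pgrep without -x can match the checker itself, and two runs that overlap (say, because the bot takes a while to start) can both decide to start it. The following is an added example, not the post's script and not part of IRC Services, that does the same job without a PID file: it reads the command name straight out of /proc/PID/stat (the field pgrep -x compares against), skips its own PID, and serialises runs with an mkdir lock. It is Linux-only; the daemon name, lock path and cron line in the comments are placeholders, and the test process used below is constructed for the example.

```sh
#!/bin/sh
# Added example: a cron-driven process watchdog without a PID file.

# pids_named NAME: print the PIDs, other than this shell's own, whose
# command name (the comm field of /proc/PID/stat) is exactly NAME.
pids_named() {
    for stat in /proc/[0-9]*/stat; do
        pid=${stat#/proc/}; pid=${pid%/stat}
        [ "$pid" = "$$" ] && continue
        # a stat line reads: 1234 (name) S 1 ...  and name may itself contain
        # spaces or parentheses, so take everything up to the last ") X "
        comm=$(sed -n 's/^[0-9]* (\(.*\)) [A-Za-z] .*$/\1/p' "$stat" 2>/dev/null) || continue
        [ "$comm" = "$1" ] && echo "$pid"
    done
    return 0
}

# is_running NAME: succeed if at least one process is named NAME.
is_running() {
    [ -n "$(pids_named "$1")" ]
}

# ensure_running NAME LOCKDIR CMD [ARG...]: start CMD, detached from the
# terminal, unless a process named NAME already exists. mkdir is atomic, so
# only one concurrent run can hold LOCKDIR. Returns 0 if NAME was already
# running, 2 if it was (re)started, 1 if another run holds the lock.
ensure_running() {
    name=$1; lock=$2; shift 2
    if ! mkdir "$lock" 2>/dev/null; then
        echo "$name: another check holds $lock" >&2
        return 1
    fi
    if is_running "$name"; then
        rmdir "$lock"
        return 0
    fi
    echo "$(date '+%Y-%m-%d %H:%M:%S') $name not running, starting: $*" >&2
    nohup "$@" >/dev/null 2>&1 </dev/null &
    rmdir "$lock"
    return 2
}

# Example use (placeholder paths): a script ircbot-chk ending in
#   ensure_running ircbot /home/username/ircbot/.check.lock /home/username/ircbot/ircbot
# run from cron once a minute with
#   * * * * * /home/username/ircbot/ircbot-chk >/dev/null 2>&1
```

Keep the lock directory somewhere only your user can write (not /tmp), and name the checker something that is not the daemon's name: with an exact match that is no longer fatal, but it keeps the listing from pids_named unambiguous.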

If you have any questions or would like more information or examples, please do let me know in the comments, and I will be only too happy to be of assistance! This certainly helped me, so I thought I would share it so that it could help you too!