The idea is to keep a separate file that contains a filesystem holding the /tmp directories of all VPSes, and to mount that file as a loop device with the noexec,nosuid options, so that nothing dropped into any VPS's /tmp can be executed or gain privileges through setuid bits.
It can be done as follows:
1) Create a special file, and create a filesystem inside that file and mount it:
# dd if=/dev/zero of=/vz/tmpVE bs=1k count=2000000
# losetup /dev/loop0 /vz/tmpVE
# mkfs.ext2 /dev/loop0
# mkdir /vz/tmpVEs
# mount /dev/loop0 /vz/tmpVEs -o noexec,nosuid,nodev,rw
2) Add the following lines into /etc/sysconfig/vz-scripts/dists/scripts/postcreate.sh:
function vztmpsetup()
{
    # The VE id is the last path component of $VE_ROOT (e.g. /vz/root/101 -> 101)
    VEID=`basename $VE_ROOT`
    cp /etc/sysconfig/vz-scripts/new.mount /etc/sysconfig/vz-scripts/$VEID.mount
    cp /etc/sysconfig/vz-scripts/new.umount /etc/sysconfig/vz-scripts/$VEID.umount
    # Clear out anything left in /tmp by an earlier VE that used the same id
    if [ "$VEID" != "" ]; then
        [ -d /vz/tmpVEs/$VEID ] && rm -rf /vz/tmpVEs/$VEID/*
    fi
    # vzctl only runs the mount/umount hooks if they are executable
    chmod 755 /etc/sysconfig/vz-scripts/$VEID.mount /etc/sysconfig/vz-scripts/$VEID.umount
}
vztmpsetup
exit 0
3) Create "/etc/sysconfig/vz-scripts/new.mount":
#!/bin/bash
#
# if one of these files does not exist then something is really broken
[ -f /etc/sysconfig/vz ] || exit 1
[ -f "$VE_CONFFILE" ] || exit 1
[ -f /etc/sysconfig/vz-scripts/$VEID.conf ] || exit 1
# Source configuration files to access $VE_ROOT
. /etc/sysconfig/vz
. "$VE_CONFFILE"
# Each VE gets its own directory on the noexec,nosuid,nodev loop filesystem
[ -e /vz/tmpVEs/$VEID ] || mkdir /vz/tmpVEs/$VEID
# Bind it over the VE's /tmp; the bind mount keeps the per-mount flags of /vz/tmpVEs
mount --bind /vz/tmpVEs/$VEID $VE_ROOT/tmp
4) Create "/etc/sysconfig/vz-scripts/new.umount":
#!/bin/bash
# if one of these files does not exist then something is really broken
[ -f /etc/sysconfig/vz ] || exit 1
[ -f "$VE_CONFFILE" ] || exit 1
# Source configuration files to access $VE_ROOT
. /etc/sysconfig/vz
. "$VE_CONFFILE"
# Unmount shared directory (only if the bind mount is actually present)
if grep "$VE_ROOT/tmp" /proc/mounts >/dev/null; then
    umount $VE_ROOT/tmp
fi
5) Add the following lines into "/etc/rc.sysinit", so the loop device is set up on every boot before the vz service starts the VPSes (the mount hook above needs /vz/tmpVEs to be mounted already):
losetup /dev/loop0 /vz/tmpVE
mount /dev/loop0 /vz/tmpVEs -o noexec,nosuid,nodev,rw
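As an added example (not part of the original post), a small POSIX sh check that parses /proc/mounts-style lines and confirms that each VE's bound /tmp really carries noexec, nosuid and nodev; the sample mount lines are constructed, and the /vz/root/NNN/tmp layout is the one assumed by the scripts above.

```shell
#!/bin/sh
# Added example, not from the original post: audit VE /tmp bind mounts for the
# noexec,nosuid,nodev flags. Pass /proc/mounts for a live check; a constructed
# sample file is used below so the script runs anywhere.

# check_tmp_flags MOUNTS_FILE MOUNTPOINT
#   returns 0 if all three flags are present, 1 if one is missing,
#   2 if nothing is mounted at MOUNTPOINT at all.
check_tmp_flags() {
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # The last matching line wins: a later mount on the same path hides earlier ones.
    opts=$(awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1")
    [ -n "$opts" ] || return 2
    for flag in noexec nosuid nodev; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# report_vz_tmp MOUNTS_FILE: print OK/WEAK for every /vz/root/<VEID>/tmp mount found.
report_vz_tmp() {
    awk '$2 ~ /^\/vz\/root\/[0-9]+\/tmp$/ { print $2 }' "$1" | sort -u |
    while read -r mp; do
        if check_tmp_flags "$1" "$mp"; then echo "OK   $mp"; else echo "WEAK $mp"; fi
    done
}

# Constructed sample standing in for /proc/mounts: VE 101 is set up as in the
# post, VE 102 has a plain rw bind mount that lacks the restrictive flags.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/loop0 /vz/tmpVEs ext2 rw,nosuid,nodev,noexec 0 0
/dev/loop0 /vz/root/101/tmp ext2 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /vz/root/102/tmp ext3 rw 0 0
EOF

report_vz_tmp "$SAMPLE_MOUNTS"
# prints:
# OK   /vz/root/101/tmp
# WEAK /vz/root/102/tmp
```

Run it against the real /proc/mounts with `report_vz_tmp /proc/mounts` after the VPSes are started to confirm no VE ended up with an unrestricted /tmp.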