
                          vserver all changes logs

                                  Version 0.0

Enhancements

    First release

                This  is the first release of a very interesting project:
                Running  several general purpose Linux server on a single
                box  with  a  high  degree  of Independence and security.
                Check it out.

    vserver package

                Beside the kernel patch, the vserver package was created.
                It  includes  the  utilities  and the framework to handle
                several virtual servers.

                                  Version 0.1

Enhancements

    New v_xxx sysv init scripts to help the main server

                If  you are running the same network services both in the
                main  server  and  virtual servers, you may end up with a
                little  problem:  The service in the virtual server can't
                start  because  the  TCP port is already used by the main
                server.  The  solution  is  to  restrict  the main server
                service  (HTTP for example) to use a single IP instead of
                all  (0.0.0.0).  While  most service may be configured to
                achieve  that this is annoying. Using the chbind utility,
                part of this package (vserver) one can start any service,
                bound to a single IP. For example, you can do:

        /etc/rc.d/init.d/httpd stop
        /usr/sbin/chbind --ip eth0 /etc/rc.d/init.d/httpd start

                This  is annoying, especially because we want to automate
                the  boot  process.  To  solve  this, the vserver package
                supplies  3 new services in the main server. They are off
                by  default. There is v_sshd, v_xinetd and v_httpd. Those
                services are simple wrapper to start the original service
                using the chbind command above. So if you need to run the
                same  network service in the main server and some virtual
                server,  turn  off the service (linuxconf/control/control
                service   activity)   and  enable  the  corresponding  v_
                service.

Bug fixes

    vserver build command

                The  build  command populates a vserver and creates dummy
                /etc/fstab  and  /etc/mtab.  This  way, the df command is
                happy  as  well as other admin tools (Linuxconf for one).
                Previous  versions  of  the vserver packages were copying
                the  fstab  and  mtab  of  the  main  server and this was
                producing confusing output.

                                  Version 0.2

Enhancements

    Documentation

                The documentation found at
                [1]http://www.solucorp.qc.ca/miscprj/s_context.hc     was
                enhanced. Worth a review...

    rebootmgr and vreboot utility

                A  virtual  server  is  not  able/allowed  to re boot the
                computer.  It  is nevertheless useful to simulate a robot
                of  the  virtual  server  services. Basically, we end all
                services,  kill  all  remaining processes and start over.
                This  is  achieved  by running the following command from
                the main server:

        /usr/sbin/vserver SERVER restart

                But  it can't be executed from inside the virtual server.
                To  solve this the rebootmgr (robot manager) was created.
                It  is  a  service which installs a unix domain socket in
                each  virtual  server  (/dev/reboot).  The  /sbin/vreboot
                utility  is  used  to  request  a reboot from any virtual
                server. The reboot manager knows which vserver is sending
                the request and execute the command above.

                The /sbin/vhalt utility is supplied as well, which simply
                end a virtual server activity.

                The  rebootmgr  is  a  service and is off by default. You
                must enable it.

Bug fixes

    Stopping a virtual server

                There  was  a flaw in the vserver utility and sometime, a
                virtual  server  was  not  ended properly. Some processes
                were  left running and this was preventing the restart of
                the vserver.

                                  Version 0.3

Enhancements

    /usr/sbin/vserver enhancements

                The vserver utility is doing the /proc and /dev/pts mount
                when  a  vserver  is  started.  It  was calling the mount
                command   with  relative  path  and  this  was  confusing
                /etc/mtab somewhat. It is now using absolute paths.

                vserver  is  also a little more verbose when starting and
                stopping a vserver. This makes the /var/log/boot.log file
                a little more explicit.

    Missing LICENSE file

                The  vserver  is  licensed  under  the GNU Public License
                (GPL).  The  package was missing the LICENSE file stating
                that.

    Missing readlink utility

                The  vserverkillall  (used  by  vserver VSERVER stop) was
                relying  on  the  readlink  utility,  which is not always
                available (delivered with tetex). The vserver package now
                includes its own readlink utility in /usr/lib/vserver.

Bug fixes

    New kernel 2.4.10ctx-2

                A  fix was done in the kernel to prevent changes in /proc
                from  a  virtual  server  administrator.  The  /proc file
                system  was not properly protected by a capability. It is
                now.  You  can find the kernel patch patch-2.4.10ctx-2 as
                well  as  two pre-compiled kernel binaries for UP and SMP
                machines (kernel-2.4.10ctx-2.tar.gz)

    rebootmgr ineffective when start at boot time

                The  rebootmgr  service  was  not  working  at  all. When
                notified  to  reboot  or  halt  a  virtual server, it was
                completely   failing  because  its  standard  output  and
                standard  error channel was pointing to closed pipes. Now
                it    redirect    the    /usr/sbin/vserver   command   to
                /var/log/boot.log (append).

    rebootmgr service not restarted by Linuxconf

                When  you  add a new virtual server, you must restart the
                rebootmgr  service  so  it properly setup its /dev/reboot
                socket in that vserver.

                The  sysv  init  script  was  missing  the  tags  used by
                Linuxconf so it knows when rebootmgr must be restarted.

                                  Version 0.4

Enhancements

    /usr/lib/vserver/vunify utility: new

                The vunify script is used to unify the disk space used by
                several   vservers.   Vservers   are  running  in  chroot
                environment.  As  such,  they  can't share files. This is
                useful  (secure,  flexible), but annoying: Not fun having
                glibc installed 10 times for example.

                It  is  possible  to share files using hard links. vunify
                was  created  to  merge common package using hard link so
                they use the same disk space. It works like this

/usr/lib/vserver/vunify refserver serv1 serv2 serv3 -- pkg1 pkg2 pkg3 ...

                refserver  is  the  reference  server. serv1 to serv3 are
                other  vservers  and all vservers have a copy of the same
                RPM  packages  pkg1,  pkg2.  The utility will extract the
                list  of  file own by the various packages. Configuration
                files  are  omitted  from the list. Then it will walk the
                vservers  and  erase  the  files  and  setup  a hard link
                pointing  to  the  file  in refserver. Once done, it will
                turn  the  file  immutable  bit.  This  bit  prevent  the
                vservers  from modifying the file. Even root can't do it.
                You  will end up saving a log of disk space. You may gain
                some  performance as well since the various shared object
                will be loaded only once in memory for all vservers. This
                could be noticeable if you have many vservers.

                Experiment  have  shown  that unifying the packages bash,
                glibc,  perl  and binutils save 60 megabytes per vserver.
                Given those package seldom change, this is a nice saving.

                vunify  also  feature  a  --undo  option to un-unify some
                package.  It turns off the immutable bit and place a copy
                of  the files in each vservers. This can be useful if you
                intend to update one package.

                Have fun!

    vserver command enhancement

                The  build  option  now turn off all service in the newly
                created  vserver.  this  is  useful because in general, a
                vserver  runs few services. Further, many common services
                found  in  Linux are useless in a vserver environment. So
                after   installing   a   vserver   "enter"   it  (vserver
                VSERVER-name  enter) and enable the service you need with
                either Linuxconf or chkconfig.

Bug fixes

    rebootmgr service missing

                vserver 0.3 has introduced a new service called rebootmgr
                allowing   virtual   server   to  request  a  reboot  (of
                themselves).  Unfortunately  the  sysv  init  script  was
                missing in the package.

                                  Version 0.5

                The  new  vserver  package relies on new ability found in
                the kernel patch
                [2]ftp://ftp.solucorp.qc.ca/pub/vserver/diffctx-2.4.11-3
                .  This  patch  works  with  2.4.12  as  well. I have not
                released pre-compiled kernel for now.

Enhancements

    chcontext and reducecap command line option

                The  two  utilities  support  the new --flag command line
                option.  This  is  used to set some flags in the security
                context. For new the two flags are:

               o lock
                 Once set, a security context is locked. It can't request
                 another security context.
               o sched
                 This   changes   the  way  priority  is  calculated  for
                 processes   in  a  vserver.  The  priority  is  kind  of
                 aglomerated.  A vserver running 50 active processes will
                 have  a same impact on the server as if it was running a
                 single process (roughly).

                All those flags are one-shot. You can set them, you can't
                unset them.

    vserver command: S_FLAGS support<

                The  vserver command supports the new --flag command line
                option  of  the  chcontext  utility. You encode the flags
                (lock   and   sched)   in   the   vserver   configuration
                (/etc/vservers/confname.conf) like this

        S_FLAGS="lock sched"

                By   default,   all   new   vserver   are   created  with
                S_FLAGS="lock".

                                  Version 0.6

Enhancements

    New kernel 2.4.13 and new immutable flags

                The  patch  now work on top of kernel 2.4.13. Both normal
                and  SMP  kernel  are  supplied. This new kernel provides
                mostly  the  same  feature  and implementation as before.
                Here are the changes:

               o System  call  number  has been changed to avoid conflict
                 with other new feature in the kernel.
               o New  IMMUTABLE-LINK-INVERT flag. This was contributed by
                 Sam  Vilain  (sam@vilain.net). This new ext2 flag solves
                 the  unification issues. When you unify two vservers, to
                 save  disk space, you have to protect the file somewhat,
                 to  avoid  one  vserver  from  affecting  the other. The
                 solution  is  to  turn  the  file immutable so even root
                 can't  modify  them  (root in vservers is not allowed to
                 play with the immutable bit).
                 There  was  a  drawback  with this. The unified vservers
                 were  locked somewhat. A vserver administrator could not
                 perform package update for example.
                 The   new   IMMUTABLE-LINKAGE-INVERT   solves  this.  It
                 modifies  the  way  an  immutable file behave. With this
                 flag  on,  the  file may be unlinked (removed), allowing
                 normal  package  updates. But the original data can't be
                 modified.
                 The  default  for  vunify  and  vbuild  is  to  set both
                 IMMUTABLE-FILE   and  IMMUTABLE-LINKAGE-INVERT  bits  on
                 linked  file.  This  gives  you  robustness (one vserver
                 can't  modify  the linked file shared by other vservers)
                 and flexibility (one vserver may evolve independently.

                You  absolutely  need vserver 0.6 to use this kernel. You
                can    find    more    information    about    the    new
                immutable-linkage-invert flag at
                [3]http://sam.vilain.net/immutable. You will find there a
                modified  ext2fsprog  package  to  use  those  flags. The
                vunify  and  vbuild  utility  do not need this package to
                operate though.

    New vbuild utility

                The  /usr/lib/vserver/vbuild utility has been written. It
                allows  one  to  clone  a reference vserver, hard linking
                files  when  possible.  You end up creating a new virtual
                private  server  with a large package set, yet using only
                few  megs  of disk space. Like the vunify command, vbuild
                sets  the  immutable  flag  on linked file so the vserver
                can't  change them (since they are shared between several
                vservers).

                Here is the command line usage:

                vbuild [ options ] reference-server new-vservers

               o --test
                 Show what will be done, do not do it.
                 (not completed)
               o --debug
                 Prints some debugging messages.
               o --noflags
                 Do not put any immutable flags on the file
               o --immutable
                 Set the immutable_file bit on the files.
               o --immutable-mayunlink
                 Sets the immutable_link flag on files.
               o --stats
                 Produce  statistics  on the number of file linked copied
                 and so on.

                By  default,  the immutable_file and immutable_link flags
                are  set on the files. So if you want no immutable flags,
                you  must  use  --noflags. If you want a single flag, you
                must   use  --noflags  first,  then  the  --immutable  or
                --immutable-mayunlink flag.

    New vtop utility

                vtop  is a simple shell script, executing the top utility
                in security context 1, so it can see all processes.

    vunify rewrite

                The  /usr/lib/vserver/vunify  utility has been rewritten.
                It uses roughly the same syntax with few more options.

                vunify  [  options  ]  reference-server  vservers  ... --
                packages

               o --test
                 Show what will be done, do not do it.
               o --undo
                 Put  back  the  file  in  place,  using  copies from the
                 reference server.
               o --debug
                 Prints some debugging messages.
               o --noflags
                 Do not put any immutable flags on the file.
               o --immutable
                 Set the immutable_file bit on the files.
               o --immutable-mayunlink
                 Sets the immutable_link flag on files.

                By  default,  the immutable_file and immutable_link flags
                are  set on the files. So if you want no immutable flags,
                you  must  use  --noflags. If you want a single flag, you
                must   use  --noflags  first,  then  the  --immutable  or
                --immutable-mayunlink flag.

                If  packages  is  ALL,  then  all common package with the
                reference  server  will  be unified. The new vunify makes
                sure this is the same package version before unifying.

Changes

    System call renumbering

                The  system  call  we  had chosen was already assigned to
                other projects so we picked new number. This make the old
                vserver   package  incompatible  with  the  newer  kernel
                2.4.13ctx-3.

                If  you  have  already  some  vserver running and want to
                upgrade to the new kernel, here is the update sequence:

        # Stop all vservers
        /etc/rc.d/init.d/vservers stop
        # Disable the vservers service
        /sbin/chkconfig vservers off
        # Install the new kernel in LILO
        # reboot
        # Update to the new vserver package
        rpm -Uvh vserver-0.6-1.i386.rpm
        # Enable the vservers package
        /sbin/chkconfig vservers on
        # Start the vservers
        /etc/rc.d/init.d/vservers start

                                  Version 0.7

Enhancements

    /usr/sbin/vserver enhancements

                The utility now handles the following enhancements in the
                vserver configuration file:

               o ULIMIT
                 This  setting  defines  ulimit  settings  passed  to the
                 vserver when it is started.
               o S_CAPS
                 This  contains a set of capability available to vserver.
                 For example, if you want a vserver to be able to do some
                 pings, put the CAP_NET_RAW capability there.

                When  starting  a vserver, the /var/run directory was not
                cleared.  In  some  situation, the various startup script
                were failing because a bogus PID file was left there from
                a previous run.

    chcontext: --cap option

                The   --cap   option   was   added   to   help  configure
                capabilities.  The  --secure  option was too restrictive.
                --secure  is  used  to  remove  critical capabilities and
                --cap  is  used  to invert the effect by adding back some
                capabilities.  This  is  used  by  the  /usr/sbin/vserver
                front-end  to  handle the new S_CAPS /etc/vservers/*.conf
                configuration files.

    chcontext: new --flag values

                Two   new   flags  are  now  handled  by  chcontext  (and
                reducecap).  Those flags are nproc and private. The nproc
                flag  establish  a  hard limit on the number of processes
                run-able  in  a  virtual  server.  It  makes the original
                ulimit (-u) setting global to the vserver instead of just
                per user.

                The  private  flag  is  a  little  weird. Once a security
                context has this flag set, it is not possible to join it.
                Even root in the root server with all capabilities is not
                allowed.  This  makes  the virtual server fairly private.
                Security  context  1  can  still  see which processes are
                executing in the vserver, but can't interfere.

    kernel-2.4.16ctx-4

                A  new  kernel  is  available  as  well.  The changes are
                minimal  this  time  (the old vserver utilities are still
                compatible). Here they are:

               o ext3 file system
                 Since  ext3  is now part of 2.4.16, it has been modified
                 to support the IMMUTABLE_LINKAGE feature.
               o ext3,ext2  and  reiserfs are compiled (not as module) so
                 they can be easily used as root file system.
               o The  nproc  and  private security context flag have been
                 added.  nproc  is  especially  useful to limit the total
                 number  of  process  in  a  vserver.  Fork  bomb are not
                 possible anymore.
               o A little bug fix. It was possible to produce a oops with
                 the new_s_context system call, when called by a non root
                 user in the root server.
                 I  am  also  supplying the patch against 2.4.13 (without
                 the ext3 stuff) for those who wants it.

    The vservers service
                 This  sysv  init  script  is  used to start and stop all
                 virtual private server. It only starts the vservers with
                 the ONBOOT flag set to yes. It used to only end vservers
                 with ONBOOT=yes as well. This was not really helpful. So
                 now  it  starts  the vservers with ONBOOT=yes, but stops
                 any vservers.

    vserver-stat: new utility
                 The  /usr/sbin/vserver-stat  was contributed by Guillaum
                 Dallaire.  It produces a report showing a summary of the
                 different  vservers.  You  see the number of process per
                 vservers for example.
                 Bug fixes

    chbind: identifying network device

                            chbind  had a bad habit of probing the kernel
                            for  any  value  of  the  --ip  command  line
                            option.  Even  if it was not a network device
                            at  all.  This  was  triggering error message
                            from modprobe. It now checks in /proc/net/dev
                            first.

                 Version 0.9

Enhancements

    /usr/sbin/newvserver: new

                                  /usr/sbin/newvserver  is  an admin tool
                                  to  help  create new vserver. It allows
                                  you to enter pretty everything you need
                                  to specify a virtual private server. It
                                  supports   unification.  You  pick  the
                                  reference  vserver and it does the job.
                                  It  creates  the  vserver configuration
                                  file  and update the vserver /etc/hosts
                                  accordingly.

                                  This  utility  works  both in graphical
                                  and  text  mode.  You  must install the
                                  packages        linuxconf-lib       and
                                  linuxconf-util from
                                  [4]http://www.solucorp.qc.ca/linuxconf/
                                  download.hc .

                                  I have separated the vserver package in
                                  two:    vserver    and   vserver-admin.
                                  newvserver is part of the later.

    /usr/sbin/vrpm: new

                                  vrpm  is  a  little wrapper for the rpm
                                  command.  It  lets  you  apply  an  RPM
                                  command   on   several   vservers.  For
                                  example, you can do

        /usr/sbin/vrpm ALL -- -Uvh /tmp/*.rpm
        /usr/sbin/vrpm server1 server2 -- -Uvh this-rpm.rpm

                                  It  takes  care  of  the --root command
                                  line option.

    /usr/sbin/vserver: new features

                                  Various  little  things  were  added to
                                  this command:

                              - /usr/sbin/vserver server stop
                                This  always  umount  /proc  and /dev/pts
                                even  if the vserver was not running. The
                                "enter" command leaves /proc and /dev/pts
                                mounted  and this was causing problems at
                                shutdown time.
                              - /usr/sbin/vserver      server     service
                                service_name start|stop|restart
                                This  is  a  little  helper  to control a
                                service inside a vserver. This allows you
                                to  enter,  act  on  a  sysv  service and
                                leave.
                              - /usr/sbin/vserver    server   exec   some
                                commands
                                This  lets  you  execute a command in the
                                context  of  a  vserver  and  exits.  The
                                "service"   and   "enter"   commands  are
                                implemented on top of that.

    kernel 2.4.17 ctx-5

                                  I  have  tested  the  vserver  patch on
                                  2.4.17.  I have also found a bug in the
                                  ext3  fs for the new immutable-linkage.
                                  Unification  was not working on an ext3
                                  file system. Now all seems fine.

    vbuild: one file system

                                  The /usr/lib/vserver/vbuild utility has
                                  been  enhanced  to  stay  in  one  file
                                  system  only. It is possible to build a
                                  vserver  from  another  which has mount
                                  point (/proc generally) active.

                 Version 0.10

Enhancements

    /usr/lib/vserver/vdu: New

                                  This  is  a  limited  clone  of  the du
                                  command.  It  skips file with more than
                                  one  link.  It  is used to evaluate the
                                  disk usage of an unified vserver. Using
                                  the   normal   du   for  this  task  is
                                  misleading  since  it  will  count  all
                                  unified files.

    /usr/sbin/newvserver: more stats

                                  The  utility now reports more statistic
                                  about  the amount of file and directory
                                  copied/linked.

    CAP_SYS_CHROOT capability

                                  It  is  now  possible  to  remove  this
                                  capability  from a vserver (No process,
                                  not even root, in a vserver can use the
                                  chroot   system   call).   Just   place
                                  !CAP_SYS_CHROOT  in the S_CAPS variable
                                  of the vserver configuration file.

                                  To    support    this    feature,   the
                                  /usr/sbin/vserver   script  had  to  be
                                  reworked a bit since entering a vserver
                                  context  involves  using  chroot. So we
                                  had  to kind of enter the context, then
                                  kill CAP_SYS_CHROOT

    chroot and security issues: plugged

                                  The  new ctx-6 kernel solves the issues
                                  with chroot. With previous kernel, root
                                  inside     a     vserver    with    the
                                  CAP_SYS_CHROOT  capability  was able to
                                  escape out of the vserver and enter the
                                  root  server.  We  solve  this  using a
                                  single line in
                                  fs/namei.c:vfs_permission(). All chroot
                                  escape  involves walking you way toward
                                  the  real  root  using  relative  chdir
                                  (chdir("..")).  The  trick  was to make
                                  the  /vservers directory into a "no man
                                  land" by issuing the following command:

        chmod 000 /vservers

                                  Setting  these  permission  bits  (well
                                  turning   them   all   off)   make  the
                                  directory  inaccessible  for  any other
                                  user  than  root.  The  change  in  the
                                  kernel  ctx-6  makes  such  a directory
                                  unusable  even  by  root in a different
                                  security context (not 0).

                                  The  /usr/sbin/vserver  will create the
                                  /vservers    appropriately.    If   the
                                  directory  exist,  it  will  check  the
                                  permissions  and  signal  the  admin if
                                  they are not 000.

    New kernel ctx-6

                                  The    new   kernel   patch-2.4.17ctx-6
                                  introduce  many  enhancements.  This is
                                  still  binary  compatible, so moving to
                                  this   kernel   does  not  involve  any
                                  configuration   changes.   Updating  to
                                  vserver  0.10 is recommended, but there
                                  is no special upgrade step.

                                  The features are:

                              - /dev/pts  is now private in each vserver.
                                One  vserver  can't see or interfere with
                                the other pseudo-tty of the other server,
                                including the root server.
                              - Network  device:  A  vserver can only see
                                the  network  device  associated with its
                                ipv4 root.
                              - system  V ipc: The sysv ipc resources are
                                now private per security context.
                              - The  fakeinit  concept  allow  usage of a
                                normal /sbin/init in a vserver.
                              - A  signal  handling  bug  was solved. The
                                most  noticeable  feature is that cntrl-C
                                now work when using "vserver name enter".
                                Other   networking   issue  are  probably
                                solved by this.

                                  You  can  get the patch and binaries as
                                  usual from
                                  [5]ftp://ftp.solucorp.qc.ca/pub/vserver
                                  . The pub/vserver/patches also contains
                                  a  relative  patch from ctx-5 to ctx-6.
                                  You can review what was done this way.

                                  This   kernel   plugs   probably   most
                                  security issues. There is still to many
                                  things  visible in /proc as seen from a
                                  vserver. A new file system called vproc
                                  will  be  written  to provide a limited
                                  view.

                                  While  this  kernel  should  prevent  a
                                  vserver administrator to gain access to
                                  the  vserver,  there  are still ways to
                                  produce  some  DOS  by  exhausting  all
                                  resources.   The  nproc  feature  works
                                  correctly  and  control  the  amount of
                                  processes  used by a vserver. Some more
                                  work is needed to address all the other
                                  resource limits (files, memory, ...)

    No NIS domain in a vserver

                                  A  vserver  may be run with a different
                                  NIS  domain  name than the root server.
                                  Or  it could run with the same. To keep
                                  the  same  domain name, one just had to
                                  set  the  S_DOMAINNAME  variable to the
                                  vserver configuration file to nothing.

                                  There  were no way to tell that you did
                                  not want a NIS domain name in a vserver
                                  when  there  was  one  set  in the root
                                  server. You can now enter "none" as the
                                  S_DOMAINNAME value to achieve this.

    Per vserver /sbin/init

                                  The  ctx-6 kernel supports the fakeinit
                                  context  flag.  This flag is entered in
                                  the   S_FLAGS   line   of  the  vserver
                                  configuration file
                                  (/etc/vservers/xx.conf).  Once  you set
                                  this  flag, the vserver will be started
                                  and stop using /sbin/init, found in the
                                  vserver  environment.  This is a normal
                                  /sbin/init    as    supplied   by   the
                                  distribution.  You  should take care of
                                  cleaning up /etc/inittab in the vserver
                                  environment.  Using this feature, it is
                                  possible  to  use  various run level in
                                  the vserver, switch between them and so
                                  on.    You   can   also   use   respawn
                                  /etc/inittab services as well.

                                  Here  is  what  fakeinit  does  in  the
                                  kernel:

                                  This assigned the current process so it
                                  works  like the process number 1. Using
                                  this  trick, a normal /sbin/init may be
                                  run in a vserver. The /usr/sbin/vserver
                                  command  will  use  /sbin/init to start
                                  and   stop   a   vserver.   A  properly
                                  configured   /etc/inittab   is   needed
                                  though.

                              - Processes   loosing   their   parent  are
                                re-parent to this process.
                              - getppid()  done  by child process of this
                                process returns 1.
                              - getpid() done by this process returns 1.
                              - This  process is not shown in /proc since
                                process number 1 is always shown.
                              - An   "initpid"   entry  is  available  in
                                /proc/*/status  to  tell which process is
                                the fake init process.

                                  One  nice  thing  about this feature is
                                  that  the /usr/sbin/vserver is somewhat
                                  distribution   independent.  It  simply
                                  runs  /sbin/init to start a vserver and
                                  then  "/sbin/init  6"  to  stop it (and
                                  then   kills  the  remaining  process).
                                  There  are  some  drawbacks  (for  now)
                                  though and input are welcome.

                                  First,  the vserver start-up is no more
                                  synchronous. The /usr/sbin/vserver used
                                  to  run "/etc/rc.d/rc 3" and wait until
                                  it  ends.  Now, it runs /sbin/init, but
                                  /sbin/init  won't end until the vserver
                                  ends.  So  /usr/sbin/vserver has to let
                                  go  /sbin/init in background. This is a
                                  little annoying.

                                  When a vserver is started like this, we
                                  don't  see  all  the service started as
                                  before.  Without  fakeinit, we see each
                                  service  getting  started and a OK/FAIL
                                  message   for   each.   Now,   it  goes
                                  completely    silent.    I   have   not
                                  investigated  this  behavior. I suspect
                                  /sbin/init   is   opening   a  new  tty
                                  (console) and runs the start-up scripts
                                  using that newly open console.

                                  Since  /sbin/init runs all the start-up
                                  code,  we don't know when it is done so
                                  we  can't run the post-start section of
                                  the      /etc/vservers/xx.sh     script
                                  properly.

                                  Note  that both start-up strategy still
                                  work: fakeinit and the original. So you
                                  current  vserver installation will work
                                  as before without any fiddling. Once we
                                  have  iron  out  the fakeinit drawback,
                                  this  will  become  the  default way of
                                  doing things.

    Some capability missing

                                  The  chcontext  and  reducecap  utility
                                  were incomplete. Many capabilities were
                                  not handled. They are now complete.

Bug fixes

    /usr/sbin/vserver-stat: some fixes

                                  The  vserver-stat  utility  had various
                                  output glitches.

                 Version 0.11

Enhancements

    /usr/sbin/vkill: new<

                                  This is a simple script. You do

        /usr/sbin/vkill PID

                                  and  it  will locate the vserver owning
                                  that   process,   enter   its  security
                                  context and issue the kill.

    /usr/sbin/vserver

                                  Various enhancements:

                              - /var/run
                                Only  files  are  erased from /var/run at
                                vserver    build   and   start-up   time.
                                Sub-directories     are    left.    Also,
                                /var/run/utmp   is   created   empty   at
                                start-up time.
                              - /var/log/wtmp
                                It  is  created  empty  at  vserver build
                                time. It is ignored after that.
                              - 5 seconds sleep after stopping a vserver,
                                before killing the remaining processes. 5
                                instead of 2.
                              - S_CAPS  not  processed  when  entering  a
                                vserver
                                When  entering  a  running  vserver,  the
                                S_CAPS  setting  was  not enabled for the
                                shell.  So  if  you had given the vserver
                                some    capabilities,   they   were   not
                                available when using "enter".

    Dynamic system call number

                                  The  2 system calls used by the vserver
                                  project  are  not  yet  reserved in the
                                  kernel.   To   help  people  using  the
                                  vserver   patch   with  other  patches,
                                  having  conflicting system call number,
                                  the  ctx-8 publish in /proc/self/status
                                  the  system  call  numbers. The various
                                  utilities    (chbind,   reducecap   and
                                  chcontext)  are  using this information
                                  on  the fly. So you can move the system
                                  call  around  and  the  utilities  keep
                                  working without recompile.

    kernel ctx-8

                                  Here is a small change log:

                              - Dynamic system calls numbering
                              - Per user/per context resources.
                                The  ulimit  resources for a user used to
                                be  shared across vserver. This was plain
                                wrong  since  user  ID  N in a vserver is
                                unrelated   to   user  ID  N  in  another
                                vserver.
                                Contributed     by     Patrick     Schaaf
                                <bof@bof.de>
                              - Using 127.0.0.1 in a vserver.
                                Note,    this   is   unrelated   to   the
                                multi-IP-per-vserver  concept.  A vserver
                                normally  use  a  single IP to listen and
                                talk.  In general, this is not a problem.
                                But  it  breaks  a  little semantic. Most
                                services out there simply do a bind on IP
                                0.0.0.0.  This  way,  they expect to grab
                                any  incoming  traffic.  They also expect
                                that  talking  to 127.0.0.1 is a good way
                                (configuration    less)    to   talk   to
                                themselves.   Some   services  are  using
                                localhost   (which  is  redirect  to  the
                                ipv4root  of  the  vserver)  and some are
                                using 127.0.0.1 directly.
                                The  ctx-8  kernel  now maps 127.0.0.1 to
                                the  ipv4root  of the vserver on the fly.
                                This  solves  some  issues with samba and
                                should  also (not tested) solve the issue
                                with PostgreSQL.
                              - Per vserver network activity.
                                The  output of netstat is now filtered by
                                vserver.   This  includes  /proc/net/tcp.
                                This  is  not done per ipv4root but using
                                the    security    context.    This   was
                                contributed     by    Martin    Josefsson
                                <gandalf@wlug.westbo.se>

    Man pages for most utilities

                                  Thanks  to  klavs klavsen <kl@vsen.dk>,
                                  we   have   now  a  man  page  for  all
                                  utilities.  Now, we need a man page for
                                  the 2 system calls.

                 Version 0.12

Enhancements

    kernel 2.4.18ctx-8

                                  Nothing    new    vserver   wise.   The
                                  patch-2.4.17ctx-8  was  adapted  to the
                                  new  kernel  2.4.18.  There  were minor
                                  adjustment  needed in kernel/exit.c and
                                  kernel/fork.c. No new features.

                                  2.4.18   introduces  new  system  calls
                                  (reserved  at least), so we had to move
                                  our   own  at  the  end.  If  you  have
                                  vserver-0.12, it does not matter, as it
                                  adapts  to  the  kernel on the fly. You
                                  can  use  the  same  binary  to  run  a
                                  2.4.17ctx-any   kernel   or   the   new
                                  2.4.18ctx-8.

Bug fixes

    dynamic system call

                                  There was a bug. It was not working for
                                  the  new_s_context.  To move to the new
                                  2.4.18ctx-8     kernel,     you    need
                                  vserver-0.12.

                                  vserver-stat was changed to use the new
                                  dynamic system call feature

                 Version 0.13

Bug fixes

    Dynamic system call number, a glitch

                                  Since vserver 0.11, the vserver utility
                                  are  able  to  probe the kernel to find
                                  the   number   of   the   system  calls
                                  new_s_context   and  set_ipv4root.  The
                                  same   binaries   may   be   used  with
                                  different kernels (where the new system
                                  calls have different numbers).

                                  This  was  done  because the two system
                                  calls are not official( reserved in the
                                  official  kernel) and probably won't be
                                  until we have covered more grounds...

                                  vserver-0.12 uncovered a flaw where the
                                  file /proc/self/status was not properly
                                  parsed.  But  there was another gotcha.
                                  When  used  with an older kernel (older
                                  than  2.4.17ctx-8),  the  utility  were
                                  using the values in
                                  /usr/include/asm/unistd.h.
                                  Unfortunately,    those    values   are
                                  dependent   on   the  kernel  currently
                                  installed  on your computer. If it is a
                                  2.4.18  kernel,  the  system calls have
                                  different  number  than on older 2.4.17
                                  kernel.

                                  To    make   the   story   short,   the
                                  vserver-0.13  utilities are not relying
                                  on kernel headers for their default, so
                                  work  with  older kernel as well as the
                                  new  2.4.17ctx-8  or  2.4.18ctx-8. They
                                  have been tested on 2.4.17ctx-6. Please
                                  upgrade.

                 Version 0.14

Enhancements

    chbind: broadcast address

                                  chbind  accepts  the --bcast option. It
                                  is   supporting  the  new  set_ipv4root
                                  which  requires  an  IP  number  and  a
                                  broadcast address.

                                  If  you  only  specify  the --ip option
                                  with a device, the broadcast address of
                                  the device is used. This is used namely
                                  in the /etc/init.d/v_xxxx services.

/usr/sbin/chbind --ip eth0 /bin/sh

                                  the  new  chbind works on older kernel.
                                  The   broadcast   address   is   simply
                                  ignored.

    kernel 2.4.18ctx-9: set_ipv4root changed

                                  This new kernel enhances set_ipv4root a
                                  bit.  This  is not the multi-ip support
                                  yet    though.   This   kernel   allows
                                  application  relying  on  broadcast  to
                                  work  in  vservers.  The  trick  is  to
                                  assigned   both  an  IP  number  and  a
                                  broadcast  address  to  a  vserver. The
                                  socket  handling for UDP was modified a
                                  little  (one line in net/ipv4/udp.c) so
                                  an  incoming  packet is processed if it
                                  matched  the  vserver IP or the vserver
                                  broadcast address.

                                  There  is  no  configuration changed to
                                  take  advantage  of  that. You need the
                                  new kernel and vserver-0.14. Stuff like
                                  samba  (which  was  already  working in
                                  most cases) are now working completely.
                                  Even  dhcpd works inside a vserver (see
                                  the FAQ though).

                                  So  the  set_ipv4root  was changed, but
                                  the  kernel sports a syscall versioning
                                  system and vserver-0.14 supports it. So
                                  vserver-0.14   works   with  any  "ctx"
                                  kernel.  The new kernel works also with
                                  older   vserver  utilities  except  the
                                  vserver   broadcast   address  will  be
                                  improperly assigned.

    vfiles: new utility

                                  The  vfiles  utility is used to extract
                                  the  list  of  non-unifiable files in a
                                  vserver. The utility works like this

/usr/sbin/vfiles reference-server server

                                  Using  the  output of this command, one
                                  may archive only the relevant part of a
                                  vserver.  You  can  use  this to move a
                                  vserver  from  one  server  to another.
                                  Only  move  few  megs.  On  the  target
                                  server,  use vunify to fill the missing
                                  files.   You   must  have  a  identical
                                  reference  server  on the target server
                                  though.

                                  Anyway,  this  is general purpose. Life
                                  may  tell  us  if this is really useful
                                  :-)

    vps reworked

                                  vps was reworked a little. The previous
                                  version was not working on some distro.
                                  Test it out.

    vserver configuration file

                                  There  are  two new optional entries in
                                  /etc/vservers/*.conf:

                              - IPROOTMASK:  This  is the netmask used to
                                configure  the  IP  alias. By default, it
                                uses the netmask of the IPROOTDEV device.
                              - IPROOTBCAST:   This   is   the  broadcast
                                address  used  to configure the IP alias.
                                Again,   it  uses  the  IPROOTDEV  device
                                settings by default.

                                  You  generally  do  not  need to assign
                                  those fields. Just upgrading to vserver
                                  0.14  and  restarting  your vserver and
                                  the  IP  alias  will be configure. This
                                  was  an issue for some service (as seen
                                  on  the  mailing  list).  Prior version
                                  were  always  setting  the  netmask  to
                                  255.255.255.255.

    vserver-stat and dynamic system calls

                                  The utility was using fixed system call
                                  numbers   unlike   the   other  vserver
                                  utilities. Fixed!

    v_xxxx services enhancements

                                  /etc/init.d/v_sendmail was added to the
                                  list.  By  default  each v_xxxx service
                                  perform  a  chbind  on  the  main  eth0
                                  address.  For  each  service,  you  can
                                  setup a file called
                                  /etc/vservices/service.conf   (one  per
                                  service). In that file, you can specify
                                  a different IP or device.

IP=x.y.z.w

                                  The   extra   configuration   file   is
                                  optional.

                 Version 0.16

Enhancements

    Install vserver from cdrom

                                  This  is  a start and contributions are
                                  welcome. I have written a script called
                                  /usr/lib/vserver/install-rh7.2.    This
                                  script  expects  a single argument (for
                                  now),  which is the name of the vserver
                                  to  create.  It  will install a vserver
                                  based  on  Red  Hat  7.2  CD  (found in
                                  /mnt/cdrom)  from  scratch.  It  is not
                                  using   the  root  server  at  all.  It
                                  installs  everything from the first CD.
                                  With    unification,   it   creates   a
                                  not-so-big  vserver and contains pretty
                                  much anything an admin might want.

                                  I  would  be interested in other script
                                  like this to install SuSE, Mandrake and
                                  Debian from scratch. At some point, the
                                  newvserver  front-end  will offer those
                                  in the pop-up list. So you will be able
                                  to install either from the root server,
                                  from   another   vserver  or  from  any
                                  distribution CDroms.

                                  Contribution welcome :-)

    v services all supporting /etc/vservices/*.conf configuration

                                  All  the /etc/init.d/v_xxx services are
                                  now  completed  and  use  the  optional
                                  /etc/vservices/xxx.conf file. This file
                                  provides  the  IP number to use to bind
                                  the service. By default, the service is
                                  bound to eth0. Using the optional file,
                                  you bind it to whatever you want

                                  For example:

        IP=eth1
        IP=192.168.1.1

    Various /usr/sbin/vxxxx utilities

                                  Utilities   like   vtop,   vpstree  and
                                  friends  are  using /usr/sbin/chcontext
                                  to switch to context number 1. They are
                                  using  the --silent option so you don't
                                  see  the  "New  security  context is 1"
                                  needlessly.

    vserver script enhancement

                                  A  vserver  may operate with 0.0.0.0 as
                                  its  IPROOT.  This means the vserver is
                                  allowed  to  use  any IP it wants, like
                                  the root server. The vserver script was
                                  trying  to setup and IP alias with this
                                  address.

                                  When   not   using  the  fakeinit  (per
                                  vserver  private init process) facility
                                  the  vserver  script  was  starting  in
                                  runlevel 3. It is now using the default
                                  runlevel  (initdefault)  found  in  the
                                  vserver  /etc/inittab  file.  One  step
                                  closer to have this script distribution
                                  independent. Please test it and send me
                                  other fixes as needed.

                                  The    script   uses   /etc/init.d   or
                                  /etc/rc.d/init.d on the fly.

                                  When  stopping  a vserver, the IP alias
                                  is  removed even if the vserver was not
                                  running.  When  you  "enter" a vserver,
                                  the  IP  alias  is put in place. If you
                                  stop  it,  it  is  removed.  Especially
                                  useful  when  you  fiddle  with  a  two
                                  copies   of  a  vserver  (on  different
                                  physical server).

                                  When  stopping  a  vserver, the vserver
                                  script  /etc/vservers/xx.sh  is  always
                                  called  with the post-stop argument. So
                                  doing   a   "vserver   xx  stop"  clean
                                  everything.

                                  When  doing  "vserver  xx  exec ..." or
                                  "vserver  xx  enter" and the vserver xx
                                  is not running, the /etc/vservers/xx.sh
                                  script  is  called  with  the pre-start
                                  option,  making  sure  the  vserver  is
                                  entered with the proper environment.

                                  When  doing "vserver xx enter", bash is
                                  started  with  the option --login. This
                                  insure proper environment settings.

Bug fixes

    chcontext: printing wrong result

                                  When  switching  to a specific security
                                  context (generally context number one),
                                  chcontext  was  reporting  0 as the new
                                  context. A little miss-leading. Fixed!

    cosmetic bug in save_s_context and vserverkillall

                                  Those two utilities were reporting some
                                  shell  errors. Although arm-less it was
                                  annoying.  You  could  see the bug when
                                  shutting down a vserver.

    kernel ctx-10

                                  Thanks  to  Willy  Tarreau, the netstat
                                  bug  in  kernel  2.4.18ctx-9  is fixed.
                                  2.4.18ctx-10 is the same thing as ctx-9
                                  with  only  cosmetic  change + a little
                                  rework  of  "struct  sock".  The  added
                                  field  (in ctx-9) has been moved closer
                                  to  the  end  of  the  structure so the
                                  beginning  of  "struct sock" still look
                                  like  another kernel structure. (C does
                                  not have inheritance...).

                                  Now  that 2.4.18ctx-10 works (should be
                                  as reliable as 2.4.18ctx-8), it is time
                                  to test ctx-9 enhancements, notably the
                                  ability  to  support  UDP  broadcast in
                                  vservers. Samba now work completely out
                                  of the box in a vserver. Please test it
                                  out.

    vbuild and vunify: zombies process

                                  The  vbuild  and vunify are calling the
                                  rpm  command  repeatedly  and  were not
                                  waiting  properly  for  its end status.
                                  This  was  creating  many  many  zombie
                                  processes. Fixed!

    vservers sysv init script

                                  This    script    was    sourcing   the
                                  /etc/init.d/functions script uselessly.
                                  This   script   is   a  RedHat-ism  and
                                  vservers   do   not  need  any  of  its
                                  facility anyway.

                 Version 0.17

Bug fixes

    Compilation with stdc++

                                  Some    glibc   distribution   requires
                                  linking  stdc++  while other not. I add
                                  it anyway and it should work on all.

    vserver xx enter

                                  This  was using "bash --login" to setup
                                  a  shell in the vserver environment. It
                                  is  now  using  -login,  which works on
                                  both new and older bash.

                 Version 0.18

Enhancements

    Building vservers out of RedHat CDs

                                  The   newvserver   utility   has   been
                                  enhanced so you can interactively build
                                  vservers  from  the  first Redhat CD or
                                  either  7.2  or  7.3.  This  is done by
                                  using the
                                  /usr/lib/vserver/install-rh7,2       or
                                  install-rh7.3  script. The later is new
                                  in vserver 0.18.

                                  The  build  process  configure properly
                                  /etc/sysconfig/network   to  help  some
                                  package  operate properly. netatalk for
                                  one    grabs   the   host   name   from
                                  /etc/sysconfig/network.

    kernel ctx-12: binding to the broadcast address

                                  ctx-12  allows  this.  A  normal kernel
                                  allows this as well.

    kernel ctx-12: multi-IP

                                  The  new  kernel  supports  multiple IP
                                  numbers  assigned  to  a  vserver. This
                                  allows  a  vserver to setup services on
                                  more  than one IP. To make use of that,
                                  you  simply  enter several IP number in
                                  the   IPROOT   field   of  the  vserver
                                  configuration file:

        IPROOT="192.168.1.1 192.168.1.2"

                                  Do not forget the quotes!

                                  The  vserver  utility  will  create the
                                  necessary  IP aliases. The first one is
                                  created    using   the   vserver   name
                                  (eth0:name)  and the other are adding a
                                  number   as   a   suffix   (eth0:name1,
                                  eth0:name2, ...).

                                  The multi-IP support keeps the original
                                  semantic of the vserver in some ways. A
                                  service  doing  a  bind  ANY  (bind  to
                                  0.0.0.0)  will  setup its IP service on
                                  the  first IP number of the vserver. If
                                  you  wants to listen to several IP, you
                                  will need to configure your service for
                                  each IP number explicitly. For example,
                                  for  apache,  you  will  need  multiple
                                  listen  statements.  By default, apache
                                  has  a  "listen  80"  statement (a bind
                                  any)  which translate in a vserver to a
                                  listen  first-ip-of-the-vserver:80.  So
                                  you  must  simply  add listen statement
                                  for  the remaining IP. For example, for
                                  the above IPROOT statement:

        listen 192.168.1.2:80

                                  This  departs  from the normal behavior
                                  of  a Unix/Linux OS. When you do a bind
                                  any,  you  end up listening to every IP
                                  configured  on  the  box.  It  was  not
                                  possible  to achieve that easily in the
                                  kernel,  while keeping performance high
                                  (100%)  and yet control which IP may be
                                  use   by   a  vserver.  So  this  is  a
                                  compromise.  Time  will tell how usable
                                  it is.

Bug fixes

    Building the package on rh6.2

                                  The    vserver    source   do   include
                                  linux/capability.h.  Mixing  kernel and
                                  glibc   header  is  not  a  good  thing
                                  (generally),  but  glibc do not provide
                                  support  for capabilities yet. This was
                                  causing  some strange problem (remember
                                  the  thread "C++ sucks". This was fixed
                                  by  moving  the  #include capability.h>
                                  after  the  other  #include  in various
                                  source.

                 Version 0.19

Enhancements

    C++ issues

                                  The  pfstream stuff has been removed so
                                  the  utility  should compile with newer
                                  libraries   (the   pfstream  stuff  was
                                  deprecated).

    Debian support

                                  The vserver command now support Debian.
                                  It  does  it on the fly. It knows where
                                  to  find  the runlevel start-up script,
                                  how to turn on and off a service and so
                                  on.

                                  There  are  still  few  things to do to
                                  completely  support Debian, notably the
                                  unification  of  DEB  package.  We  are
                                  getting there.

    Multi IP on several devices

                                  Since  kernel  ctx-12, you can setup up
                                  to  16  IPs  per vserver. All those IPs
                                  had   to   be   on   the   same  device
                                  (IPROOTDEV).  It  is  now  possible  to
                                  assign  those  IPs  to several devices,
                                  using the explicit syntax:

        IPROOT="eth0:1.2.3.4 eth1:2.3.4.5 192.168.1.2"
        IPROOTDEV=eth2

                                  In  the  above example, IP 1.2.3.4 will
                                  be  setup  on device eth0, 2.3.4.5 will
                                  be  installed  on  eth1 and 192.168.1.2
                                  will  go  on eth2 (IPROOTDEV is used by
                                  default).

    Packaging

                                  All  the  scripts have been modified to
                                  allow  the  package  to  be  moved in a
                                  different  location.  All the /usr/sbin
                                  and  /usr/lib/vserver  have been change
                                  to  use $USR_SBIN and $USR_LIB_VSERVER.
                                  At the top of each script, those macros
                                  are defined. The install-fix.sh utility
                                  patch  the  script  with  the effective
                                  value of those macros.

                                  This way, the package could be moved to
                                  /usr/local/sbin and
                                  /usr/local/lib/vserver if needed.

    vrpm enhancements

                                  The  vrpm  command is trying to run the
                                  rpm  command  in the proper context (if
                                  the vserver is running) so post-install
                                  script  will  have  proper  effect (and
                                  won't interfere with the root server).

    vserver command enhancements

                                  The "suexec" command was added. You can
                                  execute  a command in a vserver context
                                  under  a specific user-id (known to the
                                  vserver). It works like this

        vserver NAME suexec user command args ...

                                  The  "status"  command  was  added.  It
                                  reports  some information about a given
                                  vserver. Here is an example:

        $ /usr/sbin/vserver smb001 status
        Server smb001 is running
        18 processes running
        Vserver uptime: 12:01

                                  The  --silent general option was added.
                                  It  kills  all informative messages. It
                                  is  generally  used  with  the  exec or
                                  running command. For example:

        # Counting the processes
        vserver --silent XXX exec ps ax | wc -l

    v_xxx pseudo services support multi-IP

                                  The  various  pseudo  services  such as
                                  v_httpd and friends have been reworked.
                                  Previously   they   were   setting  the
                                  ipv4root  to eth0 and starting the real
                                  service.  It  was  possible to override
                                  the    IP    by   providing   a   small
                                  configuration  file  in /etc/vservices.
                                  For  a  pseudo service v_xxx, you could
                                  setup    /etc/vservices/xxx.conf    and
                                  inside,  define the variable IP. It was
                                  possible  to  enter one IP only. Now it
                                  is  possible  to  enter  two or more IP
                                  like this

        # File /etc/vservices/xxx.conf
        IP="1.2.3.4 2.3.4.5 192.168.1.2"

                 Version 0.20

Enhancements

    More documentation in the package

                                  The   package  now  contains  the  full
                                  change-log,  the documentation found on
                                  the  net  and the FAQ. All formatted in
                                  text.

    vrpm --unify option

                                  The  vrpm  command has been enhanced to
                                  apply  vunify  to  the  packages  it is
                                  updating immediately. You simply do

        vrpm --unify serv1 serv2 -- -Uvh some packages ...

    vserver using $@ instead of $*

                                  When   using   vserver  xxx  exec,  the
                                  argument are passed using $@ instead of
                                  $*,     preserving    their    topology
                                  (preserving  argument with spaces). The
                                  save_s_context   script  was  fixed  as
                                  well.

Bug fixes

    rebootmgr sysv script broken

                                  In  0.18,  the system V init script for
                                  the  reboot  manager  service  was  not
                                  working.  The service was not starting.
                                  As   such,   vservers  were  unable  to
                                  request a reboot.

    vserver-stat displays in Bytes instead of bits...

                                  vserver-stat   was  displaying  various
                                  quantities  using Kb, Mb, Gb instead of
                                  KB,  MB,  and GB. vserver-stat can also
                                  display  TB,  but I could not tested it
                                  :-)

                 Version 0.21

Enhancements

    /usr/lib/vserver/vcheck: new

                                  The  vcheck utility has been created to
                                  verify package integrity in one vserver
                                  using  the  package database of another
                                  server.  This is a first step to create
                                  a Linux server where one can answer the
                                  following questions:

                              - Has this server been cracked ?
                              - What was changed ?

                                  Currently,    there    is    no   Linux
                                  distribution  (no OS in fact) which may
                                  answer  those  questions. Once a server
                                  has  been abused, the intruder may have
                                  changed  quite a lot and may have cover
                                  his  tracks. When you execute a command
                                  on  such  a  machine,  you can't really
                                  trust the output.

                                  Now, on a linux server running vservers
                                  and  no  network  service  in  the root
                                  server,   you  have  one  part  of  the
                                  solution.   The  root  server  and  the
                                  kernel  can't  be  tempered. So you can
                                  always  trust  the various commands you
                                  are running.

                                  <BIG disclaimer>

                                  Now proving that along its entire life,
                                  the  root  server has never been opened
                                  to   crack   attempt,  is  a  difficult
                                  project.  All  I  say  is  that  a root
                                  vserver  can't  be  modified  from  the
                                  vservers  or anywhere else if it has no
                                  network service.

                                  This  is  nevertheless  one goal of the
                                  vserver  project.  Create  a robust and
                                  trusted  root  server  in which you can
                                  run  all  kind of more flexible virtual
                                  servers.

                                  </BIG disclaimer>

                                  Back to our normal schedule...

                                  So if you trust the root server and you
                                  trust  another (reference) vserver (one
                                  which  is  never  running), you can use
                                  the  vcheck  utility  to perform an rpm
                                  verify   command,  but  using  the  RPM
                                  database  in the reference vserver. The
                                  corresponding packages will be checked.

        vcheck --verify refvserver vserver1 vserver2 ...

                                  vcheck  has another option, --diffpkgs,
                                  to  compare  the  package  list  in  to
                                  vserver.  You  can  see how to vservers
                                  evolved.

    Argument quoting part 2

                                  The   vserver  command  was  discarding
                                  argument  topology.  A  fix was done in
                                  0.20,  but it was flawed. Now it should
                                  work fine. You can do things like:

        /usr/sbin/vserver server exec command "argument with space"

                                  And  the  command will receive a single
                                  argument.

    GCC 3.2 support

                                  The  various  little  fixes  have  been
                                  added  so the project compiles properly
                                  using GCC 3.2.

    newvserver enhancements

                                  Two  section  has  been  added  to  the
                                  dialog.  One  is  "authentication".  It
                                  lets   you   enter   the  vserver  root
                                  password,   select   if  you  want  MD5
                                  passwords and shadow passwords.

                                  The  other  section is called NIS/Ldap.
                                  It  lets  you enter the NIS domain, NIS
                                  server, LDAP base dn and LDAP server.

                                  Both  section are normally found at the
                                  end  of  the  installation  of  a Linux
                                  distribution.

                                  This  information  is  enabled  in  the
                                  vserver  using  the authconfig command.
                                  Not   all   distribution   carry   this
                                  command. We will have to figure out how
                                  to  enable this on all distribution. If
                                  /usr/sbin/authconfig  is missing in the
                                  vserver,   the   information   is   not
                                  applied. So newvserver works anyway.

    newvserver: installing from mandrake 8.2 and redhat 8.0

                                  I  have  modified newvserver to install
                                  from  those  OS.  Mandrake 8.2 does not
                                  work  yet  (work in progress). Not sure
                                  why.  RedHat  8.0  kind  of  work.  The
                                  problem is really weird. When I execute
                                  the  following script on RedHat 8.0, to
                                  install a Redhat 8.0 vserver newvserver
                                  do:

        /usr/lib/vserver/install-rh8.0 redhat full

                                  Now,  if  you  run this with the Redhat
                                  supplied  kernel (2.4.18-14), it works.
                                  If    you    use    a   2.4.19   kernel
                                  (2.4.19ctx-14    for    example),   rpm
                                  installs  few  package  and  then  wait
                                  forever,  trapped  in  a pause() system
                                  call.

                                  I have not yet explain this behavior.

    rebootmgr using pidfile

                                  The  rebootmgr  service  now uses a PID
                                  file  to locate the process. This makes
                                  the system V init script more reliable.
                                  The  script itself does not include the
                                  "function"  helper script anymore. This
                                  is a redhat-ism and it was not using it
                                  anyway.

    vserver --nodev option

                                  Sometime,  you  wish to enter a vserver
                                  without  enabling  its  network device.
                                  You often need this because the vserver
                                  is  a  copy  and  the  real  vserver is
                                  already  running  on  another  physical
                                  server. Enabling the device would cause
                                  clashes on the network.

                                  The --nodev option tells vserver not to
                                  skip this step.

        /usr/sbin/vserver --nodev server enter

    vserver: vlan support

                                  A  vserver  may  be  installed on an IP
                                  number  sitting  on  a  different  vlan
                                  (Virtual    LAN).   You   specify   the
                                  IPROOTDEV has device.vlannum (eth0.231)
                                  or the IPROOT using device.vlannum:IP.

                                  An IP alias will be set on this virtual
                                  device  after  configuring  it. It uses
                                  the  loopback  number as the default IP
                                  to configure the vlan device.

Bug fixes

    capchroot: incompatible NSS plug-gins

                                  capchroot  is used to cross the vserver
                                  root  and then select the proper UID to
                                  execute   the  command.  Unfortunately,
                                  this  program  is  started  in the root
                                  server  environment,  then  switch  the
                                  root  and  then  uses getpwnam to learn
                                  about the user ID of a named user.

                                  to  perform  the getpwnam() call, glibc
                                  uses    NSS   (Name   Service   Switch)
                                  plug-gins    to    access    the   user
                                  information.  These plug-gins are taken
                                  in  the vserver environment and are not
                                  always  compatible with the root server
                                  glibc.

                                  To  avoid  this problem, we really need
                                  two  utilities. One running in the root
                                  server, switching root and then calling
                                  another  (/bin/id  ?) in the vserver to
                                  learn  about  the  user. This way, both
                                  utilities  will be compatible with each
                                  world.  Remember that a root server may
                                  be  some Linux distribution/release and
                                  the  vserver  may  be running a totally
                                  different distribution/release.

                                  For  now,  I  have  fixed  the  problem
                                  somewhat,  but it is not perfect Before
                                  switching    root,    I    perform    a
                                  getpwnam("root"),  so the plug-gins are
                                  loaded.   When   I   perform  the  real
                                  getpwnam,   after   the   switch,   the
                                  plug-gins are already in memory so they
                                  work.  Further,  if  the target user is
                                  root,  I  do not need to perform any of
                                  this and uses the UID 0.

                                  Note  that  this  capchroot  feature is
                                  needed by the suexec sub-command of the
                                  vserver command.

                                  This  cheat kind of works. It works for
                                  most  people.  Now,  if your vserver is
                                  running  NIS  and not your root server,
                                  for  example,  then  the  NSS plug-gins
                                  loaded  are  not  the one needed in the
                                  vserver. In this case it does not work.

                                  We  will  need  a  better solution. For
                                  now,  what we have will work for pretty
                                  much everybody.

    Stopping a vserver on debian

                                  The  vserver script was not setting the
                                  PREVLEVEL  environment  variable before
                                  switching  to  runlevel 6. This has the
                                  effect  of  not  stopping  the services
                                  properly.

                 Version 0.22

Enhancements

    kernel 2.4.19ctx-15

                                  A  new  kernel  patch  is available. It
                                  tool   some   time   to   achieve/debug
                                  (another   tcp_tw_bucket   issue,  like
                                  ctx-9). Here are the features:

                              - When sending an UDP request, the ipv4root
                                is  used  as  the  source  IP.  Prior  to
                                ctx-15,  an  IP  of  the  host server was
                                used,  so  the  reply  was  never getting
                                back.   ypbind   in  broadcast  mode  was
                                failing because of that.
                              - Bind(any) with multiple IPs. This was not
                                working  previously. You had to setup one
                                listening socket per IP. Now, the default
                                operation  mode of most IP services, does
                                what  you expect: It receives any request
                                coming to one of the IPs of the vserver.
                              - Bind(any)  and netstat: When performing a
                                bind(any),  it  will  show  this  way  in
                                netstat. Cool. there is one little catch.
                                If  you  perform  a  netstat  in the root
                                server  using  the security context 1 (so
                                you can see sockets of all vservers), you
                                will   see  potentially  several  sockets
                                bound  to the same port using the 0.0.0.0
                                address.
                                How confusing...
                                This  is  normal.  Unless two vserver are
                                sharing  some IPs, they are allowed to do
                                a  bind(0.0.0.0)  on the same port and it
                                will  show  this way. So this is a little
                                strange in the root server, but perfectly
                                ok in the vserver.
                              - A small optimization with bind(any) and a
                                single  IP.  The previous semantic was to
                                map  a  bind(any)  to the first IP of the
                                vserver  (ipv4root).  This  semantic  was
                                kept  as an optimization in the kernel in
                                the case where a vserver has a single IP.
                                This is the common case.
                                This  optimization  may  go  away, maybe,
                                when  we  will  attack  the  per  vserver
                                private  network  loopback.  Depending on
                                the  solution  selected,  the common case
                                may  become  two  IPs  per  vserver  (the
                                loopback and the main IP).

                                  I  have not done any benchmark with the
                                  new  bind(any)  stuff.  It  might  be a
                                  little slower. Potentially not visible.
                                  Comments welcome.

    newvserver: Excluded directories

                                  When  building  a  new  vserver  out of
                                  another,    you    can    exclude   few
                                  directories.    Only    the   directory
                                  structure  will  be copied. By default,
                                  newvserver  exclude  /var/log, /var/run
                                  and /var/spool/mail.

                                  There  is a TAB in the form to enter up
                                  to 4 directories to exclude.

    newvserver: sshd cleanup

                                  When cloning a vserver, you may want to
                                  reset the sshd private keys so new ones
                                  are   generated.  A  check-box  is  now
                                  provided  to  handle  that. It is on by
                                  default.

                                  This  avoids  having  all  your vserver
                                  ending   with  the  same  sshd  private
                                  keys...

    Per IP netmask

                                  The   IPROOT   entry   in  the  vserver
                                  configuration   file  now  support  one
                                  netmask  per entry. The complete syntax
                                  is

IPROOT="[device:]ip[/netmask] ..."

                                  where   stuff   in  square  bracket  is
                                  optional.

    server run-level

                                  A  vserver  does  not  use its own init
                                  process   unless   fakeinit   is  used.
                                  Normally    /sbin/init    writes   into
                                  /var/run/utmp  to  record  the  current
                                  run-level  and  some  tools  are  using
                                  that.

                                  Now even if you are not using fakeinit,
                                  /var/run/utmp  is  properly initialized
                                  with  the  proper runlevel (as found in
                                  /etc/inittab).

    vbuild: new --excldir option

                                  When  using  vbuild to clone a vserver,
                                  you   can   use  the  --excldir  option
                                  repeatedly  to  exclude some files. The
                                  directory  structure is duplicated, but
                                  no  file  is  copied.  This  is used by
                                  newvserver.

    vrpm: No unification is /var/log

                                  When  using  the  --unify, the /var/log
                                  directory  is  excluded.  Some packages
                                  are  owning  files  there  and  are not
                                  tagged  as configuration file (which is
                                  fair). Unifying those files is creating
                                  problems.

                                  This  problem  was specific to /var/log
                                  (and  everything under) as far as I can
                                  see,  so this is hard-coded in the vrpm
                                  script.

    vserver profiles

                                  It  is  sometime  useful  to  operate a
                                  vserver  with  some  settings  and then
                                  operate  it  with different settings. A
                                  setting  is called a profile and covers
                                  the S_HOSTNAME, IPROOT and IPROOTDEV.

                                  There are two ways to select a profile:

                              - Edit  the  configuration  file and insert
                                PROFILE=somename
                              - PROFILE=somename vserver XX start

                                  Once  you have started a vserver with a
                                  given  profile,  it  is  stored  in the
                                  /var/run/vserver/XX.ctx  file,  so  you
                                  can  enter  and  stop the vserver using
                                  the  active  profile,  even if you have
                                  changed   the   profile  value  in  the
                                  configuration file.

                                  The  newvserver  tool has been modified
                                  so you can immediately enter the second
                                  profile  value. By default, one profile
                                  is  called prod and the other is called
                                  backup.

                                  vservers  may  be  used  as a fail-over
                                  strategy  where  whole  servers  may be
                                  switched on and off on the fly. Now one
                                  may   use   some  synchronization  tool
                                  (rsync ?) to make sure the backup is up
                                  to date. Sometime, it is not enough and
                                  you wish to maintain the backup in sync
                                  with    the   production   vserver   in
                                  real-time  or  almost. To perform that,
                                  you  need  to enable the backup server,
                                  but   you  can't  do  that  unless  you
                                  provide   different   network   setting
                                  (avoid  having two vserver running with
                                  the  same  IP).  So the profile concept
                                  was introduced.

                                  When  starting  a vserver using a given
                                  profile,   the   environment   variable
                                  PROFILE  is  defined so you can perform
                                  various  action  such as exchanging key
                                  configuration  file,  starting services
                                  differently and so on.

                                  Linuxconf  users may want to enable the
                                  switchprofile pseudo service (available
                                  lately)  to  switch  between  different
                                  configuration file set.

    vserver: empty IPROOT

                                  When  a  vserver must run with the same
                                  IP as the root server, the trick was to
                                  set   IPROOT=0.0.0.0.  Now  setting  an
                                  empty  IPROOT  is  equivalent (and more
                                  intuitive).

Bug fixes

    vserver: setting resources when using enter or exec

                                  The  vserver was not setting the ulimit
                                  resources when performing an "enter" or
                                  "exec" command. Fixed!

                 Version 0.23

Enhancements

    Support for 17c kernel

                                  The   kernel   ctx-17c  support  proper
                                  selection  of  the  source  IP based on
                                  routing information. This is useful for
                                  vservers   with   several   IP  numbers
                                  connected to private networks.

                                  When  you enter the IP addresses of the
                                  vserver,  you  may  specify the netmask
                                  associated   with   this  address.  The
                                  syntax is

        IPV4ROOT=[device:]ip/mask ...

                                  The  /mask  is  new.  If  you forget to
                                  enter the mask, it is using the mask of
                                  the  device  on which the ip alias will
                                  be set.

                 Version 0.26

Enhancements

    /etc/vservers/install-post.sh

                                  if  this  script  exists,  it  will  be
                                  executed after you create a new vserver
                                  with the newvserver command. The script
                                  receives a single argument: The path of
                                  the vserver (/vserver/vserver-name).

    /usr/lib/vserver/distrib-info: new

                                  All the utility originally using RPM to
                                  probe  one vserver package database are
                                  now using the script
                                  /usr/lib/vserver/distrib-info.  This is
                                  a    front-end   to   potentially   all
                                  packaging  system.  Currently, only RPM
                                  is   supported   but   DEB   and  other
                                  packaging   facility  could  be  added,
                                  making  all  application  like  vunify,
                                  vbuild,  newvserver  and  friend,  more
                                  general.

                                  Debian  user  have  complained for some
                                  time.   Now   your  chance.  Patch  for
                                  distrib-info welcome.

                                  A  man page has been written to explain
                                  what it does.

    chbind: --ip ip/mask

                                  The chbind utility has been modified to
                                  accept a netmask along with the IP when
                                  using   the  --ip  option.  You  simply
                                  specify IP/netmask.

    chcontext: CAP_QUOTACTL support

                                  The   kernel   vs1.00   support  a  new
                                  capability  allowing  someone to handle
                                  the  disk  quota. Prior to this kernel,
                                  one   needed  CAP_SYS_ADMIN  to  handle
                                  quota.   The   vserver   package   (and
                                  chcontext)     do    understand    this
                                  capability.

    newvserver

                                  A man page was written

    vserver-copy: new

                                  The  vserver-copy script let you copy a
                                  vserver  from one machine to another. A
                                  man  page  has  been written to explain
                                  how  it  works. It generally uses rsync
                                  over ssh to operate.

    vserver-stat: show vserver description

                                  It shows the vserver description at the
                                  end of each lines.

    vservers sysv script

                                  The  script  now  support  the PRIORITY
                                  variable  in  the vserver configuration
                                  files  to  control  vservers  start and
                                  stop  order.  Lower  priority value are
                                  started first and stopped last.

Changes

    chrootsafe: optional

                                  The  chrootsafe syscall did not make it
                                  so  the  utility uses it if it is there
                                  and  use the normal chroot if not. They
                                  do not complain as before if chrootsafe
                                  is missing.

                 Version 0.27

Enhancements

    Install redhat 9 and fedora core 1 from CD

                                  The  newvserver utility can now install
                                  a  vserver  from  a  RedHat 9 or Fedora
                                  core  1  first  cdrom. As usual you can
                                  install   a   minimum  vserver  or  the
                                  complete CD.

    Support for vs1.1 kernels

                                  The  new kernel with the virtual switch
                                  system  call  is now supported. You can
                                  using  vserver  0.27  with  vs-1.0 (aka
                                  ctx) and vs1.1 kernels.

Bug fixes

    ULIMIT with -HS

                                  The   configuration  files  created  by
                                  vserver  and  newvserver  now correctly
                                  use  -HS  instead  -of  -H  to  set the
                                  global ULIMIT settings.

                 Version 0.28

Enhancements

    /usr/sbin/vserver --verbose

                                  The --verbose option was used so we can
                                  learn  what  vserver  is  doing when it
                                  setups the IP aliases.

    New man page vserver.conf.5

                                  This  man  page  describe the format of
                                  the      configuration      file     in
                                  /etc/vservers.

    Running v_xxx service with the loopback

                                  The  v_xxx service (v_sshd and friends)
                                  are provided to help running service on
                                  the  root  server  without  interfering
                                  with  similar  services  in the virtual
                                  servers.  The  various  v_xxx  services
                                  achieve    this    by    starting   the
                                  corresponding xxx services using chbind
                                  to restrict the IPs they are allowed to
                                  bind.

                                  Previously,  all  those  services  were
                                  bound  to  eth0  only.  Now  by default
                                  (unless overridden in
                                  /etc/vservices/xxx.conf)  the  services
                                  are bound to 127.0.0.1 and eth0.

                                  This  solves  for  one the problem with
                                  ssh   X11  port  forwarding  since  ssh
                                  assumes   connections   are   done   on
                                  localhost (127.0.0.1) and not eth0.

Bug fixes

    chbind: --ip without parameter

                                  chbind   was   improperly  parsing  its
                                  command  line  and  was crashing if the
                                  option --ip was used without value.

    Security issue with vserver 0.27

                                  vserver  0.27 on vs-1.1 kernels was not
                                  setting    the    capability    ceiling
                                  properly,  providing  vservers with too
                                  much power.

                 Version 0.29

Enhancements

    /usr/lib/vserver/printconf.sh: new utility

                                  This  utility  shields application from
                                  the    complexity    of   the   vserver
                                  configuration  files.  It  should  also
                                  protect application from changes we may
                                  do to the configuration format.

                                  This    utility   reads   one   vserver
                                  configuration   file   and  prints  the
                                  relevant  variable one by line, without
                                  any  comment.  This  utility  should be
                                  used  by  any  script  operating  on  a
                                  vserver. C++ application should use the
                                  vutil_readconf()   function,  which  is
                                  using printconf.sh.

                                  The utility is generally used like this
                                  in the various scripts:

        eval `/usr/lib/vserver/printconf.sh --quote vserver-name`

                                  The  --quota  option puts double quotes
                                  around  the  values  to make the output
                                  usable  by scripts. C++ application are
                                  not  using  it. They simply assume that
                                  everything passed the equal sign is the
                                  value, up to the end of the line.

                                  All  utilities  in  the vserver package
                                  are now complying with this strategy.

    Debian patches

                                  All   the   patches   from  the  Debian
                                  projects     were     applied.     Some
                                  enhancements  were  done  (discussed in
                                  this change log). This includes new man
                                  pages,   some  C++  fixes,  some  stuff
                                  related to VSERVERS_ROOT.

    New variables in configuration files

                                  Few  variables  were  added in vservers
                                  configurations files:

                              - GENERATEMTAB=yes|no
                                This   tells   the   vserver  utility  to
                                generate  a  new  /etc/mtab  in a vserver
                                every time it is entered or started. This
                                is  done  after the pre-start step of the
                                vserver companion script
                                (/etc/vservers/*.sh).
                                Originally,   the   file   /etc/mtab  was
                                produced  only  at  vserver creation time
                                and   this   was  fine  for  most  cases.
                                Sometime   a   vserver   is  mapped  over
                                multiple  volume  and  /etc/mtab  must be
                                adjusted. Now this is done
                                auto-magically.
                                Every  mounts  visible  in the vserver is
                                included.  Dummy  devices (/dev/hdvN) are
                                generated  on the fly. Network mounts are
                                shown as is (the origin of the mount)
                                This   feature   may  be  turned  off  by
                                entering
        GENERATEMTAB=no
                                        in      the     vserver     configuration
                                file.
                              - VSERVERS_ROOT
                                This  controls  the base directory use to
                                setup vservers. This variable is normally
                                written  in /etc/vservers.conf and shared
                                by  several  vservers. The actual rool of
                                the vserver is $VSERVERS_ROOT/name
                                A vserver may override this variable. The
                                newvserver    utility    will   write   a
                                VSERVERS_ROOT=   line   in   the  vserver
                                configuration  file  if a different value
                                was  selected  (compared  to  the  one in
                                /etc/vservers.conf).
                              - VSERVERDIR
                                While     a    vserver    may    redefine
                                VSERVERS_ROOT, it is not that convenient.
                                A vserver may simply define VSERVERDIR to
                                point  wherever it fits. This variable is
                                optional,  but  the  printconf.sh utility
                                makes  sure  it  is defined: If a vserver
                                configuration    file   do   not   define
                                VSERVERDIR,    then    it   is   set   to
                                $VSERVERS_ROOT/name.
                                Application  dealing  with  vservers file
                                should   rely   on  VSERVERDIR  (and  use
                                printconf.sh)

    newvserver: VSERVERS_ROOT support

                                  The  utility  presents  a  new field to
                                  select  the  vserver  root  to  use for
                                  vserver  creation.  A drop down let you
                                  review  the various vservers roots used
                                  on  this  server and the amount of disk
                                  space available on each.

                                  newvserver  use  /etc/vservers.conf  to
                                  extract    the    default   value   for
                                  VSERVERS_ROOT.     It    also    checks
                                  /etc/vservers/newvserver.default     to
                                  extract  the  value  from  the newvroot
                                  variable     (if     available)     (So
                                  /etc/vservers/newvserver.defaults
                                  override /etc/vservers.conf).

                                  The  --vroot  command  line  option was
                                  also added to setup the default value.

    rebootmgr: supports VSERVERDIR

                                  The  utility  places its sockets in the
                                  proper        directories,        using
                                  vutil_readconf()  to  learn the vserver
                                  installation directory (VSERVERDIR).

    Vservers configuration files

                                  A  small  change  was  made  to vserver
                                  configuration     files.    The    file
                                  /etc/vservers.conf contains system wide
                                  defaults,  but  is not used directly by
                                  the various tools, except when creating
                                  a   new   virtual   server.  This  file
                                  (/etc/vservers.conf)     is    normally
                                  sourced   by   the   various   vservers
                                  configuration  files (included). From a
                                  tool  perspective,  for a vserver named
                                  foo,     only    /etc/vservers/foo.conf
                                  matters.  foo.conf normally starts like
                                  this:

        # Description: Some vserver
        source /etc/vservers.conf
        ...

                                  Using  this strategy, sites are free to
                                  implement  whatever  logic they want to
                                  manage vservers. For example, sites may
                                  decide to move the S_CAPS or S_FLAGS to
                                  /etc/vservers.conf      to     minimize
                                  repetition in vservers.

                                  All the utilities have been modified to
                                  obey this rules. Utilities for example,
                                  must  source  one vserver configuration
                                  file   to   learn   its   VSERVERS_ROOT
                                  directory  (more on this in this change
                                  log).

                                  You  do  not have to change anything to
                                  use   vserver  0.29.  The  printconf.sh
                                  utility    sources   /etc/vservers.conf
                                  before     sourcing     the     vserver
                                  configuration  file. But newvserver and
                                  "vserver  build" produces configuration
                                  files with the proper source command at
                                  the top.

Changes

    v_xxx services bound to 127.0.0.1

                                  V_xxx  services (sshd, ...) are special
                                  services  used  in  the  root server to
                                  limit  its  IP  scope to some IPs. This
                                  way, vservers are free to use the other
                                  IPs   of   the   machine.  In  previous
                                  release,  all v_xxx services were bound
                                  to   eth0  only.  It  was  possible  to
                                  override  this  using  a  corresponding
                                  file   /etc/vservices/xxx.conf  with  a
                                  line like:

        IP="ip1 ip2"

                                  It  turns  out  to be more practical to
                                  bind  services  to  127.0.0.1 and eth0.
                                  X11   forwarding  in  sshd  is  working
                                  better  like  this.  So  now, all v_xxx
                                  services  are  bound  to  127.0.0.1 and
                                  eth0,    unless   overridden   by   the
                                  /etc/vservices/xxx.conf

                 Version 0.31

Enhancements

    Installing several distro from CD

                                  Support has been added to newvserver to
                                  install the following distribution from
                                  the first CD/DVD

                              - Fedora core 1
                              - Fedora core 2
                              - RedHat enterprise 3
                              - SuSE 9.0

    vnetstat: new utility

                                  The is a new utility, crude in fact, to
                                  show all sockets on a vserver.

Bug fixes

    vrpm --unify

                                  The  --unify  option now excludes files
                                  in  /etc and /var/log from unification.
                                  In previous versions, only /var/log was
                                  excluded.

Rfrences

   1. http://www.solucorp.qc.ca/miscprj/s_context.hc
   2. ftp://ftp.solucorp.qc.ca/pub/vserver/diffctx-2.4.11-3
   3. http://sam.vilain.net/immutable
   4. http://www.solucorp.qc.ca/linuxconf/download.hc
   5. ftp://ftp.solucorp.qc.ca/pub/vserver
