OpenVZ Forum


Home » General » Support » Reboot VPS
Reboot VPS [message #2591] Mon, 10 April 2006 21:05 Go to next message
scooter is currently offline  scooter
Messages: 38
Registered: December 2005
Location: Texas
Member
Has anyone came up with a way for a VPS to be rebooted via the webpage?

I'm not much of a php programer so not able to actually do this unfortunately.

Reckon I need to learn PHP Smile


Scooter Harris
Re: Reboot VPS [message #2592 is a reply to message #2591] Mon, 10 April 2006 21:25 Go to previous messageGo to next message
kir is currently offline  kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia
Senior Member

Actually you can use shell (or any other language, for that matter) to program simple CGIs. Or, yep, use php. Smile

I can not teach you the basics of PHP, but I can tell you you are entering the high risk zone so, if implemented improperly (insecurely) your solution could do more harm than good.

So, here are a few ideas of how to do it more securely:

(1) do NOT run web server on a host system, use some dedicated VE for it.

(2) in the host system, create some user, say ovzss. Install sudo package if it's not there, and edit /etc/sudoers to allow this user execute vzctl start and vzctl stop commands as root without entering a password. The appropriate line in /etc/sudoers should look like this:
ovzss         ALL=(ALL)        NOPASSWD:/usr/sbin/vzctl start,/usr/sbin/vzctl stop


(3) in the VE you created for running a web server, create SSH keys for apache user (or another user from which account your httpd runs), and put ssh2 public key to host system as ~ovzss/.ssh/authorized_keys2, so apache user can login into host system via ssh without entering the password

(4) in the CGI you wrote, you should do something like
system("ssh ovzss@host.ip.add.ress sudo /usr/sbin/vzctl start $VEID");


(5) in the CGI you wrote, CHECK that $VEID passed from the web user is really a VEID, i.e. it should contain positive non-zero number not exceeding a few digits and only that.

(6) Limit access to the CGI script itself, using Apache Allow/Deny directives.

Surely this can be improved in a few ways, but I hope that as-is it creates a sensible minimum security.


Kir Kolyshkin
http://static.openvz.org/userbars/openvz-developer.png
Re: Reboot VPS [message #2593 is a reply to message #2591] Mon, 10 April 2006 21:30 Go to previous messageGo to next message
scooter is currently offline  scooter
Messages: 38
Registered: December 2005
Location: Texas
Member
great thank you, i'll check it out this evening Smile

But yes when i was going to 'build' something i was going to restrict apache access to the core servers to 1 single IP and run the other stuff from a VE and post to the apache on the core.


Scooter Harris
Re: Reboot VPS [message #2623 is a reply to message #2591] Tue, 11 April 2006 21:57 Go to previous message
scooter is currently offline  scooter
Messages: 38
Registered: December 2005
Location: Texas
Member
Well, i did get something working, nothing fancy but it works.

Got it working with all the servers we have from one location.

Just need to secure it some so people can't reboot anyone else's VE's Smile

Scooter


Scooter Harris
Previous Topic: software RAID1 support on Centos 4.1?
Next Topic: Iptables problem in SUSE10 kernel
Goto Forum:
  


Current Time: Mon Nov 18 00:01:42 GMT 2024

Total time taken to generate the page: 0.02865 seconds