[Vserver] Re: Vserver on Gentoo AMD64 system

2005-09-26 Thread Martin Honermeyer
Hello Johnny,

Johnny Rose Carlsen wrote:

 
 
 On Fri, 23 Sep 2005 21:31:36 +0200
 Herbert Poetzl [EMAIL PROTECTED] wrote:
 
 On Fri, Sep 23, 2005 at 08:49:28PM +0200, Johnny Rose Carlsen wrote:
  Hi,
  
  Does anyone have any experience running Vserver on a Gentoo AMD64
  system?
  
  Gentoo advises one to only use the gentoo-sources kernel on AMD64,
  because of some AMD64 patches. My install uses the vserver-sources
  kernel, but my system definitely has some trouble with oopses and
  processes getting killed.
 
 several providers are already using vs2.0 on x86_64
 (and I got zero bug/issue reports for that) so I
 assume it's working quite fine ... what kernel do
 you use and what kind of 'oopses' do you get?
 
 maybe an oops trace might help to identify possible
 issues and/or misconfigurations ...
 
 This is actually what I wanted to know, because i suspect that my
 troubles may lie in a broken Gentoo installation or hardware errors.
 Both are very likely at the moment.
 
 First step will be to see whether I can get the server to run stable
 with Gentoo AMD64 and no vserver. If that's a success, I will add
 vserver-support and see what happens.

We are using vserver-sources-2.0 (2.6.12) on an amd64 (Intel Xeon) machine.
It is running fine without problems. Uptime is 47 days now. 

There were some problems with the RAID controller and an older kernel which
lead to crashes. Since the upgrade to the stable vserver-sources,
everything is fine.

Just let me know if you need further information.


Greetz,
Martin


___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


[Vserver] Re: NXServer inside of VServer?

2005-07-08 Thread Martin Honermeyer
(I am cross posting this to the linux-vserver list, as it is of interest to
those people, too.)


Hello Pablo,

many thanks!! I got it working!!! This is what I did:

* Deleted everything from /tmp.
* Tried to login again => same problem, window closes after a few seconds
* looked at the user's .xsession-errors file:
_IceTransmkdir: ERROR: Owner of /tmp/.ICE-unix must be set to root
_IceTransSocketUNIXCreateListener: mkdir(/tmp/.ICE-unix) failed, errno = 1
_IceTransMakeAllCOTSServerListeners: failed to create listener for local

* So I looked into /tmp. The directory .ICE-unix was already there, the
owner set to my user. 
* So I did: 
$ chown root /tmp/.ICE-unix
$ chown root /tmp/.X11-unix

* Login => works and runs like a shot!!! :-)
 

Note: I have to re-run those two commands every time I reboot the VServer.
It seems like starting an X-Server from within FreeNX doesn't set up those
permissions in /tmp correctly. Maybe that's because I don't have something
like KDM run beforehand.


VServer configuration: I didn't have to enable any additional capabilities!



Nice greetings,
Martin


Pablo A. Salgado wrote:

 Some time ago I tried to do the same and ran into troubles.
 
 First, I found no way to start xterm as normal user into vserver because
 of some kind of problem with /dev/tty* into the vserver (the message was
 something like: I couldn't create tty#). The only user that could start
 xterm was root. That means that it seems to be possible to execute KDE as
 normal user but not xterm. Anyway I didn't find any documentation about
 this topic.
 
 Then, I installed freenx in the host system and ran into the problem you
 describe starting KDE as normal user. After a few attempts to start sessions
 I decided to erase any related KDE file in the /tmp directory and voilà!
 it worked. Perhaps it could help you.
 
 Let me know if you succeed running NXserver into vserver :)
 
 On 6/30/05, Martin Honermeyer [EMAIL PROTECTED] wrote:
 
 Hello,
 
  I am trying to get an NXServer running inside a Linux VServer
  (http://www.linux-vserver.org). It works as far as this: KDE is starting,
  then the splash screen says initializing system devices and pow! the
  session just closes. It seems not to happen exactly at this point, but
  after the session is running for a few seconds. No errors in the nxserver
  log, no .xsession file in the user home (it should be there??).
  
  As the capabilities inside the VServer are very restricted, I need some
  advice from the NX devs about which system capabilities are needed in
  order to get an NXserver running. A list is at
  http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/lib/bcaps-v13.c?rev=HEAD.
 
 
 I am using the newest FreeNX 0.4.1 and the free NXServer components 1.5.0
 r3. The problem was the same with FreeNX 0.2.8 and NXServer components
 1.4.0.
 
 If there are direct suggestions for a solution, at least I'd like to know
 how to get some more verbose log output! NX_LOG_LEVEL=7 doesn't tell
 much:
 
 ...
 NX 1000 NXNODE - Version 1.4.0-04-CVS OS (GPL)
 NX 700 Session id: nx32-1004-A2499FCF6F24DE826CBD8940338E63D3
 NX 705 Session display: 1004
 NX 703 Session type: unix-kde
 NX 701 Proxy cookie: a9588103ea86b8550176359e4255a222
  NX 702 Proxy IP: 210.95.48.249
 NX 706 Agent cookie: bd1745d567d62cf63fbdbbaee2ecdcb5
 NX 704 Session cache: unix-kde
 NX 707 SSL tunneling: 0
 NX 710 Session status: running
 NX 1002 Commit
 NX 1006 Session status: running
 NX 105 bye
 Bye
 NX 999 Bye
 NX 1001 Bye.
 NX 105 quit
 NX 1009 Session status: terminating
 NX 1006 Session status: closed
 
 
  (Btw, SSL encryption doesn't work at all. The client times out at
  Negotiating link parameters.)
 
 
 Thanks for any help. It would be REALLY great to have this running!
 
 
 Greetz,
 Martin
 
 
 ___
 FreeNX-kNX mailing list
 [EMAIL PROTECTED]
 https://mail.kde.org/mailman/listinfo/freenx-knx





[Vserver] Re: Re: NXServer inside of VServer?

2005-07-08 Thread Martin Honermeyer
Hello Bodo,

Bodo Eggert wrote:

 On Sat, 25 Jun 2005, Martin Honermeyer wrote:
 
 * Deleted everything from /tmp.
 * Tried to login again = same problem, window closes after a few seconds
 * looked at the user's .xsession-errors file:
 _IceTransmkdir: ERROR: Owner of /tmp/.ICE-unix must be set to root
 [...]
 
 Note: I have to re-run those two commands every time I reboot the
 VServer. It seems like starting an X-Server from within FreeNX doesn't
 set up those permissions in /tmp correctly. Maybe that's because I don't
 have something like KDM run beforehand.
 
 It's a common error, caused by KDE. It expects the boot scripts to create
 this dir, and if there is none, it will mess it up.
 
 The [KX]DM startup script should create that directory, check if it's
 owned by root and chmod it to 1777. If it isn't, remove or rename the
 directory and retry a limited number of times.
 

As FreeNX doesn't need a display manager _at all_, why should I run XDM? I
think the easiest solution is to put the lines

# fix X11/KDE problems
rm -fR /tmp/.ICE-unix /tmp/.X11-unix
mkdir /tmp/.ICE-unix /tmp/.X11-unix
chmod 1777 /tmp/.ICE-unix /tmp/.X11-unix

into /etc/conf.d/local.start (Gentoo VServer), so it is run on every boot.
That would fix it for me.


I've got an additional problem resulting from the inability to access pty's
from the guest. I'd like to start xterm / konsole in my kde sessions. This
isn't possible (not enough ptys). Is it possible to get this running?
Using secure mounts maybe?


Martin
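A boot-time version of the check Bodo describes above (make sure the socket directory is a real directory owned by root, chmod it to 1777, otherwise move it aside and retry a limited number of times), written here as an added example that is not from the thread; it does the job of the local.start snippet without the unconditional rm -fR, so a user-planted symlink or directory is never adopted. It assumes GNU stat (Linux); ensure_socket_dir and socket_dir_mode are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (stat -c).

# ensure_socket_dir DIR OWNER_UID
# Make DIR a real directory (not a symlink) owned by OWNER_UID with mode
# 1777. Anything else found at that path is renamed aside and creation is
# retried, at most three times, so a lost race fails loudly instead of
# silently reusing whatever a local user left there.
ensure_socket_dir() {
    dir=$1; want_uid=$2; tries=0
    while [ "$tries" -lt 3 ]; do
        tries=$((tries + 1))
        # -d follows symlinks, so exclude them explicitly with -L.
        if [ -d "$dir" ] && [ ! -L "$dir" ]; then
            uid=$(stat -c '%u' "$dir")
            if [ "$uid" = "$want_uid" ]; then
                chmod 1777 "$dir" || return 1
                return 0
            fi
        fi
        # Wrong owner, symlink, or plain file: move it out of the way.
        if [ -e "$dir" ] || [ -L "$dir" ]; then
            mv "$dir" "$dir.bad.$$.$tries" || return 1
        fi
        # -m applies the mode regardless of umask; on failure the loop
        # re-inspects whatever appeared in the meantime.
        mkdir -m 1777 "$dir" 2>/dev/null || true
    done
    echo "ensure_socket_dir: giving up on $dir" >&2
    return 1
}

# socket_dir_mode DIR: octal mode of DIR, for verifying the result.
socket_dir_mode() { stat -c '%a' "$1"; }

# Boot-time use from /etc/conf.d/local.start, run as root (uid 0):
# ensure_socket_dir /tmp/.ICE-unix 0
# ensure_socket_dir /tmp/.X11-unix 0
```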





[Vserver] Re: Re: Re: NXServer inside of VServer?

2005-07-08 Thread Martin Honermeyer
Herbert Poetzl wrote:

 On Fri, Jul 08, 2005 at 01:48:18PM +0200, Martin Honermeyer wrote:
 Hello Bodo,
 
 Bodo Eggert wrote:
 
  On Sat, 25 Jun 2005, Martin Honermeyer wrote:
  
 I've got an additional problem resulting from the inability to access
 pty's from the guest. I'd like to start xterm / konsole in my kde
 sessions. This isn't possible (not enough ptys). Is it possible to get
 this running? Using secure mounts maybe?
 
 hmm, with a proper setup this should not happen ...
 please provide some logs (maybe an strace of the xterm start?)
 and check in the kernel log for suspicious messages ...

My fault, sorry! It's a shame. I forgot to get those users into the tty
group ... Now it works!


Thank you,
Martin





[Vserver] Re: CAP_SYS_ADMIN, how unsecure it is within vserver

2005-06-06 Thread Martin Honermeyer
Hello people,


Herbert Poetzl wrote:

 On Sat, May 28, 2005 at 09:25:51PM +0200, Bodo Eggert wrote:
 On Sat, 28 May 2005, gary ng wrote:
 
  I am testing out vserver(1.2.10 on 2.4, not ready for
  2.6 yet because of stability issue unrelated to
  vserver) and I am wondering what is the impact of
  giving CAP_SYS_ADMIN to it.
  
  Without it, I cannot mount within vserver but I see
  mount as a legitimate use like mounting CIFS/NFS or
  FUSE related file systems.
 
 You can also mount filesystems containing device nodes. This would give
 you root access to the host.
 
 Secure user mounts are planned in the vanilla kernel, maybe they can be
 adopted for vservers.
 
 2.6/1.9.x and 2.0-* already support 'secure' mounts inside
 a vserver guest ...

How does this work? I am puzzled about this. In my setup, there is a vserver
which has to access different logical volumes mounted on different paths.
The vserver should be able to set up and manage quotas for each lv.

So far, I have an ugly workaround. The host mounts those lv's from /dev/vg
into the vserver. _After_ that, the vserver can be started, because it
doesn't see those mounts when it's already running! This way, quotas can
only be managed from within the host, as the vserver doesn't really see
those mounts/devices!

What would be the best way to do it? I don't quite understand what secure
mounts are and how they work.


Greetings,
Martin




[Vserver] Re: Re: CAP_SYS_ADMIN, how unsecure it is within vserver

2005-06-06 Thread Martin Honermeyer
Thanks Herbert!

I am using the 1.9.5 developer patches. I've just looked at the table in the
Release FAQ. Am I right that I have to upgrade my kernel to 2.0RCx in order to
have VROOT support? Is it already implemented in RC3?


Martin


Herbert Poetzl wrote:

 On Mon, Jun 06, 2005 at 10:30:16AM +0200, Martin Honermeyer wrote:
 Hello people,
 
 
 Herbert Poetzl wrote:
 
  On Sat, May 28, 2005 at 09:25:51PM +0200, Bodo Eggert wrote:
  On Sat, 28 May 2005, gary ng wrote:
  
   I am testing out vserver(1.2.10 on 2.4, not ready for
   2.6 yet because of stability issue unrelated to
   vserver) and I am wondering what is the impact of
   giving CAP_SYS_ADMIN to it.
   
   Without it, I cannot mount within vserver but I see
   mount as a legitimate use like mounting CIFS/NFS or
   FUSE related file systems.
  
  You can also mount filesystems containing device nodes. This would
  give you root access to the host.
  
  Secure user mounts are planned in the vanilla kernel, maybe they can
  be adopted for vservers.
  
  2.6/1.9.x and 2.0-* already support 'secure' mounts inside
  a vserver guest ...
 
 How does this work? I am puzzled about this. In my setup, there is a
 vserver which has to access different logical volumes mounted on
 different paths. The vserver should be able to set up and manage quotas
 for each lv.
 
 well, secure mounts are basically mounts of 'devices'
 the guest has available with the important restriction
 that they happen with 'nodev' so that the guest can not
 use new device nodes this way ...
 
 So far, I have an ugly workaround. The host mounts those lv's from
 /dev/vg into the vserver. _After_ that, the vserver can be started,
 because it doesn't see those mounts when it's already running! This way,
 quotas can only be managed from within the host, as the vserver doesn't
 really see those mounts/devices!
 
 that's a different issue you want to address here and
 the solution is the vroot device proxy, which allows to
 proxy quota ioctls to the device without giving away
 full access to the device ...
 
 What would be the best way to do it? I don't quite understand what secure
 mounts are and how they work..
 
 just do it as you do it now, configure a vroot device
 for each lvm volume and copy that into the server ...
 set the filesystem type to ufs to avoid that the guest
 tools try to access the filesystem directly (done for
 ext2/3) and make sure that mtab contains the usr/grpquota
 flags (which are checked by the quota tools)
 
 HTH,
 Herbert
 
 Greetings,
 Martin
 
 




Re: [Vserver] Re: Re: CAP_SYS_ADMIN, how unsecure it is within vserver

2005-06-06 Thread Martin Honermeyer
On Monday 06 June 2005 16:56, Herbert Poetzl wrote:
 On Mon, Jun 06, 2005 at 03:58:07PM +0200, Martin Honermeyer wrote:
  Thanks Herbert!
 
  I am using the 1.9.5 developer patches. I've just looked at the table in
  the Release FAQ. Am I right that I have to upgrade my kernel to 2.0RCx in
  order to have VROOT support? Is it already implemented in RC3?

 check in the kernel config (grep VROOT .config)

There is no VROOT option. I am using vserver-sources-1.9.5 in Gentoo. I just
searched through the patches made in the ebuild. It doesn't contain any VROOT
changes. As I think it contains the vanilla vserver patch, I suppose 1.9.5
doesn't contain VROOT patches at all?


Martin


[Vserver] Re: Problems with /proc filesystem under Gentoo!

2004-02-17 Thread Martin Honermeyer
That's it! 
Thanks, Herb! ;)

Martin


Herbert Poetzl wrote:

 On Mon, Feb 16, 2004 at 08:11:48PM +0100, Martin wrote:
 Hello people,
 
 I have just set up a Gentoo machine with both VServer development
 (kernel-2.4.25-rc1-vs1.3.7) and stable patches (kernel-2.4.24-vs1.26). I
 am using the newest util-vserver tools (0.29).
 Made my way through the installation of a Gentoo template VServer
 (http://vserver.strahlungsfrei.de/tiki-index.php?page=VServerGentooNew).
 
 well, it seems that most users did miss the
 security changes, anyway, here the archived mail:
 
 http://archives.linux-vserver.org/200401/0125.html
 
 and the additional info: both devel and experimental
 branch (1.3.7 and 0.07) do turn the vserver proc
 entries off (-d) by default, you have to enable
 those entries which are required and secure ;)
 
 HTH,
 Herbert
 
 Now I am stuck with fatal errors in both kernel versions. Using kernel
 2.6 with the development patches:
 ,[  ]
 | vserver template-gentoo start
 | Starting the virtual server template-gentoo
 | Error: /proc must be mounted
 |   To mount /proc at boot you need an /etc/fstab line like:
 |   /proc   /proc   procdefaults
 |   In the meantime, mount /proc /proc -t proc
 | Server template-gentoo is not running
 | ...
 `
 
 Shortly thereafter, during the init phase, it fails with
 ,[  ]
 | Error: /proc must be mounted
 |   To mount /proc at boot you need an /etc/fstab line like:
 |   /proc   /proc   procdefaults
 |   In the meantime, mount /proc /proc -t proc
 `
 
 From the host system:
 ,[  ]
 |  mount
 | none on /vservers/template-gentoo/proc type proc (rw)
 `
 
 After entering the guest system, it is obvious that the proc filesystem
 doesn't work:
 ,[  ]
 |  ps
 | Error: /proc must be mounted
 |   To mount /proc at boot you need an /etc/fstab line like:
 |   /proc   /proc   procdefaults
 |   In the meantime, mount /proc /proc -t proc
 `
 
 Those seem to be kernel messages. I didn't find those strings in any
 files under /usr.. Or is this a problem with the Gentoo init scripts?! I
 don't think so.
 
 
 
 Different problems under kernel 2.4, with stable VServer patches 1.26.
 Not even a simple chcontext works:
 ,[  ]
 |  chcontext /bin/bash
 | New security context is 49153
 | Can't exec /bin/bash (Permission denied)
 `
 
 
 
 So what is this all about??
 
 
 Greetz,
 Martin

