[Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

2011-04-14 Thread sanjay
Hi! I am new to the technology and thread. I have two basic questions; I hope
you can provide some guidance.

1. UID Privilege Isolation.
~
If I understand it right, currently if a host-uid and guest-uid have the
same numerical value, they essentially have the same file access privilege.
Posting from 01/14/11 indicated that a patchset related to 'user namespace'
is in the works to address this issue. Link in the LXC home/user indicated two
possible approaches are being considered. I was wondering if there has been
any conclusion on this front?


2. Guest modifying its own cgroup

It appears that from a guest one can mount the cgroup and modify its own
constraints specified in the cgroup. Is there a way I can prevent a guest
from doing so?

Thanks in advance for your help
---
Regards,
Sanjay
--
Benefiting from Server Virtualization: Beyond Initial Workload
Consolidation -- Increasing the use of server virtualization is a top
priority. Virtualization can reduce costs, simplify management, and improve
application availability and disaster protection. Learn more about boosting
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

2011-04-14 Thread Serge Hallyn
Quoting sanjay (genacct...@gmail.com):
> Hi! I am new to the technology and thread. I have two basic questions; I hope
> you can provide some guidance.
> 
> 1. UID Privilege Isolation.
> ~
> If I understand it right, currently if a host-uid and guest-uid have the
> same numerical value, they essentially have the same file access privilege.
> Posting from 01/14/11 indicated that a patchset related to 'user namespace'
> is in the works to address this issue. Link in the LXC home/user indicated two
> possible approaches are being considered. I was wondering if there has been
> any conclusion on this front?

I don't know what link you mean.  There is a clear roadmap, there is
plenty of work to be done.

> 2. Guest modifying its own cgroup
> 
> It appears that from a guest one can mount the cgroup and modify its own
> constraints specified in the cgroup. Is there a way I can prevent a guest
> from doing so?

LSM

-serge



[Lxc-users] ESX VM host and network issues

2011-04-14 Thread Mauras Olivier
Hello,

I'm struggling for two days now with some completely weird network
behaviours.
My host is a virtual machine hosted on an ESX farm. I planned to deploy
several containers on it to achieve various tasks.

Host is running Scientific Linux 6 with default kernel (2.6.32), and my
container is an Oracle Linux 6. I discovered that I had to change ESX
vswitch settings to allow promiscuous mode in order to make the host bridge
behave correctly, but it still gives me weird results.
Most of the time after having started the container, network inside the
container is erratic. I can ping or ssh from the host to the container, but
nothing gets out of the container or into the container from the LAN. While
the container is still running, if I issue a network restart on the host,
the container starts behaving correctly and network works again as expected.
The problem is that it's not reliable at all. If I stop/restart the
container several times, it starts losing network again, which I can only get
back by issuing the network restart on the host...

Here's my container configuration:
lxc.utsname = ct-011
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = 0.0.0.0
lxc.mount = /etc/lxc/ct-01.fstab
lxc.rootfs = /srv/lxc/ct-01/

lxc.cap.drop = sys_module mknod
lxc.cap.drop = mac_override sys_time
lxc.cap.drop = setfcap setpcap sys_boot

I set the network from inside the container to avoid having to modify too
much of container init - I also tried setting IP from lxc config and it gave
me the same result.

My bridge is set with forward delay to 0 and STP on as having it disabled
doesn't work at all.

I don't have many errors that could lead me to a solution; here's a
snippet of my dmesg after restarting the network twice on the host:
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
br0: starting userspace STP failed, starting kernel STP
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
device vethAuDQzn entered promiscuous mode
br0: topology change detected, propagating
br0: port 2(vethAuDQzn) entering forwarding state
br0: port 2(vethAuDQzn) entering disabled state
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering disabled state
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
br0: topology change detected, propagating
br0: port 2(vethAuDQzn) entering forwarding state

I'm starting to despair here and I hope one of you has an idea on what
would be needed to make that thing work correctly.

Regards,
Olivier


Re: [Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

2011-04-14 Thread sanjay
Hi Serge! Thanks for your help.

(The link I was referring to in my original mail:
http://lxc.sourceforge.net/index.php/about/kernel-namespaces/user/).

Regards,
Sanjay


On Thu, Apr 14, 2011 at 3:19 PM, Serge Hallyn serge.hal...@canonical.com wrote:

> Quoting sanjay (genacct...@gmail.com):
> > Hi! I am new to the technology and thread. I have two basic questions; I hope
> > you can provide some guidance.
> > 
> > 1. UID Privilege Isolation.
> > ~
> > If I understand it right, currently if a host-uid and guest-uid have the
> > same numerical value, they essentially have the same file access privilege.
> > Posting from 01/14/11 indicated that a patchset related to 'user namespace'
> > is in the works to address this issue. Link in the LXC home/user indicated two
> > possible approaches are being considered. I was wondering if there has been
> > any conclusion on this front?
>
> I don't know what link you mean.  There is a clear roadmap, there is
> plenty of work to be done.
>
> > 2. Guest modifying its own cgroup
> > 
> > It appears that from a guest one can mount the cgroup and modify its own
> > constraints specified in the cgroup. Is there a way I can prevent a guest
> > from doing so?
>
> LSM
>
> -serge




-- 
Regards,
Sanjay


Re: [Lxc-users] LVM logical volume in container

2011-04-14 Thread Benjamin Kiessling
Hi,

On 2011.04.14 17:51:22 -0500, Serge Hallyn wrote:
> ...
> lxc.cgroup.devices.allow = b 252:2 rwm

I did exactly that earlier but it didn't work correctly. I guess I screwed up
somewhere, as it works properly now.

Regards,
Ben
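Two of the threads above hinge on what a container config actually constrains: sanjay's question about a guest mounting its own cgroup (Serge's answer is an LSM, since the config alone cannot stop it while the guest keeps CAP_SYS_ADMIN, which mount(2) requires) and Ben's `lxc.cgroup.devices.allow = b 252:2 rwm` rule. The following audit script is an added example, not code from the list or from LXC; it parses the 0.7-era `key = value` syntax, merges the repeated `lxc.cap.drop` lines from Olivier's config, parses cgroup-v1 device rules (`b 252:2 rwm`, `c *:* m`, bare `a`) and reports the gaps, using a sample config constructed from the posts above.

```python
from collections import defaultdict
# Constructed sample built from the posts above: Olivier's lxc.cap.drop lines,
# a deny-all default and Ben's 'b 252:2 rwm' allow rule for the LVM volume.
SAMPLE_CONFIG = """\
lxc.cap.drop = sys_module mknod
lxc.cap.drop = mac_override sys_time
lxc.cap.drop = setfcap setpcap sys_boot
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = b 252:2 rwm
lxc.cgroup.devices.allow = c 1:3 rwm
"""

def parse_config(text):
    """Return {key: [value, ...]}; repeated keys accumulate, '#' lines are skipped."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key].append(value)
    return conf
def dropped_caps(conf):
    """Each lxc.cap.drop line may name several capabilities; merge them all."""
    return {cap.lower() for line in conf["lxc.cap.drop"] for cap in line.split()}
def parse_device_rule(rule):
    """'b 252:2 rwm' (or bare 'a') -> (type, major, minor, access); None = '*'."""
    parts = rule.split()
    if parts == ["a"]:                  # bare 'a': every device, every access
        return "a", None, None, {"r", "w", "m"}
    kind, node, access = parts
    major, minor = (None if p == "*" else int(p) for p in node.split(":"))
    return kind, major, minor, set(access)
def audit(text):
    """Return (dropped_caps, allow_rules, findings) for one config text."""
    conf = parse_config(text)
    caps = dropped_caps(conf)
    raw_allows = conf["lxc.cgroup.devices.allow"]
    allows = [parse_device_rule(r) for r in raw_allows]
    findings = []
    # mount(2) needs CAP_SYS_ADMIN; if kept, guest root can mount the cgroup fs
    # itself unless an LSM policy steps in, as Serge suggests.
    if "sys_admin" not in caps:
        findings.append("CAP_SYS_ADMIN kept: guest root may mount filesystems")
    if "a" not in conf["lxc.cgroup.devices.deny"]:   # allow rules only widen
        findings.append("no 'devices.deny = a' before the allow rules")
    for rule, (kind, major, minor, _) in zip(raw_allows, allows):
        if kind == "a" or None in (major, minor):
            findings.append("wildcard device rule: " + rule)
    return caps, allows, findings
```

Run `audit(open("/var/lib/lxc/NAME/config").read())` against a real container config (path assumed) to get the same three-part report for your own containers.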

