[Vserver] Re: vserver cloaking ...

2003-11-03 Thread Herbert Poetzl
On Sun, Nov 02, 2003 at 08:24:39PM +, Jonathan Sambrook wrote:
 At 17:28 on Sun 02/11/03, [EMAIL PROTECTED] masquerading as 'Herbert Poetzl' wrote:
  
  Hi Jonathan!
  
  are you still working/interested in doing
  heavy vserver cloaking?
 
 Yes I'm interested, but it's not that _high_ a priority for the company,
 so I've been working on non-s_context and/or non-kernel matters.
 
 What do you have in mind?

hey sorry for the last reply!
I obviously sent you the wrong one *blush* ...

now the right one:

we did some things to improve vserver security, like
hiding parts of proc filesystem and we are planning 
to add a virtual network device and several other
things, which will make vserver more similar to
a real server ...

you probably know a hundred times more what is
different between a vserver and a real system, and
maybe you are interested in writing test scripts,
programs, or just textual check lists, which
find/name certain differences ...

I see no issue with a 'stealth' mode, which can
be activated/deactivated from the host for each
server (seems to make some sense, for certain 
companies) and I'm going to support it, if somebody 
shows enough interest and volunteers to do the
required testing ...

best,
Herbert

 Regards,
 Jonathan
 
 Oh, and congratulations on re-injecting some life into the project {8{)}

tx ...

 -- 

  Jonathan Sambrook 
 Software  Developer 
  Designer  Servers


___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Problems Setting Limits

2003-11-03 Thread Herbert Poetzl
On Mon, Nov 03, 2003 at 02:24:00PM +0100, Alexander Goeres wrote:
 On Sunday, 2 November 2003 23:44, Herbert Poetzl wrote:
   2. Well, I did the last several times and vservers worked after
   rebooting. What didn't work was the possibility to set a quota to a
   test-user. quotacheck succeeded, but quotaon -u  -f /dev/hdb7
   always failed with
  
   the errmsg:
quotaon: using /var/aquota.user on /dev/hdb7 [/var] : No such device or address
 
  did you add the quota hashes as described in the
  (short) documentation on http://www.linux-vserver.org/
  http://vserver.13thfloor.at/Linux2.6/index.php?page=Per+Context+Disk+Limits
 
 How do I add the quota hashes? Isn't it done with
   cqhadd -x 2 -v /dev/hdb7

you are right, I obviously misread your command for 
cqdlim ... sorry for that one ...

   3.  Another problem was then setting limits to a vserver..
   cqhadd -x 2 -v /dev/hdb7 always returned
  
cqhadd adding quota hash for /dev/hdb7 ... failed: Function not implemented

for cqhadd, -ENOSYS (not implemented) is returned,
when the TAGCTX flag isn't set on the filesystem
(tagctx mount option)

for cqdlim, the following is true:

  -ENXIO is returned if the quota hash does not exist,
  where -EPERM is returned if you don't have the required
  permission/capability ...

 And I was reading in one of the postings here about the mount option 
 ctxquota. Sounds as if it's necessary for the limits? If yes, then there is 
 another problem with me and the patches, because the patched kernel 
 refuses to remount the partition when this option is set: unknown option...

correct, it seems that I forgot to mention that
on the web page too, will correct it immediately ...

by the way, remount is not an option, you have to 'mount'
it with tagctx, and I don't suggest this on a root
partition, because some parts of the vserver scripts
write to it from within a context ...

sorry for the misleading information, IRC would have
been much faster ...

HTH,
Herbert


 greetings
 Alexander
 ---
 [EMAIL PROTECTED]
 tel.: +49 (0)30 / 61 20 26 87
 fax: +49 (0)30 / 61 20 26 89
 ---
 lieblinxNET
  we do software
 a Marwood  Thiele GbR
 ---
 reichenber straße 125
 10999 Berlin
 
 http://lieblinx.net
 ---
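
The return codes Herbert lists in this message, turned into a small triage helper. This is an added example, not code from the vserver tools: the function names and the sample mount table are constructed, and the message strings are the Linux strerror texts the tools print.

```python
import errno

# strerror texts as the tools print them on Linux.
MESSAGES = {
    "Function not implemented": errno.ENOSYS,
    "No such device or address": errno.ENXIO,
    "Operation not permitted": errno.EPERM,
}

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hdb7 /var ext3 rw,usrquota 0 0
/dev/hdb8 /vservers ext3 rw,tagctx 0 0
"""


def mount_options(device, mounts_text):
    """Return the option set of a mounted device, or None if not mounted."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == device:
            return set(fields[3].split(","))
    return None


def errno_from_message(tool_output):
    """Recover the errno from the strerror text ending an error line."""
    text = " ".join(tool_output.split())  # undo mail line wrapping
    for message, code in MESSAGES.items():
        if text.endswith(message):
            return code
    return None


def diagnose(tool, device, tool_output, mounts_text):
    """Explain a cqhadd/cqdlim failure using the causes given in the thread."""
    code = errno_from_message(tool_output)
    opts = mount_options(device, mounts_text)
    if opts is None:
        return f"{device} is not mounted"
    if tool == "cqhadd" and code == errno.ENOSYS and "tagctx" not in opts:
        return (f"ENOSYS: {device} lacks tagctx; unmount it and mount it "
                "again with -o tagctx (remount is not enough)")
    if tool == "cqdlim" and code == errno.ENXIO:
        return f"ENXIO: no quota hash for {device}; run cqhadd first"
    if tool == "cqdlim" and code == errno.EPERM:
        return "EPERM: caller lacks the required permission/capability"
    return "not one of the cases described in the thread"
```

On a live host, pass the contents of /proc/mounts as `mounts_text` instead of the sample.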
 


Re: [Vserver] 1.0 release - I agree!

2003-11-03 Thread Charles
hi jack and chunk,

thanks for your info, the procedures are really great!

i followed and merged both procedures to create my vserver and it works!!
i'm using redhat7.3 inside redhat 7.3 (and will migrate to redhat 9 later),
i did some additional steps (for somebody new to vserver like me):

inside the vserver (after vserver new enter):
- remove the /etc/rc.d/init.d/halt
- remove the files/directories inside /proc
- remove the files/directories inside /dev except (full, null, pts, zero,
ptmx, random, urandom)   -- pls tell me which file i could further remove
or should be retained
- modify the /etc/fstab to /dev/hdv1 / ext2 defaults 1 1
- modify the /etc/mtab to /dev/hdv1 / ext2 rw 0 0
- remove the /boot
- remove unnecessary packages (like grub, apmd, etc)

questions:
how could i create a vserver by using link instead of copy so that i
could share the disk space?

cheers,
charles

- Original Message -
From: Jacques Gelinas [EMAIL PROTECTED]
To: Vserver mailing list [EMAIL PROTECTED]
Sent: Saturday, November 01, 2003 1:58 AM
Subject: Re: [Vserver] 1.0 release - I agree!


 On Fri, 31 Oct 2003 12:48:00 -0500, Charles wrote
  hi chuck,
 
  can you tell me how to make it work?
  do i need to modify the setting of the rh6.2 after rsync?
 
  i've got a rh7.3/rh9 host server, and like to run a rh7.3/rh9 vserver
  inside.
 
  thanks a lot!

 After copying, create a new configuration file in /etc/vservers

 Then enter the vserver

 vserver new enter

 Then turn off all services

 cd /etc/rc.d/init.d
 for serv in *
 do
     /sbin/chkconfig "$serv" off
 done

 Then turn on only the services you need. Generally

 chkconfig crond on
 chkconfig syslog on
 chkconfig httpd on
 ...

 exit

 and start the vserver

 -
 Jacques Gelinas [EMAIL PROTECTED]
 vserver: run general purpose virtual servers on one box, full speed!
 http://www.solucorp.qc.ca/miscprj/s_context.hc
 ___
 Vserver mailing list
 [EMAIL PROTECTED]
 http://www.solucorp.qc.ca/mailman/listinfo/vserver


RE: [Vserver] 1.0 release - I agree!

2003-11-03 Thread Matthew Nuzum

questions:
how could i create a vserver by using link instead of copy so that i
could share the disk space?

cheers,
charles

Charles, forgive me if I misunderstood your question, I am by no means an
expert at setting up vservers.  However, regarding this issue, if you do
cp -al file1 file2 (that's lower case A L ) it simply makes a hardlink from
file1 to the other.  That way, you can make links from the comfort of your
copy command.

Matthew Nuzum   | ISPs: Make $200 - $5,000 per referral by
www.followers.net   | recommending Elite CMS to your customers!
[EMAIL PROTECTED]   | http://www.followers.net/isp





Re: [Vserver] 1.0 release - I agree!

2003-11-03 Thread Charles
hi matthew,

thanks for your hints!!  i will try it!

cheers,
charles

- Original Message -
 Ah, I see.  Well, you probably want your /etc files to be manageable on a
 per vserver basis, so that'd be bad to link.  Also, /var/log/* and probably
 some or all of /var/lib should not be linked.  I think /usr is an excellent
 candidate for linking.

 There are others on this list that have already tackled this issue so it
 shouldn't be hard to get a conclusive answer.  Additionally, the linuxconf
 vserver tools can automate this work, so it should be possible to simply
 look at that code to see what is and isn't linked.

 This would probably be a good reference item for the wiki.  If/when we get a
 solid answer, we should probably post it there.

 Matthew Nuzum | ISPs: Make $200 - $5,000 per referral by
 www.followers.net | recommending Elite CMS to your customers!
 [EMAIL PROTECTED] | http://www.followers.net/isp



 - Original Message -
 From: Matthew Nuzum [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, November 03, 2003 10:48 PM
 Subject: RE: [Vserver] 1.0 release - I agree!


 
  questions:
  how could i create a vserver by using link instead of copy so that i
  could share the disk space?
 
  cheers,
  charles
 
  Charles, forgive me if I misunderstood your question, I am by no means an
  expert at setting up vservers.  However, regarding this issue, if you do
  cp -al file1 file2 (that's lower case A L ) it simply makes a hardlink from
  file1 to the other.  That way, you can make links from the comfort of your
  copy command.
 
  Matthew Nuzum | ISPs: Make $200 - $5,000 per referral by
  www.followers.net | recommending Elite CMS to your customers!
  [EMAIL PROTECTED] | http://www.followers.net/isp
 
 
 


Re: [Vserver] An interesting problem/bug with IP aliases

2003-11-03 Thread Jacques Gelinas
On Fri, 31 Oct 2003 10:05:02 -0500, Chris Wright wrote
 * Jacques Gelinas ([EMAIL PROTECTED]) wrote:
  The ip command uses the same kernel interface as ifconfig to setup IP aliases.
  The SECONDARY flag can't be touched using the kernel interface.
  So the command will produce the same problem.
  
  While the ip command does more, especially on the routing side, it does the
  same thing on the IP aliases side.
 
 This isn't actually the case.  The difference is how you can set the
 secondary flag, etc.  Try this:
 
 # ip addr add 192.168.1.0/24 dev eth0
 # ip addr add 192.168.1.1 dev eth0
 # ip addr add 192.168.1.2 dev eth0
 # ip addr list
 
 now you have two usable aliases .1 and .2 (try pinging them from another
 machine).  With .1 being the first one you set up (take note of the
 subnets that they are assigned to).

Yes I am taking note. Both (1.2 and 1.1) end up on /32. I am getting the same
result with ifconfig. They end up on different networks.


$ /sbin/ip addr add 192.168.0.0/24 dev eth0
$ /sbin/ip addr add 192.168.0.1 dev eth0
$ /sbin/ip addr add 192.168.0.2 dev eth0
$ /sbin/ip addr list


inet 192.168.0.0/24 scope global eth0
inet 192.168.0.1/32 scope global eth0
inet 192.168.0.2/32 scope global eth0

Now if I do

$ /sbin/ip addr add 192.168.0.0/24 dev eth0
$ /sbin/ip addr add 192.168.0.1/24 dev eth0
$ /sbin/ip addr add 192.168.0.2/24 dev eth0
$ /sbin/ip addr list

inet 192.168.0.0/24 scope global eth0
inet 192.168.0.1/24 scope global secondary eth0
inet 192.168.0.2/24 scope global secondary eth0

Now if I delete 192.168.0.0, I am losing them all.

-

I have reviewed this problem. I realise now why most people have not experienced
this problem. If you set an IP alias (using whatever tool) on eth0, using the same
network as currently defined on eth0, then the aliases become all secondary
and you lose the aliases definition only if you unconfigure eth0, which you seldom
do.

We have witnessed this problem because we generally use private networks inside
a host server and all the vservers are hooked to this network. We do this to
achieve physical network failover. All our servers have 2 nics and using gated
the internal network used by the vservers is advertised on both nics.

Using the ip addr add 192.168.0.0/24 dev eth0 above should cure our own
problem. I realise this is not a typical setup.


-
Jacques Gelinas [EMAIL PROTECTED]
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc


Re: [Vserver] An interesting problem/bug with IP aliases

2003-11-03 Thread Chris Wright
* Jacques Gelinas ([EMAIL PROTECTED]) wrote:
 $ /sbin/ip addr add 192.168.0.0/24 dev eth0
 $ /sbin/ip addr add 192.168.0.1 dev eth0
 $ /sbin/ip addr add 192.168.0.2 dev eth0
 $ /sbin/ip addr list
 
 
 inet 192.168.0.0/24 scope global eth0
 inet 192.168.0.1/32 scope global eth0
 inet 192.168.0.2/32 scope global eth0
 
 Now if I do
 
 $ /sbin/ip addr add 192.168.0.0/24 dev eth0
 $ /sbin/ip addr add 192.168.0.1/24 dev eth0
 $ /sbin/ip addr add 192.168.0.2/24 dev eth0
 $ /sbin/ip addr list
 
 inet 192.168.0.0/24 scope global eth0
 inet 192.168.0.1/24 scope global secondary eth0
 inet 192.168.0.2/24 scope global secondary eth0
 
 Now if I delete 192.168.0.0, I am losing them all.

Yup, this latter example is what happens with ifconfig.

 I have reviewed this problem. I realise now why most people have not experienced
 this problem. If you set an IP alias (using whatever tool) on eth0, using the same
 network as currently defined on eth0, then the aliases become all secondary
 and you lose the aliases definition only if you unconfigure eth0, which you seldom
 do.
 
 We have witnessed this problem because we generally use private networks inside
 a host server and all the vservers are hooked to this network. We do this to
 achieve physical network failover. All our servers have 2 nics and using gated
 the internal network used by the vservers is advertised on both nics.
 
 Using the ip addr add 192.168.0.0/24 dev eth0 above should cure our own
 problem. I realise this is not a typical setup.

We have seen similar problems in the linux-ha project.  Use of ip
instead of ifconfig gives much better flexibility, IMHO.  Hope it's
working for you now.

thanks,
-chris
-- 
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
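
The primary/secondary behaviour discussed in this thread, as a check that reads `ip addr list` output and reports which aliases vanish when a given address is deleted. This is an added example, not code from the thread or from iproute2: the function names are hypothetical, the two samples are the listings quoted above, and the deletion rule is a model of what the posters report (removing a primary drops the secondaries in its subnet).

```python
import ipaddress

# Samples: the two `ip addr list` results quoted in the thread.
HOST_MASKS = """\
inet 192.168.0.0/24 scope global eth0
inet 192.168.0.1/32 scope global eth0
inet 192.168.0.2/32 scope global eth0
"""
SAME_SUBNET = """\
inet 192.168.0.0/24 scope global eth0
inet 192.168.0.1/24 scope global secondary eth0
inet 192.168.0.2/24 scope global secondary eth0
"""


def parse_inet(text):
    """Return [(IPv4Interface, is_secondary)] for every `inet` line."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "inet":
            iface = ipaddress.ip_interface(words[1])
            entries.append((iface, "secondary" in words[2:]))
    return entries


def removed_with(address, text):
    """Addresses lost when `address` is deleted, the address itself first.

    Model of the reported behaviour: a secondary goes away alone, a
    primary takes every secondary of the same subnet with it.
    """
    entries = parse_inet(text)
    hit = [(i, sec) for i, sec in entries if str(i.ip) == address]
    if not hit:
        return []
    target, is_secondary = hit[0]
    lost = [str(target)]
    if not is_secondary:
        lost += [str(i) for i, sec in entries
                 if sec and i.network == target.network]
    return lost


def fragile_primaries(text):
    """Map each primary to the secondaries that depend on it."""
    return {str(i): removed_with(str(i.ip), text)[1:]
            for i, sec in parse_inet(text) if not sec}
```

Running `fragile_primaries` over a host's address list before removing an address shows which vserver aliases share its fate.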


Re: [Vserver] Problems Setting Limits

2003-11-03 Thread Alexander Goeres
Hi Enrico!

On Saturday, 1 November 2003 00:08, Enrico Scholz wrote:
 [EMAIL PROTECTED] (Alexander Goeres) writes:
  with util-vserver (which btw failed to compile completely

 Which errors, which environment? Build of 0.23.96 has been tested
 successfully on RH rawhide, RHL 7.3 and Debian 2.2.

The environment is Debian 3.0 and a kernel that was patched with the patches 
from 
http://vserver.13thfloor.at/Linux2.6/index.php?page=Per+Context+Disk+Limits.

configure seems to run without problems, but make doesn't make it. I'll attach 
the nohups of configure and make. 

greetings
Alexander
---
[EMAIL PROTECTED]
tel.: +49 (0)30 / 61 20 26 87
fax: +49 (0)30 / 61 20 26 89
---
lieblinxNET
 we do software
a Marwood  Thiele GbR
---
reichenber straße 125
10999 Berlin

http://lieblinx.net
---
X
configure-output:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for g++... g++
checking for C++ compiler default output... a.out
checking whether the C++ compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of g++... gcc
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking dependency style of gcc... gcc
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for ranlib... ranlib
checking whether gcc and cc understand -c and -o together... yes
checking whether the C-compiler accepts -Werror -W... yes
checking whether gcc accepts -std=c99... no
checking whether gcc accepts -Wall... yes
checking whether gcc accepts -pedantic... yes
checking whether gcc accepts -W... yes
checking whether gcc accepts -Wno-unused-parameter... no
checking whether the C++-compiler accepts -Werror -W... yes
checking whether g++ accepts -ansi... yes
checking whether g++ accepts -Wall... yes
checking whether g++ accepts -pedantic... yes
checking whether g++ accepts -W... yes
checking whether g++ accepts -fmessage-length=0... no
checking for linux kernel dir... /lib/modules/2.4.22-c17e/build
checking for linux kernel headers... /lib/modules/2.4.22-c17e/build/include
checking which vserver-rootdir is to use... /var/lib/vservers
checking for supported APIs... legacy,compat
checking for sys_virtual_context... no
checking whether MS_MOVE is declared... no
checking for ctx_t... no
configure: creating ./config.status
config.status: creating util-vserver.spec
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands


make output

make[1]: Entering directory `/root/util-vserver-0.23.96'
test -z sysv/rebootmgr sysv/v_gated sysv/v_httpd sysv/v_named sysv/v_portmap 
sysv/v_sendmail sysv/v_smb sysv/v_sshd sysv/v_xinetd sysv/vservers 
scripts/util-vserver-vars  scripts/vkill scripts/vps linuxconf/newvserver 
linuxcaps.h linuxvirtual.h || rm -f sysv/rebootmgr sysv/v_gated sysv/v_httpd 
sysv/v_named sysv/v_portmap sysv/v_sendmail sysv/v_smb sysv/v_sshd 
sysv/v_xinetd sysv/vservers scripts/util-vserver-vars  scripts/vkill 
scripts/vps linuxconf/newvserver linuxcaps.h linuxvirtual.h
test -z lib/libvserver.a || rm -f lib/libvserver.a
test -z tests/chrootsafe tests/escaperoot tests/forkbomb tests/testipc 
tests/testlimit tests/testopenf || rm -f tests/chrootsafe tests/escaperoot 
tests/forkbomb tests/testipc tests/testlimit tests/testopenf
test -z src/capchroot src/fakerunlevel src/filetime src/ifspec src/listdevip 
src/parserpmdump src/readlink src/showattr src/showperm src/vbuild src/vcheck 
src/vreboot src/vunify || rm -f src/capchroot src/fakerunlevel src/filetime 
src/ifspec src/listdevip src/parserpmdump src/readlink src/showattr 
src/showperm src/vbuild src/vcheck src/vreboot src/vunify
test -z src/chbind src/chcontext src/rebootmgr src/reducecap src/vdu 
src/vfiles src/vserver-stat || rm -f src/chbind src/chcontext src/rebootmgr 
src/reducecap src/vdu src/vfiles src/vserver-stat
rm -f *.o core *.core
rm -f lib/lib_libvserver_a-checkversion.o
rm -f lib/lib_libvserver_a-getctx.o
rm -f lib/lib_libvserver_a-getversion.o
rm -f lib/lib_libvserver_a-syscall.o
rm -f lib/lib_libvserver_a-uint2str.o
rm -f src/capchroot.o
rm -f src/chbind.o
rm -f src/chcontext.o
rm -f