Re: [Vserver] Experimental Version

2004-04-19 Thread Bjoern Steinbrink
On Mo, 2004-04-19 at 20:06, Chris Wilson wrote:
 Hi all,
 
Hi Chris,

 I'm trying to get the experimental vserver patch 0.09 working on kernel 
 2.6 (since it appears to be the only option for 2.6 right now). The kernel 
No, the most recent 2.6 patch is pre10. Patches, deltas and various
other stuff can be found here:
http://vserver.13thfloor.at/Experimental/

 patched and compiled fine, but when I try to enter a virtual server (which 
 I haven't tested on 2.4, so it could be a problem with the virtual server 
 itself), I get the following errors:
 
 /usr/sbin/vserver: line 715: ulimit: max user processes: cannot modify 
 limit: Invalid argument
I guess you're using the stable tools, or at least a legacy
configuration, replace -H with -HS in the ULIMIT line. This is a general
kernel change introduced somewhere around 2.4.24 IIRC.

 Error: /proc must be mounted and readable
   To mount /proc at boot you need an /etc/fstab line like:
   /proc   /proc   procdefaults
   In the meantime, `mount /proc /proc -t proc'
   To set the permissions, `chmod 755 /proc'
Proc-entries are by default hidden in devel/exper. patches, more
information can be found here:
http://www.linux-vserver.org/index.php?page=Proc-Security
http://archives.linux-vserver.org/200401/0125.html
http://list.linux-vserver.org/archive/vserver/msg06552.html

 ipv4root is now 192.168.3.181
 Can't set the new security context
 : Invalid argument
Hmm... Don't know, maybe you're not using a static context? Basic
kernel/tools check script is located here:
http://vserver.13thfloor.at/Stuff/testme.sh

 Can anyone advise me what the problem might be? Are new tools required for
 the experimental patch, and if so where can I get them from? I don't mind 
 if they are experimental too, but I can't see any on the downloads page 
 [http://www.13thfloor.at/vserver/e_patches/overview/].
The alpha tools are AFAIK not required but their use is strongly
suggested, because only those provide support for the latest features.
http://www.linux-vserver.org/index.php?page=alpha+util-vserver

Bjoern

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
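
The `-H` versus `-HS` behaviour behind the "cannot modify limit: Invalid argument" error in the message above, as an added example that is not part of the original thread or of the vserver scripts. It uses the open-files limit (`-n`) with constructed values 64 and 32 so that it runs unprivileged; the script in the thread sets max user processes instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from the vserver tools.
#
# setrlimit(2) rejects any request in which the soft limit would exceed the
# hard limit (EINVAL). `ulimit -H` changes only the hard value, so lowering
# it below the current soft value is refused; `ulimit -HS` moves both at once.

# try_limit FLAGS NEW START_SOFT   (hypothetical helper name)
# In a subshell: pin the soft limit to START_SOFT, apply `ulimit FLAGS -n NEW`,
# then report whether that worked and what the soft limit is afterwards.
try_limit() {
    (
        ulimit -S -n "$3" || exit 2          # known starting point
        if ulimit "$1" -n "$2" 2>/dev/null; then
            status=ok
        else
            status=fail
        fi
        echo "$status soft=$(ulimit -S -n)"
    )
}

echo "-H  below soft: $(try_limit -H 32 64)"    # hard only, new hard < soft
echo "-HS below soft: $(try_limit -HS 32 64)"   # hard and soft together
echo "-H  at soft:    $(try_limit -H 64 64)"    # hard only, new hard == soft
```

Each case runs in its own subshell, so the limits of the calling shell are left untouched.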


Re: [Vserver] Experimental Version

2004-04-19 Thread Herbert Poetzl
On Mon, Apr 19, 2004 at 08:48:23PM +0200, Bjoern Steinbrink wrote:
 On Mo, 2004-04-19 at 20:06, Chris Wilson wrote:
  Hi all,
  
 Hi Chris,
 
  I'm trying to get the experimental vserver patch 0.09 working on kernel 
  2.6 (since it appears to be the only option for 2.6 right now). The kernel 
 No, the most recent 2.6 patch is pre10. Patches, deltas and various
 other stuff can be found here:
 http://vserver.13thfloor.at/Experimental/

yes, actually it's vs1.9.0pre10.3 ... ;)

  patched and compiled fine, but when I try to enter a virtual server (which 
  I haven't tested on 2.4, so it could be a problem with the virtual server 
  itself), I get the following errors:
  
  /usr/sbin/vserver: line 715: ulimit: max user processes: cannot modify 
  limit: Invalid argument
 I guess you're using the stable tools, or at least a legacy
 configuration, replace -H with -HS in the ULIMIT line. This is a general
 kernel change introduced somewhere around 2.4.24 IIRC.

(since 2.4.22 actually)
unrelated to vserver, the kernel interface has
changed, but still some tools do not know about it ;)

  Error: /proc must be mounted and readable
    To mount /proc at boot you need an /etc/fstab line like:
    /proc   /proc   procdefaults
    In the meantime, `mount /proc /proc -t proc'
    To set the permissions, `chmod 755 /proc'
 Proc-entries are by default hidden in devel/exper. patches, more
 information can be found here:

with vs1.9.0pre10* you can actually disable the
proc security from the menuconfig (or *config)

 http://www.linux-vserver.org/index.php?page=Proc-Security
 http://archives.linux-vserver.org/200401/0125.html
 http://list.linux-vserver.org/archive/vserver/msg06552.html
 
  ipv4root is now 192.168.3.181
  Can't set the new security context
  : Invalid argument
 Hmm... Don't know, maybe you're not using a static context? Basic
 kernel/tools check script is located here:
 http://vserver.13thfloor.at/Stuff/testme.sh
 
  Can anyone advise me what the problem might be? Are new tools required for
  the experimental patch, and if so where can I get them from? I don't mind 
  if they are experimental too, but I can't see any on the downloads page 
  [http://www.13thfloor.at/vserver/e_patches/overview/].
 The alpha tools are AFAIK not required but their use is strongly
 suggested, because only those provide support for the latest features.
 http://www.linux-vserver.org/index.php?page=alpha+util-vserver

correct, many features are new to 1.9.x and the
legacy tools do not know about them, so they can
not handle them properly ...

best,
Herbert

 Bjoern
 


Re: [Vserver] vserver + other security patches

2004-04-19 Thread Lucas Albers
Is it possible to get these 3 patches working together:
ctx+grsecurity+vserver.

I need grsecurity to protect against numerous and repeated shell cracking
attempts from my students on the login server.

I need the ctx patch to force disk quotas on the servers they use.

Is there any problem with using 2.4.25+patch-2.4.25-vs1.27-q0.14.diff
and then a ctx patch?
The archives contain conflicting opinions on this.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] [Release] Stable 1.27

2004-04-19 Thread Lucas Albers
I got an error applying the grsec patch, appears to be trying to delete a
non-existent file on my system.
(link listed below.)
Other than that error, it applied clean.

**
The next patch would delete the file arch/x86_64/ia32/ptrace32.c.orig,
which does not exist!  Assume -R? [n]
Apply anyway? [n] y
can't find file to patch at input line 6008
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|diff -uriN linux-2.4.25/arch/x86_64/ia32/ptrace32.c.orig
linux-2.4.25-grsec-1.9.14-vserver-1.27/arch/x86_64/ia32/ptrace32.c.orig
|--- linux-2.4.25/arch/x86_64/ia32/ptrace32.c.orig  2004-02-19
14:47:07.0 -0600
|+++
linux-2.4.25-grsec-1.9.14-vserver-1.27/arch/x86_64/ia32/ptrace32.c.orig   
1969-12-31 18:00:00.0 -0600
--
File to patch:
Skip this patch? [y]
**


Sandino Araico Sánchez said:
 I've just uploaded the patch Vserver 1.27 + GR Security 1.9.14 against
 2.4.25 to
 http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.27.patch.gz


 I have not tested it yet in production but it should work since I saw no
 significant difference from previous patch.

 Herbert Poetzl wrote:

Hi Folks!

vserver stable isn't dead yet ;)

I updated the 1.2 (stable) branch to vs1.27, which
includes a few bugfixes and contributions ...

 * the 'notail' flag used for the barrier is no
   longer inherited from dir to files ...
 * the 'bind sequence is important' issue was
   fixed (thanks to Cathy Sarisky for reporting)
 * the 'secure ipv6 on host' patch was added
   (kudos go to Ivo De Decker)

you can download an all-in-one patch for 2.4.25
and 2.4.26-pre5 or tar archives of the broken out
patches as well as a 2.4.25 incremental at:

http://www.13thfloor.at/vserver/s_release/overview

enjoy,
Herbert


 --
 Sandino Araico Sánchez
 -- Lo que no mata engorda.


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
