[Vserver] ifconfig_iproot() problem in vserver script

2005-04-28 Thread Stephan Sachse
Hi,

my setup looks like this

## myvserver.conf
IPROOT=eth1:80.100.219.143 10.2.25.13
IPROOTDEV=eth1:1

## eth1
inet Adresse:80.100.219.140
Bcast:80.100.219.255
Mask:255.255.255.128

## eth1:1
inet Adresse:10.2.25.3
Bcast:10.2.25.255
Mask:255.255.255.0

in this case the vserver script configures faulty interfaces like this

eth1:myvserver
inet Adresse:80.100.219.143
Bcast:82.100.209.255
Mask:255.255.255.128

eth1:1:myvserver
inet Adresse:10.2.25.13
Bcast:82.100.209.255
Mask:255.255.255.128

attached patch fixes this.

Mask can be fixed by changing the config like this

## myvserver.conf
IPROOT=eth1:80.100.219.143/255.255.255.128 10.2.25.13/255.255.255.0
IPROOTDEV=eth1:1

but Bcast is always false.

/me

-- 
---//
NU informationssysteme gmbh, nu research
a: berliner straße 31, 01589 riesa, saxony, DE
t: +49-3525-65733-40
f: +49-3525-65733-50
m: [EMAIL PROTECTED]
w: http://nugmbh.de
---
$cd pub;
$more beer
---
This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail
in error) please notify the sender immediately and destroy this e-mail.
Any unauthorised copying, disclosure or distribution of the material
in this e-mail is strictly forbidden.


vserver.patch
Description: Binary data
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
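
The values in this report can be checked by hand: a broadcast address is the address ANDed with its netmask, with all host bits then set. The script below is an added example, not the attached patch and not util-vserver code; it parses `[dev:]address[/netmask]` entries as written in the IPROOT lines above, and the function names and the default-device and default-netmask arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example, not util-vserver code. The [dev:]address[/netmask] entry
# syntax is the one used in the IPROOT lines quoted in this thread.

# ip_to_int A.B.C.D -> 32-bit integer; fails on anything malformed
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        # reject empty, leading-zero (would be read as octal) and 4+ digit octets
        case $_o in ''|0?*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast ADDRESS NETMASK -> (address AND mask) OR (NOT mask), kept to 32 bits
broadcast() {
    _ip=$(ip_to_int "$1") || return 1
    _mask=$(ip_to_int "$2") || return 1
    int_to_ip $(( ($_ip & $_mask) | (~$_mask & 4294967295) ))
}

# iproot_plan "IPROOT value" DEFAULT_DEV DEFAULT_MASK
# DEFAULT_DEV and DEFAULT_MASK are this example's own fallbacks (assumptions)
# for entries that name no device or no netmask.
# Prints one line per entry: device address netmask broadcast
iproot_plan() {
    for _entry in $1; do
        _dev=$2 _nm=$3 _addr=$_entry
        case $_addr in *:*) _dev=${_addr%%:*}; _addr=${_addr#*:} ;; esac
        case $_addr in */*) _nm=${_addr#*/}; _addr=${_addr%%/*} ;; esac
        _bc=$(broadcast "$_addr" "$_nm") || { echo "bad entry: $_entry" >&2; return 1; }
        echo "$_dev $_addr $_nm $_bc"
    done
}

# Constructed input: the two addresses from the thread, each with its own netmask
iproot_plan "eth1:80.100.219.143/255.255.255.128 eth1:10.2.25.13/255.255.255.0" eth1 255.255.255.0
```

Comparing these lines with the `Bcast:` and `Mask:` fields that ifconfig shows for each alias makes a mismatch like the one reported here visible per address.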


Re: [Vserver] kill: (1) - No such process

2005-04-28 Thread Gilles
Hi.

  
> > 1. vserver not running: no defunct processes.
> > 2. start vserver: still no defunct processes.
> > 3. stop vserver: every application closed becomes defunct.
> > 4. impossible to start the vserver again:
> >    vcontext: vc_create_context(): File exists.
> >    And init is hung (have to reset the computer).
> >
> > Ideas?
>
> well, next step is to trace the entire vserver startup
> with --debug and strace -fF to figure ...
>
>  a) what is started and/or executed
>  b) what might reach the init on the host
>
> it might also pose useful to turn on the linux-vserver
> debugging (especially the syscall command switch)


What I did:

- Recompile the kernel, enabling vserver debugging. [I didn't
  touch anything else in the config.]
- Run strace as you suggested above (but note that I didn't
  find a --syscall switch in the vserver script).

[I had attached a file with the output but it was refused by
Mailman because it is 87 kB in size.  So I now sent it to you
(Herbert).]

*But* I couldn't reproduce the previous behaviour.  Now the
vserver script seems to hang before the actual server is 
started (/proc/virtual/ contains no reference to new context
99), in function clone (cf. last line of strace output).


Does this give you some hints as to what is going on?

Best,
Gilles


Re: [Vserver] ifconfig_iproot() problem in vserver script

2005-04-28 Thread Herbert Poetzl
On Thu, Apr 28, 2005 at 01:06:26PM +0200, Stephan Sachse wrote:
> Hi,
>
> my setup looks like this
>
> ## myvserver.conf
> IPROOT=eth1:80.100.219.143 10.2.25.13
> IPROOTDEV=eth1:1

which is just plain wrong, you _never_ specify an alias as device

if you want both 80.100.219.143 and 10.2.25.13 to be
created as alias, then use:

  IPROOT=eth1:80.100.219.143 eth1:10.2.25.13
  IPROOTDEV=

if you want just 80.100.219.143 to be created and
you assume that 10.2.25.13 already exists, then use:

  IPROOT=eth1:80.100.219.143 10.2.25.13
  IPROOTDEV=

> ## eth1
> inet Adresse:80.100.219.140
> Bcast:80.100.219.255
> Mask:255.255.255.128
>
> ## eth1:1
> inet Adresse:10.2.25.3
> Bcast:10.2.25.255
> Mask:255.255.255.0
>
> in this case the vserver script configures faulty interfaces like this
>
> eth1:myvserver
> inet Adresse:80.100.219.143
> Bcast:82.100.209.255
> Mask:255.255.255.128
>
> eth1:1:myvserver
> inet Adresse:10.2.25.13
> Bcast:82.100.209.255
> Mask:255.255.255.128
>
> attached patch fixes this.

the tools (util-vserver) get this quite right if
you specify it correctly ...

> Mask can be fixed by changing the config like this
>
> ## myvserver.conf
> IPROOT=eth1:80.100.219.143/255.255.255.128 10.2.25.13/255.255.255.0
> IPROOTDEV=eth1:1
>
> but Bcast is always false.

HTH,
Herbert

 
> /me

[funny stuff zapped ...]



[Vserver] FW: Oracle 10g... any Production Environments on VServer?

2005-04-28 Thread Matthew Nuzum
> Sadly, Postgres is missing these important features;
>   - bitmap indexes
>   - OLAP query re-writing

I'm a big postgres fan and closely follow the performance mailing list.
These features sound intriguing so I'm going to enquire about their status.
Interestingly, I've heard recent discussions about both bitmap indexes and
materialized views and my belief was that many people on the list are using
materialized views now, though I'm not sure if that is provided by a
contributed module.

I'm not trying to convince you to switch to PG, I'm just curious if these
features are available to me. BTW, one interesting feature that Oracle has
is the ability to store hierarchical data in a flat db table and pull it out
in one query. For example:

It can take this data:       And sort it *correctly* like this:
Id  Parent  Name             Id  Name
0           Home             0   Home
1   0       Documents        1     Documents
2   0       Applications     4       Work
3   0       Pictures         5       Personal
4   1       Work             2     Applications
5   1       Personal         6       Photoshop
6   2       Photoshop        7       OpenOffice.org
7   2       OpenOffice.org   3     Pictures
8   3       Family           8       Family

This takes several queries in PostgreSQL.

[Pause (always Google before you post)]

Oh, I knew bitmaps were fresh in my memory:
http://sql-info.de/postgresql/news/weekly-news_2005-04-24.html
... Victor Y. Yegorov's on-disk bitmap indexes, which are a new index type
intended to allow indexing low-cardinality attributes on large tables. The
two features together should greatly improve performance of decision
support / business intelligence workloads.

And:
http://jonathangardner.net/PostgreSQL/materialized_views/matviews.html
Materialized views are certainly possible in PostgreSQL. Because of
PostgreSQL's powerful PL/pgSQL language, and the functional trigger system,
materialized views are somewhat easy to implement.

Thanks for describing these features; they look like areas where I can
improve some aspects of my application.

-- 
Matthew Nuzum [EMAIL PROTECTED]
www.followers.net - Makers of Elite Content Management System
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/



Re: [Vserver] ifconfig_iproot() problem in vserver script

2005-04-28 Thread Stephan Sachse
Hi,

On Thu, 28 Apr 2005 16:25:00 +0200
Herbert Poetzl [EMAIL PROTECTED] wrote:

> > my setup looks like this
> >
> > ## myvserver.conf
> > IPROOT=eth1:80.100.219.143 10.2.25.13
> > IPROOTDEV=eth1:1
>
> which is just plain wrong, you _never_ specify an alias as device
>
> if you want both 80.100.219.143 and 10.2.25.13 to be
> created as alias, then use:
>
>   IPROOT=eth1:80.100.219.143 eth1:10.2.25.13
>   IPROOTDEV=

hmm, i tested this, but now only the eth1:10.2.25.13 alias was created.
the first alias (eth1:80.100.219.143) was missing

ifconfig in the vserver looks like this

eth0 Protokoll:Ethernet  Hardware Adresse 00:40:63:C8:10:0E
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 

eth1 Protokoll:Ethernet  Hardware Adresse 00:50:BF:1A:21:36
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 ...

eth1:myvs Protokoll:Ethernet  Hardware Adresse 00:50:BF:1A:21:36
  inet Adresse:10.2.25.13  Bcast:82.100.209.255  Maske:255.255.255.128
 ...


you see the bcast addr on eth1:myvs?
the alias for 80.100... is missing.
my util-vserver version is 0.29 but the vserver script is unchanged in
0.30.

thanks

/me

-- 
---//
NU informationssysteme gmbh, nu research
a: berliner straße 31, 01589 riesa, saxony, DE
t: +49-3525-65733-40
f: +49-3525-65733-50
m: [EMAIL PROTECTED]
w: http://nugmbh.de
---
printk(What? oldfid != cii-c_fid. Call 911.\n);
2.4.3 linux/fs/coda/cnode.c
---


[Vserver] MTA inside a vserver

2005-04-28 Thread Paul S. Gumerman
I hope this isn't considered to be an idiotic question, but here goes:
What's the minimal way to configure a vserver (using FC3 for both host
and guest) to be able to send OUTGOING email via the sendmail service
that is already running on the host?

I've got cron jobs running in a vserver that can't send mail to me.  I'm 
hoping that there's something less heavy-weight than installing sendmail 
into each vserver.

Thanks,
  Paul


Re: [Vserver] MTA inside a vserver

2005-04-28 Thread Pablo E. Medina
Hi,

You can use nail/mailrc to set remote host settings.

http://nail.sourceforge.net/

Pablo

> I hope this isn't considered to be an idiotic question, but here goes:
>
> What's the minimal way to configure a vserver (using FC3 for both host
> and guest) to be able to send OUTGOING email via the sendmail service
> that is already running on the host?
>
> I've got cron jobs running in a vserver that can't send mail to me.  I'm
> hoping that there's something less heavy-weight than installing sendmail
> into each vserver.
>
> Thanks,
>    Paul


[Vserver] Vservers and Rootkits

2005-04-28 Thread Roderick A. Anderson
I have a vserver that has all the indicators that it is a victim of a root
kit ( SucKIT ).  In my readings so far I see that SucKIT is loaded
through /dev/kmem ( ie. it doesn't need a kernel with support for loadable
kernel modules -- http://la-samhna.de/library/rootkits/list.html ).
This is a very old Vserver kernel ( embarrassing but true -- 2.4.21ctx-17
).
   Several other vservers , like this one , were built unified to a
reference vserver so whenever I find a replaced/changed file in the
'compromised' vserver ; fcheck ( run in the main server ) reports all the
unified vservers' files as changed.

For a while I didn't have fcheck checking all the places it should have so
I've played hell trying to eradicate the rootkit.  So my question is: is it
possible for an exploit using /dev/kmem in a vserver to stick something
in the kernel like this?

Each time after I find and remove or replace the files and/or directories
I reboot the vserver ( not the main ).  I'm still seeing the return of the
'[EMAIL PROTECTED]*' buggers.  So either I haven't got all the compromised
accounts plugged or there is some way the hole is remaining open.

I'm trying to remove this rather than just build a new vserver and move to 
it.  A Good exercise I feel.

Any thoughts or ideas on this?


TIA,
Rod
-- 
Open Source Software - You usually get more than you pay for...
 Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
   Will code for ale, porter, or single-malt



Re: [Vserver] FW: Oracle 10g... any Production Environments on VServer?

2005-04-28 Thread Sam Vilain
Matthew Nuzum wrote:
> I'm a big postgres fan and closely follow the performance mailing list.
> These features sound intriguing so I'm going to enquire about their status.

Ah, my plan is falling into place... rubs hands together

> features are available to me. BTW, one interesting feature that Oracle has
> is the ability to store hierarchical data in a flat db table and pull it out
> in one query. For example:
>   [...]
> This takes several queries in PostgreSQL.

It sounds great in theory, doesn't it?

Then I found out that you can't use it for anything 'useful', for instance
by passing in a table column alias to the START WITH from an outer query,
which seemed to me the most natural way to use it;

   select
      t1.id,
      t1.name,
      tn.id as child_id
   from
      mytable t1
   left join
      (select
          t2.id
       from
          mytable t2
       start with
          t2.id = t1.id
       connect by
          prior id = parent_id
      ) tn on top_id = t1.id
   where
      t1.name like '%foo%';

That's not a valid query; in fact I couldn't really see a way I could use
it to generically do 'recursive' joins, to pretend that a hierarchical
relationship is a mapping table or something like that, even using views
and such trickery.

However, it sure is useful for indenting hierarchical results for a
single hierarchy in display, like its EXPLAIN PLAN statement.

I've seen this a lot with Oracle.  Some feature sounds great, then you
try to use it and find it's not as useful as you thought, for a very
trivial yet seemingly unsurmountable reason (and I refuse to learn any
DB-specific 4GLs ;)).  I was dumbfounded when a bug in functional indexes
gave me bogus results for a query (if some silly conditions held), and
there was simply no patch available for a supposedly stable database.
So we had to upgrade to a new major version (and of course we found other
bugs there too).

Tangram has ways to work around this problem in a DB-independent way, so
I'm not particularly worried :).

The information you found about these features is interesting; it sure
would be great if Pg is maturing enough to be a viable replacement!

Thanks for the off-topic banter :)

Sam.


Re: [Vserver] Vservers and Rootkits

2005-04-28 Thread Herbert Poetzl
On Thu, Apr 28, 2005 at 02:31:23PM -0700, Roderick A. Anderson wrote:
> I have a vserver that has all the indicators that it is a victim of a root
> kit ( SucKIT ).  In my readings so far I see that SucKIT is loaded
> through /dev/kmem ( ie. it doesn't need a kernel with support for loadable

life is hard without proc security ...

> kernel modules -- http://la-samhna.de/library/rootkits/list.html ).
> This is a very old Vserver kernel ( embarrassing but true -- 2.4.21ctx-17
> ).
>    Several other vservers , like this one , were built unified to a
> reference vserver so whenever I find a replaced/changed file in the
> 'compromised' vserver ; fcheck ( run in the main server ) reports all the
> unified vservers' files as changed.
>
> For a while I didn't have fcheck checking all the places it should have so
> I've played hell trying to eradicate the rootkit.  So my question is: is it
> possible for an exploit using /dev/kmem in a vserver to stick something
> in the kernel like this?

very likely ...

> Each time after I find and remove or replace the files and/or directories
> I reboot the vserver ( not the main ).  I'm still seeing the return of the
> '[EMAIL PROTECTED]*' buggers.  So either I haven't got all the compromised
> accounts plugged or there is some way the hole is remaining open.
>
> I'm trying to remove this rather than just build a new vserver and move to
> it.  A Good exercise I feel.

well, one of the basic rules with 'infected' or
'compromised' servers is, get it offline and shut
it down asap, then, from a known good system, 
inspect the various things ...

> Any thoughts or ideas on this?

on 2.4.21ctx-17 there are plenty of options to
compromise guest and host system ...

best,
Herbert

> TIA,
> Rod


Re: [Vserver] Vservers and Rootkits

2005-04-28 Thread Bodo Eggert
On Thu, 28 Apr 2005, Roderick A. Anderson wrote:

> I have a vserver that has all the indicators that it is a victim of a root
> kit ( SucKIT ).  In my readings so far I see that SucKIT is loaded
> through /dev/kmem ( ie. it doesn't need a kernel with support for loadable
> kernel modules -- http://la-samhna.de/library/rootkits/list.html ).
> This is a very old Vserver kernel ( embarrassing but true -- 2.4.21ctx-17
> ).
[...]
> For a while I didn't have fcheck checking all the places it should have so
> I've played hell trying to eradicate the rootkit.  So my question is: is it
> possible for an exploit using /dev/kmem in a vserver to stick something
> in the kernel like this?

/dev/kmem should not exist, but an exploit might give similar access.

Change the kernel NOW.

> Each time after I find and remove or replace the files and/or directories
> I reboot the vserver ( not the main ).  I'm still seeing the return of the
> '[EMAIL PROTECTED]*' buggers.  So either I haven't got all the compromised
> accounts plugged or there is some way the hole is remaining open.

So it hooked itself into the start scripts.

You'll need to disable the start scripts and reenable them one by one
until you find the one starting the bugger.

(If it's a rpm based vserver, you may try the rpm verify option.)

> I'm trying to remove this rather than just build a new vserver and move to
> it.  A Good exercise I feel.

If it's for exercise only, it's OK, but if it's a productive system, see
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
-- 
Funny quotes:
31. Why do overlook and oversee mean opposite things?
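
One way to follow the advice in this thread (inspect the stopped guest from a known-good system and find the start script that was changed), as an added example that is not from the posters, util-vserver or fcheck: it checks a guest's start-script directories against a baseline and flags changed files that are hard-linked, since a unified file edited in place changes for every vserver sharing it. The guest path, the directory names, the manifest (`sha256sum` output made from known-good media) and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from util-vserver or fcheck. Run it on the host or a
# rescue system with the guest stopped. Assumptions: the manifest is
# `sha256sum` output made from known-good media, paths relative to the guest
# root and free of whitespace; GNU find, stat and sha256sum are available.

# check_start_scripts GUEST_ROOT MANIFEST DIR...
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on misuse.
check_start_scripts() {
    root=$1 manifest=$2
    { [ $# -ge 3 ] && [ -d "$root" ] && [ -r "$manifest" ]; } || return 2
    shift 2
    findings=$(
        # Files present in the guest: compare each against the baseline.
        (cd "$root" && find "$@" -type f 2>/dev/null) | sort |
        while IFS= read -r f; do
            want=$(awk -v p="$f" '$2 == p { print $1; exit }' "$manifest")
            have=$(sha256sum "$root/$f" | cut -d' ' -f1)
            if [ -z "$want" ]; then
                echo "UNKNOWN $f"
            elif [ "$want" != "$have" ]; then
                # links>1: a unified (hard-linked) file, so the same changed
                # content is visible in every vserver sharing that inode.
                echo "MODIFIED $f links=$(stat -c %h "$root/$f")"
            fi
        done
        # Baseline entries under the checked directories that have vanished.
        awk '{ print $2 }' "$manifest" | while IFS= read -r f; do
            for d in "$@"; do
                case $f in ("$d"/*) [ -e "$root/$f" ] || echo "MISSING $f" ;; esac
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo: a reference tree, a guest unified to it by hard link, a
# manifest of the clean state, then an in-place edit and an extra script.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/ref/etc/init.d" "$t/guest/etc/init.d"
    printf '#!/bin/sh\necho network\n' > "$t/ref/etc/init.d/network"
    ln "$t/ref/etc/init.d/network" "$t/guest/etc/init.d/network"
    (cd "$t/guest" && sha256sum etc/init.d/network) > "$t/manifest"
    echo '# edited in place' >> "$t/guest/etc/init.d/network"
    echo ':' > "$t/guest/etc/init.d/extra"
    rc=0
    check_start_scripts "$t/guest" "$t/manifest" etc/init.d || rc=$?
    rm -rf "$t"
    return "$rc"
}

demo || echo "demo exit status: $?"
```

A manifest taken from the reference vserver on the same disk is not a baseline here: a unified file changed in place has the same content in the reference tree.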


[Vserver] Ubuntu Guest Image

2005-04-28 Thread Darryl Ross
Heyas All,

Does anyone have a Ubuntu Hoary guest image built?

Alternatively, is it possible to use the debian-newvserver.sh script to
build a hoary vserver?

Thanks
Darryl



Re: [Vserver] Ubuntu Guest Image

2005-04-28 Thread Christian Hergert
You could always debootstrap to an image backed file using:
   debootstrap hoary /path/to/image/mount http://us.archive.ubuntu.com/ubuntu

~ chris
On Apr 28, 2005, at 6:10 PM, Darryl Ross wrote:
> Heyas All,
>
> Does anyone have a Ubuntu Hoary guest image built?
>
> Alternatively, is it possible to use the debian-newvserver.sh script to
> build a hoary vserver?
>
> Thanks
> Darryl