Re: [Vserver] stuck (can't set the ipv4 root - invalid argument)

2005-07-14 Thread Herbert Poetzl
On Thu, Jul 14, 2005 at 12:16:47AM +1000, Matt Paine wrote:
 Hi.
 
 I've been monitoring the list for a few days now, and constantly 
 searching the vserver site, and the util-vserver site and google for 
 appropriate documentation and I have not been able to find any hints as 
 to what to do next.
 
 My setup:
 
 Host has FC4. Vanilla kernel (2.6.12.2) with the latest vserver patch 
 (2.0-rc6). Standard options. All built and installed and booted with no 
 errors.
 
 util-vserver (0.30) built and installed with no errors.

those are the stable/old tools ... get 0.30.207

 It's from here things get hazy. Sites mention the use of newvserver to 
 create a new virtual server, but that is not part of the util-vserver 

no it's a debian add on of dubious value ...

 package (as far as I can tell). Other sites give examples of the vserver 
 build command. This example is from the gentoo documentation 
 (http://www.gentoo.org/doc/en/vserver-howto.xml) although I seem to be 
 getting the same errors no matter what command I use...
 
 ---8<---
 
 [EMAIL PROTECTED] ~]# vserver test2 build -m skeleton --hostname test2 
 --initstyle plain --context 2 --interface test2=eth0:192.168.1.41/24
 
 Directory /vservers/test2 has been populated
 /etc/vservers/test2.conf has been created. Look at it!
 Can't set the ipv4 root (Invalid argument)
 Can't set the ipv4 root (Invalid argument)
 Can't set the ipv4 root (Invalid argument)
 Can't set the ipv4 root (Invalid argument)

check with http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh
and let us know the results ...

best,
Herbert

 etc (total count 70 messages the same)
 ...
 Can't set the ipv4 root (Invalid argument)
 Can't set the ipv4 root (Invalid argument)
 [EMAIL PROTECTED] ~]#
 
 ---8<---
 
 The files do seem to exist in the /vserver/test2 directory. The 
 test2.conf did get created. So I thought I'd ignore the error and 
 continue with other snippets I have found.
 
 
 
 ---8<---
 
 [EMAIL PROTECTED] ~]# vserver test2 enter
 Can't set the ipv4 root (Invalid argument)
 [EMAIL PROTECTED] ~]#
 
 ---8<---
 
 
 Well, that didn't work. Perhaps I could try starting the server first? 
 
 
 ---8<---
 
 [EMAIL PROTECTED] ~]# vserver test2 start
 Starting the virtual server test2
 Server test2 is not running
 Can't set the ipv4 root (Invalid argument)
 [EMAIL PROTECTED] ~]#
 
 ---8<---
 
 
 
 Stuck!
 
 Any help will be appreciated (let me know if anyone needs any further 
 information). This looks like such a fantastic project, but I've been 
 banging my head against the wall for almost a week now and still no luck.
 
 Thank you in advance
 
 Matt.
 
 
 
 
 ---8<---
 
 
 
 
 ___
 Vserver mailing list
 Vserver@list.linux-vserver.org
 http://list.linux-vserver.org/mailman/listinfo/vserver


[Vserver] audit interface

2005-07-14 Thread Enrico Scholz
Hello,

it seems to be impossible to use the audit (CONFIG_AUDIT) interface
of the kernel within a vserver:

| # auditctl -m 'foo'
| Error sending user message request (Operation not permitted)

The generated syscalls are:

| socket(PF_NETLINK, SOCK_RAW, 9) = 3
| fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
| sendto(3, \24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0, 20, 0, 
{sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
| select(4, [3], NULL, NULL, {0, 10}) = 1 (in [3], left {0, 10})
| recvfrom(3, $\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0..., 
8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, 
[12]) = 36
| write(2, Error sending user message reque..., 60Error sending user message 
request (Operation not permitted)) = 60


This gives problems on Fedora Core 4 as recent pam upgrade is
using this functionality and most actions (su, cron) will fail
therefore.

I see two ways to solve the problem:

1. allow this kind of communication within a context
2. make CONFIG_AUDIT conflict with CONFIG_VSERVER and hope that
   libaudit is clever enough to ignore this error (untested)

(I do not know the security implications of 1. and have not
tested 2.)


Problem was seen on 2.6.12.2-vs2.0-rc5 + remap patch.




Enrico
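
Decoding the two netlink buffers from the strace output above shows where the failure comes from: the request is an AUDIT_USER message sent with NLM_F_REQUEST|NLM_F_ACK, and the kernel answers with NLMSG_ERROR carrying -EPERM. This is an added example, not part of the original post; it assumes the little-endian i386 layout of the traced host and takes the constant values from linux/netlink.h and linux/audit.h.

```python
import errno
import re
import struct

NLMSG_HDR = struct.Struct("<IHHII")  # struct nlmsghdr; little-endian, as on the i386 host traced
NLMSG_ERROR = 2                      # linux/netlink.h
AUDIT_USER = 1005                    # linux/audit.h: message from user space
NLM_FLAGS = {0x01: "NLM_F_REQUEST", 0x04: "NLM_F_ACK"}

# Buffers copied from the sendto()/recvfrom() lines of the trace; the reply is
# cut off by strace after 24 of its 36 bytes (the "..." in the trace).
REQUEST = r"\24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0"
REPLY = r"$\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0"


def unescape_strace(text):
    """Convert strace string syntax (octal escapes plus literal ASCII) to bytes."""
    out = bytearray()
    for octal, literal in re.findall(r"\\([0-7]{1,3})|(.)", text, re.S):
        out.append(int(octal, 8) if octal else ord(literal))
    return bytes(out)


def parse_nlmsg(raw):
    """Decode one netlink message; for NLMSG_ERROR also decode struct nlmsgerr."""
    if len(raw) < NLMSG_HDR.size:
        raise ValueError("buffer shorter than struct nlmsghdr")
    length, mtype, flags, seq, pid = NLMSG_HDR.unpack_from(raw)
    msg = {"len": length, "type": mtype, "seq": seq, "pid": pid,
           "flags": [name for bit, name in NLM_FLAGS.items() if flags & bit],
           "truncated": len(raw) < length}
    body = raw[NLMSG_HDR.size:length]
    if mtype == NLMSG_ERROR and len(body) >= 4:
        (err,) = struct.unpack_from("<i", body)       # 0 = ACK, negative = -errno
        msg["errno"] = errno.errorcode.get(-err, str(err)) if err else "ACK"
        if len(body) >= 8:                            # echoed request header follows
            msg["echoed_len"] = struct.unpack_from("<I", body, 4)[0]
    else:
        msg["payload"] = body
    return msg


def decode_trace():
    return parse_nlmsg(unescape_strace(REQUEST)), parse_nlmsg(unescape_strace(REPLY))


if __name__ == "__main__":
    for message in decode_trace():
        print(message)
```

The reply's sequence number matches the request and its echoed header length is 20, so the EPERM refers to exactly the AUDIT_USER message that auditctl sent.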




Re: [Vserver] audit interface

2005-07-14 Thread Enrico Scholz
[EMAIL PROTECTED] (Enrico Scholz) writes:

 | # auditctl -m 'foo'
 | Error sending user message request (Operation not permitted)
 ...
 This gives problems on Fedora Core 4 as recent pam upgrade is
 using this functionality and most actions (su, cron) will fail
 therefore.

Quick workaround is to add '^29' to the 'bcapabilities' of the
corresponding vserver. Next util-vserver version will probably
implicate this with the '--secure' option (after I decided how to
deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).



Enrico




Re: [Vserver] audit interface

2005-07-14 Thread Herbert Poetzl
On Thu, Jul 14, 2005 at 05:32:40PM +0200, Enrico Scholz wrote:
 [EMAIL PROTECTED] (Enrico Scholz) writes:
 
  | # auditctl -m 'foo'
  | Error sending user message request (Operation not permitted)
  ...
  This gives problems on Fedora Core 4 as recent pam upgrade is
  using this functionality and most actions (su, cron) will fail
  therefore.

hmm, will look into it ...

 Quick workaround is to add '^29' to the 'bcapabilities' of the
 corresponding vserver. Next util-vserver version will probably
 implicate this with the '--secure' option (after I decided how to
 deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).

#define CAP_AUDIT_WRITE  29
#define CAP_AUDIT_CONTROL 30

quota was moved into the CCAPS a long? time ago
(at least for 2.6/2.0 so nothing to deal with)

#define CAP_CONTEXT  31

is the only remaining capability ...

best,
Herbert

 Enrico





Re: [Vserver] audit interface

2005-07-14 Thread Herbert Poetzl
On Fri, Jul 15, 2005 at 12:50:51AM +0200, Herbert Poetzl wrote:
 On Thu, Jul 14, 2005 at 03:21:36PM +0200, Enrico Scholz wrote:
  Hello,
  
  it seems to be impossible to use the audit (CONFIG_AUDIT) interface
  of the kernel within a vserver:
  
  | # auditctl -m 'foo'
  | Error sending user message request (Operation not permitted)
  
  The generated syscalls are:
  
  | socket(PF_NETLINK, SOCK_RAW, 9) = 3
  | fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
  | sendto(3, \24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0, 20, 0, 
  {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
  | select(4, [3], NULL, NULL, {0, 10}) = 1 (in [3], left {0, 10})
  | recvfrom(3, $\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0..., 
  8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, 
  groups=}, [12]) = 36
  | write(2, Error sending user message reque..., 60Error sending user 
  message request (Operation not permitted)) = 60
  
  
  This gives problems on Fedora Core 4 as recent pam upgrade is
  using this functionality and most actions (su, cron) will fail
  therefore.
 
 hmm, does anybody know why pam would want to do syscall
 auditing in the first place? I'm a little lost here
 actually ...

ah, looks like redhat is patching again ...

http://people.redhat.com/sgrubb/audit/pam-0.78-loginuid.patch

so I guess it's fine to remove pam_loginuid.so for now
until the auditing interface is virtualized ...

best,
Herbert

 TIA,
 Herbert
 
  I see two ways to solve the problem:
  
  1. allow this kind of communication within a context
  2. make CONFIG_AUDIT conflict with CONFIG_VSERVER and hope that
 libaudit is clever enough to ignore this error (untested)
  
  (I do not know the security implications of 1. and have not
  tested 2.)
  
  Problem was seen on 2.6.12.2-vs2.0-rc5 + remap patch.
  
  Enrico
 
 
 