Re: [Vserver] patch-2.6.16-rc1-vs2.1.0.6.1 ok ;-)
On Tue, Jan 24, 2006 at 09:19:33AM +0100, Joel Soete wrote:

Hello Herbert,

[...]

excellent, I would appreciate to get a posting similar to
http://list.linux-vserver.org/archive/vserver/msg11977.html

Here there are:

Linux-VServer Test [V0.14] Copyright (C) 2003-2005 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.6.16-rc1-vs2.1.0.6.1-pa2-d32up parisc/0.30.209/0.30.209 [Ea] (0)
VCI: 0002:0001 263 03000116
---
[000]# succeeded.
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# succeeded.
[202]# succeeded.

well even -v option didn't give me more, though?

but the -L option will :)

oops ? so here are the additional success ;-)

---
[L01]# succeeded.
[D01]# succeeded.
[L02]# succeeded.
[D02]# succeeded.
[L03]# succeeded.
[D03]# succeeded.
[L11]# succeeded.
[D11]# succeeded.
[L12]# succeeded.
[D12]# succeeded.
[L21]# succeeded.
[D21]# succeeded.
[L22]# succeeded.
[D22]# succeeded.
[L31]# succeeded.
[D31]# succeeded.

Tx,
Joel

---
NOTE! My email address is changing to ... @scarlet.be
Please make the necessary changes in your address book.

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] I/O CFQ scheduler [scanned]
On Tuesday, 24.01.2006, at 20:06 +0300, Vasily Tarasov wrote:

Can you tell me, please, can util-vserver-0.30.209 http://www.13thfloor.at/vserver/d_rel26/v2.1.0/util-vserver-0.30.209.tar work with I/O CFQ Scheduler already?

I did not know util-vserver {had|could have} any problems with that... I am using the CFQ I/O elevator on most of my servers (with vserver guests), without any problems until now...

How?

Compile CFQ I/O scheduler support into the kernel and append the following parameter to your kernel boot parameters:

elevator=cfq

Regards,
// Veit
[Vserver] Abstract (not FS based) UNIX sockets collision
Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

Regards
Andreas
Re: [Vserver] vservers don't start after update to 2.01
On Wed, Jan 25, 2006 at 12:45:55PM +0100, Jens Holze wrote:
2006/1/13, Jens Holze [EMAIL PROTECTED]:
2006/1/11, Herbert Poetzl [EMAIL PROTECTED]:
On Wed, Jan 11, 2006 at 04:03:58PM +0100, Jens Holze wrote:

Hi! I updated VServer from 2.00 to 2.01 by patching a new 2.6.14.4-kernel and installing the utils (209) from self-build rpms on Fedora Core 4.

maybe the installation of your 'self built' utils is a little incomplete ... I'd try with the source tar, and after a proper configuration (to get your paths right) do the 'make install' and 'make install-distribution'

I erased the rpms and installed from source (with the prefix=/). Everything is in place now, save_ctxinfo in /lib/util-vserver/ .

Everything worked prior to that but since then I can't manage to start any debian-based Vservers. I thought something with the kernel went wrong so I build it anew but that didn't solve anything. When trying to start a vserver I get:

// RTNETLINK answers: File exists

this means that the 'configured' IP(s) already exists, maybe with a different netmask/prefix, check with 'ip addr ls' and remove the 'offending' IP(s)

Yeah I know, this one is not the problem, I just took existing settings and made a new server from it hoping that would eliminate the save_ctxinfo problem...

// save_ctxinfo: execv(): No such file or directory

this very much looks like the save_ctxinfo is failing

possible reasons could be:
- /lib/util-vserver/save_ctxinfo (or wherever it is on your distro) is not executable or missing
- /etc/vservers/.defaults/run.rev is not pointing to a valid directory to store the info
- the directory /var/run/vservers.rev is not writeable or does not exist

I thought so but: save_ctxinfo is at the exact location and executable... /run.rev is there and pointing to /var/run/vservers.rev which exists and is writeable (there are directories inside for the fedora vservers which are running!).

It must be something special that is done in debian vservers which doesn't happen with fedora core vservers?! Also, I wonder where the vserver starting script looks for this file, is it possible that I have to edit any config file? I mean it's in the same directory so why doesn't he find it?

// An error occured while executing the vserver startup sequence; when
// there are no other messages, it is very likely that the init-script
// (/etc/init.d/rc 3) failed.
//
// Common causes are:
// * /etc/rc.d/rc on Fedora Core 1 and RH9 fails always; the 'apt-rpm' build
// method knows how to deal with this, but on existing installations,
// appending 'true' to this file will help.
//
// Failed to start vserver 'debian_two'

The common causes don't really help and I can't think of anything else. I even build an all new debian vserver but even this one doesn't boot. Other (Fedora-based) vservers do work perfectly. Any help would be greatly appreciated.

yes, well, to explain all kinds of errors in a tool of this complexity is almost impossible ...

Of course it is, it's just that it's obviously a different problem as far as I get it.

Jens

HTH,
Herbert

Jens

Hi!

I had an intense look at the installation since obviously something must have gone wrong there (as you pointed out, too). I checked for vprocunhide being in place and executed (which is the case) and then ran the testme.sh once more where I first got an error with chcontext in /usr/sbin/chcontext. There should be no such file since I erased those with rpm and then installed from source to /(etc,lib/util-verser,sbin). That drew my attention to the fact that obviously some files of the prior rpm installation remained on the system and I wondered whether that causes the problem (although I still wonder why it only happens with debian based vservers).

After I deleted the redundant chcontext the testme.sh found no error at all. Then I deleted /usr/sbin/vserver presuming that /sbin/vserver should be used. However, the problem remained, the servers fail to boot while directories for their context are created under /var/run/vservers.rev and the run files do point to the respective files in /var/run/vservers as if the servers actually were running. Maybe he's looking for the save_ctxinfo in all the wrong places? I'm sure it's just some really stupid tweak I simply couldn't think of yet. Any other suggestions?

could you provide the output of 'vserver-info - SYSINFO' and the results from the testme.sh run ?

TIA,
Herbert

Thanks
Jens
Re: [Vserver] I/O CFQ scheduler
On Tue, Jan 24, 2006 at 08:06:38PM +0300, Vasily Tarasov wrote:

Hello. Can you tell me, please, can util-vserver-0.30.209 http://www.13thfloor.at/vserver/d_rel26/v2.1.0/util-vserver-0.30.209.tar work with I/O CFQ Scheduler already?

yes, it's a 'hard-coded' kernel feature of the devel branch (for now)

How?

just enable the cfq i/o scheduler for your system/tasks and the accounting will be done per context (guest)

in the future I guess there will be util support to fine tune the priorities and set the I/O groups ...

HTH,
Herbert

Thank you.
Re: [Vserver] Virtualizing a physical server
On Wed, Jan 25, 2006 at 03:12:46AM +0200, Ehab Heikal wrote:

I need to setup a development or staging server of an existing running server. Is there a tool to do so?

just create a new skeleton guest with the -m skeleton build method, which resembles the physical system regarding networking and naming, then copy over the entire contents of the physical machine, excluding the /dev and /proc directory to the skeleton dir (cp -a, dump/restore, tar, rsync, ...)

starting and stopping the guest should work after that, but you might want to clean up scripts later to avoid a bunch of failures when the new guest tries to mess with the hardware ...

HTH,
Herbert
Re: [Vserver] Virtualizing a physical server
If the skeleton method is still too heavy for you to start off with, try downloading prebuilt virtual machine guests:

After you installed a (rpm: http://www.virtualinfrastructure.nl/downloads/kernel-2.6.11-1.35_FC3.vs2.0.0.0.rc4.i686.rpm) kernel just unpack it

bash# wget http://www.virtualinfrastructure.nl/downloads/precompiled/virtualinfrastructure-11012006-fc3-minimal.tgz
bash# tar xvzf virtualinfrastructure-11012006-fc3-minimal.tgz
bash# mkdir /etc/vservers
bash# mv fc3_minimal /etc/vservers

and start the thing:

bash# vserver fc3_minimal start
bash# vserver fc3_minimal enter

be aware: This is a fedora core 3 guest and fedora core 3 kernel. For other versions check the vserver website.

Cheers,
J-

On 1/25/06, Herbert Poetzl [EMAIL PROTECTED] wrote:
On Wed, Jan 25, 2006 at 03:12:46AM +0200, Ehab Heikal wrote:

I need to setup a development or staging server of an existing running server. Is there a tool to do so?

just create a new skeleton guest with the -m skeleton build method, which resembles the physical system regarding networking and naming, then copy over the entire contents of the physical machine, excluding the /dev and /proc directory to the skeleton dir (cp -a, dump/restore, tar, rsync, ...)

starting and stopping the guest should work after that, but you might want to clean up scripts later to avoid a bunch of failures when the new guest tries to mess with the hardware ...

HTH,
Herbert
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 @@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

best,
Herbert

Regards
Andreas
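Review bot: The added skip in the sk_for_each loop carries no comment on why VX_WATCH is accepted together with VX_IDENT; a one-line comment naming which contexts are meant to see other contexts' sockets would help, since any context that passes the check still competes for the same abstract name. Because the check sits in the shared by-name lookup named in the @@ header rather than in unix_bind() itself, every caller of that lookup now gets per-context results, so the changelog should say so and confirm that this is intended for lookups other than the bind collision reported above. The hunk changes only this one lookup, so the description should also state how filesystem-bound sockets are expected to be kept apart.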
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 @@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this not a full fix. this not fix issue for FS based unix sockets.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] Virtualizing a physical server
On Wed, Jan 25, 2006 at 04:48:07PM +0100, Joep Gommers wrote:

If the skeleton method is still too heavy for you to start off with, try downloading prebuilt virtual machine guests:

After you installed a (rpm: http://www.virtualinfrastructure.nl/downloads/kernel-2.6.11-1.35_FC3.vs2.0.0.0.rc4.i686.rpm) kernel just unpack it

bash# wget http://www.virtualinfrastructure.nl/downloads/precompiled/virtualinfrastructure-11012006-fc3-minimal.tgz
bash# tar xvzf virtualinfrastructure-11012006-fc3-minimal.tgz
bash# mkdir /etc/vservers
bash# mv fc3_minimal /etc/vservers

and start the thing:

bash# vserver fc3_minimal start
bash# vserver fc3_minimal enter

be aware: This is a fedora core 3 guest and fedora core 3 kernel. For other versions check the vserver website.

well, good idea, but how would that help him with virtualizing an existing machine?

TIA,
Herbert

Cheers,
J-

On 1/25/06, Herbert Poetzl [EMAIL PROTECTED] wrote:
On Wed, Jan 25, 2006 at 03:12:46AM +0200, Ehab Heikal wrote:

I need to setup a development or staging server of an existing running server. Is there a tool to do so?

just create a new skeleton guest with the -m skeleton build method, which resembles the physical system regarding networking and naming, then copy over the entire contents of the physical machine, excluding the /dev and /proc directory to the skeleton dir (cp -a, dump/restore, tar, rsync, ...)

starting and stopping the guest should work after that, but you might want to clean up scripts later to avoid a bunch of failures when the new guest tries to mess with the hardware ...

HTH,
Herbert
RE: [Vserver] Virtualizing a physical server
This is what I did. Modify as required. Hope it helps.

sig

Creating a vserver from a non-vserver host (The server was redhat AS 3)

* Clone host1 (non-vserver) to host2:vserver1
calcrs03 -- calvunix02:rhas3template01

ssh calvunix02
sudo /etc/rc.d/rsyncd start
sudo vserver vrhas3template01 build -m skeleton -n vrhas3template01 --context 30 --hostname vrhas3template01.corporate.net --interface 172.27.XX.XX --netdev eth0 --netmask 255.255.248.0 --initstyle plain

ssh calcrs03
cat /home/sig/rsync-exclude.txt
/u01/
/u02/
/u03/
/u04/
/u05/
/u06/
/u07/
/u08/
/u09/
/u10/
/u11/
/u99/
/unix_data/
/proc/
/dev/
/boot/
sudo rsync -avz -e ssh --exclude-from=/home/sig/rsync-exclude.txt / 172.27.XX.XX:/vservers/vrhas3template01

ssh calvunix02
sudo vi /vservers/vrhas3template01/etc/resolv.conf
sudo vi /vservers/vrhas3template01/etc/fstab
sudo vi /vservers/vrhas3template01/etc/hosts
sudo vi /vservers/vrhas3template01/etc/ssh/sshd_config
    X11UseLocalhost no - Needed for vserver x forwarding
sudo vi /vservers/vrhas3template01/etc/sysconfig/network
    set hostname
sudo vi /vservers/vrhas3template01/etc/rc.sysinit
    remove mtab references
    remove tty references
sudo vi /vservers/vrhas3template01/etc/inittab
    remove tty references
check over /usr/local/etc/vservers/vrhas3template01/..
sudo vserver vrhas3template01 start
sudo vserver-stat
sudo vserver vrhas3template01 enter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ehab Heikal
Sent: Tuesday, January 24, 2006 6:13 PM
To: vserver@list.linux-vserver.org
Subject: [Vserver] Virtualizing a physical server

I need to setup a development or staging server of an existing running server. Is there a tool to do so?
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 @@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this not a full fix. this not fix issue for FS based unix sockets.

sorry Alex, but the filesystem case is already covered by the namespaces, which you can verify easily ... so everything fine here ...

best,
Herbert

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, 25.01.2006 at 19:07, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 @@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this not a full fix. this not fix issue for FS based unix sockets.

sorry Alex, but the filesystem case is already covered by the namespaces, which you can verify easily ... so everything fine here ...

don`t. inode must have one context id (just are error or if unification), but access/bind from an other context.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, Jan 25, 2006 at 07:27:11PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 19:07, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 
@@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this not a full fix. this not fix issue for FS based unix sockets.

sorry Alex, but the filesystem case is already covered by the namespaces, which you can verify easily ... so everything fine here ...

don`t. inode must have one context id (just are error or if unification), but access/bind from an other context.

could you provide an example where it fails for you?

TIA,
Herbert

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, 25.01.2006 at 19:51, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 07:27:11PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 19:07, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 
@@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this not a full fix. this not fix issue for FS based unix sockets.

sorry Alex, but the filesystem case is already covered by the namespaces, which you can verify easily ... so everything fine here ...

don`t. inode must have one context id (just are error or if unification), but access/bind from an other context.

could you provide an example where it fails for you?

look into unix_bind. you can`t create unix socket if fs consist fs object with same name. One object can be create via chroot or via full path and second is program inside VPS.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, Jan 25, 2006 at 08:25:20PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 19:51, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 07:27:11PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 19:07, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:
On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:
On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi,

It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind().

Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 
@@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this not a full fix. this not fix issue for FS based unix sockets.

sorry Alex, but the filesystem case is already covered by the namespaces, which you can verify easily ... so everything fine here ...

don`t. inode must have one context id (just are error or if unification), but access/bind from an other context.

could you provide an example where it fails for you?

look into unix_bind. you can`t create unix socket if fs consist fs object with same name. One object can be create via chroot or via full path and second is program inside VPS.

well, it's the idea of those sockets to have a filesystem representation, so naturally it will give an error when the filesystem entry already exists (which IMHO is the right thing here).

nevertheless, as the guests will not 'share' the same namespace and therefore will have different areas of the filesystem assigned, they will be able to create one instance (of a given name) per context, which is the same as on a real machine, no?

best,
Herbert

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
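Added example (not code from this thread or from Linux-VServer): on a stock Linux kernel, an abstract AF_UNIX name is matched by name alone, so a second bind of it fails with EADDRINUSE as in Andreas's strace, while path-based sockets collide only when the filesystem entry is the same one. The socket name and the /tmp directories are constructed for the demo, and the two directories stand in for two guest roots.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a new AF_UNIX stream socket to name. With abstract != 0 the name is
 * placed after a leading NUL byte (abstract namespace, no filesystem entry);
 * otherwise it is a filesystem path. Returns 0 and the fd in *fd_out, or the
 * errno value of the failing call. */
static int unix_bind_name(const char *name, int abstract, int *fd_out)
{
    struct sockaddr_un sa;
    size_t n = strlen(name), off = abstract ? 1 : 0;
    socklen_t len;
    int fd, err;

    if (off + n + 1 > sizeof(sa.sun_path))
        return ENAMETOOLONG;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path + off, name, n);
    /* Abstract names are length-delimited; path names are NUL-terminated. */
    len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + off + n
                      + (abstract ? 0 : 1));
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0) {
        err = errno;
        close(fd);
        return err;
    }
    *fd_out = fd;
    return 0;
}

/* Bind the same abstract name twice. Returns the errno of the second bind,
 * or a negative errno if the first bind (setup) failed. */
int abstract_second_bind_errno(void)
{
    char name[64];   /* constructed demo name, unique per process */
    int a = -1, b = -1, rc;

    snprintf(name, sizeof(name), "vs-demo-%ld", (long)getpid());
    rc = unix_bind_name(name, 1, &a);
    if (rc != 0)
        return -rc;
    rc = unix_bind_name(name, 1, &b);
    if (rc == 0)
        close(b);
    close(a);
    return rc;
}

/* Bind "bridge.sock" as a path socket twice: in the same directory when
 * same_dir != 0, otherwise in two separate directories. Returns the errno of
 * the second bind, or a negative errno if setup failed. */
int path_second_bind_errno(int same_dir)
{
    char dir[2][64], path[2][96];
    int fd[2] = { -1, -1 }, made = 0, rc, i;

    for (i = 0; i < 2; i++) {
        snprintf(dir[i], sizeof(dir[i]), "/tmp/vs-demo-%ld-%d-root%d",
                 (long)getpid(), same_dir ? 1 : 0, i);
        snprintf(path[i], sizeof(path[i]), "%s/bridge.sock", dir[i]);
        if (mkdir(dir[i], 0700) < 0) {   /* fails rather than reuse an entry */
            rc = -errno;
            goto out;
        }
        made++;
    }
    rc = unix_bind_name(path[0], 0, &fd[0]);
    if (rc != 0) {
        rc = -rc;
        goto out;
    }
    rc = unix_bind_name(path[same_dir ? 0 : 1], 0, &fd[1]);
out:
    for (i = 0; i < 2; i++)
        if (fd[i] >= 0)
            close(fd[i]);
    for (i = 0; i < made; i++) {
        unlink(path[i]);
        rmdir(dir[i]);
    }
    return rc;
}

int main(void)
{
    printf("abstract name, second bind:     errno %d\n", abstract_second_bind_errno());
    printf("path, second directory:         errno %d\n", path_second_bind_errno(0));
    printf("path, same directory and name:  errno %d\n", path_second_bind_errno(1));
    return 0;
}
```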
RE: [Vserver] Virtualizing a physical server
The section starting with

sudo vi /vservers/vrhas3template01/etc/resolv.conf

Are these files that I should manually edit?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 25, 2006 7:02 PM
To: vserver@list.linux-vserver.org
Subject: RE: [Vserver] Virtualizing a physical server

This is what I did. Modify as required. Hope it helps.

sig

Creating a vserver from a non-vserver host (The server was redhat AS 3)

* Clone host1 (non-vserver) to host2:vserver1
calcrs03 -- calvunix02:rhas3template01

ssh calvunix02
sudo /etc/rc.d/rsyncd start
sudo vserver vrhas3template01 build -m skeleton -n vrhas3template01 --context 30 --hostname vrhas3template01.corporate.net --interface 172.27.XX.XX --netdev eth0 --netmask 255.255.248.0 --initstyle plain

ssh calcrs03
cat /home/sig/rsync-exclude.txt
/u01/
/u02/
/u03/
/u04/
/u05/
/u06/
/u07/
/u08/
/u09/
/u10/
/u11/
/u99/
/unix_data/
/proc/
/dev/
/boot/
sudo rsync -avz -e ssh --exclude-from=/home/sig/rsync-exclude.txt / 172.27.XX.XX:/vservers/vrhas3template01

ssh calvunix02
sudo vi /vservers/vrhas3template01/etc/resolv.conf
sudo vi /vservers/vrhas3template01/etc/fstab
sudo vi /vservers/vrhas3template01/etc/hosts
sudo vi /vservers/vrhas3template01/etc/ssh/sshd_config
    X11UseLocalhost no - Needed for vserver x forwarding
sudo vi /vservers/vrhas3template01/etc/sysconfig/network
    set hostname
sudo vi /vservers/vrhas3template01/etc/rc.sysinit
    remove mtab references
    remove tty references
sudo vi /vservers/vrhas3template01/etc/inittab
    remove tty references
check over /usr/local/etc/vservers/vrhas3template01/..
sudo vserver vrhas3template01 start
sudo vserver-stat
sudo vserver vrhas3template01 enter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ehab Heikal
Sent: Tuesday, January 24, 2006 6:13 PM
To: vserver@list.linux-vserver.org
Subject: [Vserver] Virtualizing a physical server

I need to setup a development or staging server of an existing running server. Is there a tool to do so?
RE: [Vserver] Virtualizing a physical server
yup

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ehab Heikal
Sent: Wednesday, January 25, 2006 7:30 PM
To: vserver@list.linux-vserver.org
Subject: RE: [Vserver] Virtualizing a physical server

The section starting with

sudo vi /vservers/vrhas3template01/etc/resolv.conf

Are these files that I should manually edit?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 25, 2006 7:02 PM
To: vserver@list.linux-vserver.org
Subject: RE: [Vserver] Virtualizing a physical server

This is what I did. Modify as required. Hope it helps.

sig

Creating a vserver from a non-vserver host (The server was redhat AS 3)

* Clone host1 (non-vserver) to host2:vserver1
calcrs03 -- calvunix02:rhas3template01

ssh calvunix02
sudo /etc/rc.d/rsyncd start
sudo vserver vrhas3template01 build -m skeleton -n vrhas3template01 --context 30 --hostname vrhas3template01.corporate.net --interface 172.27.XX.XX --netdev eth0 --netmask 255.255.248.0 --initstyle plain

ssh calcrs03
cat /home/sig/rsync-exclude.txt
/u01/
/u02/
/u03/
/u04/
/u05/
/u06/
/u07/
/u08/
/u09/
/u10/
/u11/
/u99/
/unix_data/
/proc/
/dev/
/boot/
sudo rsync -avz -e ssh --exclude-from=/home/sig/rsync-exclude.txt / 172.27.XX.XX:/vservers/vrhas3template01

ssh calvunix02
sudo vi /vservers/vrhas3template01/etc/resolv.conf
sudo vi /vservers/vrhas3template01/etc/fstab
sudo vi /vservers/vrhas3template01/etc/hosts
sudo vi /vservers/vrhas3template01/etc/ssh/sshd_config
    X11UseLocalhost no - Needed for vserver x forwarding
sudo vi /vservers/vrhas3template01/etc/sysconfig/network
    set hostname
sudo vi /vservers/vrhas3template01/etc/rc.sysinit
    remove mtab references
    remove tty references
sudo vi /vservers/vrhas3template01/etc/inittab
    remove tty references
check over /usr/local/etc/vservers/vrhas3template01/..
sudo vserver vrhas3template01 start
sudo vserver-stat
sudo vserver vrhas3template01 enter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ehab Heikal
Sent: Tuesday, January 24, 2006 6:13 PM
To: vserver@list.linux-vserver.org
Subject: [Vserver] Virtualizing a physical server

I need to setup a development or staging server of an existing running server. Is there a tool to do so?