[Vserver] bind9 in vserver
Can I run BIND9 in a vserver? If yes, is there something I need to be aware of? (One of my nameservers died, so I'm considering virtualizing DNS.)

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] bind9 in vserver
Eugen Leitl wrote:
> Can I run BIND9 in a vserver? If yes, is there something I need to be aware of? (One of my nameservers died, so I'm considering virtualizing DNS.)

Yes you can, but you need to be aware of these capabilities: CAP_MKNOD (first launch on Fedora; you can remove it after) and CAP_SYS_RESOURCE in /etc/vservers/vserver_name/bcapabilities. Or you have to compile bind with --disable-linux-caps.
Re: [Vserver] bind9 in vserver
> Or you have to compile bind with --disable-linux-caps

MUCH better! (security wise)

I'd like to know what the security problem with CAP_SYS_RESOURCE is? Herbert said:

> Currently the following Linux Capabilities are considered secure, if you add others to them, you will probably open some security hole.

but what is the problem with overriding resource limits, quota, reserved space on fs, ...? DoS on another vserver using the whole resources? What else?

thanks
Re: [Vserver] bind9 in vserver
> I'd like to know what the security problem with CAP_SYS_RESOURCE is? Herbert said:
>> Currently the following Linux Capabilities are considered secure, if you add others to them, you will probably open some security hole.
> but what is the problem with overriding resource limits, quota, reserved space on fs, ...? DoS on another vserver using the whole resources? What else?

I'm sure some other people on this list can explain that a lot better than I can. The great thing about vserver is, besides the stuff you surely know, that it restricts access to the host system a lot. So only basic stuff is allowed. If you need quota... which is safe AFAIK, you have to add that cap etc. (and use vroot). The problem with that sys-resource cap is IIRC that it gives too many access rights to the guest, which in turn _may_ lead to a host takeover... correct me if I'm wrong.

The bind problem is that with the default installation, it tries to raise its caps at runtime. And that is bad, and by default disabled for a vserver guest. I run several name servers as guests, and have compiled bind with caps disabled, and it works great. So either use the dev version of vserver (as suggested) or recompile bind.

Hope this helps :-)

--
regards,
Georges Toth
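The replies above turn on which capabilities a guest has been granted in its bcapabilities file, and on the fact that CAP_MKNOD and CAP_SYS_RESOURCE are outside the default set a guest gets. The script below is an added example, not code from the thread or from util-vserver: it walks the guest tree and flags any guest whose bcapabilities file grants one of those two capabilities, so the grant made for BIND's first launch does not silently outlive it. It assumes the layout named in the thread (/etc/vservers/<guest>/bcapabilities, one capability per line, '#' comments allowed); VSERVERS_ROOT and RISKY_CAPS are assumed overrides so it can run against a constructed tree.

```shell
#!/bin/sh
# Audit which Linux capabilities util-vserver guests have been granted.
# Added example, not code from the thread or from util-vserver. Assumed layout:
# $VSERVERS_ROOT/<guest>/bcapabilities, one capability name per line.

VSERVERS_ROOT="${VSERVERS_ROOT:-/etc/vservers}"

# The two capabilities the thread says BIND wants and that are not in the
# default "considered secure" guest set. RISKY_CAPS is an assumed override.
RISKY_CAPS="${RISKY_CAPS:-CAP_SYS_RESOURCE CAP_MKNOD}"

# normalise_cap NAME: upper-case and add the CAP_ prefix if missing, so that
# "sys_resource" and "CAP_SYS_RESOURCE" compare equal.
normalise_cap() {
    _n=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    case "$_n" in
        CAP_*) printf '%s\n' "$_n" ;;
        *)     printf 'CAP_%s\n' "$_n" ;;
    esac
}

# guest_caps GUEST: print the guest's granted capabilities, one per line,
# skipping blank lines and '#' comments. Prints nothing if the file is absent.
guest_caps() {
    _f="$VSERVERS_ROOT/$1/bcapabilities"
    [ -r "$_f" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$_f" |
    while read -r _c; do
        [ -n "$_c" ] && normalise_cap "$_c"
    done
}

# risky_caps_for GUEST: print the subset of the guest's caps listed in RISKY_CAPS.
risky_caps_for() {
    for _c in $(guest_caps "$1"); do
        for _r in $RISKY_CAPS; do
            [ "$_c" = "$(normalise_cap "$_r")" ] && printf '%s\n' "$_c"
        done
    done
}

# audit_guests: walk every guest directory, print "GUEST CAP" for each risky
# grant, and return 1 if anything was flagged (so it can gate a change), else 0.
audit_guests() {
    _flagged=0
    for _d in "$VSERVERS_ROOT"/*/; do
        [ -d "$_d" ] || continue
        _g=$(basename "$_d")
        for _c in $(risky_caps_for "$_g"); do
            printf '%s %s\n' "$_g" "$_c"
            _flagged=1
        done
    done
    return $_flagged
}

# Stand-alone use: audit the real tree if it exists.
if [ -d "$VSERVERS_ROOT" ]; then
    audit_guests
fi
```

A non-zero exit from audit_guests is the signal to go back and either drop the grant (the thread notes CAP_MKNOD is only needed for BIND's first launch) or rebuild BIND with --disable-linux-caps so it needs neither capability.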
[Vserver] How to use init script
I want to execute some tasks when a vserver is started, but I don't know how to do it. I found an instruction in http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=56 but it seems that it doesn't work for util-vserver 0.30.210. Are there any other ways to do it?

Bruno gave me a hint that I can change util-vserver to call a script in /usr/lib/utils-vserver/vserver.start. I found these commands in it:

    pushd $VSERVER_DIR/vdir/ >/dev/null
    execScriptlets $VSERVER_DIR $VSERVER_NAME post-start
    popd >/dev/null

So I tried touching a file post-start in /etc/vservers/guestname/ and putting my initscript in post-start. But it doesn't work either. Am I on the right way?

There's an associated problem with sshd. I edited the guest's sshd_config file to listen on a designated IPv6 address, which is bound to the guest with Daniel's chbind6 only after the guest has started. But sshd could not start up automatically because there's no IPv6 address assigned yet when the guest is starting up. So I hope the guest starts up with this sequence:

1. guest started up
2. Using chbind6 to assign an IPv6 address for it
3. Start up sshd

I think I could cancel the automatic start of sshd, and put chbind6 and "service sshd start" into the vserver's initscripts. Are there any other good ideas?

---snip---
#vserver gast start
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Starting sshd: [ OK ]
Starting xinetd: [ OK ]
Starting crond: [ OK ]
#vserver gast enter
[EMAIL PROTECTED] /]# service sshd status
sshd dead but subsys locked
#vserver gast stop
Stopping sshd: [FAILED]
Stopping xinetd: [ OK ]
Stopping crond: [ OK ]
Shutting down kernel logger: [FAILED]
Shutting down system logger: [ OK ]
Starting killall:
Stopping sshd: [FAILED]
[FAILED]
---snap---

Best regards!
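One way to script the three-step sequence the post asks for (guest up, chbind6 assigns the IPv6 address, then sshd starts) as a post-start scriptlet. This is an added example, not code from the thread, from util-vserver or from Daniel's chbind6. Its assumptions: execScriptlets passes the guest name as the scriptlet's second argument (with $VSERVER_NAME as a fallback); chbind6 is called as "chbind6 <guest> <address>", which is a placeholder calling convention since the tool is not documented here; commands are run inside the guest with "vserver <guest> exec ..."; and the address is checked with "ip -6 addr show" in the guest. SSHD_IPV6 defaults to a constructed documentation address, and RETRIES bounds how long to wait for the address before giving up instead of starting an sshd that cannot bind.

```shell
#!/bin/sh
# post-start scriptlet for a guest whose sshd listens on an IPv6 address that
# chbind6 assigns only after the guest is up. Added example, not code from the
# thread or from util-vserver; see the lead-in for the assumed conventions.

SSHD_IPV6="${SSHD_IPV6:-2001:db8::53}"   # constructed documentation address
RETRIES="${RETRIES:-5}"                  # polls before giving up on the address

# guest_has_addr GUEST ADDR: true once ADDR shows up in the guest's address list
# (assumes "vserver GUEST exec ip -6 addr show" works for this guest).
guest_has_addr() {
    vserver "$1" exec ip -6 addr show 2>/dev/null | grep -q -F "$2"
}

# start_sshd_when_bound GUEST ADDR: bind the address, wait until it is visible,
# and only then start sshd in the guest. Starting sshd before the address exists
# is what leaves the post's "sshd dead but subsys locked" status behind.
# Returns 1 if chbind6 fails or the address never appears; sshd is then left
# stopped rather than started against an address it cannot bind.
start_sshd_when_bound() {
    _g=$1; _a=$2; _i=0
    chbind6 "$_g" "$_a" || return 1
    while ! guest_has_addr "$_g" "$_a"; do
        _i=$((_i + 1))
        [ "$_i" -ge "$RETRIES" ] && return 1
        sleep 1
    done
    vserver "$_g" exec service sshd start
}

# Scriptlet entry point: assumed convention is that execScriptlets passes the
# guest name as $2; fall back to $VSERVER_NAME. Does nothing when run by hand
# without either, so the functions can be sourced and tested.
GUEST="${2:-${VSERVER_NAME:-}}"
if [ -n "$GUEST" ]; then
    start_sshd_when_bound "$GUEST" "$SSHD_IPV6"
fi
```

This only helps if sshd's automatic start in the guest is disabled, as the post proposes; otherwise the guest's own init still tries to start sshd before chbind6 has run and the scriptlet's start becomes a second attempt against a stale lock.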