Re: [Vserver] Kernel panic when running strace inside a vserver

2006-07-07 Thread Daniel Hokka Zakrisson

Jarek Dylag wrote:

Hello,

I'm using kernel 2.6.17.1 with vserver patch vs2.1.1-rc24.

Kernel panic when I try to use strace inside a vserver (I can reproduce
it while stracing the qmail-smtpd and/or clamd-queue process).

Oops from netconsole in attachment.

Jarek Dylag


Thanks, this should be fixed in -rc25.

--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] DRBD and vservers

2006-07-07 Thread Daniel Hokka Zakrisson

Martin Fick wrote:

I am cross posting this to both the drbd and the
vserver lists since it seems very relevant to both.

I am using drbd with vservers and I am running into a
problem trying to make drbd devices go secondary, they
report a device busy problem.

I have read everything here, but I do not think this
addresses my problem:
http://linux-vserver.org/advanced+DRBD+mount+issues

I have several vservers and each one has its own drbd
device so that they can be migrated independently from
one host to another.  The problem is that when a
vserver is stopped and another vserver which was
started after the first vserver is still running, the
drbd device for the first device remains busy despite
the fact that it is not mounted in any namespace
anymore.  It's as if vservers keep a reference to any
filesystems mounted before they were started even if
they are not visible within the vserver?  Is there
anyway to fix this?


Yes, you can enable namespace cleanup. I'm not sure which version of the 
patch is in the current Debian package, it might need an update, but if 
you have a working version, you should be able to touch 
/etc/vservers/.defaults/namespace-cleanup and any guests you start after 
that will not copy all the mounts.


(the /proc/mounts in every
vserver context does not list the filesystem)


You'll have to check the /proc/mounts inside the namespace only, as the 
context chroots and the mounts that are not visible to it are hidden.



I am using debian unstable with the debian kernel
2.6.16-1-vserver-686, the debian vserver tools 0.2.6,
the debian util-vserver 0.30.210.1.


I assume you mean 0.30.210-10?

--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412


[Vserver] DRBD and vservers

2006-07-07 Thread Martin Fick
I am cross posting this to both the drbd and the
vserver lists since it seems very relevant to both.

I am using drbd with vservers and I am running into a
problem trying to make drbd devices go secondary, they
report a device busy problem.

I have read everything here, but I do not think this
addresses my problem:
http://linux-vserver.org/advanced+DRBD+mount+issues

I have several vservers and each one has its own drbd
device so that they can be migrated independently from
one host to another.  The problem is that when a
vserver is stopped and another vserver which was
started after the first vserver is still running, the
drbd device for the first device remains busy despite
the fact that it is not mounted in any namespace
anymore.  It's as if vservers keep a reference to any
filesystems mounted before they were started even if
they are not visible within the vserver?  Is there
anyway to fix this?  (the /proc/mounts in every
vserver context does not list the filesystem)

I am using debian unstable with the debian kernel
2.6.16-1-vserver-686, the debian vserver tools 0.2.6,
the debian util-vserver 0.30.210.1.  The drbd version
is version: 0.7.18 (api:78/proto:74).

Thanks,

-Martin


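The leak this thread is about (Daniel Hokka Zakrisson's reply above and Martin Fick's post), modelled as an added example that is not part of the original thread or of util-vserver: a guest started while another guest's DRBD device was mounted carries a copy of that mount in its own namespace, so the device stays busy after the first guest is stopped even though the guest's own chrooted /proc/mounts never listed it. The per-namespace /proc/mounts text below is constructed; on a real host you would collect it with something like `vnamespace -e <xid> -- cat /proc/mounts` (assumed util-vserver invocation, check your version).

```python
"""Which VServer mount namespaces still hold a DRBD device?

Added example, not part of the original thread or of util-vserver.
"""
from typing import Dict, List, NamedTuple


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: str


# Constructed /proc/mounts excerpts, one per mount namespace, keyed by
# context id (xid); 0 is the host.
SAMPLE_NAMESPACES: Dict[int, str] = {
    # host namespace: guest 'web' (/dev/drbd0) has been stopped and unmounted
    0: "/dev/sda1 / ext3 rw 0 0\n"
       "/dev/drbd1 /vservers/mail ext3 rw 0 0\n"
       "/dev/drbd2 /vservers/db ext3 rw 0 0\n",
    # 'mail' (xid 1002) was started while 'web' was mounted: it still
    # carries a copy of that mount, which is what keeps /dev/drbd0 busy
    1002: "/dev/sda1 / ext3 rw 0 0\n"
          "/dev/drbd0 /vservers/web ext3 rw 0 0\n"
          "/dev/drbd1 /vservers/mail ext3 rw 0 0\n",
    # 'db' (xid 1003) was started before 'web' was mounted: clean
    1003: "/dev/sda1 / ext3 rw 0 0\n"
          "/dev/drbd2 /vservers/db ext3 rw 0 0\n",
}


def parse_proc_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass.

    /proc/mounts escapes a space in a mountpoint as \\040; undo that so
    comparisons against real paths work.
    """
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        dev, mountpoint, fstype, opts = fields[:4]
        mounts.append(Mount(dev, mountpoint.replace("\\040", " "), fstype, opts))
    return mounts


def holders(namespaces: Dict[int, str], device: str) -> List[int]:
    """Context ids whose namespace has `device` mounted (why drbd says busy)."""
    return sorted(
        xid for xid, text in namespaces.items()
        if any(m.device == device for m in parse_proc_mounts(text))
    )


def _under(path: str, root: str) -> bool:
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root.rstrip("/") + "/")


def stale_copies(namespaces: Dict[int, str], guest_roots: Dict[int, str],
                 guest_area: str = "/vservers") -> Dict[int, List[str]]:
    """Per guest: mounts of *other* guests' trees that leaked into its namespace.

    These are the mounts namespace-cleanup would not have copied at start.
    """
    leaks: Dict[int, List[str]] = {}
    for xid, root in guest_roots.items():
        leaked = [
            m.mountpoint
            for m in parse_proc_mounts(namespaces.get(xid, ""))
            if _under(m.mountpoint, guest_area) and not _under(m.mountpoint, root)
        ]
        leaks[xid] = sorted(leaked)
    return leaks


if __name__ == "__main__":
    print("/dev/drbd0 held by xids:", holders(SAMPLE_NAMESPACES, "/dev/drbd0"))
    print("leaked mounts:", stale_copies(
        SAMPLE_NAMESPACES, {1002: "/vservers/mail", 1003: "/vservers/db"}))
```

With the sample data, /dev/drbd0 is reported as held only by xid 1002, which is the guest you would have to restart (after enabling namespace-cleanup as described above, by touching /etc/vservers/.defaults/namespace-cleanup) before the device can go secondary; guests already running keep their copied mounts until they are restarted.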


Re: [Vserver] How to discover the "real" IP Address?

2006-07-07 Thread Boniforti Flavio

2006/7/7, Guenther Fuchs <[EMAIL PROTECTED]>:

As for security reasons: I don't think it's (easily) possible - and
furthermore, I don't think, it _should_ be (easily) possible.


OK, let's say I know the hostname of TWO Servers (real ones) which
both host a bunch of VServers.
I therefore am able to know their IPs, right?

Now, I tried following approach:
pinging localhost gives me 0.0 ms times
pinging SERVER1 gives me 0.0 ms times
pinging SERVER2 gives me times from 0.1 to 0.4...

Is it correct if I assume (without any definite certainty) that my
VServer resides on SERVER1?


[Vserver] Hack idea how to create a pseudo /dev/tty9 as [EMAIL PROTECTED] ; )

2006-07-07 Thread Robert Michel
Salve Herbert!

> > But back to the topic "could [EMAIL PROTECTED] use mknod".
> > Theoretically, would it be possible to add this feature
> > with a vmknod and a tool for [EMAIL PROTECTED] so that guests
> > could create block devices of their own without
> > harming other guests or the host itself?
> > But it seems not to be a planned feature for vserver.
> 
> well, what kind of 'devices' would you like to
> create inside a guest?

Well, I like the "one task, one tool" philosophy,
or just the slogan "Divide et impera!" So I'm not
happy with the need to modify asterisk scripts
or binaries to run on a vserver. Remember, in May
someone asked here on the list for the power to
create a fixed terminal to use with perl.

But you are right, there are options for [EMAIL PROTECTED]
to work around. My scripting skills are not so high
and my try would be better inside the asterisk scripts
for sure - but I'm looking for a solution that is
independent of the task - finally it should be
a script/daemon that requests a pseudo terminal
and links this to a fixed /dev/tty$n ($n chosen by
[EMAIL PROTECTED]). 
The most perfect solution would maybe be when
this pseudotty process takes care that its "device"
exists and, if not, that it is created again.


How to create a /dev/tty9 on a vserver without
the right to use mknod,
proposed by [EMAIL PROTECTED] 2006.07.07


Create two files:
   /etc/init.d/pseudo-tty9
   #!/usr/bin/expect -f
   # Some software likes to have its own terminal
   # but has no function to request a pseudo terminal.
   # On some vservers there are no or not enough
   # tty devices, and [EMAIL PROTECTED] does not have the
   # power to create some with mknod.
   # The idea of this script is to run a bash
   # as the user asterisk and detach it.
   #
   # expect: "#" and "$" are part of the prompt ;)
   # 2006.07.07 by [EMAIL PROTECTED]

   # -e a: make "a" the dtach detach character, so the
   # final send "a" detaches and leaves the bash running
   spawn dtach -A /tmp/pseudoterm.socket.9 -e a bash
   expect "#" { send "/etc/init.d/pseudo-tty9-ln.sh\r" }
   expect "#" { send "su - asterisk\r" } 
   expect "$" { send "a" }
   #EOF

And:
   /etc/init.d/pseudo-tty9-ln.sh
   #!/bin/bash

   # point the fixed name at whatever pty this shell was given
   ln -sf "$(tty)" /dev/tty9
   #EOF

and then run:
update-rc.d pseudo-tty9 defaults
as well as:
/etc/init.d/pseudo-tty9



It seems to work, but it is not smart to have
2 files, and no automatic restore in case
something crashes.
- what would be smarter than running a bash?


I will not waste your time - Herbert,
I'd like to discuss this and ask for tips on how
to make it better on the asterisk-users
and I think on the debian-users mailing list, too.

Maybe some others here on the list have
ideas and tips ;)

But can you tell me what you would call
such a link-to-a-pseudo-terminal construction?


BTW a hack like pseudo-tty9 has one big 
advantage compared to a new feature inside
the vserver-tools... it will run today on
all vservers -- I don't think that my provider
would update to a newer vserver version this
year... ;)


Have a nice weekend,
rob



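The same idea in one process, as an added example that is not the poster's expect/dtach script and not part of util-vserver: allocate a pty pair from /dev/ptmx (no CAP_MKNOD needed, only a mounted devpts in the guest), keep the master side open so the slave stays alive, and point a symlink at the slave. The link path is a parameter so the example can be tried in a scratch directory; in the guest you would pass /dev/tty9. Two things the two-file hack leaves out are handled here: the link is recreated if it disappears, and the holder keeps reading the master, because a writer to /dev/tty9 blocks once nobody drains the pty buffer.

```python
"""Hold a pseudo-terminal and publish it under a fixed name, without mknod.

Added example, not part of the original post or of util-vserver.
"""
import os
import select
import signal
import sys
import tempfile


class FixedPty:
    def __init__(self, link_path: str):
        self.link_path = link_path
        # os.openpty() opens /dev/ptmx and unlocks the slave; this works
        # unprivileged as long as devpts is mounted in the guest.
        self.master_fd, self.slave_fd = os.openpty()
        self.slave_name = os.ttyname(self.slave_fd)
        self.relink()

    def relink(self) -> None:
        """(Re)create the symlink atomically so readers never see it missing."""
        tmp = self.link_path + ".tmp"
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        os.symlink(self.slave_name, tmp)
        os.replace(tmp, self.link_path)

    def link_ok(self) -> bool:
        try:
            return os.readlink(self.link_path) == self.slave_name
        except OSError:
            return False

    def ensure(self) -> bool:
        """Restore the link if something removed it (the restore-after-crash wish)."""
        if not self.link_ok():
            self.relink()
        return self.link_ok()

    def drain(self, timeout: float = 0.1) -> bytes:
        """Read whatever was written to the slave side; b'' on timeout."""
        ready, _, _ = select.select([self.master_fd], [], [], timeout)
        if not ready:
            return b""
        try:
            return os.read(self.master_fd, 4096)
        except OSError:  # EIO if every slave opener has gone away
            return b""

    def close(self) -> None:
        os.close(self.master_fd)
        os.close(self.slave_fd)
        try:
            os.unlink(self.link_path)
        except FileNotFoundError:
            pass


def self_test(payload: bytes = b"hello tty9") -> dict:
    """Round trip in a scratch directory: link, write via the link, drain, restore."""
    workdir = tempfile.mkdtemp()
    link = os.path.join(workdir, "tty9")
    pty = FixedPty(link)
    result = {"linked": pty.link_ok(), "is_tty": os.isatty(pty.slave_fd)}
    # A client opens the fixed name, as asterisk would open /dev/tty9;
    # O_NOCTTY so the client does not acquire it as controlling terminal.
    fd = os.open(link, os.O_WRONLY | os.O_NOCTTY)
    os.write(fd, payload)
    os.close(fd)
    result["received"] = pty.drain(timeout=1.0)
    os.unlink(link)                       # simulate the link getting lost
    result["gone"] = not pty.link_ok()
    result["restored"] = pty.ensure()
    pty.close()
    os.rmdir(workdir)
    return result


def main(link_path: str = "/dev/tty9", log_path: str = "/var/log/pseudo-tty9.log") -> None:
    """Daemon loop: log what is written to the terminal, keep the link alive."""
    pty = FixedPty(link_path)
    stop = False

    def on_signal(signum, frame):
        nonlocal stop
        stop = True

    signal.signal(signal.SIGTERM, on_signal)
    signal.signal(signal.SIGINT, on_signal)
    with open(log_path, "ab") as log:
        while not stop:
            data = pty.drain(timeout=1.0)
            if data:
                log.write(data)
                log.flush()
            pty.ensure()
    pty.close()


if __name__ == "__main__":
    main(*sys.argv[1:])
```

Run it as `python3 pseudo-tty9.py /dev/tty9 /var/log/pseudo-tty9.log` from an init script and everything a program writes to /dev/tty9 ends up in the log instead of blocking the writer. The link is only as durable as this process: if it dies, the slave is released and the link dangles until the process is started again, which is why the init script should restart it.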


Re: [Vserver] What is use of split package?

2006-07-07 Thread Daniel Hokka Zakrisson

Sergio Belkin wrote:
Hi, I want to know what is the use of split-2.6.14.3-vs2.01.tar [.gz] [.bz2] at 
http://www.13thfloor.at/vserver/s_rel26/v2.01/


What should I use only patch or both, patch and split?

thanks in advance


The patch is the sum of all the smaller patches in the split. The split 
patchset makes it easier to review the code, as well as port it to a 
different kernel.


--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412


Re: [Vserver] How to discover the "real" IP Address?

2006-07-07 Thread Guenther Fuchs
Hi there,

on Friday, July 7, 2006 at 9:27:31 PM there was posted:

BF> I've got a question (and I'm a newbie, too!): as I'm logged as "root"
BF> on one of several Virtual Servers on a machine (each Virtual Server
BF> having its own IP address), how can I check and discover the "real"
BF> hosts IP Address and hostname?

As for security reasons: I don't think it's (easily) possible - and
furthermore, I don't think, it _should_ be (easily) possible.

-- 
regards 'n greez,

Guenther Fuchs
(aka "muh" and "powerfox")



Re: [Vserver] hostname ?

2006-07-07 Thread Daniel Hokka Zakrisson

Gregory (Grisha) Trubetskoy wrote:


Sorry if this was already asked - I searched and couldn't find anything. 
Recently I went from 2.6.12.4-vs2.0 to 2.6.17-vs2.0.2-rc24 on one of the 
machines (needed 2.6.17 because of a hardware issue).


Inside a vserver:

with 2.6.12.4-vs2.0:

# hostname blah
# hostname
blah

with 2.6.17-vs2.0.2-rc24:

# hostname blah
hostname: you must be root to change the host name

The configurations are identical:

# cat bcapabilities
^29
^30
# cat ccapabilities
mount

Obviously I don't want to give the CAP_SYS_ADMIN capability. Any advice 
would be very much appreciated!!


What you want is the utsname ccapability, although that is given by 
default to guests (at least by util-vserver 0.30.210). Did you happen to 
change tools as well? What does grep CCap /proc/virtual//status on 
the host say?


--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412


Re: [Vserver] How to discover the "real" IP Address?

2006-07-07 Thread Baltasar Cevc


Hi Flavio,


how can I check and discover the "real"
hosts IP Address and hostname?

What do you mean by "real"?
There should not be any direct way to discover the host (the main linux
distro, which has access to all the vservers and can administer them)
from inside a guest (one of the vservers); if you want to know the guest
IP, use "ip addr show" (ifconfig will not work as expected, it's
deprecated anyway).

You can get the system hostname using "hostname"; the network hostname
(which is the same as far as I know) can also be displayed using "uname -n".
If you are interested in the hostname associated with that IP (which is
what's important to network services), use "host " if you have the
bind DNS tools installed (which should be the case in most distributions).

Hope that helps,
Baltasar

((( Baltasar Cevc


) World wide web:
  * http://www.openairkino.net/ (a project for the local youth; German 
only)

  * http://technik.juz-kirchheim.de/ (programming and admin projects)
  * http://baltasar.cevc-topp.de/ (private homepage)
) Phone:
  +49 176 232 20 822
)


Re: [Vserver] /proc/virtnet error

2006-07-07 Thread Roderick A. Anderson

Daniel Hokka Zakrisson wrote:

Roderick A. Anderson wrote:

How would I ( can I ) go about correcting this -- besides rebooting 
the host or using other drastic measures?



Well, you'd first have to implement it in the kernel ;)



Ok, so for the guy that thinks of 'C' as the third letter in the 
alphabet, it will be a reboot to fix this instance.



I think you misunderstood me, there's no way to "fix" it, other than 
implementing the needed kernel support. As soon as you have a guest 
running, the count will be incorrect again.


Nope I understood but I was thinking my creating/deleting was causing 
the counts to get out of alignment and that reboot of the host would get 
them back into harmony -- until my next round of creating and deleting.



Thanks,
Rod
--



[Vserver] How to discover the "real" IP Address?

2006-07-07 Thread Boniforti Flavio

Hello list,
I've got a question (and I'm a newbie, too!): as I'm logged as "root"
on one of several Virtual Servers on a machine (each Virtual Server
having its own IP address), how can I check and discover the "real"
hosts IP Address and hostname?

Regards
Flavio.



[Vserver] hostname ?

2006-07-07 Thread Gregory (Grisha) Trubetskoy


Sorry if this was already asked - I searched and couldn't find anything. 
Recently I went from 2.6.12.4-vs2.0 to 2.6.17-vs2.0.2-rc24 on one of the 
machines (needed 2.6.17 because of a hardware issue).


Inside a vserver:

with 2.6.12.4-vs2.0:

# hostname blah
# hostname
blah

with 2.6.17-vs2.0.2-rc24:

# hostname blah
hostname: you must be root to change the host name

The configurations are identical:

# cat bcapabilities
^29
^30
# cat ccapabilities
mount

Obviously I don't want to give the CAP_SYS_ADMIN capability. Any advice 
would be very much appreciated!!


Thanks,

Grisha


Re: [Vserver] /proc/virtnet error

2006-07-07 Thread Daniel Hokka Zakrisson

Roderick A. Anderson wrote:
How would I ( can I ) go about correcting this -- besides rebooting 
the host or using other drastic measures?


Well, you'd first have to implement it in the kernel ;)


Ok, so for the guy that thinks of 'C' as the third letter in the 
alphabet, it will be a reboot to fix this instance.


I think you misunderstood me, there's no way to "fix" it, other than 
implementing the needed kernel support. As soon as you have a guest 
running, the count will be incorrect again.


--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412


Re: [Vserver] /proc/virtnet error

2006-07-07 Thread Roderick A. Anderson

Daniel Hokka Zakrisson wrote:

Roderick A. Anderson wrote:


Daniel Hokka Zakrisson wrote:


Roderick A. Anderson wrote:


While doing some clean up I was looking for remnants of a guest.

When I ran:

# find / -name '*vs666*'

I got the following error message right away.

WARNING: Hard link count is wrong for /proc/virtnet: this may be a 
bug in your filesystem driver.


Since this directory has the context of guests as subdirs I was 
wondering if I might have caused this while _playing_ around -- 
creating, copying, deleting guests, etc.





No, not at all. It seems we




'We' as in Linux-Vserver or 'we' as in the person building the guests 
or 'we' as in the Linux/File system folks?



We as in Linux-VServer.


just don't keep track of how many directories are inside /proc/virtual
or /proc/virtnet, so the count never changes.




How would I ( can I ) go about correcting this -- besides rebooting 
the host or using other drastic measures?



Well, you'd first have to implement it in the kernel ;)


Ok, so for the guy that thinks of 'C' as the third letter in the 
alphabet, it will be a reboot to fix this instance.


Does it bother anyone else?  Has anyone else run into it?  Could it mask 
other more dangerous problems?



Rod
--



Re: [Vserver] vyum verbosity?

2006-07-07 Thread Daniel Hokka Zakrisson

Roderick A. Anderson wrote:

Is there a way to turn up the verbosity when using vyum?


You can specify it on the command line, like vyum ... -- -d 6 update.

Looking in /usr/sbin/vyum and /usr/lib/util-vserver/vyum-worker I don't 
see anything to turn the verbosity level up.


It's stored in /usr/lib*/util-vserver/distributions//yum/yum.conf, 
see debuglevel=1. For guests you've already created, see below.


Specifically I'm looking for a method to keep a ssh connection from timing 
out when it takes a __looonnng__ time to pull info and the RPMs from the 
repositories.


An alternative would be to use a local repository.  Not sure how to do 
this.  Since vyum doesn't like the version of yum I'm having a tough 
time figuring out where it is getting yum-hack.conf from.


It's generated on vserver ... build, as far as I can tell, and put in 
/vservers/.pkg//yum/etc/.


--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412


Re: [Vserver] /proc/virtnet error

2006-07-07 Thread Daniel Hokka Zakrisson

Roderick A. Anderson wrote:

Daniel Hokka Zakrisson wrote:


Roderick A. Anderson wrote:


While doing some clean up I was looking for remnants of a guest.

When I ran:

# find / -name '*vs666*'

I got the following error message right away.

WARNING: Hard link count is wrong for /proc/virtnet: this may be a 
bug in your filesystem driver.


Since this directory has the context of guests as subdirs I was 
wondering if I might have caused this while _playing_ around -- 
creating, copying, deleting guests, etc.




No, not at all. It seems we



'We' as in Linux-Vserver or 'we' as in the person building the guests or 
'we' as in the Linux/File system folks?


We as in Linux-VServer.


just don't keep track of how many directories are inside /proc/virtual
or /proc/virtnet, so the count never changes.



How would I ( can I ) go about correcting this -- besides rebooting the 
host or using other drastic measures?


Well, you'd first have to implement it in the kernel ;)

--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412


Re: [Vserver] /proc/virtnet error

2006-07-07 Thread Roderick A. Anderson

Daniel Hokka Zakrisson wrote:

Roderick A. Anderson wrote:


While doing some clean up I was looking for remnants of a guest.

When I ran:

# find / -name '*vs666*'

I got the following error message right away.

WARNING: Hard link count is wrong for /proc/virtnet: this may be a bug 
in your filesystem driver.


Since this directory has the context of guests as subdirs I was 
wondering if I might have caused this while _playing_ around -- 
creating, copying, deleting guests, etc.



No, not at all. It seems we


'We' as in Linux-Vserver or 'we' as in the person building the guests or 
'we' as in the Linux/File system folks?



just don't keep track of how many directories are inside /proc/virtual
or /proc/virtnet, so the count never changes.


How would I ( can I ) go about correcting this -- besides rebooting the 
host or using other drastic measures?



Rod
--





[Vserver] vyum verbosity?

2006-07-07 Thread Roderick A. Anderson

Is there a way to turn up the verbosity when using vyum?

Looking in /usr/sbin/vyum and /usr/lib/util-vserver/vyum-worker I don't 
see anything to turn the verbosity level up.


Specifically I'm looking for a method to keep a ssh connection from timing 
out when it takes a __looonnng__ time to pull info and the RPMs from the 
repositories.


An alternative would be to use a local repository.  Not sure how to do 
this.  Since vyum doesn't like the version of yum I'm having a tough 
time figuring out where it is getting yum-hack.conf from.


Any suggestions?


TIA,
Rod
--


Re: [Vserver] can't terminate OpenVPN tunnel within a vserver?

2006-07-07 Thread Herbert Poetzl
On Wed, Jul 05, 2006 at 01:54:28AM +, Daniel W. Crompton wrote:
> On 7/4/06, Baltasar Cevc <[EMAIL PROTECTED]> wrote:
> >On 04.07.2006, at 10:29, Daniel W. Crompton wrote:
> >> You can, I just did it yesterday. You need to set the following in the
> >> file "bcapabilities":
> >> CAP_NET_ADMIN
> >> CAP_NET_RAW
> >I haven't tested it myself as I run OpenVPN in the host system only,
> >but I'd say that these caps are not nice to give to a guest, as far as
> >I know, you could more or less do any network operation (for any
> >interface) in the guest then.
> 
> Obviously, you are giving the guest full access. Then again setting a
> routing on the guest is rather hard without CAP_NET_ADMIN, and as I

well, the real danger here is, inside the guest
(with CAP_NET_ADMIN), root can easily take your
host interface down and render all your guests
unusable ... so use with caution :)

> wanted to be able to set the route from with in the guest I needed
> this on anyway.

> Also my vservers need to be portable over many systems so having too
> much host based configuration would make the transfer of a vserver
> from one host to another more difficult than sending vserver stop and
> start commands to the different hosts. 

this could be easily solved with the various startup
and shutdown scripts (pre-pre, pre, post, post-post)

> On the security I can access the vpn from another unprivileged vserver
> on the same host:
> 
> vhost-novpn ~# ping -I tap0 10.0.2.1
> 
> vhost-vpn ~ # tcpdump -vv -i tap0
> tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 96 
> bytes
> 01:34:05.027723 arp who-has vpn-router tell vhost-novpn
> 01:34:06.027733 arp who-has vpn-router tell vhost-novpn
> 01:34:07.027757 arp who-has vpn-router tell vhost-novpn
> 
> 3 packets captured
> 6 packets received by filter
> 0 packets dropped by kernel
> 
> This makes any other vserver I run with or without CAP_NET_ADMIN a
> vserver with elevated rights, which means just adding the tun/tap
> device is dangerous. And as tap is meant for the creation of raw
> ethernet frames this means, in principle, I would be able to send raw
> ethernet data to the remote host, that also means routing data. 

you can as well create the tun/tap device as
persistent one on the host (when the guest is
started up) and 'just' use it inside the guest
(in which case you can remove all the caps)

> How secure is that?

not very secure :)

> >However, maybe, you will have to do this to get it working. I can't
> >remember any option that could make OpenVPN use an already existing
> >interface (I don't know how tun/tap work, thus whether that would be
> >feasible at all). It should be worth searching the OpenVPN and/or
> >kernel docs about that, though.
> 
> That's what I did and I got exactly this answer. Unless anybody can
> tell me how to do it another way.

see above, and IIRC derjohn already tested that
in several configurations, so maybe you find some
info on his pages ...

> >Just quickly searching around, my understanding is that you have to
> >create the tun device on the host (which is what you want from a
> >security perspective). Afterwards you can assign it to a guest and
> >OpenVPN should be happy to use that one. However that seems to work
> >with tap, I assume it won't work using tun as a device.
> 
> It should, both tun and tap come from the same module, where tap is
> slightly more powerful than tun.

one is layer 3 the other layer 2, except for that
there is no real difference in the 'powerfulness'

> >>Add if you want to load the module inside the vserver on access:
> >>CAP_SYS_MODULE
> >That would be quite crazy, I'd say. You could load anything, thus
> >provide the guest with any priviledge ever wanted...
> I'd have to agree there, I don't have it enabled.

and it is not required either, module loading 
either happens 'on demand' and on the host, or
you simply preload the module

> >> Add if you want to mknod the device inside the vserver:
> >> CAP_MKNOD
> >Quite dangerous, too, as it enables you to access the whole HD for
> >example.
> Again I don't have it enabled, but again I've left the option for the
> user.

giving CAP_MKNOD basically disables all the 
isolation and allows guest root to mess with
the entire system, be careful here ...

> Anybody installing a vpn on their vserver then giving somebody they
> can't trust high level access to the vserver has just opened 2
> networks for attack. What disturbs me more is the fact that I can
> access the vpn from another vserver.

that is the least thing I'd worry about :)

HTC,
Herbert

> D.
> 
> 
> blaze your trail
> 
> --
> redhat
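A small audit of the bcapabilities file that this thread and the "hostname ?" thread above both turn on, as an added example that is not part of util-vserver: it decodes the two spellings seen in the threads (`CAP_NAME` and `^<bit>`, as in Grisha's `^29` / `^30`) into kernel capability bits and flags the ones the participants warn about (CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_MODULE, CAP_MKNOD, CAP_SYS_ADMIN). The `~` prefix for removing a capability and the `#` comment syntax are assumptions about the config format; the bit table is the Linux capability numbering of the 2.6 kernels of the time (bits 0 to 30, later kernels added more).

```python
"""Decode and audit a util-vserver bcapabilities file.

Added example, not part of util-vserver or of the original threads.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Linux capability bits as of the 2.6.16/2.6.17 kernels discussed here.
CAP_BY_BIT: Dict[int, str] = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
}
BIT_BY_NAME: Dict[str, int] = {name: bit for bit, name in CAP_BY_BIT.items()}

# Why each of these is a host-compromise or host-DoS risk inside a guest,
# as the thread participants put it.
RISKY: Dict[str, str] = {
    "CAP_NET_ADMIN": "guest root can reconfigure or take down host interfaces",
    "CAP_NET_RAW": "raw sockets: sniff and forge traffic on shared interfaces",
    "CAP_SYS_MODULE": "load arbitrary kernel code, i.e. any privilege at all",
    "CAP_MKNOD": "create a device node aliasing the host's root disk",
    "CAP_SYS_ADMIN": "catch-all admin capability, defeats the isolation",
    "CAP_SYS_RAWIO": "direct I/O port and raw disk access",
}


def parse_bcapabilities(text: str) -> Set[int]:
    """Return the set of capability bits a bcapabilities file grants."""
    bits: Set[int] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        if not line:
            continue
        remove = line.startswith("~")         # assumed: '~' removes a cap
        token = line[1:] if remove else line
        if token.startswith("^"):
            bit = int(token[1:])
        else:
            name = token.upper()
            if not name.startswith("CAP_"):
                name = "CAP_" + name
            if name not in BIT_BY_NAME:
                raise ValueError(f"unknown capability {token!r}")
            bit = BIT_BY_NAME[name]
        if not 0 <= bit < 32:
            raise ValueError(f"capability bit out of range: {bit}")
        if remove:
            bits.discard(bit)
        else:
            bits.add(bit)
    return bits


def to_mask(bits: Iterable[int]) -> int:
    """Bitmask form, the way the kernel stores a capability set."""
    return sum(1 << b for b in set(bits))


def names(bits: Iterable[int]) -> List[str]:
    return [CAP_BY_BIT.get(b, f"^{b}") for b in sorted(set(bits))]


def audit(text: str) -> List[Tuple[str, str]]:
    """(capability, reason) for every risky capability the file grants."""
    return [(n, RISKY[n]) for n in names(parse_bcapabilities(text)) if n in RISKY]


if __name__ == "__main__":
    # Constructed sample: the OpenVPN-in-guest configuration from this thread.
    sample = "CAP_NET_ADMIN\nCAP_NET_RAW\n# CAP_SYS_MODULE left out on purpose\n"
    for cap, why in audit(sample):
        print(f"{cap}: {why}")
```

On Grisha's file the decode gives CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL, neither of which has anything to do with setting the hostname, which matches Daniel's answer that the utsname context capability is what matters there. On the OpenVPN configuration the audit flags both capabilities, which is the point Herbert makes: the safer route is a persistent tun/tap device created on the host at guest start and handed in, with no extra caps in the guest.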


Re: [Vserver] /proc/virtnet error

2006-07-07 Thread Daniel Hokka Zakrisson

Roderick A. Anderson wrote:

While doing some clean up I was looking for remnants of a guest.

When I ran:

# find / -name '*vs666*'

I got the following error message right away.

WARNING: Hard link count is wrong for /proc/virtnet: this may be a bug 
in your filesystem driver.


Since this directory has the context of guests as subdirs I was 
wondering if I might have caused this while _playing_ around -- 
creating, copying, deleting guests, etc.


No, not at all. It seems we just don't keep track of how many 
directories are inside /proc/virtual or /proc/virtnet, so the count 
never changes.


--
Daniel Hokka Zakrisson
GPG id: 06723412
GPG fingerprint: A455 4DF3 990A 431F FECA  7947 6136 DDA2 0672 3412


Re: [Vserver] Re: linux-vserver patch 2.0.x for kernel 2.6.16

2006-07-07 Thread Herbert Poetzl
On Wed, Jul 05, 2006 at 12:20:27PM +0200, Rik Bobbaers wrote:
> 
> 
> Herbert Poetzl wrote:
> 
> >I think so, who is going to maintain it?
> 
> if you give me the diffs between rc's, i'll keep them up to date for
> 2.6.16 (as i'm not that fond of 2.6.17 kernel just yet... i'll wait
> for a 2.6.17.20 or so, before i consider that one "stable")

you are probably better off with the deltas published
every time we change something, as the diff between
two rc's might include the changes between kernel
versions (and resulting changes) ... but I can assure
you, all you need is available :)

> as for grsec + vserver patches, i'm afraid i'll have to go to 2.6.17
> rather fast, since spender doesn't support 2.6.16 kernels anymore...
> when vs2.0.2 comes out, and grsec 2.1.9, i'll try to fix a general
> patch for 2.6.16 as well as 2.6.17, if people are still interested in
> 2.6.16 by then :)
> 
> >well, 2.6.17 should have all that fixes, no?
> 
> problem is, that 2.6.17 has a lot of new code ==> bugs. (just 
> check that sctp connection tracking stuff... it's... horrible.
> 
> >if there is great demand and/or some good reason
> >to do that, we will probably go that way ...
> 
> what's the ETA on vs2.0.2 ? what are the issues on that one?

should have been out for a week now, but I'm experiencing
a lot of issues with my internet connectivity (absolutely
not related to Linux-VServer :) and so I had to delay
some of the planned testing ...

I'm pretty confident we will release within the 2.6.17
cycle (did you hear me murphy?) but as usual the slogan 
is: "will be released when finished :)"

HTH,
Herbert

> greetz,
> 
> -- 
> harry
> aka Rik Bobbaers
> 
> K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
> [EMAIL PROTECTED] -=- http://harry.ulyssis.org
> 
> "Work hard and do your best, it'll make it easier for the rest"
> -- Garfield
> 
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
> 


Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?

2006-07-07 Thread Herbert Poetzl
On Thu, Jul 06, 2006 at 06:44:12PM +0200, Robert Michel wrote:
> Salve Herbert!
> 
> Herbert Poetzl schrieb am Donnerstag, den 06. Juli 2006 um 13:10h:
> 
> > > but on the next day /usr/sbin/safe_asterisk does
> > > not found /dev/tty9. /dev/pts/31 exist only
> > > for my bash, after exiting this bash, also
> > > /dev/pts/31 has been gone, and so this "hack"
> > > does not work... ;(
> > 
> > precisely, either you _want_ that output to go
> > somewhere, then you have to 'provide' a real vc
> > terminal or to make asterisk 'create' it on startup
> > (by requesting a new one, like e.g. screen does)
> 
> Exactly.
> 
> > you could, for example, use screen to provide that
> > pseudo terminal without modifying asterisk 
> 
> I have to play more with screen/dtach 
> - could screen create performance or other problems?
>   IMHO screen does much more than just create
>   a pseudo terminal and slows asterisk significantly.
>  
> > better use /dev/vc/9 (c:4:9 or the udev equiv) but 
> > basically you 'could' create the device for the guest
> > on the host side, and the guest will be able to use
> > it, just be careful _what_ you give to your guests :)
>  
> > > So [EMAIL PROTECTED] can indirectly create dummy devices
> > > and there is still no tool like mknod for vserver
> > > - because it is not so necessary and does not 
> > > have such a high priority - right? 
> > 
> > no,
> > because it is a big can of worms and a security
> > issue, just imagine somebody creating a block device
> > which 'accidentially' is identical to your host's
> > root partition, and then starts modifying stuff at
> > a very low level :)
> 
> You mean [EMAIL PROTECTED] could do things with the
> power of [EMAIL PROTECTED]
> 
> I can understand that it is good that [EMAIL PROTECTED]
> can't dump the RAM, read the bios etc...
> and everybody who setup his own vserver is happy
> about a security gain - but it is a bit different
> for people who rent a vserver and are only 
> [EMAIL PROTECTED]
> 
>   BTW I'm in favor that by default every vserver
>   installation creates a Vserver-README inside
>   the root directory for every guest instance
>   and a [EMAIL PROTECTED]

I agree, and this could be something the community
provides to the actual 'providers', but, as they
build their own environments, with a multitude of
different tools, there is no real way to 'force'
that into a guest (which IMHO would be wrong anyways)

>   ISPs are promoting vserver with "full root 
>   access". As far as I know, yet root-guest 
>   can't use: 
>   iptables, 
this one is not yet possible without help from the
provider, but some providers allow you to do that via
some web interface (in a secure way)

>   ping, 
should work quite fine with all recent versions of
Linux-VServer if the proper context capability is
set (raw_icmp, see http://linux-vserver.org/Caps+and+Flags)

>   traceroute,
traceroute is a very misguided tool, and can be
replaced by (the much newer) tracepath which should
work out of the box (and give more information) 

>   ntp,
ntp uses the linux kernel to keep track of the time
which doesn't really make sense on a per guest basis,
it is much better to have only a single ntpd instance
on the host (or in a special time guest) which keeps
the entire system in sync

>   mknod
is disabled (via a capability) for security reasons
as you do not want folks to mess with devices they
do not own ...

>   so some misunderstandings or noise on mailinglist
>   will come automaticaly.

yes, from a 'customer' point of view it is completely
understandable

>   When I know more about vservers, I will try
>   to contribute in that way...
> 
> But back to the topic "could [EMAIL PROTECTED] use mknod".
> Theoretically, would it be possible to add this feature
> with a vmknod and a tool for [EMAIL PROTECTED] so that guests
> could create block devices of their own without
> harming other guests or the host itself?
> But it seems not to be a planned feature for vserver.

well, what kind of 'devices' would you like to
create inside a guest?

> It's unthankful that people are asking every time
> about errors or things that are not supported

no problem with that, all the issues and/or feature
requests reported back will be considered, and if
there is a good way to do it, we will probably add
it in the next version (as we already did with many
inspired features, like the per guest time base :)

> But I'm thankful about the vserver project
> and that you have the focus on security

you're very welcome!

best,
Herbert

> Greetings,
> rob
> 


[Vserver] vserver + Zend php + oracle

2006-07-07 Thread Xavier Montagutelli
Hello list,

We are using the Zend php distribution, with Oracle support 
(ZendCoreForOracle-v1.3.1), inside a vserver. The Oracle server is on another 
machine.

The vserver works fine, we can connect to Oracle. But after some time, we are 
unable to make new connections. I can't reproduce the bug on demand, but we 
are facing it from time to time (once every 1 to 3 weeks, http server with a 
light load).

A vserver restart is not sufficient : we have to reboot the *host* to make it 
work again. I suspect that even a bug in php or oracle shouldn't get us to 
this situation. Or am I wrong ? Do you have any experience of this ? Can it 
be a bug in the vserver patch or in the kernel ?

Linux 2.6.16.16
VServer vs2.0.2-rc20

Doing "strace /usr/local/Zend/Core/bin/php connect.php" (a simple test 
script) :

[...]
lstat64("/root/connect.php", {st_mode=S_IFREG|0644, st_size=428, ...}) = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x815a660, [PROF], SA_RESTART}, {0x815a660, [PROF], 
SA_RESTART}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
_llseek(4, 0, [0], SEEK_SET)= 0
read(4, "http://list.linux-vserver.org/mailman/listinfo/vserver