Re: [Vserver] OCS Inventory
On 3/16/07, Daniel Hokka Zakrisson <[EMAIL PROTECTED]> wrote: Daniel W. Crompton wrote: After reading Jean-Marc's answer I thought it could also be the fact that you might just need to create /dev/mem. You absolutely never ever want to do that, if you care the least about the guest being secure... /dev/mem would give it complete access to the contents of your RAM. Seriously if you care about your guest being secure you make sure that the host doesn't have physical network access. If you want to be able to run certain programs in a guest you sometimes need rights which are available to only the host. That's the whole point of caps. I want to make it clear that I have no idea what the OCS program does, but if you want to run it in a guest then you need to be able to access /dev/mem. Making the guest insecure is the price you have to pay. Having network access for a machine means risking remote attacks it's the price you pay. I hardly run anything on my host systems besides syslog and sshd, practically everything runs in a guest. Some guests have caps that give it almost full access to the host system on other guests you don't even have write access to the disk or a compiler. (It logs to the host's syslog anyway.) The level of access you need in a guest determines who access is given to, not whether you do something or not. The only thing you "absolutely never ever" want to do is give somebody you don't trust physical access to the host, anything else is a question of need. D. blaze your trail -- redhat ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] OCS Inventory
Daniel W. Crompton wrote: > On 3/16/07, Daniel Hokka Zakrisson <[EMAIL PROTECTED]> wrote: >> Daniel W. Crompton wrote: >>> After reading Jean-Marc's answer I thought it could also be the fact >>> that you might just need to create /dev/mem. >> >> You absolutely never ever want to do that, if you care the least about >> the >> guest being secure... /dev/mem would give it complete access to the >> contents of your RAM. > > Seriously if you care about your guest being secure you make sure that > the host doesn't have physical network access. If you want to be able > to run certain programs in a guest you sometimes need rights which are > available to only the host. That's the whole point of caps. Which should not be taken as lightly as "you just need to create XYZ". It's something that essentially voids the entire virtualization/isolation that Linux-VServer provides... -- Daniel Hokka Zakrisson ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] OCS Inventory
On 3/17/07, Daniel Hokka Zakrisson <[EMAIL PROTECTED]> wrote: You absolutely never ever want to do that, if you care the least about the guest being secure... /dev/mem would give it complete access to the contents of your RAM. Seriously if you care about your guest being secure you make sure that the host doesn't have physical network access. If you want to be able to run certain programs in a guest you sometimes need rights which are available to only the host. That's the whole point of caps. Which should not be taken as lightly as "you just need to create XYZ". It's something that essentially voids the entire virtualization/isolation that Linux-VServer provides... You are right that I was a little flippant in my remark that one should just create /dev/mem, and should have mentioned the security implications. My remark did contain reservation you didn't pick-up on. "You might just need to create XYZ" carries a very different message than "you just need to create XYZ." In this case "might" means that it is possible that you would need to do XYZ, I realize that this reservation could be missed in a cursory reading. However that doesn't however negate the fact that to run OCS Agent as is in a guest you might just need to create /dev/mem. regards, D. blaze your trail -- redhat ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] OCS Inventory
in the same sense... disable all firewalls, open up your telnet port and allow passwordless rootlogin on all your machines or pull the plug those are the only possibilities, right? Daniel W. Crompton wrote: Seriously if you care about your guest being secure you make sure that the host doesn't have physical network access. If you want to be able to run certain programs in a guest you sometimes need rights which are available to only the host. That's the whole point of caps. I want to make it clear that I have no idea what the OCS program does, but if you want to run it in a guest then you need to be able to access /dev/mem. Making the guest insecure is the price you have to pay. Having network access for a machine means risking remote attacks it's the price you pay. I hardly run anything on my host systems besides syslog and sshd, practically everything runs in a guest. Some guests have caps that give it almost full access to the host system on other guests you don't even have write access to the disk or a compiler. (It logs to the host's syslog anyway.) The level of access you need in a guest determines who access is given to, not whether you do something or not. The only thing you "absolutely never ever" want to do is give somebody you don't trust physical access to the host, anything else is a question of need. -- harry aka Rik Bobbaers K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50 [EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry Nobody notices when things go right. Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] OCS Inventory
On Sat, Mar 17, 2007 at 02:37:39PM +, Daniel W. Crompton wrote: > On 3/17/07, Daniel Hokka Zakrisson <[EMAIL PROTECTED]> wrote: > >>>You absolutely never ever want to do that, if you care the least about > >>>the > >>>guest being secure... /dev/mem would give it complete access to the > >>>contents of your RAM. > >>Seriously if you care about your guest being secure you make sure that > >>the host doesn't have physical network access. If you want to be able > >>to run certain programs in a guest you sometimes need rights which are > >>available to only the host. That's the whole point of caps. > >Which should not be taken as lightly as "you just need to create XYZ". > >It's something that essentially voids the entire virtualization/isolation > >that Linux-VServer provides... > > You are right that I was a little flippant in my remark that one > should just create /dev/mem, and should have mentioned the security > implications. My remark did contain reservation you didn't pick-up on. > "You might just need to create XYZ" carries a very different message > than "you just need to create XYZ." In this case "might" means that it > is possible that you would need to do XYZ, I realize that this > reservation could be missed in a cursory reading. > > However that doesn't however negate the fact that to run OCS Agent as > is in a guest you might just need to create /dev/mem. you might want to check with the source (of OCS Agent) what the application actually does with /dev/mem best, Herbert > regards, > > D. > > > blaze your trail > > -- > redhat > ___ > Vserver mailing list > Vserver@list.linux-vserver.org > http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Vserver CPU limit question
On Fri, Mar 16, 2007 at 06:54:26PM -0700, Albert Mak (almak) wrote: > Hi, > > I have Linux (2.6.14.3 Kernel) with Vserver 2.0.1 and testing the CPU > limit capabilities. I have 2 vserver contexts both running CPU intensive > app capable of using up 100% CPU, I am setting up on vserver to limit 1 > context to 10% CPU and the 2nd to 80% CPU, both using flags sched_prio. > I am seeing CPU usage split 50/50 between the 2 contexts. I repeated the > same test using sched_hard with the same result (kernel VSERVER_HARDCPU > config set to y). I am expecting to see at least the CPU usage close to > the Vserver limits. > > Have I got the wrong settings or some other issues. Your help is really > appreciated. > > -Albert > > top - 18:37:04 up 26 min, 1 user, load average: 2.04, 1.40, 0.62 > Tasks: 127 total, 3 running, 124 sleeping, 0 stopped, 0 zombie > Cpu(s): 98.7% us, 1.3% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, > 0.0% si > Mem:513084k total, 115660k used, 397424k free,10200k buffers > Swap:0k total,0k used,0k free,39332k cached > > PID USER PR NI VIRT RES SHR S %CPU %MEMTIME+ COMMAND > 6616 root 20 0 1332 228 184 R 49.8 0.0 2:23.12 > exceed_cpu_limi > 6513 root 20 0 1336 232 184 R 48.1 0.0 2:43.79 > exceed_cpu_limi > > -bash-2.05b# vps > PID CONTEXT TTY TIME CMD > 3672 0 MAIN pts/000:00:00 bash > 6513 2 APP1 pts/000:03:01 exceed_cpu_limi > 6616 3 APP2 pts/000:02:40 exceed_cpu_limi > 7655 1 ALL_PROC pts/000:00:00 vps > 7656 1 ALL_PROC pts/000:00:00 ps > > -bash-2.05b# pwd > /etc/vservers/APP1 > -bash-2.05b# cat flags > sched_prio you want to add sched_hard here if you want hard scheduling, the prio scheduler will only adjust priorities according to the token buckets ... I'd also suggest to use a more recent kernel (and probably Linux-VServer patch) than this one as the scheduler was enhanced quite a lot in 2.2.x > -bash-2.05b# cat schedule > 80 > 100 > 200 > 50 > 140 > dummy > > -bash-2.05b# pwd > /etc/vservers/APP2 > -bash-2.05b# cat flags > sched_prio > -bash-2.05b# cat schedule > 10 > 100 > 200 > 50 > 140 > dummy > > -bash-2.05b# cat /proc/virtual/2/sched > Token: 140 > FillRate: 1 > Interval:100 > TokensMin:50 > TokensMax: 140 > PrioBias: 0 > VaVaVoom: -5 > cpu 0: 229674 71 0 > > -bash-2.05b# cat /proc/virtual/3/sched > Token: 140 > FillRate: 10 > Interval:100 > TokensMin:50 > TokensMax: 140 > PrioBias: 0 > VaVaVoom: -5 > cpu 0: 217275 54 0 looks like none of the token buckets is active here, what does the /proc/virtual/2/status show? TIA, Herbert > ___ > Vserver mailing list > Vserver@list.linux-vserver.org > http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Re: Oops with rejecting routes in vservers instance
On Thu, Mar 15, 2007 at 07:38:44PM +0100, Herbert Poetzl wrote: > On Thu, Mar 15, 2007 at 12:18:12PM +0100, Asier Baranguán wrote: > > Asier Baranguán escribió: > > > > >>~~~ > > >>quite ancient ... could you try something like 2.6.18-4 or > > >>even better 2.6.19.7-vs2.2.0-rc17 and tell me if you see > > >>the same issues? > > >> > > >>will try to recreate it here ... > > > > > >Oops. > > > > > >Kernel 2.16.38-vs2.0.3-rc1 and same problem... okay, was actually easy to recreate, thanks to your information and testing ... turned out to be an issue present in recent versions too ... > > >Is there any fix for this in the 'stable' 2.6.16 kernel? yep, we updated the 2.6.16 kernel to 2.6.16.43 and the patch to 2.0.3-rc2, you can find it here: http://vserver.13thfloor.at/Experimental/patch-2.6.16.43-vs2.0.3-rc2.diff thanks for spotting, Herbert > > Emm... I want to say "any fix for the 2.0.3rc1 release > > of the 'stable' > > 2.6.16 kernel" > > will check that tonight or tomorrow, when I get > around digging out that old kernel :) > > best, > Herbert > > > Thanks > > > begin:vcard > > fn;quoted-printable:Asier Barangu=C3=A1n > > n;quoted-printable:Barangu=C3=A1n;Asier > > org;quoted-printable:ELPA Gesti=C3=B3n > > adr;quoted-printable;dom:;;c/ Henao 4 - 3=C2=BAA;Bilbao;Bizkaia;48009 > > email;internet:[EMAIL PROTECTED] > > title:A/P > > tel;work:944.23.01.66 > > tel;fax:944.23.01.78 > > x-mozilla-html:FALSE > > url:http://www.elpagestion.com > > version:2.1 > > end:vcard > > > > > ___ > > Vserver mailing list > > Vserver@list.linux-vserver.org > > http://list.linux-vserver.org/mailman/listinfo/vserver > > ___ > Vserver mailing list > Vserver@list.linux-vserver.org > http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
RE: [Vserver] Vserver CPU limit question
Hi Herbert Here is the output of /proc/virtual/2/status as requested Both context 2 and 3 have the same setting. -bash-2.05b# cat /proc/virtual/2/status UseCnt: 7 Tasks: 2 Flags: 000202020210 BCaps: 354c24ff CCaps: 0101 Ticks: 0 Thanks. -Albert -Original Message- From: Herbert Poetzl [mailto:[EMAIL PROTECTED] Sent: Saturday, March 17, 2007 11:36 AM To: Albert Mak (almak) Cc: vserver@list.linux-vserver.org Subject: Re: [Vserver] Vserver CPU limit question On Fri, Mar 16, 2007 at 06:54:26PM -0700, Albert Mak (almak) wrote: > Hi, > > I have Linux (2.6.14.3 Kernel) with Vserver 2.0.1 and testing the CPU > limit capabilities. I have 2 vserver contexts both running CPU > intensive app capable of using up 100% CPU, I am setting up on vserver > to limit 1 context to 10% CPU and the 2nd to 80% CPU, both using flags sched_prio. > I am seeing CPU usage split 50/50 between the 2 contexts. I repeated > the same test using sched_hard with the same result (kernel > VSERVER_HARDCPU config set to y). I am expecting to see at least the > CPU usage close to the Vserver limits. > > Have I got the wrong settings or some other issues. Your help is > really appreciated. > > -Albert > > top - 18:37:04 up 26 min, 1 user, load average: 2.04, 1.40, 0.62 > Tasks: 127 total, 3 running, 124 sleeping, 0 stopped, 0 zombie > Cpu(s): 98.7% us, 1.3% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, > 0.0% si > Mem:513084k total, 115660k used, 397424k free,10200k buffers > Swap:0k total,0k used,0k free,39332k cached > > PID USER PR NI VIRT RES SHR S %CPU %MEMTIME+ COMMAND > 6616 root 20 0 1332 228 184 R 49.8 0.0 2:23.12 > exceed_cpu_limi > 6513 root 20 0 1336 232 184 R 48.1 0.0 2:43.79 > exceed_cpu_limi > > -bash-2.05b# vps > PID CONTEXT TTY TIME CMD > 3672 0 MAIN pts/000:00:00 bash > 6513 2 APP1 pts/000:03:01 exceed_cpu_limi > 6616 3 APP2 pts/000:02:40 exceed_cpu_limi > 7655 1 ALL_PROC pts/000:00:00 vps > 7656 1 ALL_PROC pts/000:00:00 ps > > -bash-2.05b# pwd > /etc/vservers/APP1 > -bash-2.05b# cat flags > sched_prio you want to add sched_hard here if you want hard scheduling, the prio scheduler will only adjust priorities according to the token buckets ... I'd also suggest to use a more recent kernel (and probably Linux-VServer patch) than this one as the scheduler was enhanced quite a lot in 2.2.x > -bash-2.05b# cat schedule > 80 > 100 > 200 > 50 > 140 > dummy > > -bash-2.05b# pwd > /etc/vservers/APP2 > -bash-2.05b# cat flags > sched_prio > -bash-2.05b# cat schedule > 10 > 100 > 200 > 50 > 140 > dummy > > -bash-2.05b# cat /proc/virtual/2/sched > Token: 140 > FillRate: 1 > Interval:100 > TokensMin:50 > TokensMax: 140 > PrioBias: 0 > VaVaVoom: -5 > cpu 0: 229674 71 0 > > -bash-2.05b# cat /proc/virtual/3/sched > Token: 140 > FillRate: 10 > Interval:100 > TokensMin:50 > TokensMax: 140 > PrioBias: 0 > VaVaVoom: -5 > cpu 0: 217275 54 0 looks like none of the token buckets is active here, what does the /proc/virtual/2/status show? TIA, Herbert > ___ > Vserver mailing list > Vserver@list.linux-vserver.org > http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver