[Vserver] problems shutting down vserver with the same IP of the host
Hi

First, my host configuration:

Debian Sarge

    uname -a
    Linux debian 2.6.14.7-vs2.1.0-grsec-2.1.9 #1 PREEMPT Thu Mar 2 13:59:25 CLST 2006 i686 GNU/Linux

When I create a vserver (name of vserver = geekzone) with a private IP (192.168.1.2/24), I have no problem with starting and stopping the vserver, and the vserver works fine.

After that I stop the vserver:

    vserver geekzone stop

and change the net configuration of the vserver with:

    echo 200.55.194.24 > /etc/vservers/geekzone/interfaces/0/ip
    echo 29 > /etc/vservers/geekzone/interfaces/0/prefix

(200.55.194.54/29 is the public IP of the host machine)

When I restart the vserver:

    vserver geekzone start
    RTNETLINK answers: File exists
    Starting system log daemon: syslogd.
    Starting kernel log daemon: klogd.
    Starting MTA: exim4.
    Starting internet superserver: inetd.
    Starting deferred execution scheduler: atd.
    Starting periodic command scheduler: cron.

And when I stop the vserver:

    vserver geekzone stop
    Stopping periodic command scheduler: cron.
    Stopping MTA: exim4.
    Stopping internet superserver: inetd.
    Saving the System Clock time to the Hardware Clock...
    hwclock is unable to get I/O port access: the iopl(3) call failed.
    Hardware Clock updated to Tue Jan 10 20:43:27 CLST 2006.
    Stopping deferred execution scheduler: atd.
    Stopping kernel log daemon: klogd.
    Stopping system log daemon: syslogd.
    Sending all processes the TERM signal...done.
    Sending all processes the KILL signal...done.
    Saving random seed...done.
    Unmounting remote and non-toplevel virtual filesystems...done.
    Deconfiguring network interfaces...done.
    Cleaning up ifupdown...done.
    Deactivating swap...umount: none: not found
    umount: /tmp: must be superuser to umount
    Not superuser.
    done.
    Unmounting local filesystems...umount: none: not found
    umount: /tmp: must be superuser to umount
    umount: /dev/hdv1: not found
    umount: /: not mounted
    done.
    mount: permission denied
    Rebooting...
    ifdown: shutdown eth0: Permission denied

After that, the whole system shuts down (vserver and host).

I need to make a vserver that listens on the same public IP as the host, but I don't know how I can resolve this inconvenience.

Any suggestions welcome.

Thanks in advance,
Daniel Ortiz

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] vserver and grsec
> Rik Bobbaers wrote:
>> hey all,
>>
>> for those interested...
>>
>> i took a vanilla linux 2.6.14.4 kernel
>> patched it with an updated version of grsec 2.1.7
>> and applied vserver 2.1.0 patch (including the sendfile patch and an optimisation for some weirdness in grsec)
>>
>> i put it all in a patch, which can be located at:
>> http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff.gz
>> http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff
>>
>> 1 thing... if you can't start your vservers and get the following error message:
>> vcontext: vc_set_cflags(): Operation not permitted
>> you need to enable capabilities in chroots. you can do this with:
>> echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
>> (or the appropriate sysctl command ;))
>>
>> if people think it's a good thing to merge the patches... just let me know, i'll see what i can do to keep this a little bit up to date.
>>
>> have fun all!
>
> Works like a charm :-) I don't use the PAX part, but no problems with
> vserver and proc_security/randomness features.
>
> Thanks a lot!
> Merry Xmas,
> Oliver

In the last two weeks I was trying to run a grsec-vserver kernel, with no results:

I take the same kernel (2.6.14.4 kernel) and patch with patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff with:

    patch -p0 < patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

PAX is disabled. When I try to run gradm 2.17 or gradm 2.18 the system says to me:

    incompatible gradm and grsecutity versions

Vserver and grsecurity compile options:

#
# Linux VServer
#
CONFIG_VSERVER_LEGACY=y
# CONFIG_VSERVER_LEGACY_VERSION is not set
CONFIG_VSERVER_DYNAMIC_IDS=y
# CONFIG_VSERVER_NGNET is not set
CONFIG_VSERVER_COWBL=y
CONFIG_VSERVER_PROC_SECURE=is not set
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
# CONFIG_INOXID_NONE is not set
# CONFIG_INOXID_UID16 is not set
# CONFIG_INOXID_GID16 is not set
CONFIG_INOXID_UGID24=y
# CONFIG_INOXID_INTERN is not set
# CONFIG_INOXID_RUNTIME is not set
# CONFIG_XID_TAG_NFSD is not set
CONFIG_XID_PROPAGATE=y
CONFIG_VSERVER_DEBUG=y
CONFIG_VSERVER_HISTORY=y
CONFIG_VSERVER_HISTORY_SIZE=64

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
CONFIG_GRKERNSEC_HIGH=y
# CONFIG_GRKERNSEC_CUSTOM is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=is not set
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=is not set
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set
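
Added example (not part of any message in this thread, and not code from the vserver or grsecurity projects): a shell helper that reads a kernel config in the form posted above, including its "KEY=is not set" lines, and reports whether the chroot capability restriction behind the chroot_caps sysctl quoted in the message is built in and switchable at runtime. The function names and result labels are hypothetical. It assumes the sysctl entry exists only when both CONFIG_GRKERNSEC_CHROOT_CAPS and CONFIG_GRKERNSEC_SYSCTL are enabled.

```sh
#!/bin/sh
# Added example: report the state of one option in a kernel .config fragment.
# Prints y/m/<value>, "unset" or "missing". Function names are hypothetical.
kconfig_state() {   # usage: kconfig_state FILE OPTION
    awk -v opt="$2" '
        $0 == "# " opt " is not set" { s = "unset" }
        index($0, opt "=") == 1 {
            v = substr($0, length(opt) + 2)
            # The posted config also has "KEY=is not set" lines: count as unset.
            s = (v == "is not set") ? "unset" : v
        }
        END { print (s == "" ? "missing" : s) }
    ' "$1"
}

# Assumption: the chroot_caps sysctl exists only when both the feature and
# grsecurity sysctl support are compiled in.
chroot_caps_advice() {   # usage: chroot_caps_advice FILE
    caps=$(kconfig_state "$1" CONFIG_GRKERNSEC_CHROOT_CAPS)
    sysctl=$(kconfig_state "$1" CONFIG_GRKERNSEC_SYSCTL)
    if [ "$caps" != "y" ]; then
        echo "not-built"          # restriction is not in this kernel
    elif [ "$sysctl" = "y" ]; then
        echo "runtime-toggle"     # /proc/sys/kernel/grsecurity/chroot_caps applies
    else
        echo "rebuild-required"   # built in, but no sysctl to switch it off
    fi
}

# Constructed sample input, using option lines that appear in the message.
sample_config() {
    cat <<'EOF'
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_CAPS=is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SYSCTL=y
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
echo "CHROOT_CAPS: $(kconfig_state "$tmp" CONFIG_GRKERNSEC_CHROOT_CAPS)"
echo "advice:      $(chroot_caps_advice "$tmp")"
rm -f "$tmp"
```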
RE: [Vserver] vserver and grsec
Thanks for the quick answer.

OK, I am beginning the kernel compilation with your suggested patches and gradm; any bug or problem I will note in this thread.

Sorry for my English... from Chile

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Rik Bobbaers
Sent: Wednesday, 01 March 2006 11:48
To: vserver@list.linux-vserver.org
Subject: Re: [Vserver] vserver and grsec

On Wednesday 01 March 2006 14:04, Daniel Ortiz wrote:
> I take the same kernel (2.6.14.4 kernel) and patch with
> patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff with:
>
>     patch -p0 < patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff
>
> PAX is disabled. When I try to run gradm 2.17 or gradm 2.18 the system says
> to me:
>
>     incompatible gradm and grsecutity versions
>
> #

hi there,

you have to use the correct software for gradm to work... i never used gradm before myself, but i tried it on the latest patch...

try the following patch:
http://harry.ulyssis.org/vserver/patch-2.6.14.7-vs2.1.0-grsec2.1.9.diff.gz

with this gradm:
http://harry.ulyssis.org/vserver/gradm-2.1.9-200602141850.tar.gz

that should work seamlessly

(btw. this is a completely new patch, merged from scratch... as far as i know it works without any problems... so please test and let me know if there are any problems with it (which aren't there in the default vserver 2.1.0 patch of course... backporting the 2.1.1-rc9 has proven to be a bit too much work, so i fear, unstable))

so... upgrade all!!! :)

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
RE: [Vserver] vserver and grsec
The suggested -2.1.9-200602141850.tar.gz works, no incompatibility error; beginning the tests.

Bye.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Daniel Ortiz
Sent: Wednesday, 01 March 2006 12:58
To: vserver@list.linux-vserver.org
Subject: RE: [Vserver] vserver and grsec

Thanks for the quick answer.

OK, I am beginning the kernel compilation with your suggested patches and gradm; any bug or problem I will note in this thread.

Sorry for my English... from Chile
RE: [Vserver] New project with vserver documentation (In spanish)
You can publish your documentation whenever you like; your help is absolutely welcome. The idea is to publish tested info. Right now I am trying to get grsec+vserver working and I hope to publish that info soon... in Spanish.

Regards

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Jairo Enrique Serrano Castañeda
Sent: Thursday, 23 February 2006 11:44
To: vserver@list.linux-vserver.org
Subject: Re: [Vserver] New project with vserver documentation (In spanish)

very interesting, brother, I can help you, although with the time I have left... but well.. never mind ;)

On 2/21/06, Daniel Ortiz [EMAIL PROTECTED] wrote:
> Hi
>
> I started a new project named LinuxParanoico.CL (actually in
> www.minitruck.cl, when I have money I will move the site to
> www.linuxparanoico.cl, this month). The project's goal is to create,
> elaborate and find information and documentation about GNU/Linux security
> issues.
>
> At this moment a complete documentation about the vserver project is in
> progress; we want to create a fully tested and complete guide about vservers
> in Spanish (Debian Sarge based). Right now the documentation about vservers
> includes (all in Spanish):
>
> 1.- Spanish guide to recompile the kernel with the vserver patch
> 2.- Basic networking configuration
> 3.- How to move the base directories
> 4.- Host services configuration (ssh, apache, etc.)
> 5.- Most used vserver commands
> 6.- Advanced networking configuration (in progress)
> 7.- Post-installation configuration of the Debian Sarge vservers
> 8.- Mounting directories in vservers
> 9.- How to install new vservers (from scratch and from a new vserver) and
>     how to copy vservers and back them up.
>
> In the future we want to cover all the features of vserver, like vserver and
> grsecurity, installing other distros, tested configurations, virtual hosting
> guides, etc.
>
> If you want to link the page on the official vserver site, absolutely no
> problem, but keep in mind that the project is at www.minitruck.cl and next
> week will be moved to www.linuxparanoico.cl
>
> bye
>
> Daniel
> zaterio

--
Jairo Enrique Serrano Castañeda
Systems Engineer UTB
T - http://www.jsnat.com - http://savio.unitecnologica.edu.co
C - http://www.drupal.org.es - http://www.champetux.org
[Vserver] New project with vserver documentation (In spanish)
Hi

I started a new project named LinuxParanoico.CL (actually in www.minitruck.cl, when I have money I will move the site to www.linuxparanoico.cl, this month). The project's goal is to create, elaborate and find information and documentation about GNU/Linux security issues.

At this moment a complete documentation about the vserver project is in progress; we want to create a fully tested and complete guide about vservers in Spanish (Debian Sarge based). Right now the documentation about vservers includes (all in Spanish):

1.- Spanish guide to recompile the kernel with the vserver patch
2.- Basic networking configuration
3.- How to move the base directories
4.- Host services configuration (ssh, apache, etc.)
5.- Most used vserver commands
6.- Advanced networking configuration (in progress)
7.- Post-installation configuration of the Debian Sarge vservers
8.- Mounting directories in vservers
9.- How to install new vservers (from scratch and from a new vserver) and how to copy vservers and back them up.

In the future we want to cover all the features of vserver, like vserver and grsecurity, installing other distros, tested configurations, virtual hosting guides, etc.

If you want to link the page on the official vserver site, absolutely no problem, but keep in mind that the project is at www.minitruck.cl and next week will be moved to www.linuxparanoico.cl

bye

Daniel
zaterio
[Vserver] vserver ftp network configuration
Hi everybody:

In the past I was playing with vserver just for fun, but now I want to implement this tool in my production server (named trauko). In trauko I need to implement a secure ftp; I am thinking of implementing the ftp in a vserver environment, but I have some questions about the correct network configuration:

1.- In trauko (with public IP), do I need to create a NAT to the vserver (private IP) with netfilter?

2.- Can I configure the vserver with the same trauko public IP, so that the vserver just listens on this IP?

And if the last way is correct, can I run different bind servers (DNS) in the vservers, all listening on the same port?

Thanks in advance

zaterio