[Vserver] clone(..., CLONE_NEWNS) -> -EPERM with 2.6.22.1-vs2.2.0.3-rc1
Hi,

since 2.6.22-1-vs2.2.0.3-rc1, clone(..., CLONE_NEWNS) fails with -EPERM. Previous kernels allowed this when the VXC_SECURE_MOUNT ccap was set:

With 2.6.21.5-vs2.2.0-rc3:

| # vcontext --create -- vattribute --secure --ccap VXC_SECURE_MOUNT -- \
|     vcontext --migrate-self --endsetup -- vnamespace -n /bin/sh
| New security context is 49157
| sh-3.1#

With 2.6.22-1-vs2.2.0.3-rc1:

| # vcontext --create -- vattribute --secure --ccap VXC_SECURE_MOUNT -- \
|     vcontext --migrate-self --endsetup -- vnamespace -n /bin/sh
| New security context is 49163
| vnamespace: clone(): Operation not permitted

strace before 'vnamespace' shows

| clone(child_stack=0, flags=CLONE_VFORK|CLONE_NEWNS|SIGCHLD) = -1 EPERM (Operation not permitted)

Setting all ccaps does not help.

Enrico
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Hashify 'etch' trouble?
[EMAIL PROTECTED] (Corey Wright) writes:

> "clean-up hash directory"
> http://www.paul.sladen.org/vserver/archives/200609/0016.html

Can be written much shorter as

| find /vservers/.hash/ -links 1 | xargs rm -f
| find /vservers/.hash/ -type d | xargs rmdir 2>/dev/null

(no need for '-0' flag)

Enrico
[Vserver] Relaxing the mount-nodev behavior
Hi, it would be nice when the current | + if (!capable(CAP_SYS_ADMIN)) | + mnt_flags |= MNT_NODEV; behavior can be relaxed a little bit. I need it e.g. to bind-mount a /dev filesystem into buildroots which will be created during runtime of the vserver. On first glance, | + if (!capable(CAP_SYS_ADMIN) && | + !(flags & (MS_BIND|MS_MOVE))) | + mnt_flags |= MNT_NODEV; seems to have the wanted effect without lowering security. Enrico pgp7aSPgjF5G2.pgp Description: PGP signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
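Review bot: the second variant skips MNT_NODEV for every unprivileged MS_BIND or MS_MOVE request, and nothing in these lines shows a nodev flag on the source mount being carried over to the new mount. If the source can be a mount that received MNT_NODEV through the first variant, say in a comment next to the test why a bind or move cannot drop it, or keep the flag whenever the source has it; that is the condition the "without lowering security" statement depends on.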
Re: [Vserver] anybody has experience for Vserver on ARM
[EMAIL PROTECTED] (Herbert Poetzl) writes:

>> [EMAIL PROTECTED]:/work/test# strace -fF -o vcmd.trace ./vcmd
>> syscall: unknown syscall trap 0xef000139

this might be/is an EABI issue

>> "unknown syscall" should be a strace bug, I think. The
>> basic failure is because of "illegal instruction" during
>> vserver(num_cmd, num_id, data) syscall.
>
> well, the syscall trap looks fine, 313 is the syscall
> on arm and it seems that util-vserver uses the same
> implementation, so that should be fine too ...

no; it uses the traditional version.

fyi: ARM kernel can be built with two different ABIs (OABI and EABI) which differ in structure alignment. EABI (which seems to be used here) is relatively new and e.g. not supported by dietlibc yet. Syscall conventions might be different too which is causing the seen problems.

>> >> > CC: arm-angstrom-linux-gnueabi-gcc,
>> >> > Use dietlibc: no (you have been warned)
>> >> > syscall(2) invocation: traditional

Enrico
Re: [Vserver] Re: Vhashify segmentation fault
[EMAIL PROTECTED] (Herve Guillemet) writes:

> There was some mail exchanges some month ago on the list between
> Enrico and Alberto about vhashify SIGSEGV on Debian x86_64. How did
> this end ? I seem to have the same problem:

Does 'make check' report errors for the hashcalc* tests? If so, somebody with an x86_64 and Debian- and beecrypt knowledge should take a look at src/testsuite/hashcalc-plain.c and see what is going wrong there.

Enrico
Re: [Vserver] Pseudo terminal proxy for util-vserver
[EMAIL PROTECTED] (Benedikt Böhm) writes: > With regard to the /dev/pts issue on "vserver enter" i have ported > the vlogin application from vserver-utils to util-vserver-0.30.210 Mmmh... without looking at the complete code, doing operations in the shown order is insecure: > + if (vc_ctx_migrate(opts.xid) == -1) > + PEXIT("Failed to migrate to context", EXIT_COMMAND); > + ... > + if (chroot(".") == -1) > + PEXIT("Failed to chroot to cwd", EXIT_COMMAND); Attacker in context could ptrace the process between both commands and would get access to the host's /-filesystem. Enrico pgpTK4aq2QmLx.pgp Description: PGP signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
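Review bot: in the quoted lines vc_ctx_migrate(opts.xid) runs before chroot("."), so between the two calls the process already belongs to the guest context while its root directory is still the host's /. Swap the order so that the chroot (and anything in the elided lines that needs host paths) completes before the migrate; the process then becomes reachable from inside the context only once its root is already the guest tree.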
Re: [Vserver] Trying to create vserver on logical volume fails....
[EMAIL PROTECTED] (Brian Ipsen) writes:

> I've created my own repo with Whitebox Enterprise Linux 4 - but when trying
> to add a vserver (for which a logical volume has been created and mounted in
> /vservers/vsrv01-mysql) I get this error:
> ...
> | error: unpacking of archive failed on file /usr/bin/X11;42dd8791:

Caused by a bug in rpm. You will need a similar 'initpre' script like those of FC4 and other RH variants.

Enrico
Re: [Vserver] Unifying Gentoo Guests
[EMAIL PROTECTED] (Oliver Welter) writes:

> eergh - it seems that vunify does not support gentoo guest. Anyone
> here can help me out ?

Implementing the 'get-conffiles' operation for the 'gentoo' case in 'scripts/vpkg' should help. I do not know gentoo enough to develop it myself.

Enrico
Re: [Vserver] How to vunify/vhashify on Gentoo
[EMAIL PROTECTED] (Wilhelm Meier) writes:

> I'm using Gentoo as a host and also Gentoo as VPSs. If I try to
> vunify/vhashify two VPS, I get:
>
> gs vservers # ln
> -s /etc/vservers/vs01 /etc/vservers/vs01c/apps/vunify/refserver.00
>
> gs vservers # vserver vs01c unify
> Can not determine packagemanagement style
> failed to determine configfiles

Does vhashify/vunify really make sense on Gentoo? AFAIK, Gentoo does not have a packagemanagement and you have to recompile everything (which will probably produce different checksums).

When you do a 'make install' from the same source tree, vhashify/vunify will still not work because most 'make install' do not preserve timestamps. But because timestamps are used to check whether files are identical resp. are going into the calculation of the hash value, you will not gain very much with vhashify/vunify on Gentoo.

Enrico
Re: [Vserver] Virtualizing /proc/version
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> it would be nice when /proc/version could be virtualized (e.g. using
>> values from VCMD_set_vhi_name). Currently, it reveals information about
>> the real host (e.g. real os version, buildhost/-user).
>
> hmm, looking at the code, I see:
>
> static int version_read_proc(char *page, char **start, off_t off,
>                              int count, int *eof, void *data)
> ...
> const char vx_linux_banner[] =
>     "Linux version %s (" LINUX_COMPILE_BY "@"
>     LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") %s\n";

oops, I did not look exactly at it and did not notice that the release is already virtualized. But it would be nice when LINUX_COMPILE_BY/HOST and perhaps the compiler and date would be virtualized/anonymized. I see two ways:

(a) an additional context-flag (e.g. VXF_ANONYMIZE) which sets:
    * LINUX_COMPILE_BY "@" LINUX_COMPILE_HOST to '[EMAIL PROTECTED]'
    * the LINUX_COMPILER to: "gcc" __GNUC__ "." __GNUC_MINOR__ "." __GNUC_PATCHLEVEL__
    * the date should not contain hours/minutes/seconds

(b) allow to configure the three entries above through new fields in VCMD_set_vhi_name

Enrico
[Vserver] Virtualizing /proc/version
Hello,

it would be nice when /proc/version could be virtualized (e.g. using values from VCMD_set_vhi_name). Currently, it reveals information about the real host (e.g. real os version, buildhost/-user).

Hiding /proc/version is not possible because some programs (e.g. 'pidof') use it to check whether /proc is mounted.

Enrico
Re: [Vserver] How do I unify my guests?
[EMAIL PROTECTED] (John Francis Lee) writes:

> I have succeeded in building an FC4 vserver host with several guest
> servers.
>
> I would like to "unify" them, share as many files among them as possible
> via hardlinks.
>
> [EMAIL PROTECTED] ~]# /lib/util-vserver/vunify -nv dhcp-dns
> Failed to initialize unification for this vserver
>
> What do I need to do here?

1. I would not use vunify because it requires a reference vserver with the same software; 'vhashify' does not have this limitation.

   'vunify' is more efficient in the ideal case ('vhashify' over a single vserver will increase needed space). But this ideal case is difficult to reach so that 'vhashify' is more simple to use.

2. for 'vhashify', just do

   | mkdir /etc/vservers/.defaults/apps/vunify/hash /vservers/.hash
   | ln -s /vservers/.hash /etc/vservers/.defaults/apps/vunify/hash/root

   --> do this once

   | mkdir /etc/vservers/.../apps/vunify   # vhashify reuses vunify configuration

   --> do this for every vserver

3. vserver ... hashify

Enrico
Re: [Vserver] When to mount lvm? (vs2.0)
[EMAIL PROTECTED] (Lars Braeuer) writes:

> I'm not sure where to mount an LVM2 device with vs2.0. I do
> not want to mount it on system boot, but when starting the
> guest vserver.
>
> The fstab file in the vserver config directory seems to be the right place.
>
> But when including an entry like this in the fstab file, the mount
> won't show up in the hostsystem and will not be accessible via the
> mount point in the /vservers directory:
> /dev/mapper/vg-test01 / ext3 defaults 1 2

I would recommend to do physical mounting in the host's /etc/fstab and bind-mount it in the vserver's fstab. E.g.

| [/etc/fstab]
| /dev/mapper/vg-test01 /srv/mnt/test01 ext3 defaults 1 2

| [/etc/vservers/.../fstab]
| /srv/mnt/test01/ none bind

This gives the advantage that the partition will be fsck'ed during the regular system boot and that you can share it between multiple vservers ('mount' is allowed only once per physical partition but you can 'mount --bind' multiple times).

> But I'm able to enter the vserver with "vserver test01 enter",
> weird.

Expected namespace behaviour...

Enrico
Re: [Vserver] Problem with shutdown
[EMAIL PROTECTED] (Roché Compaan) writes:

> Squid takes longer than most processes to stop, and this seems be a
> problem when stopping a vserver:
> ...
> Stopping proxy server: (waiting.../usr/sbin/vserver: line
> 85: 20939 Killed "[EMAIL PROTECTED]" ${USE_VNAMESPACE:
> +$_VNAMESPACE --enter "$S_CONTEXT" -- } $_VCONTEXT $SILENT_OPT --migrate
> --chroot --xid "$S_CONTEXT" -- "[EMAIL PROTECTED]"
>
> Is the stop script experiencing a timeout and if so, is there a
> setting one can change to let it wait until squid has stopped
> completely?

E.g.

# echo 60 > /etc/vservers/www-cache/apps/vshelper/sync-timeout

increases the timeout from 30 to 60 seconds.

Enrico
Re: [Vserver] vserver-build
[EMAIL PROTECTED] (John Francis Lee) writes:

> [EMAIL PROTECTED] ~]# vserver dns build -m yum
> ...
> Execution will continue in 5 seconds...
> ...
> The process hangs after the 5 seconds message

Does it really hang or does it download the repository metadata? Can be e.g. checked with 'netstat' or 'df'...

Enrico
Re: [Vserver] util-vserver: make install tries to compile
[EMAIL PROTECTED] (Bodo Eggert) writes:

> If I run 'make install', the make script tries to compile a
> file.

Can not reproduce that

> Of course this can't work out, since I transferred the pre-built
> directory from the machine with my compiler to my server, where
> I want to install.

What is the deeper sense behind this unusual process? Why not just do the common

| make install DESTDIR=/var/tmp/uv-root

and distribute the content of /var/tmp/uv-root?

Enrico
Re: [Vserver] PPC build failure of util-vserver
[EMAIL PROTECTED] (Enrico Scholz) writes:

> two check of util-vserver 0.30.209 are failing on a PPC machine...
>
> | /bin/sh: line 1: 18778 Killed ensc_use...

ok, seems to be caused by a bug in the kernel elf loader

    http://bugzilla.kernel.org/show_bug.cgi?id=5645

which affects all platforms but gets triggered under some circumstances only.

Enrico
Re: [Vserver] unregister_netdevice errors with 2.6.14-vs2.0.1-pre3-prelim
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> my VPN VServer do not work anymore with 2.6.14-vs2.0.1-pre3-prelim
>> kernels. There, I get
>>
>> | unregister_netdevice: waiting for tun50 to become free. Usage count = 1
> ...
> could you check if this patch fixes the issue for you?
>
> http://vserver.13thfloor.at/Experimental/FOR-2.0.1/delta-indev-fix01.diff

thx; 2.6.14.2-vs2.0.1-rc2 (which contains this change) works without problems.

Enrico
Re: [Vserver] Vhashify segmentation fault
[EMAIL PROTECTED] (alberto) writes:

> I finally had time to test vhashify on an i386 with valgrind, attached
> is the output. Same debian source package as I used for x86_64 and
> same options (added beecrypt2{,-dev} to dependencies so pbuilder
> builds it with vhashify).

Using 'valgrind' on the 'hashcalc' test would probably make more sense than running it on the whole 'vhashify'. You could do:

| ./libtool --mode=execute valgrind --tool=memcheck ./src/testsuite/hashcalc INSTALL SHA-1

which should print

    aa/7a/adc343319437b8cf0a71345506d2d3e8cc43

Enrico
Re: [Vserver] vserver-copy deprecated?!
[EMAIL PROTECTED] (Jens Holze) writes:

> I just realised that there is this copy program among the utils but it
> doesn't work (obviously because of the changes since the alpha, looks
> for .conf file). While copying the servers is not hard to do manually,
> is somebody actually working on this tool or is it going to vanish?

As Herbert wrote, it will be probably superseded by 'vserver ... copy'. But before implementing this functionality I need an API to change the configuration data. Such an API is very high on my priority list but I do not have an ETA.

Enrico
[Vserver] unregister_netdevice errors with 2.6.14-vs2.0.1-pre3-prelim
Hello,

my VPN VServer do not work anymore with 2.6.14-vs2.0.1-pre3-prelim kernels. There, I get

| unregister_netdevice: waiting for tun50 to become free. Usage count = 1

like errors and every netdevice related operation (e.g. 'ip route show') gets stuck in 'D' state. Exactly the same setup works with 2.6.13.4-vs2.0.1-pre2.

Some details about the VPN server:

* NET_ADMIN + NET_RAW bcapabilities
* ~hide_netif cflags
* one "normal" ip
* openvpn-2.0.2 (I know... a little bit old...)

Enrico
Re: [Vserver] PPC build failure of util-vserver
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> >> two check of util-vserver 0.30.209 are failing on a PPC machine.
>> ...
>> http://ensc.de/vserver/cflags
>> http://ensc.de/vserver/personality
>
> $ ./cflags
> Killed
>
> $ ./personality
> Killed
>
> here are my versions:
>
> http://vserver.13thfloor.at/Experimental/UTIL-VSERVER/cflags
> http://vserver.13thfloor.at/Experimental/UTIL-VSERVER/personality
>
> (which work flawlessly)

It is impossible for me to debug this further (SIGKILL seems to happen before main()), so util-vserver will not be available on Fedora for PPC arch. Perhaps some more details under

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172389

Enrico
Re: [Vserver] Error when creating centos min vserver
[EMAIL PROTECTED] ("Peter McGregor") writes:

> No Match for argument: indexhtml-4-1.centos4
> No Match for argument: redhat-logos-1.1.25-1.centos4.3
> No Match for argument: setup-2.5.37-1.1
> No Match for argument: tzdata-2004e-2
> No Match for argument: glibc-2.3.4-2
>
> Yum can find some files, but not all of them. The corresponding list of files
> in my "01" file
> (copied from the centos list on the vserver site) is
> indexhtml-4-1.centos4
> redhat-logos-1.1.25-1.centos4.3
> setup-2.5.37-1.1
> basesystem-8.0-4
> tzdata-2004e-2
> glibc-2.3.4-2

Do not do this; the pkgs/ files shall *never* contain versioned packagenames and should list only leaf-packages but not their dependencies.

FWIW, util-vserver 0.30.209 supports CentOS4.2 out-of-the box so manual setup should not be needed.

Enrico
Re: [Vserver] Error when creating centos min vserver
[EMAIL PROTECTED] ("Peter McGregor") writes:

> [EMAIL PROTECTED] ~]# yum --version
> 2.4.0

Try to apply

    http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/scripts/vyum-worker.diff?r1=1.5&r2=1.6

(not in 0.209). yum-2.4 problems were easier to solve than I thought... ;)

Enrico
Re: [Vserver] PPC build failure of util-vserver
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> as you can see in
>>
>> http://buildsys.fedoraproject.org/logs/fedora-development-extras/349-util-vserver-0.30.209-2.fc5/ppc/build.log
>>
>> two check of util-vserver 0.30.209 are failing on a PPC machine.
> ...
> http://vserver.13thfloor.at/Stuff/MANDRAKE/util-vserver-0.30.209-1mdk.src.rpm
>
> involves just a small patch which disables the addr_limit_3gb tests,
> as they did never work on mandrake (because of the missing flag)

should not be relevant here ('cflags' testcase does not use this flag)

> PASS: lib/testsuite/cflags
> PASS: lib/testsuite/personality
> ...
> and compiled fine (and works fine) on my ppc laptop
>
> maybe it is a compiler/fc* issue?

I added some more debugging (giving out line numbers) and at least the 'personality' testcase succeeded... OOM killer does not seem to be it either. New build at

    http://buildsys.fedoraproject.org/logs/fedora-development-extras/415-util-vserver-0.30.209-3.fc5/ppc/build.log

gives me the binaries which are available at

    http://ensc.de/vserver/cflags
    http://ensc.de/vserver/personality

They are running fine in 'qemu-ppc' but I am not sure if qemu is working. It would be nice when the two programs above can be tested on a native box (statically linked, run as non-root).

TIA
Enrico
[Vserver] PPC build failure of util-vserver
Hello,

as you can see in

    http://buildsys.fedoraproject.org/logs/fedora-development-extras/349-util-vserver-0.30.209-2.fc5/ppc/build.log

two check of util-vserver 0.30.209 are failing on a PPC machine. AFAIR same happened once for 0.30.208 but succeeded suddenly. Unfortunately, I do not have such a machine available to trace the problems, and the code seems ok for me.

I do not know much about PPC, but

| /bin/sh: line 1: 18778 Killed ensc_use...

on i386/x86_64 would indicate problems with the OOM kernel killer.

It would be nice when somebody with a PPC box could repeat the checks ('make check') and look where and why they are failing. Dunno, whether gdb works but place of error can be determined by adding something like

| printf("%s:%u\n", __FILE__, __LINE__)

to lib/testsuite/personality.c below the variable declarations of the TEST_PF2T() and TEST_LIST() macros.

Single checks can be repeated by

| $ make check # generates the binaries
| $ ./lib/testsuite/personality # should not cause any output
| $ gdb ./lib/testsuite/personality

TIA
Enrico
Re: [Vserver] gentoo util-vserver -r5 problem
[EMAIL PROTECTED] (Chuck) writes:

> phoenix rio # /etc/init.d/vservers start
> * Unhiding /proc entries ...
>
>
> [ ok ]
> * Starting vservers of type 'default' ...
> * ns1 starting
> make: *** No rule to make target `..stamp', needed by `.ns2.stamp'.
> make: Target `all' not remade because of errors.

Please test it again with 0.30.209; I added some more diagnostics there and fixed behavior with empty or comment lines.

0.30.208 contained a bug but it should affect 'stop' only.

Enrico
Re: [Vserver] Vhashify segmentation fault
[EMAIL PROTECTED] (alberto) writes:

> Mmmm, so it could be a beecrypt2 problem... right?
> I'll try installing from non-debian sources util-vserver and beecrypt
> to see what happens. The hash belongs to a real executable though
> (according to "file "), not sure which executable but
> something to do with mount (my guess from the strings it contains).
>
>> I will add some testcases to localise the problem. But because I can not
>> reproduce this behavior on my system, I can not tell a solution now.
>>
>
> I would appreciate :)

ok; please do a 'make check' with 0.30.209 and see if 'hashcalc.sh' succeeds. You can do

| ./src/testsuite/hashcalc Makefile.am SHA-1

also, which should output the same hash like 'sha1sum Makefile.am'

>> valgrind could give some more information perhaps; I guess a gdb
>> stacktrace will not be very meaningful.
>
> Darn! no amd64 package for valgrind. I guess the i386 version won't
> help much debugging 64bit executables

you mentioned that it happens on an i386 also so tests with valgrind could be done there also.

Enrico
Re: [Vserver] vhashify
[EMAIL PROTECTED] (Thorsten Gunkel) writes:

> In general this works great, but I had once or twice the problem
> that a service stopped working because it could not longer write to
> its files. Now I like to exclude the affected directory from the
> vhashify. http://linux-vserver.org/alpha+util-vserver mentions
> that this is possible but I don't understand how to exclude for
> example /var/data1 from vserver foo2.

1. /var is excluded by default

2. you can set up your own exclude list under

   | /etc/vservers//apps/vunify/exclude

   Be very careful when writing this list; it will completely override the default exclude list at

   | /usr/lib/util-vserver/defaults/vunify-exclude

   I suggest to copy the default list and add your files.

Enrico
Re: [Vserver] Vhashify segmentation fault
[EMAIL PROTECTED] (alberto) writes:

> I'm running debian sarge on amd64 (though I can reproduce the problem
> on another machine running on i386). Custom built debian package for
> util-vserver-0.30.208-fix2 with beecrypt2 enabled
> ...
> lstat("/etc/vservers/.defaults/apps/vunify/hash/0/04/00/50805000-",
> 0x7fc6c8b0) = -1 ENOENT (No such file or directory)

this looks already strange... a hash value with so much '0' is highly improbable...

I will add some testcases to localise the problem. But because I can not reproduce this behavior on my system, I can not tell a solution now.

> ...
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
>
> Could give more outputs to/and help track down this bug(?).

valgrind could give some more information perhaps; I guess a gdb stacktrace will not be very meaningful.

Enrico
Re: [Vserver] Done with building guest server on FC4 and now what?
[EMAIL PROTECTED] (Steven Truong) writes:

> 1. I already got FC4 built with yum method, but then within the guest server
> I could not find yum command anywhere despite having the /etc/yum.repos.d/*
> in place. The guest server does not have anything beside syslog running.
> ...
> 3. Could somebody outline the steps necessary to set up the guest server to
> be useful in some services after one built it?

It depends on the wanted functionality; for a webserver, a good start would be

| vyum -- install httpd mod_ssl

Enrico
Re: [Vserver] Vserver: Newbiew question regarding public key for tzdata is not installed
[EMAIL PROTECTED] (Steven Truong) writes:

> Hi, all. After following the advices from some experts here to
> use yum method instead of apt-rpm. I updated yum-2.4.0.0 to
> yum-2.4.0-0.chroot.fc4.
>
> However, I got this error of public key for tzdata is not
> installed error.

GPG keys are searched in /etc/vserver/.distributions/.common/pubkeys/ (the reference spec file and util-vserver in Fedora Extras has the corresponding commands to copy the known keys to this location).

To fix it, you could do

| cp -a /etc/pki/rpm-gpg/RPM* /etc/.distributions/.common/pubkeys/

Enrico
Re: [Vserver] Unexpected behaviour with bind mounts
[EMAIL PROTECTED] (Jim Wight) writes:

> I am seeing odd behaviour with bind mounts. For example, if I specify
>
> mount --bind /tmp /vservers/tkt/opt
>
> in pre-start, and

Be very careful when doing such stuff (resp. make sure that the vserver is trusted). Else, an attacker within the vserver can cause execution of arbitrary commands in the host... (hint: think of a symlink /vservers/tkt/opt -> /bin)

> umount /vservers/tkt/opt
>
> in post-stop (or postpost-stop),

* these scripts are NOT executed within the vserver namespace so /vservers/tkt/opt is not mounted at this place

* there is not much need for an explicit unmount; when the last process of the vserver/context dies, the namespace will not be referenced anymore and an implicit unmount happens

Enrico
Re: [Vserver] Vserver newbie: problems when build guest server on FC4
[EMAIL PROTECTED] (Guenther Fuchs) writes: >> Please try the patch from the contrib/ dir (the 2.3.4 one applies to 2.4 >> also). I built lots of FC4 vservers on FC4 hosts so it seems to work ;) > > Hmmm - found the patch but no real explanation on how to use it / i.e. > what files to patch?! Is this files to patch a yum source build tree? > If yes, most FC users would be happy, if someone (e.g. myself) could > supply a rpm package of recent, patched yum to use. > > So pls give me short assistance, I then could rebuild a patched rpm > and supply this back for the communtiy. Just apply the attached patch against yum.spec (patch is for the devel tree but it should be trivial to adapt it to FC-4). Enrico Index: yum.spec === RCS file: /cvs/dist/rpms/yum/devel/yum.spec,v retrieving revision 1.51 diff -u -p -r1.51 yum.spec --- yum.spec 4 Oct 2005 14:49:07 - 1.51 +++ yum.spec 6 Oct 2005 16:21:51 - @@ -3,7 +3,7 @@ Summary: RPM installer/updater Name: yum Version: 2.4.0 -Release: 5 +Release: 5.chroot License: GPL Group: System Environment/Base Source0: http://linux.duke.edu/projects/yum/download/2.4/yum-%{version}.tar.gz @@ -23,6 +23,7 @@ Requires: urlgrabber Requires: python-elementtree Prereq: /sbin/chkconfig, /sbin/service, coreutils BuildRoot: %{_tmppath}/%{name}-root +Patch99: yum-2.3.4-chroot.patch %description Yum is a utility that can check for and automatically download and @@ -38,6 +39,7 @@ automatically prompting the user as nece %patch2 -p0 -b .sqlbyname %patch3 -p0 -b .lists +%patch99 -p1 -b .chroot %build make pgpPNDaouF9au.pgp Description: PGP signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
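Review bot: Patch99 is named yum-2.3.4-chroot.patch while the spec's Version is 2.4.0. A one-line comment above the Patch99 entry saying that the 2.3.4 patch applies to 2.4.0 unchanged would keep a later maintainer from dropping it as stale or regenerating it needlessly.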
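Review bot: %patch99 is applied with -p1 whereas the %patch2 and %patch3 lines directly above it use -p0. If the chroot patch carries one leading path component that is correct, but it is worth confirming before building, because a wrong strip level only shows up as a failed %prep.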
Re: [Vserver] Vserver newbie: problems when build guest server on FC4
[EMAIL PROTECTED] (Guenther Fuchs) writes:

> So I would recommend using yum - this works very fine here (as long as
> you ensure not using yum version 2.3 and _not_ 2.4 - later version
> breaks compatibility with Enrico's util-vserver tools)

Please try the patch from the contrib/ dir (the 2.3.4 one applies to 2.4 also). I built lots of FC4 vservers on FC4 hosts so it seems to work ;)

Enrico
Re: [Vserver] Vserver newbie: problems when build guest server on FC4
[EMAIL PROTECTED] (Steven Truong) writes:

> Hello, all. I am a vservers newbie. I have tried to setup vservers
> and learn more about it. I have FC4 x86 with kernel 2.6.12. I
> applied the patch-2.6.12.4-vs4 to the vanilla kernel. I also
> installed dietlibc-0.29, beecrypt-4.1.2-8, and util-vserver-0.30-208.
> The Linux box has gcc 4.0.1. I changed
> /etc/vservers/.distributions/fc4/apt/source.list to include only:
> rpmhttp://download.fedora.us/fedora/fedora latest/i386os updates

This points to an FC2 repository...

> I tried to build a guest server with this command:
> vserver lanweb build -m apt-rpm --hostname=lanweb --netdev eth0 -- -d fc4

... and this indicates that you expect FC4

> Everything went smoothly until after all the rpms got downloaded and
> started to install. These are the start of the errors.
> ...
> Header V3 DSA signature: NOKEY, key ID 731002fa
> Preparing...### [100%]
> 1:bash ### [ 2%]
> /bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
> open shared object file: No such file or directory
> error: %post(bash-2.05b-38.i386) scriptlet failed, exit status 127
> ...
> 15:libtermcap ### [ 35%]

this indicates some dependency problem in the packages (e.g. circular deps, insufficient Requires(pre) annotations). So, 'libtermcap' (with libtermcap.so.2) will be installed after the packages which are using it in their %post scriptlets.

> /bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
> open shared object file: No such file or directory
> error: %pre(coreutils-5.2.1-7.i386) scriptlet failed, exit status 127
> error: install: %pre scriptlet failed (2), skipping coreutils-5.2.1-7

%pre of coreutils failed so its installation will be skipped...

> 38:sysklogd ### [ 88%]
> /var/tmp/rpm-tmp.55110: line 4: touch: command not found
> /var/tmp/rpm-tmp.55110: line 5: chmod: command not found

... and tools like 'touch' and 'chmod' are missing

> It seemed like the package termcap did not work with the rest of
> the packages and so others can not access and share it. Could
> you tell me how to fix this? And why suddenly touch/chown/chmod
> could not be found when they are actually in the PATH? Could
> you tell me how to fix this or any recommendations of what to
> build at this point instead of FC4 for my current settings?

'apt-rpm' is nearly dead and I am not aware of apt repositories for recent Fedora distributions. You could create your own repo and test whether it works (things above look like packaging errors which might be fixed in the meantime).

Or you could try 'yum', but it is unconfigurable and makes stupid assumptions without providing ways to turn them off so it is difficult to use in chroot environments. So you have to apply a patch to make it work properly.

Enrico
Re: [Vserver] what am i doing wrong with vserver exec?
[EMAIL PROTECTED] (Stephen Harris) writes:

>> /usr/sbin/vserver prometheus exec /bin/rm -f
>> /var/spool/qmailscan/quarantine/new/*
> ...
> However, why not just use the host to remove the files?

Because of symlinks like

| /vservers/prometheus/var/spool/qmailscan/quarantine/new -> /etc

or another filesystem layout because of different namespaces. The security relevant part of the first issue can be worked around by tools like 'chroot-sh' and the second issue by 'vnamespace -e'. But 'vserver ... exec' is cleaner and solves the functionality relevant part of the first issue also.

> /bin/rm -f /vservers/prometheus/var/spool/qmailscan/quarantine/new/*

Enrico
Re: [Vserver] build -m rpm does not work
[EMAIL PROTECTED] (Jun OKAJIMA) writes:

> I installed util-vserver-0.30.208 from tar ball and succeeded
> to compile it on my Debian Sarge box. And vserver start/enter
> and build -m debootstrap work.
>
> But, build -m rpm and vhashify does not work.

(I assume you mean '-m apt-rpm' here as it is used below, and in the age of apt and yum there is not much need for the '-m rpm' method).

> BTW, I found that distrib/* know what is essential for each
> distribution. I want to know the basis of them.

"Essential" means the package(s) which are essential for the functionality of the vserver. Without further information, this is only stuff like coreutils or glibc; depending on the purpose of the vserver, you can add things like httpd or samba or ...

There is no need to put a full closure of the dependencies into 'rpmpriorities' or the package-lists; apt/yum will resolve the deps automatically and you will not run into problems with changed dependencies on updated packages.

> I mean, for example, distrib/suse91 shows aaa_base.rpm is only
> file to be essential,

I am not familiar with SUSE and used 'aaa_base' only as it sounds like a basic requirement. ;)

> No dynamically linked rpm binary found; exiting...

rpm based build-methods do not work without a dynamically linked rpm binary in your $PATH.

> rm -rf /usr/local/etc/vservers/.defaults/vdirbase/101
> /usr/local/etc/vservers/101
> /usr/local/etc/vservers/.defaults/vdirbase/.pkg/101
> [EMAIL PROTECTED]:/# vserver 102 hashify
> 'vserver ... suexec' is supported for running vservers only; aborting...
> failed to determine configfiles

When using internal package management (this is the default with '-m debootstrap'), the vserver must be running to determine the configfiles. This is recommended for external package management also because mounted filesystems are not visible otherwise.

Enrico
Re: [Vserver] can not deactivate any block device with running vserver 2.0
[EMAIL PROTECTED] ("lukas.rueegg [pixworx multimedia]") writes:

>> c) using the cleanup feature we added to the kernel
>> (please discuss this with Enrico)
> enrico, we read your talk with sam and others in november '04 but didn't
> get any hints about the current status. is there any way of cleaning up
> a new namespace in the pre-start-script or generally for all namespaces
> available?
>
> at the moment, we are playing around with the pre-start-scripts, until
> now unsuccessfully...

atm, manual unmounting in the *pre-start script will be the best choice. The architecture of the 'vserver' script does not allow automatic cleanup. Perhaps I will add some logic determining and unmounting removable devices but this will be more a hack than a clean solution.

I am thinking about a daemon doing the vserver startup; this daemon could be started very early, lives in its own namespace and would not be affected by changes in the main-namespace. But this daemon does not have a big priority...

Enrico
Re: [Vserver] vs2.0 and Fedora Core 3
[EMAIL PROTECTED] ("Roderick A. Anderson") writes:

> I've followed the instructions for FC3 --
> http://linux-vserver.org/FedoraCore3_HowTo --

Version number of util-vserver (0.30.205) is a little bit low in this HowTo; there should be native support for fc3 in recent versions (see point 8).

> only deviating where versions are different and with the addition of
> getting a known good .config ( from the OpenVPS site ) to build the
> vserver kernel.
>
> When I get to building a new guest I keep getting the error about not
> finding glibc ( this using the '-m apt-rpm' switch ).

This is probably caused by an outdated sources.list in /etc/vservers/.distributions/fc3/apt/sources.list so that the apt repository can not be found. It is possible also that the repository is incomplete or inconsistent.

Maintaining all these metainformation about the distributions (apt + yum repositories) becomes hard and I am not sure what I will do regarding them. Perhaps, they will be outsourced into a separate package which can be updated more often.

> After reading _much_ more I've found the vserver-build.yum script and am
> attempting to build a guest as I type. This just completed but I got lots
> of warnings about an insecure yum.

Building the vserver will succeed but it will not be possible to use an unmodified 'vyum' with a running vserver. Unfortunately, 'yum' does not provide enough options to workaround this without patches :(

> With a solution of applying some patches and rebuilding or pestering
> the author to do it.
>
> Now when I try vserver-stat I get a warning about procfs-security.
> Using the link and following through I get the impression this should
> not be happening with the 2.6 kernel and vs2.0.

'vprocunhide' (or executing vc_set_iattr(2) manually) *is* required. The reference rpm (which is mentioned in the howto above also) should register this script so it gets executed at the next boot automatically.

> Sorted that out with vprocunhide but now getting an error about
> /etc/rc.d/rc and level 3 ...
>
> The "fix" -- to append true to the end of the file didn't work.

The exact message (above the general hints) would be interesting.

Enrico
Re: [Vserver] Re: util-vserver 0.30.208 debs?
[EMAIL PROTECTED] (Karsten Horsmann) writes:

>> Somebody should report it at the Debian bugtracking system.
>
> Would be this Report enough?
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320425

it seems to be the same issue, but I do not know if this report is enough ;)

Enrico
Re: [Vserver] Re: util-vserver 0.30.208 debs?
[EMAIL PROTECTED] (Harald Kapper) writes:

>>It was really trivial (<5 min) to take the 207 and make 208 debs. I've
>>posted my source packages at http://www.complete.org/~jgoerzen/vs/ for
>>anyone that wants them.
>>
>>They include fix1.
>
> thanks for the dsc - one odd thing came up through building -
> it claimed (though installed) that beecrypt couldn't be found

Seems to be a bug in the Debian beecrypt library. Somehow, functions which can be optimized were not built for i386. E.g. the seen error (beecrypt not detected) is caused by things like

| /usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/libbeecrypt.so: undefined reference to `mppndiv'

Indeed, [1] does not define it but non-i386 archs (e.g. [2]) or non-Debian libraries contain this function:

| $ nm -D usr/lib/libbeecrypt.so.6.4.0 | grep mppndiv
| U mppndiv
| $ file usr/lib/libbeecrypt.so.6.4.0
| usr/lib/libbeecrypt.so.6.4.0: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped
| $ nm -D usr/lib/libbeecrypt.so.6.4.0 | grep mppndiv
| 000124a4 T mppndiv
| $ file usr/lib/libbeecrypt.so.6.4.0
| usr/lib/libbeecrypt.so.6.4.0: ELF 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV), stripped

Somebody should report it at the Debian bugtracking system.

Enrico

Footnotes:
[1] ftp://ftp.debian.org/debian/pool/main/b/beecrypt/libbeecrypt6_4.1.2-1_i386.deb
[2] ftp://ftp.debian.org/debian/pool/main/b/beecrypt/libbeecrypt6_4.1.2-1_powerpc.deb
Re: [Vserver] vs2.0 and the tools
[EMAIL PROTECTED] ("Roderick A. Anderson") writes:

> I went ahead and started building the utils as RPMs and ran
> into a couple of dependency issues. This is probably more an
> Enrico question.
>
> Why tetex-latex? Is it Redhat ( RPM ) build-documentation
> requirement?

It is only a build-requirement and used to build the API doc of the library. I never tried whether it builds with '--nodeps' also.

> Why xalan-j ( Java? ) Is this also a Redhat-ism?

Can be disabled by '--without xalan' at rpmbuild.

Enrico
Re: [Vserver] running old style vservers on vs2.0-rc
[EMAIL PROTECTED] ("Dariush Pietrzak,,,") writes:

>> >> legacy configuration does not have a big future and *would*
>> >> need security fixes first, this has a very low priority.
>> > What security fixes?
>>
>> Oh... where shall I begin? Basically, the filesystem operations
>> are full of races and contain enough opportunities for symlink
> I'm not sure I follow, what filesystem operations, reading of
> configuration?

Code like

| mkdir -p $1/proc $1/dev/pts
| mount -t proc none $1/proc
|
| rm -f `find var/run -type f`
| rm -f var/lock/subsys/*
|
| exec $_CHBIND $SILENT $IPOPT --bcast $IPROOTBCAST \
| $_CHCONTEXT_COMPAT $SILENT $FLAGS $CAPS --secure --ctx $S_CONTEXT \
| $_CAPCHROOT --suid $USERID . "$@"

(this enumeration is far away from being complete; just look into the legacy 'vserver' script and you will find more of these examples).

Enrico
Re: [Vserver] running old style vservers on vs2.0-rc
[EMAIL PROTECTED] ("Dariush Pietrzak,,,") writes:

>> legacy configuration does not have a big future and *would*
>> need security fixes first, this has a very low priority.
> What security fixes?

Oh... where shall I begin? Basically, the filesystem operations are full of races and contain enough opportunities for symlink attacks. Fixes would need the redesign of large parts of the legacy tools.

The non-legacy part of util-vserver is the result of this redesign and I am sure that symlink attacks are impossible and races were eliminated there ;) (The 'initpost' script of RH style vservers is an exception...)

Enrico
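The symlink problem raised in this thread and in the earlier 'vserver exec' reply (a guest-controlled path such as `.../quarantine/new -> /etc` being followed by a host-side `rm -f dir/*`), shown as an added example that is not part of the original posts and is not util-vserver code. The helper names and the sandbox under /tmp are constructed here, and the `openat()`/`O_NOFOLLOW` walk is one generic way to refuse such links, not a description of how 'chroot-sh' or 'vserver ... exec' work.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `rel` below the directory fd `root`, one path
 * component at a time. O_NOFOLLOW makes openat() fail when a component is a
 * symlink, so the walk cannot leave the tree that `root` refers to. */
static int open_dir_nofollow(int root, const char *rel)
{
    char buf[1024], *save = NULL;
    if (strlen(rel) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    int fd = dup(root);
    for (char *c = strtok_r(buf, "/", &save); fd >= 0 && c;
         c = strtok_r(NULL, "/", &save)) {
        int next = -1, err = EINVAL;
        if (strcmp(c, "..") != 0) {              /* never step upwards */
            next = openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            err = errno;
        }
        close(fd);
        errno = err;
        fd = next;
    }
    return fd;
}

/* The `rm -f dir/*` step: delete regular files directly inside `dirfd`.
 * Names are resolved relative to the fd, never through a path string, and
 * anything that is not a plain file (symlink, directory, device) is skipped. */
static int purge_files(int dirfd)
{
    int n = 0, dupfd = dup(dirfd);
    DIR *d = dupfd >= 0 ? fdopendir(dupfd) : NULL;
    struct dirent *e; struct stat st;
    if (!d) { if (dupfd >= 0) close(dupfd); return -1; }
    while ((e = readdir(d)) != NULL)
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
            S_ISREG(st.st_mode) && unlinkat(dirfd, e->d_name, 0) == 0)
            n++;
    closedir(d);
    return n;
}

struct outcome { int removed; int host_file_survived; };
static void mk(const char *base, const char *rel, int is_dir)
{
    char p[512];
    snprintf(p, sizeof p, "%s/%s", base, rel);
    if (is_dir) mkdir(p, 0700); else close(open(p, O_CREAT | O_WRONLY, 0600));
}

/* Constructed sandbox below /tmp (left in place for inspection): host/secret
 * stands for a host file, guest/ for a vserver root. With plant_symlink the
 * guest has made spool/new a symlink that points out of its own tree. */
struct outcome demo(int use_safe_open, int plant_symlink)
{
    struct outcome o = { -1, 0 };
    char base[] = "/tmp/vs-symlink-XXXXXX", p[512], groot[512];
    int fd;
    if (!mkdtemp(base)) return o;
    mk(base, "host", 1);  mk(base, "host/secret", 0);
    mk(base, "guest", 1); mk(base, "guest/spool", 1);
    snprintf(p, sizeof p, "%s/guest/spool/new", base);
    if (plant_symlink) {
        if (symlink("../../host", p) != 0) return o;
    } else {
        mk(base, "guest/spool/new", 1);
        mk(base, "guest/spool/new/msg1", 0); mk(base, "guest/spool/new/msg2", 0);
    }
    if (use_safe_open) {
        snprintf(groot, sizeof groot, "%s/guest", base);
        int root = open(groot, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        fd = open_dir_nofollow(root, "spool/new");
        close(root);
    } else {
        /* path-based open from the host: follows the guest's symlink */
        fd = open(p, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    }
    if (fd >= 0) { o.removed = purge_files(fd); close(fd); }
    snprintf(p, sizeof p, "%s/host/secret", base);
    o.host_file_survived = access(p, F_OK) == 0;
    return o;
}

int main(void)
{
    struct outcome a = demo(0, 1), b = demo(1, 1);
    printf("path-based open: removed=%d, host file kept=%d\n", a.removed, a.host_file_survived);
    printf("fd-based walk:   removed=%d, host file kept=%d\n", b.removed, b.host_file_survived);
    return 0;
}
```

The fd-based walk still leaves a host-side tool exposed to a different mount layout inside the guest's namespace, which is the second issue the 'vserver exec' reply names.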
Re: [Vserver] vserver build and no rpm displayed..
[EMAIL PROTECTED] (Jean-Christophe Petit) writes:

> 2.6.12.3-vs2.0-rc9 with util-vserver-0.30.208 under CentOS 4
> followed the http://linux-vserver.org/CentOS_HowTo
>
> when in the vserver, "rpm -qa" gives nothing.

Expected; external package management is used by default which holds rpm database outside of the vserver.

When you *really* need it, 'vserver ... pkgmgmt internalize' should copy it into the vserver so that 'rpm -q' works there. But for most vserver types, the external management should suffice.

> I have the /.rpmdb/ in place with files inside:
> bash-3.00# ls -la /.rpmdb/
> total 504
> drwxr-xr-x 2 root root4096 Aug 3 05:12 .
> drwxr-xr-x 22 root root4096 Aug 3 05:04 ..
> -rw-r--r-- 1 root root 16384 Aug 3 05:08 __db.001
> -rw-r--r-- 1 root root 1318912 Aug 3 05:08 __db.002
> -rw-r--r-- 1 root root 450560 Aug 3 05:08 __db.003
> -rw-r--r-- 1 root root 12288 Aug 3 05:12 Group ...

These files were created by your 'rpm -q' operation which initializes the rpm database.

Enrico
Re: [Vserver] running old style vservers on vs2.0-rc
[EMAIL PROTECTED] (Bert De Vuyst) writes:

> During some tests with the vserver 2.0-rc, I did have a problem running
> vservers with a old style configuration. The vservers do run fine, but the
> vserver utils (vps, vserver-stat) can't display the vserver it's name.
>
> I run 2 vservers in the next example.
> testserv1 uses the new style config (and context 14),
> testserv2 uses the old style config (and context 27),
>
> When I run vserver-stat, I get net next output:
>
> CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME
> 0 68 247.9M 6.5K 30m57s73 13m10s83 7d05h34 root server
> 14 7 14.4M 1.5K 30m41s50 52m36s55 6d47h03 testserv1
> 27 9 34.1M 2.9K 0m00s12 0m00s00 0m09s70

The XID -> name mapping is not implemented for legacy configurations. As legacy configuration does not have a big future and *would* need security fixes first, this has a very low priority.

Enrico
Re: [Vserver] Feature Request: comment char in VS20/new-style
[EMAIL PROTECTED] (Andreas John) writes:

> I wanted to create commented version of /etc/vservers//flags,
> but I was not able to find the right char for commenting out a line,
> neither # nor ; worked even // was not the solution.

Sorry; bug in util-vserver. Afair, somebody else mentioned it already but I lost track of it. Should be now really fixed in CVS.

> I suspect there is at the time no way to "comment out" in new-style
> format?

No; but '# .. comment ...' should work in 0.30.209+.

Enrico
Re: [Vserver] Problem with shutdown (yes..)
[EMAIL PROTECTED] (Jean-Christophe Petit) writes:

> is it possible to upload a new version in
> http://www.13thfloor.at/~ensc/util-vserver/files/ ?

I will see; but there were some non-trivial changes in the script part which I have to test first. When you need the fix, you can try

http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/src/vwait.c.diff?r1=1.1&r2=1.2

(the green line in the second hunk is the most important part).

>>>hmm, isn't vwait --timeout 30 supposed to time out after 30 seconds
>>>and go wild on your remaining processes? (this one is for enrico)
>>
>>There was a classical bug in the signal handling

Enrico
Re: [Vserver] Vserver-build fails with WBEL4 when specifying context
[EMAIL PROTECTED] (Brian Ipsen) writes:

> Trying to build a new vserver using:
>
> # ./vserver-build -m yum -n test2 --hostname test2.domain.dk --interface
> test2=eth0:192.168.3.37/24 --context 10037 -- -d wbel4
>
> Due to the fact, that after RPM installation, I get a whole bunch of errors:
>
> vcontext: vc_create_context(): File exists
> vcontext: vc_create_context(): File exists
> vcontext: vc_create_context(): File exists

These errors are not fatal; they are coming from the 'initpost' script which tries to disable some services. The services will be still on (and cause lot of (non-fatal) error messages at vserver startup), but the vserver was built.

You can fix the vserver by disabling all unneeded services manually; by default (= when 'vserver ... build' succeeds), only 'syslog' is enabled.

> I started investigating what was going on What I discovered, was
> that the specified context in fact existed.. This is what happens:
>
> Yum installs all the rpms.. Before it reports which RPM's that have been
> installed, I grabbed this in another shell:
>
> # vps aux | grep minilog
> root 6564 100370.0 0.0 1520 376 ?Ss 21:02
> 0:00 minilogd
> root 6597 0 MAIN 0.0 0.0 3904 568 pts/3S+ 21:02
> 0:00 grep minilog

You could try to start 'syslogd' in the vserver (without killing minilogd). Then, the generated syslog will probably give an indication why minilogd was started. I suspect some initscript which was executed by an rpm %scriptlet (when syslogd is not running, minilogd will be invoked by the initscripts).

You could try to enter the context also shortly after the ./vserver-build and watch the processlist to see when and by what minilogd was started.

> Installed: MAKEDEV.i386 0:3.15-2 NetworkManager.i386 0:0.3.1-3.WB1
> SysVinit.i386 0:2.85-34 acl.i386 0:2.2.23-5 acpid.i386 0:1.0.3-2

mmh... there seems to be lot of unneeded stuff in this list. E.g. NetworkManager, apmd or acpid are useless in vservers and not required by core packages.

Enrico
Re: [Vserver] Problem with shutdown (yes..)
[EMAIL PROTECTED] (Herbert Poetzl) writes:

> hmm, isn't vwait --timeout 30 supposed to time out after
> 30 seconds and go wild on your remaining processes?
> (this one is for enrico)

There was a classical bug in the signal handling (glibc does not interrupt vc_wait_exit() but restarts it by default). I tested the dietlibc version only which does not show this behavior.

There was a race also which could cause non-timeouting when the system time was modified in the wait phase.

Both issues should be solved in CVS.

Enrico
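The restart-versus-interrupt behaviour described in this reply, as an added example that is not part of the original post and is not the vwait source. A blocking `read()` on an empty pipe stands in for `vc_wait_exit()`, the struct and function names are made up for the demonstration, and `SA_RESTART` is the semantics glibc's `signal()` installs by default.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

static volatile sig_atomic_t ticks;
static int wake_fd = -1;

/* SIGALRM handler: count the tick. From the second tick on it writes one
 * byte into the pipe so that a restarted read() can finish and the
 * demonstration never hangs; a real timeout handler has no such escape. */
static void on_alarm(int sig)
{
    (void)sig;
    if (++ticks >= 2 && wake_fd >= 0) {
        ssize_t r = write(wake_fd, "x", 1);   /* write() is async-signal-safe */
        (void)r;
    }
}

struct wait_result { int ticks_seen; int interrupted; };

/* Block in read() while a 50 ms periodic SIGALRM plays the role of the
 * timeout. restart_syscalls selects whether the handler is installed with
 * SA_RESTART (call is transparently restarted) or without it (call returns
 * -1 with errno == EINTR, so the caller can act on the timeout). */
struct wait_result blocking_wait(int restart_syscalls)
{
    struct wait_result res = { 0, 0 };
    struct sigaction sa, old;
    struct itimerval on = { {0, 50000}, {0, 50000} }, off = { {0, 0}, {0, 0} };
    int p[2];
    char c;

    if (pipe(p) != 0)
        return res;
    ticks = 0;
    wake_fd = p[1];

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = restart_syscalls ? SA_RESTART : 0;
    sigaction(SIGALRM, &sa, &old);
    setitimer(ITIMER_REAL, &on, NULL);

    ssize_t n = read(p[0], &c, 1);            /* the "wait" that should time out */
    int err = errno;

    setitimer(ITIMER_REAL, &off, NULL);
    sigaction(SIGALRM, &old, NULL);
    res.ticks_seen = ticks;
    res.interrupted = (n < 0 && err == EINTR);
    wake_fd = -1;
    close(p[0]);
    close(p[1]);
    return res;
}

int main(void)
{
    struct wait_result a = blocking_wait(0), b = blocking_wait(1);
    printf("without SA_RESTART: interrupted=%d after %d tick(s)\n", a.interrupted, a.ticks_seen);
    printf("with SA_RESTART:    interrupted=%d after %d tick(s)\n", b.interrupted, b.ticks_seen);
    return 0;
}
```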
Re: [Vserver] stuck (can't set the ipv4 root - invalid argument)
[EMAIL PROTECTED] (Matt Paine) writes:

> Its complaining about the GPG keys, so I installed it with.
>
> 8<
> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY
> #(that didn't work, so i tried another one)
> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
> -->8-

That's not the right way; the keys will be imported into the current (host) rpmdb only. You have to copy the keys into /etc/vservers/.distributions/.common/pubkeys (the default rpm should do this automatically).

Enrico
Re: [Vserver] V_xxxx not running ?
[EMAIL PROTECTED] (Benoît des Ligneris) writes:

> "Chasing" each and every config file of services started on your
> host (apache:443, SSH, mySQL, postgreSQL, etc.)

ssh should never be started through v_ssh as every shell inherits the network restrictions else. So it will be impossible to do administrative tasks like (re)starting vservers.

Enrico
Re: [Vserver] Install issue with yum - /var/lib/rpm/ ?
[EMAIL PROTECTED] (Brian Ipsen) writes:

> Hmm... But the .rpmdb directory inside the guest os is empty
> when the yum installation finishes ? Should it be like that ?

Yes; that's ok and expected. Because of security reasons, the rpmdb is located outside of the vserver.

| vserver pkgmgmt internalize

should move it into the vserver, but it requires packages like rpm or yum which are not needed for the most vservers.

Enrico
Re: [Vserver] Install issue with yum - /var/lib/rpm/ ?
[EMAIL PROTECTED] (Brian Ipsen) writes:

> I'm trying to install a WBEL4 client OS via yum (the RPM list has been
> attached here).

The rpm list does not matter (and is ignored by the '-m yum' method).

> Unfortunately, I have some issues with a messages, that pops up during
> installation.

It's only a message... because yum does not do proper error-handling, the installation will succeed nevertheless.

> I'm not quite sure, whether this warnings/errors shows up due to
> missing dependency settings in the RPM - or it could be an issue with
> installing via RPM...

This happens because the rpm package has bad assumptions regarding the availability of the rpmdb in %scriptlets. Because of security reasons, this rpmdb is hidden and 'chown /var/lib/rpm/[A-Z]*' will not find a file where it can operate on.

> The errors I get are:
>
> /bin/chown: cannot access `/var/lib/rpm/[A-Z]*': No such file or directory

A workaround would be, to add a

| touch "$vdir"/.rpmdb/FORTYTWO

or (better, but untested)

| ( cd "$vdir" && $_CHROOT_SH append /var/lib/rpm/FORTYTWO
Re: [Vserver] V_xxxx not running ?
[EMAIL PROTECTED] (Herbert Poetzl) writes:

>> I will fix it, although the v_* scripts will disappear soon.
>
> and be replaced by?

nothing ;)

I do not see much sense in these scripts. Most affected applications (httpd, named, sendmail, ssh, xinetd) can be configured with "native" methods to listen on a limited set of interfaces.

'portmap' is the only daemon where v_portmap might be useful, but it is not used very much today resp. only by programs which can run in the host only. And the missing reports about the broken startup order in v_portmap tells me, that this script is unused. ;)

Enrico
Re: [Vserver] V_xxxx not running ?
[EMAIL PROTECTED] (Brian Ipsen) writes:

> After upgrading to v2.0-rc8.1 and installing utils 0.30.208 I get this
> error during startup of my server:
>
> Starting v_httpd: exec --ip eth0 /etc/init.d/httpd start

oops... some legacy scripts (inclusive vsysvwrapper) were not updated to a new naming convention (it should be $_CHBIND but not $CHBIND in the script).

I will fix it, although the v_* scripts will disappear soon.

Enrico
Re: [Vserver] vserver build - one remaining issue...
[EMAIL PROTECTED] (Brian Ipsen) writes:

> # ./vserver-build --force -m yum -n dns-int1 -- -d wbel4
> ...
> error: unpacking of archive failed on file /usr/bin/X11;42dd8791: cpio:
> symlink failed - No such file or directory

Happens due to a bug in rpm[1]. That's why, an 'initpre' script must be executed which works around this issue. The common redhat-style 'initpre' script should be fine for RH clones, so you should add a symlink like

| /etc/vservers/.distributions/initpre -> /usr/lib/util-vserver/distributions/redhat/initpre

I will add more diagnostics to warn the user about this...

Nevertheless, as yum does not do proper errorhandling this bug will be ignored and vserver should be built.

Enrico

Footnotes:
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90941
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52725
Re: [Vserver] How to build first vserver ?
[EMAIL PROTECTED] (Brian Ipsen) writes:

> #./vserver-build --force -m yum -n dns-int1 -- -d wbel4
> Renamed '/etc/vservers/dns-int1' to '/etc/vservers/dns-int1.~1121798195~'
> ftp://ftp.riken.jp/Linux/whitebox/Null/en/os/i386/repodata/repomd.xml:

The yum author refuses to make yum configurable so there is no way to influence '$releasever'. Its value is defined only by the release number of the installed 'fedora-release' package (resp. the configured 'distroverpkg'). Yes, it sucks and feel free to bother the yum author regarding this issue.

In the meantime, all occurrences of '$releasever' have to be replaced manually with the correct value.

> Next, I have an issue with the setup in general... I mount
> /vservers/dns-int as a lvm-partition ..

Sorry; not supported yet.

Enrico
Re: [Vserver] How to build first vserver ?
[EMAIL PROTECTED] (Brian Ipsen) writes:

> My "base" vserver is up and running (with the vserver kernel) - the problem
> is creating a virtual server... I'm running WhiteBox Enterprise Linux 4 (a
> RHEL clone), but have difficulties figuring out how to create the
> distribution stuff - and where does it pick the RPM packages from ??
>
> Any hints, links, instructions etc are appreciated ...

I recommend to:

1. choose the best-fitting distribution from /usr/lib/util-vserver/distributions; in your case, this is probably fc4.

2. copy the files from there into a suitable directory under /etc/vservers/.distributions/ :

   | # cp -a /usr/lib/util-vserver/distributions/fc4 \
   |         /etc/vservers/.distributions/wbel4

   This directory ('wbel4') will be used later at the '-d' option of the 'vserver ... build' command

3. adjust the initpre/initpost symlinks

4. depending on your installation method, you need to:
   - create a sources.list for apt in the apt/ subdirectory, or
   - adjust the yum repositories in the yum.repos.d/ subdir, or
   - add/change files in the rpmlist.d/ subdir

When WhiteBox Enterprise Linux is like RHEL, you should now be able to create new vservers with

| # vserver ... build -m yum ... -- -d wbel4

out-of-the-box (although it is strongly recommended to patch yum).

Enrico
Re: [Vserver] audit interface
[EMAIL PROTECTED] (Herbert Poetzl) writes:

>> > it seems to be impossible to use the audit (CONFIG_AUDIT) interface
>> > of the kernel within a vserver:
>> >
>> > | # auditctl -m 'foo'
>> > | Error sending user message request (Operation not permitted)
>> > ...
>> > This gives problems on Fedora Core 4 as recent pam upgrade
>> > is using this functionality and most actions (su, cron) will
>> > fail therefore.
>>
>> hmm, does anybody know why pam would want to do syscall
>> auditing in the first place? I'm a little lost here actually
>> ...
>
> ah, looks like redhat is patching again ...
>
> http://people.redhat.com/sgrubb/audit/pam-0.78-loginuid.patch
>
> so I guess it's fine to remove pam_loginuid.so for now
> until the auditing interface is virtualized ...

Ok, as expected, the NETLINK problem can be solved by giving CAP_AUDIT_WRITE permissions by default. Next problem is a

| [pid 10153] open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW) = -1 EPERM (Operation not permitted)

Hiding /proc/self/loginuid (so that open(2) returns with -ENOENT) seems to make newer pam_loginuid happy[1]. As this can not be done with procfs-security, would it be possible to hide the "loginuid" entry statically for context!=0? (I guess, making it writable is more complicated than hiding it).

Enrico

Footnotes:
[1] http://cvs.fedora.redhat.com/viewcvs/rpms/pam/FC-4/pam-0.79-cleanup-redhat.patch?r1=1.3&r2=1.4
Re: [Vserver] audit interface
[EMAIL PROTECTED] (Enrico Scholz) writes:

> | # auditctl -m 'foo'
> | Error sending user message request (Operation not permitted)
> ...
> This gives problems on Fedora Core 4 as recent pam upgrade is
> using this functionality and most actions (su, cron) will fail
> therefore.

Quick workaround is to add '^29' to the 'bcapabilities' of the corresponding vserver.

Next util-vserver version will probably implicate this with the '--secure' option (after I decided how to deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).

Enrico
[Vserver] audit interface
Hello,

it seems to be impossible to use the audit (CONFIG_AUDIT) interface of the kernel within a vserver:

| # auditctl -m 'foo'
| Error sending user message request (Operation not permitted)

The generated syscalls are:

| socket(PF_NETLINK, SOCK_RAW, 9) = 3
| fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
| sendto(3, "\24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
| select(4, [3], NULL, NULL, {0, 10}) = 1 (in [3], left {0, 10})
| recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0"..., 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, [12]) = 36
| write(2, "Error sending user message reque"..., 60Error sending user message request (Operation not permitted)) = 60

This gives problems on Fedora Core 4 as recent pam upgrade is using this functionality and most actions (su, cron) will fail therefore.

I see two ways to solve the problem:

1. allow this kind of communication within a context
2. make CONFIG_AUDIT conflict with CONFIG_VSERVER and hope that libaudit is clever enough to ignore this error (untested)

(I do not know the security implications of 1. and have not tested 2.)

Problem was seen on 2.6.12.2-vs2.0-rc5 + remap patch.

Enrico
Re: [Vserver] util-vserver-0.30.207-1mdk building error
[EMAIL PROTECTED] (Nicolas Costes) writes:

> make[3]: Entering directory `/usr/src/RPM/BUILD/util-vserver-0.30.207'
> ...
> PASS: src/testsuite/chcontext-test
> Invalid IP number or host name 'localhost'

'localhost' can not be resolved. Depending on your distribution, /etc/hosts might not be created during the vserver-build phase and without configured networking (existing ip, /etc/resolv.conf) this test will fail.

Enrico
Re: [Vserver] realloc(3)/mremap(2) errors
[EMAIL PROTECTED] (Enrico Scholz) writes: > | $ diet gcc x.c > | $ strace ./a.out > | execve("./a.out", ["./a.out"], [/* 41 vars */]) = 0 > | old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0x97f47000 > | mremap(0x97f47000, 4096, 8192, MREMAP_MAYMOVE) = -1 ENOMEM (Cannot allocate > memory) >~ Is the | @@ -351,8 +352,13 @@ unsigned long do_mremap(unsigned long ad | ... | } | - if (!may_expand_vm(current->mm, (new_len - old_len) >> PAGE_SHIFT)) { | + if (!may_expand_vm(current->mm, (new_len - old_len) >> PAGE_SHIFT) || | + vx_vmpages_avail(current->mm, (new_len - old_len) >> PAGE_SHIFT)) { | ret = -ENOMEM; hunk really correct, or is there missing a '!' before 'vx_vmpages_avail'? Enrico pgp0V5XsD2Xy4.pgp Description: PGP signature ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
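Review bot: In the condition added to do_mremap(), the new operand vx_vmpages_avail(current->mm, (new_len - old_len) >> PAGE_SHIFT) is not negated while may_expand_vm() beside it is, so if vx_vmpages_avail() returns non-zero when the pages fit within the context's limit, the branch sets ret = -ENOMEM exactly when the growth is allowed. That would match the mremap(0x97f47000, 4096, 8192, MREMAP_MAYMOVE) = -1 ENOMEM in the quoted strace. The return convention of vx_vmpages_avail() is not visible in this hunk, so confirm it first; if it follows the "avail" name, the operand should read !vx_vmpages_avail(current->mm, (new_len - old_len) >> PAGE_SHIFT).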
[Vserver] realloc(3)/mremap(2) errors
Hi,

just to exclude possible failure-sources (I do not have time to test a real vanilla 2.6.12.2 kernel, but at least a RH kernel is fine), does somebody see why code like

| #include <stdlib.h>
| int main()
| {
|   char *p = malloc(3000);
|   realloc(p, 5000);
| }

fails on 2.6.12.2 + patch-2.6.12.2-vs2.0-rc5 in context 0 with

| $ diet gcc x.c
| $ strace ./a.out
| execve("./a.out", ["./a.out"], [/* 41 vars */]) = 0
| old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x97f47000
| mremap(0x97f47000, 4096, 8192, MREMAP_MAYMOVE) = -1 ENOMEM (Cannot allocate memory)

Enrico
Re: [Vserver] VPN within vserver, what I have found
[EMAIL PROTECTED] (gary ng) writes:

> I just did a little more experiment and can now establish vpn links
> with outside using either pptp(Windows) or openvpn, from within a
> vserver.

I run a lot of vservers with OpenVPN (indeed, every physical host has such a vserver). Important settings are: NET_ADMIN + NET_RAW in 'bcapabilities' and ~hide_netif in 'flags'. You will have to create the /dev/tun/net device in the vserver also.

Enrico
Re: [Vserver] Re: building from savannah CVS
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> That's the kind of tests which can only be done by the developer ;)
>> But other work and fear of zombies stopped me to play with 'vserver
>> ... stop' till now...
>
> didn't get a bugreport regarding those zombies yet

afais, Gilles reported in [EMAIL PROTECTED] already about them and a quick look in the IRC logs shows that they were discussed there also.

Enrico
Re: [Vserver] Re: building from savannah CVS
[EMAIL PROTECTED] (Herbert Poetzl) writes:

>> > while we are at it, how would I 'build' a release tar archive
>> > (i.e. clean everything up which doesn't go into your releases)
>> > or a source rpm from the cvs sources?
>>
>> Do you mean something like 'make dist'?
>> ...
>> rpms can be built with the usual 'rpmbuild -ta .bz2'
>> command.
>
> where does the tarball come from (using cvs)?

It comes from the 'make dist' mentioned above:

1. cvs co            ## --> the files
2. autoreconf -i -f  ## --> configure, Makefile.in's and other stuff
3. ./configure ...   ## --> see below also;
                     ##     Makefile, config.status, util-vserver.spec
4. make dist         ## --> util-vserver.spec, ChangeLog, the tarball

To set reasonable paths and options, you can try './build-all dist' instead of 3. but this script is for my purposes only and documented only by its source.

>> Dunno; next release will incorporate 'vwait' integration for
>> 'vserver ... stop' which needs some testing.
>
> well, _now_ is the right time to _get_ some testing. of course,
> without anything to test, there will be no testing ... ;)

That's the kind of tests which can only be done by the developer ;) But other work and fear of zombies stopped me to play with 'vserver ... stop' till now...

Enrico
Re: [Vserver] Re: building from savannah CVS
[EMAIL PROTECTED] (Herbert Poetzl) writes:

> while we are at it, how would I 'build' a release tar archive
> (i.e. clean everything up which doesn't go into your releases)
> or a source rpm from the cvs sources?

Do you mean something like 'make dist'? Specifying 'CVS2CL=: RCS2LOG=:' should speedup things a little bit but you won't get a ChangeLog file.

rpms can be built with the usual 'rpmbuild -ta .bz2' command.

> PS: when can a new release be expected? (so that we can test
> against vs2.0-rc1)

Dunno; next release will incorporate 'vwait' integration for 'vserver ... stop' which needs some testing.

Enrico
[Vserver] Re: building from savannah CVS
Herbert Poetzl <[EMAIL PROTECTED]> writes:

> probably I'm just too dumb to figure it myself, but how would you
> build the tools from the savannah CVS?

checkout, execute 'autoreconf -i -f' and then './configure ...' && make

> /usr/share/aclocal/pkg.m4:5: warning: underquoted definition of
> PKG_CHECK_MODULES

not my fault (and not fatal); lots of existing .m4 files are having underquoted definitions.

Enrico
Re: [Vserver] Upgrade main server from 2.4 to 2.6 kernel
[EMAIL PROTECTED] ("Roderick A. Anderson") writes:

> If I upgrade/install a new 2.6 vserver kernel on an existing
> system _*should*_ my old vservers ( created with a 2.4 kernel )
> still work. I realize there might be a few gotchas but for the
> most part should they work?

File attributes have been changed; the "Kernel 2.4 to kernel 2.6 transition" paragraph at http://linux-vserver.org/alpha+util-vserver contains some hints but is far from being perfect (e.g. dot files are not converted, and such with whitespace are handled wrong also).

Enrico
Re: [Vserver] FC3 with yum on vs2.0-pre4
[EMAIL PROTECTED] (Eric Jorgensen) writes:

> However, I'm getting errors about gpg keys not existing. I had
> set gpgcheck=0 in all the *.repo files (both in /etc/yum.repos.d
> and /usr/lib/util-vserver/...).

GPG keys will be added automatically from

| "$__CONFDIR/.distributions/$DISTRIBUTION/pubkeys" \
| "$__CONFDIR/.distributions/.common/pubkeys" \
| "$__DISTRIBDIR/$DISTRIBUTION/pubkeys"

First two places are for your customization so you can copy the keys into it.

Enrico
Re: [Vserver] problems with vserver create -m yum
[EMAIL PROTECTED] ("Paul S. Gumerman") writes:

> Is there anywhere to be found an explanation of how package management
> works with the new util-vserver system?

I would suggest (for Fedora based systems):

1. create your own yum or apt repository by:

   a) copy all the shipped RPMs somewhere into your harddrive; e.g.

      | D=/srv/data/mirror/fedora/core
      | rsync -a /media/cdrom/Fedora/RPMS/ $D/3/i386

   b) ditto for updates (e.g. execute a daily cronjob mirroring the updates directory)

      | rsync -a http:/// $D/3-updates/i386

   c) create the yum filesystem structure there:

      | mkdir -p $D/.yum/3/i386/{base,updates}
      | ln -s ../../../../3/i386 $D/.yum/3/i386/base/RPMS
      | ln -s ../../../../3-updates/i386 $D/.yum/3/i386/updates/RPMS

   d) create the repo there

      | createrepo $D/.yum/3/i386/base
      | createrepo $D/.yum/3/i386/updates

   e) ... similarly for apt ... ;)

2. register them as the repository for FC3

   a) | mkdir -p /etc/vservers/.distributions/fc3/yum.repos.d
   b) | cat

> What I am particularly curious about is the usage of the various
> .rpmdb directories inside each vserver,

It is used to mount the rpm database in a secure way. "Secure" means that programs running in the vserver can not modify it. This is solved by

1. creating a new namespace before real rpm operations
2. bind-mounting '/vservers/.pkg/.../rpm/state' to /vservers/.../.rpmdb; this operation is done in a secure way
3. creating a new namespace and unmounting /.rpmdb before scripts are executed
4. changing the context before executing scripts

The /.rpmdb mountpoint has to be in the toplevel directory; else when it would be e.g. /var/lib/rpm, an attacker within the vserver could create a /var/lib -> /var/foo symlink and place a malicious rpm database (e.g. one which causes buffer overflows) into /var/foo/rpm.

There are some tricks like mounting the new database into the host also which work around some bugs in rpm.

> and the .pkg directory structure under the vdirbase, and how they are
> related.

Program-dependent directories are directly placed under /vservers/.pkg (e.g. 'rpm', 'apt' or 'yum'). Then, there are case-dependent directories like 'rpm/etc' which corresponds to '/etc/rpm', or 'rpm/state' which holds the rpm database, or 'yum/etc' for the configuration, or ...

An important file is the generated rpm-macros file (rpm/etc/macros): it contains both the %_rpmdb macro mentioned above and a line like:

| %_netsharedpath /dev:/etc/rc.d/init.d/halt:/sbin/new-kernel-pkg:/usr/bin/rhgb-client

This is needed to prevent installation of certain files (e.g. the default '/etc/rc.d/init.d/halt' causes problems on vserver shutdown, or '/sbin/new-kernel-pkg' makes installation of kernel package fail).

Enrico
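The symlink redirection described in the reply above, shown from the host side as an added example (not part of the original mail and not util-vserver's code). The names open_beneath_nofollow and run_demo are hypothetical, and the guest tree is constructed in a temporary directory: a path-based lookup of var/lib/rpm follows the guest's symlink, while a per-component walk with O_NOFOLLOW refuses it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk relpath below rootfd one component at a time. Every component must be
 * a real directory; symlinks and ".." are refused. Returns a directory fd or
 * -1 with errno set (ELOOP when a component is a symlink). */
int open_beneath_nofollow(int rootfd, const char *relpath)
{
    char buf[PATH_MAX];
    char *save = NULL;
    int fd;

    if (strlen(relpath) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    fd = dup(rootfd);
    if (fd < 0) return -1;

    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        struct stat st;
        int next, err;

        if (strcmp(c, ".") == 0) continue;
        if (strcmp(c, "..") == 0) { close(fd); errno = EXDEV; return -1; }
        next = openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        err = errno;
        /* The kernel may report ENOTDIR or ELOOP for a symlink here;
         * normalise to ELOOP so callers can tell the cases apart. */
        if (next < 0 && fstatat(fd, c, &st, AT_SYMLINK_NOFOLLOW) == 0
            && S_ISLNK(st.st_mode))
            err = ELOOP;
        close(fd);
        if (next < 0) { errno = err; return -1; }
        fd = next;
    }
    return fd;
}

struct demo_result {
    int naive_redirected; /* 1: plain lookup of var/lib/rpm reached var/foo/rpm */
    int strict_fd;        /* result of the strict walk of var/lib/rpm */
    int strict_errno;     /* errno left by that walk */
    int toplevel_ok;      /* 1: strict walk of the toplevel .rpmdb succeeded */
};

/* Build a constructed guest tree and compare both kinds of lookup. */
struct demo_result run_demo(void)
{
    struct demo_result r = { 0, -1, 0, 0 };
    char root[] = "/tmp/guestXXXXXX";
    char path[PATH_MAX];
    struct stat a, b;
    int rootfd, fd;

    if (!mkdtemp(root)) return r;
    rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0) { rmdir(root); return r; }
    mkdirat(rootfd, ".rpmdb", 0700);
    mkdirat(rootfd, "var", 0755);
    mkdirat(rootfd, "var/foo", 0755);
    mkdirat(rootfd, "var/foo/rpm", 0755);   /* guest-supplied "database" */
    symlinkat("foo", rootfd, "var/lib");    /* var/lib -> foo */

    /* Path-based lookup: the guest's symlink decides where we end up. */
    snprintf(path, sizeof path, "%s/var/lib/rpm", root);
    if (stat(path, &a) == 0 && fstatat(rootfd, "var/foo/rpm", &b, 0) == 0)
        r.naive_redirected = (a.st_dev == b.st_dev && a.st_ino == b.st_ino);

    r.strict_fd = open_beneath_nofollow(rootfd, "var/lib/rpm");
    r.strict_errno = errno;
    if (r.strict_fd >= 0) close(r.strict_fd);

    fd = open_beneath_nofollow(rootfd, ".rpmdb");
    r.toplevel_ok = (fd >= 0);
    if (fd >= 0) close(fd);

    /* Remove the constructed tree again. */
    unlinkat(rootfd, "var/lib", 0);
    unlinkat(rootfd, "var/foo/rpm", AT_REMOVEDIR);
    unlinkat(rootfd, "var/foo", AT_REMOVEDIR);
    unlinkat(rootfd, "var", AT_REMOVEDIR);
    unlinkat(rootfd, ".rpmdb", AT_REMOVEDIR);
    close(rootfd);
    rmdir(root);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("naive lookup redirected: %d\n", r.naive_redirected);
    printf("strict var/lib/rpm: fd=%d (%s)\n", r.strict_fd, strerror(r.strict_errno));
    printf("strict .rpmdb ok: %d\n", r.toplevel_ok);
    return 0;
}
```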
Re: [Vserver] OpenFoundry project for Vserver Utilities
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> mmh... I am not very happy with the way how this was solved, because:
>
> well, if you would show up now and then on the channel
> we might have taken a different approach ... but I
> guess although the various aspects might not be perfect,
> IMHO the direction is generally good ...
>
> at least I prefer this over a dozen different branches done by everybody
> and his dog ...

To avoid the dozen of different branches, I would like when the solved issues/bugs/patches/wishes will be filled at a central place instead of spreading them across IRC logs, maillists or Wikis. Personal mail is also problematic because some issues can not be handled immediately but require further investigations and might be forgotten over the time.

> [... moving the CVS tree into an SVN repository ...]
>> First two points can be perhaps solved by converting the CVS tree but I
>> never did such a conversion. As already mentioned, I do not see the
>> necessity of such a step.
>
> well, this isn't intended to replace the savannah (i.e.
> your) development branch, the idea is to have a breeding
> ground for various changes, kind of idea pool, where
> you can skim the useful stuff very easily ...

I just think that SVN can not be used for that. E.g. I will pick some (but not all) of the changes in SVN and apply them (perhaps with small changes) to my util-vserver branch. But who will remerge my branch (with lots of conflicts) back into SVN?

And the larger the changes in SVN will be, the larger and meaninglesser will be the 'svn diff ' output. I prefer small changesets which fulfill exactly one purpose.

> if you have a better solution for that, please let us know, we are
> easily convinced by good arguments ;)

My mid-term plans are including a switch to GNU Arch when it is provided by Savannah. But the extremely positive mentioning of Monotone at lkml and its very good changeset support (this in GNU Arch is not good, but still better than this of SVN) will bring me to evaluate this SCM system before doing a final decision.

For now, please use the Savannah infrastructure (bug- and patch-tracker) and try to use replyable addresses as possible. ;)

Enrico
Re: [Vserver] OpenFoundry project for Vserver Utilities
[EMAIL PROTECTED] (Sam Vilain) writes:

> I have set up a new project on OpenFoundry.org for util-vserver.
> OpenFoundry is like SourceForge, except it doesn't suck.
>
> http://utilvserver.openfoundry.org/
>
> (no hyphens allowed in project names! bummer)
>
> For now the important thing it has is a public read-only Subversion
> server, and is trivial for project Admins to invite other people to be
> committers.
>
> So, you can grab the latest version of util-vserver from;
>
> http://svn.openfoundry.org/utilvserver/trunk/
>
> Then use "svn update" & friends to pull down new versions! :-D

mmh... I am not very happy with the way how this was solved, because:

* afais, the complete history of changes was lost in the SVN reimport
* the svn repository contains lots of autogenerated files (e.g. ChangeLog, Makefile.in, configure, ...) which should not be handled by SCM systems
* I do not think that Subversion is so much better than CVS that a change is required. Changeset support or support of distributed development would be arguments convincing me but SVN does not offer these features.
* what's wrong with current hosting at savannah? Ok, they are excessively paranoid which makes things like file uploads nearly impossibly. But I still have hope that it will be fixed.

First two points can be perhaps solved by converting the CVS tree but I never did such a conversion. As already mentioned, I do not see the necessity of such a step.

Enrico
Re: [Vserver] OpenFoundry project for Vserver Utilities
[EMAIL PROTECTED] (Ola Lundqvist) writes:

> * Is a dependency on perl for building acceptable? I need it as one
> of the manpages (vserver-build) is written in .pod format and need
> pod2man (provided by perl) to convert to manpage format. I'm not
> sure what you think about that. I can probably rewrite it directly
> to manpage format but it will take some time (which I do not have too
> much of). I also seem to have a different version of vserver manpage
> that is regenerated by pod2man (I have forgot that).

I am not sure how documentation should be handled. I am tending to a master XML file which can be translated into '... --help' output, man-pages or DocBook XML or ...

Current way which reformates the '--help' output is not very clever: it introduces redundancy, does not provide additional information and requires additional maintenance.

> * I will modify vserver-copy to have better rsync options
> --numeric-ids -H and maybe some more.

vserver-copy needs much changes as it uses still the legacy config.

> * I will make src/vshelper-sync.c have a ifdef on __linux__ instead of
> __linux to work better with dietlibc.

Best place to report such things would be the bugtracker at savannah.

> * I will modify man/chcontext.8 so it have section 8 inside too.

ditto

Enrico
Re: [Vserver] Problem to build util-vserver on ia64.
[EMAIL PROTECTED] (Ola Lundqvist) writes:

> lib_internal/unify-copy.c: In function `copyMMap':
> lib_internal/unify-copy.c:142: error: `MADV_SEQUENTIAL' undeclared (first use
> in this function)

mmh... a dietlibc issue

http://cvs.fedora.redhat.com/viewcvs/devel/dietlibc/dietlibc-0.28-madv.patch?root=extras&rev=HEAD&view=auto

should fix it. I will report it upstream tomorrow.

Enrico
Re: [Vserver] shutting down all vservers
[EMAIL PROTECTED] (Marcel de Riedmatten) writes:

> I am playing with with the new debian package util-vserver 0.30.204-5,
> thanks to Ola for that. I dont want some vserver to be started
> automatically at startup so i don't put the "default" mark for that one.
> But when i shutdown the machine and this vserver is running it isn't
> shut down and some filesystem can't be unmounted.

Sorry; this is not supported yet. I plan to add a final script which shuts down all 'unmarked' vservers but had not time to implement it. It will probably be solved by an '--unmarked' selector (similarly to '--all').

Enrico
Re: [Vserver] Vserver content too minimal
[EMAIL PROTECTED] ("Commission Scolaire de Laval Laval") writes:

> I believe I'm experiencing problems with my vserver since I miss a
> great amount of commands, like "passwd" and "rpm" for example. I'd
> like to know what I did wrong.

Nothing; it is intended to work in this way. Depending on your vserver, none of these two commands are needed (e.g. only 5 of my 70 vservers have 'passwd' and only 15 have 'rpm').

The standard buildmethod adds only a minimal set of packages which are required by every vserver. For RH based distributions, this is the 'coreutils' package (plus its dependencies).

Too many packages result only in problems (security + update strategy related ones) so you should install only the needed ones. E.g. when you want an http server, just execute 'vapt-get vserv1 -- install httpd'.

When you really want a certain package in every vserver, you could add its name into /etc/vservers/.distributions/.../pkgs/my-packages after copying the standard packageset (from IRC logs I see, that you will know about what I am speaking ;)). *Never* modify the standard 01, 02, 03 files; they are full of hacks to work around problems which might break with additional packages.

Enrico
Re: [Vserver] util-vserver + dietlibc ...
[EMAIL PROTECTED] (Stephen Frost) writes:

>> That's not possible. During the extraction phase, 'rpm' has to do
>> an username -> uid mapping with the setup from the inside of the
>> chroot. So at least there, I need getpwname() after chroot().
>
> Sorry for the double-reply but additionally, is that the only place
> where this issue exists? I'm not even sure what you mean by the
> 'extraction phase'- do you mean when building the vserver?

It is meant the phase when 'rpm --root ...' extracts the files and has to map the username to an uid.

> If you're building it new it seems unlikely that it's a compromised
> vserver.

'vrpm' + 'vapt-get' + 'vyum' work long after the initial build also. This might be after the vserver was compromised.

> Does this affect Debian users at all (who use Debian in their vservers)?

Probably not; for Debian only the internal packagemanagement is supported.

Enrico
[Vserver] Re: util-vserver-0.30.206 ... timetravel?
Herbert Poetzl <[EMAIL PROTECTED]> writes:

> just tried to 'update' my rpms to the latest release of util-vserver
> for testing (0.30.206) but it seems that this version will need some
> time to become usable, no?
>
> checking whether to enable dietlibc... no (too old; 0.29+ required, 0.28
> found)

mmh... should affect non-i386 only. When you think you have such an arch, can you post the 'build/host' line in the 'vserver-info' output?

Else, I think that this check is correct; dietlibc<=0.28 causes too much problems on non-i386. For people who know what they do, this check can be overridden and dietlibc usage be enforced...

Enrico
Re: [Vserver] util-vserver + dietlibc ...
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> >> I guess it was using _syscall3() instead of syscall().
>> ...
>> To clarify things:
>>
>> util-vserver prefers to use _syscall3() (which is called 'fast'
>> syscall invocation method in the ./configure output) when it is
>> available. _syscall3() is often implemented with inline assembler
>> in . But at least on i386, it can not be used in
>> combination with dynamic linking as it writes to the %ebx register
>> which is reserved for PIC addressing.
>>
>> Therefore, most glibc kernel-headers do not provide the _syscallX()
>> functions overall and the 'traditional' syscall(2) must be used.
>
> what if we implement the _syscall3 for all known platforms
> in a proper way, and feed them back to glibc/kernel headers
> as well as integrate them into dietlibc and/or util-vserver?

The kernel (resp. projects like [1] which provide sanitized headers) would be the right place for such changes. But there will pass much time before you can rely on it.

These headers are/should not be provided by libc implementations.

Enrico

Footnotes:
[1] http://ep09.pld-linux.org/~mmazur/linux-libc-headers/
Re: [Vserver] util-vserver + dietlibc ...
[EMAIL PROTECTED] (Stephen Frost) writes:

>> >> according to Enrico (please confirm or correct) the glibc
>> >> has issues with the fake name resolver and is generally
>> >> considered insecure because usually dynamically linked ...
>> >
>> > This really needs further explanation and justification. What about
>> > glibc being dynamically linked (and able to load other libraries)
>> > makes it insecure, specifically?
>>
>> 1. 'insecure', because the dynamical loading of libnss_* is
>>    uncontrollable. There is no (documented??) way to disable this
>>    loading e.g. when the chroot was entered. Executing a function which
>>    would load an nss-library does not give any guarantee that the next
>>    call to this function with another argument would not load another
>>    library.
>
> It's not uncontrollable- just don't call NSS functions after you've
> chroot'd.

That's not possible. During the extraction phase, 'rpm' has to do an username -> uid mapping with the setup from the inside of the chroot. So at least there, I need getpwname() after chroot().

Enrico
Re: [Vserver] util-vserver + dietlibc ...
Herbert Poetzl <[EMAIL PROTECTED]> writes:

>> > no, thanks I already figured it, the dietlibc needs
>> > patching as the syscall(2) for x86_64 isn't implemented
>> >
>> > .o( I wonder _what_ is running on your machine ;)
>>
>> I guess it was using _syscall3() instead of syscall(). Shouldn't it?
>
> yes, after I read your 'other' email ... this makes
> some sense ... I just wondered because I didn't know
> that it is available on x86_64 (headers)

To clarify things:

util-vserver prefers to use _syscall3() (which is called 'fast' syscall invocation method in the ./configure output) when it is available. _syscall3() is often implemented with inline assembler in . But at least on i386, it can not be used in combination with dynamic linking as it writes to the %ebx register which is reserved for PIC addressing.

Therefore, most glibc kernel-headers do not provide the _syscallX() functions overall and the 'traditional' syscall(2) must be used.

Enrico
Re: [Vserver] util-vserver + dietlibc ...
[EMAIL PROTECTED] (Stephen Frost) writes:

>> according to Enrico (please confirm or correct) the glibc has issues
>> with the fake name resolver and is generally considered insecure
>> because usually dynamically linked ...
>
> This really needs further explanation and justification. What about
> glibc being dynamically linked (and able to load other libraries)
> makes it insecure, specifically?

1. 'insecure', because the dynamical loading of libnss_* is uncontrollable. There is no (documented??) way to disable this loading e.g. when the chroot was entered. Executing a function which would load an nss-library does not give any guarantee that the next call to this function with another argument would not load another library.

2. the glibc NSS implementation uses caching/optimization which can cause failures in chroot operations. E.g. when the 'getpwnam()' before chroot(2) (which is used to load the libnss_* libraries) creates a connection to the 'nscd' daemon, this connection will be used for the second 'getpwnam()' (after chroot(2)) also, which will return wrong results.

   You will see this issue with rpm based vserver-build methods when the tools are compiled with glibc and nscd is running.

> What changes would need to be done to make use of it
> secure?

Provide a way to:

* disable dynamic libnss_* loading
* disable usage of nscd

Enrico
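One way to do the username -> uid mapping discussed above without getpwnam(), so that no libnss_* module is loaded and no nscd connection is consulted: parse the guest's passwd(5) data with plain stdio. This is an added example, not util-vserver's code; the names passwd_lookup_uid and sample_uid are hypothetical and the passwd content is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Map a user name to a uid by parsing a passwd(5) stream directly.
 * Returns 0 on success, 1 if the name is absent, -1 on a malformed
 * entry, a bad name or an I/O error (errno set). */
int passwd_lookup_uid(FILE *fp, const char *name, uid_t *uid)
{
    size_t nlen = strlen(name), cap = 0;
    char *line = NULL;
    int rc = 1;

    if (nlen == 0 || strchr(name, ':') || strchr(name, '\n')) {
        errno = EINVAL;
        return -1;
    }

    while (getline(&line, &cap, fp) != -1) {
        char *p, *end;
        unsigned long v;

        /* Exact match on the first field: "rpm" must not match "rpmbuild". */
        if (strncmp(line, name, nlen) != 0 || line[nlen] != ':')
            continue;

        rc = -1;                              /* fail closed from here on */
        p = strchr(line + nlen + 1, ':');     /* skip the password field */
        if (!p || p[1] < '0' || p[1] > '9') { /* no sign, blank or empty uid */
            errno = EINVAL;
            break;
        }
        errno = 0;
        v = strtoul(p + 1, &end, 10);
        /* The uid must be followed by ':' and (uid_t)-1 is reserved. */
        if (errno || *end != ':' || v > 0xfffffffeUL) {
            errno = EINVAL;
            break;
        }
        *uid = (uid_t)v;
        rc = 0;
        break;
    }
    if (rc == 1 && ferror(fp))
        rc = -1;
    free(line);
    return rc;
}

/* Constructed sample of a guest's /etc/passwd. A real caller would pass a
 * stream opened on the file inside the guest root instead. */
static char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "rpmbuild:x:500:500::/home/rpmbuild:/bin/sh\n"
    "rpm:x:37:37::/var/lib/rpm:/sbin/nologin\n"
    "evil:x:0x0:0::/:/bin/sh\n";

/* Returns the uid, -1 if the name is not present, -2 on error. */
long sample_uid(const char *name)
{
    FILE *fp = fmemopen(SAMPLE_PASSWD, sizeof SAMPLE_PASSWD - 1, "r");
    uid_t uid = 0;
    int rc;

    if (!fp)
        return -2;
    rc = passwd_lookup_uid(fp, name, &uid);
    fclose(fp);
    return rc == 0 ? (long)uid : (rc == 1 ? -1 : -2);
}

int main(void)
{
    const char *names[] = { "root", "rpm", "rpmbuild", "nobody", "evil" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s -> %ld\n", names[i], sample_uid(names[i]));
    return 0;
}
```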
Re: [Vserver] vserver build bug
[EMAIL PROTECTED] (Kevin Pendleton) writes:

> When you try to use the vserver build -m copy function it requires a
> file that does not exist.

Yes, this is expected because this method is not implemented yet. Sorry, I should remove it from the help text

Enrico
[Vserver] Re: another vserver build bug
Kevin Pendleton <[EMAIL PROTECTED]> writes:

> When I try to use the vserver build -m apt-rpm function to create a fc3
> vserver on a centos host with util-vserver-0.30.205, I get the following
> output:
>
> vserver base-fc3 build -m apt-rpm --hostname domain.com --interface
> domain=eth0:192.168.0.129/24 --initstyle plain --context 500 --force --
> -d fc3
> ...
>    2:filesystem ###
> [ 29%]
> error: unpacking of archive failed on file /usr/bin/X11;4256ae14: cpio:
> symlink failed - No such file or directory

Sorry, I forgot to add the instructions which make fc3 a redhat style system (the 'initpre' script is missing). A workaround could be to set 'redhat_style' during the installation of the tools:

| $ make install redhat_style='rh9 fc1 fc2 fc3' ...

Alternatively, you can link the scripts into the distribution directory manually:

| # ln -s ../redhat/initpre /usr/lib/util-vserver/distributions/fc3/
| # ln -s ../redhat/initpost /usr/lib/util-vserver/distributions/fc3/

Enrico
[Vserver] Fakeinit issues
Hello,

I discovered some irregularities regarding fakeinit functionality. The following program gives different output on host and vservers:

| #include <stdio.h>
| #include <stdlib.h>
| #include <unistd.h>
|
| int main(int argc, char *argv[])
| {
|   printf("%i\n", getsid(atoi(argv[1])));
| }

On host:

| # ./a.out 1
| 0

on VServer:

| # chcontext --xid 100 --flag fakeinit ./a.out 1
| 7448

This issue causes unexpected behaviour with SysV's 'killall5' which will kill the init-process also.

Btw, this test reveals a minor security leak: getsid(2) does not test if the pid is visible but gives out the correct result:

| # chcontext --xid 100 --flag fakeinit ./a.out $$
| 10461

('$$' expands to the pid of the bash invoking 'chcontext'). Ditto for getpgid(2).

The used patch was vs1.9.5-rc4 on a 2.6.11.6 kernel.

Enrico
Re: [Vserver] I'm in trouble now ....
[EMAIL PROTECTED] ("Paul S. Gumerman") writes:

> Ran "vserver fc3-reference hashify", which ran ok with one message
> (sorry, can't recall it now).

The exact message would be helpful perhaps.

> Then tried "vserver loco-reference hashify" which failed with a
> message saying "vserver ... suexec is support for running vserver
> only; aborting ..." *BTW, that should read "supported".*

Thx, speling has been fixed. When this message appears, 'vhashify' stopped at a very early stage without modifying any file.

> I tried to start loco-reference, but got the message "an error
> occurred very likely that initscript faild " with no other
> details regarding just what had failed. When I started it again, I did
> get the message that lines 1 and 3 in the fstab had failed because the
> fs's were already mounted, so it did get that far, at least.
>
> I also found that I could no longer stop any of the running vservers.
> The message was " still running unexpectedly. Please investigate
> it manually."
>
> Running vserver-stat results in a Segmentation fault.

Tracking this segfault would be helpful. Do you see kernel messages (oops) there? Else, possible ways to trace it are:

* chcontext --xid 1 strace vserver-stat
* chcontext --xid 1 gdb vserver-stat --> r + bt (perhaps compiling tools with 'CFLAGS="-O0 -g3" ./configure ...')

> Also, this might be a hint: if I try running vtop (as root) I get
> "chcontext: execvp: ("top") Permission denied"

mmh... is SELinux enabled?

Enrico
Re: [Vserver] [announce] util-vserver 0.30.205 + status report
[EMAIL PROTECTED] ("Paul S. Gumerman") writes:

> Where can I find this?

Sorry, please use the

http://www.nongnu.org/util-vserver/

homepage or the savannah projectpage

https://savannah.nongnu.org/projects/util-vserver/

Enrico
Re: [Vserver] util-vserver (becoming stable ?)
[EMAIL PROTECTED] (Olivier Poitrey) writes:

>> what about LYCOS? They are using vserver and get much money with
>> it. They also provide Internet-Access.
>> Here a link for the german readers:
>> http://www.lycos.de/startseite/online/internetzugang.html
>>
>> Should Enrico ask them for some money to stay online at home? They
>> provide ISDN (and DSL). 100 Euros per month is no money for a
>> company like Lycos.
>> Lycos could give him 200 hours free per month or something like that.
>
> Sure we can do this. I don't know if ADSL with Lycos will be possible
> at his place

Probably not (at least not, unless somebody installs copper cable parallel to the existing fibre cable). When DSL would be available I would pay the 25-30 EUR myself. But ATM, ISDN is the only alternative.

Enrico
[Vserver] [announce] util-vserver 0.30.205 + status report
Hello,

version 0.30.205 util-vserver (alpha branch) is out. Noticeable changes are a new 'vhashify' command which is a successor of 'vunify'. It uses some aggressive techniques like mmap'ing of files and the creation of sparse files. To prevent data loss, it is strongly recommended to execute 'make check' when using non-ext3 filesystems. (Unfortunately, the 'cmp' tool is sometimes not configured for large files and will create false positives).

Another issue is 'vyum': the current 'yum' version makes it impossible to execute it when the vserver is running (there, /.. might be unequal to /). A fix for yum can be found at

https://bugzilla.redhat.com/beta/show_bug.cgi?id=146650#c1

but the upstream author dislikes it. Feel free to request another fix there ;)

Enrico
Re: [vserver] security context ?
[EMAIL PROTECTED] (Timo Müller) writes:

> hmm
> how can I disable selinux?

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825880

Enrico
Re: [vserver] rpmpriorities
[EMAIL PROTECTED] (Timo Mueller) writes:

> Can I here:
> /usr/src/redhat/BUILD/util-vserver-0.30.204/distrib/fc3/apt/rpmpriorities
>
> Configure what packages been installed when I build a new vserver?
> Or what stand this (rpmpriorities) for?

That's a configuration file for apt. It is used by util-vserver to define a minimal set of packages which must be there (else, apt will complain loudly when such a package is going to be removed). It can be used also to add packages which are necessary for the vserver operation (e.g. 'httpd' for webservers). But I think, it is easier to execute 'vapt-get webserver -- install httpd' instead of editing this file manually.

Google will be your friend for more information about 'rpmpriorities'.

Enrico
Re: [vserver] build problem
[EMAIL PROTECTED] (Timo Mueller) writes:

> But just for my understanding: What is this -initpre- and
> why does it work now?

This is a script which will be executed before unpackaging the files. It works because it works around

>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52725

There is another script 'initpost' which gets executed after unpackaging and makes stuff like the removal of certain initscripts.

Enrico
Re: [vserver] security context ?
[EMAIL PROTECTED] (Timo Müller) writes:

> I've a FedoraCore3 vserver and I wanna change the password for an
> user and then ...
>
> passwd test
> passwd: root:system_r:unconfined_t is not authorized to change the
> password of test

Disable SELinux. Its kernel API (/proc/self/attr + /selinux) makes it unsuitable for chroot environments. Every workaround you apply will be voided by the next libselinux version.

Enrico
Re: [vserver] Config
[EMAIL PROTECTED] (Timo Müller) writes:

> where can i change that ??
>
> Can not find a vserver-setup at '/usr/local/etc/vservers//'.

See README for the ./configure options which create "expected" paths.

Enrico
Re: [vserver] build problem
[EMAIL PROTECTED] (Timo Müller) writes:

> this error comes when I want to build a fc3 vserver!
> ...
>2:filesystem
>### [ 29%]
> Fehler: unpacking of archive failed on file /usr/bin/X11;422ffd85:
> cpio: symlink failed - No such file or directory

I was wrong in my last (private) mail... Probably you are missing the 'initpre' script which creates /usr/bin before installing the files. For reasons see

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52725

For now, just link the common redhat 'initpre' script to your fc3 distribution dir; e.g.:

| ln -s /usr/lib/util-vserver/distributions/redhat/initpre /etc/vservers/.distributions/fc3/

Enrico
Re: [Vserver] [vservers] Two Problems
[EMAIL PROTECTED] (Timo Müller) writes:

> I've build a fc2 vserver and I can start it and enter it but I can't
> stop it.
> This error comes or it don't go on (i think it can't shutdown that
> interface) But why ??:

mmh... the network initscripts should have been disabled by 'vserver ... build' (the initpost command is responsible for doing that).

> Second:
> I wanna build a fc3 vserver, but in ./distrubotion is only fc2, so i
> make a new directory
> fc3 and add a source list to
> /etc/vservers/.distributions/fc3/apt/sources.list

you should add an 'rpmpriorities' there also. Next util-vserver version will have apt support for fc3 also.

> And now i wanna build it and then:
>
> -bash-3.00# vserver vs-fc3-3 build --force -m apt-rpm --hostname
> vsfc3-3.a.de --netdev et
> 0 --interface xxx.xxx.xxx.xxx/26 -- -d fc3 -m apt-rpm --hostname
> vsfc3-3.a.de --netdev eth0
> Renamed '/usr/local/etc/vservers/.defaults/vdirbase/vs-fc3-3' to ~~

Are you sure that there are no conflicts? Above, you mentioned /etc/... as the place for the configuration.

> E: Konnte Datei
> /usr/local/etc/vservers/vs-fc3-3/apps/pkgmgmt/base/apt/etc/rpmpriorities
> nicht öffnen - open (2 Datei oder Verzeichnis nicht gefunden)

Enrico
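A pre-flight check for a hand-made distribution directory such as the fc3 one in the build-problem and Two Problems threads, added here as an example and not part of util-vserver or of any post. The function name `check_distribution` is hypothetical, and the layout is an assumption taken from the replies: 'initpost' next to 'initpre', and 'rpmpriorities' beside apt/sources.list.

```shell
#!/bin/sh
# Added example, not util-vserver code.
# Assumed layout: <confdir>/.distributions/<dist>/{initpre,initpost,apt/sources.list,apt/rpmpriorities}
#
# usage: check_distribution /etc/vservers fc3
# Prints one line per problem; returns 0 only when nothing is missing.
check_distribution() {
    confdir=$1
    dist=$2
    distdir="$confdir/.distributions/$dist"
    problems=0

    # A build that reads /usr/local/etc/vservers will never see a
    # distribution directory created under /etc/vservers (or vice versa).
    if [ ! -d "$distdir" ]; then
        echo "no distribution directory: $distdir (other config prefix in use?)"
        return 1
    fi

    for item in initpre initpost apt/sources.list apt/rpmpriorities; do
        path="$distdir/$item"
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            # e.g. initpre linked to /usr/lib/util-vserver/... while the
            # tools were installed under another prefix
            echo "dangling symlink: $path -> $(readlink "$path")"
            problems=$((problems + 1))
        elif [ ! -e "$path" ]; then
            echo "missing: $path"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```

Run it against each configuration prefix in play (for example /etc/vservers and /usr/local/etc/vservers) before 'vserver ... build'.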