[Vserver] problem with netfilter and vservers
Hello Gang,

I've been having some serious problems with vservers and iptables! Sometimes I need to add SNAT rules for my vservers to route outside the root server and, some other times, I can't access my vservers from the outside :o(

Take this script for example: http://lms.ispgaya.pt/goodies/iptables

On the server where I use it everything worked like a charm! Until... I had to add support in the kernel for another NIC.

[EMAIL PROTECTED] ~# lspci
00:00.0 Host bridge: Intel Corp.: Unknown device 2570 (rev 02)
00:01.0 PCI bridge: Intel Corp.: Unknown device 2571 (rev 02)
00:1d.0 USB Controller: Intel Corp.: Unknown device 24d2 (rev 02)
00:1d.1 USB Controller: Intel Corp.: Unknown device 24d4 (rev 02)
00:1d.2 USB Controller: Intel Corp.: Unknown device 24d7 (rev 02)
00:1d.3 USB Controller: Intel Corp.: Unknown device 24de (rev 02)
00:1d.7 USB Controller: Intel Corp.: Unknown device 24dd (rev 02)
00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corp.: Unknown device 24d0 (rev 02)
00:1f.1 IDE interface: Intel Corp.: Unknown device 24db (rev 02)
00:1f.3 SMBus: Intel Corp.: Unknown device 24d3 (rev 02)
00:1f.5 Multimedia audio controller: Intel Corp.: Unknown device 24d5 (rev 02)
01:00.0 VGA compatible controller: nVidia Corporation RIVA TNT2 Model 64 (rev 15)
02:05.0 Ethernet controller: 3Com Corporation: Unknown device 1700 (rev 12)
02:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:0b.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:0d.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
[EMAIL PROTECTED] ~#

Since the 3Com (gigabit, built-in) Ethernet device is unknown, I added support for it and recompiled the kernel. After rebooting the machine, I couldn't access any services on 192.168.3.81 (vserver called ciisp) from the outside.
I disabled support for that NIC again, recompiled and rebooted, and everything went back to normal again! Can anybody help me with this? Is this normal behaviour? I also don't understand why some vservers need me to -j SNAT --to root-server and others don't!

Thanks in advance,

+
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+

This email was sent via the ISPGaya webmail
Instituto Superior Politécnico Gaya

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] problem with netfilter and vservers
Dear Herbert,

Although I really thought your email was full of sarcasm (*really* sorry if I misinterpreted it :o) ), please read along the email to find some comments replying to your comments...

> *sigh* well, let's interpret parts of it ...
>
>     $IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT
>     $IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 192.168.4.0/24 -j ACCEPT
>
> accept network traffic from 192.168.3 to 192.168.2 and 192.168.4 (unmodified, unconditional)
>
>     $IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 193.126.109.240/255.255.255.248 -j ACCEPT
>
> same for traffic from 192.168.3 to 193.126.109.240-247
> hmm, why would KQPT Network Operations want packets from a private network?
>
>     $IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 193.126.229.32/255.255.255.248 -j ACCEPT
>
> hmm, seems they definitely want private traffic :)
>
>     $IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d ! 192.168.0.0/16 -j SNAT --to 192.168.3.2
>
> everything not destined at 192.168 will appear as private IP 192.168.3.2 (strange, why would we want that?)
>
>     $IPTABLES -A POSTROUTING -t nat -s 172.28.10.0/24 -d ! 172.28.10.0/24 -j SNAT --to-source 172.28.10.254
>
> and similar for 172.28.10, which had no role yet, but seem to be valid IPs for output, and we SNAT them all to 172.28.10.254 ...
>
> so this setup assumes that both 192.168.3.2 and 172.28.10.254 can reach the outside (whatever that might mean) and that there are either two routes or the router can handle both IPs ...
>
>> On the server where I use it everything worked like a charm! Until... I had to add support in the kernel for another NIC.
>> [EMAIL PROTECTED] ~# lspci
>> 00:00.0 Host bridge: Intel Corp.: Unknown device 2570 (rev 02)
>> 00:01.0 PCI bridge: Intel Corp.: Unknown device 2571 (rev 02)
>> 00:1d.0 USB Controller: Intel Corp.: Unknown device 24d2 (rev 02)
>> 00:1d.1 USB Controller: Intel Corp.: Unknown device 24d4 (rev 02)
>> 00:1d.2 USB Controller: Intel Corp.: Unknown device 24d7 (rev 02)
>> 00:1d.3 USB Controller: Intel Corp.: Unknown device 24de (rev 02)
>> 00:1d.7 USB Controller: Intel Corp.: Unknown device 24dd (rev 02)
>> 00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
>> 00:1f.0 ISA bridge: Intel Corp.: Unknown device 24d0 (rev 02)
>> 00:1f.1 IDE interface: Intel Corp.: Unknown device 24db (rev 02)
>> 00:1f.3 SMBus: Intel Corp.: Unknown device 24d3 (rev 02)
>> 00:1f.5 Multimedia audio controller: Intel Corp.: Unknown device 24d5 (rev 02)
>> 01:00.0 VGA compatible controller: nVidia Corporation RIVA TNT2 Model 64 (rev 15)
>> 02:05.0 Ethernet controller: 3Com Corporation: Unknown device 1700 (rev 12)
>> 02:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
>> 02:0b.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
>> 02:0d.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
>
> hmm, four different network controllers easily confuse the unpracticed eye and often also the admin attached to it :)
>
>> [EMAIL PROTECTED] ~#
>>
>> Since the 3Com (gigabit, built-in) Ethernet device is unknown, I added support for it and recompiled the kernel. After rebooting the machine, I couldn't access any services on 192.168.3.81 (vserver called ciisp) from the outside.
>
> hmm, let's see .. *turns on the seeing orb* ... ah, looks like your 3com card got detected _before_ the other three realtek ones, so it was named eth0, instead of eth4 ... hmmm, ... and that probably messed up all other NICs, as they are now eth1 instead of eth0, eth2 instead of eth1 ...
> now, most likely some of your guests have the interface coded (it's a little blurry now) and others just an ip
>
>> I disabled support for that NIC again, recompiled and rebooted, and everything went back to normal again! Can anybody help me with this? Is this normal behaviour?
>
> I guess yes, it is the typical linux networking behaviour so nothing critical ...
>
>> I also don't understand why some vservers need me to -j SNAT --to root-server and others don't!
>
> this also escapes my imagination (basically because of lack of information) but I assume that some have real IPs and/or communicate on private IPs where others have to use the host IP for outgoing traffic ...
>
> best,
> Herbert

There are 4 NICs on the root server called leonardo-root.

eth0 - 192.168.3.2 [connecting to our internal network / outside world]
eth1 - 10.69.69.1 [connecting to the outside world (ADSL connection)]
eth2 - 172.28.10.254 [connecting to some IP cameras]
eth3 - not used... [until I added support for the 3Com card, of course :o)]

Also, as you stated, after I added support for the 3Com card, all the other NICs switched names... Well, a little comment on this :o)

1st of all, I'm no idiot and I obviously know that and changed all the cables
2nd why did you assume that?
3rd ever thought I could be using modules in my kernel and aliasing the NICs? ;o)

Either way... by default, the packets to unknown networks go through eth1 [gw: 10.69.69.254]. There
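An added check, not from the thread or the Linux-VServer project, for the failure Herbert describes: before the iptables script loads its SNAT rules, verify that each interface name still carries the MAC it is expected to have, so a driver change that renumbers eth0..eth3 is refused instead of SNATing a subnet out of the wrong NIC. The interface roles and addresses are the ones Luís lists; the MAC addresses and the two `ip -o link` dumps are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or the Linux-VServer project.
# Refuse to load the NAT rules unless each interface name still carries the
# MAC it is expected to have, so a driver change that renumbers eth0..eth3
# fails loudly instead of SNATing a subnet out of the wrong NIC.
# Roles and addresses are those from the thread; the MACs are constructed.

EXPECTED_MAP='
eth0 00:11:22:33:44:01 192.168.3.2   internal
eth1 00:11:22:33:44:02 10.69.69.1    adsl-uplink
eth2 00:11:22:33:44:03 172.28.10.254 ip-cameras
'

# mac_of IFACE DUMP: print the link/ether address of IFACE from "ip -o link"
# style output (one interface per line); prints nothing if IFACE is absent.
mac_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        name == want {
            for (i = 1; i <= NF; i++)
                if ($i == "link/ether") { print $(i + 1); exit }
        }'
}

# check_iface_map DUMP: return 0 when every expected interface has its MAC,
# otherwise print one MISMATCH line per interface and return 1.
check_iface_map() {
    dump="$1"
    rc=0
    # the here-document keeps the loop in the current shell, so rc survives it
    while read -r iface mac addr role; do
        [ -n "$iface" ] || continue
        actual=$(mac_of "$iface" "$dump")
        if [ "$actual" != "$mac" ]; then
            echo "MISMATCH: $iface ($role, $addr) expected $mac, found ${actual:-nothing}"
            rc=1
        fi
    done <<EOF
$EXPECTED_MAP
EOF
    return $rc
}

# guard_firewall_load: what the iptables script would call first. Needs the
# real "ip" tool, so it is not exercised by the constructed data below.
guard_firewall_load() {
    check_iface_map "$(ip -o link)" || {
        echo "interface layout changed, refusing to load NAT rules" >&2
        return 1
    }
}

# Constructed "ip -o link" output before the 3Com driver was added ...
GOOD_DUMP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:03 brd ff:ff:ff:ff:ff:ff'

# ... and after it: the 3Com card became eth0 and pushed the Realtek cards
# to eth1..eth3, exactly the renumbering Herbert describes.
RENAMED_DUMP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:04 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:11:22:33:44:03 brd ff:ff:ff:ff:ff:ff'

echo "before driver change:"; check_iface_map "$GOOD_DUMP" && echo "ok, rules may be loaded"
echo "after driver change:";  check_iface_map "$RENAMED_DUMP" || echo "rules NOT loaded"
```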
[Vserver] new kernel 2.4.27...
Hello dear list,

I want to upgrade my servers to kernel 2.4.27 but there isn't a final 2.4.27 patch! :o)
Will there be one soon Herbert?

Best,

+-
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+-

This email was sent through the site http://webmail.ispgaya.pt/
Instituto Superior Politécnico Gaya
Re: [Vserver] new kernel 2.4.27...
oh kie, thanks for the quick (as usual) response :o)

Herbert Poetzl [EMAIL PROTECTED] wrote:

> On Mon, Aug 09, 2004 at 01:49:19PM +0100, Luís Miguel Silva wrote:
>> Hello dear list,
>> I want to upgrade my servers to kernel 2.4.27 but there isn't a final 2.4.27 patch! :o)
>
> well, I wanted to avoid the 1.29 ooops, 1.30, oops 1.31 fiasco this time, so I decided to put up some release candidate, which I (if nobody else) will test during this week ...
>
> http://vserver.13thfloor.at/Experimental/patch-2.4.27-vs1.29-rc1.diff
>
> (probably) it will then get released as final 2.4.27 patch ...
>
>> Will there be one soon Herbert?
>
> so yes ;)
>
> best,
> Herbert
Re: [Vserver] Vservers...cron jobs...
I'm talking about /etc/cron.daily jobs! :o)

I created two files (webalizer and sarg) so my box would run them daily... logrotate (on /etc/cron.daily) got executed but my other two scripts weren't! (they were all right and had write permissions). As I saw logrotate getting executed, I added my webalizer and sarg scripts to it. It worked all right. Today I checked that my scripts were executed fine!

Btw, shouldn't crontab -l return the /etc/crontab file?

proxy-adsl:/# crontab -l
no crontab for root
proxy-adsl:/# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.weekly
52 6    1 * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.monthly
#

It seems all went good... though I don't understand why my scripts did not run alone...

Thanks,
Luís Silva

On Sun, 2004-04-25 at 04:44, Nuno Silva wrote:
> Luís Miguel Silva wrote:
> | Hello all,
> |
> | Does anybody else have problems with cron jobs?
> | I can't seem to get my cron jobs executed.
> | I always had this problem with mini-debian-vserver based vservers.
> |
> | Anybody else?
> |
>
> Hello, Luís!
>
> I don't have problems with that particular image...
>
> Are you talking about the /etc/cron.* directories (and /etc/crontab) or user's cron jobs?
>
> I suspect that it's a configuration problem.
> If you find the problem please report so that the image can be fixed :-)
>
> Regards,
> Nuno Silva
[Vserver] Vservers...cron jobs...
Hello all,

Does anybody else have problems with cron jobs?
I can't seem to get my cron jobs executed.
I always had this problem with mini-debian-vserver based vservers.

Anybody else?

Best,
Luís Silva
Re: [Vserver] Email lists targeted for promotion
Damn... I can't believe it. We just got a mail from a web directory with email addresses separated by states, cities, companies, people, activities... Ahmm... damn spam! This is one of the reasons I don't believe in god! :oP If god existed... he would punish these fuck-ups... :o[

On Fri, 2004-04-23 at 21:36, Mariana Coutinho wrote:
> Lists for direct mail via e-mail. E-mails separated by states, cities, companies, individuals, activities.
> http://www.gueb.de/divulgamail
> Programs for promotion via e-mail. Promote your site and sell much more.
> Email lists targeted for promotion of homepages or sale of products and services via internet.
> E-mail marketing, spam, direct mail lists.
> Visit now: http://www.gueb.de/divulgamail
Re: [Vserver] Super Cheap V-1-A-G-R-A!! ($2/dose)
I thank this wonderful list... but I don't need it! :D

On Sat, 2004-03-06 at 14:46, steve wrote:
> The lowest price on V I A G R A on the 'net!!
> Click here: http://royaldrugs.com/sv/index.php?pid=eph9106
>
> laura carlchance binky robinhoo center sbdc groovy maria octobersailor cuddles asterix surf marvin tanya
>
> To get off this list, go to http://drugsbusiness.com/gv/applepie.php
Re: [Vserver] Linux-Vserver Wiki Hacked ;)
ROTFL... it's typical... stupid Brazilian idiots. That dude is Brazilian. He wrote in Portuguese something like this:

lol, if this project's security is like the security of this webpage, I advise everybody to use it! That way we can have so much fun! I won't even comment! fucking incompetents

S4T4N1C_BR41N was here... *ROTFL*... no comments! ;o)

On Fri, 2004-02-27 at 18:15, Herbert Poetzl wrote:
> Hi Folks!
>
> some funny people decided to replace the Linux-VServer wiki with a message ... (as the wiki uses version control this was not an issue), but I would like to know what they wanted to tell us ... so here is the original message, and what altavista did to it ...
>
> --
> = Linux VServer Project =
>
> if the project is like the security here then I advise it to everyone... Because that way we're going to have a lot of fun... I won't even say anything, fucking incompetence, see
>
> S4T4N1C_BR41N was here
> Need Help?! [EMAIL PROTECTED]
> -!e0f!-
> --
> altavista: Portugese - English
> --
> = Linux VServer Project =
>
> if the project will be that nor the security entaum I advise to all á it... Therefore thus agent goes to have fun itself very... Vo nor says to nothing incompetence of caralho saw...
>
> S4T4N1C_BR41N was here
> Need Help?! [EMAIL PROTECTED]
> -!e0f!-
> --
>
> this change was made from 200-232-205-3.dsl.telesp.net.br so maybe you know someone, who knows someone ;)
>
> TIA,
> Herbert
Re: [Vserver] TTY logging ...
> a) do you consider this or a similar feature very useful for linux-vserver?
> b) would you use such a feature on your hosts?
> c) how do you feel about 'violating the privacy' in such cases ...

a) Yeaps, all extra features are welcome
b) sure! especially on a honeypot environment!
c) what privacy? ;o) heh... all your users ARE BELONG to us! heh..

Best,
Luís

Herbert Poetzl [EMAIL PROTECTED] wrote:

> Hi Folks!
>
> somebody on the irc channel mentioned a feature called 'tty logging' which UML provides ... well it isn't strictly an UML feature, and therefore I would like to have your opinion:
>
> http://user-mode-linux.sourceforge.net/tty_logging.html
>
> ... especially:
>
> - do you consider this or a similar feature very useful for linux-vserver?
> - would you use such a feature on your hosts?
> - how do you feel about 'violating the privacy' in such cases ...
>
> TIA,
> Herbert
Re: [Vserver] new linux 2.4.25
Yeah... and they're starting giving linux a bad name (on a security basis).. :o(
Fortunately, more ms windows flaws have been discovered also.. heh

On Wed, 2004-02-18 at 15:44, Christian Mayrhuber wrote:
> Herbert Poetzl wrote:
>> On Wed, Feb 18, 2004 at 03:14:40PM +0100, Ondřej Surý wrote:
>>> Herbert, would you be so kind and make diff against 2.4.25, which was released just few minutes ago?
>>
>> can be found at: http://www.13thfloor.at/vserver/s_release/v1.26/
>>
>> HTH,
>> Herbert
>
> Thanks! Damn are you quick. Finally, xfs has made it.
> Those root exploits are not doing linux any favour in the netcraft uptime survey ;-)
[Vserver] Patch not working...more information?
Hello all,

This time I was able to *apparently* fix the problem by using Jacques' tools 0.29!
Sorry for the previous email but I did the upgrade to Jacques' tools in the past and the vservers still didn't work!

Thanks,
Luís Silva
Re: [Vserver] Patch not working...more information?
Still, I don't get it! If Jacques broke the tools, why isn't there an official tarball with everything working? And... where are they broken? Perhaps there is something broken on my server and I don't know it yet! :oP

Best,
Luís

On Sun, 2004-02-08 at 16:15, Herbert Poetzl wrote:
> On Sun, Feb 08, 2004 at 04:09:05PM +, Luís Miguel Silva wrote:
>> Your page is a little confusing. Yes, I saw that you didn't host Jacques' tools and... saw a fix to Jacques' tools. But since I tried those tools with your fix and my vservers didn't work, I decided not to use the patch today. Why are they broken?
>
> because jack was in a hurry, and did too many changes at once ... I guess ;)
>
>> Apparently, everything is working on my servers now!
>
> if it works for you, it's perfectly fine for me ...
>
> best,
> Herbert
>
>> Thanks,
>> Luís
>>
>> On Sun, 2004-02-08 at 16:01, Herbert Poetzl wrote:
>>> On Sun, Feb 08, 2004 at 03:53:40PM +, Luís Miguel Silva wrote:
>>>> Hello all,
>>>> This time I was able to *apparently* fix the problem by using Jacques' tools 0.29!
>>>
>>> hmm, I hate to disappoint people, but did you have a look at my pages? there is a reason why I do not list Jack's 0.29 version and it's simple, because it's broken!
>>>
>>> best,
>>> Herbert
>>>
>>>> Sorry for the previous email but I did the upgrade to Jacques' tools in the past and the vservers still didn't work!
>>>>
>>>> Thanks,
>>>> Luís Silva
Re: [Vserver] A little complaint from a *sometimes* unhappy user...
Oh... my idea wasn't to flame Herbert! You rule man ;o) I just wanted to understand why things failed (at least for me). I subscribe to the mailing list but unfortunately I don't have time to follow all the messages!

Either way, it all is working perfectly now! The only thing I don't understand is what is the problem with Jacques' tools? :o) I'm using them without the fix and they seem to work all right??

Best,
Luís Silva

On Sun, 2004-02-08 at 16:27, Cathy Sarisky wrote:
>> I applied patch 1.25. All went smooth until the boot process. The vservers didn't boot again with that Can't change to security context #-1 (I think that was the exact message if I'm not mistaken).
>
> I saw this, but it was swiftly fixed by upgrading the vserver tools.
>
> I wouldn't complain too much - Herbert issued a patch for the vulnerability at blazing speed, and while the first patch wasn't perfect, he was quick to correct it. Not too bad for someone who is doing this for all of us as a volunteer.
[Vserver] vserver-0.29 not compiling on one server..
Hello,

I have a trustix 1.5 box and I am having trouble compiling the vserver-0.29 tools.

[EMAIL PROTECTED] /usr/src/vservers/vserver-0.29# make
g++ -c -o syscall.o syscall.cc
In file included from syscall.cc:1:
linux/vswitch.h:78: syntax error before `;'
linux/vswitch.h:79: syntax error before `;'
linux/vswitch.h:84: syntax error before `;'
linux/vswitch.h:86: syntax error before `;'
linux/vswitch.h:87: syntax error before `;'
linux/vswitch.h:96: syntax error before `;'
linux/vswitch.h:97: syntax error before `;'
linux/vswitch.h:107: syntax error before `;'
linux/vswitch.h:108: syntax error before `;'
linux/vswitch.h:109: syntax error before `;'
linux/vswitch.h:110: syntax error before `;'
linux/vswitch.h:114: syntax error before `;'
linux/vswitch.h:115: syntax error before `;'
linux/vswitch.h:116: syntax error before `;'
syscall.cc:18: `uint32_t' was not declared in this scope
syscall.cc:18: parse error before `,'
syscall.cc: In function `int vserver(...)':
syscall.cc:18: `cmd' undeclared (first use this function)
syscall.cc:18: (Each undeclared identifier is reported only once
syscall.cc:18: for each function it appears in.)
syscall.cc:18: `id' undeclared (first use this function)
syscall.cc:18: `data' undeclared (first use this function)
syscall.cc: In function `int call_new_s_context(int, int *, unsigned int, unsigned int)':
syscall.cc:40: `struct vcmd_new_s_context_v1' has no member named `remove_cap'
syscall.cc:41: `struct vcmd_new_s_context_v1' has no member named `flags'
syscall.cc: In function `int call_set_ipv4root(long unsigned int *, int, long unsigned int, long unsigned int *)':
syscall.cc:59: `struct vcmd_set_ipv4root_v3' has no member named `broadcast'
syscall.cc:61: `struct vcmd_set_ipv4root_v3::{anonymous}' has no member named `ip'
syscall.cc:62: `struct vcmd_set_ipv4root_v3::{anonymous}' has no member named `mask'
syscall.cc: In function `int call_set_ctxlimit(int, long int)':
syscall.cc:77: `struct vcmd_ctx_rlimit_v0' has no member named `id'
syscall.cc:78: `struct vcmd_ctx_rlimit_v0' has no member named `minimum'
syscall.cc:79: `struct vcmd_ctx_rlimit_v0' has no member named `softlimit'
syscall.cc:80: `struct vcmd_ctx_rlimit_v0' has no member named `maximum'
make: *** [syscall.o] Error 1
[EMAIL PROTECTED] /usr/src/vservers/vserver-0.29#

This is the output! Trustix comes with glibc 2.1, can this be the problem?

The thing is I currently have a 2.4.21-ctx17 kernel working perfectly. Did something dramatically change on the latest patches/tools?

This machine will *soon* be fresh installed, but I am currently running an exploitable 2.4.21 kernel because of this! I don't have local access to the machine which narrows down the possibilities, and a new remote install of the system would be a little bit risky since this is a production server.

Best,
Luís Silva
RE: [Vserver] [Release] Stable vs1.23 (improved security)
Hello,

Great to read that :o)

Am I gonna have the problems I had with 2.4.24-vs1.22? I am referring to the security context problems. Currently I am using 2.4.24-vs1.00 because of those! (after exchanging some mails in the past week with other users, which you probably saw too, I think those problems had to do with me not being able to get a random security context)! Other users complained about the same and said they resolved their problem by specifying a static security context.

Thanks for the new version,
Luís Miguel Silva

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Herbert Poetzl
Sent: Monday, 12 January 2004 6:11
To: [EMAIL PROTECTED]
Subject: [Vserver] [Release] Stable vs1.23 (improved security)

Hello Community!

hopefully the final bugfix release of the second linux-vserver stable release (1.23) is now available at

http://www.13thfloor.at/vserver/s_release/v1.23/

you can download an all-in-one patch for 2.4.24 as well as tar archives of the splitup ... (patches for older kernels available on request)

this release fixes another locking issue, this time within the /proc filesystem, and adds a very important security interface, to protect entries against unwanted access.

older tools (especially tools for 1.22) should work but util-vserver-0.26 or later is recommended.

new proc security feature:

by using the vproc tool (provided in vproc-0.1.tar) it is now possible to limit the visibility of proc entries to either the host, the special context one, or both, according to your preference.

note: by default all proc entries are visible and therefore accessible via read and write on all contexts, only restricted by the linux capability system, which is equivalent to the setup in all earlier versions.

(using the entry meminfo as example)

vproc /proc/meminfo       (shows current visibility)
vproc -d /proc/meminfo    (hide in user context)
vproc -D /proc/meminfo    (hide in any context)
vproc -E /proc/meminfo    (show only in ctx one)
vproc -e /proc/meminfo    (default: visible)

please make sure to disable dangerous entries which are not required in a vserver anyway, like hardware interfaces (ide,bus,pci,scsi) or kernel interfaces (kmem,iomem,ioports,sys,...)

note: symbolic links and dynamically generated entries like /proc/pid can not be masked by this interface yet ...

enjoy,
Herbert
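An added script, not part of Herbert's announcement or the vproc tool, that applies the `vproc -D` hardening he recommends to the entries he names, and skips entries that are absent or are symbolic links, which the note says the interface cannot mask yet. PROC_ROOT and VPROC are assumed override hooks (defaulting to /proc and vproc) so the logic can be tried against a constructed tree on a host without vproc installed.

```shell
#!/bin/sh
# Added example, not part of the vs1.23 announcement or the vproc tool.
# Hide the /proc entries the release notes call dangerous from every guest
# context (vproc -D), skipping entries that are absent or are symbolic
# links, which the notes say the interface cannot mask yet.
# PROC_ROOT and VPROC are assumed override hooks (default: /proc and vproc)
# so the logic can be run against a constructed tree without vproc installed.

PROC_ROOT="${PROC_ROOT:-/proc}"
VPROC="${VPROC:-vproc}"

# Hardware interfaces (ide, bus, pci, scsi) and kernel interfaces
# (kmem, iomem, ioports, sys) named in the release notes.
DANGEROUS_ENTRIES="ide bus pci scsi kmem iomem ioports sys"

# classify_entry NAME: print "hide", "skip-symlink" or "skip-missing"
classify_entry() {
    path="$PROC_ROOT/$1"
    if [ -L "$path" ]; then
        echo skip-symlink        # vproc cannot mask symbolic links yet
    elif [ -e "$path" ]; then
        echo hide
    else
        echo skip-missing        # not present in this kernel, nothing to hide
    fi
}

# hide_dangerous_entries: run "$VPROC -D" on every hideable entry, print
# "NAME ACTION" per entry, and return the number of vproc invocations that
# failed (0 means every hideable entry is now hidden in all contexts).
hide_dangerous_entries() {
    failures=0
    for entry in $DANGEROUS_ENTRIES; do
        action=$(classify_entry "$entry")
        if [ "$action" = hide ]; then
            "$VPROC" -D "$PROC_ROOT/$entry" || failures=$((failures + 1))
        fi
        echo "$entry $action"
    done
    return $failures
}

# Only act on the real /proc when explicitly asked: sh hide-proc.sh --apply
if [ "${1:-}" = "--apply" ]; then
    hide_dangerous_entries
fi
```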
RE: [Vserver] High Port Pass through??
Isn't that because all the traffic which passes from the vservers to another network is passing by a NAT filter on the root vserver (which uses a high port for each connection it makes)?

Best,
Luís Miguel Silva

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Smit
Sent: Saturday, 10 January 2004 18:48
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] High Port Pass through??

On Fri, Jan 09, 2004 at 03:55:20PM -0800, Roderick A. Anderson wrote:
> *snipping to the point*
> We're seeing traffic that appears to be passed through on REALLY high port numbers.

Can you install tcpdump on the machine and give a sample of the traffic you believe is improper? (or a firewall log)

Regards,
Erik Smit
RE: [Vserver] Problem with kernel 2.4.24 + vs1.22
Everything is now working when running kernel 2.4.24-vs1.00 and vserver-0.26 + util-vserver-0.25

Thank you!
Luís Miguel Silva

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luís Miguel Silva
Sent: Wednesday, 7 January 2004 7:58
To: [EMAIL PROTECTED]
Subject: RE: [Vserver] Problem with kernel 2.4.24 + vs1.22

As you expected, the last test failed.
I'm going to try to use the old tools and then downgrade vs-1.22 to vs-1.00 using kernel 2.4.24

[EMAIL PROTECTED] ~# sh testme.sh
Linux-VServer Test [V0.05] (C) 2003-2004 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.4.24-vs1.22 i686/chcontext 0.29/chbind 0.29 [J]
---
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# succeeded.
[202]# failed.
[EMAIL PROTECTED] ~#

Thanks for all,
Luís Miguel Silva

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Herbert Poetzl
Sent: Wednesday, 7 January 2004 7:45
To: Luís Miguel Silva
Cc: [EMAIL PROTECTED]
Subject: Re: [Vserver] Problem with kernel 2.4.24 + vs1.22

On Wed, Jan 07, 2004 at 07:19:54AM -, Luís Miguel Silva wrote:
> I forgot to mention that this is happening on ALL my vservers since I upgraded to kernel 2.4.24-vs1.22!

please download and execute the following script on one of your 'failing' machines ...

http://vserver.13thfloor.at/Stuff/testme.sh

(it is okay, when the last test fails)

if you get any errors in the tests 202 try again with -v, and send the output
if everything looks okay, please try to upgrade/update one thing at a time
so in your case, just try the 'new' kernel with the 'old' tools you were using with 2.4.23-vs1.00 or downgrade/change the tools ...

my vs1.22 installation, running for 23 days without any issues (2.4.23-vs1.22) uses util-vserver 0.26 from enrico

HTH,
Herbert

Best,
Luís Miguel Silva

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luís Miguel Silva
Sent: Wednesday, 7 January 2004 7:14
To: 'Herbert Poetzl'
Cc: [EMAIL PROTECTED]
Subject: RE: [Vserver] Problem with kernel 2.4.24 + vs1.22

Hello Herbert (and all others),

Here are my configurations and tools versions:

[EMAIL PROTECTED] /usr/src/installs/new-vserver# ls
patch-vserver-0.29-fix01.diff  util-vserver-0.26/  util-vserver-0.26.tar.bz2  vserver-0.29/  vserver-0.29.src.tar.gz
[EMAIL PROTECTED] /usr/src/installs/new-vserver# cat /etc/vservers.conf
# Configuration file for the vservers service
# BACKGROUND=yes
#   start the vservers on tty9, in background so the rest of the
#   boot process end early
BACKGROUND=no
# This variable controls where the vservers are stored.
# This file is sourced by the various vservers configuration files
# in /etc/vservers. Each vserver may redefine the value so it points
# elsewhere. So vservers may be located in various places on the system.
# To make it simple, when you want to learn what is the vserver root
# source one vserver configuration and you will learn what is the
# actual vserver root for this vserver
VSERVERS_ROOT=/vservers
# When starting or entering a vserver, its /etc/mtab is generated on
# the fly so it matches the various volumes mounted inside the vserver
GENERATEMTAB=yes
[EMAIL PROTECTED] /usr/src/installs/new-vserver# cat /etc/vservers/srmi.conf
# Description: sapienflex-rmi
# Select an unused context (this is optional)
# The default is to allocate a free context on the fly
# In general you don't need to force a context
#S_CONTEXT=
# Select the IP number assigned to the virtual server
# This IP must be one IP of the server, either an interface
# or an IP alias
IPROOT=192.168.3.86
# You can define on which device the IP alias will be done
# The IP alias will be set when the server is started and unset
# when the server is stopped
# The netmask and broadcast are computed by default from IPROOTDEV
[Vserver] Problem with kernel 2.4.24 + vs1.22
Hello all,
Today I updated my server's kernel to 2.4.24-vs1.22 and I'm having some trouble when I try to stop the vserver.

[EMAIL PROTECTED] /usr/src/installs/new-vserver# vserver srmi stop
Stopping the virtual server srmi
Server srmi is running
ipv4root is now 192.168.3.86
Can't set the new security context : Invalid argument
sleeping 5 seconds
Killing all processes
chcontext version 0.29
chcontext [ options ] command arguments ...

chcontext allocate a new security context and executes a command in that context.
By default, a new/unused context is allocated

--cap CAP_NAME
    Add a capability from the command. This option may be repeated several time.
    See /usr/include/linux/capability.h
    In general, this option is used with the --secure option
    --secure removes most critical capabilities and --cap adds specific ones.
--cap !CAP_NAME
    Remove a capability from the command. This option may be repeated several time.
    See /usr/include/linux/capability.h
--ctx num
    Select the context. On root in context 0 is allowed to select a specific context.
    Context number 1 is special. It can see all processes in any contexts, but can't kill them though.
    Option --ctx may be repeated several times to specify up to 16 contexts.
--disconnect
    Start the command in background and make the process a child of process 1.
--domainname new_domainname
    Set the domainname (NIS) in the new security context. Use none to unset the domain name.
--flag
    Set one flag in the new or current security context. The following flags are supported. The option may be used several time.
    fakeinit: The new process will believe it is process number 1. Useful to run a real /sbin/init in a vserver.
    lock: The new process is trapped and can't use chcontext anymore.
    sched: The new process and its children will share a common execution priority.
    nproc: Limit the number of process in the vserver according to ulimit setting. Normally, ulimit is a per user thing. With this flag, it becomes a per vserver thing.
    private: No one can join this security context once created.
    ulimit: Apply the current ulimit to the whole context
--hostname new_hostname
    Set the hostname in the new security context
    This is need because if you create a less privileged security context, it may be unable to change its hostname
--secure
    Remove all the capabilities to make a virtual server trustable
--silent
    Do not print the allocated context number.
    Information about context is found in /proc/self/status
[EMAIL PROTECTED] /usr/src/installs/new-vserver# uname -a
Linux leonardo-root.ispgaya.pt 2.4.24-vs1.22 #1 SMP Tue Jan 6 09:52:07 WET 2004 i686 unknown unknown GNU/Linux
[EMAIL PROTECTED] /usr/src/installs/new-vserver#

Is this the problem with vkill you mention on your site (Herbert)?

Best,

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
RE: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Hello Herbert,
What about quota support for 2.4.24? ;oP

Hugz,

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Herbert Poetzl
Sent: Monday, 5 January 2004 21:52
To: [EMAIL PROTECTED]
Subject: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24

Hi Community!

for those who read about the newly discovered exploits in 2.4.23 ... and those who haven't yet, I decided to update the latest vserver patches (including the first stable release) to 2.4.24 ...

you can find them together with updated, signed md5sums on http://www.13thfloor.at/vserver/project/

HTH,
Herbert

vulnerabilities:
http://isec.pl/vulnerabilities/isec-0013-mremap.txt
http://www.securityfocus.com/bid/9154
[Vserver] Kernel 2.6.0..
Hello all,
I'm sorry if this has already been discussed on this mailing list but, is there going to be any vserver support for the 2.6.x kernel series?

Best regards and happy new year!
RE: [Vserver] Greetings
It seems to me that you're missing the kernel headers from your system?

[EMAIL PROTECTED] ~# locate ext2fs
/usr/include/ext2fs
/usr/include/ext2fs/ext2_ext_attr.h
/usr/include/ext2fs/bitops.h
/usr/include/ext2fs/ext2_err.h
/usr/include/ext2fs/ext2_types.h
/usr/include/ext2fs/ext2_fs.h
/usr/include/ext2fs/ext2_io.h
/usr/include/ext2fs/ext2fs.h
/usr/lib/libext2fs.a
/usr/lib/libext2fs.so
/usr/lib/libext2fs.so.2
/lib/libext2fs.so.2.4
/lib/libext2fs.so.2
[EMAIL PROTECTED] ~#

Check to see if you have them installed...

Best,

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Francis Lee
Sent: Sunday, 14 December 2003 13:14
To: [EMAIL PROTECTED]
Subject: [Vserver] Greetings

Hello,

I've downloaded and applied the patches (1.22) to a 2.4.22 kernel and am now trying to get the vserver, util-vserver and admin-vserver to work. I run rh8.0

I tried the mdk rpms but vserver choked asking for a different version of libstdc++. So I got the source.

There's no configure and no instructions so I just typed make

[EMAIL PROTECTED] vserver-0.29]# make
g++ -c -o syscall.o syscall.cc
g++ -c -o old_syscall.o old_syscall.cc
g++ -funsigned-char -Wall -g -O -DVERSION=\0.29\ chbind.cc syscall.o old_syscall.o -o chbind
g++ -funsigned-char -Wall -g -O -DVERSION=\0.29\ chcontext.cc syscall.o old_syscall.o -o chcontext
g++ -funsigned-char -Wall -g -O -DVERSION=\0.29\ reducecap.cc syscall.o old_syscall.o -o reducecap
g++ -c -o vutil.o vutil.cc
vutil.cc:12:28: ext2fs/ext2_fs.h: No such file or directory
vutil.cc: In function `int setext2flag(const char*, bool, int)':
vutil.cc:73: `EXT2_IOC_SETFLAGS' undeclared (first use this function)
vutil.cc:73: (Each undeclared identifier is reported only once for each function it appears in.)
make: *** [vutil.o] Error 1

Any help with what's wrong here?

Thanks in advance.
--
John Francis Lee
[EMAIL PROTECTED]
[Vserver] problem setting user limits...
Hello all,

I have a question regarding the ulimit on the vserver.
On vserver.conf I have ULIMIT=-HS -u 250
now I want to set some extra flags for each user that logs on to the server.
so I changed /etc/profile to have a:
ulimit -S -c 0 -p 8

This doesn't work. But I can set ulimit -S -c 0 -t 2048 for example.

Is there a patch or something I should do to only allow for X processes for EACH user that logs on to my server using shell access?

Best,
[Vserver] Patch for kernel 2.4.23...remote root = 2.4.22
Hello all,

I have been using kernel 2.4.21 + ctx17 (because of all the trouble I had using a different vserver patchset). Also, I have been trying to keep from using other versions till the vserver project went back in line again (which it seems to have :o).

Either way, because of the new local root vulnerability on kernels = 2.4.22, I really need urgently to patch all my boxes to 2.4.23.

When will there be a patch for it?

Best,