Re: [Vserver] Gentoo and hashified files

2007-05-23 Thread Oliver Welter
Hi Einar

 Oliver: I am somewhat amazed that your setup works. I would think
 Portage would get very upset, or at least confused, when packages that
 aren't marked as updated are, dependencies should be broken etc. But two
 years running is quite stable. Is it just /var and parts of /etc that
 are externally mounted, while /usr, /lib etc. are all shared?

It's a bit tricky - I will sketch the setup for you:

I have a template /vservers/template - that is a full-blown Gentoo
installation for vservers. When I do updates, I do them by chroot'ing to
this dir - NOT by entering a vserver!
This way the portage and the dependency database (stored in /var/) get
updated.

In the vserver guest's fstab, I mount the per-guest partition to /disk
and overlay some bind-mounts for /var and some of the /etc directories
(not the whole one!). For easy setups it's also OK to make symlinks from
/etc to the var partition.
The only thing you must take care of is updates that change the
config-file syntax. It should be obvious that files on the per-guest
config system (the cut-out parts of /etc and perhaps things in /var) are
not updated. I use this setup for webservers mainly, they are nearly
equal so I just have a differing config for /etc/apache2, all network
and hostname stuff is done from outside.

If you have any questions, don't hesitate to ask.

Oli
-- 
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721




___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Gentoo and hashified files

2007-05-18 Thread Oliver Welter

This might be offtopic but perhaps useful.

I have multiple guests that share the same root directly. All 
configuration and runtime relevant dirs (var and parts of etc) are 
mounted from a per guest partition.


Works with no hassle here for over 2 years now.

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72


[Vserver] Correct usage of vlan devices / weird error

2007-05-16 Thread Oliver Welter
Hi Folks,

Today I ran into a problem with network devices on vlans.

My box has one physical interface (eth0) which hosts two vlans (vlan3 +
vlan4). The basic vlan interfaces are created on system bootup and
each have one IP assigned.

In the vserver-config I used the default syntax with vlan3 in the file
dev and ignored the warnings on startup *sic* which worked on my old
config (0.30.210 tools on 2.6.15 kernel).

Today an angry customer called that his webserver is down - examination
showed:
The guest has a total of 6 interfaces assigned where 4 are in vlan3, the
first 3 in the vlan start up properly, the 4th one shows NETLINK:
numeric result out of range.

Does anybody have an idea on this? And perhaps anybody can point me to a good
idea how to get rid of the warnings. I don't succeed with the nodev flag...

Oliver


[Vserver] vnamespace -e 666 mount changed behaviour, guest mounts no longer displayed

2007-04-22 Thread Oliver Welter

Hi Folks,

I used the chance to upgrade my boxes and ran into one big issue now:

I use nagios to monitor my disks, the setup is done as follows:

* I have one partition per vserver guest
* the partition is mounted into the guest via the guest's fstab
  (/dev/drbd/www1  /data  ext3  defaults 0 0)


I used vnamespace -e xid check_disk www1 which runs a nagios script 
in the namespace of the guest. The nagios script basically runs a 
mount and greps the output.


Now, ergh - what happens:

Old behaviour:
   Kernel: 2.6.15.4-vs2.1.1-rc6-gentoo
   VS-API: 0x00020001
 util-vserver: 0.30.210; Feb 17 2006, 22:32:37


box$ vnamespace -e www2 mount
...lot of mounts on the root box
/dev/drbd/www2 on /vservers/www2/data type ext3 (rw,nodev,data=ordered)
tmpfs on /vservers/www2/dev type tmpfs (rw)
none on /vservers/www2/proc type proc (rw,nodiratime,nodev)


New behaviour:
   Kernel: 2.6.20-vs2.2.0-gentoo
   VS-API: 0x00020200
 util-vserver: 0.30.212; Apr  9 2007, 02:27:57

box$ vnamespace -e www1 mount
...lot of mounts on the root box
tmpfs on /vservers/wwwtemplate/dev type tmpfs (rw,size=100k)
tmpfs on /vservers/netqmail/dev type tmpfs (rw,size=100k)

The drbd mount is missing, though the nagios script fails.


Any ideas ???

Oliver


[Vserver] Behaviour of fstab mounting changed ?

2007-04-22 Thread Oliver Welter

Hi Folks,

I upgraded my box from

   Kernel: 2.6.15.4-vs2.1.1-rc6-gentoo
   VS-API: 0x00020001
 util-vserver: 0.30.210; Feb 17 2006, 22:32:37

to
   Kernel: 2.6.20-vs2.2.0-gentoo
   VS-API: 0x00020200
 util-vserver: 0.30.212; Apr  9 2007, 02:27:57

And now I have problems with some mount-related things.

I use drbd disks (one per guest) to share to guests between machines.
The device is mounted via a fstab entry, the drbd status is set via a 
script in prepre-start/postpost-stop.


This worked flawlessly for over a year now, with the new tools I can't 
shut down the drbd device from postpost-stop because the device seems to 
be still mounted.


Anybody can help ?

Oliver


Re: [Vserver] current stable on gentoo ?

2007-04-09 Thread Oliver Welter
Hi Hollow,

 2.2.0 is in portage since Apr 2nd ..

okok - my portage was 7 days old

 @Hollow - whats about new stages and the new baselayout - I saw your
 planet dev post from November 06 which reads about almost done.
 
 http://people.linux-vserver.org/~hollow/stages/
thx

Oliver



Re: [Vserver] Routing in VServers

2007-02-14 Thread Oliver Welter
Hi Asier,

 Networking & firewall are not my strong points, so perhaps this could
 sound a silly question.

There are only silly answers...

 I've five linux VServers, each with its own _real_ IP address (not
 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
 close access from outside to some ports, but allow full communication
 between the guests. The guests have valid IP addresses so I think
 [DS]NAT is not needed.

Communication between the guests never crosses the iptables rules, so
you can safely use the toolset of your distro to block the ports from
outside. If you want to do it by hand, there are a lot of rule builders
out there, but for simply blocking ports this should be sufficient:

iptables -I INPUT -p tcp --dport 3306 -j DROP

Will drop all connections to mysql from outside. If you prefer a
whitelist approach you can deny all incoming traffic by policy and only
drill holes into the firewall where needed - but this is a bit of magic
as you can really ruin your day if you lock yourself out of the box :)

Oliver


Re: [Vserver] Routing in VServers

2007-02-14 Thread Oliver Welter
Hi Bruno,

 Sorry Oliver, but local traffic DOES cross iptables (INPUT and OUTPUT rules, 
 not sure about pre/post-routing), but crossing is done with interface 'lo' 
 instead of 'eth*' or whatever other interface.

sorry you are totally right - fingers were faster than neurons :(

Oliver



Re: [Vserver] firewall between 2 vservers

2007-01-07 Thread Oliver Welter
Hi Oliver,

 i'm trying to restrict access from one vserver to another vserver
 running on the same machine. one is running on dummy0, the other one on
 dummy1. i tried firehol and shorewall, but it just doesn't work. it
 seems that all firewall rules are just ignored. what's so special with
 the vserver networking? has anyone examples how to setup working
 iptables rules that prevents access from one vserver to another?

AFAIK it is not possible to restrict networking between two guests as
the packets are switched directly on the shared interface and do not pass
the iptables queues. There is a new network stack popping up at the
horizon (network-ng) but it's not usable at the moment.

Oliver




Re: [Vserver] firewall between 2 vservers

2007-01-07 Thread Oliver Welter
Hi Bruno,

 All traffic does go through iptables, even local one!
 
 Local traffic will leave through the OUTPUT chain and come in through the 
 INPUT chain, using lo interface.
 In most cases though iptables is configured to accept all traffic that goes 
 through lo...
 

Hmm, guess I was wrong - through lo it should work - I mixed up my
tries to do some nat between guests which is surely not working through
loopback.

Sorry for the miss

Oliver
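
An added example, not part of the original mails: following Bruno's description that guest-to-guest traffic enters the INPUT chain on lo, it combines the default-deny approach from the "Routing in VServers" reply with a guest-to-guest restriction, and checks the ruleset for a guest rule shadowed by the blanket lo ACCEPT and for a missing admin port. The addresses, ports and function names are constructed.

```shell
#!/bin/sh
# Added example: addresses, ports and function names are constructed.
ADMIN_PORT=22          # assumption: the host is administered over SSH
GUEST_A=192.0.2.10     # constructed guest addresses (documentation range)
GUEST_B=192.0.2.11

# Print a filter table in iptables-restore format: drop by policy, then
# open only what is needed. The guest-to-guest DROP must come before the
# blanket "accept everything on lo" rule, or it never matches.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -s $GUEST_A -d $GUEST_B -p tcp --dport 3306 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport $ADMIN_PORT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin, print one finding per line, return non-zero
# if anything was found.
check_ruleset() {
    awk -v port="$ADMIN_PORT" '
        /^:INPUT DROP/ { deny = 1 }
        /^-A INPUT / {
            n++
            if ($0 ~ ("--dport " port " -j ACCEPT$")) admin = n
            if ($0 ~ /-i lo -j ACCEPT$/ && !lo_all) lo_all = n
            if ($0 ~ /-i lo .*-j DROP$/ && lo_all) {
                print "shadowed: rule " n " sits after the blanket lo ACCEPT (rule " lo_all ")"
                bad = 1
            }
        }
        END {
            if (deny && !admin) {
                print "lockout: INPUT policy is DROP, no ACCEPT for tcp port " port
                bad = 1
            }
            exit bad + 0
        }'
}

# Stand-alone run: print the ruleset only if it passes the check, so it
# can be reviewed or piped into `iptables-restore --test`.
if build_ruleset | check_ruleset; then
    build_ruleset
fi
```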




[Vserver] Gentoo vserver profile has gone

2006-12-24 Thread Oliver Welter
Hi Phreak/Hollow,

today I wanted to do some updates on my servers and recognized that
gentoo folks deleted the 2005.1 profiles tree with the vserver profile
in it.

As 2006.x does not contain the vserver profile I am a bit stuck.

Might you please push a usable profile to the actual portage asap.

THX

Oliver


[Vserver] dev in read-only guest / using a ramdisk

2006-12-23 Thread Oliver Welter
Hi Folks,

I posted a similar mail to the list about a year ago but didn't find time
to deal with the issue - so it pops up now again :)

My problem: I have my guests' root on a read-only partition, var is
another partition and tmp is a ramdisk. I have the /dev tree on the
read-only partition at the moment - the result is that syslog is not
working because the process can't write to the socket.

I tried to use a symlink for /dev/log to the writable partition - seems
not to work. If I put the whole /dev directory on the /var partition and
create a link or use bind-mount I get
vcontext: open(/dev/null): Permission denied
on guest start and the init is aborted.

Can anybody here point me to a working solution? Perhaps a ramdisk for
dev (but how to create the necessary nodes on the ramdisk??)

Merry Xmas and best regards

Oliver




Re: [Vserver] dev in read-only guest / using a ramdisk

2006-12-23 Thread Oliver Welter
Hi Herbert,

 yes, because the bind mount probably doesn't exist
 when the tools try to write to /dev/null

Hmmm, anyway

 IMHO a more secure solution would be to bind mount
 the /dev/log only and keep the entire /dev read only
 as that is more secure than having them on var

AFAIK it's not possible to bind-mount a file, or am I wrong?

I played around and came to a very nice solution :)
I added a script to the prepre-start level that mounts a tmpfs on /dev
and creates the necessary nodes. Seems to do fine.

Thx for the help anyway

Oliver
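
One way such a prepre-start script could look, as an added example rather than the script from this mail: it mounts a small tmpfs on the guest's /dev and creates a minimal set of character devices with their standard Linux major/minor numbers. The node list, the mount options and the convention of passing the guest root as the first argument are assumptions.

```shell
#!/bin/sh
# Added example; the node list and the guest-root argument are assumptions.
# Columns: name type major minor mode (standard Linux device numbers).
# Only character devices a guest normally needs; no block devices, no mem/kmem.
DEV_NODES='null    c 1 3 666
zero    c 1 5 666
full    c 1 7 666
random  c 1 8 666
urandom c 1 9 666
tty     c 5 0 666
ptmx    c 5 2 666'

# With DRY_RUN set, print each command instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

setup_dev() {
    root=$1
    case $root in
        /*) ;;
        *) echo "guest root must be an absolute path: $root" >&2; return 1 ;;
    esac
    dev=$root/dev
    # A symlinked dev would make the mount land outside the guest tree.
    if [ -L "$dev" ]; then
        echo "refusing: $dev is a symlink" >&2
        return 1
    fi
    # No nodev here (the nodes must work); nosuid and noexec still apply.
    # size=100k matches the tmpfs /dev mounts shown elsewhere in this archive.
    run mount -t tmpfs -o size=100k,mode=755,nosuid,noexec tmpfs "$dev" || return 1
    while read -r name type major minor mode; do
        run mknod -m "$mode" "$dev/$name" "$type" "$major" "$minor" || return 1
    done <<EOF
$DEV_NODES
EOF
    # Assumption: the guest's fstab mounts devpts here if it uses ptys.
    run mkdir -m 755 "$dev/pts" || return 1
    # /dev/log is deliberately not created: the syslog daemon creates its
    # socket itself once /dev is writable.
}

# Stand-alone use: pass the guest root, e.g. /vservers/www1 (constructed name).
if [ "$#" -ge 1 ]; then
    setup_dev "$1"
fi
```

Running it with DRY_RUN=1 prints the mount and mknod commands without touching the system, which is a cheap way to review the node list before the guest starts.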




Re: [Vserver] Enlarge /tmp partition

2006-12-13 Thread Oliver Welter
Hi Alejandro,

 LibClamAV Error: wrote 0 instead of 512
 (/tmp/clamav-67ea3a8be7a9faa9/main.ndb)
 cli_untgz: no space left on device
 
 In my /etc/vservers/virtual1/fstab I have this line related to /tmp:
 
 none   /tmp   tmpfs   size=16m, mode 1777 0   0
 

The /tmp is a memory-based filesystem in that case - this means it is
entirely kept in the machine's RAM. You have 16M, which is too small for
clamav - you can enlarge the size by just putting the wanted number in
the parameter size=XXXm (you must restart the vserver afterwards).

Note that this will consume RAM resources, if you have plenty of them,
that's OK, otherwise you should map /tmp to a new partition or, if you
don't have one left, drop the mountpoint and put it on the /var partition
with a symlink (ln -s /var/_tmp /tmp)

Oliver




Re: [Vserver] qmail-queue-scanner on vserver

2006-12-06 Thread Oliver Welter
Hi John,

I am running a qmail server as gentoo guest too and didn't have any
problems...

Did you set the spamassassin Use-Flag on QMS?

Perhaps you should try it manually by unpacking the qms package and running
configure by hand.

Oliver


Re: [Vserver] 2006.1 Gentoo x86 stage3 for vserver ?

2006-12-05 Thread Oliver Welter

Chuck wrote:
I have searched everywhere I can think of and can only find stage3 files dated 
march 2006. That will require an entire rebuild to bring it to spec!


is it a bad idea to use a default stage3

AFAIK since the last update of the baselayout it is not necessary to use 
a special stage - perhaps hollow or phreak can shed some light


Oliver


Re: [Vserver] 2006.1 Gentoo x86 stage3 for vserver ?

2006-12-05 Thread Oliver Welter
Sounds good - I am currently building an up-to-date version based on the 
latest image (unpacked Hollows stage3 and running gcc update procedure)


I guess the image will be ready in around 6 to 8 hours and I can offer 
it for download for using it as a template...


Oliver

John Alberts wrote:

What arch do you need?  If you need x86, I gave Bob P from the
Jackass! project a tarball that was created around September.  You can
download it at one of the mirrors at:
http://jackass.homelinux.org/jackass/mirror.html

If you need an amd64 arch, I can try and tarball one up for you
tonight and provide a link tomorrow.

-John


On 12/5/06, Benedikt Böhm [EMAIL PROTECTED] wrote:

On Tuesday 05 December 2006 12:57, Chuck wrote:
 I have searched everywhere I can think of and can only find stage3 files
 dated march 2006. That will require an entire rebuild to bring it to spec!

unfortunately these are the newest vserver stage3 currently available...

 Any place to find something done using 2006.1/gcc4.1.1? I understand I
 cannot build my own any more as there are no more vserver baselayout
 packages according to a previous msg in this list and I must use production
 quality packages on this machine. I cannot use experimentals.

As long as baselayout-1.13 is not stable, there will be no standard stages
that work with vserver... you still have to use vserver stages until it's
stable...

baselayout-vserver still exists, and should be used in production
environments, it will be removed after 1.13 is stable...

probably i'll create a bunch of new stages meanwhile, so that upgrade loads
will decrease..

Bene


Re: [Vserver] 2006.1 Gentoo x86 stage3 for vserver ?

2006-12-05 Thread Oliver Welter

Hi Chuck


http://jackass.homelinux.org/jackass/mirror.html



i686
thank you however i cannot access any of the mirrors listed.



at least this one is working for me
ftp://jackass.mojope.com/jackass/vserver


only one answered an ftp client and it required a login other than anonymous


Oli


[Vserver] vserver patch breaks fritzcapi on amd64 / 2.6.17

2006-10-01 Thread Oliver Welter
Hi Folks,

bought an AMD 64 X2 and ran into a problem. When I want to build the
fritzcapi module (AVM Fritzcard driver) I get an error (see below).

System is a gentoo with 2.6.17 kernel patchset.

Any ideas

Oliver

make[1]: Entering directory `/usr/src/linux-2.6.17-vserver-2.1.1-rc31'
  CC [M]
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/main.o
  CC [M]
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/driver.o
In file included from
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/tables.h:31,
 from
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/driver.c:45:
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/queue.h:32:
error: conflicting types for 'tag_t'
include/linux/types.h:43: error: previous declaration of 'tag_t' was here
In file included from
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/tables.h:31,
 from
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/driver.h:31,
 from
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/main.c:45:
/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/queue.h:32:
error: conflicting types for 'tag_t'
include/linux/types.h:43: error: previous declaration of 'tag_t' was here
make[2]: ***
[/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/main.o]
Error 1
make[2]: *** Waiting for unfinished jobs
make[2]: ***
[/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src/driver.o]
Error 1
make[1]: ***
[_module_/var/tmp/portage/fritzcapi-2.6.43/work/usr/src/kernel-modules/fritzcapi/fritz.pci/src]
Error 2
make[1]: Leaving directory `/usr/src/linux-2.6.17-vserver-2.1.1-rc31'
make: *** [fcpci.ko] Error 2


Re: [Vserver] gentoo update?

2006-09-11 Thread Oliver Welter
Hi Chuck,

 you can find all rc* kernels in our overlay at 
 http://overlays.gentoo.org/proj/vps
 
Tip: emerge layman - this is a tool for managing overlays - it's very
helpful ;)

Oliver


[Vserver] Latest usable Gentoo package

2006-09-07 Thread Oliver Welter
Hi Guys,

this is mainly for hollow et al - what is the latest ebuild you will
consider good for production of the 2.1 series ?

I am currently running 2.6.15.4-vs2.1.1-rc6-gentoo and want to upgrade
due to the latest kernel bugs

Oliver


Re: [Vserver] Latest usable Gentoo package

2006-09-07 Thread Oliver Welter
Hi Christian,

question was misleading - I know the overlay but I wonder if there is
some categorization about quite stable / bleeding edge in the rcs or
if it is ok to always take the latest one.

Oliver


Re: [Vserver] Latest usable Gentoo package

2006-09-07 Thread Oliver Welter
Hi Christian

 Nope there is no categorization or rating in the svn-repo. I also wouldn't
 use the _rc's on a stable machine, since from time to time there's some
 bugs in them that need to be fixed.

So - what do you suggest for using 2.1 on gentoo?
I have run the 2.1 for over a year now without problems and don't want to go
back to 2.0 but want to update the kernel...

Oliver


Re: [Vserver] Changing IP/netmask of vserver guests

2006-08-26 Thread Oliver Welter
Hi Henrik,

all IP config is (normally) done within the interfaces/nr/ directory
via ip/prefix. So, I guess changing all these files will do the job...

I don't know a tool but some lines of bash code should do.

Oliver



Re: [Vserver] Remount Filesystem + Add Interface from the outside

2006-08-07 Thread Oliver Welter

Hi Oliver,

try vnamespace -e xid mount

xid is the context id that you can obtain by vserver-stat

Take care that the addressing of mountpoints is a bit tricky because it 
is inside the namespace but not in the chroot - so you have e.g. 
/vserver/foo/tmp


Oliver



[Vserver] Gentoo eBuilds gone

2006-07-17 Thread Oliver Welter

Hi Folks,

after a portage sync I recognized that all ebuilds except an old kernel 
2.6.15, tools 2.0.1 have gone.


What happened? Is this related to the bugseries?

Oliver


Re: [Vserver] DRBD and vservers

2006-07-13 Thread Oliver Welter

Hi Martin


so complicated to get right.  I have been fighting
with the process for about a week now.


I spent some more together with Herbert, even debugging issues in kernel 
code of some filesystem drivers - sometimes using OSS is not only fun 
(I learned much about kernel and stuff in this time)



 a vserver ocf script.  Am I the only one to ever do
 this?  I know that people are using vservers with
 drbd, are they not using heartbeat?


Most ppl use only one drbd device for the whole machine - so they never 
run into such problems


perhaps it's a good idea to add your knowledge to the drbd+vserver 
wikipage :)


Oliver



Re: [Vserver] DRBD and vservers

2006-07-08 Thread Oliver Welter
Hallo Martin,

I dealt with this issue a year ago and it's running fine with my setup -
I really suggest using the Solution 1) proposed on the wiki, if this
is a possible setup for you.

If you need any help, we can meet on IRC for an interactive discussion

Oliver


[Vserver] whole subnet on vServer / performance

2006-05-30 Thread Oliver Welter

Hi Folks,

there was a discussion some time ago here on multiple IPs assigned to one 
vServer. I now have the need to assign a 32 Address net to one guest - 
did anybody here do some tests on this or can give me a go/nogo for this?


Oliver


Re: [Vserver] Issues of Security

2006-04-26 Thread Oliver Welter

Hi Manish,


 Has anybody done any work or study on security of vserver. What are the
 possible security downsides and possible areas of attack on vserver both
 from other vservers on the same host and from external agent. Any pointers
 on this would be very helpful. Thanks,


I haven't done a study, but from the basic idea behind vserver the following 
issues are relevant:
* if we assume the context isolation works without errors, the risk of 
guest - guest attacks is equal to that of physically independent servers
* for non-root users it is impossible to attack a guest from the host side
* it IS possible - and with a faulty setup very likely - that a rising 
need for resources (IO, mem, network) of a guest affects the other 
guests - as they share the same physical machine. The scheduler concept 
might help here
* If there is a flaw in the isolation code of vserver OR someone manages 
to exploit a kernel bug to load some modules from inside a guest, all of 
the above is no longer true. I don't know if anybody here has practical 
results on this


As I don't know what you mean by external agents I can't help you on 
this. If you simply mean attacks from outside, vserver is not more 
vulnerable than any other system. A bad setup of some services might 
enable an attacker to take over the guest with root privs, but even in 
this case he will not have that much fun, as a lot of things are not 
allowed inside a guest. E.g. he can't spawn new IPs, compromise your 
kernel, etc. This behaviour can be improved by tailoring the 
capabilities of the guest.


HTH

Oliver



[Vserver] secure a guest against the host's root-account

2006-04-24 Thread Oliver Welter

Hi Folks,

this might be a strange question for some of you as it is more an 
academic interest, but I hope you can help me out ;)


Q: Is there a way to prevent that a superuser on the host system can

* see processes of a guest
* enter a guest
* receive any other valuable info from the guest

The idea behind it is easy - I want to give away a guest system that uses 
an encrypted filesystem for its sensible data. The guest system itself 
will provide only very limited access to the data via an API and it must 
be prevented by any means that even the BOFH of the host can access 
any of the data.


So, is there any way to do this? I guess that SELinux/GR will offer 
some pointers to forbid root these actions, but are there any easier 
ways?


Oliver


Re: [Vserver] secure a guest against the host's root-account

2006-04-24 Thread Oliver Welter

Hi Mike, Serge,

So, is there any way to do this ? I guess that SELinux/GR will offer 
some pointers to forbid root these actions, but are there any easier 
ways ??



Sounds like SELinux is the tool of choice for that.


And if your concern is with the host's admins, not with exploited root
apps on the host server, then selinux still won't help you.


Partially - my second question here on the list regarding TPM support 
would be a great possibility to ensure and certify a certain state of 
the Root-Server.


But to keep on track - are there any good howtos for SELinux/vserver?

Oliver


Re: [Vserver] great flower page

2006-04-23 Thread Oliver Welter

hi Dominique

I'm dealing with failover intensively too. In any case of failover 
(automated or manual) I have to check that configuration is exactly 
replicated and up-to-date on all nodes (usually four or five nodes), 
else I disable failover. So I used to check versioning information 
hard-coded in comments of all configuration files that matter, in 
particular vserver config. I'm quite puzzled to do so with the new style 
config.


So, I drive another way, I have a master config on a configuration 
server that is replicated to the nodes, using rsync it is very easy to 
have one generic and one node.specific tree and sync them over...


but I guess this is all a matter of personal preferences...

Oliver



Re: [Vserver] VMWare-Server and vserver

2006-04-18 Thread Oliver Welter

Hi Steph,


> are there any known issues running the vmware-server on a 2.6 kernel
> with applied vserver-patches?

As VMWare has a totally different concept and is quite a normal
application I don't think so.

I run a vm-workstation here on a recent vserver-patched kernel without
any problems.


Oli


Re: [Vserver] ability to use 130+ ips within a vserver yet?

2006-04-06 Thread Oliver Welter

Hi Chuck,

> my only other option is to do policy routing which i don't think our
> switch/router ios is right for.. at least then i could target the entire /24
> for port 80 requests and translate them to something like 7080 before it gets
> to the machine and then back out again. messy at best i suspect.

Might it be an option to do so with iptables?
I use this approach for some servers without any problems - I think that

iptables -t nat -I PREROUTING -p tcp -d 192.168.168.0/24 --dport 80 -j DNAT --to target:port

should work without reasonable impact on the load...


Oliver


Re: [Vserver] ability to use 130+ ips within a vserver yet?

2006-04-06 Thread Oliver Welter

Hi Chuck,

>> iptables -t nat -I PREROUTING -p tcp -d 192.168.168.0/24 --dport 80 -j DNAT --to target:port
>> should work without reasonable impact on the load...

> hmm.. ok i'm no iptables whiz but i will try this syntax... i have to eliminate
> nat since they are all public ip addresses.. i suspect maybe something like
> this might work in our saved rules file? (gentoo)

You will need NAT - as this will translate the destination...

> i suspect maybe this may need to be changed..
>
> -A RH-Firewall-1-INPUT PREROUTING -d 64.113.34.0/24 --dport 80 [dont know what to do with -j here] --to 64.113.34.0/24:7080

Basically PREROUTING is another chain than the one you are using - so,
I suggest:

iptables -t nat -A PREROUTING -p tcp -d 64.113.34.0/24 --dport 80 -j DNAT --to :7080

This will redirect all traffic to 64.113.34.0/24:80 to the same IP as
the original packet but going to port 7080.

If you want to stuff everything into one vServer with one IP, just
replace the target with

-j DNAT --to vserversip:port

HTH

Oliver

PS: if you have problems revealing private data write PM, or join 
#vserver - will be there shortly as oliwel

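Added example (not part of the thread and not code from either poster): the DNAT rule from the reply above, written in the format of a saved rules file as asked. The rule belongs to the nat table's PREROUTING chain, and because filtering happens after the translation, the accept rule in the existing RH-Firewall-1-INPUT chain has to match the translated port 7080, not 80. All function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# valid_port PORT: succeed if PORT is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: succeed for four dot-separated octets in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_cidr A.B.C.D/LEN: succeed for an IPv4 network with LEN in 0..32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] && valid_ipv4 "${1%/*}"
}

# nat_section NET/LEN FROM_PORT TO_PORT [GUEST_IP]
# Print the *nat section for iptables-restore. Without GUEST_IP every
# address keeps its own IP and only the port changes (the "--to :7080"
# form); with GUEST_IP all matching traffic lands on that one address.
nat_section() {
    if ! valid_cidr "$1" || ! valid_port "$2" || ! valid_port "$3"; then
        echo "nat_section: bad network or port" >&2
        return 2
    fi
    if [ -n "${4:-}" ] && ! valid_ipv4 "$4"; then
        echo "nat_section: bad guest address" >&2
        return 2
    fi
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        "-A PREROUTING -d $1 -p tcp -m tcp --dport $2 -j DNAT --to-destination ${4:-}:$3" \
        'COMMIT'
}

# filter_rule CHAIN TO_PORT
# Print the accept rule to add to an existing filter chain. The filter
# table sees the packet after DNAT, so it must match the translated port.
filter_rule() {
    valid_port "$2" || return 2
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
    printf '%s\n' "-A $1 -p tcp -m tcp --dport $2 -j ACCEPT"
}

# Demo with the network, ports and chain name quoted in the thread.
nat_section 64.113.34.0/24 80 7080
filter_rule RH-Firewall-1-INPUT 7080
```

The nat section can be loaded on its own with iptables-restore; the filter line is meant to be merged into the chain that already exists in the saved rules file.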


Re: [Vserver] Passive FTP with Proftpd within guest

2006-04-06 Thread Oliver Welter

Hi Youri,

> I'm trying to get a simple Proftpd-mysql server running in one of my
> guests, and was wondering how I could enable passive ftp connections.
> Has this got something to do with guest capabilities or do I have to
> resort to some iptables fiddling on the host?
>
> And would the solution be to bind this guest directly to the host address?

I can't see your problem... does your guest use its own IP?
If so, all ports are reachable from outside without any problems, same
counts for mysql.
Just make sure that no 0.0.0.0 gathering process is running on your
host - mysql is somewhat greedy in this aspect and will bind to all
available IPs if running on the host. This will prevent your guest from
occupying the port.

If you share the IP it would be nearly the same, except that - of course
- no service must run on the IP/Port used by proftp or mysql


Oliver


Re: [Vserver] bug when starting without daemons

2006-03-29 Thread Oliver Welter

Hi Boris,

this is more or less expected behaviour...
vServer does not really run an own linux inside the compartments but 
only does process separation.
What init-type are you running - I guess that if you use fakeinit, at 
least the init-process will reside in the namespace.


To circumvent the problem I wrote a little helper that simply sleeps
infinitely inside the server.


Oliver


Re: [Vserver] kde and ltsp on a guest

2006-03-04 Thread Oliver Welter

Hi Chris,

as all guests use the original kernel more or less directly, there is
almost no performance loss and even no networking latency.
But you might run into problems regarding proper rights that X needs on
the kernel to run the graphics card - I am not that deep in the stuff to
give you adequate advice on this - but I think there are several people
here who can...
If you get this up and running - I would appreciate to see your results
on the wiki or here on the list (have the same need but didn't spend any
efforts so long..)


Oliver



Re: [Vserver] Probs with kernel bug

2006-02-26 Thread Oliver Welter

Talking to myself ;)

Hollow: Downgrading to vservers-sources-2.1.1-rc6 did the job - so
something between is broken (yes it's an unstable branch I know)


Oliver

Oliver Welter wrote:

Hi Folks,

I just upgraded a gentoo box to current 2.1.1 patchset on 2.6.15 and get
the following problem:

Firing up a freshly built vserver results in a hanging shell, vps ax
shows:

 1736     0 MAIN  pts/0  Ss  0:00 -bash
 1763     0 MAIN  pts/0  S+  0:00 /usr/sbin/vnamespace --new -- /usr/sbin/vserver nonamespace test start
 1767     0 MAIN  pts/0  S+  0:00 /bin/bash /usr/sbin/vserver nonamespace test start
 1775     0 MAIN  pts/0  S+  0:00 /usr/lib/util-vserver/lockfile /var/lock/vserver.etcvserverstest.startup /tmp/vserver-lock.qnsK8I
 1817   666 test  pts/0  D+  0:00 [vcontext]
 1818   666 test  ?      Ss  0:00 init [3]
 2056   666 test  ?      Ss  0:00 /usr/sbin/syslog-ng

In the kernel log I get this: (no mountpoints are set in the vserver...)

Any ideas ??

Oliver

[ cut here ]
kernel BUG at kernel/exit.c:548!
invalid operand:  [#1]
CPU:0
EIP:0060:[c0117ba4]Not tainted VLI
EFLAGS: 00010046   (2.6.15.4-vs2.1.1-rc9-gentoo)
EIP is at exit_notify+0x694/0x880
eax: f77dd600   ebx: f77ddb44   ecx: f77dd570   edx: 0001
esi: f77dda90   edi: f77dda90   ebp: f77dd570   esp: f702df5c
ds: 007b   es: 007b   ss: 0068
Process vcontext (pid: 1817[#666], threadinfo=f702c000 task=f77dd570)
Stack:  071a 0001 c01dae4d f77dd61c  f77dd61c 
f702df78
   f702df78 f767ffe0 f77dd570  0001 c0117f36 f77dd570 
c0507450
   0001 f702dfa4  bfb093ec 0009 f702c000 c011810d 
c010292f

Call Trace:
 [c01dae4d] ext3_destroy_inode+0x1d/0x30
 [c0117f36] do_exit+0x1a6/0x350
 [c011810d] sys_exit+0xd/0x10
 [c010292f] sysenter_past_esp+0x54/0x75
Code: ff 8b 54 24 1c 8d 46 70 89 42 04 89 56 70 8d 54 24 1c 89 50 04 89 
44 24 1c e9 ff f9 ff ff 0f 0b 9e 02 bc 85 40 c0 e9 2e fa ff ff 0f 0b 
24 02 bc 85 40 c0 e9 3a fa ff ff 8b 41 10 85 c0 0f 85 74

 1Fixing recursive fault but reboot is needed!






Re: [Vserver] Unifying Gentoo Guests

2006-02-25 Thread Oliver Welter

Hi Daniel,

> Use vhashify instead? It is totally independent from your guests'
> distribution.


/usr/lib/util-vserver/vhashify  -nv www1
Initializing exclude-list for /vservers/wwwtemplate (www1)
Can not determine packagemanagement style
failed to determine configfiles

Seems not to work either...

Oliver


Re: [Vserver] Unifying Gentoo Guests

2006-02-25 Thread Oliver Welter

Hi Enrico


>> eergh - it seems that vunify does not support gentoo guest. Anyone
>> here can help me out?

> Implementing the 'get-conffiles' operation for the 'gentoo' case in
> 'scripts/vpkg' should help. I do not know gentoo enough to develop it
> myself.

As gentoo has no binary packages and the result of compilation depends
on LOTS of flags I see no way to make this...


Oliver


[Vserver] Probs with kernel bug

2006-02-25 Thread Oliver Welter

Hi Folks,

I just upgraded a gentoo box to current 2.1.1 patchset on 2.6.15 and get
the following problem:

Firing up a freshly built vserver results in a hanging shell, vps ax shows:

 1736     0 MAIN  pts/0  Ss  0:00 -bash
 1763     0 MAIN  pts/0  S+  0:00 /usr/sbin/vnamespace --new -- /usr/sbin/vserver nonamespace test start
 1767     0 MAIN  pts/0  S+  0:00 /bin/bash /usr/sbin/vserver nonamespace test start
 1775     0 MAIN  pts/0  S+  0:00 /usr/lib/util-vserver/lockfile /var/lock/vserver.etcvserverstest.startup /tmp/vserver-lock.qnsK8I
 1817   666 test  pts/0  D+  0:00 [vcontext]
 1818   666 test  ?      Ss  0:00 init [3]
 2056   666 test  ?      Ss  0:00 /usr/sbin/syslog-ng

In the kernel log I get this: (no mountpoints are set in the vserver...)

Any ideas ??

Oliver

[ cut here ]
kernel BUG at kernel/exit.c:548!
invalid operand:  [#1]
CPU:0
EIP:0060:[c0117ba4]Not tainted VLI
EFLAGS: 00010046   (2.6.15.4-vs2.1.1-rc9-gentoo)
EIP is at exit_notify+0x694/0x880
eax: f77dd600   ebx: f77ddb44   ecx: f77dd570   edx: 0001
esi: f77dda90   edi: f77dda90   ebp: f77dd570   esp: f702df5c
ds: 007b   es: 007b   ss: 0068
Process vcontext (pid: 1817[#666], threadinfo=f702c000 task=f77dd570)
Stack:  071a 0001 c01dae4d f77dd61c  f77dd61c 
f702df78
   f702df78 f767ffe0 f77dd570  0001 c0117f36 f77dd570 
c0507450
   0001 f702dfa4  bfb093ec 0009 f702c000 c011810d 
c010292f

Call Trace:
 [c01dae4d] ext3_destroy_inode+0x1d/0x30
 [c0117f36] do_exit+0x1a6/0x350
 [c011810d] sys_exit+0xd/0x10
 [c010292f] sysenter_past_esp+0x54/0x75
Code: ff 8b 54 24 1c 8d 46 70 89 42 04 89 56 70 8d 54 24 1c 89 50 04 89 
44 24 1c e9 ff f9 ff ff 0f 0b 9e 02 bc 85 40 c0 e9 2e fa ff ff 0f 0b 
24 02 bc 85 40 c0 e9 3a fa ff ff 8b 41 10 85 c0 0f 85 74

 1Fixing recursive fault but reboot is needed!




[Vserver] Logo Contest

2006-02-24 Thread Oliver Welter

Hi Folks,

just wanna ask what's about our Logo-Contest?

So far I didn't vote - so I'll do:
I prefer the Text with Checkmark Versions 3 to 10.

I like 3 regarding the Font-setting but would suggest moving the v 
into the S and color it blue like in 10. :)


Oliver


[Vserver] Unifying Gentoo Guests

2006-02-24 Thread Oliver Welter

Hi Folks,

eergh - it seems that vunify does not support gentoo guest. Anyone here
can help me out?


Oliver


[Vserver] Gentoo-Baselayout 1.20-pre8 broken ?

2006-02-21 Thread Oliver Welter

Hi Hollow,

yesterday I updated a very old guest from the old use-flag hacked
baselayout to baselayout-vserver-1.20_pre8 - the result was that none of
the runscripts worked...

Running them on the bash inside the started guest showed success but the
processes weren't started at all. Weird: If you add the full path to the
start-stop-daemon inside the script it works - so don't ask me what this
means...

I downgraded to 1.11 and it's running all fine now...so I guess there is
a bug in the 1.20 release.

Oliver
--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
Dipl.-Ing. Oliver Welter - microBLUE - http://www.microblue.de
Tel: 08131/80525 - Fax: 08131/80526 - Post: Loestr. 15; 85221 Dachau
web-based applications - server technology - groupware - PCs and networks
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--




Re: [Vserver] Gentoo-Baselayout 1.20-pre8 broken ?

2006-02-21 Thread Oliver Welter

Hi Chris,


>> I downgraded to 1.11 and it's running all fine now...so I guess there is
>> a bug in the 1.20 release.

> Hrm. Never heard of such an error (and never encountered one ..). Which
> commands did you exactly run?
> (AFAIR there was some magic needed, but not sure)

Basically syslog-ng and sshd and some mailserver related stuff - the
error was every time the same - it seemed that start-stop-daemon is not
working properly


Oliver


Re: [Vserver] [FIxed] Gentoo-Baselayout 1.20-pre8 broken ?

2006-02-21 Thread Oliver Welter

Hi Folks,

it seems that the update process from the very old baselayout caused the
problem - I fixed it with first upgrading to 1.11 and then going up to
1.20.
Works for me, the only significant difference I found is, that the 1.11
upgrade emerged a new sysvinit and updated some config-files that 1.20 didn't.

If anyone is interested I can provide the used guest for testing

Oliver

Oliver Welter wrote:

Hi Chris,


I downgraded to 1.11 and it's running all fine now...so I guess there is
a bug in the 1.20 release.


Hrm. Never heard of such an error (and never encountered one ..). Which
commands did you exactly run? (AFAIR there was some magic needed, but
not sure)


Basically syslog-ng and sshd and some mailserver related stuff - the
error was every time the same - it seemed that start-stop-daemon is not
working properly


Oliver






Re: [Vserver] DRBD mount problem wiki update

2006-02-21 Thread Oliver Welter

Hello Holger,


> FYI, I have just updated the wiki about the DRBD mount problem:
>
> http://linux-vserver.org/advanced+DRBD+mount+issues (Solution 4)
>
> Hope this is useful for some of you as well.

uhh - this is an even more ugly hack than Solution 3 ;)
But nevertheless - if it works...

Oliver


Re: [Vserver] vserver hosting on server4you.com

2006-02-19 Thread Oliver Welter

> Stay away from server4free. I've used both their dedicated
> server and vservers, and the latter product was awful. Service
> was nonexistent, and I was threatened with a suit when I demanded
> termination because server4free/server4u were defaulting
> on their part of the contract.

I just can tell you the same - I had a business with them (actually
another company name but same business behind) and they are very
unfriendly, bad service and not cooperative...


Oliver


Re: [Vserver] Re: vserver heartbeat?

2006-02-15 Thread Oliver Welter

Hi Evert,

> Is that a better method than using the init script instead? I thought
> that starting/stopping services by calling them directly was in general
> 'frowned upon' in Gentoo...?

the Gentoo init script is not capable of starting individual servers, it
just can start/stop all servers, so if you use heartbeat with only two
nodes and want gentoo to start all vserver guests if the opposite node
fails this is ok.

If you use (like me) a setup with more than one opponent, you can't use
the gentoo script without modifications

> PS. Are you by any chance also using DRBD for your vservers? I have to
> incorporate that as well, as a 'prerequisite' for vserver, I guess...

Yes I do :)
Perhaps this little HowTo
http://linux-vserver.org/advanced+DRBD+mount+issues on Mounting, DRBD
and vServer is helpful - if you have any question just contact me,
during daytime (CET) you can drop me a private mail and talk to me on
the IRC too if you want


Oliver




Oliver Welter wrote:

Hi Evert,

I just linked /usr/sbin/vserver to /etc/ha.d/resource.d and put into my
haresources file: vserver::mail

Works for me (gentoo, too ;)

Oliver






Re: [Vserver] Re: vserver heartbeat?

2006-02-15 Thread Oliver Welter

Hi Evert,


> My setup has all (currently 6) vservers on 1 DRBD-partition (which is on 2
> physical nodes), so I guess the symlinking would do in my situation?

In this case, using the gentoo startup script would be the favourite
idea - but don't forget to enable the guest for autostart ;)
Using the vserver helper script directly will work also - in this
case you must of course run the startup script on boot with autostart
disabled


Oliver


Re: [Vserver] vserver heartbeat?

2006-02-14 Thread Oliver Welter

Hi Evert,

I just linked /usr/sbin/vserver to /etc/ha.d/resource.d and put into my
haresources file: vserver::mail


Works for me (gentoo, too ;)

Oliver


[Vserver] Bug/Issue with Routing, Multiple NICs and vServers

2006-02-09 Thread Oliver Welter

Hi Folks,

I encounter several problems regarding routing with a vServer host that
has multiple networks.

I have a host which occupies three networks, my guest has IPs only in
two of them resulting in the problem, that guest is unable to ping the
third network under certain circumstances.

When I try to ping the third network, the packets are emitted with
source address from the first activated network (so, the lowest number
in the interface directory) - in my case this is an internal maintenance
LAN and I get packets that are unroutable.
The packets are routed to the target but are discarded there because
they come in via the external NIC (third network) but have a source
address that belongs to the internal NIC.

I hope anybody understands this description - but I can't describe it
better...

The workaround for now is, to setup the IP belonging to the default
route of the host as first in the vServer. It also works when I discard
all network-routes from the hosts routing table and address this by
source based routing policies.

But I assume that it would be best, when the implementation of vServer
network-management hides all routes that are not accessible by the guest.


Oliver



[Vserver] gentoo guest: strange behaviour after baselayout update

2006-01-24 Thread Oliver Welter

Hi Hollow, Hi Folks :)

Today, I tried to update a very old gentoo guest, that was built with
the old baselayout with use-flag from portage overlay.
What I did, was to unemerge the old baselayout and emerge the new
baselayout-vserver instead.

At first glance it seemed to work, but having a closer look showed
boot-up messages appearing on the local consoles about crashing boot
scripts (net.lo, hostname, serial, console)

After digging around I replaced the /dev filesystem with a copy from a
fresh vServer guest, and it seems that now the problems have gone...

At all, I am not really sure if the system really works fine, but it
seems...

Any ideas what to check or how to check further? Especially: Is there a
way to see the messages of the guest starting up, as it was on the old
gentoo init-style (I am using plain now)


Oliver


[Vserver] Firewalling with vServers

2006-01-24 Thread Oliver Welter

Hi Folks,

I played around with vServer and Firewalls with netfilter/iptables

My goal was to achieve a per vServer configuration that can be 
maintained easily. A first approach is the set of scripts you can 
download here http://www.oliwel.de/vFirewall.tgz


It is a basic init-script that protects the host system and a set of 
vserver start/stop scripts with per guest configuration files, that are 
executed on start/stop of the appropriate guest.


Any comments are welcome

Oliver


[Vserver] Logo contest

2006-01-20 Thread Oliver Welter

Hi Folks,

would be nice to have a central webpage with all logos or at least links
to all logos.
I had a look on the most logos sent to the ML, but can't remember all of
them and it is a hard issue to look for all the links in the archives..

So, perhaps we can setup a wiki page or so...

Oliver


[Vserver] Screen inside vserver

2006-01-14 Thread Oliver Welter

Hi Folks,

anyone who can point me to an idea how to use screen inside a guest?
When calling screen, it complains about the nonexisting /dev/pts/0...
Can I safely create the device or will this be a security issue??

Guest (and Host) is Gentoo, 2.6.15vs2.1 with recent utils

regards

Oliver


Re: [Vserver] Screen inside vserver

2006-01-14 Thread Oliver Welter

eyck wrote:

>> afair, you have to ssh into the box to use screen.
>> vserver name enter and issuing a screen command does not work.

> it's not that it doesn't work, it's that it's easier and safer to tell
> people 'just ssh into your guest' instead of explaining how to make it
> work.

As I don't have SSH running inside the guest and I am not afraid of some
work, how? :)


Oliver


Re: [Vserver] Screen inside vserver

2006-01-14 Thread Oliver Welter

Hi Guys,

sorry for the hints - but don't make too much noise ,)

seems to be not that easy...

Oliver


Re: [Vserver] mountpoint blocked even with all context shutdown

2006-01-09 Thread Oliver Welter

Hi Herbert,
Hi Christian,


> you have to start 'thinking' in namespaces and avoid leftovers
> and unwanted 'copies' or duplicate mounts ...

I do!!
But as mentioned in my OP
1) The mount is done inside the namespace of the guest - it is not
visible outside in the root and is not copied into later started
servers. At least I can confirm this with issuing mount inside the
guest (vserver www1 enter and then mount) inside the namespace
(vnamespace -e www1 mount)
Neither one shows the mount!

2) I shutdown ALL virtual servers, so I assume that all namespaces are
destroyed. At least vserver-stat does not show anything beside the root
server and vps ax does not show any process running with another ID
than main...

So, I see two possible approaches on the problem:
1) drbd keeps its own mount table that is not freed correctly
2) the kernel blocks mounts from a no longer active namespace

I don't have any idea how to debug, and to make it even harder, the
problem shows not on all mounts/guest, which are basically configured
all identical.
It might be a problem that the mount inside the namespace is not
cleanly freed when the startup/shutdown of the guest fails/hangs
somewhere, but this is only a wild guess :(

Oliver



Re: [Vserver] mountpoint blocked even with all context shutdown

2006-01-09 Thread Oliver Welter

Hi Grzegorz


>> It might be a problem that the mount inside the namespace is not
>> cleanly freed when the startup/shutdown of the guest fails/hangs
>> somewhere, but this is only a wild guess :(

> If you stop your guest in an unclean way (e.g. vwait times out), the
> namespace stays there (or at least it used to be when I was playing
> with them). You can clear it with vnamespace -c xid but do check the
> syntax so that you don't wipe your root namespace :)

vnamespace --help
--cleanup|-c  ...  remove all mounts from the namespace of the
                   current context

So it does not take a XID as argument...

vnamespace -e xid with statically assigned xid of the formerly used
namespace dies with vnamespace: vc_enter_namespace(): No such process

Any other ideas?
Is there a way to list namespaces known to the kernel and kill them?

Oliver


Re: [Vserver] mountpoint blocked even with all context shutdown

2006-01-09 Thread Oliver Welter

Hi Herbert,
Hi Christian,


> you have to start 'thinking' in namespaces and avoid leftovers
> and unwanted 'copies' or duplicate mounts ...

I do!!
But as mentioned in my OP
1) The mount is done inside the namespace of the guest - it is not
visible outside in the root and is not copied into later started
servers. At least I can confirm this with issuing mount inside the
guest (vserver www1 enter and then mount) inside the namespace
(vnamespace -e www1 mount)

Neither one shows the mount!

2) I shutdown ALL virtual servers, so I assume that all namespaces are
destroyed. At least vserver-stat does not show anything beside the root
server and vps ax does not show any process running with another ID
than main...

So, I see two possible approaches on the problem:
1) drbd keeps its own mount table that is not freed correctly
2) the kernel blocks mounts from a no longer active namespace

I don't have any idea how to debug, and to make it even harder, the
problem shows not on all mounts/guest, which are basically configured
all identical.
It might be a problem that the mount inside the namespace is not
cleanly freed when the startup/shutdown of the guest fails/hangs
somewhere, but this is only a wild guess :(


Oliver



[Vserver] mountpoint blocked even with all context shutdown

2006-01-08 Thread Oliver Welter

Hi Folks,

I am running some vservers and use one block device per server (in fact 
a drbd device, see http://linux-vserver.org/advanced+DRBD+mount+issues, 
Solution 1).


Now I run into problems with UNmounting...

If I want to unmount the corresponding block device, I get an error 
that someone has mounted the device, even after shutting down ALL of the 
servers...


So, I have only the root context running, there is no mount visible via 
/proc/mount on the device I want to shut down, but it is not working... I 
can solve the issue only with a reboot (not really a smart solution 
for a server)...

Even vps or vserver-stat show any non-root-context process running

So, any ideas ? Can anyone tell me where else to look for mounts ?

Oliver
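One place to look, added here as an example and not part of the original post: every process exposes the mount table of its own namespace in /proc/<pid>/mounts, so a device that is absent from the host's own table can still be found in the table of a process left behind in another namespace. The function names and the optional proc-root and reference-pid arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: find processes whose mount namespace
# still holds a device. Only namespaces that still have at least one process
# can be seen this way.

# find_mount_holders DEVICE [PROC_ROOT]
# Prints "pid<TAB>mountpoint<TAB>command" for every process whose mount
# table lists DEVICE as the source of an entry. Mount points containing
# spaces appear escaped (\040) in the kernel's table and stay one field.
find_mount_holders() {
    dev=$1
    proc_root=${2:-/proc}
    for mounts in "$proc_root"/[0-9]*/mounts; do
        [ -r "$mounts" ] || continue
        pid_dir=${mounts%/mounts}
        pid=${pid_dir##*/}
        # comm is missing on old kernels and for processes that just exited
        comm=$(cat "$pid_dir/comm" 2>/dev/null) || comm='?'
        awk -v dev="$dev" -v pid="$pid" -v comm="$comm" \
            '$1 == dev { printf "%s\t%s\t%s\n", pid, $2, comm }' \
            "$mounts" 2>/dev/null || :
    done
}

# mount_is_hidden DEVICE [PROC_ROOT] [REF_PID]
# Succeeds when some process holds DEVICE although the reference process
# (default: pid 1, i.e. the host's own namespace) does not list it. This is
# the "device busy but nothing in the mount table" situation.
mount_is_hidden() {
    holders=$(find_mount_holders "$1" "${2:-/proc}")
    [ -n "$holders" ] || return 1
    ref=${3:-1}
    printf '%s\n' "$holders" |
        awk -F '\t' -v ref="$ref" \
            '$1 == ref { seen = 1 } END { exit seen ? 1 : 0 }'
}

# Script use: sh find-mount-holders.sh DEVICE [PROC_ROOT]
if [ "$#" -gt 0 ]; then
    find_mount_holders "$@"
    if mount_is_hidden "$@"; then
        echo "note: $1 is not mounted in the namespace of pid 1" >&2
    fi
fi
```

Run it as root on the host, since the mount tables of other users' processes are not readable otherwise.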


Re: [Vserver] VServer logo?

2006-01-07 Thread Oliver Welter

hi Alberto,

cool work :)
May I add a suggestion..
The checkmarks look so ordered - perhaps it gives a better impression 
to vary the size and position of the checkmarks instead of making this kind 
of matrix...


Sorry I am not an artist :)

Oli


[Vserver] network config with VLANs

2006-01-06 Thread Oliver Welter

Hi Folks,

I have some problems with vlans and vservers..

I have a box that has one physical Interface that hosts two VLANs, both 
are official Addresses and reachable from the Internet.

The main host has connectivity on both networks.

1) What should I put in interfaces/0/dev? eth0 or vlan1 fails, I get 
a message:

creation of VLAN_PLUS_VID_NO_PAD devices is not supported; please
create them before starting the vserver and use the 'nodev' flag then

When I put nodev in the dev file I get a warning - I put an empty 
file nodev in the interface directory - seems to work, is this correct?


2) I have a problem with routing - if the vserver guest has only 
addresses in one of the networks, I cannot ping across the networks 
because the host's routing table shows up in the guest, but the devices 
shown there for routing don't exist. I am fiddling around with iptables 
and got some aspects to work, but not all... is there another trick?


I run everything on gentoo with up to date tools
Kernel: 2.6.14-vs2.0.1-gentoo
VS-API: 0x00020001
util-vserver: 0.30.209; Jan  2 2006, 22:49:56

Oliver


Re: [Vserver] can't access ssh

2006-01-06 Thread Oliver Welter

Hi Stefan,

IIUC you can access the vServer from the host system, so the SSH is 
working ?

Can you ping the vServer from outside ?
Perhaps you have a problem with DNS resolution or so and cause a timeout 
on the connection because the guest tries a lookup on the connecting host...


Try shutting down the shorewall for testing, perhaps this is an issue - 
networking with vServer is a bit strange sometimes..


Oliver/vserver



Re: [Vserver] Moving Vservers from one Linux machine to other .

2005-12-05 Thread Oliver Welter

Hi,
   
  Can anyone explain how to move vservers from one linux to other linux machine? Without installing vserver related kernel and tools is it possible to start my vserver on new linux machine?


You must install vServer Kernel and Tools on both machines


  How to copy my vserver within the machine, is it enough to take just cp of 
that directory? I'm stuck with this problem, to proceed further. Please help me in 
solving this.

Best way is to simply create a new skeleton with vserver tools and 
then just copy over the entire (not running) directory /vserver/old to 
/vserver/new


To copy/replicate the servers between machines it's sufficient to copy 
/etc/vservers/servername and /vserver/servername to the new machine


Oliver

PS: Would be nice to announce your real identity in Mail Header


[Vserver] possible issue with vserver-new / gentoo

2005-12-03 Thread Oliver Welter

Hi Hollow,

I think I found an issue using vserver-new on gentoo...

I tried to create a new guest from a stage3 tarball - it failed for some 
stupid reasons and the script decided to remove the already created 
directories - unfortunately it also removed the /dev filesystem inside 
the new guest, which crashed the /dev on my base server...


I am running all up-to-date tools and udev

Oliver


Re: [Vserver] Hosting Vserver's on CODA or Lustre Distributed File Systems?

2005-11-14 Thread Oliver Welter

Hi,

I run my vServer with DRBD - this means you can only have one active 
mount at a time, but in case of failover it takes less than a minute to 
remount the backup node...


Oliver


Re: [Vserver] Nagios 2.x on a vserver. Anyone?

2005-11-07 Thread Oliver Welter

Hi,

I think that this problem is related to the nonexisting 127.0.0.1 
address. If I remember correctly then nagios tries to ping this address and 
can't reach it

I think that I simply commented this check out in the scripts

Oliver

Evert Meulie wrote:

(cross-post from:  http://www.meulie.net/forum_viewtopic.php?94.4177 )



Hi all!

I'm attempting to install Nagios 2.x on a vserver. However, the build 
stops with:


checking for ICMP ping syntax...


Has anyone else come across this problem before?


Regards,
   Evert



[Vserver] Probs after update world in Gentoo Guest

2005-10-29 Thread Oliver Welter

Hi Hollow, Hi List,

I have several problems with my gentoo guests :(

1) I build a new guest from scratch using vserver-new with a stage3 
tarball from your website, afterwards I did an emerge -u world. 
Running etc-update tries to replace /etc/inittab with a version that 
contains tty entries - no good idea I think...


2) The recent utils (0.30.308-r4) are a little bit too silent...
I was running above mentioned server on a r4 toolset without any 
error-msgs. I then transferred the server image to a box with -r2 tools 
and got startup errors, that look like the old problem with broken init 
scripts...
When upgrading the tools the error messages are gone, the server seems 
to startup without problems but I am a little bit nervous


BTW: Base systems are Gentoo too, both using recent kernels with 2.0vs 
patches...


Any ideas ??

Oliver


Re: [Vserver] Probs after update world in Gentoo Guest

2005-10-29 Thread Oliver Welter

Hi Chuck,

1) I build a new guest from scratch using vserver-new with a stage3 
tarball from your website, afterwards I did an emerge -u world. 
Running etc-update tries to replace /etc/inittab with a version that 
contains tty entries - no good idea I think...


did you first run emerge metadata and check the world file to be sure the 
standard baselayout is replaced with the vserver one in the listing? it 


errgh - metadata: no, but emerge -u world -vp shows 
baselayout-vserver-1.12.0_pre8-r2, now, after the update

emerge -s baselayout:
*  sys-apps/baselayout-vserver
  Latest version available: 1.12.0_pre8-r2
  Latest version installed: 1.12.0_pre8-r2

So this is right

there were some start/stop issues with earlier tools on gentoo. -r4 is the 
first one to work properly with their fixes for it. i just installed -r5 
which seems to be working well once i figure out what i dont have configured 
correctly when using depends.


ok perhaps it was just this... I pray for it... I have now running a not so 
critical server with the new layout but it will become a catastrophe if 
I once migrated my production systems :)


Oliver



Re: [Vserver] How do I enable SSH-server on my VServer?

2005-10-24 Thread Oliver Welter

Hi,
I have successfully installed VServer on a Gentoo-box here, using 
http://www.gentoo.org/doc/en/vserver-howto.xml for guidance.


This went fine, but now I'm wondering how to contact my virtual server 
via SSH... I have emerge-d openssh, but when I try to connect to the IP 
of the virtual server, I always end up on the main server instead...



it seems that your root server's sshd is listening to all IP addresses - 
you have to put the addresses of the base server in its sshd_config.


Oliver


[Vserver] Cleanup after unsuccessful startup

2005-10-23 Thread Oliver Welter

Hi Listpeople,

I have a question on cleanup in case of an unclean startup.

I do some checks on the vserver environment in the pre-start Script.
When they fail I kill the startup process with an exit call - is there 
anything I have to clean up (contexts, init process, etc.) or is this done 
by the tools automagically ?


regards

Oliver


Re: [Vserver] routing question

2005-10-22 Thread Oliver Welter

Hi Guenther,


Now the prob: There should be set up _one_ host with also internal
_and_ external IP (on eth0) which should externally use a different gw
and also which should not change anything on the base setup. But if I
activate _any_ external IP on eth0 the (previous) default route for
eth1 is no more used but guests (only having eth1 activated!) try to
connect direct through this eth0 ip which they naturally can't use so
traffic stops completely 8-(

Any ideas/hints?


You have to work around this with NATing and PREROUTING rules on the 
host - if it is possible to not give an external IP to the host you would 
have an easier life with NATing outside to an internal IP...


Oliver


Re: [Vserver] routing question

2005-10-22 Thread Oliver Welter

Hi Guenther,


Interesting approach, but this breaks the thought of a dual-homed
proxy I guess. Thanks anyway for thinking 'bout.

What I would really love is a hack to get the networking done on a
per-context basis but I guess this is a wish for x.mas in 20 years
;-)


Not really - If I understood some recent discussions correctly this is 
planned in the ngnet stuff which should be available in a not so far 
future...


Oliver



Re: [Vserver] nagios monitoring - guest or host?

2005-09-28 Thread Oliver Welter

Hi Chuck,

1. Can I somehow set things up so a guest can execute a pre-defined command 
script on the host? This would allow nagios to do things like re-start a 
guest if it is not responding.


There are some ways to do so:
1) The root server can access the filesystem of the guest, so you can 
use cron or similar to check for a file inside the guest from the side 
of the host, and then behave accordingly. For example, you create a file 
reboot containing server123 by nagios in a directory inside the 
guest and then have a process that collects this file from outside and 
does the reboot.


2) There are some helper scripts like the reboot script, but I don't know how 
these work - it might be that this can do the job...


3) The standard way, using SSH or RPC or similar and do a normal network 
connect like you do with any other remote execution


Regarding performance impact: It does not matter if the process runs in 
or outside a guest...


Oliver
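Option 1 lets a guest trigger an action on the host, so the host-side collector has to treat the file as untrusted input: the guest's root user controls its content and every path component below the guest root. A sketch of such a collector, added here as an example and not part of the original mail; the spool path, the function name and the return codes are assumptions, and the requested name is checked against the guest directories under /etc/vservers.

```shell
#!/bin/sh
# Added example, not from the thread: host-side collector for a restart
# request that a monitoring guest drops into its own filesystem.
#
# collect_restart_request GUEST_ROOT REL_PATH [CONF_DIR]
#   GUEST_ROOT  absolute path of the guest's root as seen from the host
#   REL_PATH    request file relative to GUEST_ROOT (assumed spool path)
#   CONF_DIR    directory holding one subdirectory per configured guest
# Prints the validated guest name and returns 0, otherwise returns
#   1 = no request, 2 = unsafe path, 3 = malformed name, 4 = unknown guest
collect_restart_request() {
    guest_root=$1
    flag=$1/$2
    conf_dir=${3:-/etc/vservers}

    # A symlink planted inside the guest is resolved against the HOST's
    # root when the host follows it. Resolve the directory part and refuse
    # anything that ends up outside the guest tree.
    root_real=$(cd -P -- "$guest_root" 2>/dev/null && pwd -P) || return 2
    dir_real=$(cd -P -- "${flag%/*}" 2>/dev/null && pwd -P) || return 1
    case $dir_real/ in
        "$root_real"/*) ;;
        *) return 2 ;;
    esac

    # The request itself must be a regular file, never a symlink.
    if [ -L "$flag" ]; then
        rm -f -- "$flag"
        return 2
    fi
    [ -f "$flag" ] || return 1

    # Read one short line only, then consume the request so that it is
    # not replayed by the next cron run.
    name=$(head -c 64 < "$flag" | head -n 1 | tr -d '\r')
    rm -f -- "$flag"

    # Strict allowlist of characters: no slashes, no leading dot, no
    # shell metacharacters. The value is never passed through eval.
    case $name in
        '' | .* | *[!A-Za-z0-9._-]*) return 3 ;;
    esac

    # Only guests that are actually configured on this host qualify.
    [ -d "$conf_dir/$name" ] || return 4
    printf '%s\n' "$name"
}

# Script use: sh collect-request.sh GUEST_ROOT REL_PATH [CONF_DIR]
if [ "$#" -ge 2 ]; then
    if guest=$(collect_restart_request "$@"); then
        # Assumption: the host restarts a guest with util-vserver's
        # "vserver <name> restart"; printed here rather than executed.
        echo "would run: vserver $guest restart"
    fi
fi
```

The checks narrow the window but do not close it: the guest can still swap the file between the checks and the read, which is why the content is matched against a fixed pattern and the list of configured guests and never echoed or executed.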


[Vserver] Problems with /dev on read-only mounts

2005-09-27 Thread Oliver Welter

Hi All,

I am running into a problem with a read-only filesystem regarding dev.

My root server has a read-only mount for the base-installation with a 
writable partition for var and temp, for dev I use devfs, so the ro 
mount is no problem.


Now I try to do the same inside the vServer guest, the var and tmp are 
on writable partitions, the base system is on a read-only mount. As the 
/dev also resides on the ro-mount I cannot start syslog (/dev/log is not 
writable)
Is there any solution to create a virtual /dev inside the vserver 
without creating security holes ?


I am running Gentoo on Host and Guest with recent 2.0 tools

regards

Oliver


[Vserver] Routing issue with multiple networks on host / vlans

2005-09-08 Thread Oliver Welter

Hi List,

I have a stupid problem and can't track it down :(

I have a host system running, that owns IPs in two networks (realized via 
VLANs if it matters)


So I have:
eth0.1 - 10.0.0.10 (NetA)
eth0.2 - 192.168.0.10 (NetB)

The setup on the host is running, meaning I can ping hosts in both 
networks, the default route is set via the 10. and works, too. Both IPs 
can be pinged from outside too.


Now the problem:
I have a guest that owns only an IP from NetA - I can ping everything 
except hosts in NetB. The problem seems to be, that there is a route for 
NetB shown inside the server, but this route uses an invalid interface 
(the other VLAN, it is indicated with * in the routing table)


route -n:
10.0.0.0/24 - eth0.1
192.168.168.0.0/24 - *
0.0.0.0/0 - 10.0.0.1

So any ideas how I can remove the invalid route from the vServer ? The 
expected behaviour will be, that the guest sends the packets for NetB to 
the router (a cisco machine) using the default route as the destination 
is not on the same network.
It might also be a solution to use the host system for routing between 
the nets...


Is there any solution with the real IPs or must I create loopback/dummy 
networks and lots of NATs ?


Oliver


Re: [Vserver] rlimit for memory usage

2005-08-26 Thread Oliver Welter

Hi Helmut,


well, you can certainly do that, and I guess most apps
will handle that perfectly well, unfortunately there
are certain apps which tend to allocate huge amounts
of virtual memory, just in case they'll need it later
on, and those will be really surprised, once they reach
the RSS limit and get killed off by the OOM killer.



What means 'killed off'? Naively I assumed, that if e.g. current RSS of 
the context is 52 MB and something (e.g. start of a Java application) 
tries to get 42 MB, some pages must be 'kicked out' of real memory to 
fulfill the 64 MB limit, resulting in bad performance, but not 'killed'.


In this case it is likely that your new process simply won't start; you 
get in real problems if you run into the rss limit for an already running 
process: A process P tells the kernel to reserve e.g. 40 MB of RAM but 
instantly only needs 20 MB, now you fill up the remaining 44 MB of 
physical RAM with other processes. When P now wants the already 
reserved space there is nothing you can give him. Now either P terminates 
because it can't allocate the mem it needs or the OOM killer process 
tries to sweep out processes from the RAM. It is very likely that it 
will kill some currently idle processes that are essential for your 
system (I had this last week when OOM killed my mysql and silently my 
sshd...)


Oliver


Re: [Vserver] Monitor Scheduler Ressources

2005-08-23 Thread Oliver Welter

Hi Bene,


thanatos ~ # cat /proc/virtual/23760/sched
Token:  9430
FillRate: 20
Interval: 57
TokensMin:  3000
TokensMax:  9430
PrioBias:  0
VaVaVoom:  0
cpu 0: 4632928 32 925413


cat sched
Token: 0
FillRate: 16
Interval: 32
TokensMin:   200
TokensMax:  1000
PrioBias:  0
cpu 0: 2781226 443749 0

Hmm, why do I have 0 Tokens in the bucket ?
Must I setup a scheduler for ALL vServers ? I have done so only for this 
one, the other contexts have a sched file in proc too and show 0 
Tokens too


Oliver


[Vserver] Monitor Scheduler Ressources

2005-08-22 Thread Oliver Welter

Hi,

I have setup a host with the Token Scheduler 
(http://linux-vserver.org/Scheduler+Parameters) - is it possible to 
monitor the buckets ??


Oliver
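The sched files quoted in the reply above can be polled directly. The following is an added example, not code from the thread or from util-vserver; it parses /proc/virtual/<xid>/sched in the format shown there. The function names, the output columns, the state labels and the reading of FillRate/Interval as a CPU share are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: report the token bucket of every
# context from /proc/virtual/<xid>/sched.

# sched_report [VIRT_ROOT]
# One line per context:
#   xid tokens tokens_min tokens_max fill% share% state
# fill%  = Token / TokensMax
# share% = FillRate / Interval (assumed reading: tokens added per interval)
# state  = EMPTY (no tokens), LOW (below TokensMin) or ok
sched_report() {
    virt_root=${1:-/proc/virtual}
    for f in "$virt_root"/[0-9]*/sched; do
        [ -r "$f" ] || continue
        dir=${f%/sched}
        awk -v xid="${dir##*/}" '
            # Lines look like "TokensMax:  9430"; drop the colon from the
            # key. The "cpu 0: ..." line is stored too but never used.
            { key = $1; sub(/:$/, "", key); val[key] = $2 }
            END {
                if (!("Token" in val) || !("TokensMax" in val)) exit
                tok = val["Token"] + 0
                min = val["TokensMin"] + 0
                max = val["TokensMax"] + 0
                ivl = val["Interval"] + 0
                fill = (max > 0) ? int(tok * 100 / max) : 0
                share = (ivl > 0) ? int(val["FillRate"] * 100 / ivl) : 0
                state = "ok"
                if (tok == 0) state = "EMPTY"
                else if (tok < min) state = "LOW"
                printf "%s %d %d %d %d %d %s\n", \
                    xid, tok, min, max, fill, share, state
            }' "$f" 2>/dev/null || :
    done
}

# sched_alerts [VIRT_ROOT]
# Prints only the contexts whose state is not "ok" and returns 1 if there
# are any, so it can be used as a check from cron or a monitoring plugin.
sched_alerts() {
    bad=$(sched_report "$1" | awk '$7 != "ok"')
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

# Script use: sh sched-report.sh /proc/virtual
if [ "$#" -gt 0 ]; then
    sched_report "$1"
fi
```

A single reading of 0 tokens is a snapshot; polling at an interval and comparing successive lines shows whether a bucket stays empty.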


[Vserver] rlimit for memory usage

2005-08-22 Thread Oliver Welter

Hi,

sorry if this is a stupid question but I can't find an answer

I have a machine with 3 GB physical RAM
What must I put into the rlimits/ directory to allow the vServer to 
use a maximum of 1.5GB ???


Oliver


[Vserver] Auto-Restart after systemcrash / gentoo init-style

2005-08-08 Thread Oliver Welter

Hi List,

today my host crashed due to some bad conditions... and I found a very 
stupid issue


I run gentoo (host and guest) with 2.6 kernel and recent tools.
The vServers are guarded by a heartbeat installation.

Now my hardware crashed, the external server-watchdog rebooted the 
machine and the host came up fine, BUT my vServers didn't start.


As the servers crashed during runtime the /var/lib/init.d inside the 
guests indicated a running system and so the vserver start command was 
ineffective on all vServers.


Is there any tool or flag to force the start of a (gentoo) vServer even 
if the init.d directory is not empty ?


Oliver


Re: [Vserver] vserver startup problem

2005-07-11 Thread Oliver Welter

Hi Bastian,


I followed this Howto http://gentoo.home.xnull.de/doc/en/vshandbook/
OS  : gentoo
util-vserver: 0.30.207
vserver-sources : 2.0_rc6

my error:
---
[EMAIL PROTECTED]:~ # vserver gentoo-template start
No command given; use '--help' for more information.

An error occured while executing the vserver startup sequence; when
there are no other messages, it is very likely that the init-script
() failed.

double-check that you have properly configured the PORTAGE_OVERLAY and 
that your portage is using it (try emerge baselayout -Dvp and you should 
see a note that portage overlay is used). Common problem here is, that 
there is a higher version number in the default portage than in overlay, 
in that case, force emerge to use the overlayed package by pointing 
emerge directly to the overlayed ebuild file


Oliver



[Vserver] ntpd is not able to update local clock

2005-07-10 Thread Oliver Welter

Hi Folks,

I have a problem with ntp running on a vServer kernel - I don't know if 
vServer is the problem but I don't have another idea...


I'm running gentoo with kernel 2.6.11.7-grsec2.1.5-vs2.0pre1 and 0.30.205 
tools.


I run openntpd, in the debug log I see
reply from 62.94.26.10: offset 6.151850 delay 0.067772, next query 30s
adjusting local clock by 6.134870s

but the local time is NOT adjusted - you can see this as the clock drifts 
away more and more


My kernel config has proc security enabled and vprocunhide was called on 
startup...

CONFIG_VSERVER=y
#
# Linux VServer
#
CONFIG_VSERVER_LEGACY=y
CONFIG_VSERVER_LEGACYNET=y
CONFIG_VSERVER_PROC_SECURE=y

Anyone here has an idea ?

Oliver


Re: [Vserver] ntpd is not able to update local clock

2005-07-10 Thread Oliver Welter



consider two guests 'adjusting' the hardware clock
according to their idea of time? would it make sense
to have guests which differ a few seconds? would
it make sense to have 50+ ntpds running, one on each
guest? probably not, that is why wall time is not
virtualized and has to be handled on the host (or
in a guest with the required privileges)


Hi Bertl,

I forgot to tell - the ntp is running on the main host of course
using ntpdate works but the ntpd is not adjusting the clock


Oliver


Re: [Vserver] ntpd is not able to update local clock

2005-07-10 Thread Oliver Welter

Hi All,

it seems that some ntp related libs were messed up - I unmerged all of 
them and installed the net-misc/ntp package which seems to work...

Thanks anyway to all..

Oliver


Re: [Vserver] Limiting a vserver's ressources

2005-07-01 Thread Oliver Welter

Hi Werner,

I now need to do a full backup as this is a new server. Obviously I will do 
incremental backups in the near future but not now :-)


When you issue the rsync command from the source machine you can try a 
nice so it will not eat all your cpu.


For other solutions dig the archives of the list - there are actually 
two approaches.


1: set the ulimit for the server to limit mem/cpu usage
2: use the vsched options (there was a thread on the list some weeks 
ago, http://list.linux-vserver.org/archive/vserver/msg09262.html or 
google for vsched )


Oliver


[Vserver] add new interface/ip to runnig server without restart

2005-06-25 Thread Oliver Welter

Hi Guys,

simple question - I have an Apache running inside a vServer and now must 
add a new IP address to it. So I edited the interface section in the 
configs as usual.
Is there a way to commit these changes / activate the new IP address 
without restarting the vServer ?


Oliver


[Vserver] Limit load if necessary with vsched / token bucket question

2005-06-02 Thread Oliver Welter

Hi List,

I read through the lists but wasn't able to find an answer...

I have one machine that is running up to five vservers.

Now I want to achieve that in times of heavy load the individual servers 
get a minimum percentage of CPU time. So for example I will force that 
my very important Server A always gets at least 50% CPU time when needed 
while A to D need only 10%.
If Server A does not need so much CPU time, the other ones are allowed 
to take as much as available.


Is there any way to do this with the vserver-tools ?
I am running pre2.0 on Gentoo

Oliver


[Vserver] unify gentoo guests

2005-06-01 Thread Oliver Welter

Hi List,

anybody here has some idea on how to unify gentoo guest servers ?

Might it be a good idea to write a script that scans the servers, does 
md5 checksums and then links similar files together ?


Oliver


[Vserver] bind mount and performance

2005-05-29 Thread Oliver Welter

Hi List,

as I have resolved all my technical difficulties I have a performance 
question:
Scenario: I run virtual Webservers which share a single root but need 
their own var, webtree and etc trees.

For testing I set this up like this:

/vserver/base - contains the root
/vserver/www1...X - are symlinks to base
/data/www1/etc, /data/www1/var, /data/www1/webtree are linked to their 
targets inside the vServer with bind entries in the vServer fstab.


It seems to work perfectly, my question: is the number of bind-mounts a 
huge impact on performance ? If so, anyone has an adequate and faster 
solution ?


THX

Oliver


[Vserver] Start-Up Scipts

2005-05-27 Thread Oliver Welter

Hi List,

I have a little problem with vserver start-up scripts...
I am running Gentoo Host/Guest with 2.6.9 kernel and vserver-tools 0.30.196

1) I have a vServer called wwwmain - I added a script wwwmain.sh in 
/etc/vservers/ but it seems that this is never executed..


2) I want to create a mount --bind inside the vserver. The problem is 
that I need this mount-point already when running through the init 
(Apache has its config on this mount)
I tried vnamespace -e wwwmain mount --bind which works fine after 
starting the vserver, but how can I call this command when the context 
is set up but the init has not started...


Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72




[Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Oliver Welter
Hi Folks,

serious problem:
I read about the new buffer overflow in the kernel's ELF loader - it 
seems that an unprivileged attacker can start a process in the kernel's 
context..

Is it possible to gain root inside a vServer?
Is it possible to break out of a vServer with this bug?

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72




Re: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Oliver Welter
Hello Herbert,

>> serious problem:
>> I read about the new buffer overflow in the kernel's ELF loader - it 
>> seems that an unprivileged attacker can start a process in the kernel's 
>> context..
>
> details? 
>
>  - which issue?
>  - what kernels are affected?
>  - how does the 'exploit' look like?

I referred to the announcement on heise 
(http://www.heise.de/newsticker/meldung/59498) - I did not do any 
additional research as I don't have much knowledge about the kernel, but this 
one here sounds serious as it might allow loading a compromised 
kernel-space program by simply running an infected binary

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72




Re: [Vserver] ELF Loader Bug exploitable inside a vServer

2005-05-12 Thread Oliver Welter
> yup, but better upgrade to 2.6.11.9-vs2.0-rc1 ;)

As I use this on *very* vital production machines - anyone here who can 
tell me if it's working ;)

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72




Re: [Vserver] How to copy/debug a vserver

2005-05-02 Thread Oliver Welter
> yup, usually (on non gentoo systems) it's simply done
> by default (i.e. disabling all but minimal services)
> but the gentoo recursive? service system makes it a 
> little trickier ...
>
> but I remember folks who have done it ...

There is a special ebuild for vServer that patches the base-layout - see 
http://dev.gentoo.org/~hollow/vserver/guide/ Section 5

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72




Re: [Vserver] How to copy/debug a vserver

2005-05-02 Thread Oliver Welter
> yeah I actually used the Gentoo vserver-specific baselayout to build my 
> vserver image in the first place?! Is there a way I can check whether I got 
> the right baselayout installed in my vserver?

Have you set the use-flag?
Have you configured your port_overlay correctly?
Hmm, I don't know what files to check - perhaps Bene is reading here *wink*

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72

