Re: [Vserver] Can't set the new security context
On Thu, Apr 08, 2004 at 11:30:44AM -0600, Lucas Albers wrote:
>
> Herbert Poetzl said:
>
> > 201 is known to fail with stable branch and legacy tools
> > (vserver-0.XX) it works with experimental, and util-vserver
> > tools (0.29.3 for example)
> >
> >> I read through the archives and could not find any more information
> >> about
> >> this particular error.
> >
> > that is the reason, why I do not include the vserver tools
> > on the download page (vs1.26/vs1.27), only the util-vserver
> > ones ...
>
> Herbert,
> Are there any more newvserver diffs or complaints?
> I'm filing all of the patches/bugs for it on the debian site, for the
> newvserver maintainer.

hmm, best to scan the archives, I guess ...

sorry,
Herbert

> --
> Luke Computer Science System Administrator
> Security Administrator,College of Engineering
> Montana State University-Bozeman,Montana

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Can't set the new security context
Herbert Poetzl said:

> 201 is known to fail with stable branch and legacy tools
> (vserver-0.XX) it works with experimental, and util-vserver
> tools (0.29.3 for example)
>
>> I read through the archives and could not find any more information
>> about
>> this particular error.
>
> that is the reason, why I do not include the vserver tools
> on the download page (vs1.26/vs1.27), only the util-vserver
> ones ...

Herbert,
Are there any more newvserver diffs or complaints?
I'm filing all of the patches/bugs for it on the debian site, for the
newvserver maintainer.

--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
Re: [Vserver] Can't set the new security context
On Thu, Mar 25, 2004 at 11:07:16PM -0700, Lucas Albers wrote:
>
> >> Lucas Albers said:
> >> > When trying to stop a vserver instance I get the following error:
> >> > "Can't set the new security context"
>
> Herbert Poetzl said:
> > yeah, as I said, the tools are broken, send Jacques an
> > email to fix them or get the debian linux-vserver maintainer
> > to do it, or 'just' use the mainstream tools for linux-vserver
>
> So I did a little research...
> I like the vserver debian tools.
> I'm sure the debian maintainer will fix it.
>
> I filed this bug with debian, trivial fix, but I am not a shell programmer:
>
> my debian bug report 240009
> ---
> It appears you just need to set the S_CONTEXT correctly in
> /usr/sbin/vserver
>
> This appears to be the location:
> in the stop part of /usr/sbin/vserver.
>
> $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
> S_CONTEXT=
> $CHCONTEXT_CMD $SILENT --secure --ctx $S_CONTEXT \
>
> Now this variable could be easily pulled from:
> /usr/lib/printconf.sh
>
> which could easily source the context from:
> /var/run/servername.ctx
>
> I know the steps to do this, but I am not a shell programmer, and not sure
> of the correct way to fix this.
> I believe this bug is actually critical and not normal, as it is a show
> stopper.

no it isn't because vserver-0.2x isn't maintained
but the replacement util-vserver is (get util-vserver
0.29.3 and everything will work as expected)

http://www.13thfloor.at/vserver/s_release/v1.27/util-vserver-0.29.3.tar.bz2

> Please fix this, as this directly affects my vserver installation.

http://packages.debian.org/unstable/net/util-vserver
(only 3 versions behind the current tools)

http://www.13thfloor.at/vserver/s_release/v1.22/patch-vserver-0.29-fix01.diff
(a very old, partial fix for the broken vserver-0.29 tools)

HTH,
Herbert

> --
> Luke Computer Science System Administrator
> Security Administrator,College of Engineering
> Montana State University-Bozeman,Montana
AW: [Vserver] Can't set the new security context
I put this in my /etc/vservers/*.conf:

# vserver x stop seems not to find the right contextnumber
# so I set it manually, every vserver a different number!
S_CONTEXT=3

I don't know much background, but this works.

Greetings, Richard

--
Stadt Zirndorf, EDV
Richard Lippmann
Tel. 0911/9600-190

-----Original Message-----
From: Lucas Albers [mailto:[EMAIL PROTECTED]
Sent: Thursday, 25 March 2004 23:22
To: [EMAIL PROTECTED]
Subject: [Vserver] Can't set the new security context

When trying to stop a vserver instance I get the following error:
"Can't set the new security context"

see complete error here:
--
vserver web2 stop;
Stopping the virtual server web2
Server web2 is running
ipv4root is now 153.90.199.59
: Invalid argument
sleeping 5 seconds
Killing all processes
---
debian
2.4.25 kernel with vs 1.26
vserver 0.29-2
I used debian newvserver to create the vserver instance.
It starts fine, but does not want to stop.

I ran herbert's test script
http://vserver.13thfloor.at/Stuff/testme.sh
and it indicates failure on test number 201.

Test Output:
---
Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
---
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# failed.
[202]# succeeded.
---

The verbose failure is:
[201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0'
/proc/self/status
[201]# failed.
I thought at first it was because I had included the vserver+grsec patch,
so I recompiled a new kernel without any grsecurity options, and it still
had the same error.

I read through the archives and could not find any more information about
this particular error.

--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
Re: [Vserver] Can't set the new security context
>> Lucas Albers said:
>> > When trying to stop a vserver instance I get the following error:
>> > "Can't set the new security context"

Herbert Poetzl said:
> yeah, as I said, the tools are broken, send Jacques an
> email to fix them or get the debian linux-vserver maintainer
> to do it, or 'just' use the mainstream tools for linux-vserver

So I did a little research...
I like the vserver debian tools.
I'm sure the debian maintainer will fix it.

I filed this bug with debian, trivial fix, but I am not a shell programmer:

my debian bug report 240009
---
It appears you just need to set the S_CONTEXT correctly in
/usr/sbin/vserver

This appears to be the location:
in the stop part of /usr/sbin/vserver.

$CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
S_CONTEXT=
$CHCONTEXT_CMD $SILENT --secure --ctx $S_CONTEXT \

Now this variable could be easily pulled from:
/usr/lib/printconf.sh

which could easily source the context from:
/var/run/servername.ctx

I know the steps to do this, but I am not a shell programmer, and not sure
of the correct way to fix this.
I believe this bug is actually critical and not normal, as it is a show
stopper.
Please fix this, as this directly affects my vserver installation.

--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
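
Added example, not part of any post in this thread and not code from the vserver or util-vserver packages: a stop path that resolves S_CONTEXT from the per-server config or a run-time context file, and refuses to emit a chcontext --ctx command line when no numeric id is found. The file names, the S_CONTEXT=<digits> file format, and the function names read_ctx, resolve_ctx and stop_cmd are assumptions.

```shell
#!/bin/sh
# Added example; the file layout and function names are assumptions,
# not taken from /usr/sbin/vserver.

# Extract a numeric S_CONTEXT from FILE without sourcing it (the file is
# parsed as data, so nothing in it is executed by the caller).
# Assumed format: a line of the form S_CONTEXT=<digits>.
read_ctx() {
    [ -r "$1" ] || return 1
    ctx=$(sed -n 's/^[[:space:]]*S_CONTEXT=//p' "$1" | tail -n 1)
    case $ctx in
        ''|*[!0-9]*) return 1 ;;   # empty, quoted or non-numeric: reject
    esac
    printf '%s\n' "$ctx"
}

# Prefer a static id from the config, fall back to the run-time ctx file.
resolve_ctx() {
    read_ctx "$1" || read_ctx "$2"
}

# Print the stop command, or fail rather than emit "--ctx" with no value,
# which is what makes the next word get taken as the context argument.
stop_cmd() {
    id=$(resolve_ctx "$1" "$2") || {
        echo "no valid S_CONTEXT in $1 or $2" >&2
        return 1
    }
    printf 'chcontext --secure --ctx %s /usr/lib/vserver/capchroot . /etc/init.d/rc 6\n' "$id"
}

# Dry run on constructed sample files (nothing is executed as a vserver).
demo_dir=$(mktemp -d)
printf '# static id set by the admin\nS_CONTEXT=3\n' > "$demo_dir/web2.conf"
printf 'S_CONTEXT=\n' > "$demo_dir/web3.conf"
stop_cmd "$demo_dir/web2.conf" "$demo_dir/web2.ctx"
stop_cmd "$demo_dir/web3.conf" "$demo_dir/web3.ctx" || echo "refused: web3"
rm -rf "$demo_dir"
```
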
Re: [Vserver] Can't set the new security context
On Thu, Mar 25, 2004 at 03:59:57PM -0700, Lucas Albers wrote:
>
> Lucas Albers said:
> > When trying to stop a vserver instance I get the following error:
> > "Can't set the new security context"
> >
> It looks like when I run the vserver script, it does not define the
> correct context:
> Here is the line from my vserver script to stop or start a vserver.
> isn't it supposed to have a number defining the context right after --ctx?

yeah, as I said, the tools are broken, send Jacques an
email to fix them or get the debian linux-vserver maintainer
to do it, or 'just' use the mainstream tools for linux-vserver

http://www.13thfloor.at/vserver/s_release/v1.27/

HTH,
Herbert

> relevant output from running vserver stop webx;
>
> ---
> /usr/sbin/chbind --ip 153.90.xxx.xx --bcast 153.90.xxx.xxx
> /usr/sbin/chcontext --secure --ctx /usr/lib/vserver/capchroot .
> /etc/init.d/rc 6
> ipv4root is now 153.90.xxx.xx
> ---
>
> --
> Luke Computer Science System Administrator
> Security Administrator,College of Engineering
> Montana State University-Bozeman,Montana
Re: [Vserver] Can't set the new security context
On Thu, Mar 25, 2004 at 03:22:12PM -0700, Lucas Albers wrote:
> When trying to stop a vserver instance I get the following error:
> "Can't set the new security context"
>
> see complete error here:
> --
> vserver web2 stop;
> Stopping the virtual server web2
> Server web2 is running
> ipv4root is now 153.90.199.59
> : Invalid argument
> sleeping 5 seconds
> Killing all processes
> ---
> debian
> 2.4.25 kernel with vs 1.26
> vserver 0.29-2
> I used debian newvserver to create the vserver instance.
> It starts fine, but does not want to stop.
>
> I ran herbert's test script
> http://vserver.13thfloor.at/Stuff/testme.sh
> and it indicates failure on test number 201.
>
> Test Output:
> ---
> Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
> chcontext is working.
> chbind is working.
> Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
> ---
> [001]# succeeded.
> [011]# succeeded.
> [031]# succeeded.
> [101]# succeeded.
> [102]# succeeded.
> [201]# failed.
> [202]# succeeded.
> ---
>
> The verbose failure is:
> [201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0'
> /proc/self/status
> [201]# failed.
> I thought at first it was because I had included the vserver+grsec patch,
> so I recompiled a new kernel without any grsecurity options, and it still
> had the same error.

201 is known to fail with stable branch and legacy tools
(vserver-0.XX) it works with experimental, and util-vserver
tools (0.29.3 for example)

> I read through the archives and could not find any more information about
> this particular error.

that is the reason, why I do not include the vserver tools
on the download page (vs1.26/vs1.27), only the util-vserver
ones ...

HTH,
Herbert

> --
> Luke Computer Science System Administrator
> Security Administrator,College of Engineering
> Montana State University-Bozeman,Montana
Re: [Vserver] Can't set the new security context
Lucas Albers said:
> When trying to stop a vserver instance I get the following error:
> "Can't set the new security context"
>
It looks like when I run the vserver script, it does not define the
correct context:
Here is the line from my vserver script to stop or start a vserver.
isn't it supposed to have a number defining the context right after --ctx?

relevant output from running vserver stop webx;

---
/usr/sbin/chbind --ip 153.90.xxx.xx --bcast 153.90.xxx.xxx
/usr/sbin/chcontext --secure --ctx /usr/lib/vserver/capchroot .
/etc/init.d/rc 6
ipv4root is now 153.90.xxx.xx
---

--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
[Vserver] Can't set the new security context
When trying to stop a vserver instance I get the following error:
"Can't set the new security context"

see complete error here:
--
vserver web2 stop;
Stopping the virtual server web2
Server web2 is running
ipv4root is now 153.90.199.59
: Invalid argument
sleeping 5 seconds
Killing all processes
---
debian
2.4.25 kernel with vs 1.26
vserver 0.29-2
I used debian newvserver to create the vserver instance.
It starts fine, but does not want to stop.

I ran herbert's test script
http://vserver.13thfloor.at/Stuff/testme.sh
and it indicates failure on test number 201.

Test Output:
---
Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
---
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# failed.
[202]# succeeded.
---

The verbose failure is:
[201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0'
/proc/self/status
[201]# failed.
I thought at first it was because I had included the vserver+grsec patch,
so I recompiled a new kernel without any grsecurity options, and it still
had the same error.

I read through the archives and could not find any more information about
this particular error.

--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
Re: [Vserver] Can't set the new security context
> Running on Debian Woody, kernel 2.4.25.

you should also provide information on which vs version do you use
(vs1.26 for example) and which userspace tools ( for example - vserver 0.29 )

And this combination, together with dynamic context ids causes similar
symptoms to yours. Try setting S_CONTEXT in vservers/myvs..conf
( temporarily to the one currently allocated ).

They say that util-vserver is better ( and this problem does not exist
there ) but I find that it brings its own set of quirks and troubles.

--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
We're giving you a new chance in life, and an opportunity to screw it up
in a new, original way.
Re: [Vserver] Can't set the new security context
That seemed to do the trick, thanks for the help.

nick vollmar wrote:

> This doesn't work - use vserver 0.29-1 from Debian testing.
>
> On Wed, 2004-03-10 at 17:38, Chris Besignano wrote:
>
> > I downloaded the compiled kernel from
> > ftp://ftp.solucorp.qc.ca/pub/vserver/vmlinuz-2.4.25-vs1.26, tools are
> > vserver 0.29-2 from Debian unstable repository
> >
> > Cathy Sarisky wrote:
> >
> > > Your kernel is patched with which version of the vserver patches?
> > > And what version of the tools are you using?
> > >
> > > On Wed, 10 Mar 2004, Chris Besignano wrote:
> > >
> > > > I get the following message when I try to stop a vserver (vserver myhost
> > > > stop). Can someone point me in the right direction? I am new to this.
> > > > Running on Debian Woody, kernel 2.4.25.
> > > >
> > > > ipv4root is now 192.168.1.20
> > > > Can't set the new security context
> > > > : Invalid argument
> > > > sleeping 5 seconds
> > > > Killing all processes
> > > > chcontext version 0.29
> > > > chcontext [ options ] command arguments ...
> > > >
> > > > chcontext allocate a new security context and executes
> > > > a command in that context.
> > > > By default, a new/unused context is allocated
> > > >
> > > > Thanks for the help
Re: [Vserver] Can't set the new security context
This doesn't work - use vserver 0.29-1 from Debian testing.

On Wed, 2004-03-10 at 17:38, Chris Besignano wrote:
> I downloaded the compiled kernel from
> ftp://ftp.solucorp.qc.ca/pub/vserver/vmlinuz-2.4.25-vs1.26, tools are
> vserver 0.29-2 from Debian unstable repository
>
> Cathy Sarisky wrote:
>
> >Your kernel is patched with which version of the vserver patches?
> >And what version of the tools are you using?
> >
> >On Wed, 10 Mar 2004, Chris Besignano wrote:
> >
> >>I get the following message when I try to stop a vserver (vserver myhost
> >>stop). Can someone point me in the right direction? I am new to this.
> >>Running on Debian Woody, kernel 2.4.25.
> >>
> >>ipv4root is now 192.168.1.20
> >>Can't set the new security context
> >>: Invalid argument
> >>sleeping 5 seconds
> >>Killing all processes
> >>chcontext version 0.29
> >>chcontext [ options ] command arguments ...
> >>
> >>chcontext allocate a new security context and executes
> >>a command in that context.
> >>By default, a new/unused context is allocated
> >>
> >>
> >>Thanks for the help
Re: [Vserver] Can't set the new security context
Update, /proc is not visible inside of my vserver. Also, should I have a
/proc/vserver or a /proc/security on my host machine?

Chris Besignano wrote:

> I downloaded the compiled kernel from
> ftp://ftp.solucorp.qc.ca/pub/vserver/vmlinuz-2.4.25-vs1.26, tools are
> vserver 0.29-2 from Debian unstable repository
>
> Cathy Sarisky wrote:
>
> > Your kernel is patched with which version of the vserver patches?
> > And what version of the tools are you using?
> >
> > On Wed, 10 Mar 2004, Chris Besignano wrote:
> >
> > > I get the following message when I try to stop a vserver (vserver myhost
> > > stop). Can someone point me in the right direction? I am new to this.
> > > Running on Debian Woody, kernel 2.4.25.
> > >
> > > ipv4root is now 192.168.1.20
> > > Can't set the new security context
> > > : Invalid argument
> > > sleeping 5 seconds
> > > Killing all processes
> > > chcontext version 0.29
> > > chcontext [ options ] command arguments ...
> > >
> > > chcontext allocate a new security context and executes
> > > a command in that context.
> > > By default, a new/unused context is allocated
> > >
> > > Thanks for the help
Re: [Vserver] Can't set the new security context
I downloaded the compiled kernel from
ftp://ftp.solucorp.qc.ca/pub/vserver/vmlinuz-2.4.25-vs1.26, tools are
vserver 0.29-2 from Debian unstable repository

Cathy Sarisky wrote:

> Your kernel is patched with which version of the vserver patches?
> And what version of the tools are you using?
>
> On Wed, 10 Mar 2004, Chris Besignano wrote:
>
> > I get the following message when I try to stop a vserver (vserver myhost
> > stop). Can someone point me in the right direction? I am new to this.
> > Running on Debian Woody, kernel 2.4.25.
> >
> > ipv4root is now 192.168.1.20
> > Can't set the new security context
> > : Invalid argument
> > sleeping 5 seconds
> > Killing all processes
> > chcontext version 0.29
> > chcontext [ options ] command arguments ...
> >
> > chcontext allocate a new security context and executes
> > a command in that context.
> > By default, a new/unused context is allocated
> >
> > Thanks for the help
Re: [Vserver] Can't set the new security context
Your kernel is patched with which version of the vserver patches?
And what version of the tools are you using?

On Wed, 10 Mar 2004, Chris Besignano wrote:

> I get the following message when I try to stop a vserver (vserver myhost
> stop). Can someone point me in the right direction? I am new to this.
> Running on Debian Woody, kernel 2.4.25.
>
> ipv4root is now 192.168.1.20
> Can't set the new security context
> : Invalid argument
> sleeping 5 seconds
> Killing all processes
> chcontext version 0.29
> chcontext [ options ] command arguments ...
>
> chcontext allocate a new security context and executes
> a command in that context.
> By default, a new/unused context is allocated
>
>
> Thanks for the help
[Vserver] Can't set the new security context
I get the following message when I try to stop a vserver (vserver myhost
stop). Can someone point me in the right direction? I am new to this.
Running on Debian Woody, kernel 2.4.25.

ipv4root is now 192.168.1.20
Can't set the new security context
: Invalid argument
sleeping 5 seconds
Killing all processes
chcontext version 0.29
chcontext [ options ] command arguments ...

chcontext allocate a new security context and executes
a command in that context.
By default, a new/unused context is allocated


Thanks for the help