Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-14 Thread Herbert Poetzl
On Mon, Nov 14, 2005 at 10:50:06AM +0100, Evert Meulie wrote:
> This is on a Gentoo system, with:
> vserver-sources-2.0-r1
> util-vserver-0.30.208-r5
> 
> 
> Hmm, the testme.sh script does not seem to get installed on Gentoo...

you can get it here:

http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh

>   Evert
> 
> Herbert Poetzl wrote:
> >On Fri, Nov 11, 2005 at 09:04:18AM +0100, Evert Meulie wrote:
> >
> >>Warning for all!
> >>
> >>Even though Nagios 2.x eventually compiled on my system, I ended up
> >>with a defective check_ping. And since check_ping is used by Nagios to
> >>check whether a host is up or not, this causes MAJOR problems...
> >
> >
> >what linux-vserver patches and tools?
> >as usual, please provide the output of testme.sh
> >
> >
> >>See http://www.meulie.net/forum_viewtopic.php?21.4226 for more info on
> >>this subject
> >
> >
> >hmm ... (which shows)
> >
> >CRITICAL_ERROR:
> 
> Fixed...  ;-)

best,
Herbert

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-11 Thread Herbert Poetzl
On Fri, Nov 11, 2005 at 05:49:06PM +0100, Dennis Roos wrote:
> On Fri, 2005-11-11 at 10:25 -0600, Matthew Nuzum wrote:
> > > on 2.x kernels, the raw_icmp capability replaces the
> > > insecure CAP_NET_RAW. raw_icmp is given by default
> > > on mainline util-vserver since (at least) 0.30.208
> > > (and we now have 0.30.209)
> > > 
> > > > What I did to get it to work was:
> > > >  * Add CAP_NET_RAW to the capabilities of the vserver (in /etc/vservers)
> 
> Well, I have 5 secs before I leave the office (weekend after all!), so
> here is some info on my (working) host, if anyone needs more info, I'll
> be back on Monday ;) ):
> 
> vserver-info
> Versions:
>                Kernel: 2.6.11.6-grsec-vs1.9.5
>                VS-API: 0x00010025
>          util-vserver: 0.30.196; Apr  5 2005, 16:20:45

okay, if anyhow possible, please upgrade to

Kernel 2.6.14.1-vs2.0.1-rc1
util-vserver 0.30.208

and no, CAP_NET_RAW should _not_ be required for ping
with vs2.x kernels (2.6 with vs2.x patch)

HTH,
Herbert

> Features:
>                    CC: i686-pc-linux-gnu-gcc, i686-pc-linux-gnu-gcc (GCC) 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
>                   CXX: i686-pc-linux-gnu-g++, i686-pc-linux-gnu-g++ (GCC) 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
>              CPPFLAGS: ''
>                CFLAGS: '-O2 -march=i686 -fomit-frame-pointer -std=c99 -Wall -pedantic -W'
>              CXXFLAGS: '-O2 -march=i686 -fomit-frame-pointer -ansi -Wall -pedantic -W -fmessage-length=0'
>            build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
>          Use dietlibc: yes (0.28)
>    Build C++ programs: yes
>    Build C99 programs: yes
>        Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
>         ext2fs Source: e2fsprogs
> syscall(2) invocation: fast
>   vserver(2) syscall#: 273/default
> 
> cat /proc/virtual/82/status (Nagios host)
> UseCnt: 85
> Tasks:  38
> Flags:  00020215
> BCaps:  d44c04ff
> CCaps:  0101
> Ticks:  0
> 
> 
> 
> -- 
> Regards,
> Dennis Roos
> 
> Network Engineer @ InTouch N.V.
> Middenweg 76
> 1097 BS Amsterdam
> Tel: +31 (0)20 6752060
> Fax: +31 (0)20 6758429
> 
> -=[Assumption is the mother of all f*ckups]=-
> 
> 


RE: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-11 Thread Dennis Roos
On Fri, 2005-11-11 at 10:25 -0600, Matthew Nuzum wrote:
> > on 2.x kernels, the raw_icmp capability replaces the
> > insecure CAP_NET_RAW. raw_icmp is given by default
> > on mainline util-vserver since (at least) 0.30.208
> > (and we now have 0.30.209)
> > 
> > > What I did to get it to work was:
> > >  * Add CAP_NET_RAW to the capabilities of the vserver (in /etc/vservers)

Well, I have 5 secs before I leave the office (weekend after all!), so
here is some info on my (working) host, if anyone needs more info, I'll
be back on Monday ;) ):

vserver-info
Versions:
               Kernel: 2.6.11.6-grsec-vs1.9.5
               VS-API: 0x00010025
         util-vserver: 0.30.196; Apr  5 2005, 16:20:45

Features:
                   CC: i686-pc-linux-gnu-gcc, i686-pc-linux-gnu-gcc (GCC) 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
                  CXX: i686-pc-linux-gnu-g++, i686-pc-linux-gnu-g++ (GCC) 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
             CPPFLAGS: ''
               CFLAGS: '-O2 -march=i686 -fomit-frame-pointer -std=c99 -Wall -pedantic -W'
             CXXFLAGS: '-O2 -march=i686 -fomit-frame-pointer -ansi -Wall -pedantic -W -fmessage-length=0'
           build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
         Use dietlibc: yes (0.28)
   Build C++ programs: yes
   Build C99 programs: yes
       Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
        ext2fs Source: e2fsprogs
syscall(2) invocation: fast
  vserver(2) syscall#: 273/default


cat /proc/virtual/82/status (Nagios host)
UseCnt: 85
Tasks:  38
Flags:  00020215
BCaps:  d44c04ff
CCaps:  0101
Ticks:  0



-- 
Regards,
Dennis Roos

Network Engineer @ InTouch N.V.
Middenweg 76
1097 BS Amsterdam
Tel: +31 (0)20 6752060
Fax: +31 (0)20 6758429

-=[Assumption is the mother of all f*ckups]=-
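
Added example (not part of the original thread and not util-vserver code): a shell check that decodes the BCaps and CCaps masks of a /proc/virtual/<xid>/status file, like the one posted above, to see whether a guest holds CAP_NET_RAW or only raw_icmp. It assumes BCaps is a hex bitmask indexed by Linux capability number and that raw_icmp is context-capability bit 8 (0x100), which should be verified against the kernel's vserver headers; the function names are illustrative.

```shell
#!/bin/sh
# Added example. SAMPLE_STATUS is the status text quoted in the message above.
SAMPLE_STATUS='UseCnt: 85
Tasks:  38
Flags:  00020215
BCaps:  d44c04ff
CCaps:  0101
Ticks:  0'

CAP_NET_RAW_BIT=13   # Linux capability number of CAP_NET_RAW (mask 0x2000)
RAW_ICMP_BIT=8       # ASSUMPTION: raw_icmp context capability is mask 0x100

# status_field NAME: print the value of the "NAME:" line read from stdin.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# mask_has_bit HEX BIT: 0 if the bit is set, 1 if clear, 2 if HEX is not hex.
mask_has_bit() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# report_bit FIELD HEX BIT LABEL: print one finding line.
report_bit() {
    rc=0
    mask_has_bit "$2" "$3" || rc=$?
    case "$rc" in
        0) echo "$1=$2 $4=present" ;;
        1) echo "$1=$2 $4=absent" ;;
        *) echo "$1=? $4=unknown" ;;
    esac
}

# audit_caps: read a status file on stdin and report both capability bits.
audit_caps() {
    status=$(cat)
    bcaps=$(printf '%s\n' "$status" | status_field BCaps)
    ccaps=$(printf '%s\n' "$status" | status_field CCaps)
    report_bit BCaps "$bcaps" "$CAP_NET_RAW_BIT" CAP_NET_RAW
    report_bit CCaps "$ccaps" "$RAW_ICMP_BIT" raw_icmp
}

# On a host: audit_caps < /proc/virtual/<xid>/status
printf '%s\n' "$SAMPLE_STATUS" | audit_caps
```

On the sample values, bit 13 is clear in BCaps and the assumed raw_icmp bit is set in CCaps.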




RE: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-11 Thread Matthew Nuzum
> on 2.x kernels, the raw_icmp capability replaces the
> insecure CAP_NET_RAW. raw_icmp is given by default
> on mainline util-vserver since (at least) 0.30.208
> (and we now have 0.30.209)
> 
> > What I did to get it to work was:
> >  * Add CAP_NET_RAW to the capabilities of the vserver (in /etc/vservers)
> 
> again, are we talking about 1.2.x or 2.x kernels here?

This confused the heck out of me when I first read it... to clarify to
anyone else who didn't get it at first, and I may be the only one, "1.x
kernels" means Linux 2.4.x kernels patched with the linux vserver 1.2.x
version patches (i.e. vserver 1.2.x). "2.x kernels" means Linux 2.6.x
kernels patched with the linux vserver 2.x version patches (i.e. vserver
2.x).

Kernel 1.x == Linux 2.4, vserver 1.2.x
Kernel 2.x == Linux 2.6, vserver 2.x

-- 
Matthew Nuzum <[EMAIL PROTECTED]>
www.followers.net - Makers of "Elite Content Management System"
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/



Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-11 Thread Herbert Poetzl
On Fri, Nov 11, 2005 at 10:06:59AM +0100, Dennis Roos wrote:
> On Fri, 2005-11-11 at 09:04 +0100, Evert Meulie wrote:
> > Warning for all!
> > 
> > Even though Nagios 2.x eventually compiled on my system, I ended up
> > with a defective check_ping. And since check_ping is used by Nagios
> > to check whether a host is up or not, this causes MAJOR problems...
>
> For ping you need to enable a specific capability. I have nagios 2.0
> running fine within a vserver ;)

on 2.x kernels, the raw_icmp capability replaces the
insecure CAP_NET_RAW. raw_icmp is given by default
on mainline util-vserver since (at least) 0.30.208
(and we now have 0.30.209)

> What I did to get it to work was:
>  * Add CAP_NET_RAW to the capabilities of the vserver (in /etc/vservers)

again, are we talking about 1.2.x or 2.x kernels here?

>  * start the vserver
>  * modify configure to check for a hostname instead of 127.0.0.1
>  * compile nagios
>  * configure nagios
>  * run nagios :)

TIA,
Herbert

> -- 
> Regards,
> Dennis Roos
> 
> Network Engineer @ InTouch N.V.
> Middenweg 76
> 1097 BS Amsterdam
> Tel: +31 (0)20 6752060
> Fax: +31 (0)20 6758429
> 
> -=[Assumption is the mother of all f*ckups]=-
> 
> 


Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-11 Thread Herbert Poetzl
On Fri, Nov 11, 2005 at 09:04:18AM +0100, Evert Meulie wrote:
> Warning for all!
> 
> Even though Nagios 2.x eventually compiled on my system, I ended up
> with a defective check_ping. And since check_ping is used by Nagios to
> check whether a host is up or not, this causes MAJOR problems...

what linux-vserver patches and tools?
as usual, please provide the output of testme.sh

> See http://www.meulie.net/forum_viewtopic.php?21.4226 for more info on
> this subject

hmm ... (which shows)

CRITICAL_ERROR:
Line 144 /www/e/evert/htdocs/class2.php

Error reported as: [1]: Unable to read core settings from database - Core 
settings exist but cannot be unserialized. Attempting to restore core backup ...
CRITICAL_ERROR:
Line 149 /www/e/evert/htdocs/class2.php

Error reported as: [3]: Core settings saved - backup made active.
Logo 

best,
Herbert

> Regards,
>   Evert
> 
> 
> 
> Evert Meulie wrote:
> >(cross-post from:  http://www.meulie.net/forum_viewtopic.php?94.4177 )
> >
> >
> >
> >Hi all!
> >
> >I'm attempting to install Nagios 2.x on a vserver. However, the build 
> >stops with:
> >
> >checking for ICMP ping syntax...
> >
> >
> >Has anyone else come across this problem before?
> >
> >
> >Regards,
> >   Evert
> >


Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-11 Thread Dennis Roos
On Fri, 2005-11-11 at 09:04 +0100, Evert Meulie wrote:
> Warning for all!
> 
> Even though Nagios 2.x eventually compiled on my system, I ended up with a 
> defective check_ping. And since check_ping is used by Nagios to check whether 
> a host is up or not, this causes MAJOR problems...
For ping you need to enable a specific capability. I have nagios 2.0 running 
fine within a vserver ;)

What I did to get it to work was:
 * Add CAP_NET_RAW to the capabilities of the vserver (in /etc/vservers)
 * start the vserver
 * modify configure to check for a hostname instead of 127.0.0.1
 * compile nagios
 * configure nagios
 * run nagios :)

-- 
Regards,
Dennis Roos

Network Engineer @ InTouch N.V.
Middenweg 76
1097 BS Amsterdam
Tel: +31 (0)20 6752060
Fax: +31 (0)20 6758429

-=[Assumption is the mother of all f*ckups]=-




Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-09 Thread Herbert Poetzl
On Tue, Nov 08, 2005 at 07:59:21PM +, Lyn St George wrote:
> On Tue, 8 Nov 2005 13:04:50 +0100, Herbert Poetzl wrote:
> 
> >On Tue, Nov 08, 2005 at 10:03:40AM +0100, Evert Meulie wrote:
> >> Yup, that was it!  :-)
> >> 
> >> Are there any plans to make 127.0.0.1 existent in future versions of
> >> vserver?
> >
> >yes :)
> 
> Does this mean that binding to 127.0.0.1 is currently risky in
> some way?

well, binding to, no, as it will be remapped to your
first IP, disabling or circumventing this mechanism,
might result in lower security ...

> The reason I ask is that I had to do this to set up Postfix + amavisd
> +spamd inside a vserver. This uses the old style config, and I just
> added 127.0.0.1 to the list of IPs to bind to. A netstat within the
> vserver shows the correct 2 ports bound to this IP, while a netstat
> on the host shows no ports bound. Kernel 2.6.12.4 + vs2.0 +
> tools 0.30.208.

well, yes this reduces the security, but as long as 
you 'know' who will bind to 127.0.0.1, it should be
moderate ...

best,
Herbert

> >> Regards,
> >>Evert
> >> 
> >> 
> >> Oliver Welter wrote:
> >> >Hi,
> >> >
> >> >I think that this problem is related to the nonexisting 127.0.0.1 
> >> >address. If I remember correctly then nagios tries to ping this address and 
> >> >can't reach it
> >> >I think that I simply commented this check out in the scripts
> >> >
> 
> -
> Lyn
> 


Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-08 Thread Lyn St George
On Tue, 8 Nov 2005 13:04:50 +0100, Herbert Poetzl wrote:

>On Tue, Nov 08, 2005 at 10:03:40AM +0100, Evert Meulie wrote:
>> Yup, that was it!  :-)
>> 
>> Are there any plans to make 127.0.0.1 existent in future versions of
>> vserver?
>
>yes :)

Does this mean that binding to 127.0.0.1 is currently risky in
some way?

The reason I ask is that I had to do this to set up Postfix + amavisd
+spamd inside a vserver. This uses the old style config, and I just
added 127.0.0.1 to the list of IPs to bind to. A netstat within the
vserver shows the correct 2 ports bound to this IP, while a netstat
on the host shows no ports bound. Kernel 2.6.12.4 + vs2.0 +
tools 0.30.208.


>> Regards,
>>  Evert
>> 
>> 
>> Oliver Welter wrote:
>> >Hi,
>> >
>> >I think that this problem is related to the nonexisting 127.0.0.1 
>> >address. If I remember correctly then nagios tries to ping this address and 
>> >can't reach it
>> >I think that I simply commented this check out in the scripts
>> >

-
Lyn



Re: [Vserver] Re: Nagios 2.x on a vserver. Anyone?

2005-11-08 Thread Herbert Poetzl
On Tue, Nov 08, 2005 at 10:03:40AM +0100, Evert Meulie wrote:
> Yup, that was it!  :-)
> 
> Are there any plans to make 127.0.0.1 existent in future versions of
> vserver?

yes :)

> Regards,
>   Evert
> 
> 
> Oliver Welter wrote:
> >Hi,
> >
> >I think that this problem is related to the nonexisting 127.0.0.1 
> >address. If I remember correctly then nagios tries to ping this address and 
> >can't reach it
> >I think that I simply commented this check out in the scripts
> >
> >Oliver
> >
> >Evert Meulie wrote:
> >
> >>(cross-post from:  http://www.meulie.net/forum_viewtopic.php?94.4177 )
> >>
> >>
> >>
> >>Hi all!
> >>
> >>I'm attempting to install Nagios 2.x on a vserver. However, the build 
> >>stops with:
> >>
> >>checking for ICMP ping syntax...
> >>
> >>
> >>Has anyone else come across this problem before?
> >>
> >>
> >>Regards,
> >>   Evert
> >>