Hmm... this command works for me with fakeinit on, although it should
really be calling "init q", but that's just me being picky.
You did restart the vserver after adding the flag, yes? Enter the vserver and
check if there's a process called "init" with a pid of 1 (use ps xa). You are
using
Actually, this is very OT... I'd search the gentoo forums, and you'll
probably find this question 20 times.
try adding "buildpkg" to FEATURES= in /etc/make.conf
the packages are created at /usr/portage/packages
On Sat, 2005-01-01 at 20:51 +0100, Oliver Welter wrote:
> Hi Folks
>
> I am running
t routing via eth1. If the other machines have no
> eth1 access, you need to alter their outgoing IP via SNAT.
> Might ofc be wrong, but then someone will reply and I will get it
> right myself, too ;)
>
> Regards,
> Adrian
--
Liam Helmer <[EMAIL PROTECTED]>
if this matters
> >
> > THX
> >
> > Oliver
> > --
> > This message was digitally signed
> > oliwel's public key: http://www.oliwel.de/oliwel.crt
> > Base certificate: http://www.ldv.ei.tum.de/page72
>
> best,
> Herbe
slog-ng if this matters
>
> THX
>
> Oliver
> ___
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
--
Liam Helmer <[EMAIL PROTECTED]>
ckstart.php
If this interests you, or you want to know more, email me at:
liam at strongboxlinux.com
Cheers,
Liam
--
StrongBox Linux
http://www.strongboxlinux.com
"Making Security Friendly"
--
Liam Helmer <[EMAIL PROTECTED]>
STROUTING -o ppp0 -s 192.168.1.0/24 -d !
> 192.168.1.0/24 -j SNAT --to-source
> next enter in my vserver:
> apt-get update
> 0% [Connecting to ftp2.it.debian.org (213.156.32.111)]
> 0% [Connecting to ftp2.it.debian.org (213.156.32.111)
Correction:
-A POSTROUTING -o ppp0
-i ppp0 won't work, sorry.
Cheers,
Liam
On Mon, 2004-12-20 at 09:28 -0800, Liam Helmer wrote:
> On Sat, 2004-12-18 at 12:28 +0100, Vincenzo Agosto wrote:
> > Herbert Poetzl wrote:
> > IP=`ifconfig ppp0 | grep inet | cut -d:
Here's my BCapabilities -> I've been running X inside a vserver for
quite some time. This is what I use.
CAP_CHOWN
CAP_DAC_READ_SEARCH -> needed for X
CAP_FOWNER
CAP_FSETID
CAP_KILL
CAP_SETGID
CAP_SETUID
CAP_SETPCAP -> I use this for ethereal
CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST
CAP_NET_RAW
C
On Sat, 2004-12-18 at 12:28 +0100, Vincenzo Agosto wrote:
> Herbert Poetzl wrote:
> IP=`ifconfig ppp0 | grep inet | cut -d: -f2 | awk {'print $1'}`
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j
> SNAT --to-source $IP
> same problem :(
Wanna try quoting a little less me
s
> Darryl
>
SD. In Window, the newly
> created "Bridge" gets a mac address and dishes the data to the right
> network card some how.
>
> Would either of these two things have any bearing?
--
Liam Helmer <[EMAIL PROTECTED]>
ch is an deal
I'm working on with a company that does Content Management Systems,
http://www.thesmallbox.com (which, incidentally, is a cool product and
has an online demo).
Cheers,
Liam
On Tue, 2004-11-02 at 09:18 -0800, R. Dale Thomas wrote:
> Liam Helmer wrote:
> [snip]
>
Hey y'all,
I've mentioned this before, but, now that I've finally got my new site
up, I'll put in a proper plug.
I've been building a linux distribution over the last year that is based
on linux-vserver, called StrongBox linux. It's based around gentoo and
debian, running kernel 2.6.8.1. The basi
d# ./vservers-legacy status
> > > > > ONBOOT=yes Server germanium is not running
> > > > >
> > > > > I can't seem to start the vserver.
> > > >
> > > > Hm, seems your debootstrap run wasn't completed successfully.
> > > > debootstrap uses a fake start-stop-daemon to prevent the newly installed
> > > > services from interfering with the currently running services. IIRC it
> > > > should automatically be replaced with the real start-stop-daemon when
> > > > debootstrap finishes.
> > > >
> > > > HTH
> > > > Bjoern
> > > >
--
Liam Helmer <[EMAIL PROTECTED]>
--
Liam Helmer <[EMAIL PROTECTED]>
lus, you can easily implement change
control systems that allow you to log _all_ changes that are made to a
server. And you don't have to spend every night running checksums on all
your binaries to see if someone's broken into your system yet...
If you're man
On Wed, 2004-10-13 at 20:50 +0200, Jörn Engel wrote:
> The only problem is that cowlinks are symmetric. There is no natural
> way to tell the "original" from the "copy". It's up to the user to
> declare 2.6.8 the "original" and 2.6.9-rc3-bk8 the "copy".
This is one thing that I love about Union
; to be regular files.
>
> o A new syscall should be introduced to retrieve the inode number of
> the underlying inode (eg I1 in the example). Diff needs to use this
>   system call so its optimization for hard links works with cowlinks
> as well.
Sorry, I missed some of the message ;)
> This directory does not exist. In fact /etc/iproute2 doesn't. Does this
> indicate whether iproute2 is installed or just not used in this manner.
>
> > 200 vserver
>
> I'm assuming vserver is a label so with my naming convention it would be
>
>
of this year
> addressing this same issue.
> Do you think it may be part of Fedora Core 1? Rpm reports a
> iproute-2.4.7-11. Is there another way to test whether this is a
> Redhat/Fedora naming convention or the real thing -- 2?
>
> On Tue, 12 Oct 2004, Liam Helmer wrote:
N) routes and I forgot to look at this logs since it
> appeared this was working (secondary MX) until we got flooded with
> junkmail this week-end which seems to have overloaded the primary MX (a
> stand alone system). Nothing like a load test to get the smoke f
It's funny... I'd sent that a week ago, and it didn't show up on the
list, but I managed to answer my own question anyways. Ah, the
reliability of email ;)
Cheers,
Liam
On Thu, 2004-10-07 at 18:25 +0200, Björn Steinbrink wrote:
> On Fri, 01 Oct 2004 02:00:27 -0700
> Liam Hel
> > Eric
> >
--
Liam Helmer <[EMAIL PROTECTED]>
system :) Or just see the 2G/2G option I
> already seen discussed in linux kernel mailing lists...
> And posting in linux kernel mailing list.
>
> Thanks for your response...
>
> Oh, btw, You may be interested by the fact we have now more than 100
> vservers deployed... T
I have made a patch to allow you to use a vserver within a virtual
context but without a chbind, updated for the new vserver utils. I can
post it up if you like.
But, either way, your ideal is probably not running a service that uses
direct kernel access (like nfsd) within a vserver. You might wan
... which is at bugs.gentoo.org.
Wanna send a copy my way as well? Or a link to the bugs.gentoo.org entry
if you do that?
Cheers,
Liam
On Wed, 2004-07-28 at 16:48, Georges Toth wrote:
> hi,
>
> could you please make a bugtracker entry on gentoo.org for that ebuild for it
> to be included in the
From the list archives: 1 vserver copied to another thread...
This looks pretty complete, and it's designed for copying 1 live server
to a new server.
Cheers,
Liam
-Forwarded Message-
> From: Joel Vandal <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Vserver] rsyncing vserv
Well, the vserver mailing list works... but a number of people have been
having some issues with the subscribe/unsubscribe mechanism. I'm not
sure what the current status of that is.
As to your project: wow, looks really neat. It looks to me like a good
fit with vserver, as it adds a lot to vserve
Yup. The patch we did on IRC is working like a charm.
Incidentally, the squashfs maintainer pointed to the XID tagging issues
as well, saying that that was likely it.
Cheers,
Liam
On Mon, 2004-07-12 at 23:19, Herbert Poetzl wrote:
> On Mon, Jul 12, 2004 at 07:58:07PM +0000, Liam Helmer wr
I guess you could have a picture of a penguin in a whole bunch of
pieces... Or sliced penguin ;)
But, that's getting morbid...
Cheers,
Liam
On Mon, 2004-07-12 at 21:49, Christian Jaeger wrote:
> At 21:36 + 12.07.2004, Liam Helmer wrote:
> >I think I liked the first one bes
I think I liked the first one best. But, either of the first 2 are fine.
Also, my g/f thought they were cute. And, hey, that's what a logo's
about, isn't it?
Cheers,
Liam
On Mon, 2004-07-12 at 20:36, Matthew Nuzum wrote:
> I liked 2 and 4 best. Logo 4 had a little more of a "corp" feel which ma
Hey Herbert,
We chatted a bit about this on IRC, but I wanted to try and get this
resolved, so I'll make a more thorough report on the matter:
I'm using kernel 2.6.7 with vserver 1.9.2-rc5.
The problem I'm running into is with the squashfs file system
(http://squashfs.sf.net). This bug affects bo
I'm getting kernel errors and a system hang using the new tools.
Configuration: kernel 2.6.6 with vserver 1.9.1
util-vserver 0.2.9-214
filesystems: mostly reiserfs and tmpfs. Using lvm-2 and device-mapper.
devfs: no
result: eventual system hang, all cpu being used up by ksoftirq, reboot
won't work
On Fri, 2004-06-18 at 00:27, Enrico Scholz wrote:
> http://www-user.tu-chemnitz.de/~ensc/util-vserver/doc/conf/configuration.html
>
> or at
>
> http://www.linux-vserver.org/index.php?page=alpha+util-vserver
Thanks Enrico,
Nice, backdrop ;-)
l8r
Liam
On Thu, 2004-06-17 at 09:29, Herbert Poetzl wrote:
> On Wed, Jun 16, 2004 at 11:10:32PM +0000, Liam Helmer wrote:
> hmm, well, !--secure is _very_ insecure, maybe it would
> be a better approach to add the CAPs one by one, to
> find a minimal set of CAPs for your 'special' us
I've been playing with the alpha vserver tools, and I'm trying to figure
out how to expand a vservers capabilities. I hacked the previous version
to not pass the --secure flag with a certain commandline option, so that
I could do things like run X-Windows or similar applications. I found a
referenc
I think that you're honestly better off creating some kind of pipe or
socket where the commands come through, which has a list of functions
that it can provide. That way you can have a list, and see if there's a
match for what's sent. It'd really be quite hard to implement a SUID
type of arrangeme
> On a side note, we are working on a php/ldap based vserver configuration
> management tool, as the only tool I am aware of is still unavailable...
>
> If anyone is interested, I'd be willing to put it online somewhere...
> Contact me off-list about this.
Sounds cool... I'd be into possibly help
On Wed, 2004-05-12 at 17:31, Dennis Roos wrote:
> Hi,
> Here's the problem:
> Users inside the vserver are unable to traceroute (ping works fine, due
> to the CAP_NET_RAW)... traceroute complains about the (source)
> interface, like so:
> root # traceroute -n www.google.nl
> traceroute: findsaddr:
I think that this is because bind9 uses linux-capabilities to do its
change to a particular user -> thus, when capabilities aren't present in
the compilation, no user switch is possible. That's been my take on it
at least.
I'm in the process of switching my sites to pdns anyways though -> which
r
I'm not sure it will be THAT big a deal. Most of the upgrades to
software are required specifically for things like e2fs utils, etc ->
things that require access to the kernel syscalls. I remember running
redhat 6.2 with kernel 2.4pre1 (back in the day), and there was very
little I needed to do to
> I don't like this keystroke saving sugar, vserver should just have the
> 'exec' option and nothing else, even the 'enter' command is not that
> necessary IMHO :-)
>
Well, you don't have to use it ;) If it saves me 10 minutes (in total)
out of my day, that's a good thing.
But, if you really want
> > Enforcing routing of outgoing packets to always use the vservers's
> > source IP(s)
> this is something which will be solved by the next
> step when I clean up the network implementation of
> vserver (and should already work partially), so I
> think this should not require special rules ...
No
> hmm, I do not see a problem with implementing a
> netfilter for xid (on outgoing packets), if you
> (or somebody else) volunteers to do the userspace
> part (for netfilter) to configure it ...
I'm up for it. We'd have to all decide on what people want it to do,
exactly, but that's cool. Somethin
's an
intervening router. I'm not 100% sure it'll catch the packets correctly
though, but it might be worth a shot.
Cheers,
Liam
On Wed, 2004-04-28 at 18:00, [EMAIL PROTECTED] wrote:
> Liam Helmer wrote:
> > Did you check those to make sure that packets coming from
>
On Wed, 2004-04-28 at 16:55, Alex Lyashkov wrote:
> On Wed, 28.04.2004, at 19:45, Liam Helmer wrote:
> > This question came up on the list a week or two ago, and the answer was
> > that IPtables rules were changing the source address of outgoing
> > connections. Did you check th
This question came up on the list a week or two ago, and the answer was
that IPtables rules were changing the source address of outgoing
connections. Did you check those to make sure that packets coming from
your vserver addresses aren't being SNAT-ed to something?
Just thought I'd check.
Cheers,
I'm not sure what the question is here, but I currently use Plesk inside
a vserver without any issues on one of my client's boxes. The only
weirdness for me was having to make sure that my ip addresses were added
to the box using ifconfig, not iproute -> I'm using an old version of
plesk that uses
On Wed, 2004-04-21 at 19:07, Micah Anderson wrote:
> You may have missed the section below where I include the
> vservers/.conf file which shows clearly that the private IP is
> in the IPROOT= variable, and this still doesn't work.
>
> micah
>
> On Wed, 21 Apr 2004, Liam
To make it communicate using a private IP would involve adding that
private ip to its IPROOT= variable in the vservsers/.conf file.
However, you're probably much better off adding permissions to the mysql
server so that the external IP can connect, and not changing the
vserver config at all.
this mean you're thinking about doing this, in your copious
spare time? ;)
Cheers,
Liam
On Thu, 2004-04-08 at 23:34, Herbert Poetzl wrote:
> On Thu, Apr 08, 2004 at 05:51:05PM +0000, Liam Helmer wrote:
> > Intriguing, I managed to miss that one.
> > I tried it out, in case
onto it... ;)
Other than directory unlinking stuff, it works quite well. No crashes
yet. The interface (via sysctl) is a little odd, but it seems to work
OK.
Cheers,
Liam
On Thu, 2004-04-08 at 14:43, Gregory (Grisha) Trubetskoy wrote:
> On Thu, 8 Apr 2004, Liam Helmer wrote:
>
> > I a
I went on a different tack with all this: I wanted to use read only disk
images for vservers, and then have a set of configuration files that are
shared between the vservers. This still lets you do updates to some
degree with file binds and the like, but completely locks down the
ability of the vse
On Wed, 2004-03-31 at 05:11, Herbert Poetzl wrote:
On Wed, Mar 31, 2004 at 01:41:14AM +, Liam Helmer wrote:
printf "%s:%02x" eth0 12345
Ooh, cool. That's much nicer. So, after fixing a couple of other bugs too, it should look more like this:
vstohex () {
The creation of the dummy devices is ugly and has races ('dummy0' is
used by every 'vserver ... start' instance which conflicts with the
parallel vserver startup). 'dummy' would be ideally but is not
supported by the kernel.
I've attached what I was thinking, roughly. Yes, this is part of a
On Tue, 2004-03-30 at 20:27, Enrico Scholz wrote:
> Ok, I implemented the first part of your suggestion into util-vserver[1];
> for the second one (iptables), I am not sure how to realize it (especially
> the removal of the rules).
I'll work on that one, 'cause it would be useful for me... I'll se
Here's a bunch of thoughts on networking in linux-vserver.
The nice thing about the current linux-vserver interface is that it's
efficient. The packet only has to travel once through the network stack,
which makes it faster, especially when packets have to be rebuilt from
fragments.
The bad thing
On Tue, 2004-03-30 at 09:51, Dariush Pietrzak wrote:
> > > http://strongboxlinux.com/files/linux-2.4.25sbl1/
> > >
> > > vserver+POM+supermount+evfs+freeswan+a few other things
> >
> > Wow. Super patchset! For those of us slightly Linux challenged will a
> yup, and broken systrace on top. Very
Works no problem. You can use my patchset if you're running 2.4.25:
http://strongboxlinux.com/files/linux-2.4.25sbl1/
vserver+POM+supermount+evfs+freeswan+a few other things
Cheers,
Liam
On Mon, 2004-03-29 at 17:58, Roderick A. Anderson wrote:
> Has anyone applied the IPTables POM patches from
Yes, it works fine -> but you have to fine-tune the permissions a lot ->
it ends up requiring most of the admin permissions, /dev/kmem, etc...
It still makes sense for some applications -> having a separate
filesystem namespace and/or ip space for a desktop can be a great boon
for zero administrat
It sounds to me like there's definitely interest. The thing is, you
haven't told anyone what freevps really does at this point. Virtually
nobody on this list, I imagine, is running that version of redhat and
that kernel. And, if they are, they're looking to upgrade, because it's
very hard to secure
I personally use Gentoo for the vast majority of my work, so a redhat
specific patchset isn't that useful to me. I noticed FreeVPS when I was
looking around, but the fact that it's so distribution-specific caused
me to pass it by without much more than a second glance. (Like most
linux geeks, I'm e
I like option a; I think that using the LSM framework is the best way to
go, and ensures that you have a whole lot less work in the future ->
instead of patching in a vserver framework, instead you have a more
established API that will be less of a moving target to develop against.
It also makes it
ce] Digest: generating secret for digest
authentication ...
[Fri Jan 23 00:43:17 2004] [notice] Digest: done
OK... I just have to get it more random data -> that, I can deal with!
Cheers,
Liam
On Thu, 2004-01-22 at 15:28, Liam Helmer wrote:
> Hey guys,
>
> I've been working wi
Hey guys,
I've been working with linux vservers inside my distribution
(http://desktopappliances.org). I'm currently playing with a web server
module running in a vserver. However, I have 2 bugs that are cropping
up, and I'm trying to identify and correct them.
First off, the obligatory setup inf
hich
is, naturally, a big security hole. It also seems to create a device for
its graphics card on startup, which may be an issue.
Cheers,
Liam
On Fri, 2003-12-19 at 12:04, Herbert Poetzl wrote:
> On Fri, Dec 19, 2003 at 11:14:47AM -0800, Liam Helmer wrote:
> > Anyone a
Awesome! I look forward to testing it out for you.
Well, I won't worry about it too much then -> I'm sure you're way more
qualified at this than I am.
l8r,
Liam
On Fri, 2003-12-19 at 12:03, Herbert Poetzl wrote:
> I'm working on a port to ck1, and I guess it will
> be available soon for vs1.3.x
Anyone attempted getting XFree86 working inside a vserver? Anyone
succeeded? I can't see why this shouldn't work, so I'm curious if it's
been tried.
l8r,
Liam
I've been working on getting the linux-vservers patch working with a ck
+ grsecurity patched kernel (maintained on this site:
http://www.plumlocosoft.com/kernel/). The CK patchset is a set of
patches for preemption, a new kernel scheduler (I believe a backport of
some of the stuff in 2.6, plus oth