On Tue, Aug 08, 2006 at 04:42:09PM +0200, Oliver Heinz wrote:
> On Tuesday, 8 August 2006 16:07, Herbert Poetzl wrote:
> > On Tue, Aug 08, 2006 at 11:07:21AM +0200, Oliver Heinz wrote:
> > > On Monday, 7 August 2006 20:24, Herbert Poetzl wrote:
> > > > On Mon, Aug 07, 2006 at 12:24:54PM +0200, Oliver Heinz wrote:
> > > > > On Monday, 7 August 2006 11:42, Oliver Heinz wrote:
> > > > > > Hi there,
> > > > > >
> > > > > > I want to remount temporarily a noexec filesystem (/tmp) that is
> > > > > > mounted in a vserver. I don't want to change the fstab and restart
> > > > > > the vserver, and I don't want to give the vserver the caps to do it
> > > > > > from within.
> > > > > >
> > > > > > I'm sure there is a way to do that from the root-vserver, right?
> > > > > >
> > > > > > Within the vserver it would be a 'mount -o remount,exec /tmp'
> > > > > >
> > > > > > I found the secure-mount command but did not manage to get it to do
> > > > > > what I wanted.
> > > > >
> > > > > Just found that I forgot to add the second part. Same with Network
> > > > > Interfaces, how can I add/delete an Interface from the outside to a
> > > > > running vserver.
> > > >
> > > > first, with recent devel kernels and proper tools you
> > > > can add ips to a running guest, given that the guest
> > > > already had at least two ips assigned (single ip
> > > > special casing is still there)
> > >
> > > Why do I need already two IPs assigned?
> >
> > because a single IP will get special casing if you do not
> > tell the guest otherwise, which makes it impossible for
> > already bound services to accommodate to a new ip
>
> Is it possible to give the guest enough capabilities
> to add IPs from within and will this work?
yes and (probably no).

thing is, you can add NET_ADMIN which will allow you to
add new ips to the network stack, you probably can also
give CAP_CONTEXT to allow certain vserver commands, but
I doubt that this will allow you to do the necessary
manipulations to the network context in a _somewhat_
secure manner

but, as usual, a simple helper approach can solve this
quite fine, just install a daemon on the host which can
be contacted from within the guest, which adds an ip to
the network stack _and_ the calling guest (this also
works for iptables and routing btw :)

HTH,
Herbert

> > > > now, 'how' to do that depends on the tools you use,
> > > > but basically it's a single command which adds or removes
> > > > a single ip ...
> > >
> > > I tried a
> > > vnamespace -e service ip addr add 172.29.50.163/24 brd 172.29.50.255
> > > dev eth1 to add an interface to the guest called service
> > >
> > > But this is probably the wrong command :-(
> >
> > yep, vnamespace enters the 'file system namespace' for that
> > guest, which is not really related to ips as you figured
> >
> > > I get an additional ip that is shown on the root-vserver
> > >
> > > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> > > link/ether 00:0e:0c:71:0f:8e brd ff:ff:ff:ff:ff:ff
> > > inet 172.29.50.100/24 brd 172.29.50.255 scope global eth1
> > > inet 172.29.50.199/24 brd 172.29.50.255 scope global secondary eth1
> > > ...
> > > inet 172.29.50.163/24 brd 172.29.50.255 scope global secondary eth1
> > >
> > > But no new interface is shown inside the guest:
> > >
> > > [EMAIL PROTECTED]:/etc/snappy# vserver service enter
> > > service:/# ip addr show
> > > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> > > link/ether 00:0e:0c:71:0f:8e brd ff:ff:ff:ff:ff:ff
> > > inet 172.29.50.199/24 brd 172.29.50.255 scope global secondary eth1
> > >
> > > I'm running:
> > > Kernel: 2.6.16.25-vs2.0.2-rc20-grsec2.1.9
> > > VS-API: 0x00020001
> > > util-vserver: 0.30.210; Mar 3 2006, 14:06:42
> >
> > with vserver-utils (according to Hollow):
> >
> > nx -add-addr <nid> <ip>/<prefix>
> >
> > with vcmd (hack tool):
> >
> > vcmd -i <nid> -C net_add .type=1 .count=1 .ip[0]=<ip> .mask=<mask>
> >
> > note: (older) vcmd takes the if/mask as dotted quad, but
> > in reverse order (fixed in newer version)
>
> Thanks, I'll try that.
>
> Bye,
> Oliver
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
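The host-side helper Herbert suggests, as an added example that is not code from the thread or from util-vserver: the guest asks the host for an address, the host checks the request against a per-guest pool (so the guest needs neither NET_ADMIN nor CAP_CONTEXT and cannot claim an address outside its pool), and then runs the two commands from the mail, `ip addr add` for the host stack and `nx -add-addr <nid> <ip>/<prefix>` for the guest's network context. The nid value 49, the pool, the device name `eth1` and the injectable `run` callback are assumptions made for the example.

```python
"""Host-side helper handing an extra IP to a running Linux-VServer guest.

Added example, not code from the thread or from util-vserver. The host
adds the address to its own network stack with 'ip addr add', then
attaches it to the guest's network context with 'nx -add-addr'.
"""
import ipaddress
import subprocess

# Constructed policy (assumption): which addresses each guest, keyed by its
# network context id (nid), may request. The helper is the trust boundary,
# so the guest never gets NET_ADMIN and cannot claim an arbitrary address.
ALLOWED_POOLS = {
    49: [ipaddress.ip_network("172.29.50.160/29")],  # hypothetical guest "service"
}


class RequestRejected(ValueError):
    """Raised when a guest request fails validation."""


def plan_add_addr(nid, cidr, dev="eth1", pools=ALLOWED_POOLS):
    """Validate a guest request and return the host commands to run (argv lists)."""
    if nid not in pools:
        raise RequestRejected("unknown nid %r" % (nid,))
    try:
        iface = ipaddress.ip_interface(cidr)  # e.g. "172.29.50.163/24"
    except ValueError as exc:
        raise RequestRejected("bad address %r: %s" % (cidr, exc))
    if not any(iface.ip in pool for pool in pools[nid]):
        raise RequestRejected("%s is not in the pool of nid %d" % (iface.ip, nid))
    addr = "%s/%d" % (iface.ip, iface.network.prefixlen)
    brd = str(iface.network.broadcast_address)
    return [
        ["ip", "addr", "add", addr, "brd", brd, "dev", dev],  # host network stack
        ["nx", "-add-addr", str(nid), addr],                  # guest network context
    ]


def add_addr(nid, cidr, dev="eth1", run=subprocess.check_call):
    """Apply the plan; 'run' is injectable so the logic can be exercised offline."""
    cmds = plan_add_addr(nid, cidr, dev)
    for cmd in cmds:
        run(cmd)
    return cmds
```

A daemon wrapping `add_addr` would identify the calling guest by its nid on the host side rather than trusting a nid sent by the guest.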