----- Original Message -----
From: "Nigel Marett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 10:02 AM
Subject: Re: Some general FreeVSD questions
> Mornin Ben,
>
> > > Ah, good point. If the host server is aware of this service and it has
> > > been virtualised (it has been configured properly in [x]inetd to run
> > > through virtuald), then yes this may cause problems. Having just tried
> > > it with apache, you get errors as the vs configured to bind to all IPs
> > > fails to come up if there is another vs already running http, as it
> > > can't bind to that address, so you're more likely to screw up your own
> > > services than those on the other vs's. If the host server doesn't know
> > > of the service (or it hasn't been virtualised) then there is no way to
> > > get requests to the virtual server.
> >
> > In relation to your last sentence, in what way does the host server
> > 'know' of the MySQL servers (mysqld)? 'mysqld' is run from
> > "/etc/rc.vsd" on the VSs and is not 'virtualised' into /etc/inetd.conf
> > on the host server? Yet MySQL requests get to the VS, don't they?
>
> mysqld is bound to the VS's IP, and listens on a port above 1024 (3306 I
> believe) so doesn't need root privs to bind to that port.
>
> If you can imagine the IP alias is actually _bound_ to the VS under chroot,
> so has a real IP assigned to it.
>
> This comes into the area that I understand but yet still confuses me at the
> same time, you need to imagine the VS as a host unto itself, and treat it
> like one.
>
> So to answer your question, MySQL requests do go straight to your VS via that
> VS's IP (alias) address.
>
> Hope that makes sense.... =>
>
> Cheers,
>
> Nige
>
Nigel,
Thanks for the answer.
What I was really confused about, though, was that Damion made it sound
as if the host server had to "know" about a daemon listening on a port
(regardless of whether the port was under 1024 or not) on a VS before it
could be of any use. I.e., it sounded as if he was saying that in order
to get a port-listening daemon working on a VS, the host server had to
be specifically configured to allow this (which, in the case of MySQL,
isn't true, you just make sure MySQL is installed on the VS and add a
few lines to "/etc/rc.vsd" on the VS.)
What I'm really getting at is that isn't it possible for an 'admin' user
of a VS, rather than specifically purchasing a hosting package which
includes MySQL, to compile and install MySQL and configure it themselves
to listen for requests? I suppose that the only way to stop this is to
set up strict firewall rules on the host server for each VS IP (so that
it blocks all ports except those for services purchased) but even then,
if they were desperate, they could use a non-standard port number (of a
service which they had purchased but were not using)?
Also, as I mentioned before, wouldn't it have nasty results if the
admin user configured a service to listen on an IP address belonging to
the host server or that of a different VS. For example, they could run
their MySQL server bound to the IP address 111.222.333.444
(which, say, belongs to another VS without MySQL) instead of their own IP
and pretend to be the other VS? etc. etc. etc. Is idaya working on some
sort of protection mechanism which will prevent any daemon running from
a VS that is listening on an IP other than the one(s) allocated to the
VS?
Regards,
Ben Kennish
[EMAIL PROTECTED]
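Two points in this exchange can be reproduced at the socket layer without a FreeVSD box: the bind conflict Nigel saw with apache (a daemon asking for a port on all IPs loses if another VS already holds that port on its alias, and vice versa), and the kind of allocation check Ben asks about (refusing a bind to any address the VS has not been given). The script below is an added example written for this page; it is not FreeVSD or idaya code. It assumes only that 127.0.0.1 exists, so it uses loopback and ephemeral ports in place of real VS aliases, and the VS_ALLOCATION table and guarded_bind() are a constructed, userland sketch of a policy, not a description of how FreeVSD actually enforces anything.

```python
"""Added example for the freevsd-support thread: port contention between two
virtual servers, and a sketch of a per-VS bind policy. Constructed here; not
FreeVSD code."""
import errno
import socket

# Constructed sample allocation: which IP aliases each virtual server "owns".
# Real VSs would each have their own alias; here vs1 gets loopback (the only
# address we can assume exists) and vs2 gets nothing, so the refusal path is
# exercised on any machine. This table is an assumption of the example.
VS_ALLOCATION = {
    "vs1": {"127.0.0.1"},
    "vs2": set(),
}


def try_bind(ip, port):
    """Bind a fresh TCP socket to (ip, port) without SO_REUSEADDR, as a daemon
    started from rc.vsd with default options would. Returns the bound socket on
    success, or the errno the kernel returned on refusal."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, port))
        return s
    except OSError as e:
        s.close()
        return e.errno


def _close(sock_or_errno):
    if not isinstance(sock_or_errno, int):
        sock_or_errno.close()


def port_contention():
    """Reproduce the failure described in the thread. First, VS1's daemon is
    bound to its own alias and VS2's daemon then asks for the same port on all
    interfaces (0.0.0.0): the wildcard bind is refused with EADDRINUSE. Then the
    reverse order: a wildcard listener already up refuses a later alias-specific
    bind on the same port. Returns a dict of booleans."""
    vs1 = try_bind("127.0.0.1", 0)           # alias-specific, ephemeral port
    port = vs1.getsockname()[1]
    wildcard = try_bind("0.0.0.0", port)     # the 'bind to all IPs' VS
    out = {"wildcard_refused": wildcard == errno.EADDRINUSE}
    _close(wildcard)
    vs1.close()

    wild_first = try_bind("0.0.0.0", 0)      # wildcard listener already up
    port2 = wild_first.getsockname()[1]
    specific = try_bind("127.0.0.1", port2)  # another VS's alias, same port
    out["specific_refused_after_wildcard"] = specific == errno.EADDRINUSE
    _close(specific)
    wild_first.close()
    return out


def guarded_bind(vs_name, ip, port, allocation=VS_ALLOCATION):
    """Hypothetical allocation check (not a FreeVSD feature): refuse any bind to
    an address the VS has not been allocated, and refuse the wildcard outright,
    since 0.0.0.0 would cover every other VS's alias and the host's own IP.
    Raises PermissionError on refusal; returns the bound socket otherwise."""
    if ip == "0.0.0.0" or ip not in allocation.get(vs_name, set()):
        raise PermissionError(f"{vs_name} may not bind {ip}:{port}")
    return try_bind(ip, port)


if __name__ == "__main__":
    print(port_contention())
    s = guarded_bind("vs1", "127.0.0.1", 0)
    print("vs1 bound to", s.getsockname())
    s.close()
    for vs, ip in (("vs2", "127.0.0.1"), ("vs1", "0.0.0.0")):
        try:
            guarded_bind(vs, ip, 3306)
        except PermissionError as e:
            print("refused:", e)
```

The two contention results are what Nigel's apache observation predicts: without SO_REUSEADDR the kernel treats a wildcard bind and an alias-specific bind on the same port as a conflict in either order, so the VS that binds everything is the one most likely to break, and only its own services at that. The guard shows the shape of the check Ben asks idaya about, but in userland it is advisory only; a VS admin who compiles their own mysqld simply does not call it, which is why the thread ends up at host-side firewalling or kernel-level enforcement rather than anything inside the chroot.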
------------------------- The freeVSD Support List --------------------------
Subscribe: mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
Archives: http://freevsd.org/support/mail-archives/freevsd-support
-----------------------------------------------------------------------------