Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Chris Wright
* Thomas Weber ([EMAIL PROTECTED]) wrote:
> On Thu, Jan 13, 2005 at 02:06:50PM -0800, Chris Wright wrote:
> > * Thomas Weber ([EMAIL PROTECTED]) wrote:
> > > if you have to try using capabilities in order to detect kernel support
> > > for it, wouldn't it be more useful to have the capability system
> > > generate an entry in /proc (or /sys)? And no, I'm not a kernel hacker.
> > 
> > /sys/module/capability/ will only exist if capability system is active
> > (for fairly recent 2.6 kernels).
> 
> I've seen this, but will it exist even if it's compiled non modular?

Yes, that was what I meant by the caveat re: fairly recent 2.6 kernels.
Rusty added code such that statically built modules still populated
/sys/module/$mod/parameters or somesuch.  It's not the best, but it's
something.

thanks,
-chris
-- 
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Thomas Weber
On Thu, Jan 13, 2005 at 02:06:50PM -0800, Chris Wright wrote:
> * Thomas Weber ([EMAIL PROTECTED]) wrote:
> > if you have to try using capabilities in order to detect kernel support
> > for it, wouldn't it be more useful to have the capability system
> > generate an entry in /proc (or /sys)? And no, I'm not a kernel hacker.
> 
> /sys/module/capability/ will only exist if capability system is active
> (for fairly recent 2.6 kernels).

I've seen this, but will it exist even if it's compiled non modular?

  Tom


Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Chris Wright
* Thomas Weber ([EMAIL PROTECTED]) wrote:
> if you have to try using capabilities in order to detect kernel support
> for it, wouldn't it be more useful to have the capability system
> generate an entry in /proc (or /sys)? And no, I'm not a kernel hacker.

/sys/module/capability/ will only exist if capability system is active
(for fairly recent 2.6 kernels).

thanks,
-chris
-- 
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net


Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Thomas Weber
[sorry for messing up the thread by answering personal and forwarding to 
the list earlier]

On Thu, Jan 13, 2005 at 07:26:30PM +0100, Herbert Poetzl wrote:
> On Thu, Jan 13, 2005 at 05:46:10PM +0100, Thomas Weber wrote:
> > On Thu, Jan 13, 2005 at 05:12:43PM +0100, Herbert Poetzl wrote:
> > > > So I think the util-vserver package should make sure that there is
> > > > capability support in the kernel before starting the vserver or else it
> > > > will silently run insecure vservers!
> > > 
> > > well, IMHO that is something beyond the scope of 
> > > util-vserver. why? simple, you would encounter the
> > > same issues on a vanilla system, if you do not load
> > > or compile in the capability stuff, similar to the
> > > issues you will encounter if you do not compile in
> > > support for ipv4, which clearly is _not_ something
> > > util-vserver should take care of when starting a
> > > new vserver ...
> > 
> > I don't think it's much different than checking the permissions of
> > /vservers and giving a warning...
> 
> do the tools warn on misconfigured barriers?

at least the old ones did.

> (not sure about that) but agreed, a warning would
> be nice, unless it gives false positives ...

more than nice.

> (I guess patches are welcome ;)

if you have to try using capabilities in order to detect kernel support
for it, wouldn't it be more useful to have the capability system
generate an entry in /proc (or /sys)? And no, I'm not a kernel hacker.

> > I don't consider myself a newbie, and I'm running vservers for quite
> > some time now - this wasn't a known issue to me and it's not very
> > obvious to figure out. Yet I'm glad this was a problem for me, because
> > an as you call it 'clean vserver config' would not have triggered this
> > behaviour and maybe I would now run totally insecure vservers without
> > knowing. Maybe there are already lots of insecure vservers up and
> > running out there.
> 
> probably, at least with debian it seems to be default
> to build linux-caps as module and _not_ load it on
> bootup (hopefully that will be fixed soon)

building linux-caps as module was my decision. I don't use debian
packages for the kernel. I compile it myself. Like most people I expect
something to fail if the kernel doesn't have support for it (coming from
2.4 kernels one might even expect it to load automatically).

regards,
  Tom


Re: [Vserver] Vserver start: Cannot find device eth0:xxx

2005-01-13 Thread Tom Laermans
Herbert Poetzl wrote:
> > But when I try again to start the vserver, I get the same 
> > error message as previously. What happens ?
> unrelated, probably you got the config wrong (with the
> build command) so that it tries to setup some device
> which doesn't exist (eth0:modele)
Or, just a guess, maybe the kernel is compiled without network aliasing 
support?

Tom


Re: [Vserver] Can't build on Alpha

2005-01-13 Thread John Goerzen
On Thu, Jan 13, 2005 at 07:47:30PM +0100, Herbert Poetzl wrote:
> On Thu, Jan 13, 2005 at 11:33:24AM -0600, John Goerzen wrote:
> > Hi,
> > 
> > I'm trying to build 2.6.9 with the latest dev release for Alpha.  I'm
> > getting:
> 
> what is the 'latest dev release for Alpha'?

Sorry, that was unclear.  I should have said "I'm trying to build 2.6.9
for Alpha with the latest dev release".  In this case, it means 1.9.3
:-)

> > Any ideas?
> 
> looks like the syscall made it into the kernel ...
> 
> just remove the second definition (line 367)

Will do.  Interestingly, they're different:  On line 236:

#define __NR_vserver 273

On line 367:

#define __NR_vserver 428

But in any case, that fixed it.

-- John


Re: [Vserver] Vserver start: Cannot find device eth0:xxx

2005-01-13 Thread Herbert Poetzl
On Thu, Jan 13, 2005 at 06:49:16PM +0100, Nicolas Costes wrote:
> 
> Hello, all !
> 
> I use the last devel util-vserver tools (196 ?), and have setup a mandrake 
> with:
> # vserver modele build -m skeleton --(interfaces, etc...)
> Then:
> # urpmi --root /vservers/modele basesystem
> 
> I get a 100Mb vserver. This method works with the stable tools. 

I doubt that, as the stable tools do neither support the
build method you used, nor the resulting config ...

> Here, when I start my vserver, it tells me that it cannot find the 
> device "eth0:modele". 

could you provide the entire vserver modele build -m skeleton line?

> I know that with devel tools I got to create it myself, so 

this is just wrong, the devel tools can create normal ip
addresses or 'legacy style' aliases or use existing ips
(it's just a matter of configuration)

> I've created (On the host) 
> /etc/sysconfig/network-scripts/ifcfg-eth0:modele. 

really not necessary (but maybe fun to do ;)

> Then, I start this interface with "ifup eth0:modele", and 
> "ifconfig" shows it to me...

expected ...

> But when I try again to start the vserver, I get the same 
> error message as previously. What happens ?

unrelated, probably you got the config wrong (with the
build command) so that it tries to setup some device
which doesn't exist (eth0:modele)

HTH,
Herbert

> Thanks...
> 
> 
> -- 
>   ,,
>  (°>   Nicolas Costes
>  /|\   IUT de La Roche / Yon
> ( ^ )  Clé publique: http://www.keyserver.net/
>  ^ ^   Musique libre: http://www.magnatune.com/





Re: [Vserver] Can't build on Alpha

2005-01-13 Thread Herbert Poetzl
On Thu, Jan 13, 2005 at 11:33:24AM -0600, John Goerzen wrote:
> Hi,
> 
> I'm trying to build 2.6.9 with the latest dev release for Alpha.  I'm
> getting:

what is the 'latest dev release for Alpha'?

>   LD  usr/built-in.o
>   AS  arch/alpha/kernel/entry.o
> In file included from arch/alpha/kernel/entry.S:12:
> include/asm/unistd.h:367:1: warning: "__NR_vserver" redefined
> include/asm/unistd.h:236:1: warning: this is the location of the previous 
> definition
>   CC  arch/alpha/kernel/traps.o
>   CC  arch/alpha/kernel/process.o
> In file included from include/linux/unistd.h:9,
>  from arch/alpha/kernel/process.c:20:
> include/asm/unistd.h:367:1: "__NR_vserver" redefined
> include/asm/unistd.h:236:1: this is the location of the previous definition
> make[2]: *** [arch/alpha/kernel/process.o] Error 1
> make[1]: *** [arch/alpha/kernel] Error 2
> make[1]: Leaving directory `/home/jgoerzen/programs/kernel/linux-2.6.9'
> 
> Any ideas?

looks like the syscall made it into the kernel ...

just remove the second definition (line 367)

thanks for reporting!

best,
Herbert

> 
> -- John


Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Herbert Poetzl
On Thu, Jan 13, 2005 at 12:43:26PM -0500, Gregory (Grisha) Trubetskoy wrote:
> 
> On Thu, 13 Jan 2005, Herbert Poetzl wrote:
> 
> >On Thu, Jan 13, 2005 at 03:27:19PM +0100, Thomas Weber wrote:
> >
> >>So I think the util-vserver package should make sure that there is
> >>capability support in the kernel before starting the vserver or else it
> >>will silently run insecure vservers!
> >
> >well, IMHO that is something beyond the scope of util-vserver. why? 
> >simple, you would encounter the same issues on a vanilla system, if you 
> >do not load or compile in the capability stuff, similar to the issues 
> >you will encounter if you do not compile in support for ipv4, which 
> >clearly is _not_ something util-vserver should take care of when 
> >starting a new vserver ...
> 
> If I try to configure ipv4 on an interface using a kernel that does not 
> have ipv4 support I presume I will get an error (I've never actually tried 
> running a kernel sans ipv4) - it sounds like util-vserver tools don't 
> error out when you try to set a capability on a kernel that does not 
> support them, which IMHO is not right.

agreed, but you have to complain to Linus, as setting
(and getting) the caps for a process works just fine,
even when the capability system is missing ... so the
tools have no easy way to detect this ...

the only way to detect it, is to drop some caps and
do something evil, if it fails, everything is fine ;)

best,
Herbert

> my $0.02
> 
> Grisha
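A pre-start check that puts the two detection approaches from this thread together, as an added example (not code from the thread or from util-vserver): it first looks for /sys/module/capability as Chris Wright suggests, and otherwise falls back to Herbert's approach of dropping a capability and testing whether the kernel still enforces it, using a harmless chown on a scratch file rather than anything destructive. The cap_probe_* names, the choice of CAP_CHOWN and the use of uid 1 as the target owner are my assumptions; it assumes Linux with glibc.

```c
/* Added example, not code from this thread or from util-vserver: a pre-start
 * probe for the "capability system missing" case discussed above. Check 1 looks
 * for /sys/module/capability (Chris Wright's hint). Check 2 is Herbert's
 * fallback made harmless: capset(2) "succeeds" either way, so drop CAP_CHOWN
 * and see whether the kernel still honours it. cap_probe_* names are my own. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Check 1: does <sysroot>/module/capability exist? sysroot is normally "/sys";
 * it is a parameter only so the function can be exercised on any tree. */
int cap_probe_sysfs(const char *sysroot)
{
    char path[PATH_MAX];
    struct stat st;
    snprintf(path, sizeof path, "%s/module/capability", sysroot);
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Bit of capability 'cap' in this thread's effective set (v3: 2 x 32 bits). */
int cap_probe_is_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[cap >> 5].effective >> (cap & 31)) & 1;
}

/* Set/clear one effective bit (permitted untouched, so reversible; no privilege needed to clear). */
int cap_probe_set_effective(int cap, int on)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    __u32 bit = 1u << (cap & 31);
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    if (on) data[cap >> 5].effective |= bit; else data[cap >> 5].effective &= ~bit;
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Check 2 (root only): with CAP_CHOWN dropped, try to give a scratch file to
 * uid 1 (assumed to exist). 1 = kernel refused with EPERM (caps enforced);
 * 0 = it succeeded anyway (caps ignored: root is all-powerful, do not start
 * vservers); -1 = probe could not run (not root, capset or mkstemp failed). */
int cap_probe_enforced(void)
{
    char tmpl[] = "/tmp/capprobe.XXXXXX";
    int fd, rc, saved;
    if (geteuid() != 0 || cap_probe_set_effective(CAP_CHOWN, 0) != 0) return -1;
    fd = mkstemp(tmpl);
    if (fd < 0) { cap_probe_set_effective(CAP_CHOWN, 1); return -1; }
    rc = fchown(fd, 1, (gid_t)-1);
    saved = errno;
    close(fd); unlink(tmpl);
    cap_probe_set_effective(CAP_CHOWN, 1);                /* restore for caller */
    return rc == 0 ? 0 : (saved == EPERM ? 1 : -1);
}

int main(void)
{
    int rc = cap_probe_sysfs("/sys") ? 1 : cap_probe_enforced();
    puts(rc == 1 ? "ok: capability system active" : rc == 0 ?
         "WARNING: capabilities ignored, do not start vservers" : "undetermined (run as root)");
    return rc == 1 ? 0 : 1;
}
```

A wrapper around `vserver <name> start` can run this first and refuse to continue on a non-zero exit, which is the warning Thomas asks for without util-vserver having to guess at kernel internals.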


[Vserver] Can't build on Alpha

2005-01-13 Thread John Goerzen
Hi,

I'm trying to build 2.6.9 with the latest dev release for Alpha.  I'm
getting:

  LD  usr/built-in.o
  AS  arch/alpha/kernel/entry.o
In file included from arch/alpha/kernel/entry.S:12:
include/asm/unistd.h:367:1: warning: "__NR_vserver" redefined
include/asm/unistd.h:236:1: warning: this is the location of the previous 
definition
  CC  arch/alpha/kernel/traps.o
  CC  arch/alpha/kernel/process.o
In file included from include/linux/unistd.h:9,
 from arch/alpha/kernel/process.c:20:
include/asm/unistd.h:367:1: "__NR_vserver" redefined
include/asm/unistd.h:236:1: this is the location of the previous definition
make[2]: *** [arch/alpha/kernel/process.o] Error 1
make[1]: *** [arch/alpha/kernel] Error 2
make[1]: Leaving directory `/home/jgoerzen/programs/kernel/linux-2.6.9'

Any ideas?

-- John


[Vserver] Vserver start: Cannot find device eth0:xxx

2005-01-13 Thread Nicolas Costes

Hello, all !

I use the last devel util-vserver tools (196 ?), and have setup a mandrake 
with:
# vserver modele build -m skeleton --(interfaces, etc...)
Then:
# urpmi --root /vservers/modele basesystem

I get a 100Mb vserver. This method works with the stable tools. Here, when 
I start my vserver, it tells me that it cannot find the device 
"eth0:modele". I know that with devel tools I got to create it myself, so 
I've created (On the 
host) /etc/sysconfig/network-scripts/ifcfg-eth0:modele. Then, I start 
this interface with "ifup eth0:modele", and "ifconfig" shows it to me...

But when I try again to start the vserver, I get the same error message as 
previously. What happens ?

Thanks...


-- 
  ,,
 (°>   Nicolas Costes
 /|\   IUT de La Roche / Yon
( ^ )  Clé publique: http://www.keyserver.net/
 ^ ^   Musique libre: http://www.magnatune.com/




Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Gregory (Grisha) Trubetskoy
On Thu, 13 Jan 2005, Herbert Poetzl wrote:
> On Thu, Jan 13, 2005 at 03:27:19PM +0100, Thomas Weber wrote:
> > So I think the util-vserver package should make sure that there is
> > capability support in the kernel before starting the vserver or else it
> > will silently run insecure vservers!
> well, IMHO that is something beyond the scope of util-vserver. why? 
> simple, you would encounter the same issues on a vanilla system, if you 
> do not load or compile in the capability stuff, similar to the issues 
> you will encounter if you do not compile in support for ipv4, which 
> clearly is _not_ something util-vserver should take care of when 
> starting a new vserver ...
If I try to configure ipv4 on an interface using a kernel that does not 
have ipv4 support I presume I will get an error (I've never actually tried 
running a kernel sans ipv4) - it sounds like util-vserver tools don't 
error out when you try to set a capability on a kernel that does not 
support them, which IMHO is not right.

my $0.02
Grisha


Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Thomas Weber
[and this time to the list also]

On Thu, Jan 13, 2005 at 05:12:43PM +0100, Herbert Poetzl wrote:
> > No capability module/support in kernel -> the shutdown scripts inside
> > the vserver shut down all my network interfaces of the whole box.
> 
> now the question arises, why do the shutdown scripts
> do that at all?

well, it's the default /etc/init.d/networking stop doing an ifdown -a 
on a debian system.

> > So I think the util-vserver package should make sure that there is
> > capability support in the kernel before starting the vserver or else it
> > will silently run insecure vservers!
> 
> well, IMHO that is something beyond the scope of 
> util-vserver. why? simple, you would encounter the
> same issues on a vanilla system, if you do not load
> or compile in the capability stuff, similar to the
> issues you will encounter if you do not compile in
> support for ipv4, which clearly is _not_ something
> util-vserver should take care of when starting a
> new vserver ...

I don't think it's much different than checking the permissions of
/vservers and giving a warning...

> > this was with 2.6.9+vs1.9.3 and util-vserver 0.30.196
> 
> as mentioned before, a clean vserver config should not 
> touch the hardware (and therefore not take down the 
> interfaces) regardless of the capabilities (i.e. the
> admin should have cleaned them up)

even a clean vserver config given away to a customer can end up in an
'unclean' vserver - customer's doing updates or maybe even intentional
writes /etc/init.d/ scripts which will then be run from outside the
vserver by root on the host. And this is something I consider a serious
security problem.
So at least a warning message should be printed!

I don't consider myself a newbie, and I'm running vservers for quite
some time now - this wasn't a known issue to me and it's not very
obvious to figure out. Yet I'm glad this was a problem for me, because
an as you call it 'clean vserver config' would not have triggered this
behaviour and maybe I would now run totally insecure vservers without
knowing. Maybe there are already lots of insecure vservers up and
running out there.

  Tom


Re: [Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Herbert Poetzl
On Thu, Jan 13, 2005 at 03:27:19PM +0100, Thomas Weber wrote:
> Hi there,
> 
> after setting up a remote box (no console access) i always lost connection 
> after a vserver stop. first i thought it was a kernel crash, but then i 
> figured that it was only the network interface being turned off.

> after finally cloning the whole box to a local machine (ever tried to
> solve such a problem remote only without network ;) and a couple of
> hours pulling my hair (i run plenty of vservers at different locations
> for quite some time) i figured that the machine didn't have the capability
> module loaded.

yep, known issue ...

> No capability module/support in kernel -> the shutdown scripts inside
> the vserver shut down all my network interfaces of the whole box.

now the question arises, why do the shutdown scripts
do that at all?

> So I think the util-vserver package should make sure that there is
> capability support in the kernel before starting the vserver or else it
> will silently run insecure vservers!

well, IMHO that is something beyond the scope of 
util-vserver. why? simple, you would encounter the
same issues on a vanilla system, if you do not load
or compile in the capability stuff, similar to the
issues you will encounter if you do not compile in
support for ipv4, which clearly is _not_ something
util-vserver should take care of when starting a
new vserver ...

> this was with 2.6.9+vs1.9.3 and util-vserver 0.30.196

as mentioned before, a clean vserver config should not 
touch the hardware (and therefore not take down the 
interfaces) regardless of the capabilities (i.e. the
admin should have cleaned them up)

best,
Herbert

>   Tom


Re: [Vserver] Regarding Hard CPU scheduler

2005-01-13 Thread Herbert Poetzl
On Thu, Jan 13, 2005 at 05:48:46AM -0800, shishir randive wrote:
> Hi ,
> 
>  I am new to vserver , I want to know the
> details about the Hard CPU scheduler used by the
> vserver.

http://linux-vserver.org/Linux-VServer-Paper-06
(06.3)

>  There is very little information
> available about the Hard CPU scheduler, so where can
> I get the detail information about the Hard CPU
> scheduler.

the best source is the source of course, so:

http://vserver.13thfloor.at/Experimental/split-vs1.9.3.14/14_sched.diff

>  What algorithm is used by Hard CPU scheduler
> for Inter context and Intra context scheduling ?

as linux-vserver uses the existing scheduler for
_all_ process, regardless of inter or intra context,
the algorithms are basically the same as on the mainline
kernel ...

there are some ideas to refine the concept of the
hold queue by making it per context and cpu, so that
the corner cases (when too many processes are put on
hold) are handled better than now ...

HTH,
Herbert

>Thanking you ,
> 
>Regards,
>Shishir.
>
> 


Re: [Vserver] Regarding Hard CPU scheduler

2005-01-13 Thread Gregory (Grisha) Trubetskoy
This thread has lots of info:
http://www.mail-archive.com/vserver@list.linux-vserver.org/msg03324.html
Grisha
On Thu, 13 Jan 2005, shishir randive wrote:
> Hi ,
> I am new to vserver , I want to know the
> details about the Hard CPU scheduler used by the
> vserver.
> There is very little information
> available about the Hard CPU scheduler, so where can
> I get the detail information about the Hard CPU
> scheduler.
> What algorithm is used by Hard CPU scheduler
> for Inter context and Intra context scheduling ?
>   Thanking you ,
>   Regards,
>   Shishir.



[Vserver] ugly unchecked capability dependency in util-vserver

2005-01-13 Thread Thomas Weber
Hi there,

after setting up a remote box (no console access) i always lost connection 
after a vserver stop. first i thought it was a kernel crash, but then i 
figured that it was only the network interface being turned off.
after finally cloning the whole box to a local machine (ever tried to
solve such a problem remote only without network ;) and a couple of
hours pulling my hair (i run plenty of vservers at different locations
for quite some time) i figured that the machine didn't have the capability
module loaded.
No capability module/support in kernel -> the shutdown scripts inside
the vserver shut down all my network interfaces of the whole box.

So I think the util-vserver package should make sure that there is
capability support in the kernel before starting the vserver or else it
will silently run insecure vservers!

this was with 2.6.9+vs1.9.3 and util-vserver 0.30.196

  Tom


[Vserver] Regarding Hard CPU scheduler

2005-01-13 Thread shishir randive
Hi ,

 I am new to vserver , I want to know the
details about the Hard CPU scheduler used by the
vserver.

 There is very little information
available about the Hard CPU scheduler, so where can
I get the detail information about the Hard CPU
scheduler.

 What algorithm is used by Hard CPU scheduler
for Inter context and Intra context scheduling ?


   Thanking you ,

   Regards,
   Shishir.
   


