[Vserver] FC4 Guest

2005-07-14 Thread Darryl Ross
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hey All,

I'm about to sit down and build a template FC4 guest image. Just
wondering if anyone has already done this? If not I'll make mine available.

Cheers
Darryl

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC10oD/XQ6DbmPjokRAjkpAJ9Ekd4Q49kmNgZEThEoP/YSF7P6gQCfapbk
Ja9e4feQ5rvNYjLclZ+J8E4=
=DSnk
-END PGP SIGNATURE-
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] audit interface

2005-07-14 Thread Chris Wright
* Herbert Poetzl ([EMAIL PROTECTED]) wrote:
> hmm, does anybody know why pam would want to do syscall
> auditing in the first place? I'm a little lost here
> actually ...

Pam sets up the auid for each login session.  This requires
CAP_AUDIT_WRITE.  The auid is then used in any messages generated
via syscall auditing.

thanks,
-chris


Re: [Vserver] audit interface

2005-07-14 Thread Herbert Poetzl
On Fri, Jul 15, 2005 at 12:50:51AM +0200, Herbert Poetzl wrote:
> On Thu, Jul 14, 2005 at 03:21:36PM +0200, Enrico Scholz wrote:
> > Hello,
> > 
> > it seems to be impossible to use the audit (CONFIG_AUDIT) interface
> > of the kernel within a vserver:
> > 
> > | # auditctl -m 'foo'
> > | Error sending user message request (Operation not permitted)
> > 
> > The generated syscalls are:
> > 
> > | socket(PF_NETLINK, SOCK_RAW, 9) = 3
> > | fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> > | sendto(3, "\24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
> > | select(4, [3], NULL, NULL, {0, 10}) = 1 (in [3], left {0, 10})
> > | recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0"..., 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, [12]) = 36
> > | write(2, "Error sending user message reque"..., 60Error sending user message request (Operation not permitted)) = 60
> > 
> > 
> > This gives problems on Fedora Core 4 as recent pam upgrade is
> > using this functionality and most actions (su, cron) will fail
> > therefore.
> 
> hmm, does anybody know why pam would want to do syscall
> auditing in the first place? I'm a little lost here
> actually ...

ah, looks like redhat is patching again ...

http://people.redhat.com/sgrubb/audit/pam-0.78-loginuid.patch

so I guess it's fine to remove pam_loginuid.so for now
until the auditing interface is virtualized ...

best,
Herbert

> TIA,
> Herbert
> 
> > I see two ways to solve the problem:
> > 
> > 1. allow this kind of communication within a context
> > 2. make CONFIG_AUDIT conflict with CONFIG_VSERVER and hope that
> >    libaudit is clever enough to ignore this error (untested)
> > 
> > (I do not know the security implications of 1. and have not
> > tested 2.)
> > 
> > Problem was seen on 2.6.12.2-vs2.0-rc5 + remap patch.
> > 
> > Enrico
> 
> 
> 


Re: [Vserver] audit interface

2005-07-14 Thread Herbert Poetzl
On Thu, Jul 14, 2005 at 03:21:36PM +0200, Enrico Scholz wrote:
> Hello,
> 
> it seems to be impossible to use the audit (CONFIG_AUDIT) interface
> of the kernel within a vserver:
> 
> | # auditctl -m 'foo'
> | Error sending user message request (Operation not permitted)
> 
> The generated syscalls are:
> 
> | socket(PF_NETLINK, SOCK_RAW, 9) = 3
> | fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> | sendto(3, "\24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
> | select(4, [3], NULL, NULL, {0, 10}) = 1 (in [3], left {0, 10})
> | recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0"..., 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, [12]) = 36
> | write(2, "Error sending user message reque"..., 60Error sending user message request (Operation not permitted)) = 60
> 
> 
> This gives problems on Fedora Core 4 as recent pam upgrade is
> using this functionality and most actions (su, cron) will fail
> therefore.

hmm, does anybody know why pam would want to do syscall
auditing in the first place? I'm a little lost here
actually ...

TIA,
Herbert

> I see two ways to solve the problem:
> 
> 1. allow this kind of communication within a context
> 2. make CONFIG_AUDIT conflict with CONFIG_VSERVER and hope that
>    libaudit is clever enough to ignore this error (untested)
> 
> (I do not know the security implications of 1. and have not
> tested 2.)
> 
> Problem was seen on 2.6.12.2-vs2.0-rc5 + remap patch.
> 
> Enrico





Re: [Vserver] audit interface

2005-07-14 Thread Herbert Poetzl
On Thu, Jul 14, 2005 at 05:32:40PM +0200, Enrico Scholz wrote:
> [EMAIL PROTECTED] (Enrico Scholz) writes:
> 
> > | # auditctl -m 'foo'
> > | Error sending user message request (Operation not permitted)
> > ...
> > This gives problems on Fedora Core 4 as recent pam upgrade is
> > using this functionality and most actions (su, cron) will fail
> > therefore.

hmm, will look into it ...

> Quick workaround is to add '^29' to the 'bcapabilities' of the
> corresponding vserver. Next util-vserver version will probably
> implicate this with the '--secure' option (after I decided how to
> deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).

#define CAP_AUDIT_WRITE      29
#define CAP_AUDIT_CONTROL    30

quota was moved into the CCAPS a long? time ago
(at least for 2.6/2.0 so nothing to deal with)

#define CAP_CONTEXT  31

is the only remaining capability ...

best,
Herbert

> Enrico





Re: [Vserver] audit interface

2005-07-14 Thread Enrico Scholz
[EMAIL PROTECTED] (Enrico Scholz) writes:

> | # auditctl -m 'foo'
> | Error sending user message request (Operation not permitted)
> ...
> This gives problems on Fedora Core 4 as recent pam upgrade is
> using this functionality and most actions (su, cron) will fail
> therefore.

Quick workaround is to add '^29' to the 'bcapabilities' of the
corresponding vserver. Next util-vserver version will probably
implicate this with the '--secure' option (after I decided how to
deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).



Enrico


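The workaround quoted above grants bit 29 through the guest's bcapabilities, and Herbert's reply gives the bit numbers for CAP_AUDIT_WRITE (29), CAP_AUDIT_CONTROL (30) and CAP_CONTEXT (31). The following is an added Python example, not code from the mail or from util-vserver: it parses a bcapabilities-style setting into a bitmask and checks that the guest gets the audit capability pam_loginuid needs and nothing broader. Only the '^29' notation is taken from the mail; accepting plain capability names and a '!' prefix for removal are assumptions about the syntax, the capability table holds only the three values quoted in the thread, and the sample file contents are constructed.

```python
"""Check a vserver's bcapabilities for the audit capability.

Added example, not part of util-vserver.  '^N' (caret plus bit number) is the
notation from the mail; plain names and '!' for removal are assumed syntax.
"""

# Bit numbers as quoted in the thread (CAP_CONTEXT is linux-vserver specific).
CAP_BITS = {
    "CAP_AUDIT_WRITE": 29,    # send audit messages; what pam_loginuid needs
    "CAP_AUDIT_CONTROL": 30,  # configure the audit subsystem; broader than needed
    "CAP_CONTEXT": 31,        # linux-vserver specific, per Herbert's mail
}
NAMES = {bit: name for name, bit in CAP_BITS.items()}

# Constructed sample: the workaround from the mail, plus a comment line.
SAMPLE_BCAPS = "# needed by the FC4 pam_loginuid module\n^29\n"


def parse_bcapabilities(text):
    """Return the capability bitmask described by a bcapabilities file."""
    mask = 0
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not tok:
            continue
        remove = tok.startswith("!")               # assumption: '!' clears a bit
        tok = tok[1:] if remove else tok
        if tok.startswith("^"):
            bit = int(tok[1:], 10)                 # '^29' -> raw bit number
        else:                                      # assumption: names allowed
            name = tok if tok.startswith("CAP_") else "CAP_" + tok
            if name not in CAP_BITS:
                raise ValueError("unknown capability name: %s" % tok)
            bit = CAP_BITS[name]
        if not 0 <= bit < 64:
            raise ValueError("capability bit out of range: %d" % bit)
        mask = mask & ~(1 << bit) if remove else mask | (1 << bit)
    return mask


def has_cap(mask, name):
    """True if the named capability bit is set in mask."""
    return bool(mask >> CAP_BITS[name] & 1)


def describe(mask):
    """List the granted bits, by name where the table knows them."""
    return [NAMES.get(b, "bit %d" % b) for b in range(64) if mask >> b & 1]


def audit_verdict(mask):
    """Least-privilege check: CAP_AUDIT_WRITE alone is enough for pam_loginuid;
    CAP_AUDIT_CONTROL would also let the guest reconfigure the (unvirtualized)
    host audit subsystem."""
    if not has_cap(mask, "CAP_AUDIT_WRITE"):
        return "missing CAP_AUDIT_WRITE: pam_loginuid (su, cron) will fail with EPERM"
    if has_cap(mask, "CAP_AUDIT_CONTROL"):
        return "CAP_AUDIT_CONTROL is granted but not needed; drop it to keep the guest minimal"
    return "ok: CAP_AUDIT_WRITE only"


if __name__ == "__main__":
    m = parse_bcapabilities(SAMPLE_BCAPS)
    print(describe(m), "->", audit_verdict(m))
```

Run it against the contents of a guest's bcapabilities file; the verdict flags both the failure mode from the thread (bit 29 absent, so su and cron break) and the over-grant to avoid (bit 30 present).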


[Vserver] audit interface

2005-07-14 Thread Enrico Scholz
Hello,

it seems to be impossible to use the audit (CONFIG_AUDIT) interface
of the kernel within a vserver:

| # auditctl -m 'foo'
| Error sending user message request (Operation not permitted)

The generated syscalls are:

| socket(PF_NETLINK, SOCK_RAW, 9) = 3
| fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
| sendto(3, "\24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
| select(4, [3], NULL, NULL, {0, 10}) = 1 (in [3], left {0, 10})
| recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0"..., 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, [12]) = 36
| write(2, "Error sending user message reque"..., 60Error sending user message request (Operation not permitted)) = 60


This gives problems on Fedora Core 4 as recent pam upgrade is
using this functionality and most actions (su, cron) will fail
therefore.

I see two ways to solve the problem:

1. allow this kind of communication within a context
2. make CONFIG_AUDIT conflict with CONFIG_VSERVER and hope that
   libaudit is clever enough to ignore this error (untested)

(I do not know the security implications of 1. and have not
tested 2.)


Problem was seen on 2.6.12.2-vs2.0-rc5 + remap patch.




Enrico


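The strace in the post is enough to see exactly what the kernel said. What follows is an added Python decoder, not code from the post nor from audit or util-vserver. It rebuilds the 20-byte request that auditctl -m 'foo' sent and the 36-byte reply from the octal escapes in the trace, parses both with the nlmsghdr layout, and shows that the reply is an NLMSG_ERROR carrying -EPERM for the AUDIT_USER request. The constants NETLINK_AUDIT (9), AUDIT_USER (1005) and NLMSG_ERROR (2) are the kernel header values; strace truncated the reply after 24 bytes, so the last 12 bytes are filled in on the assumption that nlmsgerr echoes the failed request's header. The optional live probe only reports an errno and is an addition of this example.

```python
"""Decode the NETLINK_AUDIT exchange from the strace above.

Added example, not code from the post or from audit/util-vserver.  The two
byte strings are constructed from the octal escapes in the trace.
"""
import errno
import socket
import struct

# Values from <linux/netlink.h> and <linux/audit.h>
NETLINK_AUDIT = 9        # third argument of socket() in the trace
NLMSG_ERROR = 2          # nlmsg_type of an error or ACK reply
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
AUDIT_USER = 1005        # 0x3ed: message type used by auditctl -m

# struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid, in host
# order; the trace is from an x86 box, so little-endian is fixed here.
NLMSGHDR = struct.Struct("<IHHII")

# sendto(3, "\24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0", 20, ...) = 20
REQUEST = b"\x14\0\0\0\xed\3\5\0\1\0\0\0\0\0\0\0foo\0"
# recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0"...) = 36
# strace shows only 24 bytes; the other 12 are assumed to be the rest of the
# echoed request header that nlmsgerr carries after the error code.
REPLY = (b"$\0\0\0\2\0\0\0\1\0\0\0!e\0\0"
         b"\xff\xff\xff\xff"
         b"\x14\0\0\0" + b"\xed\3\5\0\1\0\0\0\0\0\0\0")


def encode_audit_user(text, seq=1):
    """Build the AUDIT_USER request the way auditctl -m does."""
    payload = text.encode() + b"\0"
    hdr = NLMSGHDR.pack(NLMSGHDR.size + len(payload), AUDIT_USER,
                        NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload


def decode_reply(data):
    """Parse one netlink message; for NLMSG_ERROR extract errno and echoed type."""
    length, typ, flags, seq, pid = NLMSGHDR.unpack_from(data)
    if length != len(data):
        raise ValueError("nlmsg_len %d does not match %d bytes" % (length, len(data)))
    msg = {"len": length, "type": typ, "flags": flags, "seq": seq, "pid": pid}
    if typ == NLMSG_ERROR:
        (err,) = struct.unpack_from("<i", data, NLMSGHDR.size)
        msg["error"] = -err                      # kernel sends -errno; 0 is a plain ACK
        msg["errname"] = errno.errorcode.get(-err, "OK") if err else "OK"
        echo = NLMSGHDR.unpack_from(data, NLMSGHDR.size + 4)
        msg["echo_type"] = echo[1]               # type of the request that failed
    return msg


def explain(msg):
    """Operational meaning of a decoded reply for a vserver administrator."""
    if msg.get("error") == errno.EPERM:
        return ("EPERM: the kernel refused the audit message; the sender lacks "
                "CAP_AUDIT_WRITE (bit 29), which a guest context only has if it "
                "is listed in bcapabilities")
    if msg.get("error") == 0:
        return "ACK: the audit message was accepted"
    return "reply type %d, error %s" % (msg["type"], msg.get("errname"))


def probe_audit_socket():
    """Live check (Linux only): 0 if an AUDIT_USER message is accepted from
    this context, otherwise the errno; -1 where AF_NETLINK does not exist."""
    if not hasattr(socket, "AF_NETLINK"):
        return -1
    try:
        s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    except OSError as e:
        return e.errno
    try:
        s.settimeout(2)
        s.sendto(encode_audit_user("probe"), (0, 0))
        return decode_reply(s.recv(8192)).get("error", 0)
    except OSError as e:
        return e.errno
    finally:
        s.close()


if __name__ == "__main__":
    reply = decode_reply(REPLY)
    print(reply)
    print(explain(reply))
    print("live probe errno:", probe_audit_socket())
```

Decoding the captured bytes is the part that stands on its own: the nlmsg_pid of 0x6521 in the reply is the port id the kernel assigned to auditctl, the seq of 1 matches the request, and the -1 after the header is -EPERM, which libaudit turns into the "Operation not permitted" text on stderr.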


Re: [Vserver] stuck (can't set the ipv4 root - invalid argument)

2005-07-14 Thread Herbert Poetzl
On Thu, Jul 14, 2005 at 12:16:47AM +1000, Matt Paine wrote:
> Hi.
> 
> I've been monitoring the list for a few days now, and constantly 
> searching the vserver site, and the util-vserver site and google for 
> appropriate documentation and I have not been able to find any hints as 
> to what to do next.
> 
> My setup:
> 
> Host has FC4. Vanilla kernel (2.6.12.2) with the latest vserver patch 
> (2.0-rc6). Standard options. All build and installed and booted with no 
> errors.
> 
> util-vserver (0.30) built and installed with no errors.

those are the stable/old tools ... get 0.30.207

> It's from here things get hazy. Sites mention the use of newvserver to 
> create a new virtual server, but that is not part of the util-vserver 

no it's a debian add on of dubious value ...

> package (as far as I can tell). Other sites give examples of the vserver 
> build command. This example is from the gentoo documentation 
> (http://www.gentoo.org/doc/en/vserver-howto.xml) although I seem to be 
> getting the same errors no matter what command I use...
> 
> -8<-
> 
> [EMAIL PROTECTED] ~]# vserver test2 build -m skeleton --hostname test2 
> --initstyle plain --context 2 --interface test2=eth0:192.168.1.41/24
> 
> Directory /vservers/test2 has been populated
> /etc/vservers/test2.conf has been created. Look at it!
> Can't set the ipv4 root (Invalid argument)
> Can't set the ipv4 root (Invalid argument)
> Can't set the ipv4 root (Invalid argument)
> Can't set the ipv4 root (Invalid argument)

check with http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh
and let us know the results ...

best,
Herbert

> etc (total count 70 messages the same)
> ...
> Can't set the ipv4 root (Invalid argument)
> Can't set the ipv4 root (Invalid argument)
> [EMAIL PROTECTED] ~]#
> 
> ->8--
> 
> The files do "seem" to exist in the /vserver/test2 directory. The 
> test2.conf did get created. So I thought I'd ignore the error and 
> continue with other snippets I have found.
> 
> 
> 
> 8<
> 
> [EMAIL PROTECTED] ~]# vserver test2 enter
> Can't set the ipv4 root (Invalid argument)
> [EMAIL PROTECTED] ~]#
> 
> ->8---
> 
> 
> Well, that didn't work. Perhaps I could try starting the server first? 
> 
> 
> 8<
> 
> [EMAIL PROTECTED] ~]# vserver test2 start
> Starting the virtual server test2
> Server test2 is not running
> Can't set the ipv4 root (Invalid argument)
> [EMAIL PROTECTED] ~]#
> 
> ->8---
> 
> 
> 
> Stuck!
> 
> Any help will be appreciated (let me know if anyone needs any further 
> information). This looks like such a fantastic project, but I've been 
> banging my head against the wall for almost a week now and still no luck.
> 
> Thank you in advance
> 
> Matt.
> 
> 
> 
> 
> -->8
> 
> 
> 
> 