Re: [Vserver] How to discover the "real" IP Address?

2006-07-09 Thread Bodo Eggert
On Fri, 7 Jul 2006, Boniforti Flavio wrote:

> Hello list,
> I've got a question (and I'm a newbie, too!): as I'm logged as "root"
> on one of several Virtual Servers on a machine (each Virtual Server
> having its own IP address), how can I check and discover the "real"
> hosts IP Address and hostname?

All IP addresses you see are real IP addresses of the host. Choose any.
-- 
Top 100 things you don't want the sysadmin to say:
66. What do you mean you needed that directory?
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Logo design

2006-01-20 Thread Bodo Eggert
On Fri, 20 Jan 2006, Herbert Poetzl wrote:

> On Thu, Jan 19, 2006 at 09:24:54PM +0100, Bodo Eggert wrote:
> > On Thu, 19 Jan 2006, Roman Barczyński wrote:
> > > On 2006-01-19 17:58, Herbert Poetzl wrote:
> > 
> > > > okay I _know_ I should not spend any time on that
> > > > but I couldn't help to try some things myself
> > > > (based on the IMHO excellent checkmark idea)
> > > 
> > > heh, same to /me but, oh, well... my final version:
> > > http://romke.net/tmp/vserver-logo/
> > 
> > I didn't like the character spacing:
> > 
> > http://7eggert.dyndns.org/files/vserver-logo-2.png (or .xcf)
> 
> much better, indeed, except for the Linux,
> which IMHO should align (at the end) with
> the Server part .. but I'm not an expert
> on this, so it's just MHO ...

I thought about that, but I like it the way it is. Change it if you like 
it to be aligned.
-- 
Top 100 things you don't want the sysadmin to say:
61. Yes, I chowned all the files to belong to pvcs.  Is that a problem to
you?


Re: [Vserver] Logo design

2006-01-19 Thread Bodo Eggert
On Thu, 19 Jan 2006, Roman Barczyński wrote:
> On 2006-01-19 17:58, Herbert Poetzl wrote:

> > okay I _know_ I should not spend any time on that
> > but I couldn't help to try some things myself
> > (based on the IMHO excellent checkmark idea)
> 
> heh, same to /me but, oh, well... my final version:
> http://romke.net/tmp/vserver-logo/

I didn't like the character spacing:

http://7eggert.dyndns.org/files/vserver-logo-2.png (or .xcf)
-- 
Top 100 things you don't want the sysadmin to say:
33. Ooops.  Save your work, everyone.  FAST!


Re: [Vserver] Getting the namespace of processes

2006-01-09 Thread Bodo Eggert
On Mon, 9 Jan 2006, Wilhelm Meier wrote:

> Hi,
> 
> I want to extract the namespace-attribute of a specific/all process(es). Some 
> time ago there was a discussion about this topic, but I think the essence was 
> that there are no tools to get this information. Or am I wrong?
> 
> Is it possible to extract this information via /proc/...? I didn't find any 
> hints about that.

AFAIK, /proc/$PID/root is supposed to be a link to the namespace root. 
Since namespaces are anonymous, I can't think of anything better than 
this.

-- 
Top 100 things you don't want the sysadmin to say:
2. We had to format some tracks, and we seem to have hit an inode track.
Half the files are still there though...


Re: [Vserver] Assigning a virtual console to a given vserver

2006-01-08 Thread Bodo Eggert
On Sun, 8 Jan 2006, Bruno wrote:

> I would like to assign a virtual console to one or more vservers running on
> my box.
> 
> e.g.
>  vc0 - vc6 for host system
>  vc7 for first vserver
>  vc8 for second vserver
>  none for third vserver
>  ...
[...]
> Is this possible?

You need the console device file in the vserver dev directory, and you 
need to tweak the vserver inittab.
-- 
E.G.G.E.R.T.: Electronic Guardian Generated for 
  Efficient Repair and Troubleshooting
-- http://www.brunching.com/toys/toy-cyborger.html


Re: [Vserver] Virtualizing /proc/version

2006-01-05 Thread Bodo Eggert
On Wed, 4 Jan 2006, Herbert Poetzl wrote:
> On Wed, Jan 04, 2006 at 06:42:29PM +0100, Enrico Scholz wrote:
> > Herbert Poetzl <[EMAIL PROTECTED]> writes:

> > >> it would be nice when /proc/version could be virtualized
> > >> (e.g. using values from VCMD_set_vhi_name). Currently, it
> > >> reveals information about the real host (e.g. real os version,
> > >> buildhost/-user).
> > >
> > > hmm, looking at the code, I see:
> > >
> > > static int version_read_proc(char *page, char **start, off_t off,
> > >  int count, int *eof, void *data)
> > > ...
> > > const char vx_linux_banner[] =
> > > "Linux version %s (" LINUX_COMPILE_BY "@"
> > > LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") %s\n";
> > 
> > oops, I did not look exactly at it and did not notice that the
> > release is already virtualized.
> > 
> > But it would be nice when LINUX_COMPILE_BY/HOST and perhaps the compiler
> > and date would be virtualized/anonymized. I see two ways:
> 
> well, I did not consider that information critical (mainly
> because it just tells you where the kernel was compiled, 
> who did it and what compiler was used (which usually is
> fine and doesn't tell you anything about the host), but
> I did spend some thought on how to virtualize that, and
> I came to the conclusion that a hack like a) is not really
> appropriate, as it does not help, but b) might be an option
> ...

The most simple solution is to bind-mount an appropriate file, but if there 
are many "virtualized" entries, this would get messy.

-- 
Top 100 things you don't want the sysadmin to say:
51. YEEEHA!!!  What a CRASH!!!


Re: [Vserver] Hostname confusion inside vserver

2005-12-20 Thread Bodo Eggert
On Tue, 20 Dec 2005, Stéphane GAUTIER wrote:

> Why scripts of creation: vserver build does not modify information 
> /etc/hostname and /etc/hosts in the vserver?

Because these names are distribution-dependent.
-- 
For every action, there is an equal and opposite criticism. (in boot camp)


Re: [Vserver] testme.sh results and minor problem 2.6.14.2 / vs2.1.0-rc8 on x86_64 arch

2005-12-06 Thread Bodo Eggert
On Tue, 6 Dec 2005, Grzegorz Nosek wrote:

> I'd love to see future releases announced here too (esp. with a short
> list of changes).
> 
> Right now to know the changes I'll need to apply the rc8 and rc9
> patches to two vanilla trees and diff them afterwards (a diff of two
> diffs is ugly and unreadable). Could you maybe provide incremental
> patches between rc* releases a'la mainline linux/kernel/v2.6/incr/?

Did you try interdiff?

-- 
Bug? That's not a bug, that's a feature. 


Re: [Vserver] [Bug] sendfile64 stopped working in host server after upgrading from vanilla

2005-12-03 Thread Bodo Eggert
On Sat, 3 Dec 2005, Alejandro Mery wrote:
> Bodo Eggert wrote:

> >After I upgraded from vanilla 2.6.11.10 to 2.6.14.2-vs2.1.0-rc7, the 
> >sendfile function in the host server stopped delivering the whole file.
> >After reverting to the old kernel, it works correctly again.
> >
> what fs?

/dev/md0 on / type ext3 (rw)

-- 
Ever notice how fast Windows runs? Neither did I. 


[Vserver] [Bug] sendfile64 stopped working in host server after upgrading from vanilla

2005-12-03 Thread Bodo Eggert
After I upgraded from vanilla 2.6.11.10 to 2.6.14.2-vs2.1.0-rc7, the 
sendfile function in the host server stopped delivering the whole file.
After reverting to the old kernel, it works correctly again.

--
$ echo -e 'GET http://be10/images/___.jpg HTTP/1.0\r\n\r' |
  netcat be10 80 | wc
 62 247   13032

(The file contains 78835 bytes).
--
open("/home/___/public_html/images/___.jpg", O_RDONLY|O_LARGEFILE) = 10
setsockopt(9, SOL_TCP, TCP_NODELAY, [0], 4) = 0
setsockopt(9, SOL_TCP, TCP_CORK, [1], 4) = 0
writev(9, [{"HTTP/1.1 200 OK\r\nDate: Sat, 03 D"..., 284}], 1) = 284
sendfile64(9, 10, [0], 78835)   = -1 EOVERFLOW (Value too large for defined data type)
--



-- 
"You, you, and you . . . Panic. The rest of you, come with me."
-U.S. Marine Corps Gunnery Sgt.


Re: [Vserver] util-vserver: make install tries to compile

2005-11-24 Thread Bodo Eggert
On Thu, 24 Nov 2005, Enrico Scholz wrote:
> [EMAIL PROTECTED] (Bodo Eggert) writes:

> > If I run 'make install', the make script tries to compile a
> > file.
> 
> Can not reproduce that

It turned out to be a dependency on the dietlibc objects. If they don't 
exist on the target system, the build process will be restarted.

> > Of course this can't work out, since I transferred the pre-built
> > directory from the machine with my compiler to my server, where
> > I want to install.
> 
> What is the deeper sense behind this unusual process? Why not
> just do the common
> 
> | make install DESTDIR=/var/tmp/uv-root

Because I assumed this function would be a property of ./configure if it 
existed, and I didn't find it there.

-- 
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous


Re: [Vserver] util-vserver: make install tries to compile

2005-11-23 Thread Bodo Eggert
On Wed, 23 Nov 2005, Herbert Poetzl wrote:
> On Wed, Nov 23, 2005 at 09:06:09PM +0100, Bodo Eggert wrote:

> > If I run 'make install', the make script tries to compile a file. Of 
> > course this can't work out, since I transferred the pre-built directory from 
> > the machine with my compiler to my server, where I want to install.

BTW: The version is util-vserver-0.30.209.

> could it be that your 'transfer' was not without
> effect on the timestamps?

Both hosts are (successfully) synchronized using NTP, and I ran make and
make -k install in the same nfs-exported directory from which I tried to
install. Of course as a user, I couldn't actually install. Then I switched
to the server, ran 'make install' again and got the same errors again.

I finally gave in and used checkinstall and installed the created rpm over 
the installed files just to remove it/them again. After doing this, I ran
"make -d ...", and it turned out to be a dependency on /opt/diet/include/*
automatically added by the build system. I hate automake and libtool.



Now I got the message <>. According to
http://svn.openfoundry.org/utilvserver/releases/0.30.203/doc/configuration.html,
this shouldn't happen on kernel 2.6 as it's unused, but it does. As it
turned out, it is a dietlibc bug: strncat(buf, "2", 1) did nothing. Maybe
this should be checked by the build process.



Next bug: function colorize in ./scripts/functions is called from colpanic 
without a style, so the "echo" command is used as a style and the '-n' 
option used as a shell command. This made it very hard to read the reason 
for the build process to fail on subsequent attempts after the first 
attempt failed.



BTW: I played with optimizing code, and I found that using the 'register' 
attribute makes the generated code worse on x86.

-- 
Funny quotes:  41. There are three religious truths:
 * Jews do not recognize Jesus as the Messiah.
 * Protestants do not recognize the Pope as the leader of the Christian faith.
 * Baptists do not recognize each other in the liquor store or at Hooters.


[Vserver] util-vserver: make install tries to compile

2005-11-23 Thread Bodo Eggert
If I run 'make install', the make script tries to compile a file. Of 
course this can't work out, since I transferred the pre-built directory from 
the machine with my compiler to my server, where I want to install.

This is very annoying, especially since compiling as non-user should be
avoided for security reasons (and because of the resulting root-owned
files in your home directory).

-- 
Never share a foxhole with anyone braver than yourself. 


Re: [Vserver] Can't bind-mount host->guest

2005-10-30 Thread Bodo Eggert
On Sun, 30 Oct 2005, Jun OKAJIMA wrote:

> I also have same question.
> How to do a mount to vserver namespace?

I don't know about the vserver mechanism (I'm currently not running one),
but according to LKML, you can change namespace by chrooting to
/proc/$PID/root. I assume it will be possible to mount to
/proc/$PID/root/mount/point, too. Otherwise you'll need to mount, cd to
the mountpoint, chroot (2) to the namespace and bind-mount '.' to the
desired location.

Of course this isn't tested, but I think it should work.
-- 
Funny quotes:
10. Nothing is fool proof to a talented fool.


Re: [Vserver] ./testme.sh: line 115: which: command not found

2005-10-07 Thread Bodo Eggert
On Fri, 7 Oct 2005, Herbert Poetzl wrote:

> hmm, always assumed that the 'which' command is
> part of every distro ... but hey, live and learn,
> maybe somebody has a workaround to avoid 'which'?
> 
> patches are welcome ...

perl -i~ -pe 's/which/type -p/g' *.sh

-- 
Funny quotes:
26. If you take an Oriental person and spin him around several times, does he
become disoriented?


Re: [Vserver] X11 vserver

2005-10-05 Thread Bodo Eggert
On Wed, 5 Oct 2005, hellekin wrote:

> I followed the previous thread on X11 with attention as I'm trying the same
> thing: I'd like my host to remain as small as possible while providing users
> with an X11 interface.
> 
> I started with adding CAP_SYS_RAWIO in the bcapabilities file and copying
> /dev/tty0, /dev/tty7 and /dev/tty10 to the vserver. Then, startx would fail
> with lack of /dev/mem, so I added it too. Then the mouse was missing, so I
> put /dev/psaux. I'm not sure this is the right way to go but the setup
> works.
> 
> The nVidia video card (GeForce 6200) failed to load so I changed the server
> to VESA and it worked fine.
> 
> My question is triple:
> 
> 1. is there a better way to run an X11 in a vserver?

Provide a generic in-kernel access method to graphic cards and make X11 
use it. The current interface is incapable of doing this.

> 2. how comes the nvidia module, loaded in the host, doesn't show up in the
> vserver?

Nobody cared to provide the strace showing the problem. Did you use the 
nvidia glide(?) library?

> 3. what is the clean way to login to this host from the console?  

I moved a tty$n interface into the vserver and edited inittab to provide 
this console. This can be used to provide a console to 62 guests.

> For (1.) I guess the /dev/mem can be a problem.

An attacker can gain host root privileges using /dev/mem.

-- 
Never share a foxhole with anyone braver than yourself. 


Re: [Vserver] x with nvidia module in vserver?

2005-10-04 Thread Bodo Eggert
On Tue, 4 Oct 2005, Torsten Becker wrote:

> I try to run a complete workstation in a vserver including a x-server.
> This is no problem since I do not try to use the hardware acceleration 
> with the nvidia kernel module.
> I have set several capabilities for the vserver:



That's enough to make the vserver insecure.

> Does anyone have a hint for me, how I can manage this? Or is it impossible?
> I use this configuration to deploy the workstations to a pool of pc's. 
> Therefore the security between host and vserver is not first goal.

If your X11 is exploited, you're toast, so you can as well run X11 from 
the host and make it contact the xdm running in the vserver.

Of course this isn't as flexible as running in the vserver, but unless 
you're testing different X-Servers, this should be a minor problem.

However, I don't know if 3d support is network transparent, and I can't 
test it here.
-- 
Funny quotes:
30. Why is a person who plays the piano called a pianist but a person who
drives a race car not called a racist?


Re: [Vserver] rlimit for memory usage

2005-08-26 Thread Bodo Eggert
On Fri, 26 Aug 2005, Helmut Wollmersdorfer wrote:
> Oliver Welter wrote:

> My plan was, to give this context 20% CPU 'soft' (400 x 20% = 100 MHz), 
> 128 MB RSS rlimit, and 500 MB VM rlimit. But if OOM can kill some vital 
> processes, this would need watching the services and restart them by 
> heartbeat.

You should take a look at /proc/$PID/oom_score and /proc/$PID/oom_adj
to make them a worse target and use runit for critical services.

-- 
Top 100 things you don't want the sysadmin to say:
59. Wonder what *this* command does?


Re: [Vserver] PDA Webinterface

2005-08-09 Thread Bodo Eggert
On Wed, 10 Aug 2005, Jan-Marc Pilawa wrote:
> > On Tue, Aug 09, 2005 at 08:06:41PM +0200, Dennis Paulisch wrote: 

> > >Hi, i am currently work on a webinterface for Linux 
> > >vServer to administrate via PDA. See the Screenshots on: 
> > >http://www.serversupportforum.de/forum/showthread.php?t=3978  
> >  
> > cool, a GPL release would be nice ... 
>  
> indeed, just bought this PDA a few days ago. But a solution to tunnel 
> the traffic somehow encrypted through my providers WAP-Proxy (flat) is 
> also necessary... :-) 

If your browser can do ssl, use stunnel.
-- 
Funny quotes:
32. "I am" is reportedly the shortest sentence in the English language.
Could it be that "I do" is the longest sentence?


Re: [Vserver] Slackware

2005-07-08 Thread Bodo Eggert
On Fri, 8 Jul 2005, Martin Archanco wrote:

> The line is

NACK two lines:

> 127.0.0.1:
> ftp stream  tcp  nowait  root  /usr/sbin/tcpd proftpd

inetd will ignore bogus lines

-- 
"Religion is an insult to human dignity.  With or without it, you'd
have good people doing good things and evil people doing bad things, but
for good people to do bad things, it takes religion."
--Steven Weinberg, Nobel Laureate


Re: [Vserver] Slackware

2005-07-08 Thread Bodo Eggert
On Fri, 8 Jul 2005, Martin Archanco wrote:

> In the linux-vserver view this.
> 
> inetd/xinetd
> You can't bind inetd to a interface, replace it with xinetd.

This is wrong, you _can_ bind inetd to interfaces.

Example:
---/etc/inetd---
127.0.0.1:
swat stream tcp nowait.400 root /usr/sbin/swat swat
*:
qotd stream tcp nowait nobody /usr/bin/tcpd uptime
---

-- 
Funny quotes:
34. If FedEx and UPS were to merge, would they call it Fed UP?
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Re: NXServer inside of VServer?

2005-07-08 Thread Bodo Eggert
On Sat, 25 Jun 2005, Martin Honermeyer wrote:

> * Deleted everything from /tmp.
> * Tried to login again => same problem, window closes after a few seconds
> * looked at the user's .xsession-errors file:
> _IceTransmkdir: ERROR: Owner of /tmp/.ICE-unix must be set to root
[...]

> Note: I have to re-run those two commands every time I reboot the VServer.
> It seems like starting an X-Server from within FreeNX doesn't set up those
> permissions in /tmp correctly. Maybe that's because I don't have something
> like KDM run beforehand.

It's a common error, caused by KDE. It expects the boot scripts to create 
this dir, and if there is none, it will mess it up.

The [KX]DM startup script should create that directory, check if it's
owned by root and chmod it to 1777. If it isn't, remove or rename the
directory and retry a limited number of times.

-- 
"Just because you are paranoid, do'nt mean they're not after you."
-- K.Cobain
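
The directory check described in the message above, written out as a shell function. This is an example added here, not part of the original post and not taken from any KDM/XDM startup script; the function name, its parameters and the default of 3 attempts are assumptions.

```shell
#!/bin/sh
# ensure_sticky_dir DIR [OWNER_UID] [MAX_TRIES]
# Make DIR a real directory (not a symlink) owned by OWNER_UID with
# mode 1777. Anything else found at DIR is renamed aside (or removed if
# the rename fails) and the attempt is repeated, at most MAX_TRIES times.
# Returns 0 on success, 1 when the retry limit is reached.
# Name, parameters and defaults are assumptions made for this example.
ensure_sticky_dir() {
    dir=$1
    want_uid=${2:-0}
    tries=${3:-3}

    while [ "$tries" -gt 0 ]; do
        tries=$((tries - 1))

        # mkdir is atomic: it fails if anything, including a dangling
        # symlink, already exists at the path.
        mkdir -m 1777 "$dir" 2>/dev/null || true

        # Accept only a real directory with the expected owner.
        # (stat -c is the GNU coreutils / busybox form.)
        if [ -d "$dir" ] && [ ! -L "$dir" ] &&
           [ "$(stat -c %u "$dir")" = "$want_uid" ]; then
            chmod 1777 "$dir" && return 0
        fi

        # Wrong type or wrong owner: move it out of the way and retry.
        aside="$dir.bad.$$.$tries"
        mv "$dir" "$aside" 2>/dev/null || rm -rf "$dir"
    done
    return 1
}

# Typical call from a display manager start script, run as root:
#   ensure_sticky_dir /tmp/.ICE-unix 0 3 || echo "cannot fix /tmp/.ICE-unix" >&2
```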


Re: [Vserver] alpha and dietlibc

2005-06-23 Thread Bodo Eggert
On Thu, 23 Jun 2005, James Boddington wrote:

> diff -urN dietlibc-0.29-orig/include/signal.h dietlibc-0.29/include/signal.h
> --- dietlibc-0.29-orig/include/signal.h Tue Mar 15 18:51:22 2005
> +++ dietlibc-0.29/include/signal.h  Thu Jun 23 15:46:02 2005

Did you CC [EMAIL PROTECTED]
-- 
Bug? That's not a bug, that's a feature. 


Re: [Vserver] Suse and Yast inside VServer

2005-06-18 Thread Bodo Eggert
On Sat, 18 Jun 2005, Oliver Dietz wrote:

> Hi @all,
> 
> i want to use Suse 9.x inside a vserver. At 
> http://www.marlow.dk/site.php/tech/vserver is a Suse image available, but 
> without Yast - and a Yast is the main reason why to use Suse.

You should get it running by installing the rpms.
However, working with pin and rpm directly is less painful.

-- 
Orbiting [..] is a planet whose ape-descended life forms are so
amazingly primitive that they still think digital watches are a
pretty neat idea.  --  "The Hitchhiker's Guide to the Galaxy"


Re: [Vserver] CAP_SYS_ADMIN, how unsecure it is within vserver

2005-05-28 Thread Bodo Eggert
On Sat, 28 May 2005, gary ng wrote:

> I am testing out vserver(1.2.10 on 2.4, not ready for
> 2.6 yet because of stability issue unrelated to
> vserver) and I am wondering what is the impact of
> giving CAP_SYS_ADMIN to it.
> 
> Without it, I cannot mount within vserver but I see
> mount as a legitimate use like mounting CIFS/NFS or
> FUSE related file systems.

You can also mount filesystems containing device nodes. This would give
you root access to the host.

Secure user mounts are planned in the vanilla kernel, maybe they can be 
adopted for vservers.
-- 
Top 100 things you don't want the sysadmin to say:
45. Was that YOUR directory?


Re: [Vserver] building from savannah CVS

2005-05-18 Thread Bodo Eggert
On Thu, 19 May 2005, Michal Ludvig wrote:
> Bodo Eggert wrote:

> > set -e

> Good hint, but does it work with non-bash as well?

I just tested it with the solaris /bin/sh, and it worked as expected.
-- 
Funny quotes:
10. Nothing is fool proof to a talented fool.


Re: [Vserver] building from savannah CVS

2005-05-18 Thread Bodo Eggert
On Wed, 18 May 2005, Michal Ludvig wrote:

> #!/bin/sh

set -e
- and -

> rm -rf autom4te*.cache
> aclocal -I . -I m4  || exit 1
[...]

 remove these "|| exit 1"

-- 
Teamwork is essential, it gives them someone else to shoot at. 


Re: [Vserver] /dev/console

2005-05-16 Thread Bodo Eggert
On Mon, 16 May 2005, Gilles wrote:

> But, just in case, how can one provide new devices?
> Is it just a matter of running 
> 
>  mknod /vservers/phony/dev/console c 5 1

Yes, but from the outside.
-- 
"Never tell the Platoon Sergeant you have nothing to do."
-Unknown Marine Recruit


Re: [Vserver] MySQL inside a vserver - permission denied?

2005-05-16 Thread Bodo Eggert
On Mon, 16 May 2005, Werner Schalk wrote:

> ok my problem seems to be solved. It was a simple permission problem (I used 
> "cp" to copy a vserver but did not preserve the permissions). Thanks a lot 
> again to all the people that helped me.

To copy a directory structure with permissions, use
(cd "$src" && tar -cf - .) | (cd "$dest" && tar -xvf -)
-- 
Top 100 things you don't want the sysadmin to say:
40. The sprinkler system isn't supposed to leak is it?


Re: [Vserver] Extra root security

2005-05-12 Thread Bodo Eggert
On Thu, 12 May 2005, Gaz Wilson wrote:

> 
> Does anyone have an opinion as to whether disabling root's password
> within a vserver is worthwhile?  No one logs into a vserver as root
> via ssh, only from the master using vserver enter, so there's no point
> in having a root password, so it can be disabled by adding *LCK* in the
> passwd file on the vserver?  Would this break anything (cron etc)

IMO only interactive logins are supposed to be affected, but sometimes 
there are programs not being interested in my opinion. Just create a test 
vserver and try it, it's too late here to do that myself.

-- 
AA - American Association Against Acronym Abuse Anonymous 


Re: [Vserver] stty: standard input: Inappropriate ioctl for device

2005-05-02 Thread Bodo Eggert
On Mon, 2 May 2005, Rik van den Eijnden wrote:

> On startup of my vserver I get the message:
> stty: standard input: Inappropriate ioctl for device
> 
> Everything is running as expected, but why am I getting this message?

Ignore this message, it's printed because SuSE can't set the console for
printk messages.

-- 
Top 100 things you don't want the sysadmin to say:
81. The drive ate the tape but that's OK, I brought my screwdriver.


Re: [Vserver] Vservers and Rootkits

2005-04-28 Thread Bodo Eggert
On Thu, 28 Apr 2005, Roderick A. Anderson wrote:

> I have a vserver that has all the indicators that it is a victim of a root
> kit ( SucKIT ).  In my readings so far I see that SucKIT is loaded
> through /dev/kmem ( ie. it doesn't need a kernel with support for loadable 
> kernel modules --  ).  
> This is a very old Vserver kernel ( embarrassing but true -- 2.4.21ctx-17 
> ).
[...]
> For awhile I didn't have fcheck checking all the places it should have so
> I've played hell trying to eradicate the rootkit.  So my question is: is it
> possible for an exploit using /dev/kmem in a vserver to stick something 
> in the kernel like this?

/dev/kmem should not exist, but an exploit might give similar access.

Change the kernel NOW.

> Each time after I find and remove or replace the files and/or directories 
> I reboot the vserver ( not the main ).  I'm still seeing the return of the 
> '[EMAIL PROTECTED]&*' buggers.  So either I haven't got all the compromised
> accounts plugged or there is some way the hole is remaining open.

So it hooked itself into the start scripts.

You'll need to disable the start scripts and reenable them one by one 
until you find the one starting the bugger.

(If it's a rpm based vserver, you may try the rpm verify option.)

> I'm trying to remove this rather than just build a new vserver and move to 
> it.  A "Good" exercise I feel.

If it's for exercise only, it's OK, but if it's a productive system, see
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
-- 
Funny quotes:
31. Why do "overlook" and "oversee" mean opposite things?


Re: [RE:] Re: [Vserver] Linux Vserver - Feature Question

2005-03-31 Thread Bodo Eggert
On Thu, 31 Mar 2005, Herbert Poetzl wrote:
> On Thu, Mar 31, 2005 at 09:26:31AM +0200, [EMAIL PROTECTED] wrote:

> hmm, so you would like to artificially slow down the
> I/O transfer of a vserver, and make the transaction
> somewhat longer than necessary?

I guess more like not slowing down the host or other vservers.

-- 
Funny quotes:
19. Quantum mechanics: The dreams stuff is made of.


Re: [Vserver] vserver patch for 2.6.11?

2005-03-08 Thread Bodo Eggert
On Tue, 8 Mar 2005, Eugen Leitl wrote:

> Another question: I'm about to buy memory for a couple of servers, to run
> VServers. What's the memory footprint of a typical VServer (running, let's
> say, postfix/apache/openvpn)? 100 MBytes, twice that?

HTTP-Server, router, News- and Web-Proxy, running exim.
System is something closely related to SuSE:

             total       used       free     shared    buffers     cached
Mem:         45864      44892        972          0       3200      10832
-/+ buffers/cache:      30860      15004
Swap:       131064      16272     114792


File-Server with KDM + running userspace application (142924K):
             total       used       free     shared    buffers     cached
Mem:        514872     509016       5856          0      42592     294080
-/+ buffers/cache:     172344     342528
Swap:       224888      13304     211584

Router and Squid-Proxy, LAMP:
             total       used       free     shared    buffers     cached
Mem:        320520     312220       8300          0     139752      16156
-/+ buffers/cache:     156312     164208
Swap:       240960       8928     232032

-- 
This time it will surely run. 



Re: [Vserver] packaging review for new Debian packages

2004-12-28 Thread Bodo Eggert
On Mon, 27 Dec 2004, Stephen Frost wrote:
> * Enrico Scholz ([EMAIL PROTECTED]) wrote:

> > * execve(2) is more efficiently than execvp(3)
> 
> Is there something in here that actually would notice from such a
> change?  Seriously, is there *really* some benefit here for an end user
> or is this just a lame excuse thrown in at the end?

There is a benefit, but it's not speed. Searching the PATH is less secure 
than execve, and it can fail if there are stale binaries in the PATH (e.g. 
in /usr/local/bin)
-- 
Funny quotes:
36. You never really learn to swear until you learn to drive.
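
An added example, not from the original message: a shell check for the PATH problem described above. `path_candidates` lists every copy of a command along PATH in search order (the first line is what a PATH-searching exec would run, so a stale copy in an earlier directory shows up at once), and `path_risky_entries` flags entries that are empty, relative or writable by group/others. Both function names and the output format are assumptions.

```shell
#!/bin/sh
# path_candidates NAME [PATHSTRING]
# Print every executable called NAME along PATHSTRING (default: $PATH),
# in search order. More than one line means shadowed copies exist.
path_candidates() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for d in ${2-$PATH}; do
        [ -n "$d" ] || d=.      # an empty entry means the current directory
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
        fi
    done
    set +f
    IFS=$old_ifs
}

# path_risky_entries [PATHSTRING]
# Print PATH entries that let someone else decide what gets executed:
#   "relative-or-empty ENTRY"  resolved against the current directory
#   "writable DIR"             directory writable by group or others
path_risky_entries() {
    p=${1-$PATH}
    case $p in
        *:) p="$p." ;;          # a trailing ':' is an empty entry too
    esac
    old_ifs=$IFS
    IFS=:
    set -f
    for d in $p; do
        case $d in
            /*) ;;
            *)  printf 'relative-or-empty %s\n' "${d:-.}"
                continue ;;
        esac
        # ls -ldL follows symlinked directories such as /bin -> usr/bin.
        mode=$(ls -ldL "$d" 2>/dev/null | cut -c1-10)
        case $mode in
            d????w????|d???????w?) printf 'writable %s\n' "$d" ;;
        esac
    done
    set +f
    IFS=$old_ifs
}

# Example use:
#   path_candidates vserver        # which copy would a PATH search pick?
#   path_risky_entries             # audit the current PATH
```

A caller that passes an absolute path to execve(2) is affected by neither problem; the check matters for everything that still searches PATH.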



Re: [Vserver] problems with apache and php in a vserver

2004-10-06 Thread Bodo Eggert
On Tue, 5 Oct 2004, Eric Jorgensen wrote:

> If I start up apache without php, it works just fine. However, if I
> install the RPM for php (4.2.2-17) it segfaults.

http://portal.suse.com/sdb/en/2004/05/fhassel_php4_91.html

HTH
-- 
Top 100 things you don't want the sysadmin to say:
62. I didn't think anybody would be doing any work at 2am, so I killed your
job.


Re: [Vserver] Should complain if wrong ip is written?

2004-08-17 Thread Bodo Eggert
On Wed, 18 Aug 2004, Bodo Eggert wrote:

> A sane thing would be creating a $vserver/etc/vconfig with something like:
> 
> hostname  $hostname
> ips   $ips[*]
> etchosts  $hostname $ips[*]
> x-userdefined we want to pass a user-defined value to the vserver

just tested:
The nameserver and the routes should be included here.
-- 
Maintenance-free: When it breaks, it can't be fixed... 



Re: [Vserver] Should complain if wrong ip is written?

2004-08-17 Thread Bodo Eggert
On Tue, 17 Aug 2004, Ola Lundqvist wrote:

> I have got a wishlist request on vserver package.
> 
> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=253518
> 
> Do you think util-vserver should behave like this?

/etc/hostname is system-dependent; SuSE has /etc/HOSTNAME and my debian 
has "hostname" instead of "hostname 153.90.199.xx".
This means you cannot fix it in a generic way as suggested.

A sane thing would be creating a $vserver/etc/vconfig with something like:

hostname  $hostname
ips   $ips[*]
etchosts  $hostname $ips[*]
x-userdefined we want to pass a user-defined value to the vserver
...

This would enable the user to do the changes by script on each startup 
using a distribution-generic script or to create his very own system.

-- 
It's redundant! It's redundant! 



Re: [Vserver] Mysql server on linux-vserver.org down?

2004-07-16 Thread Bodo Eggert
On Fri, 16 Jul 2004, Herbert Poetzl wrote:

> hmm, yeah, is my fault, I tried to mend the broken
> mysql with a cron script which restarts it once
> a day

Maybe you should take a look at runsv from "runit".
-- 
Funny quotes:
27. If people from Poland are called Poles, why aren't people from Holland
called Holes?


Re: [Vserver] Tiny system for template...

2004-04-03 Thread Bodo Eggert
On Fri, 2 Apr 2004, Dariush Pietrzak wrote:

> > Hm... my debian-base is less than 100Mb.
> that's very cool, but I would prefer something closer to 5-10M.
> /dev/log with syslog-ng sounds a bit more efficient.

What about using busybox, compiled with the dietlibc?
-- 
I always tell customers/clients the same thing:
   "Good, Fast, Cheap.  You can pick two."
-- randem in <[EMAIL PROTECTED]>


Re: [Vserver] "Can't chroot Operation not permitted" and other stuff

2004-03-17 Thread Bodo Eggert
On Wed, 17 Mar 2004, Thomas Guettler wrote:

> - How can I display the capabilities of /proc/self/status
>   in a human-readable form?

reducecap --show

> - Would be nice if you get the missing capability in
>   the error message: "Missing Capability CAP_SYS_CHROOT"
>   instead of "Operation not permitted"

It's depending on the libc.

> - What is the difference between chroot and capchroot?

capchroot will drop CAP_SYS_CHROOT
-- 
Why is a Laundromat a really bad place to pick up a woman?
Because a woman who can't even afford a washing machine will
probably never be able to support you.
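
What decoding the Cap* lines of /proc/self/status involves, as an added example that is not part of the original message and is not the code of `reducecap --show`. The function names and the status snippet are constructed for illustration; the capability numbers are those of `<linux/capability.h>`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Capability bits 0..28 as numbered in <linux/capability.h>; later bits unnamed. */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE",
};
#define NCAPS ((int)(sizeof cap_names / sizeof cap_names[0]))

/* Constructed sample: a process that lost CAP_SETPCAP and CAP_SYS_CHROOT. */
static const char SAMPLE_STATUS[] =
    "Name:\tchroot\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffbfeff\nCapEff:\t00000000fffbfeff\n";

/* Find "<field>:" at the start of a line and parse its hex mask; 0 on success. */
int parse_cap_field(const char *status, const char *field, unsigned long long *mask)
{
    size_t flen = strlen(field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *v = line + flen + 1;
            char *end;
            v += strspn(v, " \t");      /* stay on this line */
            *mask = strtoull(v, &end, 16);
            return (end != v && (*end == '\n' || *end == '\0')) ? 0 : -1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Write the space-separated names of known capabilities absent from mask. */
size_t missing_caps(unsigned long long mask, char *buf, size_t n)
{
    size_t used = 0;
    buf[0] = '\0';
    for (int i = 0; i < NCAPS; i++)
        if (!((mask >> i) & 1) && used < n)
            used += (size_t)snprintf(buf + used, n - used, "%s%s", used ? " " : "", cap_names[i]);
    return used;
}

int main(void)
{
    char status[8192], missing[512];
    unsigned long long eff;
    FILE *f = fopen("/proc/self/status", "r");
    size_t got = f ? fread(status, 1, sizeof status - 1, f) : 0;
    status[got] = '\0';
    if (f) fclose(f);
    /* Fall back to the constructed sample when /proc is not readable. */
    if (parse_cap_field(got ? status : SAMPLE_STATUS, "CapEff", &eff) == 0) {
        missing_caps(eff, missing, sizeof missing);
        printf("CapEff=%llx lacks: %s\n", eff, missing[0] ? missing : "(none)");
    }
    return 0;
}
```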


Re: [Vserver] Support with chroot problem

2004-03-03 Thread Bodo Eggert
On Wed, 3 Mar 2004 [EMAIL PROTECTED] wrote:

[util-vserver and suse/gcc 3.3.1]

> I observed the same on SuSE9.0. Therefore, I just used the binaries
> built in a Suse8.2 environment hoping that this
> works as well. So far it does.
> But of course I am interested in a 'clean' solution, i.e.
> the vserver-utils compiled with gcc 3.3.1 on SuSE9.0.

I recently mailed a patch for reducecap to Enrico, which is
supposed to make it work as intended. (Looking at the code, I wonder how
it could ever have worked before, and it didn't change from .26 to .29).
(I didn't look closely at the other tools, though.)

Just in case it helps, I put it to
http://7eggert.dyndns.org/~7eggert/vserver/

Since I don't know automake, I'm not sure how to change the dependencies.
Therefore I created a separate Makefile (same link). Just compile the
unpatched sources, apply the patch, put the Makefile into src/ and run
'make reducecap' again. (Or better, tell me from which file Makefile.in
is generated. I hope it _is_ generated ...)

-- 
The programmer's National Anthem is ''



Re: [Vserver] POLL: Number of IP Addresses in Each Vserver

2004-02-29 Thread Bodo Eggert
On Fri, 27 Feb 2004, Herbert Poetzl wrote:

> On Fri, Feb 27, 2004 at 08:26:53PM +0100, Thomas Gelf wrote:
> > Am Fre, den 27.02.2004 schrieb Herbert Poetzl um 17:50:

>  - missing: ping doesn't work like on linux server xy

>this can be secured by:
>- checking every raw packet via some packet checker
>- filtering out malicious packets ...

- Using UDP for pings (bad, since commonly firewalled).
- Implementing setpcap-attribute.
- Using vshelper to call ping in host context.

-- 
If you're short of everything but the enemy, you're in a combat zone.



Re: [Vserver] util-vserver tools - 16 ip address limit

2004-02-28 Thread Bodo Eggert
On Thu, 26 Feb 2004, Kevin Gray wrote:

>  > #define   NB_IPV4ROOT 64
>  >   struct vc_ip_mask_pair  ips[64];

Wouldn't it be better to use ips[NB_IPV4ROOT] etc. instead of immediate
values?

Just my ¢¢
-- 
"You, you, and you . . . Panic. The rest of you, come with me."
-U.S. Marine Corps Gunnery Sgt.




RE: [Vserver] CAP processor usage and Vserver

2004-02-12 Thread Bodo Eggert
On Thu, 12 Feb 2004, Val A. Quimno wrote:

> How can I unsubscribe to this mailing list?
>
> UNSCRIBE

From the headers of each mail:

List-Unsubscribe:
,

-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



Re: [Vserver] Demo...

2004-01-08 Thread Bodo Eggert
On Thu, 8 Jan 2004, Dariush Pietrzak wrote:
> On Wed, 7 Jan 2004, Bodo Eggert wrote:

[X outside vserver was considered to be insecure, I said X is insecure
anyway]

>  Hmm, this is supposed to be a 'demo', not a public kiosk.

ACK, therefore there is no need to jail the X-Server itself. So if it
doesn't work inside a jail, it's not an issue.

> > installations, but you won't (of course) be able to run them concurrently
>  Why not? I have been running multiple X-servers concurrently years ago,
> have hardware developers figured some new way of screwing up?

No, I found a way to remember incorrectly, at least for working display
drivers.

> > or testing X, but as far as I can tell not for productive use.
>  hmm, then how do you accomplish 'fast user switching'? ie - three
> different users using the same machine 'concurrently'?
> ie - I sit and program, some family member walks in and wants to 'check
> email'. What do you do?

Open x-term, sux, run program. Or I assign them to one of my other PCs and
X-Terminals.
-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



Re: [Vserver] Demo...

2004-01-07 Thread Bodo Eggert
On Wed, 7 Jan 2004, Dariush Pietrzak wrote:

> > Without testing: What about running xdm inside the vserver and X outside,
> > either with -query or with a chooser to select the (v)server?
>  Hmm, I'm not sure what that would accomplish - you would have to install X
> to master machine, the one that's supposed to carry only sshd and vserver
> environment, and that's not good.

X needs too many privileges to be any good on a secure machine. You might
reduce some risks, but I doubt you can get something you may actually
call "secure". Instead, you should run a P90 as X-Server and connect
using ethernet.

> And you wouldn't be able to run various
> X-servers on the same machine - like 3.3 versus 4.3 ( versus Xouvier or
> whatever it's called )

A bunch of vservers might be nice for switching between these
installations, but you won't (of course) be able to run them concurrently
if the hardware doesn't allow it. This might be handy if you're developing
or testing X, but as far as I can tell not for productive use.

-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



Re: [Vserver] Demo...

2004-01-07 Thread Bodo Eggert
On Wed, 7 Jan 2004, Dariush Pietrzak wrote:

> And another thing - can anyone share success stories about running X inside
> vserver? It would be nice to show off machine running different X server on
> different terminals, every one would be different dist and different X
> generation (4.2,4.3,3.3..), I'm rather server guy so any suggestions would
> be welcome as to how to accomplish something like that.

Without testing: What about running xdm inside the vserver and X outside,
either with -query or with a chooser to select the (v)server?

-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



[Vserver] util-vserver: compile problem with dietlibc

2003-12-13 Thread Bodo Eggert
dietlibc doesn't define uint64_t if __STRICT_ANSI__ is set, and -std=c99
defines __STRICT_ANSI__. To compile it, I had to add -U __STRICT_ANSI__
after -std=c99 in the Makefile.

I'll test it after finishing my civnet-game.
-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



re: [Vserver] chroot(safe) issues

2003-11-29 Thread Bodo Eggert
On Wed, 26 Nov 2003, Jacques Gelinas wrote:

> On Wed, 26 Nov 2003 02:55:02 -0500, Enrico Scholz wrote
>
> > Please note that the current 'chmod 000' hack is not affected by these
> > attacks since it is a fixed barrier which can not be bypassed.
> >
> > Therefore, it will not make sense to hope on a magic chrootsafe() syscall
> > for vservers. Alternative approaches like CLONE_NEWNS in combination with
> > pivot_root() or 'mount --rbind  /' (suggested by Rik van Riel) must
> > be investigated to find better methods.

Wouldn't this require mount-capabilities in vservers to allow nested
vservers? And would it protect against malicious applications sending fds
to each other?

> What about using a new attribute (instead of 000) to tag a directory permanently
> as a barrier.

I was thinking about keeping a (fixed-size?) list of (device,inode)s,
allocated at the first chrootsafe. This would allow 512 levels of
chrootsafe per 4k of allocated memory. I think this should be enough.

Of course, this would not prevent malicious_app1 in chroot(a) to send
an fd to malicious_app2 in chroot(b), but an additional check in the
fd-passing-routine might do the trick.

I think it should be enough to allow directory-fd-passing only if the ctx
matches (or the sender is in a "magic" or parent ctx?) and all
chroot-points from the sending application are also included in the
receiver's chrootsafe-list. The receiver may still escalate its
privileges (as usual, as long as fd passing is allowed), but the effect
should be limited to the sender's chroot and the combined privileges of
the malicious processes. (It is, isn't it?)

If directory fd passing is completely disabled, it shouldn't even be
possible to access files being in one chroot but having only access
permissions for uid/gid of another chrooted process. (This might especially
be important if a chrooted uid0-process was exploited as well as a user
account.) Maybe there should be an option to do this, too.

BTW: If no account is limited by a restricted shell and restrictions in
global config files, would allowing users != root to chrootsafe as
described above be a security risk (assuming it includes chdir($newroot))?

-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.
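
A user-space model of the barrier list and the directory-fd-passing check proposed in the message above, as an added example that is not part of the original message and is not Linux-VServer code. All names, the 32-bit (device, inode) layout and the sample values are assumptions made for illustration; the "magic" or parent-ctx exception the message asks about is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* One barrier per chroot point, keyed by (device, inode). Two 32-bit fields
 * (an assumed layout) make an entry 8 bytes, so 4 KiB holds 512 of them. */
struct barrier { uint32_t dev, ino; };
#define BARRIERS_PER_PAGE (4096 / sizeof(struct barrier))
#define MAX_BARRIERS 8                  /* small bound for this demo only */

struct proc_model {                     /* hypothetical per-process state */
    uint32_t ctx;                       /* vserver context id */
    size_t n;
    struct barrier list[MAX_BARRIERS];  /* filled by chrootsafe_add() */
};

static int in_list(const struct proc_model *p, struct barrier b)
{
    for (size_t i = 0; i < p->n; i++)
        if (p->list[i].dev == b.dev && p->list[i].ino == b.ino)
            return 1;
    return 0;
}

/* Model of chrootsafe(): record the new root as a barrier; -1 when full. */
int chrootsafe_add(struct proc_model *p, uint32_t dev, uint32_t ino)
{
    struct barrier b = { dev, ino };
    if (in_list(p, b)) return 0;
    if (p->n == MAX_BARRIERS) return -1;
    p->list[p->n++] = b;
    return 0;
}

/* Proposed rule: same ctx, and every chroot point of the sender must also
 * appear in the receiver's list. */
int may_pass_dir_fd(const struct proc_model *from, const struct proc_model *to)
{
    if (from->ctx != to->ctx)
        return 0;
    for (size_t i = 0; i < from->n; i++)
        if (!in_list(to, from->list[i]))
            return 0;
    return 1;
}

/* Constructed scenarios; (dev, ino) values are made up. Bit 0: app1 in
 * chroot(a) -> app2 in chroot(b). Bit 1: process in a -> process in a/sub.
 * Bit 2: the reverse direction. Bit 3: same root, different ctx. */
int scenario_results(void)
{
    struct proc_model app1 = { .ctx = 42 }, app2 = { .ctx = 42 };
    struct proc_model nested = { .ctx = 42 }, other = { .ctx = 43 };
    chrootsafe_add(&app1, 8, 1001); chrootsafe_add(&app2, 8, 2002);
    chrootsafe_add(&nested, 8, 1001); chrootsafe_add(&nested, 8, 1500);
    chrootsafe_add(&other, 8, 1001);
    return may_pass_dir_fd(&app1, &app2) | (may_pass_dir_fd(&app1, &nested) << 1) |
           (may_pass_dir_fd(&nested, &app1) << 2) | (may_pass_dir_fd(&app1, &other) << 3);
}

int main(void)
{
    printf("allowed-mask: 0x%x\n", scenario_results());
    return 0;
}
```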



RE: [Vserver] XMas Wishlist

2003-11-17 Thread Bodo Eggert
On Sun, 16 Nov 2003, ian douglas wrote:

> how about "from the very beginning" documentation? ie: explain things for
> people that need more stepped instructions than "patch the kernel" (ie:
> explain how to apply a .diff file etc.), which OS's vserver has been tested
> on, etc.

We should point them to
 http://www.miredespa.com/wmaton/linux/kernel-patch-HOWTO.html

and add 
Unfortunately, this documentation does not include instructions for
stripping the base directory. If you gave a different name to the kernel
directory, patch will complain about missing files while patching. In this
case, cd into the kernel directory and patch using "patch -p1 ..."
instead.


-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



Re: [Vserver] Re: [Linux-privs-discuss] Capabilities & capability tools in Linux

2003-11-11 Thread Bodo Eggert
On Tue, 11 Nov 2003, Linas Vepstas wrote:

> Well, yes, that was my point. I'm getting the feeling that it's implemented
> incorrectly, that there should have been a pair of bits: LOWERPCAP and
> RAISEPCAP, instead of SETPCAP.  Seems to me that LOWERPCAP, by allowing
> one process to take away the caps of another, is reasonably safe
> and useful.  So I was trying to ask if you/other gurus see something flawed
> with this line of reasoning.

Imagine you'd take away capabilities from init...

If you put in the same checks kill() does, LOWERPCAP should be safe ...
-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



Re: [Vserver] Unsharing disk space

2003-11-11 Thread Bodo Eggert
On Tue, 11 Nov 2003, Roderick A. Anderson wrote:

> FYW, I have tried these three methods and got errors and/or the process
> aborted.
> Well I have returned to one of my near and dear topics - copying vservers.
>
> I have been all over this, back to messages posted in Jun, then those this
> month.  And guess what?  I can not get any of the methods to work.

You could also use the midnight commander to copy the files. HTH
-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



Re: [Vserver] ssh X11 forwarding (after vserver xxx enter)

2003-11-11 Thread Bodo Eggert
On Tue, 11 Nov 2003, Thomas Gebhardt wrote:

> > COOKIE=`xauth list $DISPLAY`
> > vserver foo enter
> > xauth add $COOKIE
>
> doesn't seem to work for me. As far as I can see, there is no way
> to write from a vserver process to a socket on the master server.
> That's part of the vserver concept, isn't it?

The socket will probably be outside the vserver-chroot-directory.
You should set (and export) DISPLAY to hostname:0 or localhost:0, this
will enable TCP connections.

You can also read some manpages about X11-specific command line arguments
and create wrapper scripts.
-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.




Re: [Vserver] Copy a vserver to different partition?

2003-11-05 Thread Bodo Eggert
On Wed, 5 Nov 2003, Roderick A. Anderson wrote:

>
> I've been all over the wiki and web site looking for a solution but I'm
> getting no place slowly.
>
> We had a hard drive fail but was able to move the /vservers/* into a
> working drive before replacing the bad drive.  As this is a live system
> I'd like to _not_ take the server down and do another copy to the new
> partition.  I need to copy all the vservers (or one at a time) in
> /vservers to /vserver.new so I can stop the vservers, change the mount
> point, and restart them.

If you copy a running system, you will get an inconsistent state.
If you're running a web server, a proxy or some other read-only/caching
service, you'll just lose some log entries, so this may be ok. vservers
offering storage, mail or other r/w services should be stopped before
moving them.

The canonical way of copying a directory tree is:
(cd srcdir && tar -cf - .)|(cd dstdir && tar -xvf -)
-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.



Re: [Vserver] is there any "getting started with vserver" documentation anywhere?

2003-11-05 Thread Bodo Eggert
On Wed, 5 Nov 2003, Alexander Goeres wrote:

>
> I once tried to make the vservers run on a SuSE distro but after several
> weekends gave up. That's basically due to my lack of ability to compile a
> vanilla kernel on SuSE so that all the modules it has with its standard
> kernel work.

The .config file for the suse kernel is saved somewhere in the /proc
directory. If you copy it into the vanilla kernel directory, the settings
should be correct for building the new kernel.
-- 
   ¤ Bill of Spammer-Rights ¤
1. We have the right to assassinate you.
2. You have the right to be assassinated.
3. You have the right to resist, but it is futile.
