Re: [Vserver] vserver + other security patches

2004-04-20 Thread Dariush Pietrzak
> Is it possible to get these 3 patches working together:
> ctx+grsecurity+vserver.
ctx IS vserver? you mean ctx quota+grsec+vserver?
Possible.

> I need grsecurity to protect against numerous and repeated shell cracking
> attempts from my students on the login server.
As experience shows, admin can run around patching and 'securing' all day
round... and in the end admin gets tired, and a new wave of students comes
every year...
Keeping the system up-to-date might be the best answer; every activity that
places additional burden on the admin fails in the long run (that would
include using extra patches, and definitely includes using conflicting
patches).

> Is there any problem with using 2.4.25+patch-2.4.25-vs1.27-q0.14.diff
> The archives contain conflicting opinions on this.
I might be the one spreading most of the opposing data on this - as there's
no one actively maintaining vserver+grsec, this means that all you can find
is some patch some dweeb put together. And there are a dozen ways to do
that, and you don't even know which she used. So there's no such thing as
THE grsec+vs patch.
As soon as there is such a person (and it seems like WOLK will include
both, and mcp said that he will make those two play nicely together) you
can go ahead and use those. Until then - you're on your own.

-- 
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
We're giving you a new chance in life, and an opportunity
 to screw it up in a new, original way.
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


[Vserver] [Release] Development 1.3.9

2004-04-20 Thread Herbert Poetzl

Hi Community!

1.3.9 was released a few days ago, just forgot
to announce it :(, the changes were minimal, I
included the ipv6 security fix, and a workaround
for the buggy debian woody compiler ...

I didn't get _any_ complaints about the 1.3.x
branch (especially 1.3.8), but also no positive
feedback, so I hope for the best, but expect the 
worst ;)

please let me know if you consider this stable
enough to become 1.4, I'll wait another week
or two, and will try to fix _any_ issue that gets
reported back ... so please do a final test, if
possible ...

thanks,
Herbert

PS: 1.27 was updated for 2.4.26 too ;)



[Vserver] Vserver in cluster

2004-04-20 Thread David Amiel
Hi everybody,


I'm new to the vserver world, and I have a question for you :)
I find the idea behind vserver very interesting, but as I'm working in the production world
I need to be sure that services are always online.

So to lower the service cost I can use vserver, but to achieve availability I would
like to put vservers in a cluster (1 vserver on a physical machine backed up by a vserver
on another physical machine).

Has someone set up such a configuration?

cheers,

David


Re: [Vserver] Vserver in cluster

2004-04-20 Thread Christian Mayrhuber
On Tuesday 20 April 2004 16:01, David Amiel wrote:
> Hi everybody,
>
>
> I'm new to the vserver world, and I have a question for you :)
> I find the idea behind vserver very interesting, but as I'm working in the
> production world I need to be sure that services are always online.
>
> So to lower the service cost I can use vserver, but to achieve availability
> I would like to put vservers in a cluster (1 vserver on a physical machine
> backed up by a vserver on another physical machine).
>
> Has someone set up such a configuration?
>
> cheers,
>
> David

I think I can remember that someone wrote about his use of vserver and
drbd.

Drbd is a block device which is designed to build high availability clusters.
This is done by mirroring a whole block device via (a dedicated) network. You
could see it as a network RAID 1.

http://drbd.cubit.at/

-- 
lg, Chris



Re: [Vserver] Vserver in cluster

2004-04-20 Thread DMM
I am using that sort of 'clustering' but without drbd, which had some flaws when
I tested it. I simply use rsync to copy the changed vserver files.
What you still have to do (same when you use drbd) is configure some kind of
failover service (e.g. heartbeat or some self-written stuff) to manage
failover and takeback (and, using rsync, the direction of the data which has
to be copied).

Regards,
Daniel

> On Tuesday 20 April 2004 16:15, Christian Mayrhuber wrote:
>> I think I can remember that someone wrote about his use of vserver and
>> drbd.
>>
>> Drbd is a block device which is designed to build high availability
>> clusters. This is done by mirroring a whole block device via (a
>> dedicated) network. You could see it as a network RAID 1.
>>
>> http://drbd.cubit.at/
>
> This is not the current homepage, sorry.
> The newest version can be found at http://www.drbd.org/




Re: [Vserver] Experimental Version

2004-04-20 Thread Chris Wilson
Hi Herbert,

>> other stuff can be found here:
>> http://vserver.13thfloor.at/Experimental/
>
> yes, actually it's vs1.9.0pre10.3 ... ;)

Well, actually it's vs1.9.0pre11 right now, but let's not split hairs :-)

> with vs1.9.0pre10* you can actually disable the
> proc security from the menuconfig (or *config)

Hmm, it's a shame that that's all you can do, because at least when using 
the stable tools, I can't stop a vserver with this feature enabled:

[EMAIL PROTECTED] vservers]# vserver distcc stop
Stopping the virtual server distcc
Error: /proc must be mounted and readable
  To mount /proc at boot you need an /etc/fstab line like:
  /proc   /proc   proc    defaults
  In the meantime, `mount /proc /proc -t proc'
  To set the permissions, `chmod 755 /proc'
Server distcc is not running

Thanks to you and Bjoern for all your help! I'm working on getting things 
up and running with 2.6.6rc1 and the pre11 patch now (and /proc security 
disabled).

Cheers, Chris.
-- 
_  __ __ _
 / __/ / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_  ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |



Re: [Vserver] Experimental Version

2004-04-20 Thread Herbert Poetzl
On Tue, Apr 20, 2004 at 03:41:00PM +0100, Chris Wilson wrote:
> Hi Herbert,
>
>>> other stuff can be found here:
>>> http://vserver.13thfloor.at/Experimental/
>>
>> yes, actually it's vs1.9.0pre10.3 ... ;)
>
> Well, actually it's vs1.9.0pre11 right now, but let's not split hairs :-)
>
>> with vs1.9.0pre10* you can actually disable the
>> proc security from the menuconfig (or *config)
>
> Hmm, it's a shame that that's all you can do, because at least when using
> the stable tools, I can't stop a vserver with this feature enabled:

hmm, you can still use the vproc utility from
the stable page, to enable the procfs ;)

> [EMAIL PROTECTED] vservers]# vserver distcc stop
> Stopping the virtual server distcc
> Error: /proc must be mounted and readable
>   To mount /proc at boot you need an /etc/fstab line like:
>   /proc   /proc   proc    defaults
>   In the meantime, `mount /proc /proc -t proc'
>   To set the permissions, `chmod 755 /proc'
> Server distcc is not running
>
> Thanks to you and Bjoern for all your help! I'm working on getting things
> up and running with 2.6.6rc1 and the pre11 patch now (and /proc security
> disabled).
>
> Cheers, Chris.


Re: [Vserver] Experimental Version

2004-04-20 Thread Herbert Poetzl
On Tue, Apr 20, 2004 at 03:38:48PM +0100, Chris Wilson wrote:
> Hi Bjoern,
>
>> No, the most recent 2.6 patch is pre10. Patches, deltas and various
>> other stuff can be found here:
>> http://vserver.13thfloor.at/Experimental/
>
> Ahh, thanks, those are better :-) Does anyone know why these aren't linked
> to by the patches page at
> [http://www.13thfloor.at/vserver/e_patches/overview/]?

because I'm lazy, like every developer ;)

>> I guess you're using the stable tools, or at least a legacy
>> configuration, replace -H with -HS in the ULIMIT line. This is a general
>> kernel change introduced somewhere around 2.4.24 IIRC.
>
> Wow, nice of them to break binary compatibility in a stable kernel release
> :-) Still, I suppose it's not the first time.

actually it was called a bug-fix ... 8-)

>> Proc-entries are by default hidden in devel/exper. patches, more
>> information can be found here:
>> http://www.linux-vserver.org/index.php?page=Proc-Security
>> http://archives.linux-vserver.org/200401/0125.html
>> http://list.linux-vserver.org/archive/vserver/msg06552.html
>
> This feature is still giving me problems, like an inability to shut down
> vservers once they're started. I've had to turn it off for now.
>
>> Hmm... Don't know, maybe you're not using a static context? Basic
>> kernel/tools check script is located here:
>
> Seems to have been related to the old patch, the newer versions
> (1.9.0-pre9 and later) don't seem to have this problem
>
> Thanks very much for your help!
>
> Cheers, Chris.


Re: [Vserver] Vserver in cluster

2004-04-20 Thread Dariush Pietrzak
> Now I need VRRP between the servers, and/or a mechanism to move services between
> the 2 vservers (via mon ?).
Don't use VRRP, use uCARP. (I use VRRP currently ... ;)
The beauty of vserver is that you can think of vservers as services, i.e.
service apache == vserver apache. Shut it down on one machine, and bring it
back up on another when uCARP says so (I prefer having two twin vservers;
when one of them goes down I boot up the other, without shared storage).



Re: [Vserver] Vserver in cluster

2004-04-20 Thread Christian Mayrhuber
On Tuesday 20 April 2004 16:26, David Amiel wrote:
> Thank you for your,
>
> drbd could be the beginning of the solution, I'll have a look.
>
> Now I need VRRP between the servers, and/or a mechanism to move services
> between the 2 vservers (via mon ?).
>
> Does the IP implementation of vservers support such mechanisms ?
>
> David

I've found this howto, using the heartbeat package from the linux-ha project.
http://www.slackworks.com/~dkrovich/DRBD/

It should be quite simple to do a failover with a vserver, if you have the 
same configuration.

Put your VSERVER_ROOT on drbd, or some other replication mechanism.
Call vserver X start on the standby system if the heartbeat to
X fails and send some notification to the admin.

If you are using debian, you can experiment with:
# apt-get install -t unstable drbd drbd-source heartbeat util-vserver
I'd suggest using the vserver-1.27 kernel patches from
http://www.13thfloor.at/vserver/s_release/v1.27/linux-vserver-1.27.tar.bz2
and 2.4.26 from kernel.org.
You have to build your own kernel with the drbd module in drbd-source and the
vserver patch.

Hopefully, you will not get any rejects.

If you want to use reiserfs you should apply the data logging patches from
Chris Mason from
ftp://ftp.suse.com/pub/people/mason/patches/data-logging/2.4.25
prior to the vserver patch. If not, I'd suggest using ext3, which does
data=ordered by default.

-- 
lg, Chris
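A failover wrapper in the spirit of the steps above, written here as an added example rather than anything shipped by util-vserver, heartbeat or drbd: it only runs `vserver <guest> start` on the standby once the replicated root is actually mounted, and it notifies the admin either way. The guest name, the mountpoint, and the `VSERVER_CMD` and `MOUNTS_FILE` overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical failover wrapper for one vserver guest whose root lives on a
# replicated block device (added example; not from util-vserver, heartbeat
# or drbd). Usage: vserver-ha <guest> <mountpoint> {start|stop}
# Assumptions not taken from the thread: the guest root is the replicated
# filesystem mounted at <mountpoint>, and start/stop are the legacy
# "vserver <name> start|stop" commands mentioned in the thread.
VSERVER_CMD=${VSERVER_CMD:-vserver}    # overridable so the logic is testable
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# Tell the admin what happened: stderr, plus syslog when logger is present.
notify() {
    echo "vserver-ha: $*" >&2
    command -v logger >/dev/null 2>&1 && logger -t vserver-ha "$*"
    return 0
}

# Return 0 if <mountpoint> appears as a mounted filesystem in MOUNTS_FILE.
replica_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Start the guest only when its root is really on the replica. Starting on an
# unmounted mountpoint would bring up an empty or stale tree on the local
# disk, and once the replica is promoted the two copies silently diverge.
ha_start() {
    guest=$1; mp=$2
    if ! replica_mounted "$mp"; then
        notify "refusing to start $guest: $mp is not mounted"
        return 2
    fi
    "$VSERVER_CMD" "$guest" start && notify "started $guest"
}

# Stop the guest before the replica is handed back to the other node.
ha_stop() {
    "$VSERVER_CMD" "$1" stop && notify "stopped $1"
}

# Dispatch only when called with arguments, so the functions can be sourced.
case $# in
    3) case $3 in
           start) ha_start "$1" "$2" ;;
           stop)  ha_stop "$1" ;;
           *)     echo "usage: $0 <guest> <mountpoint> {start|stop}" >&2; exit 1 ;;
       esac ;;
esac
```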


Re: [Vserver] Experimental Version

2004-04-20 Thread Chris Wilson
Hi Herbert,

> with vs1.9.0pre10* you can actually disable the
> proc security from the menuconfig (or *config)

OK, I built a 2.6.6-rc1 kernel with the -pre11 patch, and it Oopses when I 
try to enter a vserver:

[EMAIL PROTECTED] vservers]# vserver distcc1 enter
/sbin/ifconfig eth1:distcc1 192.168.3.181 netmask 255.255.255.0 broadcast 
192.168.3.255
SIOCSIFADDR: File exists
SIOCSIFFLAGS: Cannot assign requested address
SIOCSIFNETMASK: Cannot assign requested address
SIOCSIFBRDADDR: Cannot assign requested address
SIOCSIFFLAGS: Cannot assign requested address
ipv4root is now 192.168.3.181
Host name is now distcc1.netservers.co.uk
New security context is 49155
Segmentation fault

linux1 kernel: kernel BUG at include/linux/vinline.h:62!
linux1 kernel: invalid operand:  [#3]
linux1 kernel: PREEMPT
linux1 kernel: CPU:0
linux1 kernel: EIP:0060:[<c0113385>]Not tainted
linux1 kernel: EFLAGS: 00010286   (2.6.6-rc1-vs1.9.0pre11)
linux1 kernel: EIP is at mm_init+0xe2/0x101
linux1 kernel: eax: e610bc00   ebx:    ecx: edfeff80   edx: 
e610bc00
linux1 kernel: esi: e4b25ea4   edi: dfd8a76c   ebp: dfd8a580   esp: 
e4b25dfc
linux1 kernel: ds: 007b   es: 007b   ss: 0068
linux1 kernel: Process save_s_context (pid: 2082, threadinfo=e4b24000 
task=defdc330)
linux1 kernel: Stack: dfd8a580 e4b25e6c 0001  dfd8a580 
  dfd8a6e0
linux1 kernel:dfd8a6e0     
  
linux1 kernel:     
  
linux1 kernel: Call Trace:
linux1 kernel:  [<c01136ea>] copy_mm+0xe7/0x427
linux1 kernel:  [<c0114321>] copy_process+0x453/0xb7c
linux1 kernel:  [<c01593ea>] do_pipe+0x185/0x205
linux1 kernel:  [<c0114a9a>] do_fork+0x50/0x16d
linux1 kernel:  [<c01b398a>] copy_to_user+0x3e/0x4e
linux1 kernel:  [<c014c9ba>] sys_llseek+0x9f/0xc4
linux1 kernel:  [<c0104387>] sys_clone+0x41/0x45
linux1 kernel:  [<c010575d>] sysenter_past_esp+0x52/0x71
linux1 kernel:
linux1 kernel: Code: 0f 0b 3e 00 5f e6 28 c0 eb dc a1 ec 1f 35 c0 89 6c 
24 04 89

Any ideas?

Cheers, Chris.


RE: [Vserver] Vserver in cluster

2004-04-20 Thread Dan Winfield
Hi Daniel
 
 
> I am using that sort of 'clustering' but without drbd, which had some flaws
> when I tested it. I simply use rsync to copy the changed vserver files.
> What you still have to do (same when you use drbd) is configure some kind
> of failover service (e.g. heartbeat or some self-written stuff) to manage
> failover and takeback (and, using rsync, the direction of the data which
> has to be copied).
 
What problems did you have with drbd?

Dan



Re: [Vserver] vserver + other security patches

2004-04-20 Thread Lucas Albers

Dariush Pietrzak said:
>> Is it possible to get these 3 patches working together:
>> ctx+grsecurity+vserver.
> ctx IS vserver? you mean ctx quota+grsec+vserver?
> Possible.
Yes, the ctx quota patch.

-- 
Luke, Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana



[Vserver] Direct mail e-mails e-mail lists http://www.gueb.de/divulgamail

2004-04-20 Thread Julian Banderas
The best segmented e-mail lists for direct mail. All
types:
http://www.gueb.de/divulgamail

E-mail databases segmented by state, profession, company and
individuals. Everything you need to advertise and
publicise your business, programs for spam and e-mail marketing.
Updated and guaranteed lists. Visit now:
http://www.gueb.de/divulgamail


[Vserver] Warning: E-mail viruses detected

2004-04-20 Thread MailScanner
Our virus detector has just been triggered by a message you sent:-
  To: [EMAIL PROTECTED]
  Subject: hi
  Date: Tue Apr 20 16:48:13 2004

One or more of the attachments (friend.zip, friend.scr) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: MailScanner: Windows Screensavers are often used to hide viruses (friend.scr)


-- 
MailScanner
Email Virus Scanner
www.mailscanner.info
MailScanner thanks transtec Computers for their support


[Vserver] Networking between vservers

2004-04-20 Thread Micah Anderson
I've got a vserver whose IP is 192.168.0.1 and another whose IP is
192.168.0.2. I can ping between these two vservers fine; however, I
tried to set up mysql to connect from .1 to .2 and found that it was
using the host's actual IP to connect, instead of the private IP:

$ mysqladmin -h 192.168.0.2 ping
connect to server at '192.168.0.2' failed
error: 'Host '212.112.147.194' is not allowed to connect to this MySQL
server'

I used tcpdump to look at the different interfaces, and it was only
when I looked at the loopback did I see the traffic happening:

18:51:54.867738 212.112.147.194.43166 > 192.168.0.2.mysql: S
648997658:648997658(0) win 32767 <mss 16396,sackOK,timestamp 88679821
0,nop,wscale 0> (DF)
18:51:54.867825 192.168.0.2.mysql > 212.112.147.194.43166: S
649947611:649947611(0) ack 648997659 win 32767 <mss
16396,sackOK,timestamp 88679821 88679821,nop,wscale 0> (DF)
18:51:54.867904 212.112.147.194.43166 > 192.168.0.2.mysql: . ack
1 win 32767 <nop,nop,timestamp 88679821 88679821> (DF)
18:51:54.868663 192.168.0.2.mysql > 212.112.147.194.43166: P
1:77(76) ack 1 win 32767 <nop,nop,timestamp 88679822 88679821> (DF)
[tos 0x8]
18:51:54.868740 212.112.147.194.43166 > 192.168.0.2.mysql: . ack
77 win 32767 <nop,nop,timestamp 88679822 88679822> (DF)
18:51:54.868801 192.168.0.2.mysql > 212.112.147.194.43166: F
77:77(0) ack 1 win 32767 <nop,nop,timestamp 88679822 88679822> (DF)
[tos 0x8]
18:51:54.869254 212.112.147.194.43166 > 192.168.0.2.mysql: F
1:1(0) ack 78 win 32767 <nop,nop,timestamp 88679822 88679822> (DF)
[tos 0x8]
18:51:54.869305 192.168.0.2.mysql > 212.112.147.194.43166: . ack
2 win 32767 <nop,nop,timestamp 88679822 88679822> (DF) [tos 0x8]

How can I make it so that the vserver is communicating with the
private IP instead of the public one? I want to do this so I can allow
some vservers the ability to access the mysql, but not others. I can
simply add 212.112.147.194 to the tables to be able to connect, but
then all the vservers would be able to connect, when I only want
192.168.0.1 to be able to connect, but not 192.168.0.3 for example.

Thanks for any pointers! Here is some more info:

/etc/vservers/db.conf:
#
# the vserver which runs the databases
#
S_DOMAINNAME=db
S_HOSTNAME=db
IPROOT=192.168.0.2
IPROOTMASK=255.255.255.0
IPROOTDEV=eth0
S_CAPS=CAP_NET_RAW

/etc/vservers/zun.conf:
S_HOSTNAME=zun
IPROOT=192.168.0.1
IPROOTMASK=255.255.255.0
IPROOTDEV=eth0
S_FLAGS=lock nproc
ULIMIT=-u 256 -n 1024
S_CAPS=CAP_NET_RAW

Thanks!

micah

 
Naturally, the common people don't want war, but after all, it
is the leaders of a country who determine the policy...Voice or no
voice, the people can always be brought to the bidding of the leaders.
This is easy.  All you have to do is to tell them they are being
attacked, and denounce the pacifists for lack of patriotism and
exposing the country to danger. It works the same in every country.
  -- Goering, Nuremberg trial
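To audit the symptom above before deciding which address to grant in MySQL, here is an added example (not from the post and not part of util-vserver) that pulls the IPROOT values out of the legacy config files and flags every connection attempt in a tcpdump capture whose source is not a guest address; a grant for the shared host address would admit every guest, not only 192.168.0.1. The sample config and capture lines are constructed from the ones quoted above, and the field positions assume the tcpdump line format shown there.

```shell
#!/bin/sh
# Added example (not from the thread): check whether connections between
# guests leave with a guest's own IPROOT address or with the host's address.
# An IP-based ACL such as MySQL's host grants cannot tell guests apart when
# they all arrive as the host address, so granting it would admit every guest.
# Sample config and capture lines are constructed from the ones in the post;
# the 2004-era tcpdump line format ("src.port > dst.port: flags ...") is assumed.

# Print the IPROOT of every legacy /etc/vservers/*.conf file (stdin if none).
guest_addrs() {
    sed -n 's/^IPROOT=\([0-9.]*\).*/\1/p' "$@"
}

# Read tcpdump lines on stdin; for each connection attempt (initial SYN, no
# "ack") print "src -> dst" when src is not a configured guest address.
# $1 is the newline-separated guest address list produced by guest_addrs.
unexpected_sources() {
    awk -v guests="$1" '
        BEGIN { n = split(guests, g, "\n"); for (i = 1; i <= n; i++) ok[g[i]] = 1 }
        # fields: 1 time, 2 src.port, 3 ">", 4 "dst.port:", 5 flags, 6 seq, 7 win|ack
        $3 == ">" && $5 == "S" && $7 != "ack" {
            src = $2; sub(/\.[^.]*$/, "", src)    # drop ".port"
            dst = $4; sub(/\.[^.]*$/, "", dst)    # drop ".port:"
            if (!(src in ok)) print src " -> " dst
        }'
}

# Constructed input: the two guest configs and two connection attempts, one
# made from the host address (the case in the post) and one from a guest.
SAMPLE_CONF='S_HOSTNAME=db
IPROOT=192.168.0.2
IPROOTMASK=255.255.255.0
S_HOSTNAME=zun
IPROOT=192.168.0.1'
SAMPLE_CAPTURE='18:51:54.867738 212.112.147.194.43166 > 192.168.0.2.mysql: S 648997658:648997658(0) win 32767 <mss 16396,sackOK> (DF)
18:51:54.867825 192.168.0.2.mysql > 212.112.147.194.43166: S 649947611:649947611(0) ack 648997659 win 32767 <mss 16396> (DF)
18:51:54.867904 212.112.147.194.43166 > 192.168.0.2.mysql: . ack 1 win 32767 <nop,nop> (DF)
18:52:01.000001 192.168.0.1.43170 > 192.168.0.2.mysql: S 700000000:700000000(0) win 32767 <mss 16396,sackOK> (DF)'

# Run the check over the constructed sample; prints only the host-sourced flow.
run_demo() {
    guests=$(printf '%s\n' "$SAMPLE_CONF" | guest_addrs)
    printf '%s\n' "$SAMPLE_CAPTURE" | unexpected_sources "$guests"
}

case $# in 0) run_demo ;; esac
```

On a real host, feed `guest_addrs /etc/vservers/*.conf` and a `tcpdump -n -i lo` capture into `unexpected_sources` instead of the constructed strings.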