[Vserver] proc too secure?
Hi - sorry for asking again - Normally I like to research such things properly, but time is not on my side for this project, so I come in hope of a quick solution.

I need to install binfmt support within a vserver, however proc is secured in such a way as it cannot install properly:

    Setting up binfmt-support (1.2.3) ...
    mount: permission denied
    update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
    Enabling additional executable binary formats: mount: permission denied
    update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
    binfmt-support.

Is there a (good) way to allow this to happen without removing proc security entirely? I didn't see anything in the docs I have skimmed through...

thanks and apologies for asking without doing much research first.

--
Gary Wilson, aka dragon/dragonlord/dragonv480
e: [EMAIL PROTECTED]  MSN: dragonv480  Skype: dragonv480  ICQ: 342070475  AIM: dragonv480
w: http://volvo480.northernscum.org.uk
w: http://www.northernscum.org.uk

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] How to copy/debug a vserver
On Wed, 4 May 2005, Herbert Poetzl wrote:

> On Tue, May 03, 2005 at 06:24:11PM +0200, Arjen wrote:
>> On 3/5/05 10:55 am, Werner Schalk [EMAIL PROTECTED] wrote:
>>> My system is Gentoo, and I am still using util-vserver X on 2.6.11-rc3-vs1.9.4. My USE flags do include vserver and portage overlay is set to /usr/local/portage (both inside the vserver). When I execute mc inside the vserver I also get mc subshell.c: couldn't open master side of pty pty_open_master: No such file or directory
>>
>> Sounds familiar. I've tried several gentoo vserver installs, with the portage overlay, without it (normal install) and using baselayout-vserver as the baselayout. None of them would start flawless, you'll have to edit around 7 or 8 initscripts (add the 'exit 0' on top of the script) or remove them from the startup sequence using rc-update (rc-update del checkfs boot). This might give you a clean startup but I think this is not the right thing to do. Why, well because we could break things this way.
>>
>> Like you I'm experiencing issues with tty's. I've got similar problems using screen and ssh. Ever tried to ssh from one vserver to another vserver? Or started a screen session inside a vserver? I think the problem has something to do
>
> hmm, did you verify that your user is in the 'tty' group?

Ok, i've got things working, ssh by adding it to the tty group and screen by making it sgid. But, again, i don't think this is the real solution, in my host a normal user doesn't need to be in the tty group to be able to ssh, or screen doesn't need the sgid bit set to work in the host.

>> with /dev/tty*,
>>
>>     crw-rw 1 root tty 5, 0 Mar 4 14:39 /dev/tty (inside the vserver)
>>
>> Compare it with /dev/tty in the host,
>>
>>     crw-rw-rw- 1 root tty 5, 0 May 1 22:32 /dev/tty (in the host)
>>
>> Btw, when i extract the stages tarballs (i tried a stage2 stage3) the rights are as in the vserver. I don't know why (and how) it is different when compared to the host. It could be I'm missing something at startup which changes these settings because of the 'exit 0''s in some of the initscripts.
>>
>> I stopped trying to solve this, but since you seem to have a similar problem maybe someone has a bright moment reading this :)
>
> well, both, ssh _and_ screen work here .. which doesn't mean much as the version I tested on is 2.4/1.2.10 ...

I'm running Gentoo, 2.6.11.6-grsec-vs1.9.5 on an amd64, util-vserver-0.30.204.

Cheers,
-Arjen
Re: [Vserver] Summary of recent improvement discussion
On Tue, 3 May 2005, Sam Vilain wrote:

> Bootstrapping Images
>
> The status of debootstrap and `rpmstrap' in the current utilities was briefly discussed, so that vservers of lots of different types could easily be built without installing extra utilities manually.

I haven't seen this being discussed on the list, I hope I'm not about to say anything sacrilegious, but am I in the minority to think that the build tools do not belong in util-vserver at all?

I think that util-vserver should provide the absolute minimal build capability as proof-of-concept tucked away somewhere in an examples/ subdirectory _only_. The job of writing/maintaining build tools belongs with distribution maintainers (or whoever else wants to take it up).

When I set out to write what is now known as OpenVPS (which ATM is Fedora based), I wanted to use util-vserver as much as possible, but in the end found that since you ultimately end up having to figure out the intricate details of the underlying mechanism (rpm in my case), it ends up being easier to interface with rpm directly rather than via util-vserver scripts. They served as a pretty good example and a starting point, and that's about all the value I got from them. (We're actually more and more relying on Python bindings for a lot of rpm and vserver calls)

Granted, there is an apparent chicken-and-egg problem here - linux vserver needs to be easy to use to gain more traction and that requires build images, and distribution maintainers are not going to take on complex tasks like this without there being sufficient coolness. But I think a lot more can be done through advocacy and solicitation rather than actually trying to do it.

I also think more effort put towards bringing core utilities towards mint condition (with man pages and everything) would go a lot further towards overall value for the project than focusing on build tools.

Am I being off my nut here? (If so, that's OK, been there before!)

Grisha
Re: [Vserver] How to copy/debug a vserver
On Wed, May 04, 2005 at 02:32:59PM +0200, Arjen wrote:

> On Wed, 4 May 2005, Herbert Poetzl wrote:
>> On Tue, May 03, 2005 at 06:24:11PM +0200, Arjen wrote:
>>> On 3/5/05 10:55 am, Werner Schalk [EMAIL PROTECTED] wrote:
>>>> My system is Gentoo, and I am still using util-vserver X on 2.6.11-rc3-vs1.9.4. My USE flags do include vserver and portage overlay is set to /usr/local/portage (both inside the vserver). When I execute mc inside the vserver I also get mc subshell.c: couldn't open master side of pty pty_open_master: No such file or directory
>>>
>>> Sounds familiar. I've tried several gentoo vserver installs, with the portage overlay, without it (normal install) and using baselayout-vserver as the baselayout. None of them would start flawless, you'll have to edit around 7 or 8 initscripts (add the 'exit 0' on top of the script) or remove them from the startup sequence using rc-update (rc-update del checkfs boot). This might give you a clean startup but I think this is not the right thing to do. Why, well because we could break things this way.
>>>
>>> Like you I'm experiencing issues with tty's. I've got similar problems using screen and ssh. Ever tried to ssh from one vserver to another vserver? Or started a screen session inside a vserver? I think the problem has something to do
>>
>> hmm, did you verify that your user is in the 'tty' group?
>
> Ok, i've got things working, ssh by adding it to the tty group and screen by making it sgid. But, again, i don't think this is the real solution, in my host a normal user doesn't need to be in the tty group to be able to ssh, or screen doesn't need the sgid bit set to work in the host.

well, hey this is a security feature, feel free to change the permissions of the pts mount to use insecure rw for all ...

sgid for screen should not be required, if your user is in the tty group ... (check with changing the tty with chmod a+rw /dev/tty* )

>>> with /dev/tty*,
>>>
>>>     crw-rw 1 root tty 5, 0 Mar 4 14:39 /dev/tty (inside the vserver)
>>>
>>> Compare it with /dev/tty in the host,
>>>
>>>     crw-rw-rw- 1 root tty 5, 0 May 1 22:32 /dev/tty (in the host)
>>>
>>> Btw, when i extract the stages tarballs (i tried a stage2 stage3) the rights are as in the vserver. I don't know why (and how) it is different when compared to the host. It could be I'm missing something at startup which changes these settings because of the 'exit 0''s in some of the initscripts.
>>>
>>> I stopped trying to solve this, but since you seem to have a similar problem maybe someone has a bright moment reading this :)
>>
>> well, both, ssh _and_ screen work here .. which doesn't mean much as the version I tested on is 2.4/1.2.10 ...
>
> I'm running Gentoo, 2.6.11.6-grsec-vs1.9.5 on an amd64, util-vserver-0.30.204.

be careful to use 64bit userspace for the tools, and a nicely patched up dietlibc ... (unless you are running it with a 32bit kernel ;)

HTH,
Herbert

> Cheers,
> -Arjen
Re: [Vserver] Summary of recent improvement discussion
On Wed, May 04, 2005 at 10:33:46AM -0400, Gregory (Grisha) Trubetskoy wrote:

> On Tue, 3 May 2005, Sam Vilain wrote:
>
>> Bootstrapping Images
>>
>> The status of debootstrap and `rpmstrap' in the current utilities was briefly discussed, so that vservers of lots of different types could easily be built without installing extra utilities manually.
>
> I haven't seen this being discussed on the list, I hope I'm not about to say anything sacrilegious, but am I in the minority to think that the build tools do not belong in util-vserver at all?
>
> I think that util-vserver should provide the absolute minimal build capability as proof-of-concept tucked away somewhere in an examples/ subdirectory _only_. The job of writing/maintaining build tools belongs with distribution maintainers (or whoever else wants to take it up).
>
> When I set out to write what is now known as OpenVPS (which ATM is Fedora based), I wanted to use util-vserver as much as possible, but in the end found that since you ultimately end up having to figure out the intricate details of the underlying mechanism (rpm in my case), it ends up being easier to interface with rpm directly rather than via util-vserver scripts. They served as a pretty good example and a starting point, and that's about all the value I got from them. (We're actually more and more relying on Python bindings for a lot of rpm and vserver calls)
>
> Granted, there is an apparent chicken-and-egg problem here - linux vserver needs to be easy to use to gain more traction and that requires build images, and distribution maintainers are not going to take on complex tasks like this without there being sufficient coolness. But I think a lot more can be done through advocacy and solicitation rather than actually trying to do it.
>
> I also think more effort put towards bringing core utilities towards mint condition (with man pages and everything) would go a lot further towards overall value for the project than focusing on build tools.
>
> Am I being off my nut here? (If so, that's OK, been there before!)

heh, how far is OpenVPS now? and what about its 'current' targets/aims/whatever ... maybe you could give a short overview?

TIA,
Herbert

> Grisha
Re: [Vserver] proc too secure?
Hi again!

I discovered earlier that yes indeed, if you configure the host up with the relevant binfmt stuff, the vservers adopt those settings, so all is well and good.

I am having trouble with grsec though - I have set it for medium security, and yet the vserver refuses to start complaining that the capabilities don't exist - yet I checked the kernel and the default capabilities are set (monolithically, not as a module) - just checking all kernel options and recompiling, in case there's some difference between my working kernel with grsec disabled and this one...

In the meantime, if anyone has used grsec along with vservers, I'd be interested to hear any stories about making it work!!!

Thanks all!

Gary Wilson

On Wed, 4 May 2005, Herbert Poetzl wrote:

> On Wed, May 04, 2005 at 10:01:49AM +0100, Gaz Wilson wrote:
>> Hi - sorry for asking again - Normally I like to research such things properly, but time is not on my side for this project, so I come in hope of a quick solution.
>>
>> I need to install binfmt support within a vserver, however proc is secured in such a way as it cannot install properly:
>>
>>     Setting up binfmt-support (1.2.3) ...
>>     mount: permission denied
>>     update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
>>     Enabling additional executable binary formats: mount: permission denied
>>     update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
>>     binfmt-support.
>
> binfmt or more precisely misc binary format support is not available inside vserver, because it needs userspace helpers which have to 'run' in the proper context, and that has just not been done yet ...
>
> you can use it on the host though ... and it might reach/map into vservers (not tested)
>
> best,
> Herbert
>
>> Is there a (good) way to allow this to happen without removing proc security entirely? I didn't see anything in the docs I have skimmed through...
>>
>> thanks and apologies for asking without doing much research first.
Re: [Vserver] proc too secure?
Self-followup - sorry!

I have sorted grsec with vservers and so far everything is working nicely now :) Fingers x'd :)

Thanks for everyone's help to date.

gary

On Wed, 4 May 2005, Gaz Wilson wrote:

> Hi again!
>
> I discovered earlier that yes indeed, if you configure the host up with the relevant binfmt stuff, the vservers adopt those settings, so all is well and good.
>
> I am having trouble with grsec though - I have set it for medium security, and yet the vserver refuses to start complaining that the capabilities don't exist - yet I checked the kernel and the default capabilities are set (monolithically, not as a module) - just checking all kernel options and recompiling, in case there's some difference between my working kernel with grsec disabled and this one...
>
> In the meantime, if anyone has used grsec along with vservers, I'd be interested to hear any stories about making it work!!!
>
> Thanks all!
>
> Gary Wilson
>
> On Wed, 4 May 2005, Herbert Poetzl wrote:
>
>> On Wed, May 04, 2005 at 10:01:49AM +0100, Gaz Wilson wrote:
>>> Hi - sorry for asking again - Normally I like to research such things properly, but time is not on my side for this project, so I come in hope of a quick solution.
>>>
>>> I need to install binfmt support within a vserver, however proc is secured in such a way as it cannot install properly:
>>>
>>>     Setting up binfmt-support (1.2.3) ...
>>>     mount: permission denied
>>>     update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
>>>     Enabling additional executable binary formats: mount: permission denied
>>>     update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on /proc/sys/fs/binfmt_misc.
>>>     binfmt-support.
>>
>> binfmt or more precisely misc binary format support is not available inside vserver, because it needs userspace helpers which have to 'run' in the proper context, and that has just not been done yet ...
>>
>> you can use it on the host though ... and it might reach/map into vservers (not tested)
>>
>> best,
>> Herbert
>>
>>> Is there a (good) way to allow this to happen without removing proc security entirely? I didn't see anything in the docs I have skimmed through...
>>>
>>> thanks and apologies for asking without doing much research first.
Re: [Vserver] Summary of recent improvement discussion
On Wed, 4 May 2005, Herbert Poetzl wrote:

> heh, how far is OpenVPS now? and what about its 'current' targets/aims/whatever ... maybe you could give a short overview?

Well... targets/aims is a big question that I've been trying to answer for a long time :-)

The idea is to provide the missing software between just bare Linux VServer/utils and a hosting environment.

To put it in perspective - anyone who uses vserver is very likely to create some sort of an image. Of course not knowing what the ultimate goal is there is no telling what that image might be because there is a big difference between running a jailed sendmail, a honeypot or hosting a VPS. But once you define the context, which in this case it _is_ a VPS, then a lot more becomes known - e.g. a VPS should probably include hosting-relevant packages (e.g. apache), you can make a pretty good guess at what services should be enabled, you can do little things like generate an SSL cert, create a default user, fix up mail config, etc, etc.

From the host perspective - VPS's need to be provisioned/stopped/deleted fairly simply, they need to be backed up, you need to monitor resource usage and make sure that things are up, there needs to be a mechanism for keeping up to date with security updates, etc.

It is also a given that you would use quite a few of physical servers, and those would need to be easily provisioned, monitored from a central place, etc.

That's in a nutshell what OpenVPS aims to do. It's actually a lot of stuff, and it's not really easily categorizable as a control panel or whatever (in fact, the CP functionality is quite limited at this point).

There is a status page that lists things that it already does reasonably well: http://www.openvps.org/Plone/about/status

The other aspect of this project that should be mentioned is how it is run - rather than trying to make guesses as to what a hosting company would need, we actually went ahead and started a hosting company (ok, it was actually the other way around - first the company, then the project :)). As far as I can tell, OpenHosting is the _only_ hosting company that actually makes all (except for the billing stuff) of its software open source and is proud of it, but this is kind of getting OT for this list.

OpenVPS is currently ASL licensed (this might change to GPL) and is all Python/C - that's just my mod_python heritage.

Anyway - if this resonates with anyone on this list - and I _know_ that there are lots of ISP/hosting people here, subscribe to the OpenVPS dev list (http://openvps.org/mailman/listinfo/dev), we could certainly use a lot of help :-)

Grisha
Re: [Vserver] How to copy/debug a vserver
On 4/5/05 5:02 pm, Herbert Poetzl [EMAIL PROTECTED] wrote:

> On Wed, May 04, 2005 at 02:32:59PM +0200, Arjen wrote:
>> On Wed, 4 May 2005, Herbert Poetzl wrote:
>>> On Tue, May 03, 2005 at 06:24:11PM +0200, Arjen wrote:
>>>> ssh. Ever tried to ssh from one vserver to another vserver? Or started a screen session inside a vserver? I think the problem has something to do
>>>
>>> hmm, did you verify that your user is in the 'tty' group?
>>
>> Ok, i've got things working, ssh by adding it to the tty group and screen by making it sgid. But, again, i don't think this is the real solution, in my host a normal user doesn't need to be in the tty group to be able to ssh, or screen doesn't need the sgid bit set to work in the host.
>
> well, hey this is a security feature, feel free to change the permissions of the pts mount to use insecure rw for all ...
>
> sgid for screen should not be required, if your user is in the tty group ... (check with changing the tty with chmod a+rw /dev/tty* )

Aha, ok, sorry for my lack of knowledge here, but I assumed the environment should be the same as in the host. Logical question, is it 'normal' that the host has a+rw and the guests don't?

>>>> with /dev/tty*,
>>>>
>>>>     crw-rw 1 root tty 5, 0 Mar 4 14:39 /dev/tty (inside the vserver)
>>>>
>>>> Compare it with /dev/tty in the host,
>>>>
>>>>     crw-rw-rw- 1 root tty 5, 0 May 1 22:32 /dev/tty (in the host)
>>
>> I'm running Gentoo, 2.6.11.6-grsec-vs1.9.5 on an amd64, util-vserver-0.30.204.
>
> be careful to use 64bit userspace for the tools, and a nicely patched up dietlibc ... (unless you are running it with a 32bit kernel ;)

ATM I'm happily running 3 to 5 vservers, 3 of them replaced 2 actual computers! Much less noise ;) and I could finally separate things. It's running in a (I'm not sure if this is gentoo specific) multilib environment, not pure 64bit but it all looks pretty solid, no real problems, the vservers are doing their work nicely.

IOW thanx guys! :)

Cheers,
-Arjen
Re: [Vserver] OpenFoundry project for Vserver Utilities
[EMAIL PROTECTED] (Ola Lundqvist) writes:

> * Is a dependency on perl for building acceptable? I need it as one of the manpages (vserver-build) is written in .pod format and need pod2man (provided by perl) to convert to manpage format. I'm not sure what you think about that. I can probably rewrite it directly to manpage format but it will take some time (which I do not have too much of). I also seem to have a different version of vserver manpage that is regenerated by pod2man (I have forgot that).

I am not sure how documentation should be handled. I am tending to a master XML file which can be translated into '... --help' output, man-pages or DocBook XML or ...

Current way which reformats the '--help' output is not very clever: it introduces redundancy, does not provide additional information and requires additional maintenance.

> * I will modify vserver-copy to have better rsync options --numeric-ids -H and maybe some more.

vserver-copy needs much changes as it uses still the legacy config.

> * I will make src/vshelper-sync.c have an ifdef on __linux__ instead of __linux to work better with dietlibc.

Best place to report such things would be the bugtracker at savannah.

> * I will modify man/chcontext.8 so it has section 8 inside too.

ditto

Enrico
Re: [Vserver] OpenFoundry project for Vserver Utilities
[EMAIL PROTECTED] (Sam Vilain) writes:

> I have set up a new project on OpenFoundry.org for util-vserver. OpenFoundry is like SourceForge, except it doesn't suck.
>
> http://utilvserver.openfoundry.org/
>
> (no hyphens allowed in project names! bummer)
>
> For now the important thing it has is a public read-only Subversion server, and is trivial for project Admins to invite other people to be committers. So, you can grab the latest version of util-vserver from;
>
> http://svn.openfoundry.org/utilvserver/trunk/
>
> Then use svn update friends to pull down new versions! :-D

mmh... I am not very happy with the way how this was solved, because:

* afais, the complete history of changes was lost in the SVN reimport

* the svn repository contains lots of autogenerated files (e.g. ChangeLog, Makefile.in, configure, ...) which should not be handled by SCM systems

* I do not think that Subversion is so much better than CVS that a change is required. Changeset support or support of distributed development would be arguments convincing me but SVN does not offer these features.

* what's wrong with current hosting at savannah? Ok, they are excessively paranoid which makes things like file uploads nearly impossible. But I still have hope that it will be fixed.

First two points can be perhaps solved by converting the CVS tree but I never did such a conversion. As already mentioned, I do not see the necessity of such a step.

Enrico
Re: [Vserver] OpenFoundry project for Vserver Utilities
Hello

On Wed, May 04, 2005 at 08:34:59PM +0200, Enrico Scholz wrote:

> [EMAIL PROTECTED] (Sam Vilain) writes:
>
>> I have set up a new project on OpenFoundry.org for util-vserver. OpenFoundry is like SourceForge, except it doesn't suck.
>>
>> http://utilvserver.openfoundry.org/
>>
>> (no hyphens allowed in project names! bummer)
>>
>> For now the important thing it has is a public read-only Subversion server, and is trivial for project Admins to invite other people to be committers. So, you can grab the latest version of util-vserver from;
>>
>> http://svn.openfoundry.org/utilvserver/trunk/
>>
>> Then use svn update friends to pull down new versions! :-D
>
> mmh... I am not very happy with the way how this was solved, because:
>
> * afais, the complete history of changes was lost in the SVN reimport
>
> * the svn repository contains lots of autogenerated files (e.g. ChangeLog, Makefile.in, configure, ...) which should not be handled by SCM systems

I think there are triggers that can be added to svn. Right now I have upsted the ChangeLog manually to make sure no such thing is lost. Or was the ChangeLog fully autogenerated?

> * I do not think that Subversion is so much better than CVS that a change is required. Changeset support or support of distributed development would be arguments convincing me but SVN does not offer these features.

The best upgrade thing with svn compared to cvs is that you can handle directories too and do not lose the history. You can hack this to CVS but then you have to have shell access and know how CVS is managed behind the scenes.

> * what's wrong with current hosting at savannah? Ok, they are excessively paranoid which makes things like file uploads nearly impossible. But I still have hope that it will be fixed.
>
> First two points can be perhaps solved by converting the CVS tree but I never did such a conversion. As already mentioned, I do not see the necessity of such a step.

I have done such a conversion and can do it again if you like. My commits have not been too extensive so I can do it again without problem after a conversion.

I thought you were behind this change so I happily started to commit things. Hope you do not mind. :)

Regards,

// Ola

> Enrico

--
Ola Lundqvist
[EMAIL PROTECTED]          Annebergsslingan 37
[EMAIL PROTECTED]          654 65 KARLSTAD
+46 (0)54-10 14 30         +46 (0)70-332 1551
http://www.opal.dhs.org    UIN/icq: 4912500
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
Re: [Vserver] How to copy/debug a vserver
On Wed, May 04, 2005 at 07:42:38PM +0200, Arjen wrote:

> On 4/5/05 5:02 pm, Herbert Poetzl [EMAIL PROTECTED] wrote:
>> On Wed, May 04, 2005 at 02:32:59PM +0200, Arjen wrote:
>>> On Wed, 4 May 2005, Herbert Poetzl wrote:
>>>> On Tue, May 03, 2005 at 06:24:11PM +0200, Arjen wrote:
>>>>> ssh. Ever tried to ssh from one vserver to another vserver? Or started a screen session inside a vserver? I think the problem has something to do
>>>>
>>>> hmm, did you verify that your user is in the 'tty' group?
>>>
>>> Ok, i've got things working, ssh by adding it to the tty group and screen by making it sgid. But, again, i don't think this is the real solution, in my host a normal user doesn't need to be in the tty group to be able to ssh, or screen doesn't need the sgid bit set to work in the host.
>>
>> well, hey this is a security feature, feel free to change the permissions of the pts mount to use insecure rw for all ...
>>
>> sgid for screen should not be required, if your user is in the tty group ... (check with changing the tty with chmod a+rw /dev/tty* )
>
> Aha, ok, sorry for my lack of knowledge here, but I assumed the environment should be the same as in the host. Logical question, is it 'normal' that the host has a+rw and the guests don't?

guess it really depends on the security level of the host (i.e. if your security is tighter, you will put more things into specific groups like tty, cdwrite, ...)

>>>>> with /dev/tty*,
>>>>>
>>>>>     crw-rw 1 root tty 5, 0 Mar 4 14:39 /dev/tty (inside the vserver)
>>>>>
>>>>> Compare it with /dev/tty in the host,
>>>>>
>>>>>     crw-rw-rw- 1 root tty 5, 0 May 1 22:32 /dev/tty (in the host)
>>>
>>> I'm running Gentoo, 2.6.11.6-grsec-vs1.9.5 on an amd64, util-vserver-0.30.204.
>>
>> be careful to use 64bit userspace for the tools, and a nicely patched up dietlibc ... (unless you are running it with a 32bit kernel ;)
>
> ATM I'm happily running 3 to 5 vservers, 3 of them replaced 2 actual computers! Much less noise ;) and I could finally separate things. It's running in a (I'm not sure if this is gentoo specific) multilib environment, not pure 64bit but it all looks pretty solid, no real problems, the vservers are doing their work nicely.
>
> IOW thanx guys! :)

you're welcome!

> Cheers,
> -Arjen
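The /dev/tty permission difference discussed in this thread, as an added example that is not part of any poster's message: a small shell check that takes an `ls -l` line for a device node and reports whether a user can open it read/write, and whether group membership alone (the narrow fix mentioned above) would be enough without widening the mode. The user names alice and bob are hypothetical, and the guest mode is assumed to be `crw-rw----` because the thread prints it only as "crw-rw".

```shell
#!/bin/sh
# Added example, not from the thread: explain why a user can or cannot open a
# tty device node read/write, using `ls -l` lines like those quoted above.

# Constructed sample input. The thread prints the guest mode as "crw-rw";
# the trailing "----" is an assumption.
GUEST_TTY='crw-rw---- 1 root tty 5, 0 Mar 4 14:39 /dev/tty'
HOST_TTY='crw-rw-rw- 1 root tty 5, 0 May 1 22:32 /dev/tty'

# rw_class MODESTR OWNER GROUP USER "USER_GROUPS"
# Unix consults exactly one permission class: owner, else group, else other.
# Prints "<class>:rw" or "<class>:denied". Root/capability overrides ignored.
rw_class() {
    rc_mode=$1 rc_owner=$2 rc_group=$3 rc_user=$4 rc_ugroups=$5
    if [ "$rc_user" = "$rc_owner" ]; then
        rc_class=owner; rc_cols=2-3
    else
        case " $rc_ugroups " in
            *" $rc_group "*) rc_class=group; rc_cols=5-6 ;;
            *)               rc_class=other; rc_cols=8-9 ;;
        esac
    fi
    rc_bits=$(printf '%s' "$rc_mode" | cut -c"$rc_cols")
    if [ "$rc_bits" = rw ]; then
        echo "$rc_class:rw"
    else
        echo "$rc_class:denied"
    fi
}

# audit_line "LS_LINE" USER "USER_GROUPS"
# Prints one of:
#   ok                  the user can already open the node read/write
#   add-to-group:<grp>  the group class has rw, so membership is the narrow fix
#   denied              only a mode or ownership change would grant access
audit_line() {
    al_user=$2 al_ugroups=$3
    set -f                      # no globbing while splitting the line
    set -- $1                   # $1=mode $3=owner $4=group
    set +f
    al_mode=$1 al_owner=$3 al_group=$4
    al_res=$(rw_class "$al_mode" "$al_owner" "$al_group" "$al_user" "$al_ugroups")
    case $al_res in
        *:rw)         echo ok ;;
        owner:denied) echo denied ;;   # owner class is final; groups not consulted
        *)
            if [ "$(printf '%s' "$al_mode" | cut -c5-6)" = rw ]; then
                echo "add-to-group:$al_group"
            else
                echo denied
            fi ;;
    esac
}

# Demo with two hypothetical users: alice is not in 'tty', bob is.
for who in "alice:alice users" "bob:bob tty"; do
    u=${who%%:*}; g=${who#*:}
    echo "guest $u ($g): $(audit_line "$GUEST_TTY" "$u" "$g")"
    echo "host  $u ($g): $(audit_line "$HOST_TTY" "$u" "$g")"
done
```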
Re: [Vserver] Summary of recent improvement discussion
Gilles wrote:

>>> Bootstrapping Images
>>
>> I haven't seen this being discussed on the list, I hope I'm not about to say anything sacrilegious, but am I in the minority to think that the build tools do not belong in util-vserver at all?
>
> Although not knowing much about it, I would think so too.

I would like to see the tools as being inclusive, rather than minimal. You wouldn't expect to buy a car, then have to go somewhere else to get the seats and panelling.

It is easily possible to have the source build into more than one package, make parts of it optional, etc - to avoid forcing everyone to install tons of what they might perceive as rubbish just to use vserver.

Sure, projects like OpenVPS or StrongBox that have a different goal - providing business level objectives package rather than system level - still need to be separate projects (but then, maybe parts of OpenVPS do belong in util-vserver, maybe all of it, who knows!).

There may be a time when this really does deserve to be taken out and put in another package, but I don't think that time has come yet...

Sam.