Re: [Vserver] fuse ( sshfs ) in guests

2007-05-25 Thread Philippe Teuwen



You will need to see /dev/fuse and be able to write to it. You may copy the 
file from the host, but have to make it so that it is owned by owner root and 
group fuse inside the client (this is the standard set up SFAIK).

In order to get a fuse program working in a recent LTSP set up I also needed to 
add to the ccapabilities of that guest. I needed to add both SECURE_MOUNT and 
BINARY_MOUNT.
  

Hello,

I tried the following:
/etc/vservers/devel/ccapabilities
SECURE_MOUNT
SECURE_REMOUNT
BINARY_MOUNT

Then I can use mount but not fuse, strace shows:

mount -t proc null ~/mnt:
mount(null, /root/mnt, proc, MS_MGC_VAL, NULL) = 0

mount --bind /home ~/mnt:
mount(/home, /root/mnt, 0x40fde2, MS_MGC_VAL|MS_BIND, 0) = 0

but sshfs:
mount([EMAIL PROTECTED]:/, /root/mnt, fuse, 
MS_NOSUID|MS_NODEV, 
max_read=65536,fd=4,rootmode=4,user_id=0,group_id=0) = -1 EPERM 
(Operation not permitted)


or with CompFused (compression fuse fs)
mount(fuse, /root/mnt, fuse, MS_NOSUID|MS_NODEV, 
fd=4,rootmode=4,user_id=0,group_id=0) = -1 EPERM (Operation not 
permitted)


But if I give extra
/etc/vservers/devel/bcapabilities
SYS_ADMIN

then it works:
mount(fuse, /root/mnt, fuse, MS_NOSUID|MS_NODEV, 
fd=3,rootmode=4,user_id=0,group_id=0) = 0


So there is apparently some extra capability required by fuse but I 
don't want to give plain CAP_SYS_ADMIN

Any idea?

Note that to strace mount() call into a libfuse fork, you can try sth like
_FUSE_COMMFD=1 strace -s256 /usr/bin/fusermount -o fsname=fuse -- /root/mnt
It's a broken fuse call as there is no unix socket associated but it's 
enough to hit the mount() call.


Kernel: 2.6.17.14-grsec2.1.9-vs2.0.2.1
VS-API: 0x00020002
util-vserver: 0.30.212; Dec 9 2006, 20:37:54

Please don't tell me to try a very new kernel/patch just to see unless 
you know something was indeed fixed, it's on a production vserver...


Phil

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
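
Added example, not part of the original post: a small POSIX shell helper that decodes a capability mask (the CapEff value in /proc/PID/status) so you can see whether a process carries SYS_ADMIN and what else comes with its set. The function names and sample masks are constructed for illustration, and it assumes the guest's restriction is visible in CapEff, which the thread does not confirm for this vserver version.

```sh
#!/bin/sh
# Capability names in bit order from linux/capability.h: bit 0 is CAP_CHOWN,
# bit 21 is CAP_SYS_ADMIN, bit 30 is CAP_AUDIT_CONTROL. Bits above 30, added
# by later kernels, are ignored here.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL"

# decode_caps HEXMASK: print the names of the capability bits set in the mask.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# has_cap HEXMASK NAME: succeed only if the named capability is in the mask.
has_cap() {
    case " $(decode_caps "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# cap_eff [PID]: effective capability mask of a process (default: this shell).
cap_eff() {
    sed -n 's/^CapEff:[[:space:]]*//p' "/proc/${1:-self}/status"
}

# Constructed sample masks, not taken from the thread: a reduced set
# (bits 0-7 and 10), then the same set with bit 21 (SYS_ADMIN) added.
for m in 000004ff 002004ff; do
    if has_cap "$m" SYS_ADMIN; then v="has SYS_ADMIN"; else v="no SYS_ADMIN"; fi
    echo "$m: $v [$(decode_caps "$m")]"
done

# On a live system, check the current process the same way.
if [ -r /proc/self/status ]; then
    echo "self: $(decode_caps "$(cap_eff)")"
fi
```
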


Re: [Vserver] Gentoo and hashified files

2007-05-25 Thread Einar S. Idsø
Oliver,

Thank you very much for your description. It sounds highly interesting,
and I may try it out when I have the time.

Thanks!
Einar

Oliver Welter wrote:
 It's a bit tricky - I will sketch the setup for you:
 
 I have a template /vservers/template - that is a full blown gentoo
 installation for vservers. When I do updates, I do them by chroot'ing to
 this dir - NOT by entering a vserver!
 This way the portage and the dependency database (stored in /var/) get
 updated.
 
 In the vserver guest's fstab, I mount the per guest partition to /disk
 and overlay some bind-mounts for /var and some of the /etc directories
 (not the whole one!). For easy setups it's also ok to make symlinks from
 /etc to the var partition
 The only thing you must take care of, are updates that change the
 config-files syntax. It should be obvious that files on the per-guest
 config system (the cut-out parts of /etc and perhaps things in /var) are
 not updated. I use this setup for Webservers mainly, they are nearly
 equal so I just have a differing config for /etc/apache2, all network
 and hostname stuff is done from outside.
 
 If you have any questions don't mind to ask
 
 Oli
 
 
 
 