[Vserver] clone(..., CLONE_NEWNS) - -EPERM with 2.6.22.1-vs2.2.0.3-rc1

2007-08-03 Thread Enrico Scholz
Hi,

since 2.6.22-1-vs2.2.0.3-rc1, clone(..., CLONE_NEWNS) fails with
-EPERM. Previous kernels allowed this when the VXC_SECURE_MOUNT
ccap was set:

With 2.6.21.5-vs2.2.0-rc3:

| # vcontext --create -- vattribute --secure --ccap VXC_SECURE_MOUNT -- \
|   vcontext --migrate-self --endsetup -- vnamespace -n /bin/sh
| New security context is 49157
| sh-3.1# 



With 2.6.22-1-vs2.2.0.3-rc1:

| # vcontext --create -- vattribute --secure --ccap VXC_SECURE_MOUNT -- \
|   vcontext --migrate-self --endsetup -- vnamespace -n /bin/sh
| New security context is 49163
| vnamespace: clone(): Operation not permitted


strace before 'vnamespace' shows

| clone(child_stack=0, flags=CLONE_VFORK|CLONE_NEWNS|SIGCHLD) = -1 EPERM (Operation not permitted)


Setting all ccaps does not help.



Enrico
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
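A minimal reproducer for the failure above that does not depend on util-vserver, added here as an example and not part of the original report: it issues the same clone() that the strace shows (CLONE_VFORK|CLONE_NEWNS|SIGCHLD) and reports the errno, with a plain clone() as a control. Run it inside a context that holds VXC_SECURE_MOUNT; "ok" on the first probe and EPERM on the second is the reported regression. The result depends on the kernel and on the caller's privileges, so the program only reports what it observes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The child does nothing: the only question is whether the kernel let
 * clone() create it with the requested flags. */
static int child_fn(void *arg)
{
    (void)arg;
    return 0;
}

/* clone() with the given flags plus SIGCHLD (what vnamespace -n asks for),
 * then reap the child. Returns 0 on success, otherwise the errno value. */
int probe_clone(int flags)
{
    const size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);
    if (stack == NULL)
        return ENOMEM;
    /* on x86, x86-64 and ARM the stack grows down, so pass the top */
    pid_t pid = clone(child_fn, stack + stack_size, flags | SIGCHLD, NULL);
    int err = (pid == -1) ? errno : 0;
    if (pid != -1)
        waitpid(pid, NULL, 0);
    free(stack);
    return err;
}

int main(void)
{
    int plain = probe_clone(0);
    int newns = probe_clone(CLONE_VFORK | CLONE_NEWNS);

    printf("clone(SIGCHLD)                        : %s\n",
           plain ? strerror(plain) : "ok");
    printf("clone(CLONE_VFORK|CLONE_NEWNS|SIGCHLD): %s\n",
           newns ? strerror(newns) : "ok");
    /* EPERM on the second line, inside a context that holds
     * VXC_SECURE_MOUNT, is the behaviour reported above */
    return newns == 0 ? 0 : 1;
}
```

The control probe separates "clone() is blocked entirely" from "only the new mount namespace is refused", which is the distinction a kernel developer will ask about first.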


Re: [Vserver] Hashify 'etch' trouble?

2007-05-11 Thread Enrico Scholz
[EMAIL PROTECTED] (Corey Wright) writes:

> clean-up hash directory
> http://www.paul.sladen.org/vserver/archives/200609/0016.html

Can be written much shorter as

| find /vservers/.hash/ -links 1 | xargs rm -f
| find /vservers/.hash/ -type d  | xargs rmdir 2>/dev/null

(no need for '-0' flag)



Enrico




[Vserver] Relaxing the mount-nodev behavior

2007-05-06 Thread Enrico Scholz
Hi,

it would be nice when the current

| +   if (!capable(CAP_SYS_ADMIN))
| +   mnt_flags |= MNT_NODEV;

behavior can be relaxed a little bit.  I need it e.g. to bind-mount a
/dev filesystem into buildroots which will be created during runtime of
the vserver.

On first glance,

| +   if (!capable(CAP_SYS_ADMIN) &&
| +   !(flags & (MS_BIND|MS_MOVE)))
| +   mnt_flags |= MNT_NODEV;
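Review bot: the condition `!(flags & (MS_BIND|MS_MOVE))` is false for any flag word that contains MS_BIND, including `MS_REMOUNT|MS_BIND`, so the relaxation is not limited to a plain bind or move: a context that is allowed to remount can pass that combination and the forced MNT_NODEV is skipped for the remount as well. Test for MS_REMOUNT first (`(flags & MS_REMOUNT) || !(flags & (MS_BIND|MS_MOVE))`) and put a one-line comment above the `if` saying why bind and move are exempt (they attach an existing subtree rather than create a new filesystem), since the bare capability check gives a reader no hint.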

seems to have the wanted effect without lowering security.



Enrico


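A check to run from the host once a guest has been allowed to bind-mount on its own, added here as an example and not code from the kernel patch or from util-vserver: it parses the /proc/mounts format (one line per mount, `source mountpoint fstype options dump pass`, with spaces in paths encoded as `\040`) and reports which mounts below a guest root lack the per-mount `nodev` flag, i.e. the flag the quoted hunk forces for callers without CAP_SYS_ADMIN. The guest root and the sample lines are constructed for the example; the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode the octal escapes /proc/mounts uses in path fields ("\040" is a
 * space, "\011" a tab, "\134" a backslash). */
static void unescape(const char *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < outsz; i++) {
        if (in[i] == '\\' && i + 3 < len &&
            in[i + 1] >= '0' && in[i + 1] <= '7' &&
            in[i + 2] >= '0' && in[i + 2] <= '7' &&
            in[i + 3] >= '0' && in[i + 3] <= '7') {
            out[o++] = (char)(((in[i + 1] - '0') << 6) |
                              ((in[i + 2] - '0') << 3) | (in[i + 3] - '0'));
            i += 3;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* Split "source mountpoint fstype options dump pass" into the decoded
 * mountpoint and the options field. Returns 0 on a malformed line. */
static int parse_line(const char *line, size_t len,
                      char *mnt, size_t mntsz, char *opts, size_t optsz)
{
    const char *f[4];
    size_t fl[4];
    const char *p = line, *end = line + len;
    for (int i = 0; i < 4; i++) {
        while (p < end && *p == ' ') p++;
        f[i] = p;
        while (p < end && *p != ' ') p++;
        fl[i] = (size_t)(p - f[i]);
        if (fl[i] == 0) return 0;
    }
    unescape(f[1], fl[1], mnt, mntsz);
    unescape(f[3], fl[3], opts, optsz);
    return 1;
}

/* 1 if the comma-separated option list contains exactly opt. */
static int has_opt(const char *opts, const char *opt)
{
    size_t n = strlen(opt);
    for (const char *p = opts; *p; ) {
        size_t l = strcspn(p, ",");
        if (l == n && memcmp(p, opt, n) == 0) return 1;
        p += l;
        if (*p == ',') p++;
    }
    return 0;
}

static const char *next_line(const char *l)
{
    l += strcspn(l, "\n");
    return *l == '\n' ? l + 1 : l;
}

/* 1 if mountpoint is listed with opt, 0 if listed without it, -1 if absent. */
int mount_has_option(const char *mounts, const char *mountpoint, const char *opt)
{
    char mnt[4096], opts[4096];
    for (const char *l = mounts; *l; l = next_line(l))
        if (parse_line(l, strcspn(l, "\n"), mnt, sizeof mnt, opts, sizeof opts) &&
            strcmp(mnt, mountpoint) == 0)
            return has_opt(opts, opt);
    return -1;
}

/* Number of mounts at or below guest_root that lack opt; for "nodev" an
 * admin wants this to be 0 once a guest may bind-mount on its own. */
int count_mounts_without(const char *mounts, const char *guest_root, const char *opt)
{
    char mnt[4096], opts[4096];
    size_t rl = strlen(guest_root);
    int n = 0;
    for (const char *l = mounts; *l; l = next_line(l)) {
        if (!parse_line(l, strcspn(l, "\n"), mnt, sizeof mnt, opts, sizeof opts))
            continue;
        if (strncmp(mnt, guest_root, rl) == 0 && (mnt[rl] == '\0' || mnt[rl] == '/') &&
            !has_opt(opts, opt))
            n++;
    }
    return n;
}

/* Constructed sample (not taken from a real host): a guest root, its /dev,
 * a /dev bound into a buildroot without nodev, a path containing a space,
 * and a second guest whose name shares the prefix. */
const char sample_mounts[] =
    "/dev/mapper/vg-guest /vservers/guest ext3 rw,nosuid,nodev 0 0\n"
    "none /vservers/guest/dev tmpfs rw,nosuid,nodev,mode=755 0 0\n"
    "none /vservers/guest/buildroot/dev tmpfs rw,nosuid,mode=755 0 0\n"
    "none /vservers/guest/build\\040root tmpfs rw,nodev 0 0\n"
    "/dev/sda1 /vservers/guest2 ext3 rw,nodev 0 0\n";

int main(int argc, char **argv)
{
    static char buf[1 << 16];
    const char *text = sample_mounts, *root = "/vservers/guest";
    if (argc > 1) {                 /* with a guest root argument: live table */
        FILE *f = fopen("/proc/mounts", "r");
        size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
        if (f) fclose(f);
        buf[n] = '\0';
        text = buf;
        root = argv[1];
    }
    printf("%d mount(s) below %s without nodev\n",
           count_mounts_without(text, root, "nodev"), root);
    return 0;
}
```

Run without arguments it audits the sample; with a guest root as the argument it reads the live /proc/mounts of the namespace it runs in, so run it inside the guest's namespace (vnamespace -e) to see the guest's own mounts.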


Re: [Vserver] anybody has experience for Vserver on ARM

2007-05-02 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

> [EMAIL PROTECTED]:/work/test# strace -fF -o vcmd.trace ./vcmd
> syscall: unknown syscall trap 0xef000139

this might be/is an EABI issue


> unknown syscall should be a strace bug, I think. The
> basic failure is because of illegal instruction during
> vserver(num_cmd, num_id, data) syscall.
>
> well, the syscall trap looks fine, 313 is the syscall
> on arm and it seems that util-vserver uses the same
> implementation, so that should be fine too ...

no; it uses the traditional version.

fyi: ARM kernel can be built with two different ABIs (OABI and
EABI) which differ in structure alignment. EABI (which seems to be
used here) is relatively new and e.g. not supported by dietlibc
yet. Syscall conventions might be different too which is causing
the seen problems.



> CC: arm-angstrom-linux-gnueabi-gcc,
>   Use dietlibc: no (you have been warned)
>  syscall(2) invocation: traditional



Enrico




Re: [Vserver] Re: Vhashify segmentation fault

2006-03-30 Thread Enrico Scholz
[EMAIL PROTECTED] (Herve Guillemet) writes:

> There was some mail exchanges some month ago on the list between
> Enrico and Alberto about vhashify SIGSEGV on Debian x86_64. How did
> this end ? I seem to have the same problem:

Does 'make check' report errors for the hashcalc* tests? If so, somebody
with an x86_64 and Debian- and beecrypt knowledge should take a look at
src/testsuite/hashcalc-plain.c and see what is going wrong there.


Enrico




Re: [Vserver] Trying to create vserver on logical volume fails....

2006-03-04 Thread Enrico Scholz
[EMAIL PROTECTED] (Brian Ipsen) writes:

> I've created my own repo with Whitebox Enterprise Linux 4 - but when trying
> to add a vserver (for which a logical volume has been created and mounted in
> /vservers/vsrv01-mysql) I get this error:
> ...
>   | error: unpacking of archive failed on file /usr/bin/X11;42dd8791:

Caused by a bug in rpm. You will need a similar 'initpre' script like
those of FC4 and other RH variants.



Enrico




Re: [Vserver] Pseudo terminal proxy for util-vserver

2006-03-04 Thread Enrico Scholz
[EMAIL PROTECTED] (Benedikt Böhm) writes:

> With regard to the /dev/pts issue on vserver name enter i have ported
> the vlogin application from vserver-utils to util-vserver-0.30.210

Mmmh... without looking at the complete code, doing operations in the
shown order is insecure:


> + if (vc_ctx_migrate(opts.xid) == -1)
> + PEXIT("Failed to migrate to context", EXIT_COMMAND);
> + ...
> + if (chroot(".") == -1)
> + PEXIT("Failed to chroot to cwd", EXIT_COMMAND);
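Review bot: there is a window between the `vc_ctx_migrate()` call and the `chroot(".")` call in which the process already belongs to the guest context but is still rooted in the host's filesystem; anyone in the context who can ptrace it at that point inherits the host view. Do the `chroot(".")` (followed by `chdir("/")`) before the migrate and keep `vc_ctx_migrate()` as the last privileged step before the exec.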

Attacker in context could ptrace the process between both commands and
would get access to the host's /-filesystem.



Enrico




Re: [Vserver] Unifying Gentoo Guests

2006-02-25 Thread Enrico Scholz
[EMAIL PROTECTED] (Oliver Welter) writes:

> eergh - it seems that vunify does not support gentoo guest. Anyone
> here can help me out ?

Implementing the 'get-conffiles' operation for the 'gentoo' case in
'scripts/vpkg' should help. I do not know gentoo enough to develop it
myself.



Enrico




Re: [Vserver] How to vunify/vhashify on Gentoo

2006-01-22 Thread Enrico Scholz
[EMAIL PROTECTED] (Wilhelm Meier) writes:

> I'm using Gentoo as a host and also Gentoo as VPSs. If I try to
> vunify/vhashify two VPS, I get:
>
> gs vservers # ln -s /etc/vservers/vs01 /etc/vservers/vs01c/apps/vunify/refserver.00
>
> gs vservers # vserver vs01c unify
> Can not determine packagemanagement style
> failed to determine configfiles

Does vhashify/vunify really make sense on Gentoo? AFAIK, Gentoo does not
have package management and you have to recompile everything (which
will probably produce different checksums).

When you do a 'make install' from the same source tree, vhashify/vunify will
still not work because most 'make install' targets do not preserve timestamps.
But because timestamps are used to check whether files are identical, resp.
go into the calculation of the hash value, you will not gain very much
with vhashify/vunify on Gentoo.



Enrico




[Vserver] Virtualizing /proc/version

2006-01-04 Thread Enrico Scholz
Hello,

it would be nice when /proc/version could be virtualized (e.g. using
values from VCMD_set_vhi_name). Currently, it reveals information about
the real host (e.g. real os version, buildhost/-user).

Hiding /proc/version is not possible because some programs (e.g. 'pidof')
use it to check whether /proc is mounted.




Enrico




Re: [Vserver] Virtualizing /proc/version

2006-01-04 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

> it would be nice when /proc/version could be virtualized (e.g. using
> values from VCMD_set_vhi_name). Currently, it reveals information about
> the real host (e.g. real os version, buildhost/-user).
>
> hmm, looking at the code, I see:
>
> static int version_read_proc(char *page, char **start, off_t off,
>  int count, int *eof, void *data)
> ...
> const char vx_linux_banner[] =
> "Linux version %s (" LINUX_COMPILE_BY "@"
> LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") %s\n";

oops, I did not look exactly at it and did not notice that the
release is already virtualized.

But it would be nice when LINUX_COMPILE_BY/HOST and perhaps the compiler
and date would be virtualized/anonymized. I see two ways:

(a) an additional context-flag (e.g. VXF_ANONYMIZE) which sets:

* LINUX_COMPILE_BY @ LINUX_COMPILE_HOST to '[EMAIL PROTECTED]'
* the LINUX_COMPILER to: gcc __GNUC__ . __GNUC_MINOR__ . __GNUC_PATCHLEVEL__
* the date should not contain hours/minutes/seconds

(b) allow to configure the three entries above through new fields in
VCMD_set_vhi_name




Enrico


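Option (a) spelled out in user space, added here as an example and not the kernel change or Herbert's code: it takes a /proc/version line of the shape the quoted vx_linux_banner produces, keeps the (already virtualized) release, replaces builder@host with a fixed placeholder (root@localhost here, an assumption of the example), reduces the compiler string to "gcc" plus its dotted version, and drops the hh:mm:ss token from the build date. The sample banner is constructed and the function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded append of s[0..n) into out; *o tracks the write position. */
static void put(char *out, size_t outsz, size_t *o, const char *s, size_t n)
{
    for (size_t i = 0; i < n && *o + 1 < outsz; i++) out[(*o)++] = s[i];
    out[*o] = '\0';
}

/* p points at '('; return the position just past the matching ')',
 * honouring nesting such as "(gcc version 4.1.2 (Red Hat 4.1.2-13))". */
static const char *skip_group(const char *p)
{
    int depth = 0;
    for (; *p; p++) {
        if (*p == '(') depth++;
        else if (*p == ')' && --depth == 0) return p + 1;
    }
    return NULL;
}

/* 1 if tok[0..n) looks like hh:mm:ss (digits with exactly two colons). */
static int is_clock(const char *tok, size_t n)
{
    int colons = 0;
    for (size_t i = 0; i < n; i++) {
        if (tok[i] == ':') colons++;
        else if (!isdigit((unsigned char)tok[i])) return 0;
    }
    return n >= 5 && colons == 2;
}

/* Rewrite "Linux version R (who@host) (compiler ...) #N ... date" into
 * "Linux version R (root@localhost) (gcc X.Y.Z) #N ... date-without-time".
 * Returns 0, or -1 if the banner does not have that shape. */
int anonymize_version(const char *in, char *out, size_t outsz)
{
    const char *who = strchr(in, '(');
    const char *after_who = who ? skip_group(who) : NULL;
    const char *cc = after_who ? strchr(after_who, '(') : NULL;
    const char *after_cc = cc ? skip_group(cc) : NULL;
    if (!after_cc) return -1;

    size_t o = 0;
    out[0] = '\0';
    put(out, outsz, &o, in, (size_t)(who - in));            /* "Linux version R " */
    put(out, outsz, &o, "(root@localhost) (gcc", 21);        /* placeholder identity */
    const char *v = strstr(cc, "version ");                  /* first dotted number */
    if (v && v < after_cc) {
        v += 8;
        size_t n = 0;
        while (isdigit((unsigned char)v[n]) || v[n] == '.') n++;
        if (n) { put(out, outsz, &o, " ", 1); put(out, outsz, &o, v, n); }
    }
    put(out, outsz, &o, ")", 1);
    for (const char *p = after_cc; *p; ) {                   /* rest, minus the clock */
        p += strspn(p, " \n");
        size_t n = strcspn(p, " \n");
        if (n == 0) break;
        if (!is_clock(p, n)) { put(out, outsz, &o, " ", 1); put(out, outsz, &o, p, n); }
        p += n;
    }
    return 0;
}

/* Constructed banner in the format the quoted vx_linux_banner prints. */
const char sample_version[] =
    "Linux version 2.6.22.1-vs2.2.0.3-rc1 (builder@buildhost.example.org) "
    "(gcc version 4.1.2 20070626 (Red Hat 4.1.2-13)) #1 SMP Fri Aug 3 10:11:12 CEST 2007\n";
char banner_out[256];

int main(void)
{
    if (anonymize_version(sample_version, banner_out, sizeof banner_out) != 0)
        return 1;
    printf("%s%s\n", sample_version, banner_out);
    return 0;
}
```

Programs such as 'pidof' only need the file to exist and to start with "Linux version", which this output preserves; the compiler version survives because it is the one field an administrator may still need for module builds.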


Re: [Vserver] When to mount lvm? (vs2.0)

2005-12-13 Thread Enrico Scholz
[EMAIL PROTECTED] (Lars Braeuer) writes:

> I'm not sure where to mount an LVM2 device with vs2.0.  I do
> not want to mount it on system boot, but when starting the
> guest vserver.
>
> The fstab file in the vserver config directory seems to be the right place.
>
> But when including an entry like this in the fstab file, the mount
> won't show up in the hostsystem and will not be accessible via the
> mount point in the /vservers directory:
> /dev/mapper/vg-test01   /   ext3 defaults   1 2

I would recommend to do physical mounting in the host's /etc/fstab
and bind-mount it in the vserver's fstab. E.g.

| [/etc/fstab]
| /dev/mapper/vg-test01   /srv/mnt/test01   ext3 defaults   1 2

| [/etc/vservers/.../fstab]
| /srv/mnt/test01/   none   bind


This gives the advantage that the partition will be fsck'ed
during the regularly system boot and that you can share it
between multiple vservers ('mount' is allowed only once per
physical partition but you can 'mount --bind' multiple times).


 But I'm able to enter the vserver with vserver test01 enter,
 weird.

Expected namespace behaviour...



Enrico




Re: [Vserver] Problem with shutdown

2005-12-07 Thread Enrico Scholz
[EMAIL PROTECTED] (Roché Compaan) writes:

> Squid takes longer than most processes to stop, and this seems be a
> problem when stopping a vserver:
> ...
> Stopping proxy server: (waiting.../usr/sbin/vserver: line
> 85: 20939 Killed  [EMAIL PROTECTED] ${USE_VNAMESPACE:
> +$_VNAMESPACE --enter $S_CONTEXT -- } $_VCONTEXT $SILENT_OPT --migrate
> --chroot --xid $S_CONTEXT -- [EMAIL PROTECTED]
>
> Is the stop script experiencing a timeout and if so, is there a
> setting one can change to let it wait until squid has stopped
> completely?

E.g.

# echo 60 > /etc/vservers/www-cache/apps/vshelper/sync-timeout

increases the timeout from 30 to 60 seconds.


Enrico




Re: [Vserver] vserver-build

2005-12-05 Thread Enrico Scholz
[EMAIL PROTECTED] (John Francis Lee) writes:

> [EMAIL PROTECTED] ~]# vserver dns build -m yum
> ...
> Execution will continue in 5 seconds...
> ...
> The process hangs after the 5 seconds message

Does it really hang or does it download the repository metadata?
Can be e.g. checked with 'netstat' or 'df'...




Enrico


Re: [Vserver] PPC build failure of util-vserver

2005-11-23 Thread Enrico Scholz
[EMAIL PROTECTED] (Enrico Scholz) writes:

> two check of util-vserver 0.30.209 are failing on a PPC machine...
>
> | /bin/sh: line 1: 18778 Killed  ensc_use...

ok, seems to be caused by a bug in the kernel elf loader

 http://bugzilla.kernel.org/show_bug.cgi?id=5645

which affects all platforms but gets triggered under some
circumstances only.




Enrico


Re: [Vserver] unregister_netdevice errors with 2.6.14-vs2.0.1-pre3-prelim

2005-11-13 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

> my VPN VServer do not work anymore with 2.6.14-vs2.0.1-pre3-prelim
> kernels. There, I get
>
> | unregister_netdevice: waiting for tun50 to become free. Usage count = 1
> ...
> could you check if this patch fixes the issue for you?
>
> http://vserver.13thfloor.at/Experimental/FOR-2.0.1/delta-indev-fix01.diff

thx; 2.6.14.2-vs2.0.1-rc2 (which contains this change) works without
problems.



Enrico


Re: [Vserver] vserver-copy deprecated?!

2005-11-12 Thread Enrico Scholz
[EMAIL PROTECTED] (Jens Holze) writes:

> I just realised that there is this copy program among the utils but it
> doesn't work (obviously because of the changes since the alpha, looks
> for .conf file). While copying the servers is not hard to do manually,
> is somebody actually working on this tool or is it going to vanish?

As Herbert wrote, it will be probably superseded by 'vserver ... copy'.
But before implementing this functionality I need an API to change the
configuration data.

Such an API is very high on my priority list but I do not have an ETA.



Enrico


Re: [Vserver] Vhashify segmentation fault

2005-11-12 Thread Enrico Scholz
[EMAIL PROTECTED] (alberto) writes:

> I finally had time to test vhasify on an i386 with valgrind, attached
> is the output. Same debian source package as I used for x86_64 and
> same options (added beecrypt2{,-dev} to dependencies so pbuilder
> builds it with vhashify).

Using 'valgrind' on the 'hashcalc' test would probably make more sense
than running it on the whole 'vhashify'.

You could do:

| ./libtool --mode=execute valgrind --tool=memcheck ./src/testsuite/hashcalc INSTALL SHA-1

which should print

aa/7a/adc343319437b8cf0a71345506d2d3e8cc43




Enrico


[Vserver] unregister_netdevice errors with 2.6.14-vs2.0.1-pre3-prelim

2005-11-06 Thread Enrico Scholz
Hello,

my VPN VServer does not work anymore with 2.6.14-vs2.0.1-pre3-prelim
kernels. There, I get

| unregister_netdevice: waiting for tun50 to become free. Usage count = 1

like errors and every netdevice related operation (e.g. 'ip route show')
gets stuck in 'D' state.

Exactly the same setup works with 2.6.13.4-vs2.0.1-pre2.


Some details about the VPN server:

* NET_ADMIN + NET_RAW bcapabilities
* ~hide_netif cflags
* one normal ip
* openvpn-2.0.2 (I know... a little bit old...)




Enrico


Re: [Vserver] Error when creating centos min vserver

2005-11-02 Thread Enrico Scholz
[EMAIL PROTECTED] (Peter McGregor) writes:

> [EMAIL PROTECTED] ~]# yum --version
> 2.4.0

Try to apply

  
http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/scripts/vyum-worker.diff?r1=1.5&r2=1.6

(not in 0.209). yum-2.4 problems were easier to solve than I thought... ;)




Enrico


Re: [Vserver] PPC build failure of util-vserver

2005-11-01 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

> as you can see in
>
> http://buildsys.fedoraproject.org/logs/fedora-development-extras/349-util-vserver-0.30.209-2.fc5/ppc/build.log
>
> two check of util-vserver 0.30.209 are failing on a PPC machine.
> ...
> http://vserver.13thfloor.at/Stuff/MANDRAKE/util-vserver-0.30.209-1mdk.src.rpm
>
> involves just a small patch which disables the addr_limit_3gb tests,
> as they did never work on mandrake (because of the missing flag)

should not be relevant here ('cflags' testcase does not use this flag)

> PASS: lib/testsuite/cflags
> PASS: lib/testsuite/personality
> ...
> and compiled fine (and works fine) on my ppc laptop
>
> maybe it is a compiler/fc* issue?

I added some more debugging (giving out line numbers) and at least the
'personality' testcase succeeded... OOM killer does not seem to be it
neither. New build at

  
http://buildsys.fedoraproject.org/logs/fedora-development-extras/415-util-vserver-0.30.209-3.fc5/ppc/build.log

gives me the binaries which are available at

  http://ensc.de/vserver/cflags
  http://ensc.de/vserver/personality


They are running fine in 'qemu-ppc' but I am not sure if qemu is
working. It would be nice when the two programs above can be tested
on a native box (statically linked, run as non-root).



TIA
Enrico


[Vserver] PPC build failure of util-vserver

2005-10-31 Thread Enrico Scholz
Hello,

as you can see in

   
http://buildsys.fedoraproject.org/logs/fedora-development-extras/349-util-vserver-0.30.209-2.fc5/ppc/build.log

two check of util-vserver 0.30.209 are failing on a PPC machine. AFAIR
same happened once for 0.30.208 but succeeded suddenly.  Unfortunately,
I do not have such a machine available to trace the problems, and the
code seems ok for me. I do not know much about PPC, but

| /bin/sh: line 1: 18778 Killed  ensc_use...

on i386/x86_64 would indicate problems with the OOM kernel killer.


It would be nice when somebody with a PPC box could repeat the checks
('make check') and look where and why they are failing. Dunno, whether
gdb works but place of error can be determined by adding something like

| printf("%s:%u\n", __FILE__, __LINE__)

to lib/testsuite/personality.c below the variable declarations of the
TEST_PF2T() and TEST_LIST() macros. Single checks can be repeated by

| $ make check   # generates the binaries
| $ ./lib/testsuite/personality  # should not cause any output
| $ gdb ./lib/testsuite/personality



TIA
Enrico




Re: [Vserver] Vhashify segmentation fault

2005-10-30 Thread Enrico Scholz
[EMAIL PROTECTED] (alberto) writes:

> Mmmm, so it could be a beecrypt2 problem... right?
> I'll try installing from non-debian sources util-vserver and beecrypt
> to see what happens. The hash belongs to a real executable though
> (according to file hash_file), not sure which executable but
> something to do with mount (my guess from the strings it contains).
>
> I will add some testcases to localise the problem. But because I can not
> reproduce this behavior on my system, I can not tell a solution now.
>
> I would appreciate :)

ok; please do a 'make check' with 0.30.209 and see if 'hashcalc.sh'
succeeds. You can do

| ./src/testsuite/hashcalc Makefile.am SHA-1

also, which should output the same hash like 'sha1sum Makefile.am'


> valgrind could give some more information perhaps; I guess a gdb
> stacktrace will not be very meaningful.
>
> Darn! no amd64 package for valgrind. I guess the i386 version won't
> help much debugging 64bit executables

you mentioned that it happens on an i386 also so tests with valgrind
could be done there also.




Enrico


Re: [Vserver] gentoo util-vserver -r5 problem

2005-10-30 Thread Enrico Scholz
[EMAIL PROTECTED] (Chuck) writes:

> phoenix rio # /etc/init.d/vservers start
>  * Unhiding /proc entries ...
>  [ ok ]
>  * Starting vservers of type 'default' ...
> *  ns1 starting
> make: *** No rule to make target `..stamp', needed by `.ns2.stamp'.
> make: Target `all' not remade because of errors.

Please test it again with 0.30.209; I added some more diagnostics there
and fixed behavior with empty or comment lines. 0.30.208 contained a bug
but it should affect 'stop' only.



Enrico


Re: [Vserver] vhashify

2005-10-24 Thread Enrico Scholz
[EMAIL PROTECTED] (Thorsten Gunkel) writes:

> In general this works great, but I had once or twice the problem
> that a service stopped working because it could not longer write to
> its files. Now I like to exclude the affected directory from the
> vhashify.  http://linux-vserver.org/alpha+util-vserver mentions
> that this is possible but I don't understand how to exclude for
> example /var/data1 from vserver foo2.

1. /var is excluded by default

2. you can set up your own exclude list under

   | /etc/vservers/name/apps/vunify/exclude

   Be very careful when writing this list; it will completely
   override the default exclude list at

   | /usr/lib/util-vserver/defaults/vunify-exclude

   I suggest to copy the default list and add your files.




Enrico


Re: [Vserver] Vhashify segmentation fault

2005-10-23 Thread Enrico Scholz
[EMAIL PROTECTED] (alberto) writes:

> I'm running debian sarge on amd64 (though I can reproduce the problem
> on another machine running on i386). Custom built debian package for
> util-vserver-0.30.208-fix2 with beecrypt2 enabled
> ...
> lstat(/etc/vservers/.defaults/apps/vunify/hash/0/04/00/50805000-,
>  0x7fc6c8b0) = -1 ENOENT (No such file or directory)

this looks already strange... a hash value with so much '0' is highly
improbable...

I will add some testcases to localise the problem. But because I can not
reproduce this behavior on my system, I can not tell a solution now.


> ...
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
>
> Could give more outputs to/and help track down this bug(?).

valgrind could give some more information perhaps; I guess a gdb
stacktrace will not be very meaningful.




Enrico


Re: [Vserver] Done with building guest server on FC4 and now what?

2005-10-14 Thread Enrico Scholz
[EMAIL PROTECTED] (Steven Truong) writes:

> 1. I already got FC4 built with yum method, but then within the guest server
> I could not find yum command anywhere despite having the /etc/yum.repos.d/*
> in place. The guest server does not have anything beside syslog running.
> ...
> 3. Could somebody outline the steps neccessary to set up the guest server to
> be useful in some services after one built it?

It depends on the wanted functionality; for a webserver, a good start
would be

| vyum vservername -- install httpd mod_ssl



Enrico


Re: [Vserver] Vserver: Newbiew question regarding public key for tzdata is not installed

2005-10-12 Thread Enrico Scholz
[EMAIL PROTECTED] (Steven Truong) writes:

> Hi, all. After following the advices from some experts here to
> use yum method instead of apt-rpm. I updated yum-2.4.0.0 to
> yum-2.4.0-0.chroot.fc4.
>
> However, I got this error of public key for tzdata is not
> installed error.

GPG keys are searched in /etc/vserver/.distributions/.common/pubkeys/
(the reference spec file and util-vserver in Fedora Extras has the
corresponding commands to copy the known keys to this location).

To fix it, you could do

| cp -a /etc/pki/rpm-gpg/RPM* /etc/.distributions/.common/pubkeys/



Enrico




Re: [Vserver] Unexpected behaviour with bind mounts

2005-10-08 Thread Enrico Scholz
[EMAIL PROTECTED] (Jim Wight) writes:

> I am seeing odd behaviour with bind mounts. For example, if I specify
>
>   mount --bind /tmp /vservers/tkt/opt
>
> in pre-start, and

Be very careful when doing such stuff (resp. make sure that the vserver
is trusted). Else, an attacker within the vserver can cause execution of
arbitrary commands in the host...

(hint: think of a symlink /vservers/tkt/opt -> /bin)


>   umount /vservers/tkt/opt
>
> in post-stop (or postpost-stop),

* these scripts are NOT executed within the vserver namespace so
  /vservers/tkt/opt is not mounted at this place

* there is not much need for an explicit unmount; when the last process
  of the vserver/context dies, the namespace will not be referenced
  anymore and an implicit unmount happens




Enrico




Re: [Vserver] Vserver newbie: problems when build guest server on FC4

2005-10-06 Thread Enrico Scholz
[EMAIL PROTECTED] (Steven Truong) writes:

> Hello, all.  I am a vservers newbie.  I have tried to setup vservers
> and learn more about it.  I have FC4 x86 with kernel 2.6.12.  I
> applied the patch-2.6.12.4-vs4 to the vanilla kernel.  I also
> installed dietlibc-0.29, beecrypt-4.1.2-8, and util-vserver-0.30-208.
> The Linux box has gcc 4.0.1.  I changed
> /etc/vservers/.distributions/fc4/apt/source.list to include only:
> rpm http://download.fedora.us/fedora/fedora latest/i386 os updates

This points to an FC2 repository...

> I tried to build a guest server with this command:
> vserver lanweb build -m apt-rpm --hostname=lanweb --netdev eth0 -- -d fc4

... and this indicates that you expect FC4


> Everything went smoothly until after all the rpms got downloaded and
> started to install.  These are the start of the errors.
> ...
> Header V3 DSA signature: NOKEY, key ID 731002fa
> Preparing...### [100%]
>    1:bash   ### [  2%]
> /bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
> open shared object file: No such file or directory
> error: %post(bash-2.05b-38.i386) scriptlet failed, exit status 127
> ...
>   15:libtermcap ### [ 35%]

this indicates some dependency problem in the packages (e.g. circular
deps, insufficient Requires(pre) annotations). So, 'libtermcap' (with
libtermcap.so.2) will be installed after the packages which are using
it in their %post scriptlets.


> /bin/sh: error while loading shared libraries: libtermcap.so.2: cannot
> open shared object file: No such file or directory
> error: %pre(coreutils-5.2.1-7.i386) scriptlet failed, exit status 127
> error:   install: %pre scriptlet failed (2), skipping coreutils-5.2.1-7

%pre of coreutils failed so its installation will be skipped...


>   38:sysklogd   ### [ 88%]
> /var/tmp/rpm-tmp.55110: line 4: touch: command not found
> /var/tmp/rpm-tmp.55110: line 5: chmod: command not found

... and tools like 'touch' and 'chmod' are missing


> It seemed like the package termcap did not work with the rest of
> the packages and so others can not access and share it.  Could
> you tell me how to fix this?  And why suddenly touch/chown/chmod
> could not be found when they are actually in the PATH?  Could
> you tell me how to fix this or any recommendations of what to
> build at this point instead of FC4 for my current settings?

'apt-rpm' is nearly dead and I am not aware of apt repositories
for recent Fedora distributions. You could create your own repo
and test whether it works (things above look like packaging
errors which might be fixed in the meantime).

Or you could try 'yum', but it is unconfigurable and makes stupid
assumptions without providing ways to turn them off, so it is
difficult to use in chroot environments. So you have to apply a
patch to make it work properly.




Enrico




Re: [Vserver] Vserver newbie: problems when build guest server on FC4

2005-10-06 Thread Enrico Scholz
[EMAIL PROTECTED] (Guenther Fuchs) writes:

> So I would recommend using yum - this works very fine here (as long as
> you ensure not using yum version 2.3 and _not_ 2.4 - later version
> breaks compatibility with Enrico's util-vserver tools)

Please try the patch from the contrib/ dir (the 2.3.4 one applies to 2.4
also). I built lots of FC4 vservers on FC4 hosts so it seems to work ;)



Enrico




Re: [Vserver] Vserver newbie: problems when build guest server on FC4

2005-10-06 Thread Enrico Scholz
[EMAIL PROTECTED] (Guenther Fuchs) writes:

> Please try the patch from the contrib/ dir (the 2.3.4 one applies to 2.4
> also). I built lots of FC4 vservers on FC4 hosts so it seems to work ;)
>
> Hmmm - found the patch but no real explanation on how to use it / i.e.
> what files to patch?! Is this files to patch a yum source build tree?
> If yes, most FC users would be happy, if someone (e.g. myself) could
> supply a rpm package of recent, patched yum to use.
>
> So pls give me short assistance, I then could rebuild a patched rpm
> and supply this back for the communtiy.

Just apply the attached patch against yum.spec (patch is for the devel
tree but it should be trivial to adapt it to FC-4).



Enrico
Index: yum.spec
===
RCS file: /cvs/dist/rpms/yum/devel/yum.spec,v
retrieving revision 1.51
diff -u -p -r1.51 yum.spec
--- yum.spec	4 Oct 2005 14:49:07 -	1.51
+++ yum.spec	6 Oct 2005 16:21:51 -
@@ -3,7 +3,7 @@
 Summary: RPM installer/updater
 Name: yum
 Version: 2.4.0
-Release: 5
+Release: 5.chroot
 License: GPL
 Group: System Environment/Base
 Source0: http://linux.duke.edu/projects/yum/download/2.4/yum-%{version}.tar.gz
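Review bot: the `Release` bump to `5.chroot` comes without a `%changelog` entry anywhere in this diff, so nothing in the built package records that it carries `yum-2.3.4-chroot.patch`; add a changelog line giving the reason for the `.chroot` suffix.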
@@ -23,6 +23,7 @@ Requires: urlgrabber
 Requires: python-elementtree
 Prereq: /sbin/chkconfig, /sbin/service, coreutils
 BuildRoot: %{_tmppath}/%{name}-root
+Patch99: yum-2.3.4-chroot.patch
 
 %description
 Yum is a utility that can check for and automatically download and
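Review bot: `Patch99: yum-2.3.4-chroot.patch` names a file that this diff does not add, so `rpmbuild` stops in `%prep` unless the patch is first copied from util-vserver's contrib/ directory into SOURCES next to the spec; that step should be stated together with the spec change.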
@@ -38,6 +39,7 @@ automatically prompting the user as nece
 %patch2 -p0 -b .sqlbyname
 %patch3 -p0 -b .lists
 
+%patch99 -p1 -b .chroot
 %build
 make
 
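Review bot: the added `%patch99 -p1 -b .chroot` line sits directly above `%build` and removes the blank line that separated `%prep` from `%build`; keep a blank line after it. It also uses `-p1` while `%patch2` and `%patch3` use `-p0`, so the strip level has to match the directory depth the chroot patch was generated with.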




Re: [Vserver] what am i doing wrong with vserver exec?

2005-10-04 Thread Enrico Scholz
[EMAIL PROTECTED] (Stephen Harris) writes:

> /usr/sbin/vserver prometheus exec /bin/rm -f /var/spool/qmailscan/quarantine/new/*
> ...
> However, why not just use the host to remove the files?

Because of symlinks like

| /vservers/prometheus/var/spool/qmailscan/quarantine/new -> /etc

or an other filesystem layout because of different namespaces.


The security relevant part of the first issue can be worked around by
tools like 'chroot-sh' and the second issue by 'vnamespace -e'. But
'vserver ... exec' is cleaner and solves the functionality relevant
part of the first issue also.


>   /bin/rm -f /vservers/prometheus/var/spool/qmailscan/quarantine/new/*




Enrico




Re: [Vserver] build -m rpm does not work

2005-09-05 Thread Enrico Scholz
[EMAIL PROTECTED] (Jun OKAJIMA) writes:

> I installed util-vserver-0.30.208 from tar ball and succeeded
> to compile it on my Debian Sarge box. And vserver start/enter
> and build -m debootsrap work.
>
> But, build -m rpm and vhashify does not work.

(I assume you mean '-m apt-rpm' here as it is used below, and in
the age of apt and yum there is not much need for the '-m rpm'
method).


> BTW, I found that distrib/* know what is essential for each
> distribution.  I want to know the basis of them.

Essential means the package(s) which are essential for the
functionality of the vserver. Without further information, this
is only stuff like coreutils or glibc; depending on the purpose
of the vserver, you can add things like httpd or samba or ...

There is no need to put a full closure of the dependencies into
'rpmpriorities' or the package-lists; apt/yum will resolve the
deps automatically and you will not run into problems with changed
dependencies on updated packages.


 I mean, for example, distrib/suse91 shows aaa_base.rpm is only
 file to be essential,

I am not familiar with SUSE and used 'aaa_base' only as it
sounds like a basic requirement. ;)


 No dynamically linked rpm binary found; exiting...

rpm based build-methods do not work without a dynamically linked
rpm binary in your $PATH.


 rm -rf /usr/local/etc/vservers/.defaults/vdirbase/101 
 /usr/local/etc/vservers/101 
 /usr/local/etc/vservers/.defaults/vdirbase/.pkg/101
 [EMAIL PROTECTED]:/# vserver 102 hashify
 'vserver ... suexec' is supported for running vservers only; aborting...
 failed to determine configfiles

When using internal package management (this is the default with
'-m debootstrap'), the vserver must be running to determine the
configfiles. This is recommended for external package management
also because mounted filesystems are not visible otherwise.




Enrico




Re: [Vserver] can not deactivate any block device with running vserver 2.0

2005-08-18 Thread Enrico Scholz
[EMAIL PROTECTED] (lukas.rueegg [pixworx multimedia]) writes:

   c) using the cleanup feature we added to the kernel
  (please discuss this with Enrico)
 enrico, we read your talk with sam and others in november '04 but didn't
 get any hints about the current status. is there any way of cleaning up
 a new namespace in the pre-start-script or generally for all namespaces
 available?

 at the moment, we are playing around with the pre-start-scripts, until
 now unsuccessfully...

atm, manual unmounting in the *pre-start script will be the best
choice. The architecture of the 'vserver' script does not allow
automatic cleanup. Perhaps I will add some logic determining and
unmounting removable devices but this will be more a hack than a
clean solution.

I am thinking about a daemon doing the vserver startup; this daemon
could be started very early, lives in its own namespace and would not be
affected by changes in the main-namespace. But this daemon does not have
a big priority...



Enrico




Re: [Vserver] Re: util-vserver 0.30.208 debs?

2005-08-16 Thread Enrico Scholz
[EMAIL PROTECTED] (Karsten Horsmann) writes:

 Somebody should report it at the Debian bugtracking system.

 Would be this Report enough?
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320425

it seems to be the same issue, but I do not know if this report
is enough ;)



Enrico




Re: [Vserver] vs2.0 and Fedora Core 3

2005-08-16 Thread Enrico Scholz
[EMAIL PROTECTED] (Roderick A. Anderson) writes:

 I've followed the instructions for FC3 --
 http://linux-vserver.org/FedoraCore3_HowTo --

Version number of util-vserver (0.30.205) is a little bit low in this
HowTo; there should be native support for fc3 in recent versions (see
point 8).


 only deviating where versions are different and with the addition of
 getting a known good .config ( from the OpenVPS site ) to build the
 vserver kernel.

 When I get to building a new guest I keep getting the error about not 
 finding glibc ( this using the '-m apt-rpm' switch ).

This is probably caused by an outdated sources.list in
/etc/vservers/.distributions/fc3/apt/sources.list so that the apt
repository can not be found. It is possible also that the repository is
incomplete or inconsistent.

Maintaining all this meta-information about the distributions (apt + yum
repositories) becomes hard and I am not sure what I will do regarding
them. Perhaps they will be outsourced into a separate package which can
be updated more often.


 After reading _much_ more I've found the vserver-build.yum script and am
 attempting to build a guest as I type.  This just completed but I got lots
 of warnings about an insecure yum.

Building the vserver will succeed but it will not be possible to use an
unmodified 'vyum' with a running vserver. Unfortunately, 'yum' does not
provide enough options to work around this without patches :(


 With a solution of applying some patches and rebuilding or pestering
 the author to do it.

 Now when I try vserver-stat I get a warning about procfs-security.
 Using the link and following through I get the impression this should
 not be happening with with the 2.6 kernel and vs2.0.

'vprocunhide' (or executing vc_set_iattr(2) manually) *is* required.  The
reference rpm (which is mentioned in the howto above also) should register
this script so it gets executed at the next boot automatically.


 Sorted that out with vprocunhide but now getting an error about 
 /etc/rc.d/rc and level 3 ...

 The fix -- to append true to the end of the file didn't work.

The exact message (above the general hints) would be interesting.




Enrico




Re: [Vserver] Re: util-vserver 0.30.208 debs?

2005-08-15 Thread Enrico Scholz
[EMAIL PROTECTED] (Harald Kapper) writes:

It was really trivial (5 min) to take the 207 and make 208 debs.  I've
posted my source packages at http://www.complete.org/~jgoerzen/vs/ for
anyone that wants them.

They include fix1.

 thanks for the dsc - one odd thing came up through building -
 it claimed (though installed) that beecrypt couldn't be found

Seems to be a bug in the Debian beecrypt library. Somehow, functions
which can be optimized were not built for i386. E.g. the error seen
(beecrypt not detected) is caused by things like

| /usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/libbeecrypt.so: undefined reference to `mppndiv'

Indeed, [1] does not define it but non-i386 archs (e.g. [2]) or
non-Debian libraries contain this function:

| $ nm -D usr/lib/libbeecrypt.so.6.4.0 | grep mppndiv
|  U mppndiv
| $ file usr/lib/libbeecrypt.so.6.4.0 
| usr/lib/libbeecrypt.so.6.4.0: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped


| $ nm -D usr/lib/libbeecrypt.so.6.4.0 | grep mppndiv
| 000124a4 T mppndiv
| $ file usr/lib/libbeecrypt.so.6.4.0 
| usr/lib/libbeecrypt.so.6.4.0: ELF 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV), stripped


Somebody should report it at the Debian bugtracking system.



Enrico

Footnotes: 
[1]  
ftp://ftp.debian.org/debian/pool/main/b/beecrypt/libbeecrypt6_4.1.2-1_i386.deb
[2]  
ftp://ftp.debian.org/debian/pool/main/b/beecrypt/libbeecrypt6_4.1.2-1_powerpc.deb




Re: [Vserver] vs2.0 and the tools

2005-08-11 Thread Enrico Scholz
[EMAIL PROTECTED] (Roderick A. Anderson) writes:

 I went ahead and started building the utils as RPMs and ran
 into a couple of dependency issues.  This is probably more an
 Enrico question.

 Why tetex-latex?  Is it  Redhat ( RPM ) build-documentation
 requirement?

It is only a build-requirement and used to build the API doc of
the library. I never tried whether it builds with '--nodeps'
also.


 Why xalan-j ( Java? )  Is this also a Redhat-ism?

Can be disabled by '--without xalan' at rpmbuild.



Enrico




Re: [Vserver] running old style vservers on vs2.0-rc

2005-08-09 Thread Enrico Scholz
[EMAIL PROTECTED] (Dariush Pietrzak,,,) writes:

 legacy configuration does not have a big future and *would*
 need security fixes first, this has a very low priority.
  What security fixes?

Oh... where shall I begin? Basically, the filesystem operations
are full of races and contain enough opportunities for symlink
attacks.  Fixes would need the redesign of large parts of the
legacy tools. The non-legacy part of util-vserver is the result of
this redesign and I am sure that symlink attacks are impossible
and races were eliminated there ;)

(The 'initpost' script of RH style vservers is an exception...)




Enrico




Re: [Vserver] running old style vservers on vs2.0-rc

2005-08-09 Thread Enrico Scholz
[EMAIL PROTECTED] (Dariush Pietrzak,,,) writes:

  legacy configuration does not have a big future and *would*
  need security fixes first, this has a very low priority.
   What security fixes?
 
 Oh... where shall I begin? Basically, the filesystem operations
 are full of races and contain enough opportunities for symlink
  I'm not sure I follow, what filesystem operations, reading of
 configuration?

Code like

|   mkdir -p $1/proc $1/dev/pts
|   mount -t proc none $1/proc
| 
|   rm -f `find var/run -type f`
|   rm -f  var/lock/subsys/*
| 
|   exec $_CHBIND $SILENT $IPOPT --bcast $IPROOTBCAST \
|   $_CHCONTEXT_COMPAT $SILENT $FLAGS $CAPS --secure --ctx $S_CONTEXT \
|   $_CAPCHROOT --suid $USERID . $@

(this enumeration is far from complete; just look
into the legacy 'vserver' script and you will find more of these
examples).



Enrico




Re: [Vserver] Feature Request: comment char in VS20/new-style

2005-08-08 Thread Enrico Scholz
[EMAIL PROTECTED] (Andreas John) writes:

 I wanted to create commented version of /etc/vservers/foo/flags,
 but I was not able to find the right char for commenting out a line,
 neither # nor ; worked  even // was not the solution.

Sorry; bug in util-vserver. Afair, somebody else mentioned it already
but I lost track of it.

Should be now really fixed in CVS.


 I suspect the is at the time no way to comment out in new-style
 format?

No; but '# .. comment ...' should work in 0.30.209+.


Enrico




Re: [Vserver] running old style vservers on vs2.0-rc

2005-08-08 Thread Enrico Scholz
[EMAIL PROTECTED] (Bert De Vuyst) writes:

 During some tests with the vserver 2.0-rc, I did have a problemen running 
 vservers with a old style configuration. The vservers do run fine, but the 
 vserver utils (vps, vserver-stat) can't display the vserver it's name.

 I run 2 vservers in the next example.
 testserv1 uses the new style config (and context 14),
 testserv2 uses the old style config (and context 27),

 When I run vserver-stat, I get net next output:

 CTX   PROCVSZRSS  userTIME   sysTIMEUPTIME NAME
 0   68 247.9M   6.5K  30m57s73  13m10s83   7d05h34 root server
 14   7  14.4M   1.5K  30m41s50  52m36s55   6d47h03 testserv1
 27   9  34.1M   2.9K   0m00s12   0m00s00   0m09s70

The XID -> name mapping is not implemented for legacy configurations. As
legacy configuration does not have a big future and *would* need security
fixes first, this has a very low priority.




Enrico




Re: [Vserver] vserver build and no rpm displayed..

2005-08-08 Thread Enrico Scholz
[EMAIL PROTECTED] (Jean-Christophe Petit) writes:

 2.6.12.3-vs2.0-rc9 with util-vserver-0.30.208 under CentOS 4
 followed the http://linux-vserver.org/CentOS_HowTo

 when in the vserver, rpm -qa gives nothing.

Expected; external package management is used by default which holds the rpm
database outside of the vserver. When you *really* need it, 'vserver
... pkgmgmt internalize' should copy it into the vserver so that 'rpm
-q' works there. But for most vserver types, the external management
should suffice.


 I have the /.rpmdb/ in place with files inside:
 bash-3.00# ls -la /.rpmdb/
 total 504
 drwxr-xr-x   2 root root4096 Aug  3 05:12 .
 drwxr-xr-x  22 root root4096 Aug  3 05:04 ..
 -rw-r--r--   1 root root   16384 Aug  3 05:08 __db.001
 -rw-r--r--   1 root root 1318912 Aug  3 05:08 __db.002
 -rw-r--r--   1 root root  450560 Aug  3 05:08 __db.003
 -rw-r--r--   1 root root   12288 Aug  3 05:12 Group
...

These files were created by your 'rpm -q' operation which initializes
the rpm database.



Enrico




Re: [Vserver] Problem with shutdown (yes..)

2005-08-02 Thread Enrico Scholz
[EMAIL PROTECTED] (Jean-Christophe Petit) writes:

 is it possible to upload a new version in
 http://www.13thfloor.at/~ensc/util-vserver/files/ ?

I will see; but there were some non-trivial changes in the script part
which I have to test first.


When you need the fix, you can try

http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/src/vwait.c.diff?r1=1.1&r2=1.2

(the green line in the second hunk is the most important part).


hmm, isn't vwait --timeout 30 supposed to time out after 30 seconds
and go wild on your remaining processes?  (this one is for enrico)

There was a classical bug in the signal handling



Enrico




Re: [Vserver] Problem with shutdown (yes..)

2005-07-27 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

 hmm, isn't vwait --timeout 30 supposed to time out after
 30 seconds and go wild on your remaining processes?
 (this one is for enrico)

There was a classical bug in the signal handling (glibc does not
interrupt vc_wait_exit() but restarts it by default). I tested the
dietlibc version only which does not show this behavior. There was
also a race which could cause the timeout to be missed when the system
time was modified in the wait phase.

Both issues should be solved in CVS.



Enrico
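Added example, not vwait's source: the two points just described, a handler installed so that the blocking wait actually returns EINTR instead of being restarted, and a deadline taken from a clock that a system-time change cannot move, written in C. waitpid() stands in for the vserver-specific vc_wait_exit(); `wait_for_exit`, its `restart` flag and the two demo children are this example's own, and the 2 s / 30 s values are made up for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* The handler only has to exist: its job is to make the blocking syscall
 * below return -1/EINTR when SIGALRM arrives. */
static void on_alarm(int sig)
{
    (void)sig;
}

/* restart == 0: the blocking wait returns EINTR when the timer fires.
 * restart != 0 (SA_RESTART): libc/kernel silently restart the wait and the
 * deadline is never examined, which is the "classical bug" from the thread. */
static int install_alarm_handler(int restart)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = restart ? SA_RESTART : 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* CLOCK_MONOTONIC is unaffected by settimeofday()/NTP steps, so a clock
 * change during the wait can neither stretch nor shorten the timeout. */
static double monotonic_now(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Wait up to timeout_s seconds for 'pid' to exit (waitpid() stands in for
 * vc_wait_exit()).  Returns 0 if it exited on its own, 1 if it had to be
 * killed at the deadline, -1 on error.  A periodic 1 s timer instead of a
 * single alarm() means a signal landing between the deadline check and the
 * waitpid() call cannot leave the wait stuck. */
int wait_for_exit(pid_t pid, unsigned timeout_s, int *status, int restart)
{
    struct itimerval tick = { { 1, 0 }, { 1, 0 } };   /* interval, first expiry */
    struct itimerval off  = { { 0, 0 }, { 0, 0 } };
    double deadline = monotonic_now() + timeout_s;
    int rc = -1;

    if (install_alarm_handler(restart) < 0 || setitimer(ITIMER_REAL, &tick, NULL) < 0)
        return -1;
    for (;;) {
        pid_t r = waitpid(pid, status, 0);
        if (r == pid) { rc = 0; break; }
        if (r < 0 && errno != EINTR) { rc = -1; break; }
        /* EINTR: the timer fired, so consult the monotonic deadline */
        if (monotonic_now() >= deadline) {
            kill(pid, SIGKILL);
            while (waitpid(pid, status, 0) < 0 && errno == EINTR)
                ;
            rc = 1;
            break;
        }
    }
    setitimer(ITIMER_REAL, &off, NULL);
    return rc;
}

/* Constructed scenarios: a child that exits at once and one that sleeps
 * longer than the timeout.  Both use the non-restarting handler. */
int demo_child_exits(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    return pid < 0 ? -1 : wait_for_exit(pid, 5, &status, 0);
}

int demo_child_hangs(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) { sleep(30); _exit(0); }
    return pid < 0 ? -1 : wait_for_exit(pid, 2, &status, 0);
}

int main(void)
{
    printf("exiting child: %d (expect 0)\n", demo_child_exits());
    printf("hanging child: %d (expect 1)\n", demo_child_hangs());
    return 0;
}
```

Calling `wait_for_exit(pid, 2, &status, 1)` reproduces the described hang on glibc: with SA_RESTART the waitpid() is transparently restarted after each SIGALRM, the deadline check is never reached, and the "timeout" lasts as long as the child does. The demos therefore only use `restart = 0`.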




Re: [Vserver] stuck (can't set the ipv4 root - invalid argument)

2005-07-26 Thread Enrico Scholz
[EMAIL PROTECTED] (Matt Paine) writes:

 Its complaining about the GPG keys, so I installed it with.

 8
 rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY
 #(that didn't work, so i tried another one)
 rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
 --8-

That's not the right way; the keys will be imported into the
current (host) rpmdb only. You have to copy the keys into

 /etc/vservers/.distributions/.common/pubkeys

(the default rpm should do this automatically).




Enrico




Re: [Vserver] Install issue with yum - /var/lib/rpm/ ?

2005-07-25 Thread Enrico Scholz
[EMAIL PROTECTED] (Brian Ipsen) writes:

 Hmm... But the .rpmdb directory inside the guest os is empty
 when the yum installation finishes ? Should it be like that ?

Yes; that's ok and expected. For security reasons, the
rpmdb is located outside of the vserver.

| vserver <id> pkgmgmt internalize

should move it into the vserver, but it requires packages like
rpm or yum which are not needed for most vservers.



Enrico




Re: [Vserver] V_xxxx not running ?

2005-07-25 Thread Enrico Scholz
[EMAIL PROTECTED] (Benoît des Ligneris) writes:

 Chasing each and every config file of services started on your
 host (apache:443, SSH, mySQL, postgreSQL, etc.)

ssh should never be started through v_ssh as every shell inherits the
network restrictions otherwise. So it will be impossible to do administrative
tasks like (re)starting vservers.


Enrico




Re: [Vserver] V_xxxx not running ?

2005-07-24 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

 I will fix it, although the v_* scripts will disappear soon.

 and be replaced by?

nothing ;)

I do not see much sense in these scripts. Most affected applications
(httpd, named, sendmail, ssh, xinetd) can be configured with native
methods to listen on a limited set of interfaces. 'portmap' is the only
daemon where v_portmap might be useful, but it is not used very much
today, or only by programs which can run in the host only. And the
missing reports about the broken startup order in v_portmap tell me
that this script is unused. ;)



Enrico




Re: [Vserver] Install issue with yum - /var/lib/rpm/ ?

2005-07-24 Thread Enrico Scholz
[EMAIL PROTECTED] (Brian Ipsen) writes:

 I'm trying to install a WBEL4 client OS via yum (the RPM list has been
 attached here).

The rpm list does not matter (and is ignored by the '-m yum' method).


 Unfortunately, I have some issues with a messages, that pops up during
 installation.

It's only a message... because yum does not do proper error-handling,
the installation will succeed nevertheless.


 I'm not quite sure, whether this warnings/errors shows up due to
 missing dependency settings in the RPM - or it could be an issue with
 installing via RPM...

This happens because the rpm package has bad assumptions regarding the
availability of the rpmdb in %scriptlets. For security reasons,
this rpmdb is hidden and 'chown /var/lib/rpm/[A-Z]*' will not find a
file to operate on.


 The errors I get are:

 /bin/chown: cannot access `/var/lib/rpm/[A-Z]*': No such file or directory

A workaround would be, to add a

| touch $vdir/.rpmdb/FORTYTWO

or (better, but untested)

| ( cd $vdir && $_CHROOT_SH append /var/lib/rpm/FORTYTWO /dev/null )

to the 'initpre' script of your distribution.




Enrico




Re: [Vserver] How to build first vserver ?

2005-07-23 Thread Enrico Scholz
[EMAIL PROTECTED] (Brian Ipsen) writes:

 #./vserver-build --force -m yum -n dns-int1 -- -d wbel4
 Renamed '/etc/vservers/dns-int1' to '/etc/vservers/dns-int1.~1121798195~'
 ftp://ftp.riken.jp/Linux/whitebox/Null/en/os/i386/repodata/repomd.xml:


The yum author refuses to make yum configurable so there is no way to
influence '$releasever'. Its value is defined only by the release
number of the installed 'fedora-release' package (resp. the configured
'distroverpkg').

Yes, it sucks and feel free to bother the yum author regarding this
issue. In the meantime, all occurrences of '$releasever' have to be
replaced manually with the correct value.


 Next, I have an issue with the setup in general... I mount
 /vservers/dns-int as a lvm-partition ..

Sorry; not supported yet.



Enrico




Re: [Vserver] vserver build - one remaining issue...

2005-07-23 Thread Enrico Scholz
[EMAIL PROTECTED] (Brian Ipsen) writes:

 # ./vserver-build --force -m yum -n dns-int1 -- -d wbel4
 ...
 error: unpacking of archive failed on file /usr/bin/X11;42dd8791: cpio:
 symlink failed - No such file or directory

Happens due to a bug in rpm[1]. That's why an 'initpre' script must be
executed which works around this issue. The common redhat-style 'initpre'
script should be fine for RH clones, so you should add a symlink like

| /etc/vservers/.distributions/initpre -> /usr/lib/util-vserver/distributions/redhat/initpre


I will add more diagnostics to warn the user about this...


Nevertheless, as yum does not do proper error handling, this bug will be
ignored and the vserver should be built.




Enrico

Footnotes: 
[1]  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90941
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52725





Re: [Vserver] V_xxxx not running ?

2005-07-23 Thread Enrico Scholz
[EMAIL PROTECTED] (Brian Ipsen) writes:

 After upgrading to v2.0-rc8.1 and installing utils 0.30.208 I get this
 error dusing startup of my server:

 Starting v_httpd:  exec --ip eth0 /etc/init.d/httpd start

oops... some legacy scripts (including vsysvwrapper) were not updated to
the new naming convention (it should be $_CHBIND and not $CHBIND in the
script).

I will fix it, although the v_* scripts will disappear soon.




Enrico




Re: [Vserver] How to build first vserver ?

2005-07-19 Thread Enrico Scholz
[EMAIL PROTECTED] (Brian Ipsen) writes:

  My base vserver is up and running (with the vserver kernel) - the problem
 is creating a virtual server... I'm running WhiteBox Enterprise Linux 4 (a
 RHEL clone), but have difficulties figuring out how to create the
 distribution stuff - and where does it pick the RPM packages from ??

 Any hints, links, instructions etc are appreciated ...

I recommend to:

1. choose the best-fitting distribution from
   /usr/lib/util-vserver/distributions; in your case, this is
   probably fc4.

2. copy the files from there into a suitable directory under
   /etc/vservers/.distributions/ :

   | # cp -a /usr/lib/util-vserver/distributions/fc4 \
   |         /etc/vservers/.distributions/wbel4

   This directory ('wbel4') will be used later at the '-d' option
   of the 'vserver ... build' command

3. adjust the initpre/initpost symlinks

4. depending on your installation method, you need to:

   - create a sources.list for apt in the apt/ subdirectory, or
   - adjust the yum repositories in the yum.repos.d/ subdir, or
   - add/change files in the rpmlist.d/ subdir


When WhiteBox Enterprise Linux is like RHEL, you should now be
able to create new vservers with

| # vserver ... build -m yum ... -- -d wbel4

out-of-the-box (although it is strongly recommended to patch
yum).




Enrico




Re: [Vserver] audit interface

2005-07-17 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

  it seems to be impossible to use the audit (CONFIG_AUDIT) interface
  of the kernel within a vserver:
  
  | # auditctl -m 'foo'
  | Error sending user message request (Operation not permitted)
  ...
  This gives problems on Fedora Core 4 as recent pam upgrade
  is using this functionality and most actions (su, cron) will
  fail therefore.
 
 hmm, does anybody know why pam would want to do syscall
 auditing in the first place? I'm a little lost here actually
 ...

 ah, looks like redhat is patching again ...

 http://people.redhat.com/sgrubb/audit/pam-0.78-loginuid.patch

 so I guess it's fine to remove pam_loginuid.so for now
 until the auditing interface is virtualized ...

Ok, as expected, the NETLINK problem can be solved by giving
CAP_AUDIT_WRITE permissions by default.

Next problem is a

| [pid 10153] open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW) = -1 EPERM (Operation not permitted)

Hiding /proc/self/loginuid (so that open(2) returns with -ENOENT)
seems to make newer pam_loginuid happy[1]. As this can not be done
with procfs-security, would it be possible to hide the loginuid
entry statically for context!=0? (I guess, making it writable is
more complicated than hiding it).



Enrico

Footnotes: 
[1]  
http://cvs.fedora.redhat.com/viewcvs/rpms/pam/FC-4/pam-0.79-cleanup-redhat.patch?r1=1.3&r2=1.4

-- 
/\
\ /ASCII Ribbon Campaign
 X   against HTML email & vCards
/ \ http://www.harley.com/turn-off-html/


[Vserver] audit interface

2005-07-14 Thread Enrico Scholz
Hello,

it seems to be impossible to use the audit (CONFIG_AUDIT) interface
of the kernel within a vserver:

| # auditctl -m 'foo'
| Error sending user message request (Operation not permitted)

The generated syscalls are:

| socket(PF_NETLINK, SOCK_RAW, 9) = 3
| fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
| sendto(3, "\24\0\0\0\355\3\5\0\1\0\0\0\0\0\0\0foo\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
| select(4, [3], NULL, NULL, {0, 10}) = 1 (in [3], left {0, 10})
| recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0!e\0\0\377\377\377\377\24\0\0\0"..., 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, [12]) = 36
| write(2, "Error sending user message reque"..., 60Error sending user message request (Operation not permitted)) = 60


This gives problems on Fedora Core 4 as recent pam upgrade is
using this functionality and most actions (su, cron) will fail
therefore.

I see two ways to solve the problem:

1. allow this kind of communication within a context
2. make CONFIG_AUDIT conflict with CONFIG_VSERVER and hope that
   libaudit is clever enough to ignore this error (untested)

(I do not know the security implications of 1. and have not
tested 2.)


Problem was seen on 2.6.12.2-vs2.0-rc5 + remap patch.




Enrico




Re: [Vserver] audit interface

2005-07-14 Thread Enrico Scholz
[EMAIL PROTECTED] (Enrico Scholz) writes:

 | # auditctl -m 'foo'
 | Error sending user message request (Operation not permitted)
 ...
 This gives problems on Fedora Core 4 as recent pam upgrade is
 using this functionality and most actions (su, cron) will fail
 therefore.

Quick workaround is to add '^29' to the 'bcapabilities' of the
corresponding vserver. Next util-vserver version will probably
implicate this with the '--secure' option (after I decided how to
deal with the CAP_QUOTACTL vs. CAP_AUDIT_WRITE conflict).



Enrico




Re: [Vserver] util-vserver-0.30.207-1mdk building error

2005-07-13 Thread Enrico Scholz
[EMAIL PROTECTED] (Nicolas Costes) writes:

 make[3]: Entering directory `/usr/src/RPM/BUILD/util-vserver-0.30.207'
 ...
 PASS: src/testsuite/chcontext-test
 Invalid IP number or host name 'localhost'

'localhost' can not be resolved. Depending on your distribution,
/etc/hosts might not be created during the vserver-build phase
and without configured networking (existing ip, /etc/resolv.conf)
this test will fail.




Enrico




Re: [Vserver] realloc(3)/mremap(2) errors

2005-07-08 Thread Enrico Scholz
[EMAIL PROTECTED] (Enrico Scholz) writes:

 | $ diet gcc x.c
 | $ strace ./a.out 
 | execve("./a.out", ["./a.out"], [/* 41 vars */]) = 0
 | old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x97f47000
 | mremap(0x97f47000, 4096, 8192, MREMAP_MAYMOVE) = -1 ENOMEM (Cannot allocate memory)

Is the

| @@ -351,8 +352,13 @@ unsigned long do_mremap(unsigned long ad
| ...
| }
| -   if (!may_expand_vm(current-mm, (new_len - old_len)  PAGE_SHIFT)) {
| +   if (!may_expand_vm(current-mm, (new_len - old_len)  PAGE_SHIFT) ||
| +   vx_vmpages_avail(current-mm, (new_len - old_len)  
PAGE_SHIFT)) {
| ret = -ENOMEM;

hunk really correct, or is there missing a '!' before 'vx_vmpages_avail'?
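Review bot: the new condition on the `+` lines makes do_mremap() fail with -ENOMEM whenever `vx_vmpages_avail()` returns non-zero, which by its name is the case where pages *are* available within the context limit; that is the opposite sense of the `!may_expand_vm()` test it is chained to with `||`, so growth is refused exactly when it should be allowed, matching the ENOMEM seen in the strace above for an 8 KiB mremap. Assuming vx_vmpages_avail() follows the usual "non-zero means available" convention, the second operand should read `!vx_vmpages_avail(current->mm, (new_len - old_len) >> PAGE_SHIFT)` (the quoted lines have also lost the `->` and `>>` operators in extraction).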



Enrico




Re: [Vserver] VPN within vserver, what I have found

2005-05-29 Thread Enrico Scholz
[EMAIL PROTECTED] (gary ng) writes:

 I just did a little more experiment and can now establish vpn links
 with outside using either pptp(Windows) or openvpn, from within a
 vserver.

I run a lot of vservers with OpenVPN (indeed, every physical host has such
a vserver). Important settings are: NET_ADMIN + NET_RAW in 'bcapabilities'
and ~hide_netif in 'flags'. You will have to create the /dev/tun/net device
in the vserver also.



Enrico


Re: [Vserver] Re: building from savannah CVS

2005-05-19 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

 That's the kind of tests which can only be done by the developer ;)
 But other work and fear of zombies stopped me to play with 'vserver
 ... stop' till now...

 didn't get a bugreport regarding those zombies yet

afais, Gilles reported in [EMAIL PROTECTED]
already about them and a quick look in the IRC logs shows that they were
discussed there also.



Enrico


Re: [Vserver] Re: building from savannah CVS

2005-05-18 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

 while we are at it, how would I 'build' a release tar archive
 (i.e. clean everything up which doesn't go into your releases)
 or a source rpm from the cvs sources?

Do you mean something like 'make dist'? Specifying 'CVS2CL=:
RCS2LOG=:' should speedup things a little bit but you won't get a
ChangeLog file.

rpms can be built with the usual 'rpmbuild -ta tarball.bz2'
command.


 PS: when can a new release be expected?  (so that we can test
 against vs2.0-rc1)

Dunno; next release will incorporate 'vwait' integration for
'vserver ... stop' which needs some testing.



Enrico




Re: [Vserver] Re: building from savannah CVS

2005-05-18 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

  while we are at it, how would I 'build' a release tar archive
  (i.e. clean everything up which doesn't go into your releases)
  or a source rpm from the cvs sources?
 
 Do you mean something like 'make dist'?
 ...
 rpms can be built with the usual 'rpmbuild -ta tarball.bz2'
 command.

 where does the tarball come from (using cvs)?

It comes from the 'make dist' mentioned above:

1. cvs co           ## <-- the files
2. autoreconf -i -f ## <-- configure, Makefile.in's and other stuff
3. ./configure ...  ## <-- see below also;
                    ##     Makefile, config.status, util-vserver.spec
4. make dist        ## <-- util-vserver.spec, ChangeLog, the tarball

To set reasonable paths and options, you can try './build-all dist'
instead of 3. but this script is for my purposes only and documented
only by its source.


> > Dunno; next release will incorporate 'vwait' integration for
> > 'vserver ... stop' which needs some testing.
>
> well, _now_ is the right time to _get_ some testing.  of course,
> without anything to test, there will be no testing ... ;)

That's the kind of tests which can only be done by the developer ;) But
other work and fear of zombies stopped me from playing with 'vserver ... stop'
till now...



Enrico




[Vserver] Re: building from savannah CVS

2005-05-17 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

> probably I'm just too dumb to figure it myself, but how would you
> build the tools from the savannah CVS?

checkout, execute 'autoreconf -i -f' and then './configure ...'  make


> /usr/share/aclocal/pkg.m4:5: warning: underquoted definition of PKG_CHECK_MODULES

not my fault (and not fatal); lots of existing .m4 files are having
underquoted definitions.




Enrico


Re: [Vserver] FC3 with yum on vs2.0-pre4

2005-05-11 Thread Enrico Scholz
[EMAIL PROTECTED] (Eric Jorgensen) writes:

> However, I'm getting errors about gpg keys not existing.  I had
> set gpgcheck=0 in all the *.repo files (both in /etc/yum.repos.d
> and /usr/lib/util-vserver/...).

GPG keys will be added automatically from

| $__CONFDIR/.distributions/$DISTRIBUTION/pubkeys \
| $__CONFDIR/.distributions/.common/pubkeys \
| $__DISTRIBDIR/$DISTRIBUTION/pubkeys

First two places are for your customization so you can copy the
keys into it.



Enrico




Re: [Vserver] Upgrade main server from 2.4 to 2.6 kernel

2005-05-11 Thread Enrico Scholz
[EMAIL PROTECTED] (Roderick A. Anderson) writes:

> If I upgrade/install a new 2.6 vserver kernel on an existing
> system _*should*_ my old vservers ( created with a 2.4 kernel )
> still work.  I realize there might be a few gotchas but for the
> most part should they work?

File attributes have been changed; the Kernel 2.4 to kernel 2.6
transition paragraph at http://linux-vserver.org/alpha+util-vserver
contains some hints but is far from being perfect (e.g. dot files
are not converted, and such with whitespace are handled wrong also).



Enrico




Re: [Vserver] problems with vserver create -m yum

2005-05-06 Thread Enrico Scholz
[EMAIL PROTECTED] (Paul S. Gumerman) writes:

> Is there anywhere to be found an explanation of how package management
> works with the new util-vserver system?

I would suggest (for Fedora based systems):

1. create your own yum or apt repository by:
   a) copy all the shipped RPMs somewhere into your harddrive; e.g.
  | D=/srv/data/mirror/fedora/core
  | rsync -a /media/cdrom/Fedora/RPMS/ $D/3/i386
   b) ditto for updates (e.g. execute a daily cronjob mirroring the
  updates directory)
  | rsync -a http:///  $D/3-updates/i386
   c) create the yum filesystem structure there:
  | mkdir -p $D/.yum/3/i386/{base,updates}
  | ln -s ../../../../3/i386 $D/.yum/3/i386/base/RPMS
  | ln -s ../../../../3-updates/i386 $D/.yum/3/i386/updates/RPMS
   d) create the repo there
  | createrepo $D/.yum/3/i386/base
  | createrepo $D/.yum/3/i386/updates

   e) ... similarly for apt ... ;)

2. register them as the repository for FC3
   a) | mkdir -p /etc/vservers/.distributions/fc3/yum.repos.d
   b) | cat <<EOF >/etc/vservers/.distributions/fc3/yum.repos.d/fc3.repo
[base]
name=Fedora Core $releasever - $basearch - Base
baseurl=file:///srv/data/mirror/fedora/core/.yum/3/$basearch/base
enabled=1
gpgcheck=1
EOF
   c) | cat <<EOF >/etc/vservers/.distributions/fc3/yum.repos.d/fc3-updates.repo
[updates]
name=Fedora Core $releasever - $basearch - Updates
baseurl=file:///srv/data/mirror/fedora/core/.yum/3/$basearch/updates
enabled=1
gpgcheck=0
EOF

   To be more flexible, I strongly suggest to create an ftp or http
   vserver which provides the tree at $D. But for bootstrapping, the
   file:// based repo is ok.

   You will have to use hardcoded version strings ('3') instead of the
   flexible '$releasever' in the URL; yum does not provide any way to
   override this at runtime. Feel free to write a bugreport for yum ;)

3. Now, you can begin to create vservers

   | # vserver test build -m yum -- -d fc3

   and install additional packages; e.g.

   | # vyum test -- install cfengine
   | # vrpm test -- -q cfengine


4. When you really need it, you can internalize the packagemanagement
   with

   | # vserver test -- pkgmgmt internalize

   But most of my vservers do not have internal packagemanagement; it
   adds additional dependencies and my vservers shall be minimal.

   Current (0.30.207) util-vserver version has a bug in the
   internalization process: you have to remove the '%_rpmdb' macro
   manually from /etc/rpm/macros in the vserver. Currently, yum
   configuration is not copied either, so you have to do this manually.


> What I am particularly curious about is the usage of the various
> .rpmdb directories inside each vserver,

It is used to mount the rpm database in a secure way. Secure means
that programs running in the vserver can not modify it. This is solved
by

1. creating a new namespace before real rpm operations
2. bind-mounting '/vservers/.pkg/.../rpm/state' to /vservers/.../.rpmdb;
   this operation is done in a secure way
3. creating a new namespace and unmounting /.rpmdb before scripts are
   executed
4. changing the context before executing scripts


The /.rpmdb mountpoint has to be in the toplevel directory; else when it
would be e.g. /var/lib/rpm, an attacker within the vserver could create a
/var/lib -> /var/foo symlink and place a malicious rpm database (e.g. one
which causes buffer overflows) into /var/foo/rpm.

There are some tricks like mounting the new database into the host also
which work around some bugs in rpm.


> and the .pkg directory structure under the vdirbase, and how they are
> related.

Program-depending directories are directly placed under /vservers/.pkg
(e.g. 'rpm', 'apt' or 'yum'). Then, there are case depending directories
like 'rpm/etc' which corresponds to '/etc/rpm', or 'rpm/state' which
holds the rpm database, or 'yum/etc' for the configuration, or ...

An important file is the generated rpm-macros file (rpm/etc/macros):
it contains both the %_rpmdb macro mentioned above and a line like:

| %_netsharedpath /dev:/etc/rc.d/init.d/halt:/sbin/new-kernel-pkg:/usr/bin/rhgb-client

This is needed to prevent installation of certain files (e.g. the
default '/etc/rc.d/init.d/halt' causes problems on vserver shutdown,
or '/sbin/new-kernel-pkg' makes installation of kernel package fail).




Enrico




Re: [Vserver] OpenFoundry project for Vserver Utilities

2005-05-05 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

> > mmh... I am not very happy with the way how this was solved, because:
>
> well, if you would show up now and then on the channel
> we might have taken a different approach ... but I
> guess although the various aspects might not be perfect,
> IMHO the direction is generally good ...
>
> at least I prefer this over a dozen different branches done by everybody
> and his dog ...

To avoid the dozen of different branches, I would like the solved
issues/bugs/patches/wishes to be filed at a central place instead of
spreading them across IRC logs, maillists or Wikis. Personal mail is
also problematic because some issues can not be handled immediately but
require further investigations and might be forgotten over time.


> > [... moving the CVS tree into an SVN repository ...]
> > First two points can be perhaps solved by converting the CVS tree but I
> > never did such a conversion. As already mentioned, I do not see the
> > necessity of such a step.
>
> well, this isn't intended to replace the savannah (i.e.
> your) development branch, the idea is to have a breeding
> ground for various changes, kind of idea pool, where
> you can skim the useful stuff very easily ...

I just think that SVN can not be used for that. E.g. I will pick some
(but not all) of the changes in SVN and apply them (perhaps with small
changes) to my util-vserver branch. But who will remerge my branch (with
lots of conflicts) back into SVN?

And the larger the changes in SVN will be, the larger and more meaningless
will be the 'svn diff my branch' output. I prefer small changesets
which fulfill exactly one purpose.


> if you have a better solution for that, please let us know, we are
> easily convinced by good arguments ;)

My mid-term plans are including a switch to GNU Arch when it is provided
by Savannah. But the extremely positive mentioning of Monotone at lkml
and its very good changeset support (this in GNU Arch is not good, but
still better than this of SVN) will bring me to evaluate this SCM system
before doing a final decision.

For now, please use the Savannah infrastructure (bug- and patch-tracker)
and try to use replyable addresses where possible. ;)




Enrico




Re: [Vserver] OpenFoundry project for Vserver Utilities

2005-05-04 Thread Enrico Scholz
[EMAIL PROTECTED] (Ola Lundqvist) writes:

> * Is a dependency on perl for building acceptable? I need it as one
> of the manpages (vserver-build) is written in .pod format and need
> pod2man (provided by perl) to convert to manpage format. I'm not
> sure what you think about that. I can probably rewrite it directly
> to manpage format but it will take some time (which I do not have too
> much of). I also seem to have a different version of vserver manpage
> that is regenerated by pod2man (I have forgot that).

I am not sure how documentation should be handled. I am tending to a
master XML file which can be translated into '... --help' output,
man-pages or DocBook XML or ...

Current way which reformats the '--help' output is not very clever: it
introduces redundancy, does not provide additional information and
requires additional maintenance.


> * I will modify vserver-copy to have better rsync options
> --numeric-ids -H and maybe some more.

vserver-copy needs much changes as it uses still the legacy config.


> * I will make src/vshelper-sync.c have a ifdef on __linux__ instead of
> __linux to work better with dietlibc.

Best place to report such things would be the bugtracker at savannah.


> * I will modify man/chcontext.8 so it have section 8 inside too.

ditto



Enrico




Re: [Vserver] OpenFoundry project for Vserver Utilities

2005-05-04 Thread Enrico Scholz
[EMAIL PROTECTED] (Sam Vilain) writes:

> I have set up a new project on OpenFoundry.org for util-vserver.
> OpenFoundry is like SourceForge, except it doesn't suck.
>
> http://utilvserver.openfoundry.org/
>
> (no hyphens allowed in project names!  bummer)
>
> For now the important thing it has is a public read-only Subversion
> server, and is trivial for project Admins to invite other people to be
> committers.
>
> So, you can grab the latest version of util-vserver from;
>
> http://svn.openfoundry.org/utilvserver/trunk/
>
> Then use svn update & friends to pull down new versions!  :-D

mmh... I am not very happy with the way how this was solved, because:

* afais, the complete history of changes was lost in the SVN reimport

* the svn repository contains lots of autogenerated files (e.g. ChangeLog,
  Makefile.in, configure, ...) which should not be handled by SCM systems

* I do not think that Subversion is so much better than CVS that a change
  is required. Changeset support or support of distributed development
  would be arguments convincing me but SVN does not offer these features.

* what's wrong with current hosting at savannah? Ok, they are excessively
  paranoid which makes things like file uploads nearly impossible. But I
  still have hope that it will be fixed.

First two points can be perhaps solved by converting the CVS tree but I
never did such a conversion. As already mentioned, I do not see the
necessity of such a step.




Enrico




Re: [Vserver] Problem to build util-vserver on ia64.

2005-04-24 Thread Enrico Scholz
[EMAIL PROTECTED] (Ola Lundqvist) writes:

> lib_internal/unify-copy.c: In function `copyMMap':
> lib_internal/unify-copy.c:142: error: `MADV_SEQUENTIAL' undeclared (first use in this function)

mmh... a dietlibc issue

http://cvs.fedora.redhat.com/viewcvs/devel/dietlibc/dietlibc-0.28-madv.patch?root=extras&rev=HEAD&view=auto

should fix it. I will report it upstream tomorrow.



Enrico




Re: [Vserver] util-vserver + dietlibc ...

2005-04-22 Thread Enrico Scholz
[EMAIL PROTECTED] (Stephen Frost) writes:

> > That's not possible. During the extraction phase, 'rpm' has to do
> > a username -> uid mapping with the setup from the inside of the
> > chroot. So at least there, I need getpwnam() after chroot().
>
> Sorry for the double-reply but additionally, is that the only place
> where this issue exists?  I'm not even sure what you mean by the
> 'extraction phase'- do you mean when building the vserver?

It is meant the phase when 'rpm --root ...' extracts the files and has
to map the username to a uid.


> If you're building it new it seems unlikely that it's a compromised
> vserver.

'vrpm' + 'vapt-get' + 'vyum' work long after the initial build also. This
might be after the vserver was compromised.


> Does this affect Debian users at all (who use Debian in their vservers)?

Probably not; for Debian only the internal packagemanagement is supported.



Enrico




Re: [Vserver] shutting down all vservers

2005-04-22 Thread Enrico Scholz
[EMAIL PROTECTED] (Marcel de Riedmatten) writes:

> I am playing with the new debian package util-vserver 0.30.204-5,
> thanks to Ola for that. I don't want some vserver to be started
> automatically at startup so I don't put the default mark for that one.
> But when I shutdown the machine and this vserver is running it isn't
> shut down and some filesystems can't be unmounted.

Sorry; this is not supported yet. I plan to add a final script which
shuts down all 'unmarked' vservers but had no time to implement it. It
will probably be solved by an '--unmarked' selector (similarly to
'--all').




Enrico




[Vserver] Re: util-vserver-0.30.206 ... timetravel?

2005-04-16 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

> just tried to 'update' my rpms to the latest release of util-vserver
> for testing (0.30.206) but it seems that this version will need some
> time to become usable, no?
>
> checking whether to enable dietlibc... no (too old; 0.29+ required, 0.28 found)

mmh... should affect non-i386 only. When you think you have such an
arch, can you post the 'build/host' line in the 'vserver-info' output?

Else, I think that this check is correct; dietlibc<=0.28 causes too many
problems on non-i386. For people who know what they do, this check can
be overridden and dietlibc usage be enforced...



Enrico




Re: [Vserver] util-vserver + dietlibc ...

2005-04-11 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

> > > no, thanks I already figured it, the dietlibc needs
> > > patching as the syscall(2) for x86_64 isn't implemented
> > >
> > > .o( I wonder _what_ is running on your machine ;)
> >
> > I guess it was using _syscall3() instead of syscall(). Shouldn't it?
>
> yes, after I read your 'other' email ... this makes
> some sense ... I just wondered because I didn't know
> that it is available on x86_64 (headers)

To clarify things:

util-vserver prefers to use _syscall3() (which is called 'fast'
syscall invocation method in the ./configure output) when it is
available.  _syscall3() is often implemented with inline assembler
in asm/unistd.h.  But at least on i386, it can not be used in
combination with dynamic linking as it writes to the %ebx register
which is reserved for PIC addressing.

Therefore, most glibc kernel-headers do not provide the _syscallX()
functions overall and the 'traditional' syscall(2) must be used.



Enrico




Re: [Vserver] util-vserver + dietlibc ...

2005-04-11 Thread Enrico Scholz
[EMAIL PROTECTED] (Stephen Frost) writes:

> > > > according to Enrico (please confirm or correct) the glibc
> > > > has issues with the fake name resolver and is generally
> > > > considered insecure because usually dynamically linked ...
> > >
> > > This really needs further explanation and justification.  What about
> > > glibc being dynamically linked (and able to load other libraries)
> > > makes it insecure, specifically?
> >
> > 1. 'insecure', because the dynamical loading of libnss_* is
> >    uncontrollable. There is no (documented??) way to disable this
> >    loading e.g. when the chroot was entered. Executing a function which
> >    would load an nss-library does not give any guarantee that the next
> >    call to this function with another argument would not load another
> >    library.
>
> It's not uncontrollable- just don't call NSS functions after you've
> chroot'd.

That's not possible. During the extraction phase, 'rpm' has to do
a username -> uid mapping with the setup from the inside of the
chroot. So at least there, I need getpwnam() after chroot().




Enrico


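The NSS problem discussed in the two "util-vserver + dietlibc" replies above (the host-side tool has to map a user name to a uid using the guest's passwd data, and glibc's getpwnam() would dlopen() libnss_* modules out of the possibly compromised chroot) can be avoided by parsing the guest's passwd(5) file with plain stdio. The following is an added example, not util-vserver's code nor its fake name resolver; the passwd content is constructed for the example and the file reader assumes the guest root is a host path.

```c
/* Added example, not util-vserver code: resolve a user name to a uid from a
 * passwd(5) file with plain stdio, so a host-side tool never calls
 * getpwnam() and glibc never dlopen()s a libnss_* module from the chroot.
 * The passwd text further down is constructed for the example. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find "name:" at the start of a line and parse the third field as a
 * non-negative decimal uid.  Returns 0 and sets *uid on success, -1 when
 * the name is absent or its uid field is malformed.  Lines with too few
 * fields are skipped; a prefix of a longer name never matches. */
int uid_from_passwd_text(const char *text, const char *name, long *uid)
{
    size_t nlen = strlen(name);
    const char *line = text;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *pw = line + nlen + 1;                  /* 2nd field */
            const char *colon = memchr(pw, ':', len - (nlen + 1));
            if (colon) {
                const char *u = colon + 1;                     /* 3rd field */
                char *end;
                errno = 0;
                long v = strtol(u, &end, 10);
                /* digits only, terminated by ':', no overflow */
                if (isdigit((unsigned char)*u) && *end == ':' && errno == 0) {
                    *uid = v;
                    return 0;
                }
            }
            return -1;   /* the name matched but the record is unusable */
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/* Read $root/etc/passwd with stdio only and resolve name -> uid.
 * Returns 0 on success, -1 if the file is unreadable or the name is absent. */
int uid_from_guest_passwd(const char *root, const char *name, long *uid)
{
    char path[4096], chunk[4096], *buf = NULL;
    size_t size = 0, n;
    snprintf(path, sizeof path, "%s/etc/passwd", root);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        char *grown = realloc(buf, size + n + 1);
        if (!grown) { free(buf); fclose(f); return -1; }
        buf = grown;
        memcpy(buf + size, chunk, n);
        size += n;
    }
    fclose(f);
    if (!buf)
        return -1;
    buf[size] = '\0';
    int rc = uid_from_passwd_text(buf, name, uid);
    free(buf);
    return rc;
}

/* Constructed guest passwd content used by main() and the tests. */
const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
    "this line has no fields at all\n"
    "evil:x:notanumber:0::/:/bin/sh\n"
    "apache:x:48:48:Apache:/var/www:/sbin/nologin\n";

/* uid for name in SAMPLE_PASSWD, or -1 when absent or malformed. */
long sample_uid(const char *name)
{
    long uid;
    return uid_from_passwd_text(SAMPLE_PASSWD, name, &uid) == 0 ? uid : -1;
}

int main(void)
{
    printf("apache -> %ld\n", sample_uid("apache"));
    printf("evil   -> %ld\n", sample_uid("evil"));
    return 0;
}
```

Because the code only ever reads bytes from a file, nothing in the chroot can cause a library to be loaded; a malformed record (like the "evil" line) yields a mapping failure rather than a guess, which is the safe outcome for a package extraction.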


[Vserver] Re: another vserver build bug

2005-04-08 Thread Enrico Scholz
Kevin Pendleton [EMAIL PROTECTED] writes:

> When I try to use the vserver build -m apt-rpm function to create a fc3
> vserver on a centos host with util-vserver-0.30.205, I get the following
> output:
>
> vserver base-fc3 build -m apt-rpm --hostname domain.com --interface
> domain=eth0:192.168.0.129/24 --initstyle plain --context 500 --force --
> -d fc3
> ...
>    2:filesystem ### [ 29%]
> error: unpacking of archive failed on file /usr/bin/X11;4256ae14: cpio:
> symlink failed - No such file or directory

Sorry, I forgot to add the instructions which make fc3 a redhat style
system (the 'initpre' script is missing). A workaround could be to set
'redhat_style' during the installation of the tools:

| $ make install redhat_style='rh9 fc1 fc2 fc3' ...

Alternatively, you can link the scripts into the distribution directory
manually:

| # ln -s ../redhat/initpre  /usr/lib/util-vserver/distributions/fc3/
| # ln -s ../redhat/initpost /usr/lib/util-vserver/distributions/fc3/




Enrico


Re: [Vserver] vserver build bug

2005-04-08 Thread Enrico Scholz
[EMAIL PROTECTED] (Kevin Pendleton) writes:

> When you try to use the vserver build -m copy function it requires a
> file that does not exist.

Yes, this is expected because this method is not implemented yet. Sorry,
I should remove it from the help text.



Enrico




[Vserver] Fakeinit issues

2005-04-03 Thread Enrico Scholz
Hello,

I discovered some irregularities regarding fakeinit functionality. The
following program gives different output on host and vservers:

| #include <stdio.h>
| #include <stdlib.h>
| #include <unistd.h>
| int main(int argc, char *argv[])
| {
|   printf("%i\n", getsid(atoi(argv[1])));
| }

On host:

| # ./a.out 1
| 0

on VServer:

| # chcontext --xid 100 --flag fakeinit ./a.out 1
| 7448


This issue causes unexpected behaviour with SysV's 'killall5' which will
kill the init-process also.


Btw, this test reveals a minor security leak: getsid(2) does not test if
the pid is visible but gives out the correct result:

| # chcontext --xid 100 --flag fakeinit ./a.out $$
| 10461

('$$' expands to the pid of the bash invoking 'chcontext'). Ditto for
getpgid(2).


The used patch was vs1.9.5-rc4 on a 2.6.11.6 kernel.




Enrico
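An added example, not part of the post above, for checking the getsid(2)/getpgid(2) behaviour it reports: the probe compares what /proc shows for a pid with what the two syscalls answer, so a pid that is hidden from the context but still answered is flagged as the leak. The binary name in the usage comment is an assumption.

```c
/* Added example, not from the original post: probe whether a pid that this
 * context cannot see in /proc is nevertheless answered by getsid(2) or
 * getpgid(2), the information leak reported above.  Run it inside a
 * context with a pid taken from the host, e.g.
 *   chcontext --xid 100 ./pidprobe <host-pid>      (binary name assumed) */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if /proc/<pid> exists as seen from this context, else 0. */
int visible_in_proc(pid_t pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0;
}

/* 1 if the kernel answers getsid(pid); 0 on ESRCH or any other error. */
int answered_by_getsid(pid_t pid)
{
    return getsid(pid) != (pid_t)-1;
}

/* Same check for getpgid(pid). */
int answered_by_getpgid(pid_t pid)
{
    return getpgid(pid) != (pid_t)-1;
}

/* The leak: a pid hidden in /proc but reported by getsid()/getpgid().
 * Returns 1 when observed, 0 when the kernel answers consistently. */
int leaks_hidden_pid(pid_t pid)
{
    return !visible_in_proc(pid) &&
           (answered_by_getsid(pid) || answered_by_getpgid(pid));
}

/* Fork and reap a child so that its pid no longer exists; a consistent
 * kernel must then fail getsid()/getpgid() for it with ESRCH. */
pid_t reaped_child_pid(void)
{
    pid_t child = fork();
    if (child == 0)
        _exit(0);
    if (child > 0)
        waitpid(child, NULL, 0);
    return child;
}

int main(int argc, char *argv[])
{
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    printf("pid %ld: /proc=%d getsid=%d getpgid=%d -> %s\n", (long)pid,
           visible_in_proc(pid), answered_by_getsid(pid),
           answered_by_getpgid(pid),
           leaks_hidden_pid(pid) ? "LEAK" : "consistent");
    return leaks_hidden_pid(pid);
}
```

On a kernel where the leak is fixed the probe exits 0 for every host pid tried from inside a context; the reaped-child case documents the expected ESRCH behaviour for a pid that genuinely does not exist.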


Re: [Vserver] I'm in trouble now ....

2005-03-28 Thread Enrico Scholz
[EMAIL PROTECTED] (Paul S. Gumerman) writes:

> Ran vserver fc3-reference hashify, which ran ok with one message
> (sorry, can't recall it now).

The exact message would be helpful perhaps.


> Then tried vserver loco-reference hashify which failed with a
> message saying vserver ... suexec is support for running vserver
> only; aborting ...   *BTW, that should read supported.*

Thx, speling has been fixed.

When this message appears, 'vhashify' stopped at a very early stage
without modifying any file.


> I tried to start loco-reference, but got the message an error
> occurred  very likely that initscript faild  with no other
> details regarding just what had failed. When I started it again, I did
> get the message that lines 1 and 3 in the fstab had failed because the
> fs's were already mounted, so it did get that far, at least.
>
> I also found that I could no longer stop any of the running vservers.
> The message was  still running unexpectedly.  Please investigate
> it manually.
>
> Running vserver-stat results in a Segmentation fault.

Tracking this segfault would be helpful. Do you see kernel messages
(oops) there? Else, possible ways to trace it are:

* chcontext --xid 1 strace vserver-stat
* chcontext --xid 1 gdb vserver-stat  -->  r + bt
  (perhaps compiling tools with 'CFLAGS=-O0 -g3 ./configure ...')
  

> Also, this might be a hint: if I try running vtop (as root) I get
> chcontext: execvp: (top) Permission denied

mmh... is SELinux enabled?




Enrico




Re: [Vserver] util-vserver (becoming stable ?)

2005-03-25 Thread Enrico Scholz
[EMAIL PROTECTED] (Olivier Poitrey) writes:

> > what about LYCOS? They are using vserver and get much money with
> > it. They also provide Internet-Access.
> > Here is a link for the german readers:
> > http://www.lycos.de/startseite/online/internetzugang.html
> >
> > Should Enrico ask them for some money to stay online at home? They
> > provide ISDN (and DSL). 100 Euros per month is no money for a
> > company like Lycos.
> > Lycos could give him 200 hours free per month or something like that.
>
> Sure we can do this. I don't know if ADSL with Lycos will be possible
> at his place

Probably not (at least not, unless somebody installs copper cable
parallel to the existing fibre cable). When DSL would be available I
would pay the 25-30 EUR myself. But ATM, ISDN is the only alternative.



Enrico




Re: [Vserver] [announce] util-vserver 0.30.205 + status report

2005-03-25 Thread Enrico Scholz
[EMAIL PROTECTED] (Paul S. Gumerman) writes:

> Where can I find this?

Sorry, please use the

   http://www.nongnu.org/util-vserver/

homepage or the savannah projectpage

   https://savannah.nongnu.org/projects/util-vserver/



Enrico




Re: [vserver] security context ?

2005-03-15 Thread Enrico Scholz
[EMAIL PROTECTED] (Timo Müller) writes:

> I've a FedoraCore3 vserver and I want to change the password for a
> user and then ...
>
> passwd test
> passwd: root:system_r:unconfined_t is not authorized to change the
> password of test

Disable SELinux. Its kernel API (/proc/self/attr + /selinux)
makes it unsuitable for chroot environments. Every workaround you
apply will be voided by the next libselinux version.



Enrico


Re: [vserver] build problem

2005-03-15 Thread Enrico Scholz
[EMAIL PROTECTED] (Timo Mueller) writes:

> But just for my understanding: What is this -initpre- and
> why does it work now?

This is a script which will be executed before unpackaging the
files. It works because it works around
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52725


There is another script 'initpost' which gets executed after
unpackaging and makes stuff like the removal of certain
initscripts.



Enrico


Re: [vserver] rpmpriorities

2005-03-15 Thread Enrico Scholz
[EMAIL PROTECTED] (Timo Mueller) writes:

> Can I here:
> /usr/src/redhat/BUILD/util-vserver-0.30.204/distrib/fc3/apt/rpmpriorities
>
> configure what packages get installed when I build a new vserver?
> Or what does this (rpmpriorities) stand for?

That's a configuration file for apt. It is used by util-vserver
to define a minimal set of packages which must be there (else,
apt will complain loudly when such a package is going to be
removed).

It can be used also to add packages which are necessary for the
vserver operation (e.g. 'httpd' for webservers). But I think, it
is easier to execute 'vapt-get webserver -- install httpd' instead
of editing this file manually.

Google will be your friend for more information about
'rpmpriorities'.



Enrico


Re: [vserver] security context ?

2005-03-15 Thread Enrico Scholz
[EMAIL PROTECTED] (Timo Müller) writes:

> hmm
> how can I disable selinux?

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825880



Enrico


Re: [vserver] build problem

2005-03-14 Thread Enrico Scholz
[EMAIL PROTECTED] (Timo Müller) writes:

> this error comes when I want to build a fc3 vserver!
> ...
>    2:filesystem ### [ 29%]
> Error: unpacking of archive failed on file /usr/bin/X11;422ffd85:
> cpio: symlink failed - No such file or directory

I was wrong in my last (private) mail... Probably you are missing
the 'initpre' script which creates /usr/bin before installing the
files. For reasons see

   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52725



For now, just link the common redhat 'initpre' script to your fc3
distribution dir; e.g.:

| ln -s /usr/lib/util-vserver/distributions/redhat/initpre /etc/vservers/.distributions/fc3/




Enrico




Re: [vserver] Config

2005-03-14 Thread Enrico Scholz
[EMAIL PROTECTED] (Timo Müller) writes:

> where can I change that ??
>
> Can not find a vserver-setup at '/usr/local/etc/vservers//'.

See README for the ./configure options which create expected
paths.



Enrico




Re: [Vserver] [vservers] Two Problems

2005-03-09 Thread Enrico Scholz
[EMAIL PROTECTED] (Timo Müller) writes:

> I've built a fc2 vserver and I can start it and enter it but I can't
> stop it.
> This error comes or it doesn't go on (I think it can't shutdown that
> interface) But why ??:

mmh... the network initscripts should have been disabled by
'vserver ... build' (the initpost command is responsible for
doing that).


> Second:
> I want to build a fc3 vserver, but in ./distribution is only fc2, so I
> make a new directory
> fc3 and add a source list to
> /etc/vservers/.distributions/fc3/apt/sources.list

you should add an 'rpmpriorities' there also. Next util-vserver
version will have apt support for fc3 also.


> And now I want to build it and then:
>
> -bash-3.00# vserver vs-fc3-3 build --force -m apt-rpm --hostname
> vsfc3-3.a.de --netdev et
> 0 --interface xxx.xxx.xxx.xxx/26  -- -d fc3 -m apt-rpm --hostname
> vsfc3-3.a.de --netdev eth0
> Renamed '/usr/local/etc/vservers/.defaults/vdirbase/vs-fc3-3' to
   ~~

Are you sure that there are no conflicts? Above, you mentioned
/etc/... as the place for the configuration.


> E: Could not open file
> /usr/local/etc/vservers/vs-fc3-3/apps/pkgmgmt/base/apt/etc/rpmpriorities
> - open (2 No such file or directory)



Enrico




Re: [Vserver] Mandrakelinux's patch for 0.30.204

2005-02-23 Thread Enrico Scholz
[EMAIL PROTECTED] (Velu Erwan) writes:

> > I have to admit that I do not know anything about 'urpmi', but with
> > 'yum' and 'apt' I can configure the repository which is going to be
> > used. This makes it possible to install FC2 guests on FC3 hosts by using
> > '... -d fc2'.
> In urpmi you can choose the repository you want to install.

How do I specify this repository in the 'vserver ... build -m
urpmi' commandline?


> > Using /.rpmdb is a hack; /dev would be a much nicer place because it
> > is available everywhere and ignored by rpm. But there is rh bugzilla
> > bug #106057 which requires that the rpm database must be both in the
> > chroot-environment and in the real-root one. So the /.rpmdb has to
> > stay.
> SO it seems that many vserver are sharing the /.rpmdb of my real system.
> So it sounds like all my vserver are sharing the same rpmdb which is not
> interesting. Am I wrong ?

Yes, you are wrong ;) /.rpmdb is mounted in a separate namespace
used only for exactly one 'rpm --root' operation.



Enrico




Re: [Vserver] Mandrakelinux's patch for 0.30.204

2005-02-20 Thread Enrico Scholz
[EMAIL PROTECTED] (Velu Erwan) writes:

I do not know if urpmi supports this, but it should be possible to
specify the version of Mandrake Linux. E.g.

| vserver ... build -m urpmi -- -d mdk10



> Of course it could be done, but the main idea was to install the
> vserver using the virtual basesystem rpm (available on all
> mandrakelinux release).

I have to admit that I do not know anything about 'urpmi', but with
'yum' and 'apt' I can configure the repository which is going to be
used. This makes it possible to install FC2 guests on FC3 hosts by using
'... -d fc2'.

So it would be nice when I could call 'urpmi' in the same way (install
mdk9 guests on a mdk10 hosts e.g.).


-_rpmdb_mntpoint=/.rpmdb
+_rpmdb_mntpoint=$BASEDIR/.rpmdb
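Review bot: the `+_rpmdb_mntpoint=$BASEDIR/.rpmdb` line gives the rpm database mount point path components below the guest's `/`; the host-side mount is only safe while the mount point is a single top-level entry of the guest root, because every intermediate directory (here whatever `$BASEDIR` expands to; its definition is not visible in this fragment) is a place where a guest-side symlink can redirect the host's rpm to a manipulated database. Keep `_rpmdb_mntpoint=/.rpmdb` and fix the consumer (urpmi's handling of `%_dbpath`) instead of moving the mount point.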

This does not look sane. The rpm-database mountpoint MUST be at the / of
the vserver.

 I must assume that some hacks were introduced, but certainly because I
 didn't catch everything in vserver's architecture.

Oooh... I just detected an ugly bug in the rpmdb handling which was
hidden by the /var/lib/rpm symlink.

Please try [1] if it fixes your problems. Else:


Base idea behind the external packagemanagement is, that host commands shall
never rely on any guest data. E.g. I do not trust db4 (the databasesystem
used by rpm) enough to store the rpmdb within the guest. Perhaps there are
exploits in the database-reading-code which can be triggered by a manipulated
database.

So, using /var/lib/rpm as a place for the rpmdb is dangerous: an attacker
within the vserver could create a /var/lib -> /somewhere symlink pointing
to such a manipulated database. And there is nothing which can be done
against it...

That's why, the rpmdb has to be mounted into the toplevel directory
where such symlinks are impossible.

Using /.rpmdb is a hack; /dev would be a much nicer place because it
is available everywhere and ignored by rpm. But there is rh bugzilla
bug #106057 which requires that the rpm database must be both in the
chroot-environment and in the real-root one. So the /.rpmdb has to
stay.

The position of the rpm-database is specified by the %_dbpath macro
which is changed in the vserver specific rpm-configuration. I do not
know if 'urpmi' honors this macro (apt had a similar bug which caused me
to create an (insecure) /var/lib/rpm -> /.rpmdb symlink), whether it
must be configured at another place, or if 'urpmi' must be fixed.


+_VURPMI=$SBINDIR/urpmi

path should be determined in %configure. And the variable should be
named '_URPMI', not '_VURPMI'.


 Once again a lack in the global knowledge :/

How will you operate after the vserver was build? Do you require an
'vserver ... pkgmgmnt internalize'? If not, you should create a 'vurpmi'
wrapper.

A plain 'urpmi --root /vserver/...' is dangerous and must never be used.




Enrico

Footnotes: 
[1]  
http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/scripts/vserver-build.functions.rpm.diff?r1=1.5&r2=1.6



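The reasoning above (a guest root user can replace /var/lib with a symlink, so a host tool told to use "$root/var/lib/rpm" would read guest-chosen data) is why util-vserver mounts the database at the toplevel in a private namespace. The following is an added example, not util-vserver's own code, showing the underlying check a host-side script can make before operating below a guest root: walk the path component by component and refuse as soon as any component is a symlink. The function name `guest_path_is_plain` and the temporary guest trees built by `demo` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not util-vserver code): refuse to operate on a guest path
# when any component below the guest root is a symlink.  A guest can only
# redirect the host through such a symlink; a mount at the toplevel avoids
# the problem entirely, which is what /.rpmdb does.
#
# guest_path_is_plain ROOT RELPATH
#   returns 0 when every component of ROOT/RELPATH exists and none is a
#   symlink, 1 otherwise (with a diagnostic on stderr).
guest_path_is_plain() {
    root=$1
    rel=$2
    cur=$root
    old_ifs=$IFS
    IFS=/
    for comp in $rel; do
        [ -n "$comp" ] || continue        # empty parts from leading or doubled slashes
        cur="$cur/$comp"
        if [ -h "$cur" ]; then            # symlink anywhere on the path: reject
            IFS=$old_ifs
            echo "refusing: $cur is a symlink" >&2
            return 1
        fi
        if [ ! -e "$cur" ]; then          # missing component: nothing sane to do
            IFS=$old_ifs
            echo "refusing: $cur does not exist" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Constructed demonstration: one plain guest tree and one in which var/lib
# has been replaced by a symlink to a directory of the guest's choosing.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/plain/var/lib/rpm" "$t/evil/var" "$t/evil/other/rpm"
    ln -s ../other "$t/evil/var/lib"
    if guest_path_is_plain "$t/plain" var/lib/rpm; then
        echo "plain guest: safe to run rpm --root $t/plain"
    fi
    if guest_path_is_plain "$t/evil" var/lib/rpm; then
        echo "unexpected: symlinked guest accepted"
    else
        echo "symlinked guest: refused"
    fi
    rm -rf "$t"
}

demo
```

The check is only a gate: between the test and the later use of the path the guest could still swap a directory for a symlink, which is exactly why the post insists on a mountpoint at / in a separate namespace rather than on checks.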


Re: [Vserver] Small bug report and feature request

2005-02-01 Thread Enrico Scholz
[EMAIL PROTECTED] (Micah Anderson) writes:

 |*  make a 'clone' build method
 |
 |which allows to clone an existing vserver (with modified options)
 
 I would like to have a generic CLI tool which modifies the
 configuration, before I implement this method. 'vcopy' needs
 testing also; especially for the not-link-but-copy and
 skipped-files cases.

 What is vcopy? I did not know it existed and I cannot find any man
 pages for it. Does it do a clone of a vserver?

It is a 'cp -l' with a builtin 'vunify'. It uses the same exclude
list mechanism as 'vunify' so that certain files will be copied
instead of linked (e.g. cfg-files), or skipped entirely (e.g. ssh
hostkeys, user data).

Basic usage (requires 0.30.203+) is

| # mkdir -p /etc/vservers/source/apps/vunify
|   (+ configure special exclude lists)
| # /usr/lib/util-vserver/vunify dst src

But it is not mature enough to document it somewhere else ;)
(e.g. '-n' does not really work, source *requires* a supported
pkg-management, ...)




Enrico


Re: [Vserver] Re: Strange vshelper behaviour (reboot)

2005-01-31 Thread Enrico Scholz
[EMAIL PROTECTED] (Herbert Poetzl) writes:

  after a decent debug session we now know that the vshelper reboot
  functionality is broken with 0.30.196 on vs1.2.10 (I suspect on older
  versions too) ...
 
  the culprit seems to be vserver-info, which, for whatever reason, is
  not able to 'reverse' the xid (to a vserver name)
 ...
 access(/var/lib/run/vservers.rev/2, F_OK) = -1 ENOENT (No such file or directory)
 ...
 hmm .. but there is

 /var/run/vservers.rev/2

mmh... seems to be caused by different ideas about
%_localstatedir in the RH and Mandrake world...

I will remove 'run.rev' as a vserver-local setting and make it a
a system-wide option.


 any idea how that can be different on 2.6/1.9?

As said, 2.6 does not use the 'run.rev' mechanism but vuname for
the XID -> vserver mapping.



Enrico


Re: [Vserver] Small bug report and feature request

2005-01-31 Thread Enrico Scholz
[EMAIL PROTECTED] (Micah Anderson) writes:

 A small bug report and a feature request:

 1. vserver --help shows me:

 running ... succeeds iff the vserver is running

 -^^^ should only be one f :)

Really? It is meant as

| From The Free On-line Dictionary of Computing (09 FEB 02) [foldoc]:
| 
|   iff
|   
|  <mathematics, logic> if and only if, i.e. necessary and
|  sufficient.  For example, two figures are {congruent} iff one
|  can be placed over the other so that they coincide.



 Feature request would be to create a vserver name remove
 that properly shuts down the vserver and then removes its
 configuration and vserver files. I mistakenly removed the
 files before stopping the vserver last night and it was an
 interesting adventure to solve that (credit of course goes to
 Bertl to track down how).

When namespaces are used (that's the default), everything will be
unmounted after finishing the last process. So executing 'vkill
--xid ID -s 9' would have done the trick also. ;)

I will think about the 'vserver ... remove' command.



Enrico



Re: [Vserver] vunify problem

2005-01-31 Thread Enrico Scholz
[EMAIL PROTECTED] (Micah Anderson) writes:

 Then I followed the instructions on
 http://linux-vserver.org/alpha+util-vserver to unify vservers:

 1. mkdir -p /usr/local/etc/vservers/MT/apps/vunify
 2. ln -s /usr/local/etc/vservers/seedbank
 /usr/local/etc/vservers/MT/apps/vunify/refserver.00 

 Then when I do a dry-run of the unification, it does not work:
 # /usr/local/lib/util-vserver/vunify -v -n MT
 /usr/local/lib/util-vserver/vunify -v -n MT
 Initializing exclude-list for /vservers/MT (MT)
 no reference vserver configured

 ?

Strange... you should get 'unification for reference vserver not
configured'...

Can you try

| # mkdir -p /usr/local/etc/vservers/seedbank/apps/vunify
| # /usr/local/lib/util-vserver/vunify -v -n MT

? When this does not work, please provide an strace of the vunify
command.



Enrico


[Vserver] Re: Strange vshelper behaviour (reboot)

2005-01-28 Thread Enrico Scholz
Herbert Poetzl [EMAIL PROTECTED] writes:

 after a decent debug session we now know that the vshelper reboot
 functionality is broken with 0.30.196 on vs1.2.10 (I suspect on older
 versions too) ...

 the culprit seems to be vserver-info, which, for whatever reason, is
 not able to 'reverse' the xid (to a vserver name)


 === linux-2.4.29-vs1.2.10

 [root@(none) /]$ vserver zope3 start
 [root@(none) /]$ vserver-stat
 CTX   PROCVSZRSS  userTIME   sysTIMEUPTIME NAME
 0   12   1.9M   2780m05s33   0m11s13   0m54s65 root server
 25   7.5M   7410m02s32   0m06s11   0m09s53

What gives an 'strace vserver-info 2 ID'? When a name can be resolved,
you should see lines like

| access(/var/run/vservers.rev/2, F_OK) = 0
| open(/var/run/vservers.rev/2/run, O_RDONLY) = 3
| lseek(3, 0, SEEK_END) = 2
| lseek(3, 0, SEEK_SET) = 0
| read(3, 2\n, 3) = 2

Then, verify with 'vserver --debug zope3 start' that the chain-command
contains

| ... /usr/lib/util-vserver/save_ctxinfo /etc/vservers/zope3 ...

and that '/etc/vservers/zope3/run.rev/2' is a symlink pointing back to
'/etc/vservers/zope3'.



When these things look sane, make sure that no 'vshelper' rebooted the
vserver between 'vserver ... start' and 'vserver-stat'. You could
e.g. enable vshelper logging and look for vshelper invocations.




 === linux-2.6.11-rc2-vs1.9.4-rc4

 [root@(none) /]$ vserver zope3 start
 [root@(none) /]$ vserver-stat
 CTX   PROCVSZRSS  userTIME   sysTIMEUPTIME NAME
 0   11   1.9M   2850m06s12   0m11s50   2m42s67 root server
 2916M   1.7K   0m00s73   0m02s30   0m04s30 zope3

Yes; the 'run.rev' mechanism exists for kernel 2.4 only. With kernel
2.6, the 'context' uname field is used to identify the vserver.


 btw, this 'reverse' lookup is also causing big troubles with the ngnet
 testing, as the tools are not able to handle/delegate a vshelper call
 when the context is just starting up

Sorry; vshelper was never intended for starting vservers.


 (or just finished)

mmh... I would wonder when existing reset-mechanisms exit after invoking
reboot(2). When this happens, you would see a kernel panic about a killed
init on each reboot.

I think, that most init-implementations go into an endless sleep after
calling reboot(2) so the context will be alive at 'vshelper' execution
time.




Enrico


Re: [Vserver] bcapabilities not working?

2005-01-26 Thread Enrico Scholz
[EMAIL PROTECTED] (Andrew Mendelsohn) writes:

Here is the Debug output.  There is no corresponding line for bcap, as
 ++ OPTS_VATTRIBUTE=([EMAIL PROTECTED] --ccap $cap) for ccap.
 ...
 ++ local f=/etc/vservers/apache2server/bcapabilities
 ++ test -e /etc/vservers/apache2server/bcapabilities
   ~
 ...
 Using 2.6.10 with patch-2.6.10-vs1.9.3.17.diff and compiling
 util-vserver 0.30.196, it seems that I can't remove capabilities
 via the /usr/local//etc/vservers/webserver/bcapabilities
 ~
 configuration file using  ~ALL.

Are you sure that the '~ALL' was configured in the correct
vserver?



Enrico

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?  
A: Top-posting.  
Q: What is the most annoying thing in e-mail?


[Vserver] Re: alpha util-vserver patch: improve/fix dietlibc version detection

2005-01-07 Thread Enrico Scholz
Hans Ulrich Niedermann [EMAIL PROTECTED] writes:

 What they fix:
   * handle a version number like 0.27-7

 Can you check if CVS ([1]) fixes your problem?

 It does not.

 For _dietlibc_ver_min=27-7, the line

_dietlibc_ver_min=${_dietlibc_ver_min%%[!0-9]*}

 doesn't do what it is supposed to do.

What do you expect there?

| $ _dietlibc_ver_min=27-7
| $ echo ${_dietlibc_ver_min%%[!0-9]*}
| 27

seems to be the correct result.



Enrico


[Vserver] Re: alpha util-vserver patch: improve/fix dietlibc version detection

2005-01-07 Thread Enrico Scholz
Hans Ulrich Niedermann [EMAIL PROTECTED] writes:

 For _dietlibc_ver_min=27-7, the line

_dietlibc_ver_min=${_dietlibc_ver_min%%[!0-9]*}

 doesn't do what it is supposed to do.

 What do you expect there?

 | $ _dietlibc_ver_min=27-7
 | $ echo ${_dietlibc_ver_min%%[!0-9]*}
 | 27

 seems to be the correct result.

 Exactly, if it is in the shell. But due to [] being the m4 quotes, you
 have to write that as

 dietlibc_ver_min=${_dietlibc_ver_min%%[[!0-9]]*}

 in m4/ensc_dietlibc.m4.

argll... stupid error. Thx for detecting it.



Enrico
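The two messages above hinge on the `${var%%[!0-9]*}` expansion: it strips everything from the first non-digit onwards, so a Debian-style version "0.27-7" yields the minor number 27, and inside an autoconf m4 file the brackets must be doubled (`[[!0-9]]`) because `[` and `]` are m4's quote characters. The following is an added example, not util-vserver's own configure code, that carries the same parameter expansions through a small version check in plain sh; the function names `dietlibc_major`, `dietlibc_minor` and `dietlibc_version_ok` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not util-vserver's m4 code): parse a dietlibc version
# string such as "0.27-7" (packaging suffix) or "0.28" and compare it
# against a required minimum.  Written for the shell directly; when the
# same expansions are embedded in m4/autoconf, write [[!0-9]] instead of
# [!0-9] because m4 consumes one level of brackets.

# Leading digits of the string: "0.27-7" -> "0"
dietlibc_major() {
    printf '%s\n' "${1%%[!0-9]*}"
}

# Digits after the first dot: "0.27-7" -> "27", "0.28" -> "28"
dietlibc_minor() {
    case $1 in
        *.*) v=${1#*.} ;;              # drop "0." -> "27-7"
        *)   v= ;;                     # no minor component at all
    esac
    printf '%s\n' "${v%%[!0-9]*}"      # cut at the first non-digit -> "27"
}

# dietlibc_version_ok VERSION REQ_MAJOR REQ_MINOR
#   0 when VERSION >= REQ_MAJOR.REQ_MINOR, 1 when too old,
#   2 when VERSION cannot be parsed at all.
dietlibc_version_ok() {
    maj=$(dietlibc_major "$1")
    min=$(dietlibc_minor "$1")
    if [ -z "$maj" ] || [ -z "$min" ]; then
        return 2
    fi
    if [ "$maj" -gt "$2" ]; then
        return 0
    fi
    if [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; then
        return 0
    fi
    return 1
}

# Constructed inputs covering the suffixed case from the thread.
for ver in 0.27-7 0.28 0.26 garbage; do
    if dietlibc_version_ok "$ver" 0 27; then
        echo "$ver: major $(dietlibc_major "$ver") minor $(dietlibc_minor "$ver"): ok"
    else
        echo "$ver: rejected (status $?)"
    fi
done
```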

