Re: [Vserver] IPTables and limiting inter-vserver communication
> I would like to use IPTables to block the client vservers from talking to each other but since they all have the same MAC address, this becomes problematic. What is the current best practice for doing this?

Have you tried blocking all traffic between local IPs except if source and destination are the same? As long as you don't give the NET_ADMIN or NET_RAW capabilities to the guest, the users in there cannot spoof the IP.

baltasar

((( Baltasar Cevc )
World wide web:
# http://www.openairkino.net/ (a project for the local youth; German only)
# http://technik.juz-kirchheim.de/ (programming and admin projects)
# http://baltasar.cevc-topp.de/ (private homepage)
) Phone: +49 176 23 22 08 22 )

PGP.sig
Description: This is a digitally signed message part

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Localhost definition problem with Postfix/Amavisd-new
Hi Alejandro,

> But I can't put the mail server to work because the Postfix can't establish a connection to the amavisd. Because of the variety of components I suspect that amavisd-new, spamassassin or clamav are hardcoded to 127.0.0.1, so I can't use a private non-routable IP as localhost.

I use exactly that setup in a vserver. Clamd can use sockets to communicate, in amavisd-new you can set all the IP addresses. The setup does not use spamd, as amavisd-new has native support for SpamAssassin. Try modifying your amavisd and clamd settings to reflect that, it should definitely work.

In amavisd.conf the following variables should do:

    ##
    # M T A   I N T E R F A C E   A N D   D O M A I N S
    ##
    # where to forward checked mail
    $forward_method = 'smtp:1.2.3.4:fromamavis';
    # where to submit notifications
    $notify_method = 'smtp:1.2.3.4:fromamavis';
    # where to listen for incoming mail
    $inet_socket_port = 2005;
    $inet_socket_bind = '1.2.3.4';
    # allow connections from these hosts only
    @inet_acl = qw( 127.0.0.1 ::1 1.2.3.4 );

Hope that helps,
Baltasar
Re: [Vserver] bastion host
Hi Gislain,

On 23.04.2007, at 09:27, ADNET Ghislain wrote:

> I run vserver to isolate webserver from the real host. From time to time I have a process that runs wild and blocks everything. I cannot even connect (ssh) to the Host. Which would be the more efficient way to configure the system so that vservers cannot prevent the host to work even if they are at max disk/network/cpu usage. The host itself does only run ssh and some monitoring tool. So it stays idle most of the time. The goal is to always be able to connect to the host and manage things from here to recover from issues. What best practice do you use with vservers to achieve this goal?

You'll have to configure resource limits - see the following wiki pages for details:

- http://linux-vserver.org/Resource_Limits
- http://linux-vserver.org/Memory_Limits

However, there's one thing I wasn't able to cure using these: when guest and host use the same HDD, the host can become horribly slow when a guest does serious IO (I had that problem on a machine with a single PATA drive). This didn't prevent a login, though; the only thing was everything was painfully slow when the machine was 99% waiting for IO.

Baltasar
Re: [Vserver] raising individual interface devices
Hi Chuck

Quoting Chuck [EMAIL PROTECTED]:

> is there a way to raise an individual interface device in a vserver without restarting the entire server? i am installing several vservers that will require various ip addresses for specific SSL certs added one at a time but should not down the entire service just to do so..
>
> eg:
> /etc/vservers/guestname/interfaces/0
> /etc/vservers/guestname/interfaces/1
>
> then i want to add
>
> /etc/vservers/guestname/interfaces/2
>
> and bring it alive without disturbing 0 or 1 or the operation of any services under them.

Add the interface configuration, add the IP to the interface on the host (ip addr add dev yyy, as far as and enter the vserver (using vserver enter); the newly opened session in the context knows the new IP, too. So you may restart your Webserver then and use the new IP.
Re: [Vserver] raising individual interface devices
Hi Chuck

Quoting Chuck [EMAIL PROTECTED]:

> is there a way to raise an individual interface device in a vserver without restarting the entire server? i am installing several vservers that will require various ip addresses for specific SSL certs added one at a time but should not down the entire service just to do so..
>
> eg:
> /etc/vservers/guestname/interfaces/0
> /etc/vservers/guestname/interfaces/1
>
> then i want to add
>
> /etc/vservers/guestname/interfaces/2
>
> and bring it alive without disturbing 0 or 1 or the operation of any services under them.

Add the interface configuration, add the IP to the interface on the host (ip addr add dev yyy, as far as and enter the vserver (using vserver enter); the newly opened session in the context knows the new IP, too. So you may restart your Webserver then and use the new IP.

Sorry, I've accidentally hit send - here's the complete text I wanted to write ;-)

Add the interface configuration, add the IP to the interface on the host (ip addr add dev yyy) - so the host knows the IP (which is normally done by vserver start). Then enter the vserver (using vserver enter); the newly opened session (your bash process or similar) in the context knows the new IP, too. So you may add it to your Webserver config and restart it (now having the newly assigned IP, too).

Hope that helps,
Baltasar
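As an added example (not from the thread and not util-vserver's own code), here is the procedure from the reply as a script: write the new interfaces/N entry so the next vserver start picks it up, put the address on the host interface, and restart the service from a fresh entry into the context. Assumed: the util-vserver flower-page layout with ip, prefix and dev files under /etc/vservers/<guest>/interfaces/<n>/, the guest names web1/web2 and addresses in 10.0.0.0/24 used in the comments, and root on the host. The address is refused when another guest's configuration already carries it: two guests on one address can no longer be told apart by the host's packet filter.

```shell
#!/bin/sh
# Added example: add an address to a running Linux-VServer guest without a restart.
# Assumptions: util-vserver config under /etc/vservers/<guest>/interfaces/<n>/
# with the files ip, prefix and dev; run as root on the host.

VSERVERS_DIR=${VSERVERS_DIR:-/etc/vservers}

# Print the config file of another guest that already carries the address, and
# succeed, if there is one. Two guests on one address cannot be distinguished by
# the host's iptables rules, so such a request must be refused.
ip_in_use_by_other_guest() {     # $1 guest, $2 ip
    for f in "$VSERVERS_DIR"/*/interfaces/*/ip; do
        [ -f "$f" ] || continue
        case "$f" in "$VSERVERS_DIR/$1/"*) continue ;; esac
        [ "$(cat "$f")" = "$2" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Next unused interfaces/<n> index for the guest (0, 1, 2, ...).
next_iface_index() {             # $1 guest
    n=0
    while [ -d "$VSERVERS_DIR/$1/interfaces/$n" ]; do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# Write interfaces/<n>/{ip,prefix,dev} and print the index that was used.
# This is the part "vserver start" reads, so the address survives a restart.
write_iface_config() {           # $1 guest, $2 ip, $3 prefix, $4 dev
    if other=$(ip_in_use_by_other_guest "$1" "$2"); then
        echo "refusing: $2 is already configured in $other" >&2
        return 1
    fi
    n=$(next_iface_index "$1")
    d="$VSERVERS_DIR/$1/interfaces/$n"
    mkdir -p "$d"
    printf '%s\n' "$2" > "$d/ip"
    printf '%s\n' "$3" > "$d/prefix"
    printf '%s\n' "$4" > "$d/dev"
    printf '%s\n' "$n"
}

# The live part: what "vserver start" would have done for this address, then a
# service restart from a fresh entry into the context, which sees the address.
add_live_address() {             # $1 guest, $2 ip, $3 prefix, $4 dev, $5 init script in the guest
    write_iface_config "$1" "$2" "$3" "$4" >/dev/null || return 1
    ip addr add "$2/$3" dev "$4"
    vserver "$1" exec "$5" restart
}

# Usage: sh add-guest-ip.sh web1 10.0.0.3 24 eth0 /etc/init.d/apache2
if [ $# -eq 5 ]; then add_live_address "$@"; fi
```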
Re: [Vserver] Routing in VServers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15.02.2007, at 08:30, Asier Baranguán wrote:

> Herbert Poetzl wrote:
>> http://www.faqs.org/docs/iptables/traversingoftables.html
>> note, in recent kernels the local tables can be selected independently IIRC ...
>
> Hmm... one question not directly related to this. My guests work with 'eth0' interface but I've seen in some mails from the list that people make their guests work with the dummy0 interface. What's the advantage of using it? I can't see the point :-?

I'd say there is no technical advantage - I sometimes do that if I want to have public and private IP addresses separated (I use eth0 for public ones and dummy0 for private ones). The communication is taking place on 'lo' anyway; traffic going to the outer space will be routed as usual by the host. So even with my dummy0 setup, I have to set up SNAT/masquerading for connections to the outer space.

As far as I can see some people (that was what I thought at the beginning, too) don't want to have the guest to guest traffic on eth0 and use dummy. This is, of course, pointless, as the kernel takes care of that and has all that traffic on lo.

Hope that answers your question
Baltasar

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFF1CnUp2YsmzTbIwYRAhQOAJ9QpQsqbZ/N5dExGzmvsXGIPODzMQCgjVOq
jFSAekO7bRtdZ63UI+IgKwU=
=TSzn
-----END PGP SIGNATURE-----
Re: [Vserver] Disconnect on vserver build
> I've a problem to install vserver on a dedicated server. In fact, I only access it with ssh. My problem isn't really the installation but the build. When I launch a vserver build image (I follow this tutorial), after the second yum, I'm disconnected from my ssh and I cannot reconnect without restarting the server. Do you know why? Can I have a very verbose log somewhere?

If I understand you right, you are logged into the vserver host, not a guest - so starting a vserver should normally not affect you. If it does anyway, it's probably due to the fact that your vserver has too many capabilities (or you don't use the capabilities at all). In this case, the guest can overwrite the network configuration. So try to check whether your kernel supports capabilities and limit them. (Maybe you need to load the module or recompile with the capability functionality in the base kernel).

> PS: My vserver host is on FC6 and vserver too :)

Or do you mean you're trying to run vservers in a vserver guest? That is not supported, as a guest is not a machine but only a restricted environment using the same kernel as the host.

Baltasar
Re: [Vserver] How to show processes
On 29.01.2007, at 18:10, Peter Matulis wrote:

> I am new to linux vserver and I have inherited a machine running it. I may be wrong but I believe this machine should be running quite a few processes but this is not the case when I issue the ps command. Does each vserver partition the output of its processes? If so, how do I access this information?

You may use "vserver name enter" and ps to display the processes in one vserver. To see all the processes running on the machine use 'vps' on the host.

Hope that helps,
Baltasar
Re: [Vserver] Quota on shared partiton using derjohn kernel 2.6
On 16.11.2006, at 19:41, Herbert Poetzl wrote:

> if your interest and engagement for per context quota is significantly longer than a few hours, then there should be no problem adding and testing this

I'm interested, too. However I don't have a test environment set up at the moment and don't know when I'll be able to do that. But if you'd start, I should be able to change that ;-) (However, I would only have 1 or 2 Pentium machines, so I could only test on a very small scale).

Anyway, thanks for the efforts. Linux-VServer really rocks!

Baltasar
Re: [Vserver] Set default gateway for a guest
Hi Attila,

On 03.11.2006, at 15:25, Attila - Van der Velde Media wrote:

> How can I set a default gateway for a guest? Now a guest cannot reach the internet. When I type route on the command line within the guest, gateway shows *

The routing is a kernel thing - thus it's done 'by the host' for all the vservers (same applies to packet filtering). You have to change the routes on the host. I'd check the packet filter and the routing (do that on the host). It may also be a resolver problem (maybe you haven't set up /etc/resolv.conf in the guests, or their IPs aren't considered valid clients on the nameserver you try to reach).

If you want different routing, depending on the vserver you're using, you'll probably want to set up advanced routing (IPRoute2, ip route command, see the Linux Advanced Routing and Traffic Control HOWTO for starting points).

Baltasar
Re: [Vserver] Postgres, Vserver Firewall
On 22.10.2006, at 03:58, Herbert Poetzl wrote:

>>> SRC=10.0.0.151 DST=10.0.0.151 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5432 DPT=54937 WINDOW=32767 RES=0x00 ACK SYN URGP=0
>>>
>>> Which is pretty strange since - my firewall rules allow all connections from port 5432.
>>
>> I'd double-check the rules. Please note that you have lo traffic with non-lo IP addresses (as far as I can tell that's normally not the case without vserver). As far as I know the packets would have been from and to eth0 for example without the patched kernel.
>
> nope, wrong, the packets would look exactly the same without the vserver patch, local traffic is always 'local' and thus uses the loopback (lo) device
>
> what would have been different (on the host or with an unpatched kernel) is, that the command would have chosen 127.0.0.1 instead (given that this is available and assigned to lo, which is usually the case)
>
>> Vserver should not change anything with Netfilter, except for the fact that you have to set up the rules on the host and that the interface names may change.
>
> it doesn't change anything there. period.

Sorry, I obviously wrote nonsense. I just quickly thought about it, didn't check my assumptions and made up wrong conclusions because of that :-( Shame on me.

Baltasar
Re: [Vserver] Postgres, Vserver Firewall
Hi Marc,

On 20.10.2006, at 21:42, Marc Kalberer wrote:

> Hello, I get crazy on one prob. I'm migrating a normal server inside a vserver. I set up a postgres (7.4) server inside a vserver so it listens on the vserver-ip interface (10.0.0.151). When I connect using psql -h(vserverip) -Ublablabla (policy password) I got a
>
> IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.0.151 DST=10.0.0.151 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5432 DPT=54937 WINDOW=32767 RES=0x00 ACK SYN URGP=0
>
> Which is pretty strange since - my firewall rules allow all connections from port 5432.

I'd double-check the rules. Please note that you have lo traffic with non-lo IP addresses (as far as I can tell that's normally not the case without vserver). As far as I know the packets would have been from and to eth0 for example without the patched kernel. Vserver should not change anything with Netfilter, except for the fact that you have to set up the rules on the host and that the interface names may change.

Baltasar
Re: [Vserver] Vserver with Squid/Postfix
On 19.10.2006, at 15:59, Alejandro Cabrera Obed wrote:

> Dear all, I've built a vserver on Debian in order to install a Squid proxy server to use in my network and a Postfix mail server for local mail only. Squid has the squid.conf configuration file with some lines involving localhost and Postfix has the main.cf configuration file involving the 127.0.0.0/8 network block. In my vserver I've created just these dummy interfaces:
>
> eth0:vs1 10.0.0.1/24
> eth0:vs2 192.168.10.1/32 (non-routable)
>
> and in /etc/hosts I map localhost to 192.168.10.1. My questions are:
>
> 1) Is the mapping localhost to 192.168.10.1 a solution for squid.conf and main.cf lines involving localhost???

You have to change the lines that have the IP address or IP net specification. I positively know that Postfix _does not_ need an lo interface: I have a vserver without any lo mapping running with it; you'll just have to move content filters etc. to the IP of the vserver and use iptables to protect them from outside use. Anyway: the solution you proposed yourself is probably even nicer: have one public and one internal IP so that if your iptables will not work, you won't have people connect to the reinject interface of postfix and so on.

> 2) What is the solution for the mynetworks = 127.0.0.0/8 network block set up in the main.cf from Postfix???

You don't need the block. Just change mynetworks = vserver ip/24 and you'll effectively have the same results as a non-vserver with 127.0.0.1. Vserver will automatically map connects to localhost to the IP of the vserver then.

I'm not sure for Squid, but I think it does not make any assumptions about the existence of lo; so it'll probably either run or you will be able to make it run with small modifications (change all the 127.0.0.1/localhost occurrences in the squid.conf to some other IP).

In case you experience trouble with that you can mail me via PM or you may want to contact the Postfix/Squid mailing list - I'm quite sure there will be a simple solution for both services.

Baltasar
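Added example for this thread and for the "Localhost definition problem with Postfix/Amavisd-new" thread above; it is neither the posters' configuration nor Postfix's own code. It renders the main.cf and master.cf settings a guest without 127.0.0.1 needs and checks the one value that bites on a vserver host: a mynetworks such as 10.0.0.1/24 lets every other guest in the shared subnet relay through this Postfix via permit_mynetworks, so only the guest's own /32 (or loopback) is accepted. Assumed: guest address 10.0.0.1 in 10.0.0.0/24, amavisd listening on that address on port 2005 and reinjecting on port 10025; the master.cf entries follow the amavisd-new README layout.

```shell
#!/bin/sh
# Added example: Postfix settings for a Linux-VServer guest that has no lo/127.0.0.1,
# plus a check that mynetworks does not trust the other guests on the host.
# Assumptions: guest address 10.0.0.1 in a shared 10.0.0.0/24 guest subnet, amavisd
# on 10.0.0.1:2005 reinjecting on 10.0.0.1:10025 (both constructed for the example).

GUEST_IP=${GUEST_IP:-10.0.0.1}

# Host bits a prefix length leaves open (IPv4: /32 -> 0, /24 -> 8).
host_bits() { printf '%s\n' $((32 - ${1#*/})); }

# mynetworks on a vserver guest must be the guest's own address only. Anything
# wider in the guest subnet makes permit_mynetworks mean "relay for every other
# guest on this host". Succeeds for an acceptable entry, fails (1) otherwise.
check_mynetworks() {             # $1 is one mynetworks entry, e.g. 10.0.0.1/24
    case "$1" in
        127.*|'[::1]'*) return 0 ;;            # loopback never reaches other guests
        */32|*/128)     return 0 ;;            # a single host
        */*)            [ "$(host_bits "$1")" -eq 0 ] ;;   # any other IPv4 prefix shares the subnet
        *)              return 0 ;;            # bare address means /32
    esac
}

# main.cf lines: bind to the guest address, trust only the guest address, hand
# mail to amavisd on the guest address. lo is not assumed anywhere.
postfix_main_cf() {
    cat <<EOF
inet_interfaces = $GUEST_IP
mynetworks = $GUEST_IP/32
content_filter = amavis:$GUEST_IP:2005
EOF
}

# master.cf: the transport to amavisd and the reinjection listener. The listener
# is bound to the guest address and restricted to mynetworks, i.e. to amavisd on
# that same address; left open it is an unauthenticated SMTP entry point for
# everything that can reach the guest IP, including the other guests.
postfix_master_cf() {
    cat <<EOF
amavis    unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
$GUEST_IP:10025 inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=$GUEST_IP/32
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
}

# Usage: sh guest-postfix.sh check 10.0.0.1/24   (exit 1: entry trusts other guests)
#        sh guest-postfix.sh main >> main.cf ; sh guest-postfix.sh master >> master.cf
case "${1:-}" in
    check)  check_mynetworks "$2" ;;
    main)   postfix_main_cf ;;
    master) postfix_master_cf ;;
esac
```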
Re: [Vserver] PPP inside VServer
Hi Eugene,

I'm not sure, but that may be a privilege problem - try if it works when adding the appropriate capabilities if you haven't done so yet (I think it should be CAP_NET_ADMIN). However adding that capability is a security issue as the guest is allowed to change too many network settings then.

Hope that's a starting point, greetings from Regensburg, Germany
Baltasar
Re: [Vserver] How to discover the real IP Address?
Hi Flavio,

> how can I check and discover the real host's IP address and hostname?

What do you mean by real? There should not be any direct way to discover the host (the main linux distro, which has access to all the vservers and can administer them) from inside a guest (one of the vservers); if you want to know the guest IP, use "ip addr show" (ifconfig will not work as expected, it's deprecated anyway). You can get the system hostname using "hostname"; the network hostname (which is the same as far as I know) can also be displayed using "uname -n". If you are interested in the hostname associated with that IP (which is what's important to network services), use "host <ip address>" if you have the bind DNS tools installed (which should be the case in most distributions).

Hope that helps,
Baltasar
Re: [Vserver] Protecting guests' interfaces
Hi,

>>> Is there any way to restrict a guest from accessing some interfaces or services of other guests?
>>
>> The guest can only actively use the interfaces assigned to it (see the great flower page, /etc/vservers/vserver-name/interfaces about that), however, it can connect to other guests' interfaces. So if you talk about blocking network connections between the hosts, that would be a firewall thing, you'd have to set up iptables to get there.
>
> Yes, I know. But I have not succeeded in restricting access by iptables, either. It seems that no iptables rules are used when the IP packets are delivered inside the host. At least inside one device. Or do I have a bug in my rules?

Locally generated packets traverse somewhat different chains than packets from the internet; when using the appropriate chains, they should be filtered (well, it worked for me); as I currently don't have any special treatments for specific packets, I don't have the right chain in mind, you should be able to find it here, though: http://www.faqs.org/docs/iptables/traversingoftables.html

Hope that helps,
Baltasar
Re: [Vserver] Protecting guests' interfaces
Hi Teemu,

> Is there any way to restrict a guest from accessing some interfaces or services of other guests?

The guest can only actively use the interfaces assigned to it (see the great flower page, /etc/vservers/vserver-name/interfaces about that), however, it can connect to other guests' interfaces. So if you talk about blocking network connections between the hosts, that would be a firewall thing, you'd have to set up iptables to get there.

Baltasar
Re: [Vserver] can't terminate OpenVPN tunnel within a vserver?
Hi,

On 04.07.2006, at 10:29, Daniel W. Crompton wrote:

> On 7/3/06, Eugen Leitl [EMAIL PROTECTED] wrote:
>> On Mon, Jul 03, 2006 at 12:12:34PM +0200, Baltasar Cevc wrote:
>>>> I can't have an OpenVPN tunnel terminate in a vserver, can I?
>
> You can, I just did it yesterday. You need to set the following in the file bcapabilities:
>
> CAP_NET_ADMIN
> CAP_NET_RAW

I haven't tested it myself as I run OpenVPN in the host system only, but I'd say that these caps are not nice to give to a guest; as far as I know, you could more or less do any network operation (for any interface) in the guest then. However, maybe you will have to do this to get it working. I can't remember any option that could make OpenVPN use an already existing interface (I don't know how tun/tap work, thus whether that would be feasible at all). It should be worth searching the OpenVPN and/or kernel docs about that, though.

Just quickly searching around, my understanding is that you have to create the tun device on the host (which is what you want from a security perspective). Afterwards you can assign it to a guest and OpenVPN should be happy to use that one. However that seems to work with tap, I assume it won't work using tun as a device.

> Add if you want to load the module inside the vserver on access:
>
> CAP_SYS_MODULE

That would be quite crazy, I'd say. You could load anything, thus provide the guest with any privilege ever wanted... You absolutely want to load the modules manually on the host and never give the guest permission to do so.

> Add if you want to mknod the device inside the vserver:
>
> CAP_MKNOD

Quite dangerous, too, as it enables you to access the whole HD for example.

Baltasar
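Added example (not from the thread, from OpenVPN or from util-vserver) for this thread and for the "PPP inside VServer" thread above: do the device work on the host, as the reply suggests, so the guest needs neither CAP_MKNOD nor CAP_SYS_MODULE, grant only the two capabilities the thread names, and audit what a guest's bcapabilities file hands out. Assumed: util-vserver's /etc/vservers/<guest>/bcapabilities with one CAP_ name per line, the guest root under /etc/vservers/<guest>/vdir, /dev/net/tun as character device 10,200, and a guest called vpn in the usage line only.

```shell
#!/bin/sh
# Added example: host-side device setup and a capability audit for a Linux-VServer
# guest that terminates an OpenVPN (or PPP) link. Assumptions: util-vserver layout
# /etc/vservers/<guest>/bcapabilities (one CAP_ name per line) and the guest root in
# /etc/vservers/<guest>/vdir; /dev/net/tun is char 10,200. Run as root on the host.

VSERVERS_DIR=${VSERVERS_DIR:-/etc/vservers}

# Capabilities that hand the guest the host: module loading, device node creation,
# raw sockets and interface/route control. The last two are what OpenVPN needs and
# are still reported, so that they are never granted quietly.
DANGEROUS_CAPS="CAP_SYS_MODULE CAP_MKNOD CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_NET_ADMIN CAP_NET_RAW"

# Print the dangerous capabilities a guest has been granted, one per line, in the
# order above. Exit 1 when any is found, 0 when the grant list is clean or absent.
audit_bcapabilities() {          # $1 guest
    f="$VSERVERS_DIR/$1/bcapabilities"
    found=0
    [ -f "$f" ] || return 0
    for cap in $DANGEROUS_CAPS; do
        if grep -qx "$cap" "$f"; then
            printf '%s\n' "$cap"
            found=1
        fi
    done
    return $found
}

# Create the tun node inside the guest's /dev from the host and load the module on
# the host, so the guest needs neither CAP_MKNOD nor CAP_SYS_MODULE.
install_tun_node() {             # $1 guest
    dev="$VSERVERS_DIR/$1/vdir/dev/net"
    mkdir -p "$dev"
    [ -c "$dev/tun" ] || mknod -m 0660 "$dev/tun" c 10 200
    modprobe tun
}

# Grant exactly the two capabilities the thread names, once each (idempotent).
grant_openvpn_caps() {           # $1 guest
    f="$VSERVERS_DIR/$1/bcapabilities"
    for cap in CAP_NET_ADMIN CAP_NET_RAW; do
        grep -qx "$cap" "$f" 2>/dev/null || printf '%s\n' "$cap" >> "$f"
    done
}

# Usage: sh guest-vpn.sh vpn   (prepares the device, grants the caps, prints the audit)
if [ $# -eq 1 ]; then
    install_tun_node "$1"
    grant_openvpn_caps "$1"
    audit_bcapabilities "$1" | sed 's/^/granted dangerous capability: /'
fi
```

The audit deliberately lists CAP_NET_ADMIN and CAP_NET_RAW as well: with them the guest can reconfigure any interface and forge source addresses, which is exactly what the inter-guest iptables isolation elsewhere on this page relies on being impossible, so the grant has to be a conscious decision per guest.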
Re: [Vserver] can't terminate OpenVPN tunnel within a vserver?
Hi Eugen,

> Setting up openvpn (2.0-1sarge3) ...
> /bin/mknod: `/dev/net/tun': Operation not permitted
>
> I can't have an OpenVPN tunnel terminate in a vserver, can I?

I'm not sure about the exact answer - the error you've got is because you don't have the capability to create devices - there's some information about OpenVPN in Vservers in the following page, maybe that helps: http://linux-vserver.org/some_hints_from_john (search for openvpn in that page)

Baltasar
Re: [Vserver] Timeout and SIGKILL error upon guest stop
Hi Youri,

I experienced some strange hanging when DNS resolving did not work. I had such problems with MySQL, I'm not sure about other daemons, but that may be a point to check. As another point to search, I'd try to stop the daemon manually and do an strace on some of the processes at the same time - that may show what it's doing.

Baltasar
Re: [Vserver] Plesk in vserver
I'm not sure whether I've correctly understood what you mean. Doesn't qmail start? When that's your problem, I assume the solution would be to create an init script or to use the real init instead of fakeinit. DJB's daemontools usually start using the inittab which will fail with fakeinit, as fakeinit will only start the init scripts that are in the current runlevel (or some default runlevel; I'm not sure about that). So try to create an init script with the following contents and link it to the appropriate place:

    #!/bin/csh
    # svscanboot never returns, so background it or the init sequence blocks here
    /command/svscanboot &

Hope that helps,
Baltasar
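An added example (not from the thread and not daemontools' own code) of the init script the reply suggests, written so that a fakeinit guest can also stop the services cleanly: svscanboot never returns, so it has to be backgrounded, and on stop the scanner has to go first (otherwise it respawns supervise) before every service and its log are taken down with svc -dx. Assumed: daemontools in /command, service directories in /service (both overridable through the environment) and procps pgrep/pkill in the guest.

```shell
#!/bin/sh
# Added example: init script that runs daemontools' svscan inside a Linux-VServer
# guest under fakeinit, which does not process /etc/inittab. Assumptions: daemontools
# in /command, services in /service (overridable below), procps pgrep/pkill present.

SVSCANBOOT=${SVSCANBOOT:-/command/svscanboot}
SERVICE_DIR=${SERVICE_DIR:-/service}

# Every service directory and its log subdirectory: the set svc must bring down
# (-d) and whose supervise must exit (-x) on shutdown. One path per line.
svc_targets() {
    for d in "$SERVICE_DIR"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        printf '%s\n' "$d"
        if [ -d "$d/log" ]; then printf '%s\n' "$d/log"; fi
    done
    return 0
}

svscan_start() {
    if pgrep -x svscan >/dev/null; then
        echo "svscan already running" >&2
        return 0
    fi
    # svscanboot never returns (it runs svscan under readproctitle), so it is
    # backgrounded; under fakeinit nothing respawns it, hence this script.
    env - PATH=/command:/usr/local/bin:/usr/bin:/bin "$SVSCANBOOT" &
}

svscan_stop() {
    # Stop the scanner first so it cannot restart supervise, then take every
    # service and its logger down.
    pkill -x svscan 2>/dev/null || true
    targets=$(svc_targets)
    if [ -n "$targets" ]; then
        # shellcheck disable=SC2086
        svc -dx $targets
    fi
}

# Usage: link as /etc/init.d/svscan and into the guest's default runlevel.
case "${1:-}" in
    start)   svscan_start ;;
    stop)    svscan_stop ;;
    restart) svscan_stop; sleep 1; svscan_start ;;
    "")      ;;   # sourced or run without an argument: only define the functions
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```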
Re: [Vserver] Vserver on DSL-Router. Problem with SNAT
Hi Juergen,

local packets will not traverse the POSTROUTING chain - use OUTPUT instead (I am not sure whether the MASQUERADE target will work there - if not, you'll have to script some automatic IP update...)

Hope that helps,
Baltasar
Re: [Vserver] Vserver on DSL-Router. Problem with SNAT
Hi Juergen,

> The OUTPUT nat chain is only able to dnat.

Now that you mention this I think I remember the point: OUTPUT is not the place to do it - you were right with POSTROUTING - I had a look at the configuration on my server - the relevant part looks like this:

    Chain POSTROUTING (policy ACCEPT)
    [...]
    SNAT  tcp  -- web_max.intern      !vservers.intern/24  to:ip1
    SNAT  udp  -- vservers.intern/24  !vservers.intern/24  to:ip2
    SNAT  tcp  -- vservers.intern/24  !vservers.intern/24  to:ip2
    SNAT  icmp -- vservers.intern/24  !vservers.intern/24  to:ip2

I haven't ever tried it with MASQUERADE, but the configuration mentioned here works.

Hope you will find a solution soon ;-)
Baltasar
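Added example (not from any of the threads, not util-vserver's code) that puts the points of this thread and of the "IPTables and limiting inter-vserver communication", "Protecting guests' interfaces" and "Routing in VServers" threads above into one host ruleset: packets between two guests never leave the kernel, they go OUTPUT to lo to INPUT whatever interface (eth0 or dummy0) the addresses sit on, so isolation is hooked on INPUT for lo; a guest may still reach its own address; and SNAT towards the outside goes in POSTROUTING with guest-to-guest traffic excluded, as in the listing above. Assumed: guests in 10.0.0.0/24 (10.0.0.151 from the Postgres thread among them), the host's own management address outside that subnet, public address 203.0.113.10 and 203.0.113.11 for one particular guest. The script only prints iptables-restore input; it changes nothing unless that output is piped into iptables-restore.

```shell
#!/bin/sh
# Added example: print host-side iptables rules (iptables-restore format) for a
# Linux-VServer host. Assumptions: guests in 10.0.0.0/24, host management address
# outside that subnet, public address 203.0.113.10, one guest with its own public
# address. Nothing is applied unless the output is piped into iptables-restore.

GUEST_NET=${GUEST_NET:-10.0.0.0/24}
GUEST_IPS=${GUEST_IPS:-"10.0.0.151 10.0.0.152 10.0.0.153"}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
GUEST_SNAT=${GUEST_SNAT:-"10.0.0.151=203.0.113.11"}   # guest_ip=public_ip pairs

# Filter table. Packets between two addresses of this box never reach FORWARD:
# they go OUTPUT -> lo -> INPUT, whichever interface the addresses are configured
# on, so isolation is hooked on INPUT for lo. A guest talking to its own address
# is let through (its web server reaching its own database). Only the IP pair
# tells guests apart here, since they share lo and the host's MAC; this holds
# only while guests lack CAP_NET_ADMIN/CAP_NET_RAW and cannot spoof the source.
filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':VS_ISOLATE - [0:0]'
    printf '%s\n' "-A INPUT -i lo -s $GUEST_NET -d $GUEST_NET -j VS_ISOLATE"
    for ip in $GUEST_IPS; do
        printf '%s\n' "-A VS_ISOLATE -s $ip -d $ip -j RETURN"
    done
    printf '%s\n' '-A VS_ISOLATE -j LOG --log-prefix "vs-isolate: "'
    printf '%s\n' '-A VS_ISOLATE -j DROP'
    printf '%s\n' 'COMMIT'
}

# NAT table. Locally generated packets do pass POSTROUTING, so SNAT for guests
# leaving the box belongs there. "! -d GUEST_NET" keeps guest-to-guest traffic
# untouched; rewritten to the public address it would reach the isolation rules
# with the wrong source. Per-guest mappings are more specific and come first.
nat_rules() {
    printf '%s\n' '*nat'
    for pair in $GUEST_SNAT; do
        printf '%s\n' "-A POSTROUTING -s ${pair%%=*} ! -d $GUEST_NET -j SNAT --to-source ${pair#*=}"
    done
    printf '%s\n' "-A POSTROUTING -s $GUEST_NET ! -d $GUEST_NET -j SNAT --to-source $PUBLIC_IP"
    printf '%s\n' 'COMMIT'
}

ruleset() { filter_rules; nat_rules; }

# Usage: sh vs-rules.sh --print | iptables-restore
if [ "${1:-}" = "--print" ]; then ruleset; fi
```

Shared services (a resolver or mail relay that every guest may talk to) get their own RETURN rules in VS_ISOLATE before the DROP. Loaded with iptables-restore -n the rules are appended to whatever is already in INPUT and POSTROUTING, so either load them once or, on a host whose filter and nat tables are entirely described this way, without -n.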
Re: [Vserver] ifconfig
At least on my server, ifconfig won't show the alias addresses. I use "ip addr show" when I want to show them.

Hope that helps!
Baltasar