Re: [Vserver] Hosts and Guests and NTP; oh my.

2007-07-03 Thread Corey Wright
On Tue, 03 Jul 2007 17:29:34 -0700
Roderick A. Anderson [EMAIL PROTECTED] wrote:

 Chuck wrote:
  On Tuesday 03 July 2007 19:07, Roderick A. Anderson wrote:
  I'm pretty sure a guest normally can't change the system clock 
  so I plan on having the host run ntpd for setting the system time
  and the guest provide the service to the network.
 
  Is this a disaster waiting to happen?  Are there any other/better ways 
  to do this?
  
  we run several time servers and to be honest i wouldn't even consider
  making a vserver guest a time server. let the host do it all. it takes
  literally no resources and is easy to configure. our 3 host machines
  each is a time server as well, offering ntp service to different
  portions of our networks.
  
  the time spent in massaging configurations to allow a vserver to serve
  time, if it can even be done properly,  is better spent in having a
  nice dinner :)
  
  i have found vservers answer 99.% of my needs, but ntp is one
  service i would not even consider for virtualizing.
  
  my 2 cents anyway :)
 
 A very excellent two pennies' worth.  The plan developed before I 
 remembered there might be an issue.  Not wanting to admit to others at 
 work it might not be so great I forged on.  Thanks for the clue-stick.

see Novell's AppArmor (though they got it when they bought some
security-focused linux distribution whose name i can't currently remember
and am too lazy to look up ;-).  it allows SELinux-like MAC (mandatory
access control), but better suited to securing particular applications
instead of the overhead/hassle of the entire system.

there are already policy files/descriptions/configurations for several
applications distributed with AppArmor, one of them being NTPd, but they
usually end up being distro-specific.  it's easy to create your own by
running NTPd under the control of a monitor (actually it creates a warn-all
policy that logs all exercised permissions to syslog), and when finished the
monitor asks you what permissions to allow based on the permissions NTPd
exercised while being monitored.

there's even a recorded video presentation of it from the 2006 FOSDEM (see
FOSDEM website).

this is what i'm about to implement (done all the preliminary research and
tried it on qemu as ubuntu already has packages, but i need to rebuild/port
it to debian) for services (NTP, SNMP) that require too many capabilities
to securely contain with Vserver in a guest and are easier to restrain with
AppArmor.

corey
-- 
[EMAIL PROTECTED]
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Re: Re: Re: Re: Re: Re: java crash in vserver...

2007-05-12 Thread Corey Wright
On Sat, 12 May 2007 17:36:24 +0200
Herbert Poetzl [EMAIL PROTECTED] wrote:

 On Sat, May 12, 2007 at 09:13:19AM +0200, Jan Zuchhold wrote:
  The problem is caused by running out of space on /tmp. 
  You mount that on tmpfs, specified in fstab in the 
  vserver-config dir:
  
  none   /tmp   tmpfs   size=16m,mode=1777  0 0
  
  If you remove or comment-out this line (or increase 
  the size), it works.
 
 nice one, tx, btw, 16MB for /tmp should be more
 than sufficient for properly written programs,
 (larger temporary files go to /var/tmp)

i must respectfully disagree.  i have never heard of such a rule and the
FHS
(http://www.pathname.com/fhs/pub/fhs-2.3.html#VARTMPTEMPORARYFILESPRESERVEDBETWEE)
doesn't include that justification either.

and that is why i am on record as saying:

 btw, i hate that useless default 16 MB tmpfs mount within the guests and
 removing it from /etc/vservers/guest/fstab is one of the first things i do
 upon creating a new guest.
- http://www.paul.sladen.org/vserver/archives/200702/0014.html

when i last cared to check which directory applications used for temporary
files (to ensure libpam-tmpdir, automatic per-user temporary directories,
was effective) i only ever saw /tmp (hard-coded unfortunately), TMP,
or TMPDIR used, and those variables do not distinguish between maximum
temporary file size.

i consider this the only wart of linux-vserver.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Hashify 'etch' trouble?

2007-05-11 Thread Corey Wright
On Fri, 11 May 2007 08:04:49 +0100
Ben Green [EMAIL PROTECTED] wrote:

 On Fri, 11 May 2007 04:05:21 +0100, Corey Wright [EMAIL PROTECTED]
 wrote:
 
  the only problems i've encountered without COW are:
 
 Excellent, thank you for that, those were exactly the sorts of problems I
 expected.
 
 I'd like to read the thread about pruning and the patches. The archive
 doesn't search well through google and has no inbuilt search. Any idea
 when the discussion was? I would prefer not to load anyone's servers (and
 my HD) by downloading the lot.

i found the relevant marked/flagged emails in my personal email archive and
then searched google for the quoted email subject.

clean-up hash directory
http://www.paul.sladen.org/vserver/archives/200609/0016.html

dpkg fails when upgrading hashified setuid files
http://www.paul.sladen.org/vserver/archives/200608/0045.html

suggestion for hashify improvement
http://www.paul.sladen.org/vserver/archives/200609/0163.html

seems paul has the better vserver mailing list archive, at least in
google's opinion. ;-)

i can't vouch for tim's patch against vhashify because i haven't gotten
around to applying it (but i plan on doing it when i upgrade from sarge to
etch and upgrade the util-vserver package).  please let us know how it
goes if you do it.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Hashify 'etch' trouble?

2007-05-10 Thread Corey Wright
On Thu, 10 May 2007 17:46:48 +0100
Ben Green [EMAIL PROTECTED] wrote:

 What I want to know is can vhashify be used within older vserver setups,
 specifically Debian 'etch' with its non-COWed kernel. What precautions
 would I need to take and what things can't I do inside these guest
 servers?

my setup for nearly 1.5 years:
- debian sarge
- ubuntu & debian 2.6 kernels
- 2.0.x vserver kernel patches
- util-vserver backported from etch/testing (0.30.208-0.30.210)

i've been vhashifying that whole time.  (that was one of my motivations for
using vserver as i wanted to efficiently run over a dozen apache & thttpd
servers each in their own guest.)

the only problems i've encountered without COW are:

1. slapping my forehead when i accidentally vhashify /etc, try to modify a
config file, and spend several minutes trying to figure out why i can't
modify the file though i've set it u+w.  (that happened sometime in the
beginning and only happened once. ;-)

2. upon upgrading or uninstalling a package containing set[ug]id files, dpkg
tries to unset the set[ug]id bit of the files (as a security precaution in
case someone has hardlinked it and is keeping it around waiting for an
exploit to be found in it).  of course this fails as the hashified file
cannot be modified, but even worse dpkg stumbles on making a mess without
reporting an error/failure.  i patched dpkg to not unset the file.  another
debian user patched vhashify to skip set[ug]id files, which is the more
proper solution (i only patched dpkg because it was the easier solution
having already found the problematic code in dpkg while debugging the
problem).  see the vserver mailing list archives for our patches.  see bug
http://bugs.debian.org/382760 for my dpkg bug report.

those are the two problems i've ever found.

a tip is to rehashify your vservers and prune your .hash directory after
package updates.  you can find a discussion on pruning scripts that i
prompted on the mailing list sometime ago.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] apt-proxy on vserver host

2007-02-09 Thread Corey Wright
On Fri, 9 Feb 2007 12:52:37 + (GMT)
Konstantinos Pachopoulos [EMAIL PROTECTED] wrote:

 Hi,
 i am trying to set-up apt-proxy on the root server
 of my virtual network. Do i need to tweak the
 iptables? In general, i think that i have to change
 the iptables settings only when vserver guests need to
 communicate with each other.

i don't know what your exact requirements are, but here's my apt-proxy
setup:
- debian sarge guest called apt-proxy (both vserver name, host name, and
dns name) with non-internet-routable ip address (same as local network)
- apt-proxy, and only apt-proxy, installed in apt-proxy guest
- all other guests retrieve updates by way of apt-proxy in apt-proxy guest
- apt-proxy installation currently only used by guests on same host, not
because of technical limitations, but i only use that apt-proxy for sarge
and all my sarge installations are guests on that same host

you shouldn't have to use iptables unless maybe the host has the only
externally accessible ip address (either accessible by the local network or
internet) and you'll have to route connections received by the host to the
guest.

i've never had to do any unique routing with my vserver installation (except
port-forwarding from the firewall to the ip address of the guests as my
local network is behind a NAT).

maybe i'm missing something unique about your setup and you need to share
your network configuration (ie guest, host, network).

corey
-- 
[EMAIL PROTECTED]


Re: Fw:Re: [Vserver] ACL on guest

2007-02-03 Thread Corey Wright
On Sat,  3 Feb 2007 13:57:53 +0100
Jean-Michel Caricand [EMAIL PROTECTED] wrote:

 I use this patch and this kernel: vs2.0.2.1, 2.6.17.13
 
 On my guest (lifc-svnlmd) :
 -
 
 lifc-svnlmd:/# mount
 /dev/hdv1 on / type ufs (defaults)
 none on /proc type proc (0)
 none on /tmp type tmpfs (size=16m,mode=1777)
 none on /dev/pts type devpts (gid=5,mode=620)
 lifc-svnlmd:/#
 
 lifc-svnlmd:/# cat /proc/mounts
 rootfs / rootfs rw 0 0
 /dev/root / ext3 rw,data=ordered 0 0
 none /proc proc rw,nodiratime 0 0
 none /tmp tmpfs rw,nodev 0 0
 none /dev/pts devpts rw 0 0
 lifc-svnlmd:/#
 
 lifc-svnlmd:/# export LC_ALL=C LANG=C
 lifc-svnlmd:/# touch /tmp/toto; setfacl -m u:root:rxw /tmp/toto
 setfacl: /tmp/toto: Operation not supported
 lifc-svnlmd:/#
 
 Apparently, I can't use ACL in my guest. I am surprised
 because I can use ACL on the host (the root filesystem for the
 guest is mounted with ACL support on the host).
 
 On my host (lifcsys3) :
 -
 
 lifcsys3:~# mount
 /dev/hda3 on / type ext3 (rw,errors=remount-ro)
 proc on /proc type proc (rw)
 sysfs on /sys type sysfs (rw)
 devpts on /dev/pts type devpts (rw,gid=5,mode=620)
 tmpfs on /dev/shm type tmpfs (rw)
 /dev/hda2 on /boot type ext3 (rw)
 /dev/mapper/host-usr on /usr type ext3 (rw)
 /dev/mapper/host-var on /var type ext3 (rw)
 /dev/mapper/host-lifc--webmail on
 /var/lib/vservers/lifc-webmail type ext3 (rw)
 /dev/mapper/host-lifc--glpi on /var/lib/vservers/lifc-glpi
 type ext3 (rw)
 /dev/mapper/host-lifc--darkvador on
 /var/lib/vservers/lifc-darkvador type ext3 (rw)
 usbfs on /proc/bus/usb type usbfs (rw)
 /dev/mapper/host-lifc--svnlmd on /var/lib/vservers/lifc-svnlmd
 type ext3 (rw,acl)
 lifcsys3:~#
 
 lifcsys3:~# cat /proc/mounts
 rootfs / rootfs rw 0 0
 /dev2/root2 / ext3 rw,data=ordered 0 0
 proc /proc proc rw,nodiratime 0 0
 sysfs /sys sysfs rw 0 0
 devpts /dev/pts devpts rw 0 0
 tmpfs /dev/shm tmpfs rw 0 0
 /dev/hda2 /boot ext3 rw,data=ordered 0 0
 /dev/mapper/host-usr /usr ext3 rw,data=ordered 0 0
 /dev/mapper/host-var /var ext3 rw,data=ordered 0 0
 /dev/host/lifc-webmail /var/lib/vservers/lifc-webmail ext3
 rw,data=ordered 0 0
 /dev/host/lifc-glpi /var/lib/vservers/lifc-glpi ext3
 rw,data=ordered 0 0
 /dev/host/lifc-darkvador /var/lib/vservers/lifc-darkvador ext3
 rw,data=ordered 0 0
 usbfs /proc/bus/usb usbfs rw 0 0
 /dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3
 rw,data=ordered 0 0
 lifcsys3:~#
 
 lifcsys3:~# setfacl -m u:testuser:rwx
 /var/lib/vservers/lifc-svnlmd/tmp/toto
 lifcsys3:~# getfacl /var/lib/vservers/lifc-svnlmd/tmp/toto
 getfacl: Removing leading '/' from absolute path names
 # file: var/lib/vservers/lifc-svnlmd/tmp/toto
 # owner: root
 # group: root
 user::rw-
 user:testuser:rwx
 group::r--
 mask::rwx
 other::r--
  
 lifcsys3:~#
 
 If it's possible to use ACL in a guest, where is my error?

the difference is due to namespaces.

when you write to /var/lib/vservers/lifc-svnlmd/tmp/ from context 0, you
are writing to the device /dev/host/lifc-svnlmd.

when you write to /tmp from the context of the guest, you are writing to
the tmpfs.

the tmpfs was mounted from the context of the guest, so context 0 (the
host or any other context) cannot see the mounted filesystem.  instead,
the host is writing to the original filesystem, not the mounted filesystem
as it cannot see it.

but of course since the tmpfs filesystem is mounted within the context of
the guest, the guest can see and write to it.  but the tmpfs was not
mounted with ACL support (if tmpfs even supports ACLs), so the guest cannot
use ACLs on the tmpfs, ie /tmp.  try using ACLs somewhere else within
the guest and it should work.

to better illustrate the point, do this:

host# vserver guest start
host# vserver guest enter
guest# mkdir /tmp/foo
guest# touch /tmp/foo/bar
guest# exit
host# ls -al /var/lib/vservers/guest/tmp/
host# touch /var/lib/vservers/guest/tmp/foo/bar

the last command should generate an error for obvious reasons (after you
analyze the output of ls -al for the tmp directory and realize the foo
directory you created within the guest is not there, or at least not
visible/accessible from the host).

this is no different than on a non-vserver host creating files within a
directory that serves as a mountpoint, then mounting a filesystem at that
mountpoint.  the files you created within the directory are still there
(under the newly mounted filesystem), but you cannot see them.  as soon as
you unmount the filesystem, you will again see the files within the
mountpoint directory.  the only difference is with vserver both the
mountpoint directory and the newly mounted filesystem are accessible at the
same time, just within different namespaces/contexts (host and guest).

it's all about different namespaces.  (and it really gets ugly when you
have to create a lvm snapshot within the context of the host, but mount it
within the context of several running guests, because you have to
separately mount it within 
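The namespace difference described above can be checked rather than inferred: compare the listing a guest gets from its own /proc/mounts with the host's, translating guest paths to where they would sit on the host. This is an added example, not from the thread; it is fed with the two /proc/mounts listings quoted above (host list trimmed to the relevant lines). On a live system pass the output of `vserver lifc-svnlmd exec cat /proc/mounts` (the exec subcommand is assumed to exist in your util-vserver) and the host's /proc/mounts instead.

```shell
#!/bin/sh
# Added example: which mounts does a guest see that the host does not?

# Constructed sample: what the guest lifc-svnlmd reports in /proc/mounts.
GUEST_MOUNTS='rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
none /proc proc rw,nodiratime 0 0
none /tmp tmpfs rw,nodev 0 0
none /dev/pts devpts rw 0 0'

# Constructed sample: the host's /proc/mounts, trimmed to the relevant lines.
HOST_MOUNTS='rootfs / rootfs rw 0 0
/dev2/root2 / ext3 rw,data=ordered 0 0
proc /proc proc rw,nodiratime 0 0
devpts /dev/pts devpts rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/host/lifc-svnlmd /var/lib/vservers/lifc-svnlmd ext3 rw,data=ordered 0 0'

# Succeed if the host listing ($1) has a mount exactly at path $2.
host_has_mount() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Print "mountpoint fstype options" for every mount the guest sees that the
# host does not have at <guest root on host><mountpoint>.
# $1 = guest /proc/mounts text, $2 = host /proc/mounts text,
# $3 = the guest's root directory as seen from the host.
guest_only_mounts() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts _; do
        if [ "$mnt" = "/" ]; then
            host_path=$3
        else
            host_path="$3$mnt"
        fi
        if ! host_has_mount "$2" "$host_path"; then
            printf '%s %s %s\n' "$mnt" "$fstype" "$opts"
        fi
    done
}

# Filesystem type backing guest path $2 in the guest listing $1 (last entry
# wins, as with overlapping mounts). Shows that the guest's /tmp is tmpfs,
# not the ext3 volume the host-side setfacl succeeded on.
guest_mount_type() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { t = $3 } END { print t }'
}

guest_only_mounts "$GUEST_MOUNTS" "$HOST_MOUNTS" /var/lib/vservers/lifc-svnlmd
```

Every line printed is a filesystem the host cannot reach through /var/lib/vservers/lifc-svnlmd/..., so ACLs, quotas and permissions set there from context 0 land on the underlying directory, not on what the guest uses.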

Re: [Vserver] future vserver on ubuntu

2006-11-23 Thread Corey Wright
On Thu, 23 Nov 2006 18:33:44 +
Martin [EMAIL PROTECTED] wrote:

 On Thu, 2006-11-23 at 11:30 -0500, Philippe Clérié wrote:
  It looks like Ubuntu is no longer going to include kernel-patch-vserver
  in the distribution. It's not in feisty. 
  
  The patch included in edgy does not apply to the stock linux sources
  (2.6.17) and edgy does not include 2.6.12/2.6.13/2.6.15 which the patch
  requires. And, there are no images at ubuntu.uni-klu.ac.at. 
  
  Does anyone know what the plans are?
 Debian have removed kernel-patch-vserver from testing/unstable but have
 started shipping a package with it pre-built on the current Debian
 kernel version, see linux-image-2.6-vserver-$ARCH .  As I understand it
 Ubuntu releases start from a partial snapshots of unstable, so the same
 is probably true.

wouldn't bet on it.  ubuntu maintains their kernels separate from debian.
don't know if they'll follow debian's lead in this area or not, but if they
do it won't be because they are simply reusing debian's packages from
unstable.

to answer the original poster: if you want an edgy kernel patched with
vserver, then download the kernel source package from
http://ubuntu.uni-klu.ac.at/ubuntu.uniklu/dists/dapper/uniklu-vserver/source/*2.6.17*
and build it yourself.  yes, the binary package appears to target dapper
(at least it's in the dapper repository; haven't compared the dependency
versions to see if they are the same as in dapper), but the source package
can probably be built on edgy no problem (as i simply rebuild the dapper
kernel on debian sarge).

my guess is that Gerald Hochegger is building/backporting the edgy kernel
for dapper because they've probably settled on dapper but need the newer
kernel version (2.6.17 vs 2.6.15) to support newer hardware.  (i'm
interested in how ubuntu handles supporting people/companies/organizations
running dapper long-term but needing to support newer machines not
supported in dapper's 2.6.15.  is dapper's long term support for
hardware going to be stuck in the year 2006?)

hth.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] jabber in a guest

2006-10-17 Thread Corey Wright
On Sat, 14 Oct 2006 23:12:02 -0400
Chuck [EMAIL PROTECTED] wrote:

 do i need any special b or c capabilities to run jabber 2 in a guest?

i'm running jabberd 1.4.3 in a guest with standard capabilities and no
problems.

i run all my transports in the same guest, all through 127.0.0.1 with no
problems.  for temporary testing purposes i have used transports in a
different guest connecting to the jabberd, by way of network ip address (ie
192.168.0.1), with no problem.

my jabberd is configured to accept s2s connections (ie talk.google.com) and
that works.

 i keep getting logs like this for its various elements:
 
 Oct 14 23:02:12 jabber jabberd/s2s[27854]: attempting connection to
 router at 127.0.0.2, port=5347
 Oct 14 23:02:12 jabber jabberd/s2s[27854]: [4] [router] write error: 
 Connection refused (111)
 Oct 14 23:02:12 jabber jabberd/s2s[27854]: connection to router closed
 
 
 or is it I just have to figure out configurations better?  i tried the
 same configs on the host and that ran.

if something doesn't work, i would say the problem is either in your use of
127.0.0.2 (which is network-wise no different than 127.0.0.1, an
internal-machine-routable-only ip address, but i still don't understand
vserver's handling of 127.0.0.0/8 as my usage of 127.0.0.1 has always
worked the way i needed) or your iptables configuration.

 the host of course protects the guests using iptables, and the 5222 port
 is passed but none of the other internal ones such as 5347. do i have to
 include them too? i am trying to move it off a host into a guest.  i
 tried mapping everything to the guest primary ip as well, but that didn't
 do anything different.

have iptables log all rejections/denials and then you'll quickly learn if
the problem is your firewall rules.  i don't use iptables on my vserver
host (probably should, but haven't been able to justify it), but if you've
accepted 127.0.0.0/255.0.0.0, then accepting individual ports for
jabber transports isn't necessary.

 im using amd64 with the following:
 
 2.6.18-vs2.0.2-gentoo-r8
 util-vserver-0.30.211

i'm also using amd64 but on ubuntu's 2.6.15 with debian testing's
backported util-vserver 0.30.210, but i don't think any of that matters in
this context.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] memory usage

2006-10-13 Thread Corey Wright
On Fri, 13 Oct 2006 06:31:21 -0400
Chuck [EMAIL PROTECTED] wrote:

 is there a way to see how much memory a particular guest is using? maybe 
 something similar to the free command? i have no memory limitations on
 these first few.

i use vserver-stat for informational purposes and not for placing resource
limits.

to decipher vsz & rss (as used in vserver-stat), see
http://oldwiki.linux-vserver.org/Memory+Management.

of course, memory accounting seems to be such a variable thing from command
to command and os to os (see the many internet discussions at large
trying to explain the memory usage reported by top). witnessed within
vserver's very own wiki:

from http://oldwiki.linux-vserver.org/Memory+Management:

the RSS (resident set size) is the amount of pages which are currently in
RAM (physical memory)

from http://linux-vserver.org/Memory_Limits:

The Resident Set Size (rss) is the amount of virtual memory (RAM + swap)
that the context is allowed to use

so from the vserver wiki (both old & new) it appears that for vserver-stat
rss = guests' RAM usage, but for memory limits rss = guest's RAM + swap.
and then in my case i use vhashify, so all guests using apache have memory
shared among them, so properly accounting that shared memory is tricky
(does the total shared memory get accounted to each guest, or do you divide
the total shared memory equally among all guests, etc).

but if you don't have to account for shared usage among vservers, then i
presume vserver-stat is pretty accurate of each guests' specific memory
usage and the difficulty is choosing policy (do you want to limit RAM usage
or a guest's total memory usage, ie RAM + swap, if you can even have that
granularity in memory limits).

i looked into memory limits a year ago or so and gave up as i'm in control
of all guests (though it would be nice to keep a process from running away,
either from a memory leak or DOS attack).

hopefully somebody will correct me if i'm wrong in my details above, but
at least look to vserver-stat as a possible answer to your question.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] NFS recommendations?

2006-09-29 Thread Corey Wright
On Fri, 29 Sep 2006 15:57:42 +0200
Herbert Poetzl [EMAIL PROTECTED] wrote:

 On Fri, Sep 29, 2006 at 03:03:13PM +0200, Laurent Vallar - aka Val wrote:
  If you plan to serve NFS from a guest nfs-user-server work fine but
  without lock support.
 
 is that missing lock support an nfs-user-server issue or
 is that some restriction of the guest which keeps it from
 using/having proper locking?

i presume it is regardless of vserver.

There is currently no support for file locking.
- http://packages.debian.org/unstable/net/nfs-user-server

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] installing Guest From CDROM

2006-08-20 Thread Corey Wright
On Sun, 20 Aug 2006 12:28:28 +0400
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 How can I install Guest fc4 & sarge3.1 from CDROM *on sarge-3.1* ?

pieced together from my network usage of vserver-build and the debian sarge
release notes
(http://www.debian.org/releases/stable/i386/apcs04.html.en#id2534199).

vserver <name> build -m debootstrap <insert other vserver options here> -- \
  -d sarge -m file:/cdrom/debian

i've never run debootstrap or vserver-build against physical installation
media because instead i load the debs from the media into my apt-proxy
installation (http://www.debian-administration.org/articles/406#comment_4).

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] dpkg fails when upgrading hashified setuid files

2006-08-16 Thread Corey Wright
On Sun, 13 Aug 2006 03:41:35 -0500
Corey Wright [EMAIL PROTECTED] wrote:

 this email is to serve as a notification of a problem and a survey of
 possible workarounds/solutions.
 
 the problem: when using dpkg to upgrade a package that contains setuid/gid
 files which have been unified/hashified, dpkg wants to first chmod 600 the
 files before unlinking them (in case somebody has hardlinked to a security
 susceptible file which will remain even after the upgrade because of the
 hardlink).  of course, as the files are immutable, the chmod fails, but
 this behavior is never seen for all other files because dpkg unlinks them
 without chmoding them first (and unlinking is allowed).

my final solution is attached, which is a patch to dpkg disabling the
behavior of chmodding a setuid/gid file 600 before removing it.  this still
doesn't address the security problem of a non-root user hardlinking a
locally-exploitable setuid file before upgrade and it still being available
to exploit after upgrade.  the solution to that is limiting users to
writing on a partition (/home) separate from setuid files (/ & /usr) (which
is already a best practice, but hard to justify on small-sized vserver
guests).

so anyways, this is the patch that i applied to dpkg that i installed only
on my hashified/unified vserver guests, not the vserver host.

corey
-- 
[EMAIL PROTECTED]
--- dpkg-1.10.28/debian/changelog.orig	2006-08-13 03:56:24.0 -0500
+++ dpkg-1.10.28/debian/changelog	2006-08-13 03:58:01.0 -0500
@@ -1,3 +1,9 @@
+dpkg (1.10.28-0vserver1) stable; urgency=low
+  
+  * do not chmod before unlinking a sticky or set-id file
+
+ -- Corey Wright [EMAIL PROTECTED]  Sun, 13 Aug 2006 03:51:49 -0500
+
 dpkg (1.10.28) unstable; urgency=low
   
   The Awh, yeah?  Ripper! Release.
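Review bot: the changelog entry should record the security trade-off, not only the mechanics: with the chmod gone, a set-id binary that a local user hardlinked before the upgrade keeps its set-id bits afterwards, which is the case dpkg's chmod was added for. One more sentence here ("only for unified/hashified guests, where the immutable bit makes the chmod fail") tells whoever rebases this onto a newer dpkg why the patch exists and where it must stay confined. Also, the line after the package header (`+  `) carries trailing whitespace and should be an empty line.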
--- dpkg-1.10.28/main/help.c.orig	2004-11-10 21:16:33.0 -0600
+++ dpkg-1.10.28/main/help.c	2006-08-13 03:47:36.0 -0500
@@ -440,10 +440,10 @@ int chmodsafe_unlink(const char *pathnam
   struct stat stab;
 
   if (lstat(pathname,stab)) return -1;
-  if (S_ISREG(stab.st_mode) ? (stab.st_mode  07000) :
-  !(S_ISLNK(stab.st_mode) || S_ISDIR(stab.st_mode) ||
+  if (!(S_ISREG(stab.st_mode) ||
+  S_ISLNK(stab.st_mode) || S_ISDIR(stab.st_mode) ||
S_ISFIFO(stab.st_mode) || S_ISSOCK(stab.st_mode))) {
-/* We chmod it if it is 1. a sticky or set-id file, or 2. an unrecognised
+/* We chmod it if it is an unrecognised
  * object (ie, not a file, link, directory, fifo or socket
  */
 if (chmod(pathname,0600)) return -1;
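Review bot: the new condition removes the sticky/set-id branch for every package on every system that installs this dpkg build, not just for hashified files, so the hardlink mitigation is lost even where chmod would have worked. A narrower change keeps the original test and only tolerates the failure the immutable bit causes: let `chmod(pathname,0600)` fail with EPERM and fall through to the unlink (which hashified files permit), returning -1 for any other errno. That preserves the mitigation on the host and on non-unified guests while still fixing the `failed to rmdir/unlink` abort. Separately, as pasted the context line `lstat(pathname,stab)` and the removed line `stab.st_mode  07000` have lost their `&` characters, so this hunk will not apply against the real help.c; check the attached file rather than the mail body.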


[Vserver] dpkg fails when upgrading hashified setuid files

2006-08-13 Thread Corey Wright
this email is to serve as a notification of a problem and a survey of
possible workarounds/solutions.

the problem: when using dpkg to upgrade a package that contains setuid/gid
files which have been unified/hashified, dpkg wants to first chmod 600 the
files before unlinking them (in case somebody has hardlinked to a security
susceptible file which will remain even after the upgrade because of the
hardlink).  of course, as the files are immutable, the chmod fails, but
this behavior is never seen for all other files because dpkg unlinks them
without chmoding them first (and unlinking is allowed).

the problem exhibits itself as such:

dpkg: error processing 
/var/cache/apt/archives/passwd_1%3a4.0.3-31sarge8_amd64.deb (--unpack):
 failed to rmdir/unlink `//usr/bin/chage.dpkg-tmp': Operation not permitted

the relevant line in an strace:

6516  chmod("//usr/bin/chage.dpkg-tmp", 0600) = -1 EPERM (Operation not permitted)

sam vilain brought up this issue 4 years ago in
http://lists.debian.org/debian-dpkg/2002/06/msg00105.html.

more recently i think sebd encountered this problem and shared it with
herbert in irc, recorded in
http://irc.13thfloor.at/LOG/2005-03/LOG_2005-03-19.txt.

this is especially problematic because currently dpkg emits an error,
aborts the upgrade, and returns a non-zero exit status, but lists the new
package version as being installed without error (though none of the new
files were installed).  i reported this bug at
http://bugs.debian.org/382760.

one solution is to manually remove all setuid/gid files before upgrading
them (which i did before tonight when i would have had to do that for a
dozen files on 14 vservers due to upgrading login & passwd packages; that
crossed my threshold).  but that still doesn't deal with the security
implication brought up by ben collins in response to sam vilain's email.
that's not a major concern for me because currently i only use vservers as
personal per-process super chroot's, so if somebody besides me is
creating hardlinks to setuid files, and believe me i'm not, then i already
have bigger security problems.  but if i should ever want to provide
semi-public user-level access to my vservers, then what are my options?
how do other distros address this problem, or do they ignore it or are
unaware of it?

i'm currently implementing the workaround as a patch to dpkg disabling the
chmod.  that's good enough security-wise for my particular need.  it means
i'll have to maintain the patch against dpkg and build a new package
every time dpkg is updated, but i run stable (currently sarge) on my
server and in my vservers, so it shouldn't happen that frequently.  i
thought about writing a wrapper around dpkg, but that would be fairly
complex as dpkg accepts a lot of different options that i would have to
take into consideration and i would have to ensure the unique interaction
between apt-get and dpkg didn't break.

so what are other people doing to work around this problem?  is this not an
issue for anybody else because i'm the only debian user with
unified/hashified vservers?

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] dpkg fails when upgrading hashified setuid files

2006-08-13 Thread Corey Wright
On Sun, 13 Aug 2006 03:41:35 -0500
Corey Wright [EMAIL PROTECTED] wrote:

 the problem: when using dpkg to upgrade a package that contains setuid/gid
 files which have been unified/hashified, dpkg wants to first chmod 600 the
 files before unlinking them (in case somebody has hardlinked to a security
 susceptible file which will remain even after the upgrade because of the
 hardlink).  of course, as the files are immutable, the chmod fails, but
 this behavior is never seen for all other files because dpkg unlinks them
 without chmoding them first (and unlinking is allowed).

one solution to the security issue that i forgot to mention is to keep
user-writable directories on separate file systems from setuid/gid files as
hardlinks cannot cross file systems.

i implement this philosophy on all my larger installations (ie the vserver
host, my workstation), but i haven't done this within vserver guests
because there are no user directories (ie /home/*) and most of my guests
are small (<= 200 MB as they merely provide a single service, not host tons
of data).

it seems somewhat cumbersome, though definitely doable, to have two
partitions in every vserver with user-level access, especially for smaller
vservers.

are there any other options?

corey
-- 
[EMAIL PROTECTED]
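For the risk discussed in the two posts above (a set-id file hardlinked by a local user surviving an upgrade once dpkg's chmod is patched out, and the separate-filesystem mitigation), here is the check a guest admin can run. It is an added example, not code from the thread, and relies only on POSIX find, df and awk; the directory layout it audits (/home against / and /usr) is the one the posts describe.

```shell
#!/bin/sh
# Added example: find hard-linked set-id files and check filesystem separation.

# Print every set-user-id or set-group-id regular file under $1 (staying on
# that one filesystem) that has more than one hard link, one path per line.
# Two links on a set-id file is the situation dpkg's chmod-before-unlink
# exists to neutralise, so with that chmod disabled this is what to watch.
find_multilinked_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 -print
}

# Number of such files under $1; 0 means nothing suspicious was found.
count_multilinked_setid() {
    find_multilinked_setid "$1" | wc -l | tr -d ' '
}

# Filesystem (first column of df) that holds path $1.
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Succeed when $1 and $2 are on the same filesystem, i.e. when a hard link
# from a user-writable directory in one to a set-id file in the other is
# possible at all; a hard link cannot cross filesystems.
same_filesystem() {
    [ "$(fs_of "$1")" = "$(fs_of "$2")" ]
}

# Audit one guest root ($1; "/" when run inside the guest). Prints the
# findings and returns non-zero if any hard-linked set-id file exists.
audit_setid_links() {
    root=${1:-/}
    n=$(count_multilinked_setid "$root")
    echo "hard-linked set-id files under $root: $n"
    find_multilinked_setid "$root" | sed 's/^/  /'
    for d in usr; do
        if [ -d "$root/home" ] && same_filesystem "$root/home" "$root/$d"; then
            echo "warning: $root/home shares a filesystem with $root/$d"
        fi
    done
    if [ -d "$root/home" ] && same_filesystem "$root/home" "$root"; then
        echo "warning: $root/home shares a filesystem with $root"
    fi
    [ "$n" -eq 0 ]
}
```

Run `audit_setid_links /` inside each hashified guest after package upgrades; a non-zero exit means a set-id file has a second link that the upgrade did not remove.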


Re: [Vserver] UN - vhashify - ing

2006-07-13 Thread Corey Wright
On Thu, 13 Jul 2006 09:03:29 -0700
Roderick A. Anderson [EMAIL PROTECTED] wrote:

 Corey Wright wrote:
  On Wed, 12 Jul 2006 14:53:51 -0700
  Roderick A. Anderson [EMAIL PROTECTED] wrote:
  
  
 Is there a neat trick to un-hashify a guest?
  
  
  find / -type f \
  | while IFS= read -r FILE; do
      cp -av "${FILE}" "${FILE}.remove-hashification"
      rm "${FILE}"
      mv "${FILE}.remove-hashification" "${FILE}"
    done
  
  that's just an example, but should convey the idea well enough.
 
 Will this work from both inside and outside the guest?  Is it a filesystem 
 thing being exploited ( utilized probably sounds better ) by
 Linux-Vserver?

yes, copying a file, deleting the original, and moving (or copying) the
copy back, will work in both the context of the host & guests, as it is a
mechanism based on the filesystem and not namespaces.

the above can be done more selectively/intelligently by ensuring a file is
immutable and unlinkable using either showattr and/or lsattr.

by analyzing my hashified files (confirmed with ls -i):

if showattr "${FILE}" | grep '^ui.' >/dev/null; then
  echo copy, rm, and mv
fi

or

if showattr "${FILE}" | grep '^i' >/dev/null; then
  echo copy, rm, and mv
fi

i'm not sure which, if any, is correct to find an immutable-but-unlinkable
file created in the process of hashifying as documentation on the subject
is scarce and i don't feel like reading/reverse-engineering the source code.

but that should give you a good jump start on the subject.

corey
-- 
[EMAIL PROTECTED]
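Putting the copy/rm/mv loop quoted in this reply together with the idea of only touching files that are actually unified, here is an added example (not from the thread and not util-vserver code). It selects candidates by link count (`find -links +1`), the trait a unified file shares with its master copy in the hash directory, instead of the util-vserver specific `showattr` check; the function names and the directory-argument interface are my own.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or from util-vserver:
# give every multiply-linked regular file under a guest tree its own
# inode by copy / rm / mv, so edits inside the guest no longer reach the
# shared master copy in the hash directory (or any other guest).
#
# Caveat: link count > 1 is also true of hard links the guest itself
# contains (e.g. two names for one binary); those get separated too.

# count_unified ROOT -> number of regular files under ROOT with >1 link
count_unified() {
    find "$1" -type f -links +1 | wc -l | tr -d ' '
}

# unhashify_tree ROOT -> replace each multiply-linked file under ROOT by
# a private copy.  Returns 0 on success, 1 if any file was not replaced.
unhashify_tree() {
    root=$1
    status=0
    # Snapshot the candidate list first so the traversal is not disturbed
    # by the files being replaced while we walk.
    list=$(mktemp) || return 1
    find "$root" -type f -links +1 > "$list"
    while IFS= read -r file; do
        tmp="$file.remove-hashification"
        # cp -a copies data plus mode, ownership and timestamps into a
        # fresh inode that is not shared with anything else.
        if cp -a "$file" "$tmp"; then
            # -f: the unified original is write-protected; do not prompt
            # (an interactive rm would read its answer from our input).
            rm -f "$file" && mv "$tmp" "$file" || status=1
        else
            echo "could not copy $file" >&2
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return $status
}
```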


Re: [Vserver] UN - vhashify - ing

2006-07-12 Thread Corey Wright
On Wed, 12 Jul 2006 14:53:51 -0700
Roderick A. Anderson [EMAIL PROTECTED] wrote:

 Is there a neat trick to un-hashify a guest?

find / -type f \
| while read -r FILE; do
    cp -av "${FILE}" "${FILE}.remove-hashification"
    rm -f "${FILE}"
    mv "${FILE}.remove-hashification" "${FILE}"
  done

that's just an example, but should convey the idea well enough.

 It would probably help me understand better what vhashify 
 is doing ... without going through the code.

http://archives.linux-vserver.org/200605/0098.html
http://archives.linux-vserver.org/200605/0228.html

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Hashification

2006-05-24 Thread Corey Wright
 I've been struggling to fully understand how vhashify works for a while
 now. I want to know more about it. It would be nice if someone could
 answer the following questions for me or point to some document which
 can help me understand the vhashify and unify better:

isn't there a vhashify.c? ;-)

 1) What files and how does vhashify step through and compare for
 unification?

dunno.  i've wondered that myself, and postulated some, but the proof is
in the pudding so i haven't questioned it too much.

i'm guessing here, but every file in /etc/vservers/vserver/vdir not
explicitly excluded by some pattern in
/etc/vservers/vserver/apps/vunify/exclude or
/usr/lib/util-vserver/defaults/vunify-exclude is hashed, looked up in a
hash table (ie files within /etc/vservers/.defaults/apps/vunify/hash/0
named after value of hash of contents), file attributes are compared
against the hardlink in the hash table, and if found equal, then the files
are unified.

so how close did i get? :-D

herbert, daniel, somebody correct me if i'm wrong.

 2) What things are compared to determine if the files can be unified? In
 other words, what properties of the file should be the same?

all properties besides file name.  at least that's my guess according to
http://www.debian.org/doc/manuals/debian-tutorial/ch-advanced.html#s-advanced-files-hardlinks
as unification just takes advantage of hardlinks (with the special
property of being immutable but unlinkable).

 3) What is the format of an exclude file?

from http://linux-vserver.org/alpha+util-vserver, under Directory/vserver
unification:

It has rsync-like excludelists, so that you can e.g. exclude anything
under /etc/ except /etc/termcap; the corresponding excludelist would be

+/etc/termcap
/etc

further see http://samba.anu.edu.au/ftp/rsync/rsync.html, specifically the
FILTER RULES and INCLUDE/EXCLUDE PATTERN RULES sections.

take all the above with a grain of salt as i'm just making educated
guesses.  hopefully somebody will at least confirm whether i'm right or
wrong.

corey
-- 
[EMAIL PROTECTED]

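An added example (not from the thread and not util-vserver code) that models the rsync-like exclude list described above: rules are tried in order, the first match decides, a leading `+` means unify and anything else means exclude, and a rule matches the path itself or anything beneath it. Whether vunify's own matcher behaves exactly like this is, as the post says, an educated guess; the function names are mine and the `+/etc/termcap` / `/etc` list above is the worked case.

```shell
#!/bin/sh
# Added example, not from the thread or from util-vserver: a small model
# of an rsync-style include/exclude list as described for vunify.
#   - rules are read top to bottom; the first matching rule wins
#   - "+/path" includes (unify), "/path" or "-/path" excludes
#   - a rule matches a path when it equals the path or is an ancestor
#     directory of it; shell globs in the rule are honoured via `case`
#   - a path that matches no rule is unified ("all files are unified
#     that are not explicitly excluded")

# rule_matches RULE PATH -> exit 0 if RULE applies to PATH
rule_matches() {
    pattern=$1
    path=$2
    # unquoted $pattern is used as a glob; "$pattern/*" covers everything
    # below a directory rule, and only at a path component boundary, so
    # "/etc" does not swallow "/etcetera"
    case "$path" in
        $pattern|$pattern/*) return 0 ;;
    esac
    return 1
}

# unify_decision RULEFILE PATH -> prints "unify" or "exclude"
unify_decision() {
    rulefile=$1
    path=$2
    while IFS= read -r rule || [ -n "$rule" ]; do
        # skip blank lines and comments
        case "$rule" in ''|'#'*) continue ;; esac
        action=exclude
        case "$rule" in
            +*) action=unify; rule=${rule#+} ;;
            -*) rule=${rule#-} ;;
        esac
        # tolerate one space after the +/- sign, as rsync does
        rule=${rule# }
        if rule_matches "$rule" "$path"; then
            echo "$action"
            return 0
        fi
    done < "$rulefile"
    echo unify
}
```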


Re: [Vserver] Making and using devices inside vservers

2006-05-24 Thread Corey Wright

 Hello all,

 Could someone elaborate on how to make devices available inside a
 vserver? (/dev/tty[0-9] or /dev/mem) etc.

can't you just copy the desired file from /dev to /vservers/name/dev or
do a mknod, either one as root from the host?

 I would like to be able to burn a cd under a vserver, or even run X.

appears you need some additional capabilities for writing optical media. 
search for Akito's conversations in these irc transcripts.

http://irc.13thfloor.at/LOG/2005-12/LOG_2005-12-19.txt
http://irc.13thfloor.at/LOG/2005-12/LOG_2005-12-21.txt

if that doesn't get you all the way there, it should at least give you
enough key words to perform google searches on.

corey
-- 
[EMAIL PROTECTED]



Re: [Vserver] Cant get Autofs working

2006-05-23 Thread Corey Wright
On Tue, 23 May 2006 15:27:17 +0200
peter [EMAIL PROTECTED] wrote:

 Hello all,
 
 I have a problem with vserver.
 Here my setup:
 
 The Host is a small Home-Server for Internet Routing and Fileserver.
 
 The Guest is a Desktop with running X and related (works very good).
 
 Both running Debian Sarge.
 Now I wanted to have all these nice removable usb devices 
 (usb-sticks, sdcard-reader, ...) and floppy/cdrom to work.
 
 On the Host I have set up autofs and this is running fine for the Host.
 On the Guest side I configured fstab to rbind the autofs folder.
 
 Now the Problem:
 If I cd into the bound folder from the Guest, I see all the possible
 drives (because of the --ghost automounter option). If I cd into one of
 these the drive gets mounted on the Host. But I cannot see any Files in
 this Folder from the Guest. In the Host all is working.
 
 I searched the documentation and mailing list and can't find any solution
 to this.
 
 Is there an fstab option I missed or a capability or any other solution
 to this? Maybe there is a better solution without fstab?

mount device for use by vserver:
* vnamespace -e vserver mount /dev/loop /vservers/vserver/mnt/

reference:
http://deb.riseup.net/vserver/usage/#mounting_a_directory_from_one_vserver_into_another

how to integrate that into autofs is left as an exercise to the reader (as
i don't have a clue, not using autofs).

hth.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Quick question

2006-05-23 Thread Corey Wright
 2006/5/23, ADNET Ghislain [EMAIL PROTECTED]:
 sorry to jump on the thread, just a little test: when you make the
 vserver-util, did the make check work for all tests?
 i have an issue on the unify test on debian, perhaps you have something
 related or a beecrypt issue?

 You cannot use Debian-supplied beecrypt. Grab the source of 4.0 or
 newer from sourceforge or wherever (4.0.0 is fine, as is 4.1.2, tested
 on these two versions). It should be in the archives btw, because I
 remember writing about this earlier.

i presume you are referring to the beecrypt released with sarge.

if anybody is using the util-vserver (and necessary beecrypt) from sarge,
they have my sympathies.

on sarge i use the packages from backports.org, versions 0.30.210 and
4.1.2.  instructions for using backports.org are at
http://backports.org/instructions.html.

to provide background to my previous post in this thread, the vhashify
demonstration, i'm running debian sarge with ubuntu's linux 2.6.12 source
(from breezy) patched with vserver 2.0 using util-vserver 0.30.210.

corey
-- 
[EMAIL PROTECTED]



Re: [Vserver] Quick question

2006-05-22 Thread Corey Wright
On Mon, 22 May 2006 10:29:20 -0400
Fareha Shafique [EMAIL PROTECTED] wrote:

i assume you are following the process outlined on
http://linux-vserver.org/alpha+util-vserver under vhashify.

 I just wanted to make sure hashify only unifies rpm packages, right?

no.  vhashify (the helper application called with vserver name hashify)
has no knowledge of the rpm database and what files are installed by rpm
and which are unique to the specific vserver (whether generated by an rpm
post-installation script or manually created by the user).

 Any 
 other files I want to unify I will have to manually hardlink them?

no.  when you run vhashify it creates hardlinks
within /etc/vservers/.defaults/apps/vunify/hash/0 to all files that are not
explicitly excluded within /usr/lib/util-vserver/defaults/vunify-exclude
(well, that's the file within the debian package; location may vary).

again, all files are unified that are not explicitly excluded.

here's something i had to learn the hard way: you can specify exclusions
for a specific vserver, but the vserver-specific exclusions are
supplementary, not complementary.  so when you
create /etc/vservers/name/apps/vunify/exclude it's best to begin that
file with a copy of /usr/lib/util-vserver/defaults/vunify-exclude.

again, if a vserver-specific exclusion list exists, then the default
exclusion list is totally disregarded, and only the vserver-specific
exclusion list is consulted when running vhashify on that vserver.

 And vdu gives the disk space counting only files that have one hardlink, 
 but when I do a vdu on my vserver directory I get 0...why is that?

i've never used vdu, so i'll defer that question to someone more
knowledgeable.  i don't have any personal experience with managing the
vserver file systems (ie quotas) besides vhashify, though i intend to get
to that eventually.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Quick question

2006-05-22 Thread Corey Wright
On Mon, 22 May 2006 13:44:48 -0400
Fareha Shafique [EMAIL PROTECTED] wrote:

 when you run vhashify it creates hardlinks
 within /etc/vservers/.defaults/apps/vunify/hash/0 to all files that are
 not explicitly excluded
 within /usr/lib/util-vserver/defaults/vunify-exclude (well, that's the
 file within the debian package; location may vary).
 
 again, all files are unified that are not explicitly excluded.
   
 
 If hardlinks are created the inode numbers should be the same. But when 
 I hashified 2 of my vservers (I first used the -nv option to see which 
 files would be unified) I checked the files that were supposed to have 
 been unified and I don't get the same inode number? I don't get any 
 error messages, I'm not sure if my hashify is working? How can I check?
 Like I mentioned in another thread, I created the second vserver using a 
 template of the first one. The number of links on most files in the 
 template is already more than one, and hashify does not increase the 
 number of these links.

hopefully the line wrapping doesn't visually destroy the following too much.

# ls -1i /home/vservers/*/bin/bash | cut -d' ' -f1 | uniq -c
 13 6751094

(all thirteen instances of /bin/bash within vservers occupy inode 6751094.)

# ls -il /home/vservers/{test,client}/bin/bash*
6751094 -rwxr-xr-x  14 root root 729640 2005-05-02 17:39 /home/vservers/client/bin/bash
6751094 -rwxr-xr-x  14 root root 729640 2005-05-02 17:39 /home/vservers/test/bin/bash

(there are 14 hardlinks: 13 belonging to vservers, and the master one
within /etc/vservers/.defaults/apps/vunify/hash/0.)

# cp -av /home/vservers/client/bin/bash{,.unlinked}
`/home/vservers/client/bin/bash' -> `/home/vservers/client/bin/bash.unlinked'
# ls -1i /home/vservers/{test,client}/bin/bash*
6751094 /home/vservers/client/bin/bash
 573454 /home/vservers/client/bin/bash.unlinked
6751094 /home/vservers/test/bin/bash
# rm /home/vservers/client/bin/bash
rm: remove write-protected regular file `/home/vservers/client/bin/bash'? y
# mv /home/vservers/client/bin/bash{.unlinked,}
# ls -il /home/vservers/{test,client}/bin/bash*
 573454 -rwxr-xr-x   1 root root 729640 2005-05-02 17:39 /home/vservers/client/bin/bash
6751094 -rwxr-xr-x  13 root root 729640 2005-05-02 17:39 /home/vservers/test/bin/bash
# vserver client hashify -nv
Initializing exclude-list for /home/vservers/client (client)
Starting to traverse directories...
snip
unifying   '/bin/bash'
snip
# vserver client hashify
# ls -il /home/vservers/{test,client}/bin/bash
6751094 -rwxr-xr-x  14 root root 729640 2005-05-02 17:39 /home/vservers/client/bin/bash
6751094 -rwxr-xr-x  14 root root 729640 2005-05-02 17:39 /home/vservers/test/bin/bash

so, that's how it works for me.

this is how i set it up, synthesized from
http://linux-vserver.org/alpha+util-vserver under vhashify.

* mkdir -p /etc/vservers/.defaults/apps/vunify/hash
* mkdir -p /home/vservers/.hash
* ln -s /home/vservers/.hash /etc/vservers/.defaults/apps/vunify/hash/0
* mkdir -p /etc/vservers/vserver/apps/vunify
* customize exclusions (if necessary)
 o cp -av /usr/lib/util-vserver/defaults/vunify-exclude /etc/vservers/vserver/apps/vunify/exclude
 o echo '/usr/src/*' >> /etc/vservers/vserver/apps/vunify/exclude
* vserver vserver hashify -nv | less
* vserver vserver hashify

all but the first three steps should be repeated for each vserver.

note: /etc/vservers/.defaults/apps/vunify/hash/0, 
/etc/vservers/.defaults/vdirbase,
and correspondingly /etc/vservers/*/vdir must all be (or symlink to
directories) on the same filesystem, otherwise hardlinks cannot be
created.

hth.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Re: Basic Question

2006-05-10 Thread Corey Wright
On Tue, 09 May 2006 14:02:51 -0400
Fareha Shafique [EMAIL PROTECTED] wrote:

 Fareha Shafique wrote:
 
  Corey Wright wrote:
 
   storage space is conserved because files only exist in one place, but are
   referenced within multiple vservers through special hard links.
 
  memory space is conserved because binaries and shared libraries (and
  any item in the file cache, i suppose) only exist in memory once,
  though many
  vservers may be executing/using the file.  the idea is to extend the
  concept of shared libraries to vservers, so that just as a
  shared library may be referenced by multiple applications and it only
  exists in memory once, the same is true for a shared library 
  referenced by
  multiple vservers (by way of vhashify).
 
  all the examples i have seen enable vhashify for vserver guests, not
  the host.  i presume it is possible, but it is never applicable in my
  case because hard links are only shared on a single filesystem (where
  i mount my
  host's executables/libraries on /usr and my vservers on /home).
 
  hth.
 
  corey
   
 
   Thanks, that explanation helps :)
  Now, is it only libraries and binaries that can be shared or can a 
  vserver be an exact replica of the host. 
 
 Oh sorry, that was already answered. I guess anything on the filesystem 
 can be shared.

let me again emphasize: i have never seen vhashify used to unify the host
with guests.  i don't know if the vhashify application allows for such.
you might be able to do it by creating a skeleton configuration
in /etc/vservers representing the host (ie /etc/vservers/host) with a vdir
that symlinks to /. just be sure to exclude /etc/vservers or you may
experience recursive problems.  but that's a total hack, unsupported, and
may even void the warranty. ;-)

  How about if I want the filesystem of vserver vs1 to be an exact 
  replica of the host, and only when I write/modify any file a local 
  copy should be created for vs1 (using COW)? Is this possible?
 
 Let me explain this better. Say I want to upgrade some software or 
 install new software on my host machine. Before doing this, I would like 
 to test the upgrade in an environment that is an exact replica of the 
 host machine. Is it possible to create a vserver identical to the host 
 so that it can be used as the test environment?

why don't you instead have two vservers: one test & one production.  push
all your production applications/configuration from the host into a test
guest.  when the test guest works how you want, just copy the test
guest to the production guest and unify the two.

i do something similar.  i have a test guest (that's literally the name
of the guest) where i test applications and when everything works like i
want, i apt-get install or copy the tested application on a
production guest, copy over the configuration, vhashify the production
guest, and start it.

the added benefit of having your production environment contained within
a guest is that to relocate the production environment you simply stop the
guest, tarball/cpio/rsync/scp/etc it (the guest and its configuration) to
another vserver host, and start it there.

i think you are trying to push a square peg into a round hole with your
current design and should reconsider if possible.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Re: Basic Question

2006-05-09 Thread Corey Wright
On Mon, 08 May 2006 13:30:45 -0400
Fareha Shafique [EMAIL PROTECTED] wrote:

 The following is taken from the Short 
 Introduction, can someone please explain it to me:
 Resource sharing: Since vservers can share binaries and libraries
 without interfering, a second vserver generally cost 40-100 megs of disk
 space only. Most of this space is a copy of the packaging database.
 Independent updates: Vservers are updated independently even if they
 share binaries with other vservers.
 
 Does this mean, that as I install programs (like sshd, and other 
 packages) on my vserver that are already installed on my host server, 
 the binaries will be shared?

search for vhashify on http://linux-vserver.org/alpha+util-vserver for
the practical how-to.  the resource sharing is not automatic; you must
enable it.

i'll try to explain the theory briefly.

storage space is conserved because files only exist in one place, but are
referenced within multiple vservers through special hard links.

memory space is conserved because binaries and shared libraries (and any
item in the file cache, i suppose) only exist in memory once, though many
vservers may be executing/using the file.  the idea is to extend the
concept of shared libraries to vservers, so that just as a
shared library may be referenced by multiple applications and it only
exists in memory once, the same is true for a shared library referenced by
multiple vservers (by way of vhashify).

all the examples i have seen enable vhashify for vserver guests, not the
host.  i presume it is possible, but it is never applicable in my case
because hard links are only shared on a single filesystem (where i mount my
host's executables/libraries on /usr and my vservers on /home).

hth.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Sharing directories

2006-05-09 Thread Corey Wright
On Mon, 8 May 2006 22:23:46 +0300
ehab heikal [EMAIL PROTECTED] wrote:

 I want some directories of data to be shared across vservers on the same
 host, will  linking the directories from the host work?

yes.  you can use a hardlink or mount --bind.  you might have to use
vnamespace with mount --bind for the guest to see the new mount (as i do
when i mount a loopback from the host into a guest).

 Can two vservers share the same IP so that one uses some ports and the
 other uses the rest?

i know the host's ip can be shared with a guest, but i don't know about
between two guests.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] What is the best way to add a localhost in each vserver under debian sarge

2006-05-09 Thread Corey Wright
On Mon, 08 May 2006 21:17:31 +0200
Sébastien CRAMATTE [EMAIL PROTECTED] wrote:

 Hello
 
 *What is the best way to add a localhost in each vserver  under debian
 sarge
 
 I've found a solution using the dummy module
 I would prefer a global one to add automatically a lo interface in each 
 vserver. Maybe with nat?
 
 With dummy module I don't know how can I reduce  lo net mask  so ... :(

i'm running debian sarge (on amd64) on my host and guests.

i have a guest with apache, squirrelmail, and imapproxy.

squirrelmail is configured to connect to localhost where imapproxy caches
the connection to the real imap server (on another server elsewhere).  that
works.

within the same guest, wget http://localhost/squirrelmail says "Connecting
to localhost [127.0.0.1]:80... connected." and retrieves the squirrelmail
login page. this guest is the only one with squirrelmail installed.  so i
know within this guest that 127.0.0.1 resolves to the same guest.

so the functional equivalent of the lo network interface already exists
in each guest.

i think i'm not understanding what you are trying to do.

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] how can I remove this in a Vserver : perl: warning: Falling back to the standard locale (C)...

2006-04-20 Thread Corey Wright
On Wed, 19 Apr 2006 22:36:05 +0200
Sébastien CRAMATTE [EMAIL PROTECTED] wrote:

 Per Andreas Buer a écrit :
  Sébastien CRAMATTE wrote:

  perl: warning: Falling back to the standard locale (C).
  locale: Cannot set LC_CTYPE to default locale: No such file or
  directory 
 
  Have you installed the locales package in your vserver? Could you
  please try this?
 
 I don't have locales installed
 Is it really necessary?  I need a lightweight debian ...
 If I keep my messages in english it's ok for me

try setting 'LANG=C' within /etc/environment.

/etc/environment is parsed by pam_env.so as used in /etc/pam.d/{login,su}
and maybe /etc/pam.d/ssh, which accounts for nearly all interactive
processes where you would see perl complain (though i am interested in the
output of perl scripts run from cron jobs).

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] strange error on vserver stop

2006-04-15 Thread Corey Wright
On Sat, 15 Apr 2006 14:58:01 +0200
Sébastien CRAMATTE [EMAIL PROTECTED] wrote:

 When I stop a vserver I obtain this message
 
 /usr/sbin/vserver: line 85: 14982 Processus arrêté
 [EMAIL PROTECTED] ${USE_VNAMESPACE:+$_VNAMESPACE --enter $S_CONTEXT --
 } $_VCONTEXT $SILENT_OPT --migrate --chroot --xid $S_CONTEXT --
 [EMAIL PROTECTED]

i believe i received that message (but in english ;-) until i took the time
to audit the default shutdown scripts in a debian sarge guest and remove
the ones that weren't applicable (to a vserver).

here's part of my guest setup:

for RUNLEVEL in 0 6; do
  for FILE in K25hwclock.sh \
  K89klogd \
  S30urandom \
  S31umountnfs.sh \
  S35networking \
  S36ifupdown \
  S40umountfs \
  S90halt \
  S90reboot; do
mv /etc/rc${RUNLEVEL}.d/{,~}${FILE}
  done
done

 #uname -a
 Linux debian 2.6.16.5-vs-2.0.2rc16 #1 Fri Apr 14 22:02:02 CEST 2006 i686
 GNU/Linux

yep, that above action is for debian guests.  (i also happen to host those
debian guests on a debian host.)

 #dpkg -l util-vserver
 ii  util-vserver   0.30.210-5bpo1 tools for Virtual private servers and
 context
 
 (I use version from www.backports.org)

ah, so backports.org has started producing util-vserver packages.  i might
stop backporting it myself now that i know this (though i really only did
it once and my 209 is doing fine for me on 2.0 and 2.0.1).

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] locale and interface binding problem

2006-03-20 Thread Corey Wright
On Mon, 20 Mar 2006 14:56:30 +0100
Eugen Leitl [EMAIL PROTECTED] wrote:

 I keep having those nasty
 
 perl: warning: Setting locale failed.
 perl: warning: Please check that your locale settings:
 LANGUAGE = en_DE:en_US:en_GB:en,
 LC_ALL = (unset),
 LANG = en_US
 are supported and installed on your system.
 perl: warning: Falling back to the standard locale (C).
 
 messages in a vserver created by
 
 vserver v17 build --force -n v17 --hostname v17.ativel.com --context 17
 --interface eth0:192.168.1.17/24 -m debootstrap -- -d sarge -m
 http://amd64.debian.net/debian-amd64/
 
 and gone through the usual apt-setup and apt-get update / upgrade
 orgies.
 
 locales is installed, and locales generated. Is this a known
 problem, or something broken in am64-land? I don't recall
 this in vanilla Debian Sarge. Websearches don't show anything
 conclusive.

just another data point...

note: extraneous application output represented by 

# uname -a
Linux kings 2.6.12-10.26+1-amd64-k8 #1 Sat Jan 28 15:43:54 CST 2006 x86_64 
GNU/Linux
# mkdir chroot
# debootstrap sarge ./chroot http://apt-proxy:/debian-sarge-amd64
...
# chroot ./chroot
# perl -e 'print "hello world\n"'
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = en_US:en:C,
LC_ALL = (unset),
LANG = en_US
are supported and installed on your system.
perl: warning: Falling back to the standard locale (C).
hello world
# echo "deb http://apt-proxy:/debian-sarge-amd64 stable main" > /etc/apt/sources.list
# apt-get update
...
# apt-get install locales
...
select generate en_US ISO-8859-1, en_US.ISO-8859-15 ISO-8859-15, en_US.UTF-8 
UTF-8
select default en_US
...
# perl -e 'print "hello world\n"'
hello world

to reconfigure locale generation & default locale, just run dpkg-reconfigure 
locales.

i don't think that there is any difference in configuring locales between a 
vserver and a plain chroot (assuming both are installed using debootstrap).

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] Invalid Release file, no entry for main/binary-amd64/Packages

2006-02-27 Thread Corey Wright
On Mon, 27 Feb 2006 12:29:11 +0100
Eugen Leitl [EMAIL PROTECTED] wrote:

 I've been able to build util-vserver-0.30.210.tar.bz2 as usual
 via ./configure etc., by manually resolving missing dependencies until no
 more warnings occurred during ./configure.

i'm using util-vserver 0.30.209 backported from unstable (some weeks ago,
so it's probably -1 instead of the newer -2).

 However, when trying to build a vserver I'm running into the bug
 described at
 http://savannah.nongnu.org/bugs/?func=detailitem&item_id=13844

i don't encounter that problem on my amd64 sarge vserver host.

 I presume it's an apt sources problem, since 
 debootstrap --arch amd64 sarge /pure64/
 http://amd64.debian.net/debian-amd64/ completes fine. What should I stick
 where to make it work?

here's the vserver build template that i use:

vserver vserver build -m debootstrap --context ctx --hostname vserver
--interface name0=if0:ip0/24 -- -d sarge -m
http://apt-proxy:/debian-sarge-amd64

the backends for that apt-proxy url are (ie
http://apt-proxy:/debian-sarge-amd64 is the same as...):
- http://mirror.espri.arizona.edu/debian-amd64/debian
- http://debian.csail.mit.edu/debian-amd64/debian

(apt-proxy is worth looking into if you are running/providing/supporting
multiple debian hosts, real or virtual.  i can provide an example
apt-proxy-v2.conf and a sources.list that references the apt-proxy server.)

to merge my template with your usage (or rather herbert's example in the
bug report):

vserver test101 build -m debootstrap --hostname t101.foo.org --context 101
--interface hansi=dummy0:192.168.0.101/16 -- -d sarge -m
http://bach.hpc2n.umu.se/debian-amd64/debian

if that doesn't work, i'd attribute the problem to the util-vserver version
(as 0.30.209 works for me).

 I'm still not sure whether I should stick with an unsupported AMD64 Sarge
 or go with a vanilla i386 Sarge (the machine only has 4 GBytes) -- i.e.
 will it hurt performance badly? 2 GByte/process limit won't bite, will
 absence of twice as many registers in AMD64 mode? But gcc-3.3/gcc-3.4
 doesn't support AMD64 all that well anyway, right?

i don't personally have benchmark numbers (have yet to install a i386
guest), but the performance reported by others (due to the extra registers)
is the entire reason i purchased amd64 hardware, waiting until debian had a
stable/sarge amd64 release.  you might be able to get a comparable
speed-up on amd64 with a 32-bit kernel and/or user-land by recompiling all
packages with a more specific -mtune (ie 32-bit instruction set but
including scheduling, MMX, SSE, SSE2 support) than debian's i386 packages
(ie -mtune=i486), but i'll leave that trouble to gentoo users. ;-)

corey
-- 
[EMAIL PROTECTED]


Re: [Vserver] multiple interfaces and subnets/limit resource question(rlimits)

2006-02-02 Thread Corey Wright
On Thu, 02 Feb 2006 16:08:40 +0100
J.Paechnatz [EMAIL PROTECTED] wrote:

 I played with the rlimits, rss/as are working fine. but how could I 
 limit cpu usage, for example 25% of the host's cpu capacity? the cpu 
 directive is for cpu time in seconds... how much is realistic!? and how 
 is it measured?

- scheduler parameters (http://linux-vserver.org/Scheduler+Parameters)
- flags (http://linux-vserver.org/Caps+and+Flags)
- mini-howto (http://list.linux-vserver.org/archive/vserver/msg08478.html)

scheduler parameter hints

* echo sched_prio >> /etc/vservers/vserver/flags
* editor /etc/vservers/vserver/schedule
* format:
 o token fill rate (tokens/interval)
 o token fill interval (jiffies)
 o initial tokens
 o minimum tokens (timeout length)
 o maximum tokens (burst length)
 o don't care
* cat /proc/virtual/$(cat /etc/vservers/vserver/run)/sched

corey
-- 
[EMAIL PROTECTED]