Re: [Vserver] New and having problems to 'build' my 1st vserver...

2005-01-09 Thread Lucas Albers
Herbert,
Which Linux host OS would you recommend for new users,
as the easiest setup for a vserver configuration?
I am not trying to start a religious war, just help out new users.

--Luke

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] unable to start server with quota's enabled

2005-01-07 Thread Lucas Albers

Herbert Poetzl said:
> well, I'd say you added the S_CONTEXT=100 after you
> encountered the first issues ... but you can check
> with the lsxid tool doing
>
>   lsxid /vservers/web1/etc/init.d/rc
>   lsxid /vservers/web1/bin/bash
>
> and you can probably fix it by doing:
>
>   mv /vservers/web1 /vservers/web1.old
>   cp -va /vservers/web1.old /vservers/web1
>
> (everything after having mounted sda1 with tagxid)

Got it!
Herbert, you're fast on answers.
Works great.
2 questions.
1.) I cannot find the lsxid command for Debian, even after doing a Google
search for it.
2.) Where can I host vserver+grsec2+tagctx kernel packages for Debian?

They appear production stable.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] unable to start server with quota's enabled

2005-01-07 Thread Lucas Albers

Herbert Poetzl said:
>> They appear production stable.
>
> what about the 'known' grsec-vserver incompatibilities?


I have not encountered any bugs that have caused my vservers to crash, or
had a security exploit, or data corruption...
I was not aware there were any major bugs.

Grsec has prevented one of my vservers from being cracked via a
vulnerable phpbb2 exploit, or having it escalated to a root exploit.

The problem I am encountering is the need to backport security patches for
arbitrary kernels.
For example the 2.4.23,2.4.25, and 2.4.27 kernels.
I prefer backporting security errata if the systems are stable to
minimize change in the kernel.
Guess I will have to upgrade my kernels.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] documentation for cq-tools

2005-01-07 Thread Lucas Albers
I cannot find any documentation for cq-tools, other than a few command line
examples here:
http://vserver.13thfloor.at/Linux2.6/index.php?page=Per+Context+Disk+Limits

Is there additional documentation on this tool?



-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] New and having problems to 'build' my 1st vserver...

2005-01-07 Thread Lucas Albers

Nicolas Costes said:
> Second thing: This forces me to install a Debian vserver... Well, I was
> planning to try Debian, but not this soon ;-) !!! I'd like to keep up

Use Debian as your vserver host; it's much easier to manage vservers on a
Debian box.
I've used Red Hat/Mandrake as a vserver host, and very, very much prefer using
Debian.
I don't remember the steps to get it to work with Red Hat/Mandrake.
I remember a lot of steps.

You can always try with debian then switch back to mandrake when you see
how it all works...

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] unable to start server with quota's enabled

2005-01-06 Thread Lucas Albers
Running the 29 version of vserver.

When I enable quotas, I am unable to start a vserver.

The steps I follow are:

#enabled config option in kernel.
CONFIG_INOXID_GID24=y
#installed kernel..
#created ext3 file system
mkfs -t ext3 /dev/sda1
#mounted system with options.
mount -t ext3 -o tagctx /dev/sda1 /vservers
#stopped vserver
vserver web1 stop;
#set CONTEXT for vserver in conf file.
S_CONTEXT=100

#enabled quota
cqhadd -x 100 -v /dev/sda1
#set quota for context via hqadm
cqdlim -x 100 -S 0,200,0,1000,10 -v /dev/sda1

tried to start vserver, which gives error:
vserver web1 start;
Server web1 is not running
ipv4root is now 153.90.199.58
Host name is now web1
New security context is 100
Can't execute /etc/init.d/rc (Permission denied)

If I mount the filesystem without the tagctx option, then start the
vserver, it starts fine.



-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] logging onto a vserver takes me to host's root

2005-01-06 Thread Lucas Albers

Herbert Poetzl said:
> so using the ListenAddress directive for sshd (in the config)
> is the usually preferred way of doing it (on the host)

or run ssh on another port on the master, if the master is using a
DHCP-assigned address.
-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] packaging review for new Debian packages

2004-12-27 Thread Lucas Albers

Stephen Frost said:
> As I mentioned in the other thread- please don't.  It doesn't make sense
> and it's really not a sane thing to do for Debian.

It just makes it more complex, with no real benefit.
I would recommend keeping it the same 2 packages.
-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] NFS problem

2004-10-17 Thread Lucas Albers

Robert Cope said:

> What I've got is a vserver that needs to mount a few NFS shares. The
> vserver has two IP addresses, a public and a private, on two network
> interfaces. The NFS shares are mounted over the private network. The
> problem is that the NFS server is getting the wrong IP sent to it (but
> over the right interface), causing the mount to fail.

Use chbind to mount with a particular IP address.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] error starting nis on debian vserver

2004-10-12 Thread Lucas Albers

Bert De Vuyst said:
> It's fixed in debian sarge (3.1).
> (S18portmap)
> I'm not sure they will change it in debian woody.
>
> Bert.

My guess is no, as it's a functional change, not a security fix.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] heartbeat haresource file for vserver

2004-08-03 Thread Lucas Albers
I am trying to create a new haresource script to cover vserver.
Does anyone have a haresource script for vserver they would like to share?

I could not find more information on doing this.

high availability wiki:
http://linuxha.trick.ca

high availability homepage:
http://www.linux-ha.org/

google:

mailing list archive:
http://www.progressive-comp.com/Lists/?l=linux-ha&r=1&w=2#linux-ha



I am doing this on Debian testing using heartbeat 1.2.
Using vserver


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana




Re: [Vserver] HA+Vserver [Was :(no subject)]

2004-08-03 Thread Lucas Albers
Thanks, this is exactly what I am looking for.
I will try and translate it to english.
I understand all the configuration files, so it is useful.
Do you have more than one vserver active on the same host server at a time?

Alberto Cammozzo said:
> If reading a few lines in italian does not bother you,
> here [0] is the installation log of the following setup:
> - 2 hosts with kernel 2.4.26 + vserver vs1.28 + fpu-state-fix
>   (kernel installation log covered here: [1])
>   One host server active, second in standby.
> - drbd (0.7_pre10_20040709) sharing the /vserver partition
> - debian woody
> - heartbeat between hosts (serial, eth0, eth1)
> - wrote short 'cluster' script in /etc/ha.d/resource.d/cluster
>   for vserver [shutdown]/migration/restart: the core line is:
>   drbd primary all && mount $SHARED_MOUNTPOINT && vserver start
> - arp takeover in /etc/vserver/name.conf
>
> BTW, I wish to thank very much the developers of vserver project
> and all the community:  vservers really changed my life (my problem
> now is vserver names shortage :)
>
> Cheers
>
> Alberto
>
> [0] http://homes.stat.unipd.it/mmzz/Papers/NewVserver/Cluster.html
> [1] http://homes.stat.unipd.it/mmzz/Papers/NewVserver/kernel+vserver-II.html
>
> --
> Alberto Cammozzo        V.Cesare Battisti 241/243. PADOVA ITALY
> System/Network Manager  e-mail: [EMAIL PROTECTED]
> Universita` di Padova -IT   tel   : +39 49 8274175



-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana




[Vserver] (no subject)

2004-08-02 Thread Lucas Albers
I am trying to create new haresource script to cover vserver.
Does anyone have a haresource script for vserver they would like to share?


high availability wiki:
http://linuxha.trick.ca

high availability homepage:
http://www.linux-ha.org/

google:

mailing list archive:
http://www.progressive-comp.com/Lists/?l=linux-ha&r=1&w=2#linux-ha

I could not find more information on doing this.

I am doing this on Debian testing using heartbeat 1.2.


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana




RE: [Vserver] spam on the list

2004-07-10 Thread Lucas Albers

Robert Cope said:
> Jon Bendtsen wrote:
>
>> have you considered using greylisting?
>
> Greylisting really does work well. I implemented it on my antispam smtp
> servers and its effect was amazing.

Enable SURBL in SpamAssassin.
My (vserver) external mail server does this, and it will grab a lot of the
spam seen on this list.
Most of the spam seen on the list I am automatically moving to my spam
folder based on SURBL.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana




[Vserver] create debian vserver using util-vserver

2004-07-09 Thread Lucas Albers
Is this the correct method to use when creating a new vserver using
util-vserver on Debian (per the mailing list)?

I am switching my Debian servers from vserver to util-vserver as per the
Debian maintainer's remarks.




> I worked with the following and had much success:
> vserver NAME build --help (you don't trust me and want to read the options)
> vserver NAME build -m debootstrap --interface eth0:IPADDRESS/NETMASK \
>     --hostname NAME -- -d sid
>
> The netmask should be a simple number: 8 = 255.0.0.0, 16 = 255.255.0.0.
> You will get a Debian host with this example. Before starting it, I would do
> the following:
> chroot /vservers/NAME
> update-rc.d -f klogd remove
> update-rc.d -f pcmcia remove
> echo "deb http://ftp.debian.org/debian unstable main" > /etc/apt/sources.list
> apt-get update
> apt-get install ssh
> passwd   # set the root password
> exit
> On your host server, you have to limit ssh to its actual IP.
> Edit /etc/ssh/sshd_config:
> ListenAddress PublicIP
> This option needs to be written for every IP it should listen on.
> 0.0.0.0 = nono! The vserver does not get a port to run properly.
> Important: /etc/init.d/ssh restart
>
> Almost done?
> Yes: no public IP - you should run iptables with the following option:
> iptables -t nat -A POSTROUTING --src VSERVERIP -j SNAT --to PUBLICIP
>
> You can start the vserver!!!
> vserver NAME start
>
> Need help to find a package within Debian:
> apt-cache search NAME
>
> I hope it helps, it is the best I can come up with.
>
> Ciao, Matthias


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana


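Herbert's ListenAddress advice (in the "logging onto a vserver takes me to host's root" reply above) and Matthias's "0.0.0.0 = nono!" step make the same point: a wildcard bind on the host grabs port 22 on every address, so a vserver's own sshd never gets its port and a login to the vserver's IP lands on the host. The script below is an added example, not code from either post or from the vserver project. It parses an OpenSSH sshd_config and fails if any ListenAddress is a wildcard, if none is present, or if one is not among the host's own IPs. The config contents and the 192.0.2.x / 10.0.0.1 addresses are constructed for the demonstration.

```shell
#!/bin/sh
# sshd_listen_check.sh: verify the host's sshd is pinned to the host's own
# IPs, so it cannot grab port 22 on the vservers' addresses.
# Added example, not from the list posts. Assumes OpenSSH's sshd_config
# syntax (ListenAddress host | host:port, "#" comments); IPv6 "[addr]:port"
# forms are not special-cased.

# Print every ListenAddress value, comments and blank lines stripped.
sshd_listen_addrs() {
    sed -e 's/#.*//' "$1" | awk 'tolower($1) == "listenaddress" { print $2 }'
}

# check_sshd_listen CONFIG HOST_IP...
# Returns 0 when at least one ListenAddress exists and all of them are host
# IPs; prints the offending directive and returns 1 otherwise.
check_sshd_listen() {
    conf=$1; shift
    allowed=" $* "
    count=0
    rc=0
    for addr in $(sshd_listen_addrs "$conf"); do
        count=$((count + 1))
        # Strip an IPv4 ":port" suffix; leave anything else untouched.
        case "$addr" in
            *.*:*) ip=${addr%:*} ;;
            *)     ip=$addr ;;
        esac
        case "$ip" in
            0.0.0.0|::)
                echo "wildcard bind: ListenAddress $addr (shadows every vserver's sshd)"
                rc=1 ;;
            *)
                case "$allowed" in
                    *" $ip "*) ;;
                    *) echo "not a host IP: ListenAddress $addr"; rc=1 ;;
                esac ;;
        esac
    done
    if [ "$count" -eq 0 ]; then
        echo "no ListenAddress directive: sshd defaults to 0.0.0.0"
        rc=1
    fi
    return $rc
}

# Demonstration on constructed configs: 192.0.2.10 and 10.0.0.1 are the
# host's own addresses, 192.0.2.20 belongs to a vserver.
demo_dir=$(mktemp -d)
printf 'Port 22\nListenAddress 0.0.0.0\n' > "$demo_dir/bad.conf"
printf 'Port 22\nListenAddress 192.0.2.10\nListenAddress 10.0.0.1:22\n' > "$demo_dir/good.conf"
printf 'Port 22\nListenAddress 192.0.2.20\n' > "$demo_dir/wrong.conf"
for f in bad good wrong; do
    if check_sshd_listen "$demo_dir/$f.conf" 192.0.2.10 10.0.0.1; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: fix before starting vservers"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real file with `check_sshd_listen /etc/ssh/sshd_config HOSTIP...` before `/etc/init.d/ssh restart`; a non-zero exit means a vserver's sshd will still lose its port.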


[Vserver] comparison of vserver with user mode linux

2004-07-01 Thread Lucas Albers
Are there any comparisons between vserver and user mode linux?
It would appear they both do something very similar.

http://list.linux-vserver.org/archive/vserver/msg03122.html

This seems to indicate vserver is much faster than user mode linux.

>> Any suggestions on the advantages of one system over the other greatly
>> appreciated.
>
> Quite frankly, it is the performance issue. UML is a linux inside linux.
> vservers is faking that.
>
> The other is the ease of administration (you can enter a vserver context
> without having any network service running).
> Jacques Gelinas [EMAIL PROTECTED]

easier to share disk space, and better performance.
http://list.linux-vserver.org/archive/vserver/msg03136.html


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] Re: convert from normal server to vserver

2004-06-30 Thread Lucas Albers
Lucas Albers wrote:

> Is there any documentation on converting a production server to run as a
> vserver?

Any reason why it would not be mounting proc when I start the imported
vserver?


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] VServer, heartbeat and drbd

2004-06-28 Thread Lucas Albers
[snip problems using drbd with rebootmgr, as it has a file handle open.]
Is vshelper a stable utility?
Is it supported on debian?
I can't seem to find any deb packages for it.

Herbert Poetzl said:

> there is an alternative to the rebootmgr, it's
> called vshelper, and it should not have this
> issue ...
>
> best,
> Herbert


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] spam filtering on vserver mailing list.

2004-06-24 Thread Lucas Albers

Lucas Albers said:

> The easiest thing to do is subscribers only post, like you mentioned,
> and enable in spamassassin:
> surbl+razor+dcc+pyzor, and then
> set the spam reject threshold to 4.0,
> as nothing any of us post should post higher than a 3.0.

Closed lists appear to be a reasonable choice, or an open list with an
extremely aggressive rejection level for posts from non-subscribers.

Subscribers get accepted with a score of 5,
and non-subscribers get rejected with a score of 3 or more.
Enable SURBL and all the SpamAssassin plugins to get the best filtering.


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] hostname in hosts

2004-06-08 Thread Lucas Albers
Result:
Changing vserver name after creation, keeps hostname in vserver the same.

Repro:
Create vserver, set ip address to 192.168.1.1.
Then change ip address in /etc/vservers/servername.conf.

When starting apache on the vserver it uses the original ip address listed
in:

/etc/vservers/hosts.

Item:
Should vserver complain about this problem?
Should the user just remember to change this?






Re: [Vserver] VServer management

2004-06-04 Thread Lucas Albers

Dariush Pietrzak said:
> Hmm,  there is another issue here - if you already use app like HP Open
> View to do your other management, then putting it in control of vservers
> might be the wisest choice.

What would be some useful cluster commands?
What are some common vserver operations?

Move vserver from one machine to another.
Determine if any vservers are stopped.
Stop,start,create vservers.

The most useful IMO is the replication.
Steps:
rsync vserver from one machine to another.
copy over conf files.
stop the old vserver.
replicate the data.
start the new vserver.
Currently I do this by hand, if it was scripted I would have less chance
of screwing it up, and shorter downtime on the move.

I ran into proc problems when I replicated a vserver that was running to
another one, when I attempted to start the new one it gave stat proc
errors and hung on startup.
Assuming you exclude proc, then you can sync a running vserver from one
machine to another.

I had a disk fail this week and had to switch from one vserver to another.
Sure was a lot easier than methods I've used before to replicate.
Only had about 60 seconds of downtime.
If I had done a synchronized shutdown/rsync/restart I would have probably
shaved 30 seconds off the downtime.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] grsecurity ending

2004-06-01 Thread Lucas Albers
It appears the grsecurity project is ending.
The developer was not getting the support he required to continue the
project.
If anyone else uses grsecurity with vserver, perhaps you could offer him
some support to keep working on it.
http://developers.slashdot.org/article.pl?sid=04/05/31/1949241&mode=thread&tid=106&tid=126&tid=172&tid=185

He currently has 10 sponsors and is looking to make enough to pay for his
expenses.

In any case just thought I'd let you know.
I use grsecurity on my vserver project for additional security, and it has
worked well.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] grsecurity ending

2004-06-01 Thread Lucas Albers
Dariush Pietrzak said:
> So... no one wants to maintain vserver+grsec... and now no one wants to
> maintain grsec itself?

Well he's borrowing money to buy food.
So he can't support himself and spend all his time doing grsecurity. One
of his sponsors failed to pay him, so he's stuck.



The current vserver+grsecurity is working perfectly well for me on my
systems. I've been using Sandino Araico Sanchez's vserver+grsec patch and
they've been stable as a rock.


From: Sandino Araico Sánchez [EMAIL PROTECTED]
> I've just uploaded the patch Vserver 1.27 + GR Security 1.9.14 against
> 2.4.25 to
> http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.27.patch.gz

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana





[Vserver] rsyncing vservers from one machine to another

2004-05-31 Thread Lucas Albers
I have been busy rsyncing vservers from machine to machine to handle
failed disks in a raid volume.

When you rsync systems, do you usually exclude proc?

Can anyone post a sample of what options they use when rsyncing vservers
from system to system?
I currently use these rsync options: -azP

I do an rsync, then take the system offline, rsync again, then start it up
on the other system.
Or should I just rsync when the system is up?


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana

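The replication steps in the "VServer management" post (rsync, copy the conf, stop the old one, sync again, start the new one) and the rsync questions just above (exclude proc? sync once live and again after stopping?) fit in one script. This is an added example, not Luke's procedure and not util-vserver code. It assumes the vserver 1.x layout of /vservers/NAME plus /etc/vservers/NAME.conf, a `vserver NAME stop|start` command on both hosts, rsync over ssh as root, and the hostname and paths passed on its command line (web1, newhost and /vservers in the usage line are placeholders). It refuses the final pass while a procfs is still mounted under the root, which is the condition behind the "stat proc" errors described in the management post.

```shell
#!/bin/sh
# vserver_migrate.sh: two-pass rsync move of a vserver root to another host.
# Added example, not code from the list posts. Assumes the vserver 1.x
# layout (root in /vservers/NAME, config in /etc/vservers/NAME.conf),
# "vserver NAME stop|start" on both hosts, rsync over ssh as root, and the
# hostnames/paths given on the command line. DRY_RUN=1 prints the
# privileged commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# A mounted procfs always has /proc/self; an empty mountpoint does not.
# Copying a live proc is what produced the "stat proc" errors at startup.
proc_mounted() {
    [ -e "${1%/}/proc/self" ]
}

# vs_rsync SRC_ROOT HOST:DEST_ROOT [extra rsync flags]
# --numeric-ids keeps the vserver's own uid/gid numbering (its passwd, not
# the host's); a leading "/" anchors each exclude at the vserver root, and
# the trailing "/*" keeps the (empty) mountpoint directories themselves.
vs_rsync() {
    src=$1; dst=$2; shift 2
    run rsync -azH --numeric-ids -e ssh "$@" \
        --exclude='/proc/*' --exclude='/sys/*' --exclude='/dev/pts/*' \
        --exclude='/tmp/*' --exclude='/var/run/*' --exclude='/var/lock/*' \
        "${src%/}/" "$dst"
}

# migrate_vserver NAME LOCAL_ROOT DEST_HOST DEST_VSERVERS_DIR
migrate_vserver() {
    name=$1; root=$2; host=$3; remote=$4
    [ -d "$root" ] || { echo "no such vserver root: $root" >&2; return 2; }
    # Pass 1: bulk copy while the vserver keeps serving (no --delete yet).
    vs_rsync "$root" "$host:$remote/$name" || return 1
    # Stop it; pass 2 then copies only the delta and --delete makes it exact.
    run vserver "$name" stop || return 1
    if proc_mounted "$root"; then
        echo "proc is still mounted under $root; refusing the final pass" >&2
        return 1
    fi
    vs_rsync "$root" "$host:$remote/$name" --delete || return 1
    # The config lives outside the root and must move with it.
    run scp -p "/etc/vservers/$name.conf" "$host:/etc/vservers/$name.conf" || return 1
    run ssh "$host" vserver "$name" start
}

# Usage: DRY_RUN=1 sh vserver_migrate.sh web1 /vservers/web1 newhost /vservers
if [ $# -eq 4 ]; then
    migrate_vserver "$@"
fi
```

Downtime is the window between the `stop` and the remote `start`, i.e. one delta rsync, which is the "synchronized shutdown/rsync/restart" the management post estimates would save about half of a hand-run move. Run it first with DRY_RUN=1 to see the exact command plan.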


Re: [Vserver] VServer, heartbeat and drbd

2004-05-27 Thread Lucas Albers

Gebhardt Thomas said:
> We are running this type of setup here but don't yet have any experience
> with real hardware failures but only with test situations.
>
> Yes, you are right: heartbeat doesn't need to manage the ip takeover,
> vserver does. We emit an unsolicited arp reply in the vserver pre-start
> script in order to inform all hosts in the local subnet about the
> takeover.
> We don't run the rebootmgr because we noticed that its open socket
> in the vserver filesystem prevented heartbeat from unmounting the
> vserver filesystem and the takeover hangs.
>
> Our heartbeat resources are datadisk, vserver and MailTo, where the
> vserver resource script is just a symbolic link to the standard vserver
> script.
>
>> Off-topic: If you are using drbd, how are you managing the synchro when
>> the master BA comes online again?
>
> Don't know what you want to know here. We have heartbeat configured with
> auto_failback off, so when BA comes up again, the vserver stay on BB
> until we interactively force the takeover. So we can have a look at BA
> and eventually start drbd on BA if that doesn't happen automagically.
> If you want to force a full sync, you have to delete all files in
> /var/lib/drbd before reconnecting BA. After drbd has synced the
> disk(s) you can do a /usr/lib/heartbeat/hb_standby foreign on BB
> to force the failback of the vservers.
>
> Cheers, Thomas

Could you post more details about this?
1.) The startup script you have for a vserver which does the ARP takeover.
Assume it is listed in /etc/vservers/servername.sh.
How do you disable rebootmgr if you are using vserver?
Does this break other items?
2.) Your heartbeat script.
3.) Your sample drbd config.

Any other changes you had to make to vserver to get this to work?
I'll go ask on the drbd list for more drbd-specific information.
Thanks.
I'll write this up if I can get more information on this, thanks.
-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana

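Alberto's "drbd primary all, mount, vserver start" core line, Thomas's notes on the unsolicited ARP reply and on the rebootmgr socket that kept heartbeat from unmounting, and Luke's request above for the heartbeat script all describe the same resource script. The one below is an added example, not Alberto's or Thomas's script and not part of heartbeat or vserver. The script name vserver-ha, the haresources line, /dev/drbd0, the /vservers mountpoint, 192.0.2.20 and eth0 are assumptions, as is the `vserver NAME running` status query and heartbeat 1.x reading the words "running"/"stopped" from the status action. It uses drbdadm from drbd 0.7, iputils `arping -U` for the unsolicited ARP reply, and fuser to catch the kind of open file that made the unmount hang.

```shell
#!/bin/sh
# /etc/ha.d/resource.d/vserver-ha: heartbeat 1.x haresources script that
# brings a vserver up on the surviving node. Added example; not Alberto's
# or Thomas's script. Assumptions: drbd 0.7 (drbdadm), the shared
# /vservers partition on $DRBD_DEV, "vserver NAME start|stop|running",
# and iputils arping. Assumed haresources line:
#   node1 vserver-ha::web1::192.0.2.20::eth0
# heartbeat then calls: vserver-ha web1 192.0.2.20 eth0 {start|stop|status}
# DRY_RUN=1 prints the privileged commands instead of running them.

DRBD_DEV=${DRBD_DEV:-/dev/drbd0}
MOUNTPOINT=${MOUNTPOINT:-/vservers}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# vsha_start NAME IP IFACE: become drbd primary, mount, start, announce.
vsha_start() {
    run drbdadm primary all             || return 1   # this node writes now
    run mount "$DRBD_DEV" "$MOUNTPOINT" || return 1
    run vserver "$1" start              || return 1
    # Unsolicited ARP reply: neighbours learn the IP moved to this MAC,
    # so traffic stops going to the dead node's cached address.
    run arping -U -c 3 -I "$3" "$2"
    return 0
}

# vsha_stop NAME: reverse order. Nothing may hold a file under the
# mountpoint (the rebootmgr socket did, and the unmount hung), so check
# for stragglers after stopping and before handing the device back.
vsha_stop() {
    run vserver "$1" stop
    if [ "${DRY_RUN:-0}" != 1 ] && fuser -m "$MOUNTPOINT" >/dev/null 2>&1; then
        echo "processes still hold files under $MOUNTPOINT:" >&2
        fuser -mv "$MOUNTPOINT" >&2
        return 1
    fi
    run umount "$MOUNTPOINT"        || return 1
    run drbdadm secondary all       || return 1
}

# vsha_status NAME: heartbeat 1.x expects "running" or "stopped" on stdout.
vsha_status() {
    if vserver "$1" running >/dev/null 2>&1; then echo running; else echo stopped; fi
}

# vsha_main NAME IP IFACE ACTION (the action is last, as haresources passes it).
vsha_main() {
    name=$1; ip=$2; iface=$3; action=$4
    case "$action" in
        start)  vsha_start "$name" "$ip" "$iface" ;;
        stop)   vsha_stop "$name" ;;
        status) vsha_status "$name" ;;
        *) echo "usage: $0 NAME IP IFACE {start|stop|status}" >&2; return 1 ;;
    esac
}

[ $# -eq 4 ] && vsha_main "$@"
```

With auto_failback off, as Thomas describes, this script runs `start` only on the node heartbeat picks; a later `hb_standby foreign` on the standby triggers the `stop` here and the `start` on the returning node, after drbd has resynced.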


Re: [Vserver] unixbench results: vanilla/1.9.1 host/1.9.1 vserver

2004-05-22 Thread Lucas Albers
Would it make any difference to the benchmark what the native file system
on the base system is?
It mounts the vserver as a virtual ext3 filesystem.
Would it make any difference whether the native file system was ext3 or
reiser?

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



[Vserver] vserver service command

2004-05-06 Thread Lucas Albers
The command:
vserver service
on debian is non-functional, correct?
As Debian has no equivalent service command, this is just a carryover
from redhat.

This is as part of the vserver package.

vserver [ options ] server-name command ...

server-name is a directory in /var/lib/vservers

The commands are:
 build   : Create a virtual server by copying the packages
   of the root server
 enter   : Enter in the virtual server context and starts a shell
 service : Control a service inside a vserver



-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] Security Context?

2004-05-04 Thread Lucas Albers
Dude,
read the documentation, you are asking rtm questions.

Gilbert said:
> Just curious if anyone would know what this happens to mean:
>
> [EMAIL PROTECTED] vservers]# vserver test start
> Starting the virtual server test
> Server test is not running
> ipv4root is now 69.64.37.50
> New security context is 49165
>
>
> Thanks
> Gilbert



-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] [Release] Stable 1.27

2004-04-26 Thread Lucas Albers
I have been using this patch combination on my dual-proc p4 system.
It has been surprisingly stable, even with all my attempts to crash it with
ltp.
Even when running computational jobs and ltp-kernel tests it has been
uber stable.
I have only been using it for a week of hardcore stress testing.

Is there a patch out for 2.4.26 yet?

I am currently using the following grsecurity options:
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# PaX Control
#
CONFIG_GRKERNSEC_PAX_SOFTMODE=y
CONFIG_GRKERNSEC_PAX_EI_PAX=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# ACL options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
# CONFIG_GRKERNSEC_CHROOT_DOUBLE is not set
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

and it is doing great!
I also installed the libsafe package, as that provides additional
protection for c-string overruns.

From the output of paxtest, you can see it is blocking most exploits:
PaXtest - Copyright(c) 2003 by Peter Busser [EMAIL PROTECTED]
Released under the GNU Public Licence version 2 or later

Executable anonymous mapping : Killed
Executable bss   : Killed
Executable data  : Killed
Executable heap  : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect): Killed
Executable data (mprotect)   : Killed
Executable heap (mprotect)   : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)  : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC): 13 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test: 16 bits (guessed)
Stack randomisation test (SEGMEXEC)  : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)  : 23 bits (guessed)
Return to function (strcpy)  : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/lib/paxtest/rettofunc1.
uid=0  euid=0  pid=21402
Call stack:
Killed
Return to function (strcpy, RANDEXEC): Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/lib/paxtest/rettofunc1x.
uid=0  euid=0  pid=21406
Call stack:
Killed
Return to function (memcpy)  : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/lib/paxtest/rettofunc2.
uid=0  euid=0  pid=21410
Call stack:
Killed
Return to function 

Re: [Vserver] vserver + other security patches

2004-04-20 Thread Lucas Albers

Dariush Pietrzak said:
>> Is it possible to get these 3 patches working together:
>> ctx+grsecurity+vserver.
> ctx IS vserver? you mean ctx quota+grsec+vserver?
> Possible.

Yes, the ctx quota patch.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] vserver + other security patches

2004-04-19 Thread Lucas Albers
Is it possible to get these 3 patches working together:
ctx+grsecurity+vserver.

I need grsecurity to protect against numerous and repeated shell cracking
attempts from my students on the login server.

I need the ctx patch to force disk quotas on the servers they use.

Is there any problem with using 2.4.25+patch-2.4.25-vs1.27-q0.14.diff
and then a ctx patch?
The archives contain conflicting opinions on this.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



Re: [Vserver] [Release] Stable 1.27

2004-04-19 Thread Lucas Albers
I got an error applying the grsec patch, appears to be trying to delete a
non-existent file on my system.
(link listed below.)
Other than that error, it applied clean.

**
The next patch would delete the file arch/x86_64/ia32/ptrace32.c.orig,
which does not exist!  Assume -R? [n]
Apply anyway? [n] y
can't find file to patch at input line 6008
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|diff -uriN linux-2.4.25/arch/x86_64/ia32/ptrace32.c.orig linux-2.4.25-grsec-1.9.14-vserver-1.27/arch/x86_64/ia32/ptrace32.c.orig
|--- linux-2.4.25/arch/x86_64/ia32/ptrace32.c.orig  2004-02-19 14:47:07.0 -0600
|+++ linux-2.4.25-grsec-1.9.14-vserver-1.27/arch/x86_64/ia32/ptrace32.c.orig  1969-12-31 18:00:00.0 -0600
--
File to patch:
Skip this patch? [y]
**


Sandino Araico Sánchez said:
 I've just uploaded the patch Vserver 1.27 + GR Security 1.9.14 against
 2.4.25 to
 http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.27.patch.gz


 I have not tested it yet in production but it should work since I saw no
 significant difference from previous patch.

 Herbert Poetzl wrote:

Hi Folks!

vserver stable isn't dead yet ;)

I updated the 1.2 (stable) branch to vs1.27, which
includes a few bugfixes and contributions ...

 * the 'notail' flag used for the barrier is no
   longer inherited from dir to files ...
 * the 'bind sequence is important' issue was
   fixed (thanks to Cathy Sarisky for reporting)
 * the 'secure ipv6 on host' patch was added
   (kudos go to Ivo De Decker)

you can download an all-in-one patch for 2.4.25
and 2.4.26-pre5 or tar archives of the broken out
patches as well as a 2.4.25 incremental at:

http://www.13thfloor.at/vserver/s_release/overview

enjoy,
Herbert






 --
 Sandino Araico Sánchez
 -- What doesn't kill you makes you fat.




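The hunk that failed above is a diff against a stray ptrace32.c.orig backup file that was still in the tree when the combined patch was generated; patch asks "Assume -R?" because the file it wants to delete never existed on a clean 2.4.25. Before applying a stacked grsec+vserver patch it is worth listing every hunk whose target is a backup or reject artifact and dropping those hunks (filterdiff from patchutils does this with -p1 -x '*.orig' -x '*.rej'), then doing a dry run. The script below is an added example and not part of linux-vserver, grsecurity or the patch posted above; the sample patch it scans is constructed, and its second hunk mirrors the one in the error output.

```shell
#!/bin/sh
# Added example: scan a combined kernel patch for hunks that touch editor
# backup or reject artifacts (*.orig, *.rej, *~) before applying it.
# Not part of linux-vserver or grsecurity; the sample patch is constructed.

# Read a unified diff on stdin and print, for every file hunk whose '+++'
# header names a backup artifact, the path with one leading component
# stripped (the -p1 convention used for kernel patches).
find_backup_files() {
    awk '
        /^\+\+\+ / {
            path = $2                      # field 2 is the path, 3+ the timestamp
            sub(/^[^\/]*\//, "", path)     # strip the first path component (-p1)
            if (path ~ /(\.orig|\.rej|~)$/) print path
        }
    '
}

# Return 0 if the patch on stdin is clean, 1 if it carries backup artifacts.
check_patch() {
    bad=$(find_backup_files)
    if [ -n "$bad" ]; then
        printf 'stray backup hunks:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one genuine hunk followed by a deletion of a .orig
# file of the kind that produced the "does not exist! Assume -R?" prompt.
SAMPLE_PATCH='diff -uriN linux-2.4.25/fs/proc/base.c linux-2.4.25-vs/fs/proc/base.c
--- linux-2.4.25/fs/proc/base.c 2004-02-19 14:47:07.000000000 -0600
+++ linux-2.4.25-vs/fs/proc/base.c 2004-04-19 10:00:00.000000000 -0600
@@ -1,3 +1,4 @@
 #include <linux/proc_fs.h>
+static int y;
 
 static int x;
diff -uriN linux-2.4.25/arch/x86_64/ia32/ptrace32.c.orig linux-2.4.25-vs/arch/x86_64/ia32/ptrace32.c.orig
--- linux-2.4.25/arch/x86_64/ia32/ptrace32.c.orig 2004-02-19 14:47:07.000000000 -0600
+++ linux-2.4.25-vs/arch/x86_64/ia32/ptrace32.c.orig 1969-12-31 18:00:00.000000000 -0600
@@ -1,2 +0,0 @@
-int old;
-int older;
'

# Usage:
#   printf '%s\n' "$SAMPLE_PATCH" | check_patch     # reports ptrace32.c.orig, exits 1
#   check_patch < combined.patch && patch -p1 --dry-run < combined.patch
```

On a real tree, run the check first, strip the flagged hunks with filterdiff, and only then dry-run the patch; a hunk against a .orig file is harmless in itself, but it is a sign that the combined patch was built from an unclean tree and deserves a second look.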


Re: [Vserver] Nearly dancing

2004-04-12 Thread Lucas Albers
I've run the ltp test project on my servers before production deployment
to test them out.
Debian has the ltp and ltp-kernel-test packages for installing this.
I just set up a quad xeon and let it run 5 days of memory/cpu/process
stress testing, and it passed.
Last summer I had a system that had unstable hardware, and the only way to
find it was to run ltp for 1-2 days before it core dumped.


 well, basically I'm happy if you do some heavy
 stress testing, with around 30-40 vservers or similar
 there are some 'stress' tools and/or methods I can
 provide to do additional stability tests ...



Re: [Vserver] Can't set the new security context

2004-04-08 Thread Lucas Albers

Herbert Poetzl said:

 201 is known to fail with stable branch and legacy tools
 (vserver-0.XX) it works with experimental, and util-vserver
 tools (0.29.3 for example)

 I read through the archives and could not find any more information about this particular error.

 that is the reason, why I do not include the vserver tools
 on the download page (vs1.26/vs1.27), only the util-vserver
 ones ...

Herbert,
Are there any more newvserver diffs or complaints?
I'm filing all of the patches/bugs for it on the debian site, for the
newvserver maintainer.


Re: [Vserver] reiserfs and barrier ...

2004-04-05 Thread Lucas Albers
Which item is this protecting against?

Herbert Poetzl said:

 Hi everyone!

 yesterday we spent a few hours to find out the
 (for reiserfs users?) obvious about reiserfs and
 attributes like immutable or iunlink ...

 reiserfs (as in 2.4.25) requires an additional
 mount option called 'attrs' to honor those flags
 (and of course, to make the barrier work)

 so if you use reiserfs, keep in mind to activate
 this option, otherwise it will not be secure
 with linux-vserver ...

 HTH,
 Herbert




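The item this protects is the filesystem side of the vserver barrier: immutable and iunlink flags on the guest root (and on the unified files shared between guests) are what stops a guest root from modifying or replacing them, and reiserfs in 2.4.25 silently ignores those flags unless it is mounted with attrs. A host audit therefore has two parts: check the option list of every reiserfs entry in /proc/mounts, and confirm on the live volume that the kernel really refuses to unlink an immutable file. The script below is an added example, not something shipped with linux-vserver; the mount table it parses is constructed, and the live check assumes chattr from e2fsprogs and root on a real reiserfs mount point.

```shell
#!/bin/sh
# Added example (not from linux-vserver): find reiserfs mounts that lack the
# 'attrs' mount option, without which immutable/iunlink flags and the
# vserver barrier are not enforced, then verify enforcement on a live volume.

# Read /proc/mounts-format lines on stdin and print the mount point of
# every reiserfs entry whose option list does not contain 'attrs'.
reiserfs_without_attrs() {
    awk '
        $3 == "reiserfs" {
            n = split($4, opts, ",")
            has = 0
            for (i = 1; i <= n; i++) if (opts[i] == "attrs") has = 1
            if (!has) print $2
        }
    '
}

# Constructed sample mount table: a correctly mounted reiserfs volume, one
# mounted without attrs, and an ext3 volume that does not need the option.
SAMPLE_MOUNTS='/dev/md0 / ext3 rw,errors=remount-ro 0 0
/dev/md1 /vservers reiserfs rw,attrs,notail 0 0
/dev/md2 /vservers2 reiserfs rw,noatime 0 0
proc /proc proc rw 0 0'

# Live check (needs root and a real mount point): set +i on a scratch file
# and confirm the kernel refuses to unlink it. Returns 0 if the flag is
# enforced, 1 if the unlink went through (flag ignored), 2 on setup errors.
immutable_enforced() {
    dir=$1
    f="$dir/.attrs-check.$$"
    : > "$f" || return 2
    chattr +i "$f" || { rm -f "$f"; return 2; }
    if rm -f "$f" 2>/dev/null && [ ! -e "$f" ]; then
        return 1                       # unlink succeeded: attrs not honoured
    fi
    chattr -i "$f" && rm -f "$f"       # clean up the scratch file
    return 0
}

# Usage:
#   printf '%s\n' "$SAMPLE_MOUNTS" | reiserfs_without_attrs   # prints /vservers2
#   reiserfs_without_attrs < /proc/mounts                     # on a live host
#   immutable_enforced /vservers && echo "immutable flag enforced"
```

The mount-table check is cheap enough to run from the vserver start script and abort when it prints anything; the live check is the one that catches the case where attrs is present in /etc/fstab but the volume was remounted by hand without it.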


[Vserver] vserver+drbd

2004-03-29 Thread Lucas Albers
Are there any updated directions on using
HA+drbd+vserver for high availability vserver clustering?
I'm looking for some setup directions on how to use all these items
together for HA vserver clustering.




[Vserver] Using software raid with vserver

2004-03-29 Thread Lucas Albers
I recently wrote a document on using the mdadm tools on linux for debian
systems.
imo mdadm is much easier than raidtools to use for software raid.

It includes directions on configuring a system to switch the root partition to
software raid, and configuring software raid.
While this is a bit off topic, I thought it might be useful if you want
to switch your systems to software raid.
I use raid5 software raid on my vserver install.
It was the only way I could get a big enough volume for all my vservers.
http://rootraiddoc.alioth.debian.org/

Please contact me with any errata or vserver specific software raid items.



[Vserver] Can't set the new security context

2004-03-25 Thread Lucas Albers
When trying to stop a vserver instance I get the following error:
Can't set the new security context

see complete error here:
--
vserver web2 stop;
Stopping the virtual server web2
Server web2 is running
ipv4root is now 153.90.199.59
: Invalid argument
sleeping 5 seconds
Killing all processes
---
debian
2.4.25 kernel with vs 1.26
vserver 0.29-2
I used debian newvserver to create the vserver instance.
It starts fine, but does not want to stop.

I ran herbert's test script
http://vserver.13thfloor.at/Stuff/testme.sh
and it indicates failure on test number 201.

Test Output:
---
Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.4.25-vs1.26-grsec18 i686/0.29/0.29 [J]
---
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# failed.
[202]# succeeded.
---

The verbose failure is:
[201]# chcontext --ctx 100 --flag fakeinit grep 'initpid: 0' /proc/self/status
[201]# failed.


I thought at first it was because I had included the vserver+grsec patch,
so I recompiled a new kernel without any grsecurity options, and it still
had the same error.

I read through the archives and could not find any more information about
this particular error.


Re: [Vserver] Can't set the new security context

2004-03-25 Thread Lucas Albers

Lucas Albers said:
 When trying to stop a vserver instance I get the following error:
 Can't set the new security context

It looks like when I run the vserver script, it does not define the
correct context:
Here is the line from my vserver script to stop or start a vserver.
isn't it supposed to have a number defining the context right after --ctx?

relevant output from running vserver stop webx;

---
/usr/sbin/chbind --ip 153.90.xxx.xx --bcast 153.90.xxx.xxx
/usr/sbin/chcontext --secure --ctx /usr/lib/vserver/capchroot .
/etc/init.d/rc 6
ipv4root is now 153.90.xxx.xx
---

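What the trace above shows is the legacy vserver script expanding --ctx with an empty S_CONTEXT, so chcontext took the next word, /usr/lib/vserver/capchroot, as the context id and failed with "Can't set the new security context". The snippet below is an added example and not code from the vserver or util-vserver packages: it reads S_CONTEXT from a legacy /etc/vservers/<name>.conf style file without sourcing it (sourcing would execute whatever the file contains) and refuses to build the chcontext line unless the value is an integer of at least 2. The sample config contents are constructed; treating 0 and 1 as reserved for the host side is an assumption about the 1.2x branch and is stated in the code.

```shell
#!/bin/sh
# Added example, not from the vserver package: refuse to build a chcontext
# command line when S_CONTEXT is unset or not a number. With an empty
# S_CONTEXT the legacy script emits "--ctx /usr/lib/vserver/capchroot", so
# chcontext silently takes the helper path as the context id and fails.

# Extract S_CONTEXT from a legacy /etc/vservers/<name>.conf on stdin without
# sourcing it. Accepts S_CONTEXT=100 and S_CONTEXT="100"; last match wins.
read_s_context() {
    sed -n 's/^[[:space:]]*S_CONTEXT=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p' | tail -n 1
}

# A guest context id must be a positive integer. Assumption: 0 (the host)
# and 1 (the host-side "see everything" context) are never valid for a guest.
valid_ctx() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ]
}

# Print the chcontext invocation the start/stop script would run for a
# guest, or fail with a clear message instead of a misparsed command line.
chcontext_cmd() {
    ctx=$1
    if ! valid_ctx "$ctx"; then
        printf 'refusing to run: S_CONTEXT is "%s", need an integer >= 2\n' "$ctx" >&2
        return 1
    fi
    printf '/usr/sbin/chcontext --secure --ctx %s /usr/lib/vserver/capchroot . /etc/init.d/rc 6\n' "$ctx"
}

# Constructed sample configs (the real ones live in /etc/vservers/<name>.conf).
GOOD_CONF='IPROOT=153.90.199.59
S_CONTEXT=100
ONBOOT=yes'
BAD_CONF='IPROOT=153.90.199.59
ONBOOT=yes'

# Usage:
#   ctx=$(printf '%s\n' "$GOOD_CONF" | read_s_context); chcontext_cmd "$ctx"
#   ctx=$(printf '%s\n' "$BAD_CONF"  | read_s_context); chcontext_cmd "$ctx"   # refused
```

The same validation belongs in front of any wrapper that passes a configuration value as a positional argument to a privileged helper: an empty variable does not produce an error at the shell level, it just shifts every later argument one place to the left.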


[Vserver] determine version of vserver

2004-03-07 Thread Lucas Albers
I am running the sourceforge.net wolk 4.11s kernel.
It has vserver as part of the package, but I am unable to determine the
version of vserver.
Is it possible to determine the vserver version from a running system?
I did not see any user space utilities to do this.
Nor could I find anything in /proc or /dev that indicated this.
Nor could I find anything in dmesg.
Any ideas on what I am overlooking?





[Vserver] debian dependency question

2004-03-07 Thread Lucas Albers
I installed the testing version of vserver for debian(!).
And I was curious to know why it had this dependency:
gcc-3.3-base

