Re: [Vserver] pam rlimits
Thanks Ben,

That solves the error reporting. Are those limits only set outside of the guest and do they not apply per guest basis?

Thanks,
-Nik

On Thu, 2006-06-15 at 11:08 -0400, Benoît des Ligneris wrote:

Hello,

Quick and dirty solution: you can edit the files that refer to pam_limits.so in your /etc/pam.d/

Generally, system-auth is concerned. You simply have to comment the line that refers to pam_limits

#session required pam_limits.so

The cause of the problem is that pam_limits tries to set limits that are already set _outside_ of the guest.

If you want to play with the limits set, you can modify /etc/security/limits.conf of the guest...

[ All this was tested on a Mandriva guest but it should be similar for other systems ]

Ben

Nikolay Kichukov wrote:

Hello everybody,

I found out in thread http://list.linux-vserver.org/archive/vserver/msg10043.html that Thorsten Gunkel was having the same issue I experience right now with pam limits generating a lot of error output in the auth.log file on the guest.

/var/log/auth.log :
snip...
Jun 15 14:09:01 vn pam_limits[20957]: setrlimit limit #12 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:09:01 vn CRON[20957]: (pam_unix) session closed for user root
Jun 15 14:10:01 vn CRON[20973]: (pam_unix) session opened for user venkas by (uid=0)
Jun 15 14:10:01 vn pam_limits[20973]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20973]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20973]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20973]: setrlimit limit #12 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn CRON[20975]: (pam_unix) session opened for user venkas by (uid=0)
Jun 15 14:10:01 vn pam_limits[20975]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20975]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20975]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20975]: setrlimit limit #12 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn CRON[20977]: (pam_unix) session opened for user venkas by (uid=0)
Jun 15 14:10:01 vn CRON[20978]: (pam_unix) session opened for user psycho by (uid=0)
Jun 15 14:10:01 vn CRON[20981]: (pam_unix) session opened for user o2crew by (uid=0)
Jun 15 14:10:01 vn CRON[20982]: (pam_unix) session opened for user o2crew by (uid=0)
Jun 15 14:10:01 vn CRON[20979]: (pam_unix) session opened for user o2crew by (uid=0)
Jun 15 14:10:01 vn pam_limits[20977]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20978]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn CRON[20975]: (pam_unix) session closed for user venkas
Jun 15 14:10:01 vn pam_limits[20981]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20982]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20979]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20977]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn CRON[20973]: (pam_unix) session closed for user venkas
Jun 15 14:10:01 vn pam_limits[20978]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20981]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20982]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20979]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20977]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20978]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20981]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20982]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 vn pam_limits[20979]: setrlimit limit #11 to soft=-1
[Vserver] pam rlimits
) CXX: g++, g++ (GCC) 4.0.3 (Debian 4.0.3-1)
    CPPFLAGS: ''
    CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: compat,v11,fscompat,v13,net,oldproc,olduts
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc
Paths:
    prefix: /usr/local
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: ${prefix}/var/run/vservers
    vserver-Rootdir: /var/lib/vservers/

How can this problem be solved?

Regards,
-Nikolay Kichukov

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
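The pam_limits failures quoted in this thread only name the resource by number ("limit #6", "#8", "#11", "#12"). The following is an added example, not part of the original thread: it parses such auth.log lines and maps each number to its RLIMIT name and the matching /etc/security/limits.conf item, assuming the x86 Linux resource numbering. The sample log lines (host name, PIDs, user) are constructed in the same format as the excerpt above.

```python
import re

# Resource numbers as used on x86 Linux (asm-generic/resource.h), each paired
# with the item name pam_limits reads from /etc/security/limits.conf.
# Assumption: the guest runs on an architecture with this numbering.
RESOURCES = {
    0: ("RLIMIT_CPU", "cpu"),
    1: ("RLIMIT_FSIZE", "fsize"),
    2: ("RLIMIT_DATA", "data"),
    3: ("RLIMIT_STACK", "stack"),
    4: ("RLIMIT_CORE", "core"),
    5: ("RLIMIT_RSS", "rss"),
    6: ("RLIMIT_NPROC", "nproc"),
    7: ("RLIMIT_NOFILE", "nofile"),
    8: ("RLIMIT_MEMLOCK", "memlock"),
    9: ("RLIMIT_AS", "as"),
    10: ("RLIMIT_LOCKS", "locks"),
    11: ("RLIMIT_SIGPENDING", "sigpending"),
    12: ("RLIMIT_MSGQUEUE", "msgqueue"),
    13: ("RLIMIT_NICE", "nice"),
    14: ("RLIMIT_RTPRIO", "rtprio"),
}

FAILURE_RE = re.compile(
    r"pam_limits\[(?P<pid>\d+)\]: setrlimit limit #(?P<res>\d+) to "
    r"soft=(?P<soft>-?\d+), hard=(?P<hard>-?\d+) failed: (?P<err>[^;]+); "
    r"uid=(?P<uid>\d+) euid=(?P<euid>\d+)"
)

# Constructed sample input; the last pam_limits line is cut short on purpose,
# like the final line of the excerpt in the thread.
SAMPLE_LOG = """\
Jun 15 14:10:01 guest CRON[3001]: (pam_unix) session opened for user alice by (uid=0)
Jun 15 14:10:01 guest pam_limits[3001]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 guest pam_limits[3001]: setrlimit limit #8 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 guest pam_limits[3001]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 guest pam_limits[3001]: setrlimit limit #12 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 guest pam_limits[3002]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Jun 15 14:10:01 guest pam_limits[3002]: setrlimit limit #8 to soft=-1
Jun 15 14:10:01 guest CRON[3001]: (pam_unix) session closed for user alice
"""


def parse_failures(lines):
    """Return one dict per complete pam_limits setrlimit failure line."""
    failures = []
    for line in lines:
        m = FAILURE_RE.search(line)
        if m is None:
            continue  # CRON/pam_unix lines and truncated entries are skipped
        failures.append({
            "pid": int(m.group("pid")),
            "resource": int(m.group("res")),
            "soft": int(m.group("soft")),
            "hard": int(m.group("hard")),
            "error": m.group("err").strip(),
            "euid": int(m.group("euid")),
        })
    return failures


def root_denied_unlimited(failure):
    """True when euid 0 asked for an unlimited hard limit (-1) and got EPERM.

    setrlimit(2) lets only a process holding CAP_SYS_RESOURCE raise a hard
    limit, so this pattern is consistent with a guest root that lacks it.
    """
    return (failure["euid"] == 0 and failure["hard"] == -1
            and failure["error"] == "Operation not permitted")


def summarize(lines):
    """Group failures by resource name: count, affected PIDs, limits.conf item."""
    summary = {}
    for f in parse_failures(lines):
        name, item = RESOURCES.get(
            f["resource"], ("unknown #%d" % f["resource"], None))
        entry = summary.setdefault(name, {
            "limits_conf_item": item,
            "count": 0,
            "pids": set(),
            "root_denied_unlimited": True,
        })
        entry["count"] += 1
        entry["pids"].add(f["pid"])
        entry["root_denied_unlimited"] &= root_denied_unlimited(f)
    return summary


if __name__ == "__main__":
    for name, entry in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print("%-18s limits.conf item=%-10s failures=%d sessions=%d" % (
            name, entry["limits_conf_item"], entry["count"], len(entry["pids"])))
```

The limits.conf item names it reports are the entries to review in the guest's /etc/security/limits.conf before deciding whether to comment out pam_limits.so entirely.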
Re: [Vserver] Problem installing util-vserver-0.30.210-2mdk.i586
Hi,

this does not look like kernel/patch related issue. It seems to be a dependency problem. I am not sure how the rpm works so I cannot be of greater help here ;-(

Why not try to manually

./configure
make
make install
make install-distribution

the util-vserver ?

regards,
-Nikolay Kichukov

- Original Message -
From: Nicolas Costes [EMAIL PROTECTED]
To: vserver@list.linux-vserver.org
Sent: Monday, June 12, 2006 1:39 PM
Subject: [Vserver] Problem installing util-vserver-0.30.210-2mdk.i586
Re: [Vserver] howto apply patch
hello Varun,

the patch can be applied once you navigate to your kernel's core directory ( i.e. /usr/src/linux-2.16.18/ ) and then issue the command:

patch -p1 < patch-2.6.16.17-vs2.0.2-rc21.diff

Hope that helps,
-Nikolay Kichukov

On Sun, 2006-06-04 at 10:10 +0530, varun wrote:

Hello,

Howto apply the following patch : patch-2.6.16.17-vs2.0.2-rc21.diff

Thanks
Varun

--
When we are happy, we are good. But when we are good, we are not always happy... -Oscar Wilde
Re: [Vserver] traffic accounting and shaping
Thanks Herbert,

I will definitely keep testing to see if all works as said. If there are any issues, I will let the list know.

btw, is it normal that the routing table in a guest looks something like: the same as the one on the host, except for the default gw? All the fields for default gw show 0.0.0.0 ?

Regards,
-nik

On Sat, 2006-05-13 at 16:50 +0200, Herbert Poetzl wrote:

On Sat, May 13, 2006 at 03:45:38PM +0300, Nikolay Kichukov wrote:

Good afternoon all.

The topic I would like to discuss here is how one is able to setup the host so it does traffic accounting with iptables and traffic shaping and policing with iproute2 for a guest on the host.

What brought me to this was a recent posting named What is the best way to connect from 1 vserver to other vserver within the same host ? There I learned that the guest connections actually go through the host lo interface?! Which alternatively made me think why do I ever created a file called dev with one of my interfaces there if the traffic from the guest goes through the host loopback device? Can someone please elaborate a bit more on this topic?

well, it's the way the linux (and probably many other) network stack works, local traffic is sent via lo, remote traffic is sent via some network card/interface

check out this ancient posting for some ideas: http://archives.linux-vserver.org/200311/0470.html

Then, having the following setup: dev=eth0 which is the interface that is connected to the internal LAN ip=localIPaddress of the vserver in this scenario I have an entry in the nat table on the host that allows the guest to use the internet on the $EXTERNALINTERFACE :

iptables -t nat -A POSTROUTING -s localIPaddress/32 -j SNAT --to $EXTERNALIP

is there a way I can go without that if I configure the guest with nodev?

dev vs nodev does not change _anything_ regarding the way how the routing, nat and networking works

'dev' means that on guest startup, the 'ip' is created on that device, and on guest shutdown the same ip is removed again.

'nodev' just means that no ip is created at all, and the specified 'ip' is considered to exist already ...

Now about the traffic accounting topic, which are the tables that the packets generated from the guest and going back to the guest traverse to get to the internet on the $EXTERNALINTERNET eth1? If dev contains eth0, that is the internal interface and the other variant with nodev?

there is no 'internal' interface except for lo for local traffic, for the 'external' traffic, the routing and device setup will decide which ip and interface is used ...

The other point is about traffic shaping and policing. I use tc to do traffic shaping and policing for computers in the LAN and for the host itself. Now if I want to add limits for the guest, can I use eth0 to limit the max allowed outgoing speed? And then the max download speed on eth0? As a summary - will the packets on the guest go through the eth0?

everything, including the traffic accounting and network shaping work like on a normal linux system, all connection from a guest can be considered like the host connections, so all that stuff is identical to a linux system without the Linux-Vserver patch

Maybe that e-mail got too long and difficult to follow. Any help or further questions will be appreciated...

HTH,
Herbert

Thanks and Regards,
-Nik

--
When we are happy, we are good. But when we are good, we are not always happy... -Oscar Wilde
Re: [Vserver] vserver build docs, and vserver docs in general
Hi all,

I would totally agree with ADNET. Full documentation is badly needed for that project. I am sure that a technical writer can be involved to follow up with software updates and kernel patches and thus upgrade the documentation accordingly. Anyone may comment on that further?

I consider that building complete and thorough documentation at this stage is already a must. Many new people are being attracted to the vserver project, and if it cannot provide complete definitions for all it does, I consider that a pitfall. However, I believe a documentation project will be started as soon as the developers have some more free time on their hands.

Another possible idea is, developers to describe the changes in the new versions and send them to the list, like what functionality has been added, what new tools have been included/removed, etc, so someone can modify already built documentation. But we will need complete documentation in the first place to keep up with the updates later on.

Regards,
-nik

On Sun, 2006-05-14 at 21:26 +0200, ADNET Ghislain wrote:

Hi,

I found a lot of places for constructing Vservers with vserver build. But I am a little confused as I do not find anything about what are the vserver build parameters and documentation. I have searched the wiki, googled and such without success. Anyone can give me a hand ?

I do not know if this is me but to find an easy guide with all the options of the vserver and vserver utils would be a great help. Even the great flower page can be seen as a funny private joke but I certainly think that this private joke is quite repelling to any user trying to understand this project (yes we can select the style page but really).

I think perhaps this is time to washify the docs to get the core doc into one comprehensive document not linked to a particular user or distrib like all the how-to present on the site that are very helpful but not official enough and all geared toward specific items like Fedora or Debian or Ubuntu, nothing general, no practical example in a general presentation. All this is confusing no ?

I think really a manual with:

1/ concept
2/ technical way this is done (general level)
3/ how to install a vserver kernel ( neutral vanilla most details, Debian, Fedora example ) -- until here those already exist so are just to be compiled together
4/ how to install util-vserver ( neutral vanilla most details, Debian, Fedora example )
5/ how to build a vserver guest and the various options ( Debian guest, Ubuntu guest, Fedora guest )
6/ How to configure and limit guest systems with a flower page without the private joke
7/ Practical examples ( guest using the main eth0, guest NATED, guest quota, guest bandwidth limits, guest CPU limitation, guest load balancing, guest washification etc... )
8/ Where to find more, with links to the contributed how-to and the wiki etc..., mailing list link
9/ contrib page, we welcome your help

Will greatly help the project stand against other virtualisation technology, does it make sense to you or is it just me ?

I think this manual can stay in vanilla/Debian/Fedora land and let contributed how-to complete the picture.

Also the mix of 1.0 and 2.0 FAQ/how-to is troubling me, is there any way to put 1.0 and 2.0 docs in two separate parts ?

--
When we are happy, we are good. But when we are good, we are not always happy... -Oscar Wilde
Re: [Vserver] vserver traceroute
Hello Herbert,

I already joined irc and there were people there that helped me out resolve all the pending issues.

Thanks and Regards,
-Nikolay Kichukov

On Wed, 2006-05-10 at 14:42 +0200, Herbert Poetzl wrote:

On Sun, Apr 30, 2006 at 10:22:22PM +0300, Nikolay Kichukov wrote:

hello,

what i DID try to temporarily fix the problem and that did not work was:

vattribute --set --xid id --ccap raw_icmp --bcap -1

something else i wanted to ask was:

Another point that i noticed is, that the df command is no longer listing the /dev/hdv device. The output is something like:

df -ha
Filesystem  Size  Used Avail Use% Mounted on
proc           0     0     0    - /proc
devpts         0     0     0    - /dev/pts

What could be causing this?

Within the guest /etc/fstab is now empty. What caused that file to be erased?

somehow I lost the overview about the changes and/or the effects you observed, I'd suggest to pay a visit to the IRC channel (#vserver @ irc.oftc.net) where we should be able to track down whatever causes your issues ...

HTH,
Herbert

Regards,
-nik

- Original Message -
From: Herbert Poetzl [EMAIL PROTECTED]
To: Nikolay Kichukov [EMAIL PROTECTED]
Cc: vserver@list.linux-vserver.org
Sent: Sunday, April 30, 2006 9:21 PM
Subject: Re: [Vserver] vserver traceroute

On Sun, Apr 30, 2006 at 10:54:26PM +0300, Nikolay Kichukov wrote:

Hello,

Just upgraded to the latest development util-vserver release. However, when I try to vattribute, I am getting exactly the same behaviour. sshd is again not accepting connections. When I try to temporary fix the problem with --bcap -1, there is no update.

hmm, maybe you got that wrong, what I meant was: whenever you want to set the ccaps, also add the --bcaps -1 to that command line .. to work around the bug, btw, it works quite fine here with 0.30.210 + patches

HTH,
Herbert

/usr/local/sbin/vserver-info
Versions:
    Kernel: 2.6.14.4-vs2.1.0nevir
    VS-API: 0x00020001
    util-vserver: 0.30.210; Apr 30 2006, 20:31:56
Features:
    CC: gcc, gcc (GCC) 4.0.3 (Debian 4.0.3-1)
    CXX: g++, g++ (GCC) 4.0.3 (Debian 4.0.3-1)
    CPPFLAGS: ''
    CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: v13,net
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc
Paths:
    prefix: /usr/local
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: /var/run/vservers
    vserver-Rootdir: /var/lib/vservers
Assumed 'SYSINFO' as no other option given; try '--help' for more information.

Another point that i noticed is, that the df command is no longer listing the /dev/hdv device. The output is something like:

df -ha
Filesystem  Size  Used Avail Use% Mounted on
proc           0     0     0    - /proc
devpts         0     0     0    - /dev/pts

What could be causing this?

Regards,
-nik

On Sun, 2006-04-30 at 17:03 +0200, Herbert Poetzl wrote:

On Sun, Apr 30, 2006 at 02:53:20PM +0300, Nikolay Kichukov wrote:

Hello Herbert,

I see now. So traceroute cannot be used within a guest environment. I will try tracepath instead.

One more thing I'd like to comment on is that, every time I issue:

vattribute --set --xid id --ccap raw_icmp

on the host, I am getting the following error on the guest when I try to ssh to it:

fatal: chroot(/var/run/sshd): Operation not permitted

The only way I go around that is to reboot the guest. What am I doing wrong when I am setting the --ccap ? Do I reset some default ccaps or bcaps ? I only have the ccapabilities file and it only contain raw_icmp. So is the default startup of a vserver
Re: [Vserver] chkrootkit
I hope that is normal and there is no need to worry. Nice one Chuck! ;-)

Regards,
-Nikolay Kichukov

On Sat, 2006-04-29 at 23:23 -0400, Chuck wrote:

i just ran chkrootkit on our vserver host and got this... i suspect this is a result of the vserver patches and is normal? or should i worry?

Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

--
When we are happy, we are good. But when we are good, we are not always happy... -Oscar Wilde
Re: [Vserver] vserver traceroute
hello,

what i DID try to temporarily fix the problem and that did not work was:

vattribute --set --xid id --ccap raw_icmp --bcap -1

something else i wanted to ask was:

Another point that i noticed is, that the df command is no longer listing the /dev/hdv device. The output is something like:

df -ha
Filesystem  Size  Used Avail Use% Mounted on
proc           0     0     0    - /proc
devpts         0     0     0    - /dev/pts

What could be causing this?

Within the guest /etc/fstab is now empty. What caused that file to be erased?

Regards,
-nik

- Original Message -
From: Herbert Poetzl [EMAIL PROTECTED]
To: Nikolay Kichukov [EMAIL PROTECTED]
Cc: vserver@list.linux-vserver.org
Sent: Sunday, April 30, 2006 9:21 PM
Subject: Re: [Vserver] vserver traceroute

On Sun, Apr 30, 2006 at 10:54:26PM +0300, Nikolay Kichukov wrote:

Hello,

Just upgraded to the latest development util-vserver release. However, when I try to vattribute, I am getting exactly the same behaviour. sshd is again not accepting connections. When I try to temporary fix the problem with --bcap -1, there is no update.

hmm, maybe you got that wrong, what I meant was: whenever you want to set the ccaps, also add the --bcaps -1 to that command line .. to work around the bug, btw, it works quite fine here with 0.30.210 + patches

HTH,
Herbert

/usr/local/sbin/vserver-info
Versions:
    Kernel: 2.6.14.4-vs2.1.0nevir
    VS-API: 0x00020001
    util-vserver: 0.30.210; Apr 30 2006, 20:31:56
Features:
    CC: gcc, gcc (GCC) 4.0.3 (Debian 4.0.3-1)
    CXX: g++, g++ (GCC) 4.0.3 (Debian 4.0.3-1)
    CPPFLAGS: ''
    CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: v13,net
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc
Paths:
    prefix: /usr/local
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: /var/run/vservers
    vserver-Rootdir: /var/lib/vservers
Assumed 'SYSINFO' as no other option given; try '--help' for more information.

Another point that i noticed is, that the df command is no longer listing the /dev/hdv device. The output is something like:

df -ha
Filesystem  Size  Used Avail Use% Mounted on
proc           0     0     0    - /proc
devpts         0     0     0    - /dev/pts

What could be causing this?

Regards,
-nik

On Sun, 2006-04-30 at 17:03 +0200, Herbert Poetzl wrote:

On Sun, Apr 30, 2006 at 02:53:20PM +0300, Nikolay Kichukov wrote:

Hello Herbert,

I see now. So traceroute cannot be used within a guest environment. I will try tracepath instead.

One more thing I'd like to comment on is that, every time I issue:

vattribute --set --xid id --ccap raw_icmp

on the host, I am getting the following error on the guest when I try to ssh to it:

fatal: chroot(/var/run/sshd): Operation not permitted

The only way I go around that is to reboot the guest. What am I doing wrong when I am setting the --ccap ? Do I reset some default ccaps or bcaps ? I only have the ccapabilities file and it only contain raw_icmp. So is the default startup of a vserver initializing some extra flags/capabilities that are not necessarily predefined within flags/ccapabilities/bcapabilities?

there was a tool bug regarding vattribute, where you had to specify the bcaps when you want to change the ccaps, so you might try the following instead

vattribute --set --xid id --bcaps -1 --ccap raw_icmp

or update to a more recent version

HTH,
Herbert

Regards,
-Nikolay Kichukov

On Sat, 2006-04-29 at 19:28 +0200, Herbert Poetzl wrote:

On Fri, Apr 28, 2006 at 10:47:25PM +0300, Nikolay Kichukov wrote:

Hello Herbert,

Sorry for the long delay in replying again. Here is some further info about the traceroute tool I am using on the GUEST:

ah, obviously confused that because I do not use traceroute myself, just
Re: [Vserver] vserver traceroute
Hello Herbert,

Sorry for the long delay in replying again. Here is some further info about the traceroute tool I am using on the GUEST:

[EMAIL PROTECTED]:/usr/bin# dpkg --status traceroute
Package: traceroute
Status: install ok installed
Priority: important
Section: net
Installed-Size: 60
Maintainer: Graham Wilson [EMAIL PROTECTED]
Architecture: i386
Version: 1.4a12-20
Replaces: netstd
Depends: libc6 (= 2.3.5-1)
Conflicts: suidmanager ( 0.50)
Description: traces the route taken by packets over a TCP/IP network
 The traceroute utility displays the route used by IP packets on their way to a specified network (or Internet) host. Traceroute displays the IP number and host name (if possible) of the machines along the route taken by the packets. Traceroute is used as a network debugging tool. If you're having network connectivity problems, traceroute will show you where the trouble is coming from along the route.
 .
 Install traceroute if you need a tool for diagnosing network connectivity problems.
[EMAIL PROTECTED]:/usr/bin#
[EMAIL PROTECTED]:/usr/bin# ls -alh traceroute
lrwxrwxrwx 1 root root 28 Mar 17 00:38 traceroute -> /etc/alternatives/traceroute
[EMAIL PROTECTED]:/usr/bin# ls -alh /etc/alternatives/traceroute
lrwxrwxrwx 1 root root 23 Mar 17 00:38 /etc/alternatives/traceroute -> /usr/bin/traceroute.lbl
[EMAIL PROTECTED]:/usr/bin# ls -alh traceroute.lbl
-rwsr-xr-x 1 root root 18K Aug 30 2005 traceroute.lbl

and again that same error message:

[EMAIL PROTECTED]:/usr/bin# traceroute linux-vserver.org
traceroute: raw socket: Operation not permitted

I do have the raw_icmp ccapability enabled.

Further information:

[EMAIL PROTECTED]:~# vserver-info
Versions:
    Kernel: 2.6.14.4-vs2.1.0nevir
    VS-API: 0x00020001
    util-vserver: 0.30.209; Jan 8 2006, 12:24:41
Features:
    CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CPPFLAGS: ''
    CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc
Paths:
    prefix: /usr
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: /var/run/vservers
    vserver-Rootdir: /var/lib/vservers
Assumed 'SYSINFO' as no other option given; try '--help' for more information.

[EMAIL PROTECTED]:~# uname -a
Linux nevir 2.6.14.4-vs2.1.0nevir #4 Thu Mar 16 19:43:43 EET 2006 i686 GNU/Linux

Let me know if you need any more information to troubleshoot that matter.

Thanks,
-Nikolay Kichukov

- Original Message -
From: Herbert Poetzl [EMAIL PROTECTED]
To: Nikolay Kichukov [EMAIL PROTECTED]
Cc: vserver@list.linux-vserver.org
Sent: Friday, April 21, 2006 8:08 PM
Subject: Re: [Vserver] vserver traceroute

On Fri, Apr 21, 2006 at 05:30:53PM +0300, Nikolay Kichukov wrote:

hi,

the version is: util-vserver 0.30.209-2

Would you suggest an upgrade to get the traceroute going? It is not so important to make traceroute working. It is the idea that stays behind that. ;-) To have the guest at full operational power as if it is a real machine.

can you provide a static binary of that traceroute tool for testing? it is supposed to work with raw_icmp capability enabled ...

TIA,
Herbert

Thanks and regards,
-Nikolay Kichukov

- Original Message -
From: Herbert Poetzl [EMAIL PROTECTED]
To: Nikolay Kichukov [EMAIL PROTECTED]
Cc: vserver@list.linux-vserver.org
Sent: Thursday, April 20, 2006 9:43 PM
Subject: Re: [Vserver] vserver traceroute

On Thu, Apr 20, 2006 at 05:24:00PM +0300, Nikolay Kichukov wrote:

hello,

even trying to traceroute -I is still giving that same error message. What could be wrong? Do I need to set some extra ccapabilities?

Also, what does the --secure option of the vattribute do ?

that really depends on the tool version, which one do you have? usually it removes most capabilities from the guest

best,
Herbert

Regards,
-Nikolay Kichukov

- Original Message -
From: Xavier Montagutelli [EMAIL PROTECTED]
To: vserver@list.linux-vserver.org
Sent: Thursday, April 20, 2006 3:33 PM
Subject: Re: [Vserver] vserver traceroute

On Thursday 20 April 2006 13:29, Nikolay Kichukov wrote:

Hello guys,

Thanks for the advice, and sorry for taking me so long
Re: [Vserver] vserver traceroute
Hello guys,

Thanks for the advice, and sorry for taking me so long to respond. I tried setting:

host# vattribute --set --xid xid --secure --ccap raw_icmp

and when i try to traceroute a host I am again getting:

traceroute: raw socket: Operation not permitted

Any further ideas?

Another problem has now appeared: When i try to ssh to the guest sshd, i am getting the following error:

fatal: chroot(/var/run/sshd): Operation not permitted

/var/run/sshd is rwx for root and r-x for the group and others

Any ideas?

Additional info:
util-vserver 0.30.209-2 debian package
kernel 1.6.14.4-vs2.1.0

On Tue, 2006-04-11 at 13:17 +0200, Daniel Hokka Zakrisson wrote:

Nikolay Kichukov wrote:

Hi,

Thanks for the advice, I'd like to test that and I already have raw_icmp in the flags file for the vserver, but is there a way i can set that without rebooting the vserver?

It's a context capability, so you should put it in ccapabilities file.

I've searched for information about chcontext and did not find a lot about setting those caps and flags dynamically. Is that possible? If yes, how?

vattribute --set --xid name or xid of the guest --secure --ccap raw_icmp
(add additional --bcaps here if you have any, as they'll be reset otherwise)

Also, another question is, i have already created(built) the vserver without --context NNN, and now I would like to get the vserver running only in a specified context, ie. 444. How can i implement that?

echo NNN > /etc/vservers/name/context
http://www.nongnu.org/util-vserver/doc/conf/configuration.html
Re: [Vserver] vserver traceroute
hello,

even trying to traceroute -I is still giving that same error message. What could be wrong? Do I need to set some extra ccapabilities?

Also, what does the --secure option of the vattribute do ?

Regards,
-Nikolay Kichukov

- Original Message -
From: Xavier Montagutelli [EMAIL PROTECTED]
To: vserver@list.linux-vserver.org
Sent: Thursday, April 20, 2006 3:33 PM
Subject: Re: [Vserver] vserver traceroute

On Thursday 20 April 2006 13:29, Nikolay Kichukov wrote:

Hello guys,

Thanks for the advice, and sorry for taking me so long to respond. I tried setting:

host# vattribute --set --xid xid --secure --ccap raw_icmp

and when i try to traceroute a host I am again getting:

traceroute: raw socket: Operation not permitted

On my debian box, traceroute use by default UDP packets, not ICMP packets. Try -I icmp to use icmp.

Any further ideas?

Another problem has now appeared: When i try to ssh to the guest sshd, i am getting the following error:

fatal: chroot(/var/run/sshd): Operation not permitted

/var/run/sshd is rwx for root and r-x for the group and others

Any ideas?

Additional info:
util-vserver 0.30.209-2 debian package
kernel 1.6.14.4-vs2.1.0

On Tue, 2006-04-11 at 13:17 +0200, Daniel Hokka Zakrisson wrote:

Nikolay Kichukov wrote:

Hi,

Thanks for the advice, I'd like to test that and I already have raw_icmp in the flags file for the vserver, but is there a way i can set that without rebooting the vserver?

It's a context capability, so you should put it in ccapabilities file.

I've searched for information about chcontext and did not find a lot about setting those caps and flags dynamically. Is that possible? If yes, how?

vattribute --set --xid name or xid of the guest --secure --ccap raw_icmp
(add additional --bcaps here if you have any, as they'll be reset otherwise)

Also, another question is, i have already created(built) the vserver without --context NNN, and now I would like to get the vserver running only in a specified context, ie. 444. How can i implement that?

echo NNN > /etc/vservers/name/context
http://www.nongnu.org/util-vserver/doc/conf/configuration.html

--
Xavier Montagutelli                      Tel : +33 (0)5 55 45 77 20
Service Commun Informatique              Fax : +33 (0)5 55 45 77 60
Universite de Limoges
123, avenue Albert Thomas
87060 Limoges cedex
Re: [Vserver] vserver traceroute
Hi,

Thanks for the advice, I'd like to test that and I already have raw_icmp in the flags file for the vserver, but is there a way i can set that without rebooting the vserver?

I've searched for information about chcontext and did not find a lot about setting those caps and flags dynamically. Is that possible? If yes, how?

Also, another question is, i have already created(built) the vserver without --context NNN, and now I would like to get the vserver running only in a specified context, ie. 444. How can i implement that?

Thanks and regards,
-Nikolay Kichukov

On Tue, 2006-04-11 at 00:33 +0200, Herbert Poetzl wrote:

On Tue, Apr 11, 2006 at 02:31:09AM +0300, Nikolay Kichukov wrote:

Hi everybody,

I am having a problem tracerouting from a guest. Here is the output:

As root:
traceroute 192.168.0.2
traceroute: raw socket: Operation not permitted

please try with the raw_icmp context capability (http://linux-vserver.org/Caps+and+Flags) assigned to your guest, if that still fails, please let me know ...

TIA,
Herbert

Some further information:

Versions:
    Kernel: 2.6.14.4-vs2.1.0nevir
    VS-API: 0x00020001
    util-vserver: 0.30.209; Jan 8 2006, 12:24:41
Features:
    CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CPPFLAGS: ''
    CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc
Paths:
    prefix: /usr
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: /var/run/vservers
    vserver-Rootdir: /var/lib/vservers
Assumed 'SYSINFO' as no other option given; try '--help' for more information.

Thanks,
-Nikolay Kichukov
[Vserver] vserver traceroute
Hi everybody,

I am having a problem tracerouting from a guest. Here is the output:

As root:
traceroute 192.168.0.2
traceroute: raw socket: Operation not permitted

Some further information:

Versions:
    Kernel: 2.6.14.4-vs2.1.0nevir
    VS-API: 0x00020001
    util-vserver: 0.30.209; Jan 8 2006, 12:24:41

Features:
    CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CPPFLAGS: ''
    CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc

Paths:
    prefix: /usr
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: /var/run/vservers
    vserver-Rootdir: /var/lib/vservers

Assumed 'SYSINFO' as no other option given; try '--help' for more information.

Thanks,
-Nikolay Kichukov

[Vserver] shutdown on the guest
Hi there,

if I type shutdown -r now on the guest I get the following output:

The system is going down for reboot NOW!
(pts/1) (Fri Apr 7 14:25:36 2006):
shutdown: timeout opening/writing control channel /dev/initctl
init: timeout opening/writing control channel /dev/initctl

Is that normal?

Additional information:

ls -alh /dev/initctl
prw--- 1 root root 0 Apr 2 10:58 /dev/initctl

vserver-info

Versions:
    Kernel: 2.6.14.4-vs2.1.0nevir
    VS-API: 0x00020001
    util-vserver: 0.30.209; Jan 8 2006, 12:24:41

Features:
    CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CPPFLAGS: ''
    CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc

Paths:
    prefix: /usr
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: /var/run/vservers
    vserver-Rootdir: /var/lib/vservers

Assumed 'SYSINFO' as no other option given; try '--help' for more information.

Regards,
-Nikolay Kichukov

[Vserver] host and guest UID and GID
Hello Guys,

I have the following situation, where users on the host become owners of the home directories of the users of the guest.

[EMAIL PROTECTED]:/var/lib/vservers/vn/home# ls -alh
total 44K
drwxr-xr-x 11 root root 4.0K Mar 25 18:42 .
drwxr-xr-x 20 root root 4.0K Mar 17 00:39 ..
drwxr-xr-x 3 services services 4.0K Mar 24 00:16 agra
drwxr-xr-x 6 spectre spectre 4.0K Mar 25 13:30 cipri
...

As you can see user services on the HOST can now have full access to the home directory of user agra on the guest.

Is there a way this can be solved, or do I have to start numbering the UIDs and GIDs on the Guest from higher numbers?

Regards,
-Nikolay Kichukov

p.s. Some useful information would be:

[EMAIL PROTECTED]:/usr/sbin# vserver-info

Versions:
    Kernel: 2.6.14.4-vs2.1.0nevir
    VS-API: 0x00020001
    util-vserver: 0.30.209; Jan 8 2006, 12:24:41

Features:
    CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
    CPPFLAGS: ''
    CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
    CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
    build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
    Use dietlibc: yes
    Build C++ programs: yes
    Build C99 programs: yes
    Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
    ext2fs Source: e2fsprogs
    syscall(2) invocation: alternative
    vserver(2) syscall#: 273/glibc

Paths:
    prefix: /usr
    sysconf-Directory: /etc
    cfg-Directory: /etc/vservers
    initrd-Directory: $(sysconfdir)/init.d
    pkgstate-Directory: /var/run/vservers
    vserver-Rootdir: /var/lib/vservers

Assumed 'SYSINFO' as no other option given; try '--help' for more information.
[EMAIL PROTECTED]:/usr/sbin#

Re: [Vserver] host and guest UID and GID
Hi,

thanks for the advice, but that did not work. Did you mean chmod -R 000 /var/lib/vservers?

Regards,
-Nikolay Kichukov

----- Original Message -----
From: Peter Mann [EMAIL PROTECTED]
To: vserver@list.linux-vserver.org
Sent: Sunday, March 26, 2006 2:13 PM
Subject: Re: [Vserver] host and guest UID and GID

> On Sun, Mar 26, 2006 at 01:31:47PM +0300, Nikolay Kichukov wrote:
> > Is there a way this can be solved, or do I have to start numbering the UIDs and GIDs on the Guest from higher numbers?
>
> chmod 000 /var/lib/vservers
>
> --
> 5o Peter.Mann at tuke.sk

Re: [Vserver] host and guest UID and GID
Thanks for the effort all. That did indeed work. It was my mistake listing the files and directories under the root account only and again seeing the bogus ownerships. Now it is fine ;-)

Thanks,
-Nikolay Kichukov

----- Original Message -----
From: Peter Mann [EMAIL PROTECTED]
To: vserver@list.linux-vserver.org
Sent: Sunday, March 26, 2006 4:31 PM
Subject: Re: [Vserver] host and guest UID and GID

> On Sun, Mar 26, 2006 at 01:31:47PM +0300, Nikolay Kichukov wrote:
> > I have the following situation, where users on the host become owners of the home directories of the users of the guest.
> >
> > [EMAIL PROTECTED]:/var/lib/vservers/vn/home# ls -alh
> > total 44K
> > drwxr-xr-x 11 root root 4.0K Mar 25 18:42 .
> > drwxr-xr-x 20 root root 4.0K Mar 17 00:39 ..
> > drwxr-xr-x 3 services services 4.0K Mar 24 00:16 agra
> > drwxr-xr-x 6 spectre spectre 4.0K Mar 25 13:30 cipri
> > ...
> >
> > As you can see user services on the HOST can now have full access to the home directory of user agra on the guest.
>
> On Sun, Mar 26, 2006 at 03:45:06PM +0300, Nikolay Kichukov wrote:
> > thanks for the advice, but that did not work. Did you mean chmod -R 000 /var/lib/vservers?
>
> no ... i mean chmod 000 /var/lib/vservers ...
>
> your ls -alh command is root command, so 'spectre' or 'services' is only output of 'ls' command ... if you don't have some uid/gid on host, you see only numerical value
>
> try 'ls' command as user 'spectre', not root ... so they're not real owners ...
>
> http://linux-vserver.org/chroot-barrier
>
> --
> 5o Peter.Mann at tuke.sk

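
The two points made in this thread (the owner names `ls` prints on the host come from the host's own passwd database, and `chmod 000` on the vserver root directory keeps unprivileged host users out of the guest trees) can be checked with a short script. This is an added example, not part of the original thread: the function names are hypothetical, and the passwd files and UIDs are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Sample passwd data below is constructed.

# uid_collisions HOST_PASSWD GUEST_PASSWD
# Print "uid guest_name host_name" for each UID that both files define
# under different names: these are the guest files that `ls` run on the
# host labels with a host account's name.
uid_collisions() {
    awk -F: '
        FILENAME == ARGV[1] { host[$3] = $1; next }   # host: uid -> name
        ($3 in host) && host[$3] != $1 { print $3, $1, host[$3] }
    ' "$1" "$2" | sort -n
}

# host_users_locked_out DIR
# Succeed when DIR grants nothing to group or other, as after the
# `chmod 000 /var/lib/vservers` suggested in the thread.
host_users_locked_out() {
    mode=$(stat -c '%a' "$1") || return 2    # GNU stat: octal permission bits
    [ $(( 0$mode & 077 )) -eq 0 ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed host and guest passwd files; the UIDs are invented.
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'services:x:1000:1000::/home/services:/bin/sh' \
        'spectre:x:1001:1001::/home/spectre:/bin/sh' > "$tmp/host.passwd"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'agra:x:1000:1000::/home/agra:/bin/sh' \
        'cipri:x:1001:1001::/home/cipri:/bin/sh' > "$tmp/guest.passwd"
    echo "uid guest host"
    uid_collisions "$tmp/host.passwd" "$tmp/guest.passwd"

    mkdir "$tmp/vservers"                    # stand-in for /var/lib/vservers
    chmod 755 "$tmp/vservers"
    host_users_locked_out "$tmp/vservers" || echo "755: host users can enter"
    chmod 000 "$tmp/vservers"
    host_users_locked_out "$tmp/vservers" && echo "000: host users locked out"
    chmod 700 "$tmp/vservers"; rm -rf "$tmp"
}
demo
```

On a real host the first function would be pointed at /etc/passwd and the guest's own etc/passwd under the vserver root directory.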