Re: [Vserver] routing: 2 different virtual subnets on the same machine

2007-04-13 Thread Rik Bobbaers

if you want some automation, and you know what you're doing:

http://people.linux-vserver.org/~harry/scripts/

pre-start and post-stop check them out :)

greetz

Chuck wrote:
hope it helps. iproute2 is an absolute Godsend. I use the simplest of its 
configurations and get what I want easily.. If you wanted to get into some 
really complicated things, iproute2 has so many additional advanced config 
options it could take weeks to read up on them all but from what I can 
gather, it can solve the most complicated of needs and do things that 
previously would have you banging your head against the wall trying to 
solve :) I now use iproute2 on everything, even on simple workstation 
installations, so it is there if additional configuration is ever needed.

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry

Nobody notices when things go right.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-09 Thread Rik Bobbaers
that's one of the reasons i patch the vserver kernel with grsec too. 
also you get PAX (aslr, mprotect stuff,...) features (www.grsecurity.net)


which makes it extremely hard to write to /dev/kmem, /dev/mem, it hides 
dangerous addresses to make exploitation harder, etc...


if you want enhanced security and you know something about grsecurity 
(which means, you know how to secure a box): 
http://people.linux-vserver.org/~harry


there you'll find the info you need. since this is ... well... personal 
choice in what to enable/disable, you're not gonna find this together 
with some distro. nevertheless, i include example configs (for dell and 
HP servers at work)


good luck with it :)

Martin wrote:

At the risk of sounding ungrateful for all of the hard work done on
vserver - what is the 'use case' for this feature?  As I understand it
there is nothing to keep the host from playing with /dev/kmem or
otherwise tampering with the kernel, so I can't see how a feature like
this will provide any strong guarantees; unless hierarchies of contexts
(which would be extremely cool) are planned.  Or is it just intended as
a 'speed bump' / politeness feature?

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry

Nobody notices when things go right.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] Patch 2.6.20

2007-02-19 Thread Rik Bobbaers
can i be a bitch and say: it's NOT a compile error, it's a programming 
error, which makes compiling it impossible, so it fails


tnx btw :)

Roman Fiedler wrote:

Could it be that the line

+ #include <linux/vs_base.h>

is missing in patch for fs/jffs2/ioctl.c (patch-2.6.20-vs2.3.0.10.diff)? 
Adding it solved a compile error (dereferencing pointer to incomplete 
type).




--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry

thinking always leads to conclusions... and those can be extremely dangerous
-- me ;)

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] Compiling 2.6.19.1 with vs+grsec

2007-01-15 Thread Rik Bobbaers

Johan Marcusson wrote:

Hi

I just tried compiling kernel 2.6.19.1 patched with
vs2.2.0-rc6-grsec2.1.9 (latest upcoming stable).
I doesn't seem to work very well however, I get this error message:

saturn linux-2.6.19.1 # make all && make modules_install
  CHK include/linux/version.h
  CHK include/linux/utsrelease.h
  CHK include/linux/compile.h
  CC  fs/proc/array.o
fs/proc/array.c: In function ‘proc_pid_status’:
fs/proc/array.c:329: error: ‘nx_info’ undeclared (first use in this
function)
fs/proc/array.c:329: error: (Each undeclared identifier is reported only
once
fs/proc/array.c:329: error: for each function it appears in.)
fs/proc/array.c:329: error: ‘nxi’ undeclared (first use in this
function)
fs/proc/array.c:331: warning: ISO C90 forbids mixed declarations and
code
make[2]: *** [fs/proc/array.o] Error 1
make[1]: *** [fs/proc] Error 2
make: *** [fs] Error 2

I get this error both with GCC 4.1.1 and GCC 3.4.6
Anyone else having the same problem?


that bug is fixed in the patch i updated this weekend (sry for that), 
but to keep things up to date, there is a new patch available too

its for 2.6.19.2
it has the latest and greatest grsec 2.1.10
also the latest update from vserver: 2.2.0-rc7

have fun with it, all!!!

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry

thinking always leads to conclusions... and those can be extremely dangerous
-- me ;)

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] openpty(): No such file

2006-11-19 Thread Rik Bobbaers

might be a good idea!:)

let me know if that fixes the problem. could you give me the grsec 
config part of your kernel?


tnx!

Oliver Heinz wrote:

On Saturday, 18 November 2006 21:46, Herbert Poetzl wrote:

On Sat, Nov 18, 2006 at 01:05:48PM +0100, Oliver Heinz wrote:

On Friday, 17 November 2006 18:48, Oliver Heinz wrote:

On Friday, 17 November 2006 17:49, Herbert Poetzl wrote:

On Fri, Nov 17, 2006 at 11:05:52AM +0100, Oliver Heinz wrote:
On Thursday, 16 November 2006 13:11, Daniel Hokka Zakrisson wrote:

Oliver Heinz wrote:

Hello,

yesterday I upgraded my development server from
vmlinuz-2.6.12.5-vs2.0 to 2.6.17.14-grsec2.1.9-vs2.0.2.1 and
util-vserver from util-vserver-0.30.210 to
util-vserver-0.30.211.

All Debian/Ubuntu guests are running fine, but for the old
Suse9.0 guest when entering via vserver servername enter i get
an error:

[EMAIL PROTECTED]:/usr/src/packages# vserver dakar enter
vlogin: openpty(): No such file or directory
[EMAIL PROTECTED]:/usr/src/packages#

Any Idea what's wrong? Entering via ssh works fine, all
services are running, so it's not a major issue, just annoying.

Does it have /dev/ptmx and a mounted /dev/pts? When you log in
through ssh, what tty are you on?

dakar:~ # w
 10:56:59 up 1 day,  1:03,  2 users,  load average: 0.16, 0.16, 0.29
USER     TTY      LOGIN@   IDLE   JCPU   PCPU WHAT
oheinz   ttyp1    10:28   11:22   0.10s  0.10s -bash
root     ttyp2    10:56    0.00s  0.04s  0.00s w

~
looks like legacy ptys .. haven't seen them
for some time now, not sure that is related though ..

I was wondering too, when I ssh to a real physical host with suse 9.0
and kernel 2.4 I get ptys


what does /dev contain in your guest?

 Just those few devices that are SuSE default ;-)

- I tried to attach the List but: Message body is too big and nobody
approved it yet. Is there something special you are interested in?
ttys?pts?

ahem, this is what your guest should actually have in its
/dev, nothing more ...

# ls /dev
console  full  log=  null  ptmx  pts/  random  tty  urandom  zero

maybe an additional hdv1, but that's it, everything
else is not required and reduces your guest's security
which is why the tools do not put stuff there besides
the entries listed above ...


Thanks for that advice, but this vserver is an internal  development platform 
for a real server, which (of course) does have all those /dev entries . So 
security in this guest is not an issue.


But it probably is not a good idea to have all that static dev entries that 
are for 2.4 kernels running with a 2.6 vserver enabled kernel, isn't it.


So I did remove all that crap, left only

crw-------   1 root tty     5,   1 2006-11-19 15:14 console
crw-rw-rw-   1 root root    1,   7 2005-07-12 14:14 full
prw-------   1 root root         0 2006-11-19 15:14 initctl
crw-rw-rw-   1 root root    1,   3 2005-07-12 14:14 null
crw-rw-rw-   1 root tty     5,   2 2006-11-19 15:12 ptmx
drwxr-xr-x   2 root root      4096 2006-11-15 18:34 pts
crw-rw-rw-   1 root root    1,   8 2005-07-12 14:14 random
crw-rw-rw-   1 root tty     5,   0 2006-11-19 15:04 tty
-rw-r--r--   1 root root       582 2006-11-19 15:13 tty10
cr--r--r--   1 root root    1,   9 2006-11-15 18:34 urandom
crw-rw-rw-   1 root root    1,   5 2005-07-12 14:14 zero


But now I get an:
[EMAIL PROTECTED]:~# vserver dakar enter
vlogin: ioctl(): Not a typewriter
 [EMAIL PROTECTED]:~#


and login via ssh is now broken too :-(
Nov 19 15:08:56 dakar sshd[1912]: error: openpty: No such file or directory
Nov 19 15:08:56 dakar sshd[1912]: error: session_pty_req: session 0 alloc 
failed


Should I check with an non grsec vserver-kernel? Maybe it's grsec related?

Thanks so far,
Oliver





best,
Herbert


TIA,
 Oliver


TIA,
Herbert


dakar:~ # mount
/dev/hda2 on / type reiserfs (rw)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)

dakar:~ # ls -la /dev/ptmx
crw-rw-rw-   1 root tty     5,   2 Sep 23  2003 /dev/ptmx


Thanks so far,
Oliver



--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry

thinking always leads to conclusions... and those can be extremely dangerous
-- me ;)

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm


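The thread above settles on a minimal guest /dev (console, full, log, null, ptmx, pts, random, tty, urandom, zero, perhaps hdv1): every extra node, such as a leftover hda2 or a regular file like tty10, widens what the guest can touch on the host. The following script is an added example, not code from the thread or from util-vserver; it audits a guest tree's /dev against that list. The guest root path is passed as an argument, and the assumption is that `ls -A` output is the listing being checked.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a guest's /dev against the
# minimal set Herbert lists above. Anything else (a disk node such as hda2,
# or a stray regular file such as tty10) is reported. The guest root is
# passed as $1; the functions can also be sourced and called directly.

ALLOWED_DEV="console full log null ptmx pts random tty urandom zero hdv1"

# unexpected_dev_entries LISTING
#   LISTING is the text `ls -A /dev` prints for the guest, one name per line.
#   Prints every name that is not in ALLOWED_DEV; always returns 0.
unexpected_dev_entries() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        allowed=0
        for ok in $ALLOWED_DEV; do
            if [ "$entry" = "$ok" ]; then
                allowed=1
                break
            fi
        done
        [ "$allowed" -eq 0 ] && printf '%s\n' "$entry"
    done
    return 0
}

# audit_guest_dev GUEST_ROOT
#   Runs the check against a real guest tree; returns 1 when extra entries
#   are present (or the tree is unreadable), so it fits a pre-start hook.
audit_guest_dev() {
    root=$1
    listing=$(ls -A "$root/dev" 2>/dev/null) || return 1
    extra=$(unexpected_dev_entries "$listing")
    if [ -n "$extra" ]; then
        printf 'unexpected entries in %s/dev:\n%s\n' "$root" "$extra" >&2
        return 1
    fi
    return 0
}

# Usage: sh audit_guest_dev.sh /path/to/guest/root
# (without arguments nothing is checked, so the file can be sourced)
if [ $# -ge 1 ]; then
    audit_guest_dev "$1"
fi
```

Called from a pre-start hook, a non-zero exit stops the guest from starting with a /dev that the thread's advice says it should not have.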

Re: [Vserver] using of 'vlimit --cpu', problems with 'gcc'

2006-10-30 Thread Rik Bobbaers



Jaroslav Tomecek wrote:

I'm testing 'vserver' for some organisation. They want me to test
everything ;-). Btw. I tried cpu scheduling. I set 1/5 of cpu for the
first and 4/5 of cpu for the second 'vserver'. Then I ran two identical
programs, each in one 'vserver'. It computed some floating stuff. After
each e.g. 1000 cycles it printed dot. I expected that there would be
five times more dots in the second vserver after some time. But the
numbers of dots were identical.

# cat /etc/vservers/test1/schedule
1
5
100
200
10
dummy

# cat /etc/vservers/test1/schedule

4
5
100
200
10
dummy

Is it the right way?


it is, but can you do a :
cat /etc/vservers/test1/flags
?

you should ENABLE the scheduler like this:
echo sched_prio >> /etc/vservers/test1/flags

then restart your vps'es and see what happens then... you could also do 
sched_hard which... well... read the docs ;)


good luck

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

thinking always leads to conclusions... and those can be extremely dangerous
-- me ;)

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] advanced routing per vps

2006-09-18 Thread Rik Bobbaers

Herbert Poetzl wrote:


you do not need an ip address to bring an interface up :)

  ifconfig eth2 up
  ifconfig eth2 down


as said... if i restart interfaces, i don't want weird old ip 
addresses on the interface, so i put 0.0.0.0 on it ;)

not really sure if that makes sense, but...

don't even know if that's a good idea... anyone comments?


this config option will become a 'vlandev' in the near
future (probably already is in CVS/SVN), which will
make more sense here ...


mkay, tnx :)


use counts are generally a bad idea, as we already
saw with the mainline behaviour on removing the
primary ip, etc ... mainly because you would have
to account for host actions too ... but feel free
to write your own 'book keeping' scripts and hook
them into the startup/shutdown


yeah, you don't want a real use count, but you COULD check if there are 
routes over that vlan, if there are still routes, that means, there are 
still ip's on that vlan, so don't remove. or am i wrong here?



wouldn't it be more appropriate to add those routes
to the appropriate tables?


how do you mean? i don't think i completely get it... you see the 
scripts, what should be changed??? right now, i have 1 table per 
configured vlan. you suggest 1 table per virtual server?


greetz,

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] lvremove: Can't remove open logical volume

2006-09-15 Thread Rik Bobbaers

 Try to unmount your volume for each active name space:
 vnamespace -e [namespace of context xid] umount /your/lvm/volume

i scripted it like this:
gandalf:~# cat /usr/local/bin/unmount_vserver
#!/bin/sh
# unmount $1 inside the namespace of every running context
# ("$1" is quoted: an unquoted [ -n $1 ] is true even with no argument)
if [ -n "$1" ]
then
  for i in `ls -1 /proc/virtual | egrep -v 'info|status'`; do
    vnamespace -e "$i" umount "$1"
  done

  exit 0;
fi
exit 1;

you just do unmount_vserver /vservers/bleh
and it makes sure it's unmounted in all namespaces.

it doesn't do much checking, but you get the picture, feel free to add 
more sanity/safety checks ;)


greetz,

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



[Vserver] advanced routing per vps

2006-09-15 Thread Rik Bobbaers

heya all,

since yesterday, i found it necessary to do my routing per vserver.
so what did i do: (i put everything in /usr/local btw ;))

gandalf:~# cat /usr/local/etc/vservers/.defaults/scripts/pre-start
#!/bin/sh

HOSTNAME=$2

IF=`cat /usr/local/etc/vservers/${HOSTNAME}/interfaces/0/dev`
IP=`cat /usr/local/etc/vservers/${HOSTNAME}/interfaces/0/ip`
NETMASK=`cat /usr/local/etc/vservers/${HOSTNAME}/interfaces/0/prefix`
# this is the case on all our networks... might not work for you ;)
GW=`ipcalc -n $IP $NETMASK |grep HostMax:| awk '{print $2}'`
NETWORK=`ipcalc -n $IP $NETMASK |grep Network:| awk '{print $2}'`

ip route add $NETWORK dev $IF table $IF-net
ip route add default via $GW dev $IF table $IF-net
ip rule add from $IP/32 table $IF-net pref 1000
EOF

gandalf:~# cat /usr/local/etc/vservers/.defaults/scripts/post-stop
#!/bin/sh

HOSTNAME=$2

IF=`cat /usr/local/etc/vservers/${HOSTNAME}/interfaces/0/dev`
IP=`cat /usr/local/etc/vservers/${HOSTNAME}/interfaces/0/ip`

ip rule del from $IP/32 table $IF-net pref 1000
EOF

now... i NEED to have all the interfaces in /etc/iproute2/rt_tables to 
make this work (no problem, a routing table per VLAN suits me fine ;))


i also have to make sure the interfaces are all up @ boot (no problem, 
since:

gandalf:~# cat /etc/network/interfaces
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

auto lo
iface lo inet loopback

auto eth0.49
iface eth0.49 inet manual
pre-up ifconfig eth0 hw ether 00:15:BA:DC:0D:ED
up ifconfig eth0.49 0.0.0.0 up
auto eth0.164
iface eth0.164 inet manual
pre-up ifconfig eth0 hw ether 00:15:BA:DC:0D:ED
up ifconfig eth0.164 0.0.0.0 up

auto eth1
iface eth1 inet static
address 192.168.28.30
netmask 255.255.254.0
broadcast 192.168.29.255
gateway 192.168.29.254
post-up route add -net 192.168.30.0 netmask 255.255.255.0 gw 
192.168.29.253
pre-down route del -net 192.168.30.0 netmask 255.255.255.0 gw 
192.168.29.253


auto eth2.94
iface eth2.94 inet static
address 134.58.241.34
netmask 255.255.255.0
broadcast 134.58.241.255
auto eth2.95
iface eth2.95 inet manual
up ifconfig eth2.95 0.0.0.0 up

(the static ip on eth2.94 is for allowing nfs in a vps... it seems 
impossible to make the source address for nfs the same as the vps 
address... but that's another problem ;))


i use vlans, so i have to set every vlan UP @ boottime and all guests 
novlandev.


now my questions:
1. the device i have to use for my hosts is: eth2.94, so i put that in 
dev. if i boot my machine, i don't have eth2 up, because the host itself 
doesn't need to have an ip address on that network. if i want to start a 
 vps on eth2.94, and let vserver create the vlan for me, it doesn't 
work if eth2 isn't up... why is that? can't vserver check if eth2 is up, 
and if it's not, then set it up? what's the reason for that?


solution: bring up eth2 at boottime without an address and all works 
fine. but this gets us to the next problem...


2. the vps sets up the vlan nicely, sets up networking, scripts make 
sure routing is done fine. but when i set up 2 hosts on the same vlan, 
and i shut down 1 of those vps'es, it REMOVES the vlan dev, and the 
other vps lose their network, while it's still in use!!!


solution: put a novlandev in each hosts config. BUT (here we go again) 
that means i have to do the vlan config myself again. (not that it's a 
problem, since you can see my interfaces file now).


3. how hard is it to implement a use count or so for those kind of 
things? just check if there are other vps'es using the vlan dev. if 
no one uses it, THEN bring it down. if there are vps'es using the vlan: 
leave it alone. that way, the last vps using the vlan will disable it, 
the first one needing it, will start it.

for ip addresses, we have net.ipv4.conf.all.promote_secondaries=1
something alike for vlan devs would be nice ;)

4. totally different now... the way i start my advanced routing, it 
always says (except the first time of course):

RTNETLINK answers: File exists
RTNETLINK answers: File exists
(normal, the route to that network exists)
That's the reason i can't delete the routing for the network when i stop 
the vps... others may still need it. and if it already exists, it's ok 
by me, so that error is just fine.

does anyone have a clean solution for that?

that's about it for the moment, i think...

just to be clear: it all works fine now... so there is not really a 
problem, just some practical questions!


greetz,

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm


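Questions 3 and 4 of the post above (a use count for the VLAN's routing table, and the harmless but noisy "RTNETLINK answers: File exists") can both be handled in the hooks themselves. The script below is an added example, not the pre-start/post-stop scripts from the post: it keeps the same layout (one "<dev>-net" table per VLAN device in /etc/iproute2/rt_tables, the gateway taken from ipcalc's HostMax as the post does) but uses `ip route replace`, which succeeds whether or not the route exists, and before flushing a table on post-stop it checks `ip rule show` for other guests still pointing at that table. Assumed, not taken from the page: that util-vserver calls the hook as `<script> <hook-name> <guest-name>` (the post's `HOSTNAME=$2` suggests this) and that `ip rule show` prints lines of the form `1000: from 10.1.2.3 lookup eth2.94-net`.

```sh
#!/bin/sh
# Added example, not the hooks from the post: idempotent per-guest policy
# routing plus a "table still in use" check instead of a use count.
# Assumptions: hook called as <script> <hook> <guest>; guest config under
# /etc/vservers/<guest>/interfaces/0/{dev,ip,prefix}; rt_tables holds one
# "<dev>-net" entry per VLAN device; `ip rule show` prints lines like
# "1000:   from 10.1.2.3 lookup eth2.94-net".

# rule_present TABLE IP RULES -> 0 when RULES already has "from IP lookup TABLE"
rule_present() {
    printf '%s\n' "$3" | grep -q "from $2 lookup $1\$"
}

# table_still_used TABLE IP RULES -> 0 when a rule for a source other than IP
# still sends traffic through TABLE, i.e. another guest is on this VLAN
table_still_used() {
    printf '%s\n' "$3" \
        | grep "lookup $1\$" \
        | grep -v "from $2 lookup" \
        | grep -q .
}

guest_setting() {  # guest_setting GUEST FILE -> content of interfaces/0/FILE
    cat "/etc/vservers/$1/interfaces/0/$2"
}

pre_start() {
    guest=$1
    dev=$(guest_setting "$guest" dev)
    addr=$(guest_setting "$guest" ip)
    prefix=$(guest_setting "$guest" prefix)
    table="$dev-net"
    # HostMax as gateway: the convention from the post, not a general rule
    gw=$(ipcalc -n "$addr" "$prefix" | awk '/^HostMax:/ {print $2}')
    net=$(ipcalc -n "$addr" "$prefix" | awk '/^Network:/ {print $2}')
    # 'replace' succeeds when the route is already there, so the second
    # guest on the same VLAN no longer produces "File exists"
    ip route replace "$net" dev "$dev" table "$table"
    ip route replace default via "$gw" dev "$dev" table "$table"
    rule_present "$table" "$addr" "$(ip rule show)" \
        || ip rule add from "$addr/32" table "$table" pref 1000
}

post_stop() {
    guest=$1
    dev=$(guest_setting "$guest" dev)
    addr=$(guest_setting "$guest" ip)
    table="$dev-net"
    ip rule del from "$addr/32" table "$table" pref 1000
    # the routes in the table are shared by every guest on the VLAN;
    # flush them only once no other guest's rule points at the table
    if ! table_still_used "$table" "$addr" "$(ip rule show)"; then
        ip route flush table "$table"
    fi
}

case "${1:-}" in
    pre-start) pre_start "$2" ;;
    post-stop) post_stop "$2" ;;
esac
```

The same file can be installed as both hooks (or symlinked), since it dispatches on the hook name it is called with. The rule listing is the only state consulted, so host-side routes in the table are left alone exactly as the reply in this thread warns a naive use count would not.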

Re: [Vserver] lvremove: Can't remove open logical volume

2006-09-15 Thread Rik Bobbaers

Mehdi Bennani wrote:


Hi,
Thanks a lot, but my lv's are the root of each vserver so I have to stop 
them before umounting, then the namespace is no longer in use and I get:

vnamespace: vc_enter_namespace(): No such process
 
 
Obviously if I try it before stopping the vserver, I get:

umount: /vservers/vtest3: device is busy


if you stop a vserver, the namespace is gone. so that's never the 
problem. but the OTHER running virtual servers still have the dir 
mounted in its namespace. that's why my script loops over all the 
running namespaces, and unmounts them there.


i just adapted my script to:
gandalf:/var/log# cat /usr/local/bin/unmount_vserver
#!/bin/sh
# unmount $1 in every running context's namespace, then in the host's
# ("$1" is quoted: an unquoted [ -n $1 ] is true even with no argument)
if [ -n "$1" ]
then
  for i in `ls -1 /proc/virtual | egrep -v 'info|status'`; do
    vnamespace -e "$i" umount "$1"
  done

  umount "$1"
  exit 0;
fi
exit 1;
EOF

if you use this, you can safely remove the logical volume without having 
that problem.

ps. i have the same setup as you... 1 LV per vserver :)

greetz

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm


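Both unmount_vserver posts in this thread invite "more sanity/safety checks". The script below is an added example, not the author's script: it keeps the loop over the running contexts' namespaces but refuses anything that is not an absolute path below /, selects context ids numerically instead of excluding known names, and only calls umount where the path really is a mount point in that namespace. Assumptions not taken from the page: /proc/virtual lists one numeric directory per running context, and /proc/self/mounts read through `vnamespace -e <xid>` shows that namespace's mounts.

```sh
#!/bin/sh
# Added example, not the unmount_vserver script from the thread.
# Assumptions: /proc/virtual has a numeric directory per running context
# (plus 'info' and 'status'); `vnamespace -e <xid> cmd` runs cmd inside that
# context's namespace; /proc/self/mounts there lists that namespace's mounts.

# context_ids LISTING -> the numeric entries of an `ls -1 /proc/virtual`
# listing (safer than excluding known names with egrep -v)
context_ids() {
    printf '%s\n' "$1" | grep '^[0-9][0-9]*$'
    return 0
}

# mountpoint_sane PATH -> 0 for an absolute path that is not / itself
mountpoint_sane() {
    case "$1" in
        /) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_mounted_in_listing PATH MOUNTS -> 0 when MOUNTS (text of
# /proc/self/mounts) has an entry whose mount point is exactly PATH
is_mounted_in_listing() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp {found=1} END {exit !found}'
}

unmount_everywhere() {
    target=$1
    mountpoint_sane "$target" || { echo "refusing to unmount '$target'" >&2; return 1; }
    rc=0
    for xid in $(context_ids "$(ls -1 /proc/virtual)"); do
        # unmount only where the path is really a mount point in that namespace
        if is_mounted_in_listing "$target" "$(vnamespace -e "$xid" cat /proc/self/mounts)"; then
            vnamespace -e "$xid" umount "$target" || rc=1
        fi
    done
    # finally the host's own namespace
    if is_mounted_in_listing "$target" "$(cat /proc/self/mounts)"; then
        umount "$target" || rc=1
    fi
    return $rc
}

# Usage: sh unmount_vserver.sh /vservers/vtest3
if [ $# -eq 1 ]; then
    unmount_everywhere "$1"
fi
```

A non-zero exit means at least one namespace still holds the volume, so the caller knows not to proceed with lvremove.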

[Vserver] grsec + vserver

2006-07-26 Thread Rik Bobbaers

hey all,

since there is no more support for 2.6.16 from grsecurity and vserver, i 
now made a patch for 2.6.17.7 (yesyes, the latest... certainly not the 
greatest (all hail 2.0.40! ;))


http://ludit.kuleuven.be/software/vserver/patch-2.6.17.7-vs2.0.2-rc26-grsec2.1.9.diff
(and my config:
http://ludit.kuleuven.be/software/vserver/config-2.6.17.7-g-v )


what's new?:

kernel:
- the prctl local root bugfix and many many others!!! (will there ever 
be a good kernel again??)

- check the diffs/changelog! ;)

vserver:
- upgrade to 2.0.2-rc26
- removed the naming of vsbleh in Makefile, and moved it to
localversion-vserver (as is the new standard)
- changed the define of ET_DYN_something to the original (as pax people 
suggested)
- changed the order of arguments in a function (can't remember the name, 
sry) to match with what grsecurity does (add custom arguments after the 
standard ones... i just like it better like that :))


grsec:
- new version of the 2.1.9 (almost release time according to spender)
- minor bugfix that removes a compiler warning
- adjustments so that it works with vserver (2 includes in some grsec code)
- bugfix when you don't use PAGEEXEC or SEGMEXEC (tnx tgk and pipacs!)

that's about it... it should work without any problems (it does so on a 
production server here)


have fun with it all!!!

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] Re: linux-vserver patch 2.0.x for kernel 2.6.16

2006-07-05 Thread Rik Bobbaers



Herbert Poetzl wrote:


I think so, who is going to maintain it?


if you give me the diffs between rc's, i'll keep them up to date for 
2.6.16 (as i'm not that fond of 2.6.17 kernel just yet... i'll wait for 
a 2.6.17.20 or so, before i consider that one stable)


as for grsec + vserver patches, i'm afraid i'll have to go to 2.6.17 
rather fast, since spender doesn't support 2.6.16 kernels anymore... 
when vs2.0.2 comes out, and grsec 2.1.9, i'll try to fix a general patch 
for 2.6.16 as well as 2.6.17, if people are still interested in 2.6.16 by 
then :)



well, 2.6.17 should have all those fixes, no?


problem is, that 2.6.17 has a lot of new code == bugs. (just 
check that sctp connection tracking stuff... it's... horrible.)



if there is great demand and/or some good reason
to do that, we will probably go that way ...


what's the ETA on vs2.0.2 ? what are the issues on that one?

greetz,

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] linux-vserver patch 2.0.x for kernel 2.6.16

2006-07-03 Thread Rik Bobbaers

hi Ghent colleague!,

i'm planning to make the 2.6.16.22 patch with the latest rc of 
vserver (and the latest grsec).


you'll always be able to find it at:
http://ludit.kuleuven.be/software/vserver/

of course you have to choose yourself whether you want to enable grsec or not :)

greetings,

Bert De Vuyst wrote:

Dear Herbert,

Is it possible to maintain a linux-vserver patch for the kernel 2.6.16.x 
series?


- kernel 2.6.16 is the kernel used by some large distributions for their next 
release (fedora and suse ?)
- kernel 2.6.16 did receive a large number of fixes. Some people will use it 
as their stable kernel for the next months. (they will skip 2.6.17)


The vserver-2.0.2-rcXX patches have some very nice fixes. It would be nice to 
have a 2.6.16.x-vs2.0.2 patch in the near future.


Thanks,

Bert.



--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] linux-vserver patch 2.0.x for kernel 2.6.16

2006-07-03 Thread Rik Bobbaers
sorry guys, this was supposed to be to Bert only, that's why it was in 
dutch...


just ignore :)

Rik Bobbaers wrote:

hi Ghent colleague!,

i'm planning to make the 2.6.16.22 patch with the latest rc of 
vserver (and the latest grsec).


you'll always be able to find it at:
http://ludit.kuleuven.be/software/vserver/

of course you have to choose yourself whether you want to enable grsec or not :)



--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



[Vserver] new patches

2006-05-11 Thread Rik Bobbaers
hey all,

http://ludit.kuleuven.be/software/vserver/
there is a new grsec+vserver patch
enhancements:
grsec:
- some minor changes
- a few bugfixes
vserver:
- code cleanups
- exit fix
- lock fix (will also be in rc20 normally)
kernel itself:
- some bugfixes (one from our own daniel! ;))

so... if you need a grsec + vserver kernel... this is the one to get! ;)

greetz (and thanks to all who helped :))

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] grsec + vserver

2006-05-02 Thread Rik Bobbaers
On Friday 28 April 2006 16:21, Rik/harry Bobbaers wrote:
 hey all,

 i know it's been a while... but!!!
 http://harry.ulyssis.org/vserver/patch-2.6.16.11-vs2.0.2-rc18-grsec2.1.9.diff

well... you've probably seen the linux kernel tree has another baby... 
2.6.16.12 ... 

the grsec people made an update (nothing new for grsec/pax though) for the 
kernel... so ... i did too! ;)

http://harry.ulyssis.org/vserver/patch-2.6.16.12-vs2.0.2-rc18-grsec2.1.9.diff

for those who want to see the changelog:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.12

i really hate it when they release this many patches... but at least you got 
the chance to upgrade again :)

btw. the localversion-grsec problem with make-kpkg... it's solved here :)

Have fun with it!

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] search for vserver kernel 2.6.16-15 + grsecurity

2006-04-16 Thread Rik Bobbaers
On Saturday 15 April 2006 18:01, Sébastien CRAMATTE wrote:
 Hello

 I search for grsecurity 2.1.8  patch for vserver with .config file example
 I've applied 2.0.2-rc16 patch over 2.6.16.5 kernel

heya,

i've not made a patch for 2.6.16.x + vserver + grsec just yet...

i'm still waiting for spender to release his grsec 2.1.9 officially... (or 
maybe not ;)) i'll try to get a grsec + vserver patch ready for 2.6.16 
somewhere this week...

the latest patch is for 2.6.14.6, and is at:
http://harry.ulyssis.org/vserver

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] Anybody patched grsec+vserver for 2.6.16 yet?

2006-03-22 Thread Rik Bobbaers
On Wednesday 22 March 2006 11:26, Wolfgang Hennerbichler wrote:
 Hi!

 I seem to have some problems with 2.1.0 development version for
 vserver - bind stalled as mysql did, in the mean time several times
 (never logs anything, just stops responding). I'm using this kernel:
 2.6.14.7-vs2.1.0-grsec-2.1.9, because I got the patch from
 http://harry.ulyssis.org/vserver/. I think I might give an updated version a
 try (I'd prefer the stable version of vserver, but I didn't find one
 that was merged with grsecurity). I am a bad c-programmer, that's why
 I can't do it on my own (I've tried, but this led to some weird
 things in the kernel :))

since there is no grsec for 2.6.16 yet, i haven't been able to update the 
merges for that kernel. i haven't seen spender and pipacs for a while on irc, 
so i don't know when they will release a new pax/grsec

as soon as they release a new grsec, i will talk to herbert on what vserver 
patch i will merge it with...

we just need to be patient ;)

ps. updating grsec to 2.6.16 myself is not such a good idea, since i'm not 
THAT familiar with grsec and pax code...

greetz,

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] vserver and grsec

2006-03-01 Thread Rik Bobbaers
On Wednesday 01 March 2006 14:04, Daniel Ortiz wrote:

 I take the same kernel  (2.6.14.4 kernel) and patch with
 patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

 with:

 patch -p0 < patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

 PAX is disabled, when
 I try to run gradm 2.17 or gradm 2.18 the system says to me:

 incompatible gradm and grsecurity versions  #

hi there,

you have to use the correct software for gradm to work... i never used gradm 
before myself, but i tried it on the latest patch...
try the following patch:
http://harry.ulyssis.org/vserver/patch-2.6.14.7-vs2.1.0-grsec2.1.9.diff.gz

with this gradm:
http://harry.ulyssis.org/vserver/gradm-2.1.9-200602141850.tar.gz

that should work seamlessly

(btw. this is a completely new patch, merged from scratch... as far as i know 
it works without any problems... so please test and let me know if there are 
any problems with it (which aren't there in the default vserver 2.1.0 patch 
of course... backporting the 2.1.1-rc9 has proven to be a bit too much work, 
so i fear, unstable))

so... upgrade all!!! :)

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest
-- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] hints on kernel configuration using Grsec and Vserver

2006-02-08 Thread Rik Bobbaers
On Wednesday 08 February 2006 09:05, Thorsten Büker wrote:
> Dear list,
>
> making use of http://list.linux-vserver.org/archive/vserver/msg11839.html
> I recently patched a 2.6.14.5-Kernel as my first contact with VServer.
> After starting vprocunhide (from package util-vserver) on the Sarge system
> I tried to create a first box:
>
> vserver vhost0 build -m debootstrap --hostname vhost0.DOMAINNAME.de
> --force --context 50 -- -d sarge -m http://update.pureserver.info/debian
>
>
> After extracting all packages the process breaks...
>
> W: Failure trying to run: chroot /etc/vservers/.defaults/vdirbase/vhost0
> mount -t proc proc /proc
>
>
> ...while dmesg says:
>
> grsec: From MYIPADDRESS: denied mount of proc as
> /home/vservers/vhost0/proc from chroot by
> /home/vservers/vhost0/bin/mount[mount:105] uid/euid:0/0 gid/egid:0/0,
> parent /var/tmp/debootstrap.6KTNNr/usr/sbin/debootstrap[debootstrap:5863]
> uid/euid:0/0 gid/egid:0/0
>
>
> I assume this prevention is connected to Grsecurity's /proc-hiding, the
> relevant parts of the current kernel configuration follow below. In case
> this is correct, Grsecurity offers various ways of CONFIG_GRKERNSEC_PROC
> -- but I've got no idea which one is the right one ;-)
> Any advice from your side on a better configuration regarding the needs of
> Vserver is appreciated!

heya,

first thing... vserver uses capabilities... so you should make sure you 
disable capability restrictions, otherwise, your vservers will not work...

these are my kernel options:
CONFIG_VSERVER=y
CONFIG_VSERVER_LEGACYNET=y

#
# Linux VServer
#
CONFIG_VSERVER_LEGACY=y
# CONFIG_VSERVER_LEGACY_VERSION is not set
CONFIG_VSERVER_DYNAMIC_IDS=y
# CONFIG_VSERVER_NGNET is not set
CONFIG_VSERVER_COWBL=y
CONFIG_VSERVER_PROC_SECURE=y
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
# CONFIG_INOXID_NONE is not set
# CONFIG_INOXID_UID16 is not set
# CONFIG_INOXID_GID16 is not set
CONFIG_INOXID_UGID24=y
# CONFIG_INOXID_INTERN is not set
# CONFIG_INOXID_RUNTIME is not set
# CONFIG_XID_TAG_NFSD is not set
CONFIG_XID_PROPAGATE=y
CONFIG_VSERVER_DEBUG=y
CONFIG_VSERVER_HISTORY=y
CONFIG_VSERVER_HISTORY_SIZE=64

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set


-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org


[Vserver] vserver and grsec

2005-12-21 Thread Rik Bobbaers
hey all,

for those interested...
i took a vanilla linux 2.6.14.4 kernel
patched it with an updated version of grsec 2.1.7
and applied vserver 2.1.0 patch (including the sendfile patch and an 
optimisation for some weirdness in grsec)

i put it all in a patch , which can be located at:
http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff.gz
http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

1 thing... if you can't start your vservers and get the following error 
message:
vcontext: vc_set_cflags(): Operation not permitted
you need to enable capabilities in chroots. you can do this with:
echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
(or the appropriate sysctl command ;))

if people think it 's a good thing to merge the patches... just let me know, 
i'll see what i can do to keep this a little bit up to date.

have fun all!

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:
  1. I am by definition, the intended recipient
  2. All information in the email is mine to do with as I see fit and make 
such financial profit, political mileage, or good joke as it lends itself to. 
In particular, I may quote it on usenet.
  3. I may take the contents as representing the views of your company.
  4. This overrides any disclaimer or statement of confidentiality that may be 
included on your message. 

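As an added example that is not part of the list posts above (and not a util-vserver or grsecurity tool), here is a small POSIX shell check for the two grsecurity sysctls behind the failures discussed in this thread: kernel.grsecurity.chroot_caps, which produces the "vcontext: vc_set_cflags(): Operation not permitted" error harry mentions when set to 1, and kernel.grsecurity.chroot_deny_mount, the runtime knob for CONFIG_GRKERNSEC_CHROOT_MOUNT that is behind the "denied mount of proc ... from chroot" dmesg line in Thorsten's debootstrap post. The sysctl root directory parameter, the function names and the fake fixture directory are assumptions for illustration; on a real box the default /proc/sys/kernel/grsecurity path applies.

```shell
#!/bin/sh
# Added example (not code from the list posts): report the grsecurity
# sysctl knobs that commonly break Linux-VServer guests, namely
# chroot_caps  ("vcontext: vc_set_cflags(): Operation not permitted")
# and chroot_deny_mount ("denied mount of proc ... from chroot" in dmesg
# during a debootstrap build). The sysctl root directory is a parameter
# (assumption) so the check can run against a constructed directory
# offline; on a real box leave it at /proc/sys/kernel/grsecurity.

read_knob() {
    # $1 = sysctl root, $2 = knob name. Prints the value, or "missing"
    # when the file is absent (sysctl support off, or option not built).
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'missing'
    fi
}

check_grsec_vserver() {
    # Returns 0 when no knob is known to block vserver, 1 otherwise.
    root="${1:-/proc/sys/kernel/grsecurity}"
    rc=0
    for knob in chroot_caps chroot_deny_mount; do
        val=$(read_knob "$root" "$knob")
        case "$val" in
            0)
                echo "ok    kernel.grsecurity.$knob=0" ;;
            1)
                echo "WARN  kernel.grsecurity.$knob=1 (known to break vserver guest build/start;"
                echo "      fix: sysctl -w kernel.grsecurity.$knob=0)"
                rc=1 ;;
            missing)
                echo "info  kernel.grsecurity.$knob not present" ;;
            *)
                echo "WARN  kernel.grsecurity.$knob has unexpected value '$val'"
                rc=1 ;;
        esac
    done
    return $rc
}

make_fake_root() {
    # Constructed test fixture (assumption): $1 = directory,
    # $2 = chroot_caps value, $3 = chroot_deny_mount value. Mimics the
    # two files found under the grsecurity sysctl root.
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/chroot_caps"
    printf '%s\n' "$3" > "$1/chroot_deny_mount"
}

# Run the live check only when asked, so sourcing this file stays silent:
#   GRSEC_CHECK_LIVE=1 sh grsec_vserver_check.sh
if [ "${GRSEC_CHECK_LIVE:-}" = "1" ]; then
    check_grsec_vserver
fi
```

With CONFIG_GRKERNSEC_SYSCTL_ON=y (as in harry's config above) every grsec feature that is compiled in starts enabled, so a freshly booted box fails this check until the two knobs are cleared in /etc/sysctl.conf or a boot script.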


Re: [Vserver] [EMAIL PROTECTED]: Re: [Users] VServer vs OpenVZ]

2005-12-06 Thread Rik Bobbaers
On Tuesday 06 December 2005 15:45, Eugen Leitl wrote:
> Any counter-comments, from a VServer strengths point of view?

i'll try to get some points together here... i'm not an experienced user of 
vserver, but i have some remarks here...

> - Forwarded message from Kir Kolyshkin [EMAIL PROTECTED] -
>
> From: Kir Kolyshkin [EMAIL PROTECTED]
> Date: Tue, 06 Dec 2005 17:17:18 +0300
> To: [EMAIL PROTECTED]
> Subject: Re: [Users] VServer vs OpenVZ
> User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)
> Reply-To: [EMAIL PROTECTED]
>
> My view of subject is definitely biased towards OpenVZ, but still: there
> are areas where OpenVZ is definitely more developed than VServer. Let me
> concentrate on three of these.
>
> First is stability. By sticking to old (currently 2.6.8) kernel and
> backporting all the bug fixes, security fixes and hardware driver
> updates, we make OpenVZ kernel very stable. We do a lot of kernel
> testing in house, including stress testing.

stable: yes, secure... well... as far as possible, BUT!
multipath using devicemapper in their kernel? almost impossible, unless they 
backported that entirely from 2.6.13 (or some 2.6.12 rcX)
a lot of other enhancements in 2.6.8+ kernels... it's for a reason that 
kernels get updated, you know...

> Second is resource management. There are a lot of resources that can be
> abused from inside VServer guest or OpenVZ VPS, leading to at least DoS;
> some of those resources are not under control of traditional UNIX means
> such as ulimit. In OpenVZ we have User Beancounters (UBC for short),
> which accounts and limits about 20 of such resources (including IPC
> objects, various kernel buffers etc).

there is a decent resource management in vserver too... it's not easy at all 
to dos an entire vserver. (you have rlimits map for every vserver if you 
want, where you can choose what the limits are)

> Third is virtualized network stack. AFAIK VServer's ngnet is not yet
> ready for prime time yet, while OpenVZ's venet is here. Without fully
> virtualized network stack people are experiencing problems like this one:
> http://www.paul.sladen.org/vserver/archives/200511/0165.html
> http://www.paul.sladen.org/vserver/archives/200511/0189.html

there are solutions to this BIND problem (check the manual(s))

further... i don't know about any other advantages/disadvantages...

anyone??? ;)

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org
