Hi,

I checked my permissions, they are all 755. Can you (or someone else) run my getpcaps 
test as in my mail (and here below)? I would like to know whether it is normal that 
after a chcontext the CAP_SYS_CHROOT capability is not available and cannot be added 
manually, either.

Thanks a lot,
Schlomo

PS: Anybody else out there also using the OpenWall patches with vserver?



-- 
Schlomo Schapiro
Senior Consultant
Solution Center Novell/Linux
mikado AG
Bülowstraße 66
10783 Berlin-Schöneberg

Tel.: (030) 21790-0
Mobil: (0177) 3279060
Fax: (030) 21790-200/ -201

>>> "Dirk Windberg" <[EMAIL PROTECTED]> 2004-02-26 00:23:14 >>>
private mail:

Hello,
I have seen the same error here installing debian as virtual server on a
Redhat 7.3 host.

If I set the permission to 000 on /vservers/base I can't start base. If I
set the permission to only 770 I can start the vserver but can't ssh into
the debian server. When the permissions are set to 755 the vserver is
starting + ssh is running well.

I try to figure out what the reason is.

--dirk.


----- Original Message -----
From: "Schlomo Schapiro" <
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 25, 2004 2:42 PM
Subject: [Vserver] chroot - permission denied


> Hi all,
>
> I just installed VServer on my SuSE9.0 box and compiled a new 2.4.25
> kernel with the OpenWall patches included.
>
> The vserver kernel subsystems seems to be there (checked with e.g. vps -ax)
>
> I then downloaded the debian vserver to start testing and it won't start
> with this message:
>
> ---------------------------------------------------------------------------
>  # vserver debian start
> Starting the virtual server debian
> Server debian is not running
> ipv4root is now 10.1.1.34
> Host name is now gss34.mikado.local
> Domain name is now
> New security context is 49175
> Can't chroot to directory . (Operation not permitted)
> ---------------------------------------------------------------------------
>
> I started to play around with the chcontext tool and got a very strange
> thing: The CAP_SYS_CHROOT capability is not present !:
>
> ---------------------------------------------------------------------------
> # /usr/sbin/chcontext --ctx 49176 bash -c 'getpcaps $$'
> New security context is 49176
> Capabilities for `4337': = cap_chown,cap_dac_override,cap_dac_read_search,cap_setgid,cap_setuid,cap_net_broadcast,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease+ep
> ---------------------------------------------------------------------------
>
> When I do not give the --ctx parameter, all capabilities are present:
> ---------------------------------------------------------------------------
> # /usr/sbin/chcontext bash -c 'getpcaps $$'
> New security context is 49176
> Capabilities for `4334': =ep cap_setpcap-ep
> ---------------------------------------------------------------------------
>
> That seems to be the reason why the vserver start command does not work.
>
> Do you have any ideas what could be the problem?
>
> Some more questions:
> * What about virtualized localhosts ? How can I give each vserver a
> private localhost(127.0.0.1) ?
> * I am running samba in a chbind environment, however nmbd complains
> about not being able to bind to the IPs of the other vservers and
> doesn't start when I have any IP aliases defined. The error log looks
> like this:
> ---------------------------------------------------------------------------
> [2004/02/25 12:51:03, 0] nmbd/nmbd.c:main(795)
>   Netbios nameserver version 2.2.8a-SuSE started.
>   Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2004/02/25 12:51:03, 1] lib/debug.c:debug_message(258)
>   INFO: Debug class all level = 1   (pid 3587 from pid 3587)
> [2004/02/25 12:51:03, 0] lib/util_sock.c:open_socket_in(804)
>   bind failed on port 137 socket_addr = 10.1.1.34.
>   Error = Cannot assign requested address
> [2004/02/25 12:51:03, 0] nmbd/nmbd_subnetdb.c:make_subnet(139)
> nmbd_subnetdb:make_subnet()
>   Failed to open nmb socket on interface 10.1.1.34 for port 137.  Error was Cannot assign requested address
> [2004/02/25 12:51:03, 0] nmbd/nmbd.c:main(873)
>   ERROR: Failed when creating subnet lists. Exiting.
> ---------------------------------------------------------------------------
>
> 10.1.1.34 is the IP alias added by the debian vserver I tried to run. I
> thought that chbind was supposed to prevent vservers from seeing other
> IPs ? Is there a solution to this nmb problem ?
>
>
> Thanks a lot for any help,
> Schlomo
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED] 
> http://list.linux-vserver.org/mailman/listinfo/vserver 
>
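
Added example, not part of the original thread or of the vserver tools: a small parser for the getpcaps text format shown in the quoted message, applied to the two outputs above to check whether cap_sys_chroot is in the effective set. The capability names are assumed to be the 29 defined in Linux 2.4's linux/capability.h; the function names are hypothetical.

```python
import re

# Capability names for bits 0..28, as defined in Linux 2.4 <linux/capability.h>.
CAPS = ("cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid "
        "cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable "
        "cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw "
        "cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot "
        "cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice "
        "cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease").split()

# One clause: optional comma-separated names, then one or more <op><flags> actions.
CLAUSE = re.compile(r"([a-z_,]*)((?:[=+-][eip]*)+)")

def parse_caps(text):
    """Evaluate cap_to_text clauses left to right; return the e/i/p sets."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError("bad clause: %r" % clause)
        names = set(CAPS) if m.group(1) in ("", "all") else set(m.group(1).split(","))
        if names - set(CAPS):
            raise ValueError("unknown capability in %r" % clause)
        for op, flags in re.findall(r"([=+-])([eip]*)", m.group(2)):
            if op == "=":            # '=' first clears the names from all three sets
                for s in sets.values():
                    s -= names
            for f in flags:
                if op == "-":
                    sets[f] -= names
                else:                # '+' and '=' both raise the listed flags
                    sets[f] |= names
    return sets

def effective(getpcaps_line):
    """Effective set from a full "Capabilities for `PID': ..." line."""
    return parse_caps(getpcaps_line.split("': ", 1)[1])["e"]

# The two getpcaps lines from the quoted message (wrapped lines rejoined).
WITH_CTX = ("Capabilities for `4337': = cap_chown,cap_dac_override,"
            "cap_dac_read_search,cap_setgid,cap_setuid,cap_net_broadcast,"
            "cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease+ep")
NO_CTX = "Capabilities for `4334': =ep cap_setpcap-ep"

if __name__ == "__main__":
    for label, line in (("--ctx 49176", WITH_CTX), ("no --ctx", NO_CTX)):
        eff = effective(line)
        print(label, "cap_sys_chroot effective:", "cap_sys_chroot" in eff)
        print("  not effective:", ", ".join(c for c in CAPS if c not in eff))
```
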

