Hi,

I have trouble with the default capabilities of chcontext.

varchiv is virtual, here CAP_SYS_CHROOT is enabled:

varchiv:~ # grep s_context /proc/self/status
s_context: 49176
varchiv:~ # reducecap --show | grep -i chroot
        CAP_SYS_CHROOT     X         X

If I start a new context, I have CAP_SYS_CHROOT:

edison:~ # /usr/local/sbin/chcontext   --flag lock --flag nproc --flag sched\
  bash
New security context is 49184
edison:~ # reducecap --show | grep -i chroot
        CAP_SYS_CHROOT     X         X

If I want to change to varchiv, I don't have CAP_SYS_CHROOT:

edison:~ # /usr/local/sbin/chcontext   --flag lock --flag nproc --flag sched  
--ctx 49176 bash
New security context is 49176
varchiv:~ # reducecap --show | grep -i chroot
        CAP_SYS_CHROOT

Why does chcontext behave differently if I give the --ctx option?

~~~~~~~~~~~~~~

Wishlist:

 - Introduction at http://dns.solucorp.qc.ca/miscprj/s_context.hc
   has some old parts.
   - newvserver does not exist (I think you use "vserver foo build" now)
   - Part "The packages":
     Difference between /usr/lib/vserver/vdu and /usr/sbin/vdu
     (I think they are the same)
 
 - Is there a tool which displays the context of all processes?
   vps, vtop don't. (At least I found no way to do this.)

- Do you use "vserver foo start" or do you have your own scripts?
  I have problems with these scripts, and think most people who use
  vserver daily have their own scripts. Is this true?
  (The problem at the top is one of them. I just reduced it to the commands
   "vserver foo enter" executes.)

- Would be nice to get a better error message if a context
   does not exist:
   chcontext --ctx 99999 bash
    Can't set the new security context
    : Invalid argument

- "vserver foo start" overwrites the file in /var/run/vserver.
  It would be good if this could check if the server is already
  running.

- "vserver exec bash"
   Host name is now varchiv
   > echo $HOST --> old name
   > hostname --> new name
   Would be nice if $HOST would get updated, too.

- utils: Would be nice to have a debug option
  which displays the commands which get executed.
  I changed it myself for debugging.

I know my wishlist is long. Maybe I have some
time to send patches.

Regards,
 Thomas
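The wishlist item above asks for a tool that shows the context of every process. The following script is an added example, not part of Thomas's mail and not a VServer project utility: it reads the same s_context line the mail greps out of /proc/self/status, but for every /proc/<pid>/status, and alongside it reports whether CAP_SYS_CHROOT is present in the process's effective capability set (the CapEff bitmask in /proc/<pid>/status; CAP_SYS_CHROOT is capability number 18 in linux/capability.h), which is the capability the first part of the mail is chasing. Kernels without the VServer patch have no s_context line, so those processes are listed with context "-".

```shell
#!/bin/sh
# Added example (not from the original mail or the VServer project): list the
# VServer security context of every process from /proc/<pid>/status, plus
# whether CAP_SYS_CHROOT is in the effective capability set (CapEff).
# On a kernel without the s_context field the context column shows "-".

CAP_SYS_CHROOT=18   # bit index in the CapEff mask, from linux/capability.h

# Print the value of one "Key:<tab>value" line of a status file, or "-" if
# the key is missing. $1: key without the colon, $2: path to the status file.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; found = 1; exit }
                      END { if (!found) print "-" }' "$2"
}

# Return 0 if capability number $2 is set in the hex mask $1
# (e.g. "000001ffffffffff"); "-" or a non-hex value counts as not set.
cap_in_mask() {
    [ "$1" != "-" ] || return 1
    val=$(printf '%d' "0x$1") || return 1
    [ $(( (val >> $2) & 1 )) -eq 1 ]
}

# Print "PID CONTEXT CHROOT NAME" for every process, sorted by context, then pid.
list_contexts() {
    for st in /proc/[0-9]*/status; do
        pid=${st#/proc/}; pid=${pid%/status}
        # A process may exit between the glob and the read; skip it then.
        name=$(status_field Name "$st" 2>/dev/null) || continue
        ctx=$(status_field s_context "$st" 2>/dev/null) || continue
        eff=$(status_field CapEff "$st" 2>/dev/null) || continue
        if cap_in_mask "$eff" "$CAP_SYS_CHROOT"; then chroot=yes; else chroot=no; fi
        printf '%s %s %s %s\n' "$pid" "$ctx" "$chroot" "$name"
    done | sort -k2,2n -k1,1n
}

# Filter the listing to a single context, e.g.: list_contexts | in_context 49176
in_context() { awk -v want="$1" '$2 == want'; }

# Run as "sh ctxlist.sh --run" to print the table; sourcing it only defines the functions.
if [ "${1:-}" = "--run" ]; then list_contexts; fi
```

Reading /proc directly rather than wrapping vps or vtop means the listing works from the host context regardless of which utilities are installed, and the CHROOT column makes a capability difference such as the one in the mail (context 49184 versus 49176) visible for every process at once rather than only for the shell running reducecap.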

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver