On Mon, Apr 24, 2006 at 06:40:22PM +0200, Jonathan Dray wrote:
> 2006/4/24, Herbert Poetzl <[EMAIL PROTECTED]>:
> >
> > networking in Linux-VServer happens on the host to
> > provide highest possible performance, which atm
> > means that the iptable entries have to be set on
> > the host too, this might change in the future, but
> > usually it doesn't pose any problem ...
>
> I've read something about virtual network devices and the ngnet
> project. Is it the future change you are talking about?

yes, ngnet will provide the features (and overhead)
virtual networking has, for those who desperately
want it ...

> Do you have any other solution for virtual hosting services to
> provide guest firewall management?

usually there is no real point in doing per guest
firewalling, but it can be easily done by assigning
an iptable chain for each guest, and allowing the
guest admins to maintain those entries (e.g. via
web interface)

of course, this requires policy to restrict the
number of table entries and a pre-selection based
on guest IPs to ensure that the guest doesn't do
anything evil with that ...

> > typically you have about 8 devices in your guest,
> > which are created with the 'build' methods, and you
> > really don't want more than those inside a guest for
> > security reasons, so there is really no point in
> > using devfs or udev ...
>
> I understand the security recommendations to limit devices
> inside a guest and agree with them.
> I was asking because when entering a guest I get the following error
> message:
>
>   mesg: /dev/pts/1: Operation not permitted

which is because you bring your pts/1 from the host
into the guest, and now the guest tries to access
it (which is not permitted, for security reasons)

> Any clue?

using recent tools and patches (magic word is vlogin)
should handle this by allocating a new pts inside
the guest (on enter), but the canonical way is to
enter the guest via ssh, which will do all the
proper stuff automagically ...

> thanks for your help

you're welcome!

best,
Herbert

> Jon

_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
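The per-guest chain scheme Herbert sketches (one iptables chain per guest, maintained from the host, with a limit on the number of entries and a pre-selection on the guest's own IP so the guest cannot touch anyone else's traffic), written out as an added shell example. This is not Linux-VServer tooling and not code from the thread; the guest name web1, the address 192.0.2.10, the "proto port ACCEPT|DROP" rule grammar, the chain naming and the 20-rule limit are all constructed assumptions for illustration. iptables is not executed: IPT defaults to "echo iptables" so the script prints the commands it would run and works offline.

```shell
#!/bin/sh
# Added example (not Linux-VServer code): one iptables chain per guest,
# maintained from the host under policy, as described in the reply above.
# Assumptions (constructed): guest "web1" owns 192.0.2.10; guest admins submit
# inbound rules as "proto port ACCEPT|DROP" lines; at most MAX_RULES of them.
# IPT defaults to "echo iptables" so the script prints the commands it would
# run and works offline; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
MAX_RULES=20

# Chain name derived from the guest name (assumed convention).
guest_chain() { printf 'guest_%s\n' "$1"; }

# Host-side, once per guest: create the chain and hook it from INPUT only for
# packets addressed to the guest's IP. This is the "pre-selection based on
# guest IPs": whatever ends up in guest_web1 only ever sees web1's traffic.
guest_chain_setup() {
    chain=$(guest_chain "$1")
    $IPT -N "$chain"
    $IPT -A INPUT -d "$2" -j "$chain"
}

# Policy check for one guest-submitted rule: tcp/udp only, a valid port,
# and only ACCEPT or DROP as target (no jumps to other chains, no arbitrary
# match options). Returns 0 when the rule is acceptable, 1 otherwise.
guest_rule_ok() {
    case $1 in tcp|udp) ;; *) return 1 ;; esac
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || return 1
    case $3 in ACCEPT|DROP) ;; *) return 1 ;; esac
    return 0
}

# Rebuild a guest's chain from a rules file. Everything is validated before
# the chain is touched, so a bad ruleset leaves the old one in place:
# returns 2 when the entry limit is exceeded, 1 when a rule fails policy,
# 0 after the chain has been flushed and rewritten.
guest_chain_apply() {
    name=$1; ip=$2; rules=$3
    chain=$(guest_chain "$name")
    n=$(grep -c . "$rules" || true)
    [ "$n" -le "$MAX_RULES" ] || return 2
    while read -r proto port action; do
        [ -n "$proto" ] || continue
        guest_rule_ok "$proto" "$port" "$action" || return 1
    done < "$rules"
    $IPT -F "$chain"
    while read -r proto port action; do
        [ -n "$proto" ] || continue
        # -d is pinned to the guest IP here as well, independent of the hook
        # rule, so the chain stays harmless even if it is ever jumped to
        # from somewhere else.
        $IPT -A "$chain" -p "$proto" --dport "$port" -d "$ip" -j "$action"
    done < "$rules"
    return 0
}

# Constructed sample ruleset, as a guest admin might submit via a web form.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
tcp 80 ACCEPT
tcp 443 ACCEPT
udp 53 DROP
EOF

guest_chain_setup web1 192.0.2.10
guest_chain_apply web1 192.0.2.10 "$RULES"
```

Run as-is it prints the five iptables commands (chain creation, the INPUT hook, a flush, three appends) without changing anything; a ruleset with an unknown protocol, an out-of-range port, a target other than ACCEPT/DROP, or more than MAX_RULES lines is rejected before the chain is flushed. Guest IPs in Linux-VServer of that era are host-side addresses, which is why the hook sits in INPUT; a setup that forwards traffic to the guest would need an equivalent hook in FORWARD with the same -d pre-selection.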
