On Fri, Apr 28, 2006 at 10:47:25PM +0300, Nikolay Kichukov wrote:
> Hello Herbert,
> Sorry for the long delay in replying again.
>
> Here is some further info about the traceroute tool I am
> using on the GUEST:

ah, obviously confused that because I do not use
traceroute myself, just verified that traceroute
tries to open an unlimited raw socket:

socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 6
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)

which of course is not permitted inside a guest,
as it would allow to sniff and spoof arbitrary
traffic on a guest ...

OTOH, the following works quite fine:

# tracepath 10.0.0.1
 1:  xxxx.test.org (192.168.0.2)   9.773ms pmtu 1500
 1:  10.0.0.1 (10.0.0.1)           5.306ms reached
     Resume: pmtu 1500 hops 1 back 1

HTH,
Herbert

> [EMAIL PROTECTED]:/usr/bin# dpkg --status traceroute
> Package: traceroute
> Status: install ok installed
> Priority: important
> Section: net
> Installed-Size: 60
> Maintainer: Graham Wilson <[EMAIL PROTECTED]>
> Architecture: i386
> Version: 1.4a12-20
> Replaces: netstd
> Depends: libc6 (>= 2.3.5-1)
> Conflicts: suidmanager (<< 0.50)
> Description: traces the route taken by packets over a TCP/IP network
>  The traceroute utility displays the route used by IP packets on their way
>  to a specified network (or Internet) host. Traceroute displays the IP number
>  and host name (if possible) of the machines along the route taken by the
>  packets. Traceroute is used as a network debugging tool. If you're having
>  network connectivity problems, traceroute will show you where the trouble
>  is coming from along the route.
>  .
>  Install traceroute if you need a tool for diagnosing network connectivity
>  problems.
> [EMAIL PROTECTED]:/usr/bin#
>
> [EMAIL PROTECTED]:/usr/bin# ls -alh traceroute
> lrwxrwxrwx 1 root root 28 Mar 17 00:38 traceroute -> /etc/alternatives/traceroute
>
> [EMAIL PROTECTED]:/usr/bin# ls -alh /etc/alternatives/traceroute
> lrwxrwxrwx 1 root root 23 Mar 17 00:38 /etc/alternatives/traceroute -> /usr/bin/traceroute.lbl
>
> [EMAIL PROTECTED]:/usr/bin# ls -alh traceroute.lbl
> -rwsr-xr-x 1 root root 18K Aug 30 2005 traceroute.lbl
>
> and again that same error message:
>
> [EMAIL PROTECTED]:/usr/bin# traceroute linux-vserver.org
> traceroute: raw socket: Operation not permitted
>
> I do have the raw_icmp ccapability enabled.
>
> Further information:
>
> [EMAIL PROTECTED]:~# vserver-info
> Versions:
>                    Kernel: 2.6.14.4-vs2.1.0nevir
>                    VS-API: 0x00020001
>              util-vserver: 0.30.209; Jan 8 2006, 12:24:41
>
> Features:
>                        CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
>                       CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
>                  CPPFLAGS: ''
>                    CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
>                  CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
>                build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
>              Use dietlibc: yes
>        Build C++ programs: yes
>        Build C99 programs: yes
>            Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
>             ext2fs Source: e2fsprogs
>     syscall(2) invocation: alternative
>       vserver(2) syscall#: 273/glibc
>
> Paths:
>                    prefix: /usr
>         sysconf-Directory: /etc
>             cfg-Directory: /etc/vservers
>          initrd-Directory: $(sysconfdir)/init.d
>        pkgstate-Directory: /var/run/vservers
>           vserver-Rootdir: /var/lib/vservers
>
> Assumed 'SYSINFO' as no other option given; try '--help' for more
> information.
>
> [EMAIL PROTECTED]:~# uname -a
> Linux nevir 2.6.14.4-vs2.1.0nevir #4 Thu Mar 16 19:43:43 EET 2006 i686 GNU/Linux
>
> Let me know if you need any more information to troubleshoot that matter.
>
> Thanks,
> -Nikolay Kichukov
>
> ----- Original Message -----
> From: "Herbert Poetzl" <[EMAIL PROTECTED]>
> To: "Nikolay Kichukov" <[EMAIL PROTECTED]>
> Cc: <vserver@list.linux-vserver.org>
> Sent: Friday, April 21, 2006 8:08 PM
> Subject: Re: [Vserver] vserver traceroute
>
> > On Fri, Apr 21, 2006 at 05:30:53PM +0300, Nikolay Kichukov wrote:
> > > hi, the version is:
> > >
> > > util-vserver 0.30.209-2
> > >
> > > Would you suggest an upgrade to get the traceroute going? It is not so
> > > important to make traceroute working. It is the idea that stays behind
> > > that. ;-) To have the guest at full operational power as if it is a
> > > real machine.
> >
> > can you provide a static binary of that traceroute tool
> > for testing? it is supposed to work with ram_icmp
> > capability enabled ...
> >
> > TIA,
> > Herbert
> >
> > > Thanks and regards,
> > > -Nikolay Kichukov
> > >
> > > ----- Original Message -----
> > > From: "Herbert Poetzl" <[EMAIL PROTECTED]>
> > > To: "Nikolay Kichukov" <[EMAIL PROTECTED]>
> > > Cc: <vserver@list.linux-vserver.org>
> > > Sent: Thursday, April 20, 2006 9:43 PM
> > > Subject: Re: [Vserver] vserver traceroute
> > >
> > > > On Thu, Apr 20, 2006 at 05:24:00PM +0300, Nikolay Kichukov wrote:
> > > > > hello,
> > > > > even trying to traceroute -I is still giving that same error message.
> > > > > What could be wrong? Do I need to set some extra ccapabilities?
> > > > >
> > > > > Also, what does the --secure option of the vattribute do ?
> > > >
> > > > that really depends on the tool version, which
> > > > one do you have?
> > > >
> > > > usually it removes most capabilities from the guest
> > > >
> > > > best,
> > > > Herbert
> > > >
> > > > > Regards,
> > > > > -Nikolay Kichukov
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Xavier Montagutelli" <[EMAIL PROTECTED]>
> > > > > To: <vserver@list.linux-vserver.org>
> > > > > Sent: Thursday, April 20, 2006 3:33 PM
> > > > > Subject: Re: [Vserver] vserver traceroute
> > > > >
> > > > > > On Thursday 20 April 2006 13:29, Nikolay Kichukov wrote:
> > > > > > > Hello guys,
> > > > > > > Thanks for the advice, and sorry for taking me so long to respond.
> > > > > > >
> > > > > > > I tried setting:
> > > > > > >
> > > > > > > host# vattribute --set --xid <xid> --secure --ccap raw_icmp
> > > > > > >
> > > > > > > and when i try to traceroute a host I am again getting:
> > > > > > >
> > > > > > > traceroute: raw socket: Operation not permitted
> > > > > >
> > > > > > On my debian box, traceroute uses by default UDP packets, not ICMP packets.
> > > > > >
> > > > > > Try "-I icmp" to use icmp.
> > > > > >
> > > > > > > Any further ideas?
> > > > > > >
> > > > > > > Another problem has now appeared:
> > > > > > > When i try to ssh to the guest sshd, i am getting the following error:
> > > > > > >
> > > > > > > fatal: chroot("/var/run/sshd"): Operation not permitted
> > > > > > >
> > > > > > > /var/run/sshd is rwx for root and r-x for the group and others
> > > > > > >
> > > > > > > Any ideas?
> > > > > > >
> > > > > > > Additional info:
> > > > > > >
> > > > > > > util-vserver 0.30.209-2 debian package
> > > > > > > kernel 1.6.14.4-vs2.1.0
> > > > > > >
> > > > > > > On Tue, 2006-04-11 at 13:17 +0200, Daniel Hokka Zakrisson wrote:
> > > > > > > > Nikolay Kichukov wrote:
> > > > > > > > > Hi,
> > > > > > > > > Thanks for the advice,
> > > > > > > > > I'd like to test that and I already have raw_icmp in the flags
> > > > > > > > > file for the vserver, but is there a way i can set that without
> > > > > > > > > rebooting the vserver?
> > > > > > > >
> > > > > > > > It's a context capability, so you should put it in ccapabilities file.
> > > > > > > >
> > > > > > > > > I've searched for information about chcontext and did not find a
> > > > > > > > > lot about setting those caps and flags dynamically. Is that
> > > > > > > > > possible? If yes, how?
> > > > > > > >
> > > > > > > > vattribute --set --xid <name or xid of the guest> --secure --ccap
> > > > > > > > raw_icmp (add additional --bcaps here if you have any, as they'll
> > > > > > > > be reset otherwise)
> > > > > > > >
> > > > > > > > > Also, another question is, i have already created(built) the
> > > > > > > > > vserver without --context NNN, and now I would like to get the
> > > > > > > > > vserver running only in a specified context, ie. 444. How can i
> > > > > > > > > implement that?
> > > > > > > >
> > > > > > > > echo NNN > /etc/vservers/<name>/context
> > > > > > > >
> > > > > > > > http://www.nongnu.org/util-vserver/doc/conf/configuration.html
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Vserver mailing list
> > > > > > > Vserver@list.linux-vserver.org
> > > > > > > http://list.linux-vserver.org/mailman/listinfo/vserver
> > > > > >
> > > > > > --
> > > > > > Xavier Montagutelli               Tel : +33 (0)5 55 45 77 20
> > > > > > Service Commun Informatique       Fax : +33 (0)5 55 45 77 60
> > > > > > Universite de Limoges
> > > > > > 123, avenue Albert Thomas
> > > > > > 87060 Limoges cedex
> > > > > > _______________________________________________
> > > > > > Vserver mailing list
> > > > > > Vserver@list.linux-vserver.org
> > > > > > http://list.linux-vserver.org/mailman/listinfo/vserver
> > > > >
> > > > > _______________________________________________
> > > > > Vserver mailing list
> > > > > Vserver@list.linux-vserver.org
> > > > > http://list.linux-vserver.org/mailman/listinfo/vserver

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
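
Added example, not part of the original thread and not code from util-vserver or traceroute: a small C probe that repeats the two socket() calls from the trace in Herbert's reply and reports which raw socket types the current context may open, which is a quick way to check what a guest's capability set actually grants. The names probe_raw, classify and describe are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: open and close a raw socket for `proto`.
 * Returns 0 on success, otherwise the errno set by socket(2). */
int probe_raw(int proto)
{
    int fd = socket(PF_INET, SOCK_RAW, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

enum raw_state { RAW_NONE, RAW_ICMP_ONLY, RAW_FULL, RAW_OTHER };

/* Classify the (IPPROTO_ICMP, IPPROTO_RAW) probe results. */
enum raw_state classify(int icmp_err, int raw_err)
{
    if (icmp_err == 0 && raw_err == 0)
        return RAW_FULL;
    if (icmp_err == 0 && raw_err == EPERM)
        return RAW_ICMP_ONLY;   /* the pattern shown in the trace above */
    if (icmp_err == EPERM && raw_err == EPERM)
        return RAW_NONE;
    return RAW_OTHER;           /* any other errno combination */
}

const char *describe(enum raw_state s)
{
    switch (s) {
    case RAW_FULL:      return "ICMP and IPPROTO_RAW sockets both allowed";
    case RAW_ICMP_ONLY: return "ICMP raw socket only; tools that also open IPPROTO_RAW fail";
    case RAW_NONE:      return "no raw sockets; raw-socket tools fail";
    default:            return "unexpected result, check the errno values";
    }
}

int main(void)
{
    int icmp = probe_raw(IPPROTO_ICMP);
    int raw = probe_raw(IPPROTO_RAW);
    printf("IPPROTO_ICMP: %s\n", icmp ? strerror(icmp) : "ok");
    printf("IPPROTO_RAW:  %s\n", raw ? strerror(raw) : "ok");
    puts(describe(classify(icmp, raw)));
    return 0;
}
```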