Hello Herbert,

I already joined IRC and there were people there that helped me resolve
all the pending issues.

Thanks and Regards,
-Nikolay Kichukov

On Wed, 2006-05-10 at 14:42 +0200, Herbert Poetzl wrote:
> On Sun, Apr 30, 2006 at 10:22:22PM +0300, Nikolay Kichukov wrote:
> > hello,
> > what i DID try to temporarily fix the problem and that did not work was:
> >
> > vattribute --set --xid <id> --ccap raw_icmp --bcap -1
> >
> > something else i wanted to ask was:
> > > > Another point that i noticed is, that the df command is no longer
> > > > listing the /dev/hdv device. The output is something like:
> > > >
> > > > df -ha
> > > > Filesystem Size Used Avail Use% Mounted on
> > > > proc 0 0 0 - /proc
> > > > devpts 0 0 0 - /dev/pts
> > > >
> > > > What could be causing this?
> >
> > Within the guest /etc/fstab is now empty. What caused that file to be
> > erased?
>
> somehow I lost the overview about the changes and/or
> the effects you observed, I'd suggest to pay a visit
> to the IRC channel (#vserver @ irc.oftc.net) where
> we should be able to track down whatever causes your
> issues ...
>
> HTH,
> Herbert
>
> > Regards,
> > -nik
> >
> > ----- Original Message -----
> > From: "Herbert Poetzl" <[EMAIL PROTECTED]>
> > To: "Nikolay Kichukov" <[EMAIL PROTECTED]>
> > Cc: <vserver@list.linux-vserver.org>
> > Sent: Sunday, April 30, 2006 9:21 PM
> > Subject: Re: [Vserver] vserver traceroute
> >
> > > On Sun, Apr 30, 2006 at 10:54:26PM +0300, Nikolay Kichukov wrote:
> > > >
> > > > Hello,
> > > > Just upgraded to the latest development util-vserver release.
> > > >
> > > > However, when I try to vattribute, I am getting exactly the same
> > > > behaviour. sshd is again not accepting connections. When I try to
> > > > temporary fix the problem with --bcap -1, there is no update.
> > >
> > > hmm, maybe you got that wrong, what I meant was:
> > >
> > > whenever you want to set the ccaps, also add the --bcaps -1
> > > to that command line .. to work around the bug, btw, it
> > > works quite fine here with 0.30.210 + patches
> > >
> > > HTH,
> > > Herbert
> > >
> > > > /usr/local/sbin/vserver-info
> > > > Versions:
> > > >     Kernel: 2.6.14.4-vs2.1.0nevir
> > > >     VS-API: 0x00020001
> > > >     util-vserver: 0.30.210; Apr 30 2006, 20:31:56
> > > >
> > > > Features:
> > > >     CC: gcc, gcc (GCC) 4.0.3 (Debian 4.0.3-1)
> > > >     CXX: g++, g++ (GCC) 4.0.3 (Debian 4.0.3-1)
> > > >     CPPFLAGS: ''
> > > >     CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
> > > >     CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
> > > >     build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
> > > >     Use dietlibc: yes
> > > >     Build C++ programs: yes
> > > >     Build C99 programs: yes
> > > >     Available APIs: v13,net
> > > >     ext2fs Source: e2fsprogs
> > > >     syscall(2) invocation: alternative
> > > >     vserver(2) syscall#: 273/glibc
> > > >
> > > > Paths:
> > > >     prefix: /usr/local
> > > >     sysconf-Directory: /etc
> > > >     cfg-Directory: /etc/vservers
> > > >     initrd-Directory: $(sysconfdir)/init.d
> > > >     pkgstate-Directory: /var/run/vservers
> > > >     vserver-Rootdir: /var/lib/vservers
> > > >
> > > > Assumed 'SYSINFO' as no other option given; try '--help' for more information.
> > > >
> > > > Another point that i noticed is, that the df command is no longer
> > > > listing the /dev/hdv device. The output is something like:
> > > >
> > > > df -ha
> > > > Filesystem Size Used Avail Use% Mounted on
> > > > proc 0 0 0 - /proc
> > > > devpts 0 0 0 - /dev/pts
> > > >
> > > > What could be causing this?
> > > >
> > > > Regards,
> > > > -nik
> > > >
> > > > On Sun, 2006-04-30 at 17:03 +0200, Herbert Poetzl wrote:
> > > > > On Sun, Apr 30, 2006 at 02:53:20PM +0300, Nikolay Kichukov wrote:
> > > > > > Hello Herbert,
> > > > > > I see now. So traceroute cannot be used within a guest environment. I
> > > > > > will try tracepath instead.
> > > > > >
> > > > > > One more thing I'd like to comment on is that, every time I issue:
> > > > > >
> > > > > > vattribute --set --xid <id> --ccap raw_icmp
> > > > > >
> > > > > > on the host, I am getting the following error on the guest when I try
> > > > > > to ssh to it:
> > > > > >
> > > > > > fatal: chroot("/var/run/sshd"): Operation not permitted
> > > > > >
> > > > > > The only way I go around that is to reboot the guest.
> > > > > >
> > > > > > What am I doing wrong when I am setting the --ccap ? Do I reset some
> > > > > > default ccaps or bcaps ? I only have the ccapabilities file and it only
> > > > > > contains raw_icmp. So is the default startup of a vserver initializing
> > > > > > some extra flags/capabilities that are not necessarily predefined
> > > > > > within flags/ccapabilities/bcapabilities?
> > > > >
> > > > > there was a tool bug regarding vattribute, where
> > > > > you had to specify the bcaps when you want to change
> > > > > the ccaps, so you might try the following instead
> > > > >
> > > > > vattribute --set --xid <id> --bcaps -1 --ccap raw_icmp
> > > > >
> > > > > or update to a more recent version
> > > > >
> > > > > HTH,
> > > > > Herbert
> > > > >
> > > > > > Regards,
> > > > > > -Nikolay Kichukov
> > > > > >
> > > > > > On Sat, 2006-04-29 at 19:28 +0200, Herbert Poetzl wrote:
> > > > > > > On Fri, Apr 28, 2006 at 10:47:25PM +0300, Nikolay Kichukov wrote:
> > > > > > > > Hello Herbert,
> > > > > > > > Sorry for the long delay in replying again.
> > > > > > > >
> > > > > > > > Here is some further info about the traceroute tool I am
> > > > > > > > using on the GUEST:
> > > > > > >
> > > > > > > ah, obviously confused that because I do not use
> > > > > > > traceroute myself, just verified that traceroute
> > > > > > > tries to open an unlimited raw socket:
> > > > > > >
> > > > > > > socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 6
> > > > > > > socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)
> > > > > > >
> > > > > > > which of course is not permitted inside a guest,
> > > > > > > as it would allow to sniff and spoof arbitrary
> > > > > > > traffic on a guest ...
> > > > > > >
> > > > > > > OTOH, the following works quite fine:
> > > > > > >
> > > > > > > # tracepath 10.0.0.1
> > > > > > > 1: xxxx.test.org (192.168.0.2) 9.773ms pmtu 1500
> > > > > > > 1: 10.0.0.1 (10.0.0.1) 5.306ms reached
> > > > > > > Resume: pmtu 1500 hops 1 back 1
> > > > > > >
> > > > > > > HTH,
> > > > > > > Herbert
> > > > > > >
> > > > > > > > [EMAIL PROTECTED]:/usr/bin# dpkg --status traceroute
> > > > > > > > Package: traceroute
> > > > > > > > Status: install ok installed
> > > > > > > > Priority: important
> > > > > > > > Section: net
> > > > > > > > Installed-Size: 60
> > > > > > > > Maintainer: Graham Wilson <[EMAIL PROTECTED]>
> > > > > > > > Architecture: i386
> > > > > > > > Version: 1.4a12-20
> > > > > > > > Replaces: netstd
> > > > > > > > Depends: libc6 (>= 2.3.5-1)
> > > > > > > > Conflicts: suidmanager (<< 0.50)
> > > > > > > > Description: traces the route taken by packets over a TCP/IP network
> > > > > > > >  The traceroute utility displays the route used by IP packets on their way to a
> > > > > > > >  specified network (or Internet) host. Traceroute displays the IP number and
> > > > > > > >  host name (if possible) of the machines along the route taken by the packets.
> > > > > > > >  Traceroute is used as a network debugging tool. If you're having network
> > > > > > > >  connectivity problems, traceroute will show you where the trouble is coming
> > > > > > > >  from along the route.
> > > > > > > >  .
> > > > > > > >  Install traceroute if you need a tool for diagnosing network connectivity
> > > > > > > >  problems.
> > > > > > > > [EMAIL PROTECTED]:/usr/bin#
> > > > > > > >
> > > > > > > > [EMAIL PROTECTED]:/usr/bin# ls -alh traceroute
> > > > > > > > lrwxrwxrwx 1 root root 28 Mar 17 00:38 traceroute -> /etc/alternatives/traceroute
> > > > > > > >
> > > > > > > > [EMAIL PROTECTED]:/usr/bin# ls -alh /etc/alternatives/traceroute
> > > > > > > > lrwxrwxrwx 1 root root 23 Mar 17 00:38 /etc/alternatives/traceroute -> /usr/bin/traceroute.lbl
> > > > > > > >
> > > > > > > > [EMAIL PROTECTED]:/usr/bin# ls -alh traceroute.lbl
> > > > > > > > -rwsr-xr-x 1 root root 18K Aug 30 2005 traceroute.lbl
> > > > > > > >
> > > > > > > > and again that same error message:
> > > > > > > >
> > > > > > > > [EMAIL PROTECTED]:/usr/bin# traceroute linux-vserver.org
> > > > > > > > traceroute: raw socket: Operation not permitted
> > > > > > > >
> > > > > > > > I do have the raw_icmp ccapability enabled.
> > > > > > > >
> > > > > > > > Further information:
> > > > > > > >
> > > > > > > > [EMAIL PROTECTED]:~# vserver-info
> > > > > > > > Versions:
> > > > > > > >     Kernel: 2.6.14.4-vs2.1.0nevir
> > > > > > > >     VS-API: 0x00020001
> > > > > > > >     util-vserver: 0.30.209; Jan 8 2006, 12:24:41
> > > > > > > >
> > > > > > > > Features:
> > > > > > > >     CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
> > > > > > > >     CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
> > > > > > > >     CPPFLAGS: ''
> > > > > > > >     CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
> > > > > > > >     CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
> > > > > > > >     build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
> > > > > > > >     Use dietlibc: yes
> > > > > > > >     Build C++ programs: yes
> > > > > > > >     Build C99 programs: yes
> > > > > > > >     Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
> > > > > > > >     ext2fs Source: e2fsprogs
> > > > > > > >     syscall(2) invocation: alternative
> > > > > > > >     vserver(2) syscall#: 273/glibc
> > > > > > > >
> > > > > > > > Paths:
> > > > > > > >     prefix: /usr
> > > > > > > >     sysconf-Directory: /etc
> > > > > > > >     cfg-Directory: /etc/vservers
> > > > > > > >     initrd-Directory: $(sysconfdir)/init.d
> > > > > > > >     pkgstate-Directory: /var/run/vservers
> > > > > > > >     vserver-Rootdir: /var/lib/vservers
> > > > > > > >
> > > > > > > > Assumed 'SYSINFO' as no other option given; try '--help' for more
> > > > > > > > information.
> > > > > > > >
> > > > > > > > [EMAIL PROTECTED]:~# uname -a
> > > > > > > > Linux nevir 2.6.14.4-vs2.1.0nevir #4 Thu Mar 16 19:43:43 EET 2006 i686 GNU/Linux
> > > > > > > >
> > > > > > > > Let me know if you need any more information to troubleshoot that matter.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > -Nikolay Kichukov
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Herbert Poetzl" <[EMAIL PROTECTED]>
> > > > > > > > To: "Nikolay Kichukov" <[EMAIL PROTECTED]>
> > > > > > > > Cc: <vserver@list.linux-vserver.org>
> > > > > > > > Sent: Friday, April 21, 2006 8:08 PM
> > > > > > > > Subject: Re: [Vserver] vserver traceroute
> > > > > > > >
> > > > > > > > > On Fri, Apr 21, 2006 at 05:30:53PM +0300, Nikolay Kichukov wrote:
> > > > > > > > > > hi, the version is:
> > > > > > > > > >
> > > > > > > > > > util-vserver 0.30.209-2
> > > > > > > > > >
> > > > > > > > > > Would you suggest an upgrade to get the traceroute going? It is not so
> > > > > > > > > > important to make traceroute working. It is the idea that stays behind
> > > > > > > > > > that. ;-) To have the guest at full operational power as if it is a
> > > > > > > > > > real machine.
> > > > > > > > >
> > > > > > > > > can you provide a static binary of that traceroute tool
> > > > > > > > > for testing? it is supposed to work with raw_icmp
> > > > > > > > > capability enabled ...
> > > > > > > > >
> > > > > > > > > TIA,
> > > > > > > > > Herbert
> > > > > > > > >
> > > > > > > > > > Thanks and regards,
> > > > > > > > > > -Nikolay Kichukov
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Herbert Poetzl" <[EMAIL PROTECTED]>
> > > > > > > > > > To: "Nikolay Kichukov" <[EMAIL PROTECTED]>
> > > > > > > > > > Cc: <vserver@list.linux-vserver.org>
> > > > > > > > > > Sent: Thursday, April 20, 2006 9:43 PM
> > > > > > > > > > Subject: Re: [Vserver] vserver traceroute
> > > > > > > > > >
> > > > > > > > > > > On Thu, Apr 20, 2006 at 05:24:00PM +0300, Nikolay Kichukov wrote:
> > > > > > > > > > > > hello,
> > > > > > > > > > > > even trying to traceroute -I is still giving that same error message.
> > > > > > > > > > > > What could be wrong? Do I need to set some extra ccapabilities?
> > > > > > > > > > > >
> > > > > > > > > > > > Also, what does the --secure option of the vattribute do ?
> > > > > > > > > > >
> > > > > > > > > > > that really depends on the tool version, which
> > > > > > > > > > > one do you have?
> > > > > > > > > > >
> > > > > > > > > > > usually it removes most capabilities from the guest
> > > > > > > > > > >
> > > > > > > > > > > best,
> > > > > > > > > > > Herbert
> > > > > > > > > > >
> > > > > > > > > > > > Regards,
> > > > > > > > > > > > -Nikolay Kichukov
> > > > > > > > > > > >
> > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > From: "Xavier Montagutelli" <[EMAIL PROTECTED]>
> > > > > > > > > > > > To: <vserver@list.linux-vserver.org>
> > > > > > > > > > > > Sent: Thursday, April 20, 2006 3:33 PM
> > > > > > > > > > > > Subject: Re: [Vserver] vserver traceroute
> > > > > > > > > > > >
> > > > > > > > > > > > > On Thursday 20 April 2006 13:29, Nikolay Kichukov wrote:
> > > > > > > > > > > > > > Hello guys,
> > > > > > > > > > > > > > Thanks for the advice, and sorry for taking me so long to respond.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I tried setting:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > host# vattribute --set --xid <xid> --secure --ccap raw_icmp
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > and when i try to traceroute a host I am again getting:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > traceroute: raw socket: Operation not permitted
> > > > > > > > > > > > >
> > > > > > > > > > > > > On my debian box, traceroute uses by default UDP packets, not ICMP packets.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Try "-I icmp" to use icmp.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Any further ideas?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Another problem has now appeared:
> > > > > > > > > > > > > > When i try to ssh to the guest sshd, i am getting the following error:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > fatal: chroot("/var/run/sshd"): Operation not permitted
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > /var/run/sshd is rwx for root and r-x for the group and others
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Any ideas?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Additional info:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > util-vserver 0.30.209-2 debian package
> > > > > > > > > > > > > > kernel 1.6.14.4-vs2.1.0
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Tue, 2006-04-11 at 13:17 +0200, Daniel Hokka Zakrisson wrote:
> > > > > > > > > > > > > > > Nikolay Kichukov wrote:
> > > > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > > > > Thanks for the advice,
> > > > > > > > > > > > > > > > I'd like to test that and I already have raw_icmp in the flags file for
> > > > > > > > > > > > > > > > the vserver, but is there a way i can set that without rebooting the
> > > > > > > > > > > > > > > > vserver?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > It's a context capability, so you should put it in ccapabilities file.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I've searched for information about chcontext and did not find a lot
> > > > > > > > > > > > > > > > about setting those caps and flags dynamically. Is that possible? If
> > > > > > > > > > > > > > > > yes, how?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > vattribute --set --xid <name or xid of the guest> --secure --ccap
> > > > > > > > > > > > > > > raw_icmp (add additional --bcaps here if you have any, as they'll be
> > > > > > > > > > > > > > > reset otherwise)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Also, another question is, i have already created(built) the vserver
> > > > > > > > > > > > > > > > without --context NNN, and now I would like to get the vserver running
> > > > > > > > > > > > > > > > only in a specified context, ie. 444. How can i implement that?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > echo NNN > /etc/vservers/<name>/context
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > http://www.nongnu.org/util-vserver/doc/conf/configuration.html
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > > Vserver mailing list
> > > > > > > > > > > > > > Vserver@list.linux-vserver.org
> > > > > > > > > > > > > > http://list.linux-vserver.org/mailman/listinfo/vserver
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Xavier Montagutelli          Tel : +33 (0)5 55 45 77 20
> > > > > > > > > > > > > Service Commun Informatique  Fax : +33 (0)5 55 45 77 60
> > > > > > > > > > > > > Universite de Limoges
> > > > > > > > > > > > > 123, avenue Albert Thomas
> > > > > > > > > > > > > 87060 Limoges cedex

--
When we are happy, we are good.
But when we are good, we are not always happy...
-Oscar Wilde
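
The two failures discussed in this thread (the EPERM on socket(PF_INET, SOCK_RAW, IPPROTO_RAW) and the EPERM on chroot(), which requires CAP_SYS_CHROOT) can be checked from inside a guest with a small probe. This is an added example, not code from the thread or from util-vserver; the helper names probe_raw, has_cap and read_cap_eff are hypothetical, and it assumes a Linux /proc that exposes a CapEff line in /proc/self/status.

```c
/* Added example: report which raw sockets and capabilities this context has. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define BIT_CAP_NET_RAW    13
#define BIT_CAP_SYS_CHROOT 18

/* Open and close a raw IPv4 socket; return 0 on success, else errno. */
int probe_raw(int proto)
{
    int fd = socket(PF_INET, SOCK_RAW, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Return 1 if capability number `cap` is set in `mask`, else 0. */
int has_cap(unsigned long long mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Read the effective capability mask of this process; 0 on success. */
int read_cap_eff(unsigned long long *mask)
{
    char line[256];
    int rc = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "CapEff: %llx", mask) == 1) {
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    unsigned long long eff = 0;
    int e;

    /* The two socket() calls traceroute makes, per the strace above. */
    e = probe_raw(IPPROTO_ICMP);
    printf("SOCK_RAW/IPPROTO_ICMP: %s\n", e ? strerror(e) : "ok");
    e = probe_raw(IPPROTO_RAW);
    printf("SOCK_RAW/IPPROTO_RAW:  %s\n", e ? strerror(e) : "ok");
    if (read_cap_eff(&eff) == 0)
        printf("CapEff=%016llx CAP_NET_RAW=%d CAP_SYS_CHROOT=%d\n", eff,
               has_cap(eff, BIT_CAP_NET_RAW), has_cap(eff, BIT_CAP_SYS_CHROOT));
    return 0;
}
```

Run as root inside the guest before and after a vattribute change: a cleared CAP_SYS_CHROOT bit matches the sshd chroot error quoted above.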