On Sat, Jul 29, 2006 at 10:52:48AM -0700, Martin Fick wrote:
> I know that all the documentation says that you
> cannot run the nfs kernel server within a vserver and
> I was wondering why and what are the issues?

you cannot run it in a somewhat safe way ...

> I thought that I read somewhere that it would be
> hard to do in a secure fashion. So I have to ask:
> does that mean that if security were not an issue, it
> would be doable?

yes, given the necessary capabilities and using the
proper helpers (portmap, etc) it should work quite fine,
not sure what the advantage over a host system would be
though ...

> Would the vserver in question simply need to have all
> restrictions removed (all capabilities added?)

that would be one option

> Is there an easy way to add all capabilities, or not
> remove them in the first place, even if this involved
> hacking the vserver-start script?

yes definitely, it would be the simplest to 'just' add
them to the bcapabilities list

> If I cannot get it to work in an actual vserver,
> would there be a way to get it to work in some
> pseudo-vserver environment? What I mean is that, it
> seems to work in a simple chrooted environment, can I
> keep adding the various vserver abstractions (chbind
> ...) right up until the point before it no longer
> works? Has anyone tried anything crazy like that?

should work too, probably your boundaries are:

 - required caps to start kernel threads (nfsd)
 - enough ips/ports to communicate with portmap
   (including localhost)

> Is there an easy way to go about debugging such a setup?
> I don't have a very good understanding of what a
> vserver is, does what I am asking even make sense?

not sure it does, as I said, you are probably better off
if you run the kernel nfsd on the host system not inside
a guest ...

> Is there an effort to try and get an nfs-kernel server to
> work within a vserver already ongoing somewhere?

not that I know of ...

HTH,
Herbert

> -Martin
>
>
> Note: This is being asked from a hacking standpoint,
> so warnings about it being a bad thing are welcomed as
> long as they are accompanied by "but this is how you
> could do it". Please do not just tell me that it
> would be a bad idea.
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver