
From: Adam H. Pendleton (fmonkey_at_fmonkey.net)
Date: Mon 16 Dec 2002 - 19:36:49 GMT


This is a RedHat 7.3 box, using the most recent RedHat kernel,
2.4.18-18.7.x, modified with the vserver patches from the "~shadow" link in
the FAQ.

ahp

At 12:35 12/16/2002, you wrote:
>Adam, which version of the kernel are you using? This is a big deal if a
>user in the vserver can knock the whole box offline... especially for
>those of us with less-trusted users playing with root in the vserver.
>
>Thanks!
>
>On Mon, 16 Dec 2002, Adam H. Pendleton wrote:
>
> > At 10:44 12/16/2002, you wrote:
> > >On Mon, 16 Dec 2002, Adam H. Pendleton wrote:
> > > > The `vserver <name> build` operation worked great, with one problem
> [..]
> > > >
> > > > A `vserver <name> stop` operation runs [..] `/etc/init.d/network stop`,
> > > > which kills all network connectivity to the box!!
> > >
> > >This should fail in a vserver (or have you given the vserver more
> > >capabilities like CAP_NET_ADMIN to allow it access to the kernel
> > >networking interfaces that are otherwise denied)?
> >
> > No additional capabilities were given to the vserver, at least not by my
> > hand. :) The /etc/init.d/network script calls /sbin/ifdown to stop
> > interfaces. The interface is passed the name of the device (e.g. eth0),
> > not an IP, so when executing `vserver <name> stop` the RedHat init lines go
> > by, until I see
> >
> > blah blah blah [OK]
> > Stopping interface eth0...
> >
> > and then it's off-line.
> >
> >
> > > > I assume the only way to prevent this is to delete/modify /etc/init.d/
> > >
> > >Best to delete them (or rather the runlevel sysvinit symlinks to them).
> > >My Debian install script currently does `update-rc.d foo remove' on:
> > >
> > > klogd hwclock.sh setserial urandom networking umountfs halt reboot
> > >
> > >(Anything related to hardware or kernel management which is going to fail
> > >anyway just sitting there and timing out).
> >
> > I will be sure to delete them, but not because they're timing out. :)
> >
> >
> > > -Paul
> > >--
> > >Nottingham, GB
> >
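One way to audit a vserver's runlevel links for the host-affecting services Paul lists above, as an added shell example that is not code from this thread or from the vserver project. It assumes a Debian-style `/etc/rcN.d` or RedHat-style `/etc/rc.d/rcN.d` layout under the vserver root passed as its argument, and adds the RedHat script name `network` alongside Debian's `networking`.

```shell
#!/bin/sh
# Added example: find (and optionally remove) sysvinit runlevel symlinks inside
# a vserver root that point at init scripts which manage host hardware, kernel
# or network state. Running those from inside the vserver either fails or, as
# with /etc/init.d/network stop, takes down the host's interfaces.

# Services from Paul's `update-rc.d foo remove` list, plus RedHat's `network`.
HOST_ONLY_SERVICES="klogd hwclock.sh setserial urandom networking network umountfs halt reboot"

# vs_find_host_links ROOT
# Print every S??/K?? symlink under ROOT's rcN.d directories whose target is a
# host-only service. Returns 0 if at least one was found, 1 otherwise.
vs_find_host_links() {
    root=$1
    found=1
    # Assumption: RedHat keeps the real dirs under etc/rc.d (etc/rcN.d are
    # symlinks to them), Debian keeps them directly under etc. Scan one layout
    # so each link is reported once.
    if [ -d "$root/etc/rc.d" ]; then base="$root/etc/rc.d"; else base="$root/etc"; fi
    for rcdir in "$base"/rc[0-9S].d; do
        [ -d "$rcdir" ] || continue
        for link in "$rcdir"/[SK][0-9][0-9]*; do
            [ -L "$link" ] || continue
            name=${link##*/}            # e.g. S10network
            name=${name#[SK][0-9][0-9]} # -> network
            for svc in $HOST_ONLY_SERVICES; do
                if [ "$name" = "$svc" ]; then
                    echo "$link"
                    found=0
                fi
            done
        done
    done
    return $found
}

# vs_remove_host_links ROOT
# Remove the links reported by vs_find_host_links (the symlinks only, never the
# scripts in init.d) and print how many were removed.
vs_remove_host_links() {
    n=0
    for link in $(vs_find_host_links "$1"); do
        rm -f "$link" && n=$((n + 1))
    done
    echo "$n"
}
```

Run `vs_find_host_links /vservers/<name>` first to review what would go, then `vs_remove_host_links` once you are happy with the list.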




Generated on Mon 16 Dec 2002 - 19:59:45 GMT by hypermail 2.1.3