From: Luís Miguel Silva (lms_at_ispgaya.pt)
Date: Wed 07 Jan 2004 - 07:19:54 GMT
I forgot to mention that this is happening on ALL my vservers since I
upgraded to kernel 2.4.24-vs1.22!
Best,
+-------------------------------------------
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: lms_at_ispgaya.pt
| H: http://lms.ispgaya.pt/
+-------------------------------------------
-----Original Message-----
From: vserver-admin_at_list.linux-vserver.org
[mailto:vserver-admin_at_list.linux-vserver.org] On Behalf Of Luís Miguel Silva
Sent: Wednesday, 7 January 2004 7:14
To: 'Herbert Poetzl'
Cc: vserver_at_list.linux-vserver.org
Subject: RE: [Vserver] Problem with kernel 2.4.24 + vs1.22
Hello Herbert (and all others),
Here are my configurations and tools versions:
root_at_leonardo-root /usr/src/installs/new-vserver# ls
patch-vserver-0.29-fix01.diff util-vserver-0.26/ util-vserver-0.26.tar.bz2
vserver-0.29/ vserver-0.29.src.tar.gz
root_at_leonardo-root /usr/src/installs/new-vserver# cat /etc/vservers.conf
# Configuration file for the vservers service
# BACKGROUND=yes
# start the vservers on tty9, in background so the rest of the
# boot process end early
BACKGROUND=no
# This variable controls where the vservers are stored.
# This file is sourced by the various vservers configuration files
# in /etc/vservers. Each vserver may redefine the value so it points
# elsewhere. So vservers may be located in various places on the system.
# To make it simple, when you want to learn what is the vserver root
# source one vserver configuration and you will learn what is the
# actual vserver root for this vserver
VSERVERS_ROOT=/vservers
# When starting or entering a vserver, its /etc/mtab is generated on
# the fly so it matches the various volumes mounted inside the vserver
GENERATEMTAB=yes
root_at_leonardo-root /usr/src/installs/new-vserver# cat /etc/vservers/srmi.conf
# Description: sapienflex-rmi
# Select an unused context (this is optional)
# The default is to allocate a free context on the fly
# In general you don't need to force a context
#S_CONTEXT=
# Select the IP number assigned to the virtual server
# This IP must be one IP of the server, either an interface
# or an IP alias
IPROOT=192.168.3.86
# You can define on which device the IP alias will be done
# The IP alias will be set when the server is started and unset
# when the server is stopped
# The netmask and broadcast are computed by default from IPROOTDEV
#IPROOTMASK=
#IPROOTBCAST=
IPROOTDEV=eth0
# Uncomment the onboot line if you want to enable this
# virtual server at boot time
ONBOOT=yes
# You can set a different host name for the vserver
# If empty, the host name of the main server is used
S_HOSTNAME=sapienflex-rmi.server.pt
# You can set a different NIS domain for the vserver
# If empty, the current on is kept
# Set it to "none" to have no NIS domain set
S_DOMAINNAME=
# You can set the priority level (nice) of all process in the vserver
# Even root won't be able to raise it
S_NICE=
# You can set various flags for the new security context
# lock: Prevent the vserver from setting new security context
# sched: Merge scheduler priority of all processes in the vserver
# so that it acts a like a single one.
# nproc: Limit the number of processes in the vserver according to ulimit
# (instead of a per user limit, this becomes a per vserver limit)
# private: No other process can join this security context. Even root
# Do not forget the quotes around the flags
S_FLAGS="lock nproc"
# You can set various ulimit flags and they will be inherited by the
# vserver. You enter here various command line argument of ulimit
# ULIMIT="-HS -u 200"
# The example above, combined with the nproc S_FLAGS will limit the
# vserver to a maximum of 200 processes
ULIMIT="-HS -u 500"
# You can set various capabilities. By default, the vserver are run
# with a limited set, so you can let root run in a vserver and not
# worry about it. He can\'t take over the machine. In some cases
# you can to give a little more capabilities \(such as CAP_NET_RAW\)
#S_CAPS="CAP_NET_RAW"
S_CAPS=""
root_at_leonardo-root /usr/src/installs/new-vserver# ls /var/run/vservers/ -l
total 28
-rw-r--r-- 1 root root 27 Jan 6 21:57 ciisp.ctx
-rw-r--r-- 1 root root 27 Jan 6 21:57 lsmb-nss.ctx
-rw-r--r-- 1 root root 27 Jan 6 21:57 ns2.ctx
-rw-r--r-- 1 root root 27 Jan 6 21:57 shares.ctx
-rw-r--r-- 1 root root 27 Jan 6 21:58 srmi.ctx
-rw-r--r-- 1 root root 27 Jan 6 21:58 sweb.ctx
-rw-r--r-- 1 root root 27 Jan 6 21:58 www.ctx
root_at_leonardo-root /usr/src/installs/new-vserver# ls -ld /var/run/vservers
drwx------ 2 root root 4096 Jan 6 21:58 /var/run/vservers/
root_at_leonardo-root /usr/src/installs/new-vserver#
To sum it all up:
a) I didn’t change any configuration from version 2.4.23-vs1.00 to
2.4.24-vs1.22
b) I changed the /etc/vservers.conf because it couldn’t find my /vservers dir
c) I'm using the versions of the tools you recommend on your site
Do you need any extra information I can provide? :o)
Thanks,
-----Original Message-----
From: Herbert Poetzl [mailto:herbert_at_13thfloor.at]
Sent: Wednesday, 7 January 2004 0:02
To: Luís Miguel Silva
Cc: vserver_at_list.linux-vserver.org
Subject: Re: [Vserver] Problem with kernel 2.4.24 + vs1.22
On Tue, Jan 06, 2004 at 09:41:14PM -0000, Luís Miguel Silva wrote:
> Hello all,
>
> Today I updated my servers kernel to 2.4.24-vs1.22 and I'm having some
> trouble when I try to stop the vserver.
could you provide the type and version of your tools
and the config for that vserver, please?
TIA,
Herbert
> root_at_leonardo-root /usr/src/installs/new-vserver# vserver srmi stop
> Stopping the virtual server srmi
> Server srmi is running
> ipv4root is now 192.168.3.86
> Can't set the new security context
> : Invalid argument
> sleeping 5 seconds
> Killing all processes
> chcontext version 0.29
> chcontext [ options ] command arguments ...
> chcontext allocate a new security context and executes
> a command in that context.
> By default, a new/unused context is allocated
> --cap CAP_NAME
> Add a capability from the command. This option may be
> repeated several time.
> See /usr/include/linux/capability.h
> In general, this option is used with the --secure option
> --secure removes most critical capabilities and --cap
> adds specific ones.
> --cap !CAP_NAME
> Remove a capability from the command. This option may be
> repeated several time.
> See /usr/include/linux/capability.h
> --ctx num
> Select the context. On root in context 0 is allowed to
> select a specific context.
> Context number 1 is special. It can see all processes
> in any contexts, but can't kill them though.
> Option --ctx may be repeated several times to specify up to 16
> contexts.
> --disconnect
> Start the command in background and make the process
> a child of process 1.
> --domainname new_domainname
> Set the domainname (NIS) in the new security context.
> Use "none" to unset the domain name.
> --flag
> Set one flag in the new or current security context. The following
> flags are supported. The option may be used several time.
>
> fakeinit: The new process will believe it is process number 1.
> Useful to run a real /sbin/init in a vserver.
> lock: The new process is trapped and can't use chcontext anymore.
> sched: The new process and its children will share a common
> execution priority.
> nproc: Limit the number of process in the vserver according to
> ulimit setting. Normally, ulimit is a per user thing.
> With this flag, it becomes a per vserver thing.
> private: No one can join this security context once created.
> ulimit: Apply the current ulimit to the whole context
> --hostname new_hostname
> Set the hostname in the new security context
> This is need because if you create a less privileged
> security context, it may be unable to change its hostname
> --secure
> Remove all the capabilities to make a virtual server trustable
> --silent
> Do not print the allocated context number.
>
> Information about context is found in /proc/self/status
> root_at_leonardo-root /usr/src/installs/new-vserver# uname -a
> Linux leonardo-root.ispgaya.pt 2.4.24-vs1.22 #1 SMP Tue Jan 6 09:52:07 WET 2004 i686 unknown unknown GNU/Linux
> root_at_leonardo-root /usr/src/installs/new-vserver#
>
>
> Is this the problem with vkill you mention on your site (Herbert)?
>
> Best,
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
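
Added example, not part of the original thread or of the vserver tools: the per-vserver .conf files shown above are shell fragments that the scripts source, so this sketch reads the isolation-related settings (S_FLAGS, ULIMIT, S_CAPS) with sed instead of sourcing them and prints the ones worth reviewing. The function names, the wording of the findings and the weak.conf sample are assumptions made for illustration.

```shell
# Print the value of the last active KEY=... line, quotes stripped.
# Commented-out lines such as #S_CAPS="CAP_NET_RAW" are ignored.
vconf_get() {  # usage: vconf_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# True if WORD is one of the space-separated words in LIST.
has_word() {  # usage: has_word WORD LIST
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Print one finding per line; empty output means nothing was flagged.
vconf_audit() {  # usage: vconf_audit FILE
    flags=$(vconf_get "$1" S_FLAGS)
    caps=$(vconf_get "$1" S_CAPS)
    ulim=$(vconf_get "$1" ULIMIT)
    has_word lock "$flags" ||
        echo "S_FLAGS lacks 'lock': vserver may set a new security context"
    if has_word nproc "$flags"; then
        case " $ulim " in
            *" -u "*) ;;
            *) echo "nproc set but ULIMIT has no -u value" ;;
        esac
    else
        echo "S_FLAGS lacks 'nproc': process limit stays per user"
    fi
    [ -z "$caps" ] || echo "S_CAPS grants extra capabilities: $caps"
}

# Constructed samples: srmi.conf mirrors the values posted in the thread,
# weak.conf is a made-up weaker variant for contrast.
write_samples() {  # usage: write_samples DIR
    cat > "$1/srmi.conf" <<'EOF'
S_FLAGS="lock nproc"
ULIMIT="-HS -u 500"
#S_CAPS="CAP_NET_RAW"
S_CAPS=""
EOF
    cat > "$1/weak.conf" <<'EOF'
S_FLAGS="nproc"
#ULIMIT="-HS -u 200"
S_CAPS="CAP_NET_RAW"
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for f in "$dir"/*.conf; do echo "== ${f##*/}"; vconf_audit "$f"; done
```

The settings posted in the thread produce no findings; the constructed weak.conf produces three.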