From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sat 06 Mar 2004 - 04:17:57 GMT
On Sat, Mar 06, 2004 at 03:44:01AM +0100, Bjoern Steinbrink wrote:
> On Sat, 2004-03-06 at 03:19, Kern Wolfgang wrote:
> > Hello folks,
> >
> > Today I have updated one of our development servers to kernel 2.4.25
> > and vs-1.26 with Enrico's util-vserver-0.29 and have some problems.
> >
> > After we build up a v-child all works fine, if I would like to start
> > one of the new build up v-childs it tells me only this:
> >
> > developmuc01:/# vserver vm1 start
> > Starting the virtual server vm1
> > Server vm1 is not running
> > ipv4root is now 192.168.1.31
> > Host name is now vm1
> > New security context is 49159
> > developmuc01:/#

this means, that for whatever reason no runlevel
scripts were executed, maybe none are selected,
maybe the config is just wrong ...

> > developmuc01:/# vserver-stat
> >
> > CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME
> > DESCRIPTION
> >
> > 0 34 802MB 15kB 4m32.51 1m22.41 8h26m11 root server
> >
> IIRC vserver-stat works by looking at the processes and in what context
> they are running, so when no processes are started in a context,
> vserver-stat won't show that context

correct, no daemons started inside the vserver, so
no vserver context information will be shown ...

> > It seems like no vm1 v-child is running. But I can enter and ping this
> > v-child without problems.
> You can always enter a vServer, upon entering you basically just get a
> bash in the context of the vServer, no matter if it is running or not.
> The vServer is pingable, as the script brings up the interface (or just
> adds an address to an existing interface, don't know what's true for
> 0.29) upon starting the vServer. Normally that interface is brought down
> when stopping the vServer but as the vServer does not start any process,
> the script thinks it is already stopped. (To Enrico: Is there anything I
> don't know that fixes this case?)
> > So we need the output from "vserver-stat" for our PBVSC (PHP Based
> > vServer Control). If I would like to stop this v-child it tells me:
> >
> > developmuc01:/# vserver vm1 stop
> > Stopping the virtual server vm1
> > Server vm1 is not running

which is true, as there are no processes ...

> > But it's still pingable and I can enter it... oh one thing, why only
> > root can ping? ;)
> >
> > developmuc01:/# vserver vm1 enter
> > ipv4root is now 192.168.1.31
> > Host name is now vm1
> > New security context is 49159
> > root_at_vm1:/# ping 192.168.1.1
> > ping: ping must run as root
> >
> The vServer 'lacks' the CAP_NET_RAW capability, actually this is a good
> thing. You won't need this cap and it is a security leak as it allows
> sniffing on the network interface. IIRC there was hping2 or something
> that you can use instead of ping.

comment: ping is evil, in that way, that it builds
the icmp packets itself, which requires a raw socket
which in turn requires CAP_NET_RAW, which makes the
vserver somewhat insecure ...

> Björn
HTH,
Herbert
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
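
Added example, not part of the original e-mail thread: a small Python check for the situation discussed above, where a process runs as uid 0 but ping still reports "must run as root" because CAP_NET_RAW is missing from its effective capability set. It parses the CapEff line of /proc/<pid>/status; the two sample status texts and their masks are constructed for illustration and are not the actual vserver defaults.

```python
import re

# Bit numbers from <linux/capability.h>; only the network-related ones are listed.
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_BROADCAST": 11,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,  # required to open raw sockets, which classic ping uses
}

def effective_caps(status_text):
    """Return the CapEff mask as an int from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def uid_is_root(status_text):
    """True if the effective UID (second field of the Uid: line) is 0."""
    m = re.search(r"^Uid:\s*\d+\s+(\d+)", status_text, re.MULTILINE)
    return m is not None and m.group(1) == "0"

def net_caps(status_text):
    """Map each network capability name to whether it is in the effective set."""
    mask = effective_caps(status_text)
    return {name: bool((mask >> bit) & 1) for name, bit in CAP_BITS.items()}

def explain_ping(status_text):
    """Classify why a raw-socket ping would or would not work for this process."""
    if net_caps(status_text)["CAP_NET_RAW"]:
        return "raw sockets allowed"
    if uid_is_root(status_text):
        return "uid 0 but CAP_NET_RAW dropped: ping fails, sniffing blocked"
    return "unprivileged: no CAP_NET_RAW"

# Constructed samples (not taken from the thread, not real vserver defaults).
HOST_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\tfffffeff\n"
GUEST_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\tffffdeff\n"  # bit 13 cleared

if __name__ == "__main__":
    for label, text in (("host", HOST_ROOT), ("guest", GUEST_ROOT)):
        print(label, explain_ping(text))
    with open("/proc/self/status") as fh:  # live check on a Linux system
        print("self", explain_ping(fh.read()))
```

Run inside a guest context, the last line shows the same distinction for the current shell: root by UID, yet unable to open a raw socket.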