From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 18 Mar 2004 - 16:09:01 GMT
On Thu, Mar 18, 2004 at 03:16:25PM +0100, Thomas Guettler wrote:
> Hi,
Hi Thomas!
First, let me say that I appreciate your constructive
criticism, and the new-user testing (please don't get me
wrong here) is the perfect way to improve in this regard.
> I have troubles with the default capabilities of chcontext.
>
> varchiv is virtual, here CAP_SYS_CHROOT is enabled:
>
> varchiv:~ # grep s_context /proc/self/status
> s_context: 49176
> varchiv:~ # reducecap --show | grep -i chroot
> CAP_SYS_CHROOT X X
>
> If I start a new context, I have CAP_SYS_CHROOT:
>
> edison:~ # /usr/local/sbin/chcontext --flag lock --flag nproc --flag sched\
> bash
> New security context is 49184
> edison:~ # reducecap --show | grep -i chroot
> CAP_SYS_CHROOT X X
>
> If I want to change to varchiv, I don't have CAP_SYS_CHROOT:
>
> edison:~ # /usr/local/sbin/chcontext --flag lock --flag nproc --flag sched \
> --ctx 49176 bash
> New security context is 49176
> varchiv:~ # reducecap --show | grep -i chroot
> CAP_SYS_CHROOT
>
> Why does chcontext behave different if I give the --ctx option?
/ # chcontext grep Cap /proc/self/status
New security context is 49152
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
/ # chcontext --ctx 100 grep Cap /proc/self/status
New security context is 100
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
/ # chcontext --secure grep Cap /proc/self/status
New security context is 49153
CapInh: 0000000000000000
CapPrm: 00000000d40c04ff
CapEff: 00000000d40c04ff
/ # chcontext --secure --ctx 100 grep Cap /proc/self/status
New security context is 100
CapInh: 0000000000000000
CapPrm: 00000000d40c04ff
CapEff: 00000000d40c04ff
So with and without dynamic contexts, chcontext
behaves the same here (btw, this is 0.09.22/2.6.4).
> ~~~~~~~~~~~~~~
>
> Wishlist:
>
> - Introduction at http://dns.solucorp.qc.ca/miscprj/s_context.hc
> has some old parts.
> - newvserver does not exist (I think you use "vserver foo build" now)
> - Part "The packages":
> Difference between /usr/lib/vserver/vdu and /usr/sbin/vdu
> (I think they are the same)
>
> - Is there a tool which displays the context of all processes.
> vps, vtop don't. (At least I found no way to do this)
>
> - Do you use "vserver foo start" or do you have own scripts?
> I have problems with these script, and think most people who use
> vserver daily have their own scripts. Is this true?
> (The problem at the top is one if it. I just reduced it to the commands
> "vserver foo enter" does execute)
>
> - Would be nice to get a better error message if a context
> does not exist:
> chcontext --ctx 99999 bash
> Can't set the new security context
> : Invalid argument
Context ids range from 2-49151 for static contexts and
from 49152-65534 for dynamic ones (currently); specifying
context 99999 is clearly an 'invalid argument' ;)
> - "vserver foo start" overwrites the file in /var/run/vserver.
> It would be good if this could check if the server is already
> running.
> - "vserver exec bash"
> Host name is now varchiv
> > echo $HOST --> old name
> > hostname --> new name
> Would be nice if $HOST would get updated, too.
>
> - utils: Would be nice to have a debug option
> which displays the commands which get executed.
> I changed it myself for debugging.
patches are always welcome ...
> I know my wishlist is long. Maybe I have some
> time to send patches.
thanks for testing/using linux-vserver
best,
Herbert
> Regards,
> Thomas
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
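The CapInh/CapPrm/CapEff lines Herbert pasted are hex bitmasks, one bit per capability, so "do I still have CAP_SYS_CHROOT?" is a question about bit 18 of CapEff rather than about what a wrapper tool prints. The following decoder is an added example, not code from the thread or from the linux-vserver project: it parses the Cap* lines of a /proc/<pid>/status dump, names each set bit, and diffs two masks so you can see exactly which capabilities `chcontext --secure` removed. The bit-to-name table assumes the capability numbering of a 2.6.4-era include/linux/capability.h (bits 0-28 defined; later kernels add more, which the decoder reports as unnamed bits). The two sample status fragments are copied from the output in the thread above; the `read_self_caps()` helper is only there for running it live on a Linux box.

```python
import re

# Capability bit numbers as defined in the 2.6.4-era kernel this thread is
# about (assumption: bits 0-28; CAP_AUDIT_*, CAP_SETFCAP etc. came later).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE",
}
CAP_BITS = {name: bit for bit, name in CAP_NAMES.items()}

# Sample input: the two /proc/self/status fragments posted in the thread
# (plain "chcontext" vs. "chcontext --secure" on 0.09.22/2.6.4).
PLAIN_STATUS = """CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
"""
SECURE_STATUS = """CapInh: 0000000000000000
CapPrm: 00000000d40c04ff
CapEff: 00000000d40c04ff
"""

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_lines(status_text):
    """Return {"CapInh": int, "CapPrm": int, "CapEff": int, ...} parsed from
    the text of /proc/<pid>/status; lines that are not Cap* are ignored."""
    caps = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def cap_name(bit):
    """Name for a capability bit, or a marker for bits this table lacks."""
    return CAP_NAMES.get(bit, "bit %d (undefined in this kernel version)" % bit)


def decode_mask(mask):
    """Names of all capabilities whose bit is set, lowest bit first."""
    return [cap_name(b) for b in range(mask.bit_length()) if (mask >> b) & 1]


def has_cap(mask, name):
    """True if the named capability's bit is set in mask."""
    return bool((mask >> CAP_BITS[name]) & 1)


def diff_masks(before, after):
    """Return (dropped, gained): capabilities cleared / newly set going
    from `before` to `after`."""
    return decode_mask(before & ~after), decode_mask(after & ~before)


def secure_drops():
    """Which capabilities --secure removed, per the thread's sample output."""
    plain = parse_cap_lines(PLAIN_STATUS)["CapEff"]
    secure = parse_cap_lines(SECURE_STATUS)["CapEff"]
    dropped, _gained = diff_masks(plain, secure)
    return dropped


def read_self_caps(path="/proc/self/status"):
    """Live check on a Linux host; returns {} where /proc is unavailable."""
    try:
        with open(path) as f:
            return parse_cap_lines(f.read())
    except OSError:
        return {}


if __name__ == "__main__":
    for label, text in (("plain", PLAIN_STATUS), ("--secure", SECURE_STATUS)):
        eff = parse_cap_lines(text)["CapEff"]
        print("%-8s CapEff=%08x CAP_SYS_CHROOT=%s" % (label, eff, has_cap(eff, "CAP_SYS_CHROOT")))
    print("dropped by --secure:", ", ".join(secure_drops()))
    live = read_self_caps()
    if live:
        print("this process:", ", ".join(decode_mask(live["CapEff"])) or "(none)")
```

Running it on the thread's numbers shows that both 0xfffffeff and 0xd40c04ff have bit 18 set, i.e. CAP_SYS_CHROOT survives `--secure`, while `--secure` strips the dangerous set (CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_NET_ADMIN, CAP_NET_RAW, CAP_MKNOD and others). Checking the mask directly is a more reliable way to verify a context's capabilities than reading a tool's column display, which is the kind of discrepancy Thomas's `reducecap --show` output illustrates.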