From: Henrik Heil (hhml_at_zweipol.net)
Date: Mon 19 Jul 2004 - 11:05:43 BST
>>+ $EXEC $NICECMD $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
>>- $NICECMD $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST \
>> $CHCONTEXT_CMD $SILENT $DISCONNECT $CAPS $FLAGS $CTXOPT
>>$HOSTOPT $DOMAINOPT --secure \
>> $SAVE_S_CONTEXT_CMD /var/run/vservers/$1.ctx \
>> $CAPCHROOT_CMD $CHROOTOPT . $STARTCMD
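Review bot: on the added line, `$EXEC` is expanded unquoted in front of `$NICECMD`, and nothing in this hunk shows where it is set or what it defaults to. If it is meant to hold `exec` only when the vserver is started under a supervisor, default it to empty so the existing start path is unchanged, and add a comment saying that when it is set the shell is replaced by this command chain and nothing after it in the script will run.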
>>
>>I am quite new to vserver and would like to ask you if you see a
>>security problem with this concept.
>
>
> hmm, except for the connection between the processes
> in and outside no ...
o.k. -- thanks.
As far as I know the process in the vserver cannot trick runsv to do
something bad.
>>For illustration -- my vpstree output looks like this:
>>
>>|-runsvdir(207)---runsv(211)-+-runit(466)-- ...
>>| |
>>| `-svlogd(215)
>>
>>where the runit(466) is the init of the vserver and runs in a vserver
>>context while runsv(211) runs in context 0 and sends the signals with
>>vc_ctx_kill to 466.
>>
>>Any comments are appreciated.
>
> I do not see a point (yet) in doing that, so what
> is the idea behind this 'solution'?
I have some normal services converted to supervised processes which I
admit is just my personal preference -- I would like to treat the
vservers alike.
> if it is knowing when a vserver exits (is destroyed)
> you can get this info via the vshelper, if it is
> automatically restarting a 'rebooting' vserver, then
> this should be already done by the scripts ...
I didn't look into vshelper yet because I only used the stable vserver +
utils branch -- I think there is no equivalent to vshelper -- is there?
I know that rebootmgr restarts a rebooting or dying vserver. It's just
that if there is no security or other downside to it I would prefer a
process-supervision scheme.
> please elaborate on your requirements ...
Just to be consistent with my other services.
I can use runsvstat for status/uptime, runsvctl for start/stop etc...
I know this is a 'special' requirement -- so I didn't mean to propose a
patch for inclusion (on the other hand -- if it doesn't hurt anyone).
Best regards,
Henrik
--
Henrik Heil, zweipol Coy & Heil GbR
http://www.zweipol.net/