
From: Gaz Wilson (dragon_at_dragons.org.uk)
Date: Wed 04 May 2005 - 16:30:55 BST


Self-followup - sorry!

I have sorted grsec with vservers and so far everything is working nicely
now :)

Fingers x'd :)

Thanks for everyone's help to date.

gary

On Wed, 4 May 2005, Gaz Wilson wrote:

>
>
> Hi again!
>
> I discovered earlier that yes indeed, if you configure the host up with the
> relevant binfmt stuff, the vservers adopt those settings, so all is well and
> good.
>
> I am having trouble with grsec though - I have set it for medium security, and
> yet the vserver refuses to start complaining that the capabilities don't
> exist - yet I checked the kernel and the default capabilities are set
> (monolithically, not as a module) - just checking all kernel options and
> recompiling, in case there's some difference between my working kernel
> with grsec disabled and this one...
>
> In the meantime, if anyone has used grsec along with vservers, I'd be
> interested to hear any stories about making it work!!!
>
> Thanks all!
>
> Gary Wilson
>
>
> On Wed, 4 May 2005, Herbert Poetzl wrote:
>
> > On Wed, May 04, 2005 at 10:01:49AM +0100, Gaz Wilson wrote:
> > >
> > > Hi - sorry for asking again - Normally I like to research such things
> > > properly, but time is not on my side for this project, so I come in
> > > hope of a quick solution.
> > >
> > > I need to install binfmt support within a vserver, however proc is
> > > secured in such a way as it cannot install properly:
> > >
> > > Setting up binfmt-support (1.2.3) ...
> > > mount: permission denied
> > > update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
> > > /proc/sys/fs/binfmt_misc.
> > > Enabling additional executable binary formats: mount: permission denied
> > > update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
> > > /proc/sys/fs/binfmt_misc.
> > > binfmt-support.
> >
> > binfmt or more precisely misc binary format support
> > is not available inside vserver, because it needs userspace
> > helpers which have to 'run' in the proper context, and
> > that has just not been done yet ... you can use it on the
> > host though ... and it might reach/map into vservers
> > (not tested)
> >
> > best,
> > Herbert
> >
> > > Is there a (good) way to allow this to happen without removing proc security
> > > entirely? I didn't see anything in the docs I have skimmed through...
> > >
> > > thanks and apologies for asking without doing much research first.
> > >
> > > --
> > > / Gary Wilson, aka dragon/dragonlord/dragonv480 \
> > > .'(_.------. e: dragon_at_northernscum.org.uk MSN: dragonv480 .------._)`.
> > > < _ | Skype:dragonv480 ICQ:342070475 AIM:dragonv480 | _ >
> > > `.( `------' w: http://volvo480.northernscum.org.uk `------' ).'
> > > \ w: http://www.northernscum.org.uk /
> > > _______________________________________________
> > > Vserver mailing list
> > > Vserver_at_list.linux-vserver.org
> > > http://list.linux-vserver.org/mailman/listinfo/vserver
> >
>
>

-- 
   /           Gary Wilson, aka dragon/dragonlord/dragonv480            \
 .'(_.------.  e: dragon_at_northernscum.org.uk MSN: dragonv480   .------._)`.
<   _       |  Skype:dragonv480 ICQ:342070475 AIM:dragonv480   |       _   >
 `.( `------'     w: http://volvo480.northernscum.org.uk       `------' ).'
   \                w: http://www.northernscum.org.uk                   /
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Generated on Wed 04 May 2005 - 16:31:16 BST by hypermail 2.1.3