Hello,
Just upgraded to the latest development util-vserver release.
However, when I try to vattribute, I am getting exactly the same
behaviour. sshd is again not accepting connections. When I try to
temporarily fix the problem with --bcap -1, there is no update.
/usr/local/sbin/vserver-info
Versions:
Kernel: 2.6.14.4-vs2.1.0nevir
VS-API: 0x00020001
util-vserver: 0.30.210; Apr 30 2006, 20:31:56
Features:
CC: gcc, gcc (GCC) 4.0.3 (Debian 4.0.3-1)
CXX: g++, g++ (GCC) 4.0.3 (Debian 4.0.3-1)
CPPFLAGS: ''
CFLAGS: '-g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
build/host: i686-pc-linux-gnu/i686-pc-linux-gnu
Use dietlibc: yes
Build C++ programs: yes
Build C99 programs: yes
Available APIs: v13,net
ext2fs Source: e2fsprogs
syscall(2) invocation: alternative
vserver(2) syscall#: 273/glibc
Paths:
prefix: /usr/local
sysconf-Directory: /etc
cfg-Directory: /etc/vservers
initrd-Directory: $(sysconfdir)/init.d
pkgstate-Directory: /var/run/vservers
vserver-Rootdir: /var/lib/vservers
Assumed 'SYSINFO' as no other option given; try '--help' for more information.
Another point that I noticed is that the df command is no longer
listing the /dev/hdv device. The output is something like:
df -ha
Filesystem Size Used Avail Use% Mounted on
proc 0 0 0 - /proc
devpts 0 0 0 - /dev/pts
What could be causing this?
Regards,
-nik
On Sun, 2006-04-30 at 17:03 +0200, Herbert Poetzl wrote:
> On Sun, Apr 30, 2006 at 02:53:20PM +0300, Nikolay Kichukov wrote:
> > Hello Herbert,
> > I see now. So traceroute cannot be used within a guest environment. I
> > will try tracepath instead.
> >
> > One more thing I'd like to comment on is that, every time I issue:
> >
> > vattribute --set --xid <id> --ccap raw_icmp
> >
> > on the host, I am getting the following error on the guest when I try
> > to ssh to it:
> >
> > fatal: chroot("/var/run/sshd"): Operation not permitted
> >
> > The only way I go around that is to reboot the guest.
> >
> > What am I doing wrong when I am setting the --ccap ? Do I reset some
> > default ccaps or bcaps ? I only have the ccapabilities file and it only
> > contains raw_icmp. So is the default startup of a vserver initializing
> > some extra flags/capabilities that are not necessarily predefined
> > within flags/ccapabilities/bcapabilities?
>
> there was a tool bug regarding vattribute, where
> you had to specify the bcaps when you want to change
> the ccaps, so you might try the following instead
>
> vattribute --set --xid <id> --bcaps -1 --ccap raw_icmp
>
> or update to a more recent version
>
> HTH,
> Herbert
>
> > Regards,
> > -Nikolay Kichukov
> >
> >
> > On Sat, 2006-04-29 at 19:28 +0200, Herbert Poetzl wrote:
> > > On Fri, Apr 28, 2006 at 10:47:25PM +0300, Nikolay Kichukov wrote:
> > > > Hello Herbert,
> > > > Sorry for the long delay in replying again.
> > > >
> > > > Here is some further info about the traceroute tool I am
> > > > using on the GUEST:
> > >
> > > ah, obviously confused that because I do not use
> > > traceroute myself, just verified that traceroute
> > > tries to open an unlimited raw socket:
> > >
> > > socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 6
> > > socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)
> > >
> > > which of course is not permitted inside a guest,
> > > as it would allow to sniff and spoof arbitrary
> > > traffic on a guest ...
> > >
> > > OTOH, the following works quite fine:
> > >
> > > # tracepath 10.0.0.1
> > > 1: xxxx.test.org (192.168.0.2) 9.773ms pmtu 1500
> > > 1: 10.0.0.1 (10.0.0.1) 5.306ms reached
> > > Resume: pmtu 1500 hops 1 back 1
> > >
> > > HTH,
> > > Herbert
> > >
> > > > root@vn:/usr/bin# dpkg --status traceroute
> > > > Package: traceroute
> > > > Status: install ok installed
> > > > Priority: important
> > > > Section: net
> > > > Installed-Size: 60
> > > > Maintainer: Graham Wilson <graham@debian.org>
> > > > Architecture: i386
> > > > Version: 1.4a12-20
> > > > Replaces: netstd
> > > > Depends: libc6 (>= 2.3.5-1)
> > > > Conflicts: suidmanager (<< 0.50)
> > > > Description: traces the route taken by packets over a TCP/IP network
> > > > > The traceroute utility displays the route used by IP packets on their way to a
> > > > > specified network (or Internet) host. Traceroute displays the IP number and
> > > > > host name (if possible) of the machines along the route taken by the packets.
> > > > Traceroute is used as a network debugging tool. If you're having network
> > > > connectivity problems, traceroute will show you where the trouble is coming
> > > > from along the route.
> > > > .
> > > > Install traceroute if you need a tool for diagnosing network connectivity
> > > > problems.
> > > > root@vn:/usr/bin#
> > > >
> > > >
> > > > > root@vn:/usr/bin# ls -alh traceroute
> > > > > lrwxrwxrwx 1 root root 28 Mar 17 00:38 traceroute -> /etc/alternatives/traceroute
> > > > >
> > > > >
> > > > > root@vn:/usr/bin# ls -alh /etc/alternatives/traceroute
> > > > > lrwxrwxrwx 1 root root 23 Mar 17 00:38 /etc/alternatives/traceroute -> /usr/bin/traceroute.lbl
> > > >
> > > >
> > > > root@vn:/usr/bin# ls -alh traceroute.lbl
> > > > -rwsr-xr-x 1 root root 18K Aug 30 2005 traceroute.lbl
> > > >
> > > >
> > > > and again that same error message:
> > > >
> > > > root@vn:/usr/bin# traceroute linux-vserver.org
> > > > traceroute: raw socket: Operation not permitted
> > > >
> > > >
> > > > I do have the raw_icmp ccapability enabled.
> > > >
> > > >
> > > > Further information:
> > > >
> > > > root@nevir:~# vserver-info
> > > > Versions:
> > > > Kernel: 2.6.14.4-vs2.1.0nevir
> > > > VS-API: 0x00020001
> > > > util-vserver: 0.30.209; Jan 8 2006, 12:24:41
> > > >
> > > > Features:
> > > > > CC: gcc, gcc (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
> > > > > CXX: g++, g++ (GCC) 4.0.3 20051201 (prerelease) (Debian 4.0.2-5)
> > > > > CPPFLAGS: ''
> > > > > CFLAGS: '-Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time'
> > > > > CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
> > > > build/host: i486-pc-linux-gnu/i486-pc-linux-gnu
> > > > Use dietlibc: yes
> > > > Build C++ programs: yes
> > > > Build C99 programs: yes
> > > > Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
> > > > ext2fs Source: e2fsprogs
> > > > syscall(2) invocation: alternative
> > > > vserver(2) syscall#: 273/glibc
> > > >
> > > > Paths:
> > > > prefix: /usr
> > > > sysconf-Directory: /etc
> > > > cfg-Directory: /etc/vservers
> > > > initrd-Directory: $(sysconfdir)/init.d
> > > > pkgstate-Directory: /var/run/vservers
> > > > vserver-Rootdir: /var/lib/vservers
> > > >
> > > >
> > > > > Assumed 'SYSINFO' as no other option given; try '--help' for more information.
> > > > >
> > > > >
> > > > > root@nevir:~# uname -a
> > > > > Linux nevir 2.6.14.4-vs2.1.0nevir #4 Thu Mar 16 19:43:43 EET 2006 i686 GNU/Linux
> > > >
> > > >
> > > > Let me know if you need any more information to troubleshoot that matter.
> > > >
> > > > Thanks,
> > > > -Nikolay Kichukov
> > > >
> > > > ----- Original Message -----
> > > > From: "Herbert Poetzl" <herbert@13thfloor.at>
> > > > To: "Nikolay Kichukov" <hijacker@oldum.net>
> > > > Cc: <vserver@list.linux-vserver.org>
> > > > Sent: Friday, April 21, 2006 8:08 PM
> > > > Subject: Re: [Vserver] vserver traceroute
> > > >
> > > >
> > > > > On Fri, Apr 21, 2006 at 05:30:53PM +0300, Nikolay Kichukov wrote:
> > > > > > hi, the version is:
> > > > > >
> > > > > > util-vserver 0.30.209-2
> > > > > >
> > > > > > Would you suggest an upgrade to get the traceroute going? It is not so
> > > > > > important to make traceroute working. It is the idea that stays behind
> > > > > > that. ;-) To have the guest at full operational power as if it is a
> > > > > > real machine.
> > > > >
> > > > > can you provide a static binary of that traceroute tool
> > > > > > for testing? it is supposed to work with raw_icmp
> > > > > capability enabled ...
> > > > >
> > > > > TIA,
> > > > > Herbert
> > > > >
> > > > > >
> > > > > > Thanks and regards,
> > > > > > -Nikolay Kichukov
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Herbert Poetzl" <herbert@13thfloor.at>
> > > > > > To: "Nikolay Kichukov" <hijacker@oldum.net>
> > > > > > Cc: <vserver@list.linux-vserver.org>
> > > > > > Sent: Thursday, April 20, 2006 9:43 PM
> > > > > > Subject: Re: [Vserver] vserver traceroute
> > > > > >
> > > > > >
> > > > > > > On Thu, Apr 20, 2006 at 05:24:00PM +0300, Nikolay Kichukov wrote:
> > > > > > > > hello,
> > > > > > > > > even trying to traceroute -I is still giving that same error message.
> > > > > > > > What could be wrong? Do I need to set some extra ccapabilities?
> > > > > > > >
> > > > > > > > Also, what does the --secure option of the vattribute do ?
> > > > > > >
> > > > > > > that really depends on the tool version, which
> > > > > > > one do you have?
> > > > > > >
> > > > > > > > usually it removes most capabilities from the guest
> > > > > > >
> > > > > > > best,
> > > > > > > Herbert
> > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > -Nikolay Kichukov
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Xavier Montagutelli" <xavier.montagutelli@unilim.fr>
> > > > > > > > To: <vserver@list.linux-vserver.org>
> > > > > > > > Sent: Thursday, April 20, 2006 3:33 PM
> > > > > > > > Subject: Re: [Vserver] vserver traceroute
> > > > > > > >
> > > > > > > >
> > > > > > > > > On Thursday 20 April 2006 13:29, Nikolay Kichukov wrote:
> > > > > > > > > > Hello guys,
> > > > > > > > > > > Thanks for the advice, and sorry for taking me so long to respond.
> > > > > > > > > >
> > > > > > > > > > I tried setting:
> > > > > > > > > >
> > > > > > > > > > host# vattribute --set --xid <xid> --secure --ccap raw_icmp
> > > > > > > > > >
> > > > > > > > > > and when i try to traceroute a host I am again getting:
> > > > > > > > > >
> > > > > > > > > > traceroute: raw socket: Operation not permitted
> > > > > > > > >
> > > > > > > > > > On my debian box, traceroute uses by default UDP packets, not ICMP packets.
> > > > > > > > >
> > > > > > > > > Try "-I icmp" to use icmp.
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Any further ideas?
> > > > > > > > > >
> > > > > > > > > > Another problem has now appeared:
> > > > > > > > > > > When I try to ssh to the guest sshd, I am getting the following error:
> > > > > > > > > >
> > > > > > > > > > fatal: chroot("/var/run/sshd"): Operation not permitted
> > > > > > > > > >
> > > > > > > > > > /var/run/sshd is rwx for root and r-x for the group and others
> > > > > > > > > >
> > > > > > > > > > Any ideas?
> > > > > > > > > >
> > > > > > > > > > Additional info:
> > > > > > > > > >
> > > > > > > > > > util-vserver 0.30.209-2 debian package
> > > > > > > > > > kernel 1.6.14.4-vs2.1.0
> > > > > > > > > >
> > > > > > > > > > On Tue, 2006-04-11 at 13:17 +0200, Daniel Hokka Zakrisson wrote:
> > > > > > > > > > > Nikolay Kichukov wrote:
> > > > > > > > > > > > Hi,
> > > > > > > > > > > > > Thanks for the advice,
> > > > > > > > > > > > > I'd like to test that and I already have raw_icmp in the flags file for
> > > > > > > > > > > > > the vserver, but is there a way I can set that without rebooting the
> > > > > > > > > > > > > vserver?
> > > > > > > > > > >
> > > > > > > > > > > > It's a context capability, so you should put it in ccapabilities file.
> > > > > > > > > > >
> > > > > > > > > > > > > I've searched for information about chcontext and did not find a lot
> > > > > > > > > > > > > about setting those caps and flags dynamically. Is that possible? If
> > > > > > > > > > > > > yes, how?
> > > > > > > > > > >
> > > > > > > > > > > > vattribute --set --xid <name or xid of the guest> --secure --ccap raw_icmp
> > > > > > > > > > > > (add additional --bcaps here if you have any, as they'll be
> > > > > > > > > > > > reset otherwise)
> > > > > > > > > > >
> > > > > > > > > > > > > Also, another question is, I have already created (built) the vserver
> > > > > > > > > > > > > without --context NNN, and now I would like to get the vserver running
> > > > > > > > > > > > > only in a specified context, i.e. 444. How can I implement that?
> > > > > > > > > > >
> > > > > > > > > > > echo NNN > /etc/vservers/<name>/context
> > > > > > > > > > >
> > > > > > > > > > > http://www.nongnu.org/util-vserver/doc/conf/configuration.html
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Vserver mailing list
> > > > > > > > > > Vserver@list.linux-vserver.org
> > > > > > > > > > http://list.linux-vserver.org/mailman/listinfo/vserver
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > > Xavier Montagutelli Tel : +33 (0)5 55 45 77 20
> > > > > > > > > > Service Commun Informatique Fax : +33 (0)5 55 45 77 60
> > > > > > > > > Universite de Limoges
> > > > > > > > > 123, avenue Albert Thomas
> > > > > > > > > 87060 Limoges cedex
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > >
> > --
> > When we are happy, we are good.
> > But when we are good, we are not always happy...
> > -Oscar Wilde
--
When we are happy, we are good. But when we are good, we are not always happy...
-Oscar Wilde
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sun Apr 30 19:00:06 2006
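
The chroot("/var/run/sshd") failure discussed in this thread is consistent with the guest losing CAP_SYS_CHROOT, which chroot(2) requires, when its capabilities are reset. As an added example (not part of the original thread or of util-vserver), this shell check decodes the CapEff mask from /proc/<pid>/status text; the function names and sample masks are constructed here, and it assumes the kernel reports the guest's limits in CapEff.

```sh
#!/bin/sh
# Bit numbers from <linux/capability.h>.
CAP_NET_RAW=13      # needed to open raw sockets
CAP_SYS_CHROOT=18   # needed for chroot(2), used by sshd privilege separation

# Constructed samples of /proc/<pid>/status text (not captured from a real guest).
SAMPLE_OK='Name:   sshd
CapEff: 00000000a80425fb'
SAMPLE_BROKEN='Name:   sshd
CapEff: 00000000a80025fb'

# cap_field STATUS_TEXT FIELD -> prints the hex mask of that field (e.g. CapEff)
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_cap HEXMASK BIT -> exit status 0 if the capability bit is set
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# report STATUS_TEXT -> one line per capability relevant to this thread
report() {
    eff=$(cap_field "$1" CapEff)
    for pair in "CAP_NET_RAW:$CAP_NET_RAW" "CAP_SYS_CHROOT:$CAP_SYS_CHROOT"; do
        name=${pair%%:*}
        bit=${pair##*:}
        if has_cap "$eff" "$bit"; then
            echo "$name present (CapEff=$eff)"
        else
            echo "$name MISSING (CapEff=$eff)"
        fi
    done
}

# With a PID argument, inspect that process; otherwise show the constructed samples.
if [ -n "${1:-}" ]; then
    report "$(cat "/proc/$1/status")"
else
    report "$SAMPLE_OK"
    report "$SAMPLE_BROKEN"
fi
```

Run inside the guest against the sshd PID before and after changing capabilities on the host to see whether a capability change removed more than intended.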