On Fri, Jun 30, 2006 at 08:50:49PM -0400, Paul S. Gumerman wrote:
> Sorry about the previous thread hijacks --- I didn't realize what the
> list server was using to do the threading.
>
>
> I have been working on getting the freenx remote X access application
> working on a vserver host machine.
>
> When using the v_sshd wrapper, it fails, fairly late in the process of a
> login.
yes, that is kind of expected, the v_sshd wrapper should
probably have been removed a long time ago IMHO, but you
know "enough rope to shoot yourself in the foot", so we
left it as is ...
> If I do not use the wrapper, and start sshd from the standard initscript
> with the following lines in sshd_config, it works fine.
>
> ListenAddress 192.168.1.42
> ListenAddress 127.0.0.1
>
> It appears that the v_sshd wrapper does not allow sshd to listen to the
> loopback address, but only the interface's primary IP addresses, and
> that is causing the problem with freenx.
the problem here is that using ssh (via the sshd wrapper)
already puts you in a network namespace, which basically
makes it impossible to manage network namespaces in a
sensible way ... we might (in the future) declare special
admin spaces/capabilities which will remove that 'issue'
> Is there some reason that this limitation is necessary?
yes, you basically cannot have a restriction to ssh, but
none to the spawned children, as this would circumvent
the network isolation
> If not, can it be fixed?
not with the current concept and certainly not with a big
change in semantics, but the good news is, the ssh (or
maybe telnet/rlogin/etc) service is the 'only' one which
does require this 'restriction' on the host, for all others
the v_* wrappers are fine, as they do not try to 'change'
the network namespace afterwards ...
HTC,
Herbert
> Best regards,
> Paul
>
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sun Jul 2 16:39:18 2006