On Wed, Jul 12, 2006 at 02:52:08PM -0700, Kathy Kost wrote:
>
> Thanks, Nicolas, for the reply. I have just now gone and bound
> smtp to their specific IP addresses and restarted postfix on all.
> I can see your point about not wanting to run anything on the root
> server. Despite binding all postfixes, including the root server's,
> the root server postfix still refuses connections.

I'd assume that system security (more specifically
tcpwrappers or iptables) keeps your postfix from
accepting connections on the host system, which
probably is a different distro than the guests.

> I'm less concerned about that one -- more about the other vservers.
> I will see if I can move that service onto a new vserver and stop
> running things in root.

improves security, simplifies administration and
avoids any clashes with guest services ...

HTH,
Herbert

> Thanks again for the reply.
>
> Kathy
>
> > This is a typical problem with vservers: The root server has the ability to
> > bind on all interfaces, unlike the guests that see only their own
> > interface(s).
> >
> > So, when you start a service in the root server, it is likely to bind on all
> > interfaces, even those "belonging" to the guests. Then, the guests will never
> > be able to bind on the same ports. Moreover, if you try to access a service
> > on an ip/port that should run in a guest, it's the root server that
> > responds!
> >
> > To prevent this, you've got to configure all services that run on the host to
> > bind to only one interface. Or, say, all the interfaces that belong to the
> > host and are not assigned to a guest. For example, for Samba, the smb.conf
> > directive is:
> > interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
> > (http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html)
> >
> > For Cups:
> > Listen 1.2.3.4
> >
> > Sshd:
> > ListenAddress 1.2.3.4
> >
> > ...etc.
> >
> > Anyway, NO service should run in the root server (apart from sshd)... ;-)
> >
> > Good luck.
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu Jul 13 03:17:00 2006
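The thread above describes host services that bind to every interface and thereby answer on (and block) the guests' addresses. The following script is an added example, not from the list or the Linux-VServer project: it flags listening TCP sockets bound to a wildcard address in `ss -ltn` style output, so an administrator can see which host services still need an explicit listen address. The sample output embedded in SAMPLE_SS is constructed; `audit_host` is a hypothetical helper that runs the same check against the live host when `ss` is available.

```shell
#!/bin/sh
# Added example: list host services whose listening socket is bound to a
# wildcard address (0.0.0.0, [::] or *). Such a socket also answers on the
# guests' IPs, which is the clash described in the thread.

# Constructed sample in the layout of `ss -ltn` (State Recv-Q Send-Q
# Local Address:Port Peer Address:Port); not real output from any host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      100    0.0.0.0:25           0.0.0.0:*
LISTEN 0      128    192.168.2.10:22      0.0.0.0:*
LISTEN 0      128    [::]:631             [::]:*
LISTEN 0      128    127.0.0.1:3306       0.0.0.0:*'

# wildcard_ports OUTPUT
# Prints one port per line for every LISTEN entry whose local address is a
# wildcard. Sockets bound to a specific host IP or to loopback are ignored,
# since those cannot shadow a guest address.
wildcard_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            port = addr
            sub(/.*:/, "", port)        # keep only the text after the last ":"
            sub(/:[^:]*$/, "", addr)    # drop the trailing ":port"
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                print port
        }'
}

# audit_host (hypothetical helper): run the same check on the live system.
# Returns without output if `ss` is not installed.
audit_host() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found, skipping" >&2; return 0; }
    wildcard_ports "$(ss -ltn 2>/dev/null)"
}

# Demonstration on the constructed sample: expected to report 25 and 631,
# the two services that would also answer on guest IPs.
wildcard_ports "$SAMPLE_SS"
```

Each reported port belongs to a host daemon that should get an explicit listen directive (as with the `interfaces`, `Listen` and `ListenAddress` settings quoted above) or be moved into a guest.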