No War
(or all the question I can't be arsed to answer, yet again,
as of 2003 March 9th 2005 January 17th)
Thanks for contributions received from Herbert Pötzl
Exactly the same way as you signed up! As you are clearly an intelligent person you can probably remember how you managed to sign up and do the same to unsubscribe. If you've forgotten, you can go to the mailing-list control on the main vserver site:
Sebastian Wolfgarton reminded me (2005-01-17) that the URL is now:
Vlad unfortunately had to stop running them. A full set going back to 2001 October can be found here:
The problem comes if you bind to `0.0.0.0' in the
host server without using a `v_sshd'
script. This then snatches all the addresses on the server
(including all vserver addresses), even if the vservers haven't
been started yet.
The best way is not to run much (or anything) in the host
server--except SSH--and to make sure you either use a `v_ssh[d]'
script, or manually set SSHd to bind to one IP address in the host
server (including chbind'ing or remembering to disable
`inetd').
If you are *just* running the SSH daemon (and NTP), my preferred option is to put the
ListenAddress 1.2.3.4 # Host Server
directive in the `/etc/ssh/sshd_config' file).
This will get rid of alot of your `problems' and allow you to find
out what is happening more clearly. (But might cause some
troubles if you change the host servers' IP Address
;-)
Note: the following is correct, works and is highly illustrative, however newer versions of the vserver tools use a different method.
Lets, for example, take a look at a sample `v_httpd':
# description: Wrapper to start httpd bound to a single IP IP=eth0 exec /usr/sbin/chbind --ip $IP /etc/init.d/httpd $*
the `chbind' tool `binds' (reduces) the IP
address(es) to the given ones give in the
`--ip $oneip' paramater (in this case the
first IP address on eth0 and then calls the
original script to start their service.
Jacques Gelinas' main site for the `s_context' (security context)
Linux kernel patches and the vserver home page is:
The "Paul Sladen Mirror Service" provides a European mirror here:
Sam's immutable-linkage-flag stuff can now be got here:
Read Herbert Pötzl's Quota Howto and get the Tools/Patches here:
Alexey Lyashkov provides patches against the Red-Hat source trees here:
Adam Pendleton also provides source-RPMs of the above:
Herbert Pötzl provides unoffical patches on his page:
Apparently, ``To patch the kernel you need:''
and to apply them in that order. ``First apply the ac3 and then the ctx12 patch (the patches fail if applied in the other way). ac3 patches perfectly. ctx12 patches with some fuzz (no rejects).''
Additionally, some -ac patches are used in RH
kernels so Alex's RH patches may (or may not) be helpful aswell:
There is a `newvserver' and small patch to fix
set-group-id (gid=tty) mounting `/dev/pts' under Debian systems
here:
http://www.paul.sladen.org/vserver/debian/http://www.paul.sladen.org/vserver/archives/200211/0150.htmlThese second `.deb's were originally done for private
use: (make sure you read the README file if you want to read them)
Mark Lawrence orginally did a `.deb' package and
newvserver script. Opal has also done an out-of-date
one that is in the Debian archive and requires messing about with
Sid (view
bug page). A while ago there was old stuff at this.is
too.
NTP is used to keep the kernel clock synchronized to GMT/UTC. This is a system level function and should be done in the host server.
Changing the timezone in a vserver is merely about telling Libc
in that vserver what the current timezone offset is. This is done
my changing the /etc/localtime file (and normally linking
it to a different timezone).
This can be done by running `tzconfig' under
Debian, or `timeconfig' on Red Hat based systems.
du' complain about /proc access?du: cannot change to directory `./proc/1/fd': Permission denied
This is related to the fakeinit fiddling that goes on to make
the first-process in a context look-like it has pid=1
(pretending to be init, whereas the real
pid=1a process is in a different context and so you
can't access its resources.
`du' will give the correct answer though, it's much like the cosmetic
problems with `lsof'.
klogd give an error?Kernel logger (klogd) requires access to the kernel messages
buffer which could allow klogd running inside vserver to ``steal''
messages intended for the root server. This is a
"low-level" and should only be done in the main server
and not within a vserver.
You should run `syslogd' in each server normally
to continue monitoring the rest of the services.
A new userspace and most of this lot by my reckoning:
It goes against the Unix design of irreversible
giving up privileges and actually tries to raise its own
`ulimit' privileges which is restricted in a vserver to
stop anybody raising their processes above other vserver
users.
It is Bind that is ``broken''. It can be fixed by recompiling with:
./configure --disable-linux-caps
which fixes this stupidity. Curse the bind8 exploits, curse
the maintainers who leave `--enable-linux-caps' on by default and
curse the ISC coders for putting it in there in the first place!
;-)
The problem is actually slightly worse than this and is down to
the bad assumptions that Bind9 makes about threads, linux and
capabilities. Without fixing their over-intelligent detection
code, you can only run Bind9 under vserver as root
(uid=0). Since this is already running in a secure
vserver this is less of a problem.
This seems to have come up a couple of times since:
http://www.paul.sladen.org/vserver/archives/200302/0186.htmlhttp://www.paul.sladen.org/vserver/archives/200301/0034.htmlhttp://www.paul.sladen.org/vserver/archives/200302/0200.htmlThe conclusion is to: run it as root within a vserver.
iptables -A INPUT -i eth0 -d 10.0.0.42 iptables -A OUTPUT -o eth0 -s 10.0.0.42 iptables -A INPUT -i eth0 -d 10.0.0.43 iptables -A OUTPUT -o eth0 -s 10.0.0.43
and typing `iptables -xvL' will give you output something like:
Chain INPUT (policy ACCEPT 7157991 packets, 932430425 bytes) pkts bytes target prot opt in out source destination 246 19163 all -- eth0 any anywhere 10.0.0.42 3298 230541 all -- eth0 any anywhere 10.0.0.43 5158 339958 all -- eth0 any anywhere 10.0.0.44 Chain OUTPUT (policy ACCEPT 7574898 packets, 3080985747 bytes) pkts bytes target prot opt in out source destination 2054 344237 all -- any eth0 10.0.0.42 anywhere 2634 466259 all -- any eth0 10.0.0.43 anywhere 4059 734240 all -- any eth0 10.0.0.44 anywhere
Or, to have all that setup and cron'ed collection done nicely for you, use the
IP-Accounting-Next-Generation Package (ipac-ng):
No. Although it should be very easy to basically copy across the code from the IPv4 mangling. If anyone fancies doing it should basically be a cut and paste job. Jacque's last offical statement was in this thread:
chroot() isn't secure?Lucky we fixed it then isn't it!... Remember to do:
chmod 000 /vservers
Some people consider this a kludge; it is achieved by
the addition of the following code to `fs/namei.c' in
the kernel source:
/*
A dir with permission bit all 0s is a dead zone for
process running in a vserver. By doing
chmod 000 /vservers
you fix the "escape from chroot" bug.
*/
if ((mode & 0777) == 0
&& S_ISDIR(mode)
&& current->s_context != 0) return -EACCES;
If a directory with permissions `000' (shown as
`d---------') is accessed by a vserver, then
`-EACCES' is returned regardlessly and
permission is denied. (Normally a `000'ed file is
only access by root and this changes to only accessible by root
within the host-server).
alpha and beta are hosting servers running
the `s_context' patch. uno is the vserver to
copy:
alpha% rsync -aPxvze ssh --delete --stats --numeric-ids {,beta:}/vservers/uno/
Preserve attributes, show progress and continue
where interrupted, don't cross filesytems, do be
verbose, use SSH, dodelete files no-longer present
on the alpha copy, show statistics.
Francois Deppierraz adds: ``The --numeric-ids rsync option is [required] to avoid messing with files ownership.''
With the `vserver' userspace tools version 0.22
onwards it may be worth investigating the `PROFILE='
options which may help with keep backups synchronized, but not
running.
Another method for backing up vservers (or duplicating between
machines for failover) is to use the `dump' and
`restore' tools which allow incremental backup and
compression. Since these operate on the inode level they
handle open files correctly (aswell as efficiently
handling hardlinks in a unified setup).
Herbert Pötzl also has had good experiences with
`dump' 0.4b32 producing pretty small (zlib/bzip2
compressed) images of a template server together with its clones
using the following command:
# dump 0zf <backup-file> /vservers/{<template>,<clone1>,<clone2>,...}
A practical example would be:
# dump 0zf /backup/daily.dump /vservers/{ISRV,IS01,IS02,IS03}
Tomcat 3.3.1 can be made to work in a vserver by explicitly
setting its IP address in the `server.xml' config
file. However Tomcat 4.x apparently has a bug filed against it
that implies that ``it cannot be fully configured to use an
arbitrary IP address''.
Consider the following setup:
SERV (template used for vservers) SV01 (first vserver/clone) SV02 (second vserver/clone) SV03 (third vserver/clone)
and the package `wossname-0.1.noarch.rpm' needs to
be updated on all the vservers to a newer version called
`wossname-0.2.noarch.rpm', then usually this would be
done with the following command on each vserver:
rpm -U wossname-0.2.noarch.rpm
In vserver setup, you could do it the same way, by
copying the package to each vserver SV01,SV02,SV03,... and
manually installing it. A much better solution would be to use
the `vrpm' wrapper script to upgrade all the vservers
at once with the following command:
# vrpm SERV SV01 SV02 SV03 -- -U wossname-0.2.noarch.rpm
Or even better:
# vrpm --unify SERV SV01 SV02 SV03 -- -U wossname-0.2.noarch.rpm
which actually unifies the packages after installation/update.
# /usr/lib/vserver/vunify <template> <clone1> <clone2> -- <packages>
For example to locate all the files from the
`apache', `apache-conf' and
`mod_php' RPM Packages three vservers/clones
(IS01-03) from a common template
(ISRV), use:
# /usr/lib/vserver/vunify ISRV IS01 IS02 IS03 -- apache apache-conf mod_php
(This is better because unification is a little more than just a hardlink; it is a hardlink with additional immuteability [except for removal]. Therefore you are not be able to change the file or link in the root server until you remove the immutable flag or the file. The script handles this correctly for you).
The kernel NFS server isn't available within a vserver. The userspace nfs client/server may work.
Normally you restrict everything you can in a vserver, to do
with accessing hardware or system-related features of the kernel
(eg: filesystem mounting, rebooting, creating device nodes or
setting the system clock). vservers are often given the
`CAP_NET_RAW' to allow a vserver to produce low-level
packets such as ICMP ping. Sometimes you may wish to
allow them additional capabilites:
The `/usr/include/linux/capability.h' Include file
helpfully lists the actual capabilities available and the
following LIDS Howto (Linux Intrusion Detection System) lists what
each capability enables/disables:
http://www.lids.org/lids-howto/node34.html (via archive.org)Update 2018: Joel Stephens noted that the original LIDS project website is down. But that a good comparision overview of a number of Linux-related intrusion-detection systems can be found at:
This is answered in many places, such as the Kernel-HOWTO:
http://www.miredespa.com/wmaton/linux/kernel-patch-HOWTO.htmlhttp://www.linuxhq.com/ldp/howto/Kernel-HOWTO-6.htmlhttp://www.google.com/search?q=kernel+patch+howtoSee the section for where to download patches above.
Some more vserver stuff.
Back to the rest of Paul Sladen.