About this list Date view Thread view Subject view Author view Attachment view

From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Wed 21 Aug 2002 - 21:33:43 BST


On Wed, 21 Aug 2002 17:12:12 -0500, Golden Planet Support wrote
> Hello All
>
> I'm having problems with vunify and vrpm after upgrading from v0.18
> to v0.19. From what I understand the vunify utility should now be
> able to do a unify between the root server and a vserver - but when
> doing a
>
> vunify / vserver1 vserver2 -- ALL
>
> - I get the following error:
>
> /usr/sbin/chroot: cannot execute /bin/rpm: No such file or directory

vunify is using the rpm command found in the vserver, to help
compatibility as much as possible (the vserver may be running all kinds of
old rpm utilities).

This sounds like /bin/rpm is not installed in the vserver. Where is it?

> That looks a lot like the behavior of the old vunify command....?

Very little was changed in vunify. Only that since 0.18.

> The vrpm appears to be entirely broken - if I do a
>
> vrpm ALL -- -Uvh package.rpm
>
> - I get this error, once per vserver:
>
> New security context is 4
> error: cannot open Packages index using db3 - Permission denied (13)
> error: cannot open Packages database in /vservers/vserver/var/lib/rpm

This is indeed a bug. Starting with 0.19, vrpm attempts to switch to the
vserver security context to execute the rpm updates. This way, the various
post-install scripts perform in the proper context.

Now, by switching to a different security context, rpm is knocked by another
feature: the no-man's-land /vservers directory. This directory is set to 000
so even root in a vserver is not allowed to visit it. This solves the chroot
escape problem. Only root in security context 0 can cross this directory.

The solution is to relax this directory permission while doing vrpm:

        chmod 755 /vservers
        vrpm ...
        chmod 000 /vservers

In the next kernel, I will change this no-man's-land feature. Basically, this
will become a one-way: root will be able to visit /vservers but won't be able
to visit .. when .. is /vservers. This will solve this issue, but also solve another which
is close to my heart :-) : vservers inside vservers. This will offer a complete
production/test/backup solution to co-administrators (give 5 IPs and 5 security
contexts to a vserver and now the vserver administrator may rework this
vserver into 5 sub-vservers... still with 100% of the performance :-), still secure...

---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
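The three-line workaround above (chmod 755, run vrpm, chmod 000) leaves /vservers world-traversable if vrpm aborts between the two chmods, which is exactly the chroot-escape protection the post says the 000 mode provides. The following wrapper is an added example, not code from the vserver project or from this thread: it records the directory's current mode, relaxes it only for the duration of one command, and restores it on every exit path, including a failing command or a killed shell. The function names `dir_mode` and `with_relaxed_dir` are hypothetical; the script assumes GNU `stat -c` or BSD `stat -f`, and must be run as root in security context 0, since only that root can change /vservers.

```shell
#!/bin/sh
# Added example (not from the vserver project): run one command while a
# no-man's-land directory such as /vservers is temporarily traversable.

dir_mode() {
    # Octal permission bits of a path. GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

with_relaxed_dir() {
    # usage: with_relaxed_dir DIR RELAXED_MODE CMD [ARGS...]
    # Returns the exit status of CMD; DIR is back at its original mode
    # whether CMD succeeds, fails, or the script is interrupted.
    _wrd_dir=$1; _wrd_mode=$2; shift 2
    _wrd_saved=$(dir_mode "$_wrd_dir") || return 1
    # The plain "chmod 755; vrpm; chmod 000" sequence leaves the directory
    # open if vrpm dies in between; these traps close that window.
    trap 'chmod "$_wrd_saved" "$_wrd_dir"; exit 130' INT TERM
    trap 'chmod "$_wrd_saved" "$_wrd_dir"' EXIT
    chmod "$_wrd_mode" "$_wrd_dir" || return 1
    "$@"
    _wrd_rc=$?
    chmod "$_wrd_saved" "$_wrd_dir"
    trap - EXIT INT TERM
    return $_wrd_rc
}

# Example invocation matching the post (hypothetical package name):
#   sh relax.sh --run vrpm ALL -- -Uvh package.rpm
if [ "${1:-}" = "--run" ]; then
    shift
    with_relaxed_dir /vservers 755 "$@"
fi
```

While the mode is relaxed, root inside any vserver can cross /vservers again, so the wrapper only shortens the exposure described in the post; it does not remove it. Run it at a quiet moment and verify afterwards that `ls -ld /vservers` shows `d---------` again.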


Generated on Wed 06 Nov 2002 - 07:03:42 GMT by hypermail 2.1.3