From: Charles Dale (bug_at_aphid.net)
Date: Wed 26 Nov 2003 - 05:50:39 GMT
It's a bit hard to read what you posted because after a certain point all
the hard returns seem to have been folded. But I think you have this in your
redhat9.conf:
S_CAPS="CAP_NET_RAW CAP_SYS_ADMIN CAP_NET_ADMIN"
Change that to
S_CAPS="CAP_NET_RAW CAP_SYS_RESOURCE"
Do you really need CAP_SYS_ADMIN and CAP_NET_ADMIN in the vserver? Setting
those for a vserver is like running "chmod -R 777 /". i.e. it's not a good
idea unless you have an MS-DOS view of security...
Chuck
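Two checks a reader of this exchange would want, as an added example that is not code from the thread or from the vserver project: an audit of the S_CAPS line in a vserver conf (does it grant only what named needs, and nothing host-owning), and a decoder for the CapEff/CapPrm mask a process shows in /proc/PID/status, which is one answer to the "which caps does this context have?" question quoted further down. The DANGEROUS_CAPS list and all function names are my own assumptions, and the conf text fed in is a constructed sample.

```shell
# Added audit helpers for the S_CAPS line of a vserver conf (names are mine, not
# vserver's). The conf text fed in below is a constructed sample.
# Caps that effectively hand the vserver the host (the thread's "chmod -R 777 /").
DANGEROUS_CAPS="CAP_SYS_ADMIN CAP_NET_ADMIN CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PTRACE"
# What a named vserver needs per the thread: raw sockets plus setrlimit.
NEEDED_CAPS="CAP_NET_RAW CAP_SYS_RESOURCE"
# Capability names by bit number, bits 0-24 of linux/capability.h.
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID \
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE \
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE \
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT \
CAP_SYS_NICE CAP_SYS_RESOURCE"

# get_s_caps: read a conf on stdin, print the last uncommented S_CAPS="..." value
# (the commented-out example line in the stock conf is skipped).
get_s_caps() { sed -n 's/^[[:space:]]*S_CAPS="\([^"]*\)".*/\1/p' | tail -n 1; }

# audit_caps: read a conf on stdin; print DANGEROUS:<cap> / MISSING:<cap> findings,
# return 0 when S_CAPS is clean and 1 otherwise.
audit_caps() {
    caps=$(get_s_caps); rc=0
    for c in $caps; do
        for d in $DANGEROUS_CAPS; do
            if [ "$c" = "$d" ]; then echo "DANGEROUS:$c"; rc=1; fi
        done
    done
    for n in $NEEDED_CAPS; do
        found=0
        for c in $caps; do if [ "$c" = "$n" ]; then found=1; fi; done
        if [ "$found" -eq 0 ]; then echo "MISSING:$n"; rc=1; fi
    done
    return $rc
}

# decode_caps HEXMASK: name the set bits of a CapEff/CapPrm value as shown in
# /proc/PID/status inside the context, i.e. which caps the context really holds.
decode_caps() {
    bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# Stand-alone run against the poster's S_CAPS line and a constructed CapEff mask.
printf '# S_CAPS="CAP_NET_RAW"\nS_CAPS="CAP_NET_RAW CAP_SYS_ADMIN CAP_NET_ADMIN"\n' \
    | audit_caps || echo "verdict: tighten S_CAPS"
decode_caps 0000000001002000   # CAP_NET_RAW CAP_SYS_RESOURCE
```

On a live host you would feed `audit_caps` the real /etc/vservers/NAME.conf and `decode_caps` the CapEff field of a process running inside the context.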
> -----Original Message-----
> From: vserver-admin_at_list.linux-vserver.org 
> [mailto:vserver-admin_at_list.linux-vserver.org] On Behalf Of 
> mile1_at_bellsouth.net
> Sent: Wednesday, 26 November 2003 4:30 PM
> To: vserver_at_list.linux-vserver.org
> Subject: RE: RE: [Vserver] Rpms for vserver 0.27 (got it)
> 
> 
> Here it is,
> 
> Last login: Sun Nov 23 21:53:32 2003
> [root_at_rdhat01 root]# ls
> anaconda-ks.cfg  install.log  install.log.syslog  vps 
> [root_at_rdhat01 root]# vi /etc/vservers/redhat9.conf
> # Description: RedHat 9 VPS Server
> 
> if [ "" = "" ]; then
>         PROFILE=prod
> fi
> case $PROFILE in
> prod)
>         # Select the IP number(s) assigned to the virtual server
>         # These IPs will be defined as IP alias
>         # The alias will be setup on IPROOTDEV
>         # You can specify the device if needed
>         # IPROOT="eth0:1.2.3.4 eth1:3.4.5.6"
>         IPROOT="172.16.0.109"
>         # You can define on which device the IP alias will be done
>         # The IP alias will be set when the server is started and unset
>         # when the server is stopped
>         # The netmask and broadcast are computed by default from IPROOTDEV
>         #IPROOTMASK=
>         #IPROOTBCAST=
>         IPROOTDEV=eth0
>         # You can set a different host name for the vserver
>         # If empty, the host name of the main server is used
>         S_HOSTNAME=redhat9.icanreach.com
>         ;;
> backup)
>         IPROOT=""
>         #IPROOTMASK=
>         #IPROOTBCAST=
>         IPROOTDEV=eth0
>         S_HOSTNAME=
>         ;;
> esac
> # Set ONBOOT to yes or no if you want to enable this
> # virtual server at boot time
> ONBOOT=yes
> # Control the start order of the vservers
> # Lower value start first
> PRIORITY=100
> # You can set a different NIS domain for the vserver
> # If empty, the current on is kept
> # Set it to "none" to have no NIS domain set
> S_DOMAINNAME=
> # You can set the priority level (nice) of all process in the vserver
> # Even root won't be able to raise it
> S_NICE=
> # You can set various flags for the new security context
> # lock: Prevent the vserver from setting new security context
> # sched: Merge scheduler priority of all processes in the vserver
> #        so that it acts a like a single one.
> # nproc: Limit the number of processes in the vserver according to ulimit
> #        (instead of a per user limit, this becomes a per vserver limit)
> # private: No other process can join this security context. Even root
> # Do not forget the quotes around the flags
> S_FLAGS="lock nproc"
> # You can set various ulimit flags and they will be inherited by the
> # vserver. You enter here various command line argument of ulimit
> # ULIMIT="-H -u 200"
> # The example above, combined with the nproc S_FLAGS will limit the
> # vserver to a maximum of 200 processes
> ULIMIT="-HS -u 1000"
> # You can set various capabilities. By default, the vserver are run
> # with a limited set, so you can let root run in a vserver and not
> # worry about it. He can't take over the machine. In some cases
> # you can to give a little more capabilities (such as CAP_NET_RAW)
> # S_CAPS="CAP_NET_RAW"
> S_CAPS="CAP_NET_RAW CAP_SYS_ADMIN CAP_NET_ADMIN"
> # Select an unused context (this is optional)
> # The default is to allocate a free context on the fly
> # In general you don't need to force a context
> #S_CONTEXT=
> 
> > 
> > From: "Charles Dale" <bug_at_aphid.net>
> > Date: 2003/11/25 Tue PM 08:16:37 EST
> > To: <vserver_at_list.linux-vserver.org>
> > Subject: RE: RE: [Vserver] Rpms for vserver 0.27 (got it)
> > 
> > [snip]
> > 
> > > Nov 24 12:00:13 redhat9 named: named: capset failed: Operation not permitted
> > > Nov 24 12:00:13 redhat9 named: named startup failed
> > 
> > Looks to me like CAP_SYS_RESOURCE hasn't been enabled for some reason
> > for that vserver. Please post contents of the vserver conf file.
> > 
> > BTW, (to list in general), how do I easily find out which caps a 
> > particular context has?
> > 
> > Chuck
> > 
> > _______________________________________________
> > Vserver mailing list
> > Vserver_at_list.linux-vserver.org 
> > http://list.linux-vserver.org/mailman/listinfo/vserver
> > 