
From: Thomas Gelf (vserver_at_gelf.net)
Date: Tue 17 Feb 2004 - 11:07:44 GMT


Hello together!

I'm new on this list so please be patient with me! My English
is not that good, but it seems that I'm not alone with this
problem :o)

We started testing vserver one week ago, I found this great
project while looking for an alternative to UML which we have
currently running on different Web-, Mail and DNS-Servers.

UML is great, but I'm not satisfied with the performance of
Loopback-mounted sparse-files.

We compiled about 30-40 Kernels last week, vserver's documentation
was not really helpful (please don't hit me :o) - we did some
changes to debian-newvserver.sh to make it possible to run it
with the exploit-proof "chattr +t /vservers"-directory. If
someone is interested in it (it was not that difficult) - mail me!

We haven't been able to compile kernel 2.6, maybe Herbert's
patch (http://list.linux-vserver.org/archive/vserver/msg06189.html)
will help. Currently we are running 2.4.25-rc2, also using context-
based disk-limits.

I'll stop the introduction now, let's start with my first question to
this list: We would like to improve vserver's networking support.
Like with our UML-Servers we did the following today (on debian):

# apt-get install uml-utilities
# apt-get install bridge-utils
# mkdir -p /dev/net
# mknod -m 660 /dev/net/tun c 10 200
# chmod 660 /dev/net/tun
# chown root.uml-net /dev/net/tun   # group uml-net added by debian

Now stop all your vservers. We did the following on a debian box
with eth0:192.168.124.100, using this script (change the ip addresses):

---
#!/bin/sh
tunctl -u root -t tom0
brctl addbr br0
ifconfig eth0 0.0.0.0 promisc up
ifconfig tom0 0.0.0.0 promisc up
ifconfig br0 192.168.124.100 netmask 255.255.255.0 up
brctl stp br0 off
brctl setfd br0 1
brctl sethello br0 1
brctl addif br0 eth0
brctl addif br0 tom0
route add default gw 192.168.124.1
---
This also works during an ssh connection, but I'm not responsible if
it doesn't - and no, you don't have to use "tom0" :)

change /etc/vservers/XX.conf to match the new interface "tom0".

now we tried to add S_CAPS="CAP_NET_RAW" - tadaaaaaaaaaa! just try to use the standard "ping" program. starting a sniffer works, but you will see absolutely nothing.

we did all these tests this morning (it's 12:05 in south tyrol/italy now) and will go on installing a default web hosting environment on our new vservers.

what do you think about this approach? is it secure? is it worth investing time to enhance it? we are not kernel hackers so we need help for the following features: hide real interfaces in vservers, show them an "eth0" interface instead of "tom0:vs1", add a virtual loopback device.

linux-vserver is a great project, compliments to all guys contributing to it. we would like to help to improve this project, doing tests, posting our ideas, maybe writing documentation (english with your help, german, italian) or little howtos, userspace utilities... And we need your feedback to go on faster!

yours sincerely Thomas Gelf

-- Thomas Gelf <vserver_at_gelf.net>

_______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
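As an added example (not part of Thomas's mail and not a linux-vserver project script), here is the same tap/bridge procedure from his post turned into a parameterised function. It assumes the same tools (tunctl, brctl, ifconfig, route) and the same names and addresses he used (eth0, tom0, br0, 192.168.124.100/24, gateway 192.168.124.1), validates every address before touching an interface, and with DRY_RUN=1 only prints the commands so you can review them before running the script as root over ssh.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the bridge set-up
# described in the mail as one function with address checks and a dry-run.
# Interface names, addresses and gateway below are assumptions taken from
# the post; pass your own values as arguments.

# run: execute the command, or only print it when DRY_RUN=1 is set
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ipv4: return 0 when $1 is a dotted quad with every octet in 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bridge_up PHYS TAP BRIDGE ADDR NETMASK GATEWAY
# Creates the tap device, bridges it with the physical interface and moves
# the host address from PHYS to the bridge, exactly in the order of the post.
bridge_up() {
    phys=$1 tap=$2 br=$3 addr=$4 mask=$5 gw=$6
    valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    valid_ipv4 "$mask" || { echo "bad netmask: $mask" >&2; return 1; }
    valid_ipv4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    run tunctl -u root -t "$tap"
    run brctl addbr "$br"
    run ifconfig "$phys" 0.0.0.0 promisc up
    run ifconfig "$tap" 0.0.0.0 promisc up
    run ifconfig "$br" "$addr" netmask "$mask" up
    run brctl stp "$br" off
    run brctl setfd "$br" 1
    run brctl sethello "$br" 1
    run brctl addif "$br" "$phys"
    run brctl addif "$br" "$tap"
    run route add default gw "$gw"
}

# Example invocation (values from the post):
#   DRY_RUN=1 sh bridge.sh eth0 tom0 br0 192.168.124.100 255.255.255.0 192.168.124.1
if [ $# -eq 6 ]; then
    bridge_up "$@"
fi
```

Run it once with DRY_RUN=1 to see the eleven commands it would issue; a typo in an address aborts before the first tunctl call instead of leaving the box with the old address removed and no bridge up.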


Generated on Tue 17 Feb 2004 - 11:07:37 GMT by hypermail 2.1.3