From: Thomas Gelf (vserver_at_gelf.net)
Date: Tue 17 Feb 2004 - 13:14:21 GMT
> I would suggest sending it to the debian-newvserver maintainer
> whoever that might be atm ...
anyone out there interested? Mark Lawrence? Paul Sladen?
> make sure to use static context ids ...
thank you, we do so. we are currently doing some changes to vserver-copy
to include disk-limit support... I'll post some ideas later.
> hmm, interesting approach, could you also try it with
> the dummy interface (dummy0), that might work as well,
> and it might be a simpler? solution ...
simpler solution up and running:
# apt-get install bridge-utils
brctl addbr br0
ifconfig eth0 0.0.0.0 promisc up
ifconfig dummy1 hw ether 01:02:03:04:05:06
ifconfig dummy1 0.0.0.0 promisc up
ifconfig br0 192.168.124.100 netmask 255.255.255.0 up
brctl stp br0 off
brctl setfd br0 1
brctl sethello br0 1
brctl addif br0 eth0
brctl addif br0 dummy1
route add default gw 192.168.124.1
change /etc/vservers/XX.conf to match dummy1, add S_CAPS="CAP_NET_RAW"
first test: ping and traceroute working, sniffer:
# tcpdump
tcpdump: listening on dummy1:vs1
0 packets received by filter
0 packets dropped by kernel
in our first test we used the tunctl interfaces because the idea was to create the following interfaces:
int0:vs1 tom0:vs2 tom1:vs1
now we have:
and so on. it seems that there is no security problem with the "dummy-way", please let me know if I'm wrong!
> not so fast, but yes, we could probably do a lot of those
> things, just think nameif and private namespaces ...
hmmm... I've never tried out nameif, but it doesn't seem to help much. private namespaces? can you tell me more about that? our vservers can currently see lo, br0, eth0, dummy1 and dummy1:vsX. hide them all and show only eth0 and lo would be great!
and: try to imagine different bridges, different subnets, vservers (with some more CAPs) acting as routers or firewalls between them - a whole network on one single machine :o)
-- Thomas Gelf <vserver_at_gelf.net>
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
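A host-side inventory of which guests have been granted CAP_NET_RAW through S_CAPS, as an added example that is not part of the original message or of the vserver tools. It assumes /etc/vservers/NAME.conf files with plain shell-style S_CAPS="..." lines where the last assignment wins; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list vserver guests whose config grants CAP_NET_RAW.
# Assumption: S_CAPS is set by literal S_CAPS="..." lines in NAME.conf.
# The files are parsed as text and never sourced, so auditing a config
# as root cannot execute anything a config file contains.

# Print the effective S_CAPS value of one config file.
# Assumption: the last uncommented assignment is the one that applies.
read_s_caps() {
    sed -n 's/^[[:space:]]*S_CAPS=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Print "NAME<TAB>CAPS" for every guest under directory $1
# (default /etc/vservers) whose S_CAPS includes CAP_NET_RAW.
audit_net_raw() {
    dir=${1:-/etc/vservers}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        caps=$(read_s_caps "$conf")
        case " $caps " in
            *" CAP_NET_RAW "*)
                printf '%s\t%s\n' "$(basename "$conf" .conf)" "$caps"
                ;;
        esac
    done
}

# Constructed sample configs (not from the page) to exercise the audit:
# vs1 holds CAP_NET_RAW, vs2 holds nothing, vs3 has a commented-out line
# followed by a real assignment with two capabilities and a trailing comment.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'S_CAPS="CAP_NET_RAW"\n' > "$tmp/vs1.conf"
    printf 'S_CAPS=""\n' > "$tmp/vs2.conf"
    printf '#S_CAPS="CAP_NET_RAW"\nS_CAPS="CAP_NET_ADMIN CAP_NET_RAW" # router\n' \
        > "$tmp/vs3.conf"
    audit_net_raw "$tmp"
    rm -rf "$tmp"
}
```

Guests reported here can open raw and packet sockets, so they are the ones to check first when deciding which interfaces on the bridge a guest should be able to listen on.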