
From: Schlomo Schapiro (Schlomo.Schapiro_at_mikado.de)
Date: Thu 26 Feb 2004 - 08:56:12 GMT


Hi,

I checked my permissions, they are all 755. Can you (or s.o. else) run my getpcaps test as in my mail (and here below)? I would like to know whether it is normal that after a chcontext the CAP_SYS_CHROOT capability is not available and cannot be added manually, either.

Thanks a lot,
Schlomo

PS: Anybody else out there using also the OpenWall patches with vserver ?

-- 
Schlomo Schapiro
Senior Consultant
Solution Center Novell/Linux
mikado AG
Bülowstraße 66
10783 Berlin-Schöneberg

Tel.: (030) 21790-0 Mobil: (0177) 3279060 Fax: (030) 21790-200/ -201

>>> "Dirk Windberg" <dirk.windberg_at_web.de> 2004-02-26 00:23:14 >>> private mail:

Hello, I have seen the same error here installing debian as virtual server on a Redhat 7.3 host.

If I set the permission to 000 on /vservers/base I can't start base. If I set the permission to only 770 I can start the vserver but can't ssh into the debian server. When the permissions are set to 755 the vserver is starting + ssh is running well.

I try to figure out what the reason is.

--dirk.

----- Original Message -----
From: "Schlomo Schapiro" <
To: <vserver_at_list.linux-vserver.org>
Sent: Wednesday, February 25, 2004 2:42 PM
Subject: [Vserver] chroot - permission denied

> Hi all,
>
> I just installed VServer on my SuSE9.0 box and compiled a new 2.4.25
> kernel with the OpenWall patches included.
>
> The vserver kernel subsystems seem to be there (checked with e.g. vps -ax)
>
> I then downloaded the debian vserver to start testing and it won't start
> with this message:
>
> -----------------------------------------------------------------------------------
> # vserver debian start
> Starting the virtual server debian
> Server debian is not running
> ipv4root is now 10.1.1.34
> Host name is now gss34.mikado.local
> Domain name is now
> New security context is 49175
> Can't chroot to directory . (Operation not permitted)
> -----------------------------------------------------------------------------------
>
> I started to play around with the chcontext tool and got a very strange
> thing: The CAP_SYS_CHROOT capability is not present !:
>
> -----------------------------------------------------------------------------------
> # /usr/sbin/chcontext --ctx 49176 bash -c 'getpcaps $$'
> New security context is 49176
> Capabilities for `4337': = cap_chown,cap_dac_override,cap_dac_read_search,cap_setgid,cap_setuid,cap_net_broadcast,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease+ep
> -----------------------------------------------------------------------------------
>
> When I do not give the --ctx parameter, all capabilities are present:
> -----------------------------------------------------------------------------------
> # /usr/sbin/chcontext bash -c 'getpcaps $$'
> New security context is 49176
> Capabilities for `4334': =ep cap_setpcap-ep
> -----------------------------------------------------------------------------------
>
> That seems to be the reason why the vserver start command does not work.
>
> Do you have any ideas what could be the problem ?
>
> Some more questions:
> * What about virtualized localhosts ? How can I give each vserver a
>   private localhost(127.0.0.1) ?
> * I am running samba in a chbind environment, however nmbd complains
>   about not being able to bind to the IPs of the other vservers and
>   doesn't start when I have any IP aliases defined. The error log looks
>   like this:
> -----------------------------------------------------------------------------------
> [2004/02/25 12:51:03, 0] nmbd/nmbd.c:main(795)
> Netbios nameserver version 2.2.8a-SuSE started.
> Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2004/02/25 12:51:03, 1] lib/debug.c:debug_message(258)
> INFO: Debug class all level = 1 (pid 3587 from pid 3587)
> [2004/02/25 12:51:03, 0] lib/util_sock.c:open_socket_in(804)
> bind failed on port 137 socket_addr = 10.1.1.34.
> Error = Cannot assign requested address
> [2004/02/25 12:51:03, 0] nmbd/nmbd_subnetdb.c:make_subnet(139)
> nmbd_subnetdb:make_subnet()
> Failed to open nmb socket on interface 10.1.1.34 for port 137. Error was Cannot assign requested address
> [2004/02/25 12:51:03, 0] nmbd/nmbd.c:main(873)
> ERROR: Failed when creating subnet lists. Exiting.
> -----------------------------------------------------------------------------------
>
> 10.1.1.34 is the IP alias added by the debian vserver I tried to run. I
> thought that chbind was supposed to prevent vservers from seeing other
> IPs ? Is there a solution to this nmb problem ?
>
>
> Thanks a lot for any help,
> Schlomo
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
>
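
The two getpcaps outputs quoted above can be compared mechanically; the following is an added example, not part of the original mails, that gives a simplified reading of the libcap text form and reports whether `cap_sys_chroot` is in the effective set. The 29-name capability list is an assumption matching 2.4-era kernels, and the two sample lines are the outputs from the post with the mail line wraps rejoined.

```python
import re

# Assumption: the 29 capabilities (numbers 0..28) defined by 2.4-era kernels.
KNOWN_CAPS = frozenset("""
cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill
cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner
cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct
cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time
cap_sys_tty_config cap_mknod cap_lease
""".split())

CLAUSE = re.compile(r"([a-z_,]*)((?:[=+-][eip]*)+)")  # name list, then actions
ACTION = re.compile(r"([=+-])([eip]*)")               # operator plus flag letters

def parse_cap_text(text):
    """Map each flag ('e', 'i', 'p') to the set of capability names it holds."""
    sets = {flag: set() for flag in "eip"}
    for clause in text.split():
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError("bad clause: %r" % clause)
        names, actions = m.groups()
        if names in ("", "all"):
            # An empty name list means "all", and is only valid before "=".
            if names == "" and not actions.startswith("="):
                raise ValueError("empty list needs '=': %r" % clause)
            caps = set(KNOWN_CAPS)
        else:
            caps = set(names.split(","))
            if caps - KNOWN_CAPS:
                raise ValueError("unknown capability in %r" % clause)
        for op, flags in ACTION.findall(actions):
            if op == "=":  # "=" first clears e, i and p for the named caps
                for flag in "eip":
                    sets[flag] -= caps
            for flag in flags:
                if op == "-":
                    sets[flag] -= caps
                else:
                    sets[flag] |= caps
    return sets

def effective_caps(getpcaps_line):
    """Effective set from a "Capabilities for `PID': ..." line."""
    return parse_cap_text(getpcaps_line.split(":", 1)[1])["e"]

# Outputs quoted in the post (mail line wraps rejoined).
WITH_CTX = ("Capabilities for `4337': = cap_chown,cap_dac_override,"
            "cap_dac_read_search,cap_setgid,cap_setuid,cap_net_broadcast,"
            "cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease+ep")
WITHOUT_CTX = "Capabilities for `4334': =ep cap_setpcap-ep"

if __name__ == "__main__":
    for label, line in (("--ctx 49176", WITH_CTX), ("no --ctx", WITHOUT_CTX)):
        print(label, "cap_sys_chroot" in effective_caps(line))
```
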



Generated on Thu 26 Feb 2004 - 08:57:08 GMT by hypermail 2.1.3