From: Dennis Roos (dennis_at_intouch.nl)
Date: Fri 04 Jun 2004 - 17:42:41 BST
On 4 Jun 2004 at 10:15, Gregory (Grisha) Trubetskoy wrote:
> IMHO snmp is very complex by design and as a consequence of that is a
> significant security threat. If I was a potential customer of yours and
> you insisted that I must run snmpd in my server, I'd balk.
The SNMPD application is supposed to run on the host, not within
the vserver itself... That, I agree, would be a security threat, and an
unnecessary resource allocation.
> There are probably ways to accomplish anything you do via snmp by
> other means. E.g. to count bits in and out, I found that using
> iptables (as described in Paul Sladen's Vserver FAQ) works great.
It works great, I agree, however, SNMP is a generic and proven way
to do monitoring of a wide variety of devices (routers, servers,
> As to handling authentication, it's not hard to verify the user's
> password against the hash in their passwd file. Here is the source for
> a little program that we use:
Authentication handling is not a hard task; handling a distributed
authentication mechanism involves a lot more work (database
authentication, session management, etc.)
> You give this program one argument, the root of the vserver, pipe
> "userid:password" to its stdin, and its exit code will tell you
> whether the credentials are satisfied. It has to be a setuid program
> if you're going to be running it from a webserver (which I'm assuming
> isn't running as root).
Think of 100 vserver nodes, running 500 vservers, this involves a
lot of administration and is almost undoable by hand. The
configuration data, etc. - in our case - is already in the database.
Maintenance can be done from a central management server. And
monitoring as well... Monitoring is done via SNMP, why not do the
management via SNMP as well?
That was the question I intended to ask ;)
Vserver mailing list