
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Wed 29 Sep 2004 - 12:47:01 BST


On Tue, Sep 28, 2004 at 05:21:56PM -0700, Cathy Sarisky wrote:
>
> Thanks to Herbert for quite a bit of help in IRC!

you're welcome!

> The problem looks to be the kernel version. The one where it works is
> 2.4.25 (yes, I need to upgrade), the one where it doesn't is 2.4.27.
> Herbert tracked it down to a change that now requires cap_sys_admin to
> mount, which of course the vserver didn't have.
>
> I've worked around the problem by doing the mount from the host server,
> but long term, the client would like to be able to set things up himself.
>
> So here's another question: Is there a means to allow a client with two
> vservers (on separate hosts) to set up some sort of sharing between them
> without intervention from the host server? Is nfs the right tool for
> this, or should we be looking at something else?

hmm, basically the 2.6 devel branch supports something
we call 'secure mounts' which can be done from within
a vserver, but basically nfs (or other kernel based
network filesystems) have two implications if used from
_within_ a vserver:

 a) you are doing kernel stuff (which might bring down
    your machine, or just hang it infinitely)
 b) with a network fs mount, you basically risk that
    somebody creates some device nodes that he isn't
    supposed to have (for example for your root dev)

userspace solutions should be a viable alternative to
the kernel network fs here, for example using ftp or ssh
protocols to share data between those servers (this can
be completely transparent to applications using the
network data)

HTH,
Herbert

> Many thanks in advance for your thoughts,
>
> Cathy
>
> On Tue, 28 Sep 2004, Cathy Sarisky wrote:
>
> >
> > Hello!
> >
> > Running vs1.26, a user within a vserver can do an nfs mount like so:
> > mount servername:/tmp /a
> >
> > Running vs1.28, a user within a vserver attempting the same command gets
> > the error:
> > mount: permission denied
> >
> > I think I've ruled out a config file problem, as attempts to mount with
> > /etc/exports or /etc/hosts.allow produce "mount: servername:/tmp failed,
> > reason given by server: Permission denied" instead.
> >
> > I think I've ruled out a firewall problem.
> >
> > I can do the nfs mount from the parent server, but not within a vserver
> > under kernel 1.28
> >
> > So, here's my question(s):
> > - What do I need to do to get mounting an nfs-partition working within a
> > vserver running vs1.28?
> > - What are the security consequences of doing so?
> >
> > Many thanks!
> >
> > p.s. I have a kludgy workaround in that I can do the mounts from the
> > parent server, but since I'd like my customers to be able to do their own
> > nfs mounts, this is sub-optimal...
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
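The thread turns on two points: on the 2.4.27 kernel a mount from inside a vserver fails with a bare "permission denied" because the mount path now requires CAP_SYS_ADMIN, and Herbert's caveat (b) is that a kernel network filesystem mounted inside a guest lets someone plant device nodes there. The following script is an added example, not code from the thread or from the Linux-VServer project. It assumes a Linux /proc/self/status that exposes the effective capability set as the hex bitmask CapEff, and that CAP_SYS_ADMIN is capability number 21 (its value in linux/capability.h); the export name and mount point are placeholders supplied by the caller. It checks the capability up front so the failure is explained instead of guessed at, and mounts with nodev,nosuid so device nodes and setuid binaries living on the export are not honoured on the mounting side.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions: /proc/self/status carries a "CapEff:" line holding a hex
# capability bitmask, and CAP_SYS_ADMIN is bit 21 (linux/capability.h).

CAP_SYS_ADMIN=21

# cap_in_mask MASK_HEX CAPNUM
# Succeeds (exit 0) when bit CAPNUM is set in the hex mask MASK_HEX.
cap_in_mask() {
    mask_hex=$1
    capnum=$2
    # Shell arithmetic accepts the 0x prefix, so the raw CapEff field works.
    bit=$(( (0x$mask_hex >> capnum) & 1 ))
    [ "$bit" -eq 1 ]
}

# current_capeff
# Prints the effective capability mask of this process.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# mount_nfs_share SERVER:/EXPORT MOUNTPOINT
# Refuses early, with the reason, when CAP_SYS_ADMIN is absent from the
# effective set (what the kernel otherwise reports only as "permission
# denied"); otherwise mounts with nodev,nosuid so device nodes or setuid
# binaries on the export are ignored on this side.
mount_nfs_share() {
    export_path=$1
    mountpoint=$2
    capeff=$(current_capeff)
    if ! cap_in_mask "$capeff" "$CAP_SYS_ADMIN"; then
        echo "refusing: CAP_SYS_ADMIN not in effective set (CapEff=$capeff)" >&2
        return 2
    fi
    mount -t nfs -o nodev,nosuid "$export_path" "$mountpoint"
}

# Usage (placeholders): mount_nfs_share servername:/tmp /a
```

Run inside the guest, the check fails on a vserver that was not granted CAP_SYS_ADMIN, which matches the behaviour Cathy saw on vs1.28; on the host, where the capability is present, the mount proceeds but with the device-node exposure from caveat (b) closed off by nodev.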


Generated on Wed 29 Sep 2004 - 12:47:25 BST by hypermail 2.1.3