From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 27 Jan 2005 - 20:25:52 GMT
On Thu, Jan 27, 2005 at 09:05:50PM +0100, Torsten Kurbad wrote:
> Herbert Poetzl:
> > but you should never us it inside a vserver, as devfs gives
> > you access to _all_ devices present on your system, which
> > basically allows any vserver root user to do whatever he
> > likes with your harddisks (and more) ...
> I stopped it and created the device nodes you suggested. The vserver
> still comes up fine.
> > vshelper (and the alpha util-vserver tools) take care of
> > that now, reboot (or reboot -f) inside the vserver is
> > redirected to the helper which in turn cycles the vserver
> > if a vserver manages to reboot your host, then you have
> > some connection to the host init present (like /dev/initctl)
> > or an ancient kernel running (which doesn't know about the
> > helper)
> And that's exactly what still doesn't work.
> On the root system:
> olymp ~ # cat /etc/sysctl.conf | grep vshelper
> olymp ~ # stat /usr/lib/util-vserver/vshelper
> File: `/usr/lib/util-vserver/vshelper'
> Size: 5534 Blocks: 16 IO Block: 4096 regular file
> Device: 805h/2053d Inode: 10739715 Links: 1
> Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2005-01-25 10:55:35.000000000 +0100
> Modify: 2005-01-25 10:55:35.000000000 +0100
> Change: 2005-01-25 10:55:35.000000000 +0100
> olymp ~ # uname -r
> I wouldn't call that kernel exactly ancient (2.6.10-vs1.9.3 gave me
> Oopses during console login on the root server, so I downgraded to this
> - obviously more stable - version...)
> Within the vserver:
> zope3 ~ # reboot
> Broadcast message from root (pts/2) (Thu Jan 27 20:58:04 2005):
> The system is going down for reboot NOW!
> shutdown: /dev/initctl: No such file or directory
> init: /dev/initctl: No such file or directory
I guess the 'reboots the host' issue is gone now, right?
next step is to use 'reboot -f' instead of reboot, if
you do not have some kind of init (inside the vserver)
handling the reboot syscall for you ...
reboot/shutdown/poweroff and friends just send a message
to init (which usually does the reboot), but the -f option
makes those tools (actually copies of init) do the syscall
given that your vserver has the required CAPs (which
should be fine by default) it will call to the vshelper
which in turn will restart the vserver ...
> So, how do I now prevent reboot from accessing /dev/initctl. Or, more
> precisely, why isn't the reboot event handled by vshelper, which works
> perfectly fine from "outside" the vserver?
> Vserver mailing list
Vserver mailing list