
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Tue 05 Apr 2005 - 02:12:48 BST


On Tue, Apr 05, 2005 at 12:41:12PM +1200, Michal Ludvig wrote:
> Hi all,
>
> I'm trying to set up vserver on my SuSE Linux 9.2 box running 2.6.11.5
> kernel with vserver 1.9.5 patch and util-vserver-0.30.204.
>
> I met a number of issues, perhaps because this is the first time I play
> with vservers.
>
> 1) vprocunhide (i.e. setattr) spits out a lot of "Bad address" messages.
> Even a simple setattr behaves the same way:
>
> puck:root:~# /usr/local/sbin/setattr /proc/uptime
> /proc/uptime: Bad address

that is at least unusual ... you sure the kernel was
compiled with the vserver patch?

> 2) I created a legacy vserver 'hokpok' with debian-newvserver.sh (0.3.4)
> from http://www.paul.sladen.org/vserver/debian/

I expect the debian users to do such foolish things ;)
but now the SuSE folks start using debian-newvserver too?

please don't! use the tools (vserver <name> build ...)
to create a new vserver, it will get a proper config
then ...

> However starting this up dies with
> ---
> [...]
> New security context is 49169
> capchroot: chroot(): Operation not permitted

make sure that capabilities are compiled into the kernel
and not as module ... (or if module that they are properly
loaded at system bootup)

> ---
> Then I even added CAP_SYS_CHROOT and CAP_SYS_ADMIN to the S_CAPS list
> but to no avail.

don't do that, no caps are required there ... if you
really use an old (legacy) config please leave S_CAPS=""

>
> I traced it down to:
> /usr/local/sbin/chbind --ip 192.168.224.22 --bcast 192.168.224.127 \
> /usr/local/lib/util-vserver/chcontext-compat --cap CAP_NET_RAW \
> --cap CAP_SYS_CHROOT --hostname hokpok --secure \
> /usr/local/lib/util-vserver/legacy/save_s_context \
> /usr/local/var/run/vservers/hokpok.ctx \
> /usr/local/lib/util-vserver/capchroot . /etc/init.d/rc 2
>
> If I replace chcontext-compat with /usr/local/sbin/chcontext it works
> much better, so I did _CHCONTEXT_COMPAT=$_CHCONTEXT in util-vserver-vars.

that's because you have a legacy config! don't change
or exchange the tools unless you know what you're doing
(which you are obviously not ;)

> 3) Now it even seems it boots up:
> puck:root:~# vserver -v hokpok start
> [...]
> Starting OpenBSD Secure Shell server: sshd.
> Starting deferred execution scheduler: atd.
> Starting periodic command scheduler: cron.
> puck:root:~#
>
> but I can't see the context was running with vserver-stat, nor can I
> enter it with 'vserver hokpok enter /bin/bash' which says:
> puck:root:~# vserver hokpok enter /bin/bash
> WARNING: can not find configuration, assuming legacy method
> WARNING: can not access /proc/uptime. Usually, this is caused by
> procfs-security. Please read the FAQ for more details
> http://www.linux-vserver.org/index.php?page=Linux-Vserver+FAQ
> Error: /proc must be mounted
> To mount /proc at boot you need an /etc/fstab line like:
> /proc /proc proc defaults
> In the meantime, mount /proc /proc -t proc
> Failed to parse ps-output
> ipv4root is now 192.168.224.22
> vcontext: vc_create_context(): Device or resource busy

the result of your changes ...

> I guess all these problems are caused by the "setattr -> Bad address"
> issue.

no, but I would investigate this anyway, because
vprocunhide is very simple ...

> Any ideas?

yes, start with the testme.sh and see if it passes all
tests, if not, then either tools or kernel aren't working
as expected, and we have to investigate this ...

http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh

HTH,
Herbert

> Thanks in advance!
>
> Michal Ludvig
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver


Generated on Tue 05 Apr 2005 - 02:13:08 BST by hypermail 2.1.3