From: Gaz Wilson (dragon_at_dragons.org.uk)
Date: Wed 04 May 2005 - 16:15:52 BST
Hi again!
I discovered earlier that yes indeed, if you configure the host up with the
relevant binfmt stuff, the vservers adopt those settings, so all is well and
good.
I am having trouble with grsec though - I have set it for medium security, and
yet the vserver refuses to start complaining that the capabilities don't
exist - yet I checked the kernel and the default capabilities are set
(monolithically, not as a module) - just checking all kernel options and
recompiling, in case there's some difference between my working kernel
with grsec disabled and this one...
In the meantime, if anyone has used grsec along with vservers, I'd be
interested to hear any stories about making it work!!!
Thanks all!
Gary Wilson
On Wed, 4 May 2005, Herbert Poetzl wrote:
> On Wed, May 04, 2005 at 10:01:49AM +0100, Gaz Wilson wrote:
> >
> > Hi - sorry for asking again - Normally I like to research such things
> > properly, but time is not on my side for this project, so I come in
> > hope of a quick solution.
> >
> > I need to install binfmt support within a vserver, however proc is
> > secured in such a way as it cannot install properly:
> >
> > Setting up binfmt-support (1.2.3) ...
> > mount: permission denied
> > update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
> > /proc/sys/fs/binfmt_misc.
> > Enabling additional executable binary formats: mount: permission denied
> > update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
> > /proc/sys/fs/binfmt_misc.
> > binfmt-support.
>
> binfmt or more precisely misc binary format support
> is not available inside vserver, because it needs userspace
> helpers which have to 'run' in the proper context, and
> that has just not been done yet ... you can use it on the
> host though ... and it might reach/map into vservers
> (not tested)
>
> best,
> Herbert
>
> > Is there a (good) way to allow this to happen without removing proc security
> > entirely? I didn't see anything in the docs I have skimmed through...
> >
> > thanks and apologies for asking without doing much research first.
> >
> > --
> > / Gary Wilson, aka dragon/dragonlord/dragonv480 \
> > .'(_.------. e: dragon_at_northernscum.org.uk MSN: dragonv480 .------._)`.
> > < _ | Skype:dragonv480 ICQ:342070475 AIM:dragonv480 | _ >
> > `.( `------' w: http://volvo480.northernscum.org.uk `------' ).'
> > \ w: http://www.northernscum.org.uk /
> > _______________________________________________
> > Vserver mailing list
> > Vserver_at_list.linux-vserver.org
> > http://list.linux-vserver.org/mailman/listinfo/vserver
>