From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Wed 15 Jun 2005 - 14:49:21 BST
On Wed, Jun 15, 2005 at 09:59:27AM +0200, Moritz Rudert wrote:
> Herbert Poetzl wrote:
> >On Wed, Jun 15, 2005 at 12:05:37AM +0100, Matthew Walster wrote:
> >>This sounds like a really bad idea - theoretically it's possible to
> >>assign eth0 and eth1 to a virtual server, but you're asking for trouble.
> >hmm, it is?
> >>It would be far better to do it in real kernel space as the
> >>security risks are minimal if existent.
> >like? I mean how to do that?
> >>If you WERE to go ahead with it, you may have to resort to using eth0:0
> >>and eth0:1, as I'm not sure how to assign eth1 in a user-mode process,
> >>(I'm only really familiar with tun/tap, literally only just installing
> >>vserver at this time after playing with uml) and I'm sure someone else
> >>will fill you in on that.
> >hum, maybe you are too deep into UML here ;)
> >>Just reconsider - why are you compartmentalising this service? Is it due
> >>to security or just because you don't want the main server having _any_
> >>services above kernel-mode?
> >hmm, kernel-mode services ....
> >well, was fun reading, so thanks,
> >>Matthew Walster
> >>On Tuesday 14 June 2005 22:22, Herbert Poetzl wrote:
> >>>On Tue, Jun 14, 2005 at 08:34:18PM +0200, Moritz Rudert wrote:
> >>>>I want to run a debian-router in my VServer. So I need to use a real
> >>>>Interface (eth1). My question: Is it possible to do this?
> Okay, thanks for your answers and I really want to try this. But how do I
> set up the real NIC in the vserver-config? I read the IP-Tutorial (maybe
> it is named differently), but I didn't find anything.
you do not set it up at all, you have to give the guest
CAP_NET_ADMIN and CAP_NET_RAW to gain access to _all_
interfaces and chbind the guest to 0.0.0.0 or not at all
this will allow you to do arbitrary things to the network
stuff including interfaces, iptables, routing, etc ...
there is no concept of 'assigning' an interface to a guest
(but there will be with ngnet in the future)
> Moritz Rudert
Vserver mailing list
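
Added example, not part of the original message or of the Linux-VServer tools: because a guest given CAP_NET_ADMIN and CAP_NET_RAW can reach all interfaces, this audit decodes the `CapEff` mask in `/proc/<pid>/status` and lists the processes that hold either capability. The sample status excerpts are constructed, and the function names are hypothetical.

```python
import os
import re

# Bit numbers from <linux/capability.h>.
NET_CAPS = {"CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13}

# Constructed /proc/<pid>/status excerpts (not taken from the thread).
SAMPLE_PLAIN_GUEST = "Name:\tsshd\nCapPrm:\t00000000000004ff\nCapEff:\t00000000000004ff\n"
SAMPLE_ROUTER_GUEST = "Name:\tzebra\nCapPrm:\t00000000000034ff\nCapEff:\t00000000000034ff\n"

CAP_LINE = re.compile(r"^(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Map each Cap* line of a status file to its integer bitmask."""
    sets = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def net_caps_held(status_text, cap_set="CapEff"):
    """Names of the network capabilities present in the chosen set."""
    sets = parse_cap_sets(status_text)
    if cap_set not in sets:
        raise ValueError(f"no {cap_set} line in status text")
    return sorted(n for n, bit in NET_CAPS.items() if (sets[cap_set] >> bit) & 1)


def scan_proc(proc_root="/proc"):
    """Return {pid: [caps]} for every visible process holding either capability."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                held = net_caps_held(fh.read())
        except (OSError, ValueError):
            continue  # process exited mid-scan, or status has no CapEff line
        if held:
            found[int(entry)] = held
    return found


if __name__ == "__main__":
    print("plain guest :", net_caps_held(SAMPLE_PLAIN_GUEST))
    print("router guest:", net_caps_held(SAMPLE_ROUTER_GUEST))
    for pid, caps in sorted(scan_proc().items()):
        print(pid, ",".join(caps))
```

Run inside a guest, an empty result from `scan_proc()` means no visible process there holds either capability in its effective set.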