Re: [Vserver] "Abstract" (not FS based) UNIX sockets collision

From: Alex Lyashkov <shadow_at_psoft.net>
Date: Wed 25 Jan 2006 - 18:25:20 GMT
Message-Id: <1138213520.3976.44.camel@berloga.shadowland>

On Wed, 25.01.2006, at 19:51, Herbert Poetzl wrote:
> On Wed, Jan 25, 2006 at 07:27:11PM +0200, Alex Lyashkov wrote:
> > On Wed, 25.01.2006, at 19:07, Herbert Poetzl wrote:
> > > On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:
> > > > On Wed, 25.01.2006, at 18:47, Herbert Poetzl wrote:
> > > > > On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:
> > > > > > Hi,
> > > > > >
> > > > > > It seems that abstract UNIX sockets "leak" from a vserver. I'm trying to run
> > > > > > the same java app inside two vservers and only the first one started succeeds.
> > > > > >
> > > > > > The critical piece from strace is:
> > > > > >
> > > > > > 20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
> > > > > > 20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
> > > > > > 20397 bind(5, {sa_family=AF_FILE, path=@var/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)
> > > > > >
> > > > > > Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket
> > > > > > hashes are identical across all vservers and that no additional context check
> > > > > > is used. There is a context check in include/net/af_unix.h, but this
> > > > > > does not seem to be used when creating sockets from unix_bind().
> > > > > >
> > > > > > Any ideas?
> > > > >
> > > > > this should help ...
> > > > >
> > > > > --- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100
> > > > > +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100
> > > > > @@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b
> > > > > sk_for_each(s, node, &unix_socket_table[hash ^ type]) {
> > > > > struct unix_sock *u = unix_sk(s);
> > > > >
> > > > > + if (!vx_check(s->sk_xid, VX_IDENT|VX_WATCH))
> > > > > + continue;
> > > > > if (u->addr->len == len &&
> > > > > !memcmp(u->addr->name, sunname, len))
> > > > > goto found;
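Review bot: the vx_check() added at the top of the sk_for_each loop filters only this by-name walk of unix_socket_table[hash ^ type]; sockets from every context still sit in the one table, so any other walker of it needs the same test. Please add a short comment above the check saying why VX_IDENT|VX_WATCH is the mask wanted here, and state in the changelog whether lookups that do not pass through this memcmp on sunname are meant to be covered elsewhere.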
> > > > >
> > > > > thanks for spotting this ...
> > > > >
> > > > This is not a full fix.
> > > > It does not fix the issue for FS-based unix sockets.
> > >
> > > sorry Alex, but the filesystem case is already covered
> > > by the namespaces, which you can verify easily ...
> > >
> > > so everything fine here ...
> > >
> > don't. inode must have one context id (just are error or if
> > unification), but access/bind from another context.
>
> could you provide an example where it fails for you?
>
Look into unix_bind.
You can't create a unix socket if the fs contains an fs object with the same
name. One object can be created via chroot or via full path, and the second
is a program inside the VPS.

-- 
FreeVPS Developers Team  http://www.freevps.com
Positive Software        http://www.psoft.net
Received on Wed Jan 25 18:25:39 2006
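
The two bind() collisions discussed in this thread, reproduced from user space on Linux as an added example (not code from the original messages or from the Linux-VServer project): a second bind to an abstract name already in use, and a bind to a path where a filesystem object already exists. The helper names, socket name and /tmp path are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Bind a stream socket to name; abstract != 0 uses the abstract namespace
 * (leading NUL byte, shown as '@' by strace). Returns the fd, or -errno. */
static int unix_bind_probe(const char *name, int abstract)
{
    struct sockaddr_un sa;
    size_t n = strlen(name), off = abstract ? 1 : 0;
    int fd, e;
    if (off + n >= sizeof(sa.sun_path)) return -ENAMETOOLONG;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path + off, name, n);  /* sun_path[0] stays NUL if abstract */
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&sa,
             (socklen_t)(offsetof(struct sockaddr_un, sun_path) + off + n)) == 0)
        return fd;
    e = errno;
    close(fd);
    return -e;
}

/* Filesystem case: put a plain file at path, then try to bind a socket there. */
static int fs_object_blocks_bind(const char *path)
{
    int r, fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return -errno;
    close(fd);
    r = unix_bind_probe(path, 0);
    if (r >= 0) close(r);
    unlink(path);
    return r;
}

int main(void)
{   /* constructed names, both probes run inside one process */
    int a = unix_bind_probe("example/probe_socket", 1);
    int b = unix_bind_probe("example/probe_socket", 1);
    printf("abstract first=%d second=%d, fs=%d\n", a, b,
           fs_object_blocks_bind("/tmp/example_probe_socket"));
    return 0;
}
```

Both failing cases return -EADDRINUSE, the same errno as in the strace output quoted above; an abstract name becomes free again once the socket holding it is closed.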