Re: [vserver] Problem with bind mount

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Wed 19 Aug 2009 - 13:50:03 BST
Message-ID: <20090819125003.GD22603@MAIL.13thfloor.at>

On Wed, Aug 19, 2009 at 07:49:15AM -0400, John A. Sullivan III wrote:
> Hi, Erdem. I'll try to address both issues.

> Yes, I suppose there is the danger of data loss if the data is shared
> between vservers. However, if it is only being used for one vserver
> (which seems to be the case here), one would only delete the data for
> that particular vserver. In effect, there really is only one file
> system with different views into it.

> To get it to work within a vserver guest, you may need to edit your
> capabilities. I do not recall off hand which they are.

within != from the guest config's fstab (see my other reply)

for the latter no additional capabilities are required

> Might I also suggest that you bottom post rather than top post in future
> threads; it makes it a little easier to follow. Thanks - John

you may, but I'd suggest using 'interleaved posting', aka
inline replying, as it is the only way to keep longer
posts and replies _somewhat_ readable :)

best,
Herbert

> On Wed, 2009-08-19 at 14:32 +0300, Erdem Bayer wrote:
> > Hi
> >
> > I think it is more dangerous than the vserver fstab approach. If you forget to umount the bind before doing a "vserver delete" operation or issuing rm -rf on the vserver rootdir, then data on your physical host is lost.
> >
> > But thanks for the tip. I will keep the idea as fallback.
> >
> > Can anyone help me on why secure-mount is writing the error message but mounts the fstab entries anyway?
> >
> > Kind Regards
> > Erdem Bayer
> >
> > On Wed, 19 Aug 2009 07:13:11 -0400
> > "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> >
> > > If anything, I would think it would be safer. I don't recall but you
> > > may need to add specific capabilities to the guests. We only do that as
> > > a last resort to keep our guests as secure as possible.
> > >
> > > Doing your bind mounts from the host gives you a single point of
> > > administration for the guest file systems. It means the filesystem is
> > > in place before the guest starts. It seems to be easier to maintain. I
> > > suppose in an emergency, it also gives you the ability to unbind or
> > > rebind from the host.
> > >
> > > I'm certainly not an expert so, if you think you know better, you
> > > probably do, but this is how we manage our systems which rely very
> > > heavily on bind mounts - John
> > >
> > > On Wed, 2009-08-19 at 14:00 +0300, Erdem Bayer wrote:
> > > > Hi
> > > >
> > > > Is it safe to do the bind mounts from the host? What are the pros and cons?
> > > >
> > > > Kind Regards
> > > > Erdem Bayer
> > > >
> > > > On Wed, 19 Aug 2009 06:51:24 -0400
> > > > "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> > > >
> > > > > On Wed, 2009-08-19 at 13:23 +0300, Erdem Bayer wrote:
> > > > > > Hi
> > > > > >
> > > > > > I have a debian lenny i386 vserver running on a lenny amd64 host with the following fstab entries:
> > > > > >
> > > > > > none /proc proc defaults 0 0
> > > > > > none /tmp tmpfs size=256m,mode=1777 0 0
> > > > > > none /dev/pts devpts gid=5,mode=620 0 0
> > > > > > /home /home bind bind 0 0
> > > > > > /iscsi/www /var/www bind bind 0 0
> > > > > > /iscsi/log/concero /var/log bind bind 0 0
> > > > > >
> > > > > > When I start a vserver, I see these errors in the output:
> > > > > >
> > > > > > secure-mount: mount(): Invalid argument
> > > > > > /etc/vservers/concero/fstab:5:1: failed to mount fstab-entry
> > > > > > secure-mount: mount(): Invalid argument
> > > > > > /etc/vservers/concero/fstab:6:1: failed to mount fstab-entry
> > > > > >
> > > > > > But the vserver starts and the directories in fstab file are mounted anyway.
> > > > > >
> > > > > > I don't know if it makes a difference, but the /home fs is ext3 and /iscsi is formatted with ocfs2 and mounted via iscsi. I can mount them manually with the following command:
> > > > > >
> > > > > > sudo mount --bind /iscsi/log/concero /etc/vservers/concero/vdir/var/log
> > > > > >
> > > > > > When I dug deeper I found that secure-mount is called with the following parameters:
> > > > > >
> > > > > > ++ pushd /etc/vservers/concero/vdir
> > > > > > ++ test -w etc -o -w etc/mtab
> > > > > > ++ /usr/lib/util-vserver/secure-mount -a --chroot --fstab /etc/vservers/concero/fstab --rootfs no
> > > > > >
> > > > > > Here is the strace of running secure-mount manually (if it helps):
> > > > > >
> > > > > >
> > > > > > chroot(".") = 0
> > > > > > chdir("/") = 0
> > > > > > fchdir(3) = 0
> > > > > > chroot(".") = 0
> > > > > > chdir("/var/www") = 0
> > > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > > fchdir(4) = 0
> > > > > > chroot(".") = 0
> > > > > > fchdir(6) = 0
> > > > > > close(6) = 0
> > > > > > mount("/iscsi/www", ".", 0x7fffdf03e67f, MS_NODEV|MS_BIND, 0x7f9ad703f070) = 0
> > > > > > fchdir(3) = 0
> > > > > > chroot(".") = 0
> > > > > > chdir("/var/www") = 0
> > > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > > fchdir(4) = 0
> > > > > > chroot(".") = 0
> > > > > > fchdir(6) = 0
> > > > > > close(6) = 0
> > > > > > mount("/iscsi/www", ".", 0x7fffdf03e67f, MS_NODEV|MS_REMOUNT, NULL) = -1 EINVAL (Invalid argument)
> > > > > > write(2, "secure-mount: mount()"..., 21secure-mount: mount()) = 21
> > > > > > write(2, ": "..., 2: ) = 2
> > > > > > write(2, "Invalid argument"..., 16Invalid argument) = 16
> > > > > > write(2, "\n"..., 1
> > > > > > ) = 1
> > > > > > write(2, "/etc/vservers/concero/fstab"..., 27/etc/vservers/concero/fstab) = 27
> > > > > > write(2, ":5:1"..., 4:5:1) = 4
> > > > > > write(2, ": failed to mount fstab-entry\n"..., 30: failed to mount fstab-entry
> > > > > > ) = 30
> > > > > > chdir("/") = 0
> > > > > > fchdir(3) = 0
> > > > > >
> > > > > >
> > > > > > chroot(".") = 0
> > > > > > chdir("/var/log") = 0
> > > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > > fchdir(4) = 0
> > > > > > chroot(".") = 0
> > > > > > fchdir(6) = 0
> > > > > > close(6) = 0
> > > > > > mount("/iscsi/log/concero", ".", 0x7fffdf03e6a9, MS_NODEV|MS_BIND, 0x7f9ad703f090) = 0
> > > > > > fchdir(3) = 0
> > > > > > chroot(".") = 0
> > > > > > chdir("/var/log") = 0
> > > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > > fchdir(4) = 0
> > > > > > chroot(".") = 0
> > > > > > fchdir(6) = 0
> > > > > > close(6) = 0
> > > > > > mount("/iscsi/log/concero", ".", 0x7fffdf03e6a9, MS_NODEV|MS_REMOUNT, NULL) = -1 EINVAL (Invalid argument)
> > > > > > write(2, "secure-mount: mount()"..., 21secure-mount: mount()) = 21
> > > > > > write(2, ": "..., 2: ) = 2
> > > > > > write(2, "Invalid argument"..., 16Invalid argument) = 16
> > > > > > write(2, "\n"..., 1
> > > > > > ) = 1
> > > > > > write(2, "/etc/vservers/concero/fstab"..., 27/etc/vservers/concero/fstab) = 27
> > > > > > write(2, ":6:1"..., 4:6:1) = 4
> > > > > > write(2, ": failed to mount fstab-entry\n"..., 30: failed to mount fstab-entry
> > > > > > ) = 30
> > > > > > close(5) = 0
> > > > > > _exit(0) = ?
> > > > > >
> > > > > > Kind Regards
> > > > > > Erdem Bayer
> > > > > Might it be faster and easier to do the bind mounts from the host,
> > > > > e.g.,
> > > > > /somesource/iscsi/log/concero /vservers/vserver1/var/log bind bind 0 0
> > > > >
> > > > > --
> > > > > John A. Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan@opensourcedevel.com
> > > > >
> > > > > http://www.spiritualoutreach.com
> > > > > Making Christianity intelligible to secular society
> > > > >
Received on Wed Aug 19 13:50:21 2009
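Added example, not code from this thread or from util-vserver: a small C program that performs the two-step sequence the strace above shows for a bind mount, but with the second call as MS_REMOUNT|MS_BIND, the form mount(2) defines for changing one mount point's own flags, and that then checks /proc/self/mountinfo instead of trusting return values, because the MS_BIND call ignores nodev and returns 0 regardless. It runs in a private mount namespace, so it needs root, and the /tmp source and target directories are constructed by the example.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 1 if the /proc/self/mountinfo line for mount point `target` lists `opt` among
 * its per-mount options (sixth field), else 0. `info` is the whole file or a sample. */
int mount_has_opt(const char *info, const char *target, const char *opt)
{
    char line[1024], *save, *f[6];
    for (const char *p = info; *p; ) {
        size_t m = strcspn(p, "\n"), n = m < sizeof line ? m : sizeof line - 1;
        memcpy(line, p, n); line[n] = '\0';
        p += m + (p[m] == '\n');
        int i = 0;
        for (char *t = strtok_r(line, " ", &save); t && i < 6; t = strtok_r(NULL, " ", &save))
            f[i++] = t;
        if (i < 6 || strcmp(f[4], target) != 0) continue;      /* not this mount point */
        for (char *o = strtok_r(f[5], ",", &save); o; o = strtok_r(NULL, ",", &save))
            if (strcmp(o, opt) == 0) return 1;
        return 0;
    }
    return 0;
}

int main(void)
{
    char src[] = "/tmp/bind-src-XXXXXX", dst[] = "/tmp/bind-dst-XXXXXX";  /* constructed */
    static char info[1 << 16];
    if (!mkdtemp(src) || !mkdtemp(dst)) { perror("mkdtemp"); return 1; }
    /* Private mount namespace (CLONE_NEWNS = 0x20000, needs CAP_SYS_ADMIN) so
     * nothing reaches the host's mount table. */
    if (syscall(SYS_unshare, 0x20000L) < 0) { perror("unshare"); return 1; }
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
    /* Step 1: the bind. mount(2) ignores every other flag on an MS_BIND call,
     * so nodev is not in effect yet even though the call returns 0. */
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0) { perror("bind"); return 1; }
    /* Step 2: MS_REMOUNT|MS_BIND changes only this mount point's flags. MS_REMOUNT
     * alone, the call that got EINVAL in the strace, addresses the superblock instead. */
    if (mount(NULL, dst, NULL, MS_REMOUNT | MS_BIND | MS_NODEV, NULL) < 0) { perror("remount"); return 1; }
    FILE *fp = fopen("/proc/self/mountinfo", "r");   /* verify from the mount table */
    size_t got = fp ? fread(info, 1, sizeof info - 1, fp) : 0;
    if (fp) fclose(fp); info[got] = '\0';
    printf("%s nodev: %s\n", dst, mount_has_opt(info, dst, "nodev") ? "yes" : "no");
    umount(dst); rmdir(dst); rmdir(src);
    return 0;
}
```

The same mount_has_opt check run inside the guest against its /proc/self/mountinfo shows whether /var/www and /var/log actually carry nodev after the remount in the strace failed.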

Generated on Wed 19 Aug 2009 - 13:50:22 BST by hypermail 2.1.8