Re: [vserver] is there a vnetstat?

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Wed 08 May 2013 - 21:36:14 BST
Message-ID: <20130508203614.GC23732@MAIL.13thfloor.at>

On Tue, May 07, 2013 at 09:43:41PM +0200, Allan Latham wrote:
> Hi Herbert

> I have no idea where I would set CONFIG_VSERVER_PRIVACY but I
> am using the Debian Squeeze vserver kernel and util-vserver
> utils. Is it a kernel compile option?

/proc/config.gz should contain the kernel config

> I have not knowingly set CONFIG_VSERVER_PRIVACY but the
> ncontext command does not give me what I expect:

> root@vservers ~ # cat /proc/net/tcp
> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
> 0: 79D6C658:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 4691 1 ffff88001e748000 300 0 0 2 -1
> 1: 79D6C658:0016 A76A04B2:A1BD 01 00000000:00000000 02:000A95D2 00000000 0 0 4462131 3 ffff88001e74c780 23 6 17 4 -1

> root@vservers ~ # ncontext --migrate --nid 1 -- cat /proc/net/tcp
> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode

> Nothing is shown - not from the host or the vservers (there are
> listening tcp services on some of the vservers).

> Interestingly if I use the nid of an actual vserver I do get
> what I expect:

> root@vservers ~ # ncontext --migrate --nid 102 -- cat /proc/net/tcp
> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
> 0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 4378389 1 ffff88001e749380 300 0 0 2 -1

> root@vservers ~ # ncontext --migrate --nid 102 -- netstat -ant
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

> As a partial solution I can cycle through all the nids but I'd
> prefer a complete picture in one command.

a good solution would be to build your own kernel and
util-vserver and get rid of all the debian related
issues ...

> Any other idea why nid 1 doesn't work?

most likely debian decided that CONFIG_VSERVER_PRIVACY
is a good kernel config option, or they messed up with
the patches (again).

best,
Herbert

> All the best
> Allan

> On 07/05/13 20:24, Herbert Poetzl wrote:
>> On Mon, May 06, 2013 at 07:54:04PM +0200, Allan Latham wrote:
>>> netstat gets the information from:

>>> /proc/net/tcp and /proc/net/udp

>>> The trick must be to make this part of the /proc
>>> tree fully visible at the host level.

>>> How I do that is a complete mystery!

>> it is completely visible from the spectator context
>> so for example:

>> ncontext --migrate --nid 1 -- cat /proc/net/tcp

>> will show the information for all network contexts,
>> given that guest privacy is not enabled, i.e.

>> # CONFIG_VSERVER_PRIVACY is not set

>>> My vservers are skeletons containing only the minimum needed
>>> for the service running in the vserver. Few (none) will have
>>> netstat available to run via 'vserver exec' and its friends.

>>> Therefore the need to monitor them from the host.

>> for obvious reasons, the host context only sees the
>> connections belonging to the host processes, similar
>> to the processes (host context = 0) but the spectator
>> context (1) has all the information.

>> HTC,
>> Herbert

>>> Greetings to all
>>> Allan

>>> On 06/05/13 18:38, Ghislain wrote:
>>>> would be curious too,

>>>> I tried

>>>> sudo ncontext --migrate --nid 1 -- netstat -nlp

>>>> sudo chcontext --silent --ctx 1 netstat -nlp

>>>> but none give me all the sockets :), the closest I got was:

>>>> sudo vsomething vserver --running -- exec netstat -nlp|sort

>>>> perhaps there is not an observer context for network.

>>>> Ghislain.
Received on Wed May 8 21:36:24 2013
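
Added example, not part of the original thread or of util-vserver: a small Python parser for the /proc/net/tcp layout discussed above, for hosts whose guests do not ship netstat. The function names are hypothetical, the sample lines are constructed (documentation addresses), and it assumes IPv4 entries on a little-endian host; sockets_for_nid() wraps the ncontext call quoted in the thread so the per-nid workaround can be looped from the host.

```python
import socket
import struct
import subprocess

# TCP state codes as printed in the "st" column (kernel tcp_states.h values).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into 'a.b.c.d:port' (little-endian host assumed)."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return f"{addr}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and blank or truncated lines; entries start with "N:".
        if len(fields) < 10 or not fields[0].rstrip(":").isdigit():
            continue
        sockets.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets

def sockets_for_nid(nid):
    """Read /proc/net/tcp inside network context `nid` via the ncontext call from the thread."""
    cmd = ["ncontext", "--migrate", "--nid", str(nid), "--", "cat", "/proc/net/tcp"]
    return parse_proc_net_tcp(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

# Constructed sample in /proc/net/tcp layout (documentation addresses, not taken from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4691 1 0000000000000000 300 0 0 2 -1
   1: 0A0200C0:0016 076433C6:A1BD 01 00000000:00000000 02:000A95D2 00000000     0        0 4462 3 0000000000000000 23 6 17 4 -1
"""

if __name__ == "__main__":
    for s in parse_proc_net_tcp(SAMPLE):
        print(s["local"], s["remote"], s["state"], s["inode"])
```

An empty list from sockets_for_nid(1) alongside non-empty results for individual guest nids matches the behaviour reported in the thread.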
