Re: [vserver] netfilter connection tracking

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Fri 20 Apr 2018 - 18:09:10 BST
Message-ID: <20180420170910.GB23086@MAIL.13thfloor.at>

On Fri, Apr 20, 2018 at 02:06:20PM +0200, Christoph Pleger wrote:
> Hello,

Hey Christoph,

>> If there are userspace processes involved, you might want
>> to try to simply give all capabilities to a guest just to
>> verify, in which case there will be no restrictions compared
>> to the host.

> Is it possible to change an entry in /proc inside a vserver?

Yes and no, really depends on the proc entry ...

> Or even better, set it only once at vserver start?

In case it is 'virtualized', i.e. part of the guest
namespaces, you can change it in one of the pre/post scripts
with util-vserver, and given that the guest context lacks
the capabilities to change that entry, it will stay fixed.

> Probably the problem is that, because of my kernel and
> nftables versions, I have to enable automatic connection
> tracking helpers by

> 'echo 1 > /proc/sys/net/nethelper/nf_conntrack_helper'

> and the vservers do not have the same value in that file
> as the real host.

A quick Google search turned up a few patches to add
netns support for kernel built-in helpers, but I'm not
sure those have made it into mainline already; they are
from summer 2017 ...

Best,
Herbert

> Regards
> Christoph
Received on Fri Apr 20 18:04:25 2018
