Suno Ano | 3 Jul 2009 16:31

filesystem-level encryption and OpenVZ

Hi folks,

Often we want encryption, but full-disk encryption (e.g. dm-crypt and
LUKS) might not be an option because we already have a HN up and
running and do not want to install from scratch.

Another reason would be that we just have/own a VE. In both cases
filesystem-level encryption can help us.

I wrote
http://sunoano.name/ws/public_xhtml/debian_security.html#filesystem-level_encryption
which also takes an OpenVZ setup into account.

Maybe someone finds it useful ... 
_______________________________________________
Users mailing list
Users@...
https://openvz.org/mailman/listinfo/users
Daniel Lüdeking | 3 Jul 2009 18:06

Running 32 bit guests on 64 bit host system

Greetings,

I'm having my first attempts using openVZ for virtualization.
As I read in the documentation and the wiki pages, it is generally possible to run 32 bit guests on a 64 bit host system.

My question is whether it works under all circumstances.
I'm running 2.6.26-2-openvz-amd64 and created a container with debian-4.0-i386-minimal.tar.gz inside.

In the host system uname -a displays:
Linux host 2.6.26-2-openvz-amd64 #1 SMP Sun Jun 21 06:01:29 UTC 2009 x86_64 GNU/Linux

In the guest system uname -a displays:
Linux guest 2.6.26-2-openvz-amd64 #1 SMP Sun Jun 21 06:01:29 UTC 2009 i686 GNU/Linux

Does that nevertheless mean that the guest will now behave like a 'native' 32-bit host would?
What are your experiences in running a 32-bit guest on a 64-bit host system?

Regards,
Daniel
John Drescher | 3 Jul 2009 18:15

Re: Running 32 bit guests on 64 bit host system

On Fri, Jul 3, 2009 at 12:06 PM, Daniel Lüdeking<mail@...> wrote:
> Greetings,
>
> I'm having my first attempts using openVZ for virtualization.
> As I read in the documentation and the wiki pages, it is generally possible to run 32 bit guests on a 64 bit
> host system.
>
> My question is, if it is working under any circumstances.
> I'm running 2.6.26-2-openvz-amd64 and created a container with debian-4.0-i386-minimal.tar.gz inside.
>
> In the host system uname -a displays:
> Linux host 2.6.26-2-openvz-amd64 #1 SMP Sun Jun 21 06:01:29 UTC 2009 x86_64 GNU/Linux
>
> In the guest system uname -a displays:
> Linux guest 2.6.26-2-openvz-amd64 #1 SMP Sun Jun 21 06:01:29 UTC 2009 i686 GNU/Linux
>
> Does that nevertheless mean, that the guest now will behave like a 'native' 32bit host would?
> What are your experiences in running a 32bit guest on a 64bit host system?
>
>
I have had absolutely no problems with this configuration on several
systems. Even real 32 bit hw nodes I just copied and made into a
guest.

John
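The i686 in the guest's uname output is worth understanding before relying on it. The guest runs on the HN's x86_64 kernel; what makes uname(2) report i686 is the process personality (PER_LINUX32), which, as far as I know, vzctl sets when it starts a container whose userland is 32-bit. The script below is an added example, not code from the posts: it reproduces the effect by hand with setarch(8) from util-linux, and reads the ELF class of a binary, which is what actually decides whether a userland is 32-bit. The practical caveat: the personality is a per-process attribute, not an isolation boundary, so do not treat the i686 string as evidence of anything beyond what the 32-bit template contains.

```shell
#!/bin/sh
# Added example (not from the list posts): where a 32-bit guest's "i686" comes from.
# Assumptions: util-linux setarch(8) is installed; a Linux kernel; /bin/sh is an ELF binary.

# Architecture as the kernel reports it to an ordinary process.
host_arch() {
    uname -m
}

# The same uname(2) call under the Linux32 personality. On an x86_64 kernel
# this prints "i686": the kernel substitutes its compat machine string when
# the calling process carries PER_LINUX32. Falls back to the plain value if
# setarch is unavailable or not permitted.
arch_under_linux32() {
    setarch linux32 uname -m 2>/dev/null || uname -m
}

# ELF class of a binary (1 = 32-bit, 2 = 64-bit), read from byte 4 (EI_CLASS)
# of the ELF header. This, not the uname string, is what determines whether
# the userland in a template is 32-bit.
elf_class() {
    od -A n -t u1 -j 4 -N 1 "$1" | tr -d ' '
}

main() {
    echo "host kernel reports:       $(host_arch)"
    echo "under linux32 personality: $(arch_under_linux32)"
    echo "/bin/sh ELF class:         $(elf_class /bin/sh)  (1 = 32-bit, 2 = 64-bit)"
}

main "$@"
```

On a 64-bit HN with a 32-bit template, the second line is what processes inside the container see, and the third line run against a binary from the template is what tells you the template really is 32-bit.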
Vidhya Nagarajan | 7 Jul 2009 21:58

Disk device

Hello,

How do I share a disk device between a Host node and a Container? I am running software in the container that needs to access /proc/diskstats and I hit a segmentation fault.

When I ran strace, this is what i find: open("/proc/diskstats", O_RDONLY)       = -1 ENOENT (No such file or directory)

Please help me with this!

Thanks,
Vidhya

Vidhya Nagarajan | 8 Jul 2009 20:55

Re: Segmentation Fault

Steve,

Can you please tell me how a container can be granted access to real devices like network interfaces, serial ports, disk partitions, etc ?

Thanks a lot for your time!

Vidhya

On Fri, Jun 26, 2009 at 1:45 PM, Vidhya Nagarajan <vids85-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
Hello Steve,

Thanks for your reply! Here is what I get when I do an strace.

I guess the container needs a dedicated disk device and since it doesn't have one at the moment, it's seg faulting. How would I share a disk device with a container?


[root@rajeshr-linux bin]# strace ./monitord -s localhost -p 8367 -d -v
execve("./monitord", ["./monitord", "-s", "localhost", "-p", "8367", "-d", "-v"], [/* 17 vars */]) = 0
brk(0)                                  = 0x9c4f000
uname({sys="Linux", node="rajeshr-linux", ...}) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9708, ...}) = 0
mmap2(NULL, 9708, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ffb000
close(3)                                = 0
open("/lib/libpthread.so.0", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360G\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=127700, ...}) = 0
mmap2(NULL, 94688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x888000
mmap2(0x89c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13) = 0x89c000
mmap2(0x89e000, 4576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x89e000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320`\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1670312, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ffa000
mmap2(NULL, 1390032, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d1000
mmap2(0x41f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14e) = 0x41f000
mmap2(0x422000, 9680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x422000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ff9000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ff96c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0x41f000, 8192, PROT_READ)     = 0
mprotect(0x89c000, 4096, PROT_READ)     = 0
mprotect(0x856000, 4096, PROT_READ)     = 0
munmap(0xb7ffb000, 9708)                = 0
set_tid_address(0xb7ff9708)             = 3761
set_robust_list(0xb7ff9710, 0xc)        = 0
rt_sigaction(SIGRTMIN, {0x88c2e0, [], SA_RESTORER|SA_SIGINFO, 0x895290}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x88c360, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x895290}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="rajeshr-linux", ...}) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
brk(0)                                  = 0x9c4f000
brk(0x9c70000)                          = 0x9c70000
open("/etc/resolv.conf", O_RDONLY)      = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=20, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ffd000
read(4, "nameserver 10.0.2.1\n", 4096)  = 20
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0xb7ffd000, 4096)                = 0
uname({sys="Linux", node="rajeshr-linux", ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
open("/etc/nsswitch.conf", O_RDONLY)    = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=1696, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ffd000
read(4, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1696
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0xb7ffd000, 4096)                = 0
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=9708, ...}) = 0
mmap2(NULL, 9708, PROT_READ, MAP_PRIVATE, 4, 0) = 0xb7ffb000
close(4)                                = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\30\0\0004\0\0\0"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=50840, ...}) = 0
mmap2(NULL, 45712, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x649000
mmap2(0x653000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x9) = 0x653000
close(4)                                = 0
mprotect(0x653000, 4096, PROT_READ)     = 0
munmap(0xb7ffb000, 9708)                = 0
open("/etc/host.conf", O_RDONLY)        = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=17, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ffd000
read(4, "order hosts,bind\n", 4096)     = 17
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0xb7ffd000, 4096)                = 0
futex(0x4237e0, FUTEX_WAKE, 2147483647) = 0
open("/etc/hosts", O_RDONLY)            = 4
fcntl64(4, F_GETFD)                     = 0
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=42, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ffd000
read(4, "127.0.0.1 localhost.localdomain "..., 4096) = 42
close(4)                                = 0
munmap(0xb7ffd000, 4096)                = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ffd000
write(1, "Just defined sockaddr->sin_addr."..., 50Just defined sockaddr->sin_addr.in_addr=(100007f)
) = 50
open("/proc/stat", O_RDONLY)            = 4
fstat64(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ffc000
read(4, "cpu  107 0 137 3102929 8 0 0 0\nc"..., 4096) = 159
close(4)                                = 0
munmap(0xb7ffc000, 4096)                = 0
open("/proc/diskstats", O_RDONLY)       = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Thanks,
Vidhya


On Fri, Jun 26, 2009 at 12:06 PM, Steven Tardy <sjt5-Q2pGrLd+7x9cusGGlJDZ6w@public.gmane.org> wrote:
Vidhya Nagarajan wrote:
Hello everyone,

I am new to OpenVZ and so far I have liked it a lot. The Quick installation
guide is extremely useful. I am trying to run a thermal emulation model
inside a container. I have installed all the necessary packages. However,
when I run the thermal emulation software which basically collects the power
consumed by the components(cpu,network,disk) of the machine, I get a
segmentation fault. When I run the same in the host node, I don't get any
error and the software runs smoothly.

For the thermal emulation model I need to set the /dev/sda properly. However
when I tried to run /dev from the container I could not get sda or hda but
rather found "pts". what does that mean?


From inside the container:

[root@rajeshr-linux bin]# ./monitord -p 8367 -s localhost -d -v
Just defined sockaddr->sin_addr.in_addr=(100007f)
Segmentation fault

Is it because the container is not given access to the power modules in the
host node? I have mounted three of the folders from the host node to the
container using the command

that software probably reads from something in /proc

troubleshooting 101 (strace):
 strace ./monitord -p 8367 -s localhost -d -v

see what errors strace returns

--
Steven Tardy
Systems Programmer
Information Technology Infrastructure
Information Technology Services
Mississippi State University
sjt5-Q2pGrLd+7x/GPkg1PMG5MA@public.gmane.orgedu
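The strace above ends with open("/proc/diskstats") returning ENOENT immediately before the SIGSEGV, which is the pattern of a program that uses the result of fopen() without checking for NULL. The entry is simply absent in the container's /proc, so the robust fix belongs in the program. Granting the container a raw device is a separate matter (vzctl(8) has --devnodes for device nodes, e.g. vzctl set CTID --devnodes sda:rw --save, and --netdev_add for moving a network interface into a container); it would not make a /proc entry appear, and handing a container the HN's block device gives it read/write access to the whole disk, including other containers' private areas, so it is rarely the right answer. The script below is an added example, not the monitord program from the thread: a reader for the diskstats format that checks for the file first and fails with a status and message instead of crashing. The sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read /proc/diskstats without crashing
# when it is missing, as it is inside the container above. Sample data is made up.

# Print "name reads_completed writes_completed" for every disk in a file in
# /proc/diskstats format. Exit status: 2 if the file cannot be read, 1 if it
# is readable but contains no parsable lines, 0 otherwise.
diskstats_summary() {
    f="${1:-/proc/diskstats}"
    if [ ! -r "$f" ]; then
        echo "diskstats_summary: $f: not readable (absent inside this container)" >&2
        return 2
    fi
    # Field layout (Documentation/iostats.txt): major minor name, then the
    # I/O counters; field 4 = reads completed, field 8 = writes completed.
    # 2.6 kernels emit 14 fields, later kernels more, so accept NF >= 14.
    awk 'NF >= 14 && $1 ~ /^[0-9]+$/ { n++; print $3, $4, $8 }
         END { exit (n > 0) ? 0 : 1 }' "$f"
}

# Constructed sample in the 2.6 kernel format (14 fields per line).
SAMPLE_DISKSTATS='   8       0 sda 1234 56 78901 2345 678 90 12345 678 0 9012 3456
   8       1 sda1 1200 50 78000 2300 600 80 12000 650 0 9000 3400
 253       0 dm-0 10 0 80 1 5 0 40 2 0 3 3'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DISKSTATS" > "$tmp"
    echo "--- parsed sample:"
    diskstats_summary "$tmp"
    rm -f "$tmp"
    # The failure path the container hits: a message and a status, no crash.
    echo "--- missing file:"
    diskstats_summary /nonexistent/diskstats || echo "exit status $?"
}

demo
```

Run it inside the container and the second part is what you get there; run it on the HN with no argument and it reads the real /proc/diskstats.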
Greg | 9 Jul 2009 22:23

SSL in cloned VEs

Hi,
I'm currently creating a Debian based VE for my site web services and I'm planning to duplicate it on 2 other servers. Usually with real servers we need to install separately on each server and get the SSL info for each. How does it work with VEs? If I install it on the VE before cloning, will it work on the clone directly or will I need to reissue a certificate for each clone? I'm looking for the best way to do it.
Thanks
Greg
Greg | 9 Jul 2009 22:29

Firewall on HN or VE?

Hi,
On one server set up with Proxmox I intend to have 4 VEs (web, dns, mysql, mail). I guess I'll have 1 IP for each VE. Concerning the firewall I'm thinking of configuring iptables, but my concern is whether to do it on the HN or on each VE. I'm looking for the best way to do it, so your ideas are more than welcome.
Thanks
Greg
Gregor at HostGIS | 9 Jul 2009 22:36

Re: SSL in cloned VEs

> How does it work with VEs. If I install it on the VE before 
> cloning, will it work on the clone directly or will i need to reissue 
> certificate for each clone.

An invalid SSL certificate, even a self-signed or expired one, will 
still "work" as far as encrypting data. If you're talking internal use, 
and don't care about browser complaints, the SSL security is just fine 
even with an invalid certificate or non-matching hostname.

The concern is the browser complaining when the hostname doesn't match 
up, e.g. a certificate for https://clone-master.whatever.com/ is being 
presented by https://clone1.whatever.com/ so the browser will raise the 
"Invalid certificate" complaint. Your browser may let you "just accept 
it" but that may not be appropriate depending on your customers/users.

If you are concerned about the certificates being valid, or at least 
having the right hostname, it's best to generate them inside the VPS. 
Technically, you don't even need the container running: you can chroot 
and call openssl with appropriate arguments.

-- 
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+   Server+   A+   Security+
John Drescher | 9 Jul 2009 22:42

Re: SSL in cloned VEs

On Thu, Jul 9, 2009 at 4:23 PM, Greg<parism70@...> wrote:
> Hi,
> I'm currently creating a debian based VE for my site web services and i'm
> planning to duplicate on 2 other servers. Usually with real servers we need
> to install seperately on each server and get the SSL info for each. How does
> it work with VEs. If I install it on the VE before cloning, will it work on
> the clone directly or will i need to reissue certificate for each clone. I'm
> looking for best way to do it.
> Thanks
> Greg
>

I just deleted the certificate after the clone was up and had a new
one generated.

John
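A clone copies the master's private key along with its certificate, so beyond the hostname mismatch Gregor describes, whoever reads the key out of any one VE can impersonate all of them. The script below is an added example, not from either post, of what "delete the certificate and generate a new one" looks like when scripted, plus a check that two VEs do not share a key. It assumes OpenSSL 1.1.1 or later (for -addext), uses the hostnames from the thread, and issues self-signed certificates, so where browser trust matters a CA-issued certificate for each clone's hostname is still needed; the directory paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the posts): per-clone key and certificate, and a
# check for clones that still share a private key. Assumes openssl >= 1.1.1.

# Generate a fresh RSA key and a self-signed certificate for HOST in DIR.
# The key is the part that must never be shared between clones.
regen_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        >/dev/null 2>&1
}

# Common name of a certificate, e.g. "clone1.whatever.com".
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# SHA-256 of the public key in DER form. The same value on two VEs means
# they share a private key, which is what a straight clone gives you.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/.*= *//'
}

# Does the certificate in DIR carry HOST as its CN?
cert_matches_host() {
    [ "$(cert_cn "$1/cert.pem")" = "$2" ]
}

# Usage on a freshly cloned VE, run from the HN against the container's
# private area (path assumed; adjust VE_PRIVATE and the ssl directory):
#   regen_cert /var/lib/vz/private/102/etc/ssl/clone1 clone1.whatever.com
#   key_fingerprint /var/lib/vz/private/101/etc/ssl/clone-master/key.pem
#   key_fingerprint /var/lib/vz/private/102/etc/ssl/clone1/key.pem
# Identical fingerprints mean the clone is still using the master's key.
```

Comparing fingerprints across all VEs after cloning is the cheap audit; it catches the case John describes, where a clone went live before its certificate was replaced.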
Gregor at HostGIS | 9 Jul 2009 22:44

Re: Firewall on HN or VE?

We do the firewall configuration on the HN, not in the VE. This keeps it 
safely out of the customers' hands and in our centralized control.

By "safely out of their hands" I mean not only the customers' 
inexpertise, but also accidental deletion/chmoding of the firewall 
script in their VE, or a hacker modifying/dropping the firewall.

But if you WANT for your customers in their VEs to self-manage their 
firewalls, having it in the VE would be just the ticket.

-- 
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+   Server+   A+   Security+
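One way to lay the policy out on the HN, as Gregor recommends, is the added example below; it is not code from the posts. With venet networking the HN routes every packet to and from a VE's IP, so all of it passes through the HN's FORWARD chain and the rules for the four VEs from Greg's question can live there, out of reach of anything running inside a compromised container. The VE addresses and the port list are assumptions for illustration. The second function walks the generated rules in order and reports the verdict for one connection, so ordering mistakes (an outbound allow placed ahead of the MySQL restriction, say) show up before the ruleset is loaded.

```shell
#!/bin/sh
# Added example (not from the posts): HN-side FORWARD policy for four VEs.
# Addresses are assumed documentation-range values, not from the thread.
WEB=192.0.2.11; DNS=192.0.2.12; MYSQL=192.0.2.13; MAIL=192.0.2.14

# Emit an iptables-restore(8) ruleset on stdout. Nothing is applied here;
# review it, merge it with the HN's own INPUT/OUTPUT rules, then load it
# with "iptables-restore" on the HN (it replaces the filter table).
ve_forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to connections already accepted
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public services, one VE each
-A FORWARD -d $WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -d $DNS -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $MAIL -p tcp -m multiport --dports 25,587,993 -m conntrack --ctstate NEW -j ACCEPT
# MySQL is reachable from the web VE only; the DROP must come before the
# generic outbound allows below or the other VEs could reach it
-A FORWARD -s $WEB -d $MYSQL -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $MYSQL -p tcp --dport 3306 -j DROP
# Let the VEs initiate outbound connections (updates, DNS, SMTP relay)
-A FORWARD -s $WEB -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $DNS -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $MYSQL -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $MAIL -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# First-match walk over the generated FORWARD rules for a NEW connection
# SRC -> DST port PORT over PROTO; prints ACCEPT or DROP. Understands only
# the matches used above (-s, -d, -p, --dport, --dports, --ctstate); it is
# a sanity check on rule order, not a substitute for iptables.
verdict() {
    ve_forward_rules | awk -v src="$1" -v dst="$2" -v proto="$3" -v port="$4" '
        /^-A FORWARD / {
            ok = 1; target = ""
            for (i = 1; i <= NF; i++) {
                v = $(i + 1)
                if ($i == "-s" && v != src) ok = 0
                if ($i == "-d" && v != dst) ok = 0
                if ($i == "-p" && v != proto) ok = 0
                if ($i == "--dport" && v != port) ok = 0
                if ($i == "--dports" && index("," v ",", "," port ",") == 0) ok = 0
                if ($i == "--ctstate" && v != "NEW") ok = 0
                if ($i == "-j") target = v
            }
            if (ok) { found = 1; print target; exit }
        }
        END { if (!found) print "DROP" }'
}

echo "internet -> web:443    $(verdict 203.0.113.5 "$WEB" tcp 443)"
echo "internet -> mysql:3306 $(verdict 203.0.113.5 "$MYSQL" tcp 3306)"
echo "web -> mysql:3306      $(verdict "$WEB" "$MYSQL" tcp 3306)"
echo "mail -> mysql:3306     $(verdict "$MAIL" "$MYSQL" tcp 3306)"
```

If you later let customers manage firewalls inside their VEs as Gregor's last paragraph describes, keep this HN layer as the outer bound: whatever a VE's own iptables allows, the FORWARD chain on the HN still has the final say.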
