1417136402 Q * fstd Remote host closed the connection
1417136443 J * fstd ~fstd@xdsl-87-78-191-46.netcologne.de
1417137833 J * Aiken_ ~Aiken@d63f.h.jbmb.net
1417138272 Q * Aiken Ping timeout: 480 seconds
1417140371 Q * fstd Remote host closed the connection
1417140513 J * fstd ~fstd@xdsl-87-78-191-46.netcologne.de
1417155706 M * Bertl_oO off to bed now ... have a good one everyone!
1417155708 N * Bertl_oO Bertl_zZ
1417160616 J * Ghislain ~aqueos@adsl1.aqueos.com
1417163878 J * jsg_ ~chatzilla@62.116.207.125
1417164209 Q * jsg Ping timeout: 480 seconds
1417164221 N * jsg_ jsg
1417164838 J * jsg_ ~chatzilla@62.116.207.125
1417165169 Q * jsg Ping timeout: 480 seconds
1417165181 N * jsg_ jsg
1417172529 M * Ghislain daniel_hozak: daniel if i want to enable a guest to create some devices, i want to limit the opening to a few, those needed by systemd, so cap_mknod is not ok, is there a way ? I was wondering if we should use the cgroup system for that or not
1417172625 M * Ghislain my guess would be: give the guest mknod capability and add cgroup restrictions.
1417177540 Q * Aiken_ Remote host closed the connection
1417177678 J * jsg_ ~chatzilla@62.116.207.125
1417178012 Q * jsg Ping timeout: 480 seconds
1417178021 N * jsg_ jsg
1417179244 N * Bertl_zZ Bertl
1417179250 M * Bertl morning folks!
1417179605 Q * fstd Remote host closed the connection
1417179645 J * fstd ~fstd@xdsl-87-78-12-62.netcologne.de
1417179881 M * Ghislain hello bertl, i started to open the can of worms, i therefore hit hard my clueless mind into a wall ;p
1417179922 M * Ghislain perhaps i will find time to go a little more into the systemd project :)
1417179933 M * Bertl hopefully
1417179952 M * Ghislain i have a question though, the secure-mount, what is it limiting exactly ?
1417179992 M * Bertl you mean the capability, yes?
1417180089 M * Ghislain yes :)
1417180165 M * Ghislain i mean i know it creates a virtual cop asking things so no terrorist passes but i wonder about the details, does he know kung fu ?
1417180233 M * Bertl VXC_SECURE_MOUNT is tested in may_mount() and proc_mount() as far as I can tell
1417180251 M * Bertl (in recent kernels)
1417180393 M * Bertl I remember that it also adjusted the mount flags somewhat, but I don't see that code in recent kernels anymore
1417180463 M * Bertl yeah, we moved that to VXC_DEV_MOUNT
1417180515 M * Bertl so it allows certain mounts to work without the actual linux capability
1417180600 M * Bertl it doesn't include "binary style" mounts, we have a separate context capability for that
1417180656 M * Ghislain i am looking into it because from what i read systemd wants to mount /sys, /proc and /dev/pts /dev/shm so i need to let the guest mount those without letting it mount /dev/sda
1417180670 M * Ghislain or other dangerous things
1417180861 M * Bertl well, preventing node creation is a good way to do that
1417180881 M * Bertl you can even configure the guest to allow certain devices and deny others
1417180893 M * Ghislain secure mount is only forbidding certain flags nothing more if i read right
1417180918 M * Ghislain yes you mean using cgroups for that ?
1417180923 M * Bertl yep
1417180951 M * Bertl you can use the Linux-VServer device mapper for this feature as well, especially on older kernels
1417180958 M * Ghislain so basically i would give mknod and securemount then put a bunch of devices in the cgroup whitelist
1417180993 M * Ghislain well as we search systemd compatibility i will target 3.4 +
1417182852 M * Ghislain okay will try for the we then thanks bertl
1417184372 M * undefined Ghislain: i use the cgroup device whitelist controller for pbuilder (debian application for using chroots to build debian packages)
1417184424 M * undefined i've migrated from vdevmap to it
1417184465 M * undefined doesn't integrate well with util-vserver
1417184478 M * undefined infeasible to put entries in /etc/vservers//cgroup/devices.{allow,deny}
1417184483 M * undefined files in /etc/vservers//cgroup are processed alphabetically
1417184489 M * undefined generic deny policy (devices.deny) has to be added before specific allow policies (devices.allow) are accepted
1417184505 M * undefined so i wrote a script
1417184509 M * undefined i'll paste it
1417184756 M * undefined http://pastebin.com/SqCMmkpA
1417184831 M * undefined feel free to add that to the wiki if you find it useful
1417185016 M * Bertl a patch for util-vserver to special case the sorting might help?
1417185137 M * undefined yeah, Bertl if you could write a patch to special case cgroup device whitelisting that would be great! ;)
1417185169 M * Bertl I probably won't have the time for that, but I'm sure daniel_hozac would accept such a patch ;)
1417185543 M * Ghislain undefined: thanks, will take a look at it
1417185924 M * Ghislain hum i have a lot of complaints about /proc/cmdline not being here, do you think i could create a dummy one with the tools or will it require dev changes ?
1417185984 M * Ghislain hum procunhide should work
1417185999 M * Ghislain do not see a risk in it as this is only the ro kernel boot options
1417186136 M * Ghislain it would be even great to be able to create a false one ^^
1417186145 M * Ghislain systemd reads it for debug options
1417186152 M * undefined the bigger (theoretical) problem is systemd going to do something incorrectly because it's trying to react to the host's /proc/cmdline?
1417186165 M * undefined "incorrectly" doesn't mean security-wise
1417186187 M * Ghislain i really think it only searches for the systemd options but could be wrong
1417186204 M * Ghislain perhaps it could read ipv6 flags or such
1417186338 M * undefined btw, thanks for looking into systemd integration; that's my biggest concern for linux-vserver's future (running guests that require it), but i haven't had time and it's not a pressing until debian jessie
1417186355 M * undefined pressing *issue*
1417186377 M * Bertl a --bind mount should suffice for /proc/cmdline
1417187118 M * Ghislain i have the same issue, apart from a huge upgrade problem on several key infra on my side i need to know if i could use vserver next year. I do not trust the lxc guys, for me bertl has the right mindset and knowledge to make containers right
1417187161 M * Guy- undefined: fwiw, it's still possible to install Debian without systemd
1417187163 M * Ghislain thanks i will try the bind mount thing
1417187175 M * Guy- (also sid)
1417187187 M * Guy- but yes, it's getting harder, unfortunately
1417187202 M * Ghislain yes but as every distrib switches to it by default the domino effect will soon make more than gnome request it
1417187277 M * Guy- kde already depends on it indirectly, via udisks2, fwiw :(
1417187292 M * Guy- I really hope uselessd gets some traction
1417187352 M * Ghislain i am not against any system seeing change is inevitable, the init.d system is quite lacking in a lot of areas. do not know if systemd is ideal i do not know enough about it at all
1417187374 M * Ghislain anyway if all switch to it it must solve more than one problem
1417187775 M * Ghislain uselessd could give some more options, the name is rude but it provides a useful option.
1417187783 Q * fstd Remote host closed the connection
1417187793 M * Ghislain more on this this WE hopefully
1417188105 J * fstd ~fstd@xdsl-87-78-12-62.netcologne.de
1417188337 M * Ghislain the commandline is specifically forbidden in the procunhide file: -/proc/cmdline
1417188337 M * Ghislain is there a reason ?
1417188890 M * Bertl the purpose is to prevent leaking host specific information into the guest
1417188891 M * Guy- I suppose it could contain sensitive stuff you wouldn't want to expose to guests
1417188896 M * Guy- yes
1417189592 Q * xdr Remote host closed the connection
1417189830 M * Ghislain k
1417190259 M * Ghislain i will send a patch to allow vserver name neter as an alias to enter, i make this mistake 10 times per hour :p
1417190324 M * Ghislain ok the bind root to a dummy file works !
1417190444 M * Ghislain i do not see it in ls but i can read it
1417190864 M * Bertl if you mount a dummy cmdline, you can also unhide it (if you like)
1417190883 M * Bertl (unless the guest is permitted to unmount the bind mount)
1417191155 M * Ghislain i tried to unhide it but it seems that it does not show, i added it in apps/vprocunhide
1417191155 M * Ghislain with no success
1417191347 M * Ghislain i just cp /usr/share/util-vserver/defaults/vprocunhide-files to the guest removing the '-' before the line and restarted, the cmdline was not shown and was permission denied, then i bind mounted a dummy file and now i can read it but not see it in 'ls'
1417192437 J * jsg_ ~chatzilla@62.116.207.125
1417192772 Q * jsg Ping timeout: 480 seconds
1417192780 N * jsg_ jsg
1417192975 M * Ghislain hum so if i am not mistaken either i am doing it wrong or there is a problem no ?
1417192985 M * Ghislain i should see /proc/cmdline in the guest
1417193053 M * Ghislain i perfectly see /proc/version for example
1417193136 M * Ghislain hum if i put -/proc/version in /etc/vservers/.defaults/apps/vprocunhide and restart the guest i still see it
1417193186 M * Ghislain do you guys see /proc/sys/dev/raid/ in your guests ?
1417193218 M * Ghislain i do so i must have a vprocunhide issue
1417193427 M * Ghislain i also see /proc/sys/debug/ that is on the blacklist
1417194322 M * daniel_hozac Ghislain: you can mount most things from the guest's fstab.
1417194374 M * daniel_hozac vprocunhide is system global, you'll have to restart the service for changes to take effect.
1417194454 M * Ghislain ok, i have /etc/vservers/.defaults/apps/vprocunhide with -/proc/version
1417194509 M * Ghislain for test, i stop the guest and /etc/init.d/vprocunhide restart
1417194513 M * daniel_hozac you mean /etc/vservers/.defaults/apps/vprocunhide/files, right?
1417194539 M * Ghislain nope so that is my 108997823th mistake
1417194542 M * Ghislain thx
1417194547 M * Ghislain trying again
1417194664 M * Ghislain wonderful how things work when done correctly no ? that works ok in this case
1417194712 M * Ghislain cmdline shows nos
1417194714 M * Ghislain now
1417194732 M * daniel_hozac are you running systemd in container mode? it doesn't seem like it should read /proc/cmdline in that case.
1417194773 M * Ghislain for now i have a base install i just scratched the surface
1417194841 M * daniel_hozac http://pastebin.com/6UC4wskK is the guest's fstab that i tried with.
1417195030 M * daniel_hozac i set apps/init/cmd.start to echo -e '/bin/env\ncontainer=vserver\n/sbin/init' too
1417195126 M * Ghislain ok, /etc/vservers/.defaults/apps/init/environment could not be used ?
1417195141 M * Ghislain perhaps it is set just after ?
1417195165 M * daniel_hozac i was doing a few other things, like sleeping to be able to strace systemd too.
1417195199 M * daniel_hozac apps/init/environment should be fine.
1417195230 M * Ghislain k
1417195250 M * Ghislain for now i just stage the thing i will try hard this we if murphy does not ring
1417195262 M * Ghislain but thanks for the hints ! :)
1417195389 M * Ghislain should i see the env container from a shell after a vserver xx enter ?
1417195397 M * daniel_hozac no
1417195410 M * Ghislain ok
1417195925 M * Ghislain i love the systemd page: What You Shouldn't Do : Do not drop CAP_SYS_ADMIN , Do not drop CAP_MKNOD
1417195937 M * Ghislain well why use containers if they have full access ?
1417196150 M * daniel_hozac yeah...
1417196170 Q * Defaultti Quit: Quitting.
1417196481 J * Defaultti defaultti@lakka.kapsi.fi
1417203271 J * Aiken ~Aiken@d63f.h.jbmb.net
1417207268 J * bonbons ~bonbons@2001:a18:201:5a01:9522:5915:27fc:d0e4
1417213100 J * zerick ~zerick@190.118.16.131
1417214461 Q * zerick Read error: Connection reset by peer
1417214934 Q * bonbons Quit: Leaving