[[wiki:experiences/igraltist#kvm_on_rsbac|Back to igraltist's experiences/KVM on RSBAC]]

====== Start kvmguest with rsbac_jail ======
Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]], I do this.

===== kvm-jail-config =====
<code bash>
;
; RSBAC JAIL definition for kvm
; 20080507
;
; Tested by igraltist
;
; Fields, in order: jail root directory (assumed; empty here), jail IP address,
; jail flags, capability ceiling (max caps), SCD types the jail may read,
; SCD types the jail may modify. The four lists line up with the
; Flags / Max-caps / SCD-get / SCD-mod columns of ps-jail.py further down.

""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-ipc-syslog
allow-ipc-parent
allow-inet-raw
allow-all-net-family)
(net-raw
setgid
setuid
dac-override
net-admin
dac-read-search
sys-resource
sys-module)
()
(rlimit)
</code>

===== start kvm-guest =====
See the [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] for the content of the guest configuration file.

<code bash>
kvm-admin start example
uid=1003(kvm) gid=1003(kvm) groups=1003(kvm),6(disk),85(usb)
[Errno 2] No such file or directory: '/vmserver/qemu.img'
Using already existing Tap device.
Setting up tun-tap-device, done ....
The follow command would be executing:
['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']
</code>
\\
Now start a guest.
<code bash>
kvm-admin start vserver
uid=1003(kvm) gid=1003(kvm) groups=1003(kvm),6(disk),85(usb)
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
can't add vserver to bridge eth1: Operation not permitted
(if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)
</code>

So the tap device (here: vserver) must be added to the bridge manually, from outside the jail.\\
In this example the bridge is named dmz_bridge and the tun/tap device is named vserver.
<code bash>
brctl addif dmz_bridge vserver
ifconfig vserver up
</code>

This I see in the rsbac-log, but the guest is running.
<code bash>
<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
</code>
What the log shows: the ifup script ran as uid 0 (audit uid 1003 is the kvm user the jail was entered as), yet the JAIL module still refused BIND and MODIFY_SYSTEM_DATA on the NETDEV targets vserver and eth1. The jail flags above permit raw sockets and all address families but nothing that lets a jailed process reconfigure network devices, and that restriction applies to root inside the jail as well; hence the tap device has to be attached to the bridge from outside the jail, as done above.
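To turn a burst of such lines into something a host admin can act on, the following parser reads the rsbac_adf_request() fields and groups the NOT_GRANTED decisions by module, program, request and target. This is an added example written for this page; it is not part of RSBAC or of igraltist's scripts. SAMPLE_LOG is copied from the rsbac-log excerpt above, and the field names the parser knows ("audit uid", "remote ip", "result ... by MODULE") are the ones visible in those lines.

```python
"""Parse rsbac_adf_request() log lines and summarise what the JAIL module denied.

Added example for this page; not part of RSBAC or of igraltist's scripts.
SAMPLE_LOG is copied from the rsbac-log excerpt above. Lines whose layout
the parser does not recognise are skipped rather than guessed at.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
"""

# <prio><sequence>|rsbac_adf_request(): comma-separated "name value" fields
LINE_RE = re.compile(
    r"^<(?P<prio>\d)>(?P<seq>\d+)\|rsbac_adf_request\(\):\s*(?P<fields>.+)$")
# "NOT_GRANTED by JAIL": the decision plus the module that made it
RESULT_RE = re.compile(r"^(?P<result>\S+)(?:\s+by\s+(?P<module>\S+))?$")
# Field names that themselves contain a space; all others are "name value".
MULTIWORD = ("audit uid", "remote ip")
INT_FIELDS = ("pid", "ppid", "uid", "audit_uid")


def parse_line(line):
    """Return a dict for one rsbac_adf_request() line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"prio": int(m.group("prio")), "seq": int(m.group("seq"))}
    for chunk in m.group("fields").split(", "):
        for name in MULTIWORD:
            if chunk.startswith(name + " "):
                rec[name.replace(" ", "_")] = chunk[len(name) + 1:]
                break
        else:
            name, _, value = chunk.partition(" ")
            rec[name] = value
    r = RESULT_RE.match(rec.get("result", ""))
    if r:
        rec["result"] = r.group("result")
        rec["module"] = r.group("module")
    for k in INT_FIELDS:
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def denials(lines):
    """All parsed records whose result is NOT_GRANTED."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r.get("result") == "NOT_GRANTED"]


def summarise(records):
    """Count denials per (module, program, request, target type, target id)."""
    return Counter((r["module"], r["prog_name"], r["request"],
                    r["target_type"], r["tid"]) for r in records)


def root_denied(records):
    """Denials hit by a uid 0 process: the jail applies to root as well.

    audit_uid keeps the user the jail was entered as (1003, the kvm user on
    this page); pivot on it when tracing which guest start caused the noise.
    """
    return [r for r in records if r["uid"] == 0]


if __name__ == "__main__":
    recs = denials(SAMPLE_LOG.splitlines())
    for key, n in sorted(summarise(recs).items()):
        print("%-5s %-9s %-19s %-7s %-8s x%d" % (key + (n,)))
    print("%d of %d denials were for uid 0" % (len(root_denied(recs)), len(recs)))
```

Run against the five lines above it reports one BIND and three MODIFY_SYSTEM_DATA denials for ifconfig on vserver plus one for brctl on eth1, all by JAIL and all for uid 0, which is the quickest way to tell "the jail is doing its job on the ifup script" from a real misconfiguration elsewhere on the host.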

===== show-jail-info =====
Do this:
<code bash>cat /proc/rsbac-info/jail</code>

or you can use this:\\
[[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]]
\\
I get this output. It is very similar to the above.
\\
<code bash>
./ps-jail.py
Loading Jail info for Processes, done.
--------------------------------------------------------------------------------
Processname          Pid  Jail-ID   Flags  Max-caps  SCD-get  SCD-mod  Jail-IP
ntpd                7337        7    1539  50349250        0  6291491  0.0.0.0
dmeventd            7281        6    1537        -1        0  2113536  0.0.0.0
cupsd               7103        3    1546        -1        0       32  0.0.0.0
dhcpd               7224        5   67083    271555        0        0  0.0.0.0
pickup              3286        8   67073        -1        0       32  0.0.0.0
qemu-system-x86     3704       28   71178  16855238        0       32  0.0.0.0
master              7441        8   67073        -1        0       32  0.0.0.0
smbd                7560       10    1538  17302752        0       32  0.0.0.0
qemu-system-x86    29614       26   71178  16855238        0       32  0.0.0.0
qmgr                7448        8   67073        -1        0       32  0.0.0.0
nmbd                7561       11    1538  17302752        0       32  0.0.0.0
syslog-ng          11370       13   40448        -1        0        0  0.0.0.0
cron               11428       14   71168        -1        0       32  0.0.0.0
pdnsd              12945       16   71176  17310912   262144    16416  0.0.0.0
qemu-system-x86    25748       23   71178  16855238        0       32  0.0.0.0
qemu-system-x86    26053       24   71178  16855238        0       32  0.0.0.0
portmap             6242        2    1537        -1        0        0  0.0.0.0
smbd                7556       10    1538  17302752        0       32  0.0.0.0
--------------------------------------------------------------------------------
It took 0.94s seconds.
</code>
Fixme: convert numbers in readable names.
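The Max-caps column can be decoded without waiting for that fixme: it is a bitmask over the Linux capability numbers from <linux/capability.h>, and the qemu rows' 16855238 decodes to exactly the eight capabilities listed in kvm-jail-config above, which is a cheap way to verify that run-jail applied the ceiling you wrote. The script below is an added example for this page, not part of ps-jail.py or RSBAC. It assumes that Max-caps is printed as a signed 32-bit value (so -1 means every bit set, i.e. no ceiling), and it leaves the Flags, SCD-get and SCD-mod columns as numbers because those are RSBAC-specific masks. SAMPLE_PS_JAIL holds three rows copied from the output above.

```python
"""Decode the Max-caps column of ps-jail.py (and /proc/rsbac-info/jail) output.

Added example for this page's "Fixme: convert numbers in readable names";
not part of ps-jail.py or RSBAC. Assumption, checked against the qemu rows
on the page: Max-caps is a bitmask indexed by Linux capability numbers,
printed as a signed 32-bit value, so -1 means all bits set (no ceiling).
"""

# Capability bit numbers 0..31 from linux/capability.h, spelled the way the
# kvm-jail-config on this page spells them (lowercase, "CAP_" dropped, '-').
CAP_NAMES = [
    "chown", "dac-override", "dac-read-search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux-immutable", "net-bind-service",
    "net-broadcast", "net-admin", "net-raw", "ipc-lock", "ipc-owner",
    "sys-module", "sys-rawio", "sys-chroot", "sys-ptrace", "sys-pacct",
    "sys-admin", "sys-boot", "sys-nice", "sys-resource", "sys-time",
    "sys-tty-config", "mknod", "lease", "audit-write", "audit-control",
    "setfcap",
]

# The capability list from the kvm-jail-config section of this page.
KVM_JAIL_CONFIG_CAPS = {"net-raw", "setgid", "setuid", "dac-override",
                        "net-admin", "dac-read-search", "sys-resource",
                        "sys-module"}

# Three rows copied from the ps-jail.py output on this page. The qemu row's
# SCD-mod of 32 (bit 5) is the single "(rlimit)" entry of the config; the
# SCD bit tables are not reproduced here.
SAMPLE_PS_JAIL = """\
Loading Jail info for Processes, done.
--------------------------------------------------------------------------------
Processname          Pid  Jail-ID   Flags  Max-caps  SCD-get  SCD-mod  Jail-IP
ntpd                7337        7    1539  50349250        0  6291491  0.0.0.0
dmeventd            7281        6    1537        -1        0  2113536  0.0.0.0
qemu-system-x86     3704       28   71178  16855238        0       32  0.0.0.0
--------------------------------------------------------------------------------
It took 0.94s seconds.
"""


def decode_caps(value):
    """Capability names set in a Max-caps value, in bit order."""
    value &= 0xFFFFFFFF  # -1 as printed by ps-jail.py -> 0xFFFFFFFF
    return [name for bit, name in enumerate(CAP_NAMES) if value >> bit & 1]


def is_unrestricted(value):
    """True when every capability bit is set (shown as -1 by ps-jail.py)."""
    return (value & 0xFFFFFFFF) == 0xFFFFFFFF


def parse_ps_jail(text):
    """Rows of the ps-jail.py table with the Max-caps column decoded."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[1].isdigit():
            continue  # banner, separator, header and timing lines
        name, pid, jail_id, flags, caps, scd_get, scd_mod, ip = parts
        caps = int(caps)
        rows.append({
            "name": name, "pid": int(pid), "jail_id": int(jail_id),
            "flags": int(flags), "max_caps": caps,
            "caps": decode_caps(caps), "unrestricted": is_unrestricted(caps),
            "scd_get": int(scd_get), "scd_mod": int(scd_mod), "jail_ip": ip,
        })
    return rows


def caps_match_config(row, expected=KVM_JAIL_CONFIG_CAPS):
    """Does a jail's decoded ceiling equal the list in kvm-jail-config?"""
    return set(row["caps"]) == set(expected)


def excess_caps(row, expected=KVM_JAIL_CONFIG_CAPS):
    """Capabilities a jail has beyond what kvm-jail-config asks for."""
    return sorted(set(row["caps"]) - set(expected))


if __name__ == "__main__":
    for row in parse_ps_jail(SAMPLE_PS_JAIL):
        caps = "ALL" if row["unrestricted"] else ",".join(row["caps"])
        print("%-16s jail %2d  caps: %s" % (row["name"], row["jail_id"], caps))
```

Feed it the full table and any jail whose row says -1 (dmeventd, cupsd, the postfix daemons, syslog-ng, cron, portmap above) stands out as having no capability ceiling at all, while ntpd's 50349250 decodes to sys-time, ipc-lock and net-bind-service on top of the setuid/setgid pair, which is the profile you would expect for it.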

[[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]]
wiki/experiences/igraltist/kvm_guest_jail.txt · Last modified: 2011/01/07 14:39 by 127.0.0.1