Page history: wiki:experiences:igraltist:kvm_guest_jail, revision of 2009/04/13 00:30 (old revision restored) compared with the current revision of 2011/01/07 13:39 (old revision restored). The current revision follows.

[[wiki:experiences/igraltist#
====== Start kvmguest with rsbac_jail ======
Based on the [[wiki:

===== kvm-jail-config =====
<code bash>
;
; RSBAC JAIL definition for kvm
; 20080507
;
; Tested by igraltist
;

""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-ipc-syslog
allow-ipc-parent
allow-inet-raw
allow-all-net-family)
(net-raw
setgid
setuid
dac-override
net-admin
dac-read-search
sys-resource
sys-module)
()
(rlimit)
</code>
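To make a definition like the one above easier to review before it is handed to rsbac_jail, here is an added example (editor's code, not part of kvm-admin, RSBAC or this wiki page) that parses a jail-config file in the format shown and reports which capabilities the jailed kvm process keeps. The field labels (chroot_dir, jail_ip, jail_flags, max_caps, extra_list, rlimits) are this example's reading of the six positional fields, since the page itself does not name them, and the review heuristics (empty chroot directory, jail IP 0.0.0.0, capabilities that allow escaping DAC or reconfiguring the host) are the editor's, not something the page claims.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the kvm-jail-config shown on this page, comments included.
SAMPLE_CONFIG = """\
;
; RSBAC JAIL definition for kvm
; 20080507
;
; Tested by igraltist
;

""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-ipc-syslog
allow-ipc-parent
allow-inet-raw
allow-all-net-family)
(net-raw
setgid
setuid
dac-override
net-admin
dac-read-search
sys-resource
sys-module)
()
(rlimit)
"""

# ASSUMPTION: positional meaning of the six fields. The page shows the file but
# never names the fields; these labels are the editor's reading, not kvm-admin's.
FIELD_NAMES = ["chroot_dir", "jail_ip", "jail_flags", "max_caps", "extra_list", "rlimits"]
FIELD_IS_LIST = [False, False, True, True, True, True]

# Capabilities from the sample that let a process bypass DAC, change identity,
# reconfigure networking or load kernel code (plain Linux capability semantics).
HIGH_RISK_CAPS = {"sys-module", "dac-override", "net-admin", "setuid", "setgid"}


@dataclass
class JailConfig:
    chroot_dir: str
    jail_ip: str
    jail_flags: List[str]
    max_caps: List[str]
    extra_list: List[str]
    rlimits: List[str]


def tokenize(text: str):
    """Drop ';' comment lines, then yield quoted strings and parenthesised lists."""
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith(";")
    )
    tokens = []
    # A quoted string becomes str; a (...) group becomes a list of whitespace-separated names.
    for m in re.finditer(r'"([^"]*)"|\(([^()]*)\)', body):
        if m.group(1) is not None:
            tokens.append(m.group(1))
        else:
            tokens.append(m.group(2).split())
    return tokens


def parse_jail_config(text: str) -> JailConfig:
    tokens = tokenize(text)
    if len(tokens) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, found {len(tokens)}")
    for name, tok, want_list in zip(FIELD_NAMES, tokens, FIELD_IS_LIST):
        if isinstance(tok, list) != want_list:
            raise ValueError(f"field {name}: expected {'list' if want_list else 'string'}")
    return JailConfig(*tokens)


def risky_caps(cfg: JailConfig) -> List[str]:
    """Capabilities kept in max_caps that are worth a second look."""
    return sorted(HIGH_RISK_CAPS & set(cfg.max_caps))


def review(cfg: JailConfig) -> List[str]:
    """Editor's review heuristics; each finding is one human-readable line."""
    findings = []
    if cfg.chroot_dir == "":
        findings.append("no chroot directory: the jail sees the host filesystem")
    if cfg.jail_ip == "0.0.0.0":
        findings.append("jail IP 0.0.0.0: not pinned to a single address")
    risky = risky_caps(cfg)
    if risky:
        findings.append("high-risk capabilities kept: " + ", ".join(risky))
    return findings


if __name__ == "__main__":
    cfg = parse_jail_config(SAMPLE_CONFIG)
    print("flags:", " ".join(cfg.jail_flags))
    print("caps: ", " ".join(cfg.max_caps))
    for line in review(cfg):
        print("-", line)
```

Run against the sample, the script lists the six jail flags and eight capabilities and flags sys-module, dac-override, net-admin, setuid and setgid for review; whether each is really needed by the guest start-up is a decision for whoever maintains the host.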
===== start kvm-guest =====
See on this [[wiki:

<code bash>
kvm-admin start example
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),
[Errno 2] No such file or directory: '/vmserver/qemu.img'
Using already existing Tap device.
Setting up tun-tap-device,
The follow command would be executing:
['
</code>
\\
Now I start a guest.
<code bash>
kvm-admin start vserver
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),
SIOCSIFADDR: Die Operation ist nicht erlaubt
SIOCSIFFLAGS:
SIOCSIFFLAGS:
SIOCSIFFLAGS:
can't add vserver to bridge eth1: Operation not permitted
(if it is already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)
</code>

So the tap device (here named vserver) has to be added to the bridge manually.\\
In this example the bridge is called dmz_bridge and the tun/tap device is called vserver.
<code bash>
brctl addif dmz_bridge vserver
ifconfig vserver up
</code>

This is what I see in the rsbac log, but the guest is running.
<code bash>
<
<
<
<
<
</code>
===== show-jail-info =====
Do this:
<code bash>cat /</code>

or you can use this:\\
[[http://svn.kasten-edv.de/svn/
\\
I get this output. It is very similar to the above.
\\
<code bash>
./ps-jail.py
Loading Jail info for Processes, done.
--------------------------------------------------------------------------------
Processname
ntpd 7337 7 1539 50349250
dmeventd
cupsd
dhcpd
pickup
qemu-system-x86
master
smbd 7560 10 1538 17302752
qemu-system-x86
qmgr 7448 8 67073 -1 0 32 0.0.0.0
nmbd 7561 11 1538 17302752
syslog-ng
cron 11428 14 71168 -1 0 32 0.0.0.0
pdnsd
qemu-system-x86
qemu-system-x86
portmap
smbd 7556 10 1538 17302752
--------------------------------------------------------------------------------
It took 0.94s seconds.
</code>
Fixme: convert numbers in readable names.

[[wiki: