This shows you the differences between two versions of the page.
| wiki:experiences:igraltist:kvm_guest_jail [2009/05/31 13:37] – (old revision restored) 127.0.0.1 | wiki:experiences:igraltist:kvm_guest_jail [2011/01/07 13:39] (current) – (old revision restored) 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | - [[wiki: | + | [[wiki: |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - ====== Start kvmguest with rsbac_jail ====== | + | ====== Start kvmguest with rsbac_jail ====== |
| - | - Based on the [[wiki: | + | Based on the [[wiki: |
| - | - | + | |
| - | - ===== kvm-jail-config ===== | + | ===== kvm-jail-config ===== |
| - | - <code bash> | + | <code bash> |
| - | - ; | + | ; |
| - | - ; RSBAC JAIL definition for kvm | + | ; RSBAC JAIL definition for kvm |
| - | - ; 20080507 | + | ; 20080507 |
| - | - ; | + | ; |
| - | - ; Tested by igraltist | + | ; Tested by igraltist |
| - | - ; | + | ; |
| - | - | + | |
| - | - "" | + | "" |
| - | - " | + | " |
| - | - (allow-dev-read | + | (allow-dev-read |
| - | - allow-dev-write | + | allow-dev-write |
| - | - allow-ipc-syslog | + | allow-ipc-syslog |
| - | - allow-ipc-parent | + | allow-ipc-parent |
| - | - allow-inet-raw | + | allow-inet-raw |
| - | - allow-all-net-family) | + | allow-all-net-family) |
| - | - (net-raw | + | (net-raw |
| - | - setgid | + | setgid |
| - | - setuid | + | setuid |
| - | - dac-override | + | dac-override |
| - | - net-admin | + | net-admin |
| - | - dac-read-search | + | dac-read-search |
| - | - sys-resource | + | sys-resource |
| - | - sys-module) | + | sys-module) |
| - | - () | + | () |
| - | - (rlimit) | + | (rlimit) |
| - | - </ | + | </ |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - ===== start kvm-guest ===== | + | |
| - | - See on this [[wiki: | + | ===== start kvm-guest ===== |
| - | - | + | See on this [[wiki: |
| - | - <code bash> | + | |
| - | - kvm-admin start example | + | <code bash> |
| - | - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), | + | kvm-admin start example |
| - | - [Errno 2] No such file or directory: '/ | + | uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), |
| - | - Using already existing Tap device. | + | [Errno 2] No such file or directory: '/ |
| - | - Setting up tun-tap-device, | + | Using already existing Tap device. |
| - | - The follow command would be executing: | + | Setting up tun-tap-device, |
| - | - [' | + | The follow command would be executing: |
| - | - </ | + | [' |
| - | - \\ | + | </ |
| - | - Now i start a guest. | + | \\ |
| - | - <code bash> | + | Now I start a guest. |
| - | - kvm-admin start vserver | + | <code bash> |
| - | - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), | + | kvm-admin start vserver |
| - | - SIOCSIFADDR: | + | uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), |
| - | - SIOCSIFFLAGS: | + | SIOCSIFADDR: |
| - | - SIOCSIFFLAGS: | + | SIOCSIFFLAGS: |
| - | - SIOCSIFFLAGS: | + | SIOCSIFFLAGS: |
| - | - can't add vserver to bridge eth1: Operation not permitted | + | SIOCSIFFLAGS: |
| - | - (if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.) | + | can't add vserver to bridge eth1: Operation not permitted |
| - | - </ | + | (if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.) |
| - | - | + | </ |
| - | - If we must add the tap-device = vserver manually to the bridge.\\ | + | |
| - | - In the example is the bridge name dmz_bridge and the tun-tap device name is vserver. | + | If we must add the tap-device = vserver manually to the bridge.\\ |
| - | - <code bash> | + | In the example is the bridge name dmz_bridge and the tun-tap device name is vserver. |
| - | - brctl addif dmz_bridge vserver | + | <code bash> |
| - | - ifconfig vserver up | + | brctl addif dmz_bridge vserver |
| - | - </ | + | ifconfig vserver up |
| - | - | + | </ |
| - | - This I see in the rsbac-log, but the guest is running. | + | |
| - | - <code bash> | + | This I see in the rsbac-log, but the guest is running. |
| - | - < | + | <code bash> |
| - | - < | + | < |
| - | - < | + | < |
| - | - < | + | < |
| - | - < | + | < |
| - | - </ | + | < |
| - | - | + | </ |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - ===== show-jail-info ===== | + | |
| - | - Do this: | + | ===== show-jail-info ===== |
| - | - <code bash>cat / | + | Do this: |
| - | - | + | <code bash>cat / |
| - | - or you can use this:\\ | + | |
| - | - [[http:// | + | or you can use this:\\ |
| - | - \\ | + | [[http:// |
| - | - I get this output. Its very similar to the above. | + | \\ |
| - | - \\ | + | I get this output. Its very similar to the above. |
| - | - <code bash> | + | \\ |
| - | - ./ | + | <code bash> |
| - | - Loading Jail info for Processes, done. | + | ./ |
| - | - -------------------------------------------------------------------------------- | + | Loading Jail info for Processes, done. |
| - | - Processname | + | -------------------------------------------------------------------------------- |
| - | - ntpd 7337 7 1539 50349250 | + | Processname |
| - | - dmeventd | + | ntpd 7337 7 1539 50349250 |
| - | - cupsd 7103 3 1546 -1 0 32 0.0.0.0 | + | dmeventd |
| - | - dhcpd 7224 5 67083 271555 | + | cupsd |
| - | - pickup | + | dhcpd |
| - | - qemu-system-x86 | + | pickup |
| - | - master | + | qemu-system-x86 |
| - | - smbd 7560 10 1538 17302752 | + | master |
| - | - qemu-system-x86 | + | smbd 7560 10 1538 17302752 |
| - | - qmgr 7448 8 67073 -1 0 32 0.0.0.0 | + | qemu-system-x86 |
| - | - nmbd 7561 11 1538 17302752 | + | qmgr 7448 8 67073 -1 0 32 0.0.0.0 |
| - | - syslog-ng | + | nmbd 7561 11 1538 17302752 |
| - | - cron 11428 14 71168 -1 0 32 0.0.0.0 | + | syslog-ng |
| - | - pdnsd 12945 16 71176 17310912 | + | cron 11428 14 71168 -1 0 32 0.0.0.0 |
| - | - qemu-system-x86 | + | pdnsd |
| - | - qemu-system-x86 | + | qemu-system-x86 |
| - | - portmap | + | qemu-system-x86 |
| - | - smbd 7556 10 1538 17302752 | + | portmap |
| - | - -------------------------------------------------------------------------------- | + | smbd 7556 10 1538 17302752 |
| - | - It took 0.94s seconds. | + | -------------------------------------------------------------------------------- |
| - | - </ | + | It took 0.94s seconds. |
| - | - Fixme: convert numbers in readable names. | + | </ |
| - | - | + | Fixme: convert numbers in readable names. |
| - | - [[wiki: | + | |
| - | - | + | [[wiki: |
| - | - | + | |
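Review bot: the capability group of the jail definition in the `kvm-jail-config` section, `(net-raw setgid setuid dac-override net-admin dac-read-search sys-resource sys-module)`, hands the jailed kvm process `sys-module` and `dac-override`, and nothing on the page says why either is needed; if these names map to the Linux capabilities CAP_SYS_MODULE and CAP_DAC_OVERRIDE, the first lets the confined process load kernel modules, which undoes the confinement, and the second bypasses file permission checks on the host. Suggest documenting the reason for each capability or dropping those two, and, since the bridge attachment (`brctl addif dmz_bridge vserver`) is performed by hand outside the jail after the jailed attempt fails with `can't add vserver to bridge eth1: Operation not permitted`, recording which jailed operation actually requires `net-admin`. Apart from that, the two revisions differ only cosmetically: a blank line is added before the `start kvm-guest` and `show-jail-info` headings, and `Now i start a guest.` becomes `Now I start a guest.`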