This shows you the differences between two versions of the page.
| wiki:experiences:igraltist:kvm_guest_jail [2009/08/05 21:30] – (old revision restored) 127.0.0.1 | wiki:experiences:igraltist:kvm_guest_jail [2011/01/07 13:39] (current) – (old revision restored) 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | - [[wiki: | + | [[wiki: |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - ====== Start kvmguest with rsbac_jail ====== | + | ====== Start kvmguest with rsbac_jail ====== |
| - | - Based on the [[wiki: | + | Based on the [[wiki: |
| - | - | + | |
| - | - ===== kvm-jail-config ===== | + | ===== kvm-jail-config ===== |
| - | - <code bash> | + | <code bash> |
| - | - ; | + | ; |
| - | - ; RSBAC JAIL definition for kvm | + | ; RSBAC JAIL definition for kvm |
| - | - ; 20080507 | + | ; 20080507 |
| - | - ; | + | ; |
| - | - ; Tested by igraltist | + | ; Tested by igraltist |
| - | - ; | + | ; |
| - | - | + | |
| - | - "" | + | "" |
| - | - " | + | " |
| - | - (allow-dev-read | + | (allow-dev-read |
| - | - allow-dev-write | + | allow-dev-write |
| - | - allow-ipc-syslog | + | allow-ipc-syslog |
| - | - allow-ipc-parent | + | allow-ipc-parent |
| - | - allow-inet-raw | + | allow-inet-raw |
| - | - allow-all-net-family) | + | allow-all-net-family) |
| - | - (net-raw | + | (net-raw |
| - | - setgid | + | setgid |
| - | - setuid | + | setuid |
| - | - dac-override | + | dac-override |
| - | - net-admin | + | net-admin |
| - | - dac-read-search | + | dac-read-search |
| - | - sys-resource | + | sys-resource |
| - | - sys-module) | + | sys-module) |
| - | - () | + | () |
| - | - (rlimit) | + | (rlimit) |
| - | - </ | + | </ |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
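Review bot: the kvm-jail-config block grants the jailed kvm process `sys-module` and `dac-override` alongside `net-admin` and `net-raw`; a process that may load kernel modules can undo the jail from inside, so drop `sys-module` from the capability list (load the modules kvm needs on the host before running `kvm-admin start`) and re-check whether `dac-override` and `dac-read-search` are still required once the kvm user owns the guest image and the tap device, keeping the set to the capabilities the `start kvm-guest` log actually shows being needed.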
| - | ===== start kvm-guest ===== | + | ===== start kvm-guest ===== |
| - | - See on this [[wiki: | + | See on this [[wiki: |
| - | - | + | |
| - | - <code bash> | + | <code bash> |
| - | - kvm-admin start example | + | kvm-admin start example |
| - | - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), | + | uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), |
| - | - [Errno 2] No such file or directory: '/ | + | [Errno 2] No such file or directory: '/ |
| - | - Using already existing Tap device. | + | Using already existing Tap device. |
| - | - Setting up tun-tap-device, | + | Setting up tun-tap-device, |
| - | - The follow command would be executing: | + | The follow command would be executing: |
| - | - [' | + | [' |
| - | - </ | + | </ |
| - | - \\ | + | \\ |
| - | - Now I start a guest. | + | Now I start a guest. |
| - | - <code bash> | + | <code bash> |
| - | - kvm-admin start vserver | + | kvm-admin start vserver |
| - | - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), | + | uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm), |
| - | - SIOCSIFADDR: | + | SIOCSIFADDR: |
| - | - SIOCSIFFLAGS: | + | SIOCSIFFLAGS: |
| - | - SIOCSIFFLAGS: | + | SIOCSIFFLAGS: |
| - | - SIOCSIFFLAGS: | + | SIOCSIFFLAGS: |
| - | - can't add vserver to bridge eth1: Operation not permitted | + | can't add vserver to bridge eth1: Operation not permitted |
| - | - (if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.) | + | (if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.) |
| - | - </ | + | </ |
| - | - | + | |
| - | - If we must add the tap-device = vserver manually to the bridge.\\ | + | If we must add the tap-device = vserver manually to the bridge.\\ |
| - | - In the example is the bridge name dmz_bridge and the tun-tap device name is vserver. | + | In the example is the bridge name dmz_bridge and the tun-tap device name is vserver. |
| - | - <code bash> | + | <code bash> |
| - | - brctl addif dmz_bridge vserver | + | brctl addif dmz_bridge vserver |
| - | - ifconfig vserver up | + | ifconfig vserver up |
| - | - </ | + | </ |
| - | - | + | |
| - | - This I see in the rsbac-log, but the guest is running. | + | This I see in the rsbac-log, but the guest is running. |
| - | - <code bash> | + | <code bash> |
| - | - < | + | < |
| - | - < | + | < |
| - | - < | + | < |
| - | - < | + | < |
| - | - < | + | < |
| - | - </ | + | </ |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
| - | - | + | |
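Review bot: the start log reports `can't add vserver to bridge eth1: Operation not permitted`, while the manual workaround two blocks later runs `brctl addif dmz_bridge vserver` and the text says the bridge is named `dmz_bridge`; the kvm-admin configuration and the description name different bridges (`eth1` vs `dmz_bridge`), so reconcile them. Since the enslave is denied under the jail even though `net-admin` is in its capability list, state plainly that `brctl addif` and `ifconfig vserver up` are run outside the jail as the host administrator, and finish the sentence `If we must add the tap-device = vserver manually to the bridge.`, which is currently a fragment.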
| + | ===== show-jail-info ===== | ||
| + | Do this: | ||
| + | <code bash>cat / | ||
| + | |||
| + | or you can use this:\\ | ||
| + | [[http:// | ||
| + | \\ | ||
| + | I get this output. Its very similar to the above. | ||
| + | \\ | ||
| + | <code bash> | ||
| + | ./ | ||
| + | Loading Jail info for Processes, done. | ||
| + | -------------------------------------------------------------------------------- | ||
| + | Processname | ||
| + | ntpd 7337 7 1539 50349250 | ||
| + | dmeventd | ||
| + | cupsd | ||
| + | dhcpd | ||
| + | pickup | ||
| + | qemu-system-x86 | ||
| + | master | ||
| + | smbd 7560 10 1538 17302752 | ||
| + | qemu-system-x86 | ||
| + | qmgr 7448 8 67073 -1 0 32 0.0.0.0 | ||
| + | nmbd 7561 11 1538 17302752 | ||
| + | syslog-ng | ||
| + | cron 11428 14 71168 -1 0 32 0.0.0.0 | ||
| + | pdnsd | ||
| + | qemu-system-x86 | ||
| + | qemu-system-x86 | ||
| + | portmap | ||
| + | smbd 7556 10 1538 17302752 | ||
| + | -------------------------------------------------------------------------------- | ||
| + | It took 0.94s seconds. | ||
| + | </ | ||
| + | Fixme: convert numbers in readable names. | ||
| + | |||
| + | [[wiki: | ||
| + | |||
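Review bot: the show-jail-info output in the new revision now carries several numeric columns per row (`ntpd 7337 7 1539 50349250`, `cron 11428 14 71168 -1 0 32 0.0.0.0`) but the only visible column header is `Processname`, and `Fixme: convert numbers in readable names` is left open; paste the full header row of the tool's output so each numeric field can be identified, which also gives the Fixme the names it is asking for.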
| - | ===== show-jail-info ===== | ||
| - | - Do this: | ||
| - | - <code bash>cat / | ||
| - | - | ||
| - | - or you can use this: | ||
| - | - [[http:// | ||
| - | - \\ | ||
| - | - I get this output. Its very similar to the above. | ||
| - | - \\ | ||
| - | - <code bash> | ||
| - | - ./ | ||
| - | - Loading Jail info for Processes, done. | ||
| - | - -------------------------------------------------------------------------------- | ||
| - | - Processname | ||
| - | - ntpd | ||
| - | - dmeventd | ||
| - | - cupsd | ||
| - | - dhcpd | ||
| - | - pickup | ||
| - | - qemu-system-x86 | ||
| - | - master | ||
| - | - smbd | ||
| - | - qemu-system-x86 | ||
| - | - qmgr | ||
| - | - nmbd | ||
| - | - syslog-ng | ||
| - | - cron | ||
| - | - pdnsd | ||
| - | - qemu-system-x86 | ||
| - | - qemu-system-x86 | ||
| - | - portmap | ||
| - | - smbd | ||
| - | - -------------------------------------------------------------------------------- | ||
| - | - It took 0.94s seconds. | ||
| - | - </ | ||
| - | - Fixme: convert numbers in readable names. | ||
| - | - | ||
| - | - [[wiki: | ||
| - | - | ||
| - | - | ||