wiki:experiences:igraltist:kvm_guest_jail
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

This is an old revision of the document!


- Back to igraltist's experiences - - - -

Start kvmguest with rsbac_jail

- Based on the run-jail script and kvm-admin i do this. - -

kvm-jail-config

-

-	;	 
-	; RSBAC JAIL definition for kvm	 
-	; 20080507	 
-	;	 
-	; Tested by igraltist	 
-	;	 
-		 
-	""	 
-	"0.0.0.0"	 
-	(allow-dev-read	 
-	allow-dev-write	 
-	allow-ipc-syslog	 
-	allow-ipc-parent	 
-	allow-inet-raw	 
-	allow-all-net-family)	 
-	(net-raw	 
-	setgid	 
-	setuid	 
-	dac-override	 
-	net-admin	 
-	dac-read-search	 
-	sys-resource	 
-	sys-module)	 
-	()	 
-	(rlimit)	 
-	

- - - - - - - -

===== start kvm-guest =====	 

- See on this example kvm-guest-config the content from file. - -

-	kvm-admin start example	 
-	uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)	 
-	[Errno 2] No such file or directory: '/vmserver/qemu.img'	 
-	Using already existing Tap device.	 
-	Setting up tun-tap-device, done ....	 
-	The follow command would be executing: 	 
-	['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']	 
-	

-
- Now I start a guest. -

-	kvm-admin start vserver	 
-	uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)	 
-	SIOCSIFADDR: Die Operation ist nicht erlaubt	 
-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
-	can't add vserver to bridge eth1: Operation not permitted	 
-	(if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)	 
-	

- - If we must add the tap-device = vserver manually to the bridge.
- In the example is the bridge name dmz_bridge and the tun-tap device name is vserver. -

-	brctl addif dmz_bridge vserver	 
-	ifconfig vserver up	 
-	

- - This I see in the rsbac-log, but the guest is running. -

-	<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
-	<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
-	<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
-	<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
-	<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL	 
-	

- - - - - -

===== show-jail-info =====	 

- Do this: -

cat /proc/rsbac-info/jail

- - or you can use this:
- http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py -
- I get this output. Its very similar to the above. -
-

-	./ps-jail.py 	 
-	Loading Jail info for Processes, done.	 
-	--------------------------------------------------------------------------------	 
-	Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP	 
-	ntpd                7337      7  1539 50349250        0  6291491 0.0.0.0	 
-	dmeventd            7281      6  1537      -1        0  2113536 0.0.0.0	 
-	cupsd                7103      3  1546      -1        0      32 0.0.0.0	 
-	dhcpd                7224      5  67083  271555        0        0 0.0.0.0	 
-	pickup              3286      8  67073      -1        0      32 0.0.0.0	 
-	qemu-system-x86      3704    28  71178 16855238        0      32 0.0.0.0	 
-	master              7441      8  67073      -1        0      32 0.0.0.0	 
-	smbd                7560    10  1538 17302752        0      32 0.0.0.0	 
-	qemu-system-x86    29614    26  71178 16855238        0      32 0.0.0.0	 
-	qmgr                7448      8  67073      -1        0      32 0.0.0.0	 
-	nmbd                7561    11  1538 17302752        0      32 0.0.0.0	 
-	syslog-ng          11370    13  40448      -1        0        0 0.0.0.0	 
-	cron                11428    14  71168      -1        0      32 0.0.0.0	 
-	pdnsd              12945    16  71176 17310912  262144    16416 0.0.0.0	 
-	qemu-system-x86    25748    23  71178 16855238        0      32 0.0.0.0	 
-	qemu-system-x86    26053    24  71178 16855238        0      32 0.0.0.0	 
-	portmap              6242      2  1537      -1        0        0 0.0.0.0	 
-	smbd                7556    10  1538 17302752        0      32 0.0.0.0	 
-	--------------------------------------------------------------------------------	 
-	It took 0.94s seconds.	 
-	

- Fixme: convert numbers in readable names. - - Top - -

//
wiki/experiences/igraltist/kvm_guest_jail.1249507804.txt.gz · Last modified: 2009/08/05 23:30 by 127.0.0.1

wiki/experiences/igraltist/kvm_guest_jail.1249507804.txt.gz · Last modified: 2009/08/05 23:30 by 127.0.0.1
This website is kindly hosted by m-privacy