wiki:experiences:igraltist:kvm_guest_jail
[[wiki:experiences/igraltist#kvm_on_rsbac|Back to igraltist's experiences/KVM on RSBAC]]



====== Start kvmguest with rsbac_jail ======
Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]] I do this.

===== kvm-jail-config =====
<code bash>
;
; RSBAC JAIL definition for kvm
; 20080507
;
; Tested by igraltist
;

""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-ipc-syslog
allow-ipc-parent
allow-inet-raw
allow-all-net-family)
(net-raw
setgid
setuid
dac-override
net-admin
dac-read-search
sys-resource
sys-module)
()
(rlimit)
</code>


===== start kvm-guest =====
See the [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] for the content of the file.

<code bash>
kvm-admin start example
uid=1003(kvm) gid=1003(kvm) groups=1003(kvm),6(disk),85(usb)
[Errno 2] No such file or directory: '/vmserver/qemu.img'
Using already existing Tap device.
Setting up tun-tap-device, done ....
The following command would be executed:
['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']
</code>
\\
Now I start a guest.
<code bash>
kvm-admin start vserver
uid=1003(kvm) gid=1003(kvm) groups=1003(kvm),6(disk),85(usb)
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
can't add vserver to bridge eth1: Operation not permitted
(if it is already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)
</code>

So the tap device (vserver) has to be added to the bridge manually, from outside the jail.\\
In this example the bridge is named dmz_bridge and the tun/tap device is named vserver.
<code bash>
brctl addif dmz_bridge vserver
ifconfig vserver up
</code>
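The two commands above have to run as root on the host, in a session that is not inside the jail, because the JAIL module refuses NETDEV changes to jailed processes (the rsbac log further down shows exactly those denials). As an added example that is not part of kvm-admin or run-jail, here is a small helper that issues the same brctl/ifconfig commands but first asks the kernel, through sysfs, whether the tap is already a bridge port, so the "already a member of a bridge" case above is handled instead of tripping over brctl's error. The sysfs path and the two commands are real; the function names, the file name attach_tap.py and the sysfs-root parameter are my own choices.

```python
"""Attach a guest's tap device to a bridge from outside the RSBAC jail.

Added example; not part of igraltist's kvm-admin or run-jail. Run as root on
the host, outside the jail, because the JAIL module denies BIND and
MODIFY_SYSTEM_DATA on NETDEV targets to jailed processes.
"""
import os
import subprocess
import sys
from typing import List, Optional

# The kernel exposes bridge membership as a symlink:
#   /sys/class/net/<port>/brport/bridge -> ../../<bridge>
# The sysfs root is a parameter so the decision logic can be exercised
# against a fake directory tree (the test below does that).
SYSFS_NET = "/sys/class/net"


def bridge_of(tap: str, sysfs_net: str = SYSFS_NET) -> Optional[str]:
    """Name of the bridge `tap` is enslaved to, or None if it is not a port."""
    link = os.path.join(sysfs_net, tap, "brport", "bridge")
    if not os.path.islink(link):  # brport/ only exists while enslaved
        return None
    return os.path.basename(os.readlink(link))


def plan_attach(tap: str, bridge: str, sysfs_net: str = SYSFS_NET) -> List[List[str]]:
    """Commands needed to make `tap` a port of `bridge` and bring it up.

    A tap already enslaved to a *different* bridge is a configuration
    conflict (the kernel refuses a second addif anyway), so that case raises
    instead of being retried or silently skipped.
    """
    current = bridge_of(tap, sysfs_net)
    if current is not None and current != bridge:
        raise RuntimeError(f"{tap} is already a member of bridge {current}, not {bridge}")
    commands: List[List[str]] = []
    if current is None:
        commands.append(["brctl", "addif", bridge, tap])
    # Setting an interface up when it is already up is harmless, so always do it.
    commands.append(["ifconfig", tap, "up"])
    return commands


def attach(tap: str, bridge: str, sysfs_net: str = SYSFS_NET,
           dry_run: bool = False) -> List[List[str]]:
    """Execute the plan and return it; with dry_run=True only return it."""
    commands = plan_attach(tap, bridge, sysfs_net)
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)  # non-zero exit raises CalledProcessError
    return commands


if __name__ == "__main__":
    # usage: attach_tap.py <tap> <bridge>   e.g.  attach_tap.py vserver dmz_bridge
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <tap> <bridge>")
    for cmd in attach(sys.argv[1], sys.argv[2]):
        print("ran:", " ".join(cmd))
```

Checking sysfs rather than parsing brctl's error text is what makes this safe to re-run from a start script: a tap that is already where it should be costs only an ifconfig up, and a tap that sits in the wrong bridge is reported instead of being fought over.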

This is what I see in the rsbac log, but the guest is running.
<code bash>
<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
</code>
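Five denials can be read one by one; a few hundred cannot. As an added example (not RSBAC's own tooling), the script below parses rsbac_adf_request() lines in the format shown above, groups NOT_GRANTED decisions by module, program, request and target, and separately lists the denials that hit a uid-0 process whose audit uid is an ordinary user. That second list is the situation above: the ifup script ran as root, descended from the kvm user's jailed qemu, and the jail followed it. The regular expression is written against the field order of these exact lines; the sample input is the five lines from the log above, embedded as a constant.

```python
"""Triage RSBAC ADF decisions from log lines.

Added example; not part of RSBAC's tooling. It understands the
rsbac_adf_request() line format shown on this page and summarises denials.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Field order matches the log lines above. The "<6>0000001281|" prefix
# (syslog priority plus RSBAC's sequence number) is optional so that lines
# copied from a log sink that strips it still parse.
_ADF_RE = re.compile(
    r"^(?:<\d+>\d+\|)?rsbac_adf_request\(\): "
    r"request (?P<request>[^,]+), pid (?P<pid>\d+), ppid (?P<ppid>\d+), "
    r"prog_name (?P<prog_name>[^,]+), prog_file (?P<prog_file>[^,]+), "
    r"uid (?P<uid>\d+), audit uid (?P<audit_uid>\d+), remote ip (?P<remote_ip>[^,]+), "
    r"target_type (?P<target_type>[^,]+), tid (?P<tid>[^,]+), "
    r"attr (?P<attr>[^,]+), value (?P<value>[^,]+), "
    r"result (?P<result>\S+) by (?P<module>\S+)$"
)

# Constructed sample: the five lines from the rsbac log on this page.
SAMPLE_LOG = [
    "<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL",
    "<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL",
    "<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL",
    "<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL",
    "<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL",
]

DenialKey = Tuple[str, str, str, str, str]  # module, prog_name, request, target_type, tid


def parse_adf_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one rsbac_adf_request() line, or None if the line is not one."""
    m = _ADF_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_denials(lines: List[str]) -> Counter:
    """Count NOT_GRANTED decisions per (module, program, request, target type, target)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_adf_line(line)
        if rec and rec["result"] == "NOT_GRANTED":
            counts[(rec["module"], rec["prog_name"], rec["request"],
                    rec["target_type"], rec["tid"])] += 1
    return counts


def root_with_user_audit_uid(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Denials hit by a process running as uid 0 whose audit uid is not 0.

    RSBAC's audit uid tracks the user who logged in and survives later setuid
    calls, so this pattern means a root process (setuid binary, sudo, ...)
    inside that user's jail. Returns (pid, prog_name, audit_uid) per denial.
    """
    hits = []
    for line in lines:
        rec = parse_adf_line(line)
        if (rec and rec["result"] == "NOT_GRANTED"
                and rec["uid"] == "0" and rec["audit_uid"] != "0"):
            hits.append((rec["pid"], rec["prog_name"], rec["audit_uid"]))
    return hits


def report(lines: List[str]) -> str:
    """Human-readable summary, most frequent denial first."""
    out = []
    for (module, prog, request, ttype, tid), n in summarize_denials(lines).most_common():
        out.append(f"{n:4d}  {module:<6} denied {request:<20} {prog} -> {ttype} {tid}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(lines))
```

Pipe `dmesg` or the rsbac log file into it; with no input it runs over the embedded sample and prints the ifconfig MODIFY_SYSTEM_DATA line (3 denials) first.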
===== show-jail-info =====
Do this:
<code bash>cat /proc/rsbac-info/jail</code>

or you can use this:\\
[[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]]
\\
I get this output. It's very similar to the above.
\\
<code bash>
./ps-jail.py
Loading Jail info for Processes, done.
--------------------------------------------------------------------------------
 Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP
 ntpd                7337      7  1539 50349250        0  6291491 0.0.0.0
 dmeventd            7281      6  1537      -1        0  2113536 0.0.0.0
 cupsd               7103      3  1546      -1        0       32 0.0.0.0
 dhcpd               7224      5  67083  271555        0        0 0.0.0.0
 pickup              3286      8  67073      -1        0       32 0.0.0.0
 qemu-system-x86     3704     28  71178 16855238       0       32 0.0.0.0
 master              7441      8  67073      -1        0       32 0.0.0.0
 smbd                7560     10  1538 17302752        0       32 0.0.0.0
 qemu-system-x86    29614     26  71178 16855238       0       32 0.0.0.0
 qmgr                7448      8  67073      -1        0       32 0.0.0.0
 nmbd                7561     11  1538 17302752        0       32 0.0.0.0
 syslog-ng          11370     13  40448      -1        0        0 0.0.0.0
 cron               11428     14  71168      -1        0       32 0.0.0.0
 pdnsd              12945     16  71176 17310912   262144    16416 0.0.0.0
 qemu-system-x86    25748     23  71178 16855238       0       32 0.0.0.0
 qemu-system-x86    26053     24  71178 16855238       0       32 0.0.0.0
 portmap             6242      2  1537      -1        0        0 0.0.0.0
 smbd                7556     10  1538 17302752        0       32 0.0.0.0
--------------------------------------------------------------------------------
It took 0.94s seconds.
</code>
Fixme: convert the numbers into readable names.
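The Max-caps column can be made readable with certainty: it is a Linux capability bitmask, and the capability numbers from <linux/capability.h> are fixed (CAP_CHOWN = 0, CAP_DAC_OVERRIDE = 1, ..., CAP_SETFCAP = 31). Decoded that way, the qemu rows come out as exactly the (net-raw setgid setuid dac-override net-admin dac-read-search sys-resource sys-module) list of the kvm-jail-config at the top of this page; SCD-mod 32 is a single bit where the config's only entry is (rlimit), SCD-get 0 matches the empty (), and 0.0.0.0 is the Jail-IP. A Max-caps of -1 is the all-ones mask, i.e. no capability ceiling at all. The Flags, SCD-get and SCD-mod bit assignments come from rsbac/types.h of the kernel in use, so the added example below (written for the Fixme above, not part of RSBAC or ps-jail.py) reports only their set bit positions and leaves that lookup to the reader; the sample input is three rows copied from the table above, the WATCH_CAPS list is my own choice.

```python
"""Make the numeric columns of ps-jail.py / /proc/rsbac-info/jail readable.

Added example for the Fixme on this page; not part of RSBAC or ps-jail.py.
Max-caps is decoded with the capability numbers from <linux/capability.h>.
Flags, SCD-get and SCD-mod are RSBAC JAIL bitmasks whose bit assignments
live in rsbac/types.h of the running kernel, so only their set bit positions
are reported; look those up in the header for your version.
"""
from typing import Any, Dict, List

# index == capability number (CAP_CHOWN = 0 ... CAP_SETFCAP = 31)
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control", "setfcap",
]

# Capabilities worth a conscious decision in a jail: each one lets a root
# process reach well beyond its own address space. (My choice, not RSBAC's.)
WATCH_CAPS = {"sys_module", "sys_admin", "sys_rawio", "sys_ptrace", "net_admin"}

# Constructed sample: header, three rows and the trailer copied from the
# ps-jail.py output on this page.
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
 Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP
 ntpd                7337      7  1539 50349250        0  6291491 0.0.0.0
 cupsd               7103      3  1546      -1        0       32 0.0.0.0
 qemu-system-x86     3704     28  71178 16855238       0       32 0.0.0.0
--------------------------------------------------------------------------------
It took 0.94s seconds.
"""


def set_bits(mask: int) -> List[int]:
    """Positions of the set bits in a non-negative mask, lowest first."""
    if mask < 0:
        raise ValueError("negative mask: only Max-caps uses the -1 convention")
    return [i for i in range(mask.bit_length()) if mask >> i & 1]


def decode_caps(mask: int) -> List[str]:
    """Capability names in a Max-caps value; -1 (all ones) means no ceiling."""
    if mask < 0:
        return ["ALL"]
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"cap_{i}" for i in set_bits(mask)]


def parse_ps_jail(text: str) -> List[Dict[str, Any]]:
    """Rows of the ps-jail.py table; header, rulers and the timing line are skipped."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 8 or not p[1].isdigit():  # data rows have 8 columns and a numeric Pid
            continue
        rows.append({"name": p[0], "pid": int(p[1]), "jail_id": int(p[2]),
                     "flags": int(p[3]), "max_caps": int(p[4]),
                     "scd_get": int(p[5]), "scd_mod": int(p[6]), "jail_ip": p[7]})
    return rows


def audit(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Readable cap ceiling per jailed process, plus which watched caps it keeps."""
    result = []
    for r in rows:
        caps = decode_caps(r["max_caps"])
        watched = sorted(WATCH_CAPS) if caps == ["ALL"] else sorted(WATCH_CAPS & set(caps))
        result.append({"name": r["name"], "pid": r["pid"], "jail_id": r["jail_id"],
                       "caps": caps, "watched": watched,
                       "flag_bits": set_bits(r["flags"]),
                       "scd_get_bits": set_bits(r["scd_get"]),
                       "scd_mod_bits": set_bits(r["scd_mod"])})
    return result


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for a in audit(parse_ps_jail(text)):
        print(f"{a['name']:<16} pid {a['pid']:>6} jail {a['jail_id']:>3} "
              f"caps={','.join(a['caps'])} watched={a['watched']} "
              f"flag_bits={a['flag_bits']} scd_mod_bits={a['scd_mod_bits']}")
```

Run it as `./ps-jail.py | python3 decode_jail.py` (file name is my choice). For the qemu rows the watched list is `['net_admin', 'sys_module']`: the cap ceiling is only one of the jail's limits, but whether a VM host jail should keep CAP_SYS_MODULE at all is a decision to make deliberately rather than by default.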

[[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]]

wiki/experiences/igraltist/kvm_guest_jail.txt · Last modified: 2011/01/07 14:39 by 127.0.0.1

This website is kindly hosted by m-privacy