From: Benedict V. <ben...@gm...> - 2007-08-17 13:30:20

Hi,

I moved my vservers to UML but in the process, I ran into a problem. I need to access the /home partition from several UMLs. I first thought of using hostfs and leaving /home on the host machine. This for instance resulted in saving emails from a user with root rights. Anyway, to solve this, I thought of making a file to share between the UMLs and putting all data from /home in there. I found out about ocfs2 and it seems this would allow just that.

I've set up etc/ocfs2/cluster.conf/, with the host and 2 guests as nodes. The host too because I want /home to be in the file (home_fs) and not anywhere else. I'm however not sure this is the correct way to proceed and how and what components I need from ocfs2. I installed the tools and as I said, I made the cluster.conf file, copied it to the 2 UMLs. The ocfs2 services are started but when I want to mount it (to first copy /home over), I get this error:

    # mount -t ocfs2 /storage1/vm/home_fs /mnt/debinst
    ocfs2_hb_ctl: The block size is smaller than the sector size on this device while reading uuid
    mount.ocfs2: Error when attempting to run /sbin/ocfs2_hb_ctl: "Operation not permitted"

I formatted the file like this:

    mkfs.ocfs2 -b 4k -C 32K -L "ocs" -N 4 home_fs

I know that afterwards I need to specify it at start up with an added c:

    ... ubd2c=home_fs ...

What am I missing? Is there any specific documentation to getting this to work with UML, or another way I can share parts between UMLs?

Regards,
Benedict
From: Jeff D. <jd...@ad...> - 2007-08-17 15:54:58

On Fri, Aug 17, 2007 at 03:24:59PM +0200, Benedict Verheyen wrote:
> I first thought of using hostfs and leaving /home on the host machine.
> This for instance resulted in saving emails from a user with root rights.
> Anyway, to solve this, i thought of making file to share between the
> umls and putting all data from /home in there.

hostfs should work in this case. If you have a UML running as user, importing the host's /home/user, the permissions should be OK.

The one odd thing, which shouldn't hurt, is that if the user inside UML is root, and saves files, they will be owned by user, not root.

> I found out about ocfs2 and it seems this would allow just that.
> I've set up etc/ocfs2/cluster.conf/, with the host and 2 guests as node.
> The host too because i want /home to be in the file (home_fs) and not
> anywhere else.

ocfs2 should work, but setting up a cluster is overkill for what you want.

Jeff

--
Work email - jdike at linux dot intel dot com
From: Benedict V. <ben...@gm...> - 2007-08-18 00:53:57

Jeff Dike wrote:
<snip>

Thanks for your answers Jeff.

> hostfs should work in this case. If you have a UML running as user,
> importing the host's /home/user, the permissions should be OK.

OK, but what if I want to import all of /home and not just /home/usr? Is hostfs still usable in this case? Because then the other users' homes would also have the permissions of the user running the UML?

> The one odd thing, which shouldn't hurt, is that if the user inside
> UML is root, and saves files, they will be owned by user, not root.

Indeed, that wouldn't be bad.

> ocfs2 should work, but setting up a cluster is overkill for what you
> want.

But it's probably the only way to share a device file between UMLs, or are there other technologies that do allow that and maybe with less overkill?

Thanks,
Benedict
From: Benedict V. <ben...@gm...> - 2007-08-21 21:00:15

Jeff Dike wrote:
> On Fri, Aug 17, 2007 at 03:24:59PM +0200, Benedict Verheyen wrote:
>> I first thought of using hostfs and leaving /home on the host machine.
>> This for instance resulted in saving emails from a user with root rights.
>> Anyway, to solve this, i thought of making file to share between the
>> umls and putting all data from /home in there.
>
> hostfs should work in this case. If you have a UML running as user,
> importing the host's /home/user, the permissions should be OK.
>
> The one odd thing, which shouldn't hurt, is that if the user inside
> UML is root, and saves files, they will be owned by user, not root.
>
>> I found out about ocfs2 and it seems this would allow just that.
>> I've set up etc/ocfs2/cluster.conf/, with the host and 2 guests as node.
>> The host too because i want /home to be in the file (home_fs) and not
>> anywhere else.
>
> ocfs2 should work, but setting up a cluster is overkill for what you
> want.

I tried starting the UML as my user. This is part of my UML startup script:

    # Creating tap device
    # $UMLUSER is set to "benedict"
    d_create_device() {
        # create tun device if it doesn't exist yet + give appropriate rights
        if [ ! -d /dev/net ]
        then
            # create the directory
            mkdir -p /dev/net
            echo " /dev/net created"
        #else
        #    echo " /dev/tun exists"
        fi
        if [ ! -e /dev/net/tun ]
        then
            # create the node
            mknod -m 660 /dev/net/tun c 10 200
            chown root:uml /dev/net/tun
            chmod 660 /dev/net/tun
            echo "/dev/net/tun created"
            # insert rules for udev
            if [ ! -f /etc/udev/rules.d/011-udev.rules ]
            then
                echo "udevrules created"
                touch /etc/udev/rules.d/011-udev.rules
                # append the rule with echo (cat would try to open the literal as a file)
                echo 'KERNEL="tun", NAME="net/%k", GROUP="uml", MODE="0660"' >> /etc/udev/rules.d/011-udev.rules
            #else
            #    echo " udevrules exists"
            fi
        else
            #echo " /dev/net/tun exists"
            chown root:uml /dev/net/tun
        fi
        # create tap device if we aren't doing bridging
        if [ $BRIDGING -eq 0 ]
        then
            echo "Creating $TAP"
            tunctl -u $UMLUSER -t $TAP
            ifconfig $TAP $IP_TAP up
            route add -host $IP_VM dev $TAP
            bash -c 'echo 1 > /proc/sys/net/ipv4/conf/'$TAP'/proxy_arp'
            arp -Ds $IP_VM $INT pub
        fi
    }

The tun device is owned by root though. Does this also have to be my user?

The UML startup line:

    screen -S loki -d -m /storage1/vm/vmlinux_2.6.22.2 mem=64M devfs=nomount rw ubd0=/storage1/vm/root_fs_loki ubd1=/storage1/vm/swap_fs_loki eth0=tuntap,tap1 umid=loki con=null con0=fd:0,fd:1

When getmail then gets mail (what's in a name :)), the mail is saved in my Maildir but still as root:root.

My UML's fstab:

    ...
    none /home hostfs defaults,/home 0 0

What am I doing wrong?

Thanks,
Regards,
Benedict
From: Jeff D. <jd...@ad...> - 2007-08-22 17:34:41

On Tue, Aug 21, 2007 at 10:59:52PM +0200, Benedict Verheyen wrote:
> The tun device is owned by root though. Does this also have to be my user?

No - it just needs to be accessible to whoever is running the UML.

> When getmail then gets mail (what's in a name :)), the mail is saved in my
> Maildir but still as root:root.

So, mail lands in /home/benedict/Maildir, and it's owned by root? This is done inside the UML? And if you look at the file on the host, it's owned by root?

Jeff

--
Work email - jdike at linux dot intel dot com
From: Benedict V. <ben...@gm...> - 2007-08-22 23:42:58

Jeff Dike wrote:

Thanks Jeff for answering my questions. Much appreciated.

>> The tun device is owned by root though. Does this also have to be my user?
>
> No - it just needs to be accessible to whoever is running the UML.

OK.

>> When getmail then gets mail (what's in a name :)), the mail is saved in my
>> Maildir but still as root:root.
>
> So, mail lands in /home/benedict/Maildir, and it's owned by root?

Yes. For example:

    -rw------- 1 root root 5169 2007-08-23 00:55 1187823336.M269442P1290V000000000000000FI0002252A_0.loki,S=5169:2,

> This is done inside the UML?

Yes, I'm trying to move my vserver mail setup (getmail, exim4, courier, maildrop, spamassassin, clamav) to UML. The config files are exactly the same, yet on vserver it works.

> And if you look at the file on the host, it's owned by root?

Yes, it's owned by root.

How can I be certain that my UML is started as user benedict?

Thanks,
Benedict
From: Jeff D. <jd...@ad...> - 2007-08-23 03:24:35

On Thu, Aug 23, 2007 at 01:42:38AM +0200, Benedict Verheyen wrote:
> > And if you look at the file on the host, it's owned by root?
> Yes, it's owned by root.

Then the UML is running as root on the host, which is not recommended.

> How can i be certain that my uml is started as user benedict?

I.e. how can you check that it is, or how can you ensure that it is?

For the first, ps will obviously tell you.

For the second, be benedict when you start UML.

Jeff

--
Work email - jdike at linux dot intel dot com
From: Benedict V. <ben...@gm...> - 2007-08-23 08:01:16

Hi,

Hmmm, it's indeed running as root then. The reason is this: all UMLs get started automatically at the start of the system because they are meant to act as virtualized servers. In my scripts, I also make a tap device and then delete it again when the UML stops. I also do arping in the script, which doesn't work as a normal user.

What is a good solution if I want the UMLs to start on system startup and keep the ability for the script to create the tap device and do arping, or would it be better if I put the creating & deleting of the tap devices in a startup script of its own?

This is the full startup script of the UML I'm talking about:

============================================================
#! /bin/sh

set -e

if [ "x$1" = "x-v" ]; then
    VERBOSE=1
    shift
else
    VERBOSE=0
fi
VERBOSE=1

e() { test $VERBOSE = 1 && echo $@; $@; }

# Standard script options
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="uml virtual machine"
NAME="loki"
# NAME has to be set before SCRIPTNAME, otherwise SCRIPTNAME expands to /etc/init.d/uml_
SCRIPTNAME=/etc/init.d/uml_$NAME

# Uml options
BRIDGING=0
TAP="tap1"
IP_TAP="192.168.1.121"
IP_VM="192.168.1.21"
INT="eth1"
MYOPTIONS="mem=64M"
UML="/storage1/vm"
KERNEL="vmlinux_2.6.22.2"
UMLUSER="benedict"
OPTIONS="$MYOPTIONS devfs=nomount rw ubd0=$UML/root_fs_$NAME ubd1=$UML/swap_fs_$NAME eth0=tuntap,$TAP umid=$NAME"

d_create_device() {
    # create tun device if it doesn't exist yet + give appropriate rights
    if [ ! -d /dev/net ]
    then
        # create the directory
        mkdir -p /dev/net
        echo " /dev/net aangemaakt"
    #else
    #    echo " /dev/tun bestaat"
    fi
    if [ ! -e /dev/net/tun ]
    then
        # create the node
        mknod -m 660 /dev/net/tun c 10 200
        chown root:uml /dev/net/tun
        chmod 660 /dev/net/tun
        echo "/dev/net/tun aangemaakt"
        # insert rules for udev
        if [ ! -f /etc/udev/rules.d/011-udev.rules ]
        then
            echo "udevrules aangemaakt"
            touch /etc/udev/rules.d/011-udev.rules
            # append the rule with echo (cat would try to open the literal as a file)
            echo 'KERNEL="tun", NAME="net/%k", GROUP="uml", MODE="0660"' >> /etc/udev/rules.d/011-udev.rules
        #else
        #    echo " udevrules bestaat "
        fi
    else
        #echo " /dev/net/tun bestaat"
        chown root:uml /dev/net/tun
    fi
    # create tap device if we aren't doing bridging
    if [ $BRIDGING -eq 0 ]
    then
        echo "Creating $TAP"
        tunctl -u $UMLUSER -t $TAP
        ifconfig $TAP $IP_TAP up
        route add -host $IP_VM dev $TAP
        bash -c 'echo 1 > /proc/sys/net/ipv4/conf/'$TAP'/proxy_arp'
        arp -Ds $IP_VM $INT pub
    fi
}

#
# Function that starts the daemon/service.
#
d_start() {
    #start-stop-daemon --start --quiet --pidfile $PIDFILE \
    #    --exec $DAEMON
    d_create_device
    e screen -S $NAME -d -m $UML/$KERNEL $OPTIONS con=null con0=fd:0,fd:1
}

#
# Function that stops the daemon/service.
#
d_stop() {
    #start-stop-daemon --stop --quiet --pidfile $PIDFILE \
    #    --name $NAME
    if [ -d /root/.uml/$NAME ]
    then
        e uml_mconsole $NAME cad
        e sleep 8
    fi
    # remove the tap settings if we aren't doing bridging
    if [ $BRIDGING -eq 0 ]
    then
        echo "Deleting $TAP"
        arp -i $INT -d $IP_VM pub
        route del -host $IP_VM dev $TAP
        ifconfig $TAP 0.0.0.0 promisc up
        tunctl -d $TAP
    fi
}

#
# Function that sends a SIGHUP to the daemon/service.
#
d_reload() {
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --name $NAME --signal 1
}

case "$1" in
  start)
    echo "Starting $DESC: $NAME"
    d_start
    echo "."
    ;;
  stop)
    echo "Stopping $DESC: $NAME"
    d_stop
    echo "."
    ;;
  restart|force-reload)
    #
    # If the "reload" option is implemented, move the "force-reload"
    # option to the "reload" entry above. If not, "force-reload" is
    # just the same as "restart".
    #
    echo -n "Restarting $DESC: $NAME"
    d_stop
    sleep 1
    d_start
    echo "."
    ;;
  *)
    # echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0
============================================================

Regards,
Benedict

> On Thu, Aug 23, 2007 at 01:42:38AM +0200, Benedict Verheyen wrote:
>
>>> And if you look at the file on the host, it's owned by root?
>>>
>> Yes, it's owned by root.
>>
>
> Then the UML is running as root on the host, which is not recommended.
>
>
>> How can i be certain that my uml is started as user benedict?
>>
>
> I.e. how can you check that it is, or how can you ensure that it is?
>
> For the first, ps will obviously tell you.
>
> For the second, be benedict when you start UML.
>
> Jeff
>
From: Jeff D. <jd...@ad...> - 2007-08-24 17:06:42

On Thu, Aug 23, 2007 at 10:01:03AM +0200, Benedict Verheyen wrote:
> Hmmm it's indeed running as root then. The reason is this:
> all uml's get started automatically at the start of the system because they
> are meant to act as virtualized servers.
> What is a good solution if i want the UML's to start on system startup
> and keep
> the ability for the script to create the tap device and do arping or
> would it be
> better if put the creating & deleting of the tapdevices in a startup
> script of
> it's own?
>
> This is full startup script of the uml i'm talking about:

> e screen -S $NAME -d -m $UML/$KERNEL $OPTIONS con=null con0=fd:0,fd:1

You want a sudo -u $UMLUSER before that screen.

> tunctl -u $UMLUSER -t $TAP

Which would be consistent with the tunctl setup.

Jeff

--
Work email - jdike at linux dot intel dot com
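The privilege split Jeff suggests, written out as an added example (not code from the thread): the root-run init script keeps the tap and arp setup, launches the kernel under sudo -u $UMLUSER, refuses to start if UMLUSER is root or missing, and checks afterwards that the guest really runs as that user (Jeff's "ps will tell you", read from /proc here). It assumes a Linux host with sudo, screen and tunctl, reuses the variable names from the posted script, and expects d_create_device from that script to be defined in the same file.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux host (/proc present),
# sudo, screen and tunctl, and d_create_device() from the posted init script.
UMLUSER="${UMLUSER:-benedict}"
NAME="${NAME:-loki}"
TAP="${TAP:-tap1}"
UML="${UML:-/storage1/vm}"
KERNEL="${KERNEL:-vmlinux_2.6.22.2}"
OPTIONS="${OPTIONS:-mem=64M devfs=nomount rw ubd0=$UML/root_fs_$NAME ubd1=$UML/swap_fs_$NAME eth0=tuntap,$TAP umid=$NAME}"

# Returns 0 only if $1 names an existing, non-root account. A UML started
# from an init script runs as root unless it is explicitly dropped to a user,
# and through hostfs that root identity becomes the owner of every file.
check_umluser() {
    user="$1"
    [ -n "$user" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# The launch line with sudo -u in front of screen, so both screen and the
# kernel run as $1 while the tap created with tunctl -u $1 stays usable.
uml_launch_cmd() {
    printf 'sudo -u %s screen -S %s -d -m %s/%s %s con=null con0=fd:0,fd:1' \
        "$1" "$NAME" "$UML" "$KERNEL" "$OPTIONS"
}

# Real uid of process $1, taken from /proc so it works without procps.
proc_uid() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# Returns 0 when pid $1 runs with the uid of account $2.
uml_runs_as() {
    want=$(id -u "$2" 2>/dev/null) || return 1
    [ "$(proc_uid "$1")" = "$want" ]
}

# Start sequence: privileged network setup as root, then the unprivileged
# launch, then a post-start check that fails loudly instead of silently
# running the guest as root.
d_start() {
    check_umluser "$UMLUSER" || { echo "refusing to start $NAME: UMLUSER '$UMLUSER' is root or unknown" >&2; return 1; }
    d_create_device                      # tunctl/ifconfig/route/arp, root-only work
    eval "$(uml_launch_cmd "$UMLUSER")"
    sleep 1
    pid=$(pgrep -u "$UMLUSER" -f "umid=$NAME" | head -n 1)
    if [ -z "$pid" ] || ! uml_runs_as "$pid" "$UMLUSER"; then
        echo "$NAME is not running as $UMLUSER" >&2
        return 1
    fi
}
```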
From: Benedict V. <ben...@gm...> - 2007-09-03 14:26:54

Jeff Dike wrote:
>
>> e screen -S $NAME -d -m $UML/$KERNEL $OPTIONS con=null con0=fd:0,fd:1
>
> You want a sudo -u $UMLUSER before that screen.
>

Jeff,

that solved it for me. The UML now starts as user benedict and in the UML, the mails are no longer saved as root:root!
I'm happy, it works.
When I have more time, I'll test the behaviour of mails sent to a 2nd user but also handled by that UML.

Thanks,
Benedict
From: Jeff D. <jd...@ad...> - 2007-09-04 22:34:19

On Mon, Sep 03, 2007 at 04:26:13PM +0200, Benedict Verheyen wrote:
> that solved it for me. The uml now starts as user benedict and in the
> UML, the mails are no longer saved as root:root !
> I'm happy, it works.
> When i have more time, i'll test the behaviour of mails sent to a 2nd
> user but also handled by that UML.

This is where you'll start seeing hostfs permissions break down. If you send mail to user@benedict-uml, and user's maildir is a hostfs mount, that email will end up being owned by benedict. The host is ultimately in charge of the permissions, and it sees the files being created by a process owned by benedict.

hostfs is usable for personal UMLs, but once you have multiple users within a UML using hostfs, you'll start seeing problems from this.

Jeff

--
Work email - jdike at linux dot intel dot com
From: Jeff D. <jd...@ad...> - 2007-09-04 22:34:20

On Tue, Sep 04, 2007 at 02:20:48PM +0200, Benedict Verheyen wrote:
> I got round to testing with another user and that doesn't work.
> Let me explain: The UML runs several mail services (exim, courier, ...)
> and if i want to view mail via webmail (connection from another uml to
> this one as it runs courier), i get this:
>
> imapd: chdir Maildir: Permission denied

I think my previous mail should answer this.

> How can i get an uml to behave like a physical machine in regards with
> these permission issues as i would very much want to stay with this
> technology ?

Don't use hostfs for this and UML will behave like any other system.

Jeff

--
Work email - jdike at linux dot intel dot com
From: Benedict V. <ben...@gm...> - 2007-09-05 08:08:28

Jeff Dike wrote:
>> How can i get an uml to behave like a physical machine in regards with
>> these permission issues as i would very much want to stay with this
>> technology ?
>
> Don't use hostfs for this and UML will behave like any other system.

OK, but I'm not sure how to handle this in a good way.

What I have on my physical machine per user is this:
* a home directory, made available to Windows via samba
* a Maildir

I think I would better split this up:
* move the home directories to a UML with samba installed to share the files so they are accessible via samba
* create home directories on the mail UML to store email.

So mails & files will be stored on 2 different UMLs, but it doesn't seem like a huge problem? Also, I will have home directories on the physical server too, but not for all users, and not all of them will be logging in on the physical server.

Is this a doable/good approach?

Regards,
Benedict
From: Jeff D. <jd...@ad...> - 2007-09-10 17:34:31

On Wed, Sep 05, 2007 at 10:07:51AM +0200, Benedict Verheyen wrote:
> > Don't use hostfs for this and UML will behave like any other system.
>
> OK, but i'm not sure how to handle this in a good way.
>
> What i have on my physical machine per user is this:
> * a home directory, made available to windows via samba
> * a Maildir
>
> I think i would better split this up:
> * move the homedirectories to an UML with samba installed to share the
> files so they are accessible via samba
> * create home directories on the mail UML to store email.
>
> So mails & files will be stored on 2 different UML's but it doesn't seem
> like a huge problem? Also, i will have homedirectories on the physical
> server too but not for all users and not all of them will be logging in
> on the physical server.
>
> Is this a doable/good approach?

This seems reasonable.

Jeff

--
Work email - jdike at linux dot intel dot com
From: Benedict V. <ben...@gm...> - 2007-09-11 06:26:26

Jeff Dike wrote:
>> I think i would better split this up:
>> * move the homedirectories to an UML with samba installed to share the
>> files so they are accessible via samba
>> * create home directories on the mail UML to store email.
>>
>> So mails & files will be stored on 2 different UML's but it doesn't seem
>> like a huge problem? Also, i will have homedirectories on the physical
>> server too but not for all users and not all of them will be logging in
>> on the physical server.
>>
>> Is this a doable/good approach?
>>
>
> This seems reasonable.
>
> Jeff
>

I tried it like I said, moving files & mails to 2 different UMLs, and it works. My setup is now how I like it :)

Thanks for all the help!

Regards,
Benedict
From: Benedict V. <ben...@gm...> - 2007-09-04 12:28:05

Benedict Verheyen wrote:
> Jeff Dike schreef:
>>> e screen -S $NAME -d -m $UML/$KERNEL $OPTIONS con=null con0=fd:0,fd:1
>> You want a sudo -u $UMLUSER before that screen.
>>
>
> Jeff,
>
> that solved it for me. The uml now starts as user benedict and in the
> UML, the mails are no longer saved as root:root !
> I'm happy, it works.
> When i have more time, i'll test the behaviour of mails sent to a 2nd
> user but also handled by that UML.
>
> Thanks,
> Benedict

I got round to testing with another user and that doesn't work.
Let me explain: The UML runs several mail services (exim, courier, ...) and if I want to view mail via webmail (connection from another UML to this one as it runs courier), I get this:

    imapd: chdir Maildir: Permission denied

That's with a user different from mine (my user works) and with the UML started as my user. I could probably solve this by starting the UML as root, but then I have a security issue and my email would be saved again as root:root.

I'm not sure if UML can handle this kind of setup? Is it possible to mimic a physical server with UML where you have several services servicing multiple users? As far as I've seen with my tests, it isn't able to do this right now. Or am I still missing something?

How can I get a UML to behave like a physical machine in regards to these permission issues, as I would very much want to stay with this technology?

Thanks,
Benedict