From: Ehab H. <ehab@ELMOTAHEDA.COM> - 2003-09-22 09:48:51
Do I understand the following features of UML correctly? Please correct me if I am wrong.

You can back up an entire UML and move it to another server (provided you move the IP too) and it will work right away (with some minor installation).

A UML: the root can do anything, anything EXCEPT ONE thing, that is recompile the kernel.

A UML can not currently use a two-processor server, but if you have more than one they will be divided so that you will utilize both CPUs, but only one per UML.

You can run one or two UMLs without a SKAS patch on a production server and it will be stable; more UMLs would need SKAS for stability.
From: Lars D. <ld...@st...> - 2003-09-24 15:20:02
Hi Ulf,

> And from the me-as-uml-provider-view: The more problems the user can
> solve on his own, the longer will my phone stay quiet!

Be careful - allowing customers to compile their own kernel will most probably get you in big trouble, beginning with "I have a problem compiling my own kernel" up to running a patched kernel, which may disturb other UML sessions or even DoS your complete host. That's a very critical security question.

greetings,
Lars
From: <Ulf...@t-...> - 2003-09-24 15:44:18
On Wed, 2003-09-24 at 17:21, Lars Duesing wrote:
> > And from the me-as-uml-provider-view: The more problems the user can
> > solve on his own, the longer will my phone stay quiet!
>
> Be careful - allowing customers compiling their own kernel will get you
> most probably in big trouble, beginning from: "I have a problem on
> compiling my own kernel"

that will be directed to a not-so-cheap 0190 phone number }:-)

> up to running a patched kernel, which may
> disturb other uml-session or even DOS your complete host.

that's subject for further investigations...

> Thats a very critical security question.

I'm still looking for answers. At the moment I have no customers with evil thoughts... only some UMLs that don't need more security, like systems living in the same LAN where the co-workers have some basic trust in each other...

I hope that while I'm trying to get some things automated and the host's setup specialized for running UMLs, knowledge and features on security will grow... I want to end up with a system where I can do these things without security risks...

Meanwhile the test runs are UMLs in my LAN, mostly little services and development sandboxes... My friends are waiting for something that is a UML but feels like a real system... so the kernel thingy needs to be done that way... Our first publicly reachable server will surely be used by some folks working with each other instead of fighting...

I'm thinking of minimizing unfair resource usage by looking for a fair scheduler, maybe giving each UML its own hard disk (own heads!) and having a look at other things to limit users' access... For now I would only give someone a UML who would get a normal login here... that's my benchmark of trust...

...but I still need some more time to get all the parts together in a nice way...
From: Geoff T. <ge...@ge...> - 2003-09-24 15:25:54
Hi there,

On September 24, 2003 10:59 am, Ulf Bartelt wrote:
> On Wed, 2003-09-24 at 10:59, Paul Fee wrote:
> > Yes the Linux kernel + UML patch can be compiled inside the UML node,
> > however how can a user trapped inside UML boot the new UML kernel?
>
> Do it like the BIOS does... launch a loader...
>
> Use an UMLkernel as grub substitute to grab the kernel from the UML's
> FS if it is partitioned or use debugfs if it is partitionless...

Given the versioning that was put into the COW stuff recently, why not look at doing this as an extension in the next COW version? What I mean is that the COW layer sitting on top of the underlying (read-only) file system could include a dedicated "space" for whatever you cook up as a UML equivalent for lilo (or you could simply put the kernel in this space and assume it won't need to load modules for the file system).

It seems to me that the real pain about booting a UML kernel is not finding a way to pull it out of the filesystem, but having to understand the filesystem itself. I.e. if your UML filesystem(s) have a type that is not supported by the host kernel, you've got no choice but to move the UML kernel outside the filesystem to run it. OTOH, if the COW format supported a "clear-text" space for the kernel image itself, your UML boot loader would not need to parse the filesystem to get at the kernel; it would merely need to be able to read the appropriate COW headers.

I guess it would also be possible for UML's ubd driver to support this COW extension in some way to allow you to "mount" it? (I.e. so you can flash a new kernel image from within UML itself.) In this way, the bootloader could automatically reboot UML if it attempts a restart and this would pick up any recompiled kernels.

Then again, perhaps this might all be incredibly painful to do ... just my $0.02.

Cheers,
Geoff

--
Geoff Thorpe
ge...@ge...
http://www.geoffthorpe.net/
From: <Ulf...@t-...> - 2003-09-24 15:48:40
On Wed, 2003-09-24 at 17:25, Geoff Thorpe wrote:
> Hi there,
>
> On September 24, 2003 10:59 am, Ulf Bartelt wrote:
> > On Wed, 2003-09-24 at 10:59, Paul Fee wrote:
> > > Yes the Linux kernel + UML patch can be compiled inside the UML node,
> > > however how can a user trapped inside UML boot the new UML kernel?
> >
> > Do it like the BIOS does... launch a loader...
> >
> > Use an UMLkernel as grub substitute to grab the kernel from the UML's
> > FS if it is partitioned or use debugfs if it is partitionless...
>
> Given the versioning that was put into the COW stuff recently, why not
> look at doing this as an extension in the next COW version?

I want it to feel like a real system. A real system has a BIOS and a loader; why should it be bad to go exactly that way? The script doing this via debugfs is small enough to fit in the MBR... That's the way to go!
From: Paul F. <pf...@ta...> - 2003-09-24 15:44:18
Argh, you mean I had a huge money spinner and I threw it away! Oh well.

Anyway, back to reality.

I agree that splitting the UML boot process in two will allow the UML owner to upgrade the UML kernel from inside the UML node. The boot loader (e.g. grub) would live in host space, the UML kernel would be stored in the UML filesystem.

However, is such a scheme also workable from a UML sandbox point of view? It's the job of the UML application (in host space) to stop processes inside the UML node from breaking out into host space. If a UML user is allowed to recompile the UML kernel (and hence a host space application), then they could change it so that it no longer protected the host from dangerous UML processes.

---

Also, Christian mentioned letting UML access the host file system where the "linux" application is stored (via hostfs). If a UML user recompiles UML linux and updates the "linux" file stored on the host and then reboots, will UML pick up the new application? Unless written explicitly to exec() the new program (stored in the same place as the original), would UML not reboot to the same state as before? When you update a program file, existing processes exec()ed from that file don't change until stopped and reloaded.

I suppose that could easily be achieved by wrapping "linux" in a shell. The UML user could issue "halt", allowing UML to completely finish, then the shell script could start the new instance of UML.

--
Paul

Ulf Bartelt wrote:
> On Wed, 2003-09-24 at 10:59, Paul Fee wrote:
>
> > Yes the Linux kernel + UML patch can be compiled inside the UML node,
> > however how can a user trapped inside UML boot the new UML kernel?
>
> Do it like the BIOS does... launch a loader...
>
> Use an UMLkernel as grub substitute to grab the kernel from the UML's FS
> if it is partitioned or use debugfs if it is partitionless...
>
> > You could argue the case that a hosting company might want to deliver
> > the complete virtual linux box experience, including upgrading your own
> > kernel.
>
> Mega big point!
>
> I would not spend a cent for an uml system somewhere when I cannot
> compile my own kernel...
>
> And from the me-as-uml-provider-view: The more problems the user can
> solve on his own, the longer will my phone stay quiet!
>
> > I don't know if there's any desire for anyone to do this (I don't need
> > it), but that's how I understood the statement.
>
> I strongly believe that having a bootloader for UMLs making this
> possible is the best way for the uml provider and the user and am
> building such a solution here.
>
> My thoughts even go into the direction of having kinda uml-netboot-rom
> too... (to be patented soon }:-) )
>
> I'll cry out loud here when I have some things worth to be shown...
From: <Ulf...@t-...> - 2003-09-24 18:27:11
On Wed, 2003-09-24 at 17:44, Paul Fee wrote:
> Argh, you mean I had a huge money spinner and I threw it away! Oh well.

;-)

> Anyway, back to reality.
> I agree that splitting the UML boot process in two will allow the UML
> owner to upgrade the UML kernel from inside the UML node. The boot
> loader (e.g. grub) would live in host space, the UML kernel would be
> stored in the UML filesystem).

A UML is a user's job running on some host... I'd really like to see it compared to any other job of that user on that host. Where is the point why I should treat a running hercules (an emulator that can use a tap too and so has all the net security problems like UML) or a TeX run by that user which might lead to memory outage differently than UML?

I'd like to see two levels of security discussed:

UML compared with all things a user with a login on my system might do.

UML in a jailed way, so that the user has only the right to run his UML and nothing else.

For now I am using UMLs in a friendly environment. UML is just another program on my system and some taps and some logical volumes are given to some userids... optionally.

I don't think of hosting only; I want the LAN-in-a-box for giving some mostly idle systems some additional tasks and having them encapsulated a bit. And when that feels good (and it does up to now) I'll make some dedicated UML hives with one hard disk per UML and hotswap to simplify my net. In this step it is mostly used for my personal education but is kind of a prototype to launch similar strategies in other places (production) too... I know some places where they wait for such scalable things: start with n servers on m real systems, n>m, and if it grows, just migrate a guest to a new or more idle hive... hotplug! And they only need as much security as you have in a normal LAN... at least in the beginning...

> However is such a scheme also workable from a UML sandbox point of view.
> It's the job of the UML application (in host space) to stop processes
> inside the UML node from breaking out into host space.

It is the job of quota, ulimit, eb/iptables and so on to cap your users... Why shall I treat UML differently?

> If a UML user is allowed to recompile the UML kernel (and hence a host
> space application), then they could change it so that it no longer
> protected the host from dangerous UML processes.

Users start applications. For decades now... and the world still exists... ;-)
From: Rus F. <rg...@fs...> - 2003-09-22 10:06:28
Hi There,

> Do I understand the following features of UML correctly, please correct
> me if I am wrong.
>
> You can back up and entire UML and move it to another server ( provided
> you move the IP too ) and it will work right away ( with some minor
> installation )

You can either have UML running out of an image or have a standard image then a COW (Copy on Write) file which you transfer across. However, generally you are correct that it will just work (assuming the new host machine has a correctly compiled kernel).

> A UML, the root can do anything, anything EXCEPT ONE thing, that is
> recompile the kernel.

Pretty much, and also a few network related things.

> A UML can not currently use a two processor server, but if you have more
> than one they will be divided so that you will utilize the both CPU but
> only one per UML.

This is the behaviour I have seen, but I've got a niggling feeling it might not be 100% true. I'm sure someone else will be along in a minute.

> You can run one or two UML's without a SKAS patch on a prodictioin
> server and it will be stable more UML would need skas for stability.

I always run the skas patch as it makes the process list a lot easier to understand. TBH I would just run it anyway.

Rus

--
w: http://www.jvds.com | Virtual Dedicated Servers from $15/mo
e: rg...@jv...         | Donations made to Debian, FreeBSD
t: +44 7919 373537     | and Slackware
t: 1-888-327-6330      | email: sa...@jv...
From: Goetz B. <bo...@bl...> - 2003-09-22 11:08:40
On Mon, Sep 22 '03 at 11:07, Rus Foster wrote:
> > You can back up and entire UML and move it to another server ( provided
> > you move the IP too ) and it will work right away ( with some minor
> > installation )
>
> You can eiter have UML running out of an image or have a standard image
> then a COW (Copy on Write File) which you transfer across. However
> generally you are correct that it will just work (assuming the new host
> machine has a correctly comiled kernel)

Well, if you want to be able to move UML images, you should not use COW. The COW file reader is _VERY_ picky about the backing and the COW file. Neither may change _ANY_ file attributes (critical are a-time, m-time and position). So just copying a COW file to a new server will not work. Using simple images does work.

--
 /"\  Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
 \ /  (c) 2003 as GNU FDL 1.1
  X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
 / \  [ 3. Reply to the list - 4. Read the archive *before* you post ]
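The attribute dependency Goetz describes, turned into a pre-migration check. This is an added example written for this archive page, not code from the thread or from the UML project: the sidecar file it records is a constructed format for the illustration (the ubd driver validates its own COW header, whose layout is not reproduced here), the paths are assumptions, and GNU stat/touch/cp are assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the UML project: record the
# backing-file attributes a COW file depends on, and refuse to start the
# UML on a new host if the copied backing file no longer matches them.
# The sidecar written here is a constructed illustration, not the COW
# header the ubd driver checks. GNU stat/cp assumed.

# "size mtime" of a file: the two attributes a plain copy is most likely to alter.
backing_attrs() {   # $1 = file
    stat -c '%s %Y' "$1"
}

# Record the backing file's attributes next to the COW file.
record_backing() {   # $1 = backing file, $2 = sidecar to write
    backing_attrs "$1" > "$2"
}

# Exit status 0 if the backing file still matches the record, 1 otherwise.
verify_backing() {   # $1 = backing file, $2 = sidecar
    [ "$(backing_attrs "$1")" = "$(cat "$2")" ]
}

# Copy backing file, COW file and sidecar to a destination directory,
# preserving timestamps (cp -p). A plain "cp" would give the backing file
# a fresh mtime and the COW would be rejected on the destination.
migrate_pair() {   # $1 = backing, $2 = cow, $3 = sidecar, $4 = destination dir
    mkdir -p "$4" && cp -p "$1" "$2" "$3" "$4/"
}

# Start the UML only while the pair is still consistent.
# ubd0=cow,backing is the UML syntax for a COW-backed block device.
start_if_consistent() {   # $1 = backing, $2 = cow, $3 = sidecar, $4 = UML kernel binary
    if verify_backing "$1" "$3"; then
        "$4" ubd0="$2,$1" mem=64M
    else
        echo "backing file $1 no longer matches the attributes recorded in $3; refusing to start" >&2
        return 1
    fi
}

# Stand-alone use (illustrative paths):
#   record_backing /srv/uml/root_fs /srv/uml/root_fs.cow.attrs
#   migrate_pair /srv/uml/root_fs /srv/uml/root_fs.cow /srv/uml/root_fs.cow.attrs /mnt/newhost/uml
#   start_if_consistent /mnt/newhost/uml/root_fs /mnt/newhost/uml/root_fs.cow \
#       /mnt/newhost/uml/root_fs.cow.attrs /usr/bin/linux
```

The interesting case is the plain `cp`: the copied backing file gets a new mtime, the record no longer matches, and the start is refused; copying with `cp -p` (or any tool that preserves timestamps) keeps the pair consistent, and touching the backing file afterwards breaks it again.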
From: Jeff D. <jd...@ad...> - 2003-09-23 20:16:21
ehab@ELMOTAHEDA.COM said:
> A UML, the root can do anything, anything EXCEPT ONE thing, that is
> recompile the kernel.

Ummm, where did you get the idea that there's something special about a kernel build? It's just a bunch of compiles and links. I do them all the time.

Jeff
From: Paul F. <pf...@ta...> - 2003-09-24 09:00:09
Jeff Dike wrote:
> ehab@ELMOTAHEDA.COM said:
>
> > A UML, the root can do anything, anything EXCEPT ONE thing, that is
> > recompile the kernel.
>
> Ummm, where did you get the idea that there's something special about a
> kernel build? It's just a bunch of compiles and links. I do them all
> the time.
>
> Jeff

Maybe the meaning is that the root user inside UML can do all the things a root user on a physical host could do except install a new kernel. Yes, the Linux kernel + UML patch can be compiled inside the UML node; however, how can a user trapped inside UML boot the new UML kernel?

You could argue the case that a hosting company might want to deliver the complete virtual Linux box experience, including upgrading your own kernel.

I don't know if there's any desire for anyone to do this (I don't need it), but that's how I understood the statement.

--
Paul
From: Christian J. <chr...@et...> - 2003-09-24 12:18:13
At 9:59 +0100 24.09.2003, Paul Fee wrote:
> Yes the Linux kernel + UML patch can be compiled inside the UML
> node, however how can a user trapped inside UML boot the new UML
> kernel?

I'm using hostfs, so the user can copy the kernel image to, let's say, /mnt/host/usr/bin/linux, and "reboot". But I'm running the UMLs as a non-root user in a minimal chroot, thus there's not much risk in letting the UML user escape the UML. (No production usage yet, though.)

Christian.
From: <Ulf...@t-...> - 2003-09-24 14:59:52
On Wed, 2003-09-24 at 10:59, Paul Fee wrote:
> Yes the Linux kernel + UML patch can be compiled inside the UML node,
> however how can a user trapped inside UML boot the new UML kernel?

Do it like the BIOS does... launch a loader...

Use a UML kernel as grub substitute to grab the kernel from the UML's FS if it is partitioned, or use debugfs if it is partitionless...

> You could argue the case that a hosting company might want to deliver
> the complete virtual linux box experience, including upgrading your own
> kernel.

Mega big point!

I would not spend a cent for a UML system somewhere when I cannot compile my own kernel...

And from the me-as-UML-provider view: The more problems the user can solve on his own, the longer my phone will stay quiet!

> I don't know if there's any desire for anyone to do this (I don't need
> it), but that's how I understood the statement.

I strongly believe that having a bootloader for UMLs making this possible is the best way for the UML provider and the user, and I am building such a solution here.

My thoughts even go into the direction of having a kind of UML netboot ROM too... (to be patented soon }:-) )

I'll cry out loud here when I have some things worth being shown...
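Putting the three host-side pieces of this thread together: Paul's shell wrapper that restarts the UML after the guest runs "halt", Christian's hostfs area the guest can copy a kernel into, and Ulf's debugfs-based loader that pulls the kernel out of a partitionless image. This is an added example for this archive page, not code from the thread or from the UML project; the paths, the `.prev`/`.log` naming, the /boot/linux location inside the guest and the assumption that a clean halt exits with status 0 are all illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread or the UML project: a host-side
# "boot loader" around the UML binary. The guest either stages a freshly
# built kernel where the host can see it (a hostfs-exported path) or leaves
# it at /boot/linux inside its root_fs image, from which debugfs extracts
# it. After the guest runs "halt" the UML process exits and the loop starts
# the next kernel. Paths and conventions below are assumptions.

# Accept a candidate only if it is a non-empty regular file, executable by
# us, and actually different from the installed kernel. Prints the path to run.
pick_kernel() {   # $1 = installed kernel, $2 = candidate
    if [ -f "$2" ] && [ -s "$2" ] && [ -x "$2" ] && ! cmp -s "$1" "$2"; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Replace the installed kernel, keeping the previous one as .prev so an
# operator can roll back a guest that no longer boots.
install_kernel() {   # $1 = installed kernel, $2 = candidate (moved into place)
    cp -p "$1" "$1.prev" && mv "$2" "$1"
}

# Ulf's loader: copy /boot/linux out of a partitionless ext2/ext3 image
# with debugfs (e2fsprogs; "dump" copies a file out of the image). The
# result is a candidate like any other and still has to pass pick_kernel.
extract_kernel() {   # $1 = guest image, $2 = path inside the guest, $3 = output file
    debugfs -R "dump $2 $3" "$1" >/dev/null 2>&1
    [ -s "$3" ] && chmod 755 "$3"
}

# Paul's wrapper loop: run the kernel; when it exits cleanly (guest "halt"),
# look for a new kernel before starting again.
run_uml() {   # $1 = installed kernel, $2 = staged candidate (hostfs path), $3 = root_fs image
    kernel=$1; staged=$2; rootfs=$3
    while :; do
        candidate=$(pick_kernel "$kernel" "$staged")
        if [ "$candidate" = "$kernel" ] && extract_kernel "$rootfs" /boot/linux "$staged.debugfs"; then
            candidate=$(pick_kernel "$kernel" "$staged.debugfs")
        fi
        if [ "$candidate" != "$kernel" ]; then
            # The user-built kernel runs as a host process, so keep an audit
            # trail of exactly what was adopted.
            echo "$(date '+%F %T') adopting $(sha1sum "$candidate")" >> "$kernel.log"
            install_kernel "$kernel" "$candidate" || exit 1
        fi
        "$kernel" ubd0="$rootfs" mem=64M
        # Assumption: a clean guest "halt" exits 0; anything else stops the
        # loop instead of respawning a broken kernel forever.
        [ $? -eq 0 ] || exit 1
    done
}

# Stand-alone use (run as the unprivileged UML user, ideally inside a chroot):
#   sh uml-loader.sh /srv/uml/linux /srv/uml/hostfs/linux.new /srv/uml/root_fs
if [ $# -eq 3 ]; then
    run_uml "$@"
fi
```

Because the kernel the guest built runs as a host process (Paul's objection), the wrapper does the two cheap things a defender can do at this layer: it adopts only a candidate that is a regular executable file and differs from the installed kernel, and it logs the hash of what it adopted. That does not substitute for running the UML as an unprivileged user inside a chroot, as Christian describes; it only makes the kernel swap explicit and reversible.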