<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.vserver">
    <title>gmane.linux.vserver</title>
    <link>http://blog.gmane.org/gmane.linux.vserver</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20355"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20354"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20353"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20352"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20351"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20350"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20349"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20348"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20347"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20346"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20345"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20344"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20343"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20342"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20341"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20340"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20339"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20338"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20337"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.vserver/20336"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20355">
    <title>Re: Mini-Kernel - Working dot-config</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20355</link>
    <description>&lt;pre&gt;Hi all

I have a version that works for me (so far at least).

I may have taken out some bits you need which I don't e.g. various
filesystems like vfat, nfs...

It can probably be pared down some more but this will do for now.

As expected it's much smaller. The size itself is no great problem these
days but I hope it is safer for having removed lots of features and
drivers that are not needed in KVM vm.

vmlinux is 2.1M vs 2.8M
initrd is 3.8M vs 11M
/lib/modules is 11M vs 107M

If anyone wants to try it the attachment is the .config file.

Raw oversimplified instructions:

apt-get install linux-source-vserver-3.2-beng
tar -xjf it to create the linux source directory
gunzip attachment
move/copy it to the linux source directory
cd to linux source dir
make menuconfig
tweak the config to your liking
nohup make-kpkg --initrd kernel_image &amp;gt; ~/log 2&amp;gt;&amp;amp;1 &amp;amp;

This makes a .deb in the directory above.

Install it with

dpkg -i xxx.deb

set grub to boot it once only (just in case!)
PS you need to have configured your grub to allow 'saved'

grub-reboot 2

reboot to try it

Many thanks to Ben for making these kernels in the first place and for
the helpful advice.

All the best

Allan

On 22/05/13 19:34, Ben Green wrote:

&lt;/pre&gt;</description>
    <dc:creator>Allan Latham</dc:creator>
    <dc:date>2013-05-24T05:46:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20354">
    <title>Re: Mini-Kernel - What and where are the latest sources?</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20354</link>
    <description>&lt;pre&gt;Hi Ben

The reason I wanted to compile util-vserver was to get the library
behind it.

This page interested me:

http://linux-vserver.org/Running_runit-supervised_services_inside_a_vserver

I looked at what signal-relay does and how it does it and I can so see
no reason why this functionality cannot be built into runsv - but that
would need the vserver library. It would save one process per vserver
and reduce the complexity (one less program to run) at the cost of what
I think will be a small patch to runsv which itself has been stable for
years.

I have a working init system which will suffice for what I want but a
variation on that outlined on the web page would be rather more elegant.

It's not at the top of my list yet!

All the best

Allan

On 22/05/13 19:34, Ben Green wrote:


&lt;/pre&gt;</description>
    <dc:creator>Allan Latham</dc:creator>
    <dc:date>2013-05-23T12:30:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20353">
    <title>Re: Mini-Kernel - What and where are the latest sources?</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20353</link>
    <description>&lt;pre&gt;Quoting Allan Latham &amp;lt;alatham&amp;lt; at &amp;gt;flexsys-group.de&amp;gt;:

You can use the util-vserver packages I provide, so why not use those?  
There's compile instructions on the linux-vserver wiki though if you  
want, the source on linux-vserver will build debs for you also.

In terms of building the kernel, I use make-kpkg. It's the simplest  
tool for building kernels into .deb files.

Cheers,
Ben


&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-22T17:34:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20352">
    <title>Re: Mini-Kernel - What and where are the latest sources?</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20352</link>
    <description>&lt;pre&gt;Hi Ben

Thanks for the very quick answer.

I've got my brand new Wheezy development environment in a vserver and
I'm ready to begin.

When I last compiled Linux (about ten years ago) I used to do:

make menuconfig

do the config change

make bzImage &amp;amp;&amp;amp; make modules &amp;amp;&amp;amp; make modules_install

I never thought I would need to do this again since the major distros
contain reliable up-to-date kernels - regrettably Debian dropped vserver
support.

I have read of several ways to build 'the Debian way' so that the result
is a .deb package with the new kernel. Do you have a suggestion - please
point me to a suitable web page.

I don't seem to be able to download your util-vserver sources with
apt-get. Is this what I should be doing? I have the original tar from
http://linux-vserver.org/Welcome_to_Linux-VServer.org. Maybe I should
just compile this.

Thank you in advance

Allan

On 22/05/13 12:14, Ben Green wrote:


&lt;/pre&gt;</description>
    <dc:creator>Allan Latham</dc:creator>
    <dc:date>2013-05-22T14:45:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20351">
    <title>Re: Mini-Kernel - What and where are the latest sources?</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20351</link>
    <description>&lt;pre&gt;Quoting Allan Latham &amp;lt;alatham&amp;lt; at &amp;gt;flexsys-group.de&amp;gt;:


The latest versions are listed here.
http://linux-vserver.org/Welcome_to_Linux-VServer.org

The latest util-vserver being at the bottom of the page.

For a mini-kernel, you can use the linux-sources packages from  
repo.psand.net (e.g. linux-source-vserver-3.2-beng), or get mainline  
and then patch your own. 3.2 is the latest kernel I currently support  
on that repo.

Cheers,
Ben


&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-22T10:14:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20350">
    <title>Re: Mini-Kernel - What and where are the latest sources?</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20350</link>
    <description>&lt;pre&gt;Hi all

I have had good results testing the latest -beng kernel:

3.2.44-vs2.3.2.16-beng #1 SMP Thu May 16 23:46:34 BST 2013 x86_64

Now I wanted to try to make a mini-kernel and compile util-vserver so
that I know I have the latest.

I am not certain I can find the latest. For example I am running the
following util-vserver (also from beng):

 0.30.216-pre3038-1 amd64

The latest sources I can find are 0.30.215 from 2008.

This does not fill me with confidence that I have the right versions.

There is a lot of old documentation for vservers which has already
confused me enough. I now know how to use the current version for what I
want to do and I want to build on that.

What and where are the latest sources?

Thanks in advance, All the best

Allan

PS If someone (Ben) could make available to me the exact compile
environment and procedure as used for the -beng kernels it would give me
more confidence that my configuration is derived from what I am already
using.


On 17/05/13 15:33, Allan Latham wrote:


&lt;/pre&gt;</description>
    <dc:creator>Allan Latham</dc:creator>
    <dc:date>2013-05-22T09:59:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20349">
    <title>Re: kernel/guest parameter tuning for wordpress</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20349</link>
    <description>&lt;pre&gt;
3.2.42-vs2.3.2.16-beng

I haven't changed anything -- pointers to the knobs and
which values to tweak would be welcome.


It seems my problem might be not related to vserver
guest limits, but to nginx fcgi php brokenness
(the dread 502 bad gateway).

&lt;/pre&gt;</description>
    <dc:creator>Eugen Leitl</dc:creator>
    <dc:date>2013-05-21T13:24:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20348">
    <title>Re: kernel/guest parameter tuning for wordpress</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20348</link>
    <description>&lt;pre&gt;Quoting Eugen Leitl &amp;lt;eugen&amp;lt; at &amp;gt;leitl.org&amp;gt;:


There's loads, but you might want to supply more details. What kernel  
are you using? What have you set so far? VIRT_MEM? and cgroup  
parameters? What exactly constitutes "crapping out"?

Cheers,
Ben


&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-21T12:57:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20347">
    <title>kernel/guest parameter tuning for wordpress</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20347</link>
    <description>&lt;pre&gt;
I have a chronic problem with wp (nginx+fastcgi) blogs
crapping out really easily in vserver guests. Before I
investigate this as a wp/nginx problem, are there
any suggestions for tunable parameters for kernel/guests?

Thanks.

&lt;/pre&gt;</description>
    <dc:creator>Eugen Leitl</dc:creator>
    <dc:date>2013-05-21T10:40:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20346">
    <title>[build script for wheezy guest]</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20346</link>
    <description>&lt;pre&gt;Hi,
I want to share my simple guest build script for wheezy:

http://linux-vserver.org/Wheezy-guest-build-scripts

If you have any other useful build scripts, share them on the wiki!

cheers,
Serge

&lt;/pre&gt;</description>
    <dc:creator>Sergiusz Pawlowicz</dc:creator>
    <dc:date>2013-05-18T22:51:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20345">
    <title>Re:  Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10(CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20345</link>
    <description>&lt;pre&gt;Hi,

Linux PERF_EVENTS root exploit - CVE-2013-2094 (quick way to fix it)

http://arighi.blogspot.it/2013/05/linux-perfevents-root-exploit-cve-2013.html

Best regards,
&lt;/pre&gt;</description>
    <dc:creator>Lukasz Czarnowski</dc:creator>
    <dc:date>2013-05-17T15:04:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20344">
    <title>Mini-Kernel (was: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094))</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20344</link>
    <description>&lt;pre&gt;Hi Ben

Many thanks for your efforts.

I use your util-vserver packages but I am still currently using the
Debian Squeeze vserver kernel.

I intend to move away from this kernel during the next phase of the
testing I am doing - either to yours or I will roll my own. It's years
since I needed to compile the kernel and I see that Linux is now about
10 times the size!

One thought occurs to me and I would be interested in the opinions of
others.

Basis is a suitable computer (x86_64) at one of the many server farms
world wide:

1. The base kernel should come from whatever the server supplier
recommends. He knows it supports his hardware, network etc. e.g. a
minimal Squeeze or Wheezy installation will do fine.

2. On this kernel load the kvm modules. Besides supporting the
hardware, lvm and starting one or more kvms this bare-metal kernel does
nothing.

3. Run vservers inside kvm.

This means that the kernel for the vservers can be vastly simplified.
Most of the server configuration is devoted to hardware which disappears
inside the vm. It is a standardised environment.

Less is generally safer.

I know a kvm is less efficient than bare-metal but I don't really care.
The fact that I have an inner system which can (near) instantly be
moved to any server supplier is worth far more.

What are your thoughts on such a 'standard mini-kernel' for use within a
kvm? I suspect it could even be built without modules.

All the best and once again thanks for all you're doing.

Allan

On 17/05/13 11:38, Ben Green wrote:


&lt;/pre&gt;</description>
    <dc:creator>Allan Latham</dc:creator>
    <dc:date>2013-05-17T13:33:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20343">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20343</link>
    <description>&lt;pre&gt;Quoting Ben Green &amp;lt;ben&amp;lt; at &amp;gt;bristolwireless.net&amp;gt;:


Done, kernels now ready for download from the Psand repositories.  
Who'd have thought 3 characters in the whole of the kernel's source  
code could cause such a fuss. Package and metapackage examples are as  
follows:

Package: linux-image-vserver-3.2-beng
Version: 3.2.44-2.3.2.16+squeeze1

Package: linux-image-3.2.44-vs2.3.2.16-beng
Source: linux-source-3.2.44-vs2.3.2.16-beng
Version: 0.2+squeeze1

Note particularly the version number.

Cheers,
Ben




&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-17T09:38:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20342">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20342</link>
    <description>&lt;pre&gt;Quoting Eugen Leitl &amp;lt;eugen&amp;lt; at &amp;gt;leitl.org&amp;gt;:


Interesting thought Eugen, I'll think about that.

In other news, it was not possible to disable CONFIG_PERF_EVENT in the  
3.2.44 kernel. There's a build in the Psand repos now that represents  
my attempt to do that. You really can't disable it, CONFIG_X86=y turns  
it on again, which obviously is something I can't turn off.

I'm rebuilding now with the relevant patch in place, a simple 1 liner.  
I'll upload to the Psand repos in the morning.

Cheers,
Ben


&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-16T22:12:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20341">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20341</link>
    <description>&lt;pre&gt;
By the way, thanks for all the work. In case you have a
tip jar, I'm sure your grateful users would contribute.

&lt;/pre&gt;</description>
    <dc:creator>Eugen Leitl</dc:creator>
    <dc:date>2013-05-16T11:15:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20340">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20340</link>
    <description>&lt;pre&gt;Quoting Sergiusz Pawlowicz &amp;lt;sergiusz&amp;lt; at &amp;gt;pawlowicz.name&amp;gt;:


I'm still rolling kernels for Precise Pangolin.

Cheers,
Ben


&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-16T10:58:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20339">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20339</link>
    <description>&lt;pre&gt;great, please remember about ubuntu kernels as well, ben!

s.

&lt;/pre&gt;</description>
    <dc:creator>Sergiusz Pawlowicz</dc:creator>
    <dc:date>2013-05-16T10:40:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20338">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20338</link>
    <description>&lt;pre&gt;Quoting Jean Weisbuch &amp;lt;jean&amp;lt; at &amp;gt;phpnet.org&amp;gt;:


The next version will have that config re-enabled. I'll do this when  
there's a mainline kernel and a Linux-vserver patch available.

Anyone who wants to use perf in the mean time will need to stick with  
the older kernel.

Cheers,
Ben


&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-16T10:31:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20337">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20337</link>
    <description>&lt;pre&gt;Hi,

Thanks for the quick response.

About the PERF_EVENTS, I don't think that disabling it in the long run is 
the best operation as perf is a very powerful and useful tool.


Regards,

*Jean Weisbuch*
System and Network Administrator | *Predictys* | _www.predictys.fr 
&amp;lt;http://www.predictys.fr/&amp;gt;_

Le 16/05/2013 10:50, Ben Green a écrit :
&lt;/pre&gt;</description>
    <dc:creator>Jean Weisbuch</dc:creator>
    <dc:date>2013-05-16T09:03:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20336">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20336</link>
    <description>&lt;pre&gt;Quoting Sergiusz Pawlowicz &amp;lt;sergiusz&amp;lt; at &amp;gt;pawlowicz.name&amp;gt;:


I'm re-compiling without CONFIG_PERF_EVENTS right now.

Cheers,
Ben


&lt;/pre&gt;</description>
    <dc:creator>Ben Green</dc:creator>
    <dc:date>2013-05-16T08:50:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.vserver/20335">
    <title>Re: Zero day privilege escalation exploit for kernels 2.6.37=&gt;3.8.10 (CVE-2013-2094)</title>
    <link>http://permalink.gmane.org/gmane.linux.vserver/20335</link>
    <description>&lt;pre&gt;
do we need PERF_EVENTS in the kernel at all? i would recon to remove it.

s.

&lt;/pre&gt;</description>
    <dc:creator>Sergiusz Pawlowicz</dc:creator>
    <dc:date>2013-05-14T23:51:19</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.vserver">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.vserver</link>
  </textinput>
</rdf:RDF>
