Back to Home / #uml / 2009 / 03 / Prev Day | Next Day
#uml IRC Logs for 2009-03-18

---Logopened Wed Mar 18 00:00:23 2009
00:05-!-jdike [~jdike@pool-98-118-58-90.bstnma.fios.verizon.net] has quit [Quit: Leaving]
00:53-!-Basic [~Basic@c-75-73-131-27.hsd1.mn.comcast.net] has quit [Quit: Linghu - Level 80 Hunter - Executus US]
01:03-!-anderiv_ [~anderiv@207-67-87-34.static.twtelecom.net] has joined #uml
01:05-!-anderiv [~anderiv@207-67-87-34.static.twtelecom.net] has quit [Ping timeout: 480 seconds]
01:36-!-anderiv [~anderiv@207-67-87-34.static.twtelecom.net] has joined #uml
01:38-!-anderiv_ [~anderiv@207-67-87-34.static.twtelecom.net] has quit [Ping timeout: 480 seconds]
03:39-!-Basic [~Basic@c-75-73-131-27.hsd1.mn.comcast.net] has joined #uml
06:45-!-aindilis [~aindilis@75.146.96.198] has quit [Ping timeout: 480 seconds]
07:17-!-ToreadorVampire [~ToreadorV@cpc2-bsfd6-0-0-cust74.cmbg.cable.ntl.com] has joined #uml
07:20<ToreadorVampire:#uml>I may be missing something really obvious here, and I apologise if my understanding of how networking virtual machines via TUN affects things... But am I right in thinking it's normal behaviour that UML guests can't make use of tcpwrappers?
07:22<ToreadorVampire:#uml>EG: On a UML guest I have tried using hosts.deny to prevent SSH connections (specifically I was trying out DenyHosts on a UML machine before implementing it on a real server) and the hosts.deny file was having no effect ...
07:23<ToreadorVampire:#uml>... am I being stupid ("of course you can't use hosts.deny! tcpwrappers won't work on UML guests!") or am I missing a config step that needs to be done to make tcpwrappers work with UML?
07:26*ToreadorVampire:#uml activates lurk, but if there's an answer to that - highlight me ;)
12:30-!-darodrig [c6ceb5b6@webchat.mibbit.com] has joined #uml
12:32-!-Basic [~Basic@c-75-73-131-27.hsd1.mn.comcast.net] has quit [Quit: Basic]
12:44-!-jdike [~jdike@pool-98-118-58-90.bstnma.fios.verizon.net] has joined #uml
12:44<jdike:#uml>Hi guys
12:51<ToreadorVampire:#uml>Aha!
12:51<ToreadorVampire:#uml>If anyone knows the answer to my question - you will :D
12:52<ToreadorVampire:#uml>(reposting for jdike - apologies to those who have already seen it):
12:52<ToreadorVampire:#uml><ToreadorVampire> I may be missing something really obvious here, and I apologise if my understanding of how networking virtual machines via TUN affects things... But am I right in thinking it's normal behaviour that UML guests can't make use of tcpwrappers?
12:52<ToreadorVampire:#uml><ToreadorVampire> EG: On a UML guest I have tried using hosts.deny to prevent SSH connections (specifically I was trying out DenyHosts on a UML machine before implementing it on a real server) and the hosts.deny file was having no effect ...
12:52<ToreadorVampire:#uml><ToreadorVampire> ... am I being stupid ("of course you can't use hosts.deny! tcpwrappers won't work on UML guests!") or am I missing a config step that needs to be done to make tcpwrappers work with UML?
12:52<jdike:#uml>there's no difference
12:53<jdike:#uml>I bet you're missing a config step that needs to be done anywhere
12:53<ToreadorVampire:#uml>oh? That's very strange then ...
12:54<ToreadorVampire:#uml>I'm using debian, and on a "virgin installation" of nothing but debian base system and openssh server into my guest image file, hosts.deny is not working ...
12:54<ToreadorVampire:#uml>... but on an equivalent "virgin install" without using UML it does work
12:55<jdike:#uml>how does tcpwrappers work?
12:56<jdike:#uml>it affects how xinetd deals with incoming connections?
12:56<ToreadorVampire:#uml>Oh, hmm, I guess the installs might not be exactly equivalent though ... since the deployment to my UML guest was done by a scripted debootstrap and the "actual machine" was an interactive install from disc ...
12:57<ToreadorVampire:#uml>Oh - no, nothing to do with inetd/xinetd at all - tcpwrappers (AFAIK) is just a standard kernel feature - more commonly known as the "hosts.accept" and "hosts.deny" files
12:57<ToreadorVampire:#uml>eg: /etc/hosts.deny
12:58<jdike:#uml>I doubt it's a kernel thing
12:58<ToreadorVampire:#uml>If I list sshd: xxx.xxx.xxx.xxx in my /etc/hosts.deny then IP xxx.xxx.xxx.xxx won't be able to connect to the ssh server, regardless of whatever
12:59<ToreadorVampire:#uml>But yeah ... I tried it on a UML guest and it just plain didn't work - the IP address wasn't denied access to the sshd
12:59<ToreadorVampire:#uml>Same test on a physical box and it worked just fine
13:00<jdike:#uml>the thing to do is figure out where the blocking is implemented
13:01<ToreadorVampire:#uml>Indeed, it's not kernel
13:01<jdike:#uml>The functionality behind TCP wrappers is provided by libwrap.a, a library that network services, such as xinetd, sshd, and portmap, are compiled against.
13:01<jdike:#uml>https://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/ch-tcpwrappers.html
13:02<ToreadorVampire:#uml>Yeah, I'm just poking around that myself ...
13:03<ToreadorVampire:#uml>Right
13:03<ToreadorVampire:#uml>libwrap is installed, so the problem is not that it wasn't installed
13:04<jdike:#uml>ldconfig?
13:06<ToreadorVampire:#uml>test-server:~# ldd /usr/sbin/sshd | grep libwrap
13:06<ToreadorVampire:#uml> libwrap.so.0 => /lib/libwrap.so.0 (0x40020000)
13:08<jdike:#uml>ok, it ain't that
13:09<jdike:#uml>tcpdump an sshd connection and compare what you see with your hosts.deny
13:10<ToreadorVampire:#uml>From hosts.deny:
13:10<ToreadorVampire:#uml>sshd: 172.16.0.50
13:11<ToreadorVampire:#uml>From tcpdump:
13:11<ToreadorVampire:#uml>17:09:55.940466 IP 172.16.0.50.46335 > 172.16.0.10.ssh: P 2722093781:2722093833(52) ack 2705629730 win 64699
13:11<ToreadorVampire:#uml>17:09:55.943098 IP 172.16.0.10.ssh > 172.16.0.50.46335: P 1:53(52) ack 52 win 8576
13:11<ToreadorVampire:#uml>17:09:55.943610 IP 172.16.0.10.ssh > 172.16.0.50.46335: P 53:105(52) ack 52 win 8576
13:11<ToreadorVampire:#uml>17:09:55.943768 IP 172.16.0.50.46335 > 172.16.0.10.ssh: . ack 105 win 64595
13:11<ToreadorVampire:#uml>(yeah, that's only a few lines of many, but "yes I was able to log in successfully")
13:12<ToreadorVampire:#uml>The server instance (where I am implementing hosts.deny) is at 172.16.0.10
13:12<jdike:#uml>have you tried restarting sshd?
13:13<ToreadorVampire:#uml>Yeah, plus rebooting the guest instance
13:15<ToreadorVampire:#uml>Also, heh - had an amusing experience yesterday - and I feel a little silly for not realising it would affect me before it did ...
13:15<ToreadorVampire:#uml>... but don't install ntpd on a UML guest!
13:16<ToreadorVampire:#uml>Heh, my host machine didn't have ntp installed, installed it on the guest and it de-sync'd the host/guest clocks - locked myself out of ssh :s
13:16<ToreadorVampire:#uml>Thankfully it was only a mess about instance, so I just trashed it and rebuilt but heh ...
13:17-!-Basic [~Basic@gatekeeper.real-time.com] has joined #uml
13:18<jdike:#uml>your hosts.deny doesn't seem to conform to the man page
13:18<jdike:#uml>A string that ends with a ‘.´ character. A host address is
13:18<jdike:#uml> matched if its first numeric fields match the given string.
13:18<jdike:#uml>An expression of the form ‘n.n.n.n/m.m.m.m´ is interpreted as a
13:18<jdike:#uml> ‘net/mask´ pair. An IPv4 host address is matched if ‘net´ is
13:18<jdike:#uml> equal to the bitwise AND of the address and the ‘mask´.
13:19<jdike:#uml>also, you don't have a contradicting hosts.allow?
13:19<ToreadorVampire:#uml>hosts.allow is empty
13:19<ToreadorVampire:#uml>"client_list is a list of one or more host names, host addresses, patterns or wildcards (see below)"
13:20<ToreadorVampire:#uml>I think you're reading the "patterns" section - which only describes "ways to match multiple hosts" - I am not using a 'pattern' rather a specific address
13:21<ToreadorVampire:#uml>I am 100% certain that that line should work in hosts.deny - especially because on an equivalent machine the same hosts.deny line works with the desired effect (IE: The host was denied access via ssh)
13:21<jdike:#uml>OK, right
13:21<ToreadorVampire:#uml>Well, denied the connection
13:21<ToreadorVampire:#uml>Nothing to do with authentication
13:21<ToreadorVampire:#uml>Woah woah woah
13:21*ToreadorVampire:#uml headdesks
13:22<ToreadorVampire:#uml>Just 1 moment ...
13:22<ToreadorVampire:#uml>Lemme try something ...
13:22<ToreadorVampire:#uml>Where the damn did this line come from? I have never (ever) touched my hosts.allow, something has put a contradicting line in there ...
13:23<ToreadorVampire:#uml>I say it was "empty" but I only *assumed* it was empty because I'd never edited it
13:23<jdike:#uml>hah
13:23<ToreadorVampire:#uml>zomg - ok ... now I shall go and shoot myself ...
13:24<jdike:#uml>I was suspecting that the installation considered the host "special" somehow and gave it a hosts.allow entry
13:24<ToreadorVampire:#uml>... and shortly after that I shall go shoot the debian lenny maintainer for sshd/librwap
13:24<ToreadorVampire:#uml>No ... the hosts.allow comes with a default "sshd: allow all" style line
13:24<ToreadorVampire:#uml>But debian etch doesn't do that
13:25<ToreadorVampire:#uml>It has changed between debian versions
13:25<jdike:#uml>... thus accomplishing history's first suicide/murder, as opposed to the more standard murder/suicide
13:26<ToreadorVampire:#uml>Well, I said shoot myself ... that doesn't mean "shoot myself somewhere critical"
13:27<jdike:#uml>hehe
13:27<ToreadorVampire:#uml>But damn
13:27<ToreadorVampire:#uml>I would have to call that a debian lenny bug - since it means that "DenyHosts" (by default) is totally useless on lenny
13:27<jdike:#uml>for ssh anyway
13:27<ToreadorVampire:#uml>Denyhosts is made exclusively for ssh :s
13:28<ToreadorVampire:#uml>Sorry - hosts.deny and denyhosts are different things
13:29<ToreadorVampire:#uml>denyhosts is a daemon that monitors your ssh connection-attempt logs and (when thresholds on incorrect-password-attempts are breached) dynamically adds rules into hosts.deny in order to ban the offending IP
13:29<ToreadorVampire:#uml>It's really a way of preventing brute force attacks against ssh
13:34<darodrig:#uml>Hi all. I am new here and I wonder if I can ask questions here about uml?
13:36<jdike:#uml>that's what this place is for
13:36<darodrig:#uml>Thanks jeff. I did not know.
13:37-!-kos_tom [~thomas@humanoidz.org] has quit [Ping timeout: 480 seconds]
13:37<darodrig:#uml>Last month I was able to do gdb on the vmlinux startup sequence to debug some kernel modules. But After we upgrade the host (and mainly the gdb ) I can not.
13:39<darodrig:#uml>My main problem is when vmlinux runs uml_net. I get now an msg as:Executing new program: /usr/bin/uml_net (no debugging symbols found) Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command. Cannot access memory at address 0x57e58959 (gdb)
13:40-!-Basic [~Basic@gatekeeper.real-time.com] has quit [Quit: Basic]
13:40<jdike:#uml>hmmm
13:40<jdike:#uml>UML has confused gdb before
13:42<darodrig:#uml>I am able to attach to the vmlinux correctly after the tuntap interfaces has been setup.
13:43<ToreadorVampire:#uml>Well, that's my main issue solved ... and gah I hate it when things end up being stupid overlooked stuff like that
13:43<jdike:#uml>that was going to be my suggestion
13:44<darodrig:#uml>yes. But my question was to how I can stop before it inserts some kernel modules I want to debug from the rcS script so that I can attach before the init comes up.
13:46<ToreadorVampire:#uml>Second main question was really about how to get to a UML guest's console session from the host machine - I understand it's possible but I've not managed to figure it out yet ...
13:47<jdike:#uml>ToreadorVampire, what do you mean, exactly?
13:49<ToreadorVampire:#uml>jdike> So, in my current setup, I am running UML and dropping it into a detached screen session (I've not had success managing to just fork it into the background in a normal way) - now the guest is running - normally I administer it via ssh
13:49<ToreadorVampire:#uml>But can't I get to something vaguely equivalent to a terminal session via the host OS?
13:50<jdike:#uml>as in a login prompt in the screen session?
13:50<ToreadorVampire:#uml>jdike> Well, any way really ... "a way of logging into the guest that doesn't involve ssh"
13:51<jdike:#uml>since you've now blocked it
13:51<jdike:#uml>successfully
13:51<ToreadorVampire:#uml>Oh no ...
13:51<jdike:#uml>add a getty for tty0 in inittab
13:51<ToreadorVampire:#uml>I've not locked myself out of the guest (and trying to get back in)
13:52<ToreadorVampire:#uml>I have a whole set-up for an array of virtual servers (for development purposes) based on UML
13:52<jdike:#uml>that's security
13:53<ToreadorVampire:#uml>I've written a script for the automation of building new UML guests, starting them, stopping them etc (making sure I don't overcommit RAM by accident and hang them, oops, did that once)
13:53<ToreadorVampire:#uml>But atm the whole set-up relies on ssh, which makes it less-than-optimal for testing things that might blow networking up on guest machine
13:54<ToreadorVampire:#uml>(and I am vaguely aware that I have reinvented the wheel to an extent, but I created this partially to teach myself bash)
13:57<ToreadorVampire:#uml>I'll have to come back another day (when I have more time) and ask a few more specific questions - such as working out if I can run uml as a nonprivileged user ... atm I'm running all of the uml instances as root (they don't seem to work if I don't) - and I'm sure there must be a way of not running them as root ...
13:58<jdike:#uml>they can be
13:58<jdike:#uml>the only tricky part is networking
13:58<ToreadorVampire:#uml>Yeah, I thought that was where the problem was when I was running them as non-root
13:59<ToreadorVampire:#uml>I didn't seem to get any errors exactly, but I couldn't connect to them from anything
14:07<darodrig:#uml>Jeff. I tried to change uml_net to not execute setreuid () and I change the privilege of /dev/net/tun to be changed by others and it boots correctly but when I do ifconfig inside the UML it complains with permission errors. Is there a way I can do tuntap without root privileges?
14:13-!-Rounin [~david@rounin.409.no] has joined #uml
14:13-!-Rounin [~david@rounin.409.no] has quit []
14:31<jdike:#uml>you can set up the tap device by hand before UML runs
14:32<darodrig:#uml>Can I do that without root privileges?
14:35<jdike:#uml>no
14:35<jdike:#uml>I misread what you said
14:35<jdike:#uml>you can run UML without needing uml_net
14:36<jdike:#uml>but you need to have the tap device already set up
14:37<darodrig:#uml>But can I setup the tap device up front without root privileges let say by changing the permissions on /dev/net/tun..I can test that right now.
14:39<jdike:#uml>no
14:40-!-kos_tom [~thomas@humanoidz.org] has joined #uml
14:40<jdike:#uml>you will need to ifconfig it and set routes and stuff
14:40<darodrig:#uml>Nope. i can not as you said so. TUNSETIFF: Operation not permitted
14:40<jdike:#uml>and that requires root
14:41<darodrig:#uml>So my best bet is to find a way to stop the uml once it is booting up so I can attach via gdb before some insmod is executed on the rcS scripts.
14:46<darodrig:#uml>Thanks for the help. I'll try to stick around now that I know. keep the good work on UML.
14:56-!-darodrig [c6ceb5b6@webchat.mibbit.com] has quit [Quit: http://www.mibbit.com ajax IRC Client]
15:05-!-ram_ [~ram@pool-173-50-136-46.ptldor.fios.verizon.net] has joined #uml
15:07-!-pcacjr [~pcacjr@189.81.116.73] has quit [Remote host closed the connection]
15:30-!-jdike [~jdike@pool-98-118-58-90.bstnma.fios.verizon.net] has quit [Quit: Leaving]
16:08-!-Basic [~Basic@gatekeeper.dpd-info.com] has joined #uml
17:26-!-darodrig [c6ceb5b6@webchat.mibbit.com] has joined #uml
18:15-!-Basic [~Basic@gatekeeper.dpd-info.com] has quit [Quit: Basic]
18:29-!-Basic [~Basic@gatekeeper.real-time.com] has joined #uml
19:27-!-Basic [~Basic@gatekeeper.real-time.com] has quit [Quit: Basic]
19:52-!-ToreadorVampire [~ToreadorV@cpc2-bsfd6-0-0-cust74.cmbg.cable.ntl.com] has quit [Quit: ... and now back to the REAL fantasy world!]
19:59-!-darodrig [c6ceb5b6@webchat.mibbit.com] has left #uml []
20:12-!-Basic [~Basic@c-75-73-131-27.hsd1.mn.comcast.net] has joined #uml
21:56-!-Basic [~Basic@c-75-73-131-27.hsd1.mn.comcast.net] has quit [Quit: Basic]
21:58-!-Basic [~Basic@c-75-73-131-27.hsd1.mn.comcast.net] has joined #uml
21:58-!-pcacjr_ [~pcacjr@189.81.116.73] has joined #uml
21:58-!-pcacjr_ [~pcacjr@189.81.116.73] has quit [Remote host closed the connection]
21:59-!-pcacjr_ [~pcacjr@189.81.116.73] has joined #uml
22:12-!-pcacjr_ is now known as pcacjr
23:14-!-Basic [~Basic@c-75-73-131-27.hsd1.mn.comcast.net] has quit [Quit: Basic]
23:59-!-VS_ChanLog [~stats@ns.theshore.net] has left #uml [Rotating Logs]
23:59-!-VS_ChanLog [~stats@ns.theshore.net] has joined #uml
---Logclosed Thu Mar 19 00:00:28 2009