Where can I find more information about vps capabilities, i.e. what
exactly is:

NET_BIND_SERVICE
KILL
LINUX_IMMUTABLE
NET_ADMIN
SYS_CHROOT
VE_ADMIN

Is there any ocumentation about that available?

- Dietmar

Dietmar Maurer wrote:
> Where can I find more information about vps capabilities, i.e. what
> exactly is:
> 
> NET_BIND_SERVICE
> KILL
> LINUX_IMMUTABLE
> NET_ADMIN
> SYS_CHROOT

these are std linux capabilities, so you can look at any documentation related to it,
plus comments in kernel in include/linux/capability.h and kernel sources.

> VE_ADMIN

it is a restricted subset of CAP_SYS_ADMIN+CAP_NET_ADMIN capability for VE root.
it allows to do a lot of thing allowed for std root, like configuring firewalls,
network devices, etc. but not everything, e.g. VE root can't change mtrr registers,
can't issue raw SCSI commands, etc.

Thanks,
Kirill

Ah -i see. So it is possible to run vzctl inside a vps and do most vps
admin tasks there?

- Dietmar

>> VE_ADMIN
>
>it is a restricted subset of CAP_SYS_ADMIN+CAP_NET_ADMIN capability for
VE root.
>it allows to do a lot of thing allowed for std root, like configuring
firewalls,
>network devices, etc. but not everything, e.g. VE root can't change
mtrr 
>registers, can't issue raw SCSI commands, etc.

Most likely there answer is - possible, but not easily.
vzctl requires access to some of vps files, global
configs, ve configs etc. Theoretically it can be fixed
and adopted (e.g. to have 2 global configs: one in VE0 for
admin VPS start and one in admin VPS; files from all VEs
can also be accessiable via bind mount to admin VE),
but on practice no one tried it.

Thanks,
Kirill


Dietmar Maurer wrote:
> Ah -i see. So it is possible to run vzctl inside a vps and do most vps
> admin tasks there?
> 
> - Dietmar
> 
> 
>>>VE_ADMIN
>>
>>it is a restricted subset of CAP_SYS_ADMIN+CAP_NET_ADMIN capability for
> 
> VE root.
> 
>>it allows to do a lot of thing allowed for std root, like configuring
> 
> firewalls,
> 
>>network devices, etc. but not everything, e.g. VE root can't change
> 
> mtrr 
> 
>>registers, can't issue raw SCSI commands, etc.
> 
> 
>

> Most likely there answer is - possible, but not easily.
> vzctl requires access to some of vps files, global configs, 
> ve configs etc. Theoretically it can be fixed and adopted 
> (e.g. to have 2 global configs: one in VE0 for admin VPS 

or also do a bind mount for /etc/vz/ ?

> start and one in admin VPS; files from all VEs can also be 
> accessiable via bind mount to admin VE), but on practice no 
> one tried it.

I guess i will try it out ;-)

- Dietmar

Dietmar Maurer wrote:
>  
> 
> 
>>Most likely there answer is - possible, but not easily.
>>vzctl requires access to some of vps files, global configs, 
>>ve configs etc. Theoretically it can be fixed and adopted 
>>(e.g. to have 2 global configs: one in VE0 for admin VPS 
> 
> 
> or also do a bind mount for /etc/vz/ ?

yep.

>>start and one in admin VPS; files from all VEs can also be 
>>accessiable via bind mount to admin VE), but on practice no 
>>one tried it.
> 
> 
> I guess i will try it out ;-)

one bigger problem - networking setup (e.g. routes) in VE0 :/

Kirill