OpenVZ Forum


Kill in HN [message #3206] Wed, 17 May 2006 09:45
molliver
Messages: 30
Registered: May 2006
Member
Hi,

Is there a way to only see the processes running on the Hardware node if you are logged onto the HN, rather than seeing all processes? I accidentally just killed a process running on a VPS thinking it was running on the HN. Surely, for security, processes from VPSs should not appear listed on the HN; otherwise, if the main HN gets attacked, then anything can be done.

Mark
Re: Kill in HN [message #3210 is a reply to message #3206] Wed, 17 May 2006 10:37
dev
Messages: 1693
Registered: September 2005
Location: Moscow
Senior Member

You can try the following simple patch for this:

--- ./fs/proc/base.c.procstr	2006-05-11 13:05:40.000000000 +0400
+++ ./fs/proc/base.c	2006-05-17 14:33:14.000000000 +0400
@@ -1745,6 +1745,8 @@ static int get_tgid_list(int index, unsi
 		int tgid = get_task_pid_ve(p, owner);
 		if (!pid_alive(p))
 			continue;
+		if (!ve_accessible_strict(get_exec_env(), VE_TASK_INFO(p)->owner_env))
+			continue;
 		if (--index >= 0)
 			continue;
 		tgids[nr_tgids] = tgid;
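Review bot: the new ve_accessible_strict() check in get_tgid_list() only filters the /proc task listing, so VE processes stop showing up in `ps` and `ls /proc` on the hardware node, but nothing in this hunk touches the signal path: a `kill` issued from the HN against a VE pid that is already known would still succeed, so this prevents seeing, not killing. Placing the check before `if (--index >= 0)` is right, since it keeps the pagination index consistent with the filtered list. A minor point: `int tgid = get_task_pid_ve(p, owner);` is evaluated for every task, including the ones the new test discards; moving that assignment below the `continue` avoids the lookup for skipped tasks. A one-line description of the intent (hide foreign-VE tasks from the HN's /proc) would also help anyone applying it to a different kernel.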
Re: Kill in HN [message #3211 is a reply to message #3210] Wed, 17 May 2006 11:17
molliver
Messages: 30
Registered: May 2006
Member
Hi,

I take it that was a patch to the release stable kernel?

Thanks

Mark
Re: Kill in HN [message #3213 is a reply to message #3211] Wed, 17 May 2006 11:21
dev
Messages: 1693
Registered: September 2005
Location: Moscow
Senior Member

yup. against stable 2.6.8.

Re: Kill in HN [message #3226 is a reply to message #3206] Wed, 17 May 2006 16:12
John Kelly
Messages: 97
Registered: May 2006
Location: Palmetto State
Member
molliver wrote on Wed, 17 May 2006 05:45

I accidentally just killed a process running on a VPS thinking it was running on the HN.


Mistakes can be catastrophic when logged in as root. On HN, you are "superroot." Why use HN to kill processes? OpenVZ recommends running only sshd on the HN.

molliver wrote on Wed, 17 May 2006 05:45

Surely, for security, processes from VPSs should not appear listed on the HN; otherwise, if the main HN gets attacked, then anything can be done.


This is the architecture. If you accept it and work with it, OpenVZ is a good solution for many needs. If you work against it, who can you blame besides yourself?


Re: Kill in HN [message #3253 is a reply to message #3206] Thu, 18 May 2006 22:23
kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia
Senior Member

Seeing all the VPS processes (and files) and the ability to do vzctl enter from the hardware node is a principle of OpenVZ. That makes VE mass management and troubleshooting possible. If something is wrong with the VPS, you can kill it from the host system.

At the same time, you are right, this is not good for security. Thus we do not recommend running anything but the very basic stuff on the hardware node itself -- ideally, the only network port open on the hardware node is port 22, sshd. If you want to run anything else, create a VE and run it in this dedicated VE.


Kir Kolyshkin
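Since the architecture keeps every VE task visible to root on the hardware node, the practical protection against the mistake that started this thread is a guard in front of kill rather than hiding the tasks. The following shell wrapper is an added example, not code from the thread or from the OpenVZ project: it assumes (as on OpenVZ kernels) that /proc/<pid>/status carries an "envID:" line, with 0 meaning the task belongs to the hardware node, and it refuses to signal anything that lives in a VE. The proc root is a parameter only so the logic can be exercised against constructed status files.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to signal a task from the HN
# unless it belongs to the hardware node itself (envID 0).
# Assumption: /proc/<pid>/status on an OpenVZ kernel contains "envID:\t<n>".

# Print the envID of a task given the path to its status file.
# Prints "?" when no envID line is present (e.g. a non-OpenVZ kernel).
task_envid() {
    awk '/^envID:/ { print $2; found = 1 } END { if (!found) print "?" }' "$1"
}

# Return 0 when the task is a hardware-node task (envID 0),
# 1 when it lives inside a VE or its VE cannot be determined.
is_hn_task() {
    [ "$(task_envid "$1")" = "0" ]
}

# safe_kill <pid> [signal] [procroot]
# Sends the signal only when the guard passes. procroot defaults to /proc and
# exists so the guard can be tested against constructed status files.
safe_kill() {
    pid=$1
    sig=${2:-TERM}
    procroot=${3:-/proc}
    status="$procroot/$pid/status"
    if [ ! -r "$status" ]; then
        echo "safe_kill: no such task $pid" >&2
        return 2
    fi
    if ! is_hn_task "$status"; then
        echo "safe_kill: refusing: pid $pid belongs to VE $(task_envid "$status")" >&2
        return 1
    fi
    kill -s "$sig" "$pid"
}
```

Used as `safe_kill 4242` on the HN, the wrapper exits 1 with a message naming the VE instead of signalling a container's process; for a task that genuinely needs to be stopped from the host, `vzctl exec <veid> kill <pid>` keeps the action scoped to that VE.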