OpenVZ Forum


See connections from other VE's in netstat [message #38457] Mon, 21 December 2009 12:26
ceelian
Messages: 11
Registered: October 2006
Junior Member
Hi,

When I run netstat -tapn I can see the connections of IPs from other VEs on the same hardware node.
In the netstat column Local Address (inside the VE) there are the "neighbour" VE IPs beside mine. I think there should only be connections from my VE IP, not from the others too.

Is that a feature or a security-critical bug?

How can I disable that, or is it necessary?

Devices in VE's are venet Devices.

Thx.
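To turn the symptom described above into something you can check mechanically, here is an added example (not code from the OpenVZ project or from anyone in this thread). It parses the text of `netstat -tapn` as run inside a container, collects the container's own addresses from `ip -o addr`, and reports every TCP socket whose Local Address is neither one of those addresses, loopback, nor a wildcard bind. The sample netstat and `ip addr` output, the container IP 10.0.0.5 and the neighbour IPs 10.0.0.6 and 10.0.0.7 are all constructed for the example; a hypothetical `--live` switch runs the real commands instead.

```python
"""Flag netstat entries whose local address does not belong to this container.

Added example for this thread (not OpenVZ/vzctl code).  Any socket reported
here is visible from inside the VE even though its local endpoint is an IP the
VE does not own, i.e. the container can observe its neighbours' socket state.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Local endpoints that legitimately show up in any container.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}

# Matches the address after "inet"/"inet6" in `ip -o addr` output.
IP_ADDR_RE = re.compile(r"\binet6?\s+([0-9a-fA-F.:]+)(?:/\d+)?")


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: int
    remote: str
    state: str
    program: str


def split_endpoint(endpoint: str):
    """Split 'host:port' on the last colon so IPv6 text such as ':::22' works."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else -1)


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -tapn` output; header lines and non-TCP rows are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, remote, state = fields[:6]
        # PID/Program name may contain spaces ("1455/sshd: admin"), so rejoin it.
        program = " ".join(fields[6:]) or "-"
        host, port = split_endpoint(local)
        conns.append(Conn(proto, host, port, remote, state, program))
    return conns


def own_ips_from_ip_addr(text: str) -> Set[str]:
    """Collect every inet/inet6 address from `ip -o addr` output."""
    return set(IP_ADDR_RE.findall(text))


def foreign_local_sockets(conns: Iterable[Conn], own_ips: Iterable[str]) -> List[Conn]:
    """Return sockets whose local host is not ours, not loopback and not a wildcard."""
    allowed = set(own_ips) | WILDCARD_HOSTS | LOOPBACK_HOSTS
    return [c for c in conns if c.local_host not in allowed]


# Constructed sample: this VE owns 10.0.0.5; 10.0.0.6 and 10.0.0.7 are neighbours.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1201/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1310/master
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED 1455/sshd: admin
tcp        0      0 10.0.0.6:80             198.51.100.7:40021      ESTABLISHED -
tcp        0      0 10.0.0.7:443            198.51.100.9:40330      TIME_WAIT   -
tcp6       0      0 :::80                   :::*                    LISTEN      1502/apache2
"""

# Constructed sample of `ip -o addr` inside the same VE (venet device).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
3: venet0    inet 10.0.0.5/32 brd 10.0.0.5 scope global venet0:0
"""


if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:  # hypothetical switch: inspect the running VE
        ns = subprocess.run(["netstat", "-tapn"], capture_output=True, text=True, check=True).stdout
        ipa = subprocess.run(["ip", "-o", "addr"], capture_output=True, text=True, check=True).stdout
    else:
        ns, ipa = SAMPLE_NETSTAT, SAMPLE_IP_ADDR

    for c in foreign_local_sockets(parse_netstat(ns), own_ips_from_ip_addr(ipa)):
        print(f"foreign local endpoint {c.local_host}:{c.local_port} {c.state} ({c.program})")
```

Run without arguments it works on the constructed sample and reports the 10.0.0.6 and 10.0.0.7 sockets; with `--live` it inspects the container it runs in. An empty report from inside a VE is the expected state on an unaffected kernel.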
Re: See connections from other VE's in netstat [message #38458 is a reply to message #38457] Mon, 21 December 2009 12:40
kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia
Senior Member

What kernel is it? Please provide output of
uname -a
cat /proc/vz/version


Kir Kolyshkin
Re: See connections from other VE's in netstat [message #38459 is a reply to message #38458] Mon, 21 December 2009 12:45
ceelian
Messages: 11
Registered: October 2006
Junior Member
Hi,

uname -a
Linux testhn2 2.6.26-2-openvz-amd64 #1 SMP Wed Aug 19 23:15:49 UTC 2009 x86_64 GNU/Linux

cat /proc/vz/version 
036test001


The HN is an Ubuntu Jaunty system with the Debian OpenVZ kernel (Ubuntu has AFAIK no officially supported OpenVZ kernel). The vzctl comes from the official Ubuntu Jaunty APT repository. I wonder why the version is "...test...". I thought Ubuntu Jaunty ships with a stable vzctl.

Regards,
ceelian

[Updated on: Mon, 21 December 2009 16:52]


Re: See connections from other VE's in netstat [message #38536 is a reply to message #38457] Tue, 29 December 2009 17:15
ceelian
Messages: 11
Registered: October 2006
Junior Member
After some research I found out that it might be the capability NET_ADMIN:on which causes this effect.

Can anyone agree with this, or is it impossible that NET_ADMIN can cause this effect?

Anyway, if I use NET_ADMIN:on, which must be set for OpenVPN to work properly, can containers interfere in an "attacking way" due to this setting? I mean, can anyone break into someone else's container due to that option being turned on? Or is the worst thing that can happen that a neighbour's container can sniff the network traffic?

thx,
ceelian
Re: See connections from other VE's in netstat [message #38557 is a reply to message #38457] Thu, 31 December 2009 22:16
hfb9
Messages: 6
Registered: November 2008
Junior Member
We are now seeing this behavior on:

2.6.26-2-openvz-amd64

Which is the latest OpenVZ Kernel in the Debian Lenny stable repositories.

Does this mean packet sniffing between virtual servers on the same hardware is now possible?