Making /tmp noexec

Discussion in 'General Discussion' started by jmfrisch, May 11, 2005.

  1. virtuoso

    virtuoso Kilo Poster

    Messages:
    46
    /etc/sysconfig/vz-scripts/vz-postinst is not found on my server.
    What should I do?
     
  2. virtuoso

    virtuoso Kilo Poster

    Messages:
    46
    Anyone? :)
     
  3. Wintermute

    Wintermute Mega Poster

    Messages:
    119
    Sounds like a good Feature request...

    How about a nice button on the VZPP to make /tmp noexec ?

    nice and easy...

    ~winter
     
  4. barmaley

    barmaley Mega Poster

    Messages:
    233
    Matter of opinion. I personally believe that this button is pointless.
    As well as vzagent and friends - vzmc, vzpp, vzcc - you name it
     
  5. rackset

    rackset Kilo Poster

    Messages:
    27
    Just to clarify, could you please let me know: on a newly installed Virtuozzo server, we have 1 OS for the Hardware Node, and 1 OS for the Service VPS.

    If I'm right, should we secure /tmp for the Hardware Node and Service VPS OSs and any other VEs that we install, or should just new VEs have a secured /tmp?

    Thanks. :)
     
  6. rackset

    rackset Kilo Poster

    Messages:
    27
    Anyone ?
     
  7. rackset

    rackset Kilo Poster

    Messages:
    27
    I used the above scripts to set up a server-wide noexec /tmp. OK, it works fine in 2 VPSs, however I get this error every other day:
    Disk quota exceeded. (/tmp not writable)

    I checked everything I know; /tmp disk usage the last time I got this error was 5% of 150MB. I counted all files on /tmp and there were 1999.

    Has anyone faced this issue, or can anyone point to something to resolve it?

    Any help appreciated.
     
  8. GARMTECH

    GARMTECH Mega Poster

    Messages:
    103
    Issue in SWSoft KB: http://kb.swsoft.com/article_130_648_en.html

    I'm only confused by the last paragraph: "Please note that it will be impossible to migrate the VPS with /tmp mounted in this way without manual intervention."

    What kind of manual intervention? What will happen if we try to migrate as usual?
     
  9. rackset

    rackset Kilo Poster

    Messages:
    27
    lack of SWSOFT support? heh...

    I just changed VPSTMP_BLOCKS & VPSTMP_INODES values to support 350MB for /tmp + 10000 inodes.

    @GARMTECH

    I've found that a simple solution to this issue is to back up /tmp, then remove /tmp, and on mount we can restore the /tmp contents to each VPS.

    I have rewritten the original script by barmaley. It has worked like a charm for me for about 4 months now, but USE IT AT YOUR OWN RISK.


    [root@98 ~]# cat /etc/sysconfig/vz-scripts/vps.mount
    #!/bin/bash
    #
    # This script is global and executed for every VPS at startup time.
    # We are going to create and mount a temp area with nosuid, nodev and noexec,
    # which will have vzquota configured and running.

    # Current issues:
    # 1) vzquota accepts only numeric quota IDs and does it in a very weird way. Details below.
    # 2) not clear how to handle on->off and off->on changes for tmp area--i.e. what to do with files
    # under /tmp and /var/tmp.
    # it's possible to move files back and forth on mount/umount stage--i.e.
    #
    # mv tmp temptmp
    # mount tmparea
    # tar -cf - -C temptmp . | tar xpf - -C tmp
    #
    # on mount and opposite action on umount but it may take considerable time - we have quotas already
    # running, it's copying across mountpoits etc.
    # 3) perhaps tmp should be added to /etc/fstab
    # 4) completely unclear what to do with second-level quotas.

    # script works with $VEID and $VE_CONFFILE vars which are passed as environment
    # variables. All the rest can be defined
    # a) in /etc/sysconfig/vz as a system-wide
    # and b) in VE config file.


    # tmp sizes/limits
    VPSTMP_BLOCKS=$((350*1024))
    VPSTMP_INODES=10000


    # tmp 'path' - we might want have it outside
    # of /vz
    TMPPATH="/vz/private"
    VPSTMP="$VEID-temparea"

    VPSTMPBAK="$VEID-temparea-bak"

    # currently service VPS just doesn't work right
    # with a dedicated nosuid / noexec TMP.

    if [ $VEID -eq 1 ]; then
    exit 0
    fi

    # source configs.
    if [ -f /etc/sysconfig/vz ]; then
    . /etc/sysconfig/vz
    else
    exit 1
    fi

    if [ -f $VE_CONFFILE ]; then
    . $VE_CONFFILE
    else
    exit 1
    fi

    # a special var from either global file or VPS config.
    if [ -z "$VPS_TMP_AREA" ]; then
    # TMP area not configured in neither config.
    exit 0
    fi

    if [ "$VPS_TMP_AREA" != "yes" -a "$VPS_TMP_AREA" != "YES" ]; then
    # TMP area is disabled in either config
    exit 0
    fi

    # after sourcing configs we might have blocks/inodes in limit:barrier form
    # and have to handle it. Perhaps we need to check that soft < hard here.

    if [ "$VPSTMP_BLOCKS" = "${VPSTMP_BLOCKS/:/}" ]; then
    VPSTMP_BLOCKS_SOFT=$VPSTMP_BLOCKS
    VPSTMP_BLOCKS_HARD=$VPSTMP_BLOCKS
    else
    VPSTMP_BLOCKS_SOFT=${VPSTMP_BLOCKS%%:*}
    VPSTMP_BLOCKS_HARD=${VPSTMP_BLOCKS##*:}
    fi

    if [ "${VPSTMP_INODES}" = "${VPSTMP_INODES/:/}" ]; then
    VPSTMP_INODES_SOFT=$VPSTMP_INODES
    VPSTMP_INODES_HARD=$VPSTMP_INODES
    else
    VPSTMP_INODES_SOFT=${VPSTMP_INODES%%:*}
    VPSTMP_INODES_HARD=${VPSTMP_INODES##*:}
    fi

    # it seems that vzquota not only doesn't work with non-numeric quota IDs but also
    # silently removes non-numeric chars from the supplied ID, without reporting errors.
    # this indeed is very unfortunate since we have to use something like $00001
    # instead of $VEID-tmparea for the quota ID; otherwise there's some weird interaction
    # between VPS and temparea quotas.

    ### WARNING!!!!!!#####
    # VPS ID can not be more than 2^32-1, if you use "big" IDs for VPSs, you have to
    # modify a var below to have VPSTMP_QUOTAID below the VPS ID "limit"
    # (this limit also applies to quota IDs)

    VPSTMP_QUOTAID=${VEID}1111

    # other constants
    # VZ_PRIVATE=/vz/private

    # strip a trailing slash from TMPPATH
    # (the pattern %%/? would instead remove a slash followed by any one character)
    TMPPATH=${TMPPATH%/}

    # extra sanity check
    if [ "$TMPPATH/$VPSTMP" = "/" ]; then
    exit 1
    fi

    # if we don't have "vzfs filesystem" for the temp
    # area, we have to create it, and init quota on it.
    if [ ! -d "$TMPPATH/$VPSTMP" ]; then
    mkvzfs $TMPPATH/$VPSTMP
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
    # some logging?
    exit $RETVAL
    fi
    vzquota init $VPSTMP_QUOTAID -p $TMPPATH/$VPSTMP \
    -c /var/vzquota/quota.$VPSTMP_QUOTAID \
    --block-softlimit $VPSTMP_BLOCKS_SOFT \
    --block-hardlimit $VPSTMP_BLOCKS_HARD \
    --block-exptime 0 \
    --inode-softlimit $VPSTMP_INODES_SOFT \
    --inode-hardlimit $VPSTMP_INODES_HARD \
    --inode-exptime 0
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
    # some logging?
    exit $RETVAL
    fi


    cp -pR $TMPPATH/$VPSTMPBAK/* $TMPPATH/$VPSTMP/root/


    fi

    # turning quota on. We might have it already running for
    # whatever reason - so stop it first.
    vzquota off $VPSTMP_QUOTAID > /dev/null 2>&1
    vzquota on $VPSTMP_QUOTAID
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
    # some logging
    exit $RETVAL
    fi

    # OK, assuming that everything is done. Now we need to mount tmp.
    if [ ! -d "$TMPPATH/$VPSTMP" ]; then
    # something really is broken.
    exit 1
    else
    mount -t vzfs \
    -o noatime,nosuid,noexec,nodev,rw,/vz/template:$TMPPATH/$VPSTMP \
    /vz/template:$TMPPATH/$VPSTMP $VE_ROOT/tmp
    RETVAL=$?
    if [ $RETVAL != 0 ]; then
    # some logging
    exit $RETVAL
    fi
    # we want tmp to have 1777 mode
    chmod 1777 $VE_ROOT/tmp
    fi

    # if we are here, everything is good so far
    # we want to make /var/tmp to be symlink to /tmp.

    if [ ! -L $VE_ROOT/var/tmp ]; then
    rm -rf $VE_ROOT/var/tmp
    ln -s /tmp $VE_ROOT/var/tmp
    fi

    exit 0
    [root@98 ~]# cat /etc/sysconfig/vz-scripts/vps.umount
    #!/bin/bash
    #
    # this script is global and executed for every VPS at stop time
    # we're going to umount a temp area and stop vzquota for it.

    # script works with $VEID and $VE_CONFFILE vars which are passed as environment
    # variables. All the rest can be defined
    # a) in /etc/sysconfig/vz as a system-wide
    # and b) in VE config file.

    TMPPATH="/vz/private"
    VPSTMP="$VEID-temparea"

    VPSTMPBAK="$VEID-temparea-bak"

    # currently service VPS just doesn't work right
    # with a dedicated nosuid / noexec TMP.

    if [ $VEID -eq 1 ]; then
    exit 0
    fi

    # source configs.
    if [ -f /etc/sysconfig/vz ]; then
    . /etc/sysconfig/vz
    else
    exit 1
    fi

    if [ -f $VE_CONFFILE ]; then
    . $VE_CONFFILE
    else
    exit 1
    fi

    # script is really simple and most likely should be changed completely


    ## Changes from original ##
    if [ -d $TMPPATH/$VPSTMPBAK ]; then
    mv -f $TMPPATH/$VPSTMPBAK $TMPPATH/${VPSTMPBAK}1
    fi

    mkdir $TMPPATH/$VPSTMPBAK
    cp -pR $TMPPATH/$VPSTMP/root/* $TMPPATH/$VPSTMPBAK/
    rm -fr $TMPPATH/$VPSTMP
    ## End of changes ##


    VPSTMP_QUOTAID=${VEID}1111

    if grep -q $VPSTMP /proc/mounts; then
    umount $VE_ROOT/tmp
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
    ## some logging?
    ## do we need 'umount -f' here?
    exit $RETVAL
    fi

    vzquota off $VPSTMP_QUOTAID
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
    # some logging?
    exit $RETVAL
    fi
    fi

    exit 0
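
The checks that the comments in vps.mount leave open (soft versus hard limits, the 2^32-1 quota ID ceiling), together with a guard on `$VE_ROOT`, written here as an added example that is not part of rackset's or barmaley's script. The function names are hypothetical and nothing in it calls vzquota or mount.

```sh
#!/bin/sh
# Added example: pre-flight checks for the values vps.mount depends on.
MAX_QUOTA_ID=4294967295   # 2^32-1, the limit named in the script's WARNING comment

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Echo "soft hard" for a limit written as N or soft:hard.
# Rejects non-numeric input, extra colons and soft > hard.
split_limit() (
    case $1 in
        *:*:*) exit 1 ;;
        *:*)   soft=${1%%:*}; hard=${1##*:} ;;
        *)     soft=$1; hard=$1 ;;
    esac
    is_uint "$soft" && is_uint "$hard" || exit 1
    [ "$soft" -le "$hard" ] || exit 1
    echo "$soft $hard"
)

# Echo the quota ID the script builds (${VEID}1111) if it stays in range.
tmp_quota_id() (
    is_uint "$1" || exit 1
    id="${1}1111"
    # more than 10 digits can never fit; this also keeps -le within range
    [ "${#id}" -le 10 ] && [ "$id" -le "$MAX_QUOTA_ID" ] || exit 1
    echo "$id"
)

# An empty or "/" VE_ROOT would make "$VE_ROOT/tmp" and "$VE_ROOT/var/tmp"
# resolve to the hardware node's own directories, so the mount, chmod and
# rm -rf steps must not run in that case. Accept absolute paths only.
safe_ve_root() {
    case $1 in /*[!/]*) return 0 ;; *) return 1 ;; esac
}

# Constructed VEIDs: the second one pushes ${VEID}1111 past the ceiling.
for veid in 101 429497; do
    if id=$(tmp_quota_id "$veid"); then
        echo "VEID $veid: quota ID $id"
    else
        echo "VEID $veid: ${veid}1111 exceeds $MAX_QUOTA_ID"
    fi
done
```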
     
  10. GARMTECH

    GARMTECH Mega Poster

    Messages:
    103
    Thanks for the reply, rackset! But I was interested in the migration question (from one hardware node to another). The knowledge base says that "it will be impossible to migrate the VPS with /tmp mounted in this way without manual intervention". Has anyone tried migrating such VEs (with /tmp mounted) to another HW Node? Any problems? What does the KB mean by "manual intervention"?
     
  11. faris

    faris Guru

    Messages:
    934
    Please forgive my ignorance, but would I be correct in thinking that the steps and variations mentioned in this thread aren't really necessary with Virtuozzo 3.0sp1 ?

    i.e. you just need to do
    Code:
    #vzctl set [VPS-id] --bindmount_add /var/tmp,noexec,nosuid,nodev --save
    #vzctl set [VPS-id] --bindmount_add /tmp,noexec,nosuid,nodev --save
    
    It seems to work and is migration-friendly.

    Faris.
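
A way to confirm from inside the VPS that the /tmp and /var/tmp mounts really carry all three flags, shown as an added example that is not from the thread. It parses text in /proc/mounts format; the sample entries and device names are constructed, and `missing_flags` is a hypothetical helper name.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format (device names are made up).
sample_mounts() {
cat <<'EOF'
rootdev / ext3 rw 0 0
tmpdev /tmp ext3 rw,nosuid,nodev,noexec 0 0
vartmpdev /var/tmp ext3 rw,nosuid,nodev 0 0
EOF
}

# Read /proc/mounts-format text on stdin and echo which of
# "noexec nosuid nodev" the mount at $1 lacks (empty line = none missing).
# The last matching line wins, because a later mount over the same path
# hides the earlier one. Exit status 2 means nothing is mounted at $1,
# i.e. the directory simply inherits the parent filesystem's options.
missing_flags() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; found = 1 }
        END {
            if (!found) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            m = split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in have))
                    out = out (out == "" ? "" : " ") want[i]
            print out
        }'
}

# Report on both directories using the constructed sample.
for mp in /tmp /var/tmp; do
    if miss=$(sample_mounts | missing_flags "$mp"); then
        if [ -z "$miss" ]; then echo "$mp: ok"; else echo "$mp: missing $miss"; fi
    else
        echo "$mp: not a separate mount"
    fi
done
```

On a live system, feed it `/proc/mounts` instead of the sample. A /var/tmp that is a symlink to /tmp is reported as not a separate mount, so check the link target in that case.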
     
  12. shortcut

    shortcut Kilo Poster

    Messages:
    99
    The migration agent generally uploads into /tmp and runs from there, so that is why the migrations will b0rk, because the agents can't run!

    -S
     
  13. faris

    faris Guru

    Messages:
    934
    Thanks Shortcut.

    Hmm....I don't recall if things were different in the VZ4 beta....I think I need to set up more than one machine to test but I don't have enough spare hardware at the moment.
     
  14. HowardWDrive

    HowardWDrive Bit Poster

    Messages:
    1
    i will change my domain asap.
     
  15. ntclick

    ntclick Bit Poster

    Messages:
    2
    Thanks for helping
     
