[[wiki:experiences/igraltist#kvm_on_rsbac|Back to igraltist's experiences/KVM on RSBAC]]	 
		 
 
		 
====== Start kvmguest with rsbac_jail ======	 
Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]] i do this.	 
		 
===== kvm-jail-config =====	 
<code bash>	 
;	 
; RSBAC JAIL definition for kvm	 
; 20080507	 
;	 
; Tested by igraltist	 
;	 
 
""	 
"0.0.0.0"	 
(allow-dev-read	 
allow-dev-write	 
allow-ipc-syslog	 
allow-ipc-parent	 
allow-inet-raw	 
allow-all-net-family)	 
(net-raw	 
setgid	 
setuid	 
dac-override	 
net-admin	 
dac-read-search	 
sys-resource	 
sys-module)	 
()	 
(rlimit)	 
</code>	 
		 
		 
	 
		 
		 
		 
		 

===== start kvm-guest =====	 
See on this [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] the content from file.	 
		 
<code bash>	 
kvm-admin start example	 
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)	 
[Errno 2] No such file or directory: '/vmserver/qemu.img'	 
Using already existing Tap device.	 
Setting up tun-tap-device, done ....	 
The follow command would be executing: 	 
['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', -net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']	 
</code>	 
\\	 
Now I start a guest.	 
<code bash>	 
kvm-admin start vserver	 
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)	 
SIOCSIFADDR: Die Operation ist nicht erlaubt	 
SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
can't add vserver to bridge eth1: Operation not permitted	 
(if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)	 
</code>	 
		 
If we must add the tap-device = vserver manually to the bridge.\\	 
In the example is the bridge name dmz_bridge and the tun-tap device name is vserver.	 
<code bash>	 
brctl addif dmz_bridge vserver	 
ifconfig vserver up	 
</code>	 
 
This I see in the rsbac-log, but the guest is running.	 
<code bash>	 
<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL	 
</code>	 
		 
		 
		 
		 
		 
		 
===== show-jail-info =====	 
Do this:	 
<code bash>cat /proc/rsbac-info/jail</code>	 
		 
or you can use this:\\	 
[[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]]	 
\\	 
I get this output. Its very similar to the above.	 
\\	 
<code bash>	 
./ps-jail.py 	 
Loading Jail info for Processes, done.	 
--------------------------------------------------------------------------------	 
	Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP	 
	ntpd                7337      7  1539 50349250        0  6291491 0.0.0.0	 
	dmeventd            7281      6  1537      -1        0  2113536 0.0.0.0	 
	cupsd                7103      3  1546      -1        0      32 0.0.0.0	 
	dhcpd                7224      5  67083  271555        0        0 0.0.0.0	 
	pickup              3286      8  67073      -1        0      32 0.0.0.0	 
	qemu-system-x86      3704    28  71178 16855238        0      32 0.0.0.0	 
	master              7441      8  67073      -1        0      32 0.0.0.0	 
	smbd                7560    10  1538 17302752        0      32 0.0.0.0	 
	qemu-system-x86    29614    26  71178 16855238        0      32 0.0.0.0	 
	qmgr                7448      8  67073      -1        0      32 0.0.0.0	 
	nmbd                7561    11  1538 17302752        0      32 0.0.0.0	 
	syslog-ng          11370    13  40448      -1        0        0 0.0.0.0	 
	cron                11428    14  71168      -1        0      32 0.0.0.0	 
	pdnsd              12945    16  71176 17310912  262144    16416 0.0.0.0	 
	qemu-system-x86    25748    23  71178 16855238        0      32 0.0.0.0	 
	qemu-system-x86    26053    24  71178 16855238        0      32 0.0.0.0	 
	portmap              6242      2  1537      -1        0        0 0.0.0.0	 
	smbd                7556    10  1538 17302752        0      32 0.0.0.0	 
	--------------------------------------------------------------------------------	 
It took 0.94s seconds.	 
</code>	 
Fixme: convert numbers in readable names.	 
		 
[[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]]