Setcap is not working for raw sockets on custom distro - linux

I'm in the process of building a small Linux distro based on Debian for automated network testing. I am running into a pretty annoying problem though. A number of applications like paris-traceroute, ping, dublin-traceroute and so forth are not working correctly. They return an error of being unable to open a raw ICMP socket. I have tried using 'setcap cap_net_raw+ep ./application' and it's not working even though getcap indicates that the bits have been set.
I'm also running into the same problem if I try to use them as setuid root. They only work under sudo. So I'm wondering if I screwed up permissions on some intervening library or if there is some other issue.
Anyone run into something like this or have a solution?
Thanks!

In case anyone comes across this, I'll explain why this is failing.
What I didn't mention is that the applications (like ping, etc.) are actually installed in /opt. In this distro /opt is actually an encfs file system that is only mounted after the livecd has been authorized against a licensing type of server (there are valid reasons for this - it automatically tests network connections and sends the results to a network engineer. We only want it to run within a specific time frame that would be associated with the user trouble ticket). So /opt isn't a real filesystem - it's an encrypted file mounted via fuse to look like a file system. As such setcap and setuid don't actually work and likely cannot work.
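An added check (not from the original post) that makes this failure visible: Python that parses the /proc/self/mountinfo format and reports whether the mount backing a binary is nosuid, which is what makes the kernel ignore both setuid bits and file capabilities on non-root FUSE mounts such as encfs. The sample mount table and the /opt/paris-traceroute path are constructed; on a real system the script reads the live table.

```python
"""Why setcap/setuid appear to work but do nothing: the kernel ignores both on
any mount carrying nosuid, and FUSE mounts made by non-root users (encfs,
sshfs, ...) are always nosuid,nodev.  Parses the /proc/self/mountinfo format."""
import os
import sys
# Constructed sample in /proc/self/mountinfo format: ext4 root + encfs on /opt.
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
40 25 0:36 / /opt rw,nosuid,nodev,relatime - fuse.encfs encfs rw,user_id=1000
"""

def parse_mountinfo(text):
    """Return [(mount_point, fstype, set_of_mount_options)] from mountinfo text."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # id parent maj:min root mount_point opts [optional...] - fstype source superopts
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        mount_point = fields[4].replace("\\040", " ")  # spaces are octal-escaped
        mounts.append((mount_point, post.split()[0], set(fields[5].split(","))))
    return mounts

def mount_for(path, mounts):
    """Longest-prefix match: the mount whose mount point contains *path*."""
    path, best = os.path.abspath(path), None
    for entry in mounts:
        mp = entry[0]
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and (best is None or len(mp) > len(best[0])):
            best = entry
    return best

def caps_effective(path, mounts):
    """True when setuid bits and file capabilities on *path* can take effect."""
    entry = mount_for(path, mounts)
    return entry is not None and "nosuid" not in entry[2]

def diagnose(path, mounts):
    mp, fstype, opts = mount_for(path, mounts)
    verdict = "honoured" if "nosuid" not in opts else "IGNORED: mount is nosuid"
    hint = " (non-root FUSE mounts are always nosuid)" if fstype.startswith("fuse") else ""
    return "%s is on %s [%s]: setuid/fscaps %s%s" % (path, mp, fstype, verdict, hint)

if __name__ == "__main__":  # prefer the live mount table when it exists
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/paris-traceroute"
    live = "/proc/self/mountinfo"
    text = open(live).read() if os.path.exists(live) else SAMPLE_MOUNTINFO
    print(diagnose(target, parse_mountinfo(text)))
```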

Related

Are there any benefits to keep your files (scripts) on WSL filesystem

When reading the WSL documentation, it is stated that:
"Unlike our practice with trying to exclusively install programs and software on Ubuntu, our files and folders need to live exclusively on the Windows FS [...] Windows and Windows Apps can only read and write Windows files, and VSCode will be making our changes."
I understand the reasoning behind this and indeed, if one uses VSCode for example, it all makes sense. But my question is:
Is there any real reason why you couldn't keep your files (i.e. scripts) on the WSL filesystem itself? More specifically, if you don't ever intend to use the Windows filesystem (i.e you won't ever need a GUI or else), is there any sense in placing the files in the Windows FS?
Obviously you need to make sure you backup your data (GitHub or else) but aside from that, is there any downside? I guess what I'm saying is: can I use WSL like a VM? Can I keep BOTH software AND scripts all in WSL, separate from the Windows filesystem?
PS: The reason for avoiding a VM in this context is because I have a low spec laptop which has struggled a lot in the past with VMs (slow, not enough RAM), and so far, WSL seems to be running much more smoothly.
Thanks
The simple answer is yes, you can use WSL as if it were a VM. WSL is for the most part fully-fledged Linux, and you can use Linux as your primary operating system, ignoring the fact you need to start it from within Windows. I haven't tried WSL 2, but it's said to be implemented as a fast VM, which is exactly what you ask for. (Further, the lack of GUIs can be mitigated using built-in support for sending X data over SSH to the Windows half of your computer, and displaying it with an X server. If I remember correctly, these two articles got me most of my way there.)
However, if you want to get pedantic, you can't store any files separate from your Windows filesystem on WSL 1. If you run e.g. Ubuntu, your Linux filesystem is instead always contained within %USERPROFILE%\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState, so it'll technically not be separate. I can't test WSL 2, but according to this article, WSL 2 also stores its data in that folder, just as a single VHDX image. Presumably every WSL distro stores its data on the Windows filesystem.
Warning: Do not access the files themselves in your Linux filesystem within AppData using Windows tools, or you run a high risk of corrupting those files.
Yes, you can, and only place files in the Windows filesystem if you want to share them with Windows programs. Moreover, in Windows 1903 you don't need to place files in the Windows filesystem to share them with Windows programs; they can access them.
In WSL 2 they encourage you to keep everything in the WSL filesystem to take advantage of the filesystem's performance improvements.
So, yes you can and you should.

Windows program to communicate with Virtualbox

I am wondering if it is possible to write a program on Windows that communicates with a program within a Linux Virtualbox on the same machine. If this is possible, what is the best approach to doing this? Is there a way to do this without using the internet to communicate?
I found instructions showing how you could potentially use SSH, but I have never tried doing this before, so I do not know if using SSH to communicate would be the best option.
I was going to put this as a comment to a very vague question, but then it got too long.
It depends what you mean by "communicate"....
If the Windows machine should start a program on the Linux VM, you probably want plink.exe - see here.
If you want to transfer whole files, you probably want scp or FTP or FileZilla - see here.
If you want to send small messages occasionally, maybe netcat, also known as nc - see Netcat Cheatsheet here.
If you want full-on, high speed, continuous messages, maybe sockets or some messaging protocol like mqtt.
If you want to share data structures, like lists, queues or sets, you could allow both Windows and the Linux machine to access a shared Redis database - see here.
Or maybe it is enough to share a filesystem between the two machines - in which case you can make a Shared Folder in VirtualBox on your host and the VM can just mount that and read/write it. See diagram:

inotify - what is the best way to go about it?

I have inotify on my Linux server. I looked up a whole lot of postings online on how to use inotify and found a sample C program that watches a directory for file create/delete. It worked fine on both a local directory and an NFS directory (which is what I really need).
Now, looking at options on how to make this an always-running process, I see there are the below options, at least from what I understand:
I guess try to run this C code with a wait and never close it?
incrond - which apparently is a daemon process. I don't seem to have it on my Linux server (I have RHEL 5), so I guess I need to install it. Not very clear on how incrond would work.
inotify-tools - this sounds the easiest as it says I can just use commands in a shell script.
I also have questions like: what happens when the NFS mount is removed, the server shuts down, etc.? Would inotify know to pick up from where it left off?!
I know this is a lot of questions but any pointers would help me a great deal. Thanks in advance. Meanwhile I will continue playing with the sample C code.
I don't think that inotify(7) works reliably with network file systems (either NFS or CIFS).
It could work (on the local host) if the local host is modifying/writing some NFS mounted system.
It won't work (on the local host) if some remote client is modifying/writing some NFS mounted system (mounted by the local host).
Because the NFS protocol (at least those that I know, pre-NFS4) is an RPC protocol, and there is no way for the remote NFS server (mounting that NFS system) to signal to distant clients that something is happening.

Starting Gnome 3 in a read-only environment

First off, my intention is to create a portable, bootable USB drive containing a GNU/Linux distribution. Specifically, I want to use Arch Linux with a squashfs read-only root filesystem.
The squashfs image is based on a snapshot of a working VM. The base system with its services like ssh works out of the box as expected. But when trying to launch GNOME via systemd (systemctl start gdm), all I see is a black screen (supposedly the X server started but gdm fails to load). I already tried to figure out what's happening, but failed to identify the exact problem.
Home directories are writeable
/tmp is writeable
/var/log is writeable
/var/run & /run are writeable anyway
/var/log/gdm gets created but stays empty.
Which modules may require write access to any other files? Is there any documentation? What would make sense to strace or similar?
My desire is to know the root of the problem and fix it, instead of using workarounds like unionfs. Thanks for any help or hints!
Although it's not relevant, for those who might wonder why I want to do this, here are some points to consider:
Stability - as you cannot modify system files, you cannot mess up the system (unless you write bogus directly to the drive of course)
Storage - as files are compressed, more data fits on the drive
Performance - as I/O on most USB drives is slow, compression gives you higher I/O speed
Portability - no special treatment for read-only storage, you might copy it on a CD or any other read-only technology and it will still work the same way as it would on a writeable disk
Update
I figured out that the problem was actually at /var/lib/gdm. GDM tried to access files in there and (silently) failed doing so, giving me a black screen.
journalctl was the debugging command I was missing in the first place.
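A way to answer the "what would make sense to strace" question above with data instead of guessing (added example, not from the thread): Python that scans an strace -f -o capture of the failing service for write-type syscalls that failed with EROFS and tallies them per directory, so a location like /var/lib/gdm stands out. The log lines and pids in SAMPLE_LOG are constructed.

```python
"""On a squashfs root, find which paths a service needed to write: scan an
`strace -f -o LOG` capture for file-creating/writing syscalls that failed with
EROFS (or EACCES) and group the failing paths by directory."""
import re
from collections import Counter

# Constructed sample in strace -f -o output format (pid, call, result).
SAMPLE_LOG = """\
1042  openat(AT_FDCWD, "/etc/gdm/custom.conf", O_RDONLY|O_CLOEXEC) = 5
1042  openat(AT_FDCWD, "/var/lib/gdm/.config/dconf/user", O_WRONLY|O_CREAT|O_TRUNC, 0600) = -1 EROFS (Read-only file system)
1042  mkdir("/var/lib/gdm/.cache", 0700) = -1 EROFS (Read-only file system)
1043  openat(AT_FDCWD, "/var/log/gdm/greeter.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 7
1043  rename("/var/lib/gdm/.ICEauthority-c", "/var/lib/gdm/.ICEauthority") = -1 EROFS (Read-only file system)
"""

WRITE_CALLS = {"open", "openat", "creat", "mkdir", "mkdirat", "rename", "renameat",
               "renameat2", "unlink", "unlinkat", "symlink", "symlinkat", "link",
               "chmod", "fchmodat", "chown", "fchownat", "utimensat", "truncate"}
LINE_RE = re.compile(r"^(?:\d+\s+)?(\w+)\((.*)\)\s*=\s*-1\s+(E[A-Z]+)")
PATH_RE = re.compile(r'"([^"]*)"')
OPEN_WRITE_RE = re.compile(r"O_(WRONLY|RDWR|CREAT|TRUNC)")

def failed_writes(log_text, errnos=("EROFS", "EACCES")):
    """Return [(syscall, path, errno)] for write-type calls that failed.
    For rename the source path is reported; the destination's directory
    must be writable as well."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) not in WRITE_CALLS or m.group(3) not in errnos:
            continue
        call, args, err = m.groups()
        paths = PATH_RE.findall(args)
        # A read-only open is not a write attempt even if it failed.
        if call in ("open", "openat") and not OPEN_WRITE_RE.search(args):
            continue
        if paths:
            hits.append((call, paths[0], err))
    return hits

def dirs_needing_write(log_text):
    """Counter: parent directory -> number of failed writes beneath it."""
    dirs = Counter()
    for _, path, _ in failed_writes(log_text):
        dirs[path.rsplit("/", 1)[0] or "/"] += 1
    return dirs

if __name__ == "__main__":
    for d, n in dirs_needing_write(SAMPLE_LOG).most_common():
        print("%3d  %s" % (n, d))
```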

Vagrant, shared folder: take advantage of inotify over NFS

Our Symfony2 webapp uses the Assetic watcher in development mode to re-compile assets on the go.
The webapp runs in a Docker container which runs in a Vagrant VM (Ubuntu 12.04 Precise).
The host is OSX 10.9 Mavericks and it shares the code folder with the VM through a NFS (v3) share and the code is mounted in the container via a host/guest volume in Docker.
Since inotify seems to not be able to detect file modifications over NFSv3, the watcher works in polling mode which can be very slow (~1/2 minutes to detect the modification).
I've read that NFSv4 is inotify compliant but I did not find any good resource on that.
Is there a way to make NFS/inotify work together?
Unfortunately, inotify cannot work on NFS. inotify works by hooking itself in the VFS (virtual filesystem) layer, in the kernel. Whenever a modification happens, inotify knows about it, because the modification happens on the same machine, therefore in the same kernel — which makes the whole thing possible.
With NFS, modifications happen on the server, and notifications are expected on the client. But the NFS doesn't notify the clients when a change is made. Otherwise, it wouldn't scale. NFS has been designed (and operated) to have thousands of clients on a single server. Imagine if you do a tiny change, and the server has to push it to all clients!
Of course, you could say "hey, there should be a subscription mechanism in the NFS protocol, so that clients can tell the server that they want to know about changes happening in a specific location". Well, NFS was designed 30 years ago, so forgive them for not including this subscription/notification system :-)
I'm not familiar with Assetic, but maybe you could have a custom script to watch for changes manually, and re-compile assets each time you detect a change. Just walk through the directory containing the source for the assets, keep track of the mtime of each file in an associative array, and each time you detect a new file (or a new mtime), recompile. Boom!
See also this other SO question about inotify and NFS.
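One way to build the mtime-tracking watcher sketched in this answer, which also covers the NFS caveat in the inotify answer earlier on this page (added example, not code from either poster): Python that snapshots a tree, diffs snapshots, and polls on a timer. The temp-directory scenario in run_demo is constructed.

```python
"""Polling fallback where inotify cannot fire (an NFS share changed from another
host, as both answers above say): snapshot each file's (mtime, size) and diff.
NFSv3 mtimes are whole seconds, so size is tracked too; the NFS client's
attribute cache (actimeo) can also delay when a remote change becomes visible."""
import os
import tempfile
import time
def snapshot(root):  # relative path -> (mtime_ns, size) for every regular file
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except FileNotFoundError:  # vanished between listdir and stat
                continue
            state[os.path.relpath(full, root)] = (st.st_mtime_ns, st.st_size)
    return state

def diff(old, new):  # -> sorted (created, modified, deleted) path lists
    created = sorted(p for p in new if p not in old)
    deleted = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return created, modified, deleted

def watch(root, on_change, interval=1.0, max_polls=None):
    """Re-snapshot every interval seconds and call on_change(created, modified,
    deleted) whenever something differs; max_polls=None polls forever."""
    prev, polls = snapshot(root), 0
    while max_polls is None or polls < max_polls:
        time.sleep(interval)
        cur = snapshot(root)
        delta = diff(prev, cur)
        if any(delta):
            on_change(*delta)
        prev, polls = cur, polls + 1

def _put(root, name, body):
    with open(os.path.join(root, name), "w") as f:
        f.write(body)

def run_demo():  # constructed scenario in a temp dir: rewrite, add, remove
    root = tempfile.mkdtemp()
    _put(root, "app.css", "a{}")
    _put(root, "old.js", "x")
    os.utime(os.path.join(root, "app.css"), (0, 0))  # stale mtime: rewrite is unambiguous
    before = snapshot(root)
    _put(root, "app.css", "a{color:red}")
    _put(root, "new.scss", "$c: red;")
    os.remove(os.path.join(root, "old.js"))
    return diff(before, snapshot(root))
```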
Here is a plugin which aims to solve this: https://github.com/mhallin/vagrant-notify-forwarder
Just install it and reload your boxes to have inotify notifications forwarded to your guest machines:
vagrant plugin install vagrant-notify-forwarder
You might be interested in this tool called Guard; it listens to the file changes made on the host OS, and then on the guest it pulls and updates those. This worked for me, and now my assets are updated almost instantaneously.
https://serverfault.com/questions/453826/vagrant-shared-folder-and-file-change-events
