Forum Debian Users Gang

Novi-cjusz · 2016-02-11 12:56:46

Zamierzam (w wolnej chwili) utworzyc implementacje kontroli ruchu na desktopie z Debianem Jessie w oparciu o:
- CGroups
- podsystem net_cls
- restrykcyjny skrypt iptables.
A wiec po kolei:

Kod:

robin@debian:~$ su
Password: 
root@debian:/home/robin# uname -a
Linux debian 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
root@debian:/home/robin# lssubsys -a 
memory
cpuset
cpu,cpuacct
devices
freezer
net_cls,net_prio
blkio
perf_event
root@debian:/home/robin# dpkg -l|grep lxc
ii  lxc                                   1:1.0.6-6+deb8u2                     amd64        Linux Containers userspace tools
root@debian:/home/robin# dpkg -l|grep cgroup-bin
ii  cgroup-bin                            0.41-6                               all          control and monitor control groups (transitional package)
root@debian:/home/robin# grep CGROUP /boot/config-`uname -r`
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
# CONFIG_CGROUP_HUGETLB is not set
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_SCHED=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NET_CLS_CGROUP=m
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CGROUP_NET_CLASSID=y
root@debian:/home/robin# find /lib/modules/`uname -r` -iname "*cgroup*"
/lib/modules/3.16.0-4-amd64/kernel/net/netfilter/xt_cgroup.ko
/lib/modules/3.16.0-4-amd64/kernel/net/sched/cls_cgroup.ko
root@debian:/home/robin# sudo modprobe cls_cgroup
root@debian:/home/robin# sudo mount -t cgroup -o net_cls none /sys/fs/cgroup/net_cls
mount: none is already mounted or /sys/fs/cgroup/net_cls,net_prio busy
root@debian:/home/robin#

Skad ten ostatni komunikat?

Kod:

 mount: none is already mounted or /sys/fs/cgroup/net_cls,net_prio busy]

uzytkownikubunt · 2016-02-11 13:00:37

2705

Ostatnio edytowany przez uzytkownikubunt (2016-12-01 01:34:19)

Novi-cjusz · 2016-02-11 13:12:07

Chyba przyczyna jest jednak inna (;-(

Kod:

root@debian:/home/robin# mount -t cgroup -o net_cls none /sys/fs/cgroup/net_cls
mount: none is already mounted or /sys/fs/cgroup/net_cls,net_prio busy
root@debian:/home/robin#

uzytkownikubunt · 2016-02-11 13:14:02

2707

Ostatnio edytowany przez uzytkownikubunt (2016-12-01 01:34:21)

Novi-cjusz · 2016-02-11 13:18:13

O,k zle zrozumialem.
Ale dalej nie mam pomyslu.

Ps. Jest topic "morfik" https://forum.dug.net.pl/viewtopic.php?id=23867&p=1
Ale czy to ten problem?

Dodatkowe info:

Kod:

root@debian:/home/robin# /sys/fs/cgroup# ls -al
bash: /sys/fs/cgroup#: No such file or directory

Wyglada na to, ze cgroups sa wlaczone:

Kod:

lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.16.0-4-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

a problem musi byc w podsystemie net_cls?

Kod:

root@debian:/home/robin# cat /proc/cgroups
#subsys_name    hierarchy    num_cgroups    enabled
cpuset    2    1    1
cpu    3    1    1
cpuacct    3    1    1
memory    0    1    0
devices    4    73    1
freezer    5    1    1
net_cls    6    1    1
blkio    7    1    1
perf_event    8    1    1
net_prio    6    1    1

Wyglada, ze podsystemy zamontowane:

Kod:

root@debian:/home/robin#  mount | grep cgroup
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)

Moduly:

Kod:

root@debian:/home/robin# zgrep -i cgroup /proc/config.gz 
gzip: /proc/config.gz: No such file or directory

i jaki z tego wniosek?

Ostatnio edytowany przez Novi-cjusz (2016-02-11 13:56:58)

morfik · 2016-02-11 14:55:07

No ten podsystem cgroups jest montowany automatycznie już i nie trzeba go ręcznie montować.

Novi-cjusz · 2016-02-11 17:03:43

Dziekuje, i zamierzam kontynuuowac nastepujaco:
Opcja pierwsza:
- utworzenie w podsystemie net_cls dwoch folderow ( Przegladarka, Multimedia )
Niestety:

Kod:

root@debian:/home/robin#  ls /sys/fs/cgroup
blkio  cpuacct        cpuset   freezer  net_cls,net_prio    perf_event
cpu    cpu,cpuacct  devices  net_cls  net_prio        systemd
root@debian:/home/robin# cd sys/fs/cgroup/net_cls
bash: cd: sys/fs/cgroup/net_cls: No such file or directory

mimo, ze posystem net_cls wydaje sie obecny i zamontowany to jest komunikat:

Kod:

root@debian:/home/robin#  ls /sys/fs/cgroup
blkio  cpuacct        cpuset   freezer  net_cls,net_prio    perf_event
cpu    cpu,cpuacct  devices  net_cls  net_prio        systemd
root@debian:/home/robin# cd sys/fs/cgroup/net_cls
bash: cd: sys/fs/cgroup/net_cls: No such file or directory

Dlaczego?
Bede musial jeszcze poczytac nt " Refer to the man page for tc to learn how to configure the traffic controller to use the handles that the net_cls adds to network packets."

Kod:

root@debian:/home/robin# apt-get install cgroup-bin
Reading package lists... Done
Building dependency tree       
Reading state information... Done
cgroup-bin is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 103 not upgraded.
root@debian:/home/robin# service cgred start
Failed to start cgred.service: Unit cgred.service failed to load: No such file or directory.
root@debian:/home/robin# service cgconfig start
Failed to start cgconfig.service: Unit cgconfig.service failed to load: No such file or directory.
root@debian:/home/robin# cat /proc/cgroups
#subsys_name    hierarchy    num_cgroups    enabled
cpuset    2    1    1
cpu    3    1    1
cpuacct    3    1    1
memory    0    1    0
devices    4    74    1
freezer    5    1    1
net_cls    6    1    1
blkio    7    1    1
perf_event    8    1    1
net_prio    6    1    1

Dlaczego cgroups nie sa wlaczone?

Opcja druga:
- kolejkowanie HTB, utworzenie class, przypisanie procesu do class.
- konfiguracja pasma:
- podzial lacza na klasy
- Ustanowienie filtrow, ktore decyduja ktory pakiet do ktorej klasy.
- restrykcyjny skrypt iptables, ktory zamyka dostep do Internetu dla wszystkiego z wyjatkiem zaakceptowanych przeze mnie klas.

Bede ogromnie wdzieczny za kazda merytoryczna uwage czy sugestie !

Ostatnio edytowany przez Novi-cjusz (2016-02-15 11:00:08)

Time (s)	Query
0.00014	SET CHARSET latin2
0.00008	SET NAMES latin2
0.00130	SELECT u., g., o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='18.227.209.218' WHERE u.id=1
0.00160	UPDATE punbb_online SET logged=1720196295 WHERE ident='18.227.209.218'
0.00075	SELECT * FROM punbb_online WHERE logged<1720195995
0.00087	SELECT topic_id FROM punbb_posts WHERE id=297376
0.00116	SELECT id FROM punbb_posts WHERE topic_id=28265 ORDER BY posted
0.00089	SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=28265 AND t.moved_to IS NULL
0.00008	SELECT search_for, replace_with FROM punbb_censoring
0.00139	SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=28265 ORDER BY p.id LIMIT 0,25
0.00156	UPDATE punbb_topics SET num_views=num_views+1 WHERE id=28265
Total query time: 0.00982 s

Forum Debian Users Gang

Ogłoszenie

#1 2016-02-11 12:56:46

Novi-cjusz - Użytkownik

Restrykcyjne iptables - krok po kroku.

Kod:

Kod:

#2 2016-02-11 13:00:37

uzytkownikubunt - Zbanowany

Re: Restrykcyjne iptables - krok po kroku.

#3 2016-02-11 13:12:07

Novi-cjusz - Użytkownik

Re: Restrykcyjne iptables - krok po kroku.

Kod:

#4 2016-02-11 13:14:02

uzytkownikubunt - Zbanowany

Re: Restrykcyjne iptables - krok po kroku.

#5 2016-02-11 13:18:13

Novi-cjusz - Użytkownik

Re: Restrykcyjne iptables - krok po kroku.

Kod:

Kod:

Kod:

Kod:

Kod:

#6 2016-02-11 14:55:07

morfik - Cenzor wirtualnego świata

Re: Restrykcyjne iptables - krok po kroku.

#7 2016-02-11 17:03:43

Novi-cjusz - Użytkownik

Re: Restrykcyjne iptables - krok po kroku.

Kod:

Kod:

Kod:

Stopka forum

Informacje debugowania