Hello!

I have some random and some unrandom questions about Pound. First of all how
do you acctually create a working chrootjail for it? I did some work in the
area and found this out:

Install pound in some way (yum install pound, apt-get install pound etc).

Create the folder for the chrootjail:

mkdir /var/pound/

Create a structure for pound to work within:

mkdir /var/pound/etc/
mkdir /var/pound/dev/
mkdir /var/pound/log/
mkdir /var/pound/lib/

Then copy the libs needed (it is here I'm not sure!)

cp /lib/libgcc_s* /var/pound/lib
cp /lib/libnss_dns* /var/pound/lib

Create the following devices (I'm not sure on the "log" device)

mknod -m 0644 /var/pound/dev/random c 1 8
mknod -m 0644 /var/pound/dev/urandom c 1 9
mknod -m 0666 /var/pound/dev/null c 1 3

Move the default config

mv /etc/pound.cfg /var/pound/etc
ln -s /var/pound/etc/pound.cfg /etc/pound.cfg

Optional create a foundation for some random stuff
mkdir /var/pound/var
touch /var/pound/var/err500.html
touch /var/pound/var/err503.html
touch /var/pound/var/err414.html

edit the config
RootJail /var/pound
User "nobody"
Group "nobody"
Control "/var/pound/pound.ctl"
LogFacility local1
LogLevel 0
TimeOut 60
Alive 10
DynScale 1

========
Now to some problems:
Im getting segfaults when running poundctl

poundctl -c /var/run/pound.ctl
 0. http Listener 0.0.0.0:0 a
   0. Service active (0)
     0. Backend (UNKNOWN):0 active (0 0.000 sec) DEAD
Segmentation fault

The main pound works fine but the poundctl is giving me trouble.

kernel: poundctl[14473]: segfault at 0000000000000000 rip 0000000000000000
rsp 00007fff6435dff0 error 14

What did I do wrong :D?

Also is there a more comperhensive guide on howto create a chrootjail for
pound? I think I did get it to work but there are no good reading in that
area.

In my experience, segfaults in poundctl are almost always caused by the binary
for poundctl and pound being compiled from different versions or architectures…
Internally the protocol is basically a binary representation of the memory used
in pound… So if you use a 32bit poundctl with a 64bin pound, or poundctl from a
different version, it’s very likely the internal structures don’t match and
badness will ensue.

See other comments inline.

Joe

From: Joakim Dellrud [mailto:blandia(at)gmail.com]
Sent: Wednesday, April 20, 2011 10:57 AM
To: pound(at)apsis.ch
Subject: [Pound Mailing List] Trouble with Poundctl and segfaults

Hello!

I have some random and some unrandom questions about Pound. First of all how do
you acctually create a working chrootjail for it? I did some work in the area
and found this out:

Install pound in some way (yum install pound, apt-get install pound etc).

Create the folder for the chrootjail:
mkdir /var/pound/

Create a structure for pound to work within:
mkdir /var/pound/etc/
mkdir /var/pound/dev/
mkdir /var/pound/log/
mkdir /var/pound/lib/
Then copy the libs needed (it is here I'm not sure!)
cp /lib/libgcc_s* /var/pound/lib
cp /lib/libnss_dns* /var/pound/lib

I’d do /lib/libnss_*, also libresolv*


Create the following devices (I'm not sure on the "log" device)

mknod -m 0644 /var/pound/dev/random c 1 8
mknod -m 0644 /var/pound/dev/urandom c 1 9
mknod -m 0666 /var/pound/dev/null c 1 3
For /dev/log, you want to tell your syslogd to create an additional socket…
syslogd –a /var/pound/dev/log, an additional socket for syslog-ng, or
$AddUnixListenSocket for rsyslogd.  (from outside chroot)

Move the default config

mv /etc/pound.cfg /var/pound/etc
ln -s /var/pound/etc/pound.cfg /etc/pound.cfg

You probably want a rudimentary group and passwd file in /etc…
Other files you’ll want: host.conf, hosts, ld.so.conf, localtime,
nsswitch.conf, resolv.conf

Optional create a foundation for some random stuff
mkdir /var/pound/var
touch /var/pound/var/err500.html
touch /var/pound/var/err503.html
touch /var/pound/var/err414.html
edit the config
RootJail /var/pound
User "nobody"
Group "nobody"
Control "/var/pound/pound.ctl"
LogFacility local1
LogLevel 0
TimeOut 60
Alive 10
DynScale 1

Once you’ve completed all that do a ldconfig –r /var/pound to update the
ld.so.cache file.
Be sure to change the file permissions so the pound user can only read, not
write.
You might also consider setting immutable bits on files the daemon will never
change (which would be everything), using chattr.


Now to some problems:
Im getting segfaults when running poundctl

poundctl -c /var/run/pound.ctl
 0. http Listener 0.0.0.0:0<http://0.0.0.0:0> a
   0. Service active (0)
     0. Backend (UNKNOWN):0 active (0 0.000 sec) DEAD
Segmentation fault

The main pound works fine but the poundctl is giving me trouble.
kernel: poundctl[14473]: segfault at 0000000000000000 rip 0000000000000000 rsp
00007fff6435dff0 error 14

What did I do wrong :D?

Also is there a more comperhensive guide on howto create a chrootjail for
pound? I think I did get it to work but there are no good reading in that area.

Thank you for the comments, one problem is that my pound is not installed
per make ;) and when writing this I'm seeing what I did wrong... Perhaps it
would be smart to acc have the binary in the correct folder to. With the
correct arch.

In any case thank you for the input!

Thirdly, is there a good way to for instance use cacti to graph certain
points of data as, per streams to each and every backend? Like speed or hit?
I'm looking to watch over the amount of connections each backend recives
from the frontend. What I'm looking for is "a simple way" to output data as
per my skilled script:

#!/bin/bash
echo -ne "Active backends: "
poundctl -c /var/lib/pound/pound.ctl | grep Backend | wc -l



2011/4/20 Joe Gooch <mrwizard(at)k12system.com>

>  In my experience, segfaults in poundctl are almost always caused by the
> binary for poundctl and pound being compiled from different versions or
> architectures… Internally the protocol is basically a binary representation
> of the memory used in pound… So if you use a 32bit poundctl with a 64bin
> pound, or poundctl from a different version, it’s very likely the internal
> structures don’t match and badness will ensue.
>
>
>
> See other comments inline.
>
>
>
> Joe
>
>
>
> *From:* Joakim Dellrud [mailto:blandia(at)gmail.com]
> *Sent:* Wednesday, April 20, 2011 10:57 AM
> *To:* pound(at)apsis.ch
> *Subject:* [Pound Mailing List] Trouble with Poundctl and segfaults
>
>
>
> Hello!
>
> I have some random and some unrandom questions about Pound. First of all
> how do you acctually create a working chrootjail for it? I did some work in
> the area and found this out:
>
> Install pound in some way (yum install pound, apt-get install pound etc).
>
> Create the folder for the chrootjail:
>
> mkdir /var/pound/
>
>
> Create a structure for pound to work within:
>
> mkdir /var/pound/etc/
> mkdir /var/pound/dev/
> mkdir /var/pound/log/
> mkdir /var/pound/lib/
>
> Then copy the libs needed (it is here I'm not sure!)
>
> cp /lib/libgcc_s* /var/pound/lib
> cp /lib/libnss_dns* /var/pound/lib
>
>
>
> I’d do /lib/libnss_*, also libresolv*
>
>
>
>
> Create the following devices (I'm not sure on the "log" device)
>
>
> mknod -m 0644 /var/pound/dev/random c 1 8
> mknod -m 0644 /var/pound/dev/urandom c 1 9
> mknod -m 0666 /var/pound/dev/null c 1 3
>
> For /dev/log, you want to tell your syslogd to create an additional socket…
> syslogd –a /var/pound/dev/log, an additional socket for syslog-ng, or
> $AddUnixListenSocket for rsyslogd.  (from outside chroot)
>
>
>
> Move the default config
>
>
> mv /etc/pound.cfg /var/pound/etc
> ln -s /var/pound/etc/pound.cfg /etc/pound.cfg
>
>
>
> You probably want a rudimentary group and passwd file in /etc…
>
> Other files you’ll want: host.conf, hosts, ld.so.conf, localtime,
> nsswitch.conf, resolv.conf
>
>
>
> Optional create a foundation for some random stuff
>
> mkdir /var/pound/var
> touch /var/pound/var/err500.html
> touch /var/pound/var/err503.html
> touch /var/pound/var/err414.html
>
> edit the config
>
> RootJail /var/pound
> User "nobody"
> Group "nobody"
> Control "/var/pound/pound.ctl"
> LogFacility local1
> LogLevel 0
> TimeOut 60
> Alive 10
> DynScale 1
>
>
>
> Once you’ve completed all that do a ldconfig –r /var/pound to update the
> ld.so.cache file.
>
> Be sure to change the file permissions so the pound user can only read, not
> write.
>
> You might also consider setting immutable bits on files the daemon will
> never change (which would be everything), using chattr.
>
>
>
>
> Now to some problems:
> Im getting segfaults when running poundctl
>
>
>
> poundctl -c /var/run/pound.ctl
>  0. http Listener 0.0.0.0:0 a
>    0. Service active (0)
>      0. Backend (UNKNOWN):0 active (0 0.000 sec) DEAD
> Segmentation fault
>
>
> The main pound works fine but the poundctl is giving me trouble.
>
> kernel: poundctl[14473]: segfault at 0000000000000000 rip 0000000000000000
> rsp 00007fff6435dff0 error 14
>
>
> What did I do wrong :D?
>
> Also is there a more comperhensive guide on howto create a chrootjail for
> pound? I think I did get it to work but there are no good reading in that
> area.
>

Nothing official that I know of.

I have a cronjob that runs:

TS=$(date +"%Y%m%d.%H%M")
POUNDCTL=/usr/bin/poundctl

$POUNDCTL -f -X -c /var/pound/poundcontrol.sock > /opt/poundstats/live-$TS &&
ln -f /opt/poundstats/live-$TS /opt/poundstats/live-current

Every minute… And then other perl scripts that will read into those saved files
with XML::Parser and extract the stats I want.
Then I run the stats out to rrd’s and generate PNGs.

But it’s all specific to my environment.

Joe

From: Joakim Dellrud [mailto:blandia(at)gmail.com]
Sent: Wednesday, April 20, 2011 1:34 PM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Trouble with Poundctl and segfaults

Thank you for the comments, one problem is that my pound is not installed per
make ;) and when writing this I'm seeing what I did wrong... Perhaps it would
be smart to acc have the binary in the correct folder to. With the correct
arch.

In any case thank you for the input!

Thirdly, is there a good way to for instance use cacti to graph certain points
of data as, per streams to each and every backend? Like speed or hit? I'm
looking to watch over the amount of connections each backend recives from the
frontend. What I'm looking for is "a simple way" to output data as per my
skilled script:

#!/bin/bash
echo -ne "Active backends: "
poundctl -c /var/lib/pound/pound.ctl | grep Backend | wc -l



2011/4/20 Joe Gooch
<mrwizard(at)k12system.com<mailto:mrwizard(at)k12system.com>>
In my experience, segfaults in poundctl are almost always caused by the binary
for poundctl and pound being compiled from different versions or architectures…
Internally the protocol is basically a binary representation of the memory used
in pound… So if you use a 32bit poundctl with a 64bin pound, or poundctl from a
different version, it’s very likely the internal structures don’t match and
badness will ensue.

See other comments inline.

Joe

From: Joakim Dellrud [mailto:blandia(at)gmail.com<mailto:blandia(at)gmail.com>]
Sent: Wednesday, April 20, 2011 10:57 AM
To: pound(at)apsis.ch<mailto:pound(at)apsis.ch>
Subject: [Pound Mailing List] Trouble with Poundctl and segfaults

Hello!

I have some random and some unrandom questions about Pound. First of all how do
you acctually create a working chrootjail for it? I did some work in the area
and found this out:

Install pound in some way (yum install pound, apt-get install pound etc).

Create the folder for the chrootjail:
mkdir /var/pound/

Create a structure for pound to work within:
mkdir /var/pound/etc/
mkdir /var/pound/dev/
mkdir /var/pound/log/
mkdir /var/pound/lib/
Then copy the libs needed (it is here I'm not sure!)
cp /lib/libgcc_s* /var/pound/lib
cp /lib/libnss_dns* /var/pound/lib

I’d do /lib/libnss_*, also libresolv*


Create the following devices (I'm not sure on the "log" device)

mknod -m 0644 /var/pound/dev/random c 1 8
mknod -m 0644 /var/pound/dev/urandom c 1 9
mknod -m 0666 /var/pound/dev/null c 1 3
For /dev/log, you want to tell your syslogd to create an additional socket…
syslogd –a /var/pound/dev/log, an additional socket for syslog-ng, or
$AddUnixListenSocket for rsyslogd.  (from outside chroot)

Move the default config

mv /etc/pound.cfg /var/pound/etc
ln -s /var/pound/etc/pound.cfg /etc/pound.cfg

You probably want a rudimentary group and passwd file in /etc…
Other files you’ll want: host.conf, hosts, ld.so.conf, localtime,
nsswitch.conf, resolv.conf

Optional create a foundation for some random stuff
mkdir /var/pound/var
touch /var/pound/var/err500.html
touch /var/pound/var/err503.html
touch /var/pound/var/err414.html
edit the config
RootJail /var/pound
User "nobody"
Group "nobody"
Control "/var/pound/pound.ctl"
LogFacility local1
LogLevel 0
TimeOut 60
Alive 10
DynScale 1

Once you’ve completed all that do a ldconfig –r /var/pound to update the
ld.so.cache file.
Be sure to change the file permissions so the pound user can only read, not
write.
You might also consider setting immutable bits on files the daemon will never
change (which would be everything), using chattr.


Now to some problems:
Im getting segfaults when running poundctl

poundctl -c /var/run/pound.ctl
 0. http Listener 0.0.0.0:0<http://0.0.0.0:0/> a
   0. Service active (0)
     0. Backend (UNKNOWN):0 active (0 0.000 sec) DEAD
Segmentation fault

The main pound works fine but the poundctl is giving me trouble.
kernel: poundctl[14473]: segfault at 0000000000000000 rip 0000000000000000 rsp
00007fff6435dff0 error 14

What did I do wrong :D?

Also is there a more comperhensive guide on howto create a chrootjail for
pound? I think I did get it to work but there are no good reading in that area.

Yeah was looking for something to use via the cacti server and parse there
but the output of poundctl will do
Den 20 apr 2011 20.07 skrev "Joe Gooch" <mrwizard(at)k12system.com>:
>
> Nothing official that I know of.
>
>
>
> I have a cronjob that runs:
>
>
>
> TS=$(date +"%Y%m%d.%H%M")
>
> POUNDCTL=/usr/bin/poundctl
>
>
>
> $POUNDCTL -f -X -c /var/pound/poundcontrol.sock > /opt/poundstats/live-$TS
&& ln -f /opt/poundstats/live-$TS /opt/poundstats/live-current
>
>
>
> Every minute… And then other perl scripts that will read into those saved
files with XML::Parser and extract the stats I want.
>
> Then I run the stats out to rrd’s and generate PNGs.
>
>
>
> But it’s all specific to my environment.
>
>
>
> Joe
>
>
>
> From: Joakim Dellrud [mailto:blandia(at)gmail.com]
> Sent: Wednesday, April 20, 2011 1:34 PM
> To: pound(at)apsis.ch
> Subject: Re: [Pound Mailing List] Trouble with Poundctl and segfaults
>
>
>
> Thank you for the comments, one problem is that my pound is not installed
per make ;) and when writing this I'm seeing what I did wrong... Perhaps it
would be smart to acc have the binary in the correct folder to. With the
correct arch.
>
>
>
> In any case thank you for the input!
>
>
>
> Thirdly, is there a good way to for instance use cacti to graph certain
points of data as, per streams to each and every backend? Like speed or hit?
I'm looking to watch over the amount of connections each backend recives
from the frontend. What I'm looking for is "a simple way" to output data as
per my skilled script:
>
>
> #!/bin/bash
> echo -ne "Active backends: "
> poundctl -c /var/lib/pound/pound.ctl | grep Backend | wc -l
>
>
>
>
>
>
> 2011/4/20 Joe Gooch <mrwizard(at)k12system.com>
>
> In my experience, segfaults in poundctl are almost always caused by the
binary for poundctl and pound being compiled from different versions or
architectures… Internally the protocol is basically a binary representation
of the memory used in pound… So if you use a 32bit poundctl with a 64bin
pound, or poundctl from a different version, it’s very likely the internal
structures don’t match and badness will ensue.
>
>
>
> See other comments inline.
>
>
>
> Joe
>
>
>
> From: Joakim Dellrud [mailto:blandia(at)gmail.com]
> Sent: Wednesday, April 20, 2011 10:57 AM
> To: pound(at)apsis.ch
> Subject: [Pound Mailing List] Trouble with Poundctl and segfaults
>
>
>
> Hello!
>
> I have some random and some unrandom questions about Pound. First of all
how do you acctually create a working chrootjail for it? I did some work in
the area and found this out:
>
> Install pound in some way (yum install pound, apt-get install pound etc).
>
> Create the folder for the chrootjail:
>
> mkdir /var/pound/
>
>
> Create a structure for pound to work within:
>
> mkdir /var/pound/etc/
> mkdir /var/pound/dev/
> mkdir /var/pound/log/
> mkdir /var/pound/lib/
>
> Then copy the libs needed (it is here I'm not sure!)
>
> cp /lib/libgcc_s* /var/pound/lib
> cp /lib/libnss_dns* /var/pound/lib
>
>
>
> I’d do /lib/libnss_*, also libresolv*
>
>
>
>
> Create the following devices (I'm not sure on the "log" device)
>
>
> mknod -m 0644 /var/pound/dev/random c 1 8
> mknod -m 0644 /var/pound/dev/urandom c 1 9
> mknod -m 0666 /var/pound/dev/null c 1 3
>
> For /dev/log, you want to tell your syslogd to create an additional
socket… syslogd –a /var/pound/dev/log, an additional socket for syslog-ng,
or $AddUnixListenSocket for rsyslogd.  (from outside chroot)
>
>
>
> Move the default config
>
>
> mv /etc/pound.cfg /var/pound/etc
> ln -s /var/pound/etc/pound.cfg /etc/pound.cfg
>
>
>
> You probably want a rudimentary group and passwd file in /etc…
>
> Other files you’ll want: host.conf, hosts, ld.so.conf, localtime,
nsswitch.conf, resolv.conf
>
>
>
> Optional create a foundation for some random stuff
>
> mkdir /var/pound/var
> touch /var/pound/var/err500.html
> touch /var/pound/var/err503.html
> touch /var/pound/var/err414.html
>
> edit the config
>
> RootJail /var/pound
> User "nobody"
> Group "nobody"
> Control "/var/pound/pound.ctl"
> LogFacility local1
> LogLevel 0
> TimeOut 60
> Alive 10
> DynScale 1
>
>
>
> Once you’ve completed all that do a ldconfig –r /var/pound to update the
ld.so.cache file.
>
> Be sure to change the file permissions so the pound user can only read,
not write.
>
> You might also consider setting immutable bits on files the daemon will
never change (which would be everything), using chattr.
>
>
>
>
> Now to some problems:
> Im getting segfaults when running poundctl
>
>
>
> poundctl -c /var/run/pound.ctl
>  0. http Listener 0.0.0.0:0 a
>    0. Service active (0)
>      0. Backend (UNKNOWN):0 active (0 0.000 sec) DEAD
> Segmentation fault
>
>
> The main pound works fine but the poundctl is giving me trouble.
>
> kernel: poundctl[14473]: segfault at 0000000000000000 rip 0000000000000000
rsp 00007fff6435dff0 error 14
>
>
> What did I do wrong :D?
>
> Also is there a more comperhensive guide on howto create a chrootjail for
pound? I think I did get it to work but there are no good reading in that
area.
>
>