[00:01] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Remote host closed the connection
[00:07] I haven't had grsec running yet ...
[00:09] i am ready to test grsec with vserver
[00:09] the grsec patch behaves as expected?
[00:10] behaves %?
[00:10] let me look at the dictionary
[00:10] :P
[00:10] well, it does the same as grsec under 2.4.22?
[00:10] shuri@beta:/$ dmesg
[00:10] klogctl: Operation not permitted
[00:10] yes
[00:10] i am in LOW Security setting
[00:11] and it works
[00:11] LOW settings are:
[00:11] linking restrictions │
[00:11] │ fifo restrictions │
[00:11] │ random pids │
[00:11] │ enforcing nproc on execve() │
[00:11] │ restricted dmesg │
[00:11] │ random ip ids │
[00:11] │ enforced chdir("/") on chroot
[00:12] while assuring that none of your software will have any │
[00:12] │ conflicts with the additional security measures.
[00:12] hehe
[00:12] okay, give me a few minutes, I'll adapt that to c17f ...
[00:12] ok
[00:12] test a little more ...
[00:13] .. in the meantime ... especially the proc features are interesting ...
[00:22] humm
[00:22] abuo tproc
[00:22] proc
[00:22] yup?
[00:22] i got to switch to medium
[00:22] or high security
[00:23] which means?
[00:23] only got enforcing nproc on execve() in LOW feature
[00:23] okay, is there a problem?
[00:23] no
[00:23] how can i test enforcing nproc on execve() :P
[00:24] maybe someone using grsec can answer ;)
[00:25] will read the docs..
[00:26] http://www.grsecurity.net/gracldoc.htm
[00:33] mcp (~hightower@wolk-project.de) left irc: Ping timeout: 483 seconds
[00:38] http://vserver.13thfloor.at/Stuff/patch-2.4.23-pre7-c17f-grsec-1.9.12.diff.bz2
[00:39] okay, that should be the c17f version ...
[00:40] ok
[00:40] so you apply it 'on top' of the c17f ...
[00:41] ok
[00:42] humm
[00:42] troubles?
[00:42] c17f is for .22
[00:43] there is a 2.4.23-pre7 version too ;)
[00:43] http://vserver.13thfloor.at/Stuff/patch-2.4.23-pre7-c17f.diff.bz2
[00:43] ha
[00:43] :P
[00:50] compile time
[00:52] mcp (~hightower@wolk-project.de) joined #vserver.
[01:06] mcp (~hightower@wolk-project.de) left irc: Ping timeout: 492 seconds
[01:16] mcp (~hightower@wolk-project.de) joined #vserver.
[01:26] Linux beta 2.4.23-pre7-c17f with grsec
[01:31] JonB (~jon@kg184.kollegiegaarden.dk) left irc: Quit: Client exiting
[01:34] @shuri and, looks good?
[01:34] it works
[01:34] but i got to learn how grsec works
[01:38] well, learn it fast 8-)
[01:45] ken (~icechat@NS2.kasystems.com) joined #vserver.
[01:46] hi ken!
[01:46] ken (~icechat@NS2.kasystems.com) left irc: Client Quit
[02:05] unriel (~riel@riel.netop.oftc.net) left irc: Ping timeout: 480 seconds
[02:48] serving- (~serving@213.186.189.26) joined #vserver.
[02:49] serving (serving@213.186.190.15) left irc: Ping timeout: 483 seconds
[03:41] hmm, anybody interested in testing O(1) scheduler?
[04:06] aleki (~john@b59.brno.mistral.cz) joined #vserver.
[04:06] aleki (~john@b59.brno.mistral.cz) left irc: Remote host closed the connection
[05:06] netrose (~john877@cc-ubr03-24.171.20.14.charter-stl.com) left irc: Ping timeout: 492 seconds
[05:06] matta (matta@tektonic.net) joined #vserver.
[05:07] hi matt!
[05:14] hi
[05:14] must go, bye
[05:15] short visit!
[05:23] hehe
[05:34] @shuri and do you know how grsec works now?
[05:40] not really
[05:41] if i enable it
[05:41] with the gradm
[05:41] i can disable it
[05:41] cant
[05:41] and vserver does not work
[05:41] hmm, maybe the not disable is a feature ...
[05:41] but what is the issue with the vserver?
[05:42] if i enable it i cannot switch to context 1
[05:42] but i think it is because it is not well configured
[05:43] are you able to switch to any context with chcontext ?
[05:43] no
[05:43] then you probably lost the required capability ...
[05:44] yes
[05:44] but
[05:44] if i now enable it
[05:44] it works
[05:45] so it is the ACL stuff that causes that
[05:45] if you enable what?
[05:45] grsec
[05:45] # gradm -a
[05:45] Password:
[05:45] Could not open /proc/sys/kernel/grsecurity/acl
[05:45] open: Permission denied
[05:45] hehe
[05:46] hmm, what is gradm supposed to do?
[05:46] the admin for grsec
[05:46] hmm, and when you enable what? this error happens?
[05:47] Options:
[05:47] -E, --enable Enable the grsecurity ACL system
[05:47] -D, --disable Disable the grsecurity ACL system
[05:47] -P, --passwd Create password for ACL administration
[05:47] -R, --reload Reload the ACL system while in admin mod
[05:47] i got not enough permission
[05:47] okay after -E you are doomed, right?
[05:47] for vserver
[05:47] tarting the virtual server deb2
[05:47] Server deb2 is not running
[05:47] SIOCSIFADDR: Permission denied
[05:47] SIOCSIFFLAGS: Permission denied
[05:47] SIOCSIFNETMASK: Permission denied
[05:47] ACL == access control lists (for files?)
[05:48] hmm, this is network permissions ...
[05:48] nha
[05:49] the messages you copied are all network specific ...
[05:49] beta:~# gradm -E
[05:49] beta:~# vserver-stat
[05:49] vserver-stat: unable to switch in context security #1
[05:50] and if i want to disable grsec
[05:50] beta:~# gradm -D
[05:50] Password:
[05:50] Could not open /proc/sys/kernel/grsecurity/acl
[05:50] open: Permission denied
[05:50] hehe
[05:50] i cannot
[05:50] okay that I understood ...
[05:50] check if /proc/sys/kernel/grsecurity/acl exists and what are the permissions?
[05:51] ls -la /proc/sys/kernel/grsecurity/acl /proc/sys/kernel/grsecurity
[05:51] and about vserver-stat: unable to switch in context security #1?
[05:51] wait ... 1 step after the other ...
[05:52] ls -la /proc/sys/kernel/grsecurity/acl /proc/sys/kernel/grsecurity
[05:52] -rw------- 1 root root 0 Oct 11 19:14 /proc/sys/kernel/grsecurity/acl
[05:52] but
[05:52] if i enable grsec
[05:52] it disappears
[05:53] ahh okay .. that _is_ a hint ...
[05:53] let me have a look at the code ... 1 minute
[05:53] no
[05:53] it does not disappear
[05:53] but i cannot access it
[05:54] i dont understand why i cannot disable grsec
[05:54] i do what i read in the doc
[05:55] hmm, maybe the patch (rediff) isn't perfect (grsec)
[05:55] could you try with the 2.4.22 and the 'original' grsec?
[05:55] ok
[05:56] go to recompile
[05:56] got
[05:56] but let us make some tests with the context first ..
[05:56] [P] chcontext --ctx 100 ls
[05:56] mc
[05:56] beta:/usr/src# mv linux-2.4.22 linux-2.4.23
[05:56] mv: cannot create directory `linux-2.4.23': Permission denied
[05:56] dam
[05:56] chcontext --ctx 100 ls
[05:56] Can't set the new security context
[05:56] : Operation not permitted
[05:57] [P] strace chcontext --ctx 100 ls
[05:57] arff i cannot install strace
[05:57] dpkg: error processing /var/cache/apt/archives/strace_4.4-1.2_i386.deb (--unpack):
[05:58] error creating directory `./usr/share/doc/strace': Permission denied
[05:58] dam
[05:58] lol
[05:58] it's pretty secure ;)
[05:59] server-stat
[05:59] CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME DESCRIPTION
[05:59] 0 21 25MB 2kB m02.70 m10.75 m34.37 root server
[06:00] looks good ..
[06:00] when i do not start gradm -E
[06:00] okay so the ACL enable screws up the system ...
[06:01] -CAP_SYS_TTY_CONFIG
[06:01] -CAP_LINUX_IMMUTABLE
[06:01] -CAP_NET_RAW
[06:01] -CAP_MKNOD
[06:01] -CAP_SYS_ADMIN
[06:01] -CAP_SYS_RAWIO
[06:01] -CAP_SYS_MODULE
[06:01] -CAP_SYS_PTRACE
[06:01] -CAP_NET_ADMIN
[06:01] -CAP_NET_BIND_SERVICE
[06:01] -CAP_SYS_CHROO
[06:02] okay check the acl stuff between 2.4.22-grsec and 2.4.23-grsec ... if this shows differences in behaviour, something _is_ wrong ...
[06:03] forget about the c17f for the moment ...
[06:04] ok
[06:06] well i will not do this tonight
[06:06] no problem, do whenever you like ...
[06:13] alekibango (~john@62.245.97.59) left irc: Remote host closed the connection
[06:41] Bertl you there
[06:41] yep!
[06:42] i am running ctx18 pre1 from jacques and it works fine
[06:42] why do you not work with this patch?
[06:42] because it introduces at least two buggy things ... and one new thing we do not know about ...
[06:43] the memory limits are implemented wrong ...
[06:43] the chsaferoot() we do not know about ...
[06:43] we got to test to know :P
[06:44] well vserver in vserver does not work
[06:44] it adds also two new syscalls, where we are trying to reduce the existing two to one ...
[06:44] ok
[06:44] it is funny for experimental things ... and we probably will include the chsaferoot() soon ...
[06:45] very funny lol
[06:45] you are funny too
[06:45] :)
[06:45] hmm, why's that?
[06:46] just kidding
[06:46] ah okay ... so I can take my red nose off now 8-)
[06:46] no
[06:47] New security context is 5
[06:47] Kernel do not support chrootsafe(), using chroot()
[06:47] usr/sbin/vserver: line 708: 6964 Illegal instruction $CHBIND_CMD $SILENT $IPOPT --bcast $IPROOTBCAST $CHCONTEXT_CMD $SILENT $FLAGS $CAPS --secure $CTXOPT $HOSTOPT $DOMAINOPT $SAVE_S_CONTEXT_CMD /var/run/vservers/$VSERVER.ctx $CAPCHROOT_CMD --suid $USERID $CHROOTOPT . "$@"
[06:47] i try to enter a gentoo vserver
[06:48] with c17f now?
[06:48] yes
[06:49] hmm, what platform is this?
[06:49] debian i386
[06:49] hmm, illegal instruction is funny ,...
[06:50] is this reproducible?
[06:50] ?
[06:50] can you repeat it?
[06:50] yes
[06:51] if i try to start the gentoo
[06:51] Can't execute /etc/rc.d/rc (No such file or directory)
[06:51] if i try to enter
[06:51] i got the error
[06:52] hmm, illegal instruction means that one of the userspace programs is bad (or the syscall has some bad instruction)
[06:52] have a look at the syslog ...
[06:52] a kernel fault, should produce a stack trace ... (something like an oops)
[06:52] nothing
[06:52] tail -f /var/log/syslog
[06:52] okay then it's userspace ...
[06:53] lets check the tools ... one after the other ...
[06:53] but it only does this with gentoo
[06:53] gentoo vserver
[06:53] no, I assume it is some option in the conf file ...
[06:54] i run debian vserver, redhat and suse without this error
[06:54] could you try to change those options a little ...
[06:54] how can i fix Can't execute /etc/rc.d/rc (No such file or directory)
[06:54] fakeroot?
[06:54] modify .. /etc/vservers/.conf
[06:55] yhaw i know
[06:55] IPROOTDEV=
[06:55] ONBOOT=yes
[06:55] S_NICE=""
[06:55] S_FLAGS="lock nproc"
[06:55] ULIMIT="-H -u 256 -n 1024"
[06:55] S_CAPS="CAP_NET_RAW
[06:55] a missing "?
[06:55] no
[06:55] cut and paste issue
[06:56] okay the other "working" servers?
[06:56] yes
[06:56] how does the config file look for them?
[06:56] it is the same conf
[06:57] hmm, so maybe the fakeinit produces the illegal instruction?
[06:57] or whatever is started inside the server ...
[06:57] Can't execute /etc/rc.d/rc (No such file or directory)
[06:57] so it cannot start
[06:57] there is no rc in gentoo
[06:58] netrose (~john877@cc-ubr03-24.171.20.14.charter-stl.com) joined #vserver.
[06:58] hmm, I've read something about that on one of our docu wikis ...
[06:58] and somebody mentioned adapting something for gentoo ...
[06:59] ok
[06:59] ln -s runlevel/ /etc/init.d
[06:59] not working
[06:59] i tried it
[07:00] From: Jesper FA <424242424242424242@j-f.dk>
[07:00] look for this mail ...
[07:01] Message-Id: <200309191443.59674.424242424242424242@j-f.dk>
[07:01] it has a modified vserver script to start gentoo servers ...
[07:02] got it
[07:32] and, does it work?
[07:57] mdaur__ (mdaur@p509163A6.dip.t-dialin.net) joined #vserver.
[08:04] mdaur_ (mdaur@p509150C1.dip.t-dialin.net) left irc: Ping timeout: 483 seconds
[08:30] Nick change: Bertl -> Bertl_zZ
[08:55] shuri (~ipv6@cpu183.adsl.qc.bellglobal.com) left irc: Read error: Connection reset by peer
[10:50] Big__John (~Big___Joh@208.34.109.171) joined #vserver.
[10:50] Big__John (~Big___Joh@208.34.109.171) left irc: Quit: Client exiting
[11:25] JonB (~jon@kg184.kollegiegaarden.dk) joined #vserver.
[11:25] pruuuh
[11:43] JonB (~jon@kg184.kollegiegaarden.dk) left irc: Quit: Client exiting
[11:43] JonB (~jon@kg184.kollegiegaarden.dk) joined #vserver.
[13:24] mhepp (~mhepp@213.211.38.19) joined #vserver.
[14:17] JonB (~jon@kg184.kollegiegaarden.dk) left irc: Quit: Client exiting
[14:40] mcp (~hightower@wolk-project.de) left irc: Ping timeout: 483 seconds
[14:49] mcp (~hightower@wolk-project.de) joined #vserver.
[15:24] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) left irc: Ping timeout: 492 seconds
[15:25] mcp (~hightower@wolk-project.de) left irc: Ping timeout: 492 seconds
[15:40] mcp (~hightower@wolk-project.de) joined #vserver.
[16:17] Hi all :)
[16:17] v_sshd and other scripts are part of what package ?
[16:22] how can I get them and if I have them already ;) then where are they :))
[16:25] nm
[16:25] they are in /etc/rc.d/init.d
[16:28] JonB (~jon@kg184.kollegiegaarden.dk) joined #vserver.
[16:44] mhepp (~mhepp@213.211.38.19) left irc: Remote host closed the connection
[17:35] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) joined #vserver.
[17:37] hey kloo
[17:55] hi JonB.
[19:12] JonB (~jon@kg184.kollegiegaarden.dk) left irc: Quit: Client exiting
[20:08] shadow (shadow@217.106.90.251) joined #vserver.
[20:08] Hi all
[20:09] Nick change: Medivh -> _DasTier
[20:15] shadow
[20:15] big problem
[20:15] HUGE
[20:15] i really need your help
[20:23] shuri (~ipv6@cpu183.adsl.qc.bellglobal.com) joined #vserver.
[20:25] Nick change: _DasTier -> Medivh
[20:28] netrose (~john877@cc-ubr03-24.171.20.14.charter-stl.com) left irc: Ping timeout: 492 seconds
[20:30] llamer_ (~lm@mail.kolej.mff.cuni.cz) joined #vserver.
[20:39] llamer_ (~lm@mail.kolej.mff.cuni.cz) left #vserver.
[20:54] Nick change: Bertl_zZ -> Bertl
[20:55] hi all!
[20:55] Hi Herbert
[20:55] hi alex!
[20:56] I was thinking about the inodes without quota ops ...
[20:56] maybe this actually is some quota bug ...
[20:58] JonB (~jon@kg184.kollegiegaarden.dk) joined #vserver.
[21:03] i want to ask Matt to add some debug lines to quotaops.h to show which inodes do not have quota ops.
[21:03] and? found anything?
[21:04] yes.
[21:04] first all virtual filesystems like proc etc ...
[21:06] but all quota calls first check whether quota is initialised for that inode, except this clear_inode function..
[21:08] well, what I think is that DQUOT_INIT is called somewhere ... and sets the S_QUOTA flag ... but the quota ops are either not present or removed later without resetting the S_QUOTA ...
[21:09] quota_drop removes S_QUOTA...
[21:11] anybody interested in testing O(1) scheduler?
[21:11] for c17x ?
[21:11] yes, i would
[21:11] not yet, but 2.4.23-pre7 ;)
[21:11] oh
[21:11] Bertl> You merged the part from Sam's patches ?
[21:11] well it's the base for a ctx version ...
[21:12] @shadow no, I merged andreas' version ...
[21:12] basically the ingo scheduler ...
[21:12] life sucks sometimes
[21:13] i can't even comprehend how the server went from fine to this oddball error
[21:13] http://vserver.13thfloor.at/Stuff/patch-2.4.23-pre7-O1.diff.bz2
[21:13] if somebody is interested in testing ...
[21:13] i'm in a high stress situation right now.
[21:13] what are the differences between andreas' and Sam's patches for the O(1) scheduler ?
[21:14] @shadow don't really know ... I was looking for a minimal solution, minimum changes outside the scheduler ...
[21:14] now I have the list_t, runqueue and bitops, and of course the scheduler ...
[21:17] shadow: any other ideas?
[21:17] isp says they will not be able to read the errno for me
[21:18] Action: shadow celebrates his birthday
[21:18] happy birthday!
[21:18] @shadow congrats!
[21:18] thnx :)
[21:18] how old?
[21:18] hey, it's mine too
[21:19] 27 years old..
[21:19] 29
[21:19] @jon congrats too! (the chances are good for this)
[21:19] Bertl: the chances are good for this??????????????
[21:19] JonB my celebrations for you.
[21:19] shadow: thanks, and congratulations to you too
[21:22] two people celebrating on the same day ...
[21:23] Bertl: yeah, what are the odds for that
[21:24] with 50 people you have a 97% chance ;)
[21:24] not the same.. mine is the 8th of October.. but celebrating with family currently..
[21:24] Bertl: we aren't 50 in here
[21:24] shadow: cheater
[21:24] with 22 people already 50% ...
[21:24] it's something you would not expect ...
[21:25] for that i returned from sevastopol to taganrog for a few days...
[21:25] Bertl: true, i wouldn't
[21:25] Bertl: how do you calculate it ?
[21:26] i assume births are distributed evenly around the year
[21:26] probability/statistics ... you want a formula?
[21:26] yeah
[21:26] with explanation?
[21:27] Bertl: yes please
[21:27] okay .. assume you have n people ...
[21:27] with different birthdays ...
[21:27] now the (n+1)th comes along ...
[21:28] the probability for him/her to have a different birthday is (365-n)/365
[21:28] for N people those inverse probabilities multiply ...
[21:29] so you get 365 x 364 x ... (365-N) / 365^N
[21:29] and the probability for having the same birthday then is
[21:30] 1 - (365 p N)/365^N
[21:30] what is p ?
[21:31] P^365_N == (365 p N) == (365 x 364 x ... (365 - N + 1) x (365 - N)
[21:31] the permutation ...
[21:31] okay
[21:32] you could also calc 365!/(365-N)! ...
[21:32] :)
[21:32] actually the (365-N) term is wrong *G*
[21:32] (365 x 364 x ... (365 - N + 1) is right ...
[21:33] so for example for 50 people you get 1- 365!/316!/365^50
[21:34] which is ~ 97% ...
[21:35] hmm, confused?
[21:35] Bertl: no
[21:35] ahh, good then ...
[21:35] Bertl: your explanation makes sense
[21:35] though i haven't calculated it myself
[21:36] if you have to estimate such probabilities you are almost always wrong ;)
[21:37] unfortunately the same is valid for system failures ;)
[21:38] hehe
[21:47] @alex but I'm going to use a mix of Sam's ctx17 port and your scheduler stuff ...
[21:48] well. i want to sleep.. 12 hours travel in bus.. it's hard..
[21:48] @alex well then have a good night ... or whatever ;)
[21:49] thanx :)
[21:52] shadow (shadow@217.106.90.251) left irc: Quit: укосолапил
[21:54] mcp (~hightower@wolk-project.de) left irc: Excess Flood
[21:54] mcp (~hightower@wolk-project.de) joined #vserver.
[21:55] hi marc!
[22:13] alekibango (~john@b59.brno.mistral.cz) joined #vserver.
[22:23] netrose (~john877@cc-ubr03-24.171.20.14.charter-stl.com) joined #vserver.
[22:24] didn't rik say he was gonna release a better rmap in a few weeks?
[22:24] ..a few weeks ago
[22:37] @matt yeah, but it seems rik is very busy now ;)
[23:14] you played with xen at all?
[23:14] according to those guys you can run vserver on top of xen
[23:15] heard so .. but I don't see the advantage yet ...
[23:15] anyway, if they are interested in vservers I'm willing to help them keep those patches up to date ...
[23:27] matta: the -rmap code is still being tuned ;)
[23:27] hopefully not D-minor ;)
[23:28] (and to my luck, mcp is helping)
[23:28] @riel what did you promise him?
[23:28] whom ?
[23:29] mcp?
[23:29] I already gave him the first patch to test
[00:00] --- Mon Oct 13 2003