[00:38] Nick change: riel -> unriel
[02:11] JonB (~jon@194.239.210.194) left irc: Quit: Client exiting
[04:08] Nick change: Bertl -> Bertl_zZ
[06:55] ensc (~ircensc@134.109.116.202) left irc: Ping timeout: 493 seconds
[10:55] infowolfe (infowolfe@68.33.215.209) left irc: Read error: Connection reset by peer
[11:54] JonB (~jon@129.142.112.33) joined #vserver.
[13:17] serving (~serving@213.186.190.222) left irc: Ping timeout: 492 seconds
[13:20] infowolfe (infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[15:23] ccooke (~ccooke@80.1.164.238) joined #vserver.
[17:37] serving (~serving@213.186.191.106) joined #vserver.
[17:58] Nick change: Bertl_zZ -> Bertl
[17:59] hi all!
[18:01] hi chip!
[18:05] Hi Bertl
[18:07] hi!
[18:08] how are you?
[18:09] hey Bertl
[18:09] hi Jon! how are you too?
[18:10] Bertl: I am a little worried about sharing ip addresses between vservers...
[18:11] Bertl: imagine a hostile person finding a vserver facility that shares an ip address
[18:11] hmm sharing is good ;) but why for vserver IPs?
[18:12] Bertl: imagine that on this ip address in another vserver is a website running apache and some pay software
[18:12] Bertl: this hostile person mirrors this website, and waits until he/she can start apache inside his vserver
[18:12] Bertl: and serves the false website
[18:13] terrible, who would do such bad things? 8-)
[18:13] Bertl: then the apache in the other vserver can not start
[18:13] Bertl: evil FreeBSD people (a friend did this to me)
[18:13] Bertl: just to point out the problem
[18:14] Bertl: i don't have a pay website, but i do have a website
[18:15] Bertl: my suggestion would be to include in the .conf file which ports under 1024 this particular vserver is allowed to connect to
[18:18] JonB (~jon@129.142.112.33) left irc: Quit: Client exiting
[18:20] Action: Bertl is waiting for jon to come back ...
[19:01] JonB (~jon@129.142.112.33) joined #vserver.
[19:01] Bertl: so, that ip thingy
[19:01] just a moment ...
[19:23] okay ...
[19:23] Bertl: okay :)
[19:23] what advantage would a listing of ports give you, if both servers would list 80 as allowed ports?
[19:24] Bertl: the idea is that both servers would not list the ports
[19:24] Bertl: maybe we should do it the other way. Make a list of ports in a file, and then after the port number, the name of the vserver
[19:25] well, if both servers have different ips there would be no problem, right?
[19:25] Bertl: correct
[19:25] Bertl: the problem is if they share an ip
[19:26] Bertl: and it isn't just web, it is email too
[19:27] okay, why would you share one ip between two 'different' (maybe 'rivaling') vservers?
[19:27] Bertl: if you only have one ip ?
[19:28] you would set up port forwarding and do a local network ... right?
[19:28] Bertl: why ?
[19:28] Bertl: that would cost resources
[19:28] this way you can give port 80 to the vserver of your choice ...
[19:28] Bertl: and i'd like to squeeze it dry
[19:28] iptables and netfilter don't need that much resources?!
[19:29] Bertl: true, not that much
[19:29] but they are resources nonetheless
[19:29] and there is always a tradeoff ...
[19:29] checking for 1024 ports on each bind/connect for sure will eat up resources ;)
[19:29] Bertl: the list approach would only be when they start up the services
[19:30] Bertl: yes, but that's the wrong way too
[19:30] so what is the 'right' way then?
[19:30] Bertl: what you do is that when apache starts, it looks in the file for port 80, and sees who is allowed to use port 80
[19:30] if it is me, then okay, continue, else, error
[19:30] huh?
[19:30] Bertl: it doesn't have to be a file, it can be in the kernel
[19:31] (example code and patch appreciated ;)
[19:31] Bertl: i know
[19:31] you don't know how apache binds its ports, right?
[19:31] Bertl: i might do that someday, but not now. I'll write it to the mailing list, maybe someone else will make it
[19:32] Bertl: not particularly, no, why ?
[19:32] because if you did, you would not make such a suggestion ...
[19:32] hehe
[19:32] Bertl: so, tell me, how do programs bind themselves to a port
[19:33] the whole below 1024 port stuff is nonsense, it doesn't give you security nowadays ...
[19:33] i would assume that it would be some sort of syscall saying "this program binds to this port"
[19:33] well, no, actually you request a socket ...
[19:33] a numbered socket, right ?
[19:33] then you can 'bind' this to an address/port if you want ...
[19:34] what if you don't bind the socket ?
[19:34] if you receive a connection, usually the application opens a descriptor on that socket and passes it to some worker ...
[19:35] depends, if you send udp packets, you do not need to bind it for example ..
[19:35] Bertl: i'm purely talking receive here
[19:36] well, the thing is, you would have to verify on each bind() against a per vserver list of ports ...
[19:37] Bertl: why a per vserver list?
[19:37] Bertl: why not just one list, with a name/number of the allowed vserver ?
[19:37] because maybe someone has more than one ip?
[19:37] per ip address then
[19:38] and you won't gain anything over an iptables setup, which does postNAT or port forwarding ...
[19:38] Bertl: are you _SURE_ that iptables does not have to copy the packets more than once ?
[19:38] which by the way, would allow you much more fine grained control over the streams ...
[19:39] well, depends on the rules ...
[19:40] but whenever possible, packets are not copied, only passed by reference or rewritten in place ...
[19:40] Bertl: yes i will, i will gain that not so bright sysadmins don't have to do iptables to secure that only one vserver binds to a given port
[19:41] Bertl: well, suppose i gave each vserver a 192.168 number, and then made a general mapping from them to my single ip
[19:41] hmm, well maybe he should then use something simpler at all ...
[19:41] Bertl: then i set up additional rules that state that port 80 can ONLY be 192.168.0.80
[19:41] Bertl: would that work ?
[19:41] Bertl: and would packets be copied?
[19:42] well, you actually would activate port forwarding from your 'real' ip to 192.168.0.80 for port 80 and make that one local ...
[19:43] Bertl: what about ssl connections...
[19:43] Bertl: they are usually made for one single ip
[19:44] so now you want ssl on your one IP ... well, one server could use the real IP right?
[19:44] Bertl: then they can bind port 25...
[19:45] not if iptables doesn't permit it ...
[19:46] Bertl: i still think an ip solution is more effort
[19:46] much more effort
[19:46] security has to be lean, mean and simple
[19:47] okay, and what about the 100 reports going, 'my apache doesn't start?, have you enabled the port in the config file??' ...
[19:48] Bertl: if the port is not assigned to a named vserver, then i would just let it get it
[19:49] okay, so if the admin doesn't set this up, we are back to the 'original' situation, same as with iptables, right?
[19:49] Bertl: why yes of course
[19:50] so except for some kernel bloat, we have not gained anything?
[19:50] if you want to ease the administration, write some vserver userspace tool, which calculates and configures the iptables setup for this ...
[19:50] Bertl: okay, so we have to have the list in the vserver.conf file
[19:51] Bertl: yeah, i just realised that that was the solution
[19:51] I'm checking now how much overhead DNAT would give you ...
[19:52] Bertl: but wouldn't that give us FAQs "my apache is running, but i can't see it from the outside?"
[19:52] Bertl: thanks
[19:53] Bertl: what if we could iptables --protocol tcp --destination-port 80 --vserver bertl_www -j ACCEPT
[19:54] something similar might be possible with the virtual network device ... last time Gandalf said, he will have a look at it this weekend ...
[19:54] Bertl: okay, i'll let the gurus do their stuff then
[19:55] the NAT stuff doesn't even do the header checksumming, it rewrites the src/dst and 'updates' the checksum ...
[19:56] Bertl: is there a previous checksumming done ?
[19:56] well, the checksum is in the packet which is received ...
[19:56] Bertl: yes, but is it checked?
[19:57] yes, it is checked, on reception ...
[19:57] ok
[20:00] but as I said, if you do some config script, which only takes a list of allowed ports/hosts/etc, and creates a full fledged iptables setup ... you might make some admins very happy ...
[20:00] Bertl: well, i happen to run iptables on my machine anyway
[20:00] iptables are not used much with vserver, which is bad in my opinion ...
[20:01] Bertl: but i don't use internal ip addresses
[20:01] I remember the thread about, how could we possibly do vserver traffic accounting ...
[20:01] Bertl: yes
[20:07] Bertl: i just don't know iptables that well
[20:08] well, a chance to learn something new ;)
[20:08] Bertl: and i wonder what to do if there is a clash
[20:08] Bertl: sure, but i have lots of school stuff i need to learn as well
[21:25] apw (~apw@212.104.150.41) joined #vserver.
[21:26] hi apw!
[21:26] hey
[21:29] want to play with vservers, best to start with stable or experimental?
[21:29] depends what you want to do (play ...)
[21:30] but basically the stable branch is a good start for newcomers ...
[21:31] yeah, not got a real application right now, but interested in the technology. possibly with a view to virtualising my DMZ host.
[21:31] Bertl: can i run vmware inside a vserver ?
[21:32] @Jon I think you have, what it needs to do that ;)
[21:33] Bertl: what do you mean ?
[21:33] guess it is possible, and you are able to do it ...
[21:33] okay
[21:38] @apw ever patched a kernel?
[21:39] yeah, been known to play with 2.5 and 2.6
[21:39] well, then I guess it will be a 'walk in the park' ...
[21:39] devel version sounds fun :) think i'll give it a spin.
[21:41] Bertl: is there any 2.6 activity?
[21:41] woooohooo, we have another 2.6 tester ;-P
[21:43] JonB: well my debian test box is causing me a few issues at the moment, very simple box and it won't boot from initrd. it was easier to put 2.6 on it as i had a config for that ... if there is 2.6 code out there i'm game.
[21:44] apw: there is a little. I would test myself if it wasn't because i _NEED_ a 2.4 driver (PPDD)
[21:49] @apw yes there is, but it has only a minimal subset of the stable release
[21:49] apw (~apw@212.104.150.41) left irc: Read error: Connection reset by peer
[21:49] apw (~apw@212.104.150.41) joined #vserver.
[21:49] @apw yes there is, but it has only a minimal subset of the stable release
[21:50] it's somewhat pre-pre-alpha ...
[21:50] i guess as the main use of this technology is server farms and the like the call is for the functionality on 'stable' kernel releases.
[21:50] you know the vserver home page?
[21:50] yes.
[21:51] okay there are links for everything ..
[21:51] for example http://vserver.13thfloor.at/Linux2.6/index.php?page=To-Be-Tested+Stuff
[21:51] where http://vserver.13thfloor.at/Experimental/patch-2.6.0-test9-vs0.01.diff
[21:52] is the 2.6 patch ...
[21:53] aha, two links to Experimental, only the one at the bottom of the page works. the ones on the stable and development pages don't
[21:54] ta.
[21:54] well, the upper link is reserved for 'official' experimental releases ;)
[21:55] ahh, as clear as mud :) fun, fun, fun
[21:56] hmm, feel free to change, it's a wiki ;)
[00:00] --- Sun Nov 23 2003