[00:26] Bertl (~herbert@212.16.62.51) left irc: Ping timeout: 493 seconds [01:04] Bertl (~herbert@MAIL.13thfloor.at) joined #vserver. [01:04] infowolfe (infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left #vserver. [01:05] hmm, hmm ... what happened? [01:06] seems like I lost 3 hours ... ;) [01:10] infowolfe (infowolfe@68.33.215.209) joined #vserver. [01:10] hi chip! [01:11] Bertl: [19:56:27] hmm, feel free to change, it's a wiki ;) [01:11] [22:26:51] <-- Bertl has quit (Ping timeout: 493 seconds) [01:11] Bertl: [23:04:41] --> Bertl (~herbert@MAIL.13thfloor.at) has joined #vserver [01:11] hehe, but not on my client :( [01:12] I just wondered, why the channel was so silent ... [01:13] Bertl: it's saturday evening [01:13] well so nobody said anything in the meantime? [01:15] Bertl: NOBODY [01:15] in this case, I didn't miss anything, right? [01:15] Bertl: nothing [01:31] okay .. guess this is it for today ... cu all 2morrow ... [01:31] Nick change: Bertl -> Bertl_zZ [01:33] matta (~matta@69.56.241.195) joined #vserver. [01:57] hello... [01:58] hey matta [02:17] JonB (~jon@129.142.112.33) left irc: Quit: Client exiting [02:50] iceberg (~infowolfe@68.33.215.209) joined #vserver. [02:50] infowolfe (infowolfe@68.33.215.209) left irc: Read error: No route to host [03:06] am i still here [03:06] ? [03:06] oops :-p [03:06] Nick change: iceberg -> infowolfe [03:10] matta (~matta@69.56.241.195) got netsplit. [03:10] ccooke (~ccooke@80.1.164.238) got netsplit. [03:10] mcp (~hightower@81.17.110.148) got netsplit. [03:10] linas (~linas@67.100.217.179) got netsplit. [03:10] virtuoso (~shisha@195.131.114.115) got netsplit. [03:10] unriel (~riel@riel.netop.oftc.net) got netsplit. [03:11] matta (~matta@69.56.241.195) returned to #vserver. [03:11] ccooke (~ccooke@80.1.164.238) returned to #vserver. [03:11] mcp (~hightower@81.17.110.148) returned to #vserver. [03:11] virtuoso (~shisha@195.131.114.115) returned to #vserver. [03:11] unriel (~riel@riel.netop.oftc.net) returned to #vserver. [03:11] linas (~linas@67.100.217.179) returned to #vserver. [03:11] Topic changed on #vserver by !unununium.oftc.net: http://linux-vserver.org/ || latest stable 1.00, devel 1.1.5 [03:31] matta (~matta@69.56.241.195) left irc: Quit: The light at the end of the tunnel may be an oncoming dragon. [04:24] monako (~monako@194.186.248.53) joined #vserver. [04:28] monako (~monako@194.186.248.53) left irc: Client Quit [04:47] Action: apw is away: I'm busy [13:56] JonB (~jon@129.142.112.33) joined #vserver. [14:17] serving (~serving@213.186.191.106) left irc: Ping timeout: 493 seconds [14:29] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver. [14:38] serving (~serving@213.186.190.41) joined #vserver. [14:57] JonB (~jon@129.142.112.33) left irc: Quit: later [15:59] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Read error: Connection reset by peer [20:56] JonB (~jon@129.142.112.33) joined #vserver. [20:56] Nick change: Bertl_zZ -> Bertl [20:56] hi Jon! [20:57] Bertl: hi [21:01] you are always concerned about security, right? [21:01] Bertl: yes, but i'm not actualy doing anything about it *snicker* [21:02] hmm, you are 'thinking' about it, that is already something in my book ;) [21:04] Bertl: :) [21:04] Bertl: any particular reason for your question ? [21:04] if you ask my users, they will say that i do something about it too, and that i'm annoying about security [21:05] well, I was a little suprised how unnoticed my 0.27 release Alert remained ... [21:07] Bertl: i've been busy doing school project all day, and besides, my own vserver is not that importent [21:07] Bertl: why are the alert not on the website? [21:08] I have to verify it agains the 'latest' 0.27 release, as usual jack has more than one 0.27 release :( [21:11] but it seems tha alert is still valid ... [21:11] Bertl: what is the alert ? [21:12] well, chcontext --secure isn't secure anymore ... so basically all vserver get _ALL_ capabilities (except for one ;) [21:12] OUCH [21:13] what happened? [21:13] don't know jet ... [21:13] s/jet/yet/ [21:13] discovered it by one of my routine tool tests ... [21:15] Bertl: good thing you have that [21:15] Bertl: does it apply to all vserver releases ? [21:15] 'only' development ... [21:15] okay [21:19] MrBawb (abob@sparky.dok.org) left irc: Ping timeout: 492 seconds [21:21] MrBawb (abob@63.100.31.204) joined #vserver. [21:28] @Jon what would you like to see in the upcoming stable release and the next devel releases? [21:29] (and what not ;) [21:29] Bertl: a working chcontext --secure [21:30] ;-P [21:30] well, that is a userland issue, and util-vserver does this ;) [21:30] okay, good [21:30] i use util-vserver [21:30] lets see... [21:30] DoS protection [21:31] meaning i want to be able to limit a vservers memory and disk i/o, network i/o can be handled with iptables (i suppose) [21:32] well and qdisc ... for example ... [21:32] qdisc ? [21:32] Bertl: and what about cpu schedule stuff ? [21:32] queuing disciplines (for network) [21:33] okay [21:33] ipv6 support is not that importent to me [21:34] hmm, memory and disk I/O! limits ... [21:34] mhepp (~mhepp@213.211.38.19) joined #vserver. [21:34] hi mhepp! [21:34] @Jon I don't think the admins are ready for those limits ... [21:35] Bertl: admins ? [21:35] Bertl: do you have other suggestions yourself ? [21:35] or to be more precise, I fear that we get a 1000 complaints about memory limits not working, and vserver failing ... [21:36] why would we get that ? [21:36] issue is that: linux 2.4.x vanilla does not support RSS limits/accounting ... [21:36] we can do VM accounting/limits ... but that is something no linux admin has faced yet ;) [21:36] VM ? [21:37] virtual memory (pages) [21:37] anyway, i'll go eat, and then we can talk (in several hours) [21:37] okay, enjoy your meal ... [21:49] Gandalf (~gandalf@tux.rsn.bth.se) left irc: Remote host closed the connection [22:43] say-out (~say@212.86.243.154) left irc: Ping timeout: 483 seconds [22:50] back [22:51] and did you enjoy it? [22:51] yeah sure i did [22:51] i had lamb frontleg [22:51] roasted in the oven [22:52] and besides that potato slices roasted below the lamb, with cream over the potato's [22:52] sounds good, indeed ... [23:00] where was I .. ahh the VM limits ... [23:05] Bertl: yes [23:06] I said, this would probably lead to many 'bug' reports ... from vserver admins ... [23:07] why would we get that ? [23:07] hmm, well a 'normal' linux system basically has no limit on VM ... [23:09] ja ? [23:09] ja! [23:11] yes, correct, it has no limits, but why will people have that problem in a vm ? [23:11] inside a vserver people should just see the memory as a limit [23:11] you run top [23:11] and you see you've got 103MB ram [23:11] we have a patch, that does exactly that, vm limiting ... and it results in OOM situations killing tasks ... [23:12] what happens if you run a normal linux server and you run out of memory ? [23:12] well that is one of the misunderstandings, RAM == RSS and not VM ... VM is _much_ larger than RAM ... [23:12] RSS = Resident Set Size ... [23:13] let me give an example ... [23:13] not if you dont have swap [23:13] suppose you mmap() a 1GB file ... how would you assume that this 'memory' will be accounted? [23:14] okay, lets get some numbers [23:15] suppose i have a machine with 128MB ram, and 256MB swap [23:15] okay, you mmap that same 1GB file ... [23:15] yes, then we put 120MB into the ram [23:16] well, what would happen on a 'normal' system? simple you have ~1.2GB virtual memory and no swap usage ;) [23:18] okay, and why cant we do the same inside a vserver ? [23:18] mhepp (~mhepp@213.211.38.19) left irc: Remote host closed the connection [23:18] Bertl: the vserver just can not allocate any more than 128MB ram, and 256MB swap [23:18] well, we can, and we currently do .. no limits at all ;) [23:19] mhepp (~mhepp@213.211.38.19) joined #vserver. [23:19] but RSS is not accounted and can not easily be limited ... [23:19] Bertl: does it need to be limited ? [23:19] and swap (anonymous pages) are even harder ... [23:19] if you want to have a vserver with 128MB ram on a 1GB ram host, yes ... [23:20] Bertl: why ? [23:20] what else will you limit? [23:20] Bertl: back to the server has only 128 mb real ram [23:20] okay ... [23:21] Bertl: there you could mmap the file anyway [23:21] yes ... [23:21] Bertl: suppose i have 7 hosts running on my 1G ram maskine, with 128MB ram for each vserver, and 128 for the root server [23:21] Bertl: what happens if all 7 vservers mmap a file ? [23:21] mhepp (~mhepp@213.211.38.19) left irc: Remote host closed the connection [23:22] depends on how the 128MB per vserver are done ... [23:22] Bertl: yes ? [23:22] that actually _is_ the question, how to restrict a vserver to 128MB ram ... ;) [23:24] Bertl: when ever a process running inside context Y allocates memory, we check if the limit is reached or not [23:24] if it is reached, the allocation fails [23:24] aha, but that allocation will not be RAM, it will be VM ... [23:24] no process ever allocates RAM ;) [23:25] Bertl: not completely true [23:25] okay, give me an example, how a process could allocate RAM ... [23:25] Bertl: it allocates VM [23:26] okay, that we can agree on ... [23:26] and when it tries to read or write to the allocated memory, the kernel maps the memory to real ram [23:26] that is also true ... but if that fails, you are in real trouble, no? [23:26] when ever that happens, i want a warning at a certain level [23:27] and at a higher level i want a "panic" [23:27] Bertl: yes, but that is not different than a real server [23:27] hum hum ... and what about pagin in/out? [23:27] Bertl: actualy i would prefer that when this happens, then it just pages that memory onto swap [23:27] Bertl: so when you reach the HARD limit, you just start using swap [23:28] but it will not do that for a read mmaped() file for example ... why should it, by the way? [23:28] it will not do what ? [23:28] page to swap ... [23:28] mmap of files should not be swapped no [23:29] what happens in a real 128MB ram machine ¿ [23:29] when you do that [23:29] what? [23:29] your proccesses allocate vm [23:29] mhepp (~mhepp@213.211.38.19) joined #vserver. [23:29] nothing, absolutely nothing, no checks, no warning ... [23:30] the kernel allocates all ram and all swap, and you mmap a file [23:30] Bertl: why cant we do the same in a vserver ? [23:30] actually we do at the moment, (doing nothing ;) [23:30] no no [23:31] at the moment we will let one vserver trash all the others [23:31] i want it to only trash it self [23:31] okay, so how to accomplish that? [23:32] Bertl: by counting the real ram it uses [23:32] and either give it all the swap it wants [23:32] or put a limit on that too [23:32] and if it has used it all, shut it down [23:32] maybe start it up again [23:33] okay, we are back to RSS the amount of actual RAM used for one vserver ... [23:34] sort of [23:34] if there is unallocated memory, i would allow the vserver to use it [23:34] lets assume that we can account this ... (not with vanilla kernel) [23:34] but if some other vserver needs it, and it still has free [23:34] then the evil vserver has to die [23:35] what is the action we take, once RSS reaches the limit ... [23:35] the same as a real machine would [23:35] probably freeze [23:35] but i'd prefer that it is shutdown [23:35] and possibly restarted [23:35] well, the real machine does not reach the limit ... as it doesn't page in more than the actual RAM available ;) [23:36] it's really very tricky to do the right accounting and take appropriate measures ... [23:37] well, then we do the same [23:37] we dont page in more than the limit of the vserver [23:37] actualy there are 2 limits [23:37] ram and swap [23:38] okay, let us for a moment assume, we can account RSS correctly, and we decide not to page in more than available for one vserver ... [23:39] this would result in increased swapping in/out for the limited server ... [23:39] correct [23:39] which would trash the server.. [23:39] which would trash _all_ servers ;) [23:39] unless we count the swapping in/out as part of the scheduler [23:39] meaning, that each vserver has a certain ammount of cpu time [23:39] when that cputime is gone... [23:39] where we come to I/O bandwidth limitations ... [23:40] you can not swap [23:40] well, unfortunately the swapping is done by the system, in case of a page fault ... [23:41] so, yes we could charge the process for that .. but no we can not delay/stop that ... [23:41] Bertl: fine, we charge it, and it waits a penalty time in the box [23:41] untill either team has scored a goal [23:41] or 2 minuted [23:41] minutes [23:42] yes ... for example that is something we could do ... [23:42] Bertl: i would find that acceptable [23:42] it would be like a real system [23:42] you swap [23:42] and you wait [23:43] but it would not go well with a CPU slice guarantee ... [23:43] why not ? [23:43] you can't guarantee 10% of the CPU while at the same time slowing down because of swap penalties ... [23:44] brb .. 4mins or so ... [23:44] We guarantee 10% of the CPU [23:45] unless you use swap, that will steal time from your CPU slice [23:54] mhepp (~mhepp@213.211.38.19) left irc: Remote host closed the connection