[00:00] this sets up a rule and table for 192.168.0.x ... [00:00] @jack, oaky? [00:01] Yes [00:02] chbind --ip 192.168.0.2 ping -c 2 128.130.2.3 [00:02] works perfectly with this ... [00:02] chbind --ip 192.168.0.2 --ip 192.168.0.2 ping -c 2 128.130.2.3 [00:02] gives Network is unreachable ... [00:03] it took me some time to find the reason for this behaviour ;) [00:03] Interesting because ping is using raw packet and does not involve most of the code in the vserver [00:03] yes, but it uses connect() [00:03] I was not aware of that (ping using connect). I guess it does this to learn the output interface to use [00:03] and you have two different codepathes depending on the number of iproots ... [00:04] here a short printf debugging sequence ... [00:04] # chbind --ip 192.168.0.2 ping -c 2 128.130.2.3 [00:04] Yes one for a single IP, forcing this IP to be the source and one where the source is selected dynamcly, introduced in ctx-17a [00:04] ipv4root is now 192.168.0.2 [00:04] ··· [z1] initial src=0.0.0.0 dst=128.130.2.3 [00:04] ··· [a1] post src=0.0.0.0 dst=128.130.2.3 [00:04] ··· [a2] post src=0.0.0.0 dst=128.130.2.3 [00:04] ··· [a3] post src=192.168.0.2 dst=128.130.2.3 [00:04] ··· [x1] src=192.168.0.2 dst=128.130.2.3 [00:04] ··· [z2] final pre src=192.168.0.2 dst=128.130.2.3 [00:04] ··· [z3] final post src=192.168.0.2 dst=128.130.2.3 err=0 [00:05] .. where in the second case ... [00:05] ··· [z1] initial src=0.0.0.0 dst=128.130.2.3 [00:05] ··· [a1] post src=0.0.0.0 dst=128.130.2.3 [00:05] ··· [m1] ip_route_connect() ipv4root=192.168.0.2 [00:05] ··· [m2] pre ip_route_output() src=0.0.0.0 dst=128.130.2.3 [00:05] the code checks if n>1 and then calls ip_route_output() [00:05] with the original src ... which fails for 0.0.0.0 ;) [00:06] and instead of using the first or second or whatever src for routing calculations, it simply fails ... [00:06] I don't understand. Using connect with src=0.0.0.0 is the standard way. Why is it failing for ping [00:06] this has severe inpact on how vservers 'calculate' the route ... [00:07] because there is no 'default' gateway, if the src address is 0.0.0.0 ... [00:07] Ok, you mean when you setup iproute2 with the special route for 192.168.0.0/24 ? [00:08] yes, this _is_ a problem if you want to have more than one network, with different default gateways ... [00:08] IIRC we had some reports on this ... and that it didn't work as expected ... [00:09] I understand. We are using ip_route_output to find the route so we can select the proper source IP, but this can't work [00:09] because it has to know the source IP before hand. How can this be solved ? [00:09] yeah, that is the problem ... [00:09] I was thinking about this, and I have two solutions ... [00:10] a) just 'define' that the first ip is the source in such cases, it would not matter anyway ... [00:10] ok, fallback to ipv4root[0] in all cases ? [00:10] b) try all defined IPs and take the first which succeeds ... [00:10] Ok. We would do the following [00:10] I'm not sure if the 0.0.0.0 test should be done anyway ... [00:11] try the current strategy. If it fails, picks each IP and find the one which works [00:11] 0.0.0.0 has to be done. the purpose is to find the best source IP. Unless you have special routing (per source iP) rule [00:12] hmm, how does the unmodified kernel decide this? [00:12] all source address are ok. I mean, I am allowed to send 192.168.0.2 address on 192.168.1.0/24 network. This is valid. [00:12] It uses ip_route_output as well with 0.0.0.0 [00:13] hmm ... yes, you are right ... haven't checked that before ... [00:14] we need per context routing tables! [00:14] Hum, I suspec that a ping may kind of fail as well even on a standard kernel with say two interfaces and two routing table, unless there is a default gateway [00:14] in the default route table. [00:14] yeah, checked this a few seconds ago ... [00:15] Its a chicken and egg problem [00:15] okay, what do you think of the following: [00:16] what if we add the xid to every connection/packet and hadnle/route this via some separate routing table ... [00:17] Are you talking about the private loopback or the ping problem above ? [00:17] well, the network per se ... of course the loopback can be solved that way too ... [00:18] You mean to tell people about using routing table selected by XID and then force vservers to tag every outgoing packet at the source (the XID could be the security context) [00:19] yes, sorry, I'm using xid like uid for context ;) [00:19] Hum. Not sure if the details but I like it. In fact, this could be a different thing from the security context. [00:20] yeah, sure, not necessarily bound to the context id ... [00:20] We could very well have a network ID as part of the set_ipv4root system call. [00:20] associated with a routing table ... [00:20] does vservers work with non ethernet devices ? [00:20] This could be a very useful feature. Currently, people have to set the IDs (IP marks) using iptable filter, but they lack the original context [00:21] could be even a netfilter extension and we could also tag/check for context marking ... [00:21] Yes jon. vserver really do not care about devices. The patch is really dealing with IP (ipv4 for now) only. You can setup vservers on loopback or dummy device if you want [00:22] jack: thanks [00:22] This network ID, I like it a lot. What I like is this is bigger than vserver. For example, someone could do the following [00:22] chbind --netid X execute this server [00:22] No --ip option, just a new --netid X option. [00:23] jup, should work ... [00:23] Now every packet sent by this server would be tagged and people could setup speed limit and quota for that service whatever the port it is using. [00:23] nevertheless I would like to have a virtual network interface for vserver ... [00:24] this way 'default' behaviour would be possible, and security would allow to process/check every packet ... [00:24] Ok, this netid stuff should really be pursued. Fun. back to the private loopback and virtual devices [00:25] for the loopback, I think it would be sufficient to add a context id to the sock structure ... [00:25] This network ID stuff does not help (I think) to solve the private loopback issue. The checks done by the kernel only look at IP, not device, not IDs [00:26] The sock structure already as the s_context in it. This is how netstat knows (or don't know) which socket to print in a vserver. [00:26] This was my idea to solve the private loopback. [00:26] ahh okay ... so this should be sufficient, right? [00:26] In the tests we do to find if a bind to 127.0.0.1:port is ok, the 127.0.0.1 would become a special case and the test would include the s_context field. [00:27] which function is this, do you know? [00:27] I think this would be enough and easy to solve have a real private loopback. Now, the virtual devices could serve other purposes [00:28] Let me check in the source. This is the stuff I changed back in ctx-16 allowing one vserver to have several IPs and do a bind ANY on them. Just a minute [00:29] Ok, got it, in net/ipv4 in function tcp_ipv4_addr_conflict [00:29] ahh yes ... [00:29] This function was added for the vserver project. Basically, the kernel does not care too much if many processes are bound to the same IP,same port. This [00:30] function checked this. [00:30] used in tcp_bind_conflict and udp_v4_get_port ... [00:31] Later, when we try to connect a socket, we use tcp_v4_lookup_listener. [00:31] The trick would be to match 127.0.0.1 and s_context and port when we match 127.0.0.1, not just 127.0.0.1 and port. [00:31] by the way, what would we need to allow ipv6 to work (for vserver) [00:31] This way we would end up with private loopback working normally [00:32] ipv6 would probably need the exact same hack we have now. [00:32] because we have a lot of people able and willing to test ipv6 ... [00:32] Same hack in route.h, in bind, connect etc... [00:33] I'm still hoping that we can find a 'virtualization' method which doesn't require the modifications at all ... [00:33] You talked about 1.2.0 lately. If we could have private loopback working and the limit stuff and the other stuff you think is reliable, we could attack ipv6 in 1.3 [00:34] I agree [00:34] FYI, I changed the dynamic context allocation in the latest release ... [00:34] I have push back the multiple IP bind any solution for a long time because I tought it would slow down things. It turns out to be not so bad [00:35] What's new ? [00:35] (sorry did not read the mailing list yesterday and today) [00:35] well, we had a possible deadlock .. when all dynamic IDs are used up .. [00:35] and a SMP race in dynamic allocation, holding a spinlock while calling kmalloc indirectly ... [00:36] btw, why did you picked such a high number (49000) ? [00:36] to get the dynamic stuff out of the static range already used ... [00:36] You needed that many static context ? [00:37] no, but folks tend to use 1000 or 10000 as base ... [00:37] Ok, not that I care. [00:37] and it is a #define anyway ... [00:37] Ok, back to private loopback. Do you agree about my private loopback solution ? [00:38] it sounds good, maybe some test implementation would be beneficial ... [00:38] Sure. Ok, I will look at it. Now back to chrootsafe() [00:38] I saw your trick and came with a very little solution, kind of weird to make chrootsafe() work in all case. Less general though. [00:38] okay, as far as I understood enrico, it cant work if we store only the last inode/path [00:39] actually enrico is doing all the chrootsafe() breaking stuff ;) [00:39] This is the idea. A process would have up to 3 bins to store the safe root. They are start NULLed [00:40] When you do chrootsafe(), it fills one saferoot (say saferoot0). When you do a second, it uses saferoot1 and so on. [00:40] When the kernel does it checks, instead of checking saferoot, it checks saferoot0,1 and 2. [00:40] This way, it never forget one saferoot. But you are limited to 3 imbeded chrootsafe() call. [00:40] guess that works, but not if you limit the number ... [00:41] What do you mean, limit the number [00:41] you would have to record a stack/list of barrier inodes ... [00:41] Yes this is true, this explains why I limit that to 2 ou 3 saferoots [00:42] The check done in the vfs accesses would still be very fast [00:42] personally I favour a different approach ... using namespaces instead of the chroot stuff ... [00:43] Another solution would be to have chrootsafe doing namespace stuff. I mean instead of a userland solution, chrootsafe would do everything. No need to let the process do remounts [00:43] hello, stackable chroot's will not protected against cross-vserver attacks when vservers are having different roots and sharing a filesystem [00:43] ahh, hello enrico ... [00:44] Why ? [00:45] since 2 vservers can have a distinct set of chrootsafe-bins. Now, first vserver transmits direcotry fd to second one, which can escape [00:46] Interesting. How does namespaces handle this ? [00:46] with namespace + remouting/pivot_root there is nothing before / [00:47] I would suggest a chroot replacement call, which 'crafts' the namespace for the task ... [00:47] What happens when the other vserver sends an fd of a directory from another namespace ? [00:48] jack: I never tried it, but either, it got's an IO error, or can walk in namespace of the first vserver only [00:48] make sens [00:49] maybe we could do something like the context for namespaces ... this way, you could enter 'named' namespaces ... [00:49] Bertl: I am not sure if such a syscall is really needed [00:49] usual CLONE_NEWNS + mount --rbind should work [00:50] the idea would be to 'associate' a namespace with a context or some namespace identifier .. this way you could 'join' such a namespace ... [00:52] btw, we should have a new capability to allow mount --bind. This is a general solution (mount --bind) to solve administrative task in a vserver and should not requires CAP_SYS_ADMIN [00:52] ahh okay, that is something I suggested some time ago, and we already have discussed an interface for that ... [00:53] so called 'per context capabilities' ... [00:54] this is a capability array, associated with the context, which allows to control the 'linux' capabilities in a finer grained way ... without adding capabilities to the default cap system ... [00:55] At some point we will have to connect with the LSM [00:55] that is true ... [00:58] LSM ? [00:58] Linux Security Modules ... [00:58] okay [01:01] ahh okay, before I forget, jack, does 0.28 support the kill_context stuff? [01:02] enrico, is this supported in 0.26 or some alpha version? [01:02] Bertl: adding ctx -> namespace relationship is good and imo necessarily because of security reasons. But it (should) work out of the box without an extra syscall. E.g. you can start a vserver with 'new-namespace { mount --rbind / ; chcontext } ... ', where the '{ ... }' part is a separate program [01:02] Bertl: no [01:03] okay, I just realized that this would immediately solve two of the to-do issues ... [01:03] Bertl: am I interpreting it right, that you have to know the ctx of a pid to use this syscall? Or is it be possbile to say 'ctx_kill(0, pid, 9)'? [01:04] No. Is this in 1.1.6 ? [01:04] yes, it's in 1.1.5 ;) [01:04] Bertl: would it break something to reomve the first line from [01:04] @enrico sec, looking at the code ... [01:04] + if (p->vx_id == id) [01:04] + retval = send_sig_info(vc_data.sig, &info, p); [01:04] + if (p->vx_id == id) [01:04] + retval = send_sig_info(vc_data.sig, &info, p); [01:05] oops, jittered too much. Should drink less coffee... [01:06] In 1.1.5, I have vc_ctx_kill as an empty function returning -ENOSYS. Am I missing something ? [01:06] ahh okay, you can do that with the admin context ... [01:06] @jack yes, there was the interface, the functionality is in 1.1.6 ... [01:07] Ok, I will implement this over the weekend. Will work also on private loopback [01:07] @enrico, using xid=1 and you can kill any pid ... [01:08] hmm sorry, I'm confused ... you can do that with xid=0 ... [01:10] Zoiah (Zoiah@81.17.52.139) got netsplit. [01:10] apw (~apw@212.104.150.41) got netsplit. [01:10] ccooke (~ccooke@80.1.164.238) got netsplit. [01:10] micah (micah@192.101.188.235) got netsplit. [01:10] mmh, I do not understand how... xid is not used in vc_ctx_kill() (1.1.6 patch) [01:11] ccooke (~ccooke@80.1.164.238) returned to #vserver. [01:11] micah (micah@192.101.188.235) returned to #vserver. [01:11] apw (~apw@212.104.150.41) returned to #vserver. [01:11] Zoiah (Zoiah@81.17.52.139) returned to #vserver. [01:11] if (!vx_check(0, VX_ADMIN)) [01:11] return -EPERM; [01:11] this allows only context id = 0 ... [01:11] if you specify a pid, the default path is used ... [01:12] this results in sending the signal to the task with that pid ... [01:12] no further security check ... [01:12] ah ok, but the '(p->vx_id == id)' checks are succeeding iff the given ctx is equal to the ctx of the process [01:12] this is only done if you specify pid<= 0 ... [01:13] no, default: has this check also [01:13] oops .. right ... [01:14] okay I change that to (!id || (p->vx_id == id)) [01:15] or would you prefer context 1 for that? [01:15] 0 is ok for me [01:16] @jack last time enrico and I talked about moving the context flags to a per context flagword ... which can be changed at runtime, what do you think about that? [01:18] Not sure I understand. Currently, if you set a vserver with a given flag and then you change the flag and reenter the vserver, the flag is change for all processes [01:19] yeah, we talked about 'moving' this interface to a separate syscall command, and extend it by the per context capabilities, this way removing the -1/-2/... hacks for the 'original' syscall ... [01:21] JonB (~jon@129.142.112.33) left irc: Quit: Client exiting [01:21] Zoiah (Zoiah@81.17.52.139) got netsplit. [01:21] apw (~apw@212.104.150.41) got netsplit. [01:21] ccooke (~ccooke@80.1.164.238) got netsplit. [01:21] micah (micah@192.101.188.235) got netsplit. [01:21] ccooke (~ccooke@80.1.164.238) returned to #vserver. [01:21] micah (micah@micha.hampshire.edu) joined #vserver. [01:21] Zoiah (Zoiah@matryoshka.zoiah.net) joined #vserver. [01:22] apw (~apw@212.104.150.41) returned to #vserver. [01:22] Bertl: you can check for '-1' instead of 0/1. This has a more clean semantic (no process can have ctx -1, but 0/1 are possbile) [01:23] okay ... [01:23] Yes -1, -2 -3 is very ugly. This was the cause of the security flaw in vserver 0.27. [01:23] Having a new entry in the switch is a good idea [01:23] -3 ? [01:23] no -3 does not exist. Just to mean the magic value are just hacks [01:24] okay, I draft the interface for that, and we talk about the semantics next time .. or via email, okay jack, enrico? [01:24] ok [01:25] http://vserver.13thfloor.at/Experimental/patch-killctx-fix.diff [01:25] this will be in 1.1.7 ... [01:29] @jack regarding the routing/source ip issues, what would be the consequences, if you specify --ip 0.0.0.0 for chbind? [01:41] It means you are out of it. No ipv4root restriction on this process. This is how it works now and only ctx0 can do that [01:42] It is an important feature. When you log to a root server using v_sshd, you may need to escape out of ipv4root to start some services [01:42] hmm, okay ... [01:43] also if you log using v_sshd and try to start another vserver, you must be allowed to select a totally different IP set [01:43] something completely different, I recently noticed some strange /dev/pts issues ... [01:44] first, devpts is 'adapted' but the devfs 'pts' is not ... but I'll add this soon ... I guess ;) [01:44] but that has nothing to do with the following: [01:45] sshd[2085]: Accepted password for ... from ... port ... ssh2 [01:45] sshd[2085]: error: openpty: No such file or directory [01:45] sshd[2087]: error: session_pty_req: session 0 alloc failed [01:46] and this is somewhat reproducible, but I'm currently not able to debug this ... everytime I do a debug trace and/or strace this issue completely disappears ... [01:46] I'm not even sure this _is_ a vserver issue ... [01:48] perhaps related with mc/w3m issues? [01:49] hmm, what do you mean? [01:49] I rad in maillist that w3m fails and mc sometime in vservers [01:50] hmm, do they allocate pseudo ttys ? [01:50] mc does it; dunno about w3m. pty's are just a guess, I never traced it [01:51] if this is reproducible somehow, I am willing to track this down ... [01:51] I read in the maillist archive about it... [01:51] okay .. will search for it ... [01:52] found nothing suspicious in the code, though ... but that doesn't say much ;) [01:52] has anybody had a look at the vskel stuff? [01:52] but it is probably vserver unrelated since I see similar faults on an embedded device with minimal /dev also [01:54] @jack,enrico recently somebody asked me, why there are two vserver tools, and why you do not work together on one version ... I had no answer to that question, maybe you could explain that? [01:59] Bertl: you asked me to create a second toolset ;) [01:59] is jack still there? [02:00] and "working together"... mmh ... vserver is too small and two cooks are ruining the pulp... [02:01] enrico, I'm totally indifferent to that, and I like your work, so don't get me wrong, I just passed this question on ... [02:04] enrico, IIRC, you do not want to maintain the newvserver script and some of the vunify stuff, right? [02:06] Bertl: you are right on newvserver. But vunify is needed, but requires a complete new implementation so that I will stay at it [02:06] and we are still missing a test suite for new releases ... [02:06] true... [02:07] well, the current situation is okay for me, as long as there _are_ new tools for new features ... so I'm not complaining at all ... [02:08] actually I'm happy that there are tools, and thank you all for doing this stuff ... [02:11] struct vcmd_ctx_caps_v0 { [02:11] uint32_t maxcaps; [02:11] uint32_t subcaps; [02:11] }; [02:11] would this be okay for capability settings? [02:12] for normal and per context ... [02:13] get and set command for that ... [02:13] do we need a mask for subcaps and/or maxcaps? [02:14] what are maxcaps and subcaps? [02:14] subcaps would be the per context capabilities ... [02:15] and maxcaps would be the upper bound for per context capabilities ... [02:17] hmm, should we propagate cap changes to the processes? [02:17] mmh, I do not understand why this is needed since capabilities can be removed only (but not gained) [02:19] okay, if we allow to take away/give capabilities on-the-fly from outside ... how would/should we handle that? [02:21] do we allow this? ctx is created with caps of parent ctx. After this initialization, caps can be removed only [02:23] yes, that is the current behaviour, but my impression was, that we would like to make this modifyable while the server is running ... maybe that isn't such a good idea at all ... at least not for the linux capabilities ... [02:26] do you have any application for this? [02:27] well, probably use for this is limited ... so let's scratch it ... [02:28] okay, what is the reason for the capability stuff in the new_s_context syscall command anyway? [02:30] probably, since there does not exist another way to set the ctx capabilities [02:37] okay, so we need cap_bset, but we don't want to change it at runtime, right? [02:42] you can change it at runtime, but its semantic would be 'remove', not 'set' [02:42] hmm, you could also 'add' or am I missing something? [02:43] parent process removes caps between 'create' and 'migrate' [02:43] yes, but as 'root' you can transfer capabilities, right? [02:44] current linux-caps would require CAP_PSET which has init only [02:45] that was the question, I could imagine that you 'add' the required capabilities on the fly from outside ... [02:46] I am back for few minutes: Why vunify need a new implementation ? [02:47] The problem with capability is that without the vserver project it is useless. Hum ? [02:47] Let me explain [02:48] jack: it is too specific for package management. I want something which is unifies filesystem trees [02:48] Capability are useful if you can tag them to files. This is not available now in linux. So while process may loose capability, setuid process are regaining them all [02:49] there is a hack in the kernel just for that. Everytime you execute a new program, you regain all capability. So vserver introduce the capability ceiling and setuid programs (root) [02:49] can't have more. [02:50] About vunify, it relies on packages and is distribution independant since it uses the distrib-info script to learn. Pick another name for the new tool. [02:50] jack: new vunify tool will have a legacy mode... [02:51] In fact the whole problem with capabilities is that it is useless anyway except for vservers. I mean, this is too broad. For example [02:51] (which calls the old tool) [02:51] Don't call it a legacy mode. Legacy means deprecated. Vunify uses package to perform unification and it unifies what needs and is fast. People may want to unify using other strategy (sam did that) [02:52] but this is less universal. vunify works with package so it let packages updates properly and do not confuse users. [02:52] Create another tool. [02:53] Or create new mode. Use the option --strategy for example (--strategy package, --strategy something), but not legacy. [02:54] and put a VUNIFYSTRATEGY= in /etc/vservers.conf or something like that, since vrpm and friends may want to redo unification after their work. [02:54] @jack what about working together on separate parts of 'the vserver tools?' ... [02:54] jack: this old configuration scheme went away in alpha branch [02:55] While I was away (not too much responding to email), I don't know what happened so can't juge enrico. All I see is that strange decision are being taken and this kind of irritate me. [02:56] I have talked about upgrade path and people did not seem to care. I am supporting quite a few people with hundreds of vserver installation. I do care about compatibility issue. [02:56] What old configuration scheme ? [02:56] okay, maybe I should explain how this happened, as it is partly my fault ... [02:56] the /etc/vservers/.conf based one [02:57] please take a step back from the details ... and look at the picture ... [02:57] new one has /etc/vservers// directory where the parameters are stored in snigle files [02:57] the shell-like configuration is not powerful enough to set certain parameters [02:58] (and makes e.g. C implementations complicated) [02:58] Having one directory per vserver is probably a good idea since other configuration may appear in the future. [02:59] Yes but make shell script potentially complicate. But this is workable. For example we may have a tool call vprintconf which print a set of var= var= values and we can eval that in bash [02:59] Or we can have the reverse where the a script is run and output a more easily parsed file for C. [03:00] when you can read XML: http://savannah.nongnu.org/cgi-bin/viewcvs/util-vserver/util-vserver/doc/configuration.xml?rev=1.2&content-type=text/vnd.viewcvs-markup is the begin of some documentation [03:01] @jack do you miss the smooth migration path, if so, why? and how could we ease that? [03:01] XML is nice and for some reason never kicked off as a configuration format. Not sure why. I guess it turns ugly fast. People seems to like to just # comment away things [03:02] Ok wait wait wait and wait again [03:02] ahh, got some attention there? ;) [03:03] it is not a configuration file, it's the documentation of the configuration ;) [03:03] When I agree to let you drive the project, there were very little things that cause grief. We had missunderstanding on many little things and I could not figure why this was causing such a problem. [03:04] I said, maybe it is me, maybe it is not me. So I decided to let you go and let things happen. I was not confortable with the way things were happening, but I again decide to let it go. [03:05] morning [03:05] I was not confortable with that, but I found my confort zone. Basically, when I decided to continue the vserver package, I found a way to support the current user and continue to contribute. [03:06] the old/legacy configuration will be still supported [03:09] @jack so what is your point? are you not 'satisfied' with the way vserver development evolves? [03:09] I don't think so and this is part of the little problems. Basically, when you said things like newvserver is gone or whatever, it means you do not care. People are using that you know. [03:10] bertl. I am now satisfied with the way the kernel evolves and the packaging you do and the support you give on the mailing list. Seems like you are 24 hours a day on it. [03:10] ahh you got me wrong there ... I never 'eliminated' or 'removed' anything ... and we never broke anything on purpose ... [03:11] Not your bertl. I have let you go on the kernel stuff, the site and so on and I am happy now [03:11] @jack okay, so you are not satisifed with the tools then, right? [03:11] The vserver project is both a small and big project. On the big side of it, it includes administration practice and so on [03:11] (yes the tool) [03:12] well, that is why I suggested to split the tools in at least two parts ... [03:12] The same way debian and redhat may have different way to approach solution and different goals, it seems vserver and util-vserver do have different goals. [03:13] Ok here is a proposition [03:13] and work together on that, because both approaches have advantages over the other ... [03:13] for example, I would not be happy with a one-value-per-file approach, enrico favours (he knows that), but I can see some advantages in doing so ... [03:13] Give me some time. During that time, both vserver and util-vserver will evolve following kind of each other. At some point, we will see how things should be done. [03:14] okay, sounds reasonable, is this okay for you too, enrico? [03:14] So to conclude (I will leave in a few seconds) [03:15] not a problem with me [03:15] Things are rolling again for me with this project. Some false starts and disagreement at the begining. [03:16] we will talk about that, and find a beneficial solution for everything ... [03:16] I will continue vserver stuff and kernel stuff for a while and we will reconsider. One dark/bright side of open source is the fork. The bright side is when the unfork is done :-) [03:17] okay, you will work on what? in the next time (kernel related?) [03:17] just to make sure, we are not working in parallel on the same feature ;) [03:17] Ok, again I have kind of found my confort zone in the new setup and I will cruise this way for a while [03:17] kernel: private loopback first [03:18] okay, if possible, have a look at the ipv6 stuff, this _is_ something requested often ... [03:18] vserver: security feature, trustable root vserver, general administration, monitoring [03:18] I will work on the virtual network interface, and see how far I can get ... [03:19] Anyway, have a good weekend. I am confident we will make a success of this whole thing. [03:19] some info regarding the kernel interface: we will move the rlimit stuff into a separate interface ... [03:19] BTW. Do you know the RMLL ? [03:19] No problem with rlimit [03:20] RMLL means? [03:20] It is a french (france) event in Bordeaux. It is the libre software meeting. This is the fifth year. This is completly open [03:21] Open means free like free beer. [03:21] ahh good, no I don't know it ... [03:21] Basically, they are inviting speakers and various people (generally from europe) atttend. [03:21] I have been there for the last four event in july. [03:22] I expect to be invited again this year. I suggest you register for a talk on vserver this year. Check rmll.org to see when you can register. We can meet there maybe. [03:22] sounds interesting ... I'll see if it's possible ... [03:23] no problem with rlimit means: Yes go for it. [03:23] RMLL can sponsor your trip there btw. [03:23] hmm rmll.org gives funny result ... [03:23] maja|ipv6 (maharaja@ipax.tk) left irc: Read error: Connection reset by peer [03:24] Anyway, I have to leave now. The netid things is interesting to say the least. Maybe I will find a way to plug that while doing the private loopback stuff. [03:24] hehe, red mountain little league! [03:24] try lsm.abul.org [03:25] okay, have a nice weekend ... [03:25] Anyway, we will talk about the rmll later. I think they open for speaker in January [03:25] bye [03:25] jack (~jack@route3.unigiciel.com) left irc: Quit: using sirc version 2.211+KSIRC/1.2.4 [03:26] okay, enrico, how do we proceed regarding the cap_bset for vserver? [03:28] new_cap = ((cap & CAPCTX_PCAP) ? ~0 : cap) & mask [03:29] hmm, please elaborate ... [03:29] mask is passed in the syscall command ... [03:29] cap are the caller's capabilities, mask the syscall parameter, and new_cap the new capability [03:30] second 'cap' should be the ctx-cap [03:30] ctx_cap = ((cap & CAPCTX_PCAP) ? ~0 : ctx_cap) & mask [03:30] ahh okay ... so you 'allow' changes if a special per context CAP_PCAP is set? [03:30] yes [03:31] so it would be new_cap = ((ctx_cap & CAPCTX_PCAP) ? ~0 : cap) & mask , right? [03:32] yes [03:32] okay, and how (if at all?) do we propagate this? [03:32] where to propagate? [03:33] okay, I have a cap_bset per context ... in the current implementation [03:33] this is set by the 'initial' new_s_context ... [03:33] and used for cap change limitations ... [03:33] yes, as new_cap = ctx_cap & ~CAPCTX_CAP [03:33] new_permitted = cap_intersect(bprm->cap_permitted, current->cap_bset); [03:35] okay, maybe we should look at some use-cases ... [03:35] usually we have the --secure capset right? [03:36] people often add CAP_NET_RAW and CAP_RESOURCE *shudder* and CAP_SYS_ADMIN .... [03:36] these caps will be removed between create and migrate [03:36] (or better: create and activate) [03:37] well, yes, they actually are used everytime the capability set is changed ... [03:38] let us ignore the finer grained per context capability set for now ... [03:38] somebody adds CAP_NET_RAW for vserver xyz ... [03:39] no, he can not add it [03:39] well, he could add it to cap_bset ... [03:39] cap_bset contains caps of parent [03:40] no, cap_bset is per context ... [03:40] he can remove ~(xxx & CAP_NET_RAW) from it only [03:40] yes, the caps of the parent context [03:41] intersected with process caps [03:42] * The formula used for evolving capabilities is: [03:42] * [03:42] * pI' = pI [03:42] * (***) pP' = (fP & X) | (fI & pI) [03:42] * pE' = pP' & fE [NB. fE is 0 or ~0] [03:42] * [03:42] * I=Inheritable, P=Permitted, E=Effective // p=process, f=file [03:42] * ' indicates post-exec(), and X is the global 'cap_bset'. [03:42] and the global cap_bset is now per context ... [03:43] what is the value of pI? [03:45] I assume process Inheritable ... [03:45] mmh, new ctx caps must be initialized to process caps of parent. caps of parent ctx are not interesting [03:45] and the issue is, the 'per context' cap_bset is actually a per task feature ... with some kind of 'inheritance' ... [03:46] (in the current implementation) [03:47] I guess this is the result of 'not having' a context info for the host context ... [03:47] sounds complicated... [03:49] it has advantages if you use the reducecap as standalone, Iguess ... [03:50] okay, I see no reason to modify/break that, but we could for example allow to raise/lower that for specific pids .. or for all pids of a context, what about that? [03:50] btw: how can I enable the /proc/virutal interface? I am running 2.4.23 with 1.1.6 but do not see it [03:50] is is not there ... that was an experimental patch ... [03:51] I still have some issues regarding visibility and permissions ... [03:52] I do not see an application for that, and it complicates things. But when you want to keep backward compatibity it is ok [03:54] okay, so we do a syscall to set (or lower?) the cap_bset for a process, right? [03:55] and after 'new context' you just call/use that ... [03:55] before/after migrate ... [03:56] or what do you have in mind? [03:59] yes, I would do this [04:00] lower only I assume ... [04:00] but syscall should be named 'set' ;) [04:00] okay ... [04:00] and now for the per context capabilities ... [04:01] would there a difference? [04:01] yes ... because they _are_ stored in the context info ... [04:01] and will be used/referenced via this path ... [04:02] so they _can_ change on the fly, and _will_ be available immediately ... [04:03] mmh, what happens with cap_bset of a process which migrates? [04:03] good question ... I assume it is unchanged ... [04:03] this must be prohibited [04:03] that's a security risk [04:03] then we have to move it to the context ... [04:05] but this _will_ break the reducecap ... [04:07] why? reducecap is operating in current ctx only [04:08] reducecap is lowering the the capabilites for the 'current' process ... [04:09] and as a sideeffect it can change the flags of a context ;) [04:09] no, it calls vc_new_s_context(-2,remove,flags) and then execv(). [04:10] yes, and? [04:10] this changes caps of current ctx [04:11] you think? well look at this ... [04:11] + /* We keep the same vx_id, but lower the capabilities */ [04:11] + current->cap_bset &= (~vc_data.remove_cap); [04:11] + ret = current->vx_id; [04:11] and current means 'current process' ... [04:12] then, reducecap is redundant with libcap tools [04:12] not exactly ... [04:12] (and can be removed) [04:12] it sets an upper bound to all capabilites ... which can change on suid for example ... [04:15] and capset cannot ignore those caps either ... [04:16] mmh, I do not understand this... [04:16] me neither ;) [04:17] but it is a fact, that the cap_bset is per task, and the reducecap changes this ... and sometimes the flags too ... which should be separated anyway ... [04:19] I would make cap_bset part of the context_info structure and set process caps based on it [04:22] well, depends on how you see that, as a 'context' feature, or as a 'process' feature , so I would suggest to move the flags, and add per context capabilities, which can only be lowered ... (for vserver in vserver) and use that to 'mask' the process capabilities (on migrate) and similar ... [04:23] the per-process feature and suid-issues are unrelated to vserver [04:23] we split them into 'linux cap mask' and 'vserver cap mask' (the subcaps) [04:24] what would be 'vserver cap masks'? [04:24] you had a look at the capabilities? for example CAP_NET_ADMIN ... [04:25] ah, you mean for the virtual interface [04:25] this isn't suitable for vserver ... too much in one capability ... [04:25] ok, when you really can differ between them... [04:25] you want to allow interface configuration for example ... but not clearing stats ... [04:26] or promisc mode, but not multicast ... [04:26] or routing tables but not masquerading ... etc ... [04:27] but here we should really think about cooperation with other projects (lsm, selinux) [04:27] so I intend to add capabilities like the QUOTA_CTL to this, instead of the linux capabilities ... [04:28] per context, not per task ... [04:29] are 32/64 bit enough for the mask ;) [04:29] so you can for example give CAP_NET_ADMIN but it would only allow a subset ... [04:29] for which one, the vserver features or the capability mask? [04:30] you intended vserver features [04:30] hmm, Alex said 32 bit at most, I'm not so sure ... I would like to have 64 bit ... [04:31] but this is something which can be changed/extended easily ... [04:31] so we can start with 32 bit and add in 32 bit chunks if required ... [04:33] ok [04:34] what I'm not sure is, should they limit or extend the linux caps ... [04:35] what I mean, consider XCAP_MULTICAST and XCAP_PROMISC ... [04:36] should CAP_NET_ADMIN automatically give BOTH, or would CAP_NET_ADMIN only allow the selected .... [04:36] I tend to favour the latter, this way you could remove the linux caps in the vserver ... [04:38] yes, in the way you would get problems with initialization semantic [04:39] s!way!other way! [04:40] okay, so we have to 'define' a 'and the remaining' for each cap we break up into smaller pieces ... (if there are remaining features) [04:41] so XCAP_MULTICAST and XCAP_PROMISC would require XCAP_NET_ADMIN_REM for everything else ... or do you have a better idea? [04:43] keep it as-is, but add 'if (!isVcCapable(XCAP_MULTICAST)) return -EACCESS;' to the multicast operations [04:43] you can not come to this place without CAP_NET_ADMIN [04:44] hmm, right, but if I don't want the rest, I would do, what? [04:45] I have to add this check to every CAP_NET_ADMIN check anyway ... [04:47] there won't be another option... [04:47] can we reuse SELinux features there? [04:48] not sure ... maybe ... but it isn't in 2.4 yet ... [04:48] these activities must/will be checked by policies so there must be an interface [04:49] 2.4 is uninteresting for such features... [04:49] concentrate on 2.6 and backport which is senseful [04:49] well, as I see it, we will still have 6-9 months with 2.4 (regarding vserver, at least) [04:51] I would be happy to include such things as grsec and selinux into 2.4 but the patches are not really up to date ... [05:05] hmm, actually the 2.4.20-lsm patch doesn't hgive such a number of rejects ... about 10 actually ... [05:07] do you know anybody who would test se-linux + vserver stuff? [05:08] I mean on 2.4 ... [05:10] I will test selinux, but on 2.6 only [05:10] hmm, would be interesting to see how se-linux works _with_ vserver .. but I guess we'll see that soon enough ... [05:11] vserver functionality is based on linux capabilities which are a separate LSM module in 2.6 [05:12] will this module conflict with selinux? [05:12] riel meant that LSM modules are not stackable... [05:14] well, I'm not sure that we have to choose this path ... vserver could be based on _any_ security feature available .. as long as it allows to limit on a per process base (which is what vserver does) [05:27] okay, enough for today ... have a good night ... [05:28] Nick change: Bertl -> Bertl_zZ [05:30] Simon (~sgarner@apollo.quattro.net.nz) joined #vserver. [07:06] click (click@gonnamakeyou.com) joined #vserver. [07:06] anyone awake? [07:06] :) [07:13] mm [07:17] i've installed a vserver on one of my debian gw-boxes, and use internal 192.168.x.x addresses for allocating them as servers internally, but while trying to fetch packages from some deb-mirror it refuses to find the hosts it asks for. [07:19] ---- [07:21] Methos (mike@203-109-238-105.ultrawholesale.com.au) joined #vserver. [07:21] HI all [07:24] any one here who could answer a question ? [07:26] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Read error: Connection reset by peer [07:30] Methos (mike@203-109-238-105.ultrawholesale.com.au) left irc: [07:33] micah (micah@micha.hampshire.edu) left irc: Remote host closed the connection [07:33] micah (micah@micha.hampshire.edu) joined #vserver. [07:41] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver. [07:46] Simon (~sgarner@apollo.quattro.net.nz) left irc: Quit: so long, and thanks for all the fish [08:31] shuri (~ipv6@cpu183.adsl.qc.bellglobal.com) left irc: Quit: ipv6 [08:50] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 480 seconds [11:56] serving (~serving@213.186.191.12) left irc: Ping timeout: 496 seconds [12:34] JonB (~jon@129.142.112.33) joined #vserver. [13:03] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver. [13:03] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Remote host closed the connection [13:04] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver. [13:04] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Client Quit [13:15] aggh [13:16] herbert, do you have any tips on compiling a 2.6.0 kernel that will work with qemu? [13:16] i know you use it, i have seen your mails to the qemu-devel mailing list :) [13:17] i'm using qemu-5.0, linux-2.6.0-test9, rusty's qemu-page-offset patch and a .config based on the one that comes with the qemu linux-test tarball [13:17] the linux-test kernel/image boots and runs perfectly [13:17] but my kernel just...doesn't [13:37] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver. [13:37] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Client Quit [13:39] kestrel_: try again ? [13:43] jon, i've compiled so many times today, with so many different combinations... :( [13:44] kestrel_: okay, i didnt know you had tried other options [13:44] kestrel_: how far does it get ? [13:47] serving (~serving@213.186.189.157) joined #vserver. [13:48] i get no output at all from the kernel [13:48] but qemu is actually running because i can use C-a h, etc. to get qemu help [13:49] have you successfully run 2.6.0 under qemu jon? [13:50] kestrel_: i think i compiled it, but i dont think i ever got to run it in my vmware [13:50] bugger [13:50] god it's annoying me [13:51] it's most annoying because i know qemu works with 2.5.74 (the kernel that comes with the qemu linux-test) [13:51] but not for me! [13:53] what is this qemu thingy ? [13:53] it's an x86 cpu emulator, vaguely similar to bochs or vmware [13:54] so you can run a linux "server" inside its own virtual machine [13:54] why not use bochs ? [13:54] perfect for testing kernel patches, etc. [13:54] bochs is as slow as molasses [13:54] sure is [13:54] oh [13:54] well, vmware then ? [13:55] i'll resort to vmware if i have to, but i'm so damn close to getting qemu to work :) [13:55] and i know herbert has it working, because of his mails to the qemu-devel list [13:55] what makes qemu better ? [13:55] http://fabrice.bellard.free.fr/qemu/ [13:55] it doesn't really emulate the code it's running, it tries to translate it to host cpu instructions [13:56] so if you're running i386 on ppc, it will try to convert the i386 code it is executing into ppc instructions [13:56] cool, because i want a ppc [13:56] heh :) [13:57] not sure how solid the ppc code is, i think it is just being worked on now [13:58] it's very cool though [13:58] yeah [13:58] and it is free [13:58] thats good [13:58] definitely [13:58] can i limit the memory usage ? [13:58] yep [13:58] -m [13:59] what about dual cpu ? [13:59] can it simulate that ? [13:59] err, good question...i don't think so [13:59] hmm :( [13:59] bochs can, as you probably know [13:59] no i didnt [13:59] yeah...up to 32 cpus i believe [14:01] how permanently does it translate the code ? [14:01] from reading the docs, it seems that it has a 2MB cache of translated code [14:01] it is not persistent afaik [14:01] ok [14:02] i'm pretty sure herbert uses it for developing vserver [14:02] i tried to use uml, but the 2.6 support is not good [14:03] that would be nice [14:03] oh well, food time [14:04] okay, ciao [14:19] g'day people :) [14:22] got a small and annoying problem here running a vserver, anyone able to lend a hand? [14:22] click: what is the problem ? [14:25] serving (~serving@213.186.189.157) left irc: Ping timeout: 492 seconds [14:25] CLICK! [14:25] i'll draw it, as it's a bit better to see it that way... ------ [14:26] okay [14:26] I added a vserver on the gw, with a local intranet address [14:27] the same as the ethernet at the inside of the machine ? [14:27] it can ping correctly out, but any dns-queries to external dns-servers fails, it just tries over and over again [14:27] yep [14:27] eth0 = external [14:27] eth1 = internal [14:27] it has no access to the outside [14:27] well, it does ping the outside [14:27] that part works well, but any dns-queries fails [14:27] ping is different [14:28] your issue is not vserver related [14:28] hm. so I need to add a new route throught the original interface ? [14:28] but a NAT thingy [14:28] either you need to nat local process too [14:28] (linux kernel option) [14:28] ah, adding lo to the table? [14:29] or, assign a different local ip address for the vserver, and set up a NAT for that ip as well [14:29] dunno about adding lo [14:29] the local NAT assignment is 192.168.1.111-199 for the normal systems in the net, and 201 for the vserver [14:30] with the gw set to the same gw the rest of the NAT'ed net uses [14:30] i think you need a static NAT for the vserver [14:30] yeah [14:30] -j MASQUERADE does not work for vservers [14:31] aaaah [14:31] you need to SNAT to the outbound interface [14:31] that'll explain it. [14:31] it's a pita [14:31] *ponder*... [14:31] why cant i find the NAT local connections in the kernel any more ? [14:32] how annoying, that means that I can't play with the vserver contect on the gw without forcing it to use SNAT/DNAT [14:33] click: just do it for that particular vserver [14:33] click: if you are smart, you assign 192.168.2.x to your vservers, and make one static nat line for the entire /24 [14:34] I'll test at once *rewriting the config* [14:37] kestrel_: i wonder if ping -p 2b2b2b415448300d works on you [14:38] dunno [14:38] what is it? :) [14:39] http://www.daht.com/articles/ath0.htm [14:39] bloody modems [14:40] give it a try jon [14:40] hm. [14:40] hmm, i guess it did work [14:40] hmm [14:41] guess not [14:41] :) [14:41] good [14:41] i saw your pings get dropped by my firewall [14:41] but my modem must not be susceptible [14:42] Action: kestrel_ wipes a bead of sweat off his brow [14:42] which modem do you have ? [14:43] i don't know the model...it's one i bought in the uk and it's hiding behind my desk [14:43] okay [14:44] aaah lovely [14:44] SNAT worked like a dream [14:44] thanks :) [14:45] good :) [14:45] click: soon you'll love vserver [14:45] I love it already :) [14:45] i've used it much in the mainframe, but that was without the NAT/SNAT part [14:45] what mainframe? [14:45] thus, I was a bit confused due to that it didn't support masquerading [14:45] the mainframe is running æinux? [14:46] yep [14:46] s/mainframe/main system [14:46] oh [14:46] i thought you had a S/380 [14:47] my my, that would be nice wouldn't it? :) [14:47] i tried to make it run on the company's 380, didn't quite work as planned - dumped :) [14:47] kestrel_: it sure would [14:47] running a vserver on a 380, which was already emulated throught the hw... gosh :)( [14:48] hehe [14:48] s/380 cheats a little, it has hardware support for virtualisation [14:48] mmm, fun [14:48] that would be a insane idea :) [14:48] click: when you said you tried, did you mean vserver, or linux ? [14:48] what's the performance like on a node in an s/380? [14:48] vserver(ctx) [14:48] kestrel_: _fast_ [14:49] comparable to...? [14:49] click: i think you should talk to Bertl_zZ about vserver on S/380 [14:49] when he gets back that is [14:50] kestrel_: ran at 2ghz (after forcing an adjustment on the 380's context management) [14:50] nice [14:50] i'd like one of those under my desk [14:50] or perhaps that should read..."crushing my desk" [14:51] kestrel_: better that than your foot [14:51] this is true [14:52] i wish herbert would wake up and bless me with his qemu knowledge [14:53] bloody sleep, how much better would it be if we could stay awake and hack all the time [14:53] hm, clocks at somewhere around 4k bogomips with the setup we've got [14:53] click: bogomips are ... well bogo [14:53] yerp [14:53] kestrel_: i've heard about a pill that takes away your sleep without any side effekts (so far non known) [14:54] i reckon that's pretty unlikely [14:54] maybe for one or two days at a time, but what happens to the toxin build up in your system? [14:55] what toxin ? [14:55] generally your kidnies and liver removes toxins round the clock [14:56] i believe, and i'm no expert, that sleep lets your body remove toxins from your system [14:56] kestrel_: besides i ment with no side effects like loosing concentration and stuff like that [14:56] i know i definitely feel like that if i don't get enough sleep...sore joints, sore muscles, etc. [14:56] ah, okay [14:56] or that you have to sleep much longer when you finaly go to sleep [14:56] that would be kind of cool [14:56] like coffee, but better :) [14:58] kestrel_: it sure sounds promissing [14:59] i find caffeine no longer has much of an effect on me, probably because i have drunk too much over the years [14:59] kestrel_: but now you cant live without it [15:00] hehe [15:00] wooooh [15:00] next up must be integrating vserver and grsec [15:00] grsec? [15:00] didn't the WOLK-patch do that? [15:00] grsecurity [15:04] hm, vserver as a honeypot... [15:04] interesting [15:04] be okay unless they got root [15:05] they would soon figure it out i suspect, due to the limited capabilities [15:05] well, doing it this way : [15:05] kestrel_: and ? [15:05] kestrel_: by then you know where the hole is [15:05] vserver_main > vserver > logging goes to another logging vserver [15:05] all traffic logged to a locked vserver [15:06] then you'd have to hack two vservers to clean up [15:07] the primary server and the logging server juist contains the 'barebone' to keep it up, without outside access, ecept for logging [15:07] *except [15:08] jon: that's true [15:08] *testing* [15:20] Action: kestrel_ twiddles his thumbs waiting for herbert [15:22] kestrel_: better change directions regulary [15:23] FSCK!!!! kgroupware is annoying [15:23] true, we don't want rsi to set in [15:23] what is kgroupware? [15:23] www.kolab.org [15:23] the client part [15:24] they have some debian packages [15:24] how ever, they require kdelibs4 and libqt3-mt [15:24] and i have NOT been able to find a set of kdelibs4 and libqt3-mt packages that does not remove the other [15:25] ah [15:25] that is aggravating [15:25] yes [15:25] i have experienced similar things under debian [15:26] well, i only have this problem because i dont use official packages [15:26] but the official packages does not give me the support i want [15:26] of course [15:26] try source perhaps? [15:28] you mean compile? [15:29] Action: kestrel_ nods [15:29] i prefer binary packages because the source might install the wrong place [15:29] use checkinstall, it will generate a .deb from your source build [15:29] then if you don't like it you can nuke it [15:30] ...like a normal package, with dpkg -r [15:30] checkinstall is a goodfriend of mine [15:30] euhm? good friend! [15:30] damn straight, it's awesome [15:30] oh, and how do i get that? [15:30] it's almost a requirement under slackware :) [15:30] apt-get install checkinstall :) [15:30] and how does checkinstall know what files the build needs ? [15:31] it tracks the install process [15:31] and generates a .deb from that [15:31] the process is: ./configure && make && checkinstall [15:31] nice [15:31] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver. [15:31] 'checkinstall' does a 'make install', tracking what gets installed [15:31] it's a godsend [15:32] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Client Quit [15:32] allright, source it is [15:32] :) [15:32] thanks guys [15:33] Action: kestrel_ has successfully used his awesome powers of persuasion for the greater good! [15:33] ;) [15:33] np jon [15:33] either of you guys used 'arch', the revision control system? [15:34] nope, but there was a discussion about that kind of systems in here not that long ago [15:35] what was the outcome? [15:35] that neither was good enough [15:35] neither arch nor subversion? [15:35] one isnt free [15:35] the other has other trouble [15:36] bitkeeper is not free [15:36] ah [15:36] it was arch/usbversion [15:36] hmm [15:36] i've used cvs in the past [15:36] it was plenty good enough for my use, but i wasn't doing anything tricky with it [15:37] cvs has problems with binary files [15:37] yeah [15:37] and file renames, directories...etc. [15:40] and spaces in file names [15:41] Action: kestrel_ is downloading arch to give it a try [15:45] hm, this was a bit weird... [15:47] ? [15:48] just poking around with the cap_restrictions [15:49] cap_restriction_speak [15:50] hm, I'm sure I saw a vserver+grsecurity implementation somewhere... now, I just can't remember where I found it... *checking* [15:53] serving (~serving@213.186.190.247) joined #vserver. [16:04] JonB (~jon@129.142.112.33) got netsplit. [16:04] apw (~apw@212.104.150.41) got netsplit. [16:04] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit. [16:04] ccooke (~ccooke@80.1.164.238) got netsplit. [16:04] Medivh (ck@62.93.217.199) got netsplit. [16:04] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit. [16:04] Bertl_zZ (~herbert@MAIL.13thfloor.at) got netsplit. [16:04] kestrel_ (~athomas@dialup51.optus.net.au) got netsplit. [16:04] sannes (ace@sannes.org) got netsplit. [16:04] sladen (paul@starsky.19inch.net) got netsplit. [16:06] Bertl (~herbert@MAIL.13thfloor.at) joined #vserver. [16:06] JonB (~jon@129.142.112.33) returned to #vserver. [16:06] apw (~apw@212.104.150.41) returned to #vserver. [16:06] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver. [16:06] ccooke (~ccooke@80.1.164.238) returned to #vserver. [16:06] Medivh (ck@62.93.217.199) returned to #vserver. [16:06] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver. [16:06] kestrel_ (~athomas@dialup51.optus.net.au) returned to #vserver. [16:06] sladen (paul@starsky.19inch.net) returned to #vserver. [16:06] sannes (ace@sannes.org) returned to #vserver. [16:06] hmm interesting ... [16:06] Bertl: yes ? [16:07] Bertl: click has a S/380 he tried to run vserver on [16:07] herbert, what is the trick to running your own kernels with qemu?!?! [16:07] i can not for the life of me get a 2.6.0 kernel running with qemu [16:07] Jon S/380? cool, but no support yet, I assume ... [16:07] bertl: didn't work [16:07] hi click, you still want to make it work? [16:08] @kestrel you have to patch a simple patch, get it from my Experimental page ... or was it Suff? [16:08] would have been interesting [16:08] /s/Suff/Stuff/ [16:08] @click you can test on that machine? [16:09] on a context-server, yeah, no probs [16:09] mmm, okay [16:09] @click are you on the channel in lets say 20 minutes? [16:09] I've decided to hang here for a long time :D [16:09] okay, brb .. have to get something to eat first ;) [16:10] Nick change: Bertl -> Bertl_oO [16:10] oooh, found the ctx+grsec patch... [16:10] *repatching the prodserver* [16:11] so...what is the patch called? a search for qemu turns up zip [16:12] kestrel_: a_simple_patch.tgz ? [16:12] ah, disregard..Stuff [16:12] no jon, that's not it [16:12] kestrel_: did you try googling on his homepage? [16:13] found it! yay! [16:14] kestrel_: cool [16:15] Bertl_zZ (~herbert@MAIL.13thfloor.at) got lost in the net-split. [16:24] righto, let the qemu compile commence [16:25] Action: click recompiles the prod-servers kernel [16:25] 7msg guichtong one more oper-attempt and you're k-lined, remove that script [16:26] ops [16:26] ooh, nasty :) [16:26] click: we wanna see blood [16:26] heheh [16:26] damn compiling QT takes a long time, and after this there is kde too :/ [16:26] just a user that keeps on connecting, and each time he connects, his/her script tries to oper up [16:27] fed up seeing it through the logs [16:27] yeah, all of it c++ [16:27] i guess i better start saving for Tyans quad opteron board [16:27] slooooooooooooooow [16:27] click: what network is that on? [16:27] mmmm, quad...yum [16:27] kestrel_: linknet [16:27] click: isnt it just "*click* and he's k-lined?" [16:28] kestrel_: but not cheap :/ [16:28] jonb: hehe, well, I was tempted, but I try to avoid being a total bofh, I give a single warning first [16:28] don't fight the urge click, just do it [16:29] click: make it so [16:29] [14:27:15] desolée [16:29] [14:28:49] iam don't remove my automatic scripts [16:29] what does desolee mean anyway? [16:29] then bathe in the warm fuzzy feeling of having introduced some punk to the joys of k-lining [16:29] beats me...french? [16:29] yep, french [16:30] Nick change: Bertl_oO -> Bertl [16:30] okay, click, can you tell me anything about this architecture? [16:30] click: http://www.insultmonger.com/ [16:31] righto, qemu...bring it on [16:31] http://www.insultmonger.com/swearing/french.htm [16:31] bertl: not much, I'm just a simple admin [16:31] AGGH [16:32] bertl: the system is a std. equiped 380 [16:32] okay, you compiled a kernel for that one? [16:32] yeah, did all the compilation-work on it [16:33] okay, I assume this is some variant of s390 then, right? [16:33] it's little brother actually [16:33] :) [16:33] in basic it's a 390 with some stripped hw [16:33] herbert: what is the latest 2.6 kernel you have working with qemu and can i have your .config? :) [16:33] I see s390 and s390x in the kernel arch dir, which one is linked? [16:33] 390 [16:34] @kestrel ... of course, sec ... [16:34] @kestrel 2.6.0-test9 was working, 10,11 not tested yet ... [16:35] hmmm [16:35] bloody thing [16:35] i applied rusty's patch as well as yours...correct? [16:35] you found my qemu patches? [16:35] yep [16:35] Stuff/QEMU [16:35] okay, only mine, not rusty's ... [16:35] ah, okay [16:35] Action: kestrel_ will revert rusty's [16:36] and you have to enable qemu in the menu config ;) [16:36] http://vserver.13thfloor.at/Stuff/L26.config [16:36] yep, i have done that [16:36] this is the minimal? config for 2.6 [16:36] excellent, you are a god among men [16:37] I use qemu without sdl/x11 ... by the way ... [16:37] me too [16:38] i think i compiled with --without-sdl [16:38] or similar [16:39] you used the http://vserver.13thfloor.at/Stuff/QEMU/qemu-enable-2.6.x-new.diff I hope ... [16:39] indeed i did [16:40] have you submitted that patch to the qemu guy? [16:40] okay, they changed something between pre3 and per4 ... [16:40] yes, I think I did ... hmm maybe ;) [16:40] hehe [16:40] so i noticed from the mailing list [16:40] the location of the linker script (?) [16:41] i think that was it [16:41] quite some time has passed since ;) [16:41] heh [16:41] okay, repatched and recompiling [16:41] hey herbert, what source control system do you use? [16:41] i just downloaded arch and am about to give it a whirl [16:42] currently I'm using cvs but I would like to switch to arch ... [16:43] tried sv once, but wasn't convinced ... [16:43] no? [16:43] i have heard good things about arch [16:44] some guys in lkml seem to sing its praises quite frequently [16:44] yeah, me too ... that is why I would like to test it ... [16:45] is arch free ? [16:45] yup, GNU free ... [16:46] it's full name is gnu-arch :) [16:47] good [16:47] /tmp/cc2t5YbM.s:925: Warning: value 0x67ffffff truncated to 0x67ffffff [16:47] how odd [16:48] truncated to the same value :\ [16:48] hm, seems like there's no specific grsec+ctx patches avail... [16:48] okay i'm beginning to understand why kgroupware is not more widely used... it's HARD to install [16:48] jonb: splone [16:48] click: ? [16:48] HERBERT!!!!! [16:48] YOU ARE A GOD!!!!! [16:48] jonb: might be somethign to look at if you're looking for some groupware-thingie, tho' I haven't tested it myself yet [16:49] click: oh, why thankts [16:49] -t [16:49] click: google for splone groupware revealed nothing [16:50] @kestrel hmm, that might explain the rain clouds circling over my head ... [16:51] i'll check, might be that I miswrote the projects name. gimme a sec [16:51] :) [16:51] it worked! [16:51] aaah nvmd [16:51] its a cmr [16:51] cms! [16:51] plone [16:51] not splone [16:52] ahhm we are back to the community stuff/wiki engine ... [16:53] click: cms is not the same [16:53] that is a beautiful thing herbert, thank you! :) [16:53] i know, I was thinking groupware, forgot that plone was just a CMS [16:53] click: okay [16:54] checked FM for any others than kgw? [16:54] (freshmeat) [16:54] click: well, kgroupware is so far the only one that can talk to kolab (free groupware server) [16:55] hm, I read an article about something else that integrated to it... [16:55] *checking my bookmarks* [16:55] @click you compiled 2.4.23-rc5-vs1.1.6 ? [16:56] bertl: not on the mainframe, I've downloaded it to one of the boxes at home tho' [16:56] okay .. get it and add http://vserver.13thfloor.at/Experimental/patch-2.4.23-rc5-s390.diff [16:56] and see if it works ;) [16:56] will do [16:58] hmm, nope, not the best idea ... sec ... [17:00] click: well, most can use it as a default imap server, but i want more [17:00] click: and then there is outlook with plugins [17:01] @click okay, if you already downloaded the patch, please reload ... [17:03] herbert, i see you mentioning gdb a lot regarding qemu...does it work at all? [17:04] yes, I tantalized fabrice ... so he implemented it ... [17:05] ah, great stuff [17:06] you have to connect via port 1234 and specify the -s option ... [17:06] i assume you use qemu for developing vserver? [17:06] yeah, i noted that in the documentation [17:06] well, I use it for _testing_ it ... [17:07] and the distinction is? [17:07] development is done with cscope, vi and brain ;) [17:07] by the way, the brain is mine ... *G* [17:08] mkay [17:08] i was assuming that testing was part of development [17:08] Action: kestrel_ shrugs [17:09] hmm, well, good coding doesn't need testing, and if you listen to Linus, testing can be outsourced .... [17:09] aaaaaargh! [17:09] *recompiling* [17:09] huh? [17:09] man, i so don't agree with that [17:09] forgot to add the patch [17:10] *shrug* I'm getting old. [17:10] click: *grin* [17:10] @click stop! [17:10] *frozen!* [17:10] patch it, and just do make bzImage modules .... [17:10] no make clean or something like this ... [17:10] will take about 20 secs to compile ... [17:10] 13.4 [17:10] :) [17:10] clocked it [17:11] i think linus was probably not saying that you don't need testing, more that making random changes and testing it until it works is not good development methodology [17:12] well, if you work according to Linus philosophy, you don't need a debugger at all ... (not that I agree with that, as you know) [17:12] yeah, me either :) [17:13] click: my compile is more like 13 hours [17:13] 13 hours!!! [17:14] ccache and distcc are godsends [17:14] kestrel_: the only other machine i have is a dual p200mmx [17:15] that's two more cpu's!!! :) [17:15] jonb: heh, lowrange systems == long compiles :) [17:15] kestrel_: no, thats 2 paperweights [17:15] hehehe :) [17:15] click: true, but i dont think that my athlon 1600+ and 1280MB ram is a lowrange system [17:16] @jon well depends on the perspective ... [17:16] Bertl: yes [17:16] last time on lkml I read a posting that ps is really slow on a 512 processor machine at SGI ... [17:17] heh [17:17] well, the correct reply was only a few minutes later ... 'nobody except you will ever notice ;)' [17:18] sgi tried to flog us a 64-cpu server running linux, at my work [17:21] sleep time, thanks for the help with qemu herbert [17:21] Nick change: kestrel_ -> kestrel_Zzz [17:22] my pleasure ... [17:22] @click what is the status? [17:23] seems to compile correctly, got to clean up a few bits and bobs in the kernel as well [17:24] hmm, okay so you are not at the booting stage, yet ;) [17:24] not yet, going for it in a few, just have to do my job too :) [17:24] no problem ... take your time ... [17:25] does a dual machine half compile time ? [17:25] jonb: no [17:25] if used properly, yes ... [17:25] jonb: depends if the compiler can use SMP properly [17:25] click: gcc [17:25] no, depends on the -j option to make ;) [17:26] bertl: true, number of jobs [17:26] bertl: I tend to underestimate users when explaining :/ [17:26] *grin* [17:26] click: me too [17:27] guess it has to do with that i've been too long into the support/admin-sections [17:27] @click BOFH type? [17:27] bertl: *cough* no comment - I try not to, but it's hard :D [17:27] click: ever made someone cry ? [17:28] jonb: both myself, a customer and someone at sales [17:28] click: why yourself ? [17:29] a real bummer, I erased my own testuser account, and forgot to move some stuff from it - well, didn't cry but I was a wee bit pissed off [17:29] oh [17:29] and, as normal... big admins don't backup [17:29] i hate when that happens [17:51] click : big as in fat? heh.. tought it was something along the lines .. hard men never takes backups but cries alot.. [17:51] and real men, put it on a webserver, and let the world mirror it ;) [17:52] Bertl : but who puts it back into the wiki? [17:52] :> [17:52] Bertl: i would, but RIAA and MPAA is not so happy when i do [18:01] [S]ushi (Sushi@pD9E34EAB.dip.t-dialin.net) joined #vserver. [18:01] <[S]ushi> hi [18:01] hi Sushi! [18:03] Action: JonB eats sushi [18:04] <[S]ushi> oh no [18:04] hum, thats not nice ;) [18:04] <[S]ushi> dont do it [18:04] <[S]ushi> try nemo instead of me [18:04] okay okay [18:05] <[S]ushi> is there a way/bugfix to add more than 16 ips to a vserver? [18:05] yes! [18:06] [S]ushi: thats alot, why do you need that many ? [18:06] <[S]ushi> its internal, LAN [18:06] [S]ushi: yes, but 16 ? [18:07] <[S]ushi> Bertl: and how to do it? [18:08] NB_IPV4ROOT is #defined to 16 ... just raise it ... [18:09] <[S]ushi> oh, i c (: [18:09] but the algorith, processing the packets is linear with the number of IPs on _every_ packet ;) [18:10] include/linux/vcontext.h is where it is defined ... by the way ;) [18:17] <[S]ushi> file doesnt exist :P [18:17] wrong version error ;) [18:17] which patch do you use? [18:18] <[S]ushi> 2.4.22-c17f [18:18] okay, please upgrade at least to vs1.00 ... [18:19] include/linux/sched.h (is the location) [18:19] I would advise to use vs1.1.6, because some bugs where fixed ... [18:22] <[S]ushi> okay, great help, thx [18:22] <[S]ushi> will try it [18:23] ur welcome ... [18:23] <[S]ushi> another question.. got a second small server with debian and 2.4.18-bf24 kernel [18:23] <[S]ushi> does this one work too? [18:23] work too means? [18:24] <[S]ushi> can I apply the patches to this kernel [18:24] nope ... [18:24] but there is a 2.4.22-3 debian kernel ... [18:25] and we have patches for that one ... [18:25] 2.4.18 might be older than the vserver project ;) [18:28] okay, it's not older, just verified 2.4.18 was release Feb/march 2002 ;) [18:29] <[S]ushi> "packages.debian.org is down at the moment. [18:29] <[S]ushi> " [18:29] <[S]ushi> damn [18:32] [S]ushi: yeah, it's annoying [18:33] @Sushi what do you need? only the kernel? [18:34] <[S]ushi> wanted to have a look at the infopage first [18:34] okay, can't help you there ;) [18:46] Nick change: [S]ushi -> [S]ushi`f00D [19:05] [S]ushi`f00D (Sushi@pD9E34EAB.dip.t-dialin.net) left irc: [19:24] shuri (~ipv6@cpu183.adsl.qc.bellglobal.com) joined #vserver. [19:34] hi shuri! [19:46] hi Bertl [19:47] how are you, any news? [19:48] i am fine little busy so i am not here often [19:48] but still use vserver [19:49] ahve you tested any recent patches? [19:49] i saw you conversation with jack yesterday [19:50] and, your opinion? [19:50] vrtual network device! [19:50] :P [19:51] i will test next dev patch with 2.4.23 [19:52] yeah, I was hoping that Gandalf would help a little, but I guess he is still running ... ;) [19:52] hahha [19:52] Linux 2.6.0 Expected In Mid-December [19:53] who would have guessed ;) (2.4 deja vu) [19:53] do you think vserver will be ready ? [19:53] shuri: no way [19:53] no .. not for production ... [19:53] shuri: there is no 2.6 testers [19:53] nobody is testing it ... [19:54] i did it [19:54] okay jon, please do the conversation for me ;) [19:54] haha [19:54] give me the patchs! [19:54] Bertl: okay, then you can concentrate on coding [19:54] i will test it! [19:54] i can be the 2.6 beta tester [19:54] shuri: one is not enough [19:54] ok [19:55] shuri: i'd like to test my self too, but i never seem to get the time :( [19:55] hey, that isn't the way I would do the conversation! *G* [19:55] http://vserver.13thfloor.at/Experimental/patch-2.6.0-test9-vs0.01.diff [19:55] Bertl: go back to coding ;-P [19:56] actually I'm testing the quota stuff, right now ... [19:56] Bertl i tested it [19:56] what, the new quota stuff? [19:56] but i dont know what to test with 2.6 [19:56] i cannot start a vserver [19:56] is not ready yet [19:57] well, you can use chcontext ... that works ... [19:57] hmpf, never let me near a zyxel router again [19:58] Action: Bertl notes, never let click near a zyxel router ... [19:58] just click it off [19:58] horrifying experience [19:58] i got to say I don't like zyxOS [19:58] thank god for cisco and junipers [19:59] well, people at Zyxel don't like it either ... [19:59] but you know, there is this strange 'compatibility' issue and the 'customer is used to it' phrase ... [19:59] figures, it's a pain in the ass to work with, at least on a serious base [20:00] yeah, the 'stupid users gets it their way' [20:00] same as with most desktop products from Redmont ... [20:01] *cough* :) no comment on that one [20:02] uname -a [20:02] Linux VS 2.6.0-test9 #2 SMP Tue Nov 18 02:56:53 EST 2003 i686 unknown [20:02] vserver-stat [20:02] CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME DESCRIPTION [20:02] 0 0 0B 0B m00.00 m00.00 m31.39 root server [20:02] VS:~# [20:02] try chcontext --ctx 100 true [20:02] chcontext --ctx 100 true [20:02] New security context is 100 [20:02] wow, it works ;) [20:03] hehe [20:04] any other test? [20:04] well, not really, I know that the /proc is somehow buggy ... [20:04] ok [20:04] but I haven't had time to fix it yet ... [20:05] ok [20:05] i shut down the server:P [20:05] the problem is, we will need new tools to handle 2.6 vserver ... [20:05] and I try to get a common interface for 2.6 and 2.4 ... [20:10] @shuri did you test the qh0.12 patches for 2.6 yet? [20:11] @click hmm, any news regarding the 380 kernel? [20:15] continuing later tonight, got a bucketload of work to complete first [20:19] click: work? on a saturday? [20:26] yup, got a project that's due before christmas [20:27] nasty [20:34] @click which year? [20:38] [S]ushi (Sushi@pD9E34EAB.dip.t-dialin.net) joined #vserver. [20:40] okay, seems that the quota/dlimit stuff is working, after all the changes I did ... fascinating ;) [20:48] <[S]ushi> primary language here is english? [20:48] yup ... [20:48] <[S]ushi> any other too? [20:48] what do you ahve in mind? [20:48] [S]ushi: what other language would you talk ? [20:49] <[S]ushi> just interested :P [20:49] <[S]ushi> as you can see "t-dialin.net" .... German ;) [20:49] you can talk german to me in private ;) [20:50] <[S]ushi> not necessary atm ;) [20:52] serving (~serving@213.186.190.247) left irc: Ping timeout: 492 seconds [21:13] serving (~serving@213.186.191.66) joined #vserver. [21:22] anybody interested in testing context quota/disk limits? [21:23] <[S]ushi> *still waiting for packages page* [21:23] Action: JonB stares at some interesting point at the wall... [21:24] <[S]ushi> JonB: ohhh bah.. spider at 10 o`clock [21:24] [S]ushi: hehe [21:25] <[S]ushi> brb.. disconnect [21:25] [S]ushi (Sushi@pD9E34EAB.dip.t-dialin.net) left irc: [21:30] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver. [21:30] hi mhepp! [21:30] Hi! [21:32] [S]ushi (Sushi@217.255.136.58) joined #vserver. [21:33] Bye! [21:33] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Client Quit [21:33] hmm, well, what shall I say :( [21:35] Bertl: boller fra kohberg [21:36] shuri (~ipv6@cpu183.adsl.qc.bellglobal.com) left irc: Read error: Connection reset by peer [21:37] @jon, are you reading insults.net again? [21:37] Bertl: no no [21:37] Bertl: this is just a stupid danish commercial [21:38] Bertl: i just cant do 3290878 things at once [21:39] Bertl: but testing is neasesary [21:39] hmm ... such a high load? [21:47] hm, boller, can't translate that to any closer than bun.. but that is all wrong.. rolls? .. hm [21:48] sannes: no, it is a bun [21:48] JonB : sure? it just doesn't "feel" right.. [21:51] sannes: well, boller is a fist sized piece of round white bread [21:52] and soft [21:52] i suppose that is a bun ? [21:54] but it is sweeter.. hm [21:54] you have a bun for your hamburgre, or hot dog or whatever.. [21:56] yeah [21:57] what is this with all these paris hilton spam mails i get ? [21:58] hmm, a misconfigured mail server on your side ;) [21:59] anyone got that? heh j/k [21:59] Bertl: heh, it does mark them as spam [22:26] <[S]ushi> cya [22:27] byebye ... [22:27] <[S]ushi> heute ist nicht alle Tage, ich komm` wieder... keine Frage! [22:28] well, next time you should use paulchen as nick ... [22:30] sempai ? [22:30] [S]ushi (Sushi@217.255.136.58) left irc: [22:41] linas (~linas@67.100.217.179) got netsplit. [22:41] mcp (~hightower@81.17.110.148) got netsplit. [22:41] mcp (~hightower@81.17.110.148) returned to #vserver. [22:41] linas (~linas@67.100.217.179) returned to #vserver. [22:41] Topic changed on #vserver by !nova.oftc.net: http://linux-vserver.org/ || latest stable 1.00, devel 1.1.6 [22:53] kestrel_Zzz (~athomas@dialup51.optus.net.au) left irc: Ping timeout: 480 seconds [23:16] kestrel_Zzz (~athomas@dialup51.optus.net.au) joined #vserver. [00:00] --- Sun Nov 30 2003