[00:12] #vserver: mode change '+o Bertl_oO' by ChanServ!services@services.oftc.net
[00:13] hey Bertl_oO
[00:18] [S]ushi (Sushi@pD9E34BAE.dip.t-dialin.net) joined #vserver.
[00:19] <[S]ushi> lo
[00:19] hey [S]ushi, lucky you, i just ate
[00:21] <[S]ushi> arg
[00:35] <[S]ushi> ...
[01:00] morning
[01:00] morning ?
[01:00] kestrelw: where do you live?
[01:02] australia, jon
[01:02] it is 9am in sunny (well, not exactly sunny) sydney
[01:03] <[S]ushi> well
[01:04] kestrelw: okay
[01:04] does anyone have any postfix knowledge?
[01:05] nope, sorry, i am an exim person myself
[01:06] kestrelw: me too, but i'm trying out kolab (www.kolab.org) ofc. inside a vserver, and kolab uses postfix :/
[01:09] ah
[01:09] kind of annoying
[01:13] any idea how i see why a unix socket didn't open ?
[01:15] it is inside a vserver ... are sockets separate between the servers ?
[01:18] Nick change: Bertl_oO -> Bertl
[01:19] hey Bertl
[01:19] hi all, short visit before I go to bed ...
[01:19] Bertl: now you are here
[01:19] any urgent questions?
[01:19] Bertl: i'll turn it into a loooong night ;-P
[01:19] <[S]ushi> hi Bertl
[01:19] Bertl: *grin* so far just one
[01:19] Bertl: are unix sockets separate between vservers
[01:20] hmm, the sock structure has a vx_id ... if that is your question ...
[01:21] you mentioned postfix .. what is the issue there?
[01:21] Bertl: dunno, i'm running postfix inside a vserver, and it does not deliver mail
[01:21] well, that is a problem between screen and chair ... ;)
[01:22] it is working for me without any issues ...
[01:22] Bertl: maybe, it does seem to complain about a socket
[01:22] status=deferred (connect to /kolab/var/kolab/lmtp[/kolab/var/kolab/lmtp]: read timeout)
[01:22] jonb: no problems here running postfix
[01:23] srwxrwxrwx 1 root root 0 Dec 1 23:00 /kolab/var/kolab/lmtp
[01:23] hi paul! do you have a minute?
[01:23] sladen: regular postfix, or kolab ?
[01:23] okay, i guess i'll mail the kolab people
[01:24] jonb: perfectly normal postfix--what on earth have the kolab people done to it?
[01:24] <[S]ushi> btw: http://www.debianforum.de/wiki/?page=Postfix+SMTP-AUTH
[01:24] postfix normally runs in a chrooted environment ...
[01:24] <[S]ushi> ;)
[01:24] sladen: dunno
[01:24] Bertl: okay
[01:25] sladen: i don't know postfix well enough
[01:25] <[S]ushi> just found it in my favourites
[01:28] @sladen, what was your last information status regarding virtuozzo?
[01:30] not very much; there are source dumps that people send me at:
[01:30] http://www.paul.sladen.org/vserver/aspcomplete/
[01:31] apw (~apw@212.104.150.41) joined #vserver.
[01:31] and a mirror of http://mirrors.paul.sladen.org/www.sw-soft.com/ that I was using to grap for stuff
[01:31] grep
[01:31] hmm, so they provide source to customers?
[01:40] bertl: I think these were from the era when they were being very open about it
[01:41] hmm, but according to GPL they have to provide the source for customers, right?
[01:41] if I actually knew somebody who was using it I'd be the first to ask them--and once upon a time I signed up for a test-drive on the site and a sales person kept pestering me--I should have got back, tried a shell and investigated what I could find
[01:42] bertl: they have to provide source to /you/, if they distribute it to /you/
[01:42] hmm, maybe we should simply search for somebody who uses this ...
[01:45] well, thanks for the information, paul ...
[01:47] Bertl: i think they have to give the source along, or a written offer valid for 3 years
[01:52] okay, any issues with 1.1.6 yet?
[01:54] well, you know, just let me know (via email) if something doesn't work as expected ...
[01:54] have a good whatever ...
[01:54] Nick change: Bertl -> Bertl_zZ
[02:00] jonb: source OR a written offer valid for 3 years
[02:00] jonb: the central point is that it only applies if /they/ distribute the compiled version to /you/
[02:03] sladen: no, i think the recent slashdot discussion mentioned something about everybody
[02:03] sladen: anyway i'm looking into my mail problem... and it is not postfix, but cyrus
[02:03] sladen: Dec 02 00:01:26 mail master[31501]: setrlimit: Unable to set file descriptors limit to -1: (1) Operation not permitted
[02:04] i wonder if this is because it is inside a vserver ?
[02:04] grrrgggh, more stupid software thinking that it has the rights to change its limits
[02:04] like bloody bind that tries to raise its own limits...
[02:05] sladen: the next line is
[02:05] sladen: Dec 02 00:01:26 mail master[31501]: retrying with 1024 (current max)
[02:05] Dec 02 00:01:26 mail master[31501]: set maximum file descriptors to 1024/1024
[02:05] so i think it is a little smarter than bind
[02:06] <[S]ushi> n8!
[02:10] indeed
[02:11] [S]ushi (Sushi@pD9E34BAE.dip.t-dialin.net) left irc:
[02:21] oh well, sleep time
[02:21] JonB (~jon@129.142.112.33) left irc: Quit: zzzzzz
[02:39] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[03:34] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Read error: Connection reset by peer
[03:39] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[03:39] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[04:08] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 480 seconds
[04:08] MrBawb (abob@63.100.31.204) got netsplit.
[04:19] MrBawb (abob@63.100.31.204) got lost in the net-split.
[04:35] mr
[04:43] apw (~apw@212.104.150.41) got netsplit.
[04:44] NeshHome (~dmistry@ool-4352413d.dyn.optonline.net) got netsplit.
[04:44] virtuoso (~shisha@ip114-115.adsl.wplus.ru) got netsplit.
[04:44] virtuoso (~shisha@ip114-115.adsl.wplus.ru) returned to #vserver.
[04:44] NeshHome (~dmistry@ool-4352413d.dyn.optonline.net) returned to #vserver.
[04:44] apw (~apw@212.104.150.41) returned to #vserver.
[04:45] NeshHome (~dmistry@ool-4352413d.dyn.optonline.net) left irc: Read error: Connection reset by peer
[04:48] hi
[04:48] anyone alive? :)
[04:49] been wondering if there's already a patch for 2.4.23
[04:49] bah, I should have checked the page ... only saw someone asking on the mailing list ;)
[04:51] YES
[04:51] as in, yes, i am alive
[04:59] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[05:31] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[09:56] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Read error: Connection reset by peer
[10:02] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[15:17] loger joined #vserver.
[15:25] serving (~serving@213.186.189.162) joined #vserver.
[15:47] loger joined #vserver.
[15:47] Medivh (ck@62.93.217.199) joined #vserver.
[15:47] BobR (~georg@oglgogl.BMTP.AKH-Wien.ac.at) joined #vserver.
[15:52] mcp (~hightower@81.17.110.148) joined #vserver.
[15:52] linas (~linas@67.100.217.179) joined #vserver.
[15:52] #vserver: mode change '+o mcp' by ChanServ!services@services.oftc.net
[15:53] matta (matta@tektonic.net) joined #vserver.
[15:53] virtuoso_ (~shisha@ip114-115.adsl.wplus.ru) joined #vserver.
[15:53] virtuoso (~shisha@ip114-115.adsl.wplus.ru) left irc: Read error: Connection reset by peer
[16:13] [S]ushi (Sushi@pD95127C0.dip.t-dialin.net) joined #vserver.
[16:13] <[S]ushi> re
[16:26] re sushi
[16:54] [S]ushi (Sushi@pD95127C0.dip.t-dialin.net) left irc:
[17:19] maja|ipv6 (maharaja@ipax.tk) joined #vserver.
[17:19] re
[17:19] Nick change: maja|ipv6 -> maja
[17:19] hi maja!
[17:20] hi bert
[17:38] loger joined #vserver.
[17:48] where is the capability system defined?
[17:49] you mean the docu for capabilities?
[17:49] or the capability checks in the kernel?
[17:49] Bertl: well, i'm trying to start cyrus inside a vserver (cyrus from kolab) and i get errors like
[17:50] Dec 02 15:46:11 mail master[2062]: setrlimit: Unable to set file descriptors limit to -1: (1) Operation not permitted
[17:50] Dec 02 15:46:11 mail master[2062]: retrying with 65536 (current max)
[17:50] Dec 02 15:46:11 mail master[2062]: process started
[17:50] Dec 02 15:46:11 mail master[2063]: about to exec /kolab/bin/ctl_cyrusdb
[17:50] ctl_cyrusdb: unable to init environment
[17:50] fatal error: can't read mailboxes file
[17:50] i've tried to update from 1024 to 65536 - no luck
[17:50] you mean the setrlimit?
[17:51] so now i thought i wanted to give it the capability it needed, and i'd like to know the name i need to give to vserver.conf. I figured i could read myself to that somewhere in the kernel
[17:51] okay, what you want is CAP_SYS_RESOURCE ...
[17:52] by the way, even though i have ULIMIT="-H -u 256 -n 65536" in the vserver.conf file, running ulimit -a inside the vserver reports 1024 and not 65536
[17:52] Bertl: thanks man
[17:52] but if this is a 2.4.22 kernel or later, it might be that this crap^H^H^Hfine piece of software doesn't know about the changes ...
[17:52] this is 2.4.21
[17:52] and i am a little worried about that local root exploit
[17:52] hmm, local root exploit *grin*
[17:53] not that i have any users
[17:53] but still
[17:53] someone from the outside might gain access :/
[17:53] mail:/# ulimit -a
[17:53] open files (-n) 1024
[17:53] should it not say 65536 ?
[17:54] try ulimit -Ha
[17:55] Bertl: that reports the correct 65536
[17:55] well, yes if you only set the 'hard' limit and not the 'soft' ...
[17:56] ULIMIT="-H -u 256 -n 65536"
[18:00] S_CAP="CAP_SYS_RESOURCE"
[18:00] -H = hard -S = soft
[18:00] i still get the Dec 02 15:54:42 mail master[2904]: setrlimit: Unable to set file descriptors limit to -1: (1) Operation not permitted
[18:00] Bertl: the S_CAP="CAP_SYS_RESOURCE" does not seem to work, or maybe i wrote it wrongly. (One of these days i'm gonna change the wiki to explain the .conf file, i can't be the only one not getting it)
[18:00] CAP_SYS_RESOURCE is correct ...
[18:00] but S_CAP is wrong, should be S_CAPS ;)
[18:00] Nick change: BobR -> BobR_oO
[18:00] ahh
[18:00] Bertl: util-vserver ought to barf
[18:01] hmm, whenever an unknown shell env variable is defined? I guess you won't sell that to enrico! ;)
[18:01] why not ?
[18:02] ever tried set?
[18:02] for setting a shell environment variable? yes i have
[18:03] but i was thinking of something that parsed .conf
[18:03] without arguments for checking what variables are set ..
[18:03] well it's a _shell_ script after all ... the way jack did it ...
[18:04] Bertl: and? the .conf file just needs to be parsed and fit into a definition
[18:04] go ahead ... do it ;)
[18:05] Bertl: i guess that would make me learn what can be written in the .conf files
[18:05] which would be a good thing
[18:06] I proposed a library which would be able to store/retrieve the config data in different formats, based on a property list, which is parsed easily ... for vserver ...
[18:06] Bertl: i think that would be useful
[18:06] but jack said, shell is better, and enrico is going to store every config option in a separate file ...
[18:07] hmm
[18:07] what about a python or perl script ?
[18:07] well, maybe shell and 1000 files aren't that bad 8-]
[18:07] *grin*
[18:11] Bertl: does the order in the .conf file matter ?
[18:11] i have a line, S_CAPS="CAP_SYS_RESOURCE"
[18:11] Dec 02 16:09:31 mail master[3363]: setrlimit: Unable to set file descriptors limit to -1: (1) Operation not permitted
[18:17] loger5 joined #vserver.
[18:18] loger (~loger@213.159.118.2) left irc: Ping timeout: 499 seconds
[18:18] Nick change: loger5 -> loger
[18:20] bash: ulimit: illegal option: -1
[18:20] ulimit: usage: ulimit [-SHacdflmnpstuv] [limit]
[18:21] No manual entry for ulimit :(
[18:21] man bash ;)
[18:21] and hard limits are set. The value of limit can be a number in
[18:21] the unit specified for the resource or one of the special values
[18:21] hard, soft, or unlimited, which stand for the current hard
[18:22] Bertl: it appears like it can not be set to -1
[18:28] Bertl: can i echo it somewhere into /proc ?
[18:31] loger5 joined #vserver.
[18:31] *pheww* ... try to _read_ the man pages ;)
[18:31] but first try # ulimit unlimited hard soft -n
[18:31] Bertl: was there a description of the CAP_SYS_??? somewhere ?
[18:31] Bertl: the man page of ? setrlimit ?
[18:32] linas (~linas@67.100.217.179) got netsplit.
[18:32] mcp (~hightower@81.17.110.148) got netsplit.
[18:32] CAPABILITIES(7) Linux Programmer's Manual CAPABILITIES(7)
[18:32] NAME
[18:32] capabilities - overview of Linux capabilities
[18:32] loger (~loger@213.159.118.2) got netsplit.
[18:32] virtuoso_ (~shisha@ip114-115.adsl.wplus.ru) got netsplit.
[18:32] matta (matta@tektonic.net) got netsplit.
[18:32] Nick change: loger5 -> loger
[18:32] Possible future nick collision: loger
[18:33] No manual entry for capabilities
[18:33] bad distro, just use mandrake .. *sorry*
[18:34] mcp (~hightower@81.17.110.148) returned to #vserver.
[18:34] #vserver: mode change '+o mcp ' by unununium.oftc.net
[18:34] linas (~linas@67.100.217.179) returned to #vserver.
[18:34] virtuoso_ (~shisha@ip114-115.adsl.wplus.ru) returned to #vserver.
[18:34] virtuoso (~shisha@ip114-115.adsl.wplus.ru) joined #vserver.
[18:34] setrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=RLIM_INFINITY}) = -1 EPERM (Operation not permitted)
[18:34] virtuoso_ (~shisha@ip114-115.adsl.wplus.ru) left irc: Read error: Connection reset by peer
[18:34] it seems that setting the file limit to unlimited isn't permitted at all ...
[18:36] on debian it is manpages-dev that contains setrlimit
[18:36] well, then install it ...
[18:36] already done that
[18:38] linas (~linas@67.100.217.179) got netsplit.
[18:38] mcp (~hightower@81.17.110.148) got netsplit.
[18:39] split as split can ... we all love to split now and then ;)
[18:43] matta (matta@tektonic.net) got lost in the net-split.
[18:43] linas (~linas@67.100.217.179) returned to #vserver.
[18:49] mcp (~hightower@81.17.110.148) got lost in the net-split.
[18:50] now i'm copying the files and i will try in the root server to see if it works there
[18:58] as expected, it didn't work in the root server either
[18:59] morrigan (~morrigan@MAIL.13thfloor.at) joined #vserver.
[18:59] Bertl: do your vserver patches limit, constrain or are they in any way related to the fact that not even the root server can run it as it is used to ?
[19:07] jonb: maybe you need some dev packages for the capabilities manpage
[19:08] JonB: dpkg -S capabilities.7.gz
[19:08] manpages: /usr/share/man/man7/capabilities.7.gz
[19:09] maja: i probably do, but it is not manpages-dev
[19:12] maja: at least not in woody
[19:18] linas (~linas@67.100.217.179) got netsplit.
[19:19] linas (~linas@67.100.217.179) returned to #vserver.
[19:20] in woody/sarge it is manpages
[19:20] apt-get install manpages
[19:20] done
[19:22] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[19:22] maja: dpkg -L manpages | grep -i capa
[19:23] no luck
[19:23] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Quit: Terminated with extreme prejudice - dircproxy 1.0.5
[19:26] morrigan (~morrigan@MAIL.13thfloor.at) left #vserver.
[19:28] @jon ad limiting: no, but you can try with vanilla kernel to make sure ...
[19:29] JonB: raoul@ipax:/usr/share/man/man7$ apt-cache policy manpages
[19:29] manpages:
[19:29] Installed: 1.60-3
[19:29] maybe you need an upgrade?
[19:30] maja: there is no newer manpage in woody
[19:32] i know, but i thought that you might have got 1.50-x or something ;)
[19:32] well, then i'm not able to help
[19:33] maja: no problemo
[19:33] mhm....
[19:34] DOH i should just have tried on my workstation (unstable) *smirk*
[19:34] JonB: http://ipax.tk/~raoul/jonb/
[19:34] mhm
[19:34] ok
[19:34] ;)
[19:36] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[19:37] hehe, signed patches on the wishlist ...
[19:39] maja: thanks
[19:40] what country is .tk ?
[19:41] Tokelau
[19:41] where is that ?
[19:42] From CIA World Factbook 2002 [world02]:
[19:42] Tokelau
[19:42]
[19:42] Introduction Tokelau
[19:42] --------------------
[19:42] Background: Originally settled by Polynesian
[19:42] emigrants from surrounding island
[19:42] groups, the Tokelau Islands were
[19:42] made a British protectorate in 1889.
[19:42] They were transferred to New Zealand
[19:42] administration in 1925.
[19:43] Geographic coordinates: 9 00 S, 172 00 W
[19:43] okay
[19:44] Area: total: 10 sq km
[19:44] cool...
[19:44] not big
[19:45] ha, I got local-NFS mounting working again with 1.1.6
[19:45] congrats ...
[19:45] the trick is the 'tcp' mount option
[19:45] but hey, you actually 'installed' it?
[19:46] I had to upgrade the kernel
[19:46] cause of the local root exp ...
[19:46] partly, yes
[19:47] with c17 patch, NFS mounting worked without tcp also
[19:48] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[19:48] so you mean there is a regression in udp?
[19:50] dunno, really strange things are happening. At the beginning of the transmission I see 'ftp -> morden' and 'ftp -> morden' NFS packages on lo. But then (after 1 MB transferred data), it becomes 'morden -> morden' and I get the NFS stalled messages)
[19:51] perhaps some NFS optimization in 2.4.23
[19:53] hey enrico, Is it possible for someone to exploit that from the VS and do
[19:53] stuff on the host server?
[19:53] I mean the local root exploit ...
[19:53] yes
[19:53] you can modify anything in kernel space
[19:55] is the patch out there somewhere for 2.4.21 ?
[19:56] Will this patch work for 2.4.22?
[19:56] if (!len)
[19:56] return addr;
[19:56] + if ((addr + len) > TASK_SIZE || (addr + len) < addr)
[19:56] + return -EINVAL;
[19:56] It should probably work the same for 2.4.21
[19:57] netrose: which file do i need to edit?
[19:57] mm/mmap.c
[19:57] http://linux.bkbits.net:8080/linux-2.4/diffs/mm/mmap.c@1.32?nav=cset@1.1148.2.2
[19:57] ensc: Do you think that patch will work? I got it off the web.
[19:58] netrose: yes, it should work
[19:58] Ok. Thanks.
[19:58] I upgraded all my machines to 2.4.23 and vs1.1.6 yesterday though, everything working fine till now ;)
[19:58] I wish there was any way to test if it really does fix the hole or not. Do you know if there is any test or exploit written for it?
[19:59] netrose, there is an exploit in the wild, that I know, but I couldn't get my hands on any code yet
[19:59] netrose: if it doesn't work there will be another patch
[20:00] Can someone write a test for it?
[20:01] netrose: "someone" already did
[20:03] netrose: just go through sys_brk and construct a value for brk() so that the condition holds
[20:04] Bertl: btw: it seems that secure chroots can be constructed with selinux
[20:04] hmm, how so?
[20:05] with a complicated ruleset
[20:05] dammit, why does TV always send kung-fu movies in the middle of the night :/
[20:06] a POC code listing was just submitted to the securityfocus list.
[20:06] I thought that the se-linux stuff will not work for vservers in vservers ...
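Review bot: the second clause `(addr + len) < addr` is the part that matters for the hole being discussed; `(addr + len) > TASK_SIZE` on its own is satisfied when the sum wraps around, so a `len` large enough to overflow the addition would still pass, and both clauses have to stay together. As pasted, the four lines carry no `@@` header, no file name and only one line of leading context (`if (!len) return addr;`), so they cannot be fed to patch(1) and must be placed by hand; the chat supplies mm/mmap.c and the bkbits diff link, and applying from that diff rather than from the pasted fragment avoids putting the check in the wrong function. After rebuilding, the test the chat itself suggests, a brk() request whose end wraps below its start, should come back with EINVAL rather than succeeding.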
[20:06] on Fedora rawhide, there is a policy-sources package which has a chroot_macros.te ruleset file
[20:06] It's an assembler listing
[20:07] by the way, shall we release the 1.20 vserver stable, or did anybody have any issues with 1.1.6 yet?
[20:08] Bertl: selinux seems to offer lots of functionality which is needed for vservers
[20:08] and i just compiled :(
[20:08] Bertl: could you make patches to upgrade from vs-1.0 to vs-1.2 ?
[20:09] Bertl: chbind seems to be the only vserver-feature which is not in selinux (yet)
[20:10] well, I guess we'll move development soon to 2.6 anyway ...
[20:10] now that Marcelo announced the feature freeze for 2.4 ...
[20:10] Bertl: what is the difference between vs-1.0 and 1.2 ?
[20:11] the current 1.1.6 will be released (with a minor bugfix in kill_ctx) as 1.2 ... so have a look at the changelog ...
[20:12] basically we fixed 2-3 (minor) bugs and added some features .;)
[20:12] Bertl: nice
[20:17] BobR_oO (~georg@oglgogl.BMTP.AKH-Wien.ac.at) left irc: Remote host closed the connection
[20:17] BobR (~georg@oglgogl.BMTP.akh-wien.ac.at) joined #vserver.
[20:22] BobR (~georg@oglgogl.BMTP.akh-wien.ac.at) left irc: Quit: leaving
[20:23] okay .. have to leave now ... cu l8er ...
[20:24] Nick change: Bertl -> Bertl_zZ
[20:24] Nick change: Bertl_zZ -> Bertl_oO
[20:37] matta (matta@tektonic.net) joined #vserver.
[20:37] JonB (~jon@129.142.112.33) left irc: Ping timeout: 480 seconds
[20:40] JonB (~jon@129.142.112.33) joined #vserver.
[20:45] bye
[21:45] JonB (~jon@129.142.112.33) left irc: Ping timeout: 512 seconds
[21:47] JonB (~jon@129.142.112.33) joined #vserver.
[21:48] JonB (~jon@129.142.112.33) left irc: Client Quit
[21:58] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[22:08] linas (~linas@67.100.217.179) got netsplit.
[22:08] linas (~linas@h-67-100-217-179.HSTQTX02.covad.net) joined #vserver.
[22:27] JonB (~jon@129.142.112.33) joined #vserver.
[22:45] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Read error: Connection reset by peer
[22:46] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[23:00] JonB (~jon@129.142.112.33) left irc: Remote host closed the connection
[23:01] JonB (~jon@129.142.112.33) joined #vserver.
[23:27] maja (maharaja@ipax.tk) left irc: Quit: leaving
[23:41] shaya (~spotter@dyn-wireless-244-16.dyn.columbia.edu) joined #vserver.
[23:41] Bertl_oO: you around?
[23:44] does anyone know how to use mdadm to create a raid-1 set out of two disks?
[23:44] one which already has data?
[23:48] micah: the trick is to mark the disk with data as failed
[23:48] then start the raid
[23:48] mkfs it
[23:48] copy data
[23:49] and put the disk into the raid
[23:49] micah: i know how to do it using mkraid
[23:50] JonB: yeah, me too :) I just didn't know how to do it with mdadm
[23:50] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[23:50] JonB: I think I will just use mkraid
[23:55] micah: okay
[23:57] NeshWork (~dmistry@su-nat.datapipe.net) joined #vserver.
[23:57] Bertttt
[00:00] --- Wed Dec 3 2003