[00:00] so you could load balance mail out to a pair of servers all delivering to the same nfs spool
[00:00] mrbawb: i want those moved as well
[00:00] I am not aware of anything in existence that will do that
[00:00] but obviously the demand is there :)
[00:01] mrbawb: i'm not talking about in existence, i'm looking for something that i can do as my master project
[00:01] ah
[00:01] mrbawb: and i was thinking about something that would allow me to move a vserver to a different physical machine, and reroute the network packets somehow
[00:02] re-routing the packets isn't a problem
[00:02] mrbawb: thinking an iptables that delayed/froze the packets, move of vserver, restart packets
[00:02] that is actually what you could do with LVS ...
[00:02] it's the state of the applications
[00:02] tcp will retransmit
[00:02] mrbawb: but move of vserver takes time
[00:02] you don't need to queue the packets
[00:02] true
[00:02] mrbawb: what about new connections while i move it ?
[00:03] yes, so you need to start it before bringing down the old vserver :)
[00:03] mrbawb: i want to catch those as well
[00:03] just rerouting isn't a good solution ...
[00:03] new connections can't be handled at the new vserver till all the state is moved over
[00:03] Bertl: i know, i have to move the future packets as well
[00:03] i know
[00:04] but think again like load balancing ...
[00:04] assume that you have 2 hosts and you are able to 'adjust' how much goes to A and B
[00:05] adjusting this to 100%/0% is the 'start' situation ... 0%/100% your 'moved' version ...
[00:05] as we know that load balancing works, and will not hurt existing connections ... that's what you want ...
[00:06] just keep in mind that anything you do will require lots of kernel modifications :)
[00:06] mrbawb: i know
[00:07] Bertl: oh, i get your point
[00:07] i was thinking of putting the userland processes to sleep
[00:07] and restarting them on the new computer, and then just open for the packets
[00:07] yeah
[00:08] freeze everything, move the state, unfreeze
[00:08] and since moving might take time
[00:08] that won't allow migration ...
[00:08] why not ?
[00:09] i would catch any packets for new connections and then send them when the vserver runs at the new place
[00:09] because you have to make sure that everything, down to the smallest detail is the same when the applications have been moved ...
[00:09] that's part of the state :)
[00:09] JonB: just simulate a network failure by dropping the packets :)
[00:09] Bertl: there is already a patch that makes you suspend to disk
[00:09] mrbawb: *grin* ofc
[00:10] Bertl: i just want to suspend a vserver only
[00:10] well, then the first part would be the ability to migrate a task (including files/ports/sockets) to another machine ...
[00:10] if that works, what seems not easy to me (not even *Mosix does this) ...
[00:11] you can address the 'simple' packet rerouting stuff ...
[00:11] Bertl: yes, and since the vserver uses a 192.168.x.y ip, then giving it the same files/ports/sockets would be easy
[00:11] and the lo device belongs to the specific vserver, so you are sure that all ports are free
[00:11] same with the eth device
[00:13] you don't know much about files and sockets yet, right?
[00:14] Bertl: is it that obvious ;-P
[00:14] Bertl: they have a unique number, right ?
[00:25] Last message repeated 1 time(s).
[00:25] well, if that would be the only thing ...
[00:26] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[00:26] you have partially mapped parts for each file, and structures/buffers/inodes ... etc ...
[00:26] not to talk about file descriptors and that you have to match/position them for the task ...
[00:27] Bertl: suppose that the files are not mapped into memory ?
[00:27] on sockets there are bindings and packet queues ... and such stuff ... the task might be waiting on such things via select ... for example
[00:28] Bertl: until it is needed on the new host
[00:28] the files could be mapped, in which case you would have to do the exact same mapping ...
[00:28] position... isnt that saved in the program ?
[00:28] Bertl: but yeah i get your point
[00:29] have a look at the 'kernel' structures storing this information, and think about how you could move that to a different machine ... (I don't say it's undoable, it's just much work to do)
[00:30] okay, have to leave now ... will be back later ...
[00:30] Bertl: work for 2 people for 6 months ?
[00:30] Bertl: aka a master project ?
[00:30] i have to write a report about it too
[00:31] depends on the people (Linus and Al Viro, maybe ;)
[00:31] Nick change: Bertl -> Bertl_oO
[00:31] ouch
[01:12] serving (~serving@213.186.191.194) joined #vserver.
[01:16] mhm
[01:17] i found a problem with an iptables accounting program
[01:17] maharaja: wrong channel ?
[01:17] it uses pthreads and somehow thinks it cannot be initialised inside the vserver
[01:17] it perfectly works outside
[01:17] are there any capabilities i need to have inside the vserver for a working iptables setup?
[01:18] iptables currently isn't virtualized per vserver
[01:18] jonb: nope ;)
[01:18] so what does that mean?
[01:18] so you'd either need to grant access to all of iptables or none
[01:18] and it's at none right now
[01:18] i c
[01:19] thank you :)
[01:19] probably just a capability to grant will give the vserver access to it
[01:20] it will now or it will in the future?
[01:21] CAP_NET_ADMIN should do it
[01:21] like: am i able to accomplish it somehow with v1.1.6
[01:21] or do i have to wait/hack it by myself
[01:21] that has a few other side effects
[01:22] morning
[01:22] worth considering if you want to give a vserver access to mess with the network config
[01:23] which capability is it?
[01:23] CAP_NET_ADMIN
[01:24] and what are the side effects?
[01:24] the vserver is allowed to change network settings, iptables
[01:26] affecting all the processes on the whole box
[01:31] ic
[01:31] thnx :)
[01:42] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[01:43] kestrelw (~athomas@o2rosock0a.optus.net.au) left irc: Quit: brb, apt-get dist-upgrade time
[02:23] Bawb (abob@swordfish.drown.org) joined #vserver.
[02:23] mrbawb (abob@sparky.dok.org) left irc: Quit: -> bawb
[02:23] Nick change: Bawb -> MrBawb
[02:46] kestrelw (~athomas@o2rosock0a.optus.net.au) joined #vserver.
[03:05] Nick change: Bertl_oO -> Bertl
[03:05] cool, vskel is quite useful
[03:06] MrBawb: what does it do ?
[03:07] JonB: makes a copy of the parent server as a skeleton for new vservers
[03:07] @dan thanks for the output!
[03:07] Bertl: np
[03:07] @dan you are evaluating vskel?
[03:07] yup
[03:07] I approve :)
[03:08] MrBawb: i prefer debiannewserver.sh from mr. Sladen
[03:08] JonB: ah, does it handle unification?
[03:08] @dan please verify for me that the 'resulting' server has sane/secure /dev entries ...
[03:08] MrBawb: no
[03:09] $ ls /dev | wc -l
[03:09] 11
[03:09] MrBawb: but, you have to handle unification at a later point when you upgrade
[03:09] full, log, null, ptmx, pts, random, reboot, shm, tty, urandom, zero
[03:09] JonB: ah, ok
[03:10] I like the idea of just cloning an on-disk install
[03:10] MrBawb: how would you do that ?
[03:10] hmm reboot and shm is?
[03:10] shm is a dir
[03:10] reboot is a socket from rebootmgr
[03:10] I added shm
[03:10] ahh okay ...
[03:11] so people still use rebootmgr ...
[03:11] JonB: it takes the parent install and copies it into /vserver/.skel/[name]
[03:11] MrBawb: copies or hardlinks ?
[03:11] JonB: copies
[03:11] the vserver installs use hardlinks
[03:12] MrBawb: okay, i thought it hardlinks
[03:12] so you have one copy for your parent server and one copy for all of your unified vservers
[03:12] Bertl: is there a replacement for rebootmgr?
[03:12] MrBawb: what when there is a security update?
[03:13] JonB: that's tricky
[03:13] you update the skel and all the vservers
[03:13] and then you have to re-unify them
[03:13] MrBawb: why not just run that script continuously ?
[03:14] @dan, sure, people bugged me that they want the userspace helper replacement ... I added it in vs1.1.4 or so ... there was a posting how to use it ...
[03:14] as in, install the vserver again?
[03:14] MrBawb: especially if it is customers that install the security updates themselves
[03:14] Bertl: ah, ok. I'll go look for it
[03:14] MrBawb: no, the script that unifies
[03:14] oh, the unification process is disk-intensive
[03:15] running it every night or so would be okay if you didn't have that much content
[03:16] i would separate content and system
[03:16] like /vserver//var/www is not processed
[03:16] same with log
[03:16] and ...
[03:16] but /usr is
[03:17] yeah, that'd be a good policy
[03:19] MrBawb: i suppose that there is a difference between whether or not you expect the vservers to be customers that update them, or yours
[03:19] if they were yours, you would know when you needed to run the re-unify script
[03:20] anyway, i think i'll go to bed
[03:20] JonB (~jon@kg188.kollegiegaarden.dk) left irc: Quit: zzz
[03:34] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[03:39] Nick change: apw -> apw-zzz
[04:50] Nick change: Bertl -> Bertl_zZ
[04:56] grepmaster-afk (~chatzilla@66-101-59-73.oplnk.net) left irc: Quit: ChatZilla 0.8.31 [Mozilla rv:1.4/20030813]
[07:10] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Quit: Trillian (http://www.ceruleanstudios.com)
[07:10] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[07:11] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Client Quit
[07:13] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[07:50] [1]James (~James@ip68-96-180-27.lv.lv.cox.net) joined #vserver.
[07:50] <[1]James> hello all
[08:11] kestrel (~athomas@dialup51.optus.net.au) left irc: Ping timeout: 480 seconds
[08:22] micah (micah@micha.hampshire.edu) left irc: Ping timeout: 500 seconds
[08:31] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) got netsplit.
[08:31] MrBawb (abob@swordfish.drown.org) got netsplit.
[08:31] sannes (ace@sannes.org) got netsplit.
[08:31] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit.
[08:31] Medivh (ck@62.93.217.199) got netsplit.
[08:31] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[08:32] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) returned to #vserver.
[08:32] MrBawb (abob@swordfish.drown.org) returned to #vserver.
[08:32] Medivh (ck@62.93.217.199) returned to #vserver.
[08:32] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver.
[08:32] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[08:32] sannes (ace@sannes.org) returned to #vserver.
[08:53] sannes (ace@sannes.org) left irc: Ping timeout: 480 seconds
[08:53] sannes (ace@sannes.org) joined #vserver.
[09:00] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[09:00] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit.
[09:00] Medivh (ck@62.93.217.199) got netsplit.
[09:00] MrBawb (abob@swordfish.drown.org) got netsplit.
[09:00] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) got netsplit.
[09:00] serving (~serving@213.186.191.194) got netsplit.
[09:00] apw-zzz (~apw@212.104.150.41) got netsplit.
[09:00] CosmicRay (~jgoerzen@glockenspiel.complete.org) got netsplit.
[09:00] click (click@gonnamakeyou.com) got netsplit.
[09:00] say (~say@212.86.243.154) got netsplit.
[09:00] maharaja (maharaja@ipax.tk) got netsplit.
[09:00] matta (matta@tektonic.net) got netsplit.
[09:00] linas (~linas@h-67-100-217-179.HSTQTX02.covad.net) got netsplit.
[09:00] [1]James (~James@ip68-96-180-27.lv.lv.cox.net) got netsplit.
[09:00] netrose (~john877@CC3-24.171.21.47.charter-stl.com) got netsplit.
[09:00] Bertl_zZ (~herbert@MAIL.13thfloor.at) got netsplit.
[09:00] sannes (ace@sannes.org) got netsplit.
[09:00] kestrelw (~athomas@o2rosock0a.optus.net.au) got netsplit.
[09:00] mcp (~hightower@wolk-project.de) got netsplit.
[09:00] ensc (~ircensc@ultra.csn.tu-chemnitz.de) got netsplit.
[09:01] click (click@gonnamakeyou.com) returned to #vserver.
[09:01] say (~say@212.86.243.154) returned to #vserver.
[09:01] maharaja (maharaja@ipax.tk) returned to #vserver.
[09:01] linas (~linas@h-67-100-217-179.HSTQTX02.covad.net) returned to #vserver.
[09:01] matta (matta@tektonic.net) returned to #vserver.
[09:01] Bertl_zZ (~herbert@MAIL.13thfloor.at) returned to #vserver.
[09:01] #vserver: mode change '+o Bertl_zZ ' by arion.oftc.net
[09:01] netrose (~john877@CC3-24.171.21.47.charter-stl.com) returned to #vserver.
[09:01] Topic changed on #vserver by ChanServ!services@services.oftc.net: http://linux-vserver.org/ || latest stable 1.00, devel 1.1.6
[09:01] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) returned to #vserver.
[09:01] MrBawb (abob@swordfish.drown.org) returned to #vserver.
[09:01] Medivh (ck@62.93.217.199) returned to #vserver.
[09:01] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver.
[09:01] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[09:01] Topic changed on #vserver by !arion.oftc.net: http://linux-vserver.org/ || latest stable 1.00, devel 1.1.6
[09:01] [1]James (~James@ip68-96-180-27.lv.lv.cox.net) returned to #vserver.
[09:01] #vserver: mode change '-o Bertl_zZ' by ChanServ!services@services.oftc.net
[09:02] serving (~serving@213.186.191.194) returned to #vserver.
[09:02] apw-zzz (~apw@212.104.150.41) returned to #vserver.
[09:02] CosmicRay (~jgoerzen@glockenspiel.complete.org) returned to #vserver.
[09:02] sannes (ace@sannes.org) returned to #vserver.
[09:02] kestrelw (~athomas@o2rosock0a.optus.net.au) returned to #vserver.
[09:02] mcp (~hightower@wolk-project.de) returned to #vserver.
[09:02] ensc (~ircensc@ultra.csn.tu-chemnitz.de) returned to #vserver.
[09:15] kestrel (~athomas@dialup51.optus.net.au) joined #vserver.
[09:37] [1]James (~James@ip68-96-180-27.lv.lv.cox.net) left irc: Ping timeout: 512 seconds
[09:42] micah (micah@micha.hampshire.edu) joined #vserver.
[09:51] iceberg (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Ping timeout: 480 seconds
[09:52] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[10:10] [1]James (~James@208.186.78.254) joined #vserver.
[10:32] JonB (~jon@kg188.kollegiegaarden.dk) joined #vserver.
[10:53] micah (micah@micha.hampshire.edu) got netsplit.
[10:53] micah (micah@micha.hampshire.edu) returned to #vserver.
[10:58] micah (micah@micha.hampshire.edu) left irc: Ping timeout: 512 seconds
[11:23] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[11:23] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit.
[11:23] Medivh (ck@62.93.217.199) got netsplit.
[11:23] MrBawb (abob@swordfish.drown.org) got netsplit.
[11:23] MrBawb (abob@swordfish.drown.org) returned to #vserver.
[11:23] Medivh (ck@62.93.217.199) returned to #vserver.
[11:23] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver.
[11:23] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[11:24] <[1]James> hello?
[11:35] hi
[11:43] Morning guys.
[11:44] Did they rename sys_call_table[] in 2.4.22 or have I missed something?
[11:51] <[1]James> no idea
[11:58] I've written a workaround module for the recent mm/mmap.c/do_brk vulnerability and it loads into 2.4.20 perfectly, but for 2.4.22 it complains of undefined symbol sys_call_table.
[12:12] [1]James (~James@208.186.78.254) left irc: Quit: HydraIRC -> http://www.hydrairc.com <- The dawn of a new age
[12:18] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[12:18] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit.
[12:18] Medivh (ck@62.93.217.199) got netsplit.
[12:18] MrBawb (abob@swordfish.drown.org) got netsplit.
[12:18] MrBawb (abob@swordfish.drown.org) returned to #vserver.
[12:18] Medivh (ck@62.93.217.199) returned to #vserver.
[12:18] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver.
[12:18] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[12:37] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[12:37] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit.
[12:37] Medivh (ck@62.93.217.199) got netsplit.
[12:37] MrBawb (abob@swordfish.drown.org) got netsplit.
[12:38] MrBawb (abob@swordfish.drown.org) returned to #vserver.
[12:38] Medivh (ck@62.93.217.199) returned to #vserver.
[12:38] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver.
[12:38] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[12:45] TamaPanda (~a@193.173.84.237) joined #vserver.
[12:45] morn
[12:45] hey TamaPanda
[12:45] hm i just tried something in vserver.. maybe someone could clarify
[12:46] yes ?
[12:46] after ssh'ing to a vserver, i did fdisk... it could write the partition, but not read (but of course, after writing the damage is already done)
[12:46] or did it fake 'write' it?
[12:46] dunno, try it
[12:46] stop using swap
[12:47] change swap from swap to a linux
[12:47] how do i stop swap? :)
[12:48] swapoff
[12:48] but, before you try this
[12:48] tell me what capabilities your vserver has
[12:48] i specified no additional capabilities
[12:50] let me see your .conf file please
[12:51] 6 lines, want it in here?
[12:52] sure
[12:52] ok i changed swap partition type to linux
[12:52] lets see if it holds after a reboot
[12:52] IPROOT=eth0:192.168.2.152
[12:52] IPROOTDEV=eth0
[12:52] S_HOSTNAME=steelsoul
[12:52] S_NICE=15
[12:52] S_FLAGS=lock sched
[12:52] ULIMIT=-H -u 1000
[12:52] okay, no extra capabilities
[12:53] okay, now, use top to see if you have any swap
[12:53] it has to boot first :)
[12:53] use top in the real server
[12:53] of course
[12:54] hm takes longer than usual
[12:55] can't ssh yet
[12:56] is this the real server or the vserver ?
[12:56] real
[12:56] ah there is the login prompt :)
[12:56] the vserver doesnt auto-start yet
[12:56] ok i have a top.. what is the swap thing?
[12:57] hm
[12:57] it held
[12:57] what number is just left of swap ?
[12:57] what held ?
[12:57] no swap, and cfdisk shows 2 linux partitions
[12:57] are they in usage ?
[12:57] well i rebooted the entire server
[12:57] so i guess so...
[12:58] mount
[12:58] are they used ?
[12:58] which vserver are you running ?
[12:59] /dev/hdc2 on / type ext2 (rw)
[12:59] devpts and proc
[12:59] no hdc1 ?
[12:59] no, but top still says it has 512MB swap (the size of the original partition)
[12:59] maybe if i completely removed the partition...
[13:00] no
[13:00] it never really showed swap in mount for me anyway
[13:00] look in /etc/fstab and tell me where swap is
[13:00] hdc1
[13:01] /dev/hdc1 swap swap defaults 0 0
[13:01] how far are you from the server ?
[13:01] hm.. a city away. It is sitting in my bedroom, i'm at work :)
[13:02] not really a biggy if it 'poop's
[13:02] is it your ass if it doesnt come back up again ?
[13:02] okay
[13:02] fdisk -l /dev/hdc
[13:02] in a verserver or in root?
[13:03] s/ver/v
[13:03] root
[13:03] /dev/hdc1 1807 1868 498015 83 Linux
[13:03] /dev/hdc2 * 1 1806 14506663+ 83 Linux
[13:04] swapoff /dev/hdc1
[13:04] partitions are not in disk order.. swap is the last 512MB of the disk
[13:04] top shows swap 0
[13:04] swapoff /dev/hdc1
[13:04] (after swapoff)
[13:04] okay
[13:05] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver.
[13:05] and now?
[13:06] enter the vserver
[13:06] there
[13:06] fdisk /dev/hdc
[13:06] mind if i cfdisk? i like it better :)
[13:07] just delete swap?
[13:07] no
[13:07] change the partition type of the swap device from linux to swap
[13:07] swap is number 82 (if i remember correctly)
[13:08] ok done
[13:08] it now has linux ext2 and linux swap
[13:08] save
[13:08] Wrote partition table, but re-read table failed. Reboot to update table
[13:09] reboot
[13:09] the real server
[13:09] when it comes up again, let me know the output of fdisk -l /dev/hdc
[13:09] its rebooting..
[13:10] *pompompom*
[13:10] ;)
[13:11] /dev/hdc1 1807 1868 498015 82 Linux swap
[13:11] /dev/hdc2 * 1 1806 14506663+ 83 Linux
[13:11] NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
[13:11] seems to have been changed
[13:11] heh
[13:11] 'bye bye security'
[13:11] ;)
[13:11] okay, are you _SURE_ you were inside the vserver ?
[13:11] yes
[13:11] okay
[13:11] you want to have a go yourself?
[13:12] i can give real root and vserver root if you want
[13:12] no, i want to know something else
[13:12] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[13:12] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit.
[13:12] Medivh (ck@62.93.217.199) got netsplit.
[13:12] MrBawb (abob@swordfish.drown.org) got netsplit.
[13:12] sure
[13:12] enter your vserver
[13:12] Jonny (~oseufer@interner.SerNet.DE) joined #vserver.
[13:12] ls -la /dev/hdc
[13:12] vserver web enter
[13:12] New security context is 49152
[13:12] root@steelsoul:/# ls -la /dev/hdc
[13:12] brw-rw---- 1 root disk 22, 0 Jun 9 2002 /dev/hdc
[13:13] okay, now, rm -rf /dev/hdc
[13:13] done
[13:13] then mknod hdc b 22 0
[13:13] inside the vserver
[13:14] in /dev dir or anywhere?
[13:14] root@steelsoul:/dev# mknod hdc b 22 0
[13:14] mknod: `hdc': Operation not permitted
[13:15] Hello, I think there is a wrong behaviour in the vserver patch. When you connect from a vserver to 127.0.0.1 the destination is set to the vserver address, but the source is still 127.0.0.1. I think it's a problem in route.h. Where can I send a patch or a mail?
[13:15] vserver@list.linux-vserver.org
[13:15] or talk it over with bertl here
[13:16] TamaPanda: okay, so the problem is that you had the entry in /dev
[13:16] hm so what devices are 'safe' to have there?
[13:16] MrBawb (abob@swordfish.drown.org) returned to #vserver.
[13:16] Medivh (ck@62.93.217.199) returned to #vserver.
[13:16] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver.
[13:16] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[13:16] TamaPanda: my suggestion is that you write an email to the list where you ask if the only way to prevent a vserver from doing this fdisk is by removing the entry in /dev
[13:17] do you run debian ?
[13:17] slack
[13:17] 9.0 with 2.4.23 kernel, vserver 1.1.6
[13:17] okay, i think you should use the new vskel util
[13:17] it makes a skeleton from your root server
[13:18] in mine i have full log null ptmx pts random shm tty urandom xconsole zero
[13:18] created with Mr. Sladen's debiannewserver.sh
[13:18] i'm not sure that the vserver should have access even if the /dev entry is there
[13:18] ...
[13:19] well it can not read..
[13:19] apparently
[13:19] heh
[13:19] no, it can read
[13:19] else you wouldnt know what the partition table was
[13:20] right, but the fdisk utility says it cant
[13:21] it says it can re-read it
[13:21] it says this because it tells the kernel that the partition has been updated
[13:22] and the kernel then either says "okay' using new" or "sorry, error, reboot"
[13:22] ah so it can't 'activate' it
[13:22] but it says re-read
[13:23] well, that doesnt matter, because if you did this in the real server, it would say the same
[13:23] ok
[13:24] the kernel just says "sorry, error" if it has mounted partitions
[13:26] anyway, email, but dont say it is a bug
[13:26] would it be possible to make a device node without mknod?
[13:26] just ask if it is supposed to be like this
[13:26] i dont think so
[13:27] also ask what about devfs
[13:27] Nick change: apw-zzz -> apw
[13:29] vserver@list.linux-vserver.org?
[13:29] yes
[13:29] do i need to be on the list?
[13:30] apw (~apw@212.104.150.41) left #vserver (Client exiting).
[13:31] i think so, but you could also just ask on this channel later tonight
[13:31] serving (~serving@213.186.191.194) left irc: Ping timeout: 492 seconds
[13:33] i'll just register on the list
[13:33] okay, i think that the option is just to remove the dev entries, but i'm not sure
[13:35] mount inside a vserver does show a different "device" mounted as /
[13:35] i cant see why it should have access to any other blockdevices
[13:35] hm it doesnt here
[13:36] root@steelsoul:/# mount
[13:36] devpts on /dev/pts type devpts (rw,gid=5,mode=620)
[13:36] proc on /proc type proc (rw)
[13:36] /dev/hdc2 on / type ext2 (rw)
[13:36] /dev/sda1 on / type ext2 (rw,errors=remount-ro)
[13:36] this is inside my vserver
[13:36] hm irc client doesnt like /
[13:37] and it is ide disks
[13:37] outside vserver: /dev/hdc2 on / type ext2 (rw)
[13:37] i know
[13:37] it was inside i was thinking at
[13:37] inside vserver: /dev/hdc2 on / type ext2 (rw)
[13:38] in another it is /dev/hdv1 on / type vfs (none)
[13:38] hm werent you using lvm ? :)
[13:40] i am
[13:40] all vservers have their own LV
[13:40] 2 of them are encrypted
[13:48] mail sent
[13:53] lets see what happens :)
[13:58] for now i just removed the nodes i dont need
[14:41] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Quit: Tak ja padaaaaM
[14:50] JonB (~jon@kg188.kollegiegaarden.dk) left irc: Quit: Client exiting
[15:03] BobR (~georg@149.148.78.13) joined #vserver.
[15:11] Nick change: Bertl_zZ -> Bertl
[15:12] hi everyone!
[15:13] hi
[15:14] it seems my root from vserver got pooped :)
[15:14] hm no.. too hasty.. its just using 100% cpu heh
[15:14] 13:17:47 up 2:04, 2 users, load average: 78.29, 376.77, 823.43
[15:15] hmm, what processes are running/active?
[15:15] no idea i let someone play with it with the intent to b0rk it :)
[15:16] i'm talking to him now heh
[15:16] did you use nproc/sched ?
[15:16] but i guess this could be avoided by applying quotas
[15:16] well i have sched in the config but when i start a vserver it has /usr/local/sbin/vserver: line 11: sched: command not found
[15:17] huh?
[15:17] could you provide the config?
[15:17] maybe i just forgot something..
[15:17] the config of the vserver i run or..
[15:18] yes
[15:18] hm i pasted it in here before.. 6 lines
[15:19] IPROOT=eth0:192.168.2.152
[15:19] IPROOTDEV=eth0
[15:19] S_HOSTNAME=steelsoul
[15:19] S_NICE=15
[15:19] S_FLAGS=lock sched
[15:19] ULIMIT=-H -u 1000
[15:19] okay, I search ...
[15:19] ahh okay ... you need quotes around "lock sched"
[15:19] oh
[15:19] and same for the ULIMIT ...
[15:20] i just copy/pasted the site thing
[15:20] the/a
[15:20] oh boy... haha
[15:20] hmm, funny .... it is normal shell syntax, so X=1 2 gives
[15:20] you bash: 2: command not found
[15:20] that guy ran a fork/disk thing.. keep forking and filling the disk :)
[15:21] exactly the things i knew i didnt look at yet haha
[15:23] it seems its not shutting down the vserver
[15:23] note: disk full, processes most likely depleted
[15:23] you need some 'new' features to do this ...
[15:24] Bertl: quota thing?
[15:24] vs1.1.6 allows to send a signal to each process of a context ...
[15:24] serving (~serving@213.186.190.25) joined #vserver.
[15:24] this way you could SIGSTOP or SIGTERM them ...
[15:24] i did vserver web stop
[15:24] but i guess that tries it the 'nice' way
[15:25] how can i shutdown a vserver with a kill command then? the vserver doesnt appear in my ps list
[15:26] yeah, as I said, you need the new interface to do that on an overloaded vserver ...
[15:27] you can get some 'preliminary' tools from my site, or enricos latest version should? already contain this ...
[15:27] it will be included in the next stable release (in a few days)
[15:28] http://vserver.13thfloor.at/Experimental/vkill-0.01.tar.bz2
[15:32] ok i guess i need something else too
[15:32] since i cant get the process id to kill :)
[15:32] you can get the context id ... right?
[15:33] how?
[15:34] well look in the /var/run/vservers dir for your vserver name ...
[15:34] S_CONTEXT=49163
[15:34] that thing?
[15:35] yup, that is your 'dynamic' context id ...
[15:35] so i can vkill that?
[15:35] now you can send a signal to all processes within this context ...
[15:35] ah
[15:36] how? :D
[15:36] vkill -h
[15:37] root@steelsoul:/var/run/vservers# vkill -h
[15:37] Process id -h not found.
[15:37] you are not using the tools I gave you a link for, right?
[15:37] yes
[15:37] i made that vkill thingy
[15:38] ah
[15:38] nm
[15:38] path ;)
[15:38] okay, there already _is_ a vkill in the vserver distro ...
[15:38] so vkill -n 9 -x 49163
[15:38] should put an end to this ...
[15:39] sorry -k not -n
[15:39] i did vkill -x sesid.. that stopped it already
[15:40] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[15:40] MedivhWrk (ck@netops.multimedia-centrum.de) got netsplit.
[15:40] Medivh (ck@62.93.217.199) got netsplit.
[15:40] MrBawb (abob@swordfish.drown.org) got netsplit.
[15:41] Bertl: Hi.
[15:41] hi virtuoso!
[15:42] Bertl: I've a dumb question again, how is sys_call_table called in 2.4.22?
[15:43] MrBawb (abob@swordfish.drown.org) returned to #vserver.
[15:43] Medivh (ck@62.93.217.199) returned to #vserver.
[15:43] MedivhWrk (ck@netops.multimedia-centrum.de) returned to #vserver.
[15:43] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[15:44] what is sys_call_table? ;)
[15:53] Action: TamaPanda rm -f's /vserver/web/tmp/.z (11gig, drive full.. lol)
[15:55] i wonder why it takes so long to delete a file..
[15:56] many inodes need many changes in the dirs/superblocks ...
[15:56] i guess
[15:56] 500 mb free'd in ... a minute
[15:56] heh
[15:56] oh well
[15:57] quota is the first thing i'll look into.. werent you the one to talk to about that? ;)
[15:57] huh, me? (yeah sure ;)
[15:59] lp (~lpressl@interner.SerNet.DE) joined #vserver.
[16:00] it says per context quota is experimental
[16:00] how experimental? :)
[16:00] (hi)
[16:00] hi lp!
[16:00] @TamaPanda there are 3 patches to get context quota ...
[16:01] the first one, rearranges the existing quota system to allow something called quota hashes ...
[16:01] Bertl: I thought it is an array with all syscall vectors.
[16:02] @virtuoso like in /arch/i386/kernel/entry.S (ENTRY(sys_call_table)
[16:03] @TamaPanda the quota hashes themselves behave just like the normal quota, and all tests showed no differences to that system
[16:03] so I would call this part 'very' stable ...
[16:04] (or at least as stable as the current quota system)
[16:04] hm ok
[16:04] the docs say something about a separate partition for vservers
[16:05] let me continue to explain it ...
[16:05] ok :)
[16:05] the second patch, is a simple one, although it is very intrusive ...
[16:06] it adds something called 'context tagging' for every filesystem ...
[16:07] to allow per context quota or disk limits, it is necessary to add a persistent tag to every file, to know to which context it belongs ...
[16:08] there are 3 ways to do this (currently)
[16:08] you can use the upper half of the group id (16 bit) for context information, leaving 16 bit for groups ...
[16:09] or you can use the upper quarter of both group and user id (8 bit each) for context info, which leaves 24bit for groups and users ...
[16:09] or you can use a (yet) unused part of the on disk inode to store this data ...
[16:10] in any case, this is intrusive, and if something goes wrong here, your filesystem data will be corrupted ...
[16:10] right..
[16:10] so it better not go wrong! ;)
[16:10] on the other hand, I tried hard not to screw up and used the existing functions ...
[16:11] so in my opinion it should be considered at least stable ...
[16:11] but you have to keep in mind, that for example, if you use UID24/GID24 and then switch back to a non tagxid kernel ... you'll end up with funny uid/gid values ...
[16:12] that is one reason why you should use a separate partition for the vservers ...
[16:12] not necessarily for each vserver ...
[16:13] the third patch adds the actual quotaing per context and the inter context changes/transfers ...
[16:13] this is not so critical, well tested, but still experimental ...
[16:14] right
[16:14] for some safety on your root system in case of 'oops'
[16:15] yeah, and for the unexpected case that you boot with a non-vserver context tagging kernel ;)
[16:16] in the first version I had context tagging for every filesystem, this was really fun, only one vserver could be started ;)
[16:17] lp (~lpressl@interner.SerNet.DE) got netsplit.
[16:17] serving (~serving@213.186.190.25) got netsplit.
[16:17] BobR (~georg@149.148.78.13) got netsplit.
[16:17] TamaPanda (~a@193.173.84.237) got netsplit.
[16:19] lp (~lpressl@interner.SerNet.DE) returned to #vserver.
[16:19] serving (~serving@213.186.190.25) returned to #vserver.
[16:19] BobR (~georg@149.148.78.13) returned to #vserver.
[16:19] TamaPanda (~a@193.173.84.237) returned to #vserver.
[16:23] @TamaPanda did this answer your question regarding stability?
[16:25] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Ping timeout: 499 seconds
[16:32] i guess :)
[16:32] looks like i'll have to repartition my drive hehe
[16:33] you should at least separate /usr and /var from / anyway ;)
[16:33] the root server doesnt need that much space, it's all in vservers anyway..
[16:33] bert: oh? why? heh
[16:33] i just have a /
[16:33] /var (or /var/tmp and /tmp) is world writeable, right?
[16:34] and you have suid/gid root files on /usr and /
[16:34] var is root writable, not world
[16:34] further you have your binaries in /usr or /
[16:35] check /var/tmp ;)
[16:35] ;)
[16:35] i just have /tmp
[16:35] okay, so this is ... right?
[16:35] but it's world writable.. i don't see how that matters for the vservers...
[16:36] as the vservers won't even be on the same partition :)
[16:36] not for vservers, for system security per se ...
[16:36] but hey, it's your system ... do what you want, and enjoy it, as long as you can ;)
[16:36] heh
[16:36] you mean they can flood /var/tmp and fill the root system right?
[16:37] for example ... or hard-link suid binaries ...
[16:37] well if they can do that... don't you think you have more of a problem already?
[16:38] everybody can do this, if /tmp is on the same partition and you have read access to the 'original' ;)
[16:38] hm
[16:38] still, what can a hard link to a file you don't own do?
[16:39] you run as a different user as well
[16:39] it can preserve a 'known bad' version of a binary you updated ...
[16:40] as I said, it's entirely up to you, and I'm sure any setup will be more secure than the average Win***s setup ...
[16:40] hm in a vserver
[16:41] they would need shell access to my root server to be able to play around with it.. which is not running any outside services other than ssh (ok, it has holes prolly but if they get past that you're screwed anyway)
[16:43] with an ip filter and disallowing ssh connect from localhost, should be ok ne?
[16:43] okay, let's give another example: your log files fill up your root partition, and you can't even log in via ssh, because there is no space left ...
[16:43] won't the log files log in the vservers?
[16:43] yes, but you do not have any log/syslog on the host?
[16:44] well how could they fill that up when only ssh runs?
[16:44] by logging kernel messages?
[16:44] do something forbidden in a vserver ... you get a kernel log message, right?
[16:45] and they are routed to the root kernel logger?
[16:45] there is only one kernel logger ...
[16:45] figures
[16:46] ok so / and /var then to solve that.. why /usr?
[16:46] btw, i appreciate the explanation.. :)
[16:47] no problem ... /usr primary because of accidents ...
[16:47] you compile a new packet on this server and it installs into /usr right over your existing tools ...
[16:48] s/packet/package/
[16:48] i don't see how a /usr will help in that..
[16:48] mount -o ro /usr
[16:49] ok, but that means you can't install any new packages
[16:49] not before you did mount -o remount,rw /usr
[16:50] right
[16:50] which you will be doing every time you install a new package..
[16:51] exactly ... saves some trouble ... if you are lazy ...
[16:52] well i don't plan to install any packages
[16:52] :D
[16:53] they can go inside the vservers
[16:53] once the root is running, just keep it as is
[16:53] hm about that... i was wondering
[16:54] is it possible to block a certain ip-port in a specified vserver?
[16:54] no, as the ip isn't vserver related ...
[16:54] but you can block with iptables the port on a specific IP ...
[16:54] thought so.. iptables wouldn't be able to do that
[16:55] so the safest way to avoid 'port-stealing' would just be having 2 ips.. 1 vserver 1 root
[16:55] that would be useful anyway ;)
[16:56] ne?
[17:03] would require 2 ip's for each physical server though
[17:03] you can do masquerading/nat ...
[17:04] hm give each vserver its own local ip?
[17:04] (for the vserver), and nat them from the main ip?
[17:04] would be one solution ...
[17:06] Nick change: BobR -> BobR_oO
[17:10] mcp (~hightower@wolk-project.de) left irc: Ping timeout: 483 seconds
[17:13] another would be?
[17:13] you can use masquerading to accomplish similar ...
[17:18] guess i'm not too well versed in terminology O.o
[17:19] well masquerading is a special 'stateful' form of nat ...
[17:19] nat usually means map 192.168.0.1 to 128.130.2.3 for example ...
[17:19] where masquerading will adjust ports to a pool of ports ...
[17:20] which might not be what you want for a server ...
[17:20] mcp (~hightower@wolk-project.de) joined #vserver.
[17:20] local port forwarding is another option ...
[17:21] well as long as it can have functional ssh, ftp and http servers running, it's all good :D
[17:22] if you have two vservers, and only one 'public' ip, you have to rearrange the ports ...
[17:22] for example 80/81 for http, but this could be 80/80 on the vservers ...
[17:26] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[17:26] hi infowolfe!
[17:27] hi Bert!
[17:27] it's snowing here :-D
[17:27] nice ...
[17:28] so bert, basically, i have to go through and figure out what userspace stuff is using init?
[17:28] to accomplish what?
[17:28] am i typing in odd colors?
[17:28] to squash the /dev/initctl thing that i keep seeing from my redhat contexts
[17:29] hmm must have slipped my mind ... funny how I tend to ignore such things ... ;)
[17:29] argh, colours
[17:29] hmm, not on my irc client ...
[17:29] better?
[17:30] this now is reverse ...
[17:30] inverted I mean ...
[17:30] TamaPanda (~a@193.173.84.237) left irc: Ping timeout: 512 seconds
[17:31] how about now?
[17:31] now it's black on black ;p
[17:31] yeah, cool ...
[17:31] I can do that too ...
[17:31] how about now?
[17:34] TamaPanda (~a@193.173.84.237) joined #vserver.
[17:36] hm
[17:36] I just came to the conclusion that in the background after killing a vserver the hard way... something is still running :)
[17:37] 15:39:00 up 4:26, 2 users, load average: 748.94, 408.24, 926.70
[17:37] hmm, did you do a vserver stop afterwards?
[17:39] TamaPanda, you must have a very nice machine to be running with that load average :-p
[17:39] black on black
[17:39] heh
[17:39] ;)
[17:39] tama, attempt to issue an /etc/init.d/vservers stop
[17:40] this is hard to read you know..
[17:40] hmm, if you want to talk black on black, do it on another channel, okay?
[17:41] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left #vserver.
[17:41] i don't have an init.d
[17:42] did you call vserver stop after you killed all processes?
[17:42] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[17:43] hm i think i found it out already
[17:43] am i better yet?
[17:43] much better ...
[17:43] the guy messing it up put his 'lets fork and fork' in the rc.local script of the vserver.. so the next time i started it..
[17:43] lol
[17:43] thanks
[17:43] sorry
[17:45] Jonny (~oseufer@interner.SerNet.DE) left irc: Quit: Leaving
[17:47] so far this has been a good exercise
[17:47] :D
[17:48] http://www.13thfloor.at/vserver/s_release/overview/ (we accomplished a lot ...)
[17:48] is there a way to easily make a partition smaller ?
[17:48] well yes, sfdisk or fdisk ...
[17:48] without killing the data on it...
[17:49] you have to resize the filesystem first ...
[17:53] goodie
[17:53] well my config is hosed anyway
[17:53] i might as well just reinstall :)
[17:56] hmm
[17:56] I really have to update my servers
[17:57] But this requires me to go out and buy $MANY CDRs :-)
[17:57] get dvd's, you need less of them ;)
[17:57] hmm, why do you think you need CDRs to update?
[17:57] bertl: because each server boots from CD
[17:58] heh
[17:58] hmm, okay, that is a good reason 8-)
[17:58] very nice it is too
[17:58] ccooke, custom cd boot disks?
[17:58] infowolfe: aye
[17:58] quite nice ones, too
[17:58] ccooke, what distro, if you don't mind me asking?
[17:59] fully automated installation of images based on MAC
[17:59] infowolfe: Debian.
[17:59] sounds nice
[17:59] (based upon)
[17:59] it is.
[17:59] especially since the tools can upload images as well as download them
[18:00] I'm currently upgrading our live webservers
[18:01] this involves: imagetool shutdown www live; imagetool uninstall www live; imagetool fetch www 1.004; imagetool install www live 1.004; imagetool boot www live
[18:01] (on each server in turn)
[18:02] why are you booting from cd.. safety?
[18:02] safety, ease of upgrade...
[18:02] the CD contains all the imaging tools
[18:03] for me, installing a new webserver is as simple as burning a CD, sticking it in the new server and booting it
[18:03] (the admin stuff assumes I want a webserver if it doesn't know the MAC, and writes a temporary MAC entry for it)
[18:03] the work before you get to having a cd is still work though :)
[18:04] that took about three months of work :-)
[18:04] on and off
[18:04] hehe
[18:04] worth it, though
[18:04] i can imagine
[18:04] especially for stuff like the mail server
[18:04] hm?
[18:04] how do you cope with small modifications/fixes?
[18:05] i guess he just commented on "having to buy a lot of cdr's"
[18:05] heh
[18:05] the webserver has a cronjob that does an upload every hour, and there's a separate image for each mail server
[18:05] bertl: the uses a ramdisk for the scripts and utils... and copies the latest versions from the admin server when it boots
[18:06] s/the/the cd/
[18:07] (well, s/ramdisk/tmpfs/ to be exact)
[18:07] okay ... so you need it only for kernel updates, right?
[18:07] or ssh vulnerabilities
[18:07] that's it
[18:08] hmm, are there any new ssh issues?
[18:08] why not get the ssh stuff from the main server also?
[18:08] not for a while
[18:08] tamapanda: I will, when I've got the cleaned-up version finished
[18:08] right now, the tools and scripts are a bit rough, and too hard coded
[18:08] I'm half-way through a rewrite so I can release this
[18:09] sounds good ...
[18:09] one thing is, it doesn't use any of the vserver tools other than chcontext and chbind
[18:09] I can't remember why I didn't use them - I know it was a good reason at the time... :-)
[18:09] heh
[18:10] so it does things in different ways
[18:10] basically, it's based on slots - each service (www, mail, firewall, whatever) has two slots - live and test
[18:10] different isn't bad if well tested ...
[18:11] each service/slot pair is given a separate network address
[18:11] so, live web servers are 192.168.128.0/22
[18:11] test web servers are 192.168.132.0/22
[18:11] each server is given an offset address (convention has my webservers as 1.something)
[18:12] so, the first webserver is currently (live) 192.168.129.2 and (test) 192.168.133.2
[18:12] how many servers are we talking about here? :)
[18:13] TamaPanda, i'm wondering the same thing...
[18:13] if I were to tell that box to install a mail server, (imagetool fetch mail main-1.001; imagetool install mail live main-1.001; imagetool boot mail live), it'd come up on 19.2168.161.2
[18:13] well, there's space for just over a thousand servers...
[18:13] bert? why do you release new stuff so quickly? :-p
[18:13] lol
[18:13] I currently have about 20
[18:14] that is, there are 1022 different *offsets*, of course
[18:14] Action: infowolfe is off to go recompile his kernel :(
[18:14] lol
[18:14] and each server is given an offset...
[18:15] did anyone get my announcement via the mailing list?
[18:15] so you can bring up any service, live or test, and it'll Just Work
[18:15] bertl: fairly sure I did...
[18:15] yep i just received it
[18:15] Nick change: TamaPanda -> Tamama
[18:15] i did
[18:15] that'd be why i complained about recompiling my kernel ;-)
[18:16] okay, because I didn't get it yet ... maybe I was unsubscribed ...
[18:16] Action: ccooke grumbles while waiting for www-1.004 to download
[18:16] does that combined patch also add those quota patches? :D
[18:16] I wish rsync could use bzip2 :-)
[18:17] Bertl, for some reason, i keep getting Makefile.rej :(
[18:17] what's your -p normally?
[18:17] ahh no daffy is on the spam list ...
[18:17] hmm Makefile.rej on what?
[18:17] patch-2.4.23-vs1.20.diff
[18:18] patch -p1 < ../vserver/patch-2.4.23-vs1.20.diff spit out a Makefile.rej on the kernelversion portion of the makefile
[18:19] specifically, it doesn't like how you changed extraversion
[18:19] and what's in this rej?
[18:19] and what does your Makefile in this section look like?
[18:20] Bertl, vanilla sources... would you like me to email it to you?
[18:20] ;) just show me the lines around extraversion ...
[18:21] i think i figured it out
[18:21] maybe
[18:21] apw (~apw@212.104.150.41) joined #vserver.
[18:21] possibly
[18:21] ;)
[18:21] nevermind
[18:22] everything okay now?
[18:22] Bertl, how many lines?
[18:22] +/- 3 ...
[18:22] herbert, i just mailed you the output of cat Makefile.rej
[18:23] it's like 10-15 lines total
[18:24] yup, you have vs1.1.6 there? what patch is this?
[18:24] this is patch-2.4.23-vs1.20.diff
[18:25] and it did the same thing on vs1.1.6
[18:25] okay, wait ... please check the md5sum ...
[18:26] hm, is there a way to see in the root server how much a vserver uses in resources?
[18:26] what md5sum?
[18:26] there isn't one for "kernel release 2.4.23" on the site
[18:27] http://www.13thfloor.at/vserver/s_release/v1.20/md5sum.asc
[18:28] md5sums check fine
[18:28] okay, then explain to me, where you get the vs1.1.6 from ... it isn't in the patch ...
[18:29] argh
[18:29] let me kill Makefile.reg
[18:29] rej*
[18:29] i patch -Rp1 < ../vserver/patch-2.4.23-vs1.1.6.diff before i attempted to patch to vs1.20
[18:30] my mistake
[18:30] <~~ feels dumb
[18:31] okay, let's forget it ... ;)
[18:31] Bertl, are there any new config options in the kernel between 1.1.6 and 1.2.0?
[18:31] config options like?
[18:32] virtual root device support in block devices?
[18:32] options that are selected via make {config,xconfig,menuconfig}?
[18:34] hmm, yes the vroot device was included ...
[18:34] i know it was... lol, i'm wondering if there's anything else you've added...
[18:34] that was an example
[18:34] nothing with a kernel config ... IIRC ...
[18:34] thanks
[18:34] i'm basically wondering if i can use the same config without any problems...
[18:36] hmm
[18:36] (is there any help on what the vroot device *is*)
[18:36] on a 2.4.23-vs1.1.6 to 2.4.23-vs1.20
[18:36] it seems to be compiling fine
[18:36] @ccooke yes, you can get it on the irc channel ;)
[18:37] Bertl: good! what is it? ;)
[18:37] it is a block device proy for quota ioctls ...
[18:37] s/proy/proxy/
[18:37] you have the problem, if you want to do quota on a vserver, you need access to the block device to issue the quota ioctls ...
[18:38] why would you want to do quota on a vserver? ;)
[18:38] right. only interesting if you need quotas.
[18:38] Okay, cheers
[18:38] simply putting the block device node into the vserver would mean a big security hole ...
[18:38] As i discovered!
[18:38] lol
[18:38] tamama: oh?
[18:38] cracks?
[18:38] fdisk :D
[18:39] lol
[18:39] so this vroot device allows to proxy quotactls but blocks other stuff like direct access ...
[18:39] ok
[18:39] so now we have quotas for virtual users that are in a virtual server .. virtual quotas then :)
[18:40] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[18:40] hm, when we're talking quota anyway... can you put a quota on a directory instead of on a user?
[18:41] not with the current approach ...
[18:42] there is something called tree quotas, which is very similar to what we do ...
[18:42] and I did mount point quotas for --bind mounts for some time ...
[18:45] ideally i would want to just limit a user dir size, and have services such a user want that take up space to be included
[18:45] or something
[18:45] heh
[18:46] well most quota issues arise from the fact that an inode does not belong to a directory ...
[18:48] i guess i could just do user quota and 'du' from time to time
[18:48] just to check
[18:50] or just make those files user-owned and set the group to the service id
[18:53] what is next in vserver? :)
[18:55] you mean after 1.20?
[19:08] yes
[19:09] well, like in Matrix ... the next motto is 'revolutions' ...
[19:15] Bertl, care to explain that further?
[19:16] hehe .. yes, sorry I'm just doing 3-4 things at a time ...
[19:16] no worries
[19:16] we will modify/enhance the inner core of vserver again ...
[19:16] cool
[19:17] this time replacing the create call by several syscall commands ...
[19:17] bertl: hmm. any way of limiting access when using devfs?
[19:17] I really need that...
[19:17] this adds more flexibility ... also the limits will be addressed and the scheduler maybe ...
[19:18] @ccooke just use devpts together with devfs ...
[19:18] Bertl, also, when using devfs, does the vroot device have to be re-created?
[19:18] nope, it is devfs aware ...
[19:18] bertl: but devfs will give access to the block devices, right?
[19:18] you do not need devfs for 7 devices do you?
[19:19] 7?
[19:19] Bertl, would you mind re-explaining how to bring up a vroot?
[19:19] full hdv1 null ptmx pts/ random tty urandom zero
[19:19] that is everything a vserver should have in /dev
[19:19] work day over, bbiab
[19:19] Tamama (~a@193.173.84.237) left irc:
[19:19] hmmm
[19:20] hdv1 is a fake or the vroot device ...
[19:20] pts is the mountpoint for devpts ...
[19:21] I was thinking about modifying the devfs too, but it really makes no sense ... (at least for now, and to me ;)
[19:39] yay. There goes the server upgrade :-)
[20:35] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[22:17] kestrelw (~athomas@o2rosock0a.optus.net.au) left irc: Ping timeout: 483 seconds
[22:40] kestrelw (~athomas@o2rosock0a.optus.net.au) joined #vserver.
[22:45] grepmaster (~chatzilla@66-101-59-73.oplnk.net) joined #vserver.
[22:46] hi gm!
[22:46] topic reset, topic reset! :)
[22:46] hey hey
[22:46] right ...
[22:46] Topic changed on #vserver by Bertl!~herbert@MAIL.13thfloor.at: http://linux-vserver.org/ || latest stable 1.20, devel 1.1.6
[22:47] gentoo is still giving me lip, but some stuff from the mailing list archives has helped... may get it fully working soon
[22:48] sounds good ... make sure to document/add to the wiki/report on the mailing list ...
[22:49] yeah, will do
[22:50] finals are next week but i may yet make a grsecurity for vs1.20 patch today
[22:51] well, if you did for 1.1.6, it should be quite easy ...
[22:51] yeah
[22:51] you might have troubles with the older kernels though ...
[22:52] older meaning < .23 ?
[22:52] yup ...
[22:54] is there an incremental 1.1.6 -> 1.20 ?
[22:55] I knew somebody would ask .. ;)
[22:55] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[22:55] heh
[22:55] the moment I decided not to do the 1.1.6->1.20 .. I knew it ...
[22:55] okay give me a few secs ...
[22:55] hehe.
ok cool
[22:56] you need it for .23 only, right?
[22:56] yeah i figure i'll try that first, then go back to manual merge if need be
[22:56] correct
[22:58] http://vserver.13thfloor.at/Stuff/delta-2.4.23-vs1.1.6-vs1.20.diff
[22:58] thx :)
[22:59] for .22 and .21 at the same place ...
[22:59] ok
[23:00] cool, offset 59 lines, 49 lines, 9 lines, and 9 lines
[23:00] only the makefile chunk failed
[23:22] where should i stick grsecurity on the wiki? documentation?
[23:23] hmm ... let me have a look at the wiki ...
[23:24] I would add a link below 'Paul Sladens stuff' to your 'patch repository' ;)
[23:24] allrighty
[23:24] and something in the docu ...
[23:36] done
[23:37] just to take load off from enrico, (and have some fun myself) may I ask you where you have the signed md5sums?
[23:37] ahh i suppose i should generate some
[23:38] done
[23:39] well not signed
[23:39] bah
[23:39] i'll get around to gpg next week or something...
[23:39] I tend to put them all into one file ... (md5sum) but that is just a suggestion ...
[23:40] all right
[23:41] howto looks good, maybe a link to the grsec patches/site?
[23:44] changed
[23:45] perfect ...
[23:45] :)
[23:46] i'd like to go take a shower but our gas got shut off so there's no hot water, and it's 59 F outside...
[23:46] bah
[23:46] hmm ... maybe some cold tea then?
[23:55] perhaps, perhaps
[23:55] Nick change: grepmaster -> grepmaster-afk
[00:00] --- Sat Dec 6 2003