[00:02] sorry, i have a phone call
[00:02] ..
[00:06] i got rejects at 3 files, the first is not really a problem, include/net/ip.h.rej but the 2. and 3. include/net/route.h.rej net/ipv4/udp.c.rej was rewritten and i am not a programmer...
[00:06] have you tried with the default stock linus kernel ?
[00:07] shuri (~ipv6@3ffe:bc0:189:1:6666:6666:6666:6666) joined #vserver.
[00:10] no, didnt because of some debian things (cramfs) initrd.., and the changes in route.h look like a bugfix
[00:13] i have given this stuff to a friend of mine, maybe he can fix this. which mailinglist would you prefer to post such things?
[00:15] shuri (~ipv6@3ffe:bc0:189:1:6666:6666:6666:6666) left irc: Quit: changing servers
[00:15] we only have one
[00:16] this one you mean? vserver@list.linux-vserver.org
[00:16] yes
[00:16] or just talk to bertl here
[00:19] ok the friend of mine would take 3 days because he doesnt know so much about kernel routing
[00:19] wc -l *.rej
[00:22] wc -l include/net/*.rej 16 include/net/ip.h.rej 53 include/net/route.h.rej 69 total wc -l net/ipv4/*.rej 27 net/ipv4/udp.c.rej but as i said, ip.h i can change without programming knowledge
[00:23] what about route.h ?
[00:23] there are some traffic limits but i am not an expert
[00:24] should i paste it?
[00:24] no
[00:24] hh, just a joke
[00:25] i dont have a 2.4.23 kernel source in my sid ?
[00:26] got it from backports.org
[00:27] have to do some update because of kernel-bug
[00:28] maybe it would really be best to make some default stock kernel?
[00:28] that is easier
[00:28] but it's not many lines to change
[00:29] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[00:29] yes, not many lines but i cant write C
[00:38] ...i will write a message to ML and attach files, this would be better i think
[00:39] to ML ?
[00:39] mailinglist
[00:39] but hey, i just downloaded the files
[00:39] oh :)
[00:39] you are using debian too?
[00:40] yeah
[00:40] but i have to run an older 2.4.21, or is it 22
[00:40] anyone experienced a problem, that processes hung in D state and load increased steadily? could it be vserver related?
[00:40] because i need PPDD
[00:41] maybe, you better talk to bertl about that
[00:41] or on the mailing list
[00:41] frz: and my desktop is 2.6
[00:41] frz: i still use the vs1.0 release
[01:43] Nick change: riel -> unriel
[01:50] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Quit: Well, I'm off
[01:54] You (~billiam@c-24-4-153-146.client.comcast.net) joined #vserver.
[01:54] Action: You have encountered an error <><> Press Alt+F4 to correct
[01:54] You (~billiam@c-24-4-153-146.client.comcast.net) left #vserver.
[01:55] hahaha
[02:06] hmm, I don't want to encounter an error!
[02:07] i wonder if it works in xchat?
[02:07] let me test, i'm going to bed anyway
[02:07] JonB (~jon@129.142.112.33) left irc: Quit: Client exiting
[02:08] JonB (~jon@129.142.112.33) joined #vserver.
[02:08] heh, i guess it did work
[02:08] well, sleep tight bpys
[02:08] boys
[02:08] JonB (~jon@129.142.112.33) left irc: Client Quit
[02:08] serving (~serving@213.186.190.19) left irc: Ping timeout: 501 seconds
[02:14] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[02:41] frz (~frz@chello212186127181.14.vie.surfer.at) left irc: Remote host closed the connection
[03:20] Nick change: Bertl_oO -> Bertl
[03:20] hi everyone!
[03:21] hi Beterl!
[03:21] err, Bertl
[03:21] I don't know how your name got so mangled
[03:21] hmm, well I like variations on my name ;)
[03:22] how is/was your day?
[03:22] oh, it started out bad and got better
[03:22] how about yours?
[03:23] well, it's fine ... at least until now ...
[03:23] kestrel (~athomas@dialup51.optus.net.au) left irc: Ping timeout: 499 seconds
[04:00] serving (~serving@213.186.191.101) joined #vserver.
[04:08] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[04:14] serving (~serving@213.186.191.101) got netsplit.
[04:14] Alex^ (alex@alex.city17.org) got netsplit.
[04:14] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[04:14] aka (~aka@h062040166017.gun.cm.kabsi.at) got netsplit.
[04:14] kestrelw (~athomas@o2rosock0a.optus.net.au) got netsplit.
[04:14] ensc (~ircensc@ultra.csn.tu-chemnitz.de) got netsplit.
[04:14] Medivh (ck@62.93.217.199) got netsplit.
[04:14] apw (~apw@212.104.150.41) got netsplit.
[04:14] lp (~lpressl@interner.SerNet.DE) got netsplit.
[04:14] surriel (~riel@imladris.surriel.com) got netsplit.
[04:14] serving (~serving@213.186.191.101) returned to #vserver.
[04:14] Alex^ (alex@alex.city17.org) returned to #vserver.
[04:14] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[04:14] aka (~aka@h062040166017.gun.cm.kabsi.at) returned to #vserver.
[04:14] kestrelw (~athomas@o2rosock0a.optus.net.au) returned to #vserver.
[04:14] ensc (~ircensc@ultra.csn.tu-chemnitz.de) returned to #vserver.
[04:14] Medivh (ck@62.93.217.199) returned to #vserver.
[04:14] apw (~apw@212.104.150.41) returned to #vserver.
[04:14] lp (~lpressl@interner.SerNet.DE) returned to #vserver.
[04:14] surriel (~riel@imladris.surriel.com) returned to #vserver.
[04:14] Topic changed on #vserver by !lepton.oftc.net: http://linux-vserver.org/ || latest stable 1.21, devel 1.3.0 "Revolutions"
[04:27] lp (~lpressl@interner.SerNet.DE) got netsplit.
[04:27] Medivh (ck@62.93.217.199) got netsplit.
[04:27] ensc (~ircensc@ultra.csn.tu-chemnitz.de) got netsplit.
[04:27] kestrelw (~athomas@o2rosock0a.optus.net.au) got netsplit.
[04:27] aka (~aka@h062040166017.gun.cm.kabsi.at) got netsplit.
[04:27] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit.
[04:27] Alex^ (alex@alex.city17.org) got netsplit.
[04:27] serving (~serving@213.186.191.101) got netsplit.
[04:27] apw (~apw@212.104.150.41) got netsplit.
[04:27] surriel (~riel@imladris.surriel.com) got netsplit.
[04:27] serving (~serving@213.186.191.101) returned to #vserver.
[04:27] Alex^ (alex@alex.city17.org) returned to #vserver.
[04:27] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver.
[04:27] aka (~aka@h062040166017.gun.cm.kabsi.at) returned to #vserver.
[04:27] kestrelw (~athomas@o2rosock0a.optus.net.au) returned to #vserver.
[04:27] ensc (~ircensc@ultra.csn.tu-chemnitz.de) returned to #vserver.
[04:27] surriel (~riel@imladris.surriel.com) returned to #vserver.
[04:27] lp (~lpressl@interner.SerNet.DE) returned to #vserver.
[04:27] apw (~apw@212.104.150.41) returned to #vserver.
[04:27] Medivh (ck@62.93.217.199) returned to #vserver.
[04:48] Nick change: Doener -> doener_zZ
[05:05] omg
[05:05] Nick change: doener_zZ -> Doener
[05:06] hmm ... that was a short night ...
[05:06] cat nap :)
[05:06] couldn't let my hands off that server
[05:07] nothing serious, it's only that i just found the kswapd oops in the logs 4 days ago
[05:43] Nick change: Doener -> doener_zZ
[06:17] Nick change: surriel -> |
[06:17] Nick change: | -> |\
[06:18] hmm, experimenting with the client, rik?
[06:18] Nick change: |\ -> surriel
[06:18] nope, it's just that the | nick is reserved
[06:19] I could only have it for 20 seconds, which wasn't enough for the text I wanted to quote
[06:24] @rik I have the strong feeling that something in 2.4.2x slab management is buggy ...
[06:25] @surriel how does the following look to you? http://217.88.132.34/ksymoops.txt
[06:29] okay, enough for today ... wish you all a good whatever ...
[06:29] Nick change: Bertl -> Bertl_zZ
[06:33] Bertl_zZ: looks like random memory corruption, the other error you showed is sooo unrelated
[06:34] Nick change: surriel -> \o\
[06:34] Nick change: \o\ -> surriel
[10:09] kestrelw (~athomas@o2rosock0a.optus.net.au) left irc: Quit: ircII EPIC4-1.1.11 -- Are we there yet?
[10:42] morning
[11:00] kestrel (~athomas@dialup51.optus.net.au) joined #vserver.
[11:00] hello
[13:50] Doener` (~doener@pD9E12124.dip.t-dialin.net) joined #vserver.
[13:58] doener_zZ (~doener@pD9588422.dip.t-dialin.net) left irc: Ping timeout: 501 seconds
[14:56] fbc (~fbc@ppp-104-136.26-151.libero.it) joined #vserver.
[14:57] fbc (~fbc@ppp-104-136.26-151.libero.it) left irc: Client Quit
[15:03] fbc (~fbc@ppp-104-136.26-151.libero.it) joined #vserver.
[15:04] hi all
[15:04] I've got a little problem... installed kernel 2.4.23 patched with vserver 1.2 on a debian machine
[15:05] I created a new vserver with debian inside, it starts, works, but I cannot access via ssh as a normal user
[15:05] I can access as root
[16:22] do you have user accounts inside the vserver?
[16:35] yes
[16:35] the password is accepted (reading /var/auth.log)
[16:36] run sshd in foreground debug mode: sshd -
[16:36] d
[16:37] shift-j that line
[16:50] [S]ushi (Sushi@pD9512C9F.dip.t-dialin.net) joined #vserver.
[16:50] <[S]ushi> hi
[16:51] hi ushi
[16:51] <[S]ushi> oh... you are here too my doener ;)
[16:53] Nick change: Doener` -> doener_aw
[16:54] Nick change: [S]ushi -> [S]ushi`sid
[17:26] Nick change: Bertl_zZ -> Bertl
[17:26] hi all!
[17:26] <[S]ushi`sid> huhu Bertl
[17:27] @fbc you are Fabio?
[17:29] therealtroll (~wvh@D5E015BB.kabel.telenet.be) joined #vserver.
[17:30] hello, question here...
[17:30] hi troll!
[17:30] <[S]ushi`sid> hello... fish here...
[17:30] i try to figure out what vps does, it looks like UML???!
[17:30] hmm, look again!
[17:31] how is it different from User mode linux?
[17:31] ik i guess no uml kernel ?
[17:31] typo s/ik/ok/
[17:31] think kernel as userspace process, then you have UML ... think many processes, separated by contexts, then you have linux-vserver ...
[17:32] advantages / disadvantages ?
[17:32] those are orthogonal approaches, you can run linux-vserver on UML and vice versa ...
[17:32] some comparison on the website would be nice!
[17:32] well, go ahead do them, and write something, after all, it's a wiki!
[17:33] ;-)
[17:33] the major difference for the provider will be that UML consumes much more resources ...
[17:33] this is simply explained ...
[17:34] and the separation, memory, cpu ... ?
[17:34] UML has to have a complete kernel and all its buffers running within one user space ... vserver doesn't need that ...
[17:35] resource control?
[17:35] <[S]ushi`sid> wow... this netinstallation-business-card is really great!
[17:36] hi herbert
[17:36] @troll basically resource separation is sufficient to be secure ...
[17:36] thanks Bertl, for the feedback.
[17:37] the limiting stuff is in development, but UML doesn't provide this either ...
[17:38] you have to see what is the best solution for your purpose ...
[17:38] Do you guys know a good High Availability solution for linux? I checked out LVS but search something like IBM's HACMP for AIX!
[17:39] well, I have something called HALinux spinning around in my mind?
[17:39] http://www.linux-ha.org/
[17:39] thanks, looks good!
[17:39] ur welcome ...
[17:40] fabio?
[17:40] Bertl: I'm here
[17:40] ahh good, so how did you try to track this down?
[17:40] very good channel service by the way - see ya later..
[17:41] I started sshd with -ddd and now I'm trying with strace to grasp something
[17:41] seems like the ssh child releases the connection after being launched by the ssh main process
[17:42] just before using a pty
[17:42] use strace >= 4.5 and -fF option ...
[17:42] therealtroll (~wvh@D5E015BB.kabel.telenet.be) left #vserver (Client exiting).
[17:42] I'm not an ssh expert, so maybe this is bullshit
[17:42] perhaps /dev/pts is not mounted or has incorrect permissions...
[17:42] well we have to make sure that it _is_ bullshit then ;)
[17:42] Errors change if I disable privilege separation... just a minute
[17:42] Bertl: :D
[17:43] kestrel: devpts is mounted as devpts /dev/pts devpts rw,gid=5,mode=620 0 0
[17:43] and grep :5: /etc/group gives?
[17:44] tty
[17:44] okay, that should be correct ...
[17:44] can you su to unprivileged users inside the vserver?
[17:44] ok, I think I found the issue
[17:45] hmm, lets hear ...
[17:46] well.. I tried kestrel's suggestion and "sued" as a normal user.. the reply here is "No shell"
[17:46] ahh that looks good indeed ...
[17:46] And if I don't use privilege separation in ssh I get the same error
[17:47] /bin/bash: Permission denied
[17:47] which shell is specified for that user in /etc/passwd
[17:47] /bin/bash
[17:47] uh oh ... ls -la /bin/bash =
[17:47] which has 755 permission
[17:47] okay you are using quota patches?
[17:47] they are applied but I'm not using userland tools
[17:48] qh0.12 et al, I assume?
[17:48] yes
[17:48] did you mount the partition the vserver is on with ctxtag or tagctx or tagxid?
[17:49] yes
[17:49] okay, do you use fixed (static) context ids or dynamic ones?
[17:49] static
[17:50] did you copy this vserver or change the static id?
[17:50] I changed the id to 1000 after it had been created by debian-newvserver
[17:50] [S]ushi`sid (Sushi@pD9512C9F.dip.t-dialin.net) left irc:
[17:50] have you compiled the lsctx and chctx tools?
[17:51] uhm, I don't think so, I can't see them
[17:51] where are they located?
[17:51] okay, there is a patch for the e2fsprogs ... to add this feature ...
[17:51] I'll explain what probably happened ...
[17:52] if tagxid is enabled (the others are synonyms) then each file will get a context tag ...
[17:52] and, as the community decided on an opinion poll, inter context file access should not be handled gracefully, but produce an error ...
[17:53] now on/after creation your server might have been started with context id 250 for example ...
[17:53] and on the first execution of bash, this binary was changed to this context ...
[17:54] then you changed the context id to 1000, and now the bash belongs to another context ...
[17:54] the simple way to change this back is to just touch the /bin/bash from the host context 0
[17:55] but you can control/verify that with the lsctx and chctx tools ...
[17:55] seems clear, but why can root execute bash with no problem?
[17:55] interesting question, indeed ...
[17:55] lets see what context this belongs to ...
[17:56] Action: Bertl is looking for the patch url ...
[17:56] http://vserver.13thfloor.at/Experimental/patch-e2fsprogs-1.34-cti0.01.diff.bz2
[17:58] applied to the e2fsprogs source, this will produce two executables (besides the other stuff) lsctx and chctx, just copy them to /usr/local/bin/ (or wherever appropriate)
[17:59] I was searching for e2fsprogs source
[17:59] http://e2fsprogs.sourceforge.net/
[17:59] intuitively under the link 'here'
[18:03] they take quite long to compile
[18:03] unfortunately .. I hope the userspace tools will pick up something similar soon ...
[18:04] actually it's a simple ioctl, and no magic at all ...
[18:05] could even be implemented in perl or python ... hey did I say that?
[18:06] uhm, is it that simple? I could do that if we resolve this issue
[18:07] + r = ioctl (fd, EXT2_IOC_SETCONTEXT, &c);
[18:07] this is the magic for changing the context id ..
[18:07] + r = ioctl (fd, EXT2_IOC_GETCONTEXT, &c);
[18:07] and that for reading it ...
[18:08] the fact that EXT2_ is in front doesn't mean anything, by the way ...
[18:14] mmmh, what a beautiful day... error compiling e2fsprogs
[18:15] hmm ... strange ...
[18:15] this is debian?
[18:15] yep
[18:15] maybe you could try with the debian version of e2fsprogs ;)
[18:16] they seem to get more and more incompatible to the source packages ...
[18:16] Well, I don't mind if they don't work :) But at least sources should compile on every distro
[18:17] The funny thing is that the problem seems related to simple message files... isn't the /po folder meant to contain i18n stuff?
[18:19] hmm, maybe disabling localization would work then?
[18:19] maybe gettext missing stuff...
[18:19] I'm looking at configure --help..
[18:20] A kernel is easier to patch and compile :)
[18:21] that's why I avoid userspace stuff where possible, all those dependencies ... ;)
[18:22] yoohoo, compilation ok
[18:23] it took longer than mozilla :D
[18:23] okay grab the two tools and get erid of the rest ...
[18:23] s/erid/rid/
[18:26] the output of lsctx on the /bin/bash for my vserver is: #0 /vservers/www/bin/bash
[18:27] and the directory above?
[18:27] lsctx -d /vservers/www/bin
[18:27] the same
[18:27] okay then it isn't a context issue .. 8-)
[18:28] GOOD :)
[18:28] let's see what goes wrong .. with strace as a user ...
[18:34] herbert, i just sent you a small script to get a "top"-like display of each vserver's cpu usage
[18:35] hmm, to me personally?
[18:35] yes
[18:37] I find tries to access /dev/log with EACCES errors.
[18:37] @alec hmm, slow mailer then ... I assume
[18:38] @fabio hmm /dev/log should be the system logger pipe, right?
[18:38] yes
[18:38] is it there? ls -la /dev/log
[18:38] to what context does it belong?
[18:39] Nick change: doener_aw -> Doener
[18:39] the socket is there
[18:40] but lsctx cannot see it from the outside...
[18:40] hmm, try to specify the directory ...
[18:41] the dev directory has context 0
[18:41] and lsctx /vservers/www/dev doesn't list them ...
[18:42] ./lsctx: No such device or address while reading context on /vservers/www/dev//log
[18:42] hmm, okay, this means that no logger is on the other end ...
[18:42] uhm, is it still the ssh/no shell issue?
[18:43] uhm, wait a minute, /dev/null, /dev/ptmx, /dev/tty and /dev/xconsole have context set to 1000
[18:43] that is okay, if 1000 is your context id ...
[18:43] @doener yes, but it seems it isn't a vserver issue at all ...
[18:44] i know, i had exactly the same on a host machine some days ago
[18:44] if i could only remember what it wasa exactly
[18:44] s/wasa/was/
[18:45] @fabio maybe changing the sshd config to not log via syslog could help?
[18:45] I'm trying to start syslog
[18:45] ah!
[18:45] sorry, I'm on a 56k connection and I react slowly :)
[18:45] what permissions doesn't /var have?
[18:46] 755
[18:46] s/doesn't/does/
[18:47] hmm... the /var inside the vserver?
[18:47] yes
[18:47] and the root /var ?
[18:47] Action: kestrel tired
[18:47] 755
[18:47] Topic changed on #vserver by Alex^!alex@alex.city17.org: http://linux-vserver.org/ || latest stable 1.21, devel 1.3.0 "Revolutions".
[18:48] AGoe (~agoeres@D8356.d.pppool.de) joined #vserver.
[18:48] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[18:48] hmm... i'm quite sure on my machine /var had 000 permissions and this was causing the whole trouble
[18:49] however i still don't who changed them to 000
[18:50] insert a 'know' somewhere ;)
[18:50] did you have a vserver jail under /var ?
[18:50] no
[18:51] g'night all
[18:51] kestrel: goodnight
[18:52] kestrel, g'night
[18:55] I tried to strace su now...
[18:56] @alec good night!
[18:56] @fabio and?
[18:56] permission denied on /dev/log, /dev/console and /bin/bash
[18:57] I did this after trying to umount and mount the vserver's partition without the tagctx option
[18:57] and did you succeed (in umounting/mounting)? ;)
[18:57] yes :)
[18:59] okay, context separation for sshd is enabled or disabled?
[18:59] do you mean privilege separation or some option for vserver unknown to me?
[19:00] However, the problem seems to be in /bin/bash permission
[19:00] @alec your vtop has arrived ...
[19:00] ssh authentication goes well
[19:00] sorry privilege separation .. (don't know where context came from ;)
[19:01] Now it is disabled
[19:01] But the problem always arises when calling /bin/bash
[19:02] okay, so you cant su to any user .. probably you cant even login, so try the following, use -s to set the shell for su to something else ... /bin/sh /bin/ash /bin/csh or whatever works ... and gets you a shell ...
[19:03] try to copy the shell to /tmp and execute it there ...
[19:04] I tried, no results
[19:04] always this good EACCES
[19:09] ....
[19:10] What a stupid issue... permission on the vserver for other users was set to 4 and not to 5
[19:11] Now a question... why on some vserver docs is it mentioned to set permission for the root folder to 000?
[19:13] [S]ushi (Sushi@pD9512C9F.dip.t-dialin.net) joined #vserver.
[19:14] <[S]ushi> re
[19:56] [S]ushi (Sushi@pD9512C9F.dip.t-dialin.net) left irc:
[19:58] @fabio sorry missed your question, this is necessary to make the chroot jail secure ...
[20:09] shuri (~ipv6@ipv6.electronicbox.net) joined #vserver.
[20:20] S3b4St14N (~email@p5081BCAA.dip.t-dialin.net) joined #vserver.
[20:21] hey sebastian!
[20:21] hi
[20:22] is there a guide somewhere on how to install a vserver?
[20:22] cool plasma.oftc.net working again
[20:22] humm need a french vserver channel:P
[20:22] @S3b there are some howtos on the linux-vserver.org page under documentation ...
[20:23] @shuri he asked if there is some howto for vserver installation ;)
[20:23] ok
[20:23] german?
[20:24] the language? yes ...
[20:24] ok
[20:24] when are the howtos finished?
[20:26] hopefully never, as this would mean stagnancy ...
[20:27] okay, please help sebastian if he has any questions, I'll be back soon ...
[20:28] Nick change: Bertl -> Bertl_oO
[20:28] ok
[20:28] is it complicated to install vserver?
[20:29] no
[20:30] only need to patch the kernel, recompile and install the vserver-tool
[20:30] then you can use the newdebian.sh script to create a debian vserver from scratch
[20:31] ok thank you i will test it...
[20:36] how could I install the kernel?
[20:39] you didn't ever compile the kernel yourself, did you?
[20:40] no sorry..
[20:40] i've used linux for a few months
[20:42] where must i put the files from kernel-2.4.21ctx-17c.tar.gz ?
[20:42] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[20:43] hm.. that's not the current release
[20:44] http://www.13thfloor.at/vserver/s_release/overview/
[20:45] i need "split", right?
[20:45] right
[20:45] Nick change: Bertl_oO -> Bertl
[20:45] what kernel sources do you have?
[20:45] @S3b .. no you just need the patch
[20:46] the split-outs are for developers, who try to 'adapt' this patch to other kernels/patches ...
[20:46] Linux debian 2.2.20-idepci
[20:46] they contain the same as the patch, but separated into logically independent pieces ...
[20:47] debian has a special 2.4.22-3 release ... and something older, 2.2.x, will not be supported by recent vserver patches ...
[20:48] @S3b there is a debian vserver howto on the docu page ...
[20:50] compiling the kernel is simple ... we had this several times on the mailing list, let me see where you can read this ...
[20:51] where could i get the debian kernel 2.4.22?
[20:52] http://list.linux-vserver.org/archive/vserver/msg00970.html
[20:52] (this is for building the kernel)
[20:55] Ola Lundqvist does the debian stuff .. maybe http://www.opal.dhs.org/involved/patch/index.oml is some hint/base .. see the debian faq/howto for more details ...
[20:56] @s3b the debian package name is kernel-source-2.4.22
[20:57] now i'm downloading linux-2.4.23.tar.bz2
[20:57] is that right?
[20:57] yes
[20:57] shouldn't there be a debian package for 2.4.22-3-vs1.21? or why am I doing those patches?
[20:59] hm, i'll update my sources
[20:59] if not, maybe a short reminder to Ola would be appropriate ...
[21:01] at least my sid system doesn't show up anything
[21:04] ah, it's named kernel-patch-ctx, d'oh, no wonder searching for 2.4.22 didn't give any results
[21:05] but anyways it doesn't sound like s3b is using sid
[21:06] okay I give up, I don't understand that debian stuff ... ;)
[21:12] it's just that debian has 3 branches stable/testing/unstable (aka sid) and all stuff takes a long long way from unstable to stable, all vserver stuff is in unstable atm while s3b seems to be using a stable setup
[21:13] okay, and you can't install an 'unstable' kernel on a stable release?
[21:14] Bertl: sorry, I went to lunch and I missed your last reply...
[21:15] because of dependencies it can be quite hard to keep a mixed setup
[21:15] @fabio which one? *G*
[21:15] the most recent kernel for stable ist 2.4.18
[21:15] Bertl: the question is: 000 means secure jail, but if I set the jail directory to 000 nothing works as a normal user
[21:15] s/ist/is/
[21:15] 17:58 < Bertl> @fabio sorry missed your question, this is necessary to make the chroot jail secure ...
[21:16] Bertl: exactly that one
[21:16] @Doener but it works with 2.4.22-3 too, or am I wrong?
[21:17] @fabio okay if you want more details, enrico can explain it to you ... but basically chroot isn't safe without this barrier ...
[21:18] Bertl: I know the issue, but this means I cannot run vservers with normal users in?
[21:19] hmm sure you can, this barrier should not influence the vserver at all ...
[21:19] hmm, just reread your statement ... enrico?
[21:19] Bertl: our machines are using vanilla kernel + patches, the debian packages are of interest only to those using an unstable setup (debian-unstable doesn't mean it is really unstable, it's just less tested)
[21:20] yeah, I know this concept, Mandrake calls it cooker ...
[21:20] Bertl: the problem is that setting the vserver base dir to 000 causes the ssh and su problem seen this afternoon
[21:21] ahh you should only change the parent of the base dir to 000
[21:21] Bertl: a lot of users are using the unstable tree and gain the benefits of a debian package, while the ones using stable just fall back to vanilla kernels as we do
[21:22] AGoe (~agoeres@D8356.d.pppool.de) left irc: Quit: for the rest, I think someone needs to sleep
[21:23] Bertl: Ah, ok... is there a url with a technical explanation on this issue?
[21:23] IIRC the statement is chmod 000 /path/to/vserver/..
[21:23] fbc: http://list.linux-vserver.org/archive/vserver/msg00729.html
[21:23] there are some pieces ... http://dns.solucorp.qc.ca/howto.hc?projet=vserver&id=62 for example ...
[21:25] in 2.6 we can probably use extended attributes instead of chmod
[21:26] thanks to all, I recalled having read to chmod 000 every vserver folder, not the parent
[21:27] @enrico are eattr supported on all filesystems yet?
[21:27] (in 2.6 I mean)
[21:27] afaik, only the main ones (ext2/3, xfs, nfs; dunno about reiser)
[21:28] well, that should be sufficient then ...
[21:28] we can test this in the next 2.6 release ;)
[21:29] currently, 2.6 kills my 2.4 filesystems :(
[21:29] hey cool ... how so?
[21:29] (after playing with attributes/selinux)
[21:30] when trying to access them, I get something like 'tried to access block 33252355223, max=83553'
[21:30] can be fixed partly by removing 'has_xattr' attribute with debugfs and calling fsck. But then, all symlinks are gone
[21:30] hmm, this is with 2.6-test11?
[21:31] I used 2.6-test11, called selinux's 'make relabel' (which sets xattr) and tried to go back to 2.4.23
[21:32] there must be an existing fix by Stephen Tweedie since last friday, but I have not reached him yet
[21:48] netrose (~john877@CC3-24.171.21.47.charter-stl.com) left irc: Ping timeout: 480 seconds
[22:28] shuri (~ipv6@ipv6.electronicbox.net) left #vserver.
[22:40] > Aha - the vserver code uses a var called PROFILE which is set to prod
[22:40] > (meaning production). Unsetting has allowed the compile to run as
[22:40] > normal.
[22:40] hmm .. maybe we should unset some variables ...
[22:41] shuri (~ipv6@ipv6.electronicbox.net) joined #vserver.
[22:54] hello, anyone still here?
[22:54] nope, everyone left .. ;)
[22:54] somebody here?
[22:54] hm
[22:54] what do you need?
[22:55] humm, let me see... yepp, i'm here ;)
[22:55] now i entered /sbin/lilo, but then linux says: Fatal: open /vmlinuz: No such file or directory
[22:55] probably /vmlinuz doesn't exist?
[22:55] of course it exists
[22:56] hmm, why should lilo say this then?
[22:56] debian:/# dir vmlinuz
[22:56] vmlinuz
[22:56] debian:/#
[22:56] it exists^^
[22:56] try ls -la /vmlinuz
[22:57] ok
[22:57] and let me have a look at your lilo.conf .. either via web, dcc or mail ...
[22:57] you have VNC?
[22:58] wait..
[22:58] you mean virtual network client?
[22:58] yes
[22:58] yes, there should be one somewhere, just a minute ...
[22:59] TightVNC viewer version 1.2.5 (based on VNC 3.3.3r2)
[23:05] Nick change: surriel -> riel
[23:27] what is the debian package required for vserver-0.29 utils?
[23:40] netrose (~john877@CC3-24.171.21.47.charter-stl.com) joined #vserver.
[23:45] vserver
[23:45] it contains the std base vserver-stat software etc
[23:45] hmm, vserver-0.29 (jack) seems to require ext2 libs (devel)
[23:47] and sebastian was looking for that package ...
[23:47] libe2fs-dev
[23:48] i just recompiled to 0.29 myself
[00:00] --- Sat Dec 13 2003