[00:00] infowolfe, out o curiosity, what are you getting? [00:06] click (click@gonnamakeyou.com) joined #vserver. [00:07] /usr/lib/util-vserver/vserverkillall: fork: Resource temporarily unavailable [00:07] infowolfe: weeks I know that error! [00:07] eeks I mean [00:07] nathan, could be the nproc thing popping it's ugly again [00:07] infowolfe: I got the same with 1.3.3 [00:07] must be new bug then [00:07] meebey, it was supposed to be fixed in 1.3.4, i guess it wasn't [00:08] nathan, would you let Bertl know that it's happening again [00:08] Herbert thought it was just my normal kernel behavoiur :) [00:08] nathan_, S_FLAGS="lock nproc sched" on that vserver [00:08] infowolfe: lock I used too [00:08] i gotta run, if you're US and need to talk to me, 410-961-8311 [00:08] nproc not, sched not [00:09] infowolfe: I can also tell Herbert [00:09] meebey, i appreciate your help, but nathan knows more about the nuts and bolts of the vserver patches [00:09] :) [00:10] nathan_, even with S_FLAGS unset, it displays same behavior [00:10] and /bin/bash: fork: Resource temporarily unavailable [00:10] so it's a problem with things forking i guess [00:11] i gotta run, nathan, i assume you're us? if you are, call me, let it ring twice and i'll call you back if you need more info on that vserver [00:11] hhmm Herbert let me put some debug printk() into the fork code, but I didnt get any log entries... [00:15] dont under estimate meebay info :) [00:15] sorry i was talking to someone [00:15] ill take a look when i get back i gotta run out [00:18] JonB (~jon@129.142.112.33) joined #vserver. [00:34] tanjix (ViRu_@pD9049C23.dip.t-dialin.net) left irc: [01:14] WSU (~Josh@ny.webpipe.net) joined #vserver. [01:14] Hi [01:15] I am just looking for the VSkel package that Simon Garner released [01:15] anyone have it? [01:19] anyone around? [01:20] i'm here [01:21] You wouldn't happen to have a copy of the vskel script would you? [01:22] nope [01:22] I have a vskel-0.20.tar.gz [01:23] http://swordfish.drown.org/vskel-0.20.tar.gz [01:23] Great! [01:23] thanks [01:23] mind if I add your link to the wiki? [01:23] yeah, make a note that it's a mirror [01:23] or a copy [01:23] -k- [01:32] monako (~monako@ts1-a95.Perm.dial.rol.ru) joined #vserver. [01:33] Hello monako [01:34] hi [02:12] JonB (~jon@129.142.112.33) left irc: Quit: Client exiting [02:12] Nick change: Bertl_oO -> Bertl [02:13] hi WSU! [02:13] hi monako! [02:16] hi Bertl [02:16] Just recompiling kernel to 2.4.24 [02:17] damn security holes [02:17] hey that can be done by recompiling? I always had to patch ;) [02:17] lol [02:17] patch and recompile [02:20] hi Bertl! [02:21] everything fine here? [02:21] no [02:21] everything sucks [02:21] lol [02:22] hmm why do you think so? tell me about your problems! /eliza off [02:31] /usr/lib/util-vserver/vserverkillall: fork: Resource temporarily unavailable [02:31] Action: infowolfe clears throat [02:31] *ahem* [02:32] okay, what versions, what compiler? [02:34] q [02:34] hey bert [02:35] hi nathan_! [02:35] wolfe is here so i guess i dont need to relay his problem [02:39] hmm, not sure he hasn't already shot himself ... [02:41] /usr/lib/util-vserver/vserverkillall: fork: Resource temporarily unavailable [02:41] nathan, could be the nproc thing popping it's ugly again [02:41] nathan, would you let Bertl know that it's happening again [02:41] nathan_, S_FLAGS="lock nproc sched" on that vserver [02:41] nathan_, even with S_FLAGS unset, it displays same behavior [02:41] and /bin/bash: fork: Resource temporarily unavailable [02:41] not sure if you had that in your buffer :) [02:42] hmm, yeah I had ;) [02:43] Action: infowolfe says *BANG* oops, i'm dead [02:43] Bertl, it's 2.4.24-ck1-vs1.3.4... [02:43] gcc 3.2.3 afaik, lemme check [02:44] okay, I assume there is something bad happening to the process accounting ... [02:44] are you interested in locating/fixing that one? [02:44] Action: Bertl hehe good question! [02:48] Bertl, are you talking to me? [02:48] Action: infowolfe isn't a programmer [02:48] Action: infowolfe is merely a guinea pig [02:48] yeah sure I'm talking to you! [02:49] locating/fixing huh? [02:49] i think that kinda thing is outta my league :( [02:49] well you could run some tests for me ... [02:49] i can do that anyway [02:49] and you could describe your setup [02:49] or you could just tell me some jokes, while I'm fixing that issue ;) [02:50] when I know what 'really' happens, then I might be able to reproduce it here, and if this is possible, it's only a small step to fix it ... [02:51] So this pirate walks into a bar... [02:51] :) [02:51] lol [02:51] Action: infowolfe says ARRRRR [02:51] most times fixing something is the easiest part, finding where it is bronken, is hard ... [02:51] Bertl, what would you like to know? [02:51] everything ;) [02:51] gcc (GCC) 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r3, propolice) [02:52] you already have the kernel version [02:52] yeah, what did you do ... until the issue popped up out of nowhere? [02:52] http://thor.hardcore-linux.net/weed.conf [02:52] that's the vserver configuration [02:52] um.... [02:52] hrm.. [02:52] i ran vs1.22 and it worked? [02:52] lol [02:53] and when i switched to 2.4.24-ck1-vs1.3.4 it broke when i attempted to do a vserver start [02:53] hmm, okay, so let me note, your fault probably was: running a working 1.22 before ... [02:53] lol [02:54] so I guess I won't get more info out of you, besides 'bertl, it fails!' right? [02:55] i don't know what information you'd like [02:55] here [02:55] hold on [02:55] http://thor.hardcore-linux.net/weed.txt [02:55] enjoy [02:55] that's all i have [02:56] tell me where to look and i might find some more info for you... but i really don't know what you want [02:56] and no... "everything" isn't descriptive enough [02:56] well no problem, I'm good at guessing ... [02:56] lets play some Q&A okay? [02:56] ok [02:57] how many vservers are on that system? [02:57] a few [02:57] how many vserver are started at the same time? [02:57] 5 [02:58] do you enter the vserver with vserver enter? [02:58] Tamama (Pluh@a62-216-20-152.adsl.cistron.nl) joined #vserver. [02:58] oy [02:58] hoi Tamama! [02:58] can i enter it? [02:58] yah [02:58] gutenmorgen :D [02:58] bash: fork: Resource temporarily unavailable [02:58] [root@vserver:weed /] [02:59] do you usually 'enter' them or o you logon via ssh, for example? [02:59] s/o/do/ [02:59] i usually start them via init script and then leave them the hell alone :-p [02:59] lol [02:59] ssh usually [03:00] Action: infowolfe thinks it could be his own ulimit stuff, brb [03:01] heh [03:02] i got my suexec/php to work in a vserver :D [03:02] congrats,! [03:02] by using binfmts in the kernel to a vserver path ;) [03:02] hmm, isn't that some overkill? [03:02] works like a charm [03:03] Bertl, i'm getting the fork: Resource temporarily unavailable all over the place now [03:03] why? i can now start .php files from the command line, like a normal executable.. and it does not need the #!/usr/.... stuff [03:03] with ULIMIT= [03:03] with ULIMIT set from -u 200 to -u 1000 [03:03] okay, infowolfe can we now continue the Q&A? [03:05] sure [03:05] okay, when you start the vserver, how many processes are started (estimation) [03:06] 5-10 daemons [03:06] how long does it take (approximately) until this shows up? [03:06] from what point? [03:07] from the point where a vserver is started [03:07] depends on the vserver, sometimes immediately sometimes not [03:07] but i can't get the one to *STOP* ... [03:07] so i can start it and figure out how long it'll take [03:07] well, you can actually with 1.3.4 [03:08] how? [03:08] there is a new syscall to wipe out an entire context ... [03:08] and IIRC enricos tools support this sycall ... [03:08] so you can send a TERM followed by a KILL to all processes,w hich will stiop the context ... [03:09] using vkill? [03:09] or from inside the verserver [03:09] yes, using vkill [03:09] you can use my tool too ... it does the same ... [03:10] what's your tool? [03:10] the vkill utility ... I thought you where refering to that ... [03:10] http://www.13thfloor.at/vserver/d_release/v1.3.0/vkill-0.01.tar.bz2 [03:10] lol... [03:10] umm, there's another vkill i think [03:11] yeah, probably is .. jacks tools also have one ;) [03:11] but that one requires to 'enter' the context ;) [03:12] ah... [03:12] so, assuming context id is 10... (since i can't comprehend your -h right now) [03:12] what do i type :-p [03:13] hmm could you provide my -h, I can't remember ;) [03:13] vkill: invalid option -- - [03:13] This is vkill V0.01 [03:13] options are: [03:13] -h print this help message [03:13] -k kill (signal num) [03:13] -p target pid (def. 0) [03:13] -x context id [03:13] -V verify interface version [03:13] -- end of options [03:13] okay vkill -x 10 -k 15 [03:13] alright [03:14] should send a term to all processes in ctx 10 [03:14] it says no such process :-p [03:14] ok [03:14] try vkill -x 10 -k 15 -p 0 [03:14] on stop.. [03:15] /etc/rc6.d/S01reboot: fork: Resource temporarily unavailable is after "send all processes TERM signal" [03:15] RoMo (rmoriz@rmoriz.cpan.de) left irc: Read error: Connection reset by peer [03:16] it starts just fine... [03:17] hey, i'm running to the store really quick [03:17] brb in 10 minutes [03:17] hmm, nathan? [03:23] ok [03:23] i'm home [03:24] Tamama (Pluh@a62-216-20-152.adsl.cistron.nl) left irc: Ping timeout: 492 seconds [03:24] hmm, I'd call that quick! [03:24] it's COLD outside [03:24] hmm, how cold? [03:24] umm [03:24] 1 sec [03:25] Action: infowolfe taps out www.weather.com [03:25] wrong unit, it should be degree or such ... [03:25] 30F feels like 18F [03:25] which in centegrade... is umm, i dunno :-p less than 0C :-p [03:25] hmm, cold? it is -10°C here ... [03:26] 30 is -1C [03:26] C = (F - 32) / 1,8 [03:26] but it *feels like* -7C [03:26] F = (C x 1,8) + 32 [03:26] or something like that [03:27] okay, would you be able to run some tests with a patched kernel? [03:29] lol [03:29] sure [03:29] but my kernel is currently patched :-p [03:29] lo [03:29] lol [03:29] Action: infowolfe is being difficult [03:30] yeah, but I'll provide some additional fun patches, okay? [03:31] like? [03:31] like the one, I'm currently hacking together, just for you ;) [03:31] Action: infowolfe doesn't like the sound of that [03:34] http://vserver.13thfloor.at/Experimental/iw01.diff [03:36] what does this one do? :) [03:36] add some proc info ... [03:46] nathan_: I would like to do a backport of the 1.3.3 stuff for 1.23 to remove the locking issues, would you be able and willing to test this? [03:47] Bertl, is that one for me? [03:47] yeah sure iw01 = InfoWolfe 01 =) [03:47] ah [03:47] thanks [03:50] compiling [03:51] Tamama (Pluh@a62-216-20-152.adsl.cistron.nl) joined #vserver. [03:51] weirdness [03:51] yeah, I agree, I thought you where already here?! [03:51] somehow the network interface stopped responding on this computer [03:52] had to reset my router as well [03:52] a vserver issue? [03:52] no this is a w2000 machine [03:52] ah a Micro$oft issue ... [03:54] something like that [03:55] well seems that i got most of this to work so far... [03:55] does anyone currently have redhat kernel + vserver packages? [03:55] you mean, precompiled or patches? [03:56] well, either patches against recent redhat kernels. or packages [03:56] precompiled [03:56] hmm, what is a recent RH kernel? [03:57] and what redhat distribution? [03:57] redhat 9 [03:58] afk, brb [03:58] hmm, no kernel version? [03:59] hm so far i got most of the stuff i need to work in vservers [03:59] sounds good, what doesn't work yet? [03:59] no idea, im still installing :) [04:00] ahh, godd keep installing ... [04:00] but mysql/apache/bind/php/etc all work fine [04:01] i dont even want nasty stuff like hardlinked socket inodes [04:01] heh [04:02] hm [04:02] Bertl, rebooting with the new patch [04:02] 246 MB used memory [04:03] but 155MB is in buffers [04:03] whatever that means heh [04:05] that means, that linux was smart enough, not to throw away, in memory copies of files you accessed some time ago ... [04:06] so it started using my swap instead :D [04:06] Bertl, didn't work [04:06] infowolfe: how could you tell? [04:06] /etc/rc6.d/S01reboot: fork: Resource temporarily unavailable\ [04:06] bash doesn't give the fork error [04:06] and things *look* a bit cleaner [04:07] I was hoping that you get that one, this patch didn't fix anything, it just added some instrumentation to get a closer look at the issue ;) [04:07] lol [04:07] lol [04:07] what a butthead :-p [04:07] but a small placebo effect can be observed, nice ;) [04:08] okay, vserver is running? [04:08] xid = ? [04:10] gah.. im getting those stupid errors again ... heh [04:11] 10 again [04:11] okay, what does 'cat /proc/virtual/10/limit' output? [04:12] VM: 0/-1 [04:12] VML: 0/-1 [04:12] RSS: 0/-1 [04:13] hmm, you might have forgotten to apply the patch at all, or compiled the wrong kernel, or booted the old one ... [04:14] i forgot to apply the patch :( [04:15] *oops* [04:16] rebuilding now [04:16] how do you 'rebuild' [04:16] make dep clean modules modules_install install [04:16] hmm, you could save some time by just doing [04:17] make dep bzImage modules install modules_install [04:20] save time? [04:20] oh [04:20] yah... [04:20] but i don't like bzImage... :-p [04:20] lol [04:21] i am sure bzimage doesnt like you either :D [04:24] nathan_: still around? [04:25] hm so far vservers have been a great help to me... every time i really screw up with an install, i just delete the vserver and remake it :D [04:26] I'm glad you like it ;) [04:27] PROC: 1/500 [04:27] VM: 0/-1 [04:27] VML: 0/-1 [04:27] RSS: 0/-1 [04:27] hmm, we are getting somewhere ... [04:28] and cat /proc/virtual/10/status ? [04:30] ensc: enrico, are you there? [04:31] yep [04:31] regarding the initpid issue on 1.22 [04:32] RefC: 3 [04:32] Flags: 00000007 [04:32] Ticks: 0 [04:32] nr_threads: 3 [04:32] nr_running: 0 [04:32] I'm looking at the code, and it seems like it requires a second syscall with xid=-2 to set this .... [04:32] max_threads: 0 [04:32] total_forks: 49\ [04:32] infowolfe: okay, and this context gives you the for() message, when you do what exactly? [04:33] s/for/fork/ [04:33] attempt to stop it [04:34] that is the only way to cause this? [04:34] afais, chcontext is doing this second syscall... [04:34] could you verify? [04:34] but without the flags... [04:35] hmm, wrong, the VX_INFO_INIT is required ... [04:36] well, I don't think that the way it works in 1.22 is smart anyway, and therefor I removed this specialities in 1.3.x [04:37] Jacques used this second call to set the hostname (first call with full capabilities, second one reomves them) [04:37] those quotas ar weird [04:37] ensc: yeah, actually the -2 call does the following: [04:37] - vx_set_initpid(vc_data.flags); [04:37] if ret=0 [04:38] current->cap_bset &= (~vc_data.remove_cap); [04:38] if (vc_data.flags & VX_INFO_INIT) [04:38] current->s_info->initpid = current->tgid; [04:38] current->s_info->flags |= vc_data.flags; [04:38] so it is quite weird ... [04:39] would it hurt when second call has all flags, or should I set INIT only? [04:40] doesn't hurt, if the flags are appropriate ... [04:41] hm [04:41] ensc: I'm not even sure that this is required at all, let me dig a little deeper ... [04:45] nathan_, hey im here [04:45] im heading over to my girlfriend sbut ill be back on when i get there [04:46] Bertl, yea i can test the 1.23 [04:46] okay .. cu l8er [04:46] im heading over there now, ill be on in like 20m. [04:46] see you soon [04:46] nathan_ (~nathan@209-6-130-26.c3-0.sbo-ubr1.sbo-ubr.ma.cable.rcn.com) left irc: Quit: [BX] Reserve your copy of BitchX-1.0c20cvs for Windows CE today! [04:48] ensc: I guess jack never tried (or even considered) this code path, or the possibility of having a static context and a fakeinit ... [04:48] Bertl, let me know what to try next [04:49] infowolfe: it would be interesting to do the shutdown process line by line if that is possible ... [04:49] Tamama (Pluh@a62-216-20-152.adsl.cistron.nl) left irc: Ping timeout: 499 seconds [04:49] or do you know any other way to 'get' those fork() messages? [04:50] Bertl, i'll investigate the script that seems to be causing the problems [04:51] try to narrow it down with some printf (yeah bash can do that) or sleeps ... [04:51] i know it can [04:53] yummy [04:54] infowolfe: add 'set -x' at the top of the script [04:54] Bertl, if i vserver weed stop and it fails out due to the fork() problems... and then i attempt to enter and edit /etc/rc.d/rc it freaks out [04:55] okay, please explain 'freaks out'? [04:55] and *everything* gives a bash fork error [04:55] perfect ... [04:55] show me the proc values now [04:55] Tamama (Pluh@a62-216-20-152.adsl.cistron.nl) joined #vserver. [04:55] hm.. [04:56] definately a router prob [04:56] + egrep -q '(daemon |action |success |failure )' /etc/rc6.d/S00killall [04:56] Bertl, with it alive or dead [04:56] /etc/rc.d/rc: fork: Resource temporarily unavailable [04:56] what does chcontext --ctx 10 true [04:56] return? [04:57] new security context is 10 [04:57] from inside or outside the vserver [04:57] outside ... inside would probably be very complicated to do ... [04:57] lol [04:57] [root$thor]::root> chcontext --ctx 10 true [04:57] New security context is 10 [04:57] okay, chcontext --ctx 10 bash [04:57] then? [04:58] ooh, thor :) [04:58] that's it [04:58] RefC: 2 [04:58] Flags: 00000007 [04:58] Ticks: 0 [04:58] nr_threads: 2 [04:58] nr_running: 0 [04:58] max_threads: 0 [04:58] total_forks: 143 [04:58] that's the status [04:58] okay, and the /proc/virtual/10/limit ? [04:59] PROC: -4/500 [04:59] VM: 0/-1 [04:59] VML: 0/-1 [04:59] RSS: 0/-1 [04:59] aha, there we go ... [04:59] accounting issue on the NPROCs ... [04:59] now we have to find the cause for PROC being below 0 [05:00] uninitialised variable? *whistles* [05:00] I'll give you some commands to execute, and after each one, you do the following and report the result: [05:00] ok [05:00] grep PROC /proc/virtual/10/limit [05:01] (this is the one to be repeated after each command) [05:01] PROC: -4/500 [05:01] good [05:01] oh, oh [05:01] ok* [05:01] chcontext --ctx 10 false [05:02] New security context is 10 [05:02] PROC: -5/500 [05:02] okay, guess this is it ... [05:02] -4 to -5 [05:02] wow [05:02] :) [05:02] every time you enter the context, nothing is changed, and every time you exit inside the context, the limit is decremented [05:03] tnichols (~tnichols@202.6.150.242) joined #vserver. [05:03] hi tnichols! [05:03] ah [05:03] howdy people [05:03] infowolfe: so we try now to fix that issue ... [05:03] what did you do to get /proc/virtual ? [05:03] stubbsd (~stubbsd@public2-birk1-6-cust242.manc.broadband.ntl.com) left irc: Ping timeout: 499 seconds [05:05] is there any way i can check if that happens for me too? no /proc/virtual entry [05:05] what version? [05:05] 1.22 [05:05] there is no such check/accounting in 1.22 you should be safe ... [05:05] hm [05:06] do you get the same/a similar error? [05:07] hm [05:07] how come vserver-stat gives me ctx 0 + vservers [05:07] yet chcontext --ctx 0 _some_command_ needs actually ctx 1 to see root? [05:08] well, ctx 0 is the 'HOST' context, which actually means 'no context at all' [05:09] so why does 1 gets to be 0 ? [05:09] no, '1' is the VIEW or SPECTATOR context, which actually sees all processes [05:09] oh.. now that you mention it.. it does have a lot more ;) [05:10] the idea behind that is that you probably don't want to see all processes in the HOST context ... [05:10] Herbet referred me to here from the mailing list, anyone here able to help me with the "Invalid Argument" / tunnel errors I am having? [05:10] learn something usefull every day :) [05:10] so this was moved to the 'special' context 1, and tje HOST context only sees the processes without a context ... [05:11] tnichols: lets hear about it ... [05:11] our box "vsm" is running a number of IPIP tunnels to remote networks, as well as running virtual servers [05:12] when we upgraded to 1.22 we also swapped to use the v_sshd wrapper and took out the ListenAddress bind [05:12] ssh worked fine, could do whatever we wanted [05:13] any network that went via a tunnel is inaccessable with the "Invalid Argument" error, however [05:13] infowolfe: try http://vserver.13thfloor.at/Experimental/iw02.diff ontop of your current kernel ... [05:13] running a standard sshd with ListenAddress does not have this issue, and within virtual servers we are able to access the sites with no probs [05:14] tnichols: ah okay, and probably you specified 'only' the ssh ip address in the v_sshd wrapper, right? [05:14] yeah .. well we had "eth0" and "eth1" listed [05:14] I guess I understand you setup now ... [05:14] and I know why it doesn't work with the v_sshd wrapper ... [05:14] ah ok [05:15] let me explain, you'll se why it can't work this way ... [05:15] the v_sshd wrapper does nothing else but calling chbind with some arguments ... [05:16] chbind in turn, _ensures_ that no address outside the given range/set can be bound/connected ... [05:16] while the sshd will work fine with that setup, the processes started via that setup, will be limited to those addresses too .. [05:17] yeah that makes sence, the thought crossed my mind [05:17] now creating some tunnel/etc ... over this sshd can't work ... [05:17] unless you either specify the used addresses ... [05:17] well the tunnels are established on bootup (outside of any context) [05:17] Bertl... [05:18] vcontext.c: In function `vx_migrate_task': [05:18] vcontext.c:363: incompatible type for argument 1 of `atomic_dec' [05:18] vcontext.c:366: incompatible type for argument 1 of `atomic_inc' [05:18] infowolfe: add a & after the ( [05:18] tnichols: what adresses do they use? [05:19] an example for one tunnel: [05:19] ip tunnel add tun14 remote 202.191.111.2 local 202.191.97.17 mode ipip [05:19] ip addr add 192.168.0.218/30 dev tun14 [05:19] ip link set tun14 up [05:19] route add -net 192.168.24.0/24 gw 192.168.0.217 [05:19] bertl, which "(" [05:20] infowolfe: there is only one '(' in each of the reported lines ;) [05:20] atomic_inc(&vxi->limit.res[RLIMIT_NPROC]); ?? [05:20] tnichols: and what is you sshd config? [05:20] not the actual sshd.conf [05:20] the vserver config in /etc/vservices/sshd.conf ... [05:21] [root@vsm rc.d]# cat /etc/vservices/sshd.conf [05:21] #!/bin/sh [05:21] IP="eth0 eth1" [05:21] so you bind for eth0/eth1 ... those will work, others not ... [05:21] the wierd thing though, if I set the source IP it did work [05:21] what source ip? [05:22] let me check (it was a couple hours ago that I tried experimenting with this stuff :-) [05:22] infowolfe: yup, in both cases .... [05:25] ah bugger.. i tried my experiment again and it worked this time... ;-) [05:25] either that or I have done something different (more likely) [05:26] [root@vsm rc.d]# chbind --ip tun7 --ip eth1 sshd -p 2244 [05:26] ipv4root is now 192.168.0.249 172.16.0.1 [05:26] [tnichols@syc-it tnichols]$ ssh -p 2244 vsm [05:26] Last login: Wed Jan 7 12:22:32 2004 from syc-it.syc.net.au [05:26] [tnichols@vsm tnichols]$ ping syc-it [05:26] PING syc-it.syc.net.au (192.168.10.3) from 192.168.0.249 : 56(84) bytes of data. [05:26] 64 bytes from syc-it.syc.net.au (192.168.10.3): icmp_seq=1 ttl=254 time=83.4 ms [05:27] and without the tun7 it fails, right? [05:27] hhm strangely enough it is actually working still... [05:27] Tamama (Pluh@a62-216-20-152.adsl.cistron.nl) left irc: Ping timeout: 499 seconds [05:27] [root@vsm rc.d]# chbind --ip eth1 sshd -p 2244 [05:27] ipv4root is now 172.16.0.1 [05:32] hmm *ponder* [05:32] this does work now too? [05:33] if so, give it a few minutes too cool down the arp cache ... [05:34] yeah I just started up sshd using exactly the same arguments as v_sshd and it is now using the public IP of the box to ping, getting a reply from the public IP of the router (when pinging a machine behind the router) [05:34] [tnichols@vsm tnichols]$ ping syc-it [05:34] PING syc-it.syc.net.au (192.168.10.3) from 202.191.97.17 : 56(84) bytes of data. [05:34] 64 bytes from syc-na-gw.syc.net.au (202.6.150.242): icmp_seq=1 ttl=238 time=84.3 ms [05:34] ipv4root: 1161bfca/f8ffffff 010010ac/00ffffff [05:34] ipv4root_bcast: ff0010ac [05:35] it appears that running with eth1 then eth0 provides the correct results now [05:35] strange :-) [05:35] well, the current implementation asks the routing cache first, and then replaces the source address ... [05:36] if nothing is found ... [05:36] and it behaves differently if one ip is used than with more addresses ... [05:37] is it possible that with all the fritzing and experiments that it has gotten past the "Invalid Argument" stuff and now doing more sane things but after a reboot will cause the same issues? [05:37] I guess this setup is metastable .. [05:38] I would suggest to either wait some time until the routing/arp cache is expired ... [05:38] ok [05:39] or flush those caches [05:39] whats the way to flush the routing cache? [05:39] and I don't see a point in using the chbind in your case at all ... although it might be an interesting experiment ... [05:40] well thats a very good point :-) [05:40] I tell you, I don't know, maybe there is none, besides rebooting, I'm no network expert ... [05:41] i probably shouldn't experiment on a production machine I might just set it up to use standard sshd with the ListenAddress' set [05:43] thanks for all your help -- at least I feel I understand what the issue was now [05:43] the idea behind the v_* wrappers is, to ease setup for the default user ... [05:43] they 'should' just limit to the 'real' addresses ... I guess they are not appropriate for your advanced setup ... [05:44] ensc: http://vserver.13thfloor.at/Stuff/Logic.txt [05:44] Bertl, the new kernel is up [05:45] Bertl: thx, but sure that xid==0 works in the described way? afair, this gives -EINVAL [05:47] and it's happy [05:48] Bertl, the fix worked, as usual [05:48] infowolfe: great ... [05:53] ensc: I forgot the switch_user_struct() [05:53] ensc: updated it ... [05:53] Bertl, so is that going into 1.3.5? [05:53] yup [05:53] it's a crystal clear bug ... [05:55] and you found it ;) [05:57] Bertl: are there any details about the /proc issue? [05:58] or solutions? [05:59] which one? [06:00] will the next kernel patch solve it? [06:00] i'm leaving... later folks [06:00] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) left #vserver. [06:01] enrico, which one? [06:01] Bertl: mounting it read-only can break too much things (e.g. a later 'sysctl -p' in the host) [06:01] Bertl: I mean writing into /proc files [06:01] ah okay ... [06:01] nathan and I are 'thinking' about solutions ... [06:02] I was thinking about adding the RO bind mount patch to vserver ... [06:02] IMO, that writing into scsi is allowed is a bug in scsi.c [06:03] I have no problem with fixing 'all' those bugs in /proc but how do we find them? [06:04] nathan_ (~nathan@h0800460766be.ne.client2.attbi.com) joined #vserver. [06:04] find /proc -type f | xargs write-into-file [06:05] okay, please do that for me, but please with all drivers loaded ... [06:07] hi nathan_, what does you girlfriend say, when you are kernel hacking instead of ... [06:07] I do know if using a more general solution like mounting /proc readonly in non-host contexts would be good. E.g. with new /proc interface for vservers, some parent vservers might want to do something there for their children [06:08] what about the ro --bind solution, would that be better? [06:09] same; there might be valid reasons for a vserver to write into /proc/virtual// [06:09] (when you have something to write there...) [06:10] hmm, do we want something to write there? [06:10] personally I don't like the proc write interface at all ... [06:10] I do not know the future... ;) [06:11] so without good reason, I would not add any write stuff there ... [06:11] as I see it, we have 3 options [06:12] a) add a generic wrapper, which makes (maybe depending on a flag) procfs read only in a vserver [06:12] b) do not mount procfs inside a vserver, use mount --bind for that (with ro) [06:13] when will b) working? [06:13] c) add a check for all proc writeable stuff ... [06:13] you mean when will b) b working? ;) [06:14] a) does not make much sense; I do not have servers with CAP_SYSADMIN running and a writeable /proc would be equal at the moment [06:15] does your 2.6 patch coexists with SELinux? [06:15] hmm why doesn't it make sense then? I mean to restrict that based on a flag? [06:16] what part of SELinux is in 2.6? [06:16] because every vserver would have this flag... [06:17] and be protected, yeah, why not? [06:17] what do you mean with 'which part'? [06:17] which part dof SELinux in 2.6 do you think will/could interfere? [06:18] the usual access restrictions; when you say role X can access /proc/scsi/scsi only, and run vserver with role Y, it would protect you (although I am not really sure, how this restrictions are working on pseudo filesystems) [06:19] patch-2.6.0-test3-bme0.03.diff applies to 2.6.0 without any issues ... [06:20] if the checks are coded properly, they will work on the dentry level ... [06:21] so they should work on procfs too ... [06:21] the only reason for such effects like remounting procfs ro, changes every proc mount is [06:21] regarding the flag: doing it in this way would require that parent-vservers are somehow special privileged (and can shutdown the machine or remove scsi devices) [06:21] that there are SINGLE filesystems (which means they have only one superblock) [06:22] Bertl, she gets angry at me and tells me to rub her back [06:22] yeah, that is correct, but they would be priviledged too if they would have write access to the proc in the first place, right? [06:23] nathan_: greetings to her, and do not rub her off ... [06:23] hehe [06:24] hmm, enrico, you could make certain parts of proc readable with --bind mounts ... [06:24] Bertl: when entire /proc would be protected by capabilities, this would not be an issue [06:25] eh, writeable I mean ... [06:25] does this work? [06:25] sure, why not? [06:25] Bertl, sounds like we are talking about using bind points instead of a new sb flag? [06:26] it's an option, or better something which crossed my mind ... [06:26] '--bind -o ro' does not work, as you know. So '--bind -o rw' will probably fail also [06:26] okay, I'm assuming that bme patch is applied ;) [06:26] the original /proc would be mounted rw [06:26] you would do a --bind -o ro [06:26] and then a --bind ontop of that [06:27] any reasons why this patch is not in the official kernel yet? [06:27] does that work as expected with the vanilla kernel or is that what the bme adds? [06:27] ensc: yeah, Al Viro had no time for me yet, and Marcelo + Andrew said, if Al Viro says, it's okay, we put it in ... [06:28] and I'm tired of sending that old patch over and over again ... [06:28] man cron ;) [06:29] yeah, sometimes I actually consider that an appropriate approach [06:31] okay, nathan_ what was your progress on the flag stuff? [06:31] Bertl, parse_options is not being executed as i had expected [06:32] hmm, I was wondering about those options in the first place ... [06:32] okay, but you can force that flag, just for testing, right? [06:33] yea and in doing that it seemed that vfs_permission() didnt catch what was needed in proc [06:35] hmm, I almost expected that ... certainly feared it ... [06:36] so basically we have the following options to implement this: [06:36] if we were to go global with it and just add it on to IS_RDONLY, would that really be that bad? [06:36] a) do the same I do with the ro --binds (means on a per mount basis) [06:37] b) change/intercept every write funtion for proc inodes [06:38] c) find an other solution, maybe by reducing procfs per se ... [06:38] any other ideas? [06:39] #define IS_RDONLY originalcheck || VX_RDONLY(inode) :) [06:39] did you try that? [06:39] testing right now [06:39] it hold one issue, namely not being able to do it on a per mount basis ... [06:40] Bertl, VX_PROC? [06:40] vx_check(0, VX_PROC) [06:40] or VX_RWFS or whatever would make sense [06:40] yeah, but only a single superblock, I forgot about that last time :( [06:41] Bertl, right the sp will flag us as to wheather we should check the vx permissions and then we check for a VX_PROC flag in the ctx [06:41] tnichols (~tnichols@202.6.150.242) left irc: Quit: Leaving [06:42] not very granular but i think it would work [06:42] yeah, but either this flag is set, which means that the check will be done for all mounts of proc, or it is not ... [06:42] ah right so the full check will be done for all proc accesses [06:43] obviously no longer a simple and [06:43] and in all vserver, no excuse ... [06:44] yea so thats less than ideal [06:44] we could replace that flag by a compile time option ... [06:44] this would actually save some code when disabled ... [06:44] Bertl, does the bme allow the --bind to work correctly in ro on a proc? [06:45] havent tried, but it should work, that's what it is designed for ... [06:45] so assuming that worked, make a few changes in the scripts and that seems like a decent solution? [06:46] well, it's the best solution I can envision atm. [06:46] but maybe we are 'just' missing something ... [06:47] and as someone pointed out i imagine something like mount -o rw --bind /proc/virtual /vservers/procvirtual/ would work as well? [06:47] in the event that someone in a vsever needs to write to proc [06:47] not exactly transparent, but workable [06:47] yeah ... [06:47] but maybe we can solve this in a totally different way ... [06:48] and even gain some benefit from it ... [06:49] enrico, ignoring this /proc issue, would the --bind ro mounts be useful for your setup/server creation/installation/update stuff? [06:55] infowolfe (~infowolfe@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver. [06:55] hey bertl, getting something interesting with apache [06:56] let's hear ... [06:56] it won't bind to anything but the primary ip it seems [06:57] cat /proc/self/status inside that vserver gives you? [06:59] Bertl: yes, this '--bind ro' would save *lots* of trouble [06:59] http://www.cshcl.net/status.txt [07:00] fe9cd03f/00ffffff fb9cd03f/00ffffff [07:00] meaing? [07:00] hmm, you did only bind to one address. but twice? [07:00] monako (~monako@ts1-a95.Perm.dial.rol.ru) left irc: Read error: Connection reset by peer [07:01] ah no fe and fb, sorry ... [07:01] 63.208.156.254 and 63.208.156.251 [07:01] 254, 251 yep ... [07:01] nathan_ (~nathan@h0800460766be.ne.client2.attbi.com) left irc: Quit: BitchX-1.0c20cvs -- just do it. [07:02] ensc: so it would be advantageous to add this stuff anyway? [07:02] infowolfe: hmm, how does apache refuse? to bind to the other addresses? [07:03] Bertl, i've got listens for 251/254:80/443 and it fails on binding for 443... [07:03] hmm, could it be that this address is already bound by some apache on the host? [07:03] couldn't be [07:04] Bertl: yes, but I do not want to overpatch my kernel and to have a long REQUIREMENTS list for my util-vserver [07:04] ensc: well, the latter should not be an issue, if we decide to put bme into the vserver patch, right ;) [07:04] yes ;) [07:05] but the solved problems are orthogonally... [07:05] I assumed that ... [07:06] infowolfe: could you try to setup apache in such way, that it _only_ tries to attach to that failing address/port? [07:06] ah, by the way, did you enable ipv6? [07:07] sure... [07:07] no [07:10] Bertl, user error [07:10] well, those are very common, I guess ... ;) [07:11] lol [07:11] especially with me [07:12] well, I have no problem with that, what I really hate is when somebody comes here, shouts around, what crap this vserver stuff is, until we prove that it is his fault, and then leaves without any comment ... [07:12] lol [07:13] fortunately this doesn't happen (very often ;) on the vserver channel 8-) [07:20] ensc: what interface could you envision to limit the procfs in it's entries (from the userspace side)? [07:21] ideally the existing ones: kernel caps and/or SELinux permissions [07:22] hmm, well we don't have a 'working' selinux for 2.4 right? [07:22] else, there is no problem to add '--bind -o rw' entries to the vserver's fstab file for writable areas [07:23] Bertl: I am looking into the future ;) [07:23] an SELinux *exists* for 2.6 already [07:23] I was more thinking of an interface to limit proc per se, not the access ... reducing the actual entries, for example ... [07:24] or does this work with selinux too? [07:24] no, selinux can not do this. E.g. you see other processes in /proc but can not access them [07:25] but, why do we want to remove entries from /proc? [07:25] for security/stealth purposes maybe? [07:26] does the knowledge about the existence of a proc-entry reduce security? [07:26] might be, just think about counting the pids, for example ... [07:28] ok, this is solved by vserver patch already, but this number can be determined by other ways also (e.g. fork() subsequently and count the holes) [07:29] sure, but for example such things like the mounts or scsi entries, they might leak information ... [07:31] mounts could be solved by CLONE_NS perhaps. scsi by access restrictions of /proc/scsi [07:31] the reason why I'm asking for an interface, actually is, that there already is some kernel side implementation, which would allow to act on special markers inside the proc and simply blend out marked entries (even on a per vserver basis) [07:32] ok, this could happen between create and migrate. Syscall could take an array of filenames (will need 2 user2kernel copy-operations) [07:33] or can this be done namespace related? [07:34] Then, proc-entry hiding could happen everytime [07:34] hmm ... well currently it's inode based ... and I don't know if it would work on a namespace (dentry) basis ... [07:37] well, for a start we could 'hardcode' certain /proc patterns and 'select' them at compile time or via some option ... [07:39] ok, scsi would be a good candidate ;) [07:40] lm-sensors are honoring caps [07:41] I'm not sure what we do about the /mounts stuff, I was hoping this would be solved by now (with a change to CLONE_NS ;) [07:41] at least for the writing-part. Perhaps the read values should be censored to [07:41] o [08:05] loger joined #vserver. [08:06] suhcoolbro (~Suh@216-161-89-24.ptld.qwest.net) joined #vserver. [08:14] okay and hi suhcoolbro! [08:15] serving: I scanned the entire 2.4.23-vs1.22 for a message like this, but I could not find one .. can you reproduce this? [08:24] hola. [08:29] Bertl: hmm. it happens when I do nslookup domian [08:29] could you try to strace this with strace >= 4.5 [08:30] 1 sec [08:38] ok 2 sec [08:38] http://213.186.189.203/vserver/yahoo [08:38] :) [08:40] and for the fun of doing it the same with strace -fF ;) [08:40] ok [08:41] ensc: if (check_mnt(nd->mnt) && (!recurse || check_mnt(old_nd.mnt))) { [08:41] you have to 'ensure' that the 'old' path is a mountpoint for recursive mounts ... [08:42] http://213.186.189.203/vserver/yahoo2 [08:43] hmm, but I don't see the message you mentioned? [08:44] maybe add -s 1000 -x to the -fF [08:47] ok [08:48] is this ok ? strace -fF -s 1000 -x nslookup www.yahoo.com [08:48] I hope so ... [08:49] the pattern is not there either [08:50] hmm, I don't know how or why this message is produced ... [08:50] http://213.186.189.203/vserver/yahoo4 [08:51] the messge appears even when strace is writing to file [08:51] check with dmesg, for a kernel message [08:52] request_module[net-pf-10]: fork failed, errno 1 [08:53] repeated 10 times [08:53] hmm execute logger 'karli' [08:53] then try again ... see if there is a new dmesg entry ... [08:53] or syslog entry ... [08:55] andersen (~andersee@codepoet.org) joined #vserver. [08:55] howdy [08:55] hi andersen! [08:55] request_module[net-pf-10]: fork failed, errno 1 is incremented with everytime the error appears [08:56] Nick change: andersen -> andersee [08:56] Bertl: hi [08:56] how stable is the latest devel stuff [08:56] serving: hmm, seems like your userspace module laoder isn't able to load a network module ... [08:56] andersee: hmm, depends ... [08:57] i.e. should I expect it to wedge my colocated server solid if I install it? [08:57] :-) [08:57] yeah, you should always expect that ;) [08:57] phew. thank God. I thought it was something serious ;)) [08:57] Bertl: heh [08:58] Action: andersee has run daemons within a chroot and such, but not tried vserver yet [08:58] well, I would wait for the 1.3.5 release ... but testing is always appreciated ;) [08:59] if you are looking for something stable to get a first impression, use 1.00 or 1.22 ... [08:59] Bertl: when things wedge, does it tend to hose the host system, or mostly just the client systems? [08:59] Bertl: k [09:00] usually only vservers (clients) are affected by errors/bugs, but races for example, can take down the entire machine, so will do kernel panics ... [09:00] Bertl: has anyone done a comparison, of say, vmware vs UML vs vserver? i.e. for speed and resource utilization? [09:00] hmm, not really, they are somewhat orthogonal ... [09:01] somewhat. [09:01] for example you can run UML in vservers and vserver under uml ... [09:01] sure [09:02] and how for example would you compare features like unification or COW ... [09:02] The net result in either case is a 100% sandboxed Linux system that can be connected to the net [09:02] hmm, not really ... [09:02] Bertl: oh? [09:02] Bertl: perhaps I have misunderstood something then? [09:02] vservers for example, won't allow you to use a separate kernel for each vserver ... [09:03] Bertl: true [09:03] Bertl: a vserver is sortof like chroot on steroids, right? [09:03] but you might reduce the overhead significantly by using only parts (building blocks) of vserver ... [09:03] yeah, chroot, chcontext and chbind ... [09:04] each one addressing different aspects, filesystem, process space and networking [09:04] Bertl: One can break out of a chroot [09:04] well, not on vserver ... [09:04] Bertl: One should not be able to break out of a vserver [09:04] right [09:05] All disk space is shared under right? [09:05] could be, not required ... [09:05] with some provision for quotas [09:06] there is per context quota and disk limits on a shared partition ... [09:06] (with some additional patches) [09:07] sounds very nice [09:07] well, it is very nice, indeed ;) [09:08] :-) [09:10] is resource utilization for daemon running within a vserver comparable to running that daemon within a chroot? [09:11] yes, the overhead is unnoticeable .. could only be measured by micro benchmarking ... [09:11] cool [09:11] running a daemon within uml has quite a hit, both in speed and memory use [09:12] actually the overall performance is sometimes improved .. as the resources are shared ... [09:12] Bertl: i.e. shared kernel buffer cache? [09:12] this allows a SMP system with 2x 1GHz and about 1.5GB Memory to host about 40 vserver ... [09:13] Bertl: excellent [09:13] mainly inode cache and cpu resources ... [09:13] Bertl: not a chance of hosting that many uml sessions on such a box [09:13] as the kernel is only running once .. for all vserver ... [09:14] Bertl: right [09:14] it can be quite efficient on the disk resources too ... [09:14] a typical vserver setup, might take about 600MB disk space [09:15] but usually about 500MB of those 600MB can be shared, if the vserver use the same distribution [09:15] Bertl: hmm [09:15] so actually the required disk space is 500MB+ 100MB x #vserver [09:15] Bertl: i.e. so you can upgrade then all in a single pass, rather than N passes [09:16] that would certainly come in handy [09:16] well, no actually you upgrade one after the other, and 'unify' each new one, against the first, or a reference ... [09:16] but the result is the same ... [09:17] how stable is 1.22 stable? [09:17] those are the hardest questions ... [09:18] heh. I don't mind hacking as needed locally [09:18] but my colocate box is several thousand miles away [09:18] and a bit harder to reset should it lock up [09:18] sometimes I think, vserver is more stable than the kernel itself ... at other times I think everything might be unstable ;) [09:19] Action: andersee hacks on the kernel regularly [09:19] so he knows all about unstable [09:20] any majorly cool features one misses out on using stable? [09:20] one of our community members recently enjoyed the merits of netconsole, and I prefer some remote serial console and reset/power tool ... [09:20] descriptions how to 'build' them is on the vserver page ;) [09:20] hmm, cool features ... let me look at the changelog ;) [09:21] ahh, yes, the ck1 port is new ... [09:22] it brings O(1), Lowlat and Preemption ... [09:23] the uptime virtualization ... [09:23] some local loopback tricks ... [09:23] that's it ... [09:24] k [09:24] Action: andersee looks over patch-2.4.24-vs1.22.diff [09:24] if you see some obvious bugs, please report them ;) [09:25] k [09:25] Action: andersee hasn't gotten any patches into the kernel since earlier today [09:25] :-) [09:26] sigh, and I still have 56 patches locally [09:27] Bertl: is it possible to make a vserver entirely read only? [09:28] what do you mean by readonly? [09:28] Bertl: to restrict its ability to mount i.e. tmpfs [09:29] you have all what linux capabilities can do .. this includes disallowing mount, which is usually done ... [09:29] Bertl: i.e. suppose I wanted to run cvs pserver in a vserver [09:29] Bertl: and I wanted that to be anon access only [09:29] Bertl: so it would have no need to write anything [09:29] Bertl: we all know how secure pserver is.... [09:30] Bertl: so should someone eventually break in, and obtain root within the vserver... [09:30] hmm, well a ro mount of the data would help there ... [09:31] Bertl: is it possible to have the rootfs exposed within a vserver rw by the host system, but ro for the client vserver system? [09:32] well you could do that with ro --bind mounts, right? [09:33] I currently use a --bind mount for the chrooted anon cvs perver for busybox.net and uclibc.org [09:33] sadly, ro --bind mounts don't work [09:34] well, not for you ... but they do for me 8-) [09:34] hmm [09:34] didn't work when I set things up [09:34] http://vserver.13thfloor.at/Experimental/patch-2.4.22-rc2-bme0.03.diff [09:34] perhaps that has improved? [09:34] http://vserver.13thfloor.at/Experimental/patch-2.6.0-test3-bme0.03.diff [09:34] Action: andersee reads [09:34] nope hasn't improved, Al Viro still had no time for me ... [09:35] outright rejected? [09:35] or ignored? [09:35] nope, ignored! [09:36] he answered my first posting, with, ... but basically that is the right way. and that was it ... [09:36] didn't bother to implement noatime and the intermezzo stuff yet ... [09:37] I have found one needs considerable persistance to get patches accepted [09:38] you should keep trying [09:38] yeah, well, obviously there are no users besides myself ... as nobody raised a voice or requested something like inclusion, etc ... [09:38] Action: andersee likes it [09:38] I plan to review it a bit more carefully, but I am definately adding it to my collection [09:39] well, if there is demand, I have no problem updating and reannouncing it ... [09:39] I recommend it [09:39] are you reading lkml? [09:39] yep [09:39] been reading it since ~96 [09:40] hmm, obviously missed my announcements then ;) [09:40] Action: andersee used to maintain all the cdrom drivers before passing the job to Jens Axboe [09:40] actually I do recall seeing it now [09:40] I intended to get back to it and take a closer look [09:40] hmm, maybe you know someone who knows how the MS_REC bind stuff is supposed to work? [09:41] but I was out of town on business at the time as I recall, guess i forgot [09:41] Bertl: for user space for kernel space? [09:41] well, actually we are trying to replace the chroot stuff by something smarter ... [09:42] yeah [09:42] chroot is nice, but it has its limits [09:42] and it seems that mount() with MS_REC|MS_BIND succeeds, even creates a mnt struct, but nothing is seen in userspace :( [09:42] # mount --bind /tmp/cb /tmp/ca [09:42] ··· mount_is_safe: 0 [09:42] ··· path_lookup(old): »/tmp/cb« 0 [09:42] ··· check_mnt: 1 [09:42] ··· check_mnt(old): 1 [09:42] ··· action: 0 [09:42] ··· got mnt?: 911663e0 [09:42] ··· graft_tree: 0 [09:42] ··· path_release: 0 [09:43] this is a normal --bind mount [09:43] # ./enrico [09:43] ··· mount_is_safe: 0 [09:43] ··· path_lookup(old): »/tmp/ca« 0 [09:43] ··· check_mnt: 1 [09:43] ··· check_mnt(old): 1 [09:43] ··· action: 16384 [09:43] ··· got mnt?: 91166420 [09:43] ··· graft_tree: 0 [09:43] ··· path_release: 0 [09:43] this is the MS_REC bind mount ... [09:43] hmm [09:43] but everything in the namespace is like before ... [09:43] (in userspace) [09:43] Action: andersee checks busybox [09:44] I wasn't personally the one that added bind mount support to busybox mount [09:45] the patch itself was trivial, for the user space side of thing [09:45] it seems that there is no 'real' documentation about the MS_REC bind mount ... [09:45] Ive never looked at the kernel parts [09:46] cept in Al's head [09:46] :-) [09:46] but I guess it is supposed to do something ... [09:46] well, gues I have to dig into that a little deeper ... [10:01] hmm, andersee, which version of busybox has support for the --rbind? [10:02] Bertl: its in the 1.0.0 -pre series [10:02] added quite a while back [10:02] http://www.busybox.net/cgi-bin/cvsweb/busybox/util-linux/mount.c [10:02] oops I guess I'm far behind with that then ,,, BusyBox v0.60.5 [10:03] 2 years, 7 months ago [10:03] :-) [10:03] well, still works like a charm 8-) [10:03] sure [10:03] thats the joy of a stable series [10:03] if it ain't broke... [10:04] I managed to get my vserver test server down to 16M in total ;) [10:04] heh [10:04] I can build you one a bit smaller than that with busybox and uClibc [10:04] :-) [10:05] I guess so, but I still need the 'large' libraries for the userspace tools ... [10:05] Action: andersee has a debian system build entirely with uClibc [10:05] s/build/built/ [10:06] well, you are not the 'usual' vserver user ;) [10:06] I imagine not [10:07] Once I get things solid, I plan to put vserver on box I have hosting busybox.net and uclibc.org [10:07] ah, you lied to me ... I'm only 1 year 2 month an a few days behind ;) [10:07] split services onto a few seperate systems [10:07] Bertl: :-) [10:09] is it hard to have uClibc and glibc side by side? [10:09] I mean on a development system ... [10:11] Bertl: not a problem at all [10:12] http://www.uclibc.org/FAQ.html#development [10:12] :-) [10:15] hmm, why is there no parisc support? *G* [10:16] Bertl: hah [10:16] Action: andersee looks around his desk and sees no parisc boxes [10:16] well, vserver actually has parisc support, and it is working ;) [10:16] :-) [10:18] for now I think I'll stick with the piles of systems I already own [10:18] :-) [10:18] I havn't even seen a parisc box since I was in school, working on hpux boxes [10:28] if you want access to the parisc(64) machine, just let me know ... [10:29] I probably have access to one via debian [10:30] and I may well get around to porting uClibc to it some time [10:30] well Erik, was nice talking to you, but it's 8:27 in the morning here, and I'm going to bed now ... [10:30] heh [10:30] night [10:30] cu [10:30] Nick change: Bertl -> Bertl_zZ [10:33] noel- (~noel@pD9FFAB23.dip.t-dialin.net) joined #vserver. [10:36] mhm [10:36] i've got an error with udp6 and ck1-vs1.3.4 [10:36] is there something broken? [10:36] udp.c: In function `udp6_get_info': [10:36] udp.c:985: error: structure has no member named `vx_id' [10:41] noel_ (~noel@pD9FFAE1C.dip.t-dialin.net) left irc: Ping timeout: 504 seconds [11:13] morning [11:13] is the problem cleared with fork() resource problem? [11:23] andersee (~andersee@codepoet.org) left irc: Quit: Client exiting [11:36] Tamama (Pluh@a62-216-20-152.adsl.cistron.nl) joined #vserver. [11:37] hm [11:37] morn [12:13] click (click@gonnamakeyou.com) left irc: Remote host closed the connection [13:17] loger joined #vserver. [13:18] Bertl_zZ: is it allowed to load a module in a vserver? [13:24] TamaPanda (~a@193.173.84.237) joined #vserver. [13:24] oy [13:32] hm guess i did not log out at home [13:34] down to 17MB [13:34] hm? [13:38] mini debian system for vserver [13:38] without trash :) [13:41] heh [13:41] thats pretty small [13:41] jep [13:41] my base install was 250MB lol [13:42] I so love compilers... [13:42] I dont have a compiler included [13:42] trash :) [13:42] i figured that [13:42] at least my vservers dont need it [13:42] so you install everything from rpm or something? [13:43] debian based system, I install new things via apt-get or dpkg [13:43] the package manger I left on the system [13:43] same thing, precompiled packages [13:43] Hi guys. [13:45] still, 17MB .. what does that contain? [13:46] :) [13:46] bash, base tools [13:47] init.d system [13:47] root programs (adduser, passwd etc) [13:50] that's all? [13:51] i think i even duped the man pages :D [13:54] now I have manpages [13:54] they are very important :) [13:55] heh [13:55] 40MB ;) [13:58] less programs less manpages [13:59] true [14:00] ok lets see how large an install from me gets if i remove all compiler packages [14:00] as well as the image libs :P [14:01] ./vs dup skel test [14:01] 250MB later on... pkgtool! :D [14:08] it will become completely useless though... heh [14:11] also dump all caches [14:18] well that was interresting.. [14:18] apperantly it also killed utils like 'ls' [14:18] that was fun... [14:28] lol [14:28] no ls is pain [14:35] ah now i see [14:35] i remove 'sed' [14:35] pkgtool needs 'sed' [14:35] heh [14:36] that smells [14:37] but it did go down to 140MB :) [14:40] vserver-stat is .. different [14:40] apperantly i have 544MB of VSZ in 1 vserver [14:41] i wonder how it got that... [14:51] I love vserver [14:51] now all my chroots can goto hell; [14:51] i'd love a girlfriend.. see i know my priorities ;) [14:51] lol meebey that is how i use it.. no chroots ;) [14:52] jep, me too now :)) [14:52] putting all the dangerous daemons into vserver [14:53] yep [14:53] same here.. and when this server is getting over-loaded i'll just copy a vserver to another server and voila :) [14:54] hehhee yeah [14:55] backups are pretty easy too.. copy vserver :D [15:06] ccooke (~ccooke@spark.gkhs.net) left irc: Quit: leaving [15:10] ccooke (~ccooke@80.1.164.238) joined #vserver. [16:13] TamaPanda: is your shutdown clean of the vserver? [16:13] TamaPanda: mine is still kinda "sloppy" it tries to set rtc, unmount stuff etc [16:13] well, since it does not call any startup scripts ... [16:14] i dont HAVE a shutdown script.. [16:14] lol [16:14] hehehe [16:14] I have a full debian init.d [16:14] i wouldnt even know how to set up a shutdown script so that it would work :) [16:14] all i have is an empty /etc/rc.d/rc file to start with lol [16:15] hehe [16:15] its annoying though.. the scripts are there, just dont get called [16:16] a shutdown script with quotaoff -a would help a lot.. [16:16] rc is called with parameter stop on shutdown I guess [16:16] so check in rc what $1 is [16:17] hm not a bad idea :) [16:17] I am not sure though if this is the case, it could be also that rc has to detect if its start or stop by checking runlevels :) [16:18] vserver tools though call something on shutdown for sure [16:18] when i _enter_ it does not call rc at all [16:18] hm [16:18] guess i need to stop it first :D [16:19] vserver yourvserver start [16:19] that calls the rc [16:19] its called with runlevel [16:19] vserver yourvserver stop [16:19] stop: /etc/rc.d/rc 6 [16:19] so there you go ;) [16:19] start: /etc/rc.d/rc 3 [16:19] hmkay so that helps [16:20] :) [16:20] hhhm it would be very cool if I could tweak port settings for vservers [16:20] like saying port 21 and 80 are allowed in vserver X [16:21] or a range [16:23] hm this is nice [16:24] meebey: well you can restrict IP [16:24] so just assign a local IP and reroute the public IP to those local_ip:ports :) [16:25] Doener_aw (~doener@p5082DF3B.dip.t-dialin.net) joined #vserver. [16:27] oh yeah that shutdown script works :D [16:27] great :D [16:33] Doener_zZz (~doener@p5082DFF3.dip.t-dialin.net) left irc: Ping timeout: 499 seconds [16:34] i just assign a unique public IP to them.. easier :D [16:34] hm.. i was wondering.. can you remove capabilities ? [16:35] eg, i want my cdrom player to be available in each vserver... but i dont want them to be anle to eject it! :D [16:36] hm i guess i could make a shared RO partition for shared data... [16:36] but cdrom would be handier :D [16:41] :) [16:48] S_CAP="NO_EJECT_NEENERNEENER!" [16:48] or something :D [16:54] S_CAP="NO_HACKING" [16:56] S_CAP="NO_YOU_CANT_DO_THAT" [17:10] S_CAP=-"NUKE_THE_SITE_FROM_ORBIT" ? [17:10] wouldnt that be the default non-vserver? ;) [17:12] serving- (~serving@213.186.189.38) joined #vserver. [17:13] serving (~serving@213.186.189.203) left irc: Ping timeout: 492 seconds [17:31] wtf [17:32] s_context: 49154 [ -16382] [17:32] S_CONTEXT=1001 [17:32] hhmm 1.22 doesnt have the feature? :) [17:36] hm? [17:36] i use it [17:36] in 1.22 [17:36] no problems on that [17:46] hhmm strange then [17:46] I use 1.22 + vserver tools [17:46] maybe I need util-vserver for that? [17:47] you use vserver-0.29? [17:47] those tools? [17:48] they are flawed.. [17:48] use util-vserver instead [17:49] there is no debian package for it [17:49] so? [17:50] ever used a source tarbal? ;) [17:50] on productions server I dont compile things [17:51] the package system will not fix security updates [17:51] I would have to watch manually for updates and compile again on all servers [17:52] hm i compile everywhere with a prefab script :) [18:00] i guess i could move it in a pkg [18:05] DazeDark (~chris@82-32-130-79.cable.ubr05.hawk.blueyonder.co.uk) joined #vserver. [18:06] i've broken my vserver somehow ;) [18:06] i do that occasionally [18:07] root@template:/var/lib/dpkg/info# ls -l libssl0.9.6.list [18:07] -rw-r--r-- 1 root root 247 Nov 1 09:26 libssl0.9.6.list [18:07] try and pico that file and "Read permission denied" ;) [18:07] and you are root? [18:07] root@template:/var/lib/dpkg/info# whoami [18:07] root [18:07] and the file context is correct? [18:08] ah well that's another story [18:08] (you can't see that in a vserver) [18:08] something went around and changed lots of file contexts to #2 instead of #0 [18:08] heh [18:09] chctx --ctx 0 your_vserver_dir [18:09] or did it need a -R too.. hm dont remember [18:10] or just touch the files you want to alter [18:10] (from outside the vserver) [18:10] it didn't fancy doing 'proc' [18:10] but seems to be ok [18:10] yeah proc it hates [18:11] proc/27968: Function not implemented [18:11] ;) [18:11] stop the vserver first next time you do chctx ;) it will unmount /proc [18:13] if I ever do a vserver project from scratch again [18:13] I won't be using debian [18:13] lol [18:13] it's a serious pig [18:13] slack is your daddy :D [18:14] not if I want package management it isn't :P [18:14] pkgtool [18:14] :D [18:14] Debian rockz you slackers. ;-) [18:14] we'll just keep slacking and you can do whatever you want :D [18:15] how's that? :D [18:15] Your choice. :) [18:15] sou desu ne... [18:15] Sounds fun: 'slack you!' [18:16] eww you have some debian on your face :D [18:16] Or 'slack yourself'. [18:16] :) [18:16] debian does rock, but it's given me nothing but headaches with vserver. [18:16] heh [18:16] DazeDark: Why? [18:16] its all the same kernel anyway [18:16] If i wasn't doing it with vserver, i'd choose Debian any day. [18:16] DazeDark: Ain't there a useful debootstrap tool? [18:16] if you dont need a desktop, its all pretty much the same [18:17] Kernel heh. [18:17] virtuoso: Kernels. As much as you'd love to customise them and bring them up to date, you'll invariably upset something. [18:17] Like debian 'stable' quota support. [18:17] 3.04 is 'stable'. It's also broken as hell. [18:18] With anything decent from the 2.4 branch [18:18] Huh. [18:18] No easy way to unify packages across vservers using apt (yet). [18:18] I'm starting to use 2.6 on my debian desktop also from today. [18:18] Yes, but quotas are very important to this project. [18:18] There are ways. [18:18] At least ideas. [18:19] And compiling quota-3.09 from source isn't pretty. [18:19] Do you use woody? [18:20] I know people using woody. They're either paranoid as hell or I don't know what. [18:20] The host vserver runs sid, the actual servers run woody. [18:20] I'd prefer -testing at least. :) [18:21] The decision to use the stable branch was not my own, I guarantee you. [18:21] Do your customers care? :) [18:21] No, but my employers do ;) [18:21] hm setting up a kernel with context quotas is pretty simple (once you know how lol (thanks Bertl_zZ ;))) [18:22] This is true. [18:22] But debian's quota package (3.04) gets confused with aquota/quota.user, as well as spitting at your virtual root device. [18:23] i thought debian was so good ; [18:23] It is, just not for vserver. [18:23] There aren't enough people out there using it for there to be a wide range of good applications. [18:23] so we came to the conclusion that no distribution is 'best' :D [18:23] Redhat has well supported it from what I can see, but I'm not using Redhat, end of story. [18:24] Every distro has it's annoyances., [18:24] Although... Debian is entirely volunteer-driven project so what do you expect?.. [18:25] debian-- # but i have to use it [18:26] MM. [18:26] slack slack slack i am a slacker whoohoo [18:26] ;) [18:26] But, bearing in mind that Debian support is actually pretty damn good. [18:26] Action: virtuoso . o O ( 'slack off!' :) ) [18:26] It has a huge development base. [18:26] They just have this worry about taking things from testing to stable. [18:26] slack supports everythiung... just get the source tarbal and compile :D [18:26] Which means packages in stable are grossly out of date. [18:27] Everybody complains about that. [18:27] pflanze (~chris@cc-linux4.ethz.ch) joined #vserver. [18:27] If you're forced to use woody, you have to compile things by hand probably. [18:27] Or backport the packages. [18:27] hello [18:27] pflanze: Hi. [18:28] very strange, lilo refuses to install 2.4.24+vs. Says system is unbootable. [18:28] No idea if it's because of vs. [18:28] maybe the kernel is just b0rked, your lilo is not updates or .. well oculd be anything [18:29] updated [18:29] virtuoso: there are vserver tools backports avialable [18:29] why is the s so close to the d.. *grumbl* [18:29] 2.4.23+vs *did* install on this machine a few weeks ago. [18:29] unchanged lilo.conf. [18:30] meebey: Not talking about vserver-utils but of quota etc. vserver-utils are very easy to compile even if there was no package at all. :) [18:30] yeah it just needs a make :D [18:30] virtuoso: I know, but every programs selfcompiled is a step to a hard-to-administrate-linux [18:31] meebey: Say this to TamaPanda. :) [18:31] hehe [18:31] its not a bother to me.. ./install.mysql (does everything :) .. rm -R /usr/local/mysql (and its gone) [18:31] i dont see how that is hard :D [18:32] meebey: Who of us cares about 'hard-to-administrate-linux'? :) [18:33] the install just takes longer.. since it needs to compile.. but other than that... its just as easy as installing an .rpm or whatever package you use [18:33] TamaPanda: Hm. And how simple is upgrading of glibc? :) [18:33] + the configs i use do not even HAVE packages (modufied versions/patches) [18:33] virtuoso: hehe [18:34] virtuose: uuh.. pkginstall tarbal :D [18:34] TamaPanda: Do you build everything statically? [18:34] most of it [18:35] slack-slack [18:35] heh [18:35] Action: virtuoso doesn't like that. [18:35] then again, if you upgrade your glibc, you would have to.... uuh.. re-install all packages using shared libs yay [18:36] *cough* [18:36] Do you know this is automated. :) [18:36] One would not care much if, say, apt-* binaries are built statically. [18:36] how can it be.. i just said my installs do not even have packages :) [18:37] But when there are only huge static binaries in the RAM it's a pity. :) [18:37] dont see a install with a modified apache/suexec lying around somewhere.. nope i dont [18:38] You mean trojaned? :) [18:38] i'd just initiate a 'vs web_build' and i get a new vserver.. who cares about upgrades, i can just move vservers anyway [18:38] trojaned? uuh, no actually it is more closed down :) [18:39] why would i trojan my own server lol [18:39] makes no sense [18:39] Just kidding. :) [18:39] even with suexec and user/group settings just as suexec wants it, it is possible to read other peoples files .. heh [18:40] What would you do if you need to replace a buggy ssh daemon in, say, 15 vservers? [18:40] i dont have 15 sshs [18:40] since my vservers do not have ssh :) [18:41] Let's imagine such a situation? :) [18:41] heh [18:41] ./install.ssh [18:41] :) [18:41] install-into-all-vservers.ssh [18:42] :) [18:42] all tasks i needed to do to set this server up, are automated.. just not using your 'o so beloved' debian package system [18:42] but i can get a new vserver up in seconds running as it should [18:43] Me too. :) [18:43] vs dup skel newvserver; ./install.service newvserver [18:43] voila [18:43] Ooh, another question which someone may be able to answer. [18:44] When I 'stop' a vserver with quota 3.09, it gets to "Turning off quotas" then hangs the shutdown procedure. [18:44] right [18:44] I had that :) [18:44] you can kill the process from another terminal, but Ctrl+C/anything fails to stop it [18:44] ooh :) [18:44] in fact, at every reboot my filesystem was cleanly unmounted :) [18:44] erm [18:44] unclean [18:44] did you fix it? [18:44] sure [18:45] linux-2.4.3-vs1.22-ctxqt-somenumber :D [18:45] vs1.22? muh [18:46] Linux 2.4.23-vs1.22 i686/chcontext 0.26/chbind 0.26 [18:46] actually.. guess the quota patch didnt get to the list heh [18:46] right.. i dont use debian.. ;) [18:46] what version are you toying with? [18:47] Linux template 2.4.23-vs1.1.6 [18:47] and how did you set up the quotas in your vservers? [18:47] per-user [18:48] i dont know what is in that template [18:49] without CAP_SYSADMIN for the vserver can someone still write to /proc from inside the vserver? [18:49] how do you mean? [18:49] netrose: try it [18:49] i found out i could change my disk partition because i had the /dev entry ;) [18:50] DazeDark: what exactly did you have to do to get the quota thing to work? (and does it work... per context?) [18:51] unique ctxes, a .sh script to add a quota hash to every vserver on startup, and to cqhrem afterwards [18:51] then a /dev/hdv1 link in every vserver [18:51] looks familiar [18:51] :) [18:52] changes the /etc/mtab too in the vservers? [18:52] yeah [18:52] erm [18:52] there doesn't appear to be a 'current' quota patch [18:53] cq0.12 (Per Context Quota Support) [18:54] for 1.22 at least.. i think it works on older versions too [18:54] should this be applied against 2.4.23 or is it safe for 2.4.24? [18:54] that i dont know [18:54] probably works since its the same branch [18:55] you'll get errors if the patch fails so... [18:55] Summary of changes from v2.4.23 to v2.4.24-rc1 [18:55] 3 changes [18:55] i think it's pretty safe :) [18:56] hm some iptables OOPS fix [18:56] maybe 2.4.24 isnt that bad :D [18:56] let's give it a bash ;) [18:57] i'll compile a 2.4.24 kernel this evening (when i have my fast server running .. finally) [18:57] its just plain *pluh* on a p2-350 [19:04] Nick change: Bertl_zZ -> Bertl [19:04] welcome to the land of the awake people :) [19:05] morning everyone! [19:05] evening :) [19:07] what did I miss? [19:07] not a lot... [19:07] (please no stupid 1:1 copy) [19:07] fixed my vserver startup/stop scripts [19:08] and i think i helped out a bit... but i dont really know about the helped part LOL [19:08] oh and we had a nice 'Debian sux0rs, slack owns' discussion :) [19:09] Action: TamaPanda snickers [19:12] does vs1.22 include q0.12? [19:12] no [19:12] not that i know off.. [19:13] i'm guessing patch-2.4.23-vs1.20-q0.12 will work against 2.4.24 then ;) [19:14] why not take vs1.22 and q0.12 ? [19:14] that's what I'm doing [19:14] your patch showed 1.20 :) [19:15] I can't see a vs1.22-q0.12 patch [19:15] there isnt any [19:15] but the vs1.20-q0.12 patch applied cleanly [19:15] that's why I didn't take it then :p [19:15] that is why i mentioned them seperately :) [19:15] didnt 1.22 have some fixes? [19:16] bugfix tasklist_lock/uts_sem issue [19:16] yes, 1.22 is a bugfix version of 1.20 [19:16] bugfix in tcp_ipv4_addr_conflict() [19:16] yesss [19:16] but q0.12 isn't available for vs1.22 [19:16] it is, it is the same [19:16] right [19:16] it is just not mentioned as such [19:16] so i've got vs1.22 [19:16] and patched q0.12 against it [19:16] well, I am lazy, and I tend not to make updates of patches which basically change nothing ... [19:17] http://www.vangog.net/docs/vs-quota.simple-walkthrough.txt (yes i've been there already :) [19:18] hm Bertl how hard is it to set up some doc thing that allows people to add comments to it? [19:18] like the docs on apache.org and php.net ? [19:19] get people to add to the danged documentation themselves hehe [19:19] we have that. it's called wiki, and working on linux-vserver.org ... [19:19] hm [19:20] Doener_aw (~doener@p5082DF3B.dip.t-dialin.net) left irc: Quit: Leaving [19:20] guess i could upload it to there :D [19:20] Bertl: did you hear the problems with 1.3.4? [19:21] Action: DazeDark scratches head over devfs [19:21] Bertl: someone was getting those fork() resource unavailable with 1.3.4 like I got it with 1.3.3 [19:22] ok bertl.. i uploaded it.. now what happens? :) [19:22] meebey: I already fixed them yesterday ;) [19:23] that accounting thing? [19:23] at least we know the limits work ;) [19:23] well, actually they didn't work ;) [19:24] Bertl: you found the problem? [19:24] well the fork failed.. so some limits must have been working ;) [19:24] yes, infowolfe had some time to do some testing, we located the issue, and it will be fixed in 1.3.5 ... [19:24] allright :) [19:24] so I can switch again to dev version then? :) [19:25] I can upload a patch, if you want? [19:25] btw does 1.22 support S_CONTEXT? [19:25] but 1.3.5 isn't released yet ... [19:25] I can wait for the release [19:25] 1.22 does supprot S_CONTEXT [19:25] hm bertl did you need SMP testing? ;) [19:25] hhmm strange [19:26] unpatches 0.29 er unpatched tools don't ... do not ask me why! [19:26] "New security context is 49154" [19:26] S_CONTEXT=1001 [19:26] i already told him they didnt work and get util-vserver :) [19:26] unpatched 0.29er tools ...# [19:26] in my vserver config [19:26] oh [19:26] allright :) [19:26] TamaPanda: you didnt tell me that my S_CONTEXT will be fixed with that patch [19:27] you use vserver-0.29? [19:27] those tools? [19:27] they are flawed.. [19:27] use util-vserver instead [19:27] there is no debian package for it [19:27] ;) [19:27] it was in that context that i said it so.. i did :) [19:27] if i didnt.. i still did.. lol [19:28] well, do not search somebody to blame, fix it ;) [19:28] that sound like "vserver tools sUcK0rz!! use those 1337 Util-Vs3Rv3R [19:28] I have a note on the release page regarding 0.29 ... [19:28] meebey: if you read it as such.. sure.. i'm just a slacker.. i am not a r33t debian user like y00 [19:28] what else should I do? [19:29] Bertl: kill that slacker! [19:29] just remove the link to vserver-tools 0.29? [19:29] Bertl: the note is perfect :) [19:29] Bertl: or change 0.29 into 0.30 so the debian maintainer may get the clue :) [19:29] TamaPanda: what was that about SMP testing? [19:29] Bertl: 0.30 (fix included) [19:30] tanjix (ViRu_@pD904A891.dip.t-dialin.net) joined #vserver. [19:30] did you need it? [19:30] hi [19:30] well, I always need SMP testing, are you volunteering? [19:30] I will have a perty fast server in a few days with 2 cpus ... i can use it to testdrive-crunch for a week [19:30] does anybody use the vserver-0.2.9 addon? i think there is a problem with them [19:31] LOL [19:31] meebey: I avoid updating the tool version whenever possible, because as soon as I do, Jack releases with the same version I use ... [19:31] Bertl: he does? :) [19:32] we played that with the ctx-17{a,b,c,d,e,f,g} releases ... [19:33] where possible, I leave the userspace to the utility folks (Enrico and Jack) [19:33] and Enrico does a pretty good job in updating his tools and adding features I need ... [19:34] tanjix: if you mean vserver-0.29, then make sure to add the _FIX_ ... [19:34] Bertl: ic :) [19:35] Bertl: those userspace programmer? :) [19:35] bertl: happen to know some utility that would be able to crunch for a week orso testing most of the things vserver changes in the kernel? [19:36] does quotas only work if you have CAP_QUOTA_CTL in? (i.e. it won't work if CAP_SYS_ADMIN is in?) [19:36] its time for me to go home.. bbiab [19:36] TamaPanda (~a@193.173.84.237) left irc: [19:37] well you need CAP_QUOTA_CTL to pass quota ioctls through the vroot device ... [19:38] so usually, if you use this device (which is required to make vserver quota secure) you'll need CAP_QUOTA_CTL ... [19:41] aha, ok [19:41] that might explain why it's not working, then [19:44] hmm, any particular issues besides 'not working'? 8-) [19:45] is there a stable kernel patch that properly supports quotas? [19:46] quotas are supported by 2.4.23 and 2.4.24 kernel patches ... [19:46] the vs1.22? [19:46] well, I'm upgrading to vs1.22 because quota-3.09 was hanging on vserver shutdown [19:46] "Turning off quotas" [19:46] no the linux-2.4.23 and 2.4.24 'kernel' patches ... [19:46] and it'd sit there [19:47] forever [19:47] WSU: you mean per context quota? [19:47] yes [19:48] http://www.13thfloor.at/vserver/s_addons/quota/ [19:51] Let me make sure I understand this properly, and this is what I want. I am going to be running the vskel utilities. I want to be able to limit each vserer to 5gb's each. [19:51] all vservers wiill be on the same physical partition [19:53] will they share binaries (called unification)? [19:54] anyway, you'll need the quota tagging and per context disk limit stuff, for that to work (means q0.12) [19:55] okay brb ... [19:55] Nick change: Bertl -> Bertl_oO [20:00] BobR (~georg@MAIL.13thfloor.at) joined #vserver. [20:01] bertl: i added th fix [20:05] Nick change: BobR -> BobR_oO [20:22] sladen (paul@starsky.19inch.net) left irc: Ping timeout: 480 seconds [20:24] Nick change: Bertl_oO -> Bertl [20:27] the q0.12 patch, does include the same stuff from vs1.22 or do I patch after applying 1.22? [20:27] *it include [20:27] Nick change: noel- -> noel [20:27] you patch vs1.22, then q0.12 ... [20:28] -k- [20:34] tanjix (ViRu_@pD904A891.dip.t-dialin.net) left irc: Read error: Connection reset by peer [20:42] what does the vroot device addon do? [20:44] the vroot device is required to make quota on a vserver secure, it adds a device (or several devices) called vroot0 .. vrootN, similar to loop0 ... loopN, capable of proxying quota ioctls to the 'real' root device ... [20:45] cd .. [20:45] wrong window [20:46] by the way, it is included in 1.2x ... [20:50] -k- [20:50] Should I be using the patchset? instead of the individual patch? [20:51] you mean the 2.4.23vs1.22-01 patchset? [20:51] yes [20:51] well, that is the combination of patches I used on my servers ... [20:52] if you find them useful, then use them, otherwise no need to ... [20:54] what do they all do? [20:55] kconfig adds the kernel config in /proc/config.bz2 [20:55] devfs, lvm and zlib are kernel updates to the newest version [20:56] s/newest/latest/ [20:56] i2c + lm_sensors add harware sensor support [20:56] device mapper is the next gen lvm [20:57] floppy fallback and route fix are some 'fixes' of behaviour I consider appropriate ... [20:57] -k- [20:57] I will try them out [21:06] when doing my kernel config file, what do I need to make sure I enable? [21:06] with quota patches? [21:06] and the vserver patches [21:06] yes [21:07] well, you need the vroot device to be secure, then a quota file tagging method 24/24 for example, quota itself of course and that's it .. [21:07] -k- [21:08] well you also need a filesystem which supports 'normal' quota and other stuff to make the kernel run ... [21:08] right [21:08] We found the problem for the lilo "failure". [21:09] cool, a solution too? [21:09] Looks like lilo creates a file /boot/map with chattr +t flag. [21:09] This file could not be removed/renamed anymore. [21:09] ahh, and this collides with the ili stuff ;) [21:09] Thus lilo failed when it tried to move it to the backup name. [21:09] I knew that issue would pop up ... [21:10] I thought it was only restricting permissions in vserver contexts, not on the host? [21:10] guess we'll have to fix that in the next release by usining an unused flag ... [21:10] cool. cu, going to lunch [21:11] you could try with the latest experimental code, this should work better in this aspect ... [21:11] bye [21:11] pflanze (~chris@cc-linux4.ethz.ch) left irc: Quit: [x]chat [21:23] sladen (paul@starsky.19inch.net) joined #vserver. [21:26] Hi paul [21:37] suhcoolbro (~Suh@216-161-89-24.ptld.qwest.net) left irc: Quit: NO CARRIER [22:28] Bert? [22:29] yup? [22:29] gcc -D__KERNEL__ -I/usr/src/linux-2.4.23/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.23/include/linux/modversions.h -nostdinc -iwithprefix include -DKBUILD_BASENAME=saa5249 -c -o saa5249.o saa5249.c [22:29] saa5249.c:261: warning: initialization from incompatible pointer type [22:29] saa5249.c:262: warning: missing braces around initializer [22:29] saa5249.c:262: warning: (near initialization for `i2c_driver_videotext.name') [22:29] saa5249.c:264: warning: initialization makes integer from pointer without a cast [22:29] saa5249.c:264: initializer element is not computable at load time [22:29] saa5249.c:264: (near initialization for `i2c_driver_videotext.name[2]') [22:29] saa5249.c:265: warning: initialization makes integer from pointer without a cast [22:29] saa5249.c:265: initializer element is not computable at load time [22:29] saa5249.c:265: (near initialization for `i2c_driver_videotext.name[3]') [22:29] saa5249.c:267: warning: initialization makes integer from pointer without a cast [22:29] saa5249.c:267: initializer element is not computable at load time [22:29] saa5249.c:267: (near initialization for `i2c_driver_videotext.name[4]') [22:29] saa5249.c:267: initializer element is not constant [22:29] saa5249.c:267: (near initialization for `i2c_driver_videotext.name') [22:29] make[3]: *** [saa5249.o] Error 1 [22:29] make[3]: Leaving directory `/usr/src/linux-2.4.23/drivers/media/video' [22:30] make[2]: *** [_modsubdir_video] Error 2 [22:30] make[2]: Leaving directory `/usr/src/linux-2.4.23/drivers/media' [22:30] make[1]: *** [_modsubdir_media] Error 2 [22:30] make[1]: Leaving directory `/usr/src/linux-2.4.23/drivers' [22:30] make: *** [_mod_drivers] Error 2 [22:30] compiling with your patchset [22:30] well looks like a broken saa5249 driver ... [22:30] don't select it, when it is broken ... it's neither vserver nor patchset related ... [22:30] -k- [22:38] noel (~noel@pD9FFAB23.dip.t-dialin.net) left irc: Remote host closed the connection [23:13] tanjix (ViRu_@pD9049C46.dip.t-dialin.net) joined #vserver. [23:13] re @ll [23:16] bertl, what else could be the problem to the vserver 0.29 tools - i applied the patch as well [23:18] well, I didn't test them, that is Jacks job ... maybe everything is broken, I don't know, I use Enricos tools ... [23:27] can you give him an info about that prob ? [23:27] to check that ? [23:29] well, you can write hin an email ... [23:29] he'll probably read it in the next 3-4 months ... [23:29] lol [23:42] JonB (~jon@129.142.112.33) joined #vserver. [23:44] hi jon! [23:45] hey Bertl [23:46] Bertl: when i get my dual testserver up and running, do you want an account like that other dude? [23:49] well, can't hurt ... including serial console/reboot option? [23:50] Bertl: ofc [00:00] --- Thu Jan 8 2004