[00:00] loger joined #vserver.
[00:00] you are still mentioned as the original author there and I made (small) changes
[00:03] I can understand having to satisfy the requirements, and making a quick fix...
[00:03] but I think it does deserve a bit more discussion.
[00:04] hmm, well mark, taking it out of util-vserver would be a solution, right?
[00:04] Actually, I would not recommend that, or even push a situation so far.
[00:05] I think the benefits of it being distributed, and 'integrated' far outweigh my minor concerns..
[00:05] what about another solution, like publishing the Mark Lawrence page on the wiki?
[00:05] and referring to that in the header of that file?
[00:06] Is it a requirement of Savannah that the header only shows the project owner as copyright owner?
[00:06] I don't know ... you have to ask savannah or maybe enrico ...
[00:06] I would think it reasonable to have perhaps Copyright (c) 2003 Mark Lawrence, 2004 Enrico....
[00:07] ok, I change this in this way
[00:07] and we should add you to the Hall of Fame anyway ...
[00:07] by the way, I had an improved version which was sent to the list, but wasn't picked up....
[00:08] what else did you add to vserver, just that I mention it correctly?
[00:08] I'll add your recent changes and send all together to enrc
[00:08] Actually not a whole lot,.... :)
[00:08] newvserver-debian: however I don't think anyone is distributing this....
[00:08] markl: for alpha branch it will need lots of changes....
[00:08] Perhaps Enrico would also like to include this in the tools.
[00:09] Copyright: you might want to consider the original history of the rest of the files as well.
[00:10] copyright: I know some have gone through major rewrites, but others probably have not..
[00:10] alpha branch has a new, modular mechanism for creating vservers; the old minimal-* stuff went away they
[00:11] is the stable util-vserver likely to have a couple more revisions? Might be worth adding anyway.
[00:11] I want to do bugfixes for stable branch only
[00:12] markl: you are from USA, right?
[00:12] Fair enough. I'll put it on the wiki.
[00:12] Nope, blue-eyed Aussie.
[00:12] == Mark Lawrence (AU) ==
[00:12] But I have been living in Switzerland for two years...
[00:13] with chocolate and cheese?
[00:13] I like the cheese a lot!
[00:13] I eat the cheese!
[00:13] especially as it is winter ... although at the moment I am spending Monday to Friday in Madrid....
[00:14] okay, added you to the Hall of Fame on the wiki ...
[00:14] But I don't know if any of you are into snowboarding, cause the conditions are at the moment, unreal :)
[00:14] if you actually write the userspace reboot helper, I'll add another line ;)
[00:15] Groovy. Ok, this is getting late.. I promise either this weekend, or Monday/Tuesday night next week to do all the things I mentioned tonight...
[00:16] okay, hope you find a good solution for your nic ...
[00:16] Thanks for chatting...
[00:16] markl (~mlawren@69-56-241-204.theplanet.com) left irc: Quit: ircII2.8.2-EPIC3.004 --- Bloatware at its finest.
[00:17] I'm off to home guys
[00:17] good night
[00:18] good night!
[00:26] miller7 (none@213.239.180.106) left irc: Ping timeout: 480 seconds
[00:26] ensc: what is that vserver-djinni?
[00:27] it allows executing privileged operations from inside a vserver; e.g. directory mounting, or iptables setup
[00:28] hmm, why isn't that on the vserver wiki?
[00:28] http://www-user.tu-chemnitz.de/~ensc/fedora.us-build/html/ar01s02.html#sec:components:vserver-djinni
[00:28] because it requires the alpha util-vserver ;)
[00:29] it was written for another purpose, but can be used generally
[00:30] hmm, I don't see a reason for not putting it on the wiki, do you?
[00:31] no problem, but as said already, it requires the alpha util-vserver
[00:31] well, a note on that should do it, right?
[00:31] (I mean a not explaining what the alpha util-vserver is ;)
[00:31] s/not/note/
[00:33] ok, what would be the right place in the twiki?
[00:33] I'd say either Tools or Important Links ...
[00:35] maybe we should create a section 'Useful Tools' ...
[00:35] or rename the Useful Patches to Useful Patches/Tools
[00:36] or even Useful Addons
[02:12] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) joined #vserver.
[02:12] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) left irc: Client Quit
[02:13] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) joined #vserver.
[04:14] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) left irc: Ping timeout: 480 seconds
[04:36] Nick change: Doener -> doener_zzz
[05:01] MrBawb (abob@swordfish.drown.org) left irc: Ping timeout: 480 seconds
[07:25] noel- (~noel@pD9FFAA9D.dip.t-dialin.net) left irc: Ping timeout: 504 seconds
[08:15] loger joined #vserver.
[08:31] AHTOH (~anton@cs3640-m9.ti.ru) joined #vserver.
[08:32] hi anton!
[08:32] hi
[08:34] no ideas about sshd bug?
[08:34] hmm, please refresh my memory, where did we stop last time?
[08:39] that the problem is in NICE permission
[08:39] if we start sshd from initscript ----- when user tries to login -- it tries to nice some pts etc (if fails we have closed connection after correct auth)
[08:40] if we start sshd manually ----- at login time no nice required
[08:40] that's very strange
[08:40] ah yes, I remember, did you compare two straces and look for some differences?
[08:40] now i will try 1.3.6 cause i need memory limits
[08:41] oh, no, i'll make them now and will do a diff, ok
[08:43] and it would be also a good idea to try to compile the sshd by hand, and check if that version does act similar ...
[08:44] hmm, where can i get sshd sources? or maybe i'll try src.rpm?
[08:45] hmm, src.rpm will 'hopefully' produce the same binary ...
[08:45] but the src.rpm contains the 'unpatched' sources too, so doing rpm -i will put them into /usr/src/*/SOURCES/
[08:49] ok
[08:49] what other features does devel have compared to stable (except memory limits)?
[08:50] and if i need per context quotas -- i need a devel patch and then a quota patch?
[08:50] or are quotas included in devel?
[08:50] quotas are not yet included in devel
[08:52] additional features: xfs support (no quota), some experimental interfaces, new procfs, uptime fake and vshelper
[08:52] ahh and I forgot, fakeinit is now working with static context ids
[09:09] what does that mean "fakeinit is now working with static context ids" ?
[09:09] hmmm xfs in 2.4 -- never use it?
[09:09] it still gives me a concurrent race, hanging system
[09:09] 2.6 solves it while latest 2.4 is bad about it
[09:10] hmm, xfs?
[09:10] yeah
[09:10] interesting ...
[09:10] i copy my 20Gb file -- and 100% probability to hang a system
[09:10] with 2.4.25-pre7?
[09:11] pre5 was latest i tried, but haven't seen anything fixed in changelog about my problem
[09:11] did you report that on lkml or so?
[09:12] no :) i have hypothesis of when this is repeatable -- but i'm not sure and i can't repeat experiments -- no free space to test that
[09:12] likely when 100+GB partition is almost full, writing 20GB file gives that
[09:13] cause i managed to write first 6*20 GB, problem is about the last one
[09:13] hmm, you are the master of strange issues, I guess ;)
[09:13] :(
[09:13] that was solved by installing 2.6, thank god, and developers :)
[09:15] well, did you try the vs0.06 for 2.6?
[09:15] no
[09:16] BTW i use 2.6 at home/desktop
[09:16] but vserv is for production server
[09:17] using experimental patches there is bad idea AFAIK
[09:18] yeah probably right ...
[09:19] Hi
[09:19] :)
[09:19] which quota patch do i need for 1.3.6? patch2.4.23-rc5-vs1.1.6-qh0.12.diff or patch-2.4.23-rc5-vs1.1.6-qh0.12-cx0.07-cq0.12.diff or patch-2.4.24-vs1.24-q0.12.diff ?
[09:19] Hi
[09:19] hi Cmaj!
[09:19] he he
[09:20] Hi Bertl and AHTOH
[09:21] AHTOH: I would suggest http://vserver.13thfloor.at/Experimental/patch-2.4.24-vs1.3.4-q0.12.diff
[09:21] that has the best chance to apply and work ;)
[09:22] I compiled 1.24 plus Owl well, did not try yet, i got an up of 11 days 9:00 with 1.24 :)
[09:23] sounds good ...
[09:24] yes very good. i used to have a local network bug, it was because i kept putting off the router :) maybe it's a FW prob
[09:25] hey, if i have a box with ctx14 what is the better production release :)
[09:26] ;p
[09:27] 2.4.19ctx-14 #4
[09:27] not me
[09:27] ;)
[09:27] hmm, now I'm confused, what are you trying to tell me?
[09:28] should i upgrade
[09:28] well, if ctx14 is working for you, why would you upgrade ...
[09:28] ok well good
[09:28] besides the issues 2.4.19 has and of course the bugs in ctx14 ...
[09:29] I assume nobody can logon to that machine, and you do not use SMP or extensive proc ...
[09:30] well .. yes I C capitalised :)
[09:30] what i thought
[09:30] But i am not the master of this box
[09:31] but i can ...ok thanks for the advice
[09:32] np
[09:39] Cmaj (~cmaj@3ffe:bc0:5f3:1:9999:911:c3d3:5431) left irc: Ping timeout: 483 seconds
[09:51] ah devel is for pre only
[09:52] latest devel, is for pre only ;)
[09:52] ok i'll have to get latest pre8
[09:52] hmm, pre8 is out?
[09:53] right, almost missed that ...
[09:53] yeah
[09:53] marcelo working while linus kangaroos somewhere
[09:55] ACPI, smbfs and USB, USB, USB ...
[09:57] usb forever
[09:57] and i never say never use an ACPI
[09:59] damn
[09:59] 1.3.4 q 0.12 has several hunk failures
[09:59] in ext3
[10:00] i have 25-pre8, then 25-pre7.1.3.6, then quota
[10:01] that is bad, you can try to specify '-l' for the patch
[10:01] but I doubt that will work, guess you have to wait for an updated version ...
[10:02] how long can it be?
[10:03] mainly depends on how nice you ask ;)
[10:03] i just want to see my options for know
[10:03] i just want to see my options for now
[10:04] what can i try now and what should i wait for
[10:04] well, the options are clear, no patch for 2.4.25-vs1.3.6 atm
[10:12] okay, for now i will try devel with no quota
[10:23] kestrel (athomas@home.swapoff.org) left irc: Quit: Hey! Where'd my controlling terminal go?
[10:23] okay, it was a long night, I'll go to bed now ...
[10:23] have fun, cu all later ...
[10:23] Nick change: Bertl -> Bertl_zZz
[11:21] [root@oxygen util-vserver-0.27.199]# vserver-stat
[11:21] open(): No such file or directory
[11:21] anyone can help -- devel is not working for me
[12:11] kernel713 (~4051cc98@humbolt.nl.linux.org) joined #vserver.
[12:11] kernel713 (~4051cc98@humbolt.nl.linux.org) left irc: Client Quit
[12:13] miller7 (none@213.239.180.106) joined #vserver.
[12:13] morning guys
[12:16] kestrel (athomas@home.swapoff.org) joined #vserver.
[12:55] AHTOH (~anton@cs3640-m9.ti.ru) left irc: Quit: Leaving
[13:27] evening
[13:36] morning
[13:36] hi there
[13:45] Action: infowolfe has a new testing box
[13:51] what is it?
[14:08] dual athlon mp 1500+ 256M ram...
[14:08] will be dual 2400+ 1GB ram shortly :-D
[14:08] (next week, when i get my megaraid controller)
[14:09] i'm testing a crapload of 250GB S/ATA drives on it tonight
[14:25] nice one :)
[14:25] i'm jealous
[14:25] lol
[14:25] i wish i could sell this fucking dual opteron :(
[14:25] i'll give you $5 for it!
[14:25] asking $6k US
[14:25] lol
[14:25] lop that k off and we have a deal
[14:26] 4x 250GB S/ATA 7200rpm 8M cache on a 4port Megaraid... 2x Opteron 240, 4GB ram, 1U chassis
[14:27] powerful machine
[14:27] word
[14:28] lol
[14:28] makes my new server at home... seem pitiful
[14:28] lmfao
[14:28] did you see the 4GB ram part?
[14:28] that's in 1GB half height sticks... DDR ECC registered...
[14:28] they were close to $1,500 a pop when the machine was built :-p
[14:28] :(
[14:29] very nice :) is it a work machine?
[14:29] the guy that built it built kernel.org's internal master server as a demo for a client... but things didn't come together...
[14:29] and they didn't buy it
[14:29] and in fact, it was in the desktop case that is currently at my feet when it was built originally
[14:29] mmm, bet he loved that
[14:30] between that one and an overheating 24 x 250GB S/ATA 4U array... he's upset
[14:30] hehe
[14:30] at $350 apiece for the drives
[14:30] ?
[14:30] what company does he work for?
[14:30] he owns http://www.amnet-comp.com
[14:31] check kernel.org
[14:32] that's cool
[14:32] i work with solaris boxes all day, so that dual opteron is probably about 10 times faster than any of our servers ;)
[14:36] lol
[14:36] slowlaris?
[14:37] hilarious
[14:37] that's the one
[14:37] i've seen solaris bog on an E10k
[14:37] lmfao
[14:42] which is kinda sad...
[14:42] *sigh*
[14:42] sun has all this great hardware... and decides to screw it up with their operating system :-p
[14:42] linux on sparc... VERY quick...
[14:42] solaris on sparc? laughable
[14:43] as far as i remember, thread handling has always been better on solaris
[14:44] maharaja, a lot of day to day tasks unfortunately aren't threaded...
[14:44] that's true :)
[14:44] therefore threading is useless if you're using solaris on a machine used as a desktop
[14:44] gnome on aurora whoops the hell out of gnome on sol9 in responsiveness
[14:45] and with 2.6's memory management... solaris is... nauseating...
[14:45] Action: infowolfe wonders what 2.6 kernel module to use with a SiI 3112 SATARaid Controller :-\
[14:55] infowolfe: siimage
[14:55] Zoiah, i'm thinking you're right, but i'm not seeing it...
[14:55] in my current gentoo beta livecd :-p
[15:51] loger joined #vserver.
[16:17] loger joined #vserver.
[16:33] Local-God (~hell@202.79.44.30) joined #vserver.
[16:34] Local-God (~hell@202.79.44.30) left #vserver.
[17:01] youam (~youam@sc-gw.scientific.de) left irc: Quit: hardware maintenance
[17:17] youam (~youam@sc-gw.scientific.de) joined #vserver.
[17:27] serving (~serving@213.186.190.24) left irc: Read error: Connection reset by peer
[18:22] loger joined #vserver.
[19:04] Last message repeated 1 time(s).
[19:04] Xirzon (~Xirzon@pD9E75E7E.dip.t-dialin.net) joined #vserver.
[19:05] is there a reliable way to detect if a system is running linux-vserver?
[19:23] serving (~serving@213.186.190.24) joined #vserver.
[19:29] Nick change: shuri_awa -> _shuri
[20:29] _shuri (~shushushu@3ffe:bc0:8000::5bb) left irc: Quit: changing servers
[20:29] _shuri (~shushushu@vserver.electronicbox.net) joined #vserver.
[20:42] kestrel (athomas@home.swapoff.org) left irc: Ping timeout: 492 seconds
[20:48] xirzon: nope, it just looks like a normal cap'ed system.
[21:23] Nick change: Bertl_zZz -> Bertl
[21:23] hi folks!
[21:57] cdub (~chrisw@fw.osdl.org) joined #vserver.
[21:57] hi chris!
[21:57] Bertl: hi
[21:58] Bertl: have you given any further look to the lsm possibility?
[21:58] well, we are (not very intensively though) investigating it ...
[21:58] hehe
[21:58] can i help in any way?
[21:59] sure, you know something about it, right?
[21:59] yeah
[21:59] you made that list some time ago ...
[21:59] so you might be the perfect person to help here ;)
[21:59] it might have been as much as two years ago
[22:00] it's probably in any old vserver archives
[22:00] (if there are any)
[22:00] enrico, are you around?
[22:01] he knows a lot more about se-linux and lsm than I do ...
[22:01] ah, kewl. well, i'll idle here, poke me if he's around ;-)
[22:01] well, I have some questions, anyway
[22:02] ok
[22:02] the following things have been spinning in my head for some time now:
[22:02] a) network/ip limitations, can they be done with lsm?
[22:02] b) the chroot barrier, is it easy to do with se-linux/lsm
[22:03] c) what about immutable and iunlink (linkage invert)?
[22:03] and finally d) hostname/uts virtualization
[22:03] ok
[22:03] d) not possible
[22:03] c) have to look at code again (been quite a while)
[22:04] b) ditto, although we have some similar limitations
[22:04] a) as i mentioned the only problem in /net i recall is bind IP_ADDR_ANY
[22:04] in the bind case, do you succeed, but actually only bind to available ip in context?
[22:05] currently we do a bind to IP_ADDR_ANY, and check the connections later ...
[22:05] c) immutable is ioctl to ext2/3 code, so you patch that?
[22:05] ah, ok
[22:05] yeah, same should work
[22:06] as accept, etc, are hooked
[22:06] and there are similar things in other security modules
[22:06] yes, I found that in the lsm 2.6.2 too:
[22:06] CONFIG_SECURITY_NETWORK:
[22:06] This enables the socket and networking security hooks.
[22:06] If enabled, a security module can use these hooks to
[22:06] implement socket and networking access controls.
[22:06] If you are unsure how to answer this question, answer N.
[22:06] yeah
[22:07] what does the 'security module can use' mean?
[22:07] do we have to implement an lsm which hooks into those hooks?
[22:07] the hooks are callbacks to a module
[22:07] like the ipfilter hooks?
[22:07] if the module implements the callbacks ("use") then it can make policy decisions
[22:07] yeah, exactly
[22:08] okay, about immutable and iunlink ...
[22:08] and they are only called if CONFIG_SECURITY_NETWORK is set, of course
[22:08] yes?
[22:08] enrico said something about, that somebody said ;) it might be only a one-line-rule ...
[22:09] 20:48 < ensc> it will something like 'allow vserver_t refserver_t:file {
[22:09] read,link,unlink,lock,rename }'
[22:09] but I don't see how this should/could work, and enrico couldn't explain it to me ...
[22:10] ok, can you tell me the immutable and iunlink feature again?
[22:10] no problem,
[22:10] Action: cdub looks for his vserver patch
[22:10] there is the immutable flag (extended attribute)
[22:10] hold on...
[22:10] this is quite common (and almost every fs implements it)
[22:10] the chattr +i flag?
[22:10] yes
[22:10] ok, not "true EA"
[22:11] okay it is called xattr so I consider it extended attribute ;)
[22:11] fair enough
[22:11] but okay, whatever
[22:11] we added another flag, which is (now) called iunlink
[22:11] similar to +i, which allows to have 4 states
[22:12] 0) normal file
[22:12] 1) immutable file
[22:12] 2) a file which can be appended/written to but not unlinked
[22:12] 3) a file which can not be modified but unlinked
[22:12] 0,1, and 3 are mandator, 2 is a bonus
[22:13] +y
[22:13] this is the basic building block unification uses ...
[22:13] basically it would be possible to add some constraints
[22:14] ok
[22:14] like that 3 is only valid if there is more than one hardlink
[22:14] or that it only works inside a vserver ... etc
[22:14] if only one hardlink it can be modified?
[22:14] ell it could be, it wouldn't matter ...
[22:14] +w
[22:14] ok
[22:14] hrm, this seems enforceable in lsm
[22:15] the idea is just to have hardlinks instead of separate files ...
[22:15] (secure hardlinks which span vservers)
[22:15] of course, viro will say namespace is right way to do this
[22:15] this is used for binaries and libraries ...
[22:15] yes, it's coming back to me ;-)
[22:16] i recall advocating for bind mounts, but, that's just me ;-)
[22:16] actually we were thinking about that, but nobody answered the basic questions about pivot_root not working ...
[22:16] so, where is the attribute stored?
[22:16] oh, i missed pivot_root() ?
[22:16] +broken
[22:16] well, we are trying to get the namespace stuff working in userspace, without nasty kernel hacks, but so far we failed ...
[22:17] anyway, it wouldn't be very useful in that particular case, as it would not help protecting those shared files, right?
[22:18] with things like per vfsmount attributes it would
[22:18] as you could mark things r/o
[22:18] just remember --bind mounts can't be RO for now ...
[22:18] that's temporary ;-)
[22:18] well, I know, I provide the patches to overcome this ;)
[22:18] yes, i've seen them, nice work
[22:19] they will go in eventually, i've had similar stuff in 2.4, and viro always said...later...
[22:19] but it doesn't seem as if this a) has high priority, or b) is considered for inclusion by the kernel folks ...
[22:19] well, viro has a different agenda
[22:20] what I mean is, it won't help us in the near future, period.
[22:20] hrm, point.
[22:20] okay, the flags are stored as (extended) attributes like noatime or immutable itself ...
[22:20] the checks are minimal, 2 IIRC in the vfs layer ...
[22:21] yes, this is private to fs, no?
[22:21] well, we have to define it for every filesystem, but the checks themselves are on the inode ...
[22:22] brabel
[22:22] we have to define the flag values for each fs, but the check is based on the inode flags, inside vfs
[22:23] so you have 4 new flags for iunlink? ATTR_FLAG_IUNLINK[0-3]?
[22:24] http://www.13thfloor.at/vserver/d_release/v1.3.6/split-2.4.25-pre7-vs1.3.6/08_2.4.25-pre7_iunlink.diff.asc
[22:24] this is the broken out iunlink stuff ;)
[22:24] nice, thanks
[22:24] no we actually have two new flags, one is the iunlink flag, the other is a 'new' barrier flag (just experimental stuff)
[22:25] if I get around to it, it'll get some color too ... do you know any good unified diff highlighting code in php or perl?
[22:26] not from the top of my head, i've seen it in use, of course
[22:27] well, probably going to write it myself anyway, not so complicated ...
[22:27] no
[22:27] cvsweb has one, i doubt it's modular though
[22:28] so, SELinux method would be to move this to real extended attribute
[22:28] which takes that code out of each fs
[22:28] (of course, fs must support EA)
[22:29] hmm, okay so it would be a separate implementation which uses EA stuff instead of xattr stuff, right?
[22:29] then make policy decision based on EA as codified in the configs
[22:29] yes
[22:29] and all the hooks are there for read/write/unlink/etc...
[22:29] and that would add a single rule, if that EA is set, then treat this file in that role in such way, etc ?
[22:29] yu
[22:29] yup
[22:30] okay, I guess I'm beginning to understand, but it would not be possible without the EA flag/attribute, right?
[22:30] it would be, but it's uglier
[22:30] and that flag/attribute can be set via something called label?
[22:30] w/out, you have no persistent store on each inode
[22:30] so you have to load it from a database (config file, whatever)
[22:30] yes, label is how it'd be done
[22:31] and this manipulates the EA in memory or on disk?
[22:31] yes ;-)
[22:31] okay ;)
[22:31] there is ondisk and memory format
[22:31] the ondisk tends to be simple, compact
[22:32] yeah, I know ... but that sounds pretty good ...
[22:32] i think it will suit your needs
[22:32] so we can simply switch to EA for those attributes ...
[22:32] yeah
[22:32] another question, is EA supported for procfs?
[22:33] heh, good question
[22:33] or is the LSM/Se-linux stuff capable of hiding proc entries based on roles?
[22:33] hiding doesn't work so well
[22:33] that's a problem
[22:33] but gaining actual access...not a problem
[22:33] hmm, maybe we can fix that, our hiding works well ;)
[22:33] yes, it's a common request
[22:34] but I have to admit, we added flags to the proc entries ...
[22:34] describing the visibility ...
[22:34] hiding /proc/<pid>/ is easier than rest of /proc
[22:35] well, the flags theoretically work on both, but are only used for 'the rest' ;)
[22:35] heh, oops
[22:35] the process view /proc/<pid> is restricted by other means ;)
[22:35] solar mainly does /proc/<pid>
[22:36] which is most common request
[22:36] how do you do /proc/<pid>?
[22:36] simple, each task already has an xid, we just skip pids in the list generation which do not belong to the specific context ...
[22:36] actually, and how do you do the rest?
[22:36] ok, in the for_each loop
[22:37] http://www.13thfloor.at/vserver/d_release/v1.3.6/split-2.4.25-pre7-vs1.3.6/05_2.4.25-pre7_proc.diff.asc
[22:37] there is all the magic ;)
[22:37] --- linux-2.4.25-pre7/fs/proc/virtual.c Thu Jan 1 01:00:00 1970
[22:37] looking
[22:38] you can skip that one, it's only the new procfs ...
[22:41] so it's just the get_pid_list part?
[22:41] for the pids, yes
[22:42] and of course a check if you try to access it ...
[22:42] yea
[22:42] and for the rest, we decide based on the flags
[22:42] the readdir part is gonna be tougher than the lookup part
[22:42] do {
[22:42] +if (!vx_weak_check(0, de->vx_flags))
[22:42] +goto skip;
[22:42] if (filldir(dirent, de->name, de->namelen, filp->f_pos,
[22:43] that is everything needed for the readdir ;)
[22:43] right, i mean in lsm
[22:43] well, we can do that in 2.6 too, it doesn't need to be all lsm ;)
[22:44] that's true, i was just looking for a way to do it in common code, since it's a common request
[22:44] so no big deal for vserver, but maybe we can adapt that idea to lsm too ;)
[22:44] ok
[22:44] maybe just doing EA on procfs would be a good idea ...
[22:44] guess that would solve at least some of the issues ...
[22:45] how about the performance impact of LSM/se-linux on the whole system?
[22:45] lsm is in the noise
[22:45] selinux is a few percent overhead
[22:46] hmm, all that EA stuff? and the rules and managers?
[22:46] I'm asking because vserver will make heavy use of that ...
[22:46] yes, let me see if i have some old perf numbers
[22:46] well, consider you can use raw lsm too
[22:47] for example we are already hitting readdir limits in proc on the host
[22:47] ok, readdir and /proc are better in 2.6
[22:47] so this may help quite a bit
[22:47] the get 20 pids and next time 40 (keeping only 20) and so on in 2.4 is bad ...
[22:47] the whole task list is _much_ better
[22:48] now that it's a hash which doubles for pid, tgid, sid, etc..
[22:48] oops, i have to go, be back in an hour or so
[22:48] yes, I'm just concerned about losing 2.6 performance for 'generalization' done with lsm/se-linux which obviously isn't needed ...
[22:48] np, cu later ... thanks for the info ;)
[22:48] sorry, bbl
[22:48] Nick change: cdub -> cgone
[23:11] zev (~zev@213.179.234.67) joined #vserver.
[23:11] hello.
[23:12] hi zev!
[23:12] Bertl i was there not long ago, asking questions. but now i have 1 installation :-) and have many more questions :)
[23:13] have you some time to help me?
[23:13] no problem ...
[23:13] i've installed vs1.24+2.4.24 on a redhat 9 system.
[23:14] Xirzon (~Xirzon@pD9E75E7E.dip.t-dialin.net) left #vserver (Client exiting).
[23:14] my question is about loopback iface.
[23:14] hmm, yes?
[23:14] can i have some on my vserv?
[23:14] sure, but currently it is shared among all vservers ...
[23:15] hmm.
[23:15] it's bad, i think.
[23:15] so if you want to do some local network, it would be better to use dummy device
[23:16] so, i can ifconfig on each vserver its own dummy iface with 127.0.0.1 on it?
[23:16] and bind services, such as local mysql, on it?
[23:16] yup, sure, but you won't get the immediate packet-comes-back that the loopback does ...
[23:17] don't understand..
[23:17] english :(
[23:17] but usually there is no need to do so, you can use the 'assigned' ip quite nicely for mysql (and local mysql connections)
[23:18] so if you have 10.0.0.2 for that vserver, for example ... just configure that for mysql, and you are done, local connections only ...
[23:18] aaaa, i can run dummy iface with IP not 127.0.0.1 and it runs without any slow down?
[23:19] well, there will be a slowdown, because lo is special in that regard, but it will be unnoticeable ...
[23:20] ok. i can understand this.
[23:20] the packet has to travel the network stack, which wouldn't be required with lo, but the iverhead is minimal
[23:20] s/iverhead/overhead/
[23:20] ok. ok. i need local iface only to not install firewall. i believe you understand me.
[23:21] for security purposes not for speed.
[23:21] there is also the option to use unix sockets for communication IIRC, that would work without the interface ...
[23:23] ok. next question.
[23:24] i need 2 or more ip's on 1 vserv and i need ssh to listen on all these ip's
[23:24] not only ssh, mysql postfix and others for example
[23:25] and i couldn't find any way to do so on vservers because 0.0.0.0 binds are not acceptable.
[23:25] set up a vserver, and add IP's to the vserverconfig
[23:25] well, if you assign two or more ips, and bind sshd to 0.0.0.0 (IP_ADDR_ANY) that should work
[23:25] yes. this is done
[23:25] are you sure?
[23:25] <--doing it now
[23:25] pretty sure, what is your problem with that?
[23:26] hmmm, maybe i missed something...
[23:26] just on the host binding to 0.0.0.0 isn't such a good idea ...
[23:26] because you grab all interfaces, even those reserved for the vservers ...
[23:26] i think you're right.
[23:26] bertl: i capped the if output on the root-server btw.
[23:27] bertl: additional vserver util to see all if's
[23:27] click: hi, and which means? ;)
[23:27] bertl: stops mysql, bind etc from seeing the root-server's eth0:vservername1 ip's
[23:28] doener_zzz (~doener@p5082D839.dip.t-dialin.net) left irc: Ping timeout: 492 seconds
[23:28] hmm, like inside a vserver?
[23:28] outside as well
[23:28] it shows up with a secondary vifconfig
[23:28] extra tool to allow root-servers to see all if's
[23:28] hmm, okay, sounds interesting, any patches?
[23:29] or is this a userspace solution?
[23:29] userspace
[23:29] hmm, how do you prevent sshd from binding? if not with chbind?
[23:29] actually, it's a cap-module that blocks specific interfaces, kind of like the rootkits do it
[23:30] allowing access to see specific interfaces by certain processes only
[23:30] hmm, can I have a look at that?
[23:30] or is it top secret development ;)
[23:30] :-)
[23:32] not top secret, but still beta - I just ripped the "interface hide"-part from a rootkit I've been tampering with
[23:32] quite simple, but effective
[23:32] works for non-vs'ed kernels as well ;]
[23:35] url?
[23:36] doener_zzz (~doener@pD9588C28.dip.t-dialin.net) joined #vserver.
[23:37] none yet, the rootkit is the old tuxkit slightly modified
[23:40] which one? tuxkit.tgz, tuxkit-1.0.tgz, or tuxkit-short.tgz ?
[23:42] zev (~zev@213.179.234.67) left irc: Quit: thank's a lot! bye..
[23:43] tuxkit.tgz
[23:44] <- a bit slow here, in a BF1942 fight
[00:00] --- Sat Jan 31 2004