[00:04] Nick change: cgone -> cdub
[00:05] hi chris! back again?
[00:06] yes
[00:07] do you want to continue our discussion?
[00:07] ok, i'm compiling on an old ia64, so i should have some spare moments ;-))
[00:08] hey ia64 great, you have one?
[00:08] it's not mine, it's from OSDL
[00:08] but i can use it
[00:08] guess 'only' for some compiling or such, right?
[00:09] pretty much anything
[00:09] hmm, even vserver kernel testing?
[00:09] sure
[00:09] hmm, how to get access to such stuff?
[00:09] sign up for a project
[00:10] hmm, how does this work, could you explain?
[00:11] i'm trying to find the website
[00:11] oh well
[00:11] anyway, you sign up as an associate and apply for a project
[00:11] because I signed up for STP (OSDL)
[00:11] you can do simple compile testing w/out having a project machine
[00:12] ah, yes STP is just really compile testing plus some canned tests
[00:12] and although it worked fine, it is pretty useless for our purpose atm
[00:12] if you want to have full access to a machine you need to set up a project
[00:12] http://www.osdl.org/lab_activities/lab_projects/
[00:12] okay, the thing is, I would like to be able to test on many platforms but only from time to time ..
[00:13] the propose a project link at the bottom will help
[00:13] yeah, i know what you mean.
[00:13] it's not setup well for that type of use ;-(
[00:13] Action: cdub ponders how to fix that
[00:13] maybe it would be better to arrange with some developers, on specific platforms, to get some slots or testing done on that specific platform ...
[00:14] that's possible too
[00:14] I definitely don't want to have a development machine for each platform twiddling thumbs all day ...
[00:14] i could share my ia64 machine with you, for example
[00:15] argh, /me looks at compilation problems
[00:15] it would be more than sufficient to do, let's say a kernel testboot every week (at most) and maybe for each released version ...
[00:15] which means, if we release two versions in a week, it would be 2 tests in that week
[00:16] one option would be to create STP tests for vserver, but i think that's too much a PITA
[00:16] I thought about that, but STP only covers i386 atm
[00:16] really?
[00:16] argh, that's dumb
[00:16] yeah, but up to 8 way xeon or so ...
[00:16] Action: cdub has some things to discuss here ;-)
[00:18] From: cliff white
[00:18] It should be possible but one note: STP is only Intel
[00:18] arch at present - different sizes of machines, but
[00:18] all Intel.
[00:18] bah, that's worthless
[00:18] hehe
[00:19] well, I was thinking about developing a quota test for that, but I have to admit, I don't know how to do that ...
[00:19] Action: cdub looks for cliffw
[00:19] hrm, i can help you. but cliffw is the guy to ask, it's what he does.
[00:20] well, basically I don't want to use up resources, I don't need atm, so getting some test boots done from time to time would be sufficient for linux-vserver, right now ...
[00:21] i will ask about this (well, actually i just already did ;-)
[00:24] image53 (~image53@h24-86-32-215.vc.shawcable.net) joined #vserver.
[00:24] hi image53!
[00:24] Hey Bert... was curious, thought I'd check it out
[00:25] The mailing list has certainly livened up a bit
[00:25] yeah
[00:53] miller7 (none@213.239.180.106) left irc: Ping timeout: 492 seconds
[01:18] Bertl: still here, just distracted by compilation errors
[01:20] I was worried that I lost connection again ;)
[01:20] it was sooo quiet here ;)
[01:20] where are you, vienna?
[01:20] wien
[01:20] about 80km away ... pama
[01:21] hmmm, i spent one month in wien, no idea about pama though ;-)
[01:22] well, I would say about 99 of 100 people in vienna won't know it either ;)
[01:22] lol
[01:22] or let this make 999 out of 1000 ;)
[01:23] how about the tyrol? close by for skiing?
[01:23] it's on the north east edge of burgenland, which is just below vienna
[01:24] tyrol is on the other end of austria in the vicinity to voralberg ...
[01:24] ah, ok
[01:52] Bertl: is that about right or did i fetch the wrong coordinates? http://www.youam.net/maps/%23vserver.jpg
[01:53] Bertl: btw, should i make a "proper" map of #vserver?
[01:54] hmm, well yes, looks good to me, but you have to add laaben too, another location where you could find me ;)
[01:57] you're in with both positions, and Vienna's out
[01:57] anyone else?
[02:00] Such a lonely looking map
[02:00] I'm in Vancouver, Canada... so much further away
[02:04] image53: hey, that's not too far from Portland, OR
[02:05] Nope. I'll pass through there in a few weeks on the train to San Jose too
[02:05] ah, nice
[02:26] hm. i think europe is going to get crowded
[02:26] cdub, image53: you're on it now
[02:27] well reduce me to 'just' the name ;)
[02:28] heh
[02:34] Bertl: they're thinking about how to work out the "i just need the hardware once a week"
[02:35] Bertl: in the meantime you could propose a project and use the hardware (idle time and all)
[02:36] as an alternative, i could do it on my ia64 time (x86 isn't so much trouble)
[02:44] hmm,
[02:44] well, I have no problem with 'proposing' a project whatever that means ;)
[02:45] but I think if you 'know' some developers, who would 'share' their hardware for an occasional test, that would be more than sufficient ...
[02:46] it just means going to that page and filling out the project proposal
[02:46] url?
[02:46] lastlog http ? ;-)
[02:46] and didn't I do that for the STP already?
[02:47] there's two different things. an associate, so you can use STP, and a project, where you get a login account on a machine, etc..
[02:47] it was this. http://www.osdl.org/lab_activities/lab_projects/
[02:47] ah okay, and just a few questions ...
[02:47] ok
[02:48] let me guess... Bad Credit? No Problem 8)
[02:48] because as I said, I don't want to 'allocate' resources, which I do not need ...
[02:48] Action: cdub *nod*
[02:48] what exactly do you get on that ia64 machine for example ...
[02:49] it depends. probably a SMP (2-16 way), 4G, scsi...whatever distro you want (although odd ones probably won't work)
[02:49] is that what you mean?
[02:50] hmm, no ...
[02:50] okay, let me put it the other way around ...
[02:50] ok
[02:50] I have a development system, provided by rosehosting, which has (one of my requirements) a serial connection and some way to reset that machine remotely
[02:51] yes, you get similar
[02:51] terminal server, and remote power
[02:51] this way kernel debugging is possible ... on that machine (it was RHx installed) I installed my own version of Mandrake ;) (remotely)
[02:52] which has everything I need to do that work ...
[02:52] heh. yes i do kernel debugging on this
[02:52] now currently there is no need to get 'another' machine to develop on, unfortunately I can't develop on more than one at a time ;)
[02:53] I'm working on that part, bilocation and multitasking is the secret ;)
[02:54] imaginary friends and split personalities help too
[02:54] currently I'm working on a cross compiling environment which seems to get into a working state very soon ...
[02:54] binutils-alpha-2.14.90.0.8-1mdk
[02:54] binutils-hppa-2.14.90.0.8-1mdk
[02:54] binutils-hppa64-2.14.90.0.8-1mdk
[02:54] binutils-i386-2.14.90.0.8-1mdk
[02:54] binutils-ia64-2.14.90.0.8-1mdk
[02:54] binutils-m68k-2.14.90.0.8-1mdk
[02:54] binutils-mips-2.14.90.0.8-1mdk
[02:54] binutils-mips32-2.14.90.0.8-1mdk
[02:54] yeah, well with ia64, compile is very slow, so it's very helpful too
[02:54] binutils-mips64-2.14.90.0.8-1mdk
[02:54] binutils-ppc-2.14.90.0.8-1mdk
[02:54] binutils-ppc64-2.14.90.0.8-1mdk
[02:55] binutils-s390-2.14.90.0.8-1mdk
[02:55] binutils-sparc-2.14.90.0.8-1mdk
[02:55] binutils-sparc64-2.14.90.0.8-1mdk
[02:55] binutils-x86_64-2.14.90.0.8-1mdk
[02:55] and the according gcc for kernel compiles ;)
[02:55] ooh, nice!
[02:55] x86 as host?
[02:55] so that should not be the issue too, what I end up with is a kernel, which is compiled for let's say sparc64 .. and I would like to have it run, with some tests ...
[02:55] (yes x86 is the host)
[02:56] http://vserver.13thfloor.at/Stuff/Cross/
[02:56] here is the spec file ;)
[02:56] that's what the hardware is here for
[02:56] nice
[02:56] I didn't manage to fix the ia64 includes yet, had a lot of help from enrico, but no luck yet ...
[02:57] funny part is the i386 cross compiler on i386 ;)
[02:57] haha
[02:57] best thing is, it needed fixed headers too ;)
[02:57] ugh
[02:57] sad
[02:58] well, that is done, so when I sleep that machine will compile kernels ...
[02:58] just adjusting the scripts around that ...
[02:58] excellent
[02:58] so sure that will be much faster on a 8way xeon ...
[02:58] yes
[02:58] but I doubt, that it would be more useful ...
[02:59] well, if you can run it somewhere it would help
[02:59] no?
[02:59] well currently I can run it somewhere, the machine provided is a dual P3 as mentioned on the 'Hall of Fame' page on the wiki ...
[03:00] so no immediate problem/requirement there ... might change if that machine isn't available in the future ...
[03:00] sure, but for the other arches
[03:00] it does all archs in one pass ;)
[03:00] as I said I tried to automate that process, and I guess it will be done this weekend ...
[03:00] Nick change: surriel -> riel
[03:01] woops, i misunderstood, i was talking about running the vserver packages on non x86 hardware
[03:01] so what I actually need is a 'real' architecture, as simulation isn't so advanced that I could emulate something else than i386 ...
[03:02] to test the built kernels and for enrico to test the userspace tools on the specific arch ...
[03:02] yes, so this is where the ia64, for example
[03:02] hrm, that's not english ;-)
[03:03] yeah, but I got you ...
[03:03] ok
[03:03] but I don't need an ia64 24/7 ...
[03:03] i understand
[03:03] put it this way
[03:03] if the machine is not in use right now
[03:03] it's even more idle than you using it once a week ;-)
[03:04] and if it is in use, it isn't available
[03:04] and i poked at the folks here
[03:04] they are looking into making it available in smaller timeslices
[03:04] hmm, right, but if I use it, it's not available for somebody who actually would use it 24/7, right?
[03:04] Bertl: not sure if there is anybody ATM (I really don't know)
[03:05] and that is definitely something I do not want to happen, so maybe if the osdl folks cannot solve this, the developers for sure should be able to do it ...
[03:05] and if you put in your project proposal that you only need it for brief periods at regular intervals then they can work on providing this service
[03:06] Bertl: here is what i have:
[03:06] "he could submit his project and I can work on the campaign thing...i just need to get it down to being hour based rather than day based or something"
[03:06] (campaign is what they call a project that doesn't require dedicated access to hardware, i don't know why they picked that name)
[03:07] yeah, I'm on it, filling out that proposal ;)
[03:07] so, a project proposal from you is what can kickstart the process, make sense?
[03:07] kewl
[03:09] do I have to repeat my name under Team Members?
[03:09] i'm not sure
[03:18] what is that Developer Resources stuff at the bottom?
[03:19] Action: cdub goes to look
[03:19] by the way, what should I enter at Requested system access start date:, and duration?
[03:19] asap, and forever?
[03:20] yeah, that's what i put (as long as possible)
[03:20] might note that you only need it periodically
[03:20] linux vserver currently supports (in theory) the following architectures:
[03:20] alpha, hppa, hppa64, i386
[03:20] m68k, mips, mips64, ppc, ppc64
[03:20] s390, sparc, sparc64, x86_64
[03:20] it would be very beneficial to test the kernel and the userspace tools (as well as their interaction) on those platforms whenever a new kernel patch or tool version is released. this would require a machine of that architecture for about 3-4 hours each week or maybe less. kernel compilation will be done on ix86 via cross compiling, userspace on the actual architecture.
[03:21] looks good
[03:22] okay, what with the fields below? empty?
[03:22] i don't know what the last field is for (developer resources)
[03:22] i guess so, they can always ask you for more data
[03:22] okay, so I leave it empty ...
[03:23] okay
[03:23] okay, what's next?
[03:23] submit proposal button
[03:24] well, I already did that ... 8-)
[03:24] and then you'll get some feedback (typically it's quick...but the guy who handles that is travelling right now, so it could take a few days)
[03:24] okay, so just wait ...
[03:24] *nod*
[03:25] let me know if you haven't heard anything by early next week and i'll go and poke at some people
[03:25] okay, will do so, thanks
[03:25] np
[03:25] (btw, i think the only free arch's right now are x86 and ia64)
[03:34] image53 (~image53@h24-86-32-215.vc.shawcable.net) left irc: Remote host closed the connection
[03:36] okay, started a testrun of my automated cross compiling script ...
[03:37] how long does it take
[03:38] depends ... on the kernel and on the config ...
[03:38] this is 2.6.1 with default config ...
[03:39] alpha already done, hppa,hppa64 failed (as expected), i386 running now
[03:40] nice
[03:57] kestrel (athomas@home.swapoff.org) joined #vserver.
[03:57] hi alec!
[04:00] hey herbert :)
[04:01] i reckon if somebody changed their nick to 'nickserver', they would get heaps of people accidentally sending their passwords
[04:01] hmm, did you try? ;)
[04:20] not yet, but it's on my list of cool things to try
[06:10] Nick change: cdub -> cgone
[09:13] noel (~noel@pD9FFA52B.dip.t-dialin.net) joined #vserver.
[09:14] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 501 seconds
[11:52] Nick change: Bertl -> Bertl_zZz
[13:33] miller7 (none@213.239.180.106) joined #vserver.
[13:33] hello ppl
[14:04] miller7 (none@213.239.180.106) left irc: Read error: Connection reset by peer
[15:17] Cyrix (~master@hmbg-d9ba8760.pool.mediaWays.net) joined #vserver.
[15:17] hello everyone
[15:19] hi
[15:22] hi mids, do you know of a search engine for the vserver mailing-list archive ?
[15:24] yes, google
[15:24] add site:list.linux-vserver.org to they query
[15:25] oh, good ieda :)
[15:25] s/they/their/
[15:25] s/ieda/idea
[15:36] damn, can't find anything appropriate :(
[15:37] my vserver can ping and resolve dns, but times out when trying to establish a http or ftp connection
[15:38] what are you looking for?
[15:38] ah
[15:38] do you use an alias?
[15:39] yes
[15:39] shouldn't I ?
[15:40] no idea :) it works for me
[15:40] do you have a firewall?
[15:40] maybe it is set to deny outgoing / incoming tcp packages
[15:41] yes I have an It is configured with a deny policy... but then there should be something on the logs...
[15:43] the host system is the firewall....that was a problem regarding the internet-connection
[15:44] but I solved this problem with SNAT
[15:45] and you have forwarding on in /proc ?
[15:48] my host is masquerading my internal network so I'm sure it is set
[15:49] but I don't know for the vserver .... does it have its own /proc or isn't it just bound to the host's one ?
[15:50] a great problem is that apt-get does not work on the vserver now so I don't have much software to run tests
[15:56] can you connect with it to the host system?
[15:59] yepp
[16:00] you could consider running apt-proxy
[16:00] until you did fix the issues
[16:02] i'll consider it ... just running some tests with firewall configurations but until now no change detected
[16:17] hmm... in the apt-proxy man page there is no hint how to configure the clients to be able to get updates/fixes which the host system gathers from security.debian.org
[16:18] any idea or is this solved automagically ?
[16:23] on the host:
[16:23] add_backend /security/ \
[16:23] $APT_PROXY_CACHE/security/ \
[16:23] http://security.debian.org/
[16:23] on the vserver:
[16:23] deb http://APTPROXY:9999/security stable/updates main contrib non-free
[16:24] thx just found it :)
[16:58] grmpf ... although i've set up everything as suggested in the docs, an apt-get call from the vserver only gives me 404 errors
[17:00] weird
[17:00] want me to publish my apt-proxy.conf and sources.list?
[17:00] although my host says it got connections ... I also haven't implemented any new firewallrule, so everything of the vserver can only run through the localhost-interface
[17:02] that would be nice but as of the apt-proxy.conf you just need to post the add_backend statements
[17:02] kestrel (athomas@home.swapoff.org) left irc: Quit: Hey! Where'd my controlling terminal go?
[17:10] what about this :: in the URLs ? in your config only the last line of every backend has it, in my provided conf every line has it. I thought this was apt-proxy specific and left it untouched
[17:11] I think that I did only touch the add_backend lines in apt-proxy.conf
[17:12] the other stuff was default upon installations
[17:12] those :: things seem to be rsync specific
[17:12] I didnt touch them either
[17:16] also the front of every line of yours begins with http://, this is missing on my side ... (OT: kind of weird to use ftp-servers with http://)
[17:19] (that is because they are mirrors)
[17:19] (I think)
[17:19] http://ftp.nl.debian.org/debian/ = webmirror of ftp://ftp.nl.debian.org/
[17:20] = webmirror of ftp://ftp.nl.debian.org/debian/
[17:21] hmm.... but if you can you should use ftp, caus its faster. http is only provided for those who are sitting behind firewalls not allowing ftp access
[17:22] I'm now using ftp://ftp.de.debian.org/debian/ and it's working :)
[17:23] (I am behind a firewall, picked http so I didnt have to do active ftp kernel tricks)
[17:25] serving (~serving@213.186.190.24) left irc: Read error: Connection reset by peer
[17:26] for outgoing ftp there is no need for tricks if you are behind a masquerading netfilter firewall :)
[17:27] ok
[17:28] many thanks for your support....everything is running perfect now ;)
[17:40] serving (~serving@213.186.190.24) joined #vserver.
[17:42] awesome
[17:49] arekm_ (misiek@ikar.t17.ds.pwr.wroc.pl) left irc: Ping timeout: 501 seconds
[17:54] arekm (misiek@ikar.t17.ds.pwr.wroc.pl) joined #vserver.
[18:15] serving (~serving@213.186.190.24) left irc: Ping timeout: 501 seconds
[20:10] serving (~serving@213.186.191.180) joined #vserver.
[20:48] Nick change: Bertl_zZz -> Bertl
[20:49] hi everyone!
[20:53] moin
[20:54] hi mids! thanks for helping Cyrix ;)
[20:56] <_shuri> hi Bertl
[20:58] hi _shuri!
[20:59] <_shuri> hi Bertl
[20:59] <_shuri> how are you
[20:59] fine, thanks, how are you?
[21:01] <_shuri> fine
[21:01] <_shuri> too cold outside
[21:01] hmm, but I hope warm in the house?
[21:02] <_shuri> hehe
[21:02] <_shuri> computer make warm
[21:02] that's right, especially if you make them work ...
[21:05] by the way, is anybody interested to do some kernel configuring for linux-vserver?
[21:05] s/to do/in doing/
[21:06] <_shuri> what that mean?
[21:09] hi Bertl ;)
[21:10] hi Cyrix!
[21:10] _shuri: well let me explain ...
[21:11] the last few days Enrico and I were working on a cross compiling environment to allow kernel compilations for all supported platforms on ix86 ...
[21:12] <_shuri> ok
[21:13] we now have crosscompilers for alpha,hppa/64,i386,m68k,mips/64,ppc/64,s390,sparc/64 and x86_64
[21:13] <_shuri> great
[21:13] and I wrote some shell script to build a kernel and various patches in an automated way ...
[21:13] on all those platforms ...
[21:14] the idea is to have a vanilla kernel build, and one with vserver and list the differences in the warnings/error messages ...
[21:15] mef (~mef@h-68-167-252-15.STTNWAHO.dynamic.covad.net) joined #vserver.
[21:15] hello
[21:15] hi mef!
[21:16] <_shuri> ok
[21:16] <_shuri> i only got i386 computer
[21:16] I'm now sure that SNAT is not working with anything other than ICMP because DNS and now apt-get are both handled by the host system
[21:16] do people from the planet-lab project hang out on this irc?
[21:17] maybe?
[21:17] _shuri: okay, now for a start I did a defaultconfig for 2.4 and 2.6
[21:18] which actually fails for hppa/64,m68k,mips/64,sparc/64
[21:18] <_shuri> ok
[21:18] which only documents that the different archs are not that well maintained in 2.4 and in 2.6
[21:19] now I think at least some of those platforms will compile, if they get a proper default config for linux-vserver purposes ...
[21:20] mef (~mef@h-68-167-252-15.STTNWAHO.dynamic.covad.net) left #vserver.
[21:20] <_shuri> k
[21:20] so the idea is to experiment with the config, starting from a base config (which I can provide) and try to find the minimal changes to make it run on whatever arch ...
[21:20] yes the support of i386 is far better than any other... I'm sorry I would gladly help out at m68k but unfortunately I only own one M68000 and linux required at least a M68020
[21:20] <_shuri> but we need other arch base computer?
[21:21] Cyrix: the magic word is crosscompiler ;)
[21:21] gcc-m68k-3.3.2-2mdk
[21:21] this allows you to do that on ix86 ,)
[21:21] <_shuri> cool
[21:22] i know you can compile it on an ix86 but shouldn't you at least test if it works correctly on a computer of that arch ?
[21:22] okay, I already made the cross compiling stuff public ... I'll update it now, and if somebody is interested in helping he can choose one architecture ...
[21:22] (or more if he wants to ;)
[21:23] <_shuri> ok
[21:23] <_shuri> brb in 1 hours
[21:23] ok, but first I need my own vserver running ;)
[21:23] <_shuri> will test it
[21:23] perfect ... any preference regarding the arch?
[21:24] Cyrix: okay, let me see what we can do for you ;)
[21:25] I could do m68k to support Amiga users (i am still one and will ever be ;) )
[21:26] sounds good, but now to your vserver issues, as you said, let us get your vserver running ;)
[21:26] nathan_ (~nathan@207.44.202.162) joined #vserver.
[21:26] hi
[21:27] he is running about a week now, that's not the problem...there are just some network issues unresolved ;)
[21:27] hi nathan_! how are you?
[21:28] not bad, you?
[21:28] busy :/
[21:28] Cyrix: network issues? lets hear about them
[21:28] nathan_: I'm good, working on vserver is still fun!
[21:28] hehe thats good
[21:29] what brings you here?
[21:29] just saying hi and seeing how everything is going
[21:30] nothing has blown up
[21:30] hehe
[21:30] just clearing up loose ends too, sending vproc.c.diff now as well
[21:30] as I already told you, my vserver has no network problem regarding local network or connections to the host...but when I try to connect directly to the Internet there is no response and there are no traces on my firewall of any blocked connection attempts
[21:31] okay, ready for some tests?
[21:31] sure
[21:33] I hope you could figure out my network architecture from the files I sent to you
[21:33] I'm working on it ;)
[21:34] maybe i should paint a draft for you ;)
[21:34] that would be nice ...
[21:34] ok give me some time
[21:38] please try to install tracepath/traceroute and hping2 on the vserver and on the host, and tcpdump on the host ...
[21:44] nathan_: could you have a look at enricos alpha branch, which includes the vproc tool in a somewhat modified version, and maybe add your changes as well as some useful extensions to that too, if you have some time left?
[21:50] Bertl, yea where is the repository for that?
[21:51] http://www-user.tu-chemnitz.de/~ensc/util-vserver/
[21:57] so this is very basic but should do it: http://mitglied.lycos.de/cyrix/network-draft.gif
[21:58] great, okay, did you manage to install hping2/tcpdump and friends?
[21:59] just read it ;) brb
[21:59] np
[22:03] there is no tracepath ... but everything else is installed now...i have to say goodbye to someone, brb
[22:04] tracepath should be part of iputils ...
[22:05] nathan_ (~nathan@207.44.202.162) left irc: Read error: Connection reset by peer
[22:15] E: Couldn't find package iputils
[22:16] okay, forget it for now ...
[22:16] now in one sentence, explain me what you want to accomplish?
[22:17] I want my vserver to establish a direct connection to the internet, for example lynx linux-vserver.org.
[22:19] hmm, you are trying masquerading, I assume?
[22:19] yes, as shown on the draft, masquerading is already working
[22:20] okay, but masquerading doesn't work for packets generated on the same host, you know that?
[22:20] it is a limitation of the ipfilter/network stack ...
[22:21] i searched the mail-archive of linux-vserver where this issue was mentioned ... they provided SNAT to solve this problem
[22:21] you could use SNAT for that, to obtain a similar effect ...
[22:21] what SNAT rules did you try?
[22:21] Termin4t0r (Termin4t0r@pD904A857.dip.t-dialin.net) joined #vserver.
[22:21] hi
[22:21] hi, what version?
[22:22] do you mean me, bertl ?
[22:22] cat /etc/ppp/ip-up.d/vserv-online
[22:22] #!/bin/sh
[22:22] anyone knows where to get a demo account for the php interface for vservers ?
[22:23] sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $IPLOCAL
[22:24] okay, can you show me your nat table?
[22:24] iptables -t nat -L
[22:26] what are we exactly looking for ?
[22:26] the rules ;)
[22:26] nobody ?
[22:27] just asking because there are some sensitive lines ;)
[22:27] sorry Termin4t0r (unknown version), but look at the archives ...
[22:27] hmm, okay we try without ...
[22:27] hping is available, yes?
[22:28] wait a minute...i will post it with some lines changed ;)
[22:29] Chain PREROUTING (policy ACCEPT)
[22:29] target prot opt source destination
[22:29] net_dnat all -- anywhere anywhere
[22:29] Chain POSTROUTING (policy ACCEPT)
[22:29] target prot opt source destination
[22:29] ppp0_masq all -- anywhere anywhere
[22:29] Chain OUTPUT (policy ACCEPT)
[22:29] target prot opt source destination
[22:29] Chain net_dnat (1 references)
[22:29] target prot opt source destination
[22:29] DNAT tcp -- anywhere anywhere tcp dpts:highports to:someclient
[22:29] Chain ppp0_masq (1 references)
[22:29] target prot opt source destination
[22:29] MASQUERADE all -- 192.168.0.0/24 anywhere
[22:30] just forget it, we make some tests instead ...
[22:31] ok...but thats really all it showed
[22:31] host or vserver ?
[22:31] first the obvious, tcpdump on the host, interface eth1
[22:32] tcpdump -vvnei eth1 port 80
[22:32] then on the vserver we try to make a connection with telnet
[22:32] ok
[22:33] telnet 216.239.59.99 80
[22:33] now I need the output ...
[22:33] tcpdump: listening on eth1
[22:34] thats all for now :(
[22:34] well, that means absolutely nothing is working?!
[22:34] i can see anything
[22:34] does the telnet complain?
[22:34] s/can/can't
[22:35] no it's still at Trying 216.239.59.99...
[22:35] okay, let's try it on the host first ;)
[22:36] the telnet connection ?
[22:36] yup!
[22:36] ok lemme just check my firewall configuration...
[22:37] maybe you should for the short time of testing disable it entirely ;)
[22:37] maharaja (~maharaja@ipax.tk) left irc: Ping timeout: 501 seconds
[22:38] ok i oversaw we are going at port 80 not the telnet port, sorry ;)
[22:39] i dont think this is necessary despite there should be errormessages in the logs if its the firewalls fault ;)
[22:39] okay, we'll see ...
[22:40] Trying 216.239.59.99...
[22:40] Connected to 216.239.59.99.
[22:40] Escape character is '^]'.
[22:40] that looks good
[22:40] okay, this was on the host?
[22:40] yepp
[22:40] maharaja (maharaja@ipax.tk) joined #vserver.
[22:40] you know how to stop that telnet?
[22:40] STRG+C or quit?
[22:41] okay ..
[22:41] now try from the vserver, and reset the tcpdump ...
[22:42] i already escaped it to try telnet
[22:43] hmmmm...weird...telnet isn't responding to STRG+C
[22:43] arekm_ (misiek@ikar.t17.ds.pwr.wroc.pl) joined #vserver.
[22:43] arekm (misiek@ikar.t17.ds.pwr.wroc.pl) left irc: Read error: Connection reset by peer
[22:44] okay try CTRL-] and then type quit ;)
[22:44] (that was why I was asking ;)
[22:45] that doesn't help either cause then its ] and not ^]
[22:46] holding CTRL and pressing ] _does_ help, trust me ;)
[22:47] ] is AltGr+9 on my keyboard and STRG+AltGr+9 does not help, trust me ;)
[22:47] press Strg-AltGr-9 a '^]' will appear, then hit enter ...
[22:47] i've now done kill -9 11824 ;)
[22:47] you get a prompt telnet>
[22:47] there you can type quit
[22:48] we should hang on here too much :)
[22:48] ok....tcpdump again
[22:49] no change
[22:50] which means?
[22:50] 'tcpdump: listening on eth1
[22:50] on the host
[22:50] and Trying 216.239.59.99... on the vserver
[22:51] okay, could you a) disable any firewalls/iptable setups on that host ...
[22:52] and b) try to reduce the network traffic going through this box to a minimum, so that we can look at _all_ the packets?
[22:52] the eth0, NoIP on your chart is somehow weird?!
[22:52] the router is connected via that interface, right?
[22:53] I assume you are doing PPoE (via a bridging DSL router)
[22:53] hmmm...ok, I could do this because everything I'm doing now is ssh'ing to the host and to the vserver
[22:54] yes, I thought this was obvious
[22:54] well, it isn't obvious, because it usually requires two ips (10.0.0.1/10.0.0.2) on that network ;)
[22:54] ah sorry no there is no bridging router....the linux host does the routing
[22:55] so the modem is on a serial line?
[22:55] as you can see it is directly connected to the DSL-Modem
[22:55] your drawing shows eth0/NoIP ----- router ppp0
[22:56] which is rather confusing?!
[22:56] the host and the modem are connected via 10MBit ethernet on the host's eth0
[22:56] without any ip?
[22:56] what do they talk=
[22:56] what do they talk?
[22:56] appletalk?
[22:57] _shuri (~shushushu@vserver.electronicbox.net) left irc: Ping timeout: 483 seconds
[22:57] eth0 does not need any ip...ppp0 is bound to eth0 and providing the ip...have a look at the ifconfig -a i gave to you
[22:57] they talk PPPoE
[22:58] I have, but it looks weird to me .. as I said, I know some setups, but all have 'normal' routing on the ethernet connection ...
[22:58] then you are using PPTP or something like that i think
[22:59] possible ... okay, lets try with tcpdump on ppp0 then ...
[23:00] and start a new telnet inside the vserver ...
[23:01] for easier understanding...when i connect the log shows something like this:
[23:01] Jan 30 00:06:44 6x86er pppd[27707]: pppd 2.4.1 started by root, uid 0
[23:01] Jan 30 00:06:44 6x86er pppd[27707]: Serial connection established.
[23:01] Jan 30 00:06:44 6x86er pppd[27707]: Using interface ppp0
[23:01] Jan 30 00:06:44 6x86er pppd[27707]: Connect: ppp0 <--> /dev/pts/2
[23:01] Jan 30 00:06:47 6x86er pppd[27707]: kernel does not support PPP filtering
[23:01] Jan 30 00:06:48 6x86er pppd[27707]: local IP address 83.121.27.183
[23:02] hmm, okay, I guess this can be handled like a serial modem ...
[23:03] kind like
[23:03] theres somethin going on
[23:04] okay, please let me have a look at it ...
[23:04] tcpdump: listening on ppp0
[23:04] 21:04:48.767490 ip: 192.168.0.101.1637 > 216.239.59.99.80: S [tcp sum ok] 1258918002:1258918002(0) win 5648 (DF) [tos 0x10] (ttl 64, id 42436, len 60)
[23:04] 21:04:51.763148 ip: 192.168.0.101.1637 > 216.239.59.99.80: S [tcp sum ok] 1258918002:1258918002(0) win 5648 (DF) [tos 0x10] (ttl 64, id 42437, len 60)
[23:04] 21:04:57.762084 ip: 192.168.0.101.1637 > 216.239.59.99.80: S [tcp sum ok] 1258918002:1258918002(0) win 5648 (DF) [tos 0x10] (ttl 64, id 42438, len 60)
[23:04] 21:05:09.759972 ip: 192.168.0.101.1637 > 216.239.59.99.80: S [tcp sum ok] 1258918002:1258918002(0) win 5648 (DF) [tos 0x10] (ttl 64, id 42439, len 60)
[23:04] okay, this basically means that your SNAT isn't active ...
[23:05] strange...i showed you my ip-up.d script
[23:05] well, flush the nat table if possible, we'll try to write some rules, okay?
[23:05] ok
[23:06] iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 83.123.102.13
[23:14] Cyrix (~master@hmbg-d9ba8760.pool.mediaWays.net) left irc: Ping timeout: 492 seconds
[23:14] hmm, I guess he disabled his connection ;)
[23:20] Doener_aw (~doener@p5082D3E6.dip.t-dialin.net) joined #vserver.
[23:21] hi Doener_aw!
[23:21] Nick change: Doener_aw -> Doener
[23:21] hi bertl
[23:22] are you interested in helping to enhance arch support for vserver?
[23:24] what would be the requirements?
[23:24] Cyrix (~master@hmbg-d9ba829b.pool.mediaWays.net) joined #vserver.
[23:24] well, simple a ix86 machine, which you can utilize ...
[23:25] wasn't so good the idea of stopping the firewall ;/
[23:25] Doener: to make it short, we did some cross compiling stuff, for most architectures, but the default kernel config has to be evaluated for different archs ....
[23:26] Cyrix: okay, you are back with a minimalistic nat table?
[23:26] yepp almost
[23:26] did you get my iptables line?
[23:26] 21:07 < Bertl> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 83.123.102.13
[23:27] yes i did and already implemented it
[23:27] important point is that the masq rules do not interfere with that one ...
[23:28] doener_zzz (~doener@pD9588C28.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[23:28] ok there are none left
[23:28] Chain PREROUTING (policy ACCEPT)
[23:28] target prot opt source destination
[23:28] Chain POSTROUTING (policy ACCEPT)
[23:28] target prot opt source destination
[23:28] SNAT all -- anywhere anywhere to:83.123.102.13
[23:28] Chain OUTPUT (policy ACCEPT)
[23:28] target prot opt source destination
[23:28] good, now let's try the tcpdump on ppp0 and the vserver telnet again ...
[23:29] Doener: interested?
[23:29] erm... here my limited knowledge comes into play ;) what exactly would that mean?
[23:29] 21:30:43.813828 ip: 83.123.102.13.1642 > 216.239.59.99.80: S [tcp sum ok] 2883969060:2883969060(0) win 5648 (DF) [tos 0x10] (ttl 64, id 30054, len 60)
[23:30] Termin4t0r (Termin4t0r@pD904A857.dip.t-dialin.net) left irc:
[23:30] Doener: simple, you install one of the cross compilers, for an architecture that currently fails ... and then modify the config file with make menuconfig and try to compile that kernel until it succeeds ... taking some notes, what was changed ;)
[23:31] should be straightforward and quite simple ...
[23:32] ok, i think i'll be able to do that ;) and i guess if i get stuck you'll be around anyways *g*
[23:32] cyrix: okay, that looks good to me ...
[23:32] Doener: sure, you have my support from point zero ...
[23:33] is your distro RPM based?
[23:33] how do I need to implement SNAT and MASQ so that both do not interfere ?
[23:34] mainly by adding selection criteria, which addresses are affected by what rules ...
[23:35] for example adding a -s 192.168.0.101 to that rule should limit it to that vserver
[23:36] no, i'm on debian
[23:36] no problem ...
[23:36] first step is to build the binutils ...
[23:36] ok sounds clear to me
[23:36] Doener: http://vserver.13thfloor.at/Stuff/Cross/binutils-cross.spec
[23:37] get the binutils-2.14.90.0.8.tar.bz2 source ...
[23:37] unpack it and specify the command lines to ./configure used in the spec file ...
[23:37] should I insert the correct SNAT line now ?
[23:38] well, I would limit the masq to some address space, and let the rest be snated
[23:38] why not otherwise ?
[23:38] because the masq is a permit to the outside network, the snat is host internal
[23:39] so assuming that your host is safe, it's safe to have that snat ;)
[23:39] but allowing masq for arbitrary ips could result in some security issues ...
[23:40] my intention to run vserver on my firewall is for security reasons and because i don't have any other machine running 24/7 ;)
[23:41] you could add the -s to every rule you do ...
[23:43] hmm...isn't this slowing the routing magnificantly down when there are too many rules ?
[23:43] does your DSL router have Gigabit?
[23:44] no just 768/128 but my host is only an IBM Cyrix6x86-P166+/133MHz ;)
[23:44] well, I guess you won't notice ...
[23:45] if you say so ... i'm just a bit paranoid ;)
[23:46] ok let's try now ... just deleting your old line first...
[23:49] ok it's working now and you were right regarding the telnet escape character *layingatyourfeetpraying* ;)
[23:49] well, I guess you owe me a ... shrubbery?
[23:49] 8-)
[23:51] oh my god ... i've been helped by a gardener 8-)
[23:51] well, you know who's the murderer, right?
[23:52] okay, guess you are happy now, and I'm happy that vserver isn't involved ;)
[23:52] you opened up my eyes ;)
[23:53] yes masq was guilty
[23:53] I know we often hit that issue, because people see the vserver as separate host (which is good, but not correct for the network stack)
[23:55] maybe this will get easier if there's an option of doing it like uml ... with TUN/TAP devices and virtual ethernet bridging ;) I already heard of a vserver-patch for this...
[23:56] great, where can I find it? ;)
[23:56] but i don't like too much patching ;)
[23:57] i'm not sure where i found it....there's only the vserver mailing list archive in my mind, no but i would bet on it
[23:57] wouldn't
[23:58] i would search for it but i need to get my firewall reconfigured and up for that ;)
[00:00] --- Sun Feb 1 2004