[00:00] text/css css
[00:00] that's what my apache 1.3 has
[00:00] well, I have that too in my mime.types (in apache/config)
[00:01] and that didn't make it?
[00:01] but it is ignored for that part, maybe a config issue or some bug ..
[00:01] apache2?
[00:01] yup
[00:01] then some bug :-P
[00:02] Bertl: and what about releasing the devel branch?
[00:02] devel branch will be out today ... was delayed because of the issues ;)
[00:02] ογε
[00:02] gut
[00:02] but I hope the issues will be fixed in devel also
[00:03] shall we?
[00:03] ah, just kidding ;)
[00:04] devel already has the barrier flag, so that should not be an issue ...
[00:04] any help on how I can patch the existing 1.24-patched kernel with the delta?
[00:04] well, you have to apply the vs1.24-vs1.25 delta I mentioned before ... and then the 1.25-1.26 ;)
[00:04] cat delta.diff | patch -p1
[00:04] oki
[00:05] Bertl: is the 1.25 security thing very important?
[00:05] I did not really understand what the problem is
[00:05] hmm, if you do not have vserver root users, no
[00:05] what can root users do inside the vserver?
[00:05] without 1.25
[00:05] they can escape the chroot()
[00:06] what about grsec?
[00:06] might help here, don't know ...
[00:06] (don't have a vserver+grsec setup but I know it exists)
[00:06] grsec does a lot of chroot() checks/restrictions
[00:14] Topic changed on #vserver by Bertl!~herbert@MAIL.13thfloor.at: http://linux-vserver.org/ || latest stable 1.26, devel 1.3.6, exp 0.06
[00:15] bye
[00:15] Filther (Filther@nilus-1858.adsl.datanet.hu) left irc: Quit: Leaving
[00:20] meebey: could you refresh my memory, what did we do last time?
[00:20] Bertl: last time?
[00:20] when you were around ...
[00:20] hhhmmm my memory is also bad :)
[00:21] I bet something with vserver? :-P
[00:21] good guess ... ;)
[00:22] click (click@gonnamakeyou.com) left irc: Ping timeout: 501 seconds
[00:27] click (click@gonnamakeyou.com) joined #vserver.
[00:29] netrose (~netrose@62.220.216.150) joined #vserver.
[00:30] hi bobi!
[00:30] Hi.
[00:31] netrose (~netrose@62.220.216.150) left #vserver.
[00:33] netrose (~netrose@62.220.216.150) joined #vserver.
[00:37] Bertl: what is the '-d' option for? Why are you disabling backup there?
[00:38] oops, -d is a flag?
[00:38] my fault, wanted to address the directory ...
[00:40] well, probably won't hurt, but please add a note that this isn't required ;)
[00:44] <_shur1> anybody remember the address of the site with the vserver-distro image?
[00:44] <_shur1> redhat8.0.tar
[00:44] <_shur1> for example
[00:48] there is a broken? link on linux-vserver.org?
[00:49] <_shur1> yes
[00:49] <_shur1> http://www.jvds.com/vserver/
[00:49] <_shur1> does not work anymore
[00:49] they probably broke it somehow ...
[00:52] netrose (~netrose@62.220.216.150) left irc:
[00:57] <_shur1> Has the exploit been published?
[01:03] don't know ...
[01:04] but it's trivial, just do cd /; chmod +x ..;
[01:06] but this 'chattr' trick has problems too since this attribute is inherited by all subdirs
[01:08] has to be taken care of by the userspace tools which create the vservers ...
[01:08] the notail flag is the wrong flag anyways ...
[01:10] ah meebey, now I remember what I wanted to tell you ...
[01:14] tell me
[01:14] the wiki https url you fixed ...
[01:14] oh, yes?
[01:14] I fixed the wiki ...
[01:14] hehe ok :)
[01:14] good to know
[01:14] well, actually I broke it in the first place ;)
[01:15] hehe
[01:20] suhcoolbro (~Suh@216-161-89-245.ptld.qwest.net) joined #vserver.
[01:20] hi suhcoolbro!
[01:20] serving (~serving@213.186.188.205) joined #vserver.
[01:24] Bertl: how can I subscribe to the mailing list?
[01:26] there should be a form on list.linux-vserver.org
[01:39] ok, release candidate for util-vserver 0.29 has been uploaded to http://www-user.tu-chemnitz.de/~ensc/util-vserver/rc
[01:39] but final 0.29 will not happen before next week
[01:40] okay, we will test it ;)
[01:40] what is new in that release?
[01:41] the 'chattr -t' at vserver build
[01:41] (although I do not know how many people are using this in the stable tools)
[01:42] ah okay, good thinking ...
[01:49] what is a chattr?
[01:50] a command to change the attributes (flags) of a file or directory
[01:51] WSU (~Josh@ny.webpipe.net) joined #vserver.
[01:51] hi WSU!
[01:52] Hi Bert
[01:52] so what is the security hole in chmod?
[01:52] How critical is it?
[01:53] well, vserver root can leave the chroot() jail, nothing more, nothing less
[01:55] as far as "vserver root" goes, what are we talking about?
[01:56] root inside a vserver
[01:56] afk ::phone::
[02:14] How difficult is the exploit?
[02:14] is there any example of it?
[02:14] cd /; chmod +x ..
[02:14] ok
[02:15] um
[02:15] wow
[02:15] well, you need a chroot() exploit then, but basically that is it ;)
[02:15] ::starts preparing for kernel upgrade::
[02:17] good night everybody!
[02:17] night!
[02:29] suhcoolbro (~Suh@216-161-89-245.ptld.qwest.net) left irc: Quit: NO CARRIER
[02:56] frz (~frz@213.235.213.90) joined #vserver.
[02:56] hi frz!
[02:57] hi Bertl
[02:57] how are you
[02:57] fine, thanks .. how are you?
[02:57] ;) thx
[02:57] have seen 1.2.26
[02:57] ;)
[02:57] ah 1.26
[02:57] well luckily not .26 ;)
[02:58] ;)
[02:59] I just found out that some changing of permissions and making dirs from apt-get doesn't work, this is fixed in 1.26
[02:59] after update to 1.25
[02:59] that was the reason for 1.26 ;)
[02:59] oh fine ;))) just installed 1.25
[03:00] on 5 servers
[03:00] well, I guess most security aware folks did ;)
[03:00] but it's quick with your cool diffs
[03:01] but that would not have happened if you had told me earlier that 1.25 will break some stuff 8-)
[03:01] hey, just tried out mutella and couldn't install it on the server at Interxion ;)
[03:02] so I wondered and it didn't take much time to associate it with the chroot patch ;))
[03:02] this all only for the new stargate stuff
[03:03] terrible ;)
[03:03] hh
[03:04] all servers running with vserver failover so at kernel update no downtime of services :)
[03:04] cool!
[03:04] yes, just finished the setup this week
[03:05] this is for silverserver?
[03:05] migration of customers from redhat to debian also nearly finished, that was a lot of work to do
[03:05] and I will go on holidays for 1 or 2 months :)
[03:06] no
[03:06] only the adsl line is from sil
[03:06] it's so cheap and working well so far
[03:07] ah okay, just thought so, because you mentioned interxion ...
[03:08] it's for a company from Salzburg, their servers are at IX and I take care of them
[03:08] ic
[03:09] and I like it because of the free working style
[03:09] just teleworking
[03:13] you have friends at sil
[03:14] well, austria is small ... you get to know the people ...
[03:16] not smaller than anywhere else ;)
[03:17] I like the people from sil, they do good work
[03:17] and it's not like telekom..
[03:46] james (~james@h24-71-63-164.ok.shawcable.net) left irc: Quit: Leaving
[06:28] kestrelw (~athomas@o2rosock0a.optus.net.au) joined #vserver.
[06:40] Bertl: do you have a version of the quota patch against the stable release?
[06:40] you mean an updated one?
[06:40] yeah.
[06:40] not yet ...
[06:41] because that's the branch I'm mainly interested in. until the dev stuff goes stable.
[06:41] hmm, shouldn't take too long to update that for stable .. but you have to test it yourself ;)
[06:42] heh no problem.
[06:42] didn't finish that script the other night. was working on cleaning up my automated backup scripts.
[06:42] np
[07:18] afternoon
[07:18] how is everybody?
[07:19] fine, thanks ...
[07:20] that chroot escape was a bit scary, amazing it was present for so long
[07:20] basically forever ;)
[07:20] yeah
[07:20] is it in the mainline kernel, or specific to vserver?
[07:21] well, the chroot() stuff in the kernel has been broken since ever, and will never be fixed ...
[07:22] why not?
[07:22] Linus said chroot() is broken by definition, so no need to fix it ;)
[07:23] sounds like a linus thing
[07:23] I don't think anyone ever meant chroot to be a security tool when it was created.
[07:24] I could be wrong though.
[07:24] jack tried to fix it with the barrier, but obviously missed the chmod() ;)
[07:25] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 492 seconds
[07:28] Bertl: I've got a slightly different approach to the quota script. since ed isn't powerful enough for what I want, I'm probably going to generate a shell script into a temporary file that reads the file edquota spits out and massages it with awk or sed and rewrites it according to arguments passed to the shell script that created it. haven't done cracked-out shell scripts in a while.
[07:28] hmm, maybe a 'sed' approach would be sufficient?
[07:29] I mean sed instead of the editor
[07:29] I have to get the file output by edquota first. and the only way I know to do that is to be invoked as an editor by edquota.
[07:29] once that process exits it takes that tempfile and uses it.
[07:30] yeah, what I meant was some script which 'replaces' the editor, and executes a line of sed on that temp file
[07:30] should be pretty easy to replace the second line with some default ;)
[07:30] that's basically what I'm working on.
[07:30] ah okay...
[07:31] Bertl: yes, but the device part of the line has to be correct and I think possibly the current file and inode usage as well.
[07:31] Frank00polo (~franko@4.13.67.211) joined #vserver.
[07:31] it's also possible to have more than one quota line to edit in a file.
[07:31] it is?
[07:31] unless you want something specific to inside a vserver where there's usually just one, like with /dev/hdv1
[07:32] Bertl: if you have more than one filesystem mounted with quotas turned on, yes.
[07:32] ah okay, different filesystems, right ...
[07:33] it would probably be easier to just find an app written in C that already does this. but I do like writing shell scripts to do things like this just to see if I can do it occasionally.
[07:33] would certainly be much more direct that way.
[07:33] okay, no problem with that ...
[07:33] I know at least one program does exist for doing exactly what I'm doing now.
[07:34] you could even add the missing -l option to edquota ;)
[07:34] I just don't remember the name.
[07:34] and send the patch to honza ...
[07:35] of course the advantage of the shell script is no need to recompile core utilities. even if it is ugly.
[07:35] do you know if the quota utils edit the quota files directly?
[07:36] or if they use a kernel interface to do it?
[07:36] haven't looked into it on that level.
[07:36] well, they actually do both depending on various conditions ...
[07:41] Bertl: is there any formal documentation on the linux quota system? none of the linux kernel sites I looked at had anything on it.
[07:41] hmm, well honza is the only one working on this stuff, so if it isn't on his pages, I doubt it ...
[07:42] is it similar at all to the 4.4 BSD implementation? I have the design and implementation of 4.4BSD on my bookshelf.
[07:42] hmm, yes it should be 'similar'
[08:05] hmm, well it boots, let's see if it works ;)
[08:05] Bertl: the new quota patch against 1.25 ?
[08:06] yup
[08:11] hmm, seems to work too, impressive ;)
[08:12] cool. that's basically what I was working for. getting a patch against stable. since that's what I plan on patching the distro kernel with.
[08:13] hmm, and I thought you 'just' wanted the quota fixed ;)
[08:14] well yeah I did. but in the context of the stable release.
[08:15] http://vserver.13thfloor.at/Experimental/delta-2.4.24-vs1.24-q0.12-q0.13.diff
[08:16] update to 2.4.25 will have to wait a little ...
[08:18] okay, enough for today, cu all in the evening ...
[08:19] wish you a nice wossname ...
[08:19] Nick change: Bertl -> Bertl_zZz
[08:41] mmmm, I need to upgrade my laptop to a 2.6 kernel
[09:21] Frank00polo (~franko@4.13.67.211) left irc: Quit: ChatZilla 0.9.52B [Mozilla rv:1.6/1]
[09:26] ok, I got the script finished for setting quotas on the command line if anyone is interested. http://talon.home.cosmic-cow.net/setquota.sh
[09:27] thanks, will have a look
[09:30] it saves the current EDITOR and VISUAL env, dynamically generates an awk script based on the command line arguments in /tmp, and then creates a temp shell script to be executed as a fake editor for edquota. sets the EDITOR and VISUAL env to that script, and then that script grabs its first argument, cats it through the awk script to a temp file and then overwrites the file given as its first argument, erases the temp file and exits.
[09:30] then the main script removes the temp shell and awk scripts and restores the VISUAL and EDITOR env.
[09:32] lol
[09:32] rather complicated
[09:33] the end effect of course is to edit the temp file edquota gives to the editor it launches and at the same time not step on the toes of other invocations of setquota.sh that might also be running at the same time.
[09:34] I could probably do it much cleaner in perl.
[09:34] but I haven't played with bourne shell and awk in a while so it was a nice challenge.
[09:36] oh heh, forgot to remove some debugging code.
[09:37] there, now it won't create /tmp/before and /tmp/after
[09:40] it doesn't set the grade periods but most people never change that, at least not nearly as often/
[09:42] erm, grace periods I mean.
[09:50] bailing wire and duct tape solution for sure.
[09:52] does your linux distro have mktemp(1) ?
[11:19] Action: talon looks at the quotactl man page and tries to make a C version.
[11:33] Action: talon looks at the redhat manpage and then the slackware manpage and finds the redhat manpage a horrible mess in comparison.
[12:21] Action: talon gives up and sticks with the shell script.
[12:25] tom_ (~tom@pc-3741.ethz.ch) joined #vserver.
[12:25] Nick change: tom_ -> tom9
[14:21] click_ (~tulling@ti511110a080-0098.bb.online.no) joined #vserver.
[14:28] click (click@gonnamakeyou.com) left irc: Ping timeout: 492 seconds
[14:35] click_ (~tulling@ti511110a080-0098.bb.online.no) left irc: Quit: ( www.nnscript.de :: NoNameScript 3.79 :: www.XLhost.de )
[14:35] click (~tulling@ti511110a080-0098.bb.online.no) joined #vserver.
[14:35] click (~tulling@ti511110a080-0098.bb.online.no) left irc: Client Quit
[14:47] chrism (~chris@82-32-130-79.cable.ubr05.hawk.blueyonder.co.uk) joined #vserver.
[14:48] anyone alive?
[15:02] alive but rather absent
[15:10] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) left irc: Ping timeout: 492 seconds
[15:48] http://talon.home.cosmic-cow.net/setquota.sh think this is documented well enough?
[15:51] hm
[15:51] can't quotatools do this?
[15:51] (yes, it looks well documented)
[15:52] not my version of edquota.
[15:52] found it an interesting challenge.
[15:53] quotatool - tool to edit disk quotas from the command line
[15:53] ahh, not installed on my distro.
[15:53] I just have the quotatools package.
[15:54] I really just did it for fun. and because I was talking about doing it from the command line with bertl before I knew about quotatool.
[15:54] I mean, cool if you build your own stuff for fun and educational experiences
[15:54] Shade (shade@cpe109.bb101.cablesurf.de) joined #vserver.
[15:54] Nick change: Shade -> Sh[a]de
[15:55] it is just that I have allergic reactions when people reinvent the wheel :)
[15:55] hi everybody
[15:55] hi Sh[a]de
[15:55] it really should be part of the quotatools package though.
[15:55] non-interactive quota editing that is. instead of needing either a shell script or an extra quotatool command.
[15:56] true
[15:56] preferably a few extra options to edquota.
[15:56] I have a short and maybe offtopic question... but you are my last hope with this problem :/
[15:57] fun, my quota package has a 'setquota' command too
[15:57] Sh[a]de: bring it on
[15:57] heh, so does mine... don't know how I missed it.
[15:57] anyone know how to realize the following thing:
[15:58] heh, was a fun script to write though.
[15:58] :P
[15:58] emulating an editor with an awk script is creative
[15:59] I have a wireless lan and some surfers who want to surf the internet over it... so we have an intranet page with a password field... the surfer must enter the correkt password to surf the web; if he doesn't do this, the only webpage is the intranet site which invites him to enter the password...
[15:59] -k+c
[15:59] if the password is entered the surfer can open any site...
[16:00] can I realize this with iptables?
[16:00] or any gatekeepers?
[16:01] maybe this can be done with squid
[16:01] hmm yes, squid is installed too, for filtering with squidguard
[16:01] but I didn't find anything like this :/
[16:02] maybe delegated does it?
[16:03] hmmm
[16:03] I don't know an out of the box solution
[16:04] k
[16:04] I'll search for a squid solution
[16:04] :) thanks
[16:04] excuse the disturbance :)
[16:05] mids: it really was just an attempt to relieve boredom. and to see if it would actually work. I don't get to do nearly as much shell scripting as I used to. looks like something I could take to solaris though, where I don't see a non-interactive quota command. but I could probably use the quotactl interface in C instead, much more cleanly.
[16:05] hmm
[16:05] ok, Reverend mids did take your confession, do ten hail marias and your sin will be forgien
[16:06] forgiven
[16:06] could I get a login to try the PHP vserver control console?
[16:06] please ;)
[16:06] a login to try or a login that works?
[16:06] I can give you some to try :)
[16:06] chrism: yes, one sec
[16:07] thanks :)
[16:25] has anyone started open source work to develop a user-friendly (modular) customer interface for vserver?
[16:25] like webmin, but with more control for the service provider
[16:58] chrism: not exactly open source completely. but I am working on a distribution based around vserver that has an interface similar to the cobalt.
[16:59] nowhere near finished with it yet though. it's meant to be bundled with 1U rackmounts.
[17:09] I do plan to base all configuration off of a documented perl library though, that all interfaces tie into: command line, menu and web interfaces.
[17:11] aha.
[17:11] cool
[17:12] still wrapping my head around vserver and documenting how things work though. I also plan to make the config libs portable enough to make them work on Solaris 10 zones when Solaris 10 FCS comes out.
[17:15] bbl
[17:15] chrism (~chris@82-32-130-79.cable.ubr05.hawk.blueyonder.co.uk) left irc: Quit: ..(cyp): [BX] Homer Simpson uses BitchX. D'OH! D'OH! D'OH!
[17:25] Action: talon hrms and checks if they made it into the early access beta yet.
[17:28] AHTOH (~Anton@212.1.230.115) left irc: Quit: Client exiting
[17:38] Doener_zZz (~doener@pD9E121EE.dip.t-dialin.net) left irc: Ping timeout: 492 seconds
[17:43] Doener_zZz (~doener@pD9E12687.dip.t-dialin.net) joined #vserver.
[17:44] hrm, guess not.
[17:49] Nick change: Doener_zZz -> Doener
[18:33] Nick change: Bertl_zZz -> Bertl
[18:34] hello everyone!
[18:41] tom9 (~tom@pc-3741.ethz.ch) got netsplit.
[18:41] [HvD] (~guess@62.99.252.14) got netsplit.
[18:41] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) joined #vserver.
[18:41] must.. test.. must.. test..
[18:41] Action: kloo looks to Bertl for fresh code.
[18:41] hehe!
[18:42] hmm, what would you want to test ... let's see, maybe the userspace reboot helper?
[18:42] ... hmm no ...
[18:42] hmmm, maybe the XFS iunlink flags?
[18:43] ... hmm np ---
[18:43] or would you prefer some network related stuff?
[18:45] hi Bertl!
[18:45] how about something to do with multi-homing? :)
[18:45] Action: kloo salivates.
[18:45] tom9 (~tom@pc-3741.ethz.ch) returned to #vserver.
[18:45] [HvD] (~guess@62.99.252.14) returned to #vserver.
[18:45] oh, I actually have a question about the extended attributes.
[18:46] yup?
[18:47] root_ (~root@jap.globe.cz) joined #vserver.
[18:48] on the mailing list something suggested that the current barrier only works for ext[23].
[18:48] in the patch I saw nothing that specific though.
[18:48] does it work on any filesystem that supports the extended attributes (chattr)?
[18:48] Action: kloo has a few bits on reiserfs.
[18:48] s/something/somebody/ (no disrespect, mere neural malfunction)
[18:48] Nick change: root_ -> jap
[18:48] hi jap!
[18:48] okidoki.
[18:48] kloo: thing is, the latest version uses the iunlink flag
[18:49] this flag isn't part of 'normal' xattr, so it works on all fs we have 'patched'
[18:49] as xfs wasn't present in 2.4.24 (without additional patches) there is no iunlink support for that yet ...
[18:50] which is overloaded on the 'no tail merge' flag, right?
[18:50] yeah, guess jap is here to change that ;)
[18:51] isn't the barrier use of the flag orthogonal to its iunlink semantics?
[18:52] well, yes, but 2.4 filesystems do not support tailmerge per se ...
[18:52] right.
[18:52] hi all!
[18:52] where tailmerge is supported, it is co-opted for iunlink, added otherwise.
[18:53] hi jap.
[18:53] I'm waiting for herbert - he said that he should have a testing security patch which can be used with xfs..
[18:53] not sure he will come
[18:53] the last 1.26 security fix is working only on ext2/ext3..
[18:53] he wrote to me that he should come after 18:00 CET
[18:54] hmm, maybe he changed his mind?
[18:56] you use xfs, are you happy with that choice?
[18:57] yes, we are testing this filesystem further and I think it works well
[18:58] ( imminent filesystem war^W discussion? :) )
[18:58] sorry, I will be out for some time for dinner..
[18:58] okay, np, cu later
[18:58] okay, kloo, what I did is the following:
[18:59] I ripped out the src calculation part and now use it in the bound and unbound case ...
[19:00] I'm not sure that this won't break the udp stuff, but it's worth a try, and if it works, it would simplify the whole thing ...
[19:00] miller7 (none@213.239.180.106) joined #vserver.
[19:00] hello
[19:00] hi miller7!
[19:00] hey bert
[19:01] by 'ripped out' you mean you abstracted it?
[19:01] http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc1-vs1.3.6.4.diff
[19:01] yup, replaced it with some 'improved' function ...
[19:01] bert, any idea what this is? :
[19:02] Starting system logger: /etc/rc3.d/S12syslog: /dev/null: Permission denied
[19:02] dup2: Bad file descriptor
[19:02] [FAILED]
[19:02] and the vserver does not start
[19:02] it'll be my first use of the experimental branch.
[19:02] does this ring any bells?
[19:02] miller7: using quota patches?
[19:02] I'll do my best to break it, Bertl. :)
[19:02] yes
[19:02] using static context ids?
[19:02] but I don't have quota on for this vserver
[19:02] no
[19:02] not at this moment
[19:03] using tagxid?
[19:03] I have no idea
[19:03] okay, which patch version?
[19:03] patch-2.4.24-vs1.24-q0.12.diff
[19:03] patch-2.4.24-vs1.24.diff
[19:03] patch-q0.12-hang-fix.diff
[19:04] hmm, okay, my first guess would be that this /dev/null inside that vserver belongs to another context ...
[19:04] :(
[19:04] how can I check that?
[19:04] that isn't or shouldn't be possible without the tagxid or tagctx option
[19:04] /dev/hda4 /vservers ext3 tagctx,noatime 0 1
[19:04] aha
[19:05] okay, you _are_ using tagxid so you have context file tagging on
[19:05] ok
[19:05] which means that you must not use dynamic contexts
[19:05] ok
[19:05] can I assign a static context now?
[19:05] fixing that now is pretty easy
[19:05] ok
[19:05] first assign the static context id in the .conf
[19:06] S_CONTEXT=
[19:06] this one?
[19:06] yes
[19:06] done
[19:06] each vserver must have a different context id ...
[19:06] sure
[19:07] okay, now you have to change the files back to context 0
[19:07] do you use enricos tools?
[19:07] yes
[19:07] util-vserver-0.28.tar.bz2
[19:07] okay, try lsxid (don't know if it exists there)
[19:07] nope
[19:08] Bertl: I found that the setquota command does what you want for setting quotas from the command line. however, you might find the shell script I wrote before I found out about setquota amusing nonetheless, at http://talon.home.cosmic-cow.net/setquota.sh
[19:08] miller7: okay, second ... (I'm using the alpha branch)
[19:08] ok
[19:09] talon: hey great, that could win a programming contest ;)
[19:10] for what, the most complicated pointless reinvention of the wheel award? actually I do have a use for it under solaris, which doesn't have a command line tool for that yet. (but I might as well write a tool in C using the ioctl interface)
[19:10] was still fun to write.
[19:11] I guess so ...
[19:12] miller7: either you get enricos alpha tools or you patch the e2fsprogs with that patch: http://vserver.13thfloor.at/Experimental/patch-e2fsprogs-1.34-cti0.01.diff.bz2
[19:13] just figured you would find the script an interesting approach.
[19:13] both should give you a tool called lsctx or lsxid
[19:13] I'd prefer to use the alpha tools for now
[19:13] talon: and it's documented ...
[19:13] I can always delete them later and get back to the normal ones, right?
[19:13] Bertl: I try to document everything I write. esp shell scripts since they can get unreadable fast.
[19:14] miller7: guess so
[19:14] talon: my shell scripts usually contain one line prefixed with a '#'
[19:16] I just wish I had seen setquota before. but it wasn't in the SEE ALSO section of the edquota page. and I didn't bother using man -k
[19:17] well, guess I'm guilty too, as I didn't know of it either ...
[19:18] ok bert
[19:18] lsxid tool is compiled
[19:18] I get a 49157 ctx in /vservers/XXX/tmp
[19:18] the rest are 0
[19:18] good
[19:18] has to be one of the more complicated scripts I ever wrote. I've used a similar method for automating fdisk in OS install scripts.
[19:18] it does support the recursive flag, iirc
[19:19] in some I get an !!ERR!!
[19:19] yes it does
[19:19] that's okay, just ignore that error
[19:19] ok
[19:19] Bertl, has there been any (more) discussion of getting vserver configuration from LDAP?
[19:19] miller7: use the chxid utility to recursively change the entire vserver dir to xid=0
[19:20] I brought up that idea a few moons ago.
[19:20] well, to be honest, I didn't understand what you were up to?
[19:20] it'd be great when you want to dynamically assign virtual servers to pieces of hardware, with the filesystems on a SAN.
[19:20] you mean like a vserver cluster?
[19:21] a specific kind of cluster, yeah.
[19:21] hmm, okay, what was that ldap issue again?
[19:21] you can fail over vservers.
[19:21] Bertl: I just got done testing the new ctx quota patch delta you rolled for stable. works fine. thanks.
[19:21] I don't like the common granularity of failing over processes or applications.
[19:22] talon: okay, no hangs, no issues, no wrong accounting, right?
[19:22] well, there's no issue, there's just no code that I'm aware of. :)
[19:22] ah okay, that's an issue of course ;)
[19:22] I may hack on it, having just been assigned a private enterprise number by IANA - so I can publish LDAP schemas.
[19:22] ok... vserver directories/files are all 0
[19:23] you don't see the immediate utility, do you Bertl?
[19:23] miller7: good, now try to start the vserver again
[19:23] it says it's already running?
[19:23] kloo: you should talk with enrico about that, he is the master of the userspace ...
[19:23] Bertl: figuring that out now. need to figure out where a file count of 35 is coming from.
[19:24] okidoki, will do.
[19:24] should I delete the /var/run/vservers/vvv.ctx?
[19:24] miller7: okay, could be, try to stop it ...
[19:24] I try to but it does not
[19:24] ah
[19:24] wait
[19:24] it reads the static context now
[19:24] that's why
[19:24] probably, just comment it out for a second
[19:27] :(
[19:27] still the same
[19:27] Bertl: hmm, inode accounting is a bit fishy; trying to isolate the cases that cause it and see if they are fixed in the 2.4.25-rc1 patched kernel.
[19:28] miller7: it might be that the stable release is not able to change the device nodes ...
[19:28] try to remove and recreate the /dev/null in that server
[19:28] (from the host context)
[19:28] talon: keep in mind that directories are inodes too ...
[19:29] working now :)
[19:29] bert you're the coolest
[19:29] I hope nothing happens to you or enrico cause noone else will know how to fix such things :D
[19:29] root@taltest2:~# find / -user talon -print
[19:29] find: /proc/1/fd: Permission denied
[19:29] find: /proc/758/fd/4: No such file or directory
[19:29] root@taltest2:~# find / -user talon -print
[19:29] find: /proc/1/fd: Permission denied
[19:29] find: /proc/758/fd/4: No such file or directory
[19:29] grr, forgot about / in irc clients.
[19:30] miller7: ah, don't worry, nobody is unreplaceable ...
[19:30] or is this in-replaceable or non-replaceable?
[19:30] true... nowadays it's been replaced by "apache"
[19:31] root@taltest2:~# find / -user talon -print
[19:31] find: /proc/1/fd: Permission denied
[19:31] find: /proc/758/fd/4: No such file or directory
[19:31] home/talon
[19:31] home/talon/.screenrc
[19:31] home/talon/.bash_history
[19:31] Disk quotas for user talon (uid 1000):
[19:31] Filesystem blocks quota limit grace files quota limit grace
[19:31] /dev/hdv1 20 0 0 4 13 13
[19:32] where is files 4 coming from ?
[19:32] home, talon, .*
[19:32] or what about the journal?
[19:33] that might be accounted incorrectly ...
[19:33] but the main thing that was odd was when I deleted my copy of /usr/share and it said 37 files
[19:33] when there was clearly much less than that.
[19:33] running quotacheck returned it to 4
[19:34] hmm, okay, that sounds like a bug then ...
[19:34] just wondering if it saying 4 files might be odd too.
[19:34] but depends on how you check
[19:34] maybe there's something being duplicated.
[19:34] first you should check with quota, not repquota
[19:35] because quota uses the 'in kernel' version in any case
[19:35] I am using the quota command, not repquota.
[19:35] then you should do a sync
[19:35] because it might be that the fsop was delayed ...
[19:36] don't do a quotacheck, as it 'scans' the disk and replaces the in kernel values ....
[19:36] you would only hide bugs with that ;)
[19:36] hmm, odd. I just copied /usr/share to my homedir until the inode limit stopped it. did a rm -r on the copied folder.
[19:36] bbl, off to try and break Bertl's code, hoping I can't. :)
[19:36] and now quota says I don't have any inodes or files.
[19:37] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) left irc: Quit: Client exiting
[19:37] even though I still have dotfiles.
[19:37] could be, if they do not belong to that context ...
[19:37] Action: talon tries an lsctx
[19:38] I remember recursively setting the context of everything in the vserver some time ago.
[19:38] it's also a little tricky to get the stuff right, because the quotacheck doesn't set the quota according to the xids
[19:39] Bertl: before I go any further I'm going to see if the 2.4.25-rc1 kernel does this.
[19:39] since there were quota improvements.
[19:39] unless you want to continue with 2.4.24
[19:40] well, the best way to test the quota accuracy would be to use the xid=0 hash only ...
[19:40] (not changing into any context)
[19:40] I will try that as well.
[19:41] might as well try that with the current kernel.
[19:48] looks normal with just ctx0.
[19:48] okay, next step is to change all files (and dirs) into a context, then change into that context
[19:49] and run quotacheck on the filesystem
[19:49] then do not use chctx anymore and test ...
[19:49] now when you said ctx 0 you meant using a user in ctx 0 with a homedir on the fs with quotas enabled, right ?
[19:50] hmm, yes, with a quota hash for xid=0
[19:51] yes.
[19:51] setting everything to ctx0.
[19:53] should I reboot afterwards or just run quotacheck from the state it's in now ?
[19:53] if you want to make sure (and have another test ;) turn quota off, remove the hashes, and unmount that filesystem
[19:53] then remount, hashes, quota on again
[19:57] ok, ran quotacheck after removing the hash, turning off quotas and unmounting, remounting and adding the hash for ctx0.
[19:57] once I enable quotas, what next?
[19:58] hmm, well, you did test from xid=0, but not from xid!=0 yet, right?
[19:58] right.
[19:58] how does that work with all files set to ctx0
[19:59] seems to be working as expected in ctx0.
[19:59] okay, the best thing to test xid!=0 would be to move everything into xid=100 for example
[19:59] then make sure that the xid=0 hash is removed, add a xid=100 hash
[20:00] file count seems to be right, with the user's home dir counting as 1 inode and the two dotfiles counting as the other two.
[20:00] that's in the xid0 test.
[20:00] I'm going to disable quotas in xid0 while testing xid!=0
[20:00] and remove the hash. that's how I started.
[20:01] and that's what seemed to cause strangeness last time around.
[20:02] and run quotacheck, which now should work like xid=0
[20:03] oops, that was quite a delay ...
[20:04] haven't started the new ctx yet. was switching file contexts.
[20:04] quotacheck and quotaon are run automatically on vserver start.
[20:05] as part of the rc scripts.
[20:06] hmm, files are still 4 for talon.
[20:06] even though there should be nothing in the vservers dir with that uid.
[20:07] aside from the 2 dotfiles.
[20:07] and his homedir.
[20:07] which at least makes three
[20:07] well, anyway, that is something set by quotacheck, so no influence on that ...
[20:09] hmmm
[20:09] oh my....
[20:10] I just bypassed inode file limits.
[20:10] hmm, how so?
[20:10] I got a warning that the write failed for at least one file during a recursive copy of /usr/share to my homedir.
[20:10] but it kept copying.
[20:10] noel_ (~noel@pD952C66D.dip.t-dialin.net) joined #vserver.
[20:10] I have the whole /usr/share in my homedir.
[20:10] talon: sure?
[20:10] and much much more than the 13 inode hard limit set.
[20:11] hi noel_!
[20:12] talon@taltest2:~$ find /home/talon -type f | wc -l
[20:12] 6226
[20:12] Disk quotas for user talon (uid 1000):
[20:12] Filesystem blocks quota limit grace files quota limit grace
[20:12] /dev/hdv1 628 0 0 13* 13 13
[20:12] hmm, they are not 0 in size, by any chance?
[20:14] talon@taltest2:~$ find /home/talon -size 0b | wc -l
[20:14] 6
[20:14] i don't think the block count is quite right either.
[20:15] hmm ..
[20:15] let me see what happens when i enable quotas in ctx0.
[20:15] it will either magically start working again or have no effect.
[20:16] both won't help a bit :(
[20:18] noel- (~noel@pD9FFA44F.dip.t-dialin.net) left irc: Ping timeout: 504 seconds
[20:18] after restarting vserver and the quotacheck has the actual values, here's what i really managed to put in my dir despite limits. and a warning that i had been stopped..
[20:18] root@taltest2:/# quota -u talon
[20:18] Disk quotas for user talon (uid 1000):
[20:18] Filesystem blocks quota limit grace files quota limit grace
[20:18] /dev/hdv1 77508 0 0 8095* 13 13
[20:18] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) joined #vserver.
[20:18] UDP seems to work properly now Bertl.
[20:19] and nothing else is broken?
[20:19] also this box feels a lot faster with 2.4.25-rc1, scary.
[20:19] not as far as i have been able to tell.
[20:19] could you test two things for me?
[20:19] i'll keep running it on this desktop.
[20:19] sure.
[20:19] hmm you're right, does nothing.
[20:20] i remove all files and i get this bogus count.
[20:20] kloo: a) check the slabinfo before and after some connections/packets
[20:20] Disk quotas for user talon (uid 1000):
[20:20] Filesystem blocks quota limit grace files quota limit grace
[20:20] /dev/hdv1 1852 0 0 1420* 13 13
[20:20] talon@taltest2:~$
[20:20] even after sync
[20:20] kloo: b) verify that in/outbound tcp and udp is working as expected
[20:20] this is with ctx0 added and quotas enabled on ctx 0 as well for extra measure.
[20:21] hmm ok. this time the limits do kick in.
[20:21] should i be looking for something in the slabinfo, or do you want to see the figures?
[20:21] can't recopy after i remove them.
[20:21] probably because of the bogus file count the kernel thinks i have.
[20:21] but if i start with a low file count i can cause this to be bypassed somehow altogether.
[20:21] probably as a result of odd inode/block accounting.
[20:22] kloo: look for 'packet' size slabs if we leak something ...
[20:22] talon: I'm trying to reproduce this .. just a second
[20:22] definitely have to see what the 25-rc1 kernel does now.
[20:22] yeah check that
[20:23] going to have to pass out soon though. haven't been to sleep since way before you went to bed last.
[20:23] hmm, okay ...
[20:24] going to try the rc1 kernel out first though.
[20:24] could just be the old quota code.
[20:25] I doubt it, but might be ...
[20:26] blah forgot about the vproc stuff.
[20:28] i'll report back in due course Bertl.
[20:28] ok
[20:30] ugh
[20:30] same behavior.
[20:31] talon@taltest2:~$ cp -r /usr/share .
[20:31] sd(8,17): write failed, user file limit reached.
[20:31] talon@taltest2:~$ find /home/talon -type f | wc -l
[20:31] 6222
[20:31] the cp -r command continues after the warning for some time.
[20:31] and then returns to the shell prompt.
[20:32] and inode limits are blissfully ignored.
[20:32] using just touch though i think it fails.
[20:33] you think bind mounts might confuse the quota system in any way?
[20:33] might be, but unlikely ...
[20:33] /usr/share is bind mounted to another dir on the /vservers fs
[20:33] could you test with vanilla 2.4.25-rc1 ?
[20:34] no vserver patches?
[20:34] well, vserver if you like, but not required ...
[20:34] should probably work as i'd expect quotas to. but i can try.
[20:34] just to make sure ...
[20:34] i only see oddities when i'm using ctx !=0
[20:35] but ok.
[20:35] have to compile a new vanilla kernel.
[20:35] hmm, so xid=0 does the limit correctly?
[20:35] yeah let me test again to make sure i wasn't seeing things.
[20:36] okay, have to get something to eat, back in 15-20 minutes
[20:37] Nick change: Bertl -> Bertl_oO
[20:39] jap (~root@jap.globe.cz) left irc: Quit: leaving
[20:40] root_ (~root@jap.globe.cz) joined #vserver.
[20:40] Nick change: root_ -> jap
[20:42] yeah seems to work like it should in ctx0
[20:43] Action: talon sets a vanilla rc1 building just in case.
[20:52] hmm. is it possible for the inode accounting to get so screwed up that it goes out of bounds (like having a negative inode count?
[20:56] sorry i had to bring up such a tricky problem.
[20:56] just when i think it's safe to go back to userland stuff the kernel pulls me back in.
[21:00] Nick change: Bertl_oO -> Bertl
[21:02] talon: the block accounting in xid!=0 works as expected?
[21:03] Bertl: no that doesn't seem to work right either, at least once the inode accounting goes haywire. but i could check that a bit more methodically too.
[21:04] but after i manage to get the whole directory copied despite limits the block count doesn't get updated properly.
[21:04] and when removing all the files it doesn't go down.
[21:04] does it work properly if you do not cross the limits?
[21:04] will have to try that.
[21:05] okay, will start splitting up the code soon, and verify that systematically ..
[21:06] probably would be a good idea to make some scripts to try different combinations.
[21:06] would probably save a lot of time.
[21:06] would be great ...
[21:10] anyone here using these images? http://www.jvds.com/vserver/
[21:10] don't know if this will provide any insight or not. but
[21:10] root@taltest2:/# quota -u talon
[21:10] Disk quotas for user talon (uid 1000):
[21:10] Filesystem blocks quota limit grace files quota limit grace
[21:10] /dev/hdv1 77508 0 0 8093* 13 13
[21:11] root@taltest2:/# find /home/talon -type f | wc -l
[21:11] 6224
[21:11] root@taltest2:/# find /home/talon -type d | wc -l
[21:11] 453
[21:11] i don't think the files add up.
[21:15] anyway testing with everything clean for blocks now.
[21:15] or i thought i was...
[21:16] it hung turning off quotas shutting down the vserver
[21:17] guess it doesn't like shutting down quotas with things highly out of whack.
[21:18] hmm ...
[21:18] trying from a reboot.
[21:18] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) left irc: Read error: No route to host
[21:19] probably wishing i never tried quotas about now i bet :)
[21:22] pRiV (dbox3@81.92.166.46) left irc: Ping timeout: 492 seconds
[21:23] talon: well, that is one way to handle problems, don't do anything, don't touch anything ;)
[21:24] not exactly a good way to do anything. but certainly saves countless hours of bug hunting.
[21:24] i'd rather find something like this than not.
[21:25] i just seem to be cursed with finding things like this though....
[21:25] that is a gift, not a curse ;)
[21:26] jap: seems I have something which is working with xfs, now it's your turn, testing it ;)
[21:28] Bertl: what's the best way to calculate the number of 1k blocks used in a directory? i don't use the du command often.
[21:28] i have a suspicion that my block count is wrong.
[21:28] hmm, du -skx
[21:29] should give kilobytes
[21:29] Bertl: for all files in a directory ?
[21:29] hmm, -c could be useful too
[21:29] in that case i get 16 and quota says i'm using 20.
[21:30] 16 /home/talon
[21:30] 16 total
[21:32] okay, just a weird idea, could you test with ext2 instead of ext3?
[21:32] ok i copied an 8 block file.
[21:32] and i got the block count raised to 32
[21:32] from 20
[21:32] should have been 28
[21:33] hmm, funny, let me check that here ...
[21:33] hello, i'm back
[21:33] okay, what 'patches' are you using?
[21:34] now i try to compile 2.4.25-rc1 with patch patch-2.4.25-pre7-vs1.3.6.diff
[21:34] okay, you can get a newer one for 2.4.25-rc1 ;)
[21:34] patch-2.4.25-rc1.bz2 patch-2.4.25-rc1-vs1.3.6.3.diff patch-2.4.25-rc1-vs1.3.6.3-q0.13pre3.diff
[21:35] but i have now another problem - i downgraded (need vserver) from 2.6.1 to 2.4.x and my kernel now panics after any call to modprobe :-(
[21:35] where can i get these patches?
[21:35] please explain your current setup? 2.6?
[21:36] 2.4 and 2.6 modutils are different ...
[21:36] i used 2.4.21 before, then upgraded to 2.6.1 - all worked fine - but now i need to use vserver, and for 2.6.x i think it isn't really available
[21:36] i installed module-init-tools before the upgrade to 2.6
[21:37] well, there is some experimental stuff for 2.6, but I guess you do not want to use that
[21:37] do you mean that i should remove module-init-tools and install modutils back?
[21:37] i read that it's very experimental..
[21:37] you know the post-halloween docs?
[21:37] no, should i know?
[21:38] they describe the changes between 2.4 and 2.6 and how to migrate
[21:38] http://armin.emx.at/kernel_2.6/kernel_2.6_howto.html
[21:38] Bertl: i know nothing about the quota system. but it "feels" like certain things are being counted more than once. and possibly getting corrupted someplace.
[21:39] does this happen with ext2 too?
[21:40] the fs i'm using quotas on is ext2
[21:40] i read some other docs about migration, but now i'm migrating back - from 2.4.x to 2.6.x it was ok, but going back is a problem
[21:40] the root fs is ext3
[21:40] or am i getting tangled with the other conversation?
[21:40] interesting is that i have done the same downgrade on another server w/o any problems..
[21:40] jap: http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc1-vs1.25.diff
[21:41] ok, i'll try this patch
[21:41] http://vserver.13thfloor.at/Experimental/delta-2.4.25-rc1-vs1.25-xfs.diff
[21:41] that should add xfs support for the flags ...
[21:45] Bertl: i think this is a delta patch against the 1.25 patch, but i don't see anywhere a base vserver patch for 2.4.25-rc1 - or should i use the patch for 2.4.24?
[21:46] http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc1-vs1.25.diff
[21:46] Bertl: sorry, i found it a couple of seconds before. tnx
[21:46] np
[21:50] Action: talon is probably going to have dreams about playing with quotas again tonight....
[21:51] at least it's not as bad as the one where i'm trapped in an NT 4 GUI and can't get out.
[21:51] well, dream well, I'll analyze it in the meantime ...
[21:51] haven't had that one since i stopped having to admin windows.
[21:52] i hope i've given you enough to go on.
[21:52] guess you did ...
[21:52] nevertheless it would be a great idea to add automated quota testing, maybe a project for the future ...
[21:53] yeah. if you can come up with some scripts for testing things or at least some general descriptions of stress tests, i could probably roll them into a perl or bourne shell script.
[21:54] would save a lot of typing.
[21:54] I'll think about it, while I verify that quota code ...
[21:54] will take some notes, what seems critical ...
[21:54] guess this would be useful for STP, and kernel in general
[21:55] cool. will pass out now. no idea how long i will sleep. i hope the test script will be as fun to write as the redundant setquota.sh script.
[21:55] Bertl: kernel patched, compiling..
[21:55] ok
[21:57] Bertl: what did you think of the general style of the setquota script?
[21:58] very structured and well documented ...
[22:06] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) joined #vserver.
[22:06] Bertl?
[22:06] yup?
[22:07] i found a difference in behaviour with your experimental patch, but i have to finish a telephone conversation first. :)
[22:07] there.
[22:07] with TCP to localhost, the source address used to be localhost.
[22:07] with the experimental patch, the source address is instead the vserver's primary address.
[22:08] .. as is the destination, because localhost as a destination is replaced.
[22:08] that might be ... a feature?
[22:09] it's not a feature when you inadvertently change TCP behaviour with a UDP fix, is it? :)
[22:09] as I said, it isn't udp only, it's source address calculation ...
[22:09] certainly.
[22:09] does this result in any issues?
[22:09] but you did not mean to change behaviour in the localhost case.
[22:09] yes.
[22:10] let's hear .. and yes it was intentional
[22:10] sometimes the localhost source address is used for authentication purposes.
[22:10] it broke my MTA.
[22:10] well, lo isn't part of a vserver, so localhost isn't that useful, right?
[22:10] now this can be worked around by changing the configuration, however default configurations and HOWTOs and so on will no longer work.
[22:11] why did you change this behaviour when abstracting the source address selection?
[22:11] it wasn't broken, it only wasn't applied (correctly) to unbound sockets, right?
[22:12] well, there were different implementations for each part ...
[22:12] i think that when writing a program it is safe to assume that there is a localhost.
[22:12] each case udp connected/unconnected/tcp had its own implementation ...
[22:13] we can now change that easily, but for all cases ...
[22:13] and really i think that ideally localhost would work normally in a vserver.
[22:13] so the real question is, is it better to have localhost without lo or no localhost ip at all
[22:13] this replacing of the localhost destination address is kludgy, don't you agree?
[22:14] the whole network stuff is kludgy ...
[22:14] a separate virtual interface would be much nicer ...
[22:14] i vote to have a localhost, things will break or at least be counterintuitive otherwise.
[22:14] how do you 'use' that localhost ip without lo?
[22:15] by connecting to 127.0.0.1.
[22:15] which doesn't exist, right?
[22:15] because it doesn't currently exist, it is replaced by the vserver's primary address - the kludge.
[22:16] however, that kludge should not interfere with setting the source address to 127.0.0.1.
[22:16] the lo interface not existing is not clear-cut.
[22:16] it is not assigned to the interface, true, but packets are still routed over it.
[22:16] okay, so the src should remain localhost?
[22:16] if you send to 127.0.0.1 (which will be rewritten), the packets fly over the lo interface, you can see this with tcpdump.
[22:17] pRiV (dbox3@81.92.166.46) joined #vserver.
[22:17] yes.
[22:17] hi pRiV!
[22:17] hi. =)
[22:17] kloo: let me have a look at the source once again
[22:17] it limits the scope of the kludge, if you will.
[22:17] the kludge then is only the destination address, not also the source address.
[22:17] and this is not theoretical, as evidenced by my MTA breaking.
[22:19] hmm, if the src = 127.0.0.1, no modification will be done
[22:20] ah, but when?
[22:20] the source is INADDR_ANY.
[22:20] if src = 0
[22:20] does the src perhaps get selected after the dst has been changed?
[22:21] and if src == 0 and no source is found, and dst = 127.0.0.1, the src should be changed to 127.0.0.1 too
[22:21] but is the dst still 127.0.0.1 at that point?
[22:22] should be ...
[22:22] interested in adding some debugging info?
[22:22] sure.
[22:22] okay, I'll add something which describes the actions and decisions on the way ...
[22:23] what arch are you testing on, by the way?
[22:23] silly old IA32.
[22:24] just because I was unsure, why jack used 0x0100007f to specify the local ip
[22:24] yeah, i noticed you changed that.
[22:24] unnamed constants are icky.
[22:24] (well I'm still not sure about that, but I left it that way for now)
[22:25] Bertl: in the meantime, before compilation ends, can i ask you something? we run this version 2.4.23-xfs+vs1.22 on a nameserver. bind9 is running on multiple ip addresses within its own vserver - all seems to be ok, but we encounter that some queries to bind do not function well when the client uses another address than the "master" ip of the bind-vserver.. to avoid this situation, i must do something like iptables ... -j DNAT --to master_ip..
[22:26] here is the config of the vserver: S_HOSTNAME="bind"
[22:26] IPROOT="eth0:62.229.221.2/255.255.255.128 eth0:62.229.221.3/255.255.255.128 eth0:62.229.221.5/255.255.255.128 eth0:62.229.221.6/255.255.255.128 eth0:62.229.221.7/255.255.255.128"
[22:26] IPROOTDEV=""
[22:26] ONBOOT="yes"
[22:26] S_NICE=""
[22:26] S_FLAGS="lock nproc"
[22:26] ULIMIT="-H -u 256 -n 1024"
[22:26] S_CAPS="CAP_NET_RAW CAP_SYS_RESOURCE"
[22:27] # *NOT* DNS domain name, for NIS only
[22:27] S_DOMAINNAME=""
[22:27] and only 62.229.221.2 is working well, the other ips have problems - one example is "host -la zone"..
[22:31] hmm, strange, should not happen ...
[22:32] Bertl if i read the code right, you do replace dst with ip_info->ipv4[0] before matching a src address.
[22:32] just swapping the lines should do it.
[22:32] kloo: line?
[22:33] ah okay, I see ... yeah
[22:33] for both udp and tcp.
[22:34] okay, can't hurt, give it a try, but move the if* below the return err
[22:34] (famous last words ;)
[22:35] jap: any tcpdumps of those failing connects?
[22:35] Action: kloo nods.
[22:36] btw, i said yesterday that there logically can be no primary vserver address.
[22:37] that's not true, this localhost destination rewriting needs it. :)
[22:37] Bertl: i can try to catch some tcpdumps
[22:38] that would be great, sorry about that prank I played on you ... I hope you are not angry anymore ...
[22:41] Bertl: i use this idiom "primary address" as a synonym for the first defined ip in the config
[22:41] which is correct
[22:44] Bertl: tcpdump: 20:40:52.794839 jhs.panoch.net.32774 > 62.229.221.3.domain: S 1734480041:1734480041(0) win 5840 (DF)
[22:44] 20:40:52.794882 62.229.221.3.domain > jhs.panoch.net.32774: R 0:0(0) ack 1734480042 win 0 (DF)
[22:44] and client says: jhs:~# host -la globe.cz 62.229.221.3
[22:44] Trying "globe.cz"
[22:44] ;; Connection to 62.229.221.3#53(62.229.221.3) for globe.cz failed: connection refused.
[22:44] when i try 62.229.221.2 instead of .3 - all ok
[22:45] bind9 is configured okay i think, before we used vserver the configuration was the same
[22:45] 62.229.221.2,3,4,5 are nameservers?
[22:46] yes, but they are served by one running bind9
[22:47] okay, are they available outside?
[22:47] can I query them?
[22:47] yes, you can try, it's open
[22:47] listen-on {
[22:47] // localhost
[22:47] 127.0.0.1;
[22:47] // ns.globe.cz
[22:47] 62.229.221.2;
[22:47] // go.ip.cz
[22:47] 62.229.221.3;
[22:47] // ns.servery.com
[22:47] 62.229.221.5;
[22:48] // ns.dns4.net
[22:48] 62.229.221.6;
[22:48] // hermes.hosting.cz
[22:48] 62.229.221.7;
[22:48] };
[22:48] this is a bind9 config cut..
[22:48] okay,
[22:49] could you add some entry for me, just to verify that the server answered correctly?
[22:50] maybe, which entry do you need?
[22:50] 42.0.0.127.in-addr.arpa. 604800 IN PTR bertl.
[22:52] Action: kloo reboots.
[22:52] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) left irc: Quit: Client exiting
[22:55] Bertl: done, record added
[22:56] okay, answers correctly to my requests .. let's do some more checks on my side ...
[22:57] man dig
[22:57] sorry ;)
[22:57] np
[22:58] hmm, seems like it's working as expected on all ips tcp/notcp
[22:58] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) joined #vserver.
[22:59] seems alright at first glance Bertl.
[22:59] okay do some more testing, and see if that doesn't brake something else ;)
[23:00] s/brake/break/
[23:00] Action: kloo nods.
[23:00] thinking about it, i can see some minor problems though.
[23:00] jap, 62.229.221.2-62.229.221.5 seem to answer correctly on tcp and udp domain requests ...
[23:01] maybe the problem is on outgoing requests?
[23:01] (recursive)
[23:01] a daemon that has an unbound UDP socket for sending replies to whomever, also has a socket for receiving.
[23:01] if the UDP protocol were broken in the not too uncommon way of sending its own IP address, things could go bad.
[23:02] the listening socket could not use 127.0.0.1, but the outgoing packets can.
[23:02] that's a minor theoretical nit, might not ever happen.
[23:02] another issue is the lack of isolation with regards to localhost.
[23:03] any vserver can make a grab for all the ports on localhost, causing denial of service for other vservers.
[23:03] yes, right. any idea to avoid this problem?
[23:04] yes, Bertl had already solved it by breaking my MTA. ;) ;)
[23:04] i'm just starting to consider these issues jap.
[23:04] :-))
[23:06] imho it's a great issue to have a lot of vservers and in one starts sshd (without your key and pass) and you lose in principle access to the master server :-)))
[23:06] jap, how should that happen?
[23:08] no problem - you install a new vserver and sshd is installed by default. the problem is that vservers start before sshd in the master server..
[23:08] Bertl, have you considered what virtualizing the IP stack would mean?
[23:08] jap: but they have no access to a 'master' ip
[23:09] i recall it was once done on FreeBSD, though for other purposes.
[23:09] kloo: well Alex and Say did that ... not sure that this is the best approach though ...
[23:10] Action: kloo neither.
[23:10] ideally each vserver would have its own localhost at 127.0.0.1, and that breaks a fundamental property.
[23:11] but in practice i have not run into too much trouble, at least all networking semantics problems so far have been solvable in the current framework.
[23:12] jack is?/was working on a virtualized lo .. so that seems doable ...
[23:12] has he released any code i could look at?
[23:12] not that I know of ...
[23:13] i imagine it takes some iffy special-casing in the networking code path.
[23:13] hmm, might be, might also be solvable with adding xid to the interfaces ...
[23:14] interfaces and sockets.. and then what about packets?
[23:15] they are either bound to a socket, or gone ;)
[23:15] if i inject a packet with destination localhost using a tun device or a raw socket, where should it end up? :)
[23:16] if all interfaces have xids and not just lo, that's already partial stack virtualization isn't it?
[23:16] probably ...
[23:16] not sure we want that either ...
[23:16] Action: kloo smiles.
[23:16] i'm intrigued by the difficulty.
[23:17] jap: hmm, maybe I missed something about your issues, could you elaborate?
[23:36] loger joined #vserver.
[00:00] --- Sun Feb 8 2004