[00:01] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Ping timeout: 488 seconds
[00:09] talon:
[00:09] # /bin/mount --bind -o ro /mnt/part1 /mnt/part3
[00:09] # touch /mnt/part3/test/existing_file
[00:09] touch: /mnt/part3/test/existing_file: Read-only file system
[00:09] # /bin/umount /mnt/part3
[00:09] does this work for you?
[00:11] root@test1:~# cd /root
[00:11] root@test1:~# touch 1/foo
[00:11] root@test1:~# mount -oro --bind 1 2
[00:11] root@test1:~# touch 2/foo
[00:11] touch: cannot touch `2/foo': Read-only file system
[00:11] root@test1:~# umount 2
[00:11] umount: /root/2: device is busy
[00:12] Last message repeated 1 time(s).
[00:12] hmm, interesting, works with 2.4.23-bme0.03 here ...
[00:13] are part1 and part3 different filesystems ?
[00:13] mount -t ext2 -o rw /dev/discs/disc1/part1 /mnt/part1
[00:13] /mnt is on /
[00:13] ok let me try it with an ext2 fs.
[00:13] i'm just doing this on root which is ext3
[00:14] hmm, thing is I can reproduce, if I have the whole test running on that mount, so it _is_ an issue, but I would like to narrow it down somewhat ...
[00:18] root@test1:~# mkdir /mnt/part1 /mnt/part2
[00:18] root@test1:~# mount -t ext2 -orw /dev/sdb1 /mnt/part1
[00:18] root@test1:~# cd /mnt
[00:18] root@test1:/mnt# touch part1/foo
[00:18] root@test1:/mnt# mount -oro --bind /mnt/part1 /mnt/part2
[00:18] root@test1:/mnt# touch /mnt/part2/foo
[00:18] touch: cannot touch `/mnt/part2/foo': Read-only file system
[00:18] root@test1:/mnt# umount /mnt/part2
[00:18] umount: /mnt/part2: device is busy
[00:18] Last message repeated 1 time(s).
[00:18] which kernel?
[00:19] 2.4.23
[00:19] hmm, interesting ...
[00:19] i can try it again with the 2.4.23 without quotas enabled.
[00:19] you want my kernel config file ?
[00:19] what about that theory: you touched a file _before_ the bind mount was done, and it is still in inode cache?
[00:20] now you access that file/dir through the ro --bind mount ...
[00:21] sounds about right except for the case where i create dirs from scratch and do ro mount and touch a non existing file.
[00:22] i really don't know much about the kernel internals involved.
[00:23] no i guess that would touch the cache too.
[00:24] but i have mounted after a reboot those same empty dirs as well.
[00:24] and cause it to go busy.
[00:33] after reboot.
[00:33] root@test1:~# mount -t ext2 -orw /dev/sdb1 /mnt/part1
[00:33] root@test1:~# mount -oro --bind /mnt/part1 /mnt/part2
[00:33] root@test1:~# touch /mnt/part2/foo
[00:33] touch: cannot touch `/mnt/part2/foo': Read-only file system
[00:33] root@test1:~# umount /mnt/part2
[00:33] umount: /mnt/part2: device is busy
[00:33] Last message repeated 1 time(s).
[00:33] with foo being there from last time.
[00:34] erm wait a second.
[00:34] foo not being there would be better ;)
[00:36] doh... ok foo was always there. because it's the vserver's fs.
[00:36] and foo is the name of the ctx100 vserver...
[00:36] hmm a directory?
[00:36] only ext2fs i have.
[00:36] yeah.
[00:36] nothing else I test, yoda ;)
[00:37] # mount -t ext2 -o rw /dev/discs/disc1/part1 /mnt/part1
[00:37] # /bin/mount --bind -o ro /mnt/part1 /mnt/part3
[00:37] # touch /mnt/part3/test/non_existing_file
[00:37] touch: /mnt/part3/test/non_existing_file: Read-only file system
[00:37] # /bin/umount /mnt/part3
[00:37] umount: /mnt/part3: Device or resource busy
[00:38] so it happens when I touch a file through ro --bind which doesn't exist ...
[00:49] root@test1:~# mount -t ext2 -orw /dev/sdb1 /mnt/part1
[00:49] root@test1:~# mount -oro --bind /mnt/part1 /mnt/part2
[00:49] root@test1:~# touch /mnt/part2/foo/quota.txt
[00:49] touch: cannot touch `/mnt/part2/foo/quota.txt': Read-only file system
[00:49] root@test1:~# umount /mnt/part2
[00:49] umount: /mnt/part2: device is busy
[00:49] Last message repeated 1 time(s).
[00:49] root@test1:~# ls /mnt/part2/foo/quota.txt
[00:49] /mnt/part2/foo/quota.txt
[00:50] so the existing file case doesn't seem to work for me.
[01:02] WSU (~Josh@ny.webpipe.net) left irc: Quit: Leaving
[01:02] although i'm guessing you're using lvm. instead of raw partitions.
[01:03] no idea if that makes any difference.
[01:03] nope just raw partitions ;)
[01:03] naming is only because I use devfs ;)
[01:08] don't even think i have devfs support compiled in.
[01:08] that should not make any difference, the block device is the same ;)
[01:09] don't think it makes any difference either.
[01:09] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[01:09] hi Jon!
[01:09] hey Bertl
[01:18] serving (~serving@213.186.188.205) joined #vserver.
[01:20] arekm (misiek@ikar.t17.ds.pwr.wroc.pl) joined #vserver.
[01:20] arekm_ (misiek@ikar.t17.ds.pwr.wroc.pl) left irc: Read error: Connection reset by peer
[01:28] kestrel (athomas@home.swapoff.org) left irc: Quit: ircII EPIC4-1.0.1 -- Are we there yet?
[01:37] talon: hmm, want to check something?
[01:40] sure.
[01:40] _shur1 (~shushushu@vserver.electronicbox.net) left irc: Quit: changing servers
[01:40] guess I found it ;)
[01:41] starting to run out of steam though.
[01:41] Action: talon wonders how many people actually used the bme patch before.
[01:42] well, simple, they didn't ;)
[01:42] for my purpose it was sufficient, because I do not ever unmount the ro bind mounts ;)
[01:42] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[01:43] yep, seems fixed now ...
[01:43] seems like a natural thing to do after you're done with them.
[01:43] fs/namei.c 1048,3-17
[01:43] - return error;
[01:43] + goto exit;
[01:43] at least when you're using them to share vserver files.
[01:43] _shur1 (~shushushu@vserver.electronicbox.net) joined #vserver.
[01:44] first assumption about missing put() was correct ...
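Review bot: the switch from `return error;` to `goto exit;` at fs/namei.c 1048 only plugs the leak if the `exit` label actually performs the put() the discussion refers to; the fragment shows neither that label nor the function's other early returns, so confirm that the cleanup path releases the reference taken earlier and that no sibling `return error;` in the same function still bypasses it, since that is exactly the path that leaves the bind mount busy at umount.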
[01:45] talon: guess I have to update the Hall of Fame entry soon ;)
[01:45] at the speed you find the bugs ...
[01:45] god only knows what else i will find tomorrow.
[01:46] .. vserver should be bug free in two weeks ;)
[01:46] i hope so. :)
[01:46] and I appreciate it, and I mean it ...
[01:47] so what's the count so far?
[01:47] as far as bugs.
[01:47] i count at least 3. if you count getting util-vserver compiled on sparc64
[01:47] well, three different quota bugs, one of them being a general issue
[01:48] the bme bug can't be accounted for vserver, as this is no vserver patch ...
[01:48] iirc there were 2 userspace issues you found with enrico right?
[01:48] i consider it related since that's what i use it for.
[01:49] not sure if it was 2.
[01:49] well only enrico knows, so the sparc64 is fix, because if, I add the HoF entry immediately ;)
[01:49] yeah i think there were two bits we changed.
[01:50] rob should be back tomorrow or the day after btw.
[01:50] before I forget ...
[01:50] i think he's getting on the train tonight.
[01:50] so you should have the sparc box up soon.
[01:51] well if it's only a question of 'rob coming back' then it shouldn't be any issue to consider this done, right?
[01:52] yeah shouldn't take long at all once he's here to get you access to it.
[01:52] would you like some company name associated?
[01:52] he's probably going to crash for a day though after he gets off the train.
[01:52] Bertl: Amoebasoft
[01:53] okay, you got some Amoebasoft details?
[01:53] and some sparc details too if possible?
[01:53] nothing written down at the moment. could probably get trinity to write something up to date.
[01:53] what details do you need for the sparc?
[01:54] well, you see the entry at the top of the HoF?
[01:55] it's an Ultra10 with a 440Mhz UltraSPARC IIi with 256MB of ram i think an 8 gig IDE drive. running gentoo linux.
[01:58] trinity is writing up a new description.
[01:58] ah okay ...
[01:58] Amoebasoft is a developer of advanced software and hardware
[01:58] solutions for business. Utilizing current standards and technology,
[01:58] they make ideas reality, and help companies achieve their
[01:58] pressing business goals.
[01:58] that is what I found ;)
[01:59] well that's a generic description.
[01:59] it's a bit too much market speak for my tastes.
[02:00] i was hoping maybe trinity could write something more down to earth.
[02:00] ;) whatever you prefer ...
[02:12] hmm, I guess I add update_atime() support and release a new bme ...
[02:30] hmm probably hold off until we get it online, i'm sure to have something by then.
[02:31] trinity told me he wants to come up with a different company name anyway.
[02:31] okay ... I'll make a not for now ...
[02:31] s/not/note/
[02:31] I really have to refill that 'e's
[03:00] hmm, okay that was easy, noatime and nodiratime should now work ... let's see if it compiles ;)
[03:22] looks like it is working as expected ...
[04:03] okay, I'll call it a day, cu all tomorrow ...
[04:03] Nick change: Bertl -> Bertl_zZ
[04:17] samsilvester (~sam@office1.adl.e-access.com.au) joined #vserver.
[04:24] noel- (~noel@pD9FFA4B2.dip.t-dialin.net) joined #vserver.
[04:31] noel (~noel@pD952CD82.dip.t-dialin.net) left irc: Ping timeout: 504 seconds
[05:25] loger joined #vserver.
[06:12] mmm
[06:49] Frank00polo (~franko@4.13.67.211) joined #vserver.
[07:06] Frank00polo (~franko@4.13.67.211) left irc: Quit: ChatZilla 0.9.52B [Mozilla rv:1.6/1]
[07:32] Hey can anybody tell me if I should be worried about getting unresolved symbols when I do a depmod -a? I've just recompiled 2.4.24 with vs1.25
[07:55] riel (~riel@riel.netop.oftc.net) left irc: Ping timeout: 483 seconds
[08:08] surriel (~riel@imladris.surriel.com) joined #vserver.
[09:31] samsilvester (~sam@office1.adl.e-access.com.au) left irc:
[10:13] Panter (~panter@p50902B51.dip.t-dialin.net) joined #vserver.
[10:13] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 488 seconds
[10:14] surriel (~riel@imladris.surriel.com) joined #vserver.
[10:37] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 488 seconds
[10:38] surriel (~riel@imladris.surriel.com) joined #vserver.
[10:42] Panter (~panter@p50902B51.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[10:52] Medivh (ck@62.93.217.199) got netsplit.
[10:53] Medivh (ck@62.93.217.199) returned to #vserver.
[10:56] stone (foobar@9593B59FDFCFE9EF220ACDF5A02394B4.lnx.nu) joined #vserver.
[10:56] Nick change: Bertl_zZ -> Bertl
[10:58] hi stone!
[11:02] hi there..
[11:03] Action: stone is a debian developer in "love" with vserver :)
[11:03] hmm, is it critical? ;)
[11:08] hmm.. my wife is jealous...
[11:09] sounds good 8-) debian caused some troubles in the last months, maybe you could help a little there?
[11:09] I just joined to my bnc... what's the debian problem?
[11:10] mainly non up to date versions, or special adaptations which break with newer tools/kernels .. etc
[11:11] Bertl: sarge works fine with the development and stable version for me. Woody doesn't build the development kernel/tools, only stable.
[11:11] And from what I've heard, sarge is soon to become the new stable version, so I shouldn't worry about woody too much.
[11:11] recently we discovered, that the debian 'version' of vserver got the networking stuff wrong, entirely my fault, I have to admit ;)
[11:12] The vserver package or?
[11:12] the kernel patch ...
[11:12] Ahh.
[11:12] morning by the way 8-)
[11:12] Oh well, I build my own kernel anyhow. :)
[11:12] Good morning.
[11:13] Just arrived at work after being 1 hour in traffic jams. :|
[11:13] most debian users switched to a non-debian kernel, but others had problems
[11:14] Maybe somebody should put a pre-compiled version with the .debian configs online?
[11:16] So the debian users won't have to mess with building their own kernel.
[11:22] hmm, well I don't like precompiled stuff, and I guess debian users do not like it either, but I guess it would be sufficient, if the debian packages were up to date and tested ...
[11:24] Well, theoretically it should be possible to build an entire debian machine without any compiler.
[11:25] let me put it this way, I would not install a binary only kernel on a linux machine ...
[11:25] Precompiled != binary-only.
[11:25] how would you verify a precompiled kernel?
[11:25] Take the source package and build it?
[11:26] Or just check the gpg signature.
[11:26] and then? complain about differences?
[11:26] Yeah, there shouldn't be any differences if they're built on the same.
[11:26] hah! simple change in compiler or binutils, completely different code ;)
[11:26] So you don't install any binary packages?
[11:27] well, yes I install them, after I rebuilt them ;)
[11:27] I trust gpg. :)
[11:27] in gpg we trust ;)
[11:27] I'm unwilling and incapable of reading any and every line of code that goes into my system.
[11:28] that is probably right, but the kernel?
[11:28] s/that goes into my system/of my kernel/
[11:28] :)
[11:29] And I trust the stuff that comes from linux-vserver.org and vserver.13thfloor.at. (And yes, I trust dns.)
[11:29] Since I don't have enough time for paranoia I'm willing to take my chances. :)
[11:29] kestrel (athomas@home.swapoff.org) joined #vserver.
[11:29] re
[11:30] hi kestrel!
[11:30] hey herbert :)
[11:31] brb..
[11:34] it's time for a new devel release, don't you think so?
[11:36] why the hell not
[11:41] Bertl == Herbert :) Aha!
[11:42] Then I should take the opportunity to thank the developers of Vserver for a great job.
[11:43] Vserver plus LVS is two projects I really like and use a lot..
[11:43] really, so you combine those?
[11:43] Bertl: I have tried but don't run it now..
[11:44] Bertl: I was trying to do a "poor man's" "cluster" :)
[11:44] Bertl: When I get the time I will try it again..
[11:44] I thought about that some time ago, it might have some advantages ... especially with failover vserver scenarios
[11:45] yeah
[11:45] keepalived + lvs + vserver..
[11:46] It would make life much easier with upgrades of software etc..
[11:46] something like that, I heard of some folks doing vserver failover, and thus having no downtime when updating the kernel for example ;)
[11:46] just to failover to v1 and upgrade the vserver and failover to the upgraded node with v2 and so on..
[11:46] exactly this way ...
[11:47] But you need 2 different boxes if you want to upgrade the kernel without downtime :)
[11:47] that is true
[11:48] (I have read something about someone experimenting with no-reboot-kernel-upgrade)
[11:48] well the kernel update per se isn't that complicated without reboot ...
[11:49] the processes and the kernel memory is the tough part ...
[11:50] Time for some coffee.. bbl..
[12:42] AHTOH (~Anton@212.1.230.115) joined #vserver.
[12:42] hi Anton!
[12:42] hi Bertl
[12:42] no new devel releases?
[12:43] 09:35 < Bertl> it's time for a new devel release, don't you think so?
[12:43] so I'm on it ;)
[12:44] ah good :)
[12:45] anything special you are waiting for?
[12:45] no just bugfixes, stability etc :)
[12:45] got no bug reports regarding 1.3.6 yet ;)
[12:45] maybe quota but that is less important for the moment
[12:46] i'm talking about those exploits :)
[12:46] ah, i see ...
[12:47] i'm ready to start some servers using devel vserver + stable utils
[12:48] what about....memory limits!!!
[12:48] :)
[12:48] you mean enforced RSS or what?
[12:52] YES! :)
[12:55] hmm, you have patches which handle RSS limits on 2.4.25? or are we talking about 2.6 here?
[12:56] 2.4.25
[12:56] i asked you about it the other day and you said there weren't any current patches...
[12:57] Bertl: where can I find the debian patches? I can't find them through http://www.13thfloor.at/vserver/s_release/overview/.
[12:59] http://vserver.13thfloor.at/Experimental/patch-2.4.24-1-vs1.24.1.diff
[13:02] Ok, thanks.
[13:02] np
[13:13] bertl -- is lsxid problem fixed in 1.3.6.3 version?
[13:14] hmm, please refresh my memory, what was the issue again?
[13:14] (because it sounds very quota related ;)
[13:15] gmmm i remember we started two contexts 200 and 300 and created .tmp/x and /tmp/y
[13:15] then 0 and 0 lsxids for them were only after reboot
[13:15] yeah, that was the quota stuff, that should be fixed in q0.13, which will be out soon ...
[13:15] you told me to comment out some line in kernel/inode.c and that fixed it
[13:16] exactly ...
[13:16] what changed from 3 to 4 subversion of 1.3.6
[13:16] ?
[13:16] hmm, could not be much, probably the network stuff ...
[13:17] 1.3.6 -> 1.3.7 has minimal changes ...
[13:17] but that is a good sign, as we are approaching 1.4 ;)
[13:18] :)
[13:23] it's interesting that most people want to limit the RAM for a vserver, where the I/O system is much more critical, but nobody mentioned any limitations there yet ...
[13:25] Bertl: because it's easier to sell "you have 256MB RAM" than it is to sell "you have 5MB/s disk i/o"?
[13:25] hmm, good point, but in this case, it would be a feature to sell a vserver with 2GB instead of 256MB at the same price, right?
[13:26] really needed a limitation on a vm -- i failed to make that work
[13:26] Bertl: I don't really understand what you mean?
[13:27] AHTOH: hmm, 1.3.x has vm limits, they should work as expected?!
[13:27] Bertl: and for most uses and purposes disk i/o isn't the limitation, but memory is.
[13:27] (And cpu).
[13:28] Zoiah: was a kind of bad joke ... I meant the 'missing' limitation can be seen as 'more' memory ...
[13:28] that logic means we don't need limitations
[13:28] Bertl: ahh, heheh, that confused me. :
[13:30] guess we still have problems to define a good way how to 'handle' RSS limits ...
or what the provider wan't to sell as 'RAM' for a vserver
[13:30] s/wan't/wants/
[13:39] well, speaking for myself, the absolute pinnacle would be when you type "free" it reports a limited amount of memory and a limited amount of swap
[13:39] and, of course, those limits were enforced for processes
[13:40] hmm, the fake display is easy, but how to enforce them?
[13:40] yeah, that's the question alright
[13:41] I'm not talking about a process consuming some memory vm/rss .. what about caches and shared stuff?
[13:41] yes, exactly
[13:42] if you started tracking cache usage per vserver, that would get nasty...ugh
[13:42] kestrel: hmm... imho it would be nicer to have guaranteed minimum resources available to each vserver instead of limiting the maximum resources
[13:43] and it would be kind of defeating the purpose, because if I do not allow a server to use shared caches, then you would end up with doing full partitioning like Xen ...
[13:43] well, i wasn't thinking explicitly of a maximum, more of a "this is how much you have"
[13:43] so it's a minimum and a maximum
[13:44] herbert: that would not be good
[13:44] minimum guaranteed is just bookkeeping for the admin ...
[13:44] so that under high load each vserver still has some resources left, but when there's little activity on the majority, the remaining vservers grab whatever is left
[13:45] s/grab/can grab/
[13:45] hmm.. any comments on the mail by Michael Hilscher (11:14am as of today)
[13:45] tracking shared cache usage would be difficult, i imagine..? ie. if a context touches a cached page, it "owns" it and it is taken into account for its memory quota
[13:45] i'm confused if i should update my 1.25 to 1.26 ;>
[13:46] or if there will be a 1.27 any minute anyway..
[13:46] theseer: that is a bit of a concern
[13:50] hmm, well, let us, once again verify that ...
[13:50] TheSeer: i would've answered on the list, if i'd known the exact backgrounds, but as i see it he's missing the chattr +t call and has done a chmod +t instead
[13:51] by backgrounds i mean what that chattr call does ;)
[13:51] ahh, good spotting, I should actually read the mails more carefully
[13:52] ah.. :)
[13:52] so rebooting to 1.26 with chattr +t done should be safe for a while?
[13:52] i don't like to reboot that box on a daily basis ;>
[13:52] even setting the immutable flag on the /vserver dir is safe for some while ;)
[13:53] hehe.. okay :)
[13:54] as some guy already wrote on the list, there should be a howto on what to do exactly to create a secure environment
[13:54] hopeless 8-)
[13:54] even though my setup seems to work nicely, i have hardly any clue if it is actually secure *g*
[13:54] IIRC I posted something regarding security, and it should be available on the wiki too
[13:55] TheSeer: we considered the 000 barrier secure for some years ;)
[13:55] *g*
[13:55] what about the /proc stuff?
[13:55] is it true to say that if you are using xfs, it is impossible to secure vserver?
[13:56] nope, the 1.3.7 devel release will contain xfs barrier stuff ...
[13:57] Bertl: what do you do for a living anyway? I do support a lot of OS based projects.. but i can only dream of having the time to support AND develop such a big (?) thing..
[13:57] ..while still having some time left to actually make some money at a day-job
[13:57] well, I do consulting from time to time ...
[13:58] and I do not need much for myself ...
[13:58] judging from the kernel-knowledge you must have, you prolly are a good consultant ;)
[13:58] too good, nobody needed more than 5-6 hours ;)
[13:58] hehe
[13:59] i know that problem ;)
[13:59] i should sell windows boxes
[13:59] at least they require maintenance ;)
[13:59] couldn't sell something I do not trust nor believe in ;)
[14:00] me neither.. that's the problem..
[14:00] so i keep installing linux and hardly have to touch the box again :)
[14:00] i just recently updated a RH5.2 box i basically forgot about
[14:00] it just kept working
[14:01] cd ..: Permission denied
[14:01] chmod: Operation not permitted
[14:01] Exploit seems to work. =)
[14:01] [root@XXXX /]#
[14:01] [root@XXXX /]# ls /
[14:01] okay, verified once again vs1.26 is secure (at least against that exploit)
[14:01] bad
[14:01] good
[14:01] no, good ;>
[14:01] hehe
[14:03] Doener: do you want to answer that poor guy, or shall I?
[14:03] i can do it, but i guess i can't be wrong if he is told what that chattr call is good for, and i don't know ;)
[14:04] s/guess i/guess it/
[14:04] hmm, that is easy, man chattr ;)
[14:05] it tells me that files won't share their last block with other files anymore, but that doesn't make much sense to me in that context
[14:05] to me neither actually
[14:06] you were talking about what chattr does, not what the +t is for, right?
[14:06] or is the attribute just 'borrowed' for vserver specific stuff?
[14:06] well, i actually meant that specific call in the context of the exploit
[14:06] well, it is not borrowed, it was simply abused, thanks for that go to Sam Vilain ,...
[14:07] because of compatibility reasons, we didn't change it until now ...
[14:08] 'T' looks like a better fit
[14:08] semantically, at least
[14:09] hmm, well we have a BARRIER flag and an IUNLINK flag in 1.3.7, both not visible via lsattr/chattr
[14:09] Medivh (ck@62.93.217.199) got netsplit.
[14:09] Medivh (ck@62.93.217.199) returned to #vserver.
[14:09] even better
[14:13] ok, replied...
[14:14] too late ;)
[14:14] well, it won't hurt ...
[14:15] guess so...
[14:16] sounded to me like you would prefer me to answer ...
[14:16] and to me, it sounded like you would prefer me to read the man-page and answer myself ;)
[14:18] it's no problem for me, if it isn't one for you ...
[14:18] Topic changed on #vserver by Bertl!~herbert@MAIL.13thfloor.at: http://linux-vserver.org/ || latest stable 1.26, devel 1.3.7, exp 0.06
[14:19] surely not, and reading man-pages can't be wrong anyways
[14:24] @ALL: by the way, what is your opinion regarding FreeVPS
[14:25] ?
[14:27] wait a sec', i need to refresh my memory
[14:27] i wonder if freevps has that vulnerability
[14:28] nope, should not, as they use private namespaces ...
[14:29] the feature set is nice, but its supported platform is too limiting
[14:30] although, vserver appears to be converging, feature wise
[14:31] do you have any references for freevps use of private namespaces?
[14:31] are you reading the mailing list?
[14:31] the vserver one, yes
[14:32] well, every second answer from Alexey, is 'a better solution is private namespaces, as FreeVPS does it' or 'that would not happen with private namespaces' ...
[14:34] hmmm
[14:34] the other answers are, 'we have virtualized network, that is the only solution' ;)
[14:34] heh, yeah, i've read that
[14:36] he's persistent
[14:38] i wonder what he means
[14:40] arekm (misiek@ikar.t17.ds.pwr.wroc.pl) left #vserver.
[14:42] herbert, did you decide whether to do a "simple" port of vserver to 2.6, or are you going to do a full port to all the new 2.6 features?
[14:43] yes, the decision was simple, after the replies I got on the ml ...
[14:44] cool
[14:44] there will be a 'final' 1.4 for 2.4.x, and two branches for 2.6 one, which does it the way it is done now, and the other which will favor SE and other 'new' 2.6 stuff ...
[14:45] very cool
[14:45] we'll see, probably one has a better takeup than the other ...
[14:45] but I assume both branches will coexist for a while ... well, actually the SE branch will need some time to start off first ;)
[14:46] heh, yeah
[14:47] has anybody downloaded the 1.3.7 patch yet?
[14:48] i have not
[14:48] i can try it at work on my sparc though
[14:48] the two other vservers i run are production, so...
[14:48] just locked down the download, because I discovered that the patch was incorrect ...
[14:49] or to be precise, incomplete ...
[14:51] i wonder if freevps is vulnerable to that recent kernel vulnerability...it's based on 2.4.18
[14:51] probably ...
[14:52] I think the proc security is also an issue there ...
[14:52] don't know if they fixed the stability issues ...
[14:52] mmm, yes
[14:54] i wonder if anybody has done vserver migration with shared disk of some description
[14:54] scsi, or fc
[14:54] that would be cool
[14:56] kestrel: I can't see why it wouldn't work. I have a bunch of MSA1000 stuff at work but that's all used in production. :|
[14:57] damn production, can't be used for anything, keeps everybody from testing 8-)
[14:57] okay, 1.3.7 is corrected ...
[14:58] Even though some of the stuff isn't even used, but has to be kept in stand-by permanently. :)
[14:59] yeah, it would be cool to play with it
[15:01] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 488 seconds
[15:15] okay, everything should be fine now, quota will follow this evening, I guess, now it's time for siesta ;)
[15:16] have a good snooze herbert
[15:19] hmm, not yet, another 'exploit still working'
[15:21] they're coming thick and fast
[15:55] click (click@gonnamakeyou.com) joined #vserver.
[15:56] hi click!
[15:56] damn, I never remember to add this chan and network to autorejoin
[15:56] there, added.
[15:58] re click
[15:58] heya :)
[15:58] bertl: any idea why telneting to an eggdrop inside a vserver doesn't work?
[15:59] seems to connect, but fails after some time
[15:59] hmm, try with 1.3.7 if the issue still remains, we talk about it ;)
[15:59] it's on the vserver with the huge amount of IP's
[15:59] We wish you all a very merry Christmas!
[15:59] 1.3.7?
[15:59] haha yup. old page :)
[15:59] never got around to remove it
[15:59] hm, which I should...
[16:00] click: it works for my friend's eggdrops that run in a vserver.
[16:01] bertl: new page, I should have some banner for the vserver project there as well
[16:01] zoiah: I'll just start a sniffer and see
[16:02] click: hmm, probably black on black, right?
[16:02] I can change that, no probs
[16:05] I hope everybody here has voted 10 for vserver on freshmeat.net (or at least 9?)
[16:07] 10 from my side, would have been 50 if that was an option
[16:08] good ;)
[16:08] okay, nap attack here ... need some sleep, cu later ...
[16:08] Action: kestrel goes to rate vserver
[16:09] Nick change: Bertl -> Bertl_zZ
[16:15] LOL!
[16:15] that stupid coadmin that had problems with this eggie had it on the wrong friggin port
[16:15] DOOOH!
[16:16] click: yay. :)
[16:16] I've got to say I've mixed myself into some stupid co-admins
[16:16] Who does the work? Me.
[16:17] Who comes up with solutions when they say 'it's impossible'? me
[16:28] herbert: here is the kernel live upgrade you might have been referring to: http://www.scyld.com/products/beowulf/software/monte.html
[16:29] kestrel: ever seen $ host pc.insidegamer.nl
[16:29] pc.insidegamer.nl has address 217.67.239.246
[16:29] pc.insidegamer.nl has address 80.247.198.49
[16:29] uhh.
[16:29] Wrong paste.
[16:29] Bah. :)
[16:29] kestrel: http://developer.osdl.org/rddunlap/kexec/whitepaper/kexec.html
[16:30] that's pretty cool
[16:35] talon: http://www.cs.ucsb.edu/projects/ufo/index.html <-- file system driver for solaris
[16:55] kestrel (athomas@home.swapoff.org) left irc: Quit: brb
[16:56] kestrel (athomas@home.swapoff.org) joined #vserver.
[17:18] wasn't java meant to be platform-independent?
[17:19] one app i wrote gives different results even on just two linux boxes...
[17:25] same jre version?
[17:27] Doener: bah, you won't believe the amount of trouble I have with enterprise java shit. (oracle, steeleye, etc..). That stuff is NOT platform-independent. :)
[17:27] Doener: even on the same system I have to use the exact version of the exact JRE they want otherwise it won't work...
[17:29] ACC-=OPR+(tmpC?1:0); <-- this one is causing trouble ;) ACC is 0x0ff, OPR is 0x0dd and tmpC is false, values are echoed to the console, they are correct... one box gives (correctly) 0x022, the other keeps telling me 0x0ff as the resulting value in ACC...
[17:30] i don't wanna know what's gonna happen when it comes to real applications :)
[17:42] kestrel: cool!
[17:42] i didn't know you could do that via proc.
[17:42] thought you needed to at least screw with the dynamic linker.
[17:43] gotta see if it works with a statically compiled binary.
[17:43] if it does i have some ideas on how to use that for samba mounts.
[17:43] not exactly a real filesystem module but still cool none the less.
[17:43] yeah
[17:44] Action: talon wonders if he's sober enough this morning to find more bugs.
[17:45] drunk coding eh?
[17:47] no. drunk from last night.
[17:47] recovering.
[17:48] heh
[17:49] crap.
[17:49] it's a binary only.
[17:50] Action: talon wonders why university projects always seem to do shit like that.
[17:50] Action: talon emails the address where source is supposedly available on request
[17:51] somehow i bet nobody is reading that mailbox anymore.
[17:51] yeah, i've noticed that about universities
[17:51] so much for "free" knowledge
[17:51] like they couldn't have posted the source code... no, email me for source....
[17:52] oh well i hope that usenix paper has good info in it.
[17:52] might be able to recreate it.
[17:54] oh well sent a mail anyway.
[17:54] hope it doesn't bounce.
[17:55] i wonder if i will get the code with a message saying "you're not licensed to redistribute this source code.
[18:02] hmm looks like samba has an smbsh command that does similar. only it uses dynamic linker tricks.
[18:03] Action: talon reads the usenix paper to make sure that's not what ufo is doing as well.
[18:03] if i can at the very least make it work with backup scripts on a solaris box reliably that would be a plus. not quite as nice as having a real mount though.
[18:06] hmm yeah.
[18:06] they use the tracing facilities.
[18:06] not sure what performance impact that has though.
[18:06] probably slightly slower than using dynamic loader tweaks.
[18:07] more flexible though.
[18:12] Action: talon reads more
[18:23] definitely like this approach. you can dynamically alter any process. as far as what it sees at any time.
[18:25] Action: talon imagines a daemon that installs system call tracers/interceptors for processes upon request.
[18:27] combine something like that with FAM and you could have a totally userland automounter for unsupported filesystems.
[18:30] also would be nice for implementing encrypted file systems. for each user.
[18:30] they have an encrypted file in their homedir and start a userland program to give themselves access to it.
[18:30] as a mounted fs.
[18:33] certainly trust issues with the userland program. but i think it could still be useful.
[18:39] also far more useful would be as a generic framework for developing new filesystem types from userland. you could probably also plug in userland network stacks that way.
[19:59] AHTOH (~Anton@212.1.230.115) left irc: Quit: Client exiting
[20:08] Nick change: Bertl_zZ -> Bertl
[20:08] Bertl: did you post the new bme and quota patches to the website? i don't seem to see them on 13thfloor.at
[20:09] morning, nope they are not released yet, needed some more testing .. but bme is nice with noatime ...
[20:09] want me to do more testing of those two patches?
[20:10] if you can come up with some stress tests i could probably make some scripts.
[20:10] as I said, that would be great, and useful, not only for vserver ...
[20:10] sorry to say i haven't tried to find any new bugs today yet.
[20:11] ahh, damn! that is a shame 8-)
[20:11] kind of recovering from last night.
[20:11] needed some sleep too, h s/h found out today everything here is logged.
:\
[20:13] hmm, yeah we tried to keep that secret for long now, that's why it only has one line on the frontpage ,)
[20:14] Zoiah: yeah those projects are what I referred to .. (linux on linux boot)
[20:14] i had an idea for a QA script. that is run off of a database. that contains a bug description and a code plugin to verify its existence. the purpose of that is you can make sure bugs don't reappear. in new patch revisions.
[20:15] that is called regression tests, right?
[20:15] if you coupled that with something like vmware you could test several different kernel patches at once.
[20:16] I'm working to combine it with QEMU ;)
[20:16] QEMU?
[20:16] free vmware with lot of useful features ...
[20:16] the quota tests I posted you, are from testing with qemu ...
[20:17] will have to take a look at it. most things i've tried were not really as good as vmware for me.
[20:17] http://fabrice.bellard.free.fr/qemu/
[20:17] well it has three advantages (at least) for me over vmware ...
[20:18] 13floor refers to the sci-fi movie right? i forgot all about that movie until it clicked the other day.
[20:18] yup, that was one of my favorites ...
[20:20] Bertl: i will probably want to write a testing framework for my distro anyway. but that's getting a bit ahead of myself for now. but i'm eventually going to want to verify new kernels before i release them. won't catch everything but could at least catch the more obvious things.
[20:21] okay talon, you really want to get famous and develop a quota verification script/tool? I'll help you where I can, but it will be a lot of work ...
[20:22] (okay, I lied, you are not going to be famous, you just get a bunch of complaints, that it isn't working ;)
[20:22] i've never written a test suite before. but it should be interesting to try.
[20:22] heh the setquota.sh script was fun enough if rather pointless.
[20:23] this would probably be as well documented.
[20:23] if for no other reason than i need to be able to look at it and understand what i was thinking at the time.
[20:23] i have a very short memory.
[20:23] okay, the basic concept behind quota testing consists of several orthogonal parts, resulting from the quota implementation in the kernel ...
[20:24] I assume you (now) know how quota works in the userspace ...
[20:25] do you have a recent kernel (non vserver patched) at hand?
[20:25] yeah at least the basics of quotacheck, quota repquota and quotaon/quotaoff
[20:25] and editing quotas.
[20:25] especially that latter one ;)
[20:25] yeah i have a 2.4.25-rc1 with bme patch. i can revert it to just vanilla.
[20:25] but i see where you are going.
[20:26] create a baseline and compare it with the patched kernel.
[20:27] hmm, well I'm going to explain some of the quota fundamentals to you, they didn't change in the quota patches very much (only got a little complicated ;)
[20:27] ok, i'm going to try and write this all down and compile some notes out of it.
[20:27] okay, you know how to use cscope or vi/whatever with ctags?
[20:28] WSU (~Josh@ny.webpipe.net) joined #vserver.
[20:28] i've used cscope/vi without ctags.
[20:28] okay cscope is sufficient ...
[20:28] HI
[20:28] hi WSU!
[20:29] probably going to set up a new vmware for this particular testing.
[20:29] talon: cscope -kRp2 (inside the kernel dir for best results ;)
[20:30] have to bring up the vmware just a second.
[20:32] building symbol database.
[20:33] going to take a while.
[20:37] Bert, I am having troubles binding many IP's to one VS
[20:37] ok the symbol database is finished.
[20:37] WSU what kind of troubles?
[20:38] I originally bound 26 ip's to one VS
[20:38] said only dupports 16
[20:38] *it only supports
[20:39] hmm, yes, that is correct ...
[20:39] so I split it in half
[20:39] 16 on one
[20:39] 10 on the other
[20:39] that isn't the half exactly ;)
[20:39] :p
[20:39] okay, shall be .. what next ...
[20:40] what are your troubles?
[20:42] The original vs with the 16 IPs are bound fine
[20:42] the second vs where I added the other 10 (in the conf file)
[20:43] only binds its first original IP
[20:43] /bin/sh: log: command not found
[20:44] I enter the VS and it says
[20:44] WSU might it be that you use the same name for the server? or some extra long name?
[20:44] ipv4root is now (10 IP addresses)
[20:44] and I do an ifconfig and only see one
[20:44] both 8 character named
[20:45] names, and they are different
[20:45] restarting each VS changes nothing
[20:45] haven't rebooted root server, trying to avoid that
[20:45] okay, I'll need both config files and the output of 'ip addr show' as well as the result of the testme.sh script
[20:46] could you make this somewhere available on the net?
[20:47] yep
[20:49] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver.
[20:49] hi mhepp!
[20:54] http://vserver.zevlag.com/vs/
[20:54] those are the 2 configs
[21:05] okay, ip addr output and testme.sh?
[21:09] Bertl: i have cscope ready.
[21:10] okay, first query 'quot' in the filename section ...
[21:11] (find this file), then type '^ grep -v xfs'
[21:13] you should now see a list of 8 files, do you?
[21:15] okay, I'll break for dinner, will be back in about 15min ;)
[21:15] Nick change: Bertl -> Bertl_oO
[21:18] yes although i didn't need to do a grep.
[21:19] 0 fs/dquot.c
[21:19] 1 fs/quota.c
[21:19] 2 fs/quota_v1.c
[21:19] 3 fs/quota_v2.c
[21:19] 4 fs/xfs/quota/xfs_dquot.c
[21:19] 5 fs/xfs/quota/xfs_dquot.h
[21:19] 6 fs/xfs/quota/xfs_dquot_item.c
[21:19] 7 fs/xfs/quota/xfs_dquot_item.h
[21:19] 8 fs/xfs/quota/xfs_qm.c
[21:37] Nick change: Bertl_oO -> Bertl
[21:38] talon: hmm, what kernel did you say?
[21:38] it's 2.4.25-rc1
[21:38] do you want a specific kernel?
[21:38] nope, just that one should have a bunch of xfs files with quot in it ...
[21:39] hrm this appears to be a vs patched kernel.
[21:39] 0 fs/dquot.c
[21:39] 1 fs/quota.c
[21:39] 2 fs/quota_v1.c
[21:39] 3 fs/quota_v2.c
[21:39] 4 include/linux/quota.h
[21:39] 5 include/linux/quotacompat.h
[21:39] 6 include/linux/quotaio_v1.h
[21:39] 7 include/linux/quotaio_v2.h
[21:39] 8 include/linux/quotaops.h
[21:39] that is what you should get after the grep ;)
[21:40] actually nine files ;)
[21:40] the grep didn't work for me.
[21:40] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver.
[21:40] hmm, old version of cscope?
[21:40] hi ExpiryJames!
[21:40] hello
[21:40] 15.4
[21:41] cscope: version 15.5
[21:41] after i do find this file with quot i type ^
[21:41] but 15.4 should have that ...
[21:41] yeah, and what happens then?
[21:41] and then type grep -v xfs
[21:41] root@test1:/usr/src/vserver/linux-2.4.25-rc1# cscope -kRp2
[21:41] Press the RETURN key to continue:
[21:42] and that happens.
[21:42] okay, and after pressing enter?
[21:42] oh i see now.
[21:42] yeah i have what you wanted.
[21:42] good, that is 'pipe through filter'
[21:43] you can get a help with ?
[21:43] the bit where it said press return to continue threw me off and i didn't see the change in the list.
[21:43] okay, so now you are looking at the nine quota specific files ...
[21:44] yeah.
[21:44] quota.c is the core part, which contains everything other parts are linked to ...
[21:45] basically syscalls and such stuff ...
[21:45] dquot contains the actual quota code (well some part is spread over the .h files too)
[21:46] and quota_v1{1,2} contains the on disk quota formats and the required code for that ...
[21:46] quota_v{1,2} I mean
[21:47] most userspace relevant parts are in the .h files ...
[21:48] have a look at quotaops.h
[21:48] this is where the accounting macros are defined ...
[21:49] what's interesting there, is that we have ALLOC and PREALLOC macros ... that is because the vfs/fs layer preallocates inodes on writing (up to 8 IIRC)
[21:49] s/inode/blocks/
[21:49] for inodes, there is no preallocation ...
[21:55] any specific questions so far?
[21:57] i'm trying to follow along. ALLOC and PREALLOC are macros for internal kernel code right not userland?
[21:57] kernel code, yes
[21:58] i'm guessing those are the hooks to attach quotas to the filesystem.
[21:58] they are used throughout the entire vfs/fs layer
[21:59] i really haven't done anything with kernel internals before.
[21:59] np there, just want you to have a look at the lowest level of quota ...
[22:01] so what happens with the vanilla quota system, is basically that sequence:
[22:01] some file needs to be created or extended (written to)
[22:01] the quota system verifies that the space/inodes are available
[22:01] if not, they issue a kernel warning, we'll see where that is done
[22:02] and the entire operation is rolled back or stopped
[22:03] if there is enough space, then the operation (preallocation, allocation/creation) is executed, and the quota is reserved (actually most times the other way round ;)
[22:05] a central function for that is the dquot_transfer function you already know ...
[22:05] know is a harsh word there.
[22:05] let's have a look at this function, as it shows the basic quota principles in more detail
[22:05] i know you've had me change lines in it. and you explained some of how it applies to contexts.
[22:06] _force_ (force@brln-d9ba1f0f.pool.mediaWays.net) joined #vserver.
[22:06] <_force_> hello! someone there?
[22:06] talon: you know how to navigate to that function? __dquot_transfer?
[22:06] _force_: hmm, nope, nobody here ;)
[22:07] <_force_> i'd like to have some information if possible about this chroot exploit
[22:07] <_force_> i've patched my 2.4.24 kernel with vserver 1.26 and the quota patch
[22:07] <_force_> but the exploit still works!?
[22:07] <_force_> hi Bertl :)
[22:07] there now.
[22:08] dquot.c line 1297
[22:08] _force_: hmm, okay, could you show me your 'ls -ld /vservers' and 'lsattr -d /vservers'?
[22:08] i think i goofed and used a vs patched kernel when i started cscope. (as in using the wrong source tree)
[22:08] <_force_> paste here?
[22:09] should be two lines, so yes ;)
[22:09] <_force_> d--------- 33 root root 4096 Feb 7 14:00 /vservers
[22:09] <_force_> -----------t- /vservers
[22:09] okay, and the exploit is working for you with that setup?
[22:09] <_force_> what do you mean with setup?
[22:10] with the current /vservers modes/permissions/flags
[22:10] <_force_> S_CAPS="CAP_NET_RAW"
[22:10] <_force_> S_CAPS="CAP_SYS_RESOURCE"
[22:11] <_force_> or what do you mean?
[22:11] hmm, well that is insecure anyway, but what does the exploit report?
[22:12] talon: are you in the vanilla sources now?
[22:12] <_force_> gerrit:/# ./a.out
[22:12] <_force_> mkdir baz: File exists
[22:12] <_force_> Exploit seems to work. =)
[22:13] and what does 'ls -ld /vservers' and 'lsattr -d /vservers' report now?
[22:13] Bertl: not yet have to let cscope reindex the vanilla tree.
[22:13] <_force_> after i executed the exploit?
[22:14] yep
[22:14] <_force_> d--------x 33 root root 4096 Feb 7 14:00 /vservers
[22:14] <_force_> -----------t- /vservers
[22:14] okay, please give that script a try: http://vserver.13thfloor.at/Stuff/testme.sh
[22:15] (on the host, and let me know what it reports)
[22:16] <_force_> http://nopaste.php.cd/7851
[22:16] <_force_> there's the output
[22:16] <_force_> ARGH
[22:17] <_force_> wtf, sorry, forget everything i said :(
[22:17] doesn't convince me that you are running 1.26 ;)
[22:17] <_force_> i didn't boot the correct kernel :(
[22:17] and you didn't use the current script either ;)
[22:17] <_force_> damn, i copied the entries for the kernel in the lilo.conf but forgot to edit the paths :}
[22:17] <_force_> which script?
[22:18] the testme.sh, current version is 0.06 ;)
[22:18] <_force_> ehm, well i did a wget on the link you gave me :)
[22:18] talon, could you please verify that?
[22:18] can't find __dquot_transfer in vanilla sources, dquot_transfer exists in dquot.c though.
[22:19] that is okay, was the reason I was asking ;)
[22:19] Bertl: verify that the exploit works with 1.26 vs ?
[22:19] have to change kernels. and reboot.
[22:20] nope, what version the testme.sh has for you ...
[22:20] http://vserver.13thfloor.at/Stuff/testme.sh
[22:20] oh
[22:20] just download it and run it or look at the source version
[22:21] eecho $eY "Linux-VServer Test [V0.06] (C) 2003-2004 H.Poetzl"
[22:21] okay _force_ probably you had it already, and now it's named testme.sh.1 ...
[22:21] <_force_> hm, could be, i'll check when the server is back up.. just rebooted :)
[22:21] or some dumb caching proxy has got you ...
[22:22] talon: okay, back to dquot_transfer (which is present in vanilla )
[22:22] it starts with /* Clear the arrays */
[22:23] which assign the magic NODQUOT (means no quota) to both, to and from, and sets the warning to nowarn
[22:24] then there is the 'build the transfer_to list' part, which 'creates' or 'finds' dquot entries for the inode if the superblock supports it ...
[22:25] the basic identifier for dquots is a pair of (sb,id,type)
[22:25] when in the process is dquot_transfer called ?
[22:25] hmm tuple is a better name ...
[22:25] trying to get a good idea of code leading up to that point.
[22:26] dquot_transfer is basically called whenever a file changes from one owner to another ...
[22:26] so basically like chown.
[22:26] not only, also write and other things ...
[22:27] but if you want to see who calls it, use cscope ;)
[22:28] Action: talon wonders if there's a program that can show a graph of what calls what from the syscall level down.
[22:28] to see what code would be triggered for calling a certain syscall.
[22:28] yup, there is a script/tool combo called callgraph or something like that
[22:29] but it requires a modified C compiler, so it isn't that useful ...
[22:29] <_force_> Bertl ok, now i'm running the correct kernel, and yes, there was an old testme.sh :]
[22:30] and now the exploit is not working?
[22:30] <_force_> mkdir baz: File exists
[22:30] <_force_> Exploit seems to work. =)
[22:30] <_force_> :]
[22:30] you did change back the /vservers dir?
[22:30] definitely have to read up on the vfs stuff. i'm sure a lot of this will be much clearer after i do that.
[22:31] <_force_> oh
[22:31] <_force_> no forgot
[22:31] talon: I'm sure that will help, but that isn't required for now ...
[22:32] just keep in mind, there is a dquot for each superblock, id and type
[22:32] where id is the uid or gid and the type is either user or group
[22:32] so one dquot for each filesystem.
[22:33] or more like two if you have group quotas in use.
[22:33] one dquot for each filesystem _and_ user _and_ _group_
[22:33] <_force_> hm, ok it still gives the message Exploit seems to work. =) but it doesn't seem to work :)
[22:33] <_force_> a lot of cd ..: Permission denied
[22:33] yup, you can fix the exploit to report the correct result ...
[22:33] 8-)
[22:33] <_force_> hehe
[22:34] <_force_> ok, great this works *puh* .. now i don't have to worry about all those kiddies on that server @_@ ;)
[22:34] by the way 1.3.7 does use a different protection ...
[22:34] <_force_> is it safe to use 1.3.7 ?
[22:34] is it safe to use the 2.4.25-rc1 kernel?
[22:35] <_force_> i mean is it already stable? :)
[22:35] no, otherwise it would be labeled stable not devel ;)
[22:35] <_force_> heh
[22:35] but it can be considered a prerelease to the next stable release
[22:36] can't wait to see how the virtualized networking and syscall switch stuff turns out.
[22:36] <_force_> k, great :) i'm looking forward to it!
[22:36] <_force_> thanks for your help, and your development work! :)
[22:36] <_force_> 0_o
[22:37] <_force_> have to go, cya!
[22:37] _force_ (force@brln-d9ba1f0f.pool.mediaWays.net) left irc: Quit: Man is guided by the spirit. In the desert I am worth what my deities are worth.
[22:39] okay talon, ready to continue the journey?
[22:40] yeah.
[22:41] probably going to have to go through the logs and piece together notes to really get it all but yeah let's keep going.
[22:41] okay next step is the transfer from which includes the limit check ...
[22:42] this is simply duplicating references and verifying if there is any limit reached/passed
[22:43] then in the last step the quota is actually transferred, and the dquot references released ...
[22:44] any warnings are issued whenever they happen ..
[22:44] what exactly are kernel warnings?
[22:45] printk nothing else ...
[22:45] so what might we have learned from that quota procedure?
[22:46] - dquots are the atomic units of the quota system
[22:46] - the primary (unique) key is (sb,id,type)
[22:46] - quota is transferred from dquot A to dquot B
[22:47] what we didn't see, but what is very similar is:
[22:47] - on creation or destruction the dquot X is manipulated similar to the transfer, but only one dquot for each quota is involved (usually usr/grp)
[22:49] what we won't see without a closer look is, that dquots are created and destroyed, whenever they are needed or not needed anymore, and that they are stored in a hash, and some other nasty details ...
[22:50] the vserver 'quota' patch is composed of 4 parts, only two of them are really quota related
[22:50] the first and the third (qh and cq)
[22:51] the first does completely reorganize the quota internals, without any effect on the API
[22:51] the userspace should not even be able to detect that change
[22:52] the second patch (cx) adds the context tagging for files, which isn't directly quota related, but required for per context disk stuff in general
[22:53] ever consider writing up a page with notes on the vserver patch internals?
[22:53] how it all fits together and how everything is implemented?
[22:53] the third patch uses the flexibility gained in the first patch, which splits up the quota hash into per superblock hashes, and the xid information to build per context hashes.
[22:53] (not yet, but maybe I will)
[22:54] 2.6 seems a good candidate for that ... especially in the SE branch ...
[22:54] chrism (~chris@82-32-130-79.cable.ubr05.hawk.blueyonder.co.uk) joined #vserver.
[22:54] hi chris!
[22:54] would probably encourage people to dig into it and help with development.
[22:54] people I need your help :)
[22:54] hey Herbert :)
[22:54] if some of the mystery was removed.
[22:55] I installed 1.26 and did the chmods and the chattrs and the exploit no longer works, however;
[22:55] vservers are installed to /var/lib/vservers
[22:55] I set the chattr and chmod on /var/lib/vservers
[22:55] there is a webserver serving from /var/www
[22:55] and the +t is inherited ...
[22:55] it was to start with
[22:56] but I did an lsattr throughout
[22:56] and nothing showed
[22:56] oka
[22:56] +y
[22:56] please continue!
[22:56] but the webserver now throws back:
[22:57] [Mon Feb 9 19:53:23 2004] [error] [client 82.32.130.79] (13)Permission denied: access to /index.php failed because search permissions are missing on a component of the path
[22:57] but as another user on the system I can pull /var/www/index.php
[22:58] Cmaj (~cmaj@3ffe:bc0:5f3:1:9999:911:c3d3:5431) joined #vserver.
[22:58] an strace on apache reports it as -EACCES Permission denied.
[22:58] stat64("/var/www", 0x810786c) = -1 EACCES (Permission denied)
[23:00] hmm, okay and what does ls -lad /var /var/www /var/www/index.php report?
[23:00] hi Cmaj!
[23:02] melisanthi:/# ls -lad /var /var/www /var/www/index.php
[23:02] drwxr-xr-x 16 root root 4096 Jul 8 2003 /var
[23:02] drwxr-xr-x 12 root root 4096 Dec 16 09:24 /var/www
[23:02] -rw-r--r-- 1 root root 560 Nov 13 23:51 /var/www/index.php
[23:03] hmm, might be that your apache uses 'secure' mode?
[23:03] try to change the ownership of /var/www/index.php to apache or www or whatever user you entered in the config
[23:03] same goes for php secure mode if enabled ...
[23:04] it was owned to root:www-data because the webserver runs as www-data
[23:04] and that's how it was working before
[23:04] but yes, the chattr had nuked permissions on /var but I fixed those
[23:06] for a start you could add an index.html, that should be displayed by the apache if a+r is set ...
[23:06] tried it
[23:06] same thing :(
[23:06] is the apache inside the vserver or on the host?
[23:06] on the host
[23:07] okay, try the following: su to the apache/httpd user with 'su - '
[23:07] melisanthi:/# su - www-data
[23:07] Unable to cd to "/var/www"
[23:08] interesting ;)#
[23:08] interesting ;)
[23:08] mm
[23:08] ------------- ./var
[23:08] another barrier, nice ;)
[23:08] melisanthi:/# lsattr /var | grep 'www'
[23:08] ------------- /var/www
[23:09] okay, let's start with cd /var
[23:09] su www-data
[23:09] melisanthi:/# usermod -d /var www-data
[23:09] melisanthi:/# su - www-data
[23:09] Unable to cd to "/var"
[23:10] okay so something with var isn't right atm ...
[23:10] mmm..
[23:10] ls -lad /var; lsattr -d /var
[23:10] melisanthi:/# ls -lad /var; lsattr -d /var
[23:10] drwxr-xr-x 16 root root 4096 Jul 8 2003 /var
[23:10] ------------- /var
[23:10] looks perfectly fine to me ...
[23:10] what about /
[23:11] ls -lad /.; lsattr -d /.
[23:12] ew.
[23:12] melisanthi:/# ls -lad /.; lsattr -d /.
[23:12] d--------x 21 root root 4096 Feb 9 19:41 /.
[23:12] ------------- /.
[23:12] hmm looks exploited to me ;)
[23:12] drwxr-xr-x 26 root root 1024 Feb 9 08:40 /./
[23:13] Doener_zZz (~doener@pD9588773.dip.t-dialin.net) joined #vserver.
[23:13] hooray.
[23:13] fixed.
[23:13] I should start a new channel 'Unix ermissions 101' ;)
[23:13] :/
[23:13] +p
[23:14] but do not worry, chris, everybody has problems to get the permissions right atm ...
[23:14] melisanthi:/var/www# ls -lad /.
[23:14] drwxr-xr-x 21 root root 4096 Feb 9 19:41 /.
[23:14] thank you for that. I was standing by to pull my hair out
[23:15] np, have fun
[23:15] i haven't even bothered with the permission fix on my development box. considering it has no users.
[23:15] okay talon, still interested in quota and testing?
[23:16] yeah.
[23:16] the last part of the quota secrets are the quota files ...
[23:18] when initialized, the dquot values are read from those files, and when the dquots are destroyed (or on a quota sync) the values are written back to that file
[23:19] to avoid some issues, the quota files themselves do not get any quota ...
[23:20] Doener (~doener@pD9E12F72.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[23:20] so what would a 'general' quota test do to test quota operation?
[23:21] - initialize quotas on a partition with quotacheck
[23:21] - query start values with repquota and store them as a 'bias'
[23:21] serving (~serving@213.186.188.205) left irc: Read error: Connection reset by peer
[23:21] then enable quota on that partition/fs
[23:22] and do some structured tests in random order, specifically:
[23:22] - creating empty files
[23:22] - creating files with contents
[23:22] - creating dirs
[23:22] - destroying files and dirs
[23:22] - chowning files and dirs
[23:23] - chgrping files and dirs
[23:24] for example creating 100 files in random sequence distributed over 10 dirs should be an interesting test, with a well defined result (biased on the initial values)
[23:24] chowning those 100 files to 100 different uids (not equal 0), would be another interesting test
[23:25] removing the upper 50 files and chowning back the rest to 0 yet another
[23:25] same for group quota
[23:26] writing to files from different uids is another interesting test, which should give well defined results, when done in block amounts, and fs specific results if done in smaller chunks
[23:27] especially allocating +/- 1 byte around a block size could be interesting
[23:27] does the quota system account in anything finer grained than 1k blocks?
[23:28] yes, the dquots themselves have to account on byte basis otherwise there would be funny exploits possible
[23:28] can i get that information somehow?
[23:28] print total bytes instead of blocks.
[23:29] hmm, not really, the data is distributed over the inodes ...
[23:31] it might be possible to add a new syscall interface to request that value, but currently it's not available to userspace
[23:31] btw, the current 'logical' block size for quotas is 2^10 (so 1k)
[23:32] hmm interesting.
[23:32] and that is independent from the fs block size ...
[23:32] sorry to interrupt. but
[23:33] when i enable quotas on the /vservers fs and use repquota user talon has 8 used blocks and 2 used inodes.
[23:33] now if i fire up a vserver with per context quotas.
[23:33] the quota usage inside the context is reported differently.
[23:34] for that user.
[23:34] well, it's a separate quota hash, and probably quotacheck does report different initial values
[23:35] (micht be the result of the limited scope)
[23:35] s/micht/might/
[23:36] basically i seem to be getting blocks and inodes attributed to me that i'm not using.
[23:37] on the host?
[23:38] in the context. here let me save the repquota report from the vanilla kernel with quotas for that fs. and boot into the kernel we patched the other day.
[23:39] been scratching my head over it for a while.
[23:40] one of the reasons i was interested in getting quota test descriptions.
[23:42] inside the context the user talon is reported as
[23:42] talon -- 12 0 0 3
[23:43] outside he's reported as
[23:43] talon -- 8 0 0 2
[23:43] by repquota.
[23:43] inside that vserver instance is the only place on the vservers fs that has files owned by uid 1000 (talon)
[23:44] hmm, well I would suggest to do the following for a start:
[23:44] edit the /etc/mtab on the host to use ufs as filesystem
[23:45] then repeat the quotacheck
[23:45] ok
[23:45] see if that changes anything ...
[23:46] and it might be possible that those files 'inside' the context, partially belong to the host, and the context .. that can be verified with lsxid ...
[23:46] yup
[23:46] it sure does.
[23:46] now the host reports the same as the context.
[23:47] see, that is because the quota tools still access the fs on a low level ... and probably do some stuff wrong there ;)
[23:48] but that is only the bias, accounting is done in the kernel and will be correct in both cases ...
[23:49] so you're saying basically that repquota and quota(1) are reporting incorrectly but the kernel has the right picture?
[23:50] here's the vservers fs reported before the ufs change to mtab.
[23:50] Block grace time: 7days; Inode grace time: 7days
[23:50] Block limits File limits
[23:50] User used soft hard grace used soft hard grace
[23:50] ----------------------------------------------------------------------
[23:50] root -- 439816 0 0 28659 0 0
[23:50] bin -- 8 0 0 1 0 0
[23:50] daemon -- 16 0 0 4 0 0
[23:50] lp -- 20 0 0 3 0 0
[23:50] uucp -- 844 0 0 27 0 0
[23:50] talon -- 8 0 0 2 0 0
[23:50] test -- 28 0 0 7 0 0
[23:50] and after.
[23:50] Block grace time: 7days; Inode grace time: 7days
[23:50] Block limits File limits
[23:50] User used soft hard grace used soft hard grace
[23:50] ----------------------------------------------------------------------
[23:50] root -- 848008 0 0 57227 0 0
[23:50] bin -- 16 0 0 2 0 0
[23:50] daemon -- 32 0 0 8 0 0
[23:50] lp -- 40 0 0 6 0 0
[23:50] uucp -- 1688 0 0 42 0 0
[23:50] talon -- 12 0 0 3 0 0
[23:50] test -- 36 0 0 9 0 0
[23:50] yes, as a matter of fact, it's even worse ...
[23:51] because the quotacheck, which is the root of all evil here ;) does not differentiate between different contexts/xids at all
[23:51] so a quotacheck accounts any files belonging to uid=1000 for example, regardless of the xid
[23:52] adding hashes for the host, and the context, and 'resetting' both with quotacheck, will give differing results when one of those files is removed for example ...
[23:52] because either it belongs to xid=200 for example or xid=0 but never both
[23:53] so it will be decremented in one hash, but not the other ...
[23:53] Bertl: how do I easily flush my disk caches?
[23:53] for what purpos?
[23:53] Bertl: benchmarking with a cold cache
[23:53] I really have to refill those e-s
[23:54] hmm, cache tests, well there was a 'trick' to do that, let me see if I can find it (umount/mount works anyways)
[23:54] so why does it work correctly with ext2 as the fstype and look horribly wrong with ufs?
[23:55] no it doesn't work correctly with any setup
[23:55] looks exactly the same in the context as far as the numbers being really out of whack.
[23:55] a special xid aware quotacheck would be required to make it work correctly
[23:57] Zoiah: http://www.ussg.iu.edu/hypermail/linux/kernel/9907.1/1122.html
[23:58] hmm ok i think i see what it's doing. when it's set to ext2 it tries to read the file information directly from disk.
[23:58] how does it attempt to find the right info with fstype = ufs ?
[23:59] with 'normal' vfs/fs calls ...
[23:59] recursive search/stat and accounting
[00:00] --- Tue Feb 10 2004