[00:00] well that can't be right since if I do a telnet www.google.com 80 from the host it works just fine
[00:00] well, you actually did a telnet from the host, just with the source ip of 192.168.2.50 ;)
[00:01] sladen, i see no packets in tcpdump (using tcpdump src or dst port 53 in vserver)
[00:01] aye, I know mate but it works just fine from the host's regular ip and the router isn't ip-based
[00:02] it forwards everything from eth4 (which is the dmz this particular machine is located in)
[00:02] ah, okay, so that ip is on another interface than the hosts outbound interface?
[00:03] no, there's only one interface on the vserver's host and that is eth0
[00:03] you specify eth0 in your config, but the host server uses eth4?
[00:04] ah eth4 is on the router ...
[00:04] no no, heh, sorry if I'm not explaining this well enough. the router's eth4 leads to the vserver's hosts eth0.
[00:04] aye, exactly
[00:04] okay, will you disconnect yourself if you modify the host's ip?
[00:05] and if so, is this a problem for a short test?
[00:05] you mean disconnect the machine I'm ircing from? no, I'm on eth5 :)
[00:05] okay, I would like you to change the hosts eth0 ip to the vserver ip (192.168.2.50) and try to reach the outside (www.13thfloor.at) ...
[00:06] disable the vserver before and make sure that this is the only ip ...
[00:06] couldn't I just change the vserver's ip to 192.168.1.2 (the host's real ip) instead?
[00:07] ah, you want to test the router, nevermind
[00:08] vang: what kernel/patch version do you use?
[00:08] kernel 2.4.24 plain (no other patches) + vserver 1.26
[00:08] definitely is related to udp. it works on tcp
[00:09] could you try the vs1.3.7, we changed the udp/tcp source selection there ...
[00:10] i'll try this suggestion (not right now), but anyway, if it'll work, i'll post on the list.
[00:11] thanks for help
[00:11] you're welcome!
[00:12] ah, beautiful Bertl
[00:13] sladen: FYI: we (don't remember who actually reported that) discovered a different behaviour between bound and unbound udp traffic (regarding the source address selection)
[00:13] norse: means that didn't work as expected?
[00:14] you were right, it was a forwarding issue. the host only accepted incoming connections to its own ip, not to other ips even if it's an alias
[00:14] I didn't actually do what you said, I understood what you meant though, works perfectly now
[00:14] okay, wonderful ;)
[00:14] cheers a bundle mate
[00:23] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[00:24] hi JonB!
[00:25] noel (~noel@p50859A97.dip.t-dialin.net) joined #vserver.
[00:25] hi noel!
[00:25] hello Bertl
[00:27] hey Bertl
[00:27] Bertl: how stable and secure is the devel series ?
[00:27] very! ;)
[00:28] Bertl: ok, the quota settings appear to work correctly inside a vserver instance with my patched quotacheck. and i submitted my patch to the quota-tools people. wouldnt surprise me if its closed with a wont fix though.
[00:28] Bertl: and are there userland tools to use your new secure thingy ?
[00:30] JonB: jup, all brand new, and special made by enrico ;)
[00:31] talon: sounds great, maybe we should write a note to honza (Jan Kara) regarding the entire issue ...
[00:31] Bertl: sounds good. how do i get ahold of him?
[00:32] i only posted a bug with a patch to the sourceforge site.
[00:32] Bertl: good, then i'll try the devel
[00:33] vang (~vang@80.86.109.254) left irc: Quit: Leaving
[00:34] talon: it might be that we can convince him to add a feature that allows to use ext2/ext3 as fs, and the tools do a smart fallback if they can not open the block device ...
[00:35] the issue appears to be that scan_dir() was calling add_to_quota with need_remember set to 0 for the directory of the mount point. and on any directory inodes after that. and its possible doing a recursive scan to see a directory inode more than once. this caused the quota record to be updated more than once for those directories encountered more than once.
[00:35] add_to_quota is never called with need_remember for the direct fs scan method.
[00:35] and its impossible to see inodes more than once using that method.
[00:36] so im not surprised this was never discovered.
[00:36] Jan Kara
[00:37] he is usually open to suggestions if they make sense ...
[00:38] Bertl: the website doesnt say anything about a new util package
[00:38] http://www.13thfloor.at/vserver/d_release/v1.3.7/
[00:39] (util-vserver-0.28.195)
[00:39] Bertl: does that sound right to you? based on that patch? (home.talon.cosmic-cow.net/quotacheck.patch) i had used some printfs in add_to_quota to see how things were being called.
[00:39] kay
[00:40] talon: home.talon.cosmic-cow.net no such host?
[00:40] erm talon.home.cosmic-cow.net/quotacheck.patch
[00:42] should be the root of each vserver also chmod 000 ?
[00:43] or only the root of all vservers
[00:44] on stable, only the root of all vserver, and only together with the +t flag
[00:44] on devel, you just use the barrier flag
[00:44] ok thanks
[00:48] im not even sure why they checked for directories at all. when deciding to set need_remember. performance maybe? doesnt seem to lead to the proper behavior anyway. and it sure does seem harmless to only account for unique inodes once if the link count is anything other than 1. (directory inodes seem to show up as having a link count of 2) and this patch doesnt seem to interfere with the way add_to_quota is called using the other scan m
[00:49] ahh.. hello Bertl
[00:49] any progress going on for 2.6 vserver
[00:49] johnny: sure ...
[00:50] i'll be back around then
[00:50] talon: hmm, you did verify your changes with multiple hardlinks and such?
[00:50] yeah.
[00:51] feel free to try and break it though.
[00:51] and 10 hardlinks account as how many inodes?
[00:51] you might be able to come up with a case that breaks it.
[00:51] just one.
[00:52] guess I'll really have to check that, doesn't look so obvious to me ...
[00:52] but I trust your testing, otoh, so I'll delay that until it is necessary ;)
[00:52] the real thing to look at is add_to_quota()
[00:53] infowolfe (~allenp@pcp04891550pcs.frnkmd01.md.comcast.net) joined #vserver.
[00:53] add debug prints to add_to_quota to show the arguments.
[00:53] ensc: ping?
[00:53] ping
[00:53] and you will see directory inodes passing through twice with no checks to see if they have been accounted for before.
[00:53] without the patch.
[00:53] hey... i'm having a problem with e2 something
[00:53] aeh... pong
[00:53] lol
[00:53] one second
[00:54] i'm having a problem with an e2fs .h file not being recognized
[00:54] infowolfe: which version
[00:54] ?
[00:54] wtf?
[00:54] 0.28...
[00:55] wow, just waiting 5 minutes fixed it
[00:55] thats the only way i caught it.
[00:55] hmm, self healing tools, great work enrico!
[00:55] checking for ext2fs-headers... e2fsprogs
[00:55] checking ext2fs/ext2_fs.h usability... yes
[00:55] checking ext2fs/ext2_fs.h presence... yes
[00:55] checking for ext2fs/ext2_fs.h... yes
[00:55] checking for vserver... no
[00:55] i just figured you might have known the reasoning behind the changed code.
[00:56] that's odd... the previous breaks were at ext2fs/ext2_fs.h
[00:56] as far as why it turns off dup inode checks for directories.
[00:56] talon: okay, would you like to contact honza regarding the 'fallback if ext2/ext3 isn't possible' option/feature?
[00:56] enrico, the next question is what's the vserver check?
[00:56] i guess. i never figured needing that feature.
[00:57] as long as theres an mtab. or are you trying to get rid of the fake mtab entry?
[00:57] infowolfe: it's a check if your glibc knows the vserver(2) syscall. It is unlikely that it succeeds before 2006
[00:57] talon: yes, that would be a saner thing to do anyway ... you can refer to me and the vserver context quota stuff, he already knows about it ...
[00:57] ensc, the YEAR 2006?
[00:57] lol
[00:58] ok i will drop him a line and mention the patch and a possibility for fallback for quotacheck. i might even try and come up with a patch for the fallback unless you already have one?
[00:58] i find its a lot easier to get things fixed if you provide a patch with a bug report/feature request.
[01:00] sure, always easier to accept a patch than to code something yourself, and developers _are_ lazy ...
[01:00] honza = ?
[01:00] jup Jan Kara = Honza = jack@ucw.cz
[01:01] Jan is short for Johann, Honza ~ Hans ~ Johann ...
[01:01] cool. glad to see my work on the quota tools mystery wasnt a waste of time.
[01:02] it doesnt cause major problems for the accounting to be off a bit. but it does cause some of your available space to not be available.
[01:02] which i consider a decent sized bug in any case.
[01:05] agreed ...
[01:05] its not a major issue for block quotas since its only going to be off by few 1k blocks depending on how many directories you have and their size. but inodes add up faster.
[01:06] hmm, bill, was it you who brought up the udp connected/disconnected src handling?
[01:06] hopefully i can find more bugs to tackle.
[01:07] Bertl: sorry cant take credit for that one.
[01:07] ups
[01:07] i think that was brought up on the ml a long while back.
[01:07] do you remember who reported and tested that?
[01:07] was just a few days ago ... I can't remember atm ...
[01:07] dont think i was around for that. if i was i wasnt paying attention.
[01:08] hmm, okay thanks
[01:09] i mainly found the accounting off because i was testing using really low quota limits.
[01:10] pretty easy to overlook otherwise.
[01:11] heh, pretty soon im going to start assuming everything is lying to me.
[01:19] how do you want the fallback support to work?
[01:20] if it just happens automatically it could cause problems with non vserver systems.
[01:20] what if the read from the raw device fails because of fs corruption?
[01:20] well, I would say, if the 'direct' access is compiled in ext2/ext3 and is trying to open the block device, but fails, it should fall back to inode scanning instead of bailing out
[01:20] and it just goes on happily?
[01:21] hhmm
[01:21] and it for sure fails on opening the raw device, so that is a clear perm denied there ...
[01:22] fstabs inside vserver should be empty?
[01:22] ok so it fails on open and not on read or write or lseek calls?
[01:22] with the vroot device.
[01:22] i could probably easily add a check for that.
[01:22] without changing how it acts on a normal system.
[01:22] yes, that is the idea, the vroot device is not vserver specific, although it might have no other purpose ...
[01:24] i just figured open would succeed since you have to open the device to do an ioctl on it.
[01:24] and vroot proxies ioctls.
[01:25] hmm, good point, open will succeed, best would be to strace the checkquota and see where it fails ...
[01:26] yeah will give that a shot.
[01:26] hopefully it will give me a useful errno value like EPERM or something so i know its not because of a hardware failure or something else.
[01:26] should do so ...
[01:27] only one way to find out.
[01:27] these things should only run on main server: firewall, ntpdate, fs mounts
[01:28] yup
[01:28] s/firewall/firewall script/
[01:28] I am moving my / to /vserver/main :)
[01:28] making / very minimal
[01:28] only sshd on main which can only be used from main :)
[01:29] sshd on main server, which can only be used from main vserver
[01:29] :)
[01:30] the way it should :)
[01:30] does it sound ok what I do? :)
[01:30] restricted root even make or rpm stuff remove rename and imunise bit :)
[01:31] main server also has the aide ;)
[01:31] watching all my vservers
[01:31] yes i think its good personally i run nothing in root
[01:32] is it called root server?
[01:32] then I will use that term :)
[01:32] not so easy though to move a normal system to full vserver :)
[01:33] kinda give you organisation probs
[01:33] :)
[01:34] the sshd on the root server even doesnt run on 22
[01:34] the main vserver has 22
[01:34] i am more messy with vserver :) lots of duplicated stuff for nothing but thats the fun somewhere
[01:34] so bad guys will never come to the root server
[01:34] yup could listen only on intranet
[01:35] Starting Advanced Configuration and Power Interface daemon: acpid: can't open /proc/acpi/event: Device or resource busy
[01:35] or on a high port and leave 22 for a vserver
[01:35] hehe ACPI needs to be on root server
[01:35] I have to make list :)
[01:35] ACPI daemon, firewall scripts, ntpdate, fs mounts
[01:35] so far
[01:38] read(3, 0x80dec78, 1024) = -1 EIO (Input/output error)
[01:38] nope
[01:38] not something easy to distinguish from a real io error
[01:38] hmm, that is with vroot device?
[01:38] yeah.
[01:38] give me a second to verify that in the code ...
[01:42] hmm, yeah true ...
[01:43] fairly productive day so far id say.
[01:43] okay, for vserver I can give you a good how-to detect a vroot device ...
[01:43] this is something honza will not incorporate, but we could argue for a command line switch ...
[01:44] vserver method: check for vroot device major ...
[01:44] eerr how do I allow RAWIP stuff?
[01:45] I have a bind in a vserver
[01:45] what about just a command line flag to turn off directio ?
[01:45] seems a bit more sane and less intrusive.
[01:45] yeah, that is what I would suggest to honza, as I said above ...
[01:46] but if you really want a patch that checks the major/minor and falls back to scan_dir i can do that.
[01:47] let's see what honza does, if there is a way to use it without the mtab hack, we go for that, if not or if he says, well for ufs, that is correct, and on ext2/ext3 it works too, we have to patch anyway ...
[01:49] ah CAP_NET_RAW is it
[01:49] the flag option is about the same as using the mtab hack. for all practical purposes. since you would still need to edit an rc script to make the quotacheck work correctly.
[01:50] mtab at least is a place that works for all possible distros.
[01:50] yes, but it looks saner to specify --norawio instead of changing an ext2/ext3 fs entry to ufs ...
[01:51] perhaps an environment variable would be nice to set as well for turning off rawio.
[01:51] you could probably even set that in the vserver scripts. before rc.M is called.
[01:52] no files would need to be modified.
[01:53] just an idea.
[01:53] i would add a flag too just for completeness.
[01:54] everything is okay with me, specifying ufs is a gross hack, unfortunately the only one working atm
[01:54] meebey: CAP_NET_RAW allows to sniff the entire network/interface
[01:54] is it possible to set a global ENV inherited by everything before rc.M is called by the vserver scripts?
[01:58] Bertl: its ok its in the main vserver
[01:58] Bertl: I have problems with bind though
[01:58] Bertl: do I need more caps?
[01:58] i use a tiny dnsmasq cause i dont need bind here :)
[01:58] Action: talon pulls out APUE and gets to work.
[02:01] hhmm something is strange
[02:02] I want all IPs in my main vserver
[02:02] ifconfig shows none
[02:02] do I need to specify them explicit?
[02:03] what is a main vserver?
[02:03] I named a vserver "main" :)
[02:03] which have all my daemons
[02:03] aha ...
[02:03] the root server has almost nothing
[02:03] now I need to allow that "main" vserver more :)
[02:03] aha ...
[02:04] I moved / to /vserver/main :)
[02:04] s/moved/copied/
[02:04] okay, and what is the idea behind that all ips stuff?
[02:05] Feb 12 00:06:20 main named[10842]: refused query on non-query socket from [127.0.0.1].42895
[02:06] maybe the daemons work then better :)
[02:06] well, looks like a query from the localhost?
[02:06] ifconfig doesnt show any ips, maybe they are confused
[02:06] which is rejected by bind?
[02:06] hhhmm
[02:07] meebey: i guess you're binding the vserver to 0.0.0.0?
[02:07] yes
[02:07] I didnt specify the IPROOT so...
[02:08] iirc ifconfig in a vserver will only show those interfaces/aliases that are specified in IPROOT
[02:08] meebey: why do you want the 'main' vserver to bind to all ips, even those used by other vservers?
[02:08] Bertl: there are no other vservers yet
[02:08] okay, so how many ips do you have atm?
[02:09] when the 'main' vserver works, I will move daemons from it to own vserver
[02:09] there is some code in the vserver script that sets up some stuff for each ip, so that ifconfig shows them and i guess for 0.0.0.0 (or IPROOT="") nothing is done
[02:09] 4 ips
[02:09] hmm interesting. that might even be a security problem.
[02:09] Action: talon tests something
[02:09] okay, then specify those 4 ips, maybe with 127.0.0.1 for that server
[02:09] ok I will add the IPs manually then
[02:09] jep doing
[02:11] like I said, not so easy to move a production server to vserver style :)
[02:11] i think roots env might be carried over into a vserver when running vserver foo start.
[02:12] looks like it does carry over.
[02:12] the environment should be cleared before the vserver script changes contexts.
[02:12] enrico?
[02:12] oohh sounds bad
[02:12] yep?
[02:13] 00:13 < talon> i think roots env might be carried over into a vserver when
[02:13] running vserver foo start.
[02:13] I do not know a way to clear the env
[02:14] hmm, should not be too hard from a C tool ...
[02:14] or do you mean to clear it completely?
[02:14] yeah anything needed should be set again by the rc scripts. in theory anyway.
[02:15] maybe clear and then add some 'minimal' default?
[02:15] im not 100% sure if thats whats going on though.
[02:15] but it looks on the surface like thats what happens.
[02:16] talon: should be easy to check: add a set >/tmp/env.log into one of the rc scripts ...
[02:16] Action: talon nods
[02:16] will try that now.
[02:16] rc.M is the first rc script called by the util-vserver vserver script right ?
[02:18] does the unclean environment cause any problem in stable branch?
[02:18] might be ...
[02:18] ensc: no problems no. its just general practice with security conscious tools to sanitize their environment before doing anything.
[02:19] no telling what might be in roots environment when he runs the vserver tool.
[02:19] well, it is definitely no security issue from the host to a vserver ...
[02:19] might leak stuff into the vserver env he doesnt want people to see.
[02:19] but I guess it might be a possible cause for some troubles inside the vservers ...
[02:21] hhhmm my bind still makes trouble
[02:22] well, the message you pasted above, was a configuration issue anyway ...
[02:22] yeah it shows up in the file.
[02:22] other computers on the network also dont get any replies
[02:22] when i do a set >/tmp/env.log in the first line of rc.M
[02:22] the config was moved from the / system like all other things
[02:23] but I am anyhow checking the bind config
[02:23] although its slightly a good thing it does this. since your TERM env gets carried over. its very useful for say using vserver foo enter.
[02:24] not possibly so good for vserver foo start though.
[02:24] hhmm that bind doesnt do any source checks, very open bind
[02:24] meebey: also check what ports are actually bound
[02:24] k
[02:25] tcp 0 0 192.168.0.101:53 0.0.0.0:* LISTEN 12479/named
[02:25] tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 12479/named
[02:25] that looks good
[02:25] no udp?
[02:25] oh
[02:25] *checking*
[02:25] udp 0 0 192.168.0.101:53 0.0.0.0:* 12479/named
[02:25] udp 0 0 127.0.0.1:53 0.0.0.0:* 12479/named
[02:25] okay, looks good ...
[02:25] so queries going to the named is ok
[02:26] now use an external host, and tcpdump ...
[02:26] tcpdump on the host
[02:26] I think the bind has problems querying the outside
[02:26] k
[02:27] talon.home.cosmic-cow.net/env.log (output from rc.M) note the FOO_EXPLOIT=foo env and the other bits of crud in the env passed to the rc scripts.
[02:30] ok, 0.29.190 will have/has the clearenv stuff
[02:31] great, btw, why do you obviously? start at 190?
[02:31] where should I start else?
[02:32] 42 for example ...
[02:32] 42 would be somewhere in the stable-devel area
[02:33] okay, please does anybody understand enricos numbering scheme, (no enrico, you do not count)
[02:33] it is described in the Wiki
[02:34] Action: Bertl is reading up on that wiki page ...
[02:34] ensc: when and where does it clear the env? is it in the chcontext command? or only in a certain part of the vserver script. should probably only bother to clear env if start/stop are being used. and just carry them over for enter.
[02:34] it is a separate command and happens only at 'start'
[02:35] it happens between save_ctxinfo and capchroot
[02:37] ensc: I would have understood 10 and 100, even 100 and 200, but 90 and 190?
[02:37] ok cool. im working on a patch to the quotacheck command that will turn off attempts to rawio if an env var is set or a flag is specified. i figured it would work nicely if the vserver scripts set that var so no actual files needed to be changed provided you have an up to date quotatool.
[02:38] (given that the up to date quota tools check this env var automagically ;)
[02:39] I support scriptlets which will be executed with 'source' so you can set such a variable there
[02:39] sounds good.
[02:44] morning
[02:44] Doener (~doener@pD9588458.dip.t-dialin.net) left irc: Read error: Connection reset by peer
[02:44] hi kestrelw!
[02:45] hhmm
[02:45] what will happen when I ssh to a vserver, ssh from there to the root server
[02:45] and restart the vserver which I am in
[02:45] :)
[02:45] I guess it will kill my session
[02:46] Doener (~doener@pD9588458.dip.t-dialin.net) joined #vserver.
[02:46] probably ...
[02:46] so I need to ssh directly to the root server
[02:46] otherwise I run very fast into real problems :) like if the ssh doesnt start in the vserver
[02:46] then I am in deep s****
[02:47] well hopefully the main server has an sshd you can get to directly.
[02:47] nope I planned only to allow connects from a vserver
[02:47] but I change this now..
[02:47] tcp 0 0 127.0.0.1:1000 0.0.0.0:* LISTEN 3232/sshd
[02:47] that is what I had
[02:49] noel (~noel@p50859A97.dip.t-dialin.net) left irc: Remote host closed the connection
[02:52] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: zzzzzzzz
[02:54] infowolfe (~allenp@pcp04891550pcs.frnkmd01.md.comcast.net) left irc: Quit: [BX] Mr. Rogers uses BitchX. Won't you be my neighbor?
[02:54] back to the named problem
[02:59] I can see requests going into bind
[02:59] 01:00:17.576303 192.168.0.1.33009 > 192.168.0.101.53: 59284+ A? ntps1-0.cs.tu-berlin.de.qnetp.net. (51) (DF)
[02:59] .1 is my computer, .101 is the server+vserver
[02:59] okay, and bind doesn't answer, but instead prints a message which says?
[03:00] Feb 12 01:00:17 main named[12479]: refused query on non-query socket from [192.168.0.1].33009
[03:00] hhhmm strange
[03:00] according to netstat....
[03:00] its a query socket
[03:01] refused means refused, so bind says no ... pasta ...
[03:01] I know, he believes for some reason inside the vserver that its not a query-socket
[03:02] same for localhost
[03:02] anyone running bind8 in a vserver?
[03:02] I thought it was bind9 ?
[03:02] nope
[03:03] I will try to specify the IP where bind should bind to
[03:03] strange sentence
[03:04] ah worked
[03:04] I specified the IP address in named.conf
[03:05] query-source address 192.168.0.101 port 53;
[03:05] was before:
[03:05] so a bind/configuration issue M(
[03:05] so a bind/configuration issue ;)
[03:05] query-source address * port 53;
[03:06] yeah I guess some bind8 pitty
[03:07] norse (~norse@h118n2fls35o804.telia.com) left #vserver (wargames.unix.se).
[03:07] Feb 12 01:09:02 main named[18782]: listening on [127.0.0.1].53 (lo)
[03:07] Feb 12 01:09:02 main named[18782]: listening on [192.168.0.101].53 (eth0)
[03:07] Feb 12 01:09:02 main named[18782]: listening on [10.1.0.2].53 (eth0:1)
[03:07] Feb 12 01:09:02 main named[18782]: listening on [10.1.0.100].53 (eth0:2)
[03:07] Feb 12 01:09:02 main named[18782]: listening on [10.1.0.101].53 (eth0:3)
[03:07] that looks ok though, right?
[03:08] with * or 0.0.0.0 it doesnt like to answer
[03:11] hmm, probably the ip scanning doesn't work, but do you care?
[03:13] okay, folks, I'll go to bed now ...
[03:13] cu tomorrow ... have a nice wossname ...
[03:13] Nick change: Bertl -> Bertl_zZ
[03:13] gn8 Bertl
[03:13] its definitive a bind buggy thing :)
[03:13] I specified the IPs and bind still binds to all IPs
[03:14] I mean I only specified 2 IPs, and it binds to all :)
[03:20] If anyone is interested - the 1.3.7 patch applies cleanly to 2.4.25-rc2
[03:20] (that is, the patch that's meant for rc1)
[03:53] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) left irc: Quit: Leaving
[04:13] ok talon.home.cosmic-cow.net/quotacheck.patch-full for quotacheck with non directio accounting fix + -I flag to disable direct IO for fstypes ext2 and ext3. setting env QUOTACHECK_NODIO has the same effect as the -I flag.
[05:08] Nick change: cdub -> cgone
[05:38] suhcoolbro (~Suh@67-42-232-200.ptld.qwest.net) joined #vserver.
[06:06] _shur1 (~shushushu@cpu183.adsl.qc.bellglobal.com) left irc: Quit: http://base2091.com
[06:29] _shur1 (~shushushu@cpu183.adsl.qc.bellglobal.com) joined #vserver.
[07:11] Doener_zZz (~doener@pD9E12D8C.dip.t-dialin.net) joined #vserver.
[07:19] Doener (~doener@pD9588458.dip.t-dialin.net) left irc: Ping timeout: 501 seconds
[07:44] Action: talon considers getting cute and patching the quotacheck manpage.
[08:27] Action: talon adds manpage changes documenting the new flag and env to the patch.
[09:11] _shur1 (~shushushu@cpu183.adsl.qc.bellglobal.com) left irc: Quit: http://base2091.com
[09:21] lilo (levin@lilo.usercloak.oftc.net) left irc: Remote host closed the connection
[09:21] lilo (levin@lilo.usercloak.oftc.net) joined #vserver.
[10:15] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver.
[10:47] loger0 joined #vserver.
[10:48] loger (~loger@213.159.118.2) left irc: Ping timeout: 501 seconds
[10:48] Nick change: loger0 -> loger
[10:49] mugwump (~sv@218-101-44-220.paradise.net.nz) joined #vserver.
[11:40] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Remote host closed the connection
[12:30] suhcoolbro (~Suh@67-42-232-200.ptld.qwest.net) left irc: Quit: NO CARRIER
[13:29] kramer (~kramer@80.86.100.172) joined #vserver.
[13:29] hi all
[13:31] i'm having this hard time auto-updating the vservers
[13:32] basically, I'm thinking about having a reference Fedora vserver, and hard-linking all the others to it
[13:32] and when I'm updating this one, all the hardlinks to point to the new rpms
[13:33] setup: Fedora host, mostly Fedora vservers, 2.4.24-vs1.26, util-vserver-0.28
[13:36] i've read all the docs i could put my hands on, but i don't quite seem to get it
[13:37] anybody?
[13:40] ?
[13:40] what did you just mean?
[13:40] making a 'stripped' vserver all systems should use?
[13:40] as a base, non-writable?
[13:41] click: i'm trying to yum update the vservers, and keep them unified
[13:42] yup, but why the hardlink..
[13:44] i'm trying to update one server and keep the hard links without vunifying them again
[13:46] is that for the rpm's only or for the full base system, except /etc etc?
[14:18] click: for the rpm's only
[14:20] i'd rather have std-alone vserver with the new packages, and update from that one on a regular basis using either cron or something
[14:27] serving (~serving@213.186.188.205) left irc: Read error: Connection reset by peer
[14:34] hopefully bertl will release the updated (fixed) bind mount extensions patch. then you can use read only bind mounts instead of unification if its too much of a pain.
[14:35] im already using that method. but i have to see what bertl had me change to fix the unmount problem and i know he has a better patch he was working on.
[14:35] very handy on a distro that doesnt use apt or rpm.
[14:36] like slackware.
[14:42] hey talon
[14:47] whats up?
[15:00] TamaPanda (~Tamama@193.173.84.237) joined #vserver.
[15:00] 'lo
[15:00] sfa man
[15:00] sfa?
[15:01] actually, i found something else you might be interested in...bypass (http://www.cs.wisc.edu/condor/bypass/)
[15:01] sweet fsck all
[15:02] i've been writing a cross-platform (solaris and slackware at the moment) build system and needed to write a "sandbox" for doing the build installs
[15:02] bypass let me do it trivially, it's good stuff
[15:03] hrm i should set up my old pc again
[15:03] cool.
[15:04] but it also has transparent network support which is quite impressive
[15:04] it seems to be oriented towards grid computing
[15:04] hm?
[15:05] kestrel: cool its like UFO but developed more and with source code even.
[15:05] yeah, exactly
[15:05] it compiles and works cleanly on both linux and solaris too
[15:05] great. will try it under NetBSD too.
[15:05] hopefully it will also work there.
[15:06] yeah
[15:13] ive always been interested in interposition as more than just a way to make rootkits.
[15:14] absolutely
[15:14] they have some very interesting ideas
[15:14] Action: talon archives the site in case it goes away.
[15:14] hehe :)
[15:19] mugwump (~sv@218-101-44-220.paradise.net.nz) left irc: Quit: hmm, time for sleep methinks
[15:20] hm
[15:20] does anyone of you know of something that modifies lilo.conf for me from command line? :)
[15:20] TamaPanda: vi?
[15:20] So i can make a small script that effectively compiles a kernel+patches+install
[15:20] vi is lousy on scripts ;)
[15:21] TamaPanda: ahh, check the debian kernel-images, they generally have acceptable scripts, imho.
[15:21] well i want to install it named as i want it .. and not as auto-boot :P
[15:22] i guess i can just echo something in there
[15:28] you could probably easily do it with awk. actually what i usually do is have several different images set up.
[15:28] and just copy over them and run lilo
[15:28] s/awk/sed/
[15:29] hm i could do that i guess
[15:30] but of course your milage will vary.
[15:30] mileage even.
[15:37] i dont do miles :P
[15:38] haha :)
[15:39] [HvD] (~guess@62.99.252.14) left irc: Ping timeout: 480 seconds
[16:01] Nick change: Bertl_zZ -> Bertl
[16:01] kestrel: heh if i get this right. the parrot project only supports linux.
[16:01] morning everyone!
[16:01] and their pluggable filesystem that does work on sysv is discontinued.
[16:02] Bertl: the accounting bug with quotacheck i was informed has already been found and fixed in cvs.
[16:02] hmm ... interesting ;)
[16:03] bertl: here is my example patch for the feature request. http://talon.home.cosmic-cow.net/quotacheck.patch-full
[16:03] i even include a manpage change documenting the new features.
[16:03] if you want the patch without the accounting fix grab quotacheck.patch-nodio
[16:04] looks good ...
[16:04] just wanted to see if thats what you wanted before i ask about a feature change.
[16:04] yeah, go ahead, and make it available on the ml or wiki ...
[16:06] you going to release the new bme patch soon ?
[16:06] still working on it, but you can get a prerelease version if you want ...
[16:06] i can wait if its still being worked on.
[16:07] i remember you saying you had it working nicely with noatime and a few other things.
[16:07] well, I have two things to do on that one: a) it's currently for 2.4.25-rc1 only (no vserver no 2.6.x) and b) I added the noatime nodiratime, but for 2 cornercases there is still work to do ... if you want to work on that, no problem here ;)
[16:09] might do that later. ok i guess its time to finally subscribe to the ml i guess.
[16:10] i think a q0.13 patch against the current stable would be nice. to have available when i do the post about the quota tools. since one isnt really useful without the other. i can try and see what changed to make quotas work with my stable install. but id like to not release unofficial patches.
[16:10] it's there, you just have to test it, how does that sound?
[16:11] sounds good.
[16:11] sounds a lot like the last few weeks really :)
[16:12] kramer (~kramer@80.86.100.172) left irc: Remote host closed the connection
[16:12] i tried to integrate the new quotacheck option as cleanly as possible. but im not sure its exactly the proper way to do it. and the -I flag i just used at random thats likely to be changed to something else by the quotacheck maintainer along with the name of the environment variable.
[16:14] yeah if he accepts that, he'll probably change it to whatever he considers appropriate ... but that is no big deal ...
[16:15] http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc1-bme0.04pre1.diff
[16:18] there are some lines commented with /* fix me */ or something similar ...
[16:20] heh
[16:20] hi TamaPanda!
[16:20] Bertl :)
[16:21] vs1.26 is still the current stable release right? (seems to change every other day lately :) )
[16:21] lol
[16:22] talon: yes, for now ;)
[16:22] just setting up my patch set to test the new quota patch.
[16:23] at least to be sure it acts like the fixes we did manually to my current stable kernel. [16:23] serving (~serving@213.186.188.205) joined #vserver. [16:23] although making that script would be nice too since i have working quota tools now. [16:25] so where is this patch? [16:25] against stable. [16:26] Doener_zZz (~doener@pD9E12D8C.dip.t-dialin.net) left irc: Quit: Leaving [16:27] talon: sec ... building the diffs for you ... [16:30] so what do you want me to say about the feature change. other than the fixed directory inode accounting problem. and that its a possible solution to getting rid of the mtab hack? [16:30] well, after having used subversion for about a week, i really like it [16:32] Cmaj (~cmaj@3ffe:bc0:5f3:1:9999:911:c3d3:5431) left irc: Ping timeout: 483 seconds [16:34] hm added quota things? :) [16:34] talon: whatever you consider appropriate to say, you know enough about both vserver and the quota stuff, you should be able to communicate it ... [16:35] i just didnt know what direction you were going with the quotacheck feature. [16:36] i hope there will be some interest in it. [16:36] well, hope for the best, expect the worst ;) [16:38] the 1.26 quota is interesting in so far, as it is a backport of the 1.3.7 quota stuff, so it might be quite a little different from what we did on your stable branch last time ... [16:41] http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc1-vs1.26-q0.13.diff [16:42] hm lots of changes [16:42] does the vs1.26 patch apply cleanly to 25-rc1 ? [16:42] the one against 2.4.24 i mean. [16:43] hmm, we have one for 2.4.25-rc1, IIRC [16:43] http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc1-vs1.26.diff [16:44] hmm. you know what. i think if i can get this new patch working properly. im going to just write up a shrot document on how to get context quotas and disk limits working. [16:44] short document even. [16:44] detailing the new stuff thats changed since the older documents. 
[16:44] That would be nice [16:45] especially the differences [16:45] because right now unless you hit irc i dont think you have much of a chance of getting working context quota support. [16:45] talon: would be a great idea to incorporate that ancient quota/dlim stuff I had on my old pages, in a new look and feel ;) [16:45] I am really into the blue on what has changed since 1.22 and q0.12 [16:46] 1.22-1.26 changes, see changelog [16:46] q0.12->q0.13 changes: tagxid (instead of tagctx, but still supported), and it now works ;) [16:47] esp the it now works bit :) [16:47] well the changelog does tell globally what is changed, but not how it affects installation [16:48] for example, can you just upgrade the kernel, and patch q0.13, and run it? or do i need extra modifications? [16:49] do you use q0.12 now? [16:49] yes [16:49] (just checked) [16:49] as far as getting the quotas working properly i think upgrading to the new quota patches should work. that and updating quotacheck which was broken. [16:49] then it should 'just' work [16:49] (make sure to use the same context tagging method as before) [16:50] block quotas appear to work in q0.12 but inode quotas are really broken and probably block quotas too in entertaining ways depending on usage. [16:51] Bertl: what was the last kernel q0.12 worked properly with? [16:51] heh [16:51] as far as the vserver patches and everything go. [16:52] hmm, you want to get a diff between q0.12 and q0.13, right? [16:52] talon: let me know if you ever get that doc done, would be useful :) [16:53] TamaPanda: im going to post it up here for review first and then on the ml/wiki. [16:53] i dont use incremental patches, they add nothing for me (i just start a new kernel from scratch) [16:53] for now though, time to compile a new kernel and see if this patch against stable works. [16:53] talon: are you looking for a delta between 0.12 and 0.13 or just curious? [16:54] Bertl: just curious as to how long its not been working right. 
[16:54] ah, well, guess since ever ... [16:54] lol [17:10] loger joined #vserver. [17:10] Bertl: im going to keep bugging rob about that sun now that hes here. [17:11] great! [17:11] click: do you 'just' want to do something useful, or do you want to get paid for it too? [17:11] i want something to do, and if possible, get paid for it. [17:12] systems administration, networking ... anything... [17:12] bored to death [17:12] vserver development ... [17:12] im sort of indirectly getting paid. since i really do need to have a good understanding of vserver and as many features verified working for the project im working on. [17:13] and considering a large part of that project is based on vserver i can afford to spend a good chunk of time on it. [17:14] really cant wait until i can move on from the quotas and start testing other things. [17:14] lucky you ;) btw I really appreciate what you are doing for vserver ... [17:14] Doener (~doener@pD9E12D8C.dip.t-dialin.net) joined #vserver. [17:14] gpl 4 ever [17:14] or lgpl [17:14] gpl can die for all i care [17:14] whatever [17:14] im more into BSD myself. [17:14] bsd licence lalala [17:14] well, as long as its free [17:15] thats my main concern [17:15] gpl is not free if you are a developer using such software [17:15] but not much you can do with gpl issues when you have a gpl kernel. [17:15] bsd has the problem, that it doesn't stay free per se ... [17:16] but IMHO if you're a company developing commercial software derived from an open source project its in your best interests to contribute back to that project. since it costs a hell of a lot more to maintain a forked tree. [17:16] maybe in the future.. but they can do that with GPL as well [17:16] and it will eventually stagnate in a close environment anyway. [17:17] redhat stopped being free as well.. still uses GPL linux kernel [17:17] [17:17] but they have to give you the source, if you use it .. right? 
[17:18] at least with a BSD license the company has a bit more flexibility. [17:18] friend of mine stopped using SDL for that reason.. every version of his program using a diff SDL version.. he had to put online indefinitely [17:19] redhat still has to give out source for gpl stuff they just have bits of nonfree code to tie it together. [17:19] that is a 2MB lib on a 40KB program... heh [17:19] they also make much more money on support contracts than selling linux. [17:19] TamaPanda: if he wishes to distribute binary-stuff, just link it statically. [17:19] TamaPanda: your friend probably got the GPL wrong anyway ... [17:19] Zoiah: but he needs to provide the source of SDL as well [17:20] TamaPanda: only if he modified it. [17:20] that is in the SDL license as he said it [17:20] TamaPanda: ehh why would he need to post SDL source? if he doesnt make any changes to the SDL source he doesnt have to its already out there. [17:20] talon: what flexibility would a company which has nothing to hide, gain with BSD license over GPL [17:20] Bertl: every company has something to hide... [17:21] would you prefer software with hidden stuff, over software with nothing to hide? [17:21] if it works well, and the opensource does not.. sure without a thought [17:22] and if something doesn't work, (some exploit is possible, for example), you 'just' wait until that 'big' company fixes it, right? [17:22] BSD is more free, but I can understand that somebody isn't willing to give his stuff away in a form that other companies can easily make money on his work. [17:22] So therefore, we have the GPL. :) [17:22] Bertl: they can more easily integrate proprietary features into the code of course. there are a few other cases i ran into as well. but basically it give you total freedom to create a derivative product if you want to. without having to give away everything. also chances are if a company doesnt want to contribute back to a project they wont regardless of if its GPL or not. 
[17:23] talon: if it's GPL they have to, regardless if they want to or not. [17:23] Zoiah: wrong, I don't care a bit, if somebody is making money with my software, as long as it still is available for the public, for free ... [17:23] Bertl: yeah, that's what I mean. [17:23] the various BSD distros seem to be doing well. and getting contributions. [17:23] Bertl: that is irrelevant.. because i prefer not to fix something i have no understanding of.. i use software, i dont delve through it in my spare time [17:23] talon: I thought BSD was dying? ;) [17:24] and ive not seen other BSD licensed projects fail because they arent forcing people to release code. [17:24] TamaPanda: what if the closed company refuses to fix it for months? With OSS you can hire somebody to fix it for you if you want. ;) [17:24] then i would step over to other software :) [17:24] TamaPanda: migrations aren't cheap. [17:25] hm they are here [17:25] also sometimes they arent using a product wholesale. [17:25] and are just using bits of it. [17:25] Doener (~doener@pD9E12D8C.dip.t-dialin.net) left irc: Ping timeout: 480 seconds [17:25] TamaPanda: then you have no serious business. :) [17:25] mind you, i am not in a company that has like 200 workers and 4000 servers... [17:25] Zoiah: a bit HARSH dont you think? [17:25] also a bit impolite and rude [17:26] TamaPanda: no, it's serious. [17:26] TamaPanda: if migrations are cheap, you have no standardized business process. [17:26] oh? [17:26] maybe everybody is just more adaptable here [17:27] If I had to tell all my customers they had to migrate away from Oracle for whatever reason I'm sure it would have to cost hell for all of them. [17:27] either way i have found BSD licensed code useful in closed source projects ive done before. [17:27] talon: agreed. :) [17:28] useful for whom? [17:28] Zoiah: you have diffenent customers.. 
we are a video channel, not a server-park maintainer [17:28] and a lot of times if i do a really big change to a component i will see if i can give it back. since most of the time the bsd code is just a small piece of a larger system. [17:29] and the changes are usually minor and not of interest to people not using the product. [17:29] TamaPanda: and it wouldn't cost you much if you had to migrate away from say... all your current video editing tools? [17:29] who was talking about 'all' [17:29] those tools do not have 'security issues' [17:29] TamaPanda: ok, just your main tool. [17:30] TamaPanda: it could be a showstopper bug. [17:30] maybe they could crash a lot, but they dont :) [17:30] however we have different packages that basically do the same [17:30] so switching shouldnt be that hard [17:30] anybody still interested in GPLed Open Source for Free or should I go elsewhere? 8-) [17:30] perhaps i dont think like most companies. id figure if theres an open source project that creates something you use or even depend on for one of your own products that seeing it continue to grow and develop would be something you would want to encourage. [17:31] TamaPanda: how about the reschooling to learn them the new tools? [17:31] Bertl: yeah, me! :) [17:31] Bertl: it's your own decision. :) [17:31] Bertl: oh im still interested in free gpl software. [17:31] Zoiah: but they already use them... [17:31] TamaPanda: not if they would have to migrate to something else. [17:31] anyway anyone got a nice change of subject? [17:32] vserver stuff perhaps? [17:32] Bertl: I would personally probably never release something as BSD... only GPL or closed. :) [17:32] Zoiah: you're not listening.. they are using multiple packages that _do the same_ [17:32] we could delete one and it would still go on [17:32] all the stuff i release publicly is either BSD or public domain. [17:32] TamaPanda: then you're lucky, but 99% of the companies use one main package. 
:) [17:32] Zoiah: then dont say this is not a real business... [17:33] because we happen not to be part of that 99% [17:33] as far as the non closed stuff. [17:33] TamaPanda: I've never ran into one that's that flexible and still is able to be serious. :) [17:33] assumption is the mother of all major fuckups [17:33] Doener (~doener@pD9E12D8C.dip.t-dialin.net) joined #vserver. [17:33] im giving it away for free after all. and as far as the small stuff i dont really feel like maintaining it anyway so do what you want with it. [17:33] Well we've existed for over 10 years already heh.. still seems to work [17:34] TamaPanda: assumption is great. [17:34] TamaPanda: "I assume this Intel CPU does what I want.. neah, that's wrong, just build your own." [17:34] i hope to still be in business on our 10th anniversary. [17:35] ok i see we're diverting away from the main topic heh.. *closed* [17:35] :) [17:35] Only just a little bit. ;) [17:35] yeah like the jump over a huge crater [17:36] anyway i never really released anything yet [17:36] dunno why.. guess i just assume there is no interest for it [17:37] rmoriz (rmoriz@rmoriz.cpan.de) joined #vserver. [17:37] i only released a small ticket database that really need to be rewritten. and a neat little solaris utility for auto power on. [17:37] hi [17:37] www.amoebasoft.com/| [17:37] erm /~talon [17:38] i've a problem: i tried to create a vserver which lack of disc-space. that's okay so i tried to remove the non-complete vserver from the host which fails [17:38] also vserver stop does not work [17:39] vserver which lack of disc-space? [17:39] oh i made a little watchdog thingy too.. i could release that... [17:39] rmoriz: you ran out of disk space, right? 
[17:40] yes and now i have a running vserver i can't stop anymore :< [17:40] it just refreshes the watchdog, and if the entire computer hangs, it reboots after watchdog ends (we had a PCI bus lockup in a few machines ;) [17:40] rmoriz: okay, probably it failed to write the context info into /var/run/vservers is that possible? [17:41] no there is a corresponding file with context-# [17:41] its not a watchdog. it sets a time in the TOD chip that signals the machine to power on. using undocumented ioctls. [17:41] talon: yours does, mine doesnt :) [17:41] rmoriz: okay, what does 'vserver stop' give? [17:42] "... is not running" [17:42] when i try to rm -rf or mv i'm getting "Operation not permitted [17:42] " [17:42] on /proc etc? [17:43] does vserver enter work? [17:43] unmount the corresponding proc entry [17:43] hm no. on everything. maybe an issue with ext2 attr? [17:43] rmoriz: check if the vservers root directory has +t set (lsattr) [17:43] ---------------t- [17:44] if so remove it recursively with chattr -R -t xxx [17:44] Action: Doener had just this issue some hours ago ;) [17:44] heh [17:44] thank you! :) [17:44] worked. [17:44] i dont even know what chattr does ;) [17:44] (other than change attribute;) [17:45] the t attribute is abused by the vserver patch ;) [17:45] that i noticed heh [17:45] i dont run the patch yet though [17:45] hmm, no vserver patch yet? [17:45] Action: talon waits for the kernel to finish compiling. [17:46] the intended meanings of the attributes are documented in the man page ;) [17:46] Bertl: sorry for getting caught up in the license war conversation. [17:47] should be able to tell you soon if the patch works or not. [17:50] cant wait til the new vserver machine gets here so i can compile kernels much faster. [17:50] erm vmware i mean. [17:51] i'll just compile it on another machine and copy the kernel over :) [17:52] dont have many x86 machines that are much faster laying about. 
[17:52] well everything is faster than this p2-350 ;0 [17:52] pretty much all of our hardware is probably at newest from 2000 or 2001. [17:53] and oldest from about 97 or so if you dont count the ss2 under my desk. [17:54] hm my oldest is an SUN ultrA-1 [17:54] TamaPanda: no, my 'desktop' is K6-350 that is slower than your p2-350 ;) [17:56] the biggest upgrade im getting is a Elite3D card for the UPA slot in my Ultra10 off of ebay for 25$ [17:56] heh, my desktop is an athlon 1200 which is in serious need of replacement [17:56] talon: bah.. ultra-1 upgrades are a pain [17:56] older hardware does at least have the advantage that its cheap and plentiful and still powerful enough for most daily use. [17:56] i wish i could put 2 new drives in [17:57] they are dead slow [17:57] the U10 is a bit better for upgrades. its like a normal PC case. [17:57] right, its pci isnt it [17:57] yeah. PCI with one UPA slot. [17:57] for Creator/elite/Expert3D [17:58] i wish i had an Ultra80 with 4 cpus *drool* or one of the decked out sunblade 2Ks [17:58] im sure the price will drop low enough eventually :) [17:58] heh [17:59] its like getting a dual p2-350 now.. cheap too [17:59] We have a SunFire 3800 here, it's quite nice. :) [17:59] and, does it work with vserver? [18:04] loger6 joined #vserver. [18:04] Bertl: dont know yet. supposedly its per context everything. they havent released the full details on it yet. [18:05] and it hasnt made it into the solaris 10 beta release program yet. [18:05] i have a box waiting for it though when it does. [18:06] quotas are a bit primitive in solaris though. [18:08] loger (~loger@213.159.118.2) left irc: Ping timeout: 501 seconds [18:08] Nick change: loger6 -> loger [18:08] hrm i want more money [18:10] ok, booting new kernel. [18:14] _shur1 (~shushushu@vserver.electronicbox.net) joined #vserver. [18:14] hi _shur1! [18:16] okay, if somebody is interested, here is the latest patch for 2.6 ... 
[18:16] http://vserver.13thfloor.at/Experimental/patch-2.6.3-rc2-vs0.07.diff [18:17] I have to leave now, but I'll be back in the evening ... [18:17] Nick change: Bertl -> Bertl_oO [18:25] hmm so far so good with the quota patch. [18:25] Cmaj (~cmaj@3ffe:bc0:5f3:1:9999:911:c3d3:5431) joined #vserver. [18:25] might even have a document for him to preview by the time he gets back. [18:26] so nice to have something interesting to work on for a change. [18:29] yeah quotas seem to work without a hitch. [18:29] cool 2.6 dev is going further :) [18:30] Action: talon tries a few odd soft quota/grace combos for good measure. [18:30] I would like to kick 2.4 on all my boxes but I have to wait for vserver, freeswan, grsec [18:30] i like the 2.4.24 kernel. [18:30] hhhmm I have my debian t-shirt on, that has special meanings [18:30] well 2.4.x i mean. [18:31] 2.4.x is ok, 2.6.x is great :) [18:31] when vserver is stable on 2.6.x id gladly upgrade though. [18:31] but its not the end of the world for me. [18:31] same here [18:31] 2.6 on desktops, 2.4 on servers [18:32] sid on desktops, woody on servers [18:32] :) [18:32] well I will go ahead with the new vserver debian packages [18:32] I bet some ppl would like to have packages for it [18:32] i use a combo of Solaris linux and BSD. for various things. [18:33] ic [18:33] hhhmm [18:33] the util-vserver for dev is different [18:33] than util-vserver for stable? [18:33] I am not sure how I should manage that [18:33] i think there were a few changes. yeah. [18:34] util-vserver-beta ? [18:34] of course I can make 2 packages from it... [18:34] i dont follow the dev branch really. [18:34] hhhmm maybe I will not package the dev branch then [18:34] if it changes too often [18:35] too often >= once per week [18:35] unless i have to boot a kernel compiled against 1.3.x i think the biggest thing is needing to play with the proc security tool before a vserver will boot since its all disabled by default. 
[18:35] possible the new tools do that for you cant say for sure though. [18:35] ic [18:36] i would guess whatever the most recent ensc tool release is would be the right one. [18:37] im just waiting for 1.4 [18:45] only way to be sure is just play with it on a test box. [19:07] im just curious does anyone here use vservers for anything other than hosting and service sandboxes ? [19:12] hm i use it to try out new software as well [19:13] since i can just create a new vserver and delete it when i am done [19:13] (uninstall scripts on src builds are sometimes rather bad..) [19:13] (read:absent) [19:21] Action: talon nods [19:21] i usually do something like ./configure --prefix=/opt/tmp [19:22] same here [19:22] and remove /opt/tmp when im done. [19:22] but for example qmail, it is really bad with those [19:22] adds daemons and tcpservers and what not [19:22] ugh qmail... [19:22] heh [19:22] Action: talon is allergic to djbware. [19:23] tried postfix? [19:23] coworker wants qmail heh [19:25] but yeah i see how that would be nice. [19:25] im probably going to use vserver internally as an easy way to do development/testing under linux without vmware. [19:26] if it doesnt require a kernel or real hardware i will do it in a vserver instead and save resources. [19:29] inter-server communication is easy to test as well without 'hacks' [19:29] "as in, oops i forgot i was using a shared file over there... *heh* nothing here, move along" [19:31] actually i have a install script ready for postfix :) [19:31] maybe i can release those install things.. they are really handy if you are used to source [19:31] compilation [19:31] who isnt? [19:31] debian users *cough* [19:31] packages heh [19:32] im more used to compiling source than i am to packages. although i find package management useful. in the long run with large numbers of boxes. [19:32] I wouldnt even know how to install a package [19:32] and core OS tool management. 
[19:33] and with vservers i dont have to [19:33] i just copy the entire vserver ;) [19:33] i use read only --bind mounts (thanks to bertls bme patch that makes this possible) to share most vserver files from a single template vserver. [19:34] only etc var /usr/local and /opt are copied/used for that particular vserver. [19:35] /usr/local is a rw bind mount to the vservers /opt/local [19:36] saves a lot of time creating/deleting vservers and save a lot of disk space. and doesnt require using a package manager supported by the vunify scripts. [19:36] easy to manage too. [19:40] hm [19:41] you use quota right? [19:41] i have a shared /packages bind, and it keeps complaining about no access until i do a chctx on that share (and thus the dir, so the other vservers can not access it anymore heh) [19:41] i did a chctx 0 but to no avail [19:42] yeah. although not in production. i dont use vserver for any production use at all yet. but i have been using per context quotas in my test vmware where im developing my distro. [19:42] hmm havent run into that yet. [19:43] i use vservers as an alternative chroot :) [19:43] all that network virtualisation and what not.. i proly wont use it [19:43] hm, home time.. [19:43] bbiab [19:43] TamaPanda (~Tamama@193.173.84.237) left irc: [20:04] Nick change: cgone -> cdub [20:38] noel (~noel@p50859C15.dip.t-dialin.net) joined #vserver. [22:21] loger6 joined #vserver. [22:23] loger (~loger@213.159.118.2) left irc: Ping timeout: 480 seconds [22:23] Nick change: loger6 -> loger [22:33] WSU (~Josh@ny.webpipe.net) joined #vserver. [22:33] Hi [22:34] I have a problem with util-vserver 0.28 [22:34] ./configure --prefix=/root/new --exec-prefix=/root/new --with-vrootdir=/backup [22:34] pwd [22:35] /root/new [22:35] ./sbin/vserver new stop [22:35] No configuration for this vserver: /etc/vservers/new.conf [22:35] when it should be /root/new/etc/vservers/new.conf [22:37] Enrico, you around? [22:37] anyone have any ideas? 
[22:38] WSU: sorry, the /etc path is really hardcoded into the stable tools and I do not want to touch them more than needed. But in alpha branch this should work [22:39] What type of bugs still exist in the alpha tools? [22:39] they are insecure and vulnerable to a lot of symlink attacks [22:40] -k-, hmm [22:40] I was really hoping this would work. [22:55] ben (ben@bengrimm-host229.dsl.visi.com) left irc: Read error: Connection reset by peer [00:00] --- Fri Feb 13 2004