[00:10] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[00:46] serving (~serving@213.186.188.205) left irc: Read error: Connection reset by peer
[01:09] Tamama (~Tamama@a62-216-20-152.adsl.cistron.nl) joined #vserver.
[01:10] oy
[01:12] hey
[01:28] nick12 (~nick12@shuttle3.ee.ic.ac.uk) joined #vserver.
[01:38] ben (~ben@bengrimm-host225.dsl.visi.com) left irc: Read error: Connection reset by peer
[01:49] Tamama (~Tamama@a62-216-20-152.adsl.cistron.nl) left irc: Quit: one little two little three little piggies OINK! OINK! OINK!
[02:18] nick12 (~nick12@shuttle3.ee.ic.ac.uk) left irc: Remote host closed the connection
[02:23] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[02:56] using the host IP as localhost in hosts is a typical vserver setup?
[04:00] ilTizio (~foobar@adsl203-149-051.mclink.it) joined #vserver.
[04:04] ilTizio (~foobar@adsl203-149-051.mclink.it) left #vserver.
[04:56] cdub (~chrisw@fw.osdl.org) left irc: Quit: leaving
[05:18] hi
[06:08] Bertl_oO (~herbert@MAIL.13thfloor.at) left irc: Ping timeout: 501 seconds
[06:13] ben (ben@bengrimm-host229.dsl.visi.com) joined #vserver.
[06:20] kestrelw (~athomas@o2rosock0a.optus.net.au) left irc: Remote host closed the connection
[06:46] hi
[07:03] sladen (~paul@starsky.19inch.net) got netsplit.
[07:14] sladen (~paul@starsky.19inch.net) got lost in the net-split.
[07:14] sladen (~paul@starsky.19inch.net) joined #vserver.
[07:37] serving (~serving@213.186.188.205) joined #vserver.
[08:35] <_shur1> hi
[08:45] reboot=windows .,,;p 2 in second
[08:48] and a third
[09:58] Bertl (~herbert@MAIL.13thfloor.at) joined #vserver.
[09:59] morning everyone!
[10:16] loger joined #vserver.
[10:18] kramer (~kramer@80.86.100.172) left irc: Quit: Leaving
[10:19] rmoriz (rmoriz@rmoriz.cpan.de) joined #vserver.
[10:19] Bertl (~herbert@MAIL.13thfloor.at) joined #vserver.
[10:20] Doener_aw (~doener@pD9588C0D.dip.t-dialin.net) joined #vserver.
[10:45] zev (~zev@masya.aviaserv.com.ua) joined #vserver.
[10:45] hi
[10:46] hi zev!
[10:46] Berti it seems you are here 24 hours per day :-) any time i join this channel you are here :)
[10:47] where are you from? which time zone? :)
[10:47] that's my automatic greeting bot ;)
[10:47] ahhh
[10:47] :)
[10:47] I'm from Austria, timezone is CET here
[10:48] ok.
[10:48] and no, Austria is not where the kangaroos are from ;)
[10:48] thats australia i know
[10:48] :)
[10:49] i want ask you about quota support in stable vserver.
[10:49] where is .ua?
[10:49] ua - ukraine
[10:49] crimea, if you know.
[10:49] black sea
[10:50] ah yeah, little cold there, well colder than here, right?
[10:50] or is this just a 'wrong' assumption, that it is colder there?
[10:50] we have -3 just now.
[10:51] hmm, okay, we have about 1°C here atm ...
[10:51] good, quota on stable was your topic ;)
[10:51] :)
[10:51] yea
[10:52] vserver support quotas on ext3?
[10:52] sorry, i have no experience with disk quotas at all :(
[10:53] yes, it does, but atm. there is no journaled quota support
[10:53] but just for now we want to make some hosting solution and i want to install CPANEL on vserver in my dedicated
[10:53] are you subscribed to the mailing list yet?
[10:54] no. is it interesting?
[10:54] yep, just posted some useful info regarding quotas, that is why I ask ;)
[10:55] web readonly archive?
[10:55] yes, two versions ;)
[10:55] is there?
[10:55] basically there are two options for 'per vserver quota' if that is what you really want ;)
[10:56] i want to make per vserver quota and want establish quotas inside of each vserver. is it possible?
[10:56] something often 'confused' with quota, is 'per vserver disk limits' which ensure that a vserver on a 'shared' partition will not be able to use more than an assigned amount of diskspace/inodes.
[10:57] so you are probably interested in both ...
[10:57] yes.
[10:57] but inside vserver is primary task
[10:58] okay, you have two options there ...
[10:58] a) you put each vserver on a separate partition .. (no patches required for this)
[10:58] no
[10:58] :)
[10:58] b) you put them on a shared partition(s) (this will require to tag all files with a context info)
[10:59] the tagging is done by the kernel, once you applied the q0.13 patch and enabled the context tagging method
[10:59] you trying to answer about per vserver global quotas?
[10:59] no, this is required for both 'per vserver quotas' and 'disk limits'
[10:59] this documented on http://www.linux-vserver.org
[11:00] brr
[11:00] yep it should be somewhat documented there ...
[11:00] http://vserver.13thfloor.at/Linux2.6/index.php?page=Per+Context+Quota
[11:00] i have 2.4 :)
[11:00] this is an example for the per vserver quota (a little outdated, but still valid)
[11:01] have a look at it ;)
[11:01] ok. reading....
[11:04] seems really hurd to install this, so seems buggy solution. is it stable?
[11:05] hurd=hard
[11:05] hmm well, it's not very hard, and why do you think it is buggy?
[11:05] intuition
[11:05] :)
[11:06] aha, .. well, if you think so ...
[11:07] so. let's talk about this
[11:07] if i understand all right.
[11:08] i need to make linux inside vserver to think that is's / partition is /dev/hdv1 and quotas will work as usual ?
[11:08] okay ...
[11:09] is's = it's
[11:09] yep, they will work as usual, except if you want to make this setup secure too, you'll have to use the vroot device ... which disallows direct block access to the device
[11:10] if you do so, you 'currently' require the mtab to list the fs as ufs, as the quotatools, which try to be too smart, do direct access on ext2/ext3, which in turn fails on a secure setup
[11:11] (basically a bug or missing feature in the quota tools)
[11:11] stop. 3 minutes to smoking and hardly thinking :)
[11:11] Action: zev gone
[11:11] okay, have to leave in a few minutes too, but will be back on in about an hour ...
[11:13] meebey (meebey@meebey.net) got netsplit.
[11:13] meebey (meebey@meebey.net) returned to #vserver.
[11:17] #vserver: mode change '+o Bertl' by ChanServ!services@services.oftc.net
[11:20] okay, have to leave now, will be back in an hour ...
[11:20] Nick change: Bertl -> Bertl_oO
[11:27] zev (~zev@masya.aviaserv.com.ua) left irc: Read error: Connection reset by peer
[11:32] zev_ (~zev@masya.aviaserv.com.ua) joined #vserver.
[11:33] zev_ (~zev@masya.aviaserv.com.ua) left irc: Quit: Trillian (http://www.ceruleanstudios.com)
[11:33] zev_ (~zev@masya.aviaserv.com.ua) joined #vserver.
[11:33] Nick change: zev_ -> zev
[13:18] Nick change: Bertl_oO -> Bertl
[13:18] hi zev!
[13:18] took a little longer as expected ...
[13:21] :)
[13:22] you back.
[13:22] but i'm going to have some food :)
[13:22] Action: zev gone for food
[13:22] make that ...
[13:22] thanks
[13:50] good :)
[13:56] Berti how to subscribe to the mail list?
[13:56] visit list.linux-vserver.org
[13:57] ok
[13:58] Nick change: Doener_aw -> Doener
[13:58] Hi
[13:58] morning Doener!
[14:20] what exactly is: "Would you like to receive list mail batched in a daily digest?"
[14:21] i would receive 1 letter with all messages from list or a short one?
[14:25] yeah, the batched digest, is one mail, which contains all the posting ...
[14:26] can i later change it?
[14:26] I think so ... should not be a problem ...
[14:26] ok.
[14:26] okay, have to leave again, will be back in an hour ...
[14:27] Nick change: Bertl -> Bertl_oO
[14:31] zev (~zev@masya.aviaserv.com.ua) left irc: Read error: Connection reset by peer
[15:16] kramer (~kramer@80.86.100.172) joined #vserver.
[16:07] Nick change: Bertl_oO -> Bertl
[16:41] kestrel (athomas@home.swapoff.org) joined #vserver.
[16:42] hi there
[16:42] hi Alec!
[16:42] hey herbert, how are you?
[16:42] fine thanks, and you?
[16:42] that user mount thing sounds interesting
[16:42] hehe ...
[16:42] not bad, though it's too hot here at the moment
[16:43] 23C at 1AM...that is not special
[16:43] what's the temperature where you ar?
[16:43] +=e
[16:43] we have *brr* about 1-3°C here ... and it is snowing ...
[16:45] that is awesome, i am jealous
[16:45] I would switch anytime ;)
[16:45] heh
[16:45] we should have a nerd exchange program
[16:45] Doener_zZz (~doener@pD958876A.dip.t-dialin.net) joined #vserver.
[16:45] nerds from hot places can switch with nerds from cold places
[16:46] that would confuse the ehrders to much ;)
[16:46] s/ehrders/herders/
[16:47] where do you live herbert?
[16:47] Austria, Europe ... (no kangaroos)
[16:47] heh
[16:48] i wasn't sure whether your .at meant you were actually in .at
[16:48] i have a friend whose domain is cooper.ro, and he is australian...definitely not romanian
[16:49] Doener (~doener@pD9588C0D.dip.t-dialin.net) left irc: Ping timeout: 501 seconds
[16:50] I'm no poser ... I can headbang ;)
[16:50] Nick change: Doener_zZz -> Doener
[16:50] okay
[16:50] wb doener, good sleep? :)
[16:51] morning Doener!
[16:51] not really ;) it seems my isp has huge troubles in my area...
[16:51] I had that 2 days ago ...
[16:51] that nick was just cause Doener was in use
[16:51] ah
[16:52] for approx. a week i do not have a reconnect every 24 hours but nearly every 8 hours... pretty annoying
[17:02] Doener_zZz (~doener@pD958861F.dip.t-dialin.net) joined #vserver.
[17:02] Nick change: Doener_zZz -> Doener_
[17:02] :(
[17:03] again eh?
[17:03] :(
[17:03] hmm, shall I kick Doener?
[17:04] that won't free my nick, you would have to kill him, and i can stand 5 minutes of dual personality ;)
[17:04] hmm, right ... okay Doener_ and Doener ;)
[17:05] Doener (~doener@pD958876A.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[17:07] 2.4.25 out
[17:07] new kernel exploit
[17:08] heissa ... which one, please elaborate!
[17:08] http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
[17:08] http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.25
[17:08] 2.4.25 is not a patch-only release
[17:08] was hoping that after rc3 ;)
[17:08] :)
[17:09] can you put up new patches?
[17:09] I wanna upgrade :)
[17:09] sure, just rediff or should we add something ;)
[17:10] it seems to me that there have been an unusually large number of kernel vulnerabilities lately
[17:10] I like to use upstream source :)
[17:10] right, linux is needs securityweeks like windows ;)
[17:10] s/is//
[17:10] heh
[17:11] well, let me see, like windows, okay we can do that, I'll put up a downloadable binary fix in about ... hmm 4 weeks, okay?
[17:11] hehe
[17:11] i read an article on slashdot about a vulnerability they had known about for 8 months or something
[17:11] spectacular response time
[17:11] Bertl: lol
[17:12] don't forget to make the patch available primarily through a application that may send sensible information over the net ;)
[17:12] /. is cracked ;)
[17:12] so UPGRADING PLEASE :)
[17:12] just to clarify, it was a windows vulnerability
[17:18] is the 2.4.24 patch compatible?
[17:18] I dont trust too much smart patch :)
[17:20] 2.4.24 patch won't work for 2.4.25 ...
[17:20] but I wasn't sleeping (at least not all the time)
[17:20] ok
[17:20] hehe :)
[17:27] meebey 1.26 or 1.3.7 btw?
[17:30] I have 1.26
[17:30] hhhmm
[17:30] the utils are the problem, so I will stick with stable for now
[17:30] I see, what tools?
[17:31] I still have the old tools
[17:31] old as vserver-0.23?
[17:32] Version: 0.29
[17:32] or do they work with 1.3.7?
[17:32] vserver-0.29?
[17:32] exploit is out
[17:32] I need to upgrade
[17:33] yes
[17:33] the old branch
[17:33] okay ..
[17:33] if they work with 1.3.7, then I will give it a try
[17:33] because of the sendto problem I have
[17:34] might be that they work ... I don't know ... 0.29 vserver was buggy for me ...
[17:34] ic
[17:35] vs1.26 should be available in 5min
[17:35] hi all (again)
[17:35] hi kramer!
[17:35] I'm starting to like it here :)
[17:35] yeah? great!
[17:35] Action: Bertl offers kramer a cup of tea and some cookies ...
[17:35] After some three weeks of testing, I'm trying to go stable
[17:36] ... to set up v-servers for the isp I work for
[17:36] well, I still have some issues
[17:36] hmm, what are the results of your testing?
[17:37] great software, this v-server thingie :)
[17:38] but I need to install quotas and proc protection
[17:38] my question: are the howtos still up-to-date?
[17:39] Especially the quota howto...
[17:39] nope, they are not ...
[17:39] I understand that vroot is in stable since 0.20
[17:39] aha
[17:39] the exploit:
[17:39] http://lists.netsys.com/pipermail/full-disclosure/2004-February/017498.html
[17:40] kramer: talon is working on an updated how-to ...
[17:40] kramer: but the 2.6 testing pages (regarding quota) are almost up to date ...
[17:41] Bertl: ok, thanx; in the meantime, can you give me a primer on lvm/quotas on the latest stable kernel?
[17:41] well, if you use lvm/loop devices for each vserver, you do not need the quota patches, you just configure the vroot device, that's it ...
[17:42] everything else is done from inside the vserver with the quota tools ...
[17:43] *waiting for the upload*
[17:43] I don't really want to go devel - company policies and good sense tells me that I shouldn't really try to set up a possibly buggy service
[17:44] ok, how's that done? configuring the vroot device?
[17:44] using vserver build?
[17:45] nope, you enable the vroot device in the kernel ...
[17:45] ah... ok, done that :)
[17:45] depend on if you use devfs or not, the vroot devices appear in your /dev or have to be created by hand (devicenodes)
[17:46] Nesh (~dmistry@su-nat.datapipe.net) joined #vserver.
[17:47] Morning.
[17:47] morning!
[17:47] meebey: http://www.13thfloor.at/vserver/s_release/v1.26/
[17:47] hey bert!
[17:47] Bertl: thanks!
[17:47] how do I unsubscribe from mailing list i want to use another email address.
[17:48] visit list.linux-vserver.org
[17:48] yeah i am there dun see anything
[17:49] tells me how to sign up
[17:49] :)
[17:53] You have been unsubscribed.
[17:53] :)
[17:54] hmm, so should I consider this solved, dinesh?
[17:55] Bertl heh yup :)
[17:55] *2.4.25 building*
[17:56] s/building/compiling/
[17:56] let me know if it works ;)
[17:56] _if_?? wtc :)
[17:56] s/c/f/
[17:56] hehe, tiny little joke, of course it is tested ;)
[17:56] :)
[17:56] but not very extensively, as you can guess ...
[17:56] thats why it took so long :-P 10 min or so
[17:57] yeah, I'm lazy ...
[17:57] main problem was, I had to reboot my machine and fix an email server in the meantime too ...
[17:58] ok reboot coming soon
[17:58] but I have to fix priorities first
[17:58] or I will get a mess
[17:59] priorities?
[17:59] PRIORITY=
[17:59] I hope that works with those old tools
[18:00] lower number == loaded earlier?
[18:00] probably, never used that ...
[18:03] ben_ (ben@bengrimm-host229.dsl.visi.com) joined #vserver.
[18:03] hi ben!
[18:04] Hi Bertl
[18:04] how's things?
[18:04] good, new kernel, new exploits ;)
[18:05] hehe, if I had a dollar for every time I heard that
[18:05] I want a dollar for every vulnerable windows box ;)
[18:05] even a penny
[18:06] yeah, would be quite enough ...
[18:06] tanjix (tanjix@pD904A10D.dip.t-dialin.net) joined #vserver.
[18:06] hi together
[18:06] hi tanjix!
[18:06] =)("$/()§$/()§)§%)§$%/§$&$§
[18:06] BAD BAD BAD key
[18:06] hmm, means you have forgotten to ...?
[18:06] root_bullfrog:/etc/vservers# rm * ~
[18:06] rm: `/root' is a directory
[18:06] root_bullfrog:/etc/vservers# ls
[18:06] root_bullfrog:/etc/vservers#
[18:06] configs from scratch, cool
[18:07] I hate those fucking backup files
[18:07] file~
[18:07] so turn them off?
[18:07] means I have to change the config of at least 30 servers
[18:07] 30 real servers?
[18:08] about 20 real servers
[18:08] hmm
[18:08] that's what ssh keys and bash scripts are for ...
[18:08] still should be easy
[18:08] yep - what bertl said
[18:08] Bertl: I have that :)
[18:08] but I hate to copy always my bash login script
[18:09] when I make a change
[18:09] and with root worse
[18:09] hmm, there is also rsync ;)
[18:09] crap I didnt make a backup because my setup was not finished
[18:09] rsync is a better option certainly
[18:09] shit
[18:10] have the servers pull their config from a central source
[18:10] meebey: ext2 undelete?
[18:10] -rw------- 1 root root 744334 Feb 2 00:02 etc.tar.9.gz
[18:11] hhmm thats old
[18:11] Bertl: I dont believe in such tools
[18:11] me neither, nevertheless they do work sometimes ;)
[18:12] LD_PATH=/vservers/main/usr/lib /vservers/main/usr/bin/mc
[18:12] thats the real path called?
[18:12] for finding libs
[18:12] /vservers/main/usr/bin/mc: error while loading shared libraries: libgpm.so.1: cannot open shared object file: No such file or directory
[18:12] I dont have mc on the root server, if I install it, it will overwrite my files :)
[18:13] ben_ (ben@bengrimm-host229.dsl.visi.com) left irc: Quit: Trillian (http://www.ceruleanstudios.com)
[18:13] so I have to use somehow the mc of a vserver
[18:13] Action: Bertl refuses to think about that ...
[18:13] ??
[18:14] if I want to undelete any files on partition, it would have been unmounted by now ;)
[18:16] works so far
[18:16] unmount the main system, haha
[18:16] that would mean a shutdown, which means TONS of files are written
[18:16] how can I mount it readonly?
[18:16] ben (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[18:16] mount -o remount,ro /
[18:18] /dev/hda1 on / type ext3 (ro,errors=remount-ro)
[18:18] done, thanks
[18:19] /dev/hda1 on / type ext3 (ro,errors=remount-ro)
[18:19] ups
[18:20] rmoriz (rmoriz@rmoriz.cpan.de) left irc: Read error: Connection reset by peer
[18:20] *pray*
[18:20] maybe he finds some
[18:22] hey this is very cool
[18:22] all vservers are on a diff partition
[18:22] than the root server
[18:22] even the root server is now ro mounted, all vserver still work great :)
[18:23] fascinating
[18:23] *g*
[18:23] Bertl: the patches still seem to be working fine.
[18:23] and nfs still seems to be behaving.
[18:24] hi talon! after all we did to them?
[18:24] well, i didnt know if you were waiting on anything as far a the nfs fix was concerned.
[18:25] sure, always waiting ... ;)
[18:26] also re the quotacheck i was looking in the wrong place. it does check for a different fs in the right places. although i cant get files allocated by root to match up perfectly on a mounted root fs all other users are accounted for perfectly. so im not going to waste any more time on it.
[18:26] but seriously, I would appreciate a report/statement on the mailing list ...
[18:26] talon: did you consider the quota files themselves?
[18:27] Bertl: those are also accounted for in the quotacheck code.
[18:27] ah, okay, thought they weren't ...
[18:27] there's actually code to take care of that.
[18:28] including removing space taken up by the temp quota file.
[18:28] okay, so we'll add the vfs unlink patch to q0.13 and this should be fine for now, right?
[18:29] yeah looks like a good fix to me. i havent run an nfs benchmark on it. but otherwise moving large amounts of files around over nfs doesnt seem to cause anything to go wrong.
[18:30] including the accounting, right?
[18:30] hmm. i havent tried quotas over nfs yet.
[18:30] ah okay ...
[18:30] but i wasnt planning to.
[18:30] i guess i could try that.
[18:30] id have to go through the trouble of enabling them on the host and starting rpc.quotad
[18:31] erm i mean the nfs server.
[18:31] tanjix (tanjix@pD904A10D.dip.t-dialin.net) left irc:
[18:31] could be interesting.
[18:32] what sort of ml statement do you mean?
[18:32] something like, tested q0.13 + vfs fix, works fine here .. bla bla
[18:33] tanjix (tanjix@pD904A10D.dip.t-dialin.net) joined #vserver.
[18:34] kramer (~kramer@80.86.100.172) left irc: Remote host closed the connection
[18:35] ok, will probably suggest the feature change to honza today as well. (turn off raw fs scan with flag or env var)
[18:39] hmm list.linux-vserver.org doesnt seem to be working.
[18:39] at least none of the links to it appear to do anything but time out.
[18:40] works here ...
[18:43] Action: talon tries from a different host
[18:45] hmm, ok i wonder what squid is doing.
[18:46] do I need to quote the variables in the vserver.conf?
[18:46] like IPROOT=192.168.0.100 192.168.0.101
[18:46] IPROOT="192.168.0.100 192.168.0.101
[18:46] IPROOT="192.168.0.100 192.168.0.101"
[18:53] yep, need to be quoted
[18:54] they're read in by the scripts as env variables
[18:54] so anything you'd quote in a bash script, you'd have to quote in the vserver.conf
[18:56] ah ic, thanks
[18:56] sure thing
[18:56] I'm still new at this too
[18:59] okay, if anybody is interested, I also updated the devel branch to 2.4.25 ;)
[19:00] great! thanks
[19:02] just in time for me to go into production with my vservers
[19:02] using development code! weee
[19:03] if you intend to do that, I have some 'fixes' in my queue you could apply ...
[19:03] anything serious?
[19:04] things seem pretty stable so far
[19:04] hmm, nope not really ...
[19:04] just small fixes/corrections ...
[19:04] sure, I can apply them
[19:05] not using quotas, really just using vservers for the security contexts
[19:05] it's up to you, if you tested the 1.3.7 extensively, it would be better to use that 'tested' release without any modifications ...
[19:05] s/would/might/
[19:06] I wouldn't say I've tested it 'extensively' - but things work as I'd expect them to
[19:06] I'm not sure what I'd try to break things
[19:06] sounds great!
[19:07] I found the proc entries that I needed to enable to get the servers to shutdown cleanly
[19:08] just the *info entries
[19:08] and then a few entries in /proc/net
[19:08] to let things like netstat work
[19:10] but I'll take a look at the fixes and see if they might have an impact
[19:10] these are kernel patches?
[19:14] yes, actually checked the only patch which might be interesting for you is the zombie fix patch ...
[19:14] http://vserver.13thfloor.at/Experimental/delta-zombie-fix.diff
[19:16] so the files on http://www.13thfloor.at/vserver/d_release/v1.3.7/ appear to all be empty
[19:17] that is bad ... let me check ..
[19:17] gzips of empty files
[19:17] at least all of the 2.4.25 patches
[19:18] (and split tar)
[19:18] yeah, I just saw ... investigating ...
[19:21] okay found it ... will take about 10 mins until the tests are complete ...
[19:21] okey
[19:26] patches are updated, tests still running ...
[19:28] so is there any way to hide 'mounts' in /proc?
[19:28] yes, there is a patch for that ...
[19:29] http://vserver.13thfloor.at/Experimental/no-proc-mounts-vs1.24.diff
[19:29] ahh
[19:29] if it doesn't apply cleanly to 1.3.x let me know, I can update it ...
[19:30] it's no problem - I'm just looking for good enough right now
[19:31] i.e. if a vserver is taken over by an attack - to be confident that the rest of the server is not vulnerable
[19:32] obviously it will still be to some extent
[19:32] click (click@gonnamakeyou.com) joined #vserver.
[19:32] urgh
[19:32] bertl, re
[19:32] another bug in the kernel.. *sigh*
[19:32] hi click 'urgh!'
[19:32] since an attacker could effectively dos the rest of the server
[19:33] but I guess that's where quota's would help a bit
[19:33] I'll never be able to finish the patches I'm working on when they keep finding bugs in the core kernel :/
[19:33] not my fault 8-)
[19:34] ben: depends of the kind of DoS ...
[19:34] berlt: yep
[19:35] Bertl: nope, true, so true. I just hate having to fix things in the middle of debugging stuff :/
[19:35] berlt: can you limit cpu usage on a vserver basis?
[19:35]
[19:35] or rather, can you prevent starvation of the other vservers
[19:35] hmm, hi enrico! impressive!
[19:36] ben, cpu is possible, especially with the O(1) scheduler ...
[19:36] yep, have you ever seen such a nice 'L'?
[19:36] but that is only a little step ...
[19:36] ensc: no, that is why I said Impressive!
[19:38] bertl, but no O(1) in the mainline kernel, and no patchset for 2.4.25 that includes both vserver and O(1) :-)
[19:38] ben: ck does, guess Con will update soon, and I will follow ...
[19:38] btw, 0.07 on 2.6 supports it ;)
[19:38] yep, but I can't go to 2.6 yet... still too new
[19:39] these vserver patches are about as bleeding edge as i can take
[19:39] maybe in a few more months
[19:40] when we're at 2.6.10+ and more of the nasty as yet undiscovered bugs are gone
[19:43] but anyway... I'd think that a two level scheduler to ensure that the entire context gets its fair share, and then a second level to get a fair share within that context
[19:44] would give anough isolation to prevent one vserver from starving the others on the box
[19:44] or enough even
[19:44] that is basically done with the 'shed' flag ...
[19:44] s/shed/sched/
[19:44] i thought I saw that somewhere
[19:46] yep, okay - but does it really behave that way?
[19:46] 2.4.25 runs
[19:47] sladen (~paul@starsky.19inch.net) got netsplit.
[19:48] sladen (~paul@starsky.19inch.net) returned to #vserver.
[20:01] am I still here?
[20:02] no
[20:04] Bertl: partly
[20:05] ah okay, I really love all that splitting and joining ;)
[20:05] Bertl: just subscribed to the list. i see im the quota expert now ehh? i guess ive had plenty of experience with it. but id consider you the expert since you know the internals.
[20:05] me? never heard of quota ... %-)
[20:07] but i will drop a quick message to the list. mentioning the accounting fix in quota-tools 3.11, the non direct IO patch and the vfs patch for that nfs bug we ran into.
[20:17] ben: all tests finished ...
[20:20] are there 1.26 test scripts?
[20:21] http://vserver.13thfloor.at/Stuff/testme.sh
[20:24] 201 failed rest ok
[20:24] is that expected?
[20:26] well, if you use Enrico's recent tools, it magically succeeds ...
[20:26] otoh. it will also succeed with the devel branch ...
[20:27] :)
[20:28] my debian packages are too experimental to try them
[20:28] actually I considered it a stable release bug, but enrico proved me wrong ...
[20:29] the vserver (old branch) tools debian packages really scared me
[20:33] the whole upstream is patched with 10 patches and tons of stuff is changed/removed/added
[20:33] I mean, its almost like a new program
[20:33] I prefer to ignore them ;)
[20:33] ignore what?
[20:33] oh the old tools
[20:33] :))
[20:33] ok message sent.
[20:34] cdub (~chrisw@fw.osdl.org) joined #vserver.
[20:34] hi chris!
[20:34] Bertl: g'day
[20:35] <_shur1> hi all
[20:37] talon: 'quotaheck' nice ;)
[20:40] <_shur1> anybody know a way to make mrtg getting stats on alias interface eth0:1 ...??
[20:40] netrose (john877@SP2-24.207.225.23.charter-stl.com) joined #vserver.
[20:41] hi bobi!
[20:41] 1.26 does not need mount -i as a workaround, right?
[20:41] Hi.
[20:41] I mean mount -ro
[20:41] nope, only chattr +t and chmod 000
[20:42] What's chattr +t
[20:42] that is the IUNLINK flag
[20:42] But that's only needed if I use unification, right?
[20:43] there is a mail thread about that fix/changes ... let me see if I can find it ...
[20:43] Is chattr +t another workaround for another bug?
[20:43] nope, it is the barrier for vs1.26
[20:43] ok
[20:43] Thanks.
[20:43] So, it absolutely has to be there.
[20:44] if you want to prevent vserver root to escape the root jail, yes
[20:44] Ok. Thanks again/
[20:45] you're welcome
[20:45] http://archives.linux-vserver.org/200402/0145.html
[20:45] http://archives.linux-vserver.org/200402/0055.html
[20:46] ah that is the correct one ..
[20:46] but the -d in that mail was an error ...
[20:47] Bertl: ok so it did make it to the list. good. too bad i missed the quotacheck spelling. perhaps that was a slip of the subconscious :)
[20:47] i have it daily digest mode.
[20:48] at least until i get procmail setup.
[20:48] hehe
[20:51] netrose: FYI there is a new kernel exploit, so updating to 2.4.25 might be also a good idea ...
[20:54] Bertl: did they release 2.4.25 final?
[20:54] or do you mean the latest rc?
[20:54] final
[20:54] heh. that was fast.
[20:55] hmm, yes, vs1.26 and 1.3.7 are updated ... ;)
[20:55] probably wasnt much of an effort to make those match up.
[20:56] probably not much changed between rc3 and 25.
[20:56] nope, as usual testing was the time consuming part ...
[20:57] Action: talon nods
[20:57] what sort of tests do you run?
[20:57] aside from the testme script. im guessing you have a few things you test by hand.
[20:57] basically the testme.sh/compile checks and some 'known' old bugs ...
[20:58] good regression tests is something on my todo list ...
[20:58] same here. my todo list seems to get bigger every day.
[20:58] One more question. /proc is now safe in 1.26, right?
[20:59] if you configure it properly, yes, by default, no ...
[20:59] Ok, so I still need the -ro on /proc
[20:59] (default is all entries visible)
[20:59] nope, you use the vproc tool to disable critical entries
[20:59] is that per vserver or per server
[21:00] that is for all vserver on a host
[21:00] any advice what to enable/disable?
[21:00] there are two approaches to that ... the minimalistic, and the avoid trouble approach
[21:01] you can either disable everything (as done in devel) and just enable absolutely necessary entries ...
[21:01] (a list of successful entries was posted on the ml)
[21:01] or you can think about each entry, and disable it, if you consider it harmful ...
[21:02] there is no final list, because the distributions seem to differ there ...
[21:02] and the feedback I got until now is minimal ...
[21:03] I'd say enabling /proc/*info and /proc/stat* and probably /proc/uptime should be sufficient ...
[21:03] im used to /proc filesystems where you cant do almost anything you want to the system with proc entries. (like traditional sysv proc and the bsd proc)
[21:04] Ok, thanks. I
[21:04] I'll take a look at it.
[21:04] as in strictly process info (or tracing support with sysv) and mostly just read only info for other information in /proc in the bsd case.
[21:05] okay, have to leave now, will be back in a few hours ...
[21:05] with linux they use proc for just about everything.
[21:05] Nick change: Bertl -> Bertl_oO
[21:07] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver.
[22:02] <_shur1> anybody know a way to make mrtg getting stats on alias interface eth0:1 ...??
[22:02] <_shur1> The aliases themselves do not have a counter in the kernel
[22:06] i think ive seen a solution before for this. basically it involves iptables rules to count packets for the alias ips
[22:06] <_shur1> humm
[22:06] <_shur1> and it work with mrtg?
[22:07] i think so id check the mailing list i think thats where it was mentioned. it was either there or in the faq someplace.
[22:07] i havent used mrtg before.
[22:07] im guessing it can get stats from a user provided script.
[22:13] well, i mean i havent configured mrtg before. i have looked at mrtg graphs.
[22:14] <_shur1> hehe
[22:16] i just recall someone suggested to set an IN and OUT pass rule for the aliased ip and use the iptables commands to gather the statistics from those rules and feed the results to mrtg somehow to be graphed.
[22:26] having trouble finding it on the ml archive though.
[22:29] <_shur1> i got it
[22:29] <_shur1> iptables -A INPUT -i eth0 -d 10.0.0.42
[22:29] <_shur1> iptables -A OUTPUT -o eth0 -s 10.0.0.42
[22:29] <_shur1> iptables -xvL'
[22:30] <_shur1> but dont know how mrtg can getting the stats from the iptables output...
[22:33] mhepp (~mhepp@r72s22p13.home.nbox.cz) joined #vserver.
[23:02] http://techrepublic.com.com/5100-6261-1049419-2.html
[23:03] this looks like it might be useful in getting graphs from iptables rules statistics.
[23:07] <_shur1> yes look good
[23:07] <_shur1> thanx a lot
[23:49] Doener_ (~doener@pD958861F.dip.t-dialin.net) left irc: Quit: Leaving
[23:54] Doener (~doener@pD958861F.dip.t-dialin.net) joined #vserver.
[23:55] is there a recommended way of sharing files/directories between vserver?
[00:00] --- Thu Feb 19 2004