[00:00] Bertl: old program to transfer files between computers
[00:00] norse: might be, don't know ... run http://vserver.13thfloor.at/Stuff/testme.sh for a test
[00:00] norse: that's the message I was getting earlier :)
[00:00] JonB: nullmodem cable is hardware, but a 'fastlynx' might have used such a cable ...
[00:01] Can't set the new security context\n : Bad address
[00:01] Bertl: hmm, i'll look into what i can get
[00:01] Mcleod, heh, how did you solve it mate?
[00:01] i've seen that error too :)
[00:01] norse: i'm yet to solve it :D
[00:01] you can get nullmodem adapters at radioshack still i think. just little things that look like gender benders you plug into the end of a serial cable that switch the pinouts around.
[00:01] ouch
[00:01] norse: but that isn't the only output, right? please show me the complete output
[00:02] mhepp (~mhepp@r72s22p13.home.nbox.cz) left irc: Quit: Tak ja padaaaaM
[00:02] ah, sorry mate, didn't want to flood the channel (hence the \n). should I priv you or is there a flood channel on this network?
[00:02] norse: however, perhaps do 'ifconfig' and check the broadcast and netmask in the vhost.conf file - check with Bertl :)
[00:02] norse: priv is okay
[00:02] cheers mate
[00:03] Bertl: Linux sanitytech02 2.4.25-vs1.26 #5 SMP Fri Feb 20 05:39:35 CST 2004 i686 unknown
[00:03] Bertl: yay!
[00:03] norse: tools are too old, 0.22 from Jack won't work anymore, I guess ...
[00:04] the tools are more than a year old .. you require at least 0.24
[00:04] but I would suggest to update to util-vserver 0.29 for example
[00:04] aye, that's what I did to resolve it the last time
[00:04] Mcleod: so what was the problem?
[00:05] Bertl: fresh install from theplanet, and sshd/network wasn't set to auto-start :/
[00:05] I must admit I missed that the tools were that old. the only reason I installed this package was due to the debian-specific newvserver.
[00:05] i'll bite my tongue and blame myself for not checking....
[00:06] don't do that, you will regret it the minute after ;)
[00:07] Bertl: yay, vserver appears to be running
[00:07] Bertl: only one quirky thing remaining..
[00:07] Bertl: # vserver yamaha status
[00:07] Server yamaha is not running
[00:07] but i can indeed enter it
[00:07] should not happen ... let's investigate that one
[00:07] first step, try the testme.sh on that setup/kernel ...
[00:08] alright, one final question and I promise I won't bug you guys for.. oh, at least an hour or two, heh. what is the preferred way to create new virtual servers? is there a standalone script or anything that doesn't require linuxconf?
[00:08] Linux-VServer Test [V0.06] (C) 2003-2004 H.Poetzl
[00:08] chcontext is working.
[00:08] chbind is working.
[00:08] Linux 2.4.25-vs1.26 i686/chcontext 0.29/chbind 0.29 [E]
[00:08] ---
[00:08] [001]# succeeded.
[00:08] [011]# succeeded.
[00:08] [031]# succeeded.
[00:08] [101]# succeeded.
[00:08] [102]# succeeded.
[00:08] [201]# succeeded.
[00:08] [202]# succeeded.
[00:09] okay, looks good, now you did start the yamaha vserver?
[00:09] norse: I think i can answer that, just my 2c, safe to ignore it though, you can create your own /etc/vservers/myvps.conf, then run 'vserver myvps build'
[00:10] norse: http://www.linux-vserver.org/index.php?page=alpha+util-vserver
[00:10] Mcleod, does it actually create a working system or is it lfs? for instance, I want my vservers to be debian-based.
[00:10] Bertl: it appears to start, but doesn't
[00:10] # vserver yamaha start
[00:10] Starting the virtual server yamaha
[00:10] Server yamaha is not running
[00:10] ipv4root is now 69.93.207.112
[00:10] Host name is now yamaha.sanitytechnology.com
[00:10] New security context is 49155
[00:11] # vserver yamaha status
[00:11] Server yamaha is not running
[00:11] okay, now do: 'cat /var/run/vservers/yamaha.ctx'
[00:12] [root@sanitytech02 vservers]# cat /var/run/vservers/yamaha.ctx
[00:12] S_CONTEXT=49155
[00:12] S_PROFILE=prod
[00:12] [root@sanitytech02 vservers]# ps auwxwww | grep 49155
[00:12] [root@sanitytech02 vservers]#
[00:12] okay, so it is working as expected, but your server doesn't start any services, so it basically auto terminates
[00:13] Bertl, and you save the day again
[00:14] hey hey, I saved the world today, everybody's happy now the bad things gone away ...
[00:14] Bertl: what should be started on bootup?
[00:14] (anything?)
[00:14] well, your vserver should start some services ... maybe it requires the fakeinit
[00:14] don't know which runlevel scheme or whatever you have in that vserver
[00:16] mmm
[00:16] util-vserver
[00:16] put everything in /usr/local/etc/rc.d/init.d
[00:16] whereas redhat wants it in /etc/rc.d/init.d
[00:17] look one of my server on startup looks like this:
[00:17] # vserver TEST start
[00:17] Starting the virtual server TEST
[00:17] Server TEST is not running
[00:17] ipv4root is now aaa.bb.cc.ddd
[00:17] Host name is now TEST.virtual.vs
[00:17] Domain name is now
[00:17] New security context is 2102
[00:17] Starting system logger: [ OK ]
[00:17] Starting X Font Server: [ OK ]
[00:17] Starting sshd: [ OK ]
[00:17] Starting httpd2: [ OK ]
[00:17] Starting postgresql service: [ OK ]
[00:17] Starting crond: [ OK ]
[00:17] yep, that looks healthy
[00:17] :)
[00:18] just not sure why mine isn't doing that
[00:18] check your yamaha vserver, if it contains a runlevel script, and if the services are enabled (if your distro for the vserver supports sysv init scripts)
[00:19] Doener (~doener@pD9E12A72.dip.t-dialin.net) joined #vserver.
[00:19] hi Doener!
[00:19] hi
[00:21] Bertl: i'm starting to think I should go back to vserver-0.28 as that was for redhat at least...
[00:22] hmm, vserver-0.28 is a good choice, it doesn't even bother with setting secure caps
[00:24] i'm completely unfamiliar with all these different source trees
[00:24] it's simple, there _WAS_ vserver (including vserver-0.xx) up to 0.26
[00:25] i don't know why my vserver instance isn't trying to start anything at the moment, but i'm looking into it...
[00:25] it was then sporadically maintained by Jacques up to 0.29 (which is broken)
[00:25] ahh
[00:25] Jacques has disappeared again, and the maintained tree is util-vserver
[00:25] my vserver was a copy of the current install
[00:25] and had nothing in the startup enabled
[00:25] Action: Mcleod slaps himself
[00:26] lack of sleep is catching up on me
[00:27] quite possibly one of my last questions
[00:27] Bertl: could you perhaps explain what the v_httpd v_sshd startup scripts do?
[00:27] sure
[00:28] they are used on the host (not on the vservers)
[00:28] and the idea is, to restrict the services to a limited set of IPs so that they do not collide with the vserver services
[00:28] -r
[00:30] ok, so they're designed to make the host bind only to its own ip's and not the vserver ips?
[00:30] netrose (john877@SP2-24.207.225.23.charter-stl.com) joined #vserver.
[00:31] if so, would it make just as much sense to make sure those services were bound to a single ip instead?
[00:32] yeah, that is an alternative, if that can be configured with the service
[00:32] for example you can use a specific ListenTo statement in sshd/httpd config
[00:33] yup
[00:33] ok cool
[00:33] i do have good news
[00:33] the v_* services just enforce this limitation ;)
[00:33] my vservers are running :D
[00:33] great!
[00:33] thank you so much for your help
[00:33] you're welcome!
[00:34] this is a bit healthier at least
[00:34] # vserver yamaha start
[00:34] Starting the virtual server yamaha
[00:34] Server yamaha is not running
[00:34] ipv4root is now 69.93.207.112
[00:34] Host name is now yamaha.sanitytechnology.com
[00:34] New security context is 49163
[00:34] Setting network parameters: [ OK ]
[00:34] Bringing up loopback interface: Error, some other host already uses address 127.0.0.1.
[00:34] arping: socket: Operation not permitted
[00:34] [FAILED]
[00:34] Bringing up interface eth0: arping: socket: Operation not permitted
[00:34] Error, some other host already uses address 69.93.207.112.
[00:34] [FAILED]
[00:34] Starting system logger: [ OK ]
[00:34] Starting kernel logger: [ OK ]
[00:34] Starting sshd: [ OK ]
[00:34] Starting sendmail: [ OK ]
[00:34] Starting crond: [ OK ]
[00:34] Starting atd: [ OK ]
[00:34] not sure about the binding to 127.0.0.1 error..
[00:34] you should remove the hardware related runlevel scripts
[00:34] maybe by commenting the appropriate sections out ...
[00:35] the vserver will not be able to mess around with the hardware (detection/configuration) on startup and shutdown ...
[00:35] yep that makes sense, i'll have to make the vservers a lot more 'minimal', atm it's simply a copy of the host
[00:49] Bertl: can vserver limit memory usage?
[00:49] yes, virtual memory
[00:50] Bertl: OK, i hadn't noticed/read about that yet, can you point me at a URL please?
[00:51] well, it requires development or exp branch ...
[00:51] ah ok
[00:52] not overly sure if i want to try something out that's not known to be stable..
[00:56] Bertl: any comments about particular releases in the devel tree?
[00:57] what shall I comment on them?
[00:57] are they seriously unstable ? :)
[00:57] if they were, I would label them 'seriously unstable' right?
[00:58] they are under development, so it might be that the one or other thing is broken ..
[00:58] or maybe 'experimental' ... ok i'm looking like a numbut
[00:58] experimental is the current 2.6 branch
[00:59] so if you do use experimental kernels 2.6.x (now called stable ;)
[00:59] then this is the branch for you ... because it's the only branch for 2.6 atm
[01:00] ok ta, i'll give 1.37 with 2.4.25 a shot
[01:03] as much as I hate to reboot again :-)
[01:05] Bertl: is the virtual memory limits an addon or part of the std devel release?
[01:05] (sorry for being such a pain, you're just being so helpful!)
[01:06] np, it is part of the devel branch ...
[01:07] norse: there is a typo on your page ...
[01:09] norse: If other words; -> In other words;
[01:21] JonB (~NoSuchUse@kg203.kollegiegaarden.dk) left irc: Quit: Leaving
[01:31] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver.
[01:31] hi james!
[01:32] Hi bert..
[01:32] still up?
[01:32] seems so ;)
[01:32] somebody has to work on vserver, right?
[01:32] that's right,
[01:33] And thank you for your work..
[01:33] don't mention it ...
[01:34] what brings you here? just the community mood?
[01:39] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[01:39] hi ben!
[01:39] hi Bertl
[01:40] how's it going?
[01:40] good, working on 0.09 and 1.3.8 as well as q0.14 atm
[01:40] and how are you?
[01:41] oh good, getting frustrated compiling 2.4.25 for a machine at a colo
[01:41] hmm, what's the issue there?
[01:42] oh, I think it's just a module that I'm missing
[01:42] nothing vserver related
[01:42] (except that it's a vserver kernel)
[01:42] why not use the 'old' kernel config?
[01:42] ah - the old config is the default fedora config... that's no good
[01:43] ic
[01:43] never had the vserver kernel working on this server yet (or the vanilla kernel for that matter)
[01:48] so 1.3.8 is coming out then?
[01:48] Nick change: bengrimm -> ben
[01:48] yeah, might be out tomorrow ...
[01:48] fun fun
[02:01] ben: what features do you miss most in vserver?
[02:02] hmm
[02:05] if it felt more like a real server that would be nice
[02:06] i.e. like UML but without the overhead
[02:06] especially what aspects?
[02:06] emulation of proc would be the nicest feature
[02:07] full network access without turning on cap_net_raw
[02:07] hmm, so faking entries there, right? which ones?
[02:07] yep, more faking of entries
[02:08] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Read error: Connection reset by peer
[02:09] what for example?
[02:09] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[02:09] because there was a direction I called 'stealth' vserver, which addressed this, but there is not much feedback atm
[02:10] uptime, *info stat, net, net/ tcp, udp, unix, *stat
[02:11] those would be the ones that I've had to turn on to get functionality
[02:11] I saw mention of the stealth vserver somewhere
[02:12] what I'd like is if/when a vserver is compromised to somehow hide the fact that it's living inside another server
[02:13] hmm, well while this might be theoretically possible, it's a little problematic, because you have some things, you just can't allow inside a vserver (but you can allow it in uml for example) so it can be easily detected that you are 'not' on a real server (hardware access for example)
[02:14] that's true - without virtualizing the hardware you couldn't do it
[02:15] could create dummy devices that behave in predictable ways i suppose
[02:15] but that's all fringe - not core to making vservers better
[02:16] so while you might fool a program, you will not be able to fool a human ...
[02:16] but I agree that 'virtualizing' (this is another approach ;) is useful for things like /proc/mounts for example ...
[02:17] right, a person will still know - or if they didn't know immediately, they'd figure it out that the devices that were present don't match up to what you'd expect to find in a server
[02:18] but definitely if I had my choice of things to make work better - I'd say proc
[02:18] eliminate the need for vproc or setattr
[02:19] (although there will probably always be a need for those tools)
[02:19] the idea behind that is to find a minimal/optimal set for /proc entries ... which then will be implemented as sane default ...
[02:19] sure
[02:19] (you can change it, if you want to)
[02:20] just need to find the absolute minimum to be able to run without errors
[02:20] so many utilities use proc to get their data
[02:24] hmmm, what else
[02:27] we've got memory protection between contexts, do we have filesystem protection?
[02:27] could one context delete a file, and another allocate that disk space and read its contents
[02:28] i suppose we don't really even have memory protection in that respect
[02:29] isn't that type of stuff in grsec?
[02:29] well, the memory/disk security question is the same as with normal server users, right?
[02:29] yep, believe so
[02:30] so the idea would be to add further isolation between vservers
[02:30] well, the question is, for what purpose would you like to separate the memory between vservers better, as the memory is separated between users now?
[02:31] but i'm not sure the memory is really separated between users
[02:31] once freed it can be allocated by any process
[02:31] yes, and?
[02:31] and freeing memory doesn't clear its contents
[02:32] allocation to userspace does
[02:32] cdub, so memory is cleared upon malloc?
[02:32] ben: no
[02:32] ben: it's cleared when a page is given to userspace
[02:33] malloc() may reuse (w/in the process) after free()
[02:33] glibc has an allocator that sits on top of kernel allocator
[02:33] ah - so between processes there's no danger
[02:33] since the memory goes back to the kernel
[02:33] yeah. otherwise we'd have big problem already ;-)
[02:34] ;-) still learning about the kernel
[02:34] ben: userspace still needs to memset(addr, 0, len) to be sure, because it could have come from local reuse of buffer
[02:34] ben: well, insightful thought, anyhow ;-)
[02:35] gotcha - I'm sure that's where I was getting that idea from
[02:35] so disk allocation then, probably not zero'd
[02:35] ben: and to do separation between vservers is not realistic
[02:35] what do you mean by disk allocation?
[02:36] when you allocate space for a file (without filling it with anything)
[02:36] hmm, with the allocate_space_for_file syscall?
[02:36] like truncate()?
[02:36] think so
[02:36] these are not mapped until written
[02:37] so you can get zero page when you read from it
[02:37] so it's safe too
[02:37] ah - ok
[02:37] maybe I'm thinking windows ;-)
[02:38] ben: heh, maybe, although it's a _serious_ problem for an OS not to do such
[02:38] I would say so, but as you say - it's already taken care of by the kernel
[02:39] yes
[02:39] the only thing grsec adds in that area is address space randomization (per process) and non-exec stack (via PaX)
[02:41] cool cool - learn something new every day
[02:42] I've been using linux since '96 and never really cared too much about how/why it works
[02:43] heh, fun to poke under the hood ;-)
[02:43] i think the first thing i changed - and only because I had to - was a disk geometry calculation
[02:44] it wouldn't recognize my drive
[02:44] got a bigger disk?
[02:44] yep, back when 40G was 'bigger'
[02:44] heh, yeah
[02:47] anyhow - vservers are good things
[02:47] i get to have entire servers fail over with heartbeat - rather than just processes
[02:48] and beyond that I can have production, test and dev all living on the same real server
[02:48] with the same paths for all of them, just can't beat it
[02:49] ben: why would you failover between two vservers? what's the scenario you're working with?
[02:49] just for testing?
[02:49] not fail between vservers - but fail a vserver to another real server
[02:50] hmmm, is the other real server running vserver too?
[02:50] (just trying to understand the use case ;-)
[02:50] yep, pair of real servers
[02:50] both have vserver kernel
[02:50] both running drbd
[02:51] and heartbeat
[02:51] and vserver is just to isolate the app you care about from the rest of the host?
[02:51] real server -> raid 1 -> drbd -> vserver -> database
[02:51] right - vservers to isolate applications from each other
[02:51] *nod*
[02:52] you use multicast?
[02:52] or broadcast?
[02:52] (or the serial stuff?)
[02:52] the servers have 3 nics and serial
[02:52] 1 out to the net
[02:52] one interesting aspect of failover vserver use would be to disable synchronization on purpose (somehow?) update a vserver on one machine, switch over to that one, and sync up ...
[02:52] 1 connected to a 100M switch and 1 1000M crossover
[02:53] but - broadcast - yes
[02:53] ben: ah, you should try multicast ;-)
[02:53] er - hrmm, one sec
[02:54] yeah broadcast
[02:54] Bertl: you mean to break the vserver and reunify it? or the drbd replication?
[02:54] is multicast better somehow?
[02:54] ben: waaaay better, heheh
[02:54] the drbd replication ;)
[02:54] Action: cdub wrote it
[02:54] even over a crossover?
[02:54] ahhh
[02:54] ;-)
[02:56] bertl, you could definitely do that
[02:56] Bertl: yeah
[02:56] depends on the app though
[02:57] morning
[02:58] norse (~norse@h118n2fls35o804.telia.com) left #vserver (wargames.unix.se).
[02:58] morn alec!
[03:00] top of the morning
[03:01] hi mids!
[03:02] Action: cdub looks at his clock...morning? ;-)
[03:02] cdub, isolation the big benefit for me though
[03:03] ben: yeah
[03:03] yeah I've got 6pm here... ;-)
[03:03] Bertl: do you care for unix socket communication? or other local ipc?
[03:04] care as in 'take care of separation for vserver' or as in 'use it somewhere'?
[03:04] the former
[03:04] we try to .. but I guess it is a little untested ...
[03:04] hrm, just thinking about it, because heartbeat uses named pipes
[03:05] well, any good tests are appreciated, as always ...
[03:05] and a patch i'm reviewing right now ignores those things as well
[03:06] Bertl: hrm, ok, i'll look into it tomorrow, i think i can use the same test for both cases
[03:06] (meaning vserver and the patch i have here)
[03:06] a grep into the patch tells me that there is something ;)
[03:06] hehe
[03:06] diff -NurpP --minimal linux-2.4.25/ipc/util.c linux-2.4.25-vs1.26/ipc/util.c
[03:06] diff -NurpP --minimal linux-2.4.25/ipc/util.h linux-2.4.25-vs1.26/ipc/util.h
[03:07] but a test will be appreciated ;)
[03:08] Bertl: anything that uses the filesystem can be somewhat taken care of with the vserver /root
[03:09] well, it should be, but what about communicated pipes?
[03:10] do you mean named pipes? or just regular pipe?
[03:10] named ones ..
[03:11] what do you say to the following:
[03:11] # vuname -s --xid 100 --machine "abc"
[03:11] # chcontext --ctx 100 uname -a
[03:11] New security context is 100
[03:11] xyz (none) 2.6.3 #12 Fri Feb 20 01:04:55 CET 2004 abc unknown
[03:11] hrm, also, there's fd passing, so it could be any fd...
[03:11] nice ;-)
[03:12] or
[03:12] # vuname -s --xid 100 --release "1.0.0"
[03:12] # chcontext --ctx 100 uname -a
[03:12] New security context is 100
[03:12] FATAL: kernel too old
[03:12] just in for the community, ( bert to answer your question from when I joined)
[03:12] # vuname -s --xid 100 --release "2.2.0"
[03:12] # chcontext --ctx 100 uname -a
[03:12] New security context is 100
[03:12] Linux (none) 2.2.0 #12 Fri Feb 20 01:04:55 CET 2004 i686 unknown
[03:14] i like it
[03:14] hehe
[03:14] we like it too 8-)
[03:19] Heya Bert, the other day you told me to upgrade my util-vserver tools to get static ctx's , I did and they still aren't working.. How can I tell if the utils version is correct?
[03:19] chcontext --help
[03:19] chcontext version 0.29
[03:19] chcontext [ options ] command arguments ...
[03:24] hmm, test with the testme.sh script first
[03:24] http://vserver.13thfloor.at/Stuff/testme.sh
[03:33] thanks,
[03:36] everything succeeded
[03:36] could you show me the first 4 lines, maybe in private?
[03:37] Linux-VServer Test [V0.06] (C) 2003-2004 H.Poetzl
[03:37] chcontext is working.
[03:37] chbind is working.
[03:37] Linux 2.4.24-vssmp1.23 i686/chcontext 0.29/chbind 0.29 [E]
[03:37] 2.4.24-vssmp1.23 was the latest compiled version
[03:38] hmm, interesting ... enrico, any ideas?
[03:38] what is the error?
[03:39] just that the static context doesn't seem to work
[03:40] okay, could you provide your vserver config somewhere?
[03:40] what means "not work"; fails chcontext, or do you get a dynamic ctx?
[03:41] hmm, this morning it gave a dynamic context, i restarted it sometime today and didn't look at the context but it is correct
[03:42] however i can't seem to stop the vserver
[03:42] hmm, you probably started with the old tools, and didn't stop the vserver before updating, right?
[03:42] gettin a failed for everything...
[03:42] or changed from dynamic to static while the vserver was running?
[03:43] I installed the tools yesterday and had a boot since then
[03:43] hmm, okay, that should work then
[03:43] maybe that was it
[03:43] what does vserver-stat report?
[03:44] that musta been the problem
[03:44] I/the other admin changed the ctx while it was running
[03:48] thanks,
[03:48] okay, so it _is_ working now, right?
[03:49] yes, it's working correctly.
[03:49] problem between keyboard and chair
[03:49] okay, perfect, np
[03:50] i meant only to lurk, i tend to learn a lot from the chatter
[03:51] well, that is very similar to the testing/stable issue
[03:52] if everybody is waiting until a version is stable, and nobody actually tests it, it will never happen ...
[03:52] same if everybody just 'listens' and doesn't say anything here, nobody will hear/learn anything, right? ;)
[03:53] i'm going to test a 1.26 against my fedora workstation(smp) in a few minutes, so i'll be leaving for today..
[03:53] okay, cu around ...
[03:54] I do plan on contributing as much as I can once I get my project finished,
[03:54] hmm, what project?
[03:54] unfortunately i can't code, but i'll have equipment to test with
[03:55] We are virtualizing our server room into a few Vservers
[03:55] sounds interesting ...
[03:55] including running ensim in a root, and hopefully a couple of cobalts as well
[03:56] sorry running ensim in a vserver
[03:57] I have to figure out how to fake a /dev/LCD panel :)
[03:57] hehe
[03:57] but anyway, i'm going to drop off and see if this sucker boots
[03:58] goodnight
[03:58] night!
[03:58] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) left irc: Quit: Leaving
[04:06] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver.
[04:11] well it booted..
[04:11] great!
[04:11] was a short night, then ...
[04:12] I was missing a few modules for you know not important things like a mouse..
[04:13] Mcleod (~altec@202.9.60.199) left irc: Read error: Connection reset by peer
[04:13] so I'm back to the fedora kernel..
[04:13] ic
[04:14] you don't happen to have the .config that was used for the v1.23smp kernel?
[04:14] I did not even know of its existence ...
[04:15] where exactly do you have it from?
[04:16] i think that it was a compiled kernel taken from the solucorp site
[04:16] really, interesting ... let's have a look, Jack always had a config lying around too ...
[04:17] the lead admin didn't know about the 13thfloor/linux-vserver sites
[04:17] (my lead admin consultant)
[04:18] ftp://ftp.solucorp.qc.ca/pub/vserver/kernel-2.4.24-vssmp1.23.tar.gz
[04:18] this one?
[04:18] hmm, what is a lead admin consultant good for, if he doesn't know that? ;)
[04:19] i'm starting to wonder... :)
[04:20] and what do you pay him for bad consulting?
[04:20] he set up the vservers that we had running.. But when I started having to start supporting them I have been reading as much as I can
[04:21] he still blows me away in his knowledge..
[04:21] he just musta missed the email :)
[04:22] hmm, did I mention that I do consulting too?
[04:23] I'll certainly remember that
[04:23] heh, i was waiting for that part ;-)
[04:24] cw: well, it usually is a simple plot, right?
[04:24] ExpiryJames: Bertl is knowledgeable, nice, and helpful!
[04:24] indeed
[04:24] Once i'm done this move, I'm going to be devoting time to the project, and I'll see if i can't get some money outa the boss for the vservers
[04:25] cw: thanks for the flowers ...
[04:25] Bertl: no problem
[04:25] Bertl: sorry, I missed valentine's day ;-))
[04:25] ExpiryJames: well with or without money, you will find help here if it is vserver related ...
[04:26] I do see a config on the ftp://ftp.solucorp.qc.ca/pub/vserver but it's a couple of versions out for the latest kernel
[04:26] I would try that, as Jack didn't change the configs very often ...
[04:27] I hope to have quite a few smp boxes laying around in the next month...
[04:27] well there is no need to change them very often, so this is a sane thing to do ...
[04:27] ExpiryJames: you know about the Commercial/Private Vserver User pages?
[04:28] would ftp://ftp.solucorp.qc.ca/pub/vserver/config-2.4.22smp work against a newer kernel?
[04:28] sure, just copy it into the kernel source tree, and do a make oldconfig
[04:28] the sponsor?user pages on 13thfloor?
[04:29] i'll try that...
[04:29] http://www.linux-vserver.org/index.php?page=VServer+Hosting
[04:29] http://www.linux-vserver.org/index.php?page=VServer+Users
[04:29] just got there...
[04:31] I'll put a link in... sometime..
[04:31] feel free to do so ... whenever you want ...
[04:34] hmm new release against 2.6.. cool..
[04:35] we'll probably have another one in a few hours ...
[04:42] thanks for the help/chat..
[04:42] goodnight again..
[04:43] you're welcome ... have a good one this time
[04:43] yikes it's late over there?
[04:43] 2:40 am CET here
[04:43] have a good morning..
[04:44] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) left irc: Quit: Leaving
[05:01] Nick change: cdub -> cgone
[05:24] serving (~serving@213.186.188.205) left irc: Read error: Connection reset by peer
[05:48] Mcleod (~altec@202.9.60.199) joined #vserver.
[05:48] hi Mcleod, back again?
[05:48] not for any particular reason, don't worry :)
[05:49] still waiting on host to restart it back to the vs1.26 version or take a look at why it's not running with vs1.37
[05:49] (kernel that is, box hasn't come back up since last reboot about 4 hours ago)
[05:49] hmm, that should not be vserver stable/devel related ...
[05:51] yeah probably isn't, so i'm just here in the channel for uhm, idling purposes ;)
[05:52] okay, idle around, as long as you want ...
[05:54] mm...
[05:54] Linux sanitytech02 2.4.25-vs1.3.7 #8 SMP Fri Feb 20 08:25:29 CST 2004 i686 unknown
[05:54] so now it's running - i hope my host gives me an idea why the heck it wasn't running for once... everytime i reboot the thing something goes wrong :/
[05:54] completely vserver unrelated so i'll be quiet :)
[06:23] okay, have a good wossname everyone, I'm off to bed now ...
[06:25] Nick change: Bertl -> Bertl_zZ
[06:41] expiryjames (~james@cindi.ca) joined #vserver.
[06:44] <_shur1> gnit ben
[06:44] <_shur1> Bertl_zZ
[07:20] serving (~serving@213.186.188.205) joined #vserver.
[07:26] # ./vserver-build --force -m legacy --interface=69.93.207.112 -n yamaha
[07:26] vc_new_s_context(): Invalid argument
[07:26] *repeat*
[07:27] if anyone's alive and might know what the heck? vs1.37...
[07:59] mm.. error on build again..
[07:59] ./vserver-build -m legacy -n yamaha --interface=69.93.207.112 --context 1 --force
[07:59] Error: /proc must be mounted
[07:59] To mount /proc at boot you need an /etc/fstab line like:
[07:59] In the meantime, mount /proc /proc -t proc
[07:59] Failed to parse ps-output
[11:38] ben (~ben@bengrimm-host225.dsl.visi.com) left irc: Ping timeout: 501 seconds
[11:54] virtuoso (~shisha@187ppp.telegraph.spb.ru) joined #vserver.
[11:54] re all
[12:08] virtuoso (~shisha@187ppp.telegraph.spb.ru) left irc: Read error: Connection reset by peer
[13:00] rs (rs@ice.aspic.com) joined #vserver.
[13:00] hi guys
[13:14] BobR (~georg@MAIL.13thfloor.at) joined #vserver.
[13:14] BobR (~georg@MAIL.13thfloor.at) left #vserver.
[15:07] hi
[15:22] surriel (~riel@imladris.surriel.com) joined #vserver.
[15:36] Mcleod: regarding the vserver-build problem you mentioned 'just' 7,5 hours ago ;) you can't use context 1 for a vserver, that one is reserved for being 'global', i.e. the processes of all contexts show up there
[15:42] Doener: ok, I was still getting the /proc must be mounted error with all vservers tho at the time
[15:42] Doener: i've reverted to v1.26 for the moment
[15:44] hmm.. 1.3.7 has vproc security, iirc you have to allow vservers to use proc entries ... but don't ask me how, i'm still happy with 1.26, although i'd like to mess around with testing/experimental there's no box i could use for that...
[15:48] *nod* .. i was unable to find doc's about that..
[15:50] Doener: actually, do you know how to edit the default route for vserver instances?
[15:52] hm?
[15:52] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Read error: Connection reset by peer
[15:52] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[15:54] ah n/m, just trying to sort something out
[15:54] like is this normal?
[15:54] ping 139.130.4.4
[15:54] ping: icmp open socket: Operation not permitted
[15:54] are you in the vserver?
[15:54] ping is not permitted if you don't have CAP_NET_RAW
[15:55] regarding vproc: http://archives.linux-vserver.org/200401/0125.html
[15:56] i guess devel handles it the other way round, so all proc entries are disabled by default(?)
[15:56] sorry i'm really new to all this - ok, looks like i'll look into that and might try 1.37 another shot
[15:57] btw, what is CAP_NET_RAW? I see that in the config file but... ?
[15:58] i don't know exactly, just that you need it for pinging from inside the vserver, but it also grants permission to use tcpdump for example, so sniffing is possible
[15:59] ok thank you, simply enabled it and it's OK
[15:59] now to learn about vproc!
[16:13] Doener: so you haven't done anything with the devel tree yourself?
[16:14] not so far
[16:15] i'm thinking about buying a small box to have something to play with, but there must be a hole in my wallet ;)
[16:34] vserver yamaha status
[16:34] Error: /proc must be mounted
[16:34] To mount /proc at boot you need an /etc/fstab line like:
[16:34] In the meantime, mount /proc /proc -t proc
[16:34] Failed to parse ps-output
[16:34] Vserver 'yamaha' is running at context '49154'
[16:34] Number of processes: 0
[16:34] Uptime: 00:00
[16:34] :(
[16:36] you said that the CAP_NET_RAW capability permit to tcpdump, so what the tcpdump allow to see ? all interface packets or just packets for this context ?
[16:36] my question is: is raw packets are context aware ?
[16:37] i think he was suggesting no
[16:40] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Read error: No route to host
[16:40] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[16:42] rs: you'd see all packets that pass through the interface
[16:42] it's a serious security (or privacy) problem :/
[16:42] Doener: is there a way to search the mailing list? or anything on how to use vproc, as I have this error on starting up vservers execvp(): Permission denied
[16:43] Mcleod: google ?
[16:43] rs: that'd be why its disabled by default :)
[16:44] Mcleod: yep but allowing people into vserver to ping without the ability to dump all the interface traffic could be a good feature (maybe it's not possible)
[16:46] mmm, i wish there was some docs about vproc as this mounting /proc problem seems very trivial
[16:46] but no one seems to know the answer :(
[16:46] Mcleod: /proc is mounted, just the variables aren't visible in contexts other than 0/1 by default in 1.3.x
[16:47] Zoiah: OK, so how do I resolve this?
[16:48] rs: iirc there actually was a posting on the ml that provided a solution allowing CAP_NET_RAW without the ability to sniff...
[16:49] Mcleod: use setattr.
[16:49] Mcleod: I don't know the exact stuff you need from the top of my head though.
[16:49] rs: http://list.linux-vserver.org/archive/vserver/msg06205.html
[16:50] Doener: oh ok thx, it's insightful info :)
[16:50] Zoiah: mm, I've never used setattr before so i don't know what i'd be doing with it
[16:53] Zoiah: wasn't it vproc that controlled proc visibilities? only xxattr stuff i remember is the +t barrier in 1.25+ ...
[16:58] Nick change: Bertl_zZ -> Bertl
[16:58] and the patched immutable attr for hard links
[16:59] morning everyone!
[16:59] Bertl: hiya :)
[16:59] hello Bertl
[16:59] Bertl: maybe you can tell me how to use vproc? :D
[16:59] Mcleod: you are hitting the /proc security!
[16:59] Bertl: what time is it in your country ? :)
[16:59] 15:00 CET
[17:00] Mcleod: ever tried vproc -h ?
[17:00] Bertl: yes but i don't know what /proc entries i have to touch
[17:00] me neither, but you can experiment a little ...
[17:01] Doener_zZz (~doener@pD9E12E78.dip.t-dialin.net) joined #vserver.
[17:01] haha
[17:01] it depends on the distro
[17:01] well 'ifconfig' complains about /proc not being mounted
[17:01] so i guess that's a start
[17:01] you get the same, insecure, setting as with the stable branch if you do:
[17:02] vproc -e /proc/[a-z]* /proc/[a-z]*/* /proc/[a-z]*/*/*
[17:02] btw, it doesn't have to be insecure, largely depends on your drivers and kernel setup
[17:03] ben (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[17:03] hi ben!
[17:03] hi there
[17:04] Mcleod: which util-vserver version are you using ?
[17:04] Nick change: Doener_zZz -> Doener_
[17:04] rs: 0.28.195
[17:04] latest listed in the 1.3.7 tree
[17:04] hi Doener_!
[17:05] hi Bertl
[17:05] no matter what time i choose for my 24h disconnect, it's always hitting me in the middle of a conversation...
[17:05] Mcleod - I had better luck with .199
[17:06] @all: it's not always the latest version listed in the releases, it's the version which was available as the release did happen ...
[17:06] currently enrico's alpha tools are at 0.29.196 IIRC
[17:06] cheers
[17:07] that is I had better luck with 0.28.199
[17:08] mm...
[17:08] # vserver yamaha start
[17:08] symlink(): Permission denied
[17:08] and it doesn't seem to try and start?
[17:08] Doener (~doener@pD9E12A72.dip.t-dialin.net) left irc: Ping timeout: 501 seconds
[17:09] bertl, I'm seeing 0.29.192 at http://www-user.tu-chemnitz.de/~ensc/util-vserver/alpha/
[17:09] Nick change: Doener_ -> Doener
[17:23] Mcleod: hmm, sounds interesting, what script does the symlink()?
[17:23] ben: http://www-user.tu-chemnitz.de/~ensc/util-vserver/test/
[17:24] Bertl: uhm, not sure how to identify that...
[17:24] sec, afk, brb
[17:24] Mcleod: try bash -x `which vserver` yamaha start
[17:25] cheers
[17:25] ++ cd /usr/local/etc/vservers/yamaha/vdir/
[17:25] ++ /usr/local/sbin/chbind --silent /usr/local/lib/util-vserver/exec-ulimit /usr/local/etc/vservers/yamaha/ulimits /usr/local/sbin/chcontext --silent --secure /usr/local/lib/util-vserver/save_ctxinfo /usr/local/etc/vservers/yamaha /usr/local/lib/util-vserver/capchroot .
[17:25] symlink(): Permission denied
[17:26] your vservers are located in /vservers/ ?
[17:26] err... forgot it ....
[17:27] lsattr /usr/local/etc /usr/local/etc/vservers
[17:28] what does that show? just the lines concerning, /usr/local/etc/vservers and /usr/local/etc/vservers/yamaha
[17:28] nothing in /usr/local/etc/vservers apart from the directory
[17:28] # lsattr /usr/local/etc /usr/local/etc/vservers
[17:28] -------------- /usr/local/etc/vservers.conf
[17:28] -------------- /usr/local/etc/init.d
[17:28] -------------- /usr/local/etc/vservers
[17:28] -------------- /usr/local/etc/pear.conf
[17:28] -------------- /usr/local/etc/vservers/yamaha
[17:28] -------------- /usr/local/etc/vservers/samsung
[17:29] hmm... so you're not using the +t barrier...
[17:30] ?
[17:30] Action: Doener does not know if it's needed in devel at all...
[17:30] doener: where is the use of setattr documented?
[17:31] somewhere in the wiki?
[17:31] ben: what's that setattr at all? never heard of it...
[17:32] Mcleod: there's an exploit that allows to access the root filesystem... in stable one has to use the +t flag that's abused to block that kind of attack...
[17:32] is there a debian package of the last enrico util-vserver somewhere ?
[17:32] Doener: what is the +t flag?
[17:32] rs: yesterday it showed up in the unstable tree, don't know about stable/testing
[17:33] I use unstable
[17:33] setattr comes with the util-vserver package
[17:33] and I use the devel context patch
[17:33] you can set attributes of files, etc...
set barrier
[17:34] but I can't find any doc for it other than the source ;-)
[17:34] but the vserver package in debian doesn't seem to work with the 1.3.7 kernel patch
[17:34] okay, I'm back ;)
[17:34] rs, I don't believe that it will work
[17:34] rs, think you need the alpha util-vserver package
[17:34] @all setattr on devel/exp is an alternative to vproc
[17:35] ben: yes I think so
[17:35] but does the alpha util-server package exist for debian ?
[17:35] Bertl: does that info about chbind complaining about symlink(): permission denied make any sense to you?
[17:35] rs: yes, it's named util-vserver ;)
[17:35] Mcleod: the +t flag ensures on stable that nobody can escape the chroot barrier (together with 000)
[17:36] Doener: in the main debian sources ??
[17:36] Bertl: ok, but what is the +t flag and how do I set it?
[17:36] Mcleod: no, never heard of the symlink() issue ...
[17:36] Mcleod: do you use stable or devel atm?
[17:36] devel 1.3.7
[17:36] okay, on devel you just forget about the +t flag
[17:36] rs: yeah... http://packages.debian.org/cgi-bin/search_packages.pl?keywords=util-vserver&searchon=names&subword=1&version=all&release=all
[17:36] damn you're right, how could I have missed it :)
[17:37] Mcleod: there is a barrier flag, which can be set with setattr --barrier
[17:37] Nick change: surriel -> riel
[17:38] hi Rik!
[17:38] is rmap already available?
[17:38] Doener: and the devel context patch is also packaged somewhere ?
[17:39] rs: kernel-patch is still at 1.21...
[17:40] ok, it's what I thought
[18:17] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) joined #vserver.
[18:17] hi ccooke!
[18:18] afternoon
[18:20] expiryjames (~james@cindi.ca) left irc: Quit: Leaving
[18:30] IlyaM123 (~ilya@nat.R1.bsim.ru) joined #vserver.
[18:30] hi IlyaM123!
[18:31] Hello Bertl
[18:31] eth1: Too much work at interrupt, status=0x4050.
...is this vserver related
[18:32] sure, without vserver, you would never get this much load on eth0 ;)
[18:32] sorry eth1 ;)
[18:32] realtek card?
[18:32] lol, mids, same question i was just gonna type
[18:32] if it's realtek, the solution is to replace by intel or 3com ;>
[18:33] no, it's an eepro 100 ;) well i was transferring between ftp
[18:33] or edit your kernel source and comment that line out
[18:33] Cmaj: which driver?
[18:33] eepro100 20556 1
[18:33] mii 2400 0 [eepro100]
[18:33] take the e100 driver ...
[18:34] okay :) i compiled both ..
[18:34] the eepro driver is more than two years old ...
[18:34] Can anybody elaborate me how networking works for vservers. I started vserver, it created alias on lo: 172.16.0.1/255.0.0.0. Why I can connect to daemons inside vserver via 172.16.0.1 but not via 172.16.0.2?
[18:35] networking on vservers works like networking on the host with aliases ...
[18:35] the chbind (used by vservers) restricts the number of possible IPs to the given IPs
[18:36] binds to INADDR_ANY only bind to those ...
[18:36] thx to be so fast ...:)
[18:36] does netmask affect the range of possible IPs?
[18:37] yes
[18:37] and good afternoon #vserver
[18:37] hi click!
[18:37] IlyaM123: well, the netmask is usually used to create the aliases, but only for some special tests in the vserver code
[18:38] Nesh (~dmistry@su-nat.datapipe.net) left irc: Read error: Connection reset by peer
[18:40] do I understand correctly that even if interface used by vserver is 172.16.0.1/255.0.0.0 daemon can bind only to 172.16.0.1 but not other IP address
[18:41] hey i just got my hand on Linux unleashed fourth edition and at some point it talks about Jacques Gelinas and linuxconf ... i had a little smile ...maybe next edition will have vserver docs in ..
[18:41] IlyaM123: yes
[18:42] thnx
[18:48] IlyaM123 (~ilya@nat.R1.bsim.ru) left irc: Quit: Client Exiting
[19:03] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver.
[19:04] jam?
[19:04] james?
I mean ...
[19:04] Bertl: sorry to bother you again, you made reference to 'rlimit' earlier for memory limits, however there doesn't appear to be a particular program called that in util-vserver-0.29 .. ?
[19:05] vlimit
[19:05] ahh
[19:05] rlimit is the interface, I might have mixed that up ...
[19:05] sorry i closed the query window so didn't have it in front of me anymore
[19:06] don't suppose you know the syntax and how to apply it to vservers on startup? I'm trying to grasp how to use it
[19:09] vlimit --help isn't extremely helpful :)
[19:09] give me a second ...
[19:11] Usage: vlimit [-c|--ctx ] [-a|--all] [-MSH -- ]*
[19:11] so, this means:
[19:11] vlimit --ctx
[19:11] good morning
[19:11] hi James!
[19:11] i figure i should select a persistent context id for each.. and then use vlimit -c -MSH 32 ... maybe? :)
[19:11] the -M -S and -H are for Minimum SoftLimit and HardLimit
[19:12] -- is the RLIMIT number of that particular limit
[19:12] and value is the value you want to set it to ...
[19:12] was there quota patches for the 2.6 kernel? doesn't seem to be on the site
[19:12] in kb?
[19:13] what does vlimit -a show you?
[19:13] sorry vlimit --ctx -a
[19:13] where xid is the xid of your vserver context
[19:14] a lot of this
[19:14] ah crap, cut/paste not working
[19:14] 2 N/A N/A 0xbfffdfss
[19:15] *similar to above repeated*
[19:15] okay, look for 4,5 they should give something useful, if not something is broken ...
[19:16] nah, none of the lines are useful
[19:16] that is bad ...
[19:16] lines 4,5,8 call vc_get_rlimit() but yeah, nothing useful
[19:16] anyway, the set might work ...
[19:16] check with cat /proc/virtual//limit
[19:17] with the xid of one of your vservers
[19:17] that's useful
[19:17] PROC: 11/1000
[19:17] VM: 5580/-1
[19:17] VML: 0/-1
[19:17] RSS: 1-37/-1
[19:17] 1-37?
[19:17] 1037/-1
[19:17] okay *phew*
[19:17] cut/paste isn't working for some reason so my fingers are getting a workout
[19:18] okay, those are the current limits and values
[19:18] hmmm
[19:18] so -1 means unlimited
[19:19] whats the unit of measurement?
[19:19] kb/mb/?
[19:19] you have currently 11 processes using 5580 pages (I think it was pages ;)
[19:19] you are allowed to run 1000 processes in this vserver
[19:20] and no limit on the VM/VML/RSS
[19:20] OK
[19:20] btw, what was that setattr (?) or similar command that I did on /proc/ which simply allowed everything? that seems to have been undone on a reboot
[19:21] oh it was vproc wasn't it
[19:21] yep, this is only valid as long as proc exists ...
[19:22] so i'm going to have to run it at startup then..
[19:22] okay, RLIMIT_AS = 9
[19:22] helpful to know
[19:22] that is the virtual memory
[19:22] so using vlimit --ctx -H -9 10000
[19:22] should change that ...
[19:23] what i basically want to do, is limit vservers to 32Mb ram
[19:24] yeah, that is _basically_ what everybody wants ;)
[19:24] but this is not possible atm
[19:25] which means, the current kernel does not support this ...
[19:26] the memory scheme isn't that simple, that you assign some memory space to a bunch of tasks, this doesn't work in a shared environment ...
[19:26] would have to reserve ram space etc etc so although i don't have a good understanding i understand that its not straight forward
[19:26] so what does vlimit particularly achieve?
[19:27] RSS does/will come very close to what you expect, but it isn't enforceable in vanilla 2.4.25 kernel
[19:27] the RSS (Resident Set Size) is equiv to the actual in memory use
[19:28] what you can limit for now, is the Virtual Memory, but this has two implications
[19:28] normal 2.4.x kernels do not limit the VM at all, so some apps might break after limiting the VM
[19:29] and the VM limits have to be higher than the actual ram limits you consider ...
[19:30] 2.6 should allow to limit the RSS too, but I doubt that this will be too useful, because it only increases swapping out that memory, which isn't good for performance ...
[19:31] <_shur1> re
[19:31] we'll probably have to invent something like a memory penalty and use this to affect the scheduler ...
[19:31] hi _shur1!
[19:33] Bertl: this afternoon I'm on a concall with the IBM folks about CKRM
[19:35] heard about it, unfortunately it's not free for outside US
[19:36] but you will keep us up to date, I guess ...
[19:37] of course
[19:38] tape it:)
[19:38] yeas
[19:41] hmm, indeed, that would be a good idea, rik?
[19:42] providing it as ogg-vorbis or something similar?
[19:49] Mcleod: hi, your symlink error happens probably when save_ctxinfo tries to create a symlink at /var/run/vservers.rev/
[19:49] (or whatever you have configured as your localstatedir)
[19:51] should be /usr/local/etc/vservers/yamaha/run.rev/
[19:52] sorry i've reverted to util-vserver-0.29, so i'm unable to recreate the error
[19:57] ensc: I gave a fair bit of detail above tho, scroll back 2.5-3 hours
[19:58] yes, I see it. but the run.rev directories was not mentioned there
[20:00] ok, that directory did exist i remember that (well, the symlink to a directory)
[20:00] i think I pasted where those symlinks went to, to Bertl, he may well have it in his history
[20:01] sorry i've just got it working i don't really want to try and get the other util-vserver tools going again :)
[20:04] okay, dinner is almost ready ... will be back soon ..
[20:04] Nick change: Bertl -> Bertl_oO
[20:07] Nick change: Mcleod -> Mcleod[sleep]
[20:15] is it normal that /proc/mounts show all real mounts and the mount command shows fake mount info ?
[20:16] AND that I'm not able to hide the /proc/mounts with the vproc command ?
[20:18] Nick change: cgone -> cdub
[20:20] tanjix (tanjix@pD904A01D.dip.t-dialin.net) joined #vserver.
[20:20] hi
[20:20] rs, yeah that's the behavior I see
[20:21] maybe someone can help me on this when starting a vserver
[20:21] SIOCSIFADDR: File exists
[20:21] SIOCSIFFLAGS: Cannot assign requested address
[20:21] SIOCSIFNETMASK: Cannot assign requested address
[20:21] SIOCSIFBRDADDR: Cannot assign requested address
[20:21] SIOCSIFFLAGS: Cannot assign requested address
[20:21] there's a patch to hide it
[20:23] hi tanjix, which version are you running?
[20:23] vs 1.26
[20:24] hmm, I've only used 1.3.7, but maybe can help
[20:24] maharaja (maharaja@ipax.tk) left irc: Read error: Connection reset by peer
[20:24] Nick change: Bertl_oO -> Bertl
[20:24] but Bertl knows everything ;-)
[20:25] do I?
[20:25] didn't know that yet ;)
[20:26] ben: and do you know why mounts info returned by mount is different from what is in /proc/mounts ?
[20:27] rs: because mounts looks at /etc/mtab ;)
[20:27] see, he knows everything ;-)
[20:28] you're right
[20:28] hehe
[20:29] so is it planned to hide /proc/mounts info in the main ctx patch ?
[20:29] hmm, no not planned, but it is possible ...
[20:31] Bertl: hi
[20:31] it would be a good behavior for VDS providers
[20:31] hi tanjix!
[20:32] do you know s.th. about the error above ?
[20:32] rs: there is a patch to disable /proc/mounts ;)
[20:32] it is vs 1.26 on debian
[20:32] tanjix: no error, you are trying to create an interface alias which already exists
[20:32] won't they be "deleted" when i stop a vserver
[20:33] probably, but there are several methods of doing it entirely wrong .. let's see which one you did choose ...
[20:33] vserver stop
[20:33] what is the name of your vserver
[20:33] prloens
[20:34] okay, you did a stop now?
[20:34] yes
[20:35] on stopping i get the same "errors"
[20:35] okay, save the current network info with ifconfig -a >/tmp/config01.log
[20:36] done
[20:36] now do 'grep IPROOT /etc/vservers/prloens.conf'
[20:37] if possible let me have a look at this
[20:37] IPROOT="217.20.117.162"
[20:37] IPROOTDEV="eth0"
[20:38] okay, now do 'grep 217.20.117.162' /tmp/config01.log
[20:38] okay, now do 'grep 217.20.117.162 /tmp/config01.log
[20:39] okay, i saw the error
[20:39] eth0:1 already exists with that ip
[20:39] okay, either remove the eth0 from the config
[20:39] or do an ifconfig eth0:1 down
[20:40] yep i deleted all the virt. interfaces that were created
[20:40] (by hand)
[20:40] okay, now try again with the vserver start
[20:40] works :)
[20:41] Starting domain name service: namednamed: capset failed: Operation not permitted
[20:41] .
[20:41] Starting domain name service: lwresdlwresd: capset failed: Operation not permitted
[20:41] .
[20:41] you owe me _another_ shrubbery ...
[20:41] this is s.th. with CAP_NET_RAW i need to change isn't it
[20:42] nope this is something with bind you have to change ;)
[20:42] @all, a new Vulnerability!
[20:42] http://lists.netsys.com/pipermail/full-disclosure/2004-February/017613.html
[20:42] 8-)
[20:46] Bertl: i should have some more of the howto to show you in about an hour or two. at least covering how to patch and configure a 2.4.25 kernel and explaining what things in the document are likely to change as it gets out of date.
[20:47] tanjix (tanjix@pD904A01D.dip.t-dialin.net) left irc:
[20:48] talon: okay will have a look at it/do some proofreading if that is what you want ...
[20:48] Bertl: can you purchase to ITMS from country ?
[20:48] rs: what is ITMS?
[20:48] ITune Music Store
[20:49] the services that your 'vulnerability' talk about
[20:49] ah, don't know, just found it funny ...
[20:49] eheh ok :)
[20:50] those are the vulnerabilities we want to see here, right?
[20:51] yeh right :)
[20:53] I'm going home, so have a nice week-end guys :)
[20:54] rs (rs@ice.aspic.com) left irc: Quit: home
[20:58] Bertl: heh i wouldnt bother with proofreading. some comments on the content would be nice though. just figured you would be interested in how it was coming along.
[20:58] sure I am ...
[21:16] Bertl: host -t MX shellparadise.net
[21:16] give me the results please
[21:16] host -t MX shellparadise.net
[21:16] shellparadise.net mail is handled by 20 mx1.shellparadise.net.
[21:16] shellparadise.net mail is handled by 10 mx2.shellparadise.net.
[21:16] thank you :)
[21:16] it propagates
[21:17] dp they resolve?
[21:17] *do
[21:25] Action: lilo waves to Bertl, with some time delay
[21:25] Action: Bertl waves back .. with almost no delay
[21:25] hehe
[21:25] I have too many windows 8)
[21:25] I have an OFTC connection up for the channels I'm interested in, but I hardly ever manage to get over here
[21:25] I don't use windows at all ;)
[21:25] hehe
[21:26] well, I use 'windows' in an approximate sense, I run Linux only, and I'm on an xterm shell running screen :)
[21:26] guess that is legitimate ...
[21:26] but I have irssi divided up into separate screen areas 8)
[21:27] of course, most of them are invisible (I've never quite gotten happy with irssi's windowing support, it's too different from the ircii I grew up on)
[21:27] well, I like it (irssi) it's intuitive and fast ...
[21:28] yes....it's a real breath of fresh air after ircii in a number of ways
[21:28] I used to have to do everything in scripting on ircii and it tended to segfault from time to time 8)
[21:28] I find scripting in irssi to be a bit less intuitive
[21:28] but I don't end up doing much of it
[21:29] so you are interested in linux-vserver?
[21:29] I like that it's perl (ircii has a horrid and crufty language) but the architecture seems a little too involved
[21:29] yes
[21:29] ever got around using/testing it?
[21:29] not so far....I just haven't had time to play with it
[21:30] you should give it a spin ...
[21:30] but it's the sort of thing we need, has to provide some excellent service options for hosting
[21:30] and I hear good things about it
[21:30] I will have to, when I manage to come up for air 8)
[21:36] http://talon.home.cosmic-cow.net/howto.html
[21:36] thats all i have for the moment.
[21:37] im working on the kernel config bit as we speak.
[21:37] theres also howto.txt howto.ps and howto.pdf
[21:37] okay, we will update the quota stuff to 0.14 before you release it
[21:38] I did some minor fixes to allow it to compile with quota turned off ;)
[21:38] bind moutn
[21:38] yeah ignore the typos i will ferret them out later.
[21:38] okay
[21:38] just thought you would like to see the general style.
[21:39] root@darkstar:/usr/src/vserver# cd linux-2.4.25
[21:39] root@darkstar:/usr/src/vserver/linux-2.4.25#
[21:39] root@darkstar:/usr/src/vserver/linux-2.4.25# wget http://www.13thfloor.a
[21:39] don't do this, do not download the patches into the kernel source
[21:39] keep it one level higher ...
[21:39] and maybe you could 'suggest' the cp -la trick, you know it?
[21:40] Bertl: yeah i will suggest that too. and thanks for the patch advice.
[21:40] skip the boring applying the patches stuff ... only show 3-4 entries and use ellipsis ...
[21:41] i usually keep the patches in a directory called patches in subdirs called exp2 exp2 etc. but i usually copy them over to the link tree before applying them. but i will change the examples to referencing the patches from outside the kernel tree.
[21:41] the reason i even copy them over at all is so i can tell which patches ive applied.
[21:41] by doing an ls.
[21:42] sounds reasonable, but is unpractical for doing diffs for example
[21:42] Action: talon nods your way is a bit better.
[21:42] I usually do the naming in the kernel dir
[21:42] linux-2.4.25 (vanilla kernel)
[21:43] linux-2.4.25-vs1.26 (patched vserver 1.26 stable)
[21:43] linux-2.4.25-vs1.26-q0.14 ...
[21:43] gets kind of long though when you have upwards of 4 patches.
[21:44] talon: general structure seems useful .. but not much to look at for now ;)
[22:36] loger joined #vserver.
[22:39] Bertl: as my project progresses im going to be writing more documentation about vserver for both internal and end-user use. i will try to make the bits that apply to just vserver itself available as well.
[23:30] loger joined #vserver.
[23:37] Cyrix (~master@d51-95.dsl.easysurfnet.de) joined #vserver.
[23:37] good evening
[23:48] kestrel (athomas@home.swapoff.org) left irc: Ping timeout: 492 seconds
[23:48] kestrel (athomas@home.swapoff.org) joined #vserver.
[23:55] ben (~ben@bengrimm-host225.dsl.visi.com) left irc: Read error: Connection reset by peer
[23:56] i have a problem... my vservers are on a LVM-Partition which I want to resize now, but I need to umount it for that purpose first. Although i ran an vserver servername stop for my running vservers I get an device busy when I try to unmount it ... any idea what I may have forgotten ?
[00:00] --- Sat Feb 21 2004