[00:00] crap... have been fiddling all night with some dumb webserver to improve i/o performance and mysql memory consumption as those seemed to be the main problems and now it seems that there is just some shitty memory leak in an apache module or stuff and it just had to kill its children more often...
[00:03] shit happens, how is your vserver today?
[00:04] afaik all boxes are quite happy :)
[00:05] that is something ...
[00:06] yepp, great piece of software you made
[00:14] hmm, well although most parts are rewritten now, the basic concepts and routines were done by jacques ...
[00:15] i guess there aren't too many ways to do this anyways
[00:16] hmm... how experimental is the experimental tree? i'm thinking of abusing my desktop for testing...
[00:16] should work very similar to devel ...
[00:16] we are approaching a first 'stable' release for 2.6 anyways ...
[00:17] great!
[00:18] have to leave now, will be back in an hour or so ...
[00:18] ok, cu
[00:34] Cmaj (~cmaj@3ffe:bc0:5f3:1:9999:911:c3d3:5431) left irc: Ping timeout: 483 seconds
[00:42] brb
[00:51] JonB (~NoSuchUse@kg144.kollegiegaarden.dk) left irc: Ping timeout: 501 seconds
[00:52] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[00:57] expiryjames (~james@cindi.ca) left irc: Quit: Leaving
[01:09] sgt_b (~sgt_b@c-24-12-241-181.client.comcast.net) joined #vserver.
[01:09] hi sgt_b!
[01:09] Hey everyone :) , Can vserver log input? I'm looking for an alternative to UML's ability to do TTY logging
[01:09] hi Bert :)
[01:10] what do you mean by 'log input'?
[01:11] Well, forgive me, but in User-Mode-Linux, when someone connects to their UML, there is an option that allows you to log that UML session (keystrokes)
[01:12] ah okay, well, basically this is possible, because you can 'log' all 'keystrokes' on a linux machine ...
[01:12] but there is no special vserver support for that feature ...
[01:13] oh ok. It's for a security project i'm working on so I'd need that feature. :(
[01:13] Thanks for the help though, I appreciate it!
[01:14] sgt_b (~sgt_b@c-24-12-241-181.client.comcast.net) left #vserver.
[01:33] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[01:54] expiryjames (~james@s142-179-54-133.bc.hsia.telus.net) joined #vserver.
[01:54] hi expiryjames!
[01:54] good day bert
[02:08] d'oh... successfully compiled my kernel, but forgot to apply the vserver patch...
[02:08] congrats!
[02:48] expiryjames (~james@s142-179-54-133.bc.hsia.telus.net) left irc: Remote host closed the connection
[02:54] paul (~irssi@p5089E8F6.dip.t-dialin.net) left irc: Quit: leaving
[02:59] hmm... how would i set the sgid bit recursively but only for directories?
[02:59] probably with find ...
[03:00] find -type d | xargs chmod g+s
[03:01] ah! xargs ... i've always tried to understand find's --exec but always failed
[03:01] hmm find -type d -exec chmod g+s {} \;
[03:01] will do the same, only slower ;)
[03:02] what are those curly braces good for?
[03:02] this is the 'filename'
[03:03] it's even mentioned in the manpage... i must have been drunk or something when i tried it the last time...
[03:05] hmm, Doener, could you give the new testme.sh script a try, and let me know how it works?
[03:06] http://vserver.13thfloor.at/Stuff/testme.sh-0.07
[03:06] on experimental?
[03:06] or stable?
[03:06] whatever available, the more the better ...
[03:13] sed: -e expression #1, char 49: Extra characters after command
[03:14] two times
[03:14] [201]# failed.
[03:14] GNU sed version 3.02
[03:14] oh 2.4.25-vs.1.26
[03:14] s/oh/on/
[03:14] interesting .. okay, will modify that sed line again ...
[03:17] could you try that line for me on one of your hosts?
[03:17] echo x | sed '/--\|version/ {s/.*\ \([0-9][0-9.]*\).*/\1/g;p;q}'
[03:17] I guess it reports the same error, right?
[03:17] yepp
[03:18] could you change the 'q' to a 'Q' and try again?
[03:21] sed: -e expression #1, char 48: Unknown command: ``Q''
[03:21] hmm, okay ...
[03:22] I guess I have to find an old sed for testing ...
[03:22] thanks ...
[03:23] ah, adding a semicolon after the q does the trick ...
[03:25] just found out the same ;)
[03:26] okay, updated the script, please either reload it, or add the modifications by hand, if you use it again ...
[03:26] okay, testme runs clean, only #201 fails
[03:26] that is expected on stable with older non util-vserver tools
[03:27] hmm... those are util-vserver tools...
[03:27] which version?
[03:27] 0.26
[03:27] yeah, was fixed in 0.28 IIRC ;)
[03:27] ah, okay
[03:28] confirmed ;) 0.28 succeeds in all tests
[03:29] Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
[03:29] New security context is 1
[03:29] chcontext is working.
[03:29] chbind is working.
[03:29] Linux 2.6.3 i686/0.29.196/0.29.196 [Ea]
[03:29] ---
[03:29] [001]# succeeded.
[03:29] [011]# succeeded.
[03:29] [031]# succeeded.
[03:29] [101]# succeeded.
[03:29] [102]# succeeded.
[03:29] [201]# succeeded.
[03:29] [202]# succeeded.
[03:38] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) left irc: Ping timeout: 480 seconds
[05:23] serving (~serving@213.186.188.205) left irc: Read error: Connection reset by peer
[05:32] serving (~serving@213.186.188.205) joined #vserver.
[07:18] expiryjames (~james@cindi.ca) joined #vserver.
[07:18] expiryjames (~james@cindi.ca) left irc: Client Quit
[07:18] expiryjames (~james@cindi.ca) joined #vserver.
[07:19] hmm, hi james?
[07:19] good morning
[07:21] so how is the sunday? morning with vserver?
[07:42] so far so good,
[07:43] compiled up 1.26 with the latest kernel and the quota hashes
[07:44] still saturday here..
[07:44] now I'm just reading the mailing lists..
[07:45] on quotas
[07:45] yeah, talon is working on a howto ...
[07:46] any specific questions atm?
[07:47] nope.. just reading..
[07:48] how come you seem to work nights? :)
[07:49] working at night is just more comfy for me than at day ...
[07:49] I can see that.. quiet.. less distractions
[08:41] okay, I'm tired, have a good wossname, cu all around ...
[08:41] Nick change: Bertl -> Bertl_zZ
[08:49] kestrel (athomas@home.swapoff.org) left irc: Quit: brb
[10:42] kestrel (athomas@home.swapoff.org) joined #vserver.
[10:42] hello
[10:56] kestrel (athomas@home.swapoff.org) left irc: Quit: bugger
[11:00] kestrel (athomas@home.swapoff.org) joined #vserver.
[11:01] kestrel (athomas@home.swapoff.org) left irc: Client Quit
[11:01] kestrel (athomas@home.swapoff.org) joined #vserver.
[11:01] hi
[11:23] Mcleod[Zzz] (~altec@202.9.60.199) left irc: Read error: Connection reset by peer
[11:56] Mcleod[Zzz] (~altec@202.9.60.199) joined #vserver.
[13:23] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[14:35] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) joined #vserver.
[16:27] sladen (~paul@starsky.19inch.net) left irc: Ping timeout: 488 seconds
[16:32] s1aden (paul@starsky.19inch.net) joined #vserver.
[16:57] Doener (~doener@pD9E129EB.dip.t-dialin.net) left irc: Quit: Leaving
[17:57] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver.
[18:01] hi
[18:02] hey
[18:10] BobR_ (~georg@chello080109062083.15.14.vie.surfer.at) joined #vserver.
[18:18] BobR_ (~georg@chello080109062083.15.14.vie.surfer.at) left irc: Quit: leaving
[18:18] BobR_ (~georg@chello080109062083.15.14.vie.surfer.at) joined #vserver.
[18:18] BobR_ (~georg@chello080109062083.15.14.vie.surfer.at) left #vserver.
[18:32] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving
[18:42] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver.
[18:44] Nick change: Bertl_zZ -> Bertl
[18:44] hi everyone!
[18:45] hi Bertl
[19:05] _shur1 (~shushushu@3ffe:bc0:1cf:1:2:3:4:9) left irc: Ping timeout: 483 seconds
[19:15] _shur1 (~shushushu@vserver.electronicbox.net) joined #vserver.
[19:41] _shur1 (~shushushu@vserver.electronicbox.net) left irc: Ping timeout: 483 seconds
[19:42] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Ping timeout: 501 seconds
[19:48] _shur1 (~shushushu@vserver.electronicbox.net) joined #vserver.
[19:57] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[20:14] _shur1 (~shushushu@vserver.electronicbox.net) left irc: Quit: changing servers
[20:15] _shur1 (~shushushu@vserver.electronicbox.net) joined #vserver.
[20:15] virtuoso (~shisha@206ppp.telegraph.spb.ru) joined #vserver.
[20:15] hi virtuoso!
[20:17] Bertl: is it intentional that 0.08 does not set EXTRA-VERSION?
[20:17] yup
[20:18] starting with 0.09, I'll split up the patches (probably) and it will get an EXTRA-VERSION
[20:19] is there anything specific you'd like to be tested on 0.08?
[20:20] hmm, no, 0.09 is aimed to 'replace' 1.3.x on 2.6 ...
[20:20] so genreal tests, usability, stability, etc ...
[20:20] s/genreal/general/
[20:21] ok
[20:21] basically I'm interested in any issues or 'unusual' behaviour you encounter ...
[20:21] btw. I would test with 0.08.4
[20:21] http://vserver.13thfloor.at/Experimental/delta-2.6.3-vs0.08-vs0.08.4.diff
[20:38] *burp*
[20:38] evening lads
[20:39] hmm, evening click, drunk again?
[20:39] nah, just stuffed
[20:40] okay ;)
[20:40] beef, fried potatoes and all
[20:40] and a beer of course
[20:40] Bertl: how long time do you think file handles and tcp sockets could take ?
[20:41] Bertl: what about udp sockets ?
[20:41] and other ip packets?
[20:41] maybe network in general ?
[20:41] you mean network limitations?
[20:41] Bertl: the email you sent out
[20:42] although Alex always pointed out that netfilter and iptables isn't fast enough for real use, I adhere to the minimal changes concept, some fancy network stuff can be done with existing tools/kernel features ...
[20:43] Bertl: the freevps vs. vserver mail
[20:43] so for example limiting the bandwidth of a vserver is just a question of proper tc/ip usage
[20:43] Bertl: and limiting file handles?
[20:43] and tcp sockets?
[20:43] that is something we can add ...
[20:44] how long time do you think it would take me adding that ?
[20:44] there was just no request for it for now ...
[20:44] i know
[20:44] but i HAVE to do 2 projects anyway this spring
[20:44] well, if you take a close look at the limits patch ...
[20:44] adding this would probably take you a week, including the testing ...
[20:44] hmm
[20:44] and the report writing
[20:44] hmm
[20:44] it's gonna be a small one
[20:45] i'd see what i can get the professor to agree on
[20:45] it's fairly simple .. a better (more advanced) thing would be to get the RSS accounting/enforcement useable
[20:45] that could be project number 2
[20:46] how long time do you think RSS would take ?
[20:46] hmm, what do you know of the linux memory system?
[20:47] i did have a one semester course on the linux kernel
[20:47] ever done anything with the memory subsystem?
[20:47] no
[20:48] will probably take you 2-3 weeks to get into it, and an additional month to get it right ...
[20:48] hmm, so it's not big enough to be the big final graduate project
[20:49] and I can't guarantee, that I won't attack it earlier ...
[20:49] i know
[20:52] but I might have something else ...
[20:52] that emulation you talked about ?
[20:53] no, something different, are you interested in verifying gcc/binutil validity?
[20:53] tell me more
[20:55] well, I'm currently trying to get a usable cross compiling setup, to make kernel test compiles for all linux supported archs ...
[20:55] yes ?
[20:55] and one of the heavier discussions on lkml about my approach (building the toolchain without (g)libc) which I don't need for kernel compiling ...
[20:56] .. resulted in the following idea from Dan Kegel:
[20:56] That said, you might consider actually running the gcc regression
[20:56] tests against a simulator as an optional part of your script,
[20:56] and only trusting the kernel compilation results on those arches
[20:56] that pass the gcc tests. There are simulators built into gdb,
[20:56] and the gcc regression tests are all set up to run against them.
[20:56] I haven't done this myself, but it's a really good idea :-)
[20:57] what is regression ?
[20:57] unwanted changes/broken stuff from one release to the next
[20:57] opposite from progression ;)
[20:57] what creates that
[20:59] what creates what?
[20:59] the regression
[20:59] i don't understand how one can automatically test against it
[20:59] hmm, okay let me give an example ...
[20:59] you know the testme.sh script?
[20:59] a kernel script ?
[21:00] logon to the dual pentium machine I show you ...
[21:00] resize to an 80 by 25 terminal
[21:01] got it
[21:01] okay, now type screen -x
[21:02] what do you see?
[21:02] wget output
[21:02] okay
[21:02] watch
[21:02] see, it fails .. no tools installed so far ...
[21:03] hmm, did i forget to install the vserver tools ?
[21:03] probably ... but that wasn't what I wanted to show you, so we will fix this ... sec
[21:06] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving
[21:07] JonB: any suggestions?
[21:07] (you can type too)
[21:09] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver.
[21:10] it is a debian stable, upgraded with bunks backported packages
[21:10] i suppose we could install the testing
[21:10] or unstable
[21:10] compiler was missing ;)
[21:10] yes
[21:11] but still, stable is rather old
[21:11] but it works
[21:11] and it is a known state
[21:11] I'm rather old too ;)
[21:11] bunk are new packages from unstable backported to stable
[21:11] hehe
[21:12] i want checkinstall in as well
[21:12] to build a .deb vservertools package
[21:13] easier to upgrade the system then
[21:15] so that was what I wanted to show ...
[21:15] but how can that be done for a different arch ?
[21:16] if I now change something in the kernel, which let's say, breaks the way fakeinit is handled, one or more of those tests will show up red ...
[21:16] this is called regression, because something which obviously worked, now fails ...
[21:16] okay?
[21:16] does this test everything in the kernel
[21:17] no, it should but it doesn't yet ...
[21:17] okay. where does the gdb part come in ?
[21:17] there are about 2200 tests for the gcc compiler suite
[21:17] some of them are only compile tests (to see if it compiles)
[21:18] others are tested by executing them ...
[21:18] while the compile tests still show correct results, when used for a cross compiler, the execute tests will fail ...
[21:19] naturally
[21:19] but the gdb supports target simulation for simple code ...
[21:19] ahh, nice
[21:19] so you can actually 'run' a simple sparc program on i386
[21:19] but is the kernel simple ?
[21:20] no, but the gcc regression tests are ;)
[21:21] so, what parts are not made yet ?
[21:21] the regression is easy i suppose
[21:21] well, it seems that nobody actually used the gdb sim target to 'emulate' the regression tests for gcc ...
[21:22] okay
[21:22] do you think all regression tests could work using gdb sim target ?
[21:22] it would be nice to have a 'script' which does the regression tests for a given binutils/gcc toolchain and reports some verification results ...
[21:22] hmm, time to make that ?
[21:23] hard to tell, could be from a week to two months, but it needs good documentation ... and a lot of testing ...
[21:23] cool
[21:24] the documentation could probably be a big part of the report i have to make anyway
[21:24] and the best part:
[21:25] this would be really useful for a lot of people, kernel folks, gcc folks and vserver, and I do not want to attack this in the near future ;)
[21:25] *grin*
[21:25] i wonder why no one made it so far then
[21:26] well, the gcc people are a special kin ...
[21:26] aha ?
[21:29] are you on later tonight ?
[21:30] guess I will, currently preparing dinner ;)
[21:30] when do we eat ;-P
[21:30] if you come over, I'll add some more steaks ...
[21:31] i'll go shop for some dinner, and then i'd probably write up a small project suggestion which i'd prefer if you would go over
[21:32] i really like the "using GDB sim target to "emulate" the gcc regression tests"
[21:32] okay, I would suggest to do some googling before you write it ...
[21:33] ofc
[21:33] gome
[22:08] hmm... i hope we won't see a feature war on the ml...
[22:11] hehe, no, but I thought a feature comparison would be nice ...
[22:11] herb?
[22:11] yup?
[22:11] is the ip-list static on startup, or can I add new interfaces to a vserver without any major problems?
[22:12] without downing the vs that is
[22:12] uhm... in what way is the /vserver barrier handled in 2.6.x, i.e. what do i need to make it secure?
[22:13] click: basically that is possible, but there is no userspace/kernel interface for that atm ...
[22:13] Doener: --barrier flag ...
[22:13] bertl: needs to be scripted up?
[22:13] bertl: or just not avail in kernelspace yet?
[22:14] eh, stupid sentence
[22:14] i meant...
[22:15] Adding a new interface to a running vserver requires it to be rebooted, due to that one can't allocate new interfaces while it runs
[22:15] correct?
[22:15] (as there are no userspace tools that does it yet)
[22:15] well, the ipv4root stuff only ensures that there is no bad access ...
[22:16] basically it's a list of ip addresses ... so that can be changed on the fly
[22:16] what can not be changed is:
[22:16] - already bound services
[22:16] well, services is not a problem
[22:16] those can be restarted
[22:16] - ongoing connections
[22:17] hm, so adding a new connection will rewrite the interface-list and also interrupt ongoing connections?
[22:17] and what currently is missing, is a way to identify the ipv4root of a vserver
[22:35] loger joined #vserver.
[22:41] click: doesn't need to interrupt connections, unless you restrict the ips ;)
[23:05] Mister_A_ (~mab@nat01-clo-ext.Rutgers.EDU) joined #vserver.
[23:05] hi Mister_A_!
[23:05] Hi - what should the /etc/fstab file of a vserver look like?
[23:05] Hi Bertl
[23:06] ps - i'm using cap_sys_admin
[23:06] depends on the actual use .. but usually ..
[23:06] the reason i'm asking is because i need to use mount so that i can mount the file /dev/Tmp as the /tmp partition (with no execution rights) for security
[23:06] /dev/hdv1 / ext2 defaults 1 1
[23:06] can i use ext3?
[23:07] or /dev/hdv1 / ufs rw,usrquota,grpquota 1 1
[23:07] if you use quota ;9
[23:07] you can whatever fs you prefer, even vfat it just doesn't matter
[23:07] +use+
[23:07] excellent
[23:07] thanks :-D
[23:07] gonna try it now
[23:08] CAP_SYS_ADMIN? hmm not very secure ...
[23:09] is there a way for me to mount a file in a vserver without it?
[23:09] from outside, yes, from inside, no ...
[23:09] How can i do it from outside?
[23:10] mount -o loop path/to/file path/to/vserver/mount/point
[23:10] ah i see what you're saying
[23:10] can i still use the noexec argument?
[23:10] sure, whatever option you want ...
[23:11] (and is supported ;)
[23:11] we'll probably add some kind of restricted mount in the future
[23:11] (only with nodev and such)
[23:12] ok
[23:13] thanks :-D
[23:13] np
[23:13] hm - i can't get the vserver back to its chroot :(
[23:14] which means?
[23:14] if i do a df -m it shows
[23:14] Filesystem 1M-blocks Used Available Use% Mounted on
[23:14] /dev/hdv1 28614 16771 10390 62% /
[23:14] which is normal (inside the vserver)
[23:14] but if i do ls -la /home
[23:14] it shows the /home of the main server
[23:15] well, either you left the vserver, or you mounted the host /home over the vserver ... (or both)
[23:16] what does cat /proc/mounts show?
[23:16] in the vserver?
[23:17] can i use vserver NAME enter if the vserver isn't started yet?
[23:17] yes, you can ... but the result might be different to a running one ...
[23:18] rootfs / rootfs rw 0 0
[23:18] /dev/root / ext3 rw 0 0
[23:18] /proc /proc proc rw 0 0
[23:18] /dev/sda1 /boot ext3 rw 0 0
[23:18] none /dev/pts devpts rw 0 0
[23:18] none /dev/shm tmpfs rw 0 0
[23:18] /dev/sda2 /usr ext3 rw 0 0
[23:18] /dev/sda3 /var ext3 rw 0 0
[23:18] /dev/sda7 /home ext3 rw 0 0
[23:18] none /home/vservers/ray/proc proc rw 0 0
[23:18] none /home/vservers/ray/dev/pts devpts rw 0 0
[23:18] /dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
[23:18] /dev/loop1 /var/tmp ext3 rw,nosuid,noexec 0 0
[23:18] none /dev/shm tmpfs rw 0 0
[23:18] /dev/sda2 /usr ext3 rw 0 0
[23:18] /dev/sda3 /var ext3 rw 0 0
[23:18] /dev/sda7 /home ext3 rw 0 0
[23:18] none /proc proc rw 0 0
[23:18] none /dev/pts devpts rw 0 0
[23:18] i can ssh and ftp into the vserver, it says the hostname is the vserver's hostname but the directory listings show from the main server :(
[23:18] then something is definitely wrong ...
[23:19] first step, give this a spin on the host: http://vserver.13thfloor.at/Stuff/testme.sh
[23:20] and let me know what it says ...
[23:22] Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
[23:22] chcontext is working.
[23:22] chbind is working.
[23:22] Linux 2.4.24-vs1.22 i686/0.26/0.26 [E]
[23:22] ---
[23:22] [001]# succeeded.
[23:22] [011]# succeeded.
[23:22] [031]# succeeded.
[23:22] [101]# succeeded.
[23:22] [102]# succeeded.
[23:22] [201]# failed.
[23:22] [202]# succeeded.
[23:23] hmm, okay now ssh into the vserver and do the following:
[23:24] grep context /proc/self/status
[23:24] s_context: 49163 [ -16373]
[23:24] hmm, looks a little weird, did you get any error messages on context startup?
[23:25] like what?
[23:26] why is that a little weird?
[23:26] okay, just for the fun of doing it, stop the vserver context ...
[23:26] with 'vserver ray stop'?
[23:26] well this vserver is pinny
[23:26] there is a vserver ray but it's working fine
[23:27] okay, then do a vserver pinny stop
[23:27] did
[23:27] and now try again to ssh to it ;)
[23:27] can't connect
[23:27] okay, now restart it ...
[23:28] and let me have a look at the messages
[23:28] [root@sopher etc]# vserver pinny start
[23:28] Starting the virtual server pinny
[23:28] Server pinny is not running
[23:28] ipv4root is now 207.113.28.167 207.113.28.12 207.113.28.13
[23:28] Host name is now pinny.elitehosts.com
[23:28] New security context is 49165
[23:28] Starting iptables: [ OK ]
[23:28] ls: ifcfg*: No such file or directory
[23:28] Setting network parameters: [ OK ]
[23:28] Bringing up loopback interface: ./ifup: configuration for ifcfg-lo not found.
[23:28] Usage: ifup
[23:28] [FAILED]
[23:28] everything else is [ OK ]
[23:29] is there a line about starting the sshd?
[23:29] if i do ls /root on the vserver it's different than the host server
[23:29] i think just /home
[23:29] maybe /usr/ and /var are also mounted to the main hd
[23:29] Starting sshd: [ OK ]
[23:30] but 'mount' doesn't show anything odd
[23:30] /dev/sda5 on / type ext3 (rw)
[23:30] none on /proc type proc (rw)
[23:30] /dev/sda1 on /boot type ext3 (rw)
[23:30] none on /dev/pts type devpts (rw,gid=5,mode=620)
[23:30] none on /dev/shm type tmpfs (rw)
[23:30] /dev/sda2 on /usr type ext3 (rw)
[23:30] /dev/sda3 on /var type ext3 (rw)
[23:30] /dev/sda7 on /home type ext3 (rw)
[23:30] none on /vservers/ray/proc type proc (rw)
[23:30] none on /vservers/ray/dev/pts type devpts (rw)
[23:30] /dev/Tmp on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
[23:30] /dev/varTmp on /var/tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop1)
[23:30] none on /vservers/pinny/proc type proc (rw)
[23:30] none on /vservers/pinny/dev/pts type devpts (rw)
[23:30] what I think is: you have basically copied the host server to the vserver, and because you allow to mount and probably also have a bunch of block devices in the vserver /dev, the startup scripts just mount everything once again in the vserver ...
[23:31] this way it looks like the host, but it isn't
[23:31] this configuration is a little broken, and also very insecure, you would need to fix the following things:
[23:32] - remove unnecessary /dev entries, disable the ability to mount stuff, cleanup the rc scripts inside the vserver
[23:32] everything else is working just fine ... ;)
[23:32] remove them from where?
[23:33] #ls /vservers/TEST/dev
[23:33] full null ptmx pts/ random tty urandom zero
[23:33] compare that to
[23:33] ls /vservers/loop1)
[23:33] 21:32 < Mister_A_> none on /vservers/pinny/proc type proc (rw)
[23:33] 21:32 < Mister_A_> none on /vservers/
[23:33] sorry
[23:34] there are a ton of files in /vservers/pinny/dev
[23:34] ls /vservers/pinny/dev
[23:34] would you like to ssh in to take a look?
[23:34] yeah, should only be the 8 above ...
[23:34] no need to ssh in there ...
[23:35] well i'm not doing something right :(
[23:35] i don't want to mess anything up playing with /dev
[23:35] how did you get this vserver?
[23:35] how did you create it?
[23:35] i don't remember - it was a while ago
[23:35] newvserver
[23:35] then copied the directories
[23:36] the other vserver, ray that works, has many files in /dev also
[23:37] in pinny, the / is mounted to the proper vserver
[23:37] but for some reason /home is mounted to the host /home
[23:37] okay, basically the best would be to create a new vserver with vserver test build
[23:37] same with /var and /usr
[23:37] and then copy the /vserver/test/dev over to the other vservers
[23:37] if i create a file in /vservers/pinny/ it will show up when i do ls / in the pinny vserver
[23:37] ok
[23:38] this can be done by:
[23:38] rm -rf /vservers//dev; cp -a /vservers/test/dev /vservers//dev
[23:39] please stop both vservers first ...
[23:40] [root@sopher dev]# rm -rf /vservers/pinny/dev; cp -a /vservers/ray/dev /vservers/pinny/dev
[23:40] rm: cannot remove directory `/vservers/pinny/dev/shm': Device or resource busy
[23:40] rm: cannot remove directory `/vservers/pinny/dev': Directory not empty
[23:40] hmm, did you stop them?
[23:41] ya
[23:41] and why are you using ray instead of test? did you recreate it?
[23:41] anyway do an 'umount /vservers/pinny/dev/shm'
[23:41] and let me have a look at the /vservers/ray/dev ?
[23:42] ls /vservers/ray/dev
[23:42] ray works so i figure it's just as good
[23:42] ok 1 sec
[23:44] ah
[23:45] [root@sopher root]# umount /vservers/pinny/usr
[23:45] [root@sopher root]# umount /vservers/pinny/var
[23:45] [root@sopher root]# umount /vservers/pinny/home
[23:46] i just can't ssh in
[23:46] websites work on the vserver
[23:46] but ssh says
[23:46] [root@vserver:pinny /]ssh localhost
[23:46] ssh: connect to address 127.0.0.1 port 22: Connection refused
[23:46] [root@vserver:pinny /]/etc/rc.d/init.d/sshd restart
[23:46] Stopping sshd: [FAILED]
[23:46] Starting sshd: [ OK ]
[23:46] [root@vserver:pinny /]ssh localhost
[23:46] ssh: connect to address 127.0.0.1 port 22: Connection refused
[23:47] okay, you didn't fix the previous mistake, and here is the next ... ;)
[23:47] why does your sshd bind to 127.0.0.1?
[23:48] this doesn't happen if your vserver is setup correctly ...
[23:48] good point
[23:48] but then ssh: connect to address 207.113.28.167 port 22: Connection refused
[23:48] but once again, either you start fixing the different issues, one by one, or you will never get a sane setup, nevertheless, everything is still working as expected ;)
[23:49] ok
[23:49] so what should i do?
[23:49] first, stop all vservers
[23:49] then show me the /dev you 'just' created?
[23:49] ok done
[23:50] [root@sopher dev]# dir /home/vservers/pinny/dev
[23:50] dev log null pts shm urandom
[23:50] full null ptmx pts/ random tty urandom zero
[23:50] should look like this ...
[23:50] what is the /home/vservers/pinny/dev/dev?
[23:50] maybe a directory?
[23:51] it is a directory
[23:51] okay, remove it ...
[23:52] done
[23:52] also remove the log and shm
[23:52] well i deleted the whole /home/vservers/pinny/dev directory
[23:52] so that should have removed log and shm
[23:53] okay, in this case (which I haven't told you ;) do the vserver test build
[23:53] ok running
[23:53] how long should it take?
[23:54] will run for some while, but we can make it faster, you use util-vserver, right?
[23:54] i believe i have util-vserver installed
[23:54] the command is already running
[23:54] okay, stop the vserver command
[23:54] CTRL-C
[23:54] done
[23:56] ?
[23:56] okay
[23:56] rm -rf /vservers/test
[23:56] done
[23:56] vserver test build UTIL_VSERVER_AVOID_COPY=yes
[23:56] that will be quite fast
[23:56] ok
[23:56] running
[23:57] hmm, stop it again
[23:57] my fault
[23:57] rm -rf /vservers/test
[23:57] export UTIL_VSERVER_AVOID_COPY=yes
[23:57] vserver test build
[23:57] ok
[23:57] done
[23:57] copy /dev?
[23:58] rm -rf /vservers/pinny/dev
[23:58] ok
[23:58] and i copied it
[23:58] cp -va /vservers/test/dev /vservers/pinny/dev
[23:58] now 'ls -la /vservers/pinny/dev'
[23:59] total 12
[23:59] drwxr-xr-x 3 root root 4096 Feb 22 16:03 .
[23:59] drwxr-xr-x 17 root root 4096 Feb 22 16:03 ..
[23:59] crw-r--r-- 1 root root 1, 7 Feb 22 16:03 full
[23:59] -rw-r--r-- 1 root root 0 Feb 22 16:03 hdv1
[23:59] crw-r--r-- 1 root root 1, 3 Feb 22 16:03 null
[23:59] crw-r--r-- 1 root root 5, 2 Feb 22 16:03 ptmx
[23:59] drwxr-xr-x 2 root root 4096 Feb 22 16:03 pts
[23:59] crw-r--r-- 1 root root 1, 8 Feb 22 16:03 random
[23:59] crw-r--r-- 1 root root 5, 0 Feb 22 16:03 tty
[23:59] crw-r--r-- 1 root root 1, 9 Feb 22 16:03 urandom
[23:59] crw-r--r-- 1 root root 1, 5 Feb 22 16:03 zero
[23:59] okay, looks good ...
[23:59] start her up?
[23:59] the devices are secure now ... nope not yet
[00:00] --- Mon Feb 23 2004