[00:00] next step, remove the CAPS you added to the vserver config
[00:00] did
[00:00] okay, now let's have a look at the mounttab with 'cat /proc/mounts'
[00:02] rootfs / rootfs rw 0 0
[00:02] /dev/root / ext3 rw 0 0
[00:02] /proc /proc proc rw 0 0
[00:02] /dev/sda1 /boot ext3 rw 0 0
[00:02] none /dev/pts devpts rw 0 0
[00:02] none /dev/shm tmpfs rw 0 0
[00:02] /dev/sda2 /usr ext3 rw 0 0
[00:02] /dev/sda3 /var ext3 rw 0 0
[00:02] /dev/sda7 /home ext3 rw 0 0
[00:02] none /home/vservers/ray/dev/pts devpts rw 0 0
[00:02] /dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
[00:02] /dev/loop1 /var/tmp ext3 rw,nosuid,noexec 0 0
[00:02] [root@sopher dev]# umount /home/vservers/ray/dev/pts
[00:02] umount: /home/vservers/ray/dev/pts: device is busy
[00:02] probably something is using it ... somehow ... terminal/ssh/etc
[00:03] ok thats ray we'll do that after
[00:03] ok so now what?
[00:03] start pinny?
[00:03] now we check the runlevel scripts ...
[00:03] cd /home/vservers/pinny
[00:03] cd etc/
[00:04] rc.d/rc.local is empty for pinny
[00:04] okay what about rc3.d?
[00:04] its all normal
[00:04] please show me the entries ...
[00:05] ok
[00:05] K05kudzu K45arpwatch K65identd S08iptables S17keytable S34named S80sendmail S94admserv S99local
[00:05] K13portmap K46radvd K74nscd S09isdn S20random S39poprelayd S85gpm S95anacron
[00:05] K20nfs K50snmpd K74ypserv S10network S25netfs S55sshd S90crond S95atd
[00:05] K28autofs K50snmptrapd K74ypxfrd S12syslog S26apmd S56rawdevices S90mysql S97rhnsd
[00:05] K34yppasswdd K60lpd S08ipchains S14nfslock S26ntpd S56xinetd S90xfs S98httpd
[00:05] okay, this is inside the vserver?
[00:05] ya
[00:06] (just to make sure you are not messing with the host runlevels ;)
[00:06] okay everything hw related isn't useful inside a vserver ...
[00:06] ok
[00:06] kudzu
[00:06] K05kudzu S20random S26apmd S85gpm S09isdn
[00:07] ok
[00:07] will remove those
[00:07] this can go without any questions ...
[00:07] same is K45arpwatch K28autofs S56rawdevices S08ipchains S08iptables
[00:07] ok
[00:08] Last message repeated 1 time(s).
[00:08] ah and S17keytable
[00:08] what is K46radvd ?
[00:08] is there a way to use iptables in vservers?
[00:08] i dont know
[00:08] not from inside a vserver
[00:08] but you can define iptable rules for vservers
[00:08] okay, show me the remaining services once again ...
[00:10] K45arpwatch K65identd S34named S80sendmail S94admserv S99local
[00:10] K13portmap K74nscdn S39poprelayd S95anacron
[00:10] K20nfs K50snmpd K74ypserv S10network S25netfs S55sshd S90crond S95atd
[00:10] K28autofs K50snmptrapd K74ypxfrd S12syslog S56rawdevices S90mysql S97rhnsd
[00:10] K34yppasswdd K60lpd S14nfslock S26ntpd S56xinetd S90xfs S98httpd
[00:11] okay, following services are dubious for me, so they should be removed for now:
[00:11] K28autofs
[00:11] K45arpwatch
[00:11] K50snmpd
[00:11] K50snmptrapd
[00:11] K60lpd
[00:11] S56rawdevices
[00:12] don't know what the S25netfs is
[00:12] now have a look at the vservers init.d/syslog script
[00:12] this probably starts syslog and the klogd shortly one after the other ...
[00:13] ok
[00:13] im trying to build /dev on ray, but it says
[00:13] [root@sopher dev]# umount /vservers/ray/dev/pts
[00:13] umount: /vservers/ray/dev/pts: device is busy
[00:14] what do i do about syslog - it looks normal?
[00:15] is there a line for syslogd and a second for klogd?
[00:15] hm i have to run
[00:15] ill be back later
[00:15] thanks!
[00:15] ok cu
[00:19] paul (~irssi@pD9FF14FA.dip.t-dialin.net) joined #vserver.
[00:19] hi
[00:19] hi paul!
[00:21] Mister_A_ (~mab@nat01-clo-ext.Rutgers.EDU) left irc:
[00:26] Bertl: GDB does not have an x86 sim target
[00:27] Bertl: but thats a minor detail
[00:29] Bertl: is this what you were looking for ?
[00:29] Bertl: http://bitrange.com/temporary/a-place-to-test-gcc-webpages--do-not-bookmark/simtest-howto2.html
[00:30] hmm, basically the right direction, but a long way to the regression tests ...
[00:30] Bertl: okay
[00:30] well, not too long ...
[00:31] but yes, this is a good start
[00:33] has been some time since, so maybe new targets, but might be also that some stuff is already broken :(
[00:33] Bertl: that wouldnt be good
[00:34] are the regression tests code specific? like some tests are not useable on the kernel ?
[00:34] basically the regression tests are simple C programs ...
[00:34] some apply to the kernel, others not (for example those using float)
[00:35] but this doesn't matter, basically gcc should be able to compile all those tests correctly
[00:35] (for every arch it supports)
[00:35] so, how does this benefit your work ?
[00:36] heh, I'm currently trying to get a cross compiling kernel environment up and running ...
[00:36] http://vserver.13thfloor.at/Stuff/Cross/
[00:36] and I take a shortcut for the toolchain 8-)
[00:36] http://vserver.13thfloor.at/Stuff/Cross/howto.info
[00:38] hmm'
[00:40] and the response from the gcc and cross compiling folks was intense ...
[00:40] this can't work, because we always did it with (g)libc ...
[00:41] how often would the regression test run ?
[00:41] hmm, which one, kernel, gcc, 'your simulation'?
[00:42] maybe it's because i miss some knowledge
[00:42] i think you mentioned it at some point, but i can not find it when i scroll back
[00:42] just ask again ... ;)
[00:43] i seem to remember you said something about you would use the regression tests to test if your new code changed the way fakeinit worked ?
[00:43] nope
[00:43] the chain of thought - usefulness is this:
[00:44] linux kernel -> cross compile
[00:44] linux kernel + vserver patches + cross compile -> platform check
[00:44] vserver + crosscompile + time/releases -> regression checks
[00:45] and to do that, we need MANY, MANY cross compiling toolchains, which just WORK
[00:45] ?? you cross compile the kernel, or the kernel can cross compile
[00:45] now I think I have found a way to get them easily ...
[00:46] what I do is compiling a MIPS kernel on an i386 for example ...
[00:46] to see if vserver would compile on MIPS ;)
[00:47] and the time/releases ?
[00:47] well, if I test for example vs0.08 on alpha, sparc, mips ...
[00:47] and a little later vs0.09 on alpha, sparc, mips, and suddenly mips has an error, which wasn't there before, then this is a regression
[00:48] now the question is, what causes the error ...
[00:48] ofc
[00:48] it could be a change in the kernel (which can be tested by comparing it to the vanilla kernel build)
[00:48] or it could be a 'regression' in vserver
[00:49] or it could be an error in the cross compiling toolchain ;)
[00:49] ben (ben@bengrimm-host229.dsl.visi.com) left irc: Read error: Connection reset by peer
[00:49] and that is, where the gcc 'regression' tests come into play
[00:49] ahhh
[00:49] to verify that the toolchain for mips is working ... we have to do the gcc regression tests ...
[00:49] and because it is cross platform, it could be tested using the GDB sim target
[00:50] as the regression tests fall in two categories, a) compile only, b) compile and execute ... the b) part needs either a mips or a sim
[00:51] but how can you be sure the GDB sim is good enough ?
[00:51] how often do the toolchain change ?
[00:52] well, I can't, but this could be used to do several things:
[00:52] a) compare the fast patch I have chosen to the slow (g)libc toolchain
[00:52] b) verify general gcc regression stuff and compare it from time to time to real hardware
[00:53] c) if the regression + sim works, everything is okay, if not, the tests/gcc must be investigated ...
[00:54] why are your patch faster? what makes glibc slow, does that have to be rebuilt with every kernel ?
[00:55] okay, one question at a time:
[00:56] my path (did I write patch again?) is faster because it doesn't require the glibc and headers to be built for the cross compiling arch
[00:56] what is required to build ?
[00:57] ls
[00:57] sorry, wrong window...
[00:58] building glibc takes about 4-5 times as long as binutils+gcc
[00:58] but that is not the only problem, for many archs, it's not even possible to build a sane glibc ...
[00:59] Dan Kegel is working on cross compiling toolchains for a long time now ...
[00:59] http://gcc.gnu.org/simtest-howto.html
[01:00] using his crosstool build system, I managed to get the following toolchains working
[01:01] alpha, i686, ia64, m68k, mipsel, powerpc, sh4, sparc
[01:01] compiling did take about a day ...
[01:02] total ?
[01:02] using my approach, I built the following in about 4 hours
[01:02] alpha, arm, cris, hppa, hppa64, i386, ia64, m68k,
[01:02] mips, mips64, ppc, ppc64, s390, sh, sh4, sparc,
[01:02] sparc64, v850, x86_64
[01:03] and while we are talking, I'm probably adding s390x ...
[01:03] kay i can see the advantage
[01:04] but, I can not prove that those toolchains will compile the kernel as expected ...
[01:04] well, actually nobody can prove this for any toolchain ;)
[01:05] but I would like to know if, when and maybe in what aspect, my toolchain deviates from the 'default' toolchain ...
[01:05] ofc.
[01:06] and as a side effect, the gcc people can be blamed for errors in the compiler ;)
[01:07] if there are any
[01:08] well, I'm sure there are, and there always will be ...
[01:09] yep, s390x toolchain finished ...
[01:09] with Dan's crosstool, s390 doesn't even build ;)
[01:10] (not his fault, probably broken glibc ...)
[01:10] TheCount (~count@pD9E7C7FA.dip0.t-ipconnect.de) joined #vserver.
[01:10] hi!
[01:10] uh - help! :O)
[01:10] hi Count!
[01:10] http://www.securityfocus.com/bid/9596/exploit/www.securityfocus.com/vulns works on 1.26, and I'm unable to help myself :(
[01:11] (the chroot exploit)
[01:11] unfortunate ... (you are #22 if my counting is correct)
[01:11] I've been googling etc. quite a while now, but didn't have any success?
[01:11] hi Bertl
[01:11] Bertl: so, what do I do?
[01:11] probably something wrong ;)
[01:12] lets just check the obvious ...
[01:12] http://vserver.13thfloor.at/Stuff/testme.sh
[01:12] what does this give on the host?
[01:12] one moment :)
[01:13] [201]# failed.
[01:13] I shouldn
[01:13] I shouldn't paste that here, should I? no fails
[01:14] paste it in private ...
[01:14] done
[01:15] okay .. looks good ...
[01:15] JonB: this is normal for stable and older utils ...
[01:16] what filesystem do you use for the vserver part, and where/how is it mounted?
[01:16] me?
[01:17] no, the counte
[01:17] -e
[01:18] Bertl: uhm, ext3
[01:18] mounted on /
[01:19] okay ... now where are the vservers?
[01:19] Bertl: debian, thus /var/lib/vservers
[01:19] Bertl: in /vservers, a ext2 mounted on /vservers
[01:19] ext3
[01:19] okay so let us have a look at the following output ...
[01:20] ls -lad /var/lib/vservers /var/lib
[01:20] ( ls -lad /vservers / for you Jon)
[01:20] Bertl: got it, pasting in private
[01:20] d--------x 16 root root 4096 Nov 21 22:21 /var/lib
[01:20] d--------x 14 root root 4096 Dec 12 18:45 /var/lib/vservers
[01:21] and the same with lsattr -d /var/lib/vservers /var/lib
[01:21] only -
[01:21] ( lsattr -d /vservers / for you jon)
[01:22] none as well
[01:22] congrat, both setups are insecure ;)
[01:22] now we are going to secure them ...
[01:22] cool
[01:22] chmod 000 /var/lib/vservers (TheCount)
[01:23] chattr +t /var/lib/vservers (TheCount)
[01:23] done ;)
[01:23] chattr +t /vservers (JonB)
[01:24] as you are going to test this setup (I suppose ;) please make sure that you leave the vserver first (maybe even restart it)
[01:24] ?
[01:25] i did this in the root server
[01:25] Bertl: umm .. ok.
[01:25] yeah, but for testing any exploits ;)
[01:25] well, i'm still confused
[01:25] I assume TheCount did check with the exploit and still has a terminal open ;)
[01:25] Bertl: works! :O) thanks
[01:26] if you want to add yourself to the list of happy vserver users, feel free to do so ...
[01:27] http://www.linux-vserver.org/index.php?page=VServer+Users
[01:28] will think about it ;)
[01:29] yeah, no need to hurry ...
[01:31] hmmm... i can't get vserver build to do anything useful...
[01:31] what do you want it to do?
[01:31] build a vserver ;)
[01:31] and what does vserver test build do for you?
[01:32] No build-method specified :)
[01:32] ah newer, even alpha utils?
[01:32] http://www.linux-vserver.org/index.php?page=alpha+util-vserver
[01:33] read that... results in a vserver root like this:
[01:33] dev etc proc
[01:33] Creates the vserver foo with the Fedora Core 1 distribution and apt-rpm method.
[01:33] (for example)
[01:33] vserver build -m skeleton
[01:33] or this to build from a skeleton ...
[01:34] vserver build -m debootstrap * -- -d sarge
[01:34] or this to build via debootstrap on debian ...
[01:37] all of them give me the above result...
[01:37] which tools version?
[01:38] "vserver creation within a Fedora Core 1 host" ... hmm, i didn't read that one...
[01:38] i'm on debian...
[01:39] then the debootstrap method is the simplest ...
[01:39] 0.29.196
[01:39] vserver test2 build -m debootstrap -- -d woody
[01:39] or sarge for example ...
[01:40] make sure that debootstrap is installed ...
[01:41] i just recalled the line i used before and now it works?!
[01:42] vserver magic, no vserver tool would fail in my presence ...
[01:42] ;)
[01:42] hehe
[01:44] ok, whenever a vserver tools fails for me again, i'll create a Bertl user and try to trick it ;)
[01:44] ever tried to trick Murphy, by washing your car, just to make it rain?
[01:46] but i dont want to make it rain
[01:46] hehe
[01:47] Bertl: *grin*
[01:47] no, but i'll try to make it rain to have Murphy wash my car :)
[01:47] *sigh* why can't that fucking hostmaster decide...
[01:47] click: too little fucking lately?
[01:48] finished up the mailserver-thingie, and now he wants me to move it BACK again, as his scripts didn't work. (no wonder, as all the scripts are on another box)
[01:48] TheCount: me or him? me, yeah, dunno' about him.
[01:53] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[01:54] Simon (~sgarner@apollo.quattro.net.nz) joined #vserver.
[01:54] hi Simon!
[01:54] hi Bertl :)
[01:54] good to see u again!
[01:55] Just trying to upgrade kernels and stuff... has 2.4.25-vs1.26 been tested under x86_64?
[01:55] guess not, same for 1.3.7
[01:55] Ok, I get this when making:
[01:55] gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -mno-red-zone -mcmodel=kernel -pipe -fno-reorder-blocks -finline-limit=2000 -fno-strength-reduce -Wno-sign-compare -fno-asynchronous-unwind-tables -fno-unit-at-a-time -nostdinc -iwithprefix include -DKBUILD_BASENAME=vswitch -c -o vswitch.o vswitch.c
[01:55] In file included from /usr/src/linux-2.4.25/include/linux/vcontext.h:83,
[01:55] from /usr/src/linux-2.4.25/include/linux/vswitch.h:5,
[01:55] from vswitch.c:17:
[01:55] /usr/src/linux-2.4.25/include/asm/current.h: In function `stack_current':
[01:56] /usr/src/linux-2.4.25/include/asm/current.h:20: error: `THREAD_SIZE' undeclared (first use in this function)
[01:56] hmm, let me see ...
[01:57] try to add #include to include/linux/vcontext.h
[01:58] cool, that did the trick :)
[01:59] I'm working on a cross compile farm, to avoid such errors in the future ...
[02:04] nice
[02:12] anything I should watch out for, upgrading from 2.4.22-c17h to 2.4.25-vs1.26?
[02:13] phew ... reality might catch up soon ... ;)
[02:13] beware there are a zillion new features and at least 3-4 exploits fixed ;)
[02:13] yeah yeah ;)
[02:15] have any of the old extra patches (quota etc) been rolled in?
[02:15] vroot
[02:15] and the quota was updated to 0.13 ... will soon be upped to 0.14
[02:16] what about file context ids, ili, is that all still the same?
[02:17] ili is basically the same, contexts are similar
[02:17] cool
[02:17] you should use the vproc security stuff, and the chroot barrier ...
[02:17] hey, before you upgrade, could you give my testscript a run?
[02:17] what is the vproc stuff?
[02:17] sure thing
[02:18] http://vserver.13thfloor.at/Stuff/testme.sh
[02:18] never got around testing it on ancient setups ;)
[02:18] although it could have been ctx-13, right?
[02:25] Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
[02:25] chcontext is working.
[02:25] chbind is working.
[02:25] Linux 2.4.22-c17h x86_64/0.23.93/0.23.93 [E]
[02:25] ---
[02:25] [001]# succeeded.
[02:25] [011]# succeeded.
[02:25] [031]# succeeded.
[02:25] [101]# succeeded.
[02:25] [102]# succeeded.
[02:25] [201]# failed.
[02:25] [202]# succeeded.
[02:25] hmm, not so bad ...
[02:26] what is vproc, what do I do with it? :)
[02:26] sec
[02:28] http://archives.linux-vserver.org/200401/0125.html
[02:28] paul (~irssi@pD9FF14FA.dip.t-dialin.net) left irc: Quit: leaving
[02:37] hmmm.... setattr crashed and i guess /proc is 'damaged' now, as for example ps just hangs...
[02:37] hmm, you mean you hit the oops with setattr?
[02:37] yepp
[02:37] hmm, not too shabby .. thought nobody would find it ;)
[02:39] http://doener.homeip.net/Oops
[02:39] Not Found
[02:39] The requested URL /Oops was not found on this server.
[02:40] http://doener.homeip.net/doener/Oops
[02:40] yeah, that's it ...
[02:42] ok, can i safely restart my box or will /proc be messed up?
[02:43] nope, you can restart, no problem there ...
[02:43] what tools are you currently using?
[02:43] 0.29.196
[02:43] current alpha tools
[02:43] on 0.08 or later?
[02:44] 0.08.4 as you suggested
[02:44] hmm, sec
[02:44] anything i should do before restarting?
[02:44] pray?
[02:45] owkie... reboot in progress...
[02:45] *brb*
[02:45] hmm, what API version does vserver-info report?
[02:45] erhm... none?
[02:46] [*] Select task to kill on out of memory condition (NEW)
[02:46] bertl?
[02:46] a good thing ?
[02:46] kernel upgrade
[02:46] for some ...
[02:47] well, we're a shellprovider
[02:47] at least vserver-info --help doesn't... should this be done in an other way?
[02:47] (shell, web, etc)
[02:48] Doener: vserver-info - SYSINFO
[02:48] VS-API: 0x00010011
[02:48] click: well, do you want to select the task which is killed in a oom condition?
[02:49] Doener: thanks ...
[02:49] Doener: if you wait a few minutes, you could try the 0.09 prerelease, which should fix this ...
[02:50] no, all running processes are maintained and I've checked that they won't cause trouble. the only thing I want killed is for instance forkoffs, that allocates mem and forks like f....
[02:50] i'm not quite sure if it just kills on random, or the latest spawning task
[02:50] thinking of fork-bombs
[02:50] basically the oom killer kills what he thinks is the best candidate for killing ...
[02:51] (for example huge apache servers ;)
[02:51] ups...
[02:51] hm
[02:51] what about forkbombs?
[02:51] the oom just takes out the largest procs?
[02:51] well, they are tiny in regard to the memory footprint
[02:51] hm, darned.
[02:51] got to set up some protection for forkbombs in grsec then
[02:52] OOOH! grsec does that, I've forgot
[02:53] too tired I guess
[02:53] still haven't slept
[02:54] 48+ hours
[02:54] are you sure you aren't dead already?
[02:54] Bertl: ok, i'll wait, i've got plenty of time today... too late to go to bed, i'd miss my test at university tomorrow if i'd go to bed...
[02:54] Bertl: just checked, I've got pulse, but it's weak :)
[02:55] thanks for caring :)
[02:56] Doener: http://vserver.13thfloor.at/Experimental/patch-2.6.3-vs0.09-rc1.diff
[02:59] Bertl, what's the chroot barrier?
[03:00] a security feature to block chroot escape exploits ...
[03:01] on ctx-17h for example, a simple 10 line C proggy, manages to leave the vserver if you are root on that vserver
[03:01] d'oh
[03:01] you then have 'root' access to the host ...
[03:01] is it a kernel patch?
[03:01] which one? the exploit? or the barrier?
[03:02] the barrier :)
[03:02] Action: Medivh wonders if the recent kernel exploit can used to break out of context?
[03:02] the barrier is included in vs1.25/1.26/1.3.7 and vs0.08 and later
[03:02] s/used/be used/
[03:02] but it requires userspace support ...
[03:03] Medivh: you mean the mmap part 2 exploit?
[03:03] oh ok, how do I get that?
[03:03] Bertl, exactly
[03:03] mremap() or what is was
[03:03] bah, s/is/it/ ... can't type today ;)
[03:03] it's not trivial to use this exploit ... but yes, it might be used for many things ...
[03:04] ok, then i better go upgrade my vserver machine
[03:04] not of my machines, but customers' ... sucks enough tho
[03:04] Simon: with vs1.26 the only thing you have to make sure is to set the vservers dir permissions correctly ...
[03:04] 000?
[03:04] chmod 000 /vservers
[03:04] and
[03:04] chattr +t /vservers
[03:05] or wherever your vservers dir is ...
[03:05] ok cool, I need new util-vserver as well?
[03:06] hmm, the 0.23.xx you had might work ...
[03:06] 0.23.93 ...
[03:06] but this is a devel release, so maybe using a recent stable isn't such a bad idea, we are at 0.29 ;)
[03:07] okey doke :)
[03:07] . The default behaviour is to, as soon as no freeable memory and no swap .
[03:07] . space are available, kill the task which tries to allocate memory. .
[03:07] . The default behaviour is very reliable.
[03:07] hm, it seems it's primary task is to kill the fork as well?
[03:08] got to find out about this...
[03:08] depends on the exact kernel version, every day a new chance ...
[03:08] 2.4.25
[03:08] not sure but stable (2.4.25) should not enable the OOM by default
[03:09] hm.
[03:09] ok, grsec _should_ stop forkbombs anyway
[03:09] yup
[03:10] the only problem might be mem-munging procs
[03:10] thats also restrictable, so not a big problem
[03:10] well, I'll leave it 'off', and recompile if needed.
[03:11] the default is always a sane decision ...
[03:11] hm, btw, while I remember it...
[03:11] I've never tampered much with the vroot support.
[03:11] care to give a small explanation of it?
[03:12] np, it's quite simple ...
[03:13] the vroot device is a blocker and proxy ...
[03:14] it blocks direct block device access, and proxies quota ioctls to the real device
[03:14] if you do not use quota in the servers, you need no vroot device
[03:14] TheCount (~count@pD9E7C7FA.dip0.t-ipconnect.de) left irc: Quit: Hit any user to continue.
[03:14] well, we do
[03:14] so, in other words...
[03:14] okay, setting it up is pretty simple ...
[03:14] you know how to operate losetup?
[03:15] yeah, all the vserver devices are currently loopbacks
[03:15] err, vserver-disks
[03:15] (slow but I dont care)
[03:15] okay, vroot is configured with a tool called vrsetup
[03:15] and basically the syntax is the same as with losetup
[03:16] vrsetup /dev/vroot0 /dev/real/dev
[03:16] and
[03:16] vrsetup -d /dev/vroot0
[03:16] then you use the /dev/vroot0 inside the vserver instead of the 'real' device
[03:17] ah, so it can be used over a loop-device as well?
[03:17] as in the setup we've got now
[03:17] for each partition (loopback device in your case) you need a separate vroot device
[03:17] mhm
[03:18] currently your setup is probably insecure ...
[03:18] (means I could destroy your host in a few minutes)
[03:18] it most probably are, I haven't had time to follow stuff in a while
[03:19] any special things that needs being done asap?
[03:19] yeah, might even have been before your time with vserver
[03:19] let's see, the current security checklist:
[03:19] - kernel >= 2.4.25
[03:19] thats going in as we speak, I had to wait for the 2.4.25 grsec-stuff
[03:20] - vserver >= vs1.25/vs1.3.7
[03:20] vs1.26
[03:20] - chmod/chattr (or barrier flag on 1.3.7) barrier intact
[03:20] - minimal devices in vserver /dev
[03:20] full null ptmx pts/ random tty urandom zero
[03:20] + the hdv1 (vroot device ;)
[03:21] - no additional capabilities (in vserver config)
[03:21] - nproc and sched to ensure a little protection
[03:22] well basically that's it ...
[03:29] let's see what we've got here then...
[03:30] - chmod 0000 and chattr - on the dir containing each vserver
[03:30] ?
[03:30] each vserver only has the absolutely needed procs already
[03:31] chattr -t /vservers
[03:31] each vserver has S_FLAGS="lock nproc sched" set
[03:31] that is sufficient, anything else isn't required and might break something else
[03:31] (that was regarding the flags)
[03:31] S_CAPS="CAP_NET_RAW"
[03:32] hrm, not required, allows sniffing ...
[03:32] *removed*
[03:32] ULIMIT="-u 256 -n 1024 -H"
[03:32] default.
[03:32] no need to change
[03:33] -HS is better
[03:33] and best is to use "-HS -u 256 -n 1024"
[03:33] added
[03:33] because this is actually what you want ...
[03:34] Bertl: shouldn't it be chattr +t /vservers ?
[03:35] hm, /vserver is the dir containing the dirs that holds the vservers on normal setups isn't it..?
[03:35] (not using default setup here)
[03:35] chattr -t /home/vservers
[03:35] Doener: sure ...
[03:36] best is chattr =t /home/vservers
[03:36] sorry click the -t is wrong, my fault ...
[03:36] np, I'm just glad I get to learn more
[03:37] the + options always confuse me ...
[03:37] mx1:/dev# ls
[03:37] console full null ptmx pts random shm tty urandom zero
[03:38] well, the console is your part, but yes ...
[03:38] shm isn't needed unless you want to mount a memory device?
[03:38] it's due to that we log everything to a screen
[03:38] shm is used, got a memlock-watchdog on the system
[03:39] and you probably need the hdv1 (vroot device) to enable quota
[03:39] what do you expect from a memlock-watchdog inside a vserver?
[03:39] hm, good question
[03:39] *removing*
[03:41] ok, that part is done
[03:42] mx1:/dev# ls
[03:42] full null ptmx pts random tty urandom zero
[03:43] full null ptmx pts/ random tty urandom zero
[03:44] looks good ;)
[03:45] ah, now I know where the darned shm comes from in the vs'es. debians bootstrapper
[03:46] or rather, the deb vserver setup-tools
[03:49] regarding the quota-patch, is it needed in my case?
[03:50] the q0.12 that is
[03:50] q0.13 that is ;)
[03:50] hehe, ok, 0.13 :)
[03:50] nope, if you have a partition per vserver you do not need it ...
[03:51] ok, going to boot 0.09-rc1 now...
[03:51] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving
[03:51] Bertl: i can't keep up with you when you bump revisions and doesn't update the pages :D
[03:52] hm, I got to fetch my mail as well :/
[03:52] 670+ mail in the mailbox
[03:52] might be that you've announced it there :)
[03:52] hmm, did I forget to update the page again?
[03:52] somewhere in that large bunch of unread mail :/
[03:52] yup, latest is 0.12 there
[03:53] http://www.13thfloor.at/vserver/s_addons/quota/
[03:53] on the wiki that is
[03:53] my fault
[03:53] hmm, where on the wiki is 0.12 the latest?
[03:53] 6 Dec: [Context Quota/Disk Limits q0.12] released.
[03:53] http://linux-vserver.com/
[03:53] hm, might not be your page
[03:54] ah okay so I did no new announcement there ...
[03:54] will add that ...
[03:55] hm, should have had a forum for this instead of the wiki
[03:55] (my neanderthal ideas again...)
[03:55] well the ml is fine, you 'just' have to read it ...
[03:56] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver.
[03:56] in my case: download my mail more often
[03:57] (haven't downloaded it the last week or two)
[03:57] hm, six days since last download
[03:57] well, time to fetch my mail
[04:00] Bertl: http://doener.homeip.net/doener/Oops-0.09-rc1
[04:00] still oopsing
[04:01] could you strace the setattr which leads to this oops?
[04:01] sure
[04:02] btw, does this oops too?
[04:02] showattr /
[04:02] no, but showattr /proc does
[04:03] ah very good ...
[04:03] Feb 23 02:04:21 doener kernel: [vc_get_iattr+257/288] vc_get_iattr+0x101/0x120
[04:03] Feb 23 02:04:21 doener kernel: [sys_newlstat+55/64] sys_newlstat+0x37/0x40
[04:03] Feb 23 02:04:21 doener kernel: [sys_vserver+434/704] sys_vserver+0x1b2/0x2c0
[04:03] Feb 23 02:04:21 doener kernel: [syscall_call+7/11] syscall_call+0x7/0xb
[04:04] lstat("self", {st_mode=S_IFLNK|0777, st_size=64, ...}) = 0
[04:04] SYS_273(0x26010001, 0, 0xbffff7b0, 0xbffff7f4, 0xbffff828
[04:04] +++ killed by SIGSEGV +++
[04:04] ah okay, thanks ...
[04:05] that's from showattr
[04:05] hmm... the showattr Oops does not cause ps to hang
[04:06] interesting ...
[04:06] lstat(".", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[04:06] SYS_273(0, 0x3f, 0, 0, 0) = 65553
[04:06] SYS_273(0x26020001, 0, 0xbffff430, 0, 0
[04:06] +++ killed by SIGSEGV +++
[04:07] that's from setattr -R --~hide *
[04:07] hmm ...
[04:07] hmm, i'll have to restart a few times... seems after the showattr oops the setattr oops no longer renders ps useless...
[04:08] investigating ...
[04:08] ah, the lstat(".") happens in /proc/1 if that is of interest
[04:10] anything else that might be useful? if not i'm going to do some reboots...
[04:12] go ahead, I guess I know where it is, just not why ...
[04:13] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving
[04:15] brb, reboot in progress!
[04:18] click (click@gonnamakeyou.com) left irc: Quit: System going down in a few minutes. Back in five.
[04:20] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver.
[04:21] hmm... okay... when setattr oopses first, then ps is completely broken, if showattr oopses first only some ps options cause it to hang, ps -f for example will hang...
[04:22] yeah, seems to be some stray pointer ...
[04:27] TheCount (~count@pD9E7C7FA.dip0.t-ipconnect.de) joined #vserver.
[04:27] hi again! :)
[04:28] uhm - how do I assign multiple IPs to one vserver?
[04:28] just add them in the .conf file, separated by spaces
[04:29] wow, easy. thanks :)
[04:29] the first IP stays the main one, right?
[04:29] IPROOT="1.2.3.4 5.6.7.8" <-- like this..
[04:29] iirc process trying to bind to 0 get the first one...
[04:30] but you'd better ask Bertl about that ;)
[04:31] *grin*
[04:31] I
[04:31] I'll simply try as soon as the IPs are there
[04:31] btw, how about the quality of the 2.6.x stuff? I'd love to run a different scheduler, but vserver on 2.6. doesn't seem to work for me
[04:32] click (click@gonnamakeyou.com) joined #vserver.
[04:32] TheCount: what is the issue on 2.6?
[04:33] Bertl: .o( I'll refrain from switching totally to german )
[04:33] Bertl: well, maybe I'm just trying to use a very recent 2.6.x with a vserver patch that is for a slightly older kernel
[04:34] Bertl: can't remember, but when I tried the last time I think the patch wouldn't even apply
[04:34] Bertl: whats the status of it?
[04:34] hmm, well most things should work fine ...
[04:34] current release is 0.08 for 2.6.3 with a 0.09 prerelease we are currently testing ;)
[04:35] Bertl: hmmm.
[04:35] Bertl: okay. I think we'll discuss this on our admin meeting this evening
[04:36] Bertl: do you think the code's okay for semi-production?
[04:36] the scheduler stuff is missing, as well as the uptime fakes
[04:37] reboot helper isn't there yet
[04:37] rest should be okay ...
[04:37] Bertl: okay, so basically, would work, but don't try to depend on it too much .. ;)
[04:37] .o( and don't hope it'll reboot or something )
[04:38] yes, I'm sure there are some flaws .. compared to vs1.26
[04:38] but it should be at least as stable as vs1.3.7 ;)
[04:39] heh, thats one reboot that went smoothly
[04:39] was a bit worried, it took its time to go up again
[04:39] 8 hours drive to get to the box :)
[04:42] virtuoso (~shisha@206ppp.telegraph.spb.ru) left irc: Ping timeout: 501 seconds
[04:46] click: what shall I say: remote console, remote console ...
[04:46] ordered a KVM-card, going in next week
[04:46] :)
[04:46] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) left irc: Ping timeout: 501 seconds
[04:54] Doener: that one is tricky, but I know what it is .. will be fixed in a few minutes ...
[04:54] ok :)
[04:55] my hoster provides a network-boot-feature ;)
[04:55] if I fscked up the machine, I can say 'rescue system' and 'hard reset' via a webinterface, and the box boots a debian rescue system off the network. quite cool.
[04:56] is a nice concept ..
[04:57] TheCount: well, this card is better, gives me full bios access, allowing me to reboot it and still see the output
[04:57] search on google for 'eric KVM'
[04:58] eRIC KVM even
[04:58] http://www.techland.co.uk/index/eric
[04:58] that's what's been ordered and going into the box next week :)
[05:01] Doener: I hate it, when somebody doesn't read my remarks, especially if that one is me ;)
[05:04] Bertl: you have that problem as well? :)
[05:04] Doener: http://vserver.13thfloor.at/Experimental/delta-iattr-fix-02.diff
[05:04] click: obviously ...
[05:05] Bertl: seems like all geniuses has that problem
[05:05] :D
[05:05] *grin*
[05:05] click: nice card. sounds expensive ;)
[05:05] click: and I'd need an extra network uplink, as it seems
[05:05] TheCount: a couple of dollars helps, but its a darned good insurance
[05:05] TheCount: nah, just NAT your original box ;]
[05:06] well, we've got spare space on the router etc, so it's no biggie for us.
[05:06] click: I can use the ethernet interface from the box itself(, too)?
[05:06] eRIC + co is nice, but overfeatured ...
[05:06] definitely overfeatured.
[05:07] I got servers in locations all over the world, so .. if I'd be running an own location, I'd use that or something comparable, I think
[05:07] Bertl: well it's one hell of a card tho', and yup, it's overfeat'ed. But it does it's job darned well. Already got three of those suckers running on some other servers
[05:08] TheCount: I've got too much hardware around as well
[05:08] click: what's the price tag? btw, you didn't answer the ethernet part ;)
[05:08] well, click, I won't send it back if you sent me such a card ;)
[05:09] me neither *grin*
[05:09] Bertl: it's not that expensive. Around £250 last time we got one
[05:09] I'd put it into the system that runs the CIS of CCC
[05:09] okay, you can get a hole computer for that .. oh, wait. it IS a whole computer ;)
[05:09] doh :D
[05:11] well, we're sometimes sending spare systems to people in argentinia, afghanistan, etc, where they have absolutely nothing, not come to talk about computers at all.
[05:11] I was thinking about building something similar some time ago ... but the project was always 'avoided' by a simpler (and cheaper) solution ;)
[05:11] if you think in that context, 250 EUR is _quite_ a lot.
[05:14] ok, going to reboot...
[05:14] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving
[05:14] btw, if you got spare hardware you'd otherwise throw away - consider giving it to someone less fortunate than you :)
[05:15] I'll go catch some sleep now, have a nice ..
[05:15] agreed ...
[05:15] you too cu around ...
[05:15] TheCount (~count@pD9E7C7FA.dip0.t-ipconnect.de) left irc: Quit: Hit any user to continue.
[05:17] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver.
[05:18] Bertl: no more Oops :)
[05:20] yeah, a stupid mistake ...
[05:21] but the oops was misleading ...
[05:21] serving (~serving@213.186.188.205) left irc: Read error: Connection reset by peer
[05:21] okay, what flags should be set where?
[05:21] well for a second .. at least ...
[05:22] default is everything off in /proc
[05:22] so you probably want some /proc entries enabled for vservers
[05:23] /proc/*info and /proc/stat* are good candidates
[05:23] hmm... i guess --[~]hide is the flag of choice?
[05:23] simplest way to make them visible is 'removing' the admin flag .. [05:24] the userspace tool is a little misleading atm [05:24] basically each proc entry has 3 bits [05:24] the admin bit = (bit 0) [05:24] the watch bit (bit 1) [05:25] and the hide bit (bit 2) [05:25] if you ever turn on the hide bit, the entry is gone forever :( [05:25] (well until you reboot ;) [05:26] the 4 remaining configs are (00 = visible) (01 = admin only) (10 = watch only) (11 = admin + watch) [05:26] where admin = context 0 (xid = 0) [05:26] and watch = context 1 (xid = 1) [05:29] hm.. ok, there goes the next reboot... had tried to set hide on all entries to see if it Oopses... [05:29] hmm, you could try unmounting proc ... [05:29] never tried that actually ... [05:31] hmm... device is busy [05:32] brb [05:32] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving [05:38] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver. [05:38] hmm... okay, i can umount proc in rl 1... [05:39] but whenever i mount it /proc and it's entries get: Awhbi- [05:39] i already rebooted... [05:39] hmm, so mounting it does what? [05:40] umount -> mount does quite the same as rebooting... result is showattr giving Awhbi- [05:41] okay, but mounting it again, on another mount point, does not reset it right? [05:41] didn't test that... i'll go to rl 1 once more ... [05:42] no need [05:42] just mount it on /tmp/xxx [05:42] mkdir /tmp/xxx [05:42] mount -t proc none /tmp/xxx [05:43] Awhbi- [05:43] umount it, change some flags for some entry, mount it again, verify that the flags are there/gone [05:44] i can't change any flags... [05:44] ah okay, so you suffer from the very same issue I see here ;) [05:46] virtuoso (~shisha@97ppp.telegraph.spb.ru) joined #vserver. [05:46] hmm... setattr --admin xxx causes showattr to output Axxxxx, with --~admin i get axxxxx [05:47] okay, that means at least something is working ;) [05:47] is that correct? 
i'd suspect it to go -xxxxxx [05:47] nope [05:47] - would mean not supported ... [05:47] ah! [05:47] so lower case = disabled, upper case=enabled? [05:48] yup, not my decision ... [05:48] but it makes a little sense, if you know it ... [05:49] hmm... ok, then it works [05:49] i was just misunderstanding the output... [05:49] okay, and mounting it on /mnt/yyy does reset the flags, or keep them as they are? [05:49] or /tmp/yyy [05:50] keeps them... [05:50] okay, that is good ... [05:51] hmm... making it only visible in ctx 1 locks it there... [05:51] you have to change into ctx 1 to move it back ;) [05:52] stat: Function not implemented [05:52] heh, that is a bug ;) [05:55] expiryjames (~james@cindi.ca) left irc: Quit: Leaving [05:57] Doener: could you revert the last patch and add a different one? [05:59] sure [05:59] ok, sec preparing ... [06:01] the 2.6 kernel build system is really nice, you do not want to go back to 2.4 after some time ;) [06:02] yeah, you can save quite some time [06:04] did the hide flag work for you? [06:04] I mean did it hide the entries? [06:05] yepp, cron is happily sending mails as it can't find the stat entry [06:05] interesting ... I get the hide flag set here (in my test setup) but the entries are still there ... [06:08] will the barrier flag on /vservers be kept over a reboot? [06:08] yes [06:08] only the proc flags are volatile .. [06:09] ah ... okay if any other flag is set the hide is ignored ... [06:09] could be seen as an user error protection ;) [06:11] http://vserver.13thfloor.at/Experimental/delta-iattr-fix-02b.diff [06:11] this should now fix the 'bad' behaviour, as well as correct the change back from xid=1 [06:11] hmm.... when i think about it... imho it would make more sense when the admin/watch flag wouldn't mean only in those, but always in those... [06:12] hmm, please elaborate ... 
[06:12] ah okay, I see your point [06:13] but actually that is the case, only that the 00 is special [06:13] admin flag set means visible in admin [06:13] watch flag set means visible in watch [06:13] no flag set means visible everywhere ... [06:14] I know this exception breaks the general rule ... but it wouldn't be better the other way around, would it? [06:14] i mean: (A|a)(W|w)h = everywhere, AwH = only in ctx 0, aWH = only in ctx 1, AWH = only ctx 0 and 1 [06:15] hmm and awH hidden ... [06:15] oh, forgot that one.. sure... [06:15] let me see if I could map this logic easily ... [06:16] my concern is that there is a flag called 'hide' but other's also hide... not that logical to me... [06:16] what is with awh ? [06:16] ah visible [06:16] just as it is now [06:17] awh = awh visible [06:17] AwH = Awh [06:17] Last message repeated 2 time(s). [06:17] awH = awH hidden [06:17] yeah [06:17] that would mean just inverting the H when any a,w is set ... [06:18] basically, "only in admin/watch" becomes "always in admin/watch" and all hiding is controlled by the hide flag [06:21] hmm, let me see if I can implement that easily ... [06:25] yep, seems pretty trivial ... [06:25] hmm... !h || (!ctx && a) || (ctx==1 && w) [06:25] well, no, actually I use a vx_weak_check() there [06:26] and this now has become vx_hide_check(), which changes the (m) to (m & VX_HIDE) [06:28] whatever you decide ;) i've no idea about that code, so i'll just be happy [06:29] hehe [06:33] what do you think, we are carrying some legacy code around (in 2.6) shall we drop this before the first stable 2.6 release? [06:33] ok... you got me ;) what means legacy? my english really needs some polish ... [06:34] np, legacy means 'left over for compatibility' [06:35] old cruft, just there because it was always there ;) [06:35] ah, so for example the proc entries? 
[06:35] the old proc entries for example, yes [06:35] there are new ones, btw, in /proc/virtual ;) [06:35] hehe [06:36] but mainly compatibility with 'older' tools and such ... [06:37] you can basically run vs0.08 with vserver-0.24 ... [06:39] hmm... hard decision... normally i'd say keep them to keep a given interface, but as 2.6 itself did break some stuff (module-init-tools, procps) i guess this is the right point to get rid of old stuff [06:39] and the tools are using the new interface anyways, i guess, so it's just another package installed/updated on the side of the sysadmin [06:39] that was my thought too, but for now I'm collecting opinions ;) [06:40] especially as some features require the new tools anyway ... [06:41] also worth a thought, is that _now_ there aren't so many 'third party' tools around, in the future there maybe some more, and the maintainers probably wouldn't be happy about a change in the interface [06:42] hmm, right, good point [06:43] okay, it compiles, now let's see if it works ... [06:45] seems to work, only the default is now wrong ;) [06:45] hmm.. but shouldn't hurt... hide is off by default [06:46] yes, but the entries _are_ visible everywhere ... [06:47] ah, was thinking stable, forgot that exper. has them visible only in 0 by default... [06:47] ok, my test is in ~5 hours... i'll review some stuff... so please mention my nick if i don't respond ;) [06:47] np, patch will be available in a few minutes ... if you want to test ... [06:47] sure [06:51] okay, here it is: [06:51] Doener: http://vserver.13thfloor.at/Experimental/delta-iattr-fix-02c.diff [06:51] actually I like 'your' logic pretty much ... it is easier to explain ... [06:52] nice to hear :) [06:53] but it is easy to explain how I ended up with that somewhat weird logic in the first place ... [06:53] the admin/watch flags where already there, and no 'hide' flag was known ... [06:54] later I added the hide to make it invisible ... which ended up as a fifth state ... 
[06:59] hmm... my box is trying to make fun of me... without a reason it cut the number of kernel modules in half... and actually that is correct, it has been building far more than i had chosen the last times... [06:59] interesting ... [07:00] maybe some 'timing' issue? [07:00] hm? [07:00] I once had a kernel which didn't want to build ... [07:01] until I discovered, that the timestamps were in the future, (or to be precise, my clock was in the past) [07:02] serving (~serving@213.186.188.205) joined #vserver. [07:02] hmm, serving? [07:03] ok, gonna reboot now [07:03] brb [07:03] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving [07:07] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver. [07:08] hmm... those are different from the rest: [07:08] Awhbi- /proc/mounts [07:08] awhbi- /proc/self [07:09] yeah, actually we have 3 categories here [07:09] the dynamic entries like /proc/ [07:09] and the process directories [0..9]+ now have somewhat 'random' awh flags, before they had --- [07:10] hmm, okay that is another bug ... well a missing check probably [07:11] okay, will fix that immediately ... [07:12] okay, setattr now works in ctx 1 [07:14] you know how to use vi, right? [07:14] (or whatever editor ;) [07:15] i'd not call me a vim expert but i'm pretty used to it [07:15] kernel/vserver/inode.c line 45, there is a comment // check for specific inodes [07:15] just below that comment there is an assignment: [07:15] *mask |= IATTR_FLAGS; [07:15] change that to: [07:16] if (entry) [07:16] *mask |= IATTR_FLAGS; [07:16] ok [07:17] that should bring back the 'correct?' behaviour for the pid entries [07:21] ok, rebooting... i guess i'll be the new holder of the 'most channel joins' record :) [07:21] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Quit: Leaving [07:24] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver. [07:25] ok, they're back at ---bi- now [07:25] okay ... [07:26] hmm.. 
is /proc/mounts already implemented to be recognized as 'special', i.e. that it has to be visible everywhere? [07:27] it should be ... [07:27] ok, just wondered why it hasn't set the hide flag [07:27] it's actually a link, and if I got it right, it should be there ... [07:27] hmm, why should it have the hide flag? [07:28] just saw that it was different from the others, that's all [07:28] ah [07:28] okay, yeah, symlinks should get this flagging ... [07:28] there is not much use in hiding them ... [07:31] hmm... if i'd describe the processes behaviour with flags we'd have this: aWH + visible in own context, right? [07:32] hmm, yeah [07:40] i wonder if there would be a way to write/an actual use for 'context-aware' applications... say the process would no longer be hidden and could somehow recognize from which context a request comes... so some kind of inter-vserver ipc... [07:41] well, sure, but where would be the use? I mean you can have that without vserver ;) [07:42] only thing that came to my mind was the rebootmgr... iirc that one handled it through unix sockets, what actually should be sufficient, i guess... [07:42] you can forget that, the rebootmanager is replace by the vshelper .. [07:43] very similar to the usb hotplug helper ... [07:43] i know, but it was the only thing that actually had inter-vserver ipc [07:43] well, kind of, more vserver to host ... [07:44] ok, inter-context fits better [07:44] btw, did you test/use the vshelper? [07:44] (on devel) [07:45] never used devel... just 7 production boxes on stable, and my desktop that i don't want to go back to 2.4 [07:45] and no money for a testing box... [07:45] okay, because I have a vshelper patch for 2.6 here ... [07:46] just untested ;) [07:49] hmm... i'll give it a try in the evening, i better 'really' start learning now, i have a feeling that i'm missing something.... [07:50] okay, didn't want to stop you from learing ... 
[07:50] didn't think so ;) [07:50] thanks for the good idear with the flags, and all the testing ... [07:50] np [07:52] hmm... would 'you're welcome' fit in here? i never understand in what situations that sentence is appropriate... [07:53] hehe, me neither ... but I asked, as you do now ... [07:53] you're welcome is a correct answer, as well as no problem ... [07:54] ok, thanks, i'll be gone then, have a good 'night' :) [07:54] you too, cu around ... [09:40] esands (~nic@mdr11-port292.jetstart.maxnet.co.nz) joined #vserver. [09:41] hey [09:43] I'm getting this error I can't figure [09:43] [nic@stateless:~] sudo vserver status [09:43] Can not find util-vserver installation; aborting... [09:49] hi esands! [09:49] ignore that I think its because debian has moved util-vserver-vars to /usr/lib/util-vserver/util-vserver-vars [09:50] what version of util-vserver do you use? [09:50] [nic@stateless:~] dpkg --list util-vserver | grep ii [09:50] ii util-vserver 0.29-1 tools for Virtual private servers and contex [09:51] okay, this is the latest stable ... [09:51] together with vs1.26? [09:51] will that work ok with 1.3.7? [09:51] [nic@stateless:~] uname -r [09:51] 2.4.25-vs1.3.7 [09:51] should work with 1.3.7 too, although not all features are supported [09:52] you can test basic functionality with this script on the host: [09:52] http://vserver.13thfloor.at/Stuff/testme.sh [09:53] All succeeded. [09:54] perfect .. [09:54] I think the major problem is the debian util-vserver package is stuffed. [09:54] would not be the first time ... [09:54] ${UTIL_VSERVER_VARS:=$(dirname $0)/util-vserver-vars} vs the actual location /usr/lib/util-vserver/util-vserver-vars [09:55] ie. /usr/sbin/vserver thinks /usr/sbin/util-vserver-vars, but its actually /usr/lib/util-vserver/util-vserver-vars [09:55] hmm, that should not hurt, because it uses the path for the script ... 
[09:55] but obviously the script was moved up ;) [09:56] The debian version does this: [09:56] : ${UTIL_VSERVER_VARS:=/usr/lib/util-vserver/util-vserver-vars} [09:56] test -e "$UTIL_VSERVER_VARS" || { [09:56] echo "Can not find util-vserver installation; aborting..." [09:56] exit 1 [09:56] } [09:56] . "$UTIL_VSERVER_VARS" [09:56] sometimes it seems to me that the debian package maintainers do not even test their packages ... [09:56] Actually I just modified it. Now it works. ;) [09:57] Action: esands nods. [09:57] perfect, please let the package maintainer know about it ... [09:57] Definitely going to file a bug report [09:57] Topic changed on #vserver by Bertl!~herbert@MAIL.13thfloor.at: http://linux-vserver.org/ || latest stable 1.26, devel 1.3.7, exp 0.09 [09:58] question. On debian the two packages vserver and util-vserver conflict with each other. Is this true in general? Is there a newserver method for util-vserver? [09:58] the util-vserver tools replace the vserver tools ... [09:59] in util-vserver (at least in the source and in RPM packages ;) there is a legacy module/part [09:59] this contains the original 'newvserver' slinuxconf script [09:59] but there is a special debian newvserver somewhere ... [09:59] What is the best way to create the initial vserver? [10:00] and if you want to try something new (and probably simpler) you could have a look at the alpha branch of util-vserver [10:00] http://www.linux-vserver.org/index.php?page=alpha+util-vserver [10:00] this reduces it to: [10:00] vserver build -m debootstrap * -- -d sarge [10:00] for debian ... [10:01] (ofc, woody is an option too) [10:01] nice. looks good. [10:01] I've read the woody doesn't run well on top of sarge [10:02] hmm, don't know, I assume that inside a vserver it shouldn't matter ... [10:02] we had a RH vserver on a debian system and vice versa ... [10:02] something to do with libc issue or something. 
[10:03] well, they do not use the same libs (inside and outside vserver) just the same kernel ... [10:05] I guess I'll see how it goes. [10:05] make that, and have fun with linux-vserver [10:08] I'm off to bed, cu around ... [10:08] Nick change: Bertl -> Bertl_zZ [10:09] thanks for the help. 8) [11:53] virtuoso (~shisha@97ppp.telegraph.spb.ru) left irc: Read error: Connection reset by peer [11:54] virtuoso (~shisha@132ppp.telegraph.spb.ru) joined #vserver. [11:55] eyck (~eyck@62.233.189.138) joined #vserver. [11:56] eyck (~eyck@62.233.189.138) left irc: Client Quit [12:00] rs (rs@ice.aspic.com) joined #vserver. [12:00] hi dudes [12:27] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) joined #vserver. [12:48] virtuoso_ (~shisha@67ppp.telegraph.spb.ru) joined #vserver. [12:52] virtuoso (~shisha@132ppp.telegraph.spb.ru) left irc: Read error: No route to host [12:58] virtuoso_ (~shisha@67ppp.telegraph.spb.ru) left irc: Read error: Connection reset by peer [13:24] Simon (~sgarner@apollo.quattro.net.nz) left irc: Quit: Trillian (http://www.ceruleanstudios.com) [13:27] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) got netsplit. [13:27] esands (~nic@mdr11-port292.jetstart.maxnet.co.nz) got netsplit. [13:27] Doener (~doener@pD958824B.dip.t-dialin.net) got netsplit. [13:27] serving (~serving@213.186.188.205) got netsplit. [13:27] kestrel (athomas@home.swapoff.org) got netsplit. [13:27] maharaja (maja@ipax.tk) got netsplit. [13:27] riel (~riel@riel.netop.oftc.net) got netsplit. [13:27] Bertl_zZ (~herbert@MAIL.13thfloor.at) got netsplit. [13:27] stupidawy (foo@198.77.239.131) got netsplit. [13:27] deadguy (deadguy@bananajoe.big.du.se) got netsplit. [13:27] TheSeer (~theseer@border.office.salesemotion.net) got netsplit. [13:27] talon (talon@host-63-149-223-100.irwinresearch.com) got netsplit. [13:27] mcp (~hightower@wolk-project.de) got netsplit. [13:27] Zoiah (Zoiah@matryoshka.zoiah.net) got netsplit. 
[13:27] Zoiah (Zoiah@matryoshka.zoiah.net) returned to #vserver. [13:27] maharaja (maja@ipax.tk) returned to #vserver. [13:28] ccooke (~ccooke@spc1-walt1-4-0-cust238.lond.broadband.ntl.com) returned to #vserver. [13:28] Bertl_zZ (~herbert@MAIL.13thfloor.at) returned to #vserver. [13:32] *grmph* and who forgot to change NB_IPV4ROOT before compile... [13:32] <--- [13:33] so, second run, and second reboot on a production server. [13:33] this is as fun as watching paint dry up [13:38] kestrel (athomas@home.swapoff.org) got lost in the net-split. [13:38] riel (~riel@riel.netop.oftc.net) got lost in the net-split. [13:38] stupidawy (foo@198.77.239.131) got lost in the net-split. [13:38] deadguy (deadguy@bananajoe.big.du.se) got lost in the net-split. [13:38] TheSeer (~theseer@border.office.salesemotion.net) got lost in the net-split. [13:38] talon (talon@host-63-149-223-100.irwinresearch.com) got lost in the net-split. [13:38] mcp (~hightower@wolk-project.de) got lost in the net-split. [13:38] serving (~serving@213.186.188.205) got lost in the net-split. [13:38] Doener (~doener@pD958824B.dip.t-dialin.net) got lost in the net-split. [13:38] esands (~nic@mdr11-port292.jetstart.maxnet.co.nz) got lost in the net-split. [13:40] stupidawy (foo@you.wish.you.were.pimp.olicio.us) joined #vserver. [13:40] surriel (~riel@imladris.surriel.com) joined #vserver. [13:41] TheSeer (~theseer@border.office.salesemotion.net) joined #vserver. [13:41] click (click@gonnamakeyou.com) left irc: Remote host closed the connection [13:41] esands (~nic@mdr11-port292.jetstart.maxnet.co.nz) joined #vserver. [13:41] Doener (~doener@pD958824B.dip.t-dialin.net) joined #vserver. [13:43] mcp (~hightower@wolk-project.de) joined #vserver. [13:44] paul (~irssi@p5089EE6B.dip.t-dialin.net) joined #vserver. [14:41] miller7 (~none@adsl49-static-gw1.access.acn.gr) joined #vserver. 
[14:41] hello people [14:44] esands (~nic@mdr11-port292.jetstart.maxnet.co.nz) left irc: Quit: TE) (Swing them udders [15:09] JonB (~NoSuchUse@83.89.173.209) joined #vserver. [15:11] Bertl_zZ: present? [15:11] he's sleeping I think L( [15:11] :) [15:12] it's about 13 where he is [15:12] that does not mean he is not sleeping :) [15:14] no, but i dont think he is sleeping [15:14] anyway, i was just wanting to know if there is a bootloader that supports usb-serial/firewire-serial [15:21] serving (~serving@213.186.188.205) joined #vserver. [15:31] deadguy (deadguy@bananajoe.big.du.se) joined #vserver. [15:31] talon (talon@host-63-149-223-100.irwinresearch.com) joined #vserver. [15:32] kestrel (athomas@home.swapoff.org) joined #vserver. [16:09] infowolfe (~infowolfe@66.93.53.207) joined #vserver. [16:09] good morning lilo [16:09] gm everyone else [16:09] does anybody know who's doing the PBVSC? [17:01] Doener_zZz (~doener@pD9E12E6B.dip.t-dialin.net) joined #vserver. [17:03] miller7 (~none@adsl49-static-gw1.access.acn.gr) left irc: Quit: ring ring it's 7am, move yourself to go again [17:08] Doener (~doener@pD958824B.dip.t-dialin.net) left irc: Ping timeout: 485 seconds [17:21] Nick change: Bertl_zZ -> Bertl [17:22] hi everyone! [17:24] good morning Bertl! [17:24] brb [17:24] infowolfe (~infowolfe@66.93.53.207) left irc: [17:24] morning infowolfe ... [17:40] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) joined #vserver. [17:40] hi. [17:40] hi kloo! [17:41] i'm only dropping by to see what's up Bertl, no bug report this time. :) [17:41] sure? 8-) [17:41] for now. :) [17:41] well vs0.09 is up ... go find some bugs ;) [17:42] yes, i haven't tried the experimental branch so far. [17:42] it uses namespaces right? [17:42] it allows to use namespaces ... [17:43] i'll be happy to see that replace the current barrier. [17:44] it's a good option, now that enrico solved all the prereqs in userspace ... [17:44] the other day i moved amanda to the root server to simplify backups, i.e. 
no longer having to install amanda in every vserver. [17:45] amanda chokes on the mode 0 /vserver directory though, won't traverse it. [17:45] hmm, interesting, I always knew why I don't use amanda ... [17:45] i've been meaning to look into it, it will probably work if it runs just a bit more code as root than is otherwise necessary. [17:46] amanda's fine in my experience. [17:46] anyway, this is not a bug report. ;) [17:46] I used it some time ago, but now I prefer plain and simple dumps ... [17:47] for my private use i've been looking at boxbackup. [17:48] perhaps of some interest to you: http://www.fluffy.co.uk/boxbackup/ [17:49] hmm, sounds good ... for me, the critical question is, does it handle hardlinks and xattribs correctly? [17:50] probably not ... as most backup solutions do not ... [17:50] indeed, probably not. [17:51] i'll check when i play with it. [17:51] okay, let me know ... [17:51] xattribs should be easy enough to add to the meta-data, hardlinks might be difficult. [17:52] is vs0.09 semi-stable Bertl? [17:52] basically it's a question of the perspective, if you do inode based backups (like dump does) it's not worth thinking about it a second time ... [17:52] vs0.09 is rock solid .... ;) [17:52] i don't have a spare box but i can run it on my desktop if it sort of works. :) [17:53] seriously, it should be as stable as the 2.6.x kernel itself ... [17:53] Action: kloo nods, regarding dump. [17:53] Bertl: does grub support usb-serial console ? [17:54] hmm, I doubt it does usb stuff, but if that console is initialized by the bios as serial device, it might be possible ... [17:55] Bertl: i dont know if a mac has a bios [17:55] a mac has a firmware ,,, [17:55] correct [17:55] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver. [17:56] but does the firmware support serial console of some sort ? [17:56] JonB: but i don't think that grub will run on mk68? [17:56] Bertl: it could be ported ;-P [17:56] sure ... 
hehe every day a new project ;) [17:56] hi ben! [17:57] hi bertl! [17:58] Bertl: yeah [18:01] Bertl: I just read the thread about vserver vs freeVPS, and one question comes to my head: why the freeVPS didn't contribuate to the vserver project instead of forking ? [18:02] +the freeVPS author [18:02] Nick change: bengrimm -> ben [18:02] hmm, I can only speculate .. management reasons? [18:02] because they want to make money [18:02] Action: ben nods [18:02] free isn't quite free [18:03] Because it was 'maintained' by Jack at the time. [18:03] and the vserver project can't get some intresting code in freeVDS ? [18:03] you see 'how much' even the simple Free(VPS) version is better than what the free software guys do ... ;) [18:04] Bertl: their webpages does initialy have a more proffesional look [18:04] Bertl: but, looking closely you notice it is all business speak [18:04] from time to time I have a look at the recent patches (or what I think is recent), and everytime I'm surprised that is can be maintained (can it?) [18:05] has anybody had a look at the code and (just for comparison) at the vs0.09 code/patches? [18:05] they only go against the latest rh kernel right? [18:05] latests means latests RH 7.3 ... unless something suddenly changed [18:06] their network features seems to look nice, isn't it ? [18:06] it's a very intrusive change, and I'm not convinced that it pays off ... [18:06] er yep - rh 7.3 [18:07] rs: sure it looks nice to have eth0 instead of eth0:WOSSNAME ... [18:07] that wouldn't be too hard to implement though - fake eth devices [18:08] it's not a big deal [18:08] I'm almost convinced that with a little trickery, this will be doable without the intrusive changes ... [18:08] we just haven't found out how to do it properly yet ... [18:08] for example, the namespaces ... 
[18:09] Alexey always told (look it up on the ml archives) that this can't be done from userspace [18:09] you said that your alpha patch use namespace for virtual root, can you tell me more about that ? [18:09] now a few weeks (days?) ago, enrico managed to get it working without kernel support ... [18:10] rs: if you want, you can try it, just install vs0.09, and get the alpha tools ... [18:10] It work on a 2.6 kernel ? [18:10] well, you can also try it without the kernel support ... [18:10] but that is just half the fun ;) [18:11] rs: yes, it works on 2.6 and on 2.4 [18:11] ok but before, can you point me to some documentation about that ? [18:11] Bob_R (~georg@chello080109062083.15.14.vie.surfer.at) joined #vserver. [18:11] not really because there is none so far ... [18:11] JonB (~NoSuchUse@83.89.173.209) left irc: Quit: Leaving [18:12] ot question - is there any way to get strace to follow changes in context? [18:12] Bob_R (~georg@chello080109062083.15.14.vie.surfer.at) left irc: Client Quit [18:12] hmm, not yet ... [18:12] you said that it's rock solid, so do you think that it's a good idea to use the alpha version for a project witch should be in production in 6 month ? [18:13] that would be useful ;) [18:13] rs: in six months vs0.09 will have become the stable branch ;) [18:14] ben: well, what exactly do you need it for? [18:14] debugging a bit [18:14] Bertl: ok, so I'll point my work on this version instead of the beta branch :) [18:15] ben: enxample? [18:15] ben: even example? [18:15] I set up another vserver and when I try to run vapt-get it errors with chdirSecure(): no such file or directory [18:16] but can't figure out which dir it's looking for [18:16] inside the vserver? [18:16] outside [18:17] hmm, let me check this ... [18:17] strace of course can't follow after new-namespace is executed [18:17] Bertl: oups, the devel branch is the alpha branch ?? 
I think I'm confused [18:18] Bertl: I'm sure I did something to set this server up incorrectly, it's another new one [18:20] Mcleod[Zzz] (~altec@202.9.60.199) left irc: Ping timeout: 480 seconds [18:20] Mcleod[Zzz] (~altec@202.9.60.199) joined #vserver. [18:20] ben, try to give CAP_SYS_PTRACE to the server [18:22] rs: enrico has three branches/levels [18:22] stable, devel and alpha ... [18:23] Bertl - one sec [18:23] ok I just understood [18:28] Mcleod[a] (~altec@202.9.60.199) joined #vserver. [18:28] Mcleod[Zzz] (~altec@202.9.60.199) left irc: Read error: Connection reset by peer [18:29] Doener_aw (~doener@pD9E12AC2.dip.t-dialin.net) joined #vserver. [18:29] hmm, hi Mcleod[a]? [18:30] Nick change: Mcleod[a] -> Mcleod [18:30] Doener_zZz (~doener@pD9E12E6B.dip.t-dialin.net) left irc: Ping timeout: 480 seconds [18:30] hi [18:30] vs0.09 available for testing, and other things ... [18:31] ah k [18:31] i've already got people on what i installed a few days ago :) [18:31] so i can't go fiddling with it ftm :) [18:32] which reminds me to make an official announcement ... [18:32] might start testing on a new box again in the near future tho [18:32] I've been hanging out in here trying to help other people to repay my debt for the help I received :-) [18:33] your karma should have improved by now 8-) [18:33] thanks for doing so ... [18:34] pleasure [18:36] one particular thing that i found unclear was vproc security, there isn't a link to vproc in the 1.37 tree [18:36] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver. [18:37] bertl, it works to a point, but still can't follow forks through the context - the process hangs [18:38] you could disable the ptrace check for your kernel (requires a recompile), but I'm not sure this would work ... [18:38] oh well ;-) I'm sure I'll find it [18:38] (if you want to try, just search for VX_ADMIN in /arch//kernel/ptrace.c and remove the entire check) [18:39] ben: why not putting an strace before the apt-get? 
[18:40] this, for sure is in a defined context, right? [18:40] in the script, yep, was going to do that next [18:42] deadguy (deadguy@bananajoe.big.du.se) left irc: Ping timeout: 485 seconds [18:42] deadguy (deadguy@bananajoe.big.du.se) joined #vserver. [19:02] matta (matta@tektonic.net) joined #vserver. [19:02] heya matt! [19:03] hi!!!! [19:03] how are things going [19:03] so you are not dead?! 8-) [19:03] no, i am alive and overworked [19:03] hehe, as usual ... [19:03] very overworked right now, too many stupid customers :) [19:03] things are good, vs0.09 is out ... [19:03] yeah, just saw that [19:04] i also saw alex's post regarding better vm limits... [19:04] have you figured out what he means yet? [19:04] yeah, basically ... [19:04] that's very interesting that he found another way [19:04] is he like counting up the shared memory and subtracting that from the total of the VS ? [19:04] well, it's not so new, we discussed that a few months ago [19:05] basically he is counting every memory area, and assigning it to the contexts ... [19:05] this allows to avoid counting the same vma twice ... if the vm is reserved by a sharing thread in the same context [19:06] so the end effect is that the vm accounting is more 'realistic' [19:06] i remember big problem before was apache, like alex said [19:06] it's very intrusive, but I don't see the benefit yet [19:06] have you tested the recent memory accounting (not the enforcement) for VM and RSS with for example apache? [19:07] no, my newest server is still only 1.24 [19:07] i've got 3 vserver servers still, 1.00, 1.20, 1.24 [19:07] been stable.. [19:08] hmm, hopefully no vserver root users on them ... [19:08] yeah, i know [19:08] i've got to upgrade [19:09] would you consider 1.37 to be fairly stable now? [19:09] i'd like to upgrade to that for the ck patchset [19:09] hmm, you got a patch for 1.3.7 ck? 
[19:09] no, i thought all 1.3 was based on the ck patchset
[19:10] er, assumed
[19:10] nope, we had some ck releases, but the response wasn't overwhelming ...
[19:10] oh
[19:10] well, actually I got no response regarding ck at all ...
[19:10] i thought ck was needed for the TBF stuff?
[19:10] yep
[19:10] yeah
[19:10] i remember the TBF was very impressive
[19:11] sometimes not getting any feedback is good :)
[19:11] well we'll have it back in 2.6.x
[19:11] ah
[19:12] btw, the ck patchset for 2.4 is now called lck and maintained by Eric not Con
[19:12] Action: _shur1 testing exp 0.09
[19:12] yeah
[19:12] i run it on other servers
[19:12] shouldn't be too hard to get 1.3.8 working for the lck ...
[19:12] paul (~irssi@p5089EE6B.dip.t-dialin.net) got netsplit.
[19:12] mcp (~hightower@wolk-project.de) got netsplit.
[19:12] surriel (~riel@imladris.surriel.com) got netsplit.
[19:13] but I'm not sure anybody will use it ...
[19:14] paul (~irssi@p5089EE6B.dip.t-dialin.net) returned to #vserver.
[19:14] mcp (~hightower@wolk-project.de) returned to #vserver.
[19:14] surriel (~riel@imladris.surriel.com) returned to #vserver.
[19:14] # cat /proc/virtual/1001/limit
[19:14] PROC: 15/-1
[19:14] VM: 13642/-1
[19:14] VML: 0/-1
[19:14] RSS: 5156/-1
[19:14] yeah
[19:14] this is with apache and such ...
[19:14] that's pages, correct?
[19:14] and VML is VM limit?
[19:14] nope VML is VM locked
[19:14] ah
[19:14] the limit is currently the -1
[19:14] (means unlimited)
[19:15] now this is after apache got some load
[19:15] # cat /proc/virtual/1001/limit
[19:15] PROC: 15/-1
[19:15] VM: 13656/-1
[19:15] VML: 0/-1
[19:15] RSS: 5201/-1
[19:15] what is the size of the pages? 8k?
[19:15] 4k?
[19:16] so that's like 54MB of usage
[19:16] you have 1.3 confirmed to work under AMD64, right?
[19:16] now that is after apache got a lot load
[19:16] # cat /proc/virtual/1001/limit
[19:16] PROC: 28/-1
[19:16] VM: 34411/-1
[19:16] VML: 0/-1
[19:16] RSS: 14541/-1
[19:17] 278 root 2848 S httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2 -DHAV
[19:17] 279 root 2848 S httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2 -DHAV
[19:17] about 30 of those running ...
[19:17] well, 25 actually ...
[19:17] 4k pages right?
[19:18] yes, but I just don't remember if this is in pages or kb atm ;)
[19:18] 34411*4096 = 140947456
[19:18] if it's memory, that's cool
[19:18] if it's pages... very off
[19:19] have a look at the RSS, that is what actually is important
[19:19] 2848 * 25 = 71200
[19:19] not if you can only limit the VM :)
[19:19] well, what I thought about was, why shouldn't we enforce -ENOMEM based on RSS, if we have it?
[19:20] it's not correct (strictly speaking) it's not perfect, but it makes a lot of sense ...
[19:21] Bertl: that would be ideal i think
[19:21] (and more than that, it doesn't require an intrusive vma accounting to work)
[19:21] i'd say let the vsize go up to whatever, or even some much higher limit
[19:21] but like for me
[19:22] having like a 64MB RSS limit and a 256MB VM limit would be nice
[19:22] well, there should be an upper VM limit too, just to avoid DoS ...
[19:22] and hitting either two would be enforced
[19:22] exactly my thinking ...
[19:22] that would be perfect
[19:22] as rss seems to be very close to 'real' usage
[19:23] and the vm should be roughly 4x the rss limit, for DoS and stuff like you say
[19:23] yeah, or maybe 8x, doesn't really matter ...
[19:23] right
[19:23] some arbitrary limit that is less than the hosts memory essentially
[19:24] yep, and 2.6 kernel will allow us to do some swap stuff too, when hitting the RSS
[19:24] oh, so basically...
[19:24] this combined with the penalizing of the contexts .. we discussed some time ago, would make it work ...
I guess
[19:25] RSS = in memory limit, after that the vserver's apps will be swapped out, but only to the limit of VM
[19:25] well, we introduced three limits some time ago ...
[19:25] minimum, soft and hard
[19:25] yeah
[19:25] so hard would be -ENOMEM, soft would mean swapout/penalize in this case
[19:26] and minimum is guaranteed
[19:26] yeah, later on ...
[19:27] still needs a lot of testing if this is applicable to 'real world' servers, but all tests so far, show that it should work just fine ....
[19:27] it seems it will work out very nice
[19:28] I hope so, but only time can tell ...
[19:29] can you refresh me to some docs or points on what needs to be done to upgrade to the latest patches
[19:29] i know i will need the latest util-vserver
[19:30] and vshelper
[19:30] Nick change: Doener_aw -> Doener
[19:30] doesn't something need to be done for proc ?
[19:30] Hi
[19:30] hi!
[19:30] matta: it's not that complicated, first give the testme.sh a run to see what's there ...
[19:30] testme.sh ?
[19:30] http://vserver.13thfloor.at/Stuff/testme.sh
[19:31] did you use the changed flag logic in the 0.09 release?
[19:31] run it on the host(s), then paste it in private ...
[19:31] Doener: yep!
[19:32] matta: okay, you should have no issues when upgrading to 1.26
[19:32] oh
[19:32] you need the vproc tool
[19:32] i thought something happened to the proc interface?
[19:32] to make procfs secure
[19:32] oh, so by default the vservers see all of proc
[19:32] and you need to tell it what to hide
[19:32] and you'll have to chmod 000/chattr +t the vserver dir
[19:33] in stable yes ...
[19:33] compatibility over security ;)
[19:33] what about in 1.37 ?
[19:33] 1.3.7 uses the barrier flag ... which requires newer tools
[19:34] is 1.4 soon to be released?
[19:35] well, I'm currently finishing 1.3.8 and I hope we can avoid a 1.3.9 ;)
[19:35] does this answer your question?
[19:35] so there are known problems in 1.3.7 ?
[19:35] yes, but nothing critical ...
and some missing features
[19:36] in 1.3 memory limits do you use the fakemem function or it still shows the host memory?
[19:36] infowolfe (~infowolfe@66.93.53.207) joined #vserver.
[19:36] i'm back Bertl :-p
[19:36] ... finally
[19:37] matta: still shows the host memory ...
[19:37] but the limits are better defined now, so doing the fake with VM/RSS should be quite easy ...
[19:38] infowolfe: running vs0.09 I presume ;)
[19:38] Bertl, do you know who created the PBVSC?
[19:38] i'd recommend faking it if the limit is set
[19:38] actually, Bertl, I'll probably be working on that next week
[19:39] wasn't that Shade?
[19:39] my Ford Contour (your Mondeo) decided that 100k miles was a good time to eat its pistons, so i'm working on getting a new engine installed this week (i hope it'll all be done friday)
[19:39] yepp, that was Shade, but afaik erm... nobs or so is current project leader
[19:39] virtuozzo does not fake it and a complaint I see on the web hosting forums is that people who purchase virtuozzo VPS's complain they don't know how much memory they are using
[19:39] and will just randomly get denied
[19:39] Doener, thanks for the info
[19:40] #pbvsc on irc.bongster.de
[19:40] matta: hmm, sounds reasonable ... will look into it ...
[19:41] i guess i'm just gonna upgrade to 1.26 now
[19:41] really need to
[19:41] matta, something that you may not have seen on those forums about virtuozzo is not only can you not see how much memory you're using unless the ISP has HSPComplete, but if you run out of memory, you get all kindsa fun fork() errors
[19:42] infowolfe: which is what you get under vserver also
[19:42] which i was just talking with herbert about trying to avoid :)
[19:43] speaking of which
[19:43] Bertl: do you know for sure if you still get the fork() errors or if you get the "Out of memory!" error?
[19:43] the second is what a real system returns when it runs out of physmem + swap
[19:43] well, fork() doesn't give out of memory ...
[19:44] the error used to be "fork(): fail to malloc" or something to that effect
[19:44] so if you hit the VM limit for fork() it will give a can't fork
[19:44] yeah
[19:45] but I guess this can be 'adjusted' just needs some expert testing ;)
[19:45] Doener: thanks for the follow up!
[19:46] well, that's why i'm here :)
[19:46] great!
[19:46] np
[19:46] consider me greedy, UML is great and all... but it's cutting into my profit margin big time :)
[19:46] okay, matt just let me finish the 1.3.8 release, update your stable boxes in the meantime ...
[19:47] i was just thinking back
[19:47] and in an hour or so, we attack the memory thingy again okay?
[19:47] on a dual athlon 2000+ w/ 3GB of ram I was running 60 vservers and it was running fine, just before the SMP/network fixes with that many processes it crashed a lot
[19:47] now with similar configs I can run about 32 uml's before it begins to lag
[19:48] so vserver is very superior in the performance department
[19:48] naturally ...
[19:48] but UML has other qualities ...
[19:50] yes, the other big 'show stopper' feature for vserver is the virtualized network
[19:50] I wouldn't call it showstopper, but yes, it's one of the UML features ...
[19:50] i think with the memory limits, tbf scheduler, and virtualized network, along with the already implemented features such as reboot() it is getting towards the area where more people will look to it
[19:51] Bertl: depends on what you use it for
[19:51] it's a show stopper for hosting services
[19:52] the consensus is that
[19:52] give it some time, the future looks bright, and one or the other surprise is on the road ...
[19:52] look for vserver list subject 'old issue review'
[19:52] I know #3 is fixed, is #1 still a problem?
[19:53] i believe the virtualised network would fix #1 too, I know alex claimed to have it working properly
[19:53] recently enrico finished the private namespace stuff ... which was long time considered to require kernel support ...
[19:53] private namespace = allow mount inside vserver?
[19:53] for example ... but shh! not too loud ;)
[19:55] matta... ummm, yum!
[19:55] Action: infowolfe goes and yells YAY! MOUNT INSIDE VSERVER SUPPORT IS COMING!
[19:55] lol
[19:55] when alex did this, he had to write a 'vpsinit' script that mounted proc/devpts early in the boot
[19:55] which made it very redhat specific
[19:56] of course, freevps is (very old) redhat specific
[19:56] is the immutable linkage invert feature works on an ext3 fs with the last alpha patch ?
[19:56] rs: should ...
[19:56] he really needs to update to at least rh9, preferably FC1
[19:56] damjan (~damjan@legolas.on.net.mk) joined #vserver.
[19:56] matta: or he could do something generic...
[19:56] hi damjan!
[19:57] Bertl: hi
[19:57] matta: since some of us really don't like running anything having to do with redhat or rpm :-D
[19:58] I would be surprised if the FreeVPS patches could be adapted to anything else that easily ...
[19:58] yeah, they really screwed themselves sticking with RH7.3
[19:59] more than once, I suggested to split them up, into logical parts ... but that isn't Alex's devel style ...
[20:04] so am I still here?
[20:04] yes you are.
[20:05] it was suddenly so quiet, and the netsplits are here again ...
[20:06] stubbsd (~stubbsd@217.206.216.194) joined #vserver.
[20:07] hi stubbsd!
[20:07] Hi Bertl, vservers running, great! -- thanks.
[20:07] great!
[20:07] which version do you favor?
[20:08] sorry ?
[20:08] stable, devel experimental?
[20:08] the version of vserver.
[20:08] stable are present.
[20:09] ah okay ... just curious ;)
[20:09] Almost all of our infrastructure and test boxes run on three servers under vservers, is the devel stable?
[20:10] hehe, no, otherwise it would be labeled stable, wouldn't it?
[20:10] just thought I would ask :-)
[20:10] seriously, we are approaching a new stable release 1.4, so 1.3.8 for example should be pretty stable ...
[20:10] :-)
[20:10] hrm
[20:11] i'm not upgrading till the 25th
[20:11] if 1.3.8 is tested by then perhaps I will just use that :)
[20:11] let me re-setup a test vserver box
[20:11] 25th? interesting ...
[20:12] i gotta give people notice...
[20:12] can't just reboot servers whenever I wish
[20:12] anybody running java inside a vserver?, I have 4 boxes, but one is doing silly things.
[20:12] sorry 4 boxes running java,
[20:12] define silly ...
[20:13] stubbsd: i have a few customers running resin/tomcat under vserver
[20:13] crashing, accessing the file system, its just a wiki.
[20:13] with permission denied.
[20:14] hmm, sounds more like some permission issues, or maybe badly configured vserver
[20:14] most probably the latter...
[20:15] no worries, we will carry on and see if we can find anything else, just thought that I would ask.
[20:16] do you have any example errors somewhere?
[20:16] one moment,
[20:24] All of our dev's have gone home, but the I bet it's something I have setup wrong.
[20:24] I will setup a new vserver server from scratch and see if I have the same problems.
[20:25] I might even have a go with the 1.3.7 release :-)
[20:25] But I know one thing, Vservers are Wonderful.
[20:25] wait a few minutes and use 1.3.8
[20:26] Sounds great!
[20:26] Bertl: so what's actually new in 1.4?
[20:27] http://www.linux-vserver.org/index.php?page=Release+FAQ
[20:35] anybody tried running a vserver thats file system is on nfs?
[20:35] JonB (~NoSuchUse@83.89.173.209) joined #vserver.
[20:35] hmm, could work, for the flags (iunlink) you need a vserver patched server
[20:36] (NFS server I mean)
[20:36] hi Jon!
[20:36] hey Bertl
[20:36] Bertl: do you have a ppc to test vserver on ?
[20:36] Do I just need to take the NFS Server and add the vserver patch to it?
[20:37] Not just the server thats running the vservers?
[20:37] JonB: not yet ...
[20:38] Bertl: i found out that the firmware has a serial console, if the mac has a serial port
[20:38] stubbsd: if you want to use the iunlink flags, the NFS server has to be patched too, otherwise it doesn't matter
[20:38] JonB: sounds good ...
[20:38] Bertl: and it appears that if it has an internal modem, then one can get a connector that makes it into a serial port
[20:39] Bertl: but that needs the openfirmware
[20:39] well, should not be that hard, right?
[20:41] Bertl: I think I read this on the list, but I was to confirm
[20:41] vserver runs under x86_64 just fine?
[20:41] Doener_zZz (~doener@pD9588247.dip.t-dialin.net) joined #vserver.
[20:42] matta: should ...
[20:42] IIRC stable requires a simple #include ...
[20:42] sorry to be silly but what is "iunlink", I have just been lookin for it but can't find an explanation?
[20:44] it's explained in the documentation
[20:44] see post 1.3.6 on x86_64
[20:44] i wonder why he has to use a 32-bit kernel
[20:44] ok, thanks
[20:44] Bertl: i dont know if it is hard or not, some company sells this device for $49.95, leading me to believe "it's gotta be more than just a silly cable"
[20:45] all the guest's 32-bit apps should work under a 64-bit kernel i think
[20:45] hrm, his post is confusing
[20:45] he stated he has 1.3.5 running under 2.6.1
[20:45] JonB: you are talking about the modem or the firmware?
[20:46] matta: which post do you refer to?
[20:47] (hint archives.linux-vserver.org)
[20:47] subject "1.3.6 on x86_64"
[20:47] Doener (~doener@pD9E12AC2.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[20:47] stubbsd: iunlink is the immutable link(age) invert ...
[20:47] eh, i'll just have to try it
[20:47] should have a dual opteron by the end of the day
[20:48] Bertl: I understand ...
[20:48] Action: stubbsd brain dribbles out of his ears..
[20:49] Bertl: it's a card that replaces the internal modem
[20:50] Bertl: so one needs that, or one with a built in serial
[20:50] I see, but it (the machine) has a serial port too?
[20:50] some has
[20:50] some has not
[20:53] okay, I see ...
[20:54] bertl... another thing I was thinking about
[20:54] alex found a way for bind to not need --disable-linux-caps
[20:54] i believe he allows CAP_SYS_RESOURCE
[20:55] yeah, that is possible, but I'm not sure that I want that either ...
[20:55] is it safe to allow CAP_SYS_RESOURCE under the devel branch since all limits are done via syscall now?
[20:55] well, let me explain to you a situation...
[20:55] no, it is never safe ...
[20:55] in the hosting world, a big benefit of VPS's over a dedicated server is the fact that normally the vps host updates software
[20:55] (ie. up2date)
[20:56] cPanel (most popular web control panel) also performs auto updates of its packages
[20:56] so... even if I were to install the custom bind RPM, as soon as a new version is released customers bind software will stop working
[20:56] resources) */
[20:56] /* NOTE: ext2 honors fsuid when checking for resource overrides, so
[20:56] you can override using fsuid too */
[20:56] /* Override size restrictions on IPC message queues */
[20:56] /* Allow more than 64hz interrupts from the real-time clock */
[20:56] /* Override max number of consoles on console allocation */
[20:56] /* Override max number of keymaps */
[20:57] you do not want that in a vserver ...
[20:57] what we will have soon, is per vserver finer grained capabilities, allowing 'some' aspects of CAP_SYS_RESOURCE
[20:57] that would be good
[20:58] because that bind issue is a major one when it comes up software that updates itself
[20:58] which is becoming increasingly common
[20:59] you can get dedicated servers for like $60/mo these days
[20:59] well, bind is broken ... in this aspect ...
[20:59] so the justification for paying more for a VPS is auto security updates, backups, and RAID
[20:59] along with ability to "peak"
[21:00] well, right, but they were just trying to make bind more secure
[21:00] i think it should have been an option to have to enable, but it's not..
[21:01] hrm, I do not consider an application which is 'raising' system wide resource limits, doing something 'more secure'
[21:01] it raises?
[21:02] i thought it was releasing caps, my bad :)
[21:02] i wonder what virtuozzo does for that
[21:02] it is releasing, later on ...
[21:02] do they use the linux caps?
[21:02] guess not, don't know much about it ...
[21:03] nobody ever running it did succeed in getting the source, and bringing it here ...
[21:04] aspcomplete :)
[21:09] Bertl: i have the sun online finally.
[21:12] where would you like me to send the connection info?
[21:12] best to my account, herbert@13thfloor.at
[21:13] and greetings, btw ...
[21:18] Nick change: cgone -> cdub
[21:18] hi cw!
[21:19] ok its sent.
[21:19] the vserver-dev.cosmic-cow.net DNS doesnt seem to be working everywhere yet.
[21:19] but the ip does work.
[21:22] cpu: TI UltraSparc IIi (Sabre)
[21:22] fpu: UltraSparc IIi integrated FPU
[21:22] promlib: Version 3 Revision 25
[21:22] prom: 3.25.3
[21:22] cool ...
[21:23] subversion is 1.0
[21:23] <_shur1> hi Bertl
[21:23] <_shur1> i got this error with 2.6.3
[21:23] <_shur1> server deb enter
[21:23] <_shur1> Error: /proc must be mounted
[21:23] <_shur1> To mount /proc at boot you need an /etc/fstab line like:
[21:23] <_shur1> In the meantime, mount /proc /proc -t proc
[21:24] <_shur1> the fstab is ok
[21:24] talon: you can change the root password to something else now ...
[21:24] Bertl: hy
[21:24] _shur1: vproc security ...
[21:25] Bertl: just pick a passwd
[21:25] <_shur1> ok
[21:27] see you tomorrow dudes
[21:27] rs (rs@ice.aspic.com) left irc: Quit: back home
[21:27] <_shur1> dam
[21:27] <_shur1> where is the vproc utils
[21:31] damjan (~damjan@legolas.on.net.mk) left irc: Quit: Leaving
[21:32] _shur1: for which release?
[21:34] <_shur1> 2.6.3
[21:34] <_shur1> 09
[21:35] you need the alpha util-vserver tools ...
[21:35] they include a tool called setattr ...
[21:35] this and its companion showattr does this ...
[21:35] <_shur1> 1.37?
[21:35] 1.3.7?
[21:36] <_shur1> this is the alpha tool?
[21:36] <_shur1> look
[21:36] http://www.linux-vserver.org/index.php?page=alpha+util-vserver
[21:37] <_shur1> i want to test the latest 2.6.3 with 0.09
[21:37] just get the util-vserver 0.29.196 or such ...
[21:37] <_shur1> ok
[21:38] <_shur1> thx
[21:56] up2date slooooow
[21:58] urpmi quite nice ;)
[21:58] stubbsd (~stubbsd@217.206.216.194) left irc: Quit: Leaving
[22:01] Testing package set / solving RPM inter-dependencies...
[22:01] Traceback (most recent call last):
[22:01] File "/usr/sbin/up2date", line 1188, in ?
[22:01] sys.exit(main() or 0)
[22:01] oh wow, that's nice
[22:01] way to go redhat
[22:01] fucking up2date NEVER works
[22:01] <_shur1> use apt-get
[22:02] <_shur1> for redhat
[22:02] try yum directly instead
[22:02] well, fedora is depreciating apt-get
[22:02] no longer provided
[22:02] i'm trying to move to FC2
[22:03] last i read, the supported method was ISO, not up2date ;-(
[22:03] hmm, since when is Fedora depreciating apt-get?
[22:03] Bertl: it's no longer provided in FC2
[22:03] hmm apt-rpm ... I mean ...
[22:04] 'apt' let's say
[22:04] <_shur1> http://apt.freshrpms.net/
[22:04] http://ayo.freshrpms.net/fedora/linux/development/i386/core/RPMS/
[22:04] not in the list...
[22:04] _shur1: right, problem is...
[22:04] you need FC2 to install the FR apt
[22:04] but if you use the FR apt to upgrade it wants to remove apt
[22:04] plus freshrpm's is out of sync
[22:04] a bunch of the rpm's in their pkglist don't actually exist
[22:04] <_shur1> use debian!!
[22:04] <_shur1> :P
[22:04] <_shur1> rpm sux a lot!
[22:05] <_shur1> is my opinion..
[22:08] yeah, was a problem with using fedora.redhat.com
[22:08] read on lists people had the same problem
[22:08] mirrors.kernel.org is working fine
[22:09] hmm, I have no troubles so far with Mandrake rpms ...
[22:12] okay 1.3.8 seems sane now, expect a rc in a few minutes
[22:14] ok i have a test vserver vmware setup
[22:20] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[22:20] hi
[22:21] hi enrico!
[22:21] how was your weekend?
[22:21] like every other weekend
[22:22] unproductive ...
[22:22] yep
[22:22] well, we have some options now ...
[22:23] there is a sparc waiting for us ..
[22:23] vs0.09 is out with some interesting fixes/enhancements
[22:23] and vs1.3.8 is just ready ...
[22:24] sorry it took so long to get the sparc up. things are a bit chaotic around here lately..
[22:24] (final compile test is running)
[22:24] hey talon, nothing to be sorry about, we thank you very much for making this possible at all
[22:25] which reminds me that I have to update the Hall of Fame ...
[22:26] just put it down under my name for now. i just took over amoebasoft. and i havent gotten around to writing a new company description or getting a new website set up.
[22:27] should get that straightened out in the next week or so.
[22:28] some network guru here ?
[22:28] i have a question
[22:28] yup?
[22:30] the headquarters split a 192.168.119
[22:30] so we have the upper parts
[22:30] the lower parts are somewhere else
[22:30] i need to add a route though
[22:30] 192.168.119.128 0.0.0.0 255.255.255.128 U 0 0 0 eth2
[22:30] i'd like some route to the lower part
[22:30] well, im off to finish upgrading my workstation to Solaris 9 8/03
[22:31] 192.168.119.0 .. 255.255.255.128
[22:31] route add -net 192.168.119.0 netmask 255.255.255.127 gw
[22:31] no
[22:31] okay
[22:31] same netmask
[22:31] i'll do that then
[22:31] route add -net 192.168.119.0/25 gw ...
[22:32] i just dont understand why they even bother splitting it when they use a private subnet
[22:32] -c
[22:32] fun of doing it ;)
[22:32] must be a masochist
[22:32] maybe he didn't find the 10.xx range yet ...
[22:33] ugh
[22:33] sure he did
[22:33] he just uses
[22:33] 10.101.0.0
[22:33] along with
[22:33] 127.18.2.0
[22:33] and 192.168.116-122
[22:33] 172.18.2
[22:33] ive split up rfc1918 address space before. i turned the 10.0.0.0 /8 into slices of /16 one for each campus. when i worked for a school district.
[22:33] http://vserver.13thfloor.at/Experimental/patch-2.4.25-vs1.3.8rc1.diff
[22:34] matta: here it is ...
[22:34] what's new?
[22:34] most of that handed out by dhcp.
[22:34] i doubt they will ever run out of space.
[22:34] compared to 1.3.7?
[22:34] yes
[22:35] talon: well, thats more natural
[22:35] - lot of arch stuff
[22:35] talon: but mine is so tight
[22:35] - private namespace support
[22:35] - improved proc iattr interface
[22:35] Bertl: so if I try to mount inside a vs it should work?
[22:36] - the fakeinit zombie fix
[22:36] or is just the support there
[22:36] - rlimit stuff fixes
[22:37] - the primary bind order fix ;)
[22:37] what is rlimit fixes?
[22:39] matta: ad mount, if you have the right caps, it works ..
[22:40] matta: rlimit interface was improved
[22:43] extraversion is wrong ... atm
[22:46] it seems that I'm always missing the gcc releases ...
[22:53] are disk limits part of 1.3.8 ?
[22:53] nope, not yet ...
[22:53] oh, n/m
[22:53] qh isn't even part of it?
[22:53] but the q0.13 will be updated soon to a q0.14 ...
[22:54] I have an nfs fix pending for that ...
[22:54] so i just need q0.13
[22:54] and then the dl0.06
[22:54] q0.13 + fix should work for 1.3.8
[22:54] dl is included in q0.13
[22:54] oh
[22:54] oh, i see
[22:54] the disk limit is for 1.1.6
[22:57] ext2/3 are still the only fs's that support the quota hash/limits ?
[22:58] monako (~monako@ts1-a71.Perm.dial.rol.ru) joined #vserver.
[22:58] matta: yep, reiser doesn't know about quota, xfs quota system is different ...
[22:58] monako: hi!
[23:01] hmm does reiserfs support quota? I see some patches mentioned ...
[23:03] hmm, looks like a guy called mason does quota support for reiserfs ...
[23:03] http://mirror.mcs.anl.gov/suse-people/mason/patches/reiserfs/quota-2.4/2.4.23/
[23:03] JonB (~NoSuchUse@83.89.173.209) left irc: Quit: Leaving
[23:07] matta: from looking at the reiser quota patches, this could be made working (even could work?) with the q0.13 hashes
[23:10] JonB (~NoSuchUse@83.89.173.209) joined #vserver.
[23:10] Bertl: how do i route 172.16.0.0? using netmask 255.255.0.0 ? or 255.0.0.0 ?
[23:10] monako (~monako@ts1-a71.Perm.dial.rol.ru) left irc: Ping timeout: 480 seconds
[23:11] depends on the network/mask ... default is /16
[23:12] Bertl: /16 is 255.255.0.0 ?
[23:12] yup
[23:13] Bertl: thanks
[23:13] Bertl: one more question...
[23:14] Bertl: i have a 192.168.1.0 on eth0, and that is the default route, what happens if i later on add a 192.168.0.0 netmask 255.255.0.0 to route a different way, can it still reach the 192.168.1.0 through the right eth ?
[23:19] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 485 seconds
[23:19] well, depends on the order ...
[23:19] but I would not suggest adding overlapping routes ...
[23:20] (unless you know what you do) basically smaller network segments always get priority if not specified otherwise ...
[23:20] i dont know what i do ;-P
[23:23] Bertl: i might get an SMP sun box in the future to put up, would that be more useful than the Ultra10 even if it was a slightly slower dual cpu machine?
[23:26] probably, because it would also allow to spot sparc SMP races ...
[23:27] but I guess the real advantage is to have a sparc machine available for compiling and testing ...
[23:28] ok, i will keep my eye out for an old dual CPU Ultra 1 or 2 on ebay. probably wont be looking into really for another month or two.
[23:28] surriel (~riel@imladris.surriel.com) joined #vserver.
[23:30] JonB (~NoSuchUse@83.89.173.209) left irc: Quit: Leaving
[23:31] esands (~nic@mdr11-port292.jetstart.maxnet.co.nz) joined #vserver.
[23:31] i hate people.
[23:31] hmm ... me too?
[23:31] some customers... you just don't want.
[23:31] i just figured i have a cable modem and plenty of spare ips i can tunnel in i might as well use some of my spare hardware for some good.
[23:31] hi esands!
[23:31] but you can't turn em away, because then they go out to forums and bash you.
[23:32] hey
[23:32] got a couple questions. just finishing breakfast first. 8)
[23:33] Bertl: interested at all in SGI MIPS based machines?
[23:35] as far as for testing i mean.
[23:35] well, sure, but I can only test on so many machines ... so somebody Interested in testing and reporting specific archs would be required to make this scale ...
[23:36] I built and installed util-vserver (29.196) in /usr/local/. No problems. After a bit of fiddling I got "vserver #name build -m debootstrap" to work. (Although I would like to know where to change the mirror setting)
[23:36] nahh, i dont have the time. just figured i would ask in case you were looking. because i can grab those cheap.
[23:37] talon: I'm sure we can find someone willing to test on a regular basis, so it doesn't have to be you ;)
[23:37] esands: /etc/vservers/.defaults/apps/debootstrap/uri or mirror (resp. /usr/local/etc)
[23:38] I'm not sure how to set the interfaces for this version of util-vserver, as it seems different from the previous version.
[23:39] Bertl: so echo "file:/mirror/apt/" > /etc/vservers/.defaults/apps/debootstrap/uri would be sufficient?
[23:39] if someone does want to test with different archs i wouldnt mind putting up a few more machines. im guessing you already have alpha and PA-RISC test machines.
[23:39] esands: not 'file:/' but only '/'
[23:40] esands: ensc is the author of the tools, you can trust him ;)
[23:40] Action: esands grins.
[23:40] Always good to talk to the experts. 8)
[23:41] esands: or what do you mean with 'mirror'? The mirror of the debootstrap-package, or the general package mirror?
[23:41] the debootstrap package will be searched at http://ftp.debian.org/debian/pool/main/d/debootstrap/debootstrap_0.2.26_i386.deb
[23:41] apt-move mirror. ie. general debian mirror
[23:42] the apt-sources mirror is in $(sysconfdir)/vservers/.defaults/apps/debootstrap/mirror
[23:42] eventually when I get a vserver running, I'll set up a local http servicing mirror
[23:43] So I'd put /var/cache/apt/archive in ../uri and "file:/mirror/apt/" in ../mirror ?
[23:45] in 'uri' is the uri of the debootstrap package (when debootstrap is not installed)
[23:46] Oh, I see. 8)
[23:46] Obviously no need for that on a debian machine. 8)
[23:47] ensc: matt told us that Fedora has depreciated apt-rpm, do you know something?
[23:47] (same goes for riel, if he's listening)
[23:48] Bertl: it's a battle between the pro- and contra-people
[23:48] So format for ../mirror is either http://mirror.whereeever/debian or "/path/to"
[23:48] esands: this is the value which will be given to the debootstrap command
[23:48] ensc: and what is that yum thingy?
[23:49] talon: do you remember the latest q0.13 fixes we did?
[23:49] Cool. thanks
[23:49] Bertl: a gentoo-bootstrapping would be probably faster than a yum one...
[23:50] never heard of yum before, what is it?
[23:50] (well it sounds tasty ;)
[23:50] Bertl: similarly to apt, but written in python
[23:50] (and not so powerful and very sloooow)
[23:51] hmm okay, I vote for apt, I'm no python fan ...
[23:51] http://www.dulug.duke.edu/yum/
[23:52] Bertl: the latest fix was the vfs fix.
[23:52] for the nfs oops.
[23:52] ah right ... thanks ...
[23:53] np
[23:53] Nick change: talon -> talon_afk
[23:54] will probably be back sometime later tomorrow or the day after with more howto updates. have to finish rebuilding my workstation now.
[23:55] just dropped by to let you know about the sun.
[23:55] okay, thanks again ...
[23:57] yeah
[23:57] i noticed when yum updates
[23:57] it downloads a 3k text file for every package
[23:57] with thousands of packages...
[00:00] --- Tue Feb 24 2004