[00:07] talon_afk (talon@host-63-149-223-100.irwinresearch.com) got netsplit.
[00:07] Mcleod (~altec@202.9.60.199) got netsplit.
[00:07] kestrel (athomas@home.swapoff.org) got netsplit.
[00:07] chaosle (~yvan@bragi.fh-brandenburg.de) got netsplit.
[00:07] serving (~serving@213.186.190.121) got netsplit.
[00:07] Doener_zZz (~doener@pD9E12E60.dip.t-dialin.net) got netsplit.
[00:07] Doener_zZz (~doener@pD9E12E60.dip.t-dialin.net) returned to #vserver.
[00:07] serving (~serving@213.186.190.121) returned to #vserver.
[00:07] chaosle (~yvan@bragi.fh-brandenburg.de) returned to #vserver.
[00:07] kestrel (athomas@home.swapoff.org) returned to #vserver.
[00:07] Mcleod (~altec@202.9.60.199) returned to #vserver.
[00:07] talon_afk (talon@host-63-149-223-100.irwinresearch.com) returned to #vserver.
[00:12] Nick change: cgone -> cdub
[00:15] Doener_zZz (~doener@pD9E12E60.dip.t-dialin.net) left irc: Quit: Leaving
[00:15] Doener (~doener@pD9E12E60.dip.t-dialin.net) joined #vserver.
[00:36] chaosle (~yvan@bragi.fh-brandenburg.de) left irc: Remote host closed the connection
[00:40] netrose_ (john877@FL3-24.217.241.239.charter-stl.com) left irc:
[00:40] netrose (john877@FL3-24.217.241.239.charter-stl.com) joined #vserver.
[00:48] paul (~irssi@p5089E005.dip.t-dialin.net) left irc: Quit: leaving
[00:50] interesting
[00:54] miller7 (~none@adsl49-static-gw1.access.acn.gr) left irc: Ping timeout: 485 seconds
[01:02] talon_afk (talon@host-63-149-223-100.irwinresearch.com) got netsplit.
[01:02] Mcleod (~altec@202.9.60.199) got netsplit.
[01:02] kestrel (athomas@home.swapoff.org) got netsplit.
[01:02] serving (~serving@213.186.190.121) got netsplit.
[01:02] talon_afk (talon@host-63-149-223-100.irwinresearch.com) returned to #vserver.
[01:02] serving (~serving@213.186.190.121) returned to #vserver.
[01:02] kestrel (athomas@home.swapoff.org) returned to #vserver.
[01:03] Mcleod[Zzz] (~altec@202.9.60.199) joined #vserver.
[01:13] Mcleod (~altec@202.9.60.199) got lost in the net-split.
[01:19] Renegade-2000 (~Renegade-@shuttle3.ee.ic.ac.uk) left irc: Quit: Leaving
[01:22] soor_ (~as@pD958A0ED.dip.t-dialin.net) joined #vserver.
[01:25] soor (~as@pD958A735.dip.t-dialin.net) left irc: Ping timeout: 499 seconds
[01:42] Nick change: Bertl_oO -> Bertl
[01:45] matta: vmware has troubles with 2.6.3 w/ or w/o vserver ...
[01:45] Nick change: cdub -> cgone
[01:46] .
[01:46] hi bobi!
[01:46] Hi.
[02:08] okay, I'll call it a day ... cu all tomorrow ...
[02:08] Nick change: Bertl -> Bertl_zZ
[02:40] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 499 seconds
[04:40] Mcleod (~altec@202.9.60.199) joined #vserver.
[04:43] Mcleod[Zzz] (~altec@202.9.60.199) left irc: Ping timeout: 499 seconds
[04:52] Mcleod (~altec@202.9.60.199) left irc: Ping timeout: 480 seconds
[04:53] Mcleod[Zzz] (~altec@202.9.60.199) joined #vserver.
[06:34] broo (~broo@host30-5.btbx.net) joined #vserver.
[06:35] quick question. I'm running 2.6.3 with the 0.9 patches on a debian unstable system. should I be using the util-vserver or the vserver package for the vserver tools
[06:35] currently I have vserver 0.29 installed
[06:36] but I can't do a ps when I vserver enter (says I need /proc mounted), I even tried mounting proc to the vservers /proc from the main server but no go. do I need to allow a new capability? this same setup had no probs under a 2.4.20 kernel
[06:40] oh and I can't do a vps in the main server gives the same need proc mounted error
[06:50] /usr/sbin/chcontext --ctx 1 /bin/ps
[06:50] New security context is 1
[06:50] Error: /proc must be mounted
[06:52] hmm I wonder if its my ps thats the issue, I also run selinux on that box on occasion so its a selinux aware ps
[06:53] then again maybe not, looks like it belongs to procps deb package
[06:58] _shur1 (~shushushu@vserver.electronicbox.net) left irc: Quit: changing servers
[07:05] _shur1 (~shushushu@vserver.electronicbox.net) joined #vserver.
[09:10] Mister_A_ (~mab@nat01-clo-ext.Rutgers.EDU) joined #vserver.
[09:10] Bertl are you there?
[09:11] I have a vserver that was working fine, but now in the last day - ps -ax doesnt show mysql or httpd processes
[09:11] which is odd
[09:11] and mysql wont start "already binded to port 3306"
[09:22] Mister_A_ (~mab@nat01-clo-ext.Rutgers.EDU) left irc:
[09:41] _shur1 (~shushushu@vserver.electronicbox.net) got netsplit.
[09:41] _shur1 (~shushushu@vserver.electronicbox.net) returned to #vserver.
[10:06] loger joined #vserver.
[10:10] kestrela (~athomas@syd-h43C.adsl.AlwaysONLINE.net.au) left irc: Remote host closed the connection
[10:11] netrose (john877@FL3-24.217.241.239.charter-stl.com) left irc: Ping timeout: 480 seconds
[11:05] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[11:13] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 480 seconds
[11:16] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[11:24] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 499 seconds
[11:30] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 480 seconds
[11:39] surriel (~riel@imladris.surriel.com) joined #vserver.
[11:43] rs (rs@ice.aspic.com) joined #vserver.
[11:43] morning guys
[11:51] mogge
[12:03] Nick change: Bertl_zZ -> Bertl
[12:03] okay, short visit ... any urgent issues?
[12:06] netrose (john877@FL3-24.217.241.239.charter-stl.com) joined #vserver.
[12:08] broo: u around?
[12:09] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 480 seconds
[12:14] broo: you are hitting the procfs security, see http://www.linux-vserver.org/index.php?page=Proc-Security for details ...
[12:15] broo: either use vproc or the util-vserver alpha setattr tool to make the entries visible in xid=1 or other contexts ...
[12:15] okay, leaving now, will be back in 1-2 hours ...
[12:15] Nick change: Bertl -> Bertl_oO
[12:36] nano_ (~nano@175.Red-217-127-186.pooles.rima-tde.net) joined #vserver.
[12:36] hello
[12:37] I want to know if there is some vserver patch to apply to RedHat Enterprise Linux 3 ES kernel.
[12:38] nano_ (~nano@175.Red-217-127-186.pooles.rima-tde.net) left irc: Quit:
[12:45] miller7 (~none@adsl49-static-gw1.access.acn.gr) joined #vserver.
[12:45] hello to all
[12:47] kestrel (athomas@home.swapoff.org) left irc: Quit: bye
[13:16] surriel (~riel@imladris.surriel.com) joined #vserver.
[13:22] Renegade-2000 (~Renegade-@shuttle3.ee.ic.ac.uk) joined #vserver.
[13:22] valen_ (~john@sprocket.hosting365.ie) left irc: Quit: I'm outta here man, I'm going to town...
[13:24] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 480 seconds
[13:37] loger9 joined #vserver.
[13:38] loger (~loger@213.159.118.2) left irc: Ping timeout: 480 seconds
[13:38] Nick change: loger9 -> loger
[13:50] surriel (~riel@imladris.surriel.com) joined #vserver.
[13:53] kestrel (~athomas@syd-h43C.adsl.AlwaysONLINE.net.au) joined #vserver.
[13:53] hello
[13:54] Nick change: Bertl_oO -> Bertl
[13:55] I'm back, at least for now ...
[14:00] surriel (~riel@imladris.surriel.com) left irc: Ping timeout: 480 seconds
[14:08] miller7 (~none@adsl49-static-gw1.access.acn.gr) left irc: Ping timeout: 480 seconds
[14:15] okay, cu later ...
[14:15] Nick change: Bertl -> Bertl_oO
[14:23] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[14:31] surriel (~riel@imladris.surriel.com) joined #vserver.
[14:50] stubbsd (~stubbsd@217.206.216.194) joined #vserver.
[14:54] Renegade-2000 (~Renegade-@shuttle3.ee.ic.ac.uk) left irc: Quit: Leaving
[15:05] miller7 (~none@adsl49-static-gw1.access.acn.gr) joined #vserver.
[15:11] nano_ (~nano@175.Red-217-127-186.pooles.rima-tde.net) joined #vserver.
[15:12] hello
[15:13] nano_ (~nano@175.Red-217-127-186.pooles.rima-tde.net) left #vserver.
[15:51] jes (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) joined #vserver.
[15:51] Hi all
[15:52] can someone answer a newbie question for me?
[15:53] the best course of action is to just ask your question and wait for answer/rtfm,
[15:53] asking if you can ask usually just wastes people's time
[15:55] lol true
[15:56] also, be patient
[15:56] the guy who knows the answer to your question might just be out to lunch
[15:56] ok, I'm just looking into setting up vserver on an AMD64 box, I understand how to configure each virtual machine (internally) for email, http etc, but I can't quite see how to get external requests to go to the right virtual machine
[15:56] and only see your question when he comes back
[15:57] for example, would I setup Apache on the "main" host to route virtual domains to the virtual machines and likewise for email, get postfix to accept email for domain1, domain2 etc but to forward it onto each virtual domain?
[15:57] dakotadan (~root@213.228.220.48) joined #vserver.
[16:00] dakotadan (~root@213.228.220.48) left #vserver.
[16:05] Nick change: Bertl_oO -> Bertl
[16:05] back from lunch ;)
[16:05] jes: depends on what you want to achieve/setup
[16:06] amd64 is a nice platform and vserver should support it ...
[16:07] virtual domains != virtual server, so you can have many virtual servers on different ips (or on the same ip) each running apache, having several virtual domains inside the virtual server
[16:07] think of a virtual server like of a separate machine, just sharing some resources with the host
[16:10] hmmmm
[16:10] ok...what I want to achieve is -
[16:11] I have a single static public IP address, so far I've been using apache virtual hosts and postfix tricks etc to host multiple www sites and emails
[16:11] but to be honest, it becomes quite messy after a while and the configuration becomes a nightmare
[16:21] loger joined #vserver.
[16:22] rs (rs@ice.aspic.com) joined #vserver.
[16:33] Nick change: Bertl -> Bertl_oO
[17:03] jes (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) joined #vserver.
[17:11] so is the debian util-vserver (0.29) not the most current, cause the showattr and setattr don't respond to any of the commands on that proc-security web page
[17:14] jes (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) left irc: Quit: Leaving
[17:26] serving (~serving@213.186.190.121) left irc: Read error: Connection reset by peer
[17:42] nano_ (~nano@175.Red-217-127-186.pooles.rima-tde.net) joined #vserver.
[17:43] hello
[17:43] nano_ (~nano@175.Red-217-127-186.pooles.rima-tde.net) left irc: Quit:
[17:55] I compiled the 0.28.195 tools and they do show the attributes as described, so I guess I see what I can do with them and just uninstall the 0.29 deb util-vserver
[17:56] ben (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[17:59] morning
[17:59] miller7 (~none@adsl49-static-gw1.access.acn.gr) joined #vserver.
[17:59] (or evening as the case may be)
[18:01] ben (~ben@bengrimm-host225.dsl.visi.com) left #vserver.
[18:02] ben (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[18:12] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[18:18] what in /proc do I need to change with setattr in order to do a vps?
[18:18] *info
[18:18] (debian unstable, 2.6.3, 0.9, 0.28.195)
[18:18] and stat
[18:18] broo (~broo@host30-5.btbx.net) left irc: Remote host closed the connection
[18:19] broo (~broo@host30-5.btbx.net) joined #vserver.
[18:21] iirc vps needs /proc/stat, /proc/uptime, /proc/sys, /proc/sys/kernel, /proc/sys/kernel/pid_max, /proc/meminfo in watch context, but you'll want those visible everywhere, to be able to run ps in the vservers
[18:22] to find it out what needs to be visible, try this: strace ps 2>&1 | grep proc | more
[18:23] hmm setattr doesn't seem to set anything on those
[18:23] which kernel?
[18:23] 2.6.3
[18:23] tools?
[18:23] 0.9 patch set, 0.28.195 tools
[18:24] hmm... i'm using 0.29.196... i'll try 0.28.195, just a sec..
[18:24] where can I get the 0.29 stuff?
[18:25] http://www-user.tu-chemnitz.de/~ensc/util-vserver/ <-- is this the place?
[18:26] yepp
[18:26] in the alpha dir...
[18:27] I'll try the 0.29.196 tools and see if that solves the issue
[18:30] broo: are you getting the /proc must be mounted message?
[18:31] yes
[18:31] broo: ok, seems like a lot of people (including myself) have had that
[18:31] Bertl_oO (~herbert@MAIL.13thfloor.at) left irc: Ping timeout: 499 seconds
[18:32] broo: go to the linux-vserver.org website, and go to the latest stable release
[18:32] broo: and download the vproc tools
[18:32] broo: so click vserver 1.26
[18:33] broo: and get the tools at the bottom "vproc-0.01"
[18:33] broo: then tar xfz vproc ; make ; cp vproc /usr/local/bin ...
[18:33] hmm I can't seem to get to the 13th floor
[18:34] Mcleod[Zzz]: he's on 0.09, i'm not sure if vproc-0.01 will behave as expected...
[18:34] broo: a default way to give vserver access to everything in /proc would be... ; vproc -e /proc/*[a-z] /proc/*/*[a-z] /proc/*/*/*[a-z]
[18:34] flag logic has changed
[18:34] Bertl_oO (~herbert@MAIL.13thfloor.at) joined #vserver.
[18:35] mr Bertl will confirm if vproc is what he's after
[18:35] pretty sure it is
[18:35] setattr should do the job as well and has direct flag control...
[18:36] okay I did a setattr --watch /proc/*
[18:36] is there anything wrong with context 1 being able to access it all?
[18:36] vps works now after doing that
[18:36] broo: context 0 / 1 are reserved iirc
[18:37] so use 2 and above
[18:37] broo: fyi, you'll need to do that setattr command on each boot
[18:37] yeah the --watch was to set the flags for context 1
[18:37] paul (~irssi@82.207.132.154) joined #vserver.
[18:37] because it looks like vps does a chcontext to 1 before doing the ps
[18:38] yeah, it has to to be able to see all processes
[18:38] hi
[18:44] is there a doc to describe the new structure for the vserver config, looks like name.conf is deprecated (or at least considered legacy)
[18:49] broo - it's in the tar file of the util-vserver package
[18:49] doc/configuration.xml
[18:50] (doesn't seem to be installed when you use build an rpm of it)
[18:51] but that describes the layout of the /etc/vservers/ directory
[18:56] jes (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) joined #vserver.
[18:58] interesting most of the old options are split to separate files and a whole bunch of new controls added
[18:58] hello
[18:59] well thx all for the help, I'll chew on this for a bit and see how it goes
[18:59] have fun
[19:00] anybody have some advice on getting a vserver with a private address to route through the host which has a public address?
[19:01] masqueraded that is
[19:01] <_shur1> setting NAT/MASQ on the root server...
[19:01] doh, where'd I miss that ;-)
[19:02] you might also need ip_forward set to 1
[19:02] <_shur1> of course
[19:03] <_shur1> echo 1 > /proc/sys/net/ipv4/ip_forward
[19:03] yep, that's turned on - using shorewall
[19:03] <_shur1> ok
[19:04] <_shur1> you use a script
[19:07] I've just downloaded the experimental release (for 2.6.3), do I need to down separate patches for the quota stuff or is it included in that release?
[19:13] _shur1, were you saying that there's a vserver setting for NAT/MASQ?
[19:13] or were you suggesting that I use iptables to create a masq entry?
[19:14] jes: I don't know if its included inside another diff but there wasn't a separate quota diff file in the 0.09 patch set
[19:15] ben: when I did mine under 2.4 I used iptables for the masq (with ip_forward) and it worked fine
[19:17] broo: I've got the vservers bound to eth1 which is on a 10.x.x.x network
[19:18] and I'd want them to use eth0 as a default route
[19:18] but just can't seem to get that working
[19:18] it seems like it would be really straight forward
[19:19] let me try on this new set up
[19:19] ahhh ok thanks broo....sorry I was AFK
[19:21] is there a "rough" figure for how much extra load each vserver will add to a host? For example realistically how many vservers could I expect to be able to run on a dual opteron machine (assuming most of the vservers are relatively idle) without experiencing slowdown?
[19:21] single figures? double figures?
[19:22] serving (~serving@213.186.190.121) joined #vserver.
[19:22] <_shur1> jes i run 5 vserver on a 133 mhz with 96 meg of ram
[19:23] <_shur1> one with apache mysql
[19:23] <_shur1> other with postfix
[19:23] <_shur1> other for tests
[19:23] jes: its basically the overhead of the services you are running, the vservers themselves have little overhead
[19:23] ahhh ok
[19:24] ok, I've just about got my head around what they do now....but I'm still a bit puzzled how I would achieve this - say I setup a couple of different vservers each with their own http and email domains, given that I've only got a single static (public) ip address, how would I route the emails and http from the "main" server to the right vserver?
[19:25] is that possible?
[19:25] jes - you could use squid
[19:25] ben: I just realized I don't have a second ethernet card in this machine, so I can't test that setup and mine masqs correct cause it all goes out the same interface
[19:25] set up as a reverse proxy
[19:26] ahhhh good thinking ben
[19:26] <_shur1> well for the best results having a lot of ip is perfect
[19:26] I'm not sure if there's any other way to do it with only one ip
[19:26] <_shur1> i got a subnet ip 256 ip here
[19:26] lol yeah _shurl, unfortunately not an option at the moment
[19:26] I think apache has a proxy pass option as well
[19:26] <_shur1> but if you got only one ip
[19:26] sure sure - anything capable of reverse proxy
[19:27] <_shur1> run http in one server
[19:27] <_shur1> mail server in other
[19:27] <_shur1> do not need proxy..
[19:27] I'm just wondering if somehow I could get the postfix server on the main machine to somehow "forward" the emails to the right vserver
[19:27] <_shur1> with one ip
[19:27] _shurl, I want to have separate "self-contained" http domains
[19:27] <_shur1> you need to run only one postfix..
[19:27] <_shur1> jes
[19:28] <_shur1> even without vserver you can do this..
[19:28] <_shur1> virtual host apache..
[19:28] yes I know, thats what I'm doing at the moment, virtual apache and virtual postfix
[19:28] but it's becoming very "messy" (for want of a better word)
[19:28] <_shur1> well
[19:28] so I was thinking about ring-fencing each domain with vservers
[19:29] <_shur1> with one ip
[19:29] <_shur1> humm
[19:29] yes
[19:29] <_shur1> dont think is possible
[19:29] <_shur1> if is it
[19:29] <_shur1> it will be more messy that virtual apache..
[19:30] hmmmm
[19:30] which side is the messy side, apache or postfix
[19:30] _shur1 - it should be possible to do both postfix and apache
[19:30] <_shur1> yes of courses is possible
[19:30] well neither in isolation broo, just the combined maintenance nightmare altogether
[19:30] a front end postfix can relay to the vservers
[19:30] thats what I was thinking ben
[19:30] <_shur1> but you cannot run 2 apache server on port 80 on 2 vserver...
[19:31] <_shur1> on the same ip..
[19:31] _shurl, but they wouldn't need to run on the same port
[19:31] nope, you'd need to run your vservers on private addrs
[19:31] say the main httpd runs on port 80 of the host
[19:31] <_shur1> ok then
[19:31] so vs1 bound to 10.0.0.1
[19:31] *nods*
[19:31] etc...
[19:31] <_shur1> ok then
[19:31] and then I should just be able to proxy from the main host httpd?
[19:32] <_shur1> i do not have this problem with 250 IPS:P
[19:32] yep
[19:32] jes we use postfix to feed cyrus 2.2.x via lmtp, nothing special needs to be setup in postfix and cyrus 2.2.x separates the mail into the domains quite nicely
[19:32] lol@_shurl
[19:32] we have probably 16 domains in there at the moment
[19:32] broo....I always want real unix users, not just virtual ones
[19:32] always = also
[19:33] and I like the idea of someone ssh'ing into a vserver and only seeing stuff relating to their "domain"
[19:33] hehe, jes I'm just the opposite, if I can have the user never have a real account so much the better :)
[19:33] if that makes sense?
[19:33] yep if you need ssh access then vservers make a lot of sense
[19:34] hmmm ok thats good then....at least nobody has said "nope that'll never work"
[19:34] ;)
[19:35] ok...next techie question....
[19:36] given that I have a single ip address, and I want to allow users to ssh directly into a vserver, I can either have them listen on different ports (2022, 3022 etc)
[19:36] stubbsd (~stubbsd@217.206.216.194) joined #vserver.
[19:37] surriel (~riel@imladris.surriel.com) joined #vserver.
[19:37] jes, yeah, I think that'd be the old way
[19:37] or I can have a single sshd listening on the default port 22 of the host and change the user's profile to do something like "ssh my_vserver"
[19:37] or...is it possible to somehow get the host to port-forward directly to the vserver based on the user logging in?
[19:37] if you had user accounts on the host server you could do something like that
[19:38] *nods* ben
[19:38] I must be having dns issues, I'm having a heck of a time going places today
[19:38] the only drawback I can see is that with "w", "finger" etc that all the users on the vserver would be coming from the host, rather than the remote host
[19:39] it'd be nice to have the user ssh to the host, which then "transparently" opens a forwarded session to their vserver....but I have no idea if that's possible
[19:39] jes, if you were using telnet ;-) you could set up a telnet proxy
[19:39] lol ben
[19:40] I think there are ssh proxies
[19:40] have the host resolution take place within the proxy and they could just log in ;-)
[19:40] broo, you may be right
[19:40] hmmm, ty broo I'll have a look for some
[19:41] or you might be able to use ssl-telnet with a telnet proxy :)
[19:43] hmmm not looking promising so far, most of the solutions seem to rely on the client end changing their configuration (which I'd rather not make them do)
[19:49] if you don't mind modifying sshd you could have certs set up in the base server that have ssh access into the vservers then just execute an ssh (via cert) into the appropriate vserver based on user that logged in
[19:51] hmmmmm
[19:51] Action: broo is away: hey look over there ->
[19:51] yeah that sounds like an idea
[19:53] so broo, you use private addr's on eth0 and then masquerade them and that works
[20:02] Nick change: Bertl_oO -> Bertl
[20:02] evening everyone ...
[20:04] hiya Bertl
[20:05] hi jes, quite some questions there, any left?
[20:08] hi Bert
[20:09] hey ben! how's your vserver?
[20:09] they're looking good
[20:09] I'm playing with routing now
[20:09] iproute2?
[20:09] sure ;-)
[20:09] good
[20:09] !
[20:10] just trying to figure out the minimum to get a vserver bound to a private addr to route through the public interface
[20:10] w/o nat?
[20:11] w/ nat
[20:11] hmm, SNAT/DNAT ...
[20:11] no routing required ...
[20:11] yeah, that's what I thought
[20:12] but?
[20:12] but seems like my packets just end up in the ether
[20:12] unreplied
[20:12] hmm, they leave the interface?
[20:12] not sure
[20:13] tcpdump?
[20:13] I'm using shorewall to control the iptables
[20:13] one sec...
[20:14] hrm, IIRC we had some troubles with that some time ago ...
[20:14] yep
[20:15] they're leaving as the source address though
[20:15] not masq'd for some reason
[20:15] have a look at the POSTROUTING table ...
[20:16] does it show an SNAT target?
[20:16] using iptables?
[20:16] well, yeah?
[20:16] iptables -t nat -L POSTROUTING
[20:17] didn't see the postrouting table without the -t nat
[20:17] but it returned:
[20:17] eth0_masq all -- anywhere anywhere
[20:17] eth0_masq is:
[20:17] and that's it?
[20:18] eth0_masq is probably _not_ doing SNAT ...
[20:19] MASQUERADE all -- 10.0.0.0/8 anywhere
[20:19] I don't know how you are going to tell it to the shorewall stuff, but you need a target like this:
[20:20] woohoo...*almost* solved my ssh forwarding problem ;)
[20:20] iptables -t nat -A POSTROUTING -o -j SNAT --to
[20:20] I can get that working
[20:21] yes: you want to ssh in as user xy and become vserver root?
[20:21] s/yes/jes/
[20:21] almost Bertl
[20:21] I can just so long as I'm ssh'ing in from a "known" host
[20:22] but that is _what_ you want, right?
[20:22] example: external_host1 -> public_host -> vserver1
[20:22] public_host = host ip
[20:22] almost Bertl....I need it to work from *any* external host
[20:22] yep
[20:22] vserver1 = vserver ip
[20:23] how to discriminate different vservers?
[20:23] based on incoming ip atm I guess?
[20:23] no, I've done it per user
[20:23] since I only have a single ip
[20:23] incoming ip != host ip ;)
[20:23] in each users ~/.ssh/authorized_keys I've set a forwarding command to their vserver
[20:24] looks like?
[20:25] command="ssh cerberus" ssh-rsa AAAAB= jes@gateway
[20:25] hmm, okay why ssh?
[20:25] so when the jes@gateway key is used, it runs that command
[20:25] why not 'vserver enter' ?
[20:25] for people who don't have console access
[20:25] maybe 'sudo vserver enter'
[20:26] hmm, so you are doing ssh for root and non root vserver users?
[20:26] I don't want to give them ssh access to my gateway, just "transparently" let them ssh directly to the vserver they've been assigned to from over the internet
[20:26] well non-root at the moment yes
[20:26] thats right
[20:27] okay, and what is the criterion to select the destination vserver?
[20:27] purely username will do, I can give unix ids on the host for each vserver user
[20:28] if you have jon@vserver1 and jon@vserver2 =
[20:28] s/=/?/
[20:28] yeah say user jon has an account in vserver1, bob has an account in vserver2, I can create an account for bob & jon on the host
[20:29] what about using different ports?
[20:29] and I want it so when they ssh to my public ip address, it takes them directly into their assigned vserver
[20:29] thats an option...just a bit "annoying" to have to have 1,2,5,20+ different ports for sshd
[20:30] plus there's always the chance that a user might use the wrong port then wonder why their login doesn't work ;)
[20:30] yeah, but you do not have to configure any user data on the host ...
[20:30] true
[20:30] Nick change: cgone -> cdub
[20:30] still the question is, how to handle jon@vserver1 and jon@vserver2 ?
[20:31] I could make sure that usernames are unique across vservers
[20:31] which would actually make it easier giving them unix id's on the host, since that would be a safeguard
[20:32] well, if that is what you want ...
[20:32] hi cw!
[20:32] lol it's just experimenting at the moment Bertl
[20:32] you could make their usernames blah@domain.com
[20:32] okay, don't let me stop you ...
[20:33] yeah true broo
[20:35] Bertl: the setattr etc worked fine, turned out i needed a newer set, so now I'm using the 0.29.196 tools, thx for the help on that
[20:36] okay, np, did you let enrico know of that? probably yes, and probably he already knew, right?
[20:37] I didn't and don't know :)
[20:37] bert, thanks for the help - all is well now
[20:37] great! np
[20:42] Doener_zZz (~doener@pD9E121CC.dip.t-dialin.net) joined #vserver.
[20:42] bert, figured it out using shorewall specifics as well
[20:43] just had to specify the outbound address to use
[20:43] so much more handy than using iptables directly ;-)
[20:43] hi
[20:43] how are things going?
[20:43] fine, thanks matt, how are you?
[20:44] but you end up forgetting the specifics of one method in favor of another
[20:44] ben, the choice of tools is yours ...
[20:44] bert, yep
[20:45] good
[20:45] they are ok
[20:45] netrose (john877@FL3-24.217.241.239.charter-stl.com) left irc: Ping timeout: 480 seconds
[20:46] having a bitch of a time with an opteron and hpt374 raid card
[20:46] shorewall is a very elegant solution to defining firewall rules, but it hides some of the nuances of iptables from you
[20:47] Bertl: hi
[20:47] matta: what issues?
[20:47] cdub: looks like nobody likes a 'simple' cross toolchain ;)
[20:48] Bertl: yeah, guess so
[20:49] Bertl: everybody must have a fast machine to not worry about glibc compile or something ;-)
[20:50] Doener (~doener@pD9E12E60.dip.t-dialin.net) left irc: Ping timeout: 499 seconds
[20:50] well, if it was only the compile time, I wouldn't care either ...
[20:50] honestly, how often do you recompile the toolchain?
[20:50] infrequent at best
[20:50] netrose (john877@FL3-24.217.241.239.charter-stl.com) joined #vserver.
[20:50] netrose (john877@FL3-24.217.241.239.charter-stl.com) left irc: Client Quit
[20:50] netrose (john877@FL3-24.217.241.239.charter-stl.com) joined #vserver.
[20:51] but, what else is the headache, getting glibc to bootstrap?
[20:51] yeah, but for most archs, I didn't even manage to get the crosstool stuff working?
[20:51] and it seems, Dan didn't either ...
[20:51] right
[20:51] where the libc hack works (at least for me)
[20:52] yes, i guess the full toolchain would be useful for a wider audience
[20:53] but then, nobody seems to do the work ;-/
[20:53] looks like line 350 in functions needs to reference DEFAULT_VSERVERDIR
[20:53] well I don't want to get flamed to crisp for asking why the arm/cris/ toolchain/glibc doesn't build?
[20:54] oops sorry line 105
[20:54] broo: which tools do you use?
[20:54] 0.29.196
[20:54] hmm, that should configure the dirs on install?
[20:55] did you move the tools around?
[20:55] test -d "$VDIR" || VDIR=/vservers/$vserver is what it is, looks like should be test -d "$VDIR" || VDIR=$DEFAULT_VSERVERDIR/$vserver
[20:56] I did a configure --with-vrootdir=/export/vserver followed by a make; make install
[20:56] hmm, sounds correct ...
[20:56] please modify and test, if it works, send a note to enrico ...
[20:57] okay
[20:57] cdub: last time I asked for parisc, how to compile the kernel ... and they said: simple get the binary toolchains, and compile it ...
[20:57] haha
[20:57] cdub: I then asked, hmm, can't find the source, where is it ...
[20:57] Bertl: that's sad
[20:58] they told me, that is too complicated to compile, only one person knows, and the precompiled debs work ...
[20:58] what shall I answer to something like this?
[20:59] but even funnier was the 'please reserve a syscall for vserver'
[21:00] Bertl: i saw that
[21:01] Bertl: it's not too nice to have no way to repeat something
[21:01] who knows, btw?
[21:02] you mean 'how to recompile the parisc chain?'
[21:02] yeah
[21:02] well I know now, because I did recompile it ;)
[21:02] ahhh
[21:02] (including glibc ;)
[21:02] nice
[21:03] never figured out who should know it, but probably that guy who puts up the bin packages
[21:03] hrm, i see. just wondering. i know at least one of the parisc guys
[21:04] http://www.parisc-linux.org/software/index.html#xcs
[21:05] taggart@fc.hp.com
[21:05] (just an educated guess ;)
[21:05] right ;-)
[21:10] so do you have any idea how to proceed with the osdl cross compiling archs?
[21:10] Well, funny thing is, what we do is compile kernel, so we could use same "simple" one
[21:11] well, basically I don't care what toolchains are used ...
[21:11] But, we started down the path of using Dan's, and I guess his work is more generally useful as a full cross toolchain
[21:11] so I have no problem with that ...
[21:11] so getting Dan's stuff working across arches would help the next step then?
[21:11] (i am agnostic here too)
[21:12] sure, but I do not want to waste my time on fixing libc issues for kernel compile tests ;)
[21:12] no way, i don't blame you
[21:12] that is something I leave to Dan, he knows how to fight that dragon ...
[21:12] i would hope we could get some resources here to hep it out
[21:12] help, even
[21:12] is it likely that Dan will do this?
[21:13] or is he happy with what he has?
[21:13] guess yes, he seemed interested in feedback and further development ...
[21:13] but I don't know if it's even possible for all archs ...
[21:13] ok. i can ask the folks here if they'd work on setting up more crosschains, would that help?
[21:13] Nick change: Doener_zZz -> Doener
[21:14] definitely .. but check first what to do about missing archs ...
[21:14] part of the problem is many less popular arches require patches first
[21:14] because their kernels lag behind mainline
[21:14] maybe a good approach would be to have both ways (dans and mine) in comparison?
[21:14] ok, what would be the "metric" for comparison?
[21:15] simple: compiles/doesn't medium: warnings/errors advanced: assembler code comparison ?
[21:15] heh, interting
[21:16] intersting, assembler part, that is
[21:16] bah, i can't type
[21:16] yeah, thought about compiling not only .o files but .s too on the way we go ...
[21:16] that way, you get both, compiled kernel and assembler sources ...
[21:17] comparing them with diff seems pretty easy then ...
[21:17] btw, osdl does only use one compiler (for each arch) to compile the kernels right?
[21:18] yeah (AFAIK)
[21:18] http://vserver.13thfloor.at/Stuff/Cross/Comparison/
[21:18] I found it quite interesting to see what changed ...
[21:19] between the compilers (some small patches from dan)
[21:19] what's -linux vs. -unknown
[21:19] unknown is dans toolchain
[21:19] and the other is yours? ok
[21:19] http://vserver.13thfloor.at/Stuff/Cross/Comparison/TEST-alpha.diff
[21:19] weird!
[21:19] yep
[21:20] and then the comparison between 3.3.2 and 3.3.3
[21:20] http://vserver.13thfloor.at/Stuff/Cross/DIFF-2.4.25-gcc3.3.2-gcc3.3.3/
[21:20] miller7 (~none@adsl49-static-gw1.access.acn.gr) left #vserver.
[21:20] (same is available for 2.6.x)
[21:21] nice work
[21:22] well, it's only a tool on the way for me .. I want to compare non vserver with vserver kernels ...
[21:22] yes
[21:22] where my metric is simple: any new warning/error is a bug ;)
[21:22] right ;-)
[21:25] matta: still around?
[21:36] how do I kill vservers that aren't managed? I have a few vservers running from when I was using the old tools, they show up in /proc/virtual but I can't do a status or stop on them
[21:36] you should have a vkill in newer tools ... if not let me see there is a separate tar package ...
[21:36] http://www.13thfloor.at/vserver/d_release/v1.3.1/vkill-0.01.tar.bz2
[21:37] ah yes vkill, thx again
[21:37] you need to know the though ...
[21:37] yeah I get that from /proc/virtual
[21:37] good ;)
[21:47] jes (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) left irc: Quit: Leaving
[21:49] stubbsd (~stubbsd@217.206.216.194) left irc: Quit: Leaving
[21:56] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver.
[21:56] hi james!
[22:03] rs (rs@ice.aspic.com) left irc: Quit: pula
[22:06] good mornin
[22:17] stupidawy (foo@you.wish.you.were.pimp.olicio.us) left irc: Quit: Caught signal 15, Terminated
[22:17] anybody interested in testing new stuff on 2.6.3 (soon)?
[22:21] I am
[22:22] okay, we are currently working on something, when would you be able to test it?
[22:23] whenever, today/tonight works fine or later in the week as well
[22:24] great! thanks ... expect something to test soon ;)
[22:28] stupidawy (foo@you.wish.you.were.pimp.olicio.us) joined #vserver.
[22:33] hi stupidawy!
[22:40] /bin/insmod exited abnormally
[22:40] mount: error 6 mounting ext3
[22:40] Kernel Panic No init found
[22:40] hrm
[22:40] that's not good
[22:40] Bertl: i'd be willing to test 2.6
[22:40] did you get vmware working?
[22:40] it seems 1.3.x is about golden (afaik)
[22:40] and all the cool new features need 2.6 anyway :)
[22:41] well
[22:41] i might have to try 2.6 on this opteron
[22:41] where the f*ck do people take all those opterons?
[22:41] I want one too!
[22:41] or two
[22:41] eyck: buy one
[22:42] yeah, sure, wanna buy a liver?
[22:43] opteron's are cheap
[22:43] hmm, you should consider a kidney, they bring more ...
[22:43] much cheaper than xeon's
[22:43] i might have a lot more free time
[22:43] hmm, can I get a xeon with a mb for a kidney?
[22:44] i just outsourced my hosting support to india :)
[22:44] haven't officially started yet, so I gotta see how much of my time it actually frees
[22:44] eyck: dual xeon including mb and casing should be possible ... ;)
[22:45] oooh, goodie goodie.
[22:45] gotta run, need to find some kidney-cutting-out shop
[22:45] what do you suppose that error I posted could mean bertl?
[22:45] the insmod?
[22:45] I think that you couldn't mount your partition
[22:46] that means that you are using old modutils not able to cope with 2.6.x
[22:46] it was a 2.4.25 kernel
[22:46] then that you've probably compiled ext3 as a module and using initrd, which fails ...
[22:46] ext3 is built-in
[22:47] modutils 2.4.25
[22:47] hmm, okay, any more details I should know about?
[22:47] 2.4.25 is compatible with 2.6 correct?
[22:48] guess so ...
[22:48] any stuff around that error?
[22:48] did you try init=/bin/bash ?
[22:49] did you try root=/dev/
[22:49] yes
[22:49] i think the problem is this driver
[22:49] it's a hpt374
[22:49] vendor driver... linux doesn't support it
[22:49] this is remote btw
[22:49] it's working under the fedora stock kernel with their driver compiled for it
[22:49] just fine
[22:49] ah, you were talking about that one ...
[22:50] but for 2.4.25... it takes a dump
[22:50] i've done everything
[22:50] kernel has ramdisk/initrd support, scsi built as modules
[22:50] let me see, I remember having a similar issue some time ago ...
[22:50] I compile kernel/modules
[22:50] install kernel
[22:50] copy the hpt374.o to kernel/drivers/scsi
[22:50] i re-run depmod (just to make sure!)
[22:50] make my initrd
[22:51] modules.conf is correct
[22:51] which bios for the controller?
[22:51] how can I check?
:)
[22:51] scsi0 : hpt374
[22:51] Vendor: HPT3xx Model: RAID 5 Array Rev: 3.00
[22:51] Type: Direct-Access ANSI SCSI revision: 00
[22:51] Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
[22:51] SCSI device sda: 312602880 512-byte hdwr sectors (160053 MB)
[22:52] on bootup, it should give a message, options are 3.01 - 30.3
[22:52] 3.03
[22:52] http://www.highpoint-tech.com/374drivers_down.htm
[22:52] yeah
[22:53] i think that's the 3.00
[22:53] weird though, runs fine under fedora's stock kernel
[22:54] update the bios, have a look at the driver sources ...
[22:54] hmm, maybe the other way round ;)
[23:23] fucking werd
[23:23] got it
[23:25] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[23:25] Bertl: evening
[23:26] hi jon!
[23:26] Bertl: the professor said that your project idea was not enough independent work
[23:27] which one ;)
[23:29] Bertl: the regression test
[23:30] hmm ...
[23:31] click (click@gonnamakeyou.com) joined #vserver.
[23:32] Action: JonB clicks click
[23:32] hi click!
[23:34] heya herbert and job
[23:34] uuh
[23:34] JON!
[23:34] damned laptop kbd
[23:41] click (click@gonnamakeyou.com) left irc: Quit: Fuck, brb!
[00:00] --- Thu Feb 26 2004