[00:00] a) good question - probably it is not needed on dummy0 (e0) - it is needed on eth0 to forward all packets from the lan
[00:00] d) what implications would it have if the e0 is changed from a vserver?
[00:00] b) br0 will be the host's default interface - eth0 has no ip address
[00:01] can I set my reference vserver up to have the same IP as the host?
[00:01] c) I gave CAP_NET_RAW to my vservers, works. I tried CAP_NET_ADMIN - configuring the interface gave me strange errors - wait a minute, I'll try it out
[00:02] (strange error message inside the vserver, no way to disturb the others)
[00:02] micah: sure, just make sure that you either do not start it, or 'reuse' the already configured ip ...
[00:02] d) division by zero - question cannot be applied
[00:02] Bertl: if I just enter and setup the IP to be the same, then it should be ok?
[00:03] if done properly, yes
[00:03] Bertl: but it has to be done outside of the vserver?
[00:03] because inside, I get:
[00:03] /sbin/ifconfig eth0:zunz 216.162.197.194
[00:03] SIOCSIFADDR: Permission denied
[00:03] SIOCSIFFLAGS: Permission denied
[00:04] you have to remove the eth0: part
[00:04] from the config file ...
[00:04] (that is what I meant with properly)
[00:04] I've just got:
[00:04] IPROOT="216.162.197.194"
[00:04] IPROOTDEV="eth0"
[00:04] in my .conf
[00:04] IPROOTDEV="" would be okay
[00:04] do I remove the IPROOTDEV?
[00:05] ok, did that
[00:05] it works :)
[00:05] bengrimm (~ben@bengrimm-host225.dsl.visi.com) left irc: Ping timeout: 480 seconds
[00:08] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[00:09] Bertl: I am trying to remove an old vserver
[00:10] but it won't let me rm -rf it
[00:10] because:
[00:10] /dev/pts and /dev/shm won't let me remove
[00:10] rm: cannot unlink `pts/0': Operation not permitted
[00:10] rm: cannot remove directory `pts': Device or resource busy
[00:10] you didn't stop it properly and there are mounts left ...
[00:10] umount /vservers/server/dev/pts
[00:10] ah
[00:12] I can't remove the proc stuff though
[00:12] /vservers/server/proc
[00:12] micah: what could be the solution?
[00:12] well, umount /vservers/server/proc doesn't help
[00:13] so you probably have processes still running in this vserver then?
[00:13] no
[00:13] but doing mv /vserver/server /vserver/foo and then rm -rf /vserver/foo worked
[00:14] i had not run anything in the vserver
[00:16] hmm, unusual ...
[00:16] bertl: any idea what this means: "Unable to handle kernel NULL pointer deference at virtual adress"
[00:16] a friend's kernel hangs with this message during boot
[00:16] looks like a kernel bug, which kernel?
[00:17] Method (Method@ip68-12-167-163.ok.ok.cox.net) left irc: Quit: AnacønÐa · "Everything takes longer than you think"
[00:17] and usually there is a long message (kernel oops) attached
[00:17] JonB (~NoSuchUse@kg229.kollegiegaarden.dk) joined #vserver.
[00:18] Bertl: sorry, I was away for a phonecall - in the meantime I tested ifconfig on the bridged dummy0 interface:
[00:18] in vs4: ifconfig e0:vs4 192.168.124.227
[00:18] (e0 == dummy0)
[00:18] and?
[00:18] bertl: 2.4.20 (gentoo src)
[00:18] SIOCSIFFLAGS: Cannot assign requested address
[00:18] bertl: it is
[00:19] BUT it changes the ip address of e0:vs4 on the host
[00:19] hmm, okay, could you try giving the 192.168.124.227 to the vserver allowed ips too?
[00:19] btw, where does gentoo keep list of patches in their kernels?
[00:20] Hest (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[00:20] maharaja: well you can debug the oops with ksymoops, if you recompile the kernel accordingly ...
[00:20] hi Hest!
[00:23] Bertl: and now comes the very strange thing:
[00:23] Bertl: "Hey, it's me George"
[00:23] ifconfig on the host shows .227 - vserver vs4 exec ifconfig shows still the old .204
[00:24] if I change the ip back, everything works as before
[00:25] Bertl: what do you mean by "allowed ips"?
[00:25] Hest: hmm, George who?
[00:25] Bertl: from the schweppes commercial
[00:26] dilox (~dilox@host2-9.pool8249.interbusiness.it) joined #vserver.
[00:26] JonB (~NoSuchUse@kg229.kollegiegaarden.dk) left irc: Ping timeout: 499 seconds
[00:26] hi bertl
[00:26] hi dilox!
[00:26] Nick change: Hest -> JonB
[00:27] ah, Jon in disguise ...
[00:27] pazzo: the vserver has a list of allowed ips
[00:28] IPROOT="192.168.124.227 192.168.124.204" would be interesting ...
[00:28] IPROOT ?
[00:28] this might allow you to switch between those two ips ...
[00:28] Bertl: exactly
[00:29] ok, at the moment I have IPROOT="e0:192.168.124.204/255.255.255.0" - I'll test IPROOT="e0:192.168.124.204/255.255.255.0 e0:192.168.124.227/255.255.255.0"
[00:31] no, forget the e0:
[00:31] just leave that to the vserver ...
[00:31] IPROOT="192.168.124.204/255.255.255.0 192.168.124.227/255.255.255.0"
[00:31] this will not create/setup any e0 alias ...
[00:32] so you preset the e0 before the start to one of those addresses
[00:32] Bertl: this creates e0:vs4 and e0:vs41
[00:32] yeah, and we do not want that ;)
[00:32] Doener (~doener@pD9588E0E.dip.t-dialin.net) left irc: Quit: Leaving
[00:33] changing ip addresses works (I can use .204 and .227)
[00:33] hehe, thought so ...
[00:33] but there seems to be a bug: if I'm limited to the ip addresses in IPROOT - why can I change them anyway?
[00:34] inside the vhost it gives me a deny and the address remains the same - but on the host the address IS CHANGED!
[00:34] this is because this was never meant to happen, but some checks are already there
[00:35] so basically we have half the way ...
[00:35] aaaaaaaaaaaargh - and I can assign addresses to other interfaces!!!
[00:35] of course ...
[00:36] okay, now let's check the other end ....
[00:36] what about that promisc settings ... what about moving eth0 ip to the bridge
[00:36] ok, so we need to limit the view of the addresses - I've been able to do so using vproc - is that secure enough?
[00:36] nope, but let us put that issue on hold ... for now
[00:37] Zoiah (Zoiah@matryoshka.zoiah.net) joined #vserver.
[00:37] Bertl: at the moment I have br0->192.168.124.222, eth0->0.0.0.0 promisc (from inside a vserver I changed this to 10.0.0.1), ...
[00:37] example:
[00:37] ...and vs1 - vs6 use e0:192.168.124.201 - 206
[00:38] what if you leave eth0 as w/o bridge and configure the dummy0 to a new ip
[00:38] this way packets addressed to the dummy0 ip, will arrive at eth0 anyway, right?
[00:38] then I have to use routing to allow the vservers access to my lan - I have to add another network segment or to do nat!
[00:38] nope
[00:39] just try it, configuring an ip on the dummy, automatically enables this ip
[00:39] ok, slowly again - what would you like to do?
[00:39] ok, wait a minute...
[00:39] for example: ifconfig eth0:192.168.124.222
[00:39] ifconfig dummy0 192.168.124.204
[00:40] and the host will respond to a ping at .204
[00:40] all vservers stopped, I have only eth0 with 192.168.124.222 now
[00:40] okay, now configure a dummy0 at .204
[00:40] then from outside the host (on the lan) try to ping that ip
[00:41] aaaaah, cool - is dummy0 accessible from any network segment???
[00:41] how does this work?
[00:41] it responds to pings from the lan
[00:41] yeah
[00:41] that is because addresses and interfaces are separated in the kernel
[00:42] (at least if you do not disable that)
[00:43] hmmmm... so can I assign dummy0:1 an ip address from a network segment on eth0 and dummy0:2 an ip address from another network segment on eth1 ?
[00:43] sure ...
[00:43] hmmm... and two routes for the same subnet to two interfaces (eth0 and dummy0) cause no problems????
[00:44] I'm sure that would burn down any cisco router :o)
[00:44] you do not need two routes ... as the outgoing interface is only eth0
[00:45] linux adds a route for 192.168.124.0/24 to dummy0 if I give it an ip address
[00:45] and there is also 192.168.124.0/24 on eth0
[00:45] yes, but that is interface specific ;)
[00:45] the actual 'route' is the default route ...
[00:45] serving (~serving@213.186.190.121) joined #vserver.
[00:46] if I ping 192.168.124.123 I do not use the default route!
[00:46] it might become a problem, if you use the same ip on both 'lans' internal and external
[00:46] okay, let's see if the next step works ...
[00:46] now use this dummy interface for a vserver ...
[00:46] (I do not agree with this routing thing, but let's go on)
[00:47] bengrimm (~ben@bengrimm-host225.dsl.visi.com) left irc: Ping timeout: 480 seconds
[00:47] Doener (~doener@pD9588E0E.dip.t-dialin.net) joined #vserver.
[00:47] ipv4root is now 192.168.124.201
[00:47] (vserver vs1 running)
[00:48] can you bind that ip from inside, and does the bind actually work?
[00:48] ...and it does all the networking stuff
[00:48] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[00:48] (I can ssh to it)
[00:48] fascinating, isn't it?
[00:48] and I can ping servers some hundred kilometers away
[00:49] so let's make a short recapitulation ...
[00:49] we have a 'separate' interface for the vserver
[00:49] the vserver can change this interface in some ways ...
[00:50] ettercap:
[00:50] ec_inet_linux:237 ioctl(SIOCGIFADDR) | ERRNO : 99 | Cannot assign requested address
[00:51] the interface works for the outside too, and it's visible on both the vserver and the host, right?
[00:51] yes
[00:51] (additionally there are many other interface visible, which will be corrected later)
[00:51] ok
[00:52] now the basic question, does this allow to sniff packages between servers and host or to the host?
[00:52] see above: it results in a strange error
[00:52] and more important, does it allow to tcpdump the vserver (something we would like)
[00:52] give CAP_NET_RAW and tcpdump will work
[00:53] it HAS CAP_NET_RAW
[00:53] apt-get install tcpdump
[00:54] tcpdump works - and sees no packet as before
[00:54] does it see packets targeted at the vserver?
[00:54] even not the packets directed to this vserver
[00:55] (that would be nice to have)
[00:55] okay, but did this work with the bridge setup?
[00:56] no, this didn't work with the bridge setup - seems to be a dummy0 feature - let's try a tun/tap interface!
[00:56] try, it will not work either ;)
[00:57] shit, typing too fast - I've shut down something wrong, I'll be back soon!
[00:57] is this forbidden by vserver or by dummy?
[00:57] neither nor ...
[00:58] it is an intrinsic feature of the network stack
[00:59] ?
[00:59] you can only tcpdump interfaces which are transporting packets
[00:59] tell me more!
[00:59] aaah!
[00:59] both dummy0 and tun/tap do not transport any packets in your setup
[00:59] then let's see if tun/tap transports packets
[00:59] sure they don't?
[01:00] try it out, can't hurt, can it?
[01:00] I had to run downstairs to restart the server :o)
[01:01] and I've had a snowboard accident, so running hurts since 3 weeks :-)))
[01:01] that's bad, you should not leave your snowboard lying around on the stairs 8-)
[01:01] hmm, you shouldn't put it on in the first place...
[01:02] snowboard hurts :(
[01:02] skiing is easy
[01:02] snowboarding hurts... and learning it REALLY hurts ;)
[01:03] snowboarding is real fun - learning it was hard - but today - it is really great fun!!!
[01:04] hmm... i wouldn't know - i tried learning the same way I learned to ski - I get on biggest hill around and tried riding down...
[01:05] me too - it took me 2 hours :)
[01:05] learning to ski is easy at the beginning - but it is difficult to become really good
[01:07] Topic changed on #vserver by Bertl!~herbert@MAIL.13thfloor.at: http://linux-vserver.org/ || latest stable 1.26, devel 1.3.8, exp 0.09.8
[01:07] pazzo: problem was - I learned on blue track that was a bit icy.... anyhooo... 4hours later I was all wet and with few slightly fractured ribs and promised myself not to touch that evil board for at least another month;)
[01:11] eyck: the first thing you have to know if you want to learn snowboarding: you have to be relaxed: Jaegermeister is your friend!
[01:12] (or tequila, if you can find nothing else :o)
[01:15] bertl? ever tried tcpdump -i eth0 ?
[01:16] inside a vserver?
[01:17] yes
[01:18] IT WORKS
[01:18] I've been testing with tun/tap, now I changed back to dummy0 - it still works
[01:18] # tcpdump -i eth0
[01:18] tcpdump: socket: Operation not permitted
[01:18] pazzo: what capabilities do you have assigned to that vserver?
[01:18] CAP_NET_RAW
[01:19] you forget that cap NET_RAW and other isn't secure atm
[01:19] ok, and that's the big remaining problem
[01:19] hmm
[01:19] why would you give CAP_NET_RAW to vserver?
[01:19] pazzo: yeah, hackers can always enter your server through the network, better remove the network from the server
[01:20] pazzo: let us not be concerned with that issue atm ...
[01:20] pazzo: but most hacking jobs are done from within the company itself, so, you better remove the keyboard as well
[01:20] using dummy0, tun/tap, eth0 or whatever you want - all works more or less the same but we can not assign CAP_NET_RAW until we have a limited view/access to only some interfaces
[01:21] okay, so we actually have three remaining issues:
[01:21] JonB: I would like to have CAP_NET_RAW - I don't like stupid daemons or userspace utilities just to have a working ping
[01:21] a) tcpdump on the vserver interface doesn't work
[01:22] b) we have to restrict access only to the 'allowed' interfaces and ips
[01:22] c) we have to disallow the 'creation' of other interface ;)
[01:22] pazzo: i can see that
[01:23] pazzo: You're aiming for a fly with a nuclear missile by using CAP_NET_RAW for ping, hmm
[01:24] pazzo: IMHO a) can be postponed (as a nice to have feature, right?)
[01:24] hmm, i think it's rather general issue with CAPs granularity
[01:24] eyck: that is why we now have vserver caps ;)
[01:24] ouh, smeagol talk
[01:25] hmm, we have vserver caps?
[01:25] what vserver caps?
[01:25] yes, we do ...
[01:25] JonB: and do not really fear hackers (some time ago I was a little bit more paranoid - I have a server without a graphic card, vga disabled in the kernel, no cdrom, bios password, no keyboard support - now I have to change this machine as it has more than 800 days uptime - it will be a mess to access this system - I was sooooo stupid)
[01:25] Bertl: a) would be a nice to have feature, yes
[01:26] pazzo: buy a new ?
[01:26] but it shouldn't give you access to eth0
[01:26] pazzo: hmm, that wouldn't be stupid if you had full-featured serial access... like SUN or SGI systems do.
[01:26] so b) and c) is mandatory ... but after that, we have a solution which is what you were looking for, right?
[01:26] eyck: this machine has serial access - but not to the bios
[01:26] eyck: i have serial access
[01:26] oh
[01:26] that much
[01:26] eyck: todays server boards offer this too
[01:26] realweasel
[01:27] pazzo: exactly. not to the bios. damn PC shaizzz
[01:27] damjan (~damjan@legolas.on.net.mk) left irc: Ping timeout: 480 seconds
[01:27] pazzo: hmm, haven't seen proper serial access in servers around here...
[01:27] I have two new servermicro boards (p4) here, it should work with the bios, I didn't try it out
[01:28] HP/Compaq ships nice management interface though...
[01:28] okay, I guess we all should think a little about the network stuff, and maybe we can talk again tomorrow ...
[01:28] ehm - supermicro serverboards, not servermicro
[01:28] eyck: realweasel, an add-on card
[01:28] Bertl: I agree with b) and c)
[01:28] JonB: not available around here :(
[01:29] it's easier to buy SGI server with proper serial than to buy such addon card;)
[01:30] eyck: the point is: normal ping doesn't work without CAP_NET_RAW - customers complain "you give me a root server and even ping doesn't work? what a crap!" - there has to be a better solution, whatever it is!
[01:30] found it
[01:30] http://www.realweasel.com/pcivga.html
[01:30] eyck: no addon card, motherboard!
[01:30] pazzo: supermicro? hp/compaq doesn't sell those ;)
[01:31] eyck: http://www.supermicro.com/PRODUCT/MotherBoards/875/P4SCE.htm
[01:31] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) joined #vserver.
[01:31] evening all
[01:31] hi jes!
[01:31] heya Bertl
[01:32] hmm, where can I find the docs about those new caps? wiki?
[01:32] eyck: use the source ...
[01:32] quick question...I've just managed to hide /proc/stat on my host by using setattr....doh!
[01:32] how can I get it back?
[01:32] eyck: These are the last server motherboards I bought some months ago - and the serial stuff should work, but as said before I still have to try it out
[01:32] eyck: it's currently very experimental, and the caps are not fixed yet
[01:33] jes_: completely, even for xid=1
[01:33] ?
[01:33] yes Bertl
[01:33] I did a "setattr --hide /proc/stat"
[01:33] and now its gone ;)
[01:33] that means reboot ...
[01:33] lol damn
[01:34] well, it might be that unmounting it completely, from all mount points would help too
[01:34] but that is basically not an option, as the host /proc will not want to unmount ...
[01:34] bengrimm (~ben@bengrimm-host225.dsl.visi.com) left irc: Read error: Connection reset by peer
[01:35] *nods*
[01:36] I wonder how I managed to hide it
[01:36] ok, I'll leave - have a good night!
[01:37] because I hide /proc/cpuinfo and that worked fine
[01:37] goodnight pazzo
[01:37] goodnight jes!
[01:37] bertl, eyck, JonB - cu!
[01:38] night!
[01:38] pazzo (~pazzo@host130-250.pool8172.interbusiness.it) left irc: Quit: there are only 10 kind of people on this world - those who understand binary and those who don't :o)
[01:40] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[01:41] damjan (~damjan@217.16.68.253) joined #vserver.
[01:41] cu
[01:41] mcp (~hightower@wolk-project.de) left irc: Ping timeout: 480 seconds
[01:49] ok, to hide it Bertl I do "setattr --hide /proc/stat" for example right?
[01:49] depends on the version ...
[01:49] alpha
[01:49] .29.196
[01:49] with 1.3.8/vs0.09.x you have to deactivate the admin and watch flag to make it disappear
[01:51] damjan (~damjan@217.16.68.253) left irc: Quit: Leaving
[01:51] mcp (~hightower@wolk-project.de) joined #vserver.
[01:52] so..."setattr --admin --watch --hide /proc/stat" ?
[01:52] on 1.3.7 this will make it disappear
[01:53] on 1.3.8 only for the vserver
[01:53] ahhhh
[01:54] the 'new' logic is explained on the wiki somewhere ...
[01:55] but I'm on alpha
[01:56] (kernel 2.6.3)
[01:56] is that 1.3.8 logic?
[01:57] again, depends on the version, latest 0.09.7/8 should have the new logic, not sure when it was introduced .. might be there since 0.09 ;)
[01:57] lol ok ty
[01:59] is there since 0.09 :)
[02:00] jes_: that man should know it, he wrote the wiki page ;)
[02:01] i actually tried it, i'm still on 0.09
[02:01] ;)
[02:02] ahhhh ty Doener
[02:06] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) left irc: Quit: Leaving
[02:07] Bertl: have you read http://www.isi.edu/~johnh/PAPERS/Heidemann91a.html ?
[02:07] hmm, not yet ...
[02:09] Method (Method@ip68-12-167-163.ok.ok.cox.net) joined #vserver.
[02:10] ok, so i made a chroot, the step by step guide says to check the config file but i have none
[02:10] i don't see docs on creating one either
[02:10] im currently building a BSD kernel with union mount support to play with it. its based off of the statcable filesystem paper.
[02:11] stackable i mean.
[02:11] 19:27 < Bertl> vserver TEST build -m skeleton --hostname TEST --netdev eth0
[02:11] --interface 192.168.0.1/24 --context 1001 --force -- -d gentoo
[02:11] ok
[02:12] Can not find vserver-setup
[02:12] have a chat with enrico (he should be around ensc) he probably knows the best way to do it ...
[02:14] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[02:14] Method: when do you see 'Can not find vserver-setup'?
[02:14] bengrimm (~ben@bengrimm-host225.dsl.visi.com) left irc: Read error: No route to host
[02:15] bengrimm_ (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[02:16] bengrimm_ (~ben@bengrimm-host225.dsl.visi.com) left #vserver.
[02:16] nm
[02:18] server gentoo-1 start
[02:18] Action: ensc is using binutils in the vserver scripts? ;)
[02:18] /usr/sbin/vserver: line 381: ip: command not found
[02:18] Method: you need iproute(2)
[02:18] Hmmm....just tried compiling http://www-user.tu-chemnitz.de/~ensc/util-vserver/alpha/util-vserver-0.29.197.tar.bz2 and get errors
[02:18] oh, ok
[02:18] Action: cdub tosses iproute2 at Method ;-)
[02:18] jes_: where?
[02:19] gcc -g -O2 -std=c99 -Wall -pedantic -W -o src/.libs/vunify src/vunify.o lib_internal/libinternal.a lib/.libs/libvserver.so -Wl,--rpath -Wl,/usr/local/lib
[02:19] lib_internal/libinternal.a(matchlist-initmanually.o)(.text+0x356): In function `getConfigfileList':
[02:19] lib_internal/matchlist-initmanually.c:133: undefined reference to `errno'
[02:19] lib_internal/libinternal.a(matchlist-initmanually.o)(.text+0x6f4): In function `EreadAll':
[02:19] ensc_wrappers/wrappers-io.hc:98: undefined reference to `errno'
[02:19] lib_internal/libinternal.a(unify-deunify.o)(.text+0x298): In function `WwriteAll':
[02:19] ensc_wrappers/wrappers-io.hc:33: undefined reference to `errno'
[02:19] lib_internal/libinternal.a(unify-deunify.o)(.text+0x2b3):ensc_wrappers/wrappers-io.hc:35: undefined reference to `errno'
[02:19] collect2: ld returned 1 exit status
[02:19] make[2]: *** [src/vunify] Error 1
[02:19] .29.196 compiles fine
[02:19] jes_: which compiler? with dietlibc?
[02:20] no, without dietlibc.....doesn't compile with diet on my box for some reason
[02:20] gcc 3.3.3
[02:22] strange... I verified it on debian-woody,sarge, fc1, fc1.90 and rawhide
[02:22] this is Mandrake x86-64
[02:23] hmm, did you try the mandrake src rpm yet?
[02:23] no
[02:24] http://www.13thfloor.at/vserver/d_release/v1.3.8/util-vserver-0.29.196-1mdk.src.rpm
[02:24] compiles here without any issues ...
[02:24] yeah 196 works fine Bertl, it was 197 I was trying
[02:24] jes_: made you a 'make clean' after your dietlibc experiments?
[02:24] sorry I wasn't clear
[02:24] just trying that now ensc ;)
[02:25] http://vserver.13thfloor.at/Experimental/util-vserver-0.29.197-1mdk.src.rpm
[02:26] gah....that was it ensc...doh!
[02:26] yeah compiles fine
[02:26] apologies ;)
[02:26] but 0.29.197 will not work with 0.09.8 it requires some syscall commands not done yet
[02:26] ahhh ok Bertl
[02:26] Is there some sort of "table" somewhere that says what tools work with which patches?
[02:27] not yet, but you can start one on the wiki ;)
[02:27] Bertl: the tools for the new syscalls are there, but they are not used
[02:27] lol...did I just shoot myself in the foot there?
[02:28] hrm
[02:28] what do you make of this
[02:28] gentoo-1 / # ls proc
[02:28] 1 22063 22078 mounts self
[02:28] gentoo-1 / # ps -ef
[02:28] Error: /proc must be mounted
[02:28] To mount /proc at boot you need an /etc/fstab line like:
[02:28] In the meantime, mount /proc /proc -t proc
[02:29] ensc: hmm, in my tests 0.29.197 fails with 0.09.8, where 0.29.196 works fine
[02:29] Bertl: which api version are you announcing there?
[02:29] the new one ;)
[02:30] chcontext is now a script which calls for chcontext-compat for <0x00010012 and is a noop (for now) else
[02:30] (so probably my fault ;)
[02:30] will be later a 'vcontext --create vflags ... vcaps ... vcontext --migrate' sequence
[02:31] Oual (~val@valzone.zbla.net) joined #vserver.
[02:31] hi
[02:31] Nick change: Oual -> Val_
[02:32] hi Val_ !
[02:32] Bertl : hi, 2.4.25 vs1.26 & 2.6.3 vs0.09.8 works fine on debian boxes
[02:32] Bertl : many thanks
[02:32] Method: you'll need to make proc entries visible to the vservers. http://www.linux-vserver.org/index.php?page=Proc-Security
[02:32] Bertl : you can add URL http://vallar.linuxfr.org/debian for all packages
[02:32] s/\'ll//
[02:33] Val_: please add a note/link to the wiki ...
[02:33] hu, i have to register myself
[02:33] ...ok i try
[02:33] Doener: which ones are relevant? why aren't there reasonable defaults?
[02:34] Bertl : in "Distribution specific stuff"
[02:35] I'd say under Important Links ...
[02:36] Method: i still haven't found the time to try out which ones are actually essential... for ps: stat, uptime, sys/, sys/kernel, sys/kernel/pid_max, meminfo ...
[02:36] a good concept is /proc/*info and /proc/stat*
[02:36] to find out what is needed i currently use: strace ps 2>&1 | grep proc ... maybe Bertl knows a better way :)
[02:36] but that is not all ...
[02:37] in 1.3.8 there is a 'trace' feature ...
[02:37] you can enable the trace flag, and then any access to that entry will be logged
[02:41] Bertl : done
[02:42] okay, thanks ...
[02:44] Bertl : I'll put a link to vserver on linuxfr.org main page
[02:44] monrad (~monrad@213083190235.sonofon.dk) left irc: Quit: Leaving
[02:45] great, thanks again!
[02:45] Bertl : perhaps a big news on it too
[03:20] Bertl : i submitted a news about vserver on linuxfr.org, now waiting for moderators :)
[03:20] great!
[03:21] you'll be a star in France ;-)
[03:34] bertl: thank you for making the new release
[03:35] huh? why's that paul?
[03:35] bertl: your effort is appreciated even if I'm still extremely annoyed over one little point
[03:35] bertl: because you've put the time into doing it
[03:35] bertl: and I know my post to the list isn't exactly positive
[03:37] hmm, well as I explained several times, I do not see any reason for changing the interface again ...
[03:40] paul (~irssi@195.202.59.90) left irc: Quit: leaving
[03:43] so, time to sleep :)
[03:44] Bertl : bye, i'll be back
[03:44] bye all
[03:44] Val_ (~val@valzone.zbla.net) left irc: Quit: zZz
[03:46] sladen: but your comment isn't that negative anyway ...
[03:46] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) left irc: Quit: Leaving
[03:48] Action: Doener decides to take a break and read up on that vshelper stuff...
[03:48] sladen: do you really think that it is that essential to have the syscall (or kernel function?) which calls the vshelper for a 'reboot' in one of the arguments?
[03:50] I cannot imagine any situation where a) an environmental variable wouldn't work, and b) I'd care which kernel function requests a reboot ...
[03:51] okay, anyway, time to go to bed ... have a nice one, everyone ...
[03:52] Nick change: Bertl -> Bertl_zZ
[03:56] Action: sladen thinks about wrapping umount reboot
[03:59] youam (~youam@ciara.youam.de) left irc: Ping timeout: 480 seconds
[04:01] youam (~youam@ciara.youam.de) joined #vserver.
[04:04] dilox (~dilox@host2-9.pool8249.interbusiness.it) left irc: Ping timeout: 499 seconds
[04:12] hmmm...
[04:31] Bertl: "Yes. I believe that the syscall argument is crucial."
[04:32] Bertl: "Yes. I believe anything that is _crucial_ should be passed in argv[]."
[04:34] sladen: are those quotes from irc discussions?
[04:36] doener: they are statements that I have made just now. You are free to quote them if you wish.
[04:37] ah ok... just thought i could have missed something about the vshelper issue in my logs...
[04:54] doener: if you grep the last 3 months or so, you'll see several blocks
[04:54] yeah, just did that...
[05:01] basically it's 'just' about the syscall that invokes vshelper being handed over in argv[] or not... if vshelper just does rebooting (where vsreboot may be more appropriate) then that does not make much sense... if vshelper should do more than just rebooting then the syscall could be used to determine what action is to be taken, as said on the ml, two different syscalls may somehow handover poweroff or whatever as the action to vshelper...
[05:02] right?
[05:07] Nick change: cdub -> cgone
[05:08] what is the status of the 2.6 patches?
[05:09] i just started sshd in my vserver but it didn't work :\
[05:09] also, is the host system supposed to have eth0:1 with the vserver ip? because it doesn't?
[05:09] how do you bind ip's without using aliases?
[05:12] soor (as@pD951A5FE.dip.t-dialin.net) joined #vserver.
[05:13] Method: ip can bind multiple ip adresses without using aliases
[05:13] ip addr will show you the current bindings
[05:13] what is the advantage of that?
[05:14] and why did my host sshd respond on my guests ip?
[05:14] so i need to configure sshd to bind to specific ports?
[05:14] soor_ (~as@p5080BA62.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[05:14] probably your host sshd is listening on 0.0.0.0
[05:14] sorry, addresses
[05:14] grr, that is inconvenient because my host is dhcp
[05:15] is there a solution to this?
[05:17] and also, how can a non-root user get console access to a vserver?
[05:17] hmm... there used to be a tool called vsyswrapper that binds a process to the first ip available... but alpha tools don't seem to have it...
[05:18] hmm... as non-root you can't enter a vserver from the host (except ssh)
[05:18] hrm.. that seems like a bad limitation
[05:19] what if you are developing on vservers
[05:19] on solaris zones you can enter any zone, you have to login though, that seems appropriate
[05:21] method: i have a shell replacement that enters normal users into vservers
[05:22] ie. you have something like this: athomas:x:1000:1000:athomas@vs0:/:/bin/vslogin
[05:27] a setuid root script should also do the trick... content is basically: vserver "$1" suexec "$USER" bash ... assuming the username is the same on the host and the vserver... dunno how secure this is...
[05:28] http://swapoff.org/LinuxVServer
[05:28] scripts can not be setuid
[05:28] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) joined #vserver.
[05:28] oh...
[05:28] but as you say, a small c wrapper would do the trick
[05:30] hi
[05:30] how are you
[05:30] hello ninja
[05:30] good
[05:30] hi NINJA
[05:31] if just i could get rid of that flu...
[05:32] where do you come from?
[05:32] germany... has been pretty cold here the last few days...
[05:50] _shur1 (~shushushu@3ffe:bc0:1cf:1:2:3:4:9) joined #vserver.
[05:50] _shur1 (~shushushu@3ffe:bc0:1cf:1:2:3:4:9) got netsplit.
[05:55] _shur1 (~shushushu@3ffe:bc0:1cf:1:2:3:4:9) returned to #vserver.
[05:55] Topic changed on #vserver by NINJA!~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr: C*TurkyeC*
[05:56] Last message repeated 1 time(s).
[05:56] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) left #vserver.
[05:56] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) joined #vserver.
[05:56] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) left #vserver ([ BLuEYeS ScRipTv4.o XP http://bluteam.sitemynet.com ]New).
[05:56] err
[05:56] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) joined #vserver.
[05:56] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) left #vserver ([ BLuEYeS ScRipTv4.o XP http://bluteam.sitemynet.com ]New).
[05:56] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) joined #vserver.
[05:57] Topic changed on #vserver by netrose!john877@SP2-24.207.231.2.charter-stl.com: 'http://linux-vserver.org/ || latest stable 1.26, devel 1.3.7, exp 0.09.8 '
[05:59] netrose: the announcement that was just sent out
[05:59] the next stable will be 1.40?
[05:59] Topic changed on #vserver by Doener!~doener@pD9588E0E.dip.t-dialin.net: 'http://linux-vserver.org/ || latest stable 1.26, devel 1.3.8, exp 0.09.8 '
[06:01] Yes, I only changed it to the original one since NINJA changed it to C*TurkyeC*
[06:01] Sorry for the mixup, I didn't see the announcement.
[06:02] youam (~youam@ciara.youam.de) got netsplit.
[06:03] that guy was almost as funny as that wiki hacker...
[06:03] youam (~youam@ciara.youam.de) returned to #vserver.
[06:03] Topic changed on #vserver by !unununium.oftc.net: 'http://linux-vserver.org/ || latest stable 1.26, devel 1.3.7, exp 0.09.8 '
[06:04] oh yes, I was just asking because I didn't understand
[06:04] hehe, seems oftc does not like the latest devel. :)
[06:08] NINJA (~NucIaIh7@dsl81-215-32007.adsl.ttnet.net.tr) left irc: Quit: [ BLuEYeS ScRipTv4.o XP http://bluteam.sitemynet.com ]New - Farklı Kaliteli !
[06:08] mmm, that is beautiful and colourful
[06:08] yeah, looks like a clown vomited
[06:09] hehehe
[06:09] true
[06:10] maharaja (maja@ipax.tk) left irc: Quit: changing servers
[06:12] maharaja (maja@ipax.tk) joined #vserver.
[06:28] maharaja (maja@ipax.tk) left irc: Quit: changing servers
[06:28] maharaja (maja@ipax.tk) joined #vserver.
[07:11] why does this happen?
[07:11] localhost gentoo-1 # vserver gentoo-1 start
[07:11] capchroot version 0.28.195
[07:11] capchroot --nochroot directory [ --suid user ] command argument
[07:11] --nochroot remove the CAP_SYS_CHROOT capability
[07:11] after the chroot system call.
[07:11] --suid switch to a different user (in the vserver context)
[07:11] before executing the command
[07:32] Method (Method@ip68-12-167-163.ok.ok.cox.net) left irc: Read error: Connection reset by peer
[09:35] Moebius (~Moebius@adsl-220-150-220.gnv.bellsouth.net) joined #vserver.
[11:14] pollar (bc3@dievai.net) joined #vserver.
[11:14] Moebius (~Moebius@adsl-220-150-220.gnv.bellsouth.net) left #vserver (Leaving).
[11:46] rs (rs@ice.aspic.com) joined #vserver.
[11:46] hello dudes
[11:59] is the console support in 2.6.3 broken?
[12:06] ydupont (~ydupont@lamier.cri.univ-nantes.fr) joined #vserver.
[12:06] maharaja: I don't think so, I'm using it right now :)
[12:07] hello everybody
[12:10] hi all, heh why vserver doesn't have an ipv6 support :) maybe there is some 'tricks' to make ipv6 working on vserver?
[12:10] Well, I think IPv6 support has to be written
[12:10] I'd like to see this one too, but haven't time (nor skills) to do this myself
[12:12] heh, i see... :)
[12:12] rs: damn, what am i doing wrong?
[12:12] grub is showing up, but my kernel messages won't [12:12] Booting 'linux-2.6.3-red-smp (Debian GNU/Linux)' [12:12] root (hd0,0) [12:12] Filesystem type is ext2fs, partition type 0x83 [12:12] kernel /vmlinuz-2.6.3-red-smp root=/dev/md0 rw [12:12] [Linux-bzImage, setup=0xa00, size=0x1609ad] [12:13] savedefault [12:13] boot [12:13] then the status in minicom is offline [12:13] maharaja: did you pass the console argument to your kernel ? [12:13] something like console=ttyS0 [12:13] oh [12:13] hehe [12:13] no [12:13] duh :) [12:13] :) [12:14] when i pass this parameter, is the output console only, or both, local and console? [12:15] if you want local and serial you should pass two parameters [12:15] and somehow, i fail to enter the bios because it won't catch my f2 [12:15] i now got: kernel /vmlinuz-2.6.3-red-smp console=ttyS0 root=/dev/md0 rw [12:15] like console=ttyS0 console=tty0 [12:16] but the messages do not show up [12:16] maybe wrong com port.. *think* [12:16] anyways, gotta go right now [12:17] any idea what's not working? [12:18] did you test your cable ? [12:18] grub is showing [12:18] the bios is showing [12:18] ok [12:18] i can fiddle around with grub [12:18] :) [12:19] anybody using experimental (2.6 version here ?) [12:19] not me [12:20] maharaja: my grub config looks like this: kernel /vmlinuz root=/dev/sda1 console=ttyS0 console=tty0 [12:20] mhm [12:20] ydupont: yes I am [12:20] the arrangement should not matter, should it? [12:20] (of the parameter) [12:20] hmm I'm not sure [12:21] well, ill try your line [12:21] (damn, im late for work) [12:22] maybe my config options are wrong?
[12:22] CONFIG_VT=y [12:22] CONFIG_VT_CONSOLE=y [12:22] CONFIG_HW_CONSOLE=y [12:22] CONFIG_SERIAL_8250_CONSOLE=y [12:22] CONFIG_SERIAL_CORE_CONSOLE=y [12:22] CONFIG_VGA_CONSOLE=y [12:22] CONFIG_DUMMY_CONSOLE=y [12:23] CONFIG_SERIAL_8250=y [12:23] it should be ok [12:24] CTRL-A Z for help |115200 8N1 | NOR | Minicom 2.1 | VT102 | Offline [12:24] damn thing :) [12:24] rs: Well, I have a ton of already working vservers [12:24] rs: and like to migrate one or two on an experimental kerenl + utils [12:25] maharaja: hehe you should be in 9600 [12:25] mhm [12:25] why? [12:25] rs: But the won't start ; Is there something special to do ? Rewrite the /etc/vservers/*.conf, for example ? [12:25] the kernel is set up in 9600 by default [12:25] k [12:25] ill search how to change then :D [12:25] 9600 is far too slow [12:26] I think it's in the console parameter [12:27] something like console=ttyS0,115200,8N1 but I'm not sure [12:28] ydupont: I don't know, I am a new vserver user, so I didn't used old version [12:30] french news about vserver: http://linuxfr.org/2004/03/02/15597.html :) [12:30] rs: ok... anyway it's working ?? [12:30] ydupont: yes it is [12:31] rs: you're on redhat ?? [12:31] no under debian [12:31] rs: oh, like me ... [12:31] you have to use the util-vserver package and not the vserver package BTW [12:32] rs: when I start a vserver i have : testsinfo2004:/etc/vservers# /usr/local/opt/VSERVER/sbin/vserver-stat [12:32] open("/proc/uptime"): No such file or directory [12:32] rs: yes. I tried the alpha branch wich is mandatory i think [12:33] rs: you did use some tools to create a new vserver, that is, vserer-copy for example ? [12:33] ydupont: have you done the vproc command trick ? 
[12:33] rs: no :) [12:34] ok i think that it's your pb :) [12:34] rs: well, I'm used to vservers, and thoses versions seems quite different [12:34] rs: I'll have to dig the docs [12:34] search 'vproc site:linux-vserver.org' on google [12:35] ok, soi you need the vproc tool [12:35] which wasn't the case before [12:35] yep or the setattr command supplied by the util-vserver package (i think) [12:36] yep before the whole proc was shown into vservers [12:37] rs: yes . It was not a problem for me as there is no real user on my vservers [12:37] rs: anywhay, vproc IS a good thing [12:37] :) [12:38] rs: hum... anyway doesn-t seems to work [12:39] rs: ./vproc -e [12:39] /usr/local/opt/VSERVER/sbin/vserver-stat [12:39] open("/proc/uptime"): No such file or directory [12:39] I don't think tha vproc -e do what you want [12:40] rs: for the moment I just want to "emulate" old behaviour [12:41] so apply the -e on all files in you proc directory [12:45] rs: uhhh ok :-) [12:45] rs: seems better now [12:49] rs: ok, i'm not hit by the infamous Can not find vserver-setup but saw messages about it on the vserver list [12:49] rs: i'm now hit... sorry for the typo... [13:14] stubbsd (~stubbsd@217.206.216.194) joined #vserver. [13:22] rs: well. Seems to work well with 0.28, but not with 0.29.xxx [13:39] rs: are you using 0.29 or 0.28 tools ? [14:14] Nick change: Bertl_zZ -> Bertl [14:15] Topic changed on #vserver by Bertl!~herbert@MAIL.13thfloor.at: 'http://linux-vserver.org/ || latest stable 1.26, devel 1.3.8, exp 0.09.8 [14:15] Action: Bertl sighs ... [14:26] tanjix (~tanjix@p5091FDB2.dip.t-dialin.net) joined #vserver. [14:26] hi together [14:27] Bertl: that was not a forkbomb [14:30] i've a strange problem: once a day my debian vserver host server seems to crash.. ping replies are there but the vservers dont work [14:37] eyck: oaky, what is it then? [14:38] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) joined #vserver. [14:38] morning all [14:38] hi jes_! [14:39] hi tanjix! 
[14:39] hiya Bertl [14:39] tanjix: hmm, what version/machine/hw? [14:40] quick question Bertl, there's no way to control quotas with alpha at the moment is there? [14:40] jes, once again, 2.6 isn't called alpha ;) and yes there is, use a separate partiton ... [14:41] ahhh ok, sorry Bertl ;) [14:41] stable/devel/experimental [14:41] the tools have an alpha branch, that is correct ... [14:41] apologies [14:46] hmmm no sorry, I meant user and group quotas from within the vserver [14:46] yes, that is available if you put each vserver on a separate partition [14:46] I can't seem to mount the main partition with usrquota option [14:46] what is the 'main' partition? [14:47] well on the host, the vservers are at /usr/local/vservers [14:47] in the vserver it has /dev/hdv1 mounted as / [14:48] okay [14:48] so I tried modifying /etc/fstab within the vserver to include usrquota, but no dice [14:48] have I got the wrong end of the stick again? [14:48] that is correct, you add usrquote to the /etc/mtab of the vserver [14:49] /etc/fstab isn't ever looked at ... [14:49] ahhh ok [14:49] but as I said, you need a separate partition for each vserver [14:50] this will be solved with porting the quota patch to 2.6 but I guess this will take some time ... [14:50] ahhh ok [14:52] hmmm yeah, adding usrquota to mtab doesn't make it appear within the vserver either [14:52] ok ty Bertl [14:53] you add it to the mtab entry inside the vserver ... [14:53] I did [14:53] and what does mount show? 
[14:54] [root@shellprompt root]# mount [14:54] /dev/hdv1 on / type ext2 (defaults) [14:54] none on /proc type proc (defaults) [14:54] none on /tmp type tmpfs (size=16m,mode=1777) [14:54] none on /dev/pts type devpts (gid=5,mode=620) [14:55] [root@shellprompt root]# cat /etc/mtab [14:55] /dev/hdv1 / ext2 defaults 0 0 [14:55] none /proc proc defaults 0 0 [14:55] none /tmp tmpfs size=16m,mode=1777 0 0 [14:55] none /dev/pts devpts gid=5,mode=620 0 0 [14:55] and the entry in mtab seems to disappear when I restart the vserver [14:55] what tools do you use? [14:55] like its being overwritten somewhere [14:55] 0.29.196 [14:55] with private namespaces? [14:55] errr.... [14:55] ummm..... [14:55] pass [14:55] probably ... [14:55] lol [14:56] what does that mean? [14:56] that is something you should ask enrico ;) [14:56] lol...noted [14:56] basically it is an interesting issue, I didn't think of yet ... [14:56] but if you edit the /etc/mtab file to [14:57] /dev/hdv1 / ext2 defaults,usrquote,grpquota 0 0 [14:57] and make sure that /dev/hdv1 is the 'real' block device [14:57] (which is very insecure ;) [14:57] then quota should work inside the vserver [14:57] [root@shellprompt root]# ls -al /dev/hdv1 [14:57] -rw-r--r-- 1 root root 0 Feb 27 09:54 /dev/hdv1 [14:58] should that be a block device? [14:58] this is a file ... [14:58] yes, the blockdevice for that vserver partition [14:58] but as I said, very insecure ... [14:58] *nods* [14:58] ok...scrap that then...lol defeats the point of making it a vserver [14:59] it's just a could have lived without the per-vserver quotas for now, if I could have had per-user inside the vserver quotas (if that makes sense) [14:59] hmm, not really ... [14:59] s/just a could/just i could [15:00] but if you like to sponsor vserver-quota development ... I have no problem giving priority to that ... 
[15:01] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) left irc: Read error: Connection reset by peer [15:03] tanjix (~tanjix@p5091FDB2.dip.t-dialin.net) left irc: Ping timeout: 480 seconds [15:08] tanjix (~tanjix@p5091D659.dip.t-dialin.net) joined #vserver. [15:08] re [15:09] got disconnected [15:09] happens now and then ... [15:09] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) joined #vserver. [15:10] bah, damn pesky power cable [15:10] right next to my foot...thats just ASKING for trouble ;) [15:11] any ideas bertl ? [15:12] regarding your foot? [15:12] errr that was my foot Bertl...not tanjix's [15:12] bertl yes [15:12] oh :) [15:12] 12:41 < Bertl> tanjix: hmm, what version/machine/hw? [15:12] lol [15:13] jes_: just for the case you missed that: [15:13] 13:02 < Bertl> but if you like to sponsor vserver-quota development ... [15:13] (which I probably did) [15:13] I have [15:13] no problem giving priority to that ... [15:13] ;) [15:14] lol...any link on your site where it defines "sponsor" ? [15:15] hmm, not yet, but it is quite simple ... I have to earn my living (which isn't very expensive) so I can only dedicate a certain amount to vserver ... [15:15] of course [15:17] well if you stick up a paypal link or something, I'd be more than willing to donate...given how much use I'm getting out of it [15:17] http://www.13thfloor.at/vserver/donate/ [15:17] (done) [15:18] bertl it is debian 3.0, amd xp 2800+, 2gig ram and vserver v1.26 [15:18] tanjix: and the server stops working? [15:19] sometimes yes.. all ips (host and vservers still reply) but ssh does not work on vservers or when i enter "vserver-stat" in the host there is no reaction [15:20] also stopping vservers fails [15:20] done Bertl [15:20] like I said...not a huge amount, but every little helps ;) [15:20] (btw thats not for the quota stuff...thats just a general "I'm very impressed and thanks for all the hard work") [15:21] okay, thanks, any support is appreciated ... 
[15:22] no problem...you're providing a VERY good service ;) [15:23] tanjix: sounds like something is locking your system ... [15:23] did you have a look at the log files? [15:23] especially dmesg and kernel log? [15:24] mh i do not know what to look for there :( [15:24] jes_: thanks, I try ... unfortunately most people only take and do not give ... [15:24] tanjix: make it available somewhere ... (via web) [15:25] Bertl, do you have sort of figures as to how many people use vserver? [15:26] well, we have at least 150 subscribed to the ml, and I know of at least 12 companies using linux-vserver but I guess the inofficial numbers are higher [15:28] I'm guessing most of the companies using it are using it to webhost? [15:28] yeah, probably or to provide virtual servers they sell [15:29] Shame they're not donating more to you then....have you seen what people like cPanel and Plesk charge *just* for their web control panels for webhosting companies? [15:31] yeah, well, I'm not doing this to make money, so it's okay for me ... [15:31] *nods* [15:31] tanjix: what about the syslog? [15:35] hmm, besides, I wouldn't like vserver to turn into specialised 'webhosting solution'. [15:36] it's a general 'paradigm shift' solution ;) [15:37] Bertl how about ipv6, will it be supported in near future? :) [sorry my english sucks] [15:38] hmm, same comment ... if you want to sponsor ipv6 development, no problemo ... [15:39] heh, so no donations - no ipv6 and etc? :) [15:40] nope, that's not what I meant ... [15:40] no donations == other stuff gets priority [15:40] exactly ... [15:40] currently it seems important to me to get a final 1.4 and a basic 2.6.x version [15:41] hopefully other developer will join and start developing stuff ... [15:42] ipv6 will require that I read up a big deal on this stuff ... so it is far down on my todo list ... [15:42] heh, clear :) [15:42] is anyone really using ipv6 at the moment anyway? [15:42] yes. [15:43] what for? 
[15:43] I'm too concerned by the lack of IPv6 in vserver [15:43] but most of them I've read about, have been test projects, and they still allow routing over ipv4 [15:43] for the same services that IPv4 [15:43] hmm, like email? [15:44] We have here (Renater, france) native IPv6 transport [15:44] I trid last summer but didn't have time to do it [15:44] ydupont: hmm, I thought crypto is banned in france? [15:44] ipv6 has nothing to do with crypto [15:44] oh yes it does... [15:44] in fact, it has but you're not have to use ipsec [15:45] and crypto is not banned in france [15:45] well... the whole point of ipv6 was to use crypto [15:45] no. [15:45] yes. [15:45] if you want crypto you can uses ipsec with ipv4 too [15:45] ipsec is ipv6 technology [15:45] or ssh tunnelling [15:45] the wole point is to have just a better and cleaner protocol [15:46] and more adresses too [15:46] exactly. WITH crypto and authentication built-in [15:46] I thought the point was to extend the addresses range of IP [15:46] that WAS the main motivation [15:46] and to not uses NAT, for example [15:46] and to simplify routing tables [15:46] etc, ect [15:47] since when do france allow crypto? [15:47] Since some years now [15:47] oh, I must've missed something [15:48] there are lot's of adverts around here for Solaris sysadmins in france.. I used to avoid those due to this crypto mess [15:48] loads of countries allow cryptop eyck, it's just the US is a bit harsh on allowing it to be exported [15:48] s/cryptop/crypto [15:49] jes: it's been allowed since the bernstein case, you just need to notify the gov. when you export something. [15:49] jes_: hmm, have you read the memo? France banned crypto... for example microsoft had to create special france-tailored products with '0-length crypto keys' [15:49] So, actually no one is active on IPv6 developpement ? 
[15:49] lol@0-length keys [15:49] I can try to put student here [15:50] But it will be hard to find someone with the skill needed [15:50] jes_: seriously. I had disks with such software in my very hands. [15:51] eyck, still nice to see a good work-around from Microsoft ;) [15:51] ydupont: hmm, one can acquire skills... that's what studying is all about ;) [15:54] if you want to know the exact status : http://www.ssi.gouv.fr/fr/reglementation/regl_crypto.html [15:55] (sorry, it's in french) [15:55] the point is : if you use > 128 bit key you need a declaration [15:56] eyck: yes , but often the delay is short [16:01] if I understand correctly they can easily brake 128 bit crypto? no matter what algorithms? They can brake elliptic-curves based crypto? [16:01] man gov't agencies are good... [16:02] what is 'fourniture' ? [16:03] hmm... so, if using >128b crypto is banned... and I came with laptop containing 2kbit key-encrypted files do they arrest me? [16:04] yeah, unless you 15/16 of your key ;) [16:04] you+ give them .. [16:05] that's sick. [16:05] fourniture : how translate that (my english is bad, sorry) the fact to give - fournish ? [16:06] Bertl: do you need strictly alpha branch util-vserver for 2.6 ? [16:06] nope [16:06] it starts working with vserver-0.24 [16:06] but for newer feature, you need newer tools ... [16:06] furnish ydupont? [16:06] Bertl: OK. I have it corrcetly with 0.28 but don't with 0.29 [16:07] vserver-0.29 is broken ... [16:07] jes_ : probably, yes :) [16:07] Bertl: ok. So I don't take risks with 0.28 ? It seems to works ok [16:07] 0.28 is insecure ... [16:08] check your caps inside a vserver with vserver-0.28 [16:08] Bertl : just for 2.6 or also for 2.4 ? [16:08] for all ... [16:08] Bertl: So the right answer is ??? 
[16:09] well, I'd suggest to use the stable util-vserver tools [16:09] (for stable vserver setups, current version is 0.29) [16:12] Bertl: Ooooops sorry, that's what I use, really ;-) 0.29, not 0.28 [16:12] Bertl: Now wearing a brown bag... [16:13] hmm, okay, for a start, let's see what the testme.sh says ;) [16:13] http://vserver.13thfloor.at/Stuff/testme.sh [16:17] Mcleod[Zzz] (~altec@202.9.60.199) joined #vserver. [16:17] Mcleod (~altec@202.9.60.199) left irc: Read error: Connection reset by peer [16:19] testsinfo2004:~# sh testme.sh [16:19] Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl [16:19] chcontext is working. [16:19] chbind is working. [16:19] Linux 2.6.3 i686/0.29/0.29 [J] [16:19] --- [16:19] [001]# succeeded. [16:19] [011]# succeeded. [16:19] [031]# succeeded. [16:19] [101]# succeeded. [16:19] [102]# succeeded. [16:20] [201]# succeeded. [16:20] [202]# succeeded. [16:20] okay, looks good, is this the 'default' vserver-0.29 or the patched version? [16:20] default [16:21] okay, at least static contexts don't work, other things might be broken too (don't know exactly) [16:21] I've pût an "OLD" 2.4 vserver on this, seems to be working ok [16:21] try specifying S_CONTEXT=1000 in the config file ... [16:22] i'll do now, but is there a benefit to use static context ? [16:22] it is required for any file tagging ... [16:23] ok. for quta, for examples ?. [16:23] -> vserver started with context 1000. and then ? [16:23] it did? [16:23] yes [16:24] hmm, interesting, you seem to have a special version ... [16:24] ?? [16:24] kernel 2.6.3 + patchs [16:24] pristine 0.29 [16:24] all compiled by myself [16:24] http://www.13thfloor.at/vserver/s_release/v1.22/patch-vserver-0.29-fix01.diff [16:25] 
@@ -69,5 +69,6 @@ else [16:25] printvar S_CAPS $S_CAPS [16:25] printvar S_NICE $S_NICE [16:25] printvar S_FLAGS $S_FLAGS [16:25] +printvar S_CONTEXT $S_CONTEXT [16:25] fi [16:25] printconf does not contain the S_CONTEXT info ... [16:27] Val (~val@valzone.zbla.net) joined #vserver. [16:27] hi [16:27] hi val! [16:27] hi Bertl :) [16:27] Bertl : take a look at http://linuxfr.org ;-) [16:27] the first news [16:28] hey great! what does it say? [16:28] Code : Linux VServer, pour ceux qui ne connaissent pas... [16:29] Bertl : it present Linux-VServer project, say that linuxfr team use it and is happy with and give thanks to a man called Herbert ;-) [16:29] after much careful consideration, i have concluded that libxml is fucked! [16:30] Val: ah okay, thanks for the efficient translation ;) [16:30] lol is that a technical term kestrel? [16:30] Bertl : it's an interesting news because there's already 49 comments on it [16:30] yep :) [16:30] Val: and what do they comment on? [16:30] UML vs Vserver or so it seems [16:31] the documentation is pathetic, and just plain wrong in several places [16:31] dipshits [16:31] Action: kestrel arrghs [16:31] Bertl : that it rulez, and some person talk about UML (pouah) [16:32] Bertl: This patch is for util-verser ? [16:32] no, for vserver-0.29 [16:33] Bertl : I'll add a "powered by Linux-VServer" on the bottom of the main page too [16:33] cool, so now we expect hords of french programmers implementing ipv6 support and stuff? ;) [16:33] I hope so ... [16:33] eyck : yeah, i want it :) [16:33] ooops.. I **HAVE** util-vserver [16:33] eyck : but if we've got some good hackers :-/ [16:34] Val: hmm, then you probably installed both [16:34] which explains why it is actually working ;) [16:34] util-vserver-0.29 is okay ... 
[16:34] arf :) [16:34] yes i tested debian unstable package [16:34] many new tools [16:34] side note : maybe two **MORE differents** names could be a good idea [16:35] i'll test them [16:35] vserver vs util-vserer, with the sames release numbers is quite confusing [16:35] lol, so I'm not the only one? [16:35] ok. [16:35] well, I suggested cahnging the numbering to 1.x [16:35] so util-vserver 0.29 is ok [16:35] could be a good idea [16:35] but enrico said, he doesn't feel like 1.0 yet ;) [16:35] but dependencies replace old vserver with util-vserver in debian so no problemo [16:36] but I do not promote the vserver (not util-vserver) tools anymore, as they are not maintained ... [16:37] so dependencies are good :) [16:37] debian IS good ;-) [16:37] we where hoping that both tool branches will merge at some point, but jack has disappeared again ... [16:37] ydupont : sure ! :) [16:37] ...let's go back to work [16:37] bye all, i'll be back ;-) [16:37] have a nice day [16:37] cya [16:37] u2 [16:38] Val (~val@valzone.zbla.net) left irc: Quit: work work work [16:38] Bertl: If you want some more tests ... [16:38] Bertl: I'll try to port some Busy vservers on 2.6, to sse how it works [16:39] Bertl: And, once again i'll try to see how we can do to have IPv6 on 2.6 [16:39] sure, I'd appreciate it, but you should know 2.6 version is not considered stable ... [16:39] yes sure [16:39] don't worry. It's not production servers [16:40] but if you are brave, you can tune the scheduler ... [16:40] 0.09.8 has TB-sched support ;) [16:40] But as I have lots of migration to plan in the next months, I have to know the status [16:40] TB-sched ? that is ? [16:41] do you remember the Token Bucket scheduler modifications Sam Vilain did some time ago? [16:41] no, sorry :-( [16:42] oaky, basically it's a tunable scheduler ... (kind of cpu bandwidth manager) [16:42] ok. [16:42] this is interesting [16:43] Matt tested this some time ago, and he was very happy about it ... 
[16:43] I can if yopu want [16:43] I have a mchine just for that :) [16:43] if you want to test this, sure ... [16:43] yes. I imagine I have to simulate a load somewhere, right ? (on One vserver ?) [16:44] it should handle a fork bomb if set up properly, without the need to limit it ... [16:44] but you need to activate and configure it ... [16:44] well, at least activation is required ... [16:45] uhuh. This could have been of usage when an old amavis-ng has forked like mad :) [16:45] load > 200 ... etc etc [16:54] Nick change: Mcleod[Zzz] -> Mcleod [16:56] linuslove (ph0@host200-189.pool8021.interbusiness.it) joined #vserver. [16:56] bengrimm_ (~ben@bengrimm-host225.dsl.visi.com) joined #vserver. [16:56] Nick change: bengrimm_ -> ben [17:01] linuslove (ph0@host200-189.pool8021.interbusiness.it) left irc: Quit: Mirc 6.12 su http://www.io2page.it/ [17:06] hmm, there's an info about 'Zones' in new Solaris: http://groups.google.com/groups?selm=c1j796%2424c%241%40news1nwk.SFbay.Sun.COM&oe=UTF-8&output=gplain [17:07] yes, I read a little about the 'new' features ... [17:07] well... those are 'new' in both linux and solaris [17:08] we must be carefull not to make mainframe people laugh too much ;) [17:08] hmm, we didn't find too much difference to vserver ... [17:08] (beside the fact, that vserver disk quota and limits are not supported ...) [17:09] but of course it will contain some parts which are better either by design or by implementation ... [17:09] hmm, what does inherit-pkg-dir do? [17:10] something like mount-binding stuff ? [17:10] very likely ... [17:11] hmm, those zoneadm and zonecfg tools seem nice. [17:11] it is based on a 'management daemon' ... [17:11] tom9 (~tom@pc-3741.ethz.ch) left irc: Quit: Client exiting [17:12] wouldn't it be nice to re-create them? We would thus provide nice 'upgrade' path for solaris users ;) [17:12] no problem with that, do you need any help? ;) [17:13] hmm, well.. 
an hour or two of free would be nice;) [17:17] hmmm seems quite nifty (that solaris thing), wonder if it'll run on my IPC ;) [17:17] IPC? [17:18] Intel PC? [17:19] Sun Sparc IPC [17:19] 25Mhz pc, 24Mb of ram [17:19] ;) [17:20] ah, sure it will ... [17:20] lol [17:20] you jsut have a smaller number of features ;) [17:20] lol like the ability to login within 8 hours ;) [17:20] login? who said anything about login? [17:20] lol true [17:23] eyck: while you read up on zones and zone administration, please use the opportunity to compare it to vserver and report all the missing (or nice to have) features on the ml ... [17:23] sure, [17:28] serving (~serving@213.186.190.121) left irc: Read error: Connection reset by peer [17:31] frist thing I already mentioned - inheritpkg - this would be linux equivalent of mount -o bind,ro /opt /vserver/test/opt ... [17:31] this currently doesen't work :( [17:31] hmm, it does ... [17:32] not on my system. [17:32] http://www.13thfloor.at/patches/ [17:32] hmm, under what conditions it works? [17:32] aaah... [17:33] I also have an updated version ... [17:33] this adds noatime and nodiratime ;) [17:33] very very cool. [17:33] hmm, why isn't it in mainline? [17:34] well about a year ago, I tried for some time to get it in .. no luck, bnobody needs this ;) [17:34] http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc1-bme0.04pre1.diff [17:34] (this is the updated version) [17:34] thanks. [17:34] and for vserver [17:34] http://vserver.13thfloor.at/Experimental/patch-2.4.25-rc3-vs1.26-bme0.04.diff [17:35] you're welcome ... [17:37] There's an even better doc on the zones thing at - http://www.sun.com/bigadmin/content/zones/sys-admin-rm.pdf [17:37] jes_: well.. what do you mean by 'even better'? The one you mention is THE doc on zones ;) [17:39] lol sorry, I meant a bit better (i.e. 
more detail) than the usenet posting [17:42] Heey, they describe my setup as 'best practices' for zones ;) [17:44] hmm, that probably means that I'm not very creative :( [17:47] lol [17:49] hmmm I'm on page 85 of that doc, and I'm pretty much lost (no change there then!) [17:50] start at 165 [17:51] so is their concept of "project" similar to vservers "context" ? [17:51] and their docs are pretty clear... especially compared to what vserver has to offer ;) [17:51] lol yes eyck, but we have Bertl here to poke with a stick when we need help ;) [17:52] well, they have whole bunch of engineers hanging around on forums [17:53] well I thought about spending a month or two on documentation .. what do you think? [17:53] NO! [17:53] you do the hard work... [17:53] maybe someone with writing skills will come around and help with documentation ;) [17:53] it's not that hard, it's soft-ware after all 8-) [17:53] Bertl...I would say that was a waste of a talented mind ;) [17:54] let me rephrase then: [17:54] 'you do the cool work...' [17:54] well, everytime somebody new comes here, the first thing I hear is "The documentation sucks!" [17:54] then I say, well go ahead, improve it ... [17:55] the answer is usually "sure I will, but first I need to understand that stuff ..." [17:55] Well (speaking as a newbie!) I don't think it's so much the documentation, as the fact that there's a lot to take in at first [17:55] now you all can see 'how' the quality of documentation increases ;) [17:57] sorry guys, I guess I'm in a bad mood today ... [17:58] no need to apologise Bertl, you're completely right [18:24] riel (~riel@riel.netop.oftc.net) joined #vserver. [18:24] hi rik! [18:27] tanjix (~tanjix@p5091D659.dip.t-dialin.net) left irc: [18:31] re [18:31] hi rs! [18:31] hello Bertl, how are you ? [18:32] I found paper about the Solaris vserver like feature [18:32] lol we were just discussing it rs [18:32] I'm in a bad mood ... 
[18:33] oups, I didn't read my backlog [18:33] sorry [18:33] Bertl...sue Sun ;) [18:34] so, what do you think about their tool interface ? [18:34] well, I have no problem with Sun ... it should be obvious that a company with 1000 and more people (who get paid for) can code up something ... [18:35] Action: riel just used his /. karma to get a link to linux-vserver.org high on the page [18:37] Bertl, vserver has a FAR wider audience than the Sun one ever will I think [18:38] I think too [18:38] now that companies are moving away from the "Must buy named hardware" mentality [18:39] Hi [18:39] hi Doener! [18:39] anyway, the sun implementation doesn't answer all our needs [18:40] but their tool "interface" look pretty to me :) [18:40] well for a small price you can get the sources, then you can enhance it ;) [18:41] maybe we should get ideas from them [18:41] Bertl: you're right [18:43] well I'm downloading it to have a look at it, I'll have it setup in a couple of days if you want to have a look at it "live" Bertl [18:44] as I said, I'm always interested in nice to ahve features and good ideas ... [18:51] harhar .. that is a good one : RFID Tags in New US Notes Explode When You Try to Microwave Them [18:52] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver. [18:52] Hi James! [18:55] I'm having a problem trying to use vserver over nfs, it keeps saying "Permission denied", abody managed it? [18:58] stubbsd: which version? [19:00] 1.2.6 I tryed the 1.3.7 but I keeped getting errors starting the vservers, [19:00] I have just notice that 1.3.8 is out :-) [19:00] what tools do you use? [19:01] 0.29.196 [19:01] and you have problems with 1.3.7? [19:02] tell me about them ... [19:02] I will have to kick the server over on the the kernel to get the out put but [19:03] it was something like invalided.... something but give me about 20 mins, I'll have to get it out of the rack. [19:03] hmm, in that case, try with 1.3.8 [19:03] will do. 
[19:03] thanks, [19:07] np [19:08] Bertl: hmm... on 0.09 exec login kicks me out of the vserver back to where i came from... my fault, i.e. broken server config? or maybe vserver related? [19:10] Renegade-2000 (~Renegade-@shuttle3.ee.ic.ac.uk) joined #vserver. [19:11] hmm, depends try with exec bash [19:11] works as expected... [19:11] so probably a login issue .. try with exec strace login [19:12] (something like console/tty can not be found/opened) [19:12] Renegade-2000 (~Renegade-@shuttle3.ee.ic.ac.uk) left irc: Client Quit [19:14] stat64("/dev/pts/2", 0xbfffd19c) = -1 ENOENT (No such file or directory) [19:14] rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0 [19:14] looks good, /dev/pts is mounted in the vserver? [19:15] no, wasn't mounted... works now... [19:16] that reminds me of the fact that proc also is not mounted by vserver xxx start... [19:16] hmm, strange ... should be ... [19:16] doener, I've had trouble with that with the new tools [19:17] hehe... stopping the vserver actually just killed the terminal on which i issued the stop... [19:17] but in my case it actually is mounted, but I can't see it from the main server [19:18] ben: you are using the private namespace ... [19:18] hi ben, btw! [19:18] must be, just defaults [19:18] and hi right back at ya! [19:19] i.e. I can see the mounts when I ssh into a vserver started with the new tools [19:19] but I can't see them when I do a vserver xxxx enter [19:19] which tools? [19:19] 0.29.197 [19:20] but I've had problems with all of the 0.29 series [19:20] I can use the 0.28.xxx no problem [19:20] okay, probably not using the namespace enter for now ... [19:20] ben: try 'vnamespace -e vserver xxxx enter' where is the xid of xxxx [19:21] ben: or do 'touch /etc/vservers/.defaults/nonamespace [19:21] ah hi enrico! [19:21] hi enrico! [19:21] trying... [19:22] without namespace works as expected [19:22] thanks! 
[19:23] ben: is mentioned at http://www.linux-vserver.org/index.php?page=alpha+util-vserver too ;) [19:23] (I wanted to make 'ATTENTION' red, but do not know how to make it in the Wiki ;)) [19:24] I think if I'd looked at that page recently I would have noticed it ;-) [19:26] what would be the issue with changing the enter and stop scripts to use namespaces? [19:27] serving (~serving@213.186.190.121) joined #vserver. [19:28] (if it's as simple as using the vnamespace command) [19:29] ben: this will require some (more or less) deeper changes in the scripts which I want to combine with the new context creating stuff [19:29] (see the 'vcontext' command) [19:29] which I still havent finished *sigh* [19:29] ahh [19:30] cool cool - well I'll test namespaces later ;-) [19:33] ensc: if you do not tell anyone, I can tell you how to make it red ;) [19:34] Bertl: do you allow direct html commands? [19:34] nope [19:35] how else? [19:35] and can I make blink it also? [19:36] and a cool background sound? [19:37] yeah, cool background song, in midi of course ... [19:38] bertl, but wouldn't anyone editing that page of the wiki be able to figure it out? :) [19:39] ahh, good that you remind me of that, have to put the wiki security in place first ;) [19:39] Bertl: btw, the 'vnamespace -c' command is very dangerously... [19:39] why is that so? [19:39] using vserver with 1.3.8 says the same Can't execute /sbin/rc (Permission denied) :-(. [19:40] stubbsd: okay, let's try something, what is the xid of your server? [19:41] Bertl: try it ;) [19:42] is that the context number, if so I haven't set it manualy. [19:42] I have set it to 30. [19:42] Bertl: perhaps 'vnamespace --enter' should fail when current namespace == requested namespace [19:42] why should it? [19:43] I mean the syscall will not fail if you do a transition to the same namespace ... [19:43] it will just not change anything ... 
[19:43] 'vnamespace --enter vnamespace -c' would have bad effects when 'xid' is running in host namespace [19:44] you mean the cleanup will cleanup everything, right? [19:44] stubbsd: okay, do chcontext --ctx 30 /bin/bash [19:44] then go to the vservers / dir [19:44] (maybe the other way round ;) [19:45] ensc: is that what you mean? [19:45] Bertl: yep; but going to vserver's / would not change anything... [19:45] yep, [19:45] e.g. when host has /usr mounted, this will be lost after vnamespace -c [19:45] yes, that was meant for stubbsd ;) [19:46] but enrico, we separated the syscall, so the enter doesn't do any cleanup, right? [19:47] you explicitly call the cleanup syscall command, so not doing this will prevent any bad stuff ... [19:48] Bertl: I have also changed rooted in to the vserver dir, while in ctx 30 and that worked too? [19:48] Bertl: yes, but I can not check if it would do harm. So adding a constraint that 'vnamespace -e' would *change* the namespace would make things much safer [19:48] you can get a return value telling you 'that' the namespace actually changed, would that help? [19:49] Bertl: there is no way to see whether 'vnamespace -c' will be called in host-namespace or ctx-namespac [19:49] e [19:49] Bertl: yep, such a return value would help [19:50] stubbsd: okay, now have a look at the /sbin/rc [19:50] is it visible?, is it executable? [19:50] [root$FE02]::/> ls -la /sbin/rc [19:50] -rwxr-xr-x 1 root root 16455 Feb 10 14:01 /sbin/rc [19:50] yep. [19:51] what does the shebang line contain? [19:51] #!/bin/bash [19:52] and this does exist and is executable too? [19:52] -rwxr-xr-x 1 root root 638336 Feb 10 14:00 /bin/bash [19:52] yep [19:52] okay, let's try to chroot to that vserver / [19:53] in fact, if I chcontext, then change root, the rc will work? [19:53] I have messed something up I think, just not sure what, [19:53] hmm, enrico, any ideas? [19:53] ensc: btw, consider the return value doen ...
[19:54] s/doen/done/ [19:57] is it tagged with an xid? [19:57] (it === /sbin/rc + /bin/bash + libraries) [19:57] sorry, tagged with xid not sure what you mean, sorry. [19:57] do you use the quota patches: (answer probably no) [19:57] no. [19:58] is it mounted noexec? [19:58] 10.1.0.55:/vservers on /vservers type nfs (rw,rsize=8192,wsize=8192,addr=10.1.0.55,addr=10.1.0.55) [19:58] no, [19:58] enrico, would it work in this case after the chcontext/chroot? [19:58] oooh... NFS... [19:59] no_root_squash enabled? [19:59] yep, [19:59] no, [20:00] /vservers 10.1.0.0/16(rw,no_root_squash,async) [20:00] is the exports entry for the vserver-IP too? [20:00] stubbsd: can you try nfs-over-tcp? [20:00] enrico, it is executing if he does it manually! [20:00] not sure how to, but I'm sure I can. [20:01] what is the difference between executing it manually and the failed execution? The chbind? [20:01] might be ... [20:02] okay stubbsd, try with chbind --ip 127.0.0.1 [20:02] ydupont (~ydupont@lamier.cri.univ-nantes.fr) left irc: Quit: Leaving [20:02] stubbsd: specify the 'tcp' flag when mounting /vservers [20:02] 127.0.0.1 does probably fail since 10.1.0.0/16 is allowed only [20:04] yep, it's the chbind, if I chbind to 10.1.0.119 it fails with Permission denied, [20:04] just going to add the tcp option to the exports, one min [20:05] stubbsd: not to /etc/exports but to fstab [20:05] just found that one out, :0) [20:05] sorry, [20:06] dudes, I would like to know if with the iunlink feature, I can expect that a library unified in several contexts will be loaded once in memory ? [20:06] libraries [20:08] question too on unification - just started playing with it a few minutes ago - getting link() operation not permitted on all files.... ideas? [20:09] which filesystem ? same partition ? tru NFS ? [20:09] thru [20:09] rs, same parition [20:09] or partition even [20:10] ext3 [20:10] works!!!!! thanks all, it was the tcp option..
[20:11] and while I knew it would work, I've already tried creating a hard link manually [20:14] so I'm stumped [20:14] stubbsd: hum?! [20:14] works....., thanks. [20:14] wait a minute ... you changed from udp to tcp, and that did it? [20:14] just had to add the tcp option to the nfs mount. [20:15] just worked then. [20:15] okay, this is what vserver version? [20:15] 1.3.8? [20:15] 1.3.8 [20:15] hum very interesting ... [20:17] ben: please explain it once again, I didn't get it ... [20:23] bertl, just started playing with unification a few minutes ago [20:23] okay ... so far so good ;) [20:24] and when I try to unify a server against a refserver it tries to work ;-) [20:24] linking every file it's supposed to, but returning an error on each: [20:24] link(): Operation not permitted [20:24] stubbsd (~stubbsd@217.206.216.194) left irc: Quit: Leaving [20:24] the servers are on the same mount [20:25] and I can use ln or link to create hard links between files in the two directories (which of course should work) [20:26] strace shows it going through the motions of doing it, but the link call returns the error [20:26] ben: what tells 'lsattr' about them? [20:26] (the source-file, and the destination directory) [20:27] that might be it [20:27] ex: [20:27] ------------- devweb01/sbin/ldconfig [20:27] ----i------t- refweb01/sbin/ldconfig [20:29] Nick change: cgone -> cdub [20:30] ben: and 'lsattr -d devweb01/sbin'? [20:30] all -'s [20:30] likewise for refweb01 [20:31] you are running 'vunify' in host context? [20:31] vserver devweb01 unify [20:31] so yes [20:31] tried using vunify manually as well [20:32] devweb01 was created with 0.29.197 [20:32] refweb01 was created earlier with 0.28.199 [20:32] so that may explain the differences in attributes [20:33] Bertl: it was supposed that 'ln a b' works when 'a' has i+t ext2 flags, right? [20:33] (when called from host ctx) [20:33] yes, it should work ... [20:33] ben, what patch is this? 
(kernel) [20:34] 1.3.7 [20:34] would 1.3.8 work better? [20:34] sec, testing ... [20:35] or should I just remove the flags from the ref server? [20:35] ben: they will be set by 'vunify' [20:36] ahh [20:36] ben: 'ln refweb01/sbin/ldconfig{,_}' does not work, right? [20:36] right, just tried that and it does not work [20:36] hmm, interesting it fails ... [20:36] linking ordinary files would [20:36] work correctly [20:37] ... but is insecure [20:37] bertl, so I should upgrade to 1.3.8? [20:37] (if I want to be able to unify) [20:37] no, fails in 1.3.8 too, just verified ... [20:37] ah ok [20:38] works in 1.26 [20:38] but works with stable ... [20:38] ;) [20:38] hehe [20:38] it's a bug! [20:38] well i have no real need to unify, but thought it would be interesting to test [20:39] I'd suggest using solaris in the meantime ... (will be fixed today ;) [20:40] solaris has it easy... they do not need to run debian, slackware and gentoo vservers on their Fedora Core machines... [20:40] they use fedora? [20:40] they can just 'mount --bind' the directories [20:41] dunno ;) [20:41] right --bind,ro doesn't work in linux, well who needs that anyway ;) [20:41] Doener_zZz (~doener@pD9E120C3.dip.t-dialin.net) joined #vserver. [20:42] Nick change: Doener_zZz -> Doener_ [20:42] paul (~irssi@muedsli-wan118.citykom.de) joined #vserver. [20:42] hey power joining! [20:43] ensc: what about the
From: "Schlomo Schapiro" [20:43] I played around a little more and found out that it seems to be the util-vserver [20:43] +package that is guilty. [20:43] hi [20:44] hi paul! [20:45] difficult to read... tofu, no references, long lines... [20:46] ben: could you add a line to the kernel and recompile? [20:49] Doener (~doener@pD9588E0E.dip.t-dialin.net) left irc: Ping timeout: 480 seconds [20:55] ensc: have you heard anything from the linuxtag people? [20:55] _shur1 (~shushushu@3ffe:bc0:1cf:1:2:3:4:9) left irc: Read error: Connection reset by peer [20:55] _shur1 (~shushushu@vserver.electronicbox.net) joined #vserver. [20:56] Bertl: nope [20:59] argh! [21:00] it's not my day!!! definitely! [21:00] I'm going to bed now ... [21:00] ensc: it is working as expected, no bug in 1.3.x or 0.09.x ... [21:02] ben: you can test unification if you like to .. [21:04] ensc (~ircensc@ultra.csn.tu-chemnitz.de) left irc: Ping timeout: 480 seconds [21:05] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver. [21:08] Bertl: what do you mean with '[21:00] ensc: it is working as expected, no bug in 1.3.x or 0.09.x ...' [21:08] ? [21:09] well, that we are both old and senile ... [21:09] Usage: setattr [-Rx] [--[~]iunlink] [--[~]admin] [--[~]watch] [--[~]hide] [--[~]barrier] [--] + [21:09] +t is no more ... [21:10] Bertl: yes, I am setting the 'iunlink' flag which is probably mapped to 'it' on ext2 [21:10] 'it' means? [21:11] the 'i' and the 't' flag ;) [21:11] wrong! [21:11] i = immutable, and t = notail and iunlink = something different [21:12] (3 flags) [21:12] how else can I reach the 'host can link the file, but nobody else can modify it' semantics? [21:12] bertl, back now - what should I do? [21:12] I have [21:12] #define VC_IATTR_BARRIER 0x00010000 [21:12] #define VC_IATTR_IUNLINK 0x00020000 [21:12] only [21:12] ben: I repaired your kernel in the meantime ... [21:13] ben: it now works as expected ... [21:13] ensc, ben: you have to chattr +i and setattr --iunlink the file ...
[21:13] the +t flag isn't used in 1.3.x and 0.09.x [21:14] (because of the collision with notail) [21:15] bertl, chattr which file? source or dest? [21:15] ben, you do [21:15] touch /tmp/x [21:15] chattr +i /tmp/x [21:15] setattr --iunlink /tmp/x [21:15] (now it's iunlink + immutable) [21:16] ln /tmp/x /tmp/y [21:16] Bertl: this is a bad semantic... please add a flag for the iattr syscall so that it can be set at once [21:16] ensc: so we should silently modify the immutable? [21:17] bertl, so that will work once I update my kernel? [21:17] well, what kernel do you use? [21:18] 2.4.25-vs1.3.7 [21:18] that works with that kernel ... [21:18] hmm [21:18] doesn't seem to [21:18] try the sequence I posted [21:18] just tried it [21:18] ln: creating hard link `y' to `x': Operation not permitted [21:18] I do not need 4 states... so I have no problems when IUNLINK would modify 'i' too (or whatever is needed to make it unmodifiable) [21:19] ensc: wrong! [21:19] there are 4 states and all 4 make sense [21:19] 0 0 normal file [21:19] 0 1 immutable file [21:19] 1 0 append only file [21:19] 1 1 immutable unlink only [21:19] the 'i' alone has nothing to do with vserver and is a general setting [21:20] okay, that is why we do _not_ set it with the iunlink ;) [21:20] append only can be done with 't' and is not vserver related [21:20] no 't' doesn't exist anymore ... [21:21] which sense has 'append only' for vservers? [21:21] well Sam pointed out that this functionality is intentional and should not be removed .. so I did not remove it (actually I reenabled it, after the cleanup, which removed it) [21:22] then add a new IATTR flag which sets 'i' [21:22] but I have no problem to add a --immutable (for example) to the syscall [21:22] exactly [21:23] that was actually what I suggested last time we discussed this, but obviously I failed to make my point ...
[21:23] ok, I will add a '--iunlink-but-do-not-make-it-immutable' flag to setattr ;) [21:24] okay, so I add an --immutable flag to the syscall ... [21:24] bertl, ideas for why i can't link with +i turned on? [21:24] touch /tmp/x [21:24] chattr +i /tmp/x [21:24] setattr --iunlink /tmp/x [21:24] did you do all three steps? [21:25] yep, did all that [21:25] in this sequence? [21:25] ben: which kernel api do you have? [21:25] (vserver-info - SYSINFO) [21:25] okay, I'm leaving now, cu later or tomorrow ... [21:25] ps 1.3.8 + 0.29.196 does work (tested) [21:25] bertl - ok i may have to upgrade [21:26] 1.3.7 should work, has the same interface ... [21:26] Kernel: 2.4.25-vs1.3.7 [21:26] 0x00010011 is required [21:26] VS-API: 0x00010010 [21:26] util-vserver: 0.29.197; Mar 1 2004, 17:03:31 [21:26] (but not tested) [21:26] Nick change: Bertl -> Bertl_oO [21:26] else, the ext2 ioctls will be used [21:26] ensc, thanks - makes sense [21:26] just wasn't sure if I'd need the newer patch or not [21:33] Termin4t0r (Termin4t0r@pD904A83C.dip.t-dialin.net) joined #vserver. [21:33] hi [21:33] /usr/local/sbin/vserver: line 713: ulimit: max user processes: cannot modify limit: Invalid argument [21:33] what's going wrong :) [21:38] rs (rs@ice.aspic.com) left irc: Quit: home [22:00] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) left irc: Quit: Leaving [22:18] Termin4t0r: what patch/tools are you using? [22:25] Termin4t0r: probably you have -H on the ulimit line in the xxx.conf file... change that to -HS [22:41] Doener_: it is vs1.26 [22:42] ULIMIT="-H -u 256 -n 1024" [22:48] using -HS has solved that prob [22:49] but the next problem: [22:49] therrmann:/# updatedb [22:49] /usr/bin/find: /proc/1/fd: Permission denied [22:49] /usr/bin/find: /proc/2041/fd/4: No such file or directory [23:05] Last message repeated 2 time(s). [23:05] hmm... i wonder why updatedb is looking at proc... 
[23:10] could you try updatedb --prunefs='proc' [23:12] mcp (~hightower@wolk-project.de) left #vserver (just getting out of here ... ;-)). [23:14] therrmann:/# updatedb --prunefs='proc' [23:14] /usr/bin/find: /proc/1/fd: Permission denied [23:14] /usr/bin/find: /proc/6800/fd/4: No such file or directory [23:25] hmm... [23:26] what does mount say? [00:00] --- Wed Mar 3 2004