1102550994 N * Bertl_oO Bertl
1102551006 M * Bertl greetings folks!
1102551012 M * Loki|muh good morning *g*
1102551041 M * Bertl hey Loki|muh! everything fine?
1102551048 M * Loki|muh sure
1102551053 M * Loki|muh just set up another vserver
1102551058 M * Bertl good!
1102551128 M * Loki|muh yeah
1102551172 M * Loki|muh I thought about alpha-utils packages for ubuntu (debian-clone)
1102551177 M * Loki|muh are there some yet?
1102551194 M * Bertl not that I know of ...
1102551242 M * Loki|muh it's a bit annoying to install a complete develop environment to compile the utils on each server *g*
1102551390 M * Bertl yeah, I know, therefore I made the mandrake rpms ;)
1102551447 M * Loki|muh it is now the 5th vserver and i'm fed up with compiling everything manually *g*
1102551975 M * Bertl hey, sounds like major deployment!
1102551982 A * albeiro hibernates
1102552001 M * albeiro not to be confused with sleeping ;p
1102552008 M * Bertl okay ;)
1102552155 M * Loki|muh yeah, my boss is very glad about the vserver project :)
1102552733 M * Bertl excellent, that's the way it should be!
1102552948 M * matti :]
1102553803 M * lilo Bertl: I'm doing pretty well....keeping busy
1102553828 A * lilo measures the latencies in his conversation with Bertl using geological time indicators
1102553851 M * Bertl only fractions of a microsecond then ;)
1102553864 M * lilo whoops, another mountain ground down into dust 8)
1102553911 M * lilo Bertl: I'm hanging in there....no complaints
1102553951 A * lilo is just getting over a nasty cold
1102553971 M * Bertl did you start _using_ linux-vserver yet?
1102553981 M * Bertl or still just watching the game?
1102553999 M * lilo I'm currently still watching the game....I haven't been using much but gnucash lately 8)
1102554004 M * matti lilo: Thanks for help with "%" ban ;-)
1102554009 A * lilo spent a nice long time figuring out accounts for PDPC
1102554017 M * lilo matti: happy to assist
1102554022 M * matti lilo: :-]
1102554056 M * lilo I'm just now beginning to spend some time on things other than accounting
1102554069 M * lilo not as much as I'd like, but some 8)
1102554283 A * lilo goes off to read about linux-vserver
1102554360 M * matti lilo: :-)
1102555885 M * Bertl Doener: hmm, are you here?
1102555986 M * matti albeiro: I've some trouble with hardware for your RSBAC machine...
1102558216 Q * berni_ Remote host closed the connection
1102558708 J * berni ~berni@obelix.ipv6.birkenwald.de
1102558734 M * Bertl wb berni!
1102564094 J * no_maam ~erik@datenzone.de
1102564142 M * Bertl welcome no_maam!
1102564214 M * matti Huh.
1102564229 M * matti Torrent is a little bit crazy thing :]
1102564252 M * Bertl hmm?
1102564267 M * matti I've almost 3.55 MB/s UP ;)
1102564280 M * Doener Bertl: just got home
1102564296 M * Bertl hey Doener!
1102564316 M * matti But... 944 KB/s DN ;D
1102564320 M * matti Not bad...
1102564321 M * matti :>
1102564394 M * Bertl Doener: I got a confusing puzzle for you ...
1102564406 A * Doener loves puzzles :)
1102564487 M * Bertl http://vserver.13thfloor.at/Experimental/NGNET/delta-2.6.10-rc3-vs1.9.3.10-ng7-ng7.2.diff
1102564501 M * Bertl okay, I added an auto-removal of vnet devices
1102564538 M * Bertl vnet_destroy_dev() is supposed to remove a vnet device completely
1102564549 M * Bertl it basically does:
1102564556 M * Bertl unregister_netdevice(vndev);
1102564561 M * Bertl free_netdev(vndev);
1102564593 M * Bertl if you look at the unregister_netdevice() code you will see that this code checks if the if is up, and if so, it will take it down ...
1102564626 M * Bertl now if I test this in the following way:
1102564629 M * Bertl /tmp/vnet3_setup.sh
1102564641 M * Bertl # chcontext --ctx 100 killall sleep
1102564655 M * Bertl I get:
1102564656 M * Bertl unreaped device 83e5b800:lo [#100]
1102564656 M * Bertl unregister_netdevice: waiting for lo to become free. Usage count = 1
1102564672 M * Bertl (forever ...)
1102564682 M * Bertl if I do:
1102564689 M * Bertl /tmp/vnet3_setup.sh
1102564725 M * Bertl # chcontext --ctx 100 ifconfig lo down
1102564731 M * Bertl # chcontext --ctx 100 ifconfig en0 down
1102564741 M * Bertl # chcontext --ctx 100 killall sleep
1102564744 M * Bertl I get:
1102564748 M * Bertl unreaped device 83e6e800:lo [#100]
1102564748 M * Bertl unreaped device 83e6e400:en0 [#100]
1102564754 M * Bertl and everything is fine ;)
1102564838 M * Doener in the first case, you also get those messages for en0, right?
1102564853 M * Doener or is just lo failing?
1102564867 M * Bertl well, it 'hangs'
1102564878 M * Doener ah ok
1102564879 M * Bertl it basically locks the entire kernel ...
1102564894 M * Bertl in a look, stating the message every second or so
1102564901 M * Bertl s/look/loop/
1102564917 M * Bertl if I take the lo down, it hangs with the en0
1102564933 M * Doener thought it may at least do something worthwhile while waiting ;)
1102564977 M * Bertl nope, starting the kill in the background also hangs everything
1102565336 M * Doener can you still kill send sigs from ctx 0 to arbitrary processes?
1102565364 M * Bertl huh?
1102565396 M * Doener can you send a signal from context 0 to a process in context X!=0 ?
1102565413 M * Bertl hmm, probably not, but I didn't check ...
1102565445 M * Bertl yes, you can ...
1102565484 M * Doener ok, if you just "kill " instead of "chcontext --ctx killall", some result?
1102565488 M * Doener s/some/same/
1102565496 M * Bertl same result ...
1102565503 M * Bertl unregister_netdevice: waiting for lo to become free. Usage count = 1
1102565503 M * Bertl unregister_netdevice: waiting for lo to become free. Usage count = 1
1102565503 M * Bertl unregister_netdevice: waiting for lo to become free. Usage count = 1
1102565516 M * Doener ok, was a weird idea anyways...
1102567310 M * Bertl okay, enough for me, have to get up early ...
1102567318 M * Bertl have a good whatever everyone!
1102567321 M * Doener so you get up now? ;)
1102567328 M * Doener sweet dreams!
1102567341 M * Bertl well, in a few hours ...
1102567348 N * Bertl Bertl_zZ
1102574510 M * Eyck goodnight?
1102579043 J * jsambrook ~jsambrook@host-62-69-64-93.bsve.net
1102582828 Q * ensc Ping timeout: 480 seconds
1102583548 A * mugwump yawns
1102584041 J * ensc ~ircensc@ultra.csn.tu-chemnitz.de
1102584533 Q * ensc Ping timeout: 480 seconds
1102585084 N * Bertl_zZ Bertl_oO
1102585107 M * no_x morning bertl !
1102585479 J * ensc ~ircensc@ultra.csn.tu-chemnitz.de
1102587501 J * rs rs@ice.aspic.com
1102587512 M * rs hi
1102587531 M * Doener morning rs!
1102587570 M * rs hey Doener!
1102589608 M * rs Doener: do you know if epoll() is virtualized or if there can be security problems with it ?
1102589654 M * Doener no
1102591376 N * Bertl_oO Bertl
1102591408 M * Bertl morning folks!
1102591505 M * Loki|muh hehe, get up early *g*
1102591541 M * Bertl well, I already drove about 100km ...
1102591548 M * Loki|muh oh, okay
1102591581 M * Bertl so I had about 4h sleep ...
1102591610 M * Loki|muh uh, thats not so much... like me last night... but today 9hours, thats fine :)
1102591636 M * Bertl yeah, usually I need about 9-12h ...
1102591905 M * Doener Bertl: tracked down my issue with cscope... gentoo guys applied a truly ingenious patch :)
1102591916 M * Doener (void) fclose(refsfound);
1102591916 M * Doener - if ( (refsfound = myfopen(temp1, "wb")) == NULL) {
1102591916 M * Doener + if ( (refsfound = myfopen(temp1, "w+xb")) == NULL) {
1102591936 M * Bertl LOL
1102591961 M * Bertl well, what can I say, never use a distro for important work ;)
1102591984 M * Doener where x means O_EXCL and this will obviously fail, since temp1 never changes :)
1102592069 M * Bertl okay, back in about 20-30 minutes ...
1102592078 N * Bertl Bertl_oO
1102592079 J * BobR_ ~georg@MAIL.13thfloor.at
1102592204 Q * BobR_ Quit:
1102592234 J * BobR_ ~georg@MAIL.13thfloor.at
1102592234 Q * sannes Read error: Connection reset by peer
1102592257 Q * BobR_ Quit:
1102592266 J * BobR_ ~georg@MAIL.13thfloor.at
1102592355 Q * BobR_ Quit:
1102592494 J * Mega\work ~Megabart2@host111-101.pool80182.interbusiness.it
1102592500 M * Mega\work Hi
1102592540 M * Mega\work I have a problem with a kernel 2.4.28+grsecurity
1102592597 M * Mega\work I don't succeed to patch the kernel with a vserver patch
1102592672 M * Mega\work If I use the not patched grsecurity kernel, the vserver patch works!
1102592676 M * Mega\work why?
1102592682 J * BobR ~georg@MAIL.13thfloor.at
1102592695 P * BobR
1102592739 M * Doener because some files are modified by both patches, and they don't play nice together
1102592745 M * Loki|muh Mega\work: look, if the patch would changed something changed by grsecurity or if patch is just confused by the grsecurity patches
1102592785 M * Mega\work ok, but also who i can resolve the problem?
1102592829 M * Mega\work ok, but also how i can resolve the problem?
1102592956 M * Mega\work exists a method to have both patches to works together?
1102592990 M * Loki|muh yes
1102592995 M * Loki|muh patch it by hand
1102593001 M * Loki|muh get http://www.13thfloor.at/vserver/s_release/v1.29/split-2.4.28-vs1.29.tar.bz2
1102593008 M * Loki|muh there are all patches splitted up
1102593015 M * Loki|muh try to get them in separately
1102593058 M * Loki|muh and the ones which fail you should check it manually if it conflicts or patch is just confused
1102593073 M * Loki|muh if it conflicts then I guess it will not work so easy
1102593095 M * Loki|muh and I am _not_ a kernel or vserver expert
1102593102 M * Loki|muh but I would try it this way
1102593111 M * Loki|muh no guarantee that this will work :(
1102593125 M * Doener i guess you can be pretty sure that it is more than just getting the patches to apply
1102593162 M * Doener s/it is more/there's more to it/
1102593178 M * daniel_hozac could someone take a quick peek at util-vserver-0.30.196/lib/vserver.h:vc_getfilecontext and util-vserver-0.30.196/lib/syscall_getiattr.c and tell me if vc_getfilecontext is supposed to work?
1102593263 M * Mega\work Doener, I don't understand!
1102593314 M * Doener "even if you get both patches to apply, there will be problems left"
1102593665 M * Doener daniel_hozac: i'd say it'll always return VC_NOCTX. there's getFileContext in src/lsxid.c if you need such functionality
1102593746 M * daniel_hozac Doener: yeah, but the fix is pretty simple. just wanted a second opinion on the brokenness :)
1102593806 M * Doener yeah, just make it look like getFileContext ;)
1102593908 M * Mega\work if i use uml, I would not have a problem, but uml is not easy to install
1102593912 M * daniel_hozac heh, yeah.
1102593935 M * daniel_hozac thanks.
1102593939 M * Doener daniel_hozac: hmm... does the check for the return in getFileContext make sense?
1102593961 M * daniel_hozac Doener: why wouldn't it?
1102593979 M * Mega\work vserver is very more easy
1102594021 M * daniel_hozac Doener: if no xid is set, mask &= ~VC_IATTR_XID;
1102594076 M * Doener where does that happen?
1102594093 M * Mega\work Therefore I must choose if i want a kernel with grsecurity or I want to use vserver
1102594132 M * Mega\work it is right?
1102594148 M * Doener or make the patches play nice together...
1102594180 M * Doener daniel_hozac: ok, got it
1102594181 M * Mega\work ohhhhhhhh
1102594227 N * Bertl_oO Bertl
1102594268 M * Mega\work no Doener
1102594297 M * Bertl Mega\work: thought grsec was discontinued?
1102594316 M * Mega\work I am not able
1102594373 M * Mega\work Bertl: grsec and vserver patches don't works together
1102594389 M * Bertl well, yes and no, IIRC some folks were doing mixed patches
1102594418 M * Bertl but I got the impression that grsec patches weren't updated anymore?
1102594451 M * daniel_hozac hmm, latest release: 11/23/04
1102594469 M * Bertl sounds like grsec is back then, excellent!
1102594481 M * Mega\work Bertl
1102594496 M * Mega\work my kernel is 2.4.28
1102594549 M * Mega\work therefore both patches are update
1102594632 M * Bertl http://www.firehead.org/~jeffrey/linux-vserver/
1102594643 M * Bertl linked from:
1102594645 M * Bertl http://linux-vserver.org/Tools+and+patches
1102594658 M * Mega\work I don't succeed to compile a kernel with both patches
1102594667 M * Mega\work thanks
1102594693 M * Mega\work Now I see the link
1102594721 M * Bertl you're welcome!
1102594744 M * Bertl please report back if the patches worked for you ...
1102594755 M * Mega\work Bertl: is a solution to my problem!!!!!!!!!
1102594814 M * Mega\work excuse me for my bad english!
1102594847 M * Bertl no problem, most folks here are not native english speakers either ... and we can communicate, that is what matters!
1102594972 M * Mega\work I'm italian, but I like english
1102594973 M * weasel 'Multiple exclamation marks,' he went on, shaking his head, 'are a sure sign of a diseased mind.'
1102594980 M * weasel -- TP :)
1102594999 M * Bertl ;)
1102595218 M * Mega\work Bertl: you use vserver with grsecurity?
1102595477 M * Mega\work wath is the difference between vs1.29-diff-for-grsecurity-2.0.2-2.4.28.patch.bz2 and vs1.29-diff-for-grsecurity-2.0.2-2.4.28.patch.bz2??
1102595487 M * Mega\work *What
1102595559 M * Loki|muh you pasted 2 times the same string ;)
1102595589 M * Mega\work excuse me
1102595592 M * Mega\work :D
1102595604 M * Bertl so the answer should have been, none! ;)
1102595633 M * Mega\work wath is the difference between grsecurity-2.0.2-2.4.28-vs1.29.patch.bz2 and vs1.29-diff-for-grsecurity-2.0.2-2.4.28.patch.bz2 ???
1102595655 M * Mega\work *What
1102595677 M * Doener i guess the former applies to 2.4.28 and the latter to 2.4.28-grsec-2.0.2
1102595698 M * Mega\work ah, ok
1102595712 M * Doener both resulting in 2.4.28-grsec-2.0.2-vs1.29
1102595712 M * Bertl IIRC that was a little trickier with jeffreys patches
1102595785 M * Bertl yep, the vs1.29 ... patch is a patch to patch the grsec patch, to make it apply ;)
1102595811 M * Bertl (if you didn't understand that, it's quite understandable)
1102595821 M * Mega\work I have patched with 2.4.28-grsec-2.0.2-vs1.29, but during the process, i have had this message
1102595822 M * Mega\work 2.4.28-grsec-2.0.2-vs1.29
1102595824 M * Mega\work ops
1102595837 M * Mega\work Hunk #2 succeeded at 589 (offset -2 lines).
1102595837 M * Mega\work Hunk #3 succeeded at 617 (offset -2 lines).
1102595837 M * Mega\work Hunk #4 succeeded at 722 (offset -2 lines).
1102595837 M * Mega\work Hunk #5 succeeded at 752 (offset -2 lines).
1102595837 M * Mega\work Hunk #6 succeeded at 882 (offset -2 lines).
1102595839 M * Mega\work Hunk #7 succeeded at 1008 (offset -2 lines).
1102595860 M * Mega\work Is it normal?
1102595860 M * Bertl well, that is fine ...
1102595884 M * Bertl if you get lines with 'fuzz' or rejects ... then it's bad
1102595908 M * Mega\work yes
1102595909 M * Mega\work 1 out of 16 hunks FAILED -- saving rejects to file linux-2.4.28-vs1.29/kernel/sys.c.rej
1102595909 M * Mega\work patching file linux-2.4.28-vs1.29/kernel/sysctl.c
1102595909 M * Mega\work Hunk #1 succeeded at 39 (offset -1 lines).
1102595909 M * Mega\work Hunk #2 succeeded at 135 (offset -2 lines).
1102595909 M * Mega\work Hunk #3 FAILED at 300.
1102596131 M * Bertl did you patch the vanilla (unpatched) kernel from kernel org with vs1.29 first?
1102596172 M * Mega\work yes
1102596205 M * Mega\work but without vs1.29 patch
1102596233 M * Mega\work i try to patch kernel vanilla without any patch
1102596233 M * Bertl the grsec patch from jeffrey is _ontop_ of the vs1.29 patched sources
1102596251 M * Mega\work I don't understand
1102596294 M * Mega\work first a must patch the kernel with vserver patch?
1102596304 M * Bertl yep, you do
1102596314 M * Bertl linux-2.4.28
1102596319 M * Bertl then you patch with vs1.29
1102596337 M * Mega\work and after with grsec patch from jeffrey
1102596339 M * Bertl then you patch with the grsec patch (grsecurity-2.0.2-2.4.28-vs1.29.patch.bz2)
1102596344 M * Mega\work yeah
1102596344 M * Bertl exactly!
1102596396 M * Mega\work Bertl: you are the vserver god!
1102596409 M * Bertl am I?
1102596448 M * Mega\work you are a god!
1102596459 M * Mega\work vserver god!
1102596504 M * Loki|muh ack ;)
1102596531 M * Mega\work what is ack?
1102596609 M * Loki|muh acknowledged
1102596671 M * Mega\work ohhh
1102596692 M * Loki|muh ack is the response of the server to a syn from the client when you build a tcp connection
1102596693 M * Mega\work yes, now i understand :D
1102596773 M * Mega\work two ways handshake or similar
1102596780 M * Mega\work syn/ack etc
1102596781 M * Mega\work :D
1102596839 M * Mega\work I'm little stupid, but something I've studied
1102596857 M * Loki|muh hehe ;)
1102596881 M * Bertl well, if you _were_ stupid, you would not use linux-vserver ;)
1102596928 M * Mega\work eheheheh
1102597062 M * Mega\work if I wasn't a stupid, I would have resolved a problem, without ask you!
1102597138 A * no_x is relieved to hear that statement *g*
1102597167 M * Doener hm, guess i'm stupid as well then, since i couldn't help you, either ;)
1102597405 M * Mega\work :D
1102597718 M * Mega\work YESSSSSSSSSSSSSSSSSSSS
1102597734 M * Bertl hmm, sounds like it works ;)
1102597745 M * Mega\work kernel with grsec and vserver build
1102597750 M * Mega\work ahahahahahah
1102597759 M * Mega\work yeah Bertl!!!!!
1102597885 M * Mega\work Today is my fortunate day.........And all thanks to Bertl!!!!!!!!!
1102597899 M * Mega\work THANK'S Bertl THANKS'S!!!!
1102598281 M * Bertl you're welcome!
1102599331 M * Bertl Mega\work: don't forget to thank jeffrey for doing the patches ...
1102599344 M * Bertl http://www.linux-vserver.org/grsecurityHowto
1102599419 J * sannes ~ace@home.skarby.no
1102599938 M * Bertl welcome sannes!
1102600140 J * ydupont ~ydupont@lamier.cri.univ-nantes.fr
1102600155 M * Bertl welcome ydupont!
1102600289 M * ydupont Bertl: Hello !
1102600304 M * ydupont I have a question about NGNET
1102600328 M * Bertl yes? let's hear!
1102600335 M * ydupont are alpha vserver-tools enough to start testing?
1102600355 M * Bertl no, you need a little more .. and some patience ...
1102600364 M * ydupont i have patience ;-)
1102600374 M * Bertl http://vserver.13thfloor.at/Experimental/NGNET/
1102600389 M * Bertl you need a patched iptables on the host
1102600391 M * Bertl http://vserver.13thfloor.at/Experimental/NGNET/iptables-1.2.9-vnet.diff
1102600407 M * Bertl you need the vs1.9.3.10 kernel plus:
1102600415 M * Bertl http://vserver.13thfloor.at/Experimental/NGNET/diff-2.6.10-rc3-vs1.9.3.10-ng7.diff
1102600419 M * ydupont I missed the iptables patch
1102600423 M * Bertl plus
1102600425 M * Bertl http://vserver.13thfloor.at/Experimental/NGNET/delta-2.6.10-rc3-vs1.9.3.10-ng7-ng7.2.diff
1102600434 M * ydupont but have the later (her... previous version in fact)
1102600437 M * Bertl you also need the:
1102600439 M * Bertl http://vserver.13thfloor.at/Experimental/NGNET/vnet-0.02.tar.bz2
1102600451 M * ydupont ok didn't get this one
1102600453 M * Bertl and you should start with the
1102600456 M * Bertl http://vserver.13thfloor.at/Experimental/NGNET/vnet3_setup.sh
1102600458 M * Bertl script
1102600461 M * ydupont oki
1102600470 M * Bertl it basically sets up two contexts with separate networks
1102600481 M * Bertl separate ips on the same network that is
1102600489 M * ydupont so. basically a patched kernel without vnet can't work...
1102600504 M * ydupont because the kernel booted but even eth0 didn't respond
1102600509 M * ydupont ok, I have my answer :)
1102600528 M * ydupont I'm testing in on newer xeon nocona 64 bits,
1102600549 M * Bertl the recent patches also support vshelper context calls
1102600550 M * ydupont and basically vserver seems to cope well with 64 bits
1102600559 M * Bertl yeah, I hope it does!
1102600575 M * Bertl if not, it's a bug, and you should report it ;)
1102600583 M * ydupont ok, going to retest this afternoon
1102600601 M * ydupont well OK, it is afternoon , so going to test it now
1102600617 M * Bertl ;)
1102600660 M * Bertl the vshelper calls were added because it is a little tricky to setup the interfaces for an existing vserver ...
1102600703 M * ydupont reading vnet3_setup ATM
1102600727 M * Bertl btw, it is advised to start with a config similar to http://vserver.13thfloor.at/Experimental/NGNET/kernel-ng5.config
1102600738 M * Bertl (especially regarding network config)
1102600749 M * ydupont ok, so basically even eth0 is treated specially and need the VNET target...
1102600767 M * Bertl per default there are _no_ interfaces in a context
1102600776 M * ydupont yes understood
1102600785 M * Bertl you have to create a 'clone' of lo and ethX ...
1102600804 M * ydupont ok the vnet utils does this, right ?
1102600818 M * Bertl yep, and those new interfaces have to be configured from inside the context
1102600853 M * ydupont ok. so now from a context you have en0 pseudo interface
1102600884 M * Bertl yeah, you could also name it eth0, but I chose en0 just to show that it is different
1102600905 M * ydupont ok
1102600914 M * Bertl in the future, it will probably be called eth0
1102600916 M * ydupont well, going to test this :)
1102600933 J * meebey meebey@meebey.net
1102600937 M * meebey hi all
1102600938 M * meebey Bertl: ping
1102600940 M * Bertl welcome meebey!
1102600945 M * meebey hiya Bertl
1102600950 M * meebey good timing :-P
1102600954 M * ydupont hello
1102600968 M * meebey do you plan on adding the proc write access patch for 1.30?
1102600973 M * ydupont ok; so going to resync my kernel and download vnet
1102600985 M * meebey if not, I need to forward port it on each release from now on
1102600986 M * ydupont Bertl: thanks
1102601003 M * Bertl you're welcome!
1102601030 M * meebey Bertl: it's a pretty simple patch which hardly can break anything
1102601039 M * Bertl meebey: first there is a 1.3.0 already and much more confusingly the next stable release will be 1.210 ;)
1102601050 M * meebey Bertl: without it though I am not able to run things like freeswan/openswan inside vservers
1102601058 M * meebey Bertl: hrhr
1102601071 M * Bertl do you have a link to that patch?
1102601086 M * meebey lemme check
1102601109 M * ydupont Bertl: is the iptables patch an absolute necessity ?
1102601135 M * Bertl yep, you can't create the vnet table rules without
1102601169 M * meebey Bertl: http://doener.homeip.net/doener/vserver/2.4.27-vs1.29-proc-access.diff
1102601178 M * meebey Bertl: http://doener.homeip.net/doener/vserver/util-vserver-0.29-proc-access.diff
1102601189 M * ydupont mhh ok.
1102601233 M * ydupont do you think you have chances it can be adopted upstream ?
1102601262 M * ydupont because I already use some iptables extensions (pom-ng) which requires an iptables recompilation
1102601268 M * Bertl well, I don't think so, as it makes zero sense on a non-vserver kernel
1102601285 M * ydupont not a problem in itself, but i'm afraid it can slow adoption on vserver...
1102601288 M * daniel_hozac wouldn't it be possible to add it to pom-ng though?
1102601293 M * ydupont off vservers
1102601300 M * Bertl but the patch doesn't affect much, it just adds two extensions
1102601302 M * ydupont grr ... not speaking well today
1102601304 M * ydupont yes
1102601315 M * ydupont i'm reviewing it at the moment
1102601339 M * Bertl so the worst thing which could fail is the list of extensions
1102601355 M * Bertl (and I probably can adjust the patch to cope with that)
1102601366 M * ydupont just - in a distribution point of view -
1102601375 M * ydupont let's take a debian user, for example
1102601389 M * meebey Bertl: 3 server use that proc access patch, running perfectly
1102601419 M * ydupont for him it's quite simple : take the vserver-utils, the kernel patch and that's fine
1102601425 M * Bertl ydupont: debian users have to recompile everything from scratch ...
1102601438 M * ydupont that's what i make ;-)
1102601444 M * Bertl because the debian packages are not only outdated but broken ...
1102601476 M * meebey Bertl: hu?
1102601478 M * Bertl I'm still confident that will change ... sometime ...
1102601482 M * meebey Bertl: 0.30 is outdated?
1102601494 M * Bertl for 2.6.x kernels, yes
1102601500 M * ydupont it's the last official , no ?
1102601502 M * meebey Bertl: the maintainer packages stable mainstream
1102601516 M * meebey Bertl: which is right for debians stable target
1102601522 J * Johan ~johan@fia204-8-100.dsl.mxposure.nl
1102601528 M * Bertl welcome Johan!
1102601528 M * Johan Hi all
1102601547 M * Doener meebey: IIRC 2.6 patches are also packaged...
1102601551 M * ydupont yep... well ;-) don't want to start a flameware
1102601556 M * ydupont flame war
1102601565 M * Bertl http://ars.userfriendly.org/cartoons/?id=20040111
1102601570 M * ydupont that was just a question
1102601591 M * ydupont so... going to test vnet
1102601615 M * Bertl well, and the 'original' answer was/is simple: get the iptables stuff into mainline, or not ... I do not really care ;)
1102601642 M * Johan I am struggling with quota support (using the docs on linux-vserver.org) but get the error "adding quota hash for /dev/vroot/0 ... failed: No such device" when running cqhadd. anyone?
1102601721 M * Bertl ydupont: it's really funny btw, originally I wanted to 'abuse' the mark target of iptables, and the first comment on that was: hey but what if somebody uses that for his firewall/wossname/thingy? so I added a separate table and a separate target for that purpose ... now folks come and complain that it requires a modified iptables?!
1102601749 M * Bertl Johan: have you configured the vroot device? does it exist?
1102601766 M * Bertl btw, where is that howto?
1102601792 M * Johan Bertl: o no damn, I forgot something.... a stupid mistake, sorry :)
1102602288 J * cereal ~cereal@217.20.127.85
1102602300 M * Bertl meebey: basically I'm fine with the patch, but what exactly is it you need that kind of access for?
1102602307 M * Bertl welcome cereal!
1102602317 M * cereal hi Bertl :)
1102602324 M * cereal and all the others
1102602368 M * meebey Bertl: freeswan/openswan needs to change network settings via /proc
1102602383 M * meebey Bertl: like disabling the rp_filter which breaks ipsec
1102602388 M * Bertl but those changes will be host wide ...
1102602393 M * meebey sure
1102602407 M * Bertl so why are they not done on/from the host?
1102602447 M * meebey oh it has also ipsec entries in /proc
1102602457 M * meebey which it writes to
1102602484 M * Bertl so every vserver can mess up the hosts config?
1102602494 M * meebey /proc/net/ipsec:
1102602495 M * meebey birth eroute klipsdebug spi spigrp stats tncfg version xforms
1102602497 M * meebey like that stuff
1102602510 M * meebey Bertl: rp_filter is just the return path check
1102602515 M * Bertl which isn't virtualized or isolated, right?
1102602540 M * meebey Bertl: that is hostwide, yes, all other settings are required for the ipsec module
1102602583 M * Mega\work I have a question
1102602590 M * meebey Bertl: the other vservers would not do anything with VPN
1102602600 M * meebey Bertl: they can use the VPN network if they are allowed to
1102602603 M * Bertl Mega\work: yep?
1102602604 M * meebey Bertl: ipsec0 interface
1102602616 M * Mega\work How you use vserver?
1102602638 M * Doener meebey uses vservers for separation in the first place, security in second place ;)
1102602700 M * Bertl Mega\work: vservers have many applications, they can be used for service separation, host virtualization, testing, development or security enhancement
1102602704 M * Mega\work What vserver do in your case?
1102602719 M * Mega\work ok
1102602745 M * meebey Doener: hiya btw
1102602749 M * Mega\work I want to use vserver, for have more server in one machine
1102602752 M * Doener hi meebey
1102602756 M * Bertl Mega\work: for me they are basically service separation and hosting stuff
1102602758 M * Mega\work mail server, http
1102602758 M * meebey Doener: I like your patch, it does exactly what I need
1102602771 M * Doener glad to hear that
1102602775 M * meebey Doener: but bertl is not sure if its generic/good enough seems so
1102602800 M * Mega\work This use is just?
1102602813 M * Mega\work is this use just?
1102602813 M * Doener i'd say bertl is more concerned about the sense of it... think "host stuff should be done in the host"
1102602827 A * albeiro is looking for some rar password cracker, anybody have some ? :D
1102602829 M * meebey Bertl: there is no doubt that allowing write proc access lowers security and effect all other vservers and the host itself
1102602835 M * Bertl well, to be honest, it allows too much IMHO and it adds a new flag ... which needs additional support from the tools, etc ...
1102602837 M * meebey Bertl: but it removes a limit if you need it
1102602867 M * meebey Bertl: the userspace tool needs to know one flag more, yes, doener patch that with 3 lines of code
1102602876 M * Bertl and the patch is simple, so forward porting it will take ... hmm 30 seconds each month?
1102602908 M * Bertl guess you already spent a year of porting time to convince me to include this patch ;)
1102602910 M * meebey Bertl: and I need to compile/built the package each time, and add extra patch for the kernel, instead of just using
1102602928 M * Bertl which package?
1102602934 M * Doener *g*
1102602952 M * meebey Bertl: the debian package of util-vserver
1102602969 M * Bertl well, why not convince the debian folks to include it then?
1102602979 A * Doener was just about to say the same
1102602982 M * meebey I did
1102602983 M * Bertl (doesn't make much sense to me if I include it, does it?)
1102602986 M * meebey they want it upstream
1102603023 M * meebey upstream would allow others this feature too, I see your point that it lowers the security if its used wrong
1102603036 M * Bertl ah, looks like you already spent a century equivalent of forward porting ;)
1102603036 M * meebey but if you use vserver without thinking, then its too late anyhow
1102603043 M * meebey regardless if vserver allows something or not
1102603051 M * Mega\work Bertl: I can call you in pvt?
1102603061 M * Bertl if you need to, yes ;)
1102603082 M * Mega\work in chan i do not succeed to follow
1102603088 M * meebey Bertl: I am now on 2.4.28 kernel and will now going to forward port it
1102603115 M * meebey Bertl: when I said I run vpn inside a vserver other vserver was interested in that too
1102603126 M * meebey Bertl: so I thought its maybe good enough for going upstream
1102603133 M * meebey Bertl: not just because I am lazy or whatever
1102603185 M * Bertl well, I guess you made your point (or let's say, stated your request), I'll consider it and decide on the next release ...
1102603195 M * meebey since ipsec is kernel space there is no way doing it userspace in a nice way of vserver
1102603204 M * meebey Bertl: allright
1102603218 M * albeiro well, ipsec in 2.4 sucks raw eggs anyway
1102603241 M * meebey albeiro: openswan gives you working ipsec stack
1102603253 M * albeiro i know and i've been using it, but...
1102603274 M * albeiro it's working more or less, but could not be implemented in worse way
1102603321 M * albeiro packets are coming on normal ethernet interface, then somehow magically they appear on ipsec interface... eh
1102603333 M * albeiro it's breaking many things
1102603348 M * meebey they get routed to the ipsec0 interface, whats the prob?
1102603364 M * albeiro rp_filter for example ?
1102603380 M * meebey "somehow magically" == routed
1102603412 M * albeiro btw - ipsec in 2.6 (ported from bsd and done better than original of course) is so powerful
1102603417 M * meebey 192.168.7.0 62.80.20.121 255.255.255.0 UG 0 0 0 ipsec0
1102603421 M * albeiro cleanly designed, etc
1102603426 M * meebey that doesnt look like any magic to me
1102603437 M * albeiro and written by Aleksey Kuznetsov
1102603438 M * meebey a simple and clean device route
1102603460 M * albeiro guess why kernel devs never accepted it :)
1102603486 M * meebey albeiro: yes thats the 2.6 ipsec branch, so? 2.4 works, there is always a better way of doing it
1102603501 M * meebey albeiro: there is no stable vserver, do you see any?
1102603505 M * meebey albeiro: for 2.6
1102603523 M * albeiro 2.6 is all unstable development version
1102603529 M * albeiro i mean kernel
1102603546 M * meebey albeiro: so there is no choice, ugly working stable implementation, or bleeding edge unstable
1102603570 M * albeiro unstable -> not that it is unstable in terms of working
1102603586 M * albeiro but code is constantly changing in important places like VM
1102603594 M * meebey when sarge is released and vserver got a stable release for 2.6, I will swap
1102603612 J * mboman ~michael@cm168.sigma231.maxonline.com.sg
1102603612 M * Bertl ah, sarge will be released?
1102603617 M * albeiro you could also try some userspace vpn implementation
1102603618 M * Bertl welcome mboman!
1102603618 M * albeiro at least one is known to be good
1102603622 M * meebey sure, we are working on it
1102603710 M * meebey albeiro: no those I dont like
1102603710 Q * sannes Read error: Connection reset by peer
1102603724 M * meebey albeiro: they don't use ipsec, like tinc openvpn etc
1102603759 M * mboman Hi Bertl
1102603764 M * meebey about 1,5 years we use VPN for our national wide network
1102603766 M * meebey works perfect
1102603771 M * albeiro the only not exploitable implementation is openvpn
1102603779 M * meebey more stable than permanent ISDN lines
1102603780 M * Johan I am struggling with quota and when I run quotacheck inside the vserver I get the following error: "quotacheck: Scanning /dev/hdv1 [/] quotacheck: error (2133571364) while opening /dev/hdv1" Anyone an idea what I might doing wrong?
1102603783 M * mboman Bertl: Have you heard any success/failure stories about vserver and RHEL 3?
1102603806 M * Bertl Johan: where is that strange howto you are following? ;)
1102603809 Q * grecea Remote host closed the connection
1102603838 M * Johan Bertl: on linux-vserver.org, here is the link: http://vserver.13thfloor.at/Linux2.6/index.php?page=Per+Context+Quota
1102603839 M * Bertl Johan: I'd say you did not copy the vroot device into the vserver ... and/or forget to change the mtab entry inside the vserver
1102603870 M * Bertl did you do the equiv of:
1102603872 M * Bertl cp -va /dev/vroot/device /vservers//dev/hdv1
1102603884 M * Johan Bertl: I copied the vroot device into the vserver as /dev/hdv1 and I changed the mtab entry to: /dev/hdv1 / ext3 rw,usrquota,grpquota 0 0
1102603903 M * Bertl okay, change the ext3 there to ufs
1102603909 M * Bertl (as mentioned in the howto ;)
1102603914 M * Johan ok
1102604033 J * grecea ~grecea@h-195-22-237-74.mdl.net
1102604035 M * Johan Bertl: It seems quotacheck works now but now quotaon is picky. It says "quotaon: using //aquota.group on /dev/hdv1 [/]: Operation not permitted" and "quotaon: using //aquota.user on /dev/hdv1 [/]: Operation not permitted"
1102604074 M * Bertl make sure that you have the CAP_QUOTACTL set for your vserver
1102604104 M * Johan Ah ok, I can define that in the conf file I assume ?
1102604138 M * daniel_hozac mboman: seen http://vserver.13thfloor.at/Experimental/OUTDATED/patch-2.4.21-20.EL-vs1.29.4.diff ?
1102604181 M * Bertl Johan: yeah!
1102604186 M * mboman daniel_hozac: nope, not yet...
1102604473 M * mboman daniel_hozac: any good/bad news about that patch?
1102604522 M * daniel_hozac mboman: i don't really know. check the logs ;)
1102604600 M * rs re
1102604608 M * Bertl welcome rs!
1102604634 M * Bertl mboman: I adapted it after somebody bugged me that there is no RHEL patch ...
1102604650 M * Bertl some stuff (like the scheduler) is missing ...
1102604720 M * mboman Bertl: ok, in plain english - what does that mean?
1102604868 M * rs Bertl: do you think that epoll is safe in a vserver ?
1102605345 M * Loki|muh Bertl: what about the ngn stuff? wouldn't vpns work inside this separately for each vserver?
1102606340 M * Bertl yeah, they should ...
1102606369 M * Bertl mboman: that the stuff is almost untested but seems to work ...
1102606383 M * Bertl rs: hmm ... please elaborate ...
1102606424 M * mboman Bertl: ok.. well, I am just going to use them (the vservers) as RPM build environments anyway - not having any other ppl using them so it should be ok then?
1102606463 M * Bertl probably is, no guarantees though ...
1102606631 M * Bertl rs: I uploaded a patch for the cmask stuff
1102606651 M * albeiro RHEL kernel may not be modified with losing support if it is
1102606657 M * albeiro that's what i heard
1102606684 M * Bertl yep, that is correct (and reasonable)
1102606714 M * albeiro i agree, it is reasonable
1102606742 M * albeiro it's just like vanilla kernels ;p
1102606749 M * albeiro and lkml
1102606797 M * Bertl well, lkml doesn't care as long as the sources are available
1102607301 M * Johan Bertl: Quota is working! :) However I still have a strange _situation_. I just copied a small/basic slack install as vserver to test with. When I run vserver slack start, then vserver slack stop I can't start it again, even after a reboot not. I get the error "Can't chroot to directory . (Permission denied)"
1102607365 M * Bertl hmm, for you I hope that you are using static context ids, not dynamic ones, but it looks like you are not :/
1102607435 M * Johan Bertl: Context id's, hmmm wait. Every vserver has a context ID right ? This is randomly chosen, or can it be defined in its config ?
1102607459 M * Bertl for context quota and disk limits it _has_ to be chosen ...
1102607473 M * Bertl i.e. you need to assign a _fixed_ id for each vserver
1102607491 M * Bertl otherwise you will end up with permission denied ;)
1102607514 M * Johan Hmmm where can I set that? (can't remember I read anything in the docs about this..., but lemme read them again:))
1102607590 M * Bertl http://vserver.13thfloor.at/Linux2.6/index.php?page=Per+Context+Disk+Limits
1102607606 M * Bertl To make use of the Per Context Disk Limits the vservers have to be assigned a static Context ID. In this case here the /etc/vservers/test.conf should have the variable S_CONTEXT=100.
1102607629 M * Bertl (same is true for the context quota)
1102607665 M * Bertl btw, it couldn't hurt to update the docs, and maybe do a quota howto?
1102607679 M * Johan Ah now I (think I) understand
1102607681 N * cereal cereal|away
1102607702 M * Johan Bertl: ehm, is that a question to me ? :)
1102607720 M * Bertl well, not a question more a suggestion actually ...
1102607731 M * Johan I can write some docs in my spare time if you want
1102607743 M * Johan if that's what you mean :)
1102607773 M * Bertl if you want to ease the quota setup for the next person coming along, then this would be a very useful thing to do ...
1102607796 M * Bertl and of course you would be mentioned on linux-vserver.org ;)
1102607807 M * Bertl (think of all that fame!)
1102607867 M * Johan Haha to be honest I am not interested in fame, but I am interested in contributing. So I will write some docs when i have time
1102607924 M * Johan But first time to assign a context id to my vserver
1102607954 M * Bertl you can fix most of the issue you encounter now by moving the entire context back into xid=0
1102607982 M * Bertl (simplest way to do so is touching each file from the host context)
1102608013 M * Johan just touch everyfile ? like find -exec touch {} \; ?
1102608034 M * Bertl well, yes, basically that should be enough, there are also tools which operate on the xid itself
1102608043 M * Johan Ok, lets give it a try then
1102608045 M * Bertl of course you can use them too ...
1102608143 M * Johan Well how does this xid work ? It just assigns a id (context id (xid)?) flag to a file that's within a vserver so that the software can recognize to which vserver it belongs?
1102608252 Q * ydupont Quit: Leaving
1102608306 M * Bertl http://www.13thfloor.at/old/VServer/Concepts.shtml
1102608333 M * Johan Ah :)
1102608360 M * Bertl http://www.13thfloor.at/old/VServer/HowTo.shtml <- might be useful for new docu too ...
1102608444 M * Mega\work hi all
1102608445 M * Bertl http://linux-vserver.org/Linux-VServer-Paper-04 (04.5)
1102608470 M * Mega\work I am of return
1102608503 M * Johan Bertl: ok I am noting those urls, they might come handy.
1102608585 M * Johan I need some food now. Thanx and talk to you ppl later, bye
1102608590 Q * Johan Quit: Leaving
1102608603 M * meebey hrhr
1102608604 M * meebey openswan-modules-2.4.28-vs1.29p_2.2.0-2.backports.org.1+gsd.1_i386.deb
1102608613 M * meebey cool version number mess, isn't it?
1102609213 M * Mega\work What do you use for admin (create, remove ecc) vserver?
1102609229 M * Mega\work Vserver tools or util-vserver?
1102609501 M * Mega\work in debian there's vserver-debiantools in a precompilate package
1102610805 J * sannes ~ace@home.skarby.no
1102611105 M * Bertl Mega\work: you can use whatever you like ... util-vserver is up to date with the development ... I can't tell about other tools ...
1102611136 M * Mega\work ok
1102611150 M * Mega\work another question
1102611152 M * Mega\work :D
1102611201 M * Mega\work debian31-2004082701.tar.bz2
1102611231 M * Mega\work How can I use this system image?
1102611273 M * Bertl haven't tried yet, but from the way it is packaged I'd say you unpack it somewhere and use that as a vserver (or template) ;)
1102611358 M * Mega\work therefore, the system image is not used by any tools for create vserver, is try?
1102611374 M * rs re
1102611377 M * Bertl wb rs!
1102611386 M * rs Bertl: about the epoll question
1102611400 M * rs a customer asked why we disabled epoll in the kernel
1102611418 M * Bertl because we (you?) are evil!
1102611421 M * rs and I wondering if it would be safe to enable it and create an epoll device in each vserver
1102611480 M * Bertl make a patch, test it ...
1102611493 M * rs a patch ?
1102611516 M * rs a patch with what ?
1102611517 M * Bertl well, don't know is epoll usable in the vanilla kernel yet?
1102611542 M * rs dunno :)
1102611553 M * rs I don't know much about epoll at all
1102611578 M * Bertl well, and if, you would have to virtualize/isolate that
1102611590 M * Bertl after all it's an event interface
1102611596 M * rs ok so this is the answer I was expecting
1102611605 M * rs thx
1102611617 M * rs was just to be sure before to send my answer
1102611633 M * Bertl well, would need some testing ...
1102611675 M * Bertl looks like epoll is bound to filedescriptors
1102611693 M * Bertl so it might be that it is automatically virtualized
1102611723 M * rs good news
1102612077 M * Bertl okay, then please create a test program which utilizes the epoll interface and we see how/if we can do that in a vserver ...
1102612107 M * rs I can ask the guy who when to test it
1102612196 M * Bertl sure, sounds reasonable ...
1102612241 M * rs maybe the man page example could be enough
1102612303 M * Bertl probably
1102612817 M * rs so you got a patch for cap mask ?
1102612818 Q * sannes Read error: Connection reset by peer
1102612847 M * Bertl yep, update the original stuff, not including the debug printks
1102612885 M * Bertl http://vserver.13thfloor.at/Experimental/delta-2.6.10-rc3-vs1.9.3.10-vs1.9.3.10.1.diff
1102612907 M * Bertl it would be a good idea to add the printks as we did though ...
1102612955 M * rs was really verbose
1102612961 M * rs too verbose I'd say
1102612988 M * rs generate 15MB of throughput to the syslog machine :) :)
1102612994 M * rs bytes
1102613129 M * Bertl well, but it helped to identify the issue, didn't it?
1102613149 M * rs hmm we didn't use it
1102613161 M * Bertl huh? what about the --- 1,0
1102613170 M * rs yeah I'm not talking about this one
1102613192 M * rs but the one I compiled before your dinner
1102613207 M * rs we didn't test it together
1102613218 M * Bertl ah, okay ... the +++ stuff
1102613222 M * rs yeah
1102613263 M * Bertl okay, guess we don't need that one yet .. so the --- should be enough
1102613327 M * rs k
1102613616 Q * mboman Quit: One day I'll get that peer and reset HIS connection!
1102614615 J * DuckMaster ~Duck@dyn-83-154-131-93.ppp.tiscali.fr
1102614622 M * Bertl welcome DuckMaster!
1102614635 M * TheSeer anyone here using postfix as mailserver?
1102614642 M * Bertl yep
1102614669 M * TheSeer i need to "port" a qmail-solution to postfix
1102614678 M * TheSeer i have a .qmail-file like this
1102614687 M * TheSeer |/path/to/script
1102614697 M * TheSeer ./Maildir
1102614705 M * rs I did the same kind of migration two years ago
1102614721 M * TheSeer whereas qmail first calls script and depending on its return-code the 2nd line is called - or not
1102614721 M * rs qmail -> postfix-ldap
1102614728 M * rs good luck :)
1102614734 M * TheSeer ;-P
1102614741 M * TheSeer don't tell me postfix can't do that?
1102614742 M * TheSeer *g*
1102614745 M * rs it can
1102614755 M * Bertl well, postfix works a little different
1102614841 M * TheSeer i figured that much ;)
1102614887 M * Bertl I really don't know qmail .. so you have to explain the (at first glance trivial) details to me
1102614951 M * TheSeer okay.. no problem
1102614952 M * rs qmail is really different, you map a domain to a user or virtual user, then all is file based (with .qmail files)
1102614971 M * TheSeer a .qmail file is comparable to .forward
1102614983 M * TheSeer with the difference that .qmail can be of multiple lines
1102614989 M * rs it's the advantage and the inconvenience of qmail...
1102615001 M * rs TheSeer: .forwards too :)
1102615002 M * TheSeer depending of the return-code of each line the processing ends or is continued
1102615006 M * Bertl well, procmail does that, right?
1102615038 Q * DuckKing Ping timeout: 480 seconds
1102615045 M * TheSeer yeah.. kind of the same thing
1102615062 M * TheSeer the good thing is that adding an application within the processing is pretty simple
1102615091 M * TheSeer you just add it to a .qmail file and tell it to exit 99 if delivery should go on
1102615101 M * Bertl well, you can easily define procmail or any other script as filter in postfix
1102615138 M * Bertl but the question is 'when should that procmail check happen?'
1102615162 M * TheSeer why does this somehow sound way more complicated than qmail ;)
1102615181 M * Bertl because it is somehow more simple and secure ;)
1102615189 M * TheSeer i doubt it's more secure
1102615194 M * Bertl and of course it's completely different!
1102615200 M * rs TheSeer: it's the same thing with .forward btw
1102615214 M * TheSeer rs: it is? i never really used .forward ;>
1102615226 M * TheSeer can postfix handle .forward? *g*
1102615230 M * Bertl yes
1102615241 M * Bertl but actually it isn't postfix handling that
1102615248 M * Bertl it is the procmail which does this
1102615270 M * TheSeer but rc 99 is ok for that to work?
1102615273 M * rs Bertl: to handle what ?
1102615280 M * TheSeer or do i have to modify my script
1102615283 M * Bertl and nowadays you use procmailrc which can do much more than your example
1102615289 M * rs TheSeer: I'm not sure, check the local manpage
1102615295 M * TheSeer ;)
1102615346 M * TheSeer Bertl: well.. the mail is auto generated by an app and it's triggering some processing and returns some data
1102615355 M * TheSeer basically a webserver done via email ;)
1102615358 M * TheSeer er
1102615360 M * TheSeer webservice
1102615391 M * Bertl well, that is fine, but I don't see what that has to do with postfix ...
1102615408 M * TheSeer somehow i need that mail to get piped into my handling process
1102615411 M * Bertl postfix will do the mail delivery, fine ...
1102615432 M * Bertl you have to 'act' on that and do whatever you want to do ...
1102615468 M * TheSeer the problem is that there is no information if an incoming mail is for my script or not
1102615479 M * TheSeer well, actually there is due to the header
1102615486 M * Bertl so how do you decide then?
1102615495 M * TheSeer i check for my custom header
1102615506 M * TheSeer and i just learned that i can have postfix do that too
1102615512 M * Bertl yes
1102615522 M * TheSeer so in case my header is in there, i tell it to pass that mail to process
1102615532 M * Bertl but is this email sent to somebody?
1102615545 M * Bertl or do you intend to capture any email?
1102615563 M * TheSeer i just intend to capture mail which is to be handled by my script
1102615569 M * TheSeer the mail is then dropped after processing
1102615583 M * Bertl well, look, I would do it like this:
1102615584 M * TheSeer if its not for my script, the mail should be delivered as any other mail would
1102615585 M * rs TheSeer: I guess pcre maps could help there, or procmail
1102615608 M * Bertl I would create an account called 'automaton'
1102615630 M * Bertl then teach postfix the necessary stuff to deliver email (including to this account)
1102615646 M * TheSeer rs: what about header_checks and a redirect on a match?
1102615652 M * Bertl in the account 'automaton' I would setup a oneliner in procmailrc
1102615673 M * Bertl which checks for the 'magic' header (if necessary) and pipes the stuff into a script
1102615689 M * rs TheSeer: it's not meant for that
1102615690 M * Bertl that script would have to 'understand' and 'act' upon that email
1102615708 M * Bertl and if it likes, it could send back email too ...
1102615733 M * TheSeer hmm..
1102615739 M * TheSeer okay.. sounds like a solution
1102615746 M * TheSeer thanx :)
1102615752 M * Bertl and it's easy, simple and done in a few minutes ...
1102615756 M * Bertl you're welcome!
1102617303 M * rs Bertl: ok 10.1 running
1102617320 M * rs and it works fine
1102617325 M * Bertl really? great!
1102617366 M * Bertl so you have now the VXC_SET_RLIMIT off and the CAP_SYS_RESOURCE given, right?
1102617389 M * rs exactly
1102617394 M * Bertl and ulimit isn't permitted to raise the limits
1102617400 M * rs yeah
1102617400 M * Bertl but bind works fine ...
1102617405 M * rs yes
1102617422 M * Bertl now I wonder why bind 'thinks' it needs CAP_SYS_RESOURCE
1102617452 M * Bertl I guess this code is more broken than I ever assumed ... ;)
1102617463 M * rs I think it doesn't really need it, if fail during reduce cap
1102617498 M * rs I guess it assume we have this cap and want to remove it, but while it doesn't have it, it fails
1102617501 M * rs IIRC
1102617504 M * Bertl anyway, looks like a good way to go in the future ...
1102617510 M * rs yeah
1102617528 M * Bertl next step is to make the VXC_SET_RLIMIT depend on the CAP_SYS_RESOURCE
1102617544 J * tanjix tanjix@pD9FAC813.dip.t-dialin.net
1102617549 M * tanjix hi together
1102617550 M * Bertl welcome tanjix!
1102617558 M * tanjix ttuerel:~# mknod /dev/net/tun c 10 200
1102617558 M * tanjix mknod: `/dev/net/tun': Operation not permitted
1102617561 M * rs maybe to fix the bind problem we should just remove all capabilities given by this cap
1102617569 M * tanjix can openvpn be installed within a vserver?
1102617600 M * Bertl tanjix: sure it can, don't know if it works ;)
1102617612 M * rs gotta go home, bbl
1102617617 M * Bertl okay, cya
1102617622 Q * rs Quit: home
1102617668 M * tanjix hmm
1102617703 M * Bertl does it require kernel support?
1102617750 M * tanjix dont really know it's just a customer who asked that - have never used openvpn mysqlf
1102617756 M * tanjix myself
1102617817 M * Bertl well, let's see what google knows about it
1102617929 M * tanjix i found something that CAP_NET_ADMIN should be active.. i did that but did not give any success
1102617970 M * Bertl well, I would not suggest allowing for CAP_NET_ADMIN, unless you want to lose that machine ...
1102618010 M * Bertl if the customer does 'ifdown eth0' your connectivity is gone ...
1102618093 M * Bertl looks like it uses tap/tun devices ... which means it will have to wait a little until ngnet is up and working
1102618529 M * tanjix that means?`
1102618562 M * Bertl for 2.4 definitive no, for 2.6 not yet, probably in 2-3 weeks or so
1102618569 J * JonB ~NoSuchUse@kg144.kollegiegaarden.dk
1102618690 M * Bertl welcome JonB!
1102618794 M * JonB hey ber
1102618796 M * JonB bertl
1102618823 M * Bertl how are your 'projects'?
1102618848 M * JonB i turned in my RFC project
1102618854 M * JonB 1-10
1102618863 M * JonB no grade yet
1102618884 M * JonB i'm trying to get IETF to make it a standard
1102618907 M * Bertl sounds good ...
1102618919 M * JonB then i'm doing one for a company
1102618927 M * JonB ssl in 20k
1102618934 M * JonB maybe 25k
1102618942 M * JonB for a 8 bit micro controller
1102619002 M * Bertl sounds good too, what about linux-vserver? still using it?
1102619048 M * JonB yes
1102619052 M * JonB and it is still running
1102619062 M * JonB the test server also
1102619075 M * JonB however, you should probably use 194.239.210.28 as the entrance now
1102619094 M * JonB and the testserver needs to have .1 as the default gateway
1102619163 M * JonB do you have access to a dual G5 you can test on ?
1102619252 M * JonB my RFC is here
1102619253 M * JonB https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=12349&rfc_flag=0
1102619305 Q * Mega\work Quit: Leaving
1102619310 M * Bertl no access to a dual G5 yet ;)
1102619324 M * JonB i'm thinking about getting one
1102619335 M * JonB my powerbook is too small
1102619340 M * Bertl would be nice to test on that ...
1102619347 M * Bertl (now and then of course)
1102619349 M * JonB yes, i can imagine
1102619377 M * JonB and thats the only i would offer, because it would be my default computer
1102619397 M * JonB mostly because i dont want to
1102619404 M * JonB 1) detach usb
1102619408 M * JonB 2) close lid
1102619417 M * JonB 3) detach other cables (3)
1102619431 M * JonB put it in tucaco 2.skin
1102619435 M * JonB put in bag
1102619440 M * JonB remember PSU
1102619452 M * JonB and reverse when i get home
1102619475 M * JonB and i've grown to like mac's
1102619509 M * Bertl yeah, sounds very lappy ;)
1102619569 M * JonB as for my next project
1102619572 M * JonB the big final one
1102619577 M * JonB i dont know yet
1102619594 M * JonB i might do vserver migration
1102619605 M * JonB because i want that possibility
1102619611 M * JonB WHILE still running
1102619649 M * Bertl excellent, don't let us stop you ;)
1102619674 M * JonB i know i know
1102619683 M * JonB but there are so many other things that i want as well
1102619736 M * JonB like a distributed encrypted filesystem, that supports groups, versioning, ...
1102619794 J * sannes ~ace@home.skarby.no
1102619933 M * JonB Bertl: however, subversion already supports distributed, filesystem, with groups and versioning
1102619946 M * JonB Bertl: so, maybe i should try the vserver migration
1102619985 M * daniel_hozac as well as encryption ;)
1102619995 M * JonB daniel_hozac: no, it doesnt
1102620003 M * JonB daniel_hozac: not the way i want it anyway
1102620012 M * JonB daniel_hozac: i want it encrypted on the server
1102620021 M * daniel_hozac ah, ok.
1102620040 M * JonB daniel_hozac: because i do NOT trust the systemadministrator (me)
1102620071 M * daniel_hozac hehe
1102620132 M * JonB after working in a company that uses CVS to distribute their data, i do not believe in network filesystems
1102620147 M * JonB the versioning is just that much better
1102620157 M * JonB and the speed is excellent as well
1102620204 M * JonB and subversion appears so promising
1102620212 M * JonB now we just need distributed writing
1102620630 M * flock JonB: use openvms then:)
1102620674 M * flock you can get one for free via the openvms hobbyist program
1102620700 M * JonB flock: i can get what?
1102620718 M * flock OpenVMS
1102620780 M * JonB flock: what will that give me
1102620780 Q * sannes Read error: Connection reset by peer
1102620815 M * flock it's filesystem, supporting versions natively.
1102620824 M * JonB flock: distributed?
1102620825 M * flock hold on
1102620829 M * flock http://en.wikipedia.org/wiki/OpenVMS_filesystem
1102620830 M * flock totally:)
1102620841 M * flock going to go shower, see you later guys
1102621030 M * Bertl okay, folks, I'm moving out ... back later ...
1102621049 M * Bertl nice to see you here again, JonB!
1102621065 N * Bertl Bertl_oO
1102622611 N * cereal|away cereal
1102624548 J * jack ~jack@route3.unigiciel.com
1102626512 Q * tanjix Quit:
1102627932 J * sannes ~ace@home.skarby.no
1102628027 Q * jsambrook Ping timeout: 480 seconds
1102629256 M * Doener OT: anyone got a suggestion what i could show to a guy that wants 'a screenshot of a kernel'?
1102629281 Q * tchan Remote host closed the connection
1102629747 M * daniel_hozac take a screenshot of some random source file?
1102630267 M * ndim Screenshot of a kernel panic?
1102630423 N * cereal cereal|away
1102630776 J * tchan ~tchan@c-24-13-81-164.client.comcast.net
1102631524 N * Bertl_oO Bertl
1102631546 M * Bertl evening folks!
1102631577 M * JonB hi again Bertl
1102632487 Q * pusling Quit: Leaving
1102632513 J * pusling ~pusling@cpe.atm4-0-7285.0x50c44806.boanxx19.customer.tele.dk
1102632521 M * Bertl wb pusling!
1102632609 M * Bertl so Jon, you want to make linux-vservers migrateable then, if I got that right?
1102632644 M * Zoiah Bertl: I don't suppose you know of a nice script that would migrate my legacy vservers to flower-page vservers? ;)
1102632655 M * Zoiah If not, I'll just start from skeleton and go from there. :)
1102632684 M * Bertl Doener: there is only one thing you _can_ show ... http://lug.oregonstate.edu/projects/kernelmap/map.php
1102632698 M * JonB Bertl: yes, i want to do that
1102632736 M * Bertl Zoiah: no, although I suggested to write such a script several times, nobody _did_ write it yet, AFAIK
1102632756 M * JonB what is flower-page vservers?
1102632774 M * Bertl yeah, quite some time passed since you left linux-vserver ... ;)
1102632788 M * Doener Bertl: yeah!
1102632807 M * JonB i feel left behind ;-p
1102632818 M * Bertl http://linux-vserver.org/alpha+util-vserver
1102632856 M * Zoiah Bertl: any reason not to go with static contexts?
1102632875 M * JonB i tried running 2.6.9 at work the other week, and i had to change back to regularly 2.4 (no vserver patches)
1102632883 M * JonB is 2.6 still not stable ?
1102632890 M * Bertl Zoiah: nope, dynamic contexts are deprecated anyway ...
1102632897 M * Zoiah Bertl: good. :)
1102632922 M * Bertl JonB: linux-vserver for 2.6 is as stable as the 2.6 kernel itself ;)
1102632928 M * JonB i know
1102632939 M * JonB but i meant, is the 2.6 kernel still not stable ?
1102632954 M * Bertl it's Linus development branch atm ...
1102632962 M * JonB oki
1102632981 M * Bertl so we get 'funny' features(bugs) every week ;)
1102632983 M * JonB Bertl: anyway, as for migration... yeah i would probably do that
1102633023 M * Bertl well, I would love to see such a project .. especially as my todo list is quite long (regarding linux-vserver)
1102633046 M * Bertl and folks have asked for similar features quite often ...
1102633070 M * JonB i have to start something during this spring
1102633075 M * JonB like marts or something
1102633086 M * JonB and i think that is big enough
1102633100 M * Bertl would require something like GFS to do it, but I guess we will integrate that anyway (for replication purposes)
1102633119 M * JonB Bertl: i'm not sure i agree
1102633133 M * Zoiah /lib/util-vserver/legacy/vserverkillall: fork: Resource temporarily unavailable
1102633135 M * Zoiah Goody! ;)
1102633146 M * Bertl Zoiah: use vkill
1102633157 M * JonB i'm thinking more like: let the user handle identical files by themselves
1102633185 M * Zoiah Bertl: ahh, that works, thanks. :)
1102633238 M * Bertl JonB: well, yes, right you are ... but I guess some kind of shared filesystem (over nodes) has to be done (in an xid/context aware way)
1102633253 M * JonB probably
1102633272 M * JonB in the beginning i was thinking of just using rsync/cvs to move stuff
1102633272 M * Bertl and we had a lot of stuff to do with NFS for example
1102633297 M * Bertl btw, NFS is working with linux-vserver, even xid tagged
1102633319 M * JonB NFS?
1102633322 M * JonB *sigh*
1102633326 M * Bertl (was a requirement lycos had)
1102633339 M * JonB oh? they paid for it ?
1102633350 M * Bertl they sponsored development ...
1102633354 M * JonB nice
1102633392 M * Bertl well, lycos folks also work with the community in a really nice way ...
1102633433 M * Bertl (check the logs for 'rs' for example)
1102633434 Q * sannes Read error: Connection reset by peer
1102633435 M * JonB lycos that had the great idea to DDoS spammers?
1102633455 M * Bertl yeah, read about the screensaver ...
1102633477 M * JonB well, the problem is that ALOT of people heard about it
1102633489 M * JonB so now someone are sending emails with a trojan
1102633508 M * JonB and people are more inclined to trust it is real, because they heard of lycos doing this
1102633527 M * Bertl well, doesn't hurt us, does it?
1102633540 M * JonB only indirectly
1102633558 M * JonB one more cracked computer out there
1102633575 M * JonB to be used for spamming and cracking other computers
1102633634 M * Bertl yeah, right, so what should we do? make win* securer? provide the source, we'll do it ;)
1102633670 M * JonB LARTS, LOTS OF LARTS
1102633701 M * JonB and start educating people
1102633762 M * Bertl I do my part of educating win* users whenever I meet one ...
1102633769 M * JonB which reminds me that i probably should do my part as well
1102633788 M * JonB by putting the infected computers in my dorm to a "protected" vlan
1102633809 M * Bertl didn't you do/try that a few months ago?
1102633864 M * JonB never got around to doing it
1102633875 M * Bertl so it seems like flock couldn't convince you of openvms ...
1102633886 M * flock :)
1102633932 M * JonB Bertl: what makes it seem like that?
1102634106 M * Bertl ah, just got that feeling ...
1102634138 M * JonB well i dont know
1102634141 M * JonB it sure seems nice
1102634149 M * JonB i wonder why no one ported that to linux
1102634548 Q * Zoiah Ping timeout: 480 seconds
1102634567 M * JonB flock: why isnt it ported?
1102634597 M * flock JonB: elaborate
1102634610 M * JonB flock: the smart openvms filesystem
1102634611 M * JonB to linux
1102634622 M * flock no idea
1102634638 M * flock it's not scalable for smaller setups, like linux
1102634648 M * flock openvms is ran on grids and clusters, mostly
1102634717 M * flock the hobbyist is for people who own itanium/alpha/vax boxes and have nothing to do but read the tons of documentation it has;)
1102634733 M * JonB aha
1102634963 M * Bertl Doener: got any idea/solution to the vnet puzzle yet?
1102634993 M * Doener no, didn't find too much time for time... hope to continue with it in about an hour
1102635035 M * Bertl no need to hurry ... it's not a big issue for me right now ...
1102635477 Q * JonB Ping timeout: 480 seconds
1102636190 J * Zoiah Zoiah@matryoshka.zoiah.net