1108080423 M * micah any unification experts around?
1108080482 M * Bertl hmm?
1108080483 M * micah i have a reference server that has mysql, apache, php and postfix installed. I want to clone that to other vservers so I can manage all the individual vservers through unification from the reference
1108080503 M * micah but I have a mental block that is keeping me from understanding some key concepts :P
1108080524 M * Bertl any specific questions?
1108080545 M * micah yes, can you remove my mental block? :)
1108080551 M * micah two specific questions
1108080557 M * Bertl I hope so, next! ;)
1108080566 M * micah ;)
1108080614 M * micah The way I understood it was that I would run all of these daemons in the reference server
1108080632 M * micah and the clones would be using those same daemons in kernel space (to reduce overhead)
1108080644 M * micah except isolated
1108080653 M * Bertl unification is at file level, not process level
1108080720 M * micah right, so shared libraries, and files that are unified are using very little disk footprint
1108080737 M * micah but memory and CPU footprint is not "shared"?
1108080754 M * Bertl memory can be shared if the files are mapped ro
1108080769 M * micah I mean.. I thought that if glibc took up 5megabytes in 10 vservers shared it would only take up .5MB each
1108080778 Q * prae Quit: leaving
1108080778 M * micah reducing memory footprint
1108080789 M * Bertl yes, that is true for shared libs (which are mapped ro)
1108080795 M * micah aha! ok
1108080815 M * Bertl it is also true for executables which are unified (the code part)
1108080841 M * micah so.... when I do the unification it takes care of mapping shared libs ro and the executables?
1108080863 M * Bertl no, it doesn't change any properties of the libs/executables
1108080886 M * micah i guess what I am trying to ask is that if I have apache in 10 vservers, am I starting 10 different apaches and using 10x the amount of resources?
1108080902 M * Bertl basically yes
1108080926 M * micah Bertl: oh the properties of the libs/executables is dependent on those libs/executables, nothing I can do to make them behave that way?
1108080927 M * Bertl for apache, the shared part will be small ...
1108080994 M * Bertl ad properties, you could compile libraries different, but it doesn't make sense, as they are well defined ...
1108081033 M * micah I am trying to conceptualize the best setup for a LAMP machine for multiple non-profits that satisfies the criteria: as much isolation as possible with as minimal resource overhead as possible
1108081057 M * Bertl if you want to 'share' as much resources as possible, it's best to setup _one_ apache and use different virtual hosts (see apache config)
1108081103 M * Bertl if you want each party to administrate their own apache config, you have to start different apaches ...
1108081126 M * micah the options seem to be: 1. make a separate vservers with separate apaches/mysqls etc (completely isolated); 2. Setup an apache vserver that has virtual host configs and connects into other pieces (less isolation more resource sharing);
1108081149 M * Bertl yes, precisely ...
1108081173 M * Bertl of course you can have various 'mixed' setups ...
1108081211 M * Bertl for example, you could use a single apache, but have several vservers (or chroots) which allow sshd access to the dirs
1108081246 M * micah if I have a specific "apache" vserver, then I would probably have a specific mysql vserver, a specific postfix vserver.
1108081262 M * Bertl or you could make several vservers and distribute related pages on virtual hosts located at the same vserver
1108081304 M * Bertl micah: always depends on what you want to allow your 'clients' to do ...
1108081317 M * micah this isolates those services, which is good... but I am concerned about a user installing something bad like phpnuke and them getting compromised and it affecting others
1108081366 M * micah which means, all the virtual setups in the apache vserver are then compromised
1108081368 M * Bertl and another question is, about what number of isolated areas (vservers) are we talking here?
1108081423 M * micah well, I want to isolate individual users as much as possible so that they don't impact others, I don't think it would be more than 100
1108081471 M * Bertl what machine(s) do you want to use for that?
1108081506 M * micah what kind of hardware?
1108081509 M * Bertl yep
1108081515 M * micah it is a Xeon P4
1108081527 M * micah 2.7Ghz
1108081537 M * Bertl single CPU HT-Xeon P4
1108081543 M * micah yes
1108081547 M * micah with about 1 gig of memory I think
1108081585 M * Bertl okay, 100 vservers on that are overkill ...
1108081606 M * micah you mean the machine is too powerful, or 100 vservers is too much for that machine?
1108081620 M * Bertl 100 vservers is too much for that machine ...
1108081639 M * Bertl the memory footprint alone will take that machine into thrashing ...
1108081656 M * micah hmm
1108081672 M * Bertl (especially if you have apache postfix and mysql running)
1108081694 M * micah for each vserver, yes
1108081712 M * Bertl I would say it can handle about 20-30 vservers max (with 2.6 kernel)
1108081723 M * Bertl without impact on the usability ...
1108081725 M * micah 20-30 under load?
1108081746 M * Bertl under normal usage that is ...
1108081797 M * micah but can I setup vservers to act like a jail?
1108081808 M * micah well, yes of course I can
1108081812 M * Bertl sure ;)
1108081840 M * Bertl you can make 100+ sshd logins, which bounce the user into a separate context ...
1108081840 M * micah but without running individual processes in them
1108081873 M * Bertl the limit on such a machine (process wise) will be around 800-1000 processes
1108081945 A * micah tries to sort everything out
1108081948 M * Bertl a typical vserver (with apache, postfix and friends) will have about 50 processes running
1108081978 M * Bertl well, not running but started (and not processes but threads)
1108082017 M * micah I got my mysql/apache vserver down to 17 processes (including cron, syslog and a bash)
1108082033 M * micah but that has no postfix
1108082034 M * Bertl well, what happens if you serve pages?
1108082052 M * Bertl apache usually spawns worker threads and mysql does so too ...
1108082059 M * micah ah true
1108082085 M * Bertl but assumed you keep that at 17 .. 100*17 is still 1700 ;)
1108082095 M * micah yes I see
1108082114 M * micah I thought things were shared more than that
1108082139 M * micah let me see what the options are
1108082150 M * Bertl even if there was some kind of magic memory sharing, it would not buy you that much ...
1108082165 M * Bertl unless all your vserver serve the same pages ;)
1108082171 M * micah 1. Make separate vservers for software suites (such as a vserver for all the people who want drupal installed)
1108082207 M * micah 2. Put an arbitrary number of users into separate vservers (10 users in 1 vserver, then create another for the next 10)
1108082258 M * micah (trying to think of a third)
1108082328 M * Bertl 3. use a common/shared apache and mysql (if the users are somewhat trusted), but have separated dirs and config sections for each of them and a vserver jail for sshd/ftpd logon
1108082417 M * Bertl (you could move 'special' clients into their own vserver)
1108082439 M * micah 4. Variation on #1: Make a separate vserver for each software suite (drupal, moveable type, etc.) that is shared with everyone using that suite and each user has separated dirs and configs with a vserver jail for sshd/ftpd login
1108082461 M * micah (4 is sort of a hybrid of 1 and 3)
1108082499 M * Bertl IIRC you are doing that for some non profit organizations, right?
1108082520 M * micah yes, correct
1108082534 M * micah the users are trustable, but it is the people hacking into bad software that are not :)
1108082571 M * micah and most people will not do anything (I will handle it) or at the most only do scp/ftp
1108082658 M * Bertl okay, so IMHO the best approach would be to have a central shared apache and postgresql database in this case as well as a shared/central postfix with vmail config
1108082691 M * Bertl and separated access via ssh/ftp to the 'assigned' dirs ...
1108082729 M * Bertl you do not need separated ips for most of them either (at least IMHO)
1108082821 M * micah Bertl: but one thing I was hoping to solve with vservers was the rogue phpnuke
1108082846 M * micah or some other software that is not known to be so full of security holes, but happens to get one
1108082907 M * Bertl yes, I understand ... well, it might be interesting to mape a special php/cgi exec version which uses vserver contexts to run the stuff ...
1108082915 M * Bertl s/mape/make/
1108082926 M * micah it is not so much a problem that the users sshd are isolated (they either do not know unix or the permissions are set already so they cannot do anything, and they wouldn't try anyways)
1108083003 M * micah that was why I was thinking maybe making a shared apache/DB vserver for each "type" of software, so if phpnuke got compromised, it would only compromise the phpnuke vserver people
1108083017 M * Bertl yes, right ...
1108083033 M * micah and we would not have 200 different kinds of software :)
1108083057 M * Bertl makes sense ...
1108083067 M * micah but there is of course much more administrative overhead
1108083070 M * Bertl you could also isolate different services
1108083081 M * Bertl e.g. put postgresql in one vserver
1108083089 M * Bertl and the apache in another ...
1108083104 M * Bertl (which would keep the host safe)
1108083154 M * micah isn't that what I would be doing?
1108083181 M * Bertl yes, that was just agreement from my side ;)
1108083223 M * micah I was saying make a vserver called "phpnuke", inside is apache and mysql and phpnuke users. Another vserver might be called "moveable type" inside is apache, mysql and moveable type users.
1108083240 M * micah ohhh :) I thought maybe you were suggesting to fragment the vservers even more so that:
1108083285 M * micah I create an apache vserver called "phpnuke_apache" and a mysql vserver called "mysql_phpnuke" and then a vserver called "phpnuke" that had the files and those vservers were pulled together somehow
1108083293 M * micah that sounds very complex :)
1108083322 M * Bertl well, you can get away with _one_ mysql or postgresql server
1108083336 M * Bertl but different apache servers for example ...
1108083373 M * Bertl IMHO it won't buy you much to separate the database further ...
1108083408 M * micah yes, I agree
1108083499 M * micah so maybe I will make one mysql vserver that all the others communicate with
1108083524 M * micah and maybe one postfix vserver... hmm maybe I cannot do that
1108083591 M * Bertl I would prefer postgresql over mysql if you have several databases and apache/php clients ...
1108083591 M * micah because each individual vserver will need to be able to send mail somehow, but I guess that can be done without a full MTA installed
1108083622 M * micah Bertl: postgresql works better with vservers?
1108083673 M * Bertl well, IMHO it's more responsive when serving more than one client, and it is easier to secure ...
1108083690 M * Bertl (not vserver related)
1108084455 M * Zoiah micah: for the mail, nullmailer. :)
1108085220 M * micah Zoiah: nullmailer installed on each vserver which just sends its mail to the main postfix vserver?
1108090035 Q * Loki|muh Read error: Connection reset by peer
1108090268 J * Loki|muh loki@satanix.de
1108090812 N * Doener|zZz Doener
1108091122 M * Bertl morning Doener!
1108091922 M * Bertl Doener: sleep walking?
1108092527 M * Vantage Bertl: you wouldn't happen to still be around, would you?
1108092848 M * Bertl no, of course not ;)
1108092869 M * Bertl what's up?
1108092869 M * Vantage heh, sorry i had to take off earlier. was running late for a class
1108092920 M * Bertl teaching or listening?
1108092933 M * Vantage playing ;)
1108092951 M * Bertl hmm, theatre or music?
1108092956 M * Vantage it's an improv class.
1108092960 M * Vantage so theatre
1108092997 M * Bertl ah, something like: pretend to be an apple! ;)
1108093029 M * Vantage heh, nothing so esoteric. though I somehow did end up being a vat of grease for a period of time :)
1108093096 M * Vantage any chance you can finish walking me through the tests we were going through before?
1108093124 M * Bertl well, we were at the unmount and re-mount stage ...
1108093154 M * Vantage right. so I umount both and then remount both?
1108093199 M * Bertl yep, after that we check again with the vxid tool ...
1108093217 M * Bertl vxid -i /vservers/X{,/a,/b}
1108093238 M * Bertl (don't forget the tagctx/tgxid option for the mount)
1108093255 M * matti Uh ;]
1108093261 M * Vantage should it be -o tagctx,tgxid or just tagctx?
1108093265 M * matti Bertl: :-)
1108093294 M * Bertl either tagctx or tagxid (tgxid was a typo)
1108093301 M * Bertl matti: :]
1108093343 M * Vantage k
1108093353 M * Vantage xid= 200, flags=0x000000c8, /vservers/X
1108093358 M * Vantage xid= 100, flags=0x00000064, /vservers/X/a
1108093364 M * Vantage xid= 200, flags=0x000000c8, /vservers/X/b
1108093379 M * Bertl so everything works as expected ..
1108093395 M * Vantage sure :) (of course I have no idea what we just did) :)
1108093403 M * matti Bertl: Hm, did you ever use embedded board like Soekris/WRAP?
1108093520 M * Bertl well, like that, yes ...
1108093530 M * matti ;]
1108093542 M * matti Bertl: Which one?
1108093576 M * Bertl Vantage: so I'd say the strange behaviour you observed before (with changing context ids) was the result of a bad script maybe?
1108093636 M * Bertl matti: I developed for a special EX386 based board and the MOPSlcd3
1108093796 M * Vantage Bertl: wasn't using a script. just using
1108093801 M * Vantage find /var/lib/vservers/vserver1/ |xargs vxid -i -x 0 2>/dev/null
1108093814 M * matti Bertl: But you're not familiar with WRAP/Soekris in case of work for/at EX386, etc?
1108093825 M * matti Bertl: I need an opinion...
1108093831 M * matti ;]
1108093924 M * Bertl well, every embedded system is a world of its own ...
1108093948 M * Bertl Vantage: okay, so what happens when you start a vserver now?
1108093961 M * Vantage well if I run
1108093967 M * Vantage find /var/lib/vservers/vserver1/ |xargs vxid -i 2>/dev/null |grep -v "xid= 0" |wc
1108093970 M * Bertl (with static xid, I hope ;)
1108093979 M * Vantage i still get 106 non xid=0 entries
1108093994 M * Bertl okay, let's see some of them ...
1108093997 M * Vantage xid=44836,xid=60412
1108094003 M * Vantage xid=60412, flags=0x0000ebfc, /var/lib/vservers/vserver1/home
1108094016 M * Vantage xid=60412, flags=0x0000ebfc, /var/lib/vservers/vserver1/etc/exim4/conf.d/router/200_exim4-config_primary
1108094032 M * Vantage xid=44836, flags=0x0000af24, /var/lib/vservers/vserver1/etc/bash_completion
1108094056 M * Bertl hmm, could it be that those are symlinks?
1108094059 M * matti Hm... You're right as usual, but Soekris/WRAP are very common boards... Sorry for bothering you... :/
1108094076 M * matti :>
1108094105 M * Bertl as I said, no idea about those specific boards ...
1108094106 M * Vantage i'm guessing /etc/host.conf isn't a symlink ;)
1108094121 M * matti Bertl: :-)
1108094132 M * Bertl Vantage: okay, let's pick that one then and do an
1108094164 M * Bertl vxid -i /var/lib/vservers/vserver1/etc/host.conf
1108094199 M * Vantage xid=45097, flags=0x0000b029, /var/lib/vservers/vserver1/etc/host.conf
1108094222 M * Bertl what about the error messages?
1108094239 M * Vantage getxflg:: Inappropriate ioctl for device
1108094406 M * Bertl and when you do:
1108094418 M * Bertl vxid -i -x 0 /var/lib/vservers/vserver1/etc/host.conf
1108094425 M * Bertl vxid -i /var/lib/vservers/vserver1/etc/host.conf
1108094430 M * Bertl it shows?
1108094442 M * Vantage getxflg:: Inappropriate ioctl for device
1108094443 M * Vantage xid= 0, flags=0x00000000, /var/lib/vservers/vserver1/etc/host.conf
1108094458 M * Vantage getxflg:: Inappropriate ioctl for device
1108094458 M * Vantage xid= 0, flags=0x00000000, /var/lib/vservers/vserver1/etc/host.conf
1108094472 M * Vantage so it seems to work
1108094474 M * Vantage but
1108094487 M * Vantage if I then run
1108094506 M * Vantage find /var/lib/vservers/vserver1/ |xargs vxid -i -x 0 2>/dev/null
1108094511 M * Vantage it should change back for some reason...
1108094517 M * Vantage let's test it
1108094541 M * Vantage xid=45097, flags=0x0000b029, /var/lib/vservers/vserver1/etc/host.conf
1108094569 M * Bertl okay, let's try:
1108094587 M * Bertl find /var/lib/vservers/vserver1/ | xargs -n 1 vxid -i -x 0 2>/dev/null
1108094619 M * Bertl (maybe the vxid tool is just broken)
1108094681 M * Vantage that worked for all except
1108094687 M * Vantage xid=-1073762421, flags=0xbfffaf8b, /var/lib/vservers/vserver1/dev/reboot
1108094687 M * Vantage xid=-1073746845, flags=0xbfffec63, /var/lib/vservers/vserver1/etc/network/ifstate
1108094713 M * Bertl check what kind of inodes those are ...
1108094734 M * Vantage what does the -n 1 switch in xargs do?
1108094750 M * Vantage how do you check that?
1108094768 M * Bertl ls -la /var/lib/vservers/vserver1/dev/reboot /var/lib/vservers/vserver1/etc/network/ifstate
1108094795 M * Vantage srw------- 1 root root 0 2005-02-10 15:56 /var/lib/vservers/vserver1/dev/reboot
1108094819 M * Vantage lrwxrwxrwx 1 root root 11 2005-02-10 15:47 /var/lib/vservers/vserver1/etc/network/ifstate -> run/ifstate
1108094840 M * Bertl so one is a socket and the other a symlink
1108094860 M * Bertl (both cannot be changed with the 'old' api)
1108094865 M * Vantage so safe to ignore them, or should they be changed by hand?
1108094867 M * Vantage ah...
1108094895 M * Bertl just remove the symlink and recreate it
1108094911 M * Bertl (-n 1 btw does call the vxid with only one arg at a time)
1108094921 M * Vantage ah....
1108094930 M * Bertl the /dev/reboot is bogus anyway
1108094959 M * Vantage should the symlink be recreated from within the vserver or outside of it?
1108094972 M * Bertl from outside
1108094976 M * Bertl $ ls /dev/
1108094976 M * Bertl full log= null ptmx pts/ random tty urandom zero
1108095005 M * Bertl (just to give you an idea how a vserver /dev should look like ;)
1108095157 M * Vantage i think I know why the symlink didn't work
1108095335 M * Vantage it was a broken link
1108095388 M * Bertl doesn't matter, symlinks cannot be changed with the legacy api
1108095447 M * Vantage so should the xid be set to 0 or would it be more prudent to change it to something like 100?
1108095520 M * Bertl depends on what you want to account (and how you want it to be accounted)
1108095564 M * Bertl a) a file belonging to xid=0, will migrate to xid=100 on write (adding to the total amount of space used)
1108095571 M * Vantage the xid should be the same as the S_CONTEXT, right?
1108095595 M * Vantage oh, so would it be better to leave it all at 0 and let it migrate to 100 gradually?
1108095606 M * Bertl b) a file belonging to xid=0 is visible in every context, and doesn't account to the space when deleted
1108095640 M * Bertl c) unified (i.e. shared between contexts) files must belong to xid=0
1108095662 M * Vantage ah, that's very cool
1108095923 M * Vantage so even though the files are in the vserver1 folder, they're shared between contexts? so what happens when I make a new vserver? or they copied into that file as well?
1108095957 M * Bertl they are shared if you have unified them with others
1108095977 M * Bertl (unification is nothing done automatically yet)
1108095985 M * Vantage ah...
1108096652 M * Vantage so when playing around with cqdlim what's a good way to determine the number of inodes to assign?
1108096690 M * Bertl df -i
1108096762 M * Vantage well let's say I want to give them 200Megs of space. So I set that in blocks, but what would be an appropriate inode setting to go with that?
1108097004 M * Bertl well, let's assume you have one square mile space, how many people would you allow to visit your concert?
1108097054 M * Vantage point taken. so I guess we just make something up, eh? ;)
1108097086 M * Bertl reasonable amounts can be deduced from the 'current' usage
1108097130 M * Bertl find /path/to/vserver | wc
1108097154 M * Bertl you probably want to allow for at least twice as many
1108097164 M * Vantage good advice thanks.
1108097187 M * Vantage well, everything seems to be working just the way it should. thanks again for all your help. I really appreciate it.
1108097188 M * Bertl starting from the other end, you would not want to give more than total/#vservers to each
1108097213 M * Bertl good to hear, and you're welcome!
1108097563 Q * nox Ping timeout: 480 seconds
1108097574 J * nox ~nox@c135090.adsl.hansenet.de
1108098021 P * Vantage Kopete 0.9.1 : http://kopete.kde.org
1108101871 M * Bertl off to bed now ... night everyone!
1108101878 N * Bertl Bertl_zZ
1108105248 M * micah good night
1108105248 M * micah !
1108108807 J * Hollow ~bene@home.xnull.de
1108108826 J * prae ~prae@ezoffice.mandrakesoft.com
1108108965 Q * Hollow Remote host closed the connection
1108109004 J * Hollow ~Hollow@home.xnull.de
1108113527 J * rs rs@ice.aspic.com
1108113540 M * rs hi
1108114814 Q * Loki|muh Ping timeout: 480 seconds
1108114880 J * Loki|muh loki@satanix.de
1108118533 J * BWare ~bware@212.26.196.154
1108121750 J * mhepp ~mhepp@r72s22p13.home.nbox.cz
1108122616 Q * halorgium Ping timeout: 480 seconds
1108122996 J * halorgium tim@halorgium.net
1108124964 Q * mhepp Quit: mhepp caught signal: Autobus error
1108125831 J * ghulam_mustafa ~ghulam_19@66.198.90.129
1108126024 M * ghulam_mustafa hi all here
1108128055 M * ntrs Doener, are you around?
1108128064 M * Doener yep
1108128073 M * ntrs I am having a problem restarting a vserver
1108128096 J * witchdoc ~witchdoc@3ece4aae.datahighways.de
1108128099 M * witchdoc hi all
1108128122 M * ntrs # vserver blah start
1108128122 M * ntrs vsched: WARNING: the '--cpu_mask' parameter is deprecated and will not have any effect
1108128122 M * ntrs No command given; use '--help' for more information.
1108128122 M * ntrs An error occured while executing the vserver startup sequence; when
1108128122 M * ntrs there are no other messages, it is very likely that the init-script
1108128123 M * ntrs () failed.
1108128124 M * ntrs Common causes are:
1108128126 M * ntrs * /etc/rc.d/rc on Fedora Core 1 and RH9 fails always; the 'apt-rpm' build
1108128128 M * ntrs method knows how to deal with this, but on existing installations,
1108128130 M * ntrs appending 'true' to this file will help.
1108128132 M * ntrs Failed to start vserver 'blah'
1108128167 M * Doener how did you build the vserver?
1108128168 M * ntrs The server was running for quite some time and then I wanted to restart it and this happened.
1108128180 M * ntrs It's a template we use for a long time.
1108128201 M * ntrs It's a Debian Sarge vserver
1108128409 M * Doener seems the configuration got 'damaged'
1108128426 M * Doener could you make the output of "vserver --debug blah start" available?
1108128438 M * ntrs sure
1108128468 M * ntrs you want just the relevant part or the whole thing?
1108128544 Q * ghulam_mustafa Quit:
1108128934 Q * prae Quit: Client exiting
1108129123 M * witchdoc i use the alpha+utils with the 2.6.9-1.9.3 kernel and i want to know - how i start vserver automatically with the host-system?
1108130480 M * witchdoc i am reading the "flower" page, but i don't really find it
1108130538 M * Loki|muh look at /etc/init.d/vservers-default
1108130557 M * Loki|muh ## putting the flavor into /etc/vservers//apps/init/mark
1108130689 M * witchdoc *look* thanks Loki|muh
1108130694 M * Loki|muh :)
1108130761 J * prae ~prae@ezoffice.mandrakesoft.com
1108131043 M * witchdoc Loki|muh: do you know how i can use the fedora-guest image with the 2.6.9-1.9.3 vserver? (http://debian.marlow.dk/vserver/guest/) i got the same init error with these images
1108131070 M * Loki|muh sorry, I know nothing about fedora
1108131071 M * witchdoc i make a skeleton vserver and tar xvfj -C the image into it
1108131102 M * witchdoc me too, i use debian, but in a vserver :-) i can learn a little bit fedora
1108131137 M * witchdoc hmm maybe i try the other image
1108132205 J * pusling_ ~pusling@195.215.29.124
1108132219 Q * pusling Read error: Connection reset by peer
1108132220 A * TheSeer a fedora fan
1108132235 M * TheSeer that reminds me that i really have to write the fc2/fc3 howto
1108132256 M * TheSeer darn.. yet another point for my todo list of the weekend..
1108132266 M * TheSeer looks like i need a 5 day weekend this time *g*
1108132816 M * witchdoc hehe
1108133035 M * witchdoc time to say goodbye, end of the work day
1108133046 M * witchdoc cya
1108133054 Q * witchdoc Quit: bye und wech
1108133415 J * Tbery-NOTE ~tb@147.32.129.39
1108133441 M * Tbery-NOTE where are patch on 2.6.10??
1108133746 N * pusling_ pusling
1108133855 Q * ndim Ping timeout: 480 seconds
1108134079 J * ndim U2FsdGVkX1@helena.bawue.de
1108134241 M * Doener http://vserver.13thfloor.at/Experimental/RC-1.9.4/
1108134273 M * Doener guess you can use the rc4-rc5 delta to get a rc5 for 2.6.10
1108134943 Q * nox Quit: I shouldn't really be here - dircproxy 1.0.5
1108135012 J * nox ~nox@c135090.adsl.hansenet.de
1108135939 Q * stupidawy Quit: Caught signal 15, Terminated
1108136739 Q * pusling Read error: Connection reset by peer
1108136742 J * pusling_ ~pusling@195.215.29.124
1108137248 J * remedy ~remedy@office.softzone.com.ua
1108137253 M * remedy hello everyone!
1108137290 M * remedy as there seems to be no documentation covering my problem i've got a question. if anyone might get around to answering i would be very thankful
1108137412 M * remedy i am using the new configuration layout and i cannot get any vserver started. it bails out with Failed to start vserver 'vs0' after /usr/sbin/vserver vs0 start
1108137417 M * remedy is anyone alive?
1108137521 M * Loki|muh sure ;-)
1108137523 M * Loki|muh what means bails out?
1108137544 M * remedy means that it finishes working
1108137556 M * remedy like jumps out
1108137603 M * remedy do you by any chance know where the problem is?
1108137633 A * remedy hopes that assumptions like "in DNA" won't arise
1108137661 M * Loki|muh http://sial.org/pbot/ <-- paste there the output
1108137736 M * remedy there is no channel called "vserver" on the list
1108137753 M * Loki|muh choose channel (none) ;)
1108137791 M * remedy doon
1108137795 M * Loki|muh and paste the url in here which the server gave you back ;)
1108137815 M * remedy http://sial.org/pbot/7429
1108137844 M * remedy it seems to be so adamant to everything
1108137880 M * Loki|muh this other vserver starts correct?
1108137941 M * remedy well this is what i can get if i start it in the legacy mode. but in this case i won't be able to stop it
1108137951 M * Loki|muh ah ok
1108137978 M * remedy it would say chcontext: vc_new_s_context(): Operation not permitted
1108137990 M * Loki|muh yeah, I don't like that legacy stuff
1108137998 M * Loki|muh I had several problems with it, too
1108138016 M * Loki|muh mom
1108138018 M * remedy but the legacy mode is the only usable mode i've been able to start anything with so far
1108138047 M * Loki|muh try: vserver --debug vs0 start
1108138050 M * remedy without it i would get as far
1108138079 M * Loki|muh that will give more output
1108138139 M * remedy let me trace through what its given
1108138729 M * remedy well with --debug its much more fun
1108138734 M * remedy cheers for having shown me
1108138833 M * Loki|muh is there anything helpful?
1108138875 M * remedy well yeah i've gone thru much further than before
1108138933 M * remedy could you please tell me where /etc/vservers/vs0/run should point to?
1108138992 M * Loki|muh for me it is /usr/var/run/vservers/vs0
1108138994 M * Loki|muh this is a file
1108138998 N * Bertl_zZ Bertl
1108139008 M * Loki|muh the only content is the context-number
1108139011 M * Bertl morning folks!
1108139019 M * Loki|muh morning Bertl :)
1108139058 M * remedy /var/run/vservers/vs0.ctx? or just /var/run/vservers/vs0 ?
1108139099 M * Loki|muh the last
1108139188 M * remedy and what about run.rev?
1108139223 M * remedy wheww... thanks to you i am somewhere at the last stage
1108139237 M * remedy just tell me where run.rev should point to, please :)
1108139275 M * Loki|muh hmmm did you build your configuration with vserver build -m skeleton?
1108139304 M * Loki|muh it points to /etc/vservers/.defaults/run.rev
1108139323 M * remedy no, with vskel
1108139349 M * Loki|muh hmmm, vskel is part of the legacy tools?
1108139355 M * remedy i think so
1108139378 M * Loki|muh did you read http://linux-vserver.org/alpha+util-vserver?
1108139405 M * Bertl remedy: short question: what distro and what kernel version?
1108139421 M * remedy FC3
1108139488 M * remedy 2.6.9
1108139514 M * remedy and what do you have in /etc/vservers/.defaults/run.rev?
1108139622 M * Loki|muh Bertl: do you know why the latest util-vserver depends on vlan? Is this because of the ngn?
1108139622 Q * nox Remote host closed the connection
1108139622 J * nox ~nox@c135090.adsl.hansenet.de
1108139661 M * Tbery-NOTE where are tools ??
1108139666 M * Tbery-NOTE for debian??
1108139669 M * Bertl Loki|muh: AFAIK completely unrelated, just the tools are able to handle vlans too, so they depend on the setup tools for that
1108139676 M * Tbery-NOTE for 2.6.1??
1108139680 M * Tbery-NOTE for 2.6.10?
1108139701 M * Tbery-NOTE or sources..
1108139716 M * meebey ioctl(3, 0x5393, 0xbffffa20) = -1 EINVAL (Invalid argument)
1108139717 M * meebey write(2, ":-( unable to INQUIRY: ", 23:-( unable to INQUIRY: ) = 23
1108139717 M * meebey write(2, "Invalid argument\n", 17Invalid argument
1108139726 M * Bertl Tbery-NOTE: http://linux-vserver.org/alpha+util-vserver
1108139726 M * meebey hm
1108139728 M * no_maam meebey: bluetooth?
1108139738 M * meebey nope that dvd+rw-tools
1108139742 M * no_maam meebey: ok
1108139743 M * Bertl Tbery-NOTE: http://www-user.tu-chemnitz.de/~ensc/util-vserver/alpha/
1108139751 M * meebey I tried CAP_SYS_RAWIO and CAP_SYS_ADMIN
1108139770 M * Tbery-NOTE I need download it..
1108139774 M * Tbery-NOTE where are??
1108139777 M * Bertl meebey: it works at the host?
1108139813 M * Bertl Tbery-NOTE: (second link ;)
1108139830 M * meebey Bertl: eerr don't ask :-P
1108139839 M * meebey maybe I should enter a DVD or so, damnit
1108139848 M * Bertl good idea ;)
1108139922 M * rs re
1108139953 M * Bertl welcome rs!
1108139976 M * rs how are you ?
1108139993 M * Bertl fine, thanks! and you?
1108140014 M * rs not that bad :)
1108140062 M * rs I have a question for you
1108140082 M * rs is IPC shared mem virtualized ?
1108140130 M * remedy it says save_ctxinfo: symlink("/etc/vservers/vs0","/etc/vservers/vs0/run.rev/49163"): No such file or directory
1108140139 M * meebey server-8:/# dvd+rw-mediainfo /dev/scd0
1108140139 M * meebey INQUIRY: [RICOH ][DVD+RW MP5308D ][1.B2]
1108140139 M * meebey GET [CURRENT] CONFIGURATION:
1108140139 M * meebey :-( non-DVD media mounted, exiting...
1108140146 M * meebey fuck ide-scsi
1108140155 M * meebey fuck module autoloader, damnit
1108140172 M * remedy why on earth does /etc/vservers/vs0 have to point to /etc/vservers/vs0/run.rev/49163?
1108140177 M * Tbery-NOTE hecking for vconfig... no
1108140177 M * Tbery-NOTE configure: error: Can not find the 'vconfig' tool within '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/sbin:/usr/sbin:/usr/local/sbin'
1108140180 M * meebey it was just a linux problem not vserver related ;)
1108140192 M * Tbery-NOTE where can I download vconfig
1108140206 M * Tbery-NOTE for debian..
1108140249 M * rs Bertl: look at this:
1108140251 M * rs strace -Ff -e trace=ipc -s 100000 httpd
1108140256 M * rs semget(IPC_PRIVATE, 1, IPC_CREAT|0600) = -1 ENOSPC (No space left on device)
1108140274 M * rs ipcs report that all shared mem is empty
1108140290 M * Tbery-NOTE do you know??
1108140318 M * Bertl rs: hmm, ipcs?
1108140331 M * rs ipcs
1108140331 M * rs ------ Shared Memory Segments --------
1108140331 M * rs key shmid owner perms bytes nattch status
1108140331 M * rs ------ Semaphore Arrays --------
1108140331 M * rs key semid owner perms nsems
1108140333 M * rs ------ Message Queues --------
1108140336 M * rs key msqid owner perms used-bytes messages
1108140345 M * Bertl yes, that is the 'per vserver' list I guess, right?
1108140352 M * rs yeah
1108140362 M * Bertl well, there is a system wide limit for that
1108140370 M * rs hmm interesting
1108140379 M * Bertl so you are probably hitting that ...
1108140389 M * rs yeah, but is there a per vserver limit for that ?
1108140466 M * remedy DOOOON!!! 1108140469 M * remedy :)) 1108140474 M * remedy Cheers everybody! 1108140475 M * remedy :) 1108140483 M * Bertl rs: hmm, don't think so ... 1108140500 M * remedy i've got the whole bunch of problems brought off with your help :) 1108140533 M * rs Bertl: thus I guess we have a "security" issue there 1108140636 M * Bertl yeah, probably, but a very old one, right? 1108140670 M * Bertl (anyway, I guess they are accounted with the file descriptors) 1108140671 M * rs yeah 1108140700 M * Bertl but I'm completely for a new limit for them .. just needs testing ... 1108140713 M * Bertl remedy: hmm? 1108140740 M * rs Bertl: I'm ready for testing things :) 1108140755 M * remedy i've just adapted vskel.pl so that it creates configuration files for both the old and the new versions 1108140813 J * ntrs_ ~ntrs@Dardeene-68.188.50.87.charter-stl.com 1108140838 M * remedy just because i've got a neat skel and i do not want to remake it in no ways whatsoever 1108140986 Q * ntrs Read error: Operation timed out 1108141026 M * rs Bertl: to see all shared memory segments it should be in the context 0 not 1 right ? 1108141113 M * rs Bertl: you are accounting segments in with file handles but not segment size right ? 1108141127 M * Bertl remedy: sounds good! 1108141161 M * rs is the size of segments unlimited (read, only limited by the system) 1108141168 M * Bertl rs: context 1 should see all (if any) and yes, you are right! 1108141191 M * rs In my case, context 0 sees a lot of segments and context 1 sees none 1108141253 M * Bertl rs: maybe that's a bug ... 1108141268 M * remedy yeah it does. merely because it works :) 1108141270 M * rs hunting day :) 1108141272 M * remedy thanks guys 1108141301 M * Bertl you are testing with 1.9.4-rc5 I assume? *G* 1108141302 M * Doener evening folks!
1108141316 M * rs Bertl: no indeed not :) 1108141324 M * Doener Bertl: it's just been my bouncer that got disconnected and decided to change my nick ;) 1108141362 M * Bertl remedy: now that you know old and new style config and worked through the vskel stuff. maybe you want to write a perl conversion tool from old into new-style config? guess folks would love you for that? 1108141565 M * Bertl Doener: ahh, good ;) 1108141585 M * Bertl rs: so you want to hunt down some issues today? did I get that right? 1108141765 M * rs yeah why not :) 1108141779 M * rs is it safe to show /proc/sysvipc/* into vservers ? 1108141796 Q * remedy Quit: using sirc version 2.211+KSIRC/1.3.11 1108142005 M * Bertl rs: hmm .. pros/cons? 1108142028 M * rs I guess ipcs won't work if not shown 1108142056 M * rs but if shown, is the content virtualized? 1108142257 M * Bertl no idea, we'll have to check the source ... 1108142299 M * rs I just tested, it's virtualized 1108143252 M * Bertl okay, so what exactly do we want to account? 1108143560 M * rs I guess segment/allocated pages and total size ? 1108143636 M * rs maybe allocated pages isn't that important, total size is the most important as well as segments 1108143641 M * Bertl well, I guess we want to account all IPC stuff ... 1108143676 M * rs yeah, this was only for shared memory but messages and semaphore accounting would be nice too 1108144311 Q * rs Quit: leaving 1108144811 Q * prae Quit: Client exiting 1108144912 J * chrish01 ~chrish01@69.90.131.25 1108144925 M * Bertl welcome chrish01!
1108144930 M * chrish01 hi Bertl 1108145239 Q * Tbery-NOTE Quit: Ukončuji 1108145804 Q * BWare Ping timeout: 480 seconds 1108147351 Q * chrish01 Quit: chrish01 1108149049 J * juxt ~juxt@adsl-068-213-216-087.sip.bct.bellsouth.net 1108149062 M * juxt hello, i am considering installing vserver for the first time 1108149065 M * juxt i got some questions 1108149071 M * juxt that should help me better understand it 1108149092 M * juxt let's say i have 3 vservers and the main server is running postfix 1108149093 M * juxt for mail 1108149107 M * juxt do i have to install separate copies of postfix into the vservers? 1108149167 M * Bertl well, depends what you want to do? 1108149189 M * juxt i'd like to be able to store mail that is for domains that are say on vserver1 on their disk space 1108149207 M * juxt instead of storing that mail on the main accounts disk space 1108149236 M * Bertl something you can do without linux-vserver (i.e. use separate mail boxes, right?) 1108149245 M * juxt yes 1108149264 M * juxt generally i want vservers to "share" my postfix 1108149270 M * juxt instead of running separate copies 1108149299 M * Bertl you cannot 'share' a process, but you can share the functionality (if you deliver to vserver specific dirs) 1108149311 M * juxt ok 1108149334 M * juxt so generally a user with a vserver can have access to his maildirs within his vserver 1108149361 M * Bertl look, a linux-vserver consists of several parts ... 1108149373 M * Bertl first, a chroot() environment 1108149398 M * Bertl then a context which isolates it from the other context (including the host context) 1108149425 M * Bertl and in addition to that, a network binding, which restricts the available ips 1108149438 M * juxt i got the network and the chroot part 1108149450 M * juxt now the context idea is a bit blurry 1108149461 M * Bertl the context part is a 'chroot' for processes ... 1108149489 M * Bertl i.e.
processes inside context A will not see or be able to influence processes in context B 1108149528 M * juxt ok... fair 1108149539 M * juxt let me try this again... 1108149550 M * juxt say my host has apache installed and i want to give apache functionality to a vhost 1108149570 M * juxt can i simply configure a virtual host on apache and point the documentroot to a vhost directory? 1108149596 M * Bertl vhost = guest (i.e. virtual server ) 1108149633 M * Bertl yes, you can, but the guest will not have control over the apache in this setup ... 1108149641 M * juxt that's fine 1108149667 M * juxt so the apache installed on the main host will have no problem binding to the ip that is dedicated to a vhost? 1108149753 M * Bertl not unless somebody inside the guest has bound a http service too 1108149768 M * juxt ok cool 1108149773 M * juxt that makes sense 1108149796 M * juxt i am just trying to eliminate maintenance but also lock up my "friendly" users from each other 1108149833 M * juxt e.g. i have friends who have accounts on my system that are knowledgeable enough to be dangerous 1108149940 M * Bertl well, you should be aware that those 'friends' might be smart enough to use the apache on the host to execute arbitrary stuff on the host ... by putting special files inside the vserver 1108149983 M * Bertl (a solution with separate httpds would avoid such issues) 1108149998 M * juxt valid point 1108150054 M * juxt i wonder how do mass hosting companies do this 1108150059 M * juxt do they install separate httpds? 1108150070 M * Doener suexec 1108150073 M * Doener ;) 1108150085 M * Doener and no modules for php/perl/whatever 1108150092 M * juxt elaborate? 1108150127 M * Doener suexec switches the user/group for cgi execution 1108150154 M * Doener not a solution in the scenario Bertl describes, but quite fine for 'just web mass hosting' 1108150180 M * juxt how do apache modules work in such setup? 1108150180 M * Doener of course php's safe mode f.e.
is also worth considering 1108150199 M * Doener apache modules always run with the webservers user/group 1108150220 M * Doener thus i said no modules, that would allow arbitrary execution 1108150242 M * Doener dunno about perl for cgi script, probably that's not as limitable as php is 1108150243 M * juxt so installing php as a cgi would also allow suexec 1108150261 M * Doener yep, there's even a module to do that, mod_suexec 1108150271 M * Doener s/suexec/suphp/ 1108150305 M * Doener but as i said, not a solution for the vserver<->host scenario, execution would still happen in the host 1108150345 M * juxt this is quite tricky. hard to find a balance between security and scalability 1108150388 M * Bertl what nobody did yet .. but what I'd consider very useful is ... 1108150401 M * Doener some kind of suexecchcontext? 1108150403 M * Bertl to make a special apache module, which does the chroot/chcontext 1108150411 M * Bertl exactly! 1108150446 M * juxt well perhaps in my situation vserver isn't a solution, but what i need is just a very secure setup with suexecs and stuff 1108150450 M * Doener hm, could be possible at least for fastcgi stuff... 1108150493 M * juxt maybe LIDS 1108150622 M * Bertl juxt: how many 'friends' do you have? 1108150637 M * juxt right now 3 1108150740 M * juxt only 1 is really dangerous LOL 1108150775 M * Bertl what machine do you want to use for that? 1108150790 M * juxt it's a dual opteron box 1108150808 M * Bertl okay, put them in separate vservers, limit them and be done ... 1108150825 M * Bertl each one gets a separate apache/postfix/whatever ... 1108150892 M * Doener hm, only 3 friends, but a dual opteron box...
there's something wrong ;) 1108150926 M * juxt i inherited the box :-) 1108151226 Q * halorgium Remote host closed the connection 1108151242 M * Bertl companies like lycos put 30 and more such vservers on a similar machine, populated with 'potentially evil' customers ;) 1108151243 J * halorgium tim@halorgium.net 1108151425 M * Bertl Doener: okay, do you want to test anything regarding the changes we did, because if not, I'll start my release cycle (to get 1.9.4 out) 1108151504 M * Doener get it out :) 1108151810 M * Bertl yess sir! ;) 1108152203 Q * halorgium Remote host closed the connection 1108152210 J * halorgium tim@halorgium.net 1108154200 J * mhepp ~mhepp@r72s22p13.home.nbox.cz 1108154217 M * Bertl wb halorgium! mhepp! 1108154383 J * duckx ~Duck@dyn-83-157-155-9.ppp.tiscali.fr 1108154392 M * Bertl wb duckx! 1108154424 M * mhepp Ahoj everybody! 1108154536 J * stupidawy foo@you.wish.you.were.pimp.olicio.us 1108154568 M * Bertl wb stupidawy! 1108155656 P * juxt 1108156037 Q * mhepp Quit: mhepp caught signal: Autobus error 1108156493 J * Tbery ~tb@rt-pha-1.karneval.cz 1108156496 M * Tbery HI 1108156537 M * Bertl hey Tbery! 1108156544 M * Tbery all is ok.. 1108156547 M * Tbery 2.6.10 1108156569 M * Tbery vmachine runs well 1108156577 M * Bertl working for you? great! 1108157644 J * DuckMaster ~Duck@dyn-83-157-149-120.ppp.tiscali.fr 1108157859 Q * duckx Ping timeout: 480 seconds 1108157894 M * Tbery Yeah.. 1108158052 J * yarihm ~yarihm@217-162-112-120.dclient.hispeed.ch 1108158457 M * Bertl welcome yarihm! 1108159319 M * yarihm hi Bertl 1108159448 M * yarihm I'm glad to see that your project has a growing userbase. when I first entered this channel there were much fewer people here :) thanks for the good work, I use it daily. hope you have the time to keep it up 1108159630 M * Bertl thanks for the flowers! currently I have the time to continue with linux-vserver and I can say, fur sure it's fun, especially because of the userbase ... 
1108159642 M * Bertl s/fur/for/ 1108159707 M * Tbery http://147.32.129.104/quido/kernel/ 1108159717 M * Tbery virtual mirror/./ 1108159727 M * Tbery http://147.32.129.104/ 1108160689 Q * Tbery Quit: Ukončuji 1108160963 M * yarihm just felt like telling ... dunno why ,) 1108161070 M * Bertl it's good to get such feedback now and then ... 1108161180 M * yarihm sure 1108161224 M * yarihm I too tend to take it for granted what there is around for free, so it might not hurt to say "thank you" from time to time I guess ... 1108161253 M * yarihm by the way, do you work on vserver as a hobby or are you sponsored by someone? 1108161261 Q * halorgium Remote host closed the connection 1108161268 J * halorgium tim@halorgium.net 1108161288 Q * DuckMaster Ping timeout: 480 seconds 1108161313 M * Bertl it is my hobby, but fortunately some folks are 'sponsoring' development now and then ... so that I can focus on that (instead of doing other stuff to pay my bills ;) 1108162493 J * pusling ~pusling@195.215.29.124 1108162499 Q * pusling_ Read error: Connection reset by peer