1111105111 J * Tbery ~tb@84.242.127.4
1111105117 M * Tbery Hi
1111105153 M * Tbery have you any body here new deb for 204
1111105157 M * Tbery vservers?
1111105164 M * Tbery I have only for 196
1111105171 M * Tbery deb
1111105521 M * daniel_hozac unstable is supposed to have 0.30.204
1111105959 M * pusling experimental had 203 one week ago
1111106156 M * Tbery yes?
1111106165 M * Tbery I have troubles on 2.6.11 with mysql a postgresql
1111106931 N * Bertl_oO Bertl
1111106939 M * Bertl evening folks!
1111106945 M * Bertl Tbery: what issues?
1111106958 M * Doener wb Bertl
1111106962 M * Bertl thanks!
1111110649 J * chairuou ~chairuou@210.245.70.41
1111110685 M * Bertl welcome chairuou!
1111110761 M * Bertl Doener: what are your plans for tonight?
1111110787 M * Doener nothing yet
1111110803 M * Bertl interested in hacking a little more on ngnet?
1111110911 M * Doener hm, guess i'm not up for that tonight, already getting a little tired, would be too much for my brain to handle... if you got some idea to discuss/tell about i'm all ears, but i guess actual hacking is not a good idea
1111110948 M * Bertl okay, then maybe a brainstorming regarding disk I/O accounting?
1111110993 M * Doener ok
1111111042 M * Bertl recently I had a look at the memory mapping stuff ...
1111111079 M * Bertl and it occurred to me that 90% of the disk Reads are triggered by actual page-ins
1111111119 M * Bertl I also consider swapping the main source of unwanted I/O
1111111126 M * Doener yep
1111111158 M * Bertl all paging is now tightly tied to mm/vma structures as far as I could see
1111111172 M * Bertl so accounting them per context should not be hard ...
1111111237 M * Bertl was thinking about adding a counter to get_user_pages() for each type of fault/error
1111111275 M * Bertl that might already be sufficient for classifying a typical context
1111111276 M * Doener sounds reasonable...
1111111295 M * Bertl although it is not real I/O accounting ...
1111111335 M * Doener but could help to lower impact of swapping on other contexts, right?
1111111354 M * Bertl yes, that's the basic idea
1111111356 M * Doener i.e. we could give a penalty to a context that causes swapping
1111111371 M * Bertl I thought about generalizing the token buckets
1111111392 M * Bertl (and using a bunch of them for different classifications/penalties)
1111111505 M * Doener hm... what did you have in mind there?
1111111527 M * Bertl the basic idea is to synchronize those buckets
1111111538 M * Doener iow what's the gain compared to just removing tokens from the current bucket when we want to penalize a context
1111111569 M * Bertl so you lock down all of them ... and add a calculated amount each time a process is scheduled
1111111622 M * Bertl then the different operations like 'fork' or 'page-in' would drain from their individual bucket
1111111643 M * Bertl and could, if such a bucket is depleted, force a reschedule
1111111730 M * Bertl I think the buckets can provide valuable information if separated, a combined bucket will not have that information
1111111751 M * Doener right.
1111111775 M * Doener how much overhead would you expect such a solution to have?
1111111801 M * Bertl that's hard to tell, guess that will need some profiling ...
1111111814 M * Bertl but IMHO the scheduler stuff has the most overhead right now
1111111953 M * Bertl we did discuss the scheduler some time ago, and I think once the cpusets are solved (mainline wise) we can do better there with 'smarter' queues
1111111965 M * Bertl (we being Sam and myself here)
1111111991 M * Doener yeah, i tried to read that discussion several times, got disrupted each time :/
1111112020 M * Doener s/disrupted/interrupted/
1111112032 M * Bertl but back to I/O stuff ... maybe the io-schedulers could be used for accounting?
1111112066 M * Bertl * This is the per-process anticipatory I/O scheduler state.
1111112075 M * Bertl include/linux/blkdev.h
1111112097 M * Bertl so I deduce that the schedulers have per-process structures ;)
1111112140 M * Doener sounds good... hooking into the i/o schedulers should also help giving priorities to i/o requests from different contexts
1111112160 M * Bertl precisely!
1111112196 M * Bertl but I haven't found the location where those per-process structures are allocated
1111112500 J * tad ~tad@h000f3d19edcc.ne.client2.attbi.com
1111112577 M * Bertl welcome tad!
1111112640 M * tad Hi Bertl hope all is well
1111112652 M * Bertl yep, everything fine so far, and for you?
1111112653 M * jd86 Bertl: how do i list all of the vservers on the system so the user can choose to start one?
1111112687 M * Doener new or old configuration style?
1111112687 M * tad Very well thank you.
1111112694 M * Bertl jd86: hmm, maybe ls -d /etc/vservers/*
1111112709 M * Doener hm, my connection seems pretty laggy...
1111112721 M * Doener 03:24:50 tad Very well thank you.
1111112722 M * Doener 03:24:56 Bertl jd86: hmm, maybe ls -d /etc/vservers/*
1111112730 M * jd86 :)
1111112765 M * Bertl Doener: no, that's me lagging behind ;)
1111112789 M * Bertl drive_stat_acct() looks interesting ...
1111112895 M * jd86 Bertl: how do i check if they are running?
1111112924 M * Bertl if their context (xid) is present in /proc/virtual/* they are running
1111112937 M * Bertl (you can also look for the reverse entry in /var/run/*
1111112954 M * jd86 ok
1111112976 M * jd86 is there a way of listing the name for a context?
1111112979 M * jd86 some program do that?
1111112998 M * Bertl it is part of the utsname settings present in /proc/virtual
1111113017 M * Doener Bertl: the io context is allocated in get_io_context()
1111113050 M * Doener in drivers/block/ll_rr_blk.c
1111113138 M * Doener s/rr/rw/
1111113157 M * Bertl yeah, thanks, I'm using cscope ;)
1111113189 M * Doener me too ;)
1111113207 A * Doener .oO( hmm... Bertl told me about cscope back then... )
1111113264 M * Bertl ah, btw, I still have an annoying cscope/vim issue, you are not by any chance using it from/with vim?
1111113278 M * Bertl (only one so issue ;)
1111113298 M * Doener vim is the only editor on my box ;) so yes, i use it with/from vim
1111113309 M * Bertl excellent, hehe ;)
1111113340 M * Bertl okay, if I move over request (for example) on drive_stat_acct()
1111113362 M * Bertl and press CTRL-] (to look that up)
1111113385 M * Doener you get thousands of hits
1111113387 M * Bertl then I get a horizontal split with 3 lines
1111113397 M * Bertl saying: 1 38
1111113406 M * Bertl Hit ENTER or type command to continue
1111113412 M * Bertl pressing enter shows me
1111113421 M * Bertl 2 225
1111113432 M * Bertl which doesn't really help in locating the right one ;)
1111113444 M * Doener ah, that's nice indeed :)
1111113452 M * Bertl is that something which just happens here?
1111113539 M * Bertl CTRL-\s works fine for example ...
1111113557 M * Doener sometimes i have it start asking me to scroll right from the start, but the split always gets up to 100% cscope if it's needed
1111113567 M * Doener what about ^\g ?
1111113603 M * Bertl yes, works too .. just CTRL-] seems not to work ;)
1111113617 M * Bertl or at least not as I expect it to work ...
1111113623 M * Bertl but it works sometimes ;)
1111113683 M * Doener hm, what's your mapping for ^] ?
1111113773 M * Bertl should be the default ctag mapping
1111113801 M * Bertl sec
1111113831 M * Bertl yeah, as I thought, no special/additional mapping
1111113888 M * Doener hm, try this one: map g :cs find 1 =expand("")
1111114007 M * Bertl hmm, no effect ...
1111114071 M * Bertl ah, well, I can live with the C-\ and C-@ macros ...
1111114323 M * Bertl so back to the I/O requests ... do you think that a request might exist 'long' after the process died?
1111114383 M * Doener hm, i'd expect the request to be trashed...
1111114417 M * Bertl tsk->io_context should be removed with task termination I guess
1111114456 M * Bertl ah, yes
1111114457 M * Bertl void exit_io_context(void)
1111114464 M * Bertl /* Called by the exitting task */
1111114545 M * Bertl so it might be acceptable to add a ref to the vxi there ...
1111114879 M * Bertl okay, Doener, guess you are ready for bed now ... I'll try to implement something like that, and tomorrow we'll see if that gives useful data/works ;)
1111114910 M * Doener yep, guess you're right, my answering-speed is below zero ;)
1111114925 M * Doener good night and good luck!
1111114930 N * Doener Doener_zZz
1111114933 M * Bertl thanks, sweet dreams!
1111117782 M * tad Anyone want to help with some alpha utils questions?
1111117790 Q * lilo Read error: Operation timed out
1111117843 M * Bertl tad: sure, always ;)
1111117883 M * Bertl just ask, don't ask for permission to ask ;)
1111117890 M * tad I'm trying to understand the vcopy and vunify utilities.
1111117914 M * tad I have a server set up roughly the way I want and would like to use it as the reference
1111117937 M * tad When I tried a straight vcopy of it, lots of stuff went missing (passwd files etc)
1111117953 M * tad When I tried the --strict option, other oddments occurred.
1111117962 M * Bertl vcopy or vserver-copy?
1111117970 M * tad What is the general approach to copying a (modified) reference server?
1111117984 M * tad vcopy
1111118032 M * Bertl # vcopy
1111118032 M * Bertl /bin/sh: vcopy: not found
1111118037 M * Bertl where is that from?
1111118051 M * tad Sorry - it's really /usr/lib/util-vserver/vcopy
1111118066 M * Bertl ah ... so internal tools ... k
1111118080 M * tad Ah --- shouldn't be looking there eh?
1111118095 M * Bertl no problem with that, just didn't even know it existed ;)
1111118133 M * tad I suspect it isn't really supposed to be used, given that it doesn't have hooks into the overall vserver utility
1111118186 M * tad Is it sufficient for me to just do a filesystem cp of the relevant dirs from the host, then change
1111118198 M * Bertl I guess it's utilized by vserver copy ... (now or in the future)
1111118213 M * tad ip's etc for the newly copied server, possibly unifying it after the fact?
1111118294 M * Bertl well, cp -va is probably a good start, then unify it with the template ...
1111118329 M * Bertl maybe cp -xa to keep on one filesystem
1111118333 M * tad OK - I'll poke at that for a while (tomorrow probably - it's getting late here...)
1111118337 M * tad Thanks!
1111118351 M * Bertl k, have a good night then!
1111118446 J * lilo ~lilo@lilo.usercloak.oftc.net
1111118463 M * Bertl wb lilo!
1111118753 Q * tad Remote host closed the connection
1111119218 J * lilo_ ~lilo@lilo.usercloak.oftc.net
1111119307 Q * lilo Ping timeout: 480 seconds
1111119421 Q * Seraph Remote host closed the connection
1111119445 J * Seraph kk@projects.verfaction.de
1111121251 J * nox- ~nox@213.39.192.146
1111121573 Q * nox Ping timeout: 480 seconds
1111121606 N * nox- nox
1111122563 M * ciphernaut is there a diagram that shows how netfilter/ip tables works with nat filtering and vservers?
1111122616 M * Bertl hmm, basically the same as without ...
1111122623 M * ciphernaut something along the lines of http://coombs.anu.edu.au/~avalon/ipfil-flow.html ...
1111122731 M * Bertl you are looking for something describing linux kernel iptables filtering?
1111122760 M * ciphernaut im trying to figure out the best way to share a mysql server between vservers, and protect it from the outside world
1111122866 M * ciphernaut atm i have a table per vserver and access based on user/ip address as per the alias
1111122907 M * Bertl http://www.csh.rit.edu/~mattw/proj/nf/
1111122946 M * Bertl (probably the closest to the ipfilter flow)
1111122955 M * ciphernaut cool, thanks bertl
1111122982 M * Bertl but basically I would assign a private network 10.0.1.x for example for the mysql 'networkÄ
1111122987 M * Bertl *network'
1111123010 M * Bertl and then block any incoming/outgoing packets for that network
1111123048 M * Bertl the communication between the vservers will be local traffic, so it can be permitted easily
1111123174 M * ciphernaut so build the vserver with --interface eth0:__real_ip_addr__ --interface dummy0:10.0.1.x ?
1111123204 M * Bertl if you like dummy, then yes ...
1111123232 M * Bertl it will use lo anyways (as it is local traffic)
1111123267 Q * erwan_taf Ping timeout: 480 seconds
1111124041 J * DuckMaster ~Duck@dyn-83-157-148-124.ppp.tiscali.fr
1111124459 Q * duckx Ping timeout: 480 seconds
1111125660 Q * Tbery Read error: Connection reset by peer
1111125671 J * erwan_taf ~erwan@81.80.43.68
1111126390 M * DaPhreak|off Bertl: ?
1111126402 N * DaPhreak|off DaPhreak
1111126441 M * Bertl yep?
1111126551 M * DaPhreak morning ;)
1111126566 M * Bertl yeah, good morning to you too ;)
1111126600 M * DaPhreak you've got a strange day/night rhythm :) well the question is, if i am able to get screen working in a vserver ... since it is looking for /dev/pts/1
1111126667 M * Bertl well, are you sure that you are _in_ the vserver, and not just entered from the host?
1111126692 M * Bertl because if you just entered, then the /dev/pts is still outside ;)
1111126719 M * DaPhreak ah .. yeah i entered from the host :) you're right ...
1111126733 M * DaPhreak i gonna try this in the evening
1111126773 M * Bertl if you want to have a screen anyway, you have to start it _before_ entering the vserver ...
1111126833 M * DaPhreak via vserver name exec ...
1111126867 M * Bertl no, via screen ;)
1111126890 M * DaPhreak ah, yeah :) and entering in the screen :)
1111126930 M * Bertl precisely
1111127402 M * Bertl okay, I'm off to bed for now ... back later ...
1111127417 N * Bertl Bertl_zZ
1111128149 M * ciphernaut have a good weekend all
1111128212 N * ciphernaut ciphernaut_zz
1111128256 J * anonc ~nwalsh@shaggy.internode.com.au
1111128900 M * anonc q
1111128902 M * anonc \quit
1111128903 Q * anonc Remote host closed the connection
1111130358 Q * DukeGangsta|aw Quit: ( www.nnscript.de :: NoNameScript 3.81 :: www.XLhost.de )
1111131418 J * Pazzo ~thomas@adsl136-175.aknet.it
1111132387 J * erwan_ho ~erwan@lns-vlq-39f-81-56-133-136.adsl.proxad.net
1111132498 Q * erwan_ho Remote host closed the connection
1111136746 Q * meebey Remote host closed the connection
1111138041 M * rs hi there
1111139051 M * Pazzo hi rs!
1111139249 Q * chairuou Quit:
1111140814 J * meebey meebey@meebey.net
1111141716 M * Vudumen hi
1111145862 Q * miller7 Ping timeout: 480 seconds
1111147603 N * Doener_zZz Doener
1111147610 M * Doener morning!
1111147802 M * DaCa morning doener
1111147907 M * DaPhreak morning Doener, DaCa
1111148256 M * Pazzo moin doener, all
1111148736 M * ndim Hmm. Is there anybody using a vserver setup with SELinux MAC?
1111150376 Q * lilo_ Quit: brb
1111150746 J * lilo ~lilo@lilo.usercloak.oftc.net
1111153088 J * prae ~prae@134.106-14-84.ripe.coltfrance.com
1111153430 N * BobR_oO BobR
1111153838 N * BobR BobR_afk
1111154212 J * miller7 ~none@adsl49-static-gw1.access.acn.gr
1111154343 Q * Radiance Remote host closed the connection
1111154445 J * Radiance kryptonite@wrath.shellfx.net
1111154615 Q * Radiance Remote host closed the connection
1111154664 J * Radiance kryptonite@wrath.shellfx.net
1111154680 Q * Radiance Remote host closed the connection
1111154995 J * Radiance kryptonite@wrath.shellfx.net
1111155035 J * tad ~newbie@static-151-204-232-50.bos.east.verizon.net
1111155131 Q * tad Quit:
1111155154 J * tad ~truex@static-151-204-232-50.bos.east.verizon.net
1111160216 N * BobR_afk BobR
1111161932 Q * Pazzo Quit: Download Gaim: http://gaim.sourceforge.net/
1111163060 N * BobR BobR_oO
1111163528 N * Bertl_zZ Bertl
1111163549 M * Bertl evening folks!
1111163885 M * SiD3WiNDR heya Bertl
1111163888 M * SiD3WiNDR did you just wake up? :
1111163888 M * SiD3WiNDR :)
1111164070 M * Bertl yep, about 20 minutes ago ;)
1111164073 M * Zoiah SiD3WiNDR: you really show up everywhere, don't you? :)
1111164079 M * SiD3WiNDR lol.
1111164090 M * SiD3WiNDR I've been here for quite a while ;)
1111164103 M * SiD3WiNDR Zoiah: are you a LIR?:p
1111164138 M * Zoiah SiD3WiNDR: nah.
1111164141 M * Zoiah SiD3WiNDR: I don't have LIR money. :)
1111164153 M * SiD3WiNDR do you know a LIR who could get me an ASN :p
1111164171 M * Zoiah That's quite off-topic here.
1111164175 M * SiD3WiNDR true :p
1111167346 Q * Vudumen Read error: Connection reset by peer
1111167881 Q * erwan_taf Remote host closed the connection
1111168204 J * monrad ~monrad@213083190130.sonofon.dk
1111170009 J * duckx ~Duck@dyn-83-157-148-124.ppp.tiscali.fr
1111170021 Q * DuckMaster Ping timeout: 480 seconds
1111170071 M * Bertl okay, folks .. off for now .. back later ...
1111170081 N * Bertl Bertl_oO
1111171181 Q * prae Quit: Client exiting
1111172909 J * erwan_ho ~erwan@lns-vlq-39f-81-56-133-136.adsl.proxad.net
1111173398 Q * erwan_ho Remote host closed the connection
1111173682 J * erwan_ho ~erwan@lns-vlq-39f-81-56-133-136.adsl.proxad.net
1111174190 N * Snow-Man_ Snow-Man
1111174870 J * samuel ~samuel@levinux.UQAR.UQUEBEC.CA
1111174885 M * samuel hi
1111175082 M * samuel i need a production system using vserver this summer
1111175090 M * samuel i've already used the vserver system on gentoo
1111175239 M * samuel should I use the 1.9 or 1.2 series
1111175293 Q * erwan_ho Read error: Operation timed out
1111175673 J * erwan_ho ~erwan@lns-vlq-39f-81-56-133-136.adsl.proxad.net
1111175894 A * samuel is away: (Auto-Away after 10 mins) [BX-MsgLog On]
1111176187 J * aba ~aba@sol.turmzimmer.net
1111176409 M * micah samuel: use 1.9
1111177082 Q * erwan_ho Remote host closed the connection
1111177265 M * samuel micah: ok, can I ask why?
1111177279 M * samuel i've seen a lot more features in 1.9
1111177304 M * samuel but, it's ok for production (i know it's under dev. but..)
1111177310 M * micah samuel: although 1.9 is labeled "development" it's really stable and is much easier to use than 1.2
1111177317 M * samuel is there any road map?
1111177326 M * samuel micah: nice
1111178915 Q * ndim Ping timeout: 480 seconds
1111179210 J * ndim hun@helena.bawue.de
1111180211 J * Vudumen vudumen@perverz.hu
1111180227 M * Vudumen re
1111180898 Q * tad Remote host closed the connection
1111182332 Q * samuel Quit: BitchX-1.1-final -- just do it.
1111183214 J * alex234 new@p548C9C0D.dip.t-dialin.net
1111183390 P * alex234
1111185033 Q * jd86 Read error: Connection reset by peer
1111185934 N * Bertl_oO Bertl
1111185944 M * Bertl evening folks!
1111186486 M * Vudumen hello Bertl
1111186521 M * Bertl hey Vudumen! everything fine?
1111187884 J * yarihm ~yarihm@217-162-204-144.dclient.hispeed.ch
1111187912 M * Bertl welcome yarihm!
1111188035 M * yarihm yo Bertl, sup?
1111188062 M * Bertl nothing unusual, working on new features today ;)
1111188091 M * Doener evening!
1111188099 M * Bertl evening Doener!
1111188219 M * yarihm Bertl: nice to hear ... :)
1111188242 M * Bertl btw, any features you are missing in linux-vserver?
1111188346 M * Bertl Doener: first try http://vserver.13thfloor.at/Experimental/FOR-1.9.6/delta-blkio-feat01.diff
1111188615 M * Vudumen Bertl: thanks
1111188624 M * Vudumen i'm a bit tired but everything is fine :)
1111188642 M * Vudumen Bertl: i was wondering about testing the new networking code
1111188652 M * Vudumen is it supported by util-vserver 0.30.203?
1111188661 M * Bertl yes and no ;)
1111188680 M * Bertl basically ngnet requires you to do some things via helper scripts
1111188694 M * Bertl and the other half of the setup from inside the context
1111188703 M * Vudumen hmm, am i right if i say that with the new code it's possible to use iptables inside the VPSes?
1111188726 M * Bertl it _will_ be possible, it is not possible right now
1111188731 M * Vudumen okay :)
1111188771 M * Bertl but I'm not very worried about the iptables stuff, it will fit in nicely
1111188884 M * Vudumen what will happen if i use vserver + grsec and in a VPS a malicious user (or the root of the VPS) uses his root privileges to access kernel-memory to hack the host system?
1111188938 M * Bertl I don't know what role the grsec plays here, but on normal linux-vserver the root user in a guest will not have access to the kernel memory ;)
1111188945 M * Doener root inside the vserver shouldn't have the apropriate caps
1111188958 M * Doener s/apropriate/required/
1111188975 M * Vudumen fine :)
1111188990 M * Vudumen sorry for these silly questions but i'm new in these VPS technologies :)
1111189006 M * Doener no problem, see topic ;)
1111189006 M * Bertl np, we are too ;)
1111189017 M * Vudumen Bertl: I don't think :)
1111189056 M * yarihm Bertl: you mean features I personally am missing?
1111189079 M * Bertl Vudumen: well, it's all relative, I remember the job descriptions around 2000 which required at least 10 years of Java experience ;)
1111189096 M * Bertl yarihm: yes, something you would like to see there ...
1111189155 M * Vudumen Bertl: here most job descriptions require java, asp.net, c#, unix/linux/bsd knowledge, c, c++, windows, osx, etc. they want to work with gods :)
1111189176 M * Vudumen ohh i forgot php :)
1111189182 M * yarihm Bertl: well, there is everything it seems ... hmm ... quotas (never set them up, but i know that would work) ... probably more a scheduler-thing, but something like hardlimits on certain resources would be nice (or does that already exist?) say hardlimit on memory used by a vserver, or CPU-time?
1111189247 M * Doener Vudumen: hm, no perl? or maybe befunge or brainfuck?
1111189277 M * yarihm what's this with this brainfuck language ... is that just a joke or is there really something like brainfuck?
1111189282 M * Bertl yarihm: yep we have that, not cpu time but cpu usage (per time unit)
1111189285 M * Vudumen Doener: they like php more than perl... perl is required just sometimes
1111189296 M * Doener yarihm: http://www.muppetlabs.com/~breadbox/bf/
1111189313 M * Bertl yarihm: there are better languages than BF, see Ook! for example ;)
1111189345 M * Doener there was some language that started like 'Mar...'something... that was completely insane
1111189433 M * Doener ah, malbolge...
1111189435 M * Doener http://www.acooke.org/andrew/writing/malbolge.html
1111189457 M * Vudumen Bertl: how will the new networking code work? on the host side do i have to define aliases for the ips used in the VPSes or something else?
1111189465 M * yarihm Bertl: well, it's rather nice then ... i prefer it much over freebsd's jail-implementation which has more limits and handling is harder ... the only drawback is that vserver is for linux which turns out to have so many holes in the kernel I could cry ... using linux has a strange taste nowadays, the security-concept being more of "we do everything (GRSec/RSBAC) to make sure those insecure services we have to run won't do havoc on our sy
1111189466 M * yarihm stems" ... but hey, that's not you guys' fault and applies to the BSDs as well (just that they have a more "reliable" kernel in these terms) ...
1111189469 M * Doener notice the nice comment for the hello world program: it's not perfect - i ignored case to make the problem simpler (completion left as an exercise for the reader - it should be _possible_).
1111189521 M * Bertl Vudumen: no, basically every guest and the host has separate interfaces
1111189543 M * yarihm but given that vserver is for linux, it is the best implementation of this "jailing" thing i've ever seen ... i'll have a look at xen soon, but i feel it's overkill for my needs to run multiple kernels even if they are close to native speed. vserver has no performance hit, that's very very cool, and maintainability of the vservers is great too ...
1111189544 M * Vudumen so i have to route on the host system?
1111189557 M * yarihm i mean it's not for nothing solaris copies it with their zones ...
1111189568 M * Bertl Vudumen: the host creates the interfaces for the guests and allows certain 'bindings' (or packets) to pass to and from ...
1111189611 M * Vudumen fine :)
1111189614 M * Bertl yarihm: thanks for the flowers, you truly seem to be a 'happy vserver user' ...
1111189648 M * Bertl (btw, did you add yourself to the wiki page listing those?)
1111189668 M * Bertl it's not required, just if you like to ;)
1111189865 M * yarihm Bertl: well, it's just better than any other similar implementation i've yet seen ... ok, i've worked a bit with Solaris' Zones and FreeBSD's jails ... UML too ...
1111189888 M * yarihm Bertl: just one thing i'm wondering if you are around right now ...
1111189906 M * yarihm (BTW, i'll add myself to your happy users of course)
1111189942 M * Bertl yeah, what are you wondering about?
1111189946 M * yarihm if sec-holes in the kernel are discovered, as so often lately, are malicious users contained in a vserver able to exploit those?
1111189980 M * Bertl it really depends, and I guess we have to differentiate between different cases ...
1111189999 M * Bertl first, there is the typical local root exploit
1111190032 M * Bertl you trick the system into executing non privileged code in a privileged context
1111190044 M * Bertl this falls into two categories:
1111190057 M * Bertl - buffer exploits and stack under/over runs
1111190075 M * Bertl - manipulation of binaries and/or system calls
1111190079 M * matti ;]
1111190095 M * yarihm matti: that's not funny dude :)
1111190112 M * Bertl both of them usually end up either with guest root, or not working at all
1111190122 M * Bertl evening matti `:]
1111190151 M * Bertl why? simply because each process is tagged (context xid)
1111190182 M * matti Evening Bertl ;]
1111190185 M * Bertl and this tagging can not easily be removed (at least not with the typical exploits)
1111190199 M * matti yarihm: I am the "always flat-smile dude" ;]
1111190208 M * matti yarihm: :]
1111190218 M * yarihm yeah, that makes sense ... but I'd say those aren't attacks on "kernel" level, they normally are flaws in daemons, no? i mean vserver can't protect anyone against lame wu-ftpd or whatsoever
1111190228 M * yarihm matti: i see :)
1111190233 M * Bertl then there is the kernel manipulation exploit, which uses some way to modify kernel structures
1111190238 M * matti yarihm: :]
1111190249 M * Bertl those again fall into two categories:
1111190273 M * Bertl - the exploits using existing (yet undisclosed) holes
1111190295 M * Bertl - exploits loading modules and/or libraries
1111190341 M * Bertl the former usually fail (if not especially targeted on linux-vserver kernels, just because several structures are quite different to the mainline structures)
1111190366 M * Bertl and the latter do not work at all (from the guest) because module loading doesn't work inside