1113525731 J * DaemonDazz ~darryl@jet.pineview.net
1113525758 M * DaemonDazz hey peepz
1113525769 M * DaemonDazz is anyone running a gentoo guest on a RH based host?
1113526141 A * DaCa uploads http://vserver.limehouse.org/patch-2.6.11.7-grsec2.1.5-vs2.0pre1.diff.bz2
1113527628 J * ciphernaut ~a@61.88.18.130
1113527971 Q * grecea Ping timeout: 480 seconds
1113529178 J * Nik ~Nik@cable-153-130.online.bg
1113529661 Q * Nik Ping timeout: 480 seconds
1113533687 Q * MrX Read error: Connection reset by peer
1113536384 J * Nik ~Nik@cable-153-130.online.bg
1113536866 Q * Nik Ping timeout: 480 seconds
1113537207 J * flock ~restless@l192-117-111-12.broadband.actcom.net.il
1113538438 J * alex234 new@p548C905E.dip.t-dialin.net
1113539716 Q * alex234 Quit: Leaving
1113540487 Q * itamarjp Quit:
1113541386 M * DaPhreak DaCa: which grsec subversion did you use ?
1113544507 J * grecea ~grecea@h-195-22-237-74.mdl.net
1113547039 J * erwan_ho ~erwan@lns-vlq-39f-81-56-133-136.adsl.proxad.net
1113548348 M * gregster morning
1113549282 Q * ciphernaut Quit:
1113549320 Q * erwan_ho Remote host closed the connection
1113549445 M * SiD3WiNDR morning
1113550304 M * DaemonDazz evening
1113552035 M * SiD3WiNDR I wish :p
1113553312 J * prae ~prae@134.106-14-84.ripe.coltfrance.com
1113553314 J * pusling ~pusling@195.215.29.124
1113553507 Q * pusling Quit:
1113553624 J * pusling ~pusling@195.215.29.124
1113553988 Q * pusling Quit: leaving
1113554780 J * pusling ~pusling@195.215.29.124
1113556929 N * Bertl_zZ Bertl_oO
1113557862 M * prae DaPhreak: here, my dear ? :)
1113558911 J * SNy ~mfr@bmx-chemnitz.de
1113558917 M * SNy hey guys
1113558948 M * SNy I just yesterday encountered some very weird behaviour with a linux vserver
1113558967 M * SNy it runs a gld (greylisting daemon)
1113558973 M * SNy for which an exploit exists
1113558985 M * SNy the gld was configured to only bind to loopback
1113559001 M * SNy however, the exploit was working not only from localhost
1113559007 M * SNy but from remote site as well
1113559050 M * SNy I just tested a bit with a very simple tcp server/client
1113559090 M * SNy and whether or not I bind to INADDR_LOOPBACK or _ANY, it doesn't actually restrict it to loopback
1113559099 M * SNy is this a known problem?
1113559893 M * SiD3WiNDR inside a vserver there is no loopback
1113559918 M * SiD3WiNDR perhaps unless you use ngnet
1113559919 M * SiD3WiNDR bbl
1113560158 M * DaCa DaPhreak: the released one: 200504111924
1113560297 M * DaCa DaPhreak: 2.6 patch only compile-tested for the moment. my 2.4 patch otoh is in use in production.
1113561210 M * DaPhreak yeah, same was here (my previous patches against grsec-2.1.4)
1113561240 M * DaPhreak since i actually have no vserver to test it .. well i think i gonna give vmware a try
1113563161 M * SNy oh, there is a loopback in the setup my ISP has there, alright
1113563188 M * SNy are you saying that linux-vserver does not have a concept of per-vserver loopback?
1113563512 M * Doener SNy: even if it had one, it wouldn't matter ;)
1113563571 M * Doener if you assign an ip address to an interface it becomes an ip address of the box and packets for this address are received then
1113563665 M * SNy packets for 127.0.0.1 are not to be received from the outside, though
1113563675 M * SNy especially not if one is not aware of that
1113563698 M * SNy see, I am glad I actually tested the gld exploit though I was "sure" it wouldn't work
1113563719 M * SNy I'd have a "nice" root shell exploit now if I hadn't
1113563722 M * Doener 127.0.0.1 is special. you should not assign that to a vserver. 127.0.0.1 is automagically rewritten to the first ip address assigned to the vserver
1113563748 M * SNy then I need to kick my ISP in the butt for not telling me
1113563777 M * SNy anyway, I find that concept very strange
1113563840 M * SNy what's the matter with having loopback?
1113563850 M * SNy I am just in the process of reading about it
1113563932 M * Doener we don't have any virtualized interfaces, yet. ngnet (next generation networking) will have it, but it's still experimental
1113564029 M * SNy then maybe a BIG FAT WARNING is in order somewhere stating that, if a loopback exists, it probably isn't what one would expect
1113564046 M * SNy I will discuss that with my ISP now
1113564072 M * Doener seems to be something with your setup, I don't see any loopback device in my vservers
1113564126 M * SNy well, there sure is one
1113564138 M * SNy it just doesn't do what it's supposed to
1113564210 M * Doener it's supposed to handle all traffic that is local to the host (i.e. coming from and going to the host itself)
1113564216 M * SNy which is even worse than one that doesn't exist
1113564224 M * SNy indeed
1113564238 M * SNy but instead, it receives outbound just fine
1113564240 M * SNy or rather
1113564247 M * SNy you cannot actually bind() to it
1113564264 M * SNy calls to bind with INADDR_LOOPBACK just end up at the outer interface
1113564284 M * SNy as I learned yesterday
1113564319 M * SNy now I also need to check whether or not someone was able to compromise my server in the meantime
1113564323 M * SNy :/
1113564456 M * Doener ah, ok you don't mean the interface here. as i said, it doesn't matter to which interface an address is assigned. it's just 127.0.0.1 that is special, and that isn't true any longer with linux-vserver... (interface vs. address, i just try to clarify that, because some folks think it is f.e. more safe to assign an address to dummy0, since they think that it won't be reachable that way...)
1113564516 M * Doener but i get your point... maybe we can do something about that before the 2.0 release
1113564638 J * sizo janek@openbug.org
1113564643 M * sizo hi
1113564696 M * sizo any hints why i can't get a df listing on a vserver?
1113564702 M * sizo # df -h
1113564702 M * sizo Filesystem Size Used Avail Use% Mounted on
1113564703 M * sizo #
1113564769 M * Doener empty /etc/mtab ?
1113564829 M * sizo yes okay;)
1113564830 M * sizo thanks..
1113564834 M * sizo missed that
1113564844 M * Doener np
1113564856 M * sizo a doener would be nice
1113564894 M * Doener indeed...
1113567667 M * SNy you'd need to slaughter a Doenertier ;p
1113568075 M * wurd does anybody recognize this error message? (i get it after doing a ' vserver --debug vserv14 build -m apt-rpm --hostname test --interface eth0:10.99.1.6/16 -- -d fc3 '
1113568086 M * wurd 70:kernel ########################################### [ 99%]
1113568086 M * wurd error: %post(kernel-2.6.11-1.14_FC3.i686) scriptlet failed, exit status 1
1113568086 M * wurd 71:hal ########################################### [100%]
1113568097 M * wurd E: Sub-process /usr/lib/util-vserver/vrpm-preload returned an error code (71)
1113568749 M * ComplexHo Hi wurd
1113568800 M * ComplexHo you could probably strace it to find out exactly what failed but at first glance it's nothing to worry about... It's probably just trying to install to a non-existent /boot or /lib/modules or something...
1113568847 M * ComplexHo I think you can usually ignore these messages, especially seeing as though you won't really need the kernel package in a vserver anyway...
1113568866 M * ComplexHo important thing is the RPM transaction completed
1113568962 M * wurd which transaction exactly ?
1113568997 M * ComplexHo the RPM transaction which got to 100% ie all packages - these messages are just warnings really
1113569026 M * wurd well are you sure that i got them all ?
1113569030 M * wurd maybe there's more than 71
1113569099 M * ComplexHo nah 71 is the error code, not a number of packages... You can see the transaction completed because it got to 100%
1113569118 M * ComplexHo ah actually yes there were 71 pkgs
1113569123 M * ComplexHo sorry ;)
1113569127 M * ComplexHo does it boot?
1113569175 M * wurd the vserver ?
1113569186 M * wurd didn't try yet, i didn't read the doc concerning the USE of vserver
1113569187 M * ComplexHo btw the kernel package is only really there to satisfy dependencies - you will never use it...
1113569195 M * wurd until now i've only been trying to install it..
1113569204 M * wurd which kernel package? :/
1113569216 M * ComplexHo error: %post(kernel-2.6.11-1.14_FC3.i686) scriptlet failed, exit status 1
1113569222 M * wurd oh ok
1113569252 M * ComplexHo basically, nothing to worry about for now, try getting it to boot :)
1113569260 M * wurd ok
1113569263 M * ComplexHo looks like a successful build to me
1113569459 N * Doener Doener|gone
1113569492 M * wurd ComplexHo : 'vserver servername start' & 'vserver servername enter' , that's it ???
1113569633 M * wurd at start, smartd and SELinux initialization have failed
1113570441 M * ComplexHo hmm you need to disable both of those services with chkconfig, they don't really serve any purpose in a vserver
1113570463 M * ComplexHo did you execute "/usr/lib/util-vserver/vprocunhide"?
1113570498 M * wurd no
1113570509 M * wurd should i ?
1113570622 M * ComplexHo yes that will definitely help - more info on the wiki about vproc
1113570678 M * wurd i assume that with this
1113570684 M * wurd i can see the vserver's processes
1113570691 M * wurd with ps -aux
1113570698 M * wurd ?%
1113570714 J * yarihm ~yarihm@80-218-3-32.dclient.hispeed.ch
1113570741 J * palmi ~polm@host130-250.pool8172.interbusiness.it
1113570844 M * wurd well it seems that the build doesn't work 100% of the time
1113570856 M * ComplexHo not from outside the vserver context ... try 'vps' to get a list of system-wide (context 0) processes, or just to see if the vserver is running you can try "vserver-stat"
1113570864 M * wurd i've just tried building another and something failed at 69
1113570901 M * ComplexHo ok I got to go out for 15 mins I might have a little more time then...
1113570938 M * wurd ok np, thanks :)
1113570987 N * Doener|gone Doener
1113571025 M * Doener ComplexHo: context 1 is the spectator context, not context 0 ;)
1113571236 M * ComplexHo oops
1113571241 M * ComplexHo :)
1113571367 Q * palmi Quit: Verlassend
1113574759 N * Doener Doener|gone
1113574960 M * kevinp wurd: your problem is that you are trying to install a kernel in a vserver. that will not work
1113575673 M * wurd how am i trying that? :S
1113575785 M * kevinp At least that's what it looks like you are doing - according to the error.
1113575795 A * kevinp looking for your command again
1113575823 M * gregster what about hard memory limit per vserver ? - could i only restrict the memory by pages ?
1113575834 M * kevinp what do you have set to install in /etc/vservers/.distributions/fc3 ?
1113575926 M * gregster is rss_limit my friend ?
1113575942 M * gregster mean rlimit_rss
1113575943 M * kevinp wurd: sorry wrong dir, check /usr/lib/util-vserver/distributions/fc3/rpmlist.d/00.1st
1113575965 M * kevinp or /usr/lib/util-vserver/distributions/fc3/pkgs
1113575978 M * wurd filesystem-*.rpm
1113575978 M * wurd setup-*.rpm
1113575978 M * wurd tzdata-*.rpm
1113575978 M * wurd glibc-common-*.rpm
1113576012 M * kevinp Did you do the fix mentioned on the ml for fc3?
1113576029 M * kevinp which tools?
1113576053 M * wurd what do you mean which tools ?
1113576072 M * kevinp util-vserver
1113576081 M * wurd i created the symbolic links if that's what you're talking about (fix in ml)
1113576086 M * kevinp yep
1113576091 M * wurd util vserver 205 ?
1113576095 M * kevinp ok
1113576138 M * kevinp so when you did it the second time, was the error the same?
1113576163 M * wurd hard to tell, it was yesterday
1113576178 M * wurd wait
1113576183 M * wurd which errors are you talking about ?
1113576187 M * wurd the ones i get when i build ?
1113576189 M * kevinp wurd ive just tried building another and something failed at 69
1113576192 M * wurd yeah ok
1113576193 M * wurd that.
1113576199 M * wurd well yes the errors were different
1113576203 M * wurd once it failed at 69
1113576206 M * wurd then it went pretty ok
1113576228 M * wurd that's weird
1113576231 M * wurd what does it mean ?
1113576247 M * kevinp what is the error?
1113576249 M * wurd (sometimes it works, sometimes it fails at 69)
1113576442 M * kevinp what is the error?
1113576502 M * wurd Get:69 ftp://ftp.tu-chemnitz.de 3/i386/os module-init-tools 3.1-0.pre5.3 [166kB]
1113576502 M * wurd Fetched 52.1MB in 4m31s (191kB/s)
1113576502 M * wurd Failed to fetch ftp://ftp.tu-chemnitz.de/pub/linux/fedora/fedora/3/i386/RPMS.updates/grep-2.5.1-31.4.i386.rpm Could not connect data socket, connection timed out
1113576502 M * wurd Failed to fetch ftp://ftp.tu-chemnitz.de/pub/linux/fedora/fedora/3/i386/RPMS.os/libattr-2.4.16-3.i386.rpm Server closed the connection
1113576508 M * wurd E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
1113576533 M * kevinp Have you tried a different mirror?
1113576649 M * wurd you mean..
1113576653 M * wurd the ftp:// addresses ?
1113576657 M * wurd trying other addresses ?
1113576660 M * kevinp correct
1113576667 M * wurd no i haven't
1113576678 M * wurd the build works 1 time out of 3
1113576687 M * kevinp It looks like you have a good connection, so maybe the mirror is overloaded
1113576774 M * kevinp Change which line you have uncommented in: /etc/vservers/.distributions/fc3/apt/sources.list
1113577161 Q * wurd Ping timeout: 480 seconds
1113577221 M * kevinp well, maybe he had a good connection :)
1113578521 M * eyck 0reset
1113578522 M * eyck clear
1113578580 M * eyck argh
1113578582 M * eyck sorry
1113579136 Q * BWare Ping timeout: 480 seconds
1113579292 J * alex234 new@p548C905E.dip.t-dialin.net
1113579531 P * alex234
1113579647 J * BWare ~bware@212.26.196.195
1113579691 Q * DuckMaster Ping timeout: 480 seconds
1113582156 A * kevinp compiling 2.0pre1 now
1113583962 Q * prae Quit: Client exiting
1113586142 J * Dominik ~miles@p3EE09EB9.dip0.t-ipconnect.de
1113586209 M * Dominik Hi, i just compiled a 2.6.11.5 Kernel with Vserver and testme.sh gives me 1 error: [011]# failed. Is that important? ;)
1113586262 J * itamarjp lualele@200-225-242-013-dynamic.idial.com.br
1113586685 M * Dominik Nobody here? ;(
1113586722 M * itamarjp only bots
1113586835 J * erwan_ho ~erwan@lns-vlq-39f-81-56-133-136.adsl.proxad.net
1113587813 M * eyck who are you calling a bot, bot?
1113588380 M * DaCa eyck: reset
1113588383 M * DaCa :)
1113588829 M * kevinp can you vkill a vserver by its context or something - if vserver stop doesn't work?
1113588853 M * kevinp Bertl_oO: 2.0pre1 patch worked great so far
1113588885 M * DaCa kevinp: do a ps in its context and kill all those processes?
1113589015 M * kevinp hmm
1113589059 M * kevinp the stop isn't working because it is trying to stop the local interface. I have cleared out all the scripts now, but it still is trying to do it
1113590218 M * Dominik What does vserver try to say with: The configured vshelper '"/usr/local/lib/util-vserver/vshelper"' does not match the 'vshelper'
1113590218 M * Dominik script of the util-vserver package
1113590221 M * Dominik ;-)
1113590552 M * Dominik ok, got it
1113591379 J * duckx ~Duck@dyn-83-157-151-155.ppp.tiscali.fr
1113592405 Q * yarihm Quit: Leaving
1113594477 Q * Dominik Quit:
1113596051 J * tad ~truex@static-151-204-232-50.bos.east.verizon.net
1113596611 Q * tad Remote host closed the connection
1113598949 M * eyck DaCa: that does not compute.
1113599833 Q * erwan_ho Remote host closed the connection
1113600609 N * Doener|gone Doener
1113600948 M * Doener evening folks
1113602296 Q * lilo Quit: bbiab
1113604112 M * DaCa where does one find this famous testme.sh ?
1113604125 M * Doener http://vserver.13thfloor.at/Stuff/SCRIPT/
1113604143 M * DaCa tnx Doener
1113604158 P * click [IRSSI]
1113604233 M * Doener you're welcome
1113604383 M * DaCa wow, it's in color and all :)
1113604436 M * Doener that means you're blind now, right? ;)
1113604485 M * DaCa no, it's not like the flower page :p
1113604589 A * Doener still wonders if there's a way to tell firefox to always use one of the other stylesheets...
1113604612 M * Doener i hate those first five seconds between loading the flower page and changing the stylesheet...
1113604707 M * DaCa ok, testme seems to approve my patchsets :)
1113604762 M * Doener if you also want to test limits, you have to compile the kernel with vserver debugging enabled, then run testme.sh with -L
1113604821 M * Doener the script's output for those additional tests is always 'OK' AFAIK, but you should get some complaining messages from the kernel if something's bad
1113604842 M * DaCa of course I didn't select that, and it takes 50 minutes to compile a 2.6 kernel on this machine
1113604888 M * Doener hm, if you don't do 'make clean' a 'make' (without changing anything) should be _really_ fast ;)
1113604904 M * Doener don't know how much recompilation is needed when you turn on vserver debugging thoug
1113604909 M * Doener though even
1113604909 M * DaCa and I especially want to test that because I am not 100% sure about a conflict in mlock.c
1113604954 M * Doener if you got details for that conflict, i can take a look at it, if you like...
1113604979 Q * ComplexHo Remote host closed the connection
1113605307 M * DaCa Doener: ok, let me first reboot my laptop in 2.4 so I have a network on it :)
1113605755 M * kevinp Bertl_oO: on the 2.0pre1, the kernel logger still fails on shutdown
1113605779 M * Doener kevinp: was it correctly started at all?
1113605802 M * Doener i.e. _not_ using as much cpu as it is allowed to?
1113605942 M * DaCa Doener: could you get http://pub.limehouse.org/mlock.c ?
1113606019 M * DaCa line 74 // vma->vm_mm->locked_vm -= pages;
1113606022 M * kevinp hmm, it said OK, but I can check
1113606061 M * DaCa vserver replaces it by vx_vmlocked_sub(vma->vm_mm, pages);
1113606089 M * DaCa PaX replaces it by mm->locked -= pages;
1113606098 M * kevinp syslog: klogd startup succeeded
1113606118 M * DaCa so I came up with vx_vmlocked_sub(mm, pages);
1113606122 M * kevinp where can I look for more in-depth info?
1113606155 M * kevinp checked ps and it is not running
1113606168 M * kevinp only syslogd
1113606180 M * DaCa but PaX also adds on line 80 the same line, which I replaced too, I am not sure if this is good or bad
1113606215 M * DaCa I suspect that it wants to get the counter down twice to account for the VMA mirroring
1113606257 M * Doener DaCa: can you provide the hunks in question?
1113606291 M * Doener the source says more than a thousand words :)
1113606331 M * DaCa Doener: ok, one moment
1113606335 M * Doener btw, did anyone have a look at Linus' git yet?
1113606372 M * DaCa Doener: just the parts of the diffs that correspond to that section?
1113606386 M * Doener yep, just those hunks
1113606541 M * kevinp Remember how before I was saying that you can't see the ip address in ifconfig and you recommended ip?
1113606572 M * Doener hm, maybe... folks ask for that a lot ;)
1113606582 M * kevinp Well, I figured out why. I had named the interface the same on two vservers.
1113606592 M * kevinp If I stop the one then it works
1113606616 M * kevinp In the setup I had specified --interface domain=eth0:192.168.0.136/24 on one
1113606624 M * kevinp and --interface domain=eth0:192.168.0.137/24 on the other
1113606652 M * kevinp So whichever was started second was not visible in ifconfig
1113606656 M * Doener ah, okay, that's a reason for not seeing them although they are named
1113606670 M * kevinp right
1113606675 M * Doener the ifconfig vs. ip 'issue' only arises if you don't name them
1113606690 M * Doener seems i didn't get you right back then
1113606690 M * kevinp so if one had been domain1 and the other domain2 would it have worked?
1113606695 M * Doener yep
1113606706 M * kevinp cool...
1113606742 M * Doener but keep the names short... max length is 15 characters (16 if you include the final \0). and that includes the "eth0:" part
1113606790 M * kevinp so that is still the case on the latest versions?
1113606849 M * Doener the interface address name length limitation? yes, that's defined in vanilla to be 15/16 characters long
1113606895 M * kevinp running 2.0pre1 on 2.6.11.7, I get these messages on the console and in /var/log/messages when I start and stop a vserver: kernel: /usr/lib/util-vserver/vshelper: (startup 500) returned with 256
1113606906 M * kevinp Is this normal or should it be reported?
1113606963 M * Doener that's ok. two new vshelper calls were introduced and the tools simply don't support them yet
1113606990 M * kevinp ok, sounds good, enjoy your Friday!
1113607011 M * Doener if you want to get rid of those warnings, the 'fix' is simple...
1113607028 M * kevinp what is it?
1113607153 M * Doener touch /etc/vservers/.defaults/apps/vshelper-delegate/startup; chmod +x /etc/vservers/.defaults/apps/vshelper-delegate/startup
1113607161 M * Doener should be sufficient...
1113607192 M * Doener same for the shutdown thing. i don't remember the name for that one atm, should appear in your logs anyway...
1113607264 M * kevinp okay, thanks!
1113607269 M * kevinp have a good one!
1113607269 M * Doener that just turns the error message into 'do nothing', which is just fine for now... AFAIK only ngnet will require those scripts
1113607292 M * Doener you're welcome! and thanks, have a nice friday, too!
1113607470 M * DaCa Doener: http://pub.limehouse.org/mlock_{vs,grsec,merge}
1113607582 M * DaCa those are the hunks only, http://pub.limehouse.org/mlock_{vs,grsec,merge}.orig have the diffs for the whole file
1113608092 M * Doener DaCa: the change from vma->vm_mm->locked to mm->locked_vm should be fine
1113608101 M * Doener see this line: struct mm_struct * mm = vma->vm_mm;
1113608107 M * Doener (from the vanilla sources)
1113608142 M * Doener changing that to vx_vmlocked_sub(mm, pages); then is also fine
1113608227 M * Doener what you should probably look for are those second decrements of the locked_vm, that might not always conflict with the vserver patch and then cause problems
1113608240 M * DaCa yeah, saw that, but my doubt is rather if I should do it the second time via the vx macro (within the PAX_SEGMEXEC / RANDEXEC ifdef block)
1113608385 M * Doener i'd say you should (i guess the VM_MIRROR flag doubles the usage), but then you should do so always and i guess some of those second in-/decrements might not conflict and thus you may miss them in your merge
1113608398 M * Doener s/may/might/
1113608487 M * Doener would be less troublesome if they had done this instead (before changing mm->locked_vm of course):
1113608487 M * Doener +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
1113608488 M * Doener + if (vma->vm_flags & VM_MIRROR)
1113608488 M * Doener + pages *= 2;
1113608488 M * Doener +#endif
1113608649 M * DaCa Doener: I see what you mean, good point
1113608832 M * DaCa as I didn't have conflicts for increments and I am too lazy to find out where they are, I'd suppose it's better to use the original method in the ifdef block
1113608937 M * Doener probably... but that might might that the limiting/accounting doesn't work correctly for that mirrored stuff... i don't know anything about grsec, so i may of course be wrong here
1113609032 M * Doener s/might might/might mean/
1113609329 M * DaCa it's basically how PaX implements nonexecutable protection without paging overhead, the VMA is mirrored, the CS segment is lowered, and pages are mapped into the lower half or upper half depending how they may be accessed, if your counter is only for limiting/accounting, it shouldn't be counted twice, imho, I am not a kernel hacker, but willing to learn :)