1117930191 M * terr It works fine.
1117930215 M * Bertl and, from where to where did you connect?
1117930259 M * Bertl and more important, did the packets pass host2?
1117930280 M * terr From Host 1 to Host 1, through Host 2, yes.
1117930320 M * Bertl so, next step, the vserver guests ...
1117930365 M * Bertl first let's check the configs
1117930494 M * terr http://harfang.pastebin.com/295212
1117930527 M * Bertl okay, we have to change that ...
1117930545 M * Bertl remove the dev files and touch a nodev file
1117930560 M * Bertl also change the ips to 172.16.0.1 and 172.17.0.1
1117930705 M * terr OK, done.
1117930726 M * Bertl now let's make a copy of the important data
1117930751 M * Bertl ip {rule,addr} ls
1117930766 M * Bertl ip route ls table {local,main,16,17}
1117930805 M * Bertl then let's start one guest
1117930941 M * terr http://harfang.pastebin.com/295216
1117930997 M * Bertl hmm, you added the 17 rule twice, but no problem with that ...
1117931038 M * terr I don't remember having done that but...
1117931057 M * Bertl 'history' might remember ;)
1117931160 M * terr Terrible things those computers, they remember everything :^!
1117931247 M * FaUl hehe
1117931395 M * Bertl terr: okay, did the guest startup as expected?
1117931414 M * terr Yes.
1117931445 M * Bertl then let's try to ssh into it from the other ip (with the chbind as used before)
1117931463 M * Bertl monitor the packets on host2
1117931681 M * terr chbind --ip 172.17.0.1 -- ssh -p 2222 root@172.16.0.1
1117931701 M * Bertl well, if your guest uses 2222 as port, yes
1117931714 M * terr But then I'm connecting to Host 1.
1117931722 Q * knoppix_ Quit: Verlassend
1117931756 M * Bertl I assume you started guest 1 (on 172.16.0.1)
1117931777 M * Bertl and your sshd on Host 1 doesn't use port 2222
1117931793 M * Bertl (or is limited to certain IPs != 172.16.0.1)
1117931805 M * FaUl Bertl: the nfxid is the id of the virtual vserver interface?
1117931816 M * Bertl terr: and the guest 1 has an sshd running which listens on port 2222
1117931854 M * Bertl FaUl: not exactly ...
1117931868 M * Bertl the nfxid is the context id for a packet
1117931880 M * Bertl the nfvnet is the vnet id
1117931909 M * Bertl (which usually is unique for each virtual interface)
1117931912 M * FaUl hmm, is that context id that thing that iptables sets with the vnet-target?
1117931933 M * Bertl no, iptables sets the vnet id
1117931939 M * FaUl ah
1117931947 M * Bertl the mapping goes like this:
1117931986 M * Bertl packet -> classify/mark with vnet id -> lookup vnet interface -> receive/transmit/mark with xid
1117932027 M * Bertl the xid is required to get the proper tables for routing and such
1117932035 M * Bertl (which are per context)
1117932090 M * FaUl isn't the vnet-id per context, too?
1117932097 M * Bertl I'm not sure, maybe it would make sense to keep a separate id for that (a network id)
1117932111 M * Bertl no the vnet id is per interface
1117932166 M * FaUl ah, ok, so that vnet-id marks the (virtual) interfaces and the nfxid marks the context? so why not use the contextid?
1117932173 M * Bertl I have to check the xid/nfxid interaction, probably a separate nid would make sense ...
1117932175 M * FaUl for that routingtable-stuff
1117932208 M * Bertl nfxid is basically a synonym for xid (context id)
1117932256 M * Bertl Doener`: still around?
1117932262 M * Doener` yep
1117932289 M * Bertl what do you think, maybe we should keep the network id (from current networking) and extend it for ngnet?
1117932343 M * Bertl we could also make the vnet id 32 bit consisting of 16bit network id and 16bit vnet/local id
1117932375 M * Bertl (might simplify userspace)
1117932422 M * Doener` i thought about ngnet for quite some time... but no results... ;)
1117932434 M * Bertl :)
1117932555 M * Doener` ideas varied a lot... like "virtualizing" the local routing table... introducing some mask for device numbers (upper half -> network id, lower half, actual device number), and that way removing the iptables stuff and using the routing stuff instead... and many more, of which i don't remember all...
1117932627 M * Doener` also thought about the virtual devices, whether they should be visible on the host or not
1117932736 M * Doener` started playing with 'local' routing entries in routing tables other than 'local', but that doesn't seem to work (impossible to use the ip address as source)
1117932763 M * Bertl yeah, the local table is too specialized
1117932787 M * Bertl terr: any status/progress?
1117932803 M * terr Bertl: OK, it works; but to be sure: If Host and Guest have a different ip, can they both listen to the same port?
1117932827 M * Bertl yes, just the host has to 'restrict' itself (or be restricted)
1117932869 M * Bertl Doener`: but I thought about using the tc rules (which are per interface) for classification
1117932888 M * Bertl (instead of the iptables chain)
1117932889 M * Doener` never used those
1117932986 M * Bertl it would be easier to avoid (userspace visible) classification at all, but that would cut down features significantly ... i.e. no changing the destination guest at runtime and such ...
1117933200 M * Bertl terr: so we can continue and start the second guest?
1117933227 J * explasm__ explasm@p549FB566.dip.t-dialin.net
1117933411 M * terr I'm wondering... Did I do something wrong with some of these ip/iptables commands? ...
1117933412 M * Bertl FaUl: what do you think, would keeping a network context id (in addition to the usual context id) be too complicated for setting up a guest?
1117933451 M * Doener` Bertl: hm, are interface addresses just ? If I only add an entry to the local routing table, that is sufficient to use it as source address and bind a service to it...
1117933475 M * Doener` so interface addresses look a little superflous to me...
1117933480 M * terr ... Since we started I didn't receive a single mail, and now I wanted to check a word with dictd, and it doesn't answer (!)
1117933517 M * Bertl Doener`: well, yes and no, but it is some kind of dual book keeping
1117933560 M * Bertl guess for the correct word: superfluous?
1117933572 M * Doener` probably ;)
1117933579 M * Doener` (looked it up in the meantime ;)
1117933647 M * Bertl terr: so?
1117933663 Q * eXplasm2 Ping timeout: 480 seconds
1117933675 M * terr Did you miss my remark above?
1117933709 M * Bertl no, but that hardly suffices as bug-tracking/error report ;)
1117933754 M * Bertl terr: "oh gosh, dictd is not answering, probably I did something wrong, let's go and fix it" :)
1117933815 M * Bertl terr: check the following: where is it supposed to run/answer, what happens if you try to reach such a service? which services are active at all? what does tcpdump see?
1117933964 M * Bertl Doener`, FaUl: hmm, just stumbled over this: http://linux-ip.net/html/
1117934131 M * Doener` looks interesting
1117934220 M * Bertl and it leads (among others) to this: http://www.ssi.bg/~ja/
1117934261 M * Bertl terr: http://www.ssi.bg/~ja/send-to-self.txt
1117934265 M * terr Bertl: Ahah, lo is down !!!
1117934321 M * Bertl terr: aha, did you take it down?
1117934365 J * hillct ~hillct@client200-5.dsl.intrex.net
1117934377 P * hillct
1117934431 M * terr No, no, I swear! Shall I call 'history'? ;)
1117934446 M * Bertl to your defense?!
1117934470 M * FaUl Bertl: i think it would be best if you don't have to fiddle with a lot of ids when starting a guest
1117934484 M * terr Yes, of course, I don't see an "ifconfig lo down" there!
1117934485 M * Bertl terr: http://harfang.pastebin.com/295061 (look it was already down here ;)
1117934510 M * Bertl no, I'm lying ;)
1117934534 M * Bertl but here: http://harfang.pastebin.com/295070
1117934678 M * terr Indeed... How could that happen (if not manually, ... no it's not me who did it :~/ )
1117934757 M * terr Anyway, it's back now...
1117934779 M * Bertl :)
1117935010 M * Bertl terr: so next test, ssh from one guest to the other?
1117935019 M * terr I started the second guest.
1117935025 M * Doener` i'm off to bed now... will spend some more thought on ngnet while trying to sleep ;)
1117935028 M * Doener` good night folks!
1117935032 M * Bertl night Doener`!
1117935036 N * Doener` Doener_zZz
1117935140 M * terr Success, again!
1117935221 M * Bertl common guys, group hug ..
1117935358 M * terr :-)
1117935435 M * terr I'm still wondering why I have trouble with my default setup (vlan configured by the distribution startup scripts).
1117935473 M * terr This is one thing I'll do later...
1117935490 M * FaUl Bertl: i guess it will make more sense if i read the source after a little bit of sleep - so i'll sleep right now
1117935494 M * FaUl n8 all
1117935502 M * Bertl terr: as I said, all this requires 'careful' setup ...
1117935505 M * terr Good night.
1117935509 M * Bertl FaUl: k, night!
1117935553 M * FaUl sleep well all :-)
1117935555 M * terr So something careless in the startup scripts, you think?
1117935594 M * Bertl well, probably more than one issue ...
1117935647 M * Bertl - you have to do the 'mapping' for every ip in the range
1117935668 M * Bertl - you have to configure the guests to not create the ip on the interface
1117935740 M * terr And the document you pointed at? Does it describe something (else) to achieve the same thing?
1117935778 M * Bertl it seems that there is a patch which allows to route local connections over external interfaces
1117935800 M * terr Avoiding the nat trick?
1117935805 M * Bertl yup
1117935880 M * terr I had other questions, but I'll first redo everything we did tonight.
1117935922 M * Bertl emphasis on 'redo'? :)
1117935952 M * Bertl (hopefully not including the lo down ;)
1117936008 M * terr "redo" and "understand" :-) ... Before I forget: How can I view the log of today's IRC session?
1117936048 M * Bertl http://irc.13thfloor.at/LOG/
1117936195 M * terr Fine! Then, for now, I'll go to sleep. Thank you very much for the guided tour!
1117936357 M * Bertl you're welcome!
1117936372 M * Bertl (and see topic)
1117936451 M * terr Yes I know it ;-) that's why I'll redo; then I'll summarize the experiment...
1117936460 M * Bertl excellent!
1117936629 M * terr Well... Have a good night yourself. And see you another time. Bye.
1117936643 M * Bertl cya
1117936667 P * terr
1117938618 P * yarihm Leaving
1117947474 M * Bertl okay folks, I'm off to bed now ...
1117947483 M * Bertl have a good one, everyone, cya later ...
1117947489 N * Bertl Bertl_zZ
1117958998 J * Aiken ~james@tooax6-194.dialup.optusnet.com.au
1117959663 Q * jkl_ Ping timeout: 480 seconds
1117961978 Q * Aiken Ping timeout: 480 seconds
1117966314 Q * rs Quit: rs
1117968281 J * erwan_ho ~erwan@konilope.dyndns.org
1117969598 J * stofferm ~stofferm@masq.oek.dk
1117969627 M * stofferm How do Vservers cope with being moved from one system to another, both running debian, but different hardware to some extent?
1117970280 P * stofferm
1117971133 M * eyck pretty well actually,
1117972117 Q * eyck Quit: leaving
1117972160 J * eyck eyck@81.219.64.71
1117973631 J * steve^ ~steve@user-2774.l6.c5.dsl.pol.co.uk
1117973683 M * steve^ hi all
1117973691 M * steve^ is the 2.6 series of patches stable enough to use for production?
1117974313 Q * steve^ Ping timeout: 480 seconds
1117982343 N * Bertl_zZ Bertl
1117982357 M * Bertl evening folks!
1117982375 M * SiD3WiNDR heya Bertl
1117982470 M * Bertl hey albeiro!
1117982482 M * Bertl SiD3WiNDR: how are you?
1117982488 M * matti ;]
1117982512 M * Bertl ah, matti :]
1117982577 J * shuri sjnesjd@64.235.209.226
1117982603 M * SiD3WiNDR fine fine
1117982615 M * SiD3WiNDR doing some webdevelopment, watching tennis
1117982615 M * SiD3WiNDR :)
1117982620 M * matti Bertl: Hi ;D What's up? ;]
1117982627 M * matti SiD3WiNDR: Tennis?
1117982634 M * matti Hm... ;]
1117982634 M * SiD3WiNDR yea
1117982638 M * SiD3WiNDR dunno
1117982639 M * SiD3WiNDR tv is on
1117982641 M * SiD3WiNDR tennis on it
1117982646 M * matti I see.
1117982646 M * matti ;]
1117982652 M * SiD3WiNDR nadal vs puerta
1117982658 M * SiD3WiNDR no idea which championship or whatever :p
1117982666 M * matti Who wins?
1117982688 M * Bertl the guy with the racket!
1117982696 M * matti Hehehe.
1117982698 M * SiD3WiNDR :D
1117982708 M * matti ;]
1117982709 M * SiD3WiNDR 6-7 2-1
1117982716 M * SiD3WiNDR *yawns*
1117985652 M * Hollow hey Bertl
1117986168 N * Doener_zZz Doener
1117986178 M * Doener evening folks!
1117986358 M * Bertl evening Doener!
1117986362 M * Bertl hey Hollow!
1117986368 M * Bertl leaving now .. back later ...
1117986373 N * Bertl Bertl_oO
1117987157 J * Doener` ~doener@p5487406D.dip.t-dialin.net
1117987598 Q * Doener Ping timeout: 480 seconds
1117987960 Q * Doener` Quit: Leaving
1117987989 J * Doener` ~doener@p5487406D.dip.t-dialin.net
1117989569 M * FaUl *sproing*
1117989694 Q * eyck Read error: Connection reset by peer
1117990265 J * yarihm ~yarihm@217-162-204-252.dclient.hispeed.ch
1117991494 J * rs ~rs@imhotep.rhapsodyk.net
1117992344 J * eyck eyck@81.219.64.71
1117993623 Q * rs Quit: rs
1117994005 Q * erwan_ho Remote host closed the connection
1117994023 J * erwan_ho ~erwan@konilope.dyndns.org
1117995406 N * Bertl_oO Bertl
1117997158 M * eyck hello
1117997583 M * albeiro hey folks
1117999496 Q * yarihm Quit: Leaving
1118000018 J * rs ~rs@imhotep.rhapsodyk.net
1118000888 Q * explasm__ Quit: Verlassend
1118000893 J * eXplasm explasm@p549FB566.dip.t-dialin.net
1118001326 J * Sohail ~UNIX@203.81.212.103
1118001417 Q * Sohail Quit:
1118002235 J * ghpolo ~polo@201.15.214.133
1118002597 Q * ghpolo Quit: User abort with 5 Ctrl-C's
1118002780 Q * erwan_ho Remote host closed the connection
1118004742 J * jkl__ eric@c-67-173-254-242.hsd1.co.comcast.net
1118004746 N * jkl__ jkl
1118005744 M * maharaja bertl: has there been a bug with /proc/xxxx/ipaddr where you're not getting the right ip address?
1118005760 M * maharaja inside my vserver, my ip is 10.1.1.54
1118005772 M * maharaja but:
1118005776 M * maharaja # cat /proc/self/ipaddr
1118005777 M * maharaja 10.1.1.13
1118005794 M * maharaja or what exactly is that :)
1118006002 M * maharaja i'm trying to analyse why nmbd (samba suite) does not work
1118006010 M * maharaja inside a vserver
1118006762 J * ntrs ~ntrs@62.162.242.80
1118007062 M * Bertl hmm ..
1118007078 M * Bertl maharaja: don't know, what does /proc/self/ipaddr show?
1118007143 M * albeiro it is a grsecurity addon showing the ip address of the current process
1118007165 M * Bertl well, then it's probably broken ;)
1118007169 M * Doener` hm, well, then that's not Bertl's fault ;
1118007177 M * Doener` s/;/;)/
1118007184 M * albeiro might be broken
1118007214 M * albeiro afaik it records the ip address when the process does connect() the first time
1118007219 M * albeiro err.. accept rather
1118007272 M * albeiro it is obvious it cannot show the right address inside a vserver
1118007293 M * jkl anyone know how to port forward to a vserver?
1118007415 M * Bertl on the host? not at all
1118007434 M * Bertl you can mangle ip/port on the host, but not forward
1118007446 M * Bertl (as there is no forwarding to the guests)
1118009164 Q * ntrs Quit: Leaving
1118009194 M * Doener` Bertl: http://www.denx.de/twiki/bin/view/Know/MiniFOHome sounds interesting
1118009246 M * jkl hm so how would i have a service running on a vserver be publicly accessible via a public address on the host?
1118009326 M * Bertl Doener`: hmm, will check it later ..
1118009385 M * Bertl jkl: it's not forwarding, but you can use S/DNAT pretty easily
1118009396 M * Bertl okay, folks, back later
1118009405 M * jkl hm, that's what i tried, i'll continue to mess with it then
1118009434 M * Bertl there should be a few examples in the ML/irc logs
1118009441 N * Bertl Bertl_oO
1118009443 M * jkl k
1118011181 M * rs bertl: still there ?
1118011197 M * rs Doener: are you around ?
1118011202 M * Doener` yep
1118011223 M * Doener` evening rs
1118011224 M * rs I think I got a test case for the multi-thread issue
1118011228 M * rs evening doener
1118011234 M * Doener` great
1118011245 M * rs I didn't test your patch yet
1118011268 M * Doener` well, with a test case, anyone can do that ;)
1118011269 M * rs but I have a vserver that always catches the issue
1118011317 M * Doener` which process?
1118011330 M * rs so I think it happens when the vserver is out of memory
1118011399 M * Doener` hmm, out of memory... that rings some bell regarding an oops i've seen... but that may have been on another channel
1118011406 M * rs maybe we could try with a vserver low in memory and set up a mysql server that fills the memory
1118011426 M * Doener` out of memory = rss limit hit?
1118011443 M * rs yes
1118011668 M * Doener` is VXF_FORK_RSS set?
1118011693 J * Aiken ~james@tooax6-071.dialup.optusnet.com.au
1118011710 M * rs dunno about this flag
1118011716 M * rs how to check ?
1118011743 M * rs when the vserver is out of memory, all forks get a segfault
1118011826 M * Doener` grep Flags /proc/virtual//status
1118011908 M * Doener` 4th from left would be 2 or 6 if the flag is set, if I didn't mess up that bitshift ;)
1118011924 M * rs 00100000030b0310
1118011936 M * Doener` ok, it's off
1118011949 M * rs what does this flag do ?
1118012042 M * Doener` it checks if there's enough memory for the forked process if all of the rss pages of the parent would have to be copied
1118012091 M * Doener` i.e. early kill... usually a lot of pages are shared, or the pages are replaced anyways as another process is exec()'ed
1118012123 M * Doener` I'd say it's some worst case protection or sth. like that
1118012131 M * rs ok
1118012837 Q * maharaja Ping timeout: 480 seconds
1118013135 M * Doener` rs: do the forks only get segfaults while the vserver is oom or also after memory got freed again?
1118013643 M * rs re
1118013649 M * Doener` wb
1118013671 M * rs hmm seems not, if I do a restart, once it fails I can enter the vserver
1118013683 M * rs I didn't check if the vserver was oom before the restart
1118014777 M * Doener` hum hum...