1118102568 M * shuri brb
1118102576 Q * shuri Read error: Connection reset by peer
1118102705 J * shuri sjnesjd@64.235.209.226
1118103160 J * monrad ~monrad@213083190130.sonofon.dk
1118103202 M * Bertl evening monrad!
1118103233 M * monrad evening
1118103256 M * monrad guess who hit the ctrl+alt+backspace combo
1118103526 M * shuri re
1118103544 M * Doener wb shuri
1118106026 J * eXplasm2 explasm@p549FF5CD.dip.t-dialin.net
1118106468 Q * eXplasm Ping timeout: 480 seconds
1118108150 M * Bertl Doener, RFC: http://vserver.13thfloor.at/Experimental/delta-helper-feat01.diff
1118108176 M * Bertl I thought this might be a little more flexible ...
1118108339 M * Doener - argv[1] = "mickey";
1118108349 M * Doener i never noticed that one ;)
1118108357 M * Doener has it any special meaning?
1118108361 M * Bertl well, because it was never there ;)
1118108381 M * Bertl artefact from my testing ...
1118108386 M * Doener ah ok
1118108468 M * Doener looks good i'd say
1118108489 M * Bertl could you test something for me?
1118108501 M * Bertl (or read the source in this regard)
1118108519 M * Bertl I'm not sure the tools will handle the version change correctly
1118108532 M * Bertl -#define VCI_VERSION0x00010025
1118108533 M * Bertl +#define VCI_VERSION0x00020001
1118108551 M * Doener the tools use if (version > xxxx)
1118108566 M * Bertl with xxx being the full word?
1118108600 M * Bertl (or better, with version being the full (32bit) word
1118108781 M * Doener # define CALL_VC_V13B(F,...) CALL_VC_GENERAL(0x00010021, v13b, F, __VA_ARGS__)
1118108801 M * Bertl looks good!
1118108802 M * Doener in that case 0x00010021 is compared against the value returned from the syscall
1118108811 M * Bertl thanks!
1118108817 M * Doener you're welcome
1118108851 A * Doener continues watching blender video tutorials :)
1118108886 A * Bertl was freeing blender back then ...
1118108887 M * Doener i've seen them a few times now, but i like the speaker's voice somehow... when i need to relax a little, i watch them ;)
1118108907 A * Doener didn't have money back then...
1118108918 M * Doener ... not that i would have money now... ;)
1118109760 Q * gregster Remote host closed the connection
1118109770 J * gregster ~gregor@greart.de
1118109779 M * Bertl wb gregster!
1118109853 Q * jkl Ping timeout: 480 seconds
1118109888 Q * shuri Ping timeout: 480 seconds
1118110264 M * Bertl http://vserver.13thfloor.at/Experimental/FOR-2.0/delta-version-fix01.diff
1118110274 M * Bertl http://vserver.13thfloor.at/Experimental/FOR-2.0/delta-vhelper-feat01.diff
1118110280 M * Bertl http://vserver.13thfloor.at/Experimental/FOR-2.0/delta-nhelper-feat01.diff
1118110586 M * locksy Hi! Just looking for suggestions about which initstyle to use (and which init package if any) on a Debian box which will run one vserver only (apache + postfix inside vserver - ftp, ssh outside)
1118110608 M * Bertl hmm, sysv and no init at all?
1118110629 M * locksy Ok, sounds right to me :)
1118111361 M * locksy Hmm, does anyone know the syntax for bind mounts in fstab (I've worked it out before but I can't find it atm)
1118111419 M * Bertl /var/tmp /tmp none bind 0 0
1118111453 Q * rs Quit: rs
1118111546 M * locksy thx, which file should I be putting it in if I want to do: /tmp/vmain /var/lib/vservers/main/tmp none bind 0 0 whenever the main vserver is entered?
1118111584 M * locksy a quick look at /etc/vservers/main/fstab suggests it works from inside the vserver?
1118111601 M * daniel_hozac the first path is outside the vserver, the second path is inside.
1118111621 M * locksy Aaaah, makes sense :)
1118111883 T * Bertl http://linux-vserver.org/ | latest stable 1.2.10, devel 1.9.5, 2.0-rc4, ng9.5 -- He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the wiki, and we'll forget about the minute ;)
1118112508 M * Aiken how do you stress test to make sure vserver is stable?
1118112677 M * Bertl we let the companies do the stress testing ;)
1118112719 M * Bertl no, seriously, from time to time there are real stress tests with 'killer' apps ...
1118112755 M * Bertl this typically involves creating a few million contexts and such ...
1118112780 M * Bertl having up to 20k processes and more ...
1118112804 M * Bertl (all this happens on a 4-way SMP box ...)
1118112868 M * Aiken the worst I had come up with so far was the host and 2 or more vservers doing kernel compiles at the same time
1118113055 M * Bertl and, did it work as expected?
1118113099 M * Aiken I am looking vs1.2.10 on a 2.4 box I want to setup, successfull kernel compile in all cases
1118113132 M * Aiken all I can say abt vs2.0 today is if I want to use it I really should boot his machine with the correct kernel :(
1118113256 M * Aiken with the 2.4 box I just want to be sure before I touch a machine that does not give me any trouble
1118113612 M * Aiken the first things I checked was not being able to touch eth0, host's hostname and trying kill -9 on host processes.
1118113629 M * Aiken it was those 3 that got me wary of chroot and got me looking at vserver
1118114423 M * Bertl sounds like a happy user so far ;)
1118114587 M * Aiken means I can get the functionality I wanted from solaris zones with out changing to solaris :)
1118114736 M * Bertl qualifies for me ...
1118114752 M * Bertl okay, I'm off to bed now ... back after some sleep ...
1118114763 M * Bertl night Doener! night folks!
1118114770 N * Bertl Bertl_zZ
1118125079 Q * monrad Quit: Leaving
1118127519 M * eyck night
1118128087 J * erwan_ho ~erwan@konilope.dyndns.org
1118128110 J * Aiken_ ~james@tooax8-145.dialup.optusnet.com.au
1118128429 Q * Aiken Ping timeout: 480 seconds
1118128617 Q * erwan_ho Remote host closed the connection
1118128663 P * Aiken_ Leaving
1118129074 M * SiD3WiNDR hehe
1118129080 M * SiD3WiNDR I was reading in one of my o'reilly box
1118129084 M * SiD3WiNDR books even
1118129087 M * SiD3WiNDR "apache security"
1118129095 M * SiD3WiNDR linux-vserver is suggested there as security measure! :)
1118131818 J * prae ~prae@ezoffice.mandriva.com
1118132352 J * rs ~rs@imhotep.rhapsodyk.net
1118132373 J * betonamu ~Administr@dhcp-243-048.mag.keio.ac.jp
1118132444 M * betonamu hello. i am new to vserver. to understand it better, i am looking for a (scientific) paper about vserver, but dont see any (??). could anybody here recommend me where to find?
1118132459 M * betonamu i look at the home page, but there is only few userguide
1118132828 M * Loki|muh try the whitepaper
1118132842 M * Loki|muh or 'use the source, luke' *g*
1118133382 M * betonamu Loki|muh: where is the whitepaper?
1118133469 M * Loki|muh http://linux-vserver.org/Linux-VServer-Paper
1118133611 M * betonamu ah i known that page. it seems be the best resource on vserver architecture (unfortunately!!)
1118133677 M * Loki|muh hmmm best would be waiting for Bertl_zZ or Doener, these 2 know best about the vserver code I think
1118133722 M * betonamu this room seems quiet?
1118133749 M * betonamu but looks like vserver is pretty popular? 64 in this room now
1118133792 M * betonamu Loki|muh: any chance to get vserver into mainline kernel? any attempt to do that?
1118133847 M * Loki|muh sorry, dunno
1118134658 Q * rs Quit: rs
1118134758 M * SiD3WiNDR betonamu: channel 'traffic' usually picks up in the afternoon/evening CET time :)
1118136464 J * rs ~rs@staff.lycos.fr
1118137774 J * Doener` ~doener@p54876CB9.dip.t-dialin.net
1118137853 J * dsoul darksoul@pingu.ii.uj.edu.pl
1118137903 Q * Doener Ping timeout: 480 seconds
1118138424 Q * id Ping timeout: 480 seconds
1118138593 Q * Doener` Ping timeout: 480 seconds
1118138612 J * Doener ~doener@p548765D2.dip.t-dialin.net
1118139470 Q * rs Quit: rs
1118139886 M * ruuth hi! If I follow hollow's guide (http://dev.gentoo.org/~hollow/vserver/guide/) - do I have to use the standard profile (choosing the right profile) or the vserver profile - (following the gentoo-install-manual)?
1118139912 M * Hollow ruuth: please use the standard profile for now
1118139920 M * ruuth Hollow: ok!
1118139946 M * Hollow once the new profile is finished i'll update the docs
1118139958 M * Hollow should be pretty soon
1118140252 M * ruuth Hollow: How many developers are there in the vserver-project?
1118140281 M * Hollow currently only DaPhreak is helping me with the grsec patches
1118140296 M * Hollow wanna join?
1118140307 M * ruuth Hollow: Wow! You're the only one?
1118140312 M * Hollow kinda
1118140364 M * ruuth Hollow: opening private chat ...
1118140370 M * Hollow k
1118140373 J * Xorith ~noxoriths@pool-71-241-76-237.scr.east.verizon.net
1118140419 M * Xorith dsoul: I think what I'm needing is something showing the pro's and con's of the two :P
1118140514 M * DaPhreak Hollow: are you on the late afternoon in ?!
1118140530 J * axu_ ~axu@62.116.66.2
1118140534 M * axu_ hello :)
1118140545 M * Hollow DaPhreak: *shrug* maybe ;)
1118140565 M * axu_ is there a fast way to see all processes and there cpu usage from within the rootserver ?
1118140597 M * axu_ i have a vserverhost with 10 vservers and one has an ap in it running wild :) lazy me, i dont want to walk all of them :)
1118140670 M * axu_ ok.. lets enter those arenas ;)
1118140740 M * axu_ hmmm, klogd in 3 vservers was the problem
1118140760 M * axu_ should possibly disable it, it has no need i assume
1118140864 M * Xorith Can vserver actually run a completely different distro from the host?
1118140875 M * axu_ Xorith: shure
1118140895 M * Xorith Well I was recommended to look at vserver (I'm a tech for a virtual hosting company)
1118140926 M * Xorith Currently, we use UML, and I don't want to "trade features". So as long as I can establish that something like vserver will be "the same but better", I'm happy :P
1118140943 M * axu_ Xorith: go have a look, i use it for about 1 1/2 years. its a charm :)
1118140964 M * Xorith I really need to get some more hardware for my home, so I can actually play with things like this
1118140986 M * Xorith UML is nice in the sense that ot
1118140987 M * Xorith err
1118141007 M * axu_ xorith: no you dont. just get qemu up and running..install your favorite distro +? vserverpatched kernel + tools. on you go
1118141040 M * Xorith it's obvious. You're booting a kernel. Filesystems are block devices, so they can be mounted and tweaked on the host. The only pains we're having is UML is slow.. and there's no "easy" way to limit servers.
1118141056 M * axu_ xorith: uml is soem kind of different thing. vserver is more like superhard jails or chroot
1118141060 M * Xorith Customers have a technical CPU limit, but they don't know we can't really enforce it yet.
1118141080 M * axu_ 1 kernel
1118141098 M * Xorith What if a vserver does something to cause that kernel to panic?
1118141099 J * Doener` ~doener@p5487446C.dip.t-dialin.net
1118141106 M * Xorith Does that mean they all go down?
1118141118 M * axu_ Xorith: shure :)
1118141126 M * Xorith Not sure I like that. :P
1118141194 M * axu_ Xorith: then you should use solaris. or aix.
1118141299 Q * Doener Ping timeout: 480 seconds
1118141310 M * eyck do you think solaris will protect you from kernel panic?
1118141335 M * axu_ eyck: in conjunction with certified apps for those oses, yes :)
1118141392 M * Xorith Well it's my understanding though, that if a user runs an app on a UML, the kernel that's running the UML will be the one to suffer.
1118141407 M * Xorith I'm sure if someone did something bad enough it'd bring the whole server down.
1118141430 M * eyck so, if your app is certified, then it will work even when kernel panics? interesting.
1118141511 M * eyck I haven't seen such functionality in any of the solaris versions I've been working with
1118141531 M * axu_ eyck: i havent ever seen a solaris kernel panic :) so my talk is really theoreticaly :) but i have seen, misc systems in the telecombusiness running solaris for years under heavy load with databases, networkmonitoringtools, and telcospecific stuff on it ....
1118141573 M * Xorith I've seen systems run for years just on Linux, under heavy load.
1118141636 M * axu_ who hasent ? ;)
1118141667 M * Xorith Anywho, I'll have to toy with vserver
1118141668 M * eyck you people need to study logic, or mathematics or sth,
1118141680 M * axu_ eyck: hehehe
1118141695 M * Xorith Would love to find a page that lays out UML, Xen, and vserver with benchmarks, features, and drawbacks.
1118141727 M * Xorith While I'm at it. I'd also love to find a programming language that writes it's own code based on what I think, and does it bug-free, but alas ;)
1118141736 M * eyck UML/Xen/vservers are orthogonal concepts
1118141782 M * eyck Xorith: it's called 'perl'
1118141784 M * Xorith Yes, but logically they all have differences.
1118141799 M * eyck and there even is mythical module called 'DWIM'
1118141807 M * eyck perl -e 'use DWIM;' and you should be all set
1118141816 M * Xorith Perl hasn't developed telepathic communications yet :P
1118141825 M * Xorith Though I hear it's in early alpha stages.
1118141864 M * axu_ i guess with benchmarks. vserver is unbeatable :)
1118141873 M * Xorith Xen also shows to be unbeatable.
1118141898 M * Xorith The benchmarks on it's page show to be very close, if not equal to, native linux. :P
1118141919 M * Xorith The problem is, I need a good reason to pull the server down and rework how things are. It's the old "if it ain't broke, don't fix it"
1118141920 J * id ~id@relax-media.softwarezentrum.de
1118141940 M * Xorith While UML doesn't offer everything we're looking for (yet), it's what's working now.
1118141965 M * eyck vserver should win any virtualisation benchmarks hands down
1118141996 M * Xorith I need to test it for myself then.
1118141999 M * Xorith Not the benchmark
1118142002 M * Xorith But the features
1118142011 M * Xorith I'm currently falling in love with UML's CoW support. ;)
1118142018 M * eyck you need to understand those approaches
1118142028 M * Xorith I understand UML enough
1118142045 M * eyck that's a good start :) good luck :)
1118142070 M * eyck vserver has CoW links, and Xen had this COW block device IIRC
1118142083 M * eyck oh, no
1118142105 M * eyck vserver would like to support CoW links, right now we only got COW block device, right.
1118142132 M * Xorith I think that's all UML does anyway... Not sure. I just started toying with it, and it's saved my backside already
1118142185 M * Xorith I'm working a distro up from FC2 to FC3, and I use the CoW files to ensure that if a particular package breaks the distro, I can easily recover. When things work and prove to be stable, I merge the CoW with the pristine.
1118142276 M * Xorith The other reason we're going to CoW files is so it'll be easier to "restore" a VM to "default" settings. Most of our clients use their VMs for testing and development. :P
1118142360 M * Xorith Oh, what about as far as web-based control panel tools for vservers?
1118142912 M * betonamu eyck: what is COW links? i know COW device, but what is this?
1118142956 M * betonamu eyck: how about comparing performance with Xen?
1118142998 M * eyck betonamu: performance of what?
1118143011 J * erwan_taf ~erwan@81.80.43.67
1118143029 M * betonamu eyck: you said that vserver is best at performane?
1118143038 M * betonamu (benchmark)
1118143042 M * eyck what about, you run Xen, inside it there are multiple vservers, and inside one of vservers you run UML
1118143054 M * eyck betonamu: it is,
1118143071 M * eyck but what exactly is it that you care about?
1118143170 M * betonamu eyck: just because i dont understand the context of your conclusion
1118143180 M * betonamu ok, how about CoW links? what is that?
1118143194 M * eyck do you understand how Xen works? and how vserver works?
1118143244 M * betonamu eyck: i know xen, but not vserver. just now i am reading its paper
1118143288 M * eyck oh, you come from academic background?
1118143293 M * betonamu (but papers on vserver are pretty rare)
1118143323 M * betonamu eyck: just because it is best to read scientific paper to understand it, rite?
1118143339 M * eyck so, you do come from academic background.
1118143367 M * betonamu eyck: i guess it is not that important, academic or not
1118143393 M * betonamu but academic paper is obviously better than some userguides
1118143402 M * eyck *of course*
1118143421 M * eyck there's nothing like reading documentation to get to know the subject.
1118143439 M * betonamu eyck: any attempt to push vserver to mainline ?
1118143480 M * eyck yup,
1118143489 M * eyck but SELinux people blocked it.
1118143496 M * betonamu hey, why?
1118143514 M * eyck because they are the SELinux people, the ultimate in linux security.
1118143520 M * eyck and they know everything,
1118143538 M * betonamu i guess selinux and vserver have separate segments
1118143541 M * eyck and there is no SELinux kabal.
1118143556 M * eyck go, and tell them that.
1118143585 M * eyck and they will tell you, that if you want vserver in mainline, you need to extend SELinux so that it can do the vserver's work.
1118143619 M * betonamu i guess probably if merging vserver into mainline, selinux must be reworked because there are some conflicts
1118143627 M * betonamu yeah, i think so
1118143651 M * eyck that's not the problem.
1118143678 M * betonamu selinux is kind of monopoly.
1118143691 M * betonamu virtually only selinux uses LSM. that is too bad
1118143694 M * dsoul realy?:P
1118143706 M * betonamu LSM is badly designed :(
1118143730 M * eyck I've been told by Russel Coker, that vserver, grsec and all the other people are just lazy, and it's their own fault for not fixing LSM
1118143752 M * betonamu how did you answer?
1118143770 M * eyck I was just speachless
1118143783 M * eyck besides, I don't speak english that well in real life,
1118143800 M * betonamu what happen with vserver at that time? why you dont join designing LSM?
1118143814 M * betonamu ah so you meet Coker in conference?
1118143818 M * eyck yupp
1118143824 M * betonamu he is a very nice guy, anyway
1118143839 M * albeiro dsoul: :)
1118143842 M * eyck if you've got the talent and time, go ahead and fix LSM
1118143856 M * betonamu i think it is too late now
1118143865 M * eyck then go ahead,
1118143880 M * eyck that would be good for both LSM and vserver
1118143882 M * betonamu there is one paper on lwn.net about "is it time to remove LSM"
1118143889 M * eyck (and probably grsec)
1118143921 M * betonamu it will be free to everybody this Thursday. look forward to seeing what they said
1118143923 M * dsoul albeiro: ;)
1118143934 M * albeiro there is a simple way of fixing lsm
1118143950 M * albeiro throw it out and let security experts design necesary functionality
1118143976 M * dsoul no sense
1118143985 M * dsoul beter to design new kernel
1118143995 M * eyck oh, and I've been told that non-SELinux people are 14-year old brasilian programmers that can't code.
1118143995 M * albeiro right.
1118144006 M * dsoul eyck: lol
1118144013 M * albeiro i mean dsoul right now eyck ;p
1118144019 M * albeiro now/not/
1118144020 M * eyck very nice of russel to let me know that.
1118144042 M * betonamu nd I've been told that non-SELinux people are 14-year old brasilian programmers that can't code.?
1118144050 M * betonamu what is that? any typo here?
1118144055 M * betonamu i dont understand it
1118144099 M * eyck is there some problem with syntax?
1118144106 M * eyck or semantics?
1118144167 M * betonamu probably both grammatic and semantics, cause i dont understand it
1118144187 M * betonamu no-selinux peole or selinux peole?
1118144195 M * eyck non-SELinux people.
1118144196 M * betonamu s/no/non/
1118144201 M * albeiro everybody but selinux
1118144222 M * betonamu ah i see. Coker must not be serious at that time
1118144240 M * betonamu for example Linus is non-selinux :)
1118144271 M * albeiro linus publicly admited he know nothing about security
1118144273 M * betonamu but anyway that sentence above still has some problem in semantics
1118144279 M * eyck Linus is not a security guy
1118144284 M * betonamu but he can code
1118144301 M * betonamu so that makes nonsense at all :)
1118144315 M * albeiro yep. linux works. but nothing above it.
1118144352 M * eyck I don't think "so that makes nonsense at all" is english.
1118144354 M * betonamu i think ath any guys at that level (like Linus) can understand any security problem very easily (may be too easily)
1118144374 M * Xorith Apparently bill gates wasn't a security guy either. Neither were any of his hundreds of developers. :P
1118144380 M * betonamu eyck: i am not native, either :)
1118144383 M * eyck betonamu: there is a 'scientific paper' about Linus not understanding security :)))
1118144418 M * betonamu cause he doesnt pay attention. if he does, i dont see any problem.
1118144427 M * albeiro but MS is doing recent security releated decision and solutions in a right way
1118144455 M * albeiro finally they got it and are going in more or less right direction
1118144527 M * dsoul less ;P
1118144549 M * betonamu MS have all the top security experts. i think they just got problem organize their developers to work on security.
1118144567 M * albeiro dsoul: linux is going much worse way ;)
1118144586 M * dsoul albeiro: agree :)
1118144597 M * betonamu and yes, i think linux has worse record on security than MS.
1118144611 M * betonamu too much bugs on kernel recently
1118144647 M * dsoul bugs are not problem
1118144671 M * dsoul they are patched quickly
1118144685 M * betonamu why not problem?
1118144687 M * Xorith But not all admins patch.
1118144691 M * betonamu that is very bad for linux image
1118144707 M * betonamu besides, not every systems get patched quickly enough
1118144711 M * dsoul top security experts @ MS? neeeeeeee :)
1118144731 M * eyck dsoul: why not?
1118144735 M * betonamu dsoul: yes, never doubt about that. MS has a lot of top security experts
1118144778 M * Xorith They do *now*, the problem is they didn't when they started the NT arch. :P
1118144785 M * eyck hmm
1118144808 M * Xorith We were hacking NT4 out of boredom in highschool.
1118144809 M * eyck you think NT arch is insecure?
1118144826 M * Xorith It's more secure than the old 95/98 arch
1118144838 M * eyck it's more secure then linux
1118144863 M * axu_ my c64basic os is more secure then linux
1118144866 M * Xorith Perhaps in the current state.
1118144868 M * eyck not really,
1118144887 M * axu_ my c64 never got hacked
1118144894 M * eyck NT is microkernel-based OS, linux is monolithic child's toy.
1118144920 A * Xorith looks at the terminology hit the wall behind him.
1118144921 M * betonamu eyck: there are some problem with NT architecture
1118144934 M * eyck like?
1118144948 M * betonamu but GUI is in kernel, anyway, so how come it is good?
1118144960 M * eyck it's not part of original design
1118144980 M * Xorith I suppose the remote management parts aren't actually part of the arch.
1118145006 M * eyck in original design GUI run in userspace and was dog-slow :)
1118145021 M * Xorith Kinda like Gnome? :P
1118145042 M * eyck nope, GNOME is fast and runs lots of stuff in kernel mode
1118145070 M * betonamu eyck: which part of gnome in kernel?
1118145085 M * Xorith I haven't toyed with a GUI on Linux since GNOME 1 on a RH6 or 7 box, running on a 300mhz Celeron.. so I suppose it's gotten better since then.
1118145138 M * Xorith Well except for on a VM, but slowness is expected then.
1118145140 M * eyck betonamu: lot's of drawing primitives, transparency etc... everything with 'accelerated' in description ;)
1118145152 M * eyck Xorith: VM?
1118145164 M * Xorith virtual machines. ie VMware, MS Virtual PC
1118145169 M * Xorith UML
1118145212 M * Xorith I've run GNOME2 in all three of those, with performance hangs. Mostly due to the limited resources granted to the VM
1118145248 M * betonamu eyck: like what?
1118145295 M * eyck like, XVideo,
1118145319 M * betonamu xvideo? what is the kernel module for it?
1118145351 M * betonamu actually i dont use gnome, too slow. i go for fluxbox or icewm
1118145362 M * Xorith Holy crap.
1118145396 M * Xorith I guess that's a bad config. Pages of panics.
1118145457 M * axu_ eyck: transparency ? istn that just a dump copy of the framebuffer copied somewhere else and put with an tint effect ?
1118145525 M * axu_ or is the composite thingy working with gnome ?
1118145531 M * eyck isn't it?
1118145566 M * axu_ eyck: last time i tried i had real transparency through xcompmgr + transset, and fake transparency with gnome
1118145580 M * axu_ 3-4 months ago
1118145624 M * axu_ maybe should look again
1118145696 M * axu_ like if you drag an icon over a running movie (x11 output!) can you see the movie below the gnome icon ?
1118145834 Q * betonamu Ping timeout: 480 seconds
1118145912 M * eyck what?
1118145916 M * eyck I don't use gnome
1118146181 Q * Xorith Quit:
1118146240 J * rs ~rs@staff.lycos.fr
1118146303 M * eyck oh well,
1118147704 M * axu_ me neitrher ;)
1118147706 M * axu_ ok, bye folks
1118147711 P * axu_ Client exiting
1118152373 N * Bertl_zZ Bertl
1118152417 M * Bertl morning folks!
1118153454 M * Pazzo moin Bertl!
1118156036 M * ruuth Bertl: Did you get my private Message? What do you think?
1118156063 J * jsambrook ~jsambrook@aelfric.plus.com
1118156066 P * jsambrook
1118156104 M * Bertl ruuth: hmm, well, could you repeat the question please?
1118156194 M * ruuth Bertl: -> private Window
1118156256 J * shuri sjnesjd@64.235.209.226
1118156260 M * shuri ola
1118156377 M * shuri i got an hold vserver install
1118156379 M * shuri 2.4.27-vs1.29
1118156398 M * Bertl hey shuri!
1118156408 M * SiD3WiNDR Bertl: did you know vserver was mentioned in the "apache security" book? :)
1118156448 M * shuri how can i allow ping into one vserver
1118156460 M * Bertl shuri: is 'ola' just an onomatopoeic expression, or are you looking for the debian maintainer?
1118156464 M * shuri S_CAPS="CAP_NET_RAW" is not enouggh
1118156464 M * SiD3WiNDR lol
1118156472 M * SiD3WiNDR I think the first one, Bertl :)
1118156489 M * Bertl shuri: ping 'into' a vserver is not possible
1118156504 M * Bertl shuri: ping to a vserver ip works out of the box ...
1118156516 M * Bertl SiD3WiNDR: hey, and no, didn't know .. url?
1118156528 M * SiD3WiNDR hm, I have it hardcopy ;)
1118156533 M * shuri ping google.co
1118156535 M * shuri com
1118156537 M * SiD3WiNDR it's the book "Apache security" by O'Reilly
1118156550 M * Bertl shuri: you have a vserver for google?
1118156553 M * shuri ola is an onomatopoeic expression :)
1118156563 M * SiD3WiNDR when talking about separating parts and stuff, it talks about using different machines, which is expensive, or using vserver or uml :)
1118156563 M * shuri i got a server to monitoring
1118156576 M * shuri nagios / mon
1118156604 M * shuri nagios need to ping to see if other host are alaive
1118156606 M * shuri alive
1118156626 M * Bertl shuri: what a great method to verify that ...
1118156644 M * Bertl SiD3WiNDR: cool!
1118156648 M * shuri huh?
1118156696 M * Bertl shuri: well, one half of my hosts will reply to pings if if they are hard locked (kernel panic), for the other half, the router/firewall will reply the ping on behalf ;)
1118156722 M * shuri well is the router do not ping
1118156731 M * shuri of the gateway of the provider...
1118156735 M * shuri i need to know it.
1118156746 M * SiD3WiNDR Bertl: yea, thought so too. It's just a reference to the site, but still cool... stumbled upon that while reading the book :)
1118156750 M * shuri when cisco freeze it do not answer to ping:)
1118156754 M * Bertl k, so you are 'trying' to ping from _inside_ the guest, no?
1118156771 M * SiD3WiNDR yes
1118156781 M * shuri i need to be able to ping anyting from a vserver
1118156787 M * shuri even if is not secure
1118156800 M * Bertl good, you successfully added CAP_NET_RAW (on your 2.4 kernel)?
1118156804 M * shuri yes
1118156813 M * Bertl and ping still doesn't work?
1118156844 M * shuri ping: ping must run as root
1118156856 M * Bertl you are not root in your vserver?
1118156865 M * shuri yes i am
1118156867 M * shuri lol
1118156870 M * shuri vserver mon enter
1118156881 M * shuri ping x.x.x.x
1118156887 M * Bertl so what is your ping trying to tell you?
1118156908 M * shuri # ping google.com
1118156908 M * shuri ping: ping must run as root
1118156957 M * shuri any other way to allow ping?
1118156961 M * Bertl what about giving strace a chance?
1118157013 M * shuri dont know how it work..
1118157168 M * shuri i will upgrade my kernel..
1118157178 M * shuri got one box with lastest stable and it work
1118157234 M * Bertl strace -fF -o ping.log ping google.com
1118157316 M * shuri strace -fF -o ping.log ping google.com
1118157317 M * shuri ping: ping must run as root
1118157318 M * shuri hihi
1118157330 M * Bertl now upload the ping.log somewhere
1118157338 M * shuri k
1118157469 M * shuri http://shuri.electronicbox.net/ping.log
1118157586 M * shuri anyway this box is old.
1118157593 M * shuri will upgrade is to latest
1118157607 M * Bertl 2.0-rc4? good idea!
1118157622 M * shuri got 2 box on it
1118157623 M * shuri :_)
1118157630 M * Bertl really?
1118157635 M * shuri yes
1118157638 M * shuri but rc3
1118157645 M * Bertl anyway, quite fast
1118157679 M * Bertl your guest doesn't have CAP_NET_RAW ...
1118157705 M * shuri S_CAPS="CAP_NET_RAW CAP_NET_ADMIN"
1118157759 Q * erwan_taf Remote host closed the connection
1118157816 M * shuri i think the problem is the tool
1118157825 M * Bertl which tool?
1118157850 M * shuri maybe i got to much lasted utils for this kernel
1118157878 M * Bertl could be ...
1118158066 M * Doener` Bertl: http://www.oreilly.de/catalog/apachesc/chapter/ch02.pdf
1118158084 M * Doener` Page 28 (PDF) or Page 41 (Book)
1118158142 M * Doener` there's a paragraph mentioning virtualizion to be discussed in an other chapter (which is not available as preview :( )
1118158174 M * Bertl ah, thanks!
1118158191 M * Bertl btw, 2.0-rc4 looks good with legacy stuff and in the plm tests ;)
1118158228 M * shuri good to know!
1118158230 M * Doener` http://www.apachesecurity.net/about/links.html
1118158241 M * Doener` 6th links in chapter 9
1118158779 M * DaPhreak Bertl: does the -rc4 already include the xfs-fix ?!
1118158829 M * SiD3WiNDR :)
1118158836 J * erwan_taf ~erwan@81.80.43.67
1118158845 M * DaPhreak (hopefully)
1118158893 Q * erwan_taf Remote host closed the connection
1118159004 Q * rs Quit: rs
1118159006 M * Bertl DaPhreak: of course!
1118159018 M * DaPhreak Bertl: thanks ;)
1118159040 M * DaPhreak saw it a second ago on the patch --dry-run ;)
1118159196 Q * cryo Remote host closed the connection
1118159412 J * cryo ~say@212.86.243.154
1118160137 M * ruuth help! my first vserver-start-stop hangs at "saving random seed" :|
1118160216 J * erwan_taf ~erwan@81.80.43.67
1118160236 J * rs ~rs@Laubervilliers-151-13-4-57.w82-127.abo.wanadoo.fr
1118160240 M * Bertl ruuth: well, a) it's not supposed to do that, and b) you sure it hangs there?
1118160248 M * Bertl welcome erwan_taf! rs!
1118160254 M * rs re
1118160274 M * ruuth Bertl: Yes. I'm waiting for about 3 Minutes now.
1118160277 M * Bertl Doener`: just realized we have no semaphore accounting in 2.0?
1118160281 M * DaPhreak yupp Bertl ;) experienced it some times ..
1118160300 M * DaPhreak ruuth: try a `rc-update del urandom default` inside that vserver
1118160312 M * erwan_taf hey Bertl \o/
1118160316 M * ruuth DaPhreak: ok ... mom ...
1118160350 M * Doener` hmm... where did i see that code then...
1118160354 M * DaPhreak if that doesn't work, you have to edit your init-script and _remove_ urandom from the depend line
1118160368 M * Doener` i mess up stuff too often in my head lately...
1118160402 M * DaPhreak comes from thinking too hard ;) or even by head-banging (with a wall ;P)
1118160591 M * ruuth DaPhreak: it's not found in default - I see it in boot
1118160607 M * ruuth DaPhreak
1118160628 M * DaPhreak yeah ... then delete it from boot and remove it from your init-scripts :)
1118160633 M * ruuth DaPhreak: Sorry ... damn NetTalk-Program
1118160911 M * ruuth DaPhreak: It seems that the vshelper script hangs AFTER the saving random seed!
1118160942 M * DaPhreak hmm take a look at halt.sh (in /etc/init.d of your vserver)
1118160967 M * Bertl ruuth: you are using 2.0?
1118160979 M * DaPhreak and make sure you comment out the first /sbin/halt
1118160990 M * Bertl no, please don't do that
1118161001 M * DaPhreak ?
1118161012 M * Bertl ruuth: which kernel version do you use?
1118161024 M * DaPhreak Bertl: well the first halt is -idp .. and not -f ;)
1118161064 M * DaPhreak or is the -f harmful for those older than 2.0 ?
1118161114 M * Bertl no, your approach is fine, I just would like to know the kernel version and if it is fixed with 2.0-rc4 or not ...
1118161135 M * DaPhreak heh ;) ah :D
1118161160 M * DaPhreak probably not .. since -rc4 is not yet in the official portage tree (AFAIK)
1118161469 M * ruuth Bertl: 2.6.11.11-vs2.0-rc3
1118161508 M * DaPhreak ruuth: do you have an overlay-dir on the host (the physical server) ?
1118161510 M * Bertl okay, could you update to rc4 and see if it remains?
1118161587 A * DaPhreak 's rebooting to -rc4. Back in a minute or so (hopefully) ;P
1118161606 M * ruuth DaPhreak: No
1118161622 Q * ruuth Quit: Nettalk6 der Freeware IRC-Client
1118161666 J * ruuth VooDoo@topas.informatik.uni-ulm.de
1118161774 M * ruuth back again - had to update my irc client ...
1118161835 Q * ruuth Read error: Connection reset by peer
1118161883 J * ruuth VooDoo@topas.informatik.uni-ulm.de
1118162074 Q * erwan_taf Remote host closed the connection
1118162150 M * DaPhreak *grrr* ;(
1118162152 M * DaPhreak Bertl: http://pastebin.com/296562
1118162181 M * Bertl well, didn't you read the help in the config?
1118162208 M * DaPhreak eh ?
1118162213 M * DaPhreak kernel config ?!
1118162231 M * Bertl bool "Disable Legacy Networking Kernel API"
1118162234 M * Bertl This disables the legacy networking API which is required
1118162234 M * Bertl by the chbind tool. Do not disable it unless you exactly
1118162234 M * Bertl know what you are doing.
1118162256 A * DaPhreak didn't disable that one ..
1118162268 M * DaPhreak hmm i used a shitty config ...
1118162619 J * jkl eric@c-67-173-254-242.hsd1.co.comcast.net
1118162904 M * DaPhreak second try :)
1118162956 M * ruuth how can I update to rc4? my portage says that rc3 is the latest ...
1118162978 M * ruuth ~x86 unmasked
1118163030 M * dsoul if it's not in portage it do not exist ?:P
1118163190 M * ruuth dsoul: yeah! :) ... but I know it must be somewhere ;) ... and not only in the channel-topic
1118163252 M * Bertl http://vserver.13thfloor.at/Experimental/patch-2.6.11.11-vs2.0-rc4.diff.bz2 (but I guess gentoo folks will update pretty soon)
1118163383 M * ruuth Bertl: Thanks - I hope Hollow will take care of it soon ;)
1118163437 M * Hollow right ;)
1118163438 M * ruuth As soon as it is in the Portage tree - I will try, if the vserver stop keeps hanging after "saving random seed"
1118163463 M * Hollow -rc4 will get in this evening
1118163472 M * ruuth Hollow: Cool!
1118163992 M * DaPhreak $ uname -r
1118163993 M * DaPhreak 2.6.11.11-vs2.0-rc4
1118163995 M * DaPhreak ;)
1118164001 M * Bertl congrats!
1118164051 M * DaPhreak yeah :) finally :D
1118164065 M * DaPhreak now i only have to fix up that xids ;)
1118164430 M * Bertl hhmm?
1118164476 M * DaPhreak yeah .. those vservers are _very_ old ;) so that all their stuff belongs to them, i'm fixing up the xid-tags .. (for their directories, etc)
1118164878 M * Bertl okay, I'm off now .. back later ...
1118164895 N * Bertl Bertl_oO
1118164929 Q * prae Quit: Client exiting
1118166759 M * jkl i am having trouble with portforwarding to a vserver, any docs describing this?
1118166828 J * steve^ ~steve@user-2774.l6.c5.dsl.pol.co.uk
1118166829 M * steve^ hi all
1118166841 M * steve^ is the 2.6 tree stable enough for production use?
1118167256 M * ruuth Bertl: is it possible that the vshelper-script in 0.30.207 is missing the STOP argument?
1118167321 M * ruuth Bertl: I just saw that vshelper is called with "stop" and vserver pid
1118167323 Q * steve^ Ping timeout: 480 seconds
1118167400 M * ruuth DaPhreak: is it possible that the vshelper-script in 0.30.207 is missing the STOP argument? I just saw that vshelper is called with "stop" and vserver pid. I had a quick look at the script-code and found no stop section ... only *) handling all unknown
1118167696 J * erwan_ho ~erwan@konilope.dyndns.org
1118172174 M * Hollow ruuth: 2.0-rc4 is in cvs
1118172191 M * Hollow DaPhreak: ^
1118173650 M * jkl is there a way to run tcpdump from within a vserver?
1118173899 M * daniel_hozac give it CAP_NET_RAW?
1118173963 Q * erwan_ho Quit: Leaving
1118173974 M * jkl what's that?
1118174042 J * mef ~mef@targe.CS.Princeton.EDU
1118174545 J * yarihm ~yarihm@84.73.118.158
1118174586 M * yarihm yo everyone, yo Bertl_oO
1118176493 Q * albeiro Ping timeout: 480 seconds
1118176904 J * albeiro ~albeiro@procyon.romke.net
1118177613 Q * duckx Read error: Connection reset by peer
1118177615 J * duckx ~Duck@81.57.39.234
1118178546 M * Doener` g'night folks
1118178550 N * Doener` Doener_zZz
1118179308 N * Bertl_oO Bertl
1118179323 M * Bertl evening folks!
1118179404 M * case jkl: a capability for a vserver, should be in /etc/vservers/vs.conf: S_CAPS="CAP_NET_RAW CAP_NET_ADMIN", e.g.
1118179668 M * Bertl hmm, only for old configs ;)
1118179682 M * Bertl and you actually don't want to give them ;)
1118179760 M * mugwump morning
1118179808 M * mugwump how's the 2.0 release going, Bertl? Got a 0.30.208 from enrico ?
1118180202 M * Bertl well, didn't check the last 3 hours, but before we had none ...
1118180216 M * Bertl 2.0 is going fine (kernel side)
1118180404 M * mugwump I'm investigating automatic tracking of the savannah sources via svk into the openfoundry repository..
1118180581 Q * shuri Read error: Connection reset by peer
1118180716 M * mugwump blast, getting commit messages out of savannah requires you to be a project member
1118181229 J * Aiken ~james@tooax6-104.dialup.optusnet.com.au
1118181527 M * mugwump http://rafb.net/paste/results/9aHZQC55.nln.html # differences ... hmm
1118181755 M * Bertl hmm .. yeah, we should try sync up again ...
1118182021 Q * mef Remote host closed the connection
1118182656 M * Bertl mugwump: did you get around having a look at 2.0-rc*?
1118183039 M * Aiken the web page still says rc3
1118183100 M * Bertl really? well, rc4 is current ...
1118183197 M * Aiken I just downloaded rc4
1118183228 M * mugwump I'm on -pre1 atm
1118183277 M * Bertl ruuth: still around?
1118183307 M * Bertl jkl: what do you want to 'forward'?
1118183873 M * Aiken for a machine with 1gig of ram, which is better? himem support or changing the split?
1118183911 M * Bertl split, nohighmem, highmem in this order ...
1118183920 M * Bertl i.e. different split -> full 1GB
1118183932 M * Bertl no highmem -> 927MB
1118183936 M * Aiken nohimem is not an option as I want the full 1 gig
1118183949 M * Aiken I only get 896 meg with nohimem
1118183949 M * Bertl both is better than having 1GB with highmem
1118183983 M * Bertl himem on x86 is really slow ... and complicated
1118184045 M * Aiken 2.5/1.5 or 2/2? have not looked at the split before so not sure which way to go
1118184056 M * Aiken but as the option comes up with the vserver patch I thought I would try it
1118184057 M * Bertl 2/2 is probably the simplest
1118184063 M * Aiken ok
1118184766 M * jkl Bertl: tcp traffic going to port 80 with an apache webserver running in a verserver
1118184779 M * jkl vserver even
1118184815 M * jkl but i have two internet connections and was forwarding both on port 80 to the apache server
1118184821 M * Bertl no forwarding for vservers ;)
1118184826 M * jkl one would work, one wouldn't
1118184831 M * jkl well, i was trying to use DNAT
1118184834 M * jkl will that work?
1118184845 M * Bertl it should ...
1118184869 M * jkl i have a feeling that doing it on both interfaces messed something up
1118184883 M * Bertl two internet connections sound like two different gateways
1118184884 M * jkl i switched it to just one a couple hours ago and it seems to be working reliably now
1118184915 M * jkl i have two modems connected to two ethernet cards on the same machine that is running the vserver
1118184918 M * Bertl which is a little trickier, especially if you map them to a single ip
1118184926 M * jkl two separate ips
1118184934 M * Bertl for the vserver?
1118184940 M * jkl equal cost multipath routing on the host
1118184976 M * jkl apache web server running in a vserver with a firewalled NAT ip
1118185012 M * jkl vserver only has one firewalled ip address
1118185139 Q * rs Quit: rs
1118185166 M * jkl *shrug* i'm going to add the other DNAT rule back in and see if it breaks again
1118185274 M * mugwump Bertl, are all 25 bugs on http://savannah.nongnu.org/bugs/?group=util-vserver&func=browse&set=open current, or just the ones you mailed Enrico about on the list?
1118185289 M * Bertl almost all ...
1118185299 M * mugwump ouch, ok
1118185341 M * Bertl a few have been addressed by the cvs ...
1118185381 M * Bertl jkl: probably a better setup is to give 2 separate private ips to the vserver, one for each public ip ...
1118185449 M * jkl and then have the apache server bind to both
1118185456 M * Bertl precisely
1118185467 M * jkl yeah that would make a lot more sense
1118185492 M * jkl what's the easiest way to add another ip to an existing vserver?
1118185503 M * Bertl I assume new style config?
1118185511 M * jkl yes
1118185533 M * Bertl you have a dir in '..//interfaces'
1118185537 M * jkl yep
1118185547 M * jkl just add more to that eh?
1118185550 M * Bertl just copy the 0
1118185558 M * Bertl (or whatever it is called right now)
1118185566 M * Bertl then edit the ip ...
1118185642 Q * Aiken Quit: Leaving
1118185680 M * jkl so i should copy it to 1?
1118185689 M * Bertl yup, for example
1118185700 M * Bertl (the actual name doesn't really matter)
1118185781 M * jkl ok
1118185824 M * jkl is prefix the netmask?
1118185863 M * Bertl the network prefix, yes ... keep in mind, unless you make a multitable routing setup (for the two gateways) the packets leaving the guest will originate from the first assigned ip
1118185880 J * Aiken ~james@tooax6-104.dialup.optusnet.com.au
1118185913 M * jkl egh, yeah you're right
1118185938 M * jkl so i'll have to mark the packets as they come into the guest to make sure they go back out over the correct interface
1118185940 M * jkl ?
1118185969 M * Bertl depends, connection tracking should take care of that if you do DNAT
1118186001 M * Bertl if you have guest originating packets, you will need to get an MT setup
1118186120 Q * yarihm Quit: Leaving
1118186441 M * jkl sweet, i think that did it
1118186769 M * Aiken rc4 with a 2/2 split seems to be working ok for me
1118186785 M * Bertl good!
1118186974 M * mugwump (svn merge)++
1118187049 M * Aiken I keep forgetting how to setup the hardcpu limit
1118187076 M * Bertl token bucket ;)
1118187134 M * mugwump (svn merge)++ # another CVS revision cleanly merged into SVN without a hitch!
1118187144 M * Bertl cool!
1118187199 Q * matti Ping timeout: 480 seconds
1118187388 M * mugwump rightio ... r146 of http://svn.openfoundry.org/utilvserver/trunk has had all changes from 2005-04-28 to HEAD merged
1118187555 M * mugwump changes up to 2005-04-30 seemed to already be applied to HEAD, so no changes were needed (as seen with merge in version r142)
1118187566 M * mugwump the rest applied cleanly with no manual intervention required
1118187601 M * Bertl okay, so the svn repository (HEAD) is now in sync with enrico's changes?
1118187625 M * mugwump I believe so!
1118187639 M * Bertl excellent, will test it asap ...
1118187744 M * mugwump that would be good, perhaps check with diff or something it matches the head revision from CVS you've been working with, or that the differences are inconsequential..
1118187766 M * mugwump then we can crack on with the major issues you mentioned in the list e-mail
1118187956 M * Aiken I got it working following http://www.paul.sladen.org/vserver/archives/200412/0099.html
1118187980 M * Aiken is that the way to set up the cpu limit or is there an easier way, ie just specify 20%
1118188005 M * Bertl hehe, well, that is the way, and it's actually pretty easy too
1118188038 M * Bertl the parameters you set here are part of the config now
1118188055 M * Bertl so you can simply enter them there, no need for hardcore flag setting and such
1118188083 M * Bertl the basic elements (FillRate, Interval, Min/max) are the same
1118188110 M * Aiken so I assume some overhead on the host is normal???
1118188125 M * Aiken xp1600, I have the vserver limited to 50% and the host is 30% idle
1118188141 M * Bertl your settings are?
1118188160 M * Aiken 50
1118188161 M * Aiken 100
1118188161 M * Aiken 600
1118188161 M * Aiken 0
1118188161 M * Aiken 500
1118188162 M * Aiken 0
1118188177 M * Aiken the example on that post with the first line 50 instead of 20
1118188200 M * Bertl how do you test, (i.e. what is running inside?)
1118188228 M * mugwump you can reduce that 50/100 to 1/2 if you like
1118188246 M * Bertl Aiken: and most important, did you enable the limit idle task option in the kernel?
1118188252 M * Aiken at the moment ssh into the vserver with top running with an update interval of zero
1118188284 M * Aiken no
1118188292 M * Aiken time for another kernel compile?
1118188298 M * Bertl hmm, this probably includes network stuff too ... you should get a real cpu-hog ...
1118188316 M * mugwump perl -e "1 while 1" is my favourite :)
1118188358 M * Bertl yeah, or if you prefer C ... http://vserver.13thfloor.at/Experimental/TOOLS/cpuhog.c
1118188358 M * Aiken mugwump much better example
1118188379 M * Aiken vserver is holding 50% and the host is 40 - 45% idle
1118188425 M * Aiken I can live with that
1118188425 M * Bertl you get 'preciser' limits with the idle task limiting enabled
1118188441 M * Bertl but it also adds more overhead in form of task switching
1118188458 M * mugwump (english nitpick: that's "more precise" ;)
1118188465 M * Aiken "but increases scheduling overhead" put me off enabling it at the time
1118188475 M * Bertl mugwump: oops, thanks!
1118188514 M * Bertl Aiken: basically the overhead/quality tradeoff goes like this:
1118188548 M * Bertl No-Limit - Priority Scheduler - Hard CPU Limits - Hard With Idle Limits
1118188572 M * Bertl from left to right you increase the overhead and precision ...
1118188635 M * mugwump of course this "overhead" is still very difficult to measure even on the maximum setting AIUI
1118188668 M * Bertl yes, it also depends on the number of processes
1118188709 M * Bertl for example, an interesting corner case is when a number of processes which are not really cpu bound are constantly accessing the disk subsystem
1118188742 M * Aiken lots of swap or a big compile
1118188766 M * Bertl in this case it is very important to keep the interval high, with a given rate/interval ratio