1128816111 M * antagonist goodnight folks.
1128816116 Q * antagonist Quit: Leaving
1128816124 J * yarihm ~yarihm@84-74-18-28.dclient.hispeed.ch
1128816155 M * gndmstr ok so i need to get a 13.2 kernel.. np
1128816814 M * daniel_hozac i'd assume the 13.2 patch applies to 13.3 except for the Makefile.
1128816882 M * Bertl yep, so should be fine as is (base-kernel wise)
1128817209 M * gndmstr ok. i have 13.2 also so ill try 13.3 first and if it has a problem ill go to 13.2
1128817241 M * Bertl excellent!
1128817363 M * Bertl okay, I'm off to bed .. a little tired right now ... maybe back later ...
1128817369 M * gndmstr ok
1128817379 M * gndmstr will have some results in the list for you then
1128817387 M * Bertl gndmstr: thanks for testing!
1128817397 N * Bertl Bertl_zZ
1128817407 M * gndmstr no prob. weekends and nights especially on weekends i can do this easily and not worry about production
1128819584 Q * yarihm Quit: Leaving
1128820181 J * ntrs_ ~ntrs@68-188-50-87.dhcp.stls.mo.charter.com
1128820181 Q * ntrs Read error: Connection reset by peer
1128821438 M * daniel_hozac mm->total_vm += len >> PAGE_SHIFT; should be replaced by vx_vmpages_add(len >> PAGE_SHIFT);, right?
1128823768 J * lownoize ~lownoize@p54ACA321.dip0.t-ipconnect.de
1128823781 M * lownoize hi
1128824473 M * daniel_hozac hello
1128825160 M * lownoize I'm clueless with my routing
1128825285 M * lownoize i have a vserver setup with 2 vservers, each vserver has a physical interface eth2 10.2.2.2/24 and eth3 192.168.10.244/24
1128825328 M * lownoize packets enter the vserver with 10.2.2.2 over the right physical interface and leave over the interface from the other vserver
1128825504 M * lownoize somebody has a clue how to fix this?
1128825932 J * jayeola ~jayeola@host-87-74-35-59.bulldogdsl.com
1128825942 M * jayeola hey chaps. any one awake?
1128825981 M * lownoize I'm awake tryn to fix my routing ;)
1128826046 M * jayeola ok - quite simple question to start, i guess that you install *nix on a box as a "base" or "minimal" install, then you get kernel, build, patch, install vserver?
1128826056 M * jayeola that kinda like the right order?
1128826068 M * daniel_hozac minimal/base won't do as you need to be able to compile.
1128826098 M * lownoize i have a minimal install on vserver and do the kernel builds on an extra box
1128826105 M * jayeola um, minimal as possible. of course one needs the tools (make gcc ncurses..)
1128826151 M * lownoize yes
1128826198 M * jayeola so that implies that one doesn't have X, multimedia apps and so on until u've got yr vserver up and running?
1128826260 M * lownoize yes thats my setup here
1128826263 M * daniel_hozac well, i guess. X isn't really vserverable though, at least not in a secure way.
1128826321 M * jayeola right. i have that situation right now. no X, base install from a debian sarge business card cd....
1128826347 M * jayeola just installing vim, make, gcc, ncurses and that's about it....
1128826394 M * lownoize yes then get kernel src, patch it, configure it, compile it, reboot .....
1128826408 M * jayeola hmm, but that's weird, xservers aren't really X-able and Xen isn't acpi-able....
1128826446 M * jayeola yah - i'm using this as a guide :- http://deb.riseup.net/vserver/preparing/
1128826479 M * jayeola may mean that i'll use "mutt" within one of those guests :/
1128826567 M * jayeola lownoize: would you mind if i ask some more questions in a while, prolly at compile time?
1128826591 M * lownoize jayeola, no prob looks like im some time awake
1128826600 M * jayeola ty!
1128826625 M * jayeola btw, is that url i pasted above a good guide??
1128826635 M * jayeola looks ok to me but what would i know?
1128826666 M * lownoize looks ok for debian
1128826687 M * jayeola what's your distro if you don't mind me asking?
1128826698 M * lownoize here is slackware
1128826702 M * jayeola k
1128826796 M * jayeola oh - finally before i start building/compiling... i've seen quite a few threads where fc ppl have had trouble with vservers. this still the case?
1128826816 M * lownoize here it works fine
1128826846 M * daniel_hozac Fedora Core? FibreChannel?
1128826859 M * jayeola fedora
1128826867 A * jayeola shuts the **** up and gets building
1128826891 M * daniel_hozac i use nothing but Fedora here, never had any real problems.
1128827095 M * lownoize hmm can't get my 2 vservers working with 2 different default gateways
1128827163 M * daniel_hozac lownoize: ip rule... trickery?
1128827215 M * daniel_hozac lownoize: please keep it in the channel, as it's logged.
1128827226 M * lownoize ok
1128827244 M * lownoize tried that config
1128827250 M * lownoize ip route add 10.2.2.0/24 dev eth2 table 102
1128827251 M * lownoize ip route add default via 10.2.2.200 dev eth2 table 102
1128827251 M * lownoize ip rule add from 10.2.2.0/24 table 102
1128827257 M * lownoize ip rule add from 10.2.2.0/24 table 102
1128827257 M * lownoize RTNETLINK answers: Invalid argument
1128827270 M * lownoize looked thru many mailinglist postings ...
1128827362 M * lownoize i what i have seen that should work?
1128827375 M * lownoize but does not ;(
1128827386 M * daniel_hozac you run the last command twice.
1128827392 M * lownoize no only once
1128827412 M * daniel_hozac the last two are equivalent, i mean.
1128827421 M * lownoize cute and paste error
1128827423 M * lownoize cut
1128827580 M * lownoize could be a kernel misconfiguration
1128827876 M * jayeola is 2.6.12.6 ok for vservers?
1128827886 M * jayeola the kernel, that is
1128827922 M * daniel_hozac why not 2.6.13.3?
1128827941 M * jayeola my buddy tried that and had major issues
1128827973 M * jayeola and he actually knows what he's doing, unlike me that's only following a guide
1128827974 M * daniel_hozac as in? i'm still building it myself, but it's supposed to work well.
1128828021 M * jayeola to be honest i dunno. *ahem* i hardly understand what he's saying half the time :/
1128829470 M * jayeola any debian users here?
1128829757 J * sebi_ ~sebi@Fd10d.f.strato-dslnet.de
1128829854 Q * sebi Ping timeout: 480 seconds
1128830019 M * gndmstr lownoize: your problem is kernel configuration. you need to enable the advanced routing and multicast.. typically the biggest need is this config option in .config CONFIG_IP_MULTIPLE_TABLES=y
1128830051 M * gndmstr i just went through that exact same thing tonight on a new install
1128830055 M * gndmstr forgot to enable that stuff
1128830180 M * gndmstr im running 2.6.13.3 on 3 hosts and its running beautifully. there were some issues on some smp hardware that were resolved with the rc4 patch
1128830223 M * gndmstr mostly dealing with stop timeouts and kernel oops afterward
1128830304 M * gndmstr im testing the stable branch with the patch fixes now and it seems to be working fine:)
1128831965 M * gndmstr im off to bed. see y'all tomorrow
1128831979 Q * gndmstr Remote host closed the connection
1128833188 Q * lownoize Remote host closed the connection
1128833586 Q * dddd44 Read error: Connection reset by peer
1128840668 J * RebootMonkey ask@28.burningd.enterconnect.net
1128845833 J * menomc ~amery@200.75.27.12
1128845833 Q * RebootMonkey Read error: Connection reset by peer
1128845914 Q * mnemoc Read error: Connection reset by peer
1128845914 N * menomc mnemoc
1128846401 Q * yungyuc Read error: Connection reset by peer
1128847004 J * yungyuc ~yungyuc@220-135-53-220.HINET-IP.hinet.net
1128851844 J * RebootMonkey ask@28.burningd.enterconnect.net
1128852864 Q * Hollow Ping timeout: 480 seconds
1128852902 J * Hollow ~hollow@home.xnull.de
1128853367 Q * Hollow Remote host closed the connection
1128853375 J * Hollow ~hollow@home.xnull.de
1128855300 Q * Aiken Ping timeout: 480 seconds
1128859218 J * Blissex pcg@82-69-39-138.dsl.in-addr.zen.co.uk
1128859421 J * crayzzboy ~uYeHvJyQ@85.96.123.235
1128859463 Q * crayzzboy Quit:
1128859481 J * yarihm ~yarihm@84-74-18-28.dclient.hispeed.ch
1128860835 J * samuel_ ~samuel@24.203.200.211
1128860837 M * samuel_ hi
1128860928 M * samuel_ should I use a dummy interface or alias on my ethernet interface for my VS?
1128861086 M * samuel_ and how I can set more than one interface/ip addr in my VS?
1128861240 M * Blissex samuel_: I am not sure, but there is no need to do anything special.
1128861272 M * Blissex samuel_: all that 'chbind' does is to set the _default_ IP address to substitute for '0.0.0.0'
1128862029 M * samuel_ ok
1128862439 J * johnny06 ~chatzilla@AAnnecy-103-1-21-2.w80-11.abo.wanadoo.fr
1128862479 P * johnny06
1128862485 J * claus ~moony@p5496FDEC.dip.t-dialin.net
1128862530 P * claus
1128862766 M * samuel_ ok I don't know for multiple interfaces, but for multiple ips that seems to work:
1128862799 M * samuel_ echo myip > /etc/vservers/vsname/interfaces/0/ip
1128862803 M * samuel_ echo myip > /etc/vservers/vsname/interfaces/1/ip
1128868535 Q * Blissex Read error: Connection reset by peer
1128869382 N * Bertl_zZ Bertl
1128869418 M * Bertl morning folks!
1128869433 M * samuel_ morning Bertl
1128869455 M * Bertl samuel_: the concept is simple: if you want the tools to create an ip (or even alias) then you have to specify the interface
1128869470 M * Bertl except for that, linux-vserver doesn't care about the interfaces
1128869516 M * samuel_ 'tools' you mean 'network applications' (ssh, apache, ...)
1128869527 M * Bertl no, I mean util-vserver
1128869551 M * samuel_ ok, but I need 4 ip addresses in my vserver
1128869555 M * Bertl the linux-vserver networking, as it is now, does nothing but restrict the IPs ...
1128869567 M * samuel_ ok
1128869568 M * Bertl so you have three options there:
1128869583 M * samuel_ and what's the point of using multiple dummy interfaces?
1128869595 M * samuel_ ok
1128869597 M * Bertl 1) create 4 IPs on the host (on arbitrary interfaces) and assign them to the guest (just ip entry)
1128869640 M * Bertl 2) let some or all of those IPs be created by the tools (util-vserver) (this needs at least an interface to work)
1128869670 M * Bertl 3) let some or all of those IPs be created as aliases (again, by util-vserver). this also needs a name ...
1128869684 M * samuel_ ok
1128869721 M * samuel_ how do you specify multiple aliases in etc/vservers/?
1128869728 M * samuel_ (i can read the doc)
1128869767 M * Bertl /etc/vservers/<name>/interfaces/<id>/{ip,dev,name}
1128869774 M * samuel_ oh ok
1128869785 M * Bertl for aliases you need ip, dev and name (name is the alias name)
1128869796 M * Bertl prefix would be advised if you are on a network :)
1128869813 M * samuel_ I had the dev not in 'id' but direct into interfaces/
1128869820 M * Bertl the <id> is arbitrary, but 0,1,2,3 would make sense
1128870125 J * samuel__ ~samuel@24.203.200.211
1128870129 Q * samuel_ Read error: Connection reset by peer
1128870136 M * samuel__ sorry
1128870149 M * samuel__ my ethernet jack died
1128870157 M * Bertl happens ...
1128870160 M * samuel__ but, just a last question (for the next hour) what's the point of using multiple dummy
1128870160 M * samuel__ interfaces if the contextualization is on the 'IP' side?
1128870160 M * samuel__ I mean, whats the difference between dummy0:alias{0,1,2,3} and dummy{0,1,2,3}
1128870160 M * samuel__ or eth0:alias{0,1,2,...}
1128870162 M * samuel__ i'll make some coffee... my girlfriend will be mad
1128870264 M * Bertl the difference is, that the IP will be shown on a different interface .. i.e. if you restrict visibility, only interface(s) will be seen which carry permitted IPs ... in some cases, you can also use the interface for iptable rules
1128870366 M * samuel__ ok thats nice, thanks for all (i'll write my 'path' into a wiki...)
1128870382 M * samuel__ i'll be back later
1128870863 Q * samuel__ Ping timeout: 480 seconds
1128871356 J * gndmstr ~gndmstr@ip1.pathworx.sbbsnet.net
1128871933 J * liquid3649 ~inet@p5497515B.dip.t-dialin.net
1128872454 M * gndmstr good evening Bertl :)
1128872463 M * gndmstr so far 2.0.1 is behaving completely
1128872530 M * Bertl evening gndmstr!
1128872570 M * Bertl yeah, thought so, we changed a few things in 2.1.x and obviously that broke the exit behaviour (the bug you experienced)
1128872598 M * Bertl but now it's fixed, again, many thanks to you ...
1128872700 M * gndmstr funny how it was only on certain platforms.. that same 'broken' code worked perfectly on the first host i did which was a single processor machine
1128872779 M * Bertl yes, the race was in a small window, and as all races, it required some kind of concurrency ...
1128872803 M * gndmstr ill just let the stable run rather than switch it back. once i get the dell ready for prime time and get it loaded with all new installs of the guests, then that one machine we were working with can be a short term devel platform until the boss decides to remove it from the rack.
1128872805 M * gndmstr ahh
1128872868 M * Bertl excellent ...
1128872946 M * Bertl okay, have to get some work done, will be back later ...
1128872955 N * Bertl Bertl_oO
1128873018 Q * gndmstr Remote host closed the connection
1128874577 Q * kevinp Read error: Connection reset by peer
1128874623 J * kevinp ~kevinp@ny.webpipe.net
1128874872 Q * liquid3649 Read error: Connection reset by peer
1128875087 M * jayeola hey guys... when one does "make-kpkg --rootcmd fakeroot --revision custom01 --added-patches vserver --append-to-version +vserver --initrd binary-arch", the `binary-arch is the arch of the machine, right? like 2.6.12-1-686, yah?
1128875370 M * micah jayeola: no
1128875376 M * micah jayeola: its the literal words binary-arch
1128875407 M * micah binary-arch is a target to make-kpkg
1128875415 M * micah from the make-kpkg man page:
1128875415 M * micah binary-arch
1128875415 M * micah This target produces the arch dependent packages by running the targets kernel_headers and kernel_image.
1128875495 M * jayeola yah - thanks i replaced the string binary-arch with the kernel version and the make process borked, so i've used the actual string
1128875591 M * jayeola slight point that's confusing me.. from here:- http://deb.riseup.net/vserver/preparing/ there's no `make modules_install && make install stage", is that taken care of by the command that i pasted above ^^ ?
1128876859 J * lownoize ~lownoize@p54ACA321.dip0.t-ipconnect.de
1128876863 M * lownoize re
1128876872 M * micah jayeola: yes
1128876880 M * lownoize daniel_hozac, thanks after a new kernel build everything works fine
1128876882 M * micah jayeola: the debian make-kpkg takes care of that
1128876899 M * micah jayeola: as long as you install the resulting .debs (dpkg -i) they will be installed
1128876917 M * micah jayeola: thats step 5, install your kernel
1128877772 J * Rabiul ~Rabiul@202.52.213.210
1128877847 M * Rabiul hello
1128877922 P * Rabiul Leaving
1128878401 M * jayeola ty micah !
1128880603 M * yarihm the capset-problem with bind is probably a rather old one ... but what's the recommended workaround?
1128880613 M * yarihm (in a vserver i mean of course)
1128880886 M * yarihm ok, got it
1128881447 J * samuel__ ~samuel@66.131.244.77
1128882247 M * jayeola when setting up a new vserver, can one allocate the address given by ifconfig to the LISTENADDRESS given by ifconfig?
1128882273 M * jayeola um, you know what i mean :/
1128882913 M * micah jayeola: not sure I do know what you mean
1128883084 Q * Johnsie Quit: G'bye!
1128883225 J * Johnsie ~john@acs-24-154-53-217.zoominternet.net
1128883902 M * daniel_hozac how do you make sure that your built kernel won't have any "vx_rmap_pid: undefined symbol" problems? grep -Hr vx_rmap_pid . | grep 'Binary file'?
1128886134 J * liquid3649 ~liquid@p5497515B.dip.t-dialin.net
1128886138 Q * liquid3649 Quit:
1128886200 J * liquid3649 ~liquid@p5497515B.dip.t-dialin.net
1128887384 Q * liquid3649 Ping timeout: 480 seconds
1128889329 J * gndmstr ~gndmstr@ip1.pathworx.sbbsnet.net
1128889333 J * stefani ~stefani@c-24-19-46-211.hsd1.wa.comcast.net
1128889491 J * Doener ~doener@i5387D6BE.versanet.de
1128889984 Q * gndmstr Quit: using sirc version 2.211+KSIRC/1.3.12
1128890503 Q * samuel__ Ping timeout: 480 seconds
1128890765 P * stefani parting (is such sweet sorrow)
1128894327 J * gndmstr ~gndmstr@ip1.pathworx.sbbsnet.net
1128894370 Q * Doener Quit: Leaving
1128894402 M * gndmstr there is no way of controlling other guests from within a guest is there? which means if i want our nagios monitor to be able to restart services within a guest or even restart a guest without human intervention then it must run on the host.. right?
1128894442 M * daniel_hozac without having the guest ssh to the other guests, right.
1128894457 M * gndmstr easiest way yes
1128894477 M * gndmstr if it has to ssh and do all kinds of nutty stuff it isnt worth keeping it in a guest
1128894512 J * Aiken ~james@203.164.233.62
1128894536 M * gndmstr looking for the simplest setup possible.. and since there should not be any performance changes between running in a guest or the host for the system, i think the host would be the logical choice
1128894591 M * gndmstr AIKEN!!! you did it!! that suggestion you gave me about removing :0 from kdmrc staticservers worked like a champ! now i just have to solve any other issues that may pop up in putting it into a guest :)
1128894626 M * gndmstr first test is to pull the vid card and see if it still behaves :)
1128894660 M * Aiken cool
1128894720 M * Aiken have only run 1 machine without a video card and that just involved a bios option to stop the bios from halting on video errors during POST
1128894778 M * gndmstr yeah its just to be sure its not trying to access vid card in any way..last thing i need is corruption of my desktop when someone logs into the remote
1128894778 M * Aiken though was always a pain if it played up and had to connect a keyboard and monitor to it
1128894826 M * gndmstr yeah.. that machine will remain a full machine after the no vid test.. just making sure no vid action at all before i mess with it as a guest on my main workstation
1128894856 M * daniel_hozac a guest shouldn't be able to mess with the video card unless you give it special devices and/or caps.
1128894891 M * gndmstr ok cool. wasnt sure if any of the gui stuff was messing directly or not.. not a gui expert here, i just use them:)
1128894929 M * gndmstr hopefully this will work as it will free up an entire machine that can be used more efficiently elsewhere
1128894993 M * gndmstr wonder if tarring the entire machine as it sits, and placing it into a guest then overlaying a vserver baselayout is enough
1128895069 M * gndmstr i think until i find all the offending configs, ill be getting a lot of "I can't do that Dave..." stuff
1128895182 M * gndmstr back to nagios..it has the ability to execute commands when it finds a service or entire system not responding properly, so i figured on the host it could use the vserver exec command to restart the offending service, if that doesnt work, restart the guest, then if that doesnt work page me.. will save me getting pages for simple things
1128895209 M * gndmstr especially at 3am
1128895318 M * gndmstr but the boss suggested running it in a guest, but i cant see any easy way to accomplish these things when run as a guest
1128895423 J * mrec_ ~revenger@p54B0375E.dip0.t-ipconnect.de
1128895843 Q * mrec Ping timeout: 480 seconds
1128896158 N * Bertl_oO Bertl
1128896162 M * Bertl evening folks!
1128896253 M * gndmstr evening Bertl!
1128896306 M * gndmstr Bertl Aiken gave me my first big glimmer of hope to being able to run a remote desktop server as a guest :) it no longer tries to access the vid card nor runs X
1128896330 M * Bertl good!
1128896362 M * Bertl X servers do not depend on local video/hardware access
1128896382 M * Bertl (that is just the most used configuration :)
1128896391 M * gndmstr im not looking forward to this.. hehe i just defined the first 14 guests on the Dell.. now i have to configure them all, then it goes into the rack..
1128896392 M * gndmstr ahh i see
1128896394 M * gndmstr cool
1128896430 M * Bertl so you're now heading for the real thing?
1128896481 M * gndmstr yep host os is installed and running, 4 nics are installed and up and all the guests have been defined with the template installed.. next it goes to the rack and i put the proper services and configs in place in each one and put into production one at a time
1128896517 M * gndmstr ill configure the next 4 nics as they are needed when i get to some of the other servers
1128896568 M * gndmstr when im done it will be hosting 37 total guests.. the rest have to remain unique hardware
1128896603 M * gndmstr which hopefully will leave enough resource room to define several more as needed in the future
1128896648 M * gndmstr on guests that dont need more than 1 processor, does it help to limit them to 1 cpu or is it better just to let it fly with all 4 as the host wishes
1128896960 J * FireEgl Atlantica@Atlantica.DollarDNS.Net
1128897004 M * Bertl welcome FireEgl!
1128897010 M * FireEgl =D Thanks
1128897024 M * daniel_hozac Bertl: hints on detecting vx_rmap_pid problems prior to running the kernel? would grep -Hr vx_rmap_pid . | grep 'Binary file' do?
1128897077 M * Bertl hmm, maybe, better would definitely be to use objdump -s
1128897158 M * FireEgl Anybody here using vserver and grsec? I can't find a newer patch for 2.6 kernels besides the one on http://team.lea-linux.org/bgigon/vserver/mirror/ which isn't that new (June 13th). =/
1128897231 M * Bertl is there a newer grsec patch available?
1128897252 M * mnemoc 2.1.7-almost
1128897258 M * mnemoc for 2.6.13
1128897268 M * mnemoc but merging with vserver is _big_ pain
1128897289 M * FireEgl No, that patch I mentioned has the latest released grsecurity, but it doesn't contain the latest vserver or Linux kernel.
1128897292 M * mnemoc it seems spender is waiting for 2.6.14
1128897649 M * Bertl hmm, does the latest released grsecurity apply to 2.6.13.3 ?
1128897702 M * Bertl mnemoc, FireEgl: I'd suggest to do the following:
1128897705 M * FireEgl Bertl: Not the released one.. but you can get the grsec that's in CVS, and apply the .3 kernel patch to it to make it 2.6.13.3-grsec.. That's what I'm running now.
1128897718 M * Bertl - get the 'combined' patch (if it works :)
1128897736 M * Bertl - get the base patch for linux vserver
1128897747 M * Bertl - get the base patch for grsec (same versions)
1128897782 M * Bertl - build the deltas A (vserver-grsec) and B (grsec-vserver)
1128897794 M * Bertl you now have stackable patches ...
1128897817 M * Bertl - compare (interdiff) them with the 'newer' patches
1128897833 M * Bertl - apply the diff to the old patches to the new ones ...
1128897865 M * Bertl other approach, make a grsec/vserver delta diff
1128897877 M * Bertl apply that to the new patches
1128898002 M * FireEgl gosh.. I'm not THAT good at diff'ing and patching stuff.. Sounds too complicated for me. =/ Besides, I don't know C in case the code needs to be modified.
1128898214 M * mnemoc i'll try
1128898220 M * FireEgl =D
1128898232 M * Bertl well, the more important question is, does the grsec+vserver combined patch work as you expect?
1128898249 M * mnemoc at least it used to work ;)
1128898301 M * FireEgl I haven't tried it.. I just saw the old patch and got discouraged from even trying to use it.
1128898323 M * Bertl mnemoc: k, let me know if you need anything ...
1128898344 M * mnemoc don't doubt ;)
1128898424 M * Bertl FireEgl: which parts do you plan to use of the grsec patch/features?
1128898508 M * FireEgl Bertl: All of it, except the RBAC part.
1128898579 M * Bertl k, could you describe them to me, I'd like to get a feeling for _what_ folks use there ...
1128898600 M * Bertl michal: ping!
1128898632 M * FireEgl Bertl: http://www.grsecurity.net/features.php
1128898663 M * michal Bertl: pong !
1128898724 M * Bertl ah, you're here, great! we had a talk about possible integration of rsbac, pax and vserver ...
1128898726 M * mnemoc i have a not tested vserver-pax patch of 2.0.1-pre2 for 2.6.11.12
1128898732 M * lownoize FireEgl, why not selinux?
1128898784 M * mnemoc selinux is _very_ hard to use, so it's implicitly insecure
1128898800 M * Bertl sounds like an excellent moment to have a short discussion/brainstorming about 'security patches and linux-vserver' no?
1128898835 M * mnemoc :)
1128898855 M * Bertl just for a starting point, I consider PaX the most useful patch/enhancement ATM ..
1128898865 A * michal agrees
1128898868 M * Bertl a) because it seems to work out of the box
1128898883 M * Bertl b) because it immediately adds 'some' security
1128898897 M * mnemoc having PIE binaries, yes
1128898908 M * daniel_hozac what does PaX do, exactly?
1128898912 M * mnemoc SSP is more direct
1128898922 M * mnemoc like PIC, but for executables
1128898965 M * mnemoc randomization
1128898969 M * FireEgl lownoize: Well selinux isn't working quite right in Debian.. So I'm holding off on using it.. Besides, selinux and grsec can be used together.. (except the RBAC/MAC stuff)
1128898969 M * michal pax + pie binaries + ssp is the usual and reasonable combination
1128898980 M * michal pie binaries crafted in some clever way of course
1128898982 M * Bertl daniel_hozac: http://pax.grsecurity.net/
1128898995 M * daniel_hozac Bertl: i've been there many times, i never quite understood what it did though ;)
1128899008 J * traffic ~gorecki@home.negativeiq.com
1128899013 M * Bertl welcome traffic!
1128899023 M * traffic hello
1128899026 M * Bertl daniel_hozac: ah, okay, maybe michal can explain in a few words?
1128899051 M * michal let's say it follows simple principles:
1128899065 M * Bertl FireEgl: can I assume that you would use/utilize PaX?
1128899074 M * michal no uncontrolled (arbitrary) execution of code. it achieves it with
1128899094 M * FireEgl Bertl: yep.. I use that too.
1128899097 M * michal making those parts of process memory unexecutable that should be made so
1128899162 M * Bertl I'd assume that the PaX code does not really interfere/overlap with linux-vserver code ... so adding/combining that should be easy, no?
1128899163 M * michal so new executable code cannot be introduced into process memory space
1128899178 M * daniel_hozac so non-executable pages, is that it?
1128899187 M * michal along with randomization and ssp it can also prevent changing program executing flow (redirecting program to execute another code that is already present in process memory space)
1128899200 M * Bertl daniel_hozac: basically with all problems and 'solutions'
1128899220 M * michal it used to be common technique to defeat non exec solutions, but is no longer
1128899274 M * michal having properly configured pax you can be sure nobody introduces and executes her arbitrary code.
1128899289 M * michal (fast, simple, inaccurate but showing a point ;)
1128899289 M * daniel_hozac sounds like features i already have then ;)
1128899382 M * Bertl btw, @all security aware folks, what do you think about the stuff Sebastian Krahmer (SuSE) is doing (Code Chunk Borrow Technique)
1128899444 M * FireEgl BTW.. PaX, PIE/SSP, and MAC are all nicely explained here.. http://www.gentoo.org/proj/en/hardened/primer.xml
1128899460 M * Bertl ah, cool!
1128899500 M * lownoize Bertl u mean the non exec stuff on x64 cpus?
1128899524 M * Bertl yeah, basically it circumvents the no execution plan ...
1128899542 M * Bertl (for those interested: http://www.suse.de/~krahmer/no-nx.pdf )
1128899728 M * mnemoc thanks Bertl
1128899974 M * gndmstr i thought i saw it somewhere on the site, but now i cant find it.. is there a reasonably easy way to be sure all guests auto-start in a certain order? and shut down in reverse order exactly?
1128900069 M * mnemoc gndmstr: rc.d/vservers-default
1128900083 M * mnemoc gndmstr: and using dependencies
1128900104 M * Bertl gndmstr: yes, basically they are started in parallel (to some degree)
1128900115 M * Bertl gndmstr: but you can use the # depends
1128900115 M * Bertl This file is used to configure vservers which must be running before the current vserver can be started. At shutdown, the current vserver will be stopped before its dependencies. Contents of this file are vserver ids (one name per line).
1128900147 M * mnemoc daniel_hozac: where do you have PAX features?
1128900194 M * daniel_hozac ExecShield sounds like pretty much the same thing.
1128900206 M * gndmstr cool. im looking for the vservers-default script but cant find it... will keep looking
1128900208 M * gndmstr thanks!
1128900257 J * douglas ~douglas@douglas.user.oftc.net
1128900259 M * douglas hey
1128900267 M * Bertl welcome douglas!
1128900294 M * douglas I got a quick question, I'm installing centos4 as a vserver and it doesn't come with a reboot command, is there a basic script that can be used throughout vservers so that customers can reboot their own vserver?
1128900309 M * mnemoc gndmstr: it's on your init.d dir
1128900361 M * daniel_hozac douglas: install SysVinit
1128900465 M * douglas daniel its already installed but I dont see a reboot command
1128900475 M * daniel_hozac douglas: /sbin/reboot?
1128900501 M * douglas nope
1128900502 M * mnemoc init 6?
1128900503 M * douglas its centos4
1128900515 M * douglas I dont have much experience with centos4
1128900624 M * daniel_hozac douglas: /sbin/reboot is in SysVinit, and it's a symlink to /sbin/halt.
1128900659 M * douglas bash-3.00# ls -al /sbin/halt
1128900659 M * douglas lrwxrwxrwx 1 root root 6 Oct 9 18:48 /sbin/halt -> reboot
1128900674 M * douglas yea
1128900677 M * douglas but reboot doesn't exist
1128900678 M * douglas hold on
1128900736 M * daniel_hozac well, i'm looking at CentOS 4.1's RPM, and it has /sbin/halt as the real binary, and reboot as a symlink to it.
1128900760 M * douglas ahh so reboot is supposed to be linked to halt as in /sbin/reboot /sbin/halt ?
1128900769 M * douglas well in centos41 its diff, halt is linked to reboot
1128900773 M * douglas reboot is the binary
1128900804 M * Bertl seriously, does it matter?
1128900831 M * douglas well I would like reboot to work so I mean the specifics dont I guess, cuz reboot doesn't exist and I think my script accidentally deleted it
1128900833 M * douglas teehee
1128900834 M * douglas :)
1128900850 Q * yarihm Quit: Leaving
1128900865 M * Bertl douglas: that sounds more reasonable ...
1128900874 M * douglas heh what are you implying bertl?
1128900874 M * douglas :)
1128900911 M * Bertl that it a) doesn't matter if halt is a symlink to reboot or the other way round, and b) if you don't have the binary (because you removed it) you have to reinstall it :)
1128900962 M * douglas haha
1128900971 M * daniel_hozac rpm2cpio is your friend ;)
1128900981 M * douglas very tactfully said bertl
1128900982 M * douglas :)
1128900998 M * douglas hmm
1128901012 M * douglas is /dev/reboot ok to have in the vserver?
1128901024 M * douglas cuz the reboot proggy is erroring out saying it requires /dev/reboot
1128901053 M * Bertl what would /dev/reboot be?
1128901065 M * douglas got me
1128901071 M * Bertl IIRC, we had that years ago with the reboot script/helper
1128901073 M * litage will running ntop on a vserver host show the usage of all of the guests?
1128901101 M * douglas what was the fix bertl?
1128901102 M * Bertl litage: if you run it in the spectator context (xid=1) probably yes
1128901119 M * Bertl douglas: no fix, it was obsoleted with early util-vserver
1128901122 M * litage thanks Bertl
1128901133 M * douglas what's the proper way to allow vservers to reboot themselves with util-vserver_0.30
1128901140 M * douglas ?
1128901153 M * Bertl hmm, update to 0.30.208 I guess :)
1128901158 M * douglas done
1128901168 M * douglas and what else do I do?
1128901177 M * Bertl what kernel are you using?
1128901181 M * douglas I mean is there a script that needs to be run or placed inside the kernel?
1128901185 M * douglas 2.6.12.4 I believe
1128901198 M * douglas 2.6.12.4-vs2.0
1128901208 M * douglas or inside the vserver?
1128901210 M * Bertl okay, that should be fine ... calling 'reboot -f' (the real binary) or 'reboot' with init running should work fine
1128901282 M * douglas what if it still errors out asking for /dev/reboot?
1128901291 M * gndmstr mnemoc: dont have that. i have a vservers init script instead. now that i know it can be done ill research and find whats needed:) thanks! there are probably hints in the util-vserver 'system' directory
1128901300 M * douglas nevermind
1128901302 M * douglas -f worked
1128901321 M * Bertl yeah, thats the difference between with and without init
1128901350 M * gndmstr brb walking dog
1128901358 M * Bertl gndmstr: hmm, wasn't that what 'we' were discussing with Hollow (ML)
1128901650 M * gndmstr that was just how to cancel all loads by killing the 'default' name in the startup
1128901673 M * gndmstr im talking about ensuring that autostart starts them in a certain order and kills them in the exact reverse order
1128901728 M * gndmstr does the START_VSERVERS="" entry where you put the names of the vservers to start do so in the exact order mentioned and shut down in exact reverse?
1128901730 M * mnemoc gndmstr: set the 'depends' considering that order and use vserver-wrapper
1128901786 M * gndmstr hmm ok. will look that over to see what i have to do. been so busy with getting other things done on this i never had time to study startups :D
1128901820 M * gndmstr thankfully i wont need the ordered startup till next weekend so it gives me time
1128901969 Q * litage Ping timeout: 480 seconds
1128901978 M * gndmstr i really only have 4 of them that need to start first, and only one of those has to be #1, the rest all depend on those 4 so worst case i can do away with the vservers init script and put the startups in order in local.start and shutdowns in local.stop
1128901985 M * Bertl hmm .. okay, seems the security discussion faded away somehow ... anybody interested taking it up again? FireEgl, lownoize, michal, mnemoc?
1128902011 M * michal lol, arp poisoned somebody to listen to the radio ;p
1128902022 M * michal sorry folk, that's live ;)
1128902041 M * FireEgl Bertl: eh, I just want a 2.6.13.3-grsec-vs2.0 patch. =P
1128902060 M * michal Bertl: could we take it up tomorrow (or i might as well read a log and give opinion)
1128902062 M * Bertl FireEgl: ah, just want to take and give nothing eh? :)
1128902069 M * michal i am too tired to think now :/
1128902080 M * Bertl k, no problem ...