1137456371 M * daniel_hozac Hollow: is it still 2005 in Germany? :)
1137456468 M * michal` knodemgrd_0 comes from firewire...
1137456480 M * michal` with CLONE_KERNEL also in flags
1137456662 M * Hollow daniel_hozac: not that i know of ;)
1137456736 M * daniel_hozac Hollow: "Copyright 2005 by the vserver-utils team" ;)
1137456823 M * Hollow ic.. ;)
1137456946 M * Bertl michal`: what do you conclude from that?
1137456964 Q * Doener Quit: Leaving
1137456969 M * michal` i am afraid i can conclude nothing :/
1137456977 M * michal` everything matches but does not work
1137457979 M * Aiken Hollow any ideas on what to look for with Failed to create networkcontext: Function not implemented
1137458049 M * Aiken did find a possible problem with scripts/pathconfig
1137459336 M * Hollow hmpf
1137459351 M * Hollow looks like wrong syscall command again..
1137459368 M * Hollow there is no solution yet, sorry
1137459380 M * Hollow didn't investigate yet
1137459674 Q * Aiken Ping timeout: 480 seconds
1137460083 J * Aiken ~james@tooax6-080.dialup.optusnet.com.au
1137460717 M * michal` Bertl: what do you think about that khelper stuff ? kernel/kmod.c
1137460728 M * michal` might it be something that we are having problem with ?
1137461180 Q * ThorstenG Quit: Leaving
1137461515 Q * Aiken Quit: Leaving
1137461805 J * Aiken ~james@tooax6-080.dialup.optusnet.com.au
1137461925 Q * Aiken Quit:
1137462608 J * Aiken ~james@tooax6-080.dialup.optusnet.com.au
1137463523 J * PilatomiK ~tek@ADijon-151-1-105-160.w83-203.abo.wanadoo.fr
1137463730 M * Bertl hmm, had some network issues, back now
1137463760 M * Bertl michal`: could be, did you investigate yet?
1137463766 M * Bertl welcome PilatomiK!
1137463830 M * PilatomiK hello hello
1137463855 M * PilatomiK today my question is on the php-cli feature ... vserver works fine :)
1137463982 M * Bertl php-cli feature?
1137464015 M * PilatomiK I'm writing a php-cli script and the function strpos doesn't work
1137464191 A * Bertl is now trying to figure _how_ that could be linux-vserver related
1137464401 J * Aiken_ ~james@tooax8-058.dialup.optusnet.com.au
1137464416 M * PilatomiK Bertl, when I connect freenode #vserver is in autojoin mode ;)
1137464462 M * Bertl ah, okay, I guess I understand now :)
1137464699 Q * Aiken Ping timeout: 480 seconds
1137466424 P * undefined
1137467453 M * marl under /etc/vservers/vserver-name/interfaces i have a file called dev and a directory called ip, dev has 'eth0' in it, and the directory ip has a file called ip with the vserver's ip addy in it, now from reading the flower page i presume u can create a 'name' for an interface, so the ip addy shows up within ipconfig, can anyone tell me how to do this?
1137467482 M * marl i've tried creating a file called 'name' within the ip directory but it doesn't appear to have worked
1137467557 M * Bertl somehow your directories seem borked
1137467571 M * marl in what way?
1137467573 M * Bertl /etc/vservers/vserver-name/interfaces//
1137467584 M * marl ah no sub dirs?
1137467594 M * Bertl the is some directory which identifies the 'IP' entry
1137467604 M * Bertl each ip has to have one of those
1137467630 M * Bertl the might be one of the dev, ip, name, nodev ...
1137467652 M * marl hold on a sec....
1137467677 M * Bertl so for example /etc/vservers/hansi/interfaces/0/{ip,dev,prefix,name}
1137467692 M * marl i have /etc/vservers/skelly/interfaces/ with 1 file and 1 dir sorry, file is called 'dev' and has 'eth0' as the only text and the directory is called '0' and it has the ip file in it
1137467713 M * Bertl sounds wrong to me
1137467722 M * marl so what does the 'dev' file relate to?
1137467737 M * marl (i'll try removing the dev entry from the high directory)
1137467739 M * Bertl it should be inside the '0' dir
1137467758 M * marl ok, does it relate to the host's lan cards?
1137467765 M * Bertl if you want the tools to 'create' the ip, you have to specify the 'dev' otherwise specify 'nodev'
1137467824 M * marl you're losing me :(
1137467829 M * marl sorry :(
1137467855 M * marl is the file 'dev' simply a touch file then?
1137467877 M * marl e.g. if file exists then ignore what's in it but do this....
1137467925 M * Bertl no
1137467946 M * marl so what info should the 'dev' file hold?
1137467955 M * Bertl look, there are basically three ways to specify an 'interface' (should be called ip)
1137467980 M * marl ok
1137467985 M * Bertl a) you can use an existing IP for the guest (i.e. you have to create it beforehand, the guest is just using it)
1137468021 M * Bertl b) you want the tools to create a new style ip entry for you
1137468037 M * Bertl c) you want the tools to create an old-style alias entry for you
1137468059 M * marl aaaaaaaaaaahhhhhhhhhhhhhhh my head's exploding :(
1137468061 M * Bertl in case a) you specify .../0/{ip,nodev,prefix}
1137468093 M * Bertl with ip containing the IP, and prefix (or netmask) containing the 24 or 255.255.255.0 (or whatever prefix/netmask you have)
1137468105 M * Bertl nodev is just touched
1137468122 M * marl ok, i get that bit :)
1137468122 M * Bertl in case b) you specify .../0/{ip,dev,prefix}
1137468149 M * Bertl ip,prefix is the same as in a) dev has to tell the tools on which interface the IP will be added
1137468167 M * Bertl (e.g. you use eth0 or bond0.10 there)
1137468182 M * marl the interface from the host system?
1137468191 M * Bertl yes
1137468199 M * marl ah, got you :)
1137468207 M * Bertl in case c) you need .../0/{ip,dev,name,prefix}
1137468228 M * Bertl similar to b) just the name is new, which means that
1137468241 M * Bertl the tools will create an alias, e.g. eth0:hansi
1137468261 M * Bertl with the ip present in ip, 'hansi' would be the contents of 'name'
1137468279 M * marl ah ok thanks that makes more sense :)
1137468388 M * Bertl you're welcome!
1137468511 M * nokoya 0
1137469425 J * undefined ~undefined@adsl-68-93-109-94.dsl.rcsntx.swbell.net
1137469779 M * Bertl wb undefined! hey nokoya!
1137469916 M * entroposcope ls -alrt
1137469919 M * entroposcope sorry
1137469966 M * Bertl entroposcope: what a pity that 'e' is not a recognized option :)
1137470824 M * entroposcope heh
1137470841 Q * marl Ping timeout: 480 seconds
1137472571 M * daniel_hozac Bertl: well, -lart is good enough for me ;)
1137472634 Q * FireEgl Ping timeout: 480 seconds
1137472895 J * _nokoya young@hi-230-82.tm.net.org.my
1137472984 Q * nokoya Ping timeout: 480 seconds
1137472988 N * _nokoya nokoya
1137473264 M * Bertl daniel_hozac: heh
1137473279 M * Bertl daniel_hozac: btw, I found the parisc issues ... are you interested?
1137473296 M * daniel_hozac sure.
1137473332 M * Bertl okay, give me a minute to finish my mail to fefe
1137473437 J * _nokoya young@hi-230-82.tm.net.org.my
1137473499 Q * nokoya Ping timeout: 480 seconds
1137473507 N * _nokoya nokoya
1137474023 M * Bertl daniel_hozac: okay, decided to CC it to the ML
1137474066 M * Bertl the issue is more complex than thought before and a good solution seems not available yet
1137474169 M * daniel_hozac that is indeed complex.
1137474169 J * FireEgl Atlantica@Atlantica.IRCNut.Com
1137474429 M * Bertl daniel_hozac: yeah, that's why it took me some time to figure it out :)
1137474462 M * PilatomiK cu
1137474463 M * daniel_hozac does strace merge offset_high and offset_low?
1137474464 P * PilatomiK Leaving
1137474502 M * daniel_hozac or, why does the strace output only have 4 arguments?
1137474510 M * Bertl strace does strange things with this syscall
1137474572 M * Bertl but it might be related to the (very likely) non-restartability
1137474622 M * Bertl _llseek(3, 0, [396], SEEK_END) = 0
1137474629 M * Bertl this is a successful run
1137474639 M * daniel_hozac hmm, so it removes the pointer?
1137474655 M * daniel_hozac oh, no, that's the 396.
1137474657 M * Bertl so it seems like lo/hi is merged, and the loff_t is reported
1137474664 M * daniel_hozac right.
1137474690 M * Bertl well, makes some sense ...
1137474707 P * undefined
1137474770 M * daniel_hozac yeah, it does make it easier to read.
1137474883 M * Bertl btw, the syscall thingy has been updated and tested in this process
1137474887 M * Bertl http://vserver.13thfloor.at/Experimental/SYSCALL/syscall_shiny8.h
1137474913 M * Bertl (even includes PIC support for HPPA :)
1137474956 M * Bertl okay, off to bed now ... have fun everybody ...
1137474965 M * daniel_hozac good night!
1137474969 N * Bertl Bertl_zZ
1137477037 J * balbir ~balbir@59.145.136.1
1137478196 J * Smutje_ ~Smutje@xdsl-87-78-85-188.netcologne.de
1137478329 Q * Smutje Ping timeout: 480 seconds
1137478358 J * coocoon ~coocoon@p54A06275.dip.t-dialin.net
1137478365 M * coocoon morning
1137478537 M * daniel_hozac morning
1137478914 J * tudenbart ~willi@xdsl-213-196-254-147.netcologne.de
1137479347 Q * dothebart Ping timeout: 480 seconds
1137481147 M * coocoon does anyone know something about that message => vxW: xid=102 messing with the procfs
1137481739 Q * Aiken_ Ping timeout: 480 seconds
1137483935 M * coocoon questions about fedora core guests
1137483962 M * coocoon is there anybody who has experiences with FC
1137484188 Q * Hollow Quit: SIGTERM
1137484353 J * Hollow ~hollow@home.xnull.de
1137485568 J * id23 ~id@p54A01D63.dip0.t-ipconnect.de
1137485587 M * id23 morning #vserver
1137486452 Q * id23 Ping timeout: 480 seconds
1137486724 Q * dlippolt Ping timeout: 480 seconds
1137486849 J * meandtheshell ~markus@85-124-9-126.dynamic.xdsl-line.inode.at
1137486852 Q * shedi Quit: Leaving
1137486894 Q * schellh Ping timeout: 480 seconds
1137486982 J * id23 ~id@p54A00CE0.dip0.t-ipconnect.de
1137490007 Q * hue|zzZ Ping timeout: 480 seconds
1137490207 J * shedi ~siggi@tolvudeild-197.lhi.is
1137490459 N * nokoya nokoyaz
1137490467 N * nokoyaz nokoya
1137491638 J * Hmmmm ~Hmmmm@221.135.51.19
1137491682 J * hue ~hue@218.20.51.109
1137492345 M * Hmmmm anyone /home?
1137492530 J * krakan ~krakan@jinx.usbe.umu.se
1137492580 P * Hmmmm Leaving
1137492636 Q * krakan Quit:
1137493220 M * gdm morning, and g'nite ;-)
1137493225 A * gdm has to sleep...
1137493781 J * schellh ~bla@ipsio489.ipsi.fraunhofer.de
1137494588 N * oliwel[away] oliwel
1137494700 Q * id23 Quit: Leaving
1137495640 J * cattivik ~andrea@service.cab.unipd.it
1137496984 J * Doener doener@i5387EAD5.versanet.de
1137498293 J * Viper0482 ~Viper0482@p549753CC.dip.t-dialin.net
1137498635 J * brc bruce@i.am.someasshole.com
1137500024 J * undefined ~undefined@adsl-68-93-109-94.dsl.rcsntx.swbell.net
1137500535 Q * Viper0482 Quit: I'm out,
1137500699 J * pflanze ~chris@unk-110.ethz.ch
1137500702 M * pflanze Hello
1137500809 M * harry Bertl, Doener, Hollow ?
1137500825 M * harry other vserver developers?
1137500836 M * harry with one or more occurrences of the l or p
1137500862 M * daniel_hozac devellllloppppers? :)
1137500870 M * harry if you want :)
1137500877 M * Doener 'sup?
1137500880 M * harry daniel_hozac: are you a develloper?
1137500892 M * daniel_hozac Doener is for sure :)
1137500893 M * harry with 1 l :)
1137500898 M * daniel_hozac i'm a mere packager :)
1137500899 M * harry i know doener is :)
1137500903 M * harry hmm...
1137500912 M * harry i'm looking for the vserver tools code
1137500916 M * harry the latest
1137500920 M * harry no crap
1137500924 M * harry just the latest code
1137500930 A * harry wants to audit it a little
1137500943 M * harry i've got the 0.30.209
1137500951 M * harry but it still has vreboot.c etc...
1137500962 M * harry which contains a programming bug... but is totally deprecated
1137500968 M * Doener it's still in there for backwards cmopatibility
1137500971 M * harry so it's kinda useless to start auditing unused stuff
1137500974 M * Doener s/cmo/com/
1137500986 M * Doener should be in legacy/ isn't it?
1137500998 M * daniel_hozac i think the C tools don't have a legacy directory.
1137501002 M * Doener ah ok
1137501046 M * daniel_hozac harry: i guess you could infer it based on grep legacy contrib/manifest.dat
1137501198 M * harry : 13:33 lois src/util-vserver-0.30.209 ;ls contrib/
1137501198 M * harry Makefile-files make-manifest manifest.dat.pathsubst yum-2.2.1-chroot.patch yum-2.3.2-chroot.patch yum-2.3.3-chroot.patch yum-2.3.4-chroot.patch
1137501221 M * Doener for those tools (util-vserver) basically enrico is the only developer... Hollow is working on a replacement, so you might prefer auditing those...
1137501236 M * Doener harry: the manifest.dat.pathsubst should do for that grep
1137501310 M * harry aha
1137501312 M * harry that's true
1137501319 M * harry Hollow: gimme yer code!!! ;)
1137501334 M * pflanze A replacement? Enrico wrote a replacement of vserver-util which is to be replaced now with a replacement?
1137501389 Q * balbir Quit: Leaving
1137501422 M * pflanze I guess it must be in Python.
1137501482 M * daniel_hozac no disrespect to Enrico, but he's not the most active maintainer ;)
1137501488 M * Doener pflanze: no, it's in C, but it has no pre-2.0 support at all and therefore is somewhat easier to understand and maintain
1137501491 M * daniel_hozac and i don't think anyone else really wants to maintain the current codebase...
1137501540 M * pflanze I shall be happy
1137501540 M * Doener enrico's efforts to support all available vserver APIs made the code really hard to read... at least for the mere mortal me
1137501558 M * pflanze My main question I still have is in which language to write my stuff on top of them.
1137501588 M * daniel_hozac Python, of course.
1137501597 M * pflanze If the C code can be nicely bound by other languages, that would help.
1137501648 M * pflanze But mostly it's about reading status information. And writing my own parsers in the other language might be just as "good".
1137501654 M * daniel_hozac i guess writing a libvserver wrapper in Python shouldn't be too hard.
1137501715 M * Doener daniel_hozac: btw, is there a difference for a wrapper for some lib in some language and bindings for that language? i hear both now and then, and have no idea about either ;)
1137501747 M * daniel_hozac Doener: well, i consider them equivalent...
1137501754 M * Doener ok, thanks
1137502099 M * daniel_hozac hmm, http://news.com.com/Companies+push+Linux+partitioning+effort/2100-1016_3-6027219.html?part=rss&tag=6027219&subj=news
1137502107 J * prae ~prae@ezoffice.mandriva.com
1137502618 M * Doener daniel_hozac: hm, they compare freevps to what they just call Vserver (i.e. Linux-VServer)... that's for judging us by legacy stuff... ;)
1137502626 M * Doener s/that's/thanks/
1137502632 M * daniel_hozac indeed.
1137502644 M * Doener my typos get more and more strange...
1137502731 Q * shedi Quit: Leaving
1137505100 M * daniel_hozac oh, you think the article is talking about ebiederm's efforts?
1137505111 A * daniel_hozac just started connecting the dots.
1137505473 Q * lilalinux Remote host closed the connection
1137505691 J * lilalinux ~plasma@h1-gw.of.net-lab.net
1137505991 N * Bertl_zZ Bertl
1137506013 M * pflanze Hi Bertl
1137506022 M * Bertl morning folks!
1137506113 M * daniel_hozac morning!
1137506189 M * hue hello Bertl
1137506756 Q * Doener Quit: Leaving
1137506766 J * Doener doener@i5387EAD5.versanet.de
1137506795 P * undefined
1137506913 M * pflanze Bertl: I've noticed that vservers configured as "plain", when rebooted from within the vserver, get nice level -5 after the reboot.
1137506929 M * pflanze And only then.
1137506960 A * pflanze will try configuring explicitly for level 0
1137507317 M * Roey hi
1137507331 M * coocoon hello Bertl
1137507333 M * Roey Do I have to set any special capabilities in order to run Apache
1137507335 M * Roey Bertl: heya
1137507343 M * Roey or for that matter, Postfix
1137507343 M * Roey ?
1137507349 M * Roey (in a vserver guest)
1137507378 M * coocoon Bertl: some questions to tagxid settings and error messages during starting default vservers
1137507466 M * daniel_hozac Roey: very few programs should require additional capabilities. those that do are typically documented on the wiki.
1137507506 M * daniel_hozac pflanze: what distro is that?
1137507541 M * pflanze daniel_hozac: debian sarge on the host, debian sarge or gentoo in the guest.
1137507764 M * schellh no you won't need special caps for those
1137507886 Q * coocoon Ping timeout: 480 seconds
1137507925 J * emp ~emp@70.57.239.35
1137507941 Q * cryo Ping timeout: 480 seconds
1137507949 M * emp how many nics does a default linux kernel support?
1137508070 M * daniel_hozac i imagine you would hit physical constraints before that would be a concern.
1137508195 M * emp well, i have 13 :) though it only sees the first 8 or so i think... i read once about enabling 16, i believe, and didn't see the option right away... so was just wondering :)
1137508553 J * coocoon ~coocoon@p54A071CB.dip.t-dialin.net
1137508575 Q * coocoon Quit:
1137508631 J * coocoon ~coocoon@p54A071CB.dip.t-dialin.net
1137508635 M * meandtheshell emp: 13 NICs - how's that working? what kind of hardware is that? normal PC motherboard with 13 PCI controller cards?
1137508671 M * daniel_hozac 4 slots ought to do it.
1137508678 M * daniel_hozac 3 if you have an onboard.
1137508679 M * coocoon Bertl: r u there
1137508704 M * meandtheshell daniel_hozac: right - that's why i was asking - sounds weird to me ...
1137508711 M * emp I bought some 3 each cards that have 4 tulip interfaces on each card..
1137508719 M * daniel_hozac emp: HP?
1137508736 M * daniel_hozac i got two similar ones myself.
1137508747 M * emp no.... they are.... A something, lemme look
1137508773 M * daniel_hozac d-link? adaptec?
1137508773 M * coocoon Failed to start vserver 'sin01' make: *** [.sin01.stamp] Error 1 vxW: xid=102 messing with the procfs. vxW: xid=102 messing with the procfs. make: Target `all' not remade because of errors.
1137508785 M * coocoon Bertl: got these error messages
1137508807 M * meandtheshell emp: have you got a link to that NIC?
1137508812 M * emp Adaptec made them, the ANA-6944
1137508832 M * emp meandtheshell, how do you mean?
1137508851 M * daniel_hozac ah, the adaptec.
1137508872 J * cryo ~say@212.86.233.146
1137508888 M * meandtheshell emp: URL to that adaptec NIC - searching myself now ;)
1137508900 M * coocoon Bertl: also these messages during starting up next vserver vxW: xid=101 messing with the procfs. vxW: xid=101 messing with the procfs.
1137508924 M * emp I just found this: http://www.freelabs.com/~whitis/hardware/quartet.html (it might have what i'm looking for)
1137508942 M * emp I got mine off of ebay for about $20 each
1137508982 M * daniel_hozac coocoon: what sort of initscripts are those vservers running?
1137509004 M * emp basically like the one here: http://cgi.ebay.com/ADAPTEC-ANA-6944A-TX-Quad-10-100-Ethernet-Card_W0QQitemZ5853432162QQcategoryZ51195QQrdZ1QQcmdZViewItem
1137509018 M * Bertl back now ...
1137509044 M * coocoon Bertl: oh hello
1137509050 M * coocoon Bertl: need ur help
1137509056 M * emp however, it is a full length card :)
1137509060 M * Bertl reading up ...
1137509080 M * daniel_hozac emp: full full length? i.e. to the front of the case?
1137509105 M * meandtheshell emp: ok - ic - what do you use that PC for? what services are running on top of that machine?
1137509112 M * coocoon Bertl: started the next vserver same messages => Bringing up loopback interface: Device lo does not seem to be present, delaying vxW: xid=104 messing with the procfs. vxW: xid=104 messing with the procfs.
1137509135 M * emp daniel_hozac, it is roughly the length of the ATX motherboard....
1137509161 M * coocoon Bertl: also have no network connection on these guests
1137509165 M * Bertl coocoon: not xid tagging related, looks like your guests do strange things on startup, like writing to procfs or so
1137509182 M * coocoon Bertl: chcontext problem
1137509186 M * coocoon Bertl: right
1137509202 M * emp meandtheshell, nothing too fancy... personal network share, firewall, asterisk, and some other vserver clients i am setting up to mostly play and learn with
1137509244 M * meandtheshell emp: ok - is that firewall a packet filter - iptables maybe?
1137509253 M * emp meandtheshell, correct
1137509261 M * meandtheshell emp: inside a guest?
1137509262 M * daniel_hozac wow, that card is huge.
1137509276 A * SiD3WiNDR is happily running asterisk on a vserver with access to a pci fxo card for it and such, \o/
1137509287 M * emp meandtheshell, currently I am just using iptables on the host
1137509302 M * meandtheshell daniel_hozac: lol - yeah that's a fat card ...
1137509313 M * emp I'd like to add a fxo card to my *, right now it is all over IP
1137509326 M * Bertl coocoon, Roey: apache and postfix work just fine here, no special capabilities
1137509344 M * daniel_hozac my HP quad NIC is just as big as the PCI64 slot.
1137509376 M * emp One reason I wanted to have extra nics was to have a few of the ports set up as a "smart" switch of sorts, so that I could do traffic shaping and such (the linux box acting as a router)
1137509479 M * meandtheshell emp: ok - that makes sense ... and routing is also done with iptables?
1137509488 M * emp meandtheshell, yep
1137509497 M * emp It is still a work in progress however :)
1137509514 M * meandtheshell emp: cool - that's exactly what I'm planning to do ...
1137509577 M * meandtheshell emp: I'm thinking about moving all that packet filter and routing stuff inside a guest ... but I've no experience if this might work ... hm ..
1137509629 M * daniel_hozac meandtheshell: you'd be subverting the security of a guest sufficiently to render it rather useless from a security standpoint.
1137509640 M * coocoon Bertl: could it be that it has something to do with Fedora Core guests
1137509667 M * daniel_hozac coocoon: how did you create those guests?
1137509672 M * coocoon Bertl: because after stopping these guests it takes a long time and also there comes the following error message
1137509675 M * daniel_hozac coocoon: not with vserver ... build, i guess?
1137509719 M * coocoon Bertl: Kernel-Protokollierdienst herunterfahren: [FEHLGESCHLAGEN]
1137509720 M * emp meandtheshell, that's cool.... I believe you have to give a guest special privs to use iptables properly... hence the security risk (anyone can correct me if wrong :) )
1137509726 M * meandtheshell daniel_hozac: hm .. can you explain that with a little example - I'm not sure what you're talking about - why is it better to do that routing stuff etc. inside a guest
1137509748 M * daniel_hozac meandtheshell: what i was saying is, it's not.
1137509749 M * coocoon Bertl: Loopback Schnittstelle herunterfahren: /usr/sbin/vserver: line 85: 3169 Getötet "${NICE_CMD[@]}" ${USE_VNAMESPACE:+$_VNAMESPACE --enter "$
1137509761 M * coocoon Bertl: S_CONTEXT" -- } $_VCONTEXT $SILENT_OPT --migrate --chroot --xid "$S_CONTEXT" -- "${INITCMD_STOP[@]}"
1137509768 M * daniel_hozac meandtheshell: or well, not from a security perspective, at least.
1137509776 M * coocoon Bertl: A timeout occured while waiting for the vserver to finish and it will
1137509778 M * meandtheshell daniel_hozac: right - I meant better on the host ...
1137509785 M * coocoon be killed by sending a SIGKILL signal. The following process list
1137509797 M * coocoon Bertl: might be useful for finding out the reason of this behavior:
1137509815 M * daniel_hozac coocoon: please use pastebin.
1137509821 M * Bertl daniel_hozac: nice article :)
1137509861 M * daniel_hozac meandtheshell: it's not really better, it just makes more sense, as you wouldn't need to give it a lot of capabilities it doesn't already have ;)
1137509880 M * daniel_hozac meandtheshell: plus, iptables does on demand loading of modules, so that might be an issue (i don't know how it loads them).
1137509936 M * coocoon Bertl: this message comes from fc4
1137509942 M * daniel_hozac Bertl: any ideas what they're talking about?
1137509963 M * coocoon daniel_hozac: sorry have read ur question right now
1137509996 M * coocoon daniel_hozac: right first I have built them but now I am using tarballed guest
1137510012 M * coocoon daniel_hozac: with skeleton
1137510085 M * daniel_hozac coocoon: built them how? vserver ... build should have removed a lot of those scripts.
1137510115 M * daniel_hozac (all of them, i think, but i'm not positive as my german is extremely lacking)
1137510140 M * coocoon daniel_hozac: vserver blabla build -m skeleton#
1137510154 M * daniel_hozac coocoon: i meant the tarball.
1137510201 M * coocoon daniel_hozac: http://pastebin.com/509913
1137510217 M * coocoon daniel_hozac: tarjxvf ...tar.bz2
1137510227 M * coocoon daniel_hozac: tar jxvf ...tar.bz2
1137510238 M * coocoon daniel_hozac: that's not right
1137510243 M * coocoon isn't it
1137510255 M * Bertl daniel_hozac: well, you know how journalists work?
1137510264 M * daniel_hozac how did you create the tarball, initially?
1137510282 M * daniel_hozac Bertl: not really, i try not to read newspapers too often :)
1137510317 M * daniel_hozac Bertl: looks like a good portion of random quotes and misunderstandings, though.
1137510337 M * coocoon daniel_hozac: tar cf blah.tar
1137510343 M * daniel_hozac coocoon: of what?
1137510365 M * daniel_hozac coocoon: of a guest built with vserver ... build? of a "real" Fedora Core install?
1137510385 M * coocoon daniel_hozac: of a guest built with vserver
1137510418 M * daniel_hozac coocoon: which method was that? -m yum? -m apt-rpm? -m rpm?
1137510433 M * daniel_hozac although, all of them should do the correct thing.
1137510457 M * coocoon daniel_hozac: hm let me think about -m yum
1137510478 M * Bertl daniel_hozac: yes, that's the base for articles ... but it has a nice touch, nevertheless :)
1137510550 M * daniel_hozac Bertl: hehe.
1137510605 M * daniel_hozac coocoon: -m yum does The Right Thing(tm) for sure, but i guess that was missed somehow... you'll have to clean up the guests manually.
1137510687 M * coocoon daniel_hozac: which files must be deleted I know to delete files in Debian guests but for fc guests I haven't found anything
1137510712 M * coocoon about it
1137510785 M * coocoon daniel_hozac: which files must be generally deleted
1137510790 M * daniel_hozac coocoon: util-vserver-0.30.209/distrib/redhat/initpost is the file responsible for doing it during vserver-build.
1137510830 M * coocoon daniel_hozac: oh aha so I must delete this file before building a guest
1137510834 M * daniel_hozac basically, chkconfig network off, rm -f /etc/rc[06].d/S01{halt,reboot} are the most important ones.
1137510877 M * coocoon daniel_hozac: but I don't want to create new fc guests
1137511172 M * Bertl okay, off for now, back later ...
1137511182 N * Bertl Bertl_oO
1137511222 M * pflanze How does one configure the nice level of a vserver?
1137511233 M * pflanze The flower page says, /etc/vservers/foo/nice,
1137511249 M * pflanze but I put 0 to this file, and the vserver is still rebooted into nice -5
1137511290 M * daniel_hozac pflanze: oh right, steps to reproduce?
1137511311 M * daniel_hozac just start a sarge with plain initstyle, execute reboot, get nice -5?
1137511330 M * coocoon daniel_hozac: network off what does that mean daniel
1137511351 M * pflanze daniel_hozac: create a vserver with init style "plain". boot it. It will have nice level 0. Log into the vserver (with ssh), enter "reboot". Watch it come back, log in again, watch nice level -5
1137511362 M * pflanze daniel_hozac: so.."yes".
1137511371 M * daniel_hozac coocoon: chkconfig is Red Hat's update-rc.d (or whatever it's called in Debian).
1137511399 M * coocoon daniel_hozac: oh ok
1137511416 M * pflanze daniel_hozac: this is 2.6.14.4-vs201 with util-vserver 0.30.209
1137511487 M * daniel_hozac pflanze: umm, here's a newbie question for you. ps flag for looking at nice values?
1137511517 M * pflanze daniel_hozac: I use top :~)
1137511543 M * pflanze ps outputs "<" for those processes, though
1137511550 M * pflanze ps aux
1137511557 M * daniel_hozac yeah, i noticed that.
1137511594 M * daniel_hozac it seems most kernel threads have a nice value of -5... maybe it's vshelper related?
1137511602 M * coocoon daniel_hozac: Kernel-Protokollierdienst herunterfahren: [FEHLGESCHLAGEN]
1137511617 M * daniel_hozac coocoon: you will always get that, unless you edit the initscript.
1137511619 M * coocoon daniel_hozac: has this also to do with these files
1137511646 M * coocoon daniel_hozac: ok I will have a look at it thanx
1137511651 M * coocoon thanx
1137511919 J * undefined ~undefined@adsl-68-93-109-94.dsl.rcsntx.swbell.net
1137512287 M * coocoon daniel_hozac: also S==kilall
1137512298 M * coocoon daniel_hozac: also S00kilall
1137512305 M * coocoon daniel_hozac: should be erased
1137512574 Q * Hollow Quit: SIGTERM
1137512744 J * Hollow ~hollow@home.xnull.de
1137513084 J * dlippolt ~dlippolt@cpe-70-112-77-129.austin.res.rr.com
1137513822 M * daniel_hozac coocoon: killall doesn't need to be erased. it doesn't serve any real purpose, however.
1137514221 A * pflanze installed a workaround vshelper wrapper script which does renice 0 $$ before calling the original vshelper, that helps.
1137514248 A * pflanze wishes goodbye for today
1137514248 J * NetAsh ~NetAsh@195.12.185.128
1137514250 Q * pflanze Quit: [x]chat
1137514270 M * NetAsh hello
1137514282 M * daniel_hozac hi
1137514315 M * NetAsh is anyone there capable to explain how vunify works?
1137514346 M * mnemoc hardlinks
1137514362 M * NetAsh yap - its basics
1137514384 M * NetAsh but let's say I have two guest machines
1137514421 M * NetAsh I "vunify" both
1137514453 M * NetAsh let's say one of the two is compromised or all other reasons
1137514477 M * NetAsh but outcome = in one guest machine somebody edits a file
1137514530 M * NetAsh in normal environment - hardlink is just a pointer, so the file in the second guest machine suffers too
1137514537 M * NetAsh am I right?
1137514575 M * NetAsh ./
1137514665 M * coocoon daniel_hozac: thanx a lot going off now
1137514669 M * coocoon bye
1137514672 Q * coocoon Quit: KVIrc 3.2.0 'Realia'
1137514708 M * SiD3WiNDR NetAsh: yes, I think so
1137514713 M * SiD3WiNDR that's why there is cow link breaking I think
1137514744 M * michal` cow link breaking would make sense
1137514818 M * NetAsh aha
1137514887 M * NetAsh and in what stage is this feature now?
1137514945 M * NetAsh aka in development tree or that?
1137514966 M * NetAsh I personally use 2.01
1137515101 M * mnemoc NetAsh: immutable flag saves the day, or COW
1137515162 M * NetAsh as I understand the CoW (Copy on Write) is somewhere in 2.1.0 tree
1137515260 M * mnemoc yes
1137515263 M * NetAsh immutable = ro
1137515276 M * mnemoc immutable makes a file untouchable
1137515295 M * mnemoc so hardlinked 'copies' can't be compromised
1137515296 M * michal` inlinkable
1137515302 M * michal` unlinkable
1137515309 M * michal` uneditable
1137515309 M * michal` etc
1137515310 M * NetAsh this is a problem
1137515326 M * NetAsh CoW sounds as the best solution
1137515346 M * michal` for me immutable sounds like a best solution
1137515346 M * michal` because
1137515354 M * michal` in case of compromise of a single vserver
1137515368 M * michal` you would get its files modified
1137515385 M * michal` with cow
1137515387 M * NetAsh compromise is just an example
1137515393 M * NetAsh I mean maintenance
1137515398 M * michal` and with immutable set you won't
1137515399 M * michal` simple
1137515422 M * NetAsh I got it long ago
1137515427 M * NetAsh the problem is
1137515494 M * daniel_hozac unification uses immutable hardlinks.
1137515494 M * NetAsh I administer a host machine, create some guest machines, optimize with vunify, and give away guest machines to third parties
1137515554 M * NetAsh in case of immutable - third parties can not update their guest machines without my intervention - that's worse than compromise ;)
1137515645 M * NetAsh ./
1137515690 M * NetAsh ok I got it, I am interested in CoW - probably some more questions will follow after I try the 2.1.0 dev-tree
1137515692 M * NetAsh ./
1137515693 M * daniel_hozac any sane package management system will unlink files.
1137515714 M * daniel_hozac as such, the unification will not be a problem thanks to iunlink.
1137515714 M * NetAsh and what about apt-get ?
1137515740 M * NetAsh I am a debian-sarge user 1137515797 M * NetAsh (backoporting util-vserver, kernel-patch, vserver-debiantools, and linux-2.6 - and I am happy :) 1137515811 M * daniel_hozac dpkg should do the right thing. 1137515846 M * NetAsh the problem is that "should" 1137515854 M * NetAsh ok 1137515875 M * daniel_hozac it takes you all of 4 commands to try it for yourself. 1137515916 N * Bertl_oO Bertl 1137515920 M * Bertl evening folks! 1137515921 M * NetAsh in practice, not every thing workt to you on test systems may work flavlesly on production :) 1137515930 M * NetAsh hello 1137515941 M * Bertl hey NetAsh! new here? 1137515950 M * NetAsh sort of 1137515966 M * Bertl well, welcome then :) 1137515970 M * NetAsh :) 1137515998 M * NetAsh as I undrestand you are the one of the triple who does some active development on vserver 1137516034 M * Bertl ah, well if you want to put it this way, probably yes, but many folks here 'actively' work on it (in some way) 1137516056 M * Bertl you would not think how many questions are answered here ... 1137516111 M * NetAsh I have some sugestions regards limits 1137516112 M * Bertl bt, to shed some light on your original question (in case this wasn't made clear) the unification via hardlinks is perfectly safe inside a guest, even without CoW link breaking 1137516129 M * SiD3WiNDR :o 1137516134 A * SiD3WiNDR didn't know that 1137516143 M * Bertl CoW just makes it a lot easier to administrate 1137516157 M * NetAsh exactly a LOT :) 1137516169 M * NetAsh ./ 1137516171 M * Bertl the key word here is immutable but unlinkable files 1137516198 M * Bertl i.e guests can delete (unlink) those files, but not change them 1137516209 M * Bertl SiD3WiNDR: live and learn ... 1137516227 M * SiD3WiNDR hehe 1137516230 J * Viper0482 ~Viper0482@p549753CC.dip.t-dialin.net 1137516245 M * Bertl NetAsh: so what are your suggestions regarding limits? 
1137516248 M * NetAsh as I understand min soft limits are just in the plans, only hard limits implemented in some way
1137516259 M * NetAsh am I right?
1137516286 M * Bertl yes, there will be (at some time, if they prove useful) guarantees (min) and soft limits (in addition to the existing hard limits)
1137516302 M * NetAsh I personally am the most interested in rcc
1137516317 M * Bertl rcc?
1137516347 M * NetAsh real memory usage rrc rcc - I do not remember exactly :)
1137516364 M * Bertl ah, RSS resident set size ...
1137516369 M * NetAsh yap :)
1137516396 M * Bertl well, that's probably the limit we will first address (regarding soft limits)
1137516409 M * NetAsh :)
1137516442 M * NetAsh rss does not include used swap size
1137516471 M * NetAsh lets say we introduce something called vrss
1137516477 M * NetAsh swap + ram
1137516483 M * Bertl nope, rss is, as the name said, the pages _in_ memory
1137516488 M * Bertl *says
1137516529 M * Bertl okay, let's call it 'pages'
1137516543 M * NetAsh btw
1137516545 M * Bertl or maybe swap'n'ram :)
1137516553 M * NetAsh ok
1137516569 M * NetAsh then we leave rss alone ;)
1137516588 M * Bertl okay ...
1137516617 M * NetAsh lets say we have a few guest machines
1137516681 M * NetAsh for the sake of simplicity - all have rss.min=100 rss.soft=200 rss.hard=300 set
1137516711 M * Bertl swapnram or rss?
1137516719 M * NetAsh swap&ram :)
1137516724 M * Bertl okay :)
1137516768 M * NetAsh if we have plenty of free ram - all machines use it up to hard limit and are happy ;)
1137516779 M * NetAsh lets say we have some deficit for ram
1137516837 M * NetAsh then the ones over "soft" limit will swap some portions to free some ram
1137516914 M * NetAsh if we have a machine with less than min - it comes, kicks some butts and takes its ram.
1137516930 M * Bertl well, you basically describe what already is planned .. the interesting part is, how to implement that? :)
1137516944 M * NetAsh ;)
1137516983 M * NetAsh I am no c/c++ guru (old gone these days :)
1137517025 M * NetAsh I suggested the concept, and it seems you knew it before
1137517027 M * michal` it is not about c but rather memory management in linux kernel and some idea
1137517035 M * michal` hey Bertl :)
1137517035 M * michal` btw
1137517068 M * michal` not had time to dig further into kmod stuff, will try tomorrow, cause today i am also out of time for everything
1137517086 M * Bertl michal`: okay, hope you still have fun!
1137517096 M * michal` obviously :)
1137517112 M * NetAsh and you probably have no luck to understand the way it works without some basic c/c++ understanding:)
1137517144 M * Bertl NetAsh: well, basically the following seems doable (and efficient)
1137517172 M * Bertl (but first a few explanations how it works)
1137517182 M * NetAsh ok
1137517192 M * Bertl - pages are allocated for many different reasons
1137517206 M * Bertl - some of them are file backed (e.g. executables)
1137517213 M * NetAsh (my english grammar is not the best one, so I will just sit still and listen:)
1137517224 M * Bertl - some of them are shared with other processes (e.g. libraries)
1137517240 M * NetAsh - some are pure data
1137517242 M * Bertl - some of them are anonymous (i.e. they have no on-disk representation)
1137517325 M * Bertl some pages even do not have any memory or data
1137517360 M * michal` which ones ?
1137517367 M * Bertl - when memory is low, then some heuristics start to figure unused pages and start swapping them out to the disk space
1137517390 M * NetAsh I guess your question will be: how to decide what to swap, and how to force main kernel do it
1137517393 M * Bertl michal`: for example guard pages (e.g. zero page) or not yet used anon pages
1137517401 M * daniel_hozac Bertl: did you see pflanze's bug, btw?
1137517413 M * Bertl daniel_hozac: the nice issue?
1137517419 M * daniel_hozac Bertl: yeah.
1137517439 M * Bertl Bertl: unless proven wrong, I assume a userspace pam issue
1137517466 M * Bertl NetAsh: no, that is relatively simple
1137517488 M * Bertl NetAsh: you already mentioned that contexts over the soft limit have pages which are good candidates :)
1137517504 M * NetAsh yap
1137517540 M * Bertl the question is more, what do we do in the no-swap-is-needed case
1137517575 M * Bertl when context A (soft=64M hard=256M) and context B (soft=64M hard=256M)
1137517588 M * NetAsh we let it reside in ram (for the performance reasons) until some context with the right into it asks to do it
1137517593 M * Bertl use something like A=220M B=70M
1137517628 M * NetAsh oght
1137517635 M * Bertl IMHO we should somehow favor context B, because it is much nicer in this system
1137517638 M * NetAsh let say we use some proportions
1137517670 M * NetAsh imho min value we assign a proportion value of 0
1137517670 M * Bertl let's assume we have a context C (soft=128M hard=256M) which uses 100M, wouldn't it be unfair to treat them all equally?
1137517679 M * NetAsh soft - 0.5
1137517683 M * NetAsh hard - 1
1137517700 M * Bertl sorry, my dinner is ready, let's continue this in 15 minutes, yes?
1137517716 M * NetAsh ok
1137517721 M * michal` sure
1137517726 N * Bertl Bertl_oO
1137517739 M * NetAsh in this time i will try to draw a sketch :)
1137518054 M * NetAsh ./
1137518078 M * NetAsh imagine a two dimensional chart
1137518107 M * NetAsh x - axis - badness rating :)
1137518119 M * NetAsh y - axis memory usage
1137518152 Q * oliwel Quit: Chatzilla 0.9.69.1 [Firefox 1.5/2006011208]
1137518177 A * michal` draws
1137518201 M * NetAsh we draw three points in it with coordinates (0, min), (0.5, soft), (1, hard)
1137518276 M * NetAsh then we join these with two lines
1137518303 M * NetAsh example situation
1137518334 M * NetAsh we have machine with min=64 soft=128 hard=512
1137518384 M * NetAsh so we have two lines (0, 64)to(0.5, 128)and_to(1, 512)
1137518475 M * NetAsh if this machine uses lets say 200 - we draw horizontal line, in the intersection point with our "curve" we draw vertical straight down and see badness rating :)
1137518516 M * michal` should not it be function nbadnes(memory) ?
1137518526 M * michal` because now it is memory(badness)
1137518571 M * NetAsh you are right
1137518595 M * NetAsh btw I think you already got my point :)
1137518642 N * Bertl_oO Bertl
1137518644 M * Bertl back now
1137518680 M * NetAsh btw better it will be 4 points
1137518680 M * Bertl well, I had an even better idea how to calculate this badness
1137518705 M * Bertl the idea is to have 'virtual' swap pages
1137518707 M * NetAsh (0,0) (1, min) (2, soft) (3, hard)
1137518733 M * NetAsh oh crap :)
1137518734 M * Bertl i.e. pages which are still in memory, but get a special tagging that they should have been swapped out
1137518749 M * NetAsh ok situation
1137518772 M * NetAsh you have marked approximately 100MB of pages to be candidates for swap
1137518790 Q * mkhl Quit:
1137518791 M * NetAsh you need only one page (4KB) to swap - which one?
1137518807 M * Bertl the one the heuristic chooses
1137518859 Q * prae Quit: Execute Order 69 !
1137518896 M * Bertl i.e. several factors will be responsible
1137518908 M * Bertl - what type of pages are available
1137518920 M * Bertl - how often is/was it used/referenced
1137518943 M * Bertl - (in the future) how bad was the context :)
1137518948 M * NetAsh probably you are right
1137518957 M * NetAsh just in case for a fallback plan
1137518972 M * NetAsh do you understand my suggestion
1137518976 M * NetAsh ?
1137518989 M * Bertl yes
1137519062 M * NetAsh my way you at least know which context to swap (aka the max(function_nbadnes(memory))
1137519086 J * gerrit gerrit@163.181.254.36
1137519104 M * Bertl well, it would be simple to calc (rss-soft.rss) and to use that as 'badness'
1137519109 M * Bertl welcome gerrit!
1137519173 M * NetAsh ./
1137519189 M * NetAsh whatever will be implemented - it should be more or less fair
1137519202 M * NetAsh ./
1137519211 M * NetAsh simple question regarding mounts
1137519333 M * NetAsh if i add a "bind" mount to fstab (the one /etc/vserver/.../fstab - not in the /etc of guest)
1137519344 M * gerrit Hi Bertl!
1137519380 M * NetAsh with df i get
1137519395 M * NetAsh hdv1 /
1137519427 M * NetAsh /real/path/in/host/macheen/ /mnt
1137519455 M * NetAsh is there a way to hide it under lets say /dev/hdv2 ?
1137519493 M * Bertl well, df (very similar to mount) just looks at the mtab
1137519514 M * Bertl so whatever information you put there will be presented
1137519557 M * NetAsh aha, ok
1137519961 J * stefani ~stefani@superquan.apl.washington.edu
1137520231 M * Bertl welcome stefani!
1137520241 M * Bertl okay, leaving now .. back later this evening ...
1137520249 N * Bertl Bertl_oO
1137520368 M * stefani hoa
1137520611 P * undefined
1137521987 J * Smutje ~Smutje@xdsl-84-44-245-242.netcologne.de
1137522124 Q * Smutje_ Ping timeout: 480 seconds
1137522755 Q * gerrit Ping timeout: 480 seconds
1137522864 M * NetAsh http://news.com.com/Companies+push+Linux+partitioning+effort/2100-1016_3-6027219.html
1137523048 J * bragon ~bragon@sd866.sivit.org
1137523095 M * bragon lo
1137523163 M * NetAsh hello
1137523174 M * bragon ;)
1137523353 Q * zobel Ping timeout: 480 seconds
1137523391 Q * Doener Ping timeout: 480 seconds
1137523419 J * Doener doener@i5387D471.versanet.de
1137524762 M * NetAsh by
1137524766 Q * NetAsh Quit:
1137525115 J * dothebart ~willi@xdsl-81-173-231-215.netcologne.de
1137525546 Q * tudenbart Ping timeout: 480 seconds
1137526292 J * gerrit gerrit@163.181.254.36
1137526349 Q * gerrit Quit:
1137526362 J * gerrit gerrit@163.181.254.36
1137526366 Q * gerrit Read error: Connection reset by peer
1137526384 J * gerrit gerrit@163.181.254.36
1137527007 J * undefined ~undefined@adsl-68-93-109-94.dsl.rcsntx.swbell.net
1137528128 J * liquid3649_ ~Viper0482@p54976F3F.dip.t-dialin.net
1137528561 Q * Viper0482 Ping timeout: 480 seconds
1137528929 J * shedi ~siggi@inferno.lhi.is
1137529118 Q * liquid3649_ Remote host closed the connection
1137529468 J * Aiken ~james@tooax8-164.dialup.optusnet.com.au
1137530007 Q * Doener Quit: Leaving
1137530097 P * undefined
1137530109 J * undefined ~undefined@adsl-68-93-109-94.dsl.rcsntx.swbell.net
1137530382 J * mef ~mef@targe.CS.Princeton.EDU
1137530769 J * mkhl ~mkhl@200-148-41-61.dsl.telesp.net.br
1137531838 Q * lilalinux Remote host closed the connection
1137531875 J * bonbons ~bonbons@83.222.39.249
1137532266 J * jpacheco ~justin@CPE00146c1608af-CM0f0099806976.cpe.net.cable.rogers.com
1137532269 M * jpacheco hey guys
1137532293 M * jpacheco i have a question: how can i add an ip to an already existing vserver?
1137532311 M * jpacheco im using vserver 2.x
1137532341 M * TheSeer mkdir /etc/vservers//interfaces/X
1137532358 M * jpacheco yeah, i started playing around with that
1137532360 M * TheSeer echo "1.2.3.4" > /etc/vservers//interfaces/X/ip
1137532372 M * TheSeer echo "255.255.255.0" > /etc/vservers//interfaces/X/mask
1137532380 M * jpacheco so i added a directory under interfaces called 1
1137532384 M * TheSeer echo "dummy0" > /etc/vservers//interfaces/X/dev
1137532386 M * jpacheco and created the ip file
1137532403 M * jpacheco is "dummy0" the real dev name?
1137532411 M * TheSeer it can be ;)
1137532424 M * jpacheco k, lemme give this a shot
1137532435 M * TheSeer i dunno what device you want ;)
1137532445 M * TheSeer and dummy0 is a local only interface
1137532449 M * TheSeer sort of lo
1137532574 M * bonbons But don't forget to restart the guest for it to take new addresses into account (and only IPv4 is supported)
1137532600 M * TheSeer oh yeah ;) almost forgot that one hehe
1137532675 M * jpacheco k, i called my device
1137532677 M * jpacheco eth0:3
1137532687 M * jpacheco Cannot find device "eth0:3"
1137532783 M * jpacheco said the same thing for "dummy0"
1137532805 M * TheSeer the device is eth0
1137532809 M * TheSeer not eth0:3
1137533132 M * daniel_hozac :3 would be putting 3 into name.
1137533203 Q * bonbons Quit: Leaving
1137533255 M * jpacheco ah, gotcha
1137533261 M * jpacheco thx for the help
1137533349 M * jpacheco has anyone here
1137533364 M * jpacheco got any ideas on how to get ssh to work for each vserver
1137533385 M * jpacheco if they all share the same ip
1137533874 Q * gerrit Ping timeout: 480 seconds
1137533880 P * undefined
1137533911 M * daniel_hozac jpacheco: different ports?
1137534625 J * gerrit gerrit@163.181.254.36
1137534765 M * jpacheco huuuum
1137534768 M * jpacheco i thought about that
1137534786 M * jpacheco but i don't want 5 - 10 ssh's running all at once
1137534800 M * jpacheco (problem only gets worse)
1137534963 M * jpacheco so i was hoping for
1137534967 M * jpacheco one ssh daemon
1137534973 M * jpacheco to many vservers
1137535134 P * meandtheshell
1137535179 M * daniel_hozac jpacheco: sounds like trampoline may be what you're looking for...
1137535201 M * daniel_hozac http://vserver.13thfloor.at/Stuff/SCRIPT/trampoline.sh
1137535317 Q * entroposcope Remote host closed the connection
1137535422 J * jgelb ~entroposc@user-0c992og.cable.mindspring.com
1137535429 N * jgelb entroposcope
1137535457 P * entroposcope
1137535483 J * entroposcope ~entroposc@user-0c992og.cable.mindspring.com
1137535810 M * jpacheco daniel_hozac: how does ssh know which vserver you are trying to get to?
1137535842 M * jpacheco basically, i want to have someone type ssh me@myvs01.com and they get sent to that vhost
1137535860 M * jpacheco or ssh me@myvs02.com which would bring them to a different one
1137535879 M * jpacheco is something like that possible?
1137536048 M * daniel_hozac jpacheco: did you check the trampoline script?
1137536115 M * jpacheco yeah
1137536151 M * jpacheco i can't see where it would offer me the kind of functionality i require
1137536542 J * undefined ~undefined@adsl-68-93-109-94.dsl.rcsntx.swbell.net
1137536660 M * daniel_hozac jpacheco: you let users ssh to the sshd on the host, but their shell is started in the vserver.
1137536689 M * jpacheco ahhhh
1137536690 M * jpacheco ic
1137536706 M * jpacheco and what about managing users for multiple domains
1137536721 M * daniel_hozac http://list.linux-vserver.org/archive/vserver/msg09075.html
1137536724 M * jpacheco if i only read from one passwd, then i can't have more than 1 user named bob
1137536739 M * derjohn daniel_hozac, hm, I don't get where they (users) get authenticated? do they need an account on the host?
1137536755 M * daniel_hozac derjohn: yes.
1137536812 M * derjohn daniel_hozac, ah, k. this fits a little to my "management user" approach. they could even enter their vserver when their ssh is down ... thanks for pointing out!
1137536819 M * daniel_hozac jpacheco: if that's what you want, one sshd per vserver would be needed.
1137536837 M * jpacheco what's the overhead like for a situation like that?
1137536845 M * jpacheco say i have 10 or even 20 vservers
1137536893 M * daniel_hozac jpacheco: depends on if you use unification, etc.
1137536900 M * derjohn jpacheco, np root 7337 0.0 0.0 4940 1044 ? Ss Jan15 0:00 /usr/sbin/sshd
1137536908 M * jpacheco unification?
1137536909 M * daniel_hozac jpacheco: with unification, the overhead ought to be minimal.
1137536929 M * derjohn daniel_hozac, hm? I think the RAM and CPU time would be the overhead?
1137536932 M * jpacheco i've never heard of unification
1137536944 M * daniel_hozac derjohn: there shouldn't be any CPU usage for an idle sshd process.
1137536967 M * daniel_hozac derjohn: once it forks off for a client, you have the same situation you would as for running just one.
1137536997 M * derjohn daniel_hozac, yes, so only a little RAM consumption. BTW: sshd is always full of chinese brute-force attacks
1137537012 M * daniel_hozac jpacheco: it's one of the core vserver technologies that lets you save RAM and disk space if you have similar guests (i.e. same distro).
1137537045 M * daniel_hozac derjohn: but those attacks would still exist, even if you were just running one ;)
1137537089 M * daniel_hozac jpacheco: http://linux-vserver.org/Linux-VServer-Paper-06
1137537096 M * derjohn daniel_hozac, I just mentioned it because of the mem consumption issue and CPU consumption. But nevertheless, for 20 guests it should be minimal.
1137537104 M * jpacheco so what you are saying is
1137537131 M * jpacheco for each vserver, run an ssh and use a different porty
1137537132 M * jpacheco port*
1137537142 M * derjohn jpacheco, no.
1137537171 M * derjohn jpacheco, you have to take care that the host's sshd binds only to ONE ip.
1137537185 M * daniel_hozac jpacheco: we're just listing your options. you'll need to pick your poison ;)
1137537186 M * derjohn jpacheco, (by default it grabs all available)
1137537215 M * derjohn jpacheco, /etc/ssh/sshd_config -> Listen * -> Listen
1137537231 M * jpacheco derjohn: i don't want everyone's username/passwd on my host or single vserver
1137537233 M * derjohn jpacheco, then every guest can have an sshd on its own IP, cool eh?
1137537238 M * daniel_hozac derjohn: i think the problem is that there is only one IP address.
1137537243 M * jpacheco i want each vserver to take care of itself
1137537276 M * daniel_hozac jpacheco: their password wouldn't be on the host. it would require ssh keys, if i understand it correctly.
1137537290 M * jpacheco ah keys
1137537299 M * jpacheco what about passwords
1137537309 M * derjohn jpacheco, yes, that's what happens if every vserver (in our speak: a vserver guest or "guest" for short) has an own sshd.
1137537319 M * daniel_hozac i don't think the trampoline works with passwords.
1137537357 M * derjohn jpacheco, do you only have one IP and you use RFC1918 IPs for guests?
1137537363 M * jpacheco i think this is where my problem lies
1137537389 M * jpacheco shared ip for guests
1137537420 M * derjohn jpacheco, shared IP? eh, what? you mean one IP for all??
1137537444 M * jpacheco for connecting, yeah
1137537454 M * jpacheco services are on another vserver with different ip
1137537495 M * derjohn so why not use one sshd for every guest?
1137537509 M * jpacheco i could do that
1137537517 M * jpacheco but what about duplicate user names
1137537527 M * jpacheco which belong to different domains?
1137537547 M * daniel_hozac if you have one sshd per guest, that would not be an issue.
1137537552 M * derjohn domains? well, every sshd uses the passwd file in its own guest
1137537561 M * daniel_hozac (assuming each domain has a separate guest)
1137537588 M * jpacheco daniel_hozac: right, so if i do one per domain, then i need to run sshd on each vs with a different port (because they all share the same ip)
1137537615 M * daniel_hozac right.
1137537619 M * jpacheco right.
1137537620 M * jpacheco lol
1137537675 M * derjohn hm, how can they share the same ip? you mean you run one _global_ apache that points to the particular /var/lib/vserver/domain1/var/www ?
1137537677 M * derjohn etc ?
1137537689 M * jpacheco it would be perfect if ssh worked like apache
1137537695 M * jpacheco that would be amazing
1137537705 M * TheSeer erm..
1137537710 M * TheSeer what you want is a chroot environment
1137537714 M * TheSeer not a virtual server :P
1137537716 M * derjohn hm, well, there is a patch for sshd chroot
1137537725 M * derjohn and there is PAM chroot ...
1137537737 M * jpacheco i looked into that
1137537740 M * derjohn (I never used that though)
1137537744 M * jpacheco but what i need is this
1137537750 M * jpacheco ssh bob@host1.com
1137537758 M * jpacheco sshd sees bob
1137537769 M * jpacheco sees where he's going (host1.com)
1137537775 M * jpacheco then checks for that vs
1137537783 M * daniel_hozac the hostname is translated by the client.
1137537793 M * jpacheco goes inside, grabs the passwd, sends it back to pam
1137537798 M * TheSeer the hostname is not part of the communication
1137537801 M * jpacheco pam says ok, then chroots him in
1137537801 M * daniel_hozac the server won't know with which hostname the client connected.
1137537812 M * jpacheco TheSeer: i know, that's the problem :(
1137537835 M * derjohn you can set a homedir in passwd file for bob ... point it to /var/lib/vserver/domain1/var/www or so
1137537842 M * jpacheco that's why i said that if sshd worked like apache, things would be much better
1137537850 M * derjohn and then you chroot bob there
1137537860 M * jpacheco what about bob on host2.com
1137537863 M * jpacheco or bob on host3.com
1137537874 M * derjohn jpacheco, no go this way ;)
1137537880 M * daniel_hozac jpacheco: get more IPs.
1137537880 M * jpacheco i know :(
1137537882 M * jpacheco so sad
1137537893 M * derjohn well ... 20 users ...
1137537899 M * jpacheco daniel_hozac: yeah, that's one option
1137537902 M * derjohn so: bob1, bob2 ....
1137537913 M * jpacheco i was hoping for something elegant
1137537929 M * jpacheco derjohn: trying to keep user names clean
1137537935 M * jpacheco u know what's interesting
1137537937 M * derjohn jpacheco, you could use the solution with sshd bound to port 10022, 10023, 10024 etc.
1137537947 M * jpacheco yeah
1137537954 M * jpacheco all of these are good solutions
1137537955 M * derjohn then the users would have to set the port when connecting
1137537963 M * jpacheco but i was hoping for the perfect one
1137537969 M * derjohn jpacheco, more IPs :=
1137537984 M * jpacheco haha, yeah, always comes back to that :(
1137538004 M * daniel_hozac jpacheco: how do you handle SSL?
1137538013 M * jpacheco for?
1137538020 M * daniel_hozac HTTPS?
1137538028 M * jpacheco more ips
1137538037 M * derjohn jpacheco, cool idea !
1137538040 M * jpacheco hahahaha
1137538042 M * derjohn :)
1137538045 M * jpacheco yeah
1137538055 M * jpacheco the new ssl is gonna fix all of this
1137538060 M * jpacheco just read up on it
1137538071 M * jpacheco looks where you're going first
1137538073 M * derjohn jpacheco, ipv6 will come before that :)
1137538076 M * daniel_hozac the correct fix is IPv6 :)
1137538079 M * derjohn lol
1137538080 M * daniel_hozac hehe.
1137538089 M * jpacheco how so?
1137538098 M * daniel_hozac IP addresses for everything and their dog.
1137538103 M * jpacheco ah
1137538105 M * jpacheco hahahaahah
1137538106 M * derjohn just an estimation ;)
1137538120 M * derjohn i don't have a dog.
1137538125 M * daniel_hozac me neither.
1137538141 M * derjohn i only care for serveranimals ;)
1137538150 M * jpacheco lol
1137538157 M * jpacheco ok
1137538158 M * jpacheco so
1137538168 M * jpacheco in your opinion
1137538175 M * jpacheco which would you say is the best way to go
1137538184 M * derjohn take the different-port solution
1137538184 M * jpacheco mind you, ips are like $1 each
1137538198 M * jpacheco so
1137538205 M * daniel_hozac sounds like it's totally worth it.
1137538208 M * jpacheco multiple sshd's
1137538210 M * derjohn that keeps off the chinese brute-forcers
1137538212 M * derjohn yes
1137538217 M * jpacheco lol
1137538244 M * derjohn really ... on our openbsd firewall in root mode you see all og entries on the console
1137538248 M * derjohn og=log
1137538261 M * derjohn i wasn't even able to see what I am typing ....
1137538274 M * daniel_hozac that is always really annoying.
1137538291 M * derjohn so many ssh scans ..... (no i log in as user and su - .. then the console stays clean)
1137538320 M * jpacheco yeah, tons of ssh scans
1137538350 M * jpacheco i love port knocker :)
1137538362 M * derjohn jpacheco, fly under the radar and use port -> 10000. ssh scans very rarely scan > 10000.
1137538391 M * jpacheco i use port knocker to keep my ssh hidden
1137538397 M * DaCa derjohn: you can easily filter those out with the source address tracking of pf
1137538434 M * derjohn DaCa, well said. our webhosts are without FW, OpenBSD is only for our company net :)
1137538487 M * derjohn DaCa, can you set a rate_limit per IP and port with pf ?
1137538624 M * DaCa derjohn: yes, and you can put the offenders in a table and drop them early in your rulesets
1137538657 M * derjohn DaCa, how to get offenders? Too many attempts per minute?
1137538814 M * DaCa derjohn: indeed, look at max-src-conn-rate in pf.conf(5), use the overload option to put them in a table, google expire-tables to clean out the table from time to time
1137538890 M * derjohn DaCa, THX for that hint!
1137538910 M * jpacheco what's pf?
1137538927 M * derjohn packetfilter of OpenBSD
1137538940 M * derjohn replacement for ipfw .....
1137538944 M * derjohn some time ago
1137538978 M * jpacheco ah
1137538987 M * jpacheco similar to iptables?
1137539030 Q * gerrit Quit: Client exiting
1137539052 M * derjohn jpacheco, hey, it's openbsd ... nothing similar to linux ! :) well, IMVHO pf uses a somewhat cleaner configuration language and system.
1137539092 M * jpacheco lol, ic
1137539165 M * derjohn OpenBSD is said to be the most secure OS in the world .. so we went for "complementary systems" when it comes to FWs.
1137539465 M * DaCa derjohn: I do the same, OpenBSD for firewall, Linux behind the firewall
1137539519 M * derjohn DaCa, but it's the softraid that I am missing ...
1137539521 M * michal` derjohn: it is said
1137539530 M * michal` and it is nowhere near the truth
1137539546 M * michal` because it is said only by its developers plus some folks that have no idea about security
1137539570 M * michal` Windows NT4, 2000, XP, 2003 all have EAL4+
1137539574 M * michal` so what ? ;p
1137539610 M * michal` looks like it is much better than any free / bsd unix system...
1137539611 M * derjohn michal`, propolice et al by default and code auditing looks like a "quality way"
1137539633 M * michal` nah. they do not have propolice, they have w^X
1137539641 M * michal` which is like having no protection at all
1137539644 M * derjohn micah, and only one remote hole in 7 (?) years ...
1137539665 M * derjohn michal`, they have 4 stack guardings AFAIR (depending on the CPU)
1137539667 M * DaCa they have propolice too, it's something completely different
1137539680 M * michal` sure, because there are no remote applications in default install :)
1137539696 M * derjohn micah, But I am in no way an OpenBSD Developer. I know some...
1137539703 M * derjohn micah, sry
1137539712 M * michal` michal if you could :)
1137539727 M * michal` their propolice implementation is funny comparing to say, that one in gentoo (ssp)
1137539741 M * michal` same with W^X
1137539771 M * michal` security experts have very good feeling about pax, but not at all about W^X
1137539771 M * derjohn michal`, yes ... openbsd is very "thin" in default install ... i agree. so there are less holes possible of course.
1137539784 M * derjohn michal`, you use hardened gentoo ?
1137539784 M * jpacheco michal`: i take it you fight for ms?
1137539800 M * michal` derjohn: yes, on my servers
1137539800 M * michal` and routers
1137539800 M * DaCa jpacheco: he's just trolling
1137539817 M * michal` jpacheco: nah, i am telling that linux is much more secure system than *bsd
1137539820 M * derjohn DaCa, *lol*
1137539838 M * michal` it happened i've been working closely with gentoo hardened team for a long time
1137539839 M * jpacheco ah, ic
1137539849 M * michal` and have learned a lot this way
1137539852 M * jpacheco well its hard to say which is more secure
1137539876 M * michal` actually it is easy - default gentoo hardened installation is light years ahead of any bsd.
1137539886 M * michal` very well designed memory protection in kernel
1137539895 M * michal` full support in userspace
1137539896 M * jpacheco i mean, bsd is unix, a better one actually
1137539900 M * michal` all executables are pie
1137539904 M * derjohn michal`, -> RSBAC workshop at 22C3 Chaos Communication Congress in Berlin. Are you from DE ?
1137539911 M * jpacheco they have a powerful tcp/ip stack
1137539921 M * michal` derjohn: close... i am from .pl
1137539926 M * derjohn :)
1137539936 M * jpacheco and in all fairness, linux was molded from unix
1137539941 M * michal` sure
1137539949 M * michal` nobody denies that
1137539952 M * derjohn yes, the BSD network stack is strong. also when it comes to performance
1137539981 M * michal` but i feel linux networking stack is really good now, have been many powerful changes from 2.2 kernels
1137539983 M * daniel_hozac didn't the early 2.6 stack outperform the OpenBSD stack in certain areas?
1137539990 M * michal` yes
1137540004 M * daniel_hozac and, well, a lot has changed since those benchmarks.
1137540010 M * jpacheco linux networking is good
1137540023 M * derjohn daniel_hozac, hm at least andre opperman was the first to break the 1MPPS barrier with freebsd
1137540024 M * michal` and security "improvements" in ip stack are being adopted in linux too
1137540028 M * derjohn on commodity HW
1137540033 Q * Hollow Read error: Connection reset by peer
1137540041 J * Hollow ~hollow@home.xnull.de
1137540048 M * derjohn micah, like random seq numbering etc? yes ...
1137540051 M * derjohn argh
1137540055 M * derjohn micah, sry
1137540055 M * michal` and linux networking stack is really good from what i can see everyday and what i read
1137540058 M * michal` derjohn: yeah
1137540066 M * michal` some features are in, some will be
1137540082 P * stefani I'm Parting (the water)
1137540084 M * jpacheco linux is powerful, no doubt, but bsd is unix
1137540097 M * derjohn michal`, about V6 ? KAME and WIDE are mature i guess ...
1137540098 M * michal` they are not trying to get them just for marketing, not being sure it breaks nothing
1137540118 M * michal` derjohn: in v6 linux has to learn a lot from bsd i agree
1137540143 M * michal` but... good things from kame are being ported :)
1137540155 M * michal` like their ipsec implementation, excellent one (not yet completed)
1137540172 M * derjohn michal`, I was just looking for folks who would like to join me for Linuxtag. Will anyone be there? I would like to reserve a place for linux-vserver ...
1137540195 M * michal` link ? i need to see when it takes place
1137540210 M * derjohn michal`, (my question about .DE)
1137540219 M * michal` i will probably be with rsbac team at linuxtag...
1137540231 M * DaCa derjohn: I might come, but I am sure yet, as it is very close to debconf
1137540246 M * derjohn michal`, http://www.linuxtag.org didn't find an english page
1137540268 M * michal` i can cope...
1137540269 M * DaCa they want you to learn german :p
1137540269 M * derjohn michal`, but you are from poland, so you obviously speak german ;)
1137540276 M * michal` lol
1137540278 M * michal` not that good ;]
1137540287 M * derjohn czescht :) (or so ..)
1137540299 M * derjohn DaCa, from .DE ?
1137540314 M * DaCa derjohn: .be
1137540329 M * michal` missed again ;]
1137540374 M * derjohn DaCa, so it's not very far for you. If folks here are interested i would offer to care for the place all 4 days ... so the community could share experience there
1137540386 M * derjohn michal`, missed? spelling???
1137540421 M * michal` nah, i mean you have missed again looking for someone rom .de ;p
1137540433 M * michal` from even
1137540613 M * DaCa derjohn: I wouldn't mind to help but as I am not sure yet to come, I cannot promise anything
1137540729 M * derjohn DaCa, cool to hear! At least well ... I don't like to represent the "community" as one-man-show. So I ask everyone to tell me who wants to come. One day or two days.
1137540757 M * derjohn DaCa, even Bertl will be there for one day .... so we can talk and/or learn
1137540865 M * DaCa derjohn: if I come it'll be probably on 3 and 4 may as I really want to be in .mx on 6 may :)
1137540930 M * DaCa will he give his workshop this year? :)
1137540937 M * derjohn .mx ? Mailexchanger? :)
1137540956 M * derjohn DaCa, hm, workshop: that depends on how the linuxtag people react.
1137540977 M * DaCa mexico, for the yearly debian conference
1137541001 M * derjohn DaCa, but dothebart from this channel is with the orga of linuxtag ... i expect there will be feedback from them ;)
1137541010 M * derjohn DaCa, are you DD ?
1137541013 M * DaCa he had planned one last year, but it got cancelled for some reason last minute
1137541027 M * DaCa no
1137541062 M * derjohn DaCa, i didn't know ... now i understand why he was p***ed that they didn't answer his inquiry yet
1137541102 M * derjohn DaCa, Mexico is cool for holiday too, eh ? ;)
1137541134 M * DaCa yes, I always plan my holiday around debconf :)
1137541164 M * derjohn DaCa, so you go there without being a DD ? or will you be one in the future?
1137541234 M * DaCa well I might apply one day :)
1137541242 M * derjohn ITP ?
1137541509 Q * ag- Ping timeout: 480 seconds
1137541627 M * DaCa derjohn: if I find something missing and can be sure to have enough time to care for it :)
1137542115 N * Bertl_oO Bertl
1137542120 M * Bertl evening folks!
1137542123 M * daniel_hozac evening!
1137542267 M * Bertl wow, that was quite a discussion, any short versions?
1137542392 M * michal` wb Bertl !