1157675286 J * litage ~nick@203.220.55.70
1157675333 M * litage hey guys, i've just noticed that /tmp/ in each of my vservers is 16MB. how can i increase this?
1157675758 Q * xinos Quit: Leaving
1157676379 M * doener litage: adjust /etc/vservers/foo/fstab
1157676856 N * Bertl_oO Bertl
1157676861 M * Bertl evening folks!
1157677641 M * Skram anyone know good datacenters in Virginia? 20-30 amps, 1 rack, 3mbps commit, maybe a class-c of IPs
1157677644 M * Skram : )
1157678479 Q * gerrit Ping timeout: 480 seconds
1157679618 A * matti nope.
1157679624 M * matti Bertl: Hi there!
1157679819 M * Bertl hey matti!
1157681210 Q * FireEgl Quit: Bye...
1157685000 J * as ~asa@dva168.neoplus.adsl.tpnet.pl
1157685004 M * as Hello.
1157685014 M * as Is someone who offering free psybnc?
1157685046 M * as I need this thing very much. Someone may help?
1157685049 M * Bertl what's that? and how is it related to Linux-VServer?
1157685075 M * as Hmm. This is shell account. Installing into server and giving account to (user as me)
1157685079 M * as Is this possible here?
1157685089 M * as I will add my network into this {if possible}
1157685119 M * Bertl never heard of that and no I do not think it is possible or desired ...
1157685158 M * as ok. Well I'm searching this now. Had many of this for free but some accident take Me here in (searching on progress)
1157685179 M * as Well nevermind. I thought that If U guys have linux U may host me on Your shell as user.
1157685189 M * Bertl good luck with searching then ...
1157685195 M * as Anyway wander about PsyBnc still because it's simply needed to Me.
1157685199 M * as Thx I will .
1157686480 M * litage thanks doener
1157686490 M * litage why is /tmp/ only 16MB by default?
1157686695 M * Bertl IIRC, by definition, /tmp is only for very small files, larger files should use /var/tmp
1157686738 M * Bertl as 16MB seem quite huge to me (old fashioned :) it is a reasonable limit (especially as it is allocated in ram/swap)
1157686738 M * litage thanks Bertl
1157686934 Q * as Quit: —I-n-v-i-s-i-o-n— 2.0 Build 3515
1157687334 Q * m4z Remote host closed the connection
1157687357 J * m4z m4z@bastard-operator.from-hell.net
1157687426 P * litage Leaving
1157687673 M * Bertl wb m4z!
1157690283 J * stefani ~stefani@c-24-19-46-211.hsd1.wa.comcast.net
1157690305 P * stefani
1157690713 J * Viper0482 ~Viper0482@p549767C5.dip.t-dialin.net
1157691615 M * olilo hey Bertl!
1157691644 M * Bertl hey :)
1157692197 M * Hollow morning
1157692388 M * Bertl good morning Hollow!
1157692529 P * Viper0482 und weg
1157692829 M * Hollow hey Bertl, are you familiar with PIC/PIE?
1157693184 M * Bertl a strange question (after we debugged that every now and then :)
1157693219 M * Bertl but to answer it, yes, to some extent :)
1157693260 M * Hollow well, i cleaned up the dietlibc ebuild, and this exec-ulimit is gone, had sth to do with SSP/STACKGAP.. during the cleanup -fno-pie got lost
1157693276 M * Hollow which brought back bugs of undefined reference
1157693283 M * Bertl ahh?
1157693286 M * Hollow i'm just looking for the bugzilla entry..
1157693315 M * Hollow and i thought maybe we can fix the bug instead of adding -fno-pie again :)
1157693348 M * Hollow https://bugs.gentoo.org/show_bug.cgi?id=111880
1157693494 M * Bertl well, do you know what the problem is?
1157693511 M * Hollow not really, we just fixed it with -nopie back then..
1157693688 M * Bertl well, chances are good that it is the 'usual' register scarceness on x86/64
1157693704 M * Hollow i.e. relatively easy to fix?
1157693716 M * Hollow i'm just setting up a hardened environment to test it
1157693729 M * Bertl a) which archs do expose this? b) do we have comparative test code (i.e. small example code which we could check with and without)?
1157693755 M * Hollow a) at least x86 and amd64, don't know about others, b) no(t yet)
1157693811 M * Bertl okay, we need to get -S compiles and objdump debugs for two versions one with PIE the other without, (one working the other one failing :)
1157693888 M * Hollow well, the version with pie doesn't even compile .. ;)
1157693921 M * Bertl hmm .. well, that is probably a different issue then :)
1157693935 M * Hollow as i said.. undefined references..
1157693946 M * Hollow but i'll first try to reproduce it
1157693973 M * Bertl that sounds more like a _linker_ issue (or more precisely a library issue) than a _compiler_ problem?
1157693986 M * Bertl i.e. I assume it _does_ compile, but it fails to link :)
1157694047 M * Hollow yeah, sorry for being unspecific ;) probably it suffices to provide pie/non-pie dietlibc which it is linked against..
1157694171 M * Bertl yes, this will definitely be a requirement, i.e PIC code in the library
1157694213 M * Hollow doesn't pic only apply to shared libs?
1157694434 M * Bertl well, PIE basically requires PIC to work
1157694515 M * Hollow and if pic applies only to shared libs, the fix probably is -nopie?
1157694526 M * Hollow because we have no shared libs in diet..
1157694539 M * Hollow (at least we don't compile the dyn version)
1157694561 M * Bertl well, I'm pretty sure that diet can be used to generate PIE executables
1157694602 M * Bertl one prerequisite for PIE/PIC stuff is that you use the very same options for all of the objects
1157694692 M * Bertl so, you probably want to use -fPIE on the diet libraries and have 'diet' issue -fPIE too
1157695197 M * Hollow ah, it does _not_ happen on amd64 but x86
1157695299 Q * suka Ping timeout: 480 seconds
1157695596 M * Bertl okay, I'm off to bed now ... try to get the -S and objdump stuff for both cases on x86 and I will have a look at it (try to make a trivial test case for that too please :)
1157695617 M * Bertl have a good whatever everyone ... cya later!
1157695624 N * Bertl Bertl_zZ
1157695836 J * mugwump ~samv@watts.utsl.gen.nz
1157695841 M * nib-nico the faq says bind9 doesnt need userlandstuff anymore since 2.1.1-18 but how can I check my version? it isn't the version of the utils, is the version of the kernelpatch meant?
1157696029 M * nib-nico ah yes found it
1157696138 J * FireEgl FireEgl@Sebastian.Atlantica.US
1157696291 J * dna_ ~naucki@72-238-dsl.kielnet.net
1157696534 Q * cdrx Ping timeout: 480 seconds
1157696594 Q * comfrey Ping timeout: 480 seconds
1157699733 J * ||Cobra|| ~cob@pc-csa01.science.uva.nl
1157700003 Q * Hollow Quit: Konversation terminated!
1157700068 J * id23 ~id@p5081205C.dip0.t-ipconnect.de
1157701350 J * cdrx ~legoater@242.32.96-84.rev.gaoland.net
1157701830 J * prae ~Benjamin@5-63.206-83.static-ip.oleane.fr
1157701846 J * meandtheshell ~markus@85-124-37-20.dynamic.xdsl-line.inode.at
1157702541 J * dlezcano ~dlezcano@242.32.96-84.rev.gaoland.net
1157702673 J * m4z_ m4z@bastard-operator.from-hell.net
1157702673 Q * m4z Read error: Connection reset by peer
1157702681 N * m4z_ m4z
1157702732 Q * Aiken Ping timeout: 480 seconds
1157702779 J * gerrit ~gerrit@c-67-160-146-170.hsd1.or.comcast.net
1157703788 J * Hollow ~hollow@2001:a60:f026::1
1157706298 M * nayco hello, all !
1157707418 J * yarihm ~yarihm@84-75-123-221.dclient.hispeed.ch
1157707428 Q * yarihm
1157708181 J * shedi ~siggi@dsl-149-109-85.hive.is
1157708186 Q * dna_ Quit: Verlassend
1157708380 Q * fosco helium.oftc.net charon.oftc.net
1157708380 Q * kaner helium.oftc.net charon.oftc.net
1157708435 J * kaner kaner@strace.org
1157708435 J * fosco fosco@konoha.devnullteam.org
1157709801 Q * FireEgl Read error: Connection reset by peer
1157710293 M * meebey Unknown flag '~hide_netif'
1157710303 M * meebey is that a util-vserver feature or kernel feature?
1157710315 M * meebey I upgraded util-vserver but it doesn't seem to recognize it
1157710378 M * meebey hm with 2.4 that doesnt the default anyhow, so I can remove it safely
1157710382 J * FireEgl FireEgl@2001:5c0:84dc:1:4::
1157710471 M * meebey galilei6:~# vserver vpn-openvpn enter
1157710471 M * meebey capchroot: getpwnam("0"): No such file or directory
1157710471 M * meebey galilei6:~#
1157710472 M * meebey eh?
1157710680 M * meebey looks like I need to downgrade util-vserver
1157711373 M * meebey dpkg - warning: downgrading util-vserver from 0.30.210-8bpo2 to 0.30.204-5sarge3.
1157711528 M * daniel_hozac meebey: ~hide_netif should be supported by recent util-vservers as well.
1157711538 M * meebey daniel_hozac: it was
1157711541 M * daniel_hozac you appear to be using the legacy config though?
1157711546 M * meebey daniel_hozac: but only with 2.6 kernel it seems
1157711550 M * meebey daniel_hozac: nope
1157711574 M * daniel_hozac oh, so you're using a 2.4 kernel?
1157711583 M * meebey works now with 0.30.204
1157711593 M * meebey so 0.30.210 is not compatible with 2.4 anymore
1157711598 M * meebey daniel_hozac: yes
1157711599 M * daniel_hozac sure it is.
1157711611 M * daniel_hozac you just need to poke it in the right places ;)
1157711642 M * meebey 2.4 + directory config + 0.30.210 -> capchroot: getpwnam("0"): No such file or directory
1157711651 M * daniel_hozac but i suppose pretty much nobody is using 2.4 :)
1157711658 M * meebey 2.4 + legacy config + 0.30.210 -> ok
1157711669 M * daniel_hozac IMHO that error is because you lack /etc/passwd inside the guest.
1157711678 M * daniel_hozac or you compiled the utils with glibc and ignored all the warnings.
1157711684 M * meebey daniel_hozac: not true
1157711688 M * meebey daniel_hozac: /etc/passwd exists
1157711708 M * meebey I didnt compile util-vserver with glibc, lemme check the package dependencies
1157711735 M * meebey Depends: libbeecrypt6, libc6 (>= 2.3.2.ds1-21), iproute, net-tools, make, debconf
1157711738 M * meebey no glibc
1157711747 M * daniel_hozac libc6 is glibc ;)
1157711763 M * daniel_hozac but vserver-info will be infinitely more useful.
1157711768 J * lilalinux ~plasma@dslb-084-058-199-058.pools.arcor-ip.net
1157711772 M * meebey mixed glibc with glib :)
1157711775 M * daniel_hozac because vhashify will always be linked dynamically due the beecrypt.
1157711786 M * daniel_hozac s/the/to/
1157711834 M * meebey daniel_hozac: 0.30.204 is also linked against libc
1157711838 M * daniel_hozac yes.
1157711845 M * meebey how come it works?
1157711846 M * daniel_hozac as i said, it'll always be linked against libc.
1157711861 M * meebey 12:34:38 < daniel_hozac> or you compiled the utils with glibc and ignored all the warnings.
1157711862 M * daniel_hozac but really, you're using legacy utils due to the legacy kernel :)
1157711869 M * daniel_hozac yep.
1157711875 M * daniel_hozac 12:36 < daniel_hozac> but vserver-info will be infinitely more useful.
1157711876 M * meebey that sounds like compiling it not against libc, wouldnt cause my problem
1157711879 M * prae hello everybody
1157711886 M * daniel_hozac hi prae
1157711892 M * meebey but that doesnt make sense to me, since both versions use libc and one works and one not
1157711899 Q * cdrx Ping timeout: 480 seconds
1157711915 M * daniel_hozac meebey: it will always be linked against glibc. the question is just how much.
1157711917 M * meebey Use dietlibc: yes
1157711927 M * meebey daniel_hozac: is that what you need?
1157711929 M * daniel_hozac meebey: but it's quite possible that the legacy utils got broken somehow...
1157711934 M * daniel_hozac exactly...
1157711954 M * meebey both versions use dietlibc
1157711961 M * daniel_hozac ok.
1157711965 M * meebey daniel_hozac: ok that sentence sounds now more logical to me :)
1157711988 M * meebey the combo: 2.4 + directory config + 0.30.210 doesn't work anymore
1157712024 M * daniel_hozac hmm, well, actually, could you try changing /usr/lib*/util-vserver/vserver and change the suexec lines from 0 to root?
1157712043 M * meebey daniel_hozac: hm not now, its a production system
1157712054 M * daniel_hozac i meant /usr/sbin/vserver, of course...
1157712062 M * daniel_hozac meebey: if anything, that should make it work for legacy guests as well.
1157712069 M * meebey its not that important, our newest system uses 2.6 already
1157712071 M * daniel_hozac and would also mean that i'm the one who broke it :)
1157712189 M * daniel_hozac really, it shouldn't have any sort of ill-effects unless your guest lacks /etc/passwd or similar. using 0 there is just a short-cut to make vcontext work on utils where glibc is used (because we don't want to load NSS modules from the guest).
1157712222 M * daniel_hozac (vcontext is only used in the non-legacy path though)
1157712246 M * daniel_hozac i guess i didn't really investigate all the possible paths that the change affected.
1157712327 M * meebey I dont see any gain by using suexec 0 instead of root
1157712557 M * daniel_hozac you don't have to do the username to uid lookups.
1157712566 M * daniel_hozac nor the initgroups, etc.
1157712606 M * daniel_hozac you just set the uid to 0, and you're done.
1157712669 M * meebey galilei6:/etc/vservers# /usr/lib/util-vserver/capchroot --suid 0 /vservers/vpn-openvpn echo
1157712672 M * meebey capchroot: getpwnam("0"): No such file or directory
1157712674 M * meebey daniel_hozac: its reproducible
1157712683 M * daniel_hozac right, capchroot is a legacy tool and doesn't work the same way.
1157712691 M * daniel_hozac all of what i said only applies to vcontext.
1157712729 M * meebey 12:14:31 < meebey> capchroot: getpwnam("0"): No such file or directory
1157712735 M * meebey daniel_hozac: so thats the problem, using 0 for capchroot
1157712742 M * daniel_hozac as i said ;)
1157712947 M * meebey so downgrade or changing /usr/sbin/vserver does the trick
1157712966 M * meebey which is allright for me anymore, deprecated system :)
1157713028 M * daniel_hozac right. i'll fix the patch too so capchroot also understands uids.
1157713068 M * meebey the debian packages of util-vserver got worse btw with the last versions
1157713075 M * daniel_hozac why's that?
1157713077 M * meebey ugly bugs in /etc/init.d/util-vserver
1157713092 M * meebey one is a race condition the other is a scripting error
1157713093 M * daniel_hozac ah, the custom-made initscript?
1157713107 M * meebey custom-made? I didnt write it, but the maintainer :)
1157713113 M * daniel_hozac i'm starting to think we should make a generic one that works for most distros.
1157713127 M * daniel_hozac right.
1157713129 M * meebey make one that is LSB-conform
1157713134 M * meebey then everyone will use it
1157713135 M * daniel_hozac but Gentoo also uses a custom one.
1157713150 M * daniel_hozac i think i'm the only maintainer still using the vanilla initscript ;)
1157713153 M * meebey if its not LSB conform but another crappy hacky dirty script nobody will use it
1157713202 M * daniel_hozac i think the biggest problem is that distros differ in how they handle the configuration files.
1157713218 M * daniel_hozac i don't think changing an initscript is an optimal solution in any way...
1157714296 J * cdrx ~legoater@cap31-3-82-227-199-249.fbx.proxad.net
1157716648 Q * nokoya Ping timeout: 480 seconds
1157717979 M * doener daniel_hozac: it's also a problem that by now there are probably around 10 bazillion different formats for initscripts... the good old ones, gentoo, initng...
1157717993 M * daniel_hozac yeah.
1157718027 M * doener grr... cscope segfaults and I still have no idea how to use reportbug with msmtp... anyone?
1157718028 M * daniel_hozac i don't think it'll be possible to create a unified one at all... better just keep it in the distro packages or just put them all in there with a . suffix.
1157718099 M * doener util-vserver is becoming a first class example of changes not "reaching" upstream... lots of diversity :(
1157718240 M * daniel_hozac yep... hopefully ensc will start responding to our queries soon.
1157718353 J * nokoya ~young@hi-230-82.tm.net.org.my
1157718369 M * daniel_hozac i did get him to at least casually review most of the patches though.
1157718601 M * Hollow daniel_hozac: well, vmware in gentoo e.g. uses a generic init script which is wrapped by a gentoo init script, imo that is the best solution
1157718616 M * daniel_hozac isn't that generic init script in this case the start-vservers script?
1157718649 M * Hollow probably, but the init script provided by util-vserver still does some other things iirc? not sure though, it's been a while already ;)
1157718664 M * daniel_hozac no, it just sets the default variables and then execs it.
1157718667 M * daniel_hozac IIRC.
1157718674 M * daniel_hozac now you got me all insecure ;)
1157718708 M * daniel_hozac oh, it uses vserver-wrapper.
1157718710 M * Hollow or maybe this idea is based on the fact that you have two init scripts in u-v (vprocunhide + vservers) and we have merged those
1157718755 M * daniel_hozac you're correct, the vserver-wrapper script does the outputting and stuff.
1157718775 M * daniel_hozac in a way though, i can see the use-cases for vservers-default.
1157718807 M * daniel_hozac i mean, it's a handy short-cut if you group your guests to be able to restart the groups in one command.
1157718861 M * daniel_hozac i suppose not many people are using it like that though.
1157718886 N * Belu_zZz Belu
1157718925 M * daniel_hozac and the start-vservers script would still be available...
1157719361 J * DiamonD ~Admin@wbd-326d8.adsl.wanadoo.nl
1157719364 P * DiamonD
1157720817 A * Belu is away (i´ll be back later...)
1157720817 N * Belu Belu_zZz
1157720903 Q * michal_ Ping timeout: 480 seconds
1157721203 J * michal_ ~michal@www.rsbac.org
1157723691 J * Piet hiddenserv@tor.noreply.org
1157723692 J * CYnabr ~CYnabr@82-208-83-177.ats34-dzer.pppoe.mts-nn.ru
1157723866 J * s0undt3ch_ ~s0undt3ch@bl7-241-87.dsl.telepac.pt
1157723932 A * kir is away: Gone home
1157724293 Q * s0undt3ch Ping timeout: 480 seconds
1157724299 N * s0undt3ch_ s0undt3ch
1157724476 M * Hollow daniel_hozac: do you think it would make sense to drop the output from vserver-wrapper (or at least make it quiet via env), and add a function to stop all guests not in any group? i'd adapt our init script then..
1157724919 P * CYnabr Kopete 0.10.3 : http://kopete.kde.org
1157726676 Q * id23 Remote host closed the connection
1157727117 J * id23 ~id@p5081205C.dip0.t-ipconnect.de
1157727202 M * matti jmp 0xc0ffee
1157727340 M * doener hm, you should use "call 0xc0ffee" so that you can "ret" ;)
1157727366 M * phedny doener: maybe he doesn't want to ret
1157727373 M * doener :(
1157727575 M * matti :-)
1157727578 M * matti Hehehe.
1157727581 M * matti doener: Good point.
1157728256 J * Roey ~katz@h-69-3-4-130.mclnva23.covad.net
1157728311 Q * dlezcano Read error: Connection reset by peer
1157728350 J * dlezcano ~dlezcano@242.32.96-84.rev.gaoland.net
1157728522 M * meebey wasn't there some flag name for hide_netif for 2.4?
1157728571 M * meebey galilei6:~# vattribute --xid 1035 --set --flag a_netif
1157728571 M * meebey Unknown flag 'a_netif'
1157728571 M * meebey galilei6:~# vattribute --xid 1035 --set --flag hide_netif
1157728571 M * meebey vattribute: vc_set_flags(): Invalid argument
1157728572 M * meebey hm
1157728852 J * Viper0482 ~Viper0482@p549767C5.dip.t-dialin.net
1157728878 M * doener wasn't that always on?
1157728910 M * meebey nope
1157728927 M * meebey legacy config is not setting it, current config does, and I need to disable it
1157728961 Q * kaner Ping timeout: 480 seconds
1157729034 Q * prae Quit: Quitte
1157729048 P * Viper0482
1157729139 M * meebey seems like to reject all flags I tr
1157729141 M * meebey try
1157729198 M * meebey eh the vserver wasnt running
1157729200 M * meebey *doh*
1157729234 M * meebey hm still
1157729243 M * meebey galilei6:~# vattribute --xid 1035 --set --flag lock
1157729243 M * meebey vattribute: vc_set_flags(): Invalid argument
1157729371 M * meebey smells like work overtime
1157729823 J * stefani ~stefani@tsipoor.banerian.org
1157730747 N * Bertl_zZ Bertl
1157730756 M * Bertl morning folks!
1157730774 M * node good morning Bertl
1157730809 M * doener morning
1157730831 M * Bertl meebey: what tool version is that?
1157730857 M * meebey Bertl: 0.30.204
1157730872 M * meebey I tried 210 but that broke other things
1157730880 M * Bertl hmm, how so?
1157730893 M * meebey it didn't understand ~hide_netif either
1157730908 M * meebey I use 2.4 kernel and was trying to allow interface creating and assignment of IP inside a vserver
1157730915 M * matti :)
1157730929 M * matti Bertl: Hello!
1157730959 M * meebey Bertl: 210 passes 0 to suexec which fails on 2.4
1157730971 M * meebey Bertl: but that is not related to the hide_netif thing
1157730987 M * meebey I used john's method now, creating the tap0 device on the host
1157730991 M * meebey and it seems to work
1157731101 M * meebey wth, something creates now tap1
1157731119 Q * shedi Quit: Leaving
1157731171 M * Hollow morning Bertl, the PIC is trivial again... although i'm not sure if my fix is really correct... if __PIC__ is defined, on x86, dietlibc does not build socketcalls... the workaround/fix is here: http://dev.croup.de/proj/gentoo-vps/browser/dietlibc/patches/0.30-r2/100_x86_pic-socketcall.patch
1157731254 M * meebey Bertl: I think I found a bug
1157731300 M * meebey Bertl: now that tap0 is created on the host and gets an IP assignment via /etc/vservers/*/interfaces/*/ip the application can create a tap1 and assign an IP to it
1157731313 M * meebey Bertl: that shouldn't work in sense of hide_netif
1157731344 M * Hollow nayco: btw, thanks for the article.. this looks very promising: Linux-VServer (751 hits) :)
1157731401 M * meebey but I got my tap device now, so I am happy
1157731541 M * Hollow nayco: i even understand 50% of what is written there, quite astonishing :D
1157731992 M * doener which article?
1157732046 M * Hollow http://linuxfr.org/2006/09/06/21291.html
1157732090 M * Hollow the link count on the front page is higher though.. smells like a bug ;)
1157732223 J * kaner kaner@strace.org
1157732430 Q * ||Cobra|| Remote host closed the connection
1157732620 M * Bertl meebey: you are talking about what kernel version?
1157732689 M * Bertl Hollow: is the VServer Hosting already transferred? if no I'd do that and clean it up?
1157733124 Q * MrX Quit: urk IRC v0.-1.4 - http://urk.sf.net/
1157733145 J * bonbons ~bonbons@83.222.36.236
1157733151 M * Bertl welcome kaner! bonbons!
1157733174 M * bonbons Hey Bertl!
1157733298 M * Hollow Bertl: it is..
1157733312 J * MrX ~urk@219.95.2.216
1157733341 M * Bertl Hollow: ah, great so just cleanups then ...
1157733349 M * Bertl Hollow: or did you do that too?
1157733359 M * Hollow no, i transferred it as-is
1157733366 M * Bertl okay, np, thanks!
1157733378 M * Bertl Hollow: how is the PIE? yummy? :)
1157733379 M * Hollow did you see the PIC patch?
1157733395 M * Bertl obviously not, which one?
1157733396 M * Hollow look at 6pm ;)
1157733409 M * Hollow http://dev.croup.de/proj/gentoo-vps/browser/dietlibc/patches/0.30-r2/100_x86_pic-socketcall.patch
1157733426 M * Hollow i'm not sure if this is a real fix, but it compiles at least
1157733429 M * Bertl okay, checking
1157733491 M * Bertl hum, hum, you basically disable socketcall completely ... are you sure you want that :)
1157733506 M * Bertl note: I have no idea what socketcall does :)
1157733567 M * Hollow no, it's the other way round...
1157733572 M * Hollow i _enable_ socketcall
1157733592 M * Hollow if __PIC__ is defined, no socketcall will be built
1157733616 M * Hollow imo this socketcall thing is quite strange.. only i386 uses it in diet...
1157733624 M * Hollow at least with an own asm implementation
1157733633 M * Hollow this includes calls like socket, accept, listen etc
1157733689 M * Bertl I assume those will break somehow ... you should do a simple test with them
1157733776 M * Hollow well, it seems to work...
1157733785 M * Hollow socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP) = 3
1157733785 M * Hollow socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
1157733806 M * Hollow ah wait
1157733808 M * Hollow wrong box
1157734397 M * Loki|muh can someone here give me a hint, which tool I can use when I'm search for all uppercase characters in a textfile?
1157734902 Q * dlezcano Quit: Leaving
1157734986 Q * Piet Ping timeout: 480 seconds
1157735616 J * Piet hiddenserv@tor.noreply.org
1157736837 Q * gerrit Ping timeout: 480 seconds
1157737284 Q * sladen Ping timeout: 480 seconds
1157737602 J * sladen paul@starsky.19inch.net
1157738621 Q * FireEgl Read error: Connection reset by peer
1157738860 M * Hollow Bertl: well, it seems to work everywhere ;)
1157738933 M * Bertl excellent then!
1157738950 M * Hollow awesome... it seems we fixed all pic/pie/ssp whatever bugs
1157738952 M * Hollow :)
1157738974 M * Bertl good to hear, please send that upstream too
1157739006 M * Hollow will do
1157739232 J * FireEgl FireEgl@Sebastian.Atlantica.US
1157739524 J * Piet_ hiddenserv@tor.noreply.org
1157739606 M * Hollow Bertl: it seems the old wiki is quite broken... non-ascii character madness, old timestamps, missing history... :/
1157739626 Q * lilalinux Remote host closed the connection
1157739654 M * Hollow will have to look at the sqldump... especially for the non-ascii thing
1157739668 M * Hollow e.g. all pages are truncated from the beginning of the first non-ascii character
1157739907 Q * Piet Killed (NickServ (GHOST command used by Piet_))
1157739920 N * Piet_ Piet
1157740026 M * Bertl Hollow: hmm, php has a simple html_escape() function, maybe use that one?
1157740037 M * Bertl (I'm sure perl has something similar too :)
1157740071 M * matti Bertl: http://pl2.php.net/manual/pl/function.htmlspecialchars.php
1157740076 M * Hollow well, i guess the right encoding for the sqldump should fix it...
1157740103 M * matti Uhm.
1157740185 M * Hollow will have a look later... i'm still fighting with bureaucrazy
1157740201 M * matti Hmh...
1157742278 M * Hollow Bertl: which mysql version did you run for the old wiki?
1157742390 J * gerrit_ ~gerrit@bi01p1.co.us.ibm.com
1157742499 Q * FireEgl Quit: Bye...
1157742822 M * Bertl Hollow: sec
1157742927 Q * nokoya Quit: changing servers
1157742996 M * Bertl Hollow: 3.23.58
1157743030 M * Hollow hrm.. i guess the database files of this version will not work with 5.0 anymore :)
1157743044 M * Hollow else i'd suggested to just copy those original files
1157743118 M * Bertl isn't that a little odd that an ascii sql dump does not work in a newer release of the same database?
1157743153 M * Hollow well, the fact that the wiki pages have many non-ascii characters says no :)
1157743171 J * dreamind ~dreamind@C2107.campino.wh.tu-darmstadt.de
1157743172 J * michael ENETDOWN@fw-ext.konaktiva.tu-darmstadt.de
1157743175 M * dreamind Hi :)
1157743176 M * michael hi
1157743178 M * dreamind hi michael
1157743181 M * dreamind :P
1157743190 M * Hollow iirc i did some special iconv conversion with the first dump you sent me..
1157743203 M * Bertl dreamind, michael: hmm?
1157743211 M * dreamind can somebody tell me if its possible with vserver to have private network interfaces for virtual machines?
1157743233 M * Bertl not possible (and usually not required) yet
1157743247 M * dreamind hm, ok
1157743257 M * Bertl dreamind: btw, there are no virtual machines in Linux-VServer :)
1157743261 M * dreamind but how can I make sure all outgoing traffic is firewalled?
1157743279 M * Bertl by simply putting a firewall on the host
1157743284 M * cehteh it is already, by the host firewall
1157743290 M * dreamind 'k
1157743317 M * dreamind but can I use iptables and use different rules per context?
1157743323 M * dreamind or only per ip?
1157743333 M * cehteh only per ip
1157743346 M * cehteh which should actually suffice
1157743347 J * nokoya ~young@hi-230-82.tm.net.org.my
1157743348 M * dreamind hm, 'k that would be easier with a virtual interface
1157743353 M * Hollow hm.. i wonder what's up with all that firewall requests... i never even used iptables, neither host nor guest nor else...
1157743370 M * cehteh heh
1157743379 M * cehteh well i prefer some firewalling too
1157743401 M * cehteh just in case someone breaks in he shall not feel comfortable
1157743402 M * dreamind hm - and can I use the loopback device for a vserver?
1157743416 M * dreamind so I don't have to use an "official" ip for all my vservers...
1157743432 M * Hollow use private ips
1157743438 M * dreamind on eth0?
1157743438 M * Hollow 192.168.* & friends
1157743446 M * Hollow well, why not?
1157743455 M * dreamind because its my external interface?
1157743468 M * daniel_hozac so?
1157743470 M * dreamind physically connected to completely different machines
1157743479 M * dreamind thats just not an option, ok?
1157743485 M * Hollow i doubt that private addresses are routed from the internet to your network card ;)
1157743497 M * Hollow but you can create dummy interfaces of course
1157743507 M * dreamind ok that would be possibly a solution
1157743517 M * Bertl doesn't change anything though
1157743518 M * dreamind and how would I do that?
1157743533 M * Hollow yeah, but well... if he feels more comfortable with those ;)
1157743556 M * Bertl illusion of comfort and safety :)
1157743561 M * Hollow heh
1157743585 M * Bertl dreamind: you want to have guests with private ips on a single public ip host system, yes?
1157743598 M * dreamind yup.
1157743607 M * Bertl okay, so here is what you do:
1157743624 M * dreamind and I want to be 100% sure no traffic from the guest to the host goes out on any physical interface
1157743634 M * Bertl - assign the private ips to eth0 or dummy0 (whatever you prefer)
1157743651 M * Bertl - add a firewall rule to block all private ip traffic to the outside
1157743678 M * Bertl - add masquerading rules for dedicated ports (you want to be reachable from outside)
1157743690 M * Bertl you're done
1157743697 M * daniel_hozac why would any traffic from the guest destined for the host use any physical interface? that'd use lo.
1157743710 M * Bertl thing is, for host-guest traffic, lo is used anyways
1157743821 M * dreamind Bertl: 'k that answers my question :)
1157743864 M * cehteh dreamind: i just played with a bridge interface as backed private interface across my dmz which are currently only vservers .. but if i need i could easily add a physical interface to the bridge
1157743896 M * cehteh dunno maybe one can alias loopbacks for that purpose too, no idea ;)
1157744002 M * dreamind and how do I change the routing for the vserver - so it can connect to the internet?
1157744033 M * cehteh networking is all managed in the host
1157744056 M * cehteh when you start a vserver the host sets up the networking interfaces/aliases for the guest and then starts the guest
1157744098 M * cehteh if your vservers have private IP's you need to NAT traffic
1157744118 M * cehteh snat for outgoing traffic, dnat for incoming
1157744136 M * cehteh if they have real ip's on your internet interface they are already connected
1157744163 M * cehteh just do the usual firewalling as you like
1157744236 A * cehteh again suggests firehol.sf.net for that
1157744240 M * Bertl dreamind: for the guest you basically just need a rule to 'map' the private ip to a public one
1157744363 M * Bertl dreamind: no 'special routing' is involved, packets are 'sent' from the same machine
1157744391 M * cehteh (which is sometimes annoying)
1157744408 M * dreamind ok but I think now thats clear to me :)
1157744907 M * dreamind hm, next thing, how do I limit the memory and cpu time?
1157744928 M * dreamind sorry, that I'm asking that much, but I at first only tried xen and I'm really new to all this ;)
1157745147 M * Bertl http://linux-vserver.org/Resource+Limits
1157745179 M * Bertl http://oldwiki.linux-vserver.org/Scheduler
1157745197 M * Bertl http://linux-vserver.org/Scheduler+Parameters
1157745300 M * dreamind Bertl: thanks :D
1157745376 M * Bertl you're welcome!
1157745647 M * matti Anybody live in .uk?
1157745648 M * matti :)
1157745791 M * Bertl sladen does, IIRC
1157745814 M * matti I see.
1157745870 M * matti I will move myself to .uk in october.
1157746104 Q * gerrit_ Ping timeout: 480 seconds
1157746162 M * matti Oh well. Heh, nvm.
1157746718 J * gerrit_ ~gerrit@bi01p1.co.us.ibm.com
1157746796 P * stefani I'm Parting (the water)
1157747304 M * dreamind hm, and how do I make sure (on debian) my vservers are started upon boot?
1157747344 M * Bertl there is a sysv runlevel script (usually called vserver-default) which starts all guest marked 'default' 1157747407 M * Bertl the details of the tools and config can be found here: 1157747408 M * Bertl http://oldwiki.linux-vserver.org/alpha+util-vserver 1157747421 M * Bertl http://www.nongnu.org/util-vserver/doc/conf/configuration.html 1157747468 J * FireEgl FireEgl@2001:5c0:84dc:1:4:: 1157747494 Q * ag- 1157747586 J * ag- ~ag@caladan.roxor.cx 1157747662 M * matti Bertl: BTW, who own the "Flower Page"? 1157747696 M * Bertl Enrico 1157747728 M * matti So, can we move some informations from Flower Page to new WiKi? 1157747747 M * matti I mean, Flower Page is great (alternate css also ;p) but...: ) 1157747749 M * matti Ehehe. 1157747862 M * Bertl well, yes and no, I'd rather leave that up to daniel_hozac ... 1157747869 Q * cdrx Quit: Leaving 1157747873 M * mnemoc matti: it's generated from an xml from within utils-vserver afaik 1157747876 M * Bertl thing is, the flower page is auto generated from an xml thingy 1157747916 M * Bertl so once we managed to contact enrico *sigh* and daniel_hozac takes over, he will decide how to proceed ... 1157747951 M * matti I see. 1157747957 M * matti Sorry for nagging then. 1157747986 M * michael Are there patches for 2.6.18-rc6 or maybe an up to date git repository? I know there is one, but gitweb says it is 5 weeks old, it has no server-info to pull over http (somebody should run git update-server-info and make hooks/post-update executable) 1157748035 M * Bertl good point, I should a) start populating the git repository and b) have a look at the 2.6.18 changes ... 1157748067 M * doener Bertl: I started fetching/unpacking rc6, will look into a port within the next hour 1157748082 M * matti .18 looks very nice. 1157748086 M * doener (actually I started that 4 hours ago, but then got hungry) 1157748104 M * Bertl doener: excellent ... will look at it too, so that we can compare results ... 
1157748227 M * Hollow Bertl: apropos... if you need things installed (for git and your webspace) please bug me, i'm bored anyway ;) 1157748243 M * matti ;-p 1157748268 M * Bertl Hollow: ah, good, maybe you can give me a short walkthrough how to use the git repository remotely? 1157748271 M * matti Hollow: What you think about "vserver" features flag? 1157748291 M * Hollow Bertl: git+ssh://foo ? :) 1157748308 M * Bertl I should be able to push with that? 1157748320 M * Hollow matti: which flag are you talking about? use flag? 1157748335 M * matti Hollow: No. 1157748347 M * Hollow Bertl: iirc i still have to set uid/gid on /var/git correctly, but yeah, that should work afaik 1157748348 M * Bertl matti: like this? http://oldwiki.linux-vserver.org/Caps+and+Flags 1157748351 M * matti nokoya: FEATURES="blah blah". 1157748357 M * matti Oops. 1157748361 M * Hollow :) 1157748366 M * matti This was for Hollow ;p 1157748368 M * matti nokoya: Sorry. 1157748371 M * Hollow and what should that feature do? 1157748431 M * matti Hollow: Automagically enabled functionality for vserver host/guest in (for example) normal hardened profile. 1157748454 M * matti Hollow: Once enabled, needed software/patches will be choosed and used. 1157748467 M * matti Bertl: Thanks :) 1157748476 M * Hollow Bertl: iirc it depends on the development model you want to apply to your git repo... if you want to have a public repo on helios you have to put the .git dir on the remote box only or sth like that 1157748488 M * Hollow matti: that's what use flags are for 1157748588 M * Bertl Hollow: well, I'm trying to figure out the details, it should be possible to push certain states to the public repository 1157748651 M * matti Hollow: k, so. What you think after all? If we consider the use flag instead FEATURES... 
1157748656 M * Hollow yep, for the regular svn user it's quite confusing ;) 1157748689 M * Hollow matti: well, i rather try to push the opposite: no vserver specific things in portage (except the kernel and utils of course :P) 1157748711 M * Hollow ah, btw... baselayout 1.13 will work with vserver given that secure_mount is enabled 1157748730 M * Hollow i.e. you could use regular stages for guests 1157748834 M * Hollow Bertl: you should have write access to /var/git now 1157748841 M * Hollow probably needs a relogin to refresh groups 1157748850 M * Loki|muh no acls? ;) 1157748860 M * Hollow bah 1157748867 M * Bertl I'll try to upload something there for a test, we can remove that lateron ... 1157748869 M * daniel_hozac hmm, what's up with oldwiki's dates? 1157748879 M * Hollow daniel_hozac: broken, broken and a lot more broken 1157748881 M * Hollow :) 1157748893 M * daniel_hozac that i noticed ;) 1157748911 M * Hollow [20:20] Bertl: it seems the old wiki is quite broken... non-ascii character madness, old timestamps, missing history... :/ 1157748919 M * daniel_hozac ah. 1157748932 M * Hollow will fix it asap 1157749514 M * doener Hollow: hm, for non-ascii chars you probably just need to set the input charset when importing the dump. no idea about the broken dates 1157749544 M * doener MySQL <4.1 had no idea about charsets 1157749558 M * Hollow i hate charsets 1157749559 M * Hollow . 1157749561 M * Hollow :) 1157749574 M * Hollow and mysql has the crappiest implementation ever 1157749578 M * doener yeah... if the world had started out with utf-8... 1157749587 M * Bertl OMG! 1157749594 M * Loki|muh hehe mysql has a swedish default 1157749612 M * Loki|muh some kind of annoying 1157749681 A * doener wonders what exactly the "OMG!" was about 1157749721 M * Bertl utf-8 is one of the most useless inventions ever 1157749738 Q * mire Quit: Leaving 1157749754 M * Hollow i agree. 
the world should have stayed with ascii 1157749774 M * daniel_hozac and just force everyone to speak english? ;) 1157749796 M * Hollow well, you can write german with ascii-only too ;) 1157749802 M * Bertl well, there have been standardized character sets for several years before, or how do you think did postscript use non ascii chars? 1157749803 M * Hollow umlauts are crap anyway 1157749805 M * daniel_hozac even ü? 1157749812 M * Hollow ue 1157749821 M * Bertl that reads: ü here 1157749826 M * waldi Bertl: it aggregates more than one character 1157749842 A * Hollow smells a flame war 1157749846 M * waldi and 日本語? 1157749847 M * cehteh mhm 1157749853 M * daniel_hozac Bertl: that's a u with an umlaut here ;) 1157749860 M * doener chinese! sweet :) 1157749864 M * waldi doener: no 1157749867 M * Bertl so basically Ü :) 1157749880 M * doener waldi: japanese? 1157749881 M * daniel_hozac but lowercase, yes. 1157749889 M * Bertl üÜ :) 1157749891 M * waldi doener: yes 1157749895 M * Hollow eiei 1157749935 M * Bertl now let's see what the irc log says to this :) 1157749936 M * cehteh ⚔ for flamewars 1157749939 M * Hollow Results 1 - 10 of about 1,370,000 for import mysql encoding 1157749940 M * Hollow wahaha 1157749985 A * doener is quite happy that irssi deals well with both, utf-8 and iso-8859-1 1157750007 M * Bertl doener: I disabled utf8 in irssi, but it's fine for me :) 1157750033 M * cehteh ☮ brothers ;) 1157750062 M * Loki|muh :ø) 1157750130 M * doener Bertl: I just noticed that the logs are served without compression? Might be a good idea to enable deflate, no? 1157750144 M * doener s/?/./ 1157750227 M * Hollow Bertl: uhm... do you still have that mysql dump around? 1157750282 M * Bertl doener: yeah, I had some issues with deflate at some point, just avoided to activate it ... but will try again 1157750327 M * doener I had problems with it, too.
But only when used behind a reverse proxy and the client was using IE 1157750346 M * cehteh who cares about that :P 1157750351 M * Hollow hehe 1157750358 A * meandtheshell throws http://de.wikipedia.org/wiki/Lojban into the ascii/utf8 talk 1157750364 M * meandtheshell ;) 1157750753 M * Bertl sounds like esperanto (from the idea) but I don't see a relation to urf8 :) 1157750777 M * Bertl *utf even 1157750829 M * michael bye 1157750831 Q * michael Quit: michael 1157750838 M * meandtheshell Bertl: because there's none :) 1157750855 M * meandtheshell its a language not just a character set 1157750884 Q * bonbons Quit: Leaving 1157750909 M * meandtheshell it differs from esperanto in the manner that its directly machine "readable" 1157750909 M * cehteh lojban is based on logic .. actually nice but i dont want to learn it 1157751010 M * meandtheshell cehteh: not just logic but yes a huge portion of logic ... 1157751088 M * Hollow i suggest we all speak binary 1157751104 M * meandtheshell AI guy's love it because one of the most problems the are faced with is the ambiguity in human languages 1157751111 M * meandtheshell Hollow: lol 1157751132 M * meandtheshell s/most/major/ 1157751222 M * meandtheshell I guess if the human race wants to make "real" progress with AI something like Lojban is a must have ... just my two cents :) 1157751305 A * meandtheshell is off to bed now ... ciao pfirt gott und auf wida schaun 1157751312 M * Hollow servus 1157751374 Q * meandtheshell Quit: bye bye ... 1157751506 M * Hollow off to bed too... Bertl: if you find some spare seconds please send me another dump of the old wiki db please.. 1157751517 M * Bertl I think this is a bad joke of the mandriva folks: tetex-3.0-18mdv2007.0.src.rpm size: 325467117 1157751531 M * Hollow guess not 1157751534 M * Bertl Hollow: will do so, good night! 1157751538 M * Hollow tetex is terribly huge :o 1157751541 M * Hollow night 1157751559 M * doener but 300mb+? 
that looks a little exaggerated 1157751575 M * Bertl especially as it usually is bzip2 compressed 1157751613 M * doener oh, src rpm... well, that might fit... IIRC debian binaries are around 180MB 1157751626 M * Bertl really? 1157751628 M * doener "binaries", fonts etc. are included in that 1157751683 J * node_ node@c-69-143-148-254.hsd1.md.comcast.net 1157751692 M * Bertl sounds like something is going wrong there (with tetex :) 1157751804 M * doener tetex base sources (vanilla) are 90mb, the source rpm probably includes "a few" more things ;) 1157751824 M * Bertl 90mb bzip2 compressed? 1157751838 M * doener yep 1157751850 M * Bertl what do they put in there? 1157751863 M * doener another 70mb for "bin" and "src" (whatever "src" might be) 1157751870 M * Loki|muh patches ;) 1157751885 M * Bertl the 1.0.7 tetex src.rpm did have 50MB which I considered excessively huge 1157751914 M * doener Source files for the texmf tree of the Debian teTeX distribution. They are 1157751914 M * doener only here to meet the copyright requirements of some tex packages, and may 1157751914 M * doener be useful for (La)TeX developers. 1157751923 M * Bertl I mean, we are talking about tex and latex there, right? 1157751925 M * doener ouch.... 1157751957 M * doener that's the description of debian's tetex-src package... 
56mb bz2-compressed vanilla source 1157751965 M * doener guess you have all-in-one there ;) 1157751971 M * Bertl maybe they included some mpeg movie to explain how to write packages :) 1157751981 M * Bertl *classes I mean :) 1157752031 J * DreamerC_ ~dreamerc@61-217-227-61.dynamic.hinet.net 1157752270 Q * DreamerC Read error: Operation timed out 1157752320 M * sid3windr hehe Bertl 1157753253 Q * dreamind Quit: dreamind 1157753561 Q * m4z Remote host closed the connection 1157753561 Q * AndrewLee Remote host closed the connection 1157753561 Q * harry Remote host closed the connection 1157753561 Q * Revelator Read error: Connection reset by peer 1157753561 J * m4z m4z@bastard-operator.from-hell.net 1157753618 J * harry ~harry@d54C2508C.access.telenet.be 1157753618 J * AndrewLe1 ~andrew@tnlug.linux.org.tw
1157753976 J * shedi ~siggi@inferno.lhi.is 1157754345 Q * m4z Remote host closed the connection 1157754353 J * m4z_ m4z@bastard-operator.from-hell.net 1157754361 N * m4z_ m4z 1157754472 Q * FireEgl Quit: Bye... 1157754758 M * doener yeah, funny... installed a new kernel and boom, .12 is out... 1157754905 M * Bertl does anybody know a simple and quick way to disable the 'Lock Shift In' (SI) ansi commands on a terminal?
1157754933 M * Bertl i.e. I would like to stay with the 'unshifted' 7 bit set regardless of the command sequences 1157755332 Q * s0undt3ch Quit: leaving 1157755637 J * gerrit ~gerrit@bi01p1.co.us.ibm.com 1157757505 M * node_ is there any MAC infrastructure (i.e. selinux, rsbac) for vserver? 1157757524 M * node_ ive been reading some of the documentation on linux-vserver.org, but cant find any mention of anything MAC related 1157757534 M * Bertl what do you mean by 'infrastructure'? 1157757598 M * node_ well, does MAC exist in vserver? 1157757608 M * Bertl MAC = Mandatory Access Control? 1157757612 M * node_ yes 1157757622 M * mnemoc there was one guy integrating rsbac with vserver some time ago 1157757629 M * node_ interesting 1157757641 M * node_ has there been any effort to virtualize selinux? 1157757671 M * mnemoc oO( was it micah ? )o 1157757673 M * Bertl nope, neither for grsec (which exists as patches) 1157757689 M * Bertl mnemoc: nope michal' 1157757695 M * mnemoc close :) 1157757727 M * Bertl node_: what kind of MAC do you have in mind? can you give a few examples what you'd like to do? 1157757930 M * node_ if MAC doesn't exist in vserver in general, it'd be a nice thing to have 1157757942 M * node_ problem is, if there hasnt been any significant effort thusfar, there must be a reason why 1157757959 M * node_ i know in the case of selinux, it would definitely not be trivial 1157757962 M * Bertl well, bananas do not exist either in Linux-VServer, although they would be nice to have :) 1157757982 M * node_ heh.. bananas might not stop a 0-day exploit though =) 1157757996 M * Bertl how will MAC do that? 1157758012 M * node_ by confining exploited processes to protection domains 1157758023 M * Bertl like vserver guests? 1157758040 M * node_ processes within guests will be confined to protection domains 1157758049 M * node_ the guests themselves are obviously isolated from each other 1157758061 M * Bertl and what do they protect them from? 
1157758081 M * node_ well, suppose we have apache running in a guest 1157758085 M * node_ apache gets exploited 1157758097 M * Bertl by some stack overflow, for example? 1157758098 M * node_ the attacker has the same privs that the apache binary runs as 1157758100 M * node_ sure 1157758105 M * Bertl okay 1157758118 M * Bertl now what do you do with MAC 1157758131 M * node_ well, MAC in general is a bit difficult to discuss 1157758137 M * node_ lets take selinux as an example 1157758139 M * Bertl okay 1157758156 M * node_ selinux enforces a security policy, which is defined by the system administrator 1157758165 M * node_ so, in this case 1157758174 M * node_ the sysadmin gives apache minimal access 1157758184 M * Bertl fine, what does this 'security policy' mean? 1157758207 M * node_ in selinux, there is a 'default deny' policy.. IOW, unless there is a statement in the security policy allowing an access, the access will be denied 1157758215 M * Bertl I could as well put the apache in a separate context without any permissions, no? 1157758254 M * node_ i suppose you could do that 1157758275 M * node_ you would do this with every daemon process youre attempting to run though? 1157758290 M * Bertl yes, basically I do so 1157758309 M * node_ interesting 1157758349 M * Bertl you can make that a little more comfortable by having 'dedicated' service guests 1157758368 M * node_ i guess i see why there has been no significant effort in the MAC front for vserver =) 1157758370 M * Bertl i.e. one guest for apache, another for postgres, still another for postfix 1157758379 M * node_ if every privileged process is isolated, there is no need for it 1157758409 M * node_ Bertl: does that approach scale well? 
1157758429 M * Bertl but I think it would not be too hard to extend selinux to work _inside_ the guests and become context aware 1157758442 M * Bertl well, it probably scales as well as selinux 1157758462 M * Bertl there is no real overhead in having a context for each process 1157758469 M * matti node_: You can use harry's patches (grsecurity + vserver) and use RBAC from grsecurity. 1157758472 M * matti node_: TPE also. 1157758530 M * matti node_: grsecurity provides MAC as a part of RBAC. 1157758579 M * node_ well, i probably should say that im an selinux developer 1157758601 M * matti node_: And what about 0-day exploits... Well, you probably want to use PaX and non-exec stack/memory/kernel spac as well as ALSR... 1157758604 M * matti node_: Oh. 1157758606 M * matti node_: :) 1157758616 M * Bertl node_: ah, now we are getting somewhere :) 1157758625 M * node_ so, i have a few opinions on the security properties of grsecurity/rbac 1157758641 M * matti node_: Well. 1157758656 M * Bertl node_: so you would be interested in making selinux context aware? 1157758660 M * matti node_: AFAIR spender do not like selinux at all ;-p 1157758663 M * node_ Bertl: yes 1157758687 M * node_ matti: you know spender? 1157758692 M * Bertl node_: okay, well, first, you got my support on that 1157758700 M * matti node_: Anyway - sorry for nagging I didn't know that you are SEL developer. 1157758702 M * matti node_: Yes. 1157758710 M * node_ Bertl: i would also need NSA's support =) 1157758738 M * node_ it is an interesting thought though, making selinux context aware 1157758746 M * matti node_: But, AFAIR MAC/RBAC is not enough. 1157758763 M * Bertl node_: well, the NSA is your problem :) 1157758765 M * node_ not enough? 1157758767 M * matti node_: You also need something like PaX. 1157758769 M * matti node_: Yes. 
1157758779 M * node_ matti: yes, PaX is a complement to MAC 1157758789 M * matti :-) 1157758793 M * node_ although, selinux does provide the execmem permission which essentially does the same thing 1157758821 M * matti I am not sure about. 1157758834 M * node_ well, selinux wont randomize your address space 1157758848 M * node_ but itll make sure that a given process' stack isnt executable 1157758862 M * matti And will never do such thing like segmexec or pageexec. 1157758912 M * matti node_: So, non-exec is available, but still... PaX can a lot more than that. And I am sure, you know about this very well :) 1157758923 M * matti k, I don't want to interrupt :) 1157758925 M * matti Sorry. 1157759008 M * Bertl node_: I do not understand that much about selinux, always viewed it as something artifical which doesn't match real world cases, but it is in mainline now and some folks actually use it 1157759065 M * Bertl node_: as far as I got the selinux concept, it is a set of rules (policies) to apply to events (access and operation) 1157759083 M * node_ yes, that is the case 1157759093 M * node_ matti: selinux provides comparable memory protection as PaX 1157759126 M * node_ Bertl: i see your point about not needing MAC in vserver though, assuming each process runs in its own context 1157759133 M * Bertl a problem folks using Linux-VServer always encounter is that they cannot use the 'typical' policies because they do not match a host/guest setup 1157759136 M * node_ that is better than selinux can accomplish 1157759159 M * node_ well, in the case of selinux, the selinux security server lives in kernel-land 1157759161 M * Bertl node_: yes, but it is not the default case, usually folks use Linux-VServer for providing vps 1157759175 M * matti Yep. 1157759177 M * node_ userspace queries the kernel security server for access decisions 1157759181 M * matti 80% of usage cases. 
1157759199 M * Bertl and in this case, they either have to create special policies which 'work' with those guests, or disable it completely 1157759225 M * node_ most of the docs ive seen regarding selinux/vserver say 'set enforcing to 0' 1157759231 M * Bertl it would, for example, be interesting, to make those policies context aware to some extend, and/or virtualze the interface 1157759233 M * node_ which isnt what i want to hear, as a selinux developer =) 1157759245 M * daniel_hozac node_: because nobody has bothered with it yet ;) 1157759247 M * node_ well, ive been thinking about it 1157759248 J * DaCa ~danny@mail.limehouse.org 1157759260 M * node_ and it'd involve virtualizing the kernel security server 1157759279 M * node_ libselinux itself wouldnt have to change that much 1157759296 J * symtab ~symtab@193.230.207.150 1157759306 M * daniel_hozac why would it have to change at all? 1157759333 M * node_ well, let me ask this 1157759343 M * node_ from userspace, the process' context must be communicated to the security server 1157759345 M * daniel_hozac IMHO proper virtualization means that the same userspace can be used regardless. 1157759350 M * Bertl wb DaCa! welcome symtab! 1157759355 M * node_ daniel_hozac: very true 1157759386 M * Bertl yes, it could be either at the host level (which would require extensions to the lib) or the guest level 1157759393 M * node_ so, is there some way for the vserver kernel to know what a process' context without having it explicitly communicated? 1157759402 M * Bertl yep 1157759412 M * node_ then libselinux wouldnt have to change 1157759431 M * node_ although, it just feels naive saying that 1157759446 M * DaCa hi Bertl 1157759522 M * daniel_hozac so what would be the point of virtualizing it? giving guests the ability to load their own policies, right? 
1157759525 M * Bertl node_: so what I mean is, if you're serious about that, I can probably give you a fast walk through to the Linux-VServer kernel code 1157759545 M * node_ Bert: that would be very helpful, there is some documentation ive been reading on linux-vserver.org about the kernel patches 1157759583 M * node_ daniel_hozac: the point of virtualizing it is that a true MAC infrastructure in each VPS would exist 1157759593 M * node_ rbac/grsecurity isnt really MAC =) 1157759595 M * daniel_hozac buzzword++. 1157759638 M * node_ sorry about the buzzwords, i get overly enthusiastic sometimes 1157759652 M * daniel_hozac what would that mean? per guest policies? or host controlled? 1157759653 A * matti pokes michal_ 1157759657 M * matti michal_: Wake up. 1157759658 M * matti ;) 1157759661 M * node_ per guest policies 1157759671 M * node_ using the same kernel security server 1157759671 M * matti Now, we've full house. 1157759680 M * daniel_hozac so a simple "yes" would've sufficed ;) 1157759685 M * matti A RSBAC developer - michal_. A SEL developer - node_. 1157759702 M * node_ nooooo, have i started a flamewar? 1157759708 M * matti And some other fans of grsecurity :) 1157759720 M * matti node_: Not yet :) 1157759741 M * doener node_: can't be, we already had some kind of utf-8 flame"war" today, twice a day is too much ;) 1157759751 M * matti doener: Hehehe. 1157759773 M * Bertl node_: http://www.13thfloor.at/vserver/s_rel26/v2.02/split-2.6.17.11-vs2.02/ 1157759774 Q * gerrit Ping timeout: 480 seconds 1157759783 A * matti hands doener a cup of 0xc0ffee. 1157759784 M * matti ;) 1157759797 M * doener hm, quite a good idea, thanks matti 1157759804 M * matti Welcome, as usual. 1157759811 A * Bertl .o( well, better than 0xbadbeef :) 1157759823 M * matti Bertl: Hehe. 1157759823 M * node_ or 0xbaddecaf 1157759845 M * Bertl didn't know that one, nice :) 1157759861 A * doener doesn't get that one... 1157759883 M * node_ bad-decaf.. 
as in decaffeinated coffee 1157759892 M * node_ 0xdeadbeef as well, but that's obvious 1157759894 M * doener ah! thanks :) 1157759916 M * Bertl node_: okay, see the diffs on that url? 1157759941 M * node_ yes, got them 1157759962 M * Bertl those are the broken out patches for the latest stable Linux-VServer release