1163030429 M * micah yeah, that's really great... I just migrated two servers in about 10 minutes, what took so long was the rsync :)
1163030437 M * micah i've got four more to go tonight
1163030462 M * Bertl dreamist: thanks for the positive feedback!
1163030475 M * Bertl dreamist: btw, did you add yourself to the happy user page yet?
1163030483 M * dreamist micah: out of curiosity what process do you use? is there a utility out there somewhere? I ended up just tarring up /vservers/, /etc/vservers/, and /vservers/.pkg/
1163030493 M * dreamist Bertl: nope -- is that on the Wiki?
1163030545 M * Bertl http://linux-vserver.org/VServer_Users
1163030562 M * Bertl ah, it's linked on the fron page too ...
1163030566 M * Bertl *front
1163030587 M * dreamist ok, will definitely throw myself on there
1163030591 M * Bertl although I'm not sure that 'Resources' is the proper topic there :)
1163030633 M * Bertl (i.e. we might want to move that up to participate)
1163030639 M * micah dreamist: I just rsync -av --numeric-ids /vserver/ and rsync -av /etc/vserver/ and then I stop the vserver, do one last rsync, then start it up on the new host
1163030675 M * Bertl yeah, the --numeric-ids and actually -H (for the links) can be vital
1163030698 M * dreamist micah: ok.. so that ends up moving all the package management stuff under /etc/vservers/ then, right?
1163030722 M * micah dreamist: I move everything under /vserver/ and /etc/vserver/
1163030774 M * dreamist that'd be easier.. I'll have to figure out the best way to do that. Right now I think the package management dirs for each vserver get created (by virtue of a symlink) under /vservers/.pkg/
1163030879 M * dreamist well thanks for the info all.. cheers!
1163030927 Q * dreamist
1163032252 M * Bertl http://paste.linux-vserver.org/654
1163032261 M * Bertl well, at least it didn't explode :)
1163033152 M * Bertl anybody interested in extending the testfs.sh scripts?
1163034227 J * shedii ~siggi@inferno.lhi.is
1163034319 M * Bertl wb shedii!
1163034520 Q * shedi Ping timeout: 480 seconds
1163035082 J * tudenbart ~willi@xdsl-213-196-227-224.netcologne.de
1163035130 M * Bertl wb tudenbart!
1163035532 Q * dothebart Ping timeout: 480 seconds
1163038851 T * * http://linux-vserver.org/ <- new and shiny | latest stable 2.02.1, exp 2.02.2-rc6, devel 2.1.1, 2.2.0-pre1, stable+grsec 2.0.2.1, devel+grsec 2.1.1 | util-vserver-0.30.211 | libvserver-1.0.2 & vserver-utils-1.0.3 | He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the iki, and we'll forget about the minute ;)
1163038851 T * Bertl -
1163038890 J * Bertl herbert@IRC.13thfloor.at
1163038932 M * Bertl back now .. did somebody miss me?
1163040250 Q * mountie Remote host closed the connection
1163040271 J * mountie ~mountie@CPEdeaddeaddead-CM000a739acaa4.cpe.net.cable.rogers.com
1163040573 M * Bertl wb mountie!
1163041851 M * Aiken machine with ppp0 and a couple of vservers. I want any connection to port 7000 on ppp0 to be forwarded to a vserver on the same machine
1163041882 M * Aiken I can get port forwarding happening to guests and hosts on other machines but not to a guest on the same machine
1163041901 M * Aiken 2.4.32-vs1.2.10
1163041919 M * Aiken any iptables + vserver gurus awake?
1163041924 M * Bertl hmm
1163041943 M * Bertl well, what rules do you add?
1163041983 M * Aiken iptables -t nat -I PREROUTING -p tcp -i ppp0 -d ${PPPIP} --dport 7000 -j DNAT --to 172.16.31.11:7000
1163042016 M * Aiken that rule with the approp address instead of 172.16.31.11 will forward to other machines on the network
1163042057 M * Bertl and the traffic comes _from_ ppp0?
1163042089 M * Aiken yes
1163042152 M * Aiken http://paste.linux-vserver.org/656
1163042157 M * Aiken that is the full script
1163042179 M * Aiken most of which just sets up masquerading so the guests on that machine can access the net with outgoing connections
1163042184 M * Bertl could you do a tcpdump -vvnei ppp0 port 7000 for me of one such connection attempt?
1163042377 M * Aiken http://paste.linux-vserver.org/657
1163042445 M * Bertl and 152.98.240.153 is remote somewhere?
1163042462 M * Bertl while 203.164.233.143 is the guest?
1163042486 M * Bertl eh, host I mean
1163042493 M * Aiken 152.x.x.x is a friend abt 1 hr drive away and 203.x.x.x is my current external IP
1163042520 M * Bertl but it is the ppp0 ip, yes?
1163042524 M * Aiken yes
1163042608 M * Bertl okay, and for whatever reason port 7000 is called bbs on your side?
1163042622 M * Bertl (it's afs3 here)
1163042639 M * Bertl (check /etc/services)
1163042643 M * Aiken rh6.2 /etc/services file
1163042667 Q * bronson Ping timeout: 480 seconds
1163042673 M * Bertl okay, just checking, what chains do you have in nat
1163042706 M * Bertl PRE/POSTROUTING and OUTPUT?
1163042717 M * Aiken http://paste.linux-vserver.org/658
1163042805 M * Aiken bit-bucket & betty are guests on that machine, fred is this machine and pearl is the mother-in-law's machine
1163042806 M * Bertl hmm, the POSTROUTING masquerading is very generic :)
1163042834 M * Bertl let's try to add a log target for each chain, like this
1163042861 M * Bertl iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport 7000 -j LOG
1163042881 M * Bertl iptables -t nat -I POSTROUTING -p tcp --dport 7000 -j LOG
1163042909 M * Aiken what about OUTPUT?
1163042936 M * Bertl not interesting
1163043062 M * Aiken http://paste.linux-vserver.org/659
1163043309 M * Bertl could you check if that is from the pre or postrouting chain?
1163043402 M * Aiken PREROUTING
1163043428 M * Bertl so we are actually in the right chain, and the packet looks like it should match, right?
1163043447 M * Bertl let's move the LOG _after_ the DNAT
1163043493 M * Bertl (i.e. if the DNAT succeeds we should not get the log)
1163043544 M * Aiken I know, put the logging statement just after the DNAT
1163043618 M * Aiken nothing logged
1163043707 M * Bertl so it is properly rewritten
1163043750 M * Bertl the question now is, why doesn't it work for you :)
1163043802 M * Aiken a guest on this machine is 172.16.31.203, if I change the 31.11 to 31.203 the port forwarding will work
1163043805 M * Bertl could you try with a reduced iptables setup, which 'just' does the DNAT and nothing else? and see if the packets arrive and get an answer?
1163043847 M * Bertl hum, then please try to flush the routing cahce
1163043850 M * Bertl *cache even
1163043870 M * Aiken ?
1163043933 M * Bertl ip route flush cache
1163044140 M * Aiken did nothing
1163044170 M * Bertl so it works for one guest, but fails for the other?
1163044193 M * Aiken it works for a guest/host on the network
1163044204 M * Aiken it won't work for a guest on the same machine as ppp0
1163044208 M * Bertl ah, network, okay, that's different
1163044274 M * Bertl neither mangle nor filter tables have rules killing off the packet?
1163044417 M * Aiken only rules regarding that IP are in the post and pre rules you have already seen
1163044478 M * Bertl okay, could you test with a different port (or remove all listeners from the 7000 port) and nc?
1163044496 M * Bertl i.e. bind to that port on the _host_ with IP_ADDR_ANY
1163044505 M * Aiken 0 0 drop-log all -- ppp0 any 10.0.0.0/8 anywhere
1163044505 M * Aiken 0 0 drop-log all -- ppp0 any 172.16.0.0/16 anywhere
1163044505 M * Aiken 0 0 drop-log all -- ppp0 any 192.168.0.0/16 anywhere
1163044515 M * Aiken could that be doing it ?
1163044526 M * Aiken INPUT chain
1163044527 M * Bertl looks like
1163044543 M * Bertl you probably have a log entry about that too :)
1163044562 M * Aiken I have had unwanted packets from the private subnets before so drop them and have been for a long time
1163044568 M * Aiken no
1163044589 M * Bertl well, remove them for testing
1163044590 M * Aiken I turned logging off, got very sick of the log entries
1163044595 M * Bertl ah :)
1163044621 M * Bertl you know, with the ULOG target you can easily get that into separate logs
1163044635 M * Radiance morning all :)
1163044661 M * Bertl and a good one 2u2!
1163044672 M * Radiance i read about some bug causing openvpn not able to work with tun ... is that fixed ?
1163044689 M * Bertl no bug I know of
1163044708 M * Bertl fact is, you do not have 'tun' access without proper caps
1163044726 M * Radiance i read i'd have to use cap_sys_admin if i remember
1163044727 M * Bertl but you can pre configure a persistent tun device for a guest
1163044730 M * Aiken I removed those rules, just have to wait for this other person to get back from the job he is on, he is at work
1163044752 M * Radiance yeah
1163044788 M * Radiance some one mentioned also to do this: echo '~hide_netif' >> /etc/vservers/test/flags
1163044813 M * Radiance not sure how to interpret it
1163044825 M * Aiken no change
1163044828 M * Radiance hide the tun interface ?
1163044833 M * Bertl interface hiding should be default
1163044840 M * Radiance ah
1163044862 M * Bertl Aiken: let's do the netcat (nc) thing I suggested
1163044888 M * Radiance i actually don't want to make it too complex, i just want a few ppl being able to vpn into the guest and then connect to the internet
1163044910 M * Radiance so i'm assuming that normally bridged mode should do
1163044912 M * Aiken the packets are getting dropped
1163044917 M * Aiken I now have a log entry
1163044935 M * Bertl okay, where do they get dropped?
1163044982 M * Aiken the INPUT chain
1163045004 M * Bertl log?
1163045099 M * Aiken http://paste.linux-vserver.org/660
1163045108 M * Aiken wondering if I need an ACCEPT rule in INPUT
1163045124 M * Bertl what's the default?
1163045152 M * Bertl the packet itself looks good ...
1163045291 M * Aiken http://paste.linux-vserver.org/661
1163045327 M * Bertl that's the input chain?
1163045353 M * Bertl no wonder that this blocks ... try the following:
1163045400 M * Aiken input chain
1163045409 M * Bertl iptables -I INPUT -i ppp0 -d 172.16.31.11 -p tcp --dport 7000 -j ACCEPT
1163045445 M * Bertl well, maybe even without the -i ppp0 if you want it to work on the local network too
1163045454 M * Aiken only slightly different from what I tried 5 min ago
1163045467 M * Aiken ~, Thu Nov 9 14:05:31
1163045468 M * Aiken (root@barney) iptables -I INPUT -p tcp -d 172.16.31.11 --dport 7000 -j ACCEPT
1163045488 M * Bertl but mine works :)
1163045492 M * Aiken now 6 min is what I tried. the traffic from Austria stopped at the same time
1163045502 M * Bertl :Avon NOTICE AUTH :*** Looking up your hostname...
1163045511 M * Aiken yes
1163045551 M * Bertl so problem solved, everybody happy, you'll clean up?
1163045553 M * Aiken getting many reminders of why I stopped logging, all the packets from outside to ports 1026 and 1027
1163045668 M * Aiken thanks
1163045710 M * Bertl you're welcome!
1163045727 M * Bertl okay, I'm off to bed then .. have a good one everyone!
1163045737 N * Bertl Bertl_zZ
1163045739 M * Aiken gn
1163049159 Q * qb_ Ping timeout: 480 seconds
1163049328 J * togtog ~tog@e179167137.adsl.alicedsl.de
1163049331 P * togtog
1163049396 J * qb_ ~qb@sq.sk
1163050646 J * bronson ~bronson@c-71-198-75-160.hsd1.ca.comcast.net
1163052864 Q * Skram Remote host closed the connection
1163053167 J * Skram ~mark@HERCULES.sentiensystems.net
1163057034 T * * http://linux-vserver.org/ <- new and shiny | latest stable 2.02.1, exp 2.02.2-rc6, devel 2.1.1, 2.2.0-pre1, stable+grsec 2.0.2.1, devel+grsec 2.1.1 | util-vserver-0.30.211 | libvserver-1.0.2 & vserver-utils-1.0.3 | He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the iki, and we'll forget about the minute ;)
1163057034 T * Bertl -
1163057161 Q * Aiken Read error: Connection reset by peer
1163057165 J * Aiken ~james@tooax6-143.dialup.optusnet.com.au
1163057954 J * dna_ ~naucki@112-205-dsl.kielnet.net
1163058306 J * dna___ ~naucki@115-206-dsl.kielnet.net
1163058720 Q * dna_ Ping timeout: 480 seconds
1163059045 Q * bronson Ping timeout: 480 seconds
1163059057 J * bronson ~bronson@adsl-64-161-106-11.dsl.snfc21.pacbell.net
1163059473 Q * dna___ Quit: Verlassend
1163060382 J * s0undt3ch_ ~s0undt3ch@81.193.60.108
1163060830 Q * s0undt3ch Ping timeout: 480 seconds
1163060830 N * s0undt3ch_ s0undt3ch
1163061176 Q * bronson Ping timeout: 480 seconds
1163062005 M * nayco_work Hello, all !
1163062050 M * daniel_hozac hi
1163062384 J * meandtheshell ~markus@85-124-38-60.dynamic.xdsl-line.inode.at
1163062775 J * SoftIce ~newbie@vc-196-207-45-253.3g.vodacom.co.za
1163062784 M * SoftIce hi, what is the story about vserver + snmp?
1163062866 M * daniel_hozac there's a story?
1163062881 M * SoftIce *chuckles*
1163062898 M * nox lovestory? (;
1163063004 M * SoftIce daniel_hozac: well i just can't get it start up
1163063026 M * harry a romantich story of bit banging and hard network penetration
1163063026 M * daniel_hozac why not?
1163063033 M * harry *romantic
1163063051 M * nox lol
1163063053 M * harry SoftIce: on the host or on the vps?
1163063107 M * SoftIce daniel_hozac: because i'm an idiot and don't read the logs properly ;)
1163063133 J * bonbons ~bonbons@83.222.36.166
1163063157 M * nox winuser? *scnr*
1163063185 M * SoftIce tell me something, why do some vserver processes show up on the parent and some don't
1163063199 M * daniel_hozac what?
1163063200 M * SoftIce eg: I don't see a vserver ssh server binding when I do a netstat -anp on the parent
1163063219 M * SoftIce but I do see BIND : 53
1163063255 M * daniel_hozac are you sure you're not running a nameserver on the host?
1163063259 M * harry wiiiiii... my patch did make sense :)
1163063272 M * harry has been added to the -mm tree. Its filename is mlock-cleanup.patch
1163063297 M * SoftIce daniel_hozac: nope, it's running on the jail sorry vserver
1163063306 M * SoftIce maybe it's just something to do with named
1163063307 M * nox must be a great feeling harry congrats
1163063323 M * SoftIce because I don't see the snmp process or ssh
1163063332 M * SoftIce the way it's supposed to be?
1163063342 M * daniel_hozac SoftIce: if you can see the pid and process name in that list, it's running on the host.
1163063369 M * SoftIce nope look here
1163063370 M * SoftIce tcp 0 0 65.75.175.41:53 0.0.0.0:* LISTEN 1529/named
1163063376 M * SoftIce right, 41 is ns1
1163063387 M * SoftIce [root@blackhole ~]# ps aux | grep named
1163063388 M * SoftIce named 1529 0.0 0.6 37216 3332 ? Ssl Nov06 0:00 /usr/sbin/named -u named -t /var/named/chroot
1163063404 M * daniel_hozac and that's on the host?
1163063418 M * SoftIce yes
1163063424 M * daniel_hozac then it's running on the host.
1163063443 M * daniel_hozac the host does not see guest processes.
1163063476 M * SoftIce damn i'm acting like a total idiot today, really sorry to mess you around, before I setup the vservers I had a session of bind running on the host.
1163063500 M * SoftIce only noticed when I pasted and saw it running in a chroot
1163063510 J * FireEgl FireEgl@Sebastian.Atlantica.US
1163063522 M * harry nox: hehe, not really, but it just means i was right :)
1163063536 M * harry nice to get confirmation sometimes
1163063573 M * nox sure! small step for the kernel but great step for u
1163063608 M * SoftIce the reason what was off putting was that bind was actually running in the vserver as well as the parent
1163063635 M * daniel_hozac shouldn't be possible, it should've failed with being unable to bind the socket.
1163063637 M * SoftIce how strange is that, now when I killed the process on the host and looked on the vserver it's still running and I re-started it and it had 2 instances
1163063652 M * SoftIce named 1822 0.0 0.5 4228 2792 ? Ss Nov07 0:14 /usr/local/sbin/named -u named -c /etc/named.conf
1163063658 M * SoftIce named 14312 0.3 0.3 3332 1776 ? Ss 17:08 0:00 /usr/local/sbin/named -u named -c /etc/named.conf
1163063674 M * SoftIce strange hey
1163063814 M * SoftIce daniel_hozac: you seem to know a hell of a lot and i'm struggling to find info on google or any IRC channel. if I were to load up snmp and bind it to each IP and not 0.0.0.0 then run mrtg will it get statistics on eth0 or can it pick up info per IP eg: eth0:0 :1 :2 etc?
1163063836 M * SoftIce trying to get statistics for each vserver b/w usage
1163063845 M * daniel_hozac aliases do not have separate stats.
1163063897 M * SoftIce damn, so it's not IP specific, so I would have to use netgraph or something and convert the logs to mrtg stats?
1163063919 M * daniel_hozac you should be able to use iptables for stats.
1163063941 M * daniel_hozac something like iptables -I INPUT -d
1163063941 M * SoftIce what about creating virtual devices like in fbsd for aliases?
1163063968 M * SoftIce never tried to on a linux machine though
1163063970 Q * DavidS Read error: Connection reset by peer
1163064337 J * chand ~chand@m244.net81-64-156.noos.fr
1163066744 M * nayco_work Mmmm... After a kernel+patch update on a vserver, I get this issue : Inside a given guest, root cannot switch to another user, and a user cannot switch to root. The logs show this message inside the guest :
1163066748 M * nayco_work Nov 9 10:56:58 vs8 pam_limits[17987]: setrlimit 15 to -1080528148 failed: Operation not permitted
1163066762 M * nayco_work And on the user console : could not open session
1163066769 M * nayco_work Any idea, folks ?
1163066819 Q * ComplexMind Quit: using sirc version 2.211+KSIRC/1.3.12
1163066827 M * daniel_hozac hmm, what's rlimit 15?
1163066861 M * nayco_work Er, dunno...
1163066880 M * daniel_hozac my kernels don't have it.
1163067038 M * nayco_work What does it mean ?
1163067054 M * daniel_hozac what does your /etc/security/limits.conf inside the guest?
1163067058 M * daniel_hozac +contain
1163067066 M * nayco_work k
1163067092 M * nayco_work * - rt_priority 0
1163067092 M * nayco_work * - nice 0
1163067092 M * nayco_work @audio - rt_priority 50
1163067092 M * nayco_work @audio - nice -10
1163067119 M * daniel_hozac that's it?
1163067127 M * daniel_hozac what arch is that?
1163067130 M * nayco_work Well, all the other lines are commented
1163067184 M * nayco_work Mandriva 2006.0 : 2.6.18.1-vs2.1.1-rc48 #1 SMP Mon Nov 6 12:08:45 CET 2006 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz unknown GNU/Linux
1163067261 M * daniel_hozac what happens if you comment those lines as well?
1163067293 M * nayco_work k
1163067412 M * nayco_work It works :-O !!!
1163067426 M * nayco_work What does it mean ?
1163067444 M * daniel_hozac pam_limits seems to be doing rather strange things.
1163067460 M * nayco_work is it kernel-related ?
1163067479 M * daniel_hozac not really.
1163067488 M * nayco_work Because I guess this setup would work on the host, or a normal machine...
1163067510 M * daniel_hozac yep.
1163067519 M * daniel_hozac but a guest isn't allowed to raise the rlimits.
1163067528 M * daniel_hozac much like a regular user can't.
1163067560 M * nayco_work So I would need to play with limits in the vserver conf directory ? Well, I won't, I don't care on this server. But this is new....
1163067833 M * nayco_work Ok, thanks :-)
1163070080 J * cugok ~Lezajsk@80.51.255.30
1163070139 P * cugok
1163070663 M * SoftIce im impressed how the host can't see the processes of the vserver
1163070674 M * SoftIce so used to fbsd jails and the 'parent' can see everything
1163070699 M * SoftIce it's like it's just 'hidden'
1163070705 M * SoftIce no process on the host showing it running, etc ;)
1163070807 P * tudenbart bye!
1163070831 J * lilalinux ~plasma@dslb-084-058-221-047.pools.arcor-ip.net
1163070848 M * tokkee SoftIce: You can use vps to see all processes if needed.
1163070891 M * SoftIce ahh, I should look into the vserver-utils a bit more
1163070907 M * SoftIce thanks
1163070976 M * SoftIce a quick question on upgrades, if I were to upgrade to fc 6 now from fc5 will the vserver kernel conflict issues and what are the steps advised
1163070988 M * SoftIce eg: upgrade host first, then login to vserver and yum upgrade ?
1163071014 M * SoftIce because I remember when you build the vserver you specify --distro, (--fc5)
1163071027 M * SoftIce or should I follow some other process in upgrading?
1163071255 M * nox SoftIce: the order is up to you
1163071323 M * nox SoftIce: every host can run every distro as guest, as long as it works with the running kernel
1163071367 M * SoftIce hmm, so you saying my vserver can run fc6 and my host can be fc5?
1163071374 M * SoftIce as long as they both compatible with the kernel?
1163071411 M * SoftIce if that is the case, then it can help in staging the upgrade
1163071653 J * s0undt3ch_ ~s0undt3ch@bl4-63-96.dsl.telepac.pt
1163071870 Q * s0undt3ch Ping timeout: 480 seconds
1163071918 N * s0undt3ch_ s0undt3ch
1163073015 M * nox SoftIce: yes that is the case
1163073058 J * dna_ ~naucki@4-198-dsl.kielnet.net
1163073417 Q * Aiken Ping timeout: 480 seconds
1163074164 M * SoftIce i'm impressed ;)
1163074178 M * SoftIce then that means that I would pretty much never have to upgrade the 'host'
1163074206 M * SoftIce if it runs no services, I could just upgrade the vservers
1163074400 M * doener except for the usual security updates
1163074433 M * doener but that can easily mean "kernel only"
1163074456 M * SoftIce yeah, especially if I lock down the host, only have ssh running
1163074463 M * renihs "only" :)
1163074485 M * SoftIce well ssh on a high port and installed by source and updated by hand when security changes
1163074491 M * SoftIce then it won't be an exploitable service
1163074502 M * SoftIce and I don't really need to worry about 'local kernel exploits'
1163074506 M * renihs if you limit access to it :)
1163074508 M * SoftIce as no accounts, etc on host
1163074521 M * SoftIce iptables 1 IP allowed, 1 user account ;0
1163074528 Q * Johnnie Read error: Connection reset by peer
1163074550 M * SoftIce damn, that's impressive ;
1163074559 M * SoftIce starting to really like this vserver thing.
1163074583 M * SoftIce well done for all you guys' hard work
1163074828 J * Olivier_54 ~olivier@86.66.187.66
1163076032 P * click [IRSSI]
1163077179 J * s0undt3ch_ ~s0undt3ch@bl4-58-56.dsl.telepac.pt
1163077618 Q * s0undt3ch Ping timeout: 481 seconds
1163077797 Q * s0undt3ch_ Ping timeout: 480 seconds
1163077867 J * Olivier__54 ~olivier@86.66.187.174
1163078081 J * prae ~Benjamin@host.187.57.23.62.rev.coltfrance.com
1163078181 J * s0undt3ch ~s0undt3ch@bl4-58-56.dsl.telepac.pt
1163078223 Q * Olivier_54 Ping timeout: 480 seconds
1163078467 J * Johnnie ~jdlewis@jdlewis.org
1163078595 Q * prae Quit: Quitte
1163078915 M * Olivier__54 hi
1163079047 J * marcfiu ~mef@targe.CS.Princeton.EDU
1163079182 M * Olivier__54 could someone tell me where the command vserver build gets the mirror to use for the build of a vserver ?
1163079201 M * Olivier__54 i tried to modify /etc/vservers/.default/debootstrap/uri
1163079215 M * Olivier__54 but it doesn't seem to work
1163079224 Q * SoftIce
1163079581 J * Rich_Estill ~restill@c-24-11-195-139.hsd1.mi.comcast.net
1163079640 Q * MrX Quit: urk IRC v0.-1.4 - http://urk.sf.net/
1163079825 M * nox Olivier__54: -m
1163080244 Q * shedii Quit: Leaving
1163080329 M * Olivier__54 ok thx
1163080404 M * Olivier__54 is it possible to make my own mirror the default ??
1163080534 Q * lilalinux Remote host closed the connection
1163080535 M * nox yes of course but you could also just set an alias if you have so many servers to build (:
1163080562 M * nox this also wouldn't be touched when you upgrade your server
1163080607 M * nox i prefer to have a default vserver which i just cp -a
1163080612 Q * wenchien Ping timeout: 480 seconds
1163080628 M * nox and apt-cacher for all to upgrade
1163080650 M * renihs rsync -a :)
1163080685 M * nox renihs: aH then (;
1163080705 M * renihs yah :)
1163080775 J * wenchien ~wenchien@59-105-176-11.adsl.static.seed.net.tw
1163080778 M * nox Olivier__54: then you just have to modify hosts mailname ... which i do by a script
1163080783 Q * wenchien Remote host closed the connection
1163080785 J * wenchien ~wenchien@59-105-176-11.adsl.static.seed.net.tw
1163081066 N * Bertl_zZ Bertl
1163081071 M * Bertl morning folks!
1163081073 M * nox Olivier__54: http://paste.linux-vserver.org/663 very ugly but does the job
1163081085 M * nox morning Bertl
1163081280 M * renihs morning Bertl
1163081341 M * renihs Bertl, slept long today :)
1163081343 M * renihs sleeping is healthy
1163081521 M * Bertl well, actually I'm up early today :)
1163081600 M * nox i thought everyone here knows you are living in utc+10 (;
1163081626 M * Bertl BUT it is :)
1163082118 M * nox Bertl: does bind9 rndc really use 127.0.0.1 or is it virtualized?
1163082125 M * nox on 2.1.1
1163082142 M * Bertl on 2.1.1 you typically reconfigure that to a private ip
1163082158 M * Bertl on post 2.1.1 you can use 127.0.0.1
1163082300 M * nox well it worked to do a iptables -A ip6 -p tcp -s 127.0.0.1 -d $ip6 --dport 953 -j ACCEPT
1163082311 M * nox was very surprised about that
1163082356 M * renihs utc+10? aren't you in austria?
1163082402 M * nox utc-10 would be more precise even if australia would better fit to austria by name
1163082417 M * Olivier__54 thx for all these answers
1163082526 M * nox Bertl: all bind sockets listen to the serverip none to 0.0.0.0 or 127/8
1163082655 M * nox nevertheless i had a ... SRC=127.0.0.1 DST=88.x.y.z LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4885 DF PROTO=TCP SPT=46259 DPT=953 WINDOW=32792 RES=0x00 SYN URGP=0 ... in my logs
1163082682 M * nox 88.x.y.z bind9 ip
1163082853 M * Bertl probably your rndc is misconfigured then
1163083217 M * Bertl nox: check the rndc config and the relevant part of the bind config
1163083377 M * Bertl doener: did you get somewhere with te 2.6.19 port?
1163083383 M * Bertl *the
1163083683 M * nox couldn't find anything but seems to work fine with the iptables rule
1163083827 M * doener Bertl: nope, university had higher priority lately
1163083862 M * Bertl np, I have a port which doesn't explode :)
1163083880 M * Bertl but still needs fixing up a few things
1163083913 M * Bertl so I wondered if you had some modifications done already (to avoid doing them again :)
1163084335 Q * wenchien Ping timeout: 480 seconds
1163084392 J * wenchien ~wenchien@59-105-176-11.adsl.static.seed.net.tw
1163084467 M * Bertl I renamed the 2.1.1.0 to 2.3.0.0 to avoid issues
1163085558 M * marcfiu good morning.
1163085634 M * Hollow morning!
1163085636 M * Bertl and a good 1 2u2!
1163085652 M * marcfiu what changed between vs2.0.2.2-rc6 and rc4?
1163085656 M * Hollow Bertl: several xfs tests fail with 2.2.0_pre1
1163085674 M * Hollow http://paste.linux-vserver.org/662
1163085737 M * Bertl very interesting, could you redo just the xfs tests with -vvv
1163085746 M * Bertl i.e. add -F xfs -vvv
1163085751 M * Hollow sure, sec..
1163085864 M * Hollow Bertl: http://paste.linux-vserver.org/664
1163085969 M * Bertl hmm, that was with -vvv? maybe the -t is still there?
1163085970 J * _mcp ~hightower@wolk-project.de
1163085984 M * Hollow ah yeah..
1163086018 Q * _mcp Read error: Connection reset by peer
1163086033 J * _mcp ~hightower@wolk-project.de
1163086051 M * Hollow http://paste.linux-vserver.org/665
1163086067 Q * mcp Read error: Connection reset by peer
1163086450 M * Bertl btw, regarding the pastebin, do you know, is there some kind of search extension available?
1163086467 M * Bertl or maybe at least a list of all posts or so?
1163086525 M * doener Hollow: is it MySQL-based?
1163086560 M * doener wow... 13.440s to load the main page...
1163086567 M * doener what's up with the box?
1163086635 M * Bertl Hollow: but you do not get those with 2.1.1 and a similar config?
1163086647 M * Bertl (just checking)
1163086707 M * doener better now... I wonder if my connection to the mysql server was just coincidentally at about the same time that the slowdown stopped...
1163086754 M * Hollow Bertl: dunno what the last version i tested with was ..
1163086761 M * Hollow 2.1.1_rc4* something i think
1163086800 M * Hollow doener: you're talking about l-v.org?
1163086824 M * doener Hollow: p.l-v.o ;)
1163086831 M * Hollow ah yeah.. quite slow here too
1163086886 M * Hollow but my net connection seems quite slow today anyway
1163087101 M * marcfiu What is the word on the street about enable FUSE such that a vserver can mount its own filesystem (e.g., sshfs, gmailfs, etc.).
1163087110 M * marcfiu s/enable/enabling
1163087130 P * Olivier__54 Leaving
1163087160 M * Bertl marcfiu: in general, too dangerous :)
1163087190 M * Bertl Hollow: okay, could you give 2.1.1 a spin?
1163087230 M * Hollow yeah ..
1163087274 M * marcfiu bertl: too dangerous because...?
1163087354 M * Bertl well, 'mounting' some kind of filesystem always is dangerous, as broken filesystems can stall the kernel (or even crash it)
1163087372 M * Bertl now allowing to mount 'userspace' filesystems makes that even worse
1163087397 M * marcfiu FUSE doesn't have sufficient cruft in there to isolate the kernel from user-level failures?
1163087398 M * Bertl it would be necessary to first prove that the interface cannot be abused for DoS
1163087413 M * marcfiu ok... agreed.
1163087438 M * Bertl technically it shouldn't be hard to allow fuse to work inside a guest
1163087450 M * Bertl probably even in a per guest (isolated) manner
1163087702 M * Bertl Hollow: seems like I can recreate it here with 2.2.0
1163087728 M * Bertl interesting fact is I get a lock warning too
1163087836 M * Bertl 2.1.1 seems fine ... very interesting .. investigating now
1163087975 M * Bertl ah, seems I found it
1163088042 M * Hollow ah ok.. compilation just finished ;)
1163088324 M * Bertl as nobody answered yesterday ... maybe somebody missed my question *G* ... anybody interested in improving the testfs.sh script?
1163088359 M * Bertl Hollow: yeah, I have a fix for the xfs issue, should I upload it or are you fine when it gets into pre2
1163088586 J * s0undt3ch_ ~s0undt3ch@bl9-225-35.dsl.telepac.pt
1163088642 M * Hollow Bertl: pre2 is fine
1163088986 Q * s0undt3ch Read error: Operation timed out
1163089220 Q * s0undt3ch_ Ping timeout: 480 seconds
1163089238 M * marcfiu why does vs_cvirt.h define two inline functions (proc_pid_visible and find_proc_task_by_pid) without the vx_ prefix?
1163089284 M * marcfiu this is 2.02.2-rc6.
1163089304 M * marcfiu not that it is bad, just seems inconsistent.
1163089485 M * Bertl yeah, well, I didn't feel like vs/vx at that time :)
1163089508 M * Bertl feel free to submit a patch to mend that
1163089509 J * glutoman glut@no.suid.pl
1163089510 Q * glut Read error: Operation timed out
1163089517 M * Bertl wb glutoman!
1163089576 J * yarihm ~yarihm@whitehead2.nine.ch
1163089607 Q * yarihm
1163089612 J * s0undt3ch ~s0undt3ch@bl9-225-35.dsl.telepac.pt
1163090192 M * Hollow Bertl: btw, could you (again?) explain what is the difference between VXF_INFO_LOCK and VXF_INFO_PRIVATE?
1163090206 M * daniel_hozac lock prohibits the context from migrating to another context.
1163090222 M * daniel_hozac private disallows entering the context.
1163090236 M * Bertl yeah, btw, I decided to drop the VXF_INFO_LOCK completely (i.e. just use the context cap)
1163090237 M * Hollow ah ..
1163090280 M * Bertl so the next release of whatever will remove VXF_INFO_LOCK usage
1163090284 M * Hollow isn't ~VXF_INFO_LOCK insecure then? every guest could migrate to other guests?
1163090291 M * daniel_hozac nope.
1163090299 M * daniel_hozac the CAP_CONTEXT is required to call sys_vserver.
1163090304 M * Hollow ah right..
1163090664 M * Bertl okay, off for dinner ... back shortly
1163090672 N * Bertl Bertl_oO
1163090875 Q * s0undt3ch Ping timeout: 480 seconds
1163091320 J * s0undt3ch ~s0undt3ch@bl9-224-31.dsl.telepac.pt
1163091929 M * Rich_Estill hmm. Slashdot just made me check my primary keys. Good thing too. Dodged a big one there.
1163092069 N * Bertl_oO Bertl
1163092077 M * Bertl back now
1163093710 J * Nysis ~Office@dslb-088-073-145-057.pools.arcor-ip.net
1163093714 P * Nysis
1163094732 J * Piet hiddenserv@tor.noreply.org
1163095129 J * bronson ~bronson@66.160.177.229
1163095427 M * Bertl wb Piet! bronson!
1163096933 M * marcfiu bertl: wrt IPv6, how do you handle new prefixes that are provided when a machine receives an IPv6 route advertisement?
1163096995 M * Bertl for now, you have to ask bonbons, but note that the new networking will be more than flexible regarding ip set changes
1163097009 M * marcfiu oh
1163097011 M * marcfiu ok
1163097032 M * marcfiu bonbons: so what did you do?
1163097033 J * coocoon ~coocoon@dslb-084-056-194-062.pools.arcor-ip.net
1163097034 M * Bertl I've just started digging into ipv6
1163097041 M * coocoon hello to all
1163097059 M * Bertl hey coocoon!
1163097110 M * bonbons You configure the IP addresses available to the guest, whenever you get a new prefix (or one of the existing ones gets deprecated at your host) you need to update the IP addresses associated with affected context(s)
1163097162 M * marcfiu bonbons: where "you" in "you need to update" is who exactly?
1163097183 M * marcfiu some user-level daemon?
1163097185 M * Bertl maybe we'll need a new? helper?
1163097201 M * marcfiu I think this needs to be handled in the kernel.
1163097203 M * bonbons you is either the administrator of the host system, or a script running on his behalf when available prefixes change
1163097220 M * marcfiu The user-level stuff should just associate the EUI for the vserver.
1163097231 M * daniel_hozac how would that work?
1163097250 M * marcfiu All other addresses (link-local, global based on router prefixes, etc.) should be maintained by the kernel.
1163097253 M * Bertl marcfiu: as you obviously spent some thought on that, could you give me a short overview of the issue/mechanism?
1163097267 M * marcfiu An ipv6 address is 128bits long.
1163097280 M * bonbons why should that need to happen in kernel? Prefixes normally do not appear/disappear randomly...
1163097305 M * marcfiu The lower 64 bits are the End Unit Identifier (EUI).
1163097332 M * Bertl basically the 'bare metal'?
1163097337 M * marcfiu The upper 64 bits are prefixes, which are advertised by a link local IPv6 router.
1163097347 M * bonbons marcfiu: the thing you do not always want is that a guest gets access to ALL prefixes available on the host
1163097350 M * marcfiu As bonbons mentioned, these prefixes usually are stable.
1163097380 M * marcfiu However, in general, those prefixes can change.
1163097384 M * Bertl okay, why do we care about the prefix being stable or not?
1163097397 M * Bertl I mean, addresses are 128bit, no?
1163097443 M * bonbons the more important point would be what kernel event is provided to userspace to notify about the change in available prefixes, then hotplug (or the like) event could trigger update of prefixes/addresses available to the guest
1163097443 M * marcfiu addresses are always 128bits.
1163097479 M * marcfiu bonbons: i'm fine with there being a helper daemon that "does the right thing" when there is a change event.
1163097485 M * daniel_hozac i really don't think that should be the default.
1163097498 M * daniel_hozac but having the mechanism available might be handy.
1163097501 M * Bertl okay, so why would it be important if there is a 'new' prefix 'available'?
1163097517 M * daniel_hozac and why do we want every guest to automatically get an address there?
1163097603 M * marcfiu a new global prefix gives the node a new global address by which others can reach it.
1163097636 M * bonbons I wouldn't want guest to take new prefixes automatically, at best have a script that decides what to do when new prefix gets available. Prefixes going away normally happen in two phases, deprecation and later removal (after expiration of prefix's lifetime)
1163097669 M * marcfiu bonbons: agreed.... have some user-level daemon decide the policy.
1163097680 M * marcfiu bonbons: but the capability to do that needs to be there.
1163097694 M * Bertl how is it handled right now in linux?
1163097698 M * bonbons the point where such automation might be useful is in the area of "mobile IPv6", there prefixes change when one moves around but EUI keeps constant
1163097713 M * marcfiu the host just suddenly has another address by which it can be reached.
1163097729 M * marcfiu If you type ifconfig, you'll see it associated with the appropriate interface (as well as the others).
1163097731 M * Bertl who changes that address?
1163097741 M * marcfiu kernel does
1163097757 M * Bertl well, then I think it will do the same for the guests too?
1163097764 M * bonbons it does because it received a prefix-advertisement from some "new" router on the link
1163097765 M * Bertl remember, networking is on the host?
1163097774 M * marcfiu right...
1163097805 M * Bertl so this is kind of moot point, if the kernel already handles that
1163097806 M * bonbons but the EUI part is in most cases based on the NIC's MAC address (or is random in case of privacy extension)
1163097815 M * Bertl why should we remove that functionality?
1163097818 M * marcfiu I was under the impression that if each vserver gets its own IPv6 address that there would need to be some additional special handling.
1163097840 M * Bertl it is the same as when you put 100 ips on the host
1163097843 M * marcfiu which is why I asked the question in the first place.
1163097862 M * Bertl if they automagically change now, then that is fine and will be so with the guests too
1163097876 M * bonbons marcfiu: each guest gets permission to use a given address, specified by its 128 bits, no matter if that address is available on the host or not
1163097880 M * daniel_hozac but the context won't be updated.
1163097899 M * Bertl well, which brings me to an important ipv6 question
1163097904 M * bonbons if it does not exist on the host guest can't use it until it 'magically' appears on the host
1163097924 M * Bertl are the upper 64 bits relevant for guest ip isolation?
1163097932 M * marcfiu bertl: not really.
1163097939 M * marcfiu the upper 64 bits are routing goop.
1163097955 M * bonbons yes, they are as important as the lower 64 bits. It's like net-address and host-address in IPv4
1163097989 M * marcfiu bonbons: ?
1163098003 M * marcfiu how does this matter wrt guest isolation?
1163098009 M * bonbons a host may be running guest in different subnets, then it's important what prefix is in use by which guest
1163098027 M * bonbons s/guest/guests/
1163098034 M * Bertl what I mean is, can there be two guests with the same EUI and different prefix?
1163098046 M * Bertl (on the same host)
1163098052 M * bonbons yes, that's permitted
1163098054 M * daniel_hozac guests using the host's addresses on different networks?
1163098061 M * daniel_hozac doesn't seem unlikely at all to me.
1163098079 M * marcfiu bonbons: why is it permitted to have two guests with the same EUI?
1163098092 M * marcfiu or rather, why does that make sense?
1163098102 M * marcfiu Why not give each guest a unique EUI.
1163098114 M * daniel_hozac because you might want to use the host's?
1163098121 M * marcfiu no
1163098130 M * daniel_hozac why not?
1163098133 M * marcfiu one can construct a unique EUI for each vserver.
1163098144 M * daniel_hozac and one can also reuse the same for many.
1163098146 M * Bertl well, we do not want to reduce to certain corner cases here
1163098151 M * bonbons e.g. because you have two prefixes on the same link, use the MAC address to build up EUI and have one guest on one prefix, the other guest on the other prefix
1163098164 M * Bertl but let me ask another question in this regard:
1163098172 M * bonbons there is no reason to "drop" half of the IPv6 address space
1163098219 M * Bertl let's assume, marcfiu decides to keep it strict one EUI per guest, what keeps him from assigning a network mask ala *EUI to the guest?
1163098235 M * marcfiu bonbons: I suppose one could do that, but why not just assign a unique EUI per guest and then not worry if they ever get put onto the same prefix.
1163098245 M * Bertl i.e. whatever the upper 64 bits are, plus the EUI is allowed/assigned?
1163098263 M * daniel_hozac marcfiu: because that's rather limiting.
1163098277 M * Bertl that should pretty much cope with the 'automatic' host changes and does not limit any checks/selections?
1163098281 M * marcfiu bonbons: by the way, if two guests have the same EUI, what is their corresponding link-local address?
1163098325 M * marcfiu daniel_hozac: it is limiting in what way? I am very confused. My impression is that giving more than one guest the same EUI is limiting.
1163098352 M * daniel_hozac how is it limiting to let the user specify what they want?
1163098384 M * Bertl marcfiu: s/limiting/restriction/
1163098389 M * marcfiu daniel_hozac: the guest gets to decide what it wants or the admin/scripts in context 0 decides?
1163098399 J * lilalinux ~plasma@dslb-084-058-221-047.pools.arcor-ip.net
1163098405 M * daniel_hozac the guest shouldn't decide what it wants.
1163098417 M * daniel_hozac that's the basic concept of vservers.
1163098425 M * marcfiu ok.. so user here == someone running chbind6 in context 0.
1163098437 M * daniel_hozac you limit it to a subset of the available resources of the host.
1163098456 M * marcfiu I am not arguing that we should NOT let the admin/scripts assign whatever they want.
1163098458 M * Bertl it would be an imposed restriction to disallow certain addresses in general because of a specific usage pattern...
1163098469 M * marcfiu I am just asking what actually makes sense.
1163098507 M * Bertl but back to the original question, I think it's a nobrainer regardless what we decide to do with the addresses
1163098509 M * daniel_hozac IMHO disallowing sharing the host's IP addresses (i.e. just for service isolation) would be rather bad.
1163098509 Q * chand Quit: chand
1163098535 M * daniel_hozac which original question? the EUI one?
1163098595 M * marcfiu ok... from what I gather, VMware and Xen when using network bridging give each "guest" a unique MAC# and then just rely on whatever is in the guest OS to configure itself proper according to IPv6 practices.
1163098627 M * Bertl yes, but our guests _do not have_ a mac
1163098634 M * marcfiu right...
1163098665 M * marcfiu There are other schemes that one can use to arrive at a unique EUI-64 number.
1163098680 M * marcfiu This should be done using chbind6 from user-level.
1163098697 M * Bertl you can do that, no problem there ...
1163098715 M * marcfiu But once that EUI is in there, it would be nice to have the kernel just treat it as another virtual interface or whatever, and just do the right thing wrt router advertisements etc.
1163098723 M * Bertl you have to do it on the host, though
1163098734 M * marcfiu right
1163098743 M * marcfiu from the host context (xid==0).
1163098751 M * Bertl read my explanation regarding mask above ...
1163098781 M * Bertl IMHO it isn't an issue at all, if your setup is designed to follow whatever change in prefix there is (with an unique EUI)
1163098783 M * marcfiu right right...
1163098796 M * marcfiu I'm with you on that.
1163098798 M * Bertl you are simply done by assigning the proper EUI/mask
1163098818 M * Bertl the kernel will (or will not) follow the changes as it does now
1163098837 M * marcfiu I got the impression from bonbons and daniel_hozac that this should not be handled by the kernel.
1163098867 M * Bertl as far as I see, there is nothing to handle (except for what is already handled)
1163098893 M * marcfiu And, possibly with bonbons' current implementation, the contexts do not get automagically updated when the kernel IPv6 code processes a change.
1163098918 M * Bertl the context will not get updated with the final implementation either
1163098928 M * Bertl but that does not matter ...
1163098963 M * marcfiu So then I don't follow your comment above: "the kernel will (or will not) follow the changes as it does now"
1163098992 M * Bertl let's make a simple, probably awfully wrong example :)
1163098999 M * marcfiu Please clarify what you meant by "if your setup is designed to follow whatever change in prefix there is".
1163099026 M * Bertl ip = 0x0001 (64bit) 0x0042 (64bit EUI)
1163099053 M * bonbons marcfiu: when IP addresses can be made available by masks you can eventually give a guest the address mask EUI, no matter what prefix
1163099060 M * Bertl you 'define' that this ip will _always_ have EUI 0x0042
1163099082 M * Bertl the prefix may change (according to current linux mainline rules) right?
1163099097 M * Bertl everything regarding those changes is already handled by the mainline kernel, right?
1163099103 M * marcfiu yes
1163099105 M * bonbons in that case as soon as the host obtains a new prefix and configures itself (assuming the autoconfiguration will generate a complete address with that EUI and the new prefix) it will automatically be available to the guest
1163099143 M * Bertl so, in your setup, you assign 0x0000:0x0042/0x0000:0xFFFF to the guest
1163099157 M * Bertl i.e. basically you assign a whole 64bit space to the guest
1163099177 M * marcfiu lets just call that the unique EUI-64.
1163099199 M * Bertl when the kernel changes the ip, the guest will not even notice the changes from the bind check PoV
1163099223 M * Bertl (as long as the EUI part keeps constant)
1163099258 M * marcfiu yes... I follow and believe you to this point.
1163099306 M * Bertl so? there is nothing else to follow ...
1163099318 M * marcfiu What confused me before was bonbons and daniel_hozac's assertion that one should be able to give >=2 guests the same EUI. I suppose if one did that, then the two simply share the same IP addresses with all that it implies.
1163099358 M * daniel_hozac yep.
1163099361 M * marcfiu ok
1163099372 M * marcfiu fair enough... it is just that you made it sound like it might be the common case.
1163099399 M * daniel_hozac no, but i don't really think it's rare enough to explicitly disallow it.
1163099401 M * bonbons as of now you can give only individual 128bit IPv6 addresses to guests, that is EUI+Prefix
1163099410 M * marcfiu daniel_hozac: agreed.
1163099423 M * marcfiu bonbons: that is something that probably needs to change.
1163099457 M * bonbons marcfiu: that will change with ability to assign network masks to guests (IPv4 and IPv6)
1163099475 M * marcfiu ok
1163099497 M * bonbons that's on the networking TODO list
1163099503 M * doener Bertl: ah, another invitation to LSM (just saw the reply, completely missed the thread-hijacking post). Last year I also got one, but discovered way too late that some procmail rule had shredded it
1163099648 M * Bertl daniel_hozac: for me an interesting question is: do we have cases where the EUI is identical, but the 128bit IP has to be isolated?
1163099664 M * daniel_hozac hmm?
1163099679 M * daniel_hozac i.e. different prefixes for different guests using the same EUI?
1163099679 M * Bertl i.e. that we want certain packets to reach one guest but not the other?
1163099712 M * daniel_hozac well, wouldn't the same IP sharing rules that apply to IPv4 apply to IPv6 as well?
1163099721 M * daniel_hozac i.e. whoever binds the socket first wins?
1163099729 M * bonbons dual-homed host with guests on either networks using same EUI (induced by networks being on same nic == MAC) or hand-set EUIs like you will find in server environments
1163099745 M * Bertl that's the question, because if so, we do not need to store the prefix for the guests at all
1163099781 M * Bertl i.e. we just need to store the prefix iif we want isolation with identical EUI
1163099787 M * bonbons a socket is always bound to the full 128 bits, not just the EUI (or it's bound to ::)
1163099803 M * Bertl that's fine, I'm talking about the checks and isolation
1163099848 M * bonbons IMHO checks should work either with full address or a mask, no special-casing
1163099872 M * daniel_hozac EUI is a mask, no?
1163099884 M * Bertl well, I have no problem with that either, but we could definitely save big time overhead if we skip 64bit in checks
1163099911 M * Bertl and iif the upper bits are not relevant for isolation, why should we store them
1163099922 M * Bertl (and waste half the space too)
1163099972 M * Bertl note: I'm not deciding that here and now, I'm just asking :)
1163100028 M * bonbons skipping the 64 bits would be a special-case, often people will get /48 networks... sample: ::1/128 and ff02::1/128 (localhost and ip6-allnodes)
1163100085 M * Bertl that means (just for clarification) that 48 bits are network relevant, yes?
1163100129 M * Bertl but that doesn't mean that they will have guests with identical EUI, or?
1163100142 Q * coocoon Quit: KVIrc 3.2.0 'Realia'
1163100155 M * bonbons the 64 first bits are relevant to routing, but most often 48 are used by internet backbones and the remaining 16 bits are at the end-user's site (or partially at his ISP)
1163100156 M * Bertl (or does that mean that the EUI now is 96 bit)?
1163100207 M * Bertl IMHO it all boils down to the question if two ipv6 addresses on a single host, with identical EUI should 'share' connections or not
1163100229 N * _mcp mcp
1163100230 M * Bertl i.e. should binding to one of them automatically block the other
1163100259 M * bonbons EUI is the last 64 bits, but the 64 first bits are not assigned at once, but rather in steps: IANA (or equivalent for the other continents) => ISP => End-user
1163100278 T * Bertl http://linux-vserver.org/ <- new and shiny | latest stable 2.02.1, exp 2.02.2-rc6, devel 2.1.1, 2.2.0-pre2, stable+grsec 2.0.2.1, devel+grsec 2.1.1 | util-vserver-0.30.211 | libvserver-1.0.2 & vserver-utils-1.0.3 | He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the iki, and we'll forget about the minute ;)
1163100293 M * Bertl Hollow: you're gonna like that pre2 (all? legacy removed)
1163100318 M * bonbons no, they are different addresses see my ff02::1 and ::1 example, they have the same ::1 EUI, but are totally different addresses
1163100357 M * Bertl bonbons: okay, let's play an exmaple, let's assume IANA gives me ff01 and ff02
1163100365 M * Bertl *example
1163100384 M * Bertl now I take a machine and put two guests on that
1163100407 M * Bertl one guest gets ff01::42, the other ff02::42
1163100431 M * Bertl in the first guest, apache is started and binds to ff01::42 port 80
1163100467 M * Bertl what happens when guest2 tries to do the same with ff02::42 (what should happen and what happens on a real system right now)?
1163100485 M * bonbons the there is no problem for second guest to bind its own apache on ff02::42 port 80
1163100539 M * bonbons they both just happily listen on their address on port 80, as if you had two distinct physical boxes
1163100560 M * Bertl okay, and I can reach each of them independently
1163100568 M * bonbons exactly
1163100578 Q * michal` Ping timeout: 480 seconds
1163100582 M * Bertl well, guess that clarifies that the EUI is not relevant here
1163100620 M * bonbons marcfiu's request makes sense only in the case of mobility where you wish to use the same EUI with varying prefixes and remain reachable
1163100647 M * bonbons but for that you have a well-defined range of prefixes available
1163100779 M * Hollow Bertl: ah nice.. was about asking for the legacy cleanup already :P
1163100927 J * michal` ~michal@www.rsbac.org
1163100960 M * Bertl wb michal`!
1163101661 M * Hollow Bertl: well, not all.. the legacynet is still there..
1163101817 M * Bertl yeah, but all 'normal' legacy got removed
1163102272 J * kevinp ~kevinp@ny.webpipe.net
1163102298 M * Bertl welcome kevinp! LTNS!
1163102325 M * kevinp yeah been a little while
1163102360 M * kevinp just noticed I got an oops the other day on rc43
1163102398 M * kevinp don't know if it's already been fixed or not
1163102447 M * Bertl have a stack dump to upload to paste.linux-vserver.org?
1163102465 M * kevinp http://paste.linux-vserver.org/666
1163102489 M * Bertl yep, that is fixed
1163102493 M * daniel_hozac that looks ominous :)
1163102519 M * kevinp ok, just making sure, guess it's time to start compiling the latest again :)
1163102663 M * Bertl yeah, the real thing (2.1.1) is out, so that's a good choice
1163102911 M * kevinp I will be installing that on several servers so I'll let you know how it goes
1163102929 M * Bertl great, tx!
1163104700 M * marcfiu hello... I am back.
1163104708 M * marcfiu bertl says: "one guest gets ff01::42, the other ff02::42"
1163104796 M * Bertl and bonbons says:
1163104814 M * Bertl < bonbons> the there is no problem for second guest to bind its own apache on ff02::42 port 80
1163104817 M * marcfiu If the host gets both a FF01 and FF02 prefix and those actually refer to different distinct paths to the host, then it probably doesn't make sense to only assign ff01::42 to one guest and ff02::42 to another guest. Unless the admin doing so absolutely wants the guests to be reachable only from the different network paths.
1163104846 M * Bertl < bonbons> they both just happily listen on their address on port 80, as if you had two distinct physical boxes
1163104853 M * marcfiu yes.
1163104855 M * marcfiu I read that.
1163104903 M * Bertl well, that clarified that we a) will need 128bit for matching, and b) everything is as explained :)
1163104905 M * marcfiu It is not that one could NOT do that, I am just saying that it probably does not make sense to assign different guests the same EUI but then try to isolate them based on the routing goop.
1163104940 M * marcfiu oh... yes, if vserver permits to be this expressive, then you will need to do the 128bit matching.
1163104941 M * Bertl the 'sense' part is (as usual) left to the admin
1163104955 M * marcfiu I am not arguing that point.
1163104986 M * Bertl okay, and I don't think we want to do special cases (unless they have proven advantages)
1163105010 M * marcfiu I am just trying to figure out what the real world scenarios might be, but wrt vserver permitting the most expressive/creative ways for admins to set things up, I suppose the 128bit matching is required.
1163105038 M * Bertl but I think we can make the following matching 'extension':
1163105040 M * marcfiu As for myself, I'm just going to make up unique EUI per guest.
1163105058 M * Bertl - ignore prefix part for checks
1163105069 M * Bertl - apply 'netmask' for checks
1163105088 M * marcfiu ok
1163105102 M * marcfiu If I understand the netmask part correctly, I think that is a nice approach.
1163105125 M * marcfiu Looking forward to actually trying it out. ;)
1163105130 M * Bertl this will also be added for ipv4
1163105722 M * Bertl bonbons: do you have an updated patch somewhere or is the ipv6k it?
1163105744 M * Bertl (i.e. the latest and greatest :)
1163105881 M * kevinp oldwiki down again?
1163106118 M * kevinp nevermind
1163106283 M * Bertl marcfiu: you keep talking about testing? do you have a test setup ready? if so, it would be nice to check out the 2.3.x release regarding loopback and such ...
1163106313 J * Aiken ~james@tooax8-034.dialup.optusnet.com.au
1163106327 M * Bertl morning Aiken!
1163106338 M * Aiken hello
1163106374 M * Aiken the service I was setting up was used after your efforts yesterday
1163106387 M * Aiken everything worked as it should have :)
1163106395 M * Bertl perfect!
1163106843 M * bonbons Bertl: I don't have an IPv6 patch for 2.1.1 yet, but unless there were real changes in the network area the latest one should apply (when I looked at it there were some offsets, but have not taken time yet to check the details)
1163106924 M * Bertl np, just wanted to check
1163107022 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1163107140 M * DavidS hi, micah! util-vserver on debian creates vservers with 16m /tmp tmpfs .. that is too small to even unpack and patch a linux-2.6 source package ..
1163107224 M * Bertl DavidS: that's what /var/tmp is for, no?
1163107241 M * Bertl btw, it's not debian specific
1163107260 M * DavidS Bertl: i don't unpack to /tmp, but "patch" creates tmp files in /tmp ...
1163107286 M * Bertl sounds like patch would need to be patched then .. but you can raise the limit
1163107351 M * DavidS Bertl: i already did (successfully i might add ;), but i thought it worth mentioning, since it is quite unobvious ...
1163107380 M * doener DavidS: is $TMPDIR set?
1163107406 M * doener (or $TMP or $TEMP)
1163107410 M * Bertl yeah, IMHO it should use ~/tmp
1163107459 M * Bertl so maybe add a TMPDIR=/var/tmp default for debian?
1163107469 M * doener DavidS: patch checks them (in that order) and falls back to /tmp then
1163107482 M * DavidS doener: neither ...; Bertl: most programs would be better off using ~/tmp or something
1163107578 M * DavidS brb
1163107579 Q * DavidS Quit: Leaving.
1163107585 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1163107599 M * Bertl wb DavidS!
1163107633 A * DavidS fights with his gaim config ... (ctrl+enter doesn't send messages)
1163107656 Q * meandtheshell Quit: Leaving.
1163107670 M * Bertl nice, well, irssi is really good, IMHO
1163107672 M * doener heh, the first thing I adjust in a messenger
1163107685 M * doener I wouldn't use one for irc though (an IM that is)
1163107799 P * kerberos isnt it obvious?
1163107924 Q * DavidS Quit: Leaving.
1163107931 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1163107951 M * DavidS hmm ... now "enter" sends messages
1163107955 M * DavidS probably even better
1163108057 M * marcfiu bertl: "you keep talking about testing? do you have a test setup ready? if so, it would be nice to check out the 2.3.x release regarding loopback and such ..."
1163108061 M * marcfiu Not yet.
1163108064 M * marcfiu Purely my fault.
1163108089 M * DavidS re: patch: #137075: patch: Error reporting could be more useful; Tags: upstream; Merged with #239135; Forwarded to bug-patch@gnu.org; >>>>>>>4 years and 249 days old<<<<<<<<<
1163108157 M * Bertl sounds good, almost 5 years :)
1163108166 J * yarihm ~yarihm@84-75-123-221.dclient.hispeed.ch
1163108240 M * Bertl wb yarihm!
1163108399 M * DavidS btw: perhaps someone could use that: http://www.balabit.com/products/oss/tproxy/ <- a really transparent proxying solution.
1163108406 M * yarihm hi Bertl-bot :)
1163108412 J * kerberos ~satan@85.138.138.52
1163108421 M * DavidS with this kernel patch one can open tcp connections with non-local source IP
1163108617 M * kerberos Note that some tools have not yet been altered to use
1163108617 M * kerberos this API, so disabling this option may reduce some
1163108617 M * kerberos functionality.
1163108630 M * kerberos Enable Legacy Kernel API (VSERVER_LEGACY)
1163108643 M * kerberos so i need to enable it? or disable
1163109007 M * bonbons kerberos: if you use latest util-vserver you can disable it
1163109026 M * kerberos :)
1163109039 M * kerberos but isn't the inglish incorrect?
1163109056 M * kerberos the tools have not been altered to use the legacy api
1163109077 M * kerberos so disable it may reduce functionality
1163109111 M * kerberos ok.. maybe I'm getting drunk..
1163109514 Q * dna_ Quit: Verlassend
1163110944 Q * s0undt3ch Server closed connection
1163110946 J * s0undt3ch ~s0undt3ch@bl9-224-31.dsl.telepac.pt
1163112514 Q * DavidS Server closed connection
1163112539 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1163113072 P * marcfiu
1163113093 J * eyck_ eyck@ghost.anime.pl
1163113509 M * Bertl welcome eyck_!
1163113816 Q * lilalinux Remote host closed the connection
1163114092 M * hardwire weird
1163114207 M * Bertl very weird indeed!
1163114452 Q * yarihm Quit: Leaving
1163115202 Q * bonbons Quit: Leaving
1163115660 Q * Aiken Server closed connection
1163115665 J * Aiken ~james@tooax8-034.dialup.optusnet.com.au
1163115953 Q * mnemoc Ping timeout: 480 seconds
1163116409 J * mnemoc ~amery@kilo105.server4you.de
1163116487 Q * Piet Quit: Piet