1164153623 M * Bertl well, I'd do the kernel space part :)
1164153627 M * brcc hehehe
1164153632 M * brcc Can't you do that as a second phase ?
1164153639 M * brcc First we get something working in the easiest way
1164153644 M * brcc policy is implemented and well tested
1164153649 M * Bertl yes, the reason why I mention that now is this
1164153650 M * brcc And then we go to the second stage
1164153670 M * brcc I am thinking like, easier and faster way. The iptables binary is:
1164153679 M * brcc cat iptables.sh
1164153679 M * brcc #!/bin/bash
1164153679 M * brcc IP=192.168.0.123
1164153679 M * brcc PORT=4556
1164153679 M * brcc echo $* | nc $IP $PORT
1164153679 M * Bertl you are going to define some protocol
1164153681 M * brcc :)
1164153743 M * Bertl you should check if handling 'netlink' messages isn't easier for you than parsing and interpreting the command arguments
1164153756 Q * yarihm Quit: Leaving
1164153776 M * Bertl but sure, stage one will probably be a bunch of scripts doing that
1164153789 M * brcc what are netlink messages ?
1164153796 M * brcc we neer met :)
1164153797 M * brcc hehehe
1164153799 M * brcc never
1164153812 M * Bertl basically a socket, where userspace and kernel exchange messages
1164153838 M * brcc so i would just read() and write() ?
1164153852 P * stefani I'm Parting (the water)
1164154164 Q * Wonka Ping timeout: 480 seconds
1164154371 M * Bertl something like that
1164154378 M * Bertl it's more packet oriented though
1164154396 M * Bertl nevertheless, the main advantage would be a single interfafce
1164154399 M * Bertl *interface
1164154422 M * Bertl i.e. you could run a daemon which simply gets all the userspace requests, with additional context info
1164154493 M * brcc got it
1164154521 M * brcc does it need to be a daemon? Can't it be like the reboot stuff
1164154524 M * brcc ?
1164154594 M * daniel_hozac netlink requires a daemon, i think.
1164154615 Q * TheSeer Quit: Client exiting
1164155012 M * Bertl in theory, it could be a helper, but that would complicate both, userspace and kernel space
1164155045 M * Bertl the daemon would just sit there and wait for a new 'message'
1164155062 M * Bertl then decide what to do with the request, and even send an answer
1164155066 M * brcc ok
1164155072 M * Bertl (back through the very same channel)
1164155101 M * brcc tomorrow i expect to have something ready!!
1164155111 M * Bertl okay ...
1164155113 M * brcc i've already finished the tcp/ip stuff
1164155122 M * brcc now it is the cool part, chains and stuff
1164155122 M * brcc hehehe
1164155128 M * brcc going to sleep! cya tomorrow
1164155202 M * Bertl cya!
1164155397 M * brcc i had to come back
1164155401 M * brcc just thought about something.........
1164155411 M * brcc only root should be able to use iptables
1164155426 M * brcc how could i guarantee it is root if i am receiving stuff through tcp/ip ?
1164155455 M * daniel_hozac UNIX sockets have SO_PASSCRED.
1164155467 M * brcc better to use unix sockets ?
1164155491 M * brcc i will try not to think about this stuff at first. After policy is ready we can change stuff
1164155523 M * daniel_hozac with kernel/netlink, it should be a lot easier to make sure it's allowed.
1164155584 M * brcc ok
1164155591 M * brcc i will sleep and think about this. heehhe
1164155592 M * brcc good night
1164155904 M * Bertl good night :)
1164157907 Q * Piet Ping timeout: 480 seconds
1164160482 Q * cehteh Ping timeout: 480 seconds
1164160500 J * cehteh ~ct@pipapo.org
1164161652 J * Aiken_ ~james@tooax7-195.dialup.optusnet.com.au
1164161660 M * Bertl welcome Aiken_!
1164161696 Q * Johnnie Ping timeout: 480 seconds
1164161791 M * Aiken_ hi Bertl
1164161978 Q * Aiken Ping timeout: 480 seconds
1164163333 J * Johnnie ~jdlewis@jdlewis.org
1164163368 J * marcfiu ~mef@c-68-39-177-97.hsd1.nj.comcast.net
1164163375 M * marcfiu hello
1164163387 M * Bertl hey marcfiu!
1164163396 M * marcfiu sorry about the serial console.
1164163400 M * marcfiu Will take care of it tomorrow!!!
1164163400 M * Bertl np
1164163414 M * marcfiu what's your status w/ ngnet and ipv6?
1164163432 M * Bertl fine, waiting for a test setup for the first steps
1164163438 M * marcfiu :)
1164163455 M * Bertl i.e. loopback isolation should already work fine
1164163485 M * Bertl next step is taking the address scheme apart and putting it together again in a more flexible way :)
1164163510 M * marcfiu what about network virtualization?
1164163514 M * Bertl we already designed some quite flexible method to 'construct' the match trees
1164163529 M * Bertl as in layer 2?
1164163533 M * marcfiu yes
1164163547 M * Bertl that's mainly attacked by the OVZ and IBM folks
1164163567 M * marcfiu agreed...
1164163570 M * Bertl nevertheless, it will be tested once it is out of design phase
1164163585 M * Bertl I'm focusing on layer 3 and ipv6 atm
1164163592 M * marcfiu ok
1164163609 M * marcfiu i.e., primarily focusing on network isolation.
1164163622 M * Bertl wouldn't hurt to raise some 'demand' on the layer 3 isolation front ...
1164163650 M * Bertl (before mainline folks decide that layer 2 virtualization 'is suitable for everyone' :)
1164163655 M * marcfiu do you think it will be possible to have a mix and match of some vservers using network virtualization while others use network isolation on the same machine?
1164163669 M * Bertl yes, that's the main idea
1164163672 M * marcfiu right
1164163676 M * marcfiu I mean: good.
1164163680 M * Bertl i.e. we _want_ two network namespaces
1164163699 M * Bertl one for layer 2 (virtualization) and another one for layer 3 (isolation)
1164163709 M * marcfiu I think so.
1164163727 M * Bertl you can then decide on a per guest basis for lightweight isolation or full blown virtualization (for a cost)
1164163786 M * marcfiu It would be nice to quantify the cost in terms of both time and space.
1164163799 M * marcfiu i.e., performance and memory footprint.
1164163826 M * Bertl yes, definitely, I'm hoping on you folks there to do some decent testing/measuring
1164163876 M * marcfiu We've been setting up a nice "macro" performance harness for networking.
1164163890 M * Bertl sounds good!
1164163893 M * marcfiu I.e., something that goes beyond just running iperf.
1164163957 M * marcfiu Specifically, we care about using network virtualization in the context of a virtual router. But we can't fully set up some of the benchmarks without the full virtualized setup.
1164163968 M * marcfiu So maybe we'll install openvz and play around with that.
1164163990 M * marcfiu Kir mentioned that the overhead of their virtualized network stack should only be 1-3% from a performance point of view.
1164163992 M * Bertl would be a good idea ... get some decent benchmarks there
1164164039 M * marcfiu quick question about the vavavoom component of the scheduler... is that still there in the 2.1 or later vs releases?
1164164040 M * Bertl especially checking things like 'single guest' compared to 'unmodified kernel' and of course scalability
1164164055 M * Bertl yes, vavavoom is still there :)
1164164057 M * marcfiu "yup" on the benchmark setup.
1164164102 M * marcfiu In what context do you use it?
1164164110 M * marcfiu Or rather, do you use it all the time?
1164164154 M * marcfiu What we are noticing on Planetlab is that there are a bunch of vservers that are doing network measurements that generally do not run out of tokens.
1164164159 M * Bertl well, the vavavoom is the 'priority bonus' calculated from the token bucket
1164164170 M * marcfiu yes yes... excellent.
1164164189 M * Bertl and it is only relevant when you activate the priority scheduler
1164164218 M * marcfiu sorry, I have not looked into this deeply enough to know what you mean by that.
1164164241 M * Bertl simple, you have two 'flags' (well actually three by now :)
1164164254 M * Bertl which control the (hard) cpu scheduler
1164164275 M * Bertl one is sched_prio, the other sched_hard (we now also have the idle time per cpu)
1164164307 M * Bertl when sched_prio is set, the token bucket is used to calculate (and consequently add) the vavavoom
1164164355 M * marcfiu What would happen if one set sched_prio on all vservers?
1164164385 M * Bertl then they will be adjusted in priority, according to their token buckets ... nothing more, nothing less :)
1164164409 M * marcfiu define "adjusted".
1164164409 M * Bertl it does neither influence the token bucket itself, nor does it affect the other guests
1164164422 M * Bertl you know what a process priority is?
1164164424 M * marcfiu ok
1164164425 M * marcfiu I do
1164164448 M * Bertl okay, that 'nice' value is adjusted (by adding or subtracting the vavavoom)
1164164458 M * marcfiu nice
1164164479 M * Bertl so with sched_prio only, the guests will never go on hold
1164164536 M * marcfiu I think what we want is to set sched_prio on all guests, such that those who use their tokens sparingly get prio when they are woken up from i/o and need to run quickly.
1164164590 M * Bertl you can do that, but note that (at least with recent kernels) processes which receive signals or get woken up have a priority bonus
1164164624 M * Bertl there is a nice test tool we wrote some time ago, you might want to play with that
1164164970 M * Bertl http://vserver.13thfloor.at/Experimental/TOOLS/isched-0.02.tar.bz2
1164164972 J * Piet hiddenserv@tor.noreply.org
1164167161 J * GyrosGeier ~richter@port-195-158-177-111.dynamic.qsc.de
1164167162 Q * Johnnie Read error: Connection reset by peer
1164167164 M * GyrosGeier hi
1164167174 M * Bertl welcome GyrosGeier!
1164167226 M * GyrosGeier I'm trying to hand out a vserver to a friend whom I generally trust, but I have other users on the same box that might object to me handing out root access
1164167242 M * Bertl hmm, okay?
1164167243 M * GyrosGeier the plan is to simply run a vserver with an sshd on a different port
1164167264 M * Bertl should work out fine ...
1164167303 M * GyrosGeier the box has a dynamic IP, simply not specifying a network setup at all works fine for the vserver as a client
1164167322 M * GyrosGeier however sshing into the vserver gives "network not reachable"
1164167330 M * Bertl I would suggest giving that guest a private ip (192.168.x.x or so)
1164167333 M * GyrosGeier (for that particular port only)
1164167348 M * Bertl you can then simply SNAT/DNAT the port you want to open
1164167383 M * GyrosGeier well, I'd be fine with allowing services inside the guest to bind to ports
1164167406 M * Bertl they will be able to (only the private ip though)
1164167421 M * Bertl this way you have a better control over the guest
1164167432 M * GyrosGeier so there is no way to allow binding to IPADDR_ANY?
1164167441 M * Bertl sure you can do that ...
1164167465 M * Bertl but you said that some users might object to the root guest
1164167484 M * Bertl now you want to allow that guest to do DoS by hijacking ports?
1164167508 M * GyrosGeier well, the only port visible on the outside is port 22 anyway
1164167522 M * GyrosGeier which is bound before the vservers start
1164167531 M * Bertl yes, but what if the guest grabs that when you restart sshd?
1164167556 M * Bertl but as I said, no problem you can allow it to bind to any ip
1164167581 M * marcfiu Bertl: I'll check into isched.
1164167582 M * marcfiu thanks
1164167611 M * Bertl marcfiu: you're welcome!
1164167612 M * GyrosGeier how?
1164167627 M * GyrosGeier I mean, the vserver is running and everything
1164167628 M * Bertl simply specify 0.0.0.0 as single ip
1164167646 M * GyrosGeier you mean, as the host IP?
1164167653 M * GyrosGeier (for the guest)
1164167667 M * Bertl for the guest, in the guest config
1164167681 M * GyrosGeier wouldn't that try to assign 0.0.0.0 to some innocent network device?
1164167688 M * Bertl i.e. ip=0.0.0.0 prefix=0 nodev
1164167693 M * GyrosGeier ah
1164167703 A * GyrosGeier tries
1164167895 M * GyrosGeier hmm
1164167906 M * GyrosGeier still says "Network is unreachable"
1164167929 M * Bertl when does it say that, and what kernel/patch version are we talking about, btw :)
1164167950 M * GyrosGeier stock Debian vserver enabled 2.6.18 kernel
1164167952 M * GyrosGeier on powerpc
1164167971 M * Bertl should support that, what command do you use?
1164168015 M * GyrosGeier I followed the instructions on http://deb.riseup.net/vserver/create-instance/
1164168037 M * Bertl okay, I meant the "Network is unreachable" case
1164168044 M * Bertl i.e. when do you get that?
1164168053 M * GyrosGeier ssh -p 2222
1164168068 M * Bertl is the sshd started inside?
1164168079 M * GyrosGeier yes, on port 2222, INADDR_ANY
1164168088 M * Bertl is it bound? what does lsof -ni show inside/outside the guest?
1164168118 M * GyrosGeier bash: lsof: command not found
1164168120 M * GyrosGeier sec...
1164168120 M * Bertl from where are you trying to ssh to the guest?
1164168127 M * GyrosGeier from outside
1164168137 M * GyrosGeier i.e. via the ppp link on the host
1164168140 M * Bertl and the port 2222 is mapped via the firewall?
1164168147 M * Bertl (or router or whatever)
1164168159 M * GyrosGeier the host has direct connectivity
1164168201 M * Bertl okay, let's check a few things, please upload the output to paste.linux-vserver.org
1164168223 M * Bertl - cat /proc/virtnet//{status,info}
1164168233 M * GyrosGeier host or guest?
1164168251 M * Bertl - lsof -ni | grep 2222
1164168258 M * Bertl the first one on the host
1164168277 M * Bertl - cat /proc/self/{n,v}info (on the guest)
1164168477 M * GyrosGeier http://paste.linux-vserver.org/683
1164168497 M * GyrosGeier there is a second virtual network device
1164168513 M * GyrosGeier (49161)
1164168551 M * Bertl you should switch from dynamic xid/nid to static ones
1164168567 M * Bertl i.e. add a 'context' entry to the config with, let's say 100 or so
1164168576 M * Bertl (must be between 2 and 49151)
1164168595 M * GyrosGeier then I need to tag all the files in the installation with the new xid?
1164168611 M * Bertl okay, when you now do (on the host) 'ssh -p 2222 '
1164168612 J * ntrs ~ntrs@68-188-55-120.dhcp.stls.mo.charter.com
1164168635 M * GyrosGeier Connection refused
1164168649 M * GyrosGeier i.e. it doesn't see the bind from the guest
1164168651 M * Bertl GyrosGeier: no, because if your guest actually used tagged files, you'll be screwed anyways, because the xid (and tagging) will change on every restart :)
1164168669 M * GyrosGeier well, it worked so far
1164168684 M * Bertl connection refused? could you check the guest logs?
1164168730 M * GyrosGeier nothing interesting there
1164168739 M * GyrosGeier no connection attempt
1164168749 M * GyrosGeier sshd still running
1164168761 M * Bertl okay, let's try with tcpdump then
1164168779 M * GyrosGeier hmm
1164168789 M * Bertl on the host, please do: ' tcpdump -vvnei lo host
1164168807 M * Bertl then try again with the ssh -p 2222
1164168872 M * GyrosGeier IPv6 SYN, followed by IPv6 RST, followed by v4 SYN, followed by v4 RST
1164168996 M * Bertl funny thing, okay, could you please give the guest a static context id, then assign (for a test) the host ip to the guest (in the same way as the 0.0.0.0)
1164169017 M * Bertl (my best bet would be that the debian kernel does not have the 0.0.0.0 check yet)
1164169133 M * GyrosGeier zep
1164169135 M * GyrosGeier yep
1164169138 M * GyrosGeier works
1164169145 M * GyrosGeier (even with dynamic NID)
1164169165 M * GyrosGeier can I use a hostname in the ip= setting?
1164169177 M * GyrosGeier the dyndns is supposed to work at this point already
1164169178 M * Bertl nope, and it will fail when the dynamic ip changes
1164169222 M * Bertl you have three options there as I see it
1164169237 M * Bertl - go with vanilla/devel branch (or add the check to debian)
1164169251 M * Bertl - assign the ip with a script before startup (if it doesn't change)
1164169269 M * Bertl - use a private ip and a changing SNAT/DNAT rule set
1164169278 M * GyrosGeier well, the IP changes only if I go offline for more than two hours
1164169294 M * Bertl okay, that would opt for the second one
1164169295 M * GyrosGeier that should be seldom enough
1164169300 M * GyrosGeier yep
1164169303 M * GyrosGeier thanks a lot
1164169316 M * Bertl you're welcome! have fun and feel free to hang around!
1164169354 M * GyrosGeier this is the new powerpc buildd for embedded Debian
1164169369 M * GyrosGeier the amd64 and i386 buildds are more evil
1164169380 M * Bertl ah? evil in what way?
1164169384 M * GyrosGeier they are vservers inside a Xen instance
1164169399 M * Bertl yep, that should work on powerpc too actually
1164169409 M * GyrosGeier Xen needs a G5 for now
1164169417 M * GyrosGeier and I have a G4
1164169429 M * Bertl ah, okay, tough luck :)
1164169485 M * GyrosGeier otherwise I'd have used Xen, because I can then hand off a LVM volume as a block device, and the other admins can repartition the guest without having to ask me
1164169512 M * Bertl yeah, just adds a lot of unnecessary overhead
1164169540 M * GyrosGeier indeed
1164169591 M * GyrosGeier but the overhead is not that much of an issue when you save time by the hours because you don't need to bother the admin on the host to change the partitioning; you can just do it yourself.
1164169603 M * Bertl that's right ...
1164169655 M * GyrosGeier basically, on the large amd64 box when we have different admins, we use Xen, when we have the same admins, we use vserver
1164169741 M * Bertl Xen and Linux-VServer are somewhat complementary, so it's nice to combine them
1164169897 M * GyrosGeier yep
1164170335 Q * Piet Quit: Piet
1164171099 J * daniel15 ~dansoftau@220-244-250-254.tpgi.com.au
1164171133 M * daniel15 Has anyone seen the tutorial I've written on installing Linux-Vserver on Debian Etch?
1164171135 M * daniel15 http://www.howtoforge.com/linux_vserver_debian_etch :)
1164171205 M * daniel15 Very simple, I only tried to cover the basics
1164171221 M * Bertl looking at it now
1164171251 J * Johnnie ~jdlewis@jdlewis.org
1164171274 M * Bertl hmm, what are the debiantools actually used for nowadays?
1164171286 M * Bertl *vserver-debiantools that is
1164171315 M * marcfiu good night...
1164171323 M * Bertl marcfiu: have a good one!
1164171327 P * marcfiu
1164171334 M * daniel15 The 'newvserver' command is in the Debiantools ;)
1164171343 M * daniel15 It runs apt-setup after installing the base system
1164171352 M * daniel15 Asks for timezone, root password, etc.
1164171356 M * Bertl ah, okay, fair enough ...
1164171364 M * daniel15 (and I noticed the new version fixes the locale stuff)
1164171402 M * Bertl nice, thanks for doing that, you might want to link it on the Linux-VServer wiki
1164171418 M * Bertl there should be a page for distro specific howtos, IIRC
1164171425 M * daniel15 Sure, I'll do that now
1164171479 M * daniel15 The Wiki is still spammed, by the way :(
1164171492 M * Bertl again?
1164171499 M * daniel15 I just deleted spam from the Talk:Welcome to Linux-VServer.org page, and someone's already put another link on it
1164171531 M * Bertl *sigh* Hollow will have to raise the spam protection there
1164171538 M * daniel15 Yeah
1164171548 M * daniel15 I guess the site is quite popular
1164171551 M * daniel15 (or well linked to, at least)
1164171565 M * Bertl yeah, I think so too :)
1164171575 M * Bertl well, guess the best place to add it would be here:
1164171578 M * Bertl http://linux-vserver.org/List_of_old_Documentation_pages
1164171591 M * Bertl if you feel like, you could also start migrating that
1164171631 M * daniel15 Wow, that's a lot of stuff to migrate
1164171637 M * daniel15 Is there any actual documentation in the new Wiki
1164171642 M * daniel15 Or is it all still on the old one?
1164171656 M * Bertl nope, we already migrated some 'core' pages
1164171662 M * daniel15 What Wiki software was the old one?
1164171667 M * daniel15 (I hate that Wiki software!)
1164171681 M * Bertl mediawiki or wiki in general?
1164171686 M * daniel15 I hate any Wiki that runs something other than MediaWiki
1164171688 M * daniel15 I meant, the old one
1164171695 M * Bertl ah, that was tavi
1164171703 M * Bertl and it worked quite fine for the time being
1164171725 M * Bertl had a lot less spam issues btw, but probably that increases from day to day
1164172110 M * daniel15 I personally prefer the feel of MediaWiki :)
1164172129 M * Bertl well, we are there .. go crazy and fill it with useful information :)
1164172189 M * daniel15 Hmmm... Why does http://linux-vserver.org/Documentation redirect to http://oldwiki.linux-vserver.org/Documentation even though there's a page called "Documentation" on the new Wiki?
1164172215 M * Bertl probably a wrong entry in the redirect list
1164172224 M * Bertl (please drop a note to Hollow)
1164172286 M * daniel15 I guess I should leave a note on his Talk page on the Wiki?
1164172298 M * Bertl better would be email, IMHO
1164172313 M * daniel15 OK, but where can I get his email address?
1164172366 M * Bertl http://linux-vserver.org/Wiki_Team
1164172386 M * Bertl *sigh* the link goes nowhere, shame on him
1164172411 M * Bertl http://linux-vserver.org/Developers
1164172442 M * Bertl and please mention the Wiki_Team and the Infrastructure pages as well
1164172456 M * Bertl (i.e. that they do not contain useful links)
1164172877 M * daniel15 Email sent :)
1164172886 M * daniel15 Why don't spammers ever touch the Sandbox? :P
1164172887 M * daniel15 http://linux-vserver.org/Sandbox
1164172964 M * Bertl well, I guess there are three categories of spammers nowadays
1164172973 M * Bertl - fully automated spam bots
1164172994 M * Bertl - folks trying to make some 'easy' money
1164173008 M * Bertl - folks who are just too dumb for anything
1164173034 M * Bertl none of those will be using the sandbox ...
1164173049 M * daniel15 Yeah, I should have thought of that
1164173067 M * daniel15 Those in the "fully automated spam bots" category are very easy to spot :P
1164173077 M * Bertl nevertheless at least the last two categories could be convinced by the Wiki Hacking Page we had
1164173086 M * Bertl we probably should resurrect that one ...
1164173186 M * daniel15 Hey, who did the skin for the Wiki? Skinning MediaWiki was something I never understood how to do
1164173272 M * Bertl (this one) Note: in response to public demand, we added a Hacker Page and we would kindly ask all that wannabe hackers use that page for the very challenging task of wiki hacking (TIA:). Why do we have an 'open' wiki with no auth then? Because the majority of people are adult enough not to deface common property (especially if it belongs to a cool free software project you might find useful yourself some day).
1164173289 M * Bertl Hollow did that (with a little pushing from my side :)
1164173687 Q * mire Ping timeout: 480 seconds
1164174251 Q * Aiken_ Ping timeout: 480 seconds
1164174806 J * meandtheshell ~markus@85-125-230-5.dynamic.xdsl-line.inode.at
1164175330 J * Wonka produziert@chaos.in-kiel.de
1164175973 J * s0undt3ch_ ~s0undt3ch@81.193.58.142
1164176201 Q * s0undt3ch Ping timeout: 480 seconds
1164176201 N * s0undt3ch_ s0undt3ch
1164178862 P * daniel15
1164180664 Q * virtuoso Remote host closed the connection
1164180678 J * virtuoso ~s0t0na@shisha.spb.ru
1164181809 Q * shedi Quit: Leaving
1164181907 J * avid ~avid@c-71-229-204-59.hsd1.co.comcast.net
1164181957 P * avid
1164182094 J * chand ~chand@m228.net81-64-156.noos.fr
1164182229 Q * chand
1164182349 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1164182477 J * dna_ ~naucki@190-240-dsl.kielnet.net
1164183994 J * Aiken ~james@tooax6-146.dialup.optusnet.com.au
1164184923 Q * dna_ Quit: Verlassend
1164184993 J * dna_ ~naucki@190-240-dsl.kielnet.net
1164185047 Q * dna_
1164185061 J * dna_ ~naucki@190-240-dsl.kielnet.net
1164186405 J * anonc ~anonc@staffnet.internode.com.au
1164186642 Q * Blissex Remote host closed the connection
1164187273 J * TheSeer ~theseer@border.office.salesemotion.net
1164190098 J * prae ~Benjamin@host.187.57.23.62.rev.coltfrance.com
1164192558 Q * DavidS Quit: Leaving.
1164193224 Q * GyrosGeier Quit: .zZ
1164193261 J * chand ~chand@m228.net81-64-156.noos.fr
1164194074 J * shedi ~siggi@dsl-149-109-85.hive.is
1164194609 J * cuerva ~soatola42@82.153.18.114
1164194840 M * brcc good morning! bertl there ?
1164194873 M * Bertl yep, but almost off to bed now :)
1164194891 M * brcc hehe it is 9:26 AM here :) i think i found a solution
1164194896 M * brcc i have the algorithm here in a paper
1164194908 M * brcc guest connects to the daemon (tcp/ip)
1164194924 M * brcc when it receives the connection, it finds which vserver it is based on the ip address
1164194977 M * brcc now the guest is going to write the " iptables arguments " to a unix socket(?) inside its fs
1164194994 M * brcc the daemon knows which vserver it is, goes to the vserver fs and reads the iptables arguments
1164195000 M * brcc this way only root will be able to use iptables
1164195005 M * brcc what do you think as our first version ?
1164195018 M * brcc i can't use 100% tcp/ip cause any user will be able to fire up rules
1164195032 Q * soatola Ping timeout: 480 seconds
1164195041 M * Bertl nah, that doesn't sound good, neither reliable nor secure
1164195060 M * Bertl if you want to go for a first shot, forget the security for now
1164195076 M * Bertl (it will be easier with the netlink interface)
1164195445 M * brcc hmm ok
1164195464 M * brcc how could i increase security ?
1164195470 J * chand_ ~chand@m228.net81-64-156.noos.fr
1164195472 M * brcc using just unix sockets ?
1164195495 M * Bertl nah, any socket from inside out is a potential security risk
1164195507 M * Bertl you could connect via low ports on a network socket
1164195522 M * brcc you mean tcp ?
1164195527 M * Bertl but as I said, I wouldn't bother at the first shot
1164195559 M * brcc i care a little about that because it would be great to have something useful :)
1164195584 M * brcc and if it is a security risk no one will want to try it out
1164195626 M * Bertl folks will test it, especially when we head towards a secure interface (which will be there with the netlink indirection)
1164195636 M * Bertl i.e. the kernel can check user/root/guest
1164195638 M * brcc ok
1164195650 M * brcc btw i am coding the daemon in PHP at first.
1164195651 M * Bertl and the management daemon can only connect on xid=0
1164195657 M * Bertl that's fine
1164195662 M * brcc implementing the policies in C would take a lot of time
1164195668 M * brcc ok
1164195675 M * brcc you can sleep, i hope to have something tonight
1164195677 M * brcc :)
1164195686 M * Bertl probably a perl or php policy daemon is the best choice anyway
1164195696 M * brcc (night here is in 12 hours)
1164195711 M * brcc i like php because i used to be a C coder and php looks like a simplified version of C
1164195724 M * brcc no bothering with memory allocations, etc
1164195741 M * brcc to integrate it with the netlink stuff, will we need to port it to C ?
1164195744 M * Bertl hehe, well, it's almost 1pm here ... 12:42
1164195766 M * Bertl no, I think php or perl can handle netlink quite fine
1164195771 Q * chand Ping timeout: 480 seconds
1164195781 M * brcc ok
1164195783 M * Bertl at most we need to add some 'libraries' or wrappers
1164195783 M * brcc great
1164195817 M * brcc happy to hear that
1164196000 Q * eGnarF Remote host closed the connection
1164196053 J * eGnarF ~bartek@bk.crystone.se
1164197857 J * DavidS ~david@vpn.uni-ak.ac.at
1164197903 M * matti Bertl: :)
1164197912 M * Bertl :)
1164198070 Q * Aiken Ping timeout: 480 seconds
1164198188 Q * transacid Quit: Lost terminal
1164198525 J * transacid ~transacid@transacid.de
1164199905 Q * DavidS Quit: Leaving.
1164201440 M * harry is there a way to rename a vserver?
1164201474 M * Bertl IIRC, recent tools should have a rename option
1164201546 M * daniel_hozac no.
1164201569 M * Bertl okay, then I do not remember correctly :)
1164201572 M * daniel_hozac i had that functionality in one of my hack config patches, but well, it was a hack.
1164201625 M * harry so i just hack it myself
1164201635 M * harry rename, relink, blablablie, blablabla ;)
1164201765 M * harry move /vservers/name, move /etc/vservers/name, and redirect 3 symlinks, that's it, right?
1164201796 M * daniel_hozac the number of symlinks can vary, but 3 is the default, yes.
1164201868 M * harry name and uts/nodename too :)
1164202803 Q * chand_ Quit: chand_
1164203903 M * Bertl okay, off to bed now ... have a good one everyone! cya!
1164203909 N * Bertl Bertl_zZ
1164204269 Q * duckx Remote host closed the connection
1164204488 J * duckx ~Duck@tox.dyndns.org
1164204620 M * harry what's the interdiff for 2.1.1 to 2.1.1.1?
1164204631 A * harry looks...
1164204772 M * harry bleh, can't interdiff that shit!
1164204781 M * harry i hate interdiff!
1164205108 J * Torsti76 ~irc@gate.iwm-kmrc.de
1164205636 J * cdrx ~legoater@82.227.199.249
1164206493 Q * shedi Quit: Leaving
1164208503 J * comfrey ~comfrey@84.76.53.69
1164208619 J * _Hunger Hunger.hu@Hunger.hu
1164208728 J * chand ~chand@m228.net81-64-156.noos.fr
1164208895 Q * Hunger Ping timeout: 480 seconds
1164208986 Q * chand
1164209530 J * jabra ~jabra@70.90.101.105
1164209536 M * jabra hey guys
1164209545 M * jabra having issues compiling the kernel
1164209565 M * jabra keep getting the same error regardless of what kernel i use and what config i use
1164209580 M * jabra http://rafb.net/paste/results/DtF0R757.html
1164209589 M * jabra that is with 2.6.14.3
1164209623 M * jabra but i have tried 2.6.17.13 with the same error
1164209821 M * jabra Bertl_zZ: ping me when you get up
1164210600 M * harry could be a binutils problem
1164210682 J * shedi ~siggi@inferno.lhi.is
1164210906 M * jabra sudo apt-get install binutils
1164210907 M * jabra Password:
1164210907 M * jabra Reading package lists... Done
1164210907 M * jabra Building dependency tree
1164210907 M * jabra Reading state information... Done
1164210909 M * jabra binutils is already the newest version.
1164210911 M * jabra 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1164211166 M * daniel_hozac that looks like you compiled it with -fstack-protector or similar.
1164211171 Q * comfrey Quit: Lost terminal
1164211210 M * jabra ok i will find that option and rip it out
1164211805 J * Piet hiddenserv@tor.noreply.org
1164211923 J * comfrey ~comfrey@84.76.53.69
1164212055 M * jabra daniel_hozac: do you know where that is i can't for the life of me find that option
1164212765 M * daniel_hozac i have no idea why it would be using that option for the kernel.
1164213478 P * Torsti76
1164213977 M * jabra i mean i just pulled down the kernel from kernel.org
1164213984 M * jabra as it says on the vserver site
1164213989 M * jabra both 2.6.14 and 2.6.17
1164213992 M * jabra both wouldn't work
1164214004 M * jabra they patches applied fine
1164214010 M * jabra s/they/the
1164214024 M * doener does compiling the vanilla kernel itself work?
1164214031 M * jabra that is what i am doing
1164214078 M * daniel_hozac and is it working, thus far?
1164214111 M * jabra compiling fails every time
1164214181 M * doener jabra: is CONFIG_CC_STACKPROTECTOR set?
1164214213 M * daniel_hozac isn't that new in 2.6.19?
1164214258 M * doener I've just seen a mail on lkml that dates back to july... no clue when it was added
1164214302 M * doener hm, ok, added on Sep 26th
1164214471 M * jabra one sec i'll check
1164214648 J * stefani ~stefani@tsipoor.banerian.org
1164214694 M * jabra doener: that isn't in the 2.6.14 kernel
1164214727 M * doener yeah, as daniel_hozac said... my fault
1164214747 M * jabra still makes no sense why it won't compile
1164214771 M * daniel_hozac what distribution are you using?
1164214791 A * doener wild guesses Ubuntu
1164214800 M * daniel_hozac yeah, me too :)
1164214817 M * jabra well ya but it is compiling a vanilla kernel
1164214827 M * daniel_hozac so vanilla works?
1164214828 M * doener "sudo apt-get" is quite a strong indicator ;)
1164214833 M * jabra no
1164214838 M * jabra the kernel won't compile
1164214862 M * daniel_hozac well, i know who i'd be blaming... :)
1164214933 M * daniel_hozac try it with a known-good toolchain.
1164214934 A * jabra hands daniel_hozac a sledgehammer to kill them
1164214950 M * jabra i'm using ubuntu edgy
1164214958 M * daniel_hozac thus my comment :)
1164214961 M * daniel_hozac ;)
1164215011 M * jabra k
1164215073 M * jabra so do u think you can get a fix or should i just use debian
1164215111 M * daniel_hozac report it to the Ubuntu people.
1164215118 M * daniel_hozac or ask them, at least.
1164215147 M * jabra let me check for a bug first
1164215239 Q * prae Quit: Quitte
1164215578 M * doener jabra: could you try this? make CFLAGS=-fno-stack-protector
1164215589 M * doener no idea if the kernel build system honors it the right way though
1164215642 M * doener otherwise, edit the Makefile and change "CFLAGS := -Wall -Wundef -Wstrict-prototypes ...." to "CFLAGS := -fno-stack-protector -Wall -Wundef -Wstrict-prototypes ..."
1164215664 M * doener Ubuntu seems to have changed the compiler's default options...
1164215712 N * _Hunger Hunger
1164216057 M * jabra ok
1164216059 M * jabra willdo
1164216073 M * jabra i'll edit the makefile
1164216116 Q * cdrx Quit: Leaving
1164217504 J * lilalinux ~plasma@dslb-084-058-218-199.pools.arcor-ip.net
1164217545 M * jabra compiling
1164218097 J * marcfiu ~mef@aegis.CS.Princeton.EDU
1164218512 M * jabra doener++ # worked on 2.6.14
1164218604 M * jabra compiling 2.6.17 now
1164219181 Q * comfrey Ping timeout: 480 seconds
1164219426 J * sebastian ~info@p54A95DC0.dip.t-dialin.net
1164219434 M * brcc bertl alive ?
1164219445 M * brcc daniel_hozac: What do you think would be the easiest way to find out if a chain already exists ?
1164219451 M * brcc iptables chain
1164219578 M * daniel_hozac isn't there a library for iptables these days?
1164219691 M * daniel_hozac libnfnetlink.
1164219732 M * daniel_hozac hmm, doesn't seem to be what i thought it was.
1164219847 M * brcc ok
1164219904 M * daniel_hozac i guess iptables -L | grep ... is it then.
1164219959 M * brcc i think that is ugly but the only way to go :)
1164219981 M * brcc Daniel, why do you think bertl said that using unixsocket would be a security risk ?
1164220015 M * sid3windr did he? :)
1164220070 M * brcc just on our case, we need some place to get iptables rules to the host, so they will be processed..
1164220077 M * brcc some way
1164220086 M * daniel_hozac you have a possibility of crashing the daemon and getting root privileges on the host.
1164220119 M * jabra what does stack-protector actually do
1164220174 M * jabra nm found it
1164220262 M * jabra isn't there a config i can add -fno-stack-protector to in /etc/ or something
1164220287 M * jabra but adding it to the Makefile does solve my issue
1164220407 M * brcc ok..
1164220429 J * comfrey ~comfrey@84.76.90.241
1164220819 M * brcc daniel_hozac: creating rules is already working
1164220831 M * brcc not chains, just rules for input/output :)
1164220832 M * brcc hehehe
1164221239 J * fluor ~fluor@84.77.170.108
1164221244 M * fluor hi there
1164221247 M * daniel_hozac hello
1164221263 M * fluor is it still necessary to compile bind with --no-caps in order to use bind within a vserver?
1164221275 M * daniel_hozac on 2.0, yes.
1164221291 M * daniel_hozac with 2.1+, that's not necessary due to the capability masking.
1164221311 M * fluor thanks!
1164221509 M * fluor I'm gonna have a look at what debian ships
1164221517 M * daniel_hozac it's stable.
1164221523 M * daniel_hozac 2.0.2.2-rcX, IIRC.
1164221531 M * fluor right.
1164221550 M * fluor when is devel expected to become a stable release?
1164221610 M * daniel_hozac in a couple of months.
1164221619 M * daniel_hozac note that it should be rather stable already.
1164221643 M * daniel_hozac just not _the_ stable.
1164221737 M * marcfiu hello...
1164221742 M * daniel_hozac hi
1164221746 M * marcfiu just wanted to get some feedback from folks.
1164221774 M * marcfiu We are considering just using vs2.x with vanilla kernel.org, rather than integrating vs2.x with FC based systems.
1164221805 M * marcfiu The primary motivation of going with FC was to stay on top of security updates.
1164221819 M * marcfiu But going with FC causes various grief.
1164221836 M * daniel_hozac the FC kernels have some interesting enhancements though.
1164221846 M * daniel_hozac like ExecShield.
1164221849 M * marcfiu Specifically, FC tends to break things they don't care about. E.g., UML doesn't appear to work right now.
1164221877 M * marcfiu so that's the question: what are we trading off by going with vanilla vs. with FC (or other distributions)?
1164221879 M * daniel_hozac that's to be expected though. they probably aren't even aware that it's broken.
1164221900 M * daniel_hozac (and even if they are, they have more important things to fix)
1164221931 M * daniel_hozac last email i read, davej was talking about something like 700+ open kernel bugs for FC5 and FC6.
1164221932 M * marcfiu yeah... uml works just fine on vanilla.
1164221942 M * daniel_hozac probably utrace that broke it?
1164221956 M * marcfiu yep
1164221977 M * daniel_hozac i imagine Roland would be willing to fix that, i think utrace is headed for mainline anyway.
1164222150 M * jabra HOORAY!!! it works
1164222168 Q * shedi Remote host closed the connection
1164222174 M * jabra thanks guys hopefully the rest of the process won't be as hard as this was
1164222193 M * fluor weird, seems like kernel-patch-vserver has disappeared from the debian archive
1164222207 M * fluor I mean, it is in stable, but I'm using etch, and unstable doesn't ship it either
1164222224 M * daniel_hozac fluor: because Debian has binary vserver kernels now.
1164222232 M * fluor dunno what version debian kernels have been compiled with though
1164222249 M * daniel_hozac says in the changelog.
1164222331 M * fluor right :)
1164222462 J * shedi ~siggi@inferno.lhi.is
1164222699 J * Carp|razepuhh ~gt-blacks@p5086D589.dip.t-dialin.net
1164222851 Q * sebastian Ping timeout: 480 seconds
1164223833 M * jabra how do i remove a vserver after i have created it
1164223841 M * daniel_hozac vserver guest delete
1164224485 M * jabra keep getting an error when i try to start the vserver
1164224502 M * jabra i have done the suggestions at the bottom but neither work
1164224536 M * jabra http://rafb.net/paste/results/cs4eJT21.html
1164224543 M * jabra when i try to start a vserver
1164224602 M * brcc great
1164224614 M * brcc daniel got it to work .. creating rules and listing rules from input/output chains
1164224621 M * brcc now i need to implement user defined chains
1164224634 M * brcc code is a mess
1164224882 J * yarihm ~yarihm@84-75-123-221.dclient.hispeed.ch
1164225273 P * stefani I'm Parting (the water)
1164225681 M * daniel_hozac jabra: Ubuntu again, you have to create some directories on every boot.
1164225805 J * sebastian ~info@p54A95DC0.dip.t-dialin.net
1164225935 M * jabra can
1164225938 M * jabra k
1164225949 M * jabra is there a place where i can find docs on this then
1164225954 M * daniel_hozac no idea.
1164225958 M * jabra fuck
1164225968 M * jabra aight thanks
1164225970 M * daniel_hozac feel free to write some.
1164225988 M * daniel_hozac Ubuntu seems to be very undocumented, and riddled with problems :)
1164225989 M * jabra i am
1164225998 M * jabra ya i noticed
1164226293 M * neuralis varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
1164226309 M * neuralis applications that rely on a persistent /var/run are broken.
1164226346 M * daniel_hozac actually, no.
1164226377 M * daniel_hozac directories in /var/run are supposed to remain.
1164226445 M * daniel_hozac see http://www.pathname.com/fhs/pub/fhs-2.3.html#VARRUNRUNTIMEVARIABLEDATA
1164226630 Q * lilalinux Remote host closed the connection
1164226660 M * neuralis the fhs does _not_ specify that directories in /var/run are persistent between boots.
1164226681 M * daniel_hozac no, but it implies that by saying that files must be removed.
1164226715 Q * shedi Quit: Leaving
1164226736 M * daniel_hozac and the fact that it's just a problem on one distribution... :)
1164226759 M * daniel_hozac but that also seems to indicate lazy maintainers.
1164226762 M * daniel_hozac or maybe there are none.
1164226908 J * FireEgl FireEgl@Sebastian.Atlantica.US
1164227893 J * shedi ~siggi@inferno.lhi.is
1164227987 J * DreamerC_ ~dreamerc@59-115-48-107.dynamic.hinet.net
1164228064 Q * sebastian
1164228091 J * dreamind ~dreamind@C2107.campino.wh.tu-darmstadt.de
1164228100 M * dreamind hi folks :)
1164228106 M * daniel_hozac hello
1164228123 M * dreamind anybody knows if the patch from the website for vserver + grsec works with 2.6.18.3?
1164228136 Q * jabra Ping timeout: 480 seconds
1164228137 M * dreamind it applied cleanly, and I'm currently building that kernel...
1164228148 M * dreamind but I thought maybe it's better to ask ;)
1164228242 M * daniel_hozac should be, but you should be aware it's a vserver version behind.
1164228255 M * dreamind hm?
1164228274 M * dreamind oh, the .1 is missing...
1164228278 M * dreamind hm...
1164228291 M * dreamind is there a diff between 2.1.1 and 2.1.1.1 somewhere?
1164228296 M * daniel_hozac i think harry is working on that already though.
1164228308 M * dreamind hm, well...
1164228325 M * daniel_hozac http://people.linux-vserver.org/~dhozac/p/k/delta-2.1.1-.1.diff
1164228359 M * dreamind btw, I still wonder why linux-vserver is not using git...
1164228386 M * dreamind nice, only 2 rejects :)
1164228397 Q * DreamerC Ping timeout: 480 seconds
1164228447 M * daniel_hozac Bertl_zZ hasn't converted yet :)
1164228575 M * dreamind hm, well...
1164228586 M * dreamind would make life easier I think...
1164228618 M * daniel_hozac for? current setup works quite fine for Bertl_zZ and the vanilla users. :)
1164228619 M * dreamind so now my hand-merged kernel builds :)
1164228648 M * dreamind well that's true, but it would make it *much* easier for linux-vserver to pull updates from linus tree.
1164228702 M * daniel_hozac would it? i think doener tested that and found it lacking.
1164228735 M * dreamind in what direction "lacking"?
1164228765 M * dreamind I've been using git extensively the latest months, for almost everything, source, configuration files, and so on. (even images)
1164228768 M * daniel_hozac in that it didn't help much with the merging. of course, this is all IIRC and that doesn't happen too often :)
1164228820 M * dreamind well IMHO git makes it much easier to track what's been changed and if you wonder why something doesn't work, git bisect makes it *much* easier to find which change introduced a bug.
1164228828 M * dreamind git bisect -> binary search
1164228866 M * dreamind and you can find out who introduced which change.
1164228883 M * dreamind a thing which is currently impossible with linux-vserver AFAIK.
1164228885 M * daniel_hozac not really needed when there's one person maintaining the tree.
1164228909 M * dreamind well, I doubt all linux-vservers kernel patch is a one man show.
1164228937 J * soatolaEspera ~soatola42@82.153.18.114
1164228951 M * dreamind even if it is, there are of course patches from other contributors, and as I said, git would make life easier there.
1164228952 M * daniel_hozac sure, but everybody else is just handing out deltas.
1164228970 M * daniel_hozac i think git users are overselling it a bit.
1164228992 M * dreamind and I think you didn't use git for anything yet...
1164228995 M * daniel_hozac how does git make curl | patch -p1 easier?
1164229000 M * daniel_hozac i didn't.
1164229045 M * dreamind git uses a more intelligent merge than patch would use AFAIK.
1164229067 M * dreamind and you could do merges from several repositories into another at once (octopus merges)
1164229099 M * dreamind well just have a look at the git documentation.
1164229112 M * dreamind I'm pretty sure most kernel projects aren't using git for nothing.
1164229126 M * daniel_hozac you shouldn't convince me, i don't do anything.
1164229142 M * dreamind well but maybe convincing you helps a bit ;)
1164229148 M * daniel_hozac how so?
1164229149 M * daniel_hozac struct vx_info_save vxis;
1164229149 M * daniel_hozac #ifdef CONFIG_SMP
1164229149 M * daniel_hozac extern void smp4m_irq_rotate(int cpu);
1164229158 M * daniel_hozac wtf? stupid mouse buttons...
1164229183 M * dreamind :)
1164229249 M * daniel_hozac git wouldn't help me that much anyway. my trees are in CVS as a patch-series.
1164229307 M * dreamind have a look at pg (patchy git)
1164229307 M * dreamind http://www.spearce.org/category/projects/scm/pg/
1164229331 M * dreamind or stgit
1164229333 M * dreamind http://www.procode.org/stgit/
1164229356 Q * cuerva Ping timeout: 480 seconds
1164229362 M * dreamind and patch series would IMHO easier be managed with git because you can rebase things.
1164229369 M * dreamind just have a look at the git rebase docs.
1164229382 M * dreamind http://www.kernel.org/pub/software/scm/git/docs/git-rebase.html
1164229402 M * daniel_hozac doesn't really help, since the upstream is using CVS.
1164229411 M * dreamind git cvsimporter.
1164229419 M * dreamind git has importers for almost everything.
1164229430 M * daniel_hozac ... but that's even more work.
1164229434 M * dreamind nope.
1164229436 M * daniel_hozac yes.
1164229438 J * Aiken ~james@tooax6-077.dialup.optusnet.com.au
1164229468 M * daniel_hozac maintaining a git copy of the upstream CVS repo would require me changing the scripts i already have.
1164229649 M * dreamind well git-cvsimport is IMHO as easy as git-svn is
1164229658 M * dreamind I only used the latter, which really rocks.
1164229894 M * daniel_hozac oh, and doesn't git-cvsimport require i have access to the repository files? i only have a checkout.
1164229898 M * doener dreamind: the problem basically is that you need to keep the patch series somewhat separated from mainline changes and port it around. At the time of a port, you need a set of small patches to get useful results from git's rebase support. At least for me, the current "split" doesn't fit that.
1164229968 M * doener And the patch series "evolves", a continuous history is nothing I'd expect with Linux-VServer living on top of Linus' tree
1164230030 M * dreamind well a rebased branch wouldn't have a linear history.
1164230069 M * doener of course
1164230172 M * dreamind anyhow, I have to go. enough git discussion for today.
1164230196 Q * dreamind Quit: dreamind
1164231729 Q * yarihm Remote host closed the connection
1164231964 J * yarihm ~yarihm@84-75-123-221.dclient.hispeed.ch
1164233176 Q * comfrey Ping timeout: 480 seconds
1164233623 J * dreamind ~dreamind@C2107.campino.wh.tu-darmstadt.de
1164233645 M * dreamind wb
1164233648 M * dreamind err
1164233653 M * dreamind re is what I wanted to say
1164233654 M * dreamind ;)
1164233808 P * marcfiu
1164234261 M * dreamind hm, is it normal that rss limits do not work these days?
1164234292 M * dreamind I have a /etc/vserver//rlimits/rss.hard file with 10000 in it, but I can use all of the host memory...
1164234400 M * doener it's supposed to work... what does /proc/virtual/$XID/limits say?
1164234472 M * dreamind RSS: 821 1702 20000 0
1164234479 J * bronson ~bronson@c-24-16-67-28.hsd1.wa.comcast.net
1164234520 M * dreamind huh, now it works?!? strange...
1164234545 M * dreamind ah well I know, I limited the address space...
1164234588 M * doener before, instead of rss, or now, in addition to rss?
1164234598 M * dreamind in addition to rss
1164234604 M * dreamind I tried now without an as limit
1164234614 M * dreamind and it doesn't work
1164234617 M * dreamind free shows:
1164234617 M * dreamind Mem: 80000 6960 73040 0 0 0
1164234621 M * dreamind which is wrong
1164234647 M * dreamind because I have a process using way more memory:
1164234655 M * dreamind ps xafu:
1164234657 M * dreamind root 5131 4.2 99.9 622284 613528 pts/1 T 23:30 0:02 \_ /usr/bin/perl -w ./test.pl
1164234667 M * dreamind 613mb...
1164234708 M * doener which kernel is that?
1164234714 M * daniel_hozac what does limits say for ANON?
1164234741 M * dreamind doener: 2.6.17.13 vserver+grsec
1164234791 M * dreamind is the support for rss ulimit something special, because I tried a normal ulimit -m on a different (non vserver) box and it does nothing.
1164234805 Q * meandtheshell Quit: Leaving.
1164234808 A * doener tends to blame the grsec merge
1164234824 M * dreamind doener: ok, I'll try a non grsecurity kernel...
1164234836 M * daniel_hozac i wouldn't be so quick... i'm fairly certain we don't limit anon nor account it towards the rss limit.
1164235056 M * dreamind hm, so what should I do?
1164235078 M * dreamind IMHO an address space limit (limits mmap too) is no option for me
1164235083 M * daniel_hozac try with vanilla, if it's not reproducible, fine, if it is, we'll have to look in to it.
1164235091 M * dreamind daniel_hozac: ok.
1164235092 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1164235565 M * dreamind vanilla kernel builds right now ;)
1164235690 Q * oo Ping timeout: 480 seconds
1164235854 J * dna___ ~naucki@137-195-dsl.kielnet.net
1164236152 M * doener daniel_hozac: can rss be limited with vanilla? I did just a quick cscope search (i.e. don't rely on the result), which didn't show any such limit
1164236176 M * daniel_hozac well, i meant vanilla as in no grsec.
1164236254 M * doener ah, that makes sense :)
1164236265 Q * dna_ Ping timeout: 480 seconds
1164236274 M * doener well, the test, not necessarily the term ;)
1164236295 M * daniel_hozac right, i should've phrased it differently :)
1164236477 M * derjohn anyone seen that with 2.6.18.3 / 2.1.1.1: invalid opcode: 0000 [1] SMP ?
1164236492 N * Bertl_zZ Bertl
1164236495 M * daniel_hozac you'll need to paste the full oops/bug/etc. ;)
1164236497 M * Bertl morning folks!
1164236501 M * daniel_hozac morning Bertl.
1164236548 M * dreamind hi Bertl
1164236582 M * daniel_hozac derjohn: when do you get it?
1164236612 M * derjohn vserver foo start
1164236616 M * derjohn a 32bit guest
1164236624 M * derjohn on a dual dual opteron
1164236630 M * doener almost morning Bertl :)
1164236630 M * derjohn (or a 246 ... mom .. )
1164236658 M * Bertl no stack trace in dmesg? just an 'invalid opcode'?
1164236667 M * derjohn Bertl, hold a sec I check
1164236745 M * derjohn paste.linux..org doesn't work?
1164236756 M * derjohn i pasted voa p-msg, Bertl
1164236758 M * derjohn *via
1164236768 M * dreamind vanilla kernel boots right now...
1164236772 M * daniel_hozac works fine for me.
1164236797 M * derjohn http://paste.linux-vserver.org/684
1164236805 M * derjohn now. yes. just a "delay".
1164236832 M * derjohn it's on dual AMD Opteron(tm) Processor 246, so no dual core.
1164236844 M * Bertl derjohn: there should be more above and below of that section
1164236849 M * daniel_hozac well, i think that should show itself on all arches.
1164236855 M * Bertl if not, check your klogs for more
1164236856 M * derjohn let me scroll ... mom
1164236923 M * derjohn Bertl, yes. updated.
1164236940 A * derjohn should look for the cut-here signs ;)
1164236951 M * Bertl yeah, helps :)
1164236971 M * dreamind huh
1164236984 M * dreamind with the 2.1.1.1 vserver kernel patch *no* vserver starts at all
1164236984 M * doener pretty patched kernel :)
1164236994 Q * dna___ Quit: Verlassend
1164236999 M * dreamind root@master:~# vserver svn start
1164236999 M * dreamind chbind: vc_net_create(): Invalid argument
1164237035 M * daniel_hozac EINVAL is good, it means you don't crash like derjohn :)
1164237038 M * doener Bertl: hm, the load updates again?
1164237048 M * Bertl dreamind: dynamic contexts?
1164237057 M * dreamind Bertl: yes disabled that...
1164237062 M * daniel_hozac Bertl: i'm fairly confident this is the result of http://people.linux-vserver.org/~dhozac/p/k/delta-private-fix02.diff
1164237063 M * derjohn chbind hangs with 100% CPU ...
1164237073 M * derjohn i killed it with -9
1164237074 M * daniel_hozac s/the result of/fixed by/
1164237093 M * dreamind Bertl: do I need some newer util-vserver package than the one in debian?
1164237104 M * daniel_hozac dreamind: no, just to specify a static context.
1164237113 M * dreamind daniel_hozac: how to do so?
1164237130 M * daniel_hozac echo > /etc/vservers//context
1164237140 M * Bertl daniel_hozac: could be .. derjohn: could you try that patch?
1164237152 M * dreamind daniel_hozac: ok
1164237186 M * derjohn yes, i'll do so. But i'll need 1h to compile...
1164237192 M * derjohn i'll report later
1164237210 M * daniel_hozac Bertl: that should cause the process to belong to that nx, vc_net_create to unhash it and fail, and then when the process dies, unhashing it again fails.
1164237216 M * dreamind root@master:/etc/vservers# echo 49151 >svn/context
1164237216 M * dreamind root@master:/etc/vservers# vserver svn start
1164237216 M * dreamind chbind: vc_net_create(): Permission denied
1164237229 M * daniel_hozac or am i jumping to conclusions?
1164237267 M * daniel_hozac dreamind: got a trace in dmesg?
1164237303 M * dreamind yes
1164237314 M * daniel_hozac could you try http://people.linux-vserver.org/~dhozac/p/k/delta-private-fix02.diff too?
1164237329 M * dreamind Kernel BUG at kernel/vserver/network.c:148
1164237339 M * dreamind and much more, which I don't want to paste here...
1164237345 M * derjohn did that problem appear with 2.1.1.1 ?
1164237350 M * dreamind yup
1164237354 M * daniel_hozac sort of.
1164237355 M * derjohn or 2.1.1 ?
1164237359 M * dreamind dunno
1164237363 M * daniel_hozac 2.1.1 already had a different version of it.
1164237364 M * Bertl 2.1.1 IMHO
1164237378 M * Bertl but I think we are seeing something different
1164237390 M * dreamind well I try the above patch
1164237395 M * daniel_hozac oh?
1164237398 M * daniel_hozac how so?
1164237406 M * bon ok
1164237407 M * bon problem :)
1164237408 M * Bertl basically the BUG() means that __unhash_nx_info() is called on an unhashed nxi
1164237409 M * bon vlogin: openpty(): No such file or directory
1164237419 M * daniel_hozac Bertl: wouldn't the case i described cause that?
1164237428 M * brcc Bertl
1164237442 M * brcc iptables inside vserver is at 90%
1164237442 M * daniel_hozac bon: /dev/pts mounted and /dev/ptmx available inside the guest?
1164237444 M * Bertl now, we do call __unhash_nx_info() in exactly two places
1164237450 M * doener bon: is /dev/ptmx available and /dev/pts mounted?
1164237460 M * Bertl one is unhash_nx_info() and the second is vc_net_create()
1164237468 M * daniel_hozac Bertl: and i'm thinking both are called.
1164237485 M * Bertl let's look at the 'create' case first
1164237490 M * brcc i can create and remove rules from input/output, create new chains, etc. The missing part is: Which vserver is calling iptables? Which IPs belong to this vserver ? Going to leave that for tomorrow, when i hope to have 100% done..
1164237498 M * daniel_hozac Bertl: that'll always trigger as-is.
1164237510 M * daniel_hozac (without delta-private-fix02)
1164237525 M * bon yeah well
1164237528 M * bon it seems like yes
1164237536 M * Bertl the vc_net_create() calls __create_nx_info()
1164237540 M * bon those directories exist inside $vsrootdir/$vsname
1164237550 M * daniel_hozac bon: but is /dev/pts mounted?
1164237557 M * daniel_hozac bon: vserver ... exec cat /proc/mounts
1164237574 M * Bertl and if an error happens on vs_net_change() we goto unhash
1164237582 M * bon daniel_hozac: nope :(
1164237592 M * daniel_hozac bon: that's why then.
1164237596 M * bon i see
1164237598 M * bon let me fix that
1164237656 M * Bertl the __create_nx_info() is supposed to hash the nxi unconditionally
1164237664 M * Bertl (when created, of course)
1164237686 M * Bertl question is, can we somehow obtain an unhashed nxi from there?
1164237691 M * daniel_hozac no.
1164237702 M * daniel_hozac the thing is, nx_migrate_task always returns -EACCES.
1164237712 M * daniel_hozac and that's why we enter the out_unhash part.
1164237750 M * bon daniel_hozac: what should $vsname/etc/fstab contain?
1164237782 M * daniel_hozac bon: /etc/vservers//fstab? the default is in /usr/lib*/util-vserver/defaults/fstab.
1164237823 M * Bertl yes, that's okay, but a failure in nx_migrate_task() must not unhash the context unconditionally
1164237841 M * daniel_hozac hmm? how so?
1164237850 M * Bertl i.e. your patch is fixing a different issue, and papering over the real one
1164237855 M * daniel_hozac the creation is failing, shouldn't we get rid of it?
1164237907 M * Bertl yep, you're right ...
1164237934 M * Bertl but the problem lies deeper
1164237960 M * Bertl let's assume the following sequence:
1164237994 M * Bertl A: vc_net_create() up to, but not including vs_net_change()
1164238041 M * Bertl B: grabs the nxi from the hash (it's already there) and uses it
1164238052 M * Bertl A: vs_net_change() fails
1164238070 M * daniel_hozac right, i see your point.
1164238085 M * daniel_hozac so maybe creation shouldn't hash it right away.
1164238104 M * Bertl that would be an option
1164238112 M * daniel_hozac seems logical to me to not add it to the hash before it's fully functional.
1164238154 M * Bertl luckily we have only two callers for that
1164238219 M * Bertl but a problem remains, we cannot synchronize there without moving the hashlock out too
1164238228 M * Bertl s/out/up
1164238278 M * daniel_hozac right...
1164238305 M * Bertl but that wouldn't be too smart
1164238322 M * Bertl because in this case we would hold the lock during the userspace call
1164238344 M * Bertl which will result in funny deadlocks
1164238442 M * daniel_hozac for how long must we hold the lock?
1164238459 M * daniel_hozac __hash_nx_info and __nx_dynamic_id(), no?
1164238466 M * dreamind well seems like daniel_hozac's fix fixed the vserver startup for me.
1164238475 M * dreamind but I still cannot correctly use rss limits.
1164238491 M * daniel_hozac dreamind: and what does the ANON line in /proc/virtual//limits say?
1164238566 M * Bertl daniel_hozac: btw, why do we hit those issues now and not earlier?
1164238573 M * dreamind ANON: 320 0/ 320 -1/ -1 0
1164238583 M * dreamind hm, what's the anon limit for?
1164238597 M * daniel_hozac Bertl: which issues?
1164238608 M * Bertl the unhash BUG()
1164238628 M * daniel_hozac well, the private-fix01 introduced it.
1164238654 M * daniel_hozac (the always failing nx_migrate_task and thus unhashing)
1164238666 M * dreamind ah well found the docs about anon...
1164238682 M * dreamind hm, but where is the difference between an address space limit and anon?
1164238739 M * Bertl daniel_hozac: pardon my ignorance, where is the private-fix01?
1164238743 M * daniel_hozac Bertl: i guess there isn't another way to trigger it, at least not easily.
1164238752 M * daniel_hozac http://vserver.13thfloor.at/Experimental/delta-private-fix01.diff
1164238754 M * daniel_hozac ;)
1164238806 M * dreamind *shrug*
1164238831 M * Bertl daniel_hozac: I still don't get why this triggers it
1164238854 M * Bertl daniel_hozac: neither LOCK nor PRIVATE should be set on a network context, no?
1164238864 M * daniel_hozac Bertl: but you don't reset ret to 0.
1164238882 M * daniel_hozac hence it's always returning -EACCES.
1164238885 M * Bertl ah, now I see it
1164238928 M * Bertl okay, so we simply rip out the LOCK and are back to the old state
1164238951 M * daniel_hozac okay...
1164238965 M * daniel_hozac in this case, i don't see a way to trigger the bug.
1164238968 M * Bertl but we should fix up the unhash part too
1164238986 M * Bertl no? how so?
1164239012 M * Bertl I mean, the scenario depicted above is not unusual for SMP, or am I missing something?
1164239085 M * daniel_hozac ah, true.
1164239099 M * daniel_hozac however, i don't think it's too common to be doing context startup in parallel.
1164239253 M * Bertl for now :)
1164239275 M * Bertl well, I think a proper fix would be to simply hash the new context regardless
1164239286 M * daniel_hozac and leave it hashed?
1164239292 M * Bertl and let the normal refcount/garbage collection do the unhashing
1164239306 M * daniel_hozac but what would be doing that, if vs_net_change failed?
1164239315 M * daniel_hozac nothing would be holding a reference to it.
1164239327 M * Bertl i.e. we simply get a ref
1164239335 M * Bertl and put it at the end
1164239342 M * daniel_hozac ah, yes, that makes sense.
1164239374 M * Bertl probably I tried to cut corners back then, and forgot about this case
1164239384 M * bon ah
1164239388 M * bon slackware is crap
1164239388 M * bon :)
1164239394 M * bon no support for anything
1164239405 M * Bertl hmm?
1164239452 M * daniel_hozac the __unhash_nx_info; put_nx_info order strikes me as odd too.
1164239486 M * Bertl get/put != claim/release :)
1164239519 M * daniel_hozac ah.
1164239542 M * Bertl the hash/unhash wants a claim/release user
1164239575 M * Bertl will prepare something, and we should test with the LOCK flag in place, I guess :)
1164239647 M * dreamind hm, so is there any workaround/solution for this rss limit stuff?
1164239772 Q * DavidS Read error: No route to host
1164239803 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1164239819 M * Bertl dreamind: what is the problem?
1164239861 M * dreamind well it seems like rss limits do nothing on my machine...
1164239885 M * Bertl hard or soft? and what kernel version?
1164239889 M * dreamind I tried using a 10k pages rss limit, but it didn't kill a perl "test" which allocated over 600mb.
1164239900 Q * trash Ping timeout: 480 seconds
1164239907 M * dreamind hard. kernel 2.6.18.3 vs2.1.1.1
1164239925 M * Bertl allocated? or actually used?
1164239945 Q * FireEgl Ping timeout: 480 seconds
1164239950 M * Bertl i.e. what does your perl script do
1164239962 M * dreamind my perl script does:
1164239964 J * trash ~trash@databerlin.org
1164239977 M * Bertl welcome trash!
1164239981 M * dreamind while (1) { @testarr = (@testarr, "blah"); };