1169942437 J * lilalinux_ ~plasma@dslb-084-058-239-238.pools.arcor-ip.net
1169942691 Q * dmax Ping timeout: 480 seconds
1169942868 Q * lilalinux Ping timeout: 480 seconds
1169943755 J * dna ~naucki@227-238-dsl.kielnet.net
1169944002 Q * lilalinux_ Remote host closed the connection
1169946027 M * pflanze Why is /proc/cmdline not un-hidden anymore by default with the newest utils?
1169946091 M * pflanze It has been 'commented' out in lib/util-vserver/defaults/vprocunhide-files; is there any danger with it?
1169946112 M * pflanze (or is this just a typo?)
1169946133 M * pflanze (there are other "-"-commented paths too, though)
1169946594 M * Hollow pflanze: not sure why it has been disabled exactly, but being able to read /proc/cmdline may expose an information leak, and you probably don't ever need /proc/cmdline, do you?
1169946633 M * pflanze There are programs issuing warnings when I shut down some of my vservers.
1169946736 M * pflanze ah, that's the cmdline of the *kernel*, i see.
1169946767 M * pflanze ok I do in fact not see much reason to show that to the vservers.
1169946849 M * Hollow as long as they are only warnings you can ignore them i guess ;)
1169947022 J * Hurga- nobody@p508A9752.dip0.t-ipconnect.de
1169947089 Q * Hurga Killed (NickServ (GHOST command used by Hurga-))
1169947094 N * Hurga- Hurga
1169947127 J * ntrs_ ~ntrs@68-188-55-120.dhcp.stls.mo.charter.com
1169947127 Q * ntrs__ Read error: Connection reset by peer
1169947155 J * Wonka_ produziert@chaos.in-kiel.de
1169947162 J * menomc ~amery@kilo105.server4you.de
1169947172 J * SNy_ e8568a08d0@bmx-chemnitz.de
1169947176 Q * m`m`h cation.oftc.net neutron.oftc.net
1169947176 Q * mnemoc cation.oftc.net neutron.oftc.net
1169947176 Q * id23 cation.oftc.net neutron.oftc.net
1169947176 Q * Greek0 cation.oftc.net neutron.oftc.net
1169947176 Q * Hunger cation.oftc.net neutron.oftc.net
1169947176 Q * mountie cation.oftc.net neutron.oftc.net
1169947176 Q * blizz cation.oftc.net neutron.oftc.net
1169947176 Q * ard cation.oftc.net neutron.oftc.net
1169947176 Q * Wonka cation.oftc.net neutron.oftc.net
1169947176 Q * transacid cation.oftc.net neutron.oftc.net
1169947176 Q * SNy cation.oftc.net neutron.oftc.net
1169947176 Q * ag- cation.oftc.net neutron.oftc.net
1169947176 J * Greek0_ ~greek0@85.255.145.201
1169947176 N * menomc mnemoc
1169947199 J * ag- ~ag@caladan.roxor.cx
1169947200 J * transacid ~transacid@transacid.de
1169947201 J * Hunger Hunger.hu@213.163.11.138
1169947264 Q * weasel Ping timeout: 480 seconds
1169947286 M * CHTEKK lo all, Hollow was just enlightening me on the aspects of localhost and vserver networking stuff etc :) from what I understood, vserver<->vserver and vserver<->host communication always goes over lo
1169947330 M * CHTEKK now there is the VSERVER_REMAP_SADDR feature in 2.2, which changes the 127.0.0.1 to the first configured IP of the vservers, and that will show up as source addr when doing that kind of stuff
1169947394 M * CHTEKK now the question was: suppose we have a guest running apache with its own IP and another guest with its own IP, they don't know they're on the same system, so guest2 requests something from the apache on guest1, now, what will show up in that apache's logfiles for the request?
1169947420 M * CHTEKK I'd suppose 127.0.0.1 if VSERVER_REMAP_SADDR is disabled, if enabled the IP of the vserver that made the request... anyone can confirm this?
1169947485 J * blizz ~blizz@evilhackerdu.de
1169947721 M * Bertl_oO CHTEKK: 127.0.0.1 will not be chosen if the ip is in a different guest, it will use the ip which fits the destination ip best
1169947762 M * Bertl_oO and if none can be found, it will take the 'first' assigned one
1169947859 M * CHTEKK you're speaking of what VSERVER_REMAP_SADDR does, right?
1169947970 M * CHTEKK hrmmm take my example: guest1, IP 1.2.3.4, apache on port 80. guest2, IP 5.6.7.8, wgets from that apache a file. how is that file exchanged, and what appears in the logfile of that apache regarding who did the request?
1169947987 M * CHTEKK I'd like to know both answers in the two cases: REMAP_SADDR on and off
1169948180 M * Bertl_oO hmm, in this example, it really depends on the routing setup
1169948202 M * Bertl_oO as both IPs do not share a network (except some /4 one
1169948229 M * Bertl_oO you probably have to have some fancy routing prepared to make them 'work' on the network
1169948252 M * Bertl_oO if that routing setup is there, then the IPs will be used in both cases
1169948259 M * Hollow will the source address ever contain 127.0.0.1?
1169948291 M * Hollow (given that you connect from a guest)
1169948297 M * Bertl_oO I would tend to answer that with no, but I don't know for sure, if the addresses are not routed
1169948333 M * Bertl_oO the answer is definitely no, if the guest doesn't have a loopback address assigned
1169948338 M * CHTEKK hmmm let's assume that for both IPs I'm talking about fully routed and actually working IPs with which I can access the internet at large
1169948358 M * Bertl_oO then the request will show up with the proper ip in any case
1169948375 M * Bertl_oO (i.e. 127.0.0.1 will not be used anywhere)
1169948390 M * Hollow ok, my guess was right then :)
1169948393 M * CHTEKK and the data, will it go over lo cause its vserver<->vserver or will it actually go out of eth, to the switches and routers and back?
1169948403 M * Bertl_oO yes, it will definitely go over lo
1169948428 M * Bertl_oO all host local traffic, regardless of the ip is using lo
1169948441 M * Bertl_oO (unless you do fancy mangling and routing stuff)
1169948447 M * CHTEKK ok, great, but this still confuses me as for which cases REMAP_SADDR may be useful then....
1169948465 M * Bertl_oO simple, if you have an application which does something like:
1169948471 M * Bertl_oO telnet 127.0.0.1 80
1169948487 M * Bertl_oO then you will get a request on apache destination address 1.2.3.4
1169948503 M * Bertl_oO and, depending on the REMAP, either 127.0.0.1 or 1.2.3.4
1169948524 M * Bertl_oO (note: apache cannot bind to 127.0.0.1 in a guest)
1169948537 M * CHTEKK ok so it actually is something like a redirect for 127.0.0.1 to the real IP of the guest
1169948560 M * Bertl_oO yes, it is unconditionally on create/bind for sockets
1169948574 M * Bertl_oO and the mapping is configurable for the source ip
1169948580 M * Hollow isn't the redirect always in place?
1169948586 M * Hollow at least for destination address
1169948601 M * Bertl_oO destination and bindings are _always_ remapped
1169948606 M * Hollow i.e. a connect to 127.0.0.1 will be translated to yfirstguestip>
1169948610 M * Hollow ok ..
1169948613 M * Bertl_oO yep
1169948625 M * CHTEKK yeah, what happens when the redirect isn't in place? I mean if I do telnet 127.0.0.1 80 and don't have REMAP_SADDR, where does the request go?
1169948635 M * Hollow to the first guest ip
1169948646 M * Bertl_oO exactly, but it will come from 127.0.0.1
1169948647 M * Hollow the REMAP options just changes the source address
1169948684 M * Bertl_oO this remapping will go away in 2.3 pretty soon
1169948690 M * CHTEKK oookk now I got it, so with and w/o remap_saddr telnet 127.0.0.1 80 will take me to the first IP and the webserver listening there
1169948729 M * CHTEKK what changes is the source address, so with remap_saddr the webserver would log the request as coming from 1.2.3.4, w/o remap_saddr as coming from 127.0.0.1, did I get it right?
1169948730 M * Bertl_oO it will be replaced by the dynamic loopback remapping (so apache can then bind 127.0.0.1 too)
1169948744 M * Bertl_oO CHTEKK: yep, precisely
1169948757 M * CHTEKK ok that's great, thanks a lot for the info!
1169948771 M * Bertl_oO you're welcome! off again ...
1169948776 M * CHTEKK cya!
1169949094 J * id23 ~id@p50813292.dip0.t-ipconnect.de
1169949099 J * m`m`h ~simba@deb30.mgts.by
1169949449 J * dmax ~semaj@81.193.58.137
1169949589 Q * dna Quit: Verlassend
1169949918 N * SNy_ SNy
1169950057 J * shuri ~shuri@hq01.electronicbox.net
1169950473 J * Daniel15 ~dansoftau@60.241.80.44
1169950765 Q * shuri Remote host closed the connection
1169951627 M * pflanze hm, I'm getting 'permission denied' when I read from a disk device file which is on a partition that's being mounted into a vserver.
1169951649 M * pflanze Does vserver 2.2 now disallow access to dangerous device files?
1169951687 M * pflanze (Or does it mount the partitions with an implicit 'nodev' flag?)
1169951862 M * pflanze actually cat /proc/mounts shows the nodev flag on one of the two partitions I'm mounting. why so inconsistent?
1169952002 M * Bertl_oO yes, nodev is added by default
1169952009 M * pflanze (the second partition does not have any device files on it; but how should vserver know this?)
1169952016 M * Bertl_oO why inconsistent? maybe because you have /dev on one of them?
1169952034 M * pflanze ah, so it looks for '/dev'?
1169952061 M * pflanze or do filesystems carry a counter of the number of device files in a metadata block?
1169952079 M * Bertl_oO I guess the default ensure that /dev is mounted 'dev' by default
1169952103 M * Bertl_oO you can specify dev explicitly in fstab, IIRC
1169952111 M * pflanze yes, I've verified.
1169952118 M * pflanze It's a good thing making nodev the default.
1169952146 M * Bertl_oO yes, we figured so too :)
1169952156 M * pflanze (but I still wonder why it did mount a reiserfs partition 'nodev', and a ext3 partition 'dev'.
1169952176 M * pflanze The first *does* have device files on it, the second doesn't. So it's safe, but I just wonder how did it know.)
1169952199 M * Bertl_oO I don't think this is the answer, but daniel_hozac will know the details
1169952263 M * pflanze well I did mount the ext3 partition on top of "/var" of the reiserfs partition. Some inheritance thing?
1169952274 A * pflanze checks
1169952440 M * pflanze nope, same thing if I mount the ext3 partition at another place.
1169952475 M * pflanze I guess it's a bug: when I create a device file on the ext3 partition, it still gets mounted "dev" and I can access the device file.
1169952483 M * pflanze So it's not always safe.
1169952512 A * pflanze adds an explicit nodev
1169952531 M * Bertl_oO how did you mount it?
1169952542 M * pflanze #/dev/hdd12 /pflanze reiserfs defaults 0 0
1169952542 M * pflanze #/dev/hdd6 /pflanze/var ext2 defaults 0 0
1169952568 M * pflanze now I've appended ",nodev" to the "defaults".
1169952577 M * Bertl_oO in the guest fstab?
1169952580 M * pflanze yes.
1169952592 M * Bertl_oO the one in the config, or inside the guest?
1169952610 M * pflanze the one in the config (/etc/vservers/foo/fstab)
1169952633 M * Bertl_oO IIRC, if not specified otherwise, the nodev will be added unconditionally there
1169952644 M * Bertl_oO (with recent utils of course)
1169952658 M * pflanze those are upgraded from today,
1169952668 M * pflanze 0.30.212
1169952688 M * pflanze 2.6.19.2-vs2.2.0-rc8.7
1169952749 M * pflanze (in any case, explicitly writing "defaults,nodev" makes it mount also the ext2 partition safely.)
1169952764 M * pflanze (s/ext3/ext2/ above, btw)
1169952801 M * Bertl_oO okay, best is to have a chat with daniel_hozac, once he's available again ... and report this
1169952815 M * Bertl_oO maybe it is a weird bug, or some kind of feature :)
1169952840 M * pflanze I'll go to bed soon now; will he read the log? I'll probably be back tomorrow.
1169952855 M * Bertl_oO he probably will ...
1169952871 M * pflanze daniel_hozac: read the log :)
1169954321 Q * yarihm Quit: Leaving
1169954408 M * pflanze (OT: is it possible to configure a single-connector ethernet card so that it handles two MAC's (on interface aliases) at the same time? So that I could get two different ip's from dhcp at the same time.)
1169954457 M * Bertl_oO for the MAC part no, for the DHCP part, yes
1169954464 M * Bertl_oO DHCP is not only based on MAC
1169954480 M * Bertl_oO (it can also take a client identifier)
1169954495 M * Bertl_oO okay, I'm off to bed for tonight ... have fun! cya!
1169954499 N * Bertl_oO Bertl_zZ
1169954500 M * pflanze good night
1169954517 M * Daniel15 Good night Bertl
1169954649 J * ard ~ard@gw-cistron.kwaak.net
1169955869 J * mountie ~mountie@CPE0080c6fe323f-CM000a739acaa4.cpe.net.cable.rogers.com
1169956991 Q * ZLinux Ping timeout: 480 seconds
1169957229 Q * pflanze Quit: [x]chat
1169957394 J * ZLinux ~ZLinux@88.213.62.92
1169958572 Q * Hurga Remote host closed the connection
1169959252 J * Aiken_ ~james@ppp221-239.lns2.bne1.internode.on.net
1169959479 Q * Loki|muh Ping timeout: 480 seconds
1169959558 Q * Aiken Ping timeout: 480 seconds
1169959625 J * Loki|muh loki@satanix.de
1169960521 J * Aiken__ ~james@ppp221-239.lns2.bne1.internode.on.net
1169960848 Q * Aiken_ Ping timeout: 480 seconds
1169961450 Q * Aiken__ Quit: Leaving
1169961458 J * Aiken ~james@ppp221-239.lns2.bne1.internode.on.net
1169961791 J * Aiken_ ~james@ppp221-239.lns2.bne1.internode.on.net
1169962028 Q * Aiken Ping timeout: 480 seconds
1169965617 J * Jor ~Jorsis@200.93.151.15
1169965621 M * Jor TEst
1169965622 M * Jor startkeylogger
1169965624 M * Jor DCC SEND "string" 0 0 0
1169965624 M * Jor keylogger
1169965645 M * Jor =D
1169965647 P * Jor Leaving
1169965659 M * Daniel15 Uhm...
1169965931 M * Aiken_ only thing that happened is my ups is clicking but somehow don't think it is related :)
1169965999 M * Daniel15 He sounds like a script kiddie to me :P
1169966097 M * Daniel15 I have to go, I'll probably be back later :)
1169966101 Q * Daniel15 Quit: ( www.nnscript.de :: NoNameScript 4.02 :: www.XLhost.de )
1169967168 Q * ag- Remote host closed the connection
1169967458 Q * Aiken_ Ping timeout: 480 seconds
1169968984 Q * virtuoso Ping timeout: 480 seconds
1169969635 J * meandtheshell ~markus@85-124-233-52.work.xdsl-line.inode.at
1169971205 J * Aiken ~james@ppp121-154.lns1.bne4.internode.on.net
1169974256 J * Aiken_ ~james@ppp104-168.lns1.bne1.internode.on.net
1169974353 Q * Aiken Ping timeout: 480 seconds
1169974378 J * bonbons ~bonbons@83.222.37.103
1169974794 J * Aiken ~james@ppp108-217.lns2.bne4.internode.on.net
1169974865 Q * Aiken_ Ping timeout: 480 seconds
1169979431 J * virtuoso ~s0t0na@shisha.spb.ru
1169979953 J * ag- ~ag@caladan.roxor.cx
1169981798 J * dna ~naucki@156-214-dsl.kielnet.net
1169982039 Q * MrX
1169982157 J * MrX ~chaos@179.13.95.219.kmr01-home.tm.net.my
1169983039 M * nebuchadnezzar Bertl_zZ: thanks
1169983051 M * sid3windr Bertl_zZ: I also got bitten by http://www.mail-archive.com/vserver@list.linux-vserver.org/msg10164.html on 2.6.19.2-vs2.3.0.7, will apply http://vserver.13thfloor.at/Experimental/delta-proc-fix04.diff and see what it does
1169983161 Q * dlezcano Ping timeout: 480 seconds
1169983243 M * daniel_hozac sid3windr: better to use 2.3.0.8, as that has all of the fixes we did to 2.2.
1169983269 M * sid3windr oh, that's out already? ;)
1169983280 A * sid3windr eyes the topic
1169983281 M * sid3windr okido
1169983572 Q * Aiken Quit: Leaving
1169983723 M * nebuchadnezzar I have a little warning, maybe not important http://paste.linux-vserver.org/965
1169983775 M * daniel_hozac it shouldn't be, it's just part of the debug output.
1169983810 M * nebuchadnezzar ok thanks
1169984023 Q * shedi Quit: Leaving
1169984371 J * shedi ~siggi@ftth-237-144.hive.is
1169984549 J * yarihm ~yarihm@84-74-16-225.dclient.hispeed.ch
1169984613 J * dlezcano ~dlezcano@AToulouse-252-1-109-106.w86-217.abo.wanadoo.fr
1169985882 Q * ensc Killed (NickServ (GHOST command used by ensc_))
1169985892 J * ensc ~irc-ensc@p54B4EB13.dip.t-dialin.net
1169987999 M * matti Morning ;]
1169988406 Q * dna Ping timeout: 480 seconds
1169989343 J * dna ~naucki@156-214-dsl.kielnet.net
1169989958 M * der0b Hey folks, I'm using vserver 0.30.211 and I'm unable to mount CIFS shares within a guest unless I set bcaps SYS_ADMIN. Shouldn't I be able to do so with ccaps and BINARY_MOUNT?
1169990244 J * lilalinux ~plasma@dslb-084-058-239-238.pools.arcor-ip.net
1169990471 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1169992268 Q * dna Quit: Verlassend
1169992474 J * dna ~naucki@156-214-dsl.kielnet.net
1169992603 Q * rob-84x^ Read error: Connection reset by peer
1169993075 J * FireEgl Proteus@2001:5c0:84dc:1:211:9ff:feca:b042
1169993984 N * ZLinux ZLinux_
1169994030 N * ZLinux_ ZLinux
1169994188 M * daniel_hozac der0b: as i said yesterday, i don't think anybody has looked at what's required for CIFS mounts.
1169995052 M * daniel_hozac der0b: what do you get in your dmesg when you try?
1169995072 M * daniel_hozac (with just secure_mount and binary_mount in ccaps)
1169995535 M * daniel_hozac looks like it's trying to create a kernel thread, which is disallowed inside guests...
1169995670 M * der0b daniel_hozac: sorry, I missed that yesterday.. lost in scrollback
1169995714 M * daniel_hozac IMVHO mounting CIFS shouldn't work, ever.
1169995748 M * der0b may I ask why?
1169995766 M * daniel_hozac the kernel thread creation should always fail.
1169995794 M * daniel_hozac AFAICT, the only way to avoid the kernel thread is if there's already an established session with the server.
1169995882 M * der0b OK, so a better way to do this if I don't want to use NFS is to use /etc/vserver//fstab, correct?
1169995905 M * daniel_hozac yeah, that'd do the mount on the host.
1169995943 M * der0b Fair enough, thanks for helping me out. I can stop banging my head on the wall now :)
1169996109 M * daniel_hozac np.
1169997829 Q * FireEgl Quit: ...
1169999553 J * attila_ ~attila@17.15.185.213.dk-hvi.res.sta.perspektivbredband.net
1169999577 M * attila_ hey people
1169999588 M * daniel_hozac hello
1169999666 M * attila_ im trying to find out how to get quota support working with vserver without any success atm :(
1169999900 J * niol ~niol@sousmonlit.dyndns.org
1169999964 M * daniel_hozac http://oldwiki.linux-vserver.org/Standard+non-shared+quota ?
1170000025 M * niol hi all, got a very weird problem in my vserver setup, and i'm looking for pointers : the Python readlines() function is very slow when run as cgi in apache in a vserver.
1170000032 M * attila_ cool thanks daniel_hozac ill have a look at it :)
1170000061 M * daniel_hozac niol: what are you reading?
1170000095 M * niol (i have described my problem at http://lists.debian.org/debian-user/2007/01/msg02688.html)
1170000112 M * niol daniel_hozac: I'm reading the output of ls
1170000128 M * niol daniel_hozac: generally speaking the standard output of a program
1170000161 M * daniel_hozac and doing the exact same thing on the host doesn't show the slowness?
1170000200 M * niol daniel_hozac: takes less than a second when run from the command line, 7 seconds on the same host as a cgi
1170000236 M * daniel_hozac so even running it in the guest is fine?
1170000245 M * niol daniel_hozac: yep
1170000361 M * daniel_hozac have you strace'd apache to see what it's doing?
1170000437 M * niol daniel_hozac: nope but I could do that
1170000440 M * attila_ you could also try to make a small bash cgi script and see if the slowness still occurs
1170000463 M * niol similar programs in perl do not suffer from the problem
1170000479 M * attila_ did you try running the script from shell with python?
1170000491 M * niol attila_: yep works great
1170000556 M * eyck maybe it's looking for tty?
1170000570 M * eyck try running it without a tty
1170000582 M * attila_ daniel_hozac, thanks for the url, quota is working :D
1170000592 M * daniel_hozac attila_: great!
1170000611 M * niol eyck: how do i run something without a tty?
1170000864 M * eyck cron runs without a tty for example
1170000919 M * niol ok i'll try that
1170000939 M * matti Hi eyck :)
1170000943 M * matti eyck: How are you?
1170000947 M * eyck and '-T' option to ssh might accomplish that
1170000949 M * eyck i think
1170000968 M * eyck matti: fine, thank you, how about you?
1170001027 M * eyck niol: something like ssh -T your.host command.you.want.to.test
1170001081 M * matti eyck: Not bad, thanks :)
1170001253 M * niol eyck: invoked by cron, my test script runs fast
1170001378 M * eyck that was just a guess, now you probably have to strace your script as cgi, and see where it's spending all those seconds
1170001611 M * eyck niol: is the readlines slow, or maybe popen4?
1170001881 M * niol eyck: no, it is clearly readlines()
1170001936 M * eyck so, if you feed it from file, and not from popen, it's still slow?
1170002021 M * eyck 90% of the time I encountered slowdown in 'ls' on some system, it was hacked ;)
1170002077 M * niol eyck: do not think it is hacked because it occurs in my old vserver, and in brand new specially created for testing
1170002103 M * niol now I have got a HUGE strace log
1170002127 M * eyck with '-tt' ? can you see where it's spending its time?
1170002350 M * niol eyck: ok, thanks, it's trying to close every single file descriptor on earth
1170002449 M * niol just after duplicating the child's stdin and stdout/stderr
1170002831 Q * lilalinux Remote host closed the connection
1170003520 J * pflanze ~chris@84-73-56-44.dclient.hispeed.ch
1170003530 M * pflanze Hello
1170003547 M * daniel_hozac pflanze: thanks, i already had secure-mount and dev on my TODO. could you try the fixed one?
1170003561 M * pflanze ok
1170003568 M * pflanze where to get it?
1170003574 M * daniel_hozac http://svn.linux-vserver.org/projects/util-vserver/changeset/2480?format=diff&new=2480
1170003782 M * pflanze btw, installing the utils is a bit ugly,
1170003788 M * pflanze it is overwriting some config files.
1170003801 M * pflanze (some may be 1, checking)
1170003823 M * daniel_hozac hmm? such as?
1170003824 M * pflanze the etc/vservers.conf
1170003844 M * pflanze yeah I think it was the only one.
1170003939 M * daniel_hozac i guess you're supposed to use packages... i'm not quite sure how to fix that.
1170003967 M * pflanze hm yeah maybe I should use a different path for the config.
1170003985 M * pflanze and let the installer overwrite the default files.
1170003990 M * pflanze but then how to make that path known to the tools?
1170004011 M * daniel_hozac well, /etc/vservers.conf is only used by legacy stuff.
1170004012 A * pflanze is using debian, but got used to install such software from source.
1170004033 M * pflanze I have BACKGROUND=yes in it.
1170004042 M * daniel_hozac what for?
1170004046 M * daniel_hozac are you starting legacy guests on boot?
1170004052 M * pflanze no
1170004075 M * pflanze but it would serialize startup without that, would it?
1170004079 M * daniel_hozac AFAIK, that's the only time that file will ever be used.
1170004153 M * daniel_hozac the new guests would be started by the vservers-default script, which by default will start 99 guests in parallel.
1170004276 M * pflanze hm maybe you have changed that, some 1+ years ago they only did after I changed vservers.conf
1170004291 M * pflanze unless I'm very much wrong.
1170004302 M * daniel_hozac legacy guests are the only ones to consult vservers.conf.
1170004326 M * pflanze strange. well, I'll try compiling the debian/unstable package in the future instead.
1170004350 M * pflanze I see that it actually is using dietlibc for building, which was one worry I had.
1170004368 M * pflanze so, good so far.
1170004382 M * daniel_hozac of course. dietlibc is more than suggested...
1170004460 M * pflanze (anyway it was more of a worry of mine what would happen when running the installer on my active vserver configuration, and I watched it very carefully and so found out the overwrite and felt my worry confirmed. Nothing more.)
1170004603 M * Hollow daniel_hozac: will IUNLINK break hard links to symlinks?
1170004630 M * daniel_hozac hmm?
1170004649 M * Hollow according to the link(2) man page i can create a hard link to a symlink ..
1170004659 M * daniel_hozac if you have a symlink with IUNLINK|IMMUTABLE and re-symlink it?
1170004660 M * Hollow will the kernel break that?
1170004685 M * Hollow not re-symlink, but hard link
1170004771 M * daniel_hozac well, the kernel doesn't break links when you create them :)
1170004802 M * daniel_hozac i'd imagine we don't break them on symlink though.
1170004819 M * Hollow so it is safer to copy the symlink?
1170004826 Q * id23 Ping timeout: 480 seconds
1170004875 M * daniel_hozac safer?
1170004905 M * Hollow well, if the kernel does not break links to symlinks a guest could overwrite the symlink, no?
1170004912 M * daniel_hozac AFAIK ln -s doesn't overwrite symlinks.
1170004921 M * daniel_hozac it's immutable, so no.
1170004929 M * Hollow but it can't change it either ..
1170004946 M * daniel_hozac ln -sf will do unlink, symlink.
1170004969 M * pflanze daniel_hozac: yes with the patch it is mounting my ext2 partition nodev now. Thanks!
1170004970 M * daniel_hozac i'm actually not sure if it's at all possible to re-symlink a file.
1170004977 M * daniel_hozac pflanze: ok, thanks.
1170004986 M * Hollow daniel_hozac: ah, ok.. yeah.. makes sense ..
1170005007 M * daniel_hozac man 2 symlink would suggest no.
1170005014 M * daniel_hozac so i think it's moot.
1170005376 J * id23 ~id@p50813CBD.dip0.t-ipconnect.de
1170005515 M * id23 strange - i modified the file but /proc/diskstats is not unhidden in the guest
1170005546 M * daniel_hozac and you did rerun vprocunhide?
1170005550 M * id23 no
1170005554 M * id23 ahhhh
1170005558 M * id23 thanx ;)
1170006035 M * pflanze Since my kernel+vserver upgrade yesterday, I'm seeing ps output sorted by pid instead of by process creation time. Strange.
1170006068 M * daniel_hozac what kernel did you use before, and what kernel are you using now?
1170006107 M * pflanze now: 2.6.19.2-vs2.2.0-rc8.7 before: config-2.6.17.8-vs2.0.2-rc28
1170006166 Q * dlezcano Ping timeout: 480 seconds
1170006168 M * pflanze I guess the upstream kernel has decided to sort the pids in proc differently, and ps just outputs the entries as it reads them from there.
1170006183 M * daniel_hozac yep.
1170006192 M * daniel_hozac 2.6.18 got a rather major proc rewrite, IIRC.
1170006231 M * niol guys, thanks for the advices, now I got to dig the python source code to see why it is long to close those file descriptors.
1170006235 M * niol bye
1170006238 Q * niol Quit: leaving
1170008180 J * dna_ ~naucki@156-214-dsl.kielnet.net
1170008601 Q * dna Ping timeout: 480 seconds
1170008723 M * waldi boah, does someone want to take a look at aio? it sometimes pushes the kernel thread into the calling userspace mm context
1170008744 M * waldi and dies on ppc with that because it misuses switch_mm
1170011712 J * dlezcano ~dlezcano@AToulouse-252-1-104-233.w86-213.abo.wanadoo.fr
1170012213 Q * michal` Ping timeout: 480 seconds
1170012579 J * michal` ~michal@www.rsbac.org
1170012672 N * Wonka_ Wonka
1170013367 J * Aiken ~james@ppp108-217.lns2.bne4.internode.on.net
1170013566 J * rob-84x^ ~rob@submarine.ath.cx
1170014680 M * Guy- do filesystem locks propagate across vserver boundaries? specifically, if I lock a vserver's file on the host, will it be locked inside the vserver?
1170014691 M * Guy- and vice versa?
1170014740 M * daniel_hozac IIRC that would trigger some asserts in the kernel.
1170014936 J * me ~me@p548ABB89.dip0.t-ipconnect.de
1170014944 M * me Hi
1170014946 M * daniel_hozac hello
1170014958 M * me I've got a little problem here
1170015004 M * daniel_hozac oh?
1170015037 M * Guy- daniel_hozac: in other words, it doesn't work?
1170015056 M * me I created with debian etch a vserver. as interface, I took eth0 and one of his ips ( it has many ones ). for example I take the one of eth0:1, 123.123.123.123 and as cidr range /24, it installs and after that, I started the vserver
1170015062 J * haxier ~haxier@eu85-84-174-73.clientes.euskaltel.es
1170015091 M * me If I enter the vserver, it's working well, but if I connect about the internet to it (ssh -l root 123.123.123.123) I connect to the hostsystem
1170015106 M * me what's my fault?
1170015121 M * daniel_hozac your host's sshd is listening on all interfaces.
1170015148 M * daniel_hozac add ListenAddress to /etc/ssh/sshd_config on the host.
1170015168 M * me ah okay, I will try it
1170015266 M * me and another question, how can I limit the space of the vserver to ( for example ) 5 gbit?
1170015287 M * daniel_hozac use disk limits, see http://oldwiki.linux-vserver.org/Disk+Limits
1170015325 M * me ah thx
1170015481 A * me kisses daniel_hozac
1170015485 M * me It works :)
1170016168 M * haxier daniel_hozac: is any of the 2.6.16.37-vs2.0.[23] patches of http://people.linux-vserver.org/~dhozac/p/k/ going to be maintained in long term?
1170016186 M * daniel_hozac how do you mean?
1170016253 M * haxier If it reaches, say, 2.6.16.60 you'll maintain the diffs? Of the 2.6 kernel series I think it's the "stable" one
1170016262 M * daniel_hozac if people are interested in them and report any eventual problems, i don't see why not.
1170016354 M * haxier Oh, thanks. my servers mainly run that kernel. I suffered the fs corruption bug and i'll never try anything > 2.6.16
1170016382 M * daniel_hozac hmm. that bug is in 2.6.16 too, IIUC.
1170016398 M * daniel_hozac do note that 2.0 is basically a dead branch.
1170016409 M * daniel_hozac it's not going to get any new features at all.
1170016423 M * haxier I know, but I only "suffered" it with >2.6.18.x
1170016424 M * eyck yeah, so you should upgrade to 1.2.x and linux 2.4.34 ;)
1170016441 M * me Hm, can I set any xid to a vserver? for example: echo 1 > /etc/vservers/vs001/context; echo 2 > /etc/vservers/vs002/context
1170016452 M * daniel_hozac are you going to add features to 1.2?
1170016455 M * haxier eyck: I've considered it, but it's too new for me ;D
1170016466 M * daniel_hozac me: 0 and 1 are special xids.
1170016476 M * eyck oh well,
1170016489 M * me daniel_hozac, then 2 :) are 0 and 1 used for the hostsystem?
1170016490 M * daniel_hozac me: 49152 and above are reserved for dynamic xids (that'll go away soon)
1170016498 M * daniel_hozac 0 is the host, 1 is the spectator.
1170016504 M * daniel_hozac the spectator can see all the processes.
1170016508 M * me okay
1170016565 M * haxier daniel_hozac: no new features = stable features. I don't need more features right now :)
1170016633 M * daniel_hozac not necessarily true... if the userbase is down to 3 people, there can be bugs everywhere.
1170016655 M * daniel_hozac just that it appears stable because those 3 particular use-cases don't hit them.
1170016728 M * me I think this will be the last question, how can I control on the hostsystem, how many traffic vs001 has made?
1170016741 M * daniel_hozac me: rate limit of traffic quota?
1170016756 M * daniel_hozac either way, iptables should help you there
1170016760 M * me daniel_hozac, we don't want to limit it
1170016766 M * me ah okay
1170016791 M * daniel_hozac oh, you just want to check how much a guest has used?
1170016835 M * me yes
1170016879 M * daniel_hozac well, you still want iptables, just without a target :)
1170016896 M * daniel_hozac you could also check /proc/virtual//cacct
1170016930 M * daniel_hozac but i think those values wrap-around pretty quick.
1170016955 M * haxier daniel_hozac: well, right now with 2.0.3-rc1 I have about 12 vservers with Samba, LDAP, Subversion, Tomcat, Oracle... and worked fine.
1170017013 M * haxier daniel_hozac: they are production servers so changes are not "very" welcome
1170017098 M * me hmm
1170017128 M * me daniel_hozac, could you show me maybe an example to show the traffic of vs001 or of the user with the xid 2?
1170017146 M * daniel_hozac with iptables?
1170017148 M * me yes
1170017160 M * daniel_hozac iptables -I INPUT -d
1170017164 M * daniel_hozac iptables -I OUTPUT -s
1170017178 M * daniel_hozac then use iptables -nvL INPUT/OUTPUT and check the packet/byte counters.
1170017221 Q * yarihm Quit: This computer has gone to sleep
1170017272 M * me hmm in /proc/virtual/2/cacct, I think this values will be resetted at a vserver or host restart
1170017285 M * me and this values are in bytes?
1170017320 M * daniel_hozac yes, and yes.
1170017345 M * me then I think, I've to write a daemon, which will log the actual traffic every few minutes
1170017436 M * daniel_hozac iptables shouldn't reset very often.
1170017451 M * daniel_hozac but yes, if you want to keep long-term statistics, that's required.
1170017503 M * me are any scripts available for this job?
1170017528 M * daniel_hozac ipac-ng and similar use iptables rules.
1170017758 M * me hmm, the iptables command don't display me anything
1170017763 J * duckx ~Duck@tox.dyndns.org
1170017796 M * me it's normal, that, after I added a vserver, the eth interface gone away on the host system?
1170017832 M * daniel_hozac the one you assigned to the guest? yes.
1170017839 M * daniel_hozac when the guest is stopped, the interface is removed
1170017852 M * daniel_hozac when it's started, the interface is brought up with it.
1170017886 M * me the guest is started but I can't see the interface (eth0:1) at ifconfig -a
1170017921 M * daniel_hozac did you set the name to 1?
1170017941 M * daniel_hozac i.e. did you --interface look like 1=eth0:/?
1170017952 M * daniel_hozac otherwise you're going to have to use ip addr instead.
1170017957 M * daniel_hozac (from iproute2)
1170017980 M * me I took as interface eth0, because the vserver couldn't start with eth0:1
1170017990 M * me I'm using the vserver util from debian
1170017998 M * daniel_hozac oh, so you're using newvserver?
1170018009 M * me yes
1170018015 M * daniel_hozac well, i have no idea how that works.
1170018148 M * me it seems to remove the interface from the hostmachine that I've added to the guest system
1170018209 M * daniel_hozac no.
1170018225 M * daniel_hozac most likely you just didn't use the correct options, so ifconfig can't show it anymore.
1170018231 M * daniel_hozac as i said, try ip addr instead.
1170018270 M * me instead of eth0 for example?
1170018333 M * daniel_hozac what?
1170018403 M * me I created the server with: newvserver --vsroot /var/lib/vservers/ --hostname vs001 --domain vs001.de --ip 123.123.123.123/24 --dist etch --mirror http://ftp.de.debian.org/debian --interface eth0
1170018431 M * me I think you meant, that I have to change --interface eth0 to --interface 123.123.123.123
1170018457 M * daniel_hozac well, as i said, i don't know how newvserver works.
1170018469 Q * Aiken Quit: Leaving
1170018493 M * daniel_hozac with vserver ... build, you'd use --interface 1=eth0:123.123.123.123/24 rather than eth0:123.123.123.123/24.
1170018907 J * Aiken ~james@ppp108-217.lns2.bne4.internode.on.net
1170019209 M * me daniel_hozac, I think I will use the /proc/virtual/*/cacct iface for that, I'm thanking you for your very good help for me :)
1170019234 M * daniel_hozac you're welcome!
1170019336 M * me :) thanks
1170020005 Q * phreak`` Quit: leaving
1170020006 J * niol ~niol@sousmonlit.dyndns.org
1170020016 J * phreak`` ~phreak``@deimos.barfoo.org
1170020255 M * niol hi again, just for the record, I narrowed a bit more my python slowness : for some strange reason, Python os.sysconf('SC_OPEN_MAX') returns 1048576 in cgi instead of 1024, and as popenX tries to close all file descriptors, it takes some time
1170020273 M * daniel_hozac hehe.
1170020277 N * Bertl_zZ Bertl
1170020280 M * Bertl morning!
1170020287 M * daniel_hozac that's probably ulimit related.
1170020292 M * daniel_hozac morning(?) Bertl!
1170020310 M * niol morning ;)
1170020717 M * Bertl so you can improve python performance by lowering the file limits?
1170020919 M * daniel_hozac for popen, i guess so...
1170021100 M * niol in python Lib/popen2.py, there is something that says : for every possible fd, try to close it
1170021175 M * daniel_hozac if httpd doesn't try to raise the limits on its own, you could try adding ulimit -HS -n 1024 to the initscript.
1170021185 M * niol there is a post on the python ml related to that, http://mail.python.org/pipermail/python-list/2006-November/414971.html
1170021247 M * niol daniel_hozac: I think it is httpd, because the behavior only occurs when running as cgi
1170021316 M * daniel_hozac well, pam will usually set some limits.
1170021496 M * attila_ hmm
1170021507 M * attila_ how do i make a lo interface in a vserver
1170021567 Q * bonbons Quit: Leaving
1170021594 M * Bertl attila_: not at all, it's already there, just not shown
1170021622 M * attila_ [root@shared ~]# ping 127.0.0.1
1170021622 M * attila_ PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
1170021622 M * attila_ --- 127.0.0.1 ping statistics ---
1170021622 M * attila_ 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
1170021640 M * Bertl don't ping 127.0.0.1, ping the guest ip
1170021660 M * Bertl btw, ping is one of the worst tools to check anything ip related
1170021673 M * niol attila_: some people use dummy interfaces and reducing the local network mask
1170021673 M * Bertl as it works on the icmp layer
1170021705 M * Bertl niol: not a good idea at all, using 2.3.x with a mapped ip is an option though
1170021713 M * attila_ i know the guest ip works
1170021733 M * attila_ but i need the local ip for certain stuff like using mysql over tcp
1170022040 M * Bertl which will work fine
1170022063 M * Bertl as I said, ping is one of the worst choices to verify that :)
1170022237 J * crazy_penguin ~Unknown@86.105.69.248
1170022337 M * Bertl welcome crazy_penguin!
1170022417 Q * me Remote host closed the connection
1170022933 M * Guy- wow. the packaged debian vserver kernel panics all over the place.
1170022952 M * Bertl 2.6.18-3?
1170022957 M * Guy- yes
1170022960 M * Guy- on amd64
1170022966 M * Bertl well, don't use it, get a newer one :)
1170023012 M * mugwump and don't forget to put a "me too" on the debian bugs report
1170023014 J * EvilDI ~Snake@BSN-77-83-28.dsl.siol.net
1170023027 M * Bertl welcome EvilDI!
1170023032 M * Guy- Bertl: that's what I'm doing, I was just surprised :)
1170023046 M * EvilDI hi, how can i set CPU and memory limit for vserver ?
1170023051 M * Bertl Guy-: yeah, no idea why they do not 'officially' fix it
1170023094 M * Bertl EvilDI: http://linux-vserver.org/Documentation
1170023110 M * Bertl (CPU scheduler, Resource Limits/Memory Limits)
1170023228 M * EvilDI yes i found but for CPU doesn't show where to write in configuration
1170023232 M * EvilDI or i am blind
1170023274 M * Bertl check the section 'Configuration' for that
1170023343 M * Bertl although recent tools changed that a little, by breaking up the one file scheduler entry into several
1170023351 M * Bertl (i.e. 0.30.213+)
1170023379 M * Bertl daniel_hozac: is there a description of the new scheduler config somewhere on the wiki?
1170023411 M * EvilDI am i am having problem, where do i put CPU limit ?
1170023420 M * EvilDI still didn't find any file
1170023454 M * Bertl there is no CPU _limit_, as it would just limit your guest with, let's say 2 seconds of execution time, which is probably not what you want
1170023474 M * Bertl what you want is to do some kind of rate limiting for the CPU
1170023486 M * Bertl which is, what the Token Bucket Scheduler does
1170023521 M * Bertl or do you really want a CPU limit? e.g. 5 seconds, then the guest is killed off?
1170023547 M * EvilDI no i want that for example user can use only 20 % of pc
1170023562 M * Bertl see, that's what the cpu TB scheduler is for
1170023572 M * Bertl the config files are either:
1170023581 M * Bertl /etc/vservers/vserver-name
1170023590 M * Bertl /schedule
1170023601 M * Bertl or, with very recent tools:
1170023627 M * Bertl /schedule/{rate,interval,tokens_min,tokens_max ...}
1170023642 M * Bertl ah, no, there is a cpu subdir too
1170023685 M * Bertl 23:33 mount: permission denied
1170023685 M * Bertl 23:33 W: Failure trying to run: chroot
1170023694 M * EvilDI yes why
1170023704 M * EvilDI i get this when installing vserver
1170023706 M * Bertl looks like you are missing the required permissions for mount
1170023716 M * EvilDI how i am root
1170023724 M * Bertl which sounds strange, do you use a vanilla vserver patch or with grsec or so=
1170023728 M * Bertl s/=/?
1170023733 M * EvilDI yes i do
1170023740 M * EvilDI i think that i enable mount disable
1170023745 M * EvilDI dhem
1170023867 M * EvilDI how do i delete this vserver
1170023881 M * Bertl vserver - delete (IIRC)
1170023883 M * EvilDI or how do i continue installation of vserver?
1170023897 M * Bertl vserver --force or so (check out the help)
1170023910 M * Bertl vserver --help and vserver - build --help
1170024017 M * Guy- where is the rc8.7 patch? is it the rc8 linked from the wiki?
1170024020 M * EvilDI am vserver delete name_of_vserver will delete vserver
1170024161 M * Bertl Guy-: I'll upload an rc9 soon
1170024180 M * Bertl http://vserver.13thfloor.at/Experimental/
1170024192 M * Bertl (this is where all the new patches end up atm)
1170024198 M * Guy- OK, noted
1170024267 M * Guy- how will rc9 be better than rc8? :)
1170024288 M * Bertl it will be rc8.7 with minor cleanups I guess
1170024299 M * Bertl rc8.7 has some fixes over rc8
1170024340 M * niol I cannot understand why rlimit nofile is different in a cgi in a guest, but that'll be all for today, see you guys
1170024342 M * Guy- then I'll stick with rc8.7 for the moment
1170024388 M * Bertl niol: the rlimits are tricky
1170024394 M * Bertl niol: want some explanation?
1170024464 M * niol i think i understood the purpose of /etc/security/limits.conf
1170024492 M * Bertl the important thing for rlimits/ulimits is that there are several dimensions
1170024510 M * Bertl first, there are the 'genuine' rlimits (usually called ulimits)
1170024521 M * Bertl they come in two flavors, hard and soft
1170024605 M * Bertl and they can be changed at any time, depending on the permissions
1170024627 M * Bertl i.e. if you have the necessary capability, you can raise them, if not, you can only lower them
1170024688 M * Guy- do I want CONFIG_CC_STACKPROTECTOR?
1170024718 M * Guy- panicking because of a buffer overflow doesn't sound like such a terribly smart idea to me
1170024725 M * niol thanks for the explanation, but I don't understand what could make apache2 set them higher in a guest than on the host
1170024790 M * niol (perhaps it is unlimited on the host, then apache2 sets them to a default value, and on the guest, they are somewhat limited but at a high value, and apache keeps that value)
1170024803 M * Bertl in addition to that, we have rlimits per context
1170024823 M * Bertl which impose an upper limit (hard and soft) for the guest
1170024887 M * Bertl so, one test you can do is to become root in your guest, and change the hard limit to something
1170024908 M * Bertl it will only be restricted by your guest capabilities and the context limits
1170024934 M * daniel_hozac Guy-: you think it's better to overwrite whatever's after the buffer?
1170024943 M * daniel_hozac Guy-: possibly leading to a compromise?
1170024981 M * Bertl niol: now it should also be noted that the ulimits are on a per process basis, so they can be set individually for each process/user
1170025015 M * Bertl and this is typically done via pam nowadays (*sigh* :)
1170025184 M * niol ok i'll look into that, for now i need to go, thanks for everything
1170025188 M * Guy- daniel_hozac: well, the ability to make the box panic is pretty much a DoS in itself, even if the exploit code wouldn't actually work
1170025212 M * daniel_hozac Guy-: sure, but at least the box isn't compromised and there's no need to reinstall...
1170025234 Q * niol Quit: leaving
1170025235 M * Guy- daniel_hozac: make that reload from backups
1170025270 M * Guy- daniel_hozac: but I seem to recall this stack protector used to cause problems in util-vserver; is that no longer the case?
1170025296 M * daniel_hozac in dietlic.
1170025302 M * daniel_hozac s/dietlic/dietlibc/
1170025338 M * Guy- yes, you're right, it was dietlibc
1170025363 M * daniel_hozac doesn't really matter for the kernel though...
1170025426 M * Guy- do you think it's safe to enable?
1170025445 M * Guy- I'm more worried about functionality than security in this case
1170025464 M * daniel_hozac as i recall, the dietlibc problem wasn't with the compiler option.
1170025476 M * daniel_hozac it was with the supporting code required to use it.
1170025748 Q * dna_ Quit: Verlassend
1170026324 Q * duckx Remote host closed the connection
1170026570 Q * sannes Ping timeout: 480 seconds
1170026678 M * Bertl hmm, here is something new ...
1170026718 M * Bertl http://paste.linux-vserver.org/972
1170026773 M * daniel_hozac interesting.
1170026783 M * Bertl btw, is it just me, or is our pastebin famous now?
1170026790 M * daniel_hozac it seems so.
1170026797 M * daniel_hozac all the spam bots are using it, that's for sure.
1170026823 M * daniel_hozac (should try to block those?)
1170026835 M * daniel_hozac +we
1170026869 M * Bertl yeah, we probably should do something about that sooner or later
1170026880 M * Guy- I guess blocking anything that starts with '