1170201668 Q * Aiken Ping timeout: 480 seconds
1170201879 J * ensc ~irc-ensc@p54B4E118.dip.t-dialin.net
1170201931 Q * duckx Remote host closed the connection
1170201936 Q * DreamerC Ping timeout: 480 seconds
1170202026 J * Hurga nobody@p508A8516.dip0.t-ipconnect.de
1170202038 M * Hurga Hi.
1170202755 Q * shuri Quit: BitchX: Little. Yellow. Better.
1170202808 J * Aiken ~james@ppp220-70.lns2.bne1.internode.on.net
1170203362 M * Bertl hey Hurga!
1170203371 M * Hurga Hiya.
1170203693 J * comfrey ~comfrey@70.91.185.84
1170203801 Q * comfrey_1 Ping timeout: 480 seconds
1170205353 Q * gerrit Ping timeout: 480 seconds
1170205853 N * Piet_ Piet
1170206381 J * Aiken_ ~james@ppp220-70.lns2.bne1.internode.on.net
1170206698 Q * Aiken Ping timeout: 480 seconds
1170208187 Q * Hurga Remote host closed the connection
1170208556 J * _dmax ~semaj@81.193.56.96
1170208901 Q * dmax Ping timeout: 480 seconds
1170208902 N * _dmax dmax
1170209097 Q * Piet Quit: Piet
1170209728 Q * s0undt3ch Ping timeout: 480 seconds
1170209764 J * s0undt3ch ~s0undt3ch@80.69.34.154
1170209811 J * DreamerC ~dreamerc@125-225-97-49.dynamic.hinet.net
1170210005 Q * nox Ping timeout: 480 seconds
1170210339 J * nox ~nox@static.88-198-17-175.clients.your-server.de
1170210428 J * gerrit ~gerrit@c-67-160-146-170.hsd1.or.comcast.net
1170216029 N * shu_school Shuri
1170216030 M * Shuri re
1170216203 M * Shuri any Work for me Bertl?
1170216337 M * Bertl not yet, but thanks for asking ...
1170216364 M * Bertl guess I'm off to bed now ... have a good one everyone!
1170216371 N * Bertl Bertl_zZ
1170216533 Q * Shuri Remote host closed the connection
1170216633 Q * brcc Ping timeout: 480 seconds
1170217085 J * ebiederm ~eric@ebiederm.dsl.xmission.com
1170222103 Q * Aiken_ Quit: Leaving
1170223539 J * brcc bruce@i.am.someasshole.com
1170224495 J * Aiken ~james@ppp220-70.lns2.bne1.internode.on.net
1170224683 Q * hallyn Ping timeout: 480 seconds
1170225050 Q * hardwire Ping timeout: 480 seconds
1170225117 J * hardwire ~hardwire@rdbck-2157.palmer.mtaonline.net
1170226018 J * hardwire` ~hardwire@rdbck-4746.wasilla.mtaonline.net
1170226138 Q * hardwire Ping timeout: 480 seconds
1170226823 Q * mountie Server closed connection
1170226829 J * mountie ~mountie@CPE0080c6fe323f-CM000a739acaa4.cpe.net.cable.rogers.com
1170227908 Q * cdrx Ping timeout: 480 seconds
1170228349 Q * blizz Server closed connection
1170228350 J * blizz ~blizz@evilhackerdu.de
1170228377 J * mEDI_S ~medi@snipah.com
1170229057 M * mEDI_S hi, i have a problem with a host system from my. grep INET: /proc/virtual/$ID/cacct say
1170229060 M * mEDI_S INET: 2650779/797650581 1737423/18446744071716017559 13272/90223611
1170229079 M * mEDI_S the real traffic from the server is RX bytes:2520276210 (2.3 GiB) TX bytes:13828841160 (12.8 GiB)
1170229121 M * mEDI_S 18446744071716017559 is a little bit extreme so think i this is a bug or misconfiguration
1170229129 J * gab ~gab@158.36.45.236
1170229171 M * mEDI_S it is a 2.6.19.2-vs2.2.0-rc8-amd64-smp #1 SMP AMD_64bit debian etch system
1170229182 M * mEDI_S have any ppl a idea?
1170229367 M * mEDI_S or UNIX: 53826801/18446744072005881628 35134372/18446744072005817372 23/189696
1170229421 M * mEDI_S Type recv #/bytes send #/bytes fail #/bytes
1170231340 Q * nox Ping timeout: 480 seconds
1170231505 J * nox ~nox@static.88-198-17-175.clients.your-server.de
1170231523 J * cdrx ~legoater@blueice2n1.uk.ibm.com
1170231633 Q * waldi Server closed connection
1170231637 J * waldi ~waldi@bblank.thinkmo.de
1170232341 Q * MrX Ping timeout: 480 seconds
1170232577 J * MrX ~chaos@179.13.95.219.kmr01-home.tm.net.my
1170233373 Q * notasnark Server closed connection
1170233517 Q * Hollow Server closed connection
1170233537 J * Hollow ~hollow@styx.xnull.de
1170233844 J * dna ~naucki@78-232-dsl.kielnet.net
1170234878 J * bronson ~bronson@adsl-75-36-145-166.dsl.pltn13.sbcglobal.net
1170235623 Q * mcp Server closed connection
1170235654 J * mcp ~hightower@wolk-project.de
1170235786 J * id23 ~id@p50810991.dip0.t-ipconnect.de
1170235792 M * id23 greetings
1170235795 M * id23 #vserver
1170235904 M * eyck a oh well, greetings.
1170236057 Q * TrueBrain Server closed connection
1170236070 J * TrueBrain truelight@openttd.org
1170236149 J * meandtheshell ~markus@85-124-206-223.dynamic.xdsl-line.inode.at
1170236240 M * renihs welcome id23
1170237096 M * matti Morning :)
1170237380 J * ciphergoth ~paul@host226.lshift.net
1170237544 M * ciphergoth Vservers can share files to reduce disk usage. Is there a way of "cheaply" copying a vserver so that all the files are shared?
1170237796 M * daniel_hozac vserver ... build -m clone (from util-vserver 0.30.213-pre4+) will do that in a secure way.
1170237807 M * daniel_hozac (meaning: all non-unified files will be copied)
1170237865 M * ciphergoth daniel_hozac: how does unification work? The filesystems the vservers use look like normal filesystems - is it just hard linking?
1170237890 M * daniel_hozac yes, but the links are made immutable but unlinkable.
1170237913 M * ciphergoth with attributes?
1170238155 M * daniel_hozac right.
1170238268 M * ciphergoth that doesn't seem to be any of the acdijsuADST options chattr offers me...
1170238352 M * daniel_hozac nope.
1170238374 M * daniel_hozac the inverted unlink is added by Linux-VServer
1170238385 M * ciphergoth it's a special file attribute added by ... aha, thanks!
1170238386 M * daniel_hozac use setattr/showattr from util-vserver to set/see them.
1170238529 M * ciphergoth gosh
1170238701 J * DDoSad foobear@193.30.161.200
1170238711 M * DDoSad hey everybody a tiny question
1170238717 N * DDoSad bavi
1170238727 M * bavi anyone around ? (bretl isnt :( )
1170238737 M * daniel_hozac maybe.
1170238743 M * ciphergoth right, there seems to be no documentation in the wiki about these attributes
1170238758 M * ciphergoth so I have started this page: http://linux-vserver.org/Attr
1170238758 M * daniel_hozac there is in the Paper, IIRC.
1170238761 M * ciphergoth aha
1170238763 M * bavi server 0.30.210 - when i issue a vserver $server start
1170238780 M * bavi it seems to be starting and then shuts down
1170238786 M * daniel_hozac http://linux-vserver.org/Paper#Unification
1170238789 M * ciphergoth got it
1170238805 M * bavi automatically it seems like there are old restarts waiting to happen
1170238818 M * bavi daniel can you plz help me on this ?
1170238867 M * daniel_hozac bavi: not without more info, and i have to run, sorry. try changing your initscripts to use bash -x to let you see what happens.
1170238880 M * ciphergoth daniel_hozac: I just read that but it doesn't document the new options
1170238882 M * bavi inside the vserver?
1170238981 M * bavi anyone please?
1170239003 M * ciphergoth sorry I have no idea!
1170239200 Q * cdrx Quit: Leaving
1170239677 J * duckx ~Duck@tox.dyndns.org
1170239715 M * daniel_hozac ciphergoth: it should probably go on http://linux-vserver.org/index.php?title=Filesystem_Attributes&action=edit
1170239724 M * daniel_hozac bavi: yes, of course inside.
1170239821 M * ciphergoth http://linux-vserver.org/Filesystem_attributes
1170239993 Q * HobGoblin Server closed connection
1170240005 J * UukGoblin ~jaaa@sr-fw1.router.uk.clara.net
1170240041 Q * doener_ Server closed connection
1170240047 J * doener ~doener@host.magicwars.de
1170240845 Q * bronson Remote host closed the connection
1170240904 M * ciphergoth while a vserver is stopped, can I just add files to the vserver's filesystem?
1170242249 Q * _cob Server closed connection
1170242259 J * _cob ~cob@pc-csa01.science.uva.nl
1170242393 Q * sladen Server closed connection
1170242400 J * sladen paul@starsky.19inch.net
1170243007 M * ciphergoth anyone built a fedora guest on a debian host? What do I need to do?
1170243380 Q * weasel Quit: Reconnecting
1170243388 J * weasel weasel@asteria.debian.or.at
1170243788 J * lilalinux ~plasma@dslb-084-058-197-178.pools.arcor-ip.net
1170244275 M * ciphergoth where is the documentation for the "vserver ... build" command? The page on Fedora suggests I run the command
1170244277 M * ciphergoth server gast build -m yum --context 42 --hostname=gast.example --interface gast0=eth0:192.168.0.1/24 -- -d fc5
1170244292 M * ciphergoth but where can I find out what the -m, -context, -d options do?
1170244468 M * ciphergoth mountie: mount point /etc/rpm does not exist
1170246249 M * PowerKe context is the context number. Doesn't have a meaning and should be in the range 2-48000 (actually 49 thousand something)
1170246301 M * PowerKe You could use the last number of the IP address as context number, that way it's easy to remember if you ever want to do something with the context number
1170246437 J * yang ~yang@yang.sponsor.oftc.net
1170246649 J * shedi ~siggi@v10-222-142.lhi.is
1170248926 N * Bertl_zZ Bertl
1170248931 M * Bertl morning folks!
1170248978 M * Bertl ciphergoth: you should get a nice help with 'vserver - build --help'
1170249013 J * kevinp ~kevinp@ny.webpipe.net
1170249022 M * Bertl welcome kevinp! LTNS!
1170249055 M * kevinp thanks! checking on latest versions before I do an upgrade this time :)
1170249075 M * Bertl ciphergoth: also check out: http://oldwiki.linux-vserver.org/alpha+util-vserver
1170249090 M * kevinp any known problems with 2.2.0-rc8?
1170249125 M * Bertl yes, that's why there is rc8.7 :)
1170249162 M * kevinp I need to learn to read ;)
1170249323 M * kevinp Why doesn't this mirror the current patches? http://ftp.linux-vserver.org/pub/kernel/vs2.2/testing/
1170249426 M * Bertl I'd say because folks are lazy
1170249454 M * Bertl basically I still upload the new stuff to http://vserver.13thfloor.at/Experimental/
1170249517 M * Bertl but I guess, rc8 (which is due soon) will end up there too
1170249519 M * kevinp I'm just not sure why it's a manual thing, wouldn't it make since to just mirror your folders?
1170249521 M * Bertl *rc9
1170249529 M * kevinp s/since/sense/
1170249557 M * Bertl as I said, we are lazy when it comes to doing stuff besides coding, fixing and porting :)
1170249779 M * Bertl feel free to help us maintaining this stuff (and/or updating the wiki any time)
1170249810 M * kevinp right, we all are, which why I think adding a rsync line to a crontab is a lot easier than manually updating the wiki
1170249843 M * Bertl yes, problem probably is that the deltas would end up there too
1170249857 M * Bertl which might make it a little less useful ...
1170250009 M * kevinp simply adding an --include=patch or and --exclude=delta to the rsync would fix that
1170250051 M * Bertl yep, maybe we get around doing so ... will suggest it to daniel_hozac/Hollow
1170250074 M * kevinp ok, I'll let you know how the 8.7 goes
1170250122 M * Bertl okay, great! note: it is very likely that there will be an rc9 today
1170250233 M * Hollow Bertl, kevinp: exclude which patch from rsync?
1170250283 M * kevinp Hollow, we were just talking about making the wiki more up to date by running an rsync against Bertl's http://vserver.13thfloor.at/Experimental/
1170250305 M * Hollow and list the files?
1170250317 M * kevinp But since there is no need for all the deltas on the wiki, using the --include or --exclude options would help
1170250335 M * Hollow note: the version table is most of the time up to date
1170250340 M * kevinp as well as a copy to download
1170250353 M * Hollow you can find the copies at ftp.linux-vserver.org
1170250400 M * kevinp It seems like everytime I go to compile the latest version, ftp.linux-vserver.org doesn't have it and I end up going to 13thfloor
1170250440 M * kevinp and since it's a manual update, I just offered a possible solution with automation
1170250464 M * kevinp which would make it easier on everyone
1170250519 J * thunder1 ~thu@tor-irc.dnsbl.oftc.net
1170250533 M * Hollow well, Bertl could upload the patches directly to ftp.linux-vserver.org, then we wouldn't need any syncing
1170250559 M * Bertl which would require that I upload it twice
1170250666 M * Hollow Bertl: why not use the l-v.org space only? :)
1170250675 Q * shedi Quit: Leaving
1170250701 M * Bertl Hollow: because then I would have to upload the deltas too, which would make it useless, no?
1170250816 M * Bertl I mean, if that is what you want, a wget/rsync would work too :)
1170250829 M * Hollow tbh, i don't care ;)
1170250859 M * Hollow IMO the ftp is very up to date thanks to daniel_hozac
1170250872 M * Bertl yes, indeed ...
1170250876 M * Hollow but an rsync is ok as well..
1170251266 N * kevinp kevinp_away
1170251965 J * virtuoso_ ~s0t0na@shisha.spb.ru
1170252045 Q * virtuoso Read error: Connection reset by peer
1170252461 M * mEDI_S hi, i have a problem with a host system from me. grep INET: /proc/virtual/$ID/cacct say
1170252466 M * mEDI_S INET: 2650779/797650581 1737423/18446744071716017559 13272/90223611
1170252471 N * virtuoso_ virtuoso
1170252482 M * Bertl okay?
1170252482 M * mEDI_S 18446744071716017559 is a little bit extreme so i think this is a bug or misconfiguration
1170252491 M * mEDI_S have any ppl a idea?
1170252492 M * Bertl no, that is actually a wrap
1170252504 M * mEDI_S wrap?
1170252516 M * Bertl but nevertheless, it looks extreme ...
1170252524 M * Bertl sec
1170252530 M * mEDI_S or UNIX: 53826801/18446744072005881628 35134372/18446744072005817372 23/189696
1170252544 M * Bertl yes
1170252553 M * Bertl 18446744071716017559 = FFFFFFFF892D1597
1170252576 M * Bertl so what happened here is, that the counter (32 bit) wrapped around
1170252578 M * ciphergoth oops!
1170252603 M * mEDI_S its a amd64 system
1170252619 M * mEDI_S 2.6.19.2-vs2.2.0-rc8-amd64-smp
1170252620 M * ciphergoth anyone want a kernel oops? Where should I paste it? It starts "BUG: unable to handle kernel paging request at virtual address 0004ad41"
1170252633 M * ciphergoth it's on the host, with no guest running
1170252644 M * Bertl mEDI_S: which reminds me, that I should change the atomic counters to long atomics there :)
1170252647 M * harry cat: /usr/local/etc/vservers/luditdb/interfaces/0/dev: No such file or directory
1170252650 M * harry wtf????
1170252653 M * harry i have a nodev in that dir!
1170252653 Q * michal` Ping timeout: 480 seconds
1170252660 M * harry of course there is no dev file!
1170252666 M * Bertl ciphergoth: paste.linux-vserver.org please
1170252674 M * mEDI_S Bertl the problem is
1170252681 M * mEDI_S the real traffic from the server is RX bytes:2520276210 (2.3 GiB) TX bytes:13828841160 (12.8 GiB)
1170252693 M * Bertl harry: where do you have a 'nodev'?
1170252709 M * ciphergoth http://paste.linux-vserver.org/998
1170252726 M * Bertl mEDI_S: which sounds okay, no?
1170252733 M * Bertl ciphergoth: tx
1170252737 M * ciphergoth np
1170252765 M * harry /usr/local/etc/vservers/luditdb/interfaces/0/nodev
1170252767 M * ciphergoth that's me trying to get a fc6 running on an etch host
1170252774 M * ciphergoth fc6 guest I mean
1170252797 M * Bertl ciphergoth: np, just forget about the broken 2.6.18-3 debian kernel
1170252799 M * harry i really need to get that server up.. FAST
1170252804 M * Bertl ciphergoth: get the 2.6.18-4 or later
1170252808 M * harry why won't it take my nodev???
1170252809 M * ciphergoth ah
1170252810 M * ciphergoth oh
1170252819 M * Bertl harry: 'it' being?
1170252822 M * ciphergoth that's not in testing yet, is it?
1170252830 M * harry the start command
1170252833 M * harry what else
1170252836 M * Bertl ciphergoth: it's a known bug for .. hmm, more than a month now
1170252849 M * harry boromir:/usr/local/etc/vservers/luditdb/interfaces/0# vserver luditdb start
1170252850 M * harry cat: /usr/local/etc/vservers/luditdb/interfaces/0/dev: No such file or directory
1170252851 M * ciphergoth aha
1170252854 M * Bertl ciphergoth: so don't forget to add a 'me too' on the debian bug tracker ...
1170252891 M * ciphergoth what's the bug number?
1170252907 M * Bertl harry: what version (tools) and what is in that '0' dir besides nodev?
1170252916 J * cdrx ~legoater@cap31-3-82-227-199-249.fbx.proxad.net
1170252934 M * Bertl ciphergoth: sorry, no idea, but it should be easy to find ... shutdown causes oops or so
1170252941 M * Bertl welcome cdrx!
1170252955 M * harry 212
1170252962 M * harry Bertl: ip and prefix
1170252963 M * cdrx he, hi Bertl !
1170252971 J * michal` ~michal@www.rsbac.org
1170253021 M * Bertl ciphergoth: a quick google run said: Bug#404777: linux-image-vserver-686: oops when stopping a vserver
1170253036 M * Bertl (please double check)
1170253098 M * Bertl harry: that should be fine, please do a --debug run and upload that to paste.linux-vserver.org
1170253219 M * ciphergoth right, rebooting, bbiab
1170253221 Q * ciphergoth Quit: Client exiting
1170253313 M * mEDI_S Bertl: Yes ;) please change the atomic counters to long atomics heh collected and other stat tools use this ;/ an a graph with 60PB is not so ideal ;D
1170253325 J * hallyn ~xa@cpe-72-179-43-119.austin.res.rr.com
1170253345 M * Bertl mEDI_S: you should be able to work around that, by using a mask and/or counter size
1170253359 M * Bertl mEDI_S: things like rrd should cope with that
1170253374 M * Bertl mEDI_S: but yes, I will do that, no question
1170253396 M * mEDI_S na not per default the default limit is ehm
1170253467 M * mEDI_S 2^63-1
1170253470 M * mEDI_S ;D
1170253485 M * Bertl rrd docu says: RRDtool checks if the overflow happened at the 32bit or 64bit border and acts accordingly by adding an appropriate value to the result.
1170253492 M * mEDI_S u can i set up i know
1170253522 M * Bertl so imho that should be fine already, but masking it with 2^32-1 should be fine too
1170253533 M * Bertl (which will give you the 'real' 32bit counter
1170253566 M * Bertl OTOH, if you are interested in testing a true 64bit version, please let me know (should have a patch for that this evening)
1170253624 M * mEDI_S Bertl: query?
1170253657 M * Bertl np
1170253751 J * ciphergoth ~paul@host226.lshift.net
1170254355 M * harry Bertl: found the problem... was my fault, sry :)
1170254371 M * Bertl harry: np, what was it?
1170254402 M * hallyn daniel_hozac: sorry i apparently misplaced this window yesterday. i assume your question was about the task exit patches and is obsolete?
1170254446 M * Bertl hey hallyn! how's going?
1170254514 M * harry Bertl: i have a script that takes care of routing
1170254534 M * harry which does: IF=`cat $cfgdir/dev` and uses that for routing settings
1170254541 M * Bertl ah, i.c.
1170254542 M * harry but... there was no dev ==> fail ==> bleh
1170254552 M * harry was an "old-style" setup of me :)
1170254564 M * harry scripts/tools were new, configstyle old :)
1170254823 M * yang hi Bertl
1170254986 M * Bertl hey yang!
1170255036 M * harry auto eth2.95
1170255037 M * yang Bertl: sgi will be back online in a week time
1170255039 M * harry iface eth2.95 inet manual up ifconfig eth2.95 0.0.0.0 up
1170255041 M * harry whooops
1170255044 M * harry sry!
1170255065 M * Bertl :)
1170255075 M * yang Bertl: if you will manage to install the modified kernel
1170255091 M * Bertl okay, sounds cool!
1170255154 M * yang Bertl: do you know how i could avoid binding problems on one of my guests...I get the following error http://paste.debian.net/21114
1170255279 M * Bertl that's inside a guest?
1170255294 M * yang yes
1170255302 M * Bertl what does the 127.0.0.1 do there?
1170255323 M * yang I get the same error if i change it to a public IP
1170255372 M * Bertl maybe something is running there already? as it states?
1170255380 M * yang nothing on port 53
1170255388 M * Bertl try to run it with 'strace -fF ...'
1170255391 M * yang it's not visible with netstat -plont
1170255404 M * Bertl then upload the output to pastebin
1170255424 M * yang just strace -fF ?
1170255448 M * Bertl you can add -o out.trace to make life easier
1170255515 M * yang just typing "strace -fF -o out.trace" gives me the options menu
1170255532 M * Bertl strace -fF -o out.trace
1170255538 M * yang ah
1170255768 M * yang http://pastebin.ca/334343
1170255825 Q * meandtheshell Quit: Leaving.
1170255934 M * Bertl yang: hmm, try the paste.linux-vserver.org please, the ca one times out for me
1170256047 M * yang humm, there is no option for file upload
1170256056 M * yang can you reach paste.debian.net ?
1170256070 M * Bertl yep
1170256166 M * yang ok check the posting by yang on paste.debian.net
1170256241 M * yang i think it cut the half of it out
1170256246 M * Bertl hmm, looks like that ends prematurely ...
1170256261 M * yang i will resubmit
1170256291 M * Bertl just upload it somewhere I can reach it :)
1170256316 Q * Aiken Quit: Leaving
1170256555 M * yang http://217.172.183.86:11000/out.trace
1170256602 M * Bertl sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE
1170256614 M * Bertl so you have something running on port 53
1170256624 M * Bertl which kernel version is that?
1170256626 M * yang i have bind , but on root-server
1170256634 M * Bertl ah, unrestricted?
1170256664 M * hallyn Bertl: hey, going ok
1170256685 M * yang Bertl: you are right, it runs on all 4 IPS which are shared with VPS
1170256689 M * Bertl hallyn: btw, thanks for pushing the nsproxy stuff ...
1170256700 M * hallyn np
1170256710 M * yang Bertl: i will restrict it, maybe then the command will work
1170256719 M * Bertl for sure it will :)
1170256775 M * hallyn Bertl: i know you don't really have time to integrate the user namespace until it hits mainline, but i don't want it hitting mainline unless you think it will be useful to you. would you mind taking a quick look, and if you don't like it, nix it, and we can pull it out of -mm and start over?
1170256857 M * Bertl hmm, I don't think that it would be a big issue to integrate the user namespace, but I'd need a patch for 2.6.19.2, which is probably more an issue
1170256869 M * hallyn oh
1170256915 M * Bertl I have no problem to take a look at it though ... btw, I have some comments to existing interfaces/stuff which might be addressed sooner or later (but not much time for that atm)
1170256943 M * Bertl if you have some time to discuss them, I'd enjoy a chat ...
1170256987 M * yang Bertl: thank you, i solved it and it works now :)
1170256995 M * Bertl yang: excellent!
1170257122 M * hallyn Bertl: sure - since you're actually using the stuff i/d love to hear comments
1170257138 M * Bertl okay, got some time now?
1170257182 M * Guy- I'd like to add stuff to http://linux-vserver.org/Frequently_Asked_Questions
1170257191 M * Guy- is it OK to edit the page, or should I talk to derjohn?
1170257196 M * hallyn i've got about 30 mins
1170257212 M * derjohn Guy-, feel free to edit it !
1170257221 M * Guy- right
1170257227 M * Bertl hallyn: okay, that should be enough for a start ...
1170257242 M * derjohn Guy-, ppl begin to lart /me because i didnt find time to _sort_ the FAQs (which is my task ...).
1170257266 M * Bertl hallyn: one thing, I already mentioned on lkml is that we need a mix/merge in Linux-VServer for the enter stuff
1170257269 M * derjohn Guy-, keep in mind that those FAQ are _collected_ from numerous even outdated versions ....
1170257285 M * hallyn Bertl: I am working on that. did you see my posting last night of a container subsys?
1170257289 M * Bertl Guy-: means, some cleanup/sanity checks couldn't hurt
1170257297 M * hallyn Bertl: now you may hate the interface, in which case pls let me know
1170257300 M * Bertl hallyn: probably not yet ...
1170257321 M * derjohn Guy-, to Ob-Wans^W Bertl's word listen you should !
1170257324 M * Bertl hallyn: one detail of that mix/merge I'm fighting with right now is the following:
1170257346 M * Bertl hallyn: when a context is created, it has to have a 'default' nsproxy
1170257360 M * Guy- Bertl: I don't think I'm up to that; I'll just add a bit about hashify
1170257361 M * Bertl hallyn: this is first created as 'empty'
1170257396 M * Bertl hallyn: and once a process is instantiated, some of the spaces are 'copied' (set actually via mix/merge)
1170257412 M * Bertl hallyn: there is also an explicit syscall command to do so
1170257430 M * hallyn Bertl: you mean bind_ns, or one you added?
1170257463 M * Bertl with syscall command, I usually refer to some vserver syscall (sub-command)
1170257469 M * hallyn ok
1170257473 M * Bertl (otherwise I use syscall :)
1170257497 A * hallyn reckons he should look through the latest vserver patch
1170257516 M * Bertl the issue now is, that the null_proxy stuff requires special handling regarding reference counting :)
1170257536 M * Bertl so I'm already considering to drop the nsproxy for the context completely
1170257551 M * Bertl and replace it with a static struct containing the namespaces themselves
1170257577 M * hallyn ?
1170257582 M * Bertl this is partially induced by the fact that we have to handle the fs_struct separately anyways
1170257590 M * hallyn oh, you mean just for the processes in transition?
1170257603 M * Bertl (as it is not part of nsproxy yet, and it doesn't look like it is going to be ever ..)
1170257617 M * hallyn well moving the fsstruct into nsproxy still might be a good thing to do, depending on lifetime issues like the pid vs mntns puts we just had
1170257642 M * Bertl yes, and I think we should not do such special handling for tasks
1170257657 M * Bertl as it basically breaks the interfaces
1170257666 M * hallyn which special handling now?
1170257682 M * Bertl like with the mnt space to keep the broken nfs happy :)
1170257693 M * hallyn oh
1170257697 M * Bertl (which I still consider vfs space btw :)
1170257725 M * hallyn well if someone floated a patch to fix nfs, maybe trond would reconsider...
1170257747 M * Bertl I think nobody (except maybe trond) has an idea what the locking there actually does
1170257788 M * Bertl IMHO most of the nfs stuff is still working by accident :)
1170257812 M * hallyn well i don't have an idea - i just worked on the assumption it needs sighand and worked around that :)
1170257817 M * Bertl okay, to the things which bug me recently looking through the code ...
1170257830 M * Bertl +when
1170257843 M * Bertl first, we have a bunch of namespaces now, yes?
1170257849 M * hallyn yup
1170257876 M * Bertl why do they still have/need slightly different semantics regarding refcounting, creation and destruction?
1170257955 M * hallyn presumably because some things are pointed to by more than just nsproxies, but i'm not sure. what's a specific example?
1170257982 M * Bertl for example, ipc uses the kref stuff, and handles empty spaces for get, but not for put
1170258011 M * Bertl it has a free and a copy function
1170258025 M * Bertl mnt_ns OTOH,
1170258051 M * Bertl doesn't take empty ns on get, or put
1170258068 M * Bertl but on the 'new' exit_mnt_ns :)
1170258089 M * Bertl there is also a dup_mnt_ns() :)
1170258128 M * Guy- derjohn: I committed the page; feel free to flame/edit/censor :)
1170258145 M * hallyn i suspect no one dares touch mntns stuff since it's al's code
1170258178 M * Bertl well, maybe we should start kicking Al then to fix it up :)
1170258193 M * Bertl or just break it and wait what happens ...
1170258194 M * hallyn or come up with a proper api for all namespaces
1170258197 M * hallyn yeah
1170258214 M * hallyn dictate that they all must accept and ignore NULL, decide whether to use kref or not,
1170258225 M * Bertl I thought about writing a long list of the special cases
1170258241 M * Bertl but I ended up doing the if (ns) ... stuff for all of them
1170258245 M * hallyn doing something about that would likely be considered a very worthy cleanup
1170258252 M * cdrx Bertl, hallyn, we've been starting cleanup
1170258255 M * derjohn Guy-, thx for adding !
1170258261 M * hallyn cdrx: really?
1170258274 M * cdrx but not in ipc yet
1170258291 M * Bertl AFAIKT, the interfaces we (Linux-VServer) would expect are:
1170258303 M * Bertl - get/put/copy for each namespace
1170258307 M * cdrx yep
1170258311 M * Guy- derjohn: np
1170258314 M * Bertl (put takes care of free :)
1170258326 M * cdrx what do you mean ?
1170258348 M * Bertl cdrx: i.e. not like the special put we had for nsproxy recently :)
1170258371 M * cdrx yes ...
1170258390 J * dlezcano ~dlezcano@AToulouse-252-1-23-54.w82-125.abo.wanadoo.fr
1170258391 M * cdrx so among the current ns which is the one matching
1170258393 M * hallyn cdrx: do *you* understand the nfs server code? do you know offhand how we'd fix it to handle NULL sighand?
1170258398 M * Bertl - get/put/copy/create/mix for nsproxy
1170258424 M * Bertl hallyn: the trivial solution would be to not do the locking with sighand
1170258430 M * cdrx yes
1170258443 M * Bertl hallyn: either by not doing it at all, or by using a task style lock
1170258463 M * cdrx nfs are private ground honestly
1170258463 M * hallyn presumably it needs to also be locked wrt to signals and that's why it does it?
1170258469 M * Bertl hallyn: but as I said, it might or might not break stuff there :)
1170258490 M * hallyn Ok - I'm just not happy about having to rip pid namespace out of nsproxy
1170258528 M * Bertl btw, a few 'rules' I consider essential for the nsproxy
1170258547 M * Bertl (at least as they are implemented now, they should)
1170258560 M * Bertl - be considered constant for the entire lifetime
1170258588 M * Bertl - be copied and modified before referenced, in a pseudo atomic way
1170258604 M * Bertl - disposed when not referenced anymore
1170258620 M * Bertl and they probably should make use of a slab ...
1170258620 M * cdrx i think this is what we have
1170258631 M * cdrx a cache ?
1170258640 M * Bertl yep
1170258643 M * hallyn make use of a slab - do you think we'll be getting that many unshares?
1170258665 M * hallyn other than using a slab, which of those do we not currently do?
1170258674 M * Bertl let me put it this way, we already see about 4 unshares per guest start/enter
1170258717 M * Bertl granted that can be reduced with a proper optimization in the kernel
1170258724 M * hallyn Ah, yes, I guess entering could tax the kmallocs...
1170258799 M * hallyn if doing a "for each v in `cat /etc/vservers`; do enter vserver cat /etc/resolv.conf; done or something
1170258815 M * Bertl cdrx: yep
1170258832 M * Bertl hmm, hallyn: yep :)
1170258841 M * cdrx :)
1170258845 M * Bertl and that is not too unusual ...
1170258857 M * Bertl some folks have a stat collector running like this
1170258868 M * Bertl (which is not very efficient, but hey :)
1170258899 M * Bertl also, for the time being, I would suggest to add something like this:
1170258960 M * Bertl http://vserver.13thfloor.at/Stuff/delta-nscheck.diff
1170258984 M * Bertl to verify that we do not leak spaces or proxies
1170259022 M * Bertl I'm currently looking for a proxy leak in my code (or in mainline?) not sure yet :)
1170259120 M * cdrx Bertl, (just to make sure) nsproxy is actually a useful object but you like the namespaces and nsproxy to have a consistent interfaces
1170259180 M * Bertl I think we can live with nsproxy, but it will get a much shorter lifetime in Linux-VServer than in mainline
1170259207 M * hallyn do you mean a lifetime in terms of refcounting, or you mean you're going to rip it out soon?
1170259208 M * cdrx could you live without ?
1170259209 M * Bertl so it should be a) simple to use, b) reasonably fast, c) avoid memory fragmentation
1170259212 M * hallyn ok
1170259232 M * Bertl cdrx: I could and did live without, by referencing the namespaces individually
1170259262 M * Bertl cdrx: there is no point in 'sharing' the nsproxy from the context struct with the tasks
1170259263 M * cdrx because putting all the namespace in the task_struct is also a solution
1170259292 M * Bertl yes, but I agree that the tasks (and more important) threads inside a guest will probably share the proxy
1170259318 M * Bertl it's basically a tradeoff between indirection and memory overhead for struct task
1170259342 M * cdrx yes it saves some space in the task_struct but also brings a lot of trouble when tasks exit
1170259343 M * hallyn Bertl: gotta go, thanks, we'll look at some of this
1170259343 M * Bertl in one extreme case, where we have one task per guest
1170259353 M * Bertl hallyn: thanks for your time!
1170259387 M * cdrx thanks Bertl
1170259389 M * Bertl cdrx: honestly, I would be perfectly fine with having all the spaces in the task struct
1170259415 M * cdrx i've been thinking about that
1170259445 M * cdrx it would make our life easier and remove an indirection (CPU cache)
1170259455 M * cdrx got to go also :)
1170259462 M * cdrx thanks ! Bertl
1170259481 M * Bertl you're welcome! cya!
1170259672 M * Guy- is there a feature matrix that includes vs2.3 somewhere?
1170259763 M * cdrx BTW, hallyn, Bertl, we could fix ->sighand in NFS by taking a ref count on it before sleeping. but that's hacky and the issue is more around doing exit_task_namespace after exit_notify (which invalidates the task)
1170259977 M * Bertl yes
1170260022 J * chris_ ~chris@e179194016.adsl.alicedsl.de
1170260163 M * chris_ hi, are the vserver patches not pgp signed?
1170260176 M * Bertl yes
1170260202 M * chris_ yes they are not? ;)
1170260207 M * Bertl yes :)
1170260216 M * chris_ ok, why that?
1170260218 M * Bertl only the 'final' releases on 13thfloor are
1170260231 M * Bertl (which are outdated atm)
1170260250 M * Bertl chris_: it is mostly because of my development process
1170260269 M * chris_ oh ok thanks i see
1170260288 M * Bertl but if you need a signature for a specific patch, just ask me
1170260543 M * chris_ ok thanks, maybe you have one for this?
1170260546 M * chris_ http://people.linux-vserver.org/~harry/patch-2.6.17.14-vs2.0.2.1-grsec2.1.9.diff
1170260569 M * Bertl nope, this is a patch from harry, you have to ask him
1170260656 M * chris_ ah right, the grsecurity patch isnt integrated in the official 2.6 release or?
1170260681 M * daniel_hozac no.
1170260717 M * Bertl but if folks start bugging michal`, pax or some derivative could soon be :)
1170260868 Q * ensc Ping timeout: 480 seconds
1170260902 M * chris_ ok lets hope :)
1170260906 Q * chris_ Quit: leaving
1170261435 J * bronson ~bronson@adsl-75-36-145-166.dsl.pltn13.sbcglobal.net
1170261446 M * Bertl welcome bronson!
1170261460 M * bronson good morning Bertl
1170261524 J * ensc ~irc-ensc@p54B4E118.dip.t-dialin.net
1170261535 M * id23 hi ensc - hi Belu
1170261539 M * id23 Bertl, ;)
1170261557 Q * bavi
1170261563 M * Bertl hey id23! how's going?
1170261577 M * id23 fine - i solved all the problems
1170261584 M * id23 currently i am just happy :)
1170261597 M * Bertl world peace? end of worldwide hunger?
1170261613 M * id23 hehe - this are my long term tasks
1170261619 M * id23 still time till 2012 ;)
1170262219 M * harry i could make you a md5 for it if you want
1170262231 M * harry but, you're gone, chris :)
1170262360 M * daniel_hozac Bertl: btw, the only reason i didn't upload rc8.7 is because i thought of it more as current-tree, than another rc.
1170262377 M * Bertl daniel_hozac: and you are right on that
1170262407 M * Bertl didn't expect it to last that long myself ...
1170262423 M * daniel_hozac Bertl: you've already reverted hallyn's fix from your tree?
1170262447 M * Bertl no, I worked around it
1170262454 M * daniel_hozac oh, ok.
1170262474 M * Bertl I'm currently searching for an nsproxy leakage
1170262488 M * Bertl want to join?
1170262494 M * daniel_hozac yeah, i saw the discussion from earlier today.
1170262498 M * daniel_hozac sure...
1170262510 M * Bertl let me upload the current state then ...
1170262698 M * Bertl hmm, my devel system is getting unreasonably slow recently .. guess I have to reboot/cleanup soon
1170262722 M * Bertl the script doing the diff between two hardlinked kernel releases takes about 3 minutes now
1170262817 M * Bertl http://vserver.13thfloor.at/Experimental/patch-2.6.19.2-vs2.2.0-rc8.10_do_not_use.diff
1170262906 M * Bertl chcontext --xid 100 -- true (is a good test)
1170262920 M * daniel_hozac hehe, nice name :)
1170262924 M * Bertl /proc/virtual/status will show the refcount
1170262933 M * daniel_hozac +xid/?
1170262959 M * Bertl or was it stat? no the toplevel one
1170262969 M * daniel_hozac it's status, or info.
1170262989 M * Bertl okay, wasn't that what I said?
1170263042 M * daniel_hozac yep :)
1170263273 M * Bertl from the logs I get, it seems like the task is holding one reference too many to the nsproxy, right after enter
1170263303 M * Bertl or at least that reference is not dropped on task exit
1170263396 J * bonbons ~bonbons@83.222.37.103
1170263406 M * Bertl welcome bonbons!
1170263417 M * bonbons Hey Bertl!
1170263910 J * crazy_penguin ~Unknown@86.105.69.248
1170263927 M * Bertl welcome crazy_penguin!
1170263942 M * crazy_penguin hello Bertl
1170263949 M * crazy_penguin how are you?
1170263991 M * Bertl fine, thanks, and you?
1170264003 M * crazy_penguin i'm angry
1170264034 M * crazy_penguin i made a lame mistake and because of it i littered the outside network
1170264050 M * crazy_penguin if i can say litter (i hope is right)
1170264063 M * Bertl hmm, such things happen ...
1170264087 M * crazy_penguin yes
1170264094 M * crazy_penguin but this was pure stupidity
1170264143 Q * id23 Ping timeout: 480 seconds
1170264151 M * crazy_penguin i shut down the dns server and i forgot to update the host file so that the few hosts that i use for maintenance will resolve properly
1170264172 M * Bertl well, your nick says 'crazy' no? :)
1170264176 M * crazy_penguin so instead they started querying the ips's dns server
1170264178 M * crazy_penguin yes
1170264182 M * crazy_penguin you're right
1170264188 M * crazy_penguin i'm plain crazy
1170264728 J * id23 ~id@p50814034.dip0.t-ipconnect.de
1170264822 J * Piet hiddenserv@tor.noreply.org
1170265424 J * marcfiu ~mef@aegis.CS.Princeton.EDU
1170265450 M * daniel_hozac Bertl: so the problem is that clone_namespaces is called twice, and the result of the first is never dropped, right?
1170265467 M * Bertl it looks like
1170265491 M * Bertl the interesting part is, the zero count nsproxy is the null_proxy
1170265501 M * Bertl (which is used in the mix, and is okay)
1170265569 M * Bertl and as I see it, the reference we take in vx_set_space() is never released
1170265585 M * Bertl but when I look at the code, I see all the required put functions
1170265714 J * stefani ~stefani@tsipoor.banerian.org
1170265723 M * Bertl hmm, no, the *_new = * looks suspicious
1170265788 M * Bertl guess we want to drop a reference on new and old
1170265802 M * Bertl fs/proxy should contain the 'old' values
1170265824 M * Bertl so the assignment looks like a bug, or am I confused now?
1170265959 M * daniel_hozac no, that sounds about right.
1170265986 M * Bertl let's do an empirical test then :)
1170266004 M * Bertl empirical verification actually :)
1170266098 Q * ensc Ping timeout: 480 seconds
1170266226 M * daniel_hozac or, hmm. is it *_cur that we're forget to drop?
1170266256 J * ensc ~irc-ensc@p54B4E118.dip.t-dialin.net
1170266267 M * Bertl well, we want to drop *_cur indeed, but that should be the same as get returned by the xchg
1170266313 M * Bertl or am I mentally in the wrong procedure enter/set
1170266329 M * Bertl indeed I am
1170266340 M * Bertl we want to drop fs/proxy and *_cur
1170266361 M * daniel_hozac fs/proxy should be handled though, right?
1170266379 M * Bertl yes
1170266419 M * Bertl so let's try *_new = *_cur :)
1170266560 M * Bertl yes, that's it ... perfect, I can do the rc9 now :)
1170266650 M * daniel_hozac hmm, but wouldn't that mean we should have nsproxies/fs_structs vanishing too?
1170266683 M * daniel_hozac as we now put the old fs/proxy twice.
1170266684 M * Bertl they will go away when not used/referenced anymore
1170266698 M * Bertl ah, you are doing the same mistake I did
1170266710 M * Bertl caused by the misleading naming scheme
1170266719 M * Bertl (I'm open for improvements there :)
1170266725 M * Bertl *_cur is from current
1170266734 M * Bertl while * is from the vxi
1170266743 Q * ensc Ping timeout: 480 seconds
1170266748 M * daniel_hozac right.
1170266768 M * Bertl maybe we should use fs_vxi and proxy_vxi there
1170266841 M * daniel_hozac but regardless of the naming, shouldn't this cause vanishing fs_struct's and proxies?
1170266870 M * Bertl at the beginning of _set_ we get a reference to *_cur
1170266882 M * Bertl this one is dropped at the end, okay?
1170266895 M * daniel_hozac not in 8.10?
1170266907 M * Bertl of course
1170266927 M * daniel_hozac okay. so we add that.
1170266940 M * Bertl ahem, no, it is in 8.10
1170266950 M * Bertl I mean, with the change we did right now
1170266953 M * Bertl fs_new = fs_cur;
1170266953 M * Bertl proxy_new = proxy_cur;
1170266981 M * daniel_hozac right, ok.
1170267008 M * daniel_hozac but without that change, shouldn't the fs and proxy vanish?
1170267013 M * daniel_hozac since they would be put twice?
1170267058 M * Bertl yes, but I think we have another issue with putting the vxi in error cases
1170267096 M * Bertl which is the wrong thing, so we actually want the names changed completely, let me prepare an 8.11 version for review
1170267365 M * Bertl okay, usual place
1170267429 Q * FireEgl Quit: ...
1170267455 Q * bronson Quit: Ex-Chat
1170267465 M * daniel_hozac yeah, that looks good.
1170267469 J * me ~me@p548A97E6.dip0.t-ipconnect.de
1170267476 M * Bertl welcome me!
1170267493 M * me are you a bot? :)
1170267496 M * Bertl daniel_hozac: yeah, it seems I managed to confuse myself there completely, thanks for the help!
1170267501 M * Bertl me: of course! :)
1170267504 M * me fast, hi Bertl ;)
1170267545 M * Bertl me: I'm trying to pass the Turing test, wanna help?
1170267573 M * me what for a turing test?
1170267647 M * Bertl well, once you 'believe' I'm human, I'm through ... then I just have to be extra careful with the Turing police ;)
1170267772 M * me If I want to add new ips for a vserver, I just have to add a directory ( if 0 is already available -> 1 ) in /etc/vservers//interfaces// and the 3 little files, but can I choose _any_ interfacename how I want for it? like eth45?
1170267791 M * me or has it to be in the format: eth0:1/2/3
1170267811 M * daniel_hozac the dev file needs to contain the interface you intend to add the address to.
1170267822 M * daniel_hozac e.g., if you want the address on eth1, you put eth1 in there.
1170267831 M * daniel_hozac if you want it on eth72, you put eth72 in it.
1170267841 M * Bertl note: eth0:1 is not an interface :)
1170267882 M * daniel_hozac indeed.
1170267886 M * Bertl daniel_hozac: seems to work fine here, I remove the debug stuff and finish it as rc9
1170267895 M * daniel_hozac works fine here too.
1170267896 M * me okay thanks
1170267902 M * Bertl daniel_hozac: did you read about the atomic -> atomic_long part?
1170267908 M * daniel_hozac yeah, makes sense.
1170267922 M * Bertl wanna give it a try?
1170267940 M * me and another thing, ifconfig on a guest system shows me the traffic of the host system, is that normal?
1170267997 M * Bertl yes
1170267997 M * daniel_hozac sure, but i don't think i have access to any x86_64 box for testing.
1170268008 M * Bertl daniel_hozac: you have :)
1170268009 Q * ciphergoth Quit: Client exiting
1170268029 M * daniel_hozac ah, the princeton box?
1170268040 M * Bertl yep
1170268049 M * daniel_hozac right, yeah, i could give it a try.
1170268064 M * Bertl you can use qemu there too, speeds up testing somewhat
1170268069 M * me hm but I've got a vserver, which shows me at ifconfig only the traffic, that I had caused
1170268094 M * Bertl me: maybe it has a dedicated interface?
1170268123 M * me maybe, I bought this vserver, I haven't got access to the hostsystem :)
1170268134 M * daniel_hozac or it's using a virtualized network stack, which we don't do.
1170268135 M * Bertl you can easily get that if you use vlans (one for each guest)
1170268184 M * me that is not so bad, but I wondered
1170268193 M * Bertl I guess at some point we might fake the interface stats too
1170268204 M * Bertl we probably can use the socket accounting for that
1170268327 J * mad_slackie ~Unknown@86.105.69.248
1170268335 M * Bertl welcome mad_slackie!
1170268357 M * Hollow Bertl: nsproxy-fix03 seems to run fine here ..
1170268372 M * Bertl we have a better one now :)
1170268378 Q * crazy_penguin Ping timeout: 480 seconds
1170268379 M * mad_slackie hi Bertl (i'm crazy_penguin's brother :P)
1170268386 M * Hollow always too late ;)
1170268391 M * Bertl mad_slackie: lol, nice :)
1170268391 N * mad_slackie crazy_penguin
1170268397 M * crazy_penguin yes
1170268404 M * Hollow ah, the do.not.use ones? :P
1170268407 M * crazy_penguin i'm plain crazy and mad like i said
1170268413 M * daniel_hozac yep ;)
1170268444 M * Hollow guess i'll have to silently ignore the warning .. ;)
1170268450 M * Hollow which one?
1170268453 M * Hollow 10 or 11?
1170268467 M * Bertl the 11 is okay, if you remove the debug stuff
1170268476 M * Bertl alternatively you can wait a few minutes for rc9
1170268487 M * Hollow ok, will do that
1170268516 M * Hollow btw, ext3 does not like links on symlinks it seems... fsck bailed out a lot ..
1170268524 M * daniel_hozac hehe.
1170268535 M * daniel_hozac it does seem like a somewhat strange concept to me.
1170268548 M * Hollow but it works (except for fsck ;)
1170268570 M * daniel_hozac Guy-: please submit patches against doc/configuration.xml rather than modifying util-vserver:Documentation.
1170268575 M * Bertl Hollow: hmm?
1170268619 M * Bertl if fsck complains about something, then usually the kernel code is wrong (journalling)
1170268659 M * Hollow unfortunately i did not see the kernel output, but CHTEKK said fsck complained about links to symlinks .. and thats what vcd does for unification
1170268678 M * Hollow it does not copy the symlinks
1170268694 J * attila_ ~attila@17.15.185.213.dk-hvi.res.sta.perspektivbredband.net
1170268787 M * Bertl wb attila_!
1170268823 M * attila_ tgx
1170268824 M * attila_ thx
1170268858 J * ensc ~irc-ensc@p54B4E118.dip.t-dialin.net
1170268934 M * Guy- daniel_hozac: aye
1170268968 M * CHTEKK Hollow, it actually complained about immutable
1170268978 M * CHTEKK not really hardlinks, wait I'll just write down the error msg
1170269037 M * Bertl ah, do we have iunlink and friends on those too?
1170269043 M * Hollow yep
1170269054 M * Bertl the vserver interfaces allow for that atm
1170269063 M * Bertl probably we should forbid it ...
1170269073 M * CHTEKK ok while checking fs, msg such as "Special file (device/socket/fifo/symlink) has immutable or append-only flag set. Clear?" and then it would just go "yes" cause I have that system on automatic, so fscks and so are always seen as "ok" and ok'ed
1170269074 M * Hollow so symlinks should not be immutable?
1170269096 M * Bertl as it seems, no
1170269140 M * Hollow ok, i'll fix that then
1170269140 M * Bertl should be easy to verify with fsck on a test partition
1170269140 M * CHTEKK probably all four types should be restricted from being immutable at all, symlinks, fifos, sockets and devices, just to be sure
1170269140 Q * marcfiu Quit: Download Gaim: http://gaim.sourceforge.net/
1170269140 M * Bertl CHTEKK: yep, agreed
1170269142 M * Hollow well, we ignore all those except symlinks anyway
1170269186 M * CHTEKK Hollow, on vcd, ok, but at kernel level (Bertls) it's probably the "right thing" to do to simply forbid it on all of them
1170269201 M * Bertl yep
1170269212 M * CHTEKK btw just don't test this on big partitions :P me and Hollow found out the hard way
1170269222 M * Bertl lol
1170269247 M * CHTEKK I was away, he rebooted, so forced fsck on ext3 after about 25 reboots... 2.4TB partition... takes a while
1170269247 M * Hollow fscking an 2.2TB partition takes quite some time ..
1170269254 M * Hollow heh
1170269260 J * marcfiu ~mef@aegis.CS.Princeton.EDU
1170269304 M * Bertl so about 0.2TB was lost in argumentation ...
1170269332 M * Hollow my fault..
1170269344 M * Hollow CHTEKK: http://svn.linux-vserver.org/projects/vcd/changeset/405
1170269346 M * CHTEKK the whole partition is 2.4TB, which after ext3 formatting goes down to 2.3TB, of which 2.2TB are shown as available
1170269360 M * CHTEKK so I actually told Hollow the wrong value myself before and just remembered the correct size
1170269395 M * Bertl np, was just considered a funny comment, forgot the :)
1170269424 M * CHTEKK yeah I thought it wasn't that serious, still wanted to explain it ;)
1170269441 M * CHTEKK when you have nothing particular to do typing away is an occupation like another :P
1170269454 M * Bertl you always lose disk space to something
1170269522 M * Hollow you lose the most diskspace to the manufacturer who does not use 1024 units ;)
1170269586 M * Bertl error correction, filesystem metadata, Sony, Warner ...
1170269654 M * CHTEKK yeah :)
1170269963 Q * crazy_penguin Quit: Quit == /sbin/shutdown brain now && crash
1170270145 M * Bertl okay, rc9 is test compiling, once that is through, it will be uploaded
1170270161 M * Bertl heading towards syscall_shiny_2007 now :)
1170270188 M * Hollow CHTEKK: vstatd works :) we will probably add some more data sources for the new sched_info e.g.
1170270227 M * Hollow next version is syscall_shiny_2007_pro_ultimate? ;)
1170270253 M * Bertl something like that, I plan to take gcc out of the equation
1170270260 M * Hollow good idea
1170270608 M * Guy- the linux-vserver.org wiki/database server appears to be having difficulties
1170270686 M * daniel_hozac how so?
1170270724 M * CHTEKK Hollow, ok great :)
1170270849 M * Hollow Bertl: VLIMIT_MAPPED is neither limited nor accounted currently?
1170270891 M * Bertl it should be
1170270909 M * Bertl it is used for RSS, so it better be accounted
1170270920 M * Hollow it does not appear in the mask ..
1170270935 M * Bertl that is a bug then ...
1170270966 M * Guy- daniel_hozac: it's terribly slow and occasionally throws mysql exceptions
1170270975 M * daniel_hozac Guy-: hmm, works fine here.
1170270986 M * Bertl Guy-: url? just to verify :)
1170271032 M * Guy- now it's fine again
1170271045 M * Guy- it did this when I was editing the pages in the afternoon too
1170271060 M * Guy- something about a server called 'zelos' being unknown?
1170271072 M * Guy- and then on retry, it took its time, but worked
1170271111 M * daniel_hozac i've never seen that.
1170271132 M * Bertl Hollow: do we know some 'zelos' host?
1170271135 M * Guy- I'll paste it to the pastebin if it comes up again
1170271143 M * Hollow Bertl: yeah :)
1170271157 M * Hollow it's the database server
1170271167 J * comfrey_ ~comfrey@70.91.185.84
1170271184 J * comfrey_1 ~comfrey@70.91.185.84
1170271186 M * Bertl well, it seems it was unknown to me _and_ helios at some point :)
1170271201 M * Hollow ah?
1170271210 M * Bertl 20:17 < Guy-> something about a server called 'zelos' being unknown?
1170271212 M * daniel_hozac DNS server reboot?
1170271241 M * Guy- now it's slow again
1170271254 M * Guy- it took about 30 seconds to list 'my contributions'
1170271262 M * Guy- although there are only two :)
1170271273 M * Bertl sounds like stale dns ...
1170271276 Q * comfrey Ping timeout: 480 seconds
1170271330 M * Hollow well, it is resolvable here, and there seem to be no errors: http://www.dnsreport.com/tools/dnsreport.ch?domain=croup.de
1170271333 M * Bertl Hollow: check that all nameservers are reachable from helios, and that they know zelos
1170271356 Q * comfrey__ Ping timeout: 480 seconds
1170271399 M * Hollow works here
1170271413 M * Bertl here being helios?
1170271417 M * Hollow yep
1170271430 M * Bertl for all nameservers listed in resolv.conf=
1170271433 M * Bertl s/=/?
1170271442 M * Guy- (I can't reproduce the error now)
1170271464 M * Hollow there is just one nameserver, and i can ping it just fine
1170271469 M * Hollow it == zelos
1170271494 M * Bertl okay, maybe a rate limit on dns queries?
1170271528 M * Guy- bbl
1170271540 M * Hollow not that i know of .. and nothing in the logs ..
1170271553 M * Bertl okay, tx
1170271566 M * Hollow *shrug*
1170271846 J * yarihm ~yarihm@84-75-123-221.dclient.hispeed.ch
1170272104 Q * thunder1 Remote host closed the connection
1170272119 J * thunder1 ~thu@tor-irc.dnsbl.oftc.net
1170273071 T * Bertl http://linux-vserver.org/ | latest stable 2.0.2.1, 2.0.3-rc1, 2.2.0-rc9, devel 2.1.1.7.1, 2.3.0.8, stable+grsec 2.0.2.1, 2.2.0-rc8, devel+grsec 2.1.1 | util-vserver-0.30.212 | libvserver-1.0.2 & vserver-utils-1.0.3 | He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the Wiki, and we'll forget about the minute ;)
1170273083 M * Bertl *2.2.0-rc9
1170273154 M * ebiederm And one more release is out
1170273171 M * Bertl from you or from us? :)
1170273178 M * ebiederm From you :)
1170273200 M * Bertl indeed, how's going for you?
1170273283 M * ebiederm One small step at a time. At the moment I'm investigating a really weird irq migration bug, and hoping to hear some comments on my network namespace RFC.
1170273740 J * jbailey ~jbailey@modemcable178.77-70-69.static.videotron.ca
1170274044 M * Bertl welcome jbailey!
1170274083 M * jbailey Bertl: Heya. I'm still digging through the FAQs before I ask the question ;)
1170274147 N * kevinp_away kevinp
1170274158 M * kevinp thanks for the new release Bertl
1170274182 M * Bertl np
1170274375 M * jbailey Hmm, so no joy there. My two questions are: 1) What's the merge status of this upstream? I'm curious when I'm likely to find it in a stock kernel. 2) How does udev play along inside the guests? I see in the FAQ that giving device access causes that guest to have direct hardware access. I'm curious if /sys is smart enough to not show devices that are hidden and I'm also curious about dbus knowing that events that happen on
1170274376 M * jbailey the system should be passed down to the guests that actually know about those devices.
1170274433 M * daniel_hozac Linux-VServer is unlikely to ever be merged fully upstream.
1170274469 M * daniel_hozac udev shouldn't run in the guests at all.
1170274478 M * daniel_hozac and /sys isn't mounted in guests.
1170274561 M * jbailey Is it not likely to get merged because of competition from Xen and other virtualisation stuff?
1170274567 M * mugwump containers are being merged, though
1170274581 M * mugwump the odd container related patch is getting into -mm
1170274644 M * Bertl very similar to xen, which is unlikely to be merged too
1170274680 M * jbailey linux-vserver reminds me of the second coolest feature of the Hurd.
1170274710 M * Bertl what was then coolest?
1170274713 M * jbailey In Mach, the OS is just another task on the microkernel, so running subhurds is a cheap operation that can be done by any user.
1170274758 M * mugwump I heard hypervisors being described as microkernels, rebranded for the 21st century
1170274762 M * Bertl well, we are not running kernels (not more than on a usual box)
1170274773 Q * Piet Read error: Connection reset by peer
1170274839 M * Bertl jbailey: btw, dbus is a messaging system, and it works across guests
1170274861 M * jbailey The coolest is translators, which are programs that attach to inodes in the filesystem. So if an RPC (which could be a filesystem call or other rpc) goes to that inode, it gets passed to whatever program is attached.
1170274872 M * Bertl (you can now also identify the sending guest id)
1170274878 M * jbailey A passive translator is a program that's not running, but is registered in the filesystem to get started automatically.
1170274883 M * jbailey an active translator is one that's running.
1170274884 J * Piet hiddenserv@tor.noreply.org
1170274905 M * Bertl reminds me of FUSE
1170274910 M * jbailey Cool on the dbus, stuff.
1170274937 M * jbailey Yeah, fuse is a close version of that.
1170274958 M * jbailey The biggest difference is that in mach, you traditionally had a directory server that everyone had a port to.
1170274968 M * jbailey That way you could ask the directory server to help you find the IP stack, for instance.
1170274980 M * jbailey In the Hurd, they went with the idea that the filesystem is a good enough directory on its won.
1170274984 M * jbailey s/won/own/
1170274996 M * jbailey So the IP stack could be found at /servers/pfinet
1170274999 M * Bertl i.c.
1170275008 M * jbailey And if you didn't have permissions in the filesystem to see it, you don't get network access.
1170275083 M * jbailey Because there's no central kernel tables maintaining all of these, it meant that a user could create subhurds or translators on their own. This was safe, because those would always be constrained by the limits of the user running the process (the subhurd doesn't get any extra privileges to devices, etc.)
1170275272 M * Bertl I really like micro kernels, worked for some time with mach, those are very nice regarding correctness, control and security .. unfortunately they suck big time when it comes to performance
1170275383 M * mugwump so, bertl, you've been following the containers list a bit, haven't you?
1170275398 M * Bertl mugwump: indeed I have ...
1170275466 M * mugwump I'm going to an informal conference (an "unconference") this weekend and was thinking about talking about containers
1170275484 M * mugwump I see ebiederm has been busy with submissions
1170275528 M * ebiederm Yep :)
1170275582 M * jbailey Bertl: I'm not entirely convinced that microkernels lost the performance war. I'm more convinced that no serious contender from the microkernel side ever showed up to the fight ;)
1170275608 M * Bertl jbailey: well, that might be true ...
1170275615 M * jbailey The research that i've read suggests that L4 and other such things ought to be able to overcome the performance barrier, but no one seems to want to make a serious OS on top of them.
1170275670 M * ebiederm What isn't recognized is that the original unix was for all practical purposes a microkernel.
1170275700 M * mugwump I see quite a few container patches were accepted into the -mm tree - the ones I can see look to be infrastructure and clean-ups - are any features in -mm yet?
1170275713 M * daniel_hozac the user namespace.
1170275740 M * Bertl besides the namespaces already in 2.6.19 :)
1170275760 M * mugwump which namespaces are in 2.6.19 ? I mean, other than the filesystem namespace that was in 2.4.x :)
1170275805 M * Bertl uts and ipc
1170275805 M * ebiederm uts and ipc.
1170275805 M * mugwump wow. I really have been asleep
1170275805 M * ebiederm The bulk of the infrastructure changes for the pid namespace have also made it in.
1170275887 M * ebiederm There remain fixing a couple kernel_thread users like NFS and then the handful of patches to make the pid namespace a reality.
1170275989 M * ebiederm We actually had to pull a little of the pid namespace code out of 2.6.20-rcX because it was buggy, and a good fix wasn't available.
1170276043 M * ebiederm So things are progressing.
1170276083 M * Bertl any estimation how much code will be required to get the blend through init working again?
1170276131 M * ebiederm blend through init?
1170276138 M * daniel_hozac the host's init visible on the guests.
1170276143 M * daniel_hozac s/on/in/
1170276152 M * Bertl yeah, you know, the thing we are talking about for ages? :)
1170276193 Q * Piet Ping timeout: 480 seconds
1170276201 M * daniel_hozac it should still be unavailable for signalling and such, but ought to be there for nice ps output.
1170276243 M * ebiederm Probably not a whole lot (in comparison with the rest of the pid namespace). The difficulty is that there we are making up the rules so it takes a lot of discussion to figure out what the rules are.
1170276305 M * ebiederm If what we really are talking about is the host's init and just a dummy entry that is both easier and harder.
1170276347 M * daniel_hozac Bertl: the experiment with a pure fake-init didn't work out, right?
1170276372 M * ebiederm Splicing of process trees can be really nasty.
1170276372 M * Bertl nope, it didn't, but I guess init/swapper will soon have the necessary entries :)
1170276409 M * Bertl daniel_hozac: IIRC, one of the issues was that dynamic pid stuff was required, which is changed IIRC
1170276418 M * Bertl s/is/has/
1170276434 J * Piet hiddenserv@tor.noreply.org
1170276483 M * daniel_hozac ah, okay. might make sense to revisit that then, when the pid namespace is merged in its entirety.
1170276505 J * shedi ~siggi@ftth-237-144.hive.is
1170276507 M * ebiederm If the semantics of pid == 1 exiting become you get pid == 1 from your parent namespace things may fall out cleanly.
1170276541 M * mugwump interesting, so what about userland utilities ... how can I start a group of processes in a different uts namespace on 2.6.19 ?
1170276549 M * mugwump it's a clone flag, right?
1170276551 M * daniel_hozac mugwump: yep.
1170276566 M * daniel_hozac just unshare it, start your processes, and you're set.
1170276576 M * Bertl you can do it in several ways: clone, unshare, vserver syscall
1170276595 M * mugwump it supports the vserver syscall interface?
1170276605 M * daniel_hozac the vserver syscall interface supports it :)
1170276629 M * mugwump I see :). Thought that would be odd
1170276656 M * ebiederm Not that the vserver syscall interface is in mainline.
1170276685 M * Bertl the syscall is :)
1170276702 M * ebiederm The syscall number is :)
1170276815 M * mugwump ok, sweet - so what about the stuff not in -mm yet, I see a lot of work in network namespaces
1170276842 M * mugwump There were the two approaches - L3 like in vserver and L2 like in openvz etc
1170276867 M * mugwump as I recall, ebiederm you were pushing for L3 to be written in terms of an LSM module
1170276875 M * ebiederm I haven't yet seen an L3 like in vserver.
1170276897 M * Bertl ebiederm: L3 isolation is all over Linux-VServer
1170276909 M * Bertl ebiederm: you just have to read the code
1170276926 M * daniel_hozac the L3 posted to the containers list seemed to be more limited than our current implementation.
1170276941 M * ebiederm Bertl: I haven't seen an L3 like in vserver considered for kernel inclusion.
1170276941 M * mugwump who posted that one, daniel_hozac ?
1170276947 M * daniel_hozac dlezcano, IIRC.
1170276966 M * Bertl ebiederm: well, who does consider kernel inclusion?
1170276986 M * mugwump presumably @core_team (they know who they are)
1170277001 M * Bertl so, that's not my fault then :)
1170277053 M * ebiederm I have not seen an L3 implementation like in vserver offered for kernel inclusion.
1170277072 M * Bertl ah, that's something different, we can do that if there is interest
1170277088 M * ebiederm Right.
1170277142 M * ebiederm Currently I think we need an L2 implementation, so we can handle the general case of being able to isolate everything the network stack is currently capable of.
1170277185 M * ebiederm Personally I am interested in L3 if the L2 work is shown to have limitations.
1170277204 M * Bertl like having twice the overhead or so?
1170277213 M * ebiederm Bertl: Exactly.
1170277251 M * Bertl so the kernel approach is to make it slow, and then see if somebody can detect it :)
1170277267 M * Bertl if not, we are fine ...
1170277288 M * ebiederm Bertl: Well that is my approach :)
1170277306 M * ebiederm I have enough code out there that it is at least possible to ask the question.
1170277346 M * Bertl sorry, didn't get that one?
1170277384 M * mugwump I think what ebiederm is saying is that he is following the scientific approach - rigorous experimentation :)
1170277387 M * ebiederm With the RFC I published I did a moderately complete L2.
1170277413 M * Bertl okay, but what is the question?
1170277431 M * mugwump or hypothesis, even
1170277437 M * ebiederm What is the performance impact. We now have something we can measure against.
1170277467 M * Bertl i.c. well, with the help of the planetlab folks, we might get some values too
1170277487 M * ebiederm Yes, they were interested in that area.
1170277511 M * ebiederm I'm happy because I finally figured out how to cope with sysfs.
1170277535 M * ebiederm At least as far as resolving the conflict of names problem.
1170277628 M * ebiederm Now I just need to resolve the selinux braindamage and I will be able to make /proc/sys per pid :)
1170277672 M * mugwump what about iptables ? I guess the L2 approach wouldn't touch iptables, just make it easier to manage
1170277678 M * mugwump ie, if you made a table for each interface
1170277698 M * Bertl once the L2 is through, you get separate tables too
1170277729 M * ebiederm mugwump: I touched iptables. I didn't get very far. But I got far enough it is clear out to keep iptables and all of that isolated into a network namespace.
1170277759 M * mugwump ok. so then you'd have routing between network namespaces ?
1170277765 M * ebiederm bleh. I can't type. I got far enough with iptables it was clear how to complete the work.
1170277783 M * ebiederm mugwump: Yes. If you choose.
1170277791 M * dlezcano ebiederm: what about the L3 namespace I did upon the L2 Dmitry does ?
1170277812 M * Bertl hey dlezcano!
1170277817 M * dlezcano hi
1170277825 M * Bertl we still have some questions regarding that one
1170277865 M * Bertl especially about missing? features and/or typical setups
1170277871 M * mugwump wow getting a real full house in here now
1170277905 M * Bertl yeah, would be nice if we had that more often :)
1170277908 M * ebiederm dlezcano: I haven't looked at it as closely as I'd like. My memory is that there were some weird corner cases. But I'm very interested until we show the need for such.
1170277925 M * ebiederm s/very/not very/
1170277927 J * puck ~puck@leibniz.catalyst.net.nz
1170277938 M * Bertl welcome puck!
1170277956 M * puck Bertl: gidday
1170278012 M * dlezcano ebiederm: Bertl seems to be interested
1170278023 M * dlezcano ebiederm: We are interested
1170278028 M * ebiederm dlezcano: What I also haven't seen with your L3 work is a clear explanation of what it is trying to be. A definition of the target semantics if you will. When we have to invent things it is hard to gauge the correctness of an implementation until we define what it is trying to do.
1170278053 M * dlezcano I sent a specification to containers@ and netdev@
1170278058 M * ebiederm dlezcano: Part of it is that L3 is largely an orthogonal to L2.
1170278060 M * Bertl ebiederm: that is because you do not care about this
1170278064 M * ebiederm dlezcano: I will have to look again.
1170278097 M * Bertl just take chroot() and map it to networking, that is what L3 isolation should look like, IMHO
1170278099 M * ebiederm Bertl: There are billions of details keep up with enough of them is hard.
1170278103 M * dlezcano ebiederm: I don't agree the L3 namespace I pushed is uses the socket isolation from the L2
1170278128 M * dlezcano ebiederm: finally L2 and L3 are coexisting
1170278134 M * ebiederm dlezcano: But you only care about PF_INET, not PF_UNIX?
1170278181 M * dlezcano ebiederm: Exact, for the moment I address only AF_INET 1170278195 M * mugwump we really wanted PF_INET6 here 1170278197 M * dlezcano AF_UNIX will work when the fs will be isolated 1170278225 M * ebiederm dlezcano: The fs is isolated and AF_UNIX has nothing to do with the fs. 1170278241 M * ebiederm dlezcano: Especially the linux abstract AF_UNIX namespace. 1170278279 M * dlezcano mugwump: I agree, AF_INET6 should be added too 1170278329 M * ebiederm Then of course there is PF_DECNET, PF_IPX, and a lot more. 1170278355 M * Bertl and of course, those are interesting for L3 isolation?! 1170278390 M * dlezcano Bertl: do you isolate PF_DECNET ? or PF_IPX ? in Linux-Vserver 1170278396 M * ebiederm They are all L3 protocols. At least the definition should be able to cover all of them. 1170278406 M * Bertl dlezcano: nope, why should we? 1170278460 M * dlezcano Bertl: How many applications was not supported because PF_DECNET or PF_IPX was not isolated ? 1170278474 M * Bertl none we know of 1170278501 M * ebiederm Honestly my gut feel for L3 isolation right now, is to setup an extra kind of iptable that instead of filtering packets, filters bind requests. 1170278527 M * mugwump mmm. mangle bind 1170278542 M * Bertl and how would that allow for changing the limitation lateron? 1170278545 M * dlezcano ebiederm, Bertl : so beginning addressing AF_INET and AF_INET6 isolation will cover most of the cases 1170278556 M * ebiederm Bertl: I agree from a practical stand point getting everything in the network stack is silly. But we should at least be isolated enough that we deny it. 1170278586 M * Bertl I'm fine with that 1170278618 M * dlezcano ebiederm: Can you explain me how bind filtering will allow socket isolation ? 1170278668 M * ebiederm Essentially that is what vserver does. It hooks in and looks at the bind/connect/accept requests and only allows a subset of them that the policy allows.
1170278684 M * ebiederm Once a connected socket is established we don't care. 1170278693 M * Bertl ebiederm: that is only a tiny part of what Linux-VServer does 1170278705 M * ebiederm Bertl: Sure but isn't that the essence? 1170278715 M * Bertl nope 1170278721 M * ebiederm Ok. I will have to look again. 1170278747 M * ebiederm How would you handle UDP packets? 1170278751 M * Bertl you can make it the 'essence' if you restrict yourself to the single ip case 1170278777 M * Bertl (in which case you can simply 'replace' the bind any with your ip) 1170278792 M * Bertl gives two issues besides restricting to a single ip 1170278805 M * Bertl - the ip cannot be changed easily lateron 1170278822 M * Bertl - the information shown to userspace will be different from the binding 1170278863 M * dlezcano Bertl: does the L3 namespace I sent to the mailing list bring something more to Linux-Vserver ? 1170278866 M * ebiederm Ok. So it is the wild card bind, that is used for listening sockets that is the primary problem? 1170278888 M * Bertl dlezcano: if you consider the 'moving' interfaces a feature, yes 1170278903 M * Bertl dlezcano: I'm not sure that is of any use though ... 1170278924 M * Bertl ebiederm: exactly, this needs to be handled in a proper way 1170278978 M * ebiederm Bertl: My impression and I will look again in a moment is that if we also filter the accept requests things should be decent. 1170279017 M * dlezcano ebiederm: should be the sockets isolated too ? 1170279020 M * ebiederm UDP non-connected sockets are the nasty part there. 1170279034 M * Bertl okay, let's make an example with your filtering, yes? 1170279050 M * ebiederm Ok. 1170279056 M * Bertl we define a guest network namespace like this: 1170279089 M * Bertl host: 4 ips, two on 10.1.x.x, two on 10.2.x.x 1170279100 M * Bertl of course, there is also 127.0.0.1 1170279120 M * Bertl guest: 2 ips, both from 10.2.x.x, + 127.0.0.1 1170279131 M * ebiederm Ok. 
1170279148 M * Bertl now, what I expect from that, according to the chroot() semantics is: 1170279159 M * Bertl on the host, I see the 'whole truth' 1170279183 J * Aiken ~james@ppp220-70.lns2.bne1.internode.on.net 1170279190 M * Bertl on the guest, I see lo, with 127.0.0.1 and maybe eth0 with 10.2.x.1 and eth1 with 10.2.x.2 1170279211 M * Bertl (let's assume the 10.x.x.1 ips are on eth0, the 10.x.x.2's on eth1 1170279233 M * Bertl now I bind a daemon to port 53, udp and tcp 1170279247 M * Bertl I do that with 0.0.0.0 1170279261 M * ebiederm Ok. 1170279274 M * Bertl what I expect in the guest is, that I see bindings like this: 1170279287 M * Bertl udp 53:* , tcp 53:* 1170279291 M * ebiederm Ok. 1170279325 M * Bertl we are not considering iptables or routing tables part of the guest for this 1170279339 M * Bertl very similar as filesystems are not part of a chroot 1170279346 M * ebiederm Sure. 1170279374 M * Bertl of course, it is nice (and we do that to some extent) to hide unrelated stuff from userspace 1170279395 M * Bertl the basic element here is addr_in_network_space() 1170279417 M * Bertl if we can find an address related to a network space, then it will be shown to userspace 1170279451 M * Bertl this takes care of the interfaces, routing table views and some other things 1170279468 M * Bertl now, if a packet arrives (locally or from remote) 1170279487 M * Bertl all the 'interesting' sockets are matched 1170279505 M * Bertl the first one which is valid, will get the packet 1170279518 M * Bertl (there is no special handling of multicast and such) 1170279553 M * Bertl so, how to do that with a set of 'mangling' tables 1170279577 M * Bertl basically you need to transfer the addr_in_space into some iptable rule 1170279597 M * Bertl which should not be too hard 1170279638 M * Bertl the problem now is, you have to walk that chain in quite a lot of places, which have nothing to do with iptables 1170279650 M * Bertl (or packet handling) 1170279673 M * ebiederm Bertl: 
So let me break my suggestion into two parts. 1170279707 M * ebiederm Part1. We have a hook in the bind/accept/connect and for unconnected sockets in the socket path. 1170279743 M * ebiederm This hook or set of hooks looks solely at the layer 3 addressing and some sort of context to determine if a socket is allowed 1170279758 M * Bertl okay, that's what we have now 1170279760 M * ebiederm to bind/accept/connect or receive the packet. 1170279778 M * ebiederm Right. 1170279802 M * ebiederm Part2. Exporting the functionality of those hooks in a general way. 1170279871 M * ebiederm My gut feel says structuring it like an iptables table could be generally useful. 1170279895 M * ebiederm This would have the benefit of allowing you to look at both the ip address and the port when making the decision if you choose. 1170279937 M * Bertl well, I'm fine with that, but as I said, a lot of decisions does not know about ports and packets at all 1170279941 M * ebiederm Basically all you would need to hook into from iptables is the setsockopt hooks and not the socket filtering hooks I don't think, and just structure the problem in the same way. 1170279969 M * ebiederm Right. 1170279988 M * Bertl I'm perfectly fine with an IP subset matching API within the kernel 1170279994 M * ebiederm But largely instead of using the traditional NF_HOOK you use a BIND_HOOK or something like that. 1170280022 M * Bertl you specify a subset of IPs via certain rules, 'iptables style' and use that for the network namespace 1170280103 M * ebiederm That is how I would structure the problem of the L3 stuff. It makes it clear that it is just about isolation, and it puts it in a general framework so you can do sophisticated things without having to look directly at the packets. 1170280150 M * ebiederm I suspect you could replace 50% or more of all iptables based firewalls if this was done flexibly, and probably at a lower cost. 1170280172 M * Bertl that's basically what we are doing ...
1170280173 Q * Piet Remote host closed the connection 1170280200 M * ebiederm Bertl: Exactly. I'm just trying to frame the problem in a way that isn't vserver specific. 1170280217 M * Bertl so I would be glad to provide such a framework for mainline 1170280236 M * Bertl (or alternatively, to find one in mainline :) 1170280252 J * Piet hiddenserv@tor.noreply.org 1170280270 M * Bertl I also think that what dlezcano is trying to accomplish could be done with this 1170280304 M * Bertl so it might be worth designing a proper interface there, assumed that mainline wants it ... 1170280354 M * ebiederm The benefit of this is that it is generally quite small and stays out of the fast path for most things. 1170280371 M * Bertl exactly 1170280385 M * ebiederm Plus the way to extend this to ipv6 and the like is natural. 1170280404 M * Bertl yep, we have patches for ipv6 too 1170280417 M * Bertl (so yes, it is quite natural) 1170280418 M * ebiederm The question is only for a given protocol family has someone setup the table. 1170280597 M * Bertl have we lost dlezcano? 1170280607 M * ebiederm I have talked about this enough I feel like messing with this a little. Do you have a patch that hits the the hook points? 1170280608 M * dlezcano no 1170280634 M * Bertl ebiederm: yes, I can point you to broken out patches for this 1170280640 M * Bertl ebiederm: ipv4 for now? 1170280666 M * ebiederm Bertl: Yes. I'm just after something so I don't have to grep through all of the code to find where I have to touch things. 1170280684 M * Bertl http://vserver.13thfloor.at/Experimental/split-2.6.18.2-vs2.1.1/ 1170280695 M * Bertl although the 2.3 code is much cleaner than this 1170280703 M * Bertl it should be good enough for a start 1170280709 M * Bertl check the net* patches 1170280749 M * Bertl netiso is probably the one you want 1170280749 Q * bonbons Quit: Leaving 1170280826 M * ebiederm A bit of both. For mainline I would completely separate this from visibility of ip addresses. 
So you can run ifconfig and see it you just won't be able to use it :) 1170280881 M * Bertl we had that in vserver 1.0, so for a start it is fine :) 1170280916 M * CHTEKK gn8 all, cya tomorrow! 1170280918 M * dlezcano ebiederm: pls, look at the net-namespace-l3*.patch too at http://www.sr71.net/patches/2.6.20/2.6.20-rc4-mm1-lxc4 1170280939 M * Bertl dlezcano: what do you think of the general table idea? 1170280968 M * dlezcano I am not sure I got it 1170280977 M * Bertl dlezcano: we are heading there for some time now, so I have no problem with that approach, given that it stays at layer 3 1170281000 M * Bertl dlezcano: the basic idea in Linux-VServer is like this: 1170281012 M * Bertl - you have a set of IP addresses 1170281023 M * Bertl - you can either enumerate them, or describe them 1170281046 M * Bertl naturally the enumeration has some issues, if you want to map entire networks 1170281056 M * Bertl (we know that! :) 1170281082 M * Bertl so, instead of specifying all the ips a guest can use/see 1170281104 M * Bertl you describe them via something similar (but not identical) to an iptables chain 1170281141 M * Bertl where you can say, e.g. 10.0.0.0/24 but not 10.0.0.0 and 10.0.0.1 1170281157 M * matti Bertl: :)) 1170281160 M * matti Bertl: How are you? 1170281175 M * Bertl matti: fine, thanks! hope you are fine too ... 1170281213 M * matti Yes. 1170281221 M * matti I am very excited. 1170281231 M * dlezcano Bertl: I had a look to Linux-Vserver one year ago 1170281241 M * matti I will move to Cambridge soon :) New job! 1170281253 M * Bertl matti: congrats! 1170281263 M * Bertl dlezcano: which version? 1170281268 Q * m`m`h Ping timeout: 480 seconds 1170281280 M * matti Bertl: Thanks :) 1170281281 M * dlezcano Bertl: mmh, don't remember 1170281313 M * Bertl okay, np 1170281315 J * m`m`h ~simba@deb30.mgts.by 1170281331 M * bXi my dell sc1425 is happily running 6 vservers for over a month now :) 1170281345 M * Bertl bXi: great!
1170281346 M * dlezcano Bertl: do you still force the bind address to the IP assigned to the guest ? 1170281360 M * daniel_hozac dlezcano: that's only if the guest only has one IP address. 1170281367 M * daniel_hozac dlezcano: and in 2.3+, it requires a flag. 1170281394 M * Bertl dlezcano: so, optionally, yes 1170281425 M * dlezcano how do you handle several guests binding to the same port, eg *:80 ? 1170281472 M * Bertl if the IP sets are disjunct, there is no problem 1170281484 M * Bertl if the IP sets overlap, the first one binding wins 1170281513 M * dlezcano so in the case the IP are disjunct, (example: 10.0.0.1 and 10.0.0.2) 1170281519 M * dlezcano for guest 1 and 2 1170281536 M * Bertl then both can bind quite fine to * 1170281551 M * dlezcano if in guest 1, an application does bind *:80 that is converted to 10.0.0.1:80 ? 1170281570 M * Bertl only if the guest has a single ip, and this is desired 1170281583 M * Bertl (i.e. the single ip special casing is 'requested') 1170281594 M * Bertl (that is for 2.3.x) 1170281595 M * bXi they bind fine to *? 1170281604 M * Bertl bXi: yep 1170281625 M * bXi is this new? 1170281629 M * Bertl nope 1170281637 M * bXi i'm confused 1170281652 M * Bertl the guests do not need any ip restriction besides the one defined for the context 1170281661 M * bXi i have to tell an apache in a guest to bind to the guests ip 1170281663 M * Bertl the host has to be restricted manually though 1170281681 M * Bertl bXi: nope, you can do so, but it works with * too 1170281688 J * FireEgl Proteus@2001:5c0:84dc:1:211:9ff:feca:b042 1170281696 M * daniel_hozac unless you do something stupid, like assign multiple guests 127.0.0.1. 
1170281697 M * bXi oh wait 1170281701 M * Bertl (this is true for almost all vserver versions btw :) 1170281708 M * bXi i'm talking about a guest vs host thing here 1170281722 M * Bertl yes, as I said, the host is unlimited 1170281733 M * Bertl so if the host binds *:53 1170281740 M * Bertl it will be gone for _all_ guests 1170281748 M * bXi i've had several issues of ending up on the host when i needed a guest 1170281772 M * daniel_hozac you know, there's a reason we suggest you run all of your services in guests ;) 1170281776 M * Bertl bXi: because you have/had services running on the host 1170281792 M * bXi yeah 1170281805 M * bXi daniel_hozac: can you control vservers from a guest? 1170281817 M * daniel_hozac no. 1170281828 M * daniel_hozac management is not a service per se, IMHO. 1170281834 M * bXi thats why i have a service on the host 1170281846 M * bXi i made a php page thingie in which my boss can manage the vservers 1170281866 M * daniel_hozac like OpenVCP? 1170281868 M * daniel_hozac or OpenVPS? 1170281874 M * bXi dont know 1170281881 M * daniel_hozac or (what's that revolutionlinux one called?)? 1170281944 M * bXi i can mail you the code if you want 1170281949 M * dlezcano Bertl: does several guest can bind to the same broadcast:port and receive all the packets ? 1170281993 M * Bertl that is something we did think about, and it is partially handled 1170282011 M * dlezcano ok 1170282042 M * Bertl i.e. the broadcast address was/is considered, but there is not a real demand for that 1170282058 M * daniel_hozac was, i think. last time i checked, we didn't use it anywhere. 1170282087 M * dlezcano ok 1170282121 M * Bertl yeah, it got basically removed from 2.2/2.3 1170282193 M * bXi Bertl daniel_hozac interested in my very simple vserver manager 1170282199 M * Bertl broadcast is usually not that interesting, there is more interest in multicast though 1170282216 M * Bertl bXi: always, what about posting it on the ML?
1170282216 M * dlezcano Bertl: multicast is much more complicated to handle 1170282227 M * bXi ML? 1170282232 M * Bertl Mailing List 1170282237 M * bXi ah 1170282243 M * bXi i guess its too big for that 1170282253 M * daniel_hozac you could post a link, no? 1170282263 M * bXi its internal network 1170282264 M * Bertl bXi: really= 1170282273 M * Bertl bXi: really so big? 1170282275 M * bXi and i dont have access to that firewall 1170282282 M * bXi its quite a lot of text 1170282291 M * bXi or on the other hand 1170282292 M * dlezcano Bertl: at least, is L3 namespace useful for Linux-Vserver ? 1170282293 M * bXi not really 1170282308 M * dlezcano Bertl: I saw the sharing IP concept is missing in my patches 1170282315 M * daniel_hozac dlezcano: AFAICT it would impose limits we don't have right now. 1170282321 M * Bertl dlezcano: as I said, we have a few issues with your patch 1170282331 M * Bertl they basically boil down to: 1170282341 M * Bertl - moving/vanishing interfaces/ips 1170282352 M * Bertl - overlapping host/guest and guest/guest sets 1170282365 M * Bertl - post creation ip set adjustments 1170282390 M * Bertl - visual sugar for userspace (virtualization) 1170282395 M * Bertl that's it 1170282401 M * dlezcano visual sugar ? 1170282411 M * Bertl well, what we do for interfaces for example 1170282417 M * Bertl let me give a simple example here 1170282417 M * daniel_hozac hiding inaccessible addresses/interfaces. 1170282433 M * dlezcano ok 1170282437 M * Bertl eth0 gets three addresses 10.0.0.1, 10.0.0.2 and 10.0.0.3 1170282448 M * Bertl the host will show 10.0.0.1 1170282459 M * Bertl the other two are only visible with ip addr ls 1170282470 M * Bertl (as they are no aliases) 1170282477 M * bXi Bertl: you know what 1170282485 M * bXi i'll finish up my script a bit tomrrow 1170282488 M * Bertl dlezcano: guest A has 10.0.0.2 assigned 1170282489 M * bXi and mail that 1170282501 M * Bertl bXi: excellent idea! 
make sure to state a proper license 1170282519 M * bXi DWTFYWWI :D 1170282523 M * Bertl dlezcano: the guest (context) will now show eth0 with only 10.0.0.2, even in ifconfig 1170282529 M * daniel_hozac (and to clear it with the legal department) 1170282548 M * dlezcano L3 patches does that 1170282557 M * bXi legal department? 1170282568 M * Bertl dlezcano: oh, must have missed that one ... 1170282590 M * Bertl dlezcano: ah, that is a side effect of moving the ip around, right 1170282612 M * Bertl dlezcano: so you can probably scratch that point 1170282614 M * daniel_hozac bXi: you wrote it at work, no? at least here, that means your employer is the copyright holder. 1170282636 M * bXi its own work being used there 1170282643 M * bXi basically its me and him 1170282644 M * dlezcano Bertl: post creation is allowed too 1170282661 M * bXi s/him/the boss/ 1170282692 M * Bertl dlezcano: okay, what about adding ips which are not present at the host (yet)? 1170282719 M * Bertl i.e. which become active once they are created on the host 1170282737 M * dlezcano Bertl: you create it in the host 1170282739 M * Bertl (this is used in failover scenarios, btw) 1170282756 M * dlezcano Bertl: and "push" it to the L3 namespace 1170282772 M * dlezcano No ip management is allowed into the L3 namespace 1170282782 M * Bertl yes, but before that, the guest space will not be allowed to bind to those, right? 1170282783 M * dlezcano You lose the CAP_NET_ADMIN 1170282798 M * dlezcano yes right. 1170282800 M * Bertl so the guest will be able to bind to *, but not the ip 1170282805 M * dlezcano yes 1170282828 M * Bertl okay, not a real issue, I have to admit 1170282858 M * dlezcano The real issue is the IP overlapping 1170282879 M * dlezcano The L3 namespace brings strict IP isolation 1170282899 M * dlezcano That is wanted to ensure socket isolation too. 1170282945 M * dlezcano If I got it, Linux-Vserver does IP sharing between guests, right ? 1170282952 M * daniel_hozac yes.
1170282968 M * dlezcano Why do you need to do that ? 1170282968 M * daniel_hozac so you can run your mail server in one guest, and the web server in another. 1170283001 M * dlezcano oh, ok. 1170283001 M * Bertl yes, service isolation is a major argument there 1170283003 M * daniel_hozac but they share the IP address because, e.g. you're low on public addresses, or whatever. 1170283007 N * ebiederm ebiederm_away 1170283012 M * dlezcano Very interesting 1170283028 M * Bertl you can work around that with some D/SNAT rules though 1170283049 M * Bertl i.e. assigning private ips and doing some DNAT on them 1170283065 M * Bertl (note that this happens on the host too) 1170283073 M * dlezcano Your interest is to have the same network front-end but the fall into different guests ? 1170283096 M * Bertl yes, for service separation, that is it 1170283119 M * dlezcano interesting feature. 1170283139 M * dlezcano Is it a big issue to not have that ? 1170283162 M * Bertl IMHO it is a violation of the basic principles we use 1170283175 M * daniel_hozac yeah, that'd break the chroot-for-network concept. 1170283181 M * Bertl chroot() doesn't suddenly hide away the filesystem tree :) 1170283186 M * dlezcano I mean, if you can setup some forwarding rules in order to enter different containers, is it acceptable ? 1170283215 M * matti Good night folks. 1170283222 M * Bertl I think we could live with that, as long as the ips stay on the host 1170283230 M * Bertl matti: good night! 1170283231 M * dlezcano eg. 10.0.0.1:80 => 10.0.0.2@container 1170283236 M * matti Bertl: Thank you. 1170283257 M * dlezcano eg. 10.0.0.1:80 => 10.0.0.2:80@container1 1170283260 M * dlezcano and 1170283281 M * dlezcano 10.0.0.1:8080 => 10.0.0.3:8080@container2 1170283282 M * dlezcano ? 1170283325 M * Bertl might work, if that is flexible enough (i.e. 
based on some iptables entry) 1170283368 M * dlezcano Bertl: the idea behind the L3 namespace is to bring IPV4 fully functional and fit all your needs too 1170283393 M * ebiederm_away Bertl: Of course packet filter should introduce about as much overhead as full L2 namespace. 1170283419 M * daniel_hozac it should probably support IPv6 too. 1170283442 M * dlezcano IPV6 is, of course, absolutely needed. 1170283443 M * Bertl ebiederm_away: that might indeed be a problem 1170283458 N * ebiederm_away ebiederm 1170283519 M * dlezcano For the moment the L3 namespace is not optimized 1170283542 M * dlezcano But I have a few ideas to reduce the overhead 1170283558 M * dlezcano And I don't think using netfilters is a good idea 1170283559 M * Bertl what worried me most are the disappearing ips 1170283562 M * ebiederm dlezcano: Have you measured the overhead? 1170283584 M * dlezcano I measured the overhead before having the L2 namespace 1170283599 M * dlezcano I mean, using the routing tag mechanisms 1170283611 M * dlezcano The overhead was not measurable 1170283626 M * dlezcano And the performance were near native performances 1170283634 M * Bertl near means? 1170283674 M * dlezcano Bertl: do you want values ? 1170283692 M * Bertl yes, please, btw, do we have any performance values for the 2.6.19 changes yet? 1170283717 M * ebiederm Bertl: Which ones? ips and uts namespaces? 1170283739 M * dlezcano Bertl: one moment, I will look for the document 1170283755 M * Bertl ebiederm: yes, and the restructuring already done there for nsproxy 1170283768 Q * Piet Ping timeout: 480 seconds 1170283786 M * ebiederm I know Serge did some measurements early on and it was all in the noise. 1170283842 M * Bertl hmm, with namespaces or just with one space? 1170283877 M * ebiederm My memory was with one, and with nsproxy. It has been a long time, and the values should be in the archives. 1170283892 M * Bertl okay, will search for them ... 1170283901 M * Bertl which archive btw?
1170283920 M * mugwump I think that was probably cross-posted widely 1170283924 M * mugwump I remember seeing it 1170283949 M * ebiederm I think it was on the containers-list. Possibly lkml. I just know it was one of those good bits of the conversation that went out to everybody. 1170284031 M * dlezcano Bertl: didn't find the document 1170284059 M * dlezcano Anyway, I will do some measurement very soon for L2 and L3 posted to containers@ 1170284322 M * Bertl excellent, TIA 1170284404 A * dlezcano goes to bed 1170284412 M * dlezcano see you 1170284413 Q * me Remote host closed the connection 1170284416 M * dlezcano bye 1170284423 M * mugwump thanks dlezcano 1170284428 M * dlezcano thx 1170284454 M * Bertl cya 1170284768 J * Piet hiddenserv@tor.noreply.org 1170284822 A * mugwump considers how much of http://www.paul.sladen.org/vserver/archives/200602/0018.html is still to-do 1170284843 M * mugwump how are things like bme, mad cow, etc going in terms of integration? 1170284887 Q * yarihm Quit: Leaving 1170284890 M * Bertl almost zero 1170284903 M * Bertl there were several efforts to get bme into mainline 1170284911 M * Bertl (not just from my side :) 1170284936 M * Bertl but none of those were accepted, well some not even rejected ... 1170284979 M * ebiederm I thought the last round of that was picked up. 1170284979 M * Bertl I'm not even considering CoW a candidate anymore, I would be happy if the sendpage stuff would get into mainline :) 1170285002 M * Bertl so that you can actually 'copy' a file inside the kernel 1170285015 M * Bertl although copying an inode would be much much better 1170285072 M * ebiederm There is probably some similarity with the current unionfs work. 1170285085 M * Bertl yes, I guess so 1170285217 M * ebiederm At least it looked like Dave Hansen was close on the bind mount front.
1170285243 M * Bertl well, haven't heard anything about that recently 1170285289 M * ebiederm There is enough heavy lifting to do to make the interfaces clean that I haven't been worrying about that one. 1170285289 J * Pazzo ~ugelt@dialin-225136.rol.raiffeisen.net 1170285356 M * Pazzo hi @ll! 1170285363 M * daniel_hozac hello Pazzo. 1170285366 A * Pazzo is going crazy :-( 1170285373 M * Pazzo hi daniel_hozac! 1170285406 M * Pazzo rhel is driving me crazy :-( 1170285420 M * hardwire` rhel drives most people crazy 1170285424 M * Bertl drop it, get a new distro :) 1170285440 M * daniel_hozac how come? 1170285444 M * hardwire` by new distro he means debian. 1170285466 M * daniel_hozac the one shipping broken vserver kernels? that's an upgrade? :) 1170285468 M * Pazzo I'm running lot's of Debian vServers - all of them running really fine, no problems 1170285526 M * Pazzo now I have to create two new guests (rhel-based) out of already running "physical" rhel hosts 1170285562 M * Pazzo host is running etch 1170285580 M * daniel_hozac but? 1170285583 M * Pazzo uname: 2.6.18-vs2.1.1-rc48rol-em64t 1170285593 M * daniel_hozac hmm, that's really old. 1170285610 M * Bertl we have an rc48? 1170285620 M * daniel_hozac that was the last one, IIRC. 1170285647 M * Bertl gee, we could have made 50 easily :) 1170285661 M * daniel_hozac yeah :) 1170285661 M * Pazzo atm there is one debian guest running fine 1170285677 M * Pazzo yesterday we struggled a little bit with the first rhel guest 1170285686 M * Pazzo and since then it works fine 1170285736 N * jbailey jbailey-afk 1170285749 M * Pazzo today we are moving the second rhel host (version 3, the other one is running version 4) 1170285761 M * Pazzo (btw: HI BERTL!!!) 
1170285786 N * ebiederm ebiederm_away 1170285819 Q * ensc Killed (NickServ (GHOST command used by ensc_)) 1170285820 M * Pazzo each vserver has its own drbd partition within a lvm partition - but this fact shouldn't cause any problems 1170285829 J * ensc ~irc-ensc@p54B4F291.dip.t-dialin.net 1170285878 M * Pazzo now my first problem: if I don't leave rc.sysinit in /etc/inittab the "boot" process stops after minilogd 1170285895 M * daniel_hozac hmm? 1170285916 M * daniel_hozac did you run the initpost script for Red Hat derived guests? 1170285938 M * Pazzo initpost script?? tell me more please!! 1170285974 A * Pazzo stopped using redhat after 7.3 1170286002 M * daniel_hozac /usr/lib*/util-vserver/distributions/redhat/initpost /etc/vservers/ /usr/lib*/util-vserver/util-vserver-vars 1170286065 M * Pazzo should I run /usr/lib, /usr/lib64 or both(*) of them? 1170286073 M * Pazzo host is 64bit, clients 32bit 1170286080 M * daniel_hozac wherever util-vserver is installed. 1170286102 M * daniel_hozac (i.e. unless you have util-vserver for both 64 and 32-bit installed, you shouldn't need to change anything) 1170286160 M * Pazzo got it: lrwxrwxrwx 1 root root lib64 -> lib 1170286175 M * Pazzo so I'll better leave the * away :) 1170286185 M * daniel_hozac it won't matter. 1170286202 M * Pazzo should I stop the vserver first? 1170286205 M * daniel_hozac or, hmm, with a symlink i guess it would. 1170286206 M * daniel_hozac yes. 1170286224 M * daniel_hozac (i'm too used to properly multilibbed systems :)) 1170286306 M * Pazzo btw: what does redhat/initpost do? 1170286330 M * daniel_hozac it performs cleanup on the guest 1170286383 M * daniel_hozac gets it into a known-good state. 1170286399 J * [Che]eDog ~edog@91.149.145.111 1170286415 M * Pazzo hmm... guest is running nothing but two processes - init and syslogd 1170286427 M * daniel_hozac as expected. 1170286435 M * Pazzo aaah 1170286437 M * daniel_hozac part of the cleanup is to disable all the services.
1170286461 M * Pazzo great... just a sec 1170286480 M * Bertl welcome [Che]eDog! 1170286494 M * [Che]eDog hello world 1170286534 Q * [Che]eDog 1170286561 J * [Che]eDog ~edog@91.149.145.111 1170286567 M * Pazzo runlevel is unknown?? 1170286584 M * daniel_hozac hmm? 1170286599 J * thunder18 ~thu@tor-irc.dnsbl.oftc.net 1170286623 Q * thunder1 Ping timeout: 480 seconds 1170286635 M * Pazzo [root@guest /]# runlevel 1170286640 M * Pazzo unknown 1170286654 M * daniel_hozac plain initstyle? 1170286672 M * Pazzo yes 1170286691 M * daniel_hozac ah, hmm. 1170286699 M * Pazzo (at least with debian it works great) 1170286707 M * daniel_hozac try using sysv instead. 1170286717 M * daniel_hozac or do you actually need the init for some reason? 1170286725 M * Pazzo don't think so 1170286738 M * daniel_hozac ensc: is this case handled? plain initstyle with a properly cleaned up redhat guest? 1170286741 N * thunder18 thunder1 1170286818 M * Pazzo great, works! 1170286841 M * Pazzo is "halt" expected to work with sysv initstyle? 1170286853 M * daniel_hozac you could do echo -e "/usr/lib/util-vserver/fake-runlevel\n3\n/var/run/utmp" > /etc/vservers//apps/init/cmd.prepare, if you need the plain initstyle. 1170286854 M * Pazzo [root@host /]# halt 1170286856 M * daniel_hozac halt -f will. 1170286859 M * Pazzo init: timeout opening/writing control channel /dev/initctl 1170286860 M * daniel_hozac as will reboot -f. 1170286957 M * Pazzo hmmm... what's the difference between plain and sysv?? I thought that there will be no fake "init" process with sysv - but this doesn't seem to be true... 1170286971 M * daniel_hozac with sysv, there _will_ be a fake init. 1170286980 M * daniel_hozac with plain, you have an actual init running. 1170287046 M * Pazzo aaah... ok, and that's why a "normal" halt doesn't work, right? and probably also things like "telinit -q" etc will not have any effect?! (doesn't matter, I don't need it) 1170287058 M * daniel_hozac right.
1170287069 M * Pazzo still unable to cleanly stop the guest 1170287093 M * daniel_hozac meaning? 1170287120 M * Pazzo unfsd and minilogd are still running (-> maybe because there is no chkconfig for unfsd?) 1170287132 M * Pazzo but where does minilogd come from??? 1170287135 M * daniel_hozac probably. 1170287141 M * daniel_hozac minilogd is a known problem. 1170287169 M * Pazzo is there also a known solution? :-p 1170287173 M * daniel_hozac however, the initpost script should've created an /etc/init.d/halt script that should take care of it... 1170287193 M * daniel_hozac wait, no, i'm confusing issues. 1170287210 M * daniel_hozac IIRC the minilogd thing needs you to comment a couple of lines in /etc/init.d/functions. 1170287251 M * Pazzo grep minilogd -r /etc/ | wc -l -> 0 lines 1170287279 M * daniel_hozac or, alternatively, export IN_INITLOG=1 from /etc/rc.d/rc. 1170287297 M * daniel_hozac (i guess version number 2 is cleaner) 1170287302 M * Pazzo there is also no running minilogd process 1170287312 M * daniel_hozac it's started after syslogd is stopped. 1170287325 M * Pazzo great 1170287328 M * daniel_hozac to log the service stops/starts. 1170287356 M * daniel_hozac but, adding export IN_INITLOG=1 to /etc/rc.d/rc should do the trick. 1170287432 M * Pazzo stopping now results in one "invalid file descriptor" error per stopped process 1170287438 M * Pazzo but minilogd is gone 1170287465 M * Pazzo any idea how to avoid this ugly errors? IN_INITLOG=2? 1170287493 M * Pazzo nope, same thing 1170287501 M * daniel_hozac add exec 21> /dev/null too. 1170287517 M * daniel_hozac (i think, i can never remember that syntax) 1170287562 M * Pazzo looks promising 1170287593 M * Pazzo yep, great 1170287636 J * lilalinux_ ~plasma@dslb-084-058-216-122.pools.arcor-ip.net 1170287683 Q * Piet Ping timeout: 480 seconds 1170287698 M * Pazzo Why doesn't killall remove my unfsd daemon? (process is currently started by a simple shell script, there is no redhat alike start/stop script)?
1170287736 M * daniel_hozac the killall script doesn't actually run killall, it just runs through the available run-files in /var/lock/subsys and stops those services. 1170287740 M * Pazzo (and a simple "kill " within the vserver does the job) 1170287761 P * stefani I'm Parting (the water) 1170287766 M * daniel_hozac the halt script is meant to run killall though... what does cat /etc/init.d/halt say inside your guest? 1170287780 M * Pazzo hmmm... that's why I don't like the sysv initstyle :o) 1170287792 M * Pazzo exec /sbin/killall5 -15 1170287822 M * daniel_hozac "fix" ecryptfs 1170287822 M * daniel_hozac * use nx_check for all network related checks 1170287822 M * daniel_hozac * special-case migrate to nid 1 1170287830 M * daniel_hozac ugh, stupid mouse buttons... 1170287856 M * daniel_hozac that should do the trick, what does ls -l /etc/rc0.d/S* show? 1170287963 M * Pazzo /etc/rc0.d/S00killall -> ../init.d/killall 1170287993 M * Pazzo should I change it to /etc/init.d/halt? 1170287999 M * daniel_hozac so no S01halt -> ../init.d/halt?