1172275353 J * Aiken ~james@ppp126-23.lns2.bne4.internode.on.net
1172275365 Q * Aiken
1172275401 J * Aiken ~james@ppp126-23.lns2.bne4.internode.on.net
1172275440 Q * Aiken
1172277148 Q * me Remote host closed the connection
1172277553 Q * vaq Ping timeout: 480 seconds
1172278026 Q * blizz_ Server closed connection
1172278026 J * blizz ~blizz@evilhackerdu.de
1172278522 Q * Piet_ Quit: Piet_
1172279096 Q * gerrit Ping timeout: 480 seconds
1172280922 Q * cehteh Server closed connection
1172280939 J * cehteh ~ct@pipapo.org
1172283716 Q * ruskie Remote host closed the connection
1172283744 Q * meandtheshell Quit: Leaving.
1172283900 J * ruskie ruskie@ruskie.user.oftc.net
1172287895 Q * [PUPPETS]Gonzo Server closed connection
1172287915 J * [PUPPETS]Gonzo gonzo@langweiligneutral.deswahnsinns.de
1172288553 J * Aiken ~james@ppp126-23.lns2.bne4.internode.on.net
1172290018 Q * ensc Ping timeout: 480 seconds
1172290196 M * Bertl okay, off to bed now .. have a good one everyone! cya!
1172290203 N * Bertl Bertl_zZ
1172291917 J * Aiken_ ~james@ppp119-251.lns1.bne4.internode.on.net
1172292233 Q * Aiken Ping timeout: 480 seconds
1172292461 Q * deEvilCat Ping timeout: 480 seconds
1172294342 Q * hardwire Server closed connection
1172294365 J * hardwire ~hardwire@rdbck-6299.wasilla.mtaonline.net
1172295102 Q * Hollow Read error: Connection reset by peer
1172295134 J * Hollow ~hollow@styx.xnull.de
1172295135 Q * phreak`` Read error: No route to host
1172295146 Q * mEDI_S Ping timeout: 480 seconds
1172295147 J * Loki|muh_ loki@satanix.de
1172295176 Q * yang Read error: Connection timed out
1172295176 Q * Loki|muh Read error: Connection reset by peer
1172295177 N * Loki|muh_ Loki|muh
1172295201 J * yang ~yang@cpe-213-157-253-172.dynamic.amis.net
1172295222 J * mEDI_S ~medi@snipah.com
1172295263 Q * micah Server closed connection
1172295271 J * micah ~micah@micah.riseup.net
1172295698 J * phreak`` ~phreak``@deimos.barfoo.org
1172296184 Q * Radiance Server closed connection
1172296201 J * Radiance db50248014@halt.1984world.eu
1172298250 Q * fosco Server closed connection
1172298251 J * fosco fosco@konoha.devnullteam.org
1172298707 Q * Medivh Server closed connection
1172298759 J * Medivh ck@paradise.by.the.dashboardlight.de
1172301971 J * DoberMann_ ~james@AToulouse-156-1-72-223.w90-16.abo.wanadoo.fr
1172302077 Q * DoberMann[ZZZzzz] Ping timeout: 480 seconds
1172303340 Q * bored2sleep Server closed connection
1172303403 J * bored2sleep ~bored2sle@66.111.53.150
1172305206 Q * doener Server closed connection
1172305226 J * doener ~doener@host.magicwars.de
1172308316 Q * bon Server closed connection
1172308318 J * bon bon@stichting-brein.eu
1172309109 J * ensc ~irc-ensc@p54B4EF67.dip.t-dialin.net
1172309361 N * DoberMann_ DoberMann
1172309560 Q * kaner Server closed connection
1172309564 J * kaner kaner@strace.org
1172309665 Q * sannes cation.oftc.net neutron.oftc.net
1172309665 Q * PowerKe cation.oftc.net neutron.oftc.net
1172309665 Q * s0undt3ch cation.oftc.net neutron.oftc.net
1172309665 Q * sid3windr cation.oftc.net neutron.oftc.net
1172309665 Q * AndrewLee cation.oftc.net neutron.oftc.net
1172309665 Q * weasel Remote host closed the connection
1172309666 J * sannes ace@har.sagt.no
1172309666 J * sid3windr luser@bastard-operator.from-hell.be
1172309677 J * AndrewLee ~andrew@flat.iis.sinica.edu.tw
1172309677 J * PowerKe ~tom@d54C13E4B.access.telenet.be
1172309680 J * s0undt3ch ~s0undt3ch@80.69.34.154
1172310179 Q * phedny_ Remote host closed the connection
1172310343 J * weasel weasel@asteria.debian.or.at
1172312848 J * DavidS ~david@chello062178045213.16.11.tuwien.teleweb.at
1172314528 J * meandtheshell ~markus@85-124-207-12.dynamic.xdsl-line.inode.at
1172316663 J * EvilDin ~Snake@BSN-77-83-28.dsl.siol.net
1172316691 M * EvilDin am how can i add entry to fstab in gentoo vserver
1172316856 J * Aiken__ ~james@ppp96-171.lns1.bne1.internode.on.net
1172317176 Q * Aiken_ Ping timeout: 480 seconds
1172317176 Q * Guy- Ping timeout: 480 seconds
1172317301 M * daniel_hozac EvilDin: same way you'd do it for any other type of host/guest?
1172317386 J * dna ~naucki@33-208-dsl.kielnet.net
1172317427 J * ema ~ema@lart.galliera.it
1172317631 Q * dna
1172318155 Q * Aiken__ Remote host closed the connection
1172318175 J * dna ~naucki@33-208-dsl.kielnet.net
1172319774 T * daniel_hozac http://linux-vserver.org/ | latest stable 2.0.2.1, 2.0.3-rc1, 2.2.0-rc14/pre4, devel 2.3.0.10, stable+grsec 2.0.2.1, 2.2.0-rc13.1 | util-vserver-0.30.212 | libvserver-1.0.2 & vserver-utils-1.0.3 | He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the Wiki, and we'll forget about the minute ;)
1172322493 J * Piet hiddenserv@tor.noreply.org
1172323433 M * matti dna: :)
1172323436 M * matti daniel_hozac: :)
1172323597 M * daniel_hozac morning matti
1172323912 Q * michal` Ping timeout: 480 seconds
1172324060 J * Guy- 0fNMbE209u@chardonnay.math.bme.hu
1172324092 M * matti Morning, how are you?
1172324132 M * daniel_hozac i'm fine thanks. you?
1172324166 J * _dmax ~semaj@bl9-224-203.dsl.telepac.pt
1172324333 J * michal` ~michal@www.rsbac.org
1172324521 Q * dmax Ping timeout: 480 seconds
1172324523 N * _dmax dmax
1172325834 M * orzel hello. i have a vserver on the same computer as the nat/gateway for my local network. I can't ping outside.
1172325843 M * orzel i can ping all IP of the host computer
1172325849 M * orzel and i can ping computer on the local network
1172325870 M * daniel_hozac are you NATing it properly?
1172325900 J * Piet_ hiddenserv@tor.noreply.org
1172325917 M * daniel_hozac IIRC -j MASQUERADE does not apply to local connections, so you need a -j SNAT --to ...
1172325930 M * orzel ok, gonna try this.
1172326005 M * orzel iptables -t nat -A POSTROUTING -s 10.11.0.128 -o eth0 -j SNAT --to 192.168.1.1 <- i already got this
1172326009 M * orzel 128 is the vserver
1172326012 J * VooDooMaster ~icechat5@p549CBC06.dip0.t-ipconnect.de
1172326014 M * orzel 192.168 is the host
1172326036 Q * VooDooMaster
1172326036 M * orzel eth0 is the outside link (even if it looks like a local address)
1172326090 M * daniel_hozac so 192.168.1.1 is the external address?
1172326095 M * orzel mmh, no, it's fixed !
1172326114 M * orzel i had to exchange the order with iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
1172326124 M * orzel thanx for pointing me to the iptables rule anyway :)
1172326292 Q * Piet Ping timeout: 480 seconds
1172327608 J * VooDooMaster ~VooDooMas@p549CBC06.dip0.t-ipconnect.de
1172327655 M * VooDooMaster hello everybody!
1172327712 M * VooDooMaster Short question: If I create a new vserver from the stage3 template - what's already installed in that vserver?
1172327780 M * VooDooMaster if I say vserver xyz start and then vserver xyz enter the vserver is up and running ...
1172327826 M * daniel_hozac equery list?
1172327842 M * VooDooMaster in the howto on linux-vserver.org -> gentoo it looks like that syslog-ng is already installed and running in the template
1172327859 M * VooDooMaster equery is not installed in the template
1172327880 M * VooDooMaster emerge equery gives me an ARCH is not set ...
1172327895 M * daniel_hozac what stage3 did you use?
1172327919 M * daniel_hozac a snapshot with baselayout 1.13? or the vserver one?
1172327923 Q * DavidS Quit: Leaving.
1172327930 M * VooDooMaster do I have to alter the vserver's fstab ... why isn't that done automagically.
1172327936 M * VooDooMaster I used stage3-x86-20060317.tar.bz2
1172328023 M * VooDooMaster host baselayout 1.12.9 ... util-vserver-0.30.212-r2, sys-kernel/vserver-sources-2.0.2.1
1172328338 M * VooDooMaster daniel_hozac: Any idea or hint for me? ... what's the default way to setup a new vserver or prepare an own template?
1172328350 M * daniel_hozac depends on the type of guest you want.
1172328373 M * VooDooMaster gentoo host and gentoo guest
1172328389 M * daniel_hozac as for creating templates, just run tar -cjf template.tar.bz2 -C /vservers or similar.
1172328412 M * daniel_hozac so what's the problem with vserver ... build -m template ... -- -t stage3... -d gentoo?
1172328470 M * VooDooMaster is that right: vserver template build --context 1000 --hostname template --interface eth0:192.168.100.199/24 --initstyle plain -m template -- -t /vservers/stage3-x86-20060317.tar.bz2
1172328486 M * VooDooMaster which initstyle should I use?
1172328537 M * daniel_hozac for the old template, plain is right.
1172328542 M * daniel_hozac you're missing -d gentoo.
1172328549 M * VooDooMaster what does -d do?
1172328577 M * VooDooMaster can or do I have to use --initstyle gentoo?
1172328617 M * daniel_hozac -d gentoo runs the pre/post configuration scripts for Gentoo guests.
1172328652 M * VooDooMaster aaahhh ... ok ... seems I forgot the "magic switch" ... it's getting a bit brighter in here ;)
1172328697 M * VooDooMaster if I try to delete one of my vservers I get: pkgcfgbase-dir '/vservers/.pkg' does not exist or is invalid
1172328717 M * VooDooMaster seems I did many things wrong ...
1172328730 M * daniel_hozac sounds like the Gentoo package doesn't create that directory, IMHO.
1172328734 M * daniel_hozac unless you removed it yourself.
1172328826 M * VooDooMaster nope - did that vserver.. build command I wrote above and now did vserver .. delete - and that message appeared and the vserver was still there
1172328861 M * VooDooMaster once again back to the initstyle - which one shall I use plain or gentoo?
1172328929 M * daniel_hozac i _think_ either one will work.
1172328937 M * daniel_hozac gentoo used to require baselayout 1.13 though.
1172328944 M * ntrs I have a bit of an off-topic question
1172328950 M * VooDooMaster or better: where do I find the most recent docu/howtos about the whole vserver stuff - so I don't have to ask so much and steal your time?
1172329004 M * ntrs I normally use ext3 as a filesystem but once in a while the journal is damaged or something, due to a panic or similar and I have to do an fsck. Is there another filesystem that would not require a fsck in such a case?
1172329007 M * daniel_hozac http://www.gentoo.org/proj/en/vps/vserver-howto.xml should be up to date, AFAIK.
1172329049 M * daniel_hozac ntrs: the journal is supposed to keep you from requiring fsck. if that's damaged, forcing an fsck is the most logical thing to do, IMHO.
1172329069 M * ntrs right, but what about other filesystems? xfs, jfs?
1172329108 M * daniel_hozac i have no idea, but i imagine a damaged journal invokes the same behaviour in all of them.
1172329142 M * daniel_hozac what other way is there to ensure filesystem consistency?
1172329142 M * ntrs Ok, maybe someone that has used jfs or xfs will see the question and provide some more information.
1172329157 M * ntrs perhaps a journal that's not so easily damaged?
1172329194 M * daniel_hozac i have never experienced a damaged journal...
1172329234 M * ntrs I see that with ext3 all the time.
1172329280 M * daniel_hozac how do you manage that?
1172329292 M * ntrs daniel_hozac, fsck.ext3 after a reboot.
1172329311 M * ntrs daniel_hozac, you never had to use fsck on ext3?
1172329312 M * daniel_hozac i mean, how do you get it damaged all the time?
1172329322 M * daniel_hozac not manually.
1172329346 M * ntrs well, right now there was a kernel panic and after a reboot the filesystem can no longer be mounted.
1172329360 M * daniel_hozac after panics the journal is replayed by fsck.
1172329375 M * ntrs and this is a 2 TB partition, it's a bit large. and it is very heavily utilized, it's part of a backup server.
1172329411 M * ntrs replayed, yes but it cannot be mounted anymore until I do an fsck
1172329474 M * VooDooMaster ntrs: do you use lvm or something like that? do you have everything on one large partition?
1172329481 M * daniel_hozac right, but surely your boot sequence does that for you?
1172329505 M * daniel_hozac the journal replay doesn't take long at all.
1172329519 M * ntrs VooDooMaster, no LVM. The large partition is just the backup partition. The OS is on a separate drive.
1172329547 M * ntrs daniel_hozac, yes the journal replay takes a few seconds but it is insufficient for the partition to become mountable again.
1172329559 M * VooDooMaster sounds good to me - I have 1TB data partitions here and after a crash the journal replay is through in no time ...
1172329572 M * daniel_hozac ntrs: i have never experienced that.
1172329614 M * VooDooMaster ntrs: that sounds very strange - I have to agree with daniel
1172329614 Q * infowolfe Read error: Connection reset by peer
1172329616 M * ntrs after the journal replay, I get this:
1172329618 M * ntrs Clearing orphaned inode 85361154 (uid=0, gid=0, mode=0100000, size=8389488560141069312)
1172329619 M * ntrs Illegal block #0 (909652841) found in orphaned inode 85361154.
1172329634 J * infowolfe ~infowolfe@c-67-164-195-129.hsd1.ut.comcast.net
1172329671 M * ntrs When trying to mount I get this a million times in dmesg:
1172329675 M * ntrs ext3_orphan_cleanup: deleting unreferenced inode 85361153
1172329675 M * ntrs EXT3-fs error (device sda1) in start_transaction: Journal has aborted
1172329676 Q * sid3windr Ping timeout: 480 seconds
1172329684 M * VooDooMaster hmmm ... have you checked your harddisks? could be, that there is a slowly growing defect on one or more HDs destroying your data and/or journal
1172329690 M * ntrs "Journal has aborted" - what does that mean?
1172329723 M * ntrs all disks are in a RAID5 array and are regularly checked with smartctl
1172329761 M * daniel_hozac battery backup for the RAID card?
1172329791 M * ntrs daniel_hozac, not sure.
1172329821 M * ntrs that is why I was asking if there is some other filesystem whose journal does not abort that easily.
1172329893 M * VooDooMaster I think not the filesystem is your main problem ;) there's something nasty messing up your data/journal ... and why do you get kernel_panics so often?
1172329922 M * VooDooMaster how do you "backup" your data to the backupserver? drbd? rsync?
1172329943 M * ntrs rsync
1172330008 M * VooDooMaster rsync should not kill your kernel ... when do you get those kernel-panics?
1172330118 M * ntrs the most recent one was today and it was a panic in kswapd0 at remove_inode_buffers
1172330142 M * VooDooMaster how much ram? how much swap-space?
1172330156 J * sid3windr luser@bastard-operator.from-hell.be
1172330358 M * ntrs 1 GB RAM with 4 GB swap
1172330365 M * ntrs 1 GB RAM with 3 GB swap
1172330386 M * ntrs almost all the ram is free most of the time.
1172330409 M * VooDooMaster hmmm ... should be more than enough - even for a 2tb rsync-run
1172330418 M * VooDooMaster once again: very strange
1172330573 M * VooDooMaster how often do you do the rsync-run for backup?
1172330607 M * VooDooMaster when does your kernel crash? while collecting the files to copy? while syncing? or without doing anything?
1172330648 M * VooDooMaster but all that doesn't explain why your journal gets crashed :/
1172330741 M * VooDooMaster daniel_hozac: by the way - -d was the magic switch - thanks - now everything looks MUCH better!
1172330825 M * VooDooMaster daniel_hozac: can I mount portage rw in my template and generate some often used packages as bin-packages in there and then set up other vservers using those bin packages later?
1172330835 M * daniel_hozac sure.
1172330943 J * FireEgl Atl-NA@68.220.222.136
1172331120 M * VooDooMaster daniel_hozac: aaannnd ... ;) .. if I want to set up a samba-vserver with ldap support - but also want to setup an extra ldap server - do I have to set samba-vserver use-flags -ldap to keep emerge from emerging openldap? or doesn't my samba lack ldap support then?
1172331146 M * daniel_hozac i have absolutely no idea.
1172331155 M * daniel_hozac i have never used Gentoo.
1172331167 M * VooDooMaster daniel_hozac: ah - ok - what distro do you use?
1172331174 M * daniel_hozac Fedora.
1172331178 M * daniel_hozac and CentOS.
1172331226 M * VooDooMaster daniel_hozac: I never tried this one ;) - but many friends say it's really worth trying ... hmmm ... I really should try it, too ;)
1172331250 M * VooDooMaster daniel_hozac: fedora surely has dependencies, too, doesn't it?
1172331259 M * daniel_hozac of course.
1172331265 M * VooDooMaster daniel_hozac: how do you manage it with fedora?
1172331274 M * daniel_hozac manage what? you just install stuff.
1172331297 M * daniel_hozac it pulls in whatever is needed.
1172331412 M * VooDooMaster daniel_hozac: yes - but if you set up an ldap-server and a separate samba server with built-in ldap support - how do you keep the package management from installing a complete ldap-environment in the samba-vserver
1172331459 M * daniel_hozac i don't understand. if you install Samba with LDAP support, you _need_ to install LDAP as well.
1172331480 M * daniel_hozac not necessarily the server, but the libraries for sure.
1172331489 M * daniel_hozac unless you're one of those "ooo, static libraries, neat!" people.
1172331512 M * VooDooMaster daniel_hozac: LOL - no - I'm none of those ;)
1172331563 M * VooDooMaster daniel_hozac: I think I'll have to play around a bit more with some gentoo-switches .. by now I get only a full LDAP-install, when I want samba with ldap-support
1172331623 M * daniel_hozac i guess Gentoo doesn't have the subpackage concept?
1172331675 M * VooDooMaster daniel_hozac: don't know :/
1172332572 M * VooDooMaster daniel_hozac: thanks for your help - I'm off testing now
1172332596 M * VooDooMaster ntrs: Good luck with your filesystem!
1172332600 Q * VooDooMaster Quit: KVIrc 3.2.5 Anomalies http://www.kvirc.net/
1172333317 Q * sladen Ping timeout: 480 seconds
1172333393 J * sladen paul@starsky.19inch.net
1172335955 Q * FireEgl Quit: ...
1172336232 J * gerrit ~gerrit@c-67-160-146-170.hsd1.or.comcast.net
1172336677 J * bonbons ~bonbons@83.222.38.57
1172337004 J * badari1 ~badari@200.157.90.3
1172337432 Q * badari Ping timeout: 480 seconds
1172337492 J * iarwain ~iarwain@eu100-229-249.clientes.euskaltel.es
1172337492 J * badari2 ~badari@bi01p1.co.us.ibm.com
1172337528 P * iarwain
1172337736 Q * dna Read error: Connection reset by peer
1172337760 J * dna ~naucki@33-208-dsl.kielnet.net
1172337830 Q * badari1 Read error: Operation timed out
1172338269 J * badari1 ~badari@200.157.90.3
1172338384 M * sid3windr hehe
1172338395 M * sid3windr andrew morton likes containerisation better!
1172338399 M * sid3windr I guess that fits linux-vserver
1172338402 M * sid3windr one kernel to rule them all ;)
1172338700 Q * badari2 Ping timeout: 480 seconds
1172338721 M * ard Hmmm
1172338748 M * ard I think it's more of a must to have some kind of jailing securitywise
1172338753 J * badari ~badari@bi01p1.co.us.ibm.com
1172338768 M * sid3windr he wanted to boot suse and fedora on the same box, with the same kernel
1172338775 M * sid3windr sounds a lot like linux-vserver to me :)
1172339121 Q * badari1 Ping timeout: 480 seconds
1172340485 M * ntrs can the kernel take advantage of dual and quad core cpus?
1172340503 M * harry yes
1172340525 M * ntrs would a single quad core perform as good as dual dual core?
1172340953 M * daniel_hozac intel quad? IIRC that's just dual dual core on one chip.
1172340989 M * ntrs yes, intel quad
1172340998 M * ntrs would a single quad core perform as good as dual dual core?
1172341020 M * daniel_hozac so, if my memory serves, it should be equal.
1172341096 M * ntrs really? but what about front side bus? bandwidth to RAM and HDDs?
1172341149 M * daniel_hozac but if the quad is just dual dual core on one chip, there are absolutely no differences regarding those.
1172341222 M * ntrs it has two fsbs?
1172341235 M * daniel_hozac no, one FSB over which the two processors communicate, IIRC.
1172341279 M * ntrs ok, so the bandwidth to the ram and the hdds will be larger on a dual dual system.
1172341454 N * Bertl_zZ Bertl
1172341458 M * Bertl morning folks!
1172341488 M * Bertl ntrs: that depends on many parameters ...
1172341522 M * daniel_hozac morning Bertl!
1172341540 M * Bertl ntrs: the speed of the FSB, the RAM speed and architecture, the CPU-CPU bus, the caches ...
1172341545 M * ntrs I need to get some new servers so I am currently researching if I should go dual or quad core.
1172341562 M * Bertl get one of both for testing, and run a few tests on them
1172341607 M * ntrs I can't really get one of each. they are pretty expensive. I need to be sure in advance what I am purchasing.
1172341622 M * Bertl http://en.wikipedia.org/wiki/Dual_core
1172341626 M * daniel_hozac Bertl, ensc, doener, Hollow: i'm contemplating removing the rbind on to /, as it doesn't really buy us anything and causes problems (the /usr/bin/{nice,env -> ../../bin/{nice,env} ones), or am i forgetting something?
1172341674 M * Bertl daniel_hozac: you should definitely revisit _all_ the chroot exploits we know ...
1172341716 M * Bertl (and have a talk with ensc, of course :)
1172341773 M * daniel_hozac well, IMHO we don't reach the new / until you've already broken out of the chroot.
1172341864 M * ntrs Bertl, I assume 2.2.0 is not anywhere closer to being released compared to a week or two ago?
1172341881 M * Bertl daniel_hozac: I never completely grokked the mechanisms ensc used to protect the chroot
1172341899 M * Bertl ntrs: of course, it is a week or two closer to final release :)
1172341914 M * doener daniel_hozac: yeah, either broken out of it, or in case of the problems we see with those nice/env symlinks, we have "dotted up" too much
1172341939 M * daniel_hozac ../../../ in a guest doesn't do anything though.
1172341949 M * Bertl ntrs: seriously, we had to fix a few minor and probably a major issue (fixed in rc14), so we still need more feedback/testing
1172341957 M * doener yeah, the "dot up" is only a matter prior to chrooting
1172341961 M * ntrs Bertl, you know what I mean. rc14 is out, will there be rc 15 next week or can we hope for a final release soon?
1172341962 M * daniel_hozac right.
1172341987 M * daniel_hozac ntrs: once there are no new problems, a final release would be the next logical step..
1172341993 M * Bertl ntrs: I'm always optimistic that the current rc will be final
1172342010 M * daniel_hozac doener: you suggested we remove it back in the 2.0.2 days, right?
1172342011 M * ntrs Bertl, ok, I might setup a new kernel on a few production machines just to see how it goes.
1172342029 M * Bertl ntrs: that would definitely help and speed up the process
1172342070 M * doener daniel_hozac: yep, I never understood it before, and when I got to understand it, it still seemed just as useless, as it protects only against a very limited set of attacks, which are (AFAICT) all caught by the barrier
1172342079 M * yang hi Bertl doener
1172342094 M * daniel_hozac i agree, the barrier should protect against everything.
1172342126 M * Bertl doener, daniel_hozac: would be nice if we could double check that by writing/testing such 'limited sets of attacks'
1172342155 M * daniel_hozac what ways do we know of to break out of a chroot?
1172342158 M * Bertl I would also appreciate to add those to our soon to come (I can dream, can't I?) fully automated test suite :)
1172342197 M * Bertl - attacks based on removing the barrier
1172342218 M * Bertl - attacks based on bypassing the barrier
1172342242 M * Bertl - access not covered/handled by the barrier
1172342253 M * Bertl - access not handled by the namespace
1172342267 M * daniel_hozac hmm? how would a guest remove the barrier?
1172342284 M * Bertl we had that in the beginning :)
1172342298 M * daniel_hozac IMHO the namespace is not a security feature but more of an isolation feature.
1172342304 M * doener daniel_hozac: if there's no check that protects the barrier, that's easy ;)
1172342310 M * Bertl either by using setattr or chattr or whatever
1172342327 M * doener back in the days, it was just chmod +x IIRC
1172342335 M * daniel_hozac doener: but the barrier is only settable via sys_vserver, which guests cannot call.
1172342371 M * doener unless we get a bug there that makes it callable from guests
1172342396 M * daniel_hozac in which case we're already screwed, as guests could raise capabilities, etc...
1172342416 M * doener sure, but a complete testsuite should have that test as well
1172342431 M * daniel_hozac of course.
1172342673 M * doener back to the "limited set of attacks", the / rbind just protects against breakouts where you use '..' often enough to hit /, e.g. with chdir() or chroot()
1172342711 M * daniel_hozac in which case an extra .. will get you to the real host root, IIRC.
1172342730 M * doener no, IIRC you're stuck with the rbind / then
1172342770 M * doener at least I never managed to get past it (and never managed to even reach it when the barrier is set and working correctly)
1172343379 M * daniel_hozac you're right.
1172343407 A * doener grabs his cookie :)
1172343419 M * daniel_hozac hehe
1172343449 M * daniel_hozac with a non-functional barrier, you were able to peek in to other guests though, right?
1172343455 M * daniel_hozac (assuming no tagxid)
1172343504 M * Bertl yep
1172343538 M * Bertl basically
1172343554 M * Bertl the idea back then was, you cannot access what isn't there
1172343572 M * Bertl and the rbind pretty much made sure that nothing is there
1172343584 M * daniel_hozac it did/does?
1172343587 M * Bertl an alternative I suggested back then, was the pivot root
1172343611 M * Bertl (which was too strong, IIRC or too buggy :)
1172343626 M * daniel_hozac doesn't pivot root change the root of all the processes?
1172343758 M * Bertl something like that
1172343873 M * doener Bertl: I think what daniel_hozac meant was that you can still peek into other guests even if the rbind is there
1172343913 M * doener the pivot_root failed because the tools still need access to the host filesystem even when in the new namespace IIRC
1172343955 M * daniel_hozac pivot_root could be called instead of chroot though, which is one of the last steps in the start process.
1172344075 M * daniel_hozac what does pivot_root do that chroot doesn't, though?
1172344091 M * doener pivot_root actually changes the mount tree
1172344112 M * doener you need to supply a place where it should mount the old tree, and then manually unmount it
1172344123 M * daniel_hozac right.
1172344124 M * doener s/old tree/old mount/
1172344150 M * doener so that either pulls the whole root into the vserver, or you unmount it, which makes the tools unusable
1172344170 M * Bertl we could do a pivot which disposes the old mount ...
1172344220 M * Bertl could be addressed by a dual namespace approach
1172344245 M * doener unless the tools are rewritten to never need the host's files after it crossed the namespace boundary, the only way I see to simply create a "clean" namespace is the approach I described some months ago
1172344268 M * Bertl one namespace for manipulations from outside (with an inheriting namespace inside, secured via pivot)
1172344270 M * doener (which does a second namespace boundary crossing in the last executable)
1172344297 M * doener http://people.linux-vserver.org/~doener/double_namespace_setup.txt
1172344780 M * daniel_hozac so, the rbind protects the host in case someone gets out. is that important enough to cause the breakage on distributions using .. to symlink binaries we use?
1172344849 M * daniel_hozac i mean, it's rather obvious the rbind isn't hit during normal operations, as it was only a bind mount until recently...
1172344997 M * Bertl I'm happy with whatever withstands the known attack scenarios
1172345008 M * Bertl known m
1172345032 M * Bertl known here means: practical and theoretical exploits and escapes
1172345094 M * daniel_hozac well, the only attack it protects against are attacks on the host.
1172345101 M * daniel_hozac the guests are still wide open, even with the rbind.
1172345121 M * daniel_hozac i don't know about other setups, but for me the host doesn't have anything interesting.
1172345123 M * doener btw, can you open files/directories by inode number from userspace?
1172345128 M * daniel_hozac no.
1172345168 M * doener ok
1172345366 M * Bertl daniel_hozac: hmm, well, access to host binaries might be a big security issue for provider though
1172345397 M * daniel_hozac sure, attacking the host would open up possibilities for further attacks.
1172345459 M * doener just add a cronjob that does whatever you want with full privileges, e.g. raise your vserver privileges ;)
1172345490 M * daniel_hozac right.
1172345564 M * Bertl why do the ../ symlinks break btw?
1172345592 M * daniel_hozac because they hit the root mount, which is now the rbind, and the guest does not necessarily have the binary in the place it's pointing.
1172345620 M * Bertl could you give me a simple example for that?
1172345786 M * daniel_hozac http://paste.linux-vserver.org/1200
1172345800 M * bored2sleep ntrs: just to chime in on your discussion from an hour ago, on intel, they would be the same. dual dual core has one fsb, and quad core has one fsb. intel's fsb is a real bus, it is always shared. under AMD, they use hypertransport, which is point to point, so it makes a difference there. if you want higher io bandwidth, you'd get a quad cpu amd system
1172345921 M * Bertl daniel_hozac: that looks more like a bash cache issue to me than anything else, no?
1172345934 M * daniel_hozac hmm?
1172345936 M * Bertl daniel_hozac: I'm probably missing something here :)
1172345943 M * daniel_hozac i'm specifying the exact path.
1172345954 M * daniel_hozac (as the utils always do)
1172346079 M * Bertl okay, let's go through that please, seems I do not understand the issue yet
1172346101 M * Bertl /usr/bin/awk is a symlink to ../../bin/gawk
1172346118 M * Bertl which means, gawk is in /bin, right?
1172346135 M * daniel_hozac right.
1172346158 M * Bertl now the guest, etch here, has no /bin/gawk
1172346175 M * Bertl but I assume, it has a /usr/bin/gawk, right?
1172346194 M * Bertl or /usr/bin/awk (actually)
1172346211 M * daniel_hozac exactly.
1172346239 M * Bertl okay, now you do the rbind, which places /usr over the previous /usr (well and for all the others too)
1172346248 M * daniel_hozac http://paste.linux-vserver.org/1201
1172346268 M * Bertl and now you try to execute the _existing_ /usr/bin/awk
1172346269 M * daniel_hozac (supposed to say /bin/gawk, but yeah)
1172346279 M * daniel_hozac /usr/bin/awk from the host, right.
1172346285 M * Bertl guest
1172346293 M * Bertl why host?
1172346294 M * daniel_hozac no, it's executing the host's binary.
1172346305 M * daniel_hozac the / is resolved on the host.
1172346323 M * daniel_hozac i.e. using fs_struct, not the / mount.
1172346382 M * Bertl how so?
1172346429 M * daniel_hozac it's in one of the lookup functions, sec...
1172346496 M * doener the rbind mount is layered on top of /, and triggers only when '/' is actually looked up. But the kernel optimizes accesses to '/' IIRC, avoiding the lookup
1172346521 M * doener but if you reach '/' via '..', it actually does a lookup and hits the rbind mount layered on top of '/'
1172346544 M * Bertl okay, and we do not want that behaviour?
1172346582 M * doener in the case of that symlink, you hit the rbind due to symlink resolving. So you get the symlink from the host, which is then resolved, and while that happens (the second ..), you switch to that rbind
1172346603 M * daniel_hozac well, it breaks starting guests on systems where /usr/bin/env or /usr/bin/nice is a symlink to ../../bin/{env,nice} and the guest is not the same as the host.
1172346639 M * Bertl which imho is a broken approach anyway, i.e. it should better be a symlink to /bin/env
1172346640 M * doener the tools expect /bin to _always_ map to host files, unless they chroot, which works in some cases
1172346652 M * Bertl but I guess that would not help here, would it?
1172346666 M * doener IMHO the rbind on / is just creating undefined behaviour at the moment
1172346667 M * daniel_hozac a symlink to /bin/env does the trick.
1172346679 M * daniel_hozac doener: and protecting the host in case of a break out :)
1172346700 M * Bertl okay, then why not have a script for those distros, replacing the symlinks :)
1172346740 M * daniel_hozac well, ideally we could just tell autoconf to resolve symlinks and use those paths instead, but i'm not aware of a way to do that.
1172346815 M * doener daniel_hozac: maybe adding a readlink call in m4/ensc_pathprog.m4?
1172346816 M * Bertl realpath (3)?
1172346846 M * doener disclaimer: I have no clue about m4
1172346873 M * daniel_hozac doener: hmm, yeah, that might work. i wonder why i didn't think of that last time i looked at this.
1172346892 M * Bertl sounds like a solution coming up? :)
1172346948 M * daniel_hozac well, this'll just fix things called by the utils.
1172346970 M * daniel_hozac but i guess that should be sufficient.
1172347007 M * Bertl I think, except for tool cases, we do not want to call host binaries in the guest namespace, do we?
1172347027 M * daniel_hozac well, i was thinking more along the lines of vnamespace -e ...
1172347046 M * daniel_hozac but i don't think people use full paths for those.
1172347058 M * daniel_hozac (and if they do, they should've already been hit by this)
1172347357 M * daniel_hozac doener: thanks a lot, that does the trick here.
1172347454 M * doener well, a lucky guess :)
1172347468 M * matti Bertl: :)
1172347477 M * daniel_hozac well, i've been over this 2 or 3 times, and that didn't occur to me...
1172347526 J * FireEgl Proteus@68.220.222.136
1172347531 M * daniel_hozac (http://svn.linux-vserver.org/projects/util-vserver/changeset/2504 FYI)
1172347774 M * Bertl hey matti!
1172348573 Q * ema Quit: leaving
1172348581 M * waldi ncontext: vc_net_create(): Invalid argument
1172348583 M * waldi hrm
1172348696 M * Bertl dynamic contexts?
1172348719 M * Bertl what is the command you used?
1172348751 M * waldi yep, dynamic context
1172348760 M * waldi should've changed that already
1172348790 M * waldi better
1172349363 M * daniel_hozac waldi: btw, http://packages.debian.org/unstable/admin/linux-image-2.6-vserver-sparc64 isn't really for UP only, is it?
1172349417 M * waldi no, it's smp
1172349444 Q * puck Quit: Coyote finally caught me
1172349488 M * daniel_hozac good, so i wasn't lying.
1172349537 M * waldi to be correct, this package does not contain anything
1172349550 M * waldi it just pulls in the latest[tm]
1172349552 M * daniel_hozac right.
1172351423 J * Aiken ~james@ppp96-171.lns1.bne1.internode.on.net
1172351432 M * Bertl morning Aiken!
1172351627 M * Aiken hi
1172351744 M * bonbons daniel_hozac: seems like shutdown or reboot from inside a guest causes trouble if there was no matching request from the host
1172351839 M * bonbons hehe equivalent issue that what I had with the SuSE guest, but it's 100% gentoo this time, util-vserver-0.30.212-r2
1172351870 M * bonbons the helper waiting for something that never happens
1172351930 J * DreamerC_ ~dreamerc@125-225-102-189.dynamic.hinet.net
1172352283 M * bonbons after waiting a long time I still have halt (D state, inside guest), vshelper poweroff and cat /tmp/vshelper-stop-sync./pip hanging around
1172352338 Q * DreamerC Ping timeout: 480 seconds
1172352440 M * Bertl bonbons: what kernel version?
1172352507 M * bonbons latest, 2.6.20-vs2.2.0-pre4, with the SuSE guest it is/was 2.6.19.x-vs2.2.0-rcy (don't remember the exact values for x and y)
1172352577 M * bonbons but here it clearly looks like it's on the userspace side where something is missing, as soon as I echo to the pipe the guest vanishes
1172352673 M * bonbons wondering what should echo something to that lock-pipe and when
1172352890 M * daniel_hozac could i get one of those guests?
1172352946 M * bonbons they're a bit fat, but I think a "halt -f" inside any guest should even be sufficient
1172352953 M * bonbons let's check
1172352955 M * daniel_hozac so just vserver ... exec halt -f?
1172353012 M * bonbons I do it from a tty that had a getty started by guest's init
1172353241 M * bonbons though the halt command seems to not respect the '-f' parameter or shutdown request is being piped back-in by vshelper
1172353299 M * daniel_hozac halt -f invokes vshelper, yes.
1172353343 M * bonbons does vshelper send a signal to guest init?
1172353353 M * daniel_hozac yes.
1172353359 M * daniel_hozac for plain initstyle.
1172353367 M * daniel_hozac vshelper just runs vserver ... restart, basically.
1172353373 M * daniel_hozac (or stop in this case)
1172353418 M * bonbons ok, so it explains the message I see on console, but that does not really make sense as init inside guest calls halt again
1172353453 M * bonbons the guest expects some virtual power-off when it does halt -f, not a virtual CTRL-ALT-DEL :)
1172353631 M * daniel_hozac damn file. i wish i had known it sucked before i made template depend on it...
1172353681 M * daniel_hozac i'm not sure what a virtual power-off would be. REBOOT_KILL?
1172353720 M * bonbons yes, or a vkill
1172353745 M * bonbons but vshelper has to exit for this to happen
1172353799 M * Bertl the kernel differentiates between halt and reboot
1172353809 M * Bertl (i.e. the helper gets the proper information)
1172353892 M * bonbons yes, but the helper waits for something to happen which keeps the guest more or less in D state
1172353975 M * daniel_hozac but there's no way for either the kernel nor userspace to differentiate between virtual power-off and clean shutdown.
1172353995 M * Bertl hmm?
1172354031 M * daniel_hozac unless we make it so that halt -f always does an unclean shutdown in plain init guests.
1172354042 M * daniel_hozac while it's the only clean shutdown for the others.
1172354070 M * Bertl what's the problem? you should know if you called vserver stop from outside or not, no?
1172354080 M * bonbons well halt -f is the end of a clean shutdown, isn't it?
1172354169 M * daniel_hozac well, the only way to tell it's vshelper calling is by the synchronization socket.
1172354206 M * Bertl wouldn't a simple entry in /var/run suffice?
1172354287 M * daniel_hozac ?
1172354331 M * Bertl i.e. when you do 'vserver stop' touch a file /var/run/.../.shutdown or so?
1172354363 M * daniel_hozac i'm not sure what that would accomplish.
1172354378 M * Bertl well, probably I'm missing the point again ... :)
1172354389 M * daniel_hozac or i am.
:)
1172354403 M * Bertl but I understood that you cannot tell a 'stop' from a 'halt -f'
1172354424 M * daniel_hozac right, as vshelper just runs vserver ... stop/restart.
1172354424 M * Bertl (in the vshelper)
1172354452 M * Bertl so touching a file when you call 'stop' will help you there
1172354478 M * Bertl if the file is there, stop was called, otherwise the halt -f happened, no?
1172354534 M * daniel_hozac and in the latter case, just don't kill init?
1172354557 M * Bertl well, whatever is required .. I have no idea about the internal mechanisms used :)
1172354642 M * bonbons isn't vshelper's job just to mark the guest as down (to trigger a restart / fork+sleep+restart) when a guest requests shutdown
1172354682 M * bonbons this especially as the reboot_kill () flags is set at that time (if I remember well)
1172354713 M * daniel_hozac vshelper stops/restarts the guests.
1172354735 M * daniel_hozac only for plain init might you have a guest that's partially stopped by the time vshelper is called.
1172354801 M * bonbons for sysv I don't even know how shutdown would be called from inside...
1172354813 M * daniel_hozac halt -f.
1172354832 M * daniel_hozac could you try http://people.linux-vserver.org/~dhozac/p/uv/experimental/delta-plaininit-hack01.diff?
1172354922 M * bonbons will try
1172354995 M * daniel_hozac Hollow: is it intentional that baselayout-vserver cannot use --initstyle gentoo? i thought that was possible now.
1172355430 M * bonbons daniel_hozac: doesn't help
1172355470 M * daniel_hozac so how do you reproduce it?
1172355532 M * bonbons just start the guest (plain init), from inside (getty + login + halt -f)
1172355548 M * bonbons host is gentoo host with gentoo util-vserver package
1172355561 M * bonbons doing the call over a ssh connection to the guest produces the same result
1172355582 M * daniel_hozac so run halt -f from the inside.
1172355589 M * bonbons yep
1172355642 M * bonbons it calls vshelper which issues "init 0" or "init 6" inside guest (not wanted) and then waits for the data on the pipe
1172355670 M * daniel_hozac works fine here...
1172355718 M * bonbons after some time all processes go away except 3+[1] halt -f, vshelper halt 14, cat /tmp/.../pip, [khelper]
1172355745 M * bonbons what host are you using? FC or Gentoo, might be hollow's packages that patches at the wrong place
1172355763 M * daniel_hozac FC.
1172355785 M * daniel_hozac it's vanilla 0.30.213-rcX.
1172355806 M * daniel_hozac vserver gentoo start; vserver gentoo exec halt -f; sleep 15; vserver gentoo status returns Vserver 'gentoo' is stopped here.
1172355819 M * daniel_hozac with no left over processes whatsoever.
1172355833 M * daniel_hozac (and that's without the patch, with a brand new Gentoo guest.
1172355849 M * bonbons here it does not. I think gentoo host is more important than gentoo guest!
1172355866 M * daniel_hozac so, try with 0.30.213-rc3.
1172355884 Q * EvilDin Quit: AnacønÐa · "It's better to be rich and healthy than poor and sick"
1172355890 M * bonbons will check what patch gentoo adds to util-vserver, might be there is something in there, will also try the .213-rc3
1172356016 Q * michal` Ping timeout: 480 seconds
1172356017 M * daniel_hozac i'd really appreciate some testing of 0.30.213-rc3 on Gentoo hosts, as it adds the initscripts.
1172356042 M * daniel_hozac (one of which is brand new)
1172356093 M * bonbons ok, will do, have tomorrow to do the testing as that box HAS to run autonomously during the week (I'm not present to fix things then :))
1172356200 M * daniel_hozac thanks.
1172356352 M * bonbons when my dad wants to use its services and something does not come up as expected, then I'm again doing bad changes :)
1172356503 J * michal` ~michal@www.rsbac.org
1172356595 M * daniel_hozac i don't expect there to be too many more changes, if any at all, before 0.30.213.
1172356644 M * daniel_hozac (i've been meaning to release it for weeks already)
1172356663 M * bonbons well, the matter is more to have the global system starting and stopping as expected
1172356794 M * bonbons is there something I have to care about when ./configure or make / make install?
1172356829 M * bonbons or is the ebuild acceptable (omitting anything that is a patch or gentoo additions)?
1172356865 M * daniel_hozac ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var should do the same thing as the ebuild, i think.
1172356865 M * bonbons ebuild: http://viewcvs.gentoo.org/viewcvs.py/gentoo-x86/sys-cluster/util-vserver/util-vserver-0.30.212-r2.ebuild?rev=1.1&view=markup
1172356888 M * bonbons it's rather at make or especially make install and behind stage
1172357051 M * daniel_hozac if you remove the initscripts part of that and add --with-initscripts=gentoo to ./configure, i guess it should be fine.
1172357103 M * daniel_hozac (it should figure that out automatically, but just in case...)
1172357200 M * bonbons ok, that's two tasks, get out why my apache has trouble getting 3 out of its 6 sockets working, and the util-vserver
1172357498 M * Bertl wasn't there a funny bug recently, where apache did bind ports twice?
1172357512 M * daniel_hozac wasn't that a configuration error?
1172357519 M * Bertl yes
1172357637 M * bonbons don't know, just restarting apache fixed it, might have been some stale files/sockets/... (here it was permanently complaining about socket operations on nonsocket fd)
1172358092 M * matti ;]
1172358579 M * bonbons daniel_hozac: /etc/init.d/vservers.default looks quite empty compared to the 2 other init scripts, no check on existence of /usr/lib/util-vserver/* as for the other two
1172358615 M * daniel_hozac hmm, well, i just grabbed vprocunhide and vservers.default from Gentoo, IIRC.
1172358635 M * daniel_hozac yep.
1172358648 M * daniel_hozac vservers.default just lets vserver-wrapper do all the work.
1172358653 M * bonbons ok
1172358669 M * daniel_hozac that checks for util-vserver-vars, etc.
1172358840 M * matti Hm...
1172358874 M * matti :))))
1172359094 M * matti Bertl: Maybe you will know.
1172359099 M * matti Bertl: michal` is too shy to ask.
1172359118 M * michal` hello guys!
1172359137 M * Bertl hmm?
1172359146 M * matti Bertl: SuSE is using some kind of patch or weird functionality to re-map or re-assign IRQ table.
1172359151 M * michal` i don't want to take over your time with a small offtopic but i will ask
1172359169 M * matti Bertl: And you have more than 20 IRQs.
1172359172 M * michal` Bertl: i'm trying to discover the reason of completely different irq setup with suse kernel
1172359172 M * matti Bertl: Like 200.
1172359179 M * michal` and vanilla kernel
1172359187 M * michal` with the same config and kernel version :)
1172359192 M * Bertl sounds like a proper APIC setup on amd or so?
1172359208 M * matti Indeed it is APIC related.
1172359208 M * michal` it is x86_32 (xseries ibm, but other machines behave similar)
1172359219 M * michal` on suse i have apic properly used
1172359222 M * michal` on vanilla no
1172359228 M * michal` i wonder what might be the case
1172359235 M * Bertl so that explains the irq numbers, no?
1172359246 M * michal` yep, it does
1172359258 M * michal` so... vanilla is not able to properly setup such a thing?
1172359269 M * daniel_hozac it should.
1172359273 M * Bertl it is, at least here, if configured properly
1172359284 M * daniel_hozac have you compared the dmesg outputs of the two kernels?
1172359298 M * matti :>
1172359309 M * michal` 1000 times
1172359325 M * daniel_hozac no differences?
1172359336 M * michal` yep
1172359342 M * michal` it has to be done in a silent way
1172359352 M * Bertl does it show a complete bootup?
1172359357 M * michal` yes
1172359399 M * michal` i can read in dmesg on vanilla kernel that apic is being used
1172359408 M * bonbons daniel_hozac: cool, with 0.30.213_rc3 I have 2 (two) vshelpers for a halt -f from inside, after some time one of them disappears and there's just the halt-f from the guest remaining
1172359440 M * Bertl michal`: do you have the /proc/interrupts output of both?
1172359441 M * bonbons so the vshelper is keeping the guest alive after (vkill or similar) from other vshelper
1172359461 M * michal` like... 'enabling io-apic irqs' or 'using ioapic for interrupt routing'
1172359464 M * michal` Bertl: sure
1172359490 M * michal` interesting...
1172359491 M * bonbons that's what I see using vps aux
1172359510 M * michal` all high number irq are level triggered
1172359524 M * michal` all low numbers (on vanilla) are 'io-apic-fasteoi'
1172359533 M * daniel_hozac bonbons: what are you running in the guests?
1172359534 M * michal` for the same deci
1172359539 M * michal` *devices
1172359567 M * bonbons init, sshd, apache2, oftpd, metalog, agetty
1172359584 M * daniel_hozac bonbons: have you tried building a new empty guest and seeing if that shows it as well?
1172359606 M * Bertl michal`: can I have a look at them? :)
1172359623 M * michal` so it looks like '193 / io-apic-level / eth0' on suse and '22 / io-apic-fasteio eth0' on vanilla
1172359626 M * michal` sure, let me pastebin them
1172359638 M * bonbons not yet, what should I put into there? maybe you have a tiny x86 image so we test with the same guest
1172359656 M * waldi LOCKS: -4242 0/ -1 -1/ -1 0
1172359666 M * waldi hmm
1172359678 Q * dna Quit: Verlassend
1172359679 M * waldi this looks wrong
1172359686 M * daniel_hozac waldi: kernel?
1172359686 M * Bertl waldi: yep, definitely
1172359697 M * waldi 2.6.20, 2.2.0-pre4
1172359758 M * Bertl what does the guest do?
1172359767 M * waldi postfix, amavis, clamav
1172359817 M * michal` Bertl: here
1172359819 M * michal` Bertl: http://pastebin.com/888220
1172359838 M * Bertl daniel_hozac: hmm, we have a test tool/code for the locking somewhere, no?
1172359870 M * daniel_hozac http://people.linux-vserver.org/~dhozac/t/tests/test-flock.c http://people.linux-vserver.org/~dhozac/t/tests/test-lease.c
1172359960 M * Bertl michal`: okay, just a different APIC enumbering
1172359981 M * michal` i'm wondering why it is different :)
1172359987 M * Bertl michal`: you probably can get the same difference if you move a kernel version back or forth
1172360000 M * Bertl michal`: it's a different implementation
1172360005 M * michal` ic
1172360037 M * Bertl waldi: can you try to trigger it with those and chcontext or vcontext or vcmd?
1172360040 M * michal` well, looks like io-apic is being properly used on vanilla anyway
1172360051 M * michal` so i just won't care about numbers more
1172360070 M * bonbons daniel_hozac: what about just killing the guest when it has a plain init style and asks for power-off (halt/poweroff), power-reset (reboot)?
1172360101 M * michal` Bertl: thanks for your time! :)
1172360101 M * bonbons that would drop all these issues and make more sense to the inside of the guest
1172360103 M * waldi Bertl: EPARSE
1172360103 M * daniel_hozac bonbons: that's what the hack patch would do...
1172360145 M * Bertl waldi: get the two tests daniel pasted, and try to trigger the issue by doing something like:
1172360158 M * Bertl chcontext --xid 666 -- sleep 1000 &
1172360170 M * Bertl chcontext --xid 666 -- test-flock ....
1172360179 M * Bertl chcontext --xid 666 -- test-lease ....
1172360187 M * waldi yep
1172360238 M * waldi /proc/virtual/2/limit:LOCKS: -5499 0/ -1 -1/ -1 0
1172360241 M * waldi /proc/virtual/3/limit:LOCKS: 1 0/ 15 -1/ -1 0
1172360255 M * waldi sometimes it looks correct
1172360281 M * daniel_hozac what's different between those two guests?
1172360365 M * waldi the first runs postfix/sshd/cron/buildd, the latter exim/sshd/cron/buildd
1172360414 M * waldi test-lease.c:22: error: 'F_SETLEASE' undeclared (first use in this function)
1172360452 M * daniel_hozac -D_GNU_SOURCE
1172360478 M * waldi better
1172360521 Q * virtuoso Ping timeout: 480 seconds
1172360617 M * bonbons daniel_hozac: but the patch does not do that, looks like it has no effect
1172360630 M * waldi Bertl: only positive results
1172360644 M * daniel_hozac bonbons: please add some echos then, to make sure it does what's expected.
1172360655 M * Bertl waldi: hmm ... unfortunate ...
1172360678 M * Bertl waldi: let's try to narrow it down to a specific guest service
1172360706 M * waldi it only happens in guests which run postfix
1172360757 M * waldi what does the LOCKS thing count?
1172360764 M * daniel_hozac the number of locks.
1172360767 M * Bertl file locks and leases acquired
1172360835 M * waldi postfix uses per default fcntl for locking on linux
1172360854 M * bonbons it reaches the if-ed vkill once according to echos
1172360869 M * bonbons incorrect inversion on the condition?
1172360870 M * waldi F_SETLK and F_SETLKW
1172360908 M * bonbons stop from outside produces same echos
1172360914 M * daniel_hozac bonbons: are you running vserver ... stop manually?
1172360933 M * bonbons once halt -f from inside
1172360950 M * bonbons later, having properly restarted the guest I did vserver ... stop from outside
1172360988 M * bonbons same show the same echos just before and after the if ! vshelper.isStopSync; then added by the patch
1172361031 Q * Aiken Quit: Leaving
1172361146 M * daniel_hozac and you do have an up to date vshelper, right?
1172361216 M * waldi hmm, no
1172361256 M * waldi hmm, wtf
1172361358 M * Bertl I see a possible error path which could cause that in the source
1172361372 M * waldi which one?
1172361382 M * Bertl fs/locks.c, line 811
1172361403 M * bonbons yes, and according to echo I added on top of vshelper it's just called once in both cases, just vshelper call happens after vserver.stop code for stop from outside, before for halt -f (that looks at least correct)
1172361420 M * Bertl let's try to move the vx_locks_inc() up to line 794
1172361432 M * Bertl (right before find_conflict)
1172361475 M * waldi hmm
1172361596 M * waldi anyway, time to sleep