1175040000 M * Bertl after that, look at the process via ps auxwww 1175040033 M * Bertl (or better top) in the 'original' context, the priority is listed there 1175040138 M * Bertl ps -eo pid,pri,nice,cmd 1175040204 M * doener renice says "no such process" if sys_getpriority returns -ESRCH, and as that uses the same way to find the process that sys_getpriority uses, you should be safe if that message appears 1175040205 M * Bertl slack101: well, congrats to the new GF, and make sure that you don't make the same error twice (regarding email and server that is :) 1175040265 M * dannf right, that's what i'm seeing - so it doesn't look like we were vulnerable in 2.6.18 even w/o that patch 1175040272 M * doener (at least in .20.4) 1175040284 M * Bertl no, I think it was introduced with 2.6.19 1175040314 M * Bertl dannf: but you probably have a bunch of other issues in the 2.6.18 kernels 1175040326 M * dannf ah - that makes a lot of sense then. thanks! 1175040330 M * dannf Bertl: security or otherwise? 1175040353 M * dannf i'm interested in both, but w/ two different hats 1175040362 M * Bertl well, what was the last version you synced up to, and what patches did you add since? 1175040389 A * dannf will have to look - waldi manages the vserver stuff usually 1175040390 M * Bertl then we can look through the deltas and see what might affect you 1175040409 M * dannf 2.0.2.2-rc9, it looks like 1175040452 M * Bertl and that is 2.6.18? wasn't that 2.6.16? 1175040478 M * Bertl we rencently did a fixup release for 2.6.16.43 for some debian related kernels IIRC? 1175040495 M * dannf nah, debian is shipping 2.6.18 in etch 1175040513 M * Bertl okay ... 
sec 1175040533 M * dannf there's also a 'bindmount-dev.patch' in there that adds some capability checks, apparently 1175040543 M * dannf in fs/namespace.c 1175040574 M * Bertl well, I see a vs2.0.3-rc1 for 2.6.18.5 here, which seems to be the last release we did 1175040591 M * slack101 Bertl: yea .......hopefully i can get this up by like friday ......so i can setup a few clients i have waiting 1175040616 J * pflanze ~chris@84-73-56-197.dclient.hispeed.ch 1175040621 M * Bertl dannf: we did a bugfix release for 2.6.16 (vs2.0.3-rc2) that stuff should apply for you in any case ... 1175040622 M * pflanze hello 1175040628 M * Bertl hey pflanze! 1175040687 M * pflanze hey, I'm doing a backup of my machine the first time after having started using vhashify, with rsync. 1175040698 M * dannf Bertl: ok - is there a place i can easily review those changesets/descriptions? 1175040699 M * pflanze Somehow I think it has gotten very slow. 1175040726 M * Bertl dannf: let me see what I can do for you ... 1175040731 M * pflanze rsync on the server side is now scanning the file system for more than 2 hours. I don't remember it having taken more than half an hour or so in the past. 1175040742 M * dannf Bertl: thanks, i appreciate it 1175040781 M * Bertl pflanze: maybe wrong options? i.e. not handling hard links properly or so? maybe even changing files and thus breaking the unification? 1175040784 M * pflanze I find this especially suspect since I've also observed some apps to start up *much* more slowly the first time after an upgrade&hashify run. 1175040820 M * doener dannf: hm, seems like the last chroot escape did never get fixed in the kernel-patch-vserver "relict" (not that I think that anyone should use that anyway) 1175040848 M * dannf doener: ah - is there a CVE/reference for that one? 
1175040870 A * dannf fixes a lot of things that i don't think people *should* use :) 1175040896 M * dannf but hard to tell them that when you're shipping it and calling it 'stable' 1175040901 M * doener bastian should now, he said he was going to get a CVE for it, never heard back about it (and I completely forgot about it) 1175040919 M * dannf hrm.. sounds familiar actually - wonder if i have a reference in my mail 1175040953 M * Bertl pflanze: that is not totally unexpected, as some startups might break links immediately ... 1175040963 M * pflanze I'm using the same options as always (per a script), -aHxz --numeric-ids --delete -b (and --backup-dir=.. --exclude-from=..) 1175040984 M * pflanze Bertl: hm but I'm starting the apps as non-root user and the app files are owned by root. 1175041000 M * pflanze I don't think there are files which are unified which belong to the user. 1175041015 M * Bertl dannf: here is the first delta: http://vserver.13thfloor.at/Stuff/delta-2.6.18.5-vs2.0.2.2-rc9-vs2.0.3-rc1.diff 1175041047 M * Bertl pflanze: then they should not break .. check the link counts before and afterwards 1175041051 M * doener dannf: the issue was discovered around Sep 12 2006, if that makes the search easier... 1175041057 M * Bertl pflanze: but e.g. log files might break ... 
1175041096 A * dannf should be upfront - i can only apply fixes for things that are of >= important severity (by debian standards), which includes security bugs and others - etch kernel is pretty well final otherwise 1175041128 M * Bertl dannf: well, IMHO etch should ship with 2.2.0 1175041168 M * Bertl that way it wouldn't be outdated before released :) 1175041177 M * dannf Bertl: unfortunately there's nothing we can do but bugfix, and can't even do that till after etch ships (unless its something *really* critical) 1175041200 M * Bertl dannf: yeah yeah debian bla bla :) 1175041264 M * dannf Bertl: so i see a lot of whitespace changes & a variable rename or two - other than that i see a s/capable/vx_capable/ - did that fix a bug? 1175041289 M * Bertl dannf: second delta comes shortly 1175041502 M * Bertl http://vserver.13thfloor.at/Stuff/delta-2.6.16.43-vs2.0.3-rc1-rc2.diff 1175041521 M * Bertl (this is for 2.6.16 but most of it should directly map to 2.6.18 too) 1175041570 M * Bertl basically fixes the 'wrong' (short) atomic values for 64bit archs 1175041599 M * dannf oh - i think we have a patch queued for that for 4.0r1, lemme check 1175041641 M * Bertl the jfs removal seems odd IMHO, but maybe that is unrelated ... (i.e. maybe the patches just failed, I double check) 1175041674 M * dannf http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412132 <- that it? 1175041726 M * dannf waldi has been working on that one, it should make it into etch shortly after release 1175041727 M * Bertl yep, looks like 1175041733 M * dannf excellent :) 1175041751 M * Bertl i.e. it isn't a bad overflow, just the type is too short 1175041811 M * Bertl dannf: disregard the jfs changes, they shouldn't be there 1175041894 M * Bertl dannf: from the other delta, the vx_capable and the MASK_ENTRY changes are relevant 1175041910 M * dannf Bertl: what did that affect? 
1175041933 M * Bertl the vx_capable allows VXC_BINARY_MOUNT to work as expected 1175041957 M * Bertl otherwise it doesn't really work for network mounts IIRC 1175041987 M * dannf ok - i'll run that by waldi 1175042032 M * Bertl and the MASK_ENTRY stuff removes limits which aren't there :) 1175042066 M * Bertl everything else is whitespace cleanups and label changes 1175042082 M * Bertl ah, and removing unnecessary includes 1175042144 M * Bertl dannf: so it is definitive that etch will ship with 2.0.x, will there be 2.2.x too or 'just' 2.0.x? 1175042232 M * dannf Bertl: that's definitive - etch has a timeline of releasing in early april (4/4 i think, from the last release team notice) 1175042262 M * dannf we were permitted to do one more kernel upload to fix some pretty hairy issues last week, but even that was a bug-fix only thing 1175042276 M * Bertl okay, just that I know that I can tell debian folks that the first thing they do is to upgrade to a recent version :) 1175042318 M * dannf Bertl: hopefully backports.org will be keeping up so that etch users can easily grab the latest trunk builds (currently 2.6.20-based) 1175042349 M * dannf and there's the possibility that we'll add a new kernel in etch midstream to support new hardware, but its too early to know th edetails of that 1175042559 M * Bertl okay, fair enough ... 1175042731 M * dannf alright, thanks again for your help. i've sent bastian an e-mail about the chroot escape & the VXC_BINARY_MOUNT issues - now off to dinner :) 1175042776 M * Bertl you're welcome! 1175043502 Q * dghill Ping timeout: 480 seconds 1175043629 J * dghill dghill@office.mel.illuminate.com.au 1175043914 M * slack101 i found the ip of the abuser 1175043927 M * slack101 they are from germany hmmmmm 1175044037 J * dos000 ~ymo@CPE000f66912f92-CM0018c0c6147e.cpe.net.cable.rogers.com 1175044041 M * dos000 howdy 1175044046 M * Bertl slack101: never trust the evil germans :) 1175044053 M * Bertl welcome dos000! 
1175044079 M * slack101 Bertl: they do have a record 1175044080 M * dos000 hey Bertll 1175044100 M * dos000 i am noticing that the interfaces disapear after a while altho i still have the guest running. they are just not accessible 1175044114 Q * dghill Ping timeout: 480 seconds 1175044119 M * Bertl interfaces means ips or so? 1175044130 M * dos000 this is 2.6.17.13-vs2.0.2.1+vserver 1175044136 M * slack101 Bertl: your from germany ? .......n pun intended ;) 1175044146 M * Bertl slack101: luckily no :) 1175044152 M * slack101 ah 1175044176 M * slack101 where the server i located 1175044184 M * slack101 Bertl: you live in europe ? 1175044190 M * dos000 Bertl: yes the vserverstat shows the guests are still running but ip addr show returns none of the guests 1175044222 M * Bertl dos000: I assume you are hitting the 'primary ip' issue (which is not really Linux-VServer related) but let me explain 1175044223 M * dos000 Bertl: as if the ips got disconnected/unbound from the iface 1175044228 M * Bertl slack101: yep 1175044240 M * slack101 Bertl: what country :P 1175044244 M * dos000 Bertl: ah ! 1175044266 J * dghill dghill@office.mel.illuminate.com.au 1175044270 M * Bertl dos000: if you assign several ips on the same interface/network, one will be the primary (the first one) and all others will become secondaries 1175044279 M * Bertl slack101: Austria 1175044283 M * slack101 lol 1175044290 M * slack101 is there even a difference ???? 1175044303 M * dos000 Bertl: that was my next question :) ... but .. continue 1175044304 M * Bertl slack101: yes, there is ... 
trust me :) 1175044330 M * slack101 Bertl: i think you already know what i know about germany ;) 1175044349 M * Bertl dos000: then, when you do not enable 'promote secondaries' taking down the one primary ip will take down all the secondaries 1175044371 M * Bertl dos000: the guests keep working quite fine, just the IPs are gone 1175044395 M * Bertl dos000: you could even readd them and the guests would probably continue to work 1175044409 M * dos000 ah ! 1175044418 M * Bertl dos000: now the taking down of the primary doesn't happen after some time 1175044437 M * Bertl dos000: it actually happens when you restart the one guest which got the primary ip 1175044443 M * slack101 Bertl: i was just in europe ........doing a little sight seeing about 2 months ago 1175044469 M * Bertl dos000: and you basically have two options to avoid this 1175044470 M * dos000 Bertl: ahaaa .. so the fix is net.ipv4.conf.all.promote_secondaries=1 in sysconfg ? 1175044490 M * dos000 Bertl: pray tell the 2 optios 1175044490 M * Bertl dos000: first option is that, the second one is to reserve a 'primary' per network for the host 1175044527 M * Bertl i.e. if you use 192.168.1.x for the guests, then using 192.168.1.1 for the host solves the problem too 1175044545 M * Bertl (or whatever IP in the same network range) 1175044562 M * Bertl slack101: and, what did you see in europe? 1175044577 M * dos000 Bertl: my hot and guests are on the same network 1175044595 M * Bertl dos000: then one of your netmasks is wrong :) 1175044618 M * Bertl e.g. host uses /24, guests have /25 or so 1175044632 M * dos000 Bertl: indeed .. Bertl san .. 
one of then is wrong 1175044672 M * slack101 Bertl: well .....started off in london then to paris ....a little through paris .....then barcelona and madrid ..........then italy and greece ........rome naples......and athens greece 1175044691 M * slack101 very shocking trip 1175044720 M * Bertl dos000: fixing that up will fix the issues without the promote secondaries 1175044735 M * dos000 Bertl: but the sysconfig will definetly fix this then ? 1175044737 M * Bertl dos000: but the promotion stuff cannot hurt, so it is probably safe to add it 1175044747 Q * dghill Ping timeout: 480 seconds 1175044750 Q * weasel Ping timeout: 480 seconds 1175044752 M * dos000 Bertl: thanks man 1175044774 M * Bertl probably the best is to fix the netmasks and reboot the host 1175044791 M * Bertl or at least restart the guests 1175044795 J * dghill dghill@office.mel.illuminate.com.au 1175044862 M * slack101 Bertl: no germany or austria though 1175044937 J * weasel weasel@asteria.debian.or.at 1175044955 M * Bertl slack101: well, italy was probably close enough for austria :) 1175045022 M * Bertl okay, I'm off to bed now ... have a good one everyone! cya! 1175045028 N * Bertl Bertl_zZ 1175046858 Q * pflanze Quit: g'night 1175047307 Q * slack101 Read error: Connection reset by peer 1175047448 Q * boci^ Quit: Távozom 1175048060 Q * meandtheshell Quit: Leaving. 1175049335 Q * doener Read error: Connection reset by peer 1175049513 J * doener ~doener@host.magicwars.de 1175052274 Q * softi42 Ping timeout: 480 seconds 1175052806 J * softi42 ~softi@p549d6c3f.dip.t-dialin.net 1175053393 M * daniel_hozac Hollow: hmm, i'd love to go, but it seems to clash with an exam of mine, so i guess i can't make it. 
1175054940 Q * ensc Ping timeout: 480 seconds 1175058978 N * DoberMann[ZZZzzz] DoberMann 1175059298 T * * http://linux-vserver.org/ | latest stable 2.0.2.1, 2.0.3-rc2, 2.2.0-rc21, devel 2.3.0.11, stable+grsec 2.0.2.1, 2.2.0-rc21 | util-vserver-0.30.212 | libvserver-1.0.2 & vserver-utils-1.0.3 | He who asks a question is a fool for a minute; he who doesn't ask is a fool for a lifetime -- share the gained knowledge on the Wiki, and we'll forget about the minute ;) 1175059298 T * harry - 1175062431 N * DoberMann DoberMann[PullA] 1175064499 Q * FireEgl Quit: ... 1175065311 J * ntrs_ ntrs@68-188-55-120.dhcp.stls.mo.charter.com 1175065363 Q * ||Cobra|| osmotic.oftc.net oxygen.oftc.net 1175065363 Q * arachnist osmotic.oftc.net oxygen.oftc.net 1175065363 Q * CHTEKK osmotic.oftc.net oxygen.oftc.net 1175065363 Q * xp_prg osmotic.oftc.net oxygen.oftc.net 1175065363 Q * ntrs osmotic.oftc.net oxygen.oftc.net 1175065363 Q * SNy osmotic.oftc.net oxygen.oftc.net 1175065363 Q * micah osmotic.oftc.net oxygen.oftc.net 1175065368 J * sharkjaw ~gab@158.36.45.236 1175065450 Q * Aiken Read error: Connection reset by peer 1175065459 J * Aiken ~james@ppp250-73.lns2.bne4.internode.on.net 1175065459 J * ||Cobra|| ~cob@pc-csa01.science.uva.nl 1175065459 J * arachnist arachnist@088156185052.who.vectranet.pl 1175065459 J * SNy ~mfr@bmx-chemnitz.de 1175065459 J * ntrs ntrs@68-188-55-120.dhcp.stls.mo.charter.com 1175065459 J * xp_prg ~xp_prg@ftp.microvu.com 1175065459 J * CHTEKK ~chtekk@84.55.211.45 1175065459 J * micah ~micah@micah.riseup.net 1175065725 Q * ntrs Ping timeout: 480 seconds 1175066352 J * slack101 ~root@cpe-71-65-58-25.insight.res.rr.com 1175066711 J * awk ~awk@dsl-242-123-186.telkomadsl.co.za 1175066734 M * awk hi can somebody tell me if they experience problems installing samba on an ubuntu vserver 1175066758 M * awk ~pb 1175067599 M * harry http://linux-vserver.org/Problematic_Programs 1175067737 J * ensc ~irc-ensc@p54b4de7b.dip.t-dialin.net 1175068258 J * dna 
~naucki@p54bcf597.dip.t-dialin.net 1175068365 J * ema ~ema@rtfm.galliera.it 1175068377 M * awk thanks harry 1175068403 M * harry np 1175068622 Q * DoberMann[PullA] Ping timeout: 480 seconds 1175069069 J * yarihm ~yarihm@pub-wlan.office.nine.ch 1175069149 J * DoberMann[PullA] ~james@AToulouse-156-1-77-191.w86-196.abo.wanadoo.fr 1175070192 Q * DoberMann[PullA] Ping timeout: 480 seconds 1175070244 J * chand ~chand@212.99.51.254 1175070730 J * DoberMann[PullA] ~james@AToulouse-156-1-78-17.w86-196.abo.wanadoo.fr 1175070761 J * matti matti@acrux.romke.net 1175070781 N * matti Guest125 1175071484 Q * Aiken Ping timeout: 480 seconds 1175072081 P * xleave_ 1175073281 Q * cdrx Quit: Leaving 1175073323 J * DavidS ~david@vpn.uni-ak.ac.at 1175074372 Q * yarihm Ping timeout: 480 seconds 1175074383 J * yarihm ~yarihm@whitehead2.nine.ch 1175075036 M * Guest125 ROTFL 1175075041 N * Guest125 matti 1175075043 M * matti http://www.flickr.com/photos/amster/418602656 1175075093 J * meandtheshel1 ~markus@85-124-232-239.work.xdsl-line.inode.at 1175075569 M * awk hmm 1175075574 M * awk can somebody sugest something 1175075584 M * awk mknod: `/lib/udev/devices/ppp': Operation not permit 1175075587 M * awk this is in a vserver 1175075597 M * awk I know you cant use raw devices in a vserver 1175075604 M * awk but what is the correct way to do this? 1175075930 M * DavidS either create the device from the host context or allow the guest to do it himself (security!) with capabilities 1175076020 M * cehteh or create a static device somewhere 1175076028 M * cehteh no udev then 1175076040 M * DavidS yes 1175076067 M * DavidS well, only in the host context 1175076093 M * awk E: Couldn't find package lpd 1175076099 M * awk there is slpd,e tc 1175076109 M * awk errrr 1175076134 M * awk DavidS: well this is in internal network 1175076139 M * awk nobody will ever have access from the outside 1175076145 M * awk so security isn't my main concern 1175076237 M * DavidS then you can allow mknod. 
see http://linux-vserver.org/Capabilities_and_Flags 1175076377 M * awk many thanks :) 1175076585 M * daniel_hozac there's a patch to let guests use/create certain devices too. 1175076617 M * awk daniel_hozac: thanks! i'm sure there is a patch for everything :) 1175076639 M * daniel_hozac http://cvs.hozac.com/viewvc/rpms/kernel/fedora-6/linux-2.6-vserver-devmap.patch?revision=1.2 1175076715 Q * chand Ping timeout: 480 seconds 1175076717 M * awk daniel_hozac I must say vserver has really gone quite a way since i used it some time back 1175076719 M * awk well done guys 1175076790 M * daniel_hozac we like to think so too. 1175077112 Q * renihs Remote host closed the connection 1175077191 A * matti is looking for some nice URLs about security and releated in order to improve his WiKi page :) 1175077274 M * matti Anybody? 1175077275 M * matti :) 1175078168 Q * ema Quit: leaving 1175079805 Q * michal` Ping timeout: 480 seconds 1175080029 Q * shedi Quit: Leaving 1175080182 J * michal` ~michal@www.rsbac.org 1175080589 Q * spion Read error: Connection reset by peer 1175080718 M * awk hmm 1175080738 M * awk somebody tell me where I actually set this CAP_MKNOD 1175080788 M * doener /etc/vservers/$NAME/bcaps 1175080834 M * awk well, that file doesn't exsist 1175080836 M * awk thats why I asked 1175080862 M * doener create it ;) usually it is not needed and thus not created 1175080886 M * awk so in bcaps id just have have MKNOD 1175080889 M * awk on 1 line 1175080891 M * awk then restart the vserver? 1175080914 M * doener oh, seems that the name is bcapabilities, actually 1175080919 M * doener yes 1175081103 M * daniel_hozac bcapabilities ;) 1175081114 M * daniel_hozac ... helps to scroll all the way down. 
1175081129 M * doener phew, thought that I was lagging a few minutes again ;) 1175081160 M * doener had an interesting conversation with someone yesterday, his and my server were like 10 minutes apart 1175081189 M * arachnist lool 1175081275 M * awk sorry so for bind9 and for the ability to use mknod 1175081275 M * awk id have: 1175081275 M * awk MKNOD 1175081275 M * awk SYS_RESOURCE 1175081283 M * awk ./etc/vservers/name/bcapabilities ? 1175081309 M * daniel_hozac yep. 1175081310 M * doener AFAIK bind9 should work ootb with recent vserver versions, daniel_hozac? 1175081393 M * awk oh, intresting 1175081406 M * awk daniel_hozac you finally conviced bind9 to fix their shit ? 1175081411 M * awk or are they still not intrested? 1175081440 M * daniel_hozac doener: yep. 1175081442 M * doener well, I'm not sure about it, but there were patches floating around that were supposed to make bind9 think that everything's fine 1175081454 M * daniel_hozac yeah, the patches still exist, not merged yet. 1175081471 M * daniel_hozac but with 2.1+'s capability masking, we don't need it anymore. 1175081514 M * awk pfft, any debian users here, if you mask a package to not be used for installation how do you remove the mask 1175081529 M * awk eg: echo "blah hold" | dpkg --set-selections 1175081619 M * ard you can get the list with --get-selections 1175081627 M * ard somewhere in there is a good option :-) 1175081640 M * ard anyway: I recommend reading the manpage of aptitude 1175081649 M * ard aptitude install tcpdump_ 1175081658 M * ard purges tcpdump for instance.... 1175081664 M * ard it has a lot of modifiers like that 1175081681 M * awk i hate aptitude 1175081686 M * awk never seen a worst application :P 1175081692 A * doener loves aptitude 1175081699 M * awk :P 1175081706 M * ard you have to make sure that you have arguments... 
1175081716 M * ard else it will give you that lousy user interface 1175081722 M * ard and I hate user interfaces 8-) 1175081764 M * awk :P 1175081765 M * ard for the remainder: aptitude is better than apt-get (IMO), for the exception that it doesn't have supercow powers :-( 1175081794 M * ard but in some stubborn cases I fall back to apt-get 8-D 1175081808 M * ard : 1175081809 M * ard Keep at its current version: cancel any 1175081809 M * ard installation, removal, or upgrade. Unlike "hold" (above) this 1175081809 M * ard does not prevent automatic upgrades in the future. 1175081828 M * ard aptitude install tcpdump: 1175081830 M * ard for instance 1175081835 M * ard will cancel any holds 1175081876 M * doener ard: well, it has elephant-snake powers instead ;) 1175081892 M * ard but it can't moo :-( 1175081905 Q * michal` Ping timeout: 480 seconds 1175081905 M * ard and sometimes I just need to :-) 1175081912 M * awk ard I see what u mean 1175081922 Q * yarihm Quit: Leaving 1175081978 M * doener ard: doesn't it feel better when aptitude admits that you have won than when apt-get asks if you are cow-ish? 1175082037 M * awk ard well you have just proved me wrong 1175082043 M * awk apt-get install bind9 messed with things 1175082049 M * awk wouldn't install /etc/init.d/bind9 startup script 1175082060 M * awk aptitude install bind9 vwala 1175082060 M * awk :) 1175082305 J * cdrx ~legoater@cap31-3-82-227-199-249.fbx.proxad.net 1175082452 J * michal` ~michal@www.rsbac.org 1175082766 Q * sharkjaw Remote host closed the connection 1175082842 M * awk hrm, isn't vservers able to be rebooted 1175082929 M * daniel_hozac hmm? 1175083038 M * awk hmm, im sure i had a vserver before when I could just run restart 1175083042 M * awk and it restart the vserver 1175083052 M * awk I mean reboot 1175083122 M * daniel_hozac reboot -f 1175083132 M * daniel_hozac just reboot requires that you use the plain initstyle. 
1175083201 M * awk i see 1175083609 J * sharkjaw ~gab@158.36.45.236 1175083730 J * yarihm ~yarihm@whitehead2.nine.ch 1175084111 J * chand ~chand@212.99.51.254 1175084131 N * Bertl_zZ Bertl 1175084135 M * Bertl morning folks! 1175084283 M * doener morning Bertl 1175084379 J * shedi ~siggi@tolvudeild-195.lhi.is 1175084675 M * daniel_hozac morning Bertl! 1175084832 M * Bertl did we get any report from -rc21? 1175084874 M * daniel_hozac not that i've seen. 1175084933 M * Bertl daniel_hozac: ah, I made a diff for dannf yesterday, and I wonder .. did we remove jfs from 2.0.x at some point? 1175084949 M * awk hmm, that ubuntu guide never explained how to set the vserver to start at boot ? 1175084955 M * daniel_hozac no, i accidentally merged those changes. 1175084971 M * daniel_hozac but jfs doesn't have those attributes in 2.61.6. 1175084976 M * daniel_hozac s/2.61.6/2.6.16/ 1175084977 M * awk should I just add to rc.local - vserver vservername start 1175084998 M * daniel_hozac awk: echo default > /etc/vservers//apps/init/mark 1175085020 M * Bertl daniel_hozac: ah, okay, that explains it ... tx 1175085035 M * awk thanks 1175085037 Q * awk Quit: . 1175085426 J * marcfiu ~mef@aegis.CS.Princeton.EDU 1175085477 M * marcfiu hello vsWorld 1175085481 M * Bertl hey marcfiu! 1175086231 J * ntrs__ ntrs@68-188-55-120.dhcp.stls.mo.charter.com 1175086231 Q * ntrs_ Read error: Connection reset by peer 1175086982 J * arachnis1 arachnist@088156185052.who.vectranet.pl 1175086983 Q * arachnist Read error: Connection reset by peer 1175087203 J * ema ~ema@rtfm.galliera.it 1175087317 J * FireEgl ~FireEgl@adsl-61-136-122.bhm.bellsouth.net 1175087876 Q * ema Quit: leaving 1175087918 Q * dos000 Ping timeout: 480 seconds 1175088939 J * dos000 ~ymo@CPE000f66912f92-CM0018c0c6147e.cpe.net.cable.rogers.com 1175089265 J * pmenier ~pme@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr 1175089278 M * pmenier Hello 1175089445 M * doener hi pmenier 1175089454 M * doener pmenier: any new tty crashes? 
1175089474 M * pmenier no no :-) It seems to work fine now.... 1175089547 M * doener too bad that it was somewhat hard to trigger, hard to say if it is fixed :/ 1175089598 M * Bertl yes, but the fact that we do not have any report yet makes me hope :) 1175089612 M * pmenier and the other problem : i'm not a big developpeur.... just an enhanced newbie in this domain... 1175089663 M * doener Bertl: I'll consider increasing my lucky guess counter then ;) 1175089709 M * Bertl doener: yeah, definitely ... good catch in any case ... 1175089757 M * pmenier just a little question : i'm the only one to have encounter this bug ? 1175089780 M * Bertl nope, definitely not 1175089796 M * Bertl http://vserver.13thfloor.at/Stuff/BUGHUNT/bertl-0002/ 1175089809 M * Bertl this is only a small number of reports we got 1175089853 M * doener it's a bit sad though, that 50%+ of my patches depend on "vim -t $LUCKY_GUESS" instead of actual knowledge... ah well, who cares.. 1175090292 M * Bertl for lucky guesses you need a good feeling for the subject too 1175092152 M * matti Hi B :) 1175092924 Q * DavidS Quit: Leaving. 1175093161 M * ard heheh... 1175093171 A * ard just discovered "ip moo" 1175093187 M * ard cows are taking over the world 8-D 1175093363 M * doener *LOL* 1175093381 M * Loki|muh thanks for the hint :) 1175093466 M * doener no "ip -v moo" though :( 1175094132 M * sid3windr tom@magic:~$ ip moo 1175094132 M * sid3windr Object "moo" is unknown, try "ip help". 1175094133 M * sid3windr :( 1175094147 M * sid3windr ah 1175094150 M * sid3windr etch's iproute has it 1175094505 M * Bertl luckily none of my systems is affected *G* 1175095299 N * arachnis1 arachnist 1175095849 J * kevinp ~kevinp@ny.webpipe.net 1175095963 M * Bertl welcome kevinp! 1175095977 M * kevinp hello! 1175096072 M * kevinp should have a testme result for you shortly 1175096551 J * stefani ~stefani@flute.radonc.washington.edu 1175097120 J * mIRCTRUser-998 ~mIRCTR@88.228.29.21 1175097143 M * Bertl morning stefani! 
welcome mIRCTRUser-998! 1175097152 M * kevinp Bertl: http://pastebin.utahlinux.com/8 1175097187 M * Bertl kevinp: nice, tx! 1175097201 P * mIRCTRUser-998 1175097334 Q * shedi Quit: Leaving 1175098480 Q * dna Quit: Verlassend 1175098660 J * bonbons ~bonbons@83.222.39.201 1175098757 J * boci^ ~boci@pool-5294.adsl.interware.hu 1175098775 Q * yarihm Quit: This computer has gone to sleep 1175099761 J * teukka ~teukka@193.65.190.29 1175100014 M * Bertl welcome bonbons! teukka! 1175100045 M * teukka hi 1175100240 M * teukka obviously i also have a question =) 1175100280 M * teukka the host is connected to two networks (on the same network card) 1175100295 M * teukka let's say 10.1.0.0/24 and 10.2.0.0/24 1175100303 M * Bertl shared subnets 1175100324 M * teukka on the guest there are addresses on both of the networks 1175100343 M * teukka how can i tell which one to use? 1175100360 M * teukka i played with routing tables but didn't have much success 1175100377 M * Bertl the proper one will be used, depending on the IPs assigned to the guests 1175100416 M * Bertl if it cannot be decided, the first IP assigned to the guest will be used 1175100468 M * doener teukka: note that the source address selection will break if you didn't set the correct netmask for the vserver's ip addresses 1175100498 M * pmenier bye. Go home 1175100500 Q * pmenier Quit: Quitte 1175100519 M * Bertl which would (strictly speaking) mean that the guests are _not_ on those networks :) 1175100534 M * doener right 1175100575 M * doener just been writing that in a somewhat more complicated wording ;) 1175100580 A * ard always binds to lo 1175100587 M * ard makes it more easy :-) 1175100598 M * daniel_hozac hmm? 1175100614 M * Bertl for the mind, that is :) 1175100619 M * doener how is that related? 1175100644 M * ard if you bind to lo, you don't have problems with sa selection 1175100671 M * Bertl interesting theory ... 1175100676 M * daniel_hozac indeed... 
1175100680 M * doener the kernel doesn't care about the interfaces, only about interface addresses
1175100683 M * ard i mean: I always put lo in interfaces file
1175100695 M * ard doener is correct
1175100721 M * sannes is it now allowed to make a new namespace inside a vserver?
1175100738 M * daniel_hozac sannes: which namespace? :)
1175100738 M * ard but why bother looking at which interface you want to put it?
1175100800 M * ard (at lo you only have /32's because lo is a special interface)
1175100827 M * doener ard: ehrm, it's 127.0.0.1/8 here
1175100858 M * ard that's a special: it means: that every address between 127.0.0.0 to 127.255.255.255 is local :-)
1175100884 M * ard that's the difference between lo and a non-lo :-)
1175100915 M * doener and if it was all /32, that would mean that using lo exclusively would totally break source address selection for vservers, as you would _never_ be on the same net as the target address (except for local traffic)
1175100961 M * doener ard: no, that's special about 127.0.0.0/8, see the LOOPBACK macro in the kernel
1175100973 M * ard it makes you on the same net because the host has an ip on that interface with a netmask :-)
1175100985 M * ard it works with every ip you put on lo...
1175101009 M * ard try putting your local network address there and with the same netmask on your lo....
1175101011 M * sannes daniel_hozac: unshare(CLONE_NEWNS);
1175101026 M * ard and then try running from your colleagues :-)
1175101082 M * ard your host will answer any arp request for that network on any interface your host has :-)
1175101084 M * teukka on my setup everything is working if i have addresses on only one network on the guest. but if there are addresses on both on the networks i can not choose which address to use on outgoing connections
1175101093 M * ard a 0/0 on lo is deadly :-)
1175101095 M * teukka the default one of the host is always used
1175101145 M * trippeh teukka: Multiple default gateways too? You need policy routing for that.
1175101152 M * ard if you want to help address selection, you should use ip rule
1175101178 M * teukka trippeh: tell me more =)
1175101211 M * sannes daniel_hozac: http://www.sannes.org/wp-content/uploads/2007/03/newns.c to be exact
1175101215 M * ard you make multiple routing tables with the preferred source address
1175101219 M * trippeh teukka: lartc.org should have the information you need
1175101224 M * ard and choose with ip rule which routing table you want to use
1175101259 M * daniel_hozac sannes: i'm sucking right now, but i imagine you need a capability to do that.
1175101268 M * ard and this is what's so good about linux :-)
1175101269 M * daniel_hozac i know NEWUTS requires CAP_SYS_ADMIN.
1175101307 M * Bertl yeah, IIRC, all the namespaces are blocked atm, not sure that was always so
1175101352 M * ard My nicest routing table:
1175101353 M * teukka ard: hmm. but if the source address is different for each guest?
1175101354 M * ard ard@john:~$ ip ro sh table tolvs
1175101354 M * ard local default dev lo scope host
1175101357 M * sannes I haven't really played with it before ..
1175101382 M * daniel_hozac Bertl: yeah, they all need CAP_SYS_ADMIN.
1175101387 M * daniel_hozac which makes sense, i suppose.
1175101390 M * doener ard: hm, right, PACKET_LOOPBACK makes it special I guess
1175101395 M * ard teukka : that's why you need multiple tables... :-)
1175101436 M * Bertl teukka: in this case, two of them :)
1175101437 M * ard doener : that tolvs routing table is also a special trick to get traffic routed to the host (for LVS usage)
1175101450 M * teukka well, i was just thinking if there would be a way to do it automagically
1175101473 M * trippeh sannes: Ha, have you become a blogger :)
1175101478 M * Bertl teukka: how should that work?
1175101482 M * ard teukka: actually I would think you should not have any problems...
1175101529 M * sannes if I remember correctly CAP_SYS_ADMIN is a bit much .. hehe, hm, how is it blocked in fork.c ..
1175101537 M * ard teukka: if all your traffic is linklocal
1175101545 M * ard (or is it somehow working for me?)
1175101546 M * sannes trippeh: I use it to remember odds and ends .. heh
1175101610 M * sannes trippeh: ~/src/fun/ became too messy .. heh
1175101621 M * trippeh Right :)
1175101627 M * trippeh *cough*
1175101635 M * Bertl sannes, trippeh: please ...
1175101649 A * trippeh stops
1175101664 M * trippeh It's always interesting to see how people react ;)
1175101695 M * sannes heh, he was just making fun of me (just for the record) :P
1175101809 M * ard teukka : I've just tried it on a vserver with 2 subnets, and the source address is correct
1175101822 M * ard teukka : it belongs to the vserver...
1175101832 M * ard teukka : even the arps are correct
1175101884 M * teukka ard: mind sharing the commands for setting up the routing tables?
1175101907 M * ard teukka : no...
1175101915 M * ard teukka : the only command you need: ip :-)
1175101936 M * teukka ard: i somehow guessed that =)
1175101947 M * ard teukka : but if your stuff is linklocal (meaning: it is within the subnet of one of your interfaces), it should work
1175101966 M * teukka well, it is not
1175101984 M * ard teukka : this is on: 2.6.19.1-vs2.2.0-rc6-va1220
1175102035 A * ard is rereading your question
1175102104 M * ard Hmmm
1175102224 M * ard I just discovered that one IP was configured:
1175102230 M * ard inet 10.0.5.22/32 scope global eth0
1175102237 M * ard and the other:
1175102238 M * ard inet 10.0.6.22/24 brd 10.0.6.255 scope global secondary eth0.1
1175102310 M * ard this server has:
1175102311 M * ard CONFIG_VSERVER_LEGACYNET=y
1175102311 M * ard # CONFIG_VSERVER_REMAP_SADDR is not set
1175102313 M * ard set
1175102344 M * ard legacynet is I think an API change
1175102369 M * daniel_hozac which only matters if you use util-vserver < 0.30.210.
1175102390 M * ard jups :-)... This was my *first* install ...
1175102402 M * ard the REMAP_SADDR I am wondering about
1175102416 M * daniel_hozac only applies to connections to 127.0.0.1 inside guests.
1175102417 M * ard would that have any influence on source addresses?
1175102421 M * ard ah, ok :-)
1175102442 M * ard then, no, I don't see why it wouldn't work for teukka...
1175102460 M * ard 0.0.0.0 should be bound to the ip of the vserver
1175102491 M * ard But maybe because he has two networks on the same interface...
1175102516 M * ard teukka : can you put an ip a ls and an ip ro sh somewhere on a pastebin?
1175102526 M * daniel_hozac 0.0.0.0 is only bound to the guest's IP address if your guest only has one IP address.
1175102530 M * ard In the meantime I will change my clothes... (have to get home)
1175102618 M * ard softi42: if a vserver has 2 IP's, what will be used for 0.0.0.0? (now I am really getting interested :-) )
1175102623 M * ard eh
1175102637 M * ard how did softi42 get there?
1175102643 M * ard micah: I meant so:
1175102675 M * daniel_hozac hehe, fun with automatic nick completion, eh?
1175102679 A * ard irc client autocompletes the first words ending with :
1175102683 M * ard jup
1175102721 M * teukka ard: networking works. i can bind to the wanted ip and the connection leaves from that ip. the problem is when the bind address is not specified
1175102731 A * ard wonders if his setup is working because he has separate interfaces
1175102733 M * daniel_hozac when the guest has two IP addresses, 0.0.0.0 binds to both.
1175102819 A * teukka continues studying linux routing =)
1175103521 N * DoberMann[PullA] DoberMann
1175103653 M * s0undt3ch hello ppl
1175103665 M * s0undt3ch I'm trying to minimally secure my guest vserver
1175103685 M * s0undt3ch on this host, I'm only a guest so I don't have access to iptables
1175103695 M * s0undt3ch so what's the way to go?
1175103713 M * s0undt3ch trying to use hosts.{allow,deny} doesn't seem to be working
1175103735 M * daniel_hozac are the services you try to protect using tcp_wrappers?
1175103737 M * s0undt3ch P.S.: I only have the public ip available inside the guest
1175103757 M * s0undt3ch daniel_hozac: well, ldap,postfix and cyrus lmtp, etc
1175103763 M * s0undt3ch is there a way to know?
1175103771 M * daniel_hozac ldd, i suppose.
1175103780 M * s0undt3ch hmm, checking
1175103790 M * daniel_hozac if you see wrap in there, they're using it.
1175103801 M * daniel_hozac (or might, if you enable it in a configuration file or similar)
1175103912 M * s0undt3ch hmm, cyrus lmtp has wrap; postfix lmtp does not; ldap also has wrap
1175103984 M * s0undt3ch so, just focusing on ldap, I've set on /etc/hosts.deny ldap: ALL, and that says, deny all access to ldap from everyone correct?
1175103996 M * daniel_hozac you sure it's ldap?
1175104030 M * s0undt3ch what do I put there, the port name (from /etc/services) or the binary name?
1175104044 M * s0undt3ch if it's the binary name then it's slapd
1175104108 M * daniel_hozac i have no idea, to be honest. i've never really used tcp_wrappers.
1175104149 M * s0undt3ch heh, I'm just being forced to use it, if I could it'd be all iptables
1175104194 M * ard depends on the application
1175104197 M * s0undt3ch that's what I do on my own vserver host
1175104215 M * ard if they have libwrappers compiled in, they can put their own tag there
1175104222 M * ard and then it should be in the manual
1175104247 M * s0undt3ch ard: there where?
1175104258 M * ard in the /etc/hosts.deny :-)
1175104260 M * s0undt3ch there's a missing comma between those 2 words :)
1175104294 M * s0undt3ch nope, I have at least 2 binaries compiled with libwrapper and they didn't add anything
1175104320 M * ard I mean: they can tell libwrapper what tag they expect in /etc/hosts.*
1175104326 M * s0undt3ch ah
1175104346 M * s0undt3ch then I should see each of the binaries' documentation right?
1175104369 A * ard was just bothered by the helpdesk for an application that I do not maintain
1175104371 A * ard sighs
1175104396 M * s0undt3ch he he he
1175104483 M * s0undt3ch vserver should really get virtual networking going into main source, so that one can run its own iptables if needed
1175104582 M * s0undt3ch or at least provide access to 127.0.0.1 for each of the guests independent of the host's 127.0.0.1, then we could bind services to local ip and not public, but I think this is somewhat possible now, am I wrong?
1175104612 M * Bertl yep, still-not-updated 2.3.x should provide that
1175104638 M * s0undt3ch Bertl: which, virtual networking or 127.....?
1175104673 M * ard anyway
1175104677 A * ard should go home
1175104686 M * ard first change into biking gear
1175104720 M * s0undt3ch daniel_hozac: for ldap it's actually slapd that should be added to /etc/hosts.deny
1175104728 M * Bertl s0undt3ch: the 127.xx thing
1175104738 M * s0undt3ch Bertl: that would be great :)
1175104789 J * mattabYst ~no_spam@pool-71-98-182-59.tampfl.dsl-w.verizon.net
1175104793 P * mattabYst
1175105148 M * softi42 ard, sorry - did you mean me?
1175105351 M * ard No : my client was autocompleting ... I just meant so: ;-)
1175107462 M * bXi Bertl: i think i'll have to disappoint you on the test box :(
1175107646 J * ema ~ema@rtfm.galliera.it
1175107736 M * Bertl bXi: no problem ...
1175107747 J * Pazzo ~ugelt@dialin-225136.rol.raiffeisen.net
1175107759 M * Bertl evening ema! Pazzo!
1175107769 M * Bertl off for now ... back later ...
1175107772 M * Pazzo Hi Bertl!
1175107775 N * Bertl Bertl_oO
1175107781 M * Pazzo ltns & cya :o)
1175107893 Q * chand Quit: chand
1175107903 Q * boci^ Ping timeout: 480 seconds
1175108557 M * bXi Bertl_oO: the box seems to be dead :(
1175108731 Q * Pazzo Quit: Verlassend
1175109244 P * stefani I'm Parting (the water)
1175110391 J * shedi ~siggi@ftth-237-144.hive.is
1175110533 Q * duckx Remote host closed the connection
1175110703 J * duckx ~Duck@tox.dyndns.org
1175111387 Q * ema Quit: leaving
1175112322 J * Asmodeo ~chatzilla@151.66.5.205
1175112934 J * infowolfe_ ~infowolfe@c-67-164-195-129.hsd1.ut.comcast.net
1175112950 Q * bonbons Quit: Leaving
1175113242 Q * infowolfe Read error: Connection reset by peer
1175113738 J * boci^ ~boci@pool-7395.adsl.interware.hu
1175114606 Q * Asmodeo Quit: Chatzilla 0.9.77 [Firefox 2.0.0.2/2007032112]
1175114623 Q * ntrs__ Read error: Connection reset by peer
1175114694 Q * ruskie Ping timeout: 480 seconds
1175114761 Q * waldi Remote host closed the connection
1175114823 J * Asmodeo ~chatzilla@151.66.5.205
1175114837 Q * Asmodeo
1175116075 J * Aiken ~james@ppp250-73.lns2.bne4.internode.on.net
1175116240 Q * boci^ Quit: Távozom
1175116244 J * boci^ ~boci@pool-7395.adsl.interware.hu
1175116502 M * matti :)
1175117014 Q * arachnist Read error: Connection reset by peer
1175118046 J * arachnist arachnist@088156185052.who.vectranet.pl
1175119305 P * Roey Leaving
1175119424 N * DoberMann DoberMann[ZZZzzz]
1175119823 P * marcfiu
1175120874 Q * dos000 Quit: Ex-Chat
1175122019 Q * boci^ Quit: Távozom
1175122411 J * ruskie ruskie@ruskie.user.oftc.net
1175122533 Q * Aiken Quit: Leaving
1175122578 J * Aiken ~james@ppp250-73.lns2.bne4.internode.on.net
1175122672 Q * Aiken
1175122966 J * Aiken ~james@ppp250-73.lns2.bne4.internode.on.net
1175124740 Q * meandtheshel1 Quit: Leaving.