1179101123 J * comfrey_ ~comfrey@adsl-065-013-221-124.sip.rdu.bellsouth.net 1179101420 Q * comfrey Ping timeout: 480 seconds 1179101818 J * infowolfe_ ~infowolfe@c-67-164-195-129.hsd1.ut.comcast.net 1179101896 Q * infowolfe Read error: Connection reset by peer 1179101908 N * infowolfe_ infowolfe 1179102005 J * slack101 ~Administr@cpe-71-65-52-127.insight.res.rr.com 1179102023 M * slack101 hello everyone , back once agaaaain 1179102223 Q * yarihm Remote host closed the connection 1179102535 M * Bertl wb slack101! 1179102663 Q * rgl_ Quit: Leaving 1179102783 M * slack101 Bertl: how are ya 1179102825 M * Bertl fine, tx! and you? 1179102902 M * slack101 jus trying to make it 1179102905 M * slack101 jus trying to make it 1179102917 M * Bertl hmm :) 1179102938 M * slack101 life evolves around money and if you dont have alot your not moving anywhere 1179103420 J * NRiDeR ~nrider@201-42-165-96.dsl.telesp.net.br 1179103436 M * Bertl welcome NRiDeR! 1179103443 P * NRiDeR 1179104883 M * lylix which capability allows `ulimit` within a vserver? 1179104911 M * daniel_hozac none. it's already allowed. 1179104920 M * daniel_hozac you just cannot raise the limits. 1179104972 M * lylix right... hmmm... so if it fails, it was likely trying to go beyond the limit or would that situation just take the limit as set from the host? 1179104990 M * daniel_hozac if it fails, it tried to raise the limit. 1179104991 J * flock- ~alex@ool-43541c20.dyn.optonline.net 1179104998 M * lylix bingo... 
k, tnx 1179104998 M * flock- hey guys 1179105009 M * flock- I am having a hard time assigning a virtual interface to my vserver 1179105027 M * flock- I want like eth0:foo to belong to a vserver, and not just assign an IP to it 1179105045 M * flock- (is there any logic behind doing something like that in first place) 1179105053 M * Bertl flock-: first, eth0:foo is no virtual interface 1179105075 M * Bertl it is called an alias, and it is basically the same as 'just' an ip, only older 1179105075 M * flock- its an alias, right. then what is a virtual interface? 1179105109 M * daniel_hozac one which has no physical representation? 1179105117 M * flock- creating a few dummy interfaces and bridging them would be a better thing to do you reckon? 1179105118 M * Bertl well, there are no virtual interfaces in Linux-VServer ... 1179105147 M * Bertl at least none which aren't in mainline linux ... 1179105179 M * Bertl flock-: if you like to complicate the network stack, without any real advantage, you could do that :) 1179105210 M * Bertl a bridge with a dummy interface will slow down the entwork stack and buy you exactly nothing 1179105218 M * flock- also true 1179105228 M * Bertl (as dummy itnerfaces will not receive or transmit any packets) 1179105276 M * flock- so how do I properly do firewalling on my vservers? just specify the IP as a destination? 
1179105295 M * Bertl yep, that will be all which is relevant for firewalling 1179105425 M * flock- allrighty then:) 1179106845 Q * infowolfe Read error: Connection reset by peer 1179106855 J * infowolfe ~infowolfe@c-67-164-195-129.hsd1.ut.comcast.net 1179107530 Q * comfrey_ Ping timeout: 480 seconds 1179110160 Q * ensc Ping timeout: 480 seconds 1179110513 Q * infowolfe Quit: Leaving 1179110646 J * ensc ~irc-ensc@p54B4F591.dip.t-dialin.net 1179110858 J * infowolfe ~infowolfe@c-67-164-195-129.hsd1.ut.comcast.net 1179111463 J * zLinux_ ~zLinux@88.213.57.156 1179111622 M * slack101 once i make a new vps and the person goes in ...........theres no way they can break out or nothing right ? 1179111643 M * Bertl define 'goes in' :) 1179111767 Q * zLinux Ping timeout: 480 seconds 1179114457 Q * FireEgl Ping timeout: 480 seconds 1179114564 Q * flock- Quit: Leaving 1179117303 J * FireEgl FireEgl@4.0.0.0.1.0.0.0.c.d.4.8.0.c.5.0.1.0.0.2.ip6.arpa 1179118077 M * Bertl okay, off to bed now .. have a good one everyone! 1179118082 N * Bertl Bertl_zZ 1179119797 Q * marcfiu Quit: Download Gaim: http://gaim.sourceforge.net/ 1179120071 J * dafrog kevin@tinfoilhat.net 1179120090 M * dafrog hi 1179124938 J * DavidS david@chello062178045213.16.11.tuwien.teleweb.at 1179125073 J * dna ~naucki@180-246-dsl.kielnet.net 1179125531 J * bzed ~bzed@dslb-084-059-096-203.pools.arcor-ip.net 1179132405 J * cdrx ~legoater@blueice3n1.uk.ibm.com 1179132680 J * meandtheshel1 ~markus@85-124-174-30.dynamic.xdsl-line.inode.at 1179132707 J * dsk ~dsk@anonymisierungsdienst2.foebud.org 1179132731 J * meandtheshel3 ~markus@85-124-174-30.dynamic.xdsl-line.inode.at 1179132969 Q * meandtheshel3 1179132989 Q * meandtheshel1 Quit: Leaving. 
1179133175 Q * shedi Quit: Leaving 1179133272 J * meandtheshell ~markus@85-124-174-30.dynamic.xdsl-line.inode.at 1179134249 Q * dsk Quit: Leaving 1179136116 Q * mjt Remote host closed the connection 1179136140 J * mjt ~mjt@nat.corpit.ru 1179136214 J * lilalinux ~plasma@80.69.41.3 1179138582 J * meebey_ ~meebey@stalin.gsd-software.net 1179138591 M * meebey_ morning 1179138639 M * meebey_ I have a strange problem with util-vserver, it unmounts /tmp /sys /home and /var/log from the host when the host boots 1179138651 M * meebey_ see: http://paste.debian.net/27948 1179138684 M * meebey_ this happened when I upgraded from sarge to etch, in etch is 0.30.212-1 of util-vserver 1179138715 M * meebey_ anyone an idea why it unmounts some of my host partitions? 1179139085 Q * Wonka Ping timeout: 480 seconds 1179139169 J * Piet hiddenserv@tor.noreply.org 1179140009 M * phedny meebey_: aren't you that person that built a irc client in php? 1179140320 M * daniel_hozac meebey_: hmm? 1179140337 M * daniel_hozac meebey_: do you have a guest that isn't using namespaces? 1179141838 J * Wonka produziert@chaos.in-kiel.de 1179143697 M * meebey_ phedny: yes, Net_SmartIRC 1179143707 M * meebey_ daniel_hozac: I think so 1179143785 Q * Wonka Read error: Connection reset by peer 1179144004 M * daniel_hozac meebey_: why? 1179144400 Q * Aiken Quit: Leaving 1179144419 M * meebey_ galilei:/etc/vservers# grep mount * 1179144419 M * meebey_ fax.sh: mount --bind /dev/capi /vservers/fax/dev/capi 1179144419 M * meebey_ fax.sh: umount /vservers/fax/dev/capi 1179144425 M * meebey_ daniel_hozac: because of that for instance 1179144448 M * daniel_hozac hmm? 1179144466 M * meebey_ daniel_hozac: but wouldn't it be a bug to unmount random partitions of the host on bootup? 1179144480 M * daniel_hozac it is, and it was fixed in 0.30.213. 
1179144488 M * meebey_ ah ic 1179144501 M * meebey_ too bad that debian/stable shipped .212 1179144503 M * daniel_hozac note that simply using namespaces avoids that entirely... 1179144527 M * meebey_ let's see for which vserver I disabled namespaces 1179144580 M * meebey_ hm for 2 vservers, but I dont think they really need it... let me remove "nonamespace" 1179144626 M * meebey_ daniel_hozac: is the fix a simple patch? might consider to ask the util-vserver to push the fix into debian/stable 1179144651 M * daniel_hozac yep. 1179144654 M * meebey_ as it's serious bug, it can do in proposed-updates 1179144665 M * daniel_hozac i wouldn't really call it serious. 1179144679 M * meebey_ well, the system is not usable after boot .) 1179144680 M * daniel_hozac especially given the fact that you're the second person to report it. 1179144683 M * meebey_ after upgrade to etch 1179144769 J * ema ~ema@rtfm.galliera.it 1179144949 M * meebey_ daniel_hozac: I can confirm that the workaround solved the problem for me 1179144963 M * meebey_ daniel_hozac: thanks 1179145098 J * Wonka produziert@chaos.in-kiel.de 1179146100 Q * phedny Ping timeout: 480 seconds 1179147479 Q * zLinux_ Ping timeout: 480 seconds 1179148702 N * Bertl_zZ Bertl 1179148710 M * Bertl morning folks! 1179148713 M * daniel_hozac morning Bertl! 1179149619 Q * ema Ping timeout: 480 seconds 1179150191 J * ema ~ema@rtfm.galliera.it 1179151176 J * zLinux ~zLinux@88.213.43.242 1179151205 Q * Piet Ping timeout: 480 seconds 1179151348 J * Piet hiddenserv@tor.noreply.org 1179154404 Q * derjohn Ping timeout: 480 seconds 1179154725 J * ninou ~sylvain_f@bredele.imag.fr 1179154785 J * ramon ~ramon@116.Red-88-5-228.staticIP.rima-tde.net 1179154789 M * ramon Hello. 1179154843 M * ramon Is there something like unionfs for vserver? I see that unionfs is disabled on Debian for vserver kernels, so I guess there must be some incompatibility. 
1179154846 M * ninou hello ,i want to backup an entire vserver, is it a good solution and is there a tool which do that ? 1179154877 M * ramon ninou: Why not just backing up /var/lib/vserver/ and /etc/vservers/? 1179154938 M * Bertl ramon: if done properly, unionfs should work for Linux-VServer, but IIRC, it is not part of mainline yet 1179154960 M * ramon I guess so. 1179154970 M * Bertl ramon: Linux-VServer uses unification and CoW link breaking for reducing disk size and resource consumption 1179155003 M * Bertl ninou: rsync, dump, tar ... whatever you like, just make sure that the uid/gid values are archived properly 1179155034 M * ramon I already now that Debian people like cows. 1179155068 M * ramon I hope we will see vserver moo 1179155153 M * Bertl (CoW = Copy on Write) 1179155165 M * ramon I now. 1179155168 M * ramon I know. 1179155194 M * ramon Like ext3cow. 1179155324 M * Bertl yup 1179155391 J * phedny ~mark@ip56538143.direct-adsl.nl 1179155417 M * ramon Is there any place where usage of cow links is explained? 1179155430 M * ramon I mean, how to mount them and so on. 1179155469 J * jezdez ~jezdez@pd9554799.dip0.t-ipconnect.de 1179155502 M * jezdez hi guys 1179155577 M * jezdez I don't quite get the "directory" variable for the dlimit. is this the path to the vserver root on the host or what else? 1179155577 M * daniel_hozac ramon: what? 1179155601 M * ramon How to make and use cow links. 1179155605 M * daniel_hozac ramon: you just make the file immutable+invert unlink (i.e. the typical result of hashification), and it's done. 1179155632 M * daniel_hozac jezdez: if you're interested in limiting the root filesystem, yes. 1179155665 J * derjohn ~derjohn@80.69.41.3 1179155716 M * Guy- daniel_hozac: are there any plans to deal with the intra-guest anomalies this causes? 1179155741 M * daniel_hozac hmm? 1179155743 M * Guy- daniel_hozac: i.e. 
automatic link breaking will break all hard links to the file, not just inter-guest ones 1179155753 M * daniel_hozac what? 1179155762 M * Guy- you have /bin/gzip and /bin/gunzip 1179155769 M * Guy- they are the same file, hardlinks 1179155782 M * Guy- you hashify 1179155789 M * jezdez daniel_hozac: df (on guest) is now showing: "/dev/hdv1 5,0G 0 4,8G 0% /". zero usage? 1179155790 M * Guy- then you change /bin/gzip 1179155802 M * Guy- and it will no longer be hardlinked to /bin/gunzip 1179155806 M * daniel_hozac jezdez: have you tagged the files with the guest's xid? 1179155811 M * Guy- because the link will be broken 1179155814 M * Guy- isn't this right? 1179155816 M * daniel_hozac yep. 1179155830 M * jezdez daniel_hozac: ouh, no. what for? 1179155831 M * Guy- isn't this wrong? :) 1179155848 M * daniel_hozac jezdez: so the disk limit work correctly? 1179155864 M * Guy- meeting... 1179155865 A * jezdez goes back to the wiki 1179155872 M * daniel_hozac if the files aren't tagged with the guest's xid, they won't count towards the disk limit 1179155883 M * ramon I didn't understand. First chattr inmutable, invert? 1179155891 M * jezdez daniel_hozac: ok, now I get it, thanks daniel :) 1179155922 M * daniel_hozac Guy-: maybe. how would you suggest it gets handled instead? 1179155943 M * daniel_hozac ramon: setattr --iunlink. 1179156115 M * ramon So first I make a hard link, and then, by making the link immutable + iunlink, it is copy on write, so that the link is broken when the file is written to it? 1179156155 M * daniel_hozac yes. 1179156163 M * ramon But, I am afaid, this is not posible with directories, because one cannot hard links to directories. 1179156170 M * daniel_hozac no. 1179156180 M * daniel_hozac what would COW on a directory get you? 1179156190 Q * cdrx Read error: Connection reset by peer 1179156198 M * Bertl ramon: no need for directories, they only consume minimal resources 1179156276 M * ramon Think about it. 
It would be an interesting generalization. After the link is broken, the directory "copy" would have as entries hard links to the same files of the original directory. It would be an interesting replacement of unionfs 1179156356 M * Bertl ramon: it just complicates the kernels copy part with no gain 1179156370 M * Bertl ramon: you can create all the hardlinks beforehand 1179156382 M * Bertl ramon: and you won't notice a real difference 1179156751 M * ramon I prefer unionfs. The real reason for reusig files is not space, but maintainance: if an application is updated in the host, it gets updated in the vm automatically. 1179156943 M * Bertl IMHO that is more a maintainance burden ... 1179156993 M * Bertl unless unionfs got some kind of 'propagation' feature recently 1179157076 M * ramon I don't know how does unionfs works, I just imagine what it looks like. If a vm as a directory formed by union of /bin and /local/bin, then, if /bin/netstat is updated, it will be updated in the VM as well, will it? 1179157126 M * Bertl depends, it might get partial updates if the guest already updated and/or deleted certain files, no? 1179157154 M * Bertl just consider a package consisting of 3 files, A, B and C 1179157167 M * ramon Exactly, but that is the intention. 1179157186 M * Bertl the guest leaves A and B alone, but updates C 1179157198 M * Bertl now the host admin updates the package 1179157210 M * ramon Typical usage would be, say, add some file to /bin (in Plan9 operating system, PATH search is implemented by /bin being a union of several directories). 1179157214 M * Bertl which replaces the files with A', B' and C' 1179157220 Q * jezdez Quit: jezdez 1179157239 M * Bertl the guest will now see A', B' and his personal version of C which breaks the entire package :) 1179157243 M * ramon Yes, there can be dependencies, but there can be no dependies. 
1179157266 M * Bertl and the best is, you'll never know _what_ you did break in the guests :) 1179157295 J * CHTEKK ~chtekk@84.55.197.235 1179157302 M * Bertl wb CHTEKK! 1179157305 M * CHTEKK yo all! 1179157311 M * CHTEKK hi Bertl! :) 1179157320 M * CHTEKK how are you? 1179157342 M * Bertl fine tx, and you? 1179157353 Q * ninou Quit: Chatzilla 0.9.67+ [Iceape 1.0.8/2007021704] 1179157360 M * CHTEKK fine too, thanks 1179157443 J * stefani ~stefani@tsipoor.banerian.org 1179157468 M * CHTEKK I have a quick question, since I'm writing up a few methods to get status info for vcd, and have seen something that I'd like clarified: vx_limit_stat_t.id RLIMIT_NPROC, as well as vx_stat_t.tasks and vx_stat_t.nr_threads always show the same amount of stuff, is that expected? 1179157512 M * CHTEKK or better: what's the theoretical difference between the three? since if there's no difference, tehre wouldn't be a reason to have three places to get such info :) 1179157545 M * Bertl do they? 1179157565 M * CHTEKK yeah, I tried running both normal process-based programs as well as some threaded stuff inside the vserver 1179157569 M * CHTEKK and I always get them all the same values 1179157598 M * CHTEKK (as threaded program I tried cpuhog -n 10, cpuhog v 0.02 using pthread afaik) 1179157636 M * Bertl I would assume that two of them show the same most of the time 1179157656 M * CHTEKK yeah nproc and tasks I'd also assume would show the same usually 1179157668 M * CHTEKK but that perplexes me is the total threads... that should theoretically be higher, no? 1179157675 M * CHTEKK (if running some threaded app) 1179157780 M * Bertl the vx_stat is derived from the reference count (tasks referencing the context) 1179157801 M * Bertl the vx_limit is from the accounting (and process limits) 1179157831 M * Bertl the nr_threads I have to check ... 1179157970 M * Bertl CHTEKK: try creating threads via sys_clone ... 
1179157987 M * Bertl I think they should be accounted differently (not 100% sure though) 1179158013 Q * meebey_ Quit: leaving 1179158023 M * Guy- daniel_hozac: I see no easy way around this, unfortunately 1179158024 M * CHTEKK just to show you a little bit better what happens: http://paste.linux-vserver.org/1811 1179158048 M * CHTEKK (I'm using 2.6.20-2.2.0-gentoo, so the latest vserver sources) 1179158055 M * CHTEKK I'll try with sys_clone 1179158102 M * Bertl I think the naming is a little confusing for userspace 1179158116 M * Bertl in kernel space, threads and tasks are kind of reversed 1179158141 M * Bertl and in certain places they are even a synonym 1179158319 M * Bertl okay, off for dinner ... back shortly after 1179158324 N * Bertl Bertl_oO 1179158391 M * CHTEKK well still I'd expect the threads to be counted differently... so is this some bug, or is it ok? there probably is some way to get this I assume... I mean, ps for example by default shows only processes, and you need some flag for it to also show the threads of threaded programs 1179158413 M * CHTEKK and I'd fully expect tasks/nproc to be the process count, and threads the count of processes + their threads for the threaded ones 1179158553 M * CHTEKK and well, I'd expect this to happen even with cpuhog -n 10, as it uses NPTL as far as I can see... :) 1179158602 M * CHTEKK in the end what I need to know is if there is any bug in all of this, or if the values are effectively expected to be always the same... cause I need to decide which ones to expose in VCD, and atm they all look the same 1179158625 M * CHTEKK so I need to know which ones may differ, and thus be of interest for the user to know... 
:) 1179158795 J * cdrx ~legoater@cap31-3-82-227-199-249.fbx.proxad.net 1179158858 P * TrueBrain So long and tnx for all the fish 1179159107 N * DavidS DavidS|de 1179159239 J * bonbons ~bonbons@ppp-111-156.adsl.restena.lu 1179159430 Q * Piet Ping timeout: 480 seconds 1179159471 J * Piet hiddenserv@tor.noreply.org 1179159813 N * Bertl_oO Bertl 1179159873 M * Bertl CHTEKK: I would provide the limit in as limit 1179159905 M * Bertl and the nr_threads as context overview, the tasks should not be of much interest to the user 1179160006 M * CHTEKK hmmm ok, but are there casses in which nproc limit and nr_threads differ? 1179160017 M * CHTEKK (just curious now) 1179160241 M * Bertl let's assume for now, that they _might_ differ at some point 1179160255 M * Bertl I have to verify the clone() case, unless you do that for me :) 1179160361 M * CHTEKK hmmm I'd have to get a crash-course in "programming with threads and stuff" to do that really, so I'll leave it to you ;) 1179161292 M * CHTEKK Bertl, other quick question: what does NXA_SOCK_PACKET, NXA_SOCK_UNSPEC and NXA_SOCK_OTHER track exactly? UNIX, INET and INET6 are obvious, but I'm not sure about the others exactly 1179161442 M * Bertl everything else 1179161448 Q * doener Ping timeout: 480 seconds 1179161479 M * CHTEKK Bertl, hehe guessed as much :P but who tracks "what else"? :) 1179161510 M * CHTEKK ie. to a normal user UNSPEC and OTHER may seem redundant, and why PACKET when afaik for each one you get recv/send/fail packets? 1179161524 M * CHTEKK (normal user == me :P) 1179161625 M * Bertl grep AF_ /usr/include/linux/socket.h 1179161742 Q * mountie Remote host closed the connection 1179161791 M * CHTEKK ok thanks, I only checked vserver.h myself :) 1179161805 M * Bertl I guess that clarifies, yes? 1179161810 Q * cdrx Quit: Leaving 1179161815 M * CHTEKK to an extend :) 1179161891 M * CHTEKK what's the "packet family"?... 
and I guess OTHER is all the other stuff AF_bla stuff, all-in-one for vservers, and UNSPEC is whatever it can't identify with one of the existing types, am I right? 1179161917 M * Bertl yep, basically that's it 1179161930 J * mountie ~mountie@trb229.travel-net.com 1179161980 M * Bertl PF_PACKET is a special kind of socket like PF_INET 1179162028 M * CHTEKK "DESCRIPTION 1179162028 M * CHTEKK Packet sockets are used to receive or send raw packets at the device driver 1179162028 M * CHTEKK (OSI Layer 2) level. They allow the user to implement protocol modules in user space on top of the physical layer." 1179162035 M * CHTEKK k found it, thanks a lot!!! :) 1179162325 M * Bertl np 1179162640 Q * Piet Ping timeout: 480 seconds 1179162700 J * doener ~doener@host.magicwars.de 1179162714 M * Bertl wb doener! 1179162981 J * phreak`` ~phreak``@deimos.barfoo.org 1179163174 J * Piet hiddenserv@tor.noreply.org 1179163450 Q * DavidS|de Quit: Leaving. 1179164290 Q * ema Quit: leaving 1179164679 Q * lilalinux Remote host closed the connection 1179164773 J * {marcz} ~marc@lns-bzn-47f-81-56-187-30.adsl.proxad.net 1179165085 Q * FireEgl Ping timeout: 480 seconds 1179167393 Q * slack101 Read error: Connection reset by peer 1179167449 Q * phreak`` Read error: Operation timed out 1179167559 Q * Hollow Ping timeout: 480 seconds 1179167574 Q * FloodServ Service unloaded 1179167949 J * kand ~kandreas@P1b13.p.pppool.de 1179168204 J * cdrx ~legoater@cap31-3-82-227-199-249.fbx.proxad.net 1179168507 J * Hollow ~hollow@styx.xnull.de 1179168545 J * FloodServ services@services.oftc.net 1179168624 Q * ramon Quit: Leaving 1179168828 Q * kand Quit: Verlassend 1179168985 Q * duckx Remote host closed the connection 1179169021 J * duckx ~Duck@tox.dyndns.org 1179169080 Q * ktwilight Quit: dead 1179169094 Q * duckx Remote host closed the connection 1179169098 J * ktwilight ~ktwilight@121.95-66-87.adsl-dyn.isp.belgacom.be 1179169245 J * duckx ~Duck@tox.dyndns.org 1179169368 J * ktwilight_ 
~ktwilight@57.195-66-87.adsl-static.isp.belgacom.be 1179169780 Q * ktwilight Ping timeout: 480 seconds 1179171146 J * FireEgl FireEgl@4.0.0.0.1.0.0.0.c.d.4.8.0.c.5.0.1.0.0.2.ip6.arpa 1179171394 J * phreak`` ~phreak``@deimos.barfoo.org 1179172657 J * ema ~ema@rtfm.galliera.it 1179172872 J * yarihm ~yarihm@84-75-103-239.dclient.hispeed.ch 1179174881 M * svenk how can i set the shared memory limit for a vserver? 1179174902 M * svenk i raised it in the host but it had no effect in the vserver 1179174941 M * svenk i get a permission denied if i try to raise it in the vserver 1179174975 M * daniel_hozac how are you trying to raise it? 1179174994 M * svenk with sysctl 1179175016 M * daniel_hozac and this is with 2.6.19+? 1179175026 J * Mark17 ~root@vnc.streamservice.nl 1179175032 M * Mark17 hello 1179175042 M * daniel_hozac hi 1179175046 M * svenk 2.6.19.7 with grsec 1179175048 M * daniel_hozac you shouldn't IRC as root you know. 1179175080 M * Mark17 i know, but this is just an vps that i use for irc (when i stop i normally stop the vps) 1179175093 M * Mark17 vcontext: vc_create_context(): File exists << how could i fix that? 1179175101 M * svenk should sysctl work in the vserver? 1179175111 M * daniel_hozac you're trying to use the same context id for two guests? why? 1179175115 M * daniel_hozac svenk: no. 1179175126 M * daniel_hozac svenk: use /etc/vservers//sysctl 1179175130 M * Mark17 daniel_hozac: i just try to start a vps that did stop 1179175191 M * Mark17 it can be crached (i didn't stop it and it is stopped) 1179175194 M * daniel_hozac then it's not really stopped, as the context is still alive. 1179175263 M * Mark17 i can't access it (using the ip and ssh or using "vserver dns2 enter" aren't working) 1179175271 M * Mark17 so how can i stop it? 1179175293 M * daniel_hozac what does vps say about it? 
1179175367 M * Mark17 http://pastebin.ca/488139 1179175372 M * Mark17 that is all i get] 1179175389 M * Mark17 debian:~# vserver dns2 status 1179175389 M * Mark17 Vserver 'dns2' is stopped 1179175398 M * daniel_hozac yes, but what does vps faux | grep say? 1179175465 M * Mark17 -bash: syntax error near unexpected token `newline' 1179175497 M * daniel_hozac you did replace with the guest's xid, right? 1179175513 M * Mark17 http://pastebin.ca/488147 1179175524 M * Mark17 some more information 1179175530 M * svenk daniel_hozac: does this file have the same syntax like /etc/sysctl.conf? 1179175537 M * Mark17 i just don't like to past more than 3 lines 1179175565 M * daniel_hozac svenk: no, it's a directory. 1179175573 M * daniel_hozac svenk: see the flower page for the details. 1179175634 M * daniel_hozac Mark17: well, there you go. it's still running MySQL. 1179175709 M * Mark17 and how can i kill a process on a vps that i can't access? 1179175728 M * daniel_hozac vkill. 1179175915 M * Mark17 debian:~# vps faux | grep dns2 1179175915 M * Mark17 root 3419 0 MAIN 0.0 0.1 2120 592 pts/4 1179175921 M * Mark17 3419 is the pid? 1179176037 M * daniel_hozac that's a process on the host. 1179176042 M * daniel_hozac but yes, 3419 is the pid. 1179176051 M * daniel_hozac note that you don't want to grep for the name of the guest, but the xid. 1179176121 M * Mark17 xid == guest name or? 1179176144 M * daniel_hozac no. 1179176151 M * daniel_hozac xid is the numeric identifier of the guest. 1179176158 Q * Mark17 Remote host closed the connection 1179176341 M * svenk daniel_hozac: sysctl is not mentioned on the flower page 1179176357 M * daniel_hozac really? 1179176394 M * daniel_hozac d'oh, i forgot to update it when i released 0.30.213. 1179176446 J * Mark17 ~bnc@85.12.26.130 1179176464 M * mjt hmm... sysctl? 1179176506 M * svenk so this will not work if i am still using util-vserver 0.30.212 1179176517 M * daniel_hozac no. 
1179176558 M * Mark17 how can i find the numeric identifier of the guest? 1179176577 M * daniel_hozac cat /etc/vservers//context 1179176620 M * daniel_hozac there, it should be on the flower page now. 1179176686 M * svenk daniel_hozac: thank you very much 1179176720 M * Mark17 is it possible to change that numeric identifier? 2 vservers are using the same numeric identifier... 1179176738 M * daniel_hozac yes, you simply change the value in the file. 1179176747 M * daniel_hozac why did you create two of them with the same value? 1179176772 M * Mark17 i use openvcp to create/manage vservers and it is probably a bug 1179176839 M * Mark17 debian:~# vserver vnc start 1179176839 M * Mark17 Unknown bcap 'Allow capability CAP_SYS_RAWIO' 1179176842 M * Mark17 :S 1179176888 M * mjt how namespace is assotiated with vcontext? 1179176958 M * mjt is it like, create^Wclone a namespace, create vcontext, and vcontext inherits the current namespace, making namespace a vcontext property? 1179176974 M * daniel_hozac vnamespace handles namespaces. 1179176981 M * daniel_hozac (the filesystem ones anyway) 1179176984 M * cehteh haha derjohn ;) tell me how it ends ;) 1179177005 M * mjt vnamespace --new just calls clone(CLONE_NEWNS) 1179177014 M * daniel_hozac vcontext creates/enters the IPC and uts spaces. 1179177015 M * mjt it doesn't assotiate the new namespace with a context 1179177022 M * daniel_hozac vnamespace --set does that. 1179177060 M * mjt ghrm 1179177126 M * mjt so initially the new namespace is assotiated with a process, while "vcontext" is something by its own, sharing "default" system namespace? 1179177140 M * mjt it's really confusing 1179177143 M * daniel_hozac what? 1179177162 M * daniel_hozac namespaces, like most other things, are inherited from the parent. 
1179177182 M * mjt yes 1179177211 M * mjt i mean 1179177261 M * mjt there's a thing called "context", which includes uts things, probably time, IPC stuff, *and* namespace 1179177313 M * mjt the namespace of a context is the default namespace in that context (since it is, like, say, current working directory, is a process property) 1179177338 M * mjt and there's a way to change the default namespace of a context. 1179177371 Q * yarihm Remote host closed the connection 1179177378 J * Aiken ~james@ppp222-137.lns2.bne1.internode.on.net 1179177398 M * mjt does it resemble reality somehow? 1179177425 M * daniel_hozac sure. 1179177438 M * mjt when there are processes running in a context, changing namespace of that context doesn't change namespaces of the said processes 1179177448 M * daniel_hozac nope. 1179177465 Q * Mark17 Quit: Changing server 1179177489 M * daniel_hozac the namespace associated with the context only really matters when you're entering it from the host. 1179177516 J * shedi ~siggi@ftth-237-144.hive.is 1179177625 M * mjt so there are 3 main utilities in util-vserver - vnamespace, vcontext and ncontext. Plus stuff like setting limits/flags. 1179177641 M * Bertl atm, yes 1179177647 M * mjt atm? 1179177660 M * Bertl but e.g. uts and ipc have become separate 'spaces' 1179177681 M * mjt in stock kernel or in vserver kernel? 1179177688 M * Bertl so there basically is 'vuts' and 'vipc' :) 1179177688 M * daniel_hozac mainline. 1179177705 M * mjt i wonder how many other v* things will be there 1179177711 M * Bertl mjt: the uts code is almost 1:1 the original vserver code 1179177731 M * mjt "vpid" is a part of vipc, right? 1179177743 M * Bertl mjt: so we jsut removed that from Linux-VServer when mainline got support for it 1179177745 M * mjt (if such a thing will ever exist) 1179177764 M * Bertl no, actually the pid space will be a separate space (soon) 1179177767 M * daniel_hozac why would vpid be a part of vipc? 
1179177786 Q * bonbons Quit: Leaving 1179177813 M * mjt dunno really 1179177857 M * mjt either way, with so many v* spaces, i wonder how it all will work when one v* belongs to one "context" and another v* to another :) 1179177876 M * mjt it's already.. interesting. with nid and xid spaces 1179177912 M * mjt in vserver (as a whole) the two are parts of one context 1179177937 M * mjt but it's already possible to treat them separately 1179177961 J * yarihm ~yarihm@84-75-103-239.dclient.hispeed.ch 1179177981 M * daniel_hozac yep. 1179178037 M * mjt aha. also chbind that manages ncontexts - another util i missed above 1179178051 M * daniel_hozac chbind is just a wrapper script. 1179178070 M * mjt hmm? src/chbind.c is a script? 1179178081 M * mjt argh 1179178091 M * daniel_hozac that's chbind-compat, a legacy program. 1179178144 M * mjt that's alot of compat/legacy programs/code :) 1179178149 Q * dna Quit: Verlassend 1179178155 M * daniel_hozac yes. 1179178164 M * mjt how about moving that stuff to legacy/ or src/compat/ 1179178165 M * mjt ? 1179178186 J * rpetre ~petre@83.166.220.142 1179178195 M * daniel_hozac what would be the point? 1179178275 M * mjt for me it'd be great ;) 1179178293 M * mjt because trying to understand what it all actually does is umm.. difficult ;) 1179178402 M * daniel_hozac and having files in a different directory would make it easier to understand?= 1179178424 M * mjt having *right* files in one dir will ;) 1179178439 M * daniel_hozac "right files"? 1179178456 M * mjt src/chbind.c is an example of a "wrong" file 1179178462 M * daniel_hozac how so? 1179178483 M * mjt because the right tool to use is ncontext 1179178492 M * daniel_hozac only if your kernel is recent enough. 1179178495 M * mjt yes 1179178522 M * daniel_hozac so, right/wrong is in the eyes of the beholder, no? 1179178536 M * mjt ..or nattribute really 1179178549 Q * ema Quit: leaving 1179178553 M * daniel_hozac hmm? nattribute doesn't do much yet. 
1179178618 M * mjt ok, naddress ;) 1179178650 M * mjt duh, that's 3 programs to manage netcontexts... 1179178653 M * daniel_hozac you still need ncontext. 1179178673 M * mjt ncontext, nattribute, naddress 1179178679 M * rpetre hi, i have a weird situation, and i'm not sure what to make of it: debian etch host and brand-new guest. vserver-entered the guest, ran aptitude and did a lot of stuff with the packages (installs, purges, so on). at one point aptitude broke (the terminal froze). i ssh-ed into the host with a different terminal and motd was displaying the name of the new guest! How in the name of god did that get modified? 1179178718 M * mjt rpetre: why not? 1179178733 M * rpetre (umm, sorry, i broke a conversation while composing that novel) 1179178737 M * mjt or, what do you mean by "new guest"? 1179178747 M * rpetre new vserver 1179178757 M * daniel_hozac how did you build the guest? 1179178769 M * rpetre built with the newvserver script from vserver-debianutils 1179178769 M * daniel_hozac mjt: yes, one program to do one thing, you know. 1179178778 M * daniel_hozac well, can't really help you then. 1179178784 M * daniel_hozac i have no idea what that does. 1179178795 M * mjt rpetre: a guest can set up system name etc inside. and sure you can modify /etc/motd there too. 1179178811 M * daniel_hozac sounds like a bug though. 1179178812 M * mjt motd is just a file 1179178816 M * rpetre mjt: true, but the motd in the main host was modified 1179178834 M * mjt ah, you ssh'ed into the HOST! 1179178849 M * rpetre yes, i don't have ssh in the vserver yet 1179178856 M * daniel_hozac rpetre: might want to file a bug. 1179178863 M * daniel_hozac if there isn't one already. 1179178864 M * mjt by the way, newvserver does some weird things 1179178877 M * rpetre i'm trying to figure out first what happened 1179178878 M * daniel_hozac in the future, you might want to use vserver ... build instead. 
1179178883 M * rpetre oh
1179178909 M * Bertl mjt: btw, newvserver is officially deprecated/banned :)
1179178910 M * mjt i tried it once, it displayed some errors which i found.. scary (like failure to enter chroot or something like that, and CONTINUING in host), and didn't use it since
1179178911 M * rpetre let me check out something
1179178921 M * rpetre i used that earlier on a different machine
1179178930 M * rpetre oh
1179178934 M * rpetre same stuff
1179178940 M * rpetre i just didn't notice
1179178946 M * daniel_hozac Bertl: only according to us, thus far ;)
1179178952 M * rpetre so it's newvserver's fault
1179178985 M * daniel_hozac hopefully i've convinced Ola to contribute to util-vserver and drop vserver-debiantools though...
1179178998 M * rpetre i thought the packet-munging inside was at fault
1179179003 M * Bertl daniel_hozac: well, as officially as it can get from the Linux-VServer front :)
1179179035 M * daniel_hozac yeah, definitely.
1179179043 M * rpetre i'll stay away from vserver-debiantools for a while then, thanks a lot
1179179072 M * daniel_hozac i think that's a wise choice.
1179179124 A * mjt nods ;)
1179179126 M * rpetre well, i used my own scripts on sarge, i thought that the new packages in etch deserve a spin around
1179179150 M * mjt vserver sorta works, too ;)
1179179158 M * daniel_hozac "sorta"?
1179179162 M * mjt vserver $foo create
1179179170 M * mjt s/create/build/
1179179176 M * mjt daniel_hozac: note the smile at the end
1179179192 M * rpetre btw, is bind installable in vserver in etch or should i procure a nocapset package again?
1179179210 M * daniel_hozac etch's kernel is too old.
1179179226 M * daniel_hozac if you'd use the latest stable kernel, it'd work fine.
1179179306 M * ktwilight_ too old??
1179179318 M * daniel_hozac yes.
1179179330 M * mjt it's 2.6.18, isn't it?
1179179330 M * ktwilight_ i thought 2.6.18 is quite new
1179179342 M * ktwilight_ don't tell me 2.7.x is out?
1179179350 M * daniel_hozac 2.6.21 is out...
1179179352 M * ktwilight_ it's up to 2.6.20 or so, no?
1179179353 M * mjt gee. already rotten ;)
1179179362 M * rpetre maintaining a custom kernel package through sarge was a pain in the A. unless there's a _really_ good motive, i'd prefer to stick with upstream
1179179366 M * ktwilight_ wow, it's 2 years old then, didn't know
1179179371 M * ktwilight_ um, 3 i mean
1179179409 M * mjt 2.6.18 is 3 years old? really?
1179179463 M * daniel_hozac no, it's 8 months old.
1179179470 P * stefani I'm Parting (the water)
1179179533 M * rpetre so the preferred vserver creation method would be vserver $x build, right?
1179179557 M * mjt i'd just un-tar a preinstalled system and do some changes ;)
1179179591 M * daniel_hozac yes, vserver ... build is the recommended method.
1179179616 M * rpetre heh, found the bug
1179179619 M * rpetre echo "Debian GNU/Linux ($DIST/$(uname -m)) $VHOST.$VDOMAIN" \ > "$VROOTDIR/$VHOST/etc/motd"
1179179636 M * rpetre /etc/motd is a symlink to /var/run/motd
1179179674 M * rpetre firing up reportbug right now, thanks for the help
1179179695 M * daniel_hozac np.
1179179750 M * mjt what's a "One time capability/flag" ?
1179179763 J * Cobranet ~cobra@host177-63.pool8175.interbusiness.it
1179179782 M * daniel_hozac you can only (un)set it once.
1179179786 P * Cobranet
1179179792 M * daniel_hozac once it's gone, it's gone.
1179179831 M * rpetre bugs.debian.org/417597 - fixed already in unstable
1179180118 M * daniel_hozac well, that's good, i guess.
1179180164 M * mjt HIDE_NETIF is in both cflags and nflags - is it an error?
1179180174 M * daniel_hozac no.
1179180196 M * daniel_hozac it depends on your kernel which is used.
1179180227 M * mjt (there's also such a thing as "L" tag -- Capabilities_and_Flags page :)
1179180250 M * mjt (to mean - one probably should be marked with "L")
1179180277 M * daniel_hozac not really.
1179180299 M * mjt ghrm
1179180509 M * mjt what's SECURE_[RE]MOUNT?
1179180527 M * Bertl what does it sound like?
1179180556 M * mjt to be fair, it sounds like a.. nonsense... ;)
1179180579 M * mjt it's either mount(2), or not
1179180582 M * Bertl well, for me it sounds like secure (re)mount
1179180619 M * daniel_hozac mjt: yeah, the kernel has no way of knowing whether it's a remount.
1179180620 M * Bertl mjt: nope, it is mount(2) with a security measure
1179180624 M * daniel_hozac *cough*
1179180718 M * mjt "some ``secure'' mount with a hidden secret ``security measure''" oh well.. ;)
1179180739 J * ramon ~ramon@116.Red-88-5-228.staticIP.rima-tde.net
1179180754 M * daniel_hozac "hidden secret"? have you seen that kernel patch you apply?
1179180759 M * Bertl well, nobody said it was hidden ..
1179180784 M * mjt daniel_hozac: i'm doing exactly that - trying to understand what this measure is ;)
1179180786 M * ramon hello
1179180794 M * daniel_hozac mjt: so, read the source?
1179180804 M * mjt doing exactly that ;)
1179180831 M * ramon I am trying to redirect an external port to a vserver guest with iptables. I do iptables -A PREROUTING 1 --dport 8000 -j DNAT --to-destination 127.0.0.4:80 but it does not work at all. Any ideas?
1179180855 M * daniel_hozac well, that rule is missing a lot.
1179180867 M * daniel_hozac like, -t nat, -p tcp/udp...
1179180873 M * ramon Sure, -p tcp
1179180885 M * ramon And yes -t nat.
1179180888 M * daniel_hozac also, the 1 after PREROUTING is bogus as you're using -A.
1179180925 M * ramon The output of iptables-save contains
1179180927 M * ramon -A PREROUTING -p tcp -m tcp --dport 8200 -j DNAT --to-destination 127.0.0.4:80
1179180937 M * ramon In the :nat table
1179180943 M * rpetre the packets might get discarded in the filter table
1179180979 M * daniel_hozac have you tried using another IP? 127.0.0.0 is special, and i'm not sure that works.
1179181018 M * mjt it's .4, not .0
1179181024 M * ramon aaaaaaaargh
1179181060 M * daniel_hozac i know, but the entire network is special.
1179181076 M * mjt it's not really special
1179181104 M * ramon Aaargh That packets are regarded as special http://lists.netfilter.org/pipermail/netfilter/2002-November/040104.html
1179181107 M * mjt its only "speciality" is that it's usually bound to loopback interface, WHICH is special.
1179181123 M * ramon No, mjt, that might be reasonable, but not true.
1179181141 M * mjt ok, unless it's treated in special way by netfilter code
1179181145 M * ramon The solution is to use other IP, but nothing prevents me from binding to lo
1179181159 M * ramon mjt: by routing code. See url.
1179181173 M * daniel_hozac yep, it's the other way around. the addresses are special, not the interface...
1179181190 M * daniel_hozac (well, the interface is also special, but not in that sense)
1179181220 M * mjt it's about 2.4 kernel, isn't it?
1179181222 M * ramon I guess that this was to avoid the security issue where someone sends a packet with a source address of 127.0.0.x on interface eth0 for doing bad things.
1179181226 M * ramon 2.6
1179181237 M * mjt even in 2.4 i was able to ping 127.0.0.1 from *another* host
1179181242 M * ramon I am experimenting with 2.6, and the behaviour is otherwise unexplainable.
1179181270 M * ramon But at least, some logs should have been issued. The behaviour is surprising.
1179181271 M * Bertl I'm off to bed now ... have a good one everyone! cya!
1179181279 M * daniel_hozac good night Bertl!
1179181279 N * Bertl Bertl_zZ
1179181309 M * mjt ramon: /proc/sys/net/ipv4/conf/$foo/log_martians
1179181326 M * mjt (speaking of martians)
1179181382 M * ramon Good night.
1179181506 M * ramon How can I change the timeout of waiting for a vserver to kill all its processes in vserver mm stop?
1179181507 M * mjt hmm i wonder how ping-of-127.0.0.1-from-other-host worked
1179181548 M * daniel_hozac ramon: why isn't the guest shutting itself down properly?
1179181562 M * ramon It's my fault with scripts.
1179181579 M * ramon I have a custom init which is a shell script.
1179181600 M * ramon I do my best to exit gracefully on common cases (handling SIGINT).
1179181620 M * daniel_hozac /etc/vservers/.defaults/apps/vshelper/sync-timeout
1179181632 M * daniel_hozac or if you just want it for one guest, change .defaults to that name.
1179181640 M * ramon Exactly.
1179181665 M * ramon Seconds?
1179181669 M * daniel_hozac yes.
1179181686 M * ramon Thank you.
1179181724 M * doener mjt: what do you mean by "pinging 127.0.0.1 from another host"? Forged ICMP ping messages?
1179181747 M * mjt not really forged
1179181749 M * ramon Mysql is nice not making assumptions and accepts gracefully that 192.168.100.1 is localhost
1179181770 Q * duckx Remote host closed the connection
1179181802 M * doener ramon: well, but it assumes that "localhost" is a UNIX socket (at least with the default settings)
1179181822 M * ramon Not with Java apps, which can't use UNIX sockets.
1179181827 M * mjt doener: remove 127.0.0.1/8 from your lo and ping 127.0.0.1 - packets will go to the default gateway. Which will happily answer if it's not configured to drop such packets
1179181870 M * mjt obviously not only ping works - everything else works too
1179181892 M * ramon My vservers use a custom init, which executes /sbin/startup.sh on start and /sbin/shutdown.sh on exit.
1179181895 M * ramon Here is the script
1179181899 M * ramon #!/bin/sh
1179181899 M * ramon trap "/sbin/shutdown.sh; kill \$(jobs -p); exit" INT
1179181899 M * ramon (/sbin/startup.sh
1179181899 M * ramon while true;
1179181899 M * ramon do sleep 1d &
1179181901 M * ramon wait
1179181903 M * ramon done)
1179181913 M * daniel_hozac ramon: what's the point of the script?
1179181930 M * daniel_hozac i.e. why can't you just use an init-less guest?
1179181942 Q * yarihm Quit: Leaving
1179181984 M * ramon daniel_hozac: It is nice to be able to do vserver vm stop and stop the database and so on.
1179181985 M * doener mjt: ok, that was too obvious for me to guess it ;)
1179181998 M * daniel_hozac ramon: so? that would still work...
1179182045 M * ramon How would I have an initless guest?
1179182086 M * daniel_hozac change the initstyle to sysv, and set cmd.start to /sbin/startup.sh and cmd.stop to /sbin/shutdown.sh.
1179182106 M * ramon Hmmmm.
1179182146 M * ramon I assumed sysv was something with runlevels and rc.d and so on.
1179182227 M * mjt sysvinit itself is about inittab, not about rc.d. rc.d is done by a script (/etc/init.d/rc or somesuch)
1179182238 M * daniel_hozac sysv is just so you don't have a plain initstyle.
1179182275 M * daniel_hozac i guess you could use an empty style file too
1179182353 M * ramon thanks. Now the startup makes more sense.
1179182409 M * mjt heh. i've never set initstyle, yet it's running initless by its own (i've pretty much the same setup, with startup.sh and shutdown.sh, and no init)
1179182523 M * mjt bah. it's... scary
1179182537 M * mjt i executed vps and it told me "function not implemented" (ENOSYS)
1179182561 M * mjt but i think i know this machine is running vserver-enabled kernel!
1179182593 M * mjt so i checked and rechecked, straced it -- ENOSYS...
1179182638 M * mjt vserver syscall should probably return something like ENOPERM for non-root, instead of ENOSYS :)
1179182689 M * daniel_hozac ENOSYS is for stealthiness inside the guests.
1179182741 M * mjt compare with HIDE_VINFO
1179182770 M * mjt i'm on a host, not inside a guest, and HIDE_VINFO isn't set anywhere.
1179182820 M * daniel_hozac non-root on the host or inside a guest has the same result -> no CAP_CONTEXT.
1179182823 M * mjt ENOSYS is just scary ;) I was already thinking about my sanity :)
1179182948 M * ramon My setup is beginning to work.
1179182966 M * ramon The one thing that I really miss is unionfs.
1179182992 M * daniel_hozac so add it?
1179182994 M * mjt by the way, that "secure mount" thing - the patch just changes calls to capable(CAP_SYS_ADMIN) into vx_capable(CAP_SYS_ADMIN,SECURE_MOUNT) in a few places. Well, looks like not in *all* mount-related places.
1179183000 M * ramon For instance, I need a virtual machine with a Java Tomcat web server.
1179183022 M * mjt ramon: what's wrong with unionfs?
1179183033 M * ramon daniel_hozac: for some reason, vserver kernel (and xen) are excluded in Debian from unionfs build.
1179183040 M * ramon No idea what is the issue.
1179183063 M * daniel_hozac and you are incapable of building your own kernel?
1179183108 M * daniel_hozac the issue is that BME requires the nd to be passed to some VFS calls, and so unionfs will fail.
1179183152 M * daniel_hozac (to apply)
1179183165 M * ramon I prefer not building my own kernel if possible.
1179183204 M * ramon nd = inode?
1179183207 M * mjt ramon: try http://www.corpit.ru/debian/tls/kernel/
1179183217 M * daniel_hozac nd is nameidata.
1179183219 M * mjt that's kernel packages i build and use
1179183267 M * mjt not using debian kernel stuff at all (hence no security patches etc ;) but i found it much easier to deal with than kernel-package &Co
1179183293 M * ramon I am not sure if I understand.
1179183306 M * ramon What should I do to build unionfs modules with vserver kernel?
1179183340 M * mjt patch some unionfs code a bit
1179183350 M * ramon Trivial patches?
1179183354 M * mjt yes
1179183390 M * mjt like this: http://www.corpit.ru/mjt/unionfs-vserver-2.6.17.diff
1179183391 M * ramon Well, then I may even use the unionfs-source, build it and fix it. Unionfs is too useful.
1179183405 M * mjt err
1179183414 M * mjt that should've been 2.6.19.7 ;)
1179183443 M * mjt like this: http://www.corpit.ru/mjt/unionfs-vserver-2.6.19.7.diff
1179183455 M * ramon Not too difficult.
1179183509 M * mjt (it really has nothing to do with kernel version since neither unionfs nor vserver are in mainline but oh well ;)
1179183544 M * ramon Now that you mention it.
1179183561 M * ramon How do you feel about the likeness of integrating vserver in the mainline kernel.
1179183562 M * ramon ?
1179183589 M * daniel_hozac highly unlikely.
1179183602 M * mjt well, it is being done, in parts
1179183606 M * ramon Why?
1179183614 M * ramon For technical reasons?
1179183617 M * daniel_hozac because bits and pieces are slowly being added.
1179183639 M * daniel_hozac none of the existing solutions will be included.
1179183667 M * daniel_hozac mainline intends on having a framework available though, so the patches will likely shrink over time
1179183668 M * mjt there are several approaches and solutions which finally will be built on top of primitives merged into mainline
1179183695 M * ramon Vserver was a complete surprise for me. I suspect that there is a strong corporate interest against it. Well, it is rather obvious. The only distribution that integrates VServer is Debian.
1179183714 M * daniel_hozac umm, Gentoo?
1179183719 Q * {marcz} Quit: Leaving.
1179183722 M * ramon perhaps Gentoo.
1179183736 M * mjt and also ubuntu ;)
1179183748 M * daniel_hozac i highly doubt that.
1179183753 M * mjt there are other similar solutions too
1179183767 M * ramon Large Linux distributions like Redhat have shareholders that are hardware vendors, like Intel and IBM. They are not at all interested in something that saves huge amounts of hardware.
1179183770 M * mjt daniel_hozac: i mean as in -- how it is? -- universe? multi-universe?
1179183781 M * daniel_hozac not at all, AFAIK.
1179183803 M * daniel_hozac util-vserver is included in a non-functioning package, IIRC.
1179183806 M * mjt redhat "promotes" xen
1179183832 M * ramon Only with this point of view I am able to explain the including of kvm (or something like that) in the mainstream.
1179183835 M * mjt that's of the same sort (running multiple virtual machines)
1179183863 M * mjt kvm is very non-intrusive
1179183879 M * ramon However, I see that I am not alone. vserver is part of the standard Debian packages.
1179183879 M * daniel_hozac yeah, that kind of virtualization doesn't need much.
1179183888 M * mjt so it had much more chances to be merged
1179183906 M * daniel_hozac OS-level virtualization needs to have hooks pretty much all over the kernel to work correctly.
1179183930 M * mjt and hooks agreed upon by all the linux people ;)
1179183945 M * ramon Well, for merging I feel that VServer might need to be generalized. I mean, all of its features must be implemented as the most general primitives.
1179183958 M * daniel_hozac that's already being done.
1179183959 M * mjt together with xen, virtuozzo, vserver, etc.. ;)
1179183979 M * daniel_hozac see e.g. the uts and IPC spaces introduced in 2.6.19.
1179183983 M * ramon For instance, I do not like that one cannot mount under a VM for security. It should be possible and secure, perhaps by virtualizing device space.
1179184000 M * mjt VM?
1179184005 M * daniel_hozac allowing mounting is dangerous for numerous reasons
1179184005 M * mjt ahh
1179184016 M * ramon It shouldn't be.
1179184020 M * mjt but it is possible to mount in a vserver guest
1179184045 M * mjt that "secure mount" thing ;)
1179184046 M * daniel_hozac filesystem fuzzing tools have discovered quite a few bugs in the filesystems.
1179184064 M * daniel_hozac in addition to the fact that mounts occupy kernel memory.
1179184068 M * ramon In a true virtual machine, one should have exactly the same powers as root, but without being able to bother anyone outside the VM.
1179184089 M * daniel_hozac ramon: if that's what you want, KVM is your thing.
1179184096 M * ramon No.
1179184098 M * daniel_hozac yes.
1179184101 M * mjt or xen
1179184107 M * daniel_hozac Xen isn't a true virtual machine.
1179184114 M * mjt but close
1179184146 M * mjt all the powers of root anyway. including installing new kernel.
1179184183 M * ramon I didn't explain myself well. Obviously, in a VServer guest one cannot run kernel code.
1179184219 M * mjt here we go
1179184226 M * ramon But things that can be done without affecting others, such as mount -o loop file.iso /mnt/cdrom, or mount --bind /a /b
1179184232 M * ramon That should be possible and secure.
1179184232 M * mjt by allowing mount, you effectively allow running kernel code
1179184240 M * ramon Like any system call :-)
1179184245 M * mjt nope
1179184256 M * daniel_hozac mount --bind is allowable through secure_mount.
1179184270 M * mjt you know how many bugs were (and still are) in isofs?
1179184317 M * ramon secure_mount ?
1179184324 M * ramon I didn't know about that.
1179184331 M * mjt no, SECURE_MOUNT
1179184335 M * mjt it's a flag
1179184343 M * daniel_hozac no, it's a context capability.
1179184344 M * ramon I see.
1179184364 M * ramon I guess other mounts are still blocked, are they?
1179184366 M * mjt yeah, capability
1179184378 M * mjt also BINARY_MOUNT
1179184402 M * daniel_hozac binary_mount is more dangerous.
1179184407 M * mjt http://linux-vserver.org/Capabilities_and_Flags#Context_capabilities_.28ccaps.29
1179184429 M * daniel_hozac stale NFS filesystems can mess you up pretty good.
1179184446 M * daniel_hozac note that binary_mount is likely broken in the Debian etch kernel.
1179184472 M * ramon But that is not our issue, these are security issues of other subsystems. It might decrease the usefulness of something like VServer, but it is not your responsibility.
1179184508 M * daniel_hozac with that mindset, VServer would be useless.
1179184523 M * ramon In fact, I think that it should be possible for an ordinary user to create and run vservers.
1179184528 M * daniel_hozac any guest would rather easily be able to DOS the entire host.
1179184545 M * daniel_hozac ramon: what you're looking for is KVM.
1179184551 M * ramon No.
1179184555 M * daniel_hozac yes.
1179184557 M * ramon Exactly the opposite.
1179184563 M * daniel_hozac it works exactly the way you describe...
1179184615 M * ramon An operating system should provide to applications a virtual machine environment, in the sense that anything that an app needs can be done provided that it does not affect others.
1179184630 M * ramon A normal user should be able to (u)mount
1179184643 M * daniel_hozac that affects all users.
1179184657 M * ramon Depending on how mount is defined.
1179184672 M * mjt . o O { fuse }
1179184687 A * mjt hides
1179184698 M * mjt by the way, unionfs is quite dangerous too
1179184718 M * ramon Linux implements namespaces, and thus it is possible to make a mount viewable in part of the process hierarchy.
1179184732 M * mjt that works
1179184735 M * ramon Exactly like VServer contexts.
1179184744 M * daniel_hozac that doesn't matter.
1179184752 M * ramon But surprisingly, it is possible only for root.
1179184766 M * mjt surprisingly??
1179184770 M * daniel_hozac the mount still consumes kernel memory, and filesystems appear to be inherently insecure.
1179184771 M * mjt oh dear
1179184791 M * mjt mount --bind ~/passwd /etc passwd; su -
1179184809 M * ramon Well, then there may be a point in having (un)trusted filesystems.
1179184810 M * mjt /etc/passwd even
1179184822 M * ramon mjt: that is not difficult to solve.
1179184850 M * daniel_hozac there was a user mount patchset posted a week or so ago.
1179184856 M * mjt it breaks all of the 3 S (small, stupid, simple) :)
1179184861 M * ramon the filesystem view of a setuid exec should be the first trusted one found by going up in the process hierarchy.
1179184886 M * daniel_hozac ramon: namespaces don't work like that.
1179184889 M * daniel_hozac you just have one.
1179184942 M * ramon ?
1179184946 M * mjt speaking of mounts and stuff like mounting myimage.iso - that thing is already almost here - think gnome vfs for example
1179184971 M * ramon Aarght. Creating new namespaces.
1179184975 M * mjt this is - imho - much more appropriate to be in userspace
1179184977 M * ramon We are going backward.
1179185006 M * mjt there's no need for kernel to be involved. provided userspace has the right support
1179185017 M * mjt you can even do vfs using LD_PRELOAD
1179185018 M * ramon Let me look up.
1179185057 M * ramon Is it possible that people do not learn lessons from the past http://cm.bell-labs.com/cm/cs/doc/85/1-05.ps.gz ?
1179185075 M * mjt plan9 docs?
1179185091 M * mjt (i don't have postscript reader handy)
1179185109 M * ramon We are falling in the Microsoft way of doing things. Not surprising Miguel de Icaza took an interview for working there, and prefers their lack of abstraction.
1179185120 M * ramon Not actually plan9.
1179185163 M * ramon It is a paper explaining the advantages of having only one and simple directory hierarchy.
1179185232 M * mjt . o O { only one }
1179185257 M * ramon But Miguel prefers to have so many different namespaces, like GConf, like gnome-vfs, like Bonobo object names, and so on.
1179185274 M * ramon What is . o O ?
1179185284 M * mjt that's one of reasons i don't like and use gnome :)
1179185288 M * mjt heh
1179185290 M * ramon (Apart from a growing bubble)
1179185302 M * mjt it IS a growing bubble ;)
1179185314 M * mjt like in comics ;)
1179185326 M * ramon :-)
1179185329 M * mjt like, /me thinks ... ;)
1179185337 M * mjt or /me thinks about ...
1179185498 M * daniel_hozac ramon: why aren't you using Plan9?
1179185531 M * mjt M$ goes just the other route. there's no "unix way" in windows, no simple-small-stupid tools like grep etc, but there are documents of various types sitting in one or two places on a system - no need to even look at other places.
1179185548 M * ramon For obvious reasons, it is not possible at work.
1179185563 M * daniel_hozac and why's that?
1179185564 M * mjt depends on what you're doing
1179185576 M * ramon no c++ compiler, no java, no tomcat and so on.
1179185590 M * mjt for non-computer-savvy persons it's the best way
1179185609 M * mjt lol
1179185613 M * ramon no c++ compiler means no applications: no firefox no mozilla no openoffice.
1179185632 M * mjt on plan9 or on win? :)
1179185640 M * ramon on plan9
1179185653 M * mjt gcc doesn't work on plan9?
1179185689 M * mjt but in any way, plan9 now is more experimental (academical) OS than an OS for real usage
1179185692 M * ramon It does not produce exactly native object files. It works under a Posix emulation subsystem, including executables.
1179185696 M * ramon Exactly.
1179185703 M * ramon It is not usable at all.
1179185749 M * ramon In fact, I think that it only makes sense for convergence of software. I used to advocate using, say, OpenBSD for routers. But I am less and less convinced.
1179185780 M * ramon Vserver is convincing me that the most popular operating systems will see the most interesting developments.
1179185792 M * mjt why did you advocate it, btw?
1179185817 M * ramon OpenBSD is very secure. The web server runs chrooted, and so on.
1179185832 M * mjt aha.
1179185846 M * ramon But VServer allows me to have that degree of security without patching applications, like OpenBSD.
1179185860 M * daniel_hozac why would you run a web server on your router?
1179185867 M * mjt think jail(2) on a bsd system
1179185869 M * mjt lol
1179185869 M * ramon Actually a proxy.
1179185888 M * ramon A proxy web server for multiplexing a single IP address for different services.
1179185936 M * mjt i remember a certain FAQ item on a openwrt.org project -- how run a webserver on my wrt? (wrt is a small device, arm or mips based, usually about 16 megs ram and 4mb flash)
1179185967 M * ramon That would be interesting. Putting a decent OS in a router.
1179186023 M * mjt this my router (on the deck right near the monitor) is running linux too. also 16/4, 265MHz mips-based device
1179186029 M * mjt desk even
1179186078 M * mjt (wrts originally come with linux. but very broken linux - from montavista, 2.4.18-based, with *worst* drivers i ever seen)
1179186101 M * ramon Did you put Linux in it?
1179186120 M * mjt i put openwrt linux on it
1179186167 M * ramon Perhaps some day I will try.
1179186210 M * mjt before i tried to hack oem firmware, and managed to replace some userspace components (finding the right (old) uclibc and toolchain was problematic). but didn't succeed with kernel
1179186230 M * mjt (no sources, that is)
1179186266 M * ramon So it came with Linux?
1179186272 M * mjt yes
1179186289 M * ramon That is cool.
1179186304 M * mjt but it doesn't matter really, because THAT linux is unusable and buggy
1179186327 M * ramon Yes, but it makes it possible to replace it.
1179186347 M * mjt many devices which didn't run linux have been re-flashed with linux
1179186367 M * ramon The most difficult trouble would be to have drivers for ADSL, Wireless and so on.
1179186382 M * mjt plus general platform support
1179186499 M * mjt int wifiRecv(..) { char szBuf[512]; int nLen = halRecv(szBuf); if (nLen > 2048) goto fail; ... } - that's a (simplified) example of wireless driver code i've seen (leaked somewhere from texas instruments)
1179186521 M * mjt for my router, that is
1179186537 M * ramon great.
1179186617 M * ramon great code.
1179186876 M * mjt and speaking of mounts &Co - it's a general rule - the more you allow inside guests, the more complex the thing becomes, and the more non-obvious ways to do something normally disallowed you have.
1179186976 M * mjt like, -- in userspace, very simple example -- you allow $LD_PRELOAD in runtime linker - a very useful thing - and suddenly you need to check for it in every setuid app, or do non-obvious things in linker.
1179187006 M * ramon That does not work with statically linked applications.
1179187026 M * mjt ok, or start linking all setuid apps statically ;)
1179187040 M * ramon And it would not be secure.
1179187041 M * daniel_hozac which would be an even worse idea.
1179187055 M * mjt or even worse, introduce "secure environment" namespace
1179187076 M * ramon I mean, a user space mechanism like LD_PRELOAD, cannot be used to jail an application.
1179187079 M * mjt and later start distinguishing those namespaces by UID or whatnot
1179187138 M * mjt it was an example of how a very nice thing may lead to non-immediately-obvious.. issues. nothing to do with jails etc
1179187173 M * mjt damn that word -- "secure"
1179187198 M * mjt i finally understand where my confusion about - like - SECURE_MOUNT flags - comes from.