1184025942 Q * FireEgl Ping timeout: 480 seconds
1184026073 J * n01101111x ~nox@static.88-198-17-175.clients.your-server.de
1184026223 Q * nox Ping timeout: 480 seconds
1184026223 N * n01101111x nox
1184027466 Q * gerrit Read error: Connection reset by peer
1184027553 J * gerrit ~gerrit@c-67-169-199-103.hsd1.or.comcast.net
1184028258 Q * mire Ping timeout: 480 seconds
1184028440 J * DoberMann_ ~james@AToulouse-156-1-69-76.w90-16.abo.wanadoo.fr
1184028543 Q * DoberMann[ZZZzzz] Ping timeout: 480 seconds
1184030432 Q * fosco Remote host closed the connection
1184030442 J * fosco fosco@konoha.devnullteam.org
1184031676 J * FireEgl FireEgl@Sebastian.Tcldrop.Com
1184033017 M * Bertl daniel_hozac: does 'vsysctl: chdir(): No such file or directory' ring a bell with fc5?
1184033704 Q * FireEgl Ping timeout: 480 seconds
1184036353 J * Ashsong ~chatzilla@orchard.laptop.org
1184036364 M * Ashsong Bertl: ping
1184036379 M * Bertl Ashsong: pong?
1184036385 M * Ashsong Question.
1184036398 M * Ashsong What's going on in this interaction: http://paste.lisp.org/display/44250
1184036412 M * slack101 wb Bertl !
1184036423 M * Ashsong The directory in question was created by a process in a different container
1184036438 M * Ashsong I take it that containers can't open() or stat() one another's files?
1184036467 M * Bertl depends on many things actually
1184036474 M * Ashsong alright.
1184036499 M * Ashsong Should I describe what I'm actually trying to do, or do you want to try to fill in my ignorance first?
1184036509 M * Bertl as you prefer :)
1184036533 M * Ashsong Well, I'll describe my task first.
1184036558 M * Ashsong We're experimenting with a design in which each separate instance of an activity gets its own container and its own chroot-island
1184036637 M * Ashsong However, all instances of Calc.activity, for example, are supposed to share some directories: e.g. /home/olpc/activity_data/Calc/conf and .../data
1184036674 M * Bertl okay
1184036711 M * Ashsong Thus (in this design) we would like separate containers to share a tiny bit of writable space
1184036726 M * Ashsong and to be able to talk to one another through that space.
1184036742 M * Bertl not advised, but possible
1184036744 M * Ashsong (well, more like to future activity instances, in the case of conf)
1184036769 M * Ashsong However, this design is hardly fixed in stone!
1184036787 M * Ashsong So, can you fill in some of the gaps in my knowledge here?
1184036787 M * Bertl one important detail here is, that you have to disable xid tagging for the shared area
1184036796 M * Ashsong So I'd guessed.
1184036809 M * Bertl otherwise the files will get tagged, and other contexts do not get access
1184036819 M * Ashsong Okay.
1184036828 M * Bertl the only way to do that for now is to get a separate partition
1184036862 M * Bertl but, you can somewhat assume that in the very near future (especially if required) a bind mount is sufficient :)
1184036889 M * Bertl (the hooks for that are already there, so no big deal)
1184036896 M * Ashsong We're on the fence about whether activity instances should get their own containers or not.
1184036931 M * Bertl the question is, why would one start several instances?
1184036940 M * Ashsong The issues are rate-limiting and viral document control.
1184036986 M * Bertl and I think, probably most cases where you do that (starting the same activity twice) you could as well put them into the same guest
1184037009 M * coderanger you could, but you shouldn't ...
1184037019 M * Ashsong One other advantage of that practice is that it would allow us to statically allocate the xids and nids.
1184037023 M * Bertl but the question wasn't entirely rhetorical, do you have examples for multiple activity instances
1184037035 M * coderanger Bertl: Two Write documents open at the same time
1184037050 M * Bertl not handled by the _same_ abi-word?
1184037053 M * coderanger No
1184037072 M * Bertl are we back in irix times? one web-browser per document
1184037073 M * Bertl ?
1184037094 M * Bertl that's not very resource efficient IMHO
1184037126 M * coderanger That would expose a good number of information disclosure attacks, some of which are probably going to be among the first attempts at an XO virus IMO
1184037161 M * Bertl hmm? please elaboreat!
1184037167 M * Bertl *elaborate
1184037176 M * coderanger Bertl: Imagine if one of those two documents contains a virus, pwning one instance shouldn't give you access to the other open document
1184037206 M * coderanger Web and EToys are special cases because of their memory load being so huge, but for things like Write this is certainly doable
1184037222 M * coderanger (and we already know how to do those special cases very neatly)
1184037223 M * Bertl ahem? documents containing a virus? Micro$soft?
1184037245 M * coderanger Bertl: Write documents can contain executables of various forms, a la minitamtam.
1184037278 M * coderanger might not be machine code, but it is unconditionally loaded binary data at the very least
1184037312 M * Bertl IMHO already a design flaw, but okay ...
1184037337 M * coderanger Bertl: Such is the nature of multimedia documents
1184037370 M * Bertl well, there is a difference between executing arbitrary code and presenting multimedia :)
1184037380 M * coderanger not really
1184037402 M * Ashsong coderanger: I wonder if you could do the multimedia rendering inside one of the proposed oracle-containers...?
1184037411 M * Bertl so what is the point in having a shared writeable dir then?
1184037434 M * coderanger think about minitamtam, it is code from outside of Write that is being handed some kind of opaque data
1184037437 M * Ashsong Bertl: configuration data.
1184037449 Q * mugwump Remote host closed the connection
1184037461 M * coderanger Ashsong: Yes, but I think that is probably going to be more than a bit of a reach for 1st ship ;-)
1184037475 M * Bertl Ashsong: so that the virus from document A can mess up the configs from all others?
1184037477 M * Ashsong coderanger: no kidding, but it's a way better use case
1184037488 M * Ashsong Bertl: that's what I said.
1184037490 M * coderanger Bertl: Yes, but it can't get the other documents themselves
1184037520 M * coderanger Bertl: Also, Write can trust its own config reader code much more than a plugin being pulled in from somewhere else
1184037524 M * Bertl doesn't help you a bit if the font size is 0pt or so :)
1184037540 M * coderanger Bertl: Like I said, this is about disclosure, not DoS
1184037545 M * Ashsong Bertl: Touche
1184037576 M * Bertl coderanger: you cannot say we need a secure sandbox, which can share non-malicious data with others :)
1184037589 M * Ashsong Bertl: However, we aren't in the business of writing general configuration systems.
1184037600 M * Bertl that would imply that the sandbox knows what data is good and what is bad :)
1184037621 M * coderanger Bertl: The sandbox doesn't, but Write does
1184037638 M * Bertl how so, with a multimedia virus running?
1184037668 M * Ashsong Bertl: Use a safe (e.g. pure python) parser on the config data
1184037681 M * Ashsong Then do your input validation.
1184037683 M * coderanger Bertl: How would the virus get to the data in another instance through the config file?
1184037692 M * Ashsong That makes for a very narrow pipe that the virus has to skip through.
1184037724 M * coderanger Bertl: The worst it could do is toast the config so any future instance would be useless (a la 0pt font), but then the kid just punts write back to its default config or something
1184037766 M * Ashsong Bertl: one point of this design is to be able to return an activity to a default configuration just by wiping a single directory.
1184037775 M * Bertl so if that space is for config data only, why not put them into a special section of the user-data store, where it would belong IMHO?
1184037794 M * Ashsong ...
1184037797 M * Ashsong good question.
1184037825 M * Bertl btw, a good default system would help a lot too :)
1184037830 M * Bertl *defaults
1184037855 M * Bertl (like it was in Openstep/NextStep)
1184037856 M * coderanger Bertl: At some point the config file will still end up mapped into the container as a file
1184037874 M * coderanger Bertl: That's starting to get out of scope for the time we have left
1184037876 M * Bertl coderanger: yes, but in a host-guest mapping
1184037887 M * Bertl not in a guest-guest mapping
1184037890 M * coderanger Bertl: There is gconf, but I don't think anyone wants to go there
1184037897 M * Ashsong Bertl: The other kind of data that I imagine would show up in one of these directories is something like a cache of rendered sprites
1184037926 M * Ashsong Bertl: something slightly expensive to recompute, takes up a MB or two of space, but also something that has no user-visible meaning.
1184037945 M * Ashsong e.g. TeX font metrics
1184037967 M * Bertl well, as I said, not considering the why and hows ... you could simulate shared dirs by putting a separate partition/fs there for now
1184037988 M * Bertl and you can assume that you can do the same with bind mounts in the near future
1184037993 M * coderanger Bertl: Yes, that is the plan
1184037998 M * coderanger Bertl: rw bind mounts
1184038001 M * Bertl (for now, just take a tmpfs)
1184038021 M * Bertl something like:
1184038028 M * coderanger Bertl: The entire container file structure is built using binds
1184038031 M * Bertl mount -t tmpfs none /shared
1184038043 M * Bertl mkdir /shared/guest01
1184038061 M * Bertl mount --bind /shared/guest01 /vservers/guest01/shared
1184038079 M * Bertl where guest01 would be one activity
1184038083 M * Ashsong right.
1184038086 M * coderanger that's the plan
1184038091 M * coderanger give or take a few names
1184038091 J * mugwump ~samv@watts.utsl.gen.nz
1184038108 M * Bertl yeah, I don't know about your paths yet :)
1184038119 M * Ashsong Bertl: don't worry, we don't either. :)
1184038136 M * coderanger Bertl: This is all still in proof-of-concept mode (wow that's scary)
1184038178 M * Ashsong In any case, how would we continue?
1184038189 M * Bertl yeah, I was expecting some changes along the road
1184038190 M * Ashsong We still need to map /shared/guest01 again and to disable XID tagging on it, no?
1184038207 M * Bertl no, the tmpfs mount will be without xid tagging
1184038220 M * Ashsong Is that something specific to tmpfs?
1184038222 M * Bertl unless you mount it with tagxid/tag
1184038251 M * Bertl no, all filesystems you want to get tagged, need to have the proper option
1184038278 M * Bertl but you can assume that the filesystems the activities are on, will need the tagging for limits
1184038305 M * Bertl note that you will also lose the ability to restrict the space a context can use on such a shared partition
1184038321 M * Bertl (something we can work around too)
1184038377 M * Ashsong This sounds like quite a stack of work-arounds.
1184038409 M * Ashsong Such is the price of using software out of the context in which it was built, I guess.
1184038438 M * coderanger Ashsong: Any sufficiently complex software is really just a string of workarounds to something that seemed like a good idea at the time ;-)
1184038488 M * Bertl from the security PoV, I would double check with Ivan, because personally I would avoid shared parts like hell (unless they are strictly read-only)
1184038523 M * Ashsong Bertl: We did, yesterday.
1184038531 M * Ashsong (meaning Friday)
1184038570 M * Ashsong Bertl: Frankly, we don't expect people to use them very much; it's more that we see them as being useful for unexpected innovation.
1184038580 M * Ashsong At least, that's my feeling.
1184038618 M * Ashsong However, they've been in Bitfrost from the beginning.
1184038664 M * Bertl another option, which comes to my mind would be the following:
1184038669 M * Ashsong Bertl: However, weren't you just recommending that multiple activity instances share the same container?
1184038675 M * Ashsong Bertl: please continue.
1184038701 M * Bertl we currently allow 64k context ids, but you probably won't have more than a few different activities installed
1184038729 M * Bertl we could for example partition those context ids into subranges
1184038752 M * Bertl e.g. let's say, 10 bits for activities, and 4 bits for instances
1184038786 M * Bertl and we could then only use the 10bits to tag the files, and ignore the instance bits
1184038810 M * Ashsong Hmm.
1184038820 M * Bertl alternatively we could do an indirection for the filesystem tagging
1184038839 M * Bertl i.e. not using the xid for tagging, but a separate 'tag' value
1184038848 M * Bertl which can be changed on a per context basis
1184038868 M * Bertl note that this might add some (probably insignificant) overhead
1184038869 M * Ashsong Bertl: Before we go down that road, I think we need to spend a bit more time evaluating the benefits of instance-per-xid vs. activity-per-xid
1184038906 M * Bertl I'm just providing options here, so that you know what can be done (without too much effort)
1184038912 M * Ashsong Bertl: thank you.
1184038923 M * Bertl np
1184038958 M * Ashsong Bertl: I just wanted to be sure you knew that we're still trying to figure out what the tradeoffs are in the design space.
1184038962 M * Ashsong That's all.
1184039226 M * Ashsong To rewind the discussion a bit; the main purpose of separating instances into their own containers is to add more separation between multiple open documents.
1184039246 M * Ashsong In a sense, we view the documents themselves as being the appropriate level at which containerization should happen.
1184039289 M * Ashsong The fact that classes of documents are accessed through the same executable program is, in a sense, an annoying implementation artifact.
1184039338 M * Bertl what about disk space or bandwidth/resource limitations? are they per activity or per document?
1184039381 M * Ashsong It's not completely clear from the spec.
1184039438 M * Ashsong Most of the disk space a process will use will actually be handled through the datastore.
1184039472 M * Bertl which is per activity or per document?
1184039477 M * Ashsong Thus we will limit the rate at which data can be pushed into the datastore, but probably not the quantity.
1184039504 M * slack101 Bertl, what is your programming language of choice just curious ?
1184039524 M * Ashsong The hard disk limits are actually intended for the immediately writable file space that we're proposing to make accessible to the activity.
1184039530 M * Ashsong Those would be per-activity
1184039595 M * Bertl then you need to have filesystem tagging based on the activity
1184039605 M * Bertl slack101: C
1184039616 J * FireEgl FireEgl@4.0.0.0.1.0.0.0.c.d.4.8.0.c.5.0.1.0.0.2.ip6.arpa
1184039626 M * slack101 anything else just curious ?
1184039650 M * Ashsong Network usage, on the other hand, seems on the surface like it should be per document, but with transfer limits per activity?
1184039665 M * Ashsong The spec doesn't give enough detail here, because we need to actually build the system and try it both ways.
1184039726 M * Ashsong Bertl: in the short run, I think our goal is just to avoid obviously stupid holes.
1184039759 M * Ashsong In the longer run, once we have some data, we'll worry more about doing what we can to avoid DOS situations
1184039855 M * Bertl slack101: there can only be one 'programming language of choice' no?
1184039856 M * Ashsong (By "obviously stupid holes", I mean things that destroy hardware and things that destroy the integrity of the system; particularly, the updating system
1184039860 M * Ashsong )
1184039896 M * Bertl so be it ...
1184039898 M * slack101 Bertl, sorry languages
1184039992 M * Ashsong Bertl: In any case, thank you very much for your advice tonight.
1184040030 M * Ashsong Good night!
1184040062 Q * Ashsong Quit: ChatZilla 0.9.78.1 [Firefox 2.0.0.4/2007051502]
1184040148 M * Bertl slack101: assembler, bash, awk, smalltalk, php, scheme
1184040169 M * slack101 you like php ?
1184040180 M * slack101 i thought you would be one of the ones highly against it
1184040522 M * Bertl nah, why, php is quite efficient if it comes to quick prototyping
1184040567 M * slack101 you know there's 5,000 people ready to blast you for that one Bertl
1184040729 J * ktwilight ~ktwilight@164.101-66-87.adsl-dyn.isp.belgacom.be
1184040729 Q * ktwilight_ Read error: Connection reset by peer
1184042856 A * Supaplex made a very wise pause at "rm -Rf /var/lib/vservers" expecting to "rm -Rf /var/lib/vservers/foo"
1184043510 N * Bertl Bertl_oO
1184043522 M * Bertl_oO back later ... have to clean my heating system ...
1184043543 M * slack101 lol
1184043597 M * Supaplex slack101: http://rafb.net/p/vR7yI860.txt
1184043673 A * Supaplex /dcc send Bertl_oO /dev/heat-pipe
1184044494 Q * Johnnie Quit: G'bye!
1184045638 J * ntrs_ ntrs@68-188-55-120.dhcp.stls.mo.charter.com
1184045690 J * besonen_mobile__ ~besonen_m@71-220-233-253.eugn.qwest.net
1184046049 Q * ntrs Read error: No route to host
1184046119 Q * besonen_mobile_ Ping timeout: 480 seconds
1184046634 N * DoberMann_ DoberMann
1184047321 J * esa bip@ip-87-238-2-45.adsl.cheapnet.it
1184047325 N * esa eSa|
1184048561 Q * Piet_ Quit: Piet_
1184048800 J * dna ~naucki@2-198-dsl.kielnet.net
1184049177 N * Bertl_oO Bertl
1184049181 M * Bertl back now ...
1184049226 M * Bertl slack101: although my previous statement left quite some room for misinterpretation and euphemisms ... I meant it literally :)
1184049263 M * Bertl slack101: i.e. the service folks for our heating system are going to service it today, and it has to be cleaned before :)
1184049570 J * mire ~mire@109-169-222-85.adsl.verat.net
1184049624 M * Bertl wb mire!
1184049673 J * Johnnie ~jdlewis@c-67-163-246-136.hsd1.pa.comcast.net
1184049697 N * DoberMann DoberMann[PullA]
1184050383 M * Supaplex Bertl: can I /dcc send Bertl /dev/heat-pipe to you? it's 87F in my house ~:-/
1184050399 M * Bertl lol
1184050418 M * Bertl it's quite warm here too
1184050453 M * Bertl ~28°C
1184050478 M * Supaplex aye'
1184050557 M * Bertl well, actually only 23°C right now
1184050759 M * Supaplex 87 degrees Fahrenheit = 30.5555556 degrees Celsius
1184050893 M * Bertl I know .. I know ...
1184050989 M * Supaplex k :)
1184051005 M * Supaplex us imperial folks are slow to change. hehe.
1184051584 P * jordi
1184052366 Q * gerrit Read error: Connection reset by peer
1184052384 J * gerrit ~gerrit@c-67-169-199-103.hsd1.or.comcast.net
1184053136 Q * mire Quit: Leaving
1184054186 M * yangvnc Bertl: Hello, do you plan any future testings on my sparc/mips machines?
1184054713 Q * FireEgl Ping timeout: 480 seconds
1184054768 J * markus__ ~chatzilla@mail.netcare.at
1184054779 M * markus__ Hi
1184055069 M * markus__ My kernel only detects 3gb out of 4 on my system (highmem is active, but there's no bigmem patch). Now I've read that in this case it just means that 3gb is available in user space, the kernel has just a reserved 1gb space for himself only. So, it seems I'm not really needing the bigmem patch, or am I wrong?
1184055547 J * DavidS ~david@office.sit.kumina.nl
1184055679 M * Supaplex 3.2gb or 3gb? 3.2gb is mmio masking, but PAE can work around that with 64GB memsupport, iirc.
1184055787 J * Pazzo ~ugelt@195.254.225.136
1184056016 M * harry then read about the PAE some more... i don't want to use it anymore ;)
1184056027 M * harry ow Bertl ... are you there?
1184056054 M * harry i tend to have a small question on 32 bit on 64 bit machines with a shitload of mem
1184056074 M * harry i have a 8 core machine with 32GB ram, it's a 64 bit machine, 64 bit kernel
1184056077 M * harry so no PAE needed
1184056084 M * harry all my guests however, are 32 bit
1184056121 M * harry they can only use 3GB of userspace memory... 1,5 in my case, but that's grsec's fault (SEGMEXEC)
1184056162 M * harry can my entire memory space be used?
1184056187 M * harry so... is memory from 1 32 bit guest mapped to memory space higher than that by the kernel?
1184056302 J * bzed ~bzed@dslb-084-059-123-077.pools.arcor-ip.net
1184056348 M * harry so is the "real" memory mapped to a physical space that the normal processes cannot reach
1184056363 M * harry or is it just stupid to have only 32 bit guests on a 64 bit machine?
1184056371 M * harry i think it's mapped... but i'm not sure
1184056484 J * cedric ~cedric@80.70.39.67
1184056803 Q * arachnist Ping timeout: 480 seconds
1184056914 J * arachnist arachnist@088156185052.who.vectranet.pl
1184057511 Q * markus__ Quit: ChatZilla 0.9.78.1 [Firefox 2.0.0.4/2007051502]
1184057558 M * melek|work daniel_hozac: I can reproduce it
1184057565 M * melek|work it happens to different users
1184057589 M * melek|work If I reboot the box (the host not the vserver) it goes away for a bit, but it always comes back
1184057656 M * Bertl yangvnc: I can't really say right now
1184057698 M * Bertl yangvnc: if possible, we are going to move all the testing to qemu. nevertheless, testing on real hardware might be necessary in some cases
1184057903 J * HeinMueck ~Miranda@host-88-217-199-211.customer.m-online.net
1184059568 M * Bertl okay, finally off to bed ... cya later ...
1184059575 N * Bertl Bertl_zZ
1184060832 J * FireEgl FireEgl@4.0.0.0.1.0.0.0.c.d.4.8.0.c.5.0.1.0.0.2.ip6.arpa
1184061455 J * meandtheshell ~markus@85.127.116.3
1184063172 Q * bzed Remote host closed the connection
1184065531 P * starcode
1184067602 Q * FireEgl Read error: Connection reset by peer
1184068137 J * Punkie ~punkie@235-105-207-85.bluetone.cz
1184068485 J * FireEgl FireEgl@Sebastian.Atlantica.DollarDNS.Net
1184069321 Q * HeinMueck Ping timeout: 480 seconds
1184069652 J * flea ~flea@a83-132-13-23.cpe.netcabo.pt
1184071866 J * ema ~ema@rtfm.galliera.it
1184072140 Q * meandtheshell Quit: Leaving.
1184072293 J * onox ~onox@kalfjeslab.demon.nl
1184072559 J * meandtheshell ~markus@85.127.117.84
1184073853 Q * DavidS Quit: Leaving.
1184073973 J * dna_ ~naucki@2-198-dsl.kielnet.net
1184074357 Q * dna Ping timeout: 480 seconds
1184074539 J * Daniel15 ~daniel@adsl.daniel15.com
1184076117 Q * Aiken Remote host closed the connection
1184076800 Q * Daniel15 Quit: Leaving
1184077005 M * Baby do processes inside different vservers and in the main system have different PIDs, or can the same pid number belong to different processes in different vservers?
1184077057 M * daniel_hozac currently there's only one pid space, so at any given time a pid can only exist in one guest/host.
1184077231 M * Baby oki, so the PID would be a good identifier for a process in the whole system
1184077243 M * daniel_hozac well, not for long.
1184077330 M * Baby so, what identifier or set of identifiers should i use?
1184077467 M * daniel_hozac xid,pid should be future-proof.
1184077498 M * Guy- hi
1184077506 M * Guy- is the xfs sendfile issue fixed?
1184077540 M * daniel_hozac not that i know of.
1184077543 Q * flea Ping timeout: 480 seconds
1184077590 M * Baby xid + pid should be enough then? thanks!
1184077627 M * Baby a process can get its own xid number?
1184077636 M * daniel_hozac what?
1184077653 M * Baby I'm asking
1184077681 M * daniel_hozac if a process can find out what its xid is?
1184077686 M * Baby yup
1184077741 M * daniel_hozac it depends. by default it's available in /proc/self/vinfo
1184077766 M * Baby cool, that should be enough :)
1184077772 M * Baby thanks daniel_hozac!!!
1184077787 M * daniel_hozac note that it can be disabled though
1184077844 M * Baby yup, in that case would there be another way?
1184077856 J * lilalinux ~plasma@80.69.41.3
1184077973 M * daniel_hozac no.
1184078042 M * Baby oki, so that should be it, if there's no other way :)
1184078212 Q * Punkie Quit: Leaving
1184079151 M * slack101 Bertl_zZ, already asleep again ?
1184079215 M * daniel_hozac Bertl_zZ: we seem to have a problem with the disk limit accounting.
1184079282 M * daniel_hozac (on ext3, possibly in combination with COW)
1184080066 M * daniel_hozac nope, COW is not responsible.
1184080376 Q * Baby Read error: No route to host
1184080558 J * HeinMueck ~Miranda@dslb-088-065-242-043.pools.arcor-ip.net
1184081318 Q * cedric Ping timeout: 480 seconds
1184081893 J * pmenier ~pmenier@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr
1184081920 M * pmenier Hello
1184081923 Q * Hunger Ping timeout: 480 seconds
1184081930 M * daniel_hozac hi
1184081986 J * Hunger Hunger.hu@Hunger.hu
1184082045 M * pmenier i've tested a fedora install in a vserver by using a template from openvz : it works fine
1184082060 M * daniel_hozac why not build it yourself?
1184082096 M * pmenier i couldn't install yum ...
1184082113 M * pmenier perhaps i didn't read all faqs...
1184082128 M * daniel_hozac why not?
1184082314 M * pmenier in fact i think i've not understood how to do for fedora... but it is not a problem as it works now :)
1184082334 M * daniel_hozac just install yum on the host, vserver ... build -m yum ... -- -d fc6
1184082404 Q * Pazzo Quit: Ex-Chat
1184082426 M * pmenier yes i do that but i couldn't install yum in the vserver... where rpm wasn't installed too...
1184082437 M * daniel_hozac how come?
1184082445 M * daniel_hozac just vyum ... -- install yum
1184082501 M * pmenier hmm : ok i will retry tomorrow and ask for help if it fails
1184082619 J * lilalinux_ ~plasma@dslb-084-058-204-191.pools.arcor-ip.net
1184083048 Q * lilalinux Ping timeout: 480 seconds
1184083150 J * stefani ~stefani@tsipoor.banerian.org
1184083361 Q * Wonka Ping timeout: 480 seconds
1184083423 Q * ensc Ping timeout: 480 seconds
1184083511 J * Baby ~miry@195.37.62.208
1184083710 J * Piet hiddenserv@tor.noreply.org
1184083731 J * Wonka produziert@chaos.in-kiel.de
1184084010 J * bonbons ~bonbons@2001:5c0:85e2:0:20b:5dff:fec7:6b33
1184084219 N * Bertl_zZ Bertl
1184084230 M * Bertl morning folks!
1184084238 M * Bertl daniel_hozac: in what way?
1184084510 J * ensc ~irc-ensc@p54B4F08E.dip.t-dialin.net
1184085590 J * bzed ~bzed@dslb-084-059-123-077.pools.arcor-ip.net
1184086179 J * flea ~flea@d83-187-17-160.cust.tele2.pt
1184086282 Q * ema Quit: leaving
1184086492 Q * pmenier Quit: pmenier
1184086691 M * slack101 Bertl, i found how to make my daemon
1184086756 M * slack101 all the daemon in openvcp does is allow open connections accept connections and run commands on the host machine depending on what is sent.........so i was thinking that basically what SSH is so why not run another ssh server on a different port tweak it a bit and just use that ...........will work perfect if not better
1184086832 M * flea Bertl, here
1184086852 M * flea ok continuing...
1184086895 M * flea so how I was saying... at the present we have the possibility to have specific routing table to a guest system using tc filter plus multi routing table support
1184086896 M * AStorm slack101, instead, drop that openvcp
1184086904 M * AStorm and use SSH, which is much safer and better
1184086926 M * flea but inside the guest system...even if the routes aren't valid, I can always inspect the routing table that's shared from the host's main table
1184086929 M * slack101 AStorm, what? im not using openvcp
1184086955 M * flea Bertl, please correct me if I'm wrong
1184086955 M * AStorm Ah, right
1184086966 M * flea Bertl, : hope my assumptions are correct
1184086970 M * Bertl flea: so you are seeing host only (i.e. guest unrelated rules) on the guest system with 'ip route ls'?
1184086971 M * AStorm sorry, misread - too little punctuation aside from points :P
1184087058 M * flea Bertl, the problem I'm relating is that inside a guest system, doing a simple "route" I'm able to inspect the host's main routing table, even if the guest's table is another one and the packets are routing along with that table.
1184087150 M * flea Bertl, you should be able to "force" bind the guest system the correct routing table, so that when you do a "route" or an "ip route show" it shoes the correct table.
1184087165 M * flea shoes/shows
1184087207 M * flea I guess that should be easy to do... forcing the system call that the "route" program calls to use a specific rt_table id
1184087210 M * Bertl ah, so you are suggesting a new feature, some kind of routing table 'assignment' for viewing?
1184087220 M * flea Yap, I don't mind to do that
1184087223 M * flea and submit a patch
1184087248 M * flea The Idea is that I believe it is a security breach to reveal the host's routing table
1184087272 M * flea even if the packets aren't routing because you're marking the traffic and using other routing table
1184087313 M * flea Bertl, I don't know if it is a feature since I still don't know if that's already possible... of what I was able to understand was that it wasn't possible.
1184087322 M * flea Bertl, : please correct me if I'm wrong
1184087406 M * flea for instance when you create a vserver you have an rt_table_id
1184087426 M * flea that table is only used for "viewing" when calling "route" or "ip route show"
1184087432 M * Bertl okay, I have to leave in a few minutes, but maybe we can continue this discussion in about 4 hours?
1184087447 M * flea ok no problem.... I'll be glad to discuss it
1184087452 M * flea thanks for your attention Bertl
1184087453 M * Bertl basically I think that we have a few options here and I'm fine with extending this
1184087466 M * flea if I can be of any help
1184087496 M * Bertl you might want to take a look at the OLPC patch, to get an idea how the 'current' network isolation works
1184087501 M * flea I don't mind to submit a patch for it if you see that it's an interesting feature for the vserver patch
1184087536 M * Bertl basically I'm completely pro hiding host only data, and I think we can improve there regarding the routes
1184087556 M * daniel_hozac Bertl: it's subtracting one block too many.
1184087578 M * flea Bertl, the OLPC patch it's a new branch of the vserver patch?
1184087579 M * Bertl for the 'routing table assigned to guest' with the proposed 'mapping' we have to check if it is feasible at all and if, then how it can be done properly
1184087591 M * daniel_hozac i.e. if you start out at 100, dd if=/dev/zero of=file bs=1k count=10; rm -f file, you'll suddenly have 96.
1184087593 M * Bertl daniel_hozac: ah, okay, that should be easy to track down
1184087608 M * harry Bertl: are there still problems with 2.6.22 patch?
1184087610 M * daniel_hozac (with a 4 KiB block size)
1184087632 M * Bertl flea: http://vserver.13thfloor.at/Stuff/OLPC/patch-2.6.22-rc5-vsOLPC.0.4.1.diff
1184087657 M * Bertl flea: you might want to continue the chat with daniel_hozac (given that he has time for you :)
1184087683 M * flea no problem Bertl, I'll be around... i'll wait for you so that we can discuss it all
1184087686 M * Bertl harry: I'm testing 2.6.22 on one of my systems right now
1184087692 M * flea 3 heads are better than 2
1184087693 M * flea :D
1184087697 M * Bertl definitely
1184087700 M * daniel_hozac Bertl: any hints on how to track it down? i did the most obvious ones already, i.e. checking against what DQUOT does.
1184087710 M * daniel_hozac and it seems right to me.
1184087721 M * Bertl daniel_hozac: I would suspect the reservations to be off
1184087721 M * flea Bertl, the 2.6.22 patch doesn't use the same network privilege separation that the OLPC patch?
1184087731 M * harry hm... nevermind actually... spender and pipacs aren't that quick with their grsec patches
1184087735 M * daniel_hozac (found a possibly missing FREE, but that shouldn't matter)
1184087745 M * harry i think i'll boot the 2.6.21.6 on thursday :)
1184087752 M * Bertl daniel_hozac: but one page/block could as well be a mapping for an executable or inode brought into the context
1184087764 M * daniel_hozac for disk limits?
1184087800 M * Bertl well, not the mapping, the file itself, when it changes ownership
1184087815 M * Bertl okay, off for now ... back in a few hours ...
1184087820 M * flea Bertl, I'll be here later... so we can continue to discuss it
1184087820 M * daniel_hozac okay, cya.
1184087822 N * Bertl Bertl_oO
1184087825 M * flea later cya Bertl
1184088603 M * AStorm Hmm, why is there no example config in util-vserver anymore?
1184088624 M * daniel_hozac why would there be? vserver ... build -m skeleton will build you one.
1184088716 Q * gerrit Ping timeout: 480 seconds
1184089172 M * AStorm I see :P
1184089188 M * AStorm but then, my vserver doesn't want to start - seems like vserver test start is waiting?
1184089213 M * daniel_hozac hmm?
1184089216 M * daniel_hozac what did you do?
1184089354 M * AStorm nothing special
1184089361 M * AStorm hangs on vnamespace call
1184089363 M * AStorm hmm
1184089381 M * AStorm vnamespace itself works ok
1184089549 M * AStorm vcontext --create /usr/bin/echo FOO
1184089549 M * AStorm vcontext: vc_ctx_create(): Invalid argument
1184089555 M * AStorm what can that signify?
1184089568 M * daniel_hozac that you're trying to use dynamic contexts, which are disabled in your kernel.
1184089577 M * AStorm hmm, right.
1184089581 M * AStorm They are disabled.
1184089590 M * daniel_hozac as they should be.
1184089624 M * AStorm How do I create a normal one (without using the vserver script)
1184089641 M * daniel_hozac --xid?
1184089740 M * AStorm hmm
1184089811 M * AStorm doesn't work, same problem?!?
1184089816 M * AStorm I'll better strace that
1184089841 M * AStorm Oh, now it worked
1184089845 M * AStorm (some larger number :P )
1184089872 M * AStorm Yep, these work
1184089882 M * AStorm Now, why vserver start hangs :P
1184089917 M * AStorm It is waiting for something according to strace
1184089936 M * daniel_hozac you shouldn't strace vserver ... start.
1184089956 M * daniel_hozac it tends to make strace very unhappy when it can't access the processes anymore.
1184089960 M * AStorm execve("/usr/sbin/vnamespace", ["/usr/sbin/vnamespace", "--new", "--", "/usr/sbin/vserver", "----nonamespace", "test", "start"], [/* 40 vars */]) = 0 just before
1184089968 M * AStorm and then it hung on a wait call
1184089976 N * DoberMann[PullA] DoberMann
1184089981 M * daniel_hozac uh, you _did_ use -fF, right?
1184089995 M * AStorm Ok, now I used these
1184090012 M * AStorm hangs on lockfile open (WTF??)
1184090056 M * daniel_hozac you realize i can't say anything without actually seeing the strace, right?
1184090101 M * AStorm Ok, I'll paste it
1184090182 M * AStorm Hmm, too large, I'll put it on my server then
1184090228 M * AStorm http://astralstorm.bounceme.net/vserver.log
1184090286 M * daniel_hozac so, what's /tmp?
1184090336 M * AStorm hmm, a symlink to a reiserfs filesystem directory
1184090342 M * AStorm properly stickied
1184090382 M * daniel_hozac and, cat /tmp/ works fine, yes?
1184090401 M * AStorm yep
1184090433 M * daniel_hozac ah wait, it's a fifo.
1184090481 M * daniel_hozac so it never returns, right?
1184090522 M * AStorm but then, vserver start should return
1184090532 M * daniel_hozac i.e. you've left it for over a minute?
1184090549 M * AStorm Hmm, 30 seconds
1184090565 J * gerrit ~gerrit@c-67-169-199-103.hsd1.or.comcast.net
1184090594 P * stefani I'm Parting (the water)
1184090610 M * AStorm it's not doing anything
1184090644 M * AStorm root 2926 0.0 0.1 8972 2088 pts/1 S+ 20:02 0:00 /bin/bash /usr/sbin/vserver ----nonamespace test start
1184090649 M * AStorm so something has been called
1184090682 M * daniel_hozac [pid 2903] execve("/usr/lib64/util-vserver/lockfile", ["/usr/lib64/util-vserver/lockfile"..., "/var/lock/vserver.etcvserverstes"..., "/tmp/vserver-lock.ugqxrc"], [/* 43 vars */]
1184090688 M * daniel_hozac [pid 2903] <... execve resumed> ) = -1 EINVAL (Invalid argument)
1184090692 M * daniel_hozac [pid 2903] +++ killed by SIGKILL +++
1184090693 M * daniel_hozac why?
1184090710 M * AStorm I'll better check
1184090752 M * AStorm hmm, it dies
1184090762 M * AStorm nothing in the log
1184090769 M * AStorm I'll tell it to dump core
1184090773 M * AStorm or run it in gdb
1184090913 Q * Piet Ping timeout: 480 seconds
1184091009 M * AStorm Weird
1184091015 M * AStorm why would it SIGKILL itself?
1184091035 M * daniel_hozac more importantly, why would execve return EINVAL?
1184091040 M * AStorm hmm
1184091043 M * AStorm wicked
1184091121 M * Supaplex it's a feature ;)
1184091127 M * Supaplex undocumented
1184091174 M * AStorm EINVAL An ELF executable had more than one PT_INTERP segment (i.e., tried to name more than one interpreter).
1184091178 M * AStorm ?!?
1184091194 M * AStorm the hell?
1184091215 M * Supaplex hah wow.
1184091278 M * AStorm I'll better check something...
1184091318 M * AStorm Probably it's me being stupid
1184091856 M * AStorm Heck
1184091862 M * AStorm it was broken dietlibc it seems
1184091959 M * daniel_hozac sure, that'll do it.
1184092073 Q * AStorm Remote host closed the connection
1184093364 Q * slack101 Ping timeout: 480 seconds
1184093376 J * AStorm ~astralsto@host-81-190-179-124.gorzow.mm.pl
1184093397 M * AStorm Ok, it works, but the new baselayout2 seems to be incompatible with linux-vserver :P
1184093415 M * AStorm I'll try to see what fails to run with "--help" argument :P
1184093533 M * daniel_hozac should be fine.
1184093611 M * AStorm Hmm, doesn't start
1184093616 M * AStorm I wonder why
1184093640 M * AStorm blah, missing packages from that chroot
1184093646 M * AStorm stupidity strikes again
1184093840 M * Supaplex stupid has a vengeance.
1184093848 M * Supaplex it never forgives ;)
1184093907 M * ktwilight hm, i need to chmod /dev/pts/39 to enable screen for normal users, i've added SYS_TTY_CONFIG to bcaps, but it still doesn't save the settings. how do i make it stick?
1184093931 M * daniel_hozac you specify that at mount time.
1184094167 M * AStorm daniel_hozac, is stacking contexts allowed?
1184094174 M * AStorm (could be nifty)
1184094209 M * daniel_hozac no.
1184094222 Q * lilalinux_ Remote host closed the connection
1184094408 M * ktwilight ah k, thanks daniel_hozac
1184094450 J * ema ~ema@rtfm.galliera.it
1184094491 M * AStorm Hm, my CFS patch is buggy
1184094505 M * AStorm VServer complains about nr_running < 0
1184094512 M * AStorm weird
1184094516 M * ktwilight hm, how do i enable setuid from a normal user? i've added SETUID into bcaps
1184094524 M * daniel_hozac what?
1184094533 M * AStorm ktwilight, wrong cap
1184094535 M * AStorm man capability
1184094539 M * ktwilight doh!
1184094554 M * AStorm or was that man capabilities
1184094593 M * AStorm still, you can't "enable" capabilities from a normal user
1184094607 M * AStorm unless you use file system capabilities (only in recent kernels)
1184094631 M * AStorm you can run an app as a user with less reduced caps
1184094637 M * daniel_hozac the filesystem caps made it into Linus' tree?
1184094654 M * AStorm Yes
1184094658 M * AStorm 2.6.22 has them
1184094659 M * daniel_hozac really? wow.
1184094695 M * ktwilight i enabled it via root, but trying to execute an app from a normal user, but that app setuids to root.
1184094711 M * daniel_hozac what's the app?
1184094719 M * ktwilight glusterfs
1184094722 M * AStorm maybe it's too stupid to use caps
1184094736 M * AStorm you should wrap it then with some program and run it as "root"
1184094747 M * AStorm with reduced capabilities of course
1184094749 M * daniel_hozac what does file `type -p glusterfs` say?
1184094793 M * ktwilight throws me an error on file
1184094804 M * ktwilight nm
1184094809 M * ktwilight ./glusterfs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), for GNU/Linux 2.4.1, not stripped
1184094820 M * daniel_hozac so that file isn't setuid.
1184094830 M * ktwilight fusermount will be setuid root
1184094843 M * ktwilight uh, glusterfs uses fuse, and fuse setuid
1184094846 M * ktwilight my bad
1184094866 M * AStorm hmm, fuse shouldn't check for uid==0
1184094874 M * AStorm any app doing it is dumb
1184094893 M * AStorm selinux and other systems invalidate that assumption
1184094901 M * ktwilight great :(
1184094918 M * daniel_hozac fuse is normally set up as setgid.
1184094926 M * daniel_hozac with only that group having access to /dev/fuse.
1184094929 M * ktwilight ah
1184094933 M * ktwilight wrong cap then
1184094935 A * ktwilight tries again
1184095005 M * daniel_hozac what makes you say that?
1184095016 M * ktwilight SETGID >> bcapab*?
1184095018 M * ktwilight no?
1184095024 M * ktwilight thought ya meant that
1184095030 M * daniel_hozac there is no SETGID capability...
1184095040 Q * ema Quit: leaving
1184095043 M * daniel_hozac just chmod the binary g+s.
1184095048 M * ktwilight http://wiki.linux-vserver.org/Capabilities_and_Flags <- so that's wrong?
1184095068 M * AStorm CAP_FSETID
1184095068 M * daniel_hozac wow, okay. news to me.
1184095092 M * daniel_hozac note that all of those capabilities are given by default.
1184095112 M * AStorm yes.
1184095112 M * daniel_hozac Hollow: http://people.linux-vserver.org/~dhozac/p/uv/experimental/h2ext.diff am i crazy?
1184095118 M * AStorm Just set that binary setgid
1184095130 M * ktwilight by default. can't be, i had to add mount caps to enable fuse on guests.
1184095161 M * daniel_hozac i was referring to CAP_SETUID, CAP_SETGID, CAP_FSETID, etc.
1184095175 M * ktwilight o
1184095175 M * daniel_hozac obviously not _all_ of them are given by default.
1184095742 M * ktwilight hm, that worked. though i needed to add allow_other_user >> /etc/fuse.conf
1184095744 Q * fosco Remote host closed the connection
1184095757 J * fosco fosco@konoha.devnullteam.org
1184095761 M * ktwilight but i get another error. :/
1184095805 M * ktwilight [tcp-client.c:98:tcp_connect] cdn-server2: bind loop failed - error: Permission denied <- this is what i get from the glusterfs. not sure what it means. i thought it's ADMIN_LOOP, but it isn't.
1184095885 M * daniel_hozac strace?
1184096007 Q * AStorm Ping timeout: 480 seconds
1184096419 J * Shuri ~Shuri@hq01.electronicbox.net
1184096594 M * ktwilight hm, none of my guests have an internet connection :/
1184096600 M * daniel_hozac why not?
1184096605 A * ktwilight shrugs
1184096609 M * ktwilight been trying to find out
1184096613 M * ktwilight stopping all guests now
1184097537 J * AStorm ~astralsto@host-81-190-179-124.gorzow.mm.pl
1184097543 M * AStorm Hmm
1184097554 M * AStorm it seems the vserver is finally running, BUT...
1184097568 M * AStorm it seems to stop after local has started
1184097574 M * AStorm no shell, no getty, nothing
1184097579 M * AStorm I can't enter it
1184097634 M * AStorm heh, missing /etc/passwd and other things
1184097635 M * AStorm fun
1184097636 M * AStorm :P
1184097704 M * ktwilight ok, think i got it right this time.
http://rafb.net/p/3snCt112.html <- that's the strace
1184097764 M * AStorm ENOTTY
1184097767 M * AStorm in clone
1184097775 M * AStorm you don't have /dev/pts mounted/created
1184097797 M * ktwilight ?
1184097802 A * ktwilight points to himself
1184097828 M * AStorm uhm, in ioctl I meant
1184097842 M * AStorm or...
1184097850 M * AStorm you don't have fuse device nodes created
1184097872 M * ktwilight i have fuse device created, and i got SYS_ADMIN on bcaps
1184097878 Q * FireEgl Ping timeout: 480 seconds
1184097884 M * ktwilight it works when i execute the app as root. but it doesn't work out when i do it as a normal user
1184097893 M * ktwilight or is it wise to execute an app as root?
1184097948 M * AStorm it has to be able to call low-level ioctls
1184098025 M * ktwilight hm, i don't see any caps that will help me...
1184098065 M * AStorm how are you "adding" the caps to the user?
1184098071 M * AStorm By default, user has no caps
1184098093 M * AStorm and even root can't raise them
1184098104 M * AStorm (because he's missing the capability for that)
1184098107 M * ktwilight am just putting the caps in b|capabilities in /etc/vservers/NameOfGuest
1184098114 M * AStorm ah, so that
1184098115 M * ktwilight oh...
1184098126 M * AStorm you have to run the vserver as root
1184098147 M * AStorm it will be reduced in capabilities, so it's highly secure
1184098172 M * ktwilight well, i have SYS_ADMIN, SECURE_MOUNT, SECURE_REMOUNT and BINARY_MOUNT enabled
1184098186 M * ktwilight it is reduced, but my concern is largely on SYS_ADMIN
1184098193 M * daniel_hozac so you've lost any sense of security.
1184098205 M * ktwilight according to the wiki, there's lots of stuff for SYS_ADMIN
1184098206 M * ktwilight exactly
1184098240 M * ktwilight if i'm not wrong, i need SYS_ADMIN for "Allow mount() and umount(), setting up new smb connection"
1184098332 M * AStorm ktwilight, well
1184098339 M * AStorm you can mount outside the vserver
1184098347 M * AStorm and it will still see the mounts
1184098385 M * ktwilight hm, but the mountpoints are enabled by glusterfs from inside the guest.
1184098400 M * AStorm Why does it have to be run inside?
1184098413 M * AStorm the filesystems should be mounted by the host
1184098424 M * AStorm (so as to avoid that CAP_SYS_ADMIN)
1184098436 M * AStorm IMO, they should break CAP_SYS_ADMIN into subcapabilities
1184098527 M * AStorm maybe into CAP_SYS_LIMIT, CAP_SYS_ATTR, CAP_SYS_MOUNT
1184098561 M * AStorm and CAP_SYS_LIMIT_OVERRIDE
1184098592 M * AStorm daniel_hozac, hmm, why won't the vserver start properly?
1184098661 J * rgl ~Rui@84.90.10.107
1184098665 A * rgl waves
1184098696 M * Hollow daniel_hozac: definitely, but nice :) i just took a quick look, but if it works better than file, nice :)
1184098910 A * onox strikes a bloody mosquito with a fatal blow
1184099043 M * daniel_hozac Hollow: well, it's at least consistent in the output.
1184099059 M * daniel_hozac the results don't vary depending on the moon phase or whatever file's doing.
1184099092 M * daniel_hozac (plus specifying the commands in the configuration file seems better than hardcoding that.)
1184099138 M * daniel_hozac AStorm: my psychic abilities are not what they used to be.
1184099221 M * AStorm daniel_hozac, I've caught it myself
1184099230 M * AStorm missing shadow file this time :P
1184099237 M * AStorm so login balked
1184099738 M * AStorm daniel_hozac, that's not it, hmm
1184099746 M * AStorm looks like the login isn't started
1184099761 M * daniel_hozac i don't even know what you're talking abou.
1184099762 M * daniel_hozac +t
1184099803 M * AStorm Ok, I'll paste and you'll see :>
1184099977 Q * HeinMueck Quit: Aah!
1184100030 M * AStorm http://pastebin.ca/613134
1184100035 M * AStorm it seems to start
1184100042 M * AStorm but it isn't running afterwards
1184100046 M * AStorm and I can't enter it
1184100058 J * HeinMueck ~Miranda@dslb-088-065-242-043.pools.arcor-ip.net
1184100070 M * daniel_hozac doesn't seem to be starting any services, IMHO.
1184100090 M * daniel_hozac which would mean the context will go away as soon as the rc script is done.
1184100225 M * AStorm daniel_hozac, shouldn't it start a console? :P
1184100229 M * AStorm (getty)
1184100238 M * daniel_hozac no, why would it?
1184100244 M * daniel_hozac it doesn't have access to any.
1184100252 M * AStorm hmm
1184100279 M * AStorm How does entering work then?
1184100395 M * AStorm vlogin: openpty(): No such file or directory
1184100400 M * AStorm now I can enter it
1184100405 M * AStorm but... I can't :>
1184100451 M * daniel_hozac no /dev/ptmx or /dev/pts mount inside?
1184100482 M * Supaplex vserver $box enter ? was it started yet? vserver-stat[tab]
1184100501 M * daniel_hozac why tab?
1184100507 M * Supaplex I forgot the name
1184100515 M * AStorm daniel_hozac, it is there, I think
1184100517 M * Supaplex I use tab completion >:)
1184100545 M * AStorm Blah, it didn't mount it :|
1184100565 M * AStorm none» /dev/pts» devpts» gid=5,mode=620» » 0 0
1184100570 M * AStorm (ignore the >>)
1184100579 M * AStorm that's in the vserver's fstab
1184100631 M * daniel_hozac and /dev/ptmx?
1184100651 M * AStorm these are missing
1184100653 M * AStorm :P
1184100692 M * AStorm it should start udev anyway...
1184100721 M * daniel_hozac no, it shouldn't.
1184100726 M * daniel_hozac a guest cannot create device nodes.
1184100732 M * daniel_hozac that'd be a huge security risk.
1184100754 M * daniel_hozac (well, without the device mapping patch at least)
1184100756 M * AStorm Hmm
1184100758 M * AStorm vserver test stop
1184100758 M * AStorm mktemp: cannot create temp file /tmp/vserver-lock.LYAkQt: No such file or directory
1184100766 M * AStorm Why would it want to?
1184100777 M * daniel_hozac create a lock file?
1184100794 M * daniel_hozac to avoid race conditions, maybe?
1184100955 M * AStorm but why can't it?
1184100975 M * daniel_hozac probably because /tmp is a symlink to a mountpoint that has been cleaned away.
1184100990 M * AStorm real or vserver's?
1184101001 M * AStorm because the real one is there and working
1184101002 M * daniel_hozac the host's of course.
1184101012 M * daniel_hozac not in the guest's namespace.
1184101022 M * daniel_hozac look at namespace-cleanup-skip.
1184101032 M * AStorm Ahha
1184101040 M * AStorm I consider it a bug then ;-)
1184101053 M * AStorm will move /tmp to a ramdisk, why not
1184101060 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184101344 M * AStorm first, I have to kill that vserver
1184101347 M * AStorm how to do that?
1184101423 M * AStorm hmm, I have an idea
1184101542 M * AStorm yep, vkill worked
1184101564 M * AStorm BBL
1184101566 Q * AStorm Quit: Bye
1184101667 Q * Shuri Quit: Leaving
1184101768 Q * bonbons Quit: Leaving
1184102426 J * AStorm ~astralsto@host-81-190-179-124.gorzow.mm.pl
1184102878 Q * meandtheshell Quit: Leaving.
1184103568 Q * rgl Ping timeout: 480 seconds
1184103932 M * weasel hmm. are there any plans to ever merge into mainline?
1184104007 M * AStorm weasel, I don't think so
1184104030 Q * dilinger Remote host closed the connection
1184104035 J * dilinger ~dilinger@mail.queued.net
1184104190 M * weasel shame.
1184104296 M * AStorm weasel, it's too non-modular as it stands now
1184104311 M * AStorm virtual contexts would have to be split out
1184104321 M * AStorm the scheduler
1184104324 M * AStorm monitoring
1184104328 M * AStorm a lot of work
1184104741 Q * dna_ Quit: Leaving
1184105287 J * rgl ~Rui@84.90.10.107
1184105878 Q * rgl Ping timeout: 480 seconds
1184106532 J * Piet hiddenserv@tor.noreply.org
1184106555 J * oxylin ~jpeeters@chv78-2-88-161-189-78.fbx.proxad.net
1184106587 N * DoberMann DoberMann[ZZZzzz]
1184106636 J * rgl ~Rui@84.90.10.107
1184108097 Q * oxylin Quit: Ex-Chat
1184110505 Q * HeinMueck Quit: Aah!
1184110517 N * Bertl_oO Bertl
1184110527 M * Bertl back now ... took a little longer than expected
1184110550 M * Bertl flea: ping?
1184110594 M * flea Bertl, pong :D
1184110603 M * flea Hi Bertl :D
1184110611 M * Bertl ah, great, daniel_hozac: ping?
1184110705 M * Bertl first, let's look at the options we probably have here
1184110751 M * Bertl and I will try to classify them as bugfix, improvement and feature
1184110788 M * Bertl the typical setup will be without a separate routing table at all, as it is not needed in most scenarios
1184110814 M * Bertl in this case, we have three kinds of routes
1184110815 M * flea I didn't have the time to take a peek at the kernel code, but couldn't we patch the kernel to multiplex the routing table listing according to the vserver id? vserver id mapped to a routing table
1184110833 M * Bertl let's go slow on that one, shall we? :)
1184110865 M * Supaplex isn't there a wheel for it already? what does qemu and others use?
1184110868 M * flea Bertl, even if we don't use separate routes all vservers are mapped into the default main routing table
1184110879 M * Bertl first, we try to figure what we want to achieve, then we think about solutions
1184110912 M * Bertl Supaplex: yes and no, probably the best example here is OVZ (the 'competition')
1184110913 M * flea ok...
so the idea here is that the guest system can only list the routing table it's attached to
1184110928 M * Supaplex we could cooperate :)
1184110935 M * Bertl Supaplex: virtual interfaces and network stacks are an option, and they are currently investigated in mainline
1184110943 M * Bertl Supaplex: the problem here is the overhead
1184110951 M * Supaplex yup
1184110964 M * Bertl so, it's not that we didn't investigate virtualization in the network area
1184110977 M * Bertl actually we had an implementation for that some time ago
1184110995 M * Supaplex iptables queues or something?
1184111011 M * Bertl but, and that is the important part, we decided that this is too heavy for the lightweight isolation we want to achieve
1184111035 M * Bertl especially as 99% of all of this can be done with almost no overhead at all
1184111057 M * flea Bertl: a simple map may be sufficient... and very quick
1184111063 M * Bertl the case flea is pointing to is on a really _slow_ path
1184111090 M * Bertl as it doesn't even touch the routing or packet handling per se (at least not in the first step :)
1184111119 M * Bertl but I'd like to focus first on what we have and where we want to go :)
1184111142 M * flea Bertl, the routing issues are dealt with inside the proper routing mechanisms... presently we have to use iproute2 to configure the multiple tables.
1184111145 M * Bertl so let's not jump the gun, and look at the 'things which might need fixing'
1184111158 M * flea I believe that's not an issue for this problem
1184111165 M * flea since routing tables are working fine
1184111176 M * flea the issue here is a disclosure problem
1184111192 M * flea I am disclosing the host's networks into the guest system
1184111195 M * Bertl yes, but something I've been looking at for some time now is to make routing and iptables setup transparent to the guest user
1184111212 M * flea yap I see...
that would be nice
1184111220 M * Bertl now, unless you are completely uninterested in this area
1184111235 M * Bertl we should look at the 'big picture' first, from the user PoV
1184111243 M * flea Nah, I'm ok with almost any challenges :D
1184111252 M * Bertl that's the spirit :)
1184111261 M * Supaplex I wonder what I'm up against with HA
1184111276 M * Bertl HA as in High Availability?
1184111281 M * Supaplex yes
1184111302 M * Supaplex node goes down (in this case, either the host, and/or all guests)
1184111305 M * Bertl we had a few nice setups with drbd and heartbeat a year ago or so?
1184111318 M * Supaplex alternate picks up the balance (arp spoofing etc)
1184111346 M * Supaplex I've heard of all those. is this in the wiki? I pretty much get the concepts, but it's still new to me.
1184111347 M * flea Bertl, you have two main cases: 1) you wish to give the guest system the ability to manage its routes, or 2) you manage the routes outside the guest system and inside they can't be managed
1184111347 M * Bertl works quite nicely, you can even use Linux Virtual Server for that
1184111384 M * Bertl Supaplex: you best talk to derjohn (when he's around) he did that setup back then
1184111396 M * flea either way... I think we could manage both using the current infrastructure, only with a few mappings
1184111404 M * flea since linux already supports multiple routing tables
1184111409 M * Supaplex Bertl: as to the iptables issue, I think it's pretty safe to give guests /arbitrated/ access to a subchain.
1184111426 M * Bertl Supaplex: nope, unfortunately not
1184111429 M * Supaplex that's how I manage one of my local clients
1184111450 M * Bertl Supaplex: you have at least to restrict the number of rules and make sure they are not even remotely cyclic
1184111459 M * Supaplex they don't get everything iptables has
1184111493 M * Bertl flea: okay, so to get back on track, we have a few different scenarios to handle
1184111505 M * Bertl 1) the all root/master table setup
1184111525 M * Bertl 2) the separate network (still single table) setup
1184111539 M * Bertl 3) the separate routing table for a subnet
1184111549 M * Bertl 4) the separate routing table per guest
1184111578 M * flea I think you could merge a few of them with simple mappings
1184111586 M * flea you can say for instance
1184111617 M * flea guest0 and guest1 map onto rt_table 100
1184111625 M * flea guest3 onto rt_table 101
1184111639 M * flea guest4 5 and 6 onto rt_table 254 (main)
1184111655 M * flea a subnet is a bunch of guests that share the same table
1184111775 M * flea now if you give the capabilities each guest will be able to manage only it's mapped route
1184111783 M * flea its*
1184111797 M * flea hope I'm making any sense here
1184111864 M * flea I'm giving the mapping idea since it's a very quick way to multiplex the different guests onto different routing tables and still maintain userland compatibility
1184111978 Q * rgl Ping timeout: 480 seconds