1184460459 J * DoberMann_ ~james@AToulouse-156-1-163-8.w90-38.abo.wanadoo.fr
1184460568 Q * DoberMann[ZZZzzz] Ping timeout: 480 seconds
1184460830 Q * slack101 Ping timeout: 480 seconds
1184460851 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184463153 J * markus_ ~chatzilla@chello213047089232.17.14.vie.surfer.at
1184463159 M * markus_ hi
1184463194 M * daniel_hozac hello.
1184463848 M * markus_ I think I can truly say vserver is the first server which makes me having fun working with it every day (and night ...)
1184463858 M * markus_ s/first server/first software/ ;)
1184463982 M * Bertl_oO excellent!
1184464414 M * markus_ seriously :)
1184464459 M * markus_ btw, while you're there ... ( :) ) ... is there a way to virtualize/limit cpu resources available for a vserver? I've learned with your help about memory by adjusting rlimit/rss.hard and that works fine
1184464481 M * daniel_hozac
1184464484 M * Bertl_oO yes, the Token Bucket Scheduler does that
1184464493 M * daniel_hozac apparently i can't paste things anymore...
1184464497 M * daniel_hozac >
1184464498 M * daniel_hozac >
1184464498 M * Bertl_oO (as daniel_hozac tried to explain)
1184464512 M * daniel_hozac http://linux-vserver.org/CPU_Scheduler
1184464518 M * daniel_hozac is what i meant to paste...
1184464536 M * Bertl_oO tx :)
1184464629 M * markus_ before I run against a wall .. does cpu hard limit work in 2.0.0 ? :)
1184464655 M * daniel_hozac 2.0.0? why on earth are you running that?
1184464663 M * Bertl_oO nostalgia?
1184464683 M * daniel_hozac must be... IIRC we released 2.0.1 quite shortly after.
1184464706 M * markus_ well ... I'm bound to debian etch kernel packages
1184464713 M * markus_ :-/
1184464722 M * Bertl_oO markus_: think what a multitude of great things you can do after an upgrade :)
1184464728 M * daniel_hozac well, that should be 2.0.2.2-rc9.
1184464751 M * daniel_hozac which has the hard CPU scheduler, but not the idle time part.
1184464765 M * markus_ I know, yes, but after (wasting?) two days I still wasn't able to get me the debian kernel I needed so I had to resort to what is already there :-/
1184464776 M * markus_ hmm
1184464853 M * markus_ maybe it *is* more recent, debian is a bit vague here. Is there a bullet proof way to determine the current vserver patch in the kernel?
1184464868 M * daniel_hozac no.
1184464881 M * daniel_hozac 2.6.18-4 is that version though.
1184464888 M * daniel_hozac or at least, that's what the changelog says ;)
1184464903 M * markus_ yes, that's the kernel image etch is using
1184464954 M * markus_ cat: /proc/vserver/version: No such file or directory ... hmm, not that way
1184464972 M * daniel_hozac /proc/virtual/info is as close as you'll get..
1184464980 M * daniel_hozac that's not very specific though.
1184465019 M * markus_ VCIVersion: 0002:0002
1184465032 M * daniel_hozac right.
1184465065 M * markus_ does that translate to .. 2.0.2 ?
1184465080 M * daniel_hozac roughly, yes.
1184465125 Q * slack101 Ping timeout: 480 seconds
1184465146 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184465429 M * markus_ Does someone have a sample schedule file? I'm unsure how it should look like ...
1184465442 M * daniel_hozac you shouldn't use the schedule file.
1184465491 M * daniel_hozac use the sched directory.
1184465498 M * daniel_hozac just put the values you want in the appropraite files.
1184465504 M * daniel_hozac +english
1184465602 M * markus_ Sorry, I don't read anywhere how the files need to be named and what the content/value should mean. I get the token bucket example (I guess...) but that doesn't tell me where to put the values ...
1184465635 M * daniel_hozac the great flower page to the rescue!
1184465646 M * daniel_hozac http://www.nongnu.org/util-vserver/doc/conf/configuration.html#sched
1184465719 M * markus_ definitely ;) the fixed positioned header is confusing, but great page!
1184465932 M * Bertl_oO IIRC, there are different headers in the various css stylesheets :)
1184465944 M * markus_ :)
1184465951 M * daniel_hozac yep.
1184465989 M * markus_ Ok, so when my current /proc/virtual/40/sched reads: FillRate: 1 and Interval: 4 that means that the vserver gets a whole cpu from the system dedicated to him?
1184465996 M * markus_ (the system has 4)
1184466009 M * daniel_hozac well, sort of.
1184466016 M * daniel_hozac in reality it'll get 25% of each CPU.
1184466023 M * markus_ ok, that's fine.
1184466038 M * markus_ so, when I want to have it just 12,5% I set Interval to 8 ?
1184466062 M * Bertl_oO note that higher values (with the same ratio) will give better overall behaviour, but higher latency too
1184466114 M * daniel_hozac i.e. prefer 10/80 over 1/8, or maybe even 100/800, depending on your requirements/configuration...
1184466194 M * markus_ hmm .... what should higher latency mean to me in that context exactly?
1184466224 M * Bertl_oO that a context might have to wait longer to get scheduled again when over limit
1184466277 M * markus_ ok, thanks. many many thanks
1184466296 M * markus_ vserver definitely needs some kind of "Dummy guide to vserver" book ;)
1184466302 Q * Aiken Remote host closed the connection
1184466311 M * daniel_hozac well, we need documentation in general.
1184466327 M * daniel_hozac unfortunately, no one wants to write it :)
1184466338 M * Bertl_oO markus_: go ahead, write one ... make a fortune :)
1184466419 M * markus_ heh
1184466491 M * markus_ should I adjust TokensMin/Max too with 10/80 fillrate/interval ratio?
1184466532 M * daniel_hozac yes, you'll want tokens-max to be at least your fillrate.
1184466560 M * daniel_hozac it determines how long it can hog the CPU when it hasn't used it for a while.
1184466620 M * markus_ thx
1184466646 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184466666 M * markus_ ok, have to leave now. good night (morning)
1184466678 M * Bertl_oO have a good one ...
1184466996 Q * markus_ Quit: ChatZilla 0.9.78.1 [Firefox 2.0.0.4/2007051502]
1184468334 Q * Aiken Remote host closed the connection
1184468363 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184468502 M * daniel_hozac coloring the matrix seems to be harder than i thought.
1184468585 M * Bertl_oO how so?
1184468624 M * daniel_hozac i can't get it to apply my classes.
1184468689 M * daniel_hozac http://linux-vserver.org/index.php?title=MediaWiki:Common.css has them, at the bottom. using !class="stable"|2.2 does nothing though.
1184468736 M * Bertl_oO give me a few minutes, then I will look into it
1184468742 M * daniel_hozac okay, thanks.
1184468910 Q * Aiken Remote host closed the connection
1184468939 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184469421 Q * slack101 Ping timeout: 480 seconds
1184469442 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184469510 M * Bertl_oO daniel_hozac: what happens if you remove all the preconditions?
1184469523 M * Bertl_oO i.e., just td.stable ?
1184469570 M * daniel_hozac i had only .stable from the start, that didn't work either.
1184469605 M * daniel_hozac i assumed because the table.wikitable th overrode it.
1184469744 M * Bertl_oO where was the matrix page again?
1184469760 M * daniel_hozac http://linux-vserver.org/Template:CurrentPatchTableMatrix
1184469850 M * Bertl_oO looking there I don't see your class being used?
1184469869 M * daniel_hozac i was using preview.
1184469873 Q * Aiken Remote host closed the connection
1184469883 M * daniel_hozac (no point in saving something that doesn't work :))
1184469897 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184469909 M * Bertl_oO well, then please upload the source of one preview page for me
1184470077 M * daniel_hozac http://people.linux-vserver.org/~dhozac/tmp
1184470198 M * Bertl_oO and which one is the stylesheet containing the th.stable defs?
1184470215 M * daniel_hozac @import "/index.php?title=MediaWiki:Common.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
1184470248 M * daniel_hozac hmm, i guess that could be it. the cache might be preventing me from seeing the right one.
1184470290 M * Bertl_oO I don't see it here either
1184470302 M * Bertl_oO i.e. that one doesn't contain your class
1184470311 M * daniel_hozac okay, i guess i'll just wait then.
1184470321 M * daniel_hozac thanks for looking at it.
1184470327 M * Bertl_oO np
1184470354 M * daniel_hozac i'm running out of battery now, and i don't have my charger here, so i'm off... have a good one!
1184470375 M * Bertl_oO tx, u2!
1184470647 N * EtherNet\AwAy EtherNet
1184470765 M * Bertl_oO wb EtherNet!
1184471092 M * EtherNet Bertl_oO, thank you so much
1184471094 M * EtherNet Bertl_oO, how are you doing
1184471518 M * Bertl_oO fine fine, a little tired by now ..
1184471538 M * EtherNet yeah.. I am too, where are you from
1184471549 M * Bertl_oO Austria, Europe
1184471571 M * EtherNet nice
1184471982 J * gresco ~gresco@4-154-114-200.fibertel.com.ar
1184472042 M * Bertl_oO welcome gresco
1184472052 M * gresco oh. virtualization with one kernel.
1184472053 M * gresco cool
1184472072 M * Bertl_oO yep, cool stuff indeed ...
1184472204 M * gresco it makes more sense than having many kernels running on the same hard and trying to do anything useful.
1184472241 M * EtherNet Bertl_oO, is there a new Intel branch processors which allows Windows to work with virtualization ? heard about that?
1184472241 M * Bertl_oO especially with the possible resource sharing ...
1184472267 M * Bertl_oO EtherNet: that is VT/Pacifica
1184472287 M * EtherNet Bertl_oO, indeed.. I have heard something.. but I wasn't sure.
1184472309 M * Bertl_oO EtherNet: although that has no relation to Linux-VServer, which is at a different layer
1184472333 M * EtherNet yes, of course
1184474101 M * neuralis Bertl_oO: so, you've probably seen, VS has passed our stress tests and is in our Trial-2 kernel
1184474116 M * neuralis Bertl_oO: cause for celebration :)
1184474117 M * Bertl_oO great news!
1184474188 M * neuralis indeed. no containers will be active by default, but the secops team will provide a set of RPMs in the fedora repositories such that a single yum command can be used to install the userspace security service and patch program launching to use containers through it.
1184474236 M * neuralis so, all in all, i'm quite satisfied with the progress we're making.
1184474244 M * Bertl_oO good to hear ...
1184474646 M * neuralis yep. bedtime now, cheers!
1184474658 M * Bertl_oO yeah, here too ... have a good one!
1184474672 N * Bertl_oO Bertl_zZ
1184475597 N * EtherNet EtherNet\AwAy
1184478867 Q * Aiken Remote host closed the connection
1184479239 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184481145 J * David1 ~david@p57A4C29E.dip0.t-ipconnect.de
1184481558 Q * DavidS Ping timeout: 480 seconds
1184482304 Q * slack101 Ping timeout: 480 seconds
1184482325 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184482984 J * dna ~naucki@109-215-dsl.kielnet.net
1184485003 Q * Baby Remote host closed the connection
1184486600 Q * slack101 Ping timeout: 480 seconds
1184486621 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184486728 J * bzed ~bzed@10-205-116-85.dsl.manitu.net
1184487836 Q * emtt1 Remote host closed the connection
1184488292 Q * Aiken Remote host closed the connection
1184488317 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184490960 Q * slack101 Ping timeout: 480 seconds
1184490983 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184491760 N * DoberMann_ DoberMann
1184492827 J * pmenier_off ~pmenier@ACaen-152-1-3-220.w86-220.abo.wanadoo.fr
1184492855 M * pmenier_off Hello
1184492865 N * pmenier_off pmenier
1184494487 N * David1 DavidS|Juelich
1184494682 N * pmenier pmenier_off
1184495224 Q * slack101 Ping timeout: 480 seconds
1184495245 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184496693 J * bonbons ~bonbons@2001:5c0:85e2:0:20b:5dff:fec7:6b33
1184496904 Q * FireEgl Quit: Bye...
1184497843 J * |pmenier| ~pmenier@ACaen-152-1-3-220.w86-220.abo.wanadoo.fr
1184497843 Q * pmenier_off Read error: Connection reset by peer
1184498354 J * FireEgl FireEgl@4.0.0.0.1.0.0.0.c.d.4.8.0.c.5.0.1.0.0.2.ip6.arpa
1184498852 Q * FireEgl Quit: Bye...
1184499550 Q * slack101 Ping timeout: 480 seconds
1184499571 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184500015 J * emtty ~eric@dynamic-acs-24-154-33-109.zoominternet.net
1184500916 J * FireEgl FireEgl@Sebastian.Atlantica.DollarDNS.Net
1184501203 N * |pmenier| pmenier_off
1184503491 Q * Aiken Remote host closed the connection
1184503990 Q * dna Quit: Verlassend
1184504512 J * Pazzo ~ugelt@195.254.225.136
1184505462 J * Piet hiddenserv@tor.noreply.org
1184507998 Q * derjohn Read error: Connection reset by peer
1184508005 J * derjohn ~derjohn@80.69.41.3
1184508135 Q * slack101 Ping timeout: 480 seconds
1184508156 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184508739 Q * AStorm Quit: Bye
1184508753 J * AStorm ~astralsto@host-81-190-179-124.gorzow.mm.pl
1184510752 N * pmenier_off pmenier
1184512405 Q * slack101 Ping timeout: 480 seconds
1184512426 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184513444 Q * meebey Remote host closed the connection
1184513452 J * meebey meebey@booster.qnetp.net
1184513586 J * Baby ~miry@195.37.62.208
1184513742 N * Bertl_zZ Bertl
1184513745 M * Bertl morning folks!
1184514151 M * bonbons morning Bertl
1184514204 M * Bertl hey bonbons! how are you?
1184514205 M * bonbons do you know if there is a way to fetch UDP/ICMP packets from kernel with arrival timestamps? e.g. to get correct ping results, not dependent on system load
1184514232 M * Bertl hmm, packets should get timestamped
1184514259 M * bonbons I'm fine, would just prefer the weather to be a bit less hot :)
1184514326 M * bonbons how can userspace get that info? - I'm seeing horrible results with collectd's ping plugin spikes of 40ms for loopback, average 10 times what ping shows
1184514386 M * AStorm bonbons, why rewrite ping? :P
1184514389 M * bonbons so the results are influenced by collectd's reaction-time (it does save timestamps of sending and fetching responses using gettimeofday() if I remember well when reading)
1184514390 M * AStorm check its code :>
1184514412 M * AStorm no, it doesn't use gettimeofday I think
1184514420 M * bonbons well, unless ping got improved recently collectd's code should be ping-based!
1184514652 M * bonbons hm ok, ping has a nice fallback if (... || ioctl() || gettimeofday()) to determine the receiving time
1184514882 M * pmenier Morning Bertl
1184514934 M * pmenier Bertl: did you see http://paste.linux-vserver.org/4555 ?
1184515136 J * praveenlinux007 praveen.ra@220.224.8.46
1184515331 Q * praveenlinux007
1184515450 Q * ensc Ping timeout: 480 seconds
1184515502 M * Bertl pmenier: not yet ...
1184515651 M * Bertl pmenier: interesting ... can you trigger that somehow?
1184515717 M * pmenier as i said in post i just stop a vserver and it crashes when i restart it
1184515740 M * Bertl and that works for you every time?
1184515775 M * pmenier i've not tested many times :) When i saw machine crashes, i reboot on 2.6.21.5
1184515836 M * Bertl okay, so that was a single incident, yes?
1184515857 M * Bertl would it be possible to test/recreate that somewhere?
1184515879 M * Bertl (looks like a mainline issue at first glance, but you never can be sure)
1184515887 M * pmenier perhaps, i don't know.... The server was working fine since 30 hours and suddenly : bug
1184516033 M * pmenier i can compile a 2.6.22 on another machine and make all test you need now
1184516060 M * Bertl well, if you can somehow trigger this, it would be quite interesting
1184516122 M * pmenier okay : i make now a new kernel with this patch
1184516538 J * ensc ~irc-ensc@p54B4E7B5.dip.t-dialin.net
1184516623 M * Bertl pmenier: but in general, it looks like 2.6.22 is not perfect yet :)
1184516649 M * pmenier yes i saw on kernel.org there is already a 2.6.22.1 !
1184516665 Q * slack101 Ping timeout: 480 seconds
1184516682 M * Bertl I'm also experiencing a severe performance degradation on raid5 on SATA here
1184516686 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184516726 M * pmenier while upgrading from 2.6.21 to 2.6.22 ?
1184516761 M * pmenier i'm interested as i use now raid1 on sata
1184516805 M * Bertl actually it was 2.6.19.7 -> 2.6.22 (and I haven't checked for the exact kernel change responsible yet)
1184516986 M * pmenier it's a huge job :) The changelog's size for 2.6.22 is near 4Mo
1184517038 M * Bertl yeah, especially as the machine in question is 'production'
1184518534 M * pmenier booting on 2.6.22....
1184518567 M * pmenier starting vserver1 vserver2
1184518716 M * pmenier stopping and restarting vservers
1184519300 Q * Pazzo Quit: ...
1184520960 Q * slack101 Ping timeout: 480 seconds
1184520981 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184521475 Q * sid3windr Ping timeout: 480 seconds
1184521861 J * sid3windr luser@bastard-operator.from-hell.be
1184522704 M * AStorm hmm, what does "iunlink but not immutable" attr do?
1184523380 N * pmenier pmenier_off
1184524166 M * Bertl AStorm: it inverts the immutable case regarding unlink
1184524179 M * AStorm which is?
1184524416 M * Bertl you can write to files, but not remove them
1184524462 M * AStorm hmm, iunlink is the unification attr, right?
1184524476 M * Bertl it is the linkage invert attribute4
1184524479 M * Bertl -4
1184524508 M * AStorm ?
1184524534 M * Bertl which means: it inverts the immutable case regarding unlink :)
1184524549 M * AStorm I know, know, but I'm asking now about plain iunlink
1184524558 M * AStorm that's the COW attribute, right?
1184524562 M * Bertl nope
1184524578 M * Bertl iunlink + immutable + link > 1 == CoW
1184524586 M * AStorm link > 1, yep
1184524591 M * AStorm it has to be immutable?
1184524596 M * Bertl yep
1184524606 M * AStorm why? Shouldn't just removing work? :P
1184524620 M * Bertl sure, you could change the semantics quite easily :)
1184524635 M * AStorm btw, I wonder what will happen if you remove the source unification file
1184524645 M * AStorm that won't be caught by vserver, yes?
1184524652 M * Bertl there is no source, that is the magic of hard-links
1184524661 M * AStorm blah, forgot about hardlinks :P
1184524707 M * AStorm link + --iunlink = CoW? And the difference against link + --iunlink-but-not-immutable is that I can delete the link file?
1184524713 M * AStorm (the unified one)
1184524726 M * Bertl you mixed that up
1184524746 M * Bertl iunlink + immutable + (link > 1) == CoW
1184524758 M * Bertl i.e. --iunlink-but-not-immutable + --immutable :)
1184524760 M * AStorm Yep, but then unlink on that file won't work?
1184524766 M * AStorm (due to immutable)
1184524779 M * Bertl that is what the linkage invert, inverts :)
1184524789 M * AStorm I'd like the CoW semantics, but so that unlinking would work correctly
1184524799 M * Bertl it does :)
1184524799 M * AStorm so I want --iunlink-but-not-immutable then?
1184524802 M * AStorm ahha
1184524803 M * Bertl nope
1184524805 M * AStorm ok
1184524836 M * Bertl I have no bloody idea _why_ the tools did choose to have those 'confusing' options in this regard
1184524843 M * Bertl (you have to ask ensc for that :)
1184524858 M * Bertl but there are two flags: immutable and iunlink
1184524882 M * Bertl when both set, (and the link count is greater than 1) then we have a potential CoW candidate
1184524898 M * Bertl (i.e. unlink, write, change of attributes will break the link)
1184524913 M * Bertl just immutable gives you an immutable file
1184524930 M * Bertl just iunlink gives you a file which cannot be removed
1184524948 M * Bertl none of them set, gives you a normal file :)
1184524954 M * AStorm Great
1184524970 M * AStorm that iunlink can be useful in sandboxing
1184524985 M * AStorm actually, iunlink + immutable
1184525004 M * AStorm blah
1184525007 M * AStorm that's CoW :P
1184525008 J * Blissex ~Blissex@82-69-39-138.dsl.in-addr.zen.co.uk
1184525022 M * Bertl when link > 1 :)
1184525032 M * AStorm yes, right
1184525037 M * AStorm unionfs done right
1184525057 M * AStorm (although one drive only)
1184525069 M * Bertl correct
1184525087 M * AStorm it could be extended so that symlinks work in this way too, but I don't know exactly how
1184525095 M * AStorm because symlink's link count should be 1
1184525108 M * AStorm it'd have to cheat a lot
1184525139 M * AStorm symlink that doesn't stat like one (and has a link count > 1) would work
1184525157 M * AStorm would look to the higher layers like a normal file
1184525255 Q * slack101 Ping timeout: 480 seconds
1184525255 M * AStorm I don't know how fsck utils would react to such a thing :>
1184525276 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184525559 M * AStorm hm, will mv invoke CoW semantics? (shouldn't, but it's best to ask)
1184525574 M * Bertl no, shouldn't
1184526228 M * Bertl okay, nap attack .. back later
1184526241 N * Bertl Bertl_zZ
1184526783 A * sid3windr attacks the nap
1184526901 M * AStorm maybe it was supposed to have been a pan attack? :P
1184527486 M * trippeh_ Any known problems with the latest 2.6.22 vserver 2.2.0 rc patch?
1184527500 M * AStorm random hardware burns ;P
1184527536 M * trippeh_ Just burns? No explosions?
1184527556 M * AStorm not yet, maybe later?
1184527646 Q * Blissex Remote host closed the connection
1184527780 Q * Piet Quit: Piet
1184528097 M * meebey daniel_hozac: btw it seems like the sometimes hanging hwclock during shutdown seems to be under influence from /dev/rtc, when deleting /dev/rtc I didn't see the problem anymore
1184529550 Q * slack101 Ping timeout: 480 seconds
1184529571 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184530187 M * doener meebey: IIRC there was a report on lkml about that
1184530203 M * doener topic was sth. like "CMOS read hang" or so
1184530335 M * meebey hm ic
1184530352 M * meebey I wanted to cleanup /dev in the vservers anyhow :)
1184530633 Q * AStorm Ping timeout: 480 seconds
1184532032 N * Bertl_zZ Bertl
1184532457 Q * bonbons Quit: Leaving
1184532474 J * AStorm ~astralsto@host-81-190-179-124.gorzow.mm.pl
1184532578 Q * trippeh_ Quit: going down!
1184532707 J * insomniaa ~insomnia@80.99.232.232
1184532718 M * insomniaa hi
1184532780 M * Bertl hey
1184532791 M * insomniaa i am installing vserver, testme.sh runs ok, but when i want to create a vserver i get the following error message : vnamespace: execvp("/usr/lib64/util-vserver/vserver-build"): No such file or directory
1184532801 J * AstralSt ~astralsto@host-81-190-179-124.gorzow.mm.pl
1184532817 M * Bertl did you install the 'build' package?
1184532841 M * Bertl welcome AstralSt!
1184532856 M * insomniaa build package ?
1184532868 N * AStorm Guest418
1184532868 N * AstralSt AStorm
1184532876 M * Bertl insomniaa: what distro are you on, and how did you install the tools?
1184532876 M * AStorm Bertl, ? :>
1184532891 M * AStorm Thanks for the welcome :>
1184532897 M * insomniaa i am on mandriva 2007.1 x86_64,
1184532903 M * Bertl AStorm: ah, two irc logons are better than one, I guess?
1184532912 N * DoberMann DoberMann[ZZZzzz]
1184532916 M * AStorm no, my network was a bit broken last time
1184532926 M * insomniaa i have installed the appropriate kernel, and util-vserver
1184532938 M * Bertl insomniaa: okay, how did you install util-vserver?
1184532942 M * AStorm route problems :P
1184532960 M * insomniaa i've not seen on linux-vserver.org any build package
1184532963 Q * Guest418 Ping timeout: 480 seconds
1184532969 M * insomniaa Bertl : through rpm
1184532998 M * Bertl okay, and what packages did you install?
1184533001 M * insomniaa Package util-vserver-0.30.212-2mdv2007.1.x86_64
1184533025 M * pmenier_off bye back tomorrow
1184533037 Q * pmenier_off Quit: KVIrc 3.2.0 'Realia'
1184533050 M * Bertl insomniaa: then I assume there should be an util-vserver-build too :)
1184533082 M * insomniaa Bertl : kernel-2.6.19.1-1
1184533121 M * insomniaa Bertl : rebuilding from source util-vserver would make the trick?
1184533144 M * Bertl did you grab the rpm somewhere and just rpm -i/U it?
1184533178 M * Bertl I haven't heard of a mandriva util-vserver package yet (which doesn't mean it doesn't exist :)
1184533188 M * insomniaa yes (telling the truth, i am using easyurpmi from a specific server)
1184533212 M * Bertl ah, well, then you probably did not use rpm directly, but urpmi, yes?
1184533225 M * insomniaa util-vserver rpm is on every official mirror
1184533264 M * Bertl nice, maybe we should get it updated now too .. do you know by any chance who is maintaining it? blino?
1184533278 M * insomniaa Bertl : damned you have right, there is a vserver-util-build package
1184533720 M * insomniaa thx
1184533726 M * Bertl you're welcome!
1184534255 J * Aiken ~james@ppp121-45-220-241.lns2.bne1.internode.on.net
1184534271 M * Bertl morning Aiken!
1184534304 M * Aiken hello Bertl
1184534617 Q * AStorm Quit: Bye
1184534890 J * markus_ ~chatzilla@chello213047089232.17.14.vie.surfer.at
1184534902 M * markus_ hi
1184534936 M * markus_ About the page http://linux-vserver.org/Communicate .. the mailing lists are mentioned but labeled as not working. Is there currently a working alternative for it, for the public?
1184535264 M * Bertl the mailing list _is_ working, the web interface is not
1184535302 M * Bertl unfortunately the guy 'supposed to be maintaining that' was last seen more than half a year ago, and cannot be reached (for whatever reason)
1184535353 M * Bertl markus_: so use the 'traditional' mailing list (subscribe/unsubscribe) interface, and you should have no problem at all
1184535708 M * markus_ Bertl: ok, because the Wiki says something else. Is it ok to rephrase the text so everyone understands what at least currently is working?
1184535792 M * Bertl yes, but please verify first :) maybe it is now broken completely
1184535807 M * Bertl (but it worked for me yesterday :)
1184536004 M * markus_ I was subscribed successfully. Should embarrass myself to the list with a test mail as a first mail? :)
1184536441 M * markus_ Hmm ... I sent a test mail and now received a "Automatic response - eMail address verification". I guess this shouldn't happen with a prior successful list subscription ...
1184537352 J * AStorm ~astralsto@host-81-190-179-124.gorzow.mm.pl
1184537414 M * markus_ n8
1184537415 Q * markus_ Quit: ChatZilla 0.9.78.1 [Firefox 2.0.0.4/2007051502]
1184538139 Q * slack101 Ping timeout: 480 seconds
1184538160 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com
1184538384 J * ktwilight_ ~ktwilight@88.101-66-87.adsl-dyn.isp.belgacom.be
1184538588 Q * ktwilight Ping timeout: 480 seconds
1184538592 N * BobR_afk BobR
1184539238 N * BobR BobR_zZ
1184539605 M * flea Bertl: howdy
1184539645 M * Bertl heya!
1184539726 J * ktwilight ~ktwilight@220.99-66-87.adsl-dyn.isp.belgacom.be
1184539818 Q * ktwilight_ Ping timeout: 480 seconds
1184539819 M * flea Bertl: whats up? :D
1184539839 M * flea i've been away on work , just got today
1184539844 M * flea *got back
1184539985 M * flea Bertl: on that day I've installed iproute2 utils inside the vserver and saw that you can actually access all routing tables
1184539999 M * flea a guest system can inspect all routing tables on the host system
1184540034 M * Bertl yep
1184540064 M * AStorm flea, yes, but not change
1184540071 M * AStorm it's network separation, not virtualisation
1184540089 M * AStorm (can change if it has enough permissions)
1184540098 M * Bertl as I said last time, we could improve on the route 'hiding'
1184540111 M * flea AStorm yap I know it's not virtualisation, but it's an isolation mechanism
1184540122 M * flea isolation should isolate things...
1184540124 M * flea like containers
1184540136 M * Bertl it does, the routes are _not_ part of it :)
1184540137 M * AStorm flea, uhm, not really
1184540152 M * flea disclosing host route information into the guest system is not a good policy I think
1184540156 M * AStorm Bertl, hmm, would implementing route hiding be hard?
1184540177 M * Bertl AStorm: no, we already hide the interfaces which do not carry guest IPs
1184540183 M * AStorm only for !CAP_NET_ADMIN
1184540216 M * AStorm btw, why is that data even available for an app w/o that capability?
1184540224 M * AStorm it's illogical
1184540233 M * flea AStorm: as we're talking in the other day it should be an interesting thing that you could have a flexible policy mechanism for viewing/managing routes inside guest systems
1184540247 M * AStorm flea, a lot of overhead, heh ;>
1184540264 M * flea AStorm: I think that depend the way you implement it
1184540266 M * AStorm I propose just hide the routing tables altogether for apps not having CAP_NET_ADMIN
1184540271 M * AStorm *hiding
1184540284 M * flea hiding it's easy...
1184540288 M * AStorm :>
1184540307 M * flea I think doing it all it's more tricky... but it's doable I guess
1184540361 M * flea the initial problem i've reported was only about the disclosure of routes but Bertl has suggested a more wider mechanism, not only to hide but also to police route management
1184540373 M * flea flag routes a guest system could manage or not
1184540402 M * Bertl flea: yeah, but the part you didn't get (last time) was that this is _nothing_ to be done in the kernel :)
1184540463 M * AStorm exactly
1184540470 M * AStorm more like current quota management daemon?
1184540509 M * Bertl proxying netlink messages to a policy daemon on the host
1184540596 J * fleaAtWiFi ~flea@a83-132-13-23.cpe.netcabo.pt
1184540614 M * fleaAtWiFi brrr.... damn cable :S
1184540683 M * fleaAtWiFi Bertl: how will you manage to police routing access without messing around with the kernel route code? is there already an infrastructure that supports it?
1184540731 M * Bertl 01:01 < Bertl> proxying netlink messages to a policy daemon on the host
1184540856 Q * flea Ping timeout: 480 seconds
1184540857 M * fleaAtWiFi thats an idea but tell me... iproute utils uses the netlink device, but the route/ipconfig utils dont use the legacy support or something?
1184540871 N * fleaAtWiFi flea
1184540918 M * Bertl well, as I already said, hiding is one part (virtualization)
1184540932 M * Bertl this will automatically reach legacy tools too
1184540965 M * Bertl manipulation can be redirected and applied by the policy daemon
1184540983 Q * s0undt3ch Ping timeout: 480 seconds
1184541011 J * s0undt3ch ~s0undt3ch@80.69.34.154
1184541039 M * flea how will you intercept legacy calls? since they must be ioctl or something alike
1184541040 M * flea ?
1184541087 M * Bertl not sure I really want to :)
1184541103 M * Bertl iproute2 basically replaced ifconfig 5 years ago :)
1184541148 M * flea I know Bertl, but that isn't the case
1184541215 M * flea anyone can write a small C program and get the routing tables through those ioctls. The netlink proxy isn't the same... even if someone writes a program, those messages will always be caught by the proxy and able to be policed.
1184541269 M * Bertl so?
1184541346 M * AStorm flea, no CAP_NET_ADMIN, no ioctl :P
1184541356 M * AStorm uhm, you even need CAP_SYS_ADMIN for that
1184541386 M * flea AStorm: ok, that's a clean way to do it :D
1184541463 M * AStorm hmm, currently you need none. I wonder why would anyone want to see routing tables and not change them :P
1184541487 M * AStorm CAP_NET_ADMIN governs changing
1184541563 M * flea the idea here, is that if you have a bunch of routes on the host system, and you don't want them to be disclosed into the guest system, you could be able to do so.
1184541596 M * flea since disclosure can be a security threat...
1184541619 M * AStorm weak one, and if it is a threat, then your networking is misconfigured
1184541628 M * AStorm firewall ftw
1184541699 M * flea AStorm I don't think so... even if you enforce a different routing table , or even firewall it, the simple act of disclosing routes can be dangerous
1184541711 M * flea why disclose routes if the guest system don't need them
1184541733 M * AStorm tell me, how disclosing routes can be dangerous?
1184541752 M * AStorm give a hint about a misconfigured system reachable from net, maybe
1184541757 M * AStorm but that's about all
1184541778 M * flea I'm disclosing information, I don't want the guest system to know that I have other public routes, or connection with other LANs
1184541798 M * flea And that could be a motivation for an intruder for instance
1184541835 M * AStorm yes
1184541852 M * AStorm I'd really love a VServer to become a totally virtualised environment (optionally, of course)
1184541877 M * AStorm complexity, complexity and even more of it
1184541927 M * flea AStorm when I reported this situation , it was because I've stepped into that problem
1184541953 M * AStorm Hmm, turning off that sysctl on CAP_NET_ADMIN could be nice
1184541955 M * flea I was setting up a host system, where I configured a bunch of vservers to support isolation of some services
1184541960 M * AStorm and send that patch to LKML too
1184541967 M * AStorm s/sysctl/ioctl/
1184541975 M * flea and also a fast way of disaster recovering.
1184541981 M * AStorm maybe disallow viewing routes w/o it through netlink too
1184541985 M * flea fail over...whatever.
1184541995 M * flea The problem I was faced was that inside the guest systems
1184542010 M * flea I was able to inspect all routes of the host system
1184542018 M * flea some of them are kinda of private
1184542028 M * flea and even with a firewall
1184542041 M * flea I prefer not to disclosed them
1184542059 M * flea since it gives a lot of information to a potential intruder
1184542170 M * flea personally I liked a lot the Bertl suggestion
1184542189 M * flea a daemon would take the complexity out of the kernel into the userland
1184542201 M * flea and should be very configurable.
1184542239 M * flea with a kind of rule set language you can setup hide/view/set/unset policies easily
1184542300 M * Bertl glad we agree on that :)
1184542367 M * flea :)
1184542440 Q * slack101 Ping timeout: 480 seconds
1184542461 J * slack101 ~rwer@cpe-65-31-15-111.insight.res.rr.com