1188172908 M * mstone Bertl: well, in any case, thanks again for your help.
1188172918 P * mstone
1188173272 Q * meandtheshell Quit: Leaving.
1188173601 J * AstralS ~astralsto@tor-irc.dnsbl.oftc.net
1188173679 Q * AStorm Ping timeout: 480 seconds
1188174462 M * slack102 hey is that grsecurity stuff really any good ?
1188175555 M * mnemoc hi, whats the name of the monitoring tool with vserver support with the name of a north's god?
1188175918 J * friendly12345 ~friendly@ppp59-167-75-40.lns1.mel6.internode.on.net
1188175977 M * mnemoc munin :)
1188176722 J * [Guy] ~korn@elan.rulez.org
1188176740 Q * Guy- charon.oftc.net kinetic.oftc.net
1188176740 Q * Medivh charon.oftc.net kinetic.oftc.net
1188176807 J * Medivh ck@paradise.by.the.dashboardlight.de
1188178235 N * AstralS AStorm
1188178819 J * DoberMann_ ~james@AToulouse-156-1-177-59.w90-38.abo.wanadoo.fr
1188178928 Q * DoberMann[ZZZzzz] Ping timeout: 480 seconds
1188179794 M * AStorm slack102: it depends on how you define "good"
1188179802 M * AStorm it's a nice MAC system
1188179821 M * AStorm and adds some strength to chroots optionally
1188179863 M * AStorm randomizes TCP sequence number, pids
1188179881 M * AStorm combined with Pax it's great
1188180350 M * slack102 AStorm: would you use it ?
1188180394 M * AStorm For a mission-critical server, definitely
1188180414 M * AStorm it makes hacking much more difficult
1188180568 M * friendly12345 AStorm: recently, there has been a shift towards just abuse of inherent functionality rather than exploitation of bad programming
1188180593 M * friendly12345 AStorm: by bad programming I mean buffer overflows
1188180651 M * AStorm proper ACL will help secure the system against that too
1188180671 M * AStorm chroot strengthening will also be nice
1188180714 M * AStorm will not help the DB though :>
1188180756 M * friendly12345 AStorm: hmm, no I'm talking about things where Access Control won't do anything (or a great deal)
1188180801 M * friendly12345 AStorm: cross-site scripting, Javascript abuse, tunnelling -- things like that
1188180835 M * AStorm yes
1188181021 Q * AStorm Remote host closed the connection
1188181053 J * AStorm ~astralsto@tor-irc.dnsbl.oftc.net
1188181700 J * virtuoso_ ~s0t0na@pppoe-63.2.110.89-adsl.spbnit.ru
1188181843 M * slack102 AStorm: isnt the kernel as it is pretty stable ?
1188181868 M * AStorm slack102: yes, but is missing security features
1188181877 M * AStorm unless you use SELinux, which is a PITA to get right
1188181880 M * slack102 im saying isnt it pretty secure as is ?
1188181890 M * slack102 i do not use selinux
1188181908 M * AStorm slack102: no, it doesn't restrict easy chroot escape paths
1188181911 M * slack102 so a server without grsecurity or selinux is insecure no matter ?
1188181930 M * Bertl well, first, stable has nothing to do with secure
1188181931 M * AStorm or limit the server's filesystem access
1188181941 M * slack102 Bertl: i meant secure
1188181954 M * slack102 right now i run my webserver like
1188181960 M * Bertl both the grsec as well as any other patch de-stabilize the kernel somewhat
1188181964 M * slack102 real server -> vserver -> chroot
1188181995 M * slack102 but i guess it is possible to break out of a chroot
1188181996 M * Bertl second, no grsec user could explain the benefit of grsec (or selinux) in addition to the Linux-VServer patches yet
1188182023 M * Bertl maybe AStorm can explain the benefit here for us ...
1188182032 M * AStorm Bertl: well, with VServer, that's another matter :P
1188182050 M * Bertl okay, but we are in the Linux-VServer channel :)
1188182078 M * Bertl so I assume grsec patches _for_ or at least in combination with Linux-VServer
1188182179 M * AStorm the only good side of grsecurity (not Pax) is that you can limit chroots inside the vserver
1188182179 M * AStorm and reduce the damage to it
1188182179 M * AStorm but then, why would you chroot, if you're inside the vserver
1188182179 Q * virtuoso Ping timeout: 480 seconds
1188182179 M * AStorm The only usable part of grsecurity in combination with VServer is PaX
1188182179 M * AStorm well, when vserver gets per-vserver vprocunhide, that is
1188182179 M * slack102 hmmmm
1188182179 M * slack102 is it worth the extra work ?
1188182179 M * AStorm slack102: well, patching vserver w/ PaX shouldn't be that hard
1188182186 M * slack102 i know
1188182192 M * slack102 but its just extra work
1188182195 M * AStorm esp. the randomization parts could be useful
1188182200 M * slack102 blah i will do that on server 2
1188182232 M * AStorm fortunately, -mm recently got pie-randomization patches
1188182237 M * AStorm so you won't have to get PaX just for that
1188182261 M * Bertl AStorm: this is something I agree with, and that is also why I contacted the pax folks (specifically michal`) so that we could get that combined
1188182264 M * AStorm though TCP sequence randomization and pid randomization would still be nice
1188182291 M * Bertl AStorm: there is no real point in pid randomization with a limited number of pids
1188182307 M * AStorm Bertl: well, scanning 65535 pids will trip my detectors ;P
1188182309 M * Bertl AStorm: and you get a certain randomization by having several guests too
1188182319 M * AStorm Yes.
1188182384 M * AStorm but not inside the guest, which is the point of it
1188182393 M * AStorm to not be able to jump back to libc
1188182427 M * AStorm especially nice when combined with nX
1188182434 M * AStorm (which Intel has unfortunately broken)
1188182498 M * friendly12345 AStorm: broken?
1188182542 M * AStorm yes, it doesn't protect upward the stack on some Core 2 chips, or so I heard
1188182556 M * AStorm it's possible to work around in the kernel (I hope the devs did that)
1188182560 M * friendly12345 AStorm: Got a link/source?
1188182572 M * AStorm friendly12345: google for "intel nX"
1188182580 M * AStorm probably from kerneltrap
1188182622 M * AStorm I'll dig up that link
1188182661 M * Bertl AStorm: in a recent linux distro, you won't even detect a scan over 64k pids, so many daemons and applications have constantly respawning threads
1188182912 M * AStorm uh, a lot of quick start/stop patterns could trigger it
1188182920 M * AStorm but I agree, it's a weak defence
1188182961 M * AStorm though TCP sequence number randomization is more useful
1188182964 M * Bertl btw, same goes for address space randomization, it doesn't really make injecting code (with buffer overflows) much harder
1188182968 M * AStorm makes "man in the middle" much harder
1188183010 M * AStorm that's why ASLR has to be combined with nX
1188183033 M * AStorm ASLR only makes launch-some-lib attacks harder
1188183033 M * Bertl sensitive tcp data should be encrypted, and then the man-in-the-middle is not a real problem anymore
1188183039 M * AStorm yes
1188183067 M * AStorm hm, so what do we have left?
1188183068 M * Bertl for unencrypted tcp, the sequence number randomization doesn't help you much either (unfortunately)
1188183072 J * ktwilight ~ktwilight@203.75-66-87.adsl-dyn.isp.belgacom.be
1188183073 M * AStorm mprotect() and stuff
1188183091 M * AStorm mprotect and trampoline emulation
1188183147 M * Bertl memory protection should be done by the elf (or binary) headers/load for the sections
1188183150 M * Bertl *loader
1188183158 M * AStorm well, PIE
1188183163 M * slack102 seems linux vserver is the only "true" os virtualization
1188183177 M * AStorm and the kernel could load them to random places
1188183196 M * AStorm the pie-randomization patches do so
1188183205 M * slack102 openvz was a mess for me
1188183233 M * Bertl AStorm: well, having position independent code just makes reuse in overflows easier :)
1188183236 M * AStorm normal ELF can't be randomized w/o overhead
1188183360 M * AStorm Bertl: not if you have nX ;>
1188183375 Q * ktwilight_ Read error: Connection reset by peer
1188183386 M * AStorm as you won't be able to run it anyway (I hope)
1188183421 M * AStorm and w/ randomization you won't be able to just launch another function of the same executable too
1188183424 M * friendly12345 slack102: how so?
1188183466 M * slack102 how so which ?
1188183511 M * slack102 now i know why all these vps host is like 512 mb of ram etc all these high numbers for cheap cost cause openvz counts cache as real memory
1188183511 M * friendly12345 slack102: openvz was a mess for me
1188183520 M * slack102 not on the host but yea
1188183544 M * slack102 so you might have a 512 cache but only have like 230 mb being used
1188183628 M * slack102 friendly12345: so that was a mess for me
1188183638 M * slack102 and i wasnt too happy about the network being virtualized
1188183641 M * slack102 stakc anyways
1188183644 M * slack102 stack*
1188183661 M * AStorm slack102: yeah, net virtualization is rarely needed
1188183674 M * AStorm and if you want some of it, you can just run the vserver on a dummy interface
1188183683 M * AStorm and route/NAT in the host
1188183696 M * slack102 i dont need it
1188183703 M * slack102 i modified a iptables web app to work good
1188183710 M * slack102 last night so yea
1188183718 M * slack102 took only about 20 mins actually
1188183741 M * Bertl just for clarification: the dummy interface doesn't change anything here, but it is nice to bind to
1188183750 M * AStorm Yes.
1188183761 M * slack102 dummy interface ?
1188183767 M * slack102 you mean :1 : 2 ?
1188183774 M * AStorm no, not alias
1188183781 M * Bertl dummy0 instead of eth0
1188183788 M * slack102 why would 1 do that ?
1188183800 M * AStorm to separate the VServer from eth0 more
1188183806 M * slack102 ah wel
1188183836 M * slack102 ah well goal is to keep it as native as possible
1188183840 M * AStorm if you have routing set properly, the dummy won't be able to see the rest of the network
1188183849 M * slack102 hopefully vservers dont count cache as real memory
1188183862 M * slack102 dummy as in virtualized ?
1188183879 M * slack102 and in a vserver i make now on the same interface the vserver cannot see other ip's
1188183879 M * Bertl nah, dummy0 is just a dummy interface Linux provides
1188183926 M * slack102 ah
1188183927 Q * coderanger_ Read error: Connection reset by peer
1188183951 M * AStorm slack102: VServers share the cache with the rest of the system, so they shouldn't count it too
1188183955 J * coderanger ~coderange@kantrn.stu.rpi.edu
1188183969 M * slack102 AStorm: for instance in openvz
1188183976 M * slack102 if you start mysql
1188183984 M * slack102 it uses like 130 mb
1188184000 M * slack102 if you start on a real linux system it uses 130 as well but 120 is cachde
1188184002 M * slack102 cache
1188184018 M * AStorm uhm, uses == VIRT?
1188184024 M * slack102 in openvz they dont count cache as per se cache they treat it as real mem inside the vm
1188184029 M * slack102 vps
1188184041 M * AStorm I think it's not cache, but mmapped file
1188184049 M * slack102 which ?
1188184052 M * AStorm it should be counted as used memory
1188184065 M * slack102 it is used memory but it can be freed
1188184067 M * slack102 its cache
1188184082 M * AStorm freed? tell me how ;P
1188184086 M * AStorm what "cache"
1188184092 M * AStorm not filesystem cache I guess
1188184092 Q * coderanger Read error: Connection reset by peer
1188184096 M * slack102 my friend
1188184099 M * slack102 open mysql
1188184103 M * AStorm and it's not freeable from the kernel view
1188184109 M * AStorm so it's used.
1188184111 M * slack102 tell me how much real ram it is using - cache
1188184126 M * AStorm I guess it's not some "cache", but an mmapped file
1188184130 J * coderanger ~coderange@kantrn.stu.rpi.edu
1188184137 M * slack102 if you do a free -m
1188184144 M * AStorm which will appear on VIRT
1188184147 M * AStorm but not on RSS
1188184160 M * slack102 it will show you are using 130 mb of mysql
1188184163 M * slack102 well not free -m
1188184166 M * slack102 but you get the point
1188184167 M * slack102 BUT
1188184177 M * slack102 but then you look at the cache and its using 120 mb for it
1188184187 Q * coderanger Read error: Connection reset by peer
1188184191 M * AStorm which cache? filesystem cache?
1188184198 M * slack102 i assume a memory cache
1188184200 M * slack102 free -m
1188184202 M * slack102 look to your right
1188184210 M * AStorm that doesn't count as used in any way
1188184218 M * slack102 it does
1188184221 M * AStorm it's shared between vservers too
1188184223 J * coderanger ~coderange@kantrn.stu.rpi.edu
1188184229 M * slack102 exactly
1188184232 M * slack102 in openvz its not
1188184233 M * AStorm no, it doesn't - it's just that free displays it so
1188184243 M * slack102 lol
1188184248 M * slack102 ok so your saying on my 2 GB box
1188184253 M * AStorm /proc/memstat
1188184253 M * slack102 i only have 7 mb of free ram ?
1188184266 M * slack102 it is caching like 1.8 GB
1188184267 M * AStorm uh, /proc/meminfo
1188184274 Q * coderanger Read error: Connection reset by peer
1188184281 M * AStorm uh, Cache is not Used
1188184283 M * AStorm it's just that free sums it up
1188184295 M * AStorm using MemFree entry
1188184303 M * AStorm which isn't really the "used" amount
1188184306 M * slack102 ok i have only 7 mb of free ram due to free
1188184314 J * coderanger ~coderange@kantrn.stu.rpi.edu
1188184331 M * AStorm Active is really used ram
1188184334 M * neuralis slack102: do you understand at all how memory is managed by a modern OS? you're talking nonsense (again).
1188184336 M * slack102 have you ever used openvz for one ?
1188184347 M * slack102 neuralis: i understand very well
1188184347 M * slack102 how
1188184352 M * slack102 cache works on linux
1188184357 M * slack102 memory cache
1188184361 M * neuralis slack102: then what are you talking about?
1188184361 M * slack102 and filesystem cache
1188184370 M * Bertl slack102: please keep OVZ stuff to the OVZ channel
1188184375 M * AStorm there's no such thing as "memory cache"
1188184383 M * slack102 neuralis: i am getting the impression that you are saying
1188184388 M * AStorm filesystem cache isn't counted as used
1188184396 M * slack102 cache is not able to be freed
1188184399 M * AStorm see /proc/meminfo, entry "Active"
1188184410 M * AStorm slack102: it is automatically freed when memory is required
1188184415 M * AStorm unless OpenVZ broke something ;P
1188184416 M * slack102 here i got a box near me let me login remote console
1188184453 M * slack102 free -m
1188184453 M * slack102 total used free shared buffers cached
1188184453 M * slack102 Mem: 491 484 7 0 35 409
1188184453 M * slack102 -/+ buffers/cache: 39 452
1188184468 M * neuralis and your point?
1188184481 M * slack102 so your saying that 409 mb cant be freed AStorm
1188184485 M * slack102 ?
1188184494 Q * badari1 Ping timeout: 480 seconds
1188184501 M * neuralis slack102: for all practical purposes that _you_ care about, that memory is already free.
1188184516 J * badari1 ~badari@bi01p1.co.us.ibm.com
1188184517 M * slack102 neuralis: thats what i was saying
1188184543 M * AStorm slack102: no, 484 MB can't be freed
1188184554 M * slack102 NO BUT 409 CAN
1188184557 M * slack102 gosh dude
1188184561 M * AStorm oh, wait
1188184565 M * AStorm you only use 39 MB :P
1188184566 M * AStorm sorry ;p
1188184573 M * slack102 either you are not understanding what im saying or something ;)
1188184589 M * slack102 then neuralis jumps in to try and make me look like an idiot
1188184593 M * slack102 prolly daniel_hozac twin
1188184595 M * neuralis AStorm: that's incorrect. the 'used' number counts the cache, as well.
1188184605 M * neuralis AStorm: (incorrect re: 484mb.)
1188184608 M * AStorm neuralis: I see ;P
1188184647 M * AStorm misread (have to drink some more _water_ I guess ;p )
1188184660 A * slack102 hits head
1188184700 M * AStorm that 39 MB is the "Active" amount I think
1188184708 M * AStorm so, the really used memory
1188184751 M * slack102 yes but
1188184789 M * slack102 my whole point was to say this sorry Bertl (openv*) would count the whole 484 as used ram vps's dont have cache it says cache is zero
1188184805 M * AStorm that's a bug IMO
1188184818 M * slack102 thats the way i had it setup
1188184820 M * AStorm unless they really want to virtualize VM cache - which I think is dumb like hell
1188184835 M * slack102 the way they fix that is to give burstable MEM
1188184851 M * AStorm it removes some interrelation between VMs, but I don't think that's worth it
1188184865 M * slack102 well now you know how it works
1188184891 M * AStorm and ballooning will remove that advantage
1188184907 M * slack102 cache is always 0 in the vps
1188184908 M * slack102 but
1188184910 M * AStorm (if burstable mem is that - I guess it is)
1188184914 M * slack102 on the host it will show it as cache
1188184919 M * AStorm weird
1188184935 M * AStorm they mangle pagecache then in a weirder way than I though
1188184937 M * AStorm *thought
1188184943 M * slack102 but in vps cache + w/e is always counted as used and thats a downside to it i think
1188184959 M * slack102 they also put the whole vps process table on the host
1188184972 M * AStorm as does VServer - but in another namespace
1188184983 M * AStorm (it did so, until that was disabled)
1188184988 M * slack102 ah
1188184995 M * slack102 well i know on the host i would do ps aux
1188185000 M * slack102 and there would be ALOT of stuff
1188185006 M * AStorm they are marked as VM processes - with the proper xid
1188185026 M * slack102 yea
1188185052 M * AStorm I hope VServer gets pid namespaces support soon, that will clean it up :-)
1188185054 M * slack102 not to mention there networking with is all borked and not to mention there slow and non existent dev team
1188185073 M * AStorm slack102: sure, that's why I don't use it
1188185089 M * AStorm their networking is worse than just TUN/TAP
1188185092 M * slack102 from the outside it looks better then vserver
1188185101 M * slack102 from the inside its horrible
1188185111 M * slack102 what about their memory usage way ?
1188185119 M * slack102 how does vserver split up mem ?
1188185135 M * AStorm it doesn't
1188185140 M * AStorm you use normal ulimits
1188185148 M * AStorm but per-vserver
1188185158 M * Bertl well, we do ulimits and rlimits per context
1188185176 M * Bertl and memory is accounted when explicitly allocated to a guest
1188185177 M * AStorm it isn't really "splitting up" :-)
1188185184 M * slack102 ah
1188185195 M * slack102 well again as you may know openvz has another way about going about it too
1188185216 M * AStorm yes, they probably do what Xen does - a real virtual memory space
1188185217 M * Bertl I know, and as usual, it adds quite some overhead
1188185243 M * Bertl especially the page tagging and shared page accounting does so
1188185255 M * AStorm yes, page tagging will be evil
1188185270 M * slack102 big bad openvz
1188185287 M * slack102 i would rather use xen then that thing
1188185294 M * slack102 it at least doesnt give false illusions
1188185303 M * AStorm yes, Xen should be just as fast as OpenVZ ;P
1188185318 M * AStorm if not faster
1188185323 M * slack102 they shouldnt even call openvz os virtualization
1188185336 M * slack102 and that FreeVPS that thing is a pos too i know its a fork of this
1188185344 M * slack102 but they ruined some aspects as well
1188185356 M * AStorm the only thing you lose is probably the ease of splitting up the filesystem
1188185359 M * Bertl freevps is quite an early branch/spinoff
1188185374 M * Bertl it doesn't share any code with recent Linux-VServer
1188185377 M * AStorm as each Xen VM requires its own partition - real or loop
1188185384 M * slack102 Bertl: i didnt know that
1188185399 M * slack102 AStorm: i hate that openvz thing
1188185401 M * slack102 and i hate
1188185406 M * slack102 virtuzzo with their crazy prices
1188185410 M * Bertl at least I would be surprised if it did (freevps)
1188185430 M * slack102 1,500 to host 5 vps's
1188185432 M * AStorm slack102: that's another whole OS ;p
1188185433 M * slack102 you crazy
1188185448 M * slack102 i ask them for prices
1188185453 M * slack102 please sign an nda
1188185464 M * slack102 then we will give you prices << wtf
1188185467 M * AStorm oh fun
1188185511 M * AStorm they probably thrive on ripping pointless CEOs
1188185519 M * AStorm *ripping off
1188185535 M * slack102 and they make you install their os
1188185547 M * slack102 it just seems to be to be a big huge mix up
1188185558 M * slack102 i would hate to see how the windows one runs
1188185567 M * AStorm well, I had some fun when Mozilla had problems with their VMWare Server EMX
1188185577 M * slack102 thats the only reason i would use it but knowing how they did the linux one thats prolly just as bad if not worse
1188185579 M * AStorm they use that to run tinderbox
1188185598 M * AStorm lost a lot of performance to some iSCSI change (like 200x slowdown) ;>
1188185623 M * AStorm fortunately, VMWare devs were very responsive (I guess they would be for the money mozilla pays to VMWare)
1188185624 M * Bertl let me state that once again: I really don't think neither OVZ nor Virtuozzo(tm) stuff belongs here, and I'd prefer to limit it to things like: 'OpenVZ has this really cool feature XY, and we think that would be a good addition to Linux-VServer because ....)
1188185626 M * slack102 yea well look like Linux Vserver is the clear winner
1188185642 M * slack102 btw Virtualmin support linux vserver now
1188185649 M * slack102 Bertl: if anything we were bashing it ;)
1188185659 M * slack102 dont let ANY feature come into linux vserver from openvz
1188185662 M * AStorm It is, people really miss such chroots, we need that in the mainline some day :-)
1188185667 M * slack102 their live migration is not so live either ;)
1188185810 M * AStorm though they probably won't accept unification as it is implemented now
1188185810 M * AStorm (if redone as slower xattrs, probably should go in)
1188185810 M * slack102 but i think i will use Xen never really used it though i think it supports windows as well
1188185810 M * AStorm slack102: Xen is heavier and more complex, and you'll lose easy unification. Other than that, it's a good choice too.
1188185810 M * slack102 dont have many choices for windows
1188185810 M * AStorm if you can live with a 2.6.18 host kernel (though security updated)
1188185810 M * slack102 ah maybe microsoft is best as virtualizing their own stuff :D ms virtual server looks appealing and free
1188185822 M * slack102 AStorm: i wouldn't use it for linux
1188185852 M * AStorm slack102: well, then you don't care about it that much
1188185873 M * AStorm and the discussion should take place elsewhere (not even related to Linux :> )
1188185910 M * Bertl slack102: Micro$oft and free? you must be on drugs :)
1188185920 M * slack102 it is
1188185922 M * AStorm M$ Virtual Server costs $$$
1188185926 M * slack102 poooo ?
1188185928 M * slack102 oo ?
1188185929 M * AStorm you need Windows Advanced Server
1188185935 M * slack102 sorry
1188185941 M * slack102 it said click here for free DL on their site
1188185949 M * AStorm yeah, sure
1188185955 M * AStorm so check it out :-)
1188185972 M * slack102 might be useful for windows clients
1188185972 M * Bertl slack102: please CC me when you write to the tooth fairy :)
1188185979 M * slack102 lol
1188185979 M * AStorm I think you'd get better performance out of Virtualbox though
1188185987 M * slack102 ooo ?
1188185996 M * AStorm or VMWare
1188185996 M * slack102 i am a Vbox fan tooo
1188186002 M * slack102 wtf?
1188186004 M * slack102 no?
1188186020 M * slack102 i think MS can make their own os run the best i would think ?
1188186028 M * AStorm not really
1188186045 M * AStorm unless they cheat and not virtualize, but only para-virtualize
1188186049 M * slack102 it sends native executions right to the processor like vbox as well or w/e
1188186064 M * AStorm so, they use SVM/VT
1188186073 M * slack102 im not up on the terms :D
1188186077 M * AStorm then VMWare and Virtualbox should be as fast
1188186084 M * slack102 i understand
1188186099 M * slack102 i dunno i know a guy with 20 people on a ms virtual server box
1188186100 M * AStorm (if not faster)
1188186103 M * AStorm and KVM should be as fast too
1188186110 M * slack102 i cant see that happening with vbox :P
1188186119 M * AStorm (it can run Windows too, hehe)
1188186126 M * slack102 again dont you think microsoft can make their own OS run the best ?
1188186133 M * Bertl folks! wrong channel, last warning ...
1188186141 M * AStorm if they paravirtualize it, then yep
1188186143 M * slack102 plus you get all the snazzy web ui's and desktop programs to control the vm's
1188186151 M * slack102 sorry
1188186158 M * AStorm Bertl: ok, EOT
1188186185 M * slack102 heh Bertl is still old school
1188186191 M * AStorm slack102: /msg me if you wish to continue
1188186203 M * AStorm or pick some other channel :>
1188186206 M * slack102 most irc channels as long as people are getting help and off topic doesnt turn into hate no one cares :P
1188186236 J * SkramX mark@phalse.2600.COM
1188186239 M * AStorm well, we're making an anti-advertisement ;p
1188186241 M * SkramX hi all
1188186251 M * slack102 yea
1188186251 M * AStorm hello
1188186260 M * slack102 as we say here Bom dia <
1188186260 M * SkramX uhmm... i start a vserver and it doesnt start but i get no errors either
1188186263 M * SkramX :(
1188186280 M * slack102 do you have a vserver kernel :P
1188186283 M * AStorm SkramX: did you start any service inside?
1188186297 M * AStorm SkramX: if you don't start any process inside it will just finish :>
1188186300 M * SkramX yes, i have other vserves running just fine
1188186305 M * AStorm start something, like cron
1188186312 M * SkramX how?
1188186317 M * SkramX and.. it should start sshd at boot
1188186321 M * SkramX i cant even enter it
1188186331 M * AStorm ah, should work, check if sshd is really started
1188186337 M * AStorm it seems like it isn't
1188186341 M * SkramX how do i do that?
1188186346 M * slack102 SkramX: what distro is it running inside ?
1188186349 M * SkramX gentoo
1188186388 M * AStorm SkramX: chroot and rc-update add sshd default
1188186398 M * slack102 doesnt it usually have a start up stuff SkramX ?
1188186418 M * slack102 AStorm: he should still be able to log in lol
1188186427 M * slack102 well if bash or w/e is there
1188186430 M * SkramX right
1188186435 M * SkramX it has always worked
1188186437 M * AStorm slack102: nope, if the vserver finished ;P
1188186445 M * SkramX http://pastie.caboo.se/91211
1188186450 M * AStorm SkramX: already done that?
1188186489 M * slack102 i can debootstrap a debian with not 1 thing installed on it except cron and bash the necessary stuff and i can enter it
1188186495 M * slack102 you dont need ssh to enter a vps ;)
1188186504 M * SkramX * sshd already installed in runlevel 'default'; skipping
1188186535 M * AStorm SkramX: you have a problem with net.lo then ;P
1188186536 M * slack102 re install it
1188186552 M * SkramX sorry.. how?
1188186560 M * slack102 stop delete
1188186566 M * slack102 create it again
1188186592 M * SkramX delete the whole vps or just configs?
1188186612 M * Bertl SkramX: make sure to have recent tools, everything there should be fine (forget about 'expert' tips)
1188186665 M * SkramX well
1188186669 M * Bertl SkramX: the RTNETLINK answers: File exists means that the tools try to assign IPs for your interfaces which are already there, for whatever reason
1188186677 M * SkramX 2.6.17.7-vs2.0.2-rc27
1188186683 M * Bertl ancient
1188186683 M * SkramX not up to date,i bet
1188186708 M * SkramX sigh
1188186710 M * Bertl we are at 2.2.0.3 atm (see topic)
1188186738 M * SkramX what should i do to resolve this then i can schedule some downtime
1188186759 M * Bertl the question is, why are the IPs already assigned
1188186768 M * SkramX hrmm
1188186773 M * Bertl could be for several reasons
1188186774 M * AStorm yes, that means a configuration problem
1188186790 M * SkramX nothing outside of the vps (on the host) was changed tho
1188186792 M * Bertl 1) your guest didn't really start (and left them configured)
1188186812 M * Bertl 2) the ips are host assigned, so the guest scripts cannot succeed
1188186825 M * SkramX the ips dont show as up in ifconfig
1188186840 M * Bertl ifconfig is _very_ ancient
1188186841 M * AStorm SkramX: they're aliases probably, use ifconfig -a
1188186845 M * Bertl use 'ip addr ls'
1188186850 M * AStorm or ip addr show
1188186864 M * SkramX ip addr ls doesnt show them either
1188186871 M * Bertl case 1) could be caused by not having any active service inside the guest
1188186872 M * AStorm so they're not there
1188186884 M * AStorm Bertl: ruled out already :-)
1188186899 M * Bertl AStorm: how so?
1188186911 M * AStorm he added sshd
1188186919 M * AStorm unless... that didn't start
1188186932 M * AStorm maybe it died trying to listen on a wrong IP
1188186936 M * SkramX i have no way of knowing
1188186941 M * SkramX i can try a different ip
1188186943 M * Bertl so I would do the start again, and check with vps auxwww
1188186947 M * SkramX i'll go do that
1188186947 M * SkramX ok
1188186947 M * AStorm SkramX: check the logs :>
1188186953 M * SkramX where
1188186959 M * SkramX on the host or guest
1188186961 M * AStorm SkramX: in the guest, duh
1188186966 M * SkramX ok
1188186978 M * Bertl if there isn't a process shown with vps, belonging to the context, it is not running/started
1188187059 M * Bertl also, a test start with 'vserver --debug vps034 start' would help
1188187059 M * SkramX Aug 26 22:45:16 phate shutdown[22185]: shutting down for system reboot
1188187060 M * SkramX Aug 26 22:45:16 phate init: Switching to runlevel: 6
1188187060 M * SkramX Aug 26 22:45:16 phate init: No inittab file found
1188187064 M * SkramX i shut down from the host
1188187071 M * SkramX well actually restarted from host
1188187074 M * SkramX and now it wont come back
1188187079 M * SkramX that's messages of the guest
1188187088 M * AStorm SkramX: so you're missing an inittab, heh
1188187109 M * SkramX how could it get deleted?
1188187112 M * Bertl which also means that the guest is in 'plain' init mode
1188187122 M * AStorm yes, which is wrong
1188187123 M * Bertl SkramX: from inside the guest, as root?
1188187135 M * SkramX Bertl: what do you mean
1188187140 M * SkramX i just catted it from the host
1188187151 M * SkramX vat /vserver/whatever/var/log/messages
1188187153 M * SkramX *cat
1188187175 M * Bertl SkramX: the inittab, could have been deleted from guest root
1188187187 M * SkramX ok
1188187197 M * SkramX i havent ever messed with inittab
1188187200 M * SkramX sigh
1188187200 M * Bertl try to switch to sysv init style
1188187211 M * AStorm or "gentoo" init style
1188187216 M * Bertl that should at least help your guest to startup
1188187225 M * SkramX uhmmm.. in /etc/vservers/name/something?
1188187229 M * Bertl AStorm: gentoo on a debian guest?
1188187239 M * SkramX gentoo guest on gentoo host
1188187259 M * Bertl ah, okay, then gentoo should be better indeed (with recent tools that is)
1188187275 M * SkramX so instead of plain, "gentoo" in apps/init/style?
1188187292 M * Bertl with util-vserver 0.30.213+
1188187296 M * SkramX init-style 'gentoo' is no longer supported; please use plain instead; aborting
1188187316 M * AStorm huh?
1188187339 M * SkramX i have 0.30.210-r17 it looks like
1188187348 M * SkramX can i upgrade to .213 with my current kernel version?
1188187349 M * AStorm olden
1188187362 M * AStorm I suggest upgrading the kernel first, but yes, it should work
1188187395 M * SkramX compiling 213
1188187427 M * AStorm Bertl: Gentoo on baselayout2 doesn't require special init style anymore
1188187430 M * AStorm should work on "sysv"
1188187442 M * Bertl okay, I'm off to bed now ... have fun! cya!
1188187446 M * SkramX crap
1188187446 M * AStorm bye
1188187449 N * Bertl Bertl_zZ
1188187449 M * SkramX thanks
1188187452 M * SkramX peace
1188187519 M * SkramX vcontext: execvp("/lib/rcscripts/sh/init-vserver.sh"): No such file or directory
1188187524 M * SkramX sigh
1188187525 M * SkramX ok
1188187558 M * AStorm SkramX: you installed by hand, didn't you?
1188187560 M * AStorm Copy the file then
1188187566 M * SkramX i used portage
1188187573 M * AStorm uh?
1188187579 M * AStorm not util-vserver?
1188187587 M * AStorm (to make the context)
1188187595 M * AStorm vserver build is the usual way
1188187599 M * SkramX # emerge -av util-vserver
1188187601 M * SkramX o
1188187617 M * slack102 Bertl_zZ: whats that xml rpc server again who made it the openvcp people ? or Hollow or something ?
1188187638 M * SkramX AStorm: sorry, what?
1188187661 M * AStorm SkramX: read "vserver help"
1188187677 M * AStorm and create the vserver correctly next time - will save you some hassle
1188187745 M * SkramX AStorm: i sort of need to fix this one vps before recreating it
1188187759 M * SkramX trying at least
1188187880 M * AStorm SkramX: so copy that file
1188187890 M * AStorm it should be in /usr/share/util-vserver
1188187924 M * SkramX no such folder
1188187935 M * AStorm uhm, /usr/lib/util-vserver, sorry :>
1188187951 M * AStorm subfolder distributions
1188187972 M * AStorm check /usr/lib/util-vserver/distributions/gentoo
1188187979 M * AStorm you'll need to copy init-vserver.sh
1188187989 M * SkramX oooo ok
1188188000 M * AStorm and reboot.sh and shutdown.sh to /etc/init.d of that vserver
1188188070 M * SkramX vcontext: execvp("/lib/rcscripts/sh/init-vserver.sh"): Permission denied
1188188072 M * SkramX yuck
1188188077 M * SkramX what does it need to be?
1188188084 M * SkramX i just cp'ed as root on the host
1188188120 M * AStorm SkramX: chmod +x it :P
1188188232 M * SkramX so i need to do this to all currently running vpses too?
1188188246 M * AStorm hmm, if they're running, no 1188188430 M * SkramX Error opening file /proc/kmsg for reading (Operation not permitted) 1188188435 M * SkramX from inside the host 1188188437 M * SkramX any idea? 1188188618 M * SkramX oh duh 1188188648 M * AStorm SkramX: vprocunhide 1188188649 M * AStorm you need it 1188188654 M * SkramX did it on the host 1188188667 M * AStorm should work on the guest too 1188188736 M * AStorm but then, you probably tried to mount /proc again 1188188750 M * AStorm and didn't mount /proc in the guest "vserver" fstab 1188188753 M * AStorm the one in the config 1188188840 M * AStorm in /etc/vservers 1188188843 M * SkramX i did gentoo as the init 1188188850 M * SkramX plain still doesnt work 1188188857 M * AStorm It won't. 1188188870 M * AStorm Not with baselayout-1 1188188872 M * SkramX so where is it telling it to mount /proc 1188189518 M * AStorm SkramX: it should be, the fstab in /etc/vservers should mount proc 1188191788 Q * AlanCox Ping timeout: 480 seconds 1188192205 M * daniel_hozac SkramX: you should remove that part of your syslog configuration. /proc/kmsg isn't available inside the guest. 1188192219 M * SkramX right 1188192224 M * SkramX got that earlier, thanks 1188192240 M * SkramX do i know you from somewhere else? freenode? 1188192256 M * daniel_hozac freenode is a very large network... 
1188192262 M * SkramX yeah 1188192264 M * SkramX nevermind 1188192293 M * daniel_hozac you've been here before though, and i'm always here :) 1188192304 M * SkramX alright then 1188195482 J * sharkjaw ~gab@158.36.44.106 1188195597 Q * Baby Remote host closed the connection 1188196020 N * DoberMann_ DoberMann 1188196218 Q * phreak``_ Quit: Reconnecting 1188196242 J * phreak`` ~phreak``@deimos.barfoo.org 1188196493 J * balbir ~balbir@59.145.136.1 1188196878 M * fb_ AStorm: a benefit of grsec is also you can limit processes user sees only to his own, when you have (v)server with shell access 1188196983 M * AStorm fb_: uh, then create more vservers instead ;P 1188197442 N * DoberMann DoberMann[PullA] 1188198666 M * matti Morning :) 1188198913 M * fb_ AStorm: vserver for every shell user? ;) 1188198924 M * daniel_hozac why not? 1188198928 M * AStorm yeah, it's cheap with unification 1188198934 M * fb_ and he would still see system processes 1188198942 M * daniel_hozac which system processes? 1188198942 M * AStorm no 1188198950 M * AStorm if you have privacy enabled 1188198955 M * AStorm not even w/o it 1188198956 M * AStorm :P 1188199006 M * fb_ not the *kernel* 1188199013 J * Baby ~miry@195.37.62.208 1188199020 M * AStorm fb_: ? 1188199037 M * AStorm no, it wouldn't be able to see other processes and kernel threads 1188199046 M * AStorm it wouldn't have the capability to do that 1188199085 M * fb_ AStorm: hm, how'd you limit /proc access without grsec? 
1188199105 M * AStorm normally, everything is hidden by default 1188199117 M * AStorm only internal processes are visible 1188199124 M * AStorm and what you vprocunhide 1188199132 M * AStorm (from the host) 1188199191 M * fb_ i'm not talking about host at all, i'm talking about processes inside vserver 1188199225 M * AStorm and I am too 1188199242 M * AStorm you can call vprocunhide only from host or sufficiently empowered context 1188199295 M * AStorm as I said, everything is hidden (except in-context processes and things unhidden) 1188199374 M * AStorm the context is also capability-reduced 1188199395 J * esa` ~esa@ip-87-238-2-45.adsl.cheapnet.it 1188199396 M * AStorm so it can't bypass these restrictions by default by querying the kernel directly 1188199398 Q * esa Ping timeout: 480 seconds 1188199409 M * fb_ but you still can see daemons running with this context 1188199418 M * AStorm within, yes 1188199422 M * fb_ httpd, ssh, ident... 1188199423 M * AStorm outside of it, now 1188199424 M * AStorm *no 1188199437 M * fb_ and i can hide them all with grsec 1188199445 M * AStorm what for? 1188199451 M * fb_ so the user can see ONLY his processes 1188199452 M * AStorm any intelligent attacker will look at files 1188199466 M * AStorm and vserver can see only its processes 1188199496 M * harry and address offsets of libs, loaded by binaries, which make it easier to "know" where certain methods in libs are located 1188199497 M * fb_ unless filesystem doesn't allow to look for them :) 1188199505 M * harry so exploitation is a piece of cake 1188199531 M * harry which... is randomizable in grsec + hide'able in grsec ;) 1188199549 M * AStorm harry: vserver won't be able to access that 1188199562 M * AStorm not enough capabilities 1188199566 M * harry AStorm: won't be able to access what? 1188199570 M * AStorm (unless you enable it) 1188199578 M * AStorm address offsets of all libs loaded in it 1188199583 M * AStorm it's much like user-ran app 1188199588 M * harry ahm...
why not? 1188199594 M * AStorm in a chroot, but strengthened 1188199610 M * fb_ AStorm: i agree that grsec for a server which runs only services and is administered only by trusted admins is pointless 1188199628 M * harry fb_: not entirely... 1188199638 M * AStorm mostly, yes, but not all 1188199639 M * fb_ but when you have not so trusted shell access 1188199651 M * fb_ ok, i should say mostly pointless 1188199655 M * AStorm fb_: you can only crack inside the vserver ;P 1188199656 M * harry if you run "services", and there is an exploit for it, it will be extremely hard to exploit if you have pax features enabled 1188199667 M * AStorm harry: pax != grsec 1188199671 M * AStorm it's separate :> 1188199673 M * harry AStorm: pax is part of grsec 1188199684 M * AStorm no, it's included in the grsecurity patch 1188199685 M * AStorm it's not the same 1188199685 M * harry there are 2 parts in grsec... a grsec part, and a pax part ;) 1188199694 M * AStorm sure 1188199700 M * harry AStorm: i know.. i maintain that stuff... 1188199706 M * AStorm and pie-randomization will be in kernel soon 1188199718 M * AStorm (some kind of, it's in -mm now) 1188199744 M * AStorm ASLR is pointless, as you can't see that in the context anyway 1188199747 M * AStorm lacking permissions 1188199759 M * harry aslr is NOT pointless 1188199764 M * AStorm /proc/mem will be hidden too 1188199776 M * AStorm and other such 1188199785 M * harry aslr is very useful ... you won't be able to do stack based overflows reliably in an aslr environment 1188199796 M * AStorm harry: nx and pie randomization 1188199798 M * harry remote exploitation is extremely hard 1188199808 M * harry AStorm: that's not in mainline kernel 1188199813 M * harry and not all binaries support PIE 1188199817 M * AStorm the only parts useful of pax is mprotect and trampoline protection 1188199817 M * AStorm harry: not yet 1188199836 M * fb_ AStorm: it's not.
1188199848 M * harry aslr is also extremely useful for preventing remote exploits 1188199854 M * AStorm e.g. 1188199857 M * harry they don't fix software, but exploitation is a bitch 1188199863 M * fb_ AStorm: rather the only part you find useful :) 1188199867 M * AStorm how it's better than nX? 1188199876 M * AStorm NX or XD 1188199887 M * AStorm which most modern CPUs have 1188199908 M * harry AStorm: aslr loads libs at different points too 1188199914 M * harry libs are mostly in executable space 1188199918 M * harry NX doesn't help you there 1188199919 M * AStorm that will be done by pie-randomization 1188199929 M * AStorm except that old ELF emulation 1188199930 M * harry AStorm: as said: there is no PIE for every binary 1188199935 M * harry there is no NX on all machines 1188199937 M * AStorm another mildly useful thing 1188199945 M * AStorm harry: sure 1188199951 M * harry so all you're saying is something that might happen in the next few years 1188199960 M * harry until then: grsec + pax still remain very useful 1188199961 M * AStorm PaX is the most useful part of grsec 1188199967 M * harry true 1188200096 M * AStorm pax, yes, grsec inside the vserver? why? 1188200096 M * harry grsec are just minor "patches" 1188200096 M * AStorm for filesystem hiding? 1188200096 Q * balbir Ping timeout: 480 seconds 1188200096 M * harry if you want your exploit to do execve call 1188200096 M * AStorm you should better factor out ELF relocation emulation out from grsec 1188200096 M * AStorm and send it to Morton 1188200096 M * harry you need to know where that call is in memory 1188200096 M * harry in /proc//maps, you can see where libc is loaded 1188200096 M * harry and you can calculate the offset of it 1188200096 M * AStorm if you can access it 1188200096 M * harry grsec has an option which hides it 1188200096 M * harry you can ALWAYS access that 1188200096 M * AStorm I'll check if it's accessible from context 1188200096 M * harry it has to be...
1188200096 M * fb_ AStorm: sure it is :) 1188200096 M * AStorm the only thing broken by an exploit will be the context only anyway 1188200096 M * harry how else can chdir, ... work 1188200096 M * AStorm but that's almost as good as the whole machine ;P 1188200097 M * harry AStorm: true 1188200109 M * harry but you don't want people to break security in your virtual machien 1188200110 M * harry machine 1188200113 M * AStorm (unless severely ulimited/rlimited) 1188200133 M * AStorm well, pie-randomization + that part of aslr hiding maps would suffice 1188200139 M * harry true 1188200143 M * harry and NX ;) 1188200146 M * AStorm I don't have any old ELF security-problematic programs 1188200152 M * AStorm yes, and NX, which I also have 1188200174 M * harry i consider the grsec/pax patches added to vserver useful 1188200180 M * AStorm maybe dump in stack protector too 1188200182 M * harry just because it 's a bitch to get exploits working on it 1188200193 M * harry and i don't trust users on my systems 1188200200 M * AStorm :-) 1188200200 M * harry i don't trust services on my systems 1188200211 M * harry so i want to make it as bitchin' hard as possible to get an exploit working 1188200222 M * harry scriptkiddies will give up easily 1188200228 M * AStorm oh, one thing from grsec that is mighty useful: logging 1188200230 M * harry those who REALLY want it, will get in anyway 1188200255 M * harry AStorm: if you're rooted, you can delete logs :) 1188200268 M * AStorm not if they're sent outside the context 1188200279 M * AStorm or to another machine 1188200314 M * fb_ AStorm: and you're right, experienced user will be able to break things sooner or later 1188200330 M * harry true 1188200342 M * harry you can break everything 1188200344 M * fb_ AStorm: but for someone who just wants to try latest exploit from bugtraq, it will not work 1188200346 M * harry even PIE 1188200354 M * AStorm can't wait for a port of Linux-VServer to 2.6.23 or CFS 1188200357 M * harry but it's
gonna be hard... and that's my point :0 1188200358 M * harry ;) 1188200389 M * AStorm my servers don't care, but the devel machine does 1188200434 M * AStorm harry: yeah, and much easier to set than SELinux or RSBAC 1188200465 M * AStorm it eludes me why it isn't included in the kernel proper, while that SELinux redhat junk is 1188200515 M * AStorm as for emulation: I forgot about exec-shield, which I think is in the mainline 1188200521 M * AStorm but is weaker than ASLR 1188200572 M * daniel_hozac SELinux was developed by NSA... 1188200587 M * AStorm ah, yes 1188200597 M * AStorm that doesn't make it any more trustworthy :P 1188200621 M * harry AStorm: the reason... pax features break broken software from time to time 1188200627 M * daniel_hozac trustworthy? 1188200638 M * harry like: X needs to access /dev/kmem directly 1188200640 M * daniel_hozac you know CFS was developed by Red Hat staff, right? 1188200652 M * AStorm harry: yeah, but that's optional 1188200654 M * harry which isn't allowed by some features etc.. 1188200658 M * AStorm daniel_hozac: Ingo Molnar, to be exact 1188200669 M * harry all is... but kernel people don't like things that can break stuff on your system 1188200673 M * AStorm harry: and in VServer usage, you either create a node, or don't 1188200681 M * AStorm harry: so don't make it a visible option 1188200690 M * AStorm server people will know how to enable it 1188200712 M * harry true, true... i don't see why they shouldn't put it in mainline kernel either, but hey...
1188200715 M * AStorm or disable by default and mark "if unsure and you use X, pick N" 1188200717 M * harry what can i do about it :0 1188200743 M * harry all those patches make exploitation harder, not impossible 1188200755 M * harry and it's only useful if you run "bad soft" 1188200758 M * AStorm hmm, writing better code and asking LKML about pie-randomization that went in to -mm 1188200761 M * harry which is never a good idea 1188200774 M * AStorm I'd check it, and propose getting more similar features in 1188200793 M * AStorm the "camel nose" technique 1188200827 M * AStorm you'd have to factor the patch 1188201054 M * harry i think the main developer of pax tried it enough... 1188201074 M * harry kernel devel is a bit "weird" on that matter 1188201139 M * AStorm stances change with time 1188201145 M * AStorm maybe it's time to try again 1188201150 M * AStorm as scheduler went in 1188201166 M * harry i'll propose it to pipacs... 1188201342 M * AStorm maybe goad Molnar into redoing the same thing as PAX once more ;p 1188201350 M * AStorm (as he and others did with exec-shield) 1188201458 M * AStorm though redhat won't support him as much 1188201487 M * AStorm they use SELinux now 1188201977 A * Supaplex sees it's 2am - time to crash 1188201987 A * friendly12345 feels that they must jump in an defend SElinux at some point 1188202135 M * AStorm who? 1188202145 M * AStorm anyone who really likes that mistake? ;p 1188202192 M * friendly12345 I think it would be good if vserver and SElinux could be run at the same time, but then again, I am insane 1188202331 M * AStorm it is possible, why not? 1188202501 M * friendly12345 probably possible, but I don't think you can run them both in a secure fashion due to interface issues. 1188203366 M * matti Hi harry 1188203366 M * harry hey matti 1188203366 M * harry how are things? 1188203409 J * pmenier ~pmenier@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr 1188203444 M * matti harry: Fine, and you? 
:) 1188203489 M * harry blah 1188203491 M * harry bad! 1188203498 M * matti Why bad? 1188203568 M * harry i don't feel all that well... 1188203577 M * harry its been over a year since i last had a decent holiday 1188204521 M * matti :/ 1188204527 M * matti Same here. 1188204539 M * matti And I am currently at work - and there is a bank holiday in UK. 1188205507 J * martijn ~martijn@senturparks.xs4all.nl 1188205607 J * arachnist arachnist@088156189068.who.vectranet.pl 1188206152 J * Pazzo ~ugelt@reserved-225136.rol.raiffeisen.net 1188206391 Q * martijn Read error: Connection reset by peer 1188206519 J * Loki|muh_ loki@satanix.de 1188206519 Q * Loki|muh Read error: Connection reset by peer 1188206529 N * Loki|muh_ Loki|muh 1188206530 Q * pmenier Ping timeout: 480 seconds 1188206840 Q * SkramX Ping timeout: 480 seconds 1188207613 M * toom_ hi 1188207624 M * toom_ do vs-2.3.0.17 + util-vserver-0.30.213 support IPv6 ? 1188207630 J * cehteh ~ct@pipapo.org 1188208220 J * jmcaricand ~root@d90-144-21-54.cust.tele2.fr 1188208237 Q * jmcaricand 1188208341 Q * arachnist Quit: Leaving 1188208492 M * harry toom_: normally: yes 1188208609 M * toom_ harry: I still have "naddress: vc_net_add(): Invalid argument" 1188208620 M * toom_ when I start my vserver 1188208713 M * toom_ /etc/vservers/vname/interfaces/1/ip contains 2001:[hidden]::2 1188208731 M * toom_ /etc/vservers/vname/interfaces/1/prefix contains 64 1188209016 M * harry toom_: i don't use IPv6 1188209021 M * toom_ :( 1188209023 M * harry so can't help you there 1188209030 M * harry daniel_hozac or so has experience with it 1188209454 M * daniel_hozac toom_: for 2.3, you need util-vserver 0.30.214. 1188209466 M * toom_ where can I download it ? 
1188209480 M * daniel_hozac http://people.linux-vserver.org/~dhozac/t/uv-testing/util-vserver-0.30.214-pre2590.tar.bz2 1188209491 M * toom_ thx 1188209818 J * pmenier ~pmenier@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr 1188210360 M * daniel_hozac actually, you probably want http://people.linux-vserver.org/~dhozac/t/uv-testing/util-vserver-0.30.214-pre2601.tar.bz2 :) 1188210373 J * meandtheshell ~markus@85-127-110-123.dynamic.xdsl-line.inode.at 1188210376 M * toom_ ok 1188210817 M * toom_ great ! it works 1188210818 M * toom_ thx 1188210885 M * toom_ hum ... I can't stop my vserver 1188210903 M * toom_ # vserver vname stop 1188210911 M * toom_ You must specify the tag with '--tag'; try '--help' for more information 1188210919 J * arachnist arachnist@088156189068.who.vectranet.pl 1188210964 M * toom_ bbl 1188211358 J * dreamind ~dreamind@p54A7838D.dip0.t-ipconnect.de 1188211393 N * dreamind Guest1977 1188211404 N * Guest1977 dreamind 1188211415 M * dreamind Hi 1188212708 J * arachnis1 arachnist@088156185052.who.vectranet.pl 1188213054 Q * arachnist Ping timeout: 480 seconds 1188213054 N * arachnis1 arachnist 1188214584 J * lilalinux ~plasma@dslb-084-058-195-109.pools.arcor-ip.net 1188214711 J * Piet ~piet@tor.noreply.org 1188214974 Q * Johnnie Ping timeout: 480 seconds 1188215509 Q * grobie Remote host closed the connection 1188215561 J * Johnnie ~jdlewis@c-67-163-142-234.hsd1.ct.comcast.net 1188216638 Q * lilalinux Remote host closed the connection 1188216697 Q * sharkjaw Quit: Leaving 1188216979 Q * pmenier Read error: Connection reset by peer 1188216983 M * toom_ what does the error "You must specify the tag with '--tag'; try '--help' for more information" mean ? It is displayed when I try to stop my vserver (vs-2.0.37 util-vserver-0.30.214-pre2601) 1188217010 M * daniel_hozac it means i kinda suck. 
1188217014 M * daniel_hozac http://people.linux-vserver.org/~dhozac/t/uv-testing/util-vserver-0.30.214-pre2602.tar.bz2 1188217083 M * toom_ ok I'll try it 1188217308 J * pmenier ~pmenier@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr 1188217433 M * toom_ daniel_hozac: it works now, thx 1188217471 M * daniel_hozac great, thank you. 1188218303 Q * AndrewLee Ping timeout: 480 seconds 1188218626 J * coderanger_ ~coderange@x-1-29.dynamic2.rpi.edu 1188218981 P * friendly12345 1188219748 J * Julius ~julius@p57B252D6.dip.t-dialin.net 1188219826 Q * Aiken Quit: Leaving 1188220515 J * maistk0 ~andrea@host149-124-dynamic.16-87-r.retail.telecomitalia.it 1188220975 Q * Julius Remote host closed the connection 1188221008 J * Julius ~julius@p57B252D6.dip.t-dialin.net 1188221319 Q * maistk0 Remote host closed the connection 1188222108 J * AndrewLee ~andrew@flat.iis.sinica.edu.tw 1188222573 Q * the-dude Remote host closed the connection 1188223443 J * the-dude ~martijn@senturparks.xs4all.nl 1188224256 J * yvonne ~chatzilla@vpn083.rz.uni-mannheim.de 1188225124 Q * ag- Ping timeout: 480 seconds 1188225170 J * ag- ~ag@fedaykin.roxor.cx 1188225214 N * Bertl_zZ Bertl 1188225232 M * Bertl morning folks! 1188225328 M * daniel_hozac morning Bertl! 1188225477 M * fb_ hello Bertl 1188226655 M * pmenier Hello Bertl 1188226681 Q * coderanger_ Quit: coderanger_ 1188227839 J * ensc ~irc-ensc@p54B4D9AD.dip.t-dialin.net 1188227950 Q * Guest1922 Ping timeout: 480 seconds 1188229014 J * McKillRoy ~kvirc@HSI-KBW-085-216-092-149.hsi.kabelbw.de 1188229024 M * Bertl welcome McKillRoy! 1188229031 M * McKillRoy hi 1188229051 M * McKillRoy Does anyone in here use 64bit Gentoo System? 1188229071 M * Bertl very likely ... what's the issue? 
1188229096 M * arachnist McKillRoy: i do 1188229136 M * McKillRoy I have problems to compile libvserver-2.0_rc1 1188229158 M * arachnist hmm 1188229169 M * arachnist seems that i haven't updated my box in quite a while 1188229181 M * McKillRoy :-) 1188229182 M * McKillRoy me too 1188229375 M * FaUl anyone here that owns a dl360-g5 or some other proliant with sas-hardware? 1188229605 M * FaUl or at least had his hand on one? i'd like to know how they changed the disk-slots (and the corresponding frames) - is it still rock-solid as on older proliant-sca-hardware? 1188229635 M * fb_ never had to replace one, FaUl 1188229706 M * FaUl fb_: at least you didn't try to put it out and in again? ;-) 1188229739 A * ard at least knows that the older disk-slot cages are not compatible with sata 1188229768 M * ard But I guess the only change that was needed was to shorten the bracket on one side 1188229800 M * fb_ nope ;) 1188230070 N * tokkee_ tokkee 1188230135 P * McKillRoy Time makes no sense 1188230190 Q * ntrs Ping timeout: 480 seconds 1188230294 M * slack102 how do i create a file system for a linux swap 1188230310 M * slack102 mkfs -t linux-swap /dev/sda(number) 1188230313 M * slack102 ? 1188230326 M * slack102 is linux-swap a file system type ?
1188230346 M * ard mkswap 1188230387 M * slack102 kk thanks 1188230391 M * slack102 also 1188230395 M * slack102 lets say i am installing php5 1188230402 M * slack102 it wants to bring in apache-common 1188230407 M * slack102 how do i make it not pull that in 1188230424 Q * Julius Remote host closed the connection 1188230506 M * slack102 oops sorry 1188230511 M * slack102 thought this was a debian channel 1188230512 M * slack102 ;) 1188230522 A * slack102 is using debian for the first time in a while 1188230527 M * slack102 and is lazy 1188230588 M * slack102 well not first time but dpkg is being very evil with this dependency stuff 1188230594 M * slack102 bbl 1188230595 P * slack102 1188230812 M * Bertl *sigh* 1188230869 J * ntrs ntrs@68-188-55-120.dhcp.stls.mo.charter.com 1188230948 M * ard :-) 1188231133 M * Bertl wb ntrs! 1188231255 M * eyck Bertl: what is the current political situation on vserver front? I saw people from openvz and IBM and some other folks are trying to merge their attempts with vserver 1188231276 M * eyck and IBM is trying to do exactly the same as vserver is doing now, sans the procfs virtualisation 1188231297 M * eyck If I understand this correctly 1188231312 M * Bertl hmm .. yeah ... that's reoughly it 1188231316 M * Bertl *roughly 1188231340 M * Bertl the thing is, for IBM, snapshoting is the important feature 1188231350 M * eyck snapshotting == checkpointing ? 1188231365 M * Bertl while SWsoft just wants to get mainline to maintain their kernel :) 1188231394 M * eyck good, so I'm with IBM :) 1188231442 M * Bertl then there is also Eric Biederman, who is trying to coordinate the efforts, and promised a proper network virtualization 1188231473 M * eyck FaUl: I've got dl360's running vserver 1188231485 M * FaUl eyck: g5? with sas? 1188231488 M * eyck yupp 1188231512 M * eyck haven't had the problems, but I haven't moved them to production yet. 1188231516 M * FaUl how have the harddisk-caves changed? 1188231535 M * eyck hmm, versus g4?
1188231545 M * FaUl the question is about the hardware only - i'd like whether the harddisk-stuff is still stable - that sucks on sun and ibm-hardware imho 1188231563 M * eyck what do you mean by stable? 1188231565 M * FaUl i hate if some moron can break it while changing harddisks ;-) 1188231584 M * FaUl physical - is it still that metal-stuff? 1188231587 M * eyck they're way better than sun shitty-tin-foil-disc enclosures 1188231601 M * eyck but they're not as heavy as old 3.5'' SCA stuff 1188231608 M * FaUl hm 1188231615 M * FaUl compared to ibm xserves? 1188231616 M * eyck but as far as SFF goes, they're solid. 1188231637 Q * transacid Remote host closed the connection 1188231638 M * eyck I have only seen older ibm xservers, no SAS 1188231652 M * eyck but xserves felt flimsy in comparison 1188231660 J * transacid ~transacid@transacid.de 1188231704 M * FaUl ok, thx 1188232613 Q * esa` Ping timeout: 480 seconds 1188233083 Q * dreamind Quit: dreamind 1188233142 N * virtuoso_ virtuoso 1188233321 J * Julius ~julius@p57B252D6.dip.t-dialin.net 1188233880 Q * pmenier Quit: pmenier 1188234050 J * esa ~esa@ip-87-238-2-45.adsl.cheapnet.it 1188234302 J * phedny ~mark@ip56538143.direct-adsl.nl 1188234913 J * duckx ~Duck@tox.dyndns.org 1188235159 N * DoberMann[PullA] DoberMann 1188235912 Q * Pazzo Quit: ... 1188237009 Q * Piet Quit: Piet 1188237171 M * yvonne hi 1188237173 J * Piet ~piet@tor.noreply.org 1188237213 M * yvonne is someone here who can help me a little bit with ssh on vserver? 1188237250 M * daniel_hozac what's the problem? 1188237443 M * yvonne my virtual server has a different ip, than the host, I told the host to listen only on its own one and now i would like to connect to the virtual one directly over its ip 1188237496 M * yvonne he authenticity of host 'myIP (myIP)' can't be established. 1188237498 M * yvonne RSA key fingerprint is 18:82:f3:64:fc:a9:f5:13:d4:46:99:8e:5c:ff:f3:57.
1188237499 M * yvonne Are you sure you want to continue connecting (yes/no)? 1188237501 M * yvonne Host key verification failed. 1188237529 M * daniel_hozac did you type yes as a response to that question? 1188237563 M * yvonne i´m afraid I also don´t have a passwd for the virtual server yet - how can I set a pw and in how far is that important to get ssh work? 1188237600 M * yvonne :-D 1188237606 M * daniel_hozac same as on any Linux-system, just use passwd. 1188237642 M * yvonne ok, but now it seems I am on the host, not on the virtual server 1188237681 M * daniel_hozac then you didn't restrict the host's sshd properly. 1188237720 M * yvonne oh, I restricted ssh_conf - was that wrong? 1188237738 M * daniel_hozac /etc/ssh/sshd_config 1188237906 M * yvonne now he asks for the pw direktly without that question before, but i´m again on the host 1188237919 M * yvonne ListenAddress hostIP 1188237939 M * yvonne this is what I added to ssh_config and sshd_config 1188237939 M * daniel_hozac and you _did_ restart sshd after changing that? 1188237958 M * yvonne oh, no 1188238288 M * yvonne Host key verification failed. :-/ 1188238315 M * yvonne can´t I simply have a password for this virtual server? 1188238327 Q * FireEgl Read error: Connection reset by peer 1188238494 M * yvonne any idea what to do? 1188238740 M * yvonne ok, I´m afraid, I have to finish here for today, I´ll try it again at home, it´s already great, that I can reach my server over ssh ;-) 1188238742 M * yvonne Thx for your help! 1188238743 M * yvonne Bye. 1188238825 Q * yvonne Quit: ChatZilla 0.9.78.1 [Firefox 1.5.0.12/2007073111] 1188239358 J * bonbons ~bonbons@2001:960:7ab:0:20b:5dff:fec7:6b33 1188240650 J * UukGoblin ~jaa@sr-fw1.router.uk.clara.net 1188240665 M * UukGoblin hello again 1188240679 M * daniel_hozac hi 1188240698 M * UukGoblin is there any capability to set to give a vserver guest access to /proc/net/rpc/* ? 1188240780 M * daniel_hozac no, you'll have to unhide that for all guests. 
1188240885 M * UukGoblin oh 1188240892 M * UukGoblin how can I do that? 1188240949 Q * Piet Ping timeout: 480 seconds 1188240970 M * daniel_hozac mkdir /etc/vservers/.defaults/apps/vprocunhide; cp /usr/lib*/util-vserver/defaults/vprocunhide-files /etc/vservers/.defaults/apps/vprocunhide/files; echo /proc/net/rpc/ >> /etc/vservers/.defaults/apps/vprocunhide/files 1188241047 M * UukGoblin wow cool thanks :-) 1188241087 M * UukGoblin I somehow feel that restarting all active vservers will be necessary? 1188241105 M * daniel_hozac no, just rerun vprocunhide. 1188241155 M * UukGoblin cool 1188241643 M * UukGoblin lovely, works 1188241652 M * UukGoblin and running vservers still can't see it.. :-] 1188241676 M * UukGoblin so, I deduce, if I want it for one vserver only, I start all the others first, then change the unhiding and start that one which needs to see it :-] 1188241835 Q * click Ping timeout: 480 seconds 1188241859 J * independence independen@80.252.175.45 1188241861 M * daniel_hozac no, it's a global setting. 1188241867 M * daniel_hozac it will affect all of your guests. 1188241921 M * UukGoblin ah, right. 1188241924 M * UukGoblin I wasn't root. 1188241926 M * UukGoblin oh well. 1188241927 M * independence I want my root user in my guest system to be able to manipulate his own ulimit, but I don't want all users to be able to do it.. If I add the capability SYS_RESOURCE the docs says ALL processes will get that capability, is that right? 1188241979 M * daniel_hozac root is the only one with capabilities by default. 1188242002 M * independence oh, okay 1188242003 M * eyck hmm, everyone can lower their own ulimits 1188242038 M * daniel_hozac yes. 1188242050 M * independence Do I have to restart the vserver for changes in ccapabilities to be reloaded? 1188242067 M * daniel_hozac SYS_RESOURCE is a bcap. 1188242072 M * daniel_hozac and yes. 
1188242080 M * daniel_hozac you could just set it with vattribute though 1188242162 M * independence hm, so I don't set SYS_RESOURCE in ccapabilites? 1188242162 M * daniel_hozac no. 1188242254 M * independence yay, it works :) Thanks! 1188242306 M * daniel_hozac you're welcome! 1188243036 M * UukGoblin hm, wonder if nfs4 in kernelspace has any right to work under a gues :-) 1188243039 M * UukGoblin guest* 1188243046 M * UukGoblin nfsservctl(0, 0x7fff27e81c20, 0) = -1 EPERM (Operation not permitted) 1188243089 M * UukGoblin oh, SYS_ADMIN seems to allow that 1188244391 J * Real_Magus ~ochykysh@195.160.234.1 1188244503 M * Real_Magus Hi, does anybody know what is the correct capability flag set to enable ioprio for a vserver guest? 1188244517 M * AStorm CAP_SYS_RAW I think 1188244547 M * AStorm sorry, CAP_SYS_ADMIN 1188244578 M * AStorm might have been factored into some VX capability, but I don't think so 1188244629 M * Real_Magus just a sec i'll check... 1188244651 M * AStorm hmm, no 1188244656 M * AStorm CAP_SYS_NICE 1188244659 M * AStorm that's the one 1188244669 M * AStorm CAP_SYS_ADMIN only for RT and IDLE ioprio classes 1188244794 J * coderanger_ ~coderange@ae-lally-green-30.dynamic2.rpi.edu 1188245016 M * Bertl nap attack .. back later ... 1188245022 N * Bertl Bertl_zZ 1188245025 M * Real_Magus CAP_SYS_ADMIN this should go into bcapabilities, right? 1188245069 M * AStorm Bertl_zZ: did you win against the nap? 1188245072 M * AStorm I guess not. 1188245135 M * Real_Magus Thanks AStorm, it worked. 1188245319 M * daniel_hozac note that giving a guest CAP_SYS_ADMIN isn't something you really want to do. 1188245366 M * Real_Magus yea I know... it's a investigation only task at first. 1188245446 M * Real_Magus Is there a chance that a capability or flag is created for this(ioprio) in the near future? 
1188245524 M * Real_Magus BTW: Daniel, thanks for all those fedora packages, our production cluster uses them, they are really handy :-) 1188245554 M * daniel_hozac i thought we already had an ioprio ccap. 1188245583 M * daniel_hozac but i can't find the delta now... 1188245658 M * daniel_hozac unfortunately, all of the Fedora packages are terribly out of date by now. 1188245658 M * daniel_hozac since FC6 is no longer available in the public CVS. 1188245693 M * daniel_hozac (and F7 is waiting for the 2.6.23 port) 1188245783 M * Real_Magus With fc4 in our cluster, they are just right :-) (You do not want to know what is running there, a colleague got banned for asking why doesn't the fc5 64bit vserver kernel run of centos 4 in this channel) 1188245854 M * daniel_hozac FC4 is... ancient. 1188245940 M * daniel_hozac so even if we did add a ccap for it, you wouldn't see it :) 1188246029 M * Real_Magus yep :-) But it works... An upgrade is currently impossible as the testing of the application is not yet complete on fc6.... Hmm..that could be a good reason to speed up the upgrade... :-) 1188246038 M * AStorm huh? 1188246063 M * AStorm how long could testing a single application on a system update take? 1188246082 M * AStorm it's a cluster, so it should be homogenous 1188246158 M * Real_Magus with a release every 1.5 month the 10 QA got their hands full, and we can't have a downtime longer than 5 hours per year, so it's being taken or very serious 1188246209 M * Real_Magus we got several staging clusters to handle the testing, currently it's in face 2(of 3) 1188246269 M * Real_Magus + there are a lot of support scripts in perl/python, some of them need to be rewritten 1188246442 M * Real_Magus OK, thanks for that chat..I better go ho it's 23/30 here in Ukraine. Bye 1188246503 P * Real_Magus 1188246503 M * AStorm 5h/y?
Quite a little 1188246507 M * AStorm hardware failures can eat more 1188246529 M * AStorm ah, he left 1188246659 M * AStorm unless they got rock solid networking, that's really hard to keep 1188246942 N * DoberMann DoberMann[ZZZzzz] 1188247075 J * doener ~doener@host.magicwars.de 1188247089 Q * doener 1188247104 J * doener ~doener@host.magicwars.de 1188248717 J * deavid deavid@84.120.105.136.dyn.user.ono.com 1188248849 J * slack102 ~Administr@cpe-65-31-3-247.insight.res.rr.com 1188248868 M * slack102 how does memory in vserver actually work hmm 1188248894 M * slack102 i mean backend wise trying ot find out 1188248906 M * slack102 does it just add up the pid's of that user 1188248907 M * slack102 hmm 1188249205 J * Aiken ~james@ppp121-45-255-55.lns2.bne4.internode.on.net 1188249212 Q * bonbons Quit: Leaving 1188249240 J * FireEgl FireEgl@Sebastian.Atlantica.CJB.Net 1188249303 J * martijn ~martijn@senturparks.xs4all.nl 1188249336 Q * the-dude Quit: Is that a kangeroo? 1188249451 J * the-dude ~martijn@senturparks.xs4all.nl 1188249963 Q * martijn Quit: Terminated with extreme prejudice - dircproxy 1.0.5 1188250713 M * AStorm slack102: check out how rlimits work first 1188250718 M * AStorm they're dead simple 1188250724 M * AStorm vserver does not manage memory at all! 1188250787 M * AStorm it just sums up process sizes etc. and adds its own check to the rlimit one 1188250832 M * slack102 yea i saw 1188250840 M * slack102 i see how it works now 1188251366 Q * coderanger_ Quit: coderanger_ 1188251972 J * coderanger_ ~coderange@taz-26.dynamic2.rpi.edu 1188252064 J * coderanger__ ~coderange@taz-26.dynamic2.rpi.edu 1188252065 Q * coderanger_ Read error: Connection reset by peer 1188252687 Q * deavid Remote host closed the connection 1188252740 Q * FireEgl Read error: Connection reset by peer 1188253642 J * FireEgl FireEgl@4.0.0.0.1.0.0.0.c.d.4.8.0.c.5.0.1.0.0.2.ip6.arpa 1188254513 Q * meandtheshell Quit: Leaving. 
1188254785 N * Bertl_zZ Bertl 1188254789 M * Bertl back now ... 1188254936 Q * coderanger__ Ping timeout: 480 seconds 1188255724 Q * Aiken Remote host closed the connection 1188255776 J * Aiken ~james@ppp121-45-255-55.lns2.bne4.internode.on.net 1188257915 J * julius_ ~julius@p57B255D7.dip.t-dialin.net 1188258131 J * luigi87 ~luigi87@ool-4571accf.dyn.optonline.net 1188258143 Q * luigi87 1188258340 Q * Julius Ping timeout: 480 seconds