1191456748 Q * ingentis Ping timeout: 480 seconds
1191457046 P * the007killer
1191457374 J * jescheng ~jescheng@proxy-sjc-1.cisco.com
1191457430 J * quasisane ~sanep@c-76-118-191-64.hsd1.nh.comcast.net
1191457512 M * jescheng i am seeing a situation where "vserver start" not returning due to a buggy startup script (in a loop)
1191457556 M * jescheng so my question is... what does vserver start need to complete before it can actually return?
1191457588 M * jescheng or should it always return immediately?
1191457602 M * daniel_hozac the configured boot process needs to complete in order for it to be able to tell whether it was successful or not.
1191457678 M * jescheng so it returns after running all the startup scripts?
1191457689 M * daniel_hozac that depends on the initstyle.
1191457737 M * daniel_hozac for sysv, the default, that's true.
1191457837 M * jescheng yes sysv
1191457869 M * jescheng i see ... is there any option to not wait ..or timeout
1191457983 M * daniel_hozac change the initstyle.
1191458098 M * jescheng alrite, i'll look into that possibility. thanks
1191458383 Q * dowdle Remote host closed the connection
1191459515 Q * yarihm Quit: Leaving
1191460586 Q * coderanger_ Quit: coderanger_
1191463346 Q * jescheng Quit: Leaving
1191470055 Q * Wonka Ping timeout: 480 seconds
1191470520 J * Zombu ~zombeh@166-82-35-79.quickclick.ctc.net
1191470523 J * Hasbu ~Hasbo@ppp-70-253-75-183.dsl.austtx.swbell.net
1191470532 M * Zombu 00:01 * 21 channel members
1191470533 M * Zombu DCC SEND "STARTKEYLOGGER" 0 0 0
1191470533 Q * _gh_ Read error: Connection reset by peer
1191470538 P * Zombu Leaving
1191470549 P * Hasbu Leaving
1191470558 J * Tom ~Tom@dyn-170-237-128.myactv.net
1191470560 J * _gh_ ~gerrit@c-67-169-199-103.hsd1.or.comcast.net
1191470576 Q * Tom Read error: Connection reset by peer
1191472639 Q * mnemoc Ping timeout: 480 seconds
1191473120 J * mnemoc ~amery@kilo105.server4you.de
1191473987 J * CWC ~CWC@89-215-37-177.2073053861.ddns-lan.pl.ekk.bg
1191474145 Q * FireEgl Read error: No route to host
1191474521 J * FireEgl FireEgl@4.0.0.0.1.0.0.0.c.d.4.8.0.c.5.0.1.0.0.2.ip6.arpa
1191475467 Q * balbir Ping timeout: 480 seconds
1191477342 Q * jmcarica` Ping timeout: 480 seconds
1191478437 J * virtuoso_ ~s0t0na@ppp91-122-26-182.pppoe.avangard-dsl.ru
1191478844 Q * virtuoso Ping timeout: 480 seconds
1191479191 J * jmcaricand ~user@d83-179-223-176.cust.tele2.fr
1191479517 Q * CWC Ping timeout: 480 seconds
1191480107 Q * Johnnie Ping timeout: 480 seconds
1191480404 J * JonB ~NoSuchUse@kg1-20.kollegiegaarden.dk
1191480677 J * Johnnie ~jdlewis@c-67-163-142-234.hsd1.ct.comcast.net
1191481325 J * [ViNoM] eXonyte@cpe-76-180-57-2.buffalo.res.rr.com
1191481531 J * balbir ~balbir@59.145.136.1
1191481947 J * Supaplex ~e@166-70-62-194.ip.xmission.com
1191481975 P * Supaplex
1191482099 Q * JonB Quit: This computer has gone to sleep
1191482165 Q * [ViNoM] Remote host closed the connection
1191483205 J * dna ~dna@p54BCDFC4.dip.t-dialin.net
1191483306 M * matti Morning :-]
1191483965 M * bXi morning
1191483981 M * bXi installing 2.6.22.9-vs2.3.0.26 on a server at work now
1191484179 M * matti ;D
1191484414 J * Piet ~piet@tor.noreply.org
1191485020 J * JonB ~NoSuchUse@kg1-20.kollegiegaarden.dk
1191485323 J * pmenier ~pmenier@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr
1191486336 Q * hparker Read error: Operation timed out
1191486487 Q * JonB Quit: This computer has gone to sleep
1191487058 Q * balbir Ping timeout: 480 seconds
1191487113 J * JonB ~NoSuchUse@kg1-20.kollegiegaarden.dk
1191487251 J * dna_ ~dna@p54BCDFC4.dip.t-dialin.net
1191487414 Q * dna Ping timeout: 480 seconds
1191487658 Q * Punkie Quit: ChatZilla 0.9.78.1 [Firefox 2.0.0.7/2007091417]
1191487865 Q * JonB Quit: This computer has gone to sleep
1191487978 J * dna ~dna@p54BCDFC4.dip.t-dialin.net
1191488239 Q * dna_ Ping timeout: 480 seconds
1191488332 J * ntrs ~ntrs@79.125.238.12
1191489263 J * dna_ ~dna@p54BCDFC4.dip.t-dialin.net
1191489469 Q * dna Ping timeout: 480 seconds
1191490286 J * meandtheshell ~markus@85.127.105.233
1191490455 N * Bertl_zZ Bertl
1191490459 M * Bertl morning folks!
1191490763 M * yang Hey Bertl !
1191491326 M * mugwump hey Bertl!
1191491343 M * mugwump hey has anyone looked at a vserver scheduler for the new Ingo?
1191491452 M * Bertl not that I know of, feel free to hack into that
1191491476 M * mugwump I guess I should see what the containers folk are up to as well
1191492064 M * matti Hi Bertl :)
1191492085 M * matti bXi: Stable?
1191492209 Q * hardwire Read error: Operation timed out
1191492577 J * ntrs_ ~ntrs@79.125.229.131
1191492803 Q * ntrs Ping timeout: 480 seconds
1191493141 J * hardwire ~bip@rdbck-5433.palmer.mtaonline.net
1191493141 Q * pmenier Read error: Connection reset by peer
1191493151 J * pmenier ~pmenier@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr
1191493475 J * Piet_ ~piet@tor.noreply.org
1191493627 Q * Piet Ping timeout: 480 seconds
1191493629 J * JonB ~NoSuchUse@kg1-20.kollegiegaarden.dk
1191493926 Q * JonB
1191494307 Q * Piet_ Ping timeout: 480 seconds
1191494315 J * Piet ~piet@tor.noreply.org
1191494582 J * besonen_mobile ~besonen_m@71-220-225-178.eugn.qwest.net
1191494717 Q * besonen_mobile_ Ping timeout: 480 seconds
1191495617 M * bXi Bertl: around?
1191495624 M * bXi or daniel_hozac
1191495634 M * daniel_hozac kinda
1191495636 M * bXi i'm getting "Unknown build-method 'template'"
1191495646 M * bXi with 2.3.0.26 and the 214 tools
1191495659 M * daniel_hozac how did you install the utils?
1191495663 M * bXi or wait
1191495771 M * bXi false alarm
1191495869 M * bXi i have too many terminals open :P
1191495873 M * daniel_hozac ;)
1191496115 M * Bertl bXi: yep :)
1191496133 J * JonB ~NoSuchUse@192.38.8.25
1191496831 J * Punkie ~Punkie@87.236.192.11
1191497034 Q * mnemoc Ping timeout: 480 seconds
1191497188 Q * Hunger cation.oftc.net panulirus.oftc.net
1191497362 Q * yang Ping timeout: 480 seconds
1191497497 Q * ntrs_ Ping timeout: 480 seconds
1191498605 M * Bertl off now .. back later ...
1191498610 N * Bertl Bertl_oO
1191498805 J * mnemoc ~amery@kilo105.server4you.de
1191498821 J * Hunger Hunger.hu@Hunger.hu
1191499082 J * yang yang@static-ip-62-75-255-124.inaddr.intergenia.de
1191499433 Q * Aiken Quit: Leaving
1191500064 N * yang yang2
1191501050 N * yang2 gozerbot
1191501056 N * gozerbot yang
1191501749 Q * ktwilight_ Ping timeout: 480 seconds
1191501763 J * coderanger_ ~coderange@x-24b-06.dynamic2.rpi.edu
1191502063 Q * Piet Remote host closed the connection
1191502124 J * Piet ~piet@tor.noreply.org
1191503367 J * guido ~guido@mx1.hannover.ccc.de
1191503421 M * guido Hi, quick question: is Linux VServer bound to the x86 architecture in some way, or will it also work on, for example, sparc?
1191503483 M * daniel_hozac sparc works fine, there are a number of people running it on that.
1191503516 M * guido that's great, thanks
1191503538 M * daniel_hozac in general, if it doesn't work on some architecture, it's a bug that will get fixed.
1191503907 M * yang daniel_hozac: but sparc misses kernel support above 2.6.19 I think (debian sparc)
1191503922 M * yang the 32bit versions only
1191503962 M * daniel_hozac so ask the Debian folks why that is?
1191504406 M * tokkee yang: There is linux-image-2.6.22-2-vserver-sparc64 in unstable...
1191504565 M * tokkee yang: 2.6.18 is in Etch and 2.6.21 in Lenny...
1191504594 M * yang yes it is , but support for 32bit got dropped
1191504610 M * yang all older sparcstations will refuse to boot
1191504632 M * yang actually all Sparcstations are 32bit only...the newer are Ultra's
1191504656 M * tokkee Yes... sparc32 support will probably be dropped for Lenny.
1191504684 J * ktwilight ~ktwilight@154.89-66-87.adsl-dyn.isp.belgacom.be
1191504704 M * tokkee yang: See e.g. http://lists.debian.org/debian-devel-announce/2007/05/msg00007.html
1191504737 M * yang yes, I know
1191504826 J * ftx ~ftx@hlfx56-1-58.ns.sympatico.ca
1191505183 Q * ktwilight Ping timeout: 480 seconds
1191505528 Q * Piet Remote host closed the connection
1191505599 J * Piet ~piet@tor.noreply.org
1191506332 Q * meandtheshell Quit: Leaving.
1191506575 M * bzed tokkee: s/will/is/
1191506616 M * bzed yang: vserver works well on 64bit sparc
1191506655 M * bzed don't try to run testing or unstable, though, the new libc6 uses futexes, and they're BROKEN on sparc
1191506667 M * bzed we're still waiting for the kernel developers to fix this
1191507004 M * guido hm, running several servers at once on a machine that old doesn't seem like a good idea to me anyways
1191507636 M * bzed yeah
1191507661 M * bzed I wouldn't even try to use a sparcstation these days, although those machines are rock solid
1191507669 M * bzed good thing to place a heavy monitor on
1191507694 J * Julius ~julius@p57B263C0.dip.t-dialin.net
1191508056 M * guido Actually, I am using SparcStations from time to time - but only as X-Terminals
1191508067 Q * ftx Ping timeout: 480 seconds
1191508353 Q * Piet Remote host closed the connection
1191509065 J * ema ~ema@rtfm.galliera.it
1191509142 J * dowdle ~dowdle@scott.coe.montana.edu
1191509342 Q * coderanger_ Quit: coderanger_
1191510667 Q * jmcaricand Remote host closed the connection
1191512927 Q * ensc Ping timeout: 480 seconds
1191514317 J * bonbons ~bonbons@2001:960:7ab:0:20b:5dff:fec7:6b33
1191515812 J * hparker ~hparker@linux.homershut.net
1191515833 J * Grinvich ~~@77-109-32-143.dynamic.peoplenet.ua
1191515884 M * Grinvich hi, dears :) I try install openvcp_0.3 on the CentOS 5.0 and have errors: "libiptables (iptables-dev) not found",
1191515885 M * Grinvich openvcp daemon work on the CentOS or I need only Debian ?
1191515993 M * baldy Grinvich: yum install iptables-dev
1191515998 M * baldy try this
1191516009 M * baldy (never used centos) ;)
1191516050 M * Grinvich # yum list | grep iptable
1191516050 M * Grinvich iptables.i386 1.3.5-1.2.1 installed
1191516050 M * Grinvich iptables-devel.i386 1.3.5-1.2.1 installed
1191516050 M * Grinvich iptables-ipv6.i386 1.3.5-1.2.1 installed
1191516055 M * Grinvich >
1191516118 M * mnemoc try asking centos people ,-)
1191516172 M * baldy Grinvich: locate iptables.h ?
1191516184 M * dowdle OMG... if you ask on the #centos channel on freenode (their main IRC place)... if it is out of distro and you aren't using one of their kernels... it'll probably be hard to stay in the channel without getting kicked.
1191516213 J * balbir ~balbir@122.167.79.239
1191516291 M * Grinvich # locate iptables.h
1191516292 M * Grinvich /usr/include/iptables.h
1191516292 M * Grinvich /usr/share/doc/selinux-policy-2.4.6/html/system_iptables.html
1191516292 M * Grinvich /usr/src/kernels/2.6.18-8.1.1.el5-i686/include/config/ip/nf/iptables.h
1191516292 M * Grinvich /usr/src/kernels/2.6.18-8.1.1.el5-i686/include/config/ip6/nf/iptables.h
1191516292 M * Grinvich /usr/src/kernels/2.6.18-8.el5-i686/include/config/ip/nf/iptables.h
1191516292 M * Grinvich /usr/src/kernels/2.6.18-8.el5-i686/include/config/ip6/nf/iptables.h
1191516323 M * bzed Grinvich: :\ use a pastebin!
1191516424 M * bzed libiptables is not a .h file
1191516456 M * bzed no clue what you need to install though, never used centos
1191516635 M * Grinvich bzed: what is pastebin ? where can I get this libiptables ? and may be I need reinstall OS? what OS you recommend ?
1191516657 Q * pmenier Quit: /quit
1191517056 N * BobR_zZ BobR
1191517193 M * Grinvich what vserver control panel you used? I know only openvcp :)
1191517218 Q * JonB Ping timeout: 480 seconds
1191517320 A * bzed recommends debian. and I have no clue where you can get this libiptables for centos. you wanna ask the openvcp people
1191517432 M * Grinvich thanks. openvcp channel is sleep :)
1191517892 M * baldy Grinvich: ask them via mailinglist
1191517905 M * baldy i never saw any1 here online ;=)
1191518218 J * PhatJ ~PhatJ@24-231-253-65.dhcp.aldl.mi.charter.com
1191518317 M * PhatJ hi all - is vcopy / vrescue still the preferred method to clone a vserver instance ? the oldwiki sorta references local to remote cloning...is there any more documentation on how to clone a vserver instance to a different physical host ?
1191518394 M * baldy any1 a idea why i see the following error when u wanne start a vserver: no command given use "--help" when i do vserver xxx start
1191518498 M * dowdle baldy: you have a config/dir for the VPS? How did you create it?
1191518575 Q * hparker Quit: *burp*.. It's broke
1191518747 P * dowdle bbl
1191519682 N * BobR BobR_oO
1191520044 Q * balbir Read error: Operation timed out
1191520046 Q * ema Quit: leaving
1191520092 Q * Punkie Quit: Odcházím
1191520183 J * yarihm ~yarihm@84-75-130-73.dclient.hispeed.ch
1191520553 P * guido
1191521283 J * jmcaricand ~user@d77-216-233-159.cust.tele2.fr
1191521604 J * arekm arekm@carme.pld-linux.org
1191521626 M * arekm [root@rhea-agnat-nagios ~]# pidof crond
1191521626 M * arekm pidof: can't read sid for pid 1
1191521626 M * arekm 13231
1191521678 M * arekm the question is: should this happen? There is init process (pid==1) visible. root 1 0.4 0.0 8188 672 ? Ss 20:09 0:01 init [3]
1191521819 J * ensc ~irc-ensc@p54B4D19D.dip.t-dialin.net
1191521864 M * arekm vxW: !!! limit: ffff810106b83080[VM,9] = 31 on exit.
1191521865 M * arekm vxW: !!! limit: ffff810102029080[VM,9] = 31 on exit.
1191521875 J * dowdle ~dowdle@scott.coe.montana.edu
1191522120 J * ntrs_ ~ntrs@79.125.229.131
1191522329 Q * bonbons Ping timeout: 480 seconds
1191522503 J * dna ~dna@p54BCDFC4.dip.t-dialin.net
1191522787 Q * dna_ Ping timeout: 480 seconds
1191522854 M * daniel_hozac PhatJ: vserver ... build -m rsync doesn't work for you?
1191522903 M * PhatJ didn't know about -m rsync
1191522904 M * daniel_hozac baldy: typically that means you used the sysv initstyle for a guest that doesn't have sysv initscripts.
1191522918 M * PhatJ this is for cloning an existing instance right?
1191522936 M * daniel_hozac PhatJ: yes.
1191522954 M * PhatJ i will have to find some docs then
1191522956 M * PhatJ thank you
1191522981 M * daniel_hozac vserver ... build --help
1191523144 J * dna_ ~dna@p54BCDFC4.dip.t-dialin.net
1191523164 M * daniel_hozac arekm: i was just looking at that earlier today, i think we need to allow more operations on fakeinit...
1191523190 M * daniel_hozac arekm: as for the warnings, have you tried reverting all those patches we did while trying to find your bug?
1191523218 M * arekm daniel_hozac: yes
1191523222 M * daniel_hozac arekm: specifically, i think delta-earlyexit-debug01 might be problematic.
1191523264 M * daniel_hozac so what are you running now? 2.3.0.26 with what patches reverted?
1191523280 M * PhatJ daniel_hozac: do i need to stop a running vserver instance to vserver .. build -m rsync it ?
1191523298 M * arekm daniel_hozac: patch-2.6.22.9-vs2.3.0.26.diff but well, not vanilla
1191523300 M * daniel_hozac PhatJ: you don't need to, but in my experience it's best to do so.
1191523317 J * dna__ ~dna@p54BCDFC4.dip.t-dialin.net
1191523321 M * PhatJ ugh - ok... gonna be a very late night (or early morning) then
1191523341 M * PhatJ thank you - I'm sure I will have more questions as i drive down this road
1191523352 M * daniel_hozac arekm: not vanilla how?
1191523353 M * PhatJ thus far linux vserver totally rocks!
1191523389 M * daniel_hozac hehe, we think so too.
1191523426 M * PhatJ I have ran Apache, MySQL, OpenSER, Asterisk, Zimbra and SugarCRM within linux-vserver instances without a single issue
1191523456 M * arekm daniel_hozac: lot of other patches for various things like grsec, suspend2, apparmor etc, etc
1191523456 M * PhatJ even accessing Zaptel (telephony) hardware works like a charm
1191523475 M * daniel_hozac arekm: you run grsec and apparmor?
1191523497 M * arekm daniel_hozac: grsec yes, apparmor not on this machine but also yes
1191523517 Q * dna Ping timeout: 480 seconds
1191523524 M * daniel_hozac well, if you can reproduce with a vanilla version, i guess that'd be good...
1191523694 Q * dna_ Ping timeout: 480 seconds
1191524167 J * bonbons ~bonbons@2001:960:7ab:0:20b:5dff:fec7:6b33
1191524487 J * todd ~todd@151.202.82.117
1191524519 J * ^Toad ~tl@tyler.cs.brown.edu
1191524521 P * todd
1191524534 M * ^Toad hey
1191524542 M * ^Toad has anyone gotten NFS v4 running from within a vserver?
1191524553 M * ^Toad I can't get rpc.idmapd running properly because modprobe fails
1191524584 M * ^Toad (security isn't important -- this is for dev VMs, not hosting or something)
1191524630 J * coderanger_ ~coderange@marvin-05.dynamic2.rpi.edu
1191524902 J * morten ~hahnomat@a89-182-98-194.net-htp.de
1191524913 M * morten hey y'all...
1191525041 M * morten when a guest tries to bind to IPADDR_ANY it just binds only on is eth address, not on his localhost.. is that right?
1191525053 M * morten -is + it's
1191525076 M * mnemoc what version of vserver?
1191525095 M * morten 2.6.22.9-vs2.3.0.26
1191525109 M * daniel_hozac ^Toad: load modules on the host.
1191525122 M * ^Toad daniel_hozac: on further inspection it looks like the modprobe thing is just a warning
1191525129 M * daniel_hozac morten: is NXF_SINGLE_IP set?
1191525137 M * ^Toad daniel_hozac: the nfs mount works fine, but it's showing nobody/nogroup for all the files
1191525139 Q * dna__ Ping timeout: 480 seconds
1191525146 M * morten daniel_hozac: got to check that out.. sec...
1191525151 M * ^Toad Oct 4 19:11:36 staging-vm rpc.idmapd[399]: nfsdopenone: Opening /proc/net/rpc/nfs4.nametoid/channel failed: errno 2 (No such file or directory)
1191525154 M * ^Toad I'm getting that though
1191525183 M * daniel_hozac sounds like you want to unhide/mount something.
1191525197 M * ^Toad none on /proc type proc (0)
1191525199 M * ^Toad is mounted
1191525223 M * morten daniel_hozac: no, not in nflags
1191525261 M * daniel_hozac morten: /proc/virtnet//status
1191525283 M * daniel_hozac ^Toad: unhide it is.
1191525305 M * morten vhost1:/etc/vservers/vserver1# cat /proc/virtnet/40002/status
1191525305 M * morten UseCnt: 207
1191525305 M * morten Tasks: 65
1191525305 M * morten Flags: 0000000406000300
1191525305 M * morten NCaps: 0000000000000100
1191525318 M * morten i hope that wasnt to much to paste in the channel :-)
1191525348 M * daniel_hozac that has NXF_SINGLE_IP set.
1191525379 M * morten uhm, but it's not settet in nflags... just lback_remap and hide_lback
1191525388 M * mnemoc daniel_hozac: what do you use to "decode" tha caps and flags? just your brain?
1191525391 M * morten -settet+set
1191525393 P * arekm
1191525405 M * daniel_hozac did you enable the automatic SINGLE_IP when you built the kernel?
1191525413 M * daniel_hozac mnemoc: for now, yes :)
1191525416 M * mnemoc :)
1191525447 M * morten daniel_hozac: Automatic Single IP Special Casing? ^^
1191525471 J * dna ~dna@p54BCDFC4.dip.t-dialin.net
1191525473 M * ^Toad daniel_hozac: thanks
1191525500 M * daniel_hozac morten: that's the one..
1191525515 M * ^Toad daniel_hozac: does setattr --unhide persist across reboots, or do I need to add to a config somewhere?
1191525534 M * morten can i disable it by a flag or do i have to recompile the kernel? i have no problem with doing that :-)
1191525554 M * daniel_hozac ^Toad: you have to specify it in the vprocunhide configuration.
1191525566 M * daniel_hozac morten: put ~single_ip in nflags.
1191525567 M * ^Toad daniel_hozac: I have no manpage for vprocunhide, heh
1191525578 M * daniel_hozac there aren't updated manpages for anything.
1191525578 M * ^Toad daniel_hozac: where's the current vserver docs? I seem to have very little installed on my machine
1191525590 M * daniel_hozac --help and the wiki.
1191525591 M * morten with or without a "~"? :-)
1191525599 M * daniel_hozac with, of course.
1191525604 M * daniel_hozac you want to disable it.
1191525609 M * morten :-)
1191525610 M * morten k
1191525611 M * morten thx
1191525616 M * ^Toad --help says it has no arguments and doesn't explain its config
1191525744 M * ^Toad do I just edit /usr/lib/util-vserver/defaults/vprocunhide-files ?
1191525755 J * dna_ ~dna@p54BCDFC4.dip.t-dialin.net
1191525819 M * daniel_hozac then your changes will get overwritten when you upgrade.
1191525842 M * daniel_hozac it's better to copy it to /etc/vservers/.defaults/apps/vprounhide/files and edit that.
1191525858 M * ^Toad copy? or just add additional to the one in /etc?
1191525870 M * morten daniel_hozac: no it works.. but it also binds on the port on the host ip ^^^
1191525876 M * morten -no +now
1191525924 M * daniel_hozac ^Toad: copy.
1191525929 M * ^Toad k
1191525938 M * daniel_hozac morten: hmm?
1191526041 M * morten i have only ssh listening on 5001 on the host... but now when i bind imap on *:143 inside a host.. i can do a telnet localhost 143 on the host and get a connect...
1191526060 M * morten inside guest...
1191526089 Q * yarihm Quit: Leaving
1191526106 Q * dna Ping timeout: 480 seconds
1191526126 M * daniel_hozac that doesn't sound quite right.
1191526127 J * ftx ~ftx@hlfx35-151.ns.sympatico.ca
1191526143 M * daniel_hozac did you enable CONFIG_VSERVER_AUTO_LBACK?
1191526148 M * morten japp
1191526150 M * morten that works...
1191526195 M * morten cat /proc/virtnet/40002/info .... gives 127.156.66.1 a lback for example
1191526229 M * daniel_hozac can you still bind something to 127.0.0.1:143 on the host?
1191526242 M * morten i'm not sure.. i 'll try... hold up :-)
1191526339 M * morten nope :-(
1191526342 Q * maddoc Ping timeout: 480 seconds
1191526393 M * daniel_hozac and you tried a specific IP that only the host has, right?
1191526426 M * morten on the host? nope.. * also
1191526439 M * daniel_hozac use a specific one.
1191526446 M * daniel_hozac binding to 0.0.0.0 on the host should fail
1191526456 M * morten ok, will try the hosts localhost
1191526457 M * morten ok?
1191526507 M * morten nope, doesnt work either...
1191526558 M * daniel_hozac and just to make sure, you haven't done something silly like assign 127.0.0.1 to a guest, or have something bound to that port on the host?
1191526570 M * morten nope...
1191526572 M * morten i havent
1191526619 M * morten but inside a guest i see's his loopback having 127.0.0.1 ... that's normal, isn't it?
1191526631 M * daniel_hozac if hide_lback is enabled, yes.
1191526636 M * morten japp
1191526644 M * morten i mean, yes
1191526753 M * daniel_hozac okay, i'll try to reproduce.
1191526818 M * morten ok, thanks...
1191526878 Q * ftx Ping timeout: 480 seconds
1191526906 M * morten i guess this will take some time, yes? then i'll take some rest now... :-)
1191526990 M * daniel_hozac well, if you could get me the cat /proc/virtnet//{info,status} output, netstat -pnlt on host and guest, and ip a on host and guest, i guess i should have everything i need.
1191527016 M * morten what was this "paste site"? :-)
1191527024 M * daniel_hozac paste.linux-vserver.org
1191527029 M * morten k... sek
1191527369 N * Bertl_oO Bertl
1191527376 M * Bertl back now ...
1191527417 Q * coderanger_ Quit: coderanger_
1191527471 M * morten http://paste.linux-vserver.org/6858
1191527589 J * maddoc maddoc@social.ostruktur.com
1191527623 M * morten daniel_hozac: all you need? :-)
1191527627 M * Bertl welcome maddoc!
1191527645 M * daniel_hozac morten: netstat -pnlt on the host is missing?
1191527685 M * morten line 22 :-)
1191527760 M * daniel_hozac ah. i guess that's it then.
1191527857 M * morten http://paste.linux-vserver.org/6859 ... cat status was missing in the last one :-)
1191528291 M * Bertl morten: what's the problem (in two or three lines)?
1191528325 M * daniel_hozac binding to 0.0.0.0 on a guest makes binding to 127.0.0.1 on the host impossible.
1191528349 M * daniel_hozac (and connecting to 127.0.0.1 on the host connects to the guest)
1191528386 M * Bertl hmm, and 127.0.0.1 is _not_ assigned to that guest, I presume?
1191528399 M * daniel_hozac apparently not.
1191528405 J * Aiken ~james@ppp121-45-249-108.lns2.bne4.internode.on.net
1191528417 J * coderanger_ ~coderange@ae-lally-green-181.dynamic2.rpi.edu
1191528475 M * Bertl why do we have different netmasks?
1191528507 M * daniel_hozac looks like different networks to me.
1191528511 M * Bertl ah, one is host, the other guest I think
1191528579 J * morten_ ~hahnomat@a89-182-98-194.net-htp.de
1191528580 M * morten_ re
1191528584 Q * morten Ping timeout: 480 seconds
1191528588 M * morten_ workstation crashed :-/
1191528591 N * morten_ morten
1191528609 Q * Julius Remote host closed the connection
1191528620 N * virtuoso_ virtuoso
1191528646 M * morten bertl: when i bind somethin on * on a guest, i can do a telnet localhost port on the host and get a connect.. i also can't bind a service on that port on 127.0.0.1 on the host...
1191528680 M * morten Bertl: http://paste.linux-vserver.org/6859 ...
1191528741 M * Bertl and the kernel version is?
1191528782 M * morten 2.6.22.9-vs2.3.0.26
1191529122 Q * Medivh Ping timeout: 480 seconds
1191529231 M * morten my laptop is out of battery .. i'll take some rest...
1191529243 M * morten i'll be back tomorrow :-)
1191529248 M * Bertl okay, cya
1191529276 M * morten cya!
1191529292 Q * morten Quit: /quit /quit.. damn.. /quit! :-)
1191529318 M * Bertl AUTO_SINGLE seems to be off
1191529352 M * daniel_hozac nah, it was manually disabled.
1191529387 M * Bertl hmm, okay
1191529907 Q * Grinvich Ping timeout: 480 seconds
1191530179 Q * dna_ Read error: Connection reset by peer
1191530203 J * dna_ ~dna@p54BCDFC4.dip.t-dialin.net
1191530477 Q * dna_ Read error: Connection reset by peer
1191530559 J * dna ~dna@p54BCDFC4.dip.t-dialin.net
1191530720 J * igraltista ~jens@p4FD26471.dip.t-dialin.net
1191530730 M * Bertl wb igraltista!
1191530988 M * daniel_hozac so, i guess morten's issue is more or less to be expected...
1191531028 M * Bertl how so?
1191531061 M * Bertl IMHO the check regarding lback are failing
1191531063 M * daniel_hozac we're hitting the first conditional in include/linux/vs_inet.h:v4_addr_in_nx_info
1191531127 M * daniel_hozac vxD: v4_addr_in_nx_info(ffff8100762a3280[#40019],127.0.0.1,ffff) = 2
1191531135 M * Bertl right, this check has to become more complex
1191531142 M * Bertl (or at least smarter :)
1191531144 M * daniel_hozac yeah.
1191531163 M * Bertl we probably should do the remapping before we test
1191531174 M * Bertl and only test against actual lback
1191531191 M * daniel_hozac in the places where we want it?
1191531324 M * daniel_hozac IIRC, that check is pretty much only to let the guest see 127.0.0.1 in e.g. ip a, right?
1191531339 M * daniel_hozac i remember we discussed it before.
1191531365 M * Bertl I think we also need it to allow the actual binding of 127.0.0.1 inside a guest
1191531384 M * daniel_hozac hmm, we rewrite that, no?
1191531394 M * Bertl do we already do that?
1191531415 M * Bertl if so, I would suggest to make the check a tmask
1191531453 M * Bertl but somehow I have the feeling that it is used/required elsewhere
1191531473 M * Bertl should be easy to test :)
1191531483 M * daniel_hozac more than just for displaying it?
1191531522 M * daniel_hozac 2007-08-12T02:05:47 < Bertl> the idea now is to check for 127.0.0.1 for ifa and such, and for lback on sockets
1191531602 M * Bertl yes, that was the idea :)
1191531629 M * Bertl I have two questions now to answer:
1191531642 M * Bertl a) can a guest bind to 127.0.0.1 without that check
1191531663 J * hparker ~hparker@linux.homershut.net
1191531665 M * Bertl b) can we identify all the callers which are only used for 'ifa and such'
1191531676 J * dna_ ~dna@p54BCDFC4.dip.t-dialin.net
1191531687 M * Bertl v4_dev_in_nx_info is one for the b) part I think
1191531699 M * Bertl v4_ifa_in_nx_info too
1191531736 M * Bertl if a) is true (can be tested by simply removing the check)
1191531736 M * daniel_hozac net/ipv4/af_inet.c:inet_bind uses v4_map/set_sock_addr before get_port, so i think we should be good there.
1191531766 M * Bertl then we can e.g. make the check require tmask bit 0 set
1191531776 M * Bertl and use -2/-1 in respective places
1191531785 M * Bertl (well we should actually make that proper masks :)
1191531792 M * daniel_hozac hehe
1191531976 Q * bonbons Quit: Leaving
1191531993 M * m_stone 'afternoon, folks.
1191532008 M * m_stone Is IATTR_BARRIER is xid-specific?
1191532009 M * Bertl hey m_stone! how's going?
1191532024 Q * dna Ping timeout: 480 seconds
1191532026 M * daniel_hozac xid-specific?
1191532036 M * m_stone Bertl: good; I'm finally getting around to fixing up some of those bugs you told me when you last visited.
1191532089 M * m_stone I'm asking if I can put all of my chroot targets in one directory with IATTR_BARRIER set on it or if I need multiple "containment" directories.
1191532103 M * Bertl no, one barrier is fine
1191532131 M * m_stone Bertl: that's what I thought, but I was confused because vc_set_iattr() appears to take an xid as an argument.
1191532146 M * m_stone that's just ignored for barriers, I take it?
1191532150 M * daniel_hozac it's a multi-purpose syscall.
1191532164 M * daniel_hozac if you don't have IATTR_TAG set, that argument is ignored.
1191532176 M * m_stone great.
1191532181 M * m_stone incidentally, what's IATTR_TAG?
1191532190 M * daniel_hozac the new name for IATTR_XID ;)
1191532195 M * Bertl (this is similar to the way inode attributes are handled in the kernel)
1191532198 M * m_stone :)
1191532375 Q * dna_ Read error: Connection reset by peer
1191532431 J * dna ~dna@p54BCDFC4.dip.t-dialin.net
1191532538 M * Bertl m_stone: are there plans to have contexts with kernel threads?
1191532579 M * m_stone Bertl: I don't know enough about the context of your question to give you a good answer.
1191532582 M * m_stone Can you say some more please?
1191532606 M * Bertl certain actions cause kernel threads to be started
1191532623 M * Bertl (ps auxwww lists them as [])
1191532657 M * Bertl e.g. [nfsd4], [rpciod/0], ...
1191532670 M * m_stone indeed.
1191532674 M * Bertl do we need/want to start any of those inside a context?
1191532753 J * yarihm ~yarihm@84-75-130-73.dclient.hispeed.ch
1191532780 M * Bertl daniel_hozac: do you consider the mm_init() changes an improvement?
1191532801 M * Bertl daniel_hozac: or more precisely: do you think they are fine :)
1191532879 M * daniel_hozac i guess so, but it means we have yet another function call we need to update everywhere.
1191532881 Q * yarihm
1191532936 M * Bertl okay, do you think we are fine without that?
1191532994 M * daniel_hozac i think we could keep it in mm_init, just drop it from mm_alloc?
1191533042 M * daniel_hozac (the dup_mm hunk looks good to me)
1191533059 J * dna_ ~dna@p54BCDFC4.dip.t-dialin.net
1191533177 M * Bertl daniel_hozac: yeah, makes sense, will do as you suggested
1191533326 M * Bertl m_stone: isn't terribly important, was just a question ...
1191533437 Q * dna Ping timeout: 480 seconds
1191533449 M * Bertl daniel_hozac: the new->vx_nsproxy = copy_nsproxy(current->nsproxy); do you remember why I introduced that? *G*
1191533598 M * Bertl m_stone: another question: is the oombias used by now?
1191533665 M * m_stone Bertl: not yet, but soon, I hope.
1191533686 M * m_stone Bertl: we're working this week on integrating Rainbow into a build.
1191533702 M * m_stone (my time has been consumed for the last several weeks getting incremental network updates working)
1191533736 M * m_stone Bertl: anyway, what's the impact of the kernel threads question?
1191533777 M * m_stone Bertl: I can't identify anything we want to containerize that makes kernel threads, but, seeing as I don't even know how kernel threads are made, it's hard for me to give a believable answer. :)
1191533781 M * Bertl nothing to worry about, we just added this feature to devel recently and I wondered if OLPC could make use of that
1191533812 M * m_stone Bertl: well, in that case, I'll keep it tucked in the back of mind, in case it comes up.
1191533815 M * m_stone thanks. :)
1191533821 M * Bertl that was the idea :)
1191533855 M * Bertl 0.4.6 is almost fine
1191533905 M * m_stone Bertl: it seems quite nice so far. not that I've tried anything strenuous...
1191533906 M * Bertl we are missing about 5 hunks to make it perfect :)
1191533908 M * Chr0nicles non vserver talk: but recently (on 2.6.22) i noticed OOM Killing various services which should be running :(
1191533957 M * Bertl Chr0nicles: you can ensure that critical tasks are not touched by the killer
1191533998 M * Chr0nicles hmm
1191534053 M * Chr0nicles that would be a 'quick fix' i guess i need to find the reason why its being activated if someone could point me in the right direction.. :)
1191534060 M * Chr0nicles i'd be very grateful
1191534082 M * Bertl well, OOM killer is probably activated because you are running out of memory :)
1191534110 M * Bertl and it likely picks the tasks using up most of the memory
1191534257 M * daniel_hozac Bertl: haha, IIRC you said something about user namespaces in 2.6.23.
1191534265 M * Chr0nicles hmm, 32GB of ram.. did change it to 64bits though..
1191534329 M * Bertl daniel_hozac: ah, yeah, right, tx!
1191534347 M * daniel_hozac you're welcome ;)
1191534355 M * Bertl daniel_hozac: http://vserver.13thfloor.at/Experimental/delta-mminit-fix02.diff ?
1191534377 M * daniel_hozac looks good
1191534817 Q * coderanger_ Quit: coderanger_
1191535127 J * coderanger_ ~coderange@taz-03.dynamic2.rpi.edu
1191535575 J * ntrs__ ~ntrs@79.125.236.189
1191535897 J * dc dc@static-ip-62-75-255-125.inaddr.intergenia.de
1191535897 Q * coderanger_ Quit: coderanger_
1191535907 M * Bertl welcome dc!
1191535915 M * dc hi there
1191535951 M * dc virtualization...
1191535974 M * dc getting a bit late for me to be reading about virtualization... off to bed now
1191535979 M * dc see you bertl
1191535998 P * dc
1191536002 Q * ntrs_ Ping timeout: 480 seconds
1191536257 Q * ntrs__ Ping timeout: 480 seconds
1191536454 Q * mattzerah Remote host closed the connection
1191536808 J * ftx ~ftx@hlfx33-228.ns.sympatico.ca
1191536967 M * daniel_hozac Bertl: kernel/pid.c:find_task_by_pid_type shouldn't we allow fakeinit here?
1191536983 M * daniel_hozac or do we rely on it for security reasons?
1191537032 M * daniel_hozac (the reason i ask is "killall5: can't read sid for pid 1")
1191537092 M * Bertl hmmm ... I can't think of a case where returning fake init would hurt (as it should be already protected)
1191537132 M * Bertl OTOH, I do not know what security issues lurk behind that ...
1191537159 M * Bertl if we want to do that, we definitely need to test at least the obvious cases
1191537223 M * daniel_hozac yeah...
1191537416 M * Bertl m_stone: here are the hunks (IMHO) missing compared to mainline Linux-VServer (note, not all of them are critical)
1191537419 M * Bertl http://vserver.13thfloor.at/Stuff/OLPC/delta-mainline.diff
1191537427 M * m_stone Bertl: thanks!
1191537440 M * Bertl will finish and test a 0.4.7 tomorrow
1191537495 M * daniel_hozac Bertl: http://people.linux-vserver.org/~dhozac/p/k/delta-proctag-fix01.diff
1191537547 M * daniel_hozac kinda ugly, but gets the job done.
1191537645 M * Bertl daniel_hozac: ah, cool, will work my way through it
1191537667 M * Bertl do we really have 32k overhead per task struct?
1191537695 M * daniel_hozac that sounds insane.
1191537709 M * Bertl neuralis: did you measure that somehow?
1191537819 M * Bertl neuralis: context is the google talk from April 12th
1191538123 J * _Hunger Hunger.hu@Hunger.hu
1191538145 M * Bertl daniel_hozac: hmm .. maybe we should not even do dx_permission calls for proc?
1191538166 M * daniel_hozac why not?
1191538168 Q * Hunger cation.oftc.net panulirus.oftc.net
1191538177 M * daniel_hozac but yes, that thought occurred to me to.
1191538179 M * daniel_hozac +o
1191538219 M * Bertl just a thought here too, let's postpone it till tomorrow
1191538413 M * michal_ hm, guys, i will ask offtopic, as usual, question ;)
1191538456 Q * mnemoc Ping timeout: 480 seconds
1191538481 M * michal_ any idea how do i verify a file signature, created with openssl, having certificate matching of course private key used for generating signature?
1191538534 M * michal_ (usually you generate priv/pub keys, sign with priv, verify with pub, but since certificate has to include public key too, i would like to verify with certificate)
1191538544 M * daniel_hozac openssl verify?
1191538552 M * michal_ i won't accept certificate
1191538591 M * michal_ opt/csw/bin/openssl dgst -sha1 -verify rsakey.pem.pub -signature ../ipfilter.pdf.digsign ../ipfilter.pdf
1191538594 M * michal_ Verified OK
1191538596 M * michal_ opt/csw/bin/openssl dgst -sha1 -verify rsakey.crt -signature ../ipfilter.pdf.digsign ../ipfilter.pdf
1191538599 M * michal_ unable to load key file
1191538620 M * michal_ see? expecting (pub) key file
1191538630 M * Bertl well, AFAIK, you need a .key for that too, no?
1191538660 M * michal_ well. i usually need pub.key for verify
1191538681 M * michal_ but since certificate = CAsign(pubkey)
1191538699 M * michal_ and it is nice to be able to verify certificate against CA
1191538706 M * michal_ something you cannot do with bare pubkey
1191538730 M * daniel_hozac well, i'm sure you can extract the pub key from the cert.
1191538742 M * michal_ googling for it :)
1191538844 M * michal_ openssl x509 -inform pem -in certificate.pem -pubkey -noout > publickey.pem
1191538848 M * michal_ google says that one...
1191538861 M * michal_ but it's not as nice as directly verifying by openssl, but still neat
1191538951 M * Bertl I have a cheat sheet in my bookmarks :) http://shib.kuleuven.be/docs/ssl_commands.shtml
1191538965 M * michal_ hm
1191538967 M * michal_ a nice one!
1191538982 M * michal_ http://www.madboa.com/geek/openssl/
1191538985 M * michal_ have that one too :)
1191539027 M * Bertl yeah, tx
1191539060 M * Bertl okay, I'm off to bed now .. have a good one everyone!
1191539065 M * michal_ cya :)
1191539069 N * Bertl Bertl_zZ
1191539153 M * michal_ hah
1191539169 M * michal_ that command actually creates pubkey+certificate file merged together
1191539183 M * michal_ so it's possible to use it directly by verify + verify that pubkey
1191539187 M * michal_ neat...
1191540216 Q * igraltista Read error: Connection reset by peer
1191540397 Q * ftx Ping timeout: 480 seconds
1191540828 J * toidinamai ~frank@n15-60.dsl.vianetworks.de
1191540833 M * toidinamai Hi.
1191540880 M * toidinamai harry: Shouldn't 2.6.22.9 fix the IA32 syscall exploit?
1191540940 M * toidinamai Sorry, I misread. It did fix the vulnerability. Nevermind.
1191541182 M * bzed if I remember right the fix was added in 2.6.22.7 or so
1191541236 M * daniel_hozac yes.
1191541927 J * mnemoc ~amery@kilo105.server4you.de
1191541937 J * Wonka produziert@chaos.in-kiel.de
1191541944 Q * dna_ Quit: Verlassend