1202688073 Q * meebey Remote host closed the connection
1202688112 Q * jescheng Remote host closed the connection
1202688125 J * jescheng ~jescheng@proxy-sjc-2.cisco.com
1202688709 J * meebey meebey@booster.qnetp.net
1202689608 J * Linus ~nuhks@bl7-151-206.dsl.telepac.pt
1202693192 J * quasisane ~sanep@c-76-118-191-64.hsd1.nh.comcast.net
1202695737 Q * Supaplex Read error: Connection reset by peer
1202695741 J * Supaplex supaplex@166-70-62-194.ip.xmission.com
1202696324 Q * dowdle Remote host closed the connection
1202696920 M * cehteh does linux-vserver have a git repository?
1202697161 M * cehteh http://git.linux-vserver.org/cgi-bin/gitweb.cgi
1202697163 M * cehteh duh!
1202697587 M * Supaplex yea, but you have to have the internet too.
1202698120 Q * the-me Ping timeout: 480 seconds
1202698254 J * Patrick Patrick@Linux-Dev.org
1202700059 J * jsirucka ~jsirucka@220-245-131-131.static.tpgi.com.au
1202700072 N * jsirucka yaboo
1202700792 J * FireEgl FireEgl@Sebastian.Atlantica.CJB.Net
1202701419 Q * chotchki Quit: Konversation terminated!
1202703497 Q * FireEgl Quit: Leaving...
1202703552 J * FireEgl Proteus@adsl-147-90-184.bhm.bellsouth.net
1202704285 J * aj_ ~aj@e180202189.adsl.alicedsl.de
1202704605 J * doener_ ~doener@i577BAB6B.versanet.de
1202704672 Q * derjohn_mobil Ping timeout: 480 seconds
1202705021 Q * doener Ping timeout: 480 seconds
1202706941 J * fatgoose ~samuel@bas5-quebec14-1177836757.dsl.bell.ca
1202707337 M * cehteh kernel/vserver/legacy.c: In function 'vx_set_initpid':
1202707337 M * cehteh kernel/vserver/legacy.c:31: error: implicit declaration of function 'find_task_by_real_pid'
1202707337 M * cehteh kernel/vserver/legacy.c:31: warning: assignment makes pointer from integer without a cast
1202707886 J * Mooo ~troy@shells195.pinchaser.com
1202709032 J * Infinito ~argos@201-10-156-220.gnace701.dsl.brasiltelecom.net.br
1202709508 J * DLange ~dlange@p57A31555.dip0.t-ipconnect.de
1202709601 Q * jescheng Remote host closed the connection
1202709619 J * jescheng ~jescheng@proxy-sjc-2.cisco.com
1202710431 Q * fatgoose Quit: fatgoose
1202710878 J * dreamind ~dreamind@C2107.campino.wh.tu-darmstadt.de
1202710914 N * dreamind Guest1120
1202710994 N * Guest1120 dreamind
1202711297 J * balbir ~balbir@59.145.136.1
1202711788 N * Patrick the-me
1202712173 Q * Infinito Quit: Leaving
1202712920 J * pisco ~pisco@tor.noreply.org
1202713156 Q * Slydder Remote host closed the connection
1202713425 Q * quasisane Read error: Connection reset by peer
1202713457 J * Slydder ~chuck@194.59.17.53
1202713525 M * Slydder morning all
1202713543 J * larsivi ~larsivi@144.84-48-50.nextgentel.com
1202713818 J * JonB ~NoSuchUse@77.75.164.169
1202714216 Q * DLange Quit: Bye, bye. Hasta luego.
1202714673 Q * CyberMonk Remote host closed the connection
1202714742 Q * FireEgl Quit: Leaving...
1202714755 J * FireEgl Proteus@adsl-147-90-184.bhm.bellsouth.net
1202715685 M * cehteh derjohn: ping
1202716325 M * maddoc Guy-: A friend of mine made it work on 64-bit, he just needed to change the shellcode.
1202716651 J * _bjh_ ~bjh@84.112.154.154
1202716699 Q * FireEgl Quit: Leaving...
1202716992 Q * dreamind Quit: dreamind
1202717083 N * enkahel__ enkahel_
1202717361 J * harry ~harry@d54C363EF.access.telenet.be
1202718732 Q * JonB Ping timeout: 480 seconds
1202719259 N * DoberMann[ZZZzzz] DoberMann
1202719330 J * gebura ~gebura@77.192.186.197
1202719402 M * gebura hi
1202719448 J * JonB ~NoSuchUse@77.75.164.169
1202719535 Q * aj_ Remote host closed the connection
1202719623 J * ema ~ema@rtfm.galliera.it
1202719961 J * derjohn_mobil ~aj@e180202189.adsl.alicedsl.de
1202720019 J * awk ~awk@security.web.za
1202720021 M * awk hello
1202720295 Q * balbir Read error: Connection reset by peer
1202720878 J * virtuoso ~s0t0na@host-207-145-66-217.spbmts.ru
1202720947 P * virtuoso
1202721024 M * yaboo ok seems have port conflicts between the host and the vserver
1202721042 M * yaboo how can I make the server and host have seperate ports
1202721066 M * arachnist make sure nothing on host listens on "0" ip
1202721110 M * yaboo on the server port 0 out of range
1202721158 M * arachnist eh, i mean, make sure nothing on the host listens on all interfaces
1202721194 M * yaboo arachnist, the server and host share eth1
1202721205 M * yaboo they have different ip's
1202721400 M * cehteh i made a hack once ... its somewhere on the wiki
1202721401 M * cehteh moment
1202721440 M * yaboo is host and server supposed to have there own dedicated interface?
1202721489 Q * giovanni_ Quit: Konversation terminated!
1202721629 M * cehteh seems to be lost somehow
1202721642 M * yaboo ok
1202721648 M * cehteh basically it chbind's the host server as well
1202721656 M * cehteh hacked into /etc/inittab
1202721855 M * yaboo oh ok, not sure
1202721858 M * yaboo what you mean
1202721879 M * cehteh hah
1202721883 M * cehteh http://www.pipapo.org/pipawiki/Vserver/vinit
1202721888 M * cehteh have it on my own server :(
1202721890 M * cehteh :)
1202721897 M * yaboo ok
1202721948 M * cehteh # cat /sbin/vinit
1202721949 M * cehteh #!/bin/sh
1202721949 M * cehteh exec /sbin/chbind --ip 10.20.20.10/16 --bcast 10.20.255.255 -- /sbin/init $@
1202722030 M * yaboo need to create a vinit cehterh
1202722034 M * cehteh yes
1202722041 M * yaboo ok
1202722077 M * cehteh well you can also do that for single services in the correspondening /etc/init.d scripts .. whatever you like
1202722151 M * yaboo got one server with one vserver
1202722237 M * cehteh thats just to chbind the host server
1202722259 M * yaboo oh
1202722278 M * yaboo seriously do I need one interface to a server
1202722348 M * cehteh you had ports clashing .. so you need at least dedicated ip's for the same service
1202722358 M * cehteh or move ports
1202722367 M * yaboo yeah got dedicated ip's, but ports are still clashing
1202722377 M * yaboo e.g. port 80 on both clash
1202722419 M * cehteh the host is not chbind'ed by default when you start a server there listening at 0.0.0.0 it wil clash with guests
1202722440 M * yaboo hmmm
1202722445 M * cehteh so you either need to configure servers in the host not to listen on 0.0.0.0 or you need to do the chbind trick as above
1202722474 M * cehteh later is tricky to setup but works for all services and doesnt need per service configuration
1202722495 J * ftx ~ftx@dslb-084-060-244-160.pools.arcor-ip.net
1202722496 M * cehteh but well ... what besides ssh do you need to run on the host :)
1202722512 M * yaboo yeah need to apps i guess to specific ip's
1202722555 M * cehteh vservers should be chbinded when you set them up correctly
1202722570 M * cehteh the only cause of a clash can be the host server
1202722592 M * yaboo yeah so something not being setup correclty
1202722618 M * cehteh and hornestly .. i would only run ssh on a host server nothing else .. and that maybe on a hidden port and listening to a dedicated ip
1202722693 M * yaboo yeah setup ssh as the site stated, but whern I ssh still goes to the server
1202722735 J * dna ~dna@36-206-dsl.kielnet.net
1202723002 Q * Hunger Ping timeout: 480 seconds
1202723114 Q * mick_work Ping timeout: 480 seconds
1202723745 Q * JonB Quit: This computer has gone to sleep
1202723765 J * Homere ~homere@alf94-16-88-177-172-146.fbx.proxad.net
1202723777 M * Homere hello
1202723785 J * mick_work ~clamwin@adsl-068-157-089-099.sip.bct.bellsouth.net
1202723798 M * Homere looking for patch against local root exploit
1202723811 M * Homere today is reboot day :)
1202723878 Q * derjohn_mobil Ping timeout: 480 seconds
1202723879 M * Loki|muh http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c works without reboot ;)
1202723942 M * cehteh [05:31] # git cherry-pick 8811930dc74a503415b35c4a79d14fb0b408a361
1202723942 M * cehteh [05:31] Auto-merged fs/splice.c
1202723942 M * cehteh [05:31] Finished one cherry-pick.
1202723942 M * cehteh [05:31] Created commit c0b82a2: splice: missing user pointer access verification
1202723942 M * cehteh [05:31] ..btw :)
1202724080 M * Slydder can somebody take a look and let me know wtf is happening. I can't even get ip to add a route for 195.98.207.84/28 and all other guest servers are running and have connection. .84 is the only one without. thanks. http://paste.linux-vserver.org/11740
1202724338 J * JonB ~NoSuchUse@77.75.164.169
1202725088 J * balbir ~balbir@59.145.136.1
1202725471 M * Slydder anyone alive here that can help with the above problem? am about to start pulling my hair out.
1202725488 M * Slydder and ain't got a lot of hair left tbtfh
1202725498 M * Homere Loki|muh: very bad patch
1202725557 M * cehteh Hollow: hotfix :)
1202725617 M * Homere just for the record: Do not use the "hotfix" named disable-vmsplice-if-
1202725617 M * Homere exploitable.c. The hotfix first tries to run the exploit (which would be
1202725617 M * Homere totally unnecessary for the actual "fix" by the way and is therefore a
1202725617 M * Homere very dumb thing to do), and this still leads to kernel memory corruption
1202725617 M * Homere which will render the system unstable. You can imagine what might come
1202725618 M * Homere from corrupted kernel beside a simple crash (e.g. data loss).
1202725620 M * Homere It shall be possible to remove the actual exploit attempt from the "fix",
1202725622 M * Homere but seems to be another solution which apparently compiles to a kernel
1202725624 M * Homere module which will catch and report attempts to (ab)use vmsplice at
1202725626 M * Homere http://home.powertech.no/oystein/ptpatch2008/ptpatch2008.c
1202725647 M * Slydder Homere: it states right at the top that it is an exploit
1202725655 M * Homere but my servers have no module support
1202725658 M * Loki|muh Homere: thanks
1202725677 M * Slydder * Linux vmsplice Local Root Exploit
1202725677 M * Slydder * By qaaz
1202725693 M * Homere Slydder: it's based on the exploit
1202725826 M * cehteh btw i tried to build a new vserver kernel with patching patch-2.6.24-rc7-vs2.2.0.5.0.7-pre.diff .. gives me build errors anyone knows about?
1202726228 Q * renihs Ping timeout: 480 seconds
1202726573 Q * ema Quit: leaving
1202726590 Q * pusling Server closed connection
1202726597 J * pusling pusling@77.75.162.71
1202726645 M * daniel_hozac cehteh: legacy enabled? that's known.
1202726661 M * derjohn cehteh, pong
1202726692 M * cehteh daniel_hozac: once enabled and once disables .. same problem .. but i can retry maybe i overseen something
1202726698 J * jsambrook ~jsambrook@aelfric.plus.com
1202726717 M * daniel_hozac cehteh: paste.linux-vserver.org.
1202726736 M * cehteh moment
1202727002 M * yaboo ok on my vserver i gather to send ports from the server to the virtual, what would be my iptables syntax
1202727054 M * daniel_hozac you have the guests on private IP addresses?
1202727061 J * renihs ~penguin@83-65-34-34.arsenal.xdsl-line.inode.at
1202727294 M * Tuxbubling hey renihs
1202727295 M * Tuxbubling :)
1202727317 M * renihs hello Tuxbubling
1202727359 Q * balbir Ping timeout: 480 seconds
1202727428 M * cehteh daniel_hozac: 2 lines:
1202727431 M * cehteh kernel/vserver/legacy.c: In function 'vx_set_initpid':
1202727431 M * cehteh kernel/vserver/legacy.c:31: error: implicit declaration of function 'find_task_by_real_pid'
1202727444 M * cehteh seems to be a legacy problem
1202727445 M * daniel_hozac cehteh: that's with legacy enabled.
1202727473 M * cehteh CONFIG_VSERVER_LEGACY=y
1202727475 M * cehteh :) ok
1202727478 M * cehteh found
1202727510 Q * jsambrook Quit: Leaving.
1202727556 J * jsambrook ~jsambrook@aelfric.plus.com
1202727742 M * cehteh # vserver --version
1202727742 M * cehteh vserver 0.30.212 -- manages the state of vservers
1202727755 M * cehteh .. do i need to update the utils or should the be ok?
1202727782 M * daniel_hozac you need at least 0.30.214.
1202727797 M * daniel_hozac waldi: nice catch ;)
1202727801 J * dna_ ~dna@190-247-dsl.kielnet.net
1202727802 M * cehteh bah .. missed by 0.002 :)
1202728168 Q * larsivi Quit: Konversation terminated!
1202728207 Q * dna Ping timeout: 480 seconds
1202728306 Q * Homere Quit: This computer has gone to sleep
1202728504 J * larsivi ~larsivi@144.84-48-50.nextgentel.com
1202728570 J * balbir ~balbir@59.145.136.1
1202728817 M * waldi daniel_hozac: what?
1202728844 M * daniel_hozac 2.6.24.2
1202729939 M * Slydder http://paste.linux-vserver.org/11742. this is a problem with the newest kernel + newest utils.
1202729998 M * daniel_hozac versions, please.
1202729999 P * friendly12345
1202730014 M * daniel_hozac we've got several branches, and are you really using the pre version of the utils?
1202730086 M * Slydder Linux valerie 2.6.22.15-vserver-2.3.0.29 #2 SMP Mon Jan 21 11:06:29 CET 2008 i686 GNU/Linux with vserver 0.30.214
1202730094 M * daniel_hozac which is not the latest.
1202730102 Q * ritter Ping timeout: 480 seconds
1202730109 M * Slydder ? another update?
1202730114 M * daniel_hozac the latest is 2.6.22.16-vs2.3.0.32, but you may want 2.6.22.18-vs2.3.0.32.
1202730264 M * Slydder don't see 2.6.22.18-vs2.3.0.32 at ftp.linux-vserver.org/pub/kernel/vs2.3/testing
1202730297 M * daniel_hozac i do :)
1202730376 M * Slydder got it. hate being sick. can't even think strait
1202730412 J * pisco_ ~pisco@tor.noreply.org
1202730642 Q * JonB Quit: This computer has gone to sleep
1202730751 Q * pisco Ping timeout: 480 seconds
1202731444 Q * Aiken Remote host closed the connection
1202731575 J * bXi bluepunk@irssi.co.uk
1202731602 M * bXi hey guys
1202731611 M * daniel_hozac hello
1202731687 M * bXi how can i access /dev/sdc directly from a vserver?
1202731703 M * Loki|muh create the file via mknod
1202731709 M * daniel_hozac (on the host)
1202731711 M * Loki|muh or cp it from the host
1202731740 M * bXi what would the command look like?
1202731798 M * daniel_hozac cp /dev/sdc /vservers//dev/sdc
1202731821 M * bXi and its normal that it takes longer then 3 seconds?
1202731840 M * daniel_hozac note that you don't want to give the guest access to the device it lives on, since it can easily root your host if you do.
1202731848 M * daniel_hozac i guess you want -a too.
1202731864 M * bXi in this case i dont have issues with rooting
1202731883 M * bXi its a build enviroment
1202731892 M * daniel_hozac and you trust everything you build?
1202731898 M * bXi yes
1202731909 M * bXi since i code the stuff i build :)
1202731932 M * bXi only reason its in a vserver is so i can move the vserver easily and copy it over to multiple boxes
1202731942 M * daniel_hozac why do you need /dev/sdc in a build environment?
1202731959 M * bXi to write the installer to an usb stick directly
1202731996 Q * jsambrook Remote host closed the connection
1202732018 Q * weasel Quit: reboot
1202732060 J * mattzerah ~matt@121.50.220.20
1202732087 Q * pisco_ Remote host closed the connection
1202732237 J * jsambrook ~jsambrook@aelfric.plus.com
1202732301 J * weasel weasel@weasel.chair.oftc.net
1202732368 J * pisco ~pisco@tor.noreply.org
1202732481 J * ema ~ema@rtfm.galliera.it
1202732947 N * mattzerah mattzerah`afk
1202733572 J * mire ~mire@99-171-222-85.adsl.verat.net
1202733705 J * ftx_ ~ftx@dslb-084-062-252-235.pools.arcor-ip.net
1202734073 J * ftx__ ~ftx@dslb-084-062-224-020.pools.arcor-ip.net
1202734078 Q * ftx Ping timeout: 480 seconds
1202734470 Q * ftx_ Ping timeout: 480 seconds
1202734649 J * telexicon ~will@76.28.132.206
1202734695 J * Hunger Hunger.hu@Hunger.hu
1202734699 J * ftx_ ~ftx@dslb-084-062-229-068.pools.arcor-ip.net
1202735068 Q * ftx__ Ping timeout: 480 seconds
1202735093 M * gebura hi
1202735110 M * gebura are u aware of new local linux exploit ?
1202735112 M * telexicon hi
1202735124 M * gebura it seems to not impact vserver kernel
1202735135 M * telexicon oh? thats good news
1202735142 M * gebura (even on the host, not only in a vserver)
1202735147 M * gebura i don't understand why
1202735153 M * TrueBrain gebura: only in your dreams maybe ;)
1202735160 M * gebura if somebody know and has some time to loose ...
1202735228 J * Julius ~julius@p57B26DA0.dip.t-dialin.net
1202735239 M * Tuxbubling i really don't care of local exploits ....
1202735242 M * TrueBrain gebura: which kernel are you trying?
1202735378 M * gebura i haven't tested myself (today if i can)
1202735403 M * TrueBrain then where do you get the information it doesn't effect vserver? :)
1202735446 M * gebura it's just based of somebody report
1202735453 M * telexicon its also not really an issue when using SELinux under practical circumstances
1202735454 M * gebura will verify
1202735472 M * TrueBrain well, rest asure, it works flawless here (the exploit, that is :p)
1202735473 M * telexicon sure, it lets you become root.. but you cant do anything more than you could before
1202735547 M * Loki|muh telexicon: if you can change your userid, the its assumable that you can change your context-id, too
1202735567 M * Loki|muh and that would be really harmful
1202735579 M * TrueBrain telexicon: remember that become root is just a showcase of what this 'bug' can do
1202735589 M * telexicon yea i suppose so
1202735598 M * TrueBrain crashing your system, even with SELinux, is still very simple
1202735621 M * telexicon but theres no proof of concept code for that, so i think that might cut down on the scripties
1202735625 M * gebura dd if=/dev/random of=/dev/kmen ?
1202735627 M * TrueBrain but I guess an example code that crashes your system, isn't really useful ;)
1202735655 J * Homere ~homere@alf94-16-88-177-172-146.fbx.proxad.net
1202735657 M * telexicon theres some hotfix that disables vmsplice but i dont think thats a good thing to use
1202735672 M * telexicon i tried it on one of my systems, it made the exploit not work.. but it also made some applications stop working
1202735674 M * TrueBrain without doubt, that is a bad idea ;)
1202735686 M * TrueBrain I mean, you can also just unload your whole kernel
1202735689 M * TrueBrain for sure you are bug free
1202735716 M * Tuxbubling so you don't let them gaining local access so they can't run the exploit
1202735719 M * Tuxbubling easy :p
1202735760 M * telexicon Tuxbubling, you can run it say by, uploading it to your hosting and executing it in a PHP script
1202735762 M * TrueBrain Tuxbubling: I don't know if you noticed, but the general usage of vserver is to give users a VPS where they can do what ever they want... and I doubt we can tell those users not to allow local access, because there is an exploit ;) So.. practical, I give your idea a 0 out of 10 :)
1202735818 M * TrueBrain I mean, you can also plug the internet connection ;)
1202735831 M * Tuxbubling good idea too :D
1202735870 J * ftx__ ~ftx@dslb-084-062-241-220.pools.arcor-ip.net
1202735902 M * telexicon but then, did grsec stop the exploit from working?
1202735922 M * Tuxbubling is the exploit fixed in the mainline?
1202735966 M * Loki|muh 2.6.24.2 fixes it afaik
1202735972 M * TrueBrain telexicon: nope
1202735975 M * trippeh kernel.org has released fixed versions of 2.6.22, 2.6.23 and 2.6.24.
1202735983 M * Tuxbubling ok
1202736018 M * TrueBrain Changelog Linux 2.6.24.2: splice: fix user pointer access in get_iovec_page_array()
1202736019 M * TrueBrain ;)
1202736062 M * TrueBrain better: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.2
1202736085 M * Tuxbubling is there a vserver patch for this kernel?
1202736225 J * ftx ~ftx@dslb-084-062-245-037.pools.arcor-ip.net
1202736268 Q * ftx_ Ping timeout: 480 seconds
1202736329 Q * tam_ Server closed connection
1202736333 J * tam ~assmastr@gw.nettam.com
1202736371 Q * arachnist Quit: brb
1202736406 M * phedny telexicon: well, such a hotfix is of course a good option to stop malicious users that just want to try it
1202736428 M * phedny telexicon: it gives you some time to test the "real" patch and be safe in these couple of hours before you reboot your server to install it
1202736442 M * telexicon phedny, yea, except it breaks applications
1202736461 M * telexicon phedny, i didnt have a chance to test it with everything but i know that it made apt stop working
1202736472 M * telexicon 'Killed'
1202736542 M * phedny telexicon: well, of course there is the difference between a production server where no untrusted users have access and eg. a vps hosting environment
1202736555 J * arachnist arachnist@088156188145.who.vectranet.pl
1202736568 Q * ftx__ Ping timeout: 480 seconds
1202736785 J * ftx_ ~ftx@dslb-084-060-206-008.pools.arcor-ip.net
1202736954 M * telexicon phedny, apparently theres a real fix available now
1202736970 M * telexicon a real 'hotfix', in the form of a kernel module you can just insmod and it wraps vmsplice and does the check
1202736988 Q * ftx Ping timeout: 480 seconds
1202737056 Q * arachnist Read error: Connection reset by peer
1202737110 M * TrueBrain url?
1202737130 M * Loki|muh the vmsplice works definitely inside vserver guests, tried it just the other moment
1202737130 Q * ftx_ Read error: Connection reset by peer
1202737170 M * Loki|muh even with 32-bit guests inside 64-bit hosts (you have just to use a 64bit compiled binary) ;)
1202737176 M * Tuxbubling someone has a link to the exploit code?
1202737203 J * ftx_ ~ftx@dslb-084-062-224-121.pools.arcor-ip.net
1202737213 M * Loki|muh Tuxbubling: google vmsplice, its on milw0rm or something like that, third or fourth hit
1202737253 M * Wonka 5092, iirc
1202737291 M * gebura http://www.milw0rm.com/exploits/5092
1202737298 M * Loki|muh yes
1202737301 M * telexicon heres a kernel module that you can load that wraps vmsplice and does the check.. wouldnt run it on production without testing though
1202737302 M * telexicon http://home.powertech.no/oystein/ptpatch2008/ptpatch2008.c
1202737317 M * Tuxbubling Loki|muh: cannot get it compiled...
1202737407 M * Loki|muh Tuxbubling: read the head of the file
1202737417 M * Loki|muh there are compiler options
1202737479 J * click_ click@ti511110a080-5777.bb.online.no
1202737508 M * TrueBrain that 'module' also just disabled vmsplice
1202737595 Q * click Ping timeout: 480 seconds
1202737618 M * telexicon yea but it does it safer than the exploit
1202737642 M * telexicon sort of, apparently the exploit (and the module) causes kernel panics on x86_64
1202737656 M * telexicon although i ran it on x86_64 just fine
1202737681 Q * ex Ping timeout: 480 seconds
1202737821 M * phedny telexicon: this is exactly the hotfix I was talking about, it just disables the syscall by making it return -EINVAL;
1202737841 M * telexicon oh, i was talking about the other hotfix
1202737847 M * telexicon before
1202737857 Q * balbir Ping timeout: 480 seconds
1202737881 M * Tuxbubling ok let's see how i got it
1202737900 J * Indy ~independe@host106-247.junet.se
1202737900 M * Tuxbubling if i'm leaving that's i got panic
1202737901 M * Tuxbubling :p
1202737914 M * Tuxbubling [-] mmap: Invalid argument
1202737916 M * Tuxbubling bah
1202737936 M * Indy hm, this local linux root exploit, does it affect linux-vserver too?
1202737954 M * michiel` yes
1202737976 J * arachnist arachnist@088156188145.who.vectranet.pl
1202737982 M * Tuxbubling ok rebooting
1202738000 M * Indy is there a patch?
1202738018 Q * Tuxbubling Remote host closed the connection
1202738021 M * Slydder just finished installing the newest versions of vserver and utils. deleted a problem guest and reinstalled with the new versions using the following command: vserver webcp build -m debootstrap --hostname webcp.p4.net --interface eth0:195.98.207.84/28 -- -d etch -m http://valerie.p4.net/mirror/debian/ -- --resolve-deps --arch i386 after install not network connection for the guest and after changing basic settings to match other running and connected guests st
1202738041 J * Infinito ~argos@200-101-46-84.gnace701.dsl.brasiltelecom.net.br
1202738071 M * telexicon Indy, there has been a release of updated mainline kernel with a fix
1202738074 M * michiel` Indy: I believe there is a patch for the newest kernel, but I don't know if it works for the latest vserver. I used a workaround to disable the offending syscall
1202738145 J * ftx__ ~ftx@dslb-084-062-235-247.pools.arcor-ip.net
1202738186 M * Indy how is vserver for 2.6.24 coming along btw?
1202738361 J * ftx ~ftx@dslb-084-060-237-139.pools.arcor-ip.net
1202738417 Q * yaboo Quit: Leaving
1202738452 M * Slydder this is very annoying. i can only ping my host from the guest and nothing beyond.
1202738478 J * hijacker ~hijacker@213.91.163.5
1202738482 M * hijacker hi fellows
1202738507 M * michiel` Indy: I don't know, maybe someone else here knows
1202738538 M * telexicon Slydder, routing issue?
1202738551 Q * ftx_ Ping timeout: 480 seconds
1202738584 M * Slydder don't see how as all the other guests work fine. or at least they did before I upgraded to the newest version a bit ago. am firing up the other guests now to check.
1202738692 J * ftx_ ~ftx@dslb-084-062-242-179.pools.arcor-ip.net
1202738730 Q * ftx__ Ping timeout: 480 seconds
1202738870 J * ftx__ ~ftx@dslb-084-060-249-054.pools.arcor-ip.net
1202738873 M * Slydder all other guests work fine
1202738942 J * JonB ~NoSuchUse@77.75.164.169
1202739087 Q * ftx Ping timeout: 480 seconds
1202739095 J * balbir ~balbir@59.145.136.1
1202739124 J * ftx ~ftx@dslb-084-060-225-205.pools.arcor-ip.net
1202739267 Q * ftx_ Ping timeout: 480 seconds
1202739452 Q * ftx__ Ping timeout: 480 seconds
1202739496 Q * bXi Remote host closed the connection
1202739500 J * bXi bluepunk@irssi.co.uk
1202739562 Q * puck Ping timeout: 480 seconds
1202739708 J * puck ~puck@leibniz.catalyst.net.nz
1202739726 J * Flinx ~chatzilla@86.57.175.203
1202739737 M * Flinx Hi!
1202739779 M * Flinx I did installed KDE on vserver guest os (Debian etch 4.0)
1202739824 M * gebura miam :)
1202739842 M * Flinx Then i created second guest and copied all files from working guest to other.
1202739878 M * hijacker fellows, what do we do with this one: http://it.slashdot.org/it/08/02/10/2011257.shtml
1202739879 M * hijacker ?
1202739888 M * Flinx When i trying to run cloned guest is working ok until KDM is running
1202740161 M * Flinx When KDM is running screen is black. LCD led is yellow (no signal)
1202740304 M * JonB hijacker: we fix it ;-)
1202740322 M * JonB hijacker: doesnt the patch apply cleanly?
1202740376 Q * telexicon Quit: Leaving
1202740505 M * hijacker JonB, where do i get the patch ?
1202740506 M * hijacker ;-)
1202740564 M * JonB hijacker: i dunno, maybe the kernel mailing list?
1202740587 M * JonB hijacker: but cant you just compile a new kernel without vmsplice?
1202740604 Q * balbir Ping timeout: 480 seconds
1202740607 M * hijacker JonB, aye
1202740608 M * hijacker ;-)
1202740662 M * hijacker where is vmsplice in the kernel source?
1202741018 M * hijacker fs/splice.c
1202741020 M * hijacker ;-)
1202741069 J * ex ex@valis.net.pl
1202741138 M * Slydder wow. since updated one of my servers to the latest release i am getting nothing but problems.
1202741332 J * arekm arekm@carme.pld-linux.org
1202741366 M * arekm ... local attackers to access resources in other vserver? huh
1202741437 J * TheSeer ~theseer@border.office.nonfood.de
1202741444 M * TheSeer heya :)
1202741446 M * daniel_hozac TheSeer: pong
1202741450 M * TheSeer daniel_hozac: :)
1202741479 Q * ensc Remote host closed the connection
1202741481 M * TheSeer daniel_hozac: any chance of a vmsplice secure kernel already?
1202741527 M * Loki|muh debian stable just announced new kernels
1202741539 M * hijacker TheSeer, did you read the vserver mailing list?
1202741542 M * hijacker see that : http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44
1202741550 M * hijacker seems just one line would fix that...
1202741554 M * hijacker i am recompiling now
1202741589 A * arekm looking patch for CVE-2008-0163
1202741635 Q * Infinito Quit: Leaving
1202741653 M * TheSeer hijacker: let me know of your finidings :)
1202741660 J * dib ~dib@217.128.17.6
1202741663 M * hijacker sure
1202741664 M * hijacker will do
1202741809 A * TheSeer hops fedora /redhat updates too after this and daniel_hozac provides updates also
1202741831 M * daniel_hozac 2.6.22.18-vs2.2.0.6 and 2.3.0.32 have been on linux-vserver.org for hours.
1202741837 Q * mick_work Ping timeout: 480 seconds
1202741878 M * Slydder daniel: and after installing them the server that had the problem with the one guest now has problems with all guests.
1202741901 M * daniel_hozac how so?
1202741940 M * Slydder am still waiting (10 min now) for onxdemo to startup and ms1 just finished booting. none have internet access anymore
1202741952 M * Slydder something is really strange now.
1202742127 M * daniel_hozac TheSeer: for what distro? i haven't been doing Fedora kernels for quite some time, due to lack of sources/patches.
1202742141 M * Slydder here in one error i just got while restarting a guest: /usr/lib/util-vserver/vserver.stop: line 85: 5106 Killed "${NICE_CMD[@]}" "${CHBIND_CMD[@]}" "$_VTAG" --migrate "${OPTS_VTAG_ENTER[@]}" --silent -- $_VCONTEXT $SILENT_OPT --migrate --chroot --xid "$S_CONTEXT" -- "${INITCMD_STOP[@]}"
1202742214 M * daniel_hozac which is expected, if your rc-script commits suicide.
1202742251 Q * Flinx Quit: ChatZilla 0.9.80 [Firefox 2.0.0.11/2007112718]
1202742282 M * Slydder so it decided to commit suicide first after installing the new kernel and utils? strange
1202742335 M * daniel_hozac i doubt that, it's probably been doing it all along.
1202742341 M * Slydder never.
1202742376 M * Slydder the only problem i had was that webcp.p4.net had no conection to the internet. could ping the host fine but that was it. now all guests are dead
1202742397 M * daniel_hozac which sounds like some pretty serious misconfiguration.
1202742432 Q * pisco Remote host closed the connection
1202742461 M * daniel_hozac arekm: if you can trigger that in a recent patch, let me know. it's a Debian ancient-kernel thing.
1202742476 J * Wachert ~wachert@p3EE2F0BC.dip.t-dialin.net
1202742486 M * Slydder have yet to find anything as to why all others worked fine prior except for webcp and now nothing works and i use a a single install command for each guest changing only the name and ips
1202742540 M * zbyniu daniel_hozac: 2.3.0.29 is ok? (CVE-2008-0163)
1202742547 Q * Wachert Quit: Nettalk6 - www.ntalk.de
1202742679 M * daniel_hozac zbyniu: i'd say anything not based on 2.6.18 is okay... but i don't have any details.
1202742781 M * zbyniu daniel_hozac: ok
1202743089 J * mick_work ~clamwin@adsl-068-157-089-099.sip.bct.bellsouth.net
1202743255 Q * hijacker Quit: Leaving
1202743494 Q * renihs Quit: Leaving
1202743500 J * ensc ~irc-ensc@77.235.182.26
1202743505 Q * tokkee Quit: leaving
1202743733 M * zbyniu daniel_hozac: http://paste.linux-vserver.org/11743 - it is patch from debian
1202743747 M * zbyniu daniel_hozac: can you look at that
1202743769 Q * bXi Remote host closed the connection
1202743770 J * hparker ~hparker@linux.homershut.net
1202743895 M * daniel_hozac i even have that in my 2.6.17-based trees...
1202743910 J * hijacker ~hijacker@213.91.163.5
1202743930 M * hijacker TheSeer, it works
1202743944 M * hijacker at least it does not give you the root shell any more
1202743945 M * hijacker ...
1202743946 M * hijacker ;-)
1202743968 M * zbyniu damn, sure, I was looking on other arch source
1202744048 J * quasisane ~sanep@c-76-118-191-64.hsd1.nh.comcast.net
1202744194 M * daniel_hozac hijacker: what works? 2.6.22.18?
1202744426 J * bXi bluepunk@irssi.co.uk
1202744732 J * tokkee tokkee@ssh.faui2k3.org
1202744946 Q * _bjh_ Quit: leaving
1202745228 M * maddoc Any news about the mmap-bug and vserver?
1202745278 M * maddoc I found that the jessica biel-exploit didn't work on my box with 2.6.19.7-grsec2.1.10-vs2.2.0, but it crashed it.
1202745375 M * TheSeer daniel_hozac: centos ;)
1202745418 M * TheSeer maddoc: now is that better? ;>
1202745448 M * maddoc Well, I get some downtime instead of a compromised system?
1202745477 M * daniel_hozac it probably just needs some tweaking to work on it...
1202745519 M * TheSeer maddoc: well.. i wouldn't trust on that ;)
1202745538 M * maddoc Yeah.
1202745538 M * daniel_hozac TheSeer: just waiting on the i686 build to finish.
1202745549 M * TheSeer daniel_hozac: i'd need a x86_64 build ;)
1202745609 J * dowdle ~dowdle@scott.coe.montana.edu
1202745653 M * daniel_hozac well, i only push complete builds.
1202745714 M * Indy maddoc: I got the same result on my box with vs+grsec 1202745854 M * TheSeer grsec seems to limit the access to /proc/kallsyms 1202745862 M * TheSeer which is used by the exploit 1202745871 M * Slydder am currently in the process of nuking a complete server for reinstallation. too bad the docs are as well rounded as vserver and the utils package. lol 1202745872 M * daniel_hozac as does Linux-VServer... there are a number of exploits. 1202745947 M * Indy TheSeer: any idea why it hangs? or how to stop it? 1202745949 M * Supaplex debian has new kernels on the security repos 1202745978 M * TheSeer Indy: not really.. 1202746031 M * Indy I used this on another system: http://home.powertech.no/oystein/ptpatch2008/ worked fine, but not sure how to compile it on gentoo 1202746169 M * Indy didn't work on this box, to old kernel or something :/ 1202746284 J * Daniello daniello@Hmm.iglu.sk 1202746355 M * Daniello is there any patch for latest kernel bug ? 1202746378 M * daniel_hozac yes, and updated versions are already available on the front page of linux-vserver.org. 1202746400 M * Daniello http://downloads.securityfocus.com/vulnerabilities/exploits/27704-2.c 1202746402 M * Daniello http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c 1202746451 M * Daniello daniel_hozac: also for these exploits ? :) 1202746486 M * daniel_hozac yes, they're fixed by 2.6.22.18. 1202746486 M * pusling Daniello: is it diane lane and jessica biel ? 1202746516 M * micah probably 1202746526 M * Daniello daniel_hozac: thx :) 1202746540 M * TheSeer daniel_hozac: any eta for centos x86_64? 1202746557 M * Daniello pusling: magic twins :) 1202746562 M * daniel_hozac the i686 build is just finishing up, should be pushed within an hour. 1202746578 M * TheSeer thanx :) 1202746592 Q * gebura Quit: Quitte 1202746667 M * Indy is it two exploits? 1202746683 M * daniel_hozac from what i gather, there are at least 3 different exploits. 
1202746703 J * probz damn@secure.signalstorm.org 1202746718 M * Indy is there a patched version for vs+grsec ? 1202746855 J * pmenier ~pme@193.251.7.5 1202746911 J * fatgoose ~samuel@76-10-149-199.dsl.teksavvy.com 1202747178 Q * micah Remote host closed the connection 1202747301 M * probz why i got error while i try to run sshd on vserver 1202747308 M * Indy daniel_hozac: are they all fixed in 2.6.22.18 ? 1202747326 M * probz * ERROR: interface lo does not exist 1202747326 M * probz * Ensure that you have loaded the correct kernel module for your hardware 1202747326 M * probz * ERROR: net.lo failed to start 1202747326 M * probz * ERROR: cannot start sshd as net.lo would not start 1202747334 M * daniel_hozac Indy: yes. 1202747349 M * daniel_hozac probz: make sure you're using a vserver-stage, and that you've run the post-install script. 1202747363 M * probz im using 4stage 1202747375 M * probz post-install script? 1202747410 J * Alteisen alteisen@shell.chaostreff-dortmund.de 1202747414 M * daniel_hozac /usr/lib*/util-vserver/distributions/gentoo/initpost /etc/vservers/ /usr/lib*/util-vserver/util-vserver-vars 1202747416 M * probz i have break with vserer last times i used it was 17-13 kernel 1202747422 M * Alteisen hiho 1202747439 M * probz daniel_hozac: and i dint have a such of problems 1202747456 M * daniel_hozac probz: how did you build the guest? 1202747493 M * probz like always vserver box build and other otpions 1202747503 M * Indy daniel_hozac: you think I can apply the vs+grsec 2.6.22.16 patch to linux 2.6.22.18 ? 1202747513 M * daniel_hozac yes. 1202747529 M * daniel_hozac Indy: the Makefile was the only thing that conflicted here, but i don't use grsec. 1202747537 M * daniel_hozac probz: and was -d gentoo one of those options? 
1202747599 M * probz sp1019a .transfers # vserver hotbox build --context 1253 --hostname hotbox --interface eth1:65.xx.xx.xx --initstyle plain -m template -- -d gentoo -t /root/stage4-i686-20070905.tar.bz2 1202747603 M * probz yes 1202747652 M * probz i never had that issue before 1202747693 J * oauto ~micah@micah.riseup.net 1202747694 M * daniel_hozac TheSeer: pushed. 1202747716 N * oauto micah 1202747729 M * daniel_hozac probz: what util-vserver version? 1202747791 M * probz 0.30.212-r2 1202747820 Q * ||Cobra|| Remote host closed the connection 1202747825 M * daniel_hozac i think you need 0.30.213, or maybe even 0.30.214. 1202747838 M * probz well gentoo emerged that ver :/ 1202747894 M * probz that ill solve the prob? 1202747895 M * daniel_hozac 0.30.214 should be marked as stable these days, i think. 1202747914 M * daniel_hozac yeah, i think so. 1202748137 M * Alteisen sorry for maybe asking an FAQ, but can i apply vs2.3.0.32 also to linux 2.6.24.2? looks like there is an severe problem in 2.6.22.x... (-> http://www.heise.de/newsticker/meldung/103279) 1202748141 M * probz can somebody remaind me how to upgrade portage in gentoo? 1202748200 M * Indy Alteisen: it was fixed in 2.6.22.18 too 1202748215 M * probz nvm i remined myself 1202748229 M * Indy probz: emerge portage ? 1202748247 Q * _gh_ Ping timeout: 480 seconds 1202748252 M * Alteisen Indy: that is good news 1202748277 M * Alteisen and vs2.3.0.32 applies to .22.18 too? 1202748292 M * Indy hm, not sure 1202748303 M * daniel_hozac yes, but there's also a new patch on linux-vserver.org. 1202748351 M * Indy how stable is vs2.3? 1202748407 J * jmcaricand jm@d90-144-110-144.cust.tele2.fr 1202748447 Q * mountie Ping timeout: 480 seconds 1202748584 M * daniel_hozac it's development ;) 1202748591 M * daniel_hozac i've been running it on all my servers for months though.. 
1202748614 M * Alteisen Indy: FaUl and me need vs2.3 due to IPv6, and FaUl says that it is running well 1202748617 Q * Homere Quit: Client exiting 1202748633 J * mountie ~mountie@trb229.travel-net.com 1202748647 M * Alteisen (and for me, i guess that FaUl knows about what he is talking) 1202748716 M * Alteisen so, if linux 2.6.22.18 includes the patch that is in 2.6.24.2, and i can use the current devel vs2.3-patch, we are fine and happy ;-) 1202748810 J * ||Cobra|| ~cob@pc-csa01.science.uva.nl 1202748910 M * Indy what happens with tokenbucket cpu thingy if you choose to run tickless system? 1202748977 M * daniel_hozac it's supposed to work fine. 1202749043 M * Indy but I need to know the frequency to calculate the burst time? 1202749199 Q * ||Cobra|| Remote host closed the connection 1202749233 J * ||Cobra|| ~cob@pc-csa01.science.uva.nl 1202749243 J * Infinito ~argos@200-101-46-84.gnace701.dsl.brasiltelecom.net.br 1202749263 J * balbir ~balbir@122.167.213.22 1202749549 Q * ||Cobra|| Remote host closed the connection 1202749588 J * ||Cobra|| ~cob@pc-csa01.science.uva.nl 1202749613 Q * JonB Quit: This computer has gone to sleep 1202749651 J * AndrewLe1 ~andrew@flat.iis.sinica.edu.tw 1202749722 Q * AndrewLee Ping timeout: 480 seconds 1202749742 N * AndrewLe1 AndrewLee 1202750025 J * bonbons ~bonbons@ppp-111-234.adsl.restena.lu 1202750072 M * probz daniel_hozac: 1202750074 M * probz Feb 11 16:16:03 hotbox sshd[16902]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use. 1202750077 M * probz Feb 11 16:16:03 hotbox sshd[16902]: fatal: Cannot bind any address. 1202750083 M * probz whys that? 
1202750088 M * daniel_hozac http://linux-vserver.org/Frequently_Asked_Questions#When_I_try_to_ssh_to_the_guest.2C_I_log_into_the_host.2C_even_if_I_installed_sshd_on_the_guest._What.27s_wrong_here.3F 1202750089 M * probz i set up ip 1202750455 M * TheSeer daniel_hozac: upgrading :) 1202750620 J * padde ~padde@58.209.25.61 1202750630 M * padde hi there 1202750638 J * chigital ~chigital@91.90.144.102 1202750659 M * daniel_hozac hello 1202750750 M * padde i'm trying to whitelist incoming ports for vserver guests (because iptables can't be used within the guests), but my iptables knowledge is insufficient. does anybody have some examples that could help? 1202750770 M * daniel_hozac what do you want to accomplish? 1202750771 Q * Infinito Quit: Leaving 1202750802 M * padde basically i want to firewall the guests, so that only a fixed set of ports is accessible from the net 1202751082 J * JonB ~NoSuchUse@77.75.164.169 1202751120 Q * probz Quit: Lost terminal 1202751149 M * padde got to go now... would be great if anybody could point me to a related iptables howto or something :) i'll read answers later 1202751184 M * daniel_hozac i'd suggest something like iptables -N guest1; iptables -A INPUT -d <guest-ip> -j guest1; iptables -A INPUT -d <guest-ip> -j DROP; iptables -A guest1 -p tcp --dport 80 -j ACCEPT 1202751330 Q * JonB 1202751580 Q * TheSeer Quit: Client exiting 1202751967 Q * chigital Ping timeout: 480 seconds 1202752423 Q * pmenier Quit: Konversation terminated! 1202752467 J * hijacker_ ~Lame@87-126-142-51.btc-net.bg 1202752600 Q * mire Remote host closed the connection 1202752803 Q * jescheng Remote host closed the connection 1202752814 J * jescheng ~jescheng@proxy-sjc-2.cisco.com 1202752886 Q * ema Quit: leaving 1202752943 J * Pazzo ~ugelt@reserved-225136.rol.raiffeisen.net 1202753091 M * Pazzo Aaaaargh :-( What a GREAT day, isn't it? 1202753112 M * daniel_hozac it is!
1202753150 J * mire ~mire@99-171-222-85.adsl.verat.net 1202753191 Q * mire Read error: Connection reset by peer 1202753274 M * Pazzo hi daniel_hozac! 1202753306 M * Pazzo Never before I crashed so many hosts in one single day :-( 1202753306 M * daniel_hozac hello Pazzo 1202753351 M * Pazzo disable-vmsplice-if-exploitable.c looked to greatly do it's job this morning... 1202753366 M * daniel_hozac you might want to upgrade the kernel instead ;) 1202753382 N * Bertl_zZ Bertl 1202753387 M * Pazzo ...but when I realized what it is doing... *brrr* 1202753390 M * Pazzo Hi Bertl! 1202753390 M * Bertl evening folks! 1202753407 M * Pazzo daniel_hozac: that's what I'm doing right now :-) 1202753424 J * ftx_ ~ftx@dslb-084-060-233-222.pools.arcor-ip.net 1202753441 M * daniel_hozac Bertl: FYI, i took the liberty of uploading patches against 2.6.22.18. there were no rejects or offsets whatsoever. 1202753520 J * _gh_ ~gerrit@bi01p1.co.us.ibm.com 1202753597 M * Bertl daniel_hozac: thanks! 1202753606 A * Pazzo got the liberty to download patches against 2.6.22.18 :-) 1202753626 M * Bertl np with that either :) 1202753763 Q * ftx Ping timeout: 480 seconds 1202753763 Q * hijacker_ Read error: Connection reset by peer 1202753816 J * hijacker_ ~Lame@87-126-142-51.btc-net.bg 1202754262 J * ftx__ ~ftx@dslb-084-060-198-073.pools.arcor-ip.net 1202754511 M * Pazzo Bertl: I have read about really promising changes in 2.6.24. I don't want to ask you something you probably told people many times before, but I'm really curious: could you point me to some irc log / blog entry / whatever, allowing me to find out what this changes mean to linux-vserver in the near future? 1202754556 M * Bertl it means: the scheduler is broken, some other things don't work as expected 1202754567 M * Pazzo thought so :-) 1202754574 M * bragon hello world 1202754589 Q * markus_ Remote host closed the connection 1202754592 M * Pazzo print "Hello world!"; 1202754596 M * Bertl hello bragon! 
:) 1202754609 M * bragon how patch vserver kernel who have the last kernel issues without reboot 1202754616 M * bragon any solution ? 1202754635 N * DoberMann DoberMann[PullA] 1202754639 M * Mooo Bertl: To your knowledge, does the vmsplice() vulnerability expose any isolation problems between vservers? 1202754648 M * Bertl bragon: you can patch any kernel without reboot, but you have to reboot to get the kernel running :) 1202754656 M * bragon lol 1202754681 M * Bertl Mooo: no idea atm, I was disconnected for 22+ hours 1202754694 M * daniel_hozac Mooo: of course. it's a "write anywhere you want" kind of issue. 1202754697 M * bragon do you planned a vserver patch+ipv6+grsec for the 2.6.24.2 ? 1202754711 Q * ftx_ Ping timeout: 480 seconds 1202754749 M * Mooo mmhmm.. thanks daniel_hozac :) 1202754751 M * daniel_hozac bragon: 2.6.24 needs a lot of work. 1202754761 M * bragon daniel_hozac: i understand 1202754769 M * bragon but my box is rootable :'( 1202754770 Q * ftx__ Ping timeout: 480 seconds 1202754786 M * daniel_hozac why don't you upgrade to 2.6.22.18 then? 1202754788 M * Pazzo Bertl: "In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163)." <- ?? 1202754812 M * bragon daniel_hozac: 2.6.22.6-grsec2.1.11-IPv6-vs2.2.0.3 i have this at the moment. 1202754820 M * daniel_hozac Pazzo: it's a Debian kernel thing. i don't know how it was missing, since even my 2.6.17 trees have that. 1202754834 M * Pazzo daniel_hozac: thanks! 1202754854 M * Bertl Pazzo: well, happens with distro kernels 1202754906 M * Pazzo Bertl: depending on kernel version or kernel config? 1202754908 M * Bertl bragon: get 2.6.22.18 + vs patch 1202754964 M * Bertl Pazzo: the maintainer missed (somehow) a patch/fix we did a long time ago 1202754973 M * Pazzo great 1202754974 M * bragon i need upgrade to 2.6.22.18 so ... 
1202755044 Q * jmcaricand Quit: KVIrc 3.2.4 Anomalies http://www.kvirc.net/ 1202755069 M * bragon but no patch ipv6 for 2.6.22.18 :'( 1202755104 M * Pazzo Bertl: and regarding my previous question (2.6.24): what about the newly introduced virtualization thingies (virtualized /proc/net, process namespaces, veth...): anything useful for linux-vserver - or just a lot of headaches for you and mostly useless for the project? 1202755111 M * Bertl bragon: get the devel branch, it has out-of-the-box ipv6 support 1202755157 A * Pazzo hates "make oldconfig" 1202755159 M * Bertl Pazzo: some of them (when they actually work :) will become options for Linux-VServer 1202755166 M * Pazzo SLAB or SLUB?? 1202755206 A * Pazzo will try to stay with 2.6.22 for a while... 1202755218 M * Pazzo (been using 2.6.20 'til now) 1202755287 M * Pazzo staying with SLAB would be the safe way, right? 1202755525 Q * Julius Remote host closed the connection 1202756669 Q * kiorky Remote host closed the connection 1202756711 J * kiorky ~kiorky@cryptelium.net 1202757012 N * Linus Guest1173 1202757058 J * Linus ~nuhks@bl7-144-57.dsl.telepac.pt 1202757268 Q * kiorky Ping timeout: 480 seconds 1202757271 M * Pazzo Every time I'm sitting here to compile a new kernel I'm asking myself the same question: 100hz timer for linux-vserver? or would 1000hz be the wiser choice? 1202757293 M * daniel_hozac doesn't really matter as far as Linux-VServer is concerned. 1202757327 M * Bertl 1kHz means lower latencies, but higher task switching overhead 1202757337 Q * Guest1173 Ping timeout: 480 seconds 1202757344 M * Pazzo yep, found http://www.mail-archive.com/vserver@list.linux-vserver.org/msg10756.html :-) 1202757444 M * Pazzo Hmm... are these idle guests with only a few processes? 
1202757572 Q * hijacker_ Quit: Leaving 1202757723 M * Bertl Pazzo: you can get an idea if you compare it to a non-Linux-VServer system 1202757736 M * Bertl Pazzo: 100x10 processes = 1000 processes 1202757818 M * Pazzo would 100hz be fine for a total of 100 / 500 / 1000 / 5000 procs? or does it also depend on the number of idling procs? 1202757863 N * DoberMann[PullA] DoberMann 1202757987 M * Bertl yes, it definitely depends on what the processes are doing 1202758008 M * Bertl think 1000 running processes vs 5 running and 995 sleeping 1202759213 M * Pazzo Hmmm... thanks Bertl. I would lie if I would say that it is pretty clear right now... so I'll stay with 100hz :-) 1202759320 J * ktwilight ~ktwilight@90.96-66-87.adsl-dyn.isp.belgacom.be 1202759532 J * Piet ~piet@tor.noreply.org 1202759563 Q * ktwilight_ Ping timeout: 480 seconds 1202760036 J * Aiken ~james@ppp59-167-117-30.lns3.bne4.internode.on.net 1202760373 M * Pazzo Is CONFIG_VSERVER_REMAP_SADDR something I should like? 1202760429 M * Bertl did you like the help text? 1202760445 M * Pazzo yup. 1202760469 M * Bertl then you probably want the option too :) 1202760507 M * Pazzo It somehow "masks" connections from 127.0.0.1 to the guest's ips - but if it doesn't, who cares? 1202760573 M * Pazzo Did I misread something? 1202760729 M * Pazzo (trying to explain myself with my poor English) What I'm concerned about: is there anything that could get broken? 1202760758 J * JonB ~NoSuchUse@77.75.164.169 1202760766 M * Bertl no, the remapping is part of the lo isolation 1202760777 M * Bertl recent devel kernels provide the lback remapping 1202760856 A * Pazzo is confused - it shows my vserver clients first ip to himself instead of 127.0.0.1 when doing something like "telnet 127.0.0.1 80" - doesn't it? 1202760877 M * daniel_hozac CONFIG_VSERVER_REMAP_SADDR, yes. 
1202760918 A * Pazzo accepts the majority opinion ;o) 1202761062 M * Pazzo Last question (hopefully): CONFIG_VSERVER_PRIVACY -> is this just protecting vServer clients from BOFHs controlling the vHost - or does it also have some benefit for the vHost's admin himself? 1202761071 M * daniel_hozac no. 1202761085 M * daniel_hozac it's only to protect the guests from the host. 1202761120 M * Bertl (but it won't stop a BOFH :) 1202761139 M * daniel_hozac of course not ;) 1202761162 M * Pazzo hehe 1202761173 M * Pazzo thanks daniel_hozac, Bertl! 1202761482 M * Pazzo Kernel is baking in the oven :o) 1202761502 A * hparker smells something burning 1202761510 M * Pazzo Hehe... 1202761521 A * Pazzo is going to eat something 1202761531 J * ftx ~ftx@dslb-084-062-250-009.pools.arcor-ip.net 1202761549 M * Pazzo Soon I'll be back to have my "reboot & pray"-party 1202761582 M * Pazzo Once again thank you for your help! 1202761587 M * Bertl you're welcome! 1202761796 Q * _gh_ Ping timeout: 480 seconds 1202761864 J * _gh_ ~gerrit@bi01p2.co.us.ibm.com 1202763222 Q * ftx Remote host closed the connection 1202763344 J * fatgoose_ ~samuel@76-10-149-199.dsl.teksavvy.com 1202763344 Q * fatgoose Read error: Connection reset by peer 1202763424 J * jazzanova ~boris@66.109.22.212 1202763502 M * Bertl wb jazzanova! 1202763513 M * jazzanova how can I limit RAM on my vservers. 1202763517 M * jazzanova bertl :) 1202763571 M * JonB Bertl: can RAM limits be changed while it is running? 1202763606 M * Bertl http://linux-vserver.org/Memory_Limits 1202763740 M * jazzanova thanks 1202763869 Q * Indy Quit: Quit 1202764263 M * Bertl okay, off to bed now ... still a little ill (and thus tired) 1202764271 M * Bertl have a good one everyone, cya! 
1202764275 N * Bertl BErtl_zZ 1202764281 N * BErtl_zZ Bertl_zZ 1202764399 M * jazzanova what does this mean: 40003 109 1.1G 2G 14m18s65 0m15s15 29m07s96 rearden 1202764399 Q * _gh_ Read error: Operation timed out 1202764413 M * jazzanova as the output of vserver-stat 1202764433 J * chigital ~chigital@p5B0C5474.dip.t-dialin.net 1202764455 M * daniel_hozac most likely that your kernel is broken. 1202764484 M * daniel_hozac (or you're consuming insane amounts of RAM, causing the counters to wrap) 1202764732 M * Pazzo re 1202764820 Q * kaner_ Remote host closed the connection 1202764849 Q * bonbons Quit: Leaving 1202764866 Q * fatgoose_ Read error: Connection reset by peer 1202764899 M * jazzanova hmm 1202764905 M * jazzanova my machine has 2gigs of ram 1202764938 J * fatgoose ~samuel@76-10-149-199.dsl.teksavvy.com 1202765007 M * jazzanova but free -m shows that I only have 242 1202765014 M * jazzanova how can this be ? 1202765068 M * daniel_hozac on the host? 1202765076 J * _gh_ ~gerrit@bi01p1.co.us.ibm.com 1202765119 M * jazzanova yeah 1202765139 M * jazzanova can this be just bad output, or did they give me little ram 1202765149 M * jazzanova i just got this computer 1202765154 M * jazzanova it's a dedicated 1202765199 M * daniel_hozac check dmesg. 1202765301 M * jazzanova 0MB HIGHMEM available. 1202765301 M * jazzanova 247MB LOWMEM available. 1202765308 M * jazzanova that's right at the top of dmesg 1202765548 M * daniel_hozac so it would appear you only have 256 MiB of RAM, with some video RAM or similar. 1202765870 J * derjohn_mobil ~aj@e180202189.adsl.alicedsl.de 1202765948 Q * jazzanova Read error: Operation timed out 1202766166 J * kiorky ~kiorky@cryptelium.net 1202766503 Q * fatgoose Quit: fatgoose 1202766825 M * cehteh how are the new filesystem capabilities handled in .24 vserver?
1202766829 N * DoberMann DoberMann[ZZZzzz] 1202766859 M * daniel_hozac we don't care :) 1202766881 J * jazzanova ~boris@66.109.22.212 1202766895 M * cehteh daniel_hozac: not checked yet .. but might that be used to break out of it explanation: 1202766904 M * daniel_hozac no. 1202766907 M * jazzanova ok, i fixed my ram 1202766909 M * daniel_hozac we mask capabilities at check time. 1202766911 M * jazzanova its showing things correctly now 1202766918 M * cehteh ah 1202766953 M * jazzanova 40003 85 2.3G 2.1G 5m22s19 0m05s33 7m03s97 rearden 1202766961 M * cehteh well if a vserver root has the right to set capabilities (we want that in a vserver when distris install tools pcap'ed) 1202766962 M * jazzanova so does this mean I am usig 2.1gb of RAM ? 1202766978 M * daniel_hozac jazzanova: that seems unlikely. what kernel/utils? 1202766982 M * cehteh he cant set more than he actually has? 1202766994 M * daniel_hozac cehteh: he can set whatever he wants, but he can't use them. 1202767003 M * cehteh ah ok 1202767023 M * cehteh sounds reasonable 1202767025 M * jazzanova 2.6.22-3-vserver-686 1202767042 M * jazzanova VS-API: 0x00020200 1202767065 J * kaner kaner@zzz.strace.org 1202767113 M * jazzanova memory usage says: 1202767116 M * jazzanova Mem: 2019 693 1326 0 12 372 1202767123 M * jazzanova (thans free -m) 1202767127 M * jazzanova on the host 1202767148 M * jazzanova so used only 694M out of 2019M 1202767165 M * daniel_hozac you didn't show which util-vserver version. 1202767171 M * jazzanova ah, ok, now vserver-stat also dropped 1202767175 M * jazzanova shouws correctly 1202767201 M * jazzanova util-vserver 0.30.212-1 1202767238 M * daniel_hozac you want at least 0.30.213. 1202767251 M * jazzanova ok, this is debian etch 1202767262 M * jazzanova where do I get a recent util-vserver ? 1202767282 M * daniel_hozac backports.org 1202767555 M * Pazzo daniel_hozac: util-vserver < 0.30.213 == evil? 1202767584 M * daniel_hozac if you want accurate data from vserver-stat, yes. 
1202767593 M * Pazzo thanks for the hint! 1202767653 M * Pazzo is compiling 0.30.214-6 from sid on etch ok? 1202767703 M * jazzanova i have upgraded my vserver utils 1202767755 M * jazzanova ok, i'd like to limit this vserver to 200MBs 1202767771 M * jazzanova 40004 12 73M 36.3M 1m39s67 0m00s66 20m06s52 francisco 1202767771 M * jazzanova how do I do it ? 1202767912 M * daniel_hozac Pazzo: why not use the precompiled packages from backports.org? 1202767926 M * daniel_hozac jazzanova: did you read the memory limits page? 1202768084 Q * infowolfe Read error: Operation timed out 1202768170 M * jazzanova yeah 1202768173 M * jazzanova makes no sense 1202768187 M * jazzanova can I give limit command in Megabytes, and not pages ? 1202768221 M * daniel_hozac no, but you can give it megapages :) 1202768315 M * jazzanova when the system reaches ram limit, i want processes to get killed 1202768331 M * jazzanova that the "rss" limit ? 1202768333 M * daniel_hozac yes. 1202768344 M * jazzanova ok, so how many pages is 200MB ? 1202768345 M * daniel_hozac or, rather, the rss.hard limit. 1202768401 J * infowolfe ~infowolfe@home.dsl.hardcore-linux.net 1202768429 M * daniel_hozac that depends on the page size. divide 200 Mi with the page size, and you have your answer... 1202768466 M * daniel_hozac http://linux-vserver.org/Resource_Limits has some snippets for that. 1202768721 M * jazzanova ok, my page size is 4096 1202768757 M * jazzanova thats 4096 bytes ? 1202768770 M * daniel_hozac yes. 1202768806 M * jazzanova so i take, 200 * 1024 * 1024 / 4096 ? 1202768812 M * daniel_hozac yep. 1202768827 Q * cehteh Read error: Connection reset by peer 1202768941 M * jazzanova i get 200 * 256 = 51200 1202768997 M * daniel_hozac sounds reasonable. 1202769020 M * jazzanova so, is there a command to set the limit, or should I edit files ? 1202769028 Q * JonB Quit: This computer has gone to sleep 1202769034 M * daniel_hozac the memory limits page has all that info...
1202769240 M * jazzanova i run the vlimit command, but no rlimits directory in /etc/* got created 1202769249 M * Pazzo daniel_hozac: I got really angry about backports.org some time ago (they managed it to do some really strange things to php, can't remember it right) 1202769264 M * jazzanova sudo vlimit -c 40004 --rss 51200 1202769269 M * daniel_hozac the directory doesn't get created, you need to create it yourself. 1202769313 M * jazzanova i created the directory, run the vlimit command, but no file got created in the directory 1202769326 M * daniel_hozac you also need to create the file... 1202769326 M * jazzanova so, the vlimit only affects at runtime ? 1202769331 M * daniel_hozac yes. 1202769343 M * Pazzo daniel_hozac: I compiled util-vserver right now and installed it on two servers - memory statistics didn't change in vserver-stat (but root server is missing right now) 1202769378 M * daniel_hozac Pazzo: that seems unlikely, but okay. 1202769423 M * Pazzo host has been booted shortly before - but no reboot after installing new utils 1202769428 M * jazzanova ok, cool, thanks a lot. 1202769458 M * Pazzo daniel_hozac: is it normal, that ctx 0 is no longer shown in vserver-stat? 1202769473 M * daniel_hozac yes. it's not a guest, it had no business being there in the first place. 1202769525 M * jazzanova later:) thanks a lot daniel! 1202769528 P * jazzanova 1202769531 Q * larsivi Quit: Konversation terminated! 1202769537 M * Pazzo makes sense 1202769762 J * cehteh ~ct@pipapo.org 1202769865 M * cehteh when booting new kernel it hangs in debians start-stop-daemon script anyone knows what may cause this? 1202769896 M * daniel_hozac what new kernel? what was the previous kernel? what is start-stop-daemon doing?
1202769949 M * cehteh new is 2.6.24 with the experimental rc7 patch 1202769967 M * cehteh old is 2.6.19.1 1202770016 M * cehteh i didnt investigated further seems some things didnt got started and depending services hung (at 100% cpu) 1202770038 M * cehteh just want to ask if someone here is faimilar with that first 1202770143 M * cehteh are this new namespace extensions required? 1202770152 M * cehteh and must be loaded for vserver 1202770285 M * Pazzo is linux-vserver working with 2.6.24?? 1202770307 M * daniel_hozac not fully, no. 1202770411 M * cehteh well i have them on .. 1202770493 M * Pazzo good luck ;-) 1202770585 M * Pazzo and why 2.6.24-rc7? 1202770823 Q * bragon Server closed connection 1202770825 J * bragon ~bragon@2001:7a8:aa58::1 1202770918 J * dna ~dna@190-247-dsl.kielnet.net 1202771134 A * cehteh builds a 2.6.22 kernel ... 1202771299 Q * dna_ Ping timeout: 480 seconds 1202771331 J * suzy35 ~suzy35@ANantes-257-1-94-126.w90-25.abo.wanadoo.fr 1202771362 Q * _gh_ Ping timeout: 480 seconds 1202771366 M * dowdle Someone in #openvz on Freenode is asking how to set the root dir for a for a vserver. 1202771426 Q * suzy35 1202771467 J * ivan ~ivan@213.85.152.162 1202771469 M * daniel_hozac why are they asking there? 1202771553 M * dowdle daniel_hozac: Because that is where they are? I told them to join here so I don't have to be the middle man. 1202771559 M * ivan hi all! Does anyone know what option should I set when "vserver _server_ build "to specify root directory for vserver? I need my virtual machines to be on a separate partition 1202771563 M * dowdle daniel_hozac: Although Bertl and Hollow are there too. :) 1202771570 M * dowdle daniel_hozac: There he is now. 1202771575 M * daniel_hozac ivan: --rootdir 1202771577 M * dowdle ivan: Welcome 1202771580 M * ivan oh thanx 1202771587 M * ivan tnx) 1202771611 M * ivan I've tryied to use --vsroot but this option seems to be old one.. 1202771616 M * daniel_hozac dowdle: Hollow is (the entire?) 
on the gentoo-vps team, so i'm not surprised... 1202771653 A * Hollow on exams even 1202771657 M * Hollow blerg 1202771669 M * daniel_hozac on what? :) 1202771687 M * Hollow my exams for this term start tomorrow 1202771710 M * daniel_hozac ah. CS? 1202771732 M * Hollow yep, not too hard though :P 1202771763 M * daniel_hozac hehe 1202771776 M * ivan Ha it works) Now the most difficult part I belive.. organizing user\group quota inside vserver) 1202771970 J * _gh_ ~gerrit@bi01p1.co.us.ibm.com 1202771975 M * daniel_hozac shouldn't be too hard, i don't think. but i've never done it... :) 1202772093 Q * hparker Quit: Quit 1202772144 J * friendly12345 ~friendly@ppp121-44-198-55.lns3.mel4.internode.on.net 1202772145 M * Pazzo *g* 1202772420 M * cehteh mhm .. the git tags at kernel.org "v2.6.22" etc are that first 2.6.22 release .. how do i get the minor bugfix upgrades out .. seems there is neither a tag nor a branch 1202772481 M * daniel_hozac it's a separate tree. 1202772486 M * daniel_hozac http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=summary 1202772508 Q * dna Quit: Verlassend 1202772515 M * daniel_hozac Linus doesn't care about the stable trees. 1202772539 M * ivan that's how to make quota inside vserver: http://paste.org.ru/?on5glt but what;s vroot device and how to setup it?)) 1202772561 M * cehteh duh .. thanks :) 1202772580 J * fatgoose ~samuel@76-10-149-199.dsl.teksavvy.com 1202772582 M * daniel_hozac http://linux-vserver.org/Standard_non-shared_quota 1202772652 M * ivan thanx! 1202772655 M * ivan a lot! 1202772660 M * ivan will try it) 1202772778 Q * Skram Server closed connection 1202772779 J * Skram ~mark@HERCULES.sentiensystems.net 1202773004 Q * DoberMann[ZZZzzz] Server closed connection 1202773020 J * DoberMann[ZZZzzz] ~james@cap31-6-88-180-72-76.fbx.proxad.net 1202773268 J * geektopia ~geektopia@61.29.125.10 1202773634 M * geektopia Hi. I'm running vs2.2.0.5 How do I make 127.0.0.1 work inside my guests? 
I tried the "127.0.0.1 issues" on page http://linux-vserver.org/Problematic_Programs Doing so works inside the guest but 'stole' the lo address from my host! 1202773657 M * daniel_hozac what are you trying to accomplish? 1202773710 M * cehteh create mode 100644 mm/slab_vs.h 1202773710 M * cehteh ... means no slub for vserver? 1202773744 M * geektopia Hi Daniel. I simply want localhost == 127.0.0.1 inside my vserver guest i.e for it to be like every other server I administer 1202773755 Q * maddoc Server closed connection 1202773756 J * maddoc maddoc@social.ostruktur.com 1202773831 M * daniel_hozac geektopia: and in what way do you feel that isn't already accomplished? 1202773867 M * daniel_hozac cehteh: it's only accounting. 1202773932 M * cehteh ok 1202773933 M * geektopia Perhaps I'm doing it wrong, but if I follow hints in "Problematic_Programs" I get lo working in the guest BUT lose it from my host 1202773964 M * daniel_hozac geektopia: you need not do _anything_. 127.0.0.1 works _by_default_. 1202773977 M * geektopia In other words I start an lo-enabled guest then while still on my host ssh 127.0.0.1 and end up in my guest. 1202774002 M * daniel_hozac which is expected, since you just bound the guest to that address... 1202774029 M * daniel_hozac i suggest you undo whatever it is you did, go back to the problem, and figure out what the real issue it. 1202774074 M * ivan hm, that's whta I get when starting vserver: http://paste.org.ru/?arb0ux 1202774084 A * Pazzo is soooo tired... 1202774095 M * ivan that's because I didn't specify root password in chroot? 1202774113 M * Pazzo It's enough kernel-upgrade-sports for today :o) 1202774123 M * geektopia Already undone. 127.0.0.1 doesn't work for me by default, if it did I wouldn't have followed the instructions on the wiki. 1202774131 M * Pazzo bye all, bye daniel_hozac - and thanks once again! 
1202774135 Q * transacid Server closed connection 1202774141 M * daniel_hozac ivan: did you use a vserver stage4, use recent utils, and specify -d gentoo? 1202774145 M * daniel_hozac bye Pazzo! 1202774154 M * daniel_hozac geektopia: how does it not work? 1202774156 J * transacid ~transacid@transacid.de 1202774161 M * ivan I used stage3 I belive( 1202774170 M * ivan yes, I specified -d 1202774177 M * daniel_hozac same difference, as long as it's from Hollow's people page. 1202774193 M * ivan do I need to edit fdtab in vserver 1202774195 M * ivan ? 1202774216 M * ivan but I cant see hda or something like block devise in /dev 1202774226 M * ivan *fstab of cousre 1202774244 M * daniel_hozac you should copy /dev/vrootX in the host to /dev/hdv1 in the guest. 1202774286 Q * dowdle Read error: Connection reset by peer 1202774296 J * dowdle ~dowdle@scott.coe.montana.edu 1202774299 Q * Pazzo Quit: ... 1202774307 M * ivan er... I dont have vrootX in /dev in host).. 1202774329 M * ivan hevr to setup it first 1202774330 M * ivan i belive 1202774339 M * ivan *have 1202774372 M * geektopia It doesn't exist! I can't ping it: http://paste.linux-vserver.org/11744