1209342284 M * Bertl okay, off to bed now ... have a good one everyone!
1209342288 N * Bertl Bertl_zZ
1209351198 J * balbir ~balbir@122.167.177.193
1209351969 J * mugwump ~samv@watts.utsl.gen.nz
1209351981 M * mugwump hey, I just had a box go down - run out of tasks
1209352003 M * mugwump I notice on other vserver machines that `vps ax | wc -l` disagrees with `sar -q`'s plist-sz column
1209352042 M * mugwump (using debian's 2.6.18-6-vserver-amd64 kernel)
1209352068 M * mugwump on the machine which died, plist-sz was approaching 32,767
1209352083 M * mugwump and there were <250 tasks shown by `vps ax`
1209352338 M * daniel_hozac isn't sar -q cumulative?
1209352409 M * mugwump documented as "Number of processes and threads in the process list."
1209352424 M * mugwump hmm
1209352450 M * daniel_hozac well, try ps maux | wc -l then.
1209352472 M * daniel_hozac though you'll want an awk in-between those.
1209352538 M * mugwump sudo vps maux  | awk '($2 == "-") { print }' | wc -l
1209352546 M * mugwump ok, that agrees on the stable box
1209352564 M * mugwump the one which went down was 2.6.16-vs2.0.2-rc14 :)
1209352670 M * daniel_hozac anything in the logs?
1209352695 M * mugwump I had a login, and fork was failing
1209352782 M * daniel_hozac echo $(</var/log/messages) should work without fork, i think.
1209352789 Q * balbir Read error: Operation timed out
1209352795 M * daniel_hozac but i assumed you had rebooted the box.
1209352800 M * mugwump yes, I have
1209352808 M * mugwump that would probably moan about the command line length ;)
1209352813 M * mugwump I could intermittantly run commands
1209352829 M * daniel_hozac so there's nothing in the logs _now_?
1209352859 M * mugwump nothing in kern.log
1209352866 M * mugwump it went down relatively cleanly
1209352876 M * mugwump as in, reboot -f ;)
1209352898 M * mugwump I don't think the mount -o ro,remount -f worked
1209357730 J * balbir ~balbir@122.167.177.193
1209358285 Q * balbir Ping timeout: 480 seconds
1209359225 J * esa bip@ip-87-238-2-45.static.adsl.cheapnet.it
1209359249 Q * esa` Ping timeout: 480 seconds
1209359309 J * sharkjaw ~gab@64.28.12.166
1209360052 Q * FireEgl Quit: Leaving...
1209360411 J * Slydder ~chuck@194.59.17.53
1209360829 J * cryptronic ~oli@p54A3B114.dip0.t-ipconnect.de
1209361137 J * balbir ~balbir@122.167.177.193
1209362102 Q * ktwilight Read error: Connection reset by peer
1209362156 J * ktwilight ~ktwilight@170.213-66-87.adsl-static.isp.belgacom.be
1209362200 J * FireEgl FireEgl@adsl-61-144-242.bhm.bellsouth.net
1209362391 Q * larsivi Remote host closed the connection
1209364112 Q * tobifix__ Quit: Leaving
1209364925 J * derjohn_mob ~aj@e180194096.adsl.alicedsl.de
1209365037 Q * cryptronic Quit: Leaving.
1209365281 J * tobifix ~tobifix@IVV7KNALLER.UNI-MUENSTER.DE
1209367505 J * Aiken ~james@ppp121-45-247-4.lns2.bne4.internode.on.net
1209367592 J * wibble wibble@vortex.ukshells.co.uk
1209367711 Q * wibble_ Ping timeout: 480 seconds
1209367933 J * Punkie ~Punkie@goc.coolhousing.net
1209368059 Q * balbir Remote host closed the connection
1209368187 N * DoberMann[ZZZzzz] DoberMann
1209368734 J * bfremon ~ben@ANantes-252-1-55-193.w82-126.abo.wanadoo.fr
1209369246 J * dna ~dna@17-243-dsl.kielnet.net
1209369486 Q * bfremon Ping timeout: 480 seconds
1209369921 Q * derjohn_mob Ping timeout: 480 seconds
1209370119 J * bfremon ~ben@ANantes-252-1-21-146.w82-126.abo.wanadoo.fr
1209370229 J * pmenier ~pme@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr
1209370961 Q * bfremon Ping timeout: 480 seconds
1209371604 J * bfremon ~ben@ANantes-252-1-27-126.w82-126.abo.wanadoo.fr
1209371869 J * balbir ~balbir@122.167.177.193
1209372089 Q * balbir 
1209373023 Q * Q_ Ping timeout: 480 seconds
1209373389 N * Bertl_zZ Bertl
1209373403 M * Bertl morning folks!
1209373488 M * pmjdebruijn mornin
1209374709 J * balbir ~balbir@122.167.177.193
1209375834 J * [PUPPETS]Cook ~bgi|id@pD9EA2D0C.dip0.t-ipconnect.de
1209375861 M * [PUPPETS]Cook hi
1209376320 M * Bertl hey
1209376435 Q * ryker Ping timeout: 480 seconds
1209377167 J * ktwilight_ ~ktwilight@170.213-66-87.adsl-static.isp.belgacom.be
1209377167 Q * ktwilight Read error: Connection reset by peer
1209378607 J * [P]Cook ~bgi|id@pD9EA2D0C.dip0.t-ipconnect.de
1209379064 Q * [PUPPETS]Cook Ping timeout: 480 seconds
1209379292 J * Alexander ~main@217.172.56.88
1209379363 M * Alexander hello. tell please, how I can use iptables on the guest ?
1209379386 M * Bertl not at all ...
1209379445 M * Bertl Linux-VServer does IP isolation, iptables is routing and below that layer, so it remains on the host
1209379493 M * [P]Cook you do not have direct access to the network interface, which would be needed inside the guest to use iptables
1209379500 M * Alexander Bertl: thanks for the answer. I have found vserver_virtuatables (http://www.virtuaserver.com.br/forum/viewtopic.php?t=130). It work?
1209379524 M * Bertl yep
1209379542 M * Alexander thanks :)
1209379594 N * [P]Cook [PUPPETS]Cook
1209379687 M * Bertl np
1209379952 J * virtuoso ~s0t0na@ppp92-101-27-224.pppoe.avangarddsl.ru
1209380363 Q * virtuoso_ Ping timeout: 480 seconds
1209380429 Q * balbir Ping timeout: 480 seconds
1209380944 Q * FireEgl Ping timeout: 480 seconds
1209381533 Q * Alexander Quit: IRC-VPS.NET Virtual Private Servers (VPS) Solutions
1209381692 J * balbir ~balbir@122.167.177.193
1209382620 J * FireEgl FireEgl@adsl-212-220-64.bhm.bellsouth.net
1209382660 J * zbyniu_ ~zbyniu@host13-188.crowley.pl
1209383687 M * ard Hmmm
1209383706 M * [PUPPETS]Cook hhhmmmm
1209383714 M * ard chcontext --cap SYS_NICE,SYS_ADMIN --xid sponlp1 ionice -n7 -p24409
1209383719 M * ard what's flawed about that?
1209383752 Q * zbyniu_ Quit: leaving
1209383755 M * Bertl hmm, looks like most of it to me, but daniel_hozac will know
1209383793 A * ard still gets ioprio_set: Operation not permitted
1209383799 M * ard but I think that was obvious :-)
1209384040 Q * Aiken Remote host closed the connection
1209384055 M * ard Hmmmm, task->uid != current->uid, but no test on uid == 0
1209384168 M * ard found it:
1209384170 M * ard root@chode:/extra/home/ard# chcontext --cap SYS_NICE --xid sponlp1 sudo -u '#2089' ionice -c2 -n5 -p24409
1209384215 M * ard root@chode:/extra/home/ard# chcontext --xid sponlp1 sudo -u '#2089' ionice -c2 -n5 -p24409
1209384218 M * ard is enough...
1209384335 A * ard would assume that uid==0 fixes everything ;-)
1209384356 Q * bfremon Ping timeout: 480 seconds
1209385006 J * bfremon ~ben@ANantes-252-1-93-20.w81-53.abo.wanadoo.fr
1209385056 A * ard6 is doubting if he should split the FAQ about I/O speed
1209386060 M * ard6 http://linux-vserver.org/Frequently_Asked_Questions#Nice_disk_I.2FO_scheduling.2C_is_that_possible.3F
1209386069 A * ard6 's first wiki entry!
1209386070 M * ard6 :-)
1209386220 J * DavidS ~david@p57A48E44.dip0.t-ipconnect.de
1209386544 M * tobifix ard6, nice ;)
1209386761 Q * tobifix Remote host closed the connection
1209386810 Q * DavidS Quit: Leaving.
1209386927 J * tobifix ~tobifix@IVV7KNALLER.UNI-MUENSTER.DE
1209386928 M * tobifix re
1209386944 M * Bertl wb
1209387232 N * [PUPPETS]Cook [PUPPETS]Cook|aw
1209387429 Q * Punkie Quit: ...mizim...
1209387951 Q * mire Ping timeout: 480 seconds
1209388501 Q * sharkjaw Remote host closed the connection
1209389472 M * ard6 Hmmm, notagcheck problem:
1209389493 M * ard6 root@sponla2:/var/web/htdocs/speurdersonline/etc# mv resin.conf resin.conf.franklin
1209389494 M * ard6 mv: cannot move `resin.conf' to `resin.conf.franklin': Permission denied
1209389508 M * ard6 cp-ing the file plain works...
1209389524 M * Bertl check the permissions of the file and dir
1209389528 M * ard6 version  2.6.24.4-vs2.3.0.34-d64-xeon
1209389537 M * Bertl lsattr, showattr, lsxid
1209390069 M * ard6 http://paste.linux-vserver.org/12062
1209390143 M * Bertl what is vsdev?
1209390165 M * ard6 that's another vserver that shares that directory with the notagcheck option
1209390174 M * ard6 -o bind,notagcheck
1209390205 M * Bertl ah, and you expect that to work on such a kernel :)
1209390211 M * ard6 the idea is to do cvs etc from another vserver, and run the stuff in an environment which is close to a live server
1209390223 M * ard6 I don'
1209390229 M * ard6 t expect anything :-)
1209390243 M * ard6 I was happily playing guinnea pig
1209390246 M * ard6 :-)
1209390249 J * Alexander ~main@217.172.56.88
1209390273 M * Bertl good, let's check with 2.6.25/vs.2.3.0.34.5
1209390274 M * ard6 if I've got problems with it, I just downgrade to 2.6.22.19 ;_0
1209390294 M * Bertl or with a devel version for 2.6.22.19
1209390324 M * ard6 2.6.22.19 is available...
1209390439 M * ard6 I can test the other one @home...
1209390523 M * Alexander hello :) I have tried to start virtuatables. On the guest a mistake "Only root can do that ".
1209390523 M * Alexander But start script under root. How it to correct? Thanks
1209390526 M * Bertl good, keep us updated (about both)
1209390559 M * tobifix Alexander, could you download virtuatables? i tried, but the link was dead :(
1209390576 M * Bertl Alexander: which script are you using, what kernel and what user do you use on the guest?
1209390617 M * Alexander tobifix: ftp://ftp.linux-vserver.org/pub/people/dhozac/t/vserver_virtuatables-0.1.tar.gz
1209390672 M * Alexander Bertl: script iptables.sh, kernel 2.6.22.19-grsec2.1.11-vs2.2.0.7; user root
1209390713 M * Bertl grsec is disabled?
1209390740 M * ard6 2.6.22.19-2.3.0.34 has the same problem...
1209390755 M * tobifix Alexander, thanks
1209390773 M * Bertl ard6: okay, tx
1209390790 M * Alexander no, is enabled, security level low
1209390851 M * Bertl could be you hit something there?
1209390866 Q * bfremon Ping timeout: 480 seconds
1209390891 M * Bertl and did you adjust the IP and port info in the script?
1209390904 M * Alexander Bertl: yes
1209391124 M * Bertl so, you could try running the script with bash -x, to get some debug info
1209391127 M * Bertl (please use paste.linux-vserver.org for everything longer than 3 lines)
1209391278 M * ard6 vfs_rename does a "precheck" on may_create and may_delete with NULL as struct nameidata *
1209391301 M * ard6 may_create and such calls permission, which calls dx_permission with NULL as struct..
1209391322 M * ard6 the notagcheck is done on that data...
1209391371 M * Alexander Bertl: http://paste.linux-vserver.org/12064
1209391597 J * bfremon ~ben@ANantes-252-1-53-193.w82-126.abo.wanadoo.fr
1209391604 M * Bertl so netcat complains, which I would say is grsec related
1209391605 J * docelic ~docelic@78.134.192.202
1209391618 M * Bertl try without grsec (maybe even remove the grsec patch)
1209391636 M * Bertl ard6: ah, interesting ... any chance we get the nameidata there?
1209391687 M * Alexander Bertl: thanks, I shall try
1209391711 M * Bertl let us know how it goes
1209391813 M * Alexander ok
1209392043 M * ard6 Bertl : dunno, I'm not a kernel guru :-)
1209392160 M * daniel_hozac Bertl: it's lacking the vfsmount.
1209392213 M * Bertl thought so ... fixable?
1209392248 M * ard6 the namei struct is available in do_rename, but then it calls vfs_rename without those...
1209392303 M * ard6 so, it's there in the calling function
1209392317 M * ard6 (if I am correct ;-) )
1209392525 M * Bertl so then it should be simple ... wanna try a patch? :)
1209392589 M * ard6 for 2.6.25 - 2.3.0.34.5 ?
1209392625 M * Bertl preferable, will be backported to 2.6.22 then
1209392685 M * heanol with grsec, when in learning mode, i assume you're supposed to do all admin tasks as the admin role if you want them to be restricted to being done under the admin role?
1209392708 M * Bertl sounds like a grsec question :)
1209392729 M * heanol yep
1209392743 M * heanol but i was hoping someone in here was running grsec ;)
1209392752 M * heanol sorry for the off-topic i guess
1209392765 M * Bertl np, maybe, let's see ...
1209392788 M * ard6 Hmmm, vfs_rename is EXPORTed
1209392790 M * ard6 :-(
1209392813 M * Bertl np, simply adjust the definition too, it's not the only one we change
1209392830 M * zbyniu heanol: yes
1209392854 M * heanol if i use vserver foo enter
1209392857 M * heanol as the admin role
1209392864 M * heanol is that kept into the grsecurity contexr
1209392867 M * heanol context*
1209392883 M * heanol i dunno how to explain really.. but am i still in the admin role when i've entered a guest? :P
1209392885 M * ard6 and it's used in nfsd :-)
1209392887 J * cryptronic ~oli@p54A3B114.dip0.t-ipconnect.de
1209392910 M * zbyniu heanol: yes, you are
1209392933 M * zbyniu heanol: as long as you don'
1209392950 M * zbyniu don't exit shell or typu gradm -u
1209392959 M * heanol ok 
1209392992 J * mire ~mire@188-175-222-85.adsl.verat.net
1209393097 M * zbyniu heanol: btw, grsec in harry's patch is a little broken, so expect some strange behaviours :)
1209393106 M * heanol zbyniu: broken how?
1209393118 M * Bertl woah, if harry hears that *G*
1209393137 M * heanol i have been running it for a weeks, although with rsbac disabled, but it seems to work fine ;)
1209393141 M * ard6 Hmmm ... fchdir(3)                               = -1 EACCES (Permission denied)
1209393142 M * zbyniu heanol: try subject /sbin/ip  -CAP_ALL in root role
1209393144 M * heanol rbac*
1209393169 M * zbyniu and then type just "ip a add 1.2.3.4/24 dev lo"
1209393193 M * heanol it still works?
1209393203 M * zbyniu sure it works but with holes ;)
1209393222 M * zbyniu yep, no protection in this place
1209393244 Q * tobifix Quit: Leaving
1209393421 M * ard6 Ah, that vfsmount...
1209393668 M * ard6 sys_fchdir could be fixed by fixing just file_permission which holds uses file, which holds a * to vfsmount
1209394194 Q * Slydder Quit: Leaving.
1209395409 J * frode ~frode@ti511210a080-1534.bb.online.no
1209395484 Q * frode Remote host closed the connection
1209395588 J * tobifix ~tobifix@muedsl-82-207-212-043.citykom.de
1209396534 M * Alexander Bertl: I recompile a kernel with disabled grsec. It has not solved a problem :(
1209396567 M * Bertl strange, nc shouldn't complain if you are really root inside the guest
1209396582 M * Bertl could you strace -fF the nc process for us?
1209396616 M * Alexander yes, mom
1209396928 M * daniel_hozac i think that message is coming from the server.
1209397053 J * rm ~irc@90.151.88.228
1209397128 M * Alexander Bertl: http://paste.linux-vserver.org/12065
1209397166 M * Alexander daniel_hozac: On a node I start script php under root
1209397189 M * daniel_hozac you need to bind the nc to a port below 1024.
1209397212 N * rm rm_afk
1209397298 M * Alexander daniel_hozac: yes, port 7001
1209397307 M * daniel_hozac that's above 1024...
1209397316 M * daniel_hozac and i meant the client, not the server.
1209397334 M * Bertl ah, that is the root check, I see :)
1209397355 M * Bertl Alexander: set the _client_ port to something below 1024 then
1209397360 M * daniel_hozac somewhat strange, indeed...
1209397394 M * daniel_hozac but i suppose that's the price you pay to use TCP instead of UNIX sockets :-)
1209397491 M * Bertl well, I've seen worse ideas (think NFS insecure :)
1209397668 M * Alexander sorry, in a script iptables.sh which I start on the client it's possible to set only value "IPTABLES_SERVER_PORT"
1209397808 M * daniel_hozac add -p 1023 to the nc command.
1209397862 M * Alexander thanks
1209397988 M * Alexander many thanks. it works
1209398005 M * Bertl excellent!
1209398062 M * Alexander now I should change port on each the guest? "IPTABLES_SERVER_PORT" and "nc port" 
1209398212 M * Alexander I correctly understand, what for each guest on a server should be started a separate copy of a php script? (virtuatables.php)
1209398258 M * Bertl basically one script should be able to handle all guests, but it's a prototype, so I don#t know
1209398290 M * Alexander Bertl: thanks :)
1209398380 N * rm_afk rm_
1209398449 P * rm_ ~ You are happier than you realize ~
1209398481 M * Bertl you're welcome! 
1209398676 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1209398994 J * Q_ ~kurt@d54C3F9BC.access.telenet.be
1209399629 Q * Alexander Quit: IRC-VPS.NET Virtual Private Servers (VPS) Solutions
1209399761 Q * bfremon Ping timeout: 480 seconds
1209400249 J * waldi ~waldi@bblank.thinkmo.de
1209400390 J * bfremon ~ben@ANantes-252-1-39-185.w82-126.abo.wanadoo.fr
1209400785 J * JonB ~NoSuchUse@77.75.164.169
1209400863 Q * mire Read error: Connection reset by peer
1209400871 Q * bfremon Ping timeout: 480 seconds
1209401531 J * bfremon ~ben@ANantes-252-1-52-49.w82-126.abo.wanadoo.fr
1209401937 J * mire ~mire@238-172-222-85.adsl.verat.net
1209402034 Q * pmenier Quit: Konversation terminated!
1209402496 Q * bfremon Ping timeout: 480 seconds
1209403072 M * ard6 daniel_hozac : is there any objection against going for vfsmount instead of nameidata?
1209403117 M * ard6 It would make most other fixes more easy, at the cost of having to traverse the nameidata at a few places
1209403120 J * bfremon ~ben@ANantes-252-1-59-125.w82-126.abo.wanadoo.fr
1209403170 M * daniel_hozac well, the downside is that without the dentry we can't get a path.
1209403298 M * ard6 Hmmm...
1209403347 M * Bertl in the far future, we will pass path structs, I guess :)
1209403361 M * Bertl dentry, vfsmnt 
1209403371 M * ard6 well, path structs is inbetween nameidata and vfsmount :-)
1209403388 M * daniel_hozac path structs would be optimal.
1209403399 M * ard6 But for the dx_notagcheck we only need the vfsmount struct?
1209403429 M * daniel_hozac but for the error message we want the dentry. device:inode sucks, IMHO
1209403436 M * ard6 :-)
1209403475 M * Bertl does anybody know a smart tool to edit gpt partition tables?
1209403484 M * ard6 allright, that can be fixed mostly in namei, even if dx_notagcheck only checks vfsmount
1209403520 M * ard6 the only problem is that in file_permission f.i. we have a file struct, which contains a path struct, but not a namei
1209403546 M * daniel_hozac i looked at this before...
1209403589 M * ard6 this is only for sys_fchdir and do_rename
1209403589 M * daniel_hozac you could move the fields in either structure, so they match, and have struct path be what's used.
1209403608 M * daniel_hozac and then just cast nameidata to struct path when needed.
1209403624 M * ard6 silently making it a "union" :-)
1209403634 M * daniel_hozac right.
1209403711 A * ard6 currently has a workaround for my situation ...
1209403724 A * ard6 just chxid the dirs to 0 with inotifywait 8-D
1209403833 J * larsivi ~larsivi@144.84-48-50.nextgentel.com
1209404181 N * DoberMann DoberMann[PullA]
1209406648 N * DoberMann[PullA] DoberMann
1209407217 Q * nkukard Ping timeout: 480 seconds
1209407514 M * Bertl nap attack ... off for now .. bbl
1209407520 N * Bertl Bertl_zZ
1209410896 J * doener_ ~doener@i577AEF4B.versanet.de
1209410994 Q * doener Ping timeout: 480 seconds
1209412858 J * Aiken ~james@ppp121-45-247-4.lns2.bne4.internode.on.net
1209413450 J * ViRUS ~mp@p5B245AC1.dip.t-dialin.net
1209414034 Q * [PUPPETS]Cook|aw Read error: Connection reset by peer
1209414123 Q * bonbons Quit: Leaving
1209414334 Q * dna Ping timeout: 480 seconds
1209416137 J * derjohn_mob ~aj@e180194096.adsl.alicedsl.de
1209416751 J * hparker ~hparker@linux.homershut.net
1209417988 N * DoberMann DoberMann[ZZZzzz]
1209418391 Q * bfremon Quit: Leaving.
1209420362 J * geb ~geb@AOrleans-151-1-4-55.w90-21.abo.wanadoo.fr
1209420591 Q * larsivi Remote host closed the connection
1209421815 Q * JonB Quit: This computer has gone to sleep
1209422072 Q * ViRUS Quit: Leaving
1209422201 Q * bardia Ping timeout: 480 seconds
1209423268 Q * docelic Quit: http://www.spinlocksolutions.com/
1209425454 Q * derjohn_mob Ping timeout: 480 seconds
1209425584 Q * infowolfe Read error: Connection reset by peer
1209425594 J * infowolfe ~infowolfe@c-67-160-167-96.hsd1.or.comcast.net
1209426347 Q * cryptronic Quit: Leaving.