1210637178 Q * edlinuxguru Ping timeout: 480 seconds
1210639549 Q * rob-84x^ Ping timeout: 480 seconds
1210642604 M * daniel_hozac_ Medivh: openvcp needs to be fixed.
1210642647 M * Medivh daniel_hozac, hrm, appears as though the compiler error comes from the vserver.h file though... are you positive it's an openvcp problem?
1210642678 M * daniel_hozac_ yes.
1210642721 M * Medivh hmm... should it use different constants or something? i.e. is that hard to fix? i mean i can do a little C... if someone points me in the right direction :)
1210642832 M * daniel_hozac_ you either need to make sure you have kernel headers that define tag_t (e.g. headers from a Linux-VServer kernel), or typedef it yourself.
1210642835 N * daniel_hozac_ daniel_hozac
1210642847 M * Medivh openvcp websites are down too, so can't really check if there's a more current version
1210643009 M * Medivh hrm, typedef is there, but still won't compile, grmpf
1210643035 M * Medivh [root@piritramid openvcpd-0.2-rc2]# grep tag_t /usr/include/linux/types.h
1210643035 M * Medivh typedef unsigned int tag_t;
1210643039 M * Medivh looks just fine to me, doesn't it?
1210643084 M * daniel_hozac you sure that's getting included?
1210643203 M * Medivh hrm, yeah... stupid me. openvcp is using which doesn't exist... doh
1210643228 M * daniel_hozac i sure hope you have sys/types.h...
1210643286 J * FireEgl FireEgl@adsl-226-58-240.bhm.bellsouth.net
1210643318 M * Medivh heh, oops, yeah... damn too late again ;) checked wrong directory... mhm, so i would just add as an include in openvcp source, right?
1210643348 M * daniel_hozac sure.
1210643377 M * Medivh still nothing, same error :(
1210643402 M * Medivh darn, not my day today
1210644535 Q * Linus Quit: I'll Be Back!
1210648613 M * Bertl_oO okay, off to bed now .. have a good one everyone!
1210648617 N * Bertl_oO Bertl_zZ
1210650269 Q * hparker Quit: Read error: 104 (Peer reset by connection)
1210650946 J * hparker ~hparker@linux.homershut.net
1210651089 Q * zbyniu Ping timeout: 480 seconds
1210655144 P * kir
1210656123 J * cryptronic ~oli@p54A3B2F0.dip0.t-ipconnect.de
1210656238 Q * balbir Ping timeout: 480 seconds
1210658140 Q * cryptronic Quit: Leaving.
1210659006 J * ntrs__ ~ntrs@77.29.70.193
1210659887 J * rgl ~rgl@bl8-137-235.dsl.telepac.pt
1210659892 A * rgl waves
1210659904 J * zbyniu ~zbyniu@host13-188.crowley.pl
1210659942 J * Slydder ~chuck@194.59.17.53
1210660021 M * Slydder morning all
1210660230 J * sharkjaw ~gab@64.28.12.166
1210661159 J * JonB ~NoSuchUse@77.75.164.169
1210661443 J * ntrs_ ~ntrs@77.29.79.182
1210661522 J * mrfree ~mrfree@host1-89-static.40-88-b.business.telecomitalia.it
1210661824 J * bfremon ~ben@lns-bzn-22-82-249-94-177.adsl.proxad.net
1210661871 Q * ntrs__ Ping timeout: 480 seconds
1210662017 Q * mrfree Quit: Leaving
1210662132 M * harry 21:20 < nkukard> harry, around?
1210662144 M * harry now i am ;)
1210662161 M * harry and will be in a few mins/couple of mins ;)
1210662212 J * Linus ~nuhx@bl7-130-23.dsl.telepac.pt
1210662649 J * balbir ~balbir@59.145.136.1
1210663161 J * MatBoy ~MatBoy@wiljewelwetenhe.xs4all.nl
1210664215 J * dna ~dna@197-206-dsl.kielnet.net
1210665637 Q * pmenier_off Quit: Konversation terminated!
1210666162 J * yarihm ~yarihm@84-75-103-252.dclient.hispeed.ch
1210666247 N * DoberMann[ZZZzzz] DoberMann
1210666698 Q * yarihm Quit: This computer has gone to sleep
1210666742 J * yarihm ~yarihm@84-75-103-252.dclient.hispeed.ch
1210667330 Q * yarihm Quit: This computer has gone to sleep
1210667443 Q * JonB Quit: This computer has gone to sleep
1210670546 Q * mick_work Ping timeout: 480 seconds
1210670819 J * JonB ~NoSuchUse@130.227.63.19
1210672276 J * bfremo1 ~ben@lns-bzn-33-82-252-45-56.adsl.proxad.net
1210672629 Q * bfremon Ping timeout: 480 seconds
1210672999 J * friendly ~friendly@ppp59-167-137-15.lns3.mel6.internode.on.net
1210673244 J * rob-84x^ ~rob@submarine.ath.cx
1210675513 J * yarihm ~yarihm@vpn-global-dhcp1-116.ethz.ch
1210675541 Q * Slydder Remote host closed the connection
1210675548 J * Slydder ~chuck@194.59.17.53
1210675603 Q * Slydder Remote host closed the connection
1210675605 J * Slydder ~chuck@194.59.17.53
1210675890 Q * Slydder Remote host closed the connection
1210675897 J * Slydder ~chuck@194.59.17.53
1210676027 Q * Slydder Remote host closed the connection
1210676031 J * Slydder ~chuck@194.59.17.53
1210678898 Q * kriebel Ping timeout: 480 seconds
1210679622 Q * Slydder Quit: Leaving.
1210679632 J * Slydder ~chuck@194.59.17.53
1210679845 Q * friendly Remote host closed the connection
1210679892 J * Mojo1978 ~Mojo1978@p50833C35.dip.t-dialin.net
1210679903 J * friendly ~friendly@ppp59-167-137-15.lns3.mel6.internode.on.net
1210680830 Q * yarihm Quit: This computer has gone to sleep
1210680853 Q * balbir Ping timeout: 480 seconds
1210682859 Q * friendly Quit: Leaving.
1210682884 J * qxehsq ~Mojo1978@p50833C35.dip.t-dialin.net
1210682885 J * rgl_ ~rgl@bl8-137-235.dsl.telepac.pt
1210682956 J * Aiken_ ~james@ppp118-208-54-233.lns4.bne1.internode.on.net
1210682961 Q * Aiken_ Remote host closed the connection
1210682992 J * ktwilight_ ~ktwilight@122.210-66-87.adsl-static.isp.belgacom.be
1210683048 J * ntrs__ ~ntrs@77.29.70.181
1210683116 J * _Radiance ~Radiance@193.16.154.187
1210683130 J * xdr_ ~xdr@gote2.188.cust.blixtvik.net
1210683131 J * mjt_ ~mjt@nat.corpit.ru
1210683135 J * kiorky_ ~kiorky@cryptelium.net
1210683157 J * ensc_ ~irc-ensc@77.235.182.26
1210683160 J * sladen_ paul@starsky.19inch.net
1210683164 J * snooze_ ~o@1-1-4-40a.gkp.gbg.bostream.se
1210683166 J * sid3wind1 luser@bastard-operator.from-hell.be
1210683167 J * g_en__ ~glen@elves.delfi.ee
1210683182 J * xe ex@valis.net.pl
1210683224 Q * Mojo1978 charon.oftc.net kilo.oftc.net
1210683224 Q * rob-84x^ charon.oftc.net kilo.oftc.net
1210683224 Q * MatBoy charon.oftc.net kilo.oftc.net
1210683224 Q * sharkjaw charon.oftc.net kilo.oftc.net
1210683224 Q * rgl charon.oftc.net kilo.oftc.net
1210683224 Q * Aiken charon.oftc.net kilo.oftc.net
1210683224 Q * lilalinux charon.oftc.net kilo.oftc.net
1210683224 Q * ktwilight charon.oftc.net kilo.oftc.net
1210683224 Q * sid3windr charon.oftc.net kilo.oftc.net
1210683224 Q * Radiance charon.oftc.net kilo.oftc.net
1210683224 Q * snooze charon.oftc.net kilo.oftc.net
1210683224 Q * kiorky charon.oftc.net kilo.oftc.net
1210683224 Q * xdr charon.oftc.net kilo.oftc.net
1210683224 Q * mjt charon.oftc.net kilo.oftc.net
1210683224 Q * sladen charon.oftc.net kilo.oftc.net
1210683224 Q * glen_ charon.oftc.net kilo.oftc.net
1210683224 Q * ensc charon.oftc.net kilo.oftc.net
1210683224 Q * ex charon.oftc.net kilo.oftc.net
1210683224 N * snooze_ snooze
1210683224 N * xe ex
1210683349 Q * zbyniu Ping timeout: 480 seconds
1210683413 J * zbyniu ~zbyniu@host13-188.crowley.pl
1210683463 Q * ntrs_ Ping timeout: 480 seconds
1210683831 J * MatBoy ~MatBoy@wiljewelwetenhe.xs4all.nl
1210683832 J * sharkjaw ~gab@64.28.12.166
1210683873 J * lilalinux ~plasma@80.69.41.3
1210683991 J * Mojo1978 ~Mojo1978@p50837DCF.dip.t-dialin.net
1210684101 Q * qxehsq Ping timeout: 480 seconds
1210684501 Q * sharkjaw Remote host closed the connection
1210686285 Q * Slydder Quit: Leaving.
1210686504 Q * kiorky_ Ping timeout: 480 seconds
1210686785 J * kiorky ~kiorky@cryptelium.net
1210686978 J * edlinuxguru ~edlinuxgu@79.sub-97-2-52.myvzw.com
1210687056 Q * JonB Ping timeout: 480 seconds
1210687073 J * yarihm ~yarihm@vpn-global-047-dhcp.ethz.ch
1210687601 J * Hunter ~IfYouCan@clt-84-32-208-16.vdnet.lt
1210687602 M * Hunter hello any french here? I need to talk to a french guy
1210687603 M * Hunter hello any french here? I need to talk to a french guyhello any french here? I need to talk to a french guy
1210687619 M * edlinuxguru Haha this is not a friend finder service
1210687662 M * Hunter in your ass, edlinuxguru
1210687664 M * sid3wind1 he seems to do it in every oftc channel
1210687667 P * Hunter
1210687937 N * Bertl_zZ Bertl
1210687942 M * Bertl morning folks!
1210687948 M * daniel_hozac morning Bertl!
1210687965 M * Bertl seems I shortly missed the french seeking french :)
1210688474 Q * kiorky Ping timeout: 480 seconds
1210688785 J * kriebel ~kriebel@216-164-160-36.c3-0.eas-ubr10.atw-eas.pa.static.cable.rcn.com
1210688982 J * Dessa 505659db@67.207.141.120
1210689048 M * Dessa how do i correctly add an additional ip address to a vserver?
1210689081 M * Bertl while stopped, in the configs 'interfaces' dir, or while running with naddress
1210689155 J * JonB ~NoSuchUse@77.75.164.169
1210689167 M * Dessa so when using the interfaces dir just add a new ip in the "ip" file in the directory would be enough?
1210689172 M * daniel_hozac no.
1210689177 M * daniel_hozac you create a new directory.
1210689182 M * Bertl e.g. '1'
1210689198 M * Bertl and put similar files there as in the '0' dir
1210689207 M * Dessa oh i see
1210689210 M * Dessa thanks
1210689216 M * Bertl http://www.nongnu.org/util-vserver/doc/conf/configuration.html
1210689222 M * Bertl (for details, on the config)
1210689223 M * Bertl you're welcome!
1210689318 M * mc http://lists.debian.org/debian-security-announce/2008/msg00152.html
1210689318 M * mc https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html
1210689330 Q * edlinuxguru Ping timeout: 480 seconds
1210689377 M * Bertl mc: nice, but not really Linux-VServer related, or?
1210689405 M * mc Bertl: maybe. but mispasted anyway.
1210689444 M * Bertl k, try again then :)
1210689450 M * mc here?
1210689451 M * mc :)
1210689468 M * Bertl well, I expect something Linux-VServer related now! :)
1210689498 M * mc uh. you don't want to hear that.
1210689526 M * Bertl hmm, why's that?
1210689552 M * mc there's only one box left w/ vserver in my network :(
1210689592 M * Bertl i.c. everything else is now?
1210689599 M * mc esx. :)
1210689613 M * daniel_hozac wow. somebody's got too much money :)
1210689635 M * Bertl I bet the Linux-VServer machine is running the same number of guests as all the esx machines :)
1210689642 M * mc nop
1210689648 M * Bertl more?
1210689653 M * mc lot less
1210689690 M * mc three esx servers are running like 50, maybe 75 guests. the vserver box runs... 6?
1210689699 M * mc but then, the comparison is unfair anyway.
1210689828 M * Bertl 25 guests per esx server is not bad ... high end hardware?
1210689843 M * mc pretty much
1210689864 Q * Mojo1978 Ping timeout: 480 seconds
1210689890 M * mc 24 cores, 48G RAM on all three boxes
1210689898 J * Mojo1978 ~Mojo1978@p508333CF.dip.t-dialin.net
1210689899 M * mc i.e. in total
1210689906 M * Bertl not bad
1210689933 M * mc that's why i said unfair comparison. the vserver box is somewhat less.
1210689973 M * mc also, esx has quite some advantages over vserver and virtualization vs paravirtualization are two different shoes anyway.
1210689999 J * rob-84x^ ~rob@submarine.ath.cx
1210690039 M * Bertl what are the advantages (except for the machine vs. OS virtualization part)?
1210690060 M * mc vmotion, DRS, HA.
1210690089 M * Bertl DRS?
1210690140 M * JonB Hells Angels?
1210690159 M * Bertl well, I figured the High Availability, but DRS?
1210690169 M * mc Distributed Resource Sharing or something, basically the hosts make sure the load is distributed amongst hosts
1210690184 M * Bertl by moving around guests?
1210690189 M * JonB and vmotion?
1210690197 M * Bertl that is guest migration
1210690214 M * mc High Availability instead means, that if any of the hosts goes down, the remaining hosts will take the guests which were on the machine that's been down
1210690217 M * mc eh
1210690220 M * mc am i selling vmware here now?
1210690224 A * mc feels like a sales.
1210690236 M * mc unhappily so, i may add :-P
1210690267 M * daniel_hozac DRBD+heartbeat can handle that for Linux-VServer without problems.
1210690278 M * JonB mc: tighten that tie, your face has to be blue
1210690280 M * Bertl and does, in certain setups
1210690333 M * mc Bertl: oh, and yes, by moving around guests
1210690337 M * Bertl I still don't know why folks are so freaked out about the (Not so live) migration part ...
1210690354 M * JonB Bertl: it looks great on paper
1210690355 M * mc Bertl: ? vmotion is live.
1210690368 M * mc the actual downtime when moving around guests is < 1 sec
1210690385 N * mjt_ mjt
1210690390 M * mc and that's the moment the memory is frozen, moved to the other box and reawakened
1210690392 M * JonB so, they are down
1210690398 M * Bertl mc: show me that with a guest which has 10k page impressions per second
1210690421 M * mc Bertl: for such a server, virtualization is the wrong thing anyway.
1210690433 M * Bertl mc: it will be more like 30-60 seconds and a huge amount of disk I/O
1210690446 M * mc heh.
1210690454 M * Bertl (or network, depends on the migration)
1210690459 M * mc unlike vserver :-P esx is NOT making your boxes faster.
1210690496 M * Bertl do you know how often the DRS moves guests around?
1210690507 M * Bertl are there any collectable statistics or so?
1210690511 M * Bertl (just curious)
1210690526 M * mc depends on your settings. there are five settings between "very conservative" and "very aggressive"
1210690531 M * JonB mc: vserver virtualization would not be wrong for a 10k page impressions per second server
1210690581 M * mc bertl: on my setup it does very seldom. 5 per day i'd consider much, but then, the load doesn't spike much.
1210690586 M * mc (the load on the guests)
1210690588 J * edlinuxguru ~edlinuxgu@216.223.13.127
1210690744 M * mc so, can you put the lamp out of my face now? it's getting warm :-P
1210690866 M * JonB 16:59 Lieutenant JonB ends Interrogation, the criminal has pleaded guilty, as expected, and we did not even have to apply moderate physical pressure
1210690878 M * mc :)
1210690890 M * mc 74 (running) guests btw, i just counted them
1210690919 M * mc and every one of the hosts has 10% CPU Load and around 66% RAM usage
1210690981 M * JonB okay
1210691094 M * mc oh well, for a customer we have even set up a cluster of boxes which run identical vservers which in turn are loadbalanced, so i may add that esx isn't the holy grail, but on some setups it's nice.
1210691128 M * mc (and the last time i tried to run a -ugh ugh- windows on vserver, it failed miserably.)
1210691192 M * Bertl well, that's actually a feature :)
1210691203 J * sandman ~s@CPE-24-208-55-92.new.res.rr.com
1210691209 M * sandman Anyone alive?
1210691215 M * Bertl nope, all dead ...
1210691219 M * sandman Good.
1210691225 M * wp as dead as dead can be
1210691228 M * sandman I was wondering how I might get "host-based" networking for a VS?
1210691246 M * Bertl hmm, by default
1210691250 M * sandman Or will this be coming with the advent of ngnet
1210691276 M * sandman Well, what I mean is: I have eth0 on the host system. I wanted the VServer to have an interface like that.
1210691286 M * sandman Currently it's @ 10.0.0.1, and it doesn't appear to route to the internet.
1210691292 J * kiorky ~kiorky@cryptelium.net
1210691297 M * sannes hm, for a while I ran vservers with gfs as the data volumes .. was great, could switch a vserver from one server to the next in less than 5 seconds .. :)
1210691319 M * Bertl sandman: how would a 'virtualized' network interface help there?
1210691321 M * sandman Basically I want to ssh into it and dist-upgrade to testing/sid
1210691332 M * mc Bertl: hehe. for you maybe, for me -sadly- not.
1210691337 M * daniel_hozac sandman: and, why can't you?
1210691355 M * sandman daniel_hozac: Well, I'm trying to find out how in the documentation, but I'm a bit confused
1210691374 M * Bertl sandman: because you are looking at the wrong docu
1210691391 M * Bertl sandman: you want to read up on linux networking not Linux-VServer
1210691397 M * sandman Basically when I try to SSH in, it fails because, from what I understand, PAM is not installed.
1210691427 M * Bertl sandman: aha, how did that happen?
1210691444 M * daniel_hozac uh? if pam was required, it should be installed... unless you're using slackware.
1210691449 M * sandman So I'm guessing I could stop the vserver, chroot in, install PAM, exit chroot, restart vserver, log in via SSH, then dist-upgrade
1210691464 M * Bertl try with 'vserver enter' first
1210691511 M * sandman Okay, I got into it using that command, thank you.
1210691530 M * Bertl np, but that sounds very much unrelated to the network part
1210691538 M * sandman Networking still doesn't work. So let me guess, getting this "host" networking I was blathering about, I'll be creating a bridge, and a TUN/TAP interface behind the bridge?
1210691553 M * daniel_hozac uh, no.
1210691573 M * Bertl sandman: if you define host-networking as virtual interface, es
1210691575 M * sandman Sorry
1210691575 M * Bertl *yes
1210691578 M * daniel_hozac you'll either use NAT, or give the guest an address that the upstream router already knows how to route.
1210691598 M * sandman daniel_hozac: Like 192.168-something?
1210691608 M * sandman <== is using a Linksys router, and so that should work.
1210691615 M * Bertl if that is your host's routed network, yes
1210691633 M * Bertl i.e. if the host has 192.168.0.10 and the router 192.168.0.1
1210691652 M * sandman Right
1210691654 M * Bertl then you can give the guest 192.168.0.11 (given the router routes that one)
1210691691 M * Bertl (it also has to nat it for public network access)
1210691765 M * sandman Wow.
1210691766 M * sandman That was easy.
1210691773 M * sandman I feel very stupid right about now
1210691832 M * Bertl see topic :)
1210691875 M * sandman Aye
1210691883 M * Bertl the thing is, you need to forget about the bridging and routing indirection stuff, when using Linux-VServer
1210691895 M * sandman It's a beautiful thing
1210691899 J * cryptronic ~oli@p54A3B2F0.dip0.t-ipconnect.de
1210691903 M * sandman I thought it was going to be complicated and non-standard or something
1210691916 M * sandman But maybe that's just because it's what I'm used to with qemu/virtualbox and what-have-you
1210691961 M * sandman Is it decidedly insecure to cp -a /dev/snd /dev?
1210692020 M * Bertl depends on the device(s)
1210692042 M * sandman I see.
1210692043 M * Bertl basically if you give a device to a guest, it will be able to do things with it (like ioctls and such)
1210692065 M * sandman And if there's some sort of root exploit for it, then it will spill over since VServer uses the host kernel.
1210692073 M * sandman Which is fine. I'm just trying to get my mind around this concept
1210692073 M * Bertl precisely
1210692090 M * sandman Okay, I'll try the dist-upgrade now.
1210692091 M * Bertl a not so obvious case is the block device
1210692120 M * Bertl it looks safe at first glance to give an entire block device to a guest, but that might cause all kinds of issues
1210692209 M * pflanze hm, if the kernel is never told to mount that device, it should be safe, or not?
1210692288 M * Bertl you still might be able to cause kernel problems with changes to the ide subsystem
1210692296 M * Bertl (or scsi if that is used)
1210692315 M * Bertl think switching between dma and non-dma for example
1210692336 M * sandman Just for the record, getting my vserver up and running and entering it was as easy as "aptitude install linux-image-2.6-vserver util-vserver vserver-debiantools && newvserver --hostname foo --domain foo.foo --ip 192.168.1.11 --dist etch && vserver foo enter"
1210692350 M * pflanze hm, it's possible to change dma settings on a block device? Not just unbuffered accesses?
1210692353 M * sandman A single command to get it all working. That really is lovely =)
1210692369 M * pflanze and what about lvm logical volumes?
1210692373 M * Bertl sandman: nice, but you might want to avoid the broken newvserver script in the future
1210692380 M * sandman Bertl: It's broken?
1210692385 M * sandman I did not know that
1210692408 M * Bertl yep, unfortunately, better update util-vserver from backports and remove the debian addon
1210692447 M * Bertl but again, YMMV, and IIWFY ...
1210692883 M * sandman BTW: If there is an exploit in the module for /dev/input/mice, /dev/snd/* and so forth, what's the worst that can happen? They can damage the vserver? Or would they in theory be able to escape the VServer
1210692981 M * daniel_hozac depending on the type of exploit, they'd be able to escape and/or cause problems for other guests.
1210693079 Q * phedny_ Ping timeout: 480 seconds
1210693218 M * ard sandman : I see it like this: compared to having f.i. a xen virtual server and a vserver: when r00ting a xen guest you have a rogue system in your network, since it can do *anything* with networking.
1210693274 M * Bertl well, there have been host exploits too :)
1210693275 M * ard if you root a vserver you can wreak havoc with the files, but you can't do anything more than that, unless you also have an exploitable kernel
1210693289 A * ard wasn't finished :-)
1210693345 M * ard rooting a server is a "likely" thing to happen. So it matters what happens after the rooting....
1210693389 M * ard (for rooting you only have to install the commercial zend platform f.i. . Exploit galore...)
1210693451 N * phedny Guest818
1210693454 J * phedny ~mark@2001:610:656::115
1210693614 M * sandman I see.
1210693620 M * sandman Well, I'll certainly avoid zend.
1210693690 M * pflanze What are you guys using for automatic intrusion detection?
1210693702 M * ard pflanze : ps faux
1210693703 M * ard :-)
1210693720 A * ard is fortunately more a hoster
1210693737 M * pflanze hoster=vserver client?
1210693747 M * ard and sometimes I have to tell a client about an eggdrop on their systems :-)
1210693747 M * pflanze or hosting vservers?
1210693779 M * pflanze yes, I mean you've got better chances detecting rootings when running checks from the host.
1210693782 M * ard pflanze : hosting as in real servers and infra and such. Not the exploitable software that's gonna run on them :-)
1210693788 M * ard ah
1210693804 M * pflanze and it's in your interest finding out asap when a client is broken into.
1210693806 M * ard I wanted to look at chkrootkit and see if it is scriptable for /var/lib/vservers
1210693840 M * ard But I haven't got around to it yet
1210693870 M * pflanze you can run chkrootkit on chroots, yes
1210693880 M * ard I think that that kind of detection, together with iptables is the best thing to do
1210693890 M * pflanze although I've always been a bit leery about doing it--hope they've written it correctly.
1210693909 M * pflanze with iptables?
1210693929 M * pflanze you mean, observing traffic patterns automatically?
1210693955 M * ard pflanze : I was starting with http://wiki.kwaak.net/twiki/bin/view/Main/VserverTables
1210693980 M * ard pflanze : it's just that you should always restrict incoming and outgoing traffic
1210693999 M * pflanze sure, but that's not detection, that's protection
1210694034 M * ard well, it's part of damage control
1210694040 M * ard actually the biggest part
1210694076 M * pflanze but my question is, how do you detect automatically when a client has been broken into?
1210694106 M * ard Ah...
1210694112 M * pflanze I'm looking for a kind of IDS which is well suited to such an environment.
1210694132 M * ard well, a real IDS is also a security threat in itself :-)
1210694140 M * ard so it should be run within a vserver
1210694155 M * pflanze ugh
1210694184 M * ard But simple checks should suffice I guess
1210694198 M * ard depends on how much control you have on the environment
1210694214 J * ki1 ~kir@swsoft-msk-nat.sw.ru
1210694273 M * ard for my personal company I will certainly use something like chkrootkit, since I don't have the firewall environment available as some other projects
1210694273 M * pflanze If anyone else listens, I'm looking for a way to observe the vservers, i.e. processes, open sockets, and some learning infrastructure which would alarm me when unusual things are going on.
1210694300 M * pflanze Data collection and learning algorithms are kind of enough complexity to have held me back from writing something.
1210694519 M * sandman This is odd. I run tightvncserver in the VServer (whose IP addy is 192.168.1.11), and xtightvncviewer into it, only to discover that it just displays my host desktop's VNC session
1210694543 M * Bertl sandman: not odd, more expected
1210694563 M * sandman Because the VServer's ethernet dev is the host's
1210694566 M * Bertl sandman: the problem is most likely caused by the fact, that your host's vncserver binds _all_ addresses
1210694567 M * sandman I suppose that makes sense.
1210694592 M * sandman Bertl: I see. So I'll just go ahead and turn it off and try, then.
1210694598 M * Bertl the guest is restricted to guest only IPs, if you restrict the host vnc to host IPs, it should work fine
1210694619 J * kir ~kir@swsoft-msk-nat.sw.ru
1210694621 M * Bertl (same is usually true for sshd, btw)
1210694697 M * sandman Aha, what do you know.
1210694705 M * sandman This is all starting to come together now
1210694883 M * DLange Hi Folks, just for info. Those of you having SSH/SSL keys generated on Debian need to redo these due to a major problem with the (Debian patched) random number generator.
1210694889 M * DLange see http://lists.debian.org/debian-security-announce/2008/msg00152.html
1210694899 M * Bertl yep, got that a few hours ago :)
1210694936 Q * ki1 Ping timeout: 480 seconds
1210695127 M * Bertl DLange: more interesting would be, why did debian mess with the RNG?
1210695169 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1210695188 M * sandman Alright, now it's just giving me connection refused.
1210695192 M * sandman I stopped the VNCserver on the host.
1210695204 M * DLange Bertl: I'm rather sure this will be discussed in detail over the next few days. More than the guy who did it will like it :).
1210695214 M * Bertl sandman: (re)start the guest vnc, it couldn't start before
1210695240 M * sandman I did. tightvncserver -kill :1 && tightvncserver
1210695259 M * sandman I tried just plain connecting, as well as appending :5901 to the end of the address, still no go.
1210695261 M * Bertl DLange: once you have details on that, please let me know ...
1210695270 M * sandman It is, however, giving errors about being unable to lock .Xauthority
1210695286 M * Bertl check with lsof -ni :5901
1210695296 M * Bertl (to make sure that something is bound there)
1210695323 M * sandman It is
1210695336 Q * JonB Ping timeout: 480 seconds
1210695372 M * sandman svs@cdecafvs:~$ lsof -ni :5901
1210695372 M * sandman COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
1210695372 M * sandman Xtightvnc 10614 svs 3u IPv4 238265 TCP 192.168.1.11:5901 (LISTEN)
1210695372 M * Bertl then the next step is strace -fF on the vnc server
1210695390 Q * lilalinux Remote host closed the connection
1210695391 M * sandman Alright
1210695401 M * Bertl and check what happens when you try to connect
1210695465 J * jyrxkf ~Mojo1978@p50837DAF.dip.t-dialin.net
1210695476 M * daniel_hozac does your user own its home directory?
1210695524 Q * Mojo1978 Ping timeout: 480 seconds
1210695702 M * sandman It's sitting @ [pid 12028] poll(
1210695710 M * sandman I mean, from strace -fF tightvncserver
1210695743 M * sandman Nothing changes when I try to connect
1210695744 M * Bertl that looks like your client is not really connecting there
1210695757 M * Bertl maybe some firewall blocking off the access?
1210695774 M * sandman I have no firewall set up
1210695793 M * Bertl you connect from where exactly?
1210695812 M * sandman And the user does own its own home directory.
1210695828 M * sandman Bertl: Host system, 192.168.1.10, trying to connect to guest VServer @ 192.168.1.11
1210695850 M * Bertl you know that vncviewer needs :1 not :5901 ?
1210695864 M * Bertl (you specify the vnc display there :)
1210695865 M * sandman Does it?
1210695893 M * sandman Jesus
1210695898 M * sandman Now I really am fucking stupid
1210695899 M * sandman admit it
1210695912 M * Bertl np, shit happens ...
1210695920 M * sandman I was trying to connect @ 5901
1210695925 A * sandman holds head in shame
1210695979 M * sandman It still cannot lock Xauthority for whatever reason.
1210695983 M * sandman I'll investigate that later, though
1210696072 J * dennis ~dennis@dslb-084-059-123-139.pools.arcor-ip.net
1210696089 P * dennis
1210696181 M * Bertl wow, just solved a funny mystery .. apache+php crashing with a double free in glibc
1210696222 M * Bertl turns out to be caused by missing timezone info ...
1210696286 M * sandman Seems odd to me that something so seemingly minuscule would crash it, but what do I know
1210696316 M * Bertl yeah, hadn't expected that either, especially as it was filling up my disk with coredumps
1210696391 M * sandman You going to fix it?
1210696424 M * Bertl well, I already did, by adding the zoneinfo, but looks like an upstream bug to me
1210696476 M * sandman Word.
1210696486 M * sandman BTW: It seems when there's heavy disk access, it really bogs the system down.
1210696493 M * sandman With VServer
1210696510 M * sandman Like, whenever I install a number of things via aptitude within the VS
1210696558 J * balbir ~balbir@122.167.181.99
1210696559 M * Bertl shouldn't be more or less than on a real server
1210696579 M * Bertl what's your disk setup for the guest, what filesystem, what kernel?
1210696634 M * sandman It's just using the host FS
1210696651 M * sandman I can go to /var and look at the filesystem
1210696882 M * sandman But if it's normal, that's fine.
1210696906 M * Bertl as I said, I'd expect the same as on a real host
1210697175 M * sandman Are VServer guests prohibited from creating devnodes?
1210697229 M * pmjdebruijn usually yes
1210697254 M * pmjdebruijn that can probably be circumvented by enabling a capability, at least that's my guess
1210697270 M * sandman That seems reasonable.
1210697300 M * sid3wind1 but by creating devnodes you lose all device security
1210697306 M * sandman Yes
1210697308 M * Bertl pmjdebruijn: yes, but you have to give that capability in the config http://linux-vserver.org/Capabilities_and_Flags
1210697311 M * sid3wind1 as then you can mknod hda and access the entire harddisk
1210697315 M * Bertl (note the red warning :)
1210697369 Q * yarihm Ping timeout: 480 seconds
1210697413 M * sandman I think I'll just skip it, then.
1210697428 M * sandman Well, on the other hand, I _could_ just copy over the appropriate devnodes from the host system
1210697439 M * sandman And only allow security exploits for those particular devnodes
1210697442 M * sid3wind1 yup
1210697442 M * Bertl yep, with e.g. cp -va
1210697443 M * sid3wind1 hehe
1210697469 M * sandman I'm having a bit of an issue with VNC, btw. The screen is all gray.
1210697503 M * Bertl IIRC, with nothing running, you get a white/black background, no?
1210697513 M * sandman Yes
1210697535 M * Bertl and yours is gray?
1210697567 M * sandman Yes. I see this in the vnc log: http://hackeron.dyndns.org/fusetechcomet.jpg
1210697569 M * sandman Lots of errors
1210697607 M * sandman And this: http://hackeron.dyndns.org/fusetechcomet.jpg
1210697610 M * sandman Err, wrong URL there
1210697614 M * sandman please disregard
1210697618 M * sandman My pasting isn't working
1210697619 M * Bertl thought so :)
1210697628 M * sandman xrdb: can't open file '/home/svs/.Xresources'
1210697630 M * sandman There
1210697651 M * Bertl well, double check access/permissions as daniel_hozac suggested
1210697657 M * sandman And this: _IceTransSocketUNIXConnect: Cannot connect to non-local host cdecaf. Okay, will-do
1210697661 Q * jyrxkf Ping timeout: 480 seconds
1210697695 M * sandman Okay, yes. Permissions are there for the user's home directory
1210697718 M * sandman drwxr-xr-x 7 svs svs 4096 2008-05-13 11:54 svs
1210697725 M * Bertl xrdb seems to have problems opening it
1210697732 M * sandman Well, the file isn't there
1210697742 M * Bertl try to touch it
1210697774 J * Mojo1978 ~Mojo1978@p50837564.dip.t-dialin.net
1210697789 M * sandman Done. When re-running vncserver, I still get: "xauth: error in locking authority file /home/s/.Xauthority"
1210697797 M * sandman Well, that's weird. The host user's home directory
1210697833 M * sandman I'm logged in as svs in the vserver, on the host I have a user named s, which runs the host's X session.
1210697856 M * sandman When I run vncserver in it, it tries to access s's home dir? Must have something to do with the environment variables
1210697868 M * Bertl could be ...
1210697891 M * sandman Okay, "su - svs" from the vserver's root account makes it work.
1210697920 M * sandman Well, to the degree that it doesn't give any errors about Xauthority.
1210697952 M * sandman It seems strange to me that environment variables from are carried over all the way from the host's non-root account
1210697958 M * sandman -from
1210697984 M * sandman from non-root to root, to vserver's root, to vserver's nonroot. I would expect they would be dropped somewhere along the way, but aren't. But I suppose that makes sense anyway.
1210698010 M * Bertl first, don't use 'vserver enter' for everyday work
1210698027 M * Bertl (in this case, you will bring along a lot of stuff from the host)
1210698039 M * Bertl use sshd as you stated in the beginning
1210698084 M * Bertl (the enter is for maintenance purposes only)
1210698143 M * sandman Gotcha.
1210698151 M * sandman Hm. Still gray screen
1210698166 M * sandman vnc log doesn't display any errors any longer, either.
1210698184 M * Bertl what are you trying to accomplish?
1210698197 M * Bertl i.e. what is the desired setup
1210698220 M * sandman Well, I basically just want to have my host system with just services, and my vserver with client-related things
1210698229 M * sandman Host will run Debian Stable, guest will run Debian Testing/Unstable
1210698274 M * Bertl okay, usually you do it the other way round, but np, still ... where does the vnc come into play?
1210698305 M * sandman Well, I intend on having more VServers running the actual services, all on stable
1210698332 M * sandman So the host will be stable, stable vservers for its various services, and one particular vserver running testing/unstable for my daily stuff.
1210698352 M * sandman You're going to ask me if running X out of the VServer would be appropriate, right?
1210698355 M * Bertl perfect, still I don't see any vnc :)
1210698368 M * sandman I'm fine with that
1210698374 M * sandman I guess I assumed using VNC would be easier somehow.
1210698428 M * sandman I was wrong, as usual.
1210698461 M * Bertl well, X11 inside a guest is somewhat problematic (security wise)
1210698524 M * Bertl but, if you have X11 running on the host, you can ssh (-x) into a guest and simply forward X11 apps
1210698534 M * Bertl (via ssh x11 forwarding)
1210698549 M * sandman And this is secure?
1210698560 M * sandman I mean, when I think X forwarding I immediately think insecurity
1210698564 M * sandman But I suppose SSH helps
1210698576 M * Bertl I've heard so ... (unless you use debian with broken ssh keys :)
1210698616 M * sandman Yes, as happened recently =)
1210698627 M * sandman Based upon the info page, it looks like ssh -Y would be appropriate.
1210698634 M * sandman Although I've never used that sort of thing before.
1210698702 M * Bertl simple ssh to the guest should do, as long as xauth is installed there
1210699031 Q * balbir Ping timeout: 480 seconds
1210699157 M * sandman Okay. I changed ~/.vnc/xstartup to point to something other than gnome, namely twm, and it works just fine.
1210699186 M * sandman gnome-session is rather borked under VServer. This likely has to do with the devnodes, but this will do just fine. 1210699274 M * sandman This is great. I followed your advice and it's all working now. 1210699290 M * sandman I restricted the host's SSHD to just its own IP address, and that works now. VNC works, and soon I will try X 1210699297 M * sandman That is, under ssh 1210700408 J * JonB ~NoSuchUse@77.75.164.169 1210700750 J * ktwilight ~ktwilight@33.110-67-87.adsl-dyn.isp.belgacom.be 1210700969 Q * ktwilight_ Ping timeout: 480 seconds 1210701079 M * sandman I'm still noticing a rather nasty performance hit on HDD access 1210701097 M * sandman Whenever the VServer accesses the disk, the entire system becomes quite choppy on an immediate basis 1210701121 M * Bertl which doesn't happen if you access the disk on the host? 1210701153 M * Bertl repeating one of my original questions: what kernel/patch version? 1210701191 M * sandman linux-image-2.6.18-6-vserver-k7 1210701206 M * Bertl that's quite old (ancient almost) 1210701218 M * Bertl do you have a separate /home partition? 1210701244 M * sandman Yes 1210701317 M * Bertl so what happens if you access the /var partition, with e.g. dd on the host? 1210701328 M * sandman Nothing 1210701334 M * sandman I mean, the image is created 1210701343 M * Bertl image? 1210701355 M * sandman dd if=/dev/zero of=/var/testing123 bs=1024 count=102400 1210701386 M * Bertl okay, that runs fine, without affecting 'the entire system' 1210701394 M * sandman Right. In fact, I see no lag at all 1210701401 M * Bertl but doing the same inside the guest affects it? 1210701407 M * sandman Yes, heavily 1210701422 M * sandman The mouse is frozen until it finishes whatever it's doing. 1210701428 M * Bertl strange, but I would first update the kernel, not much point in debugging it there 1210701429 M * sandman So in the case of DD, until the DD finishes, I cannot use the computer 1210701461 M * sandman Alright. 
1210701466 M * sandman I'll have to get back to you on that 1210701471 M * sandman Will end up using another computer 1210701612 M * sandman I mean, for that testing, that is. 1210702282 M * sandman Oddly, it now seems that only the mouse lags. 1210702285 M * sandman Not the keyboard. 1210702346 M * sandman Thought I'd add that. 1210702426 M * Bertl I vaguely remember such an issue about 2 years or so ago, had to do with improper priorities or so 1210702446 M * Bertl (of course, was fixed back then) 1210702500 J * hijacker ~Lame@87-126-142-51.btc-net.bg 1210702999 J * xanoro ~xanoro@p549E56E2.dip.t-dialin.net 1210703477 M * pflanze Hey, Bertl + sandman: I've just read on the linux kernel ml that there seems to be a problem with cfq 1210703484 M * pflanze (thread "performance "regression" in cfq compared to anticipatory, deadline and noop") 1210703520 M * pflanze might be related to sandman's problem and mine from yesterday, or then maybe not, whatever. 1210703572 M * Bertl you mean, the regression is 12 months old? 1210703601 M * pflanze yes they are mentioning it might be quite old 1210703623 M * Bertl well, the next question is, does sandman use cfq at all 1210704151 M * sandman I don't use preemption, if we're talking about the same thing here 1210704158 M * sandman We're talking about kernel scheduling, right 1210704298 J * apboio ~Mojo1978@p50836D19.dip.t-dialin.net 1210704351 M * pflanze sandman: nothing to do with preemption; 1210704366 M * pflanze cat /sys/block/sda/queue/scheduler 1210704375 M * pflanze and replace sda with the disk(s) you use 1210704384 Q * Mojo1978 Ping timeout: 480 seconds 1210704671 J * Mojo1978 ~Mojo1978@p50836579.dip.t-dialin.net 1210704673 J * ntrs_ ~ntrs@77.29.66.232 1210704779 Q * apboio Ping timeout: 480 seconds 1210704806 Q * xanoro Quit: Leaving. 1210705083 Q * ntrs__ Ping timeout: 480 seconds 1210705566 M * sandman noop anticipatory deadline [cfq] 1210705570 M * sandman Is what mine says. 
1210705578 M * sandman I have to go for a bit 1210705581 M * sandman Will be back later 1210705589 M * Bertl okay, so try to switch to deadline 1210705616 Q * rgl_ Quit: Saindo 1210705891 Q * Mojo1978 Ping timeout: 480 seconds 1210705915 J * Piet ~piet@tor.noreply.org 1210706958 J * doener_ ~doener@i577AF969.versanet.de 1210707059 Q * doener Ping timeout: 480 seconds 1210707472 Q * hijacker Quit: Leaving 1210707922 Q * bfremo1 Remote host closed the connection 1210708275 Q * bronson Quit: Ex-Chat 1210708288 J * bronson ~bronson@adsl-68-122-117-135.dsl.pltn13.pacbell.net 1210709766 J * bfremon ben@lns-bzn-33-82-252-45-56.adsl.proxad.net 1210709977 Q * bonbons Quit: Leaving 1210710079 Q * ruskie Quit: Caught sigterm, terminating... 1210710339 Q * bfremon Ping timeout: 480 seconds 1210711212 J * ruskie ruskie@ruskie.user.oftc.net 1210712730 Q * sandman Ping timeout: 480 seconds 1210713092 Q * MatBoy Quit: Ik ga weg 1210713292 J * Aiken ~james@ppp121-45-217-254.lns2.bne1.internode.on.net 1210713778 Q * cryptronic Quit: Leaving. 1210715085 Q * dna Ping timeout: 480 seconds 1210715586 J * Beuc ~yo@82.238.35.175 1210715770 Q * hparker Quit: Read error: 104 (Peer reset by connection) 1210715796 M * Beuc Hi. Is it planned to provide vserver for a more recent kernel? I'm beginning to feel uneasy about security support, and upgrading 3 kernel versions at once :) (sorry if this was already asked) 1210715807 M * Bertl like 2.6.26? 1210715871 M * Beuc 2.6.25 would be enough ;) 1210715878 M * Bertl http://vserver.13thfloor.at/Experimental/ 1210715911 M * Bertl 1st one 22nd of April, as it looks like 1210715982 M * Beuc Damn, all this was a trap for me to run experimental versions :) 1210716035 J * hparker ~hparker@linux.homershut.net 1210716079 M * Beuc Is there documentation about 2.2->2.3 changes, and about how experimental this is? 
1210716121 M * Bertl it's fairly experimental (as is mainline), some things are not resolved yet 1210716131 M * Bertl but it seems to work so far 1210716264 M * Beuc I'll have a try then. 1210716539 Q * JonB Quit: This computer has gone to sleep 1210716675 Q * kwowt Ping timeout: 480 seconds 1210718020 Q * edlinuxguru Ping timeout: 480 seconds 1210718086 Q * ntrs_ Ping timeout: 480 seconds 1210718144 J * dennis_ ~dennis@dslb-084-059-106-121.pools.arcor-ip.net 1210718278 J * NetNuttt ~jeff@adsl-065-006-153-049.sip.asm.bellsouth.net 1210718918 Q * _gh_ Remote host closed the connection 1210720467 P * NetNuttt Konversation terminated! 1210720507 N * DoberMann DoberMann[ZZZzzz] 1210721780 Q * Piet Quit: Piet 1210722355 Q * daniel_hozac Ping timeout: 480 seconds 1210722567 J * daniel_hozac ~daniel@ssh.hozac.com 1210722579 Q * Beuc Quit: Leaving