1212365214 J * edlinuxguru ~edlinuxgu@ool-4357de9d.dyn.optonline.net
1212365483 Q * mire Ping timeout: 480 seconds
1212365553 M * daniel_hozac edlinuxguru: vslogin (and similar) are unfortunately inherently insecure, just so you know.
1212365806 Q * Piet Quit: Piet
1212368510 Q * eSa| Ping timeout: 480 seconds
1212368779 J * doener ~doener@i577BA71F.versanet.de
1212368885 Q * doener_ Ping timeout: 480 seconds
1212369013 J * FireEgl FireEgl@adsl-212-220-193.bhm.bellsouth.net
1212369361 Q * Mojo1978 Read error: Connection reset by peer
1212369565 J * eSa| ~kvirc@ip-87-238-2-45.static.adsl.cheapnet.it
1212369618 M * edlinuxguru Really in what regard? What is the path to compromise security?
1212369639 M * edlinuxguru Cleverly crafted usernames?
1212369671 M * daniel_hozac no, just nsswitch.conf and a compromised library...
1212369960 M * edlinuxguru Too bad, it seems like a great solution
1212370072 M * edlinuxguru So the authors know about the vulnerability and have not corrected it?
1212370131 M * daniel_hozac you can't really correct it without building against dietlibc, which isn't possible if you're external to util-vserver.
1212370317 M * edlinuxguru What other options are there? I was thinking to tunnel high level ports to the ssh port on the vservers. eg port 9001 = ssh to vserver1
1212370541 M * daniel_hozac sure, that works.
1212370835 M * edlinuxguru I started looking at Vserver control daemon that looks very cool
1212371233 Q * FireEgl Ping timeout: 480 seconds
1212371837 J * FireEgl FireEgl@adsl-220-224-26.bhm.bellsouth.net
1212373620 M * edlinuxguru The directions seem off. For vcd they describe a configure process but in the entire checkout there is no configure script
1212373652 M * daniel_hozac did you create it?
1212373702 Q * NetNuttt Remote host closed the connection
1212373770 M * edlinuxguru No. I tried that process. would confuse-config be an extra dependency?
1212373815 M * daniel_hozac you need at least lucid and libvserver to build vcd, IIRC.
1212374154 M * edlinuxguru Ok I am going to take this up on a test system.
1212374208 M * edlinuxguru I was reading some documentation and there is a statement I do not think I am understanding correctly http://oldwiki.linux-vserver.org/Scheduler+Parameters
1212374228 M * edlinuxguru You should aim that the sum of ( / ) adds up to roughly the number of processors in your system.
1212374302 M * edlinuxguru but the example cites the numbers 7 and 32. 7 / 32 equals 21%
1212374338 M * daniel_hozac ... the sum of _all_...
1212374392 M * daniel_hozac i'm pretty sure http://linux-vserver.org/CPU_Scheduler has the right formulas and phrasings.
1212374506 M * edlinuxguru I understand now. I used the other page because it seemed less theoretical because it had a working example.
1212374540 M * edlinuxguru Thanks for the info
1212374569 Q * FireEgl Ping timeout: 480 seconds
1212374631 Q * edlinuxguru
1212375333 J * FireEgl FireEgl@adsl-17-147-80.bhm.bellsouth.net
1212377074 M * micah daniel_hozac: do you recall the patch to unbreak dynamic contexts? that was only needed for 0.30.214, right?
1212377091 M * daniel_hozac yes.
1212377103 M * micah ok, removing for the .215 backport
1212377866 Q * derjohn_mob Ping timeout: 480 seconds
1212378832 Q * dowdle Quit: Konversation terminated!
1212378983 J * dowdle ~dowdle@67-42-172-36.blng.qwest.net
1212379017 Q * Hollow Remote host closed the connection
1212379032 J * Hollow ~hollow@proteus.croup.de
1212379055 Q * padde Remote host closed the connection
1212379061 J * padde ~padde@patrick-nagel.net
1212379191 Q * pflanze Ping timeout: 480 seconds
1212380099 Q * dowdle Quit: Konversation terminated!
1212381698 J * cryptronic ~oli@p54A3B9F8.dip0.t-ipconnect.de
1212381915 Q * eSa| Ping timeout: 480 seconds
1212382739 Q * meebey Remote host closed the connection
1212382892 J * eSa| ~kvirc@ip-87-238-2-45.static.adsl.cheapnet.it
1212383275 Q * cryptronic Quit: Leaving.
1212384106 Q * pmenier_off Quit: Konversation terminated!
1212384837 J * Slydder ~chuck@194.59.17.53
1212386183 M * franck34 hi there
1212386192 M * franck34 got something strange
1212386196 M * franck34 iptables probably again
1212386269 M * franck34 the public ip address of a host is different in a vserver
1212386293 M * franck34 ie ping foo.com = xx.xx.xx.x, but strace telnet port 80 of this host shows yy.yy.yy.yy
1212386320 M * franck34 seems that yy.yy matches one of the routes
1212387956 J * pmenier ~pme@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr
1212387980 M * franck34 hi pmenier
1212387989 M * pmenier Hey francky
1212387996 M * franck34 ;)
1212388006 M * pmenier what about your mail system ?
1212388018 M * franck34 it's up and running, blocking 90% of spam
1212388025 M * pmenier cool :)
1212388071 M * franck34 so got a full vserver with qmail compiled from source + spamassassin + pyzor + razor + myownpatternmatchingstuff + qmailadmin + atmail + mrtg
1212388121 M * franck34 don't ask me to do it again :)) 2 days pfff
1212388169 M * pmenier yes i know... always a lot of stuff to make a mail system running fine
1212388210 J * rgl ~rgl@bl8-132-161.dsl.telepac.pt
1212388211 M * pmenier how do you call the "antivirus"
1212388223 M * franck34 antivirus ..
1212388224 M * franck34 :)
1212388235 M * pmenier sorry for my poor english.... :)
1212388238 M * franck34 antivaïrus
1212388241 Q * rgl Read error: Connection reset by peer
1212388271 M * franck34 now i'm thinking, dreaming about a monitoring system ...
1212388295 M * pmenier you can take a look at smeserver.org
1212388327 M * pmenier some examples: http://rrd23.pmenier.net/sme/graphs/indexd.htm without snmpd (!)
1212388333 J * dna ~dna@121-230-dsl.kielnet.net
1212388340 M * franck34 rrdtool ?
1212388344 M * pmenier yes
1212388354 M * franck34 wow nice
1212388378 M * franck34 but well
1212388387 M * franck34 i think i'll start a new project
1212388449 M * franck34 the goal should be to define tasks to check some things
1212388452 M * franck34 example
1212388458 Q * meandtheshell1 Quit: Leaving.
1212388467 M * franck34 check a webpage and alert if there is an sql error (mysql down ...)
1212388488 M * franck34 send a mail with a virus, or a spam, to see the response and alert if result not expected
1212388502 M * franck34 try an ftp connection and see if it's up and running
1212388510 M * franck34 try an ssh connection
1212388531 M * franck34 bruteforce some ftp account to check default password if i forget one one day
1212388533 M * franck34 you see ?
1212388555 M * franck34 tools to check configuration policy
1212388591 M * pmenier but you host a bank ? :)
1212388601 M * franck34 no but i work with banks
1212388604 M * franck34 :)
1212388617 M * franck34 i'm working for http://bee-ware.net/
1212388626 M * franck34 filtering reverse proxy for web application security
1212388659 M * franck34 a friend of mine just launched a new opensource project which is an SQL proxy with bad sql things detection ;)
1212388691 M * pmenier interesting...
1212388711 A * pmenier think i'll have more questions, soon :)
1212388721 M * franck34 you are welcome
1212388752 M * franck34 security market is exploding
1212388760 M * franck34 i like paranoia movement
1212388761 M * franck34 http://fr.news.yahoo.com/zdnet/20080530/ttc-l-enisa-met-en-garde-contre-le-risqu-6a3d054.html
1212388851 A * franck34 go back to extjs cms new generation sprint day
1212388922 J * derjohn_mob ~aj@e180217009.adsl.alicedsl.de
1212390276 J * rgl ~rgl@bl8-141-2.dsl.telepac.pt
1212391446 N * DoberMann[ZZZzzz] DoberMann
1212391449 J * sprudle sprudle@cAC15BF51.dhcp.bluecom.no
1212391481 M * sprudle Crisis here - suddenly I can't start my vservers
1212391502 M * sprudle vc_new_s_context(): Function not implemented
1212391512 M * daniel_hozac reboot into a Linux-VServer kernel.
1212391530 M * sprudle How do I do that?
1212391538 M * daniel_hozac reboot, pick the right one?
1212391550 M * daniel_hozac or pick the right one first, and then reboot. up to you, really.
1212391569 M * sprudle Can this be done remotely?
1212391579 M * daniel_hozac sure...
1212391603 M * sprudle Ok, thanks, I'll give it a shot
1212392186 J * bfremon ~ben@lns-bzn-31-82-252-228-49.adsl.proxad.net
1212393302 M * sprudle daniel_hozac: Hey thanks man, that worked.
1212393437 J * ntrs ~ntrs@77.29.67.161
1212393571 P * sprudle
1212393841 J * mire ~mire@111-173-222-85.adsl.verat.net
1212393859 Q * mire Remote host closed the connection
1212394255 Q * eSa| Ping timeout: 480 seconds
1212394584 J * kir ~kir@swsoft-msk-nat.sw.ru
1212394951 P * harry
1212394955 J * harry ~harry@d51A461B4.access.telenet.be
1212394958 M * harry whoops
1212395125 J * eSa| ~kvirc@ip-87-238-2-45.static.adsl.cheapnet.it
1212395282 Q * derjohn_mob Ping timeout: 480 seconds
1212397716 N * Guest563 phedny
1212399046 J * ntrs_ ~ntrs@77.29.78.136
1212399329 Q * ntrs Ping timeout: 480 seconds
1212399455 Q * dna Quit: Verlassend
1212400541 J * bfremon1 ~ben@lns-bzn-32-82-254-6-82.adsl.proxad.net
1212400827 Q * bfremon Ping timeout: 480 seconds
1212401923 Q * [PUPPETS]Gonzo Read error: No route to host
1212402100 J * [PUPPETS]Gonzo dedeibel@fellatio.deswahnsinns.de
1212402705 Q * eSa| Ping timeout: 480 seconds
1212403696 J * eSa| ~kvirc@ip-87-238-2-45.static.adsl.cheapnet.it
1212404062 J * pflanze ~chris__@77-56-81-231.dclient.hispeed.ch
1212404660 J * dna ~dna@77-246-dsl.kielnet.net
1212405278 J * yarihm ~yarihm@vpn-global-dhcp3-176.ethz.ch
1212405497 Q * dna Quit: Verlassend
1212406876 Q * derjohn Ping timeout: 480 seconds
1212406980 J * derjohn ~derjohn@80.69.41.3
1212407641 J * ntrs__ ~ntrs@77.29.70.177
1212407940 Q * Aiken Remote host closed the connection
1212408059 Q * ntrs_ Ping timeout: 480 seconds
1212408409 Q * balbir Ping timeout: 480 seconds
1212408479 Q * ntrs__ Ping timeout: 480 seconds
1212409107 J * balbir ~balbir@122.167.179.232
1212410589 J * ntrs ~ntrs@77.29.70.97
1212410666 N * Bertl_zZ Bertl
1212410671 M * Bertl morning folks!
1212411454 J * mrfree ~mrfree@host28-183-dynamic.37-79-r.retail.telecomitalia.it
1212411744 J * fatgoose ~samuel@dsl11-014.express.oricom.ca
1212412099 Q * balbir Ping timeout: 480 seconds
1212412598 Q * mrfree Quit: Leaving
1212412784 J * balbir ~balbir@122.167.179.232
1212413178 M * pmjdebruijn hmmm
1212413183 M * pmjdebruijn I forgot
1212413191 M * pmjdebruijn when vserver mounts something with its own fstab
1212413205 M * pmjdebruijn it's not visible outside of the server... which capability makes it visible?
1212413301 M * Bertl there is no capability for that, it is because of the use of private namespaces
1212413334 M * Bertl but you can disable them for a guest (not advised) or configure certain mounts to blend through (tricky) but usually you do not need/want either
1212413442 M * pmjdebruijn Bertl: how do I accomplish that?
1212413482 M * pmjdebruijn I think I recall doing it before (for testing)... only I forgot :(
1212413503 M * Bertl the question is, why do you want to do it at all?
1212413503 M * pmjdebruijn oh wait
1212413515 M * pmjdebruijn I do mean "inside" the vserver
1212413521 M * pmjdebruijn but using /etc/vservers/VSERVER/fstab
1212413567 J * ntrs_ ~ntrs@77.29.77.1
1212413669 M * pmjdebruijn Bertl: amongst other things to move files between vservers
1212413698 M * Bertl as root on the host?
1212413706 M * pmjdebruijn yeah
1212413730 M * Bertl well, enter the first guest's namespace, move the files out, enter the second, move the files in again
1212413745 M * pmjdebruijn the vservers don't have an external login
1212413750 M * pmjdebruijn Bertl: huh? why?
1212413763 M * Bertl if you want to 'share' space between guests, mount a shared dir into both guests
1212413768 M * pmjdebruijn Bertl: I can't access the host's filesystem from within the guest
1212413780 M * pmjdebruijn Bertl: we don't want to share
1212413789 M * Bertl vnamespace --help
1212413956 M * pmjdebruijn still
1212413964 Q * ntrs Ping timeout: 480 seconds
1212413987 J * ntrs__ ~ntrs@77.29.65.112
1212414046 A * pmjdebruijn wonders how he did it back then...
1212414128 M * pmjdebruijn http://pastebin.com/m40c60739
1212414132 M * pmjdebruijn currently that's not working
1212414147 M * pmjdebruijn being able to see FS outside of the vserver would make debugging easier as well
1212414186 M * Bertl what's not working in that fstab?
1212414195 M * pmjdebruijn well the vserver doesn't start properly
1212414200 M * pmjdebruijn I can't see why
1212414202 M * pmjdebruijn I can't enter it
1212414206 M * pmjdebruijn something to do with dev/ts
1212414212 M * Bertl well, you bind mount stuff from the host there
1212414222 M * pmjdebruijn indeed
1212414236 M * Bertl so if the libraries do not match, you are screwed
1212414236 M * pmjdebruijn intentionally
1212414241 M * pmjdebruijn "match"
1212414265 M * pmjdebruijn Bertl: before we did this using a script, which wrapped the vserver command
1212414268 M * pmjdebruijn that worked just fine
1212414313 M * Bertl the LABEL part is dubious, btw
1212414327 M * pmjdebruijn why?
1212414347 M * Bertl because I'm not sure the tools will handle that correctly
1212414357 M * Bertl (ask daniel_hozac for details there :)
1212414366 M * pmjdebruijn I'm not sure as well, but I can't see
1212414375 M * Bertl what does 'vserver --debug start' give you?
1212414382 Q * ntrs_ Ping timeout: 480 seconds
1212414400 J * ntrs ~ntrs@77.29.75.27
1212414417 M * daniel_hozac if your mount parses mount LABEL=.... correctly, it should be fine.
1212414456 M * daniel_hozac your /-mount is missing -o dev though.
1212414461 M * pmjdebruijn how do I make vserver expose fs outside of the vserver
1212414517 M * pmjdebruijn daniel_hozac: doh!
1212414529 M * pmjdebruijn hmm weird, I don't recall doing that last time...
1212414532 Q * ntrs__ Ping timeout: 480 seconds
1212414541 M * pmjdebruijn I'm getting senile...
1212414608 M * pmjdebruijn it works now
1212414630 Q * Slydder Quit: Leaving.
1212414642 M * pmjdebruijn though I'd still like to expose my filesystems to the host
1212415084 M * pmjdebruijn Bertl: anyway, our host doesn't have much space to work with, they're ramdisk based...
1212415249 Q * ntrs Ping timeout: 480 seconds
1212415275 Q * eSa| Ping timeout: 480 seconds
1212415429 Q * kir Quit: Leaving.
1212415557 M * pmjdebruijn oh wait, back then I used nonamespace, but that's less than desirable
1212415654 M * Bertl http://www.ibm.com/developerworks/linux/library/l-mount-namespaces.html
1212415940 M * pmjdebruijn does nonamespace only apply to filesystems?
1212415986 J * eSa| ~kvirc@ip-87-238-2-45.static.adsl.cheapnet.it
1212416552 Q * xdr Read error: Connection reset by peer
1212416803 J * xdr ~xdr@34-173-96-87.cust.blixtvik.se
1212417516 J * dowdle ~dowdle@scott.coe.montana.edu
1212418090 M * franck34 Bertl: hi again, about my network problem, finally i didn't solve it
1212418095 J * fatgoose_ ~samuel@76-10-149-199.dsl.teksavvy.com
1212418124 M * franck34 from my vserver i can ping the public ip of the host, but i can't telnet port 80, apache is up and running, and websites are accessible from outside the vserver without any problem
1212418137 M * franck34 any help is welcome, it's an iptables rule problem, but i don't have any clue in that
1212418140 M * franck34 http://paste.linux-vserver.org/12132
1212418142 M * franck34 full configuration
1212418454 Q * fatgoose Ping timeout: 480 seconds
1212418748 J * fluor- ~fluor@silentio.us
1212418807 M * fluor- hi there - looks like there's no vserver patchset for any kernel that's more recent that 2.6.22 - is there any reason for that, and/or will it change soon? :)
1212418819 M * fluor- s/that/than
1212418848 M * m_o_d fluor-: 2.6.25.4 http://vserver.13thfloor.at/Experimental/
1212418943 M * PowerKe franck34: why don't you telnet to the internal ip?
1212418955 M * fluor- m_o_d: I guess experimental means it's not suitable for production
1212418965 M * fluor- m_o_d: or is it already stable enough in your opinion?
1212418991 M * franck34 PowerKe: cause telnet is just an example, i can now svn checkout http://mydomain.com/trunk ...
1212418998 M * franck34 s/can/can't
1212419018 M * mnemoc fluor-: in #vserver case that directory is where Bertl uploads everything :p
1212419024 M * PowerKe but why not use the internal ip from the 'internal side'?
1212419148 M * franck34 PowerKe: because i just restored a backup from a real server and many many things are using hostname
1212419170 M * franck34 and i don't like the idea of maintaining my /etc/hosts file with private ip
1212419175 M * franck34 perhaps i have no choice ?
1212419214 M * PowerKe I always use a different dns setup for internal/external so I'm using 192.x.x.x addresses on the inside and requests from outside come in via iptables like your setup
1212419223 M * daniel_hozac try iptables -t nat -A OUTPUT -j PREROUTING (no idea if that works, if not, just duplicate the ruleset)
1212419278 M * franck34 PowerKe: yep, i think it's the good way but i have no choice for some stuff to use public ip ..
1212419286 M * franck34 daniel_hozac: let me try to understand :)
1212419303 M * mnemoc franck34: decent name servers let you split the answers according to the IP of who asks, so you can return internal IPs to internals, and external IPs to externals
1212419329 M * franck34 mnemoc: got a local dns server on the host, but not in the vserver
1212419341 M * franck34 named ..
1212419378 M * mnemoc the dns server can be on the host and used by all the guests, but it has to be a decent name server ,-)
1212419386 M * mnemoc capable of splitting answers
1212419397 M * franck34 named is capable ?
1212419456 M * franck34 daniel_hozac: trying your way
1212419563 M * franck34 daniel_hozac: doesn't work, i can't access web vserver from outside
1212419572 M * PowerKe I have bind running in a guest. Both host and all guests point to it. When a request comes in from the external interface it's answered with a public ip, when it's from the host/guests it's answered with a private IP
1212419601 M * franck34 PowerKe: mnemoc: i like this solution
1212419603 M * mnemoc franck34: http://homepages.tesco.net/J.deBoynePollard/FGA/dns-split-horizon.html
1212419607 M * franck34 mnemoc: thanks !
1212419952 M * Bertl franck34: did you do the tcpdump -vvnei I suggested yet?
1212419988 M * Bertl fluor-: so I presume you found the patches by now :)
1212420018 M * mnemoc hi master Bertl :)
1212420109 M * Bertl hey mnemoc! how's going?
1212420119 Q * mick_work Remote host closed the connection
1212420254 M * mnemoc Bertl: pretty well, settling at spain.. and you?
1212420284 M * Bertl quite busy .. but otherwise fine
1212421380 M * franck34 Bertl: trying again
1212421503 M * franck34 Bertl: are you sure about -vvnei ?
1212421523 M * franck34 oups sorry ok
1212421525 M * Bertl yep, just add the interface
1212421609 J * cryptronic ~oli@p54A3B9F8.dip0.t-ipconnect.de
1212421698 M * franck34 Bertl: http://paste.linux-vserver.org/12133
1212421722 M * franck34 sniffing on lo
1212421748 J * edlinuxguru ~edlinuxgu@216.223.13.158
1212421919 M * Bertl franck34: okay, let's get the output from the following commands too
1212421919 J * hparker ~hparker@linux.homershut.net
1212421960 M * Bertl 'sysctl -a | grep ipv4' 'ip addr ls' 'ip route ls' 'iptables -vnL'
1212422145 M * franck34 Bertl: http://paste.linux-vserver.org/12134
1212422512 M * Bertl could you -Z (zero) the iptables chains, including those on -t nat before doing the test, then do the test and grab the output with 'iptables -vnL' and 'iptables -t nat -vnL' and upload that again please?
1212422625 M * franck34 you mean add -Z on every iptables rule which is here ? http://paste.linux-vserver.org/12132
1212422650 M * franck34 sorry, noob with low level stuff like that
1212422655 M * Bertl nah, you do:
1212422666 M * Bertl iptables -Z INPUT
1212422685 M * Bertl same for OUTPUT/FORWARD, and similar with -t nat -Z ...
1212422694 M * franck34 k
1212422715 M * Bertl you can check that it worked, if the numbers in the first two columns are zero
1212422739 M * daniel_hozac just iptables -Z; iptables -t nat -Z should take care of them all.
1212422757 J * ntrs ~ntrs@77.29.74.137
1212422765 M * Bertl ah, right, chain is optional
1212422865 M * franck34 http://paste.linux-vserver.org/12135
1212422951 M * Bertl seems you have a lot of other traffic going on there
1212422959 M * franck34 production server
1212422961 M * franck34 but little server
1212422965 M * franck34 personal
1212422975 M * franck34 eaccelerator.net ..
1212422980 M * franck34 and lots of spam
1212423014 M * Bertl what are you trying to reach?
1212423015 A * mnemoc use eaccelerator :p
1212423044 M * franck34 the public IP you see in my telnet command is the public ip of the server
1212423052 M * Bertl when you do telnet 88.191.53.75 80
1212423056 M * franck34 i try to reach it from inside a vserver
1212423059 M * franck34 notice ping is working
1212423063 M * franck34 but telnet port XX no
1212423070 M * Bertl then that will be mapped back to the guest ip
1212423082 M * Bertl 115 6292 DNAT tcp -- * * 0.0.0.0/0 88.191.53.75 tcp dpt:80 to:192.168.0.1:80
1212423099 M * franck34 yep it's supposed to be mapped back like that
1212423116 M * franck34 mm
1212423127 M * franck34 can it be something related to connection status ?
1212423131 M * franck34 new ... established
1212423169 M * Bertl there is an apache running inside the guest, yes?
1212423178 M * franck34 yes
1212423185 M * franck34 and accessible from outside without any problem
1212423189 M * franck34 http://eaccelerator.net/
1212423195 M * Bertl and it allows connects to itself on the private ip, yes?
1212423209 M * franck34 that's what i'm checking in rulez
1212423215 M * Bertl so 'telnet 192.168.0.1 80' works?
1212423227 M * Bertl (inside the guest)
1212423242 M * franck34 yes
1212423399 M * Bertl well, let's add a log rule to INPUT/OUTPUT with check for port 80
1212423413 M * Bertl (if you need to have other traffic on that machine during the test)
1212423451 M * Bertl the only ip assigned to the guest is 192.168.0.1, yes?
1212423456 M * franck34 yep
1212423459 M * franck34 got a second vserver
1212423462 M * franck34 but it's 0.2
1212423464 M * franck34 (mail)
1212423479 M * franck34 the log rule syntax is welcome ...
1212423492 A * franck34 is a noob, ready to pay :)
1212423552 M * Bertl -j LOG --log-prefix "INPUT packets"
1212423565 M * Bertl something like this, one for input the other for output
1212423574 M * franck34 ok thx
1212423576 M * Bertl match to the tcp port
1212423611 M * franck34 iptables -p tcp --dport 80 -j LOG --log-prefix "INPUT packets"
1212423624 M * daniel_hozac and -i lo.
1212423661 Q * fluor- Quit: .
1212423729 M * franck34 no command specified
1212423750 M * franck34 iptables -j LOG -i lo -p tcp --dport 80 --log-prefix "INPUT packets"
1212423752 M * franck34 doesn't work
1212423827 M * Bertl iptables -I INPUT -p tcp --dport 80 -j LOG --log-prefix "INPUT packet"
1212423946 M * franck34 got it
1212423948 M * franck34 Jun 2 18:43:48 sd-10138 kernel: INPUT packetIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.1 DST=88.191.53.75 LEN=56 TOS=0x10 PREC=0x00 TTL=64 ID=22448 DF PROTO=TCP SPT=57035 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
1212423972 M * franck34 it's when a telnet public ip port 80 from the vserver (-> cnx refused)
1212423976 M * franck34 s/a/i
1212424014 M * Bertl and the output chain?
1212424069 M * franck34 Jun 2 18:45:49 sd-10138 kernel: OUTPUT packetIN= OUT=lo SRC=192.168.0.1 DST=88.191.53.75 LEN=56 TOS=0x10 PREC=0x00 TTL=64 ID=53019 DF PROTO=TCP SPT=57076 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
1212424114 M * Bertl what kernel is that?
1212424137 M * franck34 Linux sd-10138 2.6.22.19-vs2.3.0.34-ipv6-686 #1 SMP Sat Apr 26 15:21:07 CEST 2008 i686 GNU/Linux
1212424151 M * Bertl what's ipv6?
1212424177 M * franck34 mmm, the thing after ipv4 ? :)
1212424194 M * franck34 speaking of that ...
1212424194 M * Bertl hehe, right, but why is it mentioned in the kernel string?
1212424216 M * franck34 don't know, i didn't make it myself
1212424228 M * Bertl who did?
1212424251 M * franck34 somebody who taught me about using vserver
1212424258 M * franck34 i don't think you know him
1212424279 M * franck34 it's hacky on irc.dedibox.fr, #dedibox
1212424294 M * Bertl okay, go and ask him what the ipv6 stands for
1212424295 M * franck34 this guy put this kernel especially for vserver
1212424300 M * franck34 ok
1212424312 M * Bertl i.e. what patches besides the vs2.3.0.34 are there (ontop of mainline)
1212424390 M * harry hehe... prolly the vserver ipv6 patch :p
1212424407 M * franck34 hehe i see
1212424415 M * harry Bertl: if it's in the 2.3 tree AND separately in a patch... it's bound to work double as good!
1212424415 M * franck34 notice i don't care about ipv6 for the moment
1212424484 M * franck34 seems the guy doesn't reply immediately
1212424487 M * franck34 please wait ...
1212424492 M * Bertl np
1212424528 M * franck34 this guy is working indirectly for dedibox company, a french company, low cost server solution
1212424534 M * franck34 www.dedibox.fr
1212424544 M * franck34 and seems he installs lots of vservers here and there ;)
1212424570 M * Bertl try with 'tcpdump -vvnei lo' in the meantime, and keep the test short .. (telnet), then upload the traffic
1212424589 M * franck34 k
1212424718 M * franck34 http://paste.linux-vserver.org/12137
1212424745 M * Bertl please remove the port 80 part
1212424764 M * franck34 there is lots of traffic
1212424775 M * Bertl that's why I said, keep it short :)
1212424779 M * franck34 ha sorry
1212424803 M * franck34 http://paste.linux-vserver.org/12138
1212424868 M * Bertl what contexts are used for guest1/2
1212424920 M * franck34 what do you mean "context" .
1212424921 M * franck34 ?
1212424925 M * franck34 both are dummy
1212424929 M * franck34 both are using dummy
1212424935 M * Bertl well, I don't see the test in this trace, did you run it?
1212424951 M * Bertl but I see 127.156.69.1 there
1212424967 M * franck34 no i didn't
1212424970 M * franck34 let me try again
1212424982 M * Bertl which would suggest that this guest has context 40005
1212425001 M * franck34 http://paste.linux-vserver.org/12139
1212425010 M * Bertl (and the other one 40004 :)
1212425049 M * franck34 root@sd-10138:~# cat /etc/vservers/innow/context
1212425049 M * franck34 40004
1212425058 M * franck34 root@sd-10138:~# cat /etc/vservers/innoqmail/context
1212425058 M * franck34 40005
1212425067 M * franck34 innow = web = 0.1
1212425073 M * franck34 innoqmail = mail = 0.2
1212425165 M * franck34 so you want me to switch 40004 <-> 40005 ?
1212425173 M * Bertl nah, was just curious
1212425207 M * franck34 hehe
1212425220 M * franck34 one day i don't remember exactly how
1212425280 M * franck34 forget it, it was probably a mistake
1212425292 M * franck34 i think i've seen another ip addr, but in the same subnet
1212425311 M * franck34 something like 88.191.xx.xx, but not the expected public ip
1212425321 M * franck34 i can't reproduce
1212425336 M * Bertl first, I'd suggest to remove the useless forward rules (which handle dummy 0 traffic)
1212425348 M * franck34 yeah i can reproduce
1212425349 M * franck34 recvfrom(3, "\205\237\201\200\0\1\0\1\0\3\0\3\ninnovacode\3com\0\0\1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("88.191.254.60")}, [16]) =
1212425353 M * franck34 88.191.254.60
1212425355 M * franck34 what is this ?
1212425367 M * franck34 my public ip is 88.191.53.75
1212425376 M * franck34 it's an strace of a simple wget
1212425404 M * Bertl that happens where?
1212425428 M * franck34 wait
1212425468 M * franck34 i think it's another problem
1212425498 M * franck34 ping eaccelerator.net
1212425504 M * franck34 PING eaccelerator.net (88.191.53.75) 56(84) bytes of data.
1212425504 M * franck34 64 bytes from sd-10138.dedibox.fr (88.191.53.75): icmp_seq=1 ttl=64 time=0.087 ms
1212425507 M * franck34 but
1212425509 M * franck34 when stracing telnet
1212425516 M * franck34 i can see
1212425517 M * franck34 sin_addr=inet_addr("88.191.254.60")}
1212425521 M * franck34 just before connection refused
1212425537 M * franck34 but it's recvfrom so don't know
1212425539 M * franck34 recvfrom(3, "\376\332\201\200\0\1\0\1\0\3\0\3\feaccelerator\3net\0\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("88.191.254.60")}, [16]) = 156
1212425545 M * Bertl which would pretty much explain the refuse
1212425547 M * franck34 (telnet from a vserver)
1212425550 M * franck34 yeah
1212425558 M * franck34 but
1212425582 M * Bertl do an strace -fF -o telnet.strace telnet ...
1212425589 M * Bertl and upload the entire output
1212425604 M * Bertl (i.e. what's in telnet.strace after that :)
1212425610 M * franck34 notice connection is refused too when i'm using directly the ip address
1212425624 M * franck34 connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("88.191.53.75")}, 16) = -1 ECONNREFUSED (Connection refused)
1212425747 M * franck34 Bertl: not full (i dropped a little at the beginning)
1212425752 M * franck34 Bertl: http://paste.linux-vserver.org/12140
1212425871 M * Bertl what does 'host eaccelerator.net' give?
1212425996 N * pmenier pmenier_off
1212426010 M * franck34 eaccelerator.net A 88.191.53.75
1212426015 M * franck34 (from inside a vhost)
1212426018 M * franck34 so it's ok
1212426038 M * Bertl do you get that where you did the telnet (in the strace) above?
1212426052 M * franck34 seems not
1212426058 M * franck34 sin_addr=inet_addr("88.191.254.60")}
1212426074 Q * pmenier_off Remote host closed the connection
1212426083 M * franck34 but remember that a telnet 88.191.53.75 80 got a connection refused too
1212426099 M * franck34 perhaps there are 2 problems
1212426106 M * Bertl you have a nameserver running on the host, yes?
1212426110 M * franck34 yes
1212426124 M * Bertl it seems to answer differently depending on the ip
1212426138 M * Bertl one answer is the 'wrong' 88.191.254.60
1212426147 M * franck34 yeah that's the second problem
1212426148 M * daniel_hozac that's not the answer though, that's just the source IP.
1212426167 M * Bertl yes, but in this case, telnet looks up the hostname
1212426186 M * Bertl gets 88.191.254.60, and probably tries to bind that for receiving or so?
1212426186 M * franck34 root@sd-10138:~# grep 88.191.254.60 /etc/bind/* -r
1212426189 M * franck34 --> nothing
1212426207 M * Bertl check /var/named
1212426208 M * franck34 same for string "eaccelerator"
1212426210 M * daniel_hozac nah, it's the recvfrom.
1212426218 M * daniel_hozac i.e. the source address of the DNS packet.
1212426229 M * franck34 i don't have any /var/named
1212426239 M * Bertl /var/lib/named?
1212426255 M * franck34 got only /etc/bind
1212426264 M * Bertl what distro?
1212426268 M * franck34 debian etch
1212426346 M * Bertl bind9?
1212426449 M * Bertl well, debian is different, but bind usually goes to /var/lib/named (for chroot and with zone files/caches)
1212426475 M * Bertl so you probably have to check with the debian folks, where the master and slave zone copies are
1212426488 M * Bertl (or read through the config file)
1212426493 M * franck34 mm
1212426500 M * franck34 root@sd-10138:~# cat /etc/resolv.conf
1212426500 M * franck34 nameserver 127.0.0.1
1212426500 M * franck34 nameserver 88.191.254.60
1212426516 M * franck34 88.191.254.60 ... sin_addr=inet_addr("88.191.254.60")}
1212426530 M * franck34 so daniel_hozac is right
1212426542 M * franck34 it's simply the ip of the dns server ..
1212426559 M * franck34 yeah ...
1212426568 M * franck34 16115 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("88.191.254.60")}, 28) = 0
1212426572 M * franck34 ask for the ip
1212426581 M * franck34 i didn't see but just a few lines later
1212426582 M * franck34 16115 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("88.191.254.60")}, 28) = 0
1212426588 M * franck34 sorry
1212426589 M * franck34 16115 connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("88.191.53.75")}, 16) = -1 ECONNREFUSED (Connection refused)
1212426594 M * franck34 so it's the good one
1212426596 M * franck34 no dns problem
1212426710 N * DoberMann DoberMann[PullA]
1212426824 Q * balbir Ping timeout: 480 seconds
1212426935 M * franck34 the guy who set up the system suggested i use mnemoc and PowerKe's suggestion
1212426942 M * franck34 ie split DNS answers according to the IP
1212426996 M * franck34 ok let's take a break
1212427020 M * franck34 i think i'll use the hosts file to avoid making mistakes in dns setup
1212427024 M * franck34 but i really don't like that
1212427037 M * franck34 be back in 3/4 hours
1212427047 M * franck34 thanks a lot Bertl and everybody
1212427049 M * franck34 !
1212427130 M * Bertl well, I'm still not convinced ...
1212427186 M * franck34 Bertl: about what ? i'd like to not have to use dns splitting or hosts file
1212427202 M * franck34 seems it's a sort of loop
1212427231 M * Bertl first, I'd drop your iptables stuff, just to avoid strange mappings
1212427244 M * Bertl then I'd create the proper S/DNAT rules only
1212427256 M * franck34 yeah i see
1212427263 M * franck34 i'll do that in a few hours
1212427273 M * franck34 starting rules from scratch
1212427384 M * Bertl add a log rule to each chain, so that you see the actual traffic
1212427404 M * Bertl I'm missing icmp messages here for example
1212427485 J * balbir ~balbir@122.167.213.252
1212429308 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1212429445 J * meandtheshell ~sa@d91-129-52-56.cust.tele2.at
1212429445 Q * meandtheshell Killed (charon.oftc.net (Nick collision (new)))
1212429470 J * meandtheshell ~sa@d91-129-52-56.cust.tele2.at
1212429670 Q * eSa| Ping timeout: 480 seconds
1212430124 Q * meandtheshell Read error: Connection reset by peer
1212430363 J * eSa| ~kvirc@ip-87-238-2-45.static.adsl.cheapnet.it
1212430371 J * meandtheshell ~sa@d91-129-52-56.cust.tele2.at
1212430371 Q * meandtheshell Nick collision (new)
1212430393 J * meandtheshell1 ~sa@d91-129-52-56.cust.tele2.at
1212430987 M * Bertl nap attack .. bbl
1212430991 N * Bertl Bertl_zZ
1212431431 J * Linus ~Nuhx@bl7-128-12.dsl.telepac.pt
1212431646 J * dna ~dna@74-226-dsl.kielnet.net
1212431730 J * _gh_ ~gerrit@c-67-169-199-103.hsd1.or.comcast.net
1212432580 N * DoberMann[PullA] DoberMann
1212433976 Q * rgl Quit: Saindo
1212434116 J * mick_work ~clamwin@h-74-2-196-226.miatflad.covad.net
1212434296 J * bardia ~bardia@lnc.usc.edu
1212434333 N * mick_work mick_home
1212434408 Q * mick_home Remote host closed the connection
1212434417 Q * bardia
1212434547 Q * dna Ping timeout: 480 seconds
1212434937 Q * yarihm Quit: Leaving
1212435031 N * phedny Guest1023
1212435037 J * phedny ~mark@2001:610:656::115
1212435609 Q * jsambrook Remote host closed the connection
1212435625 Q * bfremon1 Ping timeout: 480 seconds
1212435660 J * jsambrook ~jsambrook@aelfric.plus.com
1212435845 J * lilalinux ~plasma@dslb-084-058-217-048.pools.arcor-ip.net
1212436188 J * minimike ~darko@static-87-79-239-76.netcologne.de
1212436196 Q * lilalinux Remote host closed the connection
1212436202 M * minimike hello
1212436235 M * daniel_hozac hi
1212436295 M * minimike just a question why are no patches later than 2.6.22 available?
1212436309 M * daniel_hozac http://vserver.13thfloor.at/Experimental/
1212436392 M * minimike currently i am using the 2.6.22.19 with vserver and grsecurity patch
1212436471 A * arekm using 2.6.25 + vserver + apparmor
1212436607 M * minimike so will there be newer kernels in the future? I thought because there were no newer releases the development was stopped
1212436631 M * daniel_hozac check the link i posted... we've got patches against 2.6.25.4.
1212436644 M * minimike stable?
1212436647 M * daniel_hozac no.
1212436658 M * minimike it is for a productive server
1212436664 M * daniel_hozac things don't become stable over night.
1212436720 M * minimike it is just for information, i will deploy my Vservers for more than two years
1212436819 M * minimike if there will be Updates in Future then it's OK
1212436913 M * minimike thank you guys :)
1212437610 J * derjohn_mob ~aj@e180217009.adsl.alicedsl.de
1212437912 J * hijacker_ ~Lame@87-126-142-51.btc-net.bg
1212438203 M * minimike it was just a little bit curious for me that there were patches from 2.6.17 to 2.6.22 and then the break
1212438231 M * minimike in future will linux-vserver support selinux?
1212438242 M * daniel_hozac meaning?
1212438283 M * daniel_hozac 2.6.23 was just too broken to bother, and too many changes.
1212438361 M * minimike with selinux i got some problems with rights in the guests so i use selinux
1212438391 M * minimike but i think in Redhat and Debian selinux is better supported
1212438439 M * minimike than gradm or apparmor
1212438491 J * Aiken ~james@ppp121-45-230-114.lns1.bne4.internode.on.net
1212438496 A * minimike compiling 2.6.25.4 with vserver patch for desktop use :)
1212438812 J * yarihm ~yarihm@84-74-147-84.dclient.hispeed.ch
1212439591 M * Wonka and that works?
1212439623 M * Wonka i'm still running 2.6.22.9-vs2.3.0.26.4 here
1212440385 J * ntrs_ ~ntrs@77.29.78.156
1212440451 Q * hijacker_ Quit: Leaving
1212440812 Q * ntrs Ping timeout: 480 seconds
1212441176 J * TheSeer ~theseer@e177154192.adsl.alicedsl.de
1212441180 Q * bonbons Quit: Leaving
1212441182 M * TheSeer good evening :)
1212441283 M * TheSeer anyone awake? ;)
1212441309 M * daniel_hozac never!
1212441417 M * TheSeer :-P
1212441428 M * TheSeer i have a bizarre "bug" in util-vserver
1212441451 M * TheSeer i vserver build ... -m rsync from a remote host
1212441459 M * TheSeer it successfully transfers all data
1212441468 M * TheSeer and then rm -rf's it straight ahead
1212441531 M * daniel_hozac that would only happen if rsync returns a non-zero exit code, or your initpost script fails.
1212441544 M * TheSeer ouhm..?
1212441611 M * daniel_hozac i suggest you use --debug, and add -v to the rsync options.
1212441676 M * TheSeer RSYNC_RSH=ssh vserver mx build -m rsync --hostname .... --interface eth0:...../27 -- --source root@10.0.0.3:/vservers/mx2
1212441701 M * TheSeer i somehow don't feel like resyncing it again and again ;)
1212441887 Q * eSa| Ping timeout: 480 seconds
1212441932 J * ViRUS ~mp@p5B247963.dip.t-dialin.net
1212441972 M * TheSeer wtf?
1212441992 M * TheSeer okay.. let's see what happens... *sigh*
1212442401 Q * cryptronic Quit: Leaving.
1212442578 J * eSa| ~kvirc@ip-87-238-2-45.static.adsl.cheapnet.it
1212442840 Q * jsambrook Remote host closed the connection
1212442863 Q * lagann Remote host closed the connection
1212442902 J * lagann ~terminal@c-66-30-110-51.hsd1.ma.comcast.net
1212443245 N * DoberMann DoberMann[ZZZzzz]
1212443897 Q * meandtheshell1 Quit: Leaving.
1212443913 J * mick_home ~clamwin@h-74-2-196-226.miatflad.covad.net
1212443944 Q * mick_home
1212444724 Q * yarihm Quit: Leaving
1212444798 N * Bertl_zZ Bertl
1212444802 M * Bertl back now ...
1212444926 M * TheSeer wb :)
1212445022 M * Bertl so how's your rsync going?
1212445052 Q * ntrs_ Ping timeout: 480 seconds
1212445460 M * TheSeer about 4 GB transferred (of 6.1..)
1212445473 M * TheSeer ++ rsync -Hazx --numeric-ids root@10.0.0.3:/vservers/mx2/ /etc/vservers/.defaults/vdirbase/mx/
1212445482 M * TheSeer that's where it's busy at...
1212445816 M * edlinuxguru I am working on installing vcd. I ran into this issue yesterday. VCD installer wants confuse-config. I installed a fresh libconfuse but that file is not part of it. Any ideas?
1212446337 M * edlinuxguru confuse-config has been removed in latest release: "remove obsolete confuse-config script in favour of pkg-config"
1212446444 M * Bertl maybe time to update it then?
1212446524 M * edlinuxguru From what I am reading, confuse-config has been removed. So I have to downgrade libconfuse to a lower version.
1212446630 M * Bertl or update the vcd stuff to use the newer stuff
1212446699 Q * ViRUS Quit: Leaving
1212446711 Q * derjohn_mob Ping timeout: 480 seconds
1212446723 J * jsambrook ~jsambrook@aelfric.plus.com
1212446884 M * TheSeer ..5.7...
1212446955 M * TheSeer Bertl: anything i can do to make sure it's not going to remove everything in a few? ;)
1212447055 M * Bertl well, make sure that the initpost script succeeds
1212447062 M * TheSeer how? ;)
1212447092 M * Bertl appending 'true' or 'exit 0' might help
1212447144 M * TheSeer where is it?
1212447151 M * Bertl also I remember a --keep option to the build command
1212447185 M * Bertl vserver - build --help
1212447474 Q * Aiken Quit: Leaving
1212447500 Q * dowdle Remote host closed the connection
1212447597 Q * Linus Quit: I'll Be Back!
1212447659 J * ktwilight_ ~ktwilight@216.68-66-87.adsl-dyn.isp.belgacom.be
1212447696 Q * ktwilight Ping timeout: 480 seconds
1212447744 Q * edlinuxguru Ping timeout: 480 seconds
1212447837 J * mire ~mire@19-169-222-85.adsl.verat.net
1212448052 Q * mire
1212448549 M * TheSeer hmm.. my rsync copy is by now bigger than the original...???
1212448556 M * TheSeer whatever is going on.. it's strange
1212448609 M * TheSeer well, at least du -sh believes so
1212448656 M * minimike someone has Linux-Vserver running under an ARM machine like a NSLU2?
1212448684 M * minimike sorry, under an ARM machine
1212448693 M * minimike ^^
1212448929 M * Bertl yep, arm works fine
1212449064 M * Bertl TheSeer: maybe you override the rsync options somehow?
1212449084 M * Bertl i.e. you definitely want it to handle links and sparse files
1212449142 J * edlinuxguru ~edlinuxgu@186.sub-97-12-139.myvzw.com
1212449184 M * TheSeer i used the line i pasted before
1212449195 M * TheSeer it's finished by now ..
1212449204 M * TheSeer and even seems to be working
1212449212 M * TheSeer checking the service
1212449213 M * Bertl good, maybe some environment variable?
1212449301 M * Supaplex edlinuxguru: can you hear me now? how's the phone surfing? :)
1212449376 M * TheSeer Bertl: i have no idea.. i did exactly the same again
1212449387 M * TheSeer the 1st time it removed it.. the 2nd it worked
1212449456 M * edlinuxguru Yes I am in here.
1212449507 M * edlinuxguru The train ride home is my time to hack away at stuff. So I take my BlackBerry, sorry for the fluttering on and off.
1212449629 M * PowerKe TheSeer: did you include other directories when running du -sh at the source? If files are hardlinked to previously displayed items, their size won't be counted again.
1212449678 M * edlinuxguru Bertl I was going to say that I am flattered but my odds of being able to 'upgrade' vcd are pretty low. I can only do little tweaks on code to get them running
1212449752 M * TheSeer PowerKe: not that i can think of.. but i didn't exactly check either
1212450440 M * TheSeer oh well.. looks like the moved server works like a charm
1212450444 M * TheSeer time to get sleep :)
1212450446 M * TheSeer n8
1212450457 Q * TheSeer Quit: Client exiting
1212450697 Q * eSa| Ping timeout: 480 seconds
1212450987 Q * edlinuxguru