1233792350 Q * dowdle Remote host closed the connection
1233793086 J * jmcaricand jm@79.80.191.103
1233793590 P * jmcaricand
1233794075 M * Bertl off to bed now .. have a good one everyone! cya
1233794081 N * Bertl Bertl_zZ
1233795100 Q * hparker Quit: Quit
1233795581 J * dowdle ~dowdle@67-42-169-52.blng.qwest.net
1233798763 J * ghislainocfs21 ~Ghislain@adsl2.aqueos.com
1233799057 J * ghislainocfs22 ~Ghislain@adsl2.aqueos.com
1233799073 Q * almak_ Remote host closed the connection
1233799087 J * almak_ ~almak@proxy-sjc-1.cisco.com
1233799113 Q * ghislainocfs2 Ping timeout: 480 seconds
1233799338 Q * ghislainocfs21 Ping timeout: 480 seconds
1233800848 J * takeru ~takeru@nttkyo888227.tkyo.nt.ftth.ppp.infoweb.ne.jp
1233800851 Q * takeru
1233801151 Q * almak_ Remote host closed the connection
1233801162 J * almak_ ~almak@proxy-sjc-2.cisco.com
1233802045 J * takeru ~takeru@s35.GtokyoFL11.vectant.ne.jp
1233804215 Q * maddoc Ping timeout: 480 seconds
1233804837 J * maddoc maddoc@social.ostruktur.com
1233805350 Q * dowdle Remote host closed the connection
1233805704 Q * takeru Quit: takeru
1233809710 Q * pmenier_off Read error: Connection reset by peer
1233809749 J * pmenier_off ~pme@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr
1233811019 Q * balbir_ Ping timeout: 480 seconds
1233811330 J * Aiken ~Aiken@ppp118-208-45-4.lns3.bne1.internode.on.net
1233816397 J * balbir_ ~balbir@59.145.136.1
1233819038 J * sharkjaw ~gab@217-26-13.231210.adsl.tele2.no
1233819690 J * duckx ~Duck@81.57.39.234
1233821168 J * friendly ~friendly@ppp118-208-221-197.lns10.mel6.internode.on.net
1233821197 Q * balbir_ Ping timeout: 480 seconds
1233821978 J * harobed ~harobed@pda57-1-82-231-115-1.fbx.proxad.net
1233822091 J * balbir_ ~balbir@59.145.136.1
1233822274 J * hijacker_ ~hijacker@213.91.163.5
1233822274 Q * hijacker Read error: Connection reset by peer
1233822431 Q * friendly Ping timeout: 480 seconds
1233822752 J * doener ~doener@i577BA589.versanet.de
1233823150 Q * doener_ Ping timeout: 480 seconds
1233823733 Q * balbir_ Ping timeout: 480 seconds
1233823791 N * pmenier_off pmenier
1233824495 J * balbir_ ~balbir@59.145.136.1
1233826339 J * amine ~amine@41.221.19.3
1233827112 N * Bertl_zZ Bertl
1233827117 M * Bertl morning folks!
1233827134 M * hijacker_ morning Bertl
1233827334 M * amine Good morning
1233827353 M * amine thank you Bertl for your help the other day
1233827382 M * amine I finally contacted the hoster and it was a problem with VLANs and firewalling on their side
1233827440 J * gnuk ~F404ror@pla93-3-82-240-11-251.fbx.proxad.net
1233827677 M * Bertl amine: you're welcome!
1233829668 J * geb ~geb@79.82.4.42
1233829685 M * geb hi
1233829692 M * amine is it possible to have ssh access specifically to a guest?
1233829737 M * Bertl sure, just restrict the host sshd to host only IPs or select a separate port
1233829775 M * Bertl (see FAQ)
1233829960 M * amine ok thanks
1233830871 J * kir ~kir@swsoft-msk-nat.sw.ru
1233831783 M * saulus good morning
1233831794 M * Bertl morning!
1233831820 M * saulus anything new for now, Bertl?
1233831838 M * Bertl well, more confusion it seems :)
1233831846 M * saulus :)
1233831849 M * Bertl it works for me here on 2.6.28, but I have a test for you
1233831852 M * saulus if you need more infos, just tell me
1233831858 M * saulus ok
1233831877 M * saulus I'm doing some upgrades at the moment. Hopefully another kernel comes in
1233831877 M * Bertl try to run your host test like this:
1233831952 M * Bertl chcontext --xid 42 --secure -- setfattr -n user.test -v abcd /path/to/file
1233831966 M * Bertl i.e. with a file which works fine on the host
1233832016 M * nox saulus: 42 should not be already used :)
1233832032 J * dna ~dna@229-201-103-86.dynamic.dsl.tng.de
1233832032 M * Bertl correct :)
1233832064 M * saulus :)
1233833118 M * saulus finally: http://rafb.net/p/47d7ie47.html
1233833244 M * Bertl hmm, that permission denied is a problem with tagging and/or the barrier
1233833262 M * Bertl try it on a harmless file in /var/lib/vservers
1233833292 M * Bertl might need to be in a subdir, and require you to cd there first
1233833301 M * Bertl (so that you do not have to cross the barrier)
1233833352 M * Bertl try something like:
1233833374 M * Bertl chcontext --xid 42 --secure -- touch /var/lib/vservers/test
1233833385 M * Bertl if that works, continue with it, otherwise do
1233833395 M * Bertl mkdir /var/lib/vservers/subdir
1233833400 M * Bertl cd /var/lib/vservers/subdir
1233833408 M * Bertl chcontext --xid 42 --secure -- touch test
1233833517 J * ktwilight_ ~ktwilight@87.66.194.161
1233833637 Q * balbir_ Ping timeout: 480 seconds
1233833650 M * saulus http://rafb.net/p/pcNSO515.html
1233833709 M * Bertl so that works for you too
1233833733 M * Bertl strange, something else must happen which keeps you from doing it in a fully fledged guest
1233833770 M * Bertl the chcontext --xid 42 --secure should do all the restrictions imposed from the Linux-VServer kernel
1233833801 M * Bertl (in regard of capabilities and processes)
1233833862 N * ensc Guest144
1233833862 Q * Guest144 Read error: Connection reset by peer
1233833872 J * ensc ~irc-ensc@77.235.182.26
1233833908 Q * ktwilight__ Ping timeout: 480 seconds
1233834043 M * saulus so you think it's not a vservers bug?
1233834644 M * Bertl no, at best it is related to the way util-vserver (userspace) sets up the guest
1233834658 M * Bertl but I should have a test setup in an hour or so
1233834724 M * saulus ok, thank you! I will reboot soon, updated kernel to linux-image-vserver-686 2.6.26+17.
1233834776 A * saulus is rebooting
1233834778 Q * saulus Quit: leaving
1233835853 Q * pmenier Read error: Connection reset by peer
1233835886 J * pmenier ~pme@LNeuilly-152-22-72-5.w193-251.abo.wanadoo.fr
1233836301 J * ktwilight__ ~ktwilight@87.66.195.154
1233836301 Q * ktwilight_ Read error: Connection reset by peer
1233836457 J * ktwilight_ ~ktwilight@121.66-66-87.adsl-dyn.isp.belgacom.be
1233836635 J * ktwilight ~ktwilight@179.87-66-87.adsl-dyn.isp.belgacom.be
1233836765 J * saulus ~saulus@d047163.adsl.hansenet.de
1233836818 Q * ktwilight__ Ping timeout: 480 seconds
1233836970 Q * ktwilight_ Ping timeout: 480 seconds
1233837418 Q * Aiken Remote host closed the connection
1233840650 Q * gypsymauro Quit: leaving
1233841835 M * saulus Bertl: Nothing changed with the new kernel. Anything new from your side or anything I shall do?
1233841909 M * Bertl not yet .. got distracted by a paying customer :)
1233841967 M * Bertl should have something in an hour or so
1233842296 M * saulus :)
1233845917 M * hijacker_ hey fellows
1233845945 M * hijacker_ why is it important that the barrier for the vserver is set against .. of the vserver $HOME dir?
1233845955 M * hijacker_ from the wiki: "Please note that it's important to set the barrier against ".." inside /path/to/guest/ "
1233846017 M * hijacker_ in the example above the B flag is for the /path/to, rather than /path/to/guest/ ?
1233846047 M * Bertl because otherwise the barrier won't work?
1233846047 M * nox hijacker_: afaik to protect against chroot escapes
1233846860 M * hijacker_ aye
1233846863 M * hijacker_ but then
1233846876 M * hijacker_ what if guest1 escapes into guest ?
1233847074 M * hijacker_ as the barrier will only protect any guest from escaping into subdirectories of /path/to ?
1233847090 M * hijacker_ and not into /path/to/guest1 ?
1233847102 M * Bertl the barrier blocks on the way up
1233847123 M * Bertl i.e. if a guest tries to go beyond their /, the barrier is there to block it
1233847140 M * Bertl thus, the barrier sits on /path/to/guest/..
1233847459 M * hijacker_ so
1233847469 M * hijacker_ just to clarify that with another example
1233847491 M * hijacker_ showattr vservers/
1233847491 M * hijacker_ ----BuiX vservers/
1233847497 M * hijacker_ this means
1233847517 M * hijacker_ that if vservers/g1 wants to escape into vservers/g2
1233847523 M * hijacker_ it will not be able to?
1233847539 M * hijacker_ no matter that:
1233847565 M * hijacker_ ----buiX vservers/g1
1233847566 J * saulus_ ~saulus@d063187.adsl.hansenet.de
1233847567 M * hijacker_ ----buiX vservers/g2
1233847568 M * hijacker_ ?
1233847608 M * Bertl yep
1233847625 M * Bertl if you set the barrier on g1 or g2, the guest won't be able to run :)
1233847755 Q * nkukard Ping timeout: 480 seconds
1233847933 Q * saulus Ping timeout: 480 seconds
1233847934 J * nkukard ~nkukard@196.212.73.74
1233847982 M * hijacker_ ha ha ;-) alright
1233847987 M * hijacker_ that clarifies it now ;-)
1233848010 M * hijacker_ cheers Bertl
1233848246 M * Bertl np
1233849723 Q * amine Quit: Ex-Chat
1233850187 Q * sharkjaw Quit: Leaving
1233850740 J * ktwilight_ ~ktwilight@253.104-66-87.adsl-dyn.isp.belgacom.be
1233850741 Q * ktwilight Read error: Connection reset by peer
1233851349 Q * ktwilight_ Read error: Connection reset by peer
1233851407 J * ktwilight_ ~ktwilight@55.87-66-87.adsl-dyn.isp.belgacom.be
1233851776 Q * ensc Ping timeout: 480 seconds
1233852033 J * ensc ~irc-ensc@p57AA54C6.dip.t-dialin.net
1233852134 J * dowdle ~dowdle@scott.coe.montana.edu
1233852358 J * ktwilight__ ~ktwilight@87.66.192.130
1233852776 Q * ktwilight_ Ping timeout: 480 seconds
1233853091 M * Bertl saulus_: works perfectly fine in a guest here too
1233853116 M * Bertl no need to remount or change anything from a default setup
1233853183 M * Bertl saulus_: http://paste.linux-vserver.org/12728
1233853705 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1233854603 J * hparker ~hparker@2001:470:1f0f:32c:215:f2ff:fe60:79d4
1233854989 M * saulus_ so where do you suggest the error?
1233854992 M * saulus_ so where do you suggest the error? Bertl
1233855075 M * Bertl no idea, I'm using a recent kernel and util-vserver here, but I somewhat doubt the behaviour changed
1233855118 M * Bertl Linux test.domain.org 2.6.28.3-vs2.3.0.36.5 #1 SMP Thu Feb 5 11:16:02 EST 2009 x86_64 GNU/Linux
1233855130 M * saulus_ ok, I'll see, if I build my own kernel over the weekend
1233855136 M * Bertl util-vserver is 0.30.216-0.pre2827
1233855159 M * Bertl I would suggest to do one more test on your system
1233855183 M * Bertl is the xid=42 unused?
1233855264 M * Bertl if so, build a 'test' guest like this:
1233855268 M * Bertl vserver test build -m debootstrap --context 42 --hostname test.domain.org --interface eth0:10.10.0.1/24 -- -d etch -m http://ftp.us.debian.org/debian -- --arch amd64
1233855290 M * Bertl (assumed that you are on x86_64, if not, replace the amd64 with i386)
1233855324 M * Bertl then start the guest with 'vserver test start' and repeat the sequence I pasted above
1233855355 M * Bertl (you need to do an apt-get install attr inside the guest too)
1233855454 M * saulus_ how can I check for xid=42?
1233855514 M * Bertl ls /proc/virtual/
1233855523 M * Bertl if 42 doesn't show up, it is free atm
1233855589 M * saulus_ this is the content of that dir: 40011 40014 40019 40053 40066 40097 info status - so you mean the 40042?
1233855669 M * Bertl perfectly fine, you can use 42 :)
1233855733 J * ktwilight_ ~ktwilight@87.66.196.29
1233855754 M * saulus_ how about the parameters for the new vserver - I suppose I don't have to tune them to my network (the only change is to i386)
1233855790 M * Bertl yes, should be fine, but you need to add an iptables rule to allow the guest to access the network
1233855803 M * Bertl iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
1233855806 M * Bertl (should do)
1233855941 Q * pmenier Quit: Konversation terminated!
1233856118 Q * ktwilight__ Ping timeout: 480 seconds
1233856178 Q * ktwilight_ Read error: Connection reset by peer
1233856182 J * saulus ~saulus@d073041.adsl.hansenet.de
1233856478 Q * saulus_ Ping timeout: 480 seconds
1233857979 Q * ruskie Write error: connection closed
1233858002 Q * almak_ Remote host closed the connection
1233858120 J * almak ~almak@proxy-sjc-1.cisco.com
1233858128 J * ruskie ruskie@ruskie.user.oftc.net
1233858242 M * cehteh vxW: [»ps«,30112:#1|0|0] did lookup hidden devpts:ffff88008ebfed80[#0,2] »/dev/pts«
1233858252 M * cehteh is that vserver related?
1233858368 M * Bertl yes, it is a warning that ps inside a guest did lookup a pts entry
1233858413 M * cehteh mhm
1233858444 M * Bertl a pts entry which belongs to a different guest or the host
1233858496 A * cehteh wonders how/why that happens and if I just ignore it
1233858519 M * Bertl it is harmless insofar that the attempt was blocked :)
1233858541 M * cehteh the other problem is .. wtf does the raid only sync at 6mb/sec
1233858561 M * cehteh I now shut down all vservers to see if that speeds it up
1233858563 M * Bertl it usually syncs on idle I/O
1233858585 M * cehteh and increased the max/min limits to insane values
1233858675 M * Bertl increase the buffers and caches too, that helps a lot
1233858698 M * cehteh which ones? hdparm?
1233858700 M * cehteh I did
1233858753 M * Bertl /sys/block/md*/md/stripe_cache_size
1233858775 M * cehteh ah
1233858918 M * cehteh mhm no such entry
1233859372 J * balbir_ ~balbir@122.172.57.195
1233859667 Q * harobed Ping timeout: 480 seconds
1233859819 M * nkukard this is odd
1233859838 M * nkukard I'm getting connections to my smtp server inside of a vserver, it says it's coming from 127.0.0.1
1233859848 M * nkukard only thing I have running is postfix
1233859854 M * nkukard listening on 10.0.2.132
1233859868 M * Bertl single ip special casing maybe?
1233859908 M * Bertl what's your guest config (/proc/virtnet//*)
1233859913 M * nkukard hrmmmm, this is very odd, it's a connection test from 10.0.2.254 :) , let me check it out
1233859925 M * nkukard looks like it's being natted somehow
1233859937 M * nkukard tcpdump on the host shows 10.0.2.254 to 10.0.2.132
1233859955 M * nkukard vserver is showing up 127.0.0.1, let me check that Bertl
1233859980 M * nkukard Lback: 127.0.200.1
1233859980 M * nkukard 0: [66.197.161.151-0.0.0.0/255.255.255.240:0010]
1233859980 M * nkukard 1: [10.0.2.132-0.0.0.0/255.255.255.0:0010]
1233859983 M * nkukard woops
1233859993 M * nkukard pasted by mistake :(
1233860002 M * Bertl well, looks good so far :)
1233860020 M * nkukard yea, I've been looking for the past 1-2 hrs to see why I'm seeing 127.0.0.1 in my logs
1233860021 M * Bertl so I suspect you actually have some weird nat rule there
1233860045 M * nkukard no nat rule in iptables
1233860049 M * Bertl (or there is some local traffic on 127.0.200.1)
1233860086 M * nkukard the traffic is coming from 10.0.2.254 which is the odd thing, the vserver picks it up as 127.0.0.1, let me check the other vserver on the same box
1233860104 M * nkukard hrmmm, same thing
1233860136 M * nkukard postfix/smtpd[17992]: connect from localhost[127.0.0.1] <= oddest thing ever
1233860143 M * Bertl I would suspect the userspace thingy to 'report' it wrong
1233860184 M * Bertl but double check that the smtpd is actually the 'first' one picking it up
1233860200 M * Bertl maybe it goes through a filter process, which then relays it locally
1233860205 M * nkukard nope :)
1233860215 M * nkukard it's the only thing listening on 10.0.2.132
1233860220 M * nkukard I did a netstat -ant
1233860238 M * nkukard on both the vserver and host :)
1233860244 M * Bertl do an strace -fF on the smtpd
1233860270 M * nkukard this is running latest snapshot of util-vserver and the patch for 2.6.27.10 iirc
1233860275 M * nkukard on 64-bit :)
1233860278 A * nkukard tries
1233860390 M * nkukard in strace now ... watching
1233860419 M * nkukard [pid 6888] accept(6, {sa_family=AF_INET, sin_port=htons(51726), sin_addr=inet_addr("10.0.2.254")}, [16]) = 10
1233860421 M * nkukard o my
1233860464 M * nkukard Feb 5 19:00:27 authsmtp-0-3 postfix/smtpd[6888]: connect from localhost[127.0.0.1]
1233860466 M * nkukard heh
1233860472 Q * gnuk Read error: Connection reset by peer
1233860482 M * nkukard Bertl, now isn't that the most interesting thing :)
1233860515 M * click is the smtpd on the host or a guest?
1233860525 M * nkukard I think it's because it's giving a connreset the second it gets an ack ... in any case, this isn't a blocking problem on my side, just very interesting
1233860528 M * nkukard click, only on the guest
1233860535 M * Bertl never trust userspace :)
1233860545 M * nkukard yea
1233860552 M * Wonka never trust anyone
1233860558 M * click trust me!
1233860565 M * nkukard in any case thanks for the idea of strace Bertl :) , lack of sleep delayed me from thinking about it ;)
1233860567 M * click give me your visa details, and I'll buy you something nice.
1233860571 M * click :P
1233860581 M * Bertl nkukard: don't mention it
1233860588 M * nkukard Bertl, all our boxes are running 100% on the 2.6.24.10 patch btw, and we really hammered them
1233860593 M * nkukard no more rpm problems either
1233860617 J * hijacker ~hijacker@87-126-142-51.btc-net.bg
1233860618 M * Bertl nice, now get testing 2.6.27/28 :)
1233860634 A * nkukard salutes, yes boss
1233860641 M * click wish I had 28 on the laptop
1233860686 M * click would make the wlan driver on it work with firmware uploads to an old orinoco card I have :P
1233862481 Q * FloodServ synthon.oftc.net services.oftc.net
1233862936 M * Bertl saulus: any results yet?
1233862942 J * FloodServ services@services.oftc.net
1233862982 M * saulus Bertl: starting now, had something to do
1233862993 M * Bertl np, take your time!
1233863598 M * ard click : /me wants 2.6.29rcX
1233863622 M * ard so I can use wireless for accesspoint usage
1233863687 M * Bertl shouldn't be too hard to adapt the latest 2.6.28 patch ...
1233864016 J * ViRUS ~mp@p579B5953.dip.t-dialin.net
1233864025 M * ard Hmmmm
1233864052 A * ard didn't pay attention to the kind of patches that went into .29
1233864363 J * nah ~nah@201-88-23-157.gnace704.dsl.brasiltelecom.net.br
1233864502 J * larsivi ~larsivi@9.80-202-30.nextgentel.com
1233865144 Q * hijacker Quit: Leaving
1233865711 J * saulus_ ~saulus@c154051.adsl.hansenet.de
1233865822 Q * saulus Ping timeout: 480 seconds
1233865966 M * cehteh apropos, what was the last state of the 'git' discussion?
1233866007 M * saulus_ ok Bertl - new vserver "test" created, aptitude update&&dist-upgrade&&install attr slocate. Same problem remains: setfattr: test.txt: Operation not permitted
1233866020 M * cehteh I'm just using git and checked the latest patch in .. in theory I could host a mob repo for vserver but I don't want to care much more
1233866035 M * Bertl saulus_: did you try the exact commands I pasted too?
1233866061 M * Bertl http://paste.linux-vserver.org/12728
1233866103 M * saulus_ ok, I did my old ones ... stay tuned
1233866188 M * saulus_ this _works_ as it does for you: http://paste.linux-vserver.org/12730
1233866197 M * Bertl :)
1233866236 M * Bertl can you upload your exact commands again, please?
1233866328 J * Aiken ~Aiken@ppp118-208-45-4.lns3.bne1.internode.on.net
1233866375 M * saulus_ :) Here's the working part and the non-working part with strace and _&&_: http://paste.linux-vserver.org/12732
1233866439 M * Bertl now scroll back two days, and answer my question again, but this time truthfully ...
1233866453 M * Bertl are you running your tests in /tmp ?
1233866575 J * yarihm ~yarihm@77-56-182-18.dclient.hispeed.ch
1233866595 M * saulus_ yes
1233866609 M * Bertl so, there's your explanation :)
1233866616 M * saulus_ ?????
1233866628 M * Bertl /tmp is overmounted with a tmpfs
1233866640 M * saulus_ oh dear god!
1233866660 M * Bertl unless you compiled that with attributes and mounted it accordingly, it will not support them :)
1233866695 M * Bertl that was why I was asking this in the first place ...
1233866858 M * saulus_ I'm sorry for your time Bertl :( But what about this one: http://paste.linux-vserver.org/12733
1233866870 M * saulus_ I changed to /root and it didn't work either
1233866929 M * Bertl now you get operation not permitted
1233866945 M * Bertl which is quite different from operation not supported
1233866960 M * Bertl and there could be a number of reasons for that
1233866984 M * Bertl for a start, remove that file and try again
1233867005 M * Bertl btw, no need to do the remount thing, if the fs has the user_xattr on the host
1233867021 M * Bertl (as I showed with my example)
1233867151 M * saulus_ ok, good. As I may repeat: 1) vservers and util-vservers are working fine for me. right? 2) the filesystem of the guests is the same (its attributes as well), as the host? 3) The Error "op not permitted" is a better one, than "op not supported"?
1233867164 M * saulus_ deleting the file, touching and so on didn't help
1233867197 M * Bertl operation not permitted means that _something_ keeps you from changing that particular file
1233867219 M * Bertl in unix, the directory has a lot of influence on the files beneath
1233867260 M * Bertl you might hit a bunch of different security measures keeping you from changing them, including actual security xattrs
1233867293 M * Bertl check the attributes of the directory, check with dmesg
1233867454 M * Bertl actually it looks more like a bug in setfattr to me (or maybe it is checking something else)
1233867463 M * Bertl because your strace shows:
1233867471 M * Bertl setxattr("test.txt", "user.test", "test", 4, 0) = 0
1233867479 M * Bertl which means the setxattr succeeded
1233867494 M * saulus_ yes
1233867502 M * saulus_ but it's working on the host
1233867516 M * saulus_ ok - that's lenny, the "test" is edge
1233867521 M * Bertl just means that the security change failed
1233867533 M * Bertl (and you do not do an strace of that)
1233867568 M * Bertl could as well be that you do not have the 'permission' for security stuff :)
1233867759 M * Bertl did you enable security labels? do you plan to use them?
1233868078 M * saulus_ I don't know which security labels you are talking about. The only ccaps for the vserver are (at the moment) SECURE_MOUNT and SECURE_REMOUNT. Shall I have a look at the caps?
1233868091 M * Bertl nah, I'm talking about the kernel
1233868107 Q * larsivi Ping timeout: 480 seconds
1233868152 M * saulus_ the kernel is the debian default one - I don't know much about kernels and stuff.
1233868156 M * Bertl zcat /proc/config.gz | grep FS_SECURITY
1233868165 M * Bertl (look if that contains ext2/3)
1233868274 M * saulus_ they are all on YES
1233868281 M * Bertl good
1233868465 M * Bertl well, I had a look at the capabilities checked in 2.6.28
1233868476 M * Bertl I presume they are very similar in your kernel
1233868505 M * Bertl boils down to: common xattr needs CAP_SETFCAP, security xattr OTOH, needs CAP_SYS_ADMIN
1233868525 M * Bertl note: you don't want to give CAP_SYS_ADMIN to a guest lightly
1233868536 M * Bertl so, your options are (IMHO):
1233868553 M * Bertl - forget about the security xattrs, put the stuff in user xattrs
1233868579 M * Bertl - get a patch to enable this specific operation with a ccap for your guests
1233868628 M * saulus_ the samba4 ads model requires the security specific attributes
1233868634 M * Bertl while I do not see a big problem to add that ccap for you (i.e. provide that patch), you will need to a) recompile the kernel yourself, and b) use a magic number till the ccap is 'official' and supported by the tools
1233868681 M * Bertl of course, for a quick test, adding CAP_SYS_ADMIN will do (bcapabilities)
1233868761 M * saulus_ it works with CAP_SYS_ADMIN!
1233868846 M * saulus_ I'd be glad if you could manage this patch. I think I will compile a kernel on the weekend - think I have to read a bit about it first
1233868876 M * saulus_ because my server has no graphics card a panic would be a mess :)
1233868933 M * Bertl serial console (should be the default anyways)
1233868988 M * saulus_ as I read now - samba4 can emulate the xattr by putting into smb.conf: posix:eadb = /usr/local/samba/eadb.tdb
1233869364 M * saulus_ As far as you got me I may give you a big THANKS Bertl - very kind of you to help so long and good!
1233869404 M * Bertl well, you get a patch now too, as I'm already done with it :)
1233869410 M * saulus_ :)
1233869412 M * saulus_ great
1233869417 M * Bertl would be nice if you found the time to test it :)
1233869439 M * saulus_ I will test it (if I manage the part towards it :)
1233869451 M * saulus_ I mean the compiling
1233869457 Q * geb Ping timeout: 480 seconds
1233869493 M * Bertl wouldn't hurt to compile a kernel yourself, the distro kernels are kind of bloated, inefficient and fragile
1233869554 M * Bertl http://vserver.13thfloor.at/Experimental/delta-fssec-feat01.diff
1233869576 M * saulus_ I've spent long nights with gentoo some years ago ... trying to optimize the kernel for the last grain of some KB ... that was time consuming :)
1233869602 M * Bertl that should allow you to get the same functionality without CAP_SYS_ADMIN, by giving ^3 (in ccapabilities)
1233869645 M * Bertl if that makes it into Linux-VServer mainline, it will probably get named fs_security later on
1233869669 J * ktwilight ~ktwilight@40.119-66-87.adsl-dyn.isp.belgacom.be
1233869669 M * Bertl hmm, actually it should be ^2 :)
1233869740 M * saulus_ ok
1233869746 M * saulus_ thank you
1233869758 M * Bertl you're welcome!
1233870369 M * bibabu hello folks, can I use iptables inside a vserver?
1233870406 M * Bertl depends on what 'iptables' means for you, and how you want to use it :)
1233870443 M * bibabu I want to use a program which depends on a netfilter extension
1233870472 M * Bertl okay, in what way?
1233870487 M * bibabu it's an extension for teamspeak. I send all traffic through a small app and search for links in nicknames.
1233870566 M * Bertl so a netfilter userspace packet queue or such?
1233870594 M * bibabu yeah
1233870607 M * Bertl do you control the host?
1233870639 M * bibabu iptables -A INPUT -p udp --dport 8767 -m state --state NEW -j QUEUE
1233870645 M * bibabu I control the host
1233870686 M * Bertl then it is probably the best to run the TSQueue app (that's what google suggested :) on the host too
1233870710 M * bibabu ok
1233870715 M * bibabu sounds good
1233870718 M * Bertl but you could give a guest enough capabilities to do that too
1233870737 M * Bertl I just wouldn't do that on a guest running the server
1233870751 M * Bertl (for security reasons)
1233870763 M * bibabu but it's possible?
1233870779 M * Bertl yes, you can give basically all capabilities to a guest
1233870801 M * Bertl will allow that guest to take over the host pretty easily, but it's possible
1233870825 M * bibabu ok. but I can give these capabilities just to one guest?
1233870834 M * Bertl yes
1233870840 M * bibabu ok
1233870856 M * Bertl http://linux-vserver.org/Capabilities_and_Flags
1233870929 M * bibabu thank you. I will check that
1233870944 M * Bertl you're welcome!
1233871059 Q * bonbons Quit: Leaving
1233871081 M * bibabu how can I set a cflag? I want to turn on VIRT_MEM for a guest.
1233871111 M * bibabu vattribute --xid 101 --flag 20, correct?
1233871145 J * harobed ~harobed@arl57-1-82-231-110-14.fbx.proxad.net
1233871258 M * bibabu I want to set a memory limit for a guest (my test guest).
1233871359 M * Bertl yes, vattribute will allow you to set the flags, vlimit to set limits
1233871372 M * Bertl note that the settings are not permanent
1233871385 M * Bertl (you need to add them to the config to make them permanent)
1233874244 J * puck ~puck@leibniz.catalyst.net.nz
1233875167 N * ensc Guest31
1233875177 J * ensc ~irc-ensc@p57AA54C6.dip.t-dialin.net
1233875236 Q * nkukard Ping timeout: 480 seconds
1233875273 Q * Guest31 Ping timeout: 480 seconds
1233875300 J * nkukard ~nkukard@196.212.73.74
1233875965 Q * harobed Ping timeout: 480 seconds
1233877109 J * Piet ~piet@asteria.debian.or.at