1259625861 Q * dowdle Remote host closed the connection
1259626415 Q * ghislain Quit: Leaving.
1259627869 J * blues ~blues@afgw161.neoplus.adsl.tpnet.pl
1259627987 Q * blues_ Ping timeout: 480 seconds
1259628190 Q * imcsk8 Quit: Leaving
1259629032 J * imcsk8 ~ichavero@evdomip-25-182.iusacell.net
1259629177 Q * geb Quit: /
1259629681 Q * AmokPaule Remote host closed the connection
1259630204 Q * arekm Remote host closed the connection
1259630206 J * arekm arekm@carme.pld-linux.org
1259630425 J * FelipeMcMont ~mcmont@187.59.113.200
1259631473 Q * manana Read error: Connection reset by peer
1259632065 J * manana mayday_571@84.17.25.144
1259632508 J * jrklein_ ~jrklein@ppp-70-130-46-49.dsl.wchtks.swbell.net
1259633958 Q * FelipeMcMont
1259634552 Q * imcsk8 Ping timeout: 480 seconds
1259635525 J * scientes ~scientes@174-21-140-29.tukw.qwest.net
1259639783 J * saulus_ ~saulus@c207229.adsl.hansenet.de
1259640191 Q * SauLus Ping timeout: 480 seconds
1259640199 N * saulus_ SauLus
1259641257 Q * nox Ping timeout: 480 seconds
1259642064 M * Bertl off to bed now ... have a good one everyone!
1259642068 N * Bertl Bertl_zZ
1259642098 J * imcsk8 ~ichavero@evdomip-91-218.iusacell.net
1259642518 Q * balbir Ping timeout: 480 seconds
1259642811 J * nox ~nox@host.noxlux.de
1259646273 Q * niki Quit: Leaving
1259646905 J * badiane ~badiane@cpe-72-229-37-2.nyc.res.rr.com
1259649175 J * kir ~kir@swsoft-msk-nat.sw.ru
1259650073 J * ntrs ~ntrs@77.29.7.50
1259650159 J * ntrs_ ~ntrs@77.28.30.17
1259650412 Q * imcsk8 Ping timeout: 480 seconds
1259650558 J * balbir ~balbir@122.181.150.106
1259650597 Q * ntrs Ping timeout: 480 seconds
1259650657 J * imcsk8 ~ichavero@evdomip-237-106.iusacell.net
1259651165 Q * imcsk8 Ping timeout: 480 seconds
1259651232 J * imcsk8 ~ichavero@evdomip-84-152.iusacell.net
1259652103 J * ichavero_ ~ichavero@201.144.130.18
1259652150 Q * imcsk8 Ping timeout: 480 seconds
1259652567 Q * derjohn_foo Ping timeout: 480 seconds
1259652669 J * davidkarban ~david@80.250.18.198
1259653756 J * ghislain ~AQUEOS@LPuteaux-151-41-11-129.w217-128.abo.wanadoo.fr
1259654302 Q * balbir Ping timeout: 480 seconds
1259654477 J * thierryp ~thierry@zankai.inria.fr
1259655256 Q * ichavero_ Quit: This computer has gone to sleep
1259658872 J * balbir ~balbir@122.181.150.106
1259658995 Q * thierryp Quit: ciao folks
1259660880 J * taenzerme ~Adium@static-87-79-237-223.netcologne.de
1259660980 J * derjohn_foo ~aj@80.85.196.112
1259661601 J * gnuk ~F404ror@pla93-3-82-240-11-251.fbx.proxad.net
1259661748 Q * balbir Ping timeout: 480 seconds
1259661790 J * BenG ~bengreen@cpc2-aztw22-2-0-cust521.aztw.cable.virginmedia.com
1259661956 J * friendly ~friendly@ppp118-209-31-140.lns20.mel4.internode.on.net
1259662145 J * balbir ~balbir@122.181.150.106
1259662564 Q * taenzerme Quit: Leaving.
1259663532 Q * balbir Ping timeout: 480 seconds
1259663872 J * AmokPaule ~amokpaule@brsg-4dbbb260.pool.mediaWays.net
1259664042 Q * zbyniu Ping timeout: 480 seconds
1259664237 Q * derjohn_foo Ping timeout: 480 seconds
1259664281 J * zbyniu ~zbyniu@ip-62.181.188.13.static.crowley.pl
1259665360 Q * friendly Quit: Leaving.
1259665814 Q * FireEgl Quit: Leaving...
1259666430 J * geb ~geb@earth.gebura.eu.org
1259666657 J * taenzerme ~Adium@static-87-79-237-223.netcologne.de
1259667389 P * taenzerme
1259667507 Q * BenG Quit: I Leave
1259668483 Q * AmokPaule Quit: Nettalk6 - www.ntalk.de
1259669603 N * Bertl_zZ Bertl
1259669607 M * Bertl morning folks!
1259671570 J * ntrs__ ~ntrs@77.28.29.225
1259672017 Q * ntrs_ Ping timeout: 480 seconds
1259672530 J * FireEgl Proteus@2001:470:e056:1:4::9
1259673978 J * ptiphus ~guillaume@pro75-5-88-162-202-144.fbx.proxad.net
1259675221 M * Bertl nap attack ... bbl
1259675226 N * Bertl Bertl_zZ
1259675970 Q * jrdnyquist Quit: Leaving
1259676471 J * jrdnyquist ~jrdnyquis@slayer.caro.net
1259676724 J * thierryp ~thierry@zankai.inria.fr
1259677299 J * swen ~quassel@217.72.66.253
1259677312 M * swen hi
1259677362 M * swen have a problem assigning dummy interfaces to guests
1259677380 M * swen is here anyone who can help?
1259677678 J * gavbaa ~gav@92.49.33.65.cfl.res.rr.com
1259677682 M * swen I have a case where I want to assign the same IP on different dummy interfaces to vserver guests.
1259677682 M * swen I.e.:
1259677682 M * swen * ip 1.1.1.1 on dummy0 to guest1
1259677682 M * swen * ip 1.1.1.1 on dummy1 to guest2
1259677682 M * swen * etc
1259677707 M * blathijs swen: You'll have to create the dummy interfaces on the host first
1259677726 M * swen oh, i've done that
1259677736 M * blathijs swen: But you probably don't need separate interfaces, vserver does ip separation, not interface virtualization
1259677780 M * swen yes....but I want to assign the *same* ip to *different* guests
1259677886 M * swen But as soon as I create another interface with the same IP it gets shown in the currently running host which already has this IP on a different interface
1259677920 M * blathijs Oh, sorry, missed that :-)
1259677942 M * blathijs I think you can't assign the same ip to multiple interfaces in Linux at all
1259677954 M * swen oh that you certainly can :D
1259677963 M * blathijs (Since IIRC you're really assigning an IP to the host, not to an interface)
1259678011 M * swen in linux you can assign the same IP to different interfaces
1259678029 M * swen i've done that - problem is that vserver is not handling it properly
1259678039 M * blathijs swen: Somehow I have the idea that you'll get the same behaviour if you just assign it to one interface
1259678072 M * blathijs e.g., if you put ip 1.1.1.1 on eth0, then any packets to 1.1.1.1 on eth1 will be accepted as well (but return routing is probably messed up)
1259678082 M * swen blathijs: but then I can't bind services from within different guests to the same port
1259678120 M * swen blathijs: but I don't need routing on these interfaces
1259678148 M * blathijs swen: Perhaps you should just assign different IP's and use DNAT based on the incoming interface?
1259678150 M * swen I need this "trick" to get so called Direct Routing working
1259678154 M * blathijs swen: What are you trying to achieve?
1259678165 M * blathijs What's Direct Routing?
1259678187 M * swen http://www.linuxvirtualserver.org/VS-DRouting.html
1259678205 M * swen It's a technique to provide high availability
1259678217 M * swen and/or scalability
1259678285 M * swen ...where you introduce a Virtual IP on which the service is available
1259678326 M * swen and this Virtual IP doesn't need to be routed on the so called "real servers"
1259678333 M * blathijs And because you don't need DNAT in this setup, the replies can go around the gateway.
1259678348 M * swen it's there so TCP doesn't get confused and discard the packet
1259678359 M * blathijs And you want the "real servers" to be vservers?
1259678365 M * swen yes :D
1259678448 M * blathijs Then why not just use DNAT? All traffic will travel through the host anyway, so there's no point in not using DNAT?
1259678481 J * kmad ~kmad@89.169.234.21
1259678491 M * swen 1 reason is: it is not as scalable
1259678502 P * kmad
1259678529 M * swen 2nd is that I've already set up the DR configuration and have had it in production for about 3 years and it proved very stable
1259678544 J * KernelMadness ~kmad@89.169.234.21
1259678565 M * blathijs Are you running multiple vserver boxes with multiple "real servers" each then?
1259678569 M * blathijs (or planning to)?
1259678639 M * KernelMadness Hi all. Does anyone know how to use process accounting with vserver? (e.g. i need to have separate process accounting for each vserver)
1259678646 M * blathijs Looking at that page, it seems that some specific routing crap is done by the Virtual Server linux kernel code? I guess there might be some extra code needed to let that VS play nicely with vserver.
1259678716 M * swen blathijs: I'm not familiar with how VServer handles networking ....
1259678718 J * jambo ~jambo@80.250.162.178
1259678728 M * blathijs swen: I don't think I know enough about vserver's network setup to help you with this, but you might want to clarify your plans a bit more in case someone shows up that knows more (Bertl probably)
1259678754 M * blathijs KernelMadness: I've got no experience with accounting, but stick around for an answer :-)
1259678783 M * swen but when I create a *new* interface with an *existing* IP this new interface becomes available in the vserver guest
1259678792 M * gavbaa Good morning, all. Does anyone have experience with setting up an OpenVPN client in a vserver? Not server, just client.
1259678838 M * swen gavbaa: no experience. But i'd figure you have to create the tun interface on the host
1259678857 M * gavbaa I've created the tun on the host, and I've MAKEDEV'd the tun into the vserver.
1259678892 M * gavbaa Getting "Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)" and "Cannot allocate TUN/TAP dev dynamically" in the logs.
1259678917 M * swen KernelMadness: is this what you are looking for : http://linux-vserver.org/Applying_CPU_Limits
1259678940 M * swen oh
1259678969 M * swen gavbaa: I think there is a tool in the OpenVPN package able to create a tun interface
1259678982 M * KernelMadness swen: no, i meant process accounting, not whole vserver accounting
1259678983 M * gavbaa swen: I've used that as well from the host.
1259679016 M * gavbaa swen: I've read the docs and some previous IRC logs on the topic. Assumedly, I have to do some static routing from the host into the vserver, and etc.
1259679029 M * gavbaa What I'm hoping is that there's been any improvement in the state of things.
1259679054 M * gavbaa I have to manage well over 20 VPNs from a single control panel that I run in a vserver (one at a time), so setting static routes in the host is impractical/impossible.
1259679167 M * swen gavbaa: what if you provide CAPABILITIES
1259679182 M * gavbaa I've already set NET_ADMIN in bcaps
1259679189 M * swen huh
1259679191 M * biz KernelMadness: what about ulimits and PAM + pam_limits.so?
1259679215 M * swen gavbaa: still doesn't work ?
1259679221 M * gavbaa Same error.
1259679310 M * KernelMadness biz: limiting and accounting are different things. This is what i'm talking about http://tldp.org/HOWTO/Process-Accounting/
1259679472 M * swen but if you configure your vserver guest to configure tun devices at runtime
1259679496 M * swen ie: openvpn --mktun --dev tun16 && echo "tun16" >/etc/vservers/openvpn-vserver/interfaces/16/dev && vserver openvpn-vserver start
1259679522 M * swen you'd have the tun16 interface configured in the vserver guest, no?
1259679531 M * gavbaa One moment, giving it a try.
1259679531 M * KernelMadness I realized that to have pacct working i need to enable pid namespaces. But it seems that this feature isn't supported by util-vserver as expected. When i created the spaces/pid file and started the guest, it shows that there is no guest running. As if it wasn't started
1259679549 M * swen and AFAIK you can then dynamically add/remove routes
1259679574 M * swen but i'm not sure about this one
1259679587 M * gavbaa swen: I can't create an interface that doesn't have an IP.
1259679625 M * gavbaa Well, I mean I *can*, but I get this error: Can not read ip for '/etc/vservers/fcs01/interfaces/16'
1259679659 M * gavbaa Can I just put anything in there and it will safely not complain? There's no reasonable IP to be put here, because I'm connecting to a variety of networks.
1259679680 M * swen gavbaa: you can certainly try
1259679687 M * swen and share your experience :D
1259679763 M * gavbaa swen: Well, that was progress.
1259679794 M * gavbaa cat ip; cat dev; cat prefix
1259679794 M * gavbaa 0.0.0.0
1259679794 M * gavbaa tun16
1259679795 M * gavbaa 1
1259679812 M * gavbaa And OpenVPN's log output:
1259679814 M * gavbaa Tue Dec 1 10:02:16 2009 TUN/TAP device tun16 opened
1259679814 M * gavbaa Tue Dec 1 10:02:16 2009 Note: Cannot set tx queue length on tun16: Operation not permitted (errno=1)
1259679815 M * gavbaa Tue Dec 1 10:02:16 2009 /sbin/ifconfig tun16 10.99.98.18 pointopoint 10.99.98.17 mtu 1500
1259679815 M * gavbaa SIOCSIFADDR: Permission denied
1259679815 M * gavbaa SIOCSIFFLAGS: Permission denied
1259679816 M * gavbaa SIOCSIFDSTADDR: Permission denied
1259679816 M * gavbaa SIOCSIFFLAGS: Permission denied
1259679818 M * gavbaa SIOCSIFMTU: Operation not permitted
1259679820 M * gavbaa Am I missing a capability?
1259679856 M * blathijs gavbaa: You can't create an interface without an ip, since vserver doesn't do interface virtualization, only ip isolation (and then hides all interfaces on which a vserver has no ip, but I'm not sure how strong this hiding is)
1259679901 M * swen gavbaa: i'm looking at the capabilities list right now....
1259679908 M * gavbaa swen: Ditto.
1259679957 Q * scientes Ping timeout: 480 seconds
1259680249 J * balbir ~balbir@122.172.7.177
1259680324 M * swen gavbaa: i feel your pain
1259680332 M * swen :D
1259680337 M * swen i'm out of ideas
1259680358 M * gavbaa swen: Heh. It would be useful if there was a pairing for the common "SIOCSIFADDR: Permission denied" and what flag they relate to.
1259680370 M * swen if you can't set the ip from within the guest, it is all in vain
1259680371 M * gavbaa The mailing lists show some evidence that this pairing is moderately consistent.
1259680381 M * gavbaa Oh, is that impossible?
1259680389 M * gavbaa Some of these VPNs are assigned-IP only.
1259680399 M * gavbaa Can't be statically pre-assigned.
1259680408 M * swen yes i know
1259680419 M * swen and there lies your problem
1259680450 M * swen as blathijs said: " vserver doesn't do interface virtualization, only ip isolation"
1259680474 M * swen so if it is IP isolation - how can it isolate if you can change the IP
1259680490 M * biz KernelMadness: I've got it running :) - but you need the SYS_PACCT system capability within the guest
1259680511 M * biz KernelMadness: and I'm not sure if you may start to acct(2) multiple times (in multiple guests)
1259680516 M * gavbaa swen: Ugh. So it would appear the only solution is to not use vservers then?
1259680521 M * gavbaa That's just sad.
1259680526 M * swen i guess
1259680587 M * swen gavbaa: I have similar problems (with IPs)
1259680615 M * blathijs swen: Well, IP isolation could be used with adding an IP within the guest, of course (that's just a matter of privileges)
1259680616 M * biz KernelMadness: Also, I'm not yet sure if the accounting information written within the guest is really guest-specific or host global
1259680618 M * blathijs swen: At least in theory
1259680625 M * swen the difference is I want to expose different devices with the same IP to different guests
1259680652 M * gavbaa swen: Saw that earlier, that seems even harder than what I'm asking. :)
1259680662 M * gavbaa blathijs: What privileges would that be?
1259680678 M * swen blathijs: I know - but where is the point in isolation then?
1259680686 M * KernelMadness biz: i know that it is possible to run acct on a vserver guest :) but the problem is how to separate accounting between guests. Now accounting is global, you can start accounting on one guest and catch all acct info about the host and other guests
1259680687 M * blathijs gavbaa: Dunno, I'm reasoning from a fundamental view, not a practical implementation view :-)
1259680701 M * biz KernelMadness: turns out it is global, after reading acct(2) I'm not sure if it is even possible
1259680729 J * taenzerme ~Adium@static-87-79-237-223.netcologne.de
1259680737 M * blathijs swen: That you still need root within the vserver to access the other IP's? And you could still enforce that a vserver cannot add an IP that is already in use by another vserver or the host?
1259680791 M * KernelMadness biz: it is possible by using pid namespaces. Vserver formally supports this, but actually doesn't. The guest just does not start with pid spaces enabled
1259680830 M * biz KernelMadness: oh, ok. I'm interested in this too... let's wait for Bertl_zZ :)
1259680870 M * KernelMadness biz: i think so :)
1259680884 M * swen blathijs: hmm....It's possible - but you'd need to separate routing also
1259680908 M * swen gotta run
1259680909 M * swen bye
1259680914 Q * swen Remote host closed the connection
1259681176 J * scientes ~scientes@174-21-140-29.tukw.qwest.net
1259681935 Q * kir Quit: Leaving.
1259682758 J * derjohn_mob ~aj@tmo-109-25.customers.d1-online.com
1259683779 Q * ptiphus Quit: leaving
1259685093 Q * derjohn_mob Ping timeout: 480 seconds
1259685811 M * eja what does the setattr --barrier /vservers command do?
1259685853 Q * thierryp Ping timeout: 480 seconds
1259686574 J * derjohn_mob ~aj@tmo-108-224.customers.d1-online.com
1259686879 N * Bertl_zZ Bertl
1259686893 M * Bertl back now ...
1259686910 M * Bertl eja: it sets the barrier flag on /vservers
1259686934 M * eja well i figured that :) what does the barrier flag do though? i have no man page for setattr
1259686988 M * Bertl KernelMadness: pid spaces have nothing to do with networking
1259687030 Q * gavbaa Ping timeout: 480 seconds
1259687038 M * Bertl eja: http://linux-vserver.org/Paper
1259687092 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1259687094 M * KernelMadness Bertl: networking? i didn't talk about networking. Just process accounting
1259687203 M * Bertl okay, the discussion above is somehow unreadable for me .. i.e. it switches between accounting/virtual interfaces and other things .... so I probably confused that
1259687260 M * blathijs Bertl: hehe :-)
1259687294 M * blathijs Bertl: There are really three problems, two concerning networking (one with OpenVPN, one with "Direct Routing") and a problem of accounting
1259687381 M * Bertl good, the 'same IP problem' I got, but swen is gone, so it's probably not interesting anymore
1259687396 M * Bertl nevertheless, conclusions should be:
1259687408 M * Bertl - same ip can be assigned to multiple interfaces
1259687444 M * Bertl - there is no point in doing so with dummy, because when dummy devices would be used for routing, the packets would be lost (which usually is not what you want)
1259687468 J * dowdle ~dowdle@scott.coe.montana.edu
1259687471 M * blathijs Bertl: For routing outgoing packets, you mean?
1259687478 M * KernelMadness Bertl: the question is how to enable process accounting separately for each guest?
1259687481 M * KernelMadness Bertl: i did some investigation and think i have to enable pid namespaces (kernel/acct.c supports accounting on a per-namespace basis), but with pid namespaces enabled the guest does not start
1259687481 M * Bertl - you cannot restrict a guest to an interface or number of interfaces, just IPs, so all guests which have that IP assigned will see all interfaces
1259687503 M * Bertl - you can share IPs between guests, although it has to be done with care
1259687599 M * Bertl KernelMadness: you need an init process for pid spaces
1259687665 M * blathijs Bertl: You're saying just configure the same ip on multiple guests on the same interface?
1259687696 M * Bertl yes, that will share them between the guests
1259687719 M * blathijs I think swen did that, but he was running into problems with being able to bind a particular port only once
1259687744 M * Bertl well, that is expected, when the IP is shared, you cannot bind the same port twice on that IP
1259687764 J * judasbelt ~arachnida@ner-as11292.alshamil.net.ae
1259687767 M * KernelMadness Bertl: can you explain? Because each guest has its own init by default..
1259687788 M * Bertl KernelMadness: no, by default Linux-VServer uses a blend-through init
1259687796 M * Bertl (i.e. sysv init style)
1259687835 M * Bertl blathijs: I'm pretty sure swen was trying to do the impossible, out of ignorance regarding networking like e.g. using a single IP for several web servers
1259687844 M * blathijs Bertl: He was trying to do some direct routing approach, which normally uses multiple physical machines on the same network. Apparently, there is some IP Virtual Server code that does funky things with routing and arp to route different requests to multiple servers sharing the same IP.
1259687908 M * Bertl there is LVS, but I don't remember it doing such cruel things :)
1259687918 M * blathijs Bertl: Does indeed seem like virtual servers don't like that sort of abuse
1259687937 M * blathijs Bertl: Actually, I think he was referring to LVS (he linked a url somewhere up)
1259687942 M * Bertl in any case, it would require to 'switch' on a per packet basis with understanding of the underlying protocol
1259687973 M * Bertl and there is no real point in using the same IP for that, if you can simply NAT based on the protocol
1259687974 M * blathijs Underlying protocol being TCP in this case, I guess? That's what LVS seems to do AFAIU.
1259688002 M * KernelMadness Bertl: i can not understand, is it possible to get pid namespaces running with util-vserver?
1259688032 M * Bertl I think it should work with recent util-vserver, but please double check with daniel_hozac, I haven't tried it yet
1259688080 M * blathijs Bertl: Yeah, when just a single physical server is used, DNAT is probably the way to go (but swen had some point about scalability that he didn't expand on...)
1259688097 M * blathijs Bertl: Also, can you do load balancing with DNAT?
1259688154 N * fb fback
1259688170 M * blathijs Ah, seems you can (based on the source address, so every single source ip will always have the same target server, which is a good thing wrt sessions)
1259688192 M * Bertl well, let's assume it would be a real world setup with a switch and physical 'guests'
1259688238 M * Bertl if you give each guest the same IP, the switch will take up to several seconds to react to an arp rerouting
1259688238 M * KernelMadness daniel_hozac: is it possible to use pid namespaces with util-vserver?
1259688279 M * blathijs Bertl: I think there is a gateway that does all the routing for incoming data
1259688280 M * Bertl blathijs: so that is probably not going to work well for several simultaneous connections to different machines (with the same IP :)
1259688292 M * blathijs 15:36:27 < swen> http://www.linuxvirtualserver.org/VS-DRouting.html
1259688300 M * blathijs There's a pretty picture there :-)
1259688330 M * daniel_hozac LVS doesn't give the servers the same IP. it gets DNATed to their private IP.
1259688338 M * blathijs And that gateway machine does spiffy stuff with the destination mac addresses of the packets it forwards.
1259688378 M * Bertl that's fine, it's 'virtual ip' to 'real ip' translation
1259688390 J * imcsk8 ~ichavero@nat.ti.uach.mx
1259688391 M * blathijs daniel_hozac: Apparently this is the "Direct Routing" variant of LVS, that makes sure replies don't have to go through the gateway again (which seems to make sense from a performance perspective)
1259688393 M * Bertl you can do the same setup with Linux-VServer guests as well
1259688456 M * Bertl yes, direct routing requires separate ethernet segments
1259688576 M * Bertl okay, this is quite some hack as it seems, still it might be possible to do the same on a single host, I guess
1259688604 M * daniel_hozac KernelMadness: i honestly don't know, you tell me.
1259688649 M * Bertl KernelMadness: try to select the 'plain' init style first, make sure everything runs fine, then enable pid spaces
1259688691 M * KernelMadness Bertl: it's impossible to start gentoo guests with plain style :(
1259688719 M * daniel_hozac that would be your issue then.
1259688725 M * Bertl KernelMadness: how so? that would mean that gentoo cannot work on real machines?
1259688777 M * KernelMadness Bertl: gentoo works well on real machines, but with "gentoo" init style
1259688809 M * Bertl on a real machine, it needs to run init, right?
1259688823 M * Bertl (or whatever runs as init)
1259688888 M * KernelMadness Bertl: yes, right. And gentoo init style does this.
1259688909 M * KernelMadness Bertl: just tried plain style... and it works. strange
1259688931 M * Bertl no, the gentoo init style was born to run the runlevel stuff _without_ init
1259688940 M * Bertl (on gentoo)
1259688980 M * KernelMadness Bertl: but i see an init process in top on guests with gentoo init style. what am i doing wrong?
1259689007 M * Bertl nothing, it is very likely the blend-through init as well
1259689008 M * daniel_hozac KernelMadness: may i ask why you need a pid space?
1259689020 Q * scientes Ping timeout: 480 seconds
1259689023 M * Bertl for separate process accounting it seems
1259689028 M * daniel_hozac in what way is the process isolation in vserver incomplete?
1259689031 M * KernelMadness daniel_hozac: for process accounting
1259689053 M * daniel_hozac i don't follow.
1259689075 M * daniel_hozac what part of process accounting requires a pid space?
1259689102 M * Bertl good question ... I said the discussion was quite confusing :)
1259689118 M * KernelMadness daniel_hozac: without pid namespaces when we start accounting on one guest it catches all accounting info from itself, other guests, and the host
1259689125 M * daniel_hozac it does?
1259689138 M * daniel_hozac that would be a rather serious bug.
1259689146 M * Bertl that sounds like a bug .. but what kind of accounting are we talking about?
1259689149 M * daniel_hozac do you have an example for us to look at?
1259689288 M * ntrs__ The recommended solution for the latest upstart problem on ubuntu 9.10 as a guest does not work.
1259689297 M * ntrs__ http://linux-vserver.org/Upstart_issues
1259689318 M * Bertl in what way (does it not work)?
1259689323 M * ntrs__ crond still does not stop/start
1259689340 M * Bertl did you enable/configure it?
1259689344 M * ntrs__ # /etc/init.d/cron restart
1259689344 M * ntrs__ Rather than invoking init scripts through /etc/init.d, use the service(8)
1259689344 M * ntrs__ utility, e.g. service cron restart
1259689344 M * ntrs__ Since the script you are attempting to invoke has been converted to an
1259689344 M * ntrs__ Upstart job, you may also use the restart(8) utility, e.g. restart cron
1259689345 M * ntrs__ start: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused
1259689355 M * ntrs__ configure what? crond?
1259689399 M * Bertl guest is 'plain' init style with upstart configured as init?
1259689437 M * KernelMadness daniel_hozac: kernel/acct.c - it supports pid namespaces
1259689437 M * KernelMadness Bertl: tried to start with pid spaces and plain style. Got output: "Usage: init {-e VAR[=VAL] | [-t SECONDS] {0|1|2|3|4|5|6|S|s|Q|q|A|a|B|b|C|c|U|u}}"
1259689437 Q * KernelMadness Remote host closed the connection
1259689444 J * KernelMadness ~kmad@89.169.234.21
1259689459 M * KernelMadness Sorry, network problems
1259689460 M * daniel_hozac KernelMadness: so?
1259689476 M * ntrs__ Bertl, let me check
1259689508 M * ntrs__ Bertl, plain is in /etc/vservers/guest/apps/init/style
1259689530 M * ntrs__ Bertl, with plain included:
1259689532 M * ntrs__ # init: missing runlevel
1259689532 M * ntrs__ Try `init --help' for more information.
1259689551 J * thierryp ~thierry@home.parmentelat.net
1259689557 M * KernelMadness daniel_hozac: tried to start with pid spaces and plain style. Got output: "Usage: init {-e VAR[=VAL] | [-t SECONDS] {0|1|2|3|4|5|6|S|s|Q|q|A|a|B|b|C|c|U|u}}"
1259689566 M * Bertl ntrs__: see 'Notes for older kernels'
1259689593 M * daniel_hozac Bertl: has that really been confirmed?
1259689597 M * daniel_hozac that sounds like crack to me.
1259689597 M * ntrs__ Bertl, the patch is already applied
1259689616 M * daniel_hozac by the time we launch /sbin/init, it is pid 1.
1259689625 M * Bertl daniel_hozac: well, I haven't tested with older kernels, but somebody had that problem
1259689651 M * Bertl daniel_hozac: and he did some extensive debugging with modified upstart versions, there should be an irc log
1259689653 M * ntrs__ Bertl, this is not with older kernels, this is with the latest stable kernel and patch
1259689668 M * Bertl (which is an 'older' kernel)
1259689689 M * ntrs__ Right, but the stable is the one that is being maintained and guaranteed to work, right?
1259689705 M * Bertl to work for older setups and older distros, yes
1259689751 M * ntrs__ ok, no ubuntu 9.10+ then.
1259689760 M * KernelMadness daniel_hozac: any ideas?
1259689770 M * daniel_hozac KernelMadness: ah right, that thing.
1259689772 M * Bertl as I said, I never tested recent ubuntu with the stable branch
1259689778 M * daniel_hozac KernelMadness: but really, i still have yet to see why you need a pid space.
1259689792 Q * balbir Read error: Connection reset by peer
1259689792 M * daniel_hozac KernelMadness: if you find a flaw in the virtualization provided by Linux-VServer, that's a bug we'll fix.
1259689797 M * Bertl ntrs__: I have a recent ubuntu guest (for test purposes) running on a recent kernel
1259689821 M * KernelMadness daniel_hozac: i have explained this above
1259689823 M * Bertl ntrs__: so what I can conclude is that it works with recent kernels and a Mandriva host system, not more, not less
1259689831 M * KernelMadness daniel_hozac: without pid namespaces when we start accounting on one guest it catches all accounting info from itself, other guests, and the host
1259689839 M * daniel_hozac KernelMadness: so you have an example of that?
1259689843 M * daniel_hozac KernelMadness: show us the example.
1259689894 M * KernelMadness daniel_hozac: how? what kind of example do you want?
1259689949 M * daniel_hozac an example that shows us how to get accounting information for the host or another guest from a guest.
1259689965 M * Bertl KernelMadness: well, something which obviously goes wrong, is simple to test and proves your point?
1259689977 M * daniel_hozac as with any bug report, a way to reproduce the issue is pretty much a necessity.
1259690107 M * KernelMadness daniel_hozac: for gentoo emerge sys-process/acct, then /etc/init.d/acct stop, then dump-acct /var/acct/pacct
1259690108 J * mnemoc ~amery@shell.opensde.net
1259690120 M * KernelMadness run this on the guest
1259690133 M * KernelMadness and then dump-acct several times
1259690147 M * mnemoc hi, would it be evil to patch secure-mount to not write mtab when it's a symlink to /proc/mounts ?
1259690154 M * KernelMadness you will see that it catches garbage from other guests
1259690177 M * KernelMadness sorry, /etc/init.d/acct start , not stop
1259690210 M * daniel_hozac so that's the bug.
1259690310 M * Bertl that's from the psacct source, yes?
1259690316 M * KernelMadness daniel_hozac: i'm sure that this bug can be easily eliminated by enabling pid spaces, because of native support in kernel/acct.c
1259690338 M * KernelMadness Bertl: yes
1259690388 M * daniel_hozac KernelMadness: no... that's a workaround, not a fix.
1259690440 M * KernelMadness daniel_hozac: why a workaround? it's a native virtualization feature
1259690467 M * daniel_hozac that doesn't make the Linux-VServer isolation any less broken
1259690524 M * KernelMadness daniel_hozac: as we can see, accounting is not isolated
1259690558 M * Bertl well, psacct works on single processes, right?
1259690586 M * Bertl and reading through kernel/acct.c, I do not see what shouldn't work in a pid isolated guest
1259690621 M * Bertl I think, the only missing thing is that the kernel allows the user to read information about other processes as well, correct?
1259690658 M * Bertl i.e. there is no misaccounting or similar, just 'too much' information
1259690663 M * daniel_hozac yes.
1259690664 M * KernelMadness Bertl: in a pid isolated guest accounting will collect information only about the current namespace. Each guest will have its own accounting statistics
1259690676 J * balbir ~balbir@122.172.18.190
1259690713 M * daniel_hozac KernelMadness: this should be a ~6 line fix.
1259690767 M * KernelMadness daniel_hozac: you know best
1259690929 M * KernelMadness Bertl: i think we misunderstood each other. For kernel process accounting we don't need to use psacct (i don't know this tool), we just use the sys-process/acct package that allows us to tell the kernel to start/stop accounting
1259690980 M * KernelMadness Bertl: the kernel writes to the file by itself without userspace tools
1259691108 M * Bertl yeah, I see that in the code ... curious interface :)
1259691187 Q * taenzerme Quit: Leaving.
1259691205 M * Bertl I think it should be doable to isolate that in Linux-VServer too, I wonder though, don't you need any special caps to enable that?
1259691255 M * KernelMadness Bertl: special caps for separate accounting?
1259691271 M * Bertl nah, for starting the kernel side bsd accounting
1259691296 M * KernelMadness Bertl: SYS_PACCT in bflags
1259691306 M * KernelMadness oops
1259691314 M * KernelMadness Bertl: SYS_PACCT in bcapabilities
1259691325 M * Bertl okay, so it's off by default
1259691340 M * Bertl that's good to know, because otherwise it would be a security issue
1259691345 M * KernelMadness Bertl: yes, ofc
1259691373 M * Bertl so, I see two options for you:
1259691414 M * Bertl a) do some testing with pid spaces and how to integrate them into util-vserver and use that (including the init process)
1259691465 M * Bertl b) do some testing with a patch (which I could provide) to isolate the bsd accounting in Linux-VServer
1259691578 Q * davidkarban Quit: Ex-Chat
1259691633 Q * derjohn_mob Ping timeout: 480 seconds
1259691637 M * KernelMadness Bertl: i prefer the util-vserver way, but i have no idea how to get it to work
1259691671 M * daniel_hozac that's a whole lot harder.
1259691674 M * daniel_hozac jFYI.
1259691700 M * daniel_hozac but patches are more than appreciated.
1259691723 M * Bertl yeah, I guess it won't hurt to pursue the util-vserver pid space path
1259691827 M * Bertl (it seems to me like a reasonably unusual setup to justify the pid space overhead)
1259691829 M * KernelMadness Bertl: ok, kernel patch seems to be a faster solution than util-vserver
1259691920 M * KernelMadness Bertl: the only reason why i think that a userspace solution would be better than a kernel patch is to keep the vserver patch smaller
1259691973 M * Bertl well, why not pursue both paths ...
1259692000 M * KernelMadness Bertl: yes, ofc
1259692004 M * Bertl daniel_hozac: any idea what the main problem with pid spaces would be?
1259692039 M * daniel_hozac essentially it would require a rewrite of the way util-vserver sets up the context.
1259692080 M * daniel_hozac since we can't fork after creating the pid space.
1259692145 M * Bertl do we need that? couldn't the pid space be simply unshared right before exec-ing the init process?
1259692206 M * daniel_hozac well, to keep things clean. the alternative i haven't really looked into yet
1259692264 M * Bertl we added the unshare mask to recent patches, so it should be no problem with the context itself
1259692320 M * daniel_hozac we still have to vc_set_space though.
1259692390 J * ichavero_ ~ichavero@148.229.1.11
1259692438 M * Bertl to enter it, yes, but that wouldn't make sense anyway for pid spaces, would it?
1259692454 J * niki ~niki@0x5553169c.adsl.cybercity.dk
1259692461 M * daniel_hozac we don't plan on supporting entering pid spaces?
1259692477 M * Bertl does mainline support that?
1259692483 M * daniel_hozac no.
1259692497 M * daniel_hozac not AFAIK anyway.
1259692505 M * Bertl so why should we go there and do the complicated pid transition?
1259692520 M * daniel_hozac it doesn't have to be complicated.
1259692520 M * KernelMadness daniel_hozac: did spaces ever work? There should be a reason to have a configuration option on the great flower page that does not work
1259692536 M * daniel_hozac spaces works fine.
1259692539 M * daniel_hozac the pid space does not.
1259692556 M * KernelMadness there are options for pid :)
1259692564 M * daniel_hozac yes
1259692569 M * daniel_hozac i know, i put it there.
1259692574 M * Bertl well, for a start, I guess a non enterable pid space would be fine
1259692611 M * Bertl we can think about the best way to extend pid spaces later (once they can be actually used) no?
1259692687 M * Bertl so all which would be required in this case is to postpone the pid space unsharing till init is executed, and simply do that there (should be doable within the scripts) what do you think?
1259692714 M * Bertl (i.e. without changes to the compiled util-vserver parts)
1259692725 M * daniel_hozac no, it needs to go in src/vcontext.x
1259692735 M * daniel_hozac s/x/c/2
1259692765 M * Bertl really, why?
1259692780 M * daniel_hozac because vcontext forks as part of the final step.
1259692794 M * daniel_hozac and the clone for NEWPID needs to come after that.
1259692866 M * Bertl so why not add a do_unshare_pid_space right before /path/to/init?
1259692883 M * daniel_hozac because that would need to exist in the guest.
1259692884 M * daniel_hozac :)
1259692918 M * Bertl I guess that would be fine too for a start, as unsharing pid spaces would be allowed inside the guest anyways
1259692950 M * Bertl but yeah, I see that a proper solution will require putting it in vcontext
1259693153 M * Bertl KernelMadness: you could use vcmd for that inside the guest
1259693264 Q * gnuk Quit: NoFeature
1259693654 J * derjohn_mob ~aj@d045209.adsl.hansenet.de
1259693785 M * KernelMadness Bertl: vcmd for what?
1259694856 Q * bzed Quit: leaving
1259694875 J * bzed ~bzed@devel.recluse.de
1259695142 M * Bertl for the unshare part
1259695621 Q * jrklein_ Quit: Computer has gone to sleep
1259696187 M * KernelMadness Bertl: i don't understand
1259696221 Q * niki Read error: Connection reset by peer
1259696606 M * Bertl KernelMadness: grab the latest vcmd, compile it (for use inside the guest), modify the guest config to do the final pid space unshare with that command (from inside the guest)
1259696660 J * AmokPaule ~amokpaule@brsg-4dbbb260.pool.mediaWays.net
1259696798 M * KernelMadness Bertl: ok, i'll try.. but how to enter the space later?
1259696845 M * daniel_hozac you can't.
1259697006 M * KernelMadness so, this is a very ugly hack. I can start accounting from an unshared namespace, but this way is too complicated
1259697053 M * Bertl nah, not really ugly, it's like the pid namespace is designed
1259697099 M * Bertl i.e. AFAWK (W = We :) entering pid spaces is not supposed to happen, you can still e.g. ssh to the guest
1259697208 M * KernelMadness recently i tried lxc and was shocked by the way of connecting to guests - ssh or virtual console with login. Vserver with namespaces seems to be the same hell
1259697237 M * Bertl yeah, that's why we prefer isolation over virtualization
1259697256 Q * jambo Ping timeout: 480 seconds
1259697275 M * Bertl but as daniel_hozac hinted, there is a chance to extend the pid space to allow entering .. I'm just not sure it's worth the trouble
1259697561 M * KernelMadness so, maybe a kernel patch would be better in this case?
1259697647 M * Bertl let's try the pid space stuff first, while I think about the kernel patch
1259698094 J * jrklein_ ~jrklein@156.26.8.206
1259698595 J * Aaron_ ~chatzilla@CPE001c10a88bc9-CM001947579cda.cpe.net.cable.rogers.com
1259698654 M * Aaron_ Hey is anyone around?
1259698658 M * Aaron_ got a question
1259698702 M * Aaron_ I had a vserver running, I issued shutdown -r now on the host ... now when I try to start up the vserver again... I get this error, and it won't start:
1259698715 M * Aaron_ katrina:~# vserver katrina-vs start
1259698717 M * Aaron_ ioctl(): Device or resource busy
1259698718 M * Aaron_ Failed to start vserver 'katrina-vs'
1259698769 Q * AmokPaule Quit: Nettalk6 - www.ntalk.de
1259698830 M * Aaron_ *nudge*
1259698940 M * Bertl sounds strange, care to share some details like kernel/patch/util-vserver version?
1259698974 M * Aaron_ k umm
1259698990 M * Aaron_ the only change i've made to the vserver setup from default is added non-shared quota support
1259699002 M * Aaron_ as per
1259699004 M * Aaron_ http://linux-vserver.org/Standard_non-shared_quota
1259699029 M * Bertl still doesn't give us any clue about the versions :)
1259699037 M * Aaron_ lol
1259699045 M * Aaron_ I'm sure what that error is suggesting
1259699048 M * Aaron_ if I knew I could troubleshoot
1259699056 M * Aaron_ 2.6.26-2-vserver-686 (SMP) i686
1259699058 M * Aaron_ that's my kernel
1259699069 M * Aaron_ how do I find the util-vserver version?
1259699075 M * Bertl the known-to-be-broken debian version (kernel)?
1259699104 M * Aaron_ the I-Didn't-Know-To-Be-Broken debian kernel
1259699139 M * Aaron_ it's whatever the kernel is on the newest version of Debian... with whatever mods that linux-vserver makes to it when it gets installed
1259699140 M * Bertl fair enough! util-vserver version will be shown with 'vserver-info - SYSINFO'
1259699147 Q * ichavero_ Quit: This computer has gone to sleep
1259699167 M * Aaron_ Versions:
1259699169 M * Aaron_ Kernel: 2.6.26-2-vserver-686
1259699170 M * Aaron_ VS-API: 0x00020303
1259699172 M * Aaron_ util-vserver: 0.30.216-pre2772; Dec 12 2008, 23:24:33
1259699256 M * Aaron_ the vserver is on a separate partition "/vservers" with rw,usrquota,grpquota
1259699281 M * Aaron_ i've had this happen twice now... by restarting the host OS without first shutting down the guests...
1259699292 M * Bertl JFYI:
1259699300 M * Bertl http://linux-vserver.org/Installation_on_Debian#Issues_with_the_current_2.6.26_Kernel
1259699403 M * Bertl well, the resource busy sounds strange, but could be quota related
1259699415 M * Bertl is the vroot device set up properly?
1259699461 M * Aaron_ ya it works fine ... if I shut down the guests manually before shutting down the Host OS
1259699477 M * Aaron_ but if I shut down the Host, without first manually shutting down the guests
1259699480 M * Aaron_ this happens
1259699506 M * daniel_hozac does your host have an initscript that properly shuts guests down when the host is rebooting?
1259699511 M * Bertl well, the runlevel script(s) should shut down the guests when the host is shut down
1259699552 M * Aaron_ my thoughts exactly
1259699560 M * Aaron_ but apparently that's not happening properly
1259699594 M * Aaron_ perhaps I should set up another basic vserver and see if... shutting down the OS without manually shutting down the guest causes that guest to become unstartable
1259699623 M * Aaron_ the only special things about this guest... are that it is set to autostart on boot up...
1259699631 M * Aaron_ and it has quota support
1259699675 Q * jrdnyquist Quit: Leaving
1259699876 Q * KernelMadness Quit: I'm leaving you (xchat 2.4.5 or higher)
1259699905 J * jrdnyquist ~jrdnyquis@slayer.caro.net
1259700032 M * Bertl well, I'd opt for a debian issue ... after all, both kernel and tools are known to be problematic .. I wouldn't be surprised if updating both makes your issues disappear
1259700544 J * jambo ~jambo@94.45.190.23
1259700544 Q * jambo
1259700564 J * jambo ~jambo@94.45.190.23
1259701432 M * Aaron_ hmm, I set up a guest, installed quota and everything
1259701438 M * Aaron_ can't seem to reproduce the problem
1259701457 M * Aaron_ maybe it's something else I have installed in the other vserver
1259701464 M * Aaron_ anyways i'll try upgrading the kernel
1259701469 M * Aaron_ how do I upgrade the kernel?
1259701503 M * Bertl debian should have 2.6.31.x (and maybe even 2.6.32-rc) kernel(s) for testing somewhere
1259701562 Q * jambo Quit: I'm leaving you (xchat 2.4.5 or higher)
1259701698 M * Aaron_ hmm kk
1259701701 M * Aaron_ i'll try it out
1259701705 M * Aaron_ in a couple hours
1259701713 M * Bertl k, keep us updated
1259701893 Q * jrklein_ Quit: Computer has gone to sleep
1259702043 M * eja just looking through this doc you linked Bertl and it says vserver doesn't use virtual network devices... with other virtualization technologies I've used i just create a tap device and add it to the appropriate bridge and i'm done. will that not work with linux-vserver?
1259702060 Q * Aaron_ Quit: ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]
1259702107 M * Bertl eja: it will, but it is the slow approach (aka. network virtualization)
1259702132 M * Bertl where each packet has to travel the network stack twice ...
1259702255 M * eja hmm i've been able to achieve near gigabit / s performance with that approach. i guess it's just more work for the host though. what's the preferred approach with vserver?
1259702305 M * daniel_hozac we do multi-gigabit easily :-)
1259702335 M * Bertl eja: Linux-VServer prefers network isolation
1259702423 M * Bertl i.e. IP based isolation, you assign IP(s) to guests, and they can bind to them
1259702474 M * eja like an IP alias that can be shared with the guest?
1259702501 M * Bertl skip the 'alias' but yeah :)
1259702619 J * barismetin ~barismeti@tvwna-ip-b-192.princeton.org
1259702657 Q * bonbons Quit: Leaving
1259702671 M * eja is it facilitated by a modification the vserver project has made to the kernel?
1259702892 M * Bertl yep, correct
1259704736 M * badiane http://www.slideshare.net/bligneri/comparison-of-open-source-virtualization-technology
1259704765 M * badiane sorry wrong one
1259705119 M * badiane bertl: should eja: take a look at man chbind?
1259705155 M * Bertl well, maybe, depends on what eja is looking for :)
1259706615 J * samv ~samv@leibniz.catalyst.net.nz
1259706678 P * samv
1259707300 J * gavbaa ~gav@92.49.33.65.cfl.res.rr.com
1259707399 M * gavbaa I'm attempting to do OpenVPN (client only, no server) in a vserver container. However, the nature of the VPNs I am connecting to require that the IP address be assigned by the VPN. No statics. Is this possible?
1259707434 M * Bertl yes, but you either need network namespaces for that or cooperation from the host
1259707527 M * gavbaa Bertl: I will have no cooperation from the host, I am sure. Is there a guide to network namespaces recommended by the Linux-vserver team? My first crack at Google-fu doesn't show much.
1259707620 M * Bertl basically google for 'network namespaces', they come from mainline
1259707667 M * gavbaa Okay, so it's not specific to linux-vserver. Got it, thanks for the direction. :)
1259707762 Q * ntrs__ Ping timeout: 480 seconds
1259708364 J * AmokPaule ~amokpaule@brsg-4dbbb260.pool.mediaWays.net
1259708541 Q * xdr Quit: leaving
1259709180 Q * ghislain Quit: Leaving.