1265674379 Q * imcsk8 Quit: Leaving
1265678693 J * Bushmills ~l@verhau.de
1265678709 M * Bushmills g'day
1265678898 M * Bushmills I rent a dedicated server with 4 ip addresses routed to 1 NIC. On that server I want to run 3 VPS, assigning each one 1 of those 4 addresses, and keeping one for the host. Will vserver allow me to do that?
1265679331 Q * dowdle Remote host closed the connection
1265679401 M * mnemoc yes
1265679423 M * Bushmills good.
1265679849 Q * yarihm Quit: This computer has gone to sleep
1265679985 M * Bushmills assuming that a guest has been set up with one of those ip addresses, what do i need to do with host to route those packets to guest? i only see multiple scopes of the same host NIC, nothing i can route to
1265680454 M * daniel_hozac you don't route to guests.
1265680462 M * daniel_hozac networking happens on the host.
1265680482 M * daniel_hozac it's just restricted to a subset of the available IP addresses
1265681075 M * Bushmills not sure what that means for packets with destination one of the guests, in terms of keeping host from replying, because it sees itself as destination.
1265681195 M * Bushmills host needs a mechanism to distinguish between "me" and "guest, me not touch!" while its NIC needs to be open to those packets. what is used for this purpose?
1265681624 M * mnemoc if you bind '0' on the host, the guest wont be able to bind the same port
1265681653 M * mnemoc if you bind the ip explicitly, the guests will bind their ips, and everybody will be happy
1265681668 M * mnemoc no routing related
1265681675 M * Bushmills ah, i c
1265681759 M * mnemoc if the guest binds '0' it will only be bound to the assigned ip
1265682039 M * Bushmills rather simple, actually
1265682483 M * Bushmills so i suppose that a lot of disk space can be saved by installing programs into guest, and hardlinking the files into the respective guest chroot directories
1265682493 M * Bushmills into host, i mean
1265682555 M * trippeh vserver got that built-in in the form of COW hardlinks that uses a shared, hashed pool.
1265682567 M * trippeh Saves some memory too.
1265682640 M * Bushmills after having fought a day without success against xen (guest routing), this went rather smooth now.
1265682702 M * Bushmills back en route to happy camper again
1265683079 Q * DreamerC Ping timeout: 480 seconds
1265689938 J * DreamerC ~DreamerC@122-116-181-118.HINET-IP.hinet.net
1265690365 N * Bertl_zZ Bertl
1265690371 M * Bertl morning folks!
1265691180 Q * DreamerC Quit: leaving
1265691196 J * DreamerC ~DreamerC@122-116-181-118.HINET-IP.hinet.net
1265691203 J * root ~root@188-23-38-45.adsl.highway.telekom.at
1265691232 N * root test
1265691305 Q * test
1265691743 J * test ~bertl@188-23-38-45.adsl.highway.telekom.at
1265691786 P * test
1265693176 J * balbir ~balbir@122.172.147.122
1265693494 Q * ktwilight__ Read error: Connection reset by peer
1265693506 J * ktwilight ~keliew@81.240.59.124
1265694609 Q * balbir Ping timeout: 480 seconds
1265695528 J * balbir ~balbir@122.172.151.159
1265695755 M * fback Morning Bertl!
1265696709 Q * infowolfe Quit: Leaving
1265696735 J * infowolfe ~infowolfe@c-71-236-152-35.hsd1.or.comcast.net
1265699877 J * sharkjaw ~gab@90.149.121.45
1265699965 Q * derjohn_foo Ping timeout: 480 seconds
1265702502 J * petzsch ~markus@dslb-092-078-231-216.pools.arcor-ip.net
1265702567 J * ghislain ~AQUEOS@adsl2.aqueos.com
1265703083 J * niki_work ~niki@cpe.fe4-0-120.0x50a6de52.kdnxd4.customer.tele.dk
1265703785 Q * nou Ping timeout: 480 seconds
1265704396 M * Bertl off for now ... bbl
1265704404 N * Bertl Bertl_oO
1265704592 J * derjohn_foo ~aj@213.238.45.2
1265704893 J * barismetin ~barismeti@zanzibar.inria.fr
1265705453 Q * sharkjaw Remote host closed the connection
1265706158 Q * niki_work Remote host closed the connection
1265706993 J * sharkjaw ~gab@90.149.121.45
1265706997 J * SauLus ~SauLus@c192123.adsl.hansenet.de
1265707210 N * DoberMann[ZZZzzz] DoberMann
1265707247 Q * FireEgl Read error: Connection reset by peer
1265707765 J * niki_work ~niki@cpe.fe4-0-120.0x50a6de52.kdnxd4.customer.tele.dk
1265707982 J * FireEgl FireEgl@173-16-9-10.client.mchsi.com
1265710435 J * gnuk ~F404ror@pla93-3-82-240-11-251.fbx.proxad.net
1265710969 J * yarihm ~yarihm@80-219-150-83.dclient.hispeed.ch
1265711467 J * _nono_ ~gomes@libation.ircam.fr
1265713985 Q * petzsch Quit: Leaving.
1265714428 N * Bertl_oO Bertl
1265714432 M * Bertl back now ...
1265714457 Q * agaffney Ping timeout: 480 seconds
1265714663 J * agaffney ~agaffney@71-81-81-131.dhcp.stls.mo.charter.com
1265714673 J * bobnormal ~irc@87-194-32-179.bethere.co.uk
1265714676 M * bobnormal morning!
1265714799 M * Bertl hey bobnormal! how's going?
1265714834 M * bobnormal good good, except my call center in china's telephone company is inept and broke all my connectivity ... :( ... otherwise great :)
1265714862 M * bobnormal daniel_hozac about? about to get back in to perl UI::Dialog-based vserver network config tool creation
1265714894 M * bobnormal last word was interface-linked rulesets, possibly in /etc/vservers//interfaces/0/rules
1265714997 M * bobnormal issue was iptables rules spec .. SNAT is common case but requires --to $myip in normal command line, which means either rules with __MAGIC_REPLACEMENT__ or possibly a series of default config-styles (ala vmware workstation: nat, host-only, custom
1265715020 M * bobnormal since otherwise vserver portability is destroyed since host-specific config (IP address) is stored as part of the vserver config
1265715051 M * bobnormal will be working on this a couple of days i'd say, so if you have any ideas let me know
1265715071 M * bobnormal of course custom rules must be supported, eg: firewalling or conditional NAT (some protos/ports/destinations only)
1265715099 M * bobnormal whole thing is actually rather complex due to multiple IP address/interface and multiple interface being possible
1265715103 M * bobnormal :/
1265716141 A * arekm needs to account and possibly graph traffic from vserver.. what is the best way? (snmp is not virtualized right?)
1265716169 M * Mr_Smoke I'd say iptables traffic accounting on the host
1265716210 M * arekm is there good existing software package for that? or only writing own scripts?
1265716292 M * bobnormal arekm: mrtg docs should help
1265716495 M * Mr_Smoke You'll probably need some hand tweaking, but nothing out of the ordinary I expect
1265716896 M * Bertl arekm: snmp is userspace
1265718562 M * sid3windr :)
1265718584 M * sid3windr /proc/net/dev is not virtualized is what the real question was me thinks ;)
1265718785 M * Bertl that depends :)
1265719474 Q * fback Ping timeout: 480 seconds
1265719676 J * fback fback@red.fback.net
1265720827 J * thierryp ~thierry@zankai.inria.fr
1265720918 M * ghislain BenG: yes i still use them in production system :)
1265721502 J * dna ~dna@170-198-103-86.dynamic.dsl.tng.de
1265721995 M * Bushmills would a host iptables rules set which has a table for each guest ip address as source or destination. and jumping to that table for each guest packet a good idea? idea is to replace guest iptables command against a script which pretends that the guest specific table is the whole set of iptable rules, and allows to modify those.
1265722067 M * bobnormal bushmills: im working on something like that now, basically as far as i understand from discussion with bertl last week the network context id matching is not present in normal kernels therefore the only matching you can do is IP address based. if this config changes then a ruleset normally implemented on the host is in danger of being out of sync with guest config.
1265722079 M * Bushmills arekm: munin should be a reasonable choice
1265722111 M * bobnormal bushmills: therefore i am writing a tool which will generate interface-specific iptables rulesets for each guest. the idea is that these may in future be executed by vserver start / vserver stop
1265722132 M * bobnormal bushmills: for the moment i will simply wrap vserver start with another script which executes the rules
1265722142 M * bobnormal bushmills: should have this finished within 48 hours .. hopefully
1265722143 M * daniel_hozac why?
1265722152 M * Bertl Bushmills: that was done as a proof of concept implementation for guest side iptable rules with host support
1265722159 M * daniel_hozac util-vserver has rather extensive script support.
1265722184 M * Bushmills bobnormal: you're ahead of me, i think i simply wait for you to give us the results of your first experiences with such a setup
1265722189 M * bobnormal daniel_hozac: shell scripts not my forte unfortunately ;) + my main challenge = make an easy-to-use interface for less than vserver-capable sysadmins
1265722230 Q * AndrewLee Remote host closed the connection
1265722245 M * Bushmills bobnormal: i might be able to assist you with scripts, being not too bad with those myself
1265722248 J * AndrewLee ~andrew@u7.hlc.edu.tw
1265722249 M * bobnormal daniel_hozac: how easy would it be to execute /vservers//interface//rules file on update, and auto-execute same thing with delete on stop?
1265722292 M * Bushmills bobnormal: want an example of a bash script of mine?
1265722292 M * bobnormal bushmills: can you figure out how to add/delete from iptables with reliable matching for 'the rule i added before' then? ie: can you add a ruleID or something? my worry is that if you vserver start then vserver stop and the rules file has changed, then you wont correctly flush the rules out
1265722316 M * daniel_hozac just flush the chain.
1265722322 M * daniel_hozac well, delete the chain.
1265722324 M * bobnormal bushmills: no thanks. i think what is needed COULD be achieved using a new table per guest, that may be easiest for create/delete of a set of rules against a guest
1265722333 M * bobnormal daniel_hozac: yep i suppose thats easiest
1265722382 M * bobnormal slight issue around vservers where the name is set to something other than the directory in which they reside (/etc/vservers) ... bit of a pain for scripting in the case that the name/dirname differ .. otherwise seems quite straightforward
1265722387 M * daniel_hozac just drop a script in /etc/vservers/.defaults/scripts/{pre-start,post-stop} and have it do what you need.
1265722414 M * bobnormal daniel_hozac: are those dirs or files
1265722426 M * daniel_hozac note though that you probably want to do it in a completely different way.
1265722431 M * daniel_hozac files.
1265722437 M * bobnormal daniel_hozac: ok
1265722437 M * daniel_hozac .d are directories.
1265722454 M * daniel_hozac the goal is to make it administrable from the guest, right?
1265722465 M * bobnormal daniel_hozac: not in my case
1265722476 M * Bushmills bobnormal: yes, i'd think the same route: create a new table, add the modified rules set, insert a rule to that table before or behind the original jump rule, then delete the jump rule.
1265722495 J * SlackLnx ~SlackWare@a85-139-11-24.cpe.netcabo.pt
1265722522 Q * SlackLnx Read error: Connection reset by peer
1265722560 M * Bushmills that way you'd keep a copy of the original rules, maybe as insertion script, which allows you to add unique rule ids to identify them
1265722672 M * bobnormal bushmills/daniel_hozac: if you like pm me your email and i will email you my kinda scope doc
1265722685 M * Bushmills ok
1265722766 M * daniel_hozac send it to the mailing list.
1265722807 M * bobnormal daniel_hozac: ok
1265722856 M * bobnormal i will get a little further today then send it through
1265722869 M * bobnormal probably better to have some functional demo rather than just ideas ;)
1265724762 M * arekm Bertl: snmp daemon is but not counters, these are kernel one
1265724851 M * daniel_hozac interfaces aren't virtualized, so the statistics for them aren't either.
1265724989 M * Bertl unless you use network namespaces
1265725007 M * daniel_hozac right
1265725173 Q * sharkjaw Quit: Leaving
1265725316 M * Bertl nap attack ... bbl
1265725323 N * Bertl Bertl_zZ
1265725968 J * SlackLnx ~SlackWare@a85-139-11-24.cpe.netcabo.pt
1265726042 J * MathisTCP ~mathis@c-71-60-82-180.hsd1.pa.comcast.net
1265726580 Q * SlackLnx Quit: I'll Be Back
1265727689 M * Bushmills arekm: you can insert book keeping rules into host iptables, per ip address (supposedly per guest)
1265727710 M * Bushmills a plugin script for munin to read and graph those is simple.
1265727752 M * Bushmills (book keeping rules as i stub rules, having no other purpose than to record traffic volume)
1265727925 J * petzsch ~markus@92.78.231.216
1265728801 Q * infowolfe Read error: Connection reset by peer
1265728848 J * infowolfe ~infowolfe@c-71-236-152-35.hsd1.or.comcast.net
1265729328 J * dowdle ~dowdle@scott.coe.montana.edu
1265730688 Q * yang Ping timeout: 480 seconds
1265731265 Q * MathisTCP Quit: Ex-Chat
1265731941 J * Piet ~Piet__@28IAAAHUI.tor-irc.dnsbl.oftc.net
1265732273 J * yang yang@yang.netrep.oftc.net
1265733500 J * http203 ~http203@d80h232.public.uconn.edu
1265733648 J * SlackLnx ~SlackWare@a85-139-11-24.cpe.netcabo.pt
1265734043 J * hijacker ~hijacker@87-126-142-51.btc-net.bg
1265734096 Q * infowolfe Ping timeout: 480 seconds
1265734682 J * infowolfe ~infowolfe@c-71-236-152-35.hsd1.or.comcast.net
1265735026 J * larsivi ~larsivi@47.80-202-217.nextgentel.com
1265735075 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1265736257 M * bobnormal are STATE_SETUP SC_HELPER and STATE_ADMIN worth including in a config tool or not (i guess internal use only?)
1265737572 J * TheSeer ~theseer@border.office.nonfood.de
1265737581 M * TheSeer good evening :)
1265737849 Q * yarihm Quit: This computer has gone to sleep
1265737983 Q * bobnormal Quit: evening!
1265739387 Q * thierryp Ping timeout: 480 seconds
1265739423 Q * barismetin Quit: Leaving...
1265740249 Q * ktwilight Read error: Connection reset by peer
1265740272 J * ktwilight ~keliew@205.184-247-81.adsl-dyn.isp.belgacom.be
1265741228 Q * TheSeer Quit: Client exiting
1265741634 Q * gnuk Quit: NoFeature
1265741889 Q * SlackLnx Quit: I'll Be Back
1265743577 Q * SauLus Ping timeout: 480 seconds
1265743807 J * kwowt ~urbee@93-103-199-233.dynamic.dsl.t-2.net
1265744044 Q * urbee Ping timeout: 480 seconds
1265745473 Q * derjohn_foo Ping timeout: 480 seconds
1265745970 J * kjj ~kjj@pool-74-107-128-126.ptldor.fios.verizon.net
1265745983 J * thierryp ~thierry@home.parmentelat.net
1265746220 J * imcsk8 ~ichavero@148.229.1.11
1265746356 J * BenG ~bengreen@cpc2-aztw22-2-0-cust521.aztw.cable.virginmedia.com
1265746633 Q * BenG
1265746870 Q * thierryp Remote host closed the connection
1265746957 J * derjohn_foo ~aj@c145123.adsl.hansenet.de
1265750493 Q * hijacker Quit: Leaving
1265750756 J * yarihm ~yarihm@80-219-168-84.dclient.hispeed.ch
1265751565 J * MathisTCP ~MathisTCP@c-71-60-82-180.hsd1.pa.comcast.net
1265751568 J * thierryp ~thierry@home.parmentelat.net
1265751700 N * DoberMann DoberMann[ZZZzzz]
1265751737 Q * MathisTCP Quit: Leaving.
1265751806 Q * thierryp Remote host closed the connection
1265752216 N * Bertl_zZ Bertl
1265752222 M * Bertl back now ...
1265752775 Q * bonbons Quit: Leaving
1265753511 J * MathisTCP ~mathis@c-71-60-82-180.hsd1.pa.comcast.net
1265753554 M * Bertl welcome MathisTCP!
1265753566 M * MathisTCP Thanks!
1265753654 Q * derjohn_foo Ping timeout: 480 seconds
1265753804 M * MathisTCP \msg bertl oops, yea my fingers misspeak
1265753942 J * caglar ~caglar@aegis.CS.Princeton.EDU
1265754123 M * MathisTCP \msg bertl this is ircII
1265754527 M * MathisTCP So this is off channel?
1265755123 Q * caglar Quit: caglar
1265755900 Q * MathisTCP Quit: Leaving
1265756402 Q * ghislain Quit: Leaving.
1265756572 Q * petzsch Quit: Leaving.
1265756655 J * niki ~niki@94.145.207.11
1265756889 J * thierryp ~thierry@home.parmentelat.net
1265757152 Q * thierryp
1265757257 Q * imcsk8 Quit: Leaving
1265757513 M * Bertl welcome niki!
1265757537 M * niki Thanks Bertl :-)
1265757570 M * niki How are things?
1265757594 M * Bertl fine here, and for you?
1265757905 M * niki Also fine here :-)
1265758289 J * derjohn_mob ~aj@c145123.adsl.hansenet.de
1265758399 Q * dna Quit: Verlassend
1265759848 Q * dowdle Remote host closed the connection