1276732874 M * Bertl off to bed now ... drop me a note/paste when you got the debug output for the new kernel
1276732883 N * Bertl Bertl_zZ
1276733016 M * fLoo ok
1276733321 Q * dowdle Remote host closed the connection
1276742595 J * matthew ~matthew@gw.davintech.ca
1276742610 N * matthew MattD
1276742657 N * MattD MatthewDarwin
1276742665 N * MatthewDarwin MattDar
1276742741 Q * hparker Quit: Quit
1276742757 M * MattDar I just upgraded my kernel, util-vserver and other things (debian squeeze) and now some vservers work and some don't
1276742763 M * MattDar vsysctl: open("."): Permission denied
1276742770 M * MattDar I can't figure out what is wrong.
1276743568 Q * infowolfe Quit: Leaving
1276743664 J * SauLus_ ~SauLus@d074056.adsl.hansenet.de
1276744074 Q * SauLus Ping timeout: 480 seconds
1276744075 N * SauLus_ SauLus
1276744892 M * MattDar hrm..
1276744913 M * MattDar if i create a new vserver, then copy the file system over from the old vserver to the new one, all is fine
1276744932 M * MattDar w:/fs# rm -r test2
1276744933 M * MattDar gw:/fs# cp -pra weather test2
1276744935 M * MattDar gw:/fs# vserver test2 start
1276744936 M * MattDar Starting enhanced syslogd: rsyslogd.
1276744938 M * MattDar Not starting internet superserver: no services enabled.
1276744939 M * MattDar Starting Postfix Mail Transport Agent: postfix.
1276744941 M * MattDar Starting periodic command scheduler: crond.
1276744942 M * MattDar Starting web server: apache2[Wed Jun 16 23:20:27 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
1276744944 M * MattDar .
1276744945 M * MattDar gw:/fs# vserver weather start
1276744947 M * MattDar vsysctl: open("."): Permission denied
1276744948 M * MattDar An error occured while executing the vserver startup sequence; when
1276744950 M * MattDar there are no other messages, it is very likely that the init-script
1276744951 M * MattDar (/etc/init.d/rc 3) failed.
1276744953 M * MattDar Common causes are:
1276744954 M * MattDar * /etc/rc.d/rc on Fedora Core 1 and RH9 fails always; the 'apt-rpm' build
1276744956 M * MattDar method knows how to deal with this, but on existing installations,
1276744957 M * MattDar appending 'true' to this file will help.
1276744959 M * MattDar Failed to start vserver 'weather'
1276745895 M * daniel_hozac check if you have a barrier on your configuration directory.
1276745928 M * daniel_hozac and if so, remove it.
1276745995 M * MattDar how do I check that?
1276746180 M * MattDar it seems to be a problem on the filesystem directory (/fs)
1276746199 M * MattDar When I did the same trick as above, but doing "mv" instead of "cp -pra" then it still failed
1276746602 M * daniel_hozac i don't know what /fs is supposed to be.
1276746612 M * daniel_hozac but showattr is your friend.
1276746696 M * MattDar ah
1276746700 M * MattDar ----bui- test2
1276746707 M * MattDar ----Bui- weather
1276746718 M * MattDar somehow I need to change that.
1276746762 M * MattDar /fs is where the root of all my virtual servers is stored
1276746803 M * daniel_hozac yes, setattr --~barrier weather should do the trick.
1276747096 M * MattDar works great with -R in there
1276747112 M * MattDar now I wonder who was setting barriers there.... I've never used them, nor do I need them.
1276747127 M * MattDar Thanks!
1276747196 M * MattDar (my oldest vservers started fine, so obviously it is a more recent thing)
1276747202 M * daniel_hozac well, they do keep your guests from breaking out of the guest...
1276747207 M * daniel_hozac when used correctly.
1276747239 M * MattDar I guess I'll need to read up more on them.
1276747286 M * MattDar All my vservers only have me as a user... i use it to split all the things I want to run so mod_php doesn't collide with mod_perl and mod_whateverelse
1276747294 M * MattDar Application separation
1276747945 Q * Piet Ping timeout: 480 seconds
1276748304 M * MattDar ok, followed instructions at http://linux-vserver.org/Secure_chroot_Barrier
1276748308 M * MattDar Thanks!
1276748627 J * Piet ~Piet__@28IAAAOL9.tor-irc.dnsbl.oftc.net
1276749210 M * daniel_hozac you're welcome
1276749625 J * ktwilight_ ~keliew@91.176.170.164
1276749910 Q * ktwilight Ping timeout: 480 seconds
1276750686 Q * maharaja Server closed connection
1276750687 J * maharaja raoul@93-189-26-52.rev.ipax.at
1276750810 J * imcsk8 ~ichavero@evdomip-111-42.iusacell.net
1276751910 J * balbir ~balbir@122.248.161.59
1276752406 Q * ccxCZ Ping timeout: 480 seconds
1276752636 Q * sladen Remote host closed the connection
1276752645 J * sladen ~paul@starsky.19inch.net
1276752667 J * sid4windr luser@bastard-operator.from-hell.be
1276752667 Q * sid3windr Read error: Connection reset by peer
1276752686 J * yang_ yang@gnewsense.mtveurope.org
1276752694 Q * yang Read error: Connection reset by peer
1276753331 Q * biz_ Server closed connection
1276753332 J * ncopa ~ncopa@180.40.189.109.customer.cdi.no
1276753333 J * biz biz@baze.de
1276753670 Q * imcsk8 Quit: This computer has gone to sleep
1276754072 J * dothebart ~willi@xdsl-87-79-115-176.netcologne.de
1276754282 Q * snooze Server closed connection
1276754290 J * snooze ~o@1-1-4-40a.gkp.gbg.bostream.se
1276754492 Q * tudenbart Ping timeout: 480 seconds
1276756110 Q * derjohn_foo Ping timeout: 480 seconds
1276757219 J * derjohn_foo ~aj@213.238.45.2
1276757736 J * ghislain ~AQUEOS@adsl2.aqueos.com
1276757886 J * ntrs ~ntrs@77.28.165.227
1276757966 J * emcepe ~mcp@wolk-project.de
1276757996 J * mcp- ~mcp@wolk-project.de
1276758309 J * petzsch ~markus@dslb-094-222-075-166.pools.arcor-ip.net
1276758392 Q * mcp Ping timeout: 480 seconds
1276758392 N * mcp- mcp
1276758447 Q * emcepe Ping timeout: 480 seconds
1276758571 M * arekm hm, does collectd vserver plugin calculate only inside-outside traffic? or also inside-inside one, too?
1276759160 J * infowolfe ~infowolfe@c-71-236-152-35.hsd1.or.comcast.net
1276759230 J * ghislain1 ~AQUEOS@adsl2.aqueos.com
1276759571 Q * ghislain Ping timeout: 480 seconds
1276760005 J * thierryp ~thierry@zankai.inria.fr
1276760162 J * mtg ~mtg@vollkornmail.dbk-nb.de
1276760462 M * _are__ arekm: I don't know collectd, but I know only 2 commonly used methods for traffic statistics: counters for interfaces as used with snmpd and some sort of firewall accounting chains with iptables and similar. The former might fail with vservers, the iptables approach will work as long as the INPUT/OUTPUT chains are not restricted to a single interface, e.g. with iptables-save you find no -o or -i parameter in the traffic rules
1276760638 J * barismetin ~barismeti@zanzibar.inria.fr
1276760987 M * arekm so any vserver specific software that takes into account all corner cases and nicely stores iptables chains counters into some database?
1276761284 M * _are__ I'd say so, yes
1276761395 Q * aimbot__ Ping timeout: 480 seconds
1276761633 N * sid4windr sid3windr
1276761669 M * arekm I'm asking whether such exists and if yes then url please
1276762427 Q * petzsch Quit: Leaving.
1276762609 Q * niki Quit: Leaving
1276762621 J * bonbons ~bonbons@2001:960:7ab:0:2c0:9fff:fe2d:39d
1276763160 M * _are__ ah, sorry, no idea if there is any specific software for vservers out there, I'd say any software that is able to distinguish several IPs/host will do
1276763815 J * petzsch ~markus@dslb-094-222-075-166.pools.arcor-ip.net
1276764178 J * kir ~kir@swsoft-msk-nat.sw.ru
1276764750 J * BenG ~bengreen@cpc2-aztw22-2-0-cust521.aztw.cable.virginmedia.com
1276765105 Q * barismetin Remote host closed the connection
1276765611 J * barismetin ~barismeti@zanzibar.inria.fr
1276766913 Q * derjohn_foo Remote host closed the connection
1276767157 J * derjohn_mob ~aj@213.238.45.2
1276768346 J * JonB ~NoSuchUse@130.227.63.19
1276768359 M * JonB how do i enter a vserver using the context number? using vserver-stat shows no name
1276768691 M * _are__ no idea if vserver XID enter works, but the missing name usually is just a missing link
1276768814 M * _are__ echo YourXID > /var/run/vservers/VSERVERNAME; ln -s /etc/vservers/VSERVERNAME /var/run/vservers.rev/YourXID
1276768822 M * _are__ these paths are on Debian
1276768826 N * _are__ _are_
1276768958 M * JonB _are_: thank you
1276769086 M * JonB _are_: works perfectly now
1276769505 Q * BenG Quit: I Leave
1276769582 Q * http203 Read error: Operation timed out
1276770256 J * http203 ~http203@d80h232.public.uconn.edu
1276772088 J * BenG ~bengreen@cpc2-aztw22-2-0-cust521.aztw.cable.virginmedia.com
1276772095 Q * http203 Ping timeout: 480 seconds
1276772661 J * http203 ~http203@d80h232.public.uconn.edu
1276774365 Q * balbir Ping timeout: 480 seconds
1276774893 J * ntrs_ ~ntrs@77.29.115.198
1276775330 Q * ntrs Ping timeout: 480 seconds
1276776064 P * kir Leaving.
1276778143 J * balbir ~balbir@122.172.11.233
1276778452 Q * BenG Quit: I Leave
1276778654 Q * mtg Quit: Verlassend
1276779128 J * ccxCZ ~ccxCZ@adslctc-1867.adslcust.sbone.cz
1276779356 Q * ntrs_ Read error: Connection reset by peer
1276779377 J * ntrs_ ~ntrs@77.29.115.198
1276782227 J * Pazzo ~ugelt@reserved-225136.rol.raiffeisen.net
1276782363 M * harry Bertl_zZ: when your nr_threads atomic_t overflows, you will run into problems, so that's imho one that can benefit from the overflow protection
1276782393 M * harry and i know, that will crash things, you'll notice it in a different way
1276782423 M * harry the important thing is that, when it happens, you don't know what happens so it is/might be a security issue so better catch it
1276782551 M * ccxCZ harry: I rebooted this morning, no problems so far
1276782559 M * harry wiiiiii :)
1276782593 M * harry i don't expect any problems... :)
1276782609 M * harry since it's basically the same patch with some counters that aren't checked for overflowing now...
1276782629 N * Bertl_zZ Bertl
1276782634 M * Bertl morning folks!
1276782638 M * harry our hero is back!
1276782638 M * fback hello harry :)
1276782641 M * harry wb, Bertl !
1276782644 M * harry fback: heya
1276782697 M * Bertl harry: but nr_threads is definitely not a reference counter
1276782725 M * Bertl so IMHO it is just plain wrong to classify it as such and check for reference counter overflows :)
1276782729 M * harry true, but does that guarantee you that you won't run into problems when it does overflow?
1276782751 M * Bertl yes, no problems when any accounting overflows
1276782757 M * fback morning Bertl :)
1276782783 M * Bertl AAMOF, many many counters are designed to overflow ...
1276782789 M * harry if you write software that bases things on that counter, you might e.g. do a number of free() calls on the basis of that number
1276782801 M * harry when it overflows, you get a security issue
1276782814 M * harry hence it's better to catch it and stop your program
1276782821 M * harry just as a security measure
1276782822 M * Bertl if you do that, then your software is flawed in the first place :)
1276782824 M * harry (which it is)
1276782848 M * harry true, but that's what security measures in the kernel do.... they protect you from stupid programming errors
1276782855 M * Bertl I'm fine if you add an atomic counter overflow, besides the reference counter overflow
1276782868 M * Bertl which simply logs the fact that a counter overflowed
1276782869 M * harry in a perfect world you wouldn't need security measures, but it isn't a perfect world
1276782899 M * harry well... in grsecurity (which i don't write) it changes the atomic_t type to check for overflows
1276782909 M * Bertl but there is no point in interrupting perfectly fine behaviour with possibly false positives
1276782911 M * harry i didn't invent that, and i can't rewrite all pax
1276782934 M * harry unless the "possibly false positives" result in security issues
1276782935 M * Bertl but there is a function, IIRC, which avoids the checks
1276782952 M * Bertl that one is the one you should use for all but the reference counters
1276782962 M * harry if you can manually create threads and overflow the counter and exploit software from that, you have a security issue
1276783015 M * harry you want to catch as many possible security issues in that way
1276783051 M * harry that's why i think, if it's perfectly normal and can't result in any problem, you can ignore the check
1276783073 M * harry in all other cases, where you know something is wrong if you reach the limit, you catch it before it gets dangerous
1276783116 M * harry e.g. if you have over 4 million threads, you have a problem on your server that might be exploitable, so better stop the threading and avoid a possible security issue (imho)
1276783132 Q * matthew-_ Server closed connection
1276783132 M * Bertl it's not my problem when you annoy the folks using your patches, and I do not have to agree with your argumentation, just make sure to respond to the complaints in a timely manner
1276783144 J * matthew-_ ~ms@ns2.wellquite.org
1276783150 M * harry i do... :)
1276783154 M * harry (don't i?)
1276783183 M * harry it just seems that you don't like at all, what i'm doing...
1276783295 M * Bertl You know that I do not consider mixing grsec and Linux-VServer a proper 'security' solution, because it causes more issues than it actually solves or secures
1276783317 M * Bertl and that I would really prefer combining them in a proper way
1276783332 M * harry i'm open to suggestions, of course
1276783346 M * fback port PAX to vserver! port PAX to vserver! ;-)
1276783361 M * harry you want to enable/disable by default some options when vserver is enabled etc..?
1276783383 M * harry they don't interfere that much, you know...
1276783415 M * harry aslr, pageexec, mprotect etc... are totally independent of vserver so they work together perfectly
1276783434 M * harry but maybe it is a good idea to disable e.g. chroot restrictions when you enable vserver
1276783608 M * harry do you want "more" integration? if so, make some suggestions on how to make it better!
1276783997 M * Bertl first, it would help a lot to set certain defaults, as you already suggested
1276784065 M * Bertl IMHO that would cover 98% of the Linux-VServer+grsec users, as they usually do not know what they are doing (sorry for the comment :) and just use that patch because of the 'increased security'
1276784263 M * Bertl next step would be to adapt grsec to namespaces/contexts as far as possible
1276784288 M * Bertl and of course, it won't hurt to remove duplicate code
1276784548 Q * ntrs_ Read error: Connection reset by peer
1276784569 J * ntrs_ ~ntrs@77.29.115.198
1276784694 M * harry i could completely disable chroot restrictions, but not all are "problematic" for vserver... I'd suggest disabling all chroot restrictions
1276784708 M * harry BUT, some people seem to insist to be able to enable some of them anyway
1276784769 Q * JonB Quit: Leaving
1276784784 M * harry i don't know if there is any "duplicate code"
1276784808 M * harry and if there are a lot of possibilities to "integrate into namespaces" that make any sense at all
1276784840 M * harry maybe the chroot stuff... but would just disable that completely
1276784996 J * dowdle ~dowdle@scott.coe.montana.edu
1276785003 M * harry just adding a depends on !vserv
1276785007 M * harry er
1276785086 M * Bertl a default would suffice
1276785100 M * Bertl off for now ... bbl
1276785104 N * Bertl Bertl_oO
1276785110 M * harry have fun
1276785748 Q * thierryp Quit: ciao folks
1276785863 A * harry will ask on ML what users want
1276787022 J * hparker ~hparker@2001:470:1f0f:32c:215:f2ff:fee0:9872
1276787419 Q * barismetin Remote host closed the connection
1276787456 J * barismetin ~barismeti@zanzibar.inria.fr
1276787458 Q * barismetin Remote host closed the connection
1276787592 J * manana ~mayday090@84.17.25.144
1276787896 J * barismetin ~barismeti@zanzibar.inria.fr
1276788359 J * barismet_ ~barismeti@zanzibar.inria.fr
1276788359 Q * jrdnyquist Remote host closed the connection
1276788359 Q * barismetin Read error: Connection reset by peer
1276788883 N * Bertl_oO Bertl
1276788889 M * Bertl back now ...
1276788900 M * Bertl harry: excellent idea!
1276789033 J * jrdnyquist ~jrdnyquis@slayer.caro.net
1276789860 J * dna ~dna@p54BCA3C5.dip0.t-ipconnect.de
1276789958 Q * ncopa Quit: Ex-Chat
1276790721 Q * derjohn_mob Ping timeout: 480 seconds
1276791924 Q * ntrs_ Read error: Connection reset by peer
1276791959 J * ntrs ~ntrs@77.28.4.127
1276792358 M * fLoo Bertl : the kernel had a panic while compiling
1276792360 M * fLoo need to redo
1276792362 M * fLoo lol fail
1276792396 M * Bertl well, the next compile run should start where the last one ended
1276792404 M * Bertl so, it shouldn't take too long
1276792552 M * fLoo annnd i've got my new kvm switch today
1276792565 M * fLoo so its even cooler to work with several workstations :)
1276792591 M * Bertl I prefer serial consoles, they 'just work' ...
1276792621 M * fLoo kvm switches do their work too .. i am happy now
1276792812 J * imcsk8 ~ichavero@201.174.19.86
1276793432 Q * barismet_ Remote host closed the connection
1276794580 J * BenG ~bengreen@cpc2-aztw22-2-0-cust521.aztw.cable.virginmedia.com
1276795010 Q * BenG Quit: I Leave
1276796547 M * Bertl nap attack ... bbl
1276796565 N * Bertl Bertl_zZ
1276798732 J * tudenbart ~willi@xdsl-78-35-207-210.netcologne.de
1276799150 Q * dothebart Ping timeout: 480 seconds
1276799388 Q * Pazzo Quit: Bye!
1276799863 Q * petzsch Quit: Leaving.
1276807299 Q * Piet Remote host closed the connection
1276807389 J * Piet ~Piet__@28IAAAO25.tor-irc.dnsbl.oftc.net
1276807745 Q * dna Quit: Verlassend
1276808653 J * petzsch ~markus@dslb-094-222-075-166.pools.arcor-ip.net
1276809394 N * Bertl_zZ Bertl
1276809400 M * Bertl back now ...
1276809492 M * Bertl fLoo: so, any results yet?
1276810096 Q * petzsch Quit: Leaving.
1276810918 J * derjohn_mob ~aj@d179216.adsl.hansenet.de
1276811186 Q * MattDar Remote host closed the connection
1276811337 M * fLoo Bertl : i am making my kernel thin
1276811339 M * fLoo as u said
1276811344 M * fLoo i am kicking everything i dont need
1276811352 M * fLoo so i can recompile the kernel if you need changes
1276811360 M * fLoo otherwise its useless to wait hours
1276811366 M * fLoo for modules to compile i dont need anyway
1276811374 M * fLoo its just pretty time consuming ):
1276811413 M * Bertl good idea, but recompiles are quite fast anyway
1276811492 Q * ntrs Ping timeout: 480 seconds
1276811595 M * fLoo btw
1276811597 M * fLoo i got a question
1276811611 M * fLoo do i need the device_support -> ¦ ¦ Graphics support ---> ¦ ¦
1276811622 M * fLoo the graphics card drivers when i am using shell only ?
1276811640 M * fLoo or do i need graphic card drivers only for X ?
1276811659 M * Bertl depends on your setup, for a serial console you do not need any graphics driver at all (not even a graphics card :)
1276811673 M * fLoo thats what i am using
1276811676 M * fLoo console + ssh
1276811677 M * fLoo not more
1276811734 M * Bertl vga console? if so, then you want at least the vga console driver
1276811753 M * Bertl but no need for specific console drivers, unless you want higher resolutions
1276811760 M * fLoo nope :)
1276811886 N * DoberMann[PullA] DoberMann[ZZZzzz]
1276816083 Q * imcsk8 Quit: This computer has gone to sleep
1276817853 Q * bonbons Quit: Leaving