1301443263 Q * dowdle Remote host closed the connection
1301444160 Q * ensc Quit: Lost terminal
1301450985 Q * Romster Ping timeout: 480 seconds
1301451270 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1301452988 Q * FireEgl Remote host closed the connection
1301453219 Q * bsingh Ping timeout: 480 seconds
1301453821 J * bsingh ~balbir@122.172.36.156
1301455919 Q * bsingh Ping timeout: 480 seconds
1301456469 J * bsingh ~balbir@122.172.40.64
1301457509 J * SwenTjuln_ ~SwenTjuln@77.111.2.36
1301457533 J * Marillio1 ~dirk@178.63.150.30
1301457625 Q * SwenTjuln Ping timeout: 480 seconds
1301457625 N * SwenTjuln_ SwenTjuln
1301457655 Q * Marillion Ping timeout: 480 seconds
1301457655 N * Marillio1 Marillion
1301457665 Q * mEDI_S Ping timeout: 480 seconds
1301457953 Q * fLoo Ping timeout: 480 seconds
1301457985 J * mEDI_S ~medi@255.255.255.255.li
1301465102 J * ncopa ~ncopa@3.203.202.84.customer.cdi.no
1301467151 J * ghislain ~AQUEOS@adsl2.aqueos.com
1301467545 Q * derjohn_mob Ping timeout: 480 seconds
1301467706 J * fLoo ~fLoo@irc.coresec.de
1301468368 J * petzsch ~markus@p57B66750.dip.t-dialin.net
1301468457 Q * nkukard Quit: Leaving
1301468904 Q * arekm Quit: leaving
1301469621 J * arekm arekm@carme.pld-linux.org
1301469771 M * arekm daniel_hozac: tested but didn't work, useCgroup tests for mount_point/task while now there is a separate task file for each subsystem (/dev/cgroup/{memory,devices,freezer,...}/tasks
1301469990 M * daniel_hozac and with that fixed?
1301470116 M * arekm tried to use /dev/cgroup/cpuset/carme-pld-srv/cpu.shares while it should use /dev/cgroup/cpu/carme-pld-srv/cpu.shares
1301470161 M * arekm and first create /dev/cgroup/cpu/carme-pld-srv/ of course, looking more
1301471205 M * arekm actually it tries to use next subsystem in /dev/cgroup/XXX/carme-pld-srv/cpu.shares for every start try I do
1301471238 Q * bsingh Read error: Connection reset by peer
1301471415 M * daniel_hozac should be fixed
1301471853 M * arekm daniel_hozac: works now. So the only thing left is vserver-stat which needs to look in correct place for memory and cpuacct
1301471883 M * daniel_hozac sure.
1301472048 J * bsingh ~balbir@122.172.4.183
1301472064 Q * Romster Read error: No route to host
1301472261 M * arekm daniel_hozac: based on /etc/vservers/.defaults/cgroup/per-ss existence I assume. Are you making these changes?
1301472268 M * daniel_hozac yes.
1301472405 M * Bertl off to bed now ... have a good one everyone!
1301472413 N * Bertl Bertl_zZ
1301473108 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1301473720 M * daniel_hozac arekm: seems to work here now...
1301473896 J * bonbons ~bonbons@2001:960:7ab:0:a967:fb0e:7f38:7589
1301474089 M * arekm daniel_hozac: hmm, open(memory.usage_in_bytes): No such file or directory
1301474098 M * arekm have to go for few minutes
1301475777 Q * petzsch Quit: Leaving.
1301479796 M * daniel_hozac arekm: strace?
1301479809 M * daniel_hozac and ls -lR /dev/cgroup
1301480768 Q * bsingh Ping timeout: 480 seconds
1301482575 M * arekm daniel_hozac: vserver(0xb010001, 0x1, 0x7fff46c87168, 0, 0x2upeek: ptrace(PTRACE_PEEKUSER,57584,120,0): Operation not permitted
1301482593 M * arekm daniel_hozac: but not sure who is forbidding that, vserver or grsec
1301482615 M * arekm daniel_hozac: http://pastebin.com/Cs1ccP4K
1301483478 M * daniel_hozac vserver forbids that, unfortunately...
1301483483 M * daniel_hozac it might be fixed in recent kernels.
1301483665 M * arekm this is 38.2 with patch-2.6.38.1-vs2.3.0.37-rc9.diff
1301483781 M * arekm so not fresh enough?
1301484065 M * daniel_hozac hmm, interesting.
1301484106 M * daniel_hozac ah, i see... yeah, i guess that still won't work.
1301484195 M * daniel_hozac anyway, what git did you build from?
1301484231 M * arekm http://git.linux-vserver.org/git/util-vserver.git c6d15ec933126d74645ffbe0cfd2e8e931664e0d
1301484265 M * daniel_hozac and you are using that vserver-stat?
1301484275 M * daniel_hozac because i have that setup here right now, and vserver-stat works fine.
1301484357 M * arekm yes, I'll debug then
1301484544 M * arekm daniel_hozac: looks like the script doesn't create cgroups for guests that don't have /etc/vservers/xyz/cgroup and vserver-stat tries to access these anyway
1301484596 M * daniel_hozac the scripts will create it if /etc/vservers/.defaults/cgroup exists, if memory cgroups are used for memory accounting, or if /etc/vservers//cgroup exists.
1301484607 M * daniel_hozac can you get a --debug run of vserver ... start?
1301484631 M * arekm hmm, previously there was no need for /etc/vservers/.defaults/cgroup, I just had /etc/vservers/xyz/cgroup in some guests
1301484653 M * daniel_hozac it's not required.
1301484657 M * arekm but right, I have it for ss
1301484680 M * fback_ evening :)
1301484729 M * fback_ daniel_hozac: is it possible to assign a plain (ie without IPs assigned) network interface to a guest with util-vserver?
1301484748 M * daniel_hozac i.e. using network namespaces?
1301484768 M * arekm daniel_hozac: damn, my fault. Everything is fine. I simply didn't restart those few guests (without /etc/vservers/xyz/cgroup ) after installing fixed util-vserver... I only restarted those which had some local cgroup configuration
1301484776 M * arekm daniel_hozac: thanks for the fixes
1301484837 M * daniel_hozac you're welcome
1301484843 M * daniel_hozac let me know if you run into any more issues.
1301484904 M * arekm would happily test strace fix if there is any
1301484962 M * daniel_hozac should be trivial, comment lines 722-724 in kernel/ptrace.c
1301484971 M * fback_ daniel_hozac: without?
1301485037 M * daniel_hozac fback_: hmm?
1301485208 M * fback_ daniel_hozac: if I can understand our admins, if I can understand them, create bunch of tun/tap interfaces on the host, then want to assign them to guests
1301485214 M * arekm daniel_hozac: and is this the correct fix (so I'll apply to local kernel) or just a test on the way to a correct fix?
1301485232 M * fback_ and then let the guests assign IPs to them
1301485345 M * daniel_hozac arekm: IMHO it's correct, but you might want to check with Bertl_zZ.
1301485373 M * daniel_hozac arekm: we already check for permissions in the main ptrace permission hook, so i don't see a need to check additionally in ptrace itself.
1301485416 M * daniel_hozac fback_: you'll have to assign the IPs on the host.
1301485435 M * daniel_hozac fback_: or remove the network context from the guest, and give it CAP_NET_ADMIN, which basically means they can mess with your networking however they see fit.
1301485551 J * petzsch ~markus@p57B63D92.dip.t-dialin.net
1301485914 J * mtg ~mtg@vollkornmail.dbk-nb.de
1301488338 Q * petzsch Quit: Leaving.
1301490193 J * JonB ~NoSuchUse@212-60-115-150.ip.cust.zensystems.net
1301490226 M * JonB hi, how would I open up in my firewall such that access to a mysql running inside 1 guest on port 127.0.0.1 is only possible from that guest and not from the other guests?
1301490253 M * daniel_hozac if you're using 2.3 with lback, you already have that.
1301491175 M * JonB daniel_hozac: debian squeeze 2.6.32-5-vserver-amd64. But it turns out that this simple rule did the trick: iptables -I INPUT -i lo -j ACCEPT, without opening it for other guests to be able to access it
1301491375 M * JonB i had expected it to open for all guests, because i expected guest traffic still on the same physical host to come from localhost
1301492773 M * SwenTjuln JonB: if you've enabled CONFIG_VSERVER_AUTO_LBACK in kernel config then guest 127.0.0.1 is mapped to another 127.x.x.1 IP. So binding to that ip won't work between guests
1301492878 M * daniel_hozac all of 127.0.0.0/8 is mapped to the guest's private lback.
1301493030 M * JonB ok
1301494769 J * DOUGHTY ~loudserv@64.235.198.125
1301494807 P * DOUGHTY
1301495421 J * nkukard ~nkukard@41-133-112-179.dsl.mweb.co.za
1301495502 J * dowdle ~dowdle@scott.coe.montana.edu
1301496535 J * tam_ ~tam@says.screwallofyoubitches.com
1301496645 Q * tam Ping timeout: 480 seconds
1301496690 Q * fichte` Ping timeout: 480 seconds
1301496710 Q * monrad-51468 Ping timeout: 480 seconds
1301496714 J * monrad-51468 ~mmk@domitian.tdx.dk
1301496718 J * FIChTe ~fichte@bashpipe.de
1301496742 Q * mtg Quit: Verlassend
1301497767 Q * ncopa Quit: Leaving
1301497775 Q * JonB Quit: Leaving
1301498115 J * bsingh ~balbir@122.172.22.50
1301498270 Q * fisted_ Remote host closed the connection
1301500344 J * fisted ~fisted@p508854D5.dip.t-dialin.net
1301500873 J * derjohn_mob ~aj@d142169.adsl.hansenet.de
1301501266 N * Bertl_zZ Bertl
1301501270 M * Bertl morning folks!
1301501300 M * julius
1301501304 M * julius morning Bertl
1301502494 M * arekm Bertl: hi, take a look a few lines earlier at what daniel suggests about dropping the ptrace check
1301503117 Q * Romster Ping timeout: 480 seconds
1301503526 M * Bertl arekm, daniel_hozac: what's the associated issue we are trying to fix there?
1301503829 M * arekm Bertl: make for example strace -Ff vserver-status working
1301503900 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1301504648 J * st-8622 ~st-8622@a89-154-147-132.cpe.netcabo.pt
1301504784 Q * s0undt3ch Remote host closed the connection
1301504866 Q * st-8622 Remote host closed the connection
1301504997 J * s0undt3ch quasselcor@80.69.34.153
1301505087 J * st-9028 ~st-9028@a89-154-147-132.cpe.netcabo.pt
1301505200 Q * st-9028 Remote host closed the connection
1301505251 J * st-9200 ~st-9200@a89-154-147-132.cpe.netcabo.pt
1301505382 M * Bertl arekm: okay, so the argument is (to recap) the check can be dropped because it is already checked somewhere else, yes?
1301505520 M * arekm Bertl: yes, according to daniel
1301505551 M * daniel_hozac right
1301505554 M * Bertl which doesn't make much sense to me right now, because if it was, how would it help to fix the issue?
1301505575 M * daniel_hozac __ptrace_may_access allows things the ptrace check doesn't.
1301505591 M * daniel_hozac and __ptrace_may_access is invoked from the ptrace check.
1301505602 M * daniel_hozac s/check/syscall/
1301505603 Q * st-9200 Quit: Quiting...
1301505631 M * Bertl okay, so basically we have two patches/changes
1301505646 M * Bertl 1) up the ptrace check to the same fix we did some time ago
1301505658 M * Bertl 2) remove the duplicate check from ptrace
1301505806 J * st-9398 ~st-9398@a89-154-147-132.cpe.netcabo.pt
1301505923 M * daniel_hozac right
1301505970 Q * st-9398
1301506814 J * st-9666 ~st-9666@a89-154-147-132.cpe.netcabo.pt
1301506873 Q * st-9666
1301506909 J * st-9783 ~st-9783@a89-154-147-132.cpe.netcabo.pt
1301507041 Q * st-9783
1301507317 J * manana ~mayday090@84.17.25.149
1301507751 J * derjohn_foo ~aj@c135068.adsl.hansenet.de
1301508195 Q * derjohn_mob Ping timeout: 480 seconds
1301508804 M * Bertl I'm not convinced that we do the proper checks without the one in sys_ptrace()
1301508824 M * Bertl but we can add WS_ADMIN_P to the check
1301508962 M * Bertl IMHO we end up in arch_ptrace() without further checks for PTRACE_* (!= ATTACH)
1301509728 M * daniel_hozac how?
1301509769 M * daniel_hozac IMHO ptrace_check_attach will just return -ESRCH
1301509796 M * daniel_hozac since it requires you to attach
1301509961 M * daniel_hozac (also note that we don't have the equivalent check in compat_sys_ptrace :-))
1301510245 M * Bertl hmm, good argument
1301510385 Q * manana Quit: Terminated
1301510517 Q * ghislain Quit: Leaving.
1301510525 J * ghislain ~AQUEOS@adsl2.aqueos.com
1301518396 Q * derjohn_foo Remote host closed the connection
1301519601 Q * caglar Remote host closed the connection
1301522890 Q * bonbons Quit: Leaving
1301524148 Q * imcsk8 Quit: Leaving
1301526064 Q * dowdle Remote host closed the connection
1301526231 J * fisted_ ~fisted@p50883079.dip.t-dialin.net
1301526665 Q * fisted Ping timeout: 480 seconds
1301527579 Q * ghislain Quit: Leaving.