1317081849 Q * dowdle Remote host closed the connection
1317084546 J * FireEgl FireEgl@2001:470:e056:1:68a7:c396:45c5:8322
1317085490 Q * Hunger Quit: _._
1317085694 J * Hunger ~Hunger@Hunger.hu
1317088188 Q * fisted Ping timeout: 480 seconds
1317088399 J * fisted ~fisted@xdsl-87-78-216-39.netcologne.de
1317090450 Q * sannes Remote host closed the connection
1317093819 M * Bertl off to bed now ... have a good one everyone!
1317093823 N * Bertl Bertl_zZ
1317097252 Q * Vudumen Ping timeout: 480 seconds
1317097573 J * Vudumen adc37795af@perverz.hu
1317104234 J * derjohn_mob ~aj@213.238.45.2
1317105072 J * ghislain ~AQUEOS@adsl2.aqueos.com
1317105119 J * tana59 ~tana59@82VAAD15X.tor-irc.dnsbl.oftc.net
1317105166 P * tana59 
1317105815 J * ncopa ~ncopa@3.203.202.84.customer.cdi.no
1317108767 J * Aiken_ ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1317108767 Q * Aiken Read error: Connection reset by peer
1317112346 J * sannes ~ace@cm-84.209.106.118.getinternet.no
1317114134 J * BenG ~bengreen@host86-135-76-110.range86-135.btcentralplus.com
1317116094 M * kcin is it normal behavior for /proc/cpuinfo inside vserver to shows host cpu even though I have limit it to 1 core with cgroup? 
1317116861 M * kcin anyone?
1317121157 M * daniel_hozac yes
1317121373 Q * mikez Remote host closed the connection
1317121947 M * kcin daniel_hozac: thanks :)
1317122115 N * Bertl_zZ Bertl
1317122120 M * Bertl morning folks!
1317122151 M * Bertl kcin: but it would be rather trivial to hide CPUs not contained in a cpuset for example, just mainline didn't do that (yet)
1317122388 M * kcin Bertl: Any pointer on how to do that? (please excuse my English)
1317123615 M * Bertl there is a seq_operations cpuinfo_op for each architecture
1317123632 M * Bertl which basically iterates through all the online CPUs
1317123684 M * Bertl you also have the cpuset for each process, so you can use the information for the current process (the one reading /proc/cpuinfo) to select what CPU data you show or hide
1317123726 M * Bertl probably simplest way is to modify show_cpuinfo for your architecture
1317126319 M * hparker Bertl: Will linux-vserver work ok with selinux?
1317126721 M * hparker Everything I'm finding says no, but wanted to make sure
1317126760 Q * ntrs Ping timeout: 480 seconds
1317127198 Q * FireEgl Ping timeout: 480 seconds
1317127231 J * ntrs ~ntrs@vault08.rosehosting.com
1317128286 Q * Aiken_ Remote host closed the connection
1317128506 M * Bertl hparker: if configured properly, yes, but selinux is not guest aware
1317128562 M * hparker Will it work within a guest at all, or is that what you're saying by "not guest aware"
1317128621 M * Bertl again, depends on the config and setup, but you shouldn't expect it to be virtualized 
1317128642 M * Bertl i.e. selinux out of the box has no concept of a guest
1317128668 M * hparker I can see where this might be opening a can of worms
1317128737 M * hparker Are there any MAC implementations you know of that work well with vserver?
1317128781 Q * BenG Quit: I Leave
1317128803 M * Bertl depending on the definition of 'working well', grsec seems to have worked for many folks, although I'm not sure that they actually used the MAC features :)
1317128841 M * Bertl for selinux, I remember that somebody wrote extensive rules to handle guests properly, but AFAIK, the information wasn't disclosed
1317128863 M * hparker Oh
1317128874 M * Bertl for me, the main question is: what do you want to achieve?
1317128912 M * hparker Selinux still lock down to secure a server
1317128940 M * hparker Something more than just user/group
1317128955 M * hparker Somewhere in between :P
1317128983 M * Bertl what's the purpose, or more precisely, what is the concrete example?
1317128987 M * hparker s/still/style
1317129107 M * hparker Just a multi service server in a DMZ running the normal external facing services, apache, MTA for filter and forward, webmail. Just to lock it down in case one of the web sites gets cracked would be the main thing
1317129133 M * hparker Oh, and dns
1317129203 M * Bertl lock down how/what? i.e. what is the functionality you expect/hope for with a guest using selinux (in case the web site get cracted)?
1317129340 M * hparker It would have limited access to anything else as the user would be very limited... And I'm a bit out of my league here, someone was asking me if i was possible. I'm not very familiar with Selinux other than the concept
1317129390 M * Bertl see, there is the point, a properly configured guest/unix system doesn't allow an arbitrary user access to anything out of the 'secure' scope
1317129411 M * Bertl if unix user/group is not enough, you can use acls
1317129450 M * Bertl everything else is usually handwaving, as the selinux "users" do not use other functionality as it would require configuration :)
1317129473 M * hparker And acls work within guests properly?
1317129474 M * hparker lol
1317129522 M * hparker Or maybe I'm confusing acl with another filesystem attribute 
1317129627 M * hparker Google seems to know more than I
1317129743 M * hparker Bertl: Thanks!
1317130040 M * Bertl acls should work fine inside a guest, although it wasn't explicitely tested recently
1317130077 M * hparker ahh
1317131819 J * BenG ~bengreen@host86-135-76-110.range86-135.btcentralplus.com
1317131914 Q * BenG 
1317133777 Q * fisted Ping timeout: 480 seconds
1317134150 J * fisted ~fisted@xdsl-87-78-210-110.netcologne.de
1317134590 J * dowdle ~dowdle@scott.coe.montana.edu
1317137298 Q * ntrs Ping timeout: 480 seconds
1317137681 J * ntrs ~ntrs@vault08.rosehosting.com
1317138794 M * meebey whats the purpose of nfs inode tagging?
1317139307 M * Bertl that files placed on nfs have tagging information?
1317139797 M * Walex meebey: which tagging do you refer to?
1317139827 M * meebey inode->i_tag in nfs/inode.c
1317139851 M * meebey I am fixing the nfs client code, its currently bugged
1317139868 M * Bertl really? currently being what kernel/patch?
1317139870 M * Walex meebey: the client code is pretty bad, especially as to performance.
1317139895 M * meebey its updating the inode with invalid file attribute information
1317139896 M * Walex meebey: I'll double check, but there is an important issue
1317139912 M * meebey uid and gid get updated while they shouldnt
1317139926 M * meebey and I am not sure what I should do with the tag
1317139942 M * Walex meebey: it is that a vital semantics of UNIX style filesystems is that they *must* give each file a unique and persistent inumber.
1317139987 M * Walex meebey: some filesystems that can be served by NFS do not necessarily have that, so NFS servers must be prepared to generate a unique id of some sort for every file they serve.
1317139994 M * meebey Bertl: this is a 2.6.32 kernel with vs2.3.0.36.29.7
1317139997 M * Walex meebey: this needs only to be persistent for a mount.
1317140025 M * Bertl meebey: and what's broken there?
1317140107 M * meebey Bertl: in nfs/inode.c the inode->i_uid = and i_gid = part
1317140122 M * Walex meebey: but that "i_tag" just looks like a VServer specific field to hold the context number
1317140134 M * meebey Bertl: it simply sets them without the attribute validation check
1317140144 M * Bertl Walex: the tag, not necessarily the context
1317140165 M * Walex Bertl: I am just skimming theough the source.
1317140174 M * meebey moving the assigment into the validation block will fix it
1317140175 M * Walex Bertl: I am just skimming theough the source...
1317140221 M * daniel_hozac meebey: umm
1317140223 M * meebey you can reproduce the bug by doing "cat $file; ls -l $file" on a nfs mount
1317140230 M * meebey the uid/gid will be -2 then :)
1317140234 M * daniel_hozac meebey: which assignment are you talking about?
1317140234 J * bonbons ~bonbons@2001:960:7ab:0:919d:64fb:39e8:df75
1317140280 M * Bertl meebey: sounds more like you are mixing tagged nfs client with untagged nfs server
1317140398 M * Bertl as far as I can tell, the i_tag assignments in nfs/inode.c are symmetrical to the uid/gid ones, which is what they should be, IMHO
1317140432 M * meebey the tag one is only related, the real issue is the uid/guid usage from the attribute without checking for validity
1317140440 M * Bertl so, what assignment is not done like uid/gid?
1317140466 M * meebey to my understanding of the nfs protocol, that is an attribute cache that it updates from different nfs responses but in this case it takes the uid/gid attribute from the response while it shouldnt, that happens because the inode->i_uid = uid; is done after the checks
1317140535 M * meebey try my repro and you will see, if you have a nfs server
1317140550 M * Bertl okay, so what you are seeing is data coming from the cache, with the default uid/gid instead of the correct one?
1317140606 M * meebey yes, it overwrites the uid/gid with wrong values as they are not passed in the nfs response (the server really replies with uid/gid -2 when you do a cat $file)
1317140650 M * Bertl hmm, why would the server do that?
1317140683 M * Bertl okay, let me rephrase that, the uid/gid=-2 are special in server responses, yes?
1317140708 M * meebey I think so yes, I dont reall know how the nfs server works, but I see the different behavior of my clients
1317140714 M * meebey that is the same debian kernel with and without vserver patch
1317140721 M * meebey they behave differently to the -2 reply
1317140773 M * meebey the nfs client with the vserver patch suddenly shows wrong uid/gid after opening and reading the file, while the same nfs client without vserver patch is showing uid/gid fine according to stat
1317140815 M * Bertl with nfs tagging enabled in the kernel, yes?
1317140870 M * meebey CONFIG_TAGGING_ID24=y
1317140871 M * meebey so yeah
1317140928 M * Bertl and the server is patched and has CONFIG_TAG_NFSD enabled?
1317141087 M * meebey the nfs server is vserver patched and has
1317141091 M * meebey CONFIG_TAGGING_ID24=y
1317141095 M * meebey # CONFIG_TAG_NFSD is not set
1317141105 M * meebey same kernel version and same vserver patch
1317141123 M * Bertl and you are mounting the nfs as 'notag'?
1317141164 M * meebey no, I do a regular nfs4 mount from the host (not inside a guest) of the nfs client
1317141188 M * meebey should I try notag?
1317141268 M * Bertl well, it should be default, unless you specify 'tag' (or one of the relatives)
1317141295 M * meebey oh noac workarounds the issue btw
1317141329 M * meebey as that will not use invalid attribute cache
1317141395 M * meebey isnt that if (fattr->valid & NFS_ATTR_FATTR_OWNER) check making sure to only use the data from the received fattr when its really populated?
1317141421 M * meebey it depends on the NFS call which attributes are populated and which not, to my understanding...
1317141441 M * Bertl okay
1317141444 M * meebey and thats what broke, the vserver always uses the uid/gid value from it
1317141541 M * Bertl okay, I can follow that argumentation, let me check ...
1317141715 M * Bertl well, I can see that if the NFS_ATTR_FATTR_OWNER and NFS_ATTR_FATTR_GROUP flags are missing, it will cause the -2/-2 you are seeing
1317141745 M * Bertl the question now is, does the server use them separately or always together?
1317141781 M * Bertl and where do uid/gid come from when they are not specified?
1317141802 M * Bertl is whatever the inode contains simply assumed correct then?
1317141860 M * meebey good question, I guess the client will request them, not sure where and how though
1317141871 M * meebey the original code at least works that why, without vserver
1317141879 M * meebey s/why/way/
1317141916 M * Bertl well, we can do a simple workaround which mimics the old behaviour
1317141949 M * Bertl let me wrap up a patch for that
1317141960 M * meebey thats what my attempt was, but then hit the tag line :)
1317142010 M * meebey no idea when or how to update that one, as its based on the uid and gid
1317142612 M * Bertl try this one: http://vserver.13thfloor.at/ExperimentalT/delta-nfs-fix01.diff
1317142757 Q * derjohn_mob Ping timeout: 480 seconds
1317143461 J * sweil ~stefan@p5086E83B.dip.t-dialin.net
1317146222 Q * sweil Remote host closed the connection
1317146526 M * WMP Bertl: is possible to delete vserver without question?
1317146648 M * Bertl hmm?
1317146652 N * click_ click
1317146672 M * WMP  Are you sure you want to delete the vserver Informatic (y/N) y
1317146678 M * WMP without this question
1317146702 M * Bertl ah, that'd be an util-vserver question, so daniel_hozac is the right person to ask ...
1317146710 M * WMP ok
1317146718 M * WMP daniel_hozac: hello :)
1317146732 M * Bertl but you can always use 'yes | ...'
1317146766 M * WMP OOO
1317146800 M * WMP Bertl: thx
1317146842 M * Bertl you're welcome!
1317148067 J * mike___ mike@no.phear.eu
1317148079 N * mike___ mikez
1317149217 M * daniel_hozac or --silent
1317149767 M * WMP o
1317149794 M * WMP daniel_hozac: vserver delete --silent ?
1317149800 M * WMP or vserver --silent delete?
1317149811 M * daniel_hozac vserver --silent <guest> delete
1317149839 M * WMP ok, thx
1317150200 J * strowi ~strowi@g228140229.adsl.alicedsl.de
1317150312 M * strowi hey
1317150681 M * strowi i currently trying to patch the zen-kernel with vs2.3.1-pre10.1 but i am no pro and have some trouble patching ./drivers/md/dm.c correctly.
1317151197 M * Bertl what is the 'zen-kernel'?
1317151308 M * strowi it is a quite heavily patched kernel "zen-kernel.org" i have been successfully patching previous versions (for my testing rig).
1317151471 M * Bertl okay, what's the problem with dm.c?
1317151601 J * strowi_ ~strowi@g228140229.adsl.alicedsl.de
1317151601 Q * strowi Read error: Connection reset by peer
1317151607 M * strowi_ sry connection dropped
1317151625 M * strowi_ basically the problem is this: http://paste.pocoo.org/show/483475/
1317151682 M * strowi_ i am no kernel-expert, so i don't really know about ret an retval and if they are the same or should be kept separated.
1317151758 M * strowi_ this is the original zen-file http://git.zen-kernel.org/zen-stable/tree/drivers/md/dm.c
1317151891 M * Bertl well, basically they do the same as we do regarding return value and cleanup
1317151935 M * Bertl so simply reduce the rejected hunks to:
1317151991 M * Bertl if (!vx_check(md->xid, VS_IDENT|VS_HOSTID)) {
1317152020 M * Bertl   retval = -EACCESS;
1317152027 M * Bertl   goto out;
1317152030 M * Bertl }
1317152060 M * Bertl and insert that before the get_disk_ro() check
1317152091 M * Bertl no idea why they do the md=0 part though
1317152122 M * Bertl (read: it doesn't make sense to me :)
1317152181 M * strowi_ ok, will try that on my thinkpad right now
1317152222 M * strowi_ thx!
1317152533 M * Bertl np
1317153093 Q * strowi_ Quit: Verlassend
1317154888 Q * ntrs Ping timeout: 480 seconds
1317155410 J * ntrs ~ntrs@vault08.rosehosting.com
1317156439 M * Bertl meebey: does the patch work for you?
1317156512 Q * bonbons Quit: Leaving
1317156636 J * Aiken ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1317160235 Q * ghislain Quit: Leaving.
1317162858 J * imcsk8 ~ichavero@nat.ti.uach.mx
1317163543 J * FireEgl ~FireEgl@173-16-9-169.client.mchsi.com
1317167805 Q * dowdle Remote host closed the connection