1325204545 Q * petzsch Quit: Leaving.
1325204715 J * petzsch ~markus@p57B66251.dip.t-dialin.net
1325205228 Q * petzsch Quit: Leaving.
1325205368 Q * ghislain Quit: Leaving.
1325208516 J * clopez ~clopez@238.10.117.91.dynamic.mundo-r.com
1325209803 Q * dowdle
1325214382 J * aj__ ~aj@p5B02471E.dip.t-dialin.net
1325214773 Q * derjohn_foo Ping timeout: 480 seconds
1325220003 Q * clopez Ping timeout: 480 seconds
1325228261 J * ncopa ~ncopa@3.203.202.84.customer.cdi.no
1325231794 J * ghislain ~AQUEOS@adsl2.aqueos.com
1325233162 M * Bertl_oO off to bed now ... have a good one everyone!
1325233166 N * Bertl_oO Bertl_zZ
1325233530 N * ensc Guest22173
1325233540 J * ensc ~irc-ensc@p54ADF45F.dip.t-dialin.net
1325233951 Q * Guest22173 Ping timeout: 480 seconds
1325235359 Q * ensc|w Remote host closed the connection
1325235367 J * ensc|w ~ensc@www.sigma-chemnitz.de
1325236743 J * sannes ~ace@cm-84.209.106.118.getinternet.no
1325246206 J * renihs ~arf@83-65-34-34.arsenal.xdsl-line.inode.at
1325246295 M * renihs out of curiosity, anyone tested vservers+zfs at some stage? (interested because of dedup)
1325248195 J * clopez ~clopez@155.99.117.91.static.mundo-r.com
1325253566 Q * ncopa Quit: Leaving
1325255421 Q * guerby Remote host closed the connection
1325256900 M * macmaN sup Bertl_zZ
1325256937 M * macmaN could someone here explain to me what happens with ip route inside vserver
1325256938 M * macmaN # ip route get to 212.98.232.222
1325256938 M * macmaN 212.98.232.222 via 192.168.1.1 dev if3 src 192.168.1.2 cache
1325256957 M * macmaN vserver actually only has eth1/192.168.3.20 and lo
1325256966 M * macmaN what is this magic if3 device
1325256984 M * macmaN 192.168.1.2 is eth0 on host
1325256996 M * macmaN why is it represented as if3
1325257047 M * macmaN i'm also noticing that if you do just "route get to" inside vserver, you will get the best routing decision according to host capabilities
1325257085 M * macmaN to find out how actual routing goes from within vserver i must do "route get to from "
1325257127 M * macmaN i for some reason expected that to be automatic that only vserver's interface could be picked
1325257150 M * macmaN corrections most welcome
1325257287 M * renihs dunno, doesn't happen for me nor ever seen :p
1325257359 M * renihs are you sure you are not missing a "b" in the output? eg ifb3? :p
1325257387 M * renihs Bertl is sleeping though
1325258504 J * ryker ~jalberts@c-67-176-243-86.hsd1.in.comcast.net
1325258646 M * ryker anyone know how I change ulimit -n inside a guest if I'm using cgroups? rlimits don't seem to work since I'm using cgroups.
1325258653 M * ryker or maybe I'm just not using it right
1325258693 M * ryker I put '12000' in /etc/vservers//rlimits/nofile. I then restarted the guest and it still has the same ulimit.
1325258901 N * Bertl_zZ Bertl
1325258913 M * Bertl morning folks!
1325258936 M * Bertl daniel_hozac: except for the fact that I obviously forgot -- none :)
1325259011 M * Bertl ryker: if you want to set ulimits, why not use the 'ulimits' entry
1325259057 M * ryker Bertl: where is that? I didn't notice it in the wiki
1325259062 M * Bertl certain rlimits will still work (mostly those missing in the cgroup system), like the 'nofile' for example, but they are per guest, not per process
1325259121 M * Bertl so, if you want a total of 1000 files open per guest, use rlimits/nofile*, if you want 100 files per process (i.e. ulimit) use ulimits/nofile*
1325259122 M * ryker nofile is what i'm trying to set, but that didn't work for me.
1325259163 M * ryker why the asterisk at the end of nofile* ?
1325259165 M * Bertl note that 'ulimit' will not show the rlimits, they are shown via procfs and can be queried via the command switch API
1325259184 M * Bertl it can be nofile, nofile.soft and nofile.hard
1325259199 M * ryker ahh, ok.
1325259252 M * ryker I guess it probably changed it when I used rlimits/nofile, but I didn't notice because ulimit -Ha didn't show any change
1325259262 M * ryker awesome. Thank you very much
1325259346 J * dowdle ~dowdle@scott.coe.montana.edu
1325259437 M * Bertl yep, you're welcome!
1325259543 M * Bertl macmaN: you're correct, and I presume the kernel interface for this specific netlink query is not properly virtualized yet, will look into it later ... of course, patches and further testing are welcome
1325259684 M * renihs out of curiosity, anyone tested vservers+zfs at some stage? (interested because of dedup)
1325259755 M * macmaN Bertl: i *wish* i had resource to help at a patch level.
1325259785 M * Bertl renihs: I did read that question in the backlog, but I haven't had any chance to test it and don't know of anybody actually using it
1325259793 M * macmaN not skills wise, but paying projects and a million other open source things that you use take up *ALL* time. what is the remedy to that.
1325259848 M * renihs Bertl, y, sorry, wanted to repeat since 2 people joined and you woke up :)
1325259869 M * macmaN Bertl: i got seriously shot down on my isolation approach question on SF :) http://serverfault.com/questions/344913/options-for-non-virtualized-network-interface-isolation
1325259882 M * Bertl macmaN: well, first we need a proper test case (but I guess you are almost there) to recreate the issue (and for testing of course)
1325259893 M * Bertl renihs: no problem .. just saying
1325259895 M * macmaN but right now i just took your advice and iptabled the biznatch with a single rule
1325259909 M * renihs Bertl, well i am currently on the journey finding out :)
1325259946 M * macmaN -A INPUT -s 192.168.3.0/24 -d 192.168.1.0/24 -i lo -j LOGDROP
1325259954 M * Bertl macmaN: then, the kernel location needs to be identified, once that is done, it's probably rather easy to block unrelated routes
1325259987 M * macmaN sounds like a reasonable path description. which brings us to a bug tracker. (-> goes to look up url)
1325260011 M * macmaN yikes. no bug trackerz :>
1325260015 M * macmaN "Bug reports should be submitted to the mailing list or directly to one of our developers in IRC. "
1325260019 M * Bertl there is one, but it isn't really used
1325260040 M * Bertl but you already did the proper thing, i.e. report it here
1325260061 M * macmaN yeah, reporting is the easy part. followup and remembering is the hard one.
1325260072 M * Bertl that's what the ML is for
1325260120 M * Bertl i.e. polish your test case, test it with the latest kernel/patch, report it on the ML and we'll take it from there
1325260276 J * guerby ~guerby@nc10d.tetaneutral.net
1325260590 M * Bertl off for now ... bbl
1325260595 N * Bertl Bertl_oO
1325261400 M * ryker daniel_hozac: i'm trying to build a kernel RPM for 2.6.38. After fixing the vserver patch to work with this kernel and adjusting the RPM spec file, I started creating the RPM with 'rpmbuild -bb --target=`uname -m` SPECS/kernel.spec'.
1325261409 M * ryker It builds for quite a while and then errors out with: No libdw.h found or old libdw.h found or elfutils is older than 0.138, disables dwarf support. Please install new elfutils-devel/libdw-dev
1325261426 M * ryker any idea where I can get a newer version for centos 5?
1325261438 M * ryker I googled around and could only find one for centos6
1325261459 M * ryker I know you usually build the kernel RPMs, so I thought you might know how to fix this.
1325262804 M * macmaN Bertl_oO: just wondering, can i ask you to take a look at shanemadden's last comment on serverfault and tell me if you think he *is* or *is not* accounting for vserver containment
1325262816 M * macmaN @Ikraav Right, but if an attacker takes control of a process on the system, they won't be limited at all by the restrictions that you've placed on traffic between the interfaces, since they'll have both interfaces accessible to them. You're adding extra transit and overhead to your legitimate traffic, and completely circumventing the defense-in-depth strategy that a DMZ is designed for. – Shane Madden yesterday
1325264776 J * bonbons ~bonbons@2001:960:7ab:0:e0bd:30d5:d2d9:c2f8
1325266597 Q * quasisane Quit: leaving
1325267808 N * Bertl_oO Bertl
1325267812 M * Bertl back now ...
1325267921 M * Bertl macmaN: sounds so
1325268110 M * macmaN is that a yes or no :)
1325268226 M * Bertl means: he seems not to account for any kind of isolation
1325268429 J * quasisane ~sanep@c-24-218-184-186.hsd1.nh.comcast.net
1325272006 Q * FireEgl Read error: Connection reset by peer
1325272215 N * Bobr_oO Bobr
1325272621 N * Bobr Dani
1325273009 J * FireEgl ~FireEgl@173-16-9-169.client.mchsi.com
1325273044 N * Dani Bobr
1325273072 N * Bobr Dani
1325273367 N * Dani BobR
1325274150 N * BobR Dani
1325274165 N * Dani BobR
1325274245 N * BobR Dani
1325274289 N * Dani BobR
1325274346 N * BobR Dani
1325274767 N * Dani BobR
1325274784 N * BobR Dani
1325274972 N * Dani BobR
1325275013 N * BobR _Dani
1325275164 N * _Dani BobR
1325275297 N * BobR _Dani
1325275408 N * _Dani BobR
1325276212 N * BobR BobR_oO
1325276460 M * Chlorek such an idiot
1325276657 M * m_ueberall Maybe we're witnessing IRC account sharing here? ;)
1325276695 M * Bertl looks like :)
1325277934 Q * cuba33ci Read error: Connection reset by peer
1325278009 J * cuba33ci ~cuba33ci@114-36-237-144.dynamic.hinet.net
1325278292 M * Bertl off for a nap ... bbl
1325278299 N * Bertl bertl_zZ
1325278473 J * Aiken ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1325281056 J * kir ~kir@swsoft-msk-nat.sw.ru
1325282233 Q * ryker Quit: ryker
1325284928 Q * bonbons Quit: Leaving
1325286318 J * petzsch ~markus@p57B66F47.dip.t-dialin.net
1325286438 J * Marbug ~Marbug@83.101.67.3
1325286501 M * Marbug what kind of mountable dirs over the network can you use in a vserver ? I did want to try NFS but it failed
1325286593 N * bertl_zZ Bertl
1325286628 M * Bertl Marbug: NFS works, so do other network filesystems, they just need to be configured properly
1325286669 M * Marbug oh it's because when I tried to start the init.d I got mount: permission denied
1325286691 M * Bertl which is a sane default
1325286710 M * Marbug so I just need to enable that and it will work ?
1325286749 M * Bertl most likely, what is what you want to do/achieve?
1325286828 Q * hparker Quit: I've fallen off the 'net and can't get up
1325286892 M * Marbug I want to set up an NFS dir in a vserver where I manage all my hard drives, and I want to compose a dir to share so I can open it on another computer
1325286926 M * Marbug it's a vserver where I use unison and an ftp server
1325287237 M * Bertl NFS dir means you want to mount something from a server yes?
1325287272 M * Bertl and you also want to somehow share a different dir with another client or so?
1325287331 M * Marbug yes that's correct, I want the vserver to be a NFS server too
1325287362 M * Marbug I assume I need to do nr3 here: http://linux-vserver.org/Frequently_Asked_Questions#How_do_I_handle_NFS_mounts_within_in_a_guest.3F ?
1325287376 M * Marbug or will I need to do more than just that ?
1325287450 M * Bertl well, you definitely don't want to give any capabilities you do not need to give
1325287502 M * Bertl i.e. to share a directory from inside your guest via NFS, you have two secure options: either use a userspace nfs server inside the guest, or export it from the host
1325287553 M * Marbug I want to avoid doing something in the host, to leave everything clean I want to work inside the guests
1325287558 M * Bertl for the mounting of NFS filesystems, the securest way is to do it via the guest config
1325287569 M * Marbug so a userspace nfs like you say then
1325287625 M * Marbug but the userspace nfs what is that ?
1325287802 M * Marbug because the tools are userspace, so I'm a bit confused
1325287863 M * macmaN Bertl: cool, thanks
1325287867 J * hparker ~hparker@2001:470:1f0f:32c:beae:c5ff:fe01:b647
1325288078 M * Bertl Marbug: unfs3 for example, i.e. a pure userspace NFS implementation (there are several others)
1325288117 M * Marbug ah, so it doesn't need the kernel NFS ?
1325288144 M * Bertl correct
1325288154 M * Marbug I see
1325288210 M * Marbug as a test I tried the capabilities to see what it does, and now I get : 'rpc.mountd: svc_tli_create: could not open connection for udp6' and tcp, and also 'rpc.nfsd: Unable to access /proc/fs/nfsd errno 2 (No such file or directory)'
1325288221 M * Marbug will I have that issue also with unfs3 ?
1325288460 M * Marbug anyway, actually it doesn't matter if it's NFS or another server like thing to mount dirs, will sshfs also work, or do you suggest something else like samba ?
1325288928 M * Bertl sshfs is a good choice, combines security and flexibility, samba works too, probably better for sharing with non-unix systems
1325289065 M * Marbug owkey, and what do you think personally about curlftpfs? as I already have an ftp server in the vserver
1325289330 Q * dowdle