1382833278 N * l0kit Guest3517
1382833284 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382833624 Q * Guest3517 Ping timeout: 480 seconds
1382834682 Q * treaki Ping timeout: 480 seconds
1382834748 J * treaki 0b6f400def@p4FDF708B.dip0.t-ipconnect.de
1382835033 Q * bonbons Quit: Leaving
1382840106 N * l0kit Guest3525
1382840112 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382840263 Q * Guest3525 Ping timeout: 480 seconds
1382843292 J * undefined ~undefined@00011a48.user.oftc.net
1382843355 M * undefined how do i mount /proc within a guest (eg mount -t proc /proc /var/lib/chroot/proc)?
1382843372 M * undefined i'm trying to migrate from 3.0 to 3.10
1382843381 M * undefined and in 3.0 secure_mount was sufficient
1382843401 M * Bertl_oO proc is usually mounted by util-vserver, why do you want to mount it manually?
1382843405 M * undefined but i see in 3.10 that secure_mount (and secure_remount) is commented out
1382843416 M * undefined i run pbuilder within a guest
1382843432 M * Bertl_oO okay
1382843445 M * undefined Bertl_oO: and pbuilder works by way of chroots
1382843474 M * undefined Bertl_oO: it allows building debian packages in an isolated/pristine environment
1382843517 M * undefined Bertl_oO: and pbuilder extracts a tarball for whatever distro you want (eg precise, wheezy) and mounts /proc within it
1382843549 M * Bertl_oO yeah, I know, stupid thing :)
1382843586 M * Bertl_oO let me check the source, IIRC, I removed the caps because they are not required anymore (i.e. the namespaces should handle that)
1382843659 M * undefined Bertl_oO: it also creates /dev entries (ie full, null, ptmx, random, tty, unrandom, zero) within the chroot directory, which i strictly control with MKNOD and vdevmap
1382844182 M * Bertl_oO what error do you get when you try to mount /proc?
1382844202 M * undefined Bertl_oO: mount -t proc /proc /var/cache/pbuilder/build//6802/proc
1382844202 M * undefined mount: permission denied
1382844219 M * undefined you want me to strace it?
1382844236 M * Bertl_oO won't hurt
1382844318 M * undefined Bertl_oO: 17524 mount("/proc", "/var/cache/pbuilder/build/proc", "proc", MS_MGC_VAL, NULL) = -1 EPERM (Operation not permitted)
1382844356 M * undefined Bertl_oO: (relevant line from strace of me, as root within guest, running mount -t proc /proc /var/cache/pbuilder/build/proc)
1382844398 M * undefined Bertl_oO: i don't see anything in the host logs
1382844440 M * undefined Bertl_oO: though i believe i saw similar errors/warning with 3.0
1382844500 M * Bertl_oO the thing is, vfs_kern_mount will only return EPERM when we have binary mount data and VXC_BINARY_MOUNT is not given
1382844527 M * Bertl_oO (you can check that by giving that capability to the guest, but I doubt that it applies)
1382844587 M * Bertl_oO mount_fs() which is called from vfs_kern_mount OTOH explicitly checks for PROC and DEVPTS and allows that
1382844627 M * Bertl_oO finally the error could result from a security policy which is checked after that
1382844669 M * Bertl_oO do you have any security modules/features activated?
1382844764 M * undefined Bertl_oO: yeah, added binary_mount to the guest and it gave the same error
1382844808 M * undefined Bertl_oO: (unless that's because "vattribute --set ..." doesn't work while guest is running and the guest needs to be restarted)
1382844832 M * undefined Bertl_oO: security modules?
1382844838 M * undefined Bertl_oO: no selinux
1382844861 M * Bertl_oO nah, vattribute will suffice
1382844986 M * undefined Bertl_oO: comparing kernel configs (3.0 vs 3.10)
1382845185 M * Bertl_oO can you test with a patch?
1382845196 M * undefined Bertl_oO: yes, sir
1382845214 M * Bertl_oO okay, give me a minute to prepare one :)
1382845460 M * undefined Bertl_oO: feel free to hit/hate me because i start with a debian kernel config (though i'm using non-debian kernel source)
1382845477 M * Bertl_oO no problem with that, any kernel config is fine
1382845507 M * undefined Bertl_oO: so there are several CONFIG_SECURITY_{SELINUX,TOMOYO,APPARMOR,YAMA}=y
1382845521 M * undefined Bertl_oO: but i haven't done anything to specifically enable them
1382845536 M * Bertl_oO well, any of those might prevent you from mounting :)
1382845572 M * Bertl_oO but we'll know soon, I just have to test build the changes (which takes a little longer as expected because I updated the tree)
1382845583 M * undefined Bertl_oO: okay, rebuild kernel with CONFIG_SECURITY_*=n
1382845656 M * undefined Bertl_oO: i should have thought of that and tested it before popping on here
1382845882 M * Bertl_oO np
1382846836 M * undefined Bertl_oO: btw, can i recommend a patch to account for the removal of CONFIG_EXPERIMENTAL in 3.10 (so as to enable the "experimental" vserver features like vdevmap)
1382846858 M * undefined Bertl_oO: http://paste.linux-vserver.org/25861
1382846907 M * Bertl_oO well, some of them are still experimental, but I'll consider it
1382846974 M * undefined Bertl_oO: i followed the upstream convention that i saw in the upstream Kconfigs (ie remove "depends on EXPERIMENTAL" and append "(EXPERIMENTAL)" to name)
1382847062 M * Bertl_oO I've seen that :)
1382847131 M * Bertl_oO following a hunch, I've reintroduced the secure mount capability for a test, if that isn't what blocks proc inside a guest, we have to use a bunch of printks instead http://vserver.13thfloor.at/ExperimentalT/delta-secmount-feat01.diff
1382847170 M * Bertl_oO please give it a try and let me know if that helps
1382847196 M * undefined Bertl_oO: got it, rebuilding 3.10.17-vs2.3.6.6 shortly
1382852724 M * Bertl_oO okay, I'm off to bed now ... let me know how it turned out
1382852730 N * Bertl_oO Bertl_zZ
1382852733 M * undefined Bertl_oO: no problem
1382852753 M * undefined Bertl_zZ: testing it now; will let you know
1382856308 M * undefined Bertl_zZ: doesn't look like it worked but i'm going to retry it in virtualbox (so i can revert to a working 3.0)
1382858169 M * undefined Bertl_zZ: i can verify that trying to mount proc within a guest still fails (EPERM) even with delta-secmount-feat01.diff applied (to 3.10.17-vs2.3.6.6)
1382858265 M * undefined Bertl_zZ: i'm currently rebuilding the kernel without any security modules (eg selinux, tomoyo, smack, apparmor) and will report back if that makes a difference
1382860301 J * JonB ~NoSuchUse@77.75.164.169
1382862659 J * fisted_ ~fisted@xdsl-78-35-87-231.netcologne.de
1382862762 Q * click Read error: Operation timed out
1382863099 Q * fisted Ping timeout: 480 seconds
1382863099 N * fisted_ fisted
1382863511 J * Aiken ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1382864150 J * click click@ice.vcon.no
1382864402 Q * fisted Remote host closed the connection
1382864429 J * fisted ~fisted@xdsl-87-78-143-243.netcologne.de
1382866764 J * bonbons ~bonbons@2001:a18:224:2e01:c490:da40:4e25:f27
1382868896 Q * Walex
1382871548 Q * ircuser-1 Ping timeout: 480 seconds
1382873328 N * Bertl_zZ Bertl
1382873337 M * Bertl morning folks!
1382873360 Q * JonB Quit: This computer has gone to sleep
1382874132 J * ircuser-1 ~ircuser-1@35.222-62-69.ftth.swbr.surewest.net
1382876102 J * _BWare_ ~itsme@31.25.99.5
1382876102 Q * BWare Read error: Connection reset by peer
1382876160 M * undefined Bertl: another data point: i backed out the patch you provided and unset all linux security modules (ie CONFIG_SECURITY_{SELINUX,SMACK,TOMOYO,APPARMOR,YAMA}) and still receive EPERM when trying to mount proc (ie "mount -t proc /proc /root/tmp/proc") within a guest
1382876225 M * undefined Bertl: let me know what else i can try, though i'm stepping away from the computer for a few hours
1382876259 M * Bertl did you give the secure mount capability when testing?
1382876265 M * Bertl (with the patch)
1382877656 M * undefined Bertl: yes, i have the secure_mount capability assigned to the guest that i tested with
1382877748 M * undefined Bertl: the last combination/permutation to try is without any lsm and with the secure_mount patch you provided
1382877993 M * undefined Bertl: vattribute --get --xid $(cat /etc/vservers/build/run) | grep -i secure.*mount
1382878010 M * undefined Bertl: set_utsname,raw_icmp,audit_control,secure_mount
1382878471 Q * Aiken Remote host closed the connection
1382879315 M * Bertl okay
1382880717 M * Bertl I'll prepare a debug patch to test with
1382883857 Q * Guy- Remote host closed the connection
1382884384 J * Guy- ~korn@elan.rulez.org
1382884486 Q * Guy- Remote host closed the connection
1382887599 J * Guy- ~korn@elan.rulez.org
1382889288 J * padde_ ~padde@patrick-nagel.net
1382889288 Q * padde Read error: Connection reset by peer
1382889306 N * padde_ padde
1382891618 J * JonB ~NoSuchUse@77.75.164.169
1382894116 Q * JonB Quit: This computer has gone to sleep
1382899167 Q * click Read error: Connection reset by peer
1382899308 J * click click@ice.vcon.no
1382900990 J * hijacker ~hijacker@cable-84-43-134-121.mnet.bg
1382904863 J * Aiken ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1382905162 Q * l0kit Ping timeout: 480 seconds
1382905455 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382906495 N * l0kit Guest3578
1382906501 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382906636 Q * Guest3578 Ping timeout: 480 seconds
1382906881 Q * ntrs Ping timeout: 480 seconds
1382907113 Q * hijacker Quit: Leaving
1382907601 Q * fisted Remote host closed the connection
1382907626 J * fisted ~fisted@xdsl-81-173-191-66.netcologne.de
1382909885 N * l0kit Guest3581
1382909890 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382909919 Q * Guest3581 Read error: Operation timed out
1382910377 N * l0kit Guest3582
1382910382 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382910402 Q * Guest3582 Ping timeout: 480 seconds
1382911083 N * l0kit Guest3583
1382911088 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382911096 Q * Hunger Ping timeout: 480 seconds
1382911197 Q * Guest3583 Ping timeout: 480 seconds
1382911896 Q * bonbons Quit: Leaving
1382912061 J * Hunger hunger@proactivesec.com
1382913163 M * Bertl off for a nap ... bbl
1382913178 N * Bertl Bertl_zZ
1382913286 J * JonB ~NoSuchUse@77.75.164.169
1382913691 Q * l0kit Remote host closed the connection
1382914032 J * l0kit ~1oxT@0001b54e.user.oftc.net
1382914593 Q * Jb_boin Quit: Quitte
1382914639 J * Jb_boin ~dedior@proxad.eu
1382914781 Q * l0kit Ping timeout: 480 seconds
1382917682 Q * JonB Quit: This computer has gone to sleep