1422320403 Q * fstd Remote host closed the connection
1422320447 J * fstd ~fstd@xdsl-87-78-191-98.netcologne.de
1422321244 M * Bertl off to bed now ... have a good one everyone!
1422321252 N * Bertl Bertl_zZ
1422321475 Q * Ghislain Quit: Leaving.
1422325079 Q * sannes Ping timeout: 480 seconds
1422325373 J * sannes ~ace@2a02:fe0:c120:ae50:48e9:3ae2:d8d8:c508
1422327391 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:b180:d629:5e8e:ebbb
1422327872 Q * thierryp Ping timeout: 480 seconds
1422337244 Q * funnel Remote host closed the connection
1422340205 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:6c27:e5d4:46b8:c745
1422340360 Q * thierryp Remote host closed the connection
1422341442 J * funnel ~funnel@0001c7d4.user.oftc.net
1422342008 Q * funnel Ping timeout: 480 seconds
1422342183 J * funnel ~funnel@0001c7d4.user.oftc.net
1422342712 J * pmenier ~smuxi@LLagny-156-36-29-11.w80-14.abo.wanadoo.fr
1422342773 N * Bertl_zZ Bertl
1422342775 M * Bertl morning folks!
1422343548 Q * derjohn_mob Ping timeout: 480 seconds
1422344106 J * thierryp ~thierry@zeta.inria.fr
1422344706 J * Ghislain ~aqueos@adsl1.aqueos.com
1422346867 J * derjohn_mob ~aj@fw.gkh-setu.de
1422349457 J * beng_ ~BenG@cpc29-aztw22-2-0-cust128.18-1.cable.virginm.net
1422354913 M * gnarface 'morning Bertl
1422354962 M * gnarface i don't suppose you could help me understand why i can't figure out how to set ulimits inside my guest for root?
1422354984 M * gnarface i noticed that it doesn't appear to be a problem if i enter the vserver with vserver [vserveruser] enter
1422354991 M * gnarface er, i mean vserver [vservername] enter
1422355011 M * gnarface in that case it appears to (i guess?) obey the host ulimit
1422355036 M * gnarface i tried this: http://linux-vserver.org/Ulimit_Nofiles but it doesn't actually seem to solve the problem
1422355060 M * gnarface i also tried this: http://linux-vserver.org/Resource_Limits
1422355065 M * gnarface and it was completely ignored apparently
1422355094 M * gnarface though i do suspect it's an issue with regards to pam and su like the ulimit_nofiles page suggests
1422355136 M * gnarface (when i ssh into the guest instead of using vserver enter, my normal user will obey a limits.conf line like "* - nofiles 8192" but not root)
1422355258 M * gnarface it's all the stock /etc/pam.d configuration so far though; i did notice that the /etc/pam.d/sshd for example includes the pam_limits.so by default, but the /etc/pam.d/su dos not
1422355260 M * gnarface *does not
1422355270 M * gnarface but when i tried changing it, nothing happened
1422355299 M * gnarface i feel like this is something i'd solved once before in squeeze, years ago, but i'm forgetting something (on wheezy now)
1422355340 M * Bertl note that rlimits and ulimits are somewhat different
1422355366 M * Bertl i.e. what the kernel calls rlimits, are known in userspace as ulimits (tool name)
1422355383 M * Bertl we also added per guest "rlimits" which restrict the entire guest
1422355411 M * Bertl "ulimits" are per user (inside or outside a guest)
1422355449 M * gnarface ok, i follow you so far
1422355486 M * Bertl root, as the superuser, can always set "user" limits
1422355512 M * Bertl this is also true for the guest root
1422355532 M * gnarface oh?
1422355533 M * Bertl and yes, most likely pam is messing with your limits
1422355539 M * gnarface hmm
1422355563 M * Bertl note that the "per guest" limits cannot be changed or affected by guest root
1422355574 M * gnarface after i edit a config file in pam.d, am i forgetting to run some sort of update script to make the changes take effect?
1422355610 M * gnarface i thought those files were parsed on tool invocation (ssh login or su or whatever)
1422355617 Q * undefined Quit: Closing object
1422355622 M * Bertl maybe, but I doubt it, pam is usually read when you create a new session
1422355631 M * gnarface ok, that's not the problem then
1422355631 M * Bertl i.e. a new shell, etc
1422355709 M * gnarface the only real problem currently is that in order to be able to restart apache in one of the guests without it bitching about not being able to raise the ulimit for nofiles, i have to remember to "vserver [guest] enter" as root from the host, rather than ssh into the guest directly and su
1422355734 M * gnarface since for all the life of me i can't seem to get su inside the guest to obey the guest's limits.conf file
1422355771 M * gnarface but root in the guest as "vserver [guest] enter" seems to inherit the host's limits.conf settings, so that works without complaint when i restart it that way
1422355796 M * Bertl but it is a security risk
1422355806 M * gnarface which?
1422355814 M * gnarface using vserver [guest] enter?
1422355818 M * Bertl yes
1422355838 M * gnarface how much of a risk? is it a risk even if it's only me that ever does it?
1422355853 M * gnarface i wouldn't be giving out shell access to the host on this box to anyone but me
1422355925 M * Bertl well, somebody might use an exploit to modify the apache binary, and this in turn might compromise your host system
1422355975 M * gnarface hmm. i see, i think
1422355989 M * gnarface and that wouldn't be possible if root was accessed in the guest via ssh as a normal user then su ?
1422356008 M * Bertl correct
1422356015 M * gnarface good to know
1422356073 M * gnarface well, so the one thing i tried was i tried to use this: session required pam_limits.so
1422356086 M * gnarface it was commented out by default in /etc/pam.d/su
1422356093 M * gnarface but uncommenting it didn't fix the problem
1422356095 M * gnarface so i put it back
1422356098 M * gnarface now i'm out of ideas
1422356117 M * Bertl the fact that you say apache cannot raise it, means that it is already limited when the guest is started
1422356143 M * Bertl I presume you get the same error when apache is started by util-vserver?
1422356157 M * Bertl or only when you do the ssh/su thing?
1422356180 M * gnarface well, interestingly enough i don't *anymore*, but i assumed that i had fixed that by raising it in the *host's* limits.conf
1422356195 M * gnarface so now only when i do the ssh/su thing
1422356269 M * Bertl then it has to be something inside the guest which reduces the limit
1422356306 M * gnarface well my primary suspect at this point is the pam config for su
1422356331 M * gnarface since the user i ssh in initially *does* obey that line in the guest's limits.conf (* - nofile 8192)
1422356498 M * gnarface hmm
1422356557 M * gnarface in /etc/pam.d/su, after the line i tried to uncomment, (#session required pam_limits.so) it also includes /etc/pam.d/common-auth, /etc/pam.d/common-account, and /etc/pam.d/common-session... i wonder if one of those could be somehow... unloading the pam_limits.so?
1422356606 M * gnarface i'm presuming that because the ssh user obeys limits.conf correctly and it DOES require the pam_limits.so, that pam_limits.so is required in the pam config for su for this to work right, right?
1422356649 M * Bertl just comment out everything related to su and see if it stays the same
1422356670 M * gnarface like the whole config file?
1422356689 M * Bertl for example (for a test)
1422357469 M * gnarface Bertl: you called it, commenting out *everything* in /etc/pam.d/su makes it obey the limits.conf
1422357514 M * gnarface but the question remains, which line is the actual problem?
1422357523 M * gnarface and does this mean pam_limits.so isn't actually required?
1422357833 M * gnarface ok even weirder
1422357841 M * gnarface i put the old one back and it's still fine
1422357844 M * gnarface so now i'm really confused
1422357893 M * gnarface could having set the /etc/vservers/[guest]/rlimits/nofile have been sabotaging me?
1422357934 M * gnarface if i created that file and set it to 8192, would it have actually somehow stopped it from being raised?
1422357945 M * gnarface i mean, stopped it from being raised to 8192?
1422357951 M * gnarface (by the guest limits.conf) ?
1422358201 M * gnarface i guess i really mean, could it have stopped pam from letting su raise it at all, while it didn't hassle sshd ?
1422358340 M * Bertl /etc/vservers/[guest]/rlimits are the "per guest" limits
1422358394 M * Bertl /etc/vservers//ulimits are the initial limits for the guest processes
1422358417 M * gnarface hmm, well the latter i wasn't aware of, i don't think i have that file...
1422358445 M * gnarface nope
1422358487 M * Bertl what I mean is, different limit system
1422358561 M * gnarface well the only thing that changed between last night's test when limits.conf in the guest was being obeyed for the user i ssh'd in as, but not for root after i then su'd, is i deleted the rlimits directory in frustration assuming it did nothing
1422358576 M * gnarface but now it seems it somehow interfered with the pam configuration in an unexpected way
1422358629 M * gnarface very confusing
1422358685 M * Bertl indeed
1422358737 M * gnarface i can't think of what else may have changed except... the timestamp on the /etc/pam.d/su file
1422358767 M * gnarface i literally backed it up and then copied it back over the modified one, expecting limits.conf to no longer be obeyed for su'd root, but it was
1422358777 M * gnarface i even restarted the guest after that to be sure
1422358779 M * gnarface still working
1422358933 M * gnarface i suppose i could re-create the rlimits/nofile again and restart the guest to see if the misbehavior comes back?
1422358958 M * gnarface or i could just be happy that it's behaving normally now and leave it alone
1422358971 M * gnarface it couldn't have been anything to do with the fact i added the file while the guest was actually running, could it have?
1422358980 M * gnarface i know that caused me a weird issue with networking configs before...
1422359001 M * gnarface i assumed the rlimits directory was read on guest startup only
1422359006 M * gnarface is that the case?
1422359127 M * Bertl yes, the guest config in /etc/vservers is _only_ read on guest startup/shutdown
1422359247 M * gnarface wait, so /etc/vservers/[guest]/rlimits/nofile would be read on shutdown as well?
1422359269 M * gnarface so if i'd added it while the guest was running, then stopped&started that guest, it could have caused weird behavior?
1422359294 M * gnarface something that might have caused pam to misbehave?
1422359347 M * Bertl you should never edit it when the guest is running
1422359353 M * gnarface oy vey
1422359360 M * Bertl but I don't think this caused any issues
1422359367 M * gnarface ok, noted
1422359408 M * gnarface lemme try something
1422359479 M * gnarface damn
1422359489 M * gnarface well i stopped the guest, added ./rlimits/nofile back
1422359493 M * gnarface and started the guest again,
1422359496 M * gnarface and it's still fine
1422359513 M * gnarface ulimit -n still shows 8192 properly for root after i ssh into the guest and su
1422359528 M * gnarface so obviously i did something wrong last night but i'm at a complete loss as to what
1422359543 M * gnarface since other than the file timestamp, literally nothing i can recall is different about this
1422359560 M * gnarface except that perhaps i added the rlimits/nofile file while the guest was running
1422359563 M * Bertl sometimes pam is mysterious :)
1422359580 M * gnarface could pam be sensitive to timestamps?
1422359594 M * gnarface no, that wouldn't make sense cause it's still stock
1422359676 M * gnarface well i'm sorry
1422359678 M * gnarface thank you for your help
1422359687 M * gnarface but this appears to have been a complete waste of both of our time
1422359701 M * gnarface it seems to have magically just fixed itself
1422359705 M * Bertl no problem, you're welcome!
1422359735 M * fback 2~2~
1422362510 J * undefined ~undefined@75-141-158-50.dhcp.mdfd.or.charter.com
1422362960 Q * beng_ Remote host closed the connection
1422363603 Q * fstd Remote host closed the connection
1422363645 J * fstd ~fstd@xdsl-87-78-184-26.netcologne.de
1422364708 J * beng_ ~BenG@cpc29-aztw22-2-0-cust128.18-1.cable.virginm.net
1422364716 Q * beng_ Remote host closed the connection
1422366035 M * Ghislain bertl, is it possible to enter a guest by ssh'ing into the false 127.0.0.1 of a guest ?
1422366068 M * Ghislain i mean if sshd listens on 0.0.0.0 it should listen to the 127.X.X.X also
1422366079 M * Ghislain or will the isolation prevent this
1422366269 M * Ghislain just created a test environment and it works
1422366333 M * Bertl :)
1422366393 M * Ghislain that is great we can create a tool that will replace vserver enter with a key on the host root
1422366974 M * Ghislain daniel_hozack: i just built the same setup on another box and routing is fine but i have only eth0 for all IP i do not use eth1 as there is none
1422367329 M * Ghislain i need to find a machine with 2 nics
1422367526 M * Ghislain on the test bed all works fine but i have only one nic, on the production machine i have 2 nics and yes traffic for 10.254.0.0/24 is choosing the wrong nic
1422367553 M * Ghislain hum test bed has no route at all for the 10.x...
1422367590 P * undefined
1422367611 J * undefined ~undefined@00011a48.user.oftc.net
1422367838 M * Ghislain is the behavior different if the ip is on the host shared in the guest compared to an ip created in the guest directly by the utils
1422367872 M * Bertl hmm?
1422367920 M * Ghislain bertl: i have a problem with networking, i have 2 guests with one front ip that is the same for both
1422367941 M * Ghislain and a backend ip that is a 10.254.0.x that is different for each guest
1422367963 M * Ghislain when i ping from the second guest it tries to go out from the wrong network
1422367971 M * Ghislain i just reproduced it in test:
1422367977 M * Ghislain vserver: operating on vserver aqtestweb1
1422367977 M * Ghislain PING 10.130.0.13 (10.130.0.13) 56(84) bytes of data.
1422367977 M * Ghislain From 213.246.51.145 icmp_seq=1 Destination Host Unreachable
1422367999 M * Ghislain you see the ping fails using the wrong network
1422368010 M * Ghislain 213.x.x that is my external ip
1422368031 M * Ghislain the first guest got it right:
1422368031 M * Ghislain PING 10.130.0.13 (10.130.0.13) 56(84) bytes of data.
1422368031 M * Ghislain From 10.130.0.1 icmp_seq=1 Destination Host Unreachable
1422368046 Q * Aiken Remote host closed the connection
1422368056 M * Ghislain (the 13 ip does not exist this is just to force it to look for it and trigger the problem)
1422368061 M * Bertl looks like your routing is faulty
1422368088 M * Ghislain you mean i cannot rely on basic routing and must create multiple routing tables ?
1422368113 M * Ghislain for now the 10.x interface is started by the tools in /24 i do not set anything else
1422368154 Q * undefined Quit: Closing object
1422368244 J * undefined ~undefined@00011a48.user.oftc.net
1422368362 M * Bertl well, if you say 'using the wrong network' then I presume your routing is wrong :)
1422368379 M * Bertl (otherwise it would use the
1422368385 M * Bertl "right" network)
1422368478 M * Ghislain as you see it tries to ping the 10.x address from the 213.xx (external) one instead of using the 10.x ip of the guest
1422368489 M * Ghislain but in the routing table: 10.130.0.0/24 dev eth0 proto kernel scope link src 10.130.0.1
1422368501 M * Ghislain the one that works fine is the one noted as 'src'
1422368511 M * Ghislain that could be the hint that i lack something
1422368607 M * Bertl it wouldn't use the 213.x if it had a 10.x available
1422368785 M * Bertl anyway, off for a nap .. bbl
1422368790 N * Bertl Bertl_zZ
1422368999 M * Ghislain it has one
1422369008 M * Ghislain but it does not use it
1422369789 M * Ghislain the default isolation can use routing table per guest ?
1422369805 M * Ghislain or do we need to create a namespace and all the veth thing for it ?
1422369905 M * AlexanderS with network contexts (the default) you only have one routing table set per host... the guest does _not_ have its own stack
1422370206 M * Ghislain yes but then why does it use the wrong network
1422371265 M * Ghislain if i put the 3 ip on the host i got the same result
1422371340 M * AlexanderS two subnets on the same nic?
1422371755 M * Ghislain the 3 have an ip in 10.254.0.x/24
1422371775 M * Ghislain the problem shows in two nic or one nic setup
1422372140 M * Ghislain the isolation system seems to use as route src the ip of the first one created therefore the two others cannot access the network as this ip is isolated
1422372620 M * Ghislain daniel_hozack: ok i got it working but the only way i found is to create an ip in the host that is shared by all the guests on that machine. Then the routing table is with src from this ip and as i share it with the 3 guests i can ping correctly
1422372656 M * Ghislain daniel_hozack: so the guests have 2 ip in the 10.254.0.x, the common one and their ip
1422372707 M * Ghislain how can i setup the debugging to trace this ? i have a kernel with vserver debugging enabled now
1422375408 M * daniel_hozac Ghislain: echo 16 > /proc/sys/vserver/debug_net
1422375725 Q * thierryp Remote host closed the connection
1422376407 M * Ghislain ok thx daniel i will give it a try and come back tomorrow on this one if this is of interest
1422376454 M * Ghislain i think the diagnosis is here, don't you think this is just that the routing table has a src ip that is the first one ?
1422376738 J * BenG_ ~bengreen@host-92-27-135-217.static.as13285.net
1422376786 M * Ghislain and that ip is isolated so other guests cannot use this routing table
1422376869 M * daniel_hozac no
1422376883 M * daniel_hozac it uses the source IP and netmask to find an address in that range.
1422377339 M * Ghislain i got this:
1422377341 M * Ghislain [ 226.127372] vxD: ffff8804082a4860: ip_v4_find_src(ffff88040645f6c0[#44381]) 0.0.0.0 -> 10.130.0.134
1422377341 M * Ghislain [ 226.135831] vxD: ffff8804082a4860: ip_v4_find_src(ffff88040645f6c0[#44381]) rok[0]: 10.130.0.100
1422377341 M * Ghislain [ 226.144249] vxD: ffff8804082a4860: ip_v4_find_src(ffff88040645f6c0[#44381]) chk: 213.246.51.145/0.0.0.0/0.0.0.0
1422377341 M * Ghislain [ 226.152716] vxD: ffff8804082a4860: ip_v4_find_src(ffff88040645f6c0[#44381]) rok[0]: 213.246.51.145
1422377444 M * Ghislain i must leave now but if you are interested i can do whatever test you want and/or give you access to this machine, i point here, if this is of interest
1422377549 M * Ghislain this msg is from a ping 10.130.0.134 (ip that does not exist but that triggers the issue)
1422378213 M * daniel_hozac ah
1422378226 M * daniel_hozac you have your external address set as prefix 0?
1422378240 M * daniel_hozac that's what's causing your problems.
1422378260 M * daniel_hozac set that as /32 or whatever is appropriate and you should be fine.
1422378728 J * bonbons ~bonbons@2001:a18:22e:fb01:94f0:860a:1da7:51f1
1422379217 Q * BenG_ Quit: I Leave
1422382683 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:1c37:6f70:1873:e1fb
1422383051 Q * guerby Read error: No route to host
1422383056 Q * thierryp Remote host closed the connection
1422383066 J * guerby ~guerby@ip165-ipv6.tetaneutral.net
1422383495 Q * guerby Read error: No route to host
1422383529 N * Bertl_zZ Bertl
1422383531 J * guerby ~guerby@ip165-ipv6.tetaneutral.net
1422383534 M * Bertl back now ...
1422387053 Q * derjohn_mob Ping timeout: 480 seconds
1422387255 J * thierryp ~thierry@home.parmentelat.net
1422387738 Q * thierryp Ping timeout: 480 seconds
1422389969 J * Aiken ~Aiken@d63f.h.jbmb.net
1422390244 J * derjohn_mob ~aj@p578b6aa1.dip0.t-ipconnect.de
1422391305 J * thierryp ~thierry@home.parmentelat.net
1422392800 Q * thierryp Remote host closed the connection
1422392832 M * Bertl off for a second nap ...
1422392840 N * Bertl Bertl_zZ
1422394137 Q * DLange Quit: a reboot a day keeps the glibc bug away
1422394314 J * DLange ~DLange@dlange.user.oftc.net
1422396231 Q * bonbons Quit: Leaving
1422397282 N * Bertl_zZ Bertl
1422397283 M * Bertl back again ...
1422398087 M * Ghislain daniel_hozack: this main ip is on the host and in nodev in the guest, i need to setup the prefix also while it is a nodev ip ?
1422398379 Q * l0kit Remote host closed the connection
1422398436 J * l0kit ~1oxT@0001b54e.user.oftc.net