1476666273 J * fstd_ ~fstd@x4db660ea.dyn.telefonica.de
1476666285 Q * fstd Read error: Connection reset by peer
1476666289 N * fstd_ fstd
1476668890 J * aj__ ~aj@x590d1be4.dyn.telefonica.de
1476669332 Q * derjohn_mobi Ping timeout: 480 seconds
1476679544 Q * aj__ Ping timeout: 480 seconds
1476683043 J * aj__ ~aj@46.183.103.17
1476686087 Q * aj__ Ping timeout: 480 seconds
1476688036 J * Ghislain ~aqueos@109.190.11.159
1476688470 J * aj__ ~aj@46.189.28.33
1476690695 Q * Roomster resistance.oftc.net oxygen.oftc.net
1476690695 Q * zerick resistance.oftc.net oxygen.oftc.net
1476690695 Q * dustinm` resistance.oftc.net oxygen.oftc.net
1476690711 J * Roomster ~Romster@202.168.100.149.dynamic.rev.eftel.com
1476690711 J * zerick ~zerick@irc.quassel.zerick.me
1476690711 J * dustinm` ~dustinm`@68.ip-149-56-14.net
1476690822 Q * Roomster Ping timeout: 482 seconds
1476691319 J * Roomster ~Romster@202.168.100.149.dynamic.rev.eftel.com
1476695183 Q * Ghislain Read error: Connection reset by peer
1476695384 J * zpooky ~quassel@90.63.246.187
1476696606 J * Ghislain ~ghislain@adsl1.aqueos.com
1476696916 Q * Ghislain Quit: Leaving.
1476697191 J * Ghislain ~ghislain@adsl1.aqueos.com
1476700337 N * Bertl_zZ Bertl
1476700340 M * Bertl morning folks!
1476706104 M * Bertl off for now ... bbl
1476706105 N * Bertl Bertl_oO
1476708532 Q * guerby Ping timeout: 480 seconds
1476709088 J * guerby ~guerby@ip165.tetaneutral.net
1476710674 Q * daniel_hozac_ Ping timeout: 480 seconds
1476718315 J * daniel_hozac ~daniel@h149n2-spaa-a12.ias.bredband.telia.com
1476721812 Q * zpooky Remote host closed the connection
1476732625 M * CcxWrk Is ZFS(-on-Linux) known to work well with VServer?
1476732663 M * CcxWrk Or rather, anyone has an experience with it at all?
1476732746 Q * aj__ Ping timeout: 480 seconds
1476733001 M * Bertl_oO there is somebody using it on a regular basis, but you have to search the IRC logs as I do not remember who it is
1476733031 M * Bertl_oO it doesn't support any of the special flags or features, but otherwise it should be fine
1476733263 M * CcxWrk So put each VServer on separate volume to avoid needing a barrier? What other features/flags I would be missing? I presume vhashify & friends is mostly redundant to native dedup.
1476733319 M * Bertl_oO yes
1476733349 M * Bertl_oO besides that, you won't have tagging support which is required for context quota, but that shouldn't be a problem either
1476733965 M * CcxWrk I see. I've been rather disgruntled with how RAID5 recovery looks like and I'd prefer something saner (so no btrfs) with actual block checksums. But then, I'm in the mood of "everything sucks" right now. I kinda wish vserver/container technologies would just get replaced with capsicum. But that would require a lot of rewriting. At which point we might want to just redesign that posix thingy
1476733967 M * CcxWrk anyway…
1476734411 M * Bertl_oO there is a capsicum-linux version out there it seems
1476734463 M * Bertl_oO not sure how it would simplify things, judging from the readme though
1476734818 J * derjohn_mob ~aj@87.139.106.161
1476735230 M * CcxWrk Bertl_oO: There is. And it's not all that useful without rewriting applications to work with it. What VServer does is restricting the so called "ambient authority", i.e. resources every process (in container) may reach. Capability systems in general eradicate that altogether and make you explicitly pass in all the resources/capabilities to each process. So you could view it as dynamic
1476735232 M * CcxWrk per-process vservers. But you would need to make each program to be able to receive its required capabilities (e.g. directories to access, sockets to handle) as file descriptors, as that's what capsicum uses to represent capabilities.
1476735350 M * CcxWrk So far it works as limited jail where programs explicitly written to support it can use it to restrict what they can do. But from sysadmin's perspective it's not very useful yet.
1476735372 M * Bertl_oO I see .. thanks for the explanation
1476736628 M * CcxWrk I like CapSec systems. The usual ACL approach has too many ways to shoot oneself in a foot and just can't express more complex interactions, be it role-based or app-based. But not much software that can do that. It's mostly either secure microkernels or very high level languages aimed at in-process security boundaries.
1476736803 M * CcxWrk Capsicum is about the closest thing on "large" operating systems that might work. It just needs little rewrite here and there to make applications more "unixy" and perhaps add few more specialized syscalls. But it's still humongous task to port all the commonplace software.
1476736933 M * Bertl_oO I can imagine ...
1476737012 M * CcxWrk Oh, there's also some CapSec systems for web. As web is all about mutually mistrusting parties and ACLs can't express that. But I tend to stay away from webstuffs as far as possible.
1476739196 Q * Ghislain Quit: Leaving.
1476741309 Q * derjohn_mob Remote host closed the connection
1476741422 J * derjohn_mob ~aj@p578b6aa1.dip0.t-ipconnect.de
1476742039 M * Bertl_oO off to bed now ... have a good one everyone!
1476742041 N * Bertl_oO Bertl_zZ