1519605106 M * Bertl_oO off to bed now ...
1519605107 N * Bertl_oO Bertl_zZ
1519611626 Q * geb Ping timeout: 480 seconds
1519611835 J * geb ~geb@mars.gebura.eu.org
1519629839 J * Ghislain ~ghislain@81.56.195.31
1519630683 N * Bertl_zZ Bertl_oO
1519630686 M * Bertl_oO morning folks!
1519632588 M * Le_Coyote Bertl_oO: morning! delta02 seems to do the trick, just applied it (after reversing 01 of course) and it's currently building
1519635623 M * Le_Coyote BlackPanx: fix confirmed, no more foreign udp sockets showing in ss -l output. Kudos :)
1519635845 Q * romster Ping timeout: 480 seconds
1519635956 M * Le_Coyote Sorry, wrong HL/tab completion
1519636007 M * Le_Coyote And all that's left is for me to investigate/fix Spectre variant 2 protection in this one
1519637400 J * romster ~romster@158.140.215.184
1519637873 M * Ghislain hello there, is there a new thing to test?
1519637919 M * Le_Coyote Ghislain: yep, a delta that fixes the udp socket leak
1519637929 M * Le_Coyote I confirm that it fixed the issue for me
1519637937 M * Le_Coyote 16:50:27 Bertl_oO | http://vserver.13thfloor.at/Experimental/delta-netlink-feat02.diff (replaces feat01)
1519637941 M * Ghislain that's great :)
1519637966 M * Le_Coyote Running 4.9.84-vs2.3.9.7 now
1519638046 M * Le_Coyote I'm wondering about the ip route leak
1519638063 M * Le_Coyote route -n doesn't reveal the host IP for instance
1519638897 M * Bertl_oO it only reveals routes which apply to the guest, but those might contain source IPs from the host
1519638929 M * Bertl_oO (especially on badly configured host systems :)
1519639038 M * Ghislain don't look at me like that!
1519639040 M * Ghislain ;p
1519639120 M * Le_Coyote Bertl_oO: what's bad in such a config?
1519639140 M * Le_Coyote It's the ISP's setup so I didn't think it would be bad
1519640652 M * Ghislain whoa we got 2 4.9 releases in the WE ... damn
1519641004 M * Le_Coyote I'm curious to know what could be changed in terms of network config to avoid the leak. Not that it matters *that* much
1519641029 M * Ghislain i guess create a routing table per guest ip
1519641037 M * Le_Coyote Ghislain: btw, what's your status regarding variant 2? I'm looking for hands-on feedback
1519641049 M * Le_Coyote ie what compile did you use, what mitigation solution if any
1519641053 M * Le_Coyote compiler*
1519641067 M * Le_Coyote Hm, let's see if the OVH docs mention anything about that
1519641106 M * Ghislain i use gcc version 8.0.1 20180218 (experimental) [trunk revision 257787] (Debian 8-20180218-1)
1519641138 M * Le_Coyote I just build 7.3.0, it's supposed to have the retpoline stuff backported
1519641144 M * Le_Coyote built*
1519641158 M * Le_Coyote Any performance issues so far? Also what's your CPU?
1519641164 M * Ghislain you can easily check by looking at the sys feature
1519641229 M * Ghislain grep . /sys/devices/system/cpu/vulnerabilities/*
1519641238 M * Le_Coyote Yep, it's there
1519641255 M * Le_Coyote It says I'm still vulnerable to variant2, which is why I'm going to rebuild the kernel with gcc 7.3.0
1519641266 M * Le_Coyote What's your status in this regard?
1519642150 M * Le_Coyote Fully mitigated o/
1519642460 M * Ghislain /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
1519642460 M * Ghislain /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
1519642460 M * Ghislain /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
1519642479 M * Ghislain on 4.9.82-vs2.3.9.7
1519642957 M * Le_Coyote Same here
1519642971 M * Le_Coyote And without the UDP socket issue
1519642989 M * Le_Coyote Any performance issues?
1519643365 M * Ghislain not enough data to tell
1519643691 M * Le_Coyote 'k
1519643701 M * Le_Coyote I'll see how my server fares
1519644903 M * Le_Coyote Ghislain: FWIW the memory reporting issue seems to be fixed, too
1519648275 Q * FloodServ charon.oftc.net services.oftc.net
1519648320 J * FloodServ services@services.oftc.net
1519649267 Q * Aiken Remote host closed the connection
1519651989 M * Ghislain testfs, testme ok on 4.9.84
1519652021 M * Le_Coyote Have you tried free/htop in a guest?
1519652098 M * Le_Coyote From what I see, the used memory reported is now much more realistic, and close enough to the RSS from vserver-stat
1519652102 M * Le_Coyote (a bit higher)
1519652104 M * Ghislain this was solved a few patches ago so no
1519652128 M * Le_Coyote Oh ok, I must have missed this
1519652165 M * Ghislain ss -l shows the "secret 127 ip", like 127.159.46.1:3306
1519652214 M * Ghislain it does not leak the udp socket now
1519652250 M * Le_Coyote "secret 127 ip"?
1519652267 M * Le_Coyote Oh, yeah, hadn't noticed that
1519652272 M * Ghislain each guest has 127.0.0.1 that is mapped to a "secret" 127 ip
1519652298 M * Le_Coyote Is that SINGLE_IP flag still a thing btw?
1519652311 M * Le_Coyote I remember it causing more problems than it'd solve
1519652399 M * Le_Coyote e.g. binding to :: would not "create" a binding to 127.0.0.1
1519652877 M * Jb_boin do you know if debian stretch guests are working without any issue (i am on 4.1 kernels ATM)?
1519652897 M * Le_Coyote Don't think I have debian guests
1519652913 M * Le_Coyote Nope
1519653099 M * Jb_boin ok, let's try then :)
1519653142 M * Le_Coyote Was it a problem with systemd?
1519653521 Q * Carpoon Ping timeout: 480 seconds
1519653575 M * Ghislain Jb_boin: we use debian stretch guests, as long as you disable systemd it works
1519653597 M * Ghislain our build kernel bot is a debian buster one so.
1519653665 M * Jb_boin as it's an upgrade from a template that already doesn't have systemd it will work just fine then
1519653674 M * Ghislain yes
1519653694 M * Ghislain if you have issues tell me, i perhaps encountered them
1519653710 M * Ghislain could not find the time to write a wiki article about it ..
1519653740 M * Le_Coyote One of the reasons I stuck to gentoo I think
1519653746 M * Le_Coyote (the whole systemd thing)
1519655766 J * Carpoon ~Carpoon@carpoon.hu
1519657763 M * Ghislain Bertl_oO: from what i see in ss -l we do not leak other guests' addresses but we leak the 127.X.Y.Z address local to the guest
1519659177 M * Le_Coyote Gotta run, seeya
1519671150 M * Bertl_oO Ghislain: ah, interesting, so we are missing a loopback virtualization there
1519672427 J * Aiken ~Aiken@2001:44b8:2168:1000:b26e:bfff:fe2a:b951
1519683842 M * Bertl_oO off to bed now ... have a good one everyone!
1519683843 N * Bertl_oO Bertl_zZ
1519683851 M * Le_Coyote 'night Bertl_zZ
1519683856 Q * yang__ Quit: leaving
1519686390 Q * zerick Quit: No Ping reply in 180 seconds.
1519686463 J * zerick ~zerick@irc.quassel.zerick.io
1519689097 Q * Carpoon Ping timeout: 480 seconds