1612570163 Q * Ghislain Quit: Leaving.
1612582462 M * Bertl_oO off to bed now ... have a good one everyone!
1612582463 N * Bertl_oO Bertl_zZ
1612601516 J * Ghislain ~ghislain@adsl2.aqueos.com
1612607894 N * Bertl_zZ Bertl
1612607903 M * Bertl morning folks!
1612609899 Q * Hurga
1612609912 J * Hurga ~hurga@000131c9.user.oftc.net
1612609920 M * Hurga Morning, Bertl.
1612610585 M * Hurga I'm running a vserver guest with a full GUI (Devuan Beowulf, xfce). Not sure how common that is, but probably not very. Anyway, works for me. Mostly.
1612610639 M * Hurga Problem is that I can't run Firefox anymore since the content sandboxing. Works ok when I switch that off, but I guess that's not a good idea in the long run.
1612610683 M * Bertl actually long time ago Linux-VServer was used to separate x11 to provide multi headed multi user separation with several keyboards, mice and monitors
1612610702 M * Hurga nice :)
1612610719 M * Bertl the main question is what in the sandboxing actually fails
1612610728 M * Hurga I'm getting a kernel stack trace on startup.
1612610742 M * Bertl that's a good thing, can you upload it?
1612610751 M * Bertl (pastebin or similar)
1612610779 M * Hurga I don't really know what I'm doing, but I think that's the thread trying to start the sandboxing
1612610786 M * Hurga Sure, hang on
1612610977 M * Hurga https://zerobin.net/?0456a069bc3c5243#Zuo2N5vrBpQnjUKFRmYaOTaX6eN4qlaLtFm2WwBg43A=
1612611201 M * Hurga I'm running 4.9.217-vs2.3.9.12 BTW.
1612611218 M * Bertl yeah, the kernel stack trace says so :)
1612611228 M * Hurga ah it's in the trace anyway, missed that
1612611257 M * Hurga Not sure why tainted, though.
1612611285 M * Bertl it seems to fail on forking with a new PID namespace id
1612611346 M * Bertl G = all GPL compatible, W = previous warning
1612611370 M * Hurga ahh ok
1612611463 M * Bertl and it actually warns on the child_reaper ... interesting
1612611636 M * Bertl the warning happens on a free_pid() so that seems to be more a side effect than the actual cause
1612611695 M * Bertl it might be a good idea to use strace or turn on some low level debugging and compare a startup in a chroot (of the guest) with the guest startup
1612611876 M * Hurga strace of firefox startup inside the guest I can do
1612611926 M * Hurga If you have x2go, I could give you access to the guest even
1612611949 M * Bertl split the strace up on a per thread basis
1612611959 M * Hurga strace -f ?
1612612044 M * Bertl --output-separately or -ff
1612612122 M * Bertl together with -o will generate filename.pid files
1612612174 M * Hurga got it
1612612205 M * Hurga 84 files. Which one do you want? :)
1612612243 M * Bertl run it also from a chroot (into the guest root dir) then compare the output :)
1612612246 M * Hurga or should I just tgz them and put them on the web.
1612612270 M * Hurga hmm, not sure how to get a gui there
1612612286 M * Bertl you have to do the work there to spot the difference :)
1612612291 M * Hurga ok.
1612612297 M * Bertl I would suggest to use some VNC server
1612612330 M * Hurga ssh X11 forwarding might be sufficient.
1612612333 M * Bertl like for example the tigervnc server, where you can easily attach to (but any remote display will likely do as well)
1612612333 M * Hurga thx, I'll be back
1612617076 Q * Aiken Remote host closed the connection
1612620227 M * Hurga Bertl: Some progress. I'm looking at the "IPC Launch" processes. The failing guest instance tries a clone with flags=CLONE_NEWIPC... which fails with EPERM. I guess that is the "fail on forking with a new PID namespace id" you mentioned.
1612620288 M * Bertl yes, that looks good
1612620291 M * Hurga What puzzles me is that the chroot instance doesn't even try that...
1612620305 M * Bertl that's interesting
1612620344 M * Hurga flags=CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWNET|SIGCHLD) vs. flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD (which succeeds)
1612620385 M * Bertl so, probably need to dig into the code which makes that decision
1612620417 M * Bertl maybe 'we' look like a 'special' environment
1612620568 M * Hurga I'm a sysadmin and not a cloder :P ok, trying to find the bit of firefox code. Up to there, things look quite similar.
1612620579 M * Hurga *coder
1612623260 M * Guy- Hurga: you can use the same DISPLAY in the chroot that you use in the actual guest
1612623297 M * Guy- so there is no need for vnc
1612623307 M * Guy- too late I guess, just thought I'd point this out :)
1612624428 M * Bertl off for now ... bbl
1612624429 N * Bertl Bertl_oO
1612625774 Q * Ghislain Quit: Leaving.
1612631445 M * Guy- Bertl_oO: 4.9.248-vs2.3.9.12 still seems to suffer from the bug that process start times inside vservers are wrong; e.g. if I start a guest now, processes inside appear to have started in 2020
1612631464 M * Guy- I seem to recall you had a patch for that?
1612636477 J * Aiken ~Aiken@b951.h.jbmb.net
1612640682 M * Hurga Guy-: I used ssh X11 forwarding
1612640718 M * Hurga currently building a debug version of firefox... I hoped that would be easier
1612642326 M * Guy- building a browser from source? that's pretty heavy stuff
1612642339 M * Guy- way more resource intensive than a mere kernel :)
1612642455 M * Hurga And the documentation is kinda lacking
1612642495 M * Hurga But there's no prebuilt one with debug symbols, so what should I do
1612642966 M * Hurga Best bit so far was "there's a resent but that gdb doesn't work, see this bug tracker entry" which was 21 years old. From 2000. really.
1612642973 M * Hurga *recent bug
1612643072 M * Hurga OTOH there's a dependency for nodejs