1722918476 J * Ghislain ~ghislain@adsl2.aqueos.com
1722928132 Q * Hurga Remote host closed the connection
1722931205 J * Hurga ~hurga@000131c9.user.oftc.net
1722978220 M * Hurga Are there any efforts patching kernels later than v4.x yet?
1722978841 M * Guy- Hurga: Bertl is supposedly working on it, but unless he gets some serious funding I wouldn't hold my breath
1722978880 M * Guy- I'm sad to say this but I don't think vserver is viable as a one-man show
1722978908 M * Hurga Well it's been in maintenance mode for a long time now...
1722978911 M * Guy- and unless someone steps up with $$$ it doesn't look like there'll be other developers
1722979160 M * Hurga did anyone try to replace Linux-vserver with e.g. Proxmox/LXC? Won't be smooth of course, I just wonder if it might be possible.
1722979202 M * Guy- we did, in some instances with one, in some with the other
1722979218 M * Guy- not _such_ a big deal, most of it is scriptable
1722979240 M * Guy- the networking is a b*tch -- there is no way to have the same isolation
1722979267 M * Guy- you can get close, but there's always some detail that doesn't work in exactly the same way
1722979295 M * Guy- e.g. suddenly you're bridging traffic that used to be plain INPUT traffic from a netfilter perspective
1722979312 M * Hurga uh
1722979408 M * Guy- so either you load br_netfilter and have netfilter process bridged traffic, or you give NET_ADMIN caps to your guests and configure netfilter inside each (this is assuming the containers are also yours, not customers')
1722979480 M * Guy- but if a container can set netfilter rules it can also mess with its own IP address, so instead of having a nice bridge where all your guests are connected to, you suddenly need a spiderweb of veth links, or risk one compromised guest stealing the IP of another
1722979526 M * Guy- I bit the bullet and use bridging with br_netfilter and containers that don't have NET_ADMIN, but even so the firewall ruleset on the host got uglier
1722979617 M * Hurga ok, thanks for the info. I guess I'd better start playing with that
1722979626 M * Guy- break a leg
1722979633 M * Hurga :)#
1722979680 M * Guy- what's annoying is that you can't migrate containers piecemeal -- the old kernels vserver still supports don't have the necessary lxc features
1722979693 M * Guy- so you have to have a flag day and convert all containers at once
1722979813 M * Hurga thought so, but it's not too bad. My main server runs KVM anyway, so I should be able to set up an extra VM for the LXC stuff and then migrate IP by IP
1722979927 M * Guy- that should work, yes