[00:31] micah (micah@adsl-68-78-111-196.dsl.emhril.ameritech.net) joined #vserver.
[00:31] hi micah!
[00:31] hey Bertl
[00:32] I got the kernel booted, now I am trying to get util-vserver to compile
[00:32] which version?
[00:32] it can't find the ext2fs headers even though I did ./configure --with-kerneldir=/usr/src/linux
[00:32] 0.28
[00:32] get 0.29.2 and try again
[00:32] oh a newer version :)
[00:33] .29.2 is not stable though?
[00:33] it's a pre to the next stable ...
[00:33] you can test with 0.29 should work too
[00:33] but I'd suggest 0.29.2
[00:34] I dont see where it is on the site
[00:34] http://www-user.tu-chemnitz.de/~ensc/util-vserver/pre/
[00:34] http://www-user.tu-chemnitz.de/~ensc/util-vserver/
[00:34] ok, trying that one
[00:35] still can't find the ext2fs headers :(
[00:35] ./configure --with-kerneldir=/usr/src/linux
[00:35] install the ext2 library
[00:35] development version ...
[00:35] hrm
[00:35] yeah
[00:35] I thought I already had it installed :p
[00:35] getting it
[00:36] i thought I had it installed or it was part of the kernel source, my fault
[00:36] *lol*
[00:36] For those wannabe hackers who are too stupid to get it: THIS IS A WIKI! google for that!
[00:36] if you believe it or not, it was necessary ...
[00:36] must have been a real genius ;>
[00:36] Bertl: configure worked, but make did not :(
[00:36] what do you get on make?
[00:36] shall I paste?
[00:37] about 10 lines
[00:37] yeah
[00:37] then mv -f "lib/.deps/lib_libvserver_a-syscall.Tpo" "lib/.deps/lib_libvserver_a-syscall.Po"; else rm -f "lib/.deps/lib_libvserver_a-syscall.Tpo"; exit 1; fi
[00:37] In file included from lib/syscall.c:25:
[00:37] lib/vserver-internal.h: In function `vserver':
[00:37] lib/vserver-internal.h:99: error: `__NR_vserver' undeclared (first use in this function)
[00:37] lib/vserver-internal.h:99: error: (Each undeclared identifier is reported only once
[00:37] lib/vserver-internal.h:99: error: for each function it appears in.)
[00:37] make[1]: *** [lib/lib_libvserver_a-syscall.o] Error 1
[00:37] make[1]: Leaving directory `/usr/src/vserver/util-vserver-0.29.2'
[00:37] make: *** [all] Error 2
[00:37] clean the source dir, and reconfigure
[00:37] .28 doesn't seem to have that problem
[00:38] k
[00:38] same problem
[00:38] did a make clean
[00:38] then a ./configure --with-kerneldir=/usr/src/linux
[00:38] then make
[00:39] .28 compiles all the way through
[00:39] did you remove the config.cache?
[00:39] there isn't one
[00:39] ls config*
[00:39] config.h config.h.in config.log config.status configure configure.ac
[00:40] okay, remove the status
[00:40] same result
[00:41] what arch is this?
[00:41] i686
[00:41] hmm ... strange ...
[00:42] ya
[00:42] I think I'd like to try the .28 to see how to do this
[00:42] I could make it and make install it
[00:42] well, you could search the log
[00:42] which log?
[00:42] enrico handled a similar issue a few days ago .. but I don't remember how ...
[00:42] irc-log
[00:43] ah, ok
[00:43] I think I want to try and use .28 right now
[00:43] because it works, I want to get a vserver working so I can see how it works!
[00:43] okay
[00:43] please send the error message to the ml, or enrico
[00:43] i've been following the step-by-step wiki page (and I updated it to have the newest patch btw.)
[00:44] what is enrico's email?
[00:44] Enrico Scholz
[00:44] but cc it to the ml ...
[00:45] great, thanks, I am subscribing to the list right now
[00:45] will do that
[00:45] in the meantime
[00:46] I've been following http://www.linux-vserver.org/index.php?page=Step-by-Step+Guide
[00:46] the step I am on now says, "Create a vserver!"
[00:46] but it doesn't link to where the instructions are for doing that :)
[00:47] i recall the person who was here last night doing this on debian woody
[00:47] and using a program to create it?
[00:47] you can do that easily with the alpha util-vserver branch ...
[00:48] ah, but I am using the .28
[00:48] yeah, I know ...
[00:48] Action: micah gets yesterday's irc logs
[00:50] hmm
[00:50] vserver build?
[00:51] vserver build
[00:51] takes a little bit
[00:51] copies your host server ...
[00:51] what does it copy?
[00:51] everything ...
[00:51] heh
[00:51] I dont think I have enough space
[00:51] to have everything
[00:52] it just gets /bin /etc /sbin /usr ?
[00:52] erp, just ran out of space
[00:53] so you do need a full copy of the host server for each vserver?
[00:53] I was hoping to be able to trim it down a lot, ie. just make an apache virtual hosting setup, that would only do apache
[00:55] nope
[00:55] as I said, the alpha branch does a minimal server install
[00:55] it uses the debootstrap method
[00:56] a similar way is implemented in the debiannewvserver script
[00:56] ah interesting
[00:56] but do not ask me where to get or how it works ...
[00:56] heh
[00:56] I'll look for it
[00:56] micah: I've built a statically linked apache vserver that only contains apache and a few libs.
[00:56] micah: same with mysqld, powerdns, etc.
[00:56] Only 10 files in each vserver or so (apart from the content)
[00:56] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[00:57] Zoiah: do you have any instructions on how to do it? I am wanting to use vserver for hosting websites for non-profits, but I want to separate each one into their own vserver for security
[00:58] micah: just build a chrooted version of the apache installation.
[00:58] micah: then use that as the vserver and use the appropriate S_START and S_STOP variables.
[00:58] micah: lots of documentation on the net how to make chrooted versions of software.
[00:59] Zoiah: hmm, I dont follow you
[01:00] Zoiah: so I build apache, something like this: http://penguin.epfl.ch/chroot.html
[01:00] Zoiah: then what?
[01:00] Yup.
[01:00] micah: then you start it with vserver. :)
[01:00] how do you do that?
[01:00] micah: make a config-file, put the apachectl (or whatever you want) in the S_STOP/S_START variables (if your vserver supports that).
[01:20] zoiah: i dont understand what the S_STOP/S_START variables are
[01:20] Action: micah is almost finished setting up a chroot apache
[01:30] Zoiah: hrm, I got a chroot apache installed, but it is 390 files :(
[01:30] and 5.6 megs
[01:31] got it down to 34 files by getting rid of the icons, the htdocs, and the man pages
[01:32] but it is still 4.2megs with the /lib directory
[01:35] does anyone have a vservers/.conf I can look at?
[01:35] sure .. sec
[01:35] I'm trying to start vserver with my apache chroot
[01:37] micah: I have it statically linked, so I don't have a /lib. :)
[01:37] Zoiah: oh, nice, how do you do that?
[01:38] http://vserver.13thfloor.at/Stuff/vserver.conf
[01:38] LDFLAGS="-static"
[01:38] Zoiah: is that an apache configuration option?
[01:38] Bertl: thanks
[01:39] np
[01:39] micah: it's an environement (I can't spell) variable.
[01:39] micah: make passes it to LD or something.
[01:39] Zoiah: so if I do export LDFLAGS="-static" before I run a make in apache it will make it static?
[01:39] micah: yup.
[01:40] Bertl: tried to do: vserver vserver exec /apache/bin/apachectl with that vserver.conf (after modifying it), it says:
[01:40] micah: although, you have to do a bit more, because nss-stuff is still dynamic by default, so I had to recompile glibc with some obscure ./configure option.
[01:40] No directory for this vserver: /vservers/vserver
[01:40] micah: did you put it in /vservers/vserver /
[01:40] ?
[01:40] Zoiah: did I put what there?
[01:40] micah: the chrooted installation.
[01:41] Zoiah: no, it is in /www or /apache
[01:41] micah: vserver expects it in /vservers/
[01:41] Zoiah: ah, ok
[01:41] in alpha util-vserver this is a symlink in the config tree
[01:41] ln -s /apache /vservers/apache
[01:41] Bertl: that sounds like a good way
[01:42] that's why I mentioned it ;)
[01:43] Zoiah: hrm, I remade apache that way, but it didn't make it static, maybe I need to reconfigure it first
[01:45] ok!
[01:45] vserver apache exec /apache/bin/apachectl start
[01:46] looks sorta like it worked?
[01:46] SIOCSIFADDR: File exists
[01:46] SIOCSIFFLAGS: Cannot assign requested address
[01:46] SIOCSIFNETMASK: Cannot assign requested address
[01:46] SIOCSIFBRDADDR: Cannot assign requested address
[01:46] SIOCSIFFLAGS: Cannot assign requested address
[01:46] ipv4root is now 192.168.0.99
[01:46] Host name is now pond.riseup.net
[01:46] Domain name is now
[01:46] New security context is 1000
[01:46] /apache/bin/apachectl start: httpd started
[01:46] the ip is already defined
[01:46] if you want to 'use' a defined ip, remove the eth0: part
[01:47] otherwise the vserver script will create an alias ...
[01:47] (see the errors above)
[01:47] so, ok, how do I tell what is going on? :)
[01:47] vserver-stat says:
[01:47] CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME DESCRIPTION
[01:47] 0 83 986MB 122kB 10m12.29 3m34.91 1h24m37 root server
[01:47] 1000 6 15MB 1kB m00.00 m00.01 m29.65 apache Qemu Example Vserver
[01:47] http://vserver.13thfloor.at/Stuff/VServer-IP-Setup-0.1.txt
[01:48] I am not sure if I need a defined IP
[01:48] well, it's simple is 192.168.0.99 already defined or not?
[01:48] yes, that is my IP on eth0 in my root machine
[01:49] so you do not want the script to create another alias, and take it down on shutdown right?
[01:51] well, I am not sure
[01:51] what I want is:
[01:51] hehe
[01:51] okay, another simpler question:
[01:51] I want to setup these apache chroot vservers for virtual hosts, and I wont be having different static IPs for each
[01:52] do you want to use 192.168.0.99, when the apache vserver is don?
[01:52] is that possible?
[01:52] Bertl: yes
[01:52] okay, then you do NOT want the scripts to take it down on vserver stop ;)
[01:52] right
[01:52] but can the vserver have the same IP as the host?
[01:52] which means, you DO want to reuse an existing ip for that vserver
[01:53] yes
[01:53] in other words: 'remove the eth0: part'
[01:53] in the config, ok
[01:53] yep
[01:53] ok, thats easy
[01:54] so vserver apache status shows me that the vserver is running with some processes running
[01:54] good!
[01:55] and lynx --dump http://192.168.0.99:8088 works :)
[01:55] even better!
[01:55] indeed
[01:55] it is weird, I can't see the processes on the root machine?
[01:55] any processes at all, vserver or anything
[01:57] how can I tell how much resources this is taking up?
[02:11] you can see the processes in the context 1
[02:11] vserver-stat shows you the resources
[02:11] ?
[02:11] how do you see context 1?
[02:11] chcontext --ctx 1 ps auxwww
[02:12] oh interesting
[02:12] chcontext --ctx 1000 ps auxwww
[02:12] that is cool
[02:12] now that I've statically compiled apache, it should be even less :)
[02:13] well, not necessarily
[02:14] for example (hard) linking the libs into the apache vserver would reduce it further, and also reduce the overall memory use
[02:14] 1 megabyte less :)
[02:34] now I need to figure out how I can justify how this is better than a simple jail
[02:34] you guys were saying before that the vserver gives you a chroot/jail setup without the chroot holes right?
[02:34] hmm, that is explained easily
[02:34] if you do it properly, yes
[02:35] please do explain, so I can explain to the people who will decide which way we go :)
[02:35] (means using the barrier and /proc security)
[02:35] basically the vserver has no caps and no permissions
[02:35] caps = ?
[02:36] if you now secure the chroot jail with the barrier, and activate the /proc security, then somebody hacking apache, can do nothing ...
[02:36] caps = linux capabilities ...
[02:36] and this is different from a traditional chroot/jail how?
[02:37] you can easily escape a chroot
[02:37] (i hope I'm not being annoying, I'm trying to understand)
[02:37] no problem ...
[02:37] and you can abuse root rights to create device nodes in a root chail
[02:38] s/chail/jail/
[02:38] both isn't possible with vserver
[02:38] scenario 1: I have a traditional jail/chroot with php and something insecure, like php-nuke. Someone manages to exploit php nuke and do things as the jail user, the exploiter could somehow break out of the jail and do things on the system.
[02:39] yeah, in vserver a) he doesn'
[02:39] t see anything else than apache
[02:39] scenario 2: I have a vserver jail/chroot with /proc security and barrier, running apache and php and insecure php-nuke. Someone manages to exploit php nuke and could mess up that particular site, but it is impossible for them to break out of the vserver
[02:39] yes
[02:40] and he can not even mess with the system from inside
[02:40] so in scenario 1 the exploiter can create device nodes and break from the jail, in scenario 2 he cannot see anything but apache and cannot create device nodes and cannot break from the jail
[02:40] there are probably other differences as well, but yes
[02:41] basically vserver is designed to have root inside ...
[02:41] so becoming root in a vserver doesn't help much ;)
[02:41] and once you become root in a vserver, you cannot become root in the host server
[02:42] that is the idea behind vserver
[02:42] otherwise it wouldn't be safe to allow root access to a vserver
[02:42] interesting
[02:43] am I using the "barrier" and /proc security now?
[02:43] probably not
[02:44] what is your vserver path?
[02:44] /vservers/apache is a symlink to /www
[02:44] okay so www is the actual vserver dir?
[02:44] but I can move /www into /vservers/apache if necessary
[02:44] yes
[02:45] hrm, it would be better to have it in /vservers
[02:45] ok, I can do that easily
[02:47] ok, that is done
[02:47] now do chmod 000 /vservers
[02:47] and chattr +t /vservers
[02:48] this defines the 'barrier'
[02:48] in devel or on 2.6.x this is solved via a separate flag
[02:51] hmm, I can't seem to exec apachectl (No such file or directory)
[02:51] what is the root? if I do vserver apache exec /apache/bin/apachectl start should that work?
[02:51] nope
[02:51] /vservers/apache is the root
[02:52] hmm, still can't find it
[02:52] doing:
[02:52] vserver apache exec /vservers/apache/apache/bin/apachectl start
[02:53] which is wron
[02:53] +g
[02:53] vserver apache exec /bin/apachectl start
[02:53] might work .. not sure about the arg
[02:53] Can't execute /bin/apachectl (No such file or directory)
[02:53] Bertl: he has the apache part in /apache on the apache vserver
[02:53] hmm, okay
[02:54] vserver apache exec /apache/bin/apachectl start
[02:54] then
[02:54] confusing ...
[02:54] Can't execute /apache/bin/apachectl (No such file or directory)
[02:54] micah: vserver apache enter
[02:54] okay, where _is_ your apachectl?
[02:54] err, my fault, it can't launch apachectl
[02:54] _where_ is your apachectl located there?
[02:54] but I can launch httpd :)
[02:54] doh.
[02:55] its because apachectl depends on bash which depends on sharedlibs
[02:55] neither of which the chroot has
[02:55] okay ..
[02:55] Bertl: ok, I did the +t /vservers and the chmod 000 /vservers
[02:56] so that means I've got the barrier and the /proc security
[02:56] ?
[03:09] nope, that is the barrier
[03:09] but I guess you do not mount /proc inside the chroot right?
[03:11] paul (~irssi@195.202.59.230) left irc: Quit: leaving
[03:46] is it possible to dynamically load a library inside of a vserver if you hard link it?
[03:46] yes
[03:47] and you can make use of another feature available in vserver
[03:47] the library is outside in the master host
[03:47] immutable and immutable unlink flag
[03:47] the goal is to make apache take up the least amount of resources, if I dont need a separate libc for each instance...
[03:48] yeah, that is usually done among vservers and it's called unification ...
[03:48] interesting
[03:48] this is sounding good
[03:48] each vserver gets a hard link of the library
[03:49] this hard link means that inode cache (and for RO even memory mappings) are shared
[03:49] a glibc using up 5MB, used in 10 vservers only contributes 0.5MB to each ;)
[03:50] and reduces the in memory footprint by a factor of 10
[03:50] do they share the memory? or just the disk space?
[03:50] for RO mappings, as for libraries both
[03:51] same for executables (they are ro too)
[04:12] that is something I will have to figure out, but first I must document what I did so I dont forget that
[04:12] :)
[04:12] make that, best on the wiki ... or ml ;)
[04:13] right
[04:16] dilox (~dilox@host254-8.pool8249.interbusiness.it) joined #vserver.
[04:17] Bertl: and it is possible to share one IP throughout the vservers for different apache installs? Is that what http://vserver.13thfloor.at/Stuff/VServer-IP-Setup-0.1.txt is all about?
[04:17] hi bertl
[04:17] hi dilox!
[04:17] how are u?
[04:17] micah: well, basically yes, but you cannot bind them to the same port ...
[04:18] dilox: I'm okay ... a little tired ...
[04:18] Bertl: that can be a problem, so do you use iptables or proxypass or something to have the host server redirect people to the right ports in the vservers?
[04:18] micha i think rinetd is very easy to use
[04:18] that might be an option, using different ips is also an option ;)
[04:19] Bertl: yeah, don't have that option of IPs :(
[04:19] dilox: is that how it is possible?
[04:19] well, then you need different ports ...
[04:19] and some kind of proxy ...
[04:19] but that problem isn't different from 'normal' multiple apache setups
[04:19] right, sounds like iptables, rinetd or apache proxypass would be the options
[04:20] ok, we'll do some research on that, not there yet :)
[04:21] soor (~as@pD951A78C.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[04:22] bertl.. i've got some problem stopping vserver
[04:22] what's the correct way to kill it?
[04:23] i used vserver first stop but no works!
[04:27] dilox (~dilox@host254-8.pool8249.interbusiness.it) left irc: Quit: Uscita dal client
[04:29] dilox (~dilox@host254-8.pool8249.interbusiness.it) joined #vserver.
[04:33] Bertl: in order to do the library unification immutable stuff, do I need a separate patch?
[04:33] for the immutable linkage flags
[04:35] dilox: back again?
[04:36] micah: no separate patch, it's included ...
[04:36] yes.. i lost connection for a while
[04:36] me too ...
[04:36] Bertl: ok, what is the http://www.13thfloor.at/vserver/s_release/v1.26/split-2.4.25-vs1.26.tar compared to the http://www.13thfloor.at/vserver/s_release/v1.26/patch-2.4.25-vs1.26.diff?
[04:36] ok
[04:36] is it just the patch split up into different patches?
[04:37] micah: yeah broken out .. have a look at it
[04:37] bertl i got problem stopping vserver, i did vserver first stop but no works
[04:37] what does it say?
[04:37] Can't set the new security context
[04:37] : Invalid argument
[04:37] sleeping 5 seconds
[04:38] then...
[04:38] chcontext version 0.29
[04:38] chcontext [ options ] command arguments ...
[04:38] chcontext allocate a new security context and executes
[04:38] a command in that context.
[04:38] By default, a new/unused context is allocated
[04:38] hmm, okay, please let me know what testme.sh gives?
[04:39] http://vserver.13thfloor.at/Stuff/testme.sh
[04:39] ok
[04:39] one minute
[04:39] i've to run it inside vserver?
[04:39] nope, on the host
[04:40] testhim ;-)
[04:40] ehi... only 201 failed
[04:40] fine, I need the first 4 lines
[04:41] Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
[04:41] chcontext is working.
[04:41] chbind is working.
[04:41] Linux 2.4.23-vs1.22 i686/0.29/0.29 [J]
[04:41] then
[04:41] ---
[04:41] [001]# succeeded.
[04:41] [011]# succeeded.
[04:41] [031]# succeeded.
[04:41] [101]# succeeded.
[04:41] [102]# succeeded.
[04:41] good you are on vs1.22 (which is insecure) and use jack's broken 0.29 tools ;)
[04:41] [201]# failed.
[04:41] [202]# succeeded.
[04:42] don't say I have to recompile kernel
[04:42] well, depends what you want, it's probably not kernel related (your issues)
[04:42] switching to util-vserver would be a good idea though
[04:43] ahh
[04:43] I understand.. so remove vserver and install util-vserver right?
[04:43] unless you _are_ happy with the tools (some people are ;)
[04:44] 0.29.2 is the latest "stable" version of them ...
[04:44] http://www-user.tu-chemnitz.de/~ensc/util-vserver/pre/
[04:44] do u use an rpm based distro?
[04:45] a .deb based
[04:45] okay, then compiling them yourself would be the best choice ...
[04:45] i installed util-vserver
[04:45] now testme is ok
[04:45] i show you
[04:45] no need to ..
[04:45] Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
[04:45] chcontext is working.
[04:45] chbind is working.
[04:45] Linux 2.4.23-vs1.22 i686/0.29/0.29 [J]
[04:45] ---
[04:45] [001]# succeeded.
[04:45] [011]# succeeded.
[04:45] [031]# succeeded.
[04:45] [101]# succeeded.
[04:46] [102]# succeeded.
[04:46] [201]# succeeded.
[04:46] [202]# succeeded.
[04:46] dilox: I would be interested to see if you can get 0.29.2 to compile though
[04:46] hmm, you now have some mix of both tools installed
[04:46] or is the debian version so much different?
[04:46] i see
[04:47] btw, could anybody tell me who is maintaining those debian packages?
[04:49] micah: everything you need for util-vserver is a working c++/C99 compiler and sane headers ...
[04:50] ok now i can stop it
[04:50] it seems that debian has done a good job in breaking both for woody
[04:50] Bertl: I am not using the debian packages
[04:50] you did compile your compiler/(g)libc yourself?
[04:51] Bertl: no, I am sorry, I was responding to the above about who is maintaining the package
[04:51] Bertl: I am using the debian supplied g++
[04:51] I can install g++2.95 or 3.0 also
[04:51] won't work ...
[04:52] everything is working fine with sarge (as folks reported)
[04:53] and I'm sure most issues can be fixed somehow, but that you have to ask enrico ...
[04:53] dilox: issues resolved?
[04:54] yes
[04:55] is there a patch-1-26 for kernel 2.4.23?
[04:56] is there a reason why you would want to use an exploitable kernel?
[04:56] no
[04:56] so it's better i change kernel and patch
[04:57] right?
[04:57] probably ... especially if you have no good reason ;)
[04:57] (not to do it ;)
[04:57] ok
[04:58] i used it because in the how to on www.linux-vserver.org he used it
[04:58] and so.. i follow suggestions
[04:58] hmm, you could update this, when you are actually doing it ;)
[04:59] maybe even extending it ...
[05:00] but no problem, can i use util 0.29 on new kernel?
[05:00] util-vserver 0.29 or later will work with all 1.2x kernels
[05:01] ok
[05:01] it should also be backwards compatible with 1.00 ...
[05:01] i'll download kernel 2.4.25
[05:01] (not that anybody would use this)
[05:02] darn, the grsecurity patch+vserver isn't available for 2.4.25 yet
[05:02] what version do you say i have to download?
[05:02] for 2.4.25?
[05:02] dilox: get 2.4.25
[05:03] and get http://www.13thfloor.at/vserver/s_release/v1.26/patch-2.4.25-vs1.26.diff.bz2
[05:03] yep, sounds good ...
[05:04] k got basics, will do library unification and networking later, now it is time to eat and relax :)
[05:04] thanks again bertl
[05:04] you are a great help!
[05:04] i would have been quite lost otherwise
[05:04] you're welcome
[05:07] berlt
[05:07] isn't it like 4am there?
[05:07] here 3am
[05:08] ep 3am
[05:09] matta: so did you tame the dragon yet?
[05:09] soor (~as@pD958AAA2.dip.t-dialin.net) joined #vserver.
[05:10] hi soor!
[05:10] bertl can i apply patch over debian kernel source?
[05:10] no
[05:10] ok
[05:11] http://vserver.13thfloor.at/Experimental/patch-2.4.25-1-vs1.26.diff
[05:11] this is for debian
[05:11] should work but is untested
[05:11] ok, i'll use normal kernel
[05:41] bertl how can I jump into vservers using ssh?
[05:42] well, if you start sshd service inside a vserver, you can ssh in ...
[05:42] or what do you mean?
[05:44] 10.0.0.83 is the ip of vserver... if I do ssh root@10.0.0.83 from the outside i remain on the host
[05:45] i think ssh is not running on vserver
[05:45] probably the host's sshd is bound to all ips ...
[05:45] you have to limit the hosts sshd to the host IPs
[05:46] ah ok
[05:46] this can be done with the v_sshd script
[05:46] or by simply configuring the sshd properly
[05:47] where i find v_sshd script?
[05:48] it's in the util-vserver package ...
[05:48] normally installed in /etc/rc.d/init.d/v_*
[05:48] it's a sysv runlevel script
[05:51] mmm debian package doesn't have
[05:51] well, that's the advantage of a well maintained package system :(
[05:52] eheh
[05:54] so in /etc/ssh/sshd_config i change #ListenAddress 0.0.0.0
[05:54] yup
[05:54] in ListenAddress ip
[05:55] right?
[05:55] yes
[05:55] i'm afraid to lost connection... host is miles from me ;-)
[05:56] can I specify two ips?
[05:56] that is, where remote console comes in ...
[05:56] you should configure a different port, and test the config file with another sshd ...
[05:57] can i configure a different port inside vserver?
[05:57] sure ...
[05:58] ok now sshd inside vserver is up
[05:59] perfect now I'm inside vserver through ssh
[06:00] tnx
[06:00] np
[06:03] yes I like vserver.. I tried uml but it seems to be too slow
[06:03] what are the differences?
[06:03] it's a different approach ...
[06:03] yes
[06:04] uml does a complete linux, including the kernel
[06:04] vserver tries to separate processes
[06:04] it's in the middle between chroot and uml
[06:05] actually vserver is the extension of chroot()
[06:05] we add chcontext() and chbind() which does the same what chroot() does but for process space and network
[06:05] the rest is userspace magic ...
[06:05] magic?
[06:06] tools, scripts, configs, etc
[06:07] how many people are working on the project?
[06:07] depends ...
[06:07] kernel space is currently me only
[06:07] 1-10-100?
[06:07] userspace is mostly covered by enrico
[06:08] so I'd say 3-4 people core, and about 10-20 contributing ...
[06:08] nice...
[06:09] compliments
[06:11] what linux distribution do you use?
[06:11] a modified version of mandrake
[06:12] modified in sense you modify?
[06:12] yep
[06:12] eheh
[06:12] on server?
[06:12] if I use vserver? of course!
[06:13] <_shur1> :)
[06:14] hi _shur1!
[06:14] <_shur1> hi bert
[06:14] your nick is getting stranger from day to day ...
[06:14] i _shur1
[06:14] <_shur1> heheh
[06:15] # chcontext --ctx 100 wc /vservers/mod.list
[06:15] New security context is 100
[06:15] 8988 8988 398442 /vservers/mod.list
[06:15] # chcontext --ctx 200 wc /vservers/mod.list
[06:15] New security context is 200
[06:15] wc: /vservers/mod.list: Permission denied
[06:15] #
[06:15] does this tell you anything, if I add ...
[06:15] # uname -a
[06:15] Linux (none) 2.6.3 #8 Sun Feb 29 04:01:26 CET 2004 i686 unknown
[06:16] where you find patch for 2.6.3?
[06:16] <_shur1> Bertl did you try the TAP/TUN like said into the mailist?
[06:17] dilox: hmm, on my harddisk ...
[06:17] <_shur1> lol
[06:17] :)
[06:17] _shur1: nope obviously missed it, please elaborate ...
[06:18] ok boys... i'm going to sleep
[06:18] have a nice one ...
[06:18] good night to everybody
[06:18] thanks again bertl
[06:19] <_shur1> +
[06:19] see you later
[06:19] cya
[06:19] <_shur1> We would like to improve vserver's networking support.
[06:19] <_shur1> Like with our UML-Servers we did the following today (on debian):
[06:19] ah, okay, that was some time ago ... yeah I read it
[06:20] dilox (~dilox@host254-8.pool8249.interbusiness.it) left #vserver.
[06:20] <_shur1> ok
[06:20] but I also suggested (in an answer to that, IIRC) to use dummyX
[06:21] which pretty much does the same ...
[06:21] <_shur1> ok
[06:21] <_shur1> cause really important to have a REAL interface i think
[06:22] well, I'm not convinced yet, that it's worth the effort ...
[06:22] <_shur1> for me is the most important thing...
[06:22] why?
[06:22] <_shur1> monitoring..
[06:23] <_shur1> try to make MRTG graph with eth0:1
[06:23] simple
[06:23] <_shur1> iptable ??
[06:23] just add an accounting rule in the iptables
[06:23] <_shur1> arff
[06:23] <_shur1> that sux
[06:23] why?
[06:23] <_shur1> stats are not really good..
[06:24] <_shur1> 95 percentile didnt work
[06:24] well, a 'REAL' interface wouldn't do anything different
[06:24] <_shur1> yes
[06:24] <_shur1> vmware allow it..
[06:24] and you would require a smtpd inside every vserver
[06:24] <_shur1> is a virtual..
[06:25] which isn't very smart either
[06:25] <_shur1> well it work very fine..
[06:25] didn't say it doesn't work ...
[06:25] but there are MUCH better solutions ...
[06:25] <_shur1> like what?
[06:25] <_shur1> eth0:192.168.0.1
[06:25] <_shur1> humm
[06:25] <_shur1> dont have the same opinion..
[06:26] like configuring iptables correctly, and doing a sane graphing with rrd
[06:26] this only requires a fraction of the resources your solution does
[06:26] and is much more flexible in what you account
[06:27] for example separating the accounting into tcp/udp/icmp or even per port is no prob at all
[06:27] <_shur1> the test i have done with iptables and mrtg are very not concluent
[06:27] <_shur1> some stats where missigne
[06:27] I totally agree that a eth0 inside vserver 'looks' much nicer ...
[06:27] <_shur1> missing
[06:27] <_shur1> nha
[06:28] <_shur1> not the fact of better looking..
[06:28] but from functionality, the other approach is much more advanced
[06:28] <_shur1> i really think vmware network adapter is better...
[06:28] <_shur1> is my opinion..
[06:29] well, it's something completely different ...
[06:29] you'll never see this solution on vserver
[06:29] <_shur1> ok
[06:29] <_shur1> brb
[06:36] monrad (~monrad@213083190235.sonofon.dk) left irc: Remote host closed the connection
[06:37] SeerHome (~theseer@c168174.adsl.hansenet.de) left irc: Quit: Client exiting
[06:51] okay, I'm off to bed now ...
[06:51] have a nice one ... cu all later ...
[06:52] Nick change: Bertl -> Bertl_zZ
[07:38] Nick change: Mcleod[Zzz] -> Mcleod
[13:14] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[14:17] dilox (~dilox@host215-1.pool8251.interbusiness.it) joined #vserver.
[14:37] hi _shur1
[14:38] dilox (~dilox@host215-1.pool8251.interbusiness.it) left irc: Quit: Uscita dal client
[14:54] dilox (~dilox@host215-1.pool8251.interbusiness.it) joined #vserver.
[14:56] dilox (~dilox@host215-1.pool8251.interbusiness.it) left irc: Client Quit
[14:56] dilox (~dilox@host215-1.pool8251.interbusiness.it) joined #vserver.
[14:56] dilox (~dilox@host215-1.pool8251.interbusiness.it) left irc: Client Quit
[14:59] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[15:02] kestrel (athomas@home.swapoff.org) joined #vserver.
[16:26] matta (matta@tektonic.net) left irc: Quit: Hey! Where'd my controlling terminal go?
[16:42] triX (~trix@145.253.155.82) joined #vserver.
[16:43] hi, someone know how to bind more than 1 ip to a vserver on eth0 ?
[16:50] you need ip aliases
[16:50] ifconfig eth0:0 192.168.1.5 up
[16:50] ifconfig eth0:1 192.168.1.6 up
[16:51] something like that
[16:52] ah oki
[16:53] but i think the vserver script fire up the ip aliases by it self
[16:53] this work when i have eth0:xx.xxx.xxx.xx eth1:xxx.xxx.xxx.xxx
[16:53] but not when i have eth0:xx.xxx.xxx.xx eth0:yyy.yyy.yy.yy eth1:xxx.xxx.xxx.xxx
[17:07] Nick change: Bertl_zZ -> Bertl
[17:07] morning everyone!
[17:10] morning bertl
[17:10] how's your vserver today?
[17:11] everything's fine :)
[17:11] good to hear ...
[17:15] hmmm... i have used php for too long... tried to add a long to a char*, no wonder that bs shows up on the screen...
[17:15] s/wonder/surprise/
[17:16] Action: Bertl is glad that Doener didn't do too much brainfuck ...
[17:16] hehe
[17:17] or even intercal ...
[17:26] afk, brb
[17:29] serving (~serving@213.186.190.121) left irc: Read error: Connection reset by peer
[17:30] omg... if i ever feel the need of destroying someone's life, i'll point him/her right to intercal...
[17:31] "Beware! If you aren't a hard-core hacker, you'd best surf right back where you came from now. Nothing but twisted technical yuks and an inexorable descent into brain-sucking obsession awaits beyond this point. You have been warned."
[17:31] that is what the intercal resources page says :)
[17:34] paul (~irssi@82.207.133.98) joined #vserver.
[17:35] hi
[17:43] hi paul!
[17:48] __shur1 (~shushushu@vserver.electronicbox.net) joined #vserver.
[17:48] _shur1 (~shushushu@vserver.electronicbox.net) left irc: Ping timeout: 480 seconds
[17:48] Nick change: __shur1 -> _shur1
[17:51] broo (~broo@host30-5.btbx.net) joined #vserver.
[17:54] hi broo!
[17:56] unlambda looks nice
[17:57] ever tried 'brainfuck'?
[17:57] SORTA seems to be nice, too
[17:58] too bad, i can't seem to find a 'Hello World' for malbolge...
[18:00] "whose chief selling point is that nobody has yet been able to write a trivial version of cat(1) in it."
[18:00] HAHA
[18:05] Action: mids reads the malbolge txt
[18:05] omfg
[18:06] trix: i haven't used that yet, but try eth0:0:xx.yy.zz.qq but bertl may know more ;)
[18:07] hi maja!
[18:07] hi!
[18:07] Action: maharaja is busy setting up another server
[18:09] Doener: http://www.acooke.org/andrew/writing/malbolge.html
[18:09] thanks!
[18:09] created using a genetic algorithm :)
[18:10] bash-2.05b$ ./malbolge hello-world.mb && echo
[18:10] HEllO WORld
[18:10] wow
[18:11] the fact that he had to ignore case to make it easier is frightening...
[18:15] Weird looks fun: http://www.encyclopedia4u.com/h/hello-world-program-in-esoteric-languages.html#Wierd
[18:29] matta (matta@tektonic.net) joined #vserver.
[18:30] hi matta!
[19:00] monrad (~monrad@213083190238.sonofon.dk) joined #vserver.
[19:03] broo (~broo@host30-5.btbx.net) left #vserver (Client exiting).
[19:15] hi monrad!
[19:17] hi
[19:17] TheSeer (~theseer@border.office.salesemotion.net) left irc: Ping timeout: 480 seconds
[19:18] i am getting tired of my firewall so i am thinking of buying a soekris machine (a bit OT)
[19:21] maharaja it's running now
[19:24] trix: what did you do?
[19:27] serving (~serving@213.186.190.121) joined #vserver.
[19:27] hi serving!
[19:27] just restart the server drop all interfaces of this vserver by habd
[19:28] and restart the vserver
[19:28] hand even
[19:30] ok
[19:37] Action: _shur1 back
[19:44] mhm
[19:45] how many blocks does the partition table use?
[19:45] only a fraction of one
[19:46] i forgot how to copy the partition table with dd
[19:46] dd if=/dev/hda of=/dev/hdb count=?
[19:47] bs=512 count=1
[19:47] thnx
[19:47] but be careful, if you have an extended partition
[19:47] the extended partition table will be located somewhere on the disk ...
[19:48] in general it's easier to use sfdisk -dump
[19:48] i c
[20:22] people are so stupid
[20:22] in particular journalists
[20:22] http://www.blastwave.org/docs/Solaris-10-b51/DMC-0002/dmc-0002.html
[20:24] hmm, what in particular?
[20:29] they're acting like this is new
[20:29] kyencer (kyencer@c-24-98-145-233.atl.client2.attbi.com) left irc: Quit:
[20:29] it is for sun...
[20:29] but it's the same thing basically as VServer/Virtuozzo
[20:30] yeah, but for sun it's brand new ...
[20:30] right
[20:30] Every now and again an entirely innovative approach to computer technology appears on the market.
[20:30] just didn't like that line...
[20:31] does look like a solaris oriented site though
[20:31] shrug
[20:31] so did you tame qemu?
[20:31] (just because you didn't respond to my part table)
[20:37] netrose_ (john877@SP2-24.207.231.2.charter-stl.com) left irc:
[20:38] somehow, i've got a little problem...
[20:38] (non vserver related
[20:38] yellow:/home/raoul# pvcreate /dev/md1
[20:38] pvcreate -- physical volume "/dev/md1" successfully created
[20:38] yellow:/home/raoul# pvdisplay /dev/md1
[20:38] pvdisplay -- ERROR "pv_read(): pv_create_name_from_kdev_t" no VALID physical volume "/dev/md1"
[20:39] pvscan
[20:39] yellow:/home/raoul# pvscan
[20:39] pvscan -- reading all physical volumes (this may take a while...)
[20:39] pvscan -- no valid physical volumes found
[20:39] see
[20:40] yellow:/home/raoul# pvdata /dev/md1
[20:40] --- NEW Physical volume ---
[20:40] PV Size 35.35 GB [74139776 secs]
[20:40] PV# 0
[20:40] PV Status NOT available
[20:40] Allocatable NO
[20:41] which lvm tools?
[20:41] Doener_zZz (~doener@pD9E1286A.dip.t-dialin.net) joined #vserver.
[20:43] Nick change: s1aden -> sladen
[20:43] ii lvm-common 1.5.11 The Logical Volume Manager for Linux (common files)
[20:43] ii lvm10 1.0.8-2 The Logical Volume Manager for Linux
[20:45] 18:42 < maharaja> PV Status NOT available
[20:45] 18:42 < maharaja> Allocatable NO
[20:45] interesting too ...
[20:46] jepp
[20:47] i rebooted, removed devfsd
[20:47] still no luck
[20:48] well, have to go
[20:48] cu later
[20:48] okay
[20:49] Doener (~doener@pD9588176.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[20:50] okay, dinner time ... back in 20
[20:50] Nick change: Bertl -> Bertl_oO
[21:04] _shur1 (~shushushu@vserver.electronicbox.net) left irc: Ping timeout: 480 seconds
[21:26] Nick change: Doener_zZz -> Doener
[21:27] Nick change: Bertl_oO -> Bertl
[21:38] Bertl: working on your fdisk problem now.
[21:38] hey talon, thanks!
[21:39] never worked with a sun disklabel before ;)
[21:39] its a bit puzzling to me too. just got done booting the old 2.4.24 kernel that came with gentoo. after fat fingering silo.conf and hooking up the serial terminal in the rack to it.
[21:39] i had it working before when i installed the machine.
[21:40] the part 3 must be the whole disk part confuses me ...
[21:40] (at least that is what fdisk oracles)
[21:42] i think that was my doing. im used to there being a partition that has the entire device mapped for doing a dd of the whole disk (like the default sun disk slice 2 or the bsd c partition)
[21:42] that might be my problem.
[21:43] hmm then again.
[21:43] dunno i will figure it out.
[21:44] there is a 's' option in fdisk
[21:44] this creates a 'new' sun disk label, but I didn't dare to do that yet
[21:45] that would clear the partition table. silo and the openprom need a sun disk label.
[21:46] Action: talon wonders why he gets a device busy reading/writing the device.
[21:46] for the partition.
[21:47] i have a feeling that fdisk isnt even being allowed to write the partition table for some reason.
[21:51] might be ...
[21:54] matta: okay, seems you do not want to answer this question, anyway, if you have problems installing/using qemu, just ask me ...
[21:56] sorry, getting a bunch of work done now :)
[21:56] Bertl: how many partitions do you need?
[21:57] i have a feeling im going to have to boot from cd to get a new partition on this thing.
[21:57] well, I tried to create a big lvm part
[21:57] in the hope, that this will allow me to create lvs inside ...
[21:58] ok. i will try and create a lvm partition.
[21:58] that would be great!
[21:58] hopefully that will work.
[21:58] lvm partitions are just a particular id# right?
[21:58] yep 8e iirc
[21:59] and it seemed that the fdisk supported that for sun disk labels
[22:18] maharaja: just run pvchange to enable the volume
[22:19] bertl: "Whole Disk" is used by the OpenPROM boot loader to do things like find out how big the disk is. Don't delete, just ignore it when creating your partitions
[22:22] sladen: hmm, well unfortunately changing the partition table didn't succeed
[22:23] bertl: okay, I've only just arrived and am reading the scrollback
[22:23] bertl: can you give me the background and tell me what you are trying to do?
[22:24] sladen: simple, talon is providing a sparc, he was so kind to install it, and left some space on the disk, which now can not be used (cause: missing partition ;)
[22:32] can you paste the output of fdisk -p /dev/foo
[22:32] sorry fdisk -l /dev/foo
[22:32] talon is currently investigating that, so I do not want to interfere ...
[22:34] but it looked 'normal' to me ... 3 parts
[22:35] first part ~2GB, second swap, third whole disk
[22:35] I tried to add a part 4 to cover the missing space ... but no luck
[22:38] what commands did you do to add it?
[22:38] n
[22:38] then the normal cylinder stuff
[22:38] then w
[22:38] hmm, should've done it
[22:38] funny part, after that the fdisk -l showed the new part
[22:39] but reboot restored the old one ;)
[22:39] sync
[22:39] yeah, had a sync too ...
[22:39] *shrug* dunno :-)
[22:39] was really strange ...
[22:47] Bertl: ok i think i have it now.
[22:47] log in and see if lvm works now.
[22:47] okay, what was the issue?
[22:47] Disk /dev/hda (Sun disk label): 16 heads, 63 sectors, 17660 cylinders
[22:47] Units = cylinders of 1008 * 512 bytes
[22:47] Device Flag Start End Blocks Id System
[22:48] not sure. i think it doesnt like editing a sun disklabel if that disk has mounted filesystems.
[22:48] aha
[22:48] i also screwed up the partition table and had to recreate it. thankfully i saved a copy before screwing with it.
[22:49] okay, do you know how the lvm-utils are called/how I can install them?
[22:49] they should be installed already.
[22:49] vserver-dev root # locate pvcreate
[22:49] vserver-dev root #
[22:50] vserver-dev root # which pvcreate
[22:50] which: no pvcreate in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/opt/bin:/usr/sparc-unknown-linux-gnu/gcc-bin/3.2)
[22:51] emerge -s lvm
[22:51] * sys-fs/lvm-user
[22:51] Latest version available: 1.0.7
[22:51] Latest version installed: [ Not Installed ]
[22:51] Size of downloaded files: 364 kB
[22:51] Homepage: http://www.sistina.com/products_lvm.htm
[22:51] Description: User-land utilities for LVM (Logical Volume Manager) software
[22:51] License: GPL-2 | LGPL-2
[22:51] * sys-fs/lvm2
[22:51] Latest version available: 2.00.08
[22:51] Latest version installed: [ Not Installed ]
[22:51] Size of downloaded files: 265 kB
[22:51] Homepage: http://www.sistina.com/products_lvm.htm
[22:51] Description: User-land utilities for LVM2 (device-mapper) software.
[22:51] License: GPL-2
[22:51] which one of the two ?
[22:51] a
[22:51] to install it you would just type emerge and then the package name.
[22:51] okay, I'll try
[22:53] 'emerging'
[22:53] if the tools dont work let me know and i will boot the 2.4.25 kernel again i reverted to the default gentoo kernel while playing with fdisk.
[22:54] i should probably go back to the 2.4.25pre8 vserver kernel anyway.
[22:57] the kernel sources should be in /usr/src/vserver if you want to build a new kernel.
[22:57] I want to try building 1.3.8 and 2.6.3(vs0.09.7)
[22:57] the config in the 2.4.25-pre8 dir should work.
[22:58] the stuff in /usr/src/linux* is gentoo sources.
[22:59] go for it. just let me know if it doesnt come up.
[22:59] okay ...
[22:59] thanks for fixing this ...
[22:59] /etc/silo.conf works just like lilo except you dont need to rerun silo.
[22:59] like with grub ...
[22:59] just add the kernel image to the file and change the default= line.
[23:00] so do the tools work?
[23:00] or should i boot the 2.4.25 kernel?
[23:00] just finished emerging ...
[23:02] i fixed the net config files to take care of the mtu problem.
[23:02] while i was at it.
[23:02] ah good ...
[23:05] talon: seems to work ...
[23:05] great!
[23:05] glad i could help.
[23:05] wish id seen the email earlier.
[23:06] np
[23:06] JonB (~NoSuchUse@kg144.kollegiegaarden.dk) joined #vserver.
[23:06] talon: any good slogan for the HoF yet?
[23:06] triX (~trix@145.253.155.82) left irc: Quit:
[23:07] hi Jon!
[23:07] hey Bertl
[23:07] either way the .config file in /usr/src/vserver/linux-2.4.25-pre8 should work for this machine so you can use it as a guide for creating the 26 kernel.
[23:07] yeah, thanks ...
[23:08] you can also look at the gentoo stock kernel config although it adds a few things that arent needed.
[23:08] devfs and mount devfs on boot are needed though.
[23:08] or gentoo will choke on boot.
[23:08] that is my preference anyway ;)
[23:10] talon: the linux-2.4.24-sparc-r1 is what?
[23:11] JonB (~NoSuchUse@kg144.kollegiegaarden.dk) left irc: Read error: Connection reset by peer
[23:11] Bertl: i will try and email you something for the HoF later today i really havent had time to think about it since a lot of stuff popped up out of the blue.
[23:11] Bertl: thats the gentoo default kernel.
[23:11] ah okay ...
[23:11] the stuff in /usr/src/vserver is what i built.
[23:11] anything else in /usr/src was put there by emerge.
[23:12] the vserver label in silo.conf is the 2.4.25pre8 kernel.
[23:16] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[23:47] Bertl: ok i sent you an email with a new Amoebasoft description for the HoF.
[23:47] great, thanks ..
[23:53] broo (~broo@host30-5.btbx.net) joined #vserver.
[23:53] hi all
[23:53] hi broo
[23:56] hi broo!
[23:56] Action: talon goes off to get started putting up a new web site.
[23:57] let me know if you have any more problems with the Ultra 10.
[23:57] okay, thanks again!
[23:57] Nick change: talon -> talon_afk
[00:00] --- Mon Mar 1 2004