[00:29] ILON_ (~ILON@65.124.79.172) joined #vserver. [00:30] hi ILON_! [00:30] ILON (~ILON@65.124.79.172) left irc: Quit: Trillian (http://www.ceruleanstudios.com) [00:30] ILON_ (~ILON@65.124.79.172) left irc: Quit: Trillian (http://www.ceruleanstudios.com) [00:30] ILON__ (~ILON@65.124.79.172) joined #vserver. [01:01] broo (~broo@host30-5.btbx.net) left #vserver (Client exiting). [01:08] Nick change: talon_afk -> talon [01:09] bertl: TI UltraSPARC IIi? i guess thats tchincally correct for the CPU. the machine itself is jsut a Sun Ultra 10. that sun gave us a couploe of years back for a project. (one of 4) [01:09] so you'd prefer Sun Ultra 10 ;) [01:09] also bandwidth is whatever our cable modem allows. its an Ip tunneled in from elseware to our rack at the office. [01:12] i figured bandwidth didint really matter for testing kernels. and it owuld be easier for me to walk across teh room to fix it if thre was a problem. [01:12] right ... [01:13] i think its like 3mbit downa dn 100k up. [01:16] hmm, you took out the quota patch testing stuff. [01:16] * reporting and testing several quota hash issues [01:17] but feel free to adapt/change/modify/extend that ... [01:17] ahh my eyes skipped over that bit. [01:17] the entry is yours, so please modify according to your preference ... [01:18] it is also very likely that I forgot something ... [01:18] i think that covers everything.. anyone can edit these pages? [01:18] yep [01:19] whats to stop someone from going trhough and messing up the site? other than common courtesy that is. [01:19] nothing [01:21] Action: Doener points talon to the famous "Hacker-Page" (see note on the index page...) [01:28] Topic changed on #vserver by Bertl!~herbert@MAIL.13thfloor.at: http://linux-vserver.org/ || latest stable 1.26, devel 1.3.7, exp 0.09.8 [01:34] Bertl: im not sure how i maged this but.. the edited document now has a link next to UltraSPARCIIi that shows up as a '?' char. [01:34] that is a wiki feature, you have to use a '!' 
in front of it ;) [01:35] btw, there is a preview feature ;) [01:37] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: zzzzzzzzzzzzz [01:39] there, much better. [01:39] paul (~irssi@82.207.133.98) left irc: Quit: leaving [01:40] anybody here interested in doing some vserver userspace coding? [01:40] i had used the preview feature i just couldnt figure out why the link was there. since it didnt look different form any other entry. [01:41] it's called WikiWords ;) [01:41] Bertl: what type of userspace coding? [01:42] little C coding for improved debugging, especially strace [01:42] I basically added vserver support to strace ... [01:43] but it would be nice to see the command arguments, where possible/useful ... [01:44] not sure i want to play with the strace code. [01:44] hmm, not really necessary, as I said, I already added the interface [01:45] vserver(VCMD_00,0[0] ) = -1 ENOSYS (Function not implemented) [01:45] vserver(legacy XID=100 ) = -1 ENOSYS (Function not implemented) [01:45] looks like this now ... [01:50] Bertl: did you find anythign interesting in the zones pdf document? [01:51] i kind of like the appraoch they use for the config tools. [01:51] not yet, but I didn#t read it carefully yet ... [01:51] they even have a virtual console device. [01:52] so you can actually init to single user. [01:52] you use zlogin -C name to attach to the virtual console device of the zone. [01:52] but, if you like, you could make a comparison of both, and post that to the ml ... [01:53] with focus on missing vserver features ... [01:53] Bertl: sure when ive had mroe time to look at it myself. ive only just skimed teh document and created a single non global zone to play with. [01:53] Bertl: both kernel and userland features or just kernel? [01:54] everything ... [01:55] it uses the solaris equivalant of read only --bind mounts to save space betwteen zones. much like the way ive been doing it. [01:56] bertl? 
trying to run a CS-dedicated server on a vs, and it stops responding on UDP, got any knowledge of why? [01:56] it tells you to go back to work! [01:56] stop playing games [01:56] click: first, some version information please ... [01:56] 2.4.25+grsec+vs1.26 [01:57] grsec has nothing to do with this, as I've set all the limits to off [01:57] 1.26 is missing some network stuff we added to 1.3.7/8 [01:58] well, the odd thing is that a Battlefield1942-server we started works perfectly tho' :/ [01:58] and it uses the same auth-mechanisms [01:58] let me see if I have the changes somewhere ... should work for vs1.26 too [01:58] Bertl: is there a list on the vserver site of current features? ive not beeing kepeing up to date lately. [01:59] http://www.linux-vserver.org/index.php?page=Release+FAQ [02:13] ah talon, want to do some quota hashes/context tagging tests? [02:16] Bertl: on the sparc? or vmware or what? [02:16] hmm, sparc isn't ready yet, but x86 [02:18] goodday [02:19] one thing zones dont have is teh per context disk limits. its not impossible ot limit the space taken up by a zone. but its a bit harder. you either have to mount a fs mounted from a file, or use the solaris equiv of lvm. [02:19] hi micah! [02:19] i like the vserver per context disk limits better. [02:19] click: where did you get the grsec patch that works with vs1.26? [02:20] Bertl: howdy, been documenting and learning more :) [02:20] good! [02:20] micah: linked from the linux-vserver pages [02:20] Bertl: send me a mail describing teh tests you want done and i will put it on my todo list. [02:20] talon: the interesting part is, it is for 2.6.x ;) [02:21] and ofcourse the kernel and patch versions. [02:21] i figured as much. [02:21] click: yes, but the only patch that is available is the 2.4.24 grsec patch [02:21] click: I emailed the author of that patch asking him to make a .25 version, and he said he would do so today [02:21] talon: okay, I'll send a mail ... [02:21] micah: ? 
[02:21] micah: already running it here [02:21] hang on [02:22] click: were you getting it from here: http://www.linux-vserver.org/index.php?page=grsecurityHowto [02:22] ? [02:22] http://www.sandino.net/parches/vserver/ [02:23] # [KBrown's patches] (linux-vserver + grsecurity patches against vanilla kernel) [02:23] click: oh great! [02:23] so two people are doing this? [02:23] kbrown and jeffery? [02:24] three [02:24] seems as if at least 2 people are doing this ... [02:24] strange [02:24] Bertl: the tools definatly seem intersting with zones. im going to take a while and try to describe them in as much detail as i can. (at lest without source code) i do have headers and system and library tracing to go off of. i just hope describing zones wont be all for nothing. [02:24] micah: maybe they should team up [02:24] i did earlier, but as there's no need for it when it's updated just as fast as I do it, I dropped mine [02:25] talon: I'm sure it will be useful and give enrico and me some new ideas [02:25] click: does that give you the grsecurity patch as well as the vserver patch? [02:25] Bertl: I agree, seems like a waste of effort for three people to do the same thing :) [02:25] Bertl: it seems ot be generally inthe same direction you guys are headed. including an xml based config. [02:26] micah: running it as current here [02:26] one difference is that the tools talk to a daemon (zoneadmd) which does the actual starting/stoppping of zones and calling any kernel hooks. [02:27] click: I mean, does http://www.sandino.net/parches/vserver/ give you vserver patches and grsecurity? Or does it just give you a grsecurity patch that works with the vserver patch? [02:27] (anyone notice that the directory is "parches" not "patches"?) 
[02:27] micah: full patched vs+grsec [02:27] 2.4.25+grsec+vs [02:28] great, thanks, that takes out one step from my docs [02:28] you could revert both, from different sources, to get the other part ;) [02:28] Bertl: true [02:28] :) [02:28] guess it would be interesting to compare that to vanilla+each [02:28] theres only one minor diff on the grsec part to make it work anyway [02:29] vs isn't changed afaik [02:29] and the tools were split into three parts. a configuration tool for the zone config. and administration tool for installing,uninstalling, starting and stoppping zones. and zlogin for logging into zones fro the host. [02:30] interesting would be how they handle init and the fact that init might die in a zone ... [02:30] (FYI init in a zone is supposed to reap the children) [02:30] as far as i can tell they use the standard solaris init inside a zone. and it starts as process 1. and does all normal reaping and even starts up a getty on an emulated console device. [02:31] yeah, but what happens if this init is killed? [02:31] which is the common method for logging into teh zone for the first time. [02:32] Bertl: i would imagine it would tkae all its children with it and take down the zone. but im pretty sure init gets the same protections inside a zone as the real system init. [02:32] i will look into that. [02:33] well, all protection will not save it from exiting for example ... [02:33] and taking all the processes with it, would be interesting ... [02:33] i will experiment with it a bit. [02:33] especially if one of those processes is in a busy/device state [02:34] it's interesting, because this can never happen on a normal system ... [02:34] or if it happens, you see a kernel panic ;) [02:34] what makes it possible for init to exit in a virtualized kernel environment. [02:34] ? [02:34] exit(0) for example? [02:35] or sending a KILL signal from the host [02:35] Action: talon logs into a zone to find out what happens [02:36] hmmm.. [02:36] interesting. 
[02:36] ps -ef | grep init [02:36] root 419 416 0 18:14:31 ? 0:00 init [02:36] root 627 594 0 18:39:06 console 0:00 grep init [02:36] thats form inside a zone. [02:37] the 419/416 is what? [02:37] Oual (~val@valzone.zbla.net) joined #vserver. [02:37] PID and parent id. [02:37] Nick change: Oual -> Val_ [02:37] hi [02:37] 416 is zsched [02:37] hi Val_, how is the debian vserver version? [02:38] Action: micah looks at vunify [02:38] Bertl : 2.4.25 work fine [02:38] Bertl : I'm testing 2.6.3 one [02:38] Bertl : thanks :) [02:38] np, what is the latest util-vserver debian package? [02:38] zsched seems to be special somehow. [02:38] (if there is one) [02:38] hum [02:38] you cant kill -9 it. [02:39] Bertl : 0.29-1 [02:39] and everything in the zone has it as its parent. [02:39] Val_: this is util-vserver not vserver? [02:40] there is no util-vserver package in debian, just vserver one [02:40] okay, would be nice to have that one too, what do you think? [02:40] the reboot system call seems to work in the zone. [02:40] I think :) [02:40] But am not a real good debian packager [02:41] yeah, was just a question to a debian user ... [02:41] it will be nice to have this tool [02:41] Bertl: think its possible zsched could be a kernel process started per zone? [02:41] Val_: so maybe buging the debian maintainer a little could help here ... [02:41] but debian maintainers seems to be very slow in making all thinks needed for vserver [02:42] talon: might be, or might be a virtualized version of the kernel thread [02:42] ILON__ (~ILON@65.124.79.172) left #vserver. [02:42] its pid changes every time the zone is booted. [02:42] Bertl : i did a new kernel-patch package (http://vallar.linuxfr.org/debian) using your latest patch (2.4.25 & 2.6.3) [02:43] hmm, 2.6.3 what is the latest? [02:43] 0.9.6 [02:43] what does the topic line say? [02:43] you gave me delta [02:43] ouch [02:43] :) [02:43] shit [02:43] *G* [02:44] so... 
[02:44] i'll get the new delta :) [02:46] but anyway, thanks for putting those up ... [02:47] thanks to you, using vserver and never go back :) [02:52] yeah zsched definatly seems ot be special. [02:52] you cant trace it. and i cant find any binary for it. [02:53] but init is different from that and has pid 1, right? [02:53] the system init yes. but zched does what init does as far as reaping processes. [02:53] init is just a normal process started on behalf of zsched. [02:53] ah okay, so you see two inits in a zone ... [02:54] one which is the child reaper, and another just named init? [02:54] Val_: hmm... there is a util-vserver package on debian... [02:55] # ps -ef [02:55] UID PID PPID C STIME TTY TIME CMD [02:55] root 1156 1012 0 18:53:59 ? 0:00 /usr/dt/bin/dtlogin -daemon [02:55] root 1012 1012 0 18:53:55 ? 0:00 zsched [02:55] root 1327 1221 0 18:57:39 console 0:00 -sh [02:55] daemon 1039 1012 0 18:53:57 ? 0:00 /usr/lib/crypto/kcfd [02:55] root 1136 1012 0 18:53:59 ? 0:00 /usr/lib/utmpd [02:55] root 1015 1012 0 18:53:56 ? 0:00 init [02:55] root 1334 1327 0 18:57:47 console 0:00 ps -ef [02:55] root 1221 1015 0 18:57:32 console 0:00 /sbin/sh /sbin/rc1 [02:55] root 1108 1012 0 18:53:58 ? 0:00 /usr/sbin/cron [02:55] Doener : where ? [02:55] talon: what does pstree (if it is available) show? [02:56] Val_: only on sid [02:56] # ptree [02:56] 1015 init [02:56] 1221 /sbin/sh /sbin/rc1 [02:56] 1327 -sh [02:56] 1335 ptree [02:56] 1039 /usr/lib/crypto/kcfd [02:56] 1108 /usr/sbin/cron [02:56] 1136 /usr/lib/utmpd [02:56] 1156 /usr/dt/bin/dtlogin -daemon [02:56] Doener : hum, ok just arrived on unstable branch [02:56] talon: okay, and on the 'host'? [02:57] Val_: and which version is this? [02:58] ptree on teh host is a bit long. [02:58] but pid 1 is at the top. [02:58] which is init. [02:58] that is the only interesting ;) [02:58] okay, so they do not fake the init, but add a kernel side init [02:58] we thought about that too ... [02:59] also from the host we see teh zone. 
[02:59] 1012 zsched [02:59] 1015 init [02:59] 1221 /sbin/sh /sbin/rc1 [02:59] 1327 -sh [02:59] 1039 /usr/lib/crypto/kcfd [02:59] 1108 /usr/sbin/cron [02:59] 1136 /usr/lib/utmpd [02:59] 1156 /usr/dt/bin/dtlogin -daemon [02:59] but on linux this complicates many tools, as they assume a) init = 1 and b) ultimate parent [02:59] well actually it breaks some ... [03:00] re [03:00] back again, and still having that lvm problem [03:00] maja: did you ask on the lvm ml? [03:00] if not, this might be a good idea ... [03:01] Bertl: which tools? id like to see if i can get certain things to fail in that way under solaris. [03:01] maybe they added some stuff in to fake it. [03:01] well, for example ps tools assume this on linux [03:01] bertl: not yet [03:01] i tried searchin the list, but lists.sistina.org is down [03:01] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) joined #vserver. [03:02] Morning all [03:02] hi jes_! [03:02] heya Bertl [03:02] vunify is redhat specific isn't it? [03:02] yes, but there are several debian attempts, and the alpha util-vserver branch ;) [03:03] how's things tonight Bertl? Had a good weekend? [03:03] good, yeah, did some work on the 2.6 version ... [03:04] lol...nobody could ever accuse you of not being commited could they? ;) [03:04] Bertl: i will try to write up all i can find soon. im interested in any questions you might have or hints on things to look for. [03:04] that would be nice, TIA [03:05] Bertl: also if your on usenet a good place ot ask questions about zones would be comp.unix.solaris a lot of sun people post there. sometimess about internals. [03:06] wouldnt be suprised if there isnt alreayd a thread going on about zones. [03:07] Bertl: yeah, I dont want unification script that works on packages... I just want to crawl /vservers/reference and then link everything up in /vserver/unified1, unified2, etc. 
regardless if it is a package or not [03:07] talon: I'd prefer if such stuff is handled by somebody familiar with sun solaris stuff ... [03:07] Bertl: is that what the alpha branch will allow? [03:07] well, yes basically ... [03:08] hmmm I love Sun equipment, IMHO nobody else makes machines quite as aesthetic [03:08] lol..but maybe I'm showing my age there [03:08] micah: you ahve to make sure that not the wrong files are unified [03:09] jes_: what about SGI? [03:09] jes_: heh i consider SGI machine smuch mroe pleasing to the eye. [03:09] Bertl: how so? [03:09] newer sun hardware looks better. [03:09] but the old stuff you have to be joking. [03:09] sun hardware is just more powerful overall :) [03:09] hmmm maybe SGI....but I have a "thing" for the old Sun lunchbox form-factor [03:09] my SS2 certanly doesnt look very pretty. [03:09] micah: for example unifying empty log files isn't such a good idea ... [03:10] I bought a few IPC/IPX boxes from Ebay, just because I wanted some sitting on my shelf [03:10] jes_: ever saw a NeXT Station pizza box? [03:10] s/saw/seen/ [03:10] yes Bertl....very nice boxes [03:11] a VASTLY underrated machine IMHO [03:11] Bertl: ah, of course... however I would have a specific list of files that I would know should be unified [03:11] well, the Color Station did 1991 the same windows PCs do nowadays ... [03:11] hmm, maybe a little more ;) [03:12] i had to work on a neXt pizza box in about 1993 [03:12] yeah I remember my old Uni lecturer had one of the few NeXT boxes at the Uni, it was VERY cool [03:12] they were pretty decent, except for horrible security :) [03:12] and I practically spent 99% of my time at Uni working on an IPX [03:12] my employer was a NeXT nut [03:12] heh [03:13] Bertl: is there somewhere where it is defined how unification happens? I assume it is a process of hard link and maybe some chattr? [03:14] it's simple ... unification is 'just' hardlinking ... 
[03:14] then you add the immutable and iunlink flag to the inode [03:14] ah, ok, thats the part I dont know how to do [03:14] this allows the vserver to remove the hardlink [03:15] that depends on the patch version, for 1.26 it's 'chattr +i +t' [03:15] never played with much m68k based hardware. aside from early macs. msot of the old systems ive used i got well after they were not in common use anymore. still quite fun though. i own 3 AT&T 3b2/600G minis running sysvr3.2.2, one NCR tower 32 running NCR tower UNIX which is a sysvr3 variant., a VAX running OpenVMS 7.3 and an R5000 MIPS indy running irix 6.5.11. and i plan ot bring up AIX soon on a little POWERStation 230. [03:16] cool ... [03:16] Bertl: ah, so when you had me do chattr +t /vservers I had already taken care of that part [03:16] btw, the complete default sparc kernel compile of 2.6.3-vs0.09.8 [03:16] (yesterday) [03:16] showed only two warnings ... [03:16] fs/proc/virtual.c:73: warning: long long unsigned int format, uint64_t arg (arg 4) [03:16] fs/proc/array.c:299: warning: long long unsigned int format, uint64_t arg (arg 3) [03:17] (vserver related) [03:17] Talon, the 3b2's must be collectors pieces nowadays...you should definitely keep hold of those! [03:17] all im really missing is an Hp300 an alpha nd a PA-RISC machine and i should be able to run most every commercial unix excepting unicos. [03:17] micah: no, the iunlink flag on directories is required for the barrier [03:17] Bertl: you had me do the chattr +t /vservers for the /proc security and the barrier, so I assume I only need to do hard links of the files that should be unified, and then chattr +i them? [03:17] jes_: yes thats why they are still ina garrage. [03:17] micah: but yes, it's the same flag ... [03:18] i hope ot haev enough money to ship them to where i currently live. 
[03:18] talon, congrats....thats a LOVELY collection you have there....of course my wife wouldn't agree....but I do ;) [03:18] Bertl: hmm, so I *should* do chattr +t +i on each unified file? [03:18] the ncr tower is interesting too. [03:18] i also have compilers and sysv sources for the 3b2s. [03:18] last tiem i used them they ran just fine. [03:18] i have two copys of the install media as well. [03:18] micah: yes, unless you do not fear/care that one vserver might modify the contents of another [03:19] talon you should make them available on the internet ;) [03:19] they came out of the kansas city USDA finance office. [03:20] Bertl: well, this is where I am looking for advice... is it better to make a reference vserver that you hardlink from, or can you just do it from the "root" server? [03:20] lol I hope they trashed the disks before you got them then [03:20] jes_: thats hard to do without a terminal server since its hard to find the ethernet drivers and the 3rd party tcp stack is very buggy. [03:20] also power is an issue since its not free... [03:20] jes_: no they didnt. [03:20] lmao [03:20] jes_: they never figured anyoen would know what they were or woudl be able to find media for them when they donated them to teh school i was working for. [03:20] it ahs oracle 2.x on one of them. [03:21] none of the stuff they donated had anythign wiped in fact... [03:21] vgdata segfaults :) [03:22] the last couple of IPX's I got from Ebay didn't have their disks trashed, and it was like looking back in history, most of the files were from around 1993 ish, /var/spool/mail was VERY interesting! [03:22] i have photos of the 3b2s somehwere around here. [03:23] give me a link sometime talon, I'd love to see them [03:24] looking for it now. [03:24] http://www.amoebasoft.com/~talon/3b2/ [03:25] there you go. [03:25] oops, looks like lost bert [03:25] jes_: ahaha [03:26] wow...that looks in VERY good condition [03:26] what bet micah? 
[03:26] that was form back when it was at my previous workplace. [03:26] its in my aunts garrage now. been there for a couple of years. [03:27] hope you have some plastic over it ;) [03:27] hopefully it will still work by the time i can get to them again (moved ot new york) [03:27] jes_: I mean bertl [03:27] seriously, I think that'll be worth something in the future talon [03:28] jes_: unfortunately not.. i was moving in a hurry. but they are pretty robust machines. it was a battle just keepingthem from being trhown out. [03:28] *nods* [03:28] i tried ot get a collector intrested in takign them when i was in st. louis but he was onyl interested in DEC hardware. [03:28] which there is plenty of IMHO. [03:28] well DEC and hp 2000 hardware. [03:28] he runs the classiccomp mailing list. [03:29] hmm, seems I lost connection for a moment ... [03:29] wb Bertl [03:29] micah: a reference server is preferable [03:29] this way, you can propagate updates from one location ... [03:30] bertl: fyi instead of using /dev/md1, this one does the trick: "yellow:~# vgcreate vg0 /dev/md/1 [03:31] Bertl: I noticed that I cannot hard link files because the attr -t is set due to us setting chattr -t /vservers, so in order to do the unification I need to chattr -t libc.so.6 then ln, then chattr +t libc.so.6? [03:31] hmm, maharaja you are using devfs? [03:31] right now, i don't know [03:31] aktually [03:31] mhm [03:31] on this install yes [03:31] okay check for .devfsd entry in /dev [03:32] but i tried to do the lvm trick on a non devfs system, and it neither worked [03:32] it's there [03:32] well, I personally prefer devfs ... so no problem with that [03:32] anyways, glad that it works now .) [03:32] me too ;) [03:32] so i wont be getting on your nerves anymore? *g* [03:33] no, I'm happy for you! [03:33] if you would get on my nerves, I'd just /ignore you 8-) [03:33] hehe [03:34] hmm, does anybody know how long 'long long unsigned int' is on sparc 64? 
[03:37] mhm, no sparc over here to test [03:37] how'd you test? [03:37] sizeof (long long unsigned int)) ? [03:37] remove one ) [03:37] good pint, didn't think of it .. doing it now [03:38] +p [03:38] argh! [03:38] point! [03:38] :) [03:39] so whats the size? [03:39] # ./a.out [03:39] size = 8 [03:40] so this message is actually crap: [03:40] fs/proc/virtual.c:73: warning: long long unsigned int format, uint64_t arg (arg 4) [03:41] Bertl: how do I remove something that I hardlinked? I did chattr -ti on it [03:41] lsattr bash [03:41] ----------------- bash [03:43] micah: just rm [03:43] it wont let me [03:43] rm bash [03:43] rm: cannot remove `bash': Permission denied [03:43] but make sure that the directory is not +i/+t [03:43] ahh [03:43] because the 'unlink' is actually a directory operation ;) [03:44] thats it [03:44] I did a chattr -R +i +t [03:45] well, the tools are supposed to take care of the unification details ;) [03:45] right :) [03:45] right bedtime for me, early start tomorrow [03:46] night all [03:46] night! [03:46] night Bertl [03:46] jes_ (~jes@cpc1-leed5-3-0-cust196.ldst.cable.ntl.com) left irc: Quit: Leaving [03:47] talon: still around? [04:01] yeah im still her. [04:02] I'd like to try the 2.6.3 kernel on the sparc [04:02] ok [04:02] and I'm sure something very bad will happen ... [04:03] where do I have to put the kernel? [04:03] ok, well if it does i can just restart it form teh console. [04:03] it can be anywhere onthe root fs. [04:03] either in /boot or / [04:03] okay [04:04] just create an image entry in /etc/silo.conf and set default= to its label. [04:04] did that ... [04:05] really? [04:05] i dotn see it. [04:05] image = /boot/linux-2.6.3-vs0.09.8 [04:05] oh now i do. [04:05] ok so just default needs ot be changed. [04:05] you said I need devfs, right? [04:05] default = vserver-2.6 [04:05] yeah. [04:06] okay, have to add this, isn't in the default config ... [04:06] it needs to be set to mount at boot too in the kernel conf. 
[04:06] i will try to get you access to the serial console directly in the future. [04:07] right now its just wired directly to an old GRiD laptop sitting on a shelf in the rack running a dos terminal program. [04:10] any other drivers I need compiled in? [04:10] should be it, you didnt remove any sparc devices that are in by default did you? [04:10] no, I did a complete defconfig on 2.6.3 [04:11] that is, why it took ages to compile ;) [04:11] oh, heh. [04:11] thats why i pointed you to the kernels in /usr/src/vserver. [04:11] no 2.6.x kernel config there ... [04:12] that was a cut down config for 2.4.25 probably could have used it as a reference for configuring 2.6 [04:12] as far as needed drivers/options. [04:12] well I'll cut that down next time, but I didn't want to use a 2.4 config for the first build ... [04:12] anyway im ready whenevr you are to try the kernel. [04:13] okay, it's currently recompiling some stuff for devfs [04:13] i set the default = line for you in silo.conf [04:13] ,okay [04:13] so you should be able to just reboot onc eyouve installed the new kernel/modules [04:23] hmm, just realized that the boot is ext3, so I added this too ... [04:25] yeah. [04:26] i figured id better make the root fs ext3 since its likely to crash for various reasons. [04:26] okay, I'm ready for a reboot ... [04:27] ok, lets see if it comes up. [04:27] any last words? [04:29] hmm guess you were right. [04:30] Action: talon goes to check the console. [04:43] ok [04:43] silo didn tlike the size of the kernel. [04:43] Action: talon will try to upgrade ot the latesit silo. [04:43] i think they fixed soem of hte max size issues with that. [04:44] hmm, maybe the debug info .. but sparc doesn't know a bz image, right? [04:44] no and it doesnt matter. [04:44] it can do gziped images but eh uncompressed size matters. [04:45] where is my /usr/src/vserver dir go? i think i had a copy of silo in there. [04:45] for the lateist version. 
[04:46] it's in /usr/src/vs/ [04:46] oh you have it on one of those lvm partiions. [04:46] yep [04:46] it also didnt want to mount those form the fstab for some reason. [04:46] had to comment them out to boot with the old kernel. [04:47] said it coulndt find fsck.ext3 [04:47] interesting ... [04:47] but looks like a gentoo issue ... [04:47] either that or it didnt find the device. [04:47] probably the latter. [04:48] latter [04:48] but this is a gentoo issue too ;) [04:48] as I 'just' brought it up by hand ... [04:49] yeah. im guessing its not modprobing the lvm module. [04:49] in that stage of the boot process. [04:49] or not activating the lvm volumes ... [04:49] is there a way to use an initrd? [04:49] with silo? [04:49] yeah, should work like lilo. [04:50] lvmcreate_initrd will take care of that then ... [04:50] Action: talon grabs the lateist silo. [04:54] ok going ot try booting again with the newer silo. [04:54] okay, maybe stripping the kernel would help too? [04:54] oh certanly. [04:54] but i figure if a new silo will help load larger kernels it would save some pain. [04:55] -rwxr-xr-x 1 root root 4723516 Feb 29 20:17 /usr/src/vs/linux-2.6.3-vs0.09.8-P1/vmlinux [04:55] -rwxr-xr-x 1 root root 3707800 Feb 29 20:46 /boot/linux-2.6.3-vs0.09.8 [04:55] doesn't make that much difference ... [04:59] hmm ok the new silo still isnt happy. [04:59] i guess i could try and make a choped down kernel. [05:00] interesting ... [05:00] never tried bootign a 2.6 kernel under sparc. [05:00] maybe it would be a good idea to readup on the maximum first? [05:00] and are you sure that it doesn't matter if you gzip it or not? [05:01] yeah look at http://www.sparc-boot.org/ also it was mentiioned in the gentoo documentation. [05:03] http://www.ultralinux.org/faq.html#q_4_8 [05:04] question 10. [05:05] okay, so 2.6MB is the target, we are at 3.7 stripped [05:05] :( [05:05] okay, throwing out anything unwanted [05:05] how do i trun on the voulume groups ? 
[05:06] pvscan [05:06] vgscan [05:06] vgchange -a y vg [05:07] hum? [05:07] you are unmounting it? [05:07] ahh didnt see you in there [05:07] i unmounted it because i mounted it before you pasted the vgchange -a y vg [05:07] command [05:07] its mounted again. [05:08] I see, configuring kernel now [05:09] you can get rid of pretty much everything except the ide drivers and the happy meal NIC. [05:09] no audio etc. [05:09] i even took out the fbconsole stuff since i only use serial anyway. [05:09] on the kernels i built. [05:09] okay, so graphics can be empty [05:10] yeah. [05:10] what is the ide? [05:10] unless it doesnt compiler then you can put in just the base framebuffers. [05:11] scsi isn't there, right? [05:11] soor_ (~as@p5080BA62.dip.t-dialin.net) joined #vserver. [05:11] no not on this particular machine. [05:11] well, there might be a controller but its not used. [05:12] hmm, I know why the lvm fails on 2.6, it's not supported by the kernel ;) [05:13] well 2.6 never booted to fail. [05:13] soor (~as@pD958AAA2.dip.t-dialin.net) left irc: Ping timeout: 480 seconds [05:14] do we need usb? [05:15] no [05:15] and, hang on before booting again im going to install the old silo. [05:15] the new silo locks the machien solid on a kernel thats too big. [05:16] okay, guess you ahve some time now, it's recompiling ;) [05:20] ok, got the old silo installed again. [05:21] hopefully they will get the bugs worked out of the newer one soon. [05:21] Action: talon looks for info on bootign 2.6 kernels on sparc. [05:27] found a posting of a config that claims it works on sparc for 2.6.1 [05:27] http://www.iei.tu-clausthal.de/misc-stuff/sparclinux/config-2.6.1 [05:27] incase your config doesnt work. [05:45] ahh, Annie Lennox ... [05:48] http://dev.gentoo.org/~ciaranm/docs/sparc-2.6.x/ [05:49] sounds good: 2.6.x + SMP on sparc32 is currently broken [05:51] was a good decision: Do not try to use a 2.4.x .config + oldconfig. It won't work properly. 
[05:52] i never meant using it with oldconfig just looking at its contents ina window to see what devices i had used. [05:52] hmm, is this now sparc32 or sparc64? [05:53] sparc32 is sun4m this is sparc64. [05:53] sun4u. [05:53] well theres more sparc 32 than just sun4m thats just the most common. [05:53] anything that doesnt say UltraSPARC is 32 bit. [05:53] 3.5MBytes (sparc64). The limit is raised to 8MBytes on sparc64 [05:53] for kernels with big_kernel support (requires silo 1.4.4 or later). [05:58] 1.4.4 was the new silo i installed earlier. [05:58] so we should have a limit at 3.5MB [05:58] that locked so hard on the previous kernel i had ot power cycle. [05:59] so i reverted back to the 1.3.1 silo [06:08] expiryjames (~james@cindi.ca) joined #vserver. [06:09] hi james! [06:13] Bertl : sleep time, 2.6.3-vs0.09.8 compiled, will test-it tomorrow and tell you if it works [06:13] okay .. cu [06:13] I guess I'll call this a day too ... [06:14] Bertl : i'll upload new debian kernel-patch-vs i made (0.09.8 one) and debian 2.6.3 image too [06:14] talon: build is running in a screen ... if it finishes, you can try to boot it, if the size is correct ... [06:14] ok. [06:14] bye all :) [06:14] Val_: great make sure that some link/url is on the wiki [06:14] Bertl : not sure :) [06:15] Bertl : after 2.6.3 test ;-) [06:15] now bye [06:15] okay, good night everyone .. cu ... [06:15] Val_ (~val@valzone.zbla.net) left irc: Quit: paf [06:15] Nick change: Bertl -> Bertl_zZ [06:17] is the 26 kernel vserver patched? [06:18] erm nervemind. [06:18] ofcourse it is. [06:18] if the kernel doesnt boot as you configured it i will do some tweaking of my own. [06:18] and probably get it running. [06:20] lot of modules compiled in. [06:21] probably would be better ot just not have them at all. for most of these things esp the sound drivers. [06:36] monrad (~monrad@213083190238.sonofon.dk) left irc: Quit: Leaving [07:39] Action: talon goes through the kernel config with a chainsaw. 
[07:39] new kernel should be small enough to boot and should build in half the time.
[07:55] hmm
[07:55] Bertl_zZ: I think you must have been speaking about chattr +iI
[07:55] not +t?
[08:02] micah: hmm... how would +I make any sense, you can't even (un)set it...
[08:02] Doener: I was reading the information about the immutability: http://mirrors.paul.sladen.org/sam.vilain.net/immutable/index.html
[08:03] and comparing with my man pages
[08:03] A file with the 't' attribute will not have a partial block fragment at
[08:03] the end of the file merged with other files (for those filesystems
[08:03] which support tail-merging). This is necessary for applications such
[08:03] as LILO which read the filesystem directly, and which don't understand
[08:03] tail-merged files. Note: As of this writing, the ext2 or ext3 filesys-
[08:03] tems do not (yet, except in very experimental patches) support tail-
[08:03] merging.
[08:03] that makes no sense to me, why would I want that
[08:03] and +I is Immutable Linkage Invert
[08:03] the +t has a special purpose on recent vserver stable releases...
[08:04] oh... so maybe +t is immutable linkage invert
[08:04] it blocks any attempt to write to a directory that has it set, even if you're root, that's used to block the chmod exploit
[08:04] hmm
[08:05] i don't know if it's actually given a name by bertl, but i refer to it as the 'barrier' flag, as the devel versions use a specialized barrier flag for this purpose...
[08:05] I have been building a setup where I have one master reference server and then different vservers which are "unified" parts of the master reference server
[08:06] ok, I think that must be the barrier
[08:06] so the problem I am running into is that I cannot install new unified vservers because of the +t
[08:06] iirc it is a not so good idea to set +t for anything but the /vservers (or whatever yours is) directory
[08:07] so I have to do a chattr -R -t newvserver/ and then do the install (or package upgrade, or reunification), and then chattr -R +t newvserver/
[08:07] Doener: it seems to be setting it for everything that is created underneath the /vservers directory though
[08:07] don't recurse ;) so no -R
[08:08] chattr -R -t /vservers ; chattr +t /vservers
[08:09] yeah, I just did that
[08:09] but now if I do: mkdir /vservers/blah
[08:09] blah has +t
[08:09] ah yeah... forgot about that... the flag is inherited
[08:09] so after a mkdir just unset the flag...
[08:10] yeah, the problem is everything that I place in there gets that flag
[08:10] util-vserver 0.29 has the install scripts adjusted to respect that and remove the +t flag...
[08:10] ie. I don't just do a mkdir /vservers/blah
[08:10] I put a vserver in blah/ and then later need to update some of the files in there
[08:11] Doener: ah, still waiting for .29 :P
[08:11] I can't quite compile the alpha version
[08:11] it seems .29 has a lot of good things
[08:11] well, just locate the mkdir call in your install script and add a chattr -t xxx
[08:12] yeah, I'll do that
[08:12] although... I am still wondering about the immutable linkage invert
[08:12] i guess my questions are:
[08:13] 1. what stuff *should* have +t
[08:13] 1. only /vservers
[08:13] and only on stable 1.25/1.26
[08:13] 2. in order to protect shared libraries/binaries in a "unified" way I hard link them across vservers, and then set +iI on them?
[08:14] Doener: ah, ok, that's good to know
[08:14] on devel/exper. you'll want a setattr --barrier /vservers instead...
[08:15] the reason why I want +iI is so if there is an update that needs to be made, I make it on my reference server, which might remove a shared library that is being "unified" and replace it with a new version... I want those changes to carry to the vservers
[08:15] never did any unification :/
[08:15] durn
[08:15] well, I'll look into it more, thanks for the info about +t/-t and .29
[08:16] i sent something to the list/enrico about .29 not compiling, but haven't heard back yet
[08:16] hm... seems i've missed that mail...
[08:16] ah, there it is...
[08:17] hmm... i'll check my logs, guess that was discussed here...
[08:18] Nick change: talon -> talon_zz
[08:19] speaking of logs
[08:19] quite a few of the irclogs are useless
[08:19] do you know who I tell about them?
[08:23] no, didn't know there's a log archive... i stick to my own logs :)
[08:23] http://213.159.117.8/logs/vserver-logs/
[08:24] oh I should sleep
[08:26] hmm... what arch are you on?
[08:40] i'll get some sleep... good night everybody...
[10:19] there, finally got the 2.6 kernel to work on sparc64.
[10:24] now i can really go to bed.
[11:18] vserver-dev util-vserver-0.28.1 # ./testme.sh
[11:18] Linux-VServer Test [V0.06] (C) 2003-2004 H.Poetzl
[11:18] chcontext is working.
[11:18] chbind is working.
[11:18] Linux 2.6.3 sparc64/chcontext 0.28.1/chbind 0.28.1 [E]
[11:18] ---
[11:18] [001]# succeeded.
[11:18] [011]# succeeded.
[11:18] [031]# succeeded.
[11:18] [101]# succeeded.
[11:18] [102]# succeeded.
[11:18] [201]# succeeded.
[11:18] [202]# succeeded.
[11:31] dilox (~dilox@host26-7.pool8289.interbusiness.it) joined #vserver.
[11:31] dilox (~dilox@host26-7.pool8289.interbusiness.it) left irc: Quit:
[12:29] Filther (Filther@213-163-18-226.vnet.hu) joined #vserver.
[12:29] hi
[12:29] hi Filther
[12:30] how can I change my email address for the mailing list?
[12:30] :)
[12:32] unsubscribe from the list and then resubscribe using your new email address
[12:32] ok...
[12:33] http://list.linux-vserver.org/mailman/listinfo/vserver
[12:51] thanks, bye
[12:51] Filther (Filther@213-163-18-226.vnet.hu) left irc: Quit: Leaving
[14:12] stubbsd (~stubbsd@217.206.216.194) joined #vserver.
[14:52] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) joined #vserver.
[14:52] 'lo.
[14:57] monrad (~monrad@213083190235.sonofon.dk) joined #vserver.
[15:23] serving (~serving@213.186.190.121) left irc: Ping timeout: 480 seconds
[15:30] expiryjames (~james@cindi.ca) left irc: Ping timeout: 480 seconds
[15:31] expiryjames (~james@cindi.ca) joined #vserver.
[15:35] Zoiah (Zoiah@matryoshka.zoiah.net) left irc: Ping timeout: 480 seconds
[15:49] monrad (~monrad@213083190235.sonofon.dk) left irc: Ping timeout: 499 seconds
[15:49] monrad (~monrad@213083190235.sonofon.dk) joined #vserver.
[16:25] expiryjames (~james@cindi.ca) left irc: Ping timeout: 499 seconds
[16:25] expiryjames (~james@cindi.ca) joined #vserver.
[16:52] ptaff (~ptaff@HSE-Montreal-ppp339962.sympatico.ca) joined #vserver.
[16:54] Any experience on multiple FTP vservers behind a single IP address?
[16:55] ptaff (~ptaff@HSE-Montreal-ppp339962.sympatico.ca) left #vserver.
[16:56] ptaff (~ptaff@HSE-Montreal-ppp339962.sympatico.ca) joined #vserver.
[16:56] ptaff (~ptaff@HSE-Montreal-ppp339962.sympatico.ca) left #vserver.
[17:25] Nick change: Bertl_zZ -> Bertl
[17:30] hi everyone!
[17:31] hey Bertl
[17:49] expiryjames (~james@cindi.ca) left irc: Quit: Leaving
[17:51] stubbsd (~stubbsd@217.206.216.194) left irc: Quit: Leaving
[18:15] okay, have to leave now ...
[18:15] Nick change: Bertl -> Bertl_oO
[18:34] micah_ (~micah@adsl-68-73-124-153.dsl.emhril.ameritech.net) joined #vserver.
[18:39] micah (micah@adsl-68-78-111-196.dsl.emhril.ameritech.net) left irc: Ping timeout: 480 seconds
[18:51] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[19:00] paul (~irssi@195.202.59.90) joined #vserver.
[19:01] hi
[19:03] netrose (john877@SP2-24.207.231.2.charter-stl.com) joined #vserver.
[19:32] youam (~youam@ciara.youam.de) got netsplit.
[19:43] youam (~youam@ciara.youam.de) got lost in the net-split.
[19:45] youam (~youam@ciara.youam.de) joined #vserver.
[20:18] Nick change: cgone -> cdub
[20:42] Doener_zZz (~doener@pD9588E0E.dip.t-dialin.net) joined #vserver.
[20:49] Doener (~doener@pD9E1286A.dip.t-dialin.net) left irc: Ping timeout: 480 seconds
[20:55] Nick change: Bertl_oO -> Bertl
[20:56] hi everyone!
[20:56] Hi bertl!
[20:56] hi micah_!
[20:56] Nick change: micah_ -> micah
[20:57] Bertl: things going well?
[20:58] yeah, everything's okay, a little groggy today ...
[20:58] same here :P
[20:59] I sure am getting a lot of spam/virus lately
[20:59] .pif files
[21:00] those are filtered out by my postfix config ...
[21:00] yeah, I was just going to go see if I could add that to my postfix config :)
[21:01] Bertl: do you do header_checks.regexp to block them?
[21:02] I have two different ones, I am not sure which regexp is more proper
[21:02] I have checks for both header/body ...
[21:03] afw, brb
[21:03] afk, brb
[21:03] yeah, I've got body_checks for rejecting executables, sobig, w32swen, w32bagle and w32mydoom
[21:03] :)
[21:03] seeya
[21:09] okay back
[21:12] Method (Method@ip68-12-167-163.ok.ok.cox.net) joined #vserver.
[21:12] your step by step guide isn't very helpful
[21:12] hi Method! thanks!
[21:12] for example "Create a new vserver."
[21:12] not helpful at all :\
[21:13] please update it accordingly ;)
[21:13] well if i knew how to do the stuff i wouldn't actually need the step by step guide :)
[21:13] but I guess you will find out how to do it now and here ...
[21:13] i reckon so
[21:14] there are a million methods to get a new vserver
[21:14] infoworlde or something like that told me to come here
[21:14] my preferred method is copying an existing one ...
[21:14] but that is probably not an option ;)
[21:14] so basically installing in a chroot or copying an install?
[21:15] depending on the tools you use you have several automated options
[21:15] which patches/tool versions do you use atm?
[21:15] ah, what are they?
[21:15] latest 2.4 versions
[21:15] i wanted to use 2.6 but was told they lack features
[21:15] so vs1.3.8rc3 and util-vserver 0.29.197 ?
[21:16] sys-apps/util-vserver-0.28.195 merged.
[21:16] doh!
[21:16] http://www.linux-vserver.org/index.php?page=Release+FAQ
[21:16] (read this, there is a feature comparison)
[21:17] if you use the alpha tools (0.28.195 is alpha) you have some options to create servers ...
[21:18] they are described here: http://www.linux-vserver.org/index.php?page=alpha+util-vserver
[21:18] that page makes almost no sense (the version one)
[21:19] hmm, why?
[21:19] it just doesn't
[21:19] heh
[21:19] ok, i'm running gentoo, so i don't have as many options :\
[21:20] hmm, why not?
[21:20] can't use the redhat or debian way
[21:20] you want to create a gentoo vserver, method?
[21:20] yea
[21:21] just grab a vserver tarball and unpack it some place.
[21:21] Method: what is the gentoo way to create a chrooted server environment?
[21:21] then chroot /my/gentoo /bin/bash
[21:21] vserver tarball?
[21:21] ugh, gentoo tarball.
[21:21] maharaja: P
[21:21] sorry, i'm doing too many things at once.
[21:21] Bertl: gentoo actually installs in a chroot
[21:21] Nick change: Doener_zZz -> Doener
[21:21] hi
[21:22] then install gentoo further, following gentoo instructions.
[21:22] Method: okay so why not 'just' install a server in a chroot then?
[21:22] when done you can create a vserver config, and enter the vserver.
[21:22] Bertl: that's what i was asking, if that is what needs to be done
[21:22] like
[21:23] since it isn't booting up the same way another machine is, do i need special init scripts and such
[21:23] yeah, you need to add the config for that vserver, which can be done in advance ...
[21:23] you just have to take out all of the 'boot' rc.
[21:23] how does the network get configured since it doesn't go through init's
[21:23] method, vserver configures the network, so you take out the relevant piece of the gentoo rc.
[21:23] Method: all hardware related stuff, including mounts/network/etc is done from the host ... the vserver should only execute the program runlevels ...
[21:23] just disable it using rc-update.
[21:24] kloo: it isn't enabled to begin with
[21:24] you can get a sane config for the alpha tools with:
[21:25] vserver TEST build -m skeleton --hostname TEST --netdev eth0 --interface 192.168.0.1/24 --context 1001 --force -- -d gentoo
[21:26] wow, US kidnapped Aristide in a coup attempt?
[21:37] yeah, read that too
[21:40] bengrimm_ (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[21:40] bengrimm (~ben@bengrimm-host225.dsl.visi.com) left irc: Read error: Connection reset by peer
[21:41] hi ben?
[21:42] hi bert!
[21:42] Nick change: bengrimm_ -> bengrimm
[21:43] how are you?
[21:43] good, wish I had a better wireless network here
[21:43] (on the beach of florida ;)
[21:44] if only...
[21:46] so what is the issue with your wireless network?
[21:49] just disconnects a bit too frequently
[21:53] method?
[21:53] yar
[21:57] Bertl: I have a question about unification, it's the last piece of my puzzle
[21:58] Bertl: as you might not remember, I am setting up a reference vserver that will be a full server that can be entered and will have proper installations of things like apache and its necessary libraries
[21:58] okay ...
[21:58] Bertl: that is all taken care of. Now I am going to set up unified childred who reference certain things within the reference server
[21:59] children
[21:59] so "reference" is my master vserver
[21:59] yes
[21:59] and "unified1..unified2...unifiedn" would be the children who are using libraries and binaries from "reference"
[21:59] yep
[22:00] ok, good :) so, I am hoping with this setup, I can go to "reference" and update the binaries and libraries when new versions show up
[22:00] and the "unified" vservers will get the updates also
[22:00] hmm, well, yes, that would be possible, but not advisable
[22:00] no?
[22:01] thing is: you would have to remove the iunlink/immutable flags to update for example bash
[22:01] and this would allow somebody inside the vserver to manipulate this binary on all unified servers
[22:01] and then, if you add a new library for example, you have to 'distribute' it anyway
[22:02] so the best method actually is to identify what files would be changed in an update
[22:02] and remove the obsolete ones from all 'derived' servers and 'relink' the new ones from the updated template
[22:03] ok, yes, that was sort of my question
[22:03] this is best done in two steps .. first create an unused copy of the template
[22:03] Nick change: talon_zz -> talon
[22:03] "the template"?
[22:03] then update the copy, and use the difference between both to do it
[22:03] Bertl: you happy with the new kernel i installed?
[22:04] s/template/reference/
[22:04] talon: yes, I am ;)
[22:04] didn't know the make image stuff ...
[22:05] Bertl: ok, let me see if I have this straight
[22:05] neither did i until i did enough digging.
[22:05] didn't need to do that with the 2.4.x kernels.
[22:06] Bertl: I have a reference server, which is not used, I create my unified children. Everything is great. Now a new apache comes out, I update the reference server and then identify the differences between the reference and the unified children and then update the children accordingly
[22:06] also there was no documentation saying that LVM was built into the 2.6 kernel so i spent a long time just looking for the lvm option.
[22:07] micah: no, you make a new child (unused copy)
[22:07] then update this newly cloned server (or the original reference server)
[22:07] then you check for differences between both, and propagate them to all other children
[22:08] when you say "you make a new child" do you mean I make a new "unified" or an exact duplicate of the reference server?
[22:08] is there really any advantage to unification over just using a read only --bind mount?
[22:08] on package based systems (like rpm) this can be done by simply installing the package in _all_ cloned servers and then reunifying the 'new' files (contained in the package)
[22:09] Bertl: i will be using packages actually
[22:09] Bertl: although they will be debian .deb
[22:09] talon: yes, there is, if the 'owner' of server XYZ decides to update his apache, he can do that with unification but not with ro --bind
[22:10] he could also install his own apache in /opt
[22:10] well yes, sure, but what about his own glibc in /opt ?
[22:11] Bertl: ok, so let me make sure I have the unification procedure correct. Let's say I have installed the apache package into the reference server, and I want "unified1" to be an apache vserver. So I hardlink all the files in the apache package from the reference server to unified1. I then do a chattr +ti on all those files.
[22:11] well that's a bit more tricky. but you would hope the host system is more maintained than that. i guess it's more useful when you have more than one possible distro running in different vservers.
[22:12] Then, if I were to do an update, I would chattr -it the files in unified1, re-hardlink, and then chattr +it the files again.
[22:12] hmm, no
[22:12] oops, which part
[22:12] ?
[22:12] actually you do the +it once, when the files are installed the first time
[22:12] well s/host/template/
[22:13] Bertl: right, but there is no way to update the libraries and binaries if +it is set
[22:13] then you 'just' do the hardlink part, and make sure to remove old files first
[22:13] micah: sure +it allows 'removing'
[22:13] that is the whole idea behind it ...
[22:13] oh, wait I am confused, because I am using .28 the +t on /vservers is hereditary
[22:14] ok, so the process would be:
[22:14] 1. hardlink
[22:14] 2. chattr +it
[22:14] 3. hardlink again (update)
[22:14] actually it should be:
[22:14] a) figure out what files won't be needed after the update
[22:15] b) remove those files and the files to be installed from the unified children
[22:15] c) chattr +i +t the new files installed in the reference server
[22:15] d) hardlink the new files into the children
[22:16] ?
[22:16] yep
[22:16] ok, just one clarification
[22:16] no, I understand :)
[22:17] ok, great, I'm going to go work on an implementation of that
[22:18] have a look at the alpha tools, they already do this ...
[22:18] but just for redhat packages right?
[22:18] nope alpha util-vserver is mainly distro agnostic
[22:19] dang, I wish I could get it to compile :p
[22:19] please ask enrico (ensc) for details ...
[22:19] no response from enrico on that yet
[22:19] he'll be here this evening I guess
[22:21] still hoping the LVM guy will answer my VGDA problem :( can't create LVMs until then
[22:21] Bertl: ahh i was thinking of a more managed environment. where one provides a fully maintained and updated template image to customers for several distros that's shared across all vserver customers that want that linux flavor. and then users have their own choice of optional software packages. in /opt/ and /usr/local rather than each vserver administrator installing his or her own patches or major updates like a new glibc.
[22:29] what i think would be cool though is a pseudo filesystem that does pretty much the same thing as vunify. where you basically have a filesystem shared readonly to a directory, but you can write to this mount point and it will replace the stuff shared with whatever you write to it and place it in the underlying mountpoint directory. sort of a copy on write filesystem.
[22:30] like that: http://vserver.13thfloor.at/TBVFS/
[22:31] ohhh. didn't know you were planning on working on that.
[22:32] i will have to fire up a BSD box and play with the stackable filesystem support. i think they have something similar.
[22:33] actually one of the issues stopping me from implementing something like this is the fact, that cow isn't that easy on a per file basis ...
[22:33] what do you do if a file is 1GB large and 500MB diskspace is left, and you start writing to that file (in a cow)
[22:34] i've used cow on uml but they do it at the block level and it's really easy to invalidate everything and lose it all.
[22:34] yeah, we have blocklevel cow, in several flavours, but that would eliminate any advantage the unification and similar brings ...
[22:35] lvm snapshots is basically a solution for that (or any other lv manager)
[22:35] Bertl: well i would expect the write to fail. i was thinking of having the whole file copied over when opened for writing before you receive a file descriptor.
[22:36] if there's not enough space it should throw an error and not allow the open for write.
[22:36] which would give strange results .. but that isn't the only issue
[22:36] how to handle the fact that inodes can/will change below a filehandle ...
[22:38] i will try and find previous examples of a similar filesystem. i'm not sure if there ever was/is anything in wide use that did anything like that.
[22:38] what issues would the inodes changing cause?
[22:39] process a opens the file for reading ...
[22:39] process b opens it for writing, and gets a copy ...
[22:39] the process a reads from?
[22:39] i see.
[22:39] pazzo (~pazzo@host130-250.pool8172.interbusiness.it) joined #vserver.
[22:39] but the rabbithole goes much deeper ...
[22:40] hi pazzo!
[22:40] Hi Bertl - Herbert, right? :o)
[22:40] Bertl: sounds like a problem that could use some funding and research.
[22:40] pazzo: right!
[22:41] I'm Thomas, nice to meet you...
[22:41] would certainly be fun to explore all the ways a system like that could confuse common applications and a few that aren't. and i'm sure the solutions would be even more interesting.
[22:41] pazzo: my pleasure ...
[22:43] kloo (~kloo@213-84-79-23.adsl.xs4all.nl) left irc: Quit: Client exiting
[22:43] Bertl: how hard is the vfs layer to understand well enough to write a pseudo filesystem?
[22:43] Bertl: me too (or something like that - I'm used to reading technical English but I'm not so familiar with everyday smalltalk :)
[22:44] pazzo: no problem, that's not what you are here for, right? 8-)
[22:44] so let's slowly get in medias res, and start the network talk ...
[22:44] right!
[22:44] damjan (~damjan@legolas.on.net.mk) joined #vserver.
[22:44] talon: there is a template filesystem somewhere, I can dig it out ...
[22:44] hi damjan!
[22:45] pazzo: okay, so maybe let's start with a short description of what you tried yet, and how you'd like to configure administer the 'ideal' network interface ...
[22:45] +/ between configure and administer
[22:46] ok bertl, if I would like to have something like uml I would use that...
[22:46] hi Bertl
[22:46] pazzo: good, let's start with the uml interface
[22:46] ...I like the vserver way of doing things - everything should work on a nearly default kernel with some small changes
[22:47] you configure the uml interface inside the uml kernel, and then packages traverse the uml program, and leave the tun device ...
[22:47] if I need a virtual server doing for example some firewalling, routing or whatever between different bridges on a single host - uml is the better way.
[22:48] let's stay there for a while ... obviously you have some uml experience ...
[22:48] eh - no - the interface is configured outside the uml!
[22:48] you enable the interface outside, but it's configured (ifconfig) from inside?
[22:49] or am I wron?
[22:49] +g
[22:49] that's right!
[22:49] okay, so you can change for example the mac inside the uml, right?
[22:49] you use something like "tunctl -u root -t tom0" outside
[22:50] and pass this interface to the uml kernel at its "boot time"
[22:50] ifconfig and everything else is done inside the uml
[22:50] yeah, okay, so what happens, if you change your mac inside the uml, and start sending fake arp replies ...
[22:51] i never tried changing the mac address - and I'm not sure if it works!
[22:51] I'm almost certain that it works, and I'm pretty sure that people will try all strange things on a vserver ...
[22:51] every real server can also send fake arp replies - you do not even need to change the mac address
[22:52] yes, that is correct, but, there is something protecting the outside from that, the switch infrastructure ...
[22:53] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) joined #vserver.
[22:53] hi Jon!
[22:53] the switch infrastructure protects you if you have your private vlan for you and your default gateway and nothing else - but nothing is easier than arp-poisoning a switch.
[22:53] hey Bertl
[22:53] pazzo: did you try recently?
[22:54] but if you really fear that problem - what about ebtables limiting the tun/tap interfaces to the right mac addresses?
[22:54] I'm just trying to see what we have to take care of to get a better solution, not just a different one ;)
[22:55] that's the right way :o)
[22:55] because as I'm pretty sure that many people would appreciate an uml style interface, I'm also certain that a similar number will prefer the alias approach ...
[22:56] if you wouldn't do that you could write a new vserver software every day!
[22:56] hmm, sometimes I am ;)
[22:56] ....and it should be no problem to implement both!
[22:56] people using vserver for an easy to realize backup solution,
[22:57] okay, ... so what is currently missing to satisfy your (or the uml) features
[22:57] for a second machine as a stand-by solution...
[22:57] ...they will always prefer aliases, as they are root inside and outside the vserver and they need nothing limiting them
[22:58] Bertl: thanks for the link to the template based vfs stuff, i'm very interested in such things. (i would give anything to be paid to work on things like that....)
[22:58] talon: your right arm?
[22:58] the only thing I'm missing is the possibility to give full (or nearly full) control of one of the host's (real) interfaces to a vserver,
[22:58] regardless if this is eth0, dummy0 or a tun/tap interface
[22:59] Bertl: that's pushing it a bit, i would need my right arm for all the typing i'd have to do.
[22:59] Bertl: yeah, he doesn't use that for anything but mouse clicking anyway, and who needs a mouse in a terminal
[22:59] JonB: ROFL
[22:59] pazzo: so for example allowing access to a specific host interface inside a vserver would be sufficient?
[22:59] YES!
[23:00] I don't think this would be impossible to realize...
[23:00] hmm, but that would mean, that you'd have to add a network card (or at least an interface) for each vserver ...
[23:00] i don't normally use the mouse for much more than changing focus to another terminal. or when i have mozilla open.
[23:00] which probably won't allow the typical 30-60 vservers on a host ;)
[23:01] Bertl: 2 days ago amazon brought my first book on kernel architecture - I'll learn that stuff too! (-:
[23:01] so you'll soon join the vserver development group?
[23:01] Bertl: I can add many many tun/tap devices, seen as real network devices from the host server...
[23:02] ah, okay, but now we have a different situation ...
[23:02] this uses the same tables (arp/routing) and the same ip stack ...
[23:03] so any bad configuration on one interface will render the whole server (host) useless ...
[23:03] ...and using a bridge inside the host server and making eth0 promiscuous - I have a "longer" lan - with all the tun/tap interfaces on it
[23:03] Bertl: if you give them the possibility to change the routing table!
[23:03] they wouldn't need that...
[23:04] not required, just configuring an ip/netmask will add a route, right?
[23:04] access to an interface doesn't mean access to the routing table...
[23:04] the interface won't work without an interface route ...
[23:05] ensc (~ircensc@ultra.csn.tu-chemnitz.de) joined #vserver.
[23:05] hi
[23:05] hi enrico!
[23:05] Linux-VServer Test [V0.07] (C) 2003-2004 H.Poetzl
[23:05] chcontext is working.
[23:05] chbind is working.
[23:05] Linux 2.6.3 sparc64/0.29.2/0.29.2 [E]
[23:05] right - but if you go to give your internal interface a netmask ... 255.255.255.248 for example - your other vservers remain configured right
[23:05] Filther (Filther@amazonas-293.adsl.datanet.hu) joined #vserver.
[23:05] Action: pazzo is away for 2 minutes
[23:05] hi
[23:06] hi Filther!
[23:06] can you help me with a non-vserver related, linux issue?
[23:06] :)
[23:06] maybe ...
[23:07] we're running mydns on our server
[23:07] and need to validate it using an online tool, to be able to do our own name servicing
[23:07] our hostname is aquilanet.hu, and the current nameserver is integrity.hu
[23:08] hmm, okay, and?
[23:08] I'm using dig to verify that our dns is the same as the one at integrity
[23:08] and, it looks the same to me :)
[23:08] hmm, but?
[23:08] but, the validator says it's pretty much different
[23:08] and what validator?
[23:09] if you could have a look at it, and tell me anything different between the two dig queries, that would be great
[23:09] what do I get in turn?
[23:09] http://www.domain.hu/domain/regcheck/
[23:09] that's the validator
[23:10] in turn? hmm... big thanks?... really big thanks from our team
[23:10] :)
[23:10] Action: pazzo is back :o)
[23:10] Filther: hmm, that won't help the vserver project very much, right?
[23:11] right :/
[23:11] so you've to come up with something better ...
[23:11] Bertl: the reference server *and* the unified server should have all their files chattr +ti?
[23:12] micah: not all files, only the 'unified' ones ... (do not unify log or config files for example)
[23:12] right
[23:14] Bertl: what about virtualizing the routing table too?
[23:14] I'll keep trying then
[23:14] bye
[23:14] Filther (Filther@amazonas-293.adsl.datanet.hu) left #vserver.
[23:14] pazzo: yes, that is the approach which FreeVPS took ...
[23:15] and what do you think about it?
[23:15] very intrusive ... but it's an option ...
[23:15] bengrimm (~ben@bengrimm-host225.dsl.visi.com) left irc: Ping timeout: 480 seconds
[23:15] (to clarify, UML is also an option ;)
[23:16] yes, but uml has one big problem - you can give it a whole partition or a sparse file as its "disk"
[23:17] hmm, right, and?
[23:17] partitions are (even with lvm) not so funny to manage if you have many servers which may also have an upgrade one time
[23:18] and sparse files are (mounted via loopback) very, very slow
[23:18] so you prefer a 'shared' filesystem with 'low overhead' to the UML solution?
[23:18] (not at the beginning, but if they start to fill up)
[23:19] yes and no - combining it with tmpfs you can for example do funny things to share memory even with uml - but that's not as good as the vserver way if you want to have many servers running on one system
[23:20] okay, and that is the reason why I do not want an UML network solution for vserver ...
[23:20] ????
[23:20] again to clarify, we are not talking about features, but implementation ;)
[23:21] the uml network solution is equivalent to the disk solution
[23:21] it's straight forward, but not very fast, and not easy to ahdnle from outside
[23:22] s/ahdnle/handle/
[23:22] (this always happens when one of my fingers is faster than the other ;)
[23:23] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[23:23] and vserver is very fast, easy to handle from outside and freevps allows it also to have the networking stuff like uml
[23:23] nope
[23:23] ever tried to modify/configure a network interface on FreeVPS from the host?
[23:24] or taking it up/down?
[23:24] (I experienced this problem with the "uncoordinated fingertips" on saturday morning :o)
[23:24] Bertl: I've never used freeVPS - how does it work?
[23:25] well, never actually used it either, but I read the code (at least somewhat)
[23:26] maybe you should test the FreeVPS to see what the solution you are 'suggesting' does and what pros/cons there are ...
[23:26] hmmm... and what about loopback support in vserver?
[23:27] local lo devices should be pretty easy, and it's just not done, because Jacques said he'll do that ... some months ago ...
[23:27] aha
[23:28] but maybe we should concentrate on a better solution in general ...
[23:28] and think about the requirements ...
[23:28] (not looking at existing solutions)
[23:31] okay, so the requirements IMHO are:
[23:31] ok, if lo is easy to implement - and we can make a vserver believe that it also has an eth0 interface (or some other "real" interface, not just an alias) - would that be enough?
[23:32] a) the vserver can use ifconfig and iproute2 to some extent
[23:32] b) the interfaces do not interfere with the host interfaces
[23:32] c) the host admin can restrict the available ips for the vserver (same for mac/etc)
[23:32] d) the solution allows for more than one interface
[23:33] e) host admin can control the wire (packets from/to)
[23:33] any additions?
[23:34] we have to decide if
[23:34] - the interface is an alias or not - if not CAP_SYS_ADMIN should not be given to the vserver
[23:34] bengrimm (~ben@bengrimm-host225.dsl.visi.com) left irc: Ping timeout: 480 seconds
[23:35] - is CAP_SYS_ADMIN needed or is CAP_NET_RAW enough?
[23:35] forget about the CAP system, we basically have now per vserver caps, which allow finer grained capabilities ...
[23:35] WE HAVE PER VSERVER CAPS???
[23:35] so it will be possible to do a per interface config is allowed ...
[23:36] WHERE? HOW?
[23:36] yes ;) don't confuse this with disabling the linux caps this is additional ...
[23:36] bengrimm (~ben@bengrimm-host225.dsl.visi.com) joined #vserver.
[23:36] that's clear
[23:36] it's in 0.09.8 btw
[23:37] # cat /proc/virtual/100/status
[23:37] RefC:5
[23:37] Flags:00010000
[23:37] BCaps:fffffeff
[23:37] CCaps:00000000
[23:37] Ticks:0
[23:37] the CCaps is the vserver capability word ...
[23:37] ah, kernel 2.6 - is there already something like per context disk limit?
[23:37] not yet, but the first steps are completed ...
[23:38] but it will need a lot of testing ... until it is production quality ...
[23:39] so, let's assume there is a special vserver interface, like the dummy interface for example ...
[23:39] sorry, I'm not familiar with this BCaps/CCaps flags - it was something like 3 or 4 weeks ago I've seen vserver the first time...
[23:40] JonB (~NoSuchUse@129.142.112.33.ip.tele2adsl.dk) left irc: Quit: Leaving
[23:40] at the moment I'm using the dummy interface for my vservers - with 2.4.25-vs1.26
[23:40] and the host server can assign those virtX interfaces to the vservers
[23:40] ExpiryJames (~james@h24-71-63-164.ok.shawcable.net) joined #vserver.
[23:40] hi James!
[23:40] and each interface is configured on the host to be 'vserver' specific
[23:41] so it only shows up on the host and in that vserver
[23:41] I named the dummy0 e0, just so it doesn't look that stupid - vserver gives the e0:vs1 to the vservers.
[23:41] then the host can 'allow' some ip ranges to that interface (for example 192.168.0.0/24)
[23:42] (maybe one range is enough?)
[23:42] using vproc I was able to limit the view to the interfaces (there has to be a better way)
[23:42] 21:43 < Bertl> so it only shows up on the host and in that vserver
[23:43] and together with a bridge to eth0 I can give them CAP_NET_RAW without any security problems (sniffing,...) - I don't know why, but it works
[23:43] then the vserver can configure the interface and it will be automatically connected to the bridge when the ip range is valid ...
[23:43] Bertl: one range is not enough!
[23:44] if you ask your provider for an additional subnet for your servers, it will likely be on a totally different c- or b-class
[23:44] and automatically disconnected, when the vserver tries to configure something inappropriate ...
[23:44] (maybe we should not allow setting not allowed ranges at all?)
[23:45] hmm... do we have to allow changing the ip address?
[23:45] then the packets are bridged in from that interface
[23:46] pazzo: well, you wanted ifconfig to work, remember?
[23:47] that's a good question - did I?
[23:48] 21:00 < pazzo> the only thing I'm missing is the possibility to give full (or
[23:48] nearly full) control to one of the hosts (real) interfaces to a
[23:48] vserver,
[23:49] I assumed this included the basic setup ;)
[23:50] Bertl: is it possible to give CAP_NET_RAW to a (normal, stable) vserver without security problems? what are the issues there?
[23:50] I never tried it out, because I started immediately to look for a workaround, believing that it WOULD be a problem
[23:50] basically the promisc mode (tcpdump) is the issue
[23:51] (I'm often a little bit impatient :o)
[23:51] CAP_NET_RAW means that you can create raw sockets ...
[23:51] ok, that is what I was fearing
[23:51] using dummy0 and a bridge between dummy0 and eth0 - promisc is not a problem anymore
[23:51] but I'm very interested in what you found with the bridging tests ...
[23:52] tell me a little more about that ...
[23:52] (but what makes me angry - I don't know WHY)
[23:52] it's simple;
[23:52] :
[23:52] s/;/:/
[23:53] brctl addbr br0
[23:53] (creates a bridge, named br0)
[23:53] ifconfig eth0 0.0.0.0 promisc up
[23:53] ifconfig br0 192.168.124.100 netmask 255.255.255.0 up
[23:54] (I configure eth0 promiscuous and give its ip address to br0)
[23:54] brctl stp br0 off
[23:54] brctl setfd br0 1
[23:54] brctl sethello br0 1
[23:54] (bridge configuration, no spanning tree protocol,...)
[23:54] brctl addif br0 eth0
[23:55] (add interface eth0 to the bridge)
[23:56] ifconfig dummy0 hw ether 01:02:03:04:05:06
[23:56] (give dummy0 a mac address)
[23:56] nameif e0 01:02:03:04:05:06
[23:57] (and name this interface e0 - dummy looks so stupid)
[23:57] ifconfig e0 0.0.0.0 promisc up
[23:57] brctl addif br0 e0
[23:57] (promiscuous mode and adding to bridge)
[23:57] route add default gw 192.168.124.1
[23:58] (and don't forget to add the default route)
[23:58] hmm, okay, some questions:
[23:58] I have these lines in a small shell script, executed at start time
[23:58] a) why the promisc mode on every interface?
[23:59] b) why moving the ip to the bridge?
[23:59] matta (matta@tektonic.net) left irc: Ping timeout: 480 seconds
[23:59] c) is the e0 now configurable from inside the vserver?
[00:00] --- Tue Mar 2 2004