[Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1

2005-08-11 Thread Stephen Harris
The 2.4.30 patch applied cleanly to 2.4.31 (except the top Makefile, of
course) so I'm guessing it should work...

It all seems good, but sometimes I get errors when trying to mount stuff
into a vserver tree

This works:

  [root]/home/sweh
  backup.pts/2% vserver webssh status
  Server webssh is running
  13 processes running
  Vserver uptime: 13:01

  [root]/home/sweh
  backup.pts/2% mount -r backup:/RedHat/updates/core1 /vservers/webssh/RedHat

  [root]/home/sweh
  backup.pts/2% ls /vservers/webssh/RedHat
  MIRROR*  MIRROR.o*  f*  f.o*  updates/

  [root]/home/sweh
  backup.pts/2% vserver webssh enter
  SIOCSIFBRDADDR: Cannot assign requested address
  SIOCSIFFLAGS: Cannot assign requested address
  ipv4root is now 10.0.0.2
  New security context is 49173
  bash: ulimit: core file size: cannot modify limit: Invalid argument
  [EMAIL PROTECTED]:webssh /]ls /RedHat/
  MIRROR  MIRROR.o  f  f.o  updates

The /RedHat tree inside the vserver matches what is seen outside the
vserver.

However, this fails:

  [root]/home/sweh
  backup.pts/2% vserver mailgate status
  Server mailgate is running
  6 processes running
  Vserver uptime: 13:01

  [root]/home/sweh
  backup.pts/2% mount -r backup:/RedHat/updates/core1 /vservers/mailgate/RedHat

  [root]/home/sweh
  backup.pts/2% ls /vservers/mailgate/RedHat
  MIRROR*  MIRROR.o*  f*  f.o*  updates/

  [root]/home/sweh
  backup.pts/2% vserver mailgate enter
  SIOCSIFBRDADDR: Cannot assign requested address
  SIOCSIFFLAGS: Cannot assign requested address
  ipv4root is now 10.0.0.3
  New security context is 49172
  bash: ulimit: core file size: cannot modify limit: Invalid argument
  [EMAIL PROTECTED]:mailgate /]ls /RedHat
  ls: /RedHat: Permission denied

The XXX.sh files are the same and the XXX.conf files only differ in IPROOT
and S_HOSTNAME and are otherwise identical.  The underlying mount point
is OK:

  [root]/home/sweh
  backup.pts/2% ls -ld /vservers/*/RedHat
  drwxr-xr-x  2 root root 4096 Aug  9 10:22 /vservers/mailgate/RedHat/
  drwxr-xr-x  2 root root 4096 Aug  9 10:22 /vservers/webssh/RedHat/

The vservers are otherwise running happily and are running the daemons
they should be running.  I'm essentially using vservers as "bastion host"
gateways into my network from the outside world.

Any ideas?  I can't move to a 2.6 kernel since I need IDE hotswapping...

(BTW, excellent documentation: setting up the initial fc1 minimal vserver
was simplicity!)

-- 

rgds
Stephen
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1

2005-08-12 Thread Stephen Harris
On Fri, Aug 12, 2005 at 01:55:30AM +0200, Herbert Poetzl wrote:
> On Thu, Aug 11, 2005 at 09:56:20AM -0400, Stephen Harris wrote:
> > 
> >   [root]/home/sweh
> >   backup.pts/2% mount -r backup:/RedHat/updates/core1 /vservers/webssh/RedHat
> 
> no idea 'what' filesystem you did mount here, but to me
> it looks like a network filesystem (i.e. nfs)

Yes, it is.   In fact it's an NFS mount from myself to myself; I can't use
bind mounts because I want the vservers to only have read-only access to
the filesystem, and bind mounts don't (or didn't, last time I tried) allow
changes in permissions between the original location and the bound location.

> >   backup.pts/2% vserver webssh enter
> >   SIOCSIFBRDADDR: Cannot assign requested address
> >   SIOCSIFFLAGS: Cannot assign requested address
> 
> this is a good sign of a broken config (network wise)

Network wise, it actually works.  I had thought this had come from the guest
OS trying to do stuff, but I'm a vserver newbie.  Hmm.

Ah... maybe it's because I'm using a 10.* address but have a 255.255.255.0
netmask; I left IPROOTMASK and IPROOTBCAST unset, so _maybe_ it's attempting
to calculate based on a 255.0.0.0 mask, and failing to set them.  Hmm, no,
that's not it.  I just tried.

Could this be ipv6, perhaps?  I'm not using ipv6.

I had noticed that inside the vserver, an "ifconfig -a" shows _all_
the host's IP addresses, and not just the one in the vserver.

But otherwise it all works.

> >   ipv4root is now 10.0.0.2

This is the correct address.

> >   New security context is 49173
> 
> and just as sidenote, you should avoid dynamic context
> ids, unless you are looking for trouble :)

OK; I'm a vserver newbie and just took the defaults which said

  # Select an unused context (this is optional)
  # The default is to allocate a free context on the fly
  # In general you don't need to force a context

but I'll take your advice and have assigned fixed contexts now (10001
and 10002).

> >   bash: ulimit: core file size: cannot modify limit: Invalid argument
> 
> this looks even more like a debian^Wconfig issue, where
> you specified a limit (maybe -H or -S) without raising
> the proper other limit (specify -HS to solve that)

No, it appears to be from my .profile inside the guest.  For historical
reasons I had "ulimit -Sc unlimited" for my own account, and this seems
to be read when entering the guest.

> this is a different IP than the one before, NFS isn't
> handled that well on 2.4, but of course, the guest 
> will send requests with 10.0.0.3 now, which, in turn
> might lead to the Permission denied (if your server 
> does not allow 10.0.0.3 to access the share)

The server allows the whole 10.0.0.* network (my home network).

Will the guest make a request?  The guest hasn't actually made the mount;
the host has made the mount and has made it available to the guest.
So will the request come from the guest's IP address, or will it fall
through to the host, and the host make the request.

Ah, OK... some network snooping... the request comes from the guest
IP address.  That's... broken!  The mount came from the host IP address
but the nfs requests came from the guest IP address.  Hmm.. I'm surprised
it ever worked!

OK, what's the best way of providing a filesystem to the guest with
read-only privs?  Clearly NFS is a kludge.

Huh.. that's odd... I just shut down _all_ vservers and restarted them and now
the mount works in both vserver instances  that seems like something
confused, but I can probably live with it; my mounts have so far worked.

But it does look like I need a better solution; how to make a filesystem
available to a vserver with different permissions than the host has?

> hmm, and IDE hotswapping did work with 2.4 but does
> not with 2.6? interesting ...

Yeah, it's very annoying.  Alan Cox has a lot to say about it!

-- 

rgds
Stephen


Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1

2005-08-13 Thread Stephen Harris
[ Oops, sorry Herbert... my initial reply only went to you.. sorry! ]

On Sat, Aug 13, 2005 at 03:43:37AM +0200, Herbert Poetzl wrote:
> On Fri, Aug 12, 2005 at 09:03:39PM -0400, Stephen Harris wrote:
> > use bind mounts because I want the vservers to only have read-only
> > access to the filesystem, and bind mounts don't (or didn't, last time
> > I tried) allow changes in permissions between the original location
> > and the bound location.
> 
> yeah, right, that's where my BME (Bind Mount Extension)
> patches come into play (fixing this mainline 'bug/feature')

Does this patch work with the 1.2 series?  I can't use the 2.0 series
vserver because of my requirement for 2.4 kernels :-(

> >   # Select an unused context (this is optional)
> >   # The default is to allocate a free context on the fly
> >   # In general you don't need to force a context
> 
> what defaults are those? 

That's what was created by the install-fc1 script which came with
util-vserver-0.30-0.

> > guest. So will the request come from the guest's IP address, or will
> > it fall through to the host, and the host make the request.
> 
> the host will make the request, but with the guest's ip
> (NFS isn't really supported with 2.4/1.2.x)

Yeah, it seems to be a little messy :-)

> well, it is how networking works right now :)

I can understand _why_ things happen the way they happen, I'm just
surprised it worked at all.  I guess the Linux NFS server has a security
issue; as long as the filehandle information works it doesn't check that
the IP address matches the original mount IP address.  In this case,
luckily, good!

> > Yeah, it's very annoying.  Alan Cox has a lot to say about it!
> 
> he probably has ... fixing it would be better, though :)

The 2.6 maintainers don't agree with Alan, so there's an issue :-(

I haven't checked the latest 2.6 kernels, but last month the issue still
seemed to be unresolved.  I'd _love_ to move to 2.6 and replace my FC1
system, but it seems I can't (or else pay money for USB enclosures...).

-- 

rgds
Stephen


Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1

2005-08-13 Thread Stephen Harris
On Sat, Aug 13, 2005 at 12:56:13PM +0200, Herbert Poetzl wrote:
> On Fri, Aug 12, 2005 at 10:25:44PM -0400, Stephen Harris wrote:
> > On Sat, Aug 13, 2005 at 03:43:37AM +0200, Herbert Poetzl wrote:
> > 
> > Does this patch work with the 1.2 series?  I can't use the 2.0 series
> > vserver because of my requirement for 2.4 kernels :-(
> 
> there is a patch for 2.4 kernels, but it was not combined
> with linux-vserver (1.2.x) yet ... provided there is some
> interest and somebody (you?) is willing to test it, I see
> no problem to provide one ...

I'll happily test!  The host is an NFS server for my home network and doesn't
do much else, so I can reboot it as needed, when I'm at home :-)

> > That's what was created by the install-fc1 script which came with
> > util-vserver-0.30-0.
> 
> hmm, how old is that package?

It's the one downloaded from
  http://www.13thfloor.at/vserver/s_release/v1.2.10/util-vserver-0.30.tar.bz2

[ Re IDE hotswap ]

> well, I don't remember an IDE hotplug standard by default,
> I know that some SATA enclosures support it ... but hey

In the 2.4 series you could do

  % hdparm -b 0 /dev/hdg
  dev/hdg:
   setting bus state to 0 (off)
   busstate =  0 (off)

and that would turn off the IDE bus (from the kernel perspective)
allowing you to swap disks on that bus  (so something like a hotswap
enclosure is fine, ensuring you remove physical power from the device
before swapping it).  Then you can do another hdparm and the kernel
would redetect devices on that IDE bus:

  % hdparm -b 1 /dev/hdg
  /dev/hdg:
   setting bus state to 1 (on)
   busstate =  1 (on)

And the following shows in dmesg output:
  Probing IDE interface ide3...
  hdg: Maxtor 6Y120P0, ATA DISK drive
  ide: drives found on hot-added interface.
  blk: queue c03462fc, I/O limit 4095Mb (mask 0x)
  hdg: attached ide-disk driver.
  hdg: host protected area => 1
  hdg: 240121728 sectors (122942 MB) w/7936KiB Cache, CHS=238216/16/63, UDMA(133)

> there is the source, use it ...

Unfortunately the changes between 2.4 and 2.6 make this non-trivial :-(
My memory is saying that /dev/hdg (in my case) becomes unusable after
the bus state is turned off, so we can't add the device back again,
and this is quite low level in the device management handler.  (But I
could be wrong!)

-- 

rgds
Stephen


Re: [Vserver] Inconsistent handling of mounts with 2.4.31-vs1.2.10 on Fedora 1

2005-08-13 Thread Stephen Harris
On Sat, Aug 13, 2005 at 07:10:14AM -0400, Stephen Harris wrote:
> I'll happily test!  The host is an NFS server for my home network and doesn't
> do much else, so I can reboot it as needed, when I'm at home :-)

OK, so I've just built a new kernel:
  2.4.31-vs1.2.10-bme0.05

The bme0.05 patch installs almost cleanly on 2.4.31 (one rejection which is
easily fixed) and it compiled cleanly.

Nice extensions!  Having --bind -r (or "bind,ro" in fstab) is very very
useful!

It seems to work and is stable; only time will tell.

-- 

rgds
Stephen


Re: [Vserver] readonly bind mount

2005-09-04 Thread Stephen Harris
On Mon, Sep 05, 2005 at 07:17:54AM +0900, Jun OKAJIMA wrote:

> I mean, I can write -o ro mounted dirs!. Why?
> and any clue?

It means you didn't read the documentation relating to bind mounts; they
don't change the underlying permissions, so if the original mount is
writeable then so is the bind mount.

Fortunately Herbert has written some patches ("Bind Mount Extensions")
that allow you to do exactly what you want.  I use them to make file
systems available read-only in the vserver, and they seem to work
just great.

http://www.13thfloor.at/patches/


-- 

rgds
Stephen
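
A check for the situation discussed in the two posts above, added here as an example and not code from the thread or from util-vserver: it lists bind mounts into guest trees that lack the "ro" option in fstab. The fstab entries are constructed, and the /vservers/ prefix is taken from the paths shown earlier in the thread.

```shell
#!/bin/sh
# Constructed fstab sample: sources and guest names are illustrative only.
sample_fstab() {
    cat <<'EOF'
# <source>      <mountpoint>               <type> <options> <dump> <pass>
/export/RedHat  /vservers/webssh/RedHat    none   bind,ro   0 0
/export/RedHat  /vservers/mailgate/RedHat  none   bind      0 0
/export/home    /vservers/webssh/home      none   rw,bind   0 0
/export/scratch /mnt/scratch               none   bind      0 0
backup:/RedHat  /vservers/old/RedHat       nfs    ro        0 0
EOF
}

# Read fstab lines on stdin and print every mount point below the guest
# root ($1, default /vservers/) that is a bind mount without "ro".
writable_guest_binds() {
    awk -v root="${1:-/vservers/}" '
        /^[ \t]*(#|$)/       { next }   # skip comments and blank lines
        index($2, root) != 1 { next }   # not inside a guest tree
        {
            n = split($4, opt, ","); bind = 0; ro = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "bind" || opt[i] == "rbind") bind = 1
                if (opt[i] == "ro") ro = 1
            }
            if (bind && !ro) print $2
        }'
}

sample_fstab | writable_guest_binds
```

As the post says, on a kernel without the Bind Mount Extensions a bind mount stays as writable as the original mount, so a clean result from this check still needs a write test from inside the guest.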


Re: [Vserver] what am i doing wrong with vserver exec?

2005-10-04 Thread Stephen Harris
On Tue, Oct 04, 2005 at 08:20:46AM -0400, Chuck wrote:
> I am trying to execute this function from a cron off the host and it isn't working.
> 
> /usr/sbin/vserver prometheus exec /bin/rm -f /var/spool/qmailscan/quarantine/new/*

What error are you getting?  My guess would be that the wildcard is
being expanded by the host before passing it to the guest.  But that's
just a guess :-)

I would try

  /usr/sbin/vserver prometheus exec sh -c '/bin/rm -f /var/spool/qmailscan/quarantine/new/*'

to force the wildcard expansion to take place in the guest.


However, why not just use the host to remove the files?
  /bin/rm -f /vservers/prometheus/var/spool/qmailscan/quarantine/new/*

(or am I missing something basic to vservers that'll cause problems!!)

-- 

rgds
Stephen
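
The difference between the unquoted command and the `sh -c '...'` form in the reply above, as an added example that is not part of the original post. The directories are constructed, and `guest_exec` is a hypothetical stand-in for `vserver <name> exec` that only changes the working directory, so relative paths play the role of the guest's paths.

```shell
#!/bin/sh
# Constructed demo tree; no real vserver is involved.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT

setup() {
    rm -rf "$demo_root/host" "$demo_root/guest"
    mkdir -p "$demo_root/host/spool/new" "$demo_root/guest/spool/new"
    : > "$demo_root/host/spool/new/host-only.msg"
    : > "$demo_root/guest/spool/new/virus1.msg"
    : > "$demo_root/guest/spool/new/virus2.msg"
}

# Hypothetical stand-in for `vserver <name> exec`: run argv inside the guest tree.
guest_exec() (
    cd "$demo_root/guest" && "$@"
)

guest_file_count() {
    ls -A "$demo_root/guest/spool/new" | wc -l | tr -d ' '
}

# Unquoted glob: the calling (host) shell expands it against the host tree
# and passes names that do not exist in the guest, so nothing is removed.
expanded_by_host() {
    setup
    cd "$demo_root/host" || return 1
    guest_exec rm -f spool/new/*
    guest_file_count
}

# Quoted for sh -c: the pattern reaches the guest-side shell unexpanded
# and is matched against the guest's own files.
expanded_in_guest() {
    setup
    cd "$demo_root/host" || return 1
    guest_exec sh -c 'rm -f spool/new/*'
    guest_file_count
}

echo "host-side expansion leaves $(expanded_by_host) guest files"
echo "guest-side expansion leaves $(expanded_in_guest) guest files"
```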


Re: [Vserver] ./testme.sh: line 115: which: command not found

2005-10-07 Thread Stephen Harris
On Fri, Oct 07, 2005 at 08:14:49PM +0200, Herbert Poetzl wrote:
> hmm, always assumed that the 'which' command is
> part of every distro ... but hey, live and learn,
> maybe somebody has a workaround to avoid 'which'?

Since you're using bash, use the builtin command "type -p" maybe?

bash-2.05b$ type -p ls
/bin/ls
bash-2.05b$ type -p nosuchcmd 
bash-2.05b$ 

-- 

rgds
Stephen


Re: [Vserver] VServer forum

2005-10-20 Thread Stephen Harris
On Thu, Oct 20, 2005 at 08:30:11AM +0200, Herbert Poetzl wrote:
> the main question is, do we need 'another forum'?

Mailing lists are a lot better than web forums (IMHO).  I've dropped
out of more than one community when they transferred to web forums
from mailing lists (although some people might not think that's a bad
thing ;-))

I don't answer many questions here (2 or 3 in the past few months only)
so my opinion isn't too important!

-- 

rgds
Stephen


Re: [Vserver] VServer forum

2005-10-20 Thread Stephen Harris
On Thu, Oct 20, 2005 at 07:27:38AM -0400, Chuck wrote:

> I use the gentoo forum as an example. It is large, very active, and I have yet

*giggle* I offer tivocommunity and dealdatabase web forums as a counter
example; most questions are responded to with "do a search" and two
thirds of the search results are posts telling people to do a search!

> both have their strong and weak points... what would be nice instead of an 
> interactive forum, but a bit difficult to implement, would be to create some 
> kind of parsing program to parse the entire mailing list archives into a 
> database, then present the database data in 'forum' form for easy searching 

Most mailing list software has a web interface for the archives of the list,
and some provide a searchable interface.  Hmm, we have an archive at

  http://list.linux-vserver.org/archive/vserver/

and


  http://archives.linux-vserver.org/

I don't see a "search" option there, but I guess we could always make
google index the pages and then have a google search option :-)

-- 

rgds
Stephen


Re: [Vserver] ssh is slow

2005-11-06 Thread Stephen Harris
On Mon, Nov 07, 2005 at 12:31:05AM +0100, Gilles wrote:
> > > When I connect from the host to the guest through ssh,
> > > it takes 40 seconds before the password prompt appears.
> > Check that the DNS server mentioned in /etc/resolv.conf in the guest is responding
> > 
> 
> That shouldn't be the problem, as the guest's name is 
> written in "/etc/hosts".

The guest needs to be able to reverse lookup the connecting machine
(in this case, the host) details based on the originating IP address
of the connection.

Make sure your DNS is set up correctly and your guest configuration is
set up for DNS properly.

-- 

rgds
Stephen


Re: [Vserver] Re: ubuntu dapper vserver problem

2006-04-19 Thread Stephen Harris
On Thu, Apr 20, 2006 at 01:30:06AM +0200, Herbert Poetzl wrote:
> On Wed, Apr 19, 2006 at 03:21:48PM -0400, Philippe Cl?ri? wrote:
> > Got a reply from the ubuntu.server list: on dapper /var/run is created
> > on a tmpfs and does not survive a reboot.
> 
> interesting detail, so maybe we should create that on
> every startup then, or you might (as a temporary fix)

Conditionally.


if [ ! -d /var/run/vshelper ]
then
  mkdir /var/run/vshelper
fi

and similar for other /var/run directories needed.

-- 

rgds
Stephen


Re: [Vserver] Another conceptual newbie question

2006-05-10 Thread Stephen Harris
On Wed, May 10, 2006 at 08:38:57AM -0500, Corey Wright wrote:
> mv /bin/bash /bin/bash.new
> mv /bin/bash.new /bin/bash

Do you mean
  mv /bin/bash /bin/bash.old
  cp /bin/bash.old /bin/bash
ie a cp for the second command?

I'm not totally familiar with vhashify semantics, but the two commands
you wrote would leave the inode number unchanged, and so it would still
be a hard link to the unified file.

-- 

rgds
Stephen
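
The inode behaviour described in the reply above, as an added example that is not part of the original post. It uses a plain hard link between two constructed directories to stand in for a unified file; it does not run vhashify, and the file names are illustrative.

```shell
#!/bin/sh
# Constructed demo: store/bash plays the shared (unified) copy,
# guest/bin/bash the guest's hard link to it.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

setup() {
    rm -rf "$demo/store" "$demo/guest"
    mkdir -p "$demo/store" "$demo/guest/bin"
    echo "shared binary" > "$demo/store/bash"
    ln "$demo/store/bash" "$demo/guest/bin/bash"
}

inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# Report whether the guest's file is still the same inode as the store copy.
guest_state() {
    if [ "$(inode_of "$demo/guest/bin/bash")" = "$(inode_of "$demo/store/bash")" ]
    then echo shared
    else echo private
    fi
}

# mv followed by mv: a rename only changes the directory entry, so the
# guest's name still points at the shared inode.
rename_roundtrip() {
    setup
    mv "$demo/guest/bin/bash" "$demo/guest/bin/bash.new"
    mv "$demo/guest/bin/bash.new" "$demo/guest/bin/bash"
    guest_state
}

# mv followed by cp: cp writes the data into a newly allocated inode, so
# the guest gets a private copy (bash.old remains linked to the store).
move_then_copy() {
    setup
    mv "$demo/guest/bin/bash" "$demo/guest/bin/bash.old"
    cp "$demo/guest/bin/bash.old" "$demo/guest/bin/bash"
    guest_state
}

echo "mv + mv: guest file is $(rename_roundtrip)"
echo "mv + cp: guest file is $(move_then_copy)"
```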


Re: [Vserver] A possible new idea

2006-05-10 Thread Stephen Harris
On Thu, May 11, 2006 at 12:35:38AM +0200, Herbert Poetzl wrote:
> why would somebody want to _share_ the host files with
> the guest, instead of having a separate filesystem for
> them?

This is actually how Solaris 10 zones work.  In a Solaris 10
zone the filesystems /usr /bin /lib and so on are read-only loop-back
mounts to the host OS.  It makes the guest a lot smaller as a result.
Pretty much most of the overhead of a guest ("zone" in Solaris terms)
is the local files in writeable filesystems to ensure OS stability
(eg /var/sadm for package maintenance).

You don't have to worry about patching each guest because each guest
is using the host OS; patch the host, reboot the guest and it's
automatically patched.  Yes, this requires native OS support (eg the
patch utilities need to know that a guest exists and so update its
package state files; the patch _contents_ would appear automatically as
a result of the loopback mounts; it's merely the package state files that
need updating).

The vserver vhashify solution is an attempt in the same direction but
because it uses hard links it's not necessarily so space efficient
(you need at least one copy of the guest files in the /vserver tree,
whereas a read-only loopback mount doesn't need it).  The vserver solution
allows each guest to modify the files as needed (break the immutable hard
link, create a new file) whereas Solaris 10 zones are read-only; you can not
modify /bin/bash in a zone(guest).

-- 

rgds
Stephen