Re: [Vserver] [Release] Stable 2.2.0

2007-04-26 Thread Herbert Poetzl
On Wed, Apr 25, 2007 at 03:06:58PM +0200, ADNET Ghislain wrote:
 [EMAIL PROTECTED] wrote:
 Herbert Poetzl wrote:
 Greetings Community!
 
 after a longer rc stage, to get rid of all the
 minor issues, we proudly present the first release
 of the new stable 2.2 branch, which includes all
 the 'considered stable' features of the previous
 devel branch (2.1.x) which has been superseded by
 the 2.3.x devel branch ...
 
 http://www.13thfloor.at/vserver/s_rel26/v2.2.0/
 (tools supposed to work fine on Mandriva 2007.x)
 
 thanks to all who helped in development and did
 test the release candidates ...
 
 enjoy,
 Herbert
 
 
 should that be on the vserver website also ? :)

yep, it is, on the main page IIRC :)

http://linux-vserver.org/

 i am not too familiar with the wiki to add it myself
 as i tried and failed ;)

np ...
best,
Herbert

 -- 
 Regards,
 Ghislain
 



 ___
 Vserver mailing list
 Vserver@list.linux-vserver.org
 http://list.linux-vserver.org/mailman/listinfo/vserver



Re: [Vserver] [Release] Stable 2.2.0

2007-04-25 Thread ADNET Ghislain

[EMAIL PROTECTED] wrote:

Herbert Poetzl wrote:

Greetings Community!

after a longer rc stage, to get rid of all the
minor issues, we proudly present the first release
of the new stable 2.2 branch, which includes all
the 'considered stable' features of the previous
devel branch (2.1.x) which has been superseded by
the 2.3.x devel branch ...

http://www.13thfloor.at/vserver/s_rel26/v2.2.0/
(tools supposed to work fine on Mandriva 2007.x)

thanks to all who helped in development and did
test the release candidates ...

enjoy,
Herbert



should that be on the vserver website also ? :)
i am not too familiar with the wiki to add it myself as i tried and 
failed ;)



--
Regards,
Ghislain





Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-09 Thread Martin
On Wed, 2007-04-04 at 16:34 +0200, Daniel Hokka Zakrisson wrote:
  Something is soliciting my curiosity though:
  
   - privacy for guests, which will hide things from xid 1
  
  I am not sure I am fond of that privacy thing.
 
 That's why it's configurable ;-)
snip
  Isn't it supposed to be able to see everything in the system?
 
 Well, not if you want to protect the guests from the host.

At the risk of sounding ungrateful for all of the hard work done on
vserver - what is the 'use case' for this feature?  As I understand it
there is nothing to keep the host from playing with /dev/kmem or
otherwise tampering with the kernel, so I can't see how a feature like
this will provide any strong guarantees; unless hierarchies of contexts
(which would be extremely cool) are planned.  Or is it just intended as
a 'speed bump' / politeness feature?

Thanks for all of the hard work and the new stable version.

Cheers,
 - Martin




Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-09 Thread Rik Bobbaers
that's one of the reasons i patch the vserver kernel with grsec too. 
also you get PAX (aslr, mprotect stuff,...) features (www.grsecurity.net)


which makes it extremely hard to write to /dev/kmem, /dev/mem, it hides 
dangerous addresses to make exploitation harder, etc...


if you want enhanced security and you know something about grsecurity 
(which means, you know how to secure a box): 
http://people.linux-vserver.org/~harry


there you'll find the info you need. since this is ... well... personal 
choice in what to enable/disable, you're not gonna find this together 
with some distro. nevertheless, i include example configs (for dell and 
HP servers at work)


good luck with it :)

Martin wrote:

At the risk of sounding ungrateful for all of the hard work done on
vserver - what is the 'use case' for this feature?  As I understand it
there is nothing to keep the host from playing with /dev/kmem or
otherwise tampering with the kernel, so I can't see how a feature like
this will provide any strong guarantees; unless hierarchies of contexts
(which would be extremely cool) are planned.  Or is it just intended as
a 'speed bump' / politeness feature?

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://people.linux-vserver.org/~harry

Nobody notices when things go right.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-09 Thread Daniel Hokka Zakrisson

Martin wrote:

On Wed, 2007-04-04 at 16:34 +0200, Daniel Hokka Zakrisson wrote:

Something is soliciting my curiosity though:

 - privacy for guests, which will hide things from xid 1

I am not sure I am fond of that privacy thing.

That's why it's configurable ;-)

snip

Isn't it supposed to be able to see everything in the system?

Well, not if you want to protect the guests from the host.


At the risk of sounding ungrateful for all of the hard work done on
vserver - what is the 'use case' for this feature?  As I understand it
there is nothing to keep the host from playing with /dev/kmem or
otherwise tampering with the kernel, so I can't see how a feature like
this will provide any strong guarantees; unless hierarchies of contexts
(which would be extremely cool) are planned.  Or is it just intended as
a 'speed bump' / politeness feature?


Of course the host admin can still do whatever she wants, but if you're 
in the business of selling truly private guests, i.e. guests without 
VXF_STATE_ADMIN (meaning they cannot be administered from the host), a 
kernel with privacy enabled, each guest living on an encrypted device 
only the guest has access to etc., doing so would probably not be 
appreciated by the clientele.


--
Daniel Hokka Zakrisson


Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-09 Thread Martin
On Mon, 2007-04-09 at 16:05 +0200, Daniel Hokka Zakrisson wrote:
 Martin wrote:
  On Wed, 2007-04-04 at 16:34 +0200, Daniel Hokka Zakrisson wrote:
  Something is soliciting my curiosity though:
 
   - privacy for guests, which will hide things from xid 1
 
  I am not sure I am fond of that privacy thing.
  That's why it's configurable ;-)
  snip
  Isn't it supposed to be able to see everything in the system?
  Well, not if you want to protect the guests from the host.
  
  At the risk of sounding ungrateful for all of the hard work done on
  vserver - what is the 'use case' for this feature?  As I understand it
  there is nothing to keep the host from playing with /dev/kmem or
  otherwise tampering with the kernel, so I can't see how a feature like
  this will provide any strong guarantees; unless hierarchies of contexts
  (which would be extremely cool) are planned.  Or is it just intended as
  a 'speed bump' / politeness feature?
 
 Of course the host admin can still do whatever she wants, but if you're 
 in the business of selling truly private guests, i.e. guests without 
 VXF_STATE_ADMIN (meaning they cannot be administered from the host), a 
 kernel with privacy enabled, each guest living on an encrypted device 
 only the guest has access to etc., doing so would probably not be 
 appreciated by the clientele.

So it is a politeness feature; whose existence is aimed at reassuring
users of guests that the hosts admins are behaving themselves.  Thanks.

Cheers,
 - Martin




Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-04 Thread Guillaume Pratte

Thanks for the change log Daniel.

Something is soliciting my curiosity though:

 - privacy for guests, which will hide things from xid 1

I am not sure I am fond of that privacy thing. Isn't xid 1 the 
monitoring context? Isn't it supposed to be able to see everything in the 
system? For instance, if I remember correctly, vserver-stat uses xid 1 
to measure the memory usage of each vserver...


Maybe it's an irrational fear, but it seems to me like an invitation to 
root kits... With this privacy option, how will we be able to precisely 
account the memory usage of each vserver?


Guillaume Pratte

Daniel Hokka Zakrisson wrote:


The major changes are:
- COW link breaking
- 2.6.19+ support (i.e. using the mainline namespaces)
- capability masking, allowing things like bind9 to run unmodified in guests
- artificially advancing idle time, allowing fair sharing of CPU resources among guests
- accounting APIs, making it easier to write monitoring programs

And a few of the rather minor/less useful changes:
- allows raising the bcapabilities of a guest while it's running
- virtualized time
- the ability to create private guests, that cannot be easily administered from the host
- warnings without CONFIG_VSERVER_DEBUG (so Debian users will see them too...)
- legacy disabled by default (so util-vserver 0.30.213+ recommended)
- privacy for guests, which will hide things from xid 1
- a scheduling monitor




--
Guillaume Pratte
Research and Development
Révolution Linux

Any views and opinions expressed in this email are solely those of the author 
and do not necessarily represent those of Revolution Linux.






Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-04 Thread Daniel Hokka Zakrisson

Guillaume Pratte wrote:

Thanks for the change log Daniel.

Something is soliciting my curiosity though:

 - privacy for guests, which will hide things from xid 1

I am not sure I am fond of that privacy thing.


That's why it's configurable ;-)


Isn't xid 1 the monitoring context?


Yes.


Isn't it supposed to be able to see everything in the system?


Well, not if you want to protect the guests from the host.

For instance, if I remember correctly, vserver-stat uses xid 1 
to measure the memory usage of each vserver...


In older versions/kernels, yeah. But that's already rather broken by design.

Maybe it's an irrational fear, but it seems to me like an invitation to 
root kits... With this privacy option, how will we be able to precisely 
account the memory usage of each vserver?


vserver-stat in util-vserver 0.30.213 doesn't use xid 1 anymore (if you 
have a recent enough kernel that has the accounting APIs).


--
Daniel Hokka Zakrisson


Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-04 Thread Guillaume Pratte

Daniel Hokka Zakrisson wrote:

Guillaume Pratte wrote:
Maybe it's an irrational fear, but it seems to me like an invitation 
to root kits... With this privacy option, how will we be able to 
precisely account the memory usage of each vserver?
vserver-stat in util-vserver 0.30.213 doesn't use xid 1 anymore (if 
you have a recent enough kernel that has the accounting APIs).
Can you tell me in which version of the patch the accounting APIs were 
introduced? (Is it in the just-released 2.2.0?)


Can you point me toward the documentation of these APIs?

--
Guillaume Pratte
Research and Development
Révolution Linux



Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-04 Thread Daniel Hokka Zakrisson

Guillaume Pratte wrote:

Daniel Hokka Zakrisson wrote:

Guillaume Pratte wrote:
Maybe it's an irrational fear, but it seems to me like an invitation 
to root kits... With this privacy option, how will we be able to 
precisely account the memory usage of each vserver?
vserver-stat in util-vserver 0.30.213 doesn't use xid 1 anymore (if 
you have a recent enough kernel that has the accounting APIs).
Can you tell me in which version of the patch the accounting APIs were 
introduced? (Is it in the just-released 2.2.0?)


I wrote:

The major changes are:
...
- accounting APIs, making it easier to write monitoring programs



Can you point me toward the documentation of these APIs?


include/linux/vserver/{limit,sched}_cmd.h is probably the best.

--
Daniel Hokka Zakrisson


Re: [Vserver] [Release] Stable 2.2.0

2007-04-02 Thread [EMAIL PROTECTED]

Herbert Poetzl wrote:

Greetings Community!

after a longer rc stage, to get rid of all the
minor issues, we proudly present the first release
of the new stable 2.2 branch, which includes all
the 'considered stable' features of the previous
devel branch (2.1.x) which has been superseded by
the 2.3.x devel branch ...

http://www.13thfloor.at/vserver/s_rel26/v2.2.0/
(tools supposed to work fine on Mandriva 2007.x)

thanks to all who helped in development and did
test the release candidates ...

enjoy,
Herbert




Cool and thanks again for your job Bertl..

i have seen on kernel.org that 2.6.21 is nearly ready... I've tried a 
2.6.21-rc5, without patch of course, in a vmware and it works fine.


Ready to try new patches :-)

Pmenier




Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-02 Thread Guillaume Pratte

Hello,

Where can I find the change log from version 2.02? I don't see it linked 
from http://www.13thfloor.at/vserver/s_rel26/v2.2.0/


Thanks!

Guillaume

Herbert Poetzl wrote:

Greetings Community!

after a longer rc stage, to get rid of all the
minor issues, we proudly present the first release
of the new stable 2.2 branch, which includes all
the 'considered stable' features of the previous
devel branch (2.1.x) which has been superseded by
the 2.3.x devel branch ...

http://www.13thfloor.at/vserver/s_rel26/v2.2.0/
(tools supposed to work fine on Mandriva 2007.x)

thanks to all who helped in development and did
test the release candidates ...

enjoy,
Herbert

  

--
Guillaume Pratte
Research and Development
Révolution Linux



Re: [Vserver] [Release] Stable 2.2.0 : where is the changelog?

2007-04-02 Thread Daniel Hokka Zakrisson

Guillaume Pratte wrote:

Hello,

Where can I find the change log from version 2.02? I don't see it linked 
from http://www.13thfloor.at/vserver/s_rel26/v2.2.0/


Thanks!

Guillaume


AFAIK there is none. In theory, a combination of 
http://linux-vserver.org/ChangeLog-2.1 and 
http://linux-vserver.org/ChangeLog-2.2 should get you there, but the 
first is horribly out of date, so here's a little 
ChangeLog-according-to-Daniel.


The major changes are:
- COW link breaking
- 2.6.19+ support (i.e. using the mainline namespaces)
- capability masking, allowing things like bind9 to run unmodified in guests
- artificially advancing idle time, allowing fair sharing of CPU resources among guests
- accounting APIs, making it easier to write monitoring programs

And a few of the rather minor/less useful changes:
- allows raising the bcapabilities of a guest while it's running
- virtualized time
- the ability to create private guests, that cannot be easily administered from the host
- warnings without CONFIG_VSERVER_DEBUG (so Debian users will see them too...)
- legacy disabled by default (so util-vserver 0.30.213+ recommended)
- privacy for guests, which will hide things from xid 1
- a scheduling monitor

--
Daniel Hokka Zakrisson


[Vserver] [Release] Stable 2.2.0

2007-04-01 Thread Herbert Poetzl

Greetings Community!

after a longer rc stage, to get rid of all the
minor issues, we proudly present the first release
of the new stable 2.2 branch, which includes all
the 'considered stable' features of the previous
devel branch (2.1.x) which has been superseded by
the 2.3.x devel branch ...

http://www.13thfloor.at/vserver/s_rel26/v2.2.0/
(tools supposed to work fine on Mandriva 2007.x)

thanks to all who helped in development and did
test the release candidates ...

enjoy,
Herbert



Re: [Vserver] [Release] Stable 2.2.0

2007-04-01 Thread Adrien Laurent

First, thanks a lot Herbert for your hard work and support ! This new
stable version is great news !

Like Chuck, I've run into a lot of programs (especially in the VOIP
domain) that require hacks to work around with 127.0.0.1:
asterisk
freepbx
phpmyadmin (for some small features I don't recall)
flashoperator panel
bind (related to pam something)
sendmail (don't remember what options)

I don't remember anymore but I've had problems with another half dozen.

Imho, the 127.0.0.1 issue is by far the most painful for a newbie.


Sincerely,

Adrien

On 4/1/07, Herbert Poetzl [EMAIL PROTECTED] wrote:

On Sun, Apr 01, 2007 at 03:15:37PM -0400, Chuck wrote:
 On Sunday 01 April 2007 12:33, Herbert Poetzl wrote:


 dumb question. i didn't see it in the changelog but then
 again i may not know what i am looking at :)

 1. will production vserver code soon have real 127.0.0.1
unique to each guest?

probably, I guess 2.2.1 will have that ...

this is something that is sorely needed to prevent hours
of possibly insecure workarounds with some software.

I am not aware of many software packages which
would require any changes to work with the
current implementation (in this regard)

 2. this looks like the production version of what we are
currently running...

 util-vserver 0.30.212-r2
 kernel 2.6.19-vs2.2.0-rc2

 I suspect an upgrade to production would not hurt us considering our
 kernel version.. i guess my question is would it be a seamless upgrade
 for us to production?

I hope so ...

 i would probably bump the kernel to 2.6.20 at the same time.

2.6.19.7 and 2.6.20.4 should be both fine, but
a lot of minor issues were ironed out between
rc2 and final (rc21+ :) same goes for the tools
btw, which are at 0.30.213-rc6

HTC,
Herbert

  Greetings Community!
 
  after a longer rc stage, to get rid of all the
  minor issues, we proudly present the first release
  of the new stable 2.2 branch, which includes all
  the 'considered stable' features of the previous
  devel branch (2.1.x) which has been superseded by
  the 2.3.x devel branch ...
 
  http://www.13thfloor.at/vserver/s_rel26/v2.2.0/
  (tools supposed to work fine on Mandriva 2007.x)
 
  thanks to all who helped in development and did
  test the release candidates ...
 
  enjoy,
  Herbert
 
 

 --

 Chuck

 ...and the hordes of M$*ft users descended upon me in their anger,
 and asked 'Why do you not get the viruses or the BlueScreensOfDeath
 or insecure system troubles and slowness or pay through the nose
 for an OS as *we* do?!!', and I answered...'I use Linux'. 
 The Book of John, chapter 1, page 1, and end of book








--
Adrien Laurent
Chief Information Officer
(514) 284-2020 x 202
[EMAIL PROTECTED]
www.modulis.ca

Technical questions? [EMAIL PROTECTED]