systemd sd_notify in chroot

[Peter Viskup]

At the moment the chrooted rsyslog instance use bind mounted
/run/systemd/notify.
It is causing the Veeam backup fail.
Anyone how to make it working without bind mounting notify file into chroot?
Is there some way to let systemd create and listen on another "notify"
socket?

-- 
Peter

~# systemctl status rsyslog-chroot@lin.service
● rsyslog-chroot@lin.service - Syslog Service lin instance under /chroot/lin
   Loaded: loaded (/lib/systemd/system/rsyslog-chroot@.service; disabled;
vendor preset: enabled)
   Active: active (running) since Fri 2019-06-21 12:36:38 CEST; 19min ago
 Docs: man:rsyslogd(8)
   http://www.rsyslog.com/doc/
...
  Process: 27608 ExecStartPre=/usr/bin/touch /chroot/lin/run/systemd/notify
(code=exited, status=0/SUCCESS)
  Process: 27609 ExecStartPre=/bin/mount -o bind,rw /run/systemd/notify
/chroot/lin/run/systemd/notify (code=exited, status=0/SUCCESS)

 Main PID: 27611 (rsyslogd)
Tasks: 8 (limit: 4717)
   CGroup:
/system.slice/system-rsyslog\x2dchroot.slice/rsyslog-chroot@lin.service
   └─27611 /usr/sbin/rsyslogd -n -f /etc/rsyslog.d/rsyslog-lin.conf

VMTools debug log entries:
[Jun 21 12:41:12.350] [   debug] [vmbackup] *** VmBackupSyncDriverStart
[Jun 21 12:41:12.350] [   debug] [vmsvc] SyncDriver: Skipping remote
filesystem, name=systemd-1, mntpt=/proc/sys/fs/binfmt_misc.
[Jun 21 12:41:12.350] [   debug] [vmsvc] SyncDriver: Calling backend 0.
[Jun 21 12:41:12.350] [   debug] [vmsvc] SyncDriver: Freezing using Linux
ioctls...
[Jun 21 12:41:12.350] [   debug] [vmsvc] SyncDriver: opening path
'/chroot/lin/etc/rsyslog.d'.
[Jun 21 12:41:12.350] [   debug] [vmsvc] SyncDriver: freezing path
'/chroot/lin/etc/rsyslog.d' (fd=8).
[Jun 21 12:41:12.396] [   debug] [vmsvc] SyncDriver: successfully froze
'/chroot/lin/etc/rsyslog.d' (fd=8).
[Jun 21 12:41:12.396] [   debug] [vmsvc] SyncDriver: opening path
'/run/rsyslog-lin/systemd/notify'.
[Jun 21 12:41:12.396] [   debug] [vmsvc] SyncDriver: failed to open
'/run/rsyslog-lin/systemd/notify': 6 (No such device or address)
[Jun 21 12:41:12.396] [   debug] [vmsvc] SyncDriver: Thawing fd=8.
[Jun 21 12:41:12.396] [   debug] [vmsvc] SyncDriver: Closing fd=8.
[Jun 21 12:41:12.396] [ warning] [vmbackup] Error freezing filesystems.
[Jun 21 12:41:13.351] [   debug] [vmbackup] *** VmBackupAsyncCallback
[Jun 21 12:41:13.351] [   debug] [vmbackup] *** VmBackupPostProcessCurrentOp
[Jun 21 12:41:13.351] [   debug] [vmbackup] Async request
'VmBackupSyncDriverStart' completed
[Jun 21 12:41:13.351] [   debug] [vmbackup] ***
VmBackupSyncDriverReadyForSnapshot
[Jun 21 12:41:13.351] [   debug] [vmbackup] *** VmBackupEnableSync

Re: Re: Systemd with chroot and under unprivileged user

[Peter Viskup]

Opened bug report at mainstream.
https://github.com/systemd/systemd/issues/12498

On Tue, May 7, 2019 at 12:17 PM Peter Viskup  wrote:

> It is related to systemd processing of chroot, as with commenting the User
> setting, the service start up successfully.
>
> Want to mimic the startup of the service in init script on Debian8 (which
> is running fine):
> ~# start-stop-daemon --start --quiet --pidfile
> "/srv/inst/var/run/rsyslogd.pid" --chuid user:group --chroot "/srv/inst"
> --exec "/usr/sbin/rsyslogd" -- -i  /var/run/rsyslogd.pid -4 -x
>
> --
> Peter
>

Re: Re: Systemd with chroot and under unprivileged user

[Peter Viskup]

It is related to systemd processing of chroot, as with commenting the User
setting, the service start up successfully.

Want to mimic the startup of the service in init script on Debian8 (which
is running fine):
~# start-stop-daemon --start --quiet --pidfile
"/srv/inst/var/run/rsyslogd.pid" --chuid user:group --chroot "/srv/inst"
--exec "/usr/sbin/rsyslogd" -- -i  /var/run/rsyslogd.pid -4 -x

-- 
Peter

Systemd with chroot and under unprivileged user

[Peter Viskup]

Running Debian9 with systemd 241-3~bpo9+1 from backports.
Having trouble to start rsyslog service in chroot jail using the systemd
service file with RootDirectory and User settings.
Setting AmbientCapabilities=CAP_SYS_CHROOT does not help and still getting
following errors:

 rsyslog-chroot@inst.service: Changing to the requested working directory
failed: Operation not permitted
 rsyslog-chroot@inst.service: Failed at step CHROOT spawning
/usr/sbin/rsyslogd: Operation not permitted
 rsyslog-chroot@inst.service: Main process exited, code=exited,
status=210/CHROOT

Any idea how to get it working properly? Starting without the User setting
is working just fine.
The workaround might be to set the $PrivDropToUser setting in rsyslog
configutation.

Service file:
[Unit]
Description=System Logging Service in chroot /srv/%i
ConditionPathExists=/srv/%i

[Service]
Type=simple
User=eset
Group=eset
PermissionsStartOnly=true
WorkingDirectory=/var/spool/rsyslog
AmbientCapabilities=CAP_SYS_CHROOT
RootDirectory=/srv/%i
RootDirectoryStartOnly=true
ExecStart=/usr/sbin/rsyslogd -n
StandardOutput=journal

[Install]
WantedBy=multi-user.target
Alias=syslog-chroot.service

-- 
Peter

Problem with fcheck job on Debian9 after kernel update

[Peter Viskup]

The fcheck task take +45000 seconds to complete instead of +8500 after
latest kernel update. Server is running on ESX as VM.
Is somebody experiencing similar prolonging task execution on CPU
intensive tasks? May be related to L1TF "Spectre-family" patches.
What commands to run to investigate the root cause in more details?

Already opened bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908647

-- 
Peter

Re: Disk failure, XFS shutting down, trying to recover as much as possible

[Peter Viskup]

Always consider using ddrescue [1] instead of dd - especially once you are
not sure about the state of the drive.
Tool ddrescue is taking 'dd' image of the drive, but will skip all the
areas where the read will return an error. Standard 'dd' will try to
continuously re-read that area which could cause more damages.
Have fun! ;-)

[1] http://www.gnu.org/software/ddrescue/

-- 
Peter

On Fri, Jun 12, 2015 at 1:20 AM, David Christensen <
dpchr...@holgerdanske.com> wrote:

> On 06/11/2015 12:32 AM, Alejandro Exojo wrote:
>
>> Yesterday I found out that my extra disk shut down. I don't know what
>> steps to
>> follow from now on. I'm searching online about the error as I found in the
>> logs, and I don't know what steps to follow.
>>
> ...
>
>> I don't know where to proceed from here. The error seems hardware, but
>> I'm not
>> totally sure. After that, what should I try to do to recover as much as
>> possible? I'm reading about ddrescue now.
>> I don't have space in the other partitions to hold all the data in the
>> failed
>> disk, but I'm only interested in recovering some parts of it as safely as
>> possible. Should I just buy a new disk, try to replicate the original one
>> there, and find out which files are damaged? Or should I create an image
>> as a
>> file stored somewhere else?
>>
>
> 1.  Buy a large disk that you can use for backups.  I use 3 TB Seagate
> ST3000DM001 because they have the best gigabyte/dollar ratio that I am
> aware of.
>
> 2.  Try to mount the file system and backup your files.  If you can't get
> the filesystem mounted, copy the raw disk image to a file using 'dd'.  You
> might have to get the image in pieces using the 'skip' and 'seek' options.
>
> 3.  Download the disk drive manufacturer's diagnostic toolset and run it.
> For example:
>
> http://www.seagate.com/support/downloads/seatools/
>
>
> David
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
> subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/557a17a5.2090...@holgerdanske.com
>
>

Re: bash, dash and sh

[Peter Viskup]

Hi Jeremy,
not sure whether you are aware of checkbashisms tool (part of devscripts
package). That could help you to learn how to write POSIX compliant scripts.
Others helped you much more. :-)

On Thu, Apr 23, 2015 at 5:02 AM, jeremy bentham  wrote:

> I am finally abandonning my fifteen-year-old computer and Lenny
> for a six (?) year old used Gateway 2802 (as a Bad Consumer
> (tm) I never buy anything new if I can avoid it) and, right now,
> it has a start at Wheezy on it.
>
> I happened to read on another list, and then verified for myself,
> that /bin/sh is now a link to dash, instead of bash.
>
> If I
>
> cd /bin
> sudo rm sh; ln -s bash sh
>
> will I break a bunch of stuff?
>
> I have a bunch of scripts
>
> (ls -1 ~/bin | wc
>138   139   1302)
>
> with the first line #!/bin/sh that use bashisms, and the above
> would be a lot easier than editing each one (of course, maybe
> just editing each one would be easier than doing this ;-) ).
>
> --
> Dave WilliamsIn order to save you from the terrorists, we
> d...@eskimo.com   need to find out about your sex life.  And we've
>  got the technology to do it!
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive: https://lists.debian.org/20150423030228.GS14392@benny
>
>

Re: Is this an April Fool joke running early ? (Systemd to fork the kernel)

[Peter Viskup]

argh :-)
this will definitely be one of the best for long time :-D

On Tue, Mar 31, 2015 at 10:25 AM, Lisi Reisz  wrote:

> On Tuesday 31 March 2015 08:21:12 Peter Viskup wrote:
> > "Instead we will soon have GNU/systemd, [a] much simpler, unified
> platform.
> > GNU/systemd will be a better target for third-party developers and easier
> > to support."
> > What? Foolish guys... Reading behind the words - no cooperation,
> discussion
> > and respect, we will take over! Completely wrong...
> >
> > Would like to read official answer and plans from Debian project. With
> some
> > clarification of possible impact on security and Debian itself (who will
> > audit "their" kernel?).
>
> You're not going to get it.  The whole thing was an April Fool joke
> released
> early.  It will live in memory like the spaghetti trees.
>
> http://en.wikipedia.org/wiki/Spaghetti-tree_hoax
>
> Lisi
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive: https://lists.debian.org/201503310925.06451.lisi.re...@gmail.com
>
>

Re: Is this an April Fool joke running early ? (Systemd to fork the kernel)

[Peter Viskup]

"Instead we will soon have GNU/systemd, [a] much simpler, unified platform.
GNU/systemd will be a better target for third-party developers and easier
to support."
What? Foolish guys... Reading behind the words - no cooperation, discussion
and respect, we will take over! Completely wrong...

Would like to read official answer and plans from Debian project. With some
clarification of possible impact on security and Debian itself (who will
audit "their" kernel?).

On Mon, Mar 30, 2015 at 6:00 PM, Patrick Bartek  wrote:

> On Mon, 30 Mar 2015, Renaud (Ron) OLGIATI wrote:
>
> > http://distrowatch.com/weekly.php?issue=20150330#community
> >
> > Or is it serious ?
>
> I'm not laughing.
>
> B
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> https://lists.debian.org/20150330090013.3f77f...@debian7.boseck208.net
>
>

Re: (ssh) Connection closed by

[Peter Viskup]

Could be your ssh client proposing ciphers the SSH server doesn't
understand. This was known issue with communication of ssh client 5+ to ssh
server 4.x and older.
Give it a try and let us know.

http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/

On Mon, Mar 30, 2015 at 2:33 PM, Pol Hallen  wrote:

> hey all :-)
>
> unfortunately I don't have access to ssh server, I can only see:
>
> Platform: i586-pc-linux-gnu
> Compiled with: liblua-5.2.3 openssl-1.0.1k libpcre-8.35 libpcap-1.6.2
> nmap-libdnet-1.12 ipv6
> Compiled without:
> Available nsock engines: epoll poll select
>
> ssh -vvvl user ip
>
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: setup hmac-sha1
> debug1: kex: server->client 3des-cbc hmac-sha1 none
> debug2: mac_setup: setup hmac-sha1
> debug1: kex: client->server 3des-cbc hmac-sha1 none
> debug2: bits set: 502/1024
> debug1: sending SSH2_MSG_KEXDH_INIT
> debug1: expecting SSH2_MSG_KEXDH_REPLY
> Connection closed by IP
>
> any idea to solve?
>
> Thanks!
>
> Pol
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
> subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/551942a6.6080...@fuckaround.org
>
>

Re: Redirect HTTPS with Squid3+Squidguard

[Peter Viskup]

Unfortunately we are living in real (not ideal) world and there are cases
where the SSL split is definitely needed or should be considered at least.
For example Squid 3.5 coming with new design of SSLBump allowing to do some
inspection of the connection prior the real SSLSplit. That gives you
possibilities to deeply inspect only traffic which you will recognize as
suspicious.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Of course users needs to be properly informed about such technology
deployed in the environment.

That listing of SW providing https inspection on cert.org is meaningless as
all today's antivirus SW providing this feature - which can be disabled of
course...like for most of the products listed there.

On Fri, Mar 27, 2015 at 1:32 AM, Bob Proulx  wrote:

> Michael Graham wrote:
> > Reco wrote:
> > > Ow. Exactly which kind of consumer-grade hardware comes with SSL bump
> > > preinstalled? That's very interesting to me as I like know which
> > > hardware to avoid in the future.
> >
> > It's way more common than you seem to think. CERT recently did a blog
> post
> > about it and it contains a list of both hardware vendors (like Bloxx and
> > bluecoat) as well as commercial and free software.
> >
> > http://www.cert.org/blogs/certcc/post.cfm?EntryID=221
> >
> > Basically if you're selling a web filter or similar security device, you
> > let admins bump SSL.
>
> There are certainly many products that one can buy that do SSL
> inspection.  No one is saying otherwise.  That wasn't the question.
> But are any of those commonly used consumer devices?
>
> If someone walks into Fries or Best Buy and spends less than $100 for
> a home firewall router such as a Linksys, Netgear, D-Link then I doubt
> it is going to crack open SSL.  I doubt they do because doing so would
> require additional CAs to be installed on user's tablets and other
> systems downstream and that requires too much support and
> hand-holding.
>
> Most users would be immediately confused, would consider the device
> broken, would return it without ever knowing that were making the
> right decision of avoiding it but without ever understanding the
> details.  Therefore consumer devices aren't going to go there.
>
> > Given how easy it is for those same admins to push the fake SSL CAs out
> > over active directory group policy it's pretty much transparent to most
> > naive users who don't understand the difference between https and http
> > never mind trying to explain a MITM proxy with a fake root CA!
>
> Agreed in the corporate environments.  They have control over the
> users equipment.  They often require and issue employees with company
> laptops.  For that type of environment they can do anything.
>
> The warning is clear.  Don't use your company laptop for your non-work
> anything.  It isn't secure.  Use your own computer, laptop, tablet,
> phone for your banking and anything that needs security.
>
> Bob
>

Re: Redirect HTTPS with Squid3+Squidguard

[Peter Viskup]

Hello Reco,

On Thu, Mar 26, 2015 at 4:13 PM, Reco  wrote:

>  Hi.
> And just as well child can see a naughty picture on TV. Or a phone ad.
> Or a magazine/newspaper. Anywhere, once you start thinking about it.
>

And that's just sad, disturbingly and one of the main reasons of so many
people facing porn addiction.

Whatever damage is done depends on child's state of mind, which is
> influenced by his/her prior education. Which, for the most part, should
> be (IMO) provided by parents first, and society (friends, school,
> whatever) - second.
>

First would recommend you to read something about the psychology of
children.

And internet censorship is not a substitute of education. The only
> thing that censorship can teach is how to workaround it. Or that one's
> parents are complete . Is that how you want
> your children to perceive you?
>

>From this point of view all aspects of parenting are censorship. It's not
about the government internet censorship - differentiate between parenting
and freedom protection and well - I didn't tell the education is not needed.


> Besides, what's up with this 15 years mark?
>

Just as an example - no other meaning, everybody can choose its own number.
;-)

My last sentence to this thread - read "The Little Prince" a lot and once
you will understand what's all this about probably and then you will be
ready for reading Citadelle. Yes - I know - too much pathetic for
somebody...

Re: Redirect HTTPS with Squid3+Squidguard

[Peter Viskup]

It's the way you look at.
For me it's about prevention...your child can click on some link somewhere
and see some pictures/videos which will remain in his/her mind (let's say)
forever and can harm even if it was only seconds they were seen...I am
speaking about children less than 15 years old...and even older children
needs protection.

On Thu, Mar 26, 2015 at 2:19 PM, Sascha Steinmann (adremes GmbH & Co KG) <
steinm...@adremes.com> wrote:

> I agree 100% with Reco.
> Don't use technical Stuff to protect your children.
> Learn them to use their Brain, to protect their self.
> It's the most important thing, when u sit in front of a Computer.
> When u want to block adult content u have to block 80% of the entire
> visible web.
> And you will spend your evenings to make your blacklists up2date.
> Greetings
> Sascha
>
> -Ursprüngliche Nachricht-
> Von: Reco [mailto:recovery...@gmail.com]
> Gesendet: Donnerstag, 26. März 2015 13:52
> An: debian-user@lists.debian.org
> Betreff: Re: Redirect HTTPS with Squid3+Squidguard
>
>  Hi.
>
> On Thu, 26 Mar 2015 13:21:57 +0100
> Peter Viskup  wrote:
>
> > Hi,
> > just jumped into SSLBump/Split features some months ago. I don't find
> > these features harmful. Especially when protecting your children from
> > access of YouTube or other possibly harmful sites. Once you are logged
> > with Google account they redirect your communication to https which
> > makes the inspection not possible. The Squid's SSLBump/Split (whose
> > name in latest version SslPeekAndSplice) is the only feature which
> > will make the inspection happen. This means there are still some cases
> > where this feature is very helpful and the only one freely available.
>
> If you're considering that spying on your own children is a good idea - I
> don't even know what to say. They solve such problems here by educating
> children, not limiting their internet access. Besides, if a child would
> really want to bypass such access control - he or she will find a way
> sooner or later (hint - a cellphone, for instance).
>
> The only good usage of SSL Bump in my book is reverse-engineering certain
> proprietary applications.
>
> Recp
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> https://lists.debian.org/20150326155150.246957029666332067526...@gmail.com
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> https://lists.debian.org/f6da57c02758bb41bf462233ad62bf9265836...@ex10mbox1e.hosting.inetserver.de
>
>

Re: Redirect HTTPS with Squid3+Squidguard

[Peter Viskup]

Without the SSL splitting the only option is to install some software on
the client side. Some "endpoint" security software doing the inspection of
the web data transfers on the fly before they pass the TLS tunnel. It's the
same like SSL split on Squid, but let's say more transparent. Unfortunately
I don't know any such software for Linux - all of those I know are for
Windows as this OS has API for that "spying".
Can mention two for all of them:
 - Kaspersky Internet Security
 - Eset Endpoint Security
These are my favorites, but there are other SWs available.
The open source and best way to protect children is the proxy with SSLBump.
Have a look on Untangle [1] for complete FW solution with the SSLBump
feature.

[1] www.untangle.com


On Thu, Mar 26, 2015 at 2:04 PM, Michael I. 
wrote:

> Sven Hartge  wrote:
>
>> Michael I.  wrote:
>>
>>  But I have a new problem, I want to have a transparent proxy for http
>>> this works fine but when I add the iptables rule for https the loading
>>> won't work.
>>>
>>
>> Of course not. That this is not working is the _whole point_ of any
>> end-to-end encrypted connection.
>>
>> What you are effectivly trying to do is an Man-in-the-Middle "attack".
>>
>>
> All I want is to protect children of harmful content (adult content).
>
>  You cannot transparently proxy *any* encrypted connection without major
>> trickery, like I wrote in my first mail. You would need a fake CA
>> certificate (why this is a _very_ bad idea you just have to look at the
>> latest CNNIC and MSC debacle: (sorry, German URL)
>> > google-zertifikate/2112>
>> or
>> > Missbrauch-im-SSL-Zertifizierungssystem-auf-2583414.html>), and have
>> your proxy terminate the end-to-end encryption by issuing a fake
>> certificate on the fly, so that the client is satisfied and then create
>> another new encrypted connection to the intended end-point.
>>
>> There _are_ security appliances out there which work in that way but
>> they are considered _very_ *very* bad practice and should be avoided at
>> all costs.
>>
>>
> I don't want to fake a CA certificate because the danger.
>
> Is there any other way to block those sites? Maybe block the IPs in the
> firewall, but I think this is a big hassle?
>
>  Grüße,
>> Sven.
>>
>>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
> subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/551403f7.7080...@abwesend.de
>
>

Re: Redirect HTTPS with Squid3+Squidguard

[Peter Viskup]

Hi,
just jumped into SSLBump/Split features some months ago. I don't find these
features harmful. Especially when protecting your children from access of
YouTube or other possibly harmful sites. Once you are logged with Google
account they redirect your communication to https which makes the
inspection not possible. The Squid's SSLBump/Split (whose name in latest
version SslPeekAndSplice) is the only feature which will make the
inspection happen. This means there are still some cases where this feature
is very helpful and the only one freely available.

-- 
Peter Viskup

On Thu, Mar 26, 2015 at 12:58 PM, Sven Hartge  wrote:

> Michael I.  wrote:
>
> > But I have a new problem, I want to have a transparent proxy for http
> > this works fine but when I add the iptables rule for https the loading
> > won't work.
>
> Of course not. That this is not working is the _whole point_ of any
> end-to-end encrypted connection.
>
> What you are effectivly trying to do is an Man-in-the-Middle "attack".
>
> You cannot transparently proxy *any* encrypted connection without major
> trickery, like I wrote in my first mail. You would need a fake CA
> certificate (why this is a _very_ bad idea you just have to look at the
> latest CNNIC and MSC debacle: (sorry, German URL)
> <
> https://www.psw-group.de/blog/cnnic-signiert-falsche-google-zertifikate/2112
> >
> or
> <
> http://www.heise.de/security/meldung/Google-deckt-erneut-Missbrauch-im-SSL-Zertifizierungssystem-auf-2583414.html>),
> and have your proxy terminate the end-to-end encryption by issuing a fake
> certificate on the fly, so that the client is satisfied and then create
> another new encrypted connection to the intended end-point.
>
> There _are_ security appliances out there which work in that way but
> they are considered _very_ *very* bad practice and should be avoided at
> all costs.
>
> Grüße,
> Sven.
>
> --
> Sigmentation fault. Core dumped.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive: https://lists.debian.org/11bg3gmtro...@mids.svenhartge.de
>
>

Re: fakeroot to build a package?

[Peter Viskup]

The first seems to be quick and not-detailed tutorial.
The others are more detailed descriptions.

What package failed that first approach, in which step and what was the
error message?

Anyway I found it quite hard to went through the understanding the debian
packaging by myself.
There are many tools and ways to do the same thing. Still don't know all
the details.

-- 
Peter

On Tue, Feb 17, 2015 at 1:10 PM, Eugene Zhukov  wrote:

> Hello,
>
> I came across this building tutorial [1]. It advertises using
> fakeroot debian/rules binary
> command to build a package. Needless to say it doesn't work for all
> packages.
> I find this tutorial confusing. I know of two other IMHO better pages
> on the topic [2] and [3].
> Did I miss something or the first wiki needs fixing.?
>
> [1] https://wiki.debian.org/BuildingTutorial
> [2] https://wiki.debian.org/IntroDebianPackaging
> [3] https://www.debian.org/doc/manuals/maint-guide/
>
> Thanks,
> Eugene
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> https://lists.debian.org/capqgmfjq5t3+gccz52cq5fcwvqaej-bft7cciggjawdnx_p...@mail.gmail.com
>
>

NFS server write issues using netgroup

[Peter Viskup]

Would like to discuss the issue I am facing before opening bug report.

NFS System: latest Debian Jessie
NFS: nfs-kernel-server 1:1.2.8-9

Export config:
/data/folder @clients(rw,no_subtree_check,root_squash)

Netgroup config:
root@media:~# cat /etc/netgroup
clients (dm800,-,), (laptop,-,)

root@media:~# grep netgroup /etc/nsswitch.conf
netgroup:   files

I don't have rw access to mounted folder. Once migrated to configuration
without netgroup the permissions allow rw access as expected.

Name resolution is ok, mounting works. Am I missing or overlooked something?

-- 
Peter

Re: Linux based cellphones?

[Peter Viskup]

be careful with that as seems there is no working kernel at the moment -
ask guys at Golden Delicious. And even the QTMoko dissapeared and the other
distribution SHR is dead too. Unfortunately nobody taking care to continue
this work.
Take a look at Jolla or FirefoxOS devices. I would propose you the
FirefoxOS as it seems most promising open sourced OS for mobile devices
build on top of Linux and Gecko kernels.

https://jolla.com
https://www.mozilla.org/en-US/firefox/os/devices/

Unfortunately none of those are completely open sourced. The last one was
the OpenMoko GTA02. GTA04 has some closed sourced components AFAIK, but
check with them.

-- 
Peter Viskup

On Fri, Jan 30, 2015 at 10:47 AM, Karen Lewellen 
wrote:

> Now that  seems  nifty.
> Thanks for it.
> Kare
>
>
>
> On Fri, 30 Jan 2015, Gian Uberto Lauri wrote:
>
>  Karen Lewellen writes:
>> > I did not mean destros.
>> > I meant actually put into hardware and sold devices.
>> > Thanks again for all the answers.
>>
>> Has Golden Delicious be suggested? They sell a board GTA04 that fits
>> in the original openmoko case.
>>
>> http://www.goldelico.com/wiki.php?page=Products
>>
>> --
>> /\   ___Ubuntu: ancient
>> /___/\_|_|\_|__|___Gian Uberto Lauri_   African word
>>  //--\| | \|  |   Integralista GNUslamicomeaning "I can
>> \/ coltivatore diretto di software   not install
>> già sistemista a tempo (altrui) perso...Debian"
>>
>> Warning: gnome-config-daemon considered more dangerous than GOTO
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmas...@lists.debian.org
>> Archive: https://lists.debian.org/21707.18695.736668.429...@mail.eng.it
>>
>>

Re: glibc bug - time to patch

[Peter Viskup]

before considering downtimes and patching activities on production servers
read these:

https://www.debian.org/security/2015/dsa-3142
http://seclists.org/oss-sec/2015/q1/283

especially the second link mention network-facing software which is not
vulnerable due to proper sanitization out of glibc.

On Wed, Jan 28, 2015 at 1:20 PM,  wrote:

> Hey all,
>
>   For those that do not know about this yet, seems that glibc has a nasty
> bug in it that should probably be patched. Wheezy and squeeze vulnerable,
> but all you bleeding edge folk should be ok as Jessie and sid seems fine
>
> https://security-tracker.debian.org/tracker/CVE-2015-0235
>
> Cheers
>
> Iain
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
> subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/28f1fa682337d21078d8c83d9c9e03
> a...@thargoid.co.uk
>
>

Re: XBMC/Kodi? Anybody actually using this on Debian?

[Peter Viskup]

Hi Roland,
regarding the XBMC version - try to use Deb-multimedia repository [1].
There are more recent versions available.

Ad 1) more things which needs to be checked
 - kernel support
 - Xorg open source radeon or closed sourced fglrx ati drivers support
 Try to read these [2] [3] [4]

Ad 2) first make sure your direct rendering is working (running the command
"glxinfo")
 then you can just install xbmc and some other packages, try to use
aptitude [5] which have some console-based menu for package management.
 There are more xbmc-related packages - search for them and read about them
for more information. Decide what's needed by yourself.

Once you will have the setup complete you could face issues with VDPAU
and/or VAAPI (accelerated video playback on graphic chip). Search on XBMC
forum will help you.

-- 
Peter

[1] http://www.deb-multimedia.org/
[2] https://wiki.debian.org/AtiHowTo
[3] https://wiki.debian.org/ATIProprietary
[4] https://wiki.archlinux.org/index.php/ATI
[5] https://wiki.debian.org/Aptitude


On Mon, Jan 26, 2015 at 9:12 PM, Ronald F. Guilmette 
wrote:

>
> Torsten,
>
> Thank you for your clear response.
>
> I have a couple of follow-up questions:
>
> Assuming that I now wipe Wheezy off my disk, and replace it with
> Jessie RC1...
>
> 1)  Other than testing it myself, how can I find out if this (Jessie RC1)
> will properly support the AMD A4-6300 APU?
>
> 2)  What if anything will I need to manually tweek/diddle/edit in order to
> cause my newly installed Jessie RC1 to properly fetch the newer XBMC 13.2,
> which you mentioned?  If I just say "apt-get install xbmc" will that get
> it?  Or will I need to edit or modify some repository links someplace?
> (Sorry, I am kind-of new to debian's repository system, so I'm still just
> feeling my way along.)
>
> Thanks in advance for any further enlightenment.
>
>
> Regards,
> rfg
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> https://lists.debian.org/27469.1422303...@server1.tristatelogic.com
>
>

Re: how to shutdown in less than 8 minutes

[Peter Viskup]

Hi Pierre,
you can answer your question by yourself by having a look into directory
/lib/systemd/system and read systemctl man page.
Small hint could be to run 'systemctl -a -t service' command.
Some more information about systemd in Debain can be read on Wiki
https://wiki.debian.org/systemd.
Hope this helps.

-- 
Peter

On Fri, Oct 17, 2014 at 9:56 AM, Pierre Frenkiel 
wrote:

> On Fri, 17 Oct 2014, Michael Biebl wrote:
>
>  The samba package does not properly clean up it's config files on
>> upgrades. See the RC bug that's filed against samba.
>>
>> Run "update-rc.d samba remove" to fix that.
>>
>> hi Michael,
>>
>
>   I saw the thread concerning the bug report against samba, but only
>   saw a proposed fix about the LSB headers(which didn't work),
>   and not this one.
>   Actually, you need both:
>   update-rc.d  samba
>   and
>   update-rc.d  samba-ad-dc remove
>   Then, the shutdown lasts a few seconds
>
>   Thanks a lot for this valuable information.
>
>   Question: the daemons nmbd and smbd are still launched by systemd at
> boot.
>   although all the links in /etc/rcxx have been removed. How is it done?
>
> best regards,
> --
> Pierre Frenkiel
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
> subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/alpine.DEB.2.11.1410170933530.
> 8...@pfr2.frenkiel-hure.net
>
>

Re: OT: just falling back to fluxbox after Gnome3 mem-leak experince

[Peter Viskup]

On 02/08/2013 10:44 PM, Jochen Spieker wrote:

Peter Viskup:

viskup@viskup:~$ awk '/Name|VmSize|VmPeak/' /proc/4186/status
Name:   gnome-shell
VmPeak:  3537456 kB
VmSize:  3403068 kB

I am not sure, but I suspect you misinterpret those numbers. This is the
amount of memory that the application thinks is available for itself.
This does not equal the actual memory requirements of the process.

My system currently shows:

$ ps aux | awk '{ print $5 }' | tail -n +2 | awk 'BEGIN {s=0} {s+=$1} END 
{print s}'
8206540

$ free -k
  total   used   free sharedbuffers cached
Mem:   39552683346440 608828  0 2981282139064
-/+ buffers/cache: 9092483046020
Swap:0  0  0

The sum of all processes' virtual memory sizes is about nine times the
size of actual memory in use (887 MiB vs. 7.8 GiB with only 4GB of
physical RAM available, no swap).

J.


You are probably right with not best lines shown from status file. 
Anyway I saw that gnome-shell consumed more than 1100MB(=approx. 29% of 
4GB  real mem) for VmRSS.  System was swapping and the only application 
consuming more than 10% of memory was  ;-)


--
Peter


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/511580f7.4010...@gmail.com

Re: OT: just falling back to fluxbox after Gnome3 mem-leak experince

[Peter Viskup]

On 02/08/2013 03:12 PM, Jon Dowland wrote:

On Fri, Feb 08, 2013 at 11:28:51AM +0100, Peter Viskup wrote:

viskup@viskup:~$ uptime
  11:10:57 up 16 days, 17:01, 10 users,  load average: 1.61, 1.34, 1.07

I'm not sure what this is supposed to demonstrate. Has gnome-shell been running
for 16 days?


It is supposed to show that I do not regularly shutdown the laptop and 
use the suspend/hibernate function.
Not gnome-shell only of course but Linux kernel and some other 
applications too. ;-)


--
Peter


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/511562a4.90...@gmail.com

Re: OT: just falling back to fluxbox after Gnome3 mem-leak experince

[Peter Viskup]

On 02/08/2013 06:09 PM, Stefan Monnier wrote:

viskup@viskup:~$ awk '/Name|VmSize|VmPeak/' /proc/4186/status
Name:   gnome-shell
VmPeak:  3537456 kB
VmSize:  3403068 kB

That doesn't show a memory leak.

Indeed, but we're talking about 3GB of memory here, which seems hard to
justify for such an application.


awk '/Name|VmSize|VmPeak/' /proc/$(pidof gnome-shell)/status
Name:   gnome-shell
VmPeak:  1250636 kB
VmSize:  1190912 kB

More than 1GB also sounds excessive, so you seem to be suffering from
the same problem.

Of course, maybe this is not a problem, it is just an artifact of
gnome-shell sharing a lot of memory with other applications, so it's not
actually eating up all your RAM.  But this explanation seems unlikely.

I think it deserves a bug report.


 Stefan


I just search for gnome3 and memory leaks and found there were some of 
them fixed in latest 3.6 too. Didn't have time and energy search for 
more information.


One for all:
http://fedoraproject.org/wiki/Common_F15_bugs#System_memory_in_use_rises_constantly_.28memory_leak.29_when_using_GNOME_Shell

This probably help somebody of you who do not shutdown desktop/laptop 
every time.

It consumed all my RAM and swap...

--
Peter Viskup


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/51155cb7.6060...@gmail.com

OT: just falling back to fluxbox after Gnome3 mem-leak experince

[Peter Viskup]

Hi all,
just want to share my bad experience with Gnome3 in testing. They 
have/had some mem-leaks in there.


viskup@viskup:~$ uptime
 11:10:57 up 16 days, 17:01, 10 users,  load average: 1.61, 1.34, 1.07

viskup@viskup:~$ awk '/Name|VmSize|VmPeak/' /proc/4186/status
Name:   gnome-shell
VmPeak:  3537456 kB
VmSize:  3403068 kB

viskup@viskup:~$ dpkg -l gnome-shell
Desired=Unknown/Install/Remove/Purge/Hold
| 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend

|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version   Architecture  Description
+++--=-=-==
ii  gnome-shell  3.4.2-6   amd64 graphical shell for the 
GNOME desktop


Hopefully back with Fluxbox.

There was just another stability issue of Firefox as it had some strange 
"Gnome Shell Integration" plugin enabled which led to frozen Firefox. So 
I disabled that plugin and now everything works like a charm.


Bye-bye Gnome.

--
Peter Viskup


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/5114d363.9090...@gmail.com

Re: Upgrade from stable to testing hosed my server

[Peter Viskup]

On 01/24/2013 05:51 PM, Mark Phillips wrote:

Peter,

Can I access the log if I boot the machine with a live cd of some kind?

Mark


Hello Mark,
read the release notes first and think about what you did wrong.

I do not know how you proceed with the upgrade, but yes there are paths 
like these:

/var/log/dpkg.log
/var/log/aptitude
/var/log/apt/

The quickest solution will be to restore package states using the 
commands 'dpkg --get-selections' and 'dpkg --set-selections'. Or simply 
install all the missing ones - once you remember what packages you 
installed on the system before. Some of these procedures are documented 
in the release notes - therefore I highly recommend you to read it.

You can use the Debian installation CD/DVD and boot into 'rescue mode'.

--
Peter


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/5101932b.3040...@gmail.com

Re: Upgrade from stable to testing hosed my server

[Peter Viskup]

On 01/24/2013 02:30 PM, Mark Phillips wrote:


I used aptitude to upgrade a headless server from Debian stable to 
Debian testing. The upgrade did not generate any error messages, but 
when I rebooted I could not ssh into the box (connection refused) nor 
do I get any output on a monitor I attached to the box (no signal). 
Apache does not appear to be running either on the box (could not 
connect to the box). I can successfully ping the box.


Any suggestions on how to fix this this server would be greatly 
appreciated!


Thanks,

Mark


Hi Mark,
it's very hard to help you right now. Do you have a log of the terminal 
session on which you performed the upgrade?
Always read the upgrade notes first in the future. All of the notes from 
older stable release notes [1] will help you to perform the upgrade 
without any major issue. Of course there could be some differences, but 
none which will lead to unaccessible server.


[1] 
http://www.debian.org/releases/stable/amd64/release-notes/ch-upgrading.en.html


--
Peter


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/51015ffd.1080...@gmail.com

Re: Xen vs. KVM on Debian squeeze

[Peter Viskup]

On 12/09/2012 07:48 AM, P. J. McDermott wrote:

Hi,

I'd like to set up virtualization on a home server with a Debian
GNU/Linux squeeze amd64 host and squeeze and wheezy amd64 guests.  I'm
trying to decide between Xen 4.0 (with paravirtualized guests and
probably the xend/xm toolstack) and qemu-kvm 0.12 or 1.1 (with the
libvirt tools).

My experience in this area is currently limited; I've only used qemu-kvm
0.12, and only through Virtual Machine Manager.  So I'm looking for some
advice and answers to help me decide how to set this up.


The server has two 3.0-GHz CPU cores (an AMD CPU with the AMD-V/SVM
virtualization extensions) and 2.0 GiB of RAM (which I'm planning to
either double or triple).

I'd like to run at least five guest systems to build software, manage
mailing lists, serve files, manage a RAID 5 array using md, etc.

So I need a virtualization infrastructure that offers efficient CPU and
I/O virtualization and allows guest systems to gain or forfeit virtual
memory as their loads require (pooling my limited RAM as efficiently as
possible).  (Ease of understanding and maintenance are nice as well,
though I'm happy to read documentation.)


I see that KVM supports a rather simple method of overcommitting memory
[1], relying on Linux's lazy page allocation and swapping [2][3].

   [1]: 
http://www.linux-kvm.org/page/FAQ#Is_dynamic_memory_management_for_guests_supported.3F
   [2]: http://www.linux-kvm.org/page/Memory
   [3]: 
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-Virtualization-Tips_and_tricks-Overcommitting_with_KVM.html

I'm not sure I like the idea of "freeing" memory by swapping, but at
least it's a simple design and easy to set up.  Is there a newer method
in KVM (in Debian squeeze or squeeze-backports) of automatically growing
and shrinking guest systems' virtual memory space in RAM, preferably
without using swap?


Xen used to have a userspace self-ballooning daemon called "xenballoond"
[4], but it's no longer maintained [5] and it supposedly only supports
Red Hat–family systems [6].

   [4]: 
http://blog.xen.org/index.php/2008/08/27/xen-33-feature-memory-overcommit/
   [5]: 
http://old-list-archives.xen.org/archives/html/xen-devel/2011-02/msg01333.html
   [6]: 
http://xenbits.xen.org/hg/xen-unstable.hg/file/91232efdcfdc/tools/xenballoon/xenballoond.README

Now Xen supports "Transcendent Memory" or "tmem" (self-ballooning and
frontswap self-shrinking) [7][8] instead.

   [7]: https://lwn.net/Articles/454795/
   [8]: drivers/xen/xen-selfballoon.c in Linux 3.1 or later

The tmem code is in the version of Linux in squeeze-backports, and the
XEN_BALLOON option is enabled.  But, as far as I can tell, CLEANCACHE,
XEN_SELFBALLOONING, and FRONTSWAP are disabled.  I'd rather not have to
rebuild the Linux packages to install in my squeeze and wheezy domUs for
this.


All things considered, I'm leaning slightly toward qemu-kvm, because it
looks like it'll do what I need in a simple and familiar way; but I'm
concerned about the performance of the CPU and I/O virtualization and
the page swapping.

Can anyone show me that I've overlooked something about Xen in Debian or
convince me that qemu-kvm will perform fine for my needs?

Thanks,


I would recommend you to go with Wheezy at least for dom0. It provides 
the XCP toolstack which is the new standard of Xen management in Debian. 
This will save you a lot of time as it is totally different from xend/xm 
toolstack. It doesn't make sense for you to learn xend/xm from scratch 
just for three-four upcoming months.
The other thing with Squeeze version of linux-kernel there was strange 
bug discovered [1] causing the dynamic memory increase not working 
properly. It is not experienced on Wheezy.
Consider LXC [2] in case you have some concerns of CPU/memory overhead 
and you plan to run only Linux virtual servers.


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693851
[2] http://wiki.debian.org/LXC

--
Peter Viskup


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/50c7900a.80...@gmail.com

Fwd: Re: Security support for CMSes

[Peter Viskup]

Overlooked it was not sent to debian-user list.

 Original Message 
Subject:Re: Security support for CMSes
Date:   Mon, 08 Oct 2012 00:07:56 +0200
From:   Peter Viskup 
To: 	Robert Pommrich , lu...@debian.org, 
secur...@debian.org




Hello Nico,

On 10/07/2012 08:25 PM, Nico Golde wrote:

 Hi,
 Providing security updates for packages in Debian is still based on voluntary
 work. Therefore it can happen sometimes that either a security fix is
 overlooked or no person has committed to provide/release an updated package.
 The latter probably applies in this case.


I fully agree on that, understand that and am thankful to everybody
working on Debian project.


 Can you further specify what exactly you mean by cracked? This would be
 interesting as even though two CVE ids are marked as unfixed in stable, none
 of the issues qualifies for example to execute code on a remote drupal
 installation.


I do not know what security issue was used to crack my site - they used
some Drupal weakness to create some php files in Drupal install dir
remotely and without getting SFTP access.
I had a look on the state of the drupal6 package just after and noticed
there are some critical bugfixes not backported to stable branch.
That's all at the very moment.

--
Peter

Security support for CMSes

[Peter Viskup]

Hello everybody,
I am using Drupal6 from Debian repositories as I thought that Debian is 
taking care of the security fixes and therefore I do not have to take 
care too much.
Unfortunately one of my sites was cracked and there were none of 
security fixes released in June 2012 by Drupal community backported to 
main release till today. The only 'fixed' version of Drupal6 is 
available on backports.debian.org.

Do you use Debian versions of CMSes?
Are you continuously checking the main releases and checking the states 
of Debian packages?
What are your proposals for running any CMS available in Debian 
repositories?
Does somebody have similar experience from the past or with another CMS 
from Debian repositories?

Thank you.

Best regards,
--
Peter Viskup


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/50715734.8040...@gmail.com

Re: What is playing videos in web browsers?

[Peter Viskup]

On 09/16/2012 12:30 AM, lee wrote:

Hi,

trying out chromium, I have found that both seamonkey and chromium are
able to play arbitrary videos found on youtube.  I used to have
libflashplayer.so in the ~/.mozilla/plugins directory which used to play
such videos.  I have removed it for testing and both browsers still play
videos.  In the past, seamonkey was unable to play these videos when the
flash player library was removed.

What might they be using to play these videos?  Where is configured what
they use?

Pstree doesn't show it, and 'lsof |grep seamonkey |wc -l' says
4845. Searching for "flash" or "play" in the output of lsof doesn't find
any results, and manually browsing almost 5000 lines without really
knowing what to look for isn't exactly something I like to do.




Hi Lee,
there is something like HTML5 already out.
Try to have a look on http://www.youtube.com/html5 and then search for 
HTML5 support for your favorite browser and you will get an answer.


--
Peter


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/50550c0f.1050...@gmail.com

Re: Xen memory management not working

[Peter Viskup]

On 04/23/2012 03:01 AM, Bob Proulx wrote:
You didn't say... Have you rebooted your VM since then? Bob 

Hi Bob,
yes I did and the behavior didn't changed.

--
Peter


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/4f94f4a5.8090...@gmail.com

Xen memory management not working

[Peter Viskup]

Hello everyone,
we have issue with memory increase for virtual servers on one of our 
boxes. We are running Debian Squeeze and Xen 4.0.
Looks like after last upgrade of xen-utils-4.0 and xenstore-utils 
without upgrade of xen-hypervisor and linux-image packages the memory 
management stopped working.


server2:~# xm list tis
NameID   Mem VCPUs  State 
Time(s)
tis 62  1024 2 -b 
392680.7


server2:~# xm mem-set tis 2048
server2:~# xm list tis
NameID   Mem VCPUs  State 
Time(s)
tis 62  2048 2 -b 
392680.9


The target_kb value changed on VPS, but the available memory didn't 
increased for some unknown reason:


tis:~# cat /sys/devices/system/xen_memory/xen_memory0/target_kb
1048576

tis:~# cat /sys/devices/system/xen_memory/xen_memory0/target_kb
2097152

tis:~# grep MemTotal /proc/meminfo
MemTotal:1044316 kB

Xen packages installed on dom0:

server2:~# dpkg -l | grep xen
ii  libxenstore3.0  4.0.1-4 
 Xenstore communications library for Xen
ii  linux-image-2.6-xen-amd64   2.6.32+29 
 Linux 2.6 for 64-bit PCs (meta-package), Xen dom0 support
ii  linux-image-2.6.26-2-xen-amd64  2.6.26-26lenny2 
 Linux 2.6.26 image on AMD64, oldstyle Xen support
ii  linux-image-2.6.32-5-xen-amd64  2.6.32-38 
 Linux 2.6.32 for 64-bit PCs, Xen dom0 support
ii  linux-modules-2.6-xen-amd64 2.6.26+17+lenny1 
 Linux 2.6 modules on AMD64
ii  linux-modules-2.6.26-2-xen-amd642.6.26-26lenny2 
 Linux 2.6.26 modules on AMD64
ii  xen-hypervisor-3.2-1-amd64  3.2.1-2 
 The Xen Hypervisor on AMD64
ii  xen-hypervisor-4.0-amd644.0.1-4 
 The Xen Hypervisor on AMD64
ii  xen-qemu-dm-4.0 4.0.1-2 
 Xen Qemu Device Model virtual machine hardware emulator
ii  xen-shell   1.8-3 
 Console based Xen administration utility
ii  xen-tools   4.2-1 
 Tools to manage Xen virtual servers
ii  xen-utils-4.0   4.0.1-4 
 XEN administrative tools
ii  xen-utils-common4.0.0-1 
 XEN administrative tools - common files
ii  xenstore-utils  4.0.1-4 
 Xenstore utilities for Xen
ii  xenwatch0.5.4-2 
 Virtualization utilities, mostly for Xen


server2:~# uname -a
Linux server2 2.6.32-5-xen-amd64 #1 SMP Mon Oct 3 07:53:54 UTC 2011 
x86_64 GNU/Linux


And kernel version on domU:

tis:~# uname -a
Linux tis 2.6.32-5-xen-amd64 #1 SMP Mon Oct 3 07:53:54 UTC 2011 x86_64 
GNU/Linux


Could anybody point me to deeper investigation of this strange issue and 
if not - is there any way to get packages of xen-utils-4.0 and 
xenstore-utils before the upgrade to latest version?


Best regards,
--
Peter Viskup


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/4f94369c.6010...@gmail.com

Xen memory management not working

[Peter Viskup]

Hello everyone,
we have issue with memory increase for virtual servers on one of our 
boxes. We are running Debian Squeeze and Xen 4.0.
Looks like after last upgrade of xen-utils-4.0 and xenstore-utils 
without upgrade of xen-hypervisor and linux-image packages the memory 
management stopped working.


server2:~# xm list tis

NameID   Mem VCPUs  State   Time(s)

tis 62  1024 2 -b 392680.7

server2:~# xm mem-set tis 2048

server2:~# xm list tis

NameID   Mem VCPUs  State   Time(s)

tis 62  2048 2 -b 392680.9


The target_kb value changed on VPS, but the available memory didn't 
increased for some unknown reason:


tis:~# cat /sys/devices/system/xen_memory/xen_memory0/target_kb

1048576

tis:~# cat /sys/devices/system/xen_memory/xen_memory0/target_kb

2097152

tis:~# grep MemTotal /proc/meminfo

MemTotal:1044316 kB


Xen packages installed on dom0:

server2:~# dpkg -l | grep xen

ii  libxenstore3.0  4.0.1-4  
Xenstore communications library for Xen

ii  linux-image-2.6-xen-amd64   2.6.32+29Linux 
2.6 for 64-bit PCs (meta-package), Xen dom0 support

ii  linux-image-2.6.26-2-xen-amd64  2.6.26-26lenny2  Linux 
2.6.26 image on AMD64, oldstyle Xen support

ii  linux-image-2.6.32-5-xen-amd64  2.6.32-38Linux 
2.6.32 for 64-bit PCs, Xen dom0 support

ii  linux-modules-2.6-xen-amd64 2.6.26+17+lenny1 Linux 
2.6 modules on AMD64

ii  linux-modules-2.6.26-2-xen-amd642.6.26-26lenny2  Linux 
2.6.26 modules on AMD64

ii  xen-hypervisor-3.2-1-amd64  3.2.1-2  The 
Xen Hypervisor on AMD64

ii  xen-hypervisor-4.0-amd644.0.1-4  The 
Xen Hypervisor on AMD64

ii  xen-qemu-dm-4.0 4.0.1-2  Xen 
Qemu Device Model virtual machine hardware emulator

ii  xen-shell   1.8-3
Console based Xen administration utility

ii  xen-tools   4.2-1Tools 
to manage Xen virtual servers

ii  xen-utils-4.0   4.0.1-4  XEN 
administrative tools

ii  xen-utils-common4.0.0-1  XEN 
administrative tools - common files

ii  xenstore-utils  4.0.1-4  
Xenstore utilities for Xen

ii  xenwatch0.5.4-2  
Virtualization utilities, mostly for Xen

server2:~# uname -a

Linux server2 2.6.32-5-xen-amd64 #1 SMP Mon Oct 3 07:53:54 UTC 2011 x86_64 
GNU/Linux

And kernel version on domU:

tis:~# uname -a

Linux tis 2.6.32-5-xen-amd64 #1 SMP Mon Oct 3 07:53:54 UTC 2011 x86_64 GNU/Linux


Could anybody point me to deeper investigation of this strange issue and 
if not - is there any way to get packages of xen-utils-4.0 and 
xenstore-utils before the upgrade to latest version?


Best regards,
--
Peter Viskup


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/4f871375.6090...@gmail.com