Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Herbert Poetzl wrote:
> Hi Community!
>
> for those who read about the newly discovered exploits in 2.4.23 ... and those who haven't yet, I decided to update the latest vserver patches (including the first stable release) to 2.4.24 ...
>
> you can find them together with updated, signed md5sums on http://www.13thfloor.at/vserver/project/

Thanks!

Does the latest vserver 1.22 still possess the SMP bug? I think I hit it on a dual xeon machine, but had no physical access, so somebody else did a reboot back to vserver 1.00. The non SMP Athlon test machine is still up and running with vserver 1.22 ;-)

The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems to send mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.

--
lg, Chris

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] vs1.2.x + nslookup/dig on main server
Hi,

I have a strange problem when I try to do a dig or nslookup FROM the main server when I'm connected w/ ssh (v_sshd)

    [EMAIL PROTECTED] root]# dig linux-vserver.net
    socket.c:1100: internal_send: 205.151.16.3#53: Invalid argument
    socket.c:1100: internal_send: 205.151.16.3#53: Invalid argument
    socket.c:1100: internal_send: 205.151.16.3#53: Invalid argument
    ...

I have this problem only w/ the MAIN server on remote access... don't have this problem from inside a vserver or console...

Both vs1.2.1 vs1.2.2 have this "problem". ctx17 is ok and I will check for 1.3.x asap.

--
Joel Vandal
Infoteck Internet
http://www.infoteck.qc.ca
Tel. 819-370-3232
[EMAIL PROTECTED]
Fax. 819-370-3624
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Christian Mayrhuber wrote:
> The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right?

I'll answer this myself. Both questions YES.

Following patch should fix it for vserver 1.00: http://vserver.13thfloor.at/Stuff/patch-vs1.00-fix.diff

I'll use that for my servers. Seems to be the only stable release that will work reliably on SMP systems and not do strange things to IPV4 packets. Please, correct me if I'm wrong.

--
lg, Chris
Re: [Vserver] vs1.2.x + nslookup/dig on main server
On Tue, 6 Jan 2004, Roderick A. Anderson wrote:
> Thanks. I did a little more research and was getting the same errors (just haven't had time to report my findings.) This is on ctx17 system though.
>
> As some background and upon reflection I think I might have forced a library update (using RPM) that was actually supposed to be in a vserver. I'll try to figure out which lib etc. today.

None of the above. It was an ssh (v_ssh?) issue. I placed the main server's IP as the ListenAddress in /etc/sshd_config and followed it with /etc/init.d/sshd restart. And now I can ping and dig (and therefore assume smbmount, traceroute, etc. also.)

Not sure how this will fly when I reboot the system as /etc/init.d/sshd is run by v_sshd which in turn calls vsysvwrapper. This looks for /etc/vservices/sshd.conf and not finding it uses 127.0.0.1 as the IP. (Go figure why remote doesn't work but console does. :-)

Looks like time to create the /etc/vservices directory and figure out what goes in sshd.conf. I think I did this once but it looks like old-timers disease got me and I never finished or returned to it.

So all in all it looks like the later vserver utilities (or at least Jacques' version) need some tweaking after install/update. I've been much too spoiled by 'install-and-run' setups. Time to get back to basics.

Cheers,
Rod
--
Open Source Software - You usually get more than you pay for...
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
[Vserver] [Release] Development 1.3.4
Hi Community!

another small step in vserver evolution has been made with the new development release (1.3.4) available at http://www.13thfloor.at/vserver/d_release/v1.3.4/

the changes:

 - cleanup of the ili stuff
 - small vshelper interface change
 - XFS ili support [ck1]

you can download all-in-one patches for 2.4.24 and 2.4.24-ck1 (2.4.24 + 2.4.23-ck1 patchset) as well as tar archives of all the splitups and incremental patches ...

util-vserver-0.27 and later should work for now, newer tools will be required at a later stage ...

if you want to aid in development, please test it (for best results, on production like scenarios) and provide some feedback ...

TIA,
Herbert
Re: [Vserver] vs1.2.x + nslookup/dig on main server
On Tue, 6 Jan 2004, Roderick A. Anderson wrote:
> Looks like time to create the /etc/vservices directory and figure out what goes in sshd.conf. I think I did this once but it looks like old-timers disease got me and I never finished or returned to it.

Don't you love replies to the poster from the poster.

Well I had done this once already on another system when I couldn't get ssh access to vservers from the outside world.

The proof will be when I next reboot this system. Last time it ran for 320+ days. I might be waiting for awhile. (Reboot happened when I moved the server to our new NOC. :-)

Rod
--
Open Source Software - You usually get more than you pay for...
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
Re: [Vserver] [Release] Development 1.3.4
small question from a new (but very happy) user. What does ck* stand for?

Thanks
Jim

-- Original Message ---
From: Herbert Poetzl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tue, 6 Jan 2004 19:06:40 +0100
Subject: [Vserver] [Release] Development 1.3.4

> Hi Community!
>
> another small step in vserver evolution has been made with the new development release (1.3.4) available at http://www.13thfloor.at/vserver/d_release/v1.3.4/
>
> the changes:
>
>  - cleanup of the ili stuff
>  - small vshelper interface change
>  - XFS ili support [ck1]
>
> you can download all-in-one patches for 2.4.24 and 2.4.24-ck1 (2.4.24 + 2.4.23-ck1 patchset) as well as tar archives of all the splitups and incremental patches ...
>
> util-vserver-0.27 and later should work for now, newer tools will be required at a later stage ...
>
> if you want to aid in development, please test it (for best results, on production like scenarios) and provide some feedback ...
>
> TIA,
> Herbert

--- End of Original Message ---
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Hi Christian!

Could you describe how this problem looked like? I have a mail-sending problem too and have absolutely no idea anymore, how to solve it:

A mailserver running on a vserver on a 2.4.23-vs1.21-host can't contact one single remote mailserver (only 1 :-\). Connection always times out... and that's it. works well with all other mailservers. A telnet to port 25 from the host itself to this single mailserver times out equally..

could this be a vserver-related problem? I'd never thought of that..

Greetings
Alexander

On Tuesday, 6 January 2004 14:22, Christian Mayrhuber wrote:
> The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems to send mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.

--
agoeres _at_ lieblinx.net
tel.: +49 (0)30 / 61 20 26 87
fax: +49 (0)30 / 61 20 26 89
lieblinxNET we do software
a Marwood Thiele GbR
reichenberger straße 125
10999 Berlin
http://lieblinx.net
Re: [Vserver] [Release] Development 1.3.4
> - cleanup of the ili stuff
> - XFS ili support [ck1]

what is 'ili'?

--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
..The program fails and the power plant explodes, poisoning the earth and the sea. Famine and disease sweep the world. All die. Oh, the embarrassment.
Re: [Vserver] [Release] Development 1.3.4
On Tue, 6 Jan 2004, Dariush Pietrzak wrote:
> > - cleanup of the ili stuff
> > - XFS ili support [ck1]
>
> what is 'ili'?

It might make you ill? Sorry. I think 'immutable link invert' or something along those lines. Don't ask me what it is 'cause all I know is it _might_ have been the cause one of my problems. I am still too new to this kernel stuff to understand all that's happening.

Rod
--
Open Source Software - You usually get more than you pay for...
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
[Vserver] Problem with kernel 2.4.24 + vs1.22
Hello all,

Today I updated my server's kernel to 2.4.24-vs1.22 and I'm having some trouble when I try to stop the vserver.

    [EMAIL PROTECTED] /usr/src/installs/new-vserver# vserver srmi stop
    Stopping the virtual server srmi
    Server srmi is running
    ipv4root is now 192.168.3.86
    Can't set the new security context
    : Invalid argument
    sleeping 5 seconds
    Killing all processes
    chcontext version 0.29
    chcontext [ options ] command arguments ...

    chcontext allocate a new security context and executes
    a command in that context.
    By default, a new/unused context is allocated

    --cap CAP_NAME
        Add a capability from the command. This option may be
        repeated several time.
        See /usr/include/linux/capability.h
        In general, this option is used with the --secure option
        --secure removes most critical capabilities and --cap
        adds specific ones.

    --cap !CAP_NAME
        Remove a capability from the command. This option may be
        repeated several time.
        See /usr/include/linux/capability.h

    --ctx num
        Select the context. On root in context 0 is allowed to
        select a specific context.
        Context number 1 is special. It can see all processes
        in any contexts, but can't kill them though.
        Option --ctx may be repeated several times to specify up to 16 contexts.

    --disconnect
        Start the command in background and make the process
        a child of process 1.

    --domainname new_domainname
        Set the domainname (NIS) in the new security context.
        Use none to unset the domain name.

    --flag
        Set one flag in the new or current security context. The following
        flags are supported. The option may be used several time.

        fakeinit: The new process will believe it is process number 1.
                  Useful to run a real /sbin/init in a vserver.
        lock: The new process is trapped and can't use chcontext anymore.
        sched: The new process and its children will share a common
               execution priority.
        nproc: Limit the number of process in the vserver according to
               ulimit setting. Normally, ulimit is a per user thing.
               With this flag, it becomes a per vserver thing.
        private: No one can join this security context once created.
        ulimit: Apply the current ulimit to the whole context

    --hostname new_hostname
        Set the hostname in the new security context
        This is need because if you create a less privileged
        security context, it may be unable to change its hostname

    --secure
        Remove all the capabilities to make a virtual server trustable

    --silent
        Do not print the allocated context number.

    Information about context is found in /proc/self/status
    [EMAIL PROTECTED] /usr/src/installs/new-vserver# uname -a
    Linux leonardo-root.ispgaya.pt 2.4.24-vs1.22 #1 SMP Tue Jan 6 09:52:07 WET 2004 i686 unknown unknown GNU/Linux
    [EMAIL PROTECTED] /usr/src/installs/new-vserver#

Is this the problem with vkill you mention on your site (Herbert)?

Best,
+---
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+---
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
On Tue, Jan 06, 2004 at 06:43:43PM +0100, Christian Mayrhuber wrote:
> Christian Mayrhuber wrote:
> > Does the latest vserver 1.22 still possess the SMP bug?

hmm, what is 'the SMP bug'?

 - the uts_sem issue present since ctx-2 (in words two)
 - the dynamic allocation deadlock?
 - the dynamic wraparound lockup?

those have been fixed in 1.22 and should be still there in 1.00 ;)

> > I think I hit it on a dual xeon machine, but had no physical access, so somebody else did a reboot back to vserver 1.00. The non SMP Athlon test machine is still up and running with vserver 1.22 ;-)

currently we are tracking some hard to trigger SMP races with or within the procfs (or the way current development versions do use it), but that should not hit you, except if you spawn 100 contexts per minute while banging at the procfs entries ...

> > The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems to send mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.
>
> I'll answer this myself. Both questions YES. Following patch should fix it for vserver 1.00: http://vserver.13thfloor.at/Stuff/patch-vs1.00-fix.diff

yeah, this was a bug I introduced ;) it isn't present in ctx17 and it was removed in 1.21, if there is interest in updating some parts of vs1.00, please let me know

> I'll use that for my servers. Seems to be the only stable release that will work reliably on SMP systems and not do strange things to IPV4 packets. Please, correct me if I'm wrong.

hmm, I would say 1.22 should do better, but I tell you I don't know ... although feedback is always welcome ...

if you are interested in hunting down and/or improving any IPV4/6 issues, just let me know, I'm all ears ...

best,
Herbert
Re: [Vserver] vs1.2.x + nslookup/dig on main server
On Tue, Jan 06, 2004 at 10:14:33AM -0800, Roderick A. Anderson wrote:
> On Tue, 6 Jan 2004, Roderick A. Anderson wrote:
> > Looks like time to create the /etc/vservices directory and figure out what goes in sshd.conf. I think I did this once but it looks like old-timers disease got me and I never finished or returned to it.
>
> Don't you love replies to the poster from the poster.
>
> Well I had done this once already on another system when I couldn't get ssh access to vservers from the outside world.
>
> The proof will be when I next reboot this system. Last time it ran for 320+ days. I might be waiting for awhile. (Reboot happened when I moved the server to our new NOC. :-)

hmm, I just felt like you need a reply

best,
Herbert

> Rod
> --
> Open Source Software - You usually get more than you pay for...
> Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
Re: [Vserver] [Release] Development 1.3.4
On Tue, Jan 06, 2004 at 01:47:45PM -0500, Jim Buttafuoco wrote:
> small question from a new (but very happy) user. What does ck* stand for?

'ck' is short for Con Kolivas and that is the guy (google will tell you more) who does the patchsets I recently stumbled over, and considered for vserver use ...

basically it contains O(1), Preemption, Lowlat and XFS patches for the vanilla kernels ...

what is vanilla? those are the unmodified, main kernel releases like the Marcelo or Andrew tree ..

who is Marcelo? who is Andrew? well that is another story, but they both maintain stable linux branches (2.4 and 2.6)

HTH,
Herbert

> Thanks
> Jim
>
> -- Original Message ---
> From: Herbert Poetzl [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tue, 6 Jan 2004 19:06:40 +0100
> Subject: [Vserver] [Release] Development 1.3.4
>
> > Hi Community!
> >
> > another small step in vserver evolution has been made with the new development release (1.3.4) available at http://www.13thfloor.at/vserver/d_release/v1.3.4/
> >
> > the changes:
> >
> >  - cleanup of the ili stuff
> >  - small vshelper interface change
> >  - XFS ili support [ck1]
> >
> > you can download all-in-one patches for 2.4.24 and 2.4.24-ck1 (2.4.24 + 2.4.23-ck1 patchset) as well as tar archives of all the splitups and incremental patches ...
> >
> > util-vserver-0.27 and later should work for now, newer tools will be required at a later stage ...
> >
> > if you want to aid in development, please test it (for best results, on production like scenarios) and provide some feedback ...
> >
> > TIA,
> > Herbert
>
> --- End of Original Message ---
Re: [Vserver] [Release] Development 1.3.4
On Tue, Jan 06, 2004 at 12:04:17PM -0800, Roderick A. Anderson wrote:
> On Tue, 6 Jan 2004, Dariush Pietrzak wrote:
> > > - cleanup of the ili stuff
> > > - XFS ili support [ck1]
> >
> > what is 'ili'?

yeah, I was wondering too what ili would be and what it will become, well in the development branch it now became 'immutable unlink' or short 'iunlink' ...

> It might make you ill? Sorry. I think 'immutable link invert' or something along those lines. Don't ask me what it is 'cause all I know is it _might_ have been the cause one of my problems. I am still too new to this kernel stuff to understand all that's happening.

okay, short explanation: immutable link(age) invert

there is a flag (on most linux filesystems) called the Immutable flag, which, when set, blocks any attempts to modify or remove the file ...

this flag becomes handy, when for example as done with vserver some files can be shared among different contexts (like it is done with unified servers), but how could such an immutable file in a vserver ever be updated? well it can't, that was the reason for adding another flag, which was done by Sam Vilain, to weaken this Immutability by allowing to remove the file although the Immutable flag is set.

luckily most package systems remove any old files before they install new ones, so this is almost natural to most systems ...

HTH,
Herbert

> Rod
> --
> Open Source Software - You usually get more than you pay for...
> Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
[Vserver] v_sshd and ipip tunnels
Hi folks,

Related to my previous message I believe the v_sshd script is having issues with the ipip tunnels that we are running.

Using v_sshd which is bound to the master host's addresses causes Invalid argument errors when attempting to access services via a tunnel. Forcing software within these v_sshd sessions to bind to a specific source IP address appears to solve the access issues. Not all software is capable of doing this and it is very inconvenient to remember to add the extra arguments.

We have reconfigured our server to use the standard sshd and ListenAddress parameters and are able to ping,ssh with no problems.

Our box is using 2.4.23 and vs1.21.

    [EMAIL PROTECTED] root]# cat /etc/vservices/sshd.conf
    #!/bin/sh
    IP=eth0 eth1

If anyone could offer suggestions or possible fixes that would be appreciated.

Thanks,
Trevor.
Re: [Vserver] v_sshd and ipip tunnels
On Wed, Jan 07, 2004 at 11:04:56AM +1030, Trevor Nichols wrote:
> Hi folks,
>
> Related to my previous message I believe the v_sshd script is having issues with the ipip tunnels that we are running.
>
> Using v_sshd which is bound to the master host's addresses causes Invalid argument errors when attempting to access services via a tunnel. Forcing software within these v_sshd sessions to bind to a specific source IP address appears to solve the access issues. Not all software is capable of doing this and it is very inconvenient to remember to add the extra arguments.
>
> We have reconfigured our server to use the standard sshd and ListenAddress parameters and are able to ping,ssh with no problems.
>
> Our box is using 2.4.23 and vs1.21.
>
>     [EMAIL PROTECTED] root]# cat /etc/vservices/sshd.conf
>     #!/bin/sh
>     IP=eth0 eth1
>
> If anyone could offer suggestions or possible fixes that would be appreciated.

well, I guess I could, if I would understand what you are trying to accomplish and where you see/get the issues ...

maybe you could join our #vserver irc channel on irc.oftc.net and shed some light on your setup and the related issues

best,
Herbert

> Thanks,
> Trevor.
RE: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Time outs like that often mean dns related problems. Have you added the proper dns settings to /etc/resolv.conf in the vserver?

If so, does your mailserver run in a chroot jail? (like postfix) If so, you need to copy the resolv.conf settings to the jail or your mailserver will not know about them. If you're using postfix, it might be: /var/spool/postfix/etc/resolv.conf

That problem can be very frustrating and hard to track down.

BTW, if it's not dns related, the next most likely problem is routing, but I've never seen that happen in a vserver.

HTH,

Matthew Nuzum      | ISPs: Make $200 - $5,000 per referral by
www.followers.net  | recommending Elite CMS to your customers!
[EMAIL PROTECTED]  | http://www.followers.net/isp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Goeres
Sent: Tuesday, January 06, 2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24

Hi Christian!

Could you describe how this problem looked like? I have a mail-sending problem too and have absolutely no idea anymore, how to solve it:

A mailserver running on a vserver on a 2.4.23-vs1.21-host can't contact one single remote mailserver (only 1 :-\). Connection always times out... and that's it. works well with all other mailservers. A telnet to port 25 from the host itself to this single mailserver times out equally..

could this be a vserver-related problem? I'd never thought of that..

Greetings
Alexander

On Tuesday, 6 January 2004 14:22, Christian Mayrhuber wrote:
> The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems to send mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.

--
agoeres _at_ lieblinx.net
tel.: +49 (0)30 / 61 20 26 87
fax: +49 (0)30 / 61 20 26 89
lieblinxNET we do software
a Marwood Thiele GbR
reichenberger straße 125
10999 Berlin
http://lieblinx.net
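
The chroot-jail check suggested in the message above (resolver settings present in the vserver but missing from the mail server's jail), as an added example that is not part of the original thread. The function names, return codes and the constructed sample files are assumptions; on a real system pass /etc/resolv.conf and the jail copy (for postfix, possibly /var/spool/postfix/etc/resolv.conf) as arguments.

```shell
#!/bin/sh
# Added example: compare the nameservers in a resolv.conf with the copy
# inside a chroot jail. Function names and return codes are hypothetical.

# Print the nameserver addresses of a resolv.conf, one per line, sorted.
# Comment lines and blank lines are ignored; leading whitespace is accepted.
nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1" | sort -u
}

# jail_resolv_status HOST_FILE JAIL_FILE
#   returns 0  jail copy lists the same nameservers as the host file
#   returns 1  jail copy is missing or unreadable
#   returns 2  host file is unreadable or lists no nameserver at all
#   returns 3  both exist but the nameserver sets differ (details printed)
jail_resolv_status() {
    host_file=$1
    jail_file=$2

    [ -r "$host_file" ] || { echo "cannot read $host_file"; return 2; }
    host_ns=$(nameservers "$host_file")
    [ -n "$host_ns" ] || { echo "no nameserver in $host_file"; return 2; }

    [ -r "$jail_file" ] || { echo "jail copy missing: $jail_file"; return 1; }
    jail_ns=$(nameservers "$jail_file")

    if [ "$host_ns" = "$jail_ns" ]; then
        echo "jail resolver settings match"
        return 0
    fi

    # Report each address that is present on one side only.
    for ns in $host_ns; do
        printf '%s\n' "$jail_ns" | grep -qxF "$ns" ||
            echo "missing in jail: nameserver $ns"
    done
    for ns in $jail_ns; do
        printf '%s\n' "$host_ns" | grep -qxF "$ns" ||
            echo "only in jail: nameserver $ns"
    done
    return 3
}

# Demo on constructed files (addresses from the 192.0.2.0/24 documentation
# range), so the script runs without touching the real system.
demo_dir=$(mktemp -d)
printf '# constructed sample\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n' \
    > "$demo_dir/resolv.conf"
printf 'nameserver 192.0.2.53\n' > "$demo_dir/jail-resolv.conf"
demo_rc=0
jail_resolv_status "$demo_dir/resolv.conf" "$demo_dir/jail-resolv.conf" || demo_rc=$?
echo "status: $demo_rc"
rm -rf "$demo_dir"
```

A non-zero status only says the jail copy is stale or absent; a timeout towards a single remote host with matching resolver files points elsewhere, as the message notes.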