Re: [Vserver] Re: About the tcp/ip stack ...
Although dhcp packets use UDP, they're very weird UDP packets because the client doesn't necessarily have an IP address at the time it needs to receive them. Thus, dhcpd uses a different socket layer than normal UDP/TCP, which I gather from the above is not divided between contexts in freevps.

Aren't they just broadcast packets, sent to 255.255.255.255 on port 67/udp? Anyway, this is OT here so I'll pursue it on the FreeVPS lists. Thanks, Andrew.

dhcpd doesn't use udp sockets. dhcpd uses a raw socket and receives packets via the bpfX device. It's one reason why dhcpd doesn't work with later versions of FreeVPS, but now I release a patch to fix it and use the L2 address for inter-context routing.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Re: About the tcp/ip stack ...
On Sat, 27.05.2006 at 14:17, Andrew Schulman wrote:

dhcpd doesn't use udp sockets. dhcpd uses a raw socket and receives packets via the bpfX device. It's one reason why dhcpd doesn't work with later versions of FreeVPS, but now I release a patch to fix it and use the L2 address for inter-context routing.

OK. Is that true for all DHCP servers, or just dhcpd in particular?

seems to all. it's because dhcpclient sends the first packet to address 0.0.0.0 with a broadcast L2 address.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
RE: [Vserver] VMWare-Server and vserver
I know about it. Some network function changed and it adds incompatibility with vmware, and have fixes for vmware. At http://www.freevps.com/download/vmware/ uploaded sources for VmWare workstation 4.5.1. If you need for different version - please mail me or at freevps list.

On Tue, 18.04.2006 at 12:21, David Amiel wrote:

Hi, I've tried on a centos 4.3 + freevps based server and vmware is not able to compile its network modules. Regards, David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stephan Mueller
Sent: Tuesday, 18 April 2006 09:57
To: vserver@list.linux-vserver.org
Subject: [Vserver] VMWare-Server and vserver

Hi, are there any known issues running the vmware-server on a 2.6 kernel with applied vserver-patches? Cheers, Steph.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:

On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi, It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind(). Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 @@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this is not a full fix. this does not fix the issue for FS based unix sockets.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
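Review bot: the added vx_check() on the socket's sk_xid sits only in this name-matching loop over unix_socket_table, so the patch should say which bind and connect paths reach this lookup and which do not; the reply in this same thread raises filesystem-based sockets as not covered. The hunk also does not show where sk_xid is assigned, so it is worth confirming that every unix socket carries its context id before it is hashed into the table. A one-line comment on why VX_WATCH is accepted next to VX_IDENT would help as well, since a context that passes on VX_WATCH still matches, and therefore still collides with, names bound elsewhere.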
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, 25.01.2006 at 19:07, Herbert Poetzl wrote:

On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:

On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:

On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi, It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind(). Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100 @@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this is not a full fix. this does not fix the issue for FS based unix sockets.

sorry Alex, but the filesystem case is already covered by the namespaces, which you can verify easily ... so everything fine here ...

don't. inode must have one context id (just are error or if unification), but access/bind from an other context.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] Abstract (not FS based) UNIX sockets collision
On Wed, 25.01.2006 at 19:51, Herbert Poetzl wrote:

On Wed, Jan 25, 2006 at 07:27:11PM +0200, Alex Lyashkov wrote:

On Wed, 25.01.2006 at 19:07, Herbert Poetzl wrote:

On Wed, Jan 25, 2006 at 06:51:14PM +0200, Alex Lyashkov wrote:

On Wed, 25.01.2006 at 18:47, Herbert Poetzl wrote:

On Wed, Jan 25, 2006 at 03:35:23PM +0100, Andreas Schultz wrote:

Hi, It seems that abstract UNIX sockets leak from a vserver. I'm trying to run the same java app inside two vservers and only the first one started succeeds. The critical piece from strace is:

20397 socket(PF_FILE, SOCK_STREAM, 0) = 5
20397 setsockopt(5, SOL_SOCKET, SO_PASSCRED, [7738151124464566273], 4) = 0
20397 bind(5, {sa_family=AF_FILE, [EMAIL PROTECTED]/run/.php-java-bridge_socket}, 110) = -1 EADDRINUSE (Address already in use)

Looking at unix_bind() in net/unix/af_unix.c, it would seem that the socket hashes are identical across all vservers and that no additional context check is used. There is a context check in include/net/af_unix.h, but this does not seem to be used when creating sockets from unix_bind(). Any ideas?

this should help ...

--- linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-21 18:28:17 +0100 +++ linux-2.6.16-rc1/net/unix/af_unix.c 2006-01-25 17:22:11 +0100
@@ -238,6 +238,8 @@ static struct sock *__unix_find_socket_b sk_for_each(s, node, unix_socket_table[hash ^ type]) { struct unix_sock *u = unix_sk(s); + if (!vx_check(s-sk_xid, VX_IDENT|VX_WATCH)) + continue; if (u-addr-len == len !memcmp(u-addr-name, sunname, len)) goto found;

thanks for spotting this ...

this is not a full fix. this does not fix the issue for FS based unix sockets.

sorry Alex, but the filesystem case is already covered by the namespaces, which you can verify easily ... so everything fine here ...

don't. inode must have one context id (just are error or if unification), but access/bind from an other context.

could you provide an example where it fails for you?

look into unix_bind. you can't create unix socket if fs consist fs object with same name. One object can be create via chroot or via full path and second is program inside VPS.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
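An added example, not code from this thread or from either project: a small C program that reproduces the two bind() behaviours argued about above on a stock Linux kernel, an abstract name colliding through the kernel's own table and a filesystem name colliding only when the same path already exists. The names under /tmp and the "bind-demo" prefix are constructed for the example; run inside two contexts with a fixed abstract name, the same calls show whether abstract names are isolated between them.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a stream socket; returns the fd, or -errno on failure. */
static int bind_un(const struct sockaddr_un *sa, socklen_t len)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (bind(fd, (const struct sockaddr *)sa, len) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* abstract != 0: sun_path[0] stays NUL and the name follows it (no inode).
 * abstract == 0: name is a filesystem path and bind() creates a socket inode.
 * Either way the address length is header + name + one byte (leading NUL for
 * an abstract name, trailing NUL for a path). */
static int bind_name(const char *name, int abstract)
{
    struct sockaddr_un sa;
    size_t n = strlen(name);

    if (n + 1 > sizeof(sa.sun_path))
        return -ENAMETOOLONG;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path + (abstract ? 1 : 0), name, n);
    return bind_un(&sa, (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1));
}

/* Close fd if valid and reduce a bind result to 0 (bound) or -errno. */
static int done(int fd)
{
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

struct bind_results {       /* 1 means "check not run" */
    int abstract_second;    /* same abstract name while the first is open */
    int abstract_rebind;    /* same abstract name after the first is closed */
    int path_same;          /* same filesystem path, second bind */
    int path_other_dir;     /* same file name under a different directory */
};

static struct bind_results run_bind_checks(void)
{
    struct bind_results r = { 1, 1, 1, 1 };
    char name[64], dir_a[64], dir_b[64], sock_a[80], sock_b[80];
    long pid = (long)getpid();
    int first;

    /* Constructed names; the pid keeps parallel runs apart. */
    snprintf(name, sizeof(name), "bind-demo-%ld", pid);
    snprintf(dir_a, sizeof(dir_a), "/tmp/bind-demo-%ld-a", pid);
    snprintf(dir_b, sizeof(dir_b), "/tmp/bind-demo-%ld-b", pid);
    snprintf(sock_a, sizeof(sock_a), "%s/sock", dir_a);
    snprintf(sock_b, sizeof(sock_b), "%s/sock", dir_b);

    first = bind_name(name, 1);
    if (first < 0)
        return r;
    r.abstract_second = done(bind_name(name, 1));
    close(first);   /* an abstract name disappears with its last descriptor */
    r.abstract_rebind = done(bind_name(name, 1));

    /* mkdir() fails rather than reusing an existing entry. */
    if (mkdir(dir_a, 0700) == 0) {
        if (mkdir(dir_b, 0700) == 0) {
            first = bind_name(sock_a, 0);
            r.path_same = done(bind_name(sock_a, 0));
            r.path_other_dir = done(bind_name(sock_b, 0));
            done(first);
            unlink(sock_a);
            unlink(sock_b);
            rmdir(dir_b);
        }
        rmdir(dir_a);
    }
    return r;
}

int main(void)
{
    struct bind_results r = run_bind_checks();

    printf("abstract, second bind:  %d\n", r.abstract_second);
    printf("abstract, after close:  %d\n", r.abstract_rebind);
    printf("path, same path again:  %d\n", r.path_same);
    printf("path, other directory:  %d\n", r.path_other_dir);
    return 0;
}
```

Each value is 0 for a successful bind or a negated errno.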
Re: [Vserver] Re: [ANNOUNCE] second stable release of Linux-VServer
Virtual Machine (Emulators/Simulators): (allows for unmodified guest systems)
- Bochs
- VMware
- QEMU
- SoftPC
- Hercules
- VirtualPC
- GXemul
- UAE

Parallels http://www.parallels.com/en/download/

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] VServer vs OpenVZ
On Wed, 07.12.2005 at 16:34, Herbert Poetzl wrote:

On Wed, Dec 07, 2005 at 06:44:43AM +0200, Alex Lyashkov wrote:

(will use Z for OpenVZ and S for Linux-VServer)

Factors of interest are - stability,

Z: the announcement reads first stable OVZ version
S: we are at version 2.0.1 ( two years stable releases)

And all this time VServer need a hack for allow bind socket to INADDR_ANY at VPS ;-)

hmm, well, it works reasonably fine .. no?

The thing that I find unreasonable is that you cannot bind to INADDR_ANY on the host server, without affecting all the VPSes. This basically means that if you have default bind (or ssh) installed on the HOST system, no VPSes will be able to bring up those services.

Z Have: COW VFS (similar unionfs),

S: has CoW link breaking (more powerful than unionfs :)

CoW link requires glibc modification, while VZFS does not. The negative side of VZFS is double buffering, due to it being stackable FS.

Virtual networking support, Fair-share scheduler

S: priority and hard cpu schedulers

This is not the same. Priority and hard limits don't provide fair share CPU scheduling. Two different things (three).

Z don't have: disk namespace support (but create vroot similar FreeBSD Jail).

but I guess we are heading towards a feature shootout (which is fine for me, but isn't very important for the userbase, I guess :)

best, Herbert

PS: nice to hear from you!

PPS: is there anything left from the cooperation we started a year ago (or so)?

It would be great, but somewhat difficult as Vserver and FreeVPS use different ideology. VServer and OpenVZ store context id at kernel objects level (it's easier to develop, but slows down access to context data). FreeVPS stores pointer to context structure, at kernel object (more work, debugging, but much faster access to data, that is needed for each context switch).

I see a lot of potential in the possible merge, but I consider the way FreeVPS works with context ids to be much more efficient. I also consider it fairly critical for optimum performance on a server with large number of VPSes. It would be great to work together though, but it makes sense only if VServer developers are interested in merging projects/porting some of the FreeVPS staff to VServers as well.

Other side - FreeVPS used RH EL kernels. this adds stability to the kernel API, while all the bug fixes are back ported. At the same time Vserver can continue to use bleeding edge kernels/be portable across all the platforms

If compare features - FreeVPS has all features which VServer have at x86 platform. Yet, at this moment it is the only platform supported.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] VServer vs OpenVZ
FreeVPS stores pointer to context structure, at kernel object (more work, debugging, but much faster access to data, that is needed for each context switch).

hmm, again JFYI, linux-vserver uses both, context references as well as xid information, wherever the one or the other applies ...

network, fs, ngnet looks use xid tagging. I don't see real use of context reference.

I see a lot of potential in the possible merge, but I consider the way FreeVPS works with context ids to be much more efficient. I also consider it fairly critical for optimum performance on a server with large number of VPSes. It would be great to work together though, but it makes sense only if VServer developers are interested in merging projects/porting some of the FreeVPS staff to VServers as well.

cooperation is not about porting stuff from one project to the other, cooperation is about discussing stuff and ideas, and keeping the APIs (and maybe userspace tools) somewhat compatible, so that folks (the customers) can choose to their likings ...

For me, it's interested only with merge project to one.

Other side - FreeVPS used RH EL kernels. this adds stability to the kernel API, while all the bug fixes are back ported. At the same time

I do not understand why folks always think that back porting bug fixes adds to stability ... well, maybe to the stability of the API but not to the kernel stability ... :)

If you don't love RH, look how work Debian re.

Vserver can continue to use bleeding edge kernels/be portable across all the platforms If compare features - FreeVPS has all features which VServer have at x86 platform. Yet, at this moment it is the only platform supported.

hmm, looking here I see a bunch of differences: http://www.freevps.com/tracker.html

This only basic :) Don't include per context IPC, per context ip_conntrack, per context arp_tables, separated UIDS, and some other.

btw, is there a patch (or even better, broken out version) available which applies to mainline? (just curious)

best, Herbert

PS: please point me to _any_ patch against a well known base kernel (for the recent FreeVPS versions)

look into CVS repository or http://vps-demo.freevps.com/snapshots/patches/. Last freevps26 patches is against RH 2.6.9-22.0.1 kernel.

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
RE: [Vserver] VServer vs OpenVZ
(will use Z for OpenVZ and S for Linux-VServer)

Factors of interest are - stability,

Z: the announcement reads first stable OVZ version
S: we are at version 2.0.1 ( two years stable releases)

And all this time VServer need a hack for allow bind socket to INADDR_ANY at VPS ;-)

Z Have: COW VFS (similar unionfs), Virtual networking support, Fair-share scheduler

Z don't have: disk namespace support (but create vroot similar FreeBSD Jail).

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] [EMAIL PROTECTED]: Re: [Users] VServer vs OpenVZ]
ngnet was delayed several times because it is not really necessary to have and of course network virtualization adds overhead and 'might' affect stability (as the kernel networking is changing very heavily with every release)

I don't right. Network virtualization reduce overhead of using VPS at box. But it need full virtualization, not are only virtualize routing tables how it do at ngnet. Without network virtualization you must have hacks for bind INADDR_ANY and work chbind ;-)

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
RE: [Vserver] RHEL3 - Rpm lockup when installing new vserver ?
On 03.03.2005 at 18:57, Brian Ipsen wrote:

Hi,

Hmm.. I wonder why the rpm command suddenly decides to take up so much CPU time ... :-/

try to attach with strace to that rpm command (once it is running) or even via gdb, and see what it is doing ... most likely it's some kind of rpm bug, which keeps it spinning on the very same action over and over (maybe looking for some file or device which isn't there ...) some trace or debug log would help to narrow that down

I've got some output from strace - rather much ... 50-60 MB uncompressed... The last thing in the log (before I interrupt the trace and rpm command) are a whole lot of lines like:

futex(0x8337d18, FUTEX_WAIT, 1, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8337d18, FUTEX_WAIT, 1, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8337d18, FUTEX_WAIT, 1, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8337d18, FUTEX_WAIT, 1, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8337d18, FUTEX_WAIT, 1, NULL) = -1 ENOSYS (Function not implemented)

I don't know if someone want to take a look at it ? Gzip'ed the log is about 370 KB ... Regards,

don't try to install vanilla 2.4 kernel to RHEL3 system. vanilla 2.6 possible work at RHEL3 box, but not a vanilla 2.4 :)

--
FreeVPS Developers Team http://www.freevps.com
Positive Software http://www.psoft.net
Re: [Vserver] eth0 + dummy0
On 21.09.2004 at 13:53, Konrad Korzeniowski wrote:

Brian wrote:

I cannot understand.. I have a Hostsystem with eth0 = Internet address dummy0 = Privat address

1 Vserver with Privat address bind on dummy0
2 Vserver with Internet and Privat address.

its running well, fast and stable. yesterday I install Vserver number 4 with Internet and Privat address too. It's running well too.. I install apache and mail ... I go to the Webinterface of my software in this new vServer. everything running well. 5 minutes later the 4. Vserver are offline .. I try to ping but nothing is go .. restart vserver ... nothing changed... I go to the Host system and ping the IP ..

ping 83.xxx.yy.zz
PING 83.xxx.yy.zz (83.xxx.yy.zz): 56 data bytes
64 bytes from 10.49.0.1: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 10.49.0.1: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 10.49.0.1: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 10.49.0.1: icmp_seq=3 ttl=64 time=0.0 ms

10.49.0.1 is the dummy0 of the host system .. why !!?? when the server are down, it's the same .. I don't know whats wrong ..

My solution was changing order of IP addresses in config file (IPROOT) - first one should be public address. But my problem occurs only with such applications as razor2, pyzor... with iptraf I've discovered that tcp packets with private source address are trying to get out trough 'public' interface (ip_forwarding = 0, no iptables) Looks like this setting influences somehow routing - is it possible? (2.4.26-vs1.27)

http://list.linux-vserver.org/archive/vserver/msg05959.html

--
Alex Lyashkov [EMAIL PROTECTED] Home
RE: [Vserver] Re: BSDJAILS in 2.6.x as LSM?
On 13.09.2004 at 20:33, Marc E. Fiuczynski wrote:

Herbert, I've already contacted the author, some time ago, and again yesterday, maybe we can work together on that ... we'll see ...

If move it to LSM you can't reduce VPS overhead. It's primary at network part, large lists (sockets/iptables/etc) is not are good for work.

--
Alex Lyashkov [EMAIL PROTECTED] Home
Re: [Vserver] Vserver And RedHat Kernels
On 20.08.2004 at 11:37, Ehab Heikal wrote:

Thank you Alex I did have a look at your fine project, it is very nice, but we have already a lot of time learning Vserver, you do things a bit differently, I already have VSERVER running and the migration would be a headache.

VServer can't be applied to RH kernel, because this kernel have many changes with vanilla kernel. I know Sam Villiam (?) have changes for Vserver and it applied to RH 7.3 kernels.

Alex Lyashkov wrote:

On 19.08.2004 at 15:46, Ehab Heikal wrote:

Yes I know most of the time this is the case, but still I would feel more comfortable buying such a product if I could do a RH 2.4X kernel. Does any one know how or if it has already been done?

see FreeVPS home page - www.freevps.com. This product based at RH EL kernels and have many additions as compared with VServer. As full separated per VPS ipv4 stack (include iptables/routings and virtual network devices), CPU QoS.

Arne Blankerts wrote:

On Tue, 2004-08-17 at 14:35, Ehab Heikal wrote:

Has anyone patched the RedHat kernels rather than plain vanilla kernel.org kernels? Are there any problems with it? Are they available for download anywhere? I need them since a specific driver supports only RH kernels or so its vendor says.

If that's not a binary-only driver, that's pretty much going to be bullshit. They may only support official rh-kernels, but the driver is supposed to work in any kernel of the same version.

Mit freundlichen Grüßen/Regards, Arne Blankerts

--
Alex Lyashkov [EMAIL PROTECTED] Home
Re: [Vserver] UDP port forwarding bug
16.08.2004, 13:49, Herbert

- the 'first' ip associated with a vserver is considered the 'primary' ip, used for outgoing traffic, if the source ip cannot be determined

and if routing cache not have any cached routes for this dst entry. Otherwise been used src address from cached route entry.

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
Re: [Vserver] some question about vserver
On 23.07.2004 at 15:20, Thomas Gelf wrote:

I have some question about vserver. Q1. can we set limit at each virtual root usage of their bandwidth per month, cpu/ram usage?

limiting bandwidth per month can be done in userspace, for example with simple iptables-based accounting, triggering some action if the limit gets exceeded (stop vserver, shape traffic...)

With some situation traffic from vserver not been send from vserver ip's. It's effect running linux routing cache. I send info about it to vserver list and I hope Herbert fix it with new generation vserver network.

limit cpu/ram per month doesn't seem very useful to me - but vserver allows you to set absolute soft/hard ram/cpu limits.

vserver can limit only total address space (total vm size) - Herbert say it's been fixed with new memory accounting.

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
[Vserver] please update freevps info at http://www.linux-vserver.org/
Hi Herbert

Please update information at http://www.linux-vserver.org/ about FreeVPS to current state. At current state FreeVPS based at kernel 2.4.21-9.0.3 and tested at testlab for compatible with RH 7.3, RH EL 3, CentOS 3.1. I know it also running with RH 9, and I think this work with RH 8.

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
Re: [Vserver] Connections from virtual server appearing as if from host
On 28.04.2004 at 18:46, [EMAIL PROTECTED] wrote:

Howdy all: Incoming connections from a virtual server I'm running are appearing as if they are coming from the host. For example, on a third server (completely separate from the host/vserver), the httpd access_log shows entries from the host IP, and not the vserver IP, when accesses are coming from an app running in the vserver context. Is this expected behavior? Is there a way I can make vserver connections appears as if they are from the vserver? I saw a similar question in the IRC logs, but the answer appeared to be truncated. Thanks, Ryan

p.s. Running vs1.3.8 and alpha util-vserver. The host and the vserver have been assigned different IP addresses on the same subnet.

see archive this list. Correctly select source address without complete separate routing caches and routing tables not possible. and Vserver not have it. I report about this bug to list, because freevps have same problem at one of old snapshot.

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
Re: [Vserver] FreeVPS 1.3 features announce
On 02.04.2004 at 15:41, Herbert Poetzl wrote:

On Fri, Apr 02, 2004 at 04:59:19PM +0300, [EMAIL PROTECTED] wrote:

On Thu, Apr 01, 2004 at 09:01:12PM +0300, Alexander Suvorov wrote:

Dear colleagues! Let us to announce some new features in FreeVPS 1.3:

scheduled for?

1. CPU Limit - allow to set up the upper limit of CPU usage inside VPS

this is in linux-vserver ;)

Just one question: when ? Is it CPU_CAP patch integration?

no, we have a hard CPU scheduler (not realtime) in the 2.6 experimental branch, which will become devel in a few days ...

And does it will be possible to limit amount of physical RAM that is accessible to vserver ?

this, as a matter of fact, doesn't make any sense, as you would not want to have complete memory separation between vservers. why?
- one benefit of vservers over let's say UML or VMware is that the resources are shared, for example the inode cache
- strict memory separation would not allow to fork/move a process into a context, which is what you do when you enter a vserver

you not right. it easy. for example see ckrm.

we do RSS accounting and VM accounting, and in 2.6 experimental, a limit on RSS can be enforced in various places where it makes sense

HTH, Herbert

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
Re: [Vserver] FreeVPS 1.3 features announce
On 02.04.2004 at 15:05, Herbert Poetzl wrote:

On Thu, Apr 01, 2004 at 09:01:12PM +0300, Alexander Suvorov wrote:

Dear colleagues! Let us to announce some new features in FreeVPS 1.3:

scheduled for?

1. CPU Limit - allow to set up the upper limit of CPU usage inside VPS

this is in linux-vserver ;)

Sam Vilian patch ? in stable version ? i see her in you patchset, but this patch need less overhead.

2. CPU QoS - allow to set up the lower limit of CPU resource available inside VPS

like min 50% for all 10 servers?

like min 5% per vps. if been request i can add and it feature. it easy.

3. Restore RSS memory accounting

hmm, please elaborate ...

When porting to RH EL RSS can be not work.

4. DiskQuota speed optimization - separating dquota hash per each context

great, we have that one too, since ... hmm, 2002?

not, you not store information per context (how i say to you over year old) and it add many many overhead to code. you not agree ?

5. init emulation - add teinit, reboot, halt tools

hmm, probably means 'reloading' the /bin/init or whatever after a reboot?

it analog for vserver's userland helper, but i think run script from kernel (how you do) it really bad idea.

Today, two first points been finished and available in FreeVPS CVS.

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
Re: [Vserver] Traffic limitation - how are you doing it ?
On 02.04.2004 at 17:04, [EMAIL PROTECTED] wrote:

It's something like pool - what people using for traffic/bandwidth limitation?

FreeVPS 1.2

vifconfig --ctx N --device Name --txspeed Zk

--
Alex Lyashkov [EMAIL PROTECTED] Home
Re: [Vserver] iptables
On 26.03.2004 at 00:06, Gregory (Grisha) Trubetskoy wrote:

I know someone who has a virtuozzo-base hosting account, and it appears that their latest version allows for iptables/ipchains to work somehow. Anyone know how it works, and is this something that might be possible with VServer, perhaps in the future? Grisha

current vserver - not. Try FreeVPS - her allow use iptables inside vps.

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
[Vserver] FreeVPS 1.2
Hi All

FreeVPS 1.2rc1 released. Changes between last release

1) reworked memory accounting. now correctly counted shared memory regions.
2) implement new (2 level) routing scheme. it's do speed up for network applications.
3) implement network bandwidth shaper at virtual network devices.
4) Project moved to last RH EL kernel (2.4.21-9.0.1 at this moment).

I test this kernel with RH 7.3 environment and not found problems at work. I think his must be work with all RH products after RH 7.3 and Fedora Core.

Scripts for build kernel and tools for it uploaded to http://www.freevps.com/download/make_rpm/. Also kernel can be downloaded via anonymous cvs

cvs -z9 -d :pserver:[EMAIL PROTECTED]:/var/spool/cvs/freevps-rh-as checkout -r FREEVPS_1_2_RC1 kernel

Web cvs for project http://freevps.org.ua/cgi-bin/cvsweb.cgi

Any feedbacks a welcome.

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
Re: [Vserver] Zones...
On 05.03.2004 at 21:01, Asbjørn Sannes wrote:

On Friday 05 March 2004 11:14, Arnaud Gomes-do-Vale wrote:

Alex Lyashkov [EMAIL PROTECTED] writes:

4) IPv6 support. Zones have it, vserver does not.

It realy need ?

I'd say yes. :-) This is one of the main issues preventing me from switching most of my public servers to vservers (the other one being the lack of a virtual loopback interface).

I've been hoping for that feature for a long time (IPv6), I hope it gets included in the 2.6 vserver tree :) (Just so you know there are people wanting this feature). Luckily this isn't a problem for me right now, because I don't have IPv6 connectivity at the moment.. but still :)

Well. Second request...

--
Alex Lyashkov [EMAIL PROTECTED] PSoft
Re: [Vserver] Ulimt's seems to fail.
On 04.03.2004 at 11:13:

On Tue, 2 Mar 2004 13:35:53 +0100 Dariush Pietrzak [EMAIL PROTECTED] wrote:

1'st - it was not a fork bomb. I expected that -t 5 will give to vserver no mo then 10% of CPU time

Why would '-t 5' limit cpu usage to 10%? What patches are you using for that?

Hi. None. It was my mistake. man bash is very poor about ulimits... :( Still trying to find solution.

Try CPU CAP.

--
Alex Lyashkov [EMAIL PROTECTED] Home
Re: [Vserver] POLL: Number of IP Addresses in Each Vserver
On 27.02.2004 at 10:03, Thomas Gelf wrote:

I believe that limiting the number of possible ip addresses is definitively the wrong way:

- most vservers need only one ip address
- if you start hosting many ssl sites on a single vserver even 200 or more ip addresses will not be enough
- Christian proposed using an ip/wildcard combination to limit addresses. this seems unusable to me as from my experience your provider over the years will assign you many different small subnets - at least if you depend on RIPE
- i believe that with IPv6 ssl-based webhosting and ip-based vhosts will increase dramatically - so 16, 32 or even 64 ip addresses per vserver will be useless

vserver still needs better networking support - and in my eyes at the moment the best solution will be:

- one TUN/TAP Device per vserver, bridging them to eth0 (like UML, see http://user-mode-linux.sourceforge.net/networking.html, section TUN/TAP with a preconfigured tap device
- the possibility to define the name of the interface as it will be visible inside the vserver
- the possibility to add more than one interface to one vserver, as adding many bridges to a real host is also no problem
- context-based routing support
- virtual loopback devices
- per-context netfilter...
- full networking support!

is it possible to realize this? how much work would it be? the first part (tun/tap interface == virtual eth0 inside the vserver, bridge them to real eth0, allow CAP_NET_ADMIN for the visible interfaces only) should be no problem, what about per-context routing/firewalling?

VServer not have it.

Cheers, Thomas

On Fri, 27.02.2004 at 01:15, Kevin Gray wrote:

After discussions on the irc channel, Herbert thought it might be a good idea to get some feedback on the following question. Any input is appreciated: How many ip addresses should be sufficient for a single vserver? If you think more than a few (more than 16 for example), would it be more useful/appropriate given your setup to use ranges of ips or enter them one by one?

Just for my feedback to start: We normally use one ip address per vserver, but for some of our hosting services, we have 32 customers in a single vserver. The reason being, less individual services (overhead), more customers on a server, etc. The number 32 is used because of the limitation of adding secondary members to a group in reference to permissions. Instead of changing this in the kernel (if possible), we decided to increase the limitation in vserver tools/patch to allow more than 16 ip addresses. We do not use ranges only for the reason that other than the hassle of obtaining additional subnets, our existing free ips are not in blocks, but randomly throughout..

Kevin Gray
Sr. Network Administrator
eApps

--
Alex Lyashkov [EMAIL PROTECTED] Home
Re: [Vserver] POLL: Number of IP Addresses / FreeVPS
, 27.02.2004, 11:54, Thomas Gelf :
Hi Alex, I've had a look at freevps (just downloaded the source, didn't try it out). vifconfig seems to be a very cool thing, do you consider it possible to adapt something like that to the linux-vserver project?
What is adapt to the linux-vserver project? Porting? For it I need to port all my network patches and change some structures in the linux vserver core. If Herbert do it
I believe that creating freevps was a great work, but I prefer the vserver project for the following reasons:
- I'll not go to use a redhat-like 2.4.18-x kernel on my debian servers, I prefer patches to the latest stable kernel, I'm using 2.4.25 at the moment and I'll switch to v2.6 as soon as possible, at the moment I'm missing support for ctx-based disklimits in kernel v2.6
2.4.18-27 is more 2.5/2.6 than 2.4. It's a kernel based on the -ac patchset, with many fixes and additions. Next release will be based on the RH AS -9.0.1 kernel; at present I am adapting the new memory accounting to its mm subsystem.
- linux-vserver is a community project and this community seems to be very active!
Lately I see the community only finding Herbert's errors :-\
In my opinion the best way for both projects would be to merge now, as both projects are undergoing deep changes for kernel v2.6 (has been discussed earlier on this list):
- find a common solution for the networking stuff, I prefer the FreeVPS way
- find a common way for handling ctx-based disk/memory-limits and quotas
- ...
On Fri, 27.02.2004 at 09:11, Alex Lyashkov wrote:
, 27.02.2004, 10:03, Thomas Gelf :
is it possible to realize this? how much work would it be? the first part (tun/tap interface == virtual eth0 inside the vserver, bridge them to real eth0, allow CAP_NET_ADMIN for the visible interfaces only) should be no problem, what about per-context routing/firewalling?
VServer not have it.
-- Alex Lyashkov [EMAIL PROTECTED] Home
Re: [Vserver] bind9 in vserver (new...)
On Thursday 12 February 2004 13:58, Christian Mayrhuber wrote:
Viorel Anghel wrote:
My first post here and i would like to thank to all the developers for their terrific work. Now, my problem. Short story: kernel 2.4.24, vserver 1.26 (no other patches). bind9 with nocapset (Paul Sladen's debian packages), running inside a vserver. doesn't answer to udp requests, but works with tcp requests. short question: does anyone using bind9 inside vserver with recent series of patches (it worked for me with old Jacques Gélinas's ctx patches).
Yes, Debian woody, kernel-2.4.24-vs1.26, Bind9 9.2.1-2.woody, S_CAPS=CAP_SYS_RESOURCE in $VSERVER.conf. Running fine with vs1.26 as it did with ctx17a.
In 1.2.x CAP_SYS_RESOURCE allows the vps admin to overwrite the process limit per vps. It is safe to use only with 1.3.x
-- With best regards, Alex
Re: [Vserver] Redhat 9.0 or 7.3
On Monday 09 February 2004 19:10, Tom Walsh wrote:
I am about to set up a brand new Vserver and am wondering would it be better to use Redhat 9.0 or 7.3 as the Vserver root server? Is Redhat 9.0 fully compatible as a root Vserver? My thought is that there are fewer packages being compiled for Redhat 7.3 than Redhat 9.0 and this trend will only continue into the future. Please forgive me if this has been answered elsewhere (I haven't been able to find this answer) or if I start a flame war :) Thank you for all your hard work on this project.
I don't believe it is possible to use the redhat kernel sources (7.3 or 9.0) to apply the vserver patch set. You are better off going with a vanilla kernel (or the ck1 patchset to a vanilla kernel, which has a lot of the same kernel features that RedHat includes in their kernel O(1), xfs, etc... And there is a vserver patch set for this kernel.).
Linux vserver can't be applied to RH kernel sources. If you have exactly the RH kernel source - try FreeVPS.
-- With best regards, Alex
Re: [Vserver] [Release] Stable vs1.25 Security Update
On Friday 06 February 2004 18:58, Ondřej Surý wrote:
Hi, BEWARE this patch breaks Debian! dpkg does: mkdir(blah/blah.dpkg-new, 0) chmod(blah/blah.dpkg-new, 0755) And chmod obviously fails. Proper fix should probably check exact inode of /vservers/ dir and protect only this one particular inode.
Proper fix - use separated disknamespace for each vserver.
-- With best regards, Alex
Re: [Vserver] future 2.6 development ...
On Friday 30 January 2004 01:13, Herbert Poetzl wrote:
On Thu, Jan 29, 2004 at 04:34:00PM -0500, Igor Seletskiy wrote:
Hi Herbert, My name is Igor Seletskiy. I own psoft (maker of freeVPS). I wonder what are your thoughts about merging linux-vserver freeVPS? I believe at some points freeVPS is more advanced than linux-vserver (like our new memory accounting module, new network routing, also, mount tables), on the other hand - I am pretty sure that there are bunch of places where linux-vserver is more advanced. I spun off freeVPS when Jacques virtually stopped releasing anything. Yet, seeing how linux-vserver took off - I wonder what your feelings are about merging projects working together.
I always tried to keep contact to Alexey Lyashkov, who, if I'm not mistaken, started and maintains the vserver branch, now known as freeVPS (I wonder if that information is incomplete?)
First was a request from PSoft to create a vserver patchset for RH kernels.
I'm forwarding this to the mailing list, because I think it is of interest for the community, and I hope you do not take this as a personal offense (which isn't intended).
some facts (as I see them):
- freeVPS has some features the current linux-vserver implementation lacks (memory, networking, ...)
- freeVPS is limited to a certain kernel (RH 2.4.18) and distribution (RedHat 7.3) and I assume arch (i386) too
This kernel can be installed on RH 8.0 and you know about it. Don't forget. Ask Matt. I specially did not create a patch for RH 9.0 because it will not be supported in the near future. Other RH kernels can be supported easily, but I use UML for kernel development and the last RH kernel is not compatible with it. Also I don't waste time analyzing changes in the new kernel and merge to freevps only security/stability fixes. You remember many bugs in memory subsystem 2.4.23? I don't have them in FreeVPS.
About arch other than i386 - I have only one piece of arch specific code in container.h; it can be ported easily to other platforms on request, but I see primarily the i386 arch in use.
- the License of tools and kernel patches is not obvious to me, although kernel patches basically default to GPL
- the changes freeVPS made to the RH kernel are very intrusive and might introduce various issues which need some reviewing and a lot of testing
my opinion: I'm convinced that 'working together' in a well defined way, and even 'merging' various parts, provided that they are covered by an open and free license, could be very beneficial for both projects, but I currently do not see a simple way to do that (ideas welcome ;) ... That said, I'm not convinced that it can't be done, it just needs some work on both sides and especially some official statements from your side, what how and why psoft is/will be involved in this (well there is a commercial product H-Sphere, right?)
btw, linux-vserver development is free, and as I said many times, patches are always welcome, so if your aim is to 'improve' the quality of a free linux-vserver implementation, publishing patches against recent dev. versions would be a great way to do that ...
freevps is also free :) Release version and snapshots are uploaded to www.freevps.com and supported by my team :)
-- With best regards, Alex
Re: [Vserver] [Release] Development 1.3.6
On Saturday 24 January 2004 00:58, Herbert Poetzl wrote:
On Sat, Jan 24, 2004 at 12:42:12AM +0200, Alex Lyashkov wrote:
On Saturday 24 January 2004 00:25, Herbert Poetzl wrote:
Hi Community! another quite big step in vserver evolution awaits your testing/approval ;) I had to get 1.3.6 out, before I start attacking the network and virtualization issues, and this seemed like a good time, so here it is: http://www.13thfloor.at/vserver/d_release/v1.3.6/
what was done?
* heavy restructuring (revolution part II)
* memory accounting and resource limits
* xfs iunlink support was added
* finalized the next generation procfs
* inode attribute/xid syscall command
* uts and context name syscall commands
you can download a all-in-one patch for 2.4.25-pre7 or the tar archive of the broken out patches. (2.4.25 patches will be available when the kernel is released ;) it should work with older tools, but to utilize the latest and greatest features, enricos util-vserver 0.27.199 (or later) package is required ... if you want to aid in development, please test it (for best results, on production like scenarios) and provide some feedback ... enjoy, Herbert
Linux-vserver has a bug with the selected source address for outgoing packets. The bug exists because the routing cache info is not divided per context. Routing information about sent packets is stored in the routing cache (net/ipv4/route.c; /proc/net/rt_cache) and this info is used before any call to ip_route_output. It can be tested simply:
# ifconfig eth0 10.0.0.2 netmask 255.255.255.0
1) assign to the vps an address from a network other than the host system's.
# ifconfig eth0:1 192.168.0.2 netmask 255.255.255.0
2) send any packet from the vps to any host in that network.
# chbind --ip 192.168.0.2 ping -c 3 192.168.0.1
3) try to send a packet from the host system to the selected host. The packet will have the vps source address.
# ping -c 1 10.0.0.1
You tried pinging a different address - it creates new routes in the cache. Try ping -c 3 192.168.0.1 from the host. Routes for this address are cached in rt_cache.
23:55:21.328698 52:54:0:12:34:56 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.0.0.1 tell 10.0.0.2
23:55:21.328787 0:ff:e0:f7:ab:81 52:54:0:12:34:56 0806 42: arp reply 10.0.0.1 is-at 0:ff:e0:f7:ab:81
23:55:21.333256 52:54:0:12:34:56 0:ff:e0:f7:ab:81 0800 98: 10.0.0.2 10.0.0.1: icmp: echo request (DF) (ttl 64, id 0, len 84)
23:55:21.98 0:ff:e0:f7:ab:81 52:54:0:12:34:56 0800 98: 10.0.0.1 10.0.0.2: icmp: echo reply (ttl 64, id 5575, len 84)
# uname -a
Linux (none) 2.4.25-pre7-vs1.3.6 #1 SMP Fri Jan 23 21:33:03 CET 2004 i686 unknown
sorry, can't reproduce ...
Simple fix for it - add a context tag to the rt_key structure. More correctly - fully separate this cache.
patches against vs1.3.6 and vs1.24 are always welcome ;)
For me it is difficult to work with 2 branches. You can backport this part from my last release - it uses the idea of using a tag to separate routing caches. The last snapshot uses fully separated caches.
-- With best regards, Alex
Re: [Vserver] [Release] Development 1.3.6
On Saturday 24 January 2004 00:25, Herbert Poetzl wrote:
Hi Community! another quite big step in vserver evolution awaits your testing/approval ;) I had to get 1.3.6 out, before I start attacking the network and virtualization issues, and this seemed like a good time, so here it is: http://www.13thfloor.at/vserver/d_release/v1.3.6/
what was done?
* heavy restructuring (revolution part II)
* memory accounting and resource limits
* xfs iunlink support was added
* finalized the next generation procfs
* inode attribute/xid syscall command
* uts and context name syscall commands
you can download a all-in-one patch for 2.4.25-pre7 or the tar archive of the broken out patches. (2.4.25 patches will be available when the kernel is released ;) it should work with older tools, but to utilize the latest and greatest features, enricos util-vserver 0.27.199 (or later) package is required ... if you want to aid in development, please test it (for best results, on production like scenarios) and provide some feedback ... enjoy, Herbert
Linux-vserver has a bug with the selected source address for outgoing packets. The bug exists because the routing cache info is not divided per context. Routing information about sent packets is stored in the routing cache (net/ipv4/route.c; /proc/net/rt_cache) and this info is used before any call to ip_route_output. It can be tested simply:
1) assign to the vps an address from a network other than the host system's.
2) send any packet from the vps to any host in that network.
3) try to send a packet from the host system to the selected host. The packet will have the vps source address.
Simple fix for it - add a context tag to the rt_key structure. More correctly - fully separate this cache.
-- With best regards, Alex
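The routing-cache report above, as an added example that is not part of the original messages and not kernel code: a small user-space model of an output route cache whose lookup key either lacks or carries a context tag. The struct names, function names, context ids and addresses are all constructed for illustration, and the model only mirrors the claim made in the message, which the reply quoted above could not reproduce.

```c
/* Added illustration, not kernel code: a user-space model of an output
 * route cache shared by several contexts. All names, context ids and
 * addresses are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define SLOTS    64u
#define XID_HOST 0u
#define XID_VPS  3u

struct key_model {
    uint32_t dst;
    uint32_t src;   /* 0 means "pick a source address for me" */
    uint32_t xid;   /* context tag; stays 0 when the cache is untagged */
};

struct entry {
    int used;
    struct key_model key;
    uint32_t rt_src;    /* source address chosen when the entry was built */
};

struct cache {
    struct entry slot[SLOTS];
    int tagged;         /* 1 = the context id is part of the lookup key */
};

/* Slow path: choose a source from the addresses the calling context may
 * use (constructed assignment: host 10.0.0.2, vps 192.168.0.2). */
static uint32_t slow_path_source(uint32_t xid)
{
    return xid == XID_VPS ? IP(192, 168, 0, 2) : IP(10, 0, 0, 2);
}

/* Output lookup: the cache is consulted first, so a hit returns whatever
 * source address the entry's creator selected. */
static uint32_t route_output(struct cache *c, uint32_t xid, uint32_t dst)
{
    struct key_model k = { dst, 0, c->tagged ? xid : 0 };
    struct entry *e = &c->slot[(k.dst ^ (k.xid * 2654435761u)) % SLOTS];

    if (e->used && e->key.dst == k.dst && e->key.src == k.src &&
        e->key.xid == k.xid)
        return e->rt_src;               /* cache hit */

    e->used = 1;                        /* miss: build and cache the route */
    e->key = k;
    e->rt_src = slow_path_source(xid);
    return e->rt_src;
}

/* The vps sends to dst first, then the host sends to the same dst.
 * Returns the source address the host's packet ends up with. */
static uint32_t host_source_after_vps(int tagged)
{
    struct cache c;
    uint32_t dst = IP(192, 168, 0, 1);

    memset(&c, 0, sizeof(c));
    c.tagged = tagged;
    route_output(&c, XID_VPS, dst);
    return route_output(&c, XID_HOST, dst);
}

static void print_ip(const char *label, uint32_t a)
{
    printf("%s %u.%u.%u.%u\n", label, (unsigned)(a >> 24),
           (unsigned)((a >> 16) & 255), (unsigned)((a >> 8) & 255),
           (unsigned)(a & 255));
}

int main(void)
{
    print_ip("untagged key, host source:", host_source_after_vps(0));
    print_ip("tagged key,   host source:", host_source_after_vps(1));
    return 0;
}
```

In the untagged run the host's lookup hits the entry the vps created and inherits its source address; with the context id in the key the two contexts never share an entry.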
Re: [Vserver] Vserver problems (eth0 stop + newserver)
On Monday 15 December 2003 14:43, Sam Stickland wrote:
I believe you have to disable /etc/rc.d/init.d/network script (chkconfig --del network). It'll be trying to shut down the eth0 interface, which will obviously crash inside a vserver. There's also a few other runlevel scripts that need to be deleted - I can't remember what they are off the top of my head, I haven't actually gotten around to deploying a vserver myself yet. Sam
Another way to fix this problem - add rtnetlink virtualization to vserver. RH uses the ip tools to start/stop interfaces, and these tools freeze if they can't find/attach to the main netlink socket.
-- With best regards, Alex
Re: [Vserver] Traffic control
On Monday 15 December 2003 23:41, Kern Wolfgang wrote:
Hello List, my question is simple: Can I supervise, on the host system, the Traffic of every single VServer? If every VServer could have a network interface of its own, like eth0:VM1, then i can read the traffic of this virtual interface. How can i realize this? Any ideas?
see freevps.
[EMAIL PROTECTED] root]# chcontext --ctx 1 cat /proc/vservers/3
New security context is 1
vserver id 3
..
Addresses assigned : lo(none):127.0.0.1/255.0.0.0;
Incoming traffic : 30 Kb
Outgoing traffic : 47 Kb
-- With best regards, Alex
Re: [Vserver] fcntl on NFS still broken on vs1.20
On Monday 08 December 2003 13:29, Jan Zuchhold wrote:
Hello List! I just tested vs1.20 and it appears that fcntl locking on NFS shares mounted inside a vserver is still broken, as I reported some time ago (04.11.2003). I quote from my other posts: The share is mounted like this in the vserver startup script:
/usr/sbin/chbind --ip 192.168.1.145 --bcast 192.168.1.255 mount -t nfs fileserver:/home /var/lib/vservers/$2/home
Script to reproduce error:
#!/usr/bin/perl
use Fcntl;
# opened for writing: F_WRLCK needs a writable handle
open FH, ">locktest.lock" or die "Cannot open $fn: $!";
print "Testing fcntl...\n";
@list = (F_WRLCK,0,0,0,0); # exclusive write lock, entire file
$struct = pack("SSLLL",@list);
fcntl(FH,F_SETLKW,$struct) or die("cannot lock because: $!\n");
# With vs1.00 and vs1.20 I don't get here
print FH "blabla";
close FH;
Symptoms: NFS Share stops responding, all processes go to state D. Because of this problem nearly all of my machines are stuck at 2.4.22ctx-17c. Is there anything I can do to get this bug fixed?
In the test lab I ran this test script and did not find this bug in freevps-1.1.0.
==
[EMAIL PROTECTED] root]# ./testnfs.pl
Testing fcntl...
[EMAIL PROTECTED] root]# cat locktest.lock
[EMAIL PROTECTED] root]#
===
After it the share works correctly - the dir can be changed and files can be read. For the test the share was mounted inside the vps.
-- With best regards, Alex
Re: Re: Re[3]: [Vserver] [Release] Per Context Quota and Disk Limits ...
On Saturday 06 December 2003 14:15, [EMAIL PROTECTED] wrote:
Hello Alex, I have downloaded the new freevps stuff, and I have it working fairly well. My question is this, will I need to add CAP_SYS_RESOURCE to the .conf file for the vserver, in order to make bind work? and can I do a shutdown from inside the vserver?
First, adding CAP_SYS_RESOURCE does not break process limits but adds some additional capabilities:
/* Override resource limits. Set resource limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling resources) */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps *
I don't find a serious security problem with allowing it. Second - to shut down the vps from inside, you can use the reboot manager from the original Jacks tools.
-- With best regards, Alex
Re: Re: [Vserver] [Release] Per Context Quota and Disk Limits ...
On Monday 01 December 2003 16:41, Herbert Poetzl wrote:
On Mon, Dec 01, 2003 at 09:15:33AM -0500, [EMAIL PROTECTED] wrote:
Hello Herbert, I have a question to ask? what is the difference between the current vserver, and Freevps?
well, FreeVPS is a late branch of vserver which was done by Alexey Lyashkov who adapted the vserver patches to the redhat kernel (around 2.4.18) ... this branch has some (experimental) features not yet in vserver (at least not in stable) like the virtualized network and routing tables, or some resource limits ...
Also with virtual root and private disknamespace, which allows using mount inside the vps. It does not need the hack with a dir with permissions 000 as a quarantine zone. Some speed optimizations such as fully divided socket lists and a divided netlink part. An rpm with it was uploaded to the web.
Next stages of development:
1) add bandwidth control to virtual devices (or 2 level packet scheduler)
2) add fully divided routing tables and implement 2 level routing
3) rework memory limits to do accounting based on page allocations, not on VM accounting.
4) add context tagging for the skb structure
5) add permits to use set_rlimits inside the vps without security compromise.
6) divide process accounting per vps
-- With best regards, Alex
Re: [Vserver] [Release] Per Context Quota and Disk Limits ...
AL also with virtual root and privated disknamespace
AL which allowed use mount inside vps.
well, allowing mount inside a vserver _is_ a security risk, as it allows to mount _any_ other partition including the root of the host ...
What if the nodes for it are not created and mknode is disabled? Loopback mount is also disabled.
AL It`s do not need hack for dir with permisions 000
AL as quarantine zone.
this will go away soon, as it can be solved via userspace helpers ...
Try :-) I don't know how you will close mmaped dynamically linked libraries. Static linking?
-- With best regards, Alex
Re: Re[3]: [Vserver] [Release] Per Context Quota and Disk Limits ...
On Monday 01 December 2003 22:32, Alex Klymov wrote:
Hello Alex, Monday, December 1, 2003, 10:22:42 AM, you wrote:
AL On Monday 01 December 2003 16:41, Herbert Poetzl wrote:
On Mon, Dec 01, 2003 at 09:15:33AM -0500, [EMAIL PROTECTED] wrote:
Hello Herbert, I have a question to ask? what is the difference between the current vserver, and Freevps?
well, FreeVPS is a late branch of vserver which was done by Alexey Lyashkov who adapted the vserver patches to the redhat kernel (around 2.4.18) ... this branch has some (experimental) features not yet in vserver (at least not in stable) like the virtualized network and routing tables, or some resource limits ...
AL also with virtual root and privated disknamespace which allowed use mount
AL inside vps. It`s do not need hack for dir with permisions 000 as quarantine
AL zone.
AL some speed optimizations as full devided sockets lists and devided netlink
AL part.
AL rpm with it was uploaded to web.
AL next stages of development
AL 1) add baundwith control to virtual devices (or 2 level packets scheduler)
AL 2) add full divided routing tables and implement 2 level routing
AL 3) rework memory limits for do account based on page allocations, not on
AL account VM.
AL 4) add context taging for skb structure
AL 5) add permits for use set_rlimits inside vps without security compromise.
AL 6) divide process accounting per vps
Sounds interesting to try - whats the exact URL of rpm? and what's in it - just kernel binary or patch too?
All: patch/src.rpm/rpms, plus some utils/docs. http://www.freevps.com/download/rpms/ The news about the release is not updated on the site, but the rpms were changed.
-- With best regards, Alex
Re: Re: Re[3]: [Vserver] [Release] Per Context Quota and Disk Limits ...
On Tuesday 02 December 2003 00:26, [EMAIL PROTECTED] wrote:
Hello Alex, Will the new freevps stuff work on redhat9, or only 7.3?
This rpm was built on a RH 7.3 box; I think it must work with RH 8, but RH 9 has many, many changes in kernel/glibc. You can try it - but I have not tested with RH 9. The next release is planned to move to kernel-2.4.20-20.x, or the latest at the moment of code freeze.
-- With best regards, Alex
Re: RE: [Vserver] Rpms for vserver 0.27 (got it)
On Wednesday 26 November 2003 07:50, Charles Dale wrote:
It's a bit hard to read what you posted because after a certain point all the hard returns seem to have been folded. But I think you have this in your redhat9.conf: S_CAPS=CAP_NET_RAW CAP_SYS_ADMIN CAP_NET_ADMIN Change that to S_CAPS=CAP_NET_RAW CAP_SYS_RESOURCE
Stop using CAP_SYS_RESOURCE in vserver, because your process limit will be broken. Part from linux-vserver-1.1.2:
==
iff -NurpP --minimal linux-2.4.21/kernel/fork.c linux-2.4.21-vs1.1.2/kernel/fork.c --- linux-2.4.21/kernel/fork.c Fri Jun 13 16:51:39 2003 +++ linux-2.4.21-vs1.1.2/kernel/fork.c Fri Nov 14 03:35:40 2003 @@ -22,6 +22,7 @@ #include linux/namespace.h #include linux/personality.h #include linux/compiler.h +#include linux/vcontext.h #include asm/pgtable.h #include asm/pgalloc.h @@ -629,6 +630,10 @@ int do_fork(unsigned long clone_flags, u *p = *current; retval = -EAGAIN; + if (p-s_info (p-s_info-flags VX_INFO_NPROC)) { + if (atomic_read(p-s_info-refcount) = p-rlim[RLIMIT_NPROC].rlim_max) + goto bad_fork_free; + }
==
Herbert rewrote it to work with an internal rlimits array.
-- With best regards, Alex
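Review bot: in the do_fork() hunk the per-context process count (s_info refcount) is checked against p->rlim[RLIMIT_NPROC].rlim_max, which is the forking task's own hard limit rather than a value owned by the context, so any task in the context that is able to raise its own RLIMIT_NPROC hard limit (CAP_SYS_RESOURCE permits that) moves the ceiling for the whole context. Store the limit in the context structure and compare against that instead, and confirm that refcount counts only processes and not other references held on s_info. The operators in these lines were lost in extraction, so the direction of the comparison cannot be checked from what is shown.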
Re: [Vserver] chroot(safe) issues
Therefore, it will not make sense to hope on a magic chrootsafe() syscall for vservers. Alternative approaches like CLONE_NEWNS in combination with pivot_root() or 'mount --rbind vdir /' (suggested by Rik van Riel) must be investigated to find better methods.
I told Rik and Herbert - vserver _can't_ use CLONE_NEWNS and pivot_root because some mmaped files are placed at the old root and the old root can't be unmounted. If you use a separate namespace you must write your own function to create the namespace and fill in the data; after it the process migrates to it. It needs modification of the kernel but I can't find another way to work correctly with namespaces. If interested see my snapshots.
-- With best regards, Alex