Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Hi Christian! Thanks a lot, merci beaucoup, vielen Dank, mange tak!! It really works! Looks as if it's necessary to read the kernel source docs even if one never intends to become a kernel hacker.. So bashing foreign admins is no longer needed, what a relief..:-)

Greetings
Alexander

On Wednesday, 7 January 2004 18:50, Christian Mayrhuber wrote:
> christian niessner wrote:
> > But isn't that by any chance the tcp_ecn problem?
> >
> >   cat /proc/sys/net/ipv4/tcp_ecn
> >   echo 0 > /proc/sys/net/ipv4/tcp_ecn
> >
> > because, imho, up to 2.4.18 the default was 0, from 2.4.19 on the default is 1...
> >
> > ciao, marvin
>
> Yes it is! (Ja ist es!) Thanks a lot!
>
> Here is what /usr/src/linux/Documentation/Configure.help says about it:
>
>   TCP Explicit Congestion Notification support
>   CONFIG_INET_ECN
>     Explicit Congestion Notification (ECN) allows routers to notify clients
>     about network congestion, resulting in fewer dropped packets and
>     increased network performance. This option adds ECN support to the
>     Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn) which
>     allows ECN support to be disabled at runtime.
>
>     Note that, on the Internet, there are many broken firewalls which
>     refuse connections from ECN-enabled machines, and it may be a while
>     before these firewalls are fixed. Until then, to access a site behind
>     such a firewall (some of which are major sites, at the time of this
>     writing) you will have to disable this option, either by saying N now
>     or by using the sysctl.
>
>     If in doubt, say N.
>
> An entry in /etc/sysctl.conf:
>
>   net/ipv4/tcp_ecn=0
>
> and sysctl -p will do away with this problem.

--
agoeres _at_ lieblinx.net
tel.: +49 (0)30 / 61 20 26 87
fax: +49 (0)30 / 61 20 26 89
---
lieblinxNET we do software
a Marwood Thiele GbR
---
reichenberger straße 125
10999 Berlin
http://lieblinx.net
---
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Matthew Nuzum wrote:
> Time outs like that often mean dns related problems. Have you added the proper dns settings to /etc/resolv.conf in the vserver? If so, does your mailserver run in a chroot jail? (like postfix) If so, you need to copy the resolv.conf settings to the jail or your mailserver will not know about them. If you're using postfix, it might be:
>
>   /var/spool/postfix/etc/resolv.conf
>
> That problem can be very frustrating and hard to track down.
>
> BTW, if it's not dns related, the next most likely problem is routing, but I've never seen that happen in a vserver.
>
> HTH,
> Matthew Nuzum | ISPs: Make $200 - $5,000 per referral by
> www.followers.net | recommending Elite CMS to your customers!
> [EMAIL PROTECTED] | http://www.followers.net/isp
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Goeres
> Sent: Tuesday, January 06, 2004 1:58 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
>
> Hi Christian!
>
> Could you describe what this problem looked like? I have a mail-sending problem too and have absolutely no idea anymore how to solve it: A mailserver running on a vserver on a 2.4.23-vs1.21-host can't contact one single remote mailserver (only 1 :-\). Connection always times out... and that's it. Works well with all other mailservers. A telnet to port 25 from the host itself to this single mailserver times out equally.. could this be a vserver-related problem? I'd never thought of that..

That's exactly the problem I have. The dns setup is right. It happens from the root server (ctx 0), too. But it does not happen if I use a standard kernel with the same configuration. The remote mailserver is behind a netfilter firewall.

--
Kind regards,
Christian Mayrhuber
Osiris Softwareentwicklung KEG
Wienerstr. 131
4020 Linz
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Christian Mayrhuber wrote:
> That's exactly the problem I have. The dns setup is right. It happens from the root server (ctx 0), too. But it does not happen if I use a standard kernel with the same configuration. The remote mailserver is behind a netfilter firewall.

Some additional information:

The remote mailserver is behind a netfilter firewall and complains about an invalid CRC in the TCP header; the CRC of the IP header is ok. The CRC of the TCP header is ok when the packets are sent from a vserver (this has been verified on a pix firewall), then those packets get routed through the net, reach the netfilter firewall and have a corrupt TCP CRC afterwards. This may well be a bug in the netfilter code which is triggered only by packets of a vserver kernel. The result is that no ACK follows the SYN packet and the connection times out.

--
lg, Chris
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
For my problem, I don't think it's vserver-related. Today I could compile a vanilla 2.4.23 kernel on the relevant host-server without any vserver implementation. After a reboot into this kernel I did a

  telnet remote.mail.server 25

from the host-server and it timed out as before. It looks as if it's a firewall problem on the remote side but the admins in charge there of course claim that it's not so.. I can't look into their firewall, but a more aggressive approach with

  1. nmap -p 25 -sS remote.mail.server
  2. nmap -p 25 -sA remote.mail.server

from one of my host-servers showed for 1.: port 25 open and for 2.: port 25 filtered. That sounds exactly like your explanation. But for my host-servers it occurs no matter if they have a vserver-patched kernel running or not. Too bad, for a short time I thought I might have tracked this problem down and could accuse Herbert and the developers here of doing bad work instead of fighting alien admins.. :-)

greetings
Alexander

On Wednesday, 7 January 2004 13:41, Christian Mayrhuber wrote:
> Christian Mayrhuber wrote:
> > That's exactly the problem I have. The dns setup is right. It happens from the root server (ctx 0), too. But it does not happen if I use a standard kernel with the same configuration. The remote mailserver is behind a netfilter firewall.
>
> Some additional information:
>
> The remote mailserver is behind a netfilter firewall and complains about an invalid CRC in the TCP header; the CRC of the IP header is ok. The CRC of the TCP header is ok when the packets are sent from a vserver (this has been verified on a pix firewall), then those packets get routed through the net, reach the netfilter firewall and have a corrupt TCP CRC afterwards. This may well be a bug in the netfilter code which is triggered only by packets of a vserver kernel. The result is that no ACK follows the SYN packet and the connection times out.
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Luís Miguel Silva wrote:
> It looks to me like some problem with the hardware! :o)
>
> Best,
> +---
> | Luís Miguel Silva
> | Network Administrator@ ISPGaya.pt
> | Rua António Rodrigues da Rocha, 291/341
> | Sto. Ovídio 4400-025 V. N. de Gaia
> | Portugal
> | T: +351 22 3745730/3/5 F: +351 22 3745738
> | G: +351 93 6371253 E: [EMAIL PROTECTED]
> | H: http://lms.ispgaya.pt/
> +---
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Goeres
> Sent: Wednesday, 7 January 2004 16:30
> To: [EMAIL PROTECTED]
> Subject: Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
>
> For my problem, I don't think it's vserver-related. Today I could compile a vanilla 2.4.23 kernel on the relevant host-server without any vserver implementation. After a reboot into this kernel I did a
>
>   telnet remote.mail.server 25
>
> from the host-server and it timed out as before. It looks as if it's a firewall problem on the remote side but the admins in charge there of course claim that it's not so.. I can't look into their firewall, but a more aggressive approach with
>
>   1. nmap -p 25 -sS remote.mail.server
>   2. nmap -p 25 -sA remote.mail.server
>
> from one of my host-servers showed for 1.: port 25 open and for 2.: port 25 filtered. That sounds exactly like your explanation. But for my host-servers it occurs no matter if they have a vserver-patched kernel running or not. Too bad, for a short time I thought I might have tracked this problem down and could accuse Herbert and the developers here of doing bad work instead of fighting alien admins.. :-)

Funny thing! I've tried earlier to telnet on port 25 from a 2.4.18 debian machine and from a pix firewall and it worked. All my vserver kernels were 2.4.20 onwards... Now I've tried it from a RedHat 9 with a 2.4.24 kernel and RedHat 7.3 with a 2.4.20-RH kernel and through a telnet proxy. Guess what - no go! Great that this thing turned out not to be vserver related :-) Let's go firewall admin bashing...

--
lg, Chris
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
christian niessner wrote:
> But isn't that by any chance the tcp_ecn problem?
>
>   cat /proc/sys/net/ipv4/tcp_ecn
>   echo 0 > /proc/sys/net/ipv4/tcp_ecn
>
> because, imho, up to 2.4.18 the default was 0, from 2.4.19 on the default is 1...
>
> ciao, marvin

Yes it is! (Ja ist es!) Thanks a lot!

Here is what /usr/src/linux/Documentation/Configure.help says about it:

  TCP Explicit Congestion Notification support
  CONFIG_INET_ECN
    Explicit Congestion Notification (ECN) allows routers to notify clients
    about network congestion, resulting in fewer dropped packets and
    increased network performance. This option adds ECN support to the
    Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn) which
    allows ECN support to be disabled at runtime.

    Note that, on the Internet, there are many broken firewalls which
    refuse connections from ECN-enabled machines, and it may be a while
    before these firewalls are fixed. Until then, to access a site behind
    such a firewall (some of which are major sites, at the time of this
    writing) you will have to disable this option, either by saying N now
    or by using the sysctl.

    If in doubt, say N.

An entry in /etc/sysctl.conf:

  net/ipv4/tcp_ecn=0

and sysctl -p will do away with this problem.

--
lg, Chris
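As an added illustration (not part of the original list messages), the following Python script builds the kind of ECN-setup SYN that a kernel with tcp_ecn=1 sends, with ECE and CWR set next to SYN, and verifies its TCP checksum against the IPv4 pseudo-header. It separates the two things the thread conflates: whether a SYN is ECN-marked (what the "broken firewalls" in Configure.help reject) and whether its TCP checksum is really wrong (what the netfilter box reportedly complained about). Addresses, ports and sequence numbers are constructed TEST-NET values.

```python
import struct

# TCP flag bits (RFC 793, ECN bits from RFC 3168)
CWR, ECE, ACK, SYN = 0x80, 0x40, 0x10, 0x02


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum: src, dst, zero, proto 6, TCP length."""
    def ip_bytes(ip: str) -> bytes:
        return bytes(int(o) for o in ip.split("."))
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ecn: bool) -> bytes:
    """20-byte TCP SYN; ecn=True makes it an ECN-setup SYN (SYN+ECE+CWR) as tcp_ecn=1 emits."""
    flags = SYN | ((ECE | CWR) if ecn else 0)
    # sport, dport, seq, ack, data offset 5 words, flags, window, checksum 0, urgent
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 5840, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment whose own checksum field is included sums to zero when intact."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def is_ecn_setup_syn(segment: bytes) -> bool:
    """RFC 3168 ECN-setup SYN: SYN, ECE and CWR set, ACK clear (flags live in byte 13)."""
    flags = segment[13]
    return flags & (SYN | ECE | CWR) == (SYN | ECE | CWR) and not flags & ACK


def corrupt(segment: bytes, offset: int) -> bytes:
    """Flip one bit to simulate in-flight damage; the checksum must then fail."""
    b = bytearray(segment)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.25"  # constructed TEST-NET addresses
    for ecn in (False, True):
        seg = build_syn(src, dst, 40000, 25, 0x1234, ecn)
        print(f"ecn={ecn}: flags=0x{seg[13]:02x} ecn_setup={is_ecn_setup_syn(seg)} "
              f"checksum_ok={checksum_ok(src, dst, seg)} "
              f"after_corruption={checksum_ok(src, dst, corrupt(seg, 13))}")
```

Feeding a captured 20-byte SYN header (plus the IP addresses from its IP header) into checksum_ok and is_ecn_setup_syn tells whether a rejected connection attempt was ECN-marked, damaged in transit, or neither.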
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Herbert Poetzl wrote:
> Hi Community!
>
> for those who read about the newly discovered exploits in 2.4.23 ... and those who haven't yet, I decided to update the latest vserver patches (including the first stable release) to 2.4.24 ... you can find them together with updated, signed md5sums on
>
>   http://www.13thfloor.at/vserver/project/

Thanks!

Does the latest vserver 1.22 still possess the SMP bug? I think I hit it on a dual xeon machine, but had no physical access, so somebody else did a reboot back to vserver 1.00. The non-SMP Athlon test machine is still up and running with vserver 1.22 ;-)

The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems sending mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.

--
lg, Chris
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Christian Mayrhuber wrote:
> The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right?

I'll answer this myself. Both questions YES. The following patch should fix it for vserver 1.00:

  http://vserver.13thfloor.at/Stuff/patch-vs1.00-fix.diff

I'll use that for my servers. Seems to be the only stable release that will work reliably on SMP systems and not do strange things to IPV4 packets. Please, correct me if I'm wrong.

--
lg, Chris
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Hi Christian!

Could you describe what this problem looked like? I have a mail-sending problem too and have absolutely no idea anymore how to solve it: A mailserver running on a vserver on a 2.4.23-vs1.21-host can't contact one single remote mailserver (only 1 :-\). Connection always times out... and that's it. Works well with all other mailservers. A telnet to port 25 from the host itself to this single mailserver times out equally.. could this be a vserver-related problem? I'd never thought of that..

Greetings
Alexander

On Tuesday, 6 January 2004 14:22, Christian Mayrhuber wrote:
> The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems sending mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.
Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
On Tue, Jan 06, 2004 at 06:43:43PM +0100, Christian Mayrhuber wrote:
> Christian Mayrhuber wrote:
> > Does the latest vserver 1.22 still possess the SMP bug?

hmm, what is 'the SMP bug'?

 - the uts_sem issue present since ctx-2 (in words two)
 - the dynamic allocation deadlock?
 - the dynamic wraparound lockup?

those have been fixed in 1.22 and should be still there in 1.00 ;)

> > I think I hit it on a dual xeon machine, but had no physical access, so somebody else did a reboot back to vserver 1.00. The non-SMP Athlon test machine is still up and running with vserver 1.22 ;-)

currently we are tracking some hard to trigger SMP races with or within the procfs (or the way current development versions do use it), but that should not hit you, except if you spawn 100 contexts per minute while banging at the procfs entries ...

> > The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems sending mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.
>
> I'll answer this myself. Both questions YES. The following patch should fix it for vserver 1.00:
>
>   http://vserver.13thfloor.at/Stuff/patch-vs1.00-fix.diff

yeah, this was a bug I introduced ;) it isn't present in ctx17 and it was removed in 1.21, if there is interest in updating some parts of vs1.00, please let me know

> I'll use that for my servers. Seems to be the only stable release that will work reliably on SMP systems and not do strange things to IPV4 packets. Please, correct me if I'm wrong.

hmm, I would say 1.22 should do better, but I tell you I don't know ... although feedback is always welcome ... if you are interested in hunting down and/or improving any IPV4/6 issues, just let me know, I'm all ears ...

best,
Herbert
RE: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Time outs like that often mean dns related problems. Have you added the proper dns settings to /etc/resolv.conf in the vserver? If so, does your mailserver run in a chroot jail? (like postfix) If so, you need to copy the resolv.conf settings to the jail or your mailserver will not know about them. If you're using postfix, it might be:

  /var/spool/postfix/etc/resolv.conf

That problem can be very frustrating and hard to track down.

BTW, if it's not dns related, the next most likely problem is routing, but I've never seen that happen in a vserver.

HTH,
Matthew Nuzum | ISPs: Make $200 - $5,000 per referral by
www.followers.net | recommending Elite CMS to your customers!
[EMAIL PROTECTED] | http://www.followers.net/isp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Goeres
Sent: Tuesday, January 06, 2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24

Hi Christian!

Could you describe what this problem looked like? I have a mail-sending problem too and have absolutely no idea anymore how to solve it: A mailserver running on a vserver on a 2.4.23-vs1.21-host can't contact one single remote mailserver (only 1 :-\). Connection always times out... and that's it. Works well with all other mailservers. A telnet to port 25 from the host itself to this single mailserver times out equally.. could this be a vserver-related problem? I'd never thought of that..

Greetings
Alexander

On Tuesday, 6 January 2004 14:22, Christian Mayrhuber wrote:
> The IPV4 bug is in vserver 1.00, but fixed in vserver 1.22, right? Recently, I had problems sending mail to a machine behind a netfilter firewall from a machine with a vserver 1.00 kernel. The firewall did not complain about corrupted packets, but the smtp server behind the firewall did. This happened with a ctx17 kernel, too. Things worked fine with a standard kernel.
RE: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24
Hello Herbert,

What about quota support for 2.4.24? ;oP

Hugz,
+---
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+---

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Herbert Poetzl
Sent: Monday, 5 January 2004 21:52
To: [EMAIL PROTECTED]
Subject: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24

Hi Community!

for those who read about the newly discovered exploits in 2.4.23 ... and those who haven't yet, I decided to update the latest vserver patches (including the first stable release) to 2.4.24 ... you can find them together with updated, signed md5sums on

  http://www.13thfloor.at/vserver/project/

HTH,
Herbert

vulnerabilities:
  http://isec.pl/vulnerabilities/isec-0013-mremap.txt
  http://www.securityfocus.com/bid/9154