Re: [Vserver] sendfile() fix for 2.1.0-rc11 on 2.6.14.4

2005-12-21 Thread Grzegorz Nosek
2005/12/21, Herbert Poetzl [EMAIL PROTECTED]:
 ah, thanks, obviously missed that one again ...

 best,
 Herbert


So, will it get into the vserver patches this time? :D

Best regards,
 Grzegorz Nosek
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] sendfile() fix for 2.1.0-rc11 on 2.6.14.4

2005-12-21 Thread Herbert Poetzl
On Wed, Dec 21, 2005 at 11:07:56AM +0100, Grzegorz Nosek wrote:
 2005/12/21, Herbert Poetzl [EMAIL PROTECTED]:
  ah, thanks, obviously missed that one again ...
 
  best,
  Herbert
 
 
 So, will it get into the vserver patches this time? :D

unless mainline provides a fix, yes of course ...

btw, check out Doener's version here:

http://www.13thfloor.at/~doener/vserver/patches/diff-2.6.14.3-vs2.1.0-rc10-rc10.1.diff

(which is the one I missed)

best,
Herbert

 Best regards,
  Grzegorz Nosek


Re: [Vserver] two guests mounting a common partition?

2005-12-21 Thread Herbert Poetzl
On Wed, Dec 21, 2005 at 02:42:54PM +0700, John Francis Lee wrote:
 Thanks! I'll try it.
 
 On 2005-12-21 at 07:41 +0100, eyck wrote:
   Can I have two guest servers mount the same partition?
   sure, mount-bind can do that.
   mount -o bind,rw /vserver/smbd/home /vserver/httpd/var/www/html from the
   master vserver.

small nitpick, Eyck probably meant -o bind,ro (as you
want it to be read-only on the html dir), and this
requires the BME patches to work with linux (which are
part of the devel branch, but not included in the stable)

best,
Herbert

PS: don't top-post :)

 -- 
 John Francis Lee
 1/9-10 Thanon Trairat
 Muang Chiang Rai 57000
 Thailand
 


[Vserver] vserver and grsec

2005-12-21 Thread Rik Bobbaers
hey all,

for those interested...
i took a vanilla linux 2.6.14.4 kernel
patched it with an updated version of grsec 2.1.7
and applied vserver 2.1.0 patch (including the sendfile patch and an
optimisation for some weirdness in grsec)

i put it all in a patch , which can be located at:
http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff.gz
http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

1 thing... if you can't start your vservers and get the following error 
message:
vcontext: vc_set_cflags(): Operation not permitted
you need to enable capabilities in chroots. you can do this with:
echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
(or the appropriate sysctl command ;))

if people think it's a good thing to merge the patches... just let me know, 
i'll see what i can do to keep this a little bit up to date.

have fun all!

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT  -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org



[Vserver] Interesting times ...

2005-12-21 Thread Herbert Poetzl

Hi Community!

for those who do not know yet, I recently was invited
from the PlanetLab folks to pay a visit to Princeton,
which I did, and besides the fact that it was a lot of
fun, we managed to have a bunch of very productive
discussions ...

I'm going to mention some of the ideas (or solutions)
which will make it into Linux-VServer (or already made
it into the devel branch) sooner or later.
(not all of them are the direct result of my visit,
but I guess it doesn't really matter)

 - I/O schedulers come in 4 flavours (noop, deadline,
   anticipatory and complete fair queuing (CFQ)), we 
   decided to focus on the CFQ (which now also supports
   priorities) and made that per context (in devel)

 - the CPU scheduler will get an overhaul and will
   become a hybrid Fair Scheduling partially Work 
   Preserving multi CPU scheduler :)

   this will allow you to do things like:

   - hand out CPU 'guarantees' (per unit)
   - define a fair share independently
   - restrict a context to a certain maximum

 - we will continue to develop ngnet and try to make
   it work side by side with the current legacy net
   (well, an updated version of that, at least)

   this will give you:

   - a virtual switch/router like setup, similar to
 UML or real machines, on the host (which then
 basically becomes the router)
   - completely isolated loopback and userspace device
 support for tunneling and similar
   - ipv6 support inside a guest
   - guest per interface accounting (also on the host)
 
 - pid and other types of 'isolation' will be extended
   to do full virtualization without increasing the
   overhead (in cooperation with folks from columbia)

   this is a prerequisite to context migration and
   snapshotting in a cooperation with folks from the
   Columbia university

 - Private Namespaces become hierarchical, i.e. they
   start to propagate certain events, like mount or
   unmount (if desired) down the hierarchy ...

   this is a mainline 'feature', but it will become
   very interesting for Linux-VServer I guess ...

 - We will look into creating a high speed kernel
   userspace interface to query/poll/report status
   information for graphing all kinds of stats easily

 - Dynamic Context support will be removed from the
   kernel, and moved into userspace.

 - Persistent Contexts (even without processes inside)
   are now possible 

 - Context Setup can be done from inside (SETUP state)
   or from the outside


all folks interested in helping with one or the
other sub-project please contact me and give me
some details about your plans ...

all folks interested in testing one or the other
feature, or willing to provide some infrastructure
for the folks going to test/develop that, please
send an email and let us know ...

everybody interested in the features and/or similar
features please follow up to this thread so that 
we can prioritize them properly ...

ah, and I almost forgot, if you want to sponsor any
of those developments (which would probably set
some priority and allow us to get more work done), 
please let us know ...


thanks a lot,
Herbert



Re: [Vserver] Interesting times ...

2005-12-21 Thread Serge E. Hallyn
Quoting Herbert Poetzl ([EMAIL PROTECTED]):
 
 Hi Community!
 
 for those who do not know yet, I recently was invited
 from the PlanetLab folks to pay a visit to Princeton,

Cool.

  - we will continue to develop ngnet and try to make
it work side by side with the current legacy net
(well, an updated version of that, at least)

Excellent.

  - Private Namespaces become hierarchical, i.e. they
start to propagate certain events, like mount or
unmount (if desired) down the hierarchy ...
 
this is a mainline 'feature', but it will become
very interesting for Linux-VServer I guess ...

Do you think you'll need anything more in the kernel
to support some sort of vserver-specific needs, or will
this purely come down to exploitation in user-space?

-serge


Re: [Vserver] Interesting times ...

2005-12-21 Thread Herbert Poetzl
On Wed, Dec 21, 2005 at 09:43:45AM -0600, Serge E. Hallyn wrote:
 Quoting Herbert Poetzl ([EMAIL PROTECTED]):
  
  Hi Community!
  
  for those who do not know yet, I recently was invited
  from the PlanetLab folks to pay a visit to Princeton,
 
 Cool.
 
   - we will continue to develop ngnet and try to make
 it work side by side with the current legacy net
 (well, an updated version of that, at least)
 
 Excellent.
 
   - Private Namespaces become hierarchical, i.e. they
 start to propagate certain events, like mount or
 unmount (if desired) down the hierarchy ...
  
 this is a mainline 'feature', but it will become
 very interesting for Linux-VServer I guess ...
 
 Do you think you'll need anything more in the kernel
 to support some sort of vserver-specific needs, or will
 this purely come down to exploitation in user-space?

I assume that we still need the 'map/enter' support,
and we might also need a 'special' cleanup for guest
context (based on mount tagging or so) to elevate some
issues folks encountered (when making heavy use of
private namespaces)

 - pid and other types of 'isolation' will be extended
   to do full virtualization without increasing the
   overhead (in cooperation with folks from columbia)

(had to add it back :)

btw, do you have a version of the pid virtualization
patches which already works with linux-vserver?

also, do you plan to do a 2.6.15 port this time?
(just curious)

best,
Herbert

 -serge


Re: [Vserver] Interesting times ...

2005-12-21 Thread Serge E. Hallyn
Quoting Herbert Poetzl ([EMAIL PROTECTED]):
  - pid and other types of 'isolation' will be extended
to do full virtualization without increasing the
overhead (in cooperation with folks from columbia)
 
 (had to add it back :)
 
 btw, do you have a version of the pid virtualization
 patches which already works with linux-vserver?

Hmm, not yet.

Question there is what would be the best way to exploit those
patches in vserver?  I could probably keep the vserver userspace
unchanged and have the vserver kernel code internally make use
of the pidspaces.  Or I could try to use the pidspace
containers from the vserver userspace tools, and take all pid
virtualization out of vserver kernel code.  The latter is
probably the cleaner way to go, except that I'm far less
familiar with the userspace tools than the kernel code...

 also, do you plan to do a 2.6.15 port this time?
 (just curious)

Yup.  I guess they're on -rc6 right now, so 2.6.15 should be
out soon.  I'm only in one day next week, but it should be
doable...  Hmm, wait, aren't shared subtrees being introduced
in 2.6.15?  That'll probably require baroque changes in
vserver.  Well, we'll see how it goes :)

-serge


Re: [Vserver] Interesting times ...

2005-12-21 Thread Herbert Poetzl
On Wed, Dec 21, 2005 at 10:29:39AM -0600, Serge E. Hallyn wrote:
 Quoting Herbert Poetzl ([EMAIL PROTECTED]):
   - pid and other types of 'isolation' will be extended
 to do full virtualization without increasing the
 overhead (in cooperation with folks from columbia)
  
  (had to add it back :)
  
  btw, do you have a version of the pid virtualization
  patches which already works with linux-vserver?
 
 Hmm, not yet.
 
 Question there is what would be the best way to exploit those
 patches in vserver?  I could probably keep the vserver userspace
 unchanged and have the vserver kernel code internally make use
 of the pidspaces.  Or I could try to use the pidspace
 containers from the vserver userspace tools, and take all pid
 virtualization out of vserver kernel code.  The latter is
 probably the cleaner way to go, except that I'm far less
 familiar with the userspace tools than the kernel code...

what about overlapping the pidspace containers with the
vserver contexts, thus not requiring the userspace to
change in any aspect, and replace the initpid setting by
just starting with pid=1 (e.g. first process becomes init)
might give some issues but should be doable, at least
with Hollow's tools I'd say ...

  also, do you plan to do a 2.6.15 port this time?
  (just curious)
 
 Yup.  I guess they're on -rc6 right now, so 2.6.15 should be
 out soon.  I'm only in one day next week, but it should be
 doable...  Hmm, wait, aren't shared subtrees being introduced
 in 2.6.15?  That'll probably require baroque changes in
 vserver.  Well, we'll see how it goes :)

I'd say, the namespace changes are probably simple, the
memory accounting might cause some issues ...

best,
Herbert

 -serge


Re: [Vserver] Wiki : HowTo graph vserver usage with cacti

2005-12-21 Thread Herbert Poetzl
On Fri, Dec 16, 2005 at 07:39:16PM +0100, Grzegorz Nosek wrote:
 Hello,
 
 2005/12/16, Herbert Poetzl [EMAIL PROTECTED]:
 
  in general, if there is real interest, and folks (at
  least 3 parties) are volunteering to test and add the
  required userspace tools/interfaces, please contact me
  with a wish list (i.e. what kind of information you
  would like to monitor) and we can probably get an
  implementation done ... (of course, funding such
  features might be an alternative too :)
 
 
 Count me in for testing :)

excellent, appreciate that!

 My wishes for vserver monitoring include:
 - loadavg and cpu% (somewhat faster than parsing /proc/virtual/*)

 - network traffic (again, somewhat faster than iptables stats, a'la
 /proc/net/dev maybe)

this will have to wait until ngnet handles it, as with
the current implementation the iptables accounting is
the fastest you get (if you are concerned about on
wire packages) ...

an alternative is the socket accounting, which gives
an userspace view of transmitted data ...

 - reliable memory usage (current implementation apparently doesn't
 account for shared memory, like libraries)

hmm, please elaborate in what way this affects your
results (i.e. why would you want to know about the
shared memory specifically)

 - disk i/o

as in bytes read/written from/to disk(s) by context
or disk operations or bandwidth?

 - process-related stuff, like fork rate might be useful (ideally
 per-user but that'd be quite an overhead probably)

hmm, fork rate can be deduced by looking at the current
processes and the number of forks in a timely manner
(i.e. that should be something the graphing tools do)

 Also (although not a monitoring issue and actually not vserver-related
 really but maybe somebody has a patch handy), I'd love to see per-user
 rlimits (the PAM-enforced ones are really per-login, so e.g. apache
 doesn't obey them at all).

hmm, shouldn't you be able to change the pam to make
them per user? guess this should be an userspace issue

  please send me the patch (maybe again?) or point me
  to the url where I can have a look at it ...
 
 Attached (against some older version but should apply quite cleanly)
 
  latest devel releases support per context CFQ queues,
  so that might get a little easier there :)
 
 Thanks, I'll look into that.

best,
Herbert

 
 Best regards,
  Grzegorz Nosek

 diff -Naur linux-2.6.13/drivers/block/ll_rw_blk.c 
 linux-2.6.13-diskstat/drivers/block/ll_rw_blk.c
 --- linux-2.6.13/drivers/block/ll_rw_blk.c2005-08-29 01:41:01.0 
 +0200
 +++ linux-2.6.13-diskstat/drivers/block/ll_rw_blk.c   2005-10-03 
 16:05:14.0 +0200
 @@ -29,6 +29,7 @@
  #include linux/swap.h
  #include linux/writeback.h
  #include linux/blkdev.h
 +#include linux/vserver/cvirt_diskstat.h
  
  /*
   * for max sense size
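Review bot: the new #include of linux/vserver/cvirt_diskstat.h in the first hunk is unconditional, while every use of it in this file sits under #ifdef CONFIG_VSERVER_DISKSTAT, so the header has to compile cleanly with the option switched off. Either guard the include the same way, or have the header supply empty stubs for cvirt_acct_add() so the #ifdef blocks in ll_rw_blk.c can be dropped.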
 @@ -2297,6 +2298,20 @@
   disk_round_stats(rq-rq_disk);
   rq-rq_disk-in_flight++;
   }
 +#ifdef CONFIG_VSERVER_DISKSTAT
 + struct vx_info *current_vx_info = lookup_vx_info(rq-xid);
 + if (current_vx_info) {
 + if (rw == READ) {
 + cvirt_acct_add(current_vx_info, read_sectors, 
 nr_sectors);
 + if (!new_io)
 + cvirt_acct_add(current_vx_info, read_merges, 1);
 + } else if (rw == WRITE) {
 + cvirt_acct_add(current_vx_info, write_sectors, 
 nr_sectors);
 + if (!new_io)
 + cvirt_acct_add(current_vx_info, write_merges, 
 1);
 + }
 + }
 +#endif
  }
  
  /*
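Review bot: in the CONFIG_VSERVER_DISKSTAT block of this hunk, lookup_vx_info(rq->xid) is called without the "if (req->xid)" guard that the completion-path hunk uses, so untagged requests are looked up too; add the same guard here so both paths treat xid 0 alike. Nothing in the visible lines releases the pointer returned by lookup_vx_info(); if that lookup hands back a counted reference, a matching put is needed after the cvirt_acct_add() calls. The declaration of current_vx_info also follows statements in the enclosing block, which kernel style avoids; give the accounting its own braces or move it into a helper.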
 @@ -2659,6 +2674,9 @@
   req-ioprio = prio;
   req-rq_disk = bio-bi_bdev-bd_disk;
   req-start_time = jiffies;
 +#ifdef CONFIG_VSERVER_DISKSTAT
 + req-xid = bio_page(bio)-xid;
 +#endif
  
   spin_lock_irq(q-queue_lock);
   if (elv_queue_empty(q))
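Review bot: "req->xid = bio_page(bio)->xid" tags the whole request with the context of the bio's first page only, and the merge accounting in the previous hunk then charges later merged sectors to that same xid. A request that ends up carrying pages from more than one context is attributed entirely to one guest; that limitation should at least be stated in a comment here, and it would help to document what xid a page carries when it has no owning context, since the completion path treats 0 as "do not account".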
 @@ -3175,6 +3193,23 @@
   }
   disk_round_stats(disk);
   disk-in_flight--;
 +#ifdef CONFIG_VSERVER_DISKSTAT
 + if (req-xid) {
 + struct vx_info *current_vx_info = 
 lookup_vx_info(req-xid);
 + if (current_vx_info) {
 + switch (rq_data_dir(req)) {
 + case WRITE:
 + cvirt_acct_add(current_vx_info, writes, 
 1);
 + cvirt_acct_add(current_vx_info, 
 write_ticks, duration);
 + break;
 + case READ:
 + cvirt_acct_add(current_vx_info, reads, 
 1);
 + cvirt_acct_add(current_vx_info, 
 read_ticks, duration);
 + break;
 + }
 + }
 + }
 +#endif
   }
   if (req-end_io)
   req-end_io(req);
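Review bot: the completion-path block does a second lookup_vx_info(req->xid) for a request that was already resolved at submission, and when that lookup returns NULL the completion is silently skipped, leaving sectors counted for the context with no matching reads/writes or ticks. Resolving the context once and carrying it with the request would keep the two sets of counters consistent. As in the submission hunk, nothing visible releases the looked-up vx_info, and the switch on rq_data_dir(req) would read more safely with an explicit default case.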
 diff -Naur linux-2.6.13/include/linux/blkdev.h 
 

Re: [Vserver] sendfile() fix for 2.1.0-rc11 on 2.6.14.4

2005-12-21 Thread Grzegorz Nosek
2005/12/21, Herbert Poetzl [EMAIL PROTECTED]:

 unless mainline provides a fix, yes of course ...

AFAIK there's no problem in mainline as there's no vfs_sendfile() and
everything happens in do_sendfile(). It's the vserver patch that does
the split and keeps too much of the original do_sendfile() in the new
one.


 btw, check out Doener's version here:

 http://www.13thfloor.at/~doener/vserver/patches/diff-2.6.14.3-vs2.1.0-rc10-rc10.1.diff

 (which is the one I missed)

That's a good fix too - two bug fixes (one critical and one minor) in
one small patch :)


 best,
 Herbert

Best regards,
 Grzegorz Nosek


Re:[Vserver] Continuing implementation of a DebSid vserver on a hppa box (need more help)

2005-12-21 Thread Joel Soete
 Hello all,

[...]

 1st question:
 would it not be better to move prepre and postpost to simply pre and post, so
 that I could get rid of relative /var/lib/vservers/DebSid path?

need to more test ;-)

 2d question (about data insulation?):

[...]

 BUT from the host I can always access and modify data in the guest's dedicated
 fs (and btw I risk corrupting a guest service config by accident because the
 host ignores, well doesn't show, processes owned by guest).

 My question is so: is it possible to configure another way the guest server to
 hide its data from host?

I presume that the announce http://archives.linux-vserver.org/200512/0261.html
answer to my question: nice to have which will come soon ;-)

 3rd Question:
 as per debian install (even though I had to install util-vserver from src), I
 install the following startup scripts:
 update-rc.d vprocunhide defaults 25 15
 update-rc.d vservers-legacy defaults 90 02
 update-rc.d rebootmgr defaults 30 10
 update-rc.d vservers-default defaults 90 02

 which work fine but didn't startup my DebSid guest server (which elsewhere
 works fine manually: vserver DebSid start/enter ;-).

 Any idea what I missed?

mmm :
echo default > /etc/vservers/DebSid/apps/init/mark

seems to make the drill.

(isn't there a more simple way to do it, like a config file knowing the
guest's name server and it's corresponding start/stop way?)

 (btw I also touch a /etc/vservers/.defaults/app/vshelper/debug and filled in
 /var/log/VPS-dbg.log in /etc/vservers/.defaults/app/vshelper/logfile but no
 such file was created nor can I grab any debug info.
 Any idea?

still have to find out why...

Thanks,
Joel




[Vserver] vserver migration 1.2.10 2.0.1

2005-12-21 Thread Lars Braeuer

Hi,

I'm having an issue with some files (group owner) when migrating a vserver from a 
2.4.30-vs1.2.10-vquota (GID24) system, ext3 partitions mounted with tagctx to the new 
2.6.14.3-vs2.0.1 system (GID24, util-vserver-0.30.209), ext3 partitions mounted with tagxid. The 
context id is the same (fixed) on both systems.


When tarring the files on one vserver and untarring it on the new one, a few files have different 
GID's. UID's are correct as far as I can see.


Same issue when using dump/restore to transfer the guest system to the new host. The only difference 
is, that the GID is 16777214 on those files.


Running chxid with the desired context id from the hostsystem doesn't change 
anything.

Any hints? Am I missing anything?

Regards,

Lars


Re: [Vserver] setting the MAC address for a vserver

2005-12-21 Thread Bert De Vuyst
On Thursday 15 December 2005 15:53, Herbert Poetzl wrote:

 depending on the number of guests which would
 require such changes, and the way the check is
 implemented, you could do one of the following:

  - write a preload library/command wrapper to fake the MAC
  - hack the kernel to report per guest MAC
  - use dummy interfaces and assign a separate MAC

To avoid any misunderstanding. We do pay our license fees for the software.
I just would like to move the license server from a dedicated machine to a 
vserver, and have a second copy of this vserver as a failover on a other 
machine.
Moving a license is expensive and it still doesn't allow us to implement a 
failover for the license server.

Best regards,

Bert.


Re: [Vserver] Wiki : HowTo graph vserver usage with cacti

2005-12-21 Thread Herbert Poetzl
On Wed, Dec 21, 2005 at 06:51:51PM +0100, Grzegorz Nosek wrote:
 2005/12/21, Herbert Poetzl [EMAIL PROTECTED]:
   - network traffic (again, somewhat faster than iptables stats, a'la
   /proc/net/dev maybe)
 
  this will have to wait until ngnet handles it, as with
  the current implementation the iptables accounting is
  the fastest you get (if you are concerned about on
  wire packages) ...
 
  an alternative is the socket accounting, which gives
  an userspace view of transmitted data ...
 
 I'll probably go with iptables accounting for now.
 
   - reliable memory usage (current implementation apparently doesn't
   account for shared memory, like libraries)
 
  hmm, please elaborate in what way this affects your
  results (i.e. why would you want to know about the
  shared memory specifically)
 
 I'm not interested in shared memory per se, I'd just like realistic
 memory usage stats. E.g. (relevant lines from various status commands)
 
 vserver-stat:
 
 CTX   PROC    VSZ    RSS  userTIME   sysTIME    UPTIME NAME
 135     73   1.5G   3.5G   6h25m24   1h36m13   6d15h55 v135
 
 /proc/meminfo (on host)
 
 MemTotal:  1031036 kB
 MemFree: 19272 kB
 SwapTotal:  508920 kB
 SwapFree:   504152 kB
 
 So I apparently have a vserver (one of several) using 3.5G of memory
 on a machine with 1G installed and 0.5G of swap (hardly touched at
 all), whereas in reality it's just a number of apache2 processes
 sharing most of their memory.

ahem, no, actually the situation is quite different,
and very likely the vserver-stat is just wrong (as usual)
but before we continue here, could you add the values
from /proc/virtual/135/limits ?

   - disk i/o
 
  as in bytes read/written from/to disk(s) by context
  or disk operations or bandwidth?
 
 Ideally, I'd like to see virtualised /proc/vmstat :)

hmm, but that does not have much to do with disk I/O
those are the virtual memory stats :)
(btw, something interesting too, but hard to account
per context, as it happens on the host)

   - process-related stuff, like fork rate might be useful (ideally
   per-user but that'd be quite an overhead probably)
 
  hmm, fork rate can be deduced by looking at the current
  processes and the number of forks in a timely manner
  (i.e. that should be something the graphing tools do)
 
 Yeah, I think I can just graph total_forks from /proc/virtual/*/cvirt
 :) I was trying to put as many ideas as possible.

and this is definitely appreciated!
keep 'em coming ...

   Also (although not a monitoring issue and actually not vserver-related
   really but maybe somebody has a patch handy), I'd love to see per-user
   rlimits (the PAM-enforced ones are really per-login, so e.g. apache
   doesn't obey them at all).
 
  hmm, shouldn't you be able to change the pam to make
  them per user? guess this should be an userspace issue
 
 Well, I can't. The limits are enforced by pam_limits.so which isn't
 used at all. 

ahem, well, then use them, no?
correct me if I'm wrong, but that is what pam was designed
to do, and it should do its job quite fine if given a
chance to do so ...

 I don't really care about limiting interactive logins
 (hardly any user ever logs on these machines, most don't have shell
 accounts). OTOH, I care about per-uid limiting of resources (our web
 servers have a per-vhost assigned uid and I'd like to reduce the
 possibility of one broken script taking out all other vhosts).

why not just make sure to invoke the required pam modules 
when you activate a user based service ...

best,
Herbert

 Best regards,
  Grzegorz Nosek


Re: [Vserver] setting the MAC address for a vserver

2005-12-21 Thread Herbert Poetzl
On Thu, Dec 22, 2005 at 12:42:58AM +0100, Bert De Vuyst wrote:
 On Thursday 15 December 2005 15:53, Herbert Poetzl wrote:
 
  depending on the number of guests which would
  require such changes, and the way the check is
  implemented, you could do one of the following:
 
   - write a preload library/command wrapper to fake the MAC
   - hack the kernel to report per guest MAC
   - use dummy interfaces and assign a separate MAC
 
 To avoid any misunderstanding. We do pay our license fees for the
 software. I just would like to move the license server from a
 dedicated machine to a vserver, and have a second copy of this 
 vserver as a failover on a other machine.

right, but isn't that something the company (which
licenced you to do certain things) would allow and 
thus make possible if it were within the scope of
your license?

 Moving a license is expensive and it still doesn't allow us to
 implement a failover for the license server.

which might be on purpose, and doing so might also
violate the license/contract with that company ...

again, IANAL and it's all hypothetical to me ...

best,
Herbert

 Best regards,
 
 Bert.


Re: [Vserver] vserver migration 1.2.10 2.0.1

2005-12-21 Thread Herbert Poetzl
On Wed, Dec 21, 2005 at 10:09:21PM +0100, Lars Braeuer wrote:
 Hi,
 
 I'm having an issue with some files (group owner) when migrating a
 vserver from a 2.4.30-vs1.2.10-vquota (GID24) system, ext3 partitions
 mounted with tagctx to the new 2.6.14.3-vs2.0.1 system (GID24,
 util-vserver-0.30.209), ext3 partitions mounted with tagxid. The
 context id is the same (fixed) on both systems.

you sure that the original partition is mounted with
the proper tagxid (former tagctx) option? i.e. that
the files show sane uid/gid at the 'source'

 When tarring the files on one vserver and untarring it on the new one,
 a few files have different GID's. UID's are correct as far as I can
 see.

could you tar a few of those problematic files for
me and upload or attach them to the next mail?

 Same issue when using dump/restore to transfer the guest system to the
 new host. The only difference is, that the GID is 16777214 on those
 files.

just to make sure, both systems use UGID24?

 Running chxid with the desired context id from the hostsystem doesn't
 change anything.
 
 Any hints? Am I missing anything?

we'll see ...
best,
Herbert

 
 Regards,
 
 Lars


Re: [Vserver] VServer seems to work fine basically on hppa too -) (just some question)

2005-12-21 Thread Herbert Poetzl
On Fri, Dec 16, 2005 at 02:55:34PM +0100, Joel Soete wrote:
 Hello Herbert,
 [123]# succeeded.
 verify /mnt/test/file_3053: -+(-)-i-+(-) ~ i---E
 [124]# failed.

this is caused by the legacy kernel API support ...
if enabled it will blend through the iunlink as flag 'E'
on reiserfs (still investigating if that is a bug, or
if some tools really used that one ...)

best,
Herbert



Re: [Vserver] Vserver and Reiserfs3

2005-12-21 Thread Herbert Poetzl
On Tue, Dec 20, 2005 at 03:27:07PM +0100, Joel Soete wrote:
 Hello Mike,
 
  A collection of notes on adding vserver to
  a system with an existing ReiserFS-3 filesystem.
 
  When configuring your shiny new vps-linux:
 
  Under Filesystems on menuconfig;
  enable
  ReiserFS extended attributes
  and
  ReiserFS POSIX access control lists
 
  if not already configured (mine were not).
  - - - -
 
 Right mine wasn't too
 
 [snip]
 
 
  Now the testfs.sh script should run, try it:
  # ./testfs.sh -D /dev/loop0 -M /mnt
  or for only ReiserFS:
  # ./testfs.sh  -F reiser -D /dev/loop0 -M /mnt
  - - - -
 
 unfortunately still failed at the same places on my parisc box: i.e.
 [...]
 verify /mnt/test/file_3053: -+(-)-i-+(-) ~ -
 [114]# failed.
 [...]
 verify /mnt/test/file_3053: -+(-)-i-+(-) ~ i---E
 [124]# failed.
 [199]# succeeded.

this is caused by the legacy kernel API support ...
if enabled it will blend through the iunlink as flag 'E'
on reiserfs (still investigating if that is a bug, or
if some tools really used that one ...)

disabling the legacy kernel API support should make that
one succeed (CONFIG_VSERVER_LEGACY)

best,
Herbert

 :-(
 
 So most probably, a p-l issue, but i doubt that maintainers would track it 
 down.
 
 (lol and no, I definitely don't want to do, I still have to fix many details
 of my vps as automatic restart when reboot the system, ...)
 
  Running the test script for the ReiserFS-3 filesystem
  only leaves the loop file formatted as a ReiserFS-3
  and unmounted.
  - - - -
 
 
  Mount it again so you can play with it:
  mount -o attrs,acl /dev/loop0 /mnt
  - - - -
 
  I worked through the examples in the SuSE in
  the administrators guide, found here:
  www.suse.de/~agruen/acl/chapter/fs_acl-en.pdf
 
  A note on those examples: use a user name and
  a group name that already exists on your machine,
  not the names in the examples.
 
  Note how a subdirectory inherits the default acl of
  its parent.  Now you have an alternative or supplement
  to hard linking files into all of your vserver contexts.
 
  - - - -
  Backing up a filesystem with acl information requires
  an acl aware program - the star program is one such.
 
  - - - -
  One more note - you had better find the most recent
  versions of all system utilities this involves - I can't give
  minimum versions, since I just built the 'most current'
  of everything to get this to work.
  - - - -
 
 That said, nice recipe and collection of info.
 
 Thanks a lot,
 Joel
 
 
 


[Vserver] Step by Step Guide to a nano-vserver

2005-12-21 Thread Michael S. Zick
Joel, and Group;

I have a rough draft of the step-by-step guide
to creating a nano-vserver posted.

Comments welcome from anyone with time to
read through it.

The end result of the tutorial is a virtual server
running Bash and BusyBox fully contained within a
single file. (Actually, the testfs.sh test file.)

The current draft here:
http://www.spamviz.net/download/step_step.ps.gz

The entire virtual server as a compressed file:
http://www.spamviz.net/download/baby01.bin.gz

Watch out, she is heavy, weighs in at about 4Mb.

Mike


Re: [Vserver] Wiki : HowTo graph vserver usage with cacti

2005-12-21 Thread Grzegorz Nosek
2005/12/22, Herbert Poetzl [EMAIL PROTECTED]:
 
  I'm not interested in shared memory per se, I'd just like realistic
  memory usage stats. E.g. (relevant lines from various status commands)
 
  vserver-stat:
 
  CTX   PROC    VSZ    RSS  userTIME   sysTIME    UPTIME NAME
  135 73   1.5G   3.5G   6h25m24   1h36m13   6d15h55 v135

 ahem, no, actually the situation is quite different,
 and very likely the vserver-stat is just wrong (as usual)
 but before we continue here, could you add the values
 from /proc/virtual/135/limits ?

(sorry for any confusion I may have caused :) )

PROC:   21 199 450   0
VM: 103540 4411996  4294967295   0
VML: 0   4  512000   0
RSS: 65389 2818258  4294967295   0
ANON:60509 1789099  4294967295   0
FILES:116738548128   0
OFD:  2682   97375  4294967295   0
LOCKS:   4  60  4294967295   0
SOCK:   27 304  4294967295   0
MSGQ:0   0  4294967295   0
SHM:   128 384  4294967295   0
SEMA:2   2  4294967295   0
SEMS:2   2  4294967295   0

(up-to-date vserver-stat - it's 6am and the load is lower)

135 31   1.4G 967.3M   8h01m30   1h54m59   7d03h44 v135

 
  /proc/meminfo (on host)
 
  MemTotal:  1031036 kB
  MemFree: 19272 kB
  SwapTotal:  508920 kB
  SwapFree:   504152 kB
 
  So I apparently have a vserver (one of several) using 3.5G of memory
  on a machine with 1G installed and 0.5G of swap (hardly touched at
  all), whereas in reality it's just a number of apache2 processes
  sharing most of their memory.

 ahem, no, actually the situation is quite different,
 and very likely the vserver-stat is just wrong (as usual)
 but before we continue here, could you add the values
 from /proc/virtual/135/limits ?

- disk i/o
  
   as in bytes read/written from/to disk(s) by context
   or disk operations or bandwidth?
 
  Ideally, I'd like to see virtualised /proc/vmstat :)

 hmm, but that does not have much to do with disk I/O
 those are the virtual memory stats :)

vmstat as in vmstat -d :) or bi/bo (and maybe si/so) columns of plain vmstat

 (btw, something interesting too, but hard to account
 per context, as it happens on the host)


With a big enough dose of optimism, it just might be doable :)

r/b columns (TASK_RUNNING, TASK_UNINTERRUPTIBLE accounting) should be easy

swpd/free/buff/cache (memory accounting) is already (mostly?) done

si/so (swap in/out) and bi/bo (block in/out) could be done via the new
per-context cfq or hacking something else together

in (per-context interrupts) are pointless probably :)

cs (context switch accounting) could also be done, I think (e.g.
counting switches _into_ or _out_of_ a process of xid=n)

us/sy/id/wa (cpu usage% in different states) is done already (at least
user/system)

  Yeah, I think I can just graph total_forks from /proc/virtual/*/cvirt
  :) I was trying to put as many ideas as possible.

 and this is definitely appreciated!
 keep 'em coming ...


as soon as I invent something :)

  Well, I can't. The limits are enforced by pam_limits.so which isn't
  used at all.

 ahem, well, then use them, no?
 correct me if I'm wrong, but that is what pam was designed
 to do, and it should do its job quite fine if given a
 chance to do so ...


Not if spawning a hundred processes per second (guessing, didn't get
round to graphing the fork rate yet). Also, the set limits are
relevant in the process and child processes only, so e.g. nproc
limiting is kind of pointless.

  I don't really care about limiting interactive logins
  (hardly any user ever logs on these machines, most don't have shell
  accounts). OTOH, I care about per-uid limiting of resources (our web
  servers have a per-vhost assigned uid and I'd like to reduce the
  possibility of one broken script taking out all other vhosts).

 why not just make sure to invoke the required pam modules
 when you activate a user based service ...


See above, IMHO it just won't fly.

Best regards,
 Grzegorz Nosek


Re: [Vserver] Wiki : HowTo graph vserver usage with cacti

2005-12-21 Thread Herbert Poetzl
On Thu, Dec 22, 2005 at 07:23:54AM +0100, Grzegorz Nosek wrote:
 2005/12/22, Herbert Poetzl [EMAIL PROTECTED]:
  
   I'm not interested in shared memory per se, I'd just like realistic
   memory usage stats. E.g. (relevant lines from various status commands)
  
   vserver-stat:
  
   CTX   PROC    VSZ    RSS  userTIME   sysTIME    UPTIME NAME
   135 73   1.5G   3.5G   6h25m24   1h36m13   6d15h55 v135
 
  ahem, no, actually the situation is quite different,
  and very likely the vserver-stat is just wrong (as usual)
  but before we continue here, could you add the values
  from /proc/virtual/135/limits ?
 
 (sorry for any confusion I may have caused :) )
 
 PROC:   21 199 450   0
 VM: 103540 4411996  4294967295   0
 VML: 0   4  512000   0
 RSS: 65389 2818258  4294967295   0
 ANON:60509 1789099  4294967295   0
 FILES:116738548128   0
 OFD:  2682   97375  4294967295   0
 LOCKS:   4  60  4294967295   0
 SOCK:   27 304  4294967295   0
 MSGQ:0   0  4294967295   0
 SHM:   128 384  4294967295   0
 SEMA:2   2  4294967295   0
 SEMS:2   2  4294967295   0

hmm, older kernel, yes? 
we fixed the funny numbers before 2.01/2.1.0 (4294967295)

anyway, we see that the context uses 103540 pages VM
and 65389 pages RSS with 60509 pages anon RSS
I just assume that the page size is 4K, which gives us:

  103540*4096 = 424099840 or 404MB of address space
   65389*4096 = 267833344 or 255MB of RSS

(if the page size is 16k, then the accounted values have
to be multiplied by 4)

the VM is the sum of all allocated address spaces, where
each process can allocate up to 1/2/3GB of space, those
'pages' are not necessarily instantiated (i.e. they do
not have to reside anywhere and do not consume RAM by
default), the RSS is the actual memory used (those are
pages mapped in physical RAM)

 (up-to-date vserver-stat - it's 6am and the load is lower)
 
 135 31   1.4G 967.3M   8h01m30   1h54m59   7d03h44 v135
 
  
   /proc/meminfo (on host)
  
   MemTotal:  1031036 kB
   MemFree: 19272 kB
   SwapTotal:  508920 kB
   SwapFree:   504152 kB
  
   So I apparently have a vserver (one of several) using 3.5G of memory
   on a machine with 1G installed and 0.5G of swap (hardly touched at
   all), whereas in reality it's just a number of apache2 processes
   sharing most of their memory.

so, as the RSS is not supposed to exceed the physical
RAM I assume that your page size actually _is_ 4k

HTH,
Herbert
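
Added example, not part of the original post or of the Linux-VServer tools: the page arithmetic above applied to the limits lines quoted in this thread, plus the check that current RSS has to fit into the host's MemTotal. The column names after the first and the reading of 4294967295 as "no limit set" are assumptions; the sample is constructed from the values quoted above, without the FILES line whose columns have run together.

```python
# Constructed sample: limits lines quoted in the thread for context 135.
SAMPLE_LIMITS = """\
PROC:   21 199 450   0
VM: 103540 4411996  4294967295   0
RSS: 65389 2818258  4294967295   0
ANON:60509 1789099  4294967295   0
SHM:   128 384  4294967295   0
"""
HOST_MEMTOTAL_KB = 1031036            # MemTotal from the host's /proc/meminfo above
PAGE_COUNTED = {"VM", "RSS", "ANON"}  # resources the thread reads as page counts
NO_LIMIT = 4294967295                 # assumption: 2**32 - 1 means "no limit set"


def parse_limits(text):
    """Return {name: (current, maximum, limit, hits)}; column names are assumed."""
    out = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) != 4 or not all(f.isdigit() for f in fields):
            continue                  # skip lines whose columns have run together
        cur, mx, lim, hits = map(int, fields)
        out[name.strip()] = (cur, mx, None if lim == NO_LIMIT else lim, hits)
    return out


def current_bytes(limits, name, page_size=4096):
    """Convert the current value of a page-counted resource to bytes."""
    if name not in PAGE_COUNTED:
        raise ValueError(f"{name} is not a page-counted resource")
    return limits[name][0] * page_size


def plausible_page_sizes(limits, memtotal_kb, candidates=(4096, 16384)):
    """Page sizes for which the current RSS still fits into physical RAM."""
    return [ps for ps in candidates
            if current_bytes(limits, "RSS", ps) <= memtotal_kb * 1024]


if __name__ == "__main__":
    lim = parse_limits(SAMPLE_LIMITS)
    for res in ("VM", "RSS", "ANON"):
        b = current_bytes(lim, res)
        print(f"{res:5} {lim[res][0]:>8} pages = {b:>10} bytes = {b // 2**20} MB")
    print("page sizes consistent with MemTotal:",
          plausible_page_sizes(lim, HOST_MEMTOTAL_KB))
```

With 16k pages the current RSS would come to 1071333376 bytes, more than the 1031036 kB of installed RAM, which is why only the 4k reading survives the check.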

 - disk i/o
   
    as in bytes read/written from/to disk(s) by context
    or disk operations or bandwidth?
  
   Ideally, I'd like to see virtualised /proc/vmstat :)
 
  hmm, but that does not have much to do with disk I/O
  those are the virtual memory stats :)
 
 vmstat as in vmstat -d :) or bi/bo (and maybe si/so) columns of plain vmstat
 
  (btw, something interesting too, but hard to account
  per context, as it happens on the host)
 
 
 With a big enough dose of optimism, it just might be doable :)
 
 r/b columns (TASK_RUNNING, TASK_UNINTERRUPTIBLE accounting) should be easy
 
 swpd/free/buff/cache (memory accounting) is already (mostly?) done
 
 si/so (swap in/out) and bi/bo (block in/out) could be done via the new
 per-context cfq or hacking something else together
 
 in (per-context interrupts) are pointless probably :)
 
 cs (context switch accounting) could also be done, I think (e.g.
 counting switches _into_ or _out_of_ a process of xid=n)
 
 us/sy/id/wa (cpu usage% in different states) is done already (at least
 user/system)
 
   Yeah, I think I can just graph total_forks from /proc/virtual/*/cvirt
   :) I was trying to put as many ideas as possible.
 
  and this is definitely appreciated!
  keep 'em coming ...
 
 
 as soon as I invent something :)
 
   Well, I can't. The limits are enforced by pam_limits.so which isn't
   used at all.
 
  ahem, well, then use them, no?
  correct me if I'm wrong, but that is what pam was designed
  to do, and it should do its job quite fine if given a
  chance to do so ...
 
 
 Not if spawning a hundred processes per second (guessing, didn't get
 round to graphing the fork rate yet). Also, the set limits are
 relevant in the process and child processes only, so e.g. nproc
 limiting is kind of pointless.
 
   I don't really care about limiting interactive logins
   (hardly any user ever logs on these machines, most don't have shell
   accounts). OTOH, I care about per-uid limiting of resources (our web
   servers have a per-vhost assigned uid and I'd like to reduce the
   possibility of one broken script taking out all other vhosts).
 
  why