Re: [Vserver] jakarta-tomcat doesn't work with vserver?
Hi Markus,

> I have some strange problem. I'm just installing jakarta-tomcat-5.0.24 and j2sdk1.4.2_04 in a vserver. When I want to start tomcat the following error occurs:
> [...]
> Error occurred during initialization of VM
> Could not reserve enough space for code cache

I can report that it definitely works with Tomcat 4.1.30 on stock 2.4.25 with VS 1.27 patch:

[EMAIL PROTECTED] root]# uname -a
Linux converge..xxx 2.4.25-vs1.27 #1 SMP Sat Apr 10 09:31:38 BST 2004 i686 i686 i386 GNU/Linux

[EMAIL PROTECTED] root]# java -version
java version 1.4.2_04
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

[EMAIL PROTECTED] root]# ps auxww | grep tomcat | head -1
tomcat 8960 0.0 16.2 243400 146844 ? S May07 0:04 /usr/java/j2sdk1.4.2_04/bin/java -Djava.endorsed.dirs=/home/tomcat/common/endorsed -classpath /usr/java/j2sdk1.4.2_04/lib/tools.jar:/home/tomcat/bin/bootstrap.jar -Dcatalina.base=/home/tomcat -Dcatalina.home=/home/tomcat -Djava.io.tmpdir=/home/tomcat/temp org.apache.catalina.startup.Bootstrap start

So you may want to try a stock kernel and/or Tomcat 4.1.30?

Cheers, Chris.
--
_ __ __ _
/ __/ / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Experimental Version
Hi Herbert,

> other stuff can be found here: http://vserver.13thfloor.at/Experimental/

> yes, actually it's vs1.9.0pre10.3 ... ;)

Well, actually it's vs1.9.0pre11 right now, but let's not split hairs :-)

> with vs1.9.0pre10* you can actually disable the proc security from the menuconfig (or *config)

Hmm, it's a shame that that's all you can do, because at least when using the stable tools, I can't stop a vserver with this feature enabled:

[EMAIL PROTECTED] vservers]# vserver distcc stop
Stopping the virtual server distcc
Error: /proc must be mounted and readable
To mount /proc at boot you need an /etc/fstab line like:
/proc /proc proc defaults
In the meantime, `mount /proc /proc -t proc'
To set the permissions, `chmod 755 /proc'
Server distcc is not running

Thanks to you and Bjoern for all your help! I'm working on getting things up and running with 2.6.6rc1 and the pre11 patch now (and /proc security disabled).

Cheers, Chris.
Re: [Vserver] Experimental Version
Hi Herbert,

> with vs1.9.0pre10* you can actually disable the proc security from the menuconfig (or *config)

OK, I built a 2.6.6-rc1 kernel with the -pre11 patch, and it Oopses when I try to enter a vserver:

[EMAIL PROTECTED] vservers]# vserver distcc1 enter
/sbin/ifconfig eth1:distcc1 192.168.3.181 netmask 255.255.255.0 broadcast 192.168.3.255
SIOCSIFADDR: File exists
SIOCSIFFLAGS: Cannot assign requested address
SIOCSIFNETMASK: Cannot assign requested address
SIOCSIFBRDADDR: Cannot assign requested address
SIOCSIFFLAGS: Cannot assign requested address
ipv4root is now 192.168.3.181
Host name is now distcc1.netservers.co.uk
New security context is 49155
Segmentation fault

linux1 kernel: kernel BUG at include/linux/vinline.h:62!
linux1 kernel: invalid operand: [#3]
linux1 kernel: PREEMPT
linux1 kernel: CPU:0
linux1 kernel: EIP:0060:[c0113385]Not tainted
linux1 kernel: EFLAGS: 00010286 (2.6.6-rc1-vs1.9.0pre11)
linux1 kernel: EIP is at mm_init+0xe2/0x101
linux1 kernel: eax: e610bc00 ebx: ecx: edfeff80 edx: e610bc00
linux1 kernel: esi: e4b25ea4 edi: dfd8a76c ebp: dfd8a580 esp: e4b25dfc
linux1 kernel: ds: 007b es: 007b ss: 0068
linux1 kernel: Process save_s_context (pid: 2082, threadinfo=e4b24000 task=defdc330)
linux1 kernel: Stack: dfd8a580 e4b25e6c 0001 dfd8a580 dfd8a6e0
linux1 kernel:dfd8a6e0
linux1 kernel:
linux1 kernel: Call Trace:
linux1 kernel: [c01136ea] copy_mm+0xe7/0x427
linux1 kernel: [c0114321] copy_process+0x453/0xb7c
linux1 kernel: [c01593ea] do_pipe+0x185/0x205
linux1 kernel: [c0114a9a] do_fork+0x50/0x16d
linux1 kernel: [c01b398a] copy_to_user+0x3e/0x4e
linux1 kernel: [c014c9ba] sys_llseek+0x9f/0xc4
linux1 kernel: [c0104387] sys_clone+0x41/0x45
linux1 kernel: [c010575d] sysenter_past_esp+0x52/0x71
linux1 kernel:
linux1 kernel: Code: 0f 0b 3e 00 5f e6 28 c0 eb dc a1 ec 1f 35 c0 89 6c 24 04 89

Any ideas?

Cheers, Chris.
Re: [Vserver] Lost access to vserver IPs
Hi Cathy,

> are you 100% sure that this isn't some hidden arp table flushing / router not routing issue?

> I had similar problems (similarly affecting only the vserver IPs, not the master server) that coincided with a router upgrade in the data center. I second Herbert's suggestion to check the router. :) HTH.

I will, but I definitely observed repeated incoming ARP requests for an IP that I thought was configured on the server, although I neglected to capture evidence. The addresses had not previously been assigned, so I don't think there could be an ARP table entry to flush, and having restarted the vservers it once again became possible to access them without any changes to the firewall.

I will investigate further when I can afford potential downtime, and capture a tcpdump and the output of ip link show, ip route show and arp -n to prove that the machine is not responding to ARPs. Is there anything else I should capture?

Is it possible that vserver X stop does not always take down the right interface?

Cheers, Chris.
Re: [Vserver] Lost access to vserver IPs
Hi Thomas,

> Herbert helped me to trace down the problem: We are running the master server and the vservers in different ip subnets:

Yes, that is _exactly_ what we are doing.

> (ip from the iproute2 suite) you can figure out which of the ip alias interfaces are secondary. These ip aliases will be removed if you shut down the corresponding primary interface.

I did check, and noticed the difference, but I wasn't sure about the significance of it, except to try to rearrange the order of addresses to make a different one master.

> we had some problems with nasty side effects when stopping one specific vserver: all other vservers on the same master lost their network connectivity.

Well, we didn't lose all of them, but quite a few.

> The kernel ip stack treats the first ip address within a scope as primary and deletes all secondary ip addresses within this scope when the primary address is taken down.

Ouch, that is a very nasty thing for it to do. Maybe we should be using ip addr add and ip addr del to add/remove addresses instead of ifconfig'ing interfaces up and down? Is this (mis)feature related to backwards compatibility with the old way of doing aliases?

> (ifconfig doesn't show the primary/secondary feature, but ip from iproute2 does)

Yes, we have only a few primary addresses, and many secondaries. I have to discuss it with my boss, but your solution looks interesting, although non-standard.

If this really is the problem, then two other solutions pose themselves.

1. Change the main IP address of the master server to be in the same subnet as the vservers (not scalable, what happens when we run out of addresses in this subnet?)

2. Add a VLAN interface for each vserver, to isolate them (and fix the problems with getting the wrong netmask due to the scripts' assumptions that the master is in the same subnet as the vservers). Does this also make CAP_NET_RAW somewhat safer? (are you still restricted to the same physical interface that your address is bound to, or can you spoof/listen to any packets on any interface that you want?)

Thanks very much for your help,

Cheers, Chris.
Re: [Vserver] Lost access to vserver IPs
Hi Herbert,

>> Is it possible that vserver X stop does not always take down the right interface?

> yes, under yet unknown circumstances, it happens that the vserver tools (or the ip/ifconfig utility) creates the alias as primary IP, in which case a vserver down (for this alias) will take down the entire interface (which is the right thing to do for primary ip addrs, which should not be used by vserver tools) ...

Yes, that is exactly what happened. Thomas was exactly right with his explanation, which is that when the vservers are in a different subnet to the main server, the first vserver to come up gets a non-secondary address, with the results that you describe.

> this can cause other servers to become dysfunctional after a vserver stop (which you didn't mention ;)

Well, I did say that I restarted a vserver, I assumed that a vserver stop was implicit in that :-)

> you can verify such a mis-configuration with ip addr show on the host, which should only list secondary aliases for the vservers IPs ...

I did, I saw that vservers did indeed have primary addresses, and I fixed it by moving the master server into the same subnet as all the vservers, restarting networking, and then entering each vserver to get it to recreate its addresses (I also had to stop the vservers that already had primary addresses, before restarting networking, to stop them from keeping their addresses across the restart).

Thanks guys! I think that's solved the problem.

Cheers, Chris.
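
The check discussed in this thread (on the host, vserver addresses should show up in ip addr show only as secondary), as an added example that is not part of the original posts or the vserver tools. It parses ip addr show output and reports, for each non-host primary address, the secondaries on the same device and subnet that would go away with it; the sample output, the host address 10.0.0.5, the web1/mail1 labels and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip addr show` output (not from the thread): the host
# address is in 10.0.0.0/24 and the vserver aliases are in 192.168.3.0/24.
SAMPLE = """\
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1
    inet 192.168.3.181/24 brd 192.168.3.255 scope global eth1:distcc1
    inet 192.168.3.182/24 brd 192.168.3.255 scope global secondary eth1:web1
    inet 192.168.3.183/24 brd 192.168.3.255 scope global secondary eth1:mail1
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")      # "2: eth1: <...>"
INET_RE = re.compile(r"^\s+inet\s+(\S+)\s+(.*)$")  # IPv4 lines only, not inet6

def parse_ip_addr(text):
    """Return a list of (device, IPv4Interface, is_secondary) tuples."""
    entries, dev = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            dev = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and dev:
            iface = ipaddress.ip_interface(m.group(1))
            entries.append((dev, iface, "secondary" in m.group(2).split()))
    return entries

def risky_primaries(text, host_ips):
    """Map each primary address that is not a host address to the secondaries
    sharing its device and subnet, i.e. the ones removed along with it."""
    entries = parse_ip_addr(text)
    report = {}
    for dev, iface, secondary in entries:
        if secondary or str(iface.ip) in host_ips:
            continue
        report[str(iface.ip)] = [
            str(o.ip) for d, o, s in entries
            if s and d == dev and o.network == iface.network
        ]
    return report

if __name__ == "__main__":
    for ip, lost in risky_primaries(SAMPLE, {"10.0.0.5"}).items():
        print(f"{ip} is primary; removing it also drops: {', '.join(lost) or 'nothing'}")
```

An empty result means every vserver address is secondary, which is the state described in the last message. On kernels that provide the net.ipv4.conf.*.promote_secondaries sysctl, enabling it makes the kernel promote a secondary instead of deleting them, which this sketch does not model.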