Re: [Vserver] Problems with Knoppix 5.2 (which should be Vserver-enabled...)

2007-03-21 Thread Björn Steinbrink
On 2007.03.21 15:09:48 +0100, Gerhard Hofmann wrote:
 Hi all,
 
 I have some Vserver hosts running that were setup according to this HowTo:
 http://www.howtoforge.com/linux_vserver_debian
 
 Because these are quite a lot of steps I always thought it would be nice
 to have a Debian distro that is Vserver-enabled out-of-the-box.
 
 Now, in the recent release of German magazine c't, there was a Knoppix
 5.2 CD which claims to be Vserver-ready.
 
 Has anybody here already tried Knoppix 5.2 and can share his or her
 experiences?
 
 I booted Knoppix, tried to setup a Vserver like this:
 vserver vserver1 build \
 -n vserver1 \
 --hostname vserver1 \
 --interface eth0:192.168.1.133/24 \
 -m debootstrap -- -d sarge
 
 I get this error message:
 /etc/vservers/.defaults/vdirbase/vserver1: Function not implemented
 
 Any ideas? Or any other Vserver-ready distro out there?

As it is also said to support OpenVZ, I guess there are multiple kernels
to choose from at the boot prompt. I guess you didn't take the one that
is Linux-VServer-enabled.

HTH
Björn
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] bug or feature

2007-02-24 Thread Björn Steinbrink
On 2007.02.24 01:13:21 +0100, Herbert Poetzl wrote:
 On Fri, Feb 23, 2007 at 06:30:15PM -0500, Adrien Laurent wrote:
  Hi,
  
  By mistake I assigned to a guest the same IP as the host.
 
 on guest startup, it will have warned you
 that the address was already assigned ...
 
  I stopped the guest...
  and I lost the host ip... 
 
 a serial (or at least remote :) console
 (which should really be part of any serious
 hosting setup) would have helped here ...
 
  hard remote reboot...
 
 well, you assigned it as ip which shall be
 added on startup and removed on shutdown,
 which is what it did ...
 
  Is it possible to forbid assignment of host ip to a guest ?
 
 almost everything is possible nowadays :)
 
 but it would not make sense to forbid that,
 besides the fact that there is no way to
 figure what ip is considered a 'host' ip
 
 besides that, certain setups even require
 that you share the host IPs with a guest

Sidenote:
That's really a feature and you can also use it in a sane way by having
a nodev file instead of a dev file in the directory for that ip
address. That way, the ip address is assumed to be already setup and
will neither be created when the vserver is started, nor be destroyed
when the vserver is stopped.

Björn


Re: [Vserver] Re: vserver patch for recent 2.6.16

2007-01-22 Thread Björn Steinbrink
On 2007.01.22 22:01:59 +0100, Markus Schuster wrote:
 Herbert Poetzl wrote:
  I had no problems patching older 2.6.16 kernels with XEN and
  vserver, but with the more recent one, the latest available vserver
  patch for 2.6.16 (patch-2.6.16.20-vs2.0.2-rc22.diff) does not apply
  without dozens of rejects that I can't fix myself.
  
  I take it that you are actually volunteering to test
  such a kernel with and without Xen meshed in ...
 
 I think I can't follow your thoughts here :) Should I try to patch a vanilla
 2.6.16.37 with patch-2.6.16.20-vs2.0.2-rc22.diff or what do you mean?
 I'm also ready to test a pre-made 2.6.16.37 with XEN and vserver patches
 applied as long as it won't eat up my server :)

It basically means I would create a patch for you, iff you promise to
actually test it and give feedback etc.. There were quite a few feature
requests in the past where those who filed them simply disappeared,
thus Bertl tries to make sure that such a thing does not happen before
he starts working on stuff that is not of interest for the majority of
users.

HTH
Björn


Re: [Vserver] using of 'vlimit --cpu', problems with 'gcc'

2006-10-30 Thread Björn Steinbrink
On 2006.10.30 14:54:36 +0100, Jaroslav Tomecek wrote:
 Hi,
 1)  I tried '/usr/sbin/vlimit -c 1000 --cpu 30'. It returned:
 'vc_set_rlimit(): Invalid argument'
 Any idea?

It's probably just not implemented/supported. I didn't check though. But
do you really _want_ that? It would limit your vserver to 30 seconds of
cpu time and kill it after it has used them up.
If you want to limit cpu usage you should rather take a look at vsched.

 
 2) I compiled a program on FC6 using g++ (GCC) 4.1.1 20061011 (Red Hat 
 4.1.1-30) on host server:
 
 #include <iostream>
 
 using namespace std;
 
 int main(void)
 {
  return 0;
 }
 
 But in FC5-based vserver 'test' it returned:
  '[EMAIL PROTECTED] /]# ./test-programme
   Floating point exception'

Maybe a glibc/libstdc++ conflict? No real idea about it... :(

 
 Any idea?
 
 /usr/sbin/vserver --version
 vserver 0.30.210 -- manages the state of vservers
 This program is part of util-vserver 0.30.210

An upgrade to .211 won't hurt, but it's probably not affecting the above
issues at all.

HTH
Björn


Re: [Vserver] Apache inside vserver closing connection early

2006-10-22 Thread Björn Steinbrink
On 2006.10.22 18:02:56 +0200, [EMAIL PROTECTED] wrote:
 Hi All,
 
 I have a problem with quite old version of vserver (2.0) running on 
 2.6.12.6 kernel,
 the symptoms are that the server (apache,vsftp located inside vs) is 
 closing connection after sending 114688 bytes of data,
 the problem doesn't occur on newer versions of vserver or when you start the 
 server in the root context.

That sounds like one of the sendfile(2) bugs we fixed back then.

 can someone point me towards the patch where it was fixed ?

Try searching the mailing list archives for sendfile.

 I cannot upgrade the kernel for the moment as I'm using lustre to store 
 vserver
 directory and anything above 2.6.12 makes it very unstable (bugged symlinks 
 etc..)

Try disabling sendfile support in apache to see if it is the correct bug
first and if it is, but you can't find the patch, ask again please.

HTH
Björn


Re: [Vserver] confusion on kernel settings

2006-09-23 Thread Björn Steinbrink
On 2006.09.23 17:24:39 -0400, Chuck wrote:
 the gentoo vserver how-to says to set up the kernel this way:
 
   [ ] Enable Legacy Kernel API
   [*] Disable Legacy Networking Kernel API

Using util-vserver 0.30.210 or later, these settings are fine, earlier
tools need the legacy networking, ancient tools need both legacy
interfaces.

Björn


Re: [Vserver] Files lost in guestsystem update

2006-08-14 Thread Björn Steinbrink
You are constantly hijacking your own threads and those of others. This
is harmful to everyone that uses a threaded view of his mailbox. Most
people are likely to ignore you because of that, please do _not_ hit the
reply button, but write a new email if you are not actually writing a
reply.

Björn


Re: [Vserver] CAPABILITIES as module?

2006-06-25 Thread Björn Steinbrink
On 2006.06.25 10:33:31 +0200, Martin Grunert wrote:
 Hi!
 
 I want to use dazuko on my vserver host, to be able to scan my
 files for viruses efficiently.
 
 Therefore the capabilities have to be compiled as module.
 
 Is this possible with the vserver kernel?

Should make no difference if you make sure to load the module early
enough (you probably know when that is better than me). The whole
security concept of Linux-VServer relies on POSIX capability support and
lots of folks had insecure setups, because the debian kernel config
builds that thing as a module and when people based their config on that
one, they didn't know that debian kernels have that module auto-loaded
via some /lib/modules/`uname -r`/ file rather than /etc/modules. So they
actually never had that module loaded. For that reason we decided to
make it mandatory to have capabilities built-in, but there is no
technical reason for this AFAIK, changing the config manually or patching
the Kconfig file to allow modular builds should be fine, of course only
if you load it ;)

HTH
Björn
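A check for the failure mode described in the reply above, added here as an example (it is not code from the list or from util-vserver): it reports whether POSIX capability support is built in, modular and loaded, or modular and never loaded. The symbol `CONFIG_SECURITY_CAPABILITIES` and the module name `capability` are those of 2.6-era kernels and are assumptions here; `cap_state`, `cap_guard` and the sample inputs are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: classify how POSIX capability support is provided on a host.
# Assumptions: the 2.6-era symbol CONFIG_SECURITY_CAPABILITIES and the module
# name "capability"; cap_state and cap_guard are hypothetical helper names.

# cap_state CONFIG_FILE MODULES_FILE
#   CONFIG_FILE  : kernel .config, e.g. /boot/config-$(uname -r)
#   MODULES_FILE : loaded-module list in /proc/modules format
# Prints one of: builtin | module-loaded | module-not-loaded | disabled
cap_state() {
    # Take the last assignment of the symbol, as a later line overrides earlier ones.
    setting=$(sed -n 's/^CONFIG_SECURITY_CAPABILITIES=\([ym]\)$/\1/p' "$1" | tail -n 1)
    case "$setting" in
        y) echo builtin ;;
        m)
            # A modular build only protects guests if the module is really loaded.
            if awk '$1 == "capability" { found = 1 } END { exit (found ? 0 : 1) }' "$2"; then
                echo module-loaded
            else
                echo module-not-loaded
            fi
            ;;
        *) echo disabled ;;
    esac
}

# cap_guard CONFIG_FILE MODULES_FILE
# Returns 0 only when capability support is active, so it can gate guest startup.
cap_guard() {
    case "$(cap_state "$1" "$2")" in
        builtin|module-loaded) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a config that builds the module, and a module list without it.
demo_dir=$(mktemp -d)
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_CAPABILITIES=m\n' > "$demo_dir/config"
printf 'ext3 116744 2 - Live 0xf8a2e000\njbd 47636 1 ext3, Live 0xf8a0c000\n' > "$demo_dir/modules"
echo "sample host: $(cap_state "$demo_dir/config" "$demo_dir/modules")"
rm -rf "$demo_dir"
```

On a live host the two arguments would be the running kernel's config file and `/proc/modules`.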


Re: [Vserver] Re: Samba in a vserver guest: broadcast problem

2006-06-25 Thread Björn Steinbrink
On 2006.06.25 13:35:34 +0200, [eMAXX] [EMAIL PROTECTED] wrote:
 [eMAXX] [EMAIL PROTECTED] wrote:
 
 
 Is running samba servers the way I want to (several vserver guests 
 with each its own sambaserver) even possible?
 
 Strangely enough, when I set /etc/vservers/vs02/interface/0/name to 
 vs02 (name was not yet there before, but it was for vs01) ... it worked!

Probably the bind interfaces only (or whatever it was called) option
causes Samba to parse the ifconfig output or uses the old ioctl
interface to get the data itself. That interface is fixed to show the
vserver's ip address in 2.1.x-rcX (don't remember which rc it was
fixed in), but not in 2.0.x, so Samba cannot determine the ip address
that way, unless the ifa is named (that case works even in 2.0.x).

Björn


Re: [Vserver] totem-video-thumbnailer within vserver?

2006-06-15 Thread Björn Steinbrink
On 2006.06.14 21:46:44 -0700, Martin Fick wrote:
 --- Herbert Poetzl [EMAIL PROTECTED] wrote:
  On Mon, Jun 12, 2006 at 02:43:24PM -0700, Martin
  Fick wrote:
   Ok, this is going to be a little out there.  I am
   trying to run the totem-video-thumbnailer inside a
   vserver and this is the error message I get:
   
 ERROR: Could not determine network interfaces, 
 you must use a interfaces config line
  
  please provide details regarding your host kernel,
  tools and guest configuration, as well as some
  relevant snippet from strace -fF ing the app
 
 Host: Debian unstable 2.6.16-1-vserver-686
 Guest: Debian sarge
 
 strace:
 
 ...
 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 14
 ioctl(14, SIOCGIFCONF, {32, {{eth0, {AF_INET,
 inet_addr(192.168.1.65)) = 0
 ioctl(14, SIOCGIFADDR, 0xbffb112c)  = 0
 ioctl(14, SIOCGIFFLAGS, 0xbffb112c) = 0
 ioctl(14, SIOCGIFNETMASK, 0xbffb112c)   = -1
 EADDRNOTAVAIL (Cannot assign requested address)
 close(14)   = 0
 write(1, ERROR: Could not determine netwo...,
 85ERROR: Could not determine network interfaces, you
 must
 use a interfaces config line...
 
 Looks like it just can't open eth0, the ip is the
 proper ip for the vserver.

Yep, the ioctl part virtualizes too much away, this was fixed in
2.1.1-rc7 IIRC. The relevant patch is here:
http://www.13thfloor.at/~doener/vserver/patches/diff-2.6.16.5-vs2.0.2-rc16-devinet_ioctl.diff
Should apply without any problems.

 
 The ifconfig inside the vserver returns:
 
 eth0  Link encap:Ethernet  HWaddr
 00:11:D8:74:5D:3F
   UP BROADCAST RUNNING MULTICAST  MTU:1500 
 Metric:1
   RX packets:39193682 errors:0 dropped:0
 overruns:0 frame:0
   TX packets:39207371 errors:0 dropped:0
 overruns:0 carrier:0
   collisions:0 txqueuelen:1000
   RX bytes:781137783 (744.9 MiB)  TX
 bytes:3562859166 (3.3 GiB)
   Interrupt:209
 
 I guess I'd better read up on vserver networking...

ifconfig also uses the ioctl interface and thus cannot show the
vserver's ip address either.

HTH
Björn


[Vserver] Tools to convert directory config to flat file and back

2006-05-28 Thread Björn Steinbrink
Hi folks,

on IRC once again someone complained about the directory based config,
and Bertl once again wondered why no one came up with some conversion
tool. I was sick of that and spent a few minutes on hacking two
small scripts for that purpose. (A bit of an offense intended *g*)
They can't do much as of now, but should work for basic usage.

Stuff they do: Care about all regular files in the configuration.

Stuff they do not do: Care about symlinks, delete files that appear in
the flat file config but not in the directory config.

The flat file layout is pretty minimalistic, just enough to get the job
done, basically it's just all files smashed together with their
filenames inserted in between.

If you want more than that, feel free to enhance or rewrite them (I actually
suck at bash scripting), but please stop whining about the directory
config being inconvenient ;).

Wiki-Page (usage is explained there):
http://linux-vserver.org/ConfigConverters

Scripts:
http://www.13thfloor.at/~doener/vserver/tools/fromDir.sh
http://www.13thfloor.at/~doener/vserver/tools/toDir.sh

HTH
Björn


Re: [Vserver] Cant get Autofs working

2006-05-23 Thread Björn Steinbrink
On 2006.05.23 15:27:17 +0200, peter wrote:
 Hello all,
 
 I have a problem with vserver.
 Here my setup:
 
 The Host is a small Home-Server for Internet Routing and Fileserver.
 
 The Guest is a Desktop with running X and related (works very good).
 
 Both running Debian Sarge.
 Now I wanted to have all this nice removable usb devices 
 (usb-sticks,sdcard-reader,...) and floppy/cdrom to work.
 
 On the Host I have setup autofs and this is running fine for the Host.
 On the Guest side i configured fstab to rbind the autofs-folder.
 
 Now the Problem:
 If I cd into the binded folder from the Guest, I see all the possible drives 
 (because of the --ghost automounter option). If I cd into one of these the 
 drive get mounted on the Host. But I cannot see any Files in this Folder from 
 the Guest. In the Host all is working.

That's because new mounts are not propagated into the rbind'ed mount
tree. Shared subtrees solve that problem, but were added to the kernel
only recently (.15? maybe .16) and are not natively supported by
util-vserver yet (AFAIK). But it should be quite simple to add a
pre/post start script to the vserver configuration to use it. Details on
it can be found in Documentation/sharedsubtree.txt in the kernel source
tree.

HTH
Björn


Re: [Vserver] VPS time differ from HOST time ??? why

2006-05-10 Thread Björn Steinbrink
On 2006.05.09 14:32:51 +0200, Sébastien CRAMATTE wrote:
 VPS time differ from HOST time ??? why
 
 I've changed my  host server time
 but my VPS  keep running with the old one.

Did you change the time or the timezone? The former will affect
everything running on the box, the latter will only affect the host or
the guest for which it was changed.

Björn


Re: [Vserver] Errors on stopping vserver

2006-05-04 Thread Björn Steinbrink
On 2006.05.04 12:59:45 -0400, Fareha Shafique wrote:
 Hi,
 
 When I stop the vserver I get the following:
 Stopping sshd: [FAILED]
 Shutting down kernel logger:  [FAILED]
 Shutting down system logger: [  OK  ]
 Starting killall:  Stopping sshd:[FAILED]
 
 [FAILED]

They probably failed because the services were never started ;)

The kernel logger can only be started if you enable log virtualization
for that vserver, but you can as well just remove the kernel logger from
your vserver's runlevels, as it won't log anything anyway ;)
For sshd to be able to start, you need to set the ListenAddress for the
host's sshd to some ip address other than 0.0.0.0 (default), because
otherwise it listens on port 22 of all ip addresses, so the vservers'
addresses are already in use.

HTH
Björn
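The ListenAddress point in the reply above can be checked mechanically. The following is an added example, not part of the original message: it reads an sshd_config and tells whether the host's sshd would occupy port 22 on a given guest address. The function names, the sample configs and the addresses are hypothetical and constructed; `::` is treated as a wildcard on the assumption of a dual-stack bind.

```shell
#!/bin/sh
# Added example: does the host's sshd claim a guest's address?
# sshd_listen_addrs and sshd_blocks_guest are hypothetical helper names.

# sshd_listen_addrs SSHD_CONFIG
# Prints every configured ListenAddress without its port, one per line.
# With no ListenAddress line at all, prints the default wildcard 0.0.0.0.
sshd_listen_addrs() {
    awk '
        tolower($1) == "listenaddress" && NF >= 2 {
            addr = $2
            if (addr ~ /^\[/) {
                # [addr] or [addr]:port
                sub(/^\[/, "", addr)
                sub(/\](:[0-9]+)?$/, "", addr)
            } else if (split(addr, parts, ":") == 2) {
                # addr:port (a bare IPv6 address has more than one colon)
                addr = parts[1]
            }
            print addr
            seen = 1
        }
        END { if (!seen) print "0.0.0.0" }
    ' "$1"
}

# sshd_blocks_guest SSHD_CONFIG GUEST_IP
# Returns 0 when the host sshd binds a wildcard or the guest address itself,
# i.e. when a guest sshd on GUEST_IP would find its port already in use.
sshd_blocks_guest() {
    sshd_listen_addrs "$1" | awk -v ip="$2" '
        $1 == "0.0.0.0" || $1 == "::" || $1 == ip { hit = 1 }
        END { exit (hit ? 0 : 1) }
    '
}

# Constructed sample: a default-style config where ListenAddress is commented out.
demo_dir=$(mktemp -d)
printf 'Port 22\n#ListenAddress 0.0.0.0\n' > "$demo_dir/sshd_config"
if sshd_blocks_guest "$demo_dir/sshd_config" 192.168.0.155; then
    echo "host sshd occupies port 22 on 192.168.0.155"
else
    echo "192.168.0.155 is free for the guest's sshd"
fi
rm -rf "$demo_dir"
```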


Re: [Vserver] Newbie question

2006-05-04 Thread Björn Steinbrink
On 2006.05.04 22:46:07 -0400, Fareha Shafique wrote:
 Hi,
 
 I'm new to vservers. I installed the vserver from rpms and built it 
 according to the instructions on Vserver Installation Fedora Core 4.  I 
 was under the impression that a vserver has all the same files in its 
 /etc directory as the host machine, but my vserver has fewer files. 
 Furthermore, inside my vserver I cannot use bash commands such as less, 
 rpm, man.
 Have I misunderstood the basics of vserver or did I incorrectly install 
 my vserver?

AFAIK the build methods of util-vserver build FC vservers with a minimum
of installed packages. less, rpm and man are not bash commands but
separate programs which are probably simply not installed yet.

 Any help would be appreciated.

HTH
Björn
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] vserver 2.0.2 patch for kernel 2.6.15.6

2006-03-24 Thread Björn Steinbrink
On 2006.03.24 11:10:52 +0100, Gerald Hochegger wrote:
 Hello all,
 
 I'm maintaining Ubuntu kernels with vserver patch applied.
 (https://wiki.ubuntu.com/VServer)
 
 Ubuntu Dapper with 5 years support will be released in June
 with a modified kernel-2.6.15.6, but since the release of
 kernel-2.6.16 the newest 2.0.2rc.. series of vserver patches are
 only supplied for kernel-2.6.16
 
 Is it possible to supply 2.0.2rc.. kernel patch for 2.6.15.6 also
 until 2.0.2 is released ?
 
 I'm willing to maintain the Ubuntu Dapper 2.6.15.6 kernel with
 the vserver 2.0.2 patch for some time in the future
 since we ourself depend heavily on this combination.

The latest patch for 2.6.15.6 is vs2.0.2-rc13, the changes from rc13 to
rc14 are pretty simple and using interdiff you can extract them from
the patches for 2.6.16, maybe that's even a good start for being a
maintainer ;)

HTH
Björn


Re: [Vserver] sendfile in kernel 2.6.16r5 broken ?

2006-03-08 Thread Björn Steinbrink
On 2006.03.08 15:18:06 +0100, gerardi wrote:
 
 
 Herbert Poetzl schrieb:
 
 On Tue, Mar 07, 2006 at 05:37:11PM +0100, gerardi wrote:
  
 
 Hello everyone,
 
 Is the sendfile kernel option broken in 2.6.16rc5 or only together
 with vserver ?
 
 When I am running kernel 2.6.16rc5 with the vserver patch vs2.1.1-rc10
 I have to deactivate sendfile in Apache because it is broken.

 
 
 this sounds like a kernel bug, did you test with mainline
 2.6.16-rc5 if it 'works' there? if so, please let me know
 how it fails for you, as it then can be considered a bug
 in the vserver code, which we'd like to fix asap ...
 
  
 
 Ok I verified it. plain 2.6.16-rc5 is working but with  vserver patch 
 vs2.1.1-rc10 not.
 
 Are there other things to be broken in the dev version ?

 
 
 once we gain knowledge of 'broken' things, we try to fix
 them as soon as possible .. so no 'known' broken things
 there ...
  
 
 Nice to hear.

Could you try if this fixes the issue?

TIA
Björn

--

diff -NurpP --minimal linux-2.6.16-rc5-vs2.1.1-rc10/fs/read_write.c 
linux-2.6.16-rc5-vs2.1.1-rc10-sendfile/fs/read_write.c
--- linux-2.6.16-rc5-vs2.1.1-rc10/fs/read_write.c   2006-03-08 
16:12:35.0 +0100
+++ linux-2.6.16-rc5-vs2.1.1-rc10-sendfile/fs/read_write.c  2006-03-08 
16:22:15.0 +0100
@@ -657,8 +657,9 @@ ssize_t vfs_sendfile(struct file *out_fi
return -ESPIPE;
 
ret = rw_verify_area(FLOCK_VERIFY_READ, in_file, ppos, count);
-   if (ret)
+   if (ret  0)
return ret;
+   count = ret;
 
/* verify out_file */
out_inode = out_file-f_dentry-d_inode;
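Review bot: in the first hunk the added condition reads `if (ret  0)` with no comparison operator between `ret` and `0` as posted, so it cannot be applied in this form; given the `count = ret;` that follows, the intended test is presumably for a negative error return and should be written out explicitly. A short comment above `count = ret;` stating that a non-negative return from rw_verify_area() is taken as the permitted length would also help, since the removed `if (ret)` treated every non-zero return as an error.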
@@ -668,8 +669,9 @@ ssize_t vfs_sendfile(struct file *out_fi
return -EINVAL;
 
ret = rw_verify_area(FLOCK_VERIFY_WRITE, out_file, out_file-f_pos, 
count);
-   if (ret)
+   if (ret  0)
return ret;
+   count = ret;
 
ret = security_file_permission (out_file, MAY_WRITE);
if (ret)
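Review bot: in the second hunk `count = ret;` overwrites the value already narrowed by the read-side check, so the length finally used is whatever the FLOCK_VERIFY_WRITE call returns; it is worth confirming that this can never exceed the `count` passed in. The unchanged `if (ret)` after security_file_permission() still uses the non-zero-is-error convention, which suits that call, but the two conventions now sit a few lines apart and a comment would keep a later cleanup from making them uniform by mistake.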


Re: [Vserver] No luck with chroot-barrier

2006-03-07 Thread Björn Steinbrink
On 2006.03.08 09:10:39 +1100, Tony and Robyn Lewis wrote:
 I can't seem to get the chroot-barrier to work.
 
 == in guest, before setting chroot-barrier ==
 [EMAIL PROTECTED]:~$ date
 Tue Mar  7 21:43:19 UTC 2006
 
 == in host, turning on chroot-barrier ==
 [EMAIL PROTECTED]:~$ sudo setattr --barrier /var/lib/vservers/rice

The barrier should be set on the parent directory, so the correct thing
to do would be:
setattr --barrier /var/lib/vservers/rice/..

 == in guest, after chroot-barrier ==
 [EMAIL PROTECTED]:~$ date
 -bash: /bin/date: Permission denied

Yep, cause you just denied access to the guest's / directory :)

HTH
Björn


Re: [Vserver] mountpoints blocked - reloaded

2006-02-20 Thread Björn Steinbrink
On 2006.02.18 00:38:02 +0100, Herbert Poetzl wrote:
 On Fri, Feb 17, 2006 at 01:50:41PM +0100, Oliver Welter wrote:
  Hi Folks, Hi Bertl,
  
  the problem which seemed to be solved re-appeard today with recent
  kernel patches (2.6.15-gentoo-r4-vs2.1.1-rc6)
  
  To reconstruct the problem
  1) add a drbd blockdevice to the guests fstab
  2) start and stop guest
  3) try to unmount the device
  you get an error, telling that the drbd device is still mounted...
  
  So - any ideas ??
 
 okay, just as update, we tracked this down to 
 the fact that even mainline 2.6.15/2.6.16-rc3
 does not release ext3 filesystems properly
 when the namespace is destroyed ... this can
 be easily verified with a mainline kernel and
 the following command sequence:
 
  vnamespace --new -- mount /dev/hda1 /mnt
 
 (assuming that /dev/hda1 contains an ext3 fs
 and /mnt exists, this will claim hda1 but not
 release it -- it works fine with ext2 though)
 
 now investigating ...

Bertl tracked the issue down to be caused by the kernel thread created
for the mount (kjournald), which is running in the new namespace. Once
all user processes in that namespace are gone, you lose access to it,
but the kjournald keeps it alive, thus the mount stays around which in
turn keeps the kjournald alive, oops :-)

A patch to fix this is in -mm now, the according threads on lkml are:
Message-Id: [EMAIL PROTECTED]
http://lkml.org/lkml/2006/2/17/323

Message-Id: [EMAIL PROTECTED]
http://lkml.org/lkml/2006/2/20/33

Björn


Re: [Vserver] ifconfig problem with virtual interfaces

2006-01-23 Thread Björn Steinbrink
On 2006.01.23 12:31:53 +0100, Raimund Specht wrote:
 Hi !
 
 We have a very strange problem here with virtual IP addresses (various 
 up-to-date 2.6 kernels with vserver 2.0):
 
 Let eth0 have a normal IP address. Let v1 and v2 be two vservers with a 
 virtual IP on eth0 each.
 
 # vserver v1 start
 # vserver v2 start
 
 ifconfig shows eth0, eth0:v1, and eth0:v2 as expected, everything works.
 
 # vserver v1 stop
 
 Now ifconfig shows that all virtual IPs have been removed although 
 vserver-stat shows that v2 is still running. Networking with v2 doesn't 
 work either. This only happens if the vserver, that was started first, is 
 stopped. Other orderings work fine.
 
 This problem is not vserver related, we can reproduce it on non-vserver 
 systems/kernels too. The following commands reproduce it on 90% of our 
 systems (Debian, Ubuntu, Gentoo, all with Linux 2.6):
 
 # ifconfig eth0:1 1.2.3.4
 # ifconfig eth0:2 1.2.3.5
 # ifconfig eth0:1 del 1.2.3.4
 
 
 Does anyone else have this problem?
 Any workaround except defining an eth0:dummy interface outside any vserver?

Yep, that's default behaviour... :/

If you add the first address for a subnet, this becomes the 'primary'
address for this subnet, all later added addresses become secondaries.
Removing the primary address tears down all secondaries as well.

The common workaround is to have a primary address for each used subnet
on the host and only giving secondaries to the vservers.

HTH
Björn
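To find guests exposed to the primary/secondary behaviour described in the reply above, one can look for guest addresses that are the primary of their subnet. This is an added example, not part of the original message; it goes slightly beyond the `ifconfig` case by reading `ip -o -4 addr show` output, where iproute2 marks non-primary addresses with the word `secondary`. The function name, the sample output and the addresses are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: list guest addresses that are the primary address of their
# subnet, i.e. whose removal on guest stop would tear down the secondaries too.
# primary_guest_addrs is a hypothetical helper name.

# primary_guest_addrs ADDR_FILE GUEST_IP...
#   ADDR_FILE : saved output of `ip -o -4 addr show`
# Prints each GUEST_IP that appears in ADDR_FILE without the "secondary" flag.
primary_guest_addrs() {
    addr_file=$1
    shift
    for guest_ip in "$@"; do
        awk -v ip="$guest_ip" '
            $3 == "inet" {
                split($4, a, "/")              # $4 is address/prefixlen
                if (a[1] != ip) next
                for (i = 5; i <= NF; i++)
                    if ($i == "secondary") next
                print ip
            }
        ' "$addr_file"
    done
}

# Constructed sample: the host owns the primary in 192.168.0.0/24, but the
# second subnet has no host address, so guest v2 ended up as its primary.
demo_dir=$(mktemp -d)
cat > "$demo_dir/addrs" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0
2: eth0    inet 192.168.0.155/24 brd 192.168.0.255 scope global secondary eth0:v1
2: eth0    inet 192.168.100.100/24 brd 192.168.100.255 scope global eth0:v2
EOF
for ip in $(primary_guest_addrs "$demo_dir/addrs" 192.168.0.155 192.168.100.100); do
    echo "guest address $ip is a primary: add a host address in its subnet first"
done
rm -rf "$demo_dir"
```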


Re: [Vserver] [Bug] sendfile64 stopped working in host server after upgrading from vanilla

2005-12-03 Thread Björn Steinbrink
On 2005.12.03 19:39:21 +0100, Bodo Eggert wrote:
 After I upgraded from vanilla 2.6.11.10 to 2.6.14.2-vs2.1.0-rc7, the 
 sendfile function in the host server stopped delivering the whole file.
 After reverting to the old kernel, it works correctly again.
 
 --
 $ echo -e 'GET http://be10/images/___.jpg HTTP/1.0\r\n\r' |
   netcat be10 80 | wc
  62 247   13032
 
 (The file contains 78835 bytes).
 --
 open(/home/___/public_html/images/___.jpg, 
 O_RDONLY|O_LARGEFILE) = 10
 setsockopt(9, SOL_TCP, TCP_NODELAY, [0], 4) = 0
 setsockopt(9, SOL_TCP, TCP_CORK, [1], 4) = 0
 writev(9, [{HTTP/1.1 200 OK\r\nDate: Sat, 03 D..., 284}], 1) = 284
 sendfile64(9, 10, [0], 78835)   = -1 EOVERFLOW (Value too large 
 for defined data type)
 --

Ah! That's what's happening... I just noticed that my local webserver
delivers broken images (i.e. only a part of them), but because I'm busy
with other stuff atm, i didn't care to find out what's happening.

Some details:

Kernel
--
Linux atjola 2.6.14.2-vs2.1.0-rc7 #1 SMP Sun Nov 13 17:58:58 CET 2005 x86_64 
AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ AuthenticAMD GNU/Linux

Apache
--
Server version: Apache/2.0.54
Server built:   Nov 19 2005 22:05:20

FS
--
All partitions are ext3 and located on a lvm2 volume on software RAID 1.

testme.sh passes without errors.

HTH
Björn


Re: [Vserver] packet shaping with vservers

2005-11-14 Thread Björn Steinbrink
On 2005.11.14 14:23:54 +0100, Grzegorz Nosek wrote:
 Hi
 
 Thanks for your info. The weird thing is that although I had limited
 eth0 traffic, the slowdowns occurred at the lo interface (pingflooding
 between vservers).

I now tried a local ping, also works just as expected (i.e.
unlimited).

 Which gcc version did you use? Could you share your kernel config? If
 at all possible, I'll try to boot with an identical kernel and see if
 there's any difference.

~ $ gcc --version
gcc (GCC) 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)
Copyright (C) 2004 Free Software Foundation, Inc.

Kernel config is attached (for the vs2.1 kernel, the others were the same
except for options not available in earlier versions).

Network setup is like this:
1: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:81:55:09:b0 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0
inet 192.168.100.100/24 brd 192.168.100.255 scope global eth0
2: lo: LOOPBACK,UP mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

192.168.0.101 is the host's address, 192.168.100.100 is the guest's
address.

HTH
Björn

Re: [Vserver] packet shaping with vservers

2005-11-13 Thread Björn Steinbrink
On 2005.11.10 11:47:39 +0100, Grzegorz Nosek wrote:
 2005/11/9, Herbert Poetzl [EMAIL PROTECTED]:
 
  hmm, smells like a mainline issue, to be honest,
  but if you have time (and the machine) we can do
  some more detailed investigations ...
 
  TIA,
  Herbert
 
 
 Hello
 
 I was thinking along similar lines (AMD64 x2 are quite a new brand),
 but I thought that was a hardware issue (slightly malfunctioning CPU
 from an early batch?).
 
 The box is now probably (I'll know for sure when I get to work) free
 to tinker with so if you have any suggestions on how to debug the
 issue, I'm all ears. The machine is there, so is the time (actually
 this is my priority task at the moment, stabilise that damn box!) :)
 

I've tried the instructions you gave in one of your previous mails (add
a qdisc, then add a class [or whatever are the correct terms...]). And
ran ping -f 192.168.0.1 from my box to my router. With 1Gbit rate and
ceil limits, with 100Kbit limits and backlog filled up and cleaned out
about once per second for a really short time (I guess that is expected
due to the rate limit). I didn't experience the backlog slowly filling
up as you described.
Test setup was:
Athlon64 X2 4400+, Tyan Tomcat K8E S2865G2NR, 2GB RAM, 100Mbit tg3 nic.
Tested kernels (all SMP):
2.6.14
2.6.14.2-vs2.0.1-rc1
2.6.14.2-vs2.1.0-rc7

On the vserver-kernels I ran ping in context 0 as well as in a vserver.

HTH
Björn


Re: [Vserver] X11 vserver

2005-10-05 Thread Björn Steinbrink
On 2005.10.05 15:03:41 +0200, hellekin wrote:
 2. how comes the nvidia module, loaded in the host, doesn't show up in the
 vserver?

There are some dev nodes that are used by the driver, maybe those are
just missing. The files are /dev/nvidia0 and /dev/nvidiactl (maybe you
also got other nvidia* files).

 3. what is the clean way to login to this host from the console?

IIRC Herbert has some script to login directly into a vserver.
Unfortunately i can't seem to find it anymore... Herbert?

HTH
Björn


Re: [Vserver] Firewall between two vserver

2005-07-07 Thread Björn Steinbrink
On 2005.07.07 13:51:57 +0200, [EMAIL PROTECTED] wrote:
 Hello,
 
 i'm working on a netfilter-configuration for the host-server ...
 
 Can i protect one vserver against another?
 
 I tested the following:
 
 {...}
 # Block everything between 2 vserver
 iptables -A INPUT -d 192.168.0.155 -s 192.168.0.157 -j DROP
 iptables -A INPUT -d 192.168.0.157 -s 192.168.0.155 -j DROP
 {...}
 

The INPUT chain is for packets entering the box, but with vservers
packets don't enter the box, all traffic is flowing inside the box. Try
using the PREROUTING chain instead.

HTH
Björn


Re: [Vserver] can not ping 1st vserver when 3 vservers exist.

2005-06-27 Thread Björn Steinbrink
Hi,

On 2005.06.27 17:40:17 -0400, Frank Crowder wrote:
 I have 3 vservers. I can ping vserver 2 and 3, but not vserver 1. If I
 restart vserver1, I can ping vserver1 and vserver3. Any suggestions are
 very appreciated.

I guess you're hitting the primary/secondary network issue, but as you
didn't provide much information (kernel/tools version, network
configuration of the vservers) and my crystal ball is broken, I can't
tell anything else ;)

For the primary/secondary stuff:
In Linux, for each subnet there is one primary address. If this address
is removed, all secondaries are removed, too.
Example, I assume that there are no addresses from 10.0.0.0/8 configured
yet:
ifconfig eth0:0 10.0.0.1 -- becomes primary
ifconfig eth0:1 10.0.0.2 -- becomes secondary
ifconfig eth0:2 10.0.0.3 -- becomes secondary
ifconfig eth0:3 10.0.0.4 -- becomes secondary

ifconfig eth0:2 down --- eth0:2 is gone now
ifconfig eth0:0 down --- eth0:0 _and_ eth0:1 and eth0:3 are gone now

So if you have addresses from the same subnet in different vservers,
and one of the vservers 'owns' the primary address, stopping/restarting that
vserver will cause the other vservers to lose their addresses.

Work-Arounds:
Either reserve an ip address in the used subnets that is statically
configured on the host and being the primary one (i.e. the first address
from that subnet), so the primary address will never be removed.
Or use /32 addresses, that way, the subnet contains only a single
address and thus there can't be any secondaries.

HTH
Björn
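
The primary/secondary behaviour and both work-arounds from the mail above, as a small Python model added here (not part of the original post and not util-vserver code). The 192.0.2.0/24 addresses and guest names are constructed, and the model assumes all addresses sit on one device with the default behaviour the mail describes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(eq=False)
class Addr:
    iface: ipaddress.IPv4Interface
    owner: str          # "host" or a guest name (constructed labels)
    secondary: bool


class Interface:
    """One network device; aliases such as eth0:0 are only labels on it."""

    def __init__(self):
        self.addrs = []  # kept in configuration order

    def add(self, cidr, owner):
        new = ipaddress.ip_interface(cidr)
        # An address becomes secondary when a primary with the same
        # network and prefix length is already configured on the device.
        secondary = any(
            a.iface.network == new.network and not a.secondary
            for a in self.addrs
        )
        self.addrs.append(Addr(new, owner, secondary))
        return "secondary" if secondary else "primary"

    def delete(self, ip):
        """Delete one address; return [(ip, owner), ...] of all that vanish."""
        target = next((a for a in self.addrs if str(a.iface.ip) == ip), None)
        if target is None:
            raise ValueError(f"{ip} is not configured")
        doomed = [target]
        if not target.secondary:
            # Removing a primary takes every secondary of that subnet along.
            doomed += [
                a for a in self.addrs
                if a.secondary and a.iface.network == target.iface.network
            ]
        self.addrs = [a for a in self.addrs if a not in doomed]
        return [(str(a.iface.ip), a.owner) for a in doomed]


def build(assignments):
    """Configure (cidr, owner) pairs in order and return the device."""
    dev = Interface()
    for cidr, owner in assignments:
        dev.add(cidr, owner)
    return dev


def stop_guest(dev, guest):
    """Remove a guest's addresses, as happens on guest shutdown.

    Returns the addresses that *other* owners lost as a side effect.
    """
    collateral = []
    for ip in [str(a.iface.ip) for a in dev.addrs if a.owner == guest]:
        if not any(str(a.iface.ip) == ip for a in dev.addrs):
            continue  # already removed together with an earlier primary
        collateral += [(i, o) for i, o in dev.delete(ip) if o != guest]
    return collateral


# Constructed sample layouts.
SHARED = [("192.0.2.11/24", "vserver1"),
          ("192.0.2.12/24", "vserver2"),
          ("192.0.2.13/24", "vserver3")]
# Work-around 1: the host statically holds the first address of the subnet.
HOST_PRIMARY = [("192.0.2.1/24", "host")] + SHARED
# Work-around 2: /32 addresses, so no subnet ever has a secondary.
SLASH32 = [(cidr.replace("/24", "/32"), owner) for cidr, owner in SHARED]
# The ifconfig sequence from the mail (classful /8 for 10.x.x.x).
MAIL = [("10.0.0.1/8", "eth0:0"), ("10.0.0.2/8", "eth0:1"),
        ("10.0.0.3/8", "eth0:2"), ("10.0.0.4/8", "eth0:3")]


if __name__ == "__main__":
    for label, layout in [("shared /24", SHARED),
                          ("host holds primary", HOST_PRIMARY),
                          ("/32 per guest", SLASH32)]:
        lost = stop_guest(build(layout), "vserver1")
        print(f"{label}: stopping vserver1 costs other guests {lost}")
```
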


[Vserver] Comparison of virtualization techniques

2005-06-26 Thread Björn Steinbrink
Hello,

today I've found your comparison of various virtualisation techniques on
the net. One thing I miss there is Linux-VServer, which is very much
like Solaris Zones AFAICT (I didn't use Zones myself, yet).
For the questions in the comparison table, these answers would fit
Linux-VServer:
Independent File System: Yes, if needed
Shared read-only immutable File System: In various ways, just immutable
files, or immutable files that can be deleted (sharing via hardlinks)
or, with an additional patch, read-only bind mounts.
Can access raw devices: No, unless it gets the necessary device node
from the host.
Access Network resources: Yes, configurable on ip address level.
Can create or change Network Devices: No, permission can be granted.
Can access hardware devices without permission: No, permission can be
granted.
Single Point of Maintenance: I guess yes, but I don't get the question,
I'm not a native speaker ;)
Can send signals : No
Runs a separate kernel: No
Can monitor Processes and IO using standard tools: Needs a tool to
switch into 'watch' context, but then yes.
Light weight: Yes
Can be a NFS server: IIRC only one NFS server per real box, that one can
also be in a vserver.
Host can examine data inside the zone/chroot without special tools: Yes
Resource Control outside the Secure Area: Yes
Simple control interface: Yes (IMHO)
Configuration Application for simple setup and modification: Setup yes,
modification not yet, configuration is stored in simple files.


Linux-VServer is modular, that means process virtualization and network
virtualization are separate, you can choose between using one or both of
them. File system virtualization is done via enhanced chroot to avoid
breaking out of the chroot, either via a barrier flag on a directory or
via namespaces.

The project's homepage is at http://linux-vserver.org/
A paper on the used concepts can be found at 
http://linux-vserver.org/Linux-VServer-Paper

I'd be grateful if you would add Linux-VServer to your comparison, if
there are any questions left, feel free to ask on the mailing list
(which I cc with this mail) or join the irc channel #vserver on OFTC.

TIA
Björn


Re: [Vserver] Comparison of virtualization techniques

2005-06-26 Thread Björn Steinbrink
James, if you didn't get the original mail, please let me know. Your
email address on http://www.karrot-x.net/jamesd/ misses the 'g' in
gmail, so my first send attempt failed and I don't know whether the
bounce succeeded.

On 2005.06.26 14:24:20 +0100, Martin wrote:
 I don't claim to be an expert but there are a few things that you might
 have missed.
 
  Access Network resources: Yes, configurable on ip address level.
 Can also select which of the interfaces the vserver's ip(s) are on.
 
  Single Point of Maintenance: I guess yes, but I don't get the question,
  I'm not a native speaker ;)
 I think what they probably mean is - 'is there one machine / system /
 interface from which all of the servers can be administrated' - the
 answer is then yes.
 
  Can send signals : No
 Within a vserver - yes, between them - no.

The question was about sending signals between vservers, thus the three
dots, i've been too lazy ;)

 
  Can be a NFS server: IIRC only one NFS server per real box, that one can
  also be in a vserver.
 Hmmm... any / as many as you want of the machines can run user space NFS
 servers.  Generally the kernel NFS server shouldn't really be used, but
 I think with the right permissions it could be used from any of the
 vservers, but it's really not a good idea.

Hm, IIRC I've heard of some problems with the port mapper, but maybe
that was some special case, never used NFS myself.

Björn


Re: [Vserver] linux-2.6.12 and latest patch?

2005-06-18 Thread Björn Steinbrink
On 2005.06.18 12:28:41 +0200, Christian Heim wrote:
 On Saturday 18 June 2005 12:13, Kilian Krause ( KK )wrote:
 Hi guys,
 
 i was just about to try new VS2.00 and found the latest available patch
 (against 2.6.11.11) not applying cleanly to 2.6.12...
 
 Is there one in the make for 2.6.12 now it's out? ;)
 
 Thanks!
 
 You could use Michal's / Bjoerns patch against 2.6.12-rc4, which (with a bit 
 of cleanups) works for me.

I hope you didn't have too much trouble porting that one, as I already
had a patch against 2.6.12-rc6 done and available on 13thfloor (maybe I
should start and announce such stuff?)

 
 Alternatively you could also use my patch[1], which is against 2.6.12
 and is currently running here.
 
 [1] http://phreak.xnull.de/kernel/patches/vserver/patch-2.6.12-vs2.0-rc4.diff

Good job! Looks like mine, except for a missing semicolon and a missing
virtualization in the ppc64 code. I'll send the patch against your
version with this mail as it is small enough to do so.
My patch is at:
http://www.13thfloor.at/~doener/vserver/patches/patch-2.6.12-vs2.0-rc4.diff

Bjoern


diff -NurpP --minimal cheim/arch/ppc64/kernel/sys_ppc32.c 
linux-2.6.12-vs2.0-rc4/arch/ppc64/kernel/sys_ppc32.c
--- cheim/arch/ppc64/kernel/sys_ppc32.c 2005-06-18 13:39:21.0 +0200
+++ linux-2.6.12-vs2.0-rc4/arch/ppc64/kernel/sys_ppc32.c2005-06-18 
13:27:17.0 +0200
@@ -1138,7 +1138,7 @@ asmlinkage int sys32_uname(struct old_ut
int err = 0;

down_read(uts_sem);
-   if (copy_to_user(name, system_utsname, sizeof(*name)))
+   if (copy_to_user(name, vx_new_utsname(), sizeof(*name)))
err = -EFAULT;
up_read(uts_sem);
if (!err  personality(current-personality) == PER_LINUX32) {
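Review bot: the replacement in sys32_uname() keeps sizeof(*name) as the copy length, so the read from whatever vx_new_utsname() returns is bounded by the user-side struct; a one-line comment stating that the returned per-context structure is at least that large would make the copy self-evidently safe. The call sits after down_read(uts_sem), like the ptr = vx_new_utsname() in sys32_olduname(), which is consistent. It is also worth confirming that no other direct system_utsname reads remain in this file, since none are visible in this hunk.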
@@ -1157,12 +1157,12 @@ asmlinkage int sys32_olduname(struct old
 
if (!access_ok(VERIFY_WRITE,name,sizeof(struct oldold_utsname)))
return -EFAULT;
-
+  
down_read(uts_sem);
ptr = vx_new_utsname();
error = __copy_to_user(name-sysname,ptr-sysname,__OLD_UTS_LEN);
error |= __put_user(0,name-sysname+__OLD_UTS_LEN);
-   error |= __copy_to_user(name-nodename,ptr-nodename,__OLD_UTS_LEN)
+   error |= __copy_to_user(name-nodename,ptr-nodename,__OLD_UTS_LEN);
error |= __put_user(0,name-nodename+__OLD_UTS_LEN);
error |= __copy_to_user(name-release,ptr-release,__OLD_UTS_LEN);
error |= __put_user(0,name-release+__OLD_UTS_LEN);
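Review bot: the first -/+ pair after the access_ok() check replaces an empty line with a whitespace-only line, which adds trailing whitespace and is unrelated to the fix; drop it so the hunk carries only the missing semicolon after the nodename __copy_to_user() call. Without that semicolon the statement runs into the following error |= __put_user(...) line, so this is a build fix rather than a behaviour change, and the description should say so.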


Re: [Vserver] Start-Up Scipts

2005-05-28 Thread Björn Steinbrink
On 2005.05.27 18:15:34 +0200, Oliver Welter wrote:
 Hi List,
 
 I have a little problem with vserver Start-up scripts...
 I am running Gentoo Host/Guest with 2.6.9 kernel and vserver-tools 0.30.196
 
 1) I have a vServer called wwwmain - I added a script wwwmain.sh in 
 /etc/vservers/ but it seems that this is never executed..

Then you are probably using a new style configuration, the
vservername.sh is for the old style. The flower page lists the various
start/stop script possibilities.

HTH
Björn


Re: [Vserver] [PreRelease] vs2.0-rc2

2005-05-26 Thread Björn Steinbrink
On 2005.05.26 17:22:16 +1200, Michal Ludvig wrote:
 Herbert Poetzl wrote:
  Greetings Community!
  
  a fortnight after the first one, here is the second
  release candidate for the stable 2.6 series ...
  
  http://vserver.13thfloor.at/Experimental/patch-2.6.11.10-vs2.0-rc2.diff
  http://vserver.13thfloor.at/Experimental/patch-2.6.11.10-vs2.0-rc2.diff.bz2
  
  please give it some testing, and let me know if there
  is anything which requires mending, if nothing is
  reported this might become the final 2.0 release ...
 
 And for 2.6.12-rc5:
 http://www.logix.cz/michal/devel/vserver/patch-2.6.12-rc5-vs2.0-rc2.diff

Great! Also did a port to check for differences. Of course my port has
the nr_tids++ bug again ;) The others were some comments which didn't get
removed in your patch. My patch is at:
http://www.13thfloor.at/~doener/vserver/patches/patch-2.6.12-rc5-vs2.0-rc2.diff
(Didn't get a test compile/boot yet, but I trust your port to work and
the differences are negligible in that regard [well except the nr_tids++] ;)

Btw, did you get any feedback on the nr_tids++ thing yet?

Thanks again
Björn


Re: [Vserver] vs2.0-rc1 for 2.6.12-rc4

2005-05-19 Thread Björn Steinbrink
Hi Michal!

On 2005.05.19 17:21:44 +1200, Michal Ludvig wrote:
 Hi all,
 
 for anyone interested I did a patch of VServer 2.0-rc1 for the linux
 kernel 2.6.12-rc4. Get here: http://www.logix.cz/michal/devel/vserver/

Great, looks quite good :) Updated my port from pre4 to rc1 [1] to check
for differences.
Most of the differences are due to the *_mm_counter macros, which I
modified to call the Linux-VServer accounting stuff. And some whitespace
noise (from both of us I guess, didn't check, but I know that I cause some
every now and then ;).

 It compiles, boots and runs two quite loaded vservers without problems.
 
 Most of the conflicts were quite easy to solve except for
 net/sunrpc/auth_unix.c, where some fields were removed from 'struct
 unx_cred' and I didn't know where to place 'uc_pxid'. So I omitted it
 completely (yes, I know, that's not a solution, but I don't use NFS
 anyway ;-)

Well, I also left it out, as the NFS_MOUNT_BROKEN_SUID stuff is gone in
2.6.12-rc4 ;)

 
 Another issue I had with fs/nfs/inode.c where I didn't know how to
 initialize clnt-cl_tagxid.

The handling of mount flags was moved around a bit, nfs_sb_init() is the
place where it happens now...

 
 The rest was pretty obvious and unless you use NFS on your vserver you
 should be safe to try this patch.

There are two or three other small issues, IIRC QUOTA_CTL and rss
accounting, a diff between the ports tells you more ;)

 
 Enjoy but don't complain if it wipes your disk! (you've been warned :-)

Hehe :)

I wondered about that change you did in get_tid_list:

-   tids[nr_tids] = vx_map_pid(tid);
-   nr_tids++;
+   tids[nr_tids++] = vx_map_pid(tid);
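Review bot: as quoted, the removed pair and the added line do the same thing (store at tids[nr_tids], then increment), so the excerpt does not show what the change fixes; the two only differ if the removed lines sat under an unbraced if or loop, where nr_tids++ would fall outside the body. Quote the enclosing statement with the hunk, or add braces there, so the intent is clear.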

It looks quite good I'd say, was that a known bug in 2.6.12-rc4?


Anyways, good job! Having different people (not too many ;) doing ports
can help to find flaws. (And of course Bertl doesn't have to do all the
work then ;)

Björn

[1] 
http://www.13thfloor.at/~doener/vserver/patches/patch-2.6.12-rc4-vs2.0-rc1.diff


Re: [Vserver] Official copy method?

2005-05-12 Thread Björn Steinbrink
Hello,

On 2005.05.12 07:48:27 -0600, [EMAIL PROTECTED] wrote:
 * Set up vserver barrier
 
 sudo showattr -d /vservers/vcrux02
 ---bui- /vservers/vcrux02
 sudo setattr --barrier /vservers/vcrux02
 sudo showattr -d /vservers/vcrux02
 ---Bui- /vservers/vcrux02

the barrier flag is supposed to be set on /vservers (i.e. the directory
directly above the vserver's root directory). Not sure if setting the
flag on the vserver's root itself may cause problems with 2.6 kernels.

HTH
Björn


Re: [Vserver] Summary of recent improvement discussion

2005-05-03 Thread Björn Steinbrink
OK, final try... I had a broken mail setup, please excuse my stupidity.

On 2005.05.03 17:21:36 +1200, Sam Vilain wrote:
 snip
 Bootstrapping Images
 
 The status of debootstrap and `rpmstrap' in the current utilities was
 briefly discussed, so that vservers of lots of different types could
 easily be built without installing extra utilities manually.
 
 Björn pointed out scripts/vserver-build.debootstrap in the
 util-vserver distribution.  There are also conflicts with some
 combinations of debian and rpm host vs guest building.
 
 The basic problem was agreed to be the way the tools try to install
 all the packages from the outside of the vserver, rather than the inside.
 Obviously each solution has its own benefits and disadvantages, but only
 bootstrapping the package utilities should need a packaging tool
 installed on the outer vserver - and that should be easily circumvented
 via guest images.
 /snip

I'll try to provide some further information here... The main point was
that, for example, on a debian host you're pretty limited in which build
methods you can use. apt-rpm doesn't work (at least not easily if at
all) because there are name clashes between debian's apt and apt-rpm.

What is special about the debootstrap method is that it fetches a recent
debootstrap debian package if debootstrap is not available on the host,
unpacks it and uses it to create a debian vserver, without the help of any
debian specific package management tools. This allows to create a debian
vserver on any host system. This is the reason why I pointed it out ;)

What is special about the other build methods is that the package
management of the vservers built with these build methods is actually
done outside of the vserver, thus you don't need rpm, apt, yum or
whatever inside your vserver (you can switch between internal and
external package management). But this means that you need those tools on
the host, and as I said, for example debian+apt-rpm is hard, if possible
at all (i never actually tried, but i didn't hear of any success stories
either).

What Herbert suggested was to create/modify the build-methods, so that
also rpm based vservers can be created via temporary installations of
the necessary tools, and that those vservers have internal package
management, thus allowing to build, for example, an fc3 or mandriva
based vserver on a debian host.

Björn


Re: [Vserver] kill: (1) - No such process

2005-04-26 Thread Björn Steinbrink
On 2005.04.26 12:02:11 +0200, Gilles wrote:
 Hi.
 
  You have to specify --initstyle plain when building the vserver or have
  /etc/vservers/vserver/apps/init/style contain plain.
 
 Thanks, that's the piece I was missing.  So it worked, *once* :-{
 After that on the next trials to start the vserver:
 
  # vserver phony start
  vcontext: vc_create_context(): File exists

Take a look at vserver-stat output. The init process is still running.
Somewhere between 1.9.5 and 2.0pre1 we enhanced the fakeinit support.
This included session group virtualization, but also init protection,
i.e. you can't get rid of init without kernel support. What you need to
do is sending the kill signal via vkill:
vkill --xid xid -s 9 -- 1
The tools don't do that yet, thus init will keep running. Sorry that I
didn't think of that when writing my last mail.

HTH
Björn


Re: [Vserver] kill: (1) - No such process

2005-04-26 Thread Björn Steinbrink
On 2005.04.26 12:58:04 +0200, Gilles wrote:
 Hello.
  
# vserver phony start
vcontext: vc_create_context(): File exists
  
  Take a look at vserver-stat output.
 
 # vserver-stat
 CTX   PROCVSZRSS  userTIME   sysTIMEUPTIME NAME
 0  115   0.9G 146.3K  38m18s83   1h40m52  21h55m35 root server
 
  The init process is still running.
 
 Doesn't seem so (?)
 
  Somewhere between 1.9.5 and 2.0pre1 we enhanced the fakeinit support.
  This included session group virtualization, but also init protection,
  i.e. you can't get rid of init without kernel support. What you need to
  do is sending the kill signal via vkill:
  vkill --xid xid -s 9 -- 1
  The tools don't do that yet, thus init will keep running. Sorry that I
  didn't think of that when writing my last mail.
 
 # cat phony/context
 99
 
 # vkill --xid 99 -s 9 -- 1
 vkill: vc_ctx_kill(): No such process
 
 :-(

Hm, strange... A socket hanging around should be gone by now... What
does /proc/virtual/99/status say?
Or maybe the good old proc keeps my context annoyance is back?
mount -o remount /proc should help in this case.

Björn


Re: [Vserver] kill: (1) - No such process

2005-04-25 Thread Björn Steinbrink
On 2005.04.26 00:38:48 +0200, Gilles wrote:
 Hello.
 
should work fine with a real init running inside
the vserver and might work with just the fake
blend through too ... 
 
PS: I assume you are using 2.6.11.7-vs2.0-pre1 ;)
   
   Euh, no: 2.6.11-vs1.9.5-rc1
   Should I upgrade before expecting it to work?
 
 So, I did upgrade just in case. Now:
 
 util-vserver (Debian package) version: 0.30.206-3
 (vanilla) kernel 2.6.11.7-vs2.0-pre2+g1
 
 vserver phony was built with the command:
 
 vserver phony build -m debootstrap --hostname phony.harfang.homelinux.org  
 --netdev dummy0 --interface 192.168.83.99/24 -- -d sarge -m 
 ftp://ftp.belnet.be/debian/ -- 
 --exclude=pciutils,fdutils,ipchains,makedev,ppp,pppconfig,pppoe,pppoeconf,dhcp-client,console-common,console-data,console-tools,klogd,sysklogd,nvi,base-config,telnet,iptables,syslinux,pcmcia-cs,e2fsprogs,e2fslibs,libgnutls10
  --include=less,ssh
 [...]
 phony:~# ps ax
   PID TTY  STAT   TIME COMMAND
 13561 ?S  0:00 /usr/sbin/nullmailer-send -d
 13567 ?Ss 0:00 /usr/sbin/sshd
 13576 ?Rs 0:00 sshd: [EMAIL PROTECTED]/3
 13581 pts/3Ss 0:00 -bash
 13585 pts/3R+ 0:00 ps ax
 
 No init process :-(
 
 
 What am I doing wrong?

As you did not specify an initstyle, sysv is used. That means that to
start a vserver /etc/init.d/rc runlevel (3 by default IIRC) is called.
If you want your vserver to be started with an own init process, use
plain initstyle instead.
You have to specify --initstyle plain when building the vserver or have
/etc/vservers/vserver/apps/init/style contain plain.

For the fake blend through that Bertl mentioned, I've seen such code
when having a look at 2.4.20-vs1.2.10 today, but don't remember seeing
anything like that with 2.6 kernels. But maybe I just didn't look at the
right places yet... ;)

HTH
Björn


Re: [Vserver] set id script with vserver

2005-04-21 Thread Björn Steinbrink
On 2005.04.20 21:22:10 +0200, william Famy wrote:
 i try to run a set-id script (chmod 0755) but when i execute it i have
 the following error.
 YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!
 FIX YOUR KERNEL, PUT A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP!
 
 My configuration 2.6.9
 patch 1.9.3
 util-vserver 0.30.204-4 (debian package)
 new config method (the rep one flower page)
 
 everything works great except this error.

According to google this seems to be a perl issue, see
http://qmail-scanner.sourceforge.net/FAQ.php
btw, did you mean chmod 4755? 0755 would not set the setuid bit.

HTH
Björn


Re: [Vserver] Debian kernelpackage with vserver-patch applied?

2004-11-09 Thread Björn Steinbrink
On Mon, 8 Nov 2004 11:05:00 + (UTC)
Jesper Krogh [EMAIL PROTECTED] wrote:

 Hi. 
 
 I'd really like to test this vserver thing out, but currently it
 clashes with my policy of only installing things through the packages
 system on my computers. 
 
 Is there someone who builds Debian kernel-packages with the
 vserverpatch included?

You can easily create a kernel package using make-kpkg, see:
http://www.desktop-linux.net/debkernel.htm
Use vanilla sources instead of debian sources (i.e. forget about step 1
and 2 and download the sources from kernel.org instead).

For the alpha util-vserver (the tools available from the debian
repository are not recommended for the 2.6 branch) you could use something
like checkinstall to create a debian package, but they come with an
uninstall make target, so you can remove them anyways.

HTH
Bjoern


Re: [Vserver] Best backup of tagxid?

2004-11-09 Thread Björn Steinbrink
On Tue, 9 Nov 2004 12:56:32 -0500 (EST)
Gregory (Grisha) Trubetskoy [EMAIL PROTECTED] wrote:

 
 On Tue, 9 Nov 2004, Björn Steinbrink wrote:
 
  On Tue, 9 Nov 2004 12:01:33 -0500 (EST)
  Gregory (Grisha) Trubetskoy [EMAIL PROTECTED] wrote:
 
  I don't see any reason why it should behave like that, would only
  cause trouble. Example: xid 10 is limited to 500MB and has 300MB in
  use. xid 0 deletes some 50MB file. Now there are files worth 250MB,
  but still the kernel assumes that 300MB are in use.
 
 I think this is fine. There is no way for context 0 to up the counter
 for another context (even chxid won't increment it), by the same token
 it seems more consistent if there would be no way to decrement it
 either.
 
  Where's the sense behind that? You would have to adapt the usage
  statistics every now and then.
 
 You'll just have to be mindful of this, and make sure to switch into a
 context when deleting files if you want the counter to be updated. The
 disk limits are volatile anyway (you have to set them upon bootup),
 so it's not like it is something that is an unattended operation in
 the first place.
 
 The upside of this is that there are no special mount options that
 make things like backups difficult.

What about unification? You normally don't want the unified files to
lower the usage values upon removal of those files, since actually no
space is freed. You could of course say that you simply account
everything below /path/to/vserver for context X, but then you would have
to update the statistics for all vservers that use unified files upon an
update of the unified files.

Bjoern


[Vserver] Don't use my clean-namespace script!

2004-11-05 Thread Björn Steinbrink
On Fri, 5 Nov 2004 03:51:31 +0100
Björn Steinbrink [EMAIL PROTECTED] wrote:

  why not do it this way:
  
   1. get a new namespace
   2. create the vfsmount (for example via --bind)
   3. pivot_root (or similar, maybe new cmd?) to the vfsmount
   4. cleanup the namespace (remove host stuff)
   5. do all required/listed mounts inside that namespace
   6. create the context
  
 
 I've found an easy way to get a clean namespace using lazy mounts. A
 short bash script + description can be found at
 http://doener.homeip.net/doener/vserver/
 (be careful with that, it's just a quick hack!)
 
 Pros:
 Mounting of the whole vserver mount tree happens using host tools.
 No / overlay mount.
 Namespace is completely clean, not even the rootfs mount is there.
 chdir(..) trick is not possible (dunno about fd exchange).
 Should be easy to integrate with the current alpha tools.
 
 Cons:
 chroot(1) must not be on a separate partition.
 Once inside the namespace currently there's no access to the host's
 binaries (i'm working on that, maybe i can do something with
 vc_set_namespace/vc_enter_namespace...)
 [whatever you dislike about it/i missed]
 

HUGE con:
It seems to create stale mounts that are completely out of reach and
cannot be unmounted without a reboot. The problem is this:
mount -n --bind $2 $2
cd $2
umount -n -l $2
mount -n -t proc none tmp

after cd $2 our pwdmnt is the bind'ed mount. Then that mount is
unmounted. It is instantly detached and thus there's no reference to it
in the namespace anymore. Once we change our pwd above that mount, it's
out of reach. Normally, it would be unmounted now and everything's fine.
But in our case, we mount something below this unreachable mount. Thus
the mount is busy and can't be unmounted after we left it. 
So we lost any reference to the bind mount and to the proc mount on the
bind mount and so we have no way to unmount it.
Even if we do this in another namespace, the stale mounts will never go
away, since on namespace destruction, mounts are searched starting from
the root mount, and from there no way leads to our problematic mounts.

Question: Could this be considered a kernel bug? I'd say the kernel
should take care so that you're unable to create such a situation.

Bjoern


Re: [Vserver] Casual, naïve implementation of namespace cleanup

2004-11-04 Thread Björn Steinbrink
 why not do it this way:
 
  1. get a new namespace
  2. create the vfsmount (for example via --bind)
  3. pivot_root (or similar, maybe new cmd?) to the vfsmount
  4. cleanup the namespace (remove host stuff)
  5. do all required/listed mounts inside that namespace
  6. create the context
 

I've found an easy way to get a clean namespace using lazy mounts. A
short bash script + description can be found at
http://doener.homeip.net/doener/vserver/
(be careful with that, it's just a quick hack!)

Pros:
Mounting of the whole vserver mount tree happens using host tools.
No / overlay mount.
Namespace is completely clean, not even the rootfs mount is there.
chdir(..) trick is not possible (dunno about fd exchange).
Should be easy to integrate with the current alpha tools.

Cons:
chroot(1) must not be on a separate partition.
Once inside the namespace currently there's no access to the host's
binaries (i'm working on that, maybe i can do something with
vc_set_namespace/vc_enter_namespace...)
[whatever you dislike about it/i missed]

Comments are welcome.

Bjoern


Re: [Vserver] EBUSY on rmdir of a previous mount point with namespaces

2004-10-28 Thread Björn Steinbrink
On Fri, 29 Oct 2004 12:10:04 +1300
Sam Vilain [EMAIL PROTECTED] wrote:

 Found that tricky can't-remove-the-mount-point bug.
 
 clunker:/vservers# mkdir compileit
 clunker:/vservers# grep compileit /etc/fstab
 /dev/clunker/compileit  /vservers/compileit ext3defaults 1 2
 clunker:/vservers# mount compileit/
 kclunker:/vservers# journald starting.  Commit interval 5 seconds
 EXT3 FS on dm-1, internal journal
 EXT3-fs: mounted filesystem with ordered data mode.
 vserver bind start
 Mounting shadow filesystems for bind
 Starting system log daemon: syslogd.
 Starting kernel log daemon: klogd.
 Starting domain name service: named.
 clunker:/vservers# vserver bind exec grep comp /proc/mounts
 clunker:/vservers# grep comp /proc/mounts
 /dev/clunker/compileit /vservers/compileit ext3 rw 0 0
 clunker:/vservers# vserver bind exec cat /proc/mounts
 clunker:/vservers# umount compileit
 clunker:/vservers# rmdir compileit
 rmdir: `compileit': Device or resource busy
 clunker:/vservers# vserver bind stop
 Sending all processes the TERM signal...done.
 Sending all processes the KILL signal...done.
 clunker:/vservers# rmdir compileit/
 clunker:/vservers#
 
 Look!  It works with tmpfs, too!
 
 clunker:/vservers# mkdir foo
 clunker:/vservers# mount -t tmpfs none foo
 clunker:/vservers# vserver bind start
 Mounting shadow filesystems for bind
 Starting system log daemon: syslogd.
 Starting kernel log daemon: klogd.
 Starting domain name service: named.
 clunker:/vservers# umount foo
 clunker:/vservers# rmdir foo
 rmdir: `foo': Device or resource busy
 clunker:/vservers# vserver bind stop
 Sending all processes the TERM signal...done.
 Sending all processes the KILL signal...done.
 clunker:/vservers# rmdir foo
 clunker:/vservers#
 
 This really shouldn't happen for mount points which are entirely
 outside the chroot of the new namespace, but I think this may be
 another point of our `chroot/pivot_root/vnamespace/mount
 --rbind/chcontext' chicken, egg, rooster, barn and farmer problem.

Yes, you mounted something on 'foo' before starting the vserver, so that
mount will also be in the vserver's namespace (but of course you can't
reach it from inside the vserver because of the chroot). Once we're able
to cleanup the namespace, this problem will be gone.

 
 For mount points which are *inside* the chroot, is this a bug or a
 feature?  Is it possible to have a filesystem mounted on a path in one
 namespace, then remove the underlying directory?
 

AFAICT this is not possible. You share the actual filesystems between
the namespaces, so removing 'foo' in namespace A would also remove it in
namespace B (just because you remove it from the filesystem, not from
the namespace). Now if in namespace B 'foo' is a mountpoint you would
have a hard time accessing the mounted filesystem. ;-) Therefore you
can't remove that directory.

HTH
Bjoern


[Vserver] [PATCH] 2.6.9-final-vs1.9.3-rc3

2004-10-18 Thread Björn Steinbrink
Hi,

I've adapted the 1.9.3-rc3 patch to the changed process start time
accounting in 2.6.9-final. The attached patch is against a 2.6.9-final
source tree with the 2.6.9-rc4-vs1.9.3-rc3 patch applied using the -F0
parameter (thanks Sam! :).

Bjoern
diff -NurpP --minimal linux-2.6.9-final-bertl/fs/proc/array.c 
linux-2.6.9-final-vs1.9.3-rc3/fs/proc/array.c
--- linux-2.6.9-final-bertl/fs/proc/array.c 2004-10-18 23:41:51.0 +0200
+++ linux-2.6.9-final-vs1.9.3-rc3/fs/proc/array.c   2004-10-18 05:24:24.0 
+0200
@@ -351,7 +351,7 @@ int proc_pid_stat(struct task_struct *ta
 {
unsigned long vsize, eip, esp, wchan;
long priority, nice;
-   unsigned long long bias_jiffies;
+   unsigned long long bias_uptime = 0;
int tty_pgrp = -1, tty_nr = 0;
sigset_t sigign, sigcatch;
char state;
@@ -396,12 +396,9 @@ int proc_pid_stat(struct task_struct *ta
cutime = task-signal-cutime;
cstime = task-signal-cstime;
}
-   bias_jiffies = INITIAL_JIFFIES;
if (task_vx_flags(task, VXF_VIRT_UPTIME, 0)) {
-   bias_jiffies = task-vx_info-cvirt.bias_jiffies;
-   /* hmm, do we need that? */
-   if (bias_jiffies  task-start_time)
-   bias_jiffies = task-start_time;
+   bias_uptime = task-vx_info-cvirt.bias_uptime.tv_sec * NSEC_PER_SEC 
+   + task-vx_info-cvirt.bias_uptime.tv_nsec;
}
read_unlock(tasklist_lock);
 
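Review bot: The `bias_uptime` assignment multiplies `cvirt.bias_uptime.tv_sec` by `NSEC_PER_SEC` without widening it first, while the `start_time` computation further down in the same function casts `tv_sec` to `unsigned long long` before the multiply. Where `tv_sec` is a 32-bit type the product wraps before it is stored in the 64-bit `bias_uptime`, so apply the same cast here.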
@@ -411,7 +408,10 @@ int proc_pid_stat(struct task_struct *ta
nice = task_nice(task);
 
read_lock(tasklist_lock);
-   ppid = task-pid ? task-real_parent-pid : 0;
+   pid = vx_info_map_pid(task-vx_info, task-pid);
+   ppid = (!(pid  1)) ? 0 :
+   vx_info_map_pid(task-vx_info, task-real_parent-pid);
+   pgid = vx_info_map_pid(task-vx_info, pgid);
read_unlock(tasklist_lock);
 
/* Temporary variable needed for gcc-2.96 */
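Review bot: The `pid`, `ppid` and `pgid` mapping through `vx_info_map_pid()` in this hunk is not covered by the description, which only mentions the changed process start time accounting. Either say in the description why it belongs to this adaptation or split it out, and add a short comment on why `ppid` is now forced to 0 based on the mapped `pid` rather than on `task->pid` as before.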
@@ -419,12 +419,12 @@ int proc_pid_stat(struct task_struct *ta
start_time = (unsigned long long)task-start_time.tv_sec * NSEC_PER_SEC
+ task-start_time.tv_nsec;
/* convert nsec - ticks */
-   start_time = nsec_to_clock_t(start_time);
+   start_time = nsec_to_clock_t(start_time - bias_uptime);
 
res = sprintf(buffer,%d (%s) %c %d %d %d %d %d %lu %lu \
 %lu %lu %lu %lu %lu %ld %ld %ld %ld %d %ld %llu %lu %ld %lu %lu %lu %lu %lu \
 %lu %lu %lu %lu %lu %lu %lu %lu %d %d %lu %lu\n,
-   task-pid,
+   pid,
tcomm,
state,
ppid,
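Review bot: `start_time - bias_uptime` in the `nsec_to_clock_t()` call has no lower bound, and the earlier hunk dropped the clamp that kept the bias from exceeding `task->start_time`. Since `bias_uptime` is `unsigned long long`, a task whose start time is earlier than the context's bias yields a wrapped, very large value in the stat output. Keep a check before subtracting, for example by limiting `bias_uptime` to the task's start time.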
diff -NurpP --minimal linux-2.6.9-final-bertl/include/linux/vserver/cvirt.h 
linux-2.6.9-final-vs1.9.3-rc3/include/linux/vserver/cvirt.h
--- linux-2.6.9-final-bertl/include/linux/vserver/cvirt.h   2004-10-18 
23:41:51.0 +0200
+++ linux-2.6.9-final-vs1.9.3-rc3/include/linux/vserver/cvirt.h 2004-10-18 
05:33:46.0 +0200
@@ -21,7 +21,7 @@ struct _vx_cvirt {
uint32_t onhold_last;   /* jiffies when put on hold */
 
struct timespec bias_idle;
-   uint64_t bias_jiffies;  /* context creation point */
+   struct timespec bias_uptime;/* context creation point */
 
struct new_utsname utsname;
 
@@ -62,7 +62,7 @@ static inline void vx_info_init_cvirt(st
 {
uint64_t idle_jiffies = vx_idle_jiffies();
 
-   cvirt-bias_jiffies = get_jiffies_64();
+   do_posix_clock_monotonic_gettime(cvirt-bias_uptime);
jiffies_to_timespec(idle_jiffies, cvirt-bias_idle);
atomic_set(cvirt-nr_threads, 0);
atomic_set(cvirt-nr_running, 0);
@@ -121,7 +121,9 @@ static inline int vx_info_proc_cvirt(str
int a, b, c;
 
length += sprintf(buffer + length,
-   BiasJiffies:\t%lld\n, (long long int)cvirt-bias_jiffies);
+   BiasUptime:\t%lu.%02lu\n, 
+   (unsigned long)cvirt-bias_uptime.tv_sec,
+   (cvirt-bias_uptime.tv_nsec / (NSEC_PER_SEC / 100)));
length += sprintf(buffer + length,
SysName:\t%.*s\n
NodeName:\t%.*s\n
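Review bot: The hundredths value passed for `%02lu` in the `BiasUptime` line is an uncast `tv_nsec` expression, while `tv_sec` on the line before is cast to `unsigned long`; cast it as well so both arguments match their format. The key also changes from `BiasJiffies` to `BiasUptime` with a different unit, which affects anything parsing this output, so the description should mention it.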
diff -NurpP --minimal linux-2.6.9-final-bertl/kernel/vserver/cvirt.c 
linux-2.6.9-final-vs1.9.3-rc3/kernel/vserver/cvirt.c
--- linux-2.6.9-final-bertl/kernel/vserver/cvirt.c  2004-10-18 23:41:51.0 
+0200
+++ linux-2.6.9-final-vs1.9.3-rc3/kernel/vserver/cvirt.c2004-10-18 
05:13:35.0 +0200
@@ -24,13 +24,10 @@
 void vx_vsi_uptime(struct timespec *uptime, struct timespec *idle)
 {
struct vx_info *vxi = current-vx_info;
-   struct timeval bias;
-
-   jiffies_to_timeval(vxi-cvirt.bias_jiffies - INITIAL_JIFFIES, bias);
 
set_normalized_timespec(uptime,
-   uptime-tv_sec - bias.tv_sec,
-   uptime-tv_nsec - bias.tv_usec*1000);
+   uptime-tv_sec - vxi-cvirt.bias_uptime.tv_sec,
+   uptime-tv_nsec - 

Re: [Vserver] Bringing down vsever brings down _all_ interfaces

2004-10-13 Thread Björn Steinbrink
On Wed, 13 Oct 2004 13:39:53 +1000
David MacKinnon wrote:

 Just ran into this today on some new servers I'm setting up.
 
 util-vserver 0.30.195 (but it happened with 190 as well)
 vserver 2.6 patch 1.9.2 on 2.6.8.1 (with dm/drbd and nfs patches)
 
 When I stop _any_ vserver, it brings down _both_ eth0 and eth1
 (leaving only lo up).
 
 This happens with vservers on the same subnet as the host, or on 
 completely different networks.
 
 I haven't come across this before, I have another box with 2.6.8 + 
 vs1.9.2 (no other patches) with util-vserver 0.30.190 that doesn't 
 exhibit this behaviour. Copying the config from this working machine 
 doesn't help at all.
 
 Anyone come across this before? I suppose I'll try stripping out other
 kernel patches, but I'm not wonderfully hopeful.

Did you build your kernel with CONFIG_SECURITY enabled? If so, make sure
that you also enabled CONFIG_SECURITY_CAPABILITIES and that the module
is loaded if it was built as a module. Otherwise the default capability
handling is disabled and your vserver is therefore allowed to
remove the interfaces.

HTH
Bjoern
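
The check described in the reply above, as an added shell example that is not part of the original post or of Linux-VServer. The function names, the state strings and the module name `capability` in the modules list are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Report whether capability handling is active for a kernel built from
# CONFIG_FILE. MODULES_FILE defaults to /proc/modules.
# States: ok-no-lsm, ok-builtin, ok-module-loaded (return 0);
#         missing-module, disabled (return 1).
check_capability_lsm() {
    config=$1
    modules=${2:-/proc/modules}
    security=$(config_value CONFIG_SECURITY "$config")
    caps=$(config_value CONFIG_SECURITY_CAPABILITIES "$config")

    if [ -z "$security" ]; then
        echo ok-no-lsm      # no LSM framework: default capability checks apply
        return 0
    fi
    case $caps in
        y) echo ok-builtin; return 0 ;;
        m) # Assumption: the module is listed as "capability" when loaded
           if grep -q '^capability ' "$modules" 2>/dev/null; then
               echo ok-module-loaded; return 0
           fi
           echo missing-module; return 1 ;;
        *) echo disabled; return 1 ;;
    esac
}

# Print y or m for an enabled option, nothing for unset / "is not set".
config_value() {
    sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1
}

# Constructed sample: CONFIG_SECURITY on, capabilities option not set.
demo() {
    dir=$(mktemp -d) || return 0
    printf 'CONFIG_SECURITY=y\n# CONFIG_SECURITY_CAPABILITIES is not set\n' \
        > "$dir/config"
    : > "$dir/modules"
    state=$(check_capability_lsm "$dir/config" "$dir/modules") || true
    echo "constructed config: $state"
    rm -rf "$dir"
}
demo
```

On a real host, pass the config the running kernel was built from; a result of `missing-module` or `disabled` matches the situation in which a guest is allowed to remove the host's interfaces.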


Re: [Vserver] Sudo in a vserver

2004-10-07 Thread Björn Steinbrink
On Fri, 01 Oct 2004 02:00:27 -0700
Liam Helmer wrote:

 I thought I was going crazy... but, I've found I can trivially
 reproduce this bug. It's to do with chbind and the new 2.6.x kernels.
 
 The bug applies, for certain, to:
 VS 1.9.2/2.6.8.1
 with vserver-utils 0.30.190, 0.29.214, or 0.29
 
 It definitely does not occur in vserver 1.2.7 with utils 0.2.9.
 
 to reproduce this, run:
 
 in any vserver:
 sudo 
 
 on the main server:
 chbind sudo
 
 Basically, what happens is that sudo aborts with no error message
 other than Aborted. I've attached an strace if anyone's interested
 (and, presuming it's allowed on the mailing list). I'm more curious
 than anything else, as there are workarounds for this (such as ssh with
 keys, etc), but sudo can be convenient sometimes.

This happens only if you have an IPv6 address on an interface not visible
within the vserver, because of a bad assumption of some netlink code in
the glibc. This is fixed in recent versions of linux-vserver by hiding
the IPv6 stuff. If you don't want to upgrade you can simply remove the
IPv6 addresses from the interfaces not visible in the vserver (most of
the time this means lo).


Bjoern