IRC Archive / Oftc / #vserver / 2010 / February / 23 / 1
harry
g'night
Chlorek
hm
Bertl sleeping now
anyone alive?
i have an error
http203://c.sed.pl/err
anybody knows what is wrong?
daniel_hozac
what's the actual URL?
Chlorek
http203://c.sed.pl/err
hm
hm hm
something recode :: to 203:
daniel_hozac
you can't strace across context switches.
what's your problem exactly?
Chlorek
vcontext: execvp("/usr/sbin/vspace"): Permission denied
when i starting all my vservers
daniel_hozac
and /usr/sbin/vspace has exec permission?
Chlorek
yes
daniel_hozac
do you have grsec or similar?
Chlorek
yes, i have grsecurity
but it works early
daniel_hozac
i guess you have something in dmesg then?
Chlorek
vxW: [ývcontextý,6325:#3|3|3] did hit the barrier.
daniel_hozac
do you have a barrier on / or something?
Chlorek
but i set barrier for /
ok, i'll ask Bertl tomorrow
bye ;)
cehteh
hmpf setting up a network card which should acquire its ip from a dhcp (openvpn) inside a vserver is a bit pain ..
incd
Hmm, I made a new vserver guest, it doesn't want to change its netmask/broadcast to right ones
It has the same values that the first vserver has, except IP
daniel_hozac
how did you make it?
incd
http://linux-vserver.org/Building_Guest_Systems#Building_guests_using_the_clone_build_method
Changed IP's after cloning.
daniel_hozac
so your command was what?
incd
daniel_hozac: yea :)
Bertl
morning folks!
daniel_hozac
that was not a yes/no question :-)
Bertl
who is maintaining 'yea' :)
petzsch
sounds like a new web2.0 tool no one needs ;-)
morning folks
incd
daniel_hozac: sorry :) vserver mail build -m clone --hostname mail.xxx.fi --interface eth0:81.175.xxx.xxx/24 --initstyle gentoo -- --source /vservers/www1
was the command
Bertl: Now with "vserver-info" version 0.30.216-pre2880 with 2.6.32 doesn't hang up the server :)
It just says "Killed"
*vserver-stat
Bertl
what util-vserver version?
incd
Kernel: 2.6.32.8-vs2.3.0.36.29.1 and util-vserver: 0.30.216-pre2880; Feb 22 2010, 09:30:12
Bertl
looks good, probably the guest (gentoo) is confused
incd
Yea
Bertl
there was a magic line to fix that, IIRC it should be on the wiki, if not, I think daniel_hozac will remember
incd
Anyways, can't get correct netmask/broadcast for my new guest. :/
Bertl
maybe the ip is already configured on the host?
(after the guest 'died', with the wrong mask)
in this case, remove it manually on the host with 'ip a del ...'
incd
or datacenter has bad routing yet again, I'll try the IP with a host that is known working, etc :p
marcin
Hi, can someone help me? I'm using Debian Lenny with default package linux-image-vserver. Take a look: http://pastebin.org/95734
I'm using: 2.6.26-1-vserver-amd64
ghislain
marcin: debian packages are too old for using cgroup
you should use beng packages for that
or compile from source
marcin
ghislain: too old? So in this way, I should do kernel upgrade to newer version? What are beng packages?
ghislain
yes cgroup is vserver 2.3, you want to use cgroup isn't it ?
vserver 2.3 requires newest kernels and latest util-vserver tools not available in the debian repository.
bobnormal
i have to have a DNS server running on my VServer host, but i want to run one in a guest as well. will a combination of certain nflags and 127.x.y.z-binding in one or both of the host and guest allow for this? otherwise how can i achieve it?
Bertl
what's the problem?
bobnormal
basically when i try to bind UDP port 53 in the guest on 127.0.0.2 for example it fails with 'port in use' since the host is using it .. so im playing with various nflags etc. and 127.0.0.<something-not-1> binding to see if its possible to work around
i know with some configs i've previously seen 127.something.not.001 in guests
perhaps if i disable the right flags i can bind to that specifically within the guest to solve?
Bertl
why would you want to bind 127.0.0.2?
I mean, don't get me wrong, you can do that, but I'm not sure what you want to accomplish?
bobnormal
i want to host a DNS server within a vserver, however my annoying CTO has mandated all environments must have their own recursive DNS server running to prohibit interdependencies in case of dns server failure
which therefore includes the vserver host
Bertl
okay?
bobnormal
havent got it working yet, perhaps bind options for host-environment DNS != specific ip
aha, possibly nameserver 127.0.0.1:1234 might work
in /etc/resolv.conf
nope seems unsupported in linux, OSX supports it though
Bertl
well, you certainly have a host IP, and your guest will have a public? IP too, yes?
bobnormal
no, host will forward the port
Bertl
but to a guest IP, no?
bobnormal
yes.
Bertl
so, the only thing you need 127.x for dns then is the control port (to start and stop it)
i.e. you make sure the guest has single_ip disabled, and the lback stuff enabled, then you can simply start bind inside the guest including the control port
it will then be available on <guest-ip>:DNS
bobnormal
ok i will try that now, thanks.
Bertl
on the host, all you need to do is to restrict bind to the public? IP you want to use (host wise)
bobnormal
ahh no
the host needs to localhost bind only
its a service for itself only
Bertl
even better then
bobnormal
ok let me try :)
with single_ip disabled, the guest will have to bind specifically to its allocated guest IP, correct? ie: 0.0.0.0 bind will not remap
Bertl
0.0.0.0 will be mapped to the guest IP(s)
bobnormal
ok
will try before asking any more questions :)
host is running unbound dns daemon lsof verifies localhost:domain bind. guest nflags from nattribute --get are 'lock.lback_remap,lback_allow,hide_netif,hide_lback,state_admin'. guest starts pdns (powerdns) daemon and reports "binding UDP socket to '0.0.0.0' port 53: Address already in use"
argh my bad. unfamiliar with pdns syntax. sorry. :) looks like it's working.
Bertl
good :)
bobnormal
yep! :) next stop, globally distributed vserver-lockdown pdns nameserver with dynamic geoip+dynamic backend-failure-detecting resolution style! :P
or at least, 2x continents within the year
now just gotta sort that horrid mysql replication out ...
Bertl
nap attack .. bbl
_Shiva_
OT: is there a source for recommended hardware to be used in high throughput storage systems..? i.e SAS-controllers other than LSI/mega_sas based..? i think that PERC/6e can't handle my current iops..
Psy0rz
is it true that normally the userspace tools and config doesnt change with a new vserver update? i went from 2.2 to 2.3.
harry
yesh
Psy0rz
oki :)
everything SEEMS to be ok for now :0
when will 2.3 be renamed to stable? its more stable than "stable" already,right?
jpic
hi, what does that mean please? http://dpaste.com/163548/
Psy0rz
when something listens on a tcpport, on 0.0.0.0, is it true it wont listen on 127.0.0.1 automatically?
harry
jpic: do you have a vserver guest running with the same context id already?
bobnormal
_shiva_: storage is a world unto itself :) very complex once you pass a certain point .. we do video .. much hassle. vserver > * for iops
jpic
harry: i think not
harry: there are two vservers with no names running actually: http://dpaste.com/163551/ the second one has the same context ... is it fixable without reboot?
harry
sure
vkill
vps to see what processes are running in that context
then vkill to kill those
Psy0rz
i want a virtual loopback device for my vserver? do i use LBACK_REMAP to get that?
or is that unsafe
jpic
what version of vps allows to list the processes of a context?
harry
Psy0rz: it's safe afaik
jpic: man vps ?
jpic
i figured with vps -A | grep, thanks! i think we should upgrade vserver-utils because our man vps is not really helpful
harry
what version are you running?
just run the latest one... 216 something :)
jpic
Latest version available: 0.30.216_pre2864
Latest version installed: 0.30.216_pre2849
bobnormal
jpic: i use htop .. if you just want pids, if you have cgroups you can cat /dev/cgroup/<vserver-name>/tasks
harry
jpic: that would be "late enough" :)
Psy0rz
why does util-vserver have a crypto api?
Bertl
back now ...
_Shiva_
bobnormal: i think i've found the problem on the Perc that causes controller resets on heavy I/O .. ;-) the queue w/i the controller seems to be limited to 1008 cmds.. but it's configured to be a JBOD for 15 disks which all have nr_requests 128 from the Kernel.. which may cause a queue overflow on heavy I/O - doh!
Bertl
nice controller :)
_Shiva_
Bertl: that's why i asked about alternatives ;-)
Bertl
depends on the usage pattern, in many cases software raid is superior to hardware raid setups
_Shiva_
Bertl: ..that's why it's configured as JBOD ;-)
Bertl
in some cases a hardware raid setup is better suited
_Shiva_
Bertl: actually, it has each disk configured as a single RAID-0.. as the controller does not know anything about jbos..
jbod
Bertl
hehe, yeah, probably this controller is one of those better used as HW raid if at all
Psy0rz
how can i make a process that does listens on 0.0.0.0, also make listening on 127.0.0.1?
without changing anything inside the guest
Bertl
by actually having a 127.0.0.1 inside the guest
i.e. most likely your guest has the single_ip special casing enabled
and a single IP assigned, try to put ~single_ip in nflags and restart the guest
Psy0rz
ah that disables it
i do actually have a lo with 127.0.01
somehow :D
Bertl
for this particular guest, yes
Psy0rz
is it safe?
Bertl
it is fine, just a little more overhead
Psy0rz
just like my manager ;)
so with:
LBACK_REMAP
~single_ip
it almost feels like a native linux box? :)
with everything working like expected, being secure, and not influencing the host when listening on a port etc?
so if i ping to 127.0.0.1, will it go through the iptables input chain and how will it look?
Bertl
it will be shown as 127.x.y.1 (according to the lback setup)
it will go over 'lo' and will get the reply over 'lo' too
Psy0rz
ikk
k
thanks
very nice :)
so why is 2.3 still experimental?
i read somewhere its better in some ways than 2.2
Bertl
it has more features, but they are not stabilized yet
we planned to get that done till end of the month, but I doubt I'll find the time, but there is some progress
feel free to join and help
Psy0rz
ah k
i'm helping by putting it in production now :D
with a 2.6.27 kernel
Bertl
let us know how it goes and report back any issues you encounter
make sure to test them against a recent kernel though :)
Psy0rz
of course i will :)
well we use 2.6.27 because its long time supported
with patches
Bertl
sure, np, I guess 2.6.31 will get long-term support too
Psy0rz
hope so
the normal kernels are impossible to track for a distro maintainer :)
with all the 3rd party modules and stuff
_Shiva_
Bertl: hum? thought gregkh said 2.6.32 would be LTS?
Psy0rz
any version would do :)
last we used was 2.6.16
and now we went to 2.6.27
hope it still stays a while
explicitly: "Today the last 2.6.31-stable kernel was released, all users of this kernel series are strongly encouraged to switch to the 2.6.32 kernel series, as there will not be any more updates for this branch in the future."
Psy0rz
so if i use iptables -IINPUT -i lo -jACCEPT in the mainserver, i'm still safe with 2.3?
Bertl
_Shiva_: well, if the performance regressions and stability issues I saw with 2.6.32 remain an the recent kernel patches, there will be a long term maintained 2.6.31 :)
_Shiva_
Bertl: maybe it more like: "we aim at 2.6.32 to be LTS and ditch 2.6.31... all of you, please switch to 2.6.32 to help fixing regression and stability issues on a much broader userbase" ;-)
alas, it's a pity that they do not aim at 2.6.33.. to have i.e. DRBD in mainline support..
Bertl
is drbd finally stable?
Psy0rz
drbd8?
morfoh
moin moin
_Shiva_
Bertl: drbd is/will be in 2.6.33 mainline
geb
<Bertl> is drbd finally stable?
especially on debian :p