#ubuntu-directory 2006-10-26
* Starting logfile irclogs/ubuntu-directory.log
* Fujitsu welcomes ubuntulog.
(Fujitsu/#ubuntu-directory) Thanks fabbione :)
(fabbione/#ubuntu-directory) no problem
(ajmitch/#ubuntu-directory) thanks
<fabbione> ok it works
<fabbione> logs will start to appear on the web within the next hour or so
<fabbione> have fun
<ajmitch> so watch what you say from now on :P
<lophyte> morning all
<wasabi> morning
<lophyte> how's it going?
<wasabi> https://wiki.ubuntu.com/NetworkAuthentication/ScratchPad/Client  <-- proofread
<wasabi> me->work
<lophyte> I'll take a look in a bit..rebooting, brb
<lophyte> ergh.. can't get Xen set up
<wasabi_> sux
<Burgwork> wasabi_: very wordy
<Burgwork> might want to cut it down a little
<lophyte> Burgwork: know where I can find some info on getting Xen on edgy running?
<lophyte> I can't find anything useful
<Burgwork> lophyte: no idea
<lophyte> dang..
<Burgwork> wasabi_: here is what I would do. Move all that wordy-ness into the wordy sections, like use cases
<Burgwork> the implementation and scope should be point form with very small paragraphs
<Burgwork> whiprush: if you don't post to ubuntu-devel about ubuntu-directory by 5pm PDT, I am doing it
<wasabi_> Burgwork: I'm writing something up that will be linked from a blog/u-d post
<wasabi_> Something for people to read.
<Burgwork> much too wordy, even for that
<Burgwork> you also need a better intro
<wasabi_> Heh.
<wasabi_> This also in a way helps me.
<wasabi_> Get the ideas fully formed.
<Burgwork> tbh, I get bored into the first para
<Burgwork> and I care about this stuff
<Burgwork> first tell about the high level, then get into the details
<Burgwork> with small paragraphs, one with each idea
<wasabi_> I have a feeling Mark will like this anyways, being a business guy.
<Burgwork> I am not talking about mark
<Burgwork> I am talking about the rest of the world
<Burgwork> I don't see a plan to action there
<Burgwork> which packages are going to change, etc.
<wasabi_> TO BE CONTINUED
<Burgwork> it is already too long
<robertj_> btw, is Mark still expanding Canonical? Scope keeps increasing, is staff keeping up?
<Burgwork> yes, he is
<Burgwork> see ubuntu.com/employment
<robertj_> Burgwork: is the strategy to replace old maintainers so they can work on new things?
<Burgwork> all the moz, kernel, x people?
<Burgwork> no, it is more, now we are to the point we need both maintainers and developers
<robertj_> just kinda curious, I think my days fiddling with computers are mostly over
<robertj_> I've got a teleworking op I'm hoping will supplement a meager existence while I head back to school
<robertj_> hurray for soulless PHP work :(
<wasabi_> Burgwork: My main reason for not having a bulleted list is I don't want to reexplain why certain items on such a list are there. "Implement a NSS realm table" doesn't fully tie together WHY it should be done.
<wasabi_> And the reasoning for that is pretty wide.
<Burgwork> wasabi_: no, currently you have giant paragraphs, without many headings
<wasabi_> There will be a short list of actionables when I get to the bottom.
<robertj_> wasabi: maybe those should be links?
<Burgwork> it is still too long, I am telling you
<Burgwork> I tell you this as a marketing person
<Burgwork> I will try and dig into it and lunch
<whiprush> Burgwork: ok that sounds good. Sorry I dropped the ball on that
<Burgwork> whiprush: I will beat you in MTV
<whiprush> Burgwork: I have an ubuntu talk tonite at a new lug so I am putting together my slides and totally forgot
<Burgwork> ah
<whiprush> Burgwork: I will bask your awesomeness
<whiprush> Burgwork: do you have the draft we were working on?
<Burgwork> no, email it to me
<whiprush> corey@u.c?
<Burgwork> corey.burger
<Burgwork> ok google is wacked
<Burgwork> why do I need a new account?
<Burgwork> it already knows who I am
<whiprush> dunno
<Burgwork> I think that was what sergey was going on about
<lophyte> Burgwork: about usus.. when does a client decide to push their dpkg -l ?
<lophyte> on boot, on a cronjob.. what?
<Burgwork> if changed would be best
<lophyte> if what's changed?
<Burgwork> if the package information has changed
<lophyte> on the server?
<Burgwork> no, the client
<lophyte> why would it change?
<Burgwork> an update?
<lophyte> I don't follow..
<Burgwork> when the machines update, their information is going to change
<Burgwork> as there might be new versions
<lophyte> how can they update if they haven't sent their package list to usus yet?
<Burgwork> on initial install and upon any change
<wasabi_> Sort of a chicken n egg problem.
<lophyte> so you'd have to manually go around to all your computers and force a change before it pushes its package list?
<wasabi_> They should push their info right before they update.
<wasabi_> They are unrelated actions, actually.
<robertj_> can we keep a uid on the server with a last seen timestamp?
<robertj_> and send only the names of newly installed packages?
<wasabi_> This cron job should just push/update
<wasabi_> Nothing else.
<lophyte> cronjob?
<wasabi_> Or whatever we use.
<lophyte> that makes more sense to me..
<wasabi_> Existing update-manager server or whatever mvo has.
<robertj_> also, does it seem inevitable that you will end up tracking packages that are no longer in use?
<lophyte> I'm gonna take a look at nwu and see what's already working
<robertj_> because person x used to have it but dropped their laptop down the storm drain?
<wasabi_> At some point machines expire.
<wasabi_> WSUS does that too... it says the last time a machine reported.
<wasabi_> And you can just click on it and hit remove.
<wasabi_> And then it's no longer considered.
<wasabi_> The UI puts little marks next to computers which haven't reported for 180 days or something
<lophyte> so perhaps it should report to the usus server in a cronjob, or on boot
<lophyte> in a cronjob preferably
<wasabi_> Might as well just do it every time the normal update runs.
<wasabi_> The reporting is sort of disconnected from the updating. There's no reason for it to happen more often though.
<lophyte> you mean the update-notifier?
<wasabi_> Yeah.
<lophyte> ah, right
<wasabi_> The update-notifier can just have a report inserted right before it runs update.
<lophyte> nwu looks like its completely different than what we've been discussing..
<lophyte> its like a way to remotely administer a client's repo configuration, and force updates
<Burgwork> which is needed
<lophyte> you can force package installation and such
<Burgwork> how much code is there?
<wasabi_> Yeah, I think we need that too, but I think that should consider LDAP
<lophyte> I think that's outside of the scope of USUS
<wasabi_> And other things, like gconf mandatories.
<wasabi_> Since those all fall under "configuration"
<lophyte> that's more like a configuration management thing, ie. GPOs
<wasabi_> Yeah.
<Burgwork> if the code exists, no reason to throw it away
<lophyte> I agree, but again, it seems outside the scope of USUS.. the code could be integrated into a GPO-like system though
<Burgwork> yep
<robertj_> when it sends its list of packages, it also needs to send in a list of all components it is subscribing to, correct?
<lophyte> you /could/ use nwu in conjunction with usus at the moment, until we have a GPO-like system
<lophyte> http://cetico.org/nwu-doc/user-manual.html#d0e327
<lophyte> but it uses SSL and stuff.. which breaks the kerb/ldap theory
<lophyte> I'll see if I can use any of it
<lophyte> paste warning
<lophyte> First of all, how does nwu-agent work? The first time the nwu-agent is run, it will generate its auth information and save it on /var/spool/nwu/, then load system information - including current APT state and send that to the server. The agents will push and pull data to the servers every 10 minutes. They notify the server of the changes (eg: "package 'foo' installed") then get the list of pending tasks.
<wasabi_> Seems sort of heavy and complicated.
<lophyte> yeah
<wasabi_> And very very hard coded to only deal with apt.
<wasabi_> I would much rather prefer a generic GPOish thing, where you can push many things: mandatory gconf strings, apt lines, fstab entries, etc.
<wasabi_> That hooked to LDAP would be nice.
<lophyte> *nods*
<lophyte> agreed
<wasabi_> I do also think that in large organizations these things are very disconnected.
<lophyte> I'd love to work on a GPOish thing.. but USUS is on my mind at the moment
<wasabi_> You have people deploying corporate policy, and then some sub departments deploying per-department policy.
<wasabi_> And you have people disconnected from that which validate security updates.
<wasabi_> security team vs management team
<lophyte> hrm, question...
<lophyte> what if update groups were determined by OUs rather than group membership?
<wasabi_> They sort of are.
<wasabi_> Well, actually they're determined by whatever configuration system populates apt.
<wasabi_> Which, presumably, would be like GPO, and use OUs
<lophyte> ah, right..
<lophyte> like, you'd create a sources.list GPO that uses the testing repo and assign that to the testing OU
<lophyte> right?
<wasabi_> Yup
<lophyte> or a GPO that uses the servers repo and assign that to the servers OU..
<lophyte> k, got it
<wasabi_> This brings me to my thoughts on a GPO replacement... which probably overlaps or eliminates the current NWU.
<wasabi_> I'm thinking keep it super simple.  You define a set of name/value properties, much like debconf keys.
<wasabi_> In fact, exactly like them.
<wasabi_> And you come up with some LDAP assignment to determine the full set of keys to apply to a system.
<lophyte> I've never seen debconf keys..
<lophyte> will have to look that up
<wasabi_> Then you just write them to the system someplace, and leave it up to some client programs to configure themselves based on them.
<wasabi_> Which is basically like GPO does.
<lophyte> you write them to an NFS share
<wasabi_> The GPO results in a set of registry keys being created based on the total sum of all applied GPOs... and client apps have to deal with them.
<lophyte> at least, that's how GPO works
<wasabi_> Yeah. The name of the template is delivered by LDAP.
<lophyte> yeah
<wasabi_> The template is just a flat file of name/value pairs.
<lophyte> *nods*
<wasabi_> + one local template.
<wasabi_> I might do it the same, except eliminate NFS, and use a dedicated HTTP server to retrieve the templates.
<wasabi_> Since NFS is obviously sucky for a lot of reasons.
<lophyte> \\server1\SYSVOL\path\to\gpo
<lophyte> store that path in LDAP
<wasabi_> Basically you just ask the server for the full set of templates that apply to you, and it delivers them.
<wasabi_> That's basically what GPO does, except it doesn't store the path.
<lophyte> it's very simple... all the development work will be on the client-side, developing a client that interprets the templates and applies them
<Burgwork> sabayon is the beginnings of gpo
<wasabi_> It stores the GUID, the clients retrieve it on its own.
<wasabi_> Yeah I know nothing about sabayon.
<lophyte> ah
<Burgwork> stores a zip on a server somewhere
<wasabi_> zip of what?
<Burgwork> pulled down the client and unpacked upon login
<Burgwork> zip of gconf keys and other config into
<Burgwork> info, rather
<wasabi_> per user or for a system?
<lophyte> both
<Burgwork> per user
<lophyte> well, GPO does both
<wasabi_> So sabayon doesn't address the system.
<Burgwork> I am describing what sabayon does now
<wasabi_> ahh
<Burgwork> not what it could do
<Burgwork> this is part of what federico is working on at Novell
<wasabi_> Yeah.
<wasabi_> For the user stuff. For the system, I might seriously consider pushing debconf keys.
<lophyte> k, I gotta go do some shopping...
<wasabi_> I mean... it totally works.
<lophyte> I'm gonna send you guys what I've got here
<lophyte> feel free to hack it up
<lophyte> and rip it apart
<wasabi_> Server delivers a set of debconf keys, every key that changes, package gets reconfigured, it applies the values.
<lophyte> wasabi_: whats your email?
<lophyte> actually
<lophyte> nm
<wasabi_> wasabi@larvalstage.net
<lophyte> I'll post it up on a web server
<Burgwork> debconf has issues in that it is Ubuntu/Debian specific
<wasabi_> Heh. A packages entire configuration is Ubuntu/Debian specific.
<wasabi_> Either fix that, or accept it. ;)
<lophyte> I thought the point of ubuntu DS was to create an Ubuntu/Debian specific system :P
<lophyte> http://www.dave-sullivan.com/usus/-workflow.odg
<lophyte> erm
<wasabi_> As long as we have package scripts which set up the package and configure it based on debconf keys... the problem will be how to drive that out.
<lophyte> http://www.dave-sullivan.com/usus/usus-workflow.odg
<lophyte> http://www.dave-sullivan.com/usus/usus-workflow-footnotes.txt
<lophyte> that's still a WIP
<Burgwork> looks good
<lophyte> I still need to finish up the server-side flow for receiving a client's package list, as well as how it determines which updates to download from upstream, and the update approval workflow
<lophyte> also..
<lophyte> I moved our braindump:
<lophyte> http://wiki.ubuntu.com/UbuntuSUS
<lophyte> since it now seems unrelated to NWU
<Burgwork> ok, that means we now have three specs
<Burgwork> because there is that spec whiprush wrote
<lophyte> which one?
<Burgwork> update-server
<lophyte> https://features.launchpad.net/distros/ubuntu/+spec/ubuntu-update-server
<lophyte> this one?
<lophyte> that one has been superseded
<Burgwork> right
<lophyte> UUS spec stores package info in LDAP.. and we argued against that yesterday
<Burgwork> ok, we need to sort out the interaction between nwu and sus
<Burgwork> so that people are not confused
<wasabi_> I think we actually just need to make something work, and then people will use it, and the other pages will get deleted. ;)
<lophyte> storing credentials and configuration template information in LDAP is what we discussed as the best option I think
<lophyte> lol, agreed
<Burgwork> yep
<lophyte> I can have this operational by some time next week if I worked my ass off on it..
<wasabi_> I personally don't think what's written down on NWU is the right path. I think it's complicated and addresses half of a separate problem which we will want to fully address anyways.
<Burgwork> should we supercede the nwu spec with the sus one?
<wasabi_> I think the current USUS idea we have is actually simple.
<wasabi_> And doable, quickly.
<wasabi_> And immediately useful.
<lophyte> I agree with wasabi
<Burgwork> so do I
<wasabi_> Sure, we can't deploy sources.list files out of the box. That's fine.
<Burgwork> whiprush: you around?
<lophyte> that's done through another mechanism
<wasabi_> We can solve that in the same step we figure out how to deploy everything else.
<Burgwork> lets change uus and nwu to be superceded by sus
<lophyte> yup
<whiprush> Burgwork: in and out
<whiprush> ok
<Burgwork> whiprush: change your superceding stuff to sus from nwu
<whiprush> on it
<lophyte> should I create a sus spec?
<wasabi_> I think so. You should clearly write up what we've talked about, and let the NWU people in on the conversation.
<lophyte> alright
<Burgwork> whiprush: better, change the driver of uss to -directory
<wasabi_> We need to convince them why we think our approach is better.
<wasabi_> And decide where to move from there.
<whiprush> okey
<Burgwork> lophyte: merge your page to the wiki page of the current https://wiki.ubuntu.com/UpdateServer
<Burgwork> lophyte: and then make nwu superceded by uus
<Burgwork> there, that is simpler
<Burgwork> no three spec
<lophyte> alright
<lophyte> so merge usus with uus and call it uus?
<Burgwork> yep
<lophyte> alrighty.
<whiprush> ok
<whiprush> what am I doing now?
<wasabi_> You need to be updated on what we've discussed.
<wasabi_> =)
<wasabi_> And have your say, etc.
<whiprush> yeah
<whiprush> how far back do I go in the log?
<lophyte> yesterday around this time, lol
<whiprush> ok.
<whiprush> let me do this spec thing
<lophyte> ubuntu-update-server should be the most up-to-date spec
<whiprush> ok, so I am changing uus to be merged with usus?
<lophyte> yup
<whiprush> I superceded it yesterday
<whiprush> so do I un supercede it?
<lophyte> I think that's what Burgwork wanted
<lophyte> merge our discussion into UUS and make it the latest spec
<lophyte> right Burgwork?
<whiprush> it's ok, I have no idea how to even find my spec now
<whiprush> god launchpad makes me cry sometimes
<lophyte> https://features.launchpad.net/distros/ubuntu/+spec/ubuntu-update-server
<lophyte> though it should be a spec under ubuntu-directory me thinks
<wasabi_> whiprush: What we've discussed goes basically like this:
<wasabi_> Simple mod_python based web application, which manages a directory of user-created repositories.
<wasabi_> The user can create a repository, named whatever he wants, but usually something like "dapper"
<wasabi_> And hook it up to one or more upstream repositories.
<wasabi_> In this case, he would create a repository named "dapper" and hook it up to "dapper", "dapper-updates" and "dapper-security"
* whiprush nods
<wasabi_> This would cause a sync to happen periodically pulling the Packages files for each of those upstream repositories, and merging them into the user one.
<wasabi_> Under $reposname/proposed
<wasabi_> Machines can then be set up to pull from
<wasabi_> deb http://localserver/uus/repos dapper/proposed main universe
<whiprush> right
<wasabi_> That's the latest copy of upstream.
<whiprush> ok, spec is given to ubuntu-directory now
<wasabi_> Machines will post their entire dpkg database (package names and versions) to the URLS periodically.
<whiprush> and unsuperceded
<whiprush> wasabi_: and this can be enforced right?
<lophyte> I think it should only be posted once
<wasabi_> In what way?
<wasabi_> lophyte: Has to be posted every time a new package is installed.
<whiprush> wasabi_: well, can a client machine break?
<wasabi_> Of course.
<wasabi_> This is code we're talking about.
<whiprush> heh
<whiprush> well
<wasabi_> When this happens, the server will use it to determine what packages are installed in various places. And that will drive out the interface of what you should be prompted to approve.
<wasabi_> So you'll see an approval interface for "dapper"
<whiprush> I meant, so a user with sudo on a client can still remove the stuff right?
<wasabi_> listing all packages which have later upstream versions.
<whiprush> or will it continue to push to the client?
<wasabi_> whiprush: Yup. He can remove it.
<whiprush> ok
<wasabi_> When you approve a package it moves it into the Packages files within the main repository (non /proposed)
<wasabi_> Clients retrieve everything from there.
<wasabi_> Testing boxes can test dapper/proposed, all other boxes can use dapper
<wasabi_> Approval simply makes it available to the clients in production.
<wasabi_> Each user repository will have a separate pool, where .deb files are kept.
<wasabi_> They can be linked from /proposed to non proposed.
<lophyte> I don't think you need to send your entire package listing every time.. just once
<lophyte> and diff it every other time
<wasabi_> I think .deb files should be downloaded on demand somehow.
<wasabi_> lophyte: Sure, you could keep the last sent copy
<wasabi_> And just send the diff.
<wasabi_> I think I might implement that last though
<wasabi_> When we determine it really matters.
<lophyte> the server would also have a local copy of each client's package list
<lophyte> so when it sends the diff, it compares the diff with the package list
<wasabi_> whiprush: And that's all it does. It doesn't handle machine groups or anything on its own.
<lophyte> it /can/ be set up to use groups, though
<wasabi_> Machine groups are handled by creating multiple repositories: dapper-desktops, dapper-servers, etc.
<lophyte> simply by creating multiple repos
<lophyte> yeah
<whiprush> wasabi_: ok I was just trying to understand the scope
<wasabi_> The scope is simply to approve updates to existing packages.
<wasabi_> It is not to manage the installation or configuration of client machines.
<lophyte> this way, it doesn't introduce any new technology and is built on things that already exist and work
<wasabi_> Since we believe that would overlap with other projects seeking to do the same.
<lophyte> there should be a separate project to handle configuration settings deployment
<wasabi_> As that separate project will want to take into account other stuff, deploying text files, fstab entries, local user stuff, etc
<whiprush> right
<wasabi_> Which sort of includes sources.list
<wasabi_> This ends up mirroring WSUS basically.
<wasabi_> Where WSUS simply approves, GPO deploys pointers to WSUS.
<lophyte> I'm gonna go eat and do some shopping..
<lophyte> I'll be back later to finish up the spec
<lophyte> i wonder why nwu is approved
<lophyte> anywho.. bbl.
<wasabi_> Because mvo worked on it
<ajmitch> hey people
<ajmitch> mvo... and nictuku
<Burgwork> nictuku wrote the actual code
<Burgwork> mvo just speced it
<wasabi_> ahh
<ajmitch> lophyte: still having xen issues?
<lophyte> ajmitch: yup
<ajmitch> followed the XenOnEdgy wiki page?
<lophyte> ajmitch: yeah.. I booted up the xen kernel and had X issues.. probably an nvidia kernel module issue.. I didn't get a chance to troubleshoot it yet
<Burgwork> ok, uus added to mtv
<ajmitch> on i386 or amd64?
<ajmitch> there's a xen-restricted-modules package
<lophyte> i386
<lophyte> Burgwork: i wish I was going to mtv
<ajmitch> you should be fine then
<lophyte> I'll try installing xen-restricted-modules
<Burgwork> lophyte: you can. It is not that much from to to sfo
<lophyte> Burgwork: yeah but I still can't afford it :P
<Burgwork> sorry, my funds are tapped
<lophyte> unemployed = no money
<lophyte> ajmitch: so xen-restricted-modules will provide the nvidia driver?
<Burgwork> lophyte: you realize we both have the same diploma from CDI?
<lophyte> LOL
<lophyte> you went to CDI too?
<Burgwork> yep
<Burgwork> sadly
<lophyte> that's funny
<lophyte> yeah, it was horrible
<Burgwork> grad with honours?
<lophyte> yeah.. though I haven't officially graduated yet
<Burgwork> ah
<lophyte> they haven't contacted me about when the graduation is supposed to be..
<Burgwork> there are two ways to get out cdi
<lophyte> well, I'm done my classes
<Burgwork> with honours or not at all
<lophyte> hehe
<lophyte> I finished with like a 97% average
<lophyte> its almost impossible not to graduate with honours
<lophyte> the way they just kinda pass you even if you have no clue what you're doing
<lophyte> anyway brb, testing xen again
<lophyte> no luck
<Burgwork> FUCK!!!
<Burgwork> guess who is not going to MTV
<lophyte> you?
<Burgwork> yep
<Burgwork> want to go?
<ajmitch> damn
<Burgwork> potential I might show up midweek
<lophyte> i'd love to
<ajmitch> there goes my plans of living in luxury for the week ;)
<Burgwork> yep
<Burgwork> floor for you!
<Burgwork> lophyte: give me a number on flights from to to sfo
<ajmitch> Burgwork: about what I can afford now!
<lophyte> Burgwork: one sec.. gotta find some cheap flights
<Burgwork> ok, question
<Burgwork> why would a machine, while sitting idle, spontaneously decide to switch to dhcp?
<wasabi_> Why aren't you going?
<lophyte> Burgwork: thought you said it wasn't much?
<Burgwork> wasabi_: work has a big project lined up and it starts next week
<lophyte> the lowest I'm getting is like $545
<ajmitch> lophyte: hah, that's nothing compared to flying from NZ
<wasabi_> Suck.
<lophyte> ajmitch: ;)
<wasabi_> Yeah, my tickets were $200.
<wasabi_> But I got two.
<lophyte> $545 return from to
<ajmitch> I'm not unemployed, but I may as well be with the funds I  have left :)
<lophyte> according to expedia.ca
<Burgwork> I'm a fairy princess who likes to sprinkle muffin crumbs like sparkly dust allll over my coworker's shipping table.
<Burgwork> I also like goats.
<Burgwork> A lot.
<ajmitch> hm, do you think someone got to corey's keyboard?
<lophyte> wasabi_ from where?
<wasabi_> texas
<wasabi_> Canonical is paying for me though... so actually I don't have to pay anything.
<wasabi_> neiner.
<lophyte> hah
<lophyte> anyone know where to find cheap flights?
* ajmitch is not bitter, no, not at all.. ;)
<Burgwork> ajmitch: yes, somebody did
<Burgwork> my new colleague, Audrey
<lophyte> lol
<ajmitch> wonderful person, I'm sure
<Burgwork> usually I lock my screen
<lophyte> Burgwork: $525 return seems the cheapest
<Burgwork> let me see
<lophyte> don't think the link will work..
<lophyte> http://www.expedia.ca/pub/agent.dll?tovr=-1294697288&ps3u=
<lophyte> its about $20 cheaper to go to san jose
<Burgwork> aircanada and travelocity are not cheaper
<Burgwork> what airline?
<Burgwork> try their website
<lophyte> $545 return via US Airways
<lophyte> I gotta go for a bit...
<lophyte> that's the cheapest I can find
<lophyte> bbiab
<Burgwork> ok, that was odd
<Burgwork> where is the dhcp timeout information stored?
<Burgwork> lophyte: see /var/log/dpkg.log
<lophyte> Burgwork: for?
<Burgwork> that shows what dpkg has been doing
<lophyte> oh, sweet
<lophyte> could use that to let the usus server know what's going on
<lophyte> ajmitch: you around?
<ajmitch> yes..
<Burgwork> is it within the spec to have the machine report back successfully updating?
<Burgwork> basically the machine would send back that piece of the log
<lophyte> sure.. that can be added
<Burgwork> after update
<lophyte> ajmitch: can you point me in the right direction for xen help?
<Burgwork> send back the chunk of the log, parsed for the new versions
<ajmitch> lophyte: with regards to?
<lophyte> seems mostly missing modules..
<ajmitch> what modules?
<lophyte> the module for my wifi card isn't loaded either
<lophyte> and the nvidia driver is missing
<ajmitch> and you have the xen-restricted-modules package that matches the 2.6.17 kernel you're running?
<lophyte> yup
<ajmitch> (not 2.6.16)
<ajmitch> eg xen-restricted-modules-2.6.17-6-generic-xen0
<lophyte> yup
<ajmitch> and xen-image-xen0-2.6.17-6-generic-xen0
<lophyte> dpkg -l says its installed
<ajmitch> and you created the initramfs, etc
<ajmitch> and you have /lib/modules/2.6.17-6-generic-xen0/volatile/nvidia.ko
<lophyte> oh.. should I re-create initramfs after installing restricted modules?
<lophyte> no, there's nothing in volatile..
<ajmitch> not necessarily, but running depmod -a may help
<lophyte> hm.. volatile is empty..
* ajmitch would check why that is
<Burgwork> ajmitch: hoping pitti will play ball
<lophyte> ajmitch: /lib/linux-restricted-modules/2.6.17-6-generic-xen0/nvidia
<lophyte> that dir has a bunch of object files..
<ajmitch> Burgwork: with?
<ajmitch> lophyte: right, and the postinst should have linked then
<Burgwork> ajmitch: nixing beryl
<lophyte> apparently it didn't..
<ajmitch> lophyte: try & run /etc/init.d/linux-restricted-modules-common
<ajmitch> Burgwork: fat chance
<ajmitch> plenty of crap code is in main
<lophyte> ...huh
<lophyte> okay, I'm gonna try this from scratch
<lophyte> alrighty..
<lophyte> followed the wikipage to the letter
<lophyte> brb
<lophyte> well, got networking working in the host domain anyway...
<lophyte> though I don't think bridging will work in guest domains
<lophyte> ajmitch: so far so good, I think
<ajmitch> ok
<ajmitch> why won't bridging work?
<lophyte> ajmitch: we'll find out when I create a guest..
<lophyte> which I'm trying to do now
<lophyte> meh..
<ajmitch> as long as the xen config is setup properly
<lophyte> not having any luck creating a guest either, lol
<ajmitch> ouch :)
* ajmitch uses xen-tools for that
<ajmitch> nice & simple & fast
<lophyte> I'm working on it
<lophyte> its running debootstrap right now
<lophyte> using the cdrom as the mirror
<ajmitch> ok
<lophyte> sweet, it finished..
<lophyte> now I do xm create ... right?
<lophyte> so far so good
<lophyte> sweet, it works
<ajmitch> great
<ajmitch> sudo xentop
<ajmitch> in the dom0
<ajmitch> shows you a nice overview of cpu usage, etc
<lophyte> ajmitch: how do I get networking going in the guest? which interface is it?
#ubuntu-directory 2006-10-27
<ajmitch> should just be eth0 in the guest
<lophyte> it'll act like an additional box on my network?
<ajmitch> yes
<lophyte> hrm..
<lophyte> it won't even ping itself..
<ajmitch> (network-script 'network-bridge netdev=eth1')
<ajmitch> ignore the netdev=eth1 bit
<ajmitch> but you should have something like that on the dom0
<lophyte> I do
* ajmitch just wanted to make sure it bridged with the wired interface on the laptop, not the wireless
<lophyte> though, here's the issue I had...
<lophyte> my main interface is ra0
<lophyte> so I did (network-script 'network-bridge netdev=ra0')
<lophyte> but then networking wouldn't work on dom0
* ajmitch has had all sorts of fun with bridging..
<lophyte> should I be using eth0 in dom0?
<lophyte> dom0/eth0 -> xenbr0 -> ra0 -> network ?
<lophyte> and domU/eth0 -> xenbr0 -> ra0 -> network
<lophyte> is that how it works
<ajmitch> no, the bridging is from domU to dom0
<ajmitch> so only domU/eth0 -> xenbr0 -> ra0 -> network
<lophyte> hmm..
<ajmitch> ra0 only exists in dom0
<lophyte> so the question is, why does ra0 break in dom0 when I use network-bridge netdev=ra0
* ajmitch shrugs :)
<lophyte> cuz I should be using eth0 in dom0..
<lophyte> I think
<ajmitch> why?
<ajmitch> do you even have an eth0 in dom0?
<lophyte> yeah
<lophyte> ugh.. this is confusing..
<ajmitch> just use the interface that's normally connected & it ought to work :)
<lophyte> no..
<ajmitch> why it suddenly stops in dom0 is beyond me
<lophyte> when I use network-bridge netdev=ra0
<lophyte> ra0 says "no wireless extensions"
<ajmitch> hm right
<lophyte> though it creates pra0, which has wireless extensions
<ajmitch> though this could be why I switched to eth1 (the wired interface)
<ajmitch> since the ipw2200 was playing funny tricks
<ajmitch> but this was also when i was testing 2.6.16 & the firmware was broken :)
<lophyte> but I tried using pra0 and it didn't work either
<ajmitch> I haven't set it to use wireless since then
<lophyte> I don't really have a choice
<lophyte> has to use wireless :|
<ajmitch> laptop sits on top of my tower case usually
<lophyte> this is a desktop ;)
<ajmitch> fun
<lophyte> hrm..
<ajmitch> I could hardly put my main box on my desk :)
<lophyte> haha
<lophyte> okay, its a tower :P
<lophyte> not a laptop
<lophyte> but..
<lophyte> paste warning
<lophyte> nm
<lophyte> in /etc/xen/xend-config.sxp, there's a little diagram...
<lophyte> dom0: fake eth0 -> vif0.0 -> bridge -> real eth0 -> network
<lophyte> domU: fake eth0 -> vifN.0 -> bridge -> real eth0 -> network
<lophyte> so if I use netdev=ra0, it becomes "real ra0 -> network"
<lophyte> but would the fake ones remain eth0, or become ra0?
<ajmitch> hm
* ajmitch doesn't know, hasn't checked it
<lophyte> and also...
<lophyte> is fake eth0 called 'eth0' or peth0? :P
<ajmitch> see response above
<lophyte> hrm
<Burgwork> wasabi_: rh uses a joined /etc/ldap.conf
<wasabi_> How do they deal with maintainer scripts, or do they not?
<Burgwork> no idea
<Burgwork> looking at my FC4 machines
<wasabi_> It might be fine to not deal with it, and move ldap.conf configuration completely into authtool
<wasabi_> And remove conffile from the files.
<wasabi_> Get rid of the debconf questions on libnss-ldap, etc
<Burgwork> yep
<Burgwork> I think that works
<Burgwork> whiprush: what does SLED 10 have?
<Burgwork> but FC doesn't have our common-* stuff
<Burgwork> at least 4 doesn't
<Burgwork> also, fedora bundles pam_ldap.so in with nss_ldap
<cliebow_> Burgwork:How do you plan to supply the functions smbldap-tools provides?
<wasabi_> What functions are those?
<cliebow_> those from smb.conf...adding machines password changes
<wasabi_> winbind.
<wasabi_> In the case of AD.
<cliebow_> i guess i need to read the spec..ive been working on perl stuff to replace the functions smbldap-passwd smbldap-useradd etc do
<Burgwork> how does ccreds interact with nssdb?
<wasabi_> It doesn't.
<wasabi_> It's completely separate.
<Burgwork> right
<wasabi_> You reading my novel?
<Burgwork> 'cause db doesn't appear to cache auth stuff
<Burgwork> no
<wasabi_> It does not.
<Burgwork> so I need both?
<wasabi_> NSS does not involve auth.
<cliebow_> why does ad come up?
<wasabi_> Yes.
<wasabi_> NSS involves only passwd/group entries.
<cliebow_> in This situation
<wasabi_> pam is the "is your password correct?" pipeline.
<Burgwork> right
<wasabi_> Kerberos users have no entry in shadow.
<wasabi_> No hashed password, etc.
<Burgwork> auth    sufficient      pam_ldap.so <-- replace with pam_ccreds.so ?
<wasabi_> pam_ldap shouldn't be used.
<Burgwork> right
<wasabi_> Oh, this is at your office?
<Burgwork> yes
<wasabi_> Ahh. You have no kerberos.
<wasabi_> https://wiki.ubuntu.com/NetworkAuthentication/ScratchPad/Client#preview
<wasabi_> Jump to my sample pam file.
<wasabi_> And my long explanation of its purpose.
<Burgwork> and I discovered the pain when my ldap server decided to start using a dhcp addy
<wasabi_> Hah.
<Burgwork> still haven't figured why
<Burgwork> given I have hacked /etc/network/interfaces to list it as static
<Burgwork> wasabi_: your novel can assume more knowledge on the part of the reader
<Burgwork> ie: don't tell us what pam is, etc.
<wasabi_> I don't want it to.
<wasabi_> Also it's only one sentence.
<Burgwork> I assume those assumptions are inherent throughout the text
<wasabi_> You'd be surprised how many people don't actually understand PAM and NSS.
<wasabi_> Again, I want this to be blogged about, and get people talking/interested.
<lophyte> okay, spec time
<Burgwork> that is way too long to be a blog post
<wasabi_> It won't be IN a blog post.
<Burgwork> still too long
<wasabi_> Linked from, sure.
<Burgwork> look, you need to catch people's attention
<Burgwork> novels don't do it
<wasabi_> Actually, specifically, I need to sell it to mark.
<wasabi_> So he'll pay for it.
<Burgwork> that is not going to catch his eye either
<Burgwork> remember, mark has add
<Burgwork> ADD, rather
<wasabi_> Haha
<wasabi_> I have ADD. It worked for me.
<Burgwork> yours is probably treated
<Burgwork> Marks is not
<wasabi_> Mine isn't. =)
<wasabi_> I don't get anything done if I do. =(
<Burgwork> ok, if you must keep the fracking novel
<Burgwork> at least point the point form stuff at the top
<Burgwork> the todos, etc.
<lophyte> would you guys mind a short discussion about directory services in general?
<wasabi_> Sure.
<Burgwork> then put everything else in a discussion section
<wasabi_> I suspect you should read my novel though. ;)
<lophyte> I sifted through it ;)
<Burgwork> it looks interesting, in a text book way
<Burgwork> I need facts and short bits, not learning
<Burgwork> lophyte: shoot
<lophyte> I just basically wanted to do a braindump of my own and see how it matches up with other people's visions
<Burgwork> The NSCD daemon will run as root. <-- lets figure out a way around this, if possible
<wasabi_> There is no way around it.
<Burgwork> ok
<wasabi_> Except to run one copy for every user.
<Burgwork> question about your pam block
<wasabi_> Including root.
<wasabi_> Each with massively duplicated information.
<wasabi_> And redundant LDAP queries.
<Burgwork> if I don't run kerberos, can I just nuke that line?
<wasabi_> Replace the line with pam_ldap
<wasabi_> In some intelligent way.
<lophyte> UDS (ubuntu directory services, not developer summit) should, imo, be a group of packages that can either work standalone or together..
<Burgwork> wasabi_: ok
<lophyte> USUS for example.. can be run on its own, but works better with other packages, ie the GPO-like configuration system
<lophyte> so you've got network auth, update services, config deployment... all things that can be run standalone or together as one big system
<lophyte> unlike AD which is one big bloated package that you take all or none
<Burgwork> yep
<wasabi_> Not really, but okay. ;)
<wasabi_> WSUS is not tied to AD.
<wasabi_> The only real tie is that you're forced to use both their LDAP and their KDC.
<lophyte> well, no.. but you can't have SSO services without GPO services
<Burgwork> wsus not tied to AD is a mistake on MS's part
<wasabi_> lophyte: Well, you don't have to USE GPO.
<lophyte> no, but its still there
<wasabi_> For instance, I use other software to deploy software.
<wasabi_> wpkg.sf.net
<lophyte> is there any work being done on a GPO-like system?
* wasabi_ shrugs.
<wasabi_> https://wiki.ubuntu.com/NetworkAuthentication/Client   Moved my novel.
<lophyte> another question.. is UDS going to be tied to specific packages, or is it going to be versatile and flexible?
<lophyte> ie. you don't /have/ to use openldap and krb5-kdc
<wasabi_> Depends what you mean by that.
<Burgwork> wasabi_: can you forward that on to federico
<wasabi_> addy?
<Burgwork> lophyte: we are going to pick a best of breed ldap server
<Burgwork> ask whiprush
<Burgwork> ubuntu is about making decisions
<lophyte> indeed
<wasabi_> I suspect UDS will be nothing but some automated utilities to install a server, configure it, and setup some schema.
<wasabi_> No reason you can't setup your own server instead of using that.
<wasabi_> That's sort of why we'll work with AD.
<lophyte> but under the umbrella of 'UDS' includes our own centralized config deployment system
<lophyte> and network auth
<lophyte> and perhaps other packages
<wasabi_> Sure... but again, the client component is just Ubuntu configured to talk LDAP/Kerberos.
<wasabi_> NO reason you have to use our server component for that.
<lophyte> right.. so you don't have to use the config system if you don't want to
<Burgwork> no
<wasabi_> I don't think there's anyway we could force you to do so.
<Burgwork> but we are going to provide the complete stack, client and server
<Burgwork> for the server side, we are going to choose technologies and go with them
<lophyte> at a bare minimum, UDS is simply Ubuntu configured to talk LDAP/Kerberos on the client side, and LDAP/KDC on the server side
<Burgwork> the client is fairly generic
<Burgwork> the server is going to be much more specific
<wasabi_> I wouldn't even consider UDS a product name.
<lophyte> but you can install fancy extras on top of that.. ie. config system, usus, etc.
<wasabi_> Really.
<Burgwork> we are going to say OpenLDAP or FDS
<lophyte> FDS?
<Burgwork> fedora directory server
<lophyte> why fedora?
<Burgwork> because FDS is better than most out there
<Burgwork> OpenLDAP vs FDS is debatable right now
<Burgwork> and the world doesn't need another ds
<lophyte> so what are we doing then?
<Burgwork> need to evaluate both of them and decide
<lophyte> if the world doesn't need another ds.. are we just making ubuntu work with existing DS systems?
<wasabi_> Yes.
<wasabi_> A DS is just a database though.
<Burgwork> yes, but we also don't need to go out and fork an existing DS
<wasabi_> Something has to install it, configure it, and set it up with proper information for clients to use it.
<lophyte> ah, alright
<wasabi_> I suspect we'd like to reduce that down to a single wizard on a server.
<lophyte> so if we choose FDS, how would we migrate that into ubuntu?
<Burgwork> there is a spec for that
<lophyte> ah.
<wasabi_> Somebody needs to package it.
<lophyte> alright..
<lophyte> I'm just more or less catching up to what's going on :P
<lophyte> and figuring out what our goals are
<Fujitsu> Doesn't it depend on pretty much everything on the planet?
<Burgwork> Fujitsu: less everyday
<Fujitsu> Burgwork: Good!
<Burgwork> they are splitting out the web frontend, which requires non-free java, in the next release
<lophyte> is FDS free?
<Burgwork> yes
<Burgwork> all RH stuff is open source
<Burgwork> everything
<wasabi_> Did you give me federico's email?
<Burgwork> whiprush has it
<Burgwork> just a sec, let me see if have it
<wasabi_> oh yeah i remember now
<Burgwork> federico@novell.com
<wasabi_> This one:
<wasabi_> http://primates.ximian.com/~federico/news.html
<wasabi_> k
<lophyte> Burgwork: you didn't get a tracking # for that package did you?
<Burgwork> yep, but it is at home
<lophyte> ah
<lophyte> should check it
<lophyte> my mom said she hasn't gotten anything by courier
<Burgwork> it came by regular post
<lophyte> how big is it?
<lophyte> I wonder if the mailman stuffed it in the mailbox
<Burgwork> envelope
<lophyte> ah
<lophyte> probably in the mailbox
<lophyte> brb I'll check
<ajmitch> right, I'm back
<ajmitch> wasabi_: yes, I started packaging FDS, nothing new there
<ajmitch> so of the todo list you have there, I've got stuff for the last 2.
<lophyte> Burgwork: got it, thanks
<Burgwork> perfect
<lophyte> I'll hand them out tomorrow and pass some on to djp
<lophyte> 1 down, 3 to go
<Burgwork> wasabi_: just got bitten by https://launchpad.net/distros/ubuntu/+source/pam/+bug/67276
<lophyte> Burgwork: is there a list of goals for the directory team somewhere?
<Burgwork> our specs
<lophyte> ah, good point
<Burgwork> what is the FC equiv of /var/log/auth.log ?
* ajmitch rages at ugly php code
<Fujitsu> ajmitch: That's what PHP is for!
<Fujitsu> Being ugly, and raged at.
<lophyte> Burgwork: alright, I'm gonna start merging our braindump with /UpdateServer
<Burgwork> perfect
<lophyte> also, re: -ca approval.. I'm gonna put us on the CC agenda, is there anything else we need?
<Burgwork> we need the approval form
<Burgwork> did you see that?
<lophyte> I glanced at it briefly
<Burgwork> please fill that out
<Burgwork> I am fighting with FC4
<wasabi> Burgwork: Yeah. So... You see why we need C coders. ;)
<Burgwork> ajmitch: got a stumper of a question of you
<Burgwork> userdel claims that I am logged in
<Burgwork> but I am, have no open files and have no running processes
<Burgwork> what else should I check?
<ajmitch> w
<Burgwork> ?
<ajmitch> w
<ajmitch> type it
<Burgwork> nope, doesn't list me
<ajmitch> ok
* ajmitch wonders what userdel is using then
<Burgwork> no idea
<Fujitsu> It's Fedora, does it need a reason to do crazy stuff?
<Burgwork> no
<Burgwork> I am currently on dapper
<lophyte> oohhh burrrrn.
<Burgwork> my boss wants a "homogenous" environment with our main office
<Fujitsu> Ah, you said `I am fighting with FC4' :P
<Burgwork> 1 Ubuntu machine, 2 FC
<Fujitsu> I've never had userdel do that sort of thing to me.
<Burgwork> wasabi_: how are you working around the ccreds brokenness?
<wasabi> auth_err=reset
<wasabi> Which is incorrect functionally, but works for now.
<wasabi> It's returning auth_err.
<ajmitch> what should it return?
<Burgwork> right, o
<Burgwork> ok
* Burgwork grumbles further at FC4
<Burgwork> getent passwd corey --> uid 10000
<Burgwork> chown corey:corey --> uid of home dir? 0
<wasabi> ?
<Burgwork> hmm, ok
<Burgwork> that worked
<wasabi> That's another interesting point... probably a place where i'd be willing to take a stand against everybody else.
<wasabi> libnss-ldap should not make groups for users.
<Burgwork> you mean, it shouldn't do the Ubuntu default?
<wasabi> Nope. It shouldn't.
<Burgwork> a corey group along with the corey user?
<Burgwork> why not?
<wasabi> Because it serves no real purpose, and muddles the issue tremendously... the LDAP server would have to have groups for each user.
<wasabi> And make sure there were no conflicting gids, etc.
<Burgwork> are we talking ldap groups or local groups?
<wasabi> Neither really.
<wasabi> I make my LDAP members primary group 65535, nogroup.
<Burgwork> we shouldn't diverge from ubuntu
<Burgwork> I don't see a benefit to diverging, so why do it?
<wasabi> Because we have no way to not diverge.
<wasabi> Unless you're going to mandate AD make a group for every user.
<Burgwork> oh?
<Burgwork> is that a bad thing?
<Burgwork> we shouldn't shoehorn Ubuntu into Windows
<wasabi> Hmm. I'd say so.
<ajmitch> that's a lot of unnecessary groups
<wasabi> No, certainly not, but we should carefully examine the reasons MS doesn't make a group for every user.
<wasabi> And I assert that reason is because nobody suggested it, because they had no problem to solve.
<wasabi> Because it solves no problem. =)
<Burgwork> the groups one?
<wasabi> Yes.
<Burgwork> what about standalone machines?
<wasabi> I believe the old-school reason for doing it is because POSIX permissions are limiting.
<wasabi> And you can only have one owner.
<Burgwork> I find them quite elegant, actually
<wasabi> So, in the case you want to share your folder with one other person, you setgroup it to him.
<wasabi> Posix ACLs don't make that a problem anymore.
<ajmitch> which is why windows never really needed a group per user
<wasabi> Yup. They were never working around a Posix permission set.
<wasabi> They started with ACLs
<wasabi> Anyways, so the options are thus: Either we leave it up to the admin to make an AD group for every user (not likely to happen)
<wasabi> We mandate they do, no way to enforce it.
<wasabi> We auto generate matching "fake groups" in libnss-ldap
<wasabi> (horribly hacky, might make conflicting gids)
<wasabi> Or we fix the problem that made us need a per-user group in the first place.
<wasabi> Which is probably a better long term goal.
<Burgwork> then write a spec for that
<wasabi> local users can still have their own group, it hurts nothing.
<Burgwork> and get it on the MTV
* Fujitsu likes that last solution, there's a lot of clutter otherwise...
<ajmitch> wasabi: so do you want to spec up ACLs enabled throughout ubuntu?
<wasabi> Hmm. I don't think it's required at first.
<Fujitsu> ajmitch: There's already a spec on that...
<wasabi> And I think somebody else will do that. ;)
<wasabi> Yeah.
<ajmitch> Fujitsu: sure, but when might that get done?
<ajmitch> there's a spec for nearly everything
<wasabi> Not having a per user group doesn't break anything.
<ajmitch> doesn't mean it's useful :)
<wasabi> It just makes it slightly more difficult to give a single user access to one of your files.
<Fujitsu> ajmitch: True, but it's not difficult to implement...
<ajmitch> other linux distros have managed fine without group-per-user
<ajmitch> I think it's an option in debian
<wasabi> I don't mind per-user groups for local stuff. It hurts nothing.
<wasabi> Let it continue.
<wasabi> My first user I create in Ubuntu is "admin".. and that creates an "admin" group.
<wasabi> And that group has sudo access.
<ajmitch> then let's break from that for remote users
<wasabi> So I add remote users to the local admin group, to give other users sudo access.
<wasabi> adduser jhaltom@DOM admin
<wasabi> And that's worked wonderfully.
<wasabi> Since all users require a primary gid, I've been using 65534 I believe, for nogroup.
<wasabi> Which has no permissions.
<wasabi> Other groups are secondary.
<lophyte> hey guys, where can I find a decent ldap+kerb howto?
<wasabi> Don't think there is one.
<ajmitch> yeah 65534 is default for  nogroup it seems
<lophyte> hah
<lophyte> you're telling me ;)
<wasabi> bayour had a good one.
<ajmitch> decent?
<wasabi> but it's been aging.
<lophyte> okay, half-decent.
<ajmitch> there are 1001 useful ones
<ajmitch> none decent
<lophyte> Burgwork: what's the news about UDS?
<Burgwork> uds?
<lophyte> MTV I mean
<Burgwork> need to look into my finances
<lophyte> I don't know if I'm comfortable with you sending me :P
<ajmitch> we'll help relieve you of your finances, that's fine
<lophyte> that's quite a bit of buck
<Burgwork> ajmitch: heh
* ajmitch looks into his bank account & cringes
* lophyte does the same
<Burgwork> mine is pretty bad too
<ajmitch> hopefully I get paid again before I get to the US
<Burgwork> just slightly less worse
<ajmitch> currently about $250NZD to last me until next payday
<ajmitch> yay for being poor :)
<lophyte> I have about $250CAD in my account
<lophyte> but that's /all/ i have
<Burgwork> how are you paying rent?
<ajmitch> unemployed?
<lophyte> that's what my girlfriend is for, Burgwork ;)
* ajmitch puts off rent...
<wasabi> How are ya'll poor? You have more skills than 95% of the populace.
<Burgwork> ok, here is a fun one
<ajmitch> of course this $250 is the $250 until I hit the overdraft &  credit card limit :)
<ajmitch> wasabi: sure, find me a job that pays
<wasabi> Odd.
<Burgwork> wasabi_: I am poor 'cause I choose to work for a Linux company and didn't want to move
<ajmitch> there just aren't many jobs in this field where I live
<wasabi> I get 4 job postings a day coming across my in box.
<wasabi> For ~100k
<wasabi> Ya'll should move to the US! =)
<ajmitch> lucky you - I wouldn't see that in a year :)
<lophyte> lol
<Burgwork> wasabi: lophyte is poor 'cause he doesn't know how much he is worth
<wasabi> Ahh.
<lophyte> hah, that's about right actually
<ajmitch> and I'm poor because I waste my life writing php ;)
<wasabi> I do C# and Windows. ;)
<Burgwork> thing is, I wasn't willing to sell my soul and work on Windows anymore
<lophyte> yeah, I don't think I am either
<lophyte> I'd /really/ prefer to work in a linux environment
<ajmitch> wasabi: you poor sod
<wasabi> I don't have a moral problem with technology. I have a technological problem.
<wasabi> Windows pisses me off.
<lophyte> I have both :P
<ajmitch> I have a windows box that I work on, but all the code runs on the debian server
<wasabi> Because it sucks in such obvious ways.
<wasabi> And there's no way to improve it.
<wasabi> And hence I believe money is to be made in superseding that.
<lophyte> Burgwork: did I ever tell you our plans for the Vista launch party in Toronto?
<Burgwork> no
<lophyte> bwahaha...
<lophyte> djp and I (and a gang of people probably) are going to be putting up his 12-foot inflatable Tux outside the party
<wasabi> The idea of a Vista release party confuses the shit out of me.
<Burgwork> heh
<Burgwork> hand out Ubuntu cds
<wasabi> People who had nothing to do with the actual development of it praising its launch?
<wasabi> That sounds like religion to me.
<lophyte> LOL
<lophyte> good call
<wasabi> If they'd worked to make a Linux distro, they can have a release party.
<lophyte> but then again, what do you call Edgy release parties?
<wasabi> Depends who's there. =)
<lophyte> true enough
<wasabi> Since so many people do actually contribute.
<wasabi> And have a personal stake in it.
<lophyte> good point
<ajmitch> most people who go to those ubuntu release parties have no involvement in contributing to development
<wasabi> Wonder if there's one around me.
<lophyte> djp is supposedly having one, but he wouldn't tell me the date
<lophyte> I bet it's tonight, and nobody showed up because it was a last minute thing
<ajmitch> I don't think we're planning any release party here in dunedin
* ajmitch doesn't really feel like attending one in any case
<lophyte> fyi, djp = a dude in toronto that owns the linuxcaffe
<cliebow_>  wasabi:call it community chuckle
<lophyte> Burgwork: yay for recruiting
<lophyte> I just saw Em3rald say he was from Edmonton in #ubuntu-offtopic, so I pointed him over to -ca ;)
<lophyte> brb, rebooting
<wasabi> Anybody know much about libdb?
<wasabi> berkeley db
<wasabi> http://www.macdevcenter.com/pub/a/mac/2003/12/09/active_directory.html  <--- Joining OS X to AD
<wasabi> ajmitch: You might be interested in their interfaces.
<ajmitch> seen it
<wasabi> k
<ajmitch> flatmate has a mac
<wasabi> ahh
<ajmitch> he works with some of this stuff at uni
<ajmitch> teaching fellow/sysadmin in telecommunications
<ajmitch> which is where I got into it
* ajmitch was helping him teach some of the network management stuff in the labs
<wasabi> Cool.
<wasabi> I'm wondering if Berkeley DB can be used properly readonly.
<lophyte> ugh.. xen networking...
<lophyte> I'm still lost.
<lophyte> anywho.. bbl.
<lophyte> time for TV
<robertj> stily me forgot to read my scrollback this morning :P
<robertj> well I'm a happy boy, my RAID is _finally_ rebuilding itself
<robertj> the RAID controller has internal ports only, so there is an inside-outside mounting bracket that goes where PCI cards normally go
<robertj> and apparently one of those ports is flaky enough to cause problems
<robertj> 48 hr rebuild time still sucks
<whiprush> anyone around?
<whiprush> Burgwork: ping
<Burgwork> whiprush: pong
<whiprush> Burgwork: were you working on an email list?
<whiprush> I just got a mail from that guy in Indiana doing edubuntu in schools
<whiprush> and he's very interested in discussion, etc.
<Burgwork> I have a half written email, but I fell asleep last night
<Burgwork> will do it today
<Burgwork> whiprush: can you followup with mdz about n-a?
<whiprush> ok, just wondering if that was on the drawing board.
<whiprush> Burgwork: will do when I finish this mail
<Burgwork> you writing to devel?
<whiprush> I was pinging him on irc
<whiprush> but I can do -devel
<Burgwork> no ping him
<whiprush> ok
<robertj_> btw, I'd note that the AD stuff posted for mac is no longer current and has been redone in 10.4
<robertj_> although I haven't looked at it
<Burgwork> ah
<whiprush> "Please give me your feedback. I believe Andrew Mitchell was working on this as a SoC project but was unable to finish it? I don't know his status at the moment, and will try to get in contact with him."
<Burgwork> whiprush: that is old
<whiprush> maybe we should do a quick status for mdz.
<whiprush> yeah
<whiprush> so has he looked at this yet then?
<Burgwork> well, as soon as that email to -devel goes out, they will know
<whiprush> ah
<whiprush> I hope that dude's school has the funds to send him out.
<whiprush> I was like "dude just come to mountain view."
<whiprush> Burgwork: One of our states (Indiana) is mandating linux desktops for all public schools
<Burgwork> ah
<whiprush> so guys like him are a big PR win too.
<Burgwork> I have heard of that
<Burgwork> whiprush: have you responded to the indiana guy
<whiprush> yep
<whiprush> just about 5 minutes ago
<Burgwork> perfect
<whiprush> filled him in on the new stuff, pointed to the specs, launchpad, etc.
<Burgwork> score
<robertj_> what does GPO stand for?
<robertj_> Group Policy Something?
<Burgwork> group policy object
<whiprush> object
<robertj_> from the way it's referred to you need...leprechauns? It seems to be a magical fix to problem X :)
<Burgwork> whiprush: n-a has been accepted
<Burgwork> https://features.launchpad.net/sprints/uds-mtv/+specs
<whiprush> Burgwork: you're the man on so many levels.
<Burgwork> I had nothing to do with it
<whiprush> I just felt like fanboing you for a little bit
<whiprush> roll with it
<Burgwork> right
<SimonAnibal> Howdy
<whiprush> hi SimonAnibal!
<SimonAnibal> Hello Jorge
<whiprush> Burgwork: this is Simon from Indiana like I was talking about.
<Burgwork> hey SimonAnibal
<whiprush> SimonAnibal: meet Corey Burger.
<whiprush> and robertj_
<SimonAnibal> just got your e-mail
<whiprush> and the rest. :D
<SimonAnibal> and I'm glad someone else is doing all the hard work :-D
<robertj_> Howdy SimonAnibal
<SimonAnibal> Howdy all
<Burgwork> well, we also need testers
<robertj_> SimonAnibal: what's your background? Are you rolling Ubuntu at a school, multiple schools, etc?
<SimonAnibal> High School here in Indiana
<SimonAnibal> One school
<SimonAnibal> 9 Classrooms
<SimonAnibal> 279 workstations
<Burgwork> SimonAnibal: what do you do for auto updating?
<SimonAnibal> ONE RING!
<robertj_> Excellent
<SimonAnibal> sorry
<SimonAnibal> that was overly geeky
<SimonAnibal> *fidgets nervously* I've not been doing updates this year
<SimonAnibal> Last year I used Ghost, but this year I've just not had time
<Burgwork> ah, ok
<SimonAnibal> I literally scorched earth and re-imaged every workstation about once a week to keep them up to date
<Burgwork> you might want to take a peek at the UbuntuSUS stuff
<whiprush> indeed
<SimonAnibal> So, this is the part where I'm supposed to say: "UbuntuSUS?"
<Burgwork> https://features.launchpad.net/distros/ubuntu/+spec/ubuntu-update-server
<Burgwork> does that meet your needs?
<Burgwork> code doesn't exist yet, just a spec
<Burgwork> but lophyte here is going to be working on it
<SimonAnibal> wow
<SimonAnibal> yes, meets the need
<SimonAnibal> or at least a need
<whiprush> Yep.
<whiprush> It's no secret that there's tons of stuff we need.
<whiprush> SimonAnibal: since last we talked I've learned that Novell will be putting resources in sabayon and pessulus development.
<SimonAnibal> So, my concerns are: Updates (just addressed), Active Directory integration, Desktop management and lockdown (Sabayon and Pessulus?)
<SimonAnibal> AD would be Kerberos and LDAP (maybe something else?)
<whiprush> you got it
<SimonAnibal> So
<SimonAnibal> boy I'm glad you guys have a freenode channel
<whiprush> Burgwork: was lophyte looking at the existing nwu code or doing something else?
<SimonAnibal> So, basics - how do launchpad teams "work"?
<SimonAnibal> I've got a launchpad account, and I wanna join
<SimonAnibal> And unfortunately I don't think my high school will fly me out to California
<SimonAnibal> ack!
<SimonAnibal> Firefox died and I'm using ChatZilla
<SimonAnibal> So, who else here is in an aggressively homogenous Microsoft shop?
<Burgwork> whiprush: new stuff
<Burgwork> nwu solves a different issue
<Burgwork> SimonAnibal: I work and sell Linux
<Burgwork> work with, rather
<SimonAnibal> Before the Indiana ACCESS program our network was about 100% Microsoft
<Burgwork> ah, wow
<SimonAnibal> though they do use Linux on some servers downtown
<Burgwork> SimonAnibal: did you figure out LP
<Burgwork> ?
<SimonAnibal> Anyhow, our corporate tech support structure was not happy about 300 new Linux boxes
<Burgwork> heh
<Burgwork> especially with 3 different distros across several schools
<SimonAnibal> You're speaking from a state perspective, yes, 3 different distros across several schools
<SimonAnibal> our school is the only one in our corporation that runs Linux
<SimonAnibal> and our Linux is homogenously Ubuntu
<SimonAnibal> Re: LP, I'm looking for a button called "Join", but I see such a thing does not exist
<SimonAnibal> or I am blind
<SimonAnibal> Anyhow, our corporate IS people said flat out "We will not support this, you are on your own"
<SimonAnibal> "We only support Windows XP"
<SimonAnibal> I found out recently that they've been moving since XP came out towards a 100% Windows XP deployment, so as to operate Active Directory in "native mode", whatever that is. So it seems they're pretty irritated to have 300 Linux workstations dumped in the middle of their plans
<Burgwork> to join an Ubuntu machine to add currently takes work
<Burgwork> ajmitch is working on making that easier, as easy as windows
<Burgwork> s/add/AD/
<SimonAnibal> Yeah, and I'm grateful for that
<SimonAnibal> But they're not concerned about how much work it's going to take
<SimonAnibal> They're not doing any of the work
<Burgwork> yep
<SimonAnibal> And with that in mind, they still want to get rid of everything non-Microsoft
<SimonAnibal> I've heard they're thinking of segregating all the Linux workstations in their own subnet
<Burgwork> that is crack
<Burgwork> and very MS-thinking
<SimonAnibal> and cut it off completely from the Microsoft network
<SimonAnibal> yeah, so I figure if I can demonstrate that they'll play nice, I can punch holes in their logic
<SimonAnibal> My question is, is there some benefit (from their point of view) to having a 100% MS network?
<SimonAnibal> Does anybody in here know?
<SimonAnibal> (I mean in the context of they're not being asked to support any non-MS clients)
<Burgwork> yes, head-in-the-sand-thinking
<Burgwork> I used to work for such a company
<SimonAnibal> that's not really a benefit, I'm looking for something more concrete like "it's easier to manage the network with AD in 'native mode'"
<Burgwork> no, it isn't
<SimonAnibal> Ok, I give up, how do I join a Launchpad Team?
<Burgwork> at least, as of server 2k it wasn't
<Burgwork> go to our LP team page
<Burgwork> click join
<SimonAnibal> :-/ the only instance of "join" is in "Membership policy:  Open Team. Any user can join and no approval is required. "
<SimonAnibal> Ah, there I see it
<SimonAnibal> strange
<SimonAnibal> I get it, I was at https://features.launchpad.net/people/ubuntu-directory
<wasabi_> hi
<Burgwork> hey wasabi_
<SimonAnibal> I was just listening to Chris DiBona's podcast with Jeremy from Samba. I'm addicted to podcasts recently
<wasabi_> I see a lot of discussion.
<wasabi_> What was all that about? Somebody distill it. ;)
<Burgwork> SimonAnibal here has 250+ ubuntu workstations in an indiana school
<Burgwork> he wants to be able to link them with AD
<wasabi_> Fun.
<SimonAnibal> Well, NEED is more accurate
<wasabi_> Heh.
<Burgwork> he also was drooling over the update server
<SimonAnibal> I don't particularly WANT to deal with this
<SimonAnibal> nodnod
<SimonAnibal> And Sabayon
<wasabi_> Well, it can be done, but it'll take a lot of knowledge on your part right now.
<wasabi_> Are you up for it? :)
<Burgwork> SimonAnibal: the other piece you need is http://live.gnome.org/Glocke
<SimonAnibal> This page does not exist yet. You can create a new empty page, or use one of the page templates. Before creating the page, please check if a similar page already exists.
<SimonAnibal> did you mean http://live.gnome.org/Glockenspiel?
<Burgwork> yes
<SimonAnibal> I'm checking it out
<SimonAnibal> So, lots of great concepts
<SimonAnibal> what can I do to help them become real products?
<Burgwork> help federico with real world use cases
<SimonAnibal> I'm inexperienced but willing
<SimonAnibal> and I gotta go run TVs around the school now, bbiab
<whiprush> mixed mode is when you support NT4 workstations on an AD
<whiprush> which disables some features for AD.
<whiprush> going native means you don't have to deal with them
<wasabi_> Believe it also means LanMan hashes are not generated.
<ajmitch> morning
<wasabi_> Oh yes, in mixed mode the DC runs the services necessary for an NT4 BDC to pull from.
<whiprush> I run all native and my ubuntu machines work fine
<wasabi_> Ayup.
<whiprush> his windows guys probably think that they have to run in nt4 mode to support the linux machines.
<wasabi_> The Linux machines can participate as fully secured AD members.
<wasabi_> Including Kerberos authentication and LDAP access using Kerberos.
<whiprush> yep
<wasabi_> They will appear in AD as computer accounts, just like Windows.
<wasabi_> And they will need their own tickets to even be able to talk to windows services.
<whiprush> yep, they show up in the AD management tools
<wasabi_> Obviously GPO doesn't work with them.
<robertj_> SimonAnibal: pretty much the only advantage from a networking perspective is that you could, with appropriate hardware, require anti-virus & firewall stuff before even getting routed to the outside world
<robertj_> SimonAnibal: but _nobody_ I know is actually using that stuff thankfully
<ajmitch> robertj_: sadly I do
<ajmitch> robertj_: small businesses using the ISA firewall client - makes it hard to get a linux box on the network
<SimonAnibal> This has been incredibly informative
<SimonAnibal> I'm passing this information along to my boss for his perusal
<whiprush> SimonAnibal: idle around for a while, wait until wasabi and ajmitch REALLY get going
<SimonAnibal> And all I had to do was go push some TVs around
<SimonAnibal> I'm actually now done with my work day
<ajmitch> whiprush: haha
<whiprush> SimonAnibal: do you talk with your counterparts in the other districts?
<SimonAnibal> Well, I'm going to be representing Canonical at the next CINLUG meeting where I expect some of my counterparts will be
<robertj_> wasabi: so is the plan to implement a subset of GPO where applicable or to come up with a full alternative?
<whiprush> excellent.
<SimonAnibal> but normal not
<SimonAnibal> normally
<SimonAnibal> I'll be promoting the ubuntu-education community mainly
<whiprush> sweet
<whiprush> maybe they'll be impressed with where we're going and climb aboard.
<whiprush> SimonAnibal: work is sending me to the conference because we need this too.
<whiprush> so you can ring the "academic alliance" bell a few times, heh.
<SimonAnibal> I hope I can convert some
<SimonAnibal> hm?
<whiprush> "There are other schools doing this too ..."
<whiprush> to convince management, etc.
<SimonAnibal> Ah!
<SimonAnibal> of course
<SimonAnibal> I want to relate the Ubuntu creation story
<whiprush> I whip out that Trump card all the time.
<SimonAnibal> I think it's a good story/intriguing introduction
<whiprush> "Hey, U of M is doing this, we don't want to be left behind." etc.
<SimonAnibal> Well, the main pain with that is that I'd be luring them from Novell, who as far as I know have this directory stuff pretty much down
<SimonAnibal> :-/
<whiprush> oh.
<whiprush> luckily we're friends with them
<SimonAnibal> So I'm going for the community angle
<whiprush> there's lots of things to learn from each deployment
<SimonAnibal> nodnod, I don't want to HURT Novell, but I do want to score converts for Ubuntu
<whiprush> heh
<SimonAnibal> weird situation
<SimonAnibal> I'd rather win converts from people who don't know Linux yet, so we can spread our user base without hurting the other projects out there
<whiprush> yep
<SimonAnibal> I admire what Novell and Red Hat have done for the community
<SimonAnibal> I just think Ubuntu is the next logical evolutionary step.
<whiprush> a guy from Novell will be at our spec braindumps, heh
<SimonAnibal> Jeremy?
<whiprush> yeah
<SimonAnibal> I was just saying I was listening to him on FLOSS Weekly
<whiprush> he's good people, we should have a great time.
<SimonAnibal> awesome
<SimonAnibal> Too bad there's no money to support the project
<SimonAnibal> It's all deployment money and teacher professional development money
<whiprush> he
<whiprush> heh
<SimonAnibal> So I doubt I'll ever get them to foot my bill for anything
<SimonAnibal> I went to Ohio LinuxFest on my own dime
<whiprush> that's ok, with all of us together we all have something to contribute
<SimonAnibal> One day, I'll be making a living on this stuff
<whiprush> yeah, I have it pretty good, surrounded by linux.
<whiprush> a little bit of windows stuff
<whiprush> but that's always nice to know to keep the skills up
<SimonAnibal> I get paid $8/hr, 7hrs/day, 35 hrs/wk, 180 days/yr.
<SimonAnibal> Which, frankly, sucks...I love the work, don't get me wrong
<SimonAnibal> I feel like a fish in water
<whiprush> heh, I took a pay cut to work at this U just to work on linux.
<Burgwork> I took a pay cut to sell Linux
<whiprush> but, if you factor in the costs of going back to school, I come out ahead.
<whiprush> plus I don't deal with shit like Outlook anymore
<whiprush> this makes me a happy camper
<SimonAnibal> I just started working with all this stuff on top of my other responsibilities
<SimonAnibal> So I provide 100% of the support on almost 300 computers on top of my job...and now I've put myself in the position where if I leave I feel this program will come to a grinding halt
<ajmitch> you people get *paid* for this? ;)
<SimonAnibal> which makes me feel bad thinking about moving on to a different job
<SimonAnibal> cause I'm really invested in this community and this project, personally
<whiprush> hardcore.
<SimonAnibal> but, you know, I've got my whole life ahead of me
<SimonAnibal> and $10,000 a year isn't going to cover any of my hopes and dreams
<whiprush> how old are you?
<SimonAnibal> I only survive by living with my mom (cramped house, my fiancee and I, my mom, my much older brother, and our 4 furry children)
<SimonAnibal> I'm 23
<whiprush> dang, it's like hispanic Full House
<SimonAnibal> And, to add insult to injury, I don't have a computer to play with at home
<robertj_> Umm, leave em
<SimonAnibal> *lol* Actually I'm the only Hispanic in the house
<robertj_> go find a better job
<SimonAnibal> yeah, I know that's the logical conclusion
<robertj_> let them go back to pirating windows and go work somewhere decent
<whiprush> It took me 10 years to find a linux-related job, I'm going to retire here if I can get away with it, heh.
<SimonAnibal> I've bitched to my bosses about it, though, and pointed out all the responsibilities I've taken on on the off chance that the corporate machinery could be moved to realize they need me enough to pay me what I'm worth
<SimonAnibal> I believe in Ubuntu, and I believe in education
<SimonAnibal> If I didn't have to worry about money, THIS is what I'd be doing as a hobby to pass the time
<SimonAnibal> you know?
<SimonAnibal> it's hard to walk away from that
<robertj_> SimonAnibal: tell them you need a raise, can't afford to live, and are taking time off to look at your options
<SimonAnibal> only to go to a job that I hate where I make decent money
<whiprush> the project is pretty high-visibility Linux-deployment wise
<whiprush> who knows, maybe someone will come looking for him when it's done.
<Burgwork> yep
<robertj_> whiprush: "done"?
<whiprush> heh, good point.
<SimonAnibal> That's another hope I have, that this experience and visibility will be worth something in the long run
<SimonAnibal> well, worth something tangible
<whiprush> I got some job offers at linuxworld and i don't do /shit/ but blog about ubuntu.
<whiprush> So there's definitely a need out there for people like us
<SimonAnibal> I think what I'm doing should be worth something to someone. I mean why is our military so well-funded when we're churning out illiterate high school graduates and cutting back the education budget?
<robertj_> SimonAnibal: $7.50 is chump change in the states
<SimonAnibal> it is
<whiprush> yeah, we pay our student-employees like, 9 bucks
<SimonAnibal> which makes me a chump
<robertj_> SimonAnibal: Dude, the principal at your school is probably pulling down $100-150k
<robertj_> whiprush: some of my lab workers get paid 10
<SimonAnibal> Well, he's a brand new principal, so he'd be a little lower than that, but your point is valid
<ajmitch> whiprush: yeah, I should so start blogging about this :)
<SimonAnibal> my boss directly over me makes at least 4 or 5 times as much as I do
<ajmitch> throw up a few screenshots, etc :)
<robertj_> whiprush: the issue is not that there isn't enough money in the game, it's that someone is getting to it before you are. And if there is a 2x increase in funding you will see a cost-of-living increase and they will fatten their take, that's how it works everywhere
<robertj_> SimonAnibal: what's your boss's name?
<whiprush> ya
<SimonAnibal> My direct boss?
<SimonAnibal> Steve
<whiprush> ajmitch: yeah dude ... publicity always gets people involved, etc.
<robertj_> the head honcho at the school
<robertj_> first & last, I can look it up & let you know
<SimonAnibal> Jeff Henderson
<SimonAnibal> Jeffry, actually
<ajmitch> whiprush: then dholbach can stop nagging me to get on the planet
<whiprush> Look at Burgwork, he's a sales weeny and already has an Ubuntu book under his belt.
<whiprush> ajmitch: heh. You know you can add yourself to planet right?
* Burgwork smacks whiprush
<SimonAnibal> Oh, THAT Corey Burger
<SimonAnibal> heh, I have a copy of the book right here
<whiprush> see?
<Burgwork> the one and same
<whiprush> famous.
<ajmitch> SimonAnibal: yeah, the infamous one
<SimonAnibal> I got it for getting the Ohio LinuxFest organizer a drink
<ajmitch> whiprush: I know I can add myself to planet - I need some content first
<robertj_> ajmitch: is he new to Indiana? He doesn't seem to be listed here
<robertj_> err SimonAnibal, not ajmitch, sorry
<whiprush> ajmitch: blog about this stuff.
<ajmitch> :)
<SimonAnibal> and I got Ubuntu hacks for just saying I'd invite my bosses for next year
<ajmitch> whiprush: I will
<whiprush> it'll get more interest
<whiprush> more attention, etc. etc.
<SimonAnibal> This is his first year as a principal
<SimonAnibal> I think
<SimonAnibal> maybe last...
<SimonAnibal> Last it was
<ajmitch> for the sake of the project
<robertj_> SimonAnibal: hehe, what's Steve's last name then?
<robertj_> http://www2.indystar.com/state_salaries/ <-- take a peek for yourself
<lophyte-> anyone around?
<SimonAnibal> Cole
<Burgwork> robertj_: we are trying to make him not leave his job, not make him more depressed about how little he gets paid
<lophyte-> hey Burgwork
<SimonAnibal> He's not there either
<Burgwork> hey lophyte
<whiprush> hi lophyte-
<lophyte-> hey whiprush
<lophyte-> I'm working on the uus spec.. and i've run into something that doesn't make sense..
<SimonAnibal> No one I know here is on that list
<whiprush> lophyte-: ok
<lophyte-> why would we download Packages.gz/Releases from the dapper/edgy repo if those packages are frozen on release?
<ajmitch> ok, back later
<lophyte-> for an update server, it would never need to access the main repo... only -updates and -security
<whiprush> I agree
<lophyte-> also, storing all this information in the filesystem seems kinda disorganized.. but I don't know if it's worthwhile to use mysql or postgre
<whiprush> how about something like sqlite?
<lophyte-> the uus server would need to keep track of a) updates available upstream, b) which updates are required by which clients, and c) which packages are installed on which clients
<lophyte-> and tracking that via files is messy imo
<lophyte-> if that info was stored in a db it'd be so much easier for comparison/storage/retrieval
<robertj_> lophyte-: are you doing the implementation?
<whiprush> sqlite seems appropriate for this
<lophyte-> robertj_, yes
<lophyte-> robertj_, I'm working on the spec right now though
<lophyte-> whiprush, I'll look into that
<robertj_> lophyte-: were you here for my suggestion that it be in twisted w/ xmlrpc?
<lophyte-> I remember you briefly mentioning xmlrpc, but thats about it
<lophyte-> care to elaborate?
<robertj_> lophyte-: and that the web client would also communicate over xmlrpc & not use apache
<robertj_> but include derive from the twisted HTTPServer class
<SimonAnibal> Alright, and as you move to a higher plane in the conversation I have important personal business to attend to (including, but not limited to, getting the hell out of here)
<whiprush> I wonder what pup does (the fedora one)
* whiprush looks
<SimonAnibal> sruiz@mccsc.edu - http://indianalinux.blogspot.com if you wanna get ahold of me
<SimonAnibal> I'm on the Launchpad team now, and I plan to start idling here when I'm on
<SimonAnibal> So I'll see you all around
<whiprush> cool
<lophyte-> see ya
<whiprush> thanks for dropping by
<SimonAnibal> Thanks for clueing me in
<whiprush> <3
<SimonAnibal> Por curiosidad, me puedes entender en este idioma?
<whiprush> <-- doesn't speak spamish
<whiprush> spanish either.
<lophyte-> <-- doesn't either
<lophyte-> spamish, hehe
<SimonAnibal> yeah, just checking
<SimonAnibal> I said "Out of curiosity, can you understand me in this language?"
<Burgwork> whiprush: pup is our update-manager
<SimonAnibal> now for real
<lophyte-> Burgwork, FSOSS sucked, btw
<Burgwork> lophyte: is it done already?
<whiprush> Burgwork: yeah I see that, I'm looking for whatever they replaced up2date with
<lophyte-> nope, i left early because i didn't pay for registration and didn't wanna keep sneaking into talks :P
<whiprush> for the RHN integration thing
<lophyte-> the other guys were more interested in attending the seminars
<whiprush> lophyte-: dang.
<lophyte-> there weren't any other tables.. it was just kinda awkward
<lophyte-> I snuck into an interesting seminar on marketing foss though
<lophyte-> it was really interesting
<lophyte-> but anywho... back to uus
<lophyte-> i think it would make sense to store package and tracking info in a db...
<lophyte-> when the client-side update checker is triggered, it checks whether or not it has reported its package list to the server.. if not, it sends a full package list, and the server stores it in a db
<lophyte-> when updates are made.. the client machine makes a copy of dpkg.log, updates, and diffs the two dpkg logs and pushes the diff to the server
<lophyte-> the server takes the diff, analyzes it and updates its tracking info as necessary
<whiprush> "rhnsd" is the Red Hat Network Daemon. Every other hour, it sends a request to Red Hat Network asking for any notifications or updates and works in coordination with Red Hat Network to schedule automated tasks. It sends information to Red Hat Network only requested by you. If you add a new system using the Red Hat Network web interface, the next time the Red Hat Network Daemon probes Red Hat Network it receives a request to return the inform
<Burgwork> can we build our client side stuff into update-manager?
<lophyte-> that's what I was planning
<Burgwork> in that case, you need to talk to mvo
<lophyte-> how do I go about that?
<Burgwork> write up the client side code changes
<Burgwork> then run them past him
<lophyte-> alright
<lophyte-> how would the update-manager discover if there's a uus server?
<Burgwork> need to be configured
<Burgwork> told an IP addy, I think
<lophyte-> hmm..
<lophyte-> well the uus server info would be in sources.list..
<Burgwork> yep
<lophyte-> perhaps it could check the repos for a certain file, to see if its a uus repo
<Burgwork> we have no way of knowing what is an uus repo
<Burgwork> better to explicitly mark it
<Burgwork> after all, uus is likely going to be used in conjunction with kickstart or something similar
<lophyte-> hmm..
<lophyte-> i'm wondering how we'd mark it
<Burgwork> something in an update-manager.conf
<lophyte-> ah
<Burgwork> useuss = yes
<Burgwork> serverIP = 192.168.1.80
<lophyte-> good call
<lophyte-> update-manager is python, isn't it?
<Burgwork> yep
<Burgwork> http://packages.ubuntu.com/cgi-bin/search_contents.pl?searchmode=filelist&word=update-manager&version=edgy&arch=all
<Burgwork> currently it has conf file
<Burgwork> it has no, rather
<Burgwork> except gconf
<lophyte-> could be stored in gconf..
<lophyte-> a gconf key for uus
<Burgwork> see what mvo says
<lophyte-> i'm gonna look into using sqlite for storing package and update tracking data on the server side
<Burgwork> cool
<Burgwork> it rocks how you are just digging in
<lophyte-> I've been kicking around the whole directory services idea on my own for a while.. I was excited to find out there's already a team working on it ;)
<wasabi_> There is an update-manager config file?
<wasabi_> I thought it just pulled from apt?
<lophyte-> no, there isn't
<lophyte-> just gconf
<lophyte-> btw Burgwork, I delivered the remaining case badges to djp.. i'm at the caffe right now
<Burgwork> lophyte-: cool. How many did you have?
<Burgwork> wasabi_: it uses the sources.list and sources.list.d
<lophyte-> I think I gave him 60 or so
<lophyte-> handed out some this morning at fsoss
<Burgwork> so you gave out 40 or so?
<lophyte-> yeah, about that
<lophyte-> also..
<lophyte-> update-notifier is what we'd need to modify
<lophyte-> not update-manager
<wasabi_> Yeah, SQL lite was what I expected to be used.
<Burgwork> update-notifier is a generic method of notifying on changes
<wasabi_> Some simple db storage thing.
<wasabi_> update-manager is the part that runs as root though isn't it?
<Burgwork> update-manager is the piece that actually does the update
<wasabi_> And pulls from apt I assume.
<Burgwork> http://packages.ubuntu.com/edgy/gnome/update-notifier
<Burgwork> but notifier is the daemon that runs constantly
<lophyte-> notifier launches manager?
<Burgwork> notifier puts the thing in the notification area
<wasabi_> Looks like /etc/cron.daily/apt is the thing that is scheduled to pull updates.
<Burgwork> manager is launched by the user
<wasabi_> And thus, the thing that should push package info.
<lophyte-> wasabi, on the client side, right?
<wasabi_> Yes.
<lophyte-> alright
<lophyte-> so there's the key
<Burgwork> that runs 24 times a day, you realize that?
<lophyte-> should only be once a day if its in cron.daily
<Burgwork> hmm
<lophyte-> wasabi, you're right.. that's what we'll need to modify
<wasabi_> yeah, it looks like it runs 24 times, but only does something every now and then.
<lophyte->  /etc/cron.daily/apt should push its package list to the uus server
<wasabi_> If that server is UUS.
<wasabi_> Or otherwise it is told to do so.
<lophyte-> say what?
<wasabi_> Well, you want it to simply report packages to "the apt servers", which may or may not be UUS.
<lophyte-> you mean you don't want it to do that
<wasabi_> Report packages to archive.ubuntu.com
<wasabi_> It does not need to do that. ;0
<lophyte-> right
<lophyte-> hmm..
<wasabi_> Also, it shouldn't report packages to any random line in apt.sources, only ones marked as trusted in some way.
<lophyte-> well, that's what we tossed around earlier..
<lophyte-> having a gconf key or a config file specify the uus server
<lophyte-> and have the script use that
<wasabi_> gconf won't work, since this doesn't happen as a user.
<lophyte-> alright, so then a config file..
<wasabi_> I'd say a companion file to apt.soruces is fine.
<wasabi_> sources.list i mean
<wasabi_> Unless apt provides a built in way to attach metadata to specific servers.
<wasabi_> Which it might, I remember there being special syntax back in the pre apt-key days
<lophyte-> hmm..
<lophyte-> I'll have to look into that
<lophyte-> what's the wiki page for edgy release parties?
<Burgwork> EdgyReleaseParties
<lophyte-> thanks
<Burgwork> lophyte-: for comparison
<Burgwork> http://www.mat.univie.ac.at/~gerald/ftp/autoupdate/
<Burgwork> perl, but might have some interesting ideas
<Burgwork> lophyte-: just to let you know, time is ticking on the -ca approval process, to get edgy cds
<lophyte-> I wanted to talk to you about what to put on the application
<Burgwork> for the stuff we have done
<Burgwork> lophyte-: you are not in -ca
<Burgwork> lets move there
<lophyte-> alright, so we've got this apt cronjob that checks for updates.. it can also push its package list to the uus server if there is one..
<lophyte-> i imagine it simply does apt-get update..
<lophyte-> and then update-notifier checks the package cache to see if there's a new version available
<lophyte-> and notifies you
<lophyte-> which then launches update-manager to do the actual update
<lophyte-> so update-manager would need to be modified to push the update results back to the server, so uus can keep track of which updates are installed on which clients
<lophyte-> wasabi_, I wonder if we could create an apt-config entry for UUS-specific variables
<lophyte-> ie. whether or not it's enabled, and the IP/address of the server
<wasabi_> Why do ya need IP address of server?
<wasabi_> Create a convention underneath an apt repository.
<wasabi_> just like dists, pool, etc.
<wasabi_> "Data shall be reported in this schema posted to $repos/post"
<wasabi_> etc
<lophyte-> yeah, but we need to differentiate between archive.ubuntu.org and a local uus server
<Burgwork> for the actual updates, yes
<Burgwork> but the passing for the sources.list info, we need another method
<Burgwork> and the dpkg -l stuff
<lophyte-> we need another method of determining the uus server for package list pushing
<lophyte-> apt-config might work..
<Burgwork> apt-config?
<wasabi_> Well, you don't want to determine a single server.
<wasabi_> Since there may actually be multiple.
<wasabi_> Just push to each apt source, if it's marked as pushable.
<Burgwork> pushable?
<lophyte-> marked how?
<wasabi_> I dunno. "this apt source is ok!"
<wasabi_> In apt-config if it fits there.
<lophyte-> that's what i said :P
<Burgwork> but there are two issues here
<lophyte-> which are?
<Burgwork> the actual updates, which is easy
<Burgwork> and the backchannel data transfer
<wasabi_> for source in `cat sources.list`; if source is marked as ok; push; end; done
<Burgwork> the actual updates is simply hacking the sources.list
<lophyte-> how is it marked in sources.list, though
<Burgwork> but for passing the sources.list and dpkg -l information, we need another method
<lophyte-> well, passing sources.list to the clients is done via the unnamed configuration deployment system
<Burgwork> are we going to be passing the sources.list back?
<Burgwork> I don't us doing that
<lophyte-> not that I planned, no
<lophyte-> just dpkg -l
<Burgwork> yep
<lophyte-> and dpkg.log diffs
<Burgwork> we need to pass the sources.list to the server
<lophyte-> dpkg -l gets pushed once.. and dpkg.log diffs get pushed on every update
<lophyte-> why?
<Burgwork> to check whether or not the list is correct
<lophyte-> hm.. good call
<Burgwork> then the server would say "this is correct"
<lophyte-> or should that be up to the config system?
<Burgwork> for now, just notifying is what we will do
<Burgwork> ie server says to admin "you have a problem with this computer"
<lophyte-> but sources.list isn't going to be handled by uus..
<Burgwork> no, it is not
<lophyte-> but uus should verify it?
<Burgwork> yes
<Burgwork> because that is simple
<lophyte-> yeah, i suppose, as an extra security precaution
<Burgwork> yep
<lophyte-> but the question is again.. how do we mark a specific sources.list entry as pushable/uus?
<Burgwork> so there are two error conditions the server notifies the admin of
<Burgwork> we assume the admin is controlling the entire sources.list
<Burgwork> assuming we have a uss=yes set somewhere
<Burgwork> actually, we don't need to set an IP, just a flag
<Burgwork> as we have the IP
<Burgwork> via the sources.list
<lophyte-> yup
<lophyte-> we just need something that flags a specific entry as a uus server
<Burgwork> no we don't
<lophyte-> ?
<Burgwork> oh, hmm, we do
<lophyte-> we need to differentiate between a regular apt repo and a uus server
<Burgwork> because you might have mixed sources
<lophyte-> yu[
<lophyte-> yup
<Burgwork> then I think we need an IP field
<lophyte-> outside of sources.list?
<Burgwork> yes, where the flag is
<lophyte-> apt-config
<lophyte-> perhaps
<wasabi_> Not an ip. Just a source path.
<Burgwork> that field should be able to take several IP addys, to handle wasabi_'s use case of several update servers
<wasabi_> Just a copy of whatever is in apt sources.
<Burgwork> no, no
<Burgwork> this is for the primary server to contact with config stuff
<wasabi_> That way it's a simple "does this == that"
<Burgwork> this is completely separate from apt
<wasabi_> Not really.
<Burgwork> yes it is
<wasabi_> My UUS might be on a different box.
<wasabi_> My WSUS sure is.
<Burgwork> the update-notifier takes this IP and passes the dpkg -l and sources.list to this box
<lophyte-> yup
<wasabi_> I don't like that at all.
<Burgwork> then apt, which is a separate system, updates the system based on the sources.list
<wasabi_> Just post it to the HTTP URL in sources.list
<lophyte-> but then you're posting to apt rpeos
<lophyte-> repos*
<wasabi_> So?
<Burgwork> that is crack
<wasabi_> You're posting to a known URL under an apt repos.
<Burgwork> we also have the issue that it should work without changing apt
<wasabi_> In the same way we "know binary-arch"
<wasabi_> or "release.gz"
<wasabi_> or "Packages.gz"
<lophyte-> we don't need people trying to post their dpkg -l to archive.ubuntu.org
<wasabi_> Nothing is changing apt.
<wasabi_> lophyte-: Hence the mark.
<Burgwork> if you add stuff to sources.list, you need to change apt
<lophyte-> what mark?
<wasabi_> Didn't say we were.
<wasabi_> A mark in apt-config.
<wasabi_> "this sources.list line is postable!"
<lophyte-> that's what I said :P
<Burgwork> then we need to change apt
<wasabi_> Not IP.
<wasabi_> Sources.list line.
<Burgwork> which sucks
<wasabi_> No we don't.
<wasabi_> Heh.
<Burgwork> I am totally lost
<lophyte-> use apt-config
<Burgwork> where is the config stored? on the server?
<wasabi_> apt-config certainly has the ability to stick some sort of string into it someplace.
<lophyte-> yeah
<wasabi_> In fact, check out apt.conf.d
<lophyte-> apt-config -o UUS::ServerIP='172.16.0.1'
<wasabi_> There's stuff in there for Unattended-Upgrade
<Burgwork> hmm, ah
<wasabi_> Read 50unattended-upgrades
<Burgwork> I see
<wasabi_> model after that
<Burgwork> perfect
<wasabi_> UUS::Allowed-Servers { "http://server.com/whatever" ; "next line"; }
<wasabi_> ;
<lophyte-> sounds good
<wasabi_> Simple for each line in sources.list, if it == a line in Allowed-Servers, you're good.
<Burgwork> what parses apt.conf?
<wasabi_> At some point, maybe that can change to be key based or something.
<wasabi_> For now that is good.
<lophyte-> that sounds good
<Burgwork> wait a sec
<Burgwork> are we talking checking whether or not you should update from a server or whether or not you should pass data to that server
<Burgwork> ?
<lophyte-> whether or not you should pass data
<Burgwork> right
<Burgwork> wasabi_: is that what you were thinking?
<lophyte-> we're trying to determine whether or not a sources.list entry is pushable
<lophyte-> i should probably head home
<wasabi_> Whether you should post data to it.
<Burgwork> ok
<wasabi_> Whether or not you should update is something else.
<lophyte-> apt-config sounds like the best method
<Burgwork> in that case UUS::Config-Servers { "http://server.com/whatever" ; "next line"; }
<wasabi_> Which actually, seems to be in 50unattended-upgrades
<Burgwork> that is better
<wasabi_> // allowed (origin, archive) pairs
<wasabi_> Unattended-Upgrade::Allowed-Origins {
<wasabi_>         "Ubuntu edgy-security";
<wasabi_> //      "Ubuntu edgy-updates";
<wasabi_> };
<Burgwork> does this require apt changes?
<lophyte-> no
<lophyte-> all we need to modify is /etc/cron.daily/apt to push the dpkg -l
<wasabi_> We would use Allowed-Origins too
<lophyte-> and update-manager to push the dpkg.log diffs
<wasabi_> Since it looks like unattended-upgrades already handles this
<lophyte-> yea
<wasabi_> we would configure which servers you can POST to, and they would configure which ones get pulled from automatically.
<lophyte-> yeah, right
<lophyte-> okay, that sounds good
<wasabi_> So you can do those independently, or in conjunction.
<wasabi_> Allowed-Origins is interesting.
<Burgwork> but that is drifting into configuration issues
<wasabi_> Since it's Origins.
<wasabi_> yup
<Burgwork> which is a little bit beyond this spec
<lophyte-> yeah
<Burgwork> for now, the server should do some parsing and notify the admin if something is amiss
<lophyte-> well, milestone 1 is getting the basic framework to function
<lophyte-> pushing dpkg -l, dpkg.log diffs, approving packages, etc.
<Burgwork> as soon as you have code, I want to test it
<lophyte-> alright
<lophyte-> well I'm still working on the spec.. I'll probably start coding next week
<Burgwork> cool
<lophyte-> I wanna make sure all the methodology is planned out before I write code
<Burgwork> make certain you get some of the core dev team to look at it
<lophyte-> that way I don't trip over my own feet half way through
<Burgwork> include mvo, infinity and keybuk
<lophyte-> look at the spec?
<lophyte-> or the code?
<Burgwork> the spec
<lophyte-> alright
<Burgwork> after all, we want this in main
<lophyte-> well once I have it finished I'll pass it around
<Burgwork> oh, pitti too
<lophyte-> will have to meet these folks.. never spoke to them before
<Burgwork> pitti does security, keybuk and mvo are apt people and infinity does servers
<lophyte-> alright
<lophyte-> well once the spec is looking good, I'll pass it around
<Burgwork> pitti is Martin Pitt, keybuk is Scott James Remnant, mvo is Michael Vogt, and infinity is Adam Conrad
<wasabi_> // never update the packages in this list
<wasabi_> Unattended-Upgrade::Package-Blacklist {
<wasabi_> //      "vim";
<wasabi_> Heh.
<lophyte-> haha
<wasabi_> I suspect we fit into this file.
<wasabi_> Maybe to the point where your client code becomes part of it
<wasabi_> And your client portions are actually part of Unattended-Upgrade
<lophyte-> wasabi, agreed
<lophyte-> I'll look through the apt-config stuff when i get home
<lophyte-> anywho.. i'm out before i have to pay more for this laptop
<wasabi_> Actually, now that I'm in this file, my ideas have been altered
<lophyte-> yay rentals
<lophyte-> haha
<lophyte-> well.. leave the discussion for later ;)
<Burgwork> lophyte-: you rent a laptop?
<wasabi_> Unattended-Upgrade::Trusted-Post-Keys { "apt-key name"; };
<lophyte-> Burgwork, linuxcaffe rents them for $2/hr
<Burgwork> ah
<Burgwork> at least you get ubuntu
<lophyte-> yup :)
<lophyte-> anyhow.. I'll be back later tonight, and we can discuss this more
<lophyte-> I wanna get the spec done by sunday
<lophyte-> start on the code next week
<lophyte-> anyway.. i'm out
<lophyte-> be back in a few hours
<Burgwork> cya
<Burgwork> ok, this update server is going to rock
<SimonAnibal> hell yes it will
<Burgwork> now I just need to make it talk yum *grin*
<SimonAnibal> why yum?
<Burgwork> cause I have to deal with FC4 boxen
<Burgwork> I only have an Ubuntu machine 'cause I brought it in the backdoor
<Burgwork> I work for Userful, we build on Fedora
<SimonAnibal> heheh
<SimonAnibal> that is quite the interesting story
<SimonAnibal> I'm glad to see you on the team, I'm sure your getting this to work will help other people as well, doncha think?
<Burgwork> yep
* ajmitch is back
#ubuntu-directory 2006-10-28
<ajmitch> Burgwork: sorted out if/when you may be able to be in MV?
<Burgwork> ajmitch: not going
<ajmitch> not even for a couple of days?
<Burgwork> best possible arrival date: Late tuesday morning
<Burgwork> provided this project I am being kept for tanks
<ajmitch> ah
<ajmitch> that sucks
<Burgwork> yep, it truly does
<SimonAnibal> Take it easy ya'll
<Burgwork> lophyte: welcome home
<Burgwork> back, rather
<lophyte> thanks
<lophyte> did you guys go on with that discussion about apt-config?
<Burgwork> nope
<lophyte> alright, cool.. then I don't have any catching up to do, lol
<lophyte> I gotta go make dinner and such.. I'll be back in a bit
<Burgwork> whiprush: ping
<whiprush> Burgwork: pong
<Burgwork> whiprush: your google docs link is no worky
<whiprush> lame
<whiprush> should I just mail it to you?
<Burgwork> yes please
<Burgwork> welcome to the brave new world
<whiprush> k
<ajmitch> yo whiprush
<Burgwork> whiprush: ok, that is not the email I was looking for
<Burgwork> I will use bits
<Burgwork> the "we want time at MTV" is for another email
<whiprush> oh
<whiprush> bbiab
<Burgwork> ajmitch, wasabi, you guys around?
<ajmitch> Burgwork: yes
<Burgwork> sent, but accidentally
<Fujitsu> Hahah: `
<Fujitsu> Does WSUS make
<Fujitsu> your heart throb?
<Fujitsu> Gah.
<Fujitsu> Stupid Konversation line breaking.
<ajforgue> so I got master/master replication working in RHDS
<ajforgue> that was cool
<ajmitch> Fujitsu: bah, you & your replies on the list :P
<Fujitsu> Can you see how AD is `arcane'?
<Fujitsu> I've always found it quite intelligible, and I first experimented with it when I was 11... I can't see how it can be difficult to understand.
<lophyte> hey Burgundavia
<Burgundavia> whiprush: mail sent, a little bit prematurely
<Burgundavia> hey lophyte
<lophyte> wasabi_ are you around?
<Burgundavia> lophyte: what is the latest on the spec? do you need me to review it?
<lophyte> I wanted to discuss it some more, since wasabi said he had a few ideas after looking at apt-config
<Burgundavia> right
<lophyte> I can write up a general overview of the spec as it stands right now
<Burgundavia> sounds good
<Burgundavia> you know which spec we are working on?
<Burgundavia> after that confused discussion
<lophyte>  /UpdateServer
<Burgundavia> ok
<lophyte> nwu was superseded by UUS
<Burgundavia> the whiprush one
<lophyte> yeah
<lophyte> I was basically working out the details on paper before merging our braindump with UUS
<ajmitch> so who's talked with nictuku, who's coded up a lot of stuff for NWU?
<ajmitch> I really would hate to go superseding & throwing away work someone has done
<Burgundavia> nobody yet
<lophyte> we're not throwing it away
<Burgundavia> nwu is somewhat tangent
<ajmitch> wonderful
<Burgundavia> ajmitch: that sarcastic?
<ajmitch> yes, since from what I can see it's not that much of a tangent
<Burgundavia> nwu assumes a bunch of other things
<Burgundavia> such as authentication and passing data around
<Burgundavia> lophyte: can you lay out more?
<ajmitch> are those implementation details, or something that can be changed in the spec?
<lophyte> from what I read in the user manual, it seemed more or less like a remote update tool rather than an update approval system
<lophyte> ie. forcing updates on machines remotely
<ajmitch> partly why I suggested talking to him, to get a clearer idea
<Burgundavia> ok, I am having the strangest issue with ephy
<Burgundavia> sometimes it is failing to load the css
<lophyte> well, if we can get nictuku in here..
<lophyte> that'd be great
<Burgundavia> the nwu spec is much larger in scope
<lophyte> I'd like to talk to him and find out what issues he was trying to address with nwu and what the goals were/are
<Burgundavia> he just implemented the spec
<Burgundavia> you need to talk to the drafters, which included mvo
<lophyte> nwu is lacking an approval system in the spec..
<lophyte> I'd say that's the biggest difference between nwu and uus
<lophyte> well what should I do then? I'm more or less the new kid on the block and I don't wanna start stepping on toes as much as I'm into this
<lophyte> brb
<whiprush> Do we really have to reimplement Microsoft's arcane network structure
<whiprush> for Ubuntu? Can't we create something that is ... better and simpler
<whiprush> to understand at the same time? Like, for the human beings? Please
<whiprush> heh
<whiprush> we all saw that one coming a mile away.
<ajmitch> heh
<Burgundavia> whiprush: arcane network structure?
<ajmitch> what's new, whiprush ?
<ajmitch> https://features.launchpad.net/distros/ubuntu/+spec/accelerated-x
<ajmitch> nice, essential spec
<ajmitch> obviously someone really really wants the bling
<ajmitch> can people please subscribe to https://features.launchpad.net/distros/ubuntu/+spec/nis-ldap-migration so I'm not the only one there?
<ajmitch> it's mainly useful to do so for the scheduling
<whiprush> Burgundavia: that was a response on the list.
<whiprush> ajmitch: but I already did my migration.
* whiprush joins anyway. :D
<ajmitch> :P
<whiprush> Burgundavia: unix people are going to be hanging you in effigy anyway, might as well enjoy it.
<Burgundavia> right
<Burgundavia> oh, right
<ajmitch> whiprush: which list?
<whiprush> -devel
<ajmitch> ah I see it now
<Burgundavia> that is where I posted the -directory stuff
<ajmitch> yes, must have skipped that reply earlier
<ajmitch> or it has gone into a spam folder or something
<ajmitch> since it's not in my -devel mailbox
<Fujitsu> I can't see it.
<ajmitch> Fujitsu: you replied to it
<whiprush> https://lists.ubuntu.com/archives/ubuntu-devel/2006-October/022108.html
<Fujitsu> Oh, I misread whiprush as saying he had replied to it.
<whiprush> I didn't
* ajmitch wonders where this message has run away to
<Fujitsu> ajmitch: Be glad you can't read it.
* whiprush doesn't plan on responding to anything
<ajmitch> Fujitsu: why?
<Fujitsu> ajmitch: It is a stupid email.
<ajmitch> in your opinion
<Fujitsu> Probably.
<ajmitch> don't fall into the trap of "oh, AD is so easy, anyone who can't get it is stupid"
<Fujitsu> But AD /is/ easy, except in some setups.
<ajforgue> he's just mad that unix is changing
<ajforgue> you can tell by his sig
<whiprush> ajmitch: someone recorded my ubuntu-AD talk
<whiprush> http://www.ohiolinux.org/recordings/olf-b1-1000-holygrail.mp3
<whiprush> !!
<ajmitch> yay!
<ajmitch> blog it!
* ajmitch starts listening to those sweet tones of whiprush' voice ;)
<whiprush> I will, after I listen to it
<whiprush> hahaha
<ajmitch> haha, "still drink or hungover"
<ajmitch> typical
<whiprush> indeed
<whiprush> too bad it doesn't capture the audience.
<ajmitch> you had a few questions from the audience?
<whiprush> since it sounds like no one is laughing at my jokes
<whiprush> I don't recall if they had a mic.
<whiprush> or I repeated the question
<ajmitch> hey imbrandon
<imbrandon> heya
<ajmitch> come to harass us here? :)
<imbrandon> lol , no come to help ( where i can )
<imbrandon> AD on linux is scary atm :)
<ajmitch> heh
<ajmitch> imbrandon: so how do you plan to help?
<imbrandon> not quite sure yet, i'm sure something will come along that i can give a hand to, other than testing and complaining
<nkassi> Hi
<ajmitch> hello nkassi
<nkassi> I was wondering, what kind of stuff is currently there ? Is there something to play with ?
<nkassi> I saw you code for the client side.
<ajmitch> client-side is initial focus, yes
<ajmitch> eg the current braindump of client stuff is: https://wiki.ubuntu.com/NetworkAuthentication/Client
<ajmitch> (still has a bit to be added)
<nkassi> Will this be integrated into the installation process ?
<ajmitch> we still have to discuss those sort of things - we're mostly in the planning stage of things
<nkassi> hehe, I guess I'm going a little fast. I've been looking for a solution like this at work. Trying to fend off the Active Directory.
<nkassi> push.
<nkassi> Sorry that got chop off the last line.
<tepsipakki> howdy
<ajmitch> hi
<tepsipakki> great to see all these specs for feisty :)
<tepsipakki> about network authentication etc
<tepsipakki> damnit, have to run ->A
<tepsipakki> -A
<tepsipakki> (it's great to have two kids)
<ajmitch> hehe ok :)
<ajmitch> hi siretart
<siretart> huhu ajmitch
<wasabi> So I had this wild idea about a replicated/caching home directory or other file system, thing.
<wasabi> bzr handles many peer merges properly, doesn't it?
<wasabi> So, you write a little daemon which basically just advertises a bzr archive of each home directory... you give it knowledge of what all the other server-peers are, and have the daemon try to push changes to the other mirrors when anything locally changes.
<wasabi> All mirrors should be kept up to date.
<wasabi> You could do that server side to replicate many NFS shares.
<wasabi> And you could throw a client into the mix to do it on the client.
<wasabi> Oh, and the servers would need to truncate old data.
<wasabi> So, user logs onto the client, the client contacts the best server mirror, pulls its change set, the user logs in. Small daemon watches home directory for changes, and attempts to push them back to any server.
<wasabi> Client can disconnect and have a full copy of the data.
<wasabi> When he reconnects, he starts pushing again.
<lophyte> morning all
<wasabi> morning
<lophyte> whats up?
<wasabi> Pondering a crackful bzr idea.
<wasabi> Okay, get this. Roaming/synching home dirs.
<wasabi> You have N number of servers, which all run a little daemon and export a bzr archive.
<wasabi> These servers, on any commit, try to push that change to all the other servers.
<lophyte> roaming dirs are usually stored on one server, aren't they?
<wasabi> Yeah.
<wasabi> Merging is turned off... conflicts result in a .conflict file or something, and the best is determined by a timestamp only.
<wasabi> So, you basically then have a bunch of bzr archives which should be peers.
<wasabi> Except when somebody updates the same file in two places before a sync.
<lophyte> and the bzr archives are the home dirs?
<wasabi> Then you bring in the clients... make a pam_mkhomedir module or some such... what it does is pick the closest mirror and pulls its changes locally.
<wasabi> Yup
<lophyte> nice
<wasabi> Runs a similar daemon which pushes any local changes (inotify) to any remote server.
<lophyte> that'd be more reliable than AD for sure
<wasabi> Works for laptops. You just log onto the network once, next time the server is in reach, your changes get pushed/pulled.
<wasabi> It doesn't seek to address the idea of merging files... but then neither does DFS/FRS and they work fine.
<lophyte> in AD you can only specify one server
<wasabi> Yeah
<lophyte> mirrors are a good thing
<robertj> merging has to have a great gui though, that's a complaint I hear _a lot_ from AD users
<wasabi> Naw. Screw merging.
<robertj> "my machine crashed and now I can't log in AT ALL and the server admin had to delete my user directory"
<wasabi> AD doesn't merge.
<wasabi> So that actually shouldn't happen. :)
<wasabi> It simply uses copy-over approach.
<lophyte> yeah, merging might create issues
<wasabi> With a slightly sucky algo.
<wasabi> And a huge NTUSER.DAT file which always sucks.
<lophyte> I'll be back in a sec
<wasabi> We have lots of small little files. I suspect our merging won't be as bad.
<wasabi> I'd mostly be concerned when a user drops a large ISO or something into his archive.
<robertj> wasabi: don't forget about the ever popular logging in from home situation
<robertj> in which you might log in, do some work, and then it wants to upload the iso over your itty-bitty residential-upstream connection
<wasabi> Yeah. Again, Windows doesn't address that YET.
<wasabi> And that seems to be okay for NOW.
<wasabi> I'd love to solve it though.
<wasabi> Perhaps some fashion by which it can refuse to merge until reconnected.
<wasabi> Or until the ISO goes away.
<wasabi> ie on a high speed link
<robertj> wasabi: what about the iDisk approach where you continually sync in the background?
<wasabi> Well, I doubt bzr supports that...
<wasabi> ie partial commits.
<wasabi> and resuming of such.
<robertj> crashy nvidia drivers :(
<wasabi> git might work too
<siretart> wasabi: does your bzr idea cover the case that the user might be logged in on 2 or more systems?
<wasabi> Yeah. It takes care of it "enough"
<wasabi> The two workstations would, on login, merge from any server... so they'd have the latest on the server.
<wasabi> And periodically + when each were altered, they would push.
<wasabi> Except in the cases of files that do change on both rapidly.
<wasabi> And I'd advocate not merging, simply timestamp overwriting.
<wasabi> The user shouldn't be altering the same file in two places. ;)
<siretart> that could happen accidentally
<siretart> I'm thinking about firefox profiles, or similar
<siretart> they could get into a bad inconsistent state and confuse the application
<wasabi> Yeah. I was thinking about those too.
<wasabi> I suspect a simple last-time overwrite still works fine, though.
<wasabi> The firefox profiles are plain text...
<wasabi> Heh. It's worth noting that firefox on windows works fine with roaming profiles.
<wasabi> Which do basically the same thing.
<siretart> I don't know how roaming profiles work on windows. I have heard ppl screaming about them
<wasabi> Yeah, they cause problems, but in my experience it's because of NTUSER.DAT
<wasabi> That contains the ENTIRE user registry hive.
<wasabi> And it is never merged, always overwritten.
<wasabi> I think it's probably okay to think the same human being won't be doing the same thing on two workstations too often.
<wasabi> But in MS cases, anything they do overwrites whatever the other one was doing.
<wasabi> I'd worry about applications which themselves do not work good with NFS home dirs.
<wasabi> Such as, as I just discovered, beagle. ;)
<wasabi> Big index file... assumes one beagle process is accessing it.
<ajmitch> morning
<lophyte> howdy
<Burgundavia> hey ajmitch, lophyte
<Burgundavia> welcome siretart
<ajmitch> hey Burgundavia, how's it going?
<Burgundavia> not bad
* ajmitch just crawled out of bed :)
<Burgundavia> so did I
<lophyte> heya Burgundavia
<lophyte> what should I do about this uus spec? should I keep going with it, or talk to someone first? I don't wanna walk in here and start stepping on toes
<Burgundavia> keep talking
<ajmitch> I didn't mean to put you off in any way
<ajmitch> I just want to avoid any hassles at the start
<Burgundavia> there are lots more people who have an opinion and are good enough to listen to
<siretart> heyho Burgundavia
<lophyte> should I talk to mvo about nwu before i go on with uus?
<Burgundavia> mailing list has seen 9 new subscribers since yesterday
<ajmitch> siretart!
<Burgundavia> lophyte: yes
<siretart> ajmitch!! :)
<ajmitch> how are you?
<siretart> oh, I'm fine. and you?
<ajmitch> I'm good
<ajmitch> busy as ever
<siretart> ;)
<ajmitch> busy with this :)
* ajmitch wishes you could be there at MV to discuss all this stuff
<siretart> I'm currently rather lurking in this channel, but it looks like I'll be setting up a single sign on kerberos setup soon
<siretart> oh, I'd wish as well, trust me
<siretart> but my thesis is urgent now ;)
<ajmitch> I hope we can make things as easy as possible for you to set it up :)
<ajmitch> so that you don't have to take much time away from the thesis
<ajmitch> how is the writing going?
<siretart> I have now about the half written, I think
<siretart> there are still some things to implement, but I focus on writing right now
<ajmitch> good luck :)
<siretart> thanks :)
<lophyte> i can't figure out this xen networking for the life of me..
<ajmitch> still giving you issues?
<lophyte> yeah.. I can't use briding
<lophyte> bridging, rather
<lophyte> i'm gonna try using routing
<lophyte> so far so good..
<lophyte> I think its an iptables issue now
* ajmitch might try network-nat instead
<ajmitch> it'll probably work better with domains I don't need to access directly
<lophyte> hrm..
<lophyte> from domU I can ping vif3.0 and ra0 in dom0
<lophyte> but not beyond dom0
<lophyte> which is why I think its an iptables issue
<lophyte> iptables is either blocking or not forwarding packets coming back
<ajmitch> forwarding is on in /proc/sys/net/ipv4/ip_forward ?
<lophyte> er, wtf, no.. it should be..
<lophyte> er, wait, lol
<lophyte> wrong machine
<lophyte> yeah, its on in dom0
<lophyte> ACCEPT     all  --  192.168.10.10        anywhere            PHYSDEV match --physdev-in vif3.0
<lophyte> that's the only iptables rule
<lophyte> in the FORWARD chain
<lophyte> ergh.. maybe I should try nat
<lophyte> I can ping domU from dom0
<lophyte> and dom0 from domU
<lophyte> but nothing beyond dom0... hrm
<lophyte> okay, maybe its not an iptables issue..
<lophyte> ##xen isn't very helpful
<lophyte> ajmitch: do you use routing or bridging?
<lophyte> woo.. nat seems to be working
<lophyte> sweet
<lophyte> nat works
<ajmitch> lophyte: bridging
<ajmitch> whiprush: ping
<lophyte> ah
<lophyte> well, nat seems to be working for me
<ajmitch> whiprush: got the address of the hotel you've got booked?
<lophyte> is there a way to manually create a domain that runs in the background?
<ajmitch> just xm create domain.cfg
<ajmitch> unless you mean at bootup
<ajmitch> also there's /etc/xen/auto/ for domains started at bootup
<lophyte> ah, alright
<lophyte> so -c brings you to the console
<ajmitch> yes
<Burgundavia> anybody else want to post a todo list to the mailing list, or should I
<Burgundavia> ?
<Burgundavia> hmm, uus got declined for mtv
<Burgundavia> whiprush, ajmitch, wasabi_: you lot need to subscribe to https://features.launchpad.net/distros/ubuntu/+spec/ubuntu-update-server
<Burgundavia> and repropose for mtv
#ubuntu-directory 2006-10-29
<robertj> ..
<lophyte> who declined it?
<nkassi> Hey y'all
<lophyte> hiya
<nkassi> I'm reposting a question from ubuntu-server cause the channel seems dead
<nkassi> I can't find the answer to why the slapd package in ubuntu and debian doesn't include SSL. Anyone knows ?
<wasabi> It should.
<wasabi> You of course have to enable and configure it with a certificate.
<nkassi> It's not enabled by default
<wasabi> Of course not. Ubuntu doesn't distribute a cert for you.
<nkassi> From what I gather, it's not enabled in the build
<wasabi> It is.
<wasabi> checking though.
<nkassi> hum, weird, after setting the TLS* config params and all and starting the ldap server, 636 is unused.
<wasabi> TLS != SSL.
<nkassi> port 636 I mean
<nkassi> Oh yeah sorry.
<wasabi> TLS is Transport Layer Security.
<wasabi> ie a socket is transformed to SSL on the fly.
<nkassi> Isn't TLS the SSL replacement ?
<wasabi> After an unsecured hand shake.
<nkassi> oh ok.
<wasabi> Yes, but it doesn't require a new port.
<nkassi> Me stupid.
<nkassi> ;-)
<wasabi> The handshake happens in plain text, over the normal port.
<nkassi> thanks for the info.
<wasabi> I'm going to guess since libssl-dev is a build-dep, that it's enabled.
<wasabi> And also, that I use it.
<nkassi> hehe
<nkassi> that would be a give away ;-)
<nkassi> I was wondering because I saw a lot of issues documents about enabling this in debian
<wasabi> Well, plain ol' SSL isn't really needed or desired anymore.
<wasabi> And TLS requires you creating a cert.
<wasabi> So it's not really something that can work out of the box.
<nkassi> That makes sense.
<wasabi> And I'm all for using Kerberos anyways.
<nkassi> How hard would it be to create one automagically when the openldap server is installed ?
<wasabi> Which provides transport encryption on its own.
<nkassi> I guess that would be another option.
<wasabi> nkassi: Could create a self signed one, but that is completely unoptimal.
<wasabi> I'd rather have the creation of a proper CA be part of our LDAP server plans.
<nkassi> Except I would like to use it to allow thunderbird to look up contacts
<nkassi> sound decent.
<nkassi> sounds decent. I mean
<wasabi> All of this is pretty far off imo
<wasabi> Unless mark gets a hankering and pays for it
<nkassi> Well that was something I was hoping to work on. ;-) I'm tired of hearing my friends complain about how AD is so much easier ;0)
<nkassi> I was really happy when I saw the ubuntu movement towards this.
<wasabi> We need C coders. =)
<nkassi> Hehe,  I thought the project would mostly be in python seeing the Ubuntu commitment to python.
<wasabi> The project consists of pam/nss modules and stuff. =)
<nkassi> Dusting off my C programming language book right now :0)
<wasabi> All the really big stuff imo, from the client side, is fixing up the pam/nss infrastructure.
<wasabi> and nscd
<wasabi> and then, yeah, a nice python wizard to configure it all.
<wasabi> But still, all the heavy actual work is in C.
<sbalneav> What needs to be done in C?
<nkassi> Yeah is there going to be a sort of todo list somewhere ?
<wasabi> I'm working on a plan.
<wasabi> http://wiki.ubuntu.com/NetworkAuthentication/Client.
<wasabi> Client comes first, unless somebody else starts working on the server independently.
<sbalneav> Hmm, not subscribed to that one, which is odd, seeing as how I need this spec implemented for the LTSP side of things.
<nkassi> Was there any discussion about adapting the already existing tools on fedora ?
<sbalneav> I may be of use here, as I was the fellow who originally added openldap support for shadow components into pam_ldap :)
<wasabi> There was, but we don't really like their tools I don't think.
<wasabi> And have some good ideas of our own.
<wasabi> And ajmitch already has a codebase that works.
<wasabi> sbalneav: Sounds super insecure. ;)
<wasabi> Check out that wiki page then, change what you think.
<wasabi> I'm going to add a new table to NSS.
<wasabi> "realm"
<wasabi> And do it right.
<wasabi> So, it'll be a lot of work to do it right. =)
<wasabi> Also I've been thinking about new async getpwent and such APIs
<bmonty> wasabi: a lot of the work can be done in python
<wasabi> Sure, the wizard, which spits out a pam and nss file.
<wasabi> And creates the remote objects and all that cool stuff.
<wasabi> But that's not the hard part. That's scripting.
<wasabi> The hard part is reducing blocking in nss, or coming up with a good cache strategy, or putting cross realm support into libnss-ldap, or fallback, recover, walking the SRV records.
<bmonty> I've been using LDAP+Kerberos for awhile now, and the PAM and NSS code needs some updating
<wasabi> Yup.
<bmonty> there is essentially no viable caching as far as I'm concerned
<wasabi> Right now there isn't.
<wasabi> Right now I use nss-updatedb =)
<bmonty> nscd doesn't seem to work at all, and I can't figure out why it doesn't cache any of my users or groups from the LDAP server
<nkassi> I didn't know the whole spec was so extensive. So you really want to make this similar to the windows way.
<wasabi> nkassi: I want it to work right, anyways.
<nkassi> hehe
<wasabi> Yeah nscd is broken.
<bmonty> nkassi: that is how I read it....
<bmonty> i.e. LDAP+Kerberos
<wasabi> Well, obviously, the most important goal from a marketing point is joining AD.
<wasabi> Since they are so prevalent.
<nkassi> true.
<wasabi> But luckily it's a super-set of Kerberos+LDAP.
<bmonty> wasabi: can't you already join an AD with samba?
<bmonty> I think using NTLM
<wasabi> Yeah, but it's not really integrated.
<wasabi> We really want pam_krb5.
<nkassi> I've had my share of head ache trying to do this exact thing ;-) We had to buy a commercial set of pam modules
<bmonty> I agree
<wasabi> And server-based UIDs
<bmonty> has anyone thought about which kerberos server Ubuntu is going to use?  Heimdal or MIT?
<wasabi> Not really.
<wasabi> I suspect when the dust clears we'll be using Heimdal.
<wasabi> Simply because the Samba guys are pushing so much new stuff into it.
<bmonty> supposedly the MIT server will be able to use LDAP for its user database in the near future
<wasabi> Yeah, and Heimdal can now.
<wasabi> I am totally convinced that server work is far off.
<wasabi> A server without a good client is useless.
<bmonty> does the existing pam-krb5 work with heimdal?
<wasabi> bmonty: There's a heimdal compile of it.
<bmonty> wasabi: don't you think that the server should be worked out before you get the client side going?
<wasabi> Not really.
<wasabi> We know what we're targeting.
<lophyte> wasabi: the main goal is to get an AD-compliant client, right?
<wasabi> The first goal, yes.
<lophyte> I figured
<wasabi> An AD compliant client that relies as much as possible on Krb5/LDAP
<wasabi> So the client works with whatever we choose for our own server.
<bmonty> I thought the goal was to have the server architecture for AD-like authentication and authorization as well as an update server
<wasabi> That's massive long term.
<bmonty> obviously you need a client side for that as well
<wasabi> If you've used AD you know the issues involved with that.
<bmonty> I use LDAP+Kerberos and I know there are plenty of issues there
<wasabi> The scope of work with AD is huge.
<lophyte> I wish the SSO howto on the wiki wasn't half done
<wasabi> I mean, what, it took MS 4 years and a 100 person team?
<lophyte> working full time, no less
<wasabi> Kerb5 at every level, LDAP schema definition, third party integration.
<wasabi> Long term support, upgradability.
<wasabi> Replication of schema.
<wasabi> A custom CA.
<wasabi> Domains, forests.
<lophyte> indeed
<bmonty> ..figuring out how to lock customers into their solution
<wasabi> Pssh. That took them 2 minutes.
<lophyte> haha
<wasabi> "oh lets add 1 field to krb5"
<nkassi> hehe.
<wasabi> Other than that, it's plain LDAP/Kerberos.
<Burgundavia> lophyte: which sso howto?
<lophyte> http://help.ubuntu.com/community/SingleSignOn
<bmonty> I started writing that SSO howto, but I ran out of time to document all of the issues I was running in to
<Burgundavia> lophyte: didn't even know that existed
<Burgundavia> https://help.ubuntu.com/community/LDAPClientAuthentication
<Burgundavia> I used that one
<Burgundavia> need to update it
<lophyte> I wanna set up a server, though
<lophyte> ldap+krb5
<wasabi> Go for it.
<lophyte> I don't know how.. that's the problem :P
<wasabi> I do it for all my client machines.
<bmonty> lophyte: the server part is mostly complete
<wasabi> I have two KDCs, two LDAP servers.
<bmonty> except for how to add users
<wasabi> Replicating over the inet. ;)
<lophyte> ergh..
<wasabi> Heh. If you're telling me slapd can replicate between 500 peers, you've surprised me.
<wasabi> Until it can do that, it can't compare to AD. ;)
<lophyte> my computer sucks with 2 Xen guests..
* lophyte thinks he needs more RAM
<wasabi> lophyte: vmware.
<wasabi> oh just ram?
<wasabi> You get xen working?
<lophyte> it sucks just as bad with vmware, lol
<lophyte> yeah, works fine now
<lophyte> my biggest issue was networking.. using NAT, it works fine
<bmonty> I haven't seen it documented anywhere, but there is a big issue with udev and having group info on the LDAP server
<bmonty> especially with edgy
<wasabi> Should be fine... you just need to know how to configure nss right.
<wasabi> ie NSS *must never block ever*
<wasabi> Since all apps make an assumption that it never will.
<bmonty> wasabi: that is one issue
<wasabi> The only way to accomplish that is to drive NSS from a pure cache.
<bmonty> the second is that the network isn't available when udev assigns groups to the devices it creates
<wasabi> You shouldn't need the network for local groups.
<wasabi> try this:
<wasabi> passwd:         compat db
<wasabi> group:          compat db
<wasabi> And use nss_updatedb (package nss-updatedb) to update the DB files from the ldap module.
<lophyte> bmonty: there's no instructions for configuring OpenLDAP.. I think that's the biggest issue
<bmonty> wasabi: I want to have those groups stored in LDAP directly
<wasabi> They are.
<wasabi> cronjob, runs once an hour, that refreshes the cache.
<bmonty> lophyte: good point, I have an OpenLDAP config file if you are interested
<Burgundavia> lophyte: I am going to write some openLDAP stuff coming up next week or so
<bmonty> wasabi: then you have a consistency issue
<lophyte> bmonty: where do you configure the sasl binds, in the slapd config?
<wasabi> bmonty: Yup. Until nss gets an async API, there is no solution.
<wasabi> bmonty: But this one makes the box work. ;)
<bmonty> lophyte: yes, you have to configure SASL in slapd.conf
<wasabi> You cannot have a network query go out for every group lookup. NSS is always used single threaded.
<lophyte> bmonty: ah, alright..
<wasabi> The best option I have is a daemon which keeps the local cache uptodate, by subscribing to LDAP notifications.
<wasabi> And that daemon's name might be nscd in the future. heh
<bmonty> lophyte: the two directives are sasl-secprops and sasl-regexp
<bmonty> wasabi: can I get a copy of your nss config file?
<lophyte> I need to get more RAM, so I can create a virtual network of computers to tinker with this stuff
<bmonty> I've never been able to solve the issues with nss, or find good info on the net
<bmonty> lophyte: www.newegg.com
<lophyte> american site.. costs for shipping :P
<lophyte> its probably cheaper to shop locally
<bmonty> it isn't here :)
<nkassi> hehe
<bmonty> lophyte: you can use a pretty much stock LDAP config, but you have to add a couple of things for SASL to work correctly
<nkassi> yeah, there's nothing local around here that is cheaper than newegg + shipping ;-)
<lophyte> oi..
<bmonty> I've also found that SASL binds do not work on 64-bit machines
<lophyte> $60 for 512mb
<lophyte> not bad
<bmonty> I still have to check and see if that is true with edgy though
<wasabi> I have a 64 bit machine which binds using SASL just fine.
<wasabi> It's not a server though.
<lophyte> alright, i gotta go..
<lophyte> perhaps later tonight I'll have some time to set this up
<bmonty> wasabi: what is the architecture of your server machine?
<lophyte> bbl
<wasabi> em64t
<wasabi> But it's windows. =)
<bmonty> ok, I'm running OpenLDAP on i386, and SASL binds cause a segfault on the 64-bit machines
<wasabi> 64bit clients?
<bmonty> wasabi: yes
<wasabi> Hmm.
<wasabi> dapper?
<bmonty> yeah with dapper
<wasabi> oh well. core dump, post a bug.
<bmonty> I haven't tested with edgy yet
<bmonty> dist upgrading to edgy completely hosed my machine due to the LDAP/Kerberos setup I had
<wasabi> heh
<bmonty> it wouldn't boot even in "safe mode"
<wasabi> Just set up NSS differently.
<bmonty> wasabi: yeah, I wish I had known that
<bmonty> once I did the dist upgrade though it was too late
<wasabi> livecd + fix
<wasabi> or init=/bin/bash
<bmonty> where can I find info about setting up nss?
<wasabi> Not really anywhere.
<wasabi> me =)
<bmonty> wasabi: too late, I already rebuilt the box :)
<wasabi> ahh. you never have to rebuild a linux box.
<wasabi> You can always just boot with init=/bin/bash, get a shell, fix the problem, and reboot.
<bmonty> do you have a working nss config file I can copy?
<Burgundavia> soon, I am going to rewrite the LDAPclient stuff
<wasabi> bmonty: Use libnss-db + nss-updatedb
<Burgundavia> which will fix all the issues
<wasabi> It's the only reasonable way to remove the issue.
<bmonty> BTW, other stuff I have been working on is a python binding for libkrb5
<wasabi> Oh that's you?
<wasabi> I saw somebody post about that someplace.
<bmonty> and I also started a python-based LDAP user config utility
<bmonty> both are still very experimental
<Burgundavia> isn't the latter just n-a?
<bmonty> my python-krb5 is based on MIT's code, so it will require some modification if the decision is to use heimdal
<wasabi> bmonty: What's your goal with that?
<wasabi> What are you binding?
<wasabi> GSSAPI or ?
<bmonty> wasabi: so you can use the krb5 library directly from python
<wasabi> To do what?
<wasabi> kadmin?
<bmonty> whatever you want
<wasabi> Just wondering what sort of program you would build that uses that.
<bmonty> kadmin uses the krb5 lib to do its functions
<bmonty> I have a rewrite of klist in python using my bindings
<bmonty> I don't have enough of the API to do kadmin...yet
<bmonty> for a lot of client side stuff you probably want to use GSSAPI
<bmonty> but I think if you want to have a tool that can manage a LDAP+Kerberos server you need to use the krb5 lib
<bmonty> ...and if you want to write in C there is no problem with that
<bmonty> if you want to use python to develop your solution you are stuck since there is currently no binding to the krb5 libs that python can use
<wasabi> Well, doesn't help much with AD.
<wasabi> That I can see.
<Burgundavia> interesting: http://lists.debian.org/debian-devel/2006/10/msg01177.html
<bmonty> why do you say that?
<wasabi> Since you don't use anything resembling kadmin to manage principals.
<bmonty> krb5 tools can talk to AD
<wasabi> And there's no need for client management of kerberos at all.
<wasabi> It should work silently and transparently.
<bmonty> wasabi: you are assuming that I'm running AD on a windows box, correct?
<wasabi> No.
<wasabi> I'm just comparing MS's solution to our potential one.
<wasabi> Which is that I don't want our users dealing with krb5 principals. ;)
<wasabi> New User, type the name, done.
<wasabi> The only interface component we should need on the desktop is a notification tray that says "Your authentication has expired. Please click here to renew. *button*"
<whiprush> wasabi: ajforgue has a little ticket applet thing he wrote.
<wasabi> Yeah. I hope we don't have to show it to users ever. ;0
<Burgundavia> wasabi: do we have pieces of software in universe that needs to migrate to main?
<bmonty> wasabi: what are you using to manage users and groups in your setup?
<wasabi> GQ mostly.
<wasabi> Burgundavia: Probably will.
<bmonty> which is a decent tool, but can't manage kerberos principals
<wasabi> Yeah. I don't want to expose kerberos princs to users.
<wasabi> I sort of want them to be stored in LDAP.
<bmonty> I was thinking that eventually we need a tool that can manage users in the LDAP directory and the krb5 database
<wasabi> Also I'd be worried about the security/policy issues of separating the two.
<bmonty> wasabi: I want that as well
<wasabi> ie an admin user could potentially compromise the integrity of the relation between the two.
<wasabi> Once, again, pulling another example from windows. They have discrete APIs to create a user... which handles the kerberos part and ldap part together.
<wasabi> And makes sure all succeeds.
<bmonty> is there an open source solution that can do that?
<wasabi> Not yet.
<bmonty> hence the need for tools to manage those
<wasabi> Yes, new tools... which don't use kadmin.
<wasabi> Consider this. In my company, HR creates users.
<wasabi> Because HR hires and fires them.
<bmonty> yup, which requires that you can link in the krb5 lib...
<wasabi> Nope.
<wasabi> So, the HR users have permissions to create users. Not permissions to create principals.
<nkassi> Does this tool require a separate spec ? Cause work on that could be started pretty much now. It would be extremely useful currently.
<wasabi> Not permissions to create LDAP objects.
<wasabi> but discrete permissions to issue a CreateUser RPC call to the server.
<wasabi> The logic of that lives on the server, where it can't be subverted.
<wasabi> If the user himself could create a principal, he could create one, and link it to any object.
<wasabi> Or rename it independently.
<wasabi> Or assign permissions to it he didn't otherwise have the permission to assign.
<wasabi> HR can create users, but they cannot touch anything critical. They are not systems admins.
<bmonty> that all makes sense to me
<wasabi> It's something we're missing.
<wasabi> Completely.
<bmonty> we are missing it in that there are currently no tools that implement that process
<bmonty> I think the software that is available has features that could be used to make that work
<bmonty> without rewriting a whole ton of stuff
<wasabi> Sure, but I don't think allowing kadmin access from a client machine solves it.
<bmonty> wasabi: I agree, I never proposed that
<bmonty> BTW, can I take a look at your nss config file?
<bmonty> and what were the other nss packages you said I needed to install?
<wasabi> nss-updatedb
<wasabi> my config file is "passwd: compat db"
<wasabi> group: compat db
<wasabi> nothing else
<bmonty> and this basically copies the users and groups from the LDAP server to the local machine?
<ajmitch> hey bmonty
<bmonty> hi ajmitch
<ajmitch> whiprush: you around?
<ajmitch> bmonty: coming to MV?
<bmonty> ajmitch: no
<ajmitch> unfortunate
<bmonty> yeah...I'm way too busy at work
<bmonty> ajmitch: is this going to get discussed at MV?
<ajmitch> definitely
<ajmitch> write up anything else you think we need
<bmonty> ok
<Burgundavia> bmonty: I have been using lat instead of gq
<Burgundavia> a little crashy, but a much nicer UI
<whiprush> ajmitch: yeah
<ajmitch> whiprush: got the hotel details?
<whiprush> dang, not on me, I did it old school. (pen and paper)
* ajmitch will need to give these details to the friendly people in customs :)
<ajmitch> ok
<whiprush> oh
<whiprush> let me find it on the map
<Burgundavia> I just lie
<ajmitch> mainly just the address
<ajmitch> Burgundavia: I also want to know where it is
<whiprush> http://www.choicehotels.com/ires/en-us/html/HotelInfo?hotel=CA679&promo=gglocal
<whiprush> booya
<ajmitch> nice, I wonder how dodgy it is
<whiprush> one of my friends works at google and said that it was nice.
<whiprush> not like, omg nice. but a nice normal hotel for a decent price
<ajmitch> that's excellent
<ajmitch> aha, found it on google maps
<ajmitch> nice & close to google HQ
<whiprush> yep
<whiprush> learned my lesson after staying all far at the boston summit
<ajmitch> right by the freeway though
<ajmitch> like *right* beside it, by the look of the map
<whiprush> are you concerned about the noise?
<ajmitch> it shouldn't be too bad, I guess
<Burgundavia> ajmitch: whiprush's melodious snoring will drown out all
<wasabi> bmonty: "nss-updatedb ldap"   will retrieve the entire passwd/group tables from the libnss-ldap module, and store them in a bdb database.
<wasabi> bmonty: the "db" nss module will read from those.
<ajmitch> whiprush: that's what I expect
<wasabi> You schedule nss-updatedb to be run, using GSSAPI/SASL binding, every hour or something reasonable.
<wasabi> As root.
<ajmitch> whiprush: looks like we get free google wifi
<whiprush> ajmitch: don't worry, it's california, the cars don't actually move on the freeway
<whiprush> it's more of a parking lot.
<wasabi> I wish I could drive.
<bmonty> wasabi: ok, thanks
<ajmitch> haha
<ajmitch> whiprush: what are the arrangements for the airport? shall I try & get a shuttle in?
<whiprush> ajmitch: I recommend the train
<whiprush> the BART
<ajmitch> but the BART doesn't go down that way, does it?
<whiprush> but we should probably ask someone from mountain view
<whiprush> it goes to mountain view
<whiprush> then you can cab from there
* ajmitch really hopes he gets paid before saturday :)
<ajmitch> either that or if I catch a shuttle in,  mpt & infinity are on the same flight as I am
<Burgundavia> from sfo there is a train
<Burgundavia> whiprush: we caught that
<ajmitch> caltrain
<Burgundavia> however, google runs buses from downtown
<Burgundavia> and I presume the airport
<Burgundavia> they may be running buses for us
<ajmitch> canonical sponsored people have been told that there's a shuttle
<ajmitch> not google-provided
<Burgundavia> ah
<ajmitch> Supershuttle http://www.supershuttle.com/. From San Francisco, it would
<ajmitch> be about $40-45.00 one way.
<ajmitch> expensive
<Burgundavia> you are landing at sfo?
<ajmitch> yeah
<Burgundavia> sfo is on the caltrain run
<ajmitch> so I saw
<Burgundavia> I would take that to mtv, and then take a taxi from there
<ajmitch> I'd have to check where it stops in MV
<Burgundavia> downtown
<Burgundavia> about 20 minutes from google
<ajmitch> ok
<Burgundavia> this is the train we took for ubucon
* Burgundavia whips whiprush for being useless about this sort of stuff
<ajmitch> how much does it cost?
<Burgundavia> caltrain? $10?
<ajmitch> k
<ajmitch> whiprush: when do you get to the hotel?
<whiprush> damn, all these questions!
<whiprush> sec
<ajmitch> heh
<ajmitch> we like to plan ahead :)
<whiprush> probably 8-ish on Saturday the 4th.
<whiprush> 8pm
<whiprush> I'll have your name on the room if you get there before we do.
<ajmitch> much earlier
<ajmitch> flight lands at 11:15AM
<whiprush> ok
<whiprush> when I finalize the reservation I'll let them know you'll be coming in first
<ajmitch> I can probably fill in the time :)
<ajmitch> thanks
<whiprush> I am sure there will be people around to hang out with
<whiprush> google is open on the weekends, I wonder if people will be hanging out there.
<ajmitch> I wonder how long it'll take to walk to google
<whiprush> ajmitch: hopefully my friend will be our ride in everyday, heh.
<ajmitch> yeah, but I may go for a walk anyway
<whiprush> oh
<ajmitch> besides, I need to wander into MV about 5pm or so
<whiprush> I wouldn't mind walking everyday if it's like, less than 45 minutes or something
<ajmitch> looks like it may be, but the tricky part is where to cross the freeway
<whiprush> I am trying to remember if it's an elevated freeway
<whiprush> let me ask my google friend
<Burgundavia> got a linky to the map?
<Burgundavia> I might be able to remember
<whiprush> http://maps.google.com/maps?f=q&hl=en&q=hotel+Mountain+View,+CA&ie=UTF8&z=14&ll=37.40746,-122.082739&spn=0.04568,0.114326&om=1&iwloc=H
<ajmitch> just looking at google maps
<whiprush> I remember driving by that airbase multiple times
<ajmitch> we're at H on that map
* lophyte has never been to Cali
* ajmitch has only been in airports there
<lophyte> actually I've never been out of Canada...
<lophyte> or Ontario at that
* lophyte is sheltered :(
<ajmitch> took me awhile to get out of NZ
<bmonty> just clicked on the map link...I've actually been there before :)
<lophyte> alrighty.. I'm gonna go through the SSO howto
<ajmitch> bmonty: the hotel, or the area?
<bmonty> the area
<bmonty> I think the hotel I stayed at was right down the street
<bmonty> I remember thinking that the place was set up to get around really easy without a car
* lophyte looks at his bank account and sighs
<ajmitch> lophyte: I know how it is
<ajmitch> bread & water for me for the week :)
<lophyte> lol
<lophyte> I really need to find a job..
<whiprush> ajmitch: my friend says it's 10-20 minute walk!
<ajmitch> oh if I get paid this week I'd have about $2K USD by the weekend, and I'd be fine
<lophyte> I don't get paid.. so..
<lophyte> this is all I have
<ajmitch> whiprush: wonderful :)
<ajmitch> whiprush: I could probably walk from the train station too :)
<whiprush> that was like a 15 minute drive
<whiprush> but the area down there is nice
<ajmitch> ok
<whiprush> you could probably walk around the shopping areas and whatnot if you're bored
<ajmitch> the train station looks closer than google does
<ajmitch> it's a walk straight down moffett blvd
<ajmitch> yeah, since I can't get to mass on the sunday, I'll be going on saturday, so that'll take some time
<ajmitch> conveniently that's right beside the train station
<whiprush> Burgundavia: where can I find channel logs?
<whiprush> is it still on people.something?
<Burgundavia> whiprush: for this channel?
<whiprush> ya
<Burgundavia> people.ubuntu.com/~fabbione/irclogs
<whiprush> ta
<wasabi> So I've been thinking about the caching problem.
<wasabi> Number of different solutions.
<wasabi> either fix nscd, or use/write something else.
<wasabi> The db idea is pretty appealing.
<wasabi> Guess I'd be worried about db corruption though.
<wasabi> hmmmmmmmmmmm
<wasabi> I guess it would be reasonable for remote users to simply not exist until nscd starts.
<whiprush> wasabi: also I thought about something while driving around today
<whiprush> that RH cert server isn't oss.
<wasabi> They have a cert server?
<whiprush> yep
<wasabi> I've heard some good things about OpenCA.
<whiprush> I was driving around and was like "oh shit, we're going to need one of those."
<wasabi> Yeah.
<wasabi> Thought about it earlier.
<wasabi> Again, this is why server-side is a huge project. ;)
<wasabi> So many pieces that all tie in together.
<wasabi> And are huge on their own.
<wasabi> I've sort of got a game plan for where I will start work at. I've already got a broken patch to add a realm table to nss.
<wasabi> I'll get that done, then start digging into libnss.
<wasabi> -ldap that is
<wasabi> Or whatever. To be honest, I don't have enough time for this.
<wasabi> me->bed
<lophyte> morning all
<wasabi> moni
<wasabi> Does anybody want to be responsible for separating server stuff out of NetworkAuthentication?
<MagnusR> you mean in the specification?
<wasabi> just the wiki.
<wasabi> it needs cleanup
<MagnusR> I can give it a try. Shall I create a new page NetworkAuthenticationServer to put things that are cleaned out until we know where to put it?
<wasabi> https://wiki.ubuntu.com/NetworkAuthentication/Client   is client stuff
<wasabi> So, I'd imagine /Server would be server stuff.
<MagnusR> Hmm seems that we have three different pages today: https://wiki.ubuntu.com/NetworkAuthentication https://wiki.ubuntu.com/NetworkAuthentication/Client https://wiki.ubuntu.com/NetworkAuthentication/ScratchPad
<wasabi> ScratchPad was some stuff I was just braindumping to
<wasabi> It can be ignored. =)
<tepsipakki> wasabi: was it you that had some ideas about an offline "cache" (using bzr) for a networked filesystem?
<wasabi> yeah
<tepsipakki> do you know about FS-Cache? it only provides the basic support for caching stuff but the offline-use is left to the fs itself
<wasabi> Not a networked file system.
<MagnusR> What about using ifolders?
<alp> anyone familiar with the novell ldap stuff?
<wasabi> Not really. Never had a chance to touch it.
<alp> i think we have a good c# ldap stack
<alp> that should be "they"
<alp> don't know if their directory services are based on that, think it's all new
<tepsipakki> ald: do you mean eDirectory?
<tepsipakki> alp: ^^
<MagnusR> I think the c#-bindings are used to connect new things to the old NDS stuff.
<alp> http://developer.novell.com/wiki/index.php/Ldapcsharp <- looks standards based and pretty active
<lophyte> wtf :\
<lophyte> kadmin: Improper format of Kerberos configuration file while initializing krb5 library
<wasabi> Novell's LDAP C# libraries are fine.
<wasabi> But I suspect nobody here is going to use them.
<bmonty> lophyte: check your krb5.conf file, especially the part that tells the lib how to contact the kadmin server
<lophyte> why do I get the feeling these locale errors are wreaking havoc
<alp> wasabi: oh, what's the game plan?
<alp> when i put together the mono debian packages and policy all those years ago this is exactly the kind of neat project i had in mind :-)
<alp> i am unfamiliar with the python libraries though, it's quite possible they're more suitable
<MagnusR> I think Apple have released Python Bindings for parts of kerberos.
<bmonty> MagnusR: do you have a link?
<alp> i have done some work with managed pam plugins and nss
<wasabi> Yeah, but whatever we do, I want to have uptake on every distro.
<wasabi> And there's a political situation that matters.
<wasabi> Managed NSS sounds sorta wonky too. A CLR in every process instance?
<wasabi> Unless it's a shim to an out of process CLR or something.
<alp> the nss stuff was just for configuration
<wasabi> I think we've got a pretty good plan on where to go from here for client side stuff. I think now I'll just do some little work before UMV to make sure it's reasonable, then have the full conversation at UMV.
<wasabi> Unless mark pays some people, it's not going to happen... I suspect. =)
<alp> i think it would be doable in a few months if it didn't aim to interoperate with AD, use ldap properly and so on
<wasabi> All that's needed to interoperate with AD is LDAP.
<wasabi> And Kerberos.
<wasabi> AD isn't very special.
<MagnusR> bmonty: It is called python-kerberos in debian unstable.  It's under Apache License
<bmonty> MagnusR: thanks
<alp> apparently integrating the c# ldap libraries with kerberos is on the novell todo list, though that means it's not around now (http://forge.novell.com/modules/xfmod/newsportal/article.php?group_id=1318&msg_id=981&group=novell.devsup.ldapcsharp)
<lophyte> ergh.. why won't the kdc run..
<wasabi> Error?
<lophyte> nothing at all
<wasabi> Well, it has logs. =)
<lophyte> yeah, but there's no logs either
<wasabi> /var/log/krb5kdc i think
<lophyte> yeah nothing there
<wasabi> well, try to start it without the init script.
<wasabi> then strace it.
<lophyte> krb5kdc: cannot initialize realm BLINDUTOPIA.COM - see log file for details
<lophyte> but there's no log file
<wasabi> Heh.
<lophyte> that's helpful
<lophyte> stupid kdc
<wasabi> Interesting. Looks like Heimdal and MIT both have PKINIT support, and so does pam_krb5.
<wasabi> I think our pam-krb5 is diverged.
<wasabi> Yeah. Completely.
<tepsipakki> pam_krb5 from redhat?
<wasabi> Yeah. Looks like the two bases diverged years ago.
<wasabi> Ours seems to be maintained still, theirs is only maintained internally.
<tepsipakki> yep
<lophyte> oi.
<wasabi> http://www.stacken.kth.se/lists/heimdal-discuss/2006-10/msg00034.html
<tepsipakki> oh, there are tools in fedora/rhel that notify about expired tickets
<wasabi> We got PKINIT patches just a few days ago.
<wasabi> Looks like Nalin from RH is participating in the conversation (I talked to him a few years ago, he maintained libpam-krb5 internally)
<wasabi> so I bet they'll merge again
<lophyte> this is silly
<MagnusR> I have started to move server things from https://wiki.ubuntu.com/NetworkAuthentication to https://wiki.ubuntu.com/NetworkAuthentication/Server. Please add and comment.
<wasabi> Nice. Thanks.
<tepsipakki> slapd is from openldap? how about fedora directory server?
<tepsipakki> oh, it was mentioned
<tepsipakki> =)
<tepsipakki> (on the wiki)
<MagnusR> Fedora DS has a lot of nice web interfaces. So I think it should be evaluated. Unfortunately it takes more resources.
<tepsipakki> I remember seeing an ITP of it
<MagnusR> Anyone know if there are any debs for it?
<wasabi> There aren't.
<wasabi> Few people here were working on it
<wasabi> The interfaces require Sun's JRE.
<MagnusR> That's bad
<lophyte> hrm
<tepsipakki> but we have that now :)
<lophyte> so I got the kdc to start..
<lophyte> but now kadmin fails
<wasabi> Think I'm going to try to migrate my kerberos to LDAP
<tepsipakki> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315297
<tepsipakki> that's the ITP
<MagnusR> wasabi: But with only ldap you do not get the SSO possibility.
<wasabi> Huh?
<tepsipakki> magnusR: does fds have a kdc as well?
<wasabi> Didn't say replace Kerberos.
<wasabi> Store keys in LDAP
<MagnusR> wasabi: ok, misunderstood you
<MagnusR> tepsipakki: no
<lophyte> ugh.. okay, I give up
<wasabi> Anybody aware how to enable simple bind in slapd only over ldapi?
<wasabi> Interesting. When creating a new principal, it doesn't search for existing objects.
<wasabi> That's not so good.
<lophyte> hrm..
<lophyte> yay, more errors
<lophyte> how do I add a host principal in krb5?
<wasabi> kadmin
<wasabi> host/fqdn
<lophyte> how do you use kadmin without already having a principal set up, though?
<wasabi> kadmin -l
<lophyte> ah.
<lophyte> ..eh, there is no l option
<wasabi> kadmin.local then with MIT
<lophyte> hehe, no kadmin.local either :P
<wasabi> Beats me then. ;)
<wasabi> one of the two should be present.
<lophyte> or do I need krb5-admin-server installed
<lophyte> meh.. i have to go
<lophyte> I'll look for a complete howto later
<siretart> can you guys recommend a tutorial and/or good documentation for MIT Kerberos in edgy?
* ajmitch would have to dig through his bookmarks at home
<wasabi> Nope.
<Burgundavia> ajmitch, wasabi: would one of you mind responding to that -directory announce post on -devel and answer those people's questions?
<wasabi> looking
<wasabi> oh. missed all that
<tepsipakki> I tried tp3 a week ago
<tepsipakki> shared libraries are broken, so I couldn't run the provisioning script
<tepsipakki> or program, actually
<tepsipakki> that's samba-4.0.0tp3 I was talking about :)
<ajmitch> yep
<ajmitch> I saw your post on the samba list :)
* ajmitch was trying it out as well
<tepsipakki> oh :)
<tepsipakki> the packaging needed some tweaks to get through
<ajmitch> yes
* ajmitch was looking at that also
<tepsipakki> anyway, I'm looking forward to the beta
<tepsipakki> whenever that is released..
<ajmitch> yep
<wasabi> What do I want to respond to? heh
<lophyte> Burgundavia: I don't think I have time now to finish up the -ca approval.. I've got some things that need to be taken care of offline at the moment
* netjoined: irc.freenode.net -> brown.freenode.net
#ubuntu-directory 2009-10-23
<NiteSnow> Oo
