/srv/irclogs.ubuntu.com/2007/11/26/#ubuntu-server.txt

Centaur5	soren: Yeah, I installed a specific smartlink file from synaptic so I guess I don't know what I'm doing. :)	00:00
Centaur5	soren: Would pppoe taking control of ppp0 have a conflict?	00:00
soren	Centaur5: Depends on what you want to do with the modem. :)	00:02
soren	Centaur5: Not all uses of modems involve ppp.	00:02
Centaur5	soren: I want to use hylafax so any machine can send a fax. Any better method for doing this?	00:02
soren	Centaur5: Not sure. I've used asterisk for it a few times.	00:03
soren	Centaur5: But that's quite different.	00:03
Centaur5	I know this is going to be a newbie question but how to you find out if the modem is using /dev/ttyS0?	00:04
soren	Centaur5: Just use /dev/modem	00:05
soren	Aw, crap, I need to go to bed.	00:05
soren	Time flies when you're having fun.	00:05
Centaur5	soren: alright, thanks. I'll try to figure it out.	00:05
Centaur5	or when you're arguing?	00:05
soren	Centaur5: Arguing is fun.	00:06
soren	sometimes.	00:06
soren	Centaur5: When it turns out to be not completely pointless, it's fine.	00:06
Centaur5	haha, if you're going to argue with the wife do it naked so you can make up promptly	00:06
soren	and this time, I managed to convince someone that I was right (or so i think), so it's all good.	00:07
soren	Centaur5: Good advice.	00:07
soren	:)	00:07
Centaur5	alright, g'night soren	00:07
hatter	yes, g'night soren	00:08
soren	g'night, everyone.	00:08
ajmitch	night soren	00:08
soren	Oh, hi, ajmitch!	00:08
soren	And good night.	00:08
ajmitch	hi :)	00:08
soren	:)	00:08
* soren whisks off to bed.		00:08
osmosis	anyone know how I can enable putting the monitor in power saving mode during inactivity, rather then just blank screen?	00:20
lamont	nealmcb: ew. smarthost/password... is that sasl-ish?	00:27
lamont	nealmcb: so what I need is a howto-do-sasl config	00:27
nealmcb	lamont: I'm haven't looked at exactly what fastmail lis looking for, and maybe this is a less common use case than I was thinking, but it seems like it would be increasingly popular.	00:33
nealmcb	lamont: the itch that started me down this path was wanting to run caff to sign keys from the uds-boston keysigning party. but I didn't have email configured on my laptop, and I didn't have my pgp keys configured on the server I send mail from. I thought while I was at it, it should be a smarthost setup to fastmail (a password-protected relay) so it would work on the road without reconfiguration. but maybe the number of smarthost installs t	00:39
lamont	ah.	00:41
lamont	I just taught my postfix install that anyone with a cert signed by my CA is loved.	00:42
nealmcb	and maybe it's silly to even be wanting to run postfix on the laptop since I usually read it over ssh via mutt to another machine. but I'll probably be changing that.	00:43
nealmcb	lamont: I don't run the smarthost - just the postfix on the laptop - so I don't set the policy...	00:44
fujin_	Anyone familiar with freeradius?	00:44
fujin_	I'm having some freaky issues trying to use 1.1.7-1 from debian unstable	00:44
fujin_	reeradius: relocation error: /usr/lib/freeradius/rlm_sqlippool-1.1.3.so: undefined symbol: sql_get_socket	00:45
lamont	nealmcb: once I have a good sasl-config writeup that doesn't break the other options, I plan to include it.	00:50
lamont	it's more a function of me not needing it :-(	00:50
nealmcb	lamont: i.e. you want someone else to figure out how to fit that into the way ubuntu does sasl configs? I'm certainly no expert there, but if I ever get the itch badly enough I may plunge in....	00:52
lamont	I don't care who does it... I just know it'll go faster if someone else does it...	00:53
nealmcb	in the meantime I'll send some patches to the doc to clarify that this is NOT what the current doc describes how to do....	00:53
nealmcb	re: who does it - that's what I thought - makes sense	00:54
ScottK	nealmcb: Did you get your smarthost problem solved?	01:01
nealmcb	ScottK: nope	01:02
ScottK	nealmcb: What do you use for SASL?	01:02
nealmcb	nothing yet	01:02
nealmcb	I'm just using my cable smarthost for the time being	01:02
nealmcb	no password there	01:02
ScottK	If you have "The Book of Postfix" it gives you a good how-to.	01:02
lamont	ScottK: heh. I might at that	01:02
lamont	not sure where it's hiding though	01:03
* lamont works on figuring out what got changed in gutsy(?) that broke pam/ldap for him		01:04
ScottK	Using cyrus-sasl and sasl-db it wasn't that hard.	01:05
ScottK	Assuming you've set cyrus-sasl up once already.	01:05
nealmcb	Looking at my thunderbird config, I'm not even sure it uses sasl - it specifies "username and password" and "tls" but doesn't say sasl, though thunderbird may just be dealing with it under the covers....	01:06
ScottK	That's SASL.	01:07
lamont	if it wants a user/pass, it's SASL	01:10
nealmcb	it's been too many years since I looked at that - so even plain text passwords are sasl - that makes sense....	01:11
nealmcb	so in the real world, how common are plain-text passwords that use tls for secrecy, vs no-tls, and some other crypto for just the passwords?	01:13
lamont	anyone here using ldap for user creds?	01:15
* nealmcb resists the urge to !ask lamont (not)		01:15
lamont	nealmcb: well, the follow up is "WTF am I doing wrong?"	01:16
lamont	I had it working in feisty, and then y'all made it better in gutsy, and broke everything	01:16
nealmcb	lamont: You'll have to be more specific :-)	01:16
nealmcb	perhaps the question is "will the last person to touch ldap step forward" :-)	01:17
lamont	ldapsearch -LLL -x -D cn=admin,dc=mmjgroup,dc=com -W -H ldaps://ldap.mmjgroup.com -b dc=mmjgroup,dc=com 'uid=lamont'	01:18
lamont	that works. finger lamont doesn't hit ldap	01:18
lamont	rather, if I use a diff user, which only exists in ldap, then 'no such user' although ldapsearch happily drops the entire entry above.	01:18
zul	'lo	01:20
ScottK	nealmcb: plain methods plus TLS are the most common I believe. I suspect plain with no TLS is nearly if not more common.	01:25
* lamont is reminded that he hates perl		01:38
lamont	fcntl64(3, F_SETFL, O_RDWR\|O_NONBLOCK) = 0	02:04
lamont	connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.35.41")}, 16) = -1 EINPROGRESS (Operation now in progress)	02:04
lamont	select(1024, NULL, [3], NULL, {30, 0}) = 1 (out [3], left {30, 0})	02:04
lamont	getpeername(3, 0xbfe35138, [128]) = -1 ENOTCONN (Transport endpoint is not connected)	02:04
lamont	maybe it's not me...	02:04
lamont	I think there should be a "connect" call after the select, no?	02:04
fujin_	ITS YOUUUU	02:05
fujin_	no	02:05
lamont	heh.	02:06
lamont	so... why did getent use ldap, instead of ldaps.	02:06
lamont	for the love of pete	02:08
lamont	diff ldap.conf{.bad,}	02:09
lamont	2c2	02:09
lamont	< uri ldaps://ldap.mmjgroup.com	02:09
lamont	---	02:09
lamont	> uri ldaps://ldap.mmjgroup.com/	02:09
lamont	it would really be nice if the docs actually said that a trailing slash is required. Or, for the &)(^)( win, append a / when there isn't one.	02:12
fujin_	heh.	02:13
fujin_	have you got start_tls or whatever it is?	02:14
fujin_	tls start_tls	02:14
fujin_	ssl start_tls	02:14
fujin_	that's it	02:14
fujin_	ssl on/off/start_tls	02:14
fujin_	I gave up on tls/ssl	02:14
* lamont floods a little.		02:14
fujin_	and just put all of my ldap authentication into a secure airgap network and put it plaintext	02:14
lamont	base dc=mmjgroup,dc=com	02:14
lamont	uri ldaps://ldap.mmjgroup.com/	02:14
lamont	ldap_version 3	02:14
lamont	rootbinddn cn=admin,dc=mmjgroup,dc=com	02:14
lamont	nss_base_passwd ou=People,dc=mmjgroup,dc=com?one	02:14
lamont	nss_base_shadow ou=People,dc=mmjgroup,dc=com?one	02:14
lamont	nss_base_group ou=Group,dc=mmjgroup,dc=com?one	02:14
lamont	TLS_CACERT /etc/ssl/certs/MMJ-2005-cacert.pem	02:14
lamont	TLS_REQCERT demand	02:14
lamont	use_sasl no	02:14
lamont	rootuse_sasl no	02:14
fujin_	mm, looks fine	02:15
lamont	works fine, except for gutsy (1) renaming all the files, and (2) changing to require that trailing slash	02:15
fujin_	awesome gutsyness	02:15
fujin_	I haven't even started testing it yet :\	02:15
lamont	oh, I expect that it's true in debian too	02:15
wasabi	Oh geeze.	02:15
wasabi	nss-ldapisms	02:15
wasabi	shield my eyes!	02:15
fujin_	wasabi: nothing else can do what it does!	02:15
lamont	nss is love	02:15
wasabi	Winbind and Samba can	02:15
wasabi	Better	02:15
fujin_	oh pfft	02:15
lamont	except for the sodomotron parts.	02:16
wasabi	I would not mind LDAP on Linux if nss-ldap and pam-ldap didn't suck so blatantly compared to alternatives.	02:16
fujin_	yeah, that's true	02:26
fujin_	they are pretty shit	02:26
fujin_	I wish my senior hadn't told me we had to use it	02:26
fujin_	so that I could use like, nss-mysql and pam-mysql	02:27
fujin_	or something, else.	02:27
* lamont looks around for a pam.conf knowledgeable person to confirm that '... required pam_permit.so' is basically a no-op		02:48
lamont	whereas '... sufficient pam_permit.so' is a "no more checking, just let'em in" directive	02:48
fujin_	should be sufficient pam_ldap.so	02:50
fujin_	required pam_permit.so	02:50
lamont	right	02:52
lamont	my "sufficient" example above being totally wrong other than for explaining how stupid it is...	02:53
* lamont calls the new home-config package sufficient.		03:53
Centaur5	is there a way to see a dhcp table of what addresses have been given out on Gutsy?	04:30
hatter	Centaur5, do you mean /var/lib/dhcpd.leases	04:39
lamont	hatter: /var/lib/dhcp3/dhcpd.leases	04:39
lamont	er, Centaur5	04:39
hatter	ya thats it	04:39
Centaur5	perfect, thanks	04:39
_ruben	bah .. i suffered from Bug #141601 last night .. not sure if i should be happy with the fact that it's a "known" issue :p	07:40
ubotu	Launchpad bug 141601 in tasksel "tasksel packages stays at 100%" [Undecided,New] https://launchpad.net/bugs/141601	07:40
soren	_ruben: What does it mean that a package is at 100%?	08:03
svschwartz	hi all	08:37
svschwartz	got question	08:37
svschwartz	does ubuntu-server use upstart or sysv ?	08:38
svschwartz	Gutsy	08:39
svschwartz	how can I figure this out?	08:40
avatar_	you've installed gutsy?	08:40
avatar_	dpkg -l \|grep upstart	08:40
svschwartz	yes	08:40
avatar_	gutsy uses upstart	08:40
svschwartz	Is there any tool like sysv-rc-conf to manage startup sctipts ?	08:41
svschwartz	there is upstart-compat-sysv package that says "compatibility for System-V-like init" so I gues sysv-rc-conf is ok	08:44
svschwartz	anybody here interested in creating drive images ? I've found good project - fork of partimage, it needs our help https://launchpad.net/partimage-ng	08:47
_ruben	soren: its indeed described a bit vague, but it means that the progress bar gets stuck at 100%	09:05
soren	_ruben: Aha.. Anything interesting in the process table?	09:06
_ruben	zombie process	09:06
_ruben	cant reproduce atm since im at work and the issue was at home and wol aint working on that box :/	09:07
_ruben	i think it was some apt-* process that was in zombie state	09:07
_ruben	it was 1 or 2 lines below the whiptail process	09:08
soren	_ruben: The proces that is a zombie is not the problem.	09:08
_ruben	(never really understood the real concept of zombie procs)	09:09
_ruben	apart from getting rid of them can be quite tedious, except for this case, killing the tasksel proc kills all	09:10
soren	It's hardly ever tedious.	09:12
soren	When a process terminates, it has an exit code.	09:12
soren	Until another proces has read this exit code (by issuing the wait() system call), the process can't be removed from the process table.	09:13
soren	A process that has terminated, but has not been "reaped" (had its exit code read), is a zombie process.	09:14
_ruben	ah, didnt know that	09:14
soren	If a process' parent process dies, the process is orphaned and adopted by init (pid 1).	09:14
soren	init will always take care of calling wait() on terminated processes.	09:14
soren	So... Putting these two facts together, we get:	09:15
soren	To get rid of zombie processes, you need to focus on the parent.	09:15
soren	Get the parent to bury its dying child process, or kill the parent so that init can take care of it for them.	09:15
soren	A zombie process is harmless.	09:15
soren	It takes a spot in the process table, but all its memory and such has already been freed.	09:16
soren	It's cosmetic, really.	09:16
_ruben	true .. tho the fact that tasksel is hanging (be it cause or result), is a bit of an issue ;)	09:17
soren	_ruben: Possibly. I'd need to see the process table when this happens.	09:18
_ruben	figured as much	09:18
_ruben	trying to reproduce it on a vm here probably aint gonna work, since if it'd be 100% reproducable, there would probably be more comments, etc	09:19
soren	yeah	09:19
_ruben	on the system i played with last night (dell c521) it was 100% reproducable (tried few times)	09:20
_ruben	tho i cant think of anything fancy that could be causing this	09:20
soren	Dunno.	09:31
=== ScottK2 is now known as ScottK
=== AnRkey_ is now known as AnRkey
AnRkey	how can i get nmap to use a broadcast ip?	14:13
AnRkey	it's driving me nuts cause google is not turning up much	14:13
ivoks	why would you do that?	14:13
sommer	AnRkey: do you want to scan an entire subnet?	14:19
sommer	AnRkey: sudo nmap -sS 10.0.0.0/8	14:19
sommer	for example... if you are trying to scan a subnet anyway	14:20
AnRkey	yeah but our cisco vlans are confed to block broadcasts	14:23
AnRkey	so i need to spec a broadcast ip in the nmap command	14:23
AnRkey	for example when we use wakeonlan we do ... wakeonlap -i 172.16.10.255 -p 9 172.16.12.0/24	14:24
AnRkey	so the wakeonlan broadcast for 12.0/24 goes through 10.255	14:25
AnRkey	i can't see any option for broadcast ip's in nmap though...	14:25
sommer	AnRkey: mmmm... not sure, you might double check the man page if you haven't	14:26
AnRkey	i have almost memorized the man page :D	14:28
AnRkey	thanks anyhow	14:29
AnRkey	i will not let it win!!!	14:31
ivoks	people do strange things with their networks :)	14:38
soren	AnRkey: It wont' work anyway.	14:40
soren	AnRkey: I can't imagine any system in its right mind will respond to requests sent to the broadcast address.	14:41
ScottK	lamont: Got a minute for an HPPA question?	14:47
AnRkey	good point soren	14:47
* AnRkey ponders his predicament...		14:48
ScottK	lamont: Nevermind. Figured it out. Sendmail isn't built yet. Urgh.	14:51
ScottK	lamont: Are you planning on asking for give backs on Universe stuff that doesn't build for HPPA in Hardy because builds are out of sequence?	14:52
lamont	ScottK: yeah. at some point.	14:52
lamont	I figured I'd let it catch up, and then have someone do a mass give-back	14:52
lamont	sendmail should bump up?	14:53
ScottK	OK. I won't worry about it then.	14:53
lamont	and what needs to be retried because of it?	14:53
ScottK	lamont: dkim-milter	14:53
ScottK	It was looking for libmilter1, but HPPA doesn't have it yet because Sendmail 8.14 isn't built yet on HPPA.	14:53
lamont	sendmail at 900, dkim-milter at 350	14:54
ScottK	Which means?	14:54
lamont	so it's _way_ down the pipe after sendnail	14:54
lamont	sendmail will build before anything else in universe, after all of main	14:55
ScottK	Well it already FTBFS once.	14:55
lamont	universe largely defaults to 355, so it'll come after a large chunk of universe	14:55
lamont	dkim-milter, taht is	14:55
lamont	sendmail ftbfs?	14:55
ScottK	No, dkim-milter	14:55
ScottK	Sendmail is not yet built.	14:55
ScottK	The new one	14:55
ScottK	8.13 built, but not 8.14.	14:56
lamont	sendmail is next up, unless something from main hops in ahead of it.	14:57
* lamont needs to go heads-down on a work thang today		14:58
kraut	moin	15:17
Runithad	hello, this is my first visit, I have 2 ubuntu servers hosting 10 domains :-)	16:02
nealmcb	Runithad: welcome!	16:09
Runithad	thx	16:44
jaredthane	I need to build php5 with a certain configure options. How can I figure out which configure options the ubuntu php5 package has?	16:54
sommer	jaredthane: php --info from a terminal will tell you.	16:59
sommer	you could also create an info.php file calling the phpinfo() function.	16:59
=== dantalizing is now known as dantalizing\|lunc
Gargoyle	if I am using DRBD with heatbeat 2, do I still need outdate-peer in drbd.conf?	17:14
kshah	What is the preferred way for granting ftp access to a non home directory, for instance the apache web directory /var/www -R , using vsftpd	17:35
somerville32	Just give the account access to that directory	17:36
somerville32	Or even set it's home directory to /var/www if you want it to start there on login	17:36
kshah	set the users home directory	17:37
kshah	?	17:37
kshah	or chmod the user	17:37
somerville32	If you want them to start in /var/www when they login, set their home directory to that	17:38
somerville32	However, that doesn't give them permissions	17:38
somerville32	You need to change the permissions to do that	17:38
kshah	thx	17:40
somerville32	No problem.	17:40
kshah	i want to fully understand file permissions, so if /var/www is owned by user root and group root, to give my local user write permission there, i have to execute chmod with the +o option?	18:00
somerville32	kshah, no	18:01
kshah	oh no	18:01
kshah	how does my local user relate to the groups?	18:01
somerville32	You would have to set the group for /var/www to something different	18:02
somerville32	And than add that user to that group	18:02
somerville32	and set the permissions for the group for that directory to what you want	18:02
kshah	okay that makes sense, but does that effect, say the daemons who need to read there, apache, or rails?	18:05
somerville32	It might if you don't do it correctly	18:05
kshah	I'm not following, as I understand the apache user is www-data, right?	18:07
kshah	but unless they are in the 'root' group, how does their access work?	18:07
somerville32	What is the output of ls -l \| grep www ?	18:08
kshah	755	18:09
kshah	for /var/www and subs	18:09
somerville32	Who is the owner and group of /var/www	18:10
kshah	root / root	18:10
=== dantalizing\|lunc is now known as dantalizing
kshah	i just don't get what is the proper way to give my user permissions to the /var/www directory	18:13
dantalizing	kshah "sudo chown -R <username> /var/www" then "sudo chgrp -R www-data /var/www" will allow your user to "own" the files, and the web server to read them	18:16
kshah	dantalizing: and that won't interfere with rails or anything like that because Apache hands off the files to rails and then rails back to Apache?	18:18
kshah	okay, so now I 'own' the files, and I put myself in the group that apache creates when it installs www-data? is that right	18:20
dantalizing	shouldnt interfere with your rails	18:21
dantalizing	regarding your perm setup, really depends on what else you need to do	18:21
dantalizing	does the web server process need to modify files?	18:21
dantalizing	do you have other users who will be modifying files?	18:22
kshah	users: probably not	18:22
dantalizing	if you own the files, no need to add yourself to www-data	18:22
kshah	web server process: i don't know, this is just a rails app	18:22
kshah	are you saying that if rails needs to create a file, it may have a problem since it'll be apache handling it and it doesn't have write permissions?	18:23
dantalizing	for instance, a typical php blog app will write to a config.php during a web based configuration, and therefore www-data would need write access to that file	18:23
kshah	okay i see, yeah	18:23
dantalizing	but if you're just reading files, www-data only needs read	18:23
kshah	so then what do people typically do to accomodate for all situations?	18:24
kshah	do they just do it case by case?	18:24
kshah	and grant permissions for specific files?	18:24
kshah	best practice	18:24
dantalizing	imho, "all" is too general	18:24
kshah	ok	18:24
dantalizing	i dont know "best" practice, but for my wifes static website (no rails, no php), i made the files owned by her, read by www-data	18:25
dantalizing	all html is 640	18:25
dantalizing	and dirs are 750	18:26
dantalizing	that wouldnt work if you have a web based template modify page, for instance	18:26
dantalizing	I never leave the files with root owner/group	18:27
kshah	okay, and so if my rails app needs to write uploaded files, I can do it in a folder that i specifically grant permissions to that is below the web root	18:28
dantalizing	or preferably outside the webroot, but yes	18:28
dantalizing	so assuming you own the dir, and www-data is the group, that dirs permissions would be 770	18:29
kshah	cool, I think I got it, make exceptions to the security, not security to the exceptions	18:32
dantalizing	well put..	18:32
kshah	exceptions might not be the best word, but I get it :) thank you dantalizing	18:33
dantalizing	advice worth every penny you paid!	18:33
dantalizing	:)	18:33
kshah	lol	18:37
dendrobates	bug 155947	19:16
ubotu	Launchpad bug 155947 in libnss-ldap "ldap config causes Ubuntu to hang at a reboot" [Undecided,Incomplete] https://launchpad.net/bugs/155947	19:16
zul	i think we got bitten by that today	19:17
zul	at work	19:17
alephant	Hey all...	19:21
alephant	I have a Dell PERC 5i controller that works beautifully with the megaraid_sas driver	19:21
alephant	but now I'd like to get notified when the array is degraded	19:21
alephant	I yanked out a drive, and the LEDs indicated that the array was being rebuilt, but there's nothing in syslog	19:22
alephant	Will the module do any status reporting, or do I need Dell's OpenManage cra^H^H^H stuff to talk to the controller?	19:24
alephant	...so apparently the megaraid_sas has no hooks into /proc >:-\|	19:27
alephant	Anybody had any luck with the Dell OMSA stuff in Ubuntu?	19:27
kshah	can anyone possibly tell me a reason why every time my friend visits my website (any file, ubuntu 7, apache 2.2) he has to refresh the page before it shows, the first time he visits it is a blank page?	19:31
mralphabet	kshah: his cache	19:31
kshah	mralphabet: but it is the first time he's visited the page, he clear his cache and it still requires him to refresh, or am I misunderstanding you?	19:32
mralphabet	so you make a page, blah.html with stuff in it and it shows blank the first time he visits it?	19:33
kshah	yes	19:33
mralphabet	sorry, I misunderstood then, that is odd	19:33
mralphabet	does your error log say anything?	19:35
mralphabet	does this happen for any other visitors?	19:38
kshah	it doesn't happen for me	19:39
kshah	checking the log	19:39
mralphabet	if it works for you and doesn't for him, I have to say it is something on his side of things	19:39
mralphabet	what client browser?	19:39
kshah	FF	19:40
kshah	its so odd	19:41
mralphabet	and has he tried IE?	19:41
mralphabet	or safari or any of the others?	19:42
mralphabet	or lynx if he's on a linux box?	19:42
kshah	asking him to use IE	19:42
kshah	I wonder if it is because there is a conflicting DNS entry	19:43
kshah	two servers both claiming to be something.com	19:43
kshah	doesn't seem to make sense though	19:43
mralphabet	that could be a roundrobin answer	19:44
mralphabet	attempt 1 goes to ip 1, attempt 2 goes to ip 2	19:44
h4x0r7h1s	damnit	20:03
h4x0r7h1s	I am using mod_jk to connect to an ajp13 worker, and it totally ignores my JkWorkersFile setting and just initializes a worker called ajp13 trying to connect to localhost:8009	20:04
h4x0r7h1s	it'll bitch if the file isn't there of course, but it doesn't load workers from it	20:04
kshah	not sure if I should ask this here or in #apache, but I've successfully followed the ubuntu-server guide in the past to enable SSL, self signed, but I want to it to work like a real website, only for pages that I designate as needing to be secure, login/logout, accounts, etc	20:24
kshah	can someone help me with that?	20:24
sommer	kshah: you can place the security settings in a .htaccess file	20:26
sommer	I'm not 100% sure if that's what you're looking for though.	20:26
kshah	well, like when someone clicks on 'login', that should be in https://	20:27
kshah	'should be in' didn't make sense, but you know what i mean	20:27
sommer	kshah: for a situation like that what I usually do is a rewrite rule.	20:28
mralphabet	the link that you make points to https://somesite.com/somedir/somesslfile.html	20:28
kshah	okay, i know what you mean, i think i saw an example of that	20:28
kshah	sommer: in the conf file	20:28
mralphabet	kshah: did your friend fix his browsing problem?	20:28
sommer	kshah: should be there's also some great examples in the docs on the apache site.	20:29
kshah	mralphabet: I don't think so, I don't think its happening to him in IE, he doesn't know whats up	20:29
kshah	sommer: thanks, I think I read over an example there, I just wanted to confirm here in case I misunderstood	20:31
sommer	np	20:31
=== jetole_ is now known as jtole
jtole	hey guys, I am looking to do load balancing with failover for a web site, the two locations for the site are located states away from each other and we were originally going to do DNS with two A records and low cache so we can manually remove one if a site goes down	20:39
jtole	but I thought you guys might know of a better solution	20:39
ivoks	redhat-cluster-suite + ldirectord	20:39
ivoks	oh... sorry	20:39
ivoks	states away	20:40
ivoks	didn't notice that part :)	20:40
jtole	especially if it can be automated so if one site fails, traffic is automatically diverted to site B	20:40
jtole	yeah, it's ok	20:40
jtole	plus it has to be OS independent since the sites are on windows IIS/SQL however some of them are on xen on ubuntu with a debian IDS at one site	20:41
jtole	SQL is fine actually, the web servers always connect to the SQL at the same site	20:41
jtole	so basically it would be end user @ anywhere connecting to 80/443	20:41
ivoks	well... you can't do much on those systems	20:45
ivoks	both have public IP address, right?	20:46
fujin	jtole: use the linux HA packages	20:48
fujin	can do easy failover between n+1+x systems	20:49
fujin	I use it here locally on a private LAN for a callcentre Asterisk setup	20:49
fujin	across the intertrons it should work fine	20:49
fujin	oh what	20:49
fujin	one server is windows? nevermind	20:49
ScottK	ivoks: Saw your reply on the server list. Sounds very good. I think this will be a big step forward for Ubuntu mail server easy of setup.	20:50
ScottK	easy/ease	20:50
ivoks	i hope so	20:52
ivoks	fujin: HA or redhat-cluster-suite is not good options for this situations	20:53
jtole	ivoks: yes, they are all on public IP, like I said, right now our main coarse of action is DNS with two A records and a 5 minute cache time but if one server goes down it requires manual intervention to initiate the failover	20:54
jtole	fujin: so for linux HA I am fscked?	20:54
ivoks	jtole: do you really have a fail over?	20:55
ScottK	jtole: You could write a script to check and modify the DNS if it gets no response.	20:55
ivoks	i mean... i guess each server has it's own sql database, right?	20:55
ivoks	so... services don't fail over	20:55
ivoks	they just die, right?	20:55
ScottK	Personally, I think it's more trouble than it's worth. Just make the primary as reliable as you can and suck up what little outages you get unless it's so critical you can afford to do it right.	20:56
jtole	ivoks: no, not yet, the second co-location will be implemented in about two weeks	20:58
jtole	right now we just simply have a primary site	20:58
ivoks	will they have same SQL data?	20:58
jtole	ivoks, there will be SQL servers at each site, currently there are two at our main site but no fail over and it is managed hosting solution (which I don't like) and they will not provide us one	20:59
jtole	however both sites will be getting transaction (up to the minute) updates of remote sites	20:59
jtole	MS SQL transactional replication	20:59
ivoks	and one machine is windows, and the other is linux?	21:00
sommer	ScottK: hey, just wondering if you'd had a chance to review the Mail Filtering section of the Postfix docs?	21:01
ScottK	No. Sorry. Still on my list.	21:01
sommer	ScottK: cool, no rush	21:01
jtole	ScottK: it is not only crucial but was more then a recommendation of upper management, so far I have allocated 24k in new hw expenses as well as 1400 a month on co-location costs and it was all approved in record time	21:08
jtole	I don't imagine any big web site has only one location and I have seen many mid sized companies in previous employment that do not	21:09
ScottK	jtole: In that case, I'd suggest doing a proper failover or HA solution like ivoks was suggesting. Don't mess with the Windows/Linux mix	21:09
jtole	well right now windows is a requirement	21:09
fujin	yuck@windows/linux mix	21:09
fujin	then do windows/windows	21:09
ScottK	jtole: True, but I think it's more important for scalability than reliability.	21:09
fujin	and use the windows cluster tools	21:10
jtole	fujin: windows VM is a pain in the ass and we want quick restoration in the event of a problem	21:10
ScottK	My web host, on a shared server has ~5 minutes of down time a year.	21:10
mralphabet	all that you have right now is round robin dns answers and a low TTL, that is not failover ;(	21:10
jtole	i.e. in xen copying c:\ from 5 days ago back over corrupt c:\ etc	21:10
jtole	ScottK: well our managed hosting provider has had 3 of our servers go down in the last few months	21:11
ivoks	so those are windows on top of linux	21:11
mralphabet	jtole: if you want quick recovery from a meltdown on the windows side, there is a symantec product that can restore to bare metal in ~ 1 hour	21:11
ivoks	ayayay	21:11
jtole	that is why co-location is now a priority	21:11
fujin	jtole: then use linux/linux	21:11
ScottK	jtole: Then get a better provider.	21:11
jtole	ivoks: yes A windows on top of linux	21:11
jtole	xen	21:11
* mralphabet sighs		21:12
ivoks	drop linux and go with windows only	21:12
ivoks	nothing else works	21:12
jtole	fujin: windows is a requirement, this site has been long established for years and is all ASP / SQL 2000	21:12
jtole	ScottK: co-location will be a better provider	21:12
mralphabet	then take linux out of the equation and use the windows HA tools	21:12
mralphabet	does the linux OS actually do anything other then serve xen?	21:14
jtole	mralphabet: no but it will be serving multiple machines on xen	21:14
mralphabet	and what do these multiple vm's do? one for asp and one for sql?	21:15
jtole	two for IIS, one SQL, one mail, another one running linux nagios on one of the machines	21:15
ivoks	so many xen machines...	21:16
ivoks	i hope you have two quad core processors :)	21:16
jtole	that is what xen was built for	21:16
fujin	you're doing it wrong	21:16
ivoks	and 16GB of ram :)	21:16
fujin	as I said earlier	21:16
mralphabet	aye, you are doing it wrong	21:17
jtole	yes, AMD 2.4 Ghz w/ 8GB RAM and RAID 5 with 5 250GB sata 2	21:17
fujin	take Linux out of the equation and use the windows clustering/HA tools	21:17
mralphabet	your stated goals do not match up with the hardware / software mix you have	21:17
jtole	on two machines + IDS and bypass switch + switch w/ monitor port	21:17
jtole	so you guys are saying to lose windows all together on this one?	21:17
akincer	!pastbin	21:17
ubotu	Sorry, I don't know anything about pastbin - try searching on http://ubotu.ubuntu-nl.org/factoids.cgi	21:17
jtole	er, lose linux I mean	21:18
akincer	!pastebin	21:18
ubotu	pastebin is a service to post large texts so you don't flood the channel. The Ubuntu pastebin is at http://paste.ubuntu-nl.org (make sure you give us the URL for your paste - see also the #ubuntu channel topic)	21:18
fujin	jtole: either lose linux, or lose windows	21:18
mralphabet	or go to vmware esx	21:18
fujin	a 100% linux environment will enable you to use the heartbeat / linux-ha clustering packages for failover	21:18
mralphabet	esx has failover packages for vm's	21:18
fujin	and a 100% windows environment will let you do a similar thing with clustering	21:18
fujin	mralphabet: esx wont' work, as, his two servers are 'states' away afaik	21:18
ivoks	khm... redhat-cluster-suite instead of ha :)	21:18
jtole	like I said, I can't lose windows, I would like to but I cannot	21:18
fujin	wth@ redhat-cluster-suite	21:19
fujin	I don't even know what that is, it's so wrong	21:19
fujin	s/redhat.*//	21:19
mralphabet	fujin: I thought esx could do remote failover in case a building disappears	21:19
jtole	lol	21:19
ivoks	fujin: ?	21:19
fujin	mralphabet: not sure about that	21:19
fujin	but ESX at both locations would be expensive	21:19
ivoks	fujin: it's a tool, fully suported in ubuntu	21:19
fujin	(san, n+1 esx hosts)	21:19
ivoks	wich isn't something you can say for ha	21:19
jtole	well, unfortunatly, we won't have linux at all at one site	21:19
fujin	ivoks: apt-get install heartbeat?	21:20
fujin	apt-get install heartbeat2	21:20
ivoks	fujin: in universe	21:20
mralphabet	fujin: he's already 24k deep /shrug	21:20
jtole	although this may become two co-locations once the first one is up and proves useful	21:20
ivoks	fujin: r-c-s is in main	21:20
ivoks	fujin: and much much better than ha	21:20
fujin	mralphabet: san+esx host(s) > 100k	21:20
mralphabet	fujin: what's another 75?! ;)	21:20
fujin	I guess.	21:20
akincer	I posted here a week or so ago about a Tripp Lite KVM keyboard and touchpad that didn't work in the server install. I got it working only by unplugging and plugging it back in. I included output of dmesg in this process here http://paste.ubuntu-nl.org/45942/	21:20
fujin	akincer: log a bug	21:21
akincer	Was just thinking that	21:21
mralphabet	fujin: i'm just being sarcastic	21:21
fujin	Generally the engineer shouldn't have to worry about pricing.	21:22
mralphabet	true, to a point	21:22
mralphabet	anyway, jtole, as I said before, your stated goals and what have already don't really mix	21:23
jtole	I gotta run, cheers	21:23
mralphabet	I feel kinda bad for him	21:23
fujin	heh, yeah.	21:24
fujin	I wouldn't want to inherit that shitbag of a system.	21:24
fujin	he is doing it wrong, though.	21:24
mralphabet	yes	21:24
mralphabet	he's asking for help AFTER he already bought the system	21:24
fujin	"I did it wrong! help!"	21:24
fujin	;\|	21:24
fujin	epic fail	21:25
mralphabet	how about the novel approach of doing a little research first ;(	21:25
fujin	That's always good.	21:25
ivoks	fujin: if you use HA, really check out cluster-suite	21:28
akincer	Got a bug report of my very own. How nice	21:29
fujin	It'd be a pain to change it.	21:29
ivoks	fujin: it provides some features HA doesn't and provides support for shared (file) systems like drbd and gfs	21:29
ivoks	fujin: that's what i tought so	21:30
fujin	ivoks: I rolled heartbeat v1 (linux-ha) for my systems, for basic ping-node failover.	21:30
ivoks	fujin: now i just wish i did't it sooner :)	21:30
fujin	and have no use for drbd/gfs	21:30
fujin	I just check if asterisk is running, check conectivity etc	21:30
fujin	it's only very basic.	21:30
ivoks	ok	21:30
ivoks	s/drbd/gnbd/	21:31
fujin	is gnbd functionally identical to drbd?	21:31
ivoks	no	21:31
fujin	I had thought of using drbd for voicemail replication etc	21:31
ivoks	drbd provides shared disk	21:31
fujin	but gave up and went with one-way rsync from the secondary from the primary	21:31
ivoks	gnbd provides access to physical disk	21:31
fujin	oh, cool	21:31
fujin	ivoks: without copying the data?	21:32
ivoks	with drbd you can set up network mirror	21:32
ivoks	with drbd?	21:32
ivoks	i'm using drbd for web servers	21:32
fujin	what does GNDB do?	21:33
ivoks	imagine you have NAS	21:33
fujin	provide access to data over the network (like NFS)?	21:33
fujin	I've been looking for a way to share mailstores between my 3 mailhosts	21:33
ivoks	well, yes and no... :)	21:33
fujin	all the data is on a SAN, but implementing file locking between them has been a pain	21:33
ivoks	filesystem does that	21:33
ivoks	with gnbd you export device	21:34
ivoks	and then create GFS on it	21:34
fujin	I see.	21:34
ivoks	so all systems can access that device at the same time	21:34
ivoks	you just need to make sure that gnbd server doesn't fail	21:34
ivoks	this is why i use drbd	21:34
ivoks	drbd keeps data in sync on two machines	21:35
ivoks	and allows both machines to rw at the same time	21:35
ivoks	with GFS on top of it, problems with locking are solved	21:35
fujin	but theoretically	21:36
fujin	I'm reading the usage stuff now	21:36
fujin	it looks like it'll do what I want	21:36
ivoks	i took me one week to figure it out what is what exactly :)	21:36
fujin	drbd would work, but replicating 300gb of mail is silly	21:36
fujin	between all 3	21:36
ivoks	you can't do that	21:36
fujin	oh?	21:37
ivoks	you can have only two primaries at the same time	21:37
ivoks	it's doesn't replicate all 300GB, only changes	21:37
ivoks	so, on reboot, only changes are replicated	21:37
fujin	I see	21:37
fujin	but it'll still mean having 300gb x X	21:37
fujin	just to redundantly have 300gb	21:37
ivoks	yes	21:37
fujin	while space isnt' really an issue (we've a 5tb~ SAN)	21:37
fujin	I'd prefer something that just shared the exact data, with happy file locking	21:38
fujin	(and wasn't NFS!)	21:38
* fujin cringes @ NFS		21:38
ivoks	gnbd+gfs	21:38
fujin	Yes, it seems like it'll do what I want.	21:38
ivoks	just don't use OCFS	21:38
ivoks	ocfs died on me couple of times during testing	21:39
ivoks	gfs works great	21:39
fujin	Thanks for the suggestion	21:39
fujin	I've made note of it and will investigate further when my current projects are completed	21:39
ivoks	source: http://sources.redhat.com/cluster/	21:40
ivoks	:)	21:40
fujin	And you said it's apt-gettable?	21:40
ivoks	it's in main	21:40
fujin	That's handy.	21:40
ivoks	it's only clustering system supported in ubuntu	21:40
ivoks	everything else is in universe	21:41
ivoks	community supported	21:41
fujin	I see.	21:41
* Nafallo hates servers		21:41
fujin	I hadn't had any issue with linux-ha, and that was the first tutorial I found	21:41
ivoks	me too	21:41
fujin	generally don't do application-level failover.	21:41
fujin	or, hadn't done it before	21:41
ivoks	i had one problem with linux-ha	21:41
ivoks	two machines, both runing mysql in master-master replication	21:42
ivoks	each machine has it's own IP	21:42
ivoks	and mysql binds to that IP	21:42
ivoks	one has VIP, so mysql binds to VIP also	21:42
ivoks	but when that machine fails, VIP goes to other machine	21:42
fujin	nasty	21:42
ivoks	and then you have a problem	21:43
fujin	I hate two-way MySQL replication.	21:43
fujin	we do master-slave here, with manual failover	21:43
ivoks	mysql needs restart, cause it isn't binded to VIP	21:43
ivoks	with r-c-s, you don't have to do that :)	21:43
fujin	ivoks: any resources/tutorials on r-c-s configuration?	21:43
ivoks	fujin: there's a GUI tool for setting up :D	21:43
fujin	My servers don't run GUI's!	21:44
ivoks	it creates cluster.conf	21:44
ivoks	no... it's a tool; you can run it on your laptop	21:44
ivoks	it creates cluster.conf, which you then transfer to servers	21:44
fujin	I wouldn't run Ubuntu on a desktop, either.	21:44
fujin	does apt-getting redhat-cluster-suite install all of the magic stuff? like gfs-tools etc?	21:45
ivoks	yes	21:45
fujin	ah, it's a metapackage I see.	21:45
fujin	so, basically	21:45
fujin	the clients (my mailhosts, in this example) will have gfs and gndb client configured	21:46
fujin	and then theoretically behind that I'd have say, mailstores	21:46
fujin	with gndb-server and gfs installed on it	21:46
fujin	s/it/them/	21:46
ivoks	right	21:46
fujin	cool	21:47
fujin	sounds great	21:47
fujin	now if only I could find some documentation or a tutorial on rcs	21:47
ivoks	there are PDFs	21:47
ivoks	search for Global_Network_Block_Device.pdf	21:47
ivoks	and	21:48
ivoks	Cluster_Administration.pdf	21:48
ivoks	and Global_File_Syste.pdf too	21:48
fujin	cool, found it	21:48
fujin	will pass them onto my senior and have him browse through	21:49
fujin	may roll it on my phone system too, for the fun of it :)	21:49
ivoks	if you have only two servers	21:50
ivoks	it would, maybe, be better to stay with HA	21:50
ivoks	anyway... good night to you all	21:53
=== tiborio__ is now known as tiborio

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!