[00:00] <soren> a) install the security update b) replace all your ssh keys (both dsa and rsa)
[00:00] <soren> b) does not include the host keys as those will be handled by the security update itself.
[00:02] <owh> InsomniaCity: An added benefit of your advice is that in composing the message I made a generic version which made me think of other past clients who may be affected and who may not have a current sysadmin.
[00:07] <arooni-mobile> how do i regenerate my keys on my dev boxes (keys i will copy over to the server's ~/.ssh/authorized_keys file)?
[00:08] <hads> ssh-keygen
[00:08] <arooni-mobile> do i need to restart my computer before doing that agian
[00:09] <arooni-mobile> my dev boxes which are running ubuntu
[00:10] <hads> Nope, reboots are only needed for kernel upgrades.
[00:12] <arooni-mobile> ok great
[00:18] <arooni-mobile> Enter passphrase (empty for no passphrase):   necessary or not?
[00:19] <hads> Yes! passphrase-less keys are A Bad Thing
[00:20] <hads> Without a passphrase anyone who gets your private key will be able to access any server which has your public key.
[00:30] <LeChacal> what is a .phtml file and why all of a sudden is my web server severing this file and not my normal index.php file
[00:36] <arooni-mobile> i was ssh'd into a gutsy box and was running:  sudo apptitue update; sudo apptitude dist-upgrade; then accidentally closed the ssh window.  now i see:     E: Could not get lock /var/lib/dpkg/lock - open (11 Resource temporarily unavailable);  E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?  (what should i do?  is update still running)?
[00:36] <hads> ps ax | grep aptitude
[00:40] <hads> LeChacal: .phtml is usually a PHP file.
[00:41] <hads> LeChacal: Assuming you are using apache it will serve index files in the order specified with the DirectoryIndex directive.
[00:45] <macd> arooni-mobile, just rm the lock file, and kill all apt process, and restart the dist-upgrade, if it gives you more errors, clean out the cached packages in /var/cache/apt/archives/* and /var/cache/apt/archives/partial/*
[00:47] <hads> And run in screen :)
[00:47] <macd> yes, that too
[00:47] <macd> Has anyone had troubles with sshd after upgrade, newly generated keys from updated ssh/ssl gives errors when trying to auth via key on ssh, http://pastie.caboo.se/197206
[00:47] <arooni-mobile> what does run in screen mean
[00:47] <macd> screen is your best friend
[00:48] <hads> http://www.kuro5hin.org/story/2004/3/9/16838/14935
[00:48] <macd> when using ssh, as soon as you login type "screen", then do your stuff, to disconnect from ssh, and not loose your terminal type crtl a+d or accidental disconnects leave your terminal running
[00:48] <macd> then ssh back in, and screen -r to resume, if you have more thanone screen running it'll give you pid's
[00:49] <arooni-mobile> sweet action
[00:49] <macd> yah
[00:49] <macd> arooni-mobile, you tried mod_rails yet?
[00:49] <arooni-mobile> macd, nope still running mongrel clusters
[00:49] <arooni-mobile> have you?
[00:50] <macd> no, I use that upload_progress plugin for mongrel, and can't figure out any other way to handle that
[00:50] <macd> If I could find a way to route uploads themselves to mongrel and have mod_rails handle everything else I'd be in good luck
[00:52] <ajmitch> hads: got all your boxes in order now? :)
[00:54] <hads> ajmitch: Yeah, finally :) Except one SSL cert that's getting re-signed. You?
[00:54] <ajmitch> yeah, it's pretty much just been ssh host keys
[00:55] <hads> Most of the host keys were OK here as they were upgrades from Sarge or something, a few user keys. The main thing was checking everything.
[00:58]  * macd is still having problems
[01:07]  * owh loves spam filters, especially those that block incoming emails from a system administrator to the end user :-|
[01:09] <owh> How do I coerce module-assistant to use my source packages, rather than the ones it thinks it knows about?
[01:10]  * owh is thinking of madwifi specifically.
[01:33] <LeChacal> ok i am my web server isn't severing my page anymore if you go to the site it just makes you download the page but it is the page with a .phtml file and it does it if i point to any php page so i think i some how broke php i have tried rebooting but that didnt do anything how can i restart php or something
[01:43] <owh> LeChacal: PHP is run from within the server, there is no need to "restart" it. Most likely you have one of two problems, either PHP isn't actually activated as a module, or the mime-type mapping does not include a mapping for PHP.
[01:45] <LeChacal> owh: well how would it get turned off is my first question then how do i fix this, all i have done is install postfix, dovecot, and squirrelmail and before i did that everything was working i have now removed all three of these
[01:47] <owh> LeChacal: Well, installing squirrelmail is the only thing I can think that may have done anything as the other two don't use PHP at all. I'd start with checking the logs in the /var/log/apache* tree.
[01:48] <endeavormac> i insert my ubuntu server disk, start up the machine, and then without hitting anything it immediately goes to language select and stalls
[01:50] <endeavormac> usb legacy support in bios, right?
[01:50] <endeavormac> i'll try it out
[01:50] <LeChacal> owh: i dont see anything in logs just me restarting apache a few times nothing else in errors
[01:53] <LeChacal> owh: well back to fixing for a minute if i just make a link from the php5 files in mods-available to mods-enabled and restart apache should that put php back
[01:53] <owh> LeChacal: What does this return: grep -ri php /var/log/apache* - specifically look for notices in the error.log
[01:54] <owh> LeChacal: Fixing a problem is not just a case of jumping in, first you find out what is broken, then you figure out how to fix it.
[01:56] <LeChacal> owh: well that just dumbed all of my access.log file and error.log file which i had looked at before and didnt see anything
[01:56] <LeChacal> i can pastbin if you think you would see something
[01:57] <owh> LeChacal: My error log has this kind of notice: [Sun May 11 16:03:45 2008] [notice] Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.3 configured -- resuming normal operations
[01:57] <owh> LeChacal: That indicates that PHP is actually active.
[01:58] <owh> LeChacal: If you do not see any PHP results at all, then the module is not enabled.
[01:58] <LeChacal> owh: i have one of thoughts also but it was a few hours ago before i started installing mail stuff everyone after that is just apache
[01:59] <owh> LeChacal: What does this tell you: sudo a2enmod php5
[01:59] <LeChacal> owh: Module php5 installed; run /etc/init.d/apache2 force-reload to enable.
[02:00] <owh> LeChacal: Do that.
[02:01] <LeChacal> owh: doing that didnt seem to affect php i dont see it restarting in the log i only see apache restarting and going to the site shows now difference
[02:02] <owh> LeChacal: Does the error.log show PHP?
[02:03] <LeChacal> owh: nothing about php
[02:03] <owh> LeChacal: What does dpkg -l 'php*' tell you that is installed?
[02:05] <owh> LeChacal: Better still, what does dpkg -l '*php*' tell you - specifically, is libapache2-mod-php5 installed?
[02:06] <LeChacal> owh: it says that ibapache2-mod-php5 is installed and is version 5.2.4-2ubuntu5
[02:06] <owh> LeChacal: What does sudo dpkg-reconfigure libapache2-mod-php5 give you?
[02:07] <endeavormac> well now i have a new problem. i'm using my motherboard's raid to put two 640gb hdds together in raid 0. when i start to install ubuntu server, it tells me ata1.00: exeception Emask 0x0 SAct 0x0 SErr.... etc
[02:08] <endeavormac> does anyone know if there's something special i need to do?
[02:08] <owh> endeavormac: Is that hardware RAID or software RAID?
[02:08] <endeavormac> hardware over the mobo
[02:08] <LeChacal> owh: that restarted apache and in the log i see php restarting but it didnt change the site
[02:09] <owh> endeavormac: Just because your motherboard comes with on-board RAID does *not* mean that it's hardware RAID!
[02:09] <owh> LeChacal: So, now you can see PHP in error.log?
[02:10] <endeavormac> well as far as i know the RAID has already been set up through the bios. i already created the raid0 with 32kb stripe.
[02:11] <owh> endeavormac: That is no guarantee at all.
[02:12] <endeavormac> does ubuntu server have a wiki or something where i can find more information on this?
[02:12] <owh> endeavormac: If it was in fact hardware RAID, then the installer would only see one drive. By adding kernel modules it might then be able to monitor the RAID device. If you see other things, then it is likely to be software RAID. I'm looking for a nice URL for you.
[02:12] <LeChacal> owh: i see this in the log ' Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch configured -- resuming normal operations' and if you go to www.muncc.marmoinacademy.org see what you get but i found if you go to www.muncc.marmionacademy.org/index.php the page comes up which it didnt before\
[02:13] <owh> LeChacal: So, now you need to find out why you get an error on the first link. Check error.log
[02:13] <endeavormac> i just don't understand the point of setting up raid through the motherboard, and then again through the OS
[02:14] <owh> endeavormac: The problem is that manufacturers are saving a few cents by not including actual hardware RAID.
[02:14] <endeavormac> god damn manufacturers
[02:14] <_ZeuZ_> Guys, I've developed an easy to use HTB script for traffic shaping, directed to ISPs... And I would like your thoughts on it to make it part of Ubuntu server...
[02:15] <owh> _ZeuZ_: Come to the next ubuntu-server meeting and raise it.
[02:16] <_ZeuZ_> owh, I'm on the mailing list, but, I don't remember when is it going to be...
[02:16] <LeChacal> owh: i see this in error.log near when i tried to visit [client **.**.**.**] Negotiation: discovered file(s) matching request: /var/www/index.php (None could be negotiated).
[02:16] <_ZeuZ_> I know the script needs refinement, still it would be a hit to make ubuntu-servers to go higher on the sky..
[02:16] <owh> endeavormac: I cannot currently locate the link I was looking for. The best start is to google for your motherboard and raid and see what comes up.
[02:17] <owh> LeChacal: Well, start by googling with that error and see what you find.
[02:17] <owh> !meeting
[02:17] <owh> Hmm
[02:17] <owh> !nex-meeting
[02:17] <owh> !next-meeting
[02:17] <owh> Crap
[02:17] <endeavormac> i'm reading now and it seems that you can just hook up two hard drives, no raid through the mobo, and then when you install ubuntu server and are partioning drives you can do some voodoo magic and *raid0*
[02:18] <owh> endeavormac: Yes, that is Linux Software RAID, that is different again.
[02:18] <macd> endeavormac, above all value hardware raid first ;)
[02:18] <owh> endeavormac: To make it "simple" there are three types of RAID.
[02:18] <endeavormac> what's the performance like on linux software raid
[02:18] <endeavormac> if i can get 120megabytes/sec red/write from two hdds, i'm good
[02:19] <macd> endeavormac, maybe on a FC/U320 set, but nothing ata
[02:19] <owh> endeavormac: Hardware RAID, an actual card that has an on-board CPU that talks to drives and does magic. It shows the drives to the OS as one drive. Fake RAID, which tries to do the same, but requires that the main CPU take care of things - needs a driver. Linux Software RAID, using the Kernel to talk to multiple disks.
[02:20] <owh> _ZeuZ_: https://wiki.ubuntu.com/ServerTeam/Meeting
[02:20] <hads> Hardware is good, software is good, I don't see the point in fake.
[02:20] <owh> Ditto :)
[02:21] <endeavormac> yeah screw fake
[02:21] <endeavormac> booze + linux = success
[02:21] <endeavormac> i mean raid through linux kernel = success
[02:21] <endeavormac> thanks
[02:22] <owh> LeChacal: It appears that your issues come from a rewrite condition.
[02:23] <_ZeuZ_> so Wednesday right? gosh... one week more until I can release it? I'm not only seeking to include it in ubuntu-server but to improve it... currently it's a pretty basic ToS and QoS clasifiying with bandwidth shaping for different terminals on the lan, or on the outside...
[02:23] <owh> _ZeuZ_: Not next Wednesday, the one after.
[02:23] <owh> _ZeuZ_: Everyone is in Prague :)
[02:24] <owh> _ZeuZ_: I'm not at all suggesting that it will be included. What you'll get is a bunch of ubuntu-server people listening to what you have to say and making suggestions.
[02:24] <_ZeuZ_> Hmm.. perhaps I can send it to the mailing list...
[02:25] <macd> yes do , b/c I want to see
[02:25] <owh> _ZeuZ_: Well, you can start the conversation there, yes.
[02:25] <LeChacal> owh: rewrite condition? doesn't mean anything to me. can you link me to the site you have found and/or tell me some more about this
[02:31] <owh> LeChacal: Is there a .htaccess file in the server root?
[02:31] <owh> +webserver document root that is
[02:33] <owh> LeChacal: This describes the issue in another way: http://www.webmasterworld.com/apache/3161107.htm
[02:35] <LeChacal> owh: well i am not sure what you call server root but the only place that i have a .htaccess file is in a squirrelmail folder not anywhere near what i would call root
[02:36] <owh> LeChacal: What does this return: sudo grep -ri multiview /etc/apache*
[02:39] <LeChacal> owh: i get this http://paste.ubuntu.com/12176/
[02:43] <owh> LeChacal: Well, that looks pretty normal - though you should not make a habit of leaving backup files with ~ lying around.
[02:43] <macd> LeChacal, owh have you tried 'sudo a2enmod php5'
[02:43] <owh> macd: It's running, just doing weird stuff as well :)
[02:43] <owh> LeChacal: Which files do you have in /var/www
[02:44] <owh> macd:  www.muncc.marmoinacademy.org - borked    www.muncc.marmionacademy.org/index.php - woring
[02:44] <owh> +k
[02:44] <macd> what about the DirectoryIndex portion of the apache2.conf file?
[02:44] <LeChacal> owh: i was changing that right now after reading that link that you sent me because i have several files that start with index and they have different endings
[02:44] <owh> macd: Well, the site was working before squirrelmail got installed. Now it doesn't work anymore.
[02:45]  * owh just *loves* PHP installers that break running web-sites.
[02:45] <macd> LeChacal, what does "grep -i index.php /etc/apache2/apache2.conf"
[02:45] <macd> LeChacal, return when you issue it (damn cr)
[02:46] <LeChacal> macd: that returns nothing
[02:47]  * owh has to go back to work and wanders off.
[02:47] <macd> LeChacal, then we know your problem, add index.php to the DirectoryIndex directive in /etc/apache2/apache2.conf
[02:48]  * _ZeuZ_ Notified it's intentions to add it's Routing, QoS, MAC+IP control and Traffic Shaping/managing and limiting to the ubuntu-server distro
[02:49] <LeChacal> macd: i will do that for the future but moving all any file that started with index out of the root of /var/www fixed my problem also
[02:50] <macd> LeChacal, yeah, this just lets it serve index.php even if index.html is present
[02:51] <macd> LeChacal, FYI also thats apache admin101 ;)
[02:53] <LeChacal> macd: yes and i think both you and owh for the help i just got thrown in to running this server so i have a bigger learning curve to over then i thought i see
[02:53] <macd> LeChacal, if your doing alot of apache stuff, its a good bookmark http://wiki.apache.org/httpd/ also has user contributed things for some simplified tasks
[02:54] <owh> LeChacal: Pleasure.
[02:54] <LeChacal> macd & owh: i meant i thank both of you
[02:54] <macd> LeChacal, anytime
[02:55] <endeavormac> by software raid through the kernel, we're talking about LVM, right?
[02:56] <hads> software RAID is software RAID, LVM is LVM :)
[02:58] <endeavormac> ok
[02:58] <hads> Two completely separate but often used together.. bah, they left.
[03:01] <owh> hads: You get that :)
[03:01] <hads> :)
[03:02] <ajmitch> yay, got my debian password back
[03:02] <hads> :)
[03:03] <LeChacal> owh & macd: now that i have solved my problem do ether of you have suggestions on squirrelmail or another webmail program before i go back to reading on it and apache
[03:03] <owh> LeChacal: Sorry, don't do webmail, I let google handle that :)
[03:04] <_ZeuZ_> So do I xD
[03:04] <hads> I put roundcube on one server where people wanted webmail. Seems not too bad.
[03:05] <giovani> roundcube is pretty experimental imo
[03:05] <giovani> I've had issues with it
[03:05] <giovani> very limited on featureset -- but it's AJAX so everyone thinks it's the greatest thing since sliced bread
[03:06]  * macd seconds roundcube for how nice it looks
[03:06] <hads> I don't use it myself, users seem to think it's OK though.
[03:09] <LeChacal> looking at roundcube makes me think i should have just stayed with gentoo server
[03:11] <owh> LeChacal: Well, personally I cannot think of a better way to self-inflict pain, but if that's what you like, go for it.
[03:12] <macd> LeChacal, he you could spend time emerging, or drinking beers with friends, but thats your choice ;)
[03:12] <macd> Like I say, why compile when you can apt.
[03:12] <LeChacal> owh: i the reason i say is because a lot of what i was reading on it was on gentoo, and the server was once gentoo before i took over and i hated gentoo
[03:12] <hads> It's a PHP application, nothing to do with package management really.
[03:13] <giovani> LeChacal: how does roundcube relate to gentoo?
[03:13] <LeChacal> nothing really it was just reminding me of my gentoo nightmares
[03:13] <giovani> and your nightmares make you think you should stay with gentoo? huh?
[03:14] <LeChacal> no away from it very far away
 looking at roundcube makes me think i should have just stayed with gentoo server
[03:15] <LeChacal> giovani: ok bad wording there, looking back now
[03:16] <owh> On a completely different note, how do I make module-assistant use my source packages, rather than the ones it knows about? I need to deploy madwifi source drivers on an end-user machine which will need to be able to deal with kernel updates without needing me to recompile and install stuff. Last time I looked, m-a + included madwifi was borked.
[03:21] <macd> owh, the command line arg is -h
[03:21] <owh> Whoa, not all at once ;-)
[03:22] <macd> err -k
[03:22] <owh> macd: Excellent, just what I needed. Tah.
[03:23] <macd> man module-assistant FTW ;)
[03:23] <macd> I couldnt remember myself, and I just built for 2.6.25
[03:23] <owh> macd: Funny, that's what I was reading - now I'm trying to find out how to put it in the automatic configuration / conf file :)
[03:24] <macd> yeah, that could be fun
[03:24] <owh> I've just found the environment variable, that's a start.
[03:24] <owh> KERNELDIRS
[03:25]  * owh cannot recall if m-a does an automatic rebuild when the kernel changes.
[03:28] <luckyone> hello everyone. can anyone help me get svn setup? I am seeing svn: PROPFIND of '/trunk//': 405 Method Not Allowed
[03:31] <firecrotch> luckyone:  this error is when you try to browse to the svn repository in a web browser?
[03:32] <firecrotch> luckyone: http://readlist.com/lists/subversion.tigris.org/users/4/21441.html  this may help you
[03:39] <luckyone> firecrotch: not when I use a browser, via browser it works fine
[03:39] <luckyone> firecrotch: it is when I try to use the subclicpse svn plugin
[03:41] <macd> luckyone, are you using javaHL with subclipse?
[03:43] <luckyone> macd: YES
[03:43] <luckyone> macd: sorry for the caps!
[03:44] <luckyone> macd: at least I think so
[03:44] <macd> Let me pop open eclipse and see what the other one is, b/c I had that problem a while back myself
[03:46] <luckyone> org.tigris.subversion.javahl.ClientException
[03:47] <macd> yeah, theres another layer of abstraction that subversion can use, and its not JavaHL
[03:47] <macd> I just can't recall where it is, or how to change it
[03:47] <macd> Im poking around eclipse, but I dont see it
[03:49] <macd> well, on the good side, looks like the ruby plugin got some updates ;)
[03:50] <luckyone> hah
[03:50] <luckyone> I just installed subclipse
[06:10] <rhineheart_m>  I can't mtr yahoo.com nor do sudo apt-get update... But I can access webpages from the outside.. and I can even ssh to the box.. any idea?
[07:55] <kraut> moin
[08:09] <mohamed_> is there h ow setup openswan vpn client ?
[08:58] <sgrover> Q: I have openvpn installed and can connect to my vpn with network manager.  Any easy way to automagically run a script (to mount directories) once the vpn connection is made?
[08:58] <sgrover> I want to set up automatic mounting of the Samba shares when the VPN connection is established.
[08:59] <sgrover> Grey area between desktop/server, so my appologies if this is not quite on topic..  But don't think it's that far off topic.. :)
[09:00] <yann2> hello :)
[09:00] <yann2> I wanted to know: Do canonical plans to provide training for particular parts of Ubuntu? Like KVM, samba/ldap/win integration etc?
[09:01] <nealmcb> sgrover: perhaps you can use dbus to talk to network manager?  it might have a callback for that.  there may be easier ways also - just a thought
[09:02] <nealmcb> yann2: you might also ask in #ubuntu-training (?) or ask canonical directly
[09:03] <yann2> thanks :)
[09:04] <sgrover> nealmcb: thanks for the lead.  Was hoping there would be an existing tool.    Probably easiest to just script it directly and put an icon on the desktop to the script...
[09:04] <sgrover> bypass network manager for the VPN connection...
[09:04]  * nealmcb nods
[09:04] <nealmcb> but playing with dbus is fun also :-)
[09:05] <sgrover> (that and I'm not very familiar with dbus at this time)
[09:05] <sgrover> off to google I go then.. :)
[09:05] <nealmcb> but yeah - not so much a server thing....
[09:06] <sgrover> but not fully a desktop thing either.. :)
[09:07] <sgrover> and you were able to give me more of a tip than I got in #ubuntu (no response there)
[10:24]  * nealmcb heads towards the UDS hotel.....
[10:37] <bip> hello anybody has experience using tape units with ubuntu-server ?
[10:37] <bip> i have a fresh installed 7.10 server but mt commands get non answer
[10:38] <bip> any hint will be gladly received thanx
[11:36] <vcorreia> hello everyone
[11:36] <vcorreia> has anyone been using ebox with hardy?
[11:37] <vcorreia> if so, what do you make of the integration?
[11:37] <elliotjhug> hi all, got a user called 'manageen' who logs in repeatedly every 3/4mins - I never added this user. Is there a check I can do over either their activities - or can I set the account to expire? (Or is there any other action you would suggest?)
[11:41] <soren> elliotjhug: I'd recommend, you unplug the machine, shut it down, remove the disk, and carefully check every single bit on it.
[11:42] <soren> elliotjhug: If someone's logging onto it and you didn't create the user, you've most likely been compromised somehow.
[11:43] <elliotjhug> is it likely to be a virus or what?
[11:43] <elliotjhug> I only checked because I noticed unusual network activity
[11:46] <Deeps> it's likely that you've been rooted
[11:46] <Deeps> in that, someone has gained root privledges on your machine, and created  that account
[11:46] <elliotjhug> Deeps: Thanks - well I've just changed my root password (and an account with sudo)
[11:47] <Deeps> recommended course of action would be, as soren said, to shut down the machine immediately
[11:48] <hads> elliotjhug: That's not enough, you should remove the box from the network immediately.
[11:48] <elliotjhug> hads: OK - I'd best go with that then. Thanks for the advice
[11:48] <hads> And then reinstall it basically.
[11:48] <Deeps> indeed, reinstall from 0
[13:19] <dennda> aaaarg is there no django in dapper? I was under the impression that I saw it the other day
[13:21] <dennda> How would you install django on an ubuntu dapper drake (6.06.2) system so that you can easily update the machine or the packages later on?
[13:41] <Terrasque> hello, having a problem with my file server after upgrading from 6.06 to 8.04. Its x64, have an XFS raid5 (3tb, 7 hdd's), and after the update, if a large amount of data is written in short time to it, it stops writing data, load goes up (slowly rising, went to 36 before i killed server last time), but dmesg/messages are silent, and ps / top does not show anything unusual. Any idea?
[13:43] <fromport> what kernel ?
[13:43] <fromport> the standard 2.6.16 ?
[13:43] <Terrasque> 2.6.24-16-server
[13:45] <fromport> i've witnessed similar stuff
[13:45] <fromport> i upgraded to 2.6.24-17-server which is available in the deb http://archive.ubuntu.com/ubuntu/ hardy-proposed main restricted universe multiverse repository
[13:46] <fromport> 2.6.24-17-server #1 SMP Thu May 1 14:28:06 UTC 2008 x86_64 GNU/Linux
[13:46] <Terrasque> and that fixed it?
[13:47] <fromport> i haven't seen it since, but no warranties ;-)
[13:47] <Terrasque> of course :)
[13:47] <fromport> as usual: ymmv ;-)
[13:48] <fromport> what disk controller do you have ? have you updated the mobo bios to the latest ?
[13:48] <Terrasque> 2x Mass storage controller: Promise Technology, Inc. PDC40718 (SATA 300 TX4) (rev 02)
[13:48] <Terrasque> el cheapo sata cards, basically :)
[13:49] <Terrasque> and no, haven't updated bios
[13:50] <Terrasque> fancy. The IO died on the system disc too, which is not in raid, and not on the same controllers. Hard reboot ftl
[13:53] <fromport> hardy is using 2.6.24 which really pushes harder on acpi (is my opinion) i had a lot of problems with machines with old bios'es
[13:54] <Terrasque> btw, hardy-propsed packages.. Will all those be automatically downloaded in an apt-get upgrade? or do you pick packages manually?
[13:56] <ScottK> Terrasque: After testing, hardy-proposed packages get copied to hardy-updates (if there are no problems) and then you get them automatically with apt.
[14:02] <Terrasque> new kernel in, rebooting. And crossing fingers and toes
[14:18] <Terrasque> fromport: no crashing yet.. :) But I'm not 100% sure until ive done some more testing
[14:42] <Terrasque> fromport: same happened again. New kernel did not solve it
[14:49] <fromport> terrasque: :-( ..... pitty
[14:53] <dennda> hm
[14:53] <dennda> I removed klogd and sysklogd from all runlevels, but I still have that issue
[14:57] <Terrasque> fromport: made a forum post, maybe I'll get lucky there. if not.. going back to 6.06 probably
[14:58] <fromport> try to update the bios, or even better: compile a 2.6.25(or 26-rc2) kernel yourself.
[14:58] <fromport> see if it is kernel related.
[15:05] <dennda> what's the preferred way of upgrading ubuntu on a server? (just one release to the next))
[15:06] <dennda> update-manager -d? :)
[15:07] <cjsstables> hello all.  I have a quick question.  Getting ready to set up an ubuntu ltsp server. I have 900 GB of space on 3 drives.  In the partition schem where should I allocate most of the HD space?  /home?  /root?
[15:21] <gouki> Has anyone configured fail2ban? I'm having problems. The regexep don't seem to work.
[15:23] <gouki> the log reports the IP is banned, but for some reason I can continue to access the server.
[15:34] <soren> gouki: It only blocks new connections.
[15:34] <soren> gouki: Could that explain what you're seeing?
[15:34] <gouki> soren: no
[15:35] <gouki> Does it require the default port, or the regexp doesn't care about that?
[15:35] <soren> It blocks port 22.
[15:44] <nxvl> soren: when are you comming?
[15:44] <gouki> soren: that's the problem right there.
[15:47] <soren> nxvl: I'm here.
[15:48] <nxvl> soren: i'm still in madrid
[15:48] <soren> nxvl: Ah, ok.
[15:48] <nxvl> soren: my flight leaves in 2 hours
[15:48] <nxvl> so, se you in 5
[15:48] <nxvl> :D
[16:43] <radone> greetings, I have problem with cron
[16:43] <radone> command: ps -ef | grep -i cron
[16:43] <radone> gives: root      4112     1  0  2007 ?        00:00:02 /usr/sbin/cron
[16:43] <radone> command: crontab -l:
[16:44] <radone> * * * * * root echo "Runs each second." > /home/johny/smazat/cron.txt
[16:44] <radone> however, the file /home/johny/smazat/cron.txt remains empty :-(
[16:45] <radone> any idea?
[16:45] <radone> http://pastebin.com/m59c6f729
[16:45] <\sh> is * * * * * not "run every minute" ?
[16:46] <dennda> lol?
[16:46] <\sh> radone, that cron line will run every minute...
[16:47] <\sh> there is no "second"
[16:47] <dennda> do-release-upgrade did not work for dapper -> hardy, but dapper -> edgy -> feisty -> gutsy -> hardy seems to work
[16:49] <radone> \sh: well, unfortunately not even minute ...
[16:49] <\sh> radone, and I wonder if you can delete the "root" user as well, because crontab -e -u root is that what you have by default when you use the crontab tool...all cron scripts who are in need of the "user to run"..are in /etc/cron.*
[16:49] <\sh> radone, because your line is terribly wrong
[16:49] <\sh> crontab -e
[16:49] <\sh> (thinking about user root now)
[16:49] <\sh> * * * * * echo "foo is bar" > /tmp/palimpaloem
[16:51] <radone> \sh:ok, thank you, I will give it a try and I will wait one minute
[16:52] <\sh> radone, man 5 crontab :)
[16:53] <radone> changed to: * * * * * echo "Runs each minute." > /home/johny/smazat/cron.txt
[16:53] <radone> and got not any  result :-/
[16:55] <TrioTorus> how can I find out why a certain package is kept back?
[16:57] <TrioTorus> is there an apt command for that?
[16:57] <ScottK> Is the certain package related to ssh/ssl/vpn?
[16:58] <mok0> TrioTorus: try apt-get install the package, and you will see what will happen. You will be given a chance to abort
[16:59] <dennda> Am I the only one thinking that should not be the case? Something seems to be wrong somewhere
[16:59] <TrioTorus> among others: there is openssh-client and openssh-server being kept back yes
[16:59] <TrioTorus> dennda: you're obviously not the only one
[17:00] <dennda> TrioTorus: I am talking about dapper -> hardy upgrade failing and dapper -> edgy -> feisty -> gutsy -> hardy upgrade working
[17:00] <ScottK> TrioTorus: sudo apt-get dist-upgrade will solve it in this case.  sudo apt-get -s dist-upgrade if you want to see it first (to more generally understand what's going on).
[17:00] <mok0> TrioTorus: that's because they pull in a new package, -blacklist
[17:00] <TrioTorus> mok0: I can see that with one of my servers. What's going on with that -blacklist package?
[17:01] <mok0> TrioTorus: it contains a list of weak ssh keys
[17:02] <TrioTorus> mok0: so better not upgrade yet then?
[17:02] <mok0> TrioTorus: by all means, upgrade
[17:02] <mok0> TrioTorus: and run ssh-vulnkey
[17:03] <mok0> TrioTorus: http://www.ubuntu.com/usn/usn-612-1
[17:04] <cyris||> morning everyone
[17:04] <W8TAH> hi folks -- are the patches for the ssh vunerability in the repos / updates now?
[17:04] <\sh> radone, /etc/init.d/cron restart .... could be that cron ran mad
[17:04] <mok0> W8TAH: yes
[17:04] <cyris||> people still patching up eh ?
[17:04] <W8TAH> good
[17:04] <W8TAH> how do i then re-gen my keys
[17:05] <mok0> And folks, don't forget to remove your comprimised ssh keys from EVERY remote system that has in in ~/.ssh/authorized_keys
[17:05] <cyris||> ssh-keygen
[17:05] <W8TAH> cool -- thanks
[17:05] <mok0> s/in in/it in
[17:05] <mok0> ssh-vulnkey is your friend
[17:06] <cyris||> Can anyone recommend a USER FRIENDLY web application that will allow users to change their passwords stored in openldap?
[17:08] <giovani> mok0: HD More's SSL "rainbow tables" are your friend :)
[17:08] <TrioTorus> cyris||: if your app only needs to do this single operation: write your own script. I have looked out for what you are asking for a long time.
[17:08] <mok0> giovani: ydrk, where do you find those
[17:09] <giovani> mok0: ... oh cmon ... you should know already: http://metasploit.com/users/hdm/tools/debian-openssl/
[17:09] <giovani> appreciate the dilbert :)
[17:10] <mok0> giovani: no seriously , I have better things to do than hang out with script kiddies... I exterminate them when they show up...
[17:10] <giovani> ... if you think HD More is a script kiddie ... you're revealing your ignorance of the industry
[17:11] <mok0> giovani: hereby revealed :-)
[17:11] <cyris||> TrioTorus, far enough, just wanted to see if there was anything out there. I did find one project, called chpassldapweb http://sourceforge.net/projects/chpassldapweb/
[17:12] <W8TAH> is there a how-to someplace on using ssh-keygen to make new keys?
[17:12] <cyris||> TrioTorus, but its in Brazilian Portuguese :S
[17:12] <giovani> W8TAH: http://metasploit.com/users/hdm/tools/debian-openssl/
[17:12] <giovani> err
[17:12] <giovani> bad paste
[17:12] <giovani> http://wiki.debian.org/SSLkeys
[17:12] <mok0> W8TAH: man ssh-keygen?
[17:12] <giovani> W8TAH: welcome to #ubuntu-server ... we have some overlap :)
[17:13] <W8TAH> mok0, its not giving me what im hoping for  -i just want it to rerun the same thing that happens at install time for keys -- i dont customise
[17:13] <W8TAH> thanks
[17:13] <W8TAH> giovani, thanks
[17:13] <mok0> W8TAH: dpkg --reconfigure openss-server
[17:13] <giovani> #dshield untie!
[17:13] <W8TAH> even better
[17:13] <ScottK> mok0: With an 'h' in there.
[17:14] <mok0> ScottK: you're right of course... it's not the open version of Waffen SS ;-)
[17:14] <W8TAH> LOL
[17:14] <ScottK> Doesn't the blacklist tool regenerate bad keys on install (I don't know - I'd done all mine before it was released)?
[17:14] <giovani> mok0: feel free to read up: http://en.wikipedia.org/wiki/H._D._Moore
[17:15] <cyris||> ScottK, I don't think it does.
[17:15] <mok0> ScottK: I think it contains a long list of fingerprints
[17:15] <giovani> ScottK: I believe the new release of openssh-server did that
[17:15] <cyris||> ScottK, I wasn't sure so I just regenerated
[17:15] <mok0> giovani: thanks!
[17:15] <giovani> it regenerated automagically
[17:15] <W8TAH> dpkg --reconfigure is not working
[17:15] <ScottK> The one of the openssl updates will redo snakeoil.
[17:15] <giovani> W8TAH: run "sudo ssh-vulnkey" to test your keys
[17:16] <W8TAH> says unknown option reconfigure
[17:16] <W8TAH> ok
[17:16] <mok0> giovani: Ah, I don't bother with anyone born after 1980
[17:16] <mok0> :-)
[17:17] <giovani> mok0: yeah, who cares how influential they are, right? :)
[17:17] <W8TAH> giovani, im on ubuntu -- and ssh-vulnkey does not work, nor is it in repos to install
[17:17] <giovani> W8TAH: which ubuntu release are you on?
[17:17] <W8TAH> 604-lts
[17:17] <mok0> giovani: ok, /me reads...
[17:17] <W8TAH> fully updated
[17:17] <giovani> W8TAH: you're not vulnerable
[17:17] <giovani> the bug was introduced AFTER 6.04 LTS
[17:17] <W8TAH> ok - that makes that easy
[17:18] <giovani> only 7.04, 7.10 and 8.04 were vulnerable before updates
[17:18] <ScottK> I think Edgy was OK too, but it's out of support.
[17:18] <W8TAH> i need to upgrade this guy to hardy LTS but im not doing that till summer - when i can take the internet down for an exteded period
[17:18] <W8TAH> ok
[17:18] <mok0> giovanni: ok, I'll bump that to 1982 :-)
[17:18] <giovani> mok0: who needs OSVDB, right?
[17:19] <giovani> or metasploit?
[17:19] <giovani> heh
[17:19]  * giovani throws out half of the linux kernel developers
[17:22] <Terrasque> 18:21:54 up  3:19,  1 user,  load average: 33.00, 33.07, 33.41   -- fun..
[17:22] <cyris||> W8TAH, what version of ubuntu are you running ?
[17:22] <W8TAH> 6.04 LTS on the firewall
[17:22] <cyris||> W8TAH, oh ok
[17:22] <giovani> W8TAH: we already went over this
[17:22] <giovani> err
[17:22] <W8TAH> which is the one im most concerned
[17:22] <W8TAH> ya
[17:22] <giovani> cyris||*
[17:22] <W8TAH> :D
[17:23] <W8TAH> ive gotta do the upgrade -- but i dont wanna take the school offline right now -- i'll wait till summer
[17:23] <cyris||> giovani, sorry didn't see
[17:24] <W8TAH> thanks for the help guys - this day didnt need a crisis in the middle of it
[17:24] <W8TAH> :D
[17:24] <giovani> :)
[17:24] <mok0> most of the attacks I see are stupid brute force ssh attacks that immediately gets blocked in iptables
[17:25] <giovani> mok0: you mean brute forced password attacks? not key attacks
[17:25] <mok0> giovani: right
[17:25] <giovani> however ... in the years to come
[17:25] <mok0> I am surprised that ssh is vulnerable to key attacks.
[17:25] <giovani> this will be a big vuln
[17:25] <mok0> I agree
[17:25] <giovani> mok0: ... it's not ... debian's ssh is
[17:25] <giovani> this isn't an openssh bug
[17:25] <mok0> giovani: well, you can by chance have a compromised key
[17:26] <giovani> no
[17:26] <mok0> giovani: the compromised keys are a legal subset of the total number of keys
[17:27] <giovani> no, they're not
[17:27] <giovani> normal openssl uses a different PRNG system
[17:27] <mok0> it doesn't matter
[17:27] <giovani> it wouldn't come up with the same seed values as the debian vulnerable ssl
[17:27] <giovani> it does matter ... there are different seeds used ...
[17:27] <mok0> giovani: of course it could
[17:28] <mok0> those seeds could arise by chance... I admit it's small
[17:28] <ScottK> giovani: Yes.  You could (although the odds are low) have a key that's in the small set generated by the bad openssl generated from a non-broken openssl.
[17:28] <giovani> I stand corrected
[17:29] <giovani> you're correct
[17:29] <giovani> however the keys do not become "comrpomised"
[17:29] <giovani> they just happen to become the target of a specific attack, they were still generated in good-faith pseudo-random
[17:29] <mok0> giovani: right, but they are part of the "rainbow dictionary" set
[17:29] <giovani> right
[17:30] <ScottK> They are neither more nor less compromised.  Just via bad luck rather than a bug.
[17:30] <giovani> right
[17:30] <mok0> giovani: so, in fact openssh should be patched to make those keys illegal
[17:30] <giovani> mok0: ... that may be a principle difference
[17:30] <giovani> up to the openssl guys
[17:31] <ScottK> openssh
[17:31] <giovani> nah, the bug is in openssl
[17:31] <ScottK> Different bunch.
[17:31] <giovani> it just affects openssh as well
[17:31] <giovani> http://www.debian.org/security/2008/dsa-1571
[17:31] <mok0> giovani: yes, in fact I wish they'd go to a key size of 2048
[17:31] <ScottK> Right, but if the keys are to be blacklisted, it'd have to be done in SSH.
[17:31] <giovani> ScottK: and every other system that uses openssl
[17:31] <ScottK> mok0: Just don't use DSA keys.
[17:32] <ScottK> giovani: Yes.
[17:32] <giovani> why would it have to be blacklisted at the openssh level?
[17:32] <giovani> couldn't that set of seeds be discarded in the openssl generation code?
[17:32]  * mok0 thought the DSA keys were the most secure ... *blush*
[17:32] <giovani> when it generates the random number, it would check against a list of known PIDs
[17:32] <giovani> and reject it, and generate again
[17:33] <mok0> giovani: ... and the max pid number is 32767
[17:33] <giovani> mok0: right ... so, all of that set
[17:33] <giovani> but why would this not be able to be done within the ssl code?
[17:34] <ScottK> mok0: My understanding (and I'm not an expert) is that the reason Debian used to recommend DSA over RSA was to do with RSA patents.  Now that they've expired there's no reason not to use RSA keys of whatever length you are comfortable with.
[17:35] <mok0> Hmm. Well, perhaps I should regenerate my key, then. But I think I'll do it on my Mac :-)
[17:36] <mok0> But perhaps Ubuntu should consider packaging security sensitive software directly from upstream source
[17:36] <ScottK> Dunno.  There was a time (~20 years ago) when I knew something about cryptography.
[17:36] <giovani> mok0: modifications have to be made to get everything to work together ... can't do a strict upstream tarball
[17:36] <ScottK> mok0: I don't think that would help significantly.
[17:36] <mok0> ScottK: I've just read Simon Singh's book
[17:37] <mok0> ScottK: It would give us  a double check
[17:37] <ScottK> mok0: Since install scripts have root, all packages are significant from a security perspective.
[17:37] <mok0> ScottK: ... I was in fact kinda chocked to see that Debian patches the code
[17:37] <ScottK> We either trust Debian and work as a derivative or not.
[17:37] <giovani> ScottK: some packages affect the security of other applications, openssl being the chief one
[17:38] <mok0> Exactly
[17:38] <ScottK> mok0: Honestly I think most of the blame with this one lies with the openssl developers.
[17:38] <giovani> mok0: still .. modifications are always made in distributions ... otherwise, nothing would fit together cleanly
[17:38] <mok0> It would just be a few packages, that would get an independent audit in Ubuntu and Debian
[17:38] <giovani> ScottK: .... why is that?
[17:38] <mok0> giovani: but unless there's a bug,  you don't go around removing function calls
[17:39] <ScottK> 1.  The Debian maintainer went to what was the advertised right list for such questions and asked and was told it seemed reasonable.
[17:39] <giovani> mok0: they considered "purify complaining" as a bug
[17:39] <ScottK> 2.  If you are going to do something completely outside the C standard as rely on something being undefined, I think it would deserve a comment in the code.
[17:40] <mok0> ScottK: THAT is true. It is a dirty algorithm to start with
[17:40] <ScottK> So upstream had two quite reasonable chances to have avoided this entire mess and didn't do it.
[17:40] <giovani> ScottK: it seems the opposite from the correspondence, no?
[17:40] <ScottK> I agree the the Debian maintainer has blame too, but it's hard to see what he should have done different.
[17:40] <mok0> But the fact of the matter is that it was modified by someone who did not fully understand what the code does
[17:40] <ScottK> giovani: Not sure what you mean?
[17:41] <giovani> "No, it's fine - the problem is Purify and Valgrind assume all use of uninitialised data is inherently bad, whereas a PRNG implementation has nothing but positive (or more correctly, non-negative) things to say about the idea."
[17:41]  * mok0 thinks that this is a harsh reminder of the kind of responsibility we all have working on a distribution...
[17:41] <giovani> -Geoff Thorpe
[17:42] <giovani> seems to be saying that this is a Purify/Valgrind problem ... not a code problem ... and is suggesting that such warnings should be ignored?
[17:42] <giovani> or am I misreading?
[17:42] <mok0> giovani: this piece of code relies on random bits being present in an uninitialized buffer... which is very far fetched at best
[17:42] <ScottK> According to the C standard (as I understand it, and it's limited) use of uninitialized data is inherently bad.
[17:42] <giovani> if it was a "bug" in openssl ... they would've "patched" it upstream, and then all openssl would be "infected"
[17:43] <mok0> Yeah, there's enough blame to go around
[17:43] <ScottK> giovani: It's a very obscure (at best) design in openssl and they should have made it clear what was going on.
[17:43] <giovani> http://rt.openssl.org/Ticket/Display.html?id=521&user=guest&pass=guest
[17:43] <mok0> ScottK: exactly!
[17:43] <InsomniaCity> all I can say is thank god gnupg links against gnutls
[17:43] <giovani> that's the correspondence on the issue that I'm aware of
[17:44] <mok0> giovani: ... and a new compiler optimization might have had the same effect
[17:44] <mok0> ... and no-one would know
[17:45] <mok0> giovani: interesting reading...
[17:45] <ScottK> giovani: There's more. Give me a moment to find it.
[17:46] <mok0> Lemme get this clear: the bug was in the openssl libraries, that are used by openssh??
[17:46] <ScottK> The bug was in openssl and it generated keys that were cryptographically worthless.  openssh uses said keys.
[17:47] <mok0> k
[17:48] <ScottK> Here's the Debian maintainer asking about the change in question.  Follow the thread and see if any openssl devs tell him it's a bad idea: http://marc.info/?l=openssl-dev&m=114651085826293&w=2
[17:48] <mok0> Well why not just have a function that fills the said buffer with random bits? Instead of relying on un-initalized memory?
[17:49] <ScottK> I have no idea.
[17:49] <ScottK> Here's one openssl developer being an a$$ and getting pounded in the comments: http://www.links.org/?p=327
[17:50] <mok0> I think this was just "one of those unfortunate things" that happen in software
[17:50] <ScottK> My favorite response: http://advogato.org/person/branden/diary/5.html
[17:50] <mok0> ... a chain of events leading to disaster
[17:51] <ScottK> Unfortunately I think the the first blog entry there has raised the stakes considerably in terms of how people feel about it.
[17:51] <ScottK> mok0: I agree.  I wish that guy hadn't decided to through gasoline on the fire.
[17:52] <mok0> For some reason, the software world is full of socially incapable people who jump at anyone else at the first chance they get
[17:52] <InsomniaCity> it goes with being good at writing software
[17:53] <mok0> ... yeah so they say
[17:53] <mok0> They are good at claiming how good their own stuff is and how unjustly they are b eing treated
[17:54] <Deeps> lol
[17:54] <ScottK> He'd have been well advised to have his facts straight before going on the attack.
[17:54] <Deeps> the links to the patch that broke stuff, as well as the patch to fix it, is amusing
[17:55] <Deeps> patch that breaks: comments out 2 bits, patch that fixes: uncomment one bit that was commented originally (what about the other?)
[17:56] <ScottK> That's been heavily discussed.  Even upstream agrees that part is OK.
[17:57] <Deeps> ok
[17:57] <mok0> Instead of pushing around the blame, it would be better getting some infrastructure in place to avoid these things from happening in the future. Without distributions, openssl would hardly be used
[17:58] <Phil___> hi
[17:58] <Phil___> would anyone be able to help me with a problem installing grub?
[17:58] <mok0> ... or rather, would be compiled by users themselves, which would give a huge amount of extra support work to the developers
[18:00] <mok0> Well thanks for the chat, interesting, I have to leave now
[18:00] <ScottK> See you later.
[18:00] <mok0> see you
[18:02] <Deeps> ScottK: can you point me to where the openssl team suggested that commenting out those bits seemed reasonable?
[18:02] <ScottK> Deeps: It's later on in this thread http://marc.info/?l=openssl-dev&m=114651085826293&w=2
[18:02] <Deeps> ok ta
[18:02]  * Deeps reads
[18:02] <Deeps> i liked the links.org blog pots, made me lol
[18:04] <Jeeves_> http://www.kuro5hin.org/story/2003/8/8/83254/78171
[18:05] <ScottK> Unfortunately the original post on links.org seems to be a largely fictional account of events.
[18:05] <Deeps> based on your email thread you linked me, i'm inclined to agree
[18:05] <Deeps> http://marc.info/?l=openssl-dev&m=114652287210110&w=2 being the firts reply to the idea about commenting it out
[18:06] <Deeps> (and it's from someone at openssl)
[18:06] <ScottK> Yes.
[18:07] <ScottK> He aimed to fire a shot and Debian and all distro developers and IMO accidentally shot himself in the head due to carelessness.
[18:07] <Deeps> however
[18:07] <ivoks> anyone in prague?
[18:07] <Deeps> not entirely: "if you are going to fix bugs, then you should install this maxim of mine firmly in your head: never fix a bug you don.t understand"
[18:08] <Deeps> nobody on that thread seems to understand what's going on in this bit of code
[18:08] <ivoks> openssl again? :)
[18:08] <ScottK> Still
[18:08] <Deeps> i just joined in :)
[18:09] <Deeps> from the debian side and the openssl side, the respondants dont appear to have a clue about what's going on
[18:09] <ScottK> Deeps: And if he'd just said that, I think it'd have been fine.  But he went further.
[18:09] <Deeps> ok, so pull the good and ignore the bad
[18:09] <Deeps> dont forget it all because some of the good is shrouded in BS
[18:10] <ScottK> True, but I'm probably a bit biased because as an Ubuntu developer and a Debian Maintainer, I was who he was aiming at.
[18:11] <ScottK> He's correct, but it's not always practical advice.
[18:12] <ScottK> There is a balance between spending a huge amount of time on one fix to totally understand it and how much fixing can get done overall.
[18:12] <ScottK> For openssl, it is probably reasonable.
[18:13] <Deeps> what is probably reasonable? the amount of time that was spent, or the amount of time that they think should have been spent?
[18:14] <ScottK> Probably reasonable to spend more time understanding stuff.
[18:14] <Deeps> yea
[18:14] <ScottK> I'm working on an update for Spamassassin right now to make it work with pg 8.1 and later for it's bayesian database.  I got the patch from upstream.  If I really thought I needed to competely understand the code and what it's changing, I'd move on and leave it broken.
[18:14] <Deeps> re-reading that thread, makes it look like "hai! autotool says this is a problem, can i remove it?" "duhhh, i dunno, i guess so"
[18:14] <ScottK> In this case it's more trusting upstream to have got it basically right and testing to see if it fixed the problem.
[18:15] <Deeps> ah well, nm
[18:15] <Deeps> done and fixed
[18:15] <ivoks> ScottK: you are familiar with pgsql?
[18:15] <Deeps> need to redo all my openvpn certs
[18:15] <ScottK> Only in a very limited sense.
[18:15] <Deeps> hassle
[18:16] <ivoks> ScottK: well, if you understand roles in pgsql, you are my man :D
[18:16] <ScottK> ivoks: It's used on some project I work on and I can interact with it directly or through I can't remember which python module I'm using.
[18:16] <ScottK> ivoks: No.  I think I'm not.
[18:16] <ivoks> ok then
[18:17] <ivoks> Deeps: more than 50 openvpn certificates, installed all over the country, are also waiting for me :)
[18:18] <Deeps> thankfully i only need to do.... 7
[18:18] <Deeps> still a hassle
[19:08] <Terrasque> 20:08:21 up  5:05,  1 user,  load average: 137.42, 133.51, 122.98   --   Do I win a prize? :p
[19:13] <ivoks> nope
[19:13] <ivoks> come back when your load goes over 300
[19:14] <Terrasque> that shouldn't take too long. crossed 140, and heading to 150
[19:14] <Terrasque> but have a feeling something will happen to the servers power supply soon
[19:16] <Jeeves_> Come back when you've reached 1600 :)
[19:16] <Terrasque> got a link from a friend :p http://pr0n.sesse.net/tg06/1280x960/dsc_0999.jpg   |  accidental fork bomb
[19:17] <Deeps> keep it at 600+ for 6 months
[19:17] <Deeps> then let me know :P
[19:18] <Terrasque> think I'd prefer a machine that works the way it should :p
[19:33] <ryoohki> i notice that apache2 is installed without creating an apache user?  is that intentional? should httpd run as user:group apache:apache or as root:root?
[19:34] <Terrasque> usually its run under www
[19:34] <Terrasque> www-data actually
[19:34] <ryoohki> so why was a www user not created?
[19:34] <ryoohki> oh - there is a www-data
[19:35] <Terrasque> goodie :)
[19:35] <ryoohki> i thought that was from some other package
[19:35] <Terrasque> thats what apache2 runs as on my systems at least :)
[19:37] <ryoohki> Terrasque: ok thanks!
[19:50] <J_P> hi all
[20:44] <gamercod4> hi all :)
[20:46] <gamercod4> i've a question of routing virtual nic
[21:40] <gamercod4> hi
[21:40] <gamercod4> somebody is here?
[21:43] <soren> !justask
[21:43] <soren> !ask
[21:44] <soren> Ah, there it goes.
[21:46] <gamercod4> ok
[21:46] <gamercod4> i would like to do a NAT routing on virtual NIC but iptables do not  support this :(
[21:48] <nxvl> soren: where are you?
[21:48] <nxvl> soren: i'm already here
[22:00] <soren> nxvl: I'm in my room right now.
[22:03] <nxvl> soren: number?
[22:08] <nxvl> dendrobates: are you also here?
[22:08] <nxvl> dendrobates: i have a present for you
[22:08] <dendrobates> nxvl:  yes
[22:08] <nxvl> dendrobates: where?
[22:09] <nxvl> btw, are we going for some beer today, didn't we?
[22:09] <nxvl> i have 2 bottles of pisco here
[22:10] <dendrobates> nxvl: it is too late for me today, but tomorrow.  I am in room 812.
[22:12] <nxvl> :(
[22:12] <nxvl> did you know in wich room is pedro_?
[22:15] <dendrobates> nxvl: no, I have seen him though.
[22:16] <JanC> you guys at the UDS place?  ツ
[22:16] <nxvl> yup
[22:17] <JanC> I wish I could be there  ツ
[22:18] <ajmitch> yes, just the entertainment value alone would be worth it...
[22:20] <infinity> Maybe I'm jaded, but I don't tend to find UDS entertaining.
[22:20] <ajmitch> infinity: usually just the various people in the evenings
[22:21] <nxvl> dendrobates: i'm going to say hi and give you your present, it's that ok, or are you at bed already?
[22:21] <dendrobates> nxvl: I am not in bed, just not up for more beer.
[22:22] <nxvl> ok
[22:22] <nxvl> i will be there in a minuto
[22:22] <nxvl> minute
[22:22] <infinity> soren: How's the connectivity there?
[22:23] <soren> infinity: Quite good, actually.
[22:24] <infinity> soren: All ports, not just http proxy?
[22:24] <soren> infinity: Yup.
[22:24] <infinity> \o/
[22:24] <infinity> Good, good.
[22:24] <JanC> if HTTP works, you can use anything you want anyway  ;-)
[22:25] <infinity> Yes, but setting up random tunnels just to use the interwebs annoys me.
[22:25] <soren> Compared to the PoS excuses for internet connections they have in hotels in the US, this is actually extremely good.
[22:25] <soren> Heck, if DNS works, you can use anything anyway.
[22:25] <infinity> Again, "if you're willing to jump some hoops"... I'm getting too old to care about said hoops.
[22:26] <infinity> I just want to plug in my laptop and do stuff, y'know?
[22:27] <soren> infinity: pft... Talk to #ubuntu-desktop
[22:27] <infinity> *smirk*
[22:27] <infinity> You'll understand some day. :)
[22:27] <infinity> I used to get a thrill out of circumventing people's ideas of what I should be "allowed" to do, now I just want to be able to do it all by default.
[22:28] <infinity> Cause, well, the circumvention is less exciting and more time-wasting, these days.
[22:28] <Deeps> lemme guess, you also like having a desktop system that /juts works/ and doesn't need years of hacking to actually get working properly?
[22:29] <Deeps> and that IT is just a means to an end, and not an end in itself?
[22:29] <infinity> Shocking, I know. :)
[22:29] <Deeps> phew, finally
[22:29] <Deeps> someone else like me
[22:30] <infinity> Of course, I still like hacking like no tomorrow to make these sorts of things possible to other people, which means getting my hands dirty -- a lot.
[22:30] <infinity> I just don't feel the urge to "hack" in a hotel room.
[22:30] <infinity> Especially not as cranky and tired as I usually am after an intercontinental flight or three.
[22:31] <infinity> soren: I hope you brought enough money to make good on some of those alcohol promises you made over the last year.
[22:31] <infinity> soren: ... and that you don't spend it all before I get there.
[22:36] <JanC> infinity: I agree, IP-over-DNS etc. should "just work" under Ubuntu  ;-)
[22:39] <infinity> JanC: Hahaha.  Not *quite* the point I was making, but okay. :)
[22:39] <JanC> I can tell some stories about IP-over-DNS...  ;)
[22:40] <soren> infinity: Did I promise you beer? Hm.. Ok. It's dirt cheap here, so I'll probably manage :)
[22:41] <infinity> soren: Not sure if it was beer, or "the local equivalent of a massive destruction weapon"..
[22:46] <soren> infinity: Ah, yes. It will not be at the hotel, though. The prices here are insane.
[22:47] <JanC> soren: you're Danish IIRC?
[22:47] <infinity> soren: Are they ever not?  Hotels are terrible.
[22:47] <soren> infinity: A litre of water is $20.
[22:47] <infinity> JanC: He is.
[22:47] <soren> infinity: !
[22:47] <soren> JanC: I am.
[22:47] <infinity> soren: Sweet Jesus.  20 USD?
[22:47] <soren> infinity: I've never seen prices this steep.
[22:47] <soren> infinity: Yup.
[22:47] <JanC> then beer @ uds should be very cheap for you  ;)
[22:47] <soren> infinity: 290 of the local currency unit.
[22:48] <JanC> unless something changed since my sister was there  ;)
[22:48] <soren> JanC: Outside the hotel, yes. very much so.
[22:49] <soren> infinity: 290 CZK is 17.90 USD, apparantly.
[22:49] <ajmitch> soren: $20 is nuts
[22:49] <infinity> soren: That's beyond insane.  I don't even know if English has a word to express just what that is.
[22:50] <soren> infinity: Luckily, there's a cafe almost just across from here.
[22:50] <infinity> Jeg hader UDS hotels.
[22:50] <infinity> soren: Phew.
[22:50] <soren> :)
[22:52] <infinity> soren: Anywhere in walking distance with a pool table?  *hopeful look*
[22:53] <soren> infinity: I haven't had a chance to go looking. We found that cafe, had a few beers, left for food, ate, came back to the hotel, and here we are now.
[22:53] <infinity> soren: Slacker.  What was the point of sending a scouting party if you can't tell us all about the area by the time we get there? :)
[22:54] <soren> infinity: When do you show up?
[22:55] <infinity> soren: 1745 on Sunday.
[22:55] <infinity> soren: Well, 1745 + (however long it takes to clear customs and get to the hotel)
[22:56] <soren> infinity: Plenty of time to find good places.
[22:56] <infinity> soren: I'm counting on you. :)
[22:57] <infinity> soren: Bonus points if you can find a nice Lebanese place with good shawarmas...
[22:57]  * soren accepts the assignment and acknowledges that #ubuntu-server will selfdestruct in 5 seconds
[22:57] <soren> or something.
[22:58] <soren> infinity: Well... Non-Czech food here seems to have been subject to a very strong Czech influence.
[23:00] <infinity> soren: So, we'll get a shawarma smothered in cheap beer, served on a modestly-priced hooker?
[23:02] <soren> infinity: I'm sure something can be arranged. I've not dared walk down dark alleyways yet.
[23:03] <soren> At least that's where I'd expect to find such things. Maybe I'm just not into the whole Czech vibe yet.
[23:41] <gouki> Any recommendations for a NAS (no freenas, openfiler or lightnas)? I want something installable on Ubuntu.
[23:47] <giovani> gouki: use the tools that openfiler/etc use ... they're all available for ubuntu
[23:47] <giovani> it's just a matter of auto-configuration with those specialized distros versus manually configuring
[23:48] <giovani> decide on what protocol you want to use for your NAS/SAN
[23:48] <giovani> and then an appropriate tool can be used
[23:52] <giovani> for example, for an NFS-based server ... this HOWTO appears to be relevant: https://help.ubuntu.com/community/SettingUpNFSHowTo
[23:54] <Deeps> also check out http://ubuntuguide.org/wiki/
[23:56] <giovani> Deeps: it's virtually the same set of commands ... except it goes into less detail, and is only found in the 7.10 and earlier manuals ...
[23:57] <Deeps> hmm?
[23:57] <Deeps> i was thinking for other protocols that he may want to use
[23:57] <Deeps> eg samba
[23:57] <Deeps> it's a generally nice overall guide too thats worth browsing through, if only to get ideas
[23:57] <giovani> the documentation is still ebtter on the wiki
[23:58] <giovani> on the official wiki, that is
[23:58] <Deeps> the joys of free speech