/srv/irclogs.ubuntu.com/2008/06/04/#ubuntu-server.txt

[00:03] <zul> kirkland: im not wild about it (php backport for hardy)
[00:04] <ajmitch> zul: too many changes?
[00:04] <infinity> New PHP versions always mean new bugs.  And broken interfaces.
[00:04] <zul> kirkland: gimme half an hour we can discuss I need to put liam to bed
[00:04] <infinity> Never a good candidate for a stable release.
[00:20] <zul> kirkland: it seems like a flimsy excuse to backport 5.2.6 besides the security fixes will be applied eventually and he could always build it himself as well
[00:21] <kirkland> zul: okey doke.
[00:21] <kirkland> zul: let the security-fix-backporting begin ;-)
[00:21] <zul> kirkland: yep
[00:21] <zul> and what infinity mentioned as well
[00:21] <kirkland> fyi, i chased those down for kees a few weeks back, i have them in my changelogs somewhere
[00:21] <kirkland> s/changelogs/irclogs/
[00:22] <kirkland> soren has me thinking 'changelogs' at the moment ;-)
[00:22] <kirkland> zul: cool, could you add comments to that bug to that effect?
[00:22] <zul> kirkland: sure
[00:22] <kirkland> zul: i'll add my irclog research as a comment too
[00:23] <kirkland> zul: basically, a stack of urls to the precise php commit messages
[00:23] <kirkland> zul: of those security issues
[00:39] <Filefly> i'm running a small fileserver with two identical drives in raid 1... is it possible to copy data from a drive that was previously in a raid 1 array, for example if i formatted one of the two drives and wanted to copy some data from the second one?
[00:40] <slimjim8094> yes
[00:40] <slimjim8094> could i tell you how? no :)
[00:40] <slimjim8094> but that's the point of mirror-raid, so i imagine it's doable...
[00:40] <slimjim8094> i mean, imagine you had a drive crash and had to replace the drive...
[00:41] <slimjim8094> the point of raid-1 is that there's no interruption and you lose no data...
[00:41] <slimjim8094> i think it's called 'rebuilding the raid'
[00:41] <slimjim8094> but
[00:41] <slimjim8094> i couldn't tell you how... :(
[00:41] <Filefly> okay
[00:41] <Filefly> here's my situation
[00:41] <Filefly> i am running the raid1 array and i would like to reinstall the OS without having to back up everything, as i don't have enough room anywhere else
[00:42] <slimjim8094> is the os on your raids?
[00:42] <Filefly> i want to install the OS on one drive, copy my data from the other mirrored drive, then format that drive as well and add it back to the array
[00:42] <slimjim8094> well i imagine you could probably
[00:42] <slimjim8094> de-raid and remove disk 2
[00:42] <slimjim8094> install os like normal
[00:43] <slimjim8094> install second disk and say that it's part of a raid - and that it has the data
[00:43] <slimjim8094> ...twiddle your thumbs...
[00:43] <slimjim8094> you're done
[00:43] <Filefly> basically my question is... is there a special procedure for mounting a drive that was once part of a raid1 array?
[00:43] <slimjim8094> i don't think so
[00:43] <Filefly> okay
[00:43] <slimjim8094> but again, i've never even done a raid
[00:43] <slimjim8094> so you shouldn't be listening to me
[00:44] <Filefly> so in theory, in order to pull my data, (i'm guessing) i can just mount hdb1 as usual
[00:44] <Filefly> okay, not listening :)
[00:44] <slimjim8094> yeah
[00:44] <slimjim8094> mount -o ro
[00:44] <slimjim8094> to be safe
[00:44] <Filefly> fantastic, that's a BIG help
[00:44] <slimjim8094> but you're not listening to me
=== slimjim8094__ is now known as slimjim8094
[00:45] <slimjim8094> oh god damn
[00:45] <Filefly> lol
[00:45] <slimjim8094> you're not listening to me, right?
[00:45] <slimjim8094> good
[00:45] <Filefly> no sir.
[00:45] <slimjim8094> very nice
[00:45] <kirkland> Filefly: definitely mount -o ro
[00:45] <slimjim8094> i'd say, mount it read-only
[00:46] <slimjim8094> and see what happens
[00:46] <slimjim8094> alright, i gotta go
[00:46] <slimjim8094> see ya
[00:46] <Filefly> thanks
[00:46] <Filefly> kirkland: can i mount the partition as if it was never part of the array?
[00:47] <kirkland> Filefly: is the partition marked "Linux RAID" ?
[00:47] <Filefly> i'm afraid i'm a bit of a noob
[00:47] <Filefly> how do i check?
[00:47] <kirkland> Filefly: and is the md device formatted directly to a filesystem?  ie, you're not running LVM on top of RAID, are you?
[00:47] <Filefly> no, no LVM
[00:47] <kirkland> Filefly: fdisk -l /dev/hd?
[00:47] <Filefly> okay one moment
[00:48] <kirkland> Filefly: okay, then, yeah, mounting the RAID1 is very straight-forward
[00:48] <kirkland> Filefly: i can't stress enough, though, the importance of mounting it readonly -o ro
[00:48] <Filefly> here's this, too
[00:48] <Filefly> md0 : active raid1 sda2[0] sdb2[1]
[00:48] <Filefly>       116238208 blocks [2/2] [UU]
[00:48] <Filefly> i assume i can format and install the os, then mount sdb2 and pull my data from it
[00:49] <kirkland> Filefly: right
[00:49] <Filefly> can you explain why it needs to be ro?
[00:49] <Filefly> i will do it of course.. just curious
[00:49] <kirkland> Filefly: safety measure
[00:49] <Filefly> okay
[00:50] <kirkland> Filefly: in the case that you wanted to boot your old system, you could using sdb
[00:50] <Filefly> okay
[00:50] <Filefly> that's a big help
[00:50] <kirkland> Filefly: if you (accidentally) muck with the meta-data on sdb, then it wouldn't be bootable
[00:50] <kirkland> Filefly: i should say "might not be bootable"
[00:50] <Filefly> right, that i get
[00:51] <Filefly> i'm computer-savvy, but i only rudimentarily understand the workings of raid... that definitely answers my question
[00:51] <zul> kirkland: http://pastebin.com/d25280947
[00:51] <Filefly> thanks very much for your help
[00:52] <kirkland> zul: works for me
[00:52] <kirkland> zul: i previously offered to put one in my PPA...  i can do this if people really start griping (unsupported, of course)
[00:53] <zul> kirkland: they could always ask for a backport from the backports team but I dont know what state that team is, but yeah thats a choice
[00:54] <kirkland> zul: right, well, it might help the backports team if something is in my ppa, right?
[00:54] <zul> kirkland: yep
[00:54] <kirkland> zul: since I already did the work merging for intrepid, it seems incremental for me to just build the package for hardy, no?  (supporting it, obviously, is a hugely different ordeal)
[00:55] <zul> kirkland: its your ppa but it depends if the build-depends have changed
[00:56] <kirkland> zul: those were minimal, i'll try a local build
[00:56] <zul> but you already built it before for hardy so that doesn't even matter :)
[01:19] <nxvl> zul: ping
[01:19] <zul> nxvl: yo
[01:20] <zul> nxvl: whats up?
[01:21] <nxvl> did you make any changes to my patch on the reload bug
[01:21] <nxvl> on nagios?
[01:21] <zul> nxvl: I believe I did
[01:21] <nxvl> you remember what changes
[01:21] <nxvl> just to know
[01:22] <zul> yeah the init script
[01:23] <nxvl> but i mean
[01:23] <zul> and the maintainer field
[01:23] <nxvl> to my patch
[01:23] <nxvl> Bug #236373
[01:23] <uvirtbot> Launchpad bug 236373 in nagios2 "'/etc/init.d/nagios2 reload' causes nagios to exit (sends SIGTERM not SIGHUP)" [Low,Fix released] https://launchpad.net/bugs/236373
[01:23] <zul> nxvl: im not getting you and Im about to leave for tonight can you send me an email
[01:23] <nxvl> i mean...
[01:24] <nxvl> ok, doesn't matter
[01:24] <nxvl> i can run debdiff later
[01:24] <nxvl> when i get my ubuntu machine
[01:24] <nxvl> :D
[01:24] <nxvl> thnx
[01:24] <nxvl> btw
[01:24] <nxvl> zul: you haven't sent me an e-mail of the SRU you wanted me to test
[02:14] <SpaceBass> hey folks
[02:14] <SpaceBass> I upgraded from 7.10 to 8.04 and am having some authentication issues ... I need to reconfigure libnss-LDAP but when I run dpkg-reconfigure libnss-ldap   nothing happens
[02:14] <SpaceBass> it just returns a bash prompt
[02:17] <sommer> SpaceBass: just to double check... are you doing sudo dpkg-reconfigure ?
[02:17] <SpaceBass> sommer, i am
[02:17] <SpaceBass> sorry for omitting that :)
[02:18] <sommer> hrmm, strange
[02:18] <SpaceBass> i know, right?  ... wonder if there is a verbose mode
[02:20] <sommer> SpaceBass: you can always edit the /etc/ldap.conf file by hand :)
[02:20] <SpaceBass> sommer - no opposed ...but which one? /etc/ldap/ldap.conf or /etc/ldap.conf
[02:21] <SpaceBass> s/no/not
[02:22] <sommer> SpaceBass: for authenticating to ldap /etc/ldap.conf is the main one... it replaced /etc/libnss-ldap.conf (or whatever the old file was)
[02:22] <sommer> and I believe the dpkg-reconfigure simply changes settings in that file
[02:22] <SpaceBass> which I suspect is what broke my authentication to OpenDirectory in the first place
[02:22] <SpaceBass> the replacement of those two files
[02:23] <sommer> SpaceBass: I could be wrong about that though
[02:23] <nxvl> dpkg-reconfigure simply calls debconf routines
[02:23] <nxvl> maybe that package doesn't have any
[02:23] <sommer> SpaceBass: nope that's the file I was thinking of /etc/ldap.conf, heh
[02:23] <SpaceBass> when its first installed, there are prompts
[02:24] <nxvl> you can always apt-get remove --purge and reinstall :S
[02:24] <SpaceBass> ahhh purge
[02:24] <SpaceBass> didnt try it that way
[02:24] <nxvl> but keep a backup of your files before
[02:24] <nxvl> if you have made some changes
[02:24] <sommer> SpaceBass: ah, I think you're looking for sudo dpkg-reconfigure ldap-auth-config
[02:25] <nxvl> oh yes, you need to use sudo
[02:26] <SpaceBass> actually I'm using root - I know, I know...but until I can get auth working again, I cannot log in as anyone else...had to drop to recovery just to get a root shell
[02:26] <sommer> SpaceBass: yep, dpkg-reconfigure ldap-auth-config... will give you the prompts
[02:27] <SpaceBass> sommer, thats it! thanks!
[02:27] <sommer> np
[02:28] <sommer> the packages were reconfigured so things are slightly different from 7.10 to 8.04, but hopefully better for the long run
[02:29] <SpaceBass> seems like easier management, from what I've read
[02:33] <SpaceBass> alright! at least getent passwd works
[02:33] <SpaceBass> thanks guys
[02:34] <sommer> SpaceBass: party!
[02:36] <SpaceBass> the new /etc/ldap.conf doesnt replace the pam.d/common-* files does it?
[02:37] <sommer> nope just the files needed to configure libnss-ldap
[02:38] <SpaceBass> just double checking
[02:38] <sommer> you should still see an entry for ldap.so (or whatever) in those files
[02:51] <cjsstables> evening all.  anyone want to work with me on file permissions issues?
[02:51] <cjsstables> Doesn't look like my last message went through
[02:51] <cjsstables> oh there it is
[02:54] <cjsstables> I have 3 directories set up to share on my server.  Sharing is exported with nfs and Samba.  the three directories are /public (completely open, any user can read write or execute. this includes windows users /ldap/users/or any unauthenticated client
[02:56] <cjsstables> the second directory is /business.  also a nfs share and samba share.   only persons from LDAP authentication can access this share and they must belong to the business group.  they should have complete control over anything in the share.  anything they create in the share can be controlled by anyone else that has access to the share.
[02:56] <cjsstables> the third share is /private.  this is an nfs and samba share with only one user having access and no other user can do anything in the share.
[02:57] <cjsstables> can someone out there help me to get this set up correctly
[03:23] <SpaceBass> does 8.04 not use  /etc/fstab?
[03:27] <hads> It does
[03:32] <SpaceBass> appears my raid did not start after the upgrade to 8.04
[03:32] <SpaceBass> thinks theres only 2 devices
[03:34] <ajmitch> check what devices are being looked at in mdadm.conf?
[03:35] <SpaceBass> thats what is odd...no devices listed ARRAY /dev/md0 level=raid5 num-devices=4 UUID=7b94174d:9827fba7:9d356db8:2532e22e
[03:36] <ajmitch> right, apparently it defaults to looking at all partitions if no DEVICES line is there
[03:36] <ajmitch> (from a quick look at man mdadm.conf)
[03:39] <SpaceBass> odd - all the partitions appear to be present
[03:41] <ajmitch> it's been awhile since I looked at it, but does mdadm --assemble /dev/md0 bring up the array now with all devices?
[03:45] <SpaceBass> says theres only 2 (out of 4) devices
[03:46] <ajmitch> odd
[03:46] <SpaceBass> yeah, b/c they are all there
[03:46] <SpaceBass> trying to figure out how to manually specify them
[03:46] <ajmitch> I thought it could possibly have been that the devices weren't known in time for mdadm to run at bootup, not that it should possibly happen now
[03:49] <SpaceBass> yeah, dmesg shows some errors like that might have been the case...but it should assemble now
[03:49] * SpaceBass smells a downgrade
[03:49] <ajmitch> what sort of errors?
[03:50] <SpaceBass> [  484.709354] md: unbind<sdd1>
[03:50] <SpaceBass> [  484.709359] md: export_rdev(sdd1)
[03:50] <SpaceBass> [  484.709368] md: unbind<sdb1>
[03:50] <SpaceBass> [  484.709370] md: export_rdev(sdb1)
[03:50] <SpaceBass> [  484.709376] md: unbind<sde1>
[03:50] <SpaceBass> [  484.709379] md: export_rdev(sde1)
[03:50] <SpaceBass> [  484.709383] md: unbind<sdc1>
[03:50] <SpaceBass> [  484.709386] md: export_rdev(sdc1)
[03:50] <SpaceBass> [  484.757276] md: bind<sdc1>
[03:52] <ScottK> SpaceBass: When you upgraded how did you do it?
[03:53] <SpaceBass> the built in distro upgrade command
[03:55] <ScottK> SpaceBass: You mean do-release-upgrade or using apt?
[03:57] <SpaceBass> do-release-upgrade
[03:58] <ScottK> OK.  There's one set of problems that can happen if you use apt (I know), so that's ruled out.
[03:59] * ajmitch hasn't played around with raid problems for a year or so, so is rusty
[03:59] <SpaceBass> i am too...b/c its just worked
[03:59] <ajmitch> since I was fortunate to have mdadm & lvm just work on upgrade
[03:59] <SpaceBass> haven't had the need to play around
[04:00] <SpaceBass> i guess I can re-create ...but that scares the crap out of me
[04:00] <ajmitch> and it really shouldn't be necessary
[04:01] <ajmitch> unless somehow the raid metadata disappeared from those other devices, or was corrupted
[04:01] * ajmitch knows that you can use mdadm to examine each partition & print out what the metadata is
[04:01] <ajmitch> just can't recall the command
[04:02] <SpaceBass> mdadm --examine
[04:02] <SpaceBass> but I'm in "assemble" mode so it won't let me
[04:03] <ajmitch> ah, mdadm --misc --examine?
[04:04] <ajmitch> unsure if both are required
[04:04] <ajmitch> from what --help says, it's not
[04:05] <SpaceBass> hummm...no superblock detected
[04:08] <SpaceBass> according to the verbose output...they all have the wrong uuid
[04:09] <ajmitch> strange, to say the least
[04:09] <SpaceBass> yeah
[04:10] <SpaceBass> I'm fairly concerned ...to say the least
[04:10] * SpaceBass thinks he's lost 2TB of data
[04:11] <hads> Na surely not.
[04:12] <SpaceBass> how can I find the uuids of each partition manually? then use them to update mdadm.conf?
[04:12] <SpaceBass> ^^is googling now
[04:12] <uvirtbot> SpaceBass: Error: "^is" is not a valid command.
[04:13] <hads> Have you tried assembling the array specifying the devices?
[04:14] <SpaceBass> interesting ...each of the 4 partitions has the same uuid ... the same uuid that is in mdadm.conf
[04:14] <SpaceBass> hads, I cannot find how to do that...that was my first instinct
[04:15] <SpaceBass> hads, I tried simply listing them:
[04:15] <SpaceBass> mdadm --assemble /dev/md0 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
[04:15] <SpaceBass> but I get: mdadm: /dev/md0 assembled from 2 drives - not enough to start the array.
[04:16] <hads> That looks right from memory, not that I know that much about mdadm
[04:18] <SpaceBass> and since we're quiet tonight...here's the verbose output...even more strange
[04:18] <SpaceBass> mdadm: looking for devices for /dev/md0
[04:18] <SpaceBass> mdadm: /dev/sdb1 is identified as a member of /dev/md0, slot 3.
[04:18] <SpaceBass> mdadm: /dev/sdc1 is identified as a member of /dev/md0, slot 0.
[04:18] <SpaceBass> mdadm: /dev/sdd1 is identified as a member of /dev/md0, slot 1.
[04:18] <SpaceBass> mdadm: /dev/sde1 is identified as a member of /dev/md0, slot 2.
[04:18] <SpaceBass> mdadm: added /dev/sdc1 to /dev/md0 as 0
[04:18] <SpaceBass> mdadm: added /dev/sde1 to /dev/md0 as 2
[04:18] <SpaceBass> mdadm: added /dev/sdb1 to /dev/md0 as 3
[04:18] <SpaceBass> mdadm: added /dev/sdd1 to /dev/md0 as 1
[04:18] <SpaceBass> mdadm: /dev/md0 assembled from 2 drives - not enough to start the array.
[04:18] <SpaceBass> sorry for the flood
[04:20] <ajmitch> from what I see in the mdadm help, it looks at both UUID & superblock information
[04:22] <hads> Does `mdadm --examine /dev/sd{b,c,d,e}1 | grep UUID` show the same UUID?
[04:22] <SpaceBass> hads, duno...let me try that
[04:24] <SpaceBass> yeah, all the same uuid (same result as vol_id /dev/sd.... )
[04:27] <hads> As I said, I don't know mdadm that well so don't know how much help I can be sorry.
[04:27] <SpaceBass> you both have helped me troubleshoot - thats the most anyone can ask for...thanks!
[04:30] <SpaceBass> interestingly ... the results for mdadm --examine /dev/sdd1 and sde1 are slightly different than sdb1 and sdc1
[04:30] <hads> Perhaps you could assemble with --update
[04:31] <ajmitch> how slightly different? superblock?
[04:31] <ajmitch> there is the --force option as well, but I don't know if that's safe
[04:32] <SpaceBass> yeah...see that...but doesnt feel safe :)
[04:32] <SpaceBass> guessing I have to recreate and hope the data is there
[04:32] <ajmitch> that's probably the least safe option :)
=== slimjim8094 is now known as Guest87625
=== slimjim8094__ is now known as slimjim8094
[04:35] <SpaceBass> not sure what else to do :(
[04:36] <SpaceBass> seems to think sdd1 and sde1 have no superblocks
[04:36] <hads> Well update looks like it should fix that
[04:47] <SpaceBass> well I gotta take a break and call it a night
[04:47] <SpaceBass> thanks again for the help
[04:48] <ajmitch> bye, sorry we couldn't help enough
[04:50] <SpaceBass> troubleshooting help is great
[04:51] <SpaceBass> tried to recreate it (as some blogs suggest its non destructive) and sdd1 and sde1 report as "too small" ....very odd indeed
[04:51] <SpaceBass> might run spinrite against them to make sure they are not damaged
[04:51] <SpaceBass> but cannot fathom how the upgrade to 8.04 would have hosed physical disks
[04:51] <SpaceBass> anyway....night all!
[05:08] <_CitizenKane_> Is it possible to change the size of the varrun filesystem?  Mostly right now I have a server where it is completely full, and it's causing some problems
[05:14] <ajmitch> what is being stored on /var/run that is taking so much space?
[05:19] <_CitizenKane_> ajmitch: it seems that mysql is storing binary logs there
[05:20] <hads> That would be odd.
[05:20] <hads> They should be in /var/log
[05:21] <_CitizenKane_> well, maybe i'm incorrect with this, the filenames are like this, mysqld-relay-bin.000004
[05:24] <hads> Well nothing should be stored in /var/run except pid files and sockets etc. as it's tmpfs
[05:25] <_CitizenKane_> hads: ya, i know that, this mysql server is just replicating from another one, but I don't know why there would be binary logs in /var/run
[05:27] <hads> grep "/var/run" /etc/mysql/my.cnf
[05:28] <_CitizenKane_> socket          = /var/run/mysqld/mysqld.sock
[05:28] <_CitizenKane_> socket          = /var/run/mysqld/mysqld.sock
[05:28] <_CitizenKane_> pid-file        = /var/run/mysqld/mysqld.pid
[05:28] <_CitizenKane_> socket          = /var/run/mysqld/mysqld.sock
[05:29] <_CitizenKane_> sorry, should have done a pastebin, i got a little lazy
[05:30] <hads> Well I don't know that much about mysql replication but there should be a log_bin directive in my.cnf which it should honor
[05:31] <ajmitch> especially as /var/run is on a tmpfs usually
[05:31] <_CitizenKane_> hads: turns out its a bug
[05:32] <_CitizenKane_> http://arjen-lentz.livejournal.com/115899.html
[05:33] <ajmitch> though the linked bug says it's foxed in hardy
[05:33] <ajmitch> s/fox/fix/
[05:35] <_CitizenKane_> ajmitch: this server is on feisty, so no fix yet i guess
[05:36] * ajmitch wonders if it'll be a candidate for fixing in earlier releases
[05:37] <_CitizenKane_> ajmitch: I hope so, but at least there is a work around
[05:37] <ajmitch> thankfully so
[05:38] <_CitizenKane_> because this bug is breaking nearly everything on this server =/
[05:38] <ajmitch> with /var/run full, not much else is going to start if it fails on storing pid files
[05:39] <_CitizenKane_> ajmitch: ya, that was the problem I was having, samba started acting up out of nowhere
[05:40] <hads> Ah that's a bummer, at least you found info relating.
[05:41] <hads> Easy workaround
[05:42] <_CitizenKane_> hads: yep, and thanks for the help
[05:42] <hads> No problem, didn't actually help :)
[05:43] <_CitizenKane_> hads: it's the thought that counts ;)
[05:43] * ajmitch thinks hard about beer & hopes it counts
[05:43] <ajmitch> getting closer to that time of day :)
[05:44] <hads> It's nearly middle-of-the-week-beer-o'clock :)
[05:44] <hads> heh
[06:03] <Ashfire908> Are the Magic SysRq keys enabled for the server kernel?
[08:43] <kraut> moin
[09:56] <spiekey> hi
[09:56] <spiekey> does anyone know how i can get the refresh time with dig?
[10:06] <InsomniaCity> by refresh time, do you mean TTL?
=== fredrik is now known as frippz
[11:02] <catalao> Hi
[11:03] <catalao> I need some help
[11:03] <catalao> who can help me?
[11:03] <catalao> :)
[11:03] <InsomniaCity> !ask
[11:03] <ubottu> Please don't ask to ask a question, ask the question (all on ONE line, so others can read and follow it easily). If anyone knows the answer they will most likely answer. :-)
=== fredrik is now known as frippz
[11:05] <catalao> ok, sorry :). I'm a school teacher and i'm configuring a ubuntu server with PDC - samba and Ldap, and I need to redirect "My Documents" to go directly to the home folder on my server
[11:07] <catalao> i have the netlogon script
[11:08] <catalao> and i have a file shortcut.vbs . I think maybe it's here where i have to put the code??
[11:08] <catalao> I'm not english, sorry for my writing
=== [gquit]bombadil is now known as gquit|bombadil
[12:46] <cjsstables> morning all.  trying to resolve the following issue.  when an authenticated network user writes a file to an exported NIS share the following permissions and ownerships result.     -rw-r--r--  userxxx Domain Users.  This is the default.  how do I change the default to save the file with -rwxrwxr-x Domain Users Domain Users
[12:49] <soren> Change your umask
[12:49] <soren> ...to 002.
[12:49] <soren> /etc/login.defs
[12:50] <cjsstables> ok.  I'm not familiar with umask  what would the umask number be?
[12:50] <soren> 11:49:37 < soren> ...to 002.
[12:50] <Kamping_Kaiser> cjsstables, umask is the opposite to the file permissions numeric value you want to finish with
[12:51] <cjsstables> thanks soren,  you have been quite a help for me.  I have an excellent server so far. and now just finishing it up with network shares..
[12:51] <soren> cjsstables: :)
[12:51] <Kamping_Kaiser> soren, is the umask set on nfs server or client?
[12:52] * Kamping_Kaiser found a rather nice way of setting umask via pam today (and was happy when it worked)
[12:52] <cjsstables> next question.  do I modify the /etc/login.defs on the server side or client side?
[12:52] <soren> Kamping_Kaiser: client.
[12:53] <soren> cjsstables: client :)
[12:53] <Kamping_Kaiser> nod. ta. :)
[12:53] <cjsstables> ok.  next question.  is it possible to only specify the umask for specific directories or will it apply to all directories
[12:54] <Kamping_Kaiser> all dirs. you'd have to do separate one differently
[12:54] <soren> It's used by the open(2) and mkdir(2) system calls, which are invoked on the client.
[12:55] <cjsstables> my concern is that my /ldaphome directory would end up having files written with the wrong permissions.  that directory and the writes are working perfectly right now and don't want to mess it up
[13:05] <cjsstables> soren:  looks as though I may not want to do that.  the login.defs narrative recommends not to use UMASK.  Am I better off not using an nfs share and only use a samba share with samba configured to force the permissions and groups on writes?
[13:06] <soren> It's an option, sure.
[13:08] <Kamping_Kaiser> you can export nfs with a mask per export cant you?
[13:08] <Kamping_Kaiser> anyway. night
[13:09] <cjsstables> ok.  next question.  all linux clients use an xfce desktop that doesn't have a means to browse smb shares.  Also is there a way to automount those smb shares based on the user login?
[13:09] <ikonia> cjsstables: look at nis maps ?
[13:09] <ikonia> cjsstables: automounter ?
[13:09] <cjsstables> Kamping_Kaiser...  can you explain that further
[13:10] <ikonia> Kamping_Kaiser: sure, in the exports file under the options you can set mask
[13:10] <cjsstables> ahhh...  thats it.  thats what I needed.
[13:12] <cjsstables> ikonia.  right now all clients have the export automounted through /etc/fstab.  I was looking for a solution to do that with samba, but I have seen you have to have a user and password to get them mounted.  That isn't convenient for me
[13:12] <ikonia> cjsstables: well you can do it in the export section and use a mask, or look at tools like automount
[13:13] <cjsstables> ok.  I'm going to go and research that.  thanks for the help guys
[13:14] <cjsstables> bye
[13:39] <Kelerion> hey hey guys
[13:39] <Kelerion> quick question... i have just got a t2000 sparc back from storage and am playing about with it... when i got it originally i managed to put 6.06 on it... which is now obviously out of date... which version should I look at putting on it with a fresh install? I tried 8.04 last night but its giving problems... is it the officially supported version for these sparcs?
[13:42] <ikonia> sparc is dead
[13:42] <ikonia> it's a community distro now
[13:43] <ikonia> the T2000 is also the latest Sun chip so generic sparc stuff doesn't work properly on it unless done through solaris (100% binary compatibility )
[13:44] <Kelerion> which is why it is now in ports?
[13:44] <Kelerion> but there is still an 8.04 image... so someone must be still maintaining it
[13:44] <ikonia> http://drwetter.org/coolthreads/t2000.Ubuntu_vs_Solaris10_3.html
[13:45] <ikonia> Kelerion: sorry, didn't mean to mislead, most of it gets auto built from the repo, and there are "people" maintaining it
[13:45] <Kelerion> ah
[13:45] <Kelerion> ok..reading that page :)
[13:45] <ikonia> Kelerion: its a tad dated, but does give you an idea
[13:53] <Kelerion> ok...
[13:53] <Kelerion> well hmph... lol
[13:54] <Kelerion> makes me wonder though... if the SAS controller driver was implemented in edgy...  wouldn't it still be in hardy?
[13:55] <Kelerion> anyways... not important
[13:55] <Kelerion> doesn't seem to leave me with my options... mainly, go back to solaris...
[13:56] <lukehasnoname> opensolaris?
[13:57] <Kelerion> i don't know solaris *at all*.. to be honest...
[13:57] <Kelerion> might be a good time to learn a new OS.. lol
[13:59] <lukehasnoname> http://www.nexenta.org/os
[13:59] <lukehasnoname> kelerion check it
[14:01] <lukehasnoname> nvmd
[14:01] <lukehasnoname> not sparc
[14:01] <Kelerion> well damn...that was looking promising too.. lol
[14:03] <Kelerion> it's ok... i don't mind playing around with a new OS.. its all in the learning, right...
=== jjesse_ is now known as jjesse
[14:59] <lukehasnoname> OpenSolaris would be interesting to toy with
[14:59] <lukehasnoname> so would OpenBSD
[15:02] <\sh> opensolaris is nice
[15:03] <\sh> actually the zfs thing...
[15:05] <lukehasnoname> ya, that sounds really cool
[15:05] <lukehasnoname> not that I'm a filesystem guru
[15:08] <Bom> hello, I am new to ubuntu and want to setup a media server that can be accessed from my LAN and remotely.
[15:08] <Bom> would it be best to use standard ubuntu or the server edition
[15:09] <Bom> I have an old Proliant ML330 that I would like to use. Is this machine sufficient or???
[15:11] <lukehasnoname> You probably wouldn't use standard ubuntu
[15:12] <lukehasnoname> Don't go on my word alone, but check out Ubuntu Studio, Mythbuntu, and Ubuntu Server.
[15:38] <mok0> Hm, new kernel today.
[15:42] <lukehasnoname> -18?
[15:42] <mok0> lukehasnoname: yes
[15:44] <lukehasnoname> Is the "-18" part an Ubuntu specific edition?
[15:44] <lukehasnoname> the 2.6.24-xx
[15:46] <mok0> lukehasnoname: yes, that's the build number
[15:53] <fbc> are there any good router guides that will show you how to prioritize traffic or apply bandwidth limits to certain machines(or both) by mac address??
[15:53] <lukehasnoname> Isn't that called QoS (Quality of Service)?
[15:53] <fbc> maybe even with a gui? do I hear laughter?
[15:53] <fbc> lukehasnoname, yeah...
[15:54] <lukehasnoname> as far as by mac address, I don't kow
[15:55] <lukehasnoname> know
[15:55] <lukehasnoname> All I see so far is iptables
[16:00] <arakthor> is it ebtables that uses MAC addys?
[16:01] <fbc> arakthor, don't know... but weren't you the guy that deleted his samba config files??  that was pretty funny.
[16:02] <fbc> arakthor, I'll look into ebtables...
[16:03] <fbc> What I'm trying to get is close to the same effect as this product http://www.softperfect.com/products/bandwidth/
[16:04] <fbc> You can turn on/off, and limit bandwidth by mac and prioritize traffic. So I think the QOS is pretty well documented, but the other stuff it seems near impossible to find.
[16:08] <arakthor> no, I didn't delete my samba config files :)
pschulz01fbc: Greetings.. I'm interested in somethign like that as well.16:13
fbcpschulz01, hehehe,, you want the winning lotto numbers too?16:15
pschulz01fbc: Useful diagram.. http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png16:15
pschulz01fbc: Do you have them?16:16
fbcpschulz01, nope. sorry...:-P16:16
pschulz01fbc: I used to work for these guys.. http://netpriva.com/16:16
pschulz01fbc: We worked on somethign that does exactly what you're after. I left 2 years ago, and was thinking that there should be a way to do exactly the same thing, but in the FOSS world.16:17
fbcpschulz01, cool, yeah I would like guide that would walk you through it. Maybe even throw a little squid config in there...16:18
pschulz01fbc: I was thinking of something along the lines of a 'config file' that then get's converted into the low level ip/eb tables commands.16:19
danshearerfbc: one way of doing this is to set up traffic shaping using tc16:19
pschulz01danshearer: Howdy :-)16:19
fbcpschulz01, I figure that kind of setup is what 95% of businesses need.. somethign that can control and limit like that, and I'm trying to replace the windows server at my workplace with ubuntu, but the boss says it needs to do everything the old server did.16:19
danshearerfbc: and then using iptables to stamp packets depending on the user or other criteria16:19
danshearerfbc: A template for doing this and with stamping code but not discrimination by user can be found at16:20
danshearerfbc: http://shearer.org/Linux_Shaping_Template16:20
fbcdanshearer, tc?? cool.. I'll look into it...16:20
danshearerpschulz01:  you again! g'day :-)16:20
pschulz01danshearer: The problem with tc as I was aware, was that whatever you came up with (rate limiting) it had to be redone when you wanted to add an additional service.16:20
danshearerpschulz01: what does "redone" mean here?16:21
pschulz01re-done.. the tc setup required various parameters for bucket sizes (token buckets) etc.16:22
pschulz01I need to revisit tc and see if there have been new developements.16:23
fbcdanshearer, Is there a high level tool that will create all those config files for you? maybe even a gnome gui?(try not to laugh)16:23
danshearerpschulz01: well, you don't have to "tc qdisc del dev  eth0 root" every time16:24
* lukehasnoname laughs in spite16:24
danshearerpschulz01: but even if you did, is that a major problem? like re-running your iptables script, it's very quick and the kernel16:24
danshearerpschulz01: doesn't drop packets or anything although I guess the QOS for some few packets might be slightly indeterminate16:25
pschulz01danshearer: probably not.. the idea was to be able to add additional channels incrumentally.16:25
danshearerpschulz01: ah, you mean, if you have already allocated your full bandwidth among 3 classes and16:25
pschulz01danshearer: Some of the queuing disciplines will drop packets when you remove the queue.16:25
danshearerpschulz01: then you want to add a 4th class?16:26
danshearerpschulz01: but not HTB, I think? Which, unless you are pretty specialised, should be ok for most people?16:26
pschulz01danshearer: Well.. I would like to have a pool of channels (eg. for voice)16:26
danshearerpschulz01: Hey, but you're the one whose run a firewall company not me so what would I know :-)16:26
pschulz01danshearer: .. and be able to allocated them as required.16:26
pschulz01danshearer: I have some pretty wallpaper.16:27
Deepslartc.org16:27
danshearerpschulz01: Right, so you're getting into hairy tc-foo. As I say on the web page, tc filters are complex and yukky16:28
danshearerDeeps: lartc.org can be as much of a hinderance as a help (unless they have updated docs recently. Beware the 2.4 kernel docs.)16:28
danshearerDepps: some of the diagrams really help though16:28
fbcdanshearer, pschulz01 , ok so what direction do I go in? I have kids here on campus using bittorrent(that needs to stop). I have kids using school computers for internet access, which should only be used for learning.(those need to have internet access removed totally). So this is why I need to be able to turn internet access on and off by mac, and limit bandwidth for others, and restrict certain other machines to only certain ports.16:29
danshearerfbc: if you are comfortable starting with a partial solution today, and then building on that, I'd be surprised if16:29
danshearerfbc: the tc template I gave you wasn't a fairly low-pain way of solving your most pressing problems first16:30
danshearerfbc: it deliberately doesn't use anything very clever or complicated16:30
fbcdanshearer, Yeah, for sure.16:30
danshearerfbc: because otherwise I'd just confuse myself worse than usual16:30
danshearerfbc: stopping bt can be just an iptables thing16:31
danshearerfbc: there's a fairly simple firewall script up there too somewhere16:31
danshearerfbc: ah yes, in the comments: http://shearer.org/Linux_Firewall_Template16:32
lukehasnonamehey, fbc, might I ask what university you work for? If that's confidential, I understand.16:32
lukehasnonamenvmd, I'll PM you16:32
danshearerfbc: think of this as the not-very-clever-way of doing firewalling and bandwidth shaping16:32
pschulz01They are just about to activate the new toilet pump on the International Space Station16:32
fbcnope, it's unives, here in guadalajara, Mexico...16:32
danshearerfbc: there are people present who can give much more complete answers16:32
fbcSmall startup16:32
danshearerpschulz01: You mean they will be able to boldly go once again?16:33
pschulz01The words 'high pressure' and 'toilet' are not words that you'd like to hear in the same sentence.16:33
pschulz01danshearer: Yep.16:33
danshearerpschulz01: You obviously haven't spoken to any submariners. Wander down to Port Adelaide mate16:34
fbcyeah, is it a toilet or an enima machine?16:34
pschulz01Not recently.16:34
lukehasnonameAdelaide? Mate? Are you from Ireland?16:34
lukehasnoname<_<16:34
danshearerfbc: they cracked that one in WW216:35
fbcdanshearer, meant enema16:36
danshearerfbc: sorry, got lost in the flow16:36
lukehasnonametoo much pressure? lol16:37
fbcdanshearer, lol16:37
fbcdanshearer, which part of that script turns off internet access... from what little I can understand from reading the syntax there doesn't seem to be anything there for that.16:40
fbcit would probably be helpful for most people to compartmentalize the script maybe into smaller files. like apache2 does..16:42
fbclike /etc/tc/macs.allowed and /etc/tc/ports.allowed or something similar, so you automatically know where to look for something and where to put it.16:45
fbcand just add INCLUDE /etc/tc/macs.allowed in the main script.16:45
danshearercoffeedude: g'day16:45
coffeedudehey danshearer16:46
danshearerfbc: that's what I meant about iptables, you'd do that over on your firewall16:46
danshearerfbc: these two things work in concert16:46
danshearerfbc: the firewall disallows everything and you selectively allow things you want16:47
danshearerfbc: and then you stamp packets you want shaped particularly16:47
danshearerfbc: all other packets get shaped according to the default policy16:47
danshearerwhat pschulz01 said is quite right, tc has its limitations but this is one way to get you going16:48
jamboodaHey does anyone have any experience with Ubuntu Server on a Dell PowerEdge R80516:49
danshearerfbc: as to splitting it up, nearly all of those two files are comments showing you what to modify and when16:49
danshearerfbc: so I can't quite see what the thousand little files approach would add here :-)16:50
jamboodaI'm particular just looking for info on compatibility.  Any snags on getting it installed and configured16:50
danshearerfbc: sure that stuff is very helpful for automated administration and so on. and if you were creating a managed facility16:50
danshearerfbc: on debian or something.16:50
fbcdanshearer, yeah, I guess it's just my stab at not having one humongous config file. My MAC address of allowed machines might hit 300 lines.. so that was why the compartmentalizing for me was important.16:53
danshearerfbc: wow! I hadn't thought of putting them all in a file16:54
danshearerfbc: you're right, that's painful. The thing is you then have to generate that file and rerun the script each time it changes16:54
danshearerfbc: there are other ways of getting yes/no answers for iptables rules16:55
danshearerfbc: for example, hooking into an rbl16:55
danshearerfbc: it's called packetbl iirc16:55
fbcdanshearer, ok... I'm gonna setup a small lab this afternoon and see what i can get done..16:56
jamboodaAnyone?16:58
danshearerfbc: if you happen to be running your own dynamic router you can drop packets on the floor there too16:59
danshearerfbc: but there was also a specific package I remember trying out for just this use case, hang on16:59
danshearerfbc: ah yes, this was a couple of years ago I tried this and I didn't put it into production, but it looked good17:00
danshearerfbc: http://www.dessent.net/linblock/17:00
fbcjambooda, it's a pretty straight forward install.. there should be no special tricks17:00
fbcjambooda, got xeon.. use 64-bit version... to take advantage17:00
jamboodafbc, so you have ubuntu server installed on a poweredge r805?17:01
jamboodaI know installing the OS is straightforward.  I've installed it many times but I want to make sure there are no issues with this particular server17:02
danshearerfbc: if you get a chance it would be good if you wrote down a log of your experiences, and any improvements to my scripts17:02
zulsoren: \sh asked if we could bump up the php memory from 16 to 32 I don't have a problem with it17:03
fbcdanshearer, sure.... It would be nice... to publish a howto guide for the rest of the world. And if I ever get a round to learning to program in C, I'll create a gtk+ app to create the syntax..17:04
pschulz01fbc: perlgtk is another option, with glade.17:06
pschulz01danshearer: What was the other idea you floated recently?17:08
kirklandzul: did you see that I put an (untested) php5-5.2.6 package in my PPA for hardy?17:11
=== danshearer1 is now known as danshearer
danshearerpschulz01: can I have a little context?17:12
zulkirkland: nope but good17:13
kirklandzul: it built just fine, no changes necessary17:13
zulkirkland: sweet I didn't expect any changes were necessary since you already built it locally17:14
kirklandzul: right17:14
kirklandzul: i figured we'd let it bake there for a little while, and if people find it useful, they can try to push it through the -backports process17:14
zulkirkland: ok by me :)17:18
fbcpschulz01, I'll have to learn Perl. I'm limited to batch,basic,php,mysql,html,some java.17:20
danshearerfbc: great ideas, but at the least if I could have some fixed scripts to publish that would be good17:24
danshearerfbc: and as to your list of 300 addresses, if you have to write them all in iptables rules something is probably wrong17:26
fbcproviding a zip file or something of a basic config might not be bad.17:26
danshearerfbc: and iirc a while back you mentioned ebtables, that's at a lower level than anything else we've discussed here17:27
uvirtbot`New bug: #237391 in openssh (main) "ssh-keygen should default to dsa not rsa" [Undecided,New] https://launchpad.net/bugs/23739118:03
spiekeyhow can i add a script to the startup of ubuntu?18:17
spiekeyis there some tool for the runlevels?18:17
spiekey(i would like to run my firewall script when my box is starting up)18:18
nealmcbspiekey: you can put it in /etc/rc.local18:18
nealmcbor you can make a script for /etc/init.d18:18
spiekeythanks18:21
mathiazkirkland: re bug 23739118:24
uvirtbot`Launchpad bug 237391 in openssh "ssh-keygen should default to dsa not rsa" [Undecided,Confirmed] https://launchpad.net/bugs/23739118:24
mathiazkirkland: why ?18:24
nealmcbmathiaz: indeed - aren't dsa keys, e.g., more vulnerable to problems with random number generators :(18:25
nealmcbe.g. http://www.schneier.com/blog/archives/2008/05/random_number_b.html#c27130818:28
danshearer<spiekey>18:32
danshearer<spiekey> update-rc.d will make the links for you.18:33
kirklandmathiaz: sorry....18:33
kirklandmathiaz: i just updated my reply to that bug18:33
kirklandmathiaz: I completely misread it18:33
* kirkland goes looking for more coffee18:33
* nealmcb is beaten by kirkland by 5 seconds in commenting on the bug....18:34
kirklandnealmcb: :-)18:34
kirklandnealmcb: I think the "X seconds/minutes ago" on Launchpad bug comments should be javascript18:35
kirklandnealmcb: give the unix epoch time, and put a javascript counter in each of those18:35
kirklandnealmcb: 1/2/3/4/5/6/7/8/9/10 seconds ago :-p18:35
mathiazjdstrand: do you have more ideas about auth-client-config ?18:36
jdstrandmathiaz: that is a pretty open ended question...18:36
mathiazjdstrand: I was wondering if we could add automatic package installation to it18:36
jdstrandmathiaz: I do plan to add netgroup support, there is a patch for it18:36
mathiazjdstrand: so that if you want to configure an ldap profile, it pulls in nss_ldap18:37
jdstrandmathiaz: oh-- you mean for the user auth integration stuff18:37
mathiazjdstrand: user auth integration ?18:37
jdstrandmathiaz: automatic package installation-- hmm18:37
jdstrandmathiaz: I always envisioned it the other way around18:37
jdstrandopenldap/clients/etc18:38
mathiazjdstrand: well - I was wondering if we could turn auth-client-config into an equivalent to domain-join from likewise-open18:38
jdstrandthe intrepid integration work discussed at UDS18:38
lukehasnonameIsn't RSA pretty easy to crack nowadays?18:38
sorenEr... No.18:38
lukehasnonamehmm...18:39
jdstrandmathiaz: well, auth-client-config on its own is just a tool to do profile switching18:39
mathiazjdstrand: the use case would be - to setup your ubuntu client to use your ldap server run: auth-client-config ldap18:39
jdstrandlukehasnoname: not with sufficient bits18:39
jdstrandmathiaz: yes-- that is the intent of the program18:39
jdstrandmathiaz: difference being, there might be a different program, say ubuntu-ldap-client, that would provide the profile, then call auth-client-config from postinst18:40
mathiazjdstrand: right - but the end user still has to figure out that the nss-ldap and pam-ldap packages have to be installed in order to make it work correctly18:41
jdstrandmathiaz: the idea being that the package maintainer knows more about configuring this stuff than auth-client-config18:41
sorenlukehasnoname: You can't crack it. You can brute force it. And even if you could check 100 trillion keys in a second, it would still take you 10^286 years to go through the 1024 bit keyspace.18:41
jdstrandmathiaz: ubuntu-ldap-client would Depends on whatever is needed18:41
sorenlukehasnoname: A.k.a. "a very long time".18:41
jdstrandsoren: uh, I am not sure your math is right there18:42
mathiazjdstrand: hmm.. and ubuntu-ldap-client would drop a profile for auth-client-config18:42
jdstrandmathiaz: exactly18:42
sorenjdstrand: It does sound a bit high.18:42
soren(2^1024/100000000000000)/(60*60*24*265)18:42
jdstrandmathiaz: there could be all kinds of these things-- ubuntu-ldap-client, ubuntu-kerberos-client, etc, etc18:42
danshearersoren: but it's still "universe getting chilly" sort of timeframe. And hello18:43
sorenjdstrand: Er... Ok, that should clearly have been 365 days in a year.18:43
mathiazjdstrand: well - I only see two of them - ubuntu-ldap-client and ubuntu-kerberos-client18:43
sorendanshearer: Ahoy there :)18:43
mathiazjdstrand: I was wondering if likewise-open could provide a profile to auth-client-config too18:43
jdstrandmathiaz: IMO, auth-client-config should be very dumb, and is simply a tool for maintainer scripts and administrators18:44
sorenChanging the number of days in a year only changed the fourth most significant digit (base 10).18:44
jdstrandmathiaz: absolutely-- the more the merrier :)18:44
mathiazjdstrand: agreed18:44
jdstrandmathiaz: while ubuntu may only have 2 or 3 of these packages-- an administrator may have site-profiles for ease of maintenance18:44
mathiazjdstrand: in the example of ubuntu-kerberos-client, there needs to be more work done to join a client to the realm18:45
mathiazjdstrand: do you think auth-client-config could be extended to do that work ?18:45
mathiazjdstrand: this is the other part in domain-join IIUC18:45
jdstrandmathiaz: well, auth-client-config is technically just pam and nss, I guess you are talking about krb5.conf?18:46
mathiazjdstrand: you need to configure your local system (pam and nss),  plus do some other work on the server side ('register' the machine)18:46
jdstrandmathiaz: oh yes18:46
jdstrandmathiaz: OTOH, seems the server side stuff should maybe have an addkerbhost script of something18:47
mathiazjdstrand: I'm trying to figure out if we can provide the equivalent of domain-join for ubuntu-ldap-client and ubuntu-kerberos-client18:47
jdstrands/of/or/18:47
mathiazjdstrand: http://people.ubuntu.com/~mathiaz/network_auth_integration.png18:47
mathiazjdstrand: ^^ this is a big picture of network authentication from the client POV18:47
jdstrandyes18:48
mathiazjdstrand: I'd like to see if we can provide a single command to handle all three scenarios18:48
* jdstrand is thinking18:48
mathiazjdstrand: auth-client-config IIUC can handle the pam/nss configuration18:48
jdstrandmathiaz: yes, that is all it does. it safely updates nss and pam based on the profile specified18:49
mathiazjdstrand: but we need to add some infrastructure to configure other parts of the system (krb5.conf or lwidentidy.conf or /etc/ldap.conf)18:49
jdstrandmathiaz: I definitely see it as a component of this, but update these other .conf files seems out of scope for a-c-c18:49
jdstrandmathiaz: but maybe not18:50
mathiazjdstrand: and do the right thing to register the machine in the infrastructure18:50
mathiazjdstrand: do you think this is out of the scope of auth-client-config ?18:50
jdstrandI don't want to unnecessarily limit my thinking18:50
sorenjdstrand: If you think my maths is wrong... What do you get if you do the maths?18:51
jdstrandmathiaz: my gut feeling is it is out of scope, as what you are suggesting is ubuntu-specific, whereas administrators use it for other things18:51
sorenFor reference, this is what I asked bc:18:51
sorenl(((2^1024)/(100*10^12))/(60*60*24*365))/l(10)18:51
sorenFor maximum clarity.18:51
sorenThe result is the power to which I need to raise 10 to get the number of years I'd need to sit around waiting for my supercomputer to finish.18:52
jdstrandmathiaz: however, auth-client-config does seem to be an important component of your design18:52
jdstrand(as is)18:52
* soren goes to dinner18:52
jdstrandmathiaz: mind you, I am just thinking out loud18:52
* mathiaz doesn't hear jdstrand 18:53
lsaldid anyone get openldap with tls working on ubuntu818:54
mathiazjdstrand: what about adding a check to auth-client-config to make sure that the librarys it's about to setup for pam and nss are available, and if not, list the packages that should be installed ?18:56
mathiazjdstrand: /librarys/libraries/18:56
nealmcbsoren: well, 1024 bit rsa keys can be brute-forced much more easily than that, given other smarts in the algorithm, but it is still awfully hard for the time being18:58
nealmcb... since you don't need to check all the possible values...18:59
jdstrandmathiaz: what is the end result you would like to see. rather than saying the executable is auth-client-config, lets call it uauth. eg:19:00
jdstranduauth ldap ...19:00
jdstrandcan you give an example of the command and what the result should be, and let's go from there19:00
mathiazjdstrand: uauth --ldap-cert=/etc/ca.cert ldap-profile dc=example,dc=com19:03
mathiazhmm19:03
mathiazjdstrand: uauth --ldap-cert=/etc/ca.cert ldap-profile dc=example,dc=com ldap.example.com19:03
jdstrandmathiaz: well, some of those smarts are already in the libnss-ldap and libpam-ldap packages19:04
mathiazjdstrand: configure your system to use ldap.example.com to perform authentication and nss lookups19:04
jdstrandmathiaz: gotcha19:04
mathiazjdstrand: uauth krb5-profile example.com19:04
mathiazjdstrand: updates the krb5.conf file and gets the host keytab (somehow)19:05
jdstrandmathiaz: what if the 'uauth' package provided your three profiles? uauth the executable could then be smart enough to update /etc/krb5.conf, /etc/ldap.conf or whatever, and then call auth-client-config19:05
mathiazjdstrand: yeah - that's what I was thinking of19:06
jdstrandmathiaz: this keeps the high level stuff out of auth-client-config (so other admins/packages/users/distros can use it)19:06
mathiazjdstrand: the same design as auth-client-config, but you'd have to provide some code to create the configuration on the host19:06
jdstrandmathiaz: exactly-- and this is ubuntu integration specific19:06
mathiazjdstrand: auth-client-config uses just a declarative language for profiles19:07
* mathiaz nods19:07
jdstrandmathiaz: I haven't used likewise yet-- does it do more than pam?19:07
mathiazjdstrand: yes - AFAICT it does nss also (ie winbind function)19:07
jdstrand(other than the equivalent of ldap.conf, etc)19:07
mathiazjdstrand: and the domain-join command makes sure that your system is setup properly (krb5.conf, etc...)19:08
mathiazjdstrand: domain-join supports 100s of platforms19:08
jdstrandmathiaz: ok good-- then a-c-c can be used here as well19:08
mathiazjdstrand: it also does the right thing to create your machine account in AD19:08
mathiazjdstrand: that's what I was thinking.19:09
mathiazjdstrand: so to be more specific about auth-client-config, I was suggesting to improve error detection19:09
mathiazjdstrand: such as libraries that are supposed to be used are not available19:09
mathiazjdstrand: and improve logging to support syslog (for automated installation)19:10
jdstrandmathiaz: since we inherit a lot of debconf from debian for this stuff, it might be weird to have uauth Depends on all these packages19:10
jdstrandmathiaz: I have no problem with syslog19:10
mathiazjdstrand: oh - I wasn't suggesting that auth-client-config depends on packages19:11
jdstrandmathiaz: simple .so checks for pam probably would not be a bad idea19:11
jdstrandmathiaz: no, I didn't think you were-- I was thinking about the new 'uauth' package19:11
mathiazjdstrand: just that libraries that it's about to setup are available - if not, give pointers to where they can be found19:11
mathiazjdstrand: well the uauth package wouldn't depend on this19:11
jdstrandmathiaz: uauth could be-- uauth-common, uauth-ldap, uauth-kerberos, uauth-likewise19:12
mathiazjdstrand: the profiles would specify what packages are needed when installing - and debconf answers could be preseeded19:12
jdstrandjust OTOH19:12
mathiazlsal: have you checked in LP for bugs ? IIRC there was some bug about TLS/SSL for openldap on hardy19:13
lsalno i didnt.. let me check19:15
jdstrandmathiaz: yeah-- there are some variations on this theme, but something like this19:15
mathiazjdstrand: right - uauth-common would be the command and the glue to setup the profiles provided by uauth-ldap19:16
* jdstrand nods19:16
jdstrandmathiaz: I'm still thinking that the dependencies should be done in these packages though (as opposed to a-c-c)19:17
mathiazjdstrand: great - thanks for your input - I'll update my spec with your uauth package suggestion19:17
mathiazjdstrand: these packages == uauth-{ldap,krb5,...} ?19:17
jdstrandmathiaz: yes19:17
mathiazjdstrand: agreed.19:17
jdstranduauth-ldap needs libpam-ldap and libnss-ldap, etc19:18
mathiazjdstrand: auth-client-config is just one component used to manage the pam/nss configuration19:18
* mathiaz nods19:18
jdstrandmathiaz: agreed19:18
nealmcbsoren: where does your dc "l" (log?) function come from?19:18
mathiazjdstrand: and providing plugins/scripts to modify configuration files should not be against the debian policy19:18
mathiazjdstrand: wrt to configuration files19:19
jdstrandmathiaz: the idea of checking for the .so pam lib is interesting-- I'll need to think about how to do this in a distribution agnostic way19:19
jdstrandmathiaz: not at all-- if you provide a tool to update configuration files, that is ok19:19
jdstrandmathiaz: what gets sticky is updating configuration files from maintainer scripts19:19
jdstrandwhether via a tool or not19:20
jdstrandmathiaz: eg, I thought a-c-c could be used to manage common-auth, common-password, etc19:20
jdstrandmathiaz: but in order to do that, either pam needs to depend on a-c-c, or a-c-c needs to own those19:21
jdstrandmathiaz: you can see that a-c-c could end up owning a lot of files if you go the second route and more and more programs use it, so the former was decided19:21
jdstrand(even though ultimately it was decided pam wouldn't use a-c-c)19:22
nealmcbsoren, your formula suggests that it would take 10^178 years to find rsa-200 (663 bits).  But that was found back in 2005....  http://en.wikipedia.org/wiki/RSA_Factoring_Challenge19:22
jdstrandmathiaz: but that is neither here nor there19:23
jdstrandmathiaz: even if you do no configuration directly in the maintainer scripts, being able to do 'uauth <opts> ...' is a *big* improvement19:23
nealmcb1024-bit keys don't have an adequate margin for many purposes now...19:23
jdstrandsoren, nealmcb: I think the problem in the formula is that the 2^1024 is simply how many numbers there are. however, breaking rsa is about finding the two prime numbers p and q that equal 'n'. there are far fewer than 2^1024 prime numbers in a 1024 bit key19:27
jdstrandspecifically, we don't need to check 2, 4, 6, 8, 9, ... so the 'brute-force' can be much more intelligent19:28
nealmcbjdstrand: right, among many other things.  the attacks are really sophisticated these days19:32
jdstrandnealmcb: absolutely19:32
jdstrandnealmcb: I was in no way trying to brainstorm a way to crack rsa :)19:32
nealmcbwhat default key size are we generating now?19:32
jdstrandnealmcb: default? you mean via openssl or ssl-cert?19:33
nealmcbprobably should be at least 204819:33
nealmcbyeah, and ssh19:33
jdstrandnealmcb: ssh is 2048, ssl-cert (for snakeoil) is 1024, and IIRC openssl with specifying '-b' is still 51219:34
jdstrandnealmcb: the man page for openssl (req) says 512 bits if default_bits is not specified, but debian/ubuntu specifies 1024 bits in /etc/ssl/openssl.cnf, so openssl without specifying '-b' is 102419:40
jdstrand(which makes much more sense as 512 is pretty much worthless now)19:41
* nealmcb shivers at 512 and looks around19:41
nealmcbyeah - I just found that default_bits - ouch.  shouldn't we change the 1024 to 2048 in openssl.cnf?19:42
jdstrandprobably should...19:42
jdstrandI'm sure there has been discussion in Debian on that19:42
nealmcbhopefully in openssl themselves also19:43
* jdstrand makes a note to look into this further19:43
nealmcb:)19:43
jdstrandthough really, I always specify the bits so I know what I am getting19:44
jdstrandbut that doesn't help ssl-cert any19:44
* nealmcb nominates jdstrand to be sysadmin everywhere19:44
jdstrandheh19:44
nealmcb:)19:45
jdstrandkees: off-hand, can you think of any objections to setting default_bits in openssl.cnf to 2048? it is currently 1024, which affects things like ssl-cert. If you can't think of anything, I've made a note to look into it more.19:49
jdstrand(and this would be a 'get Debian involved' kind of thing)19:49
nealmcb...and upstream!...19:54
nealmcb(or is that our package/file from the start?)19:54
jdstrandnealmcb: I'm not sure, but point taken19:54
nealmcbi.e. what package is that openssl.cnf in?19:54
jdstrand$ dpkg -S /etc/ssl/openssl.cnf19:55
jdstrandopenssl: /etc/ssl/openssl.cnf19:55
nealmcbthanks19:55
keesjdstrand: I don't see any reason it'd be a problem.19:59
keesjdstrand: sort of follows our general goal of increasing bit sizes of encryption in pam, e.g.19:59
* jdstrand nods19:59
keeswe need to close 237391 -- rsa needs to stay.20:01
nealmcbcoffeedude: yo dude!20:07
jdstrandkees: uh-- I'm going to slap that down right now if you haven't already20:07
nealmcbyou missed a great time in prague.  Put Mountain View on your calendar....20:07
* Kelerion just sits there and cries20:08
KelerionI've spent the last 4 hours trying to figure out why alom won't update its firmware from my tftp server20:08
nealmcbKelerion: alom?20:08
Kelerionsun bios20:09
Kelerionand then i figure it out... it doesn't use tftp... it uses regular ftp...20:09
keesKelerion: d'oh!20:11
Kelerioni want to kick something... lol20:11
kirklandkees: yeah, agreed on rsa...  i read that bug title pre-coffee :-S  sorry.20:15
keeshehe20:16
zulsoren: any objections to bumping up the memory limit for php5 to 32?20:20
sorenjdstrand: Good point.20:20
sorennealmcb: "bc -l" gives you l() which is a logarithm function. I always forget the base, so I just stick a /l(the base I want) at the end.20:21
nealmcbsoren: ah - cool.  I just went with python....20:24
coffeedudehey nealmcb20:24
nealmcbcoffeedude: so how is likewise rolling along?20:25
sorenzul: Er... Yes, probably :)20:25
sorenzul: Why?20:25
zulsoren: \sh asked on #-devel this morning and I said I would ask around20:26
zulI know we've been through this before :)20:26
sorenWhy does he want to raise it?20:28
zulno idea20:28
sorenThen I'm even more opposed to it :)20:29
* nealmcb appreciates soren's perennial focus on the underlying problem20:29
soren:)20:29
=== slimjim8094___ is now known as slimjim8094
coffeedudenealmcb:  Things are going well.  Pretty busy these days.  Kind of falling behind on email though :-)20:34
jdstrandre php5> how many times does that horse have to be beaten anyway?20:40
keesa few more times, I guess.  keeps kicking.20:40
jdstrand*slap*20:40
jdstrand*kapow*20:41
jdstrandwe'll see if that does it20:42
zuljdstrand: repeatedly until it's dead20:42
ghalebhello, I would like to install a radio server, for streaming , any ideas ?20:55
kirklandghaleb: apt-cache search icecast20:56
kirklandghaleb: there are a few options there20:57
ghalebkirkland, thank you ,, this is what I want , a starting point20:58
kirklandghaleb: you're welcome.  i've barely played with icecast-server, so i won't be of much more help.20:58
Koonkirkland: about your comment @ https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/129789/comments/820:58
uvirtbot`Launchpad bug 129789 in openssh "sshd seems to be run multiple times at startup" [Undecided,Incomplete]20:58
ghaleb:)20:58
Koonkirkland: the issue is that by default, both ipv4 and ipv6 are enabled -- so by default our sshd_config makes it noisy at start20:59
kirklandKoon: right21:00
KoonI still don't get why it would restart though21:00
* Koon digs further21:01
Koonhhmmm... does a DHCP lease renewal trigger if-up.d scripts ?21:31
Koonanswer:no21:45
Furomanswer = yes; do{ answer = yes; }while(true);21:47
Furomlmao21:47
nealmcbserver team meeting in #ubuntu-meeting in 4 minutes...21:56
zulno 3 minutes :)21:56
nealmcbhttps://wiki.ubuntu.com/ServerTeam/Meeting21:56
* nealmcb finds that his finely-tuned clock (see adjtimex and ntpdate) has let the workstation drift by only 0.08 seconds over the last month, and smiles22:00
lukehasnonameCan Virtualbox do live migration?22:00
danshearerlukehasnoname: nope22:01
lukehasnonameso why, if I may ask, do I always hear about VB on IRC and ubuntuforums, and not Xen?22:03
lukehasnonameNot trying to sound snobbish22:03
danshearerlukehasnoname: no idea, because I'm new around here. But the kind of people that find VB really22:04
danshearerattractive are often repelled by Xen because it is usually more trouble to set up22:04
danshearerAnd Xen hasn't got a really long lifetime ahead of it anyway. To paraphrase the old saying: Xen is the question,22:05
lukehasnonamehm... well I've talked to some sysadmins and they use VMware ESX for all of its GUI administration tasks and its live migration (I work as intern at "HugeCorp")22:05
danshearerthe answer is 'no'. And I've done quite a bit of Xen that's stable and scaleable and all that good stuff.22:05
lukehasnonameDo you mean it's going to die; it's not maintained?22:06
danshearerThat I can't say, after all there are still a lot of people working on it. But it is a very large piece of code that has to22:06
danshearerbe in the kernel but never will be in the official kernel, so it has to have an out-of-tree maintenance effort. And it is very much larger22:07
danshearerthan it needs to be as other projects have demonstrated.22:07
lukehasnonamebecause I've read up on its capabilities, and it's pretty advanced. well, you said it "hasn't got a long lifetime ahead of it"22:07
danshearerSo, in my personal opinion, if you are making a strategic bet for the next 3-5 years on a kernel technology that everyone22:08
dansheareragrees will never be in the kernel, and where we have a fast-moving kernel so this technology has to be maintained out of tree, and22:08
captbaritoneI just installed three new SATA drives on a new pci sata expansion card. "ls /dev/sd*" lists sda, sdb, sdc as I expected. When I try to fdisk sda one I get "Unable to read /dev/sda" but the other two work.22:08
danshearerwhere kernel decisions are being made regularly without any regard to how hard it might make life for this out-of-tree code, then22:08
danshearerthere are some pretty serious questions to look at.22:09
danshearerThere is also the issue of completeness. The level of polish in Xen scripts and so on isn't all that high (not hard to get22:09
danshearerPython errors that are truly obscure) and after all this time if a thorough job can't be done of this level of packaging, what's going to22:10
danshearersuddenly make it better? Finally, the company behind it seems to have mostly settled on a business model that relies on the22:10
dansheareropen source version being less manageable than the closed-source enterprise versions. So where are the incentives to fix the OSS version? :-)22:11
ScottKdanshearer: You might want to join us in #ubuntu-meeting as we're having an Ubuntu Server Team meeting now.22:13
danshearerSo, that's the reasoning behind my claim there, and I don't think it is very original reasoning either.22:13
danshearerAh!22:13
danshearerScottK: timezones, timezones.. coming and thanks22:13
FuromIs installing ruby on rails covered in the server chat? I've tried following tutorials, and guides, and even documentation, but I can't get it to work. I've installed the debian package for rails and I have ruby installed with gems and all, but when I go to access "ruby test.rb" from a web browser, I just get plain text. If it's anything that anyone may need to know, I'm running apache2, with php and I even tried installing22:26
Furommod_fgid, but it did nothing.22:26
owhFurom: After enabling the module, did you reload the web-server?22:28
Furomowh, yeah, I've reloaded, and restarted, still "puts 'Hello'" shows in text format.22:35
Furomowh, would I happen to be using the wrong file extension or something?22:36
owhFurom: Does the module show as enabled in the logs or in the server identity string?22:36
Furomowh, how do I check that? I've not gotten into how to read my logs yet, I'm just trying to setup my environment.22:36
uvirtbot`New bug: #237460 in open-iscsi (main) "Root on iscsi is not supported" [Undecided,New] https://launchpad.net/bugs/23746022:36
owhFurom: Check /var/log/apache2/*22:37
FuromNah, I don't see anything about rails or mod_fgid22:41
Furomowh, thanks, time to go google about how to enable it all. At least now I know that they're not enabled.22:42
owhFurom: a2enmod is the command.22:43
Furomowh, thanks =D22:43
nijabaKees verified the new version of Limesurvey: unfortunately not all issues that he reported have been solved (or correctly solved) in the latest version...23:01
nijabaAs we are clearly running out of time, here are a few possibilities:23:02
nijaba1/ run it on proprietary software Canonical has paid for (would not be running on ubuntu.com, has a limited feature set compared to limesurvey)23:02
nijaba2/ run it on survey monkey (would not be on ubuntu.com, not fully evaluated)23:02
nijaba3/ run limesurvey on an isolated server I would rent for the occasion (with a few calculated risk that kees could help me identify)23:02
nijaba4/ See with elmo  if it possible to run limesurvey on an isolated server23:02
nijaba(or other proposals I may not have thought about).23:02
nijabaNote that 1 and 2 would cause us to post the logic and retest everything.23:02
nealmcb(note - we're continuing the conversation from #ubuntu-meeting....)23:02
keesthere's a lot of code in limesurvey, much of it intertwined with SQL, so getting it all sorted will take a while, I think.23:03
keesthe places where it can be abused are relatively small, though23:03
keesbut they're not zero23:03
keeswhich is why I'm still not able to recommend it.  (sorry, I know that's a bit troublesome)23:04
jdstrandkees: sorry that I am not up to date on limesurvey-- but does it use something like adodb?23:04
nijabajdstrand: yes, mostly23:05
keesit does, but not in a reliably safe way23:05
keestoo much of things like:23:05
keestkquery = "SELECT COUNT(*) FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote($token)."' AND (completed = 'N' or23:05
owhCrap23:05
keesand db_quote adds quotes23:05
keesso you get  WHERE token=''$token''   oops23:05
jdstrandhmmm...23:05
owhkees: And that's in production? Yuk23:05
keesI'd like to see proper WHERE token=?  ....   execute($query, @args)   etc23:06
keesand then there is at least 1 scary looking eval that comes from the database:23:06
owhkees: What language is it written in?23:06
keesif (eval('if (trim($cfieldname)'. $row['method'].' trim($cvalue)) return true; else return false;'))23:06
nijabaPHP23:06
keesowh: PHP23:06
owhCrap, I can't even hide. Have you got a list of issues kees?23:07
jdstrandeek23:07
keesanyway, the eval risks seem to require either an evil admin, SQL injections, or both.  but it's hard to audit due to the heavy use of globals, SQL strings, etc23:07
* danshearer is away: moving computers23:07
nijabakees: but if admin is limited to trusted individuals, is the risk fading?23:08
keesowh: my recommendations remain the same as the original email I sent.  if I itemized the lines that needed fixing, it might take days23:08
keesnijaba: yeah, but again, if SQL injections are possible, a random user could potentially make themselves an admin, etc.23:08
keesit's all unlikely, but imaginable23:08
nijabakees: oh, you mean you found SQL injections in the user part?23:09
owhkees: I didn't see the original email, but I'm an experienced PHP developer. If I spend two days cleaning it up will that get us there, or is it going to be a waste of time?23:09
keesand since the code isn't consistent with its SQL usage and the global vars, and alternating sanitization, it's very hard to be sure without really really careful examination of every line, which makes it also fragile for future updates23:09
nijabaowh: limesurvey is 12Mo23:09
owhnijaba: Surely that is not all PHP code.23:09
kees$ find . -type f -name '*.php' | xargs wc -l23:10
kees...23:10
nijabaowh: there is a LOT of code, trust me, or have a look at it23:10
kees 136754 total23:10
kees(though that includes the many embedded modules)23:10
* owh stops contemplating working on it for two days.23:10
sorenwhuh...?23:11
owhTo me that indicates that nijaba's option 3 and 4 are out.23:11
keesowh: I think it's possible to fix it, yes.  It just requires redesigning how SQL is used and being more careful with output23:11
jdstrandit embeds adodb and others?23:11
keesthey're already on their way to fix it, it's just not really done yet23:11
nijabajdstrand: yes23:11
owhkees: Yes, but fixing it won't likely be in time for our survey to be useful.23:11
nijabajdstrand: but I have "fixed" that in my package23:11
keesowh: that might be true yeah.   options 3 and 4 seem reasonable since it would isolate the risks, and the risks are in the "unlikely" category.23:12
ajmitchkees: sounds like a bit of a nightmare23:12
owhkees: Other than that the database can be compromised, cleared, altered and the results becoming meaningless, yes :)23:12
keesajmitch: I've seen much worse.  limesurvey is certainly working to be safe.  they're just not all the way there yet.23:12
keesowh: right, vandalism may be possible.  but again, I think it's an unlikely situation (but not impossible)23:13
owhkees: Can we mitigate, by doing database replication/backups?23:13
keesowh: probably possible.  just more admin work.23:13
owhI think that the risks don't outweigh the benefits.23:14
* kees leaves that up to nijaba and elmo23:14
keesI'm just giving my opinion on the code safety.  :)23:14
nijabaelmo: really your call: do we go to option 1 or 2?23:14
elmo(1) and (2) are proprietary and/or survey monkey?23:15
nijabaelmo: yes23:15
owhIf we're going to redo it, I'd go for option 1 - it's in-house.23:15
nijabaelmo: my worst fear would be for the data to be stolen23:15
elmoerr, I'm confused: are you asking 'should we do option (1, 2) or something else' or 'should we do option (1) or option (2)?'23:16
elmo'cos if you're not running survey software on my servers, it's not really my (professional ;-) business :)23:16
nijabaelmo: I am asking you if we should rule out option 1 and 423:16
nijabasorry 3 and 423:16
elmoright, well23:16
elmoargh, I don't really know23:17
elmoif a) you guys genuinely think upstream are making progress and it will one day be a sane codebase23:17
elmoand b) you're super keen to get whatever offers limesurvey offers you and benefit from whatever work you've put into it23:18
elmothen, we can run it, I guess23:18
keesI don't think it'll be fixed within the year unless someone is dedicated to doing the redesign.23:18
nijabakees: can we rule out the possibility for the data to be stolen? only vandalize at worst?23:18
elmo(but all things being equal, I'd rather not )23:18
jdstrandwell, there is an assumption in 1 and 2 that it is actually better than limesurvey-- I don't know any of it, but am not sure that assumption is true23:18
keesnijaba: I can't say we can rule it out, no.23:18
nijabajdstrand: good point23:18
owhjdstrand: I did consider that also, which is why I lean toward option 1.23:19
keesnijaba: if one can inject, one can likely extract.  and if they actually gain shell access, game over for data23:19
nijabaowh: sure, security by obfuscation?23:19
owhnijaba: No, security by hitting the supplier.23:19
nijaba:)23:19
jdstrandnijaba: I guess with adodb it doesn't care if it's mysql or postgresql?23:19
nijabajdstrand: normally not, but not tested with pgsql23:20
=== danshearer1 is now known as danshearer
jdstrandkees: well, if we run it on an isolated server with mysql, then we have apparmor23:20
jdstrand(on hardy)23:20
jdstrandI think that would pretty well mitigate non-db access23:20
keesjdstrand: it could -- just more admin work.23:20
nijabakees: not really, the profile is there already23:21
* nealmcb agrees with jdstrand - who knows how secure the proprietary option is (what is it?) or surveymonkey23:21
owhAlso, from memory you can log all MySQL queries to syslog.23:21
jdstrandnijaba: more work because of the isolated server23:21
keesnijaba: well, isolating the web server really.23:21
nijabajdstrand: my plan was to run it in a KVM...23:21
nijabaI mean, for option 323:22
owhIf we can mitigate access and we can log all queries, are we not able to roll?23:24
nijabaelmo: given that the survey should only run for a couple month this round, I'd be ok to go for option 3 and take the admin on my shoulders if you want.  Would you be ok to moint some serversurvey.ubuntu.com record to it?23:25
nijabapoint, too23:25
elmonijaba: the loco server debacle showed us that if it has the ubuntu name outsourcing doesn't help us PR wise23:26
* kees has to go afk, back in a bit.23:26
elmoif we're going to do this, I'd rather it be (4) than (3)23:26
nijabaelmo: right. and your feeling on 4 at this point (and we'll close the subject after that).23:27
elmonijaba: hasn't really changed from what I said before.  if (a) and (b) are true, we can do it23:27
nijabaelmo: I believe they are.  owh, do you agree on (b)?23:28
owhnijaba: Depends on what I'm agreeing to putting in.23:28
nijaba b) you're super keen to get whatever offers limesurvey offers you and benefit from whatever work you've put into it23:29
nijabaowh: pasting from elmo ^^23:29
owhnijaba: I understood that, what I mean is, what expectations does ubuntu-server - ie, you - have that I do with/to limesurvey?23:29
nijabalimesurvey itself: not much23:30
nijabathe test we have done on the survey we prepared: a lot23:30
nijabaand you were a big part of that23:30
nijabatogether with faulkes-23:30
owhWFM23:30
owhnijaba: If you turn on the General Query Log: http://dev.mysql.com/doc/refman/5.1/en/query-log.html on the database - log to a remote syslog server, then we can rebuild if the shit hits the fan.23:31
nijabaelmo: I think we have a plan, then23:31
owhExcellent, next topic :)23:32
mathiazso the plan is: 18:02 < nijaba> 4/ See with elmo  if it possible to run limesurvey on an isolated server23:32
mathiaz?23:33
nijabamathiaz: yep23:33
mathiaznijaba: ok - great !23:33
mathiazI think we're running late23:33
nijabaelmo and I will work out the details in the next few days, I guess23:33
mathiazand most of the people are not around anymore - so last topic:23:33
owhmathiaz: Only 33 minutes thus far :)23:33
mathiaz#23:33
mathiazAgree on next meeting date and time.23:33
nijaba15:00 UTC next week?23:34
nealmcb(tuesday?)23:34
owhYeah, saw the post to the list, what day did you say again?23:34
mathiaztuesday23:34
mathiazworks for me23:34
owhI'll have to have a nanna-nap before the meeting :)23:34
nealmcbworks for me23:34
mathiazexcellent - so next meeting: next tuesday, 15:00 UTC in #ubuntu-meeting23:35
nijabaowh; we'll sponsor an ubuntu pillow then ;)23:35
owhnijaba: Excellent, email it to me :)23:35
InsomniaCityowh: so what happened about your ex-client with the ssh vulnerability?23:35
nijabaowh: sure thing23:35
owhnijaba: If you know which exact version of limesurvey you're going to run, and you can send me kees' comments, I can have a look at the code.23:35
owhInsomniaCity: I sent a security notice and heard nothing. I sent several to other clients and fixed theirs.23:36
InsomniaCityowh: I thought it'd be a non-issue :)23:36
nijabaowh: thanks for the offer23:36
owhInsomniaCity: At least I can look in the mirror and sleep well.23:36
InsomniaCityyup23:37
owhnijaba: Sure.23:37
owhInsomniaCity: I'm glad I asked though. It helped formulate a plan - so thanks for your input at the time.23:37
* nijaba need to go get some sleep. Thanks everyone!23:37
InsomniaCityowh: np :)23:37
owhThanks mathiaz for chairing another wonderful meeting.23:37
nijabaand thanks to mathiaz for hosting the meeting once more23:37
owh#endmeeting :)23:38

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!