[00:03] kirkland: im not wild about it (php backport for hardy)
[00:04] zul: too many changes?
[00:04] New PHP versions always mean new bugs. And broken interfaces.
[00:04] kirkland: gimme half an hour we can discuss I need to put liam to bed
[00:04] Never a good candidate for a stable release.
[00:20] kirkland: it seems like a flimsy excuse to backport 5.2.6 besides the security fixes will be applied eventually and he could always build it himself as well
[00:21] zul: okey doke.
[00:21] zul: let the security-fix-backporting begin ;-)
[00:21] kirkland: yep
[00:21] and what infinity mentioned as well
[00:21] fyi, i chased those down for kees a few weeks back, i have them in my changelogs somewhere
[00:21] s/changelogs/irclogs/
[00:22] soren has me thinking 'changelogs' at the moment ;-)
[00:22] zul: cool, could you add comments to that bug to that effect?
[00:22] kirkland: sure
[00:22] zul: i'll add my irclog research as a comment to
[00:23] zul: basically, a stack of urls to the precise php commit messages
[00:23] zul: of those security issues
[00:39] i'm running a small fileserver with two identical drives in raid 1... is it possible to copy data from a drive that was previously in a raid 1 array, for example if i formatted one of the two drives and wanted to copy some data from the second one?
[00:40] yes
[00:40] could i tell you how? no :)
[00:40] but that's the point of mirror-raid, so i imagine it's doable...
[00:40] i mean, imagine you had a drive crash and had to replace the drive...
[00:41] the point of raid-1 is that there's no interruption and you lose no data...
[00:41] i think it's called 'rebuilding the raid'
[00:41] but
[00:41] i couldn't tell you how... :(
[00:41] okay
[00:41] here's my situation
[00:41] i am running the raid1 array and i would like to reinstall the OS without having to back up everything, as i don't have enough room anywhere else
[00:42] is the os on your raids?
[00:42] i want to install the OS on one drive, copy my data from the other mirrored drive, then format that drive as well and add it back to the array
[00:42] well i imagine you could probably
[00:42] de-raid and remove disk 2
[00:42] install os like normal
[00:43] install second disk and say that it's part of a raid - and that it has the data
[00:43] ...twiddle your thumbs...
[00:43] you're done
[00:43] basically my question is... is there a special procedure for mounting a drive that was once part of a raid1 array?
[00:43] i don't think so
[00:43] okay
[00:43] but again, i've never even done a raid
[00:43] so you shouldn't be listening to me
[00:44] so in theory, in order to pull my data, (i'm guessing) i can just mount hdb1 as usual
[00:44] okay, not listening :)
[00:44] yeah
[00:44] mount -o ro
[00:44] to be safe
[00:44] fantastic, that's a BIG help
[00:44] but you're not listening to me
=== slimjim8094__ is now known as slimjim8094
[00:45] oh god damn
[00:45] lol
[00:45] you're not listening to me, right?
[00:45] good
[00:45] no sir.
[00:45] very nice
[00:45] Filefly: definitely mount -o ro
[00:45] i'd say, mount it read-only
[00:46] and see what happens
[00:46] alright, i gotta go
[00:46] see ya
[00:46] thanks
[00:46] kirkland: can i mount the partition as if it was never part of the array?
[00:47] Filefly: is the partition marked "Linux RAID" ?
[00:47] i'm afraid i'm a bit of a noob
[00:47] how do i check?
[00:47] Filefly: and is the md device formatted directly to a filesystem? ie, you're not running LVM on top of RAID, are you?
[00:47] no, no LVM
[00:47] Filefly: fdisk -l /dev/hd?
[00:47] okay one moment
[00:48] Filefly: okay, then, yeah, mounting the RAID1 is very straight-forward
[00:48] Filefly: i can't stress enough, though, the importance of mounting it readonly -o ro
[00:48] here's this, too
[00:48] md0 : active raid1 sda2[0] sdb2[1]
[00:48] 116238208 blocks [2/2] [UU]
[00:48] i assume i can format and install the os, then mount sdb2 and pull my data from it
[00:49] Filefly: right
[00:49] can you explain why it needs to be ro?
[00:49] i will do it of course.. just curious
[00:49] Filefly: safety measure
[00:49] okay
[00:50] Filefly: in the case that you wanted to boot your old system, you could using sdb
[00:50] okay
[00:50] that's a big help
[00:50] Filefly: if you (accidentally) muck with the meta-data on sdb, then it wouldn't be bootable
[00:50] Filefly: i should say "might not be bootable"
[00:50] right, that i get
[00:51] i'm computer-savvy, but i only rudimentarily understand the workings of raid... that definitely answers my question
[00:51] kirkland: http://pastebin.com/d25280947
[00:51] thanks very much for your help
[00:52] zul: works for me
[00:52] zul: i previously offered to put one in my PPA... i can do this if people really start griping (unsupported, of course)
[00:53] kirkland: they could always ask for a backport from the backports team but I don't know what state that team is in, but yeah that's a choice
[00:54] zul: right, well, it might help the backports team if something is in my ppa, right?
[00:54] kirkland: yep
[00:54] zul: since I already did the work merging for intrepid, it seems incremental for me to just build the package for hardy, no? (supporting it, obviously, is a hugely different ordeal)
[00:55] kirkland: it's your ppa but it depends if the build-depends have changed
[00:56] zul: those were minimal, i'll try a local build
[00:56] but you already built it before for hardy so that doesn't even matter :)
[01:19] zul: ping
[01:19] nxvl: yo
[01:20] nxvl: whats up?
[01:21] did you make any changes to my patch on the reload bug
[01:21] on nagios?
[01:21] nxvl: I believe I did
[01:21] you remember what changes
[01:21] just to know
[01:22] yeah the init script
[01:23] but i mean
[01:23] and the maintainer field
[01:23] to my patch
[01:23] Bug #236373
[01:23] Launchpad bug 236373 in nagios2 "'/etc/init.d/nagios2 reload' causes nagios to exit (sends SIGTERM not SIGHUP)" [Low,Fix released] https://launchpad.net/bugs/236373
[01:23] nxvl: im not getting you and Im about to leave for tonight can you send me an email
[01:23] i mean...
[01:24] ok, doesn't matter
[01:24] i can run debdiff later
[01:24] when i get my ubuntu machine
[01:24] :D
[01:24] thnx
[01:24] btw
[01:24] zul: you haven't sent me an e-mail of the SRU you wanted me to test
[02:14] hey folks
[02:14] I upgraded from 7.10 to 8.04 and am having some authentication issues ... I need to reconfigure libnss-LDAP but when I run dpkg-reconfigure libnss-ldap nothing happens
[02:14] it just returns a bash prompt
[02:17] SpaceBass: just to double check... are you doing sudo dpkg-reconfigure ?
[02:17] sommer, i am
[02:17] sorry for omitting that :)
[02:18] hrmm, strange
[02:18] i know, right? ... wonder if there is a verbose mode
[02:20] SpaceBass: you can always edit the /etc/ldap.conf file by hand :)
[02:20] sommer - no opposed ...but which one? /etc/ldap/ldap.conf or /etc/ldap.conf
[02:21] s/no/not
[02:22] SpaceBass: for authenticating to ldap /etc/ldap.conf is the main one...
it replaced /etc/libnss-ldap.conf (or whatever the old file was)
[02:22] and I believe the dpkg-reconfigure simply changes settings in that file
[02:22] which I suspect is why it broke my authentication to OpenDirectory in the first place
[02:22] the replacement of those two files
[02:23] SpaceBass: I could be wrong about that though
[02:23] dpkg-reconfigure simply calls debconf routines
[02:23] maybe that package doesn't have any
[02:23] SpaceBass: nope that's the file I was thinking of /etc/ldap.conf, heh
[02:23] when its first installed, there are prompts
[02:24] you can always apt-get remove --purge and reinstall :S
[02:24] ahhh purge
[02:24] didn't try it that way
[02:24] but keep a backup of your files before
[02:24] if you have made some changes
[02:24] SpaceBass: ah, I think you're looking for sudo dpkg-reconfigure ldap-auth-config
[02:25] oh yes, you need to use sudo
[02:26] actually I'm using root - I know, I know...but until I can get auth working again, I cannot log in as anyone else...had to drop to recovery just to get a root shell
[02:26] SpaceBass: yep, dpkg-reconfigure ldap-auth-config... will give you the prompts
[02:27] sommer, that's it! thanks!
[02:27] np
[02:28] the packages were reconfigured so things are slightly different from 7.10 to 8.04, but hopefully better for the long run
[02:29] seems like easier management, from what I've read
[02:33] alright! at least getent passwd works
[02:33] thanks guys
[02:34] SpaceBass: party!
[02:36] the new /etc/ldap.conf doesn't replace the pam.d/common-* files does it?
[02:37] nope just the files needed to configure libnss-ldap
[02:38] just double checking
[02:38] you should still see an entry for ldap.so (or whatever) in those files
[02:51] evening all. anyone want to work with me on file permissions issues?
[02:51] Doesn't look like my last message went through
[02:51] oh there it is
[02:54] I have 3 directories set up to share on my server. Sharing is exported with nfs and Samba.
the three directories are /public (completely open, any user can read write or execute. this includes windows users /ldap/users/or any unauthenticated client
[02:56] the second directory is /business. also a nfs share and samba share. only persons from LDAP authentication can access this share and they must belong to the business group. they should have complete control over anything in the share. anything they create in the share can be controlled by anyone else that has access to the share.
[02:56] the third share is /private. this is an nfs and samba share with only one user having access and no other user can do anything in the share.
[02:57] can someone out there help me to get this set up correctly
[03:23] does 8.04 not use /etc/fstab?
[03:27] It does
[03:32] appears my raid did not start after the upgrade to 8.04
[03:32] thinks there's only 2 devices
[03:34] check what devices are being looked at in mdadm.conf?
[03:35] that's what is odd...no devices listed ARRAY /dev/md0 level=raid5 num-devices=4 UUID=7b94174d:9827fba7:9d356db8:2532e22e
[03:36] right, apparently it defaults to looking at all partitions if no DEVICES line is there
[03:36] (from a quick look at man mdadm.conf)
[03:39] odd - all the partitions appear to be present
[03:41] it's been awhile since I looked at it, but does mdadm --assemble /dev/md0 bring up the array now with all devices?
[03:45] says there's only 2 (out of 4) devices
[03:46] odd
[03:46] yeah, b/c they are all there
[03:46] trying to figure out how to manually specify them
[03:46] I thought it could possibly have been that the devices weren't known in time for mdadm to run at bootup, not that it should possibly happen now
[03:49] yeah, dmesg shows some errors like that might have been the case...but it should assemble now
[03:49] * SpaceBass smells a downgrade
[03:49] what sort of errors?
[03:50] [ 484.709354] md: unbind
[03:50] [ 484.709359] md: export_rdev(sdd1)
[03:50] [ 484.709368] md: unbind
[03:50] [ 484.709370] md: export_rdev(sdb1)
[03:50] [ 484.709376] md: unbind
[03:50] [ 484.709379] md: export_rdev(sde1)
[03:50] [ 484.709383] md: unbind
[03:50] [ 484.709386] md: export_rdev(sdc1)
[03:50] [ 484.757276] md: bind
[03:52] SpaceBass: When you upgraded how did you do it?
[03:53] the built in distro upgrade command
[03:55] SpaceBass: You mean do-release-upgrade or using apt?
[03:57] do-release-upgrade
[03:58] OK. There's one set of problems that can happen if you use apt (I know), so that's ruled out.
[03:59] * ajmitch hasn't played around with raid problems for a year or so, so is rusty
[03:59] i am too...b/c it's just worked
[03:59] since I was fortunate to have mdadm & lvm just work on upgrade
[03:59] haven't had the need to play around
[04:00] i guess I can re-create ...but that scares the crap out of me
[04:00] and it really shouldn't be necessary
[04:01] unless somehow the raid metadata disappeared from those other devices, or was corrupted
[04:01] * ajmitch knows that you can use mdadm to examine each partition & print out what the metadata is
[04:01] just can't recall the command
[04:02] mdadm --examine
[04:02] but I'm in "assemble" mode so it won't let me
[04:03] ah, mdadm --misc --examine?
[04:04] unsure if both are required
[04:04] from what --help says, it's not
[04:05] hummm...no superblock detected
[04:08] according to the verbose output...they all have the wrong uuid
[04:09] strange, to say the least
[04:09] yeah
[04:10] I'm fairly concerned ...to say the least
[04:10] * SpaceBass thinks he's lost 2TB of data
[04:11] Na surely not.
[04:12] how can I find the uuids of each partition manually? then use them to update mdadm.conf?
[04:12] ^^is googling now
[04:12] SpaceBass: Error: "^is" is not a valid command.
[04:13] Have you tried assembling the array specifying the devices?
[04:14] interesting ...each of the 4 partitions has the same uuid ... the same uuid that is in mdadm.conf
[04:14] hads, I cannot find how to do that...that was my first instinct
[04:15] hads, I tried simply listing them:
[04:15] mdadm --assemble /dev/md0 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
[04:15] but I get: mdadm: /dev/md0 assembled from 2 drives - not enough to start the array.
[04:16] That looks right from memory, not that I know that much about mdadm
[04:18] and since we're quiet tonight...here's the verbose output...even more strange
[04:18] mdadm: looking for devices for /dev/md0
[04:18] mdadm: /dev/sdb1 is identified as a member of /dev/md0, slot 3.
[04:18] mdadm: /dev/sdc1 is identified as a member of /dev/md0, slot 0.
[04:18] mdadm: /dev/sdd1 is identified as a member of /dev/md0, slot 1.
[04:18] mdadm: /dev/sde1 is identified as a member of /dev/md0, slot 2.
[04:18] mdadm: added /dev/sdc1 to /dev/md0 as 0
[04:18] mdadm: added /dev/sde1 to /dev/md0 as 2
[04:18] mdadm: added /dev/sdb1 to /dev/md0 as 3
[04:18] mdadm: added /dev/sdd1 to /dev/md0 as 1
[04:18] mdadm: /dev/md0 assembled from 2 drives - not enough to start the array.
[04:18] sorry for the flood
[04:20] from what I see in the mdadm help, it looks at both UUID & superblock information
[04:22] Does `mdadm --examine /dev/sd{b,c,d,e}1 | grep UUID` show the same UUID?
[04:22] hads, dunno...let me try that
[04:24] yeah, all the same uuid (same result as vol_id /dev/sd.... )
[04:27] As I said, I don't know mdadm that well so don't know how much help I can be sorry.
[04:27] you both have helped me troubleshoot - that's the most anyone can ask for...thanks!
[04:30] interestingly ... the results for mdadm --examine /dev/sdd1 and sde1 are slightly different than sdb1 and sdc1
[04:30] Perhaps you could assemble with --update
[04:31] how slightly different? superblock?
[04:31] there is the --force option as well, but I don't know if that's safe
[04:32] yeah...see that...but doesn't feel safe :)
[04:32] guessing I have to recreate and hope the data is there
[04:32] that's probably the least safe option :)
=== slimjim8094 is now known as Guest87625
=== slimjim8094__ is now known as slimjim8094
[04:35] not sure what else to do :(
[04:36] seems to think sdd1 and sde1 have no superblocks
[04:36] Well update looks like it should fix that
[04:47] well I gotta take a break and call it a night
[04:47] thanks again for the help
[04:48] bye, sorry we couldn't help enough
[04:50] troubleshooting help is great
[04:51] tried to recreate it (as some blogs suggest it's non destructive) and sdd1 and sde1 report as "too small" ....very odd indeed
[04:51] might run spinrite against them to make sure they are not damaged
[04:51] but cannot fathom how the upgrade to 8.04 would have hosed physical disks
[04:51] anyway....night all!
[05:08] <_CitizenKane_> Is it possible to change the size of the varrun filesystem? Mostly right now I have a server where it is completely full, and it's causing some problems
[05:14] what is being stored on /var/run that is taking so much space?
[05:19] <_CitizenKane_> ajmitch: it seems that mysql is storing binary logs there
[05:20] That would be odd.
[05:20] They should be in /var/log
[05:21] <_CitizenKane_> well, maybe i'm incorrect with this, the filenames are like this, mysqld-relay-bin.000004
[05:24] Well nothing should be stored in /var/run except pid files and sockets etc.
as it's tmpfs
[05:25] <_CitizenKane_> hads: ya, i know that, this mysql server is just replicating from another one, but I don't know why there would be binary logs in /var/run
[05:27] grep "/var/run" /etc/mysql/my.cnf
[05:28] <_CitizenKane_> socket = /var/run/mysqld/mysqld.sock
[05:28] <_CitizenKane_> socket = /var/run/mysqld/mysqld.sock
[05:28] <_CitizenKane_> pid-file = /var/run/mysqld/mysqld.pid
[05:28] <_CitizenKane_> socket = /var/run/mysqld/mysqld.sock
[05:29] <_CitizenKane_> sorry, should have done a pastebin, i got a little lazy
[05:30] Well I don't know that much about mysql replication but there should be a log_bin directive in my.cnf which it should honor
[05:31] especially as /var/run is on a tmpfs usually
[05:31] <_CitizenKane_> hads: turns out it's a bug
[05:32] <_CitizenKane_> http://arjen-lentz.livejournal.com/115899.html
[05:33] though the linked bug says it's foxed in hardy
[05:33] s/fox/fix/
[05:35] <_CitizenKane_> ajmitch: this server is on feisty, so no fix yet i guess
[05:36] * ajmitch wonders if it'll be a candidate for fixing in earlier releases
[05:37] <_CitizenKane_> ajmitch: I hope so, but at least there is a work around
[05:37] thankfully so
[05:38] <_CitizenKane_> because this bug is breaking nearly everything on this server =/
[05:38] with /var/run full, not much else is going to start if it fails on storing pid files
[05:39] <_CitizenKane_> ajmitch: ya, that was the problem I was having, samba started acting up out of nowhere
[05:40] Ah that's a bummer, at least you found info relating.
[05:41] Easy workaround
[05:42] <_CitizenKane_> hads: yep, and thanks for the help
[05:42] No problem, didn't actually help :)
[05:43] <_CitizenKane_> hads: it's the thought that counts ;)
[05:43] * ajmitch thinks hard about beer & hopes it counts
[05:43] getting closer to that time of day :)
[05:44] It's nearly middle-of-the-week-beer-o'clock :)
[05:44] heh
[06:03] Are the Magic SysRq keys enabled for the server kernel?
[08:43] moin
[09:56] hi
[09:56] does anyone know how i can get the refresh time with dig?
[10:06] by refresh time, do you mean TTL?
=== fredrik is now known as frippz
[11:02] Hi
[11:03] I need some help
[11:03] who can help me?
[11:03] :)
[11:03] !ask
[11:03] Please don't ask to ask a question, ask the question (all on ONE line, so others can read and follow it easily). If anyone knows the answer they will most likely answer. :-)
=== fredrik is now known as frippz
[11:05] ok, sorry :). I'm a school teacher and i'm configuring a ubuntu server with PDC - samba and Ldap, and I need to redirect the "My Documents" to go direct to the home folder of my server
[11:07] i have the netlogon script
[11:08] and i have a file shortcut.vbs . I think maybe it's here where i have to put the code??
[11:08] I'm not english, sorry for my writing
=== [gquit]bombadil is now known as gquit|bombadil
[12:46] morning all. trying to resolve the following issue. when an authenticated network user writes a file to an exported NIS share the following permission and ownerships result. -rw-r--r-- userxxx Domain Users. This is the default. how do I change the default to save the file with -rwxrwxr-x Domain Users Domain Users
[12:49] Change your umask
[12:49] ...to 002.
[12:49] /etc/login.defs
[12:50] ok. I'm not familiar with umask what would the umask number be?
[12:50] 11:49:37 < soren> ...to 002.
[12:50] cjsstables, umask is the opposite to the file permissions numeric value you want to finish with
[12:51] thanks soren, you have been quite a help for me. I have an excellent server so far. and now just finishing it up with network shares..
[12:51] cjsstables: :)
[12:51] soren, is the umask set on nfs server or client?
[12:52] * Kamping_Kaiser found a rather nice way of setting umask via pam today (and was happy when it worked)
[12:52] next question. do I modify the /etc/login.defs on the server side or client side?
[12:52] Kamping_Kaiser: client.
[12:53] cjsstables: client :)
[12:53] nod. ta.
:)
[12:53] ok. next question. is it possible to only specify the umask for specific directories or will it apply to all directories
[12:54] all dirs. you'd have to do separate ones differently
[12:54] It's used by the open(2) and mkdir(2) system calls, which are invoked on the client.
[12:55] my concern is that my /ldaphome directory would end up having files written with the wrong permissions. that directory and the writes are working perfectly right now and don't want to mess it up
[13:05] soren: looks as though I may not want to do that. the login.defs narrative recommends not to use UMASK. Am I better off not using an nfs share and only use a samba share with samba configured to force the permissions and groups on writes?
[13:06] It's an option, sure.
[13:08] you can export nfs with a mask per export can't you?
[13:08] anyway. night
[13:09] ok. next question. all linux clients use an xfce desktop that doesn't have a means to browse smb shares. Also is there a way to automount those smb shares based on the user login?
[13:09] cjsstables: look at nis maps ?
[13:09] cjsstables: automounter ?
[13:09] kamping_keiser... can you explain that further
[13:10] Kamping_Kaiser: sure, in the exports file under the options you can set mask
[13:10] ahhh... that's it. that's what I needed.
[13:12] ikonia. right now all clients have the export automounted through /etc/fstab. I was looking for a solution to do that with samba, but I have seen you have to have a user and password to get them mounted. That isn't convenient for me
[13:12] cjsstables: well you can do it in the export section and use a mask, or look at tools like automount
[13:13] ok. I'm going to go and research that. thanks for the help guys
[13:14] bye
[13:39] hey hey guys
[13:39] quick question... i have just got a t2000 sparc back from storage and am playing about with it... when i got it originally i managed to put 6.06 on it... which is now obviously out of date...
which version should I look at putting on it with a fresh install? I tried 8.04 last night but it's giving problems... is it the officially supported version for these sparcs?
[13:42] sparc is dead
[13:42] it's a community distro now
[13:43] the T2000 is also the latest Sun chip so generic sparc stuff doesn't work properly on it unless done through solaris (100% binary compatibility )
[13:44] which is why it is now in ports?
[13:44] but there is still an 8.04 image... so someone must be still maintaining it
[13:44] http://drwetter.org/coolthreads/t2000.Ubuntu_vs_Solaris10_3.html
[13:45] Kelerion: sorry, didn't mean to mislead, most of it gets auto built from the repo, and there are "people" maintaining it
[13:45] ah
[13:45] ok..reading that page :)
[13:45] Kelerion: it's a tad dated, but does give you an idea
[13:53] ok...
[13:53] well hmph... lol
[13:54] makes me wonder though... if the SAS controller driver was implemented in edgy... wouldn't it still be in hardy?
[13:55] anyways... not important
[13:55] doesn't seem to leave me with my options... mainly, go back to solaris...
[13:56] opensolaris?
[13:57] i don't know solaris *at all*.. to be honest...
[13:57] might be a good time to learn a new OS.. lol
[13:59] http://www.nexenta.org/os
[13:59] kelerion check it
[14:01] nvmd
[14:01] not sparc
[14:01] well damn...that was looking promising too.. lol
[14:03] it's ok... i don't mind playing around with a new OS.. it's all in the learning, right...
=== jjesse_ is now known as jjesse
[14:59] OpenSolaris would be interesting to toy with
[14:59] so would OpenBSD
[15:02] <\sh> opensolaris is nice
[15:03] <\sh> actually the zfs thing...
[15:05] ya, that sounds really cool
[15:05] not that I'm a filesystem guru
[15:08] hello, I am new to ubuntu and want to setup a media server that can be accessed from my LAN and remotely.
[15:08] would it be best to use standard ubuntu or the server edition
[15:09] I have an old Proliant ML330 that I would like to use.
Is this machine sufficient or???
[15:11] You probably wouldn't use standard ubuntu
[15:12] Don't go on my word alone, but check out Ubuntu Studio, Mythbuntu, and Ubuntu Server.
[15:38] Hm, new kernel today.
[15:42] -18?
[15:42] lukehasnoname: yes
[15:44] Is the "-18" part an Ubuntu specific edition?
[15:44] the 2.6.24-xx
[15:46] lukehasnoname: yes, that's the build number
[15:53] are there any good router guides that will show you how to prioritize traffic or apply bandwidth limits to certain machines(or both) by mac address??
[15:53] Isn't that called QoS (Quality of Service)?
[15:53] maybe even with a gui? do I hear laughter?
[15:53] lukehasnoname, yeah...
[15:54] as far as by mac address, I don't kow
[15:55] know
[15:55] All I see so far is iptables
[16:00] is it ebtables that uses MAC addys?
[16:01] arakthor, don't know... but weren't you the guy that deleted his samba config files?? that was pretty funny.
[16:02] arakthor, I'll look into ebtables...
[16:03] What I'm trying to get is close to the same effect as this product http://www.softperfect.com/products/bandwidth/
[16:04] You can turn on/off, and limit bandwidth by mac and prioritize traffic. So I think the QOS is pretty well documented, but the other stuff it seems near impossible to find.
[16:08] no, I didn't delete my samba config files :)
[16:13] fbc: Greetings.. I'm interested in something like that as well.
[16:15] pschulz01, hehehe,, you want the winning lotto numbers too?
[16:15] fbc: Useful diagram.. http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
[16:16] fbc: Do you have them?
[16:16] pschulz01, nope. sorry...:-P
[16:16] fbc: I used to work for these guys.. http://netpriva.com/
[16:17] fbc: We worked on something that does exactly what you're after. I left 2 years ago, and was thinking that there should be a way to do exactly the same thing, but in the FOSS world.
[16:18] pschulz01, cool, yeah I would like a guide that would walk you through it.
Maybe even throw a little squid config in there...
[16:19] fbc: I was thinking of something along the lines of a 'config file' that then gets converted into the low level ip/eb tables commands.
[16:19] fbc: one way of doing this is to set up traffic shaping using tc
[16:19] danshearer: Howdy :-)
[16:19] pschulz01, I figure that kind of setup is what 95% of businesses need.. something that can control and limit like that, and I'm trying to replace the windows server at my workplace with ubuntu, but the boss says it needs to do everything the old server did.
[16:19] fbc: and then using iptables to stamp packets depending on the user or other criteria
[16:20] fbc: A template for doing this and with stamping code but not discrimination by user can be found at
[16:20] fbc: http://shearer.org/Linux_Shaping_Template
[16:20] danshearer, tc?? cool.. I'll look into it...
[16:20] pschulz01: you again! g'day :-)
[16:20] danshearer: The problem with tc as I was aware, was that whatever you came up with (rate limiting) it had to be redone when you wanted to add an additional service.
[16:21] pschulz01: what does "redone" mean here?
[16:22] re-done.. the tc setup required various parameters for bucket sizes (token buckets) etc.
[16:23] I need to revisit tc and see if there have been new developments.
[16:23] danshearer, Is there a high level tool that will create all those config files for you? maybe even a gnome gui?(try not to laugh)
[16:24] pschulz01: well, you don't have to "tc qdisc del dev eth0 root" every time
[16:24] * lukehasnoname laughs in spite
[16:24] pschulz01: but even if you did, is that a major problem? like re-running your iptables script, it's very quick and the kernel
[16:25] pschulz01: doesn't drop packets or anything although I guess the QOS for some few packets might be slightly indeterminate
[16:25] danshearer: probably not.. the idea was to be able to add additional channels incrementally.
[16:25] pschulz01: ah, you mean, if you have already allocated your full bandwidth among 3 classes and
[16:25] danshearer: Some of the queuing disciplines will drop packets when you remove the queue.
[16:26] pschulz01: then you want to add a 4th class?
[16:26] pschulz01: but not HTB, I think? Which, unless you are pretty specialised, should be ok for most people?
[16:26] danshearer: Well.. I would like to have a pool of channels (eg. for voice)
[16:26] pschulz01: Hey, but you're the one who's run a firewall company not me so what would I know :-)
[16:26] danshearer: .. and be able to allocate them as required.
[16:27] danshearer: I have some pretty wallpaper.
[16:27] lartc.org
[16:28] pschulz01: Right, so you're getting into hairy tc-foo. As I say on the web page, tc filters are complex and yukky
[16:28] Deeps: lartc.org can be as much of a hindrance as a help (unless they have updated docs recently. Beware the 2.4 kernel docs.)
[16:28] Deeps: some of the diagrams really help though
[16:29] danshearer, pschulz01 , ok so what direction do I go in? I have kids here on campus using bittorrent(that needs to stop). I have kids using school computers for internet access, which should only be used for learning.(those need to have internet access removed totally). So this is why I need to be able to turn internet access on and off by mac, and limit bandwidth for others, and restrict certain other machines to only certain ports.
[16:29] fbc: if you are comfortable starting with a partial solution today, and then building on that, I'd be surprised if
[16:30] fbc: the tc template I gave you wasn't a fairly low-pain way of solving your most pressing problems first
[16:30] fbc: it deliberately doesn't use anything very clever or complicated
[16:30] danshearer, Yeah, for sure.
[16:30] fbc: because otherwise I'd just confuse myself worse than usual
[16:31] fbc: stopping bt can be just an iptables thing
[16:31] fbc: there's a fairly simple firewall script up there too somewhere
[16:32] fbc: ah yes, in the comments: http://shearer.org/Linux_Firewall_Template
[16:32] hey, fbc, might I ask what university you work for? If that's confidential, I understand.
[16:32] nvmd, I'll PM you
[16:32] fbc: think of this as the not-very-clever-way of doing firewalling and bandwidth shaping
[16:32] They are just about to activate the new toilet pump on the International Space Station
[16:32] nope, it's unives, here in guadalajara, Mexico...
[16:32] fbc: there are people present who can give much more complete answers
[16:32] Small startup
[16:33] pschulz01: You mean they will be able to boldly go once again?
[16:33] The words 'high pressure' and 'toilet' are not words that you'd like to hear in the same sentence.
[16:33] danshearer: Yep.
[16:34] pschulz01: You obviously haven't spoken to any submariners. Wander down to Port Adelaide mate
[16:34] yeah, is it a toilet or an enima machine?
[16:34] Not recently.
[16:34] Adelaide? Mate? Are you from Ireland?
[16:34] <_<
[16:35] fbc: they cracked that one in WW2
[16:36] danshearer, meant enema
[16:36] fbc: sorry, got lost in the flow
[16:37] too much pressure? lol
[16:37] danshearer, lol
[16:40] danshearer, which part of that script turns off internet access... from what little I can understand from reading the syntax there doesn't seem to be anything there for that.
[16:42] it would probably be helpful for most people to compartmentalize the script maybe into smaller files. like apache2 does..
[16:45] like /etc/tc/macs.allowed and /etc/tc/ports.allowed or something similar you automatically know where to look for something and where to put it.
[16:45] and just add INCLUDE /etc/tc/macs.allowed in the main script.
[16:45] coffeedude: g'day
[16:46] hey danshearer
[16:46] fbc: that's what I meant about iptables, you'd do that over on your firewall
[16:46] fbc: these two things work in concert
[16:47] fbc: the firewall disallows everything and you selectively allow things you want
[16:47] fbc: and then you stamp packets you want shaped particularly
[16:47] fbc: all other packets get shaped according to the default policy
[16:48] what pschulz01 said is quite right, tc has its limitations but this is one way to get you going
[16:49] Hey does anyone have any experience with Ubuntu Server on a Dell PowerEdge R805
[16:49] fbc: as to splitting it up, nearly all of those two files are comments showing you what to modify and when
[16:50] fbc: so I can't quite see what the thousand little files approach would add here :-)
[16:50] I'm particularly just looking for info on compatibility. Any snags on getting it installed and configured
[16:50] fbc: sure that stuff is very helpful for automated administration and so on. and if you were creating a managed facility
[16:50] fbc: on debian or something.
[16:53] danshearer, yeah, I guess it's just my stab at not having one humongous config file. My mac addresses of allowed machines might hit 300 lines.. so that was why the compartmentalizing for me was important.
[16:54] fbc: wow! I hadn't thought of putting them all in a file
[16:54] fbc: you're right, that's painful. The thing is you then have to generate that file and rerun the script each time it changes
[16:55] fbc: there are other ways of getting yes/no answers for iptables rules
[16:55] fbc: for example, hooking into an rbl
[16:55] fbc: it's called packetbl iirc
[16:56] danshearer, ok... I'm gonna setup a small lab this afternoon and see what i can get done..
[16:58] Anyone?
[16:59] fbc: if you happen to be running your own dynamic router you can drop packets on the floor there too [16:59] fbc: but there was also a specific package I remember trying out for just this use case, hang on [17:00] fbc: ah yes, this was a couple of years ago I tried this and I didn't put it into production, but it looked good [17:00] fbc: http://www.dessent.net/linblock/ [17:00] jambooda, it's a pretty straightforward install.. there should be no special tricks [17:00] jambooda, got xeon.. use 64-bit version... to take advantage [17:01] fbc, so you have ubuntu server installed on a poweredge r805? [17:02] I know installing the OS is straightforward. I've installed it many times but I want to make sure there are no issues with this particular server [17:02] fbc: if you get a chance it would be good if you wrote down a log of your experiences, and any improvements to my scripts [17:03] soren: \sh asked if we could bump up the php memory from 16 to 32 I dont have a problem with it [17:04] danshearer, sure.... It would be nice... to publish a howto guide for the rest of the world. And if I ever get around to learning to program in C, I'll create a gtk+ app to create the syntax.. [17:06] fbc: perlgtk is another option, with glade. [17:08] danshearer: What was the other idea you floated recently? [17:11] zul: did you see that I put an (untested) php5-5.2.6 package in my PPA for hardy? === danshearer1 is now known as danshearer [17:12] pschulz01: can I have a little context? [17:13] kirkland: nope but good [17:13] zul: it built just fine, no changes necessary [17:14] kirkland: sweet I didnt expect any changes were necessary since you already built it locally [17:14] zul: right [17:14] zul: i figured we'd let it bake there for a little while, and if people find it useful, they can try to push it through the -backports process [17:18] kirkland: ok by me :) [17:20] pschulz01, I'll have to learn perl. I'm limited to batch,basic,php,mysql,html,some java.
[17:24] fbc: great ideas, but at the least if I could have some fixed scripts to publish that would be good [17:26] fbc: and as to your list of 300 addresses, if you have to write them all in iptables rules something is probably wrong [17:26] providing a zip file or something of a basic config might not be bad. [17:27] fbc: and iirc a while back you mentioned ebtables, that's at a lower level than anything else we've discussed here [18:03] New bug: #237391 in openssh (main) "ssh-keygen should default to dsa not rsa" [Undecided,New] https://launchpad.net/bugs/237391 [18:17] how can i add a script to the startup of ubuntu? [18:17] is there some tool for the runlevels? [18:18] (i would like to run my firewall script when my box is starting up) [18:18] spiekey: you can put it in /etc/rc.local [18:18] or you can make a script for /etc/init.d [18:21] thanks [18:24] kirkland: re bug 237391 [18:24] Launchpad bug 237391 in openssh "ssh-keygen should default to dsa not rsa" [Undecided,Confirmed] https://launchpad.net/bugs/237391 [18:24] kirkland: why ? [18:25] mathiaz: indeed - aren't dsa keys, e.g., more vulnerable to problems with random number generators :( [18:28] e.g. http://www.schneier.com/blog/archives/2008/05/random_number_b.html#c271308 [18:32] [18:33] update-rc.d will make the links for you. [18:33] mathiaz: sorry.... [18:33] mathiaz: i just updated my reply to that bug [18:33] mathiaz: I completely misread it [18:33] * kirkland goes looking for more coffee [18:34] * nealmcb is beaten by kirkland by 5 seconds in commenting on the bug.... [18:34] nealmcb: :-) [18:35] nealmcb: I think the "X seconds/minutes ago" on Launchpad bug comments should be javascript [18:35] nealmcb: give the unix epoch time, and put a javascript counter in each of those [18:35] nealmcb: 1/2/3/4/5/6/7/8/9/10 seconds ago :-p [18:36] jdstrand: do you have more ideas about auth-client-config ? [18:36] mathiaz: that is a pretty open ended question... 
[18:36] jdstrand: I was wondering if we could add automatic package installation to it [18:36] mathiaz: I do plan to add netgroup support, there is a patch for it [18:37] jdstrand: so that if you want to configure an ldap profile, it pulls in nss_ldap [18:37] mathiaz: oh-- you mean for the user auth integration stuff [18:37] jdstrand: user auth integration ? [18:37] mathiaz: automatic package installation-- hmm [18:37] mathiaz: I always envisioned it the other way around [18:38] openldap/clients/etc [18:38] jdstrand: well - I was wondering if we could turn auth-client-config into an equivalent to domain-join from likewise-open [18:38] the intrepid integration work discussed at UDS [18:38] Isn't RSA pretty easy to crack nowadays? [18:38] Er... No. [18:39] hmm... [18:39] mathiaz: well, auth-client-config on its own is just a tool to do profile switching [18:39] jdstrand: the use case would be - to setup your ubuntu client to use your ldap server run: auth-client-config ldap [18:39] lukehasnoname: not with sufficient bits [18:39] mathiaz: yes-- that is the intent of the program [18:40] mathiaz: difference being, there might be a different program, say ubuntu-ldap-client, that would provide the profile, then call auth-client-config from postinst [18:41] jdstrand: right - but the end user still has to figure out that the nss-ldap and pam-ldap packages have to be installed in order to make it work correctly [18:41] mathiaz: the idea being that the package maintainer knows more about configuring this stuff than auth-client-config [18:41] lukehasnoname: You can't crack it. You can brute force it. And even if you could check 100 trillion keys in a second, it would still take you 10^286 years to go through the 1024 bit keyspace. [18:41] mathiaz: ubuntu-ldap-client would Depends on whatever is needed [18:41] lukehasnoname: A.k.a. "a very long time". [18:42] soren: uh, I am not sure your math is right there [18:42] jdstrand: hmm..
and ubuntu-ldap-client would drop a profile for auth-client-config [18:42] mathiaz: exactly [18:42] jdstrand: It does sound a bit high. [18:42] (2^1024/100000000000000)/(60*60*24*265) [18:42] mathiaz: there could be all kinds of these things-- ubuntu-ldap-client, ubuntu-kerberos-client, etc, etc [18:43] soren: but it's still "universe getting chilly" sort of timeframe. And hello [18:43] jdstrand: Er... Ok, that should clearly have been 365 days in a year. [18:43] jdstrand: well - I only see two of them - ubuntu-ldap-client and ubuntu-kerberos-client [18:43] danshearer: Ahoy there :) [18:43] jdstrand: I was wondering if likewise-open could provide a profile to auth-client-config too [18:44] mathiaz: IMO, auth-client-config should be very dumb, and is simply a tool for maintainer scripts and administrators [18:44] Changing the number of days in a year only changed the fourth most significant digit (base 10). [18:44] mathiaz: absolutely-- the more the merrier :) [18:44] jdstrand: agreed [18:44] mathiaz: while ubuntu may only have 2 or 3 of these packages-- an administrator may have site-profiles for ease of maintenance [18:45] jdstrand: in the example of ubuntu-kerberos-client, there needs to be more work done to join a client to the realm [18:45] jdstrand: do you think auth-client-config could be extended to do that work ? [18:45] jdstrand: this is the other part in domain-join IIUC [18:46] mathiaz: well, auth-client-config is technically just pam and nss, I guess you are talking about krb5.conf? 
[18:46] jdstrand: you need to configure your local system (pam and nss), plus do some other work on the server side ('register' the machine) [18:46] mathiaz: oh yes [18:47] mathiaz: OTOH, seems the server side stuff should maybe have an addkerbhost script of something [18:47] jdstrand: I'm trying to figure out if we can provide the equivalent of domain-join for ubuntu-ldap-client and ubuntu-kerberos-client [18:47] s/of/or/ [18:47] jdstrand: http://people.ubuntu.com/~mathiaz/network_auth_integration.png [18:47] jdstrand: ^^ this is a big picture of network authentication from the client POV [18:48] yes [18:48] jdstrand: I'd like to see if we can provide a single command to handle all of the three scenarios [18:48] * jdstrand is thinking [18:48] jdstrand: auth-client-config IIUC can handle the pam/nss configuration [18:49] mathiaz: yes, that is all it does. it safely updates nss and pam based on the profile specified [18:49] jdstrand: but we need to add some infrastructure to configure other parts of the system (krb5.conf or lwidentidy.conf or /etc/ldap.conf) [18:49] mathiaz: I definitely see it as a component of this, but updating these other .conf files seems out of scope for a-c-c [18:50] mathiaz: but maybe not [18:50] jdstrand: and do the right thing to register the machine in the infrastructure [18:50] jdstrand: do you think this is out of the scope of auth-client-config ? [18:50] I don't want to unnecessarily limit my thinking [18:51] jdstrand: If you think my maths is wrong... What do you get if you do the maths? [18:51] mathiaz: my gut feeling is it is out of scope, as what you are suggesting is ubuntu-specific, whereas administrators use it for other things [18:51] For reference, this is what I asked bc: [18:51] l(((2^1024)/(100*10^12))/(60*60*24*365))/l(10) [18:51] For maximum clarity. [18:52] The result is the power to which I need to raise 10 to get the number of years I'd need to sit around waiting for my supercomputer to finish.
[18:52] mathiaz: however, auth-client-config does seem to be an important component of your design [18:52] (as is) [18:52] * soren goes to dinner [18:52] mathiaz: mind you, I am just thinking out loud [18:53] * mathiaz doesn't hear jdstrand [18:54] did anyone get openldap with tls working on ubuntu8 [18:56] jdstrand: what about adding a check to auth-client-config to make sure that the librarys it's about to setup for pam and nss are available, and if not, list the packages that should be installed ? [18:56] jdstrand: /librarys/libraries/ [18:58] soren: well, 1024 bit rsa keys can be brute-forced much more easily than that, given other smarts in the algorithm, but it is still awfully hard for the time being [18:59] ... since you don't need to check all the possible values... [19:00] mathiaz: what is the end result you would like to see. rather than saying the executable is auth-client-config, lets call it uauth. eg: [19:00] uauth ldap ... [19:00] can you give an example of the command and what the result should be, and let's go from there [19:03] jdstrand: uauth --ldap-cert=/etc/ca.cert ldap-profile dc=example,dc=com [19:03] hmm [19:03] jdstrand: uauth --ldap-cert=/etc/ca.cert ldap-profile dc=example,dc=com ldap.example.com [19:04] mathiaz: well, some of those smarts are already in the libnss-ldap and libpam-ldap packages [19:04] jdstrand: configure your system to use ldap.example.com to perform authentication and nss lookups [19:04] mathiaz: gotcha [19:04] jdstrand: uauth krb5-profile example.com [19:05] jdstrand: updates the krb5.conf file and gets the host keytab (somehow) [19:05] mathiaz: what if the 'uauth' package provided your three profiles?
uauth the executable could then be smart enough to update /etc/krb5.conf, /etc/ldap.conf or whatever, and then call auth-client-config [19:06] jdstrand: yeah - that's what I was thinking of [19:06] mathiaz: this keeps the high level stuff out of auth-client-config (so other admins/packages/users/distros can use it) [19:06] jdstrand: the same design as auth-client-config, but you'd have to provide some code to create the configuration on the host [19:06] mathiaz: exactly-- and this is ubuntu integration specific [19:07] jdstrand: auth-client-config uses just a declarative language for profiles [19:07] * mathiaz nods [19:07] mathiaz: I haven't used likewise yet-- does it do more than pam? [19:07] jdstrand: yes - AFAICT it does nss also (ie winbind function) [19:07] (other than the equivalent of ldap.conf, etc) [19:08] jdstrand: and the domain-join command makes sure that your system is setup properly (krb5.conf, etc...) [19:08] jdstrand: domain-join supports 100s of platforms [19:08] mathiaz: ok good-- then a-c-c can be used here as well [19:08] jdstrand: it also does the right thing to create your machine account in AD [19:09] jdstrand: that's what I was thinking.
[19:09] jdstrand: so to be more specific about auth-client-config, I was suggesting to improve error detection [19:09] jdstrand: such as libraries that are supposed to be used are not available [19:10] jdstrand: and improve logging to support syslog (for automated installation) [19:10] mathiaz: since we inherit a lot of debconf from debian for this stuff, it might be weird to have uauth Depends on all these packages [19:10] mathiaz: I have no problem with syslog [19:11] jdstrand: oh - I wasn't suggesting that auth-client-config depends on packages [19:11] mathiaz: simple .so checks for pam probably would not be a bad idea [19:11] mathiaz: no, I didn't think you were-- I was thinking about the new 'uauth' package [19:11] jdstrand: just that libraries that it's about to setup are available - if not, give pointers to where they can be found [19:11] jdstrand: well the uauth package wouldn't depend on this [19:12] mathiaz: uauth could be-- uauth-common, uauth-ldap, uauth-kerberos, uauth-likewise [19:12] jdstrand: the profiles would specify what packages are needed when installing - and debconf answers could be preseeded [19:12] just OTOH [19:13] lsal: have you checked in LP for bugs ? IIRC there was some bug about TLS/SSL for openldap on hardy [19:15] no i didnt.. let me check [19:15] mathiaz: yeah-- there are some variations on this theme, but something like this [19:16] jdstrand: right - uauth-common would be the command and the glue to setup the profiles provided by uauth-ldap [19:16] * jdstrand nods [19:17] mathiaz: I'm still thinking that the dependencies should be done in these packages though (as opposed to a-c-c) [19:17] jdstrand: great - thanks for your input - I'll update my spec with your uauth package suggestion [19:17] jdstrand: these packages == uauth-{ldap,krb5,...} ? [19:17] mathiaz: yes [19:17] jdstrand: agreed. 
[19:18] uauth-ldap needs libpam-ldap and libnss-ldap, etc [19:18] jdstrand: auth-client-config is just one component used to manage the pam/nss configuration [19:18] * mathiaz nods [19:18] mathiaz: agreed [19:18] soren: where does your dc "l" (log?) function come from? [19:18] jdstrand: and providing plugins/scripts to modify configuration files should not be against the debian policy [19:19] jdstrand: wrt to configuration files [19:19] mathiaz: the idea of checking for the .so pam lib is interesting-- I'll need to think about how to do this in a distribution agnostic way [19:19] mathiaz: not at all-- if you provide a tool to update configuration files, that is ok [19:19] mathiaz: what gets sticky is updating configuration files from maintainer scripts [19:20] whether via a tool or not [19:20] mathiaz: eg, I thought a-c-c could be used to manage common-auth, common-password, etc [19:21] mathiaz: but in order to do that, either pam needs to depend on a-c-c, or a-c-c needs to own those [19:21] mathiaz: you can see that a-c-c could end up owning a lot of files if you go the second route and more and more programs use it, so the former was decided [19:22] (even though ultimately it was decided pam wouldn't use a-c-c) [19:22] soren, your formula suggests that it would take 10^178 years to find rsa-200 (663 bits). But that was found back in 2005.... http://en.wikipedia.org/wiki/RSA_Factoring_Challenge [19:23] mathiaz: but that is neither here nor there [19:23] mathiaz: even if you do no configuration directly in the maintainer scripts, being able to do 'uauth ...' is a *big* improvement [19:23] 1024-bit keys don't have an adequate margin for many purposes now... [19:27] soren, nealmcb: I think the problem in the formula is that the 2^1024 is simply how many numbers there are. however, breaking rsa is about finding the two prime numbers p and q that equal 'n'.
there are far fewer than 2^1024 prime numbers in a 1024 bit key [19:28] specifically, we don't need to check 2, 4, 6, 8, 9, ... so the 'brute-force' can be much more intelligent [19:32] jdstrand: right, among many other things. the attacks are really sophisticated these days [19:32] nealmcb: absolutely [19:32] nealmcb: I was in no way trying to brainstorm a way to crack rsa :) [19:32] what default key size are we generating now? [19:33] nealmcb: default? you mean via openssl or ssl-cert? [19:33] probably should be at least 2048 [19:33] yeah, and ssh [19:34] nealmcb: ssh is 2048, ssl-cert (for snakeoil) is 1024, and IIRC openssl with specifying '-b' is still 512 [19:40] nealmcb: the man page for openssl (req) says 512 bits if default_bits is not specified, but debian/ubuntu specifies 1024 bits in /etc/ssl/openssl.cnf, so openssl without specifying '-b' is 1024 [19:41] (which makes much more sense as 512 is pretty much worthless now) [19:41] * nealmcb shivers at 512 and looks around [19:42] yeah - I just found that default_bits - ouch. shouldn't we change the 1024 to 2048 in openssl.cnf? [19:42] probably should... [19:42] I'm sure there has been discussion in Debian on that [19:43] hopefully in openssl themselves also [19:43] * jdstrand makes a note to look into this further [19:43] :) [19:44] though really, I always specify the bits so I know what I am getting [19:44] but that doesn't help ssl-cert any [19:44] * nealmcb nominates jdstrand to be sysadmin everywhere [19:44] heh [19:45] :) [19:49] kees: off-hand, can you think of any objections to setting default_bits in openssl.cnf to 2048? it is currently 1024, which affects things like ssl-cert. If you can't think of anything, I've made a note to look into it more. [19:49] (and this would be a 'get Debian involved' kind of thing) [19:54] ...and upstream!... [19:54] (or is that our package/file from the start?) [19:54] nealmcb: I'm not sure, but point taken [19:54] i.e. what package is that openssl.cnf in?
[19:55] $ dpkg -S /etc/ssl/openssl.cnf [19:55] openssl: /etc/ssl/openssl.cnf [19:55] thanks [19:59] jdstrand: I don't see any reason it'd be a problem. [19:59] jdstrand: sort of follows our general goal of increasing bit sizes of encryption in pam, e.g. [19:59] * jdstrand nods [20:01] we need to close 237391 -- rsa needs to stay. [20:07] coffeedude: yo dude! [20:07] kees: uh-- I'm going to slap that down right now if you haven't already [20:07] you missed a great time in prague. Put Mountain View on your calendar.... [20:08] * Kelerion just sits there and cries [20:08] I've spent the last 4 hours trying to figure out why alom won't update its firmware from my tftp server [20:08] Kelerion: alom? [20:09] sun bios [20:09] and then i figure it out... it doesn't use tftp... it uses regular ftp... [20:11] Kelerion: d'oh! [20:11] i want to kick something... lol [20:15] kees: yeah, agreed on rsa... i read that bug title pre-coffee :-S sorry. [20:16] hehe [20:20] soren: any objections to bumping up the memory limit for php5 to 32? [20:20] jdstrand: Good point. [20:21] nealmcb: "bc -l" gives you l() which is a logarithm function. I always forget the base, so I just stick a /l(the base I want) at the end. [20:24] soren: ah - cool. I just went with python.... [20:24] hey nealmcb [20:25] coffeedude: so how is likewise rolling along? [20:25] zul: Er... Yes, probably :) [20:25] zul: Why? [20:26] soren: \sh asked on #-devel this morning and I said I would ask around [20:26] I know we've been through this before :) [20:28] Why does he want to raise it? [20:28] no idea [20:29] Then I'm even more opposed to it :) [20:29] * nealmcb appreciates soren's perennial focus on the underlying problem [20:29] :) === slimjim8094___ is now known as slimjim8094 [20:34] nealmcb: Things are going well. Pretty busy these days. Kind of falling behind on email though :-) [20:40] re php5> how many times does that horse have to be beaten anyway? [20:40] a few more times, I guess. keeps kicking.
[20:40] *slap* [20:41] *kapow* [20:42] we'll see if that does it [20:42] jdstrand: repeatedly until it's dead [20:55] hello, I would like to install a radio server, for streaming , any ideas ? [20:56] ghaleb: apt-cache search icecast [20:57] ghaleb: there are a few options there [20:58] kirkland, thank you, this is what I want, a starting point [20:58] ghaleb: you're welcome. i've barely played with icecast-server, so i won't be of much more help. [20:58] kirkland: about your comment @ https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/129789/comments/8 [20:58] Launchpad bug 129789 in openssh "sshd seems to be run multiple times at startup" [Undecided,Incomplete] [20:58] :) [20:59] kirkland: the issue is that by default, both ipv4 and ipv6 are enabled -- so by default our sshd_config makes it noisy at start [21:00] Koon: right [21:00] I still don't get why it would restart though [21:01] * Koon digs further [21:31] hhmmm... does a DHCP lease renewal trigger if-up.d scripts ? [21:45] answer:no [21:47] answer = yes; do{ answer = yes; }while(true); [21:47] lmao [21:56] server team meeting in #ubuntu-meeting in 4 minutes... [21:56] no 3 minutes :) [21:56] https://wiki.ubuntu.com/ServerTeam/Meeting [22:00] * nealmcb finds that his finely-tuned clock (see adjtimex and ntpdate) has let the workstation drift by only 0.08 seconds over the last month, and smiles [22:00] Can Virtualbox do live migration? [22:01] lukehasnoname: nope [22:03] so why, if I may ask, do I always hear about VB on IRC and ubuntuforums, and not Xen? [22:03] Not trying to sound snobbish [22:04] lukehasnoname: no idea, because I'm new around here. But the kind of people that find VB really [22:04] attractive are often repelled by Xen because it is usually more trouble to set up [22:05] And Xen hasn't got a really long lifetime ahead of it anyway. To paraphrase the old saying: Xen is the question, [22:05] hm...
well I've talked to some sysadmins and they use VMware ESX for all of its GUI administration tasks and its live migration (I work as intern at "HugeCorp") [22:05] the answer is 'no'. And I've done quite a bit of Xen that's stable and scalable and all that good stuff. [22:06] Do you mean it's going to die; it's not maintained? [22:06] That I can't say, after all there are still a lot of people working on it. But it is a very large piece of code that has to [22:07] be in the kernel but never will be in the official kernel, so it has to have an out-of-tree maintenance effort. And it is very much larger [22:07] than it needs to be as other projects have demonstrated. [22:07] because I've read up on its capabilities, and it's pretty advanced. well, you said it "hasn't got a long lifetime ahead of it" [22:08] So, in my personal opinion, if you are making a strategic bet for the next 3-5 years on a kernel technology that everyone [22:08] agrees will never be in the kernel, and where we have a fast-moving kernel so this technology has to be maintained out of tree, and [22:08] I just installed three new SATA drives on a new pci sata expansion card. "ls /dev/sd*" lists sda, sdb, sdc as I expected. When I try to fdisk sda one I get "Unable to read /dev/sda" but the other two work. [22:08] where kernel decisions are being made regularly without any regard to how hard it might make life for this out-of-tree code, then [22:09] there are some pretty serious questions to look at. [22:09] There is also the issue of completeness. The level of polish in Xen scripts and so on isn't all that high (not hard to get [22:10] Python errors that are truly obscure) and after all this time if a thorough job can't be done of this level of packaging, what's going to [22:10] suddenly make it better? Finally, the company behind it seems to have mostly settled on a business model that relies on the [22:11] open source version being less manageable than the closed-source enterprise versions.
So where are the incentives to fix the OSS version? :-) [22:13] danshearer: You might want to join us in #ubuntu-meeting as we're having an Ubuntu Server Team meeting now. [22:13] So, that's the reasoning behind my claim there, and I don't think it is very original reasoning either. [22:13] Ah! [22:13] ScottK: timezones, timezones.. coming and thanks [22:26] Is installing ruby on rails covered in the server chat? I've tried following tutorials, and guides, and even documentation, but I can't get it to work. I've installed the debian package for rails and I have ruby installed with gems and all, but when I go to access "ruby test.rb" from a web browser, I just get plain text. If it's anything that anyone may need to know, I'm running apache2, with php and I even tried installing [22:26] mod_fgid, but it did nothing. [22:28] Furom: After enabling the module, did you reload the web-server? [22:35] owh, yeah, I've reloaded, and restarted, still "puts 'Hello'" shows in text format. [22:36] owh, would I happen to be using the wrong file extension or something? [22:36] Furom: Does the module show as enabled in the logs or in the server identity string? [22:36] owh, how do I check that? I've not gotten into how to read my logs yet, I'm just trying to setup my environment. [22:36] New bug: #237460 in open-iscsi (main) "Root on iscsi is not supported" [Undecided,New] https://launchpad.net/bugs/237460 [22:37] Furom: Check /var/log/apache2/* [22:41] Nah, I don't see anything about rails or mod_fgid [22:42] owh, thanks, time to go google about how to enable it all. At least now I know that they're not enabled. [22:43] Furom: a2enmod is the command. [22:43] owh, thanks =D [23:01] Kees verified the new version of Limesurvey: unfortunately not all issues that he reported have been solved (or correctly solved) in the latest version...
[23:02] As we are clearly running out of time, here are a few possibilities: [23:02] 1/ run it on proprietary software Canonical has paid for (would not be running on ubuntu.com, has a limited feature set compared to limesurvey) [23:02] 2/ run it on survey monkey (would not be on ubuntu.com, not fully evaluated) [23:02] 3/ run limesurvey on an isolated server I would rent for the occasion (with a few calculated risks that kees could help me identify) [23:02] 4/ See with elmo if it is possible to run limesurvey on an isolated server [23:02] (or other proposals I may not have thought about). [23:02] Note that 1 and 2 would cause us to post the logic and retest everything. [23:02] (note - we're continuing the conversation from #ubuntu-meeting....) [23:03] there's a lot of code in limesurvey, much of it intertwined with SQL, so getting it all sorted will take a while, I think. [23:03] the places where it can be abused are relatively small, though [23:03] but they're not zero [23:04] which is why I'm still not able to recommend it. (sorry, I know that's a bit troublesome) [23:04] kees: sorry that I am not up to date on limesurvey-- but does it use something like adodb? [23:05] jdstrand: yes, mostly [23:05] it does, but not in a reliably safe way [23:05] too much of things like: [23:05] tkquery = "SELECT COUNT(*) FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote($token)."' AND (completed = 'N' or [23:05] Crap [23:05] and db_quote adds quotes [23:05] so you get WHERE token=''$token'' oops [23:05] hmmm... [23:05] kees: And that's in production? Yuk [23:06] I'd like to see proper WHERE token=? .... execute($query, @args) etc [23:06] and then there is at least 1 scary looking eval that comes from the database: [23:06] kees: What language is it written in? [23:06] if (eval('if (trim($cfieldname)'. $row['method'].' trim($cvalue)) return true; else return false;')) [23:06] PHP [23:06] owh: PHP [23:07] Crap, I can't even hide.
Have you got a list of issues kees? [23:07] eek [23:07] anyway, the eval risks seem to require either an evil admin, SQL injections, or both. but it's hard to audit due to the heavy use of globals, SQL strings, etc [23:07] * danshearer is away: moving computers [23:08] kees: but if admin is limited to trusted individuals, is the risk fading? [23:08] owh: my recommendations remain the same as the original email I sent. if I itemized the lines that needed fixing, it might take days [23:08] nijaba: yeah, but again, if SQL injections are possible, a random user could potentially make themselves an admin, etc. [23:08] it's all unlikely, but imaginable [23:09] kees: oh, you mean you found SQL injections in the user part? [23:09] kees: I didn't see the original email, but I'm an experienced PHP developer. If I spend two days cleaning it up will that get us there, or is it going to be a waste of time? [23:09] and since the code isn't consistent with its SQL usage and the global vars, and alternating sanitization, it's very hard to be sure without really really careful examination of every line, which makes it also fragile for future updates [23:09] owh: limesurvey is 12Mo [23:09] nijaba: Surely that is not all PHP code. [23:10] $ find . -type f -name '*.php' | xargs wc -l [23:10] ... [23:10] owh: there is a LOT of code, trust me, or have a look at it [23:10] 136754 total [23:10] (though that includes the many embedded modules) [23:10] * owh stops contemplating working on it for two days. [23:11] whuh...? [23:11] To me that indicates that nijaba's option 3 and 4 are out. [23:11] owh: I think it's possible to fix it, yes. It just requires redesigning how SQL is used and being more careful with output [23:11] it embeds adodb and others? [23:11] they're already on their way to fix it, it's just not really done yet [23:11] jdstrand: yes [23:11] kees: Yes, but fixing it won't likely be in time for our survey to be useful.
[23:11] jdstrand: but I have "fixed" that in my package [23:12] owh: that might be true yeah. options 3 and 4 seem reasonable since it would isolate the risks, and the risks are in the "unlikely" category. [23:12] kees: sounds like a bit of a nightmare [23:12] kees: Other than that the database can be compromised, cleared, altered and the results becoming meaningless, yes :) [23:12] ajmitch: I've seen much worse. limesurvey is certainly working to be safe. they're just not all the way there yet. [23:13] owh: right, vandalism may be possible. but again, I think it's an unlikely situation (but not impossible) [23:13] kees: Can we mitigate, by doing database replication/backups? [23:13] owh: probably possible. just more admin work. [23:14] I think that the risks don't outweigh the benefits. [23:14] * kees leaves that up to nijaba and elmo [23:14] I'm just giving my opinion on the code safety. :) [23:14] elmo: really your call: do we go to option 1 or 2? [23:15] (1) and (2) are proprietary and/or survey monkey? [23:15] elmo: yes [23:15] If we're going to redo it, I'd go for option 1 - it's in-house. [23:15] elmo: my worst fear would be for the data to be stolen [23:16] err, I'm confused are you asking 'should we do option (1, 2) or something else' or 'should we do option (1) or option (2)? [23:16] 'cos if you're not running survey software on my servers, it's not really my (professional ;-) business :) [23:16] elmo: I am asking you if we should rule out option 1 and 4 [23:16] sorry 3 and 4 [23:16] right, well [23:17] argh, I don't really know [23:17] if a) you guys genuinely think upstream are making progress and it will one day be a sane codebase [23:18] and b) you're super keen to get whatever offers limesurvey offers you and benefit from whatever work you've put into it [23:18] then, we can run it, I guess [23:18] I don't think it'll be fixed within the year unless someone is dedicated to doing the redesign.
[23:18] kees: can we rule out the possibility for the data to be stolen? only vandalize at worst? [23:18] (but all things being equal, I'd rather not ) [23:18] well, there is an assumption in 1 and 2 that it is actually better than limesurvey-- I don't know any of it, but am not sure that assumption is true [23:18] nijaba: I can't say we can rule it out, no. [23:18] jdstrand: good point [23:19] jdstrand: I did consider that also, which is why I lean toward option 1. [23:19] nijaba: if one can inject, one can likely extract. and if they actually gain shell access, game over for data [23:19] owh: sure, security by obfuscation? [23:19] nijaba: No, security by hitting the supplier. [23:19] :) [23:19] nijaba: I guess with adodb it doesn't care if it's mysql or postgresql? [23:20] jdstrand: normally not, but not tested with pgsql === danshearer1 is now known as danshearer [23:20] kees: well, if we run it on an isolated server with mysql, then we have apparmor [23:20] (on hardy) [23:20] I think that would pretty well mitigate non-db access [23:20] jdstrand: it could -- just more admin work. [23:21] kees: not really, the profile is there already [23:21] * nealmcb agrees with jdstrand - who knows how secure the proprietary option is (what is it?) or surveymonkey [23:21] Also, from memory you can log all MySQL queries to syslog. [23:21] nijaba: more work because of the isolated server [23:21] nijaba: well, isolating the web server really. [23:21] jdstrand: my plan was to run it in a KVM... [23:22] I mean, for option 3 [23:24] If we can mitigate access and we can log all queries, are we not able to roll? [23:25] elmo: given that the survey should only run for a couple of months this round, I'd be ok to go for option 3 and take the admin on my shoulders if you want. Would you be ok to moint some serversurvey.ubuntu.com record to it?
[23:25] point, too
[23:26] nijaba: the loco server debacle showed us that if it has the ubuntu name outsourcing doesn't help us PR wise
[23:26] * kees has to go afk, back in a bit.
[23:26] if we're going to do this, I'd rather it be (4) than (3)
[23:27] elmo: right. and your feeling on 4 at this point (and we'll close the subject after that).
[23:27] nijaba: hasn't really changed from what I said before. if (a) and (b) are true, we can do it
[23:28] elmo: I believe they are. owh, do you agree on (b)?
[23:28] nijaba: Depends on what I'm agreeing to putting in.
[23:29] b) you're super keen to get whatever offers limesurvey offers you and benefit from whatever work you've put into it
[23:29] owh: pasting from elmo ^^
[23:29] nijaba: I understood that, what I mean is, what expectations does ubuntu-server - ie, you - have that I do with/to limesurvey?
[23:30] limesurvey itself: not much
[23:30] the test we have done on the survey we prepared: a lot
[23:30] and you were a big part of that
[23:30] together with faulkes-
[23:30] WFM
[23:31] nijaba: If you turn on the General Query Log: http://dev.mysql.com/doc/refman/5.1/en/query-log.html on the database - log to a remote syslog server, then we can rebuild if the shit hits the fan.
[23:31] elmo: I think we have a plan, then
[23:32] Excellent, next topic :)
[23:32] so the plan is: 18:02 < nijaba> 4/ See with elmo if it possible to run limesurvey on an isolated server
[23:33] ?
[23:33] mathiaz: yep
[23:33] nijaba: ok - great !
[23:33] I think we're running late
[23:33] elmo and I will work out the details in the next few days, I guess
[23:33] and most of the people are not around anymore - so last topic:
[23:33] mathiaz: Only 33 minutes thus far :)
[23:33] #
[23:33] Agree on next meeting date and time.
[23:34] 15:00 UTC next week?
[23:34] (tuesday?)
[23:34] Yeah, saw the post to the list, what day did you say again?
[23:34] tuesday
[23:34] works for me
[23:34] I'll have to have a nanna-nap before the meeting :)
[23:34] works for me
[23:35] excellent - so next meeting: next tuesday, 15:00 UTC in #ubuntu-meeting
[23:35] owh: we'll sponsor an ubuntu pillow then ;)
[23:35] nijaba: Excellent, email it to me :)
[23:35] owh: so what happened about your ex-client with the ssh vulnerability?
[23:35] owh: sure thing
[23:35] nijaba: If you know which exact version of limesurvey you're going to run, and you can send me kees' comments, I can have a look at the code.
[23:36] InsomniaCity: I sent a security notice and heard nothing. I sent several to other clients and fixed theirs.
[23:36] owh: I thought it'd be a non-issue :)
[23:36] owh: thanks for the offer
[23:36] InsomniaCity: At least I can look in the mirror and sleep well.
[23:37] yup
[23:37] nijaba: Sure.
[23:37] InsomniaCity: I'm glad I asked though. It helped formulate a plan - so thanks for your input at the time.
[23:37] * nijaba needs to go get some sleep. Thanks everyone!
[23:37] owh: np :)
[23:37] Thanks mathiaz for chairing another wonderful meeting.
[23:37] and thanks to mathiaz for hosting the meeting once more
[23:38] #endmeeting :)
