/srv/irclogs.ubuntu.com/2008/06/10/#ubuntu-server.txt

maw_	is likewise-open the best option for AD authentication/services?	01:50
jjesse	maw_: that's what ive heard but never used it	01:56
jjesse	so i cant tell you	01:56
maw_	ya I briefly tried it and it mostly owrked out of the box	01:59
nxvl	kirkland: ping	02:14
kirkland	nxvl: hey, how are you?	02:14
kirkland	nxvl: got your email, thanks for helping	02:14
nxvl	kirkland: fine, did you reveived my e-mail?	02:14
nxvl	that's what i was wondering	02:14
nxvl	:D	02:14
nxvl	so	02:15
kirkland	nxvl: so i added a section to https://wiki.ubuntu.com/EncryptedPrivateDirectory , "Getting Involved"	02:15
nxvl	any update, branch or page?	02:15
nxvl	ice	02:15
* nxvl checks		02:15
nxvl	nice*	02:15
kirkland	nxvl: i'm doing all of my work upstream, with the maintainer's git repo	02:15
kirkland	he's responsive (and a friend of mine), i submit patches to the list, he applies to the upstream repo	02:16
kirkland	when he rolls a new version, the debian maintainer creates a new debian package	02:16
nxvl	sound good	02:17
kirkland	nxvl: i'll ping the debian maintainer if it lags a week or so	02:17
nxvl	just code not packaging	02:17
nxvl	:D	02:17
kirkland	nxvl: well, actually, the next thing to do is MIR for ecryptfs-utils	02:17
kirkland	nxvl: have you done MIR's before?	02:17
jjesse	is a MIR a main inclusion request?	02:17
kirkland	jjesse: yes	02:18
jjesse	trying to learn the lingo	02:18
jjesse	heard that a lot in here	02:18
nxvl	we will need to work on some firefox, ssh and gpg packaging for the .$package directories	02:18
nxvl	kirkland: i have participate in some	02:18
kirkland	nxvl: cool, so i think we need to MIR ecryptfs-utils, and two of its dependencies, trousers and pkcs11-helper	02:19
kirkland	nxvl: links on the https://wiki.ubuntu.com/EncryptedPrivateDirectory page	02:19
kirkland	nxvl: i have placeholder MIR pages for all 3, not filled out yet	02:19
kirkland	nxvl: can you help with that?	02:19
nxvl	ok	02:20
nxvl	i have 2 hours in a really boring class	02:20
nxvl	so i have 2 hours to work on it	02:20
nxvl	:D	02:20
* nxvl starts		02:20
kirkland	nxvl: ;-)	02:21
nxvl	kirkland: you have just copy & paste the template, didn't you?	02:23
kirkland	nxvl: yup	02:23
nxvl	btw, did you got any answer from the hotel about you camera?	02:23
ajmitch	more lost/stolen stuff from UDS?	02:24
kirkland	nxvl: they don't have it :-(	02:24
kirkland	ajmitch: yeah, missing camera, left on the piano on the 3rd floor	02:24
ajmitch	it could be worse, like montreal	02:25
* ajmitch lost laptop bag during breakfast, left table for only a minute or so		02:25
jjesse	ajmitch: sorry to hear about that, that sucks	02:25
ajmitch	jjesse: yeah, it was more than 2 years ago now, rather annoying at the time	02:26
jjesse	ah missed scroll	02:26
jjesse	thought it was breakfast today	02:26
ajmitch	nope, my laptop is on the desk beside me here :)	02:26
ajmitch	I was just recalling UDS back in montreal	02:27
jjesse	wow you have had terrible luck with uds	02:28
kirkland	ajmitch: did you have your drive encrypted?	02:28
ajmitch	no, so I got gpg keys revoked & replaced	02:28
ajmitch	at least I had people around who could sign a new key	02:29
ajmitch	this is a good reason for the spec mentioned above :)	02:29
kirkland	ajmitch: you would have benefited from an encrypted ~/Private directory, with your gpg keys there ;-)	02:29
Resistol	Hi all - I've never worked with a server before, and I have to set one up at my job that will serve about 10 PCs for now - Think a linux server would be as easy to setup/work with as windows server 2003?	02:31
kirkland	Resistol: serve what?	02:31
kirkland	nxvl: okay, i've subscribed to all 3 of those MIRs... you wanna do the same, so that we stay in sync?	02:32
jjesse	Resistol: depends on what you want it to do	02:32
Resistol	For right now, it would really just have shared folders and permissions to take care of, with an office housing about 10 windows pcs	02:32
jjesse	with samba you could do it	02:32
jjesse	though sharing would be natively done w/ windows 2003 server	02:32
Resistol	so it would be a file server, maybe a printer server	02:32
jjesse	depends on if you have an extra license of server 2003 or not	02:33
nxvl	kirkland: yep i will in a minute	02:33
kirkland	Resistol: yup, samba	02:33
nxvl	ppc is still supported?	02:33
Resistol	The thing with windows is the licenses are thousands of dollars, which is crap	02:33
kirkland	nxvl: by the community	02:33
nxvl	kirkland: i mean officialy (that's what we care about)	02:33
jjesse	Resistol: that's why i asked if you had the extra license or not	02:33
kirkland	Resistol: you're looking in the right place, then. Linux is free ;-)	02:34
jjesse	if you odn't then yes you can meet the needs of sharing files and folders out via samba	02:34
kirkland	nxvl: yeah, not for our purposes	02:34
nxvl	kirkland: so only i386 and amd64	02:34
Resistol	thanks guys - here's i guess the more important question then - which linux distro makes setting up a simple server easiest?	02:34
nxvl	didn't it?	02:34
kirkland	nxvl: right	02:34
kirkland	Resistol: well, we're a bit biased here ;-)	02:35
kirkland	Resistol: perhaps this wiki page will help you: https://help.ubuntu.com/community/SettingUpSamba	02:35
Resistol	hah i figured kirkland, i've seen a lot of forums mentioning fedora - but i mean I only have about 4 months experience with linux, and i just used Ubuntu Hardy as a desktop - no server stuff	02:36
kirkland	Resistol: if you're using Ubuntu on the desktop, and it's going well for you, you should be able to handle the server fine too ;-)	02:37
jjesse	if you feel more comfortable with needing a GUI then you could use a hardy desktop install and then could configure samba that way if you wanted to	02:38
Resistol	Thanks kirkland - is the file sharing and permissions stuff all working now in hardy? When I tried the "right click -> share this folder" method using a Hardy Beta version a few months ago, none of it was working right	02:39
nxvl	brb	02:39
Resistol	Oh, and is there a GUI for setting up an FTP server?	02:39
Resistol	I used Serve-U on my windows 98 box about 9 years ago, but haven't touched anything like it since then.	02:41
jjesse	Resistol: with the installation of ubutnu server there is no desktop, no gui	02:41
jjesse	Resistol: so if that is important, you can install ubuntu-server then sudo apt-get install ubuntu-desktop to get all the graphical stuff	02:42
Resistol	thanks jjesse - could i do it the other way around? Start with desktop and add in server after?	02:43
kirkland	Resistol: sure, you can just install the server packages you need	02:43
nxvl	kirkland: i have no ecryptfs-setup-confidential binary	02:47
Resistol	Is it easy to setup virtual machines and "play network admin" ? I think it would help me to practice by having maybe 5 virtual PCs that I could try to create a network for	02:47
nxvl	kirkland: or i need to reboot my computer or something	02:47
Resistol	And can Linux do roaming users?	02:47
Jessica	Hi Folks. I'm trying to get vnc up and running. I've found this: http://www.ubuntu-unleashed.com/2007/10/setup-vnc-server-for-ubuntu-gutsy.html, and it seems to work well except it needs me to start a session -after- i log in. I'd like to be able to connect using VNC, and then login. Can anyone help?	02:47
ajmitch	Jessica: I believe it may be possible to configure gdm to allow remote access with Xvnc	02:53
Jessica	ok, so "sudo gdmsetup"?	02:53
* ajmitch isn't sure how supported that option is, it's been a few years		02:54
ajmitch	yeah, you can look in there	02:54
Kamping_Kaiser	not really a server question is it?	02:54
ajmitch	Kamping_Kaiser: depends, it's setting a system up as a terminal server of sorts	02:55
Jessica	kamp, i'm running it on server. sorry if I'm in the wrong place.	02:55
Kamping_Kaiser	ajmitch, by the time is 'go configure gdm' i dont think heres the place anymore ;) (thats just imo of course ...)	02:56
Jessica	but regardless, think of it this way. I'm one more user you can sway away from Darth Gates... "feel the force, Jessica"....	02:56
nxvl	kirkland: nevermind i was testing on my hardy machine, just found it	02:56
Jessica	so, does one of you nice jedi knights want to help me get it working?	02:57
* ajmitch has given the extent of his outdated knowledge on that topic :)		02:57
Jessica	smiles	02:57
ViTa	hi	03:09
ViTa	enyone talk un spanish?	03:09
kirkland	nxvl: yeah, this is intrepid only	03:12
Kamping_Kaiser	ViTa, #ubuntu-es ?	03:13
kirkland	nxvl: but there's a newer version	03:13
nxvl	kirkland: i have my intrepid image up and running	03:14
kirkland	nxvl: i'm waiting on the debian maintainer to package the -46 version	03:14
nxvl	kirkland: so i'm testin there	03:14
nxvl	testing*	03:14
kirkland	nxvl: cool, there's some better features/fixes in the 46 version	03:15
kirkland	nxvl: check out the git repository	03:15
nxvl	ok	03:15
nxvl	will check	03:15
kirkland	nxvl: you could really just pull those scripts out of the git repo	03:18
kirkland	nxvl: or just wait for the package sync's to happen	03:19
kirkland	nxvl: i emailed the debian packager today	03:19
nxvl	it's a problem to be the only packager in my country	03:29
nxvl	i will be the only one running the Global Bug Jam while teaching the people how to package	03:29
kees	well that's why I got work done today, my virus scanner broke and 4xx'd all my afternoon email. sigh	04:19
nealmcb	kees: it's a feature....	04:20
kees	nealmcb: heh, totally	04:20
ajmitch	I've heard that one before...	04:20
kees	total PEBCAK too.	04:20
emgent	hello	04:45
=== lamont` is now known as lamont
aslan	hey all.... anyone know of an app/script that will diff files on two remote servers?	06:01
owh	aslan: Are both the files on the same server, or are you trying to diff between two servers?	06:06
aslan	owh: between two servers.	06:16
aslan	I had a perl script at one time that did it.	06:16
aslan	but I can't find it again...	06:16
pteague	at work it looks like i'm going to have to use vmware server to set up *buntu as my desktop at work... winders is required as the base OS :( anyways, i was wondering if jeos kernel might cause any problems with being used for the desktop?	06:45
owh	pteague: Interesting question. Never tried it.	06:47
milestone	hi all	06:47
milestone	how can i determin the character encoding of a textfile	06:48
milestone	like iso or utf	06:48
pteague	was just wondering because somebody mentioned to me that server kernel probably wouldn't be a good idea for a desktop due to the differences in the way they handle instructions or something	06:48
owh	pteague: Hmm, well, first of all the JEOS kernel != server kernel. Second, a kernel is generally compiled based on the hardware on which it is expected to run, so you might not expect a web-cam or a graphic tablet on a server, but you would on a workstation. As for handling instructions, I'm not sure what you or "somebody" was trying to say.	06:52
=== _ruben__ is now known as _ruben
=== klaf is now known as afk_away
=== afk_away is now known as klaf
=== klaf is now known as folke
kraut	moin	08:41
CrummyGummy	Hi all, I have a process running /USR/BIN/CRON. Now that file doesn't exist anywhere. Is that normal?	09:40
CrummyGummy	I think I've got a reinstall coming my way.	09:41
InsomniaCity	CrummyGummy: to me that would be a sign my box has potentially been compromised..	09:55
CrummyGummy	InsomniaCity: Thanks, I'm treating it like that at the moment. Somehow my one eth has been renamed as well. Its all very suspicious.	10:00
_ruben	messages with /USR/BIN/CRON in the logs are cronjobs	10:13
CrummyGummy	Messages in ps aux?	10:18
_ruben	most likely the same .. not have that many long-running cronjobs .. so cant double check atm	10:19
CrummyGummy	I'm watching for more but this job has been running since May 6.	10:52
CrummyGummy	_ruben: Your right, its a stuck cron job. Wierd though.	11:00
RockHound	hi everyone ... a little off topic, but how do you manage your ssl certificates sanely?	11:06
=== folke_ is now known as folke
folke	Is there any news about vmware-tools and hardy?	12:22
folke	Or must we still use any-any patch?	12:24
folke	Or perhaps is it more safe to use gutsy	12:32
ivoks	hi all	12:35
sommer	morning ivoks	12:39
ivoks	sommer: it's almost 2PM :p	12:39
sommer	heh, feels like the day is just beginning	12:41
MDFC	ola alguem poderia me ajudar na insalação do ubutu	13:17
ivoks	right...	13:20
MDFC	left	13:20
RockHound	folke: vmware-tools can be used with openvmtools ... vmware server modules is a different story.	13:20
RockHound	ivoks: any news about the openldap update/patch?	13:21
MDFC	do you speak portuguese	13:21
MDFC	good vmware it?s crazy...very crazy	13:21
MDFC	shet...	13:22
MDFC	see...	13:22
MDFC	atention..	13:22
ivoks	RockHound: zul is taking care of it...	13:22
RockHound	thx	13:22
ivoks	RockHound: i'm not sure what's the decission :/	13:23
MDFC	somebody would know here to say as I install ubutu somebody says Portuguese here	13:24
ivoks	MDFC: english only; try ubuntu-br	13:24
MDFC	yes	13:25
MDFC	face thanks a lot plus you saying only in English I do not obtain to understand everything I go to look a room in Portuguese	13:27
ivoks	MDFC: ubuntu-br should be a good start	13:28
MDFC	which its country	13:29
ivoks	brasil	13:29
MDFC	fala em português	13:30
MDFC	ou melhor escreve em português	13:30
MDFC	ok obliged until more seeing	13:31
_ruben	hmm .. iscsi is sweeet .. now to figure out how to properly get them targets automounted :)	13:46
ScottK-palm	What time is ther server team meeting today?	14:00
ivoks	15 UTC	14:00
ivoks	in 2 hours	14:01
* ScottK-palm got called away for $WORK.		14:01
=== jjesse_ is now known as jjesse
* ScottK-palm will read the logs and hopes specs will get discussed even though je's not there.		14:02
ScottK-palm	je's/he's	14:02
lukehasnoname	be there	14:03
lukehasnoname	it's that simple	14:03
* ScottK-palm may be able to get online at the customer site, but definitely don't wait.		14:04
ogra	$WORK is overrated ... just fills your fridge and you have to see how to get rid of all that stuff again :P	14:04
ScottK-palm	Good luck. See you later.	14:05
_ruben	ah .. changing the order of bootscripts did the trick	14:06
leonel	ogra: the other way is to wait for the fridge stored things evolve an get out by them selves ..	14:11
ogra	uuuh	14:12
ogra	the problem with that is that you cant really use the fridge during that growing period	14:12
leonel	right	14:12
lukehasnoname	It's quiet	14:45
lukehasnoname	too quiet	14:45
lukehasnoname	Watch out, Fox, it's a trap!	14:45
pteague_work	i don't like using windows as a base, but at work i'm currently stuck with it... the box is a core 2 duo... any ideas as to whether i should set up my linux virtual machine under vmware as having 1 cpu or 2?	14:46
lukehasnoname	Does vmware have trouble running multicore VMs?	14:47
_ruben	2 hardly ever gives performance improvement over 1, it actually decreases performance most of the time	14:47
pteague_work	i don't know on vmware with multicore	14:48
_ruben	start with 1 vcpu, and if performance is a problem, you could try with with 2 vcpus, but dont expect wonders or even anything from it	14:49
pteague_work	k, sounds like you know what you're talking about, which was what i was looking for :)	14:49
lukehasnoname	ouch :(	14:50
_ruben	pteague_work: its rather logical ... 1 vcpu : your vm only requires 1 real cpu to be avail .. 2 vcpu : your vm requires 2 real cpus to be available ... available as in free cpu cycles	14:52
_ruben	quite a difference is scheduling overhead	14:52
pteague_work	well here's the issue... at work i'm forced to use windows because somebody else may have to use my machine (i'm not sure how they'll be able to figure out to get vmware out of full screen mode, but that's another issue)... so i'll be using vmware to install ubuntu & then using that as my desktop	14:53
pteague_work	not sure if i'll set up any other virtual machines or not	14:54
Zubbb	hello, someone is using hardy php5 (version 5.2.4-2ubuntu5.1)? it seems like it has a bug interpreting HEREDOC string syntax... can someone try and see if this ( http://pastebin.org/42803 ) runs well on it?	14:55
psufan	is there a command to regenerate the stock ftp or http urls for sources.list	14:56
_ruben	pteague_work: 1 or more vms isnt really the issue (but does mittigate it a bit), the vm will also have to compete with your host os for cpu cycles	14:56
psufan	I want to fire off the command at the last minute during the install in my kickstart	14:57
psufan	else the stupid kickstart or ubuntu installer makes sources.list point to the local pxe boot server which won't be around	14:57
_ruben	psufan: why not just stash the default sources.list on ur http/ftp/nfs/whatever server and copy it over ?	14:57
psufan	i'm afraid of having to document those steps :P	14:58
psufan	but I guess if I got no choice	14:58
_ruben	psufan: im guessing the file's created by the installer, and those commands might not be available in a running system	14:58
CrummyGummy	:q	14:58
CrummyGummy	eish	14:58
_ruben	:q!	14:58
psufan	well I don't know that but it would be easier to give them a working install	14:58
CrummyGummy	wrong window	14:58
lukehasnoname	Would it be beneficial to me to use JeOS on a xen environment? It's touted as omptimized for KVM and VMware.	15:00
_ruben	lukehasnoname: i'd say it does .. it uses a kernel with virtualization in mind, and a very small (disk and memory) footprint	15:01
lukehasnoname	cool, I figured its slim size would help in any case. Now, it still has all server functions available, just a minimized footprint due to less drivers, streamlined kernel?	15:02
_ruben	lukehasnoname: yeah .. and low HZ and stuff	15:04
pteague_work	ah, JeOS... that brings up a question i asked last night... would the kernel be ok to run a desktop? i.e. should i set up my vmware desktop using jeos & 1 of the desktop live CDs?	15:05
_ruben	pteague_work: that'd be a bit of a corner case .. im guessing it'd work, but wouldnt know for sure	15:06
pteague_work	k, i'll stick with the desktop then	15:07
lukehasnoname	Also, xen vs. kvm: Your opinion.	15:07
lukehasnoname	or abstain, but back up your statements if you can	15:08
_ruben	the choice between any virtualization product depends on both personal preference, technical requirements and budget	15:08
lukehasnoname	_ruben: google is my friend. Looking at http://kvm.qumranet.com/kvmwiki/FAQ, kvm supports live migration, which is good. It also seems to be less blky (so it claims).	15:14
lukehasnoname	its advantage is that it's supported (as in advocated) by the core linux community. However, I have a book on xen, soooo... >_>	15:14
lukehasnoname	blky/bulky.	15:15
owh	How quaint, lukehasnoname has a book.	15:16
owh	<grin>	15:16
lukehasnoname	erm, ebook o_o Seriously, I learn better from books that are professionally written and on paper. eBooks are alright, but real books are just better for me. FreeBSD 6 Unleashed, Ubuntu Server Administration, C# 2.0...	15:18
lukehasnoname	Not that I don't have some really helpful ebooks... about 300 of them	15:18
_ruben	lukehasnoname: im more of a vmware person myself, but like already stated: its a matter of personal taste among other things	15:18
* owh put all books into storage before starting a trip around Australia, now all books are on a mobile phone :)		15:19
_ruben	still hoping on getting a decent arrangement with vmware for their esx hosting product .. otherwise we might have to resort to using m$ hyper-v or some shit	15:19
owh	_ruben: I have been a VMware "person" for a while also, but since support seems to be decoupled from the kernel version, I'm beginning to regret it.	15:20
_ruben	owh: not sure what you mean?	15:20
owh	_ruben: Well, from a maintenance perspective it needs to be apt-get installable, but the lag between release is getting ridiculous.	15:21
lukehasnoname	but omgz0rz vmware isn't FOSS!!!111!!one! I would like to keep in line with the "libre" philosophy, whenever practical. Owh: Ya, That's why my paper:ebook ratio is about 1:10. I move a few times a year.	15:21
lukehasnoname	Have either of you TRIED xen or kvm before? Had any experience to reflect on?	15:21
_ruben	tried both, but never on decent hardware .. didnt like them very much	15:21
_ruben	vmware is very strong in its management toolset	15:22
owh	I realise that there are those who install from source, but the skill of developers leaves me with little confidence that their make install doesn't overwrite stuff without notification.	15:22
owh	_ruben: Yes, I'll grant you that.	15:22
* owh suspects that since Ubuntu has gone the kvm route, some stuff will begin to happen there too.		15:22
_ruben	true	15:23
* owh has not yet had a spare moment to actually start looking at kvm in anything other than a cursory fashion.		15:23
cemoi	hi	15:23
_ruben	but xen and kvm are still a bit "tricky" when it comes to virtualize windows systems	15:23
cemoi	don't speking in french here?	15:23
owh	cemoi: CaVa?	15:23
CrummyGummy	Hi again. Any ideas why udev would keep renaming my nics?	15:23
_ruben	only english here	15:23
cemoi	mm	15:24
_ruben	CrummyGummy: under which circumstances does the renaming happen ?	15:24
cemoi	no french suport for the ubuntu server	15:24
cemoi	?	15:24
lukehasnoname	xen has a better name though. The letter "x" represents "coolness". Point taken, owh, and my point as well. kvm is now an official part of the kernel, so it should be supported and documented well.	15:25
owh	cemoi: Well, if you have a question and you're French, then we can help you.	15:25
cemoi	ok thank's a lot	15:25
owh	cemoi: Even if you we're Canadian :)	15:25
owh	cemoi: Or Dutch even.	15:25
cemoi	uu o_O	15:26
cemoi	pas français alors?	15:26
=== folke_ is now known as folke
owh	Nope, je parle une petit Francais, but my keyboard doesn't support it :)	15:26
cemoi	mm ok	15:27
owh	s/petit/petit peu/	15:27
Deeps	!fr	15:27
ubottu	Ce canal est en anglais uniquement. Si vous avez besoin d'aide ou voulez discuter en francais, merci de rejoindre #ubuntu-fr ou #kubuntu-fr	15:27
* _ruben hasnt spoken french since high school, even that hasnt been that long		15:27
owh	C'est bien Deeps :)	15:28
owh	My French is from the same schooling system as yours _ruben :)	15:28
_ruben	owh :)	15:28
owh	And German too :)	15:28
_ruben	german class i dropped the moment i had a chance	15:29
Deeps	je ne parle francais	15:29
_ruben	french was next	15:29
cemoi	mm ok ok	15:29
CrummyGummy	I've update /etc/udev/rules.d/70-persistent-net.rules but it doesn't seem to be assigning the right names to network cards.	15:29
cemoi	I try to learn more about the introduction of quotas on a server webdav es que ubuntu server expect something?	15:29
owh	_ruben: Ditto.	15:29
_ruben	Deeps: indeed, since even that line is wrong :)	15:29
lukehasnoname	Parla vos anglese?	15:29
_ruben	its: je ne parle pas francais	15:29
_ruben	afaik	15:29
* Deeps shrugs		15:29
Deeps	i can understand better than i speak ;)	15:29
_ruben	hehe	15:29
Deeps	my gf's belgian and her family only speaks a bit of english and spanish, so i've had to learn a lot	15:29
Deeps	(cuz they speak french)	15:29
_ruben	belgian's are "odd" that way :)	15:30
Deeps	very easy to understand though	15:30
Deeps	much easier than the french i've found	15:30
Deeps	the accent, at least	15:30
Deeps	from an spanglish perspective, anyway	15:30
cemoi	we don't no?	15:30
cemoi	you don't no sorry	15:30
_ruben	CrummyGummy: nuking that file will have it recreated at next boot .. and shouldnt change unless there's any hardware changes	15:30
owh	cemoi: To get to the point, what issues are you having?	15:31
CrummyGummy	Wow, huge lag.	15:33
CrummyGummy	reading...	15:33
CrummyGummy	I just restarted udev and it renamed eth0_rename to eth0_rename_ren	15:34
CrummyGummy	That should've been eth0 in the first place. The mac address is right.	15:35
cemoi	owh, It can not inherit quotas on the file system by users as an FTP server. The webdav does not support it we can not therefore not limit users in quantities of data through the quotas.	15:35
owh	Anybody got any suggestions for cemoi about this?	15:35
uvirtbot	New bug: #238872 in php5 (main) "php5 fails to interpret a valid script using heredoc string syntax" [Undecided,Confirmed] https://launchpad.net/bugs/238872	15:36
* owh has not played with quota's		15:36
* _ruben never worked with quotas		15:36
_ruben	heh	15:36
owh	I'm intrigued by that bug report.	15:36
_ruben	CrummyGummy: restarting just udev is a tad tricky .. a full reboot usually does a better job at renaming such things	15:36
CrummyGummy	I though I had it fixed. Rebooted and it was back to wierdness.	15:37
cemoi	the problem is that a user just very well overwhelm the disc then it has no limits	15:37
CrummyGummy	http://www.pastebin.ca/1043884	15:38
CrummyGummy	Gonna reboot and see what happens.	15:38
owh	Hmm, well that php bug seems to also not work for me, that's a first :)	15:38
cemoi	there are people who have servers webdav under ubuntu here?	15:42
uvirtbot	New bug: #238878 in likewise-open (main) "Change likewise-open default Domain separator" [Undecided,New] https://launchpad.net/bugs/238878	15:46
cemoi	mm :,(	15:48
owh	cemoi: Don't despair. Send your question to the ubuntu-server list and see what response you get.	15:49
cemoi	forum exist?	15:49
lukehasnoname	ubuntuforums.org	15:50
cemoi	for servers only	15:51
lukehasnoname	also the mailing list, ubuntu-server@lists.ubuntu.com	15:51
cemoi	this will be equivalent to this but for openoffice	15:51
cemoi	http://workspace.officelive.com/?lc=1036&cloc=fr-FR	15:51
cemoi	ok	15:51
CrummyGummy	_ruben: This is like a lottery. Every time I reboot my if devices are named differently.	15:51
lukehasnoname	a lot of server devs read that list	15:51
_ruben	CrummyGummy: strange	15:51
cemoi	ok ok thank's	15:51
CrummyGummy	It worked last time. The last 2 times its different.	15:52
* owh wonders if there is a log that shows what is renaming things for CrummyGummy		15:57
nealmcb	server team meeting in #ubuntu-meeting now	16:00
CrummyGummy	nealmcb: Are you involved in the commercial side of things?	16:01
ScottK2	Maybe dendrobates will come to the meeting and talk about specs since mathiaz bailed out on us.	16:04
owh	ScottK2: Actually bailed, or just freenode fun?	16:05
ScottK2	All the same to me.	16:05
ScottK2	nijaba claims he's coming.	16:05
owh	Well, one is intentional :)	16:05
CrummyGummy	is #ubuntu-meeting closed?	16:06
lukehasnoname	no	16:06
CrummyGummy	so I can lurk?	16:06
owh	CrummyGummy: You bet	16:06
CrummyGummy	cool	16:06
ogra	you can even speak if you want:)	16:06
CrummyGummy	more cool	16:07
CrummyGummy	aaarg, nuf with the udev renaming already.!!!!	16:07
thefish	anyone here use fwbuilder?	16:23
InsomniaCity	played with it many years ago	16:24
thefish	its really useful most of the time! im getting some pain from it, trying to send a firewall, and its adding ? to the command :/	16:27
InsomniaCity	well, you could always post-process it and strip the ?s	16:30
jero	hi	16:32
jero	does anyone know why apache2 is not honoring "HostnameLookups Off" on 8.04 ?	16:35
jero	thus logging with ip resolved to names	16:36
thefish	InsomniaCity, ye, not ideal though :/	16:36
InsomniaCity	jero: are you doing it in the right vhost/dir/whatever?	16:38
jero	InsomniaCity: it is in the global section	16:38
mathiaz	jdstrand: could you drop by #ubuntu-meeting	16:39
mathiaz	jdstrand: ?	16:39
kees	kirkland: I actually think a more correct fix (for the next upload, I just uploaded your other patch now), would be to do a 2>/dev/null \|\| true on the "." lines	16:48
kees	i.e. . ~/.selected_editor 2>/dev/null \|\| true	16:48
kees	in both places where it's done	16:48
kirkland	kees: interesting.... okay	16:48
kirkland	kees: i was purposefully trying to avoid touching sensible-editor again	16:49
kirkland	kees: but that looks clean too	16:49
kees	that way it'll catch stupid race conditions where -r is true, the file is deleted, and then it sources it.	16:49
kees	yeah, do it for the next upload, or keep it on the TODO list -- getting it into the "best" possible shape is fine even if it takes a few uploads. :)	16:50
kirkland	kees: i have the source in front of me	16:50
kirkland	kees: i'll just debdiff again	16:50
jero	anyone has apache2 running and noticed it does not respect the HostnameLookups directive ?	16:51
matrix	hello	16:52
kirkland	kees: patch attached to the bottom of https://bugs.edge.launchpad.net/ubuntu/+source/debianutils/+bug/238879 fixing the issue you just mentioned	17:04
uvirtbot	Launchpad bug 238879 in debianutils "sensible-editor fails when there is only one alternative" [Low,Fix released]	17:04
kirkland	kees: (potential issue) :-)	17:04
mathiaz	Koon: not problem	17:05
mathiaz	Koon: the color means how long since the last merge IIRC	17:05
mathiaz	Koon: or may the priority of the package	17:05
mathiaz	Koon: anyway - it's not so relevant	17:05
matrix	how can i block avi files with FilesMatch on ubuntu ?	17:05
mathiaz	Koon: I'd suggest that you start by the universe list of outstanding merge	17:06
mathiaz	Koon: and pick a package that you're interested in	17:06
Koon	mathiaz: sure	17:06
mathiaz	Koon: I'll go through the list today and send a selection of packages you could start working on	17:07
mathiaz	Koon: some of the merges are easier than others	17:07
kees	kirkland: doing that in ()'s means the "." would happen in a sub-shell	17:07
kirkland	kees: ew, and not bubble up	17:07
Koon	mathiaz: ok, I'll catch your mail when I start tomorrow	17:08
Koon	see you all tomorrow	17:08
kees	cya Koon	17:08
psufan	is there a command to regenerate the stock ftp or http urls for sources.list	17:09
psufan	I want to fire off the command at the last minute during the install in my kickstart	17:10
psufan	else the stupid kickstart or ubuntu installer makes sources.list point to the local pxe boot server which won't be around	17:10
kirkland	kees: testing it out here, looks like I can just remove the parens	17:10
kirkland	kees: order of operations holds as is	17:10
kees	kirkland: okay, cool	17:13
kirkland	kees: updated patch attached to that bug	17:13
kirkland	kees: thanks for the immediate reviews ;-)	17:13
kees	kirkland: no problemo :)	17:13
kees	kirkland: changelog has "hardy" rather than "intrepid". :P	17:15
kirkland	kees: arrggggggg, sorry	17:16
kirkland	kees: vim really needs to be patched :-/	17:16
kees	vim? "dch -i" :P	17:17
kirkland	kees: attached to bug	17:19
kirkland	kees: well, vim is still highlighting "intrepid" as erroneous	17:19
kirkland	nxvl has a bug and a patch for that one	17:19
kees	kirkland: hm, my vim doesn't do that...	17:26
kirkland	kees: are you running intrepid or hardy?	17:26
kees	intrepid	17:27
kirkland	kees: well, i'm still on hardy on my laptop	17:27
kees	ah-ha, okay	17:27
kirkland	i'll be switching to intrepid soon	17:27
mathiaz	kirkland: you can use chroots to do your work	17:28
kirkland	mathiaz: i set up pbuilder, but I ran into some issues	17:29
kirkland	mathiaz: i need to give that another shot	17:29
mathiaz	kirkland: I'm using schroot	17:29
kees	mk-sbuild-lv! :)	17:29
kirkland	mathiaz: wiki page for setup instructions?	17:30
mathiaz	kees: do you have more than one chroot per release ?	17:30
mathiaz	kees: ie have an intrepid and intrepid-sbuild chroot ?	17:30
mathiaz	kirkland: https://help.ubuntu.com/community/SbuildLVMHowto?highlight=(Sbuild)	17:30
kirkland	mathiaz: ah, yes, sbuild	17:31
kees	mathiaz: I have 1 chroot per release per arch, so i386 and amd64 of dapper, feisty, gutsy, hardy, intrepid	17:31
mathiaz	kees: I've started to use chroots to work in it but found that it lacks some tools	17:31
kees	mathiaz: and the same again in kvm. :P	17:31
mathiaz	kees: so I've started to install the default tools in the chroot -source	17:31
kees	mathiaz: ah-ha, yeah	17:31
mathiaz	kees: but then build dependencies can be wrong and not detected	17:32
kees	mathiaz: since my main machine is intrepid, I just do dev work there	17:32
eix	any idea why I can only see 438MB of RAM when having a 1GB module installed?	17:32
kees	mathiaz: I like that approach. even more disk space used! :P	17:32
eix	well..various modules up to 1GB	17:32
mathiaz	kees: such as - I have debhelper installed in my -sources but I'd like to have sbuild use a minimal chroot	17:32
mathiaz	kees: how do you do dev work for -dapper for ex ?	17:32
mathiaz	kees: or to put it another way - have you ever been bitten by the fact that your -source chroot have more packages than the ones installed on the buildds ?	17:34
eix	this is my "free -m": http://rafb.net/p/zGSQxJ23.html	17:34
kees	mathiaz: almost all the work I do for non-devel is patching, so the deps don't change. if I'm in a situation where I need to repeatedly build stuff, I'll just enter a schroot and install the deps first and do work until I'm done.	17:35
kees	mathiaz: my workflow for those things isn't improved much by having a separate chroot with lots of stuff pre-installed	17:35
mathiaz	kees: ok - but your -intrepid chroot is minimal	17:36
kees	mathiaz: right	17:36
kees	eix: a lot of things could contribute to that. I'd start by finding the "Memory:" line in your dmesg or /var/log/kern.log file	17:37
kees	eix: Memory: 8100612k/9109504k available (2466k kernel code, 204488k reserved, 1309k data, 316k init)	17:37
kees	see if "reserved" is huge	17:37
kees	if that's the case, check your BIOS settings	17:37
kees	beyond that, it's pretty hardware-specific	17:37
eix	kees: let me check that	17:37
kees	eix: also, see "sudo lshw" and look for DIMM entries	17:38
danshearer	hello all. Has the topic of 'should we install syslog-ng as default syslogger' ever come up?	17:38
mathiaz	danshearer: I've looked into that some time ago	17:38
mathiaz	danshearer: I'd rather go with rsyslog	17:38
eix	kees: Memory: 441072k/457664k available (2255k kernel code, 16052k reserved, 1032k data, 384k init, 0k highmem)	17:39
mathiaz	danshearer: syslog-ng syntax is not compatible with sysklog	17:39
mathiaz	danshearer: and the license is a bit of a problem (dual licensed)	17:39
mathiaz	danshearer: the licensing is a minor issue though	17:39
danshearer	mathiaz: not quite so, the license is a problem because it is GPLv2=	17:39
eix	kees: in lshw I can see some UNCLAIMED memory blocks...that looks creepy	17:40
danshearer	mathiaz: so it is difficult to integrate components from projects like Samba	17:40
mathiaz	danshearer: OTOH rsyslog is GPL and the syntax is compatible with the current syslog syntax, which means it's easier to upgrade	17:40
mathiaz	danshearer: GPLv2= for rsyslog ?	17:40
danshearer	mathiaz: I didn't realise rsyslog was a contender, at a quick look it does what I'm looking for	17:40
danshearer	mathiaz: there are two main points I think: backends into databases and very simple active-active failover config	17:41
mathiaz	danshearer: I've looked into rsyslog last year when fedora went with it	17:41
mathiaz	danshearer: there are a couple of threads on the fedora mailing list when they compared syslog-ng and rsyslog	17:41
eix	kees: lshw -> http://rafb.net/p/tWj9yb95.html	17:41
danshearer	mathiaz: I think Ubuntu Server should be shipping as many active-active failovers as possible out of the box	17:42
mathiaz	danshearer: both are available in ubuntu universe	17:42
danshearer	mathiaz: I'll go and look!	17:42
eix	ANY IDEA why I have a disabled CPU and RAM?	17:43
danshearer	mathiaz: btw in the context of syslog active-active means all systems log to all sysloggers, but no duplicates are stored	17:43
eix	ok, the CPU slot is empty - that's ok	17:43
danshearer	mathiaz: and all nodes compare new messages with all other nodes so all nodes should have a complete log	17:43
danshearer	mathiaz: haven't done this with n > 2 though but still it is a very useful very simple facility	17:44
danshearer	mathiaz: the trick being not to have an infinite logging loop :-	17:44
kees	eix: I'd guess BIOS settings or motherboard incompatibility.	17:44
eix	kees: yes	17:44
mathiaz	danshearer: well - there is a scalability problem with n > 2	17:44
eix	kees: it's a pretty new server, so I also fear MB incompatibility	17:44
eix	kees: the 2nd 512MB DIMM block is clearly not being seen	17:45
mathiaz	danshearer: I think it makes more sense to store all the logs on all the nodes and than use a tool to do post-processing of logs	17:45
danshearer	mathiaz: sure, in any service. But there are well-known algorithms for addressing this.	17:45
mathiaz	danshearer: when you want to visualize the logs, then you can correlate the events.	17:45
danshearer	mathiaz: and with syslog, n=2 is pretty good and a lot better than most people have today	17:45
mathiaz	danshearer: sure - the algorithms exists, but have problem when scaling to more than 2	17:46
danshearer	mathiaz: and that's the issue "use a tool" is where most people fall down	17:46
mathiaz	danshearer: there is more and more overhead	17:46
kees	eix: check your mobo documentation, you may need to use matched pairs, specific locations, etc, etc.	17:46
danshearer	mathiaz: and given that you can do n=2 for no noticeable cost, why not?	17:46
mathiaz	danshearer: sure	17:46
danshearer	mathiaz: ah, this is in the context of centralised logging though.	17:47
mathiaz	danshearer: I'm not convinced that figuring out an infrastructure so that you log to every node and you make sure that events are stored only once is worth	17:47
danshearer	mathiaz: in my experience most centralised logging gets very messy over time. Even that word 'time' is a big problem!	17:47
psufan	eix	17:47
psufan	is this a i810 or i815 chipset by chance	17:48
psufan	sdram or ddr?	17:48
danshearer	mathiaz: Nevertheless, do you agree that if keeping two logging servers exactly in sync costs nothing, that it is a useful facility?	17:48
mathiaz	danshearer: what do you mean by in sync ? there won't be any duplicates logged ?	17:49
eix	kees: mmh	17:49
mathiaz	danshearer: or that all the messages will be stored on both servers ?	17:49
danshearer	mathiaz: no duplicates, no omissions. syslog is generally udp, but the two servers can talk tcp to each other.	17:49
eix	psufan: my lshw http://rafb.net/p/tWj9yb95.html	17:49
danshearer	mathiaz: in practice in a large and busy network, and given the nature of udp, if you have all devices logging	17:50
danshearer	mathiaz: to both servers, most of the time one of the two (or both) will receive syslog message.	17:50
psufan	nope a64	17:50
eix	psufan: DIMM	17:50
psufan	dimm has been since sdram :P	17:51
psufan	actually there was fpm and edo dimms	17:51
danshearer	mathiaz: the important thing about centralised logging is that you point everything at it, down to printers and physical security systems.	17:51
eix	ok people, thanks - I'll be back tomorrow for this	17:51
psufan	nvidia chipset is NOT a server	17:51
eix	psufan: you say?	17:51
eix	psufan: why?	17:51
mathiaz	danshearer: right - I'd make more sense to make sure the messages are stored at least once, rather then only once	17:51
psufan	cause that wasn't nvidia's target market	17:51
eix	psufan: I really don't know which cheap server this is	17:51
psufan	doesn't support a lot of server stuff like ecc or registered	17:52
eix	psufan: they bought to me, for free	17:52
eix	psufan: but, still, it should work, no?	17:52
psufan	mabye	17:52
eix	psufan: yet this missing RAM is weird	17:52
mathiaz	danshearer: implementing the logic to make sure that messages are stored only once is probably better done in log analysis tools than at the log storage level	17:52
eix	psufan: I will have more informations tomorrow about the BIOS configuration	17:52
eix	I'll probably also look into the mobo manual	17:53
mathiaz	danshearer: /stored/processed/	17:53
psufan	ok	17:53
eix	thanks kees and psufan	17:53
psufan	np	17:53
jo_	hi everybody. could someone of you tell me, whether the packages needed for using a D-Link G-520+ WLAN-Adapter (Chip: TI ACX-111) (probably linux-restricted-modules-386 or parts of it) are installed with the hardy server edition?	17:57
danshearer	mathiaz: then you don't have an active-active failover solution.	17:59
efj	Hi everyone	18:00
efj	I have a question regarding DHCPD configuration	18:00
efj	and multiple subnets :-p	18:00
danshearer	mathiaz: this is part of some thinking I have been doing, trying to answer this question:	18:01
efj	I don't know if anyone knows a bit about this ?	18:01
efj	and could eventually help me ?	18:01
ivoks	efj: will you just ask	18:02
efj	So I got a server running DHCPD	18:02
efj	with 2 subnets declarations	18:02
efj	DHCPD responds on both interfaces	18:02
efj	but provides the right information regarding DNS, routers to only one of them	18:03
efj	let's day that I have 192.168.1.0/24 and 192.168.2.0/24	18:03
efj	with appropriate definition for both of them	18:03
efj	1.0 is the domain home.lan	18:03
=== jjesse_ is now known as jjesse
efj	2.0 is the domain home.wifi	18:03
danshearer	mathiaz: "what services can I very easily roll out in active-active configuration?"	18:03
kees	danshearer: DNS, DHCP	18:04
danshearer	mathiaz: that is, without expensive clusters or other very special-purpose solutions	18:04
danshearer	kees: LDAP	18:04
* kees doesn't know LDAP yet :)		18:04
efj	For 1.0:	18:04
efj	option domain-name "home.lan.";	18:04
mathiaz	danshearer: how-do you define active-active ?	18:04
efj	option broadcast-address 192.168.1.255;	18:04
efj	option routers 192.168.1.1;	18:04
efj	option domain-name-servers 192.168.1.1;	18:04
danshearer	kees: syncrepl	18:04
ivoks	efj: it would be easier if you would paste you config file on pastebin	18:04
efj	option ip-forwarding off;	18:04
efj	for 2.0:	18:04
mathiaz	!pastebin \| efj	18:04
ubottu	efj: pastebin is a service to post multiple-lined texts so you don't flood the channel. The Ubuntu pastebin is at http://paste.ubuntu.com (make sure you give us the URL for your paste - see also the channel topic)	18:04
efj	option domain-name "home.wifi.";	18:04
efj	option broadcast-address 192.168.2.255;	18:04
ivoks	... and not here	18:04
efj	option routers 192.168.2.1;	18:04
efj	option domain-name-servers 192.168.2.1;	18:04
efj	option ip-forwarding off;	18:04
danshearer	mathiaz: the simple way that the boss can understand: when one server goes down the other keeps going, and	18:05
efj	Sorry about that	18:05
danshearer	mathiaz: when the first server comes back there is still no difference in either server, and	18:05
danshearer	mathiaz: it never matters which server you connect to.	18:05
efj	So the thing is that on 1.0, I get the right domain name, gateway and DNS	18:05
ivoks	efj: pastebin	18:06
efj	for 2.0, it answers with the proper IP address, meaning something like 192.168.2.30	18:06
mathiaz	danshearer: right - you can either go for a failover scenario of a load-balancing scenario	18:06
danshearer	mathiaz: One thing you don't want to have to guarantee is that any given transaction will succeed, that's another topic :-)	18:06
efj	but DNS is 1.0, ditto for gateway	18:06
efj	and I just don't know why this keeps happening	18:06
ivoks	mathiaz: are you guys talking about redhat cluster suite? :)	18:06
efj	it also says that it's from the home.lan domain	18:06
mathiaz	ivoks: nope - it started with syslog	18:06
ivoks	efj: for the last time; paste your config on pastebin	18:06
ivoks	mathiaz: oh...	18:07
danshearer	mathiaz: well when it comes to load-balancing you're talking about constructing a robust network with great care	18:07
mathiaz	ivoks: how to provide an high available logging infrastructure	18:07
danshearer	mathiaz: I like to show people that actually a lot of components can be very robust without much thinking at all	18:07
efj	http://paste.ubuntu.com/19100/	18:07
efj	done	18:07
danshearer	mathiaz: like kees says, DNS and DHCP can do this and we don't think about it much, but the concept can be extended to	18:07
ivoks	mathiaz: with two machines with drbd master-master disk, and VIP over the redhat cluster suite? :D	18:07
danshearer	mathiaz: other services and I think more people would if it was (a) easier and (b) better promoted	18:08
mathiaz	danshearer: by load-balancing I mean that all the nodes are active at the same time - by failover I refer to one node being active, the others in stand-by mode	18:08
danshearer	mathiaz: a great way to address (b) is to ship configs ready-to-go :-)	18:08
ivoks	danshearer wants glory for low cost :D	18:08
danshearer	mathiaz: I don't agree with your definitions really, because to me load-balancing implies some degree of selection	18:09
danshearer	mathiaz: with the services I'm talking about there is explicitly no load management logic. Whoever answers first wins.	18:09
mathiaz	danshearer: well - let's call it an active-active and active-passive scenario	18:10
danshearer	mathiaz: I just tell the senior officials in the company "Look, for not much disruption things are more likely to work than before"	18:10
danshearer	mathiaz: Whereas if you introduce a comprehensive solution you have to disturb other parts of the network, or at least introduce more components	18:11
danshearer	mathiaz: that do things like distribute load or guarantee integrity of an individual transaction.	18:11
ivoks	efj: let's take a look	18:11
efj	thanks	18:12
jo_	is there a package list for the ubuntu server install cd?	18:12
ivoks	efj: which dhcp server is this?	18:12
danshearer	mathiaz: Personally it ridiculous that most of the time people have to choose between individual servers and complicated cluster solutions	18:12
mathiaz	jo_: http://releases.ubuntu.com/releases/8.04/ubuntu-8.04-server-i386.list	18:12
efj	dhcp3	18:12
mathiaz	jo_: has the list of all the files on the ubuntu-server cd	18:13
jo_	ok, thanks	18:13
danshearer	mathiaz: whereas you can get what ivoks just said, almost: most of the glory for little extra cost.	18:13
danshearer	make sense?	18:13
efj	I have 2 network interfaces	18:13
mathiaz	danshearer: sure - the next step is to list the services then	18:13
efj	with appropriate definitions	18:13
ivoks	danshearer: redhat cluster suite isn't complicated	18:13
ivoks	danshearer: it even has graphic tool for configuration	18:14
danshearer	mathiaz: That's right. And I was doing that in my head really, and got to syslog, and asked the question I did :-)	18:14
ivoks	danshearer: clusters by default are hard to understand for newbies	18:14
efj	here is my /etc/network/interfaces file: http://paste.ubuntu.com/19103/	18:14
ivoks	efj: so, remind me, what doesn't work?	18:15
danshearer	ivoks: that's my point: a lot of the time there is an inbetween, pragmatic answer	18:15
danshearer	ivoks: and what's more, you can do this service-by-service on existing machines	18:15
efj	DHCP clients from network wifi get a proper IP address	18:16
efj	but get 192.168.1.1 as DNS and gateway	18:16
danshearer	my point is thinking practical, backwards-compatible, simple, while also greatly improving networks	18:16
ivoks	doh, too many buzzwords for a non english listener	18:16
efj	instead of 192.168.2.1	18:16
efj	also, they get domain-name="home.lan"	18:16
efj	instead of "home.wifi"	18:16
danshearer	ivoks: what I mean is, there are simple things you can do to existing networks that give you more robustness	18:17
kees	efj: is it possible you have other devices on the wifi serving DHCP?	18:17
danshearer	ivoks: take my earlier question about syslog: many networks have a central syslog server.	18:17
efj	kees: none	18:17
danshearer	ivoks: We can tell them "run this on two servers, and suddenly you have much more reliable solution"	18:18
ivoks	efj: this looks ok to me...	18:18
efj	if I list the interface's information on the client, it is clearly 192.168.2.1 that gives the lease	18:18
ivoks	danshearer: i understand what you want, but this is not very easy to achive with a simple 'click'	18:18
ivoks	efj: is eth2 a wifi interface	18:19
* kees thinks about his attempts to make mailman clustered. what a hoot.		18:19
ivoks	danshearer: there are too many variables...	18:19
danshearer	ivoks: I wasn't worrying about the "click" part for now :-)	18:19
efj	it is an ethernet interface	18:19
efj	connected to an AP	18:19
danshearer	ivoks: I'm not so sure I agree with you, which is why I'm writing down the possibilities :-)	18:19
ivoks	danshearer: for syslog on two machines, the way to do it is easy	18:20
ivoks	danshearer: set up an DRBD (network raid of partitions), create GFS (or even some non-cluster FS)	18:20
danshearer	ivoks: I am speaking of a central syslog service receiving up to 1000 messages per second	18:20
ivoks	danshearer: and setup a vitural IP that will move from one to the other when first one fails	18:20
danshearer	ivoks: DRDB is definitely not the answer, it spreads corruption instantly :-)	18:21
danshearer	ivoks: nope, GFS is absolutely not the answer for someone who wants a simple solution that fits his current needs	18:21
danshearer	ivoks: I'm getting parts of what I'm writing from working networks, thanks for the input, I'll come back with more questions!	18:22
ivoks	sorry, phone	18:22
ivoks	GFS is very simple solutions	18:22
ivoks	OCFS is not, tough :D	18:23
danshearer	ivoks: GFS is simple if that's what you're looking for. At the moment, for most networks, it isn't an option.	18:23
* danshearer interrupt, back later		18:23
ivoks	efj: anyway, this looks ok	18:23
efj	ivoks: thanks for looking at my config	18:23
efj	I somehow don't understand why I get this result	18:24
ivoks	syslog shows no errors when starting dhcpd?	18:24
nealmcb	hmm - I "helped" some folks in Boulder out and did an upgrade of clamav on a dapper machine for the first time in a while. It asked about the config file, and I thought it would be safe to keep the old config file, but it seems that I broke it. They've got it fixed now, but I wonder how often that happens, and what options we have for helping and warning folks about incompatible upgrades.	18:25
ivoks	nealmcb: we offer diff, which you should've check :)	18:26
sommer	heh	18:26
sommer	nealmcb: did you grab the clamav from backport?	18:27
nealmcb	I looked at the diff, but don't recall it saying "!!warning - incompatible upgrade!!"	18:27
sommer	clamav is a beast, especially if you haven't upgraded for a while	18:27
efj	ivoks: no it doesn't	18:29
nealmcb	If it weren't for the fact that they were dealing with a mail problem alread and were tight on time I would have taken more time to look at it then. as it was I just put it on the "look at soon" pile...	18:29
ivoks	nealmcb: well, it saved your old config	18:30
ivoks	so you can still do a diff	18:30
sommer	nealmcb: ya, the big issue with clamav is that they change their library api between versions... it may be getting better since they were bought by sourcefire though	18:30
ivoks	and check what's changed	18:30
sommer	nealmcb: but for packaging questions ScottK knows much more than I do	18:31
nealmcb	ivoks: again, it is fixed now. I'm asking about the human factors of how we can help prevent upgrades from breaking things	18:31
sommer	nealmcb: until clamav has a stable API, I'm not sure... aside from asking to replace the configs	18:34
efj	ivoks: I got it !	18:37
efj	The issue was that the MAC address I gave to the ethernet port of the wifi computer was the wifi one ...	18:37
efj	so there was a match in the first subnet	18:37
efj	not in the second	18:37
ivoks	interesting...	18:38
efj	The thing is that there was an allow unknown-clients clause in the wifi subnet	18:39
efj	meaning that it would respond	18:39
efj	however it seems the match on the hardware address made the thing screw up	18:39
efj	Anyway, thanks for your time	18:40
* ivoks wasn't here during specs talk		18:41
ivoks	but, /me has one spec too :D	18:42
ivoks	https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2	18:43
jjesse	was there another team meeting i missed?	18:45
nealmcb	jjesse: this morning at 15:00 UTC	18:45
jjesse	ah bummer	18:46
nealmcb	we assigned everything to you :)	18:46
jjesse	nealmcb: figured	18:47
jjesse	means more won't get done	18:47
folke	Anyone know the status of vmware-tools and 8.04?	18:58
folke	Is the any-any patch necessary? Or should I stick to 7.10	18:59
mathiaz	kirkland: The MIR items in Outstanding issues should be moved the implementation section	19:06
mathiaz	kirkland: remove the encrypted swap reference as this is out of the scope of the spec	19:07
kirkland	mathiaz: well.... some argue that without encrypted swap, encryption is useless, as passphrases can leak from memory to disk via swap	19:08
kirkland	mathiaz: i'd like to at least mention it, in the interest of full disclosure	19:08
mathiaz	kirkland: right - makes sense then	19:08
kirkland	mathiaz: i disagree with the "useless" argument	19:08
kirkland	mathiaz: but I recognize that encrypted swap is necessary for further (complete?) protection	19:09
kirkland	mathiaz: i'll move the MIR's to Implementation	19:09
mathiaz	kirkland: having a section about testing would start the documentation effort	19:09
kirkland	mathiaz: actually, regarding MIRs, those are still pending, so wouldn't they be considered "Outstanding"?	19:09
kirkland	mathiaz: i was using "Implementation" to track what's been completed	19:10
kirkland	mathiaz: okay, i noted that encrypted swap is beyond the scope, moved down a bit to a separate list	19:11
mathiaz	kirkland: hm... Usually I use implementation to describe what needs to be done	19:11
kirkland	mathiaz: I'll start a testing section now	19:11
mathiaz	kirkland: and then add a big OK when it's implemented	19:11
kirkland	mathiaz: okay, if that's "Implementation", what's "Outstanding"?	19:11
kirkland	mathiaz: i was equating "implementation" with DONE, and "outstanding" with TODO	19:12
nealmcb	seems to me it would "outstanding" from the spec writing standpoint - what is still unclear	19:12
mathiaz	kirkland: see https://wiki.ubuntu.com/AppArmorGutsy	19:13
nealmcb	...unresolved issues....	19:13
ScottK	If anything clamav API instability is getting worse, not better with clamav	19:14
kirkland	mathiaz: hmm, okay. i can follow that guideline, but i think i would prefer separate sections for TODO and DONE, call them what you will	19:15
mathiaz	kirkland: makes sense	19:16
mathiaz	kirkland: the Spec format is not so rigid	19:16
kirkland	mathiaz: i can put two sections under Implementation, if that helps you out	19:16
kirkland	mathiaz: one for DONE and the other for TODO	19:16
kirkland	mathiaz: and I'll copy/cut/paste as I complete such items	19:17
mathiaz	kirkland: what's important is to be able to figure out what needs to be done, and what has been done	19:17
mathiaz	kirkland: wfm	19:17
kirkland	mathiaz: and I'll save Outstanding Issues for things like Encrypted Swap	19:17
kirkland	mathiaz: ie, stuff that's not done, and probably won't be done as part of this effort, but should be tracked for completeness	19:17
ScottK	nealmcb: The Debian/Ubuntu clamav package ships pretty sane defaults. If you change from them, then you do take on having to understand configs on upgrades. It's part of the cost of doing business.	19:17
mathiaz	kirkland: that seems reasonable to me	19:17
ScottK	Stick with the default and the package maintainer handles it for you.	19:18
kirkland	mathiaz: cool, thanks for the review	19:18
nealmcb	ScottK: the issue here was that the new version couldn't parse the old config. would it help to add some comments in the conf file saying in effect "API version x.y - WARNING - IF THIS SHOWS UP IN A DIFF LINE YOU NEED TO FIX THINGS!!"	19:19
mathiaz	kirkland: np :)	19:19
nealmcb	in addition, apt-get upgrade doesn't seem to indicate at the end when things fail during the upgrade	19:20
nealmcb	...like the daemon startup....	19:22
ScottK	nealmcb: That's generally true anytime the diff shows up.	19:25
lukehasnoname	Did soren die?	19:39
Brazen	So what does the server team think of ovirt? I noticed it's not on the Roadmap.	19:51
Brazen	...just asking since it's slow in here.	19:52
Deeps	looks like a vm appliance	19:53
Deeps	being developed and maintained for use in a fedora based vm	19:53
Deeps	looks nice too	19:54
lukehasnoname	I want to check it out at some point... getting that to work with Ubuntu/JeOS and KVM (or xen) would be awesome.	19:55
Deeps	umm, it's an extra vm that you'd run on your vm server (whatever os it is) by the looks of things	19:56
Deeps	whatever linux os, anyway, i guess	19:56
lukehasnoname	ovirt is a vm manager	19:57
lukehasnoname	I thought	19:57
lukehasnoname	>_>	19:57
Brazen	it's a vm manager, but Redhat is distributing a vm with it all set up. I'm pretty sure that is just for testing though, and in production I'm sure it is intended to be installed on bare metal.	19:58
lukehasnoname	http://ovirt.org/documentation.html	19:59
Brazen	Have you (anybody) ever used VMWare ESX Server with Virtual Center? It looks like ovirt is supposed to be the equivalent of Virtual Center.	20:02
Deeps	oh,, i see	20:04
Deeps	Brazen: you could just ask	20:04
Brazen	Deeps: ask what?	20:05
Deeps	20:03:59 [freenode] Brazen [n=chatzill@wsip-70-167-48-6.ks.ks.cox.net] requested CTCP VERSION from Deeps:	20:05
lukehasnoname	Brazen: Ya, I've seen what you're talking about, a nice GUI to manage and watch VMs across physical hosts	20:05
Deeps	oh,chatzilla, nm	20:05
Brazen	It's just really be nice to have easy-to-use gui to manage vms and hosts remotely	20:09
Brazen	I could go on and on, there are a lot of nice features in Virtual Center that would be a boost to open source virtualization.	20:11
Brazen	There is another project called Enomalism, but ovirt has, imo, a much better looking interface, and it's an advantage to ovirt being backed by a known, reliable organization like Redhat.	20:13
lukehasnoname	ok, I was mistaken about oVirt, and now I am not so fond of it. I thought it was a web program, not something I'd have to dedicate a machine to.	20:17
Brazen	lukehasnoname: how would rather have it? I don't see why you couldn't install it on a machine that is ALSO a vm host, but I would prefer to put it on a dedicated machine. I could just be used to how Virtual Center does it, though.	20:19
lukehasnoname	well, hmm. I guess I expected it to have less requirements than what it's asking for. In the "bundled" install, it requires the "admin node" (the one hosting the oVirt vm) to have two network cards, with a dedicated NIC for the oVirt network	20:21
Brazen	uh, I missed that part.	20:23
Brazen	two nics	20:23
Deeps	vlan	20:23
Deeps	virtual nic	20:23
Brazen	yeah, that's my thought	20:23
Brazen	VMWare wants you two have two nics, too, with one dedicated to VMotion	20:25
kirkland	mathiaz: testing section added to https://wiki.ubuntu.com/EncryptedPrivateDirectory	20:26
JaxxMaxx__	well, I guess that guarantees some bandwidth...	20:26
kirkland	mathiaz: after tomorrow's sync with Debian, let me do a couple of sniff-tests, then I think you can point people to that in your blog for testing	20:26
Brazen	I actually have two nics, in all my vm servers, but I bind them and use LAG on the switch for redundancy, then use vlans to split it into virtual nics	20:26
lukehasnoname	AhHhHhHh	20:27
lukehasnoname	goes to PM	20:27
JaxxMaxx__	if I wanted to let www-data (apache2) have read access to the syslog, what permissions would I have to change/add ?	20:30
\sh	JaxxMaxx__: read permissions for others	20:31
mindframe-	i would create a syslog group and add www-data to that group... set read only for that group	20:32
mathiaz	JaxxMaxx__: you can also put the www-data user in the adm group	20:32
mindframe-	640 most likely	20:32
mathiaz	kirkland: great - reading through the testing instructions, why do you need to enter a mount passphrase ? Could it be set to a automatically generated passphrase ?	20:33
mathiaz	kirkland: since the user doesn't need to remember it and it's is strongly suggested to use some long, difficult to guess passphrase	20:34
mathiaz	kirkland: would it make sense to generate the passphrase automatically (or at least provide a default)	20:35
mathiaz	kirkland: so that we're sure that the passphrase is some long, difficult to guess	20:35
kirkland	mathiaz: yes, true, but, remember the remote backup case	20:36
kirkland	mathiaz: where you're just rsyncing your encrypted data to offsite storage	20:36
kirkland	mathiaz: you want to restore that data, and mount it again elsewhere	20:36
kirkland	mathiaz: you need the mount passphrase	20:36
kirkland	mathiaz: let me put it another way....	20:37
kirkland	mathiaz: if you lose the mount passphrase, and you don't remember it, you cannot access your data	20:37
mindframe-	are you guys working a full disk encryption option into the intaller?	20:37
kirkland	mathiaz: i should probably update that line in the wiki to be more clear	20:37
kirkland	mathiaz: it's misleading, perhaps, as is	20:38
kirkland	mindframe-: no, a per-user encrypted directory in ~/Private	20:38
mindframe-	oh	20:38
mindframe-	neat	20:38
kirkland	mindframe-: https://wiki.ubuntu.com/EncryptedPrivateDirectory	20:38
mathiaz	kirkland: hm... isn't that the same use case your private ssh key protected by a passphrase ?	20:38
kirkland	mindframe-: full disk encryption is more or less provided by LVM+LUKS in the installer	20:39
mathiaz	kirkland: because you'd have to remember two things - and the hardest one to remember, you'd never use it	20:39
mindframe-	yeah i wasnt sure if the server installer had it as well	20:39
kirkland	mathiaz: well, there's a big difference in my mind... with ssh, you need to create a new key and give it out to everyone, if you forget your passphrase	20:39
kirkland	mathiaz: in this situation, you may have valuable data/pictures/keys tied up in an encrypted directory never to be accessed again	20:40
kirkland	mathiaz: that amounts to data loss	20:40
mathiaz	kirkland: well - I'm not an expert in that area. So what about providing a default long, difficult to guess passphrase	20:40
mathiaz	kirkland: so that people can write it down before creating the directory ?	20:40
mathiaz	kirkland: My point is that asking user to come up with a long hard to guess passphrase doesn't work well.	20:41
mindframe-	i think it should force a minimum complexity/length and have the user create it	20:41
kirkland	mathiaz: hmm, well, the prompt just says, "Enter your mount passphrase"	20:42
kirkland	mathiaz: it's my own commentary in that wiki page that suggests that it should be long/difficult	20:42
mindframe-	people will complain that it's too hard to remember their 20 digit alphanumeric passphrase	20:42
kirkland	mathiaz: i'm fixing that in the wiki now	20:42
InsomniaCity	passpoem	20:42
kees	mathiaz: I've fixed the ECHO problem in flex, so hopefully we shouldn't see those errors any more.	20:42
InsomniaCity	20 stanzas long	20:42
mindframe-	heh	20:42
mathiaz	kees: \o\ /o/ \o/	20:43
kees	heh	20:43
mathiaz	kees: /o\	20:43
mathiaz	kees: (h5)	20:44
mathiaz	kirkland: hm.. what is the passphrase used for ?	20:44
mathiaz	kirkland: to unlock the private key used to encrypt the data ?	20:44
kirkland	mathiaz: refresh your view of that wiki page, i fixed the text there	20:45
kirkland	mathiaz: the mount passphrase is the key to the encrypted mountpoint	20:45
kirkland	mathiaz: that passphrase is encrypted/decrypted by PAM when you login to the system	20:45
kirkland	mathiaz: so if you change your system passphrase, PAM only needs to rewrap your mount passphrase	20:46
kirkland	mathiaz: and not comprehensively re-encrypt every file in the mountpoint	20:46
mathiaz	kirkland: so why not use the login password directly ?	20:46
mathiaz	kirkland: right	20:46
kirkland	mathiaz: same reason as above....	20:46
kirkland	mathiaz: re-encrypting a huge directory on password change would suck	20:47
kirkland	mathiaz: we could default the login and mount passphrases to be the same thing	20:47
mathiaz	kirkland: to me that looks similar to my ssh key, where I use ssh-keygen to generate the private key ( => mount passphrase) and then protect it with a passphrase ( => Login password)	20:47
mathiaz	kirkland: could a similar workflow be implemented ?	20:48
kirkland	mathiaz: perhaps we can do that, if we can inform users to backup their ~/.ecryptfs/wrapped-passphrase to offsite storage (and trust that they do so)	20:51
kirkland	mathiaz: in case a user inadvertently deletes ~/.ecryptfs/wrapped-passphrase, access to their data in Private/ is gone. permanently	20:52
kirkland	mathiaz: if it was a randomly generate mount passphrase and they don't remember it, or have a backup	20:52
mathiaz	kirkland: well - I think you have the same issue with gnupg - you're not asked to generate your private key	20:53
kirkland	mathiaz: if we can trust our users (and paying customers) to follow instructions and make an offsite backup of ~/.ecryptfs/wrapped-passphrase, then perhaps that's okay	20:53
mathiaz	kirkland: if you loose your gpg key, you won't be able to recover your data	20:53
mathiaz	kirkland: so your point for asking the user to enter a passphrase is that they will see at least once the passprhase	20:54
mathiaz	kirkland: and hopefully remember it	20:55
kirkland	mathiaz: and will have at least somewhat consciously chosen it	20:55
mathiaz	kirkland: whereas if the passphrase a automatically generated and if it lost, every thing is lost.	20:55
kirkland	mathiaz: true.	20:55
mathiaz	kirkland: consciously chosen -> weak passphrase	20:56
kirkland	mathiaz: wrt to ssh keys, that simply means you can't sign your ssh connections any more	20:56
kirkland	mathiaz: wrt to ecryptfs, that means you can't access your data	20:56
kirkland	mathiaz: which would be the same with gnupg	20:56
mathiaz	kirkland: exactly - and gnupg doesn't ask you to enter your private key	20:57
kirkland	mathiaz: except the amount of data people encrypt with gnupg pales in comparison to the amount of data they can trivially copy into ~/Private	20:57
kirkland	mathiaz: personally, i use gpg -c (passphrase) for anything I'm backing up	20:57
kirkland	mathiaz: in that I'll always remember my passphrase(s)	20:57
mathiaz	kirkland: right - but that's the isn't an easy way to encrypt stuff with gnupg	20:57
kirkland	mathiaz: really? echo foo \| gpg -c	20:57
mathiaz	kirkland: I'm refering to the target users of the Private directory.	20:58
mathiaz	kirkland: I know you (and I) can do it easily	20:58
kirkland	mathiaz: ;-)	20:58
mathiaz	kirkland: that's why I question the necessaty to enter a mount passphrase wrt to the target audience	20:59
kirkland	mathiaz: i agree that your suggestion would certainly increase the security of the matter	20:59
kirkland	mathiaz: and would definitely make it easier on the target audience when executing normal usage vectors	21:00
mathiaz	kirkland: Ubuntu - linux for human beings	21:00
kirkland	mathiaz: we would definitely need a GIANT FLASHING WARNING that your .ecryptfs/ directory needs to be backed up offsite, or you will not be able to access your data in ~/Private if you ever lose it	21:00
kirkland	kees: jdstrand: can one or both of you weigh in?	21:01
mathiaz	kirkland: right - that would probably part of the documentation	21:01
kees	kirkland: flashing warning? Hrm, docs certainly, but I can't think of a non-annoying way to do it other than docs.	21:04
kirkland	kees: oh, i meant more fundamentally to the handling of this....	21:04
kees	kirkland: which part? (scroll back is long...)	21:05
kirkland	kees: jdstrand: here's the nutshell....	21:05
kirkland	kees: jdstrand: the ecryptfs ~/Private directory must be mounted with a passphrase (or key). i'm using a pam module to use the login password to "unwrap" that mount passphrase	21:06
kees	(that sounds like how luks works)	21:06
kirkland	kees: jdstrand: when setting up the mount, i ask the user for both a login and a mount passphrase	21:06
kirkland	kees: jdstrand: mathiaz has suggested randomly generating the mount passphrase	21:06
kirkland	kees: jdstrand: my concern with that is that if the user loses .ecryptfs/wrapped-passphrase, there is no way to recover their encrypted data	21:07
kirkland	(assuming the encryption is any good)	21:07
kees	I think prompting for a passphrase that will never be used isn't a good idea.	21:08
kirkland	kees: jdstrand: on the normal usage vector, this makes things easier... user only needs to remember login passphrase, we can generate a long/hard mount passphrase	21:08
kees	if they corrupt their filesystem and lose that file, they're going to be toast anyway	21:08
kees	I would agree about the randomized mount passphrase -- this is was LUKS does AIUI, so best to stick with one "way" of handling things.	21:09
kirkland	kees: jdstrand: mathiaz: okey doke, good enough for me	21:09
lukehasnoname	Brazen: Enomalism looks freaking amazing	21:11
* lukehasnoname reads more about it		21:12
Brazen	yeah, it's feature set looks good, but ovirt is backed by Redhat, so I expect it get more recognition, the interface looks nicer, and it will likely get all the same features as Enomalism.	21:14
kees	I'm committing a giant merge of apparmor to current svn. we can't upload it to intrepid yet because the AA kernel module is the wrong version (2.1 vs 2.3)	21:14
kees	mathiaz: ^^	21:14
mathiaz	kees: wfm	21:14
ScottK	kees: Are you aware we have an issue with apparmor and akonadi?	21:14
lukehasnoname	Brazen: Maybe I didn't see the right screens of oVirt, but Enomalism looks fine to me. Opinion, I know. Being backed by Redhat almost makes me more skeptical. I understand your point, but I wonder if it will have an intentionally low amount of .deb documentation.	21:15
mathiaz	ScottK: the bug has an answer to the problem	21:16
* lukehasnoname didn't see the right screens of ovirt.		21:16
ScottK	mathiaz: OK.	21:16
lukehasnoname	oVirt needs higher res screenshots, but it looks clean as well.	21:16
Brazen	lukehasnoname: I think that will depend on whether or not the Debian (Ubuntu) community embraces it.	21:16
lukehasnoname	Perhaps we can integrate oVirt and eBox (or similar) into a mega-super-enterprise level server management tool. couch scottk cough	21:17
lukehasnoname	cough not couch, cough, cough	21:17
Brazen	lukehasnoname: and a lot of high-quality stuff comes out of RedHat. libvirt and virt-manager, which are embraced by Ubuntu, to name a few.	21:18
Brazen	lukehasnoname: I really don't like ebox though :-(	21:18
a13x	please help people, i am not able to set up ubuntu server	21:18
lukehasnoname	I haven't had experience with it, but I do know a lot of people are suggesting using eBox as the basis for Ubuntu's server gui	21:18
lukehasnoname	X based is out of the question, and webmin doesn't have as much popularity here, apparently	21:19
a13x	when i test the cd it tells me that some random file (may be different every time) is corrupted	21:19
lukehasnoname	whats up a13x	21:19
a13x	i tried to redownload	21:19
lukehasnoname	md5 check the ISO, reburn the CD at slower speed?	21:19
lukehasnoname	Or if the server is non-critical, continue with install.	21:20
a13x	i tried regular cd, cd-rw, dvd	21:20
lukehasnoname	>_>	21:20
a13x	tried 3 different cd roms	21:20
Brazen	lukehasnoname: yes, yes they are. I still like Webmin better though. Personally, I think a fork of Webmin, to fix the config file issues, would be better, but I'm no developer.	21:20
a13x	3 different ide cables	21:20
a13x	md5 checksum checks out	21:20
ScottK	lukehasnoname: I've got more than I can handle on my plate already.	21:20
Brazen	a13x: what is the problem you are having?	21:20
lukehasnoname	a13x: download iso from different source	21:20
a13x	i tried using a cd that i KNOW works	21:21
lukehasnoname	Scottk: What are you working on, if I may ask.	21:21
Brazen	a13x: does it not boot the cd?	21:21
a13x	no, it boots	21:21
a13x	when i run a check	21:21
Brazen	a13x: oops, I see, farther up...	21:21
lukehasnoname	OO! Idea! An ubuntu social networking site to replace the personal profiles on wiki.ubuntu.com	21:21
a13x	it tells me that some random file is corrupt	21:21
a13x	and its different every time	21:21
a13x	or almost every time	21:22
InsomniaCity	lukehasnoname: ooh! with rounded corners! and tagging! and screenshots!	21:22
a13x	i ran memtest86, no problem there	21:22
a13x	but its like random file corruption	21:22
Brazen	a13x: I would try burning it at lower speeds. I burn everything at 4x.	21:22
a13x	i verified cds after recording	21:22
ScottK	lukehasnoname: For Ubuntu, https://wiki.ubuntu.com/ServerFlavorSpec, getting clamav and spamassassin into main, motu-release and motu-sru teams, Kubuntu development, plus I maintain a bunch of packages.	21:23
a13x	i recorded my cd-rw at 4x (tried 2x and it wasn't supported by the drive)	21:23
lukehasnoname	InsomniaCity: Don't get sassy.	21:23
lukehasnoname	heh	21:23
a13x	i never had this type of problem before	21:23
Brazen	a13x: I think I remember having this exact same issue, and had to replace my burner.	21:23
lukehasnoname	Scottk: Who's working on the server admin project?	21:24
a13x	ok, heh, tried 2 different burners	21:24
ScottK	lukehasnoname: Dunno. I've got way more than I can do on my plate as a volunteer.	21:24
* ScottK looks around for some funding ...		21:24
a13x	if its the burner then why is different file gets corrupted	21:24
Brazen	? oh. you got me then.	21:24
a13x	its almost random	21:24
lukehasnoname	I thought you worked for Canonical	21:24
Brazen	a13x: Try blowing on it? *Sorry, bad NES joke.	21:25
a13x	i even tried that	21:25
a13x	...	21:25
Brazen	haha, yeah I still try that sometimes, too :D	21:26
a13x	this problem is driving me crazy, what is my next step?	21:26
lukehasnoname	ScottK: Set up an NPO to fund open source development	21:26
lukehasnoname	something witha good name	21:27
lukehasnoname	like "Free Software Foundation"	21:27
Brazen	and grow a beard	21:27
a13x	is there a net install version of ubuntu server?	21:27
lukehasnoname	I bet.	21:27
lukehasnoname	a13x: I bet	21:28
lukehasnoname	Check for minimal installs in the cdimage site.	21:28
a13x	url?	21:28
lukehasnoname	a13x: Searching	21:29
Brazen	a13x: https://help.ubuntu.com/community/Installation	21:29
a13x	thanks a lot	21:30
kirkland	mathiaz: kees: mhalcrow is here from ecryptfs	21:30
kees	yay upstream! :)	21:30
kirkland	mathiaz: kees: mhalcrow believes strongly in a chosen mountpassphrase	21:30
kirkland	kees: ;-)	21:31
mhalcrow	Adding dependencies on extra files as an absolute prerequisite to recovering eCryptfs encrypted data is asking for trouble.	21:31
lukehasnoname	gj brazen	21:31
* delcoyote hi		21:31
Brazen	a13x: lukehasnoname: no problem, don't know the cd wouldn't work, but maybe with stuff in that link you can get around it.	21:31
kees	kirkland: you just wanted my opinion. ;)	21:31
kirkland	kees: ;-) yeah, no offense	21:32
kirkland	kees: i'm just trying to implement this in a way that keeps Ubuntu from going to far off the mark from upstream	21:32
kees	kirkland: if we prompt for a passphrase that only gets used in extreme situations, then that should be explained during the prompting "do not lose this passphrase" etc etc	21:32
mhalcrow	Exactly.	21:32
mhalcrow	Just makes sure the user has this secret value stowed away in a secure recoverable location.	21:33
kees	kirkland: cool -- I'm happy to throw in a tie-breaking vote, but if there's a "right" way to do it, go for it.	21:33
Brazen	a13x: lukehasnoname: for a little shameless self-promotion, I looked up that link here: http://forums.anandtech.com/messageview.aspx?catid=34&threadid=2073143	21:33
kirkland	mathiaz: are you around?	21:33
* lukehasnoname likes enomalism because it's purely web based and seems well documented. Damn, if only he had internet at home!		21:33
mhalcrow	It can be auto-generated, but just make sure the user has it stored in a separate, secure, reliable location from the encrypted data too.	21:33
mhalcrow	A user-selected passphrase is much less likely to leave the user with unrecoverable backups, for instance.	21:34
kirkland	mhalcrow: so that's exactly what the suggestion was, to flash a message to the user telling them that they MUST have a remote backup of .ecrypfs/* to ensure that their ~/Private data is recoverable	21:35
mhalcrow	Yes. But only if the wrapped value is not user-selected. However, can we realistically expect users to remember that message and act on it dutifully?	21:35
jdstrand	kirkland: I think I mentioned this another day-- I like the idea of a strong random password for encryptfs	21:35
jdstrand	ecrypts	21:36
mhalcrow	The chain of secrets is only as strong as its weakest link.	21:36
mhalcrow	The login passphrase would be the weakest link in that regard.	21:36
mhalcrow	Having the user select his own mount passphrase introduces an opportunity for the user to select a passphrase that is weaker than the login passphrase.	21:37
mhalcrow	Is that worth the unrecoverable backups that are likely to result?	21:37
mhalcrow	(if the mount passphrase is auto-generated, that is)	21:38
kirkland	mhalcrow: well, we won't remove the opportunity for users to select their mount passphrase	21:38
kirkland	mhalcrow: this is really more of a question about what the default behavior should be	21:38
kirkland	mhalcrow: understanding that 95% of all Ubuntu users will take the default behavior	21:38
mhalcrow	Maybe there can be a "generate a passphrase for me" button.	21:38
mhalcrow	Next to the textfield.	21:39
kirkland	mhalcrow: well, i was thinking more like: "Enter your mount passphrase: [leave blank to generate a random one]"	21:39
Brazen	lukehasnoname: well, I'll for sure give a look when it goes gold release.	21:39
kirkland	mhalcrow: but i think that's functionally equivalent, right?	21:40
mathiaz	kirkland: yes my friend !	21:40
kirkland	mhalcrow: and a command line option for automating it	21:40
mhalcrow	kirkland: I would make the user either enter a passphrase or click a button to generate, and then show the generated passphrase to the user and tell him to write it down and store it in a secure location.	21:40
Brazen	lukehasnoname: I also have to admin, I'm a little partial to a project using RubyOnRails, also, because Ruby is the only programming language I know, so it's something I could actually contribute to.	21:41
mhalcrow	I would not just generate a secret value and use it under the user's nose.	21:41
kirkland	mathiaz: mhalcrow is here (upstream for ecryptfs) to defend his opinion that a conscious mount passphrase is better than a random one	21:41
* mathiaz reads the backlog		21:41
Brazen	lukehasnoname: oops, I meant "admit" not "admin"	21:41
mhalcrow	Well, what I am saying is that a passphrase that the user has stored safely away is better than an unknown secret value tucked away in a .*/ directory.	21:41
kirkland	mhalcrow: ecryptfs-setup-confidential prints ALL values to screen before running its guts	21:42
kirkland	mhalcrow: including both mount and login passphrases	21:42
mhalcrow	Whatever encourages the user to keep that secret value written down on paper and locked in a desk drawer is what I would suggest.	21:42
kirkland	mhalcrow: okay, i can enhance the echo'ing part of the script accordingly	21:43
kirkland	mhalcrow: you have one patch from me changing s/Confidential/Private/	21:43
kirkland	mhalcrow: i'll work on another one to modify the mount passphrase generation and instructions to the user accordingly	21:43
kirkland	mhalcrow: one more thing, speaking of weakest link in the chain....	21:44
kirkland	mhalcrow: what about making mount passphrase = login passphrase (by default) ?	21:44
mhalcrow	That's fine, but users may change their login passphrases at will.	21:44
mhalcrow	That is an easy way to introduce confusion.	21:44
mhalcrow	Since the wrapped passphrase will remain the original login passphrase from when the machine was first configured.	21:45
kirkland	mhalcrow: hmm, okay	21:46
kirkland	mathiaz: any questions for mhalcrow?	21:46
mhalcrow	Once users start encrypting their data and copying their data around to different media and machines, they must have a notion of "the secret to get to my data" and "the secret to login to my machine."	21:46
mathiaz	not really - I think we aggree on most of the points	21:47
mathiaz	The reason to have a long and difficult to guess password is to make the encrypted data stronger.	21:47
mhalcrow	Really, passphrases are a necessary evil that do not work against a sufficiently equipped attacker.	21:48
lukehasnoname	Brazen: Ya, I've heard RoR is handy. I'm pretty rusty on most languages nowadays, I used to know PHP damn well.	21:48
mhalcrow	That's why eCryptfs has key modules (OpenSSL, TPM, etc.)	21:48
mathiaz	IMO asking the user to generate a passphrase is too much. generating one that can be kept around is a good option.	21:49
kirkland	mhalcrow: mathiaz: what if we offered to email the user their wrapped-passphrase?	21:49
kirkland	mhalcrow: mathiaz: it's already encrypted	21:49
mathiaz	kirkland: there isn't a MTA installed by default on a desktop	21:50
jdstrand	email?	21:50
kirkland	mathiaz: that is, if an MTA is found on the system, and the user has an email address, and wants an emailed copy	21:50
jdstrand	no no	21:50
kirkland	jdstrand: mathiaz: okay, we just have to trust that users are going to backup this wrapped-passphrase file	21:50
jdstrand	kirkland: I have only kept half an eye on this, but what is wrong with displaying the passphrase to the user at setup?	21:50
mathiaz	I think either printing the passphrase or which files should be backuped.	21:51
mhalcrow	That's what I recommend.	21:51
mhalcrow	The user should know what the mount passphrase is.	21:51
kirkland	mathiaz: mhalcrow: jdstrand: okay, we're in agreement then	21:51
jdstrand	kirkland: eg 'Your encrypted files are in foo, your encryption passphrase is bar, please keep track of these offline in case of problems'	21:51
kirkland	generate a random passphrase, show to the user and encourage that they record it, and backup wrapped-passphrase to offsite media	21:51
ScottK	Maybe even offer to write it to a memory stick for them?	21:52
mathiaz	kirkland: wfm - show the generated passphrase and list the file that should be kept safely.	21:52
kirkland	mathiaz: cool	21:52
kirkland	mhalcrow: thanks for joining	21:52
kirkland	mhalcrow: you're welcome to hang around, or join us again sometime ;-)	21:52
mhalcrow	No problem. Just expect users to forget and lost keys, and be prepared to tell them that they're screwed. ;-)	21:53
InsomniaCity	wait... you expect users to READ!?	21:53
kirkland	i'll just open a bug in Launchpad describing the problem and marking all of the bug reports duplicates there of ;-)	21:53
mhalcrow	Losing your crypto key is necessarily a "no-fix" situation.	21:54
kirkland	mhalcrow: right, mathiaz asked how this was different from losing gpg keys or ssh keys	21:54
kirkland	mhalcrow: the main difference i saw was that your data is essentially gone in this situation	21:55
mhalcrow	It's not; it's just easier for users to run into the problem, since the encryption is so transparent and integrated.	21:55
mhalcrow	Plan 'B' is for Canonical to offer key escrow services.	21:57
kirkland	LoL :-)	21:57
mhalcrow	But I don't think I want to open that can of worms. ;-)	21:57
mhalcrow	Just tell users to downgrade to a previous version of OpenSSL and use the OpenSSL key module. That should take care of it.	21:58
mhalcrow	I'm actually not entirely joking wrt key escrow. Some business users would probably go for that.	21:59
mhalcrow	As protection against their own bureaucracy, at a minimum.	21:59
kirkland	mhalcrow: you have a recommended length for random passphrase?	21:59
kirkland	mhalcrow: 1024 bytes of hex digits sound reasonable to you?	21:59
mhalcrow	The same number of bits as the symmetric key length.	22:00
mhalcrow	128 is sufficient.	22:00
kirkland	mhalcrow: 128 characters of hex digits?	22:00
mhalcrow	Too long; there are 4 bits per hex digit	22:00
mhalcrow	32 hex digits	22:00
kirkland	mhalcrow: head -c 128 /dev/urandom \| md5sum \| awk '{print $1}'	22:01
kirkland	mhalcrow: work for you?	22:01
mhalcrow	Sure.	22:01
mhalcrow	Although md5 output isn't as uniformly distributed as previously thought.	22:02
mhalcrow	Just grabbing raw /dev/urandom should be a little more random.	22:02
kirkland	mhalcrow: that's going to be far to messy to print out (and write down)	22:03
mathiaz	kirkland: uuidgen \| sed 's/-//g'	22:03
kirkland	mhalcrow: ^ ?	22:03
mhalcrow	I don't know how uuidgen does its magic; I really only trust the kernel rng these days.	22:04
mathiaz	kirkland: or add the -r switch to make sure it's random	22:04
kirkland	mhalcrow: i was md5summing it to make it printable and readable (rememberable?)	22:04
mhalcrow	Right, but md5 is not collision-resistant.	22:05
mathiaz	-r requires a high quality random number generator, such as /dev/random	22:05
kirkland	mathiaz: okay	22:05
kirkland	mathiaz: that sounds reasonable	22:05
mhalcrow	Okay; then use uuidgen if can produce good random values. But I won't officially endorse it until I've inspected its code.	22:05
a13x	i am back, ubuntu mini cd failed, random download errors, "Loading libntfs-3g23-udeb failed for unknown reason"	22:05
kirkland	mhalcrow: fair enough	22:05
mathiaz	mhalcrow: it's part of the e2fsprogs package	22:06
kirkland	mathiaz: can you point us to other high-security things that uuidgen is used for?	22:06
* ScottK concludes that a13x's hardware is cursed.		22:06
kirkland	mhalcrow: do you have something else you recommend I pipe /dev/urandom through to make it readable?	22:06
mhalcrow	od?	22:06
a13x	memtest86 didn't fail	22:06
mathiaz	kirkland: nope - I've just uuidgen to get some random strings	22:07
kirkland	mathiaz: gotcha	22:07
mathiaz	kirkland: I have no clue whether it's good at it (from a cryptographic point of view)	22:07
kirkland	mathiaz: okay, we'll stick with /dev/urandom then	22:07
Brazen	re: key escrow: What about a system where businesses can maintain their own key escrow, something like certificate signing?	22:08
a13x	i think something is wrong with the distribution, i am going to try debian	22:12
kirkland	mhalcrow: what do you think of: `head -c 15 /dev/urandom \| od \| sed "s/^0000000//" \| sed "s/\s*//g" \| head -n 1`	22:13
Brazen	a13x: try one of the "Installation without a CD" methods on that page.	22:13
JaxxMaxx__	Hmmm. Is there an easy way to figure out why my apache2 is not starting properly upon reboots? I have to use the script in /etc/init.d/apache2 to launch it manually after a reboot -now	22:14
mhalcrow	kirkland: Those are octet vals	22:14
mhalcrow	od -x	22:15
mhalcrow	octal	22:15
mhalcrow	Use the -x flag to get hex	22:15
kirkland	mhalcrow: okay	22:15
lukehasnoname	a13x	22:16
kirkland	mhalcrow: head -c 15 /dev/urandom \| od -x \| sed "s/^0000000//" \| sed "s/\s*//g" \| head -n 1	22:16
lukehasnoname	try FreeBSD	22:16
lukehasnoname	amuse me	22:16
kirkland	mhalcrow: that's 32 hex digits, 128 bits	22:16
a13x	i tried mini cd	22:16
mhalcrow	kirkland: That only takes 120 bytes from /dev/urandom, no?	22:17
mhalcrow	bits	22:17
a13x	Brazen: i tried mini cd and i got download errors, i think this is hopeless	22:17
kirkland	mhalcrow: -c 16, sorry, typo on my part	22:17
kirkland	mhalcrow: head -c 16 /dev/urandom \| od -x \| head -n 1 \|sed "s/^0000000//" \| sed "s/\s*//g"	22:17
mhalcrow	kirkland: That looks good to me.	22:18
kirkland	mhalcrow: cool	22:18
lukehasnoname	a13x: Try Debian or OpenBSD	22:18
a13x	burning debian now	22:18
vikram	Is there like a turn key switch to get SELinux enabled instead of apparmor?	22:19
vikram	or do we have to do it the hard way?	22:19
vikram	can i just boot with selinux=1?	22:19
vikram	(obviously i'll have compiled policies ready to go)	22:20
kirkland	vikram: you have to install the selinux kernel	22:20
vikram	the server kernel doesnt have selinux?	22:20
kirkland	vikram: the server kernel has apparmor	22:20
vikram	seems to have selinux	22:21
vikram	grep selinux /boot/System*	22:21
mathiaz	vikram: assuming your using hardy - https://wiki.ubuntu.com/HardySELinux	22:21
mathiaz	vikram: both selinux and apparmor are available in the hardy kernels	22:22
kirkland	vikram: i stand corrected.... sorry	22:22
lukehasnoname	pvvn3d	22:23
kees	kirkland: all the LSMs are compiled in -- one just has to select the one they want at boot time.	22:26
kees	vikram: sudo apt-get install selinux should get you on your way. :)	22:26
kirkland	kees: learn something new every day ;-)	22:27
kees	hehe	22:27
mhalcrow	kirkland: You may want a utility that dumps the wrapped passphrase to stdout, for maintenance purposes.	22:28
kirkland	mhalcrow: agreed	22:29
vikram	I only want the kernel selinux policies, i've got my own userspace stuff, tools, compilers, policies etc...	22:29
kirkland	mhalcrow: we'll need something like that if we set this up automatically in the installer, say	22:29
vikram	thanks	22:29
kirkland	mathiaz: mhalcrow: jdstrand: kees: how's this for syntax? http://ubuntu.pastebin.com/m47eda7eb	22:36
a13x	debian: failed to copy file form CD-ROM. Retry?	22:36
a13x	i am going to shoot myself	22:36
kees	kirkland: hahah sure, that works. :)	22:37
kees	perhaps explain why they need to store it, etc.	22:37
kirkland	kees: yeah	22:38
kirkland	mathiaz: mhalcrow: jdstrand: kees: http://ubuntu.pastebin.com/m3d9366cc better?	22:43
kees	sure, good for now.	22:44
lukehasnoname	your IDE bus is messed up?	22:44
lukehasnoname	a13x that is	22:44
lukehasnoname	...	22:50
mathiaz	kirkland: wfm - now you just need to i18n it ;)	22:51
kirkland	mathiaz: later	22:51
lukehasnoname	I g2g, see you guys later. a13x, it is a hardware problem of some kind, I can't see it being anything else. Try a non-deb distro if you want to be sure, but that's just weird.	22:56
a13x	hair pulling does not come close to describing this problem	22:59
uvirtbot	New bug: #234367 in apache2 (main) "If many queries come in too quickly, apache2 freezes." [Undecided,New] https://launchpad.net/bugs/234367	23:33
ScottK	^^^ Happens to me too.	23:37
uvirtbot	ScottK: Error: "^^" is not a valid command.	23:37
ScottK	Oops.	23:37

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!