[01:50] <maw_> is likewise-open the best option for AD authentication/services?
[01:56] <jjesse> maw_: that's what ive heard but never used it
[01:56] <jjesse> so i cant tell you
[01:59] <maw_> ya I briefly tried it and it mostly worked out of the box
[02:14] <nxvl> kirkland: ping
[02:14] <kirkland> nxvl: hey, how are you?
[02:14] <kirkland> nxvl: got your email, thanks for helping
[02:14] <nxvl> kirkland: fine, did you receive my e-mail?
[02:14] <nxvl> that's what i was wondering
[02:14] <nxvl> :D
[02:15] <nxvl> so
[02:15] <kirkland> nxvl: so i added a section to https://wiki.ubuntu.com/EncryptedPrivateDirectory , "Getting Involved"
[02:15] <nxvl> any update, branch or page?
[02:15] <nxvl> ice
[02:15]  * nxvl checks
[02:15] <nxvl> nice*
[02:15] <kirkland> nxvl: i'm doing all of my work upstream, with the maintainer's git repo
[02:16] <kirkland> he's responsive (and a friend of mine), i submit patches to the list, he applies to the upstream repo
[02:16] <kirkland> when he rolls a new version, the debian maintainer creates a new debian package
[02:17] <nxvl> sounds good
[02:17] <kirkland> nxvl: i'll ping the debian maintainer if it lags a week or so
[02:17] <nxvl> just code not packaging
[02:17] <nxvl> :D
[02:17] <kirkland> nxvl: well, actually, the next thing to do is MIR for ecryptfs-utils
[02:17] <kirkland> nxvl: have you done MIR's before?
[02:17] <jjesse> is a MIR a main inclusion request?
[02:18] <kirkland> jjesse: yes
[02:18] <jjesse> trying to learn the lingo
[02:18] <jjesse> heard that a lot in here
[02:18] <nxvl> we will need to work on some firefox, ssh and gpg packaging for the .$package directories
[02:18] <nxvl> kirkland: i have participated in some
[02:19] <kirkland> nxvl: cool, so i think we need to MIR ecryptfs-utils, and two of its dependencies, trousers and pkcs11-helper
[02:19] <kirkland> nxvl: links on the https://wiki.ubuntu.com/EncryptedPrivateDirectory page
[02:19] <kirkland> nxvl: i have placeholder MIR pages for all 3, not filled out yet
[02:19] <kirkland> nxvl: can you help with that?
[02:20] <nxvl> ok
[02:20] <nxvl> i have 2 hours in a really boring class
[02:20] <nxvl> so i have 2 hours to work on it
[02:20] <nxvl> :D
[02:20]  * nxvl starts
[02:21] <kirkland> nxvl: ;-)
[02:23] <nxvl> kirkland: you just copied & pasted the template, didn't you?
[02:23] <kirkland> nxvl: yup
[02:23] <nxvl> btw, did you get any answer from the hotel about your camera?
[02:24] <ajmitch> more lost/stolen stuff from UDS?
[02:24] <kirkland> nxvl: they don't have it :-(
[02:24] <kirkland> ajmitch: yeah, missing camera, left on the piano on the 3rd floor
[02:25] <ajmitch> it could be worse, like montreal
[02:25]  * ajmitch lost laptop bag during breakfast, left table for only a minute or so
[02:25] <jjesse> ajmitch: sorry to hear about that, that sucks
[02:26] <ajmitch> jjesse: yeah, it was more than 2 years ago now, rather annoying at the time
[02:26] <jjesse> ah missed scroll
[02:26] <jjesse> thought it was breakfast today
[02:26] <ajmitch> nope, my laptop is on the desk beside me here :)
[02:27] <ajmitch> I was just recalling UDS back in montreal
[02:28] <jjesse> wow you have had terrible luck with uds
[02:28] <kirkland> ajmitch: did you have your drive encrypted?
[02:28] <ajmitch> no, so I got gpg keys revoked & replaced
[02:29] <ajmitch> at least I had people around who could sign a new key
[02:29] <ajmitch> this is a good reason for the spec mentioned above :)
[02:29] <kirkland> ajmitch: you would have benefited from an encrypted ~/Private directory, with your gpg keys there ;-)
[02:31] <Resistol> Hi all - I've never worked with a server before, and I have to set one up at my job that will serve about 10 PCs for now - Think a linux server would be as easy to setup/work with as windows server 2003?
[02:31] <kirkland> Resistol: serve what?
[02:32] <kirkland> nxvl: okay, i've subscribed to all 3 of those MIRs...  you wanna do the same, so that we stay in sync?
[02:32] <jjesse> Resistol: depends on what you want it to do
[02:32] <Resistol> For right now, it would really just have shared folders and permissions to take care of, with an office housing about 10 windows pcs
[02:32] <jjesse> with samba you could do it
[02:32] <jjesse> though sharing would be natively done w/ windows 2003 server
[02:32] <Resistol> so it would be a file server, maybe a printer server
[02:33] <jjesse> depends on if you have an extra license of server 2003 or not
[02:33] <nxvl> kirkland: yep i will in a minute
[02:33] <kirkland> Resistol: yup, samba
[02:33] <nxvl> ppc is still supported?
[02:33] <Resistol> The thing with windows is the licenses are thousands of dollars, which is crap
[02:33] <kirkland> nxvl: by the community
[02:33] <nxvl> kirkland: i mean officially (that's what we care about)
[02:33] <jjesse> Resistol: that's why i asked if you had the extra license or not
[02:34] <kirkland> Resistol: you're looking in the right place, then.  Linux is free ;-)
[02:34] <jjesse> if you don't then yes you can meet the needs of sharing files and folders out via samba
[02:34] <kirkland> nxvl: yeah, not for our purposes
[02:34] <nxvl> kirkland: so only i386 and amd64
[02:34] <Resistol> thanks guys - here's i guess the more important question then - which linux distro makes setting up a simple server easiest?
[02:34] <nxvl> didn't it?
[02:34] <kirkland> nxvl: right
[02:35] <kirkland> Resistol: well, we're a bit biased here ;-)
[02:35] <kirkland> Resistol: perhaps this wiki page will help you: https://help.ubuntu.com/community/SettingUpSamba
[02:36] <Resistol> hah i figured kirkland, i've seen a lot of forums mentioning fedora - but i mean I only have about 4 months experience with linux, and i just used Ubuntu Hardy as a desktop - no server stuff
[02:37] <kirkland> Resistol: if you're using Ubuntu on the desktop, and it's going well for you, you should be able to handle the server fine too ;-)
[02:38] <jjesse> if you feel more comfortable with needing a GUI then you could use a hardy desktop install and then could configure samba that way if you wanted to
[02:39] <Resistol> Thanks kirkland - is the file sharing and permissions stuff all working now in hardy?  When I tried the "right click -> share this folder" method using a Hardy Beta version a few months ago, none of it was working right
[02:39] <nxvl> brb
[02:39] <Resistol> Oh, and is there a GUI for setting up an FTP server?
[02:41] <Resistol> I used Serve-U on my windows 98 box about 9 years ago, but haven't touched anything like it since then.
[02:41] <jjesse> Resistol: with the installation of ubuntu server there is no desktop, no gui
[02:42] <jjesse> Resistol: so if that is important, you can install ubuntu-server then sudo apt-get install ubuntu-desktop to get all the graphical stuff
[02:43] <Resistol> thanks jjesse - could i do it the other way around?  Start with desktop and add in server after?
[02:43] <kirkland> Resistol: sure, you can just install the server packages you need
[02:47] <nxvl> kirkland: i have no ecryptfs-setup-confidential binary
[02:47] <Resistol> Is it easy to setup virtual machines and "play network admin" ?  I think it would help me to practice by having maybe 5 virtual PCs that I could try to create a network for
[02:47] <nxvl> kirkland: or i need to reboot my computer or something
[02:47] <Resistol> And can Linux do roaming users?
[02:47] <Jessica> Hi Folks.  I'm trying to get vnc up and running.  I've found this:  http://www.ubuntu-unleashed.com/2007/10/setup-vnc-server-for-ubuntu-gutsy.html, and it seems to work well except it needs me to start a session -after- i log in.  I'd like to be able to connect using VNC, and then login.  Can anyone help?
[02:53] <ajmitch> Jessica: I believe it may be possible to configure gdm to allow remote access with Xvnc
[02:53] <Jessica> ok, so "sudo gdmsetup"?
[02:54]  * ajmitch isn't sure how supported that option is, it's been a few years 
[02:54] <ajmitch> yeah, you can look in there
[02:54] <Kamping_Kaiser> not really a server question is it?
[02:55] <ajmitch> Kamping_Kaiser: depends, it's setting a system up as a terminal server of sorts
[02:55] <Jessica> kamp, i'm running it on server.  sorry if I'm in the wrong place.
[02:56] <Kamping_Kaiser> ajmitch, by the time it's 'go configure gdm' i don't think here's the place anymore ;) (that's just imo of course ...)
[02:56] <Jessica> but regardless, think of it this way.  I'm one more user you can sway away from Darth Gates...  "feel the force, Jessica"....
[02:56] <nxvl> kirkland: nevermind i was testing on my hardy machine, just found it
[02:57] <Jessica> so, does one of you nice jedi knights want to help me get it working?
[02:57]  * ajmitch has given the extent of his outdated knowledge on that topic :)
[02:57] <Jessica> *smiles*
[03:09] <ViTa> hi
[03:09] <ViTa> anyone talk in Spanish?
[03:12] <kirkland> nxvl: yeah, this is intrepid only
[03:13] <Kamping_Kaiser> ViTa, #ubuntu-es ?
[03:13] <kirkland> nxvl: but there's a newer version
[03:14] <nxvl> kirkland: i have my intrepid image up and running
[03:14] <kirkland> nxvl: i'm waiting on the debian maintainer to package the -46 version
[03:14] <nxvl> kirkland: so i'm testin there
[03:14] <nxvl> testing*
[03:15] <kirkland> nxvl: cool, there's some better features/fixes in the 46 version
[03:15] <kirkland> nxvl: check out the git repository
[03:15] <nxvl> ok
[03:15] <nxvl> will check
[03:18] <kirkland> nxvl: you could really just pull those scripts out of the git repo
[03:19] <kirkland> nxvl: or just wait for the package sync's to happen
[03:19] <kirkland> nxvl: i emailed the debian packager today
[03:29] <nxvl> it's a problem to be the only packager in my country
[03:29] <nxvl> i will be the only one running the Global Bug Jam while teaching the people how to package
[04:19] <kees> well that's why I got work done today, my virus scanner broke and 4xx'd all my afternoon email.  *sigh*
[04:20] <nealmcb> kees: it's a feature....
[04:20] <kees> nealmcb: heh, totally
[04:20] <ajmitch> I've heard that one before...
[04:20] <kees> total PEBCAK too.
[04:45] <emgent> hello
[06:01] <aslan> hey all....   anyone know of an app/script that will diff files on two remote servers?
[06:06] <owh> aslan: Are both the files on the same server, or are you trying to diff between two servers?
[06:16] <aslan> owh: between two servers.
[06:16] <aslan> I had a perl script at one time that did it.
[06:16] <aslan> but I can't find it again...
[06:45] <pteague> at work it looks like i'm going to have to use vmware server to set up *buntu as my desktop at work... winders is required as the base OS :(  anyways, i was wondering if jeos kernel might cause any problems with being used for the desktop?
[06:47] <owh> pteague: Interesting question. Never tried it.
[06:47] <milestone> hi all
[06:48] <milestone> how can i determine the character encoding of a textfile
[06:48] <milestone> like iso or utf
[06:48] <pteague> was just wondering because somebody mentioned to me that server kernel probably wouldn't be a good idea for a desktop due to the differences in the way they handle instructions or something
[06:52] <owh> pteague: Hmm, well, first of all the JEOS kernel != server kernel. Second, a kernel is generally compiled based on the hardware on which it is expected to run, so you might not expect a web-cam or a graphic tablet on a server, but you would on a workstation. As for handling instructions, I'm not sure what you or "somebody" was trying to say.
[08:41] <kraut> moin
[09:40] <CrummyGummy> Hi all, I have a process running /USR/BIN/CRON. Now that file doesn't exist anywhere. Is that normal?
[09:41] <CrummyGummy> I think I've got a reinstall coming my way.
[09:55] <InsomniaCity> CrummyGummy: to me that would be a sign my box has potentially been compromised..
[10:00] <CrummyGummy> InsomniaCity: Thanks, I'm treating it like that at the moment. Somehow my one eth has been renamed as well. It's all very suspicious.
[10:13] <_ruben> messages with /USR/BIN/CRON in the logs are cronjobs
[10:18] <CrummyGummy> Messages in ps aux?
[10:19] <_ruben> most likely the same .. not have that many long-running cronjobs .. so cant double check atm
[10:52] <CrummyGummy> I'm  watching for more but this job has been running since May 6.
[11:00] <CrummyGummy> _ruben: You're right, it's a stuck cron job. Weird though.
[11:06] <RockHound> hi everyone ... a little off topic, but how do you manage your ssl certificates sanely?
[12:22] <folke> Is there any news about vmware-tools and hardy?
[12:24] <folke> Or must we still use any-any patch?
[12:32] <folke> Or perhaps is it more safe to use gutsy
[12:35] <ivoks> hi all
[12:39] <sommer> morning ivoks
[12:39] <ivoks> sommer: it's almost 2PM :p
[12:41] <sommer> heh, feels like the day is just beginning
[13:17] <MDFC> hello, could someone help me with the installation of Ubuntu
[13:20] <ivoks> right...
[13:20] <MDFC> left
[13:20] <RockHound> folke: vmware-tools can be used with openvmtools ... vmware server modules is a different story.
[13:21] <RockHound> ivoks: any news about the openldap update/patch?
[13:21] <MDFC> do you speak portuguese
[13:21] <MDFC> good vmware it's crazy...very crazy
[13:22] <MDFC> shet...
[13:22] <MDFC> see...
[13:22] <MDFC> attention..
[13:22] <ivoks> RockHound: zul is taking care of it...
[13:22] <RockHound> thx
[13:23] <ivoks> RockHound: i'm not sure what's the decision :/
[13:24] <MDFC> somebody would know here to say as I install ubutu somebody says Portuguese here
[13:24] <ivoks> MDFC: english only; try ubuntu-br
[13:25] <MDFC> yes
[13:27] <MDFC> face thanks a lot plus you saying only in English I do not obtain to understand everything I go to look a room in Portuguese
[13:28] <ivoks> MDFC: ubuntu-br should be a good start
[13:29] <MDFC> which its country
[13:29] <ivoks> brasil
[13:30] <MDFC> speak in Portuguese
[13:30] <MDFC> or rather, write in Portuguese
[13:31] <MDFC> ok obliged until more seeing
[13:46] <_ruben> hmm .. iscsi is sweeet .. now to figure out how to properly get them targets automounted :)
[14:00] <ScottK-palm> What time is ther server team meeting today?
[14:00] <ivoks> 15 UTC
[14:01] <ivoks> in 2 hours
[14:01]  * ScottK-palm got called away for $WORK.
[14:02]  * ScottK-palm will read the logs and hopes specs will get discussed even though je's not there.
[14:02] <ScottK-palm> je's/he's
[14:03] <lukehasnoname> be there
[14:03] <lukehasnoname> it's that simple
[14:04]  * ScottK-palm may be able to get online at the customer site, but definitely don't wait.
[14:04] <ogra> $WORK is overrated ... just fills your fridge and you have to see how to get rid of all that stuff again :P
[14:05] <ScottK-palm> Good luck.  See you later.
[14:06] <_ruben> ah .. changing the order of bootscripts did the trick
[14:11] <leonel> ogra: the other way is to wait for the fridge stored things evolve and get out by themselves ..
[14:12] <ogra> uuuh
[14:12] <ogra> the problem with that is that you cant really use the fridge during that growing period
[14:12] <leonel> right
[14:45] <lukehasnoname> It's quiet
[14:45] <lukehasnoname> too quiet
[14:45] <lukehasnoname> Watch out, Fox, it's a trap!
[14:46] <pteague_work> i don't like using windows as a base, but at work i'm currently stuck with it...  the box is a core 2 duo... any ideas as to whether i should set up my linux virtual machine under vmware as having 1 cpu or 2?
[14:47] <lukehasnoname> Does vmware have trouble running multicore VMs?
[14:47] <_ruben> 2 hardly ever gives performance improvement over 1, it actually decreases performance most of the time
[14:48] <pteague_work> i don't know on vmware with multicore
[14:49] <_ruben> start with 1 vcpu, and if performance is a problem, you could try with 2 vcpus, but dont expect wonders or even anything from it
[14:49] <pteague_work> k, sounds like you know what you're talking about, which was what i was looking for :)
[14:50] <lukehasnoname> ouch :(
[14:52] <_ruben> pteague_work: its rather logical ... 1 vcpu : your vm only requires 1 real cpu to be avail .. 2 vcpu : your vm requires 2 real cpus to be available ... available as in free cpu cycles
[14:52] <_ruben> quite a difference is scheduling overhead
[14:53] <pteague_work> well here's the issue... at work i'm forced to use windows because somebody else may have to use my machine (i'm not sure how they'll be able to figure out to get vmware out of full screen mode, but that's another issue)...  so i'll be using vmware to install ubuntu & then using that as my desktop
[14:54] <pteague_work> not sure if i'll set up any other virtual machines or not
[14:55] <Zubbb> hello, someone is using hardy php5 (version 5.2.4-2ubuntu5.1)? it seems like it has a bug interpreting HEREDOC string syntax... can someone try and see if this ( http://pastebin.org/42803 ) runs well on it?
[14:56] <psufan> is there a command to regenerate the stock ftp or http urls for sources.list
[14:56] <_ruben> pteague_work: 1 or more vms isnt really the issue (but does mitigate it a bit), the vm will also have to compete with your host os for cpu cycles
[14:57] <psufan> I want to fire off the command at the last minute during the install in my kickstart
[14:57] <psufan> else the stupid kickstart or ubuntu installer makes sources.list point to the local pxe boot server which won't be around
[14:57] <_ruben> psufan: why not just stash the default sources.list on ur http/ftp/nfs/whatever server and copy it over ?
[14:58] <psufan> i'm afraid of having to document those steps :P
[14:58] <psufan> but I guess if I got no choice
[14:58] <_ruben> psufan: im guessing the file's created by the installer, and those commands might not be available in a running system
[14:58] <CrummyGummy> :q
[14:58] <CrummyGummy> eish
[14:58] <_ruben> :q!
[14:58] <psufan> well I don't know that but it would be easier to give them a working install
[14:58] <CrummyGummy> wrong window
[15:00] <lukehasnoname> Would it be beneficial to me to use JeOS on a xen environment? It's touted as optimized for KVM and VMware.
[15:01] <_ruben> lukehasnoname: i'd say it does .. it uses a kernel with virtualization in mind, and a very small (disk and memory) footprint
[15:02] <lukehasnoname> cool, I figured its slim size would help in any case. Now, it still has all server functions available, just a minimized footprint due to less drivers, streamlined kernel?
[15:04] <_ruben> lukehasnoname: yeah .. and low HZ and stuff
[15:05] <pteague_work> ah, JeOS... that brings up a question i asked last night... would the kernel be ok to run a desktop?  i.e. should i set up my vmware desktop using jeos & 1 of the desktop live CDs?
[15:06] <_ruben> pteague_work: that'd be a bit of a corner case .. im *guessing* it'd work, but wouldnt know for sure
[15:07] <pteague_work> k, i'll stick with the desktop then
[15:07] <lukehasnoname> Also, xen vs. kvm: Your opinion.
[15:08] <lukehasnoname> or abstain, but back up your statements if you can
[15:08] <_ruben> the choice between any virtualization product depends on both personal preference, technical requirements and budget
[15:14] <lukehasnoname> _ruben: google is my friend. Looking at http://kvm.qumranet.com/kvmwiki/FAQ, kvm supports live migration, which is good. It also seems to be less blky (so it claims).
[15:14] <lukehasnoname> its advantage is that it's supported (as in advocated) by the core linux community. However, I have a book on xen, soooo... >_>
[15:15] <lukehasnoname> blky/bulky.
[15:16] <owh> How quaint, lukehasnoname has a book.
[15:18] <lukehasnoname> erm, ebook o_o Seriously, I learn better from books that are professionally written and on paper. eBooks are alright, but real books are just better for me. FreeBSD 6 Unleashed, Ubuntu Server Administration, C# 2.0...
[15:18] <lukehasnoname> Not that I don't have some really helpful ebooks... about 300 of them
[15:18] <_ruben> lukehasnoname: im more of a vmware person myself, but like already stated: its a matter of personal taste among other things
[15:19]  * owh put all books into storage before starting a trip around Australia, now all books are on a mobile phone :)
[15:19] <_ruben> still hoping on getting a decent arrangement with vmware for their esx hosting product .. otherwise we might have to resort to using m$ hyper-v or some shit
[15:20] <owh> _ruben: I have been a VMware "person" for a while also, but since support seems to be decoupled from the kernel version, I'm beginning to regret it.
[15:20] <_ruben> owh: not sure what you mean?
[15:21] <owh> _ruben: Well, from a maintenance perspective it needs to be apt-get installable, but the lag between release is getting ridiculous.
[15:21] <lukehasnoname> but omgz0rz vmware isn't FOSS!!!111!!one! I would like to keep in line with the "libre" philosophy, whenever practical. Owh: Ya, That's why my paper:ebook ratio is about 1:10. I move a few times a year.
[15:21] <lukehasnoname> Have either of you TRIED xen or kvm before? Had any experience to reflect on?
[15:21] <_ruben> tried both, but never on decent hardware .. didnt like them very much
[15:22] <_ruben> vmware is *very* strong in its management toolset
[15:22] <owh> I realise that there are those who install from source, but the skill of developers leaves me with little confidence that their make install doesn't overwrite stuff without notification.
[15:22] <owh> _ruben: Yes, I'll grant you that.
[15:22]  * owh suspects that since Ubuntu has gone the kvm route, some stuff will begin to happen there too.
[15:23] <_ruben> true
[15:23]  * owh has not yet had a spare moment to actually start looking at kvm in anything other than a cursory fashion.
[15:23] <cemoi> hi
[15:23] <_ruben> but xen and kvm are still a bit "tricky" when it comes to virtualize windows systems
[15:23] <cemoi> don't speak French here?
[15:23] <owh> cemoi: How's it going?
[15:23] <CrummyGummy> Hi again. Any ideas why udev would keep renaming my nics?
[15:23] <_ruben> only english here
[15:24] <cemoi> mm
[15:24] <_ruben> CrummyGummy: under which circumstances does the renaming happen ?
[15:24] <cemoi> no french suport for the ubuntu server
[15:24] <cemoi> ?
[15:25] <lukehasnoname> xen has a better name though. The letter "x" represents "coolness". Point taken, owh, and my point as well. kvm is now an official part of the kernel, so it should be supported and documented well.
[15:25] <owh> cemoi: Well, if you have a question and you're French, then we can help you.
[15:25] <cemoi> ok thank's a lot
[15:25] <owh> cemoi: Even if you we're Canadian :)
[15:25] <owh> cemoi: Or Dutch even.
[15:26] <cemoi> uu o_O
[15:26] <cemoi> no French then?
[15:26] <owh> Nope, je parle une petit Francais, but my keyboard doesn't support it :)
[15:27] <cemoi> mm ok
[15:27] <owh> s/petit/petit peu/
[15:27] <Deeps> !fr
[15:27]  * _ruben hasnt spoken french since high school, even that hasnt been *that* long
[15:28] <owh> That's good, Deeps :)
[15:28] <owh> My French is from the same schooling system as yours _ruben :)
[15:28] <_ruben> owh :)
[15:28] <owh> And German too :)
[15:29] <_ruben> german class i dropped the moment i had a chance
[15:29] <Deeps> je ne parle francais
[15:29] <_ruben> french was next
[15:29] <cemoi> mm ok ok
[15:29] <CrummyGummy> I've updated /etc/udev/rules.d/70-persistent-net.rules but it doesn't seem to be assigning the right names to network cards.
[15:29] <cemoi> I'm trying to learn more about the introduction of quotas on a webdav server, does ubuntu server expect something?
[15:29] <owh> _ruben: Ditto.
[15:29] <_ruben> Deeps: indeed, since even that line is wrong :)
[15:29] <lukehasnoname> Parla vos anglese?
[15:29] <_ruben> its: je ne parle pas francais
[15:29] <_ruben> afaik
[15:29]  * Deeps shrugs
[15:29] <Deeps> i can understand better than i speak ;)
[15:29] <_ruben> hehe
[15:29] <Deeps> my gf's belgian and her family only speaks a bit of english and spanish, so i've had to learn a lot
[15:29] <Deeps> (cuz they speak french)
[15:30] <_ruben> belgian's are "odd" that way :)
[15:30] <Deeps> very easy to understand though
[15:30] <Deeps> much easier than the french i've found
[15:30] <Deeps> the accent, at least
[15:30] <Deeps> from an spanglish perspective, anyway
[15:30] <cemoi> we don't no?
[15:30] <cemoi> you don't no sorry
[15:30] <_ruben> CrummyGummy: nuking that file will have it recreated at next boot .. and shouldnt change unless there's any hardware changes
[15:31] <owh> cemoi: To get to the point, what issues are you having?
[15:33] <CrummyGummy> Wow, huge lag.
[15:33] <CrummyGummy> reading...
[15:34] <CrummyGummy> I just restarted udev and it renamed eth0_rename to eth0_rename_ren
[15:35] <CrummyGummy> That should've been eth0 in the first place. The mac address is right.
[15:35] <cemoi> owh, It cannot inherit per-user quotas on the file system the way an FTP server does. Webdav does not support it, so we therefore cannot limit users' quantities of data through the quotas.
[15:35] <owh> Anybody got any suggestions for cemoi about this?
[15:36]  * owh has not played with quota's
[15:36]  * _ruben never worked with quotas
[15:36] <_ruben> heh
[15:36] <owh> I'm intrigued by that bug report.
[15:36] <_ruben> CrummyGummy: restarting just udev is a tad tricky .. a full reboot usually does a better job at renaming such things
[15:37] <CrummyGummy> I thought I had it fixed. Rebooted and it was back to weirdness.
[15:37] <cemoi> the problem is that a user can just very well overwhelm the disk, then it has no limits
[15:38] <CrummyGummy> http://www.pastebin.ca/1043884
[15:38] <CrummyGummy> Gonna reboot and see what happens.
[15:38] <owh> Hmm, well that php bug seems to also not work for me, that's a first :)
[15:42] <cemoi> there are people who have servers webdav under ubuntu here?
[15:48] <cemoi> mm :,(
[15:49] <owh> cemoi: Don't despair. Send your question to the ubuntu-server list and see what response you get.
[15:49] <cemoi> forum exist?
[15:50] <lukehasnoname> ubuntuforums.org
[15:51] <cemoi> for servers only
[15:51] <lukehasnoname> also the mailing list, ubuntu-server@lists.ubuntu.com
[15:51] <cemoi> this will be equivalent to this but for openoffice
[15:51] <cemoi> http://workspace.officelive.com/?lc=1036&cloc=fr-FR
[15:51] <cemoi> ok
[15:51] <CrummyGummy> _ruben: This is like a lottery. Every time I reboot my if devices are named differently.
[15:51] <lukehasnoname> a lot of server devs read that list
[15:51] <_ruben> CrummyGummy: strange
[15:51] <cemoi> ok ok thank's
[15:51] <CrummyGummy> It worked last time. The last 2 times it's different.
[15:57]  * owh wonders if there is a log that shows what is renaming things for CrummyGummy
[16:00] <nealmcb> server team meeting in #ubuntu-meeting now
[16:01] <CrummyGummy> nealmcb: Are you involved in the commercial side of things?
[16:04] <ScottK2> Maybe dendrobates will come to the meeting and talk about specs since mathiaz bailed out on us.
[16:05] <owh> ScottK2: Actually bailed, or just freenode fun?
[16:05] <ScottK2> All the same to me.
[16:05] <ScottK2> nijaba claims he's coming.
[16:05] <owh> Well, one is intentional :)
[16:06] <CrummyGummy> is #ubuntu-meeting  closed?
[16:06] <lukehasnoname> no
[16:06] <CrummyGummy> so I can lurk?
[16:06] <owh> CrummyGummy: You bet
[16:06] <CrummyGummy> cool
[16:06] <ogra> you can even speak if you want:)
[16:07] <CrummyGummy> more cool
[16:07] <CrummyGummy> aaarg, nuf with the udev renaming already.!!!!
[16:23] <thefish> anyone here use fwbuilder?
[16:24] <InsomniaCity> played with it many years ago
[16:27] <thefish> it's really useful most of the time! I'm getting some pain from it, trying to send a firewall, and it's adding ? to the command :/
[16:30] <InsomniaCity> well, you could always post-process it and strip the ?s
[16:32] <jero> hi
[16:35] <jero> does anyone know why apache2 is not honoring "HostnameLookups Off" on 8.04 ?
[16:36] <jero> thus logging with ip resolved to names
[16:36] <thefish> InsomniaCity, ye, not ideal though :/
[16:38] <InsomniaCity> jero: are you doing it in the right vhost/dir/whatever?
[16:38] <jero> InsomniaCity: it is in the global section
[16:39] <mathiaz> jdstrand: could you drop by #ubuntu-meeting
[16:39] <mathiaz> jdstrand: ?
[16:48] <kees> kirkland: I actually think a more correct fix (for the next upload, I just uploaded your other patch now), would be to do a 2>/dev/null || true on the "." lines
[16:48] <kees> i.e.   . ~/.selected_editor 2>/dev/null || true
[16:48] <kees> in both places where it's done
[16:48] <kirkland> kees: interesting....  okay
[16:49] <kirkland> kees: i was purposefully trying to avoid touching sensible-editor again
[16:49] <kirkland> kees: but that looks clean too
[16:49] <kees> that way it'll catch stupid race conditions where -r is true, the file is deleted, and then it sources it.
[16:50] <kees> yeah, do it for the next upload, or keep it on the TODO list -- getting it into the "best" possible shape is fine even if it takes a few uploads.  :)
[16:50] <kirkland> kees: i have the source in front of me
[16:50] <kirkland> kees: i'll just debdiff again
[16:51] <jero> does anyone have apache2 running and noticed it does not respect the HostnameLookups directive?
[16:52] <matrix> hello
[17:04] <kirkland> kees: patch attached to the bottom of https://bugs.edge.launchpad.net/ubuntu/+source/debianutils/+bug/238879 fixing the issue you just mentioned
[17:04] <kirkland> kees: (potential issue)  :-)
[17:05] <mathiaz> Koon: no problem
[17:05] <mathiaz> Koon: the color means how long since the last merge IIRC
[17:05] <mathiaz> Koon: or maybe the priority of the package
[17:05] <mathiaz> Koon: anyway - it's not so relevant
[17:05] <matrix> how can i block avi files with FilesMatch  on ubuntu ?
[17:06] <mathiaz> Koon: I'd suggest that you start with the universe list of outstanding merges
[17:06] <mathiaz> Koon: and pick a package that you're interested in
[17:06] <Koon> mathiaz: sure
[17:07] <mathiaz> Koon: I'll go through the list today and send a selection of packages you could start working on
[17:07] <mathiaz> Koon: some of the merges are easier than others
[17:07] <kees> kirkland: doing that in ()'s means the "." would happen in a sub-shell
[17:07] <kirkland> kees: ew, and not bubble up
[17:08] <Koon> mathiaz: ok, I'll catch your mail when I start tomorrow
[17:08] <Koon> see you all tomorrow
[17:08] <kees> cya Koon
[17:09] <psufan> is there a command to regenerate the stock ftp or http urls for sources.list
[17:10] <psufan> I want to fire off the command at the last minute during the install in my kickstart
[17:10] <psufan> else the stupid kickstart or ubuntu installer makes sources.list point to the local pxe boot server which won't be around
[17:10] <kirkland> kees: testing it out here, looks like I can just remove the parens
[17:10] <kirkland> kees: order of operations holds as is
[17:13] <kees> kirkland: okay, cool
[17:13] <kirkland> kees: updated patch attached to that bug
[17:13] <kirkland> kees: thanks for the immediate reviews ;-)
[17:13] <kees> kirkland: no problemo :)
[17:15] <kees> kirkland: changelog has "hardy" rather than "intrepid".  :P
[17:16] <kirkland> kees: arrggggggg, sorry
[17:16] <kirkland> kees: vim really needs to be patched :-/
[17:17] <kees> vim?  "dch -i"  :P
[17:19] <kirkland> kees: attached to bug
[17:19] <kirkland> kees: well, vim is still highlighting "intrepid" as erroneous
[17:19] <kirkland> nxvl has a bug and a patch for that one
[17:26] <kees> kirkland: hm, my vim doesn't do that...
[17:26] <kirkland> kees: are you running intrepid or hardy?
[17:27] <kees> intrepid
[17:27] <kirkland> kees: well, i'm still on hardy on my laptop
[17:27] <kees> ah-ha, okay
[17:27] <kirkland> i'll be switching to intrepid soon
[17:28] <mathiaz> kirkland: you can use chroots to do your work
[17:29] <kirkland> mathiaz: i set up pbuilder, but I ran into some issues
[17:29] <kirkland> mathiaz: i need to give that another shot
[17:29] <mathiaz> kirkland: I'm using schroot
[17:29] <kees> mk-sbuild-lv!  :)
[17:30] <kirkland> mathiaz: wiki page for setup instructions?
[17:30] <mathiaz> kees: do you have more than one chroot per release ?
[17:30] <mathiaz> kees: ie have an intrepid and intrepid-sbuild chroot ?
[17:30] <mathiaz> kirkland: https://help.ubuntu.com/community/SbuildLVMHowto?highlight=(Sbuild)
[17:31] <kirkland> mathiaz: ah, yes, sbuild
[17:31] <kees> mathiaz: I have 1 chroot per release per arch, so i386 and amd64 of dapper, feisty, gutsy, hardy, intrepid
[17:31] <mathiaz> kees: I've started to use chroots to work in it but found that it lacks some tools
[17:31] <kees> mathiaz: and the same again in kvm.  :P
[17:31] <mathiaz> kees: so I've started to install the default tools in the chroot -source
[17:31] <kees> mathiaz: ah-ha, yeah
[17:32] <mathiaz> kees: but then build dependencies can be wrong and not detected
[17:32] <kees> mathiaz: since my main machine is intrepid, I just do dev work there
[17:32] <eix> any idea why I can only see 438MB of RAM when having a 1GB module installed?
[17:32] <kees> mathiaz: I like that approach.  even more disk space used!  :P
[17:32] <eix> well..various modules up to 1GB
[17:32] <mathiaz> kees: such as - I have debhelper installed in my -sources but I'd like to have sbuild use a minimal chroot
[17:32] <mathiaz> kees: how do you do dev work for -dapper for ex ?
[17:34] <mathiaz> kees: or to put it another way - have you ever been bitten by the fact that your -source chroot has more packages than the ones installed on the buildds ?
[17:34] <eix> this is my "free -m": http://rafb.net/p/zGSQxJ23.html
[17:35] <kees> mathiaz: almost all the work I do for non-devel is patching, so the deps don't change.  if I'm in a situation where I need to repeatedly build stuff, I'll just enter a schroot and install the deps first and do work until I'm done.
[17:35] <kees> mathiaz: my workflow for those things isn't improved much by having a separate chroot with lots of stuff pre-installed
[17:36] <mathiaz> kees: ok - but your -intrepid chroot is minimal
[17:36] <kees> mathiaz: right
[17:37] <kees> eix: a lot of things could contribute to that.  I'd start by finding the "Memory:" line in your dmesg or /var/log/kern.log file
[17:37] <kees> eix: Memory: 8100612k/9109504k available (2466k kernel code, 204488k reserved, 1309k data, 316k init)
[17:37] <kees> see if "reserved" is huge
[17:37] <kees> if that's the case, check your BIOS settings
[17:37] <kees> beyond that, it's pretty hardware-specific
[17:37] <eix> kees: let me check that
[17:38] <kees> eix: also, see "sudo lshw" and look for DIMM entries
[17:38] <danshearer> hello all. Has the topic of 'should we install syslog-ng as default syslogger' ever come up?
[17:38] <mathiaz> danshearer: I've looked into that some time ago
[17:38] <mathiaz> danshearer: I'd rather go with rsyslog
[17:39] <eix> kees: Memory: 441072k/457664k available (2255k kernel code, 16052k reserved, 1032k data, 384k init, 0k highmem)
[17:39] <mathiaz> danshearer: syslog-ng syntax is not compatible with sysklog
[17:39] <mathiaz> danshearer: and the license is a bit of a problem (dual licensed)
[17:39] <mathiaz> danshearer: the licensing is a minor issue though
[17:39] <danshearer> mathiaz: not quite so, the license is a problem because it is GPLv2=
[17:40] <eix> kees: in lshw I can see some UNCLAIMED memory blocks...that looks creepy
[17:40] <danshearer> mathiaz: so it is difficult to integrate components from projects like Samba
[17:40] <mathiaz> danshearer: OTOH rsyslog is GPL and the syntax is compatible with the current syslog syntax, which means it's easier to upgrade
[17:40] <mathiaz> danshearer: GPLv2= for rsyslog ?
[17:40] <danshearer> mathiaz: I didn't realise rsyslog was a contender, at a quick look it does what I'm looking for
[17:41] <danshearer> mathiaz: there are two main points I think: backends into databases and very simple active-active failover config
[17:41] <mathiaz> danshearer: I've looked into rsyslog last year when fedora went with it
[17:41] <mathiaz> danshearer: there are a couple of threads on the fedora mailing list when they compared syslog-ng and rsyslog
[17:41] <eix> kees: lshw -> http://rafb.net/p/tWj9yb95.html
[17:42] <danshearer> mathiaz: I think Ubuntu Server should be shipping as many active-active failovers as possible out of the box
[17:42] <mathiaz> danshearer: both are available in ubuntu universe
[17:42] <danshearer> mathiaz: I'll go and look!
[17:43] <eix> ANY IDEA why I have a disabled CPU and RAM?
[17:43] <danshearer> mathiaz: btw in the context of syslog active-active means all systems log to all sysloggers, but no duplicates are stored
[17:43] <eix> ok, the CPU slot is empty - that's ok
[17:43] <danshearer> mathiaz: and all nodes compare new messages with all other nodes so all nodes should have a complete log
[17:44] <danshearer> mathiaz: haven't done this with n > 2 though but still it is a very useful very simple facility
[17:44] <danshearer> mathiaz: the trick being not to have an infinite logging loop :-
[17:44] <kees> eix: I'd guess BIOS settings or motherboard incompatibility.
[17:44] <eix> kees: yes
[17:44] <mathiaz> danshearer: well - there is a scalability problem with n > 2
[17:44] <eix> kees: it's a pretty new server, so I also fear MB incompatibility
[17:45] <eix> kees: the 2nd 512MB DIMM block is clearly not being seen
[17:45] <mathiaz> danshearer: I think it makes more sense to store all the logs on all the nodes and then use a tool to do post-processing of logs
[17:45] <danshearer> mathiaz: sure, in any service. But there are well-known algorithms for addressing this.
[17:45] <mathiaz> danshearer: when you want to visualize the logs, then you can correlate the events.
[17:45] <danshearer> mathiaz: and with syslog, n=2 is pretty good and a lot better than most people have today
[17:46] <mathiaz> danshearer: sure - the algorithms exists, but have problem when scaling to more than 2
[17:46] <danshearer> mathiaz: and that's the issue "use a tool" is where most people fall down
[17:46] <mathiaz> danshearer: there is more and more overhead
[17:46] <kees> eix: check your mobo documentation, you may need to use matched pairs, specific locations, etc, etc.
[17:46] <danshearer> mathiaz: and given that you can do n=2 for no noticeable cost, why not?
[17:46] <mathiaz> danshearer: sure
[17:47] <danshearer> mathiaz: ah, this is in the context of centralised logging though.
[17:47] <mathiaz> danshearer: I'm not convinced that figuring out an infrastructure so that you log to every node and you make sure that events are stored only once is worth it
[17:47] <danshearer> mathiaz: in my experience most centralised logging gets very messy over time. Even that word 'time' is a big problem!
[17:47] <psufan> eix
[17:48] <psufan> is this a i810 or i815 chipset by chance
[17:48] <psufan> sdram or ddr?
[17:48] <danshearer> mathiaz: Nevertheless, do you agree that if keeping two logging servers exactly in sync costs nothing, that it is a useful facility?
[17:49] <mathiaz> danshearer: what do you mean by in sync ? there won't be any duplicates logged ?
[17:49] <eix> kees: mmh
[17:49] <mathiaz> danshearer: or that all the messages will be stored on both servers ?
[17:49] <danshearer> mathiaz: no duplicates, no omissions. syslog is generally udp, but the two servers can talk tcp to each other.
[17:49] <eix> psufan: my lshw http://rafb.net/p/tWj9yb95.html
[17:50] <danshearer> mathiaz: in practice in a large and busy network, and given the nature of udp, if you have all devices logging
[17:50] <danshearer> mathiaz: to both servers, most of the time one of the two (or both) will receive syslog message.
[17:50] <psufan> nope a64
[17:50] <eix> psufan: DIMM
[17:51] <psufan> dimm has been since sdram :P
[17:51] <psufan> actually there was fpm and edo dimms
[17:51] <danshearer> mathiaz: the important thing about centralised logging is that you point *everything* at it, down to printers and physical security systems.
[17:51] <eix> ok people, thanks - I'll be back tomorrow for this
[17:51] <psufan> nvidia chipset is NOT a server
[17:51] <eix> psufan: you say?
[17:51] <eix> psufan: why?
[17:51] <mathiaz> danshearer: right - it'd make more sense to make sure the messages are stored at least once, rather than only once
[17:51] <psufan> cause that wasn't nvidia's target market
[17:51] <eix> psufan: I really don't know which cheap server this is
[17:52] <psufan> doesn't support a lot of server stuff like ecc or registered
[17:52] <eix> psufan: they bought to me, for free
[17:52] <eix> psufan: but, still, it should work, no?
[17:52] <psufan> mabye
[17:52] <eix> psufan: yet this missing RAM is weird
[17:52] <mathiaz> danshearer: implementing the logic to make sure that messages are stored only once is probably better done in log analysis tools than at the log storage level
[17:52] <eix> psufan: I will have more information tomorrow about the BIOS configuration
[17:53] <eix> I'll probably also look into the mobo manual
[17:53] <mathiaz> danshearer: /stored/processed/
[17:53] <psufan> ok
[17:53] <eix> thanks kees and psufan
[17:53] <psufan> np
[17:57] <jo_> hi everybody. could someone of you tell me, whether the packages needed for using a D-Link G-520+ WLAN-Adapter (Chip: TI ACX-111) (probably linux-restricted-modules-386 or parts of it) are installed with the hardy server edition?
[17:59] <danshearer> mathiaz: then you don't have an active-active failover solution.
[18:00] <efj> Hi everyone
[18:00] <efj> I have a question regarding DHCPD configuration
[18:00] <efj> and multiple subnets :-p
[18:01] <danshearer> mathiaz: this is part of some thinking I have been doing, trying to answer this question:
[18:01] <efj> I don't know if anyone knows a bit about this ?
[18:01] <efj> and could eventually help me ?
[18:02] <ivoks> efj: will you just ask
[18:02] <efj> So I got a server running DHCPD
[18:02] <efj> with 2 subnets declarations
[18:02] <efj> DHCPD responds on both interfaces
[18:03] <efj> but provides the right information regarding DNS, routers to only one of them
[18:03] <efj> let's say that I have 192.168.1.0/24 and 192.168.2.0/24
[18:03] <efj> with appropriate definition for both of them
[18:03] <efj> 1.0 is the domain home.lan
[18:03] <efj> 2.0 is the domain home.wifi
[18:03] <danshearer> mathiaz: "what services can I very easily roll out in active-active configuration?"
[18:04] <kees> danshearer: DNS, DHCP
[18:04] <danshearer> mathiaz: that is, without expensive clusters or other very special-purpose solutions
[18:04] <danshearer> kees: LDAP
[18:04]  * kees doesn't know LDAP yet :)
[18:04] <efj> For 1.0:
[18:04] <efj> 	option domain-name "home.lan.";
[18:04] <mathiaz> danshearer: how-do you define active-active ?
[18:04] <efj> 	option broadcast-address 192.168.1.255;
[18:04] <efj> 	option routers 192.168.1.1;
[18:04] <efj> 	option domain-name-servers 192.168.1.1;
[18:04] <danshearer> kees: syncrepl
[18:04] <ivoks> efj: it would be easier if you would paste your config file on pastebin
[18:04] <efj> 	option ip-forwarding off;	
[18:04] <efj> for 2.0:
[18:04] <mathiaz> !pastebin | efj
[18:04] <efj> 	option domain-name "home.wifi.";
[18:04] <efj> 	option broadcast-address 192.168.2.255;
[18:04] <ivoks> ... and not here
[18:04] <efj> 	option routers 192.168.2.1;
[18:04] <efj> 	option domain-name-servers 192.168.2.1;
[18:04] <efj> 	option ip-forwarding off;	
[18:05] <danshearer> mathiaz: the simple way that the boss can understand: when one server goes down the other keeps going, and
[18:05] <efj> Sorry about that
[18:05] <danshearer> mathiaz: when the first server comes back there is still no difference in either server, and
[18:05] <danshearer> mathiaz: it never matters which server you connect to.
[18:05] <efj> So the thing is that on 1.0, I get the right domain name, gateway and DNS
[18:06] <ivoks> efj: pastebin
[18:06] <efj> for 2.0, it answers with the proper IP address, meaning something like 192.168.2.30
[18:06] <mathiaz> danshearer: right - you can either go for a failover scenario or a load-balancing scenario
[18:06] <danshearer> mathiaz: One thing you don't want to have to guarantee is that any given transaction will succeed, that's another topic :-)
[18:06] <efj> but DNS is 1.0, ditto for gateway
[18:06] <efj> and I just don't know why this keeps happening
[18:06] <ivoks> mathiaz: are you guys talking about redhat cluster suite? :)
[18:06] <efj> it also says that it's from the home.lan domain
[18:06] <mathiaz> ivoks: nope - it started with syslog
[18:06] <ivoks> efj: for the last time; paste your config on pastebin
[18:07] <ivoks> mathiaz: oh...
[18:07] <danshearer> mathiaz: well when it comes to load-balancing you're talking about constructing a robust network with great care
[18:07] <mathiaz> ivoks: how to provide a highly available logging infrastructure
[18:07] <danshearer> mathiaz: I like to show people that actually a lot of components can be very robust without much thinking at all
[18:07] <efj> http://paste.ubuntu.com/19100/
[18:07] <efj> done
[18:07] <danshearer> mathiaz: like kees says, DNS and DHCP can do this and we don't think about it much, but the concept can be extended to
[18:07] <ivoks> mathiaz: with two machines with drbd master-master disk, and VIP over the redhat cluster suite? :D
[18:08] <danshearer> mathiaz: other services and I think more people would if it was (a) easier and (b) better promoted
[18:08] <mathiaz> danshearer: by load-balancing I mean that all the nodes are active at the same time - by failover I refer to one node being active, the others in stand-by mode
[18:08] <danshearer> mathiaz: a great way to address (b) is to ship configs ready-to-go :-)
[18:08] <ivoks> danshearer wants glory for low cost :D
[18:09] <danshearer> mathiaz: I don't agree with your definitions really, because to me load-balancing implies some degree of selection
[18:09] <danshearer> mathiaz: with the services I'm talking about there is explicitly no load management logic. Whoever answers first wins.
[18:10] <mathiaz> danshearer: well - let's call it an active-active and active-passive scenario
[18:10] <danshearer> mathiaz: I just tell the senior officials in the company "Look, for not much disruption things are more likely to work than before"
[18:11] <danshearer> mathiaz: Whereas if you introduce a comprehensive solution you have to disturb other parts of the network, or at least introduce more components
[18:11] <danshearer> mathiaz: that do things like distribute load or guarantee integrity of an individual transaction.
[18:11] <ivoks> efj: let's take a look
[18:12] <efj> thanks
[18:12] <jo_> is there a package list for the ubuntu server install cd?
[18:12] <ivoks> efj: which dhcp server is this?
[18:12] <danshearer> mathiaz: Personally it's ridiculous that most of the time people have to choose between individual servers and complicated cluster solutions
[18:12] <mathiaz> jo_: http://releases.ubuntu.com/releases/8.04/ubuntu-8.04-server-i386.list
[18:12] <efj> dhcp3
[18:13] <mathiaz> jo_: has the list of all the files on the ubuntu-server cd
[18:13] <jo_> ok, thanks
[18:13] <danshearer> mathiaz: whereas you can get what ivoks just said, almost: *most* of the glory for *little* extra cost.
[18:13] <danshearer> make sense?
[18:13] <efj> I have 2 network interfaces
[18:13] <mathiaz> danshearer: sure - the next step is to list the services then
[18:13] <efj> with appropriate definitions
[18:13] <ivoks> danshearer: redhat cluster suite isn't complicated
[18:14] <ivoks> danshearer: it even has graphic tool for configuration
[18:14] <danshearer> mathiaz: That's right. And I was doing that in my head really, and got to syslog, and asked the question I did :-)
[18:14] <ivoks> danshearer: clusters by default are hard to understand for newbies
[18:14] <efj> here is my /etc/network/interfaces file: http://paste.ubuntu.com/19103/
[18:15] <ivoks> efj: so, remind me, what doesn't work?
[18:15] <danshearer> ivoks: that's my point: a lot of the time there is an in-between, pragmatic answer
[18:15] <danshearer> ivoks: and what's more, you can do this service-by-service on existing machines
[18:16] <efj> DHCP clients from network wifi get a proper IP address
[18:16] <efj> but get 192.168.1.1 as DNS and gateway
[18:16] <danshearer> my point is thinking practical, backwards-compatible, simple, while also greatly improving networks
[18:16] <ivoks> doh, too many buzzwords for a non english listener
[18:16] <efj> instead of 192.168.2.1
[18:16] <efj> also, they get domain-name="home.lan"
[18:16] <efj> instead of "home.wifi"
[18:17] <danshearer> ivoks: what I mean is, there are simple things you can do to existing networks that give you more robustness
[18:17] <kees> efj: is it possible you have other devices on the wifi serving DHCP?
[18:17] <danshearer> ivoks: take my earlier question about syslog: many networks have a central syslog server.
[18:17] <efj> kees: none
[18:18] <danshearer> ivoks: We can tell them "run this on two servers, and suddenly you have much more reliable solution"
[18:18] <ivoks> efj: this looks ok to me...
[18:18] <efj> if I list the interface's information on the client, it is clearly 192.168.2.1 that gives the lease
[18:18] <ivoks> danshearer: i understand what you *want*, but this is not very easy to achieve with a simple 'click'
[18:19] <ivoks> efj: is eth2 a wifi interface
[18:19]  * kees thinks about his attempts to make mailman clustered.  what a hoot.
[18:19] <ivoks> danshearer: there are too many variables...
[18:19] <danshearer> ivoks: I wasn't worrying about the "click" part for now :-)
[18:19] <efj> it is an ethernet interface
[18:19] <efj> connected to an AP
[18:19] <danshearer> ivoks: I'm not so sure I agree with you, which is why I'm writing down the possibilities :-)
[18:20] <ivoks> danshearer: for syslog on two machines, the way to do it is easy
[18:20] <ivoks> danshearer: set up an DRBD (network raid of partitions), create GFS (or even some non-cluster FS)
[18:20] <danshearer> ivoks: I am speaking of a central syslog service receiving up to 1000 messages per second
[18:20] <ivoks> danshearer: and setup a virtual IP that will move from one to the other when first one fails
[18:21] <danshearer> ivoks: DRBD is definitely not the answer, it spreads corruption instantly :-)
[18:21] <danshearer> ivoks: nope, GFS is absolutely not the answer for someone who wants a simple solution that fits his current needs
[18:22] <danshearer> ivoks: I'm getting parts of what I'm writing from working networks, thanks for the input, I'll come back with more questions!
[18:22] <ivoks> sorry, phone
[18:22] <ivoks> GFS is a very simple solution
[18:23] <ivoks> OCFS is not, though :D
[18:23] <danshearer> ivoks: GFS is simple if that's what you're looking for. At the moment, for most networks, it isn't an option.
[18:23]  * danshearer interrupt, back later
[18:23] <ivoks> efj: anyway, this looks ok
[18:23] <efj> ivoks: thanks for looking at my config
[18:24] <efj> I somehow don't understand why I get this result
[18:24] <ivoks> syslog shows no errors when starting dhcpd?
[18:25] <nealmcb> hmm - I "helped" some folks in Boulder out and did an upgrade of clamav on a dapper machine for the first time in a while.  It asked about the config file, and I thought it would be safe to keep the old config file, but it seems that I broke it.  They've got it fixed now, but I wonder how often that happens, and what options we have for helping and warning folks about incompatible upgrades.
[18:26] <ivoks> nealmcb: we offer diff, which you should've checked :)
[18:26] <sommer> heh
[18:27] <sommer> nealmcb: did you grab the clamav from backport?
[18:27] <nealmcb> I looked at the diff, but don't recall it saying "!!warning - incompatible upgrade!!"
[18:27] <sommer> clamav is a beast, especially if you haven't upgraded for a while
[18:29] <efj> ivoks: no it doesn't
[18:29] <nealmcb> If it weren't for the fact that they were dealing with a mail problem already and were tight on time I would have taken more time to look at it then.  as it was I just put it on the "look at soon" pile...
[18:30] <ivoks> nealmcb: well, it saved your old config
[18:30] <ivoks> so you can still do a diff
[18:30] <sommer> nealmcb: ya, the big issue with clamav is that they change their library api between versions... it may be getting better since they were bought by sourcefire though
[18:30] <ivoks> and check what's changed
[18:31] <sommer> nealmcb: but for packaging questions ScottK knows much more than I do
[18:31] <nealmcb> ivoks: again, it is fixed now.  I'm asking about the human factors of how we can help prevent upgrades from  breaking things
[18:34] <sommer> nealmcb: until clamav has a stable API, I'm not sure... aside from asking to replace the configs
[18:37] <efj> ivoks: I got it !
[18:37] <efj> The issue was that the MAC address I gave to the ethernet port of the wifi computer was the wifi one ...
[18:37] <efj> so there was a match in the first subnet
[18:37] <efj> not in the second
[18:38] <ivoks> interesting...
[18:39] <efj> The thing is that there was an allow unknown-clients clause in the wifi subnet
[18:39] <efj> meaning that it would respond
[18:39] <efj> however it seems the match on the hardware address made the thing screw up
[18:40] <efj> Anyway, thanks for your time
[18:41]  * ivoks wasn't here during specs talk
[18:42] <ivoks> but, /me has one spec too :D
[18:43] <ivoks> https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
[18:45] <jjesse> was there another team meeting i missed?
[18:45] <nealmcb> jjesse: this morning at 15:00 UTC
[18:46] <jjesse> ah bummer
[18:46] <nealmcb> we assigned everything to you :)
[18:47] <jjesse> nealmcb: figured
[18:47] <jjesse> means more won't get done
[18:58] <folke> Anyone know the status of vmware-tools and 8.04?
[18:59] <folke> Is the any-any patch necessary? Or should I stick to 7.10
[19:06] <mathiaz> kirkland: The MIR items in Outstanding issues should be moved to the implementation section
[19:07] <mathiaz> kirkland: remove the encrypted swap reference as this is out of the scope of the spec
[19:08] <kirkland> mathiaz: well.... some argue that without encrypted swap, encryption is useless, as passphrases can leak from memory to disk via swap
[19:08] <kirkland> mathiaz: i'd like to at least mention it, in the interest of full disclosure
[19:08] <mathiaz> kirkland: right - makes sense then
[19:08] <kirkland> mathiaz: i disagree with the "useless" argument
[19:09] <kirkland> mathiaz: but I recognize that encrypted swap is necessary for further (complete?) protection
[19:09] <kirkland> mathiaz: i'll move the MIR's to Implementation
[19:09] <mathiaz> kirkland: having a section about testing would start the documentation effort
[19:09] <kirkland> mathiaz: actually, regarding MIRs, those are still pending, so wouldn't they be considered "Outstanding"?
[19:10] <kirkland> mathiaz: i was using "Implementation" to track what's been completed
[19:11] <kirkland> mathiaz: okay, i noted that encrypted swap is beyond the scope, moved down a bit to a separate list
[19:11] <mathiaz> kirkland: hm... Usually I use implementation to describe what needs to be done
[19:11] <kirkland> mathiaz: I'll start a testing section now
[19:11] <mathiaz> kirkland: and then add a big OK when it's implemented
[19:11] <kirkland> mathiaz: okay, if that's "Implementation", what's "Outstanding"?
[19:12] <kirkland> mathiaz: i was equating "implementation" with DONE, and "outstanding" with TODO
[19:12] <nealmcb> seems to me it would be "outstanding" from the spec writing standpoint - what is still unclear
[19:13] <mathiaz> kirkland: see https://wiki.ubuntu.com/AppArmorGutsy
[19:13] <nealmcb> ...unresolved issues....
[19:14] <ScottK> If anything clamav API instability is getting worse, not better with clamav
[19:15] <kirkland> mathiaz: hmm, okay.  i can follow that guideline, but i think i would prefer separate sections for TODO and DONE, call them what you will
[19:16] <mathiaz> kirkland: makes sense
[19:16] <mathiaz> kirkland: the Spec format is not so rigid
[19:16] <kirkland> mathiaz: i can put two sections under Implementation, if that helps you out
[19:16] <kirkland> mathiaz: one for DONE and the other for TODO
[19:17] <kirkland> mathiaz: and I'll copy/cut/paste as I complete such items
[19:17] <mathiaz> kirkland: what's important is to be able to figure out what needs to be done, and what has been done
[19:17] <mathiaz> kirkland: wfm
[19:17] <kirkland> mathiaz: and I'll save Outstanding Issues for things like Encrypted Swap
[19:17] <kirkland> mathiaz: ie, stuff that's not done, and probably won't be done as part of this effort, but should be tracked for completeness
[19:17] <ScottK> nealmcb: The Debian/Ubuntu clamav package ships pretty sane defaults.  If you change from them, then you do take on having to understand configs on upgrades.  It's part of the cost of doing business.
[19:17] <mathiaz> kirkland: that seems reasonable to me
[19:18] <ScottK> Stick with the default and the package maintainer handles it for you.
[19:18] <kirkland> mathiaz: cool, thanks for the review
[19:19] <nealmcb> ScottK: the issue here was that the new version couldn't parse the old config.  would it help to add some comments in the conf file saying in effect "API version x.y - WARNING - IF THIS SHOWS UP IN A DIFF LINE YOU NEED TO FIX THINGS!!"
[19:19] <mathiaz> kirkland: np :)
[19:20] <nealmcb> in addition, apt-get upgrade doesn't seem to indicate at the end when things fail during the upgrade
[19:22] <nealmcb> ...like the daemon startup....
[19:25] <ScottK> nealmcb: That's generally true anytime the diff shows up.
[19:39] <lukehasnoname> Did soren die?
[19:51] <Brazen> So what does the server team think of ovirt?  I noticed it's not on the Roadmap.
[19:52] <Brazen> ...just asking since it's slow in here.
[19:53] <Deeps> looks like a vm appliance
[19:53] <Deeps> being developed and maintained for use in a fedora based vm
[19:54] <Deeps> looks nice too
[19:55] <lukehasnoname> I want to check it out at some point... getting that to work with Ubuntu/JeOS and KVM (or xen) would be awesome.
[19:56] <Deeps> umm, it's an extra vm that you'd run on your vm server (whatever os it is) by the looks of things
[19:56] <Deeps> whatever linux os, anyway, i guess
[19:57] <lukehasnoname> ovirt is a vm manager
[19:57] <lukehasnoname> I thought
[19:57] <lukehasnoname> >_>
[19:58] <Brazen> it's a vm manager, but Redhat is distributing a vm with it all set up.  I'm pretty sure that is just for testing though, and in production I'm sure it is intended to be installed on bare metal.
[19:59] <lukehasnoname> http://ovirt.org/documentation.html
[20:02] <Brazen> Have you (anybody) ever used VMWare ESX Server with Virtual Center?  It looks like ovirt is supposed to be the equivalent of Virtual Center.
[20:04] <Deeps> oh,, i see
[20:04] <Deeps> Brazen: you could just ask
[20:05] <Brazen> Deeps: ask what?
[20:05] <Deeps> 20:03:59 [freenode] Brazen [n=chatzill@wsip-70-167-48-6.ks.ks.cox.net] requested CTCP VERSION from Deeps:
[20:05] <lukehasnoname> Brazen: Ya, I've seen what you're talking about, a nice GUI to manage and watch VMs across physical hosts
[20:05] <Deeps> oh,chatzilla, nm
[20:09] <Brazen> It'd just really be nice to have an easy-to-use gui to manage vms and hosts remotely
[20:11] <Brazen> I could go on and on, there are a lot of nice features in Virtual Center that would be a boost to open source virtualization.
[20:13] <Brazen> There is another project called Enomalism, but ovirt has, imo, a much better looking interface, and it's an advantage to ovirt being backed by a known, reliable organization like Redhat.
[20:17] <lukehasnoname> ok, I was mistaken about oVirt, and now I am not so fond of it. I thought it was a web program, not something I'd have to dedicate a machine to.
[20:19] <Brazen> lukehasnoname: how would you rather have it?  I don't see why you couldn't install it on a machine that is ALSO a vm host, but I would prefer to put it on a dedicated machine.  I could just be used to how Virtual Center does it, though.
[20:21] <lukehasnoname> well, hmm. I guess I expected it to have fewer requirements than what it's asking for. In the "bundled" install, it requires the "admin node" (the one hosting the oVirt vm) to have two network cards, with a dedicated NIC for the oVirt network
[20:23] <Brazen> uh, I missed that part.
[20:23] <Brazen> two nics
[20:23] <Deeps> vlan
[20:23] <Deeps> virtual nic
[20:23] <Brazen> yeah, that's my thought
[20:25] <Brazen> VMWare wants you to have two nics, too, with one dedicated to VMotion
[20:26] <kirkland> mathiaz: testing section added to https://wiki.ubuntu.com/EncryptedPrivateDirectory
[20:26] <JaxxMaxx__> well, I guess that guarantees some bandwidth...
[20:26] <kirkland> mathiaz: after tomorrow's sync with Debian, let me do a couple of sniff-tests, then I think you can point people to that in your blog for testing
[20:26] <Brazen> I actually have two nics, in all my vm servers, but I bind them and use LAG on the switch for redundancy, then use vlans to split it into virtual nics
[20:27] <lukehasnoname> AhHhHhHh
[20:27] <lukehasnoname> *goes to PM*
[20:30] <JaxxMaxx__> if I wanted to let www-data (apache2) have read access to the syslog, what permissions would I have to change/add ?
[20:31] <\sh> JaxxMaxx__: read permissions for others
[20:32] <mindframe-> i would create a syslog group and add www-data to that group... set read only for that group
[20:32] <mathiaz> JaxxMaxx__: you can also put the www-data user in the adm group
[20:32] <mindframe-> 640 most likely
[20:33] <mathiaz> kirkland: great - reading through the testing instructions, why do you need to enter a mount passphrase ? Could it be set to an automatically generated passphrase ?
[20:34] <mathiaz> kirkland: since the user doesn't need to remember it and it is strongly suggested to use some long, difficult to guess passphrase
[20:35] <mathiaz> kirkland: would it make sense to generate the passphrase automatically (or at least provide a default)
[20:35] <mathiaz> kirkland: so that we're sure that the passphrase is some long, difficult to guess
[20:36] <kirkland> mathiaz: yes, true, but, remember the remote backup case
[20:36] <kirkland> mathiaz: where you're just rsyncing your encrypted data to offsite storage
[20:36] <kirkland> mathiaz: you want to restore that data, and mount it again elsewhere
[20:36] <kirkland> mathiaz: you need the mount passphrase
[20:37] <kirkland> mathiaz: let me put it another way....
[20:37] <kirkland> mathiaz: if you lose the mount passphrase, and you don't remember it, you cannot access your data
[20:37] <mindframe-> are you guys working a full disk encryption option into the installer?
[20:37] <kirkland> mathiaz: i should probably update that line in the wiki to be more clear
[20:38] <kirkland> mathiaz: it's misleading, perhaps, as is
[20:38] <kirkland> mindframe-: no, a per-user encrypted directory in ~/Private
[20:38] <mindframe-> oh
[20:38] <mindframe-> neat
[20:38] <kirkland> mindframe-: https://wiki.ubuntu.com/EncryptedPrivateDirectory
[20:38] <mathiaz> kirkland: hm... isn't that the same use case as your private ssh key protected by a passphrase ?
[20:39] <kirkland> mindframe-: full disk encryption is more or less provided by LVM+LUKS in the installer
[20:39] <mathiaz> kirkland: because you'd have to remember two things - and the hardest one to remember, you'd never use it
[20:39] <mindframe-> yeah i wasnt sure if the server installer had it as well
[20:39] <kirkland> mathiaz: well, there's a big difference in my mind...  with ssh, you need to create a new key and give it out to everyone, if you forget your passphrase
[20:40] <kirkland> mathiaz: in this situation, you may have valuable data/pictures/keys tied up in an encrypted directory never to be accessed again
[20:40] <kirkland> mathiaz: that amounts to data loss
[20:40] <mathiaz> kirkland: well - I'm not an expert in that area. So what about providing a default long, difficult to guess passphrase
[20:40] <mathiaz> kirkland: so that people can write it down before creating the directory ?
[20:41] <mathiaz> kirkland: My point is that asking the user to come up with a long hard to guess passphrase doesn't work well.
[20:41] <mindframe-> i think it should force a minimum complexity/length and have the user create it
[20:42] <kirkland> mathiaz: hmm, well, the prompt just says, "Enter your mount passphrase"
[20:42] <kirkland> mathiaz: it's my own commentary in that wiki page that suggests that it should be long/difficult
[20:42] <mindframe-> people will complain that it's too hard to remember their 20 digit alphanumeric passphrase
[20:42] <kirkland> mathiaz: i'm fixing that in the wiki now
[20:42] <InsomniaCity> passpoem
[20:42] <kees> mathiaz: I've fixed the ECHO problem in flex, so hopefully we shouldn't see those errors any more.
[20:42] <InsomniaCity> 20 stanzas long
[20:42] <mindframe-> heh
[20:43] <mathiaz> kees: \o\ /o/ \o/
[20:43] <kees> heh
[20:43] <mathiaz> kees: /o\
[20:44] <mathiaz> kees: (h5)
[20:44] <mathiaz> kirkland: hm.. what is the passphrase used for ?
[20:44] <mathiaz> kirkland: to unlock the private key used to encrypt the data ?
[20:45] <kirkland> mathiaz: refresh your view of that wiki page, i fixed the text there
[20:45] <kirkland> mathiaz: the mount passphrase *is* the key to the encrypted mountpoint
[20:45] <kirkland> mathiaz: that passphrase is encrypted/decrypted by PAM when you login to the system
[20:46] <kirkland> mathiaz: so if you change your system passphrase, PAM only needs to rewrap your mount passphrase
[20:46] <kirkland> mathiaz: and not comprehensively re-encrypt every file in the mountpoint
[20:46] <mathiaz> kirkland: so why not use the login password directly ?
[20:46] <mathiaz> kirkland: right
[20:46] <kirkland> mathiaz: same reason as above....
[20:47] <kirkland> mathiaz: re-encrypting a huge directory on password change would *suck*
[20:47] <kirkland> mathiaz: we could default the login and mount passphrases to be the same thing
[20:47] <mathiaz> kirkland: to me that looks similar to my ssh key, where I use ssh-keygen to generate the private key ( => mount passphrase) and then protect it with a passphrase ( => Login password)
[20:48] <mathiaz> kirkland: could a similar workflow be implemented ?
[20:51] <kirkland> mathiaz: perhaps we can do that, if we can inform users to backup their ~/.ecryptfs/wrapped-passphrase to offsite storage (and trust that they do so)
[20:52] <kirkland> mathiaz: in case a user inadvertently deletes ~/.ecryptfs/wrapped-passphrase, access to their data in Private/ is gone.  permanently
[20:52] <kirkland> mathiaz: if it was a randomly generated mount passphrase and they don't remember it, or have a backup
[20:53] <mathiaz> kirkland: well - I think you have the same issue with gnupg - you're not asked to generate your private key
[20:53] <kirkland> mathiaz: if we can trust our users (and paying customers) to follow instructions and make an offsite backup of ~/.ecryptfs/wrapped-passphrase, then perhaps that's okay
[20:53] <mathiaz> kirkland: if you lose your gpg key, you won't be able to recover your data
[20:54] <mathiaz> kirkland: so your point for asking the user to enter a passphrase is that they will see at least *once* the passphrase
[20:55] <mathiaz> kirkland: and hopefully remember it
[20:55] <kirkland> mathiaz: and will have at least somewhat consciously chosen it
[20:55] <mathiaz> kirkland: whereas if the passphrase is automatically generated and it is lost, everything is lost.
[20:55] <kirkland> mathiaz: true.
[20:56] <mathiaz> kirkland: *consciously* chosen -> weak passphrase
[20:56] <kirkland> mathiaz: wrt to ssh keys, that simply means you can't sign your ssh connections any more
[20:56] <kirkland> mathiaz: wrt to ecryptfs, that means you can't access your data
[20:56] <kirkland> mathiaz: which would be the same with gnupg
[20:57] <mathiaz> kirkland: exactly - and gnupg doesn't ask you to enter your private key
[20:57] <kirkland> mathiaz: except the amount of data people encrypt with gnupg pales in comparison to the amount of data they can trivially copy into ~/Private
[20:57] <kirkland> mathiaz: personally, i use gpg -c (passphrase) for anything I'm backing up
[20:57] <kirkland> mathiaz: in that I'll always remember my passphrase(s)
[20:57] <mathiaz> kirkland: right - but that isn't an easy way to encrypt stuff with gnupg
[20:57] <kirkland> mathiaz: really?   echo foo | gpg -c
[20:58] <mathiaz> kirkland: I'm referring to the target users of the Private directory.
[20:58] <mathiaz> kirkland: I know you (and I) can do it easily
[20:58] <kirkland> mathiaz: ;-)
[20:59] <mathiaz> kirkland: that's why I question the necessity to enter a mount passphrase wrt to the target audience
[20:59] <kirkland> mathiaz: i agree that your suggestion would certainly increase the security of the matter
[21:00] <kirkland> mathiaz: and would definitely make it easier on the target audience when executing normal usage vectors
[21:00] <mathiaz> kirkland: Ubuntu - linux for human beings
[21:00] <kirkland> mathiaz: we would definitely need a GIANT FLASHING WARNING that your .ecryptfs/ directory needs to be backed up offsite, or you will not be able to access your data in ~/Private if you ever lose it
[21:01] <kirkland> kees: jdstrand: can one or both of you weigh in?
[21:01] <mathiaz> kirkland: right - that would probably be part of the documentation
[21:04] <kees> kirkland: flashing warning?  Hrm, docs certainly, but I can't think of a non-annoying way to do it other than docs.
[21:04] <kirkland> kees: oh, i meant more fundamentally to the handling of this....
[21:05] <kees> kirkland: which part?  (scroll back is long...)
[21:05] <kirkland> kees: jdstrand: here's the nutshell....
[21:06] <kirkland> kees: jdstrand: the ecryptfs ~/Private directory must be mounted with a passphrase (or key).  i'm using a pam module to use the login password to "unwrap" that mount passphrase
[21:06] <kees> (that sounds like how luks works)
[21:06] <kirkland> kees: jdstrand: when setting up the mount, i ask the user for both a login and a mount passphrase
[21:06] <kirkland> kees: jdstrand: mathiaz has suggested randomly generating the mount passphrase
[21:07] <kirkland> kees: jdstrand: my concern with that is that if the user loses .ecryptfs/wrapped-passphrase, there is no way to recover their encrypted data
[21:07] <kirkland> (assuming the encryption is any good)
[21:08] <kees> I think prompting for a passphrase that will never be used isn't a good idea.
[21:08] <kirkland> kees: jdstrand: on the normal usage vector, this makes things easier...  user only needs to remember login passphrase, we can generate a long/hard mount passphrase
[21:08] <kees> if they corrupt their filesystem and lose that file, they're going to be toast anyway
[21:09] <kees> I would agree about the randomized mount passphrase -- this is what LUKS does AIUI, so best to stick with one "way" of handling things.
[21:09] <kirkland> kees: jdstrand: mathiaz: okey doke, good enough for me
[21:11] <lukehasnoname> Brazen: Enomalism looks freaking amazing
[21:12]  * lukehasnoname reads more about it
[21:14] <Brazen> yeah, its feature set looks good, but ovirt is backed by Redhat, so I expect it to get more recognition, the interface looks nicer, and it will likely get all the same features as Enomalism.
[21:14] <kees> I'm committing a giant merge of apparmor to current svn.  we can't upload it to intrepid yet because the AA kernel module is the wrong version (2.1 vs 2.3)
[21:14] <kees> mathiaz: ^^
[21:14] <mathiaz> kees: wfm
[21:14] <ScottK> kees: Are you aware we have an issue with apparmor and akonadi?
[21:15] <lukehasnoname> Brazen: Maybe I didn't see the right screens of oVirt, but Enomalism looks fine to me. Opinion, I know. Being backed by Redhat almost makes me more skeptical. I understand your point, but I wonder if it will have an intentionally low amount of .deb documentation.
[21:16] <mathiaz> ScottK: the bug has an answer to the problem
[21:16]  * lukehasnoname didn't see the right screens of ovirt.
[21:16] <ScottK> mathiaz: OK.
[21:16] <lukehasnoname> oVirt needs higher res screenshots, but it looks clean as well.
[21:16] <Brazen> lukehasnoname: I think that will depend on whether or not the Debian (Ubuntu) community embraces it.
[21:17] <lukehasnoname> Perhaps we can integrate oVirt and eBox (or similar) into a mega-super-enterprise level server management tool. *couch scottk cough*
[21:17] <lukehasnoname> *cough not couch, cough, cough*
[21:18] <Brazen> lukehasnoname: and a lot of high-quality stuff comes out of RedHat.  libvirt and virt-manager, which are embraced by Ubuntu, to name a few.
[21:18] <Brazen> lukehasnoname: I really don't like ebox though :-(
[21:18] <a13x> please help people, i am not able to set up ubuntu server
[21:18] <lukehasnoname> I haven't had experience with it, but I do know a lot of people are suggesting using eBox as the basis for Ubuntu's server gui
[21:19] <lukehasnoname> X based is out of the question, and webmin doesn't have as much popularity here, apparently
[21:19] <a13x> when i test the cd it tells me that some random file (may be different every time) is corrupted
[21:19] <lukehasnoname> what's up a13x
[21:19] <a13x> i tried to redownload
[21:19] <lukehasnoname> md5 check the ISO, reburn the CD at slower speed?
[21:20] <lukehasnoname> Or if the server is non-critical, continue with install.
[21:20] <a13x> i tried regular cd, cd-rw, dvd
[21:20] <lukehasnoname> >_>
[21:20] <a13x> tried 3 different cd roms
[21:20] <Brazen> lukehasnoname: yes, yes they are.  I still like Webmin better though.  Personally, I think a fork of Webmin, to fix the config file issues, would be better, but I'm no developer.
[21:20] <a13x> 3 different ide cables
[21:20] <a13x> md5 checksum checks out
[21:20] <ScottK> lukehasnoname: I've got more than I can handle on my plate already.
[21:20] <Brazen> a13x: what is the problem you are having?
[21:20] <lukehasnoname> a13x: download iso from different source
[21:21] <a13x> i tried using a cd that i KNOW works
[21:21] <lukehasnoname> Scottk: What are you working on, if I may ask.
[21:21] <Brazen> a13x: does it not boot the cd?
[21:21] <a13x> no, it boots
[21:21] <a13x> when i run a check
[21:21] <Brazen> a13x: oops, I see, farther up...
[21:21] <lukehasnoname> OO! Idea! An ubuntu social networking site to replace the personal profiles on wiki.ubuntu.com
[21:21] <a13x> it tells me that some random file is corrupt
[21:21] <a13x> and it's different every time
[21:22] <a13x> or almost every time
[21:22] <InsomniaCity> lukehasnoname: ooh! with rounded corners! and tagging! and screenshots!
[21:22] <a13x> i ran memtest86, no problem there
[21:22] <a13x> but it's like random file corruption
[21:22] <Brazen> a13x: I would try burning it at lower speeds.  I burn everything at 4x.
[21:22] <a13x> i verified cds after recording
[21:23] <ScottK> lukehasnoname: For Ubuntu, https://wiki.ubuntu.com/ServerFlavorSpec, getting clamav and spamassassin into main, motu-release and motu-sru teams, Kubuntu development, plus I maintain a bunch of packages.
[21:23] <a13x> i recorded my cd-rw at 4x (tried 2x and it wasn't supported by the drive)
[21:23] <lukehasnoname> InsomniaCity: Don't get sassy.
[21:23] <lukehasnoname> heh
[21:23] <a13x> i never had this type of problem before
[21:23] <Brazen> a13x: I think I remember having this exact same issue, and had to replace my burner.
[21:24] <lukehasnoname> Scottk: Who's working on the server admin project?
[21:24] <a13x> ok, heh, tried 2 different burners
[21:24] <ScottK> lukehasnoname: Dunno.  I've got way more than I can do on my plate as a volunteer.
[21:24]  * ScottK looks around for some funding ...
[21:24] <a13x> if it's the burner then why does a different file get corrupted
[21:24] <Brazen> ? oh.  you got me then.
[21:24] <a13x> it's almost random
[21:24] <lukehasnoname> I thought you worked for Canonical
[21:25] <Brazen> a13x: Try blowing on it?  *Sorry, bad NES joke.
[21:25] <a13x> i even tried that
[21:25] <a13x> ...
[21:26] <Brazen> haha, yeah I still try that sometimes, too :D
[21:26] <a13x> this problem is driving me crazy, what is my next step?
[21:26] <lukehasnoname> ScottK: Set up an NPO to fund open source development
[21:27] <lukehasnoname> something with a good name
[21:27] <lukehasnoname> like "Free Software Foundation"
[21:27] <Brazen> and grow a beard
[21:27] <a13x> is there a net install version of ubuntu server?
[21:27] <lukehasnoname> I bet.
[21:28] <lukehasnoname> a13x: I bet
[21:28] <lukehasnoname> Check for minimal installs in the cdimage site.
[21:28] <a13x> url?
[21:29] <lukehasnoname> a13x: Searching
[21:29] <Brazen> a13x: https://help.ubuntu.com/community/Installation
[21:30] <a13x> thanks a lot
[21:30] <kirkland> mathiaz: kees: mhalcrow is here from ecryptfs
[21:30] <kees> yay upstream!  :)
[21:30] <kirkland> mathiaz: kees: mhalcrow believes strongly in a chosen mountpassphrase
[21:31] <kirkland> kees: ;-)
[21:31] <mhalcrow> Adding dependencies on extra files as an absolute prerequisite to recovering eCryptfs encrypted data is asking for trouble.
[21:31] <lukehasnoname> gj brazen
[21:31]  * delcoyote hi
[21:31] <Brazen> a13x: lukehasnoname: no problem, don't know why the cd wouldn't work, but maybe with stuff in that link you can get around it.
[21:31] <kees> kirkland: you just wanted my opinion.  ;)
[21:32] <kirkland> kees: ;-)  yeah, no offense
[21:32] <kirkland> kees: i'm just trying to implement this in a way that keeps Ubuntu from going too far off the mark from upstream
[21:32] <kees> kirkland: if we prompt for a passphrase that only gets used in extreme situations, then that should be explained during the prompting "do not lose this passphrase" etc etc
[21:32] <mhalcrow> Exactly.
[21:33] <mhalcrow> Just make sure the user has this secret value stowed away in a secure recoverable location.
[21:33] <kees> kirkland: cool -- I'm happy to throw in a tie-breaking vote, but if there's a "right" way to do it, go for it.
[21:33] <Brazen> a13x: lukehasnoname: for a little shameless self-promotion, I looked up that link here: http://forums.anandtech.com/messageview.aspx?catid=34&threadid=2073143
[21:33] <kirkland> mathiaz: are you around?
[21:33]  * lukehasnoname likes enomalism because it's purely web based and seems well documented. Damn, if only he had internet at home!
[21:33] <mhalcrow> It can be auto-generated, but just make sure the user has it stored in a separate, secure, reliable location from the encrypted data too.
[21:34] <mhalcrow> A user-selected passphrase is much less likely to leave the user with unrecoverable backups, for instance.
[21:35] <kirkland> mhalcrow: so that's exactly what the suggestion was, to flash a message to the user telling them that they MUST have a remote backup of .ecryptfs/* to ensure that their ~/Private data is recoverable
[21:35] <mhalcrow> Yes. But only if the wrapped value is not user-selected. However, can we realistically expect users to remember that message and act on it dutifully?
[21:35] <jdstrand> kirkland: I think I mentioned this another day-- I like the idea of a strong random password for encryptfs
[21:36] <jdstrand> ecrypts
[21:36] <mhalcrow> The chain of secrets is only as strong as its weakest link.
[21:36] <mhalcrow> The login passphrase would be the weakest link in that regard.
[21:37] <mhalcrow> Having the user select his own mount passphrase introduces an opportunity for the user to select a passphrase that is weaker than the login passphrase.
[21:37] <mhalcrow> Is that worth the unrecoverable backups that are likely to result?
[21:38] <mhalcrow> (if the mount passphrase is auto-generated, that is)
[21:38] <kirkland> mhalcrow: well, we won't remove the opportunity for users to select their mount passphrase
[21:38] <kirkland> mhalcrow: this is really more of a question about what the default behavior should be
[21:38] <kirkland> mhalcrow: understanding that 95% of all Ubuntu users will take the default behavior
[21:38] <mhalcrow> Maybe there can be a "generate a passphrase for me" button.
[21:39] <mhalcrow> Next to the textfield.
[21:39] <kirkland> mhalcrow: well, i was thinking more like: "Enter your mount passphrase: [leave blank to generate a random one]"
[21:39] <Brazen> lukehasnoname: well, I'll for sure give a look when it goes gold release.
[21:40] <kirkland> mhalcrow: but i think that's functionally equivalent, right?
[21:40] <mathiaz> kirkland: yes my friend !
[21:40] <kirkland> mhalcrow: and a command line option for automating it
[21:40] <mhalcrow> kirkland: I would make the user either enter a passphrase or click a button to generate, and then show the generated passphrase to the user and tell him to write it down and store it in a secure location.
[21:41] <Brazen> lukehasnoname: I also have to admin, I'm a little partial to a project using RubyOnRails, also, because Ruby is the only programming language I know, so it's something I could actually contribute to.
[21:41] <mhalcrow> I would not just generate a secret value and use it under the user's nose.
[21:41] <kirkland> mathiaz: mhalcrow is here (upstream for ecryptfs) to defend his opinion that a conscious mount passphrase is better than a random one
[21:41]  * mathiaz reads the backlog
[21:41] <Brazen> lukehasnoname: oops, I meant "admit" not "admin"
[21:41] <mhalcrow> Well, what I am saying is that a passphrase that the user has stored safely away is better than an unknown secret value tucked away in a .*/ directory.
[21:42] <kirkland> mhalcrow: ecryptfs-setup-confidential prints ALL values to screen before running its guts
[21:42] <kirkland> mhalcrow: including both mount and login passphrases
[21:42] <mhalcrow> Whatever encourages the user to keep that secret value written down on paper and locked in a desk drawer is what I would suggest.
[21:43] <kirkland> mhalcrow: okay, i can enhance the echo'ing part of the script accordingly
[21:43] <kirkland> mhalcrow: you have one patch from me changing s/Confidential/Private/
[21:43] <kirkland> mhalcrow: i'll work on another one to modify the mount passphrase generation and instructions to the user accordingly
[21:44] <kirkland> mhalcrow: one more thing, speaking of weakest link in the chain....
[21:44] <kirkland> mhalcrow: what about making mount passphrase = login passphrase (by default) ?
[21:44] <mhalcrow> That's fine, but users may change their login passphrases at will.
[21:44] <mhalcrow> That is an easy way to introduce confusion.
[21:45] <mhalcrow> Since the wrapped passphrase will remain the original login passphrase from when the machine was first configured.
[21:46] <kirkland> mhalcrow: hmm, okay
[21:46] <kirkland> mathiaz: any questions for mhalcrow?
[21:46] <mhalcrow> Once users start encrypting their data and copying their data around to different media and machines, they must have a notion of "the secret to get to my data" and "the secret to login to my machine."
[21:47] <mathiaz> not really - I think we agree on most of the points
[21:47] <mathiaz> The reason to have a long and difficult to guess password is to make the encrypted data stronger.
[21:48] <mhalcrow> Really, passphrases are a necessary evil that do not work against a sufficiently equipped attacker.
[21:48] <lukehasnoname> Brazen: Ya, I've heard RoR is handy. I'm pretty rusty on most languages nowadays, I used to know PHP damn well.
[21:48] <mhalcrow> That's why eCryptfs has key modules (OpenSSL, TPM, etc.)
[21:49] <mathiaz> IMO asking the user to generate a passphrase is too much. generating one that can be kept around is a good option.
[21:49] <kirkland> mhalcrow: mathiaz: what if we offered to email the user their wrapped-passphrase?
[21:49] <kirkland> mhalcrow: mathiaz: it's already encrypted
[21:50] <mathiaz> kirkland: there isn't a MTA installed by default on a desktop
[21:50] <jdstrand> email?
[21:50] <kirkland> mathiaz: that is, if an MTA is found on the system, and the user has an email address, and wants an emailed copy
[21:50] <jdstrand> no no
[21:50] <kirkland> jdstrand: mathiaz: okay, we just have to *trust* that users are going to backup this wrapped-passphrase file
[21:50] <jdstrand> kirkland: I have only kept half an eye on this, but what is wrong with displaying the passphrase to the user at setup?
[21:51] <mathiaz> I think either printing the passphrase or which files should be backed up.
[21:51] <mhalcrow> That's what I recommend.
[21:51] <mhalcrow> The user should know what the mount passphrase is.
[21:51] <kirkland> mathiaz: mhalcrow: jdstrand: okay, we're in agreement then
[21:51] <jdstrand> kirkland: eg 'Your encrypted files are in foo, your encryption passphrase is bar, please keep track of these offline in case of problems'
[21:51] <kirkland> generate a random passphrase, show to the user and encourage that they record it, and backup wrapped-passphrase to offsite media
[21:52] <ScottK> Maybe even offer to write it to a memory stick for them?
[21:52] <mathiaz> kirkland: wfm - show the generated passphrase and list the file that should be kept safely.
[21:52] <kirkland> mathiaz: cool
[21:52] <kirkland> mhalcrow: thanks for joining
[21:52] <kirkland> mhalcrow: you're welcome to hang around, or join us again sometime ;-)
[21:53] <mhalcrow> No problem. Just expect users to forget and lose keys, and be prepared to tell them that they're screwed. ;-)
[21:53] <InsomniaCity> wait... you expect users to READ!?
[21:53] <kirkland> i'll just open a bug in Launchpad describing the problem and marking all of the bug reports duplicates thereof ;-)
[21:54] <mhalcrow> Losing your crypto key is necessarily a "no-fix" situation.
[21:54] <kirkland> mhalcrow: right, mathiaz asked how this was different from losing gpg keys or ssh keys
[21:55] <kirkland> mhalcrow: the main difference i saw was that your data is essentially gone in this situation
[21:55] <mhalcrow> It's not; it's just easier for users to run into the problem, since the encryption is so transparent and integrated.
[21:57] <mhalcrow> Plan 'B' is for Canonical to offer key escrow services.
[21:57] <kirkland> LoL  :-)
[21:57] <mhalcrow> But I don't think I want to open that can of worms. ;-)
[21:58] <mhalcrow> Just tell users to downgrade to a previous version of OpenSSL and use the OpenSSL key module. That should take care of it.
[21:59] <mhalcrow> I'm actually not entirely joking wrt key escrow. Some business users would probably go for that.
[21:59] <mhalcrow> As protection against their own bureaucracy, at a minimum.
[21:59] <kirkland> mhalcrow: you have a recommended length for random passphrase?
[21:59] <kirkland> mhalcrow: 1024 bytes of hex digits sound reasonable to you?
[22:00] <mhalcrow> The same number of bits as the symmetric key length.
[22:00] <mhalcrow> 128 is sufficient.
[22:00] <kirkland> mhalcrow: 128 characters of hex digits?
[22:00] <mhalcrow> Too long; there are 4 bits per hex digit
[22:00] <mhalcrow> 32 hex digits
[22:01] <kirkland> mhalcrow: head -c 128 /dev/urandom | md5sum | awk '{print $1}'
[22:01] <kirkland> mhalcrow: work for you?
[22:01] <mhalcrow> Sure.
[22:02] <mhalcrow> Although md5 output isn't as uniformly distributed as previously thought.
[22:02] <mhalcrow> Just grabbing raw /dev/urandom should be a little more random.
[22:03] <kirkland> mhalcrow: that's going to be far too messy to print out (and write down)
[22:03] <mathiaz> kirkland: uuidgen | sed 's/-//g'
[22:03] <kirkland> mhalcrow: ^ ?
[22:04] <mhalcrow> I don't know how uuidgen does its magic; I really only trust the kernel rng these days.
[22:04] <mathiaz> kirkland: or add the -r switch to make sure it's random
[22:04] <kirkland> mhalcrow: i was md5summing it to make it printable and readable (rememberable?)
[22:05] <mhalcrow> Right, but md5 is not collision-resistant.
[22:05] <mathiaz> -r requires a high quality random number generator, such as /dev/random
[22:05] <kirkland> mathiaz: okay
[22:05] <kirkland> mathiaz: that sounds reasonable
[22:05] <mhalcrow> Okay; then use uuidgen if it can produce good random values. But I won't officially endorse it until I've inspected its code.
[22:05] <a13x> i am back, ubuntu mini cd failed, random download errors, "Loading libntfs-3g23-udeb failed for unknown reason"
[22:05] <kirkland> mhalcrow: fair enough
[22:06] <mathiaz> mhalcrow: it's part of the e2fsprogs package
[22:06] <kirkland> mathiaz: can you point us to other high-security things that uuidgen is used for?
[22:06]  * ScottK concludes that a13x's hardware is cursed.
[22:06] <kirkland> mhalcrow: do you have something else you recommend I pipe /dev/urandom through to make it readable?
[22:06] <mhalcrow> od?
[22:06] <a13x> memtest86 didn't fail
[22:07] <mathiaz> kirkland: nope - I've just used uuidgen to get some random strings
[22:07] <kirkland> mathiaz: gotcha
[22:07] <mathiaz> kirkland: I have no clue whether it's good at it (from a cryptographic point of view)
[22:07] <kirkland> mathiaz: okay, we'll stick with /dev/urandom then
[22:08] <Brazen> re: key escrow:  What about a system where businesses can maintain their own key escrow, something like certificate signing?
[22:12] <a13x> i think something is wrong with the distribution, i am going to try debian
[22:13] <kirkland> mhalcrow: what do you think of: `head -c 15 /dev/urandom | od | sed "s/^0000000//" | sed "s/\s*//g" | head -n 1`
[22:13] <Brazen> a13x: try one of the "Installation without a CD" methods on that page.
[22:14] <JaxxMaxx__> Hmmm. Is there an easy way to figure out why my apache2 is not starting properly upon reboots? I have to use the script in /etc/init.d/apache2 to launch it manually after a reboot -now
[22:14] <mhalcrow> kirkland: Those are octet vals
[22:15] <mhalcrow> od -x
[22:15] <mhalcrow> octal
[22:15] <mhalcrow> Use the -x flag to get hex
[22:15] <kirkland> mhalcrow: okay
[22:16] <lukehasnoname> a13x
[22:16] <kirkland> mhalcrow: head -c 15 /dev/urandom | od -x | sed "s/^0000000//" | sed "s/\s*//g" | head -n 1
[22:16] <lukehasnoname> try FreeBSD
[22:16] <lukehasnoname> amuse me
[22:16] <kirkland> mhalcrow: that's 32 hex digits, 128 bits
[22:16] <a13x> i tried mini cd
[22:17] <mhalcrow> kirkland: That only takes 120 bytes from /dev/urandom, no?
[22:17] <mhalcrow> bits
[22:17] <a13x> Brazen: i tried mini cd and i got download errors, i think this is hopeless
[22:17] <kirkland> mhalcrow: -c 16, sorry, typo on my part
[22:17] <kirkland> mhalcrow: head -c 16 /dev/urandom | od -x | head -n 1 |sed "s/^0000000//" | sed "s/\s*//g"
[22:18] <mhalcrow> kirkland: That looks good to me.
[22:18] <kirkland> mhalcrow: cool
[22:18] <lukehasnoname> a13x: Try Debian or OpenBSD
[22:18] <a13x> burning debian now
[22:19] <vikram> Is there like a turn key switch to get SELinux enabled instead of apparmor?
[22:19] <vikram> or do we have to do it the hard way?
[22:19] <vikram> can i just boot with selinux=1?
[22:20] <vikram> (obviously i'll have compiled policies ready to go)
[22:20] <kirkland> vikram: you have to install the selinux kernel
[22:20] <vikram> the server kernel doesnt have selinux?
[22:20] <kirkland> vikram: the server kernel has apparmor
[22:21] <vikram> seems to have selinux
[22:21] <vikram> grep selinux /boot/System*
[21:21] <mathiaz> vikram: assuming you're using hardy - https://wiki.ubuntu.com/HardySELinux
[22:22] <mathiaz> vikram: both selinux and apparmor are available in the hardy kernels
[22:22] <kirkland> vikram: i stand corrected....  sorry
[22:23] <lukehasnoname> pvvn3d
[22:26] <kees> kirkland: all the LSMs are compiled in -- one just has to select the one they want at boot time.
[22:26] <kees> vikram: sudo apt-get install selinux should get you on your way.  :)
[22:27] <kirkland> kees: learn something new every day ;-)
[22:27] <kees> hehe
[22:28] <mhalcrow> kirkland: You may want a utility that dumps the wrapped passphrase to stdout, for maintenance purposes.
[22:29] <kirkland> mhalcrow: agreed
[22:29] <vikram> I only want the kernel selinux policies, i've got my own userspace stuff, tools, compilers, policies etc...
[22:29] <kirkland> mhalcrow: we'll need something like that if we set this up automatically in the installer, say
[22:29] <vikram> thanks
[22:36] <kirkland> mathiaz: mhalcrow: jdstrand: kees: how's this for syntax?  http://ubuntu.pastebin.com/m47eda7eb
[22:36] <a13x> debian: failed to copy file from CD-ROM. Retry?
[22:36] <a13x> i am going to shoot myself
[22:37] <kees> kirkland: hahah  sure, that works.  :)
[22:37] <kees> perhaps explain *why* they need to store it, etc.
[22:38] <kirkland> kees: yeah
[22:43] <kirkland> mathiaz: mhalcrow: jdstrand: kees: http://ubuntu.pastebin.com/m3d9366cc  better?
[22:44] <kees> sure, good for now.
[22:44] <lukehasnoname> your IDE bus is messed up?
[22:44] <lukehasnoname> a13x that is
[22:50] <lukehasnoname> ...
[22:51] <mathiaz> kirkland: wfm - now you just need to i18n it ;)
[22:51] <kirkland> mathiaz: later
[22:56] <lukehasnoname> I g2g, see you guys later. a13x, it is a hardware problem of some kind, I can't see it being anything else. Try a non-deb distro if you want to be sure, but that's just weird.
[22:59] <a13x> hair pulling does not come close to describing this problem
[23:37] <ScottK> ^^^ Happens to me too.
[23:37] <ScottK> Oops.