[00:31] <nhandler> The openvpn package looks like it supports multiple .pid files in the init.d script. What should I do for the status action?
[00:42] <ppires> hi :-)
[00:47] <ppires> anyone around supporting Glassfish adoption?
[01:07] <Kirill> Gah!! Why doesn't DELL offer Ubuntu to come pre-installed on their intro level workstations?!!!!
[01:15] <ppires> Kirill: as long as they don't try to force you to pay for windows it's ok
[01:16] <Kirill> ppires: they do though, I HAVE to go with Vista
[01:16] <ppires> no you don't
[01:16] <ppires> just recline to the EULA
[01:16] <Kirill> ppires: Don't I do that when I've already received the computer?
[01:17] <ppires> afaik no. only when u accept the license the first time u use it
[01:18] <n-iCe> hi
[01:18] <n-iCe> anyone knows how to use chroot?
[01:19] <ppires> n-iCe: just call chroot on your console
[01:19] <Kirill> ppires: that would only work if I recline to the EULA WHILE the order is being processed. Hmm. That's a good idea though
[01:19] <ppires> i don't know how dell does that, but it shouldn't be the way you're describing
[01:19] <n-iCe> I want to jail, some groups users, with ssh access ppires
[01:20] <Kirill> I just signed up for a corporate account with them, guess I'll hit it up with a rep when I get a buzz tomorrow
[01:20] <ppires> n-iCe: check this out http://ubuntuforums.org/showthread.php?t=248724
[01:21] <n-iCe> thanks
[01:23] <ppires> n-iCe: i would recommend you to read the whole thread. it's small :-)
[01:27] <n-iCe_> ppires: ok im checking, thanks!
[01:33] <n-iCe_> ppires: have you configured one before?
[01:36] <ppires> just tried it with a friend
[01:36] <ppires> no actual use
[03:21] <Kirill> has anybody had any good/bad experiences with SonicWall?
[03:40] <kirkland> nhandler: fyi...  bluetooth is going to be a little bit complicated
[03:46] <Kirill> Okay then, ubuntu server vs sonicwall for VPN and firewall. Any takers?
[03:57] <nhandler> kirkland What do you mean?
[04:38] <solexious> [Q] Why do I get "The following packages have been kept back:" when doing an apt-get upgrade?
[04:48] <ScottK-laptop> solexious: [A] Because apt thinks it needs to add or remove a package and it won't do that on upgrade.
[04:48] <ScottK-laptop> solexious: Try apt-get dist-upgrade.
 ty
[04:50] <ScottK-laptop> solexious: You're welcome.
[05:07] <dav123192> I am working on configuring the netfilter firewall via iptables. As far as I can tell, I enabled the correct ports for SAMBA, CUPS, SSH, and going out on HTTP(S) and FTP, as well as DNS in and out (not running a dns server though). Now for some reason I can only access my server via IP address instead of hostname (mainhub). Any suggestions why? Output of iptables-save is at http://paste.ubuntu.com/3
[05:07] <dav123192> 0194/
[05:08] <dav123192> http://paste.ubuntu.com/30194/ - Link got cut
[06:09] <jonesy> :-D
[06:10]  * jonesy is at oscon, where he found out about this chan
[06:26] <soren> jonesy: Yes, this is indeed where all the cool kids hang out :)
[06:26] <jonesy> :)
[06:27] <jonesy> I've honestly never even deployed an ubuntu server, but have been doing admin-ish work for 10+ years, almost all with various linux distributions.
[06:27] <jonesy> I've used Ubuntu on the desktop on and off since inception.
[06:28] <soren> Well, if you've worked with Debian, you should feel right at home on Ubuntu as well.
[06:28] <jonesy> yup. I've done some debian, but to be honest I didn't like it much. However, the difference with Ubuntu is that they seem to make it really easy to get started with contributing and eventually perhaps fixing/improving things.
[06:29] <soren> We like to think so :)
[06:30] <jonesy> I'm hoping I might start with the installer-related issues I've heard about at this conference. It seems there's some schizophrenia about kickstart/preseed/kickseed/etc.
[06:30] <jonesy> and iirc, ubuntu actually uses Anaconda, which is written in Python, which I have an interest in.
[06:31] <jonesy> ...I've also done tons of automated install setups, and have worked with most of the automated installers for Linux (and Jumpstart for solaris)
[06:31] <soren> "Anaconda"?
[06:32] <jonesy> yeah, when I was here (at oscon) in '06, Jeff Waugh said that Ubuntu actually uses the anaconda installer. No?
[06:32] <soren> No.
[06:32] <jonesy> whoops
[06:32] <soren> We use d-i (debian-installer).
[06:33] <jonesy> hmm. Is anaconda an available package, perhaps in the context of parsing kickstart or something?
[06:33] <soren> To do automated installs, you can "preseed" the installer.
[06:33] <soren> However..
[06:33] <soren> "kickseed" is a piece of software that essentially parses a kickstart file and uses it to preseed d-i.
[06:33] <soren> kickseed has been in the installer for a couple of years now.
[06:34] <jonesy> hm. :-/
[06:34] <nxvl> <- cool kid who hangs around!
[06:34] <soren> jonesy: No, we don't provide anaconda at all.
[06:34]  * soren high-fives nxvl
[06:34] <nxvl> soren: good $Whatever_time_is_in_your_time_zone
[06:34] <jonesy> wow, did I ever misunderstand.
[06:34]  * nxvl high-fives back soren
[06:35] <soren> jonesy: :)
[06:35] <soren> nxvl: We call it morning :)
[06:35] <nxvl> then good morning
[06:35] <nxvl> one never knows in what timezone is the person you are talking with
[06:35] <shelbyscates> hey guys how do i make a process run in the background?
[06:35] <nxvl> specially when they move so much around the world
[06:36] <jonesy> shelbyscates: ./process &
[06:36] <shelbyscates> so lets say the command is x11vnc... would it be ./x11vnc &?
[06:36] <shelbyscates> or does that work differently for programs? :p
[06:37] <jonesy> shelbyscates: that'll work, though I confess to never running that particular program.
[06:37]  * shelbyscates tries
[06:37] <jonesy> shelbyscates: check the man page to see if there's an option to 'detach' or 'daemonize' or something like that.
[06:37] <jonesy> seems like there should be for something like that.
[06:38]  * jonesy doesn't have any kind of linux box available atm. 
[06:38] <hads> Ouch
[06:38] <shelbyscates> ok :)
[06:39] <shelbyscates> i guess i could run the command to start vnc over ssh, then log in via vnc and open a terminal window, then enter the same command and close the ssh session :D
[06:39] <shelbyscates> :P
[06:39] <jonesy> shelbyscates: also man 'nohup'
[06:40] <jonesy> shelbyscates: or do "ssh -c"
[06:40] <shelbyscates> ssh -c?
[06:40] <jonesy> if you're just running vnc for the purpose of running a single command, it seems easier to just... run the command, no?
[06:40] <jonesy> maybe I'm misunderstanding
[06:40] <jonesy> what is the problem you're trying to solve?
[06:41] <shelbyscates> nah, its cool
[06:41] <shelbyscates> when i need a vnc server ill just run it from ssh :)
[06:41] <shelbyscates> not that i ever will need one ;)
[06:41] <jonesy> ssh -c will just run the command on the remote host and then log you out.
[06:41] <shelbyscates> thanks guys :D
[06:41] <jonesy> np!
[06:41] <shelbyscates> cya later :)
[06:42] <hads> You need a VNC server when you don't have SSH access :)
[06:42] <jonesy> hmm.
[06:43] <jonesy> I've honestly never seen a shop that allows vnc but not ssh.
[06:43] <jonesy> in fact, I don't currently have a client that allows vnc servers.
[06:44] <jonesy> I don't know if any of them disallow ssh, either. Certainly, shelbyscates' comment seemed to imply that he had both ssh and vnc access :)
[06:44] <jonesy> egads. Hope I was helpful.
[06:48] <hads> I meant when your box breaks and you can't access it via SSH ;)
[06:48] <nxvl> soren: you don't microblog, did you?
[06:49] <soren> nxvl: I wouldn't know how if I wanted to. What is it?
[06:50] <nxvl> twitter, identi.ca?
[06:50] <nxvl> haven't you heard about that
[06:50] <nxvl> is like...
[06:50] <nxvl> IRC for dummies
[06:50] <jonesy> you make your blog's font *really* small.
[06:51] <jonesy> so only folks under like 25 can read it.
[07:33] <soren> jonesy: Oh, I can do that :)
[07:38] <jonesy> :)
[07:38] <jonesy> off to bed for me - night!
[08:43] <nandersson> I'm going to setup a new mail server. Before I've used courier-imap, but it seems that today Dovecot is the "weapon of choice". Is Dovecot where the "action is"?
[08:44] <soren> I would have to say "yes".
[08:44]  * soren likes dovecot a lot
[09:12] <nandersson> soren, Thanks, time to get my hands dirty and get into dovecot + postfix then.
[09:13] <soren> :)
[09:13]  * nandersson likes Postfix
[09:48] <kraut> moin
[10:43] <spikyjt> Hi all - I've just been setting up mail filtering, following the docs in the server guide for 8.04. I've noticed a mistake which I found the solution for. I seem unable to edit the docs. Are these only editable by admins?
[11:01] <_ruben> spikyjt: serverguide (on help.ubuntu.com) is maintained by the server team, not the (global) community .. so thats expected behaviour
[11:01] <_ruben> i think filing a bug on launchpad is the best way to resolve this
[11:36] <spikyjt> _ruben: thanks - I'll do that
[12:17] <incorrect> i have a number of custom packages, i would like to setup falcon, but i am being totally stupid and can't find decent docs for it on google
[13:48] <Ins|de> hi there
[13:48] <Ins|de> i've installed ubuntu server 8.1 right now but i cannot get networking to work
[13:49] <Ins|de> it doesn't work with static ip neither dhcp
[13:49] <Ins|de> i followed configuration guide on the wiki, but it's still not obtaining ip address
[13:49] <Ins|de> can anybody help ?
[13:58] <bicz> i'm using static conf in my box
[13:58] <bicz> what do u need
[14:03] <Ins|de> i prefer static conf
[14:03] <bicz> me 2
[14:04] <Ins|de> but after running ifconfig with static ip i can only ping my ip
[14:04] <bicz> sure
[14:05] <ewook> you forgot the gateway.
[14:05] <bicz> u must use iptables conf to give internet or whateva @ other box's
[14:05] <Ins|de> what could it be
[14:05] <Ins|de> hm
[14:05] <Ins|de> do i need to configure iptables first?
[14:06] <Ins|de> but i cannot obtain ip by dhcp
[14:06] <Ins|de> and i got more 2pc's with dhcp attributed ip's working fine
[14:06] <bicz> Ins|de: nope u need configure u'r interfaces
[14:08] <Ins|de> bicz, just configure /etc/network/interfaces file right?
[14:08] <Ins|de> can you take a look at it?
[14:08] <bicz> and give some iptables regules
[14:08] <bicz> why not
[14:08] <Ins|de> hmmm
[14:09] <bicz> http://pastebin.ubuntu.com
[14:09] <Ins|de> but.. i'm on my win machine :S
[14:10] <Ins|de> i'm going to lunch, i'll be back :) thanks
[14:10] <bicz> Ins|de: u got to have something like that http://pastebin.ubuntu.com/30278/
[14:13] <Ins|de> bicz, my interfaces was like that, i cannot understand what's going on, maybe routing ? i dont understand much about routing
[14:13] <bicz> Ins|de: there is my iptables config http://pastebin.ubuntu.com/30280/
[14:14] <bicz> but this thing are for gw with 3 eth.. and a modem on eth0 :)
[14:15] <Ins|de> yeah, i see, i have only one ethernet card connected to a router
[14:15] <bicz> mhz
[14:15] <Ins|de> with ip 192.168.10.1, is there any rule i should set ?
[14:16] <bicz> so my conf isn't good for u :)
[14:17] <bicz> nope
[14:17] <bicz> set dns
[14:17] <Ins|de> my dns /etc/resolv.conf is equal to dns address set on win boxes
[14:18] <bicz> and it didn't work?
[14:20] <Ins|de> it doesnt work
[14:20] <Ins|de> host localhost should return any value
[14:20] <Ins|de> right ??
[14:20] <bicz> gud question..
[14:20] <Ins|de> either if disconnected
[14:21] <Ins|de> but it tells me that connectio had failed
[14:21] <bicz> Ins|de: try to paste u'r ifconfig output
[14:23] <Ins|de> i have RX bytes but i TX is zero
[14:23] <Ins|de> packets
[14:53] <pschulz01> Evening.
[14:54] <hads> Morning
[14:54] <lukehasnoname> Morning
[14:57] <pschulz01> Just found (and installed) phpldapadmin :-)
[15:18] <rbrunhuber> i run chrooted postfix + cyrus with saslauthd so i need a link from /var/spool/postfix/var/run/saslauthd to /var/run/saslauthd
[15:19] <rbrunhuber> would it be possible to add an option to one of the saslauthd config files that triggers the init script to check whether that link exists?
[16:38] <soren> jdstrand: How does the ufw versioning work? I say you jumped from 0.16.2 to 0.18.2.
[16:39] <jdstrand> 0.16.2.x is in hardy. 0.16.3 and higher has been in intrepid
[16:40] <jdstrand> soren: basically, minor bug fixes get a micro version, whereas added functionality gets a minor version
[16:40] <soren> Oh. I see now.
[16:40] <jdstrand> soren: so 0.17 and 0.18 added exciting new stuff
[16:40] <jdstrand> but 0.18.2 not so much
[16:40] <soren> I just somehow thought you went directly from 0.16.2 to 0.18.2, and that confused me a bit :)
[16:41] <jdstrand> soren: apparently, you haven't been upgrading your intrepid boxes with the frequency needed to see all the new ufw versions :)
[16:41] <soren> jdstrand: Or not been paying enough attention. Darn it. What have I been missing out on?
[16:43] <soren> less useless logging, connrate limits..
[16:43] <soren> ...and a bunch of not-so-user-visible-stuff.
[16:43] <jdstrand> soren: 0.17 claim to fame was internationalization support, while 0.18 added the 'limit' command, split the code out for downstreams and better status
[16:43] <soren> Alright. Cool.
[16:44] <soren> ufw has really grown on me.
[16:44] <jdstrand> (0.18 also made ArchLinux happy with setup.py improvements)
[16:44] <jdstrand> soren: you're really gonna like 0.19
[16:45] <jdstrand> soren: it brings port ranges (aka multiport) and dotted netmask support
[16:45] <soren> There are a few things, though.. I can e.g. never remember the proper syntax to allow a certain host access to everything... or something. I forget what it is. I always end up trying three different things, fail, look at the man page for a bit, and then have an epiphany :)
[16:45]  * soren <3 dotted netmasks
[16:46] <jdstrand> soren: so you can do your goofy non-CIDR stuff
[16:47] <jdstrand> soren: 0.19 also does rule normalization, so everything is presented to the user consistently
[16:48] <jdstrand> eg 111.12.34.2/4 now properly evaluates to 96.0.0.0/4
[16:48] <soren> Oh! that's convenient!
[16:48] <jdstrand> convenient, and fixes bug #237446 :)
[16:48] <soren> Heh :)
[16:49] <jdstrand> soren: regarding the syntax-- there is 'simple' and 'extended'. simple is only for ports 'ufw allow http'
[16:50] <jdstrand> soren: 'extended' is where you can get more fine-grained. if you think of it as needed complete clauses, it's easier to remember
[16:50] <jdstrand> soren: eg 'to <ip>' or 'to <ip> port <ports>'
[16:51] <jdstrand> soren: you always need to specify the source or destination (from/to), but port is optional
[16:52] <jdstrand> soren: you also need only specify one of source or destination
[16:52] <jdstrand> both is obviously a choice too :)
[16:53] <jdstrand> soren: it more or less follows PF syntax, which is used in the BSDs and generally more friendly than iptables, pcap, pix, etc
[16:53] <jdstrand> soren: but sure-- it takes a little getting used to
[16:57] <jdstrand> soren: I recently upgraded a server from sarge to hardy (reinstall), and it had a quite complicated fwbuilder+modifications firewall setup. I was able to get a complete ufw firewall enabled for that machine in minutes (of course, I am somewhat familiar with ufw...)
[16:57] <jdstrand> soren: I was quite pleased with myself actually :)
[16:57]  * jdstrand feels awesomeness swelling inside him, desperately trying to push modesty aside
[17:05] <soren> jdstrand: Heh :)
[17:06] <soren> jdstrand: So to let 1.2.3.4 connect to me on port 9000, I'd.. what?
[17:06] <soren> ufw allow from 1.2.3.4 to port 9000 ?
[17:06] <jdstrand> close
[17:06] <soren> Yes. That's the one I can never get right :)
[17:06] <jdstrand> ufw allow from 1.2.3.4 to any port 9000
[17:06] <soren> any! Right, right.
[17:07] <jdstrand> tbh, I forget the 'any' sometimes myself
[17:07] <jdstrand> 'to <ip>|any' is required
[17:07] <jdstrand> well, to or from
[17:07] <jdstrand> meh-- you know what I'm saying
[17:08] <soren> :)
[17:08] <soren> Does ufw somehow allow me to shove -t nat rules somewhere manually? ISTR it rejected some stuff I put in before.rules because it had a table specified.
[17:09] <soren> ...so I had to have a separate setup for my -t nat rules.
[17:11] <jdstrand> soren: you can shove it into before.rules-- you just need to make sure that *nat and *filter get COMMITted separately
[17:11] <soren> Ah.
[17:11] <jdstrand> eg:
[17:11] <jdstrand> *nat
[17:11] <jdstrand> :POSTROUTING ACCEPT [0:0]
[17:11] <jdstrand> ...
[17:11] <jdstrand> COMMIT
[17:11] <jdstrand> *filter
[17:11] <jdstrand> ...
[17:11] <jdstrand> COMMIT
[17:13] <soren> Ah.. Gotcha. That'll come in handy.
[17:13] <jdstrand> from https://help.ubuntu.com/8.04/serverguide/C/firewall.html:
[17:13] <jdstrand> Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:
[17:13] <soren> I completely missed the fact that these are iptables-save format things.
[17:13] <jdstrand> # don't delete the 'COMMIT' line or these rules won't be processed
[17:13] <jdstrand> COMMIT
[17:13] <jdstrand> (thanks sommer!)
[17:14]  * jdstrand nods
[17:15] <jdstrand> soren: a bug report came in on that recently, I wonder if the 'ufw Masquerading' section could be clearer...
[17:15] <jdstrand> I promptly Invalidated it of course
[17:15] <soren> Good man!
[17:15] <soren> :)
[17:40] <rbrunhuber> can anyone please give me a hand with openldap? It seems totally broken in ubuntu!
[17:44] <soren> rbrunhuber: Ask your question/explain your problem.
[17:44] <soren> It's impossible to know up front if we can help you when we don't know what your problem is.
[17:45] <soren> Well... That's not entirely true. If we know nothing at all about LDAP or Ubuntu or computers even, we could just say "no" without further ado...
[17:45] <soren> It just so happens that we do know quite a bit about computers, Ubuntu and even LDAP, so you might be in luck!
[17:45]  * soren is rambling
[17:45] <rbrunhuber> ok: slapd and libldap are version 2.4.9 but ldap-utils is still at 2.4.7 so dependencies are broken.
[17:46] <rbrunhuber> second: except from luma no client is able to connect to openldap server if tls is enabled.
[17:46] <soren> ldap-utils is 2.4.9-0ubuntu0.8.04 in hardy-updates.
[17:47] <soren> You seem to not be entirely up-to-date.
[17:48] <soren> rbrunhuber: I'm not sure about your second issue. ISTR there being something about CA's that need to be set properly for everything to be happy. What specifically fails to work?
[17:48]  * soren curses tmpfs for not supporting O_DIRECT, by the way.
[17:51] <rbrunhuber> soren: let's put it this way: my ca cert is the standard ca cert from cacert.org shipping with ubuntu.
[17:52] <rbrunhuber> soren: my keys are issued by cacert.org and are valid. the cn matches my servername.
[17:53] <rbrunhuber> soren: what do you mean with ISTR?
[17:53] <soren> Yes..... What specifically fails to work?
[17:53] <soren> "I Seem To Remember"
[17:55] <rbrunhuber> ldapsearch -H ldap://myhostname:389/ -x -ZZ fails with ldap_start_tls: Connect error (-11)
[17:56] <rbrunhuber> soren: if I add -d 5 there is an error TLS: peer cert untrusted or revoked (0x42)
[17:56] <rbrunhuber> which is just plain wrong the certificate is(!) valid and trusted
[18:00] <soren> Perhaps it looks in a different place for the CA certs?
[18:00] <soren> You could try stracing it and see.
[18:01] <sommer> rbrunhuber: you might also check the permissions on the cert and key... the openldap user needs read access
[18:03] <soren> Well.. The user executing the application that is failing will need read access.
[18:04] <sommer> err, yep that makes more sense :)
[18:08]  * soren kicks parted
[18:13] <ppires> anyone around supporting Glassfish adoption?
[18:17] <rbrunhuber> sommer: i triple checked this already. but slapd fails miserably if there is no read access.
[18:18] <kees> what does your current mdadm mountfail hook script look like?
[18:18] <kees> kirkland: ^^
[18:19] <kirkland> good question...
[18:19] <kirkland> kees: let me recover from my backed up image
[18:21] <sommer> rbrunhuber: are there any other errors if you start slapd with -d -1 ?
[18:22] <rbrunhuber> sommer: no
[18:23] <sommer> rbrunhuber: can you pastebin the relevant lines?
[18:24] <kirkland> kees: mdadm looks like: http://pastebin.ubuntu.com/30327/
[18:24] <rbrunhuber> of what? slapd -d -1?
[18:24] <sommer> rbrunhuber: yes
[18:26] <kees> kirkland: perhaps alone with the 'exit 0' part, it needs to remove itself?
[18:26] <kees> s/alone/along/
[18:26] <rbrunhuber> sommer:  one moment please
[18:26] <kirkland> kees: yeah, isn't that bit in your documentation ?  :-)
[18:27] <kees> kirkland: yeah, I'll need to set up a test environment to really nail it down.  let me know if it continues to elude you.
[18:28] <kirkland> kees: just give me a bit
[18:33] <kirkland> kees: ah, there it is....
[18:33] <kirkland> while [ "$giveup" -lt 1 ]; do ....
[18:33] <kirkland> kees: the only option is giving up :-)
[18:33] <rbrunhuber> sommer: it is just so overwhelming much output, so what is "relevant"?
[18:35] <sommer> rbrunhuber: there should be lines with specific errors, probably related to tls
[18:39] <sommer> rbrunhuber: also what tls options have you configured in slapd.conf?
[18:42] <rbrunhuber> sommer: TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile
[18:44] <sommer> rbrunhuber: just as a test what happens if you comment the TLSCACertificateFile option and start slapd?
[18:44] <kirkland> kees: http://pastebin.ubuntu.com/30334/
[18:44] <kirkland> kees: that one has the indentation
[18:44] <kirkland> kees: and, i think the fix is in the else ... break construct
[18:47] <RoAkSoAx> kirkland, we can keep adding apps to https://wiki.ubuntu.com/InitScriptStatusActions right? (like lighttpd)
[18:47] <kirkland> RoAkSoAx: please!
[18:47] <kirkland> RoAkSoAx: you might note if it's in main/universe
[18:47] <kirkland> RoAkSoAx: obviously, we'll prioritize main ones higher
[18:48] <kirkland> RoAkSoAx: but yeah, go nuts :-)
[18:48] <kees> kirkland: hah.  oops, well, my newer loop should fix that, I think.
[18:48] <RoAkSoAx> kirkland, haha ok cool :)
[18:48] <kees> kirkland: rockin'
[18:48] <kirkland> kees: oh?  you have an update?
[18:48] <rbrunhuber> sommer: I do not know what happened now but even gq is working with tls now!
[18:48] <rbrunhuber> sommer: And I demand validating the server certificate
[18:50] <sommer> rbrunhuber: so it's working now?
[18:51] <rbrunhuber> sommer: yes it's working now.
[18:51] <sommer> rbrunhuber: party!
[18:52] <sommer> rbrunhuber: but that means there may be a bug with the TLSCACertificateFile... doh
[18:52] <sommer> at least with that option
[18:52] <rbrunhuber> sommer: no i did not remove the option.
[18:53] <sommer> rbrunhuber: really?  and its magically working now?
[18:53] <rbrunhuber> sommer: not so magically. bad things happened... . Someone named the cacert.org ca certificate root.pem
[18:54] <rbrunhuber> on my server i have symlink to it but it was broken.
[18:54] <sommer> oooooooohhhhh... that makes sense, heh
[18:54] <rbrunhuber> i still consider this a bug. why can anyone name a certificate root.pem?
[18:55] <sommer> rbrunhuber: their last name is root?
[18:55] <sommer> rbrunhuber: I'm here all week :)
[18:55] <sommer> what should it be named if not root.pem?
[18:55] <rbrunhuber> sommer: cacert.org.pem?
[18:55] <rbrunhuber> it is sitting in /etc/ssl/certs/
[18:56] <sommer> that would be more descriptive, heh
[18:57] <rbrunhuber> sommer: i have a suggestion for saslauthd are you the "right" one for this?
[18:57] <sommer> rbrunhuber: I show that file as a symlink:  /etc/ssl/certs/root.pem -> /usr/share/ca-certificates/cacert.org/root.crt
[18:58] <rbrunhuber> sommer: I know now.
[18:58] <sommer> rbrunhuber: probably not, but some else in the channel may know more about saslauthd
[18:59] <rbrunhuber> How about adding an option to saslauthd where it configures itself for "chroot" setups?
[18:59] <sommer> rbrunhuber: heh, as related to postfix?
[18:59] <rbrunhuber> sommer: yes
[19:00] <sommer> rbrunhuber: ya, that's been discussed, or it's been discussed that it can cause issues, but I'm not sure what the end result was/is
[19:00] <sommer> rbrunhuber: it's probably worth filing a wish list bug about, at least to track the progress if nothing else
[19:01] <rbrunhuber> sommer: that is a good idea. And it makes explaining things easier than writing lines and lines in irc
[19:02] <sommer> yeppers, and folks that aren't online at the moment will have a chance to comment
[19:02] <rbrunhuber> sommer: who is not online at the moment is not even worth to comment ;-).
[19:03] <sommer> heh, it's after 5:00 on a friday in some parts of the world... that makes it party time :)
[19:04] <kirkland> kees: whoop!
[19:04] <kirkland> kees: the latest initramfs-tools (with the else ... break works like a charm!)
[19:04] <lukehasnoname> I want to believe the truth is out there
[19:04] <kees> kirkland: \o/
[19:06] <kirkland> kees: here's what initramfs-tools patch looks like: http://pastebin.ubuntu.com/30347/
[19:06] <kirkland> kees: i edited the changelog entry too...  see what you think
[19:07] <kees> kirkland: that still shows the old giveup syntax...
[19:07] <kirkland> kees: hmm, i must have missed an update from you....
[19:08] <kees> kirkland: I thought you said "break works like a charm"?
[19:08] <kirkland> kees: it does
[19:08] <kirkland> kees:
[19:08] <kirkland> +			# The root device showed up, whoop!
[19:08] <kirkland> +			break
[19:09] <kees> kirkland: http://people.ubuntu.com/~kees/intrepid/initramfs-tools_0.92bubuntu7.debdiff
[19:10] <kees> that's what I had
[19:10] <kees> your break is probably an important element regardless.  :)
[19:10]  * kirkland goes play with filterdiff :/
[19:10] <kees> but the usplash timeout reset needs to happen
[19:11] <kees> oh, wait, it's already in there
[19:11] <kees> stupid indenting.  :)
[19:11] <kees> kirkland: can you paste the whole current "local" file?
[19:11] <kees> I think you're fine
[19:11] <kirkland> kees: yeah, you bet
[19:12] <kirkland> kees: http://pastebin.ubuntu.com/30349/
[19:14] <kees> kirkland: hrm.  if the rootdev shows up during the wait, this won't work.
[19:15] <kees> hrmpf
[19:15] <kirkland> kees: why's that?
[19:16] <kees> kirkland: imagine entering the while, then the if, and during the sleep 0.1 loop, the device shows up.  when we exit the sleep while, exit the if, run the failure handlers, etc
[19:17] <kirkland> kees: so we need another break
[19:17] <kees> yeah, I'm trying to figure out the best way to handle the 3 places the rootfs is tested
[19:20] <kirkland> kees: how about this....
[19:21] <kirkland> kees: while [ "$giveup" -lt 1 ] && [ "$rootfound" -lt 1 ]  ....
[19:22] <kirkland> kees: and instead of my break, i'll set rootfound=1
[19:22] <kirkland> kees: and if we break out of the innermost while, we "continue" to skip out of the bottom bits
[19:23] <kirkland> kees: and let the if [ $ROOT ] ... handle it
[19:24] <kees> kirkland: http://people.ubuntu.com/~kees/intrepid/local
[19:24] <kirkland> kees: :-)  root_missing vs. rootfound
[19:24] <kirkland> who's the optimist here ....  :-P
[19:25] <kees> kirkland: well, I wanted to very carefully not change the logic, and remove the duplication of code.  the same test was already happening in 3 places, and I couldn't add a 4th without making a function.  :)
[19:26] <kirkland> kees: this certainly looks cleaner
[19:26] <kees> hrm, and that really should be while root_missing
[19:26] <kirkland> kees: yes
[19:26] <kees> one sec, reworking again...
[19:26] <kirkland> kees: you don't have any breaks :-)
[19:27] <kees> I have one, but it's not useful if root is found.  :)
[19:28] <kirkland> kees: right
[19:28] <kees> http://people.ubuntu.com/~kees/intrepid/local
[19:28] <kees> how's that look?
[19:29] <kirkland> kees: one minute, let me read comprehensively
[19:30] <kees> updated it again -- combined the root_missing and tryhooks if test
[19:31] <kirkland> kees: i like the root_missing() function
[19:31] <kirkland> kees: more readable, for sure
[19:31] <kees> yeah.
[19:33] <kirkland> kees: might be nice to write a function for if [ -x /sbin/usplash_write ]
[19:34] <kirkland> kees: that's used a few times
[19:34] <kirkland> kees: attempt_usplash_write()
[19:34] <kirkland> kees: do the -x test, always return true
[19:35] <kirkland> well, it's only 2 calls
[19:36] <kirkland> kees: okay, looks good to me
[19:36] <kirkland> kees: i'm going to add the attempt_usplash_write() function and test
[19:37] <kees> kirkland: I'd prefer avoiding additional deltas that are semi-unrelated.
[19:37] <kirkland> kees: okay, no prob
[19:39] <kirkland> kees: I'll go test this one
[19:41] <kirkland> kees: http://pastebin.ubuntu.com/30354/
[19:43] <kirkland> kees: poo....
[19:43] <kirkland> kees: Kernel panic - not syncing
[19:44] <kirkland> kees: this was on my first test, regression testing, booting with a perfectly sync'd 2 disks
[19:45] <kees> hmpf
[19:46] <kirkland> kees: let me diff my last working local from yours ....
[19:48] <kirkland> kees: http://pastebin.ubuntu.com/30356/
[19:48] <kirkland> kees: that's the diff from my last good, working copy, and your latest
[19:49] <kees> kirkland: I guess just take it piecemeal.  maybe the root_missing stuff isn't as sane as we thought?
[19:50] <kirkland> kees: well, i can wrap my head around stuff like the infinite loop i saw earlier... but a kernel panic?
[19:51] <kees> kirkland: dunno?
[19:52] <kirkland> kees: oh....
[19:52] <kirkland> kees: your root_missing isn't precisely the same thing ....
[19:53] <kirkland> kees: the first place you use it, you're replacing:
[19:53] <kirkland> [ ! -e "${ROOT}" ] || ! $(get_fstype "${ROOT}" >/dev/null) || ! /sbin/udevadm settle
[19:53] <kirkland> kees: the second time, the same thing...
[19:53] <kirkland> kees: the third time, however....
[19:53] <kirkland> you've replaced
[19:53] <kirkland> [ ! -e "${ROOT}" ] || ! /lib/udev/vol_id "${ROOT}" >/dev/null 2>&1 || ! /sbin/udevadm settle
[19:54] <kirkland> get_fstype vs. vol_id
[19:58] <Tarrence> Is there a Ubuntu Server web based management GUI available? Or a Mac OS X application?
[19:59] <kees> kirkland: eeek!
[20:00] <kirkland> kees: okay, i'm taking your patch piecemeal
[20:00] <kirkland> kees: i'll add just the root_missing() function
[20:00] <kees> kirkland: wait a second...
[20:00] <kees> get_fstype just calls vol_id
[20:00] <kirkland> get_fstype calls vol_id
[20:00] <kirkland> kees: and a bit more
[20:01] <kirkland> kees: i'm going to just drop in your root_missing() function, and its 3 calls
[20:01] <kees> kirkland: yeah, go for it, I have to shift attention
[20:01] <kirkland> kees: sure
[20:03] <kirkland> kees: perhaps root_missing needs a "local ROOT" ?
[20:04] <kirkland> kees: nevermind, sorry
[20:04] <kirkland> opposite of what we want
[20:14] <Tarrence> Is there a Ubuntu Server web based management GUI available? Or a Mac OS X application?
[20:47] <kirkland> Tarrence: perhaps ebox, or webmin
[20:54] <kirkland> kees: figured out the kernel panic
[20:55] <kirkland> kees: return [ ! -e "${ROOT}" ] || ! $(get_fstype "${ROOT}" >/dev/null) || ! /sbin/udevadm settle
[20:55] <kirkland> is busted
[20:55] <kirkland> kees: s/return//
[20:57] <kirkland> (happy Drupal'ing)  :-)
[21:00] <kees> kirkland: ah-ha, yeah, good catch.
[21:00] <kirkland> kees: okay, i'm running through my full gamut of tests
[21:00] <kirkland> kees: but I think we're nearing the finish line
[21:01] <kees> \o/
[21:01] <kirkland> kees: who should I talk to about the mdadm conf/config/conffile bit ?
[21:01] <kirkland> kees: the postinst bit works well for initial purposes
[21:01] <kirkland> kees: but doesn't pose the debconf question
[21:02] <kees> kirkland: start with jdstrand (since he knows debconf), then maybe move to soren/mathiaz for preseed/server-install questions, and then evand, and finally cjwatson.
[21:02] <kees> kirkland: yeah, it's good for testing.
[21:04] <kirkland> jdstrand: how much longer are you around today?  debconf questions...
[21:06] <kees> kirkland: if you want to get this stuff uploaded, I'd actually remove the postinst bit you've got, just to avoid a conffile ever getting onto disk before you've got a settled solution.
[21:06] <kirkland> kees: good call
[21:07] <kirkland> kees: assuming these tests pass, are you willing to upload, or do you want me to pass all of this by luke/colin first?
[21:08] <kees> kirkland: who is the "approver" on the spec?
[21:08]  * kirkland checks...
[21:08] <kirkland> kees: Rick Clark
[21:08] <kirkland> https://blueprints.edge.launchpad.net/ubuntu/+spec/boot-degraded-raid
[21:09] <kees> hrm, okay.  I think if luke is happy, we can push it.
[21:12] <RoAkSoAx> kirkland, what's the difference in having lsb-base (>= 3.2-14) under Build-Depends instead of Depends ?
[21:12] <kirkland> RoAkSoAx: it should be under Depends
[21:13] <kirkland> RoAkSoAx: build-time dependency, versus run-time
[21:13] <kirkland> RoAkSoAx: it's needed to *run*, not so much to *build*
[21:13] <RoAkSoAx> kirkland, because xinetd has lsb-base under Build-Depends
[21:13] <kirkland> RoAkSoAx: that sounds like a mistake
[21:14] <RoAkSoAx> kirkland, ok so gonna change it then :)
[21:14] <kirkland> RoAkSoAx: to be safe....
[21:14] <kirkland> RoAkSoAx: add it to the Depends
[21:14] <kirkland> RoAkSoAx: for some reason (I can't imagine...) but it might be needed to build too
[21:15] <kirkland> kees: no-go ...  :-/
[21:15] <RoAkSoAx> kirkland, so I leave Build-Depends as it originally was: lsb-base and under Depends i add: lsb-base (>=3.2-14)
[21:16] <kirkland> RoAkSoAx: I think that's fine
[21:16] <Smaug> is there a simple way to restrict a user to their home directory?
[21:16] <kirkland> RoAkSoAx: in practice, lsb-base is pretty much *always* there
[21:16] <kirkland> RoAkSoAx: as practically every init script uses it
[21:18] <RoAkSoAx> kirkland, and what about those apps that don't have lsb-base as a depends? because i've tried with nginx and after adding everything, it showed a message that said something like: status_of_proc was not recognized or something like that
[21:18] <kirkland> RoAkSoAx: those absolutely need lsb-base >= 3.2-14!!!
[21:18] <kirkland> RoAkSoAx: that's what has the magic status_of_proc() function ;-)
[21:19] <RoAkSoAx> kirkland, haha ok, i'll work on nginx and show it to you
[21:25] <Smaug> ..fine then, new question.  i have a website in home/name/public_html/website/    if I change the permissions on directory "name" from 755 to 750, would that have any effect on the websites inside it?
[21:28] <Smaug> yo dudes
[21:28] <RoAkSoAx> kirkland, xinetd is in main right?
[21:29] <kirkland> RoAkSoAx: apt-cache show xinetd | grep Filename
[21:35] <RoAkSoAx> kirkland, how does it look?: http://pastebin.ubuntu.com/30380/
[21:37] <kirkland> RoAkSoAx: looks good to me ;-)
[21:40] <kirkland> kees: okay, found another problem with your code
[21:40] <kirkland>                 if root_missing && ! try_failure_hooks; then
[21:40] <kirkland>                         break
[21:40] <kirkland>                 fi
[21:41] <kirkland> to get it to actually boot a degraded raid, i have to change that to
[21:41] <kirkland>                 if ! try_failure_hooks; then
[21:41] <kirkland>                         break
[21:41] <kirkland>                 fi
[21:41] <kirkland> kees: i think you added the root_missing check in case the device showed back up....
[21:41] <kirkland> kees: but it has an inadvertent mal-effect
[21:43] <kees> kirkland: but without that it will run fail hooks even if the root appears during the timeout
[21:44] <kirkland> kees: i think we're going to have to make root_missing smarter then....
[21:44] <kirkland> kees: i'm having a hard time articulating the problem ....
[21:45] <kirkland> kees: but this causes the failure hooks not to run at all
[21:45] <kees> what problem is being caused by doing the root_missing check?
[21:45] <kees> kirkland: in the case of finding the rootfs, that's correct.
[21:46] <kirkland> kees: so i tell it to bootdegraded
[21:46] <kirkland> kees: and it drops me to a busybox shell
[21:47] <kirkland> kees: where md0 has sda1 marked as a spare, and not activated
[21:48]  * kirkland continues to be aggravated by the fact that you can't copy-and-paste from a KVM :-/
[21:49] <kees> kirkland: dunno but I'm very sure we don't want to run the failhooks when the rootfs already exists.  :)
[21:50] <kirkland> kees: let me grab a screen shot
[21:56] <RoAkSoAx> kirkland, why do you think nginx shows me this: http://pastebin.ubuntu.com/30395/ ?
[21:58] <kirkland> kees: http://people.ubuntu.com/~kirkland/Screenshot.png
[21:58] <kirkland> kees: looks like it finds a filesystem that it likes, but it's not quite good enough
[21:59] <kirkland> RoAkSoAx: is that init script sourcing . /lib/lsb/init-functions ?
[21:59] <RoAkSoAx> let me check xD
[22:00] <kees> kirkland: I'd just start adding lots and lots of text debug output to everything, and turn off splash while booting.
[22:00] <kirkland> kees: as if I would have splash running :-P
[22:00] <kees> heh
[22:01] <kirkland> kees: basically, root_missing is succeeding in a situation where it *should not*
[22:01] <kirkland> kees: rather, it's finding what it thinks is a suitable root device, but isn't really
[22:01] <kees> kirkland: if you replace the root_missing call with the prior lists of tests, does it behave correctly?
[22:02] <kirkland> kees: no
[22:02] <kirkland> kees: but not performing that check gets the failure hooks to actually run at the bottom of the loop
[22:02] <kirkland> kees: which starts the raid
[22:03] <RoAkSoAx> kirkland, it wasn't, i added it (just above the case "$1"...), but, where should it exactly go, or that does not make any difference.
[22:03] <kees> kirkland: I'd need a few hours to build up a test environment.  Can you document the test-cases you're using?  I think we're very close, but just some small shell glitch is biting it (which is why I suggested extensive debug output to verify each assumption)
[22:04] <kirkland> kees: yeah, don't worry about setting us a test env, though I will document it
[22:04]  * kees nods
[22:04] <kirkland> kees: i'm going to dig deeper into [ ! -e "${ROOT}" ] || ! $(get_fstype "${ROOT}" >/dev/null) || ! /sbin/udevadm settle
[22:04] <kirkland> kees: one of those is TRUE in a situation where it should not be
[22:05] <kirkland> kees: i mean, in a situation where we want to run the failure hooks anyway
[22:05] <kirkland> RoAkSoAx: it does make a difference
[22:05] <kirkland> RoAkSoAx: grep for it in your /etc/init.d
[22:05] <kirkland> RoAkSoAx: *most* scripts should use it...  look where those call it
[22:10] <RoAkSoAx> kirkland, done.. oh this is fun :) xD
[22:17] <kirkland> RoAkSoAx: glad you're enjoying ;-)
[22:20] <RoAkSoAx> kirkland, yeah!! at least i have something to do during the day... since i don't have anything else to do :P
[22:30] <kirkland> kees: okay, so here's the problem....  /dev/md0 shows up, but it's not ready to roll
[22:30] <kees> kirkland: sounds like the vol_id stuff isn't being run.
[22:30] <kirkland> kees: which makes the -e /dev/md0 succeed, and the root_missing
[22:31] <kirkland> kees: i agree with that
[22:31] <kirkland> kees:
[22:31] <kirkland>         eval $(fstype "${FS}" 2> /dev/null)
[22:31] <kirkland>         if [ "$FSTYPE" = "unknown" ] && [ -x /lib/udev/vol_id ]; then
[22:31] <kirkland>                 FSTYPE=$(/lib/udev/vol_id -t "${FS}" 2> /dev/null)
[22:31] <kirkland>         fi
[22:31] <kirkland> if I run "fstype /dev/md0"
[22:32] <kirkland> while it's in a "not-ready" state, FSTYPE is null, and not "unknown"
[22:33] <kees> that feels like a separate bug you just happened to hit...
[22:33] <kirkland> kees: yup, i see it clearly
[22:33] <kees> (i.e. a change in the behavior of fstype)
[22:33] <kirkland>         if [ -z "${FSTYPE}" ]; then
[22:33] <kirkland>                 FSTYPE="unknown"
[22:33] <kirkland>         fi
[22:33] <kirkland> that's lower
[22:33] <kirkland> i think FSTYPE="unknown" should be initialized as such at the top of that function
[22:33] <kirkland> lemme try that....
[22:34] <kees> kirkland: where does "fstype" the function/tool get defined/installed?
[22:34] <kirkland> have i told you that test iterations of this sucks?  :-)
[22:34] <kees> yeah.
[22:34] <kees> :(
[22:34] <kirkland> kees: its in /bin/fstype in the initramfs
[22:35] <kees> hunh.
[22:35] <kees> I wonder what that is....
[22:35] <kees> what does it output in the failed state?
[22:35]  * kirkland curses the lack of cut-n-paste
[22:36] <kirkland> fstype /dev/md0
[22:36] <kees> ah, it's in klibc
[22:36] <kirkland>  /dev/md0: error 0
[22:36] <kirkland> kees: and it does not set those env variables (FSTYPE, FS)
[22:36] <kees> evil!
[22:37] <kirkland> kees: fstype /dev/sda
[22:37] <kirkland> FSTYPE=unknown
[22:37] <kirkland> FSSIZE=0
[22:37] <kirkland> kees: fstype /dev/sda1
[22:37] <kirkland> FSTYPE=ext3
[22:37] <kirkland> FSSIZE=2089091072
[22:37] <kirkland> (which is actually a Linux RAID member)
[22:37] <kirkland> seems bad that it doesn't detect that
[22:38] <kees> that's okay, that's vol_id's job.
[22:38] <kirkland> kees: okay, here's what I changed....
[22:38] <kirkland> kees: http://pastebin.ubuntu.com/30402/
[22:40] <kirkland> kees: haha
[22:40] <kees> kirkland: I would move the -z check between the eval and the if in the case that fstype ever tries to spit out 'FSTYPE='
[22:41] <kees> rather than setting a default
[22:42] <kirkland> kees: oh, in case fstype nulls out FSTYPE?
[22:42] <kees> right
[22:43] <kees> oh!  yeah, I know why this suddenly became a problem -- it's the race between mdadm doing the degraded start and the next while check.  riiight.
[22:43] <kees> anyway, good to get fixed regardless.
[22:43] <ScottK> kees: Thanks for the openssl upload.  Better you than me. ;-)
[22:44] <kirkland> kees: FSCKing A!!!!!!!!!!!!!!!!!!!!1
[22:45] <kees> ScottK: heh, yeah.  I figured I'd take the heat.  I break all sorts of other security things, so why not?  ;)
[22:45] <kees> kirkland: I hope that's the sound of success?? :)
[22:45] <kirkland> kees: yes, it is
[22:45] <kees> \m/
[22:46] <kirkland> kees: I just may have to finish this over a beer!  :-)
[22:46] <kees> or maybe I should say  [U_]
[22:46] <kees> kirkland: heheh rockin'
[22:46] <kirkland> kees: you may say [U_]
[22:46] <kees> :)
[22:52] <kirkland> kees: here's what the debdiff is looking like now ... http://pastebin.ubuntu.com/30406/
[22:54] <kees> kirkland: cool! minor suggestions: move the comment on the first root_missing while loop back above the while to avoid the diff, and check white-space on the FSTYPE functions, I think they were tabs before, not spaces.
[22:54] <kirkland> kees: k
[22:57] <kirkland> kees: http://pastebin.ubuntu.com/30409/
[22:58] <kees> kirkland: oh! crap, the -z test is needed above and below.  :(
[22:58] <kees> (in the case that vol_id breaks it)
[22:59] <kees> everything else rocks
[22:59] <kirkland> kees: ah, right
[23:02] <kirkland> kees: http://pastebin.ubuntu.com/30410/
[23:03] <kees> kirkland: ship it!  :)
[23:04] <kirkland> kees: let me comprehensively test it :-)
[23:04] <kirkland> kees: but i'm cracking open a beer :-)
[23:04] <kees> :)
[23:05] <kirkland> kees: my wiki notifications say that you've been busy auditing :-)
[23:08] <kees> kirkland: sure have been.
[23:09] <kirkland> kees: okay, [UU] booted fine (regression testing) CHECK
[23:10] <kirkland> kees: dropped disk sdb, after timeout, dropped to busybox (default behavior)
[23:10] <kirkland> CHECK
[23:12] <kirkland> kees: dropped disk sdb, gave kernel bootdegraded=true, after timeout, booted degraded raid
[23:12] <kirkland> kees: dude, we are MONEY!!!
[23:12]  * kees hugs kirkland
[23:12] <kees> beer o'clock!  :)
[23:12] <kirkland> kees: i'll attach an updated patch to the bug
[23:13] <kirkland> you're 13 minutes behind me :-)
[23:13] <kees> kirkland: heh, well, it's 1.75 hrs to beer o'clock for real here, but it's celebration o'clock.  :)
[23:14] <kirkland> kees: true, you're technically 2 hours behind me :-)
[23:14] <kirkland> kees: do my changelogs in that last pastebin look good?
[23:15] <kees> kirkland: I would break the scripts/local into several "   - blah..." sections for each logically separate thing (fstype fix, root_missing rework, fail handler rework)
[23:15] <kirkland> kees: k, let me do that...
[23:16] <kees> once you've got that, mdadm, and lvm2 ready to fly, I'll install locally for a little extra regression testing too.
[23:17] <kirkland> kees: okay, i'll push to my ppa
[23:19] <kirkland> kees: bollocks.... is initramfs a bzr-managed package?
[23:22] <kees> kirkland: hm, no, seems to be debian-git managed.
[23:22] <kees> (we just patch on top of it)
[23:23] <kirkland> kees: hmpf, sorry, i on a weird page in Launchpad
[23:25] <kirkland> kees: changelog: http://pastebin.ubuntu.com/30416/
[23:26] <kees> s/to replaced//
[23:27] <kirkland> kees: got it.
[23:33] <kirkland> kees: initramfs-tools_0.92bubuntu7~ppa10 uploaded to my PPA, if you want to test
[23:33] <kirkland> kees: along with mdadm - 2.6.7-3ubuntu2~ppa9
[23:33] <kirkland> kees: (you'll need them both)
[23:33] <kees> rockin'
[23:38] <kirkland> kees: i'm yanking the config file bits out of my mdadm patch
[23:38] <kirkland> kees: saving them off somewhere ;-)
[23:39] <kirkland> kees: I'm going to post my test instructions in the wiki Spec page
[23:45] <kirkland> kees: okay, updated patches attached to https://bugs.edge.launchpad.net/ubuntu/+source/mdadm/+bug/120375
[23:46]  * kirkland goes write test instructions