[00:19] <tsrk_> how can I allow root login via SSH keys but not SSH password?
[00:22] <jmarsden> tsrk_: Since root has no password in Ubuntu, just set up the keys and you are all set :)
[00:23] <tsrk_> jmarsden, lets say (completely hypothetically of course) i had a root password. then, how would i do it? :)
[00:24] <jmarsden> First you get rid of the root pw and then proceed as above.  Failing that, you set PasswordAuthentication no in sshd_config, but that would apply to all users, not just to root.
[00:25] <tsrk_> hmm, could do that, although there's some times i really want to use pws for other users
[00:25] <jmarsden> There is no good reason for a root pw on a Ubuntu machine that I know of, BTW.  So... get rid of it :)
[00:26] <jmarsden> sudo usermod -p '!' root
[00:26] <tsrk_> i'd much rather type "su" than remember some random options for sudo?
[00:27] <jmarsden> And that is higher priority that a sane ssh config to do what you need... well, it is your choice.  sudo su works fine if you really can't remember sudo -s
[00:27] <tsrk_> what's the difference between sudo -s and -i?
[00:28] <jmarsden> -i simulates initial login, -s uses the $SHELL and does not simulate initial login.  man sudo
[00:28] <tsrk_> alright
[00:28] <tsrk_> and what about being secure at the startup console?
[00:28] <tsrk_> i guess i can block that option... but did they fix that?
[00:28] <jmarsden> Please explain how the default is insecure?
[00:29] <tsrk_> i think it used to be that with no root password, when the system was booting you could go into recovery mode and select root shell
[00:31] <jmarsden> I'll try it in a virtual machine... but if you give someone physical access to the server, security is pretty much nonexistent anyway... they can steal the machine, remove a hard drive, boot from a CDROM, etc etc...
[00:32] <tsrk_> there can be a difference between hardware security and software security
[00:32] <tsrk_> first of all they might have console access without being physically in the same location as the machine
[00:32] <tsrk_> (the case 99% of the time where i work)
[00:33] <tsrk_> also, i'll know if someone tampers with hardware, but not necessarily software
[00:33] <giovani> tsrk_: with serial console access, and a grub/lilo password, they shouldn't be able to boot single user
[00:33] <giovani> there should also be a bios password, etc
[00:34] <tsrk_> giovani, that's a good point
[00:34] <tsrk_> giovani, well, some of my machines need to be able to boot w/o a password
[00:34] <giovani> boot?
[00:34] <tsrk_> (there's a bios password for setup, but not boot)
[00:34] <giovani> you don't need a password to boot
[00:34] <giovani> I'm talking about modifying the bios, and modifying startup flags
[00:34] <giovani> this is standard stuff at every company I've ever worked at
[00:34] <giovani> bios and lilo/grub password for modification
[00:35] <tsrk_> will that cover everything?
[00:35] <giovani> clearly physical access to the box means you can pop the jumper and reset the bios
[00:35] <tsrk_> yeah
[00:35] <giovani> that will cover everything remote unless you have an out-of-band management system like IPMI/DRAC/iLO/etc
[00:35] <tsrk_> alright
[00:36] <giovani> so if all you have remote-access wise is serial console
[00:36] <tsrk_> i gotta reboot to check something, but i'll probably be back in  here in a few minutes
[00:36] <giovani> then a boot manager and bios password are all you need
[00:36] <tsrk_> ok
[00:36] <tsrk_> thanks for the help
[00:36] <giovani> np
[00:41] <giovani> so, I haven't installed a new 9.04 server install until today
[00:42] <giovani> when did lilo become the default boot manager?
[00:42] <pmatulis> lilo?
[00:42] <giovani> or did that only happen because I put /boot on LVM and grub is presumed to be less happy with that?
[00:42] <giovani> pmatulis: yep
[00:43] <pmatulis> will need to try that
[00:43] <nick125> I thought grub supported /boot on LVM....
[00:43] <giovani> nick125: it does, afaik
[00:43] <giovani> but not incredibly well
[00:43] <giovani> as in, as of the latest stable, it only supports a single vg
[00:43] <nick125> Ah. Well, there's a reason not to put /boot on LVM :)
[00:44] <giovani> not if lilo supports it perfectly
[00:44] <giovani> or if you use something newer than grub stable
[00:44] <giovani> there's nothing that should prevent a boot manager from using LVM
[00:48] <giovani> anyway, yeah, with some googling it appears ubuntu doesn't believe grub is capable of nicely handling LVM /boot :)
[00:48] <giovani> so it forces you to use lilo
[00:48] <giovani> good to know
[01:01] <pmatulis> tsrk_: did you figure out your no-password-for-root question?
[01:02] <tsrk_> pmatulis, yeah, thanks
[01:02] <pmatulis> tsrk_: what did you do?
[01:03] <tsrk_> just disabled root pw and set up some other security stuff instead
[01:03] <tsrk_> at the bootloader
[01:04] <giovani> disabled root pw?
[01:04] <tsrk_> yeah
[01:04] <jmarsden> sudo usermod -p '!' root
[01:04] <giovani> what do you mean?
[01:04] <tsrk_> set the encrypted pw to !
[01:04] <tsrk_> yeah
[01:04] <tsrk_> what jmarsden said
[01:04] <pmatulis> tsrk_: ah ok, thought you said hypothetically if root had a p/w
[01:04] <giovani> nothing should've been there to begin with
[01:05] <tsrk_> pmatulis, yeah, i hypothetically set the root pw to !
[01:05] <tsrk_> all of this is hypothetical
[01:05] <pmatulis> tsrk_: k, b/c i thought i had an answer for you
[01:05] <giovani> heh, now I'm confused
[01:05] <tsrk_> pmatulis, well lets say hypothetically that it wasn't all hypothetical, what was your answer going to be?
[01:06] <tsrk_> giovani, DW about it :P
[01:06] <jmarsden> giovani: trsk_'s 'hypothetical' server used to have a root pw, because he created one... but now he has removed it :)
[01:06] <pmatulis> tsrk_: adding these 2 lines at the end of /etc/ssh/sshd_config:
[01:06] <pmatulis> Match User root
[01:06] <pmatulis>    PasswordAuthentication no
[01:06] <giovani> jmarsden: is it hypothetical in the sense that his imaginary friend has a problem he can't talk about?
[01:06] <tonyyarusso> Hi, I need to consolidate my contacts information into a central location, so I was thinking of making an address book in an ldap server since most e-mail clients can load that.  Could someone teach me how to do that?
[01:07] <tsrk_> pmatulis, ah, that looks perfect! i might hypothetically have to use that :)
[01:07] <giovani> tonyyarusso: LDAP isn't really appropriate for a single person's contact storage
[01:07] <tonyyarusso> giovani: I'm open to other ideas if you have them.
[01:08] <tonyyarusso> Basically I want something I can load on my Linode and access from all of my computers.
[01:08] <tonyyarusso> Although somewhere down the line I know I'll end up using LDAP (I'm planning to do sysadmin stuff as a career), so it seemed like a reasonable idea to start learning about it now if it would work.
[01:08] <giovani> tonyyarusso: well, #ubuntu-server isn't really the place to learn how to share contacts
[01:09] <giovani> nor is it the place to design an LDAP schema
[01:09] <tonyyarusso> giovani: Well, they would be stored on a server running Ubuntu, so I'm not sure why not.
[01:09] <jmarsden> tonyyarusso: At the low end of the complexity scale, a simple static web page (password protected so only you can see it) could work.
[01:09] <tonyyarusso> jmarsden: I want something that can actually load in the address book features of for example Evolution, so it works in my e-mail client, not something I'd have to go copy and paste from.
[01:10] <giovani> tonyyarusso: because this is about ubuntu-specific issues ... sharing contacts isn't an issue with ubuntu
[01:10] <tonyyarusso> giovani: Again, if you have a better suggestion please let me know what it is.
[01:10] <giovani> there are dozens of contact-sharing solutions
[01:10] <giovani> use google
[01:10] <giovani> I have, and found tons
[01:11] <tonyyarusso> I haven't found any that suited the above description yet - they're all either manual syncing stuff or client-specific (ie Thunderbird extensions, etc.)
[01:12] <giovani> tonyyarusso: then you haven't googled enough
[01:12] <giovani> syncml, groupdav, imap extensions
[01:13] <tonyyarusso> syncml is a manual syncing, not a central repository.
[01:13] <tonyyarusso> Looking at groupdav now.
[01:16] <giovani> there's absolutely nothing about syncml that makes it "manual"
[01:16] <giovani> it's a markup standard
[01:16] <tonyyarusso> "Currently not. The current draft requires that the client keeps an offline cache of the server data. Indeed GroupDAV basically specifies how such a cache is to be kept in sync with a server.
[01:16] <MenZa> !jfgi | giovani
[01:16] <tonyyarusso> Online access is something which should be well covered by the CalDAV protocol and is currently considered out of scope for GroupDAV.
[01:17] <giovani> MenZa: I don't see how that's relevant
[01:17] <giovani> tonyyarusso: this is seriously out-of-scope for #ubuntu-server
[01:17] <MenZa> Generally, saying people "Haven't Googled enough" isn't exactly helpful. Remember the !CoC :)
[01:17] <MenZa> Let's all be nice and happy and help each other.
[01:18] <giovani> MenZa: it's an out-of-scope question, I've made numerous efforts to point him in the direction he should be going for help -- I think it's a perfectly valid response given the situation
[01:18] <tonyyarusso> giovani: Then show me a better channel...  Last I checked LDAP runs on Ubuntu, and you haven't come up with a better way than that, so I'm still hoping somewhere here can teach me some of the basics of ldap on Ubuntu.
[01:18] <tonyyarusso> You pointed me to Google.  That's not help.
[01:19] <giovani> it helped me find the answer to your question
[01:19] <giovani> just because data is stored on an ubuntu server doesn't make it related to ubuntu
[01:19] <MenZa> giovani: If you found the answer, post that instead. :)
[01:19] <giovani> MenZa: I have
[01:19] <tonyyarusso> If you found a real answer, then link it please.  Your other suggestions don't match my criteria, and I stated why.
[01:19] <giovani> MenZa: feel free to read the conversation you're critiqing
[01:19] <MenZa> giovani: All I'm saying is that asking people to Google is borderline to being 'nice'
[01:19] <giovani> tonyyarusso: they have, you've misunderstood their function
[01:20] <MenZa> And by that, I end the discussion.
[01:20]  * MenZa huggles giovani and runs away.
[01:20] <giovani> MenZa: I disagree, particularly when it's an off-topic question
[01:20] <tonyyarusso> I'll re-state the desired behavior:
[01:20] <tonyyarusso> I open Evolution on my laptop.  I go to compose a message, start typing in a contact name, and it auto-completes.
[01:21] <tonyyarusso> Later, I edit another contact, close that machine, and walk away.
[01:21] <giovani> it's out of scope for this channel, have fun
[01:21]  * giovani &
[01:21] <tonyyarusso> I get on my desktop, pull up Thunderbird, type in the second contact's name, and there it is, with the changes made earlier.
[01:22] <matt_keys> I'm running virt-manager locally to connect to kvm host remotely via ssh. When I point it to the iso, either locally or remotely, it has a problem finding it. Does anybody know what I'm doing wrong or a way around this?
[01:24] <jmarsden> tonyyarusso: Have you rejected existing tools such as conduit?  Conduit is GNOME-specific, so not at all relevant in this channel...
[01:25] <jmarsden> matt_keys: You might find better help in #ubuntu-virt for virtualization-specific questions.
[01:25] <tonyyarusso> jmarsden: Yes.  Conduit again is just a syncing tool that has to be run separately - I want to be directly modifying a central record so I don't have to deal with unnecessary middleman steps.
[01:26] <tonyyarusso> In short, Conduit would be functional, but inefficient and awkward.
[01:28] <jmarsden> OK.  It seems to be the direction Ubuntu is moving in for exactly this kind of functionality. However... you are free to build your own tool if you insist... but #ubuntu-server is probably not a good place to expect a lesson on how to do that.  You can see the Server Guide at https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html for the basics of setting up OpenLDAP on Ubuntu.
[01:28] <matt_keys> jmarsden: Thanks I'll give it a shot.
[02:01] <baffle> tonyyarusso: I think your questions is (somewhat) on topic to be honest; Especially considering the new blueprints for centralized AA in Ubuntu (OpenLDAP/Kerberos).
[02:02] <tonyyarusso> baffle: Thanks.  Any chance you know more about the answer?  ;)
[02:02] <baffle> tonyyarusso: Well, a standard OpenLDAP installation will give you this.
[02:02] <tonyyarusso> There is some really promising talk towards centralization, but of course talk is hard to use.
[02:03] <baffle> tonyyarusso: Yes, I haven't really noticed much work happening to that blueprint; It seems to be targeted for Karmic, but at the way things are moving it seems to be Karmic+1 or +2..
[02:03] <tonyyarusso> baffle: I've been attempting to learn about that, but finding that lots of LDAP guides are rather overwhelming, and was hoping there might be a shortcut of sorts since I have a small, specific goal.
[02:03] <baffle> tonyyarusso: Ofcourse, the *infrastructure* is all there right now.
[02:03] <baffle> tonyyarusso: I've run OpenLDAP/Kerberos auth for many years now.
[02:03]  * tonyyarusso bought a 4-inch think book on the subject - 'tis a slow read
[02:04] <baffle> tonyyarusso: Yes, I've bought the O'Reilly OpenLDAP and a few others as well. To be honest, I learned much more from just looking at the software, reading up on ASN.1 etc.
[02:04] <tonyyarusso> I would hope those sorts of blueprints are in place for the next LTS, which seems to be shaping up to be Karmic+1 based on Debian's move, so here's hoping.
[02:04] <tonyyarusso> ASN.1?
[02:05] <tonyyarusso> baffle: One thing that seems odd is that lots of things talk a lot about designing schemas.  Aren't there some standard ones that most applications use?
[02:05] <baffle> tonyyarusso: Well, yes and no.
[02:06] <baffle> tonyyarusso: There are just guidelines.
[02:06] <baffle> tonyyarusso: You really have to design your own tree.
[02:06] <tonyyarusso> yikes
[02:06] <baffle> tonyyarusso: Everyone seems to do things differently. :)
[02:08] <baffle> tonyyarusso: Sorry, have to be away, in the middle of an incident.
[02:10]  * tonyyarusso goes to read more then
[02:19] <giovani> this is what I said about an hour ago
[02:19] <giovani> designing an ldap schema is all on you
[02:20] <giovani> this is why it's not used as a personal contact store -- and is used for reasonably sized companies that will gain immensely from the effort
[02:31] <baffle> giovani: Well, it works perfectly as a personal contact store.
[02:32] <baffle> giovani: And, to be honest, I think it is a good idea to tackle such an easy project before implementing a huge company wide directory.
[02:52] <giovani> baffle: it's serious overkill, so, "works perfectly" is relative -- and no question you should understand LDAP before rolling it out company wide
[03:07] <twb> I don't think there are too many people who truly understand LDAP :-)
[03:33] <Vigh> I'm running a webserver on jaunty, and whenever Apache is running (~20% CPU load, not using full bandwidth), SSH performs very slowly (i.e. I am SSHing in and commands take a relatively long time to respond) -- any suggestions?
[03:37] <twb> Vigh: set up QoS on your routers.
[03:38] <twb> Vigh: the large http packets are "muscling out" your low-latency ssh packets.
[03:38] <Vigh> twb: not an option, it's running on Amazon's cloud
[03:38] <twb> ask amazon or google about qos on that platform, then
[03:38] <twb> I'm sure it's a widespread issue that someone else has already solved
[03:39] <Vigh> twb: ok, will do -- thanks!
[05:05] <tsrk_> twb, how is amazon's cloud? how's pricing?
[05:08] <twb> tsrk_: I've no idea.
[05:12] <tsrk_> oh :(
[05:21] <tsrk_> what do I need to do to change my server's hostname? I know I should edit /etc/hostname and /etc/hosts, anything else?
[05:22] <twb> tsrk_: edit /etc/hostname and run hostname.
[05:23] <tsrk_> will hostname set /etc/hostname?
[05:23] <twb> No, hostname sets the run-time value.  hostname(8) is called with /etc/hostname's contents at boot.
[05:23] <tsrk_> oh, i see
[05:23] <twb> tsrk_: note that some apps will be completely and utterly fucked by changing the hostname, e.g. an LDAP server
[05:23] <tsrk_> will that update /etc/hosts for me automatically?
[05:24] <tsrk_> oh really?
[05:24] <twb> No, you'll need to change /etc/hosts as well, if you include a hostname in there.
[05:24] <tsrk_> the main things i'm running are openssh, proftpd, and samba
[05:24] <tsrk_> just the default ubuntu thing
[05:24] <twb> OpenSSH is unlikely to care.  I can't speak for ProFTPd or Samba.
[05:24] <tsrk_> ok
[05:24] <twb> Incidentally, I strongly encourage you to replace proftpd with sftp (for write access) and vsftpd (for anonymous read access).
[05:25] <tsrk_> is main.tsrk.us or main a better hostname?
[05:25] <tsrk_> i use openssh's sftp, but proftpd for backup
[05:25] <twb> tsrk_: /etc/hostname contains only the host name, not the FQDN
[05:25] <tsrk_> ok
[05:25] <tsrk_> so a hostname should just be "main'?
[05:26] <twb> That depends on the context.
[05:26] <twb> In the context of /etc/hostname, a hostname is just the name, not the FQDN.
[05:26] <tsrk_> this isn't my FQDN anyway
[05:26] <twb> I would, incidentally, use a more meaningful name than "main".
[05:26] <tsrk_> it doesn't actually have an FQDN
[05:26] <tsrk_> this is just a home server
[05:26] <tsrk_> i have main and test and out
[05:26] <twb> Typically I assign personal names to servers, then use DNS CNAME aliases to provide role names.
[05:26] <tsrk_> those are meaningful to me
[05:27] <tsrk_> hmm
[05:27] <tsrk_> i used to do tsrk1 tsrk2 tsrk3
[05:27] <twb> So e.g. www.lan CNAME ymir.lan
[05:27] <tsrk_> but that just got annoying
[05:28] <jmarsden> See http://www.faqs.org/rfcs/rfc1178.html -- Choosing a host name for your computer
[05:35] <tsrk_> jmarsden, thanks for the link, i read through it and it seemed interesting but i'm not sure i want to name my machines after colors :P
[05:36] <jmarsden> tsrk_: So pick some other scheme... that's just an example :)
[05:36] <tsrk_> i like to name them by what they do
[05:36] <tsrk_> because i'll be reinstalling if they ever do anything else
[05:37] <jmarsden> tsrk_: But then when you consolidate functions life is wierd, or when you have a mail/web/jabber server do you name it mailwebjabber.example.com .. and then you add mysql to it... now what?
[05:38] <jmarsden> Next week someone wants an SNPP server... do you rename mailwebjabber to mailwebjabbersnpp now? :)
[05:38] <tsrk_> on this network i only really have the capacity for one internet-facing server, so i'm calling it out. my main internal server is never above 0.05 load afaik so i feel safe calling it main
[05:38] <tsrk_> this isn't likely to get any of those servers (i don't even know what they are)
[05:38] <tsrk_> but i could safely add jabber to my "out" server
[05:39] <tsrk_> anyway, if i were to run all those services, wouldn't vms be safer?
[05:39] <jmarsden> If you have the RAM, it might be.  But chroots for security-interesting services is usually safe enough.
[05:40] <tsrk_> lol @ "security-interesting"
[05:40] <tsrk_> and ram is getting pretty damn cheap these days
[05:40] <twb> jmarsden: thanks for the RFC
[05:41] <jmarsden> tsrk_: Yes; I have 8GB on my home desktop here, precisely so I can play with VMs :)
[05:41] <jmarsden> twb: No problem.
[05:41] <tsrk_> i think processing power is becoming more the problem
[05:42] <tsrk_> 8gb ram is like $100 now... but processors to saturate that ram aren't cheap
[05:42] <tsrk_> although i heard there's amazing discounts if you work for intel or know someone that does
[05:43] <tsrk_> a guy i work with managed to get two 8-core nehalems for free through intel
[05:43] <jmarsden> Well, I picked up a Q9550 last week for US$169 from Microcenter :)  2.83GHz quad core with 12MB L3... that's a fair bit of CPU power for not much $$
[05:43] <tsrk_> yeah that's pretty good
[05:43] <tsrk_> can run 3 light vms + host OS pretty well?
[05:44] <jmarsden> Yes.
[05:44] <tsrk_> i'm gonna need to switch to a laptop soon though
[05:44] <tsrk_> i'm really trying to wait till they get quad core
[05:45] <jmarsden> Maybe better to get a cheap netbook and ssh into your desktop or server(s) ... also avoids the "oops, I droped it and just blew X thousand dollars" syndrome :)
[05:46] <tsrk_> i have a lenovo s10 for now
[05:46] <tsrk_> it's decent
[05:46] <tsrk_> but i think i'll need more for college
[05:46] <tsrk_> cause i really don't want to bring a desktkop
[05:48] <twb> It really irks me when a single-user laptop has enough CPU and memory to run all of .gov
[05:48] <jmarsden> tsrk_: It all depends what you'll be doing with it.  Maybe leave a desktop at home on a fast Internet connection, or rent a VPS somewhere for your computationally intensive tasks?
[05:48] <twb> "I upgraded my lappy from 4GiB to 8GiB so I can run two eclipse instances at once and still browse in 100 tabs in iceweasel."
[05:49] <jmarsden> Well, some people have money to spend on fancy laptops for those kinds of reasons, I suppose :)
[05:49] <tsrk_> twb, i'm just saying i need more than my s10 with 1gb of ram and 1.6ghz single-core
[05:50] <tsrk_> jmarsden, i think i'll need more local power and especially screen space
[05:50] <tsrk_> i've been looking at the lenovo T-series and they look nice
[05:50] <twb> jmarsden: it just seems retarded when you could put all that power in a colo rack and just run ssh on the laptop-cum-xterm
[05:50] <jmarsden> tsrk_: Understood.  Although a $200 screen for your dorm room would handle the screen space.
[05:51] <jmarsden> twb: Yes, that's definitely more the way I tend to do things.
[05:51] <twb> If I could find a cellphone with HDMI that could run Debian, I'd replace my EeePC with it.
[05:51] <tsrk_> jmarsden, i really don't want to be working on stuff in my dorm room. a laptop gives me nice portability
[05:52] <twb> (Apparently HDMI uptake is low due to royalty fees, and DVI-D isn't used because the connector is relatively huge.)
[05:52] <twb> jmarsden: it's also a pain in the arse to lug a 3kg A4 laptop when a 500g A5 one would suffice.
[05:53] <jmarsden> twb: I think Apple has some weird mini-DVI connector to try and work around that connector issue, maybe it will eventually become a "standard"?
[05:53] <twb> jmarsden: well, HDMI is backward-compatible with DVI-D
[05:54] <jmarsden> tsrk_: When I went to college (1980 to 1983), noone had computers useful for real work at all, we all used the campus mainframes :)
[05:55] <tsrk_> jmarsden, well, now they even expect me to buy maple for a basic calculus class
[05:55] <tsrk_> btw, will a netbook run that?
[05:57] <jmarsden> I think there's a few free alternatives, if you want to cause a few raised eyebrows :)
[05:57] <twb> tsrk_: apps run in the server room, not on your netbook.  That's the whole point.
[05:57] <tsrk_> twb, graphical ones?
[05:57] <twb> jmarsden: IME it's easier to just change uni when they start demanding you learn with proprietary tools that have mature FOSS alternatives.
[05:57] <twb> tsrk_: sure.
[05:57] <tsrk_> twb, i don't have that kinda bandwidth here :(
[05:58] <twb> tsrk_: you don't have ISDN or ADSL1 at home?
[05:58] <jmarsden> tsrk_: Have you played with mathomatic or maxima for example?
[05:58] <tsrk_> jmarsden, i've used maxima some
[05:58] <tsrk_> it seemed somewhat useful, but a lot of the stuff i think is maple specific
[05:59] <tsrk_> i might be able to do it in maxima but it'd take extra effort
[05:59] <tsrk_> and if i'm using maple on tests etc... i should really use it all the time
[05:59] <jmarsden> That should be fine, and should run on a 1.6GHz netbook... you'd have to translate from maple, and the exta effort woudl make surfe you actually learned the underlying principles, I'd think?
[05:59] <twb> jmarsden: unfortunately unis no longer test understanding
[06:00] <tsrk_> twb, yeah, i'm starting to think that this is more of a class on how to use maple than math
[06:00] <tsrk_> but i guess i'll see
[06:00] <tsrk_> this isn't for uni though
[06:00] <twb> polytechnic, whatever
[06:00] <tsrk_> it's a community college (replacement for high-school class)
[06:00] <jmarsden> twb: Agreed, but that doesn't mean you should avoid understanding ... you just ahve to reconvert the courses to ensure they teach you want you really wanted to learn.
[06:01] <twb> jmarsden: that being the case, there's no point going to school at all.
[06:01] <jmarsden> I can't see the value of teaching someone basic calculus with a program at that level.
[06:01] <jmarsden> twb: well, only that others recognize the degree you get at the end, basically.
[06:01] <twb> jmarsden: the whole point of school is to provide regular, objective assessment, so you know what to revise
[06:01] <twb> jmarsden: eh, you can just forge those
[06:02] <tsrk_> thanks for the ideas :)
[06:02] <jmarsden> I wouldn't know about that :)
[06:02] <twb> Consider: do you really want to work for an employer who cares more about accreditation (in maple, not math) than about your actual competence?
[06:03] <twb> I got my last job management going "hey, I think I've seen you at the local LUG.  You were pretty helpful."
[06:03] <twb> s/job/job by/
[06:04] <jmarsden> twb: That's slightly unusual.  More common is that you need to get past the keyword screening secretarial staff to even get your resume (never mind yourself) in front of someone capable of evaluating your actual competence.
[06:04] <twb> Bleh.  Such places probably have a dress code and evil shit like that
[06:05] <tsrk_> twb, those places also give you more monies
[06:06] <twb> Meh.  They'd have to pay a lot more for the privilege of making me dress up funny and turn up at 9AM every day
[06:06] <jmarsden> Not always... Hewlett Packard (for whom I once worked) had no timeclocks and no dress code for us techies... but the recruitment process to get in the door of their R&D dept. was... somewhat bureaucratic.
[06:07] <tsrk_> well, i'll do what it takes
[06:12] <awlt> I want to expedite running vmbuilder within a corp network, so it makes sense to have a local apt-mirror to avoid being reliant on the internet.  So apt-mirror provides the standard stuff, but what about my own corporate artifacts that won't reside on the internet? Can they be added to an apt-mirror, or do I need something else? (Do I need to run my own corporate PPA? Is that the right strategy?)
[06:17] <twb> awlt: you mean "how can I make a private apt repo"?
[06:17] <awlt> I think so, yes.
[06:18] <tsrk_> i am i still connected?
[06:19] <twb> awlt: it's dead easy, I just forget the command
[06:19] <twb> thingy-scanpackages
[06:21] <awlt> dpkg-scanpackages?
[06:24] <twb> ya
[06:25] <awlt> I still need the apt-mirror, right?  There isn't a solution that is both a private apt repo and proxy?
[06:26] <jmarsden> Right, just use both together.
[06:28] <twb> In theory you can make a debmirror, then copy your own debs into it and generate new a Packages file.  But that's super sucky, so don't do it
[06:29] <awlt> I want to avoid the super sucky strategy, that is why I am asking.  ;-)
[06:44] <jeeves_Moss> is there an easy way to send e-mail form the CLI (using mailx) through a gmail account?
[06:45] <twb> msmtp-mta can use gmail as its smarthost
[06:45] <twb> mailx then just sees the /usr/sbin/sendmail symlink
[06:45] <jeeves_Moss> twb, ?  can you give me a link for a "howto"?
[06:46] <twb> You WILL need to store the gmail password in cleartext in /etc/msmtp or ~/.netrc, or be prompted for it each time.
[06:46] <twb> http://twb.ath.cx/Preferences/.msmtprc
[06:47] <jeeves_Moss> twb, that's fine.  I'm looking to test it on a local system before I deploy it.  I'm concered about the cert from gmail (since they use TSL I think), and I need to be able to e-mail a list of people (the systems admin group)
[06:48] <twb> aptitude install ca-certificates
[06:48] <jeeves_Moss> twb, I don't mean to be rude/dumb, but could you give me a hand to set this up so I can write it down and get past the "pit falls"?
[06:48] <twb> jeeves_Moss: start by "aptitude install msmtp-mta ca-certificates"
[06:49] <jeeves_Moss> twb, ok, one sec.  (thanks again BTW)
[06:51] <jeeves_Moss> twb, ok, we're good.  next?
[06:51] <twb> Now try /usr/sbin/sendmail -oi -t -d -v <test.msg
[06:52] <twb> Expect it to complain in some fashion; pastebin the output
[06:52] <jeeves_Moss> it's giving me that test.msg "no such file or directory"
[06:52] <twb> You need to write a file test.msg
[06:53] <twb> It will contain the headers (e.g. "To: fred@example.net"), a blank line, then the message body.
[06:53] <jeeves_Moss> ohhhh, sorry.  one sec
[06:54] <jeeves_Moss> ok, so how should the file be constructed?
[06:54] <twb> 15:54 <twb> It will contain the headers (e.g. "To: fred@example.net"), a blank line, then the message body.
[06:55] <jeeves_Moss> http://pastebin.ca/1532185
[06:56] <jeeves_Moss> twb, will this let me write an e-mail to a group of people from one file?
[06:56] <twb> jeeves_Moss: what we are setting up is the ability for you to send arbitrary emails through your existing gmail account.
[06:57] <jeeves_Moss> twb, I need to be able to send e-mails locally (say if a service goes down or when I cron job finished) through my gmail account
[06:57] <twb> If an email is only delivered locally, then by definition it doesn't pass through gmail
[06:58] <twb> If you need local delivery, msmtp will not suffice; you'll need something larger, like postfix.
[06:58] <twb> For example if you want to be able to email other users on the local host, while the local host isn't connected to Internet.
[06:59] <jeeves_Moss> twb, ok, well, I need to be able to send it through the gmail account.  it's because the e-mails are actully sending a txt to a cell phone (unless there is an easier way to send a txt msg from the CLI)
[06:59] <gnuyoga> jeeves_Moss: if u r looking at local email delivery system, then u need local email server. else if u just want to send an email out using existing gmail account u need to follow  twd
[06:59] <twb> I'm not familiar with email to SMS bridges.
[06:59] <twb> !u
[07:00] <jeeves_Moss> twb, if you send an e-mail to <phonenumber>@fido.ca then it will send the contents of the email as a text to the cell
[07:00] <twb> By "a text" I presume you mean SMS?
[07:01] <jeeves_Moss> twb, yes, sorry
[07:01] <jeeves_Moss> twb, basically, I need to be able to send SMS messages from the CLI
[07:02] <twb> Do you own or pay for service on fido.ca?
[07:02] <twb> I thought gratis mail->sms bridges were extinct.
[07:02] <jeeves_Moss> no, that's why I went the gmail is a free way of doing it
[07:02] <twb> But gmail isn't fido.ca
[07:02] <jeeves_Moss> (since all you do is send an e-mail to <phone_number>@fido.ca
[07:03] <jeeves_Moss> and if it's bell, then it's <phone_number>@txt.bell.ca
[07:04] <jeeves_Moss> twb, that's why I wondered how to send an e-mail through gmail from the CLI
[07:05] <twb> jeeves_Moss: surely what you really mean, then, is "I need to be able to send email to N@fido.ca from the CLI."
[07:05] <jeeves_Moss> twb, yes.
[07:05] <twb> I would normally use the ISP's smarthost rather than gmail's, if only because it'll be faster.
[07:06] <jeeves_Moss> twb, but when I tried it from my main domain, I was unable to receive it, but when I sent it from the gmail account, it worked
[07:06] <twb> jeeves_Moss: that's probably because your own domain isn't set up properly to send mail
[07:06] <jeeves_Moss> twb, this is why I thought that gmail would be the better option (or currently from testing, the only option)
[07:07] <jeeves_Moss> twb, my mail domain works fine for regular send/receive
[07:07] <twb> I doubt that.
[07:07] <twb> Probably you are receiving with IMAP or POP3, and sending all mail to a smarthost relay
[07:07] <jeeves_Moss> ok, one sec, I'll test it
[07:07] <twb> i.e. you are not participating in mail directly.
[07:08] <twb> So what I'm saying is, just send CLI mail using that smarthost as well.  It doesn't have to be the gmail smarthost.
[07:08] <jeeves_Moss> the mail e-mail server on our main domain is not local to this box I'm testing on.  it's in Michigan, and i'm on Vancouver island
[07:09] <twb> Well, anyway, it doesn't really matter what smarthost you use, the procedure is still the same.
[07:09] <jeeves_Moss> hummm, one sec
[07:09] <twb> You need to tell /etc/msmtprc or ~/.msmtprc to use the smarthost.
[07:09] <jeeves_Moss> one sec.  testing something
[07:10] <jeeves_Moss> ok, my domain won't send to the phone, and hotmail won't send to the phone
[07:12] <jeeves_Moss> ok, I stand corrected.  I CAN send to my phone from hotmail (there's just a HUGE delay)
[08:01] <jeeves_Moss> can anyone point me in a good direction to send e-mail through gmail from the CLI?
[08:17] <pwnguin> anyone know what happens if you boot Ubuntu with two identical, non-raided disks?
[08:17] <pwnguin> ie imaged data
[08:23] <jeeves_Moss> pwnguin, it depends on what the first disk on the chain is, and where the boot loader is
[08:32] <psteyn> Hi. when I run php -v it says 'with Suhosin-Patch'
[08:33] <psteyn> but when I try and do apt-get install php5-suhosin it shows as a new install
[08:33] <psteyn> what gives?
[08:37] <pwnguin> jeeves_Moss: lets say one's sata and the other's sata in a usb enclosure
[08:38] <soren> pwnguin: I'm not sure what kind of answer you're looking for. It'll boot up and run.
[08:38] <jeeves_Moss> pwnguin, well, once again, it depends on how you have the boot device selection
[08:38] <pwnguin> hmm
[08:39] <pwnguin> soren: if the UUID's are identical...
[08:39] <jeeves_Moss> my netbook defaults to booting from USB, but I can choose where it boots
[08:39] <pwnguin> basically, im looking at the pitfalls of applying jwz's backup trick to Ubuntu
[08:39] <soren> pwnguin: It's not going to magically pretend like they're RAID1'ed, if that's what you're asking.
[08:40] <pwnguin> soren: no, but im wondering if it will just give up or decide randomly
[08:40] <soren> Decide randomly.
[08:40] <soren> ..but work.
[08:40] <pwnguin> "work"
[08:41] <soren> Work.
[08:41] <pwnguin> in the case of a cron rsync
[08:41] <pwnguin> it'll work, but you could randomly land on the nightly backup and miss whatever since last run
[08:42] <soren> Yes, if you reboot it migt use the other disk and work with that.
[08:43] <pwnguin> thats kinda what i thought i'd do
[08:45] <pwnguin> for reference, here's the general plan, applied to OSX
[08:45] <pwnguin> http://jwz.livejournal.com/801607.html
[08:45] <pwnguin> but i think it's a non-started and I'll look at other stuff
[08:46] <pwnguin> non-starter even
[08:49] <baffle> jmarsden: Apple uses Displayport and mini-displayport. My Lenovo W500 also has Displayport. I've noticed that displays are starting to come with that connector now as well.
[09:02] <soren> pwnguin: I actually used to do something just like that.
[09:03] <soren> pwnguin: The disks just didn't share their UUID.
[09:04] <soren> pwnguin: This was long before UUID booting came around, so the boot loaders on each drive just pointed at /dev/hda. In case of failure, I'd swap the disks and it'd boot from the new /dev/hda.
[09:10] <pwnguin> soren: honestly, i put it on hold after i realized i'd need to sync the MBR
[09:11] <pwnguin> the UUID thing i thing is also going to put a stake through it
[09:14] <soren> pwnguin: With grub, that's easy. Just install it once, and you're done. menu.lst will be kept in sync by the rsync thing.
[09:15] <twb> soren: apparently this is coming for extlinux, too
[09:15] <pwnguin> it was more i didn't want to look up the command to install grub to a specific disk, but yea
[09:15] <soren> twb: "this"?
[09:15] <twb> an auto-updated menu.lst
[09:15] <twb> http://bugs.debian.org/541293
[09:16] <pwnguin> technically, you could just do a find and replace on the menu.list and fstab
[09:16] <twb> Or rather extlinux.conf.
[09:17] <soren> extlinux?
[09:17] <pwnguin> looks like an alternative bootloader
[09:17] <pwnguin> ?
[09:17] <twb> extlinux is a bootloader that isn't shit
[09:17] <twb> Never mind.
[09:18] <twb> As to backing up the OS from one machine to another, you can use tune2fs to make the UUIDs match, and similar techniques for swap, LVM and mdadm UUIDs.  You need to edit the MACs in /etc/udev/rules/*persistent-net*, though.
[09:19] <pwnguin> i have to admit, the main use case for this is having a live, connected backup disk on the same machine
[09:19] <soren> I really wouldn't recommend making the UUID's match.
[09:19] <twb> I've also had... exciting times with whitebox cases where the primary SATA disk in a RAID1 dies, and the bootloader on the second disk doesn't work because it's trying to talk to (hd0) instead of (hd1) -- or vice-versa, because some BIOSes will automatically present sdb as sda to the OS :-/
[09:19] <twb> soren: sorry, I do this when the disks are in separate machines, not in the same box
[09:20] <soren> twb: Even then.
[09:20] <soren> twb: What's the point?
[09:20] <pwnguin> taking something that has "universally unique" in the name and making it locally not unique sounds like a bad idea
[09:20] <twb> soren: the point is not having to edit fstab and every other damn reference to the UUIDs after every sync
[09:20] <twb> soren: in particular, if your latest sync dies halfway, you KNOW that fstab will refer to the correct UUIDs.
[09:20] <soren> twb: Why would you sync fstab between two different systems?
[09:20] <twb> soren: because your second system is a BCP failover for the first one
[09:21] <soren> Who cares if the fstab matches if all the data does?
[09:21] <twb> soren: because you want it to boot up without having to talk some fuckwit in Africa through manually fixing fstab from a livecd
[09:22] <soren> That's the entire point. Just leave the fstab be and you're don't have to.
[09:23] <twb> Erm, but the root filesystem during backup isn't the root filesystem you're backing up.
[09:23] <twb> It's not a load balancing system, it's a BCP system
[09:23] <pwnguin> the problem is menu.lst
[09:23] <pwnguin> you can't exclude it, because it points to the kernel
[09:23] <pwnguin> but you can't leave it alone, because it includes a UUID
[09:24] <twb> pwnguin: here, IIRC it points to an LVM volume
[09:24] <twb> Yeah, it does.
[09:24] <soren> twb: I'm not what you mean by BCP system?
[09:25] <twb> soren: BCP is business continuity planning
[09:25] <pwnguin> this is a technology?
[09:25] <soren> twb: Ok... I'm still not getting it, I must admin.
[09:25] <soren> admit.
[09:25] <twb> Only in the way that, say, Human Resources is a technology
[09:26] <pwnguin> it's a failover cluster, i think is the term of art
[09:26] <LiraNuna> what does 'passwd: Authentication token manipulation error' means?
[09:26] <twb> business continuity is about "oh fuck, a mission-critical service is down.  If it's not back up in four hours, we will be bankrupt."
[09:26] <soren> twb: The fact that it's meant to be used as a drop-in replacement doesn't mean that you can't be clever with fstab.
[09:26] <LiraNuna> auto.log says 'pam_mysql - only super user is allowed to change authentication token.'
[09:26] <LiraNuna> any idea why?
[09:26] <soren> twb: Besides, if you're using lvm, you don't need UUID's anyway.
[09:27] <twb> soren: /boot, at least, isn't on LVM.
[09:27] <soren> twb: Point.
[09:27] <twb> The main reason I use UUIDs in fstab is because that's what the target Ubuntu server uses by default.
[09:27] <twb> AFAICT you're right, that using LVM LV names would also work fine
[09:27] <soren> twb: True. It does so, because it's the safe choice.
[09:28] <pwnguin> LVM isn't safe?
[09:28] <soren> Well...
[09:28] <soren> It's the safe choice until someone *on purpose* duplicates their universally unique ID's.
[09:29] <soren> pwnguin: Someone might plug in a hard drive with a lvm vg on it with the same name.
[09:29] <pwnguin> heh
[09:29] <soren> pwnguin: lvm names aren't unique, but they are consistent, which is /usually/ the problem UUID's are meant to solve.
[09:29] <pwnguin> LiraNuna: i would guess pam_mysql is trying to change the password and PAM is not having any of it
[09:29]  * soren runs to get his laptop power supply.
[09:29] <twb> soren: duplicating UUIDs is only a problem if you ever put both duplicates into the same system
[09:30] <pwnguin> which is kinda my goal
[09:30] <LiraNuna> pwnguin, sys users can change their password without being root
[09:30] <twb> pwnguin: yeah, sorry, I ran off on a tangent.  My implementation uses two complete systems, rather than just having a failover HDD
[09:30] <pwnguin> LiraNuna: not on the pam stack
[09:30] <pwnguin> its' about the provided password, not the hash stored in shadow
[09:31] <LiraNuna> pwnguin, no password is being provided
[09:31] <twb> Is LiraNuna's problem that pam_mysql only supports the auth part, and not the session/account/thingy parts?
[09:31] <LiraNuna> pwnguin, http://pastie.org/585636
[09:31] <pwnguin> twb: im just making sure i can nail this trivial rsync thing down, cuz i really like the idea of having a hot spare
[09:32]  * soren mumbles something about raid.
[09:32]  * pwnguin mumbles something about historic value
[09:32] <pwnguin> raid will dutifully delete both copies of a file when asked to do so
[09:32] <LiraNuna> rdiff-backup
[09:33] <pwnguin> LiraNuna: that's on my list
[09:33] <pwnguin> personally, i'm backing up to a NAS with mirror raid
[09:34] <pwnguin> i'll probably end up with something like deja dup
[09:34] <soren> pwnguin: I've seen people use RAID1 with an external drive that they plug in once a day, sync up, and unplug again.
[09:34] <pwnguin> heh
[09:34] <twb> pwnguin: there is a difference between a backup (RAID) and an archive.
[09:35] <pwnguin> twb: i know this.
[09:35] <soren> You don't have physically unplug the disk, you can just to the mdadm magic to pretend like you did... and that's scriptable.
[09:35] <pwnguin> for example: i have a desktop. it backs up to a NAS. the NAS has two drives in mirror
[09:36] <twb> Personally for in-system disks, I would have a RAID1 or RAID5, and then ON TOP of that utilize hard-linking to make incremental archives.
[09:36]  * soren is a RAID1+Bacula sort of person
[09:36] <pwnguin> there's about a billion backup packages in Ubuntu
[09:37] <pwnguin> i checked and graphed some inheritance
[09:37] <twb> Where basically the archive just does a glorified cp -al current $today
[09:37] <twb> as a cron job
[09:37] <soren> Bacula backs up to a local file based archive which is synced to Amazon S3 and removed locally.
[09:37] <pwnguin> bacula seems a bit enterprisey
[09:37] <soren> pwnguin: 'tis.
[09:40] <pwnguin> sbackup looked interesting
[09:40] <pwnguin> but is hellaciously buggy
[09:41] <LiraNuna> in http://pam-mysql.sourcearchive.com/documentation/0.6.2-1/pam__mysql_8c-source.html line 02236, it checks if user is root
[09:42] <pwnguin> LiraNuna: do you know how your PAM stack is currently configured?
[09:42] <pwnguin> (ie do you really want users in mysql?)
[09:42] <LiraNuna> yes
[09:42] <twb> I have always been too lucid to learn bacula or amanda.
[09:42] <LiraNuna> it first checks if sys user exists, then resorts to mysql
[09:42] <twb> mysql is a bloody toy database
[09:42] <twb> Might as well use sqlite
[09:43] <LiraNuna> I'll need to manage thousand of users on one machine
[09:43] <twb> LiraNuna: even flat files can manage a mere thousand users
[09:43] <pwnguin> generally ldap is optimized for that
[09:43] <twb> For unix auth, LDAP and kerberos is the future
[09:43] <pwnguin> but probably, mysql is handy for network auth
[09:43] <pwnguin> anyways
[09:43] <LiraNuna> twb, yes, but I also need other processes logging in using same credentials
[09:43] <twb> pwnguin: if you want handy and don't care about robustness or security, I would say NIS over mysql ;-)
[09:44] <pwnguin> my impression is that the error you are recieving is that the mysql module is attempting to modify the password token
[09:44] <LiraNuna> FTP, mail etc
[09:44] <twb> LiraNuna: all of which should be using pam, and so can use pam_krb or pam_ldap
[09:44] <LiraNuna> pwnguin, look at the source at http://pam-mysql.sourcearchive.com/documentation/0.6.2-1/pam__mysql_8c-source.html line 02236
[09:44] <pwnguin> you type in a password, pam converts it to a token
[09:45] <twb> I'm not saying that kerberos and ldap are *easy*, but they are robust, secure and scalable.
[09:45] <LiraNuna> twb, buzzword buzzword buzzword :)
[09:45] <LiraNuna> j/just kidding
[09:46] <pwnguin> anyways, some crazy pam stacks might fiddle with the password between modules
[09:46] <LiraNuna> pwnguin, this behavior is built into the source so users can't their own password
[09:46] <pwnguin> can't what their own password?
[09:47] <LiraNuna> +set
[09:47] <LiraNuna> my bad, it's getting late
[09:47] <LiraNuna> pwnguin, all I have is pam_unix, pam_mysql and pam_deny
[09:49] <pwnguin> well, pam source code is out of my expertise
[09:49] <pwnguin> and it's 3am
[09:49] <LiraNuna> it's quite readable
[09:50] <pwnguin> except i dont know the call patterns
[09:50] <LiraNuna> if(guid() != 0 /* NOT ROOT */ ) error("only root ...);
[09:50] <LiraNuna> line 2236
[09:50] <LiraNuna> I'm just wondering if it's a desired behavior
[09:52] <twb> LiraNuna: if you have pam_unix before pam_mysql, that is the problem
[09:52] <twb> LiraNuna: pastebin the non-comment, non-blank lines from /etc/pam.d/common-*
[09:52] <LiraNuna> twb, was about to do that
[09:53] <pwnguin> hmm. my laptop's downstairs
[09:53] <pwnguin> but i recall needing to do something to pass the password
[09:53] <twb> pwnguin: pam is extremely not fun if you don't grok it deeply
[09:54] <twb> pwnguin: I guess you're thinking of use_first_pass
[09:54] <pwnguin> yea
[09:54] <LiraNuna> twb, http://pastie.org/585646
[09:54] <pwnguin> twb: i had a coworker totally nuke a VMware esx server
[09:55] <pwnguin> apparently he tried copying over pam lib files
[09:55] <pwnguin> to "fix" a problem
[09:55] <LiraNuna> were they different arch? :D
[09:55] <pwnguin> afaik, vmware doesn't do multiarch
[09:55] <pwnguin> but the disk was full
[09:55] <pwnguin> leading to very empty pam_unix
[09:55] <LiraNuna> ouch
[09:56] <pwnguin> oh i think i know what happened
[09:56] <pwnguin> the disk was full
[09:56] <pwnguin> the new vsphere stuff has a new user
[09:56] <pwnguin> for VM migration
[09:57] <pwnguin> because the disk was full it was failing to log in
[09:57] <pwnguin> and apparently his first idea to fix broken login was copy the library packages from a known good server
[09:57] <LiraNuna> twb, any idea of the correct order?
[09:59] <pwnguin> see, this is why pam code is unreadable
[09:59] <pwnguin> pam_sm_chauthtok - service provider implementation for pam_chauthtok
[09:59] <pwnguin> chauthtok stands for CHANGE auth tok, not check
[10:00] <LiraNuna> chmod = CHANGE modes
[10:00] <LiraNuna> chown = CHANGE owner
[10:00] <LiraNuna> chgrp = CHANGE owner
[10:00] <LiraNuna> I see a pattern here
[10:00] <pwnguin> probably not a good idea to guess
[10:00] <LiraNuna> makes sense to me
[10:00] <LiraNuna> ck would be check
[10:01] <pwnguin> chk is a frequent mneumonic
[10:01] <LiraNuna> fsck
[10:01] <twb> Sorry, I was elsewhere
[10:02] <twb> LiraNuna: you realize you just handed us a copy of your mysql root password
[10:02] <LiraNuna> twb, haha it's in a VM
[10:02] <LiraNuna> twb, I don't care, since it's in a toy VM :)
[10:02] <LiraNuna> else I'd mask them
[10:02] <twb> LiraNuna: my unerstanding is that pam_mysql doesn't have account/auth/session support, only password.
[10:02] <twb> This is based on the apt package description
[10:03] <LiraNuna> I was following this - http://www.spencerstirling.com/computergeek/mysqluser.html
[10:03] <LiraNuna> twb, libnss-mysql handles the rest
[10:03] <twb> LiraNuna: er, no it doesn't.
[10:03] <twb> LiraNuna: libnss provides name resolution, not session stuff
[10:03] <LiraNuna> oh?
[10:03] <twb> libnss basically just means getent(1) works
[10:03] <LiraNuna> my bad
[10:03] <LiraNuna> ah, right, id -> name
[10:04] <twb> I'm actually surprised that ANYONE can reset their mysql password via passwd(1)
[10:04] <LiraNuna> mysql password?
[10:04] <LiraNuna> you mean a password that is stored in the database?
[10:04] <twb> LiraNuna: I mean the password that's in the mysql relation
[10:04] <LiraNuna> root can do that, if I do sudo passwd username it will UPDATE the field
[10:05] <LiraNuna> using md5crypt
[10:05] <twb> Anyways, your pam.d common entries look OK to me
[10:05] <LiraNuna> will also update the lastchange field to current unix time
[10:05] <twb> (Assuming pam_mysql is a well-behaved and complete implementation, which I'm not convinced it is.)
[10:06] <LiraNuna> twb,  look at the source at http://pam-mysql.sourcearchive.com/documentation/0.6.2-1/pam__mysql_8c-source.html line 2236
[10:06] <pwnguin> its pretty clear
[10:06] <pwnguin> on that part
[10:06] <twb> LiraNuna: ah, heh
[10:07] <LiraNuna> should I patch it?
[10:07] <LiraNuna> I don't think it's correct behavior
[10:07] <twb> Not without understanding the implications
[10:07] <twb> Remember when someone tried to fix up entropy in ssl/ssh?
[10:07] <LiraNuna> haha
[10:07] <pwnguin> getuid != 0? DENIED
[10:08] <twb> Bootstrapping and security are things you Should Not Fuck With.
[10:08] <LiraNuna> pwnguin, question is why
[10:08] <twb> LiraNuna: ask the devs
[10:08] <pwnguin> LiraNuna: no, the question is why sudo works
[10:08] <LiraNuna> sudo executes with root
[10:08] <LiraNuna> privs
[10:08] <pwnguin> sudo executes with effective root privs, no?
[10:09] <pwnguin> geteuid() vs getuid()
[10:09] <LiraNuna> yes, sudo id
[10:09] <LiraNuna> $ sudo id
[10:09] <LiraNuna> uid=0(root) gid=0(root) groups=0(root)
[10:10] <pwnguin> passwd is probably a setuid program
[10:10] <LiraNuna> euid will be the used invoking that
[10:10] <LiraNuna> user*
[10:11]  * LiraNuna emails the developer
[10:11] <twb> pwnguin: sudo is setuid, then it relinquishes privileges later.
[10:11] <twb> passwd is also setuid
[10:11] <LiraNuna> thing is sudo passwd does store the password in the db
[10:12] <LiraNuna> so I really question that check
[10:12] <twb> LiraNuna: because passwd sees euid=0
[10:12] <twb> Or rather pam_mysql, via passwd, does
[10:12] <pwnguin> twb: pam_mysql does getuid()
[10:12] <LiraNuna> ^
[10:12] <twb> Huh.
[10:13] <twb> Oh well, again I would go pester the pam_mysql devs
[10:13] <LiraNuna> on it
[10:13] <pwnguin> http://pam-mysql.sourcearchive.com/documentation/0.6.2-1/pam__mysql_8c-source.html
[10:13] <pwnguin> 02235       if (getuid() != 0) {
[10:14] <jeeves_Moss> I'm getting "TLS certificate verification failed: the certificate hasn't got a known issuer" from mailx when I try to send through gmail.  what am I doing wrong?
[10:15] <LiraNuna> 'Use geteuid() instead of getuid() to check if the current user is uthorized to change the password (PR #1338667). '
[10:15] <LiraNuna> http://pam-mysql.sourceforge.net/
[10:15] <LiraNuna> apparently that release isn't in debian/ubuntu
[10:15] <pwnguin> damn im good
[10:15] <LiraNuna> hehe
[10:16] <pwnguin> probably, you want to look at the source to what you are using
[10:16] <pwnguin> apt-get source
[10:16] <LiraNuna> it's the old version
[10:16] <pwnguin> maybe even apply the patches
[10:16] <LiraNuna> as per apt-cache policy
[10:16] <pwnguin> dont trust version numbers
[10:16] <LiraNuna> pwnguin, he removed the check for guid() on that version
[10:17] <LiraNuna> the source is way different
[10:18] <pwnguin> its entirely possible that the debian package is patching the tarball
[10:20] <pwnguin> well, its late
[10:20] <pwnguin> gnite
[10:20] <LiraNuna> the source night
[10:20] <LiraNuna> thanks for the help
[10:27] <jeeves_Moss> LiraNuna, still in here?
[10:27] <LiraNuna> yes
[10:27] <jeeves_Moss> are you any good with certs?
[10:27] <jeeves_Moss> I'm having issues with the "howto" @ http://www.ericstockwell.com/
[10:28] <LiraNuna> sorry, I don't know much about smtp auth
[10:28] <LiraNuna> I failed setting it up myself :/
[10:28] <jeeves_Moss> I get that it can't find the file (and I can't "locate" it either)
[10:28] <LiraNuna> sudo updatedb
[10:28] <LiraNuna> then locate again
[10:29] <jeeves_Moss> tried that
[10:29] <jeeves_Moss> the file phsyically isn't in the ZIP
[10:30] <LiraNuna> sorry, it's too late and I lack the knowledge to help
[10:30] <jeeves_Moss> then I get send-mail: TLS certificate verification failed: the certificate hasn't got a known issuer
[10:30] <LiraNuna> oh
[10:30] <LiraNuna> did you self sign it?
[10:31] <jeeves_Moss> no, I followed the instructions in the howto.  I don't want to receive, I just want to use the SMTP server
[10:32] <LiraNuna> "Scriptable sendmail via Gmail in Ubuntu 8.04*" ?
[10:33] <jeeves_Moss> yep
[10:33] <LiraNuna> you're probably looking for http://www.marksanborn.net/linux/send-mail-postfix-through-gmails-smtp-on-a-ubuntu-lts-server/
[10:33] <jeeves_Moss> http://www.ericstockwell.com/
[10:33] <jeeves_Moss> not using postfix though
[10:34] <LiraNuna> oh
[10:34] <LiraNuna> I don't know how to configure/use any other mail server
[10:35] <jeeves_Moss> it's not using a local server, it's just connecting to gmail's SMTP
[10:36] <Jeeves_> Does gmail's SMTP include ads in your sent messages yet?
[10:38] <jeeves_Moss> Jeeves_, no.
[10:41] <Jeeves_> Hmm
[10:42] <henkjan> google smtp servers annoy your mxservers first with 20 seconds ads before delivering mail? :)
[10:46] <Jeeves_> :)
[10:46] <Jeeves_> Ads in you logs :)
[11:57]  * jpds hugs lamont.
[11:59] <lamont> jpds: what did I do?
[12:00] <jpds> lamont: new nmap :)
[12:01] <jpds> Thanks for that.
[12:02] <lamont> ah, yeah... finally got my head above water long enough to upload that last night
[12:14] <acalvo> hi
[12:14] <acalvo> what could it mean if running a ping based on the hostname or a route command takes so long to show results?
[12:15] <alexm> acalvo: dns problems?
[12:15] <acalvo> yes, could it be, because a ping based on the ip works without problems
[12:15] <acalvo> but I cannot access my external lan
[12:15] <acalvo> so I've thought that maybe there was some other error
[12:20] <alexm> the dns query going to root servers currently unavailable for you could explain that delay i guess
[12:27] <acalvo> makes sense
[12:27] <acalvo> but I don't understand why it's giving this errors
[12:27] <acalvo> since I'm cloning a current network, with new servers
[12:27] <acalvo> the only thing I've change is the ip range
[12:27] <acalvo> and static ips
[12:28] <acalvo> and it won't allow me access the external lan
[12:28] <acalvo> sounds like a firewall problem
[12:28] <acalvo> but I've rechecked it more than 20 times
[12:28] <acalvo> and seems fine
[12:34] <Faust-C> acalvo, in situations like that i would really look at firewall logs again
[12:34] <Faust-C> acalvo, for instance im in a similar situation youre in
[12:35] <Faust-C> my firewall rules allow VLAN to VLAN, any protocol, however you must explicitly allow certain services (ports), at least w/ pfsense anyways
[12:35] <Faust-C> brb
[12:35] <acalvo> I know
[12:35] <acalvo> and I've already checked them
[12:36] <acalvo> and firewall logs doesn't even show any package coming form this lan
[12:36] <acalvo> I'm starting to wonder if could be something related to VMWares ESXi
[12:42] <embix> hi there
[12:44] <embix> is it possible to use the "old-fashioned" slapd.conf instead cn=config with ubuntu server 9.04?
[12:53] <roxy> Hi there...somebody know how i can backup my ldap data?
[12:53] <embix> ldif dump?
[13:00] <alexm> acalvo: sorry, i have no experience with vmware esxi
[13:01] <acalvo> aleks: don't worry, thank you!!!ç
[13:01] <alexm> try tracerouting or ping -R to see where the packets disappear
[13:02] <alexm> and maybe etherape or any other graphical network monitor will help too, just in case you forgot something
[13:03] <acalvo> alexm: the bad thing is that now I cannot install anything, since I don't have internet
[14:03] <Jeeves_> kees: You awake?
[15:10] <clusty> hey
[15:12] <clusty> I would like to be able to address all PC's from the local network by hostname rather then IP
[15:12] <clusty> i managed to do this ages ago: for each PC to advertise his hostname when asking for a dhcp address
[15:13] <clusty> any clues how to go about it?
[15:14] <Guest11311> Good day, is this the right place to inquire about troubleshooting mailman configuration on Ubuntu?
[15:14] <pmatulis> clusty: investigate dnsmasq
[15:15] <clusty> pmatulis, so the solution is on the server side or client side?
[15:15] <pmatulis> clusty: server
[15:15] <clusty> pmatulis, i remember having modified just the dhcp client conf before
[15:18] <soren> clusty: Just because the dhcp client tells the dhcp server its hostname doesn't mean that the dhcp server will pass it on to the DNS server.
[15:18] <soren> clusty: It just so happens that dnsmasq is a combined dhcp and dns server.
[15:19] <soren> clusty: Your other option is avahi.
[15:19] <clusty> thanks
[15:19] <clusty> i am trying to figure out how did i set up the dns thing now
[15:23] <Guest11311> Would anyone be willing to help me resolving mailman configuration issues?
[15:24] <Steve[mbp]> morning everyone
[15:24] <clusty> Guest11311, that is unproductive
[15:24] <clusty> Guest11311, say what's hurting
[15:24] <clusty> Guest11311, to quote the guidelines: "don't ask if you can ask. just ask"
[15:24] <clusty> or similar :D
[15:26] <clusty> soren, could you give me a hand on how to set up the whole thing with bind and dnsd ?
[15:27] <clusty> soren, there will be a lot of unhappy people if i screw this one up
[15:28] <Guest11311> I've finished installing and configuring mailman as per https://help.ubuntu.com/community/Mailman, however the web interface reports no mailing lists running and says "Error:  you are not authorized to create new mailing lists" whenever I try to create one through the web interface instead of the command line.
[15:29] <Jeeves_> soren: Do you know why Ubuntu hasn't built a new kernel yet after the null-pointer bug?
[15:37] <mathiaz> zul: hey - could you write up a MIR for squid-langpack?
[15:37] <mathiaz> zul: https://bugs.launchpad.net/bugs/396472
[15:37] <uvirtbot`> Launchpad bug 396472 in squid "Please merge squid (2.7.STABLE6-2)(main) from debian unstable(main)" [Undecided,Fix released]
[15:37] <zul> mathiaz, sure
[15:54] <soren> clusty: I could, but I'm confident teh intarwebz is a better ressource for this than I am. I've not done anything like that in almost 10 years.
[15:55] <clusty> soren, ok. will dig in. the whole DNS thing is still a bit scary. I guess i might as well read about it now :D
[15:59] <soren> clusty: Back then it was a bit of a hack. IIRC, I periodically went through the leases file and turned it into bind db entries. I'm sure there's better ways of doing it now.
[16:17] <uvirtbot`> New bug: #414865 in samba (main) "mount.cifs does not handle umlauts in usernames correctly" [Undecided,New] https://launchpad.net/bugs/414865
[16:19] <soren> umlauts in usernames? *sigh* Who would do that anyway?
[16:19] <clusty> ze germanz
[16:19] <clusty> :D
[16:19] <soren> Probably :)
[16:33] <Jeeves_> 16:29 < Jeeves_> soren: Do you know why Ubuntu hasn't built a new kernel yet after the null-pointer bug?
[16:33] <soren> Jeeves_: No clue.
[16:38] <Jeeves_> hmm
[16:42] <mathiaz> ttx: did you advocate http://revu.ubuntuwire.com/p/libopendrim?
[16:42] <mathiaz> ttx: it seems so
[16:42] <ttx> mathiaz: looking
[16:42] <ttx> yes
[16:42] <mathiaz> ttx: ok - I'll upload the package then
[16:57] <embix1> trouble with open ldap: "ldap_add: Server is unwilling to perform, additional info: no global superior knowledge" I have a fresh ldap, he doesnt like me to extend the tree
[18:00] <jmedina> embix: how are you adding the data?
[18:00] <jmedina> ldif?
[18:01] <zul> mathiaz:can you update the seeds for mysql 5.1
[18:08] <embix> jup
[18:08] <embix> the main problem is to setup the database in the cn=config way
[18:09] <embix> the slapd is not yet responsible for the suffix given in the .ldif
[18:23] <kees> Jeeves_: am now
[18:29] <Jeeves_> kees: Hi
[18:29] <Jeeves_> You're security-guru, right? :)
[18:32] <embix> problem solved, the dn was wrong...
[18:36] <mathiaz> zul: no need. mysql-server is already seeded in server-ship
[18:36] <zul> cool
[18:36] <kees> Jeeves_: I do security work, yeah.
[18:36] <jdstrand> kees is being modest :)
[18:37]  * kees worries if he thinks he's a guru, he'll have to sit on a mountain-top and meditate.  :)
[18:37] <Jeeves_> kees: Any clue on a new kernel for ubuntu due to the null-pointer bug published last week?
[18:38] <jdstrand> it is probably good if one doesn't think of oneself as a guru... but that won't stop us from thinking so ;)
[18:38] <kees> Jeeves_: yeah, it's building now, should publish later today.
[18:38] <Jeeves_> Coolio
[18:38] <kees> Jeeves_: most ubuntu installs will be safe, though, due to /proc/sys/vm/mmap_min_addr being above 0
[18:39] <Jeeves_> I'm mostly interested in the server-stuff
[18:41] <kees> Jeeves_: just check your /proc/sys/vm/mmap_min_addr value.  Dapper doesn't have it, which makes it vulnerable, which is why we're trying to get the kernels out asap
[18:42] <Jeeves_> ah ok
[19:33] <albatross> Anyone who can spare a moment? I', having trouble with chmod...
[19:34] <embix> what is the problem?
[19:34] <albatross> When i upload files via ftp they automaticly get chmod 600
[19:34] <KillMeNow> chmod is pretty simple
[19:34] <albatross> i want then to be 755
[19:34] <KillMeNow> vsftpd?
[19:34] <albatross> yes
[19:35] <KillMeNow> it's in the vsftpd config
[19:35] <embix> usually it depends on the ftp config
[19:35] <albatross> ok? Hav'nt found any info in the config-file.
[19:36] <albatross> Know what corrections have to be done?
[19:36] <KillMeNow> http://vsftpd.beasts.org/vsftpd_conf.html
[19:36] <embix> what ftp server do you use
[19:36] <embix> ?
[19:37] <pmatulis> albatross: yes, search for chown_upload_mode
[19:37] <pmatulis> that seems to be for anonymous uploads however
[19:38] <albatross> hmm.. have disabled anon
[19:38] <KillMeNow> chmod_enable     When enabled, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD
[19:38] <albatross> ok
[19:38] <albatross> good.
[19:38] <albatross> found it
[19:38] <albatross> tnx
[19:42] <Kamilion> Where does debian-installer load storage controller modules from when Detect Disks asks for modules and 'none of the above' is selected?
[19:56] <pmatulis> Kamilion: try #ubuntu-installer
[19:58] <Kamilion> Thanks.
[20:32] <HellMind> chroot can be used as a virtualization method?
[20:38] <dorvan83> hi to all!
[20:39] <dorvan83> one question... in a default kernel of ubuntu server for an amd64 arch what is the default dimension of entropy pool? is possibible increase it?
[20:40] <dorvan83> possible*
[20:42] <dorvan83> also, anyone here is the maintainer of high-availability for ubuntu-server?
[20:47] <giovani> dorvan83: if you want higher entropy, you probably just want to use a TRNG
[20:52] <dorvan83> giovani: i had problem with a software, corrected by developers adding a input from keyboard to incrase the entropy because on ubuntu-server seems to have a little entropy (PRNG) than other distros (redhat and novell for example)
[20:52] <giovani> dorvan83: I highly doubt that the RNG code is different between Ubuntu and RedHat)
[20:52] <dorvan83> yes, me also.
[20:53] <giovani> you can provide more entropy to the linux kernel prng by typing and accessing things on disk
[20:53] <giovani> disk i/o, and keyboard/mouse input are the three main sources of random data for the /dev/random device
[20:53] <dorvan83> but seems the pool can be set lower?
[20:53] <giovani> what do you mean "set lower"?
[20:54] <dorvan83> 512-4096
[20:54] <HellMind> guys Is there a way chrrot with the minimal necesary files?
[20:54] <HellMind> I mean with the minimun environmental files
[20:54] <giovani> dorvan83: what does that number represent?
[20:54] <giovani> HellMind: yes, you copy them
[20:55] <giovani> what's "necessary" depends on your individual needs
[20:55] <HellMind> but how do I know which files ar needed?
[20:55] <HellMind> I want to run a quake3 server
[20:55] <giovani> that depends on your needs
[20:55] <giovani> I have no idea what quake3 needs
[20:55] <giovani> I told you the other day to use ldd to find out what libraries the binary might be calling
[20:55] <giovani> other than that ... it's not easy
[20:55] <dorvan83> giovani: the entropy pool size
[20:55] <HellMind> but its only a gameserver
[20:56] <HellMind> ahhhhhhhhhhhhhhhh
[20:56] <HellMind> giovani now I understand :D
[20:56] <giovani> HellMind: what does that have to do with this?
[20:56] <HellMind> sorry man
[20:57] <giovani> dorvan83: dorvan83 that's set in the same place in every distro
[20:57] <giovani> /proc/sys/kernel/random/poolsize
[20:57] <giovani> it's set to 4096 by default in Ubuntu Server 9.04
[20:57] <giovani> but you can't modify it without recompiling iirc
[20:58] <HellMind> giovani ldd q3ded ->   not a dynamic executable
[20:58] <giovani> HellMind: then it
[20:58] <giovani> it's self-contained
[20:58] <HellMind> then what I need :S?
[20:58] <giovani> I don't know -- I've told you that
[20:58] <giovani> there's no way for us to know what you'll need
[20:58] <dorvan83> giovani: ah great. i don't know the kernel parameter name. thanks
[20:58] <giovani> there are tons of factors
[20:58] <dorvan83> solved
[20:59] <HellMind> giovani but how can I know
[20:59] <giovani> dorvan83: it's not editable -- this is compiled into the kernel, and not Ubuntu-specific
[20:59] <giovani> HellMind: I don't know -- I have no clue what you need
[20:59] <HellMind> -_-
[21:01] <HellMind> giovani how can I run the q3ded chrooted to see some error or check if itsworks?
[21:02] <giovani> HellMind: we've already explained how to use chroot
[21:02] <HellMind> I know but I want a way to debug it
[21:03] <giovani> debug what?
[21:03] <giovani> I don't know how to debug quake3 ... that's specific to quake3
[21:03] <HellMind> I wanto to start quake3 chrooted without a bash
[21:04] <giovani> HellMind: we've been over how to do that
[21:05] <HellMind> I found start-stop-daemon can chroot
[21:05] <HellMind> chroot $CHROOT /start $1 ?
[21:08] <Psi-Jack_> Ubuntu-9.04-server still comes with syslog standard, eh? Not syslog-ng or another alternative?
[21:09] <pmatulis> Psi-Jack_: that's right
[21:11] <Psi-Jack_> What's a good logger that supports sending to a remote server?
[21:11] <Psi-Jack_> syslog-ng is one I know, but anyone have any other recs?
[21:11] <pmatulis> Psi-Jack_: sysklog, the normal one
[21:12] <Psi-Jack_> I want filtering abilities like syslog-ng has, sysklogd only filters strictly by the very basic log event types.
[21:12] <giovani> so use syslog-ng :)
[21:13] <Psi-Jack_> Hmmm.. What about rsyslog? That's one I've not heard of before, but has a lot on it's plate up front.
[21:14] <pmatulis> Psi-Jack_: go for rsyslog then
[21:14] <giovani> I've only used rsyslog for ssl stuff
[21:14] <pmatulis> Psi-Jack_: it's the default in ubuntu starting next october
[21:14] <giovani> since it does it out of the box
[21:15] <Psi-Jack_> rsyslog is?
[21:15] <pmatulis> Psi-Jack_: yes
[21:15] <Psi-Jack_> Cool beans. That tells me right away, it's good. ;)
[21:15] <pmatulis> Psi-Jack_: yes, lots of filtering capabilities
[21:15] <pmatulis> Psi-Jack_: it also doesn't have the dual-license stuff like syslog-ng
[21:16] <Psi-Jack_> Heck, more than that, filtering, logging to sql, tcp, ssl, etc, and even a php log event viewer.
[21:16] <HellMind> giovani let say I want to run pwd in a chrooted environment using the less libs files as possible
[21:16] <pmatulis> Psi-Jack_: yes
[21:16] <giovani> yeah, uh, a php anything isn't a plus
[21:16] <Psi-Jack_> Heh
[21:16] <nick125> Hahah
[21:17] <Psi-Jack_> I was soo dreading the idea of using splunk.
[21:17] <Psi-Jack_> This may be the better alternative. ;)
[21:17] <giovani> why?
[21:17] <giovani> splunk is an awesome tool
[21:17] <giovani> I'm just about to roll it out at work
[21:17] <Psi-Jack_> EEh.. It's... Alright. but, for what I want, all I /need/ is a log viewer. Not a burden of excessiveness.
[21:18] <giovani> oh ... well splunk isn't a "log viewer"
[21:18] <giovani> so don't discredit it
[21:18] <Psi-Jack_> yeah.
[21:18] <giovani> it's just not appropriate for the job you need
[21:18] <Psi-Jack_> Well, they also lied while calling it marketting, too. So
[21:18] <giovani> ?
[21:18] <Psi-Jack_> It's Free! .... but has a 500mb/day limit.
[21:18]  * nick125 has come to the conclusion that there isn't such a thing as a simple open source CRM..
[21:18] <giovani> nick125: nope, they all suck
[21:19] <nick125> I mean, all I want to do is have a client database and a way to put "notes" on the account for appointments. THATS IT.
[21:19] <giovani> then pay someone to write something that simple
[21:20] <giovani> the problem with CRMs is ... no business is the same
[21:20] <giovani> and trying to create a universal client-management tool is impossible
[21:20] <nick125> Yeah, that's what I've found out.
[21:20] <Psi-Jack_> Whoah, rsyslog even support snmp?
[21:21] <nick125> If I wasn't so lazy^Wbusy, I'd write something in Django....
[21:28] <psteyn> Hi guys.  I get this error in a command line php script: Fatal error: Allowed memory size of 67108864 bytes exhausted.  So, I then changed the memory_limit to 128M in all the php.ini files I found in /etc/php5/*
[21:28] <psteyn> But it STILL gives me that same error as if the memory limit wasn't changed.  I then ran php -i | grep memory and it reported 128M, then I tried again and still got the same error
[21:28] <psteyn> I have no idea what to do now, please help
[21:29] <giovani> psteyn: when you got the error after making the change, did it still report 67108864 bytes? or a new, higher number?
[21:30] <psteyn> giovani: still the same number
[21:30] <giovani> psteyn: you sure the same php process isn't still running?
[21:30] <psteyn> which is what makes it so weird
[21:30] <giovani> ps aux | grep php
[21:30] <psteyn> I've restarted apache anyway, but as I said it's a command line php script, so once it's done it's done
[21:31] <giovani> run ps aux | grep php anyway, please
[21:32] <psteyn> sure, sec
[21:33] <psteyn> # ps -aef | grep php
[21:33] <psteyn> root     22761 22750  0 22:28 pts/2    00:00:00 grep php
[21:33] <giovani> are you absolutely positive that you only have one php installation?
[21:33] <giovani> or that you editing the *right* php.ini
[21:34] <giovani> sudo updatedb && locate php.ini
[21:35] <psteyn> giovani: dead sure
[21:35] <giovani> so run the command above
[21:35] <giovani> and pastebin the output
[21:36] <giovani> to make sure you don't have multiple php.inis
[21:36] <psteyn> even used php -c to the patch of the config, and did a  var_dump(ini_get('memory_limit')); in the same shell and it confirmed 128M
[21:36] <psteyn> giovani: I have multiple ones, one for cli one for apache, etc.  but I've increased all of them
[21:36] <psteyn> lemme run that command anyway
[21:36] <giovani> this sounds like a #php issue if you've really exhausted all normal troubleshooting
[21:37] <giovani> either it's a per-process limit or something
[21:37] <giovani> or you've made an error
[21:41] <psteyn> where can I see the per process limit
[21:41] <psteyn> nah, I'm migrating this script from centos to ubuntu-server using default and up to date php from ubuntu server
[21:42] <psteyn> no error with script
[21:42] <giovani> I didn't mean an error with the script
[21:42] <giovani> anyway, hit up #php
[21:43] <psteyn> giovani: already there...they are also stumpped so far
[21:46] <psteyn> rofl, one if its include files have: ./update_cache.php:ini_set('memory_limit','64M');
[21:46] <psteyn> :)
[21:46] <psteyn> thanks anyway dude
[21:47] <psteyn> cheers
[21:51] <clusty> hey
[21:51] <clusty> i am trying to get DNS resolved forthe local network also
[21:52] <clusty> my problem is that the DNS request gets forwarded to my ISP, which responds with the standard domain not found page (ip address of the place where the page is stored)
[21:53] <clusty> can some1 help me fix this? I could post my bind and dhcp config files
[21:53] <giovani> clusty: I'm unclear on what your problem is -- try restating it
[21:53] <clusty> giovani, so. i say for example: ping 192.168.0.128
[21:54] <sgsax> clusty: your ISP has no idea what 192.168.x.x is, that's a private subnet
[21:54] <clusty> http://pastebin.com/m39317b15
[21:55] <clusty> sorry my bad
[21:55] <clusty> ping algo01
[21:55] <clusty> should reply: 192.168.0.128
[21:55] <sgsax> if you want to resolve IPs on your private subnet, you need to have your own internal DNS solution
[21:55] <clusty> sgsax, doing that
[21:55] <clusty> sgsax, have my own bind and dhcpd
[21:55] <giovani> clusty: cat /etc/resolv.conf
[21:55] <clusty> sgsax, the machine is acting as a router and DNS
[21:56] <Bilge> derp
[21:56] <jmedina> hwat about search in resolv.conf?
[21:56] <sgsax> clusty: the output in your pastebin looks correct to me
[21:56] <clusty> nameserver 192.168.178.1
[21:56] <clusty> ooops
[21:56] <clusty> i should put resolve 192.168.0.1 first probably
[21:57] <HellMind> guys
[21:57] <HellMind> help on chrooting
[21:57] <sgsax> yeah, because othwersie it will only get a request if the earlier ones timeout or error out
[21:57] <giovani> heh
[21:57] <HellMind> giovani I want to run ls in an tiny-as environment
[21:57] <HellMind> I tried to copy some libs
[21:57] <clusty> giovani, nameserver 192.168.0.1
[21:57] <clusty> nameserver 192.168.178.1
[21:57] <clusty> ny current resolv.conf
[21:58] <HellMind> but its say bash not found, I copied bash libs too
[21:58] <clusty> now I am getting redirected to openDNS
[21:58] <HellMind> but the same error
[21:58] <HellMind> I cant find this lib linux-vdso.so.1
[21:58] <sgsax> clusty: if you are running nscd, you'll need to restart it to flush the cache
[21:58] <HellMind> Do I need it?
[21:58] <clusty> sgsax, i am running bind and dhcpd
[21:58] <clusty> sgsax, i restart both?
[21:58] <clusty> sgsax, do i also refresh algo01 ?
[21:58] <sgsax> clusty: you shouldn't have to restart either
[21:58] <jmedina> clusty: can you resolve your domain and hosts in dns server?
[21:59] <clusty> jmedina, did not understand the question
[21:59] <sgsax> clusty: try "dig @192.168.0.1 algo01"
[21:59] <sgsax> that will force a query against your dns
[21:59] <jmedina> you need the DNS prefix in your resolv.conf in order to resolve hosts using the short name
[22:00] <clusty> sgsax, http://pastebin.com/m663cfb6f
[22:00] <HellMind> giovani!
[22:00] <jmedina> something like "search mydomain.tld"
[22:00] <clusty> jmedina, i am a total noob when it comes to DNS. i copied from all the nets untill i got DNS working
[22:01] <clusty> jmedina, that was the disclaimer :D
[22:01] <jmedina> clusty: try: "rndc querylog" on your dns server so you can debug client queryes
[22:01] <clusty> jmedina, does nothing
[22:01] <jmedina> clusty: again, can you resolve algo01 hostname from your dns server?
[22:02] <clusty> jmedina, i am trying now from that mchine
[22:02] <sgsax> clusty: if you don't add the line jmedina suggested, you'll need to include the fqdn of your host in your dig query
[22:02] <jmedina> something like "dig  @localhost algo01"
[22:02] <clusty> jmedina, there are just 2 linux machines: DNS box and algo01
[22:02] <giovani> sgsax: he'll need it either way
[22:02] <jmedina> if not, try "dig  @localhost algo01.yourdomain.tld"
[22:02] <giovani> dig doesn't respect /etc/resolv.conf
[22:02] <giovani> it issues a plain ol query as you write it
[22:02] <sgsax> giovani: ah, didn't realize that
[22:02] <giovani> nslookup will, however, respect the search line in /etc/resolv.conf
[22:03] <clusty> should i post my DNS and bind configs?
[22:03] <jmedina> clusty: you better post dig output
[22:04] <clusty> jmarsden, http://pastebin.com/m70f2c099
[22:04] <clusty> your dig
[22:04] <jmedina> algorithmica <--- is that the server machine or client=
[22:04] <jmedina> ?
[22:04] <HellMind> I need a chrooting guide of ubuntu-server without debootstrap
[22:05] <sgsax> clusty: ok, so that says the server at 192.168.0.1 thinks the IP for algo01 is 67.215.65.132
[22:05] <sgsax> you are expecting the 192.168.x.x address instead?
[22:05] <clusty> sgsax, that is openDNS
[22:05] <clusty> i think
[22:05] <clusty> yes
[22:05] <clusty> 192.168.0.128 should be the answer
[22:06] <sgsax> ok, is your bind set up to be authoritative for that subnet?
[22:06] <sgsax> or zone
[22:06] <clusty> http://pastebin.com/m446da65d
[22:06] <clusty> dhcpd.conf
[22:07] <sgsax> this is not a dhcp issue
[22:07] <sgsax> unless you are pushing out the wrong resolver info
[22:07]  * giovani smacks head against wall very hard
[22:07] <clusty> sgsax, sec lemme give you bind.conf
[22:07] <clusty> named.conf
[22:07]  * sgsax offers giovani ice and whiskey
[22:07] <clusty> as of
[22:07] <jmedina> clusty: have fun, I have to go out and rescue a customer's server :S
[22:08] <clusty> jmarsden, :D
[22:08] <clusty> sgsax, http://pastebin.com/m217a7097
[22:08] <clusty> named.conf
[22:08]  * jmedina hopes jmarsden donest have IRC notifications enabled :)
[22:08] <sgsax> clusty: I do see in your dhcpd.conf that you are handing out addresses from a general pool
[22:08] <sgsax> this means you also need proper dynamic dns setup locally
[22:09] <clusty> http://pastebin.com/m7e8542b
[22:09] <sgsax> either that or you have to issue specific IPs to known MACs
[22:09] <clusty> named.conf.local
[22:09] <clusty> sgsax, that is exactly what i do not want to do
[22:09] <clusty> sgsax, i want dynamic ip's
[22:09] <sgsax> that's fine, but you need dynamic dns running internally
[22:10] <clusty> sgsax, and still be able to address them by name. so far we have 3 machines and it bearable.
[22:10] <clusty> sgsax, we just got 10 servers which makes it imposibble to track it properly unless DNS works on local net
[22:10] <sgsax> your external dynamic dns will always point your router
[22:10] <KillMeNow> clusty, it sounds like you want to dynamically update your local DNS resolver with new DHCP hostnames and such?
[22:10] <clusty> sgsax, yes
[22:10] <clusty> KillMeNow, yes
[22:10] <sgsax> so it will never be able to resolve your internal private subnet IPs
[22:11] <clusty> KillMeNow, i told dhcpd to dynamically ipdate local thing
[22:11] <clusty> sgsax, ok. so forwarding dns requests does not work with dynamically updating local ones?
[22:11] <clusty> sgsax, mutually exclusive?
[22:11] <sgsax> correct
[22:12] <clusty> sgsax, what do you suggest i do?
[22:12] <sgsax> all the external dynamic dns server will do for you is get the new IP for your router when it changes
[22:12] <clusty> sgsax, i think there is a small misudnerstanding
[22:13] <clusty> sgsax, they are not accesible from outside
[22:13] <KillMeNow> http://www.cahilig.org/debian-and-ubuntu-ddns-bind9-and-dhcp
[22:13] <sgsax> clusty: no I understand that
[22:14] <clusty> sgsax, so there is nothing of sorts: whenever there is no "." in the request assume local net
[22:14] <clusty> else forward to the ISP ?
[22:14] <sgsax> clusty: not as far as the external dns is concerned, no
[22:14] <sgsax> external dns knows nothing about any hosts behind your router
[22:14] <sgsax> it see everything as coming from your router
[22:14] <sgsax> that's how NAT works
[22:15] <sgsax> so you need ddns behind your router to take care of resolving all hosts behind the router
[22:15] <giovani> clusty: no, you don't do it that way
[22:15] <giovani> you use a search domain in /etc/resolv.conf
[22:15] <giovani> and then put the FQDNs in your local DNS
[22:15] <sgsax> the link from KillMeNow looks very thorough
[22:16] <clusty> it is
[22:16] <clusty> feels nice and thorough
[22:16] <sgsax> have a go at that, see what it gets you
[22:21] <LiraNuna> " A. You can use "passwd" program for that purpose. Note that pam-mysql doesn't permit password change without the root privilege (pid=0). "
[22:21] <LiraNuna> pwnguin ^
[22:23] <clusty> sgsax, thanks a bunch. i might cleanup all the junk with that one
[22:26] <uvirtbot`> New bug: #415053 in bacula (universe) "install bacula" [Undecided,New] https://launchpad.net/bugs/415053
[22:32] <pwnguin> LiraNuna: well yea, that confirms your theory, but doesn't say much about why
[22:32] <LiraNuna> yeah
[22:32] <LiraNuna> normal users /should/ be able to change their password, right?
[22:33] <pwnguin> usually, yes
[22:33] <pwnguin> just another sign that this pam-mysql idea is not sane
[22:40] <HellMind> #debian guys are punks
[22:41] <andol> HellMind: Don't visit that channel then? :)
[22:41] <howie>  what do i have to do to virtual host a second website on my server?
[22:42] <HellMind> I got ubuntu and debian
[22:42] <HellMind> it seems if you use debian you cant use any os -_-
[22:43] <KillMeNow> http://ubuntu-tutorials.com/2008/01/09/setting-up-name-based-virtual-hosting/
[22:43] <KillMeNow> it's for a bit older version, but still holds fairly true
[22:48] <howie> KillMeNow: ty ill take a look
[23:11] <mathiaz> bdmurray: hey - I've tried to modify the multi-package-bug-fixed-released script you gave me to get a list of bugs nominated
[23:11] <mathiaz> bdmurray: I'm using the following query:
[23:11] <mathiaz> bdmurray: for task in target_package.searchTasks(order_by='-date_last_updated',status=['Fix Released'], omit_targeted=False):
[23:12] <mathiaz> bdmurray: how can I check if a bug is nominated for a release?
[23:14] <bdmurray> mathiaz: nominated, not targetted correct?
[23:14] <mathiaz> bdmurray: correct
[23:15] <mathiaz> bdmurray: I'd like to a list of bug that have been nominated so that we can go through it and accept/decline them
[23:15] <mathiaz> bdmurray: the advanced search page doesn't give all of them unfortunately
[23:16] <mathiaz> bdmurray: next step is to use a script to gather such data
[23:20] <quizme> hi, how can i restart a process after reboot?
[23:21] <KillMeNow> like this:  /etc/init.d/servicename restart
[23:21] <KillMeNow> so like:  /etc/init.d/apache2 restart
[23:21] <KillMeNow> what are you wanting to restart?
[23:23] <bdmurray> mathiaz: something like jaunty = ubuntu.getSeries(name_or_version='jaunty') and package.searchTasks(nominated_for=jaunty,status=['Fix Released'])
[23:23] <quizme> killmenow: glassfish
[23:23] <quizme> killmenow: it's a java app server to run my website
[23:23] <bdmurray> mathiaz: I'm pretty sure that will work
[23:23] <KillMeNow> ahhh
[23:23] <mathiaz> bdmurray: great thanks
[23:23] <KillMeNow> so you glassfish runs on tomcat?
[23:23] <quizme> killmenow: i'm using apache
[23:24] <quizme> killmenow: and doing a mod_proxy thing
[23:24] <quizme> killmenow: not sure about tomcat
[23:24] <KillMeNow> ok
[23:24] <KillMeNow> well i've never used glassfish
[23:24] <quizme> i just want restart glass fish after the machine reboots
[23:24] <quizme> so that my site doesn't go down
[23:24] <bdmurray> mathiaz: I'm more sure now that it'll work ;-)
[23:25] <quizme> if u make an init.d script will it auto restart after reboot ?
[23:25] <KillMeNow> yea
[23:25] <KillMeNow> if there isn't one already
[23:26] <KillMeNow> then you can either link it to the appropriate rc.d level or if you have chkconfig installed
[23:26] <KillMeNow> you can do a chkconfig --list <servicename>
[23:26] <KillMeNow> and set the boot time start level
[23:26] <mathiaz> bdmurray: is there a query to get the list of all supported distros?
[23:26] <KillMeNow> http://docs.sun.com/app/docs/doc/820-4341/abdeb?a=view
[23:27] <KillMeNow> take a look at that, looks like Sun has a doc on automatic restart
[23:27] <quizme> killmenow is there a simpler way besides init.d cuz i think i did it the simpler way last time
[23:27] <quizme> killmenow: i now it's working on my old server i just don't know whwere i put that script.
[23:30] <KillMeNow> sorry, again i never used Glassfish
[23:30] <KillMeNow> but if it is working on your old server, you can always try to do a locate
[23:32] <bdmurray> mathiaz: do you supported series?
[23:33] <chris___> hi - has anyone upgraded Hardy to apache 2.2.13?
[23:33] <mathiaz> bdmurray: hm - right now I need to hardcode the list of supported series (dapper, hardy, intrepid, jaunty)
[23:33] <mathiaz> bdmurray: I'd like to dynamically get that list from LP
[23:33] <bdmurray> mathiaz:
[23:34] <bdmurray> for s in ubuntu.series:    print s,s.active
[23:34] <bdmurray> mathiaz: I'm mostly just reading https://edge.launchpad.net/+apidoc/#distribution
[23:34] <mathiaz> bdmurray: ok - thanks
[23:34] <bdmurray> no problem
[23:36] <quizme> how do i run a command after reboot ?