/srv/irclogs.ubuntu.com/2009/09/10/#ubuntu-server.txt

=== monteith is now known as monteith_afk
KillMeNow	LMAO guntbert	00:07
JanC	guntbert: well, do you also have a slogan for understanding ternary logic? ;)	00:08
KillMeNow	JanC: isn't that the logic that got us in the economic mess? hehehehe	00:10
JanC	start at http://en.wikipedia.org/wiki/Ternary_computer if you wanna read about it	00:10
mdz	smoser, ping	00:11
=== erichammond1 is now known as erichammond
uvirtbot	New bug: #404394 in kvm (universe) "qcow2 corruption regression" [Undecided,New] https://launchpad.net/bugs/404394	00:25
uvirtbot	New bug: #427075 in php5 (main) "libphp5.so segmentation fault - apache2+mediawiki" [Undecided,New] https://launchpad.net/bugs/427075	00:29
smoser	mdz, here now	00:29
Techtronic	hello , i cant login to nagios ... PAM: user 'nagiosadmin' - not authenticated: Authentication failure .....	00:43
Techtronic	what i do wrong ? :/	00:44
KillMeNow	http://www.linuxquestions.org/questions/linux-software-2/lost-nagios-admin-password...-help-695402/#post3399240	00:45
KillMeNow	that shows how to reset the nagios admin user password	00:46
Techtronic	i know pasword	00:46
Techtronic	not helped this link	00:48
Techtronic	PAM authenticate failure :/	01:03
Techtronic	need disable mod_auth_pam.c	01:04
KillMeNow	http://ubuntuforums.org/archive/index.php/t-275996.html	01:04
KillMeNow	google Techtronic	01:04
Techtronic	KillMeNow thanks you saved my night :D	01:08
mm_202	Can someone please assist me with an apparmor issue?	01:14
mm_202	Im trying to start mysqld and I get this lovely error: 090909 20:12:42 InnoDB: Operating system error number 13 in a file operation.	01:14
mm_202	InnoDB: The error means mysqld does not have the access rights to the directory.	01:14
KillMeNow	here is the best assistance i could give you mm: toss apparmor	01:15
mm_202	KillMeNow: yes, I fscking hate it. But the ONLY reason I am reluctant is that it is a public server..	01:17
mm_202	My first box that isnt behind a firewall	01:17
mm_202	But I guess if someone gets shell access Im screwed anyways	01:17
mm_202	How many people here run servers (ubuntu of course) without a firewall?	01:18
KillMeNow	i have a public facing Ubuntu box, but it's all IPTabled up	01:20
KillMeNow	and i don't use apparmor	01:20
KillMeNow	i tried to get it to work, but it's a big stinking pile of poo	01:20
KillMeNow	altho i've heard it's easier than SElinux	01:21
mm_202	Yeah, my ubuntu servers at home, I killed apparmor on them as well	01:21
KillMeNow	as long as you stay up on your patching and don't run anything that could cause you problems like IRC or something	01:22
KillMeNow	or if you do i suppose you could run it in a jail	01:22
mm_202	Yep, remove apparmor and works great now =)	01:23
KillMeNow	big pile of stinking poo	01:26
KillMeNow	i think that's what i called it... yea..	01:26
oh_noes	is it possible to remount / as ro from recovery	02:53
oh_noes	or do i have to boot a live CD?	02:53
twb	oh_noes: sudo mount -o ro,remount /	03:05
twb	TIAS	03:05
qman__	I haven't run into any problems with apparmor, but it's worlds better than selinux	03:22
qman__	since with apparmor, if you're having an issue, you can just remove one profile that's causing it	03:22
qman__	with selinux you have to disable it altogether, or find and fix the problem	03:23
qman__	and the error messages aren't very friendly	03:23
oh_noes	twb: doesnt work ... even after booting into recovery mode it says Device is busy	03:23
oh_noes	and 'mount' shows . mounted as full rw	03:24
oh_noes	which is where im confused	03:24
qman__	apparmor is also a pretty nice alternative approach to jailing services	03:24
twb	qman__: I would trust a jail more...	03:24
twb	oh_noes: dunno, then, sorry.	03:25
error404notfound	whats wrong with this cron: "10 4 * * * freshclam; clamscan --bell -r --detect-pua=yes --max-dir-recursion=40 --log=/var/log/clamav/$(date +%b%d%Y%H%M%S).log -i /", it says: /bin/sh: Syntax error: end of file unexpected (expecting ")")	05:40
=== dendrobates_ is now known as dendrobates
qman__	error404notfound, there's no user listed for the job to run as	05:42
error404notfound	qman__, no, thats not needed, all crons in root's crontab run without user	05:43
error404notfound	there is something else	05:43
error404notfound	without user mentioned explicitly*	05:43
qman__	I use cron.d and friends, not root's crontab	05:43
qman__	makes management easier	05:43
error404notfound	i use one crontab :D	05:43
foob12	does anyone software based mp3 player that supports socks 5 proxy client funtion	05:44
maxagaz	hi	05:45
qman__	error404notfound, I think I see it	05:45
qman__	--log=/var/log/clamav/$(date +%b%d%Y%H%M%S).log	05:45
qman__	because of that space, you need quotes	05:46
qman__	though I don't know where you need them	05:46
qman__	also, escaping that space may work	05:46
error404notfound	hmmm, lemme check	05:47
qman__	I thought that should have worked the way you have it	05:48
qman__	but since it's in --log=, it may not apply normally	05:48
qman__	that's the only place a missing ) makes sense	05:48
qman__	I also don't know if dash supports the $() syntax, though I don't see why it shouldn't	05:49
=== erichammond1 is now known as erichammond
error404notfound	qman__, even tried date \+... , still same error	05:56
error404notfound	\ before space	05:56
qman__	I don't see any notes regarding $() in dash	05:59
qman__	try using backticks just to see if it's the same error	05:59
qman__	also, any particular reason you're scanning /?	06:03
qman__	it's really not necessary, you only need to scan your file shares	06:04
twb	foob12: mplayer probably	06:04
error404notfound	qman__, i also tried `` and got: /bin/sh: Syntax error: EOF in backquote substitution , and i am scanning because a stupid user uploaded some stuff while i wasnt not around its infected, so just to be safe than sorry i wnat to scan whole "/"	06:05
error404notfound	qman__, even if i scan file shares, home dirs, the error in the cron is still there, right?	06:05
qman__	yes	06:06
jmarsden	error404notfound: man 5 crontab and then escape all the % signs with \ or else cron will turn them into newlines :)	06:06
error404notfound	jmarsden, aaaahhhhh :D lemme see	06:07
qman__	that would do it	06:07
error404notfound	and any comments on http://ubuntuforums.org/showthread.php?t=1262527 ?	06:09
qman__	the keys were copied wrong	06:10
qman__	it's failing when attempting to parse	06:11
jmarsden	error404notfound: Looks like you put a GPG key in a config file, or something along those lines?	06:11
qman__	ssh hosts files have just the key, on one line	06:11
qman__	no ----BEGIN or anything	06:11
error404notfound	jmarsden, i removed the config file altogether.	06:11
qman__	one key per line	06:11
jmarsden	error404notfound: pastebin the output of ls ~/.ssh ; file ~/.ssh/* so we can see what the files in there are?	06:13
error404notfound	okies	06:13
error404notfound	qman__, jmarsden, http://pastebin.ca/1560766	06:15
qman__	waiting for pastebin.ca...	06:16
jmarsden	Hmm, my browser is having trouble getting a response from pastebin.ca... trying again...	06:17
error404notfound	qman__, jmarsden, http://pastebin.com/m3e38d075	06:18
qman__	sure have a lot of files there	06:19
qman__	I've only got known hosts files	06:19
error404notfound	:D	06:19
error404notfound	i work in too many places and dont wanna use same keys for more than one office	06:19
qman__	good plan	06:19
jmarsden	Yow, there is way too much junk in there to debug. For testing, can you tar that lot up, save the tarball somewhere safe, then delete all the files from ~/.ssh/ except known_hosts and one pair of keys?	06:21
jmarsden	Probably id_rsa and id_rsa.pub would be the logical ones to keep	06:22
error404notfound	that's a 100% chance that would fix the issue	06:23
error404notfound	thats*	06:23
jmarsden	OK, so do it and then we can slowly add stuff back until we find the problem.	06:23
jmarsden	This is called troubleshooting :)	06:23
error404notfound	issue fixed...	06:24
error404notfound	:D	06:24
error404notfound	jmarsden, i am too lazy to do this alone, so stick with me, i am sooooooo lonely :P :D	06:24
jmarsden	OK, add back new_id_rsa and new_id_rsa.pub and retest	06:25
error404notfound	jmarsden, doing it :D	06:25
jmarsden	As in, now you have the error?	06:26
jmarsden	Or as in, now you are testing?	06:27
error404notfound	misc* is causing the problem	06:27
error404notfound	even renaming them doesn't solve the problem, and they are valid ssh keys as i cat them	06:28
twb	None of those keys will be used unless you have code in .ssh/config or /etc/ssh/ssh_config telling it to.	06:30
error404notfound	okay, this is strange, for one host the misc ones give rise to the error, for other hosts its a different pair, strange..	06:30
error404notfound	i dont have a ~/.ssh/config and i havent specific anything in ssh_config, lemme pastebin	06:31
error404notfound	http://pastebin.com/m45eb2184	06:32
jmarsden	Looks pretty boring to me... nothing in there about using the other keys. So you have been doing ssh -i whatever all over the place to get it to use the special keypairs?	06:35
error404notfound	jmarsden, i have aliases :P	06:43
jmarsden	OK. I'm doing some testing here... Apparently, if you have lots of keypairs in ~/.ssh, the default is to try all of them... ? I just did for i in `seq 1 50` ; do ssh-keygen -f junk$i ; done and so generated 50 junk keypairs (held down the enter key for all the password prompts).	06:44
jmarsden	I have a feeling there was a bug report about this and how to fix it somewhere in Launchpad...	06:45
jmarsden	Most likely you can just specify the key for each host in ~/.ssh/config so it only presents one, not all of them?	06:46
error404notfound	jmarsden, yup, it tries one by one all keypairs, and thats not what i want, for hosts i dont use "-i" i want it to go to password authentication directly	06:46
jmarsden	Well, you should probably set up ~/.ssh/config to tell it that, or something close to that, then.	06:47
error404notfound	jmarsden, yes, but for LAN machines, i use passwords, not keys, here at this office i have a 70 node LAN, 5server, for servers=keys, for other = passwords	06:47
jmarsden	If you just put Host * IdentifyFile id_rsa Host server1 IdentityFile whatever_rsa and so forth lines in ~/.ssh/config it should work fine.	06:48
jmarsden	No need for the -i nonsense if you configure SSH right :)	06:49
jmarsden	That should be IdentityFile id_rsa in there, not IdentifyFile, weird typo	06:50
jmarsden	See https://bugs.launchpad.net/bugs/374427 for a similar kind of issue.	06:52
uvirtbot	Launchpad bug 374427 in openssh "doesn't accept multiple keys in id_rsa" [Undecided,Invalid]	06:52
error404notfound	jmarsden, okay, what if i want to use same key for multiple hosts? will i need multiple hosts blocks? thats redudant and i will have to add say 30,40 entries :(	06:52
jmarsden	I'm not sure, I think as long as you have a Host * IdentityFile id_rsa in there as a default you can override that with -i if you really want to and like it :)	06:54
jmarsden	But IMO 30 or 40 aliases are at least as bad as 30 or 40 lines in a config file :)	06:54
jmarsden	And BTW, why do you need 30 or 40 keypairs anyway?	06:54
error404notfound	jmarsden, i use one key for 5 servers at this place, one for 8 servers at another, 1 for 3 servers at home and my vps, and etc,	06:54
error404notfound	jmarsden, not 30,40 keypairs, 30,40 hosts with which i use keys	06:55
jmarsden	I don't know if you can do Host *.somedomain.com in ~/ssh/config, you'd have to experiment.	06:55
error404notfound	Say host A and B uses id_rsa, and host C and D id_rsa, would i need 4 hosts blocks?	06:55
error404notfound	jmarsden, i can do that.	06:55
jmarsden	Looks like you can. man ssh_config and search for the section titled PATTERNS	06:56
k2en	hi	06:58
k2en	i'm running hardy as a file server for about 30 clients , both XP and Ubuntu. It was running fine until a few days ago , now it takes the clients a long time to connect and browse the server.	06:59
k2en	but i ran top on the server and nothing seem to slow it down	07:00
twb	k2en: did you try reading the log files?	07:00
k2en	twb, which log files should i check specifically ?	07:01
twb	k2en: /var/log/*	07:01
twb	k2en: I don't know, specifically.	07:01
twb	Though for "network is slow" I would often resort to a simple packet sniff, to find out where in the connection the slowness occurs.	07:01
k2en	twb, ok what do i need for that? etherape?	07:02
twb	I normally use tshark (wireshark) or tcpdump.	07:02
twb	Primarily because with those I can dump a .pcap file and then analyse it later/elsewhere	07:03
jmarsden	k2en: Whatever sniffer you already know how to use. tcpdump, wireshark, use whatever works for you :) BTW for "connect and browse", I'd be checking samba log files too... and wondering about DNS/browse master type issues.	07:03
twb	jmarsden: ooh, good idea re DNS	07:03
k2en	jmarsden, why should i check DNS?	07:03
twb	hard-binding name services routinely fuck me w.r.t. that kind of symptom	07:03
* twb glares at LDAP		07:04
jmarsden	because if hosts can't resolve the server name using DNS they may time out and then retry using NETBIOS or whatever... and that all wastes time...	07:04
k2en	jmarsden, i see.that would be a cleint problem then , no?	07:05
jmarsden	Not necessarily. Maybe your DNS server died? or your winbindd is doing something bad? or whatever... Did anything change regarding DNS or the ISP you use or whatever that could be related to this	07:05
k2en	jmarsden, no, i'm using different DNS for different boxes, but the problem is with all clients	07:06
jmarsden	k2en: Basically, when "connect and browse" is slow, name resolution is a VERY common culprit, so I would suggest you test it instead of telling me it can't possibly be broken. Just from experience :)	07:07
k2en	jmarsden, sure	07:07
k2en	jmarsden, how do i check that on the client?/	07:08
jmarsden	Use nslookup	07:08
jmarsden	Check using ipconfig /all that the XP client is using the DNS server(s) you think it is, too.	07:08
jmarsden	Check that the hosts file in C:\WINDOWS\system32\drivers\etc is sane, if you thing someone or something might have messed with that.	07:09
k2en	jmarsden, ok, thanks	07:09
k2en	the reason i thought its a server problem is that suddently all clients reported a slow down	07:10
k2en	but i will check the DNS and hists	07:10
k2en	hosts	07:10
k2en	also samba logs	07:10
jmarsden	Sounds like a network problem of some sort, but may not be the actual SMB service that is the culprit.	07:10
jmarsden	I've seen networks go nuts when someone plugs in a Cat5 patch cable ... both ends of it into the same switch :/	07:11
k2en	jmarsden, `since my server has a fixed IP ,can i set the client to go directly to IP without a need for DNS?	07:12
jmarsden	You can, but that's not really a good idea except for testing.	07:12
k2en	i'm pretty sure the ubuntu clients do that	07:13
jmarsden	Why, if you have (or had) working DNS on this network?	07:13
k2en	jmarsden, going to checkthe logs, thanks for info, killing the gui now	07:14
jmarsden	OK... BTW, Ubuntu server's do not have a GUI	07:14
=== imchrislabeard is now known as artillerytx
artillerytx	is there a text based aim client for ubuntu ?	07:15
henkjan	artillerytx: irssi + bitlbee	07:18
artillerytx	henkjan: is that better than centericq?	07:18
henkjan	artillerytx: i've never used centericq.	07:25
artillerytx	k cool	07:25
henkjan	artillerytx: irssi is een irc client and bitblee a gateway to jabber/msn/aim/icq	07:25
artillerytx	i've used irssi	07:25
artillerytx	didn't know it has like extensions	07:26
jmarsden	artillerytx: bitlbee is not irssi specific, it is a gateway so any IRC client can talk to other kinds of messaging servers.	07:32
uvirtbot	New bug: #427190 in php5 (main) "php pages on localhost try to download instead of render in firefox most of the time" [Undecided,Incomplete] https://launchpad.net/bugs/427190	07:55
soren	mdeslaur: lp:~soren/+junk/pyotp	07:56
twb	Did I see something recently about infrastructure to install an arbitrary i386 .deb into an amd64 system (i.e. a biarch workaround)?	08:17
twb	Can it be generalized into unpacking debs from one arbitrary arch into another arbitrary arch? (Running the postinst is not necessary.) Plan B is to try dpkg -x.	08:17
mushroomblue	no.	08:24
mushroomblue	well, maybe.	08:25
mushroomblue	the reason it works with x86/x64 is because of a binary compatibility library that AMD released	08:25
mushroomblue	I suppose something could be done for other archs, provided someone's written the glue.	08:26
mushroomblue	otherwise, no.	08:26
mushroomblue	it's a shame the crusoe didn't take off; it might've brought this sorta thing automatically.	08:27
twb	mushroomblue: I intend to combine it with qemu's CPU emulators	08:33
twb	In the imaginary scenario where my I won't be distracted from this goal by the end of the day	08:34
k1en	hi, can anyone take a look at my samba log, i'm running a file server and recently clients have been complaining about a slow down	08:46
k1en	http://pastebin.ubuntu.com/268431/	08:47
k1en	the main error is " getpeername failed. Error was Transport endpoint is not connected"	08:47
jmarsden	k1en: There is a somewhat inconclusive thread at http://lists.samba.org/archive/samba/2005-April/thread.html#104000 which might be relevant?	08:54
k1en	i'll try "smb ports = 445"	08:56
k1en	another error i get is : "call_trans2qfsinfo: not an allowed info level (0x102) on IPC$"	08:56
k1en	i read here that an ugrade might solve it : http://forums.opensuse.org/network-internet/391249-samba-problem-after-upgrade-opensuse-11-a.html#post1847349	08:57
k1en	i havent updated my server in months so i'll try it	08:58
=== Ng_ is now known as Ng
acalvo	Hi	09:36
acalvo	when using winbindd, if I want to use it from another server, I need to install the winbindd program to be able to "talk" to the winbindd server?	09:36
cocoa117	is there any NAS appliance available on ubuntu-server? i can just run	11:56
twb	cocoa117: you want to buy a NAS unit that ships with Ubuntu pre-installed?	12:00
cocoa117	twb, no, i have old machine lying around, want to put ubuntu on it with NAS software (Samba, web management, NFS...)	12:03
cocoa117	don't like the NAS hardware, it have limited features	12:03
twb	IME all web management blows.	12:03
twb	Theoretically ebox is supported, but I wasn't impressed.	12:04
cocoa117	so the best still ssh then	12:05
mdeslaur	soren: wow...that is...incredibly simple. cool!	13:01
apw	kirkland, seems our virutal kernel requires one of grub or lilo to be installed, we are wondering if there is any reason that we cannot also allow grub2 to be an option as we do for all the otehr kernel images	13:25
smoser	soren, ping	13:47
smoser	good morning erichammond	13:47
erichammond	smoser: 'lo	13:47
kirkland	apw: i don't know of any reason why not	13:50
apw	i was pointed a zul, what timezone is he in	13:50
apw	or are you happy to be definiative on that one	13:50
* apw can't see any reason either		13:50
apw	kirkland, ^^	13:51
smoser	erichammond, i think you answered the question, but just to be sure, you're not aware of anyway to generate a manifest that [re]uses another's "<parts count='15'>"	13:51
kirkland	apw: zul is in ottawa	13:51
kirkland	apw: one hour ahead of me	13:52
smoser	it really seems that this shoudl be acheivable, especially given the existance of euca2ools that generate them	13:52
kirkland	soren: smoser, can grub2 be used in the ec2 kernel?	13:52
apw	the ec2 kernel is different again, this is -virtual	13:53
smoser	kirkland, no	13:53
smoser	ec2 doesn't use a bootloader	13:53
smoser	err, rather they use xen dom0 as the bootloader	13:53
apw	i am a little confused that it would care at all that you have or do not have a bootloader	13:53
erichammond	smoser: I haven't tried tweaking manifests. I just use the ec2 AMI tools.	13:53
smoser	erichammond, i've tried hacking at the manifest unsuccessfully... but i didn't re-do any of the crypto stuff, so likely the output of mine didn't validate.	13:54
apw	i would expect that all the normal consumers of -virtual don't need one at all, and its making sure its installed in the host, so ... its not obvious that it should care at all, ie. any should be ok	13:54
smoser	apw, kirkland, i'm missing something here.	13:55
erichammond	smoser: ... Yep, I was about to make a comment about the encryption/signing. You'd need to use Amazon's public key which I suppose is buried in the compiled Java code.	13:55
smoser	erichammond, well somewhere/somewhow euca2ools can do it	13:55
apw	the kernel flavour -virtual has an install depenancy on a bootloader, it requires grub or lilo to be installed when it installed	13:55
smoser	ah.	13:56
smoser	i'd say maybe.	13:56
apw	we want to add grub-pc (grub2) to that list. as far as i understand the use model you install it in the host anyhow	13:56
smoser	the user of -virtual could be	13:56
smoser	a.) someone using it on bare metal	13:56
smoser	b.) someone using it in xen domU	13:56
erichammond	smoser: It shouldn't be that difficult to simply recreate the image (ec2-unbundle) and rebundle it (ec2-bundle-image)	13:56
smoser	c.) someone using it in kvm domU booting a disk/bootloader	13:56
smoser	d.) someone using int in kvm domU booting with 'kvm -kernel/-initrd'	13:57
smoser	for a and c above, you need a bootloader	13:57
smoser	erichammond, correct. thats easy.	13:57
apw	smoser, but any bootloader is acceptable, so adding grub2 seems reasonable. yes?	13:57
smoser	but then it you have to use a different prefix (or rename the image) to avoid collision on upload to s3	13:58
smoser	apw, i would think so, yes. i have no knowledge or reason to believe that grub2 does not work in kvm guest.	13:58
apw	so that sounds like general 'its not mad, lets go for it' all round then	13:58
smoser	erichammond, my goal in 'hacking' it was to use the same <part> pieces, and thus be obvious that "this is the same AMI but with changed kernel/ramdisk"	13:59
smoser	i think that would be less obvious with rename	13:59
erichammond	smoser: Nobody but the image creator can look at the contents of the manifest.	14:00
smoser	i wondered how publi that would be. i think i'm old on just re-bundling	14:01
smoser	s/publi/public/	14:02
erichammond	smoser: I think anybody who cares to the level you are describing can simply run the old AMI with the new AKI+ARI.	14:02
smoser	yeah. i think maybe i'm being overly concerned.	14:02
smoser	i just know that lots of people don't like changing anything once their app is working.	14:02
erichammond	smoser: Yep, I know some of those. They're still running Gutsy on EC2.	14:03
smoser	and such a change in the ami that its built on would possibly force another round of test	14:03
smoser	if they could be convinced that the disk contents were identical, but with different kernel, maybe they'd waive those.	14:03
erichammond	There's no way for anybody but the creator to know what the AMI contents are or to know that they are the same as any other AMI contents.	14:04
erichammond	It's 6am here. I need to grab some sleep.	14:05
smoser	erichammond, good night. thanks.	14:06
smoser	i'm changing the doc to say we'll rebundle	14:06
zul	morning	14:12
zul	smoser: i was thinking last night that you might want upload a test image with the kernel modules from the ppa so people can test what they would normally do with an ec2 miage	14:17
smoser	zul, test image with kernel modules?	14:25
smoser	i want to get something together today and send out a request for testing. something that wethink would work.	14:26
smoser	it would be more useful if "very very soon" was defined with an actual time (as per launchpad's "Launchpad will be going offline for maintenance very very soon." message)	14:39
shyam_k`	as i connect to my home router(&modem), i can ping to my router but can't access ping an external site.. i can telnet to my home router(&modem that the isp gave me) and can see that it can ping external sites. What can be the problem?	14:40
shyam_k`	where will be the problem? can it be with the router, or the laptop, or even the isp's external node?	14:41
shyam_k`	the laptop can ping the router. so i donno if it requires any more than that to get internet that the router has..	14:43
shyam_k`	ah i forgot to say that under such a situtation,.if i reboot the router and reconnect the lap with router, everything works fine	14:44
zul_	bah..my internet connection is sucking today	14:49
=== zul_ is now known as zul
shyam_k`	zul: mine too:(	14:50
soren	mdeslaur: I almost finished a C implementation as well, but eventually had to slepe.	14:53
soren	mdeslaur: sleep, even.	14:53
soren	smoser: You pang, sir?	14:54
smoser	si	14:54
smoser	a couple things, soren	14:55
=== monteith_afk is now known as monteith
smoser	a.) i think i give up on the 're-use image parts' (aka hack a manifest with newer aki/ari)	14:55
smoser	at least for the moment it doesn't seem to give much benefit	14:55
soren	smoser: Alright.	14:56
smoser	above, erichammond pointed out that no one othe rthan the author can see the manifest	14:56
soren	smoser: By default, yeah.	14:56
smoser	so it doesn't help "prove" anything or give stronger indication than a promise that the disk image didn't change	14:56
smoser	i didn't know if there were possibly some keys there or something that you wouldn't want to share it.	14:56
smoser	but anyway, i'm not going to bother chasing that right now	14:57
soren	smoser: Alright.	14:57
mdeslaur	soren: now we need to convince someone to buy us some tokens :P	14:57
kirkland	soren: is vmbuilder in LP functional yet?	14:57
soren	kirkland: Nope, sorry.	14:57
smoser	(wouldn't hvae thought there were keys, but there are things like 'user_encrypted_key' in the xml	14:57
soren	kirkland: Haven't gotten far on my todo list today at all, really.	14:57
soren	kirkland: My dentist appointment involved a lot of waiting :(	14:58
smoser	b.) had you investigated acutally packaging the ec2 kernel builds such that 'apt-get install linux-image-$(uname -r)' would work to get modules for your kernle ?	14:58
smoser	i think that doing that would give more consistent usage with the rest of ubuntu, even with building private kernel modules (using linux-headers, config and such)	14:58
soren	smoser: Not really. I did most of my thinking on the subject back when there were no network drivers in the default kernels, so apt-get was out of the question.	14:59
smoser	i think we'd still want the initrd to house the network drivers	14:59
smoser	so they'd be duplicated	15:00
soren	smoser: There's also the problem of ABI bumps.	15:00
smoser	what problem ?	15:00
soren	smoser: Usually, we nuke packages with the old ABI when there's a new one.	15:00
soren	smoser: ...which would render the instances using older kernels less functional.	15:00
smoser	really. i was unaware that we took such rude stance on that.	15:00
soren	smoser: ...since they can't install their modules anymore.	15:01
smoser	it definitely would be a show stopper.	15:01
kirkland	soren: what can I do to make vmbuilder functional?	15:01
soren	kirkland: Install grub1.	15:01
soren	kirkland: Or wait >(	15:01
kirkland	soren: is there assistance i can offer on vmbuilder?	15:01
soren	Er...	15:01
* soren switches keyboard layout..		15:01
soren	There. >) should have been :)	15:02
kirkland	>) looks like a wincing smile	15:02
soren	kirkland: I don't think your time would be very well spent trying to work things out in VMBuilder. that part of it is qite opaque.	15:03
smoser	soren, so, i still think that we should try to get 'apt-get install linux-image-$(uname -r)' to work inside a ec2 instance	15:03
smoser	to deal with the deletion of old packages, we should make sure "reasonable" modules are loaded in the initrd (or copied through to the guest).	15:04
soren	smoser: You should ask the archive admins, really. It's their decision whether they're willing to keep the binary packages around forever.	15:04
smoser	but if we're telling people elsewhere "you really shouldn't use these kernels" then we should be sending that message on amazon too	15:04
soren	smoser: I don't think that's good enough.	15:04
smoser	soren, why not ? as it is right now, there is some limited list of modules that you get. if you want more your on your own	15:05
soren	smoser: It will mean that stuff that used to work could suddenly cease to work without any hint or warning.	15:05
soren	smoser: Ok, you lost me.	15:05
smoser	how is that different from my server system ?	15:05
soren	smoser: You server system has the modules on disk.	15:05
soren	smoser: Restarting it will not remove them.	15:05
smoser	yes, but maybe it doesn't have linux-headers (so i can't build a module)	15:06
smoser	and i'm unable to get that for my system now because someone deleted them from the archive for me	15:06
soren	smoser: If you haven't built it, you're not using it, and are not dependent on it.	15:06
soren	smoser: On EC2, you may have been using the modules happily for a long time, along comes and ABI bump, and your modules go missing.	15:06
smoser	my documentation on how to do somehing "used to work" and now doesnt	15:06
smoser	(the something above is 'build a kernel module')	15:07
soren	EC2 is really just very different here. It's designed to have people start up instances and blow them away all the time.	15:07
smoser	maybe i've scripted all that, so its magic (as the kernel-module packages do ... like kqemu or vmware ... )	15:07
soren	And if you install a new system in the real world, you'll be using a new kernel.	15:08
soren	On EC2 you don't have the liberty to just go and upgade your kernel like you do on your other systems.	15:08
soren	upgrade, even.	15:08
smoser	i agree that its somewhat different, but not completely.	15:09
soren	In short, there's nothing on your server system that will break that apt-get can't fix.	15:09
soren	There will be on EC2 if the modules package goes missing due to an ABI bump.	15:09
smoser	your argument is that you're "helping" users by allowing them to make full use of kernel's we've deleted for security reasons	15:09
soren	smoser: Or other reasons.	15:10
smoser	it seems like we're being less proactive in removal/deprecation of old kernel versions on ec2 than we are elsewhere	15:10
kirkland	soren: okay, how do i force it to install grub1?	15:10
soren	kirkland: On your host.	15:11
kirkland	soren: oh, really ... hmmf	15:11
soren	smoser: We don't forcibly remove people's kernels on "regular" systems.	15:11
soren	smoser: ...or the modules corresponding to old kernels.	15:12
smoser	but they are not able to do anything new with that old kernel (like build a new driver/filesystem for it) if they had not previously installed all $(uname -r) packages	15:13
soren	No, but they can just upgrade!	15:14
soren	that's the point.	15:14
soren	A quick apt-get, and they're done.	15:14
nimrod0	!help	15:15
ubottu	Please don't ask to ask a question, simply ask the question (all on ONE line, so others can read and follow it easily). If anyone knows the answer they will most likely reply. :-)	15:15
nimrod0	!snmp	15:15
ubottu	Sorry, I don't know anything about snmp	15:15
nimrod0	!snmpd	15:15
ubottu	Sorry, I don't know anything about snmpd	15:15
nimrod0	is there any good ubuntu tutorial for snmp and mibs ?	15:15
smoser	soren, a quick switch of ami would make the ec2 user 'done', no ?	15:16
soren	smoser: It's really not necessarily that quick.	15:16
soren	smoser: He may have rebundled or whatever.	15:16
kirkland	soren: i should be able to run vmbuilder from within a vm (assuming it has enough disk space), right?	15:17
soren	kirkland: Sure.	15:17
smoser	in the re-bundle case, i agree. but then they could have easily installed those modules before rebundling	15:17
soren	smoser: True.	15:17
smoser	the only thing i have against the ec2 kernel update proposal (of stuffing all modules into initramdisk and then copying that to /) is that it is not consistent with the way ubuntu works other places.	15:19
smoser	i'd suggest that we take that approach for kernel modules that we expect are highly likely to be used	15:19
smoser	and for others, provide the package to get the rest, and document that those might go away	15:20
smoser	soren, one other question i have on that... why not just 'modprobe' all the modules that were in the initrd as opposed to copying them to /lib/modules/$(uname -r)	15:21
smoser	other than memory usage, it'd seem the same (and if you were concerned about that, the user could remove any modules they didn't need)	15:21
soren	smoser: Hmm... I guess that could work.	15:22
smoser	it just feels to me that the less different 'ubuntu-on-ec2' is, the better	15:22
smoser	different than ubuntu-on-otherstuff	15:23
soren	Certainly	15:23
smoser	i was unaware of our stance on deleting things from the archive until yesterday. it just feels rude to me.	15:24
smoser	i guess you could presumably build from source	15:25
soren	smoser: We never delete stuff that was in he archive at release time.	15:25
soren	smoser: -updates and -security (and -proposed) are different, though.	15:25
smoser	right.	15:25
soren	As to making ubuntu-on-ec2 as much like ubuntu-on-everything-else as possible, I'm not completely sure whether having a boatload of modules installed at boot time that are nowhere to be found on the filesystem is more like everything else than an approach that, after ec2-init has done its magic, leaves a filesystem with modules ready to be loaded, just like everywhere else.	15:28
soren	I think I could be convinced either way at this point.	15:29
smoser	fair	15:29
smoser	i think from a documentation perspective, installing a linux-headers- and linux-image- package is nicely consistent	15:29
smoser	i really would like for that to "just work" as it does elsewhere.	15:30
smoser	hopefully existing files (copied from the initrd) to /lib/modules/$(uname -r) wouldn't cause install failure	15:30
nimrod0	anyone has a good guide to setup snmpd on ubuntu server as the default install generates just a handfull of values and no cpu or memory valuest	15:30
nimrod0	s/valuest/values	15:31
soren	smoser: They won't.	15:31
smoser	the 'for x in list-of-modules; do modprobe $x; done' just seemed easier than tmpfs and copying	15:31
smoser	and would "just work" without the root filesytsem doing anything	15:32
smoser	(if someone used our kernels/initrd for non-ubuntu ami)	15:32
cocoa117	is the stricky bit only work for other user? "chmod u=rwx,g=rwxt,o= test2" always give me drwxrwx---. i thought it supports to be drwxrwt---, anyone?	15:43
soren	cocoa117: replace your t with and s, and you should be good.	15:44
soren	cocoa117: what are you trying to achieve, exactly?	15:44
uvirtbot	New bug: #427236 in eucalyptus (main) "high memory usage by CC" [Undecided,New] https://launchpad.net/bugs/427236	15:46
cocoa117	soren, so only owner can delete file, while others can still edit it	15:48
genii	!info eucalyptus	15:48
ubottu	Package eucalyptus does not exist in jaunty	15:48
genii	Hm	15:48
soren	cocoa117: Then you still want o=t.	15:56
soren	cocoa117: g=s is something completely different	15:56
cocoa117	so it has to be chmod u=rwx,g=rwx,o=rwxt test2	15:56
cocoa117	soren, so it has to be chmod u=rwx,g=rwx,o=rwxt test2	15:57
soren	cocoa117: You don't need o=rwx	15:58
soren	cocoa117: o=t will do.	15:58
cocoa117	i c	15:58
cocoa117	soren, does that mean, other user can't read/write/execute the folder	15:58
soren	cocoa117: Yes.	16:00
cocoa117	soren, thanx	16:00
soren	cocoa117: I presume that's what you want given you tried o= to begin with.	16:00
cocoa117	soren, it is, only owner and group allow to access it	16:01
mxzypltk	VirtualD: did you have a chance to load the latest e1000e module last night?	16:10
smoser	erichammond, awake?	16:43
thebishop	i'm trying to install a telnetd server. I can access it with "telnet localhost", but when i try to access from a remote server it doesn't connect. I'm assuming this is a firewall issue, but i'm not sure. Any ideas?	16:48
* soren needs to go and buy food..		16:49
twb	I hope you have a good reason for installing an insecure service like telnet.	16:50
blue-frog	thebishop: you certainly need to do some PAT to redirect port 23	16:53
thebishop	twb, unfortunately, i do :(	16:54
thebishop	blue-frog, do I need to redirect? I just want to open 23 to the outside world	16:54
blue-frog	your server is directly on the internet or behind a router?	16:55
thebishop	it seems to be open to itself	16:55
hjmf	the-dude: wouldn't be better to use some kind of ssh tunnel to at least encrypt your telnet traffic	16:55
hjmf	?	16:56
hjmf	sorry I meant thebishop ^^	16:56
blue-frog	thebishop: as twb highlighted I assume that your are either trolling or looking for problems with your server	16:56
thebishop	it's neither. I have a legit need for telnet. I don't have a choice unfortunately, and I know it's a bad idea	16:56
blue-frog	thebishop: so do you have a router in between internet and your server?	16:57
hjmf	at least you can tunnel that traffic; it wouldn't be hard to do it	16:57
thebishop	blue-frog, it has a static ip on the internet. it's a virtual server running from a web hosting service	16:57
thebishop	i'd like to get basic functionality working before i try to secure it	16:58
blue-frog	thebishop: then there is a good chance for your webhoster to refuse any connection to 23	16:58
thebishop	i've got a ridiculously irrational person breathing down my back about it	16:58
thebishop	blue-frog, that's an interesting suggestion	16:58
thebishop	blue-frog, maybe i can bind telnet to another port?	16:59
blue-frog	if you like to. use netcat	16:59
thebishop	well, suppose it's not my host	17:01
thebishop	i don't have a lot of experience with iptables to diagnose if that's dropping port 23 packages	17:01
thebishop	*packets	17:01
blue-frog	thebishop: well.. better asking god than his saints, no?	17:01
thebishop	blue-frog, this host provides NO live support	17:01
thebishop	again, not my decision...	17:02
smoser	kirkland, maybe you know. i want to "file a bug against ec2 images" with this url http://bugs.launchpad... that will automatically tag the created bug with 'ec2-images'. is that possible ?	17:08
kirkland	smoser: point me to a sample url of a tagged bug	17:09
smoser	https://bugs.launchpad.net/ubuntu-on-ec2/+bug/419306 is tagged with ec2-images and uec-images	17:09
uvirtbot	Launchpad bug 419306 in python-boto "boto.utils.get_instance_userdata() hangs for a long time if no userdata is provided" [High,Fix released]	17:09
kirkland	smoser: i tried a few things, unsuccessfully	17:16
kirkland	smoser: ask in #launchpad	17:16
smoser	i did	17:17
jjohansen	smoser: bug #427288	17:17
uvirtbot	Launchpad bug 427288 in linux "Karmic i386 EC2 kernel emulating unsupported memory accesses" [Undecided,New] https://launchpad.net/bugs/427288	17:17
smoser	then tried you, as launhcpad superfly	17:17
smoser	i just found : https://bugs.launchpad.net/ubuntu/+filebug?field.tags=ec2-images works	17:17
jjohansen	smoser: there are 2 ways to deal with this apparently zul's kernel patch that disables xen from setting the cs segment and an alternate libc	17:18
smoser	jjohansen, you have thoughts ? i dont think we want alternate libc unless there is good/very-good reason	17:20
jjohansen	smoser: I am trying to asses which is the best route to go with, how objectionable is the alternate libc	17:20
jjohansen	smoser: the kernel patch essentially disables xen's ability to do segment based protection	17:21
smoser	i dont think we need to name call (assess)	17:21
jjohansen	so the kernel patch could be consider as a security issue	17:22
smoser	this is so much fun	17:23
jjohansen	perhaps I should ping kees and get his take as well	17:23
mathiaz	zul_: hi - re bug 424789	17:23
uvirtbot	Launchpad bug 424789 in php5 "PHP random segfaults on session_start();" [Undecided,In progress] https://launchpad.net/bugs/424789	17:23
mathiaz	zul_: you don't need to ask for a FFe if there aren't new features	17:24
mathiaz	zul_: if the new upstream revision is just a bug fix release, then you can just upload it	17:24
mathiaz	zul_: if there are new features, they should be documented in the FFe request	17:24
RoyK	hi. with ufw, can I reorder the rules without removing and re-adding them?	17:24
RoyK	this is 8.04.3 LTS	17:25
jdstrand	RoyK: not via the cli command. later versions of ufw support 'insert' though (not 8.04)	17:25
jdstrand	RoyK: but you can edit /var/lib/ufw/*rules	17:25
jdstrand	RoyK: just be careful to move the whole stanze to the right spot	17:26
RoyK	perhaps time to update to something newer	17:26
jdstrand	stanza	17:26
uvirtbot	New bug: #427141 in mysql-dfsg-5.0 (main) "mysql update does not install" [Medium,Incomplete] https://launchpad.net/bugs/427141	17:26
jdstrand	RoyK: well, later versions of ufw don't let you reorder then, but you can remove a rule and insert it somewhere else	17:26
* jdstrand can't type		17:26
jdstrand	s/reorder then/reorder them/	17:27
RoyK	jdstrand: I see	17:27
RoyK	still, this is a private server, so keeping it on 8.04 isn't really that necessary	17:27
jdstrand	RoyK: take a look in /var/lib/ufw/user.rules-- it should be pretty straight forward	17:27
jdstrand	RoyK: back it up first just in case ;)	17:27
RoyK	jdstrand: is that just iptables stuff?	17:27
addisonj	hmm, curious about incremental backups, whats the best solution?	17:28
jdstrand	RoyK: iptables-restore syntax, yes	17:28
jdstrand	RoyK: with a little accounting via comments	17:28
RoyK	I see. I've been using iptables for years - I just fell back to ufw of good old laziness	17:28
jdstrand	RoyK: keep the comment and the rule together and it'll go fine	17:28
jdstrand	RoyK: laziness or 'smartness'? if ufw does what you need, use it! :)	17:29
smoser	jjohansen, it appears your kernels have interest beyond ubuntu. one of the users on that bug is using your kernel with fedora user space	17:34
jjohansen	heh, the more testing the better :)	17:35
cocoa117	if user belong to admin group, it have privilege to ignore the sticky bit set on the folder?	17:38
qman__	cocoa117, no, that just allows them to use sudo	17:58
qman__	if they use sudo, they can override a sticky bit	17:58
cocoa117	qman__, i found the problem, the folder belong to ower, if i change it to root, the user behaviour same as others	17:59
cocoa117	qman__, thanx for the help	17:59
uvirtbot	New bug: #426968 in kvm (universe) "kvm qemu slow to start first time after boot" [Low,Incomplete] https://launchpad.net/bugs/426968	18:38
uvirtbot	New bug: #293361 in samba (main) "not possible to browse or open cifs/smb files from netapp server" [Undecided,Incomplete] https://launchpad.net/bugs/293361	18:39
Steve[work]	afternoon everyone	18:56
KillMeNow	howdy Steve	18:56
modeller_wahkor1	hello	19:06
modeller_wahkor1	I have some question abouut proxy.	19:06
erichammond	smoser: Just got up; now I'll be offline for a few hours and then online but working. I can't monitor all the chatter on this channel. If there's any way you could discuss ec2 things on #ubuntu-ec2 I could keep up with it all and give feedback.	19:07
szczym	i have problem with no output from lsusb in interepid server - its been working 5 minutes ago	19:11
erichammond	smoser, soren, mdz, zul, jjohansen: Remember that we're not just building kernels to work with the AMIs which Canonical builds. These kernels must also work with Ubuntu AMIs that users build themselves. It would also make Canonical a hero if the kernels happened to work well with other Linux distros (the current tester is using Fedora 11). That last is obviously not a requirement, but if a simple decision makes it more possible w	19:11
erichammond	I saw some talk about copying kernel modules into / from initrd. At first glance, seems like a cool idea. I don't know the startup time impact, but remember that seconds count.	19:13
smoser	erichammond, absolutely we want to support re-bundled ubuntu ami images. and i think we don't want to do things that make other distro use of the kernel/initrds more difficult unless there is some good reason	19:14
smoser	erichammond, startup time probably absolutely trivial	19:14
smoser	as copy from initrd to tmpfs is memory->memory of something on the order of small number of megabytes	19:14
smoser	and then in user space, that same copy but to / (whatever sda1 is backed by)	19:15
soren	smoser: Well.. I have >100MB of modules on my system.	19:15
soren	smoser: But still, copying 100 MB from memory to memory is cheap.	19:16
smoser	yeah... the -virtual kernel is significantly smaller, though. and thats what we'd be shooting for	19:16
soren	smoser: Oh, right, right. My bad.	19:16
smoser	additionally you could background the copy, its not terribly likely to fail. anything that needed it could block on waiting for a 'finished' file in /lib/modules/$(uname -r) or whatever. if it happened to be slow	19:17
kees	mathiaz: did you create the ubuntu-server meeting on The Fridge ?	19:18
kees	mathiaz: I'm trying to follow the instructions for the security team, but it doesn't show up	19:18
erichammond	smoser: I'm not a fan of the background copy idea. Kernel modules are often needed on boot and boot failures are difficult to debug on EC2. Background copy could even make the boot failures sporadic based on timing. Requiring users to wait would require educating users which has a high percentage of failure due to the impossibility of making users find and read documentation.	19:21
erichammond	gotta run	19:21
mathiaz	kees: hm - a looong time ago	19:21
kees	mathiaz: I see it in the iCal, but it doesn't show up on the fridge web site	19:22
erichammond	In case I haven't mentioned it yet, I am thrilled to see so much progress on the kernel lately. Thanks, folks.	19:22
mathiaz	kees: are you following https://wiki.ubuntu.com/Fridge/Calendar ?	19:22
kees	yeah	19:22
smoser	we'd modprobe modules needed to boot (at least on ubuntu images) from inside the initrd.	19:22
kees	except that I can't find "Check the box that says 'Guests can modify event' "	19:22
kees	oh nm, I found it. it's checked	19:23
slestak	can someone tell me the rationale for ubuntu including dnsmasq in the desktop package selection?	19:26
slestak	i mean there is no dnsmasq.conf, so i dont think it is doing anything as a dhcp or dns cache without having some sort of configuration	19:27
giovani	slestak: since when is it in the desktop metapackage?	19:28
slestak	i do not know, it is installed on every jaunty machine i have	19:28
slestak	i didnt install it, so it had to come in with the instal lmedia	19:29
giovani	ok, first -- #ubuntu is more appropriate	19:29
giovani	since this isn't a server discussion	19:29
giovani	but dnsmasq is in universe	19:29
giovani	I didn't think universe was even enabled by default	19:29
slestak	giovani: ok, sorry for being offtopic. intersting.	19:29
szczym	according to my problem with no output from libusb i upgraded usbutils becouse of that: https://bugs.launchpad.net/ubuntu/+source/usbutils/+bug/159189 and still no output from lsusb, could some one help me please ?	19:30
uvirtbot	Launchpad bug 159189 in usbutils "lsusb : Fix or remove -t option" [Low,Fix released]	19:30
slestak	giovani: i came here since i considered the product a server oriented choice, I'll check elsewhere. thx	19:30
giovani	szczym: it's not a direct dependency of ubuntu-desktop	19:30
kees	dnsmasq has been in main since hardy	19:31
giovani	slestak: well ... but you're asking about the desktop metapackage, not about how to use dnsmasq	19:31
giovani	kees: no, it's in universe	19:31
kees	dnsmasq \| 2.41-2ubuntu2.2 \| hardy-security/main	19:31
kees	dnsmasq \| 2.45-1ubuntu1.1 \| intrepid-security/main	19:31
kees	dnsmasq \| 2.47-3ubuntu0.1 \| jaunty-security/main	19:31
kees	dnsmasq \| 2.50-1 \| karmic/main	19:31
szczym	giovani: im running 8.10 server	19:31
giovani	http://packages.ubuntu.com/jaunty/dnsmasq	19:31
giovani	it says universe there	19:32
giovani	szczym: you said you were talking about the desktop metapackage ... not a server	19:32
szczym	giovani: where i could found a fix for server version lsusb ?	19:33
giovani	szczym: sorry, I didn't mean to direct that towards you -- you had a similar length name containing nearly random-looking characters starting with s as slestak	19:33
kees	giovani: the binary package "dnsmasq" is in universe, yes. dnsmasq-base is in main, so the source package "dnsmasq" is in main	19:33
martinjh99	Do I have to do anything else to enable mod_rewrite for things like gallery2 and drupal? I did a2enmod mod_rewrite and restarted the server and nothing seems to work...	19:33
kees	giovani: why it's installed, I'm not sure	19:33
giovani	kees: ok, that's not dnsmasq though	19:33
giovani	that's dnsmasq-base	19:33
kees	giovani: try apt-get remove dnsmasq and see what else it tries to remove?	19:34
giovani	kees: it's not my question/issue, direct it at slestak	19:34
slestak	i will try that, im the one obsessing over this	19:34
kees	slestak: heh, okay	19:35
slestak	i was about to install dnsmasq on a 9.04 machine, and saw that it was already present. then i checked some of my other machines and it was installed (although not configured) everywhere	19:35
szczym	giovani: ok, sorry, mistake. but do you have any clue about that lsusb issue ? where i could look for help ?	19:35
martinjh99	never mind - Found a forum post about it...	19:35
giovani	szczym: no, I would've replied to your requests for help if I did	19:35
szczym	giovani: sorry	19:36
martinjh99	Followed the instructions here for enabling mod_rewrite and restarted the sever and it hasn't seemed to work... Anyone know how to enable?	19:41
martinjh99	http://ubuntuforums.org/showthread.php?t=377410	19:41
martinjh99	anybody here ;)?	19:47
smoser	jdstrand, you know of a way to replace passwd entry in /etc/shadow with '!' (other than with awk or sed)... more looking for a 'chpasswd' like option that would just allow indication that this users password should be not set	20:05
Hypnoz	you can set their default shell to /bin/false in /etc/passwd	20:06
jdstrand	smoser: would 'passwd -l' fit the bill?	20:07
smoser	i dont want to prevent login, only password based login, Hypnoz	20:07
smoser	thats what i need, jdstrand. thanks.	20:07
Hypnoz	ah good find	20:07
smoser	a big 'duh' to me for not considering 'passwd'	20:07
mushroomblue	is there a way to make sudo ask for the root password?	20:08
jdstrand	:)	20:08
jdstrand	mushroomblue: rootpw	20:08
mushroomblue	I really hate having superusers by default.	20:08
jdstrand	mushroomblue: see 'man sudoers'	20:08
smoser	mushroomblue, really only the first user is superuser, no? default adduser doesn't put the user in admin	20:08
jdstrand	mushroomblue: you'll of course need to actually set a password for the root user	20:09
mushroomblue	right.	20:09
smoser	if the user is not found in sudoers than they'll be prompted for root passwd	20:09
jdstrand	smoser: they are prompted for their own password	20:09
jdstrand	unless you use 'rootpw'	20:09
Hypnoz	he's right, man sudoers and search for rootpw	20:10
smoser	ah... i thought that default if not found was just to propmt for root passwd	20:11
smoser	rather than just asking them for their password and then saying "no"	20:12
jdstrand	smoser: wait, I think I misunderstood your statement	20:12
Hypnoz	it gives some goofy message like "user not found in sudoers, reported to administrator"	20:12
jdstrand	smoser: if the user is not in sudoers (eg not in the 'admin' group), you are prompted for the root password	20:13
jdstrand	rootpw is for forcing users in sudoers to use a rootpw instead of their own	20:13
smoser	jdstrand, i think you're wrong.	20:14
smoser	:)	20:14
* jdstrand should have read smoser's comment more closely		20:14
smoser	at least in my test just now	20:14
smoser	i have a user 'test', which is not in admin, and not mentioned at all in /etc/sudoers	20:14
jdstrand	well, I just tried here	20:14
smoser	if i become that user, and then type 'sudo ls'	20:14
acemo	virtualmin gives the error: The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin base directory is /home. CGI and PHP scripts run as domain owners will not be executed. should i just disable suexec or move the virtualmin base directory to /var/www?	20:14
smoser	$ sudo ls	20:14
smoser	[sudo] password for test:	20:14
smoser	test is not in the sudoers file. This incident will be reported.	20:14
Hypnoz	yep. If they're not in the sudoers they aren't allowed to sudo. But I think you can add to sudoers with the "rootpw" option like jdstrand was saying	20:16
jdstrand	smoser: wouldn't you know, the user I tested was in the sudoers file and had rootpw (even though there isn't a root passwd set). Isn't that goofy... goes to fix that	20:16
jdstrand	so I was both right and wrong :P	20:16
* jdstrand will go back into his hole now		20:16
smoser	it is kind of silly to prompt the user for their password and then say "ha ha, you cant do it anyway"	20:16
jdstrand	smoser: I stand by my first 'rootpw' statement :)	20:17
smoser	yes. i think that is correct.	20:17
smoser	(and you verified :)	20:17
mushroomblue	hrm.	20:17
jdstrand	that was a truly ancient entry in my sudoers file...	20:17
Hypnoz	smoser, linux seems like it doesn't like to give away info, so I would guess that it doesn't tell you the account isn't in sudoers until you type the right password, maybe to slow down hackers finding sudo accounts	20:18
smoser	Hypnoz, yeah, that is reasonable.	20:19
smoser	jdstrand, just fyi, it appears that chpasswd will also take a '!' token to indicate disable	20:22
jdstrand	smoser: be careful with that one-- lest you introduce http://www.ubuntu.com/usn/usn-670-1	20:23
jdstrand	but yes	20:23
mushroomblue	another question. is it possible to make a user sudo to another user by default?	20:26
mushroomblue	i.e. I want an unprivileged user able to sudo to another user with admin privs, then sudo to root	20:26
pwnguin	what's that gain?	20:26
mdz	smoser, soren, zul, jjohansen: I'm not sure i'm entirely in agreement with erichammond with regard to supporting arbitrary AMIs. That's not something we should break without consideration, but our first priority should be to provide a complete, official stack	20:27
zul	mdz: agreed	20:27
mushroomblue	pwnguin: ultra-paranoid. box has been compromised a few times, and I want to make their job as hard as possible.	20:27
guntbert	mushroomblue: if you want to play with sudo - please read man sudo and man sudoers	20:28
mushroomblue	I was previously using NX to solve some of this.	20:28
mushroomblue	guntbert: I am. :)	20:28
mushroomblue	thanks, tho.	20:28
smoser	mdz, i think everyone is in agreement there.	20:29
smoser	its just "nice to have"	20:29
smoser	"wishlist"	20:29
mdz	smoser, zul, ok, sorry I missed the original discussion. eric seems to have disconnected	20:36
mdz	smoser, could you follow up by email to make sure we close the loop?	20:36
smoser	mdz, i thought the above was fairly clear from him	20:37
smoser	" It would also make Canonical a hero if the kernels happened to work well with other Linux distros (the current tester is using Fedora 11). That last is obviously not a requirement, but if a simple decision makes it more possible "	20:37
smoser	'happened to work well' and 'not a requirement'...	20:38
mdz	smoser, oh, ok, thanks	20:39
mdz	smoser, I had scanned the beginning of my scrollback and it looked like he had left already	20:39
mdz	that looks fine	20:39
smoser	kirkland, do man pages search no longer work at http://people.canonical.com/~kirkland/search.html	20:40
smoser	or, rather, they dont seem to work for me.	20:40
kirkland	smoser: hmm, you're right	21:05
kirkland	smoser: i'll have a look at that	21:05
qman__	mushroomblue, be aware that if you set a root password and you run sshd, you will probably want to change the sshd config to disable root logons	21:16
qman__	the default setting allows root logons, but since root doesn't have a password, root can't log on	21:17
mushroomblue	qman__: already done. thanks. :)	21:18
erichammond	mdz: (scanned the logs) I agree with smoser that you and I are in agreement :)	21:27
erichammond	smozer: When I say "images built by users" I'm not just talking about rebundled Canonical images, but also images built with vmbuilder (and for the time being, with ec2ubuntu-build-ami which many folks are using and which I can update as needed to work short term with the new kernels).	21:28
erichammond	There are also some commercial services which let users build Ubuntu images including CohesiveFT's elasticserver.org and rBuilder at rpath.org	21:30
=== ajmitch_ is now known as ajmitch
mathiaz	zul_: these are the dependencis that get pulled in when installing puppet - http://paste.ubuntu.com/268775/	21:45
mathiaz	zul_: are these the one you were looking at when filling the MIR for puppet?	21:46
=== palt_ is now known as palt
Hypnoz1	Sun has these new NAS arrays, the 7000 series, the firmware on them is awful. Heads on them randomly fail over, disks randomly go offline. Steer clear, they are a good price but you get what you pay for...	22:04
Hypnoz1	Sun is trying though, they're releasing updates constantly. I'm sure in a year or two the things will be solid	22:05
Hypnoz1	but I feel like a damn beta tester for their product	22:05
addison	hmm, what method of backup do you all prefer	22:19
KillMeNow	Hypnoz1: you actually PAID them to beta test their product	22:21
KillMeNow	addison: depends on your server	22:21
KillMeNow	what types of files you're backing up	22:21
KillMeNow	etc etc	22:21
addison	well, one server is actually running moodle, mysql db and then just the data frontend	22:22
Hypnoz1	haha yes we did. I am starting to realize why sun stock is worthless	22:22
kirkland	jbernard_: howdy	22:33
jbernard_	kirkland: hey man!	22:33
kirkland	jbernard_: okay, so you're interested in working on alfresco	22:33
kirkland	jbernard_: currently, iamfuzz is the canonical engineer who's been working on getting alfresco-community into the canonical partner archive	22:34
jbernard_	kirkland: yep, im wondering what it takes to get it from the partner archive into universe	22:34
kirkland	jbernard_: we'd like to get it into multiverse, for karmic, ideally	22:34
kirkland	jbernard_: gotcha...	22:34
kirkland	jbernard_: okay, so we're currently waiting on a few licensing clarifications from alfresco, to make sure that we have the rights to redistribute all of the included jars	22:34
kirkland	jbernard_: i expect we'll get a new tarball from alfresco by monday	22:35
kirkland	jbernard_: the other thing is sun-jdk has been dropped from karmic	22:35
kirkland	jbernard_: alfresco says that they need sunjdk, we've asked for a list of issues that they have with openjdk	22:35
jbernard_	kirkland: do we expect to have the licensing ambiguities clear up in that release?	22:35
kirkland	jbernard_: we're waiting to hear back on that one	22:35
kirkland	jbernard_: yes, the licensing issues are relatively straightforward, i don't see a problem	22:35
kirkland	jbernard_: step two will be ensuring that it builds and runs against openjdk	22:36
kirkland	jbernard_: step three will probably extend beyond karmic, and into karmic+1	22:36
jbernard_	kirkland: yes, sunjdk is removed for karmic, as i recall	22:36
kirkland	jbernard_: ideally, alfresco would not include all these jars, but instead depend on packaged versions of each in ubuntu, distributed like any other package	22:37
kirkland	jbernard_: the way we handle this same situation for thousands of C and Python packages ;-)	22:37
kirkland	jbernard_: see the work ttx did on eucalyptus in the last two cycles	22:37
jbernard_	kirkland: are the sub-packages required for karmic?	22:38
kirkland	jbernard_: it's impossible to accomplish by karmic	22:38
kirkland	jbernard_: this part is a karmic+1 target for delivery	22:38
jbernard_	kirkland: so just openjdk verification/debugging	22:38
kirkland	jbernard_: but there's nothing wrong with starting on that after the openjdk task is done	22:38
kirkland	jbernard_: right	22:38
kirkland	jbernard_: meet iamfuzz	22:38
kirkland	jbernard_: iamfuzz is the canonical engineer who's been working on alfresco up until now	22:39
kirkland	jbernard_: he's done a good job laying the foundation	22:39
iamfuzz	jbernard_, Hi there, glad to have someone helping out on testing	22:39
kirkland	and there's plenty more work to do ;-)	22:39
iamfuzz	indeed	22:39
iamfuzz	especially the JAR work for karmic+1	22:39
jbernard_	iamfuzz: hello, im interested in helping out	22:39
iamfuzz	I went through all the JARs we don't have and will be sending out a list on Monday	22:40
kirkland	iamfuzz: i'm hoping jbernard_ can help prune some of those jars out, package them individually, and make runtime dependencies out of them	22:40
kirkland	iamfuzz: can we start capturing all of this in a wiki page or something?	22:40
jbernard_	iamfuzz: can you copy me on that list?	22:40
kirkland	iamfuzz: now that there are a few cooks in the kitchen?	22:40
iamfuzz	kirkland, will do, Jared is supposed to send me a definitive list to compare against my work	22:40
iamfuzz	jbernard_, will do, what's your email?	22:41
jbernard_	iamfuzz: bernardj@gmail.com	22:41
iamfuzz	jbernard_, I'll go ahead and send a link to the PPA I'm uploading to now (it'll be a bit as my upstream is circa 1996ish)	22:41
kirkland	iamfuzz: you could create an ubuntu-alfresco team in LP, if you so desire ;-)	22:41
iamfuzz	kirkland, we have one, it's alfresco-isv	22:42
kirkland	iamfuzz: ah	22:42
jbernard_	iamfuzz: so monday the tarball should arive with the licensing cleared up, an we can begin verifying it on openjdk, is that basically the plan?	22:43
jbernard_	iamfuzz: have you done any openjdk testing with the current partner deb?	22:44
iamfuzz	jbernard_, basically, I just sent you an email about it.	22:45
iamfuzz	aside from the licensing stuff, the package should run fine now	22:46
jbernard_	got it	22:46
iamfuzz	and no, very little testing against openjdk as I just found out yesterday Sun java is out	22:46
iamfuzz	I did compile against it and it compiled fine, but would still only run against sun-java-6	22:46
iamfuzz	however, this was the openjdk in Hardy, so it could work fine now	22:47
jbernard_	does there exist any kind of testing framework?	22:47
iamfuzz	yes, some automated, some not. We are to receive that on monday as well	22:47
jbernard_	awesome	22:47
iamfuzz	we're ina bit of scramble mode since I found out about sun-java being booted	22:48
jbernard_	i can imagine :)	22:48
kirkland	jbernard_: fyi, openjdk in karmic >> hardy	22:48
iamfuzz	I was under the impressionw e would just release against it for karmic and then do everything proper like in universe for karmic+1	22:48
iamfuzz	but that all changed :-)	22:48
jbernard_	does it make sense to test the current partner deb against openjdk now, or just wait for the release on monday?	22:49
iamfuzz	kirkland, jbernard_ I'm off all next week as well :-)	22:49
iamfuzz	just to add to the fun	22:49
kirkland	jbernard_: i'd suggest starting with the upload iamfuzz is pushing to his ppa right now	22:50
iamfuzz	jbernard_, whichever way you want to do it, but don't test the partner DEB, it bundles swftools, use the one I'm uploading now to my PPA	22:50
kirkland	iamfuzz: correct me if i'm wrong, but i expect that upload to be more recent than the one in partner	22:50
iamfuzz	kirkland, yes, mainly just the removing of swftools	22:50
jbernard_	iamfuzz: ok, will do	22:51
kirkland	mathiaz: around?	22:51
mathiaz	kirkland: yeeeesss!!!!	22:51
mathiaz	kirkland: are you around?	22:51
kirkland	mathiaz: what's supposed to provide /etc/mysql/debian.cnf ?	22:51
kirkland	mathiaz: you bet ;-)	22:51
mathiaz	kirkland: zhee unmissable mysql-zerver-5.1 peickage!	22:52
mathiaz	kirkland: well - it's a generated file	22:52
mathiaz	kirkland: by the post install script	22:52
kirkland	mathiaz: hrm	22:52
mathiaz	kirkland: there is a special user added to mysql - debian-sys-maint that used by the init script to check the status	22:53
mathiaz	kirkland: and shutdown mysql correctly	22:53
kirkland	mathiaz: okay	22:53
kirkland	mathiaz: i'm trying to get wordpress working	22:53
mathiaz	kirkland: /etc/mysql/debian.cnf is used to store the credential of said user	22:53
kirkland	mathiaz: its setup script is failing, looking for that .cnf file, which doesn't exist	22:54
kirkland	mathiaz: and mysql-server isn't installed	22:54
kirkland	mathiaz: i'm trying that now	22:54
mathiaz	kirkland: is mysql-server-5.{0\|1} installed?	22:54
mathiaz	kirkland: mysql-server is just a meta-package that pulls in the latest mysql-server	22:54
kirkland	mathiaz: nope. installing that now	22:54
kirkland	mathiaz: i'm installing 5.1	22:55
mathiaz	kirkland: right - that should help	22:55
kirkland	mathiaz: okay	22:55
mathiaz	kirkland: are you using the workpress package?	22:55
ahe	i just got curious about the alfresco appliance	22:56
ahe	what do you plan to build around alfresco to give it the blackbox feel of an appliance?	22:56
KillMeNow	don't forget to install php5-mysql	22:57
soren	kirkland: Man, grub2 is complicated!	23:06
soren	kirkland: ...for a Xen image it shoudln	23:07
soren	t matter, though?	23:07

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!