[00:07] <KillMeNow> LMAO guntbert
[00:08] <JanC> guntbert: well, do you also have a slogan for understanding ternary logic?  ;)
[00:10] <KillMeNow> JanC:  isn't that the logic that got us in the economic mess?  hehehehe
[00:10] <JanC> start at http://en.wikipedia.org/wiki/Ternary_computer if you wanna read about it
[00:11] <mdz> smoser, ping
[00:29] <smoser> mdz, here now
[00:43] <Techtronic> hello , i cant login to nagios ...  PAM: user 'nagiosadmin' - not authenticated: Authentication failure .....
[00:44] <Techtronic> what i do wrong ? :/
[00:45] <KillMeNow> http://www.linuxquestions.org/questions/linux-software-2/lost-nagios-admin-password...-help-695402/#post3399240
[00:46] <KillMeNow> that shows how to reset the nagios admin user password
[00:46] <Techtronic> i know password
[00:48] <Techtronic> not helped this link
[01:03] <Techtronic> PAM authenticate failure :/
[01:04] <Techtronic> need disable mod_auth_pam.c
[01:04] <KillMeNow> http://ubuntuforums.org/archive/index.php/t-275996.html
[01:04] <KillMeNow> google Techtronic
[01:08] <Techtronic> KillMeNow thanks you saved my night :D
[01:14] <mm_202> Can someone please assist me with an apparmor issue?
[01:14] <mm_202> Im trying to start mysqld and I get this lovely error: 090909 20:12:42  InnoDB: Operating system error number 13 in a file operation.
[01:14] <mm_202> InnoDB: The error means mysqld does not have the access rights to the directory.
[01:15] <KillMeNow> here is the best assistance i could give you mm:  toss apparmor
[01:17] <mm_202> KillMeNow: yes, I fscking hate it.  But the ONLY reason I am reluctant is that it is a public server..
[01:17] <mm_202> My first box that isnt behind a firewall
[01:17] <mm_202> But I guess if someone gets shell access Im screwed anyways
[01:18] <mm_202> How many people here run servers (ubuntu of course) without a firewall?
[01:20] <KillMeNow> i have a public facing Ubuntu box, but it's all IPTabled up
[01:20] <KillMeNow> and i don't use apparmor
[01:20] <KillMeNow> i tried to get it to work, but it's a big stinking pile of poo
[01:21] <KillMeNow> altho i've heard it's easier than SElinux
[01:21] <mm_202> Yeah, my ubuntu servers at home, I killed apparmor on them as well
[01:22] <KillMeNow> as long as you stay up on your patching and don't run anything that could cause you problems like IRC or something
[01:22] <KillMeNow> or if you do i suppose you could run it in a jail
[01:23] <mm_202> Yep, remove apparmor and works great now =)
[01:26] <KillMeNow> big pile of stinking poo
[01:26] <KillMeNow> i think that's what i called it...  yea..
[02:53] <oh_noes> is it possible to remount / as ro from recovery
[02:53] <oh_noes> or do i have to boot a live CD?
[03:05] <twb> oh_noes: sudo mount -o ro,remount /
[03:05] <twb> TIAS
[03:22] <qman__> I haven't run into any problems with apparmor, but it's worlds better than selinux
[03:22] <qman__> since with apparmor, if you're having an issue, you can just remove one profile that's causing it
[03:23] <qman__> with selinux you have to disable it altogether, or find and fix the problem
[03:23] <qman__> and the error messages aren't very friendly
[03:23] <oh_noes> twb: doesnt work ... even after booting into recovery mode it says Device is busy
[03:24] <oh_noes> and 'mount' shows . mounted as full rw
[03:24] <oh_noes> which is where im confused
[03:24] <qman__> apparmor is also a pretty nice alternative approach to jailing services
[03:24] <twb> qman__: I would trust a jail more...
[03:25] <twb> oh_noes: dunno, then, sorry.
[05:40] <error404notfound> whats wrong with this cron: "10 4    * * *           freshclam; clamscan --bell -r --detect-pua=yes --max-dir-recursion=40 --log=/var/log/clamav/$(date +%b%d%Y%H%M%S).log -i /", it says: /bin/sh: Syntax error: end of file unexpected (expecting ")")
[05:42] <qman__> error404notfound, there's no user listed for the job to run as
[05:43] <error404notfound> qman__, no, thats not needed, all crons in root's crontab run without user
[05:43] <error404notfound> there is something else
[05:43] <error404notfound> without user mentioned explicitly*
[05:43] <qman__> I use cron.d and friends, not root's crontab
[05:43] <qman__> makes management easier
[05:43] <error404notfound> i use one crontab :D
[05:44] <foob12> does anyone software based mp3 player that supports socks 5 proxy client function
[05:45] <maxagaz> hi
[05:45] <qman__> error404notfound, I think I see it
[05:45] <qman__> --log=/var/log/clamav/$(date +%b%d%Y%H%M%S).log
[05:46] <qman__> because of that space, you need quotes
[05:46] <qman__> though I don't know where you need them
[05:46] <qman__> also, escaping that space may work
[05:47] <error404notfound> hmmm, lemme check
[05:48] <qman__> I thought that should have worked the way you have it
[05:48] <qman__> but since it's in --log=, it may not apply normally
[05:48] <qman__> that's the only place a missing ) makes sense
[05:49] <qman__> I also don't know if dash supports the $() syntax, though I don't see why it shouldn't
[05:56] <error404notfound> qman__, even tried date \+... , still same error
[05:56] <error404notfound> \ before space
[05:59] <qman__> I don't see any notes regarding $() in dash
[05:59] <qman__> try using backticks just to see if it's the same error
[06:03] <qman__> also, any particular reason you're scanning /?
[06:04] <qman__> it's really not necessary, you only need to scan your file shares
[06:04] <twb> foob12: mplayer probably
[06:05] <error404notfound> qman__, i also tried `` and got: /bin/sh: Syntax error: EOF in backquote substitution , and i am scanning because a stupid user uploaded some stuff while i wasnt not around its infected, so just to be safe than sorry i want to scan whole "/"
[06:05] <error404notfound> qman__, even if i scan file shares, home dirs, the error in the cron is still there, right?
[06:06] <qman__> yes
[06:06] <jmarsden> error404notfound: man 5 crontab and then escape all the % signs with \ or else cron will turn them into newlines :)
[06:07] <error404notfound> jmarsden, aaaahhhhh :D lemme see
[06:07] <qman__> that would do it
[06:09] <error404notfound> and any comments on http://ubuntuforums.org/showthread.php?t=1262527 ?
[06:10] <qman__> the keys were copied wrong
[06:11] <qman__> it's failing when attempting to parse
[06:11] <jmarsden> error404notfound: Looks like you put a GPG key in a config file, or something along those lines?
[06:11] <qman__> ssh hosts files have just the key, on one line
[06:11] <qman__> no ----BEGIN or anything
[06:11] <error404notfound> jmarsden, i removed the config file altogether.
[06:11] <qman__> one key per line
[06:13] <jmarsden> error404notfound: pastebin the output of ls ~/.ssh ; file ~/.ssh/*     so we can see what the files in there are?
[06:13] <error404notfound> okies
[06:15] <error404notfound> qman__, jmarsden,  http://pastebin.ca/1560766
[06:16] <qman__> waiting for pastebin.ca...
[06:17] <jmarsden> Hmm, my browser is having trouble getting a response from pastebin.ca... trying again...
[06:18] <error404notfound> qman__, jmarsden, http://pastebin.com/m3e38d075
[06:19] <qman__> sure have a lot of files there
[06:19] <qman__> I've only got known hosts files
[06:19] <error404notfound> :D
[06:19] <error404notfound> i work in too many places and dont wanna use same keys for more than one office
[06:19] <qman__> good plan
[06:21] <jmarsden> Yow, there is way too much junk in there to debug.  For testing, can you tar that lot up, save the tarball somewhere safe, then delete all the files from ~/.ssh/ except known_hosts and *one* pair of keys?
[06:22] <jmarsden> Probably id_rsa and id_rsa.pub would be the logical ones to keep
[06:23] <error404notfound> that's a 100% chance that would fix the issue
[06:23] <error404notfound> thats*
[06:23] <jmarsden> OK, so do it and then we can slowly add stuff back until we find the problem.
[06:23] <jmarsden> This is called troubleshooting :)
[06:24] <error404notfound> issue fixed...
[06:24] <error404notfound> :D
[06:24] <error404notfound> jmarsden, i am too lazy to do this alone, so stick with me, i am sooooooo lonely :P :D
[06:25] <jmarsden> OK, add back new_id_rsa and new_id_rsa.pub and retest
[06:25] <error404notfound> jmarsden, doing it :D
[06:26] <jmarsden> As in, now you have the error?
[06:27] <jmarsden> Or as in, now you are testing?
[06:27] <error404notfound> misc* is causing the problem
[06:28] <error404notfound> even renaming them doesn't solve the problem, and they are valid ssh keys as i cat them
[06:30] <twb> None of those keys will be used unless you have code in .ssh/config or /etc/ssh/ssh_config telling it to.
[06:30] <error404notfound> okay, this is strange, for one host the misc ones give rise to the error, for other hosts its a different pair, strange..
[06:31] <error404notfound> i dont have a ~/.ssh/config and i havent specified anything in ssh_config, lemme pastebin
[06:32] <error404notfound> http://pastebin.com/m45eb2184
[06:35] <jmarsden> Looks pretty boring to me... nothing in there about using the other keys.  So you have been doing ssh -i whatever    all over the place to get it to use the special keypairs?
[06:43] <error404notfound> jmarsden, i have aliases :P
[06:44] <jmarsden> OK.   I'm doing some testing here... Apparently, if you have lots of keypairs in ~/.ssh, the default is to try all of them... ?  I just did      for i in `seq 1 50` ; do ssh-keygen -f junk$i ; done      and so generated 50 junk keypairs (held down the enter key for all the password prompts).
[06:45] <jmarsden> I have a feeling there was a bug report about this and how to fix it somewhere in Launchpad...
[06:46] <jmarsden> Most likely you can just specify the key for each host in ~/.ssh/config so it only presents one, not all of them?
[06:46] <error404notfound> jmarsden, yup, it tries one by one all keypairs, and thats not what i want, for hosts i dont use "-i" i want it to go to password authentication directly
[06:47] <jmarsden> Well, you should probably set up ~/.ssh/config to tell it that, or something close to that, then.
[06:47] <error404notfound> jmarsden, yes, but for LAN machines, i use passwords, not keys, here at this office i have a 70 node LAN, 5server, for servers=keys, for other = passwords
[06:48] <jmarsden> If you just put Host * IdentifyFile id_rsa  Host server1 IdentityFile whatever_rsa  and so forth lines in ~/.ssh/config it should work fine.
[06:49] <jmarsden> No need for the -i nonsense if you configure SSH right :)
[06:50] <jmarsden> That should be    IdentityFile id_rsa   in there, not IdentifyFile, weird typo
[06:52] <jmarsden> See https://bugs.launchpad.net/bugs/374427 for a similar kind of issue.
[06:52] <error404notfound> jmarsden, okay, what if i want to use same key for multiple hosts? will i need multiple hosts blocks? thats redundant and i will have to add say 30,40 entries :(
[06:54] <jmarsden> I'm not sure, I think as long as you have a Host *  IdentityFile id_rsa in there as a default you can override that with -i if you really want to and like it :)
[06:54] <jmarsden> But IMO 30 or 40 aliases are at least as bad as 30 or 40 lines in a config file :)
[06:54] <jmarsden> And BTW, why do you need 30 or 40 keypairs anyway?
[06:54] <error404notfound> jmarsden, i use one key for 5 servers at this place, one for 8 servers at another, 1 for 3 servers at home and my vps, and etc,
[06:55] <error404notfound> jmarsden, not 30,40 keypairs, 30,40 hosts with which i use keys
[06:55] <jmarsden> I don't know if you can do Host *.somedomain.com in ~/ssh/config, you'd have to experiment.
[06:55] <error404notfound> Say host A and B uses id_rsa, and host C and D id_rsa, would i need 4 hosts blocks?
[06:55] <error404notfound> jmarsden, i can do that.
[06:56] <jmarsden> Looks like you can.  man ssh_config and search for the section titled PATTERNS
[06:58] <k2en> hi
[06:59] <k2en> i'm running hardy as a file server for about 30 clients , both XP and Ubuntu. It was running fine until a few days ago , now it takes the clients a long time to connect and browse the server.
[07:00] <k2en> but i ran top on the server and nothing seem to slow it down
[07:00] <twb> k2en: did you try reading the log files?
[07:01] <k2en> twb, which log files should i check specifically ?
[07:01] <twb> k2en: /var/log/*
[07:01] <twb> k2en: I don't know, specifically.
[07:01] <twb> Though for "network is slow" I would often resort to a simple packet sniff, to find out where in the connection the slowness occurs.
[07:02] <k2en> twb,  ok what do i need for that? etherape?
[07:02] <twb> I normally use tshark (wireshark) or tcpdump.
[07:03] <twb> Primarily because with those I can dump a .pcap file and then analyse it later/elsewhere
[07:03] <jmarsden> k2en: Whatever sniffer you already know how to use.  tcpdump, wireshark, use whatever works for you :)  BTW for "connect and browse", I'd be checking samba log files too... and wondering about DNS/browse master type issues.
[07:03] <twb> jmarsden: ooh, good idea re DNS
[07:03] <k2en> jmarsden, why should i check DNS?
[07:03] <twb> hard-binding name services routinely fuck me w.r.t. that kind of symptom
[07:04]  * twb glares at LDAP
[07:04] <jmarsden> because if hosts can't resolve the server name using DNS they may time out and then retry using NETBIOS or whatever... and that all wastes time...
[07:05] <k2en> jmarsden, i see. that would be a client problem then , no?
[07:05] <jmarsden> Not necessarily.  Maybe your DNS server died?  or your winbindd is doing something bad?  or whatever...  Did anything change regarding DNS or the ISP you use or whatever that could be related to this
[07:06] <k2en> jmarsden, no, i'm using different DNS for different boxes, but the problem is with all clients
[07:07] <jmarsden> k2en: Basically, when "connect and browse" is slow, name resolution is a VERY common culprit, so I would suggest you test it instead of telling me it can't possibly be broken.  Just from experience :)
[07:07] <k2en> jmarsden, sure
[07:08] <k2en> jmarsden, how do i check that on the client?/
[07:08] <jmarsden> Use nslookup
[07:08] <jmarsden> Check using ipconfig /all that the XP client is using the DNS server(s) you think it is, too.
[07:09] <jmarsden> Check that the hosts file in C:\WINDOWS\system32\drivers\etc is sane, if you think someone or something might have messed with that.
[07:09] <k2en> jmarsden, ok, thanks
[07:10] <k2en> the reason i thought its a server problem is that suddenly all clients reported a slow down
[07:10] <k2en> but i will check the DNS and hists
[07:10] <k2en> hosts
[07:10] <k2en> also samba logs
[07:10] <jmarsden> Sounds like a network problem of some sort, but may not be the actual SMB service that is the culprit.
[07:11] <jmarsden> I've seen networks go nuts when someone plugs in a Cat5 patch cable ... both ends of it into the same switch :/
[07:12] <k2en> jmarsden, `since my server has a fixed IP ,can i set the client to go directly to IP without a need for DNS?
[07:12] <jmarsden> You can, but that's not really a good idea except for testing.
[07:13] <k2en> i'm pretty sure the ubuntu clients do that
[07:13] <jmarsden> Why, if you have (or *had*) working DNS on this network?
[07:14] <k2en> jmarsden, going to check the logs, thanks for info, killing the gui now
[07:14] <jmarsden> OK... BTW, Ubuntu servers do not have a GUI
[07:15] <artillerytx> is there a text based aim client for ubuntu ?
[07:18] <henkjan> artillerytx: irssi + bitlbee
[07:18] <artillerytx> henkjan: is that better than centericq?
[07:25] <henkjan> artillerytx: i've never used centericq.
[07:25] <artillerytx> k cool
[07:25] <henkjan> artillerytx: irssi is an irc client and bitlbee a gateway to jabber/msn/aim/icq
[07:25] <artillerytx> i've used irssi
[07:26] <artillerytx> didn't know it has like extensions
[07:32] <jmarsden> artillerytx: bitlbee is not irssi specific, it is a gateway so any IRC client can talk to other kinds of messaging servers.
[07:56] <soren> mdeslaur: lp:~soren/+junk/pyotp
[08:17] <twb> Did I see something recently about infrastructure to install an arbitrary i386 .deb into an amd64 system (i.e. a biarch workaround)?
[08:17] <twb> Can it be generalized into unpacking debs from one arbitrary arch into another arbitrary arch?  (Running the postinst is not necessary.)  Plan B is to try dpkg -x.
[08:24] <mushroomblue> no.
[08:25] <mushroomblue> well, maybe.
[08:25] <mushroomblue> the reason it works with x86/x64 is because of a binary compatibility library that AMD released
[08:26] <mushroomblue> I suppose something could be done for other archs, provided someone's written the glue.
[08:26] <mushroomblue> otherwise, no.
[08:27] <mushroomblue> it's a shame the crusoe didn't take off; it might've brought this sorta thing automatically.
[08:33] <twb> mushroomblue: I intend to combine it with qemu's CPU emulators
[08:34] <twb> In the imaginary scenario where I won't be distracted from this goal by the end of the day
[08:46] <k1en> hi, can anyone take a look at my samba log, i'm running a file server and recently clients have been complaining about a slow down
[08:47] <k1en> http://pastebin.ubuntu.com/268431/
[08:47] <k1en> the main error is " getpeername failed. Error was Transport endpoint is not connected"
[08:54] <jmarsden> k1en: There is a somewhat inconclusive thread at http://lists.samba.org/archive/samba/2005-April/thread.html#104000 which might be relevant?
[08:56] <k1en> i'll try "smb ports = 445"
[08:56] <k1en> another error i get is : "call_trans2qfsinfo: not an allowed info level (0x102) on IPC$"
[08:57] <k1en> i read here that an upgrade might solve it : http://forums.opensuse.org/network-internet/391249-samba-problem-after-upgrade-opensuse-11-a.html#post1847349
[08:58] <k1en> i havent updated my server in months so i'll try it
[09:36] <acalvo> Hi
[09:36] <acalvo> when using winbindd, if I want to use it from another server, I need to install the winbindd program to be able to "talk" to the winbindd server?
[11:56] <cocoa117> is there any NAS appliance available on ubuntu-server? i can just run
[12:00] <twb> cocoa117: you want to buy a NAS unit that ships with Ubuntu pre-installed?
[12:03] <cocoa117> twb, no, i have old machine lying around, want to put ubuntu on it with NAS software (Samba, web management, NFS...)
[12:03] <cocoa117> don't like the NAS hardware, it have limited features
[12:03] <twb> IME all web management blows.
[12:04] <twb> Theoretically ebox is supported, but I wasn't impressed.
[12:05] <cocoa117> so the best still ssh then
[13:01] <mdeslaur> soren: wow...that is...incredibly simple. cool!
[13:25] <apw> kirkland, seems our virtual kernel requires one of grub or lilo to be installed, we are wondering if there is any reason that we cannot also allow grub2 to be an option as we do for all the other kernel images
[13:47] <smoser> soren, ping
[13:47] <smoser> good morning erichammond
[13:47] <erichammond> smoser: 'lo
[13:50] <kirkland> apw: i don't know of any reason why not
[13:50] <apw> i was pointed a zul, what timezone is he in
[13:50] <apw> or are you happy to be definitive on that one
[13:50]  * apw can't see any reason either
[13:51] <apw> kirkland, ^^
[13:51] <smoser> erichammond, i think you answered the question, but just to be sure, you're not aware of anyway to generate a manifest that [re]uses another's "<parts count='15'>"
[13:51] <kirkland> apw: zul is in ottawa
[13:52] <kirkland> apw: one hour ahead of me
[13:52] <smoser> it really seems that this should be achievable, especially given the existence of euca2ools that generate them
[13:52] <kirkland> soren: smoser, can grub2 be used in the ec2 kernel?
[13:53] <apw> the ec2 kernel is different again, this is -virtual
[13:53] <smoser> kirkland, no
[13:53] <smoser> ec2 doesn't use a bootloader
[13:53] <smoser> err, rather they use xen dom0 as the bootloader
[13:53] <apw> i am a little confused that it would care at all that you have or do not have a bootloader
[13:53] <erichammond> smoser: I haven't tried tweaking manifests.  I just use the ec2 AMI tools.
[13:54] <smoser> erichammond, i've tried hacking at the manifest unsuccessfully... but i didn't re-do any of the crypto stuff, so likely the output of mine didn't validate.
[13:54] <apw> i would expect that all the normal consumers of -virtual don't need one at all, and its making sure its installed in the host, so ... its not obvious that it should care at all, ie. any should be ok
[13:55] <smoser> apw, kirkland, i'm missing something here.
[13:55] <erichammond> smoser: ... Yep, I was about to make a comment about the encryption/signing.  You'd need to use Amazon's public key which I suppose is buried in the compiled Java code.
[13:55] <smoser> erichammond, well somewhere/somehow euca2ools can do it
[13:55] <apw> the kernel flavour -virtual has an install dependency on a bootloader, it requires grub or lilo to be installed when it is installed
[13:56] <smoser> ah.
[13:56] <smoser> i'd say *maybe*.
[13:56] <apw> we want to add grub-pc (grub2) to that list.  as far as i understand the use model you install it in the host anyhow
[13:56] <smoser> the user of -virtual could be
[13:56] <smoser> a.) someone using it on bare metal
[13:56] <smoser> b.) someone using it in xen domU
[13:56] <erichammond> smoser: It shouldn't be that difficult to simply recreate the image (ec2-unbundle) and rebundle it (ec2-bundle-image)
[13:56] <smoser> c.) someone using it in kvm domU booting a disk/bootloader
[13:57] <smoser> d.) someone using it in kvm domU booting with 'kvm -kernel/-initrd'
[13:57] <smoser> for a and c above, you need a bootloader
[13:57] <smoser> erichammond, correct. thats easy.
[13:57] <apw> smoser, but any bootloader is acceptable, so adding grub2 seems reasonable.  yes?
[13:58] <smoser> but then you have to use a different prefix (or rename the image) to avoid collision on upload to s3
[13:58] <smoser> apw, i would think so, yes.  i have no knowledge or reason to believe that grub2 does not work in kvm guest.
[13:58] <apw> so that sounds like general 'its not mad, lets go for it' all round then
[13:59] <smoser> erichammond, my goal in 'hacking' it was to use the same <part> pieces, and thus be obvious that "this is the same AMI but with changed kernel/ramdisk"
[13:59] <smoser> i think that would be less obvious with rename
[14:00] <erichammond> smoser: Nobody but the image creator can look at the contents of the manifest.
[14:01] <smoser> i wondered how publi that would be. i think i'm old on just re-bundling
[14:02] <smoser> s/publi/public/
[14:02] <erichammond> smoser: I think anybody who cares to the level you are describing can simply run the old AMI with the new AKI+ARI.
[14:02] <smoser> yeah. i think maybe i'm being overly concerned.
[14:02] <smoser> i just know that lots of people don't like changing anything once their app is working.
[14:03] <erichammond> smoser: Yep, I know some of those.  They're still running Gutsy on EC2.
[14:03] <smoser> and such a change in the ami that its built on would possibly force another round of test
[14:03] <smoser> if they could be convinced that the disk contents were identical, but with different kernel, maybe they'd waive those.
[14:04] <erichammond> There's no way for anybody but the creator to know what the AMI contents are or to know that they are the same as any other AMI contents.
[14:05] <erichammond> It's 6am here. I need to grab some sleep.
[14:06] <smoser> erichammond, good night. thanks.
[14:06] <smoser> i'm changing the doc to say we'll rebundle
[14:12] <zul> morning
[14:17] <zul> smoser: i was thinking last night that you might want upload a test image with the kernel modules from the ppa so people can test what they would normally do with an ec2 image
[14:25] <smoser> zul, test image with kernel  modules?
[14:26] <smoser> i want to get something together today and send out a request for testing. something that we think would work.
[14:39] <smoser> it would be more useful if "very very soon" was defined with an actual time (as per launchpad's "Launchpad will be going offline for maintenance very very soon." message)
[14:40] <shyam_k`> as i connect to my home router(&modem), i can ping to my router but can't access ping an external site.. i can telnet to my home router(&modem that the isp gave me) and can see that it can ping external sites. What can be the problem?
[14:41] <shyam_k`> where will be the problem? can it be with the router, or the laptop, or even the isp's external node?
[14:43] <shyam_k`> the laptop can ping the router. so i donno if it requires any more than that to get internet that the router has..
[14:44] <shyam_k`> ah i forgot to say that under such a situation, if i reboot the router and reconnect the lap with router, everything works fine
[14:49] <zul_> bah..my internet connection is sucking today
[14:50] <shyam_k`> zul: mine too:(
[14:53] <soren> mdeslaur: I almost finished a C implementation as well, but eventually had to slepe.
[14:53] <soren> mdeslaur: sleep, even.
[14:54] <soren> smoser: You pang, sir?
[14:54] <smoser> si
[14:55] <smoser> a couple things, soren
[14:55] <smoser> a.) i think i give up on the 're-use image parts' (aka hack a manifest with newer aki/ari)
[14:55] <smoser>  at least for the moment it doesn't seem to give much benefit
[14:56] <soren> smoser: Alright.
[14:56] <smoser> above, erichammond pointed out that no one other than the author can see the manifest
[14:56] <soren> smoser: By default, yeah.
[14:56] <smoser> so it doesn't help "prove" anything or give stronger indication than a promise that the disk image didn't change
[14:56] <smoser> i didn't know if there were possibly some keys there or something that you wouldn't want to share it.
[14:57] <smoser> but anyway, i'm not going to bother chasing that right now
[14:57] <soren> smoser: Alright.
[14:57] <mdeslaur> soren: now we need to convince someone to buy us some tokens :P
[14:57] <kirkland> soren: is vmbuilder in LP functional yet?
[14:57] <soren> kirkland: Nope, sorry.
[14:57] <smoser> (wouldn't have thought there were keys, but there are things like 'user_encrypted_key' in the xml
[14:57] <soren> kirkland: Haven't gotten far on my todo list today at all, really.
[14:58] <soren> kirkland: My dentist appointment involved a lot of waiting :(
[14:58] <smoser> b.) had you investigated actually packaging the ec2 kernel builds such that 'apt-get install linux-image-$(uname -r)' would work to get modules for your kernel ?
[14:58] <smoser> i think that doing that would give more consistent usage with the rest of ubuntu, even with building private kernel modules (using linux-headers, config and such)
[14:59] <soren> smoser: Not really. I did most of my thinking on the subject back when there were no network drivers in the default kernels, so apt-get was out of the question.
[14:59] <smoser> i think we'd still want the initrd to house the network drivers
[15:00] <smoser> so they'd be duplicated
[15:00] <soren> smoser: There's also the problem of ABI bumps.
[15:00] <smoser> what problem ?
[15:00] <soren> smoser: Usually, we nuke packages with the old ABI when there's a new one.
[15:00] <soren> smoser: ...which would render the instances using older kernels less functional.
[15:00] <smoser> really. i was unaware that we took such rude stance on that.
[15:01] <soren> smoser: ...since they can't install their modules anymore.
[15:01] <smoser> it definitely would be a show stopper.
[15:01] <kirkland> soren: what can I do to make vmbuilder functional?
[15:01] <soren> kirkland: Install grub1.
[15:01] <soren> kirkland: Or wait >(
[15:01] <kirkland> soren: is there assistance i can offer on vmbuilder?
[15:01] <soren> Er...
[15:01]  * soren switches keyboard layout..
[15:02] <soren> There. >) should have been :)
[15:02] <kirkland> >) looks like a wincing smile
[15:03] <soren> kirkland: I don't think your time would be very well spent trying to work things out in VMBuilder. That part of it is quite opaque.
[15:03] <smoser> soren, so, i still think that we should try to get 'apt-get install linux-image-$(uname -r)' to work inside a ec2 instance
[15:04] <smoser> to deal with the deletion of old packages, we should make sure "reasonable" modules are loaded in the initrd (or copied through to the guest).
[15:04] <soren> smoser: You should ask the archive admins, really. It's their decision whether they're willing to keep the binary packages around forever.
[15:04] <smoser> but if we're telling people elsewhere "you really shouldn't use these kernels" then we should be sending that message on amazon too
[15:04] <soren> smoser: I don't think that's good enough.
[15:05] <smoser> soren, why not ? as it is right now, there is some limited list of modules that you get. if you want more you're on your own
[15:05] <soren> smoser: It will mean that stuff that used to work could suddenly cease to work without any hint or warning.
[15:05] <soren> smoser: Ok, you lost me.
[15:05] <smoser> how is that different from my server system ?
[15:05] <soren> smoser: Your server system has the modules *on disk*.
[15:05] <soren> smoser: Restarting it will not remove them.
[15:06] <smoser> yes, but maybe it doesn't have linux-headers (so i can't build a module)
[15:06] <smoser> and i'm unable to get that for my system now because someone deleted them from the archive for me
[15:06] <soren> smoser: If you haven't built it, you're not using it, and are not dependent on it.
[15:06] <soren> smoser: On EC2, you may have been using the modules happily for a long time, along comes an ABI bump, and your modules go missing.
[15:06] <smoser> my documentation on how to do something "used to work" and now doesnt
[15:07] <smoser> (the something above is 'build a kernel module')
[15:07] <soren> EC2 is really just very different here. It's *designed* to have people start up instances and blow them away *all* the time.
[15:07] <smoser> maybe i've scripted all that, so its magic (as the kernel-module packages do ... like kqemu or vmware ... )
[15:08] <soren> And if you install a new system in the real world, you'll be using a new kernel.
[15:08] <soren> On EC2 you don't have the liberty to just go and upgade your kernel like you do on your other systems.
[15:08] <soren> upgrade, even.
[15:09] <smoser> i agree that its somewhat different, but not completely.
[15:09] <soren> In short, there's nothing on your server system that will break that apt-get can't fix.
[15:09] <soren> There will be on EC2 if the modules package goes missing due to an ABI bump.
[15:09] <smoser> your argument is that you're "helping" users by allowing them to make full use of kernels we've deleted for security reasons
[15:10] <soren> smoser: Or other reasons.
[15:10] <smoser> it seems like we're being less proactive in removal/deprecation of old kernel versions on ec2 than we are elsewhere
[15:10] <kirkland> soren: okay, how do i force it to install grub1?
[15:11] <soren> kirkland: On your *host*.
[15:11] <kirkland> soren: oh, really ...  hmmf
[15:11] <soren> smoser: We don't forcibly remove people's kernels on "regular" systems.
[15:12] <soren> smoser: ...or the modules corresponding to old kernels.
[15:13] <smoser> but they are not able to do anything *new* with that old kernel (like build a new driver/filesystem for it) if they had not previously installed all $(uname -r) packages
[15:14] <soren> No, but they can just upgrade!
[15:14] <soren> that's the point.
[15:14] <soren> A quick apt-get, and they're done.
[15:15] <nimrod0> !help
[15:15] <nimrod0> !snmp
[15:15] <nimrod0> !snmpd
[15:15] <nimrod0> is there any good ubuntu tutorial for snmp and mibs ?
[15:16] <smoser> soren, a quick switch of ami would make the ec2 user 'done', no ?
[15:16] <soren> smoser: It's really not necessarily that quick.
[15:16] <soren> smoser: He may have rebundled or whatever.
[15:17] <kirkland> soren: i should be able to run vmbuilder from within a vm (assuming it has enough disk space), right?
[15:17] <soren> kirkland: Sure.
[15:17] <smoser> in the re-bundle case, i agree. but then they could have easily installed those modules before rebundling
[15:17] <soren> smoser: True.
[15:19] <smoser> the only thing i have against the ec2 kernel update proposal (of stuffing all modules into initramdisk and then copying that to /) is that it is not consistent with the way ubuntu works other places.
[15:19] <smoser> i'd suggest that we take that approach for kernel modules that we expect are highly likely to be used
[15:20] <smoser> and for others, provide the package to get the rest, and document that those might go away
[15:21] <smoser> soren, one other question i have on that... why not just 'modprobe' all the modules that were in the initrd as opposed to copying them to /lib/modules/$(uname -r)
[15:21] <smoser> other than memory usage, it'd seem the same (and if you were concerned about that, the user could remove any modules they didn't need)
[15:22] <soren> smoser: Hmm... I guess that could work.
[15:22] <smoser> it just feels to me that the less different 'ubuntu-on-ec2' is, the better
[15:23] <smoser> different than ubuntu-on-otherstuff
[15:23] <soren> Certainly
[15:24] <smoser> i was unaware of our stance on deleting things from the archive until yesterday. it just feels rude to me.
[15:25] <smoser> i guess you could presumably build from source
[15:25] <soren> smoser: We never delete stuff that was in the archive at release time.
[15:25] <soren> smoser: -updates and -security (and -proposed) are different, though.
[15:25] <smoser> right.
[15:28] <soren> As to making ubuntu-on-ec2 as much like ubuntu-on-everything-else as possible, I'm not completely sure whether having a boatload of modules installed at boot time that are nowhere to be found on the filesystem is more like everything else than an approach that, after ec2-init has done its magic, leaves a filesystem with modules ready to be loaded, just like everywhere else.
[15:29] <soren> I think I could be convinced either way at this point.
[15:29] <smoser> fair
[15:29] <smoser> i think from a documentation perspective, installing a linux-headers- and linux-image- package is nicely consistent
[15:30] <smoser> i really would like for that to "just work" as it does elsewhere.
[15:30] <smoser> hopefully existing files (copied from the initrd) to /lib/modules/$(uname -r) wouldn't cause install failure
[15:30] <nimrod0> anyone has a good guide to setup snmpd on ubuntu server as the default install generates just a handfull of values and no cpu or memory valuest
[15:31] <nimrod0> s/valuest/values
[15:31] <soren> smoser: They won't.
[15:31] <smoser> the 'for x in list-of-modules; do modprobe $x; done' just seemed easier than tmpfs and copying
[15:32] <smoser> and would "just work" without the root filesystem doing anything
[15:32] <smoser> (if someone used our kernels/initrd for non-ubuntu ami)
[15:43] <cocoa117> does the sticky bit only work for other user? "chmod u=rwx,g=rwxt,o= test2" always gives me drwxrwx---. i thought it's supposed to be drwxrwt---, anyone?
[15:44] <soren> cocoa117: replace your t with an s, and you should be good.
[15:44] <soren> cocoa117: what are you trying to achieve, exactly?
[15:48] <cocoa117> soren, so only owner can delete file, while others can still edit it
[15:48] <genii> !info eucalyptus
[15:48] <genii> Hm
[15:56] <soren> cocoa117: Then you still want o=t.
[15:56] <soren> cocoa117: g=s is something completely different
[15:56] <cocoa117> so it has to be chmod u=rwx,g=rwx,o=rwxt test2
[15:57] <cocoa117> soren, so it has to be chmod u=rwx,g=rwx,o=rwxt test2
[15:58] <soren> cocoa117: You don't need o=rwx
[15:58] <soren> cocoa117: o=t will do.
[15:58] <cocoa117> i c
[15:58] <cocoa117> soren, does that mean, other user can't read/write/execute the folder
[16:00] <soren> cocoa117: Yes.
[16:00] <cocoa117> soren, thanx
[16:00] <soren> cocoa117: I presume that's what you want given you tried o= to begin with.
[16:01] <cocoa117> soren, it is, only owner and group allow to access it
[16:10] <mxzypltk> VirtualD:  did you have a chance to load the latest e1000e module last night?
[16:43] <smoser> erichammond, awake?
[16:48] <thebishop> i'm trying to install a telnetd server.  I can access it with "telnet localhost", but when i try to access from a remote server it doesn't connect.  I'm assuming this is a firewall issue, but i'm not sure.  Any ideas?
[16:49]  * soren needs to go and buy food..
[16:50] <twb> I hope you have a good reason for installing an insecure service like telnet.
[16:53] <blue-frog> thebishop: you certainly need to do some PAT to redirect port 23
[16:54] <thebishop> twb, unfortunately, i do :(
[16:54] <thebishop> blue-frog, do I need to redirect?  I just want to open 23 to the outside world
[16:55] <blue-frog> your server is directly on the internet or behind a router?
[16:55] <thebishop> it seems to be open to itself
[16:55] <hjmf> the-dude: wouldn't be better to use some kind of ssh tunnel to at least encrypt your telnet traffic
[16:56] <hjmf> ?
[16:56] <hjmf> sorry I meant thebishop ^^
[16:56] <blue-frog> thebishop: as twb highlighted I assume that you are either trolling or looking for problems with your server
[16:56] <thebishop> it's neither.  I have a legit need for telnet.  I don't have a choice unfortunately, and I know it's a bad idea
[16:57] <blue-frog> thebishop: so do you have a router in between internet and your server?
[16:57] <hjmf> at least you can tunnel that traffic; it wouldn't be hard to do it
[16:57] <thebishop> blue-frog, it has a static ip on the internet.  it's a virtual server running from a web hosting service
[16:58] <thebishop> i'd like to get basic functionality working before i try to secure it
[16:58] <blue-frog> thebishop: then there is a good chance for your webhoster to refuse any connection to 23
[16:58] <thebishop> i've got a ridiculously irrational person breathing down my back about it
[16:58] <thebishop> blue-frog, that's an interesting suggestion
[16:59] <thebishop> blue-frog, maybe i can bind telnet to another port?
[16:59] <blue-frog> if you like to. use netcat
[17:01] <thebishop> well, suppose it's not my host
[17:01] <thebishop> i don't have a lot of experience with iptables to diagnose if that's dropping port 23 packages
[17:01] <thebishop> *packets
[17:01] <blue-frog> thebishop: well.. better asking god than his saints, no?
[17:01] <thebishop> blue-frog, this host provides NO live support
[17:02] <thebishop> again, not my decision...
[17:08] <smoser> kirkland, maybe you know.  i want to "file a bug against ec2 images" with this url http://bugs.launchpad... that will automatically tag the created bug with 'ec2-images'. is that possible ?
[17:09] <kirkland> smoser: point me to a sample url of a tagged bug
[17:09] <smoser> https://bugs.launchpad.net/ubuntu-on-ec2/+bug/419306 is tagged with ec2-images and uec-images
[17:16] <kirkland> smoser: i tried a few things, unsuccessfully
[17:16] <kirkland> smoser: ask in #launchpad
[17:17] <smoser> i did
[17:17] <jjohansen> smoser: bug #427288
[17:17] <smoser> then tried you, as launchpad superfly
[17:17] <smoser> i just found : https://bugs.launchpad.net/ubuntu/+filebug?field.tags=ec2-images works
[17:18] <jjohansen> smoser: there are 2 ways to deal with this apparently zul's kernel patch that disables xen from setting the cs segment and an alternate libc
[17:20] <smoser> jjohansen, you have thoughts ? i dont think we want alternate libc unless there is good/very-good reason
[17:20] <jjohansen> smoser: I am trying to asses which is the best route to go with, how objectionable is the alternate libc
[17:21] <jjohansen> smoser: the kernel patch essentially disables xen's ability to do segment based protection
[17:21] <smoser> i dont think we need to name call (assess)
[17:22] <jjohansen> so the kernel patch could be considered a security issue
[17:23] <smoser> this is so much fun
[17:23] <jjohansen> perhaps I should ping kees and get his take as well
[17:23] <mathiaz> zul_: hi - re bug 424789
[17:24] <mathiaz> zul_: you don't need to ask for a FFe if there aren't new features
[17:24] <mathiaz> zul_: if the new upstream revision is just a bug fix release, then you can just upload it
[17:24] <mathiaz> zul_: if there are new features, they should be documented in the FFe request
[17:24] <RoyK> hi. with ufw, can I reorder the rules without removing and re-adding them?
[17:25] <RoyK> this is 8.04.3 LTS
[17:25] <jdstrand> RoyK: not via the cli command. later versions of ufw support 'insert' though (not 8.04)
[17:25] <jdstrand> RoyK: but you can edit /var/lib/ufw/*rules
[17:26] <jdstrand> RoyK: just be careful to move the whole stanze to the right spot
[17:26] <RoyK> perhaps time to update to something newer
[17:26] <jdstrand> stanza
[17:26] <jdstrand> RoyK: well, later versions of ufw don't let you reorder then, but you can remove a rule and insert it somewhere else
[17:26]  * jdstrand can't type
[17:27] <jdstrand> s/reorder then/reorder them/
[17:27] <RoyK> jdstrand: I see
[17:27] <RoyK> still, this is a private server, so keeping it on 8.04 isn't really that necessary
[17:27] <jdstrand> RoyK: take a look in /var/lib/ufw/user.rules-- it should be pretty straight forward
[17:27] <jdstrand> RoyK: back it up first just in case ;)
[17:27] <RoyK> jdstrand: is that just iptables stuff?
[17:28] <addisonj> hmm, curious about incremental backups, whats the best solution?
[17:28] <jdstrand> RoyK: iptables-restore syntax, yes
[17:28] <jdstrand> RoyK: with a little accounting via comments
[17:28] <RoyK> I see. I've been using iptables for years - I just fell back to ufw of good old laziness
[17:28] <jdstrand> RoyK: keep the comment and the rule together and it'll go fine
[17:29] <jdstrand> RoyK: laziness or 'smartness'? if ufw does what you need, use it! :)
[17:34] <smoser> jjohansen, it appears your kernels have interest beyond ubuntu. one of the users on that bug is using your kernel with fedora user space
[17:35] <jjohansen> heh, the more testing the better :)
[17:38] <cocoa117> if user belong to admin group, it have privilege to ignore the sticky bit set on the folder?
[17:58] <qman__> cocoa117, no, that just allows them to use sudo
[17:58] <qman__> if they use sudo, they can override a sticky bit
[17:59] <cocoa117> qman__, i found the problem, the folder belongs to owner, if i change it to root, the user behaves the same as others
[17:59] <cocoa117> qman__, thanx for the help
[18:56] <Steve[work]> afternoon everyone
[18:56] <KillMeNow> howdy Steve
[19:06] <modeller_wahkor1> hello
[19:06] <modeller_wahkor1> I have some questions about proxy.
[19:07] <erichammond> smoser: Just got up; now I'll be offline for a few hours and then online but working.  I can't monitor all the chatter on this channel.  If there's any way you could discuss ec2 things on #ubuntu-ec2 I could keep up with it all and give feedback.
[19:11] <szczym> i have a problem with no output from lsusb in intrepid server - it was working 5 minutes ago
[19:11] <erichammond> smoser, soren, mdz, zul, jjohansen: Remember that we're not just building kernels to work with the AMIs which Canonical builds.  These kernels must also work with Ubuntu AMIs that users build themselves.  It would also make Canonical a hero if the kernels happened to work well with other Linux distros (the current tester is using Fedora 11).  That last is obviously not a requirement, but if a simple decision makes it more possible w
[19:13] <erichammond> I saw some talk about copying kernel modules into / from initrd.  At first glance, seems like a cool idea.  I don't know the startup time impact, but remember that seconds count.
[19:14] <smoser> erichammond, absolutely we want to support re-bundled ubuntu ami images.  and i think we don't want to do things that make other distro use of the kernel/initrds more difficult unless there is some good reason
[19:14] <smoser> erichammond, startup time probably absolutely trivial
[19:14] <smoser> as copy from initrd to tmpfs is memory->memory of something on the order of small number of megabytes
[19:15] <smoser> and then in user space, that same copy but to / (whatever sda1 is backed by)
[19:15] <soren> smoser: Well.. I have >100MB of modules on my system.
[19:16] <soren> smoser: But still, copying 100 MB from memory to memory is cheap.
[19:16] <smoser> yeah... the -virtual kernel is significantly smaller, though. and thats what we'd be shooting for
[19:16] <soren> smoser: Oh, right, right. My bad.
[19:17] <smoser> additionally you could background the copy, its not terribly likely to fail. anything that needed it could block on waiting for a 'finished' file in /lib/modules/$(uname -r) or whatever. if it happened to be slow
[19:18] <kees> mathiaz: did you create the ubuntu-server meeting on The Fridge ?
[19:18] <kees> mathiaz: I'm trying to follow the instructions for the security team, but it doesn't show up
[19:21] <erichammond> smoser: I'm not a fan of the background copy idea.  Kernel modules are often needed on boot and boot failures are difficult to debug on EC2.  Background copy could even make the boot failures sporadic based on timing.  Requiring users to wait would require educating users which has a high percentage of failure due to the impossibility of making users find and read documentation.
[19:21] <erichammond> gotta run
[19:21] <mathiaz> kees: hm - a looong time ago
[19:22] <kees> mathiaz: I see it in the iCal, but it doesn't show up on the fridge web site
[19:22] <erichammond> In case I haven't mentioned it yet, I am thrilled to see so much progress on the kernel lately. Thanks, folks.
[19:22] <mathiaz> kees: are you following https://wiki.ubuntu.com/Fridge/Calendar ?
[19:22] <kees> yeah
[19:22] <smoser> we'd modprobe modules needed to boot (at least on ubuntu images) from inside the initrd.
[19:22] <kees> except that I can't find "Check the box that says 'Guests can modify event' "
[19:23] <kees> oh nm, I found it.  it's checked
[19:26] <slestak> can someone tell me the rationale for ubuntu including dnsmasq in the desktop package selection?
[19:27] <slestak> i mean there is no dnsmasq.conf, so i dont think it is doing anything as a dhcp or dns cache without having some sort of configuration
[19:28] <giovani> slestak: since when is it in the desktop metapackage?
[19:28] <slestak> i do not know, it is installed on every jaunty machine i have
[19:29] <slestak> i didnt install it, so it had to come in with the install media
[19:29] <giovani> ok, first -- #ubuntu is more appropriate
[19:29] <giovani> since this isn't a server discussion
[19:29] <giovani> but dnsmasq is in universe
[19:29] <giovani> I didn't think universe was even enabled by default
[19:29] <slestak> giovani: ok, sorry for being offtopic.  interesting.
[19:30] <szczym> according to my problem with no output from libusb i upgraded usbutils because of that: https://bugs.launchpad.net/ubuntu/+source/usbutils/+bug/159189 and still no output from lsusb, could someone help me please ?
[19:30] <slestak> giovani: i came here since i considered the product a server oriented choice, I'll check elsewhere.  thx
[19:30] <giovani> szczym: it's not a direct dependency of ubuntu-desktop
[19:31] <kees> dnsmasq has been in main since hardy
[19:31] <giovani> slestak: well ... but you're asking about the desktop metapackage, not about how to use dnsmasq
[19:31] <giovani> kees: no, it's in universe
[19:31] <kees> dnsmasq | 2.41-2ubuntu2.2 | hardy-security/main
[19:31] <kees> dnsmasq | 2.45-1ubuntu1.1 | intrepid-security/main
[19:31] <kees> dnsmasq | 2.47-3ubuntu0.1 | jaunty-security/main
[19:31] <kees> dnsmasq | 2.50-1          | karmic/main
[19:31] <szczym> giovani: im running 8.10 server
[19:31] <giovani> http://packages.ubuntu.com/jaunty/dnsmasq
[19:32] <giovani> it says universe there
[19:32] <giovani> szczym: you said you were talking about the desktop metapackage ... not a server
[19:33] <szczym> giovani: where i could found a fix for server version lsusb ?
[19:33] <giovani> szczym: sorry, I didn't mean to direct that towards you -- you had a similar length name containing nearly random-looking characters starting with s as slestak
[19:33] <kees> giovani: the binary package "dnsmasq" is in universe, yes.  dnsmasq-base is in main, so the source package "dnsmasq" is in main
[19:33] <martinjh99> Do I have to do anything else to enable mod_rewrite for things like gallery2 and drupal?  I did a2enmod mod_rewrite and restarted the server and nothing seems to work...
[19:33] <kees> giovani: why it's installed, I'm not sure
[19:33] <giovani> kees: ok, that's not dnsmasq though
[19:33] <giovani> that's dnsmasq-base
[19:34] <kees> giovani: try apt-get remove dnsmasq and see what else it tries to remove?
[19:34] <giovani> kees: it's not my question/issue, direct it at slestak
[19:34] <slestak> i will try that, im the one obsessing over this
[19:35] <kees> slestak: heh, okay
[19:35] <slestak> i was about to install dnsmasq on a 9.04 machine, and saw that it was already present.  then i checked some of my other machines and it was installed (although not configured) everywhere
[19:35] <szczym> giovani: ok, sorry, mistake. but do you have any clue about that lsusb issue ? where i could look for help ?
[19:35] <martinjh99> never mind - Found a forum post about it...
[19:35] <giovani> szczym: no, I would've replied to your requests for help if I did
[19:36] <szczym> giovani: sorry
[19:41] <martinjh99> Followed the instructions here for enabling mod_rewrite and restarted the server and it hasn't seemed to work... Anyone know how to enable?
[19:41] <martinjh99> http://ubuntuforums.org/showthread.php?t=377410
[19:47] <martinjh99> anybody here ;)?
[20:05] <smoser> jdstrand, you know of a way to replace passwd entry in /etc/shadow with '!' (other than with awk or sed)... more looking for a 'chpasswd' like option that would just allow indication that this users password should be not set
[20:06] <Hypnoz> you can set their default shell to /bin/false in /etc/passwd
[20:07] <jdstrand> smoser: would 'passwd -l' fit the bill?
[20:07] <smoser> i dont want to prevent login, only password based login, Hypnoz
[20:07] <smoser> thats what i need, jdstrand. thanks.
[20:07] <Hypnoz> ah good find
[20:07] <smoser> a big 'duh' to me for not considering 'passwd'
[20:08] <mushroomblue> is there a way to make sudo ask for the root password?
[20:08] <jdstrand> :)
[20:08] <jdstrand> mushroomblue: rootpw
[20:08] <mushroomblue> I really hate having superusers by default.
[20:08] <jdstrand> mushroomblue: see 'man sudoers'
[20:08] <smoser> mushroomblue, really only the first user is superuser, no? default adduser doesn't put the user in admin
[20:09] <jdstrand> mushroomblue: you'll of course need to actually set a password for the root user
[20:09] <mushroomblue> right.
[20:09] <smoser> if the user is not found in sudoers then they'll be prompted for root passwd
[20:09] <jdstrand> smoser: they are prompted for their own password
[20:09] <jdstrand> unless you use 'rootpw'
[20:10] <Hypnoz> he's right, man sudoers and search for rootpw
[20:11] <smoser> ah... i thought that default if not found was just to prompt for root passwd
[20:12] <smoser> rather than just asking them for their password and then saying "no"
[20:12] <jdstrand> smoser: wait, I think I misunderstood your statement
[20:12] <Hypnoz> it gives some goofy message like "user not found in sudoers, reported to administrator"
[20:13] <jdstrand> smoser: if the user is not in sudoers (eg not in the 'admin' group), you are prompted for the root password
[20:13] <jdstrand> rootpw is for forcing users in sudoers to use a rootpw instead of their own
[20:14] <smoser> jdstrand, i think you're wrong.
[20:14] <smoser> :)
[20:14]  * jdstrand should have read smoser's comment more closely
[20:14] <smoser> at least in my test just now
[20:14] <smoser> i have a user 'test', which is not in admin, and not mentioned at all in /etc/sudoers
[20:14] <jdstrand> well, I just tried here
[20:14] <smoser> if i become that user, and then type 'sudo ls'
[20:14] <acemo> virtualmin gives the error: The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin base directory is /home. CGI and PHP scripts run as domain owners will not be executed. should i just disable suexec or move the virtualmin base directory to /var/www?
[20:14] <smoser> $ sudo ls
[20:14] <smoser> [sudo] password for test:
[20:14] <smoser> test is not in the sudoers file.  This incident will be reported.
[20:16] <Hypnoz> yep. If they're not in the sudoers they aren't allowed to sudo. But I think you can add to sudoers with the "rootpw" option like jdstrand was saying
[20:16] <jdstrand> smoser: wouldn't you know, the user I tested *was* in the sudoers file and had rootpw (even though there isn't a root passwd set). Isn't that goofy... goes to fix that
[20:16] <jdstrand> so I was both right and wrong :P
[20:16]  * jdstrand will go back into his hole now
[20:16] <smoser> it is kind of silly to prompt the user for their password and then say "ha ha, you cant do it anyway"
[20:17] <jdstrand> smoser: I stand by my first 'rootpw' statement :)
[20:17] <smoser> yes. i think that is correct.
[20:17] <smoser> (and you verified :)
[20:17] <mushroomblue> hrm.
[20:17] <jdstrand> that was a truly ancient entry in my sudoers file...
[20:18] <Hypnoz> smoser, linux seems like it doesn't like to give away info, so I would guess that it doesn't tell you the account isn't in sudoers until you type the right password, maybe to slow down hackers finding sudo accounts
[20:19] <smoser> Hypnoz, yeah, that is reasonable.
[20:22] <smoser> jdstrand, just fyi, it appears that chpasswd will also take a '!' token to indicate disable
[20:23] <jdstrand> smoser: be careful with that one-- lest you introduce http://www.ubuntu.com/usn/usn-670-1
[20:23] <jdstrand> but yes
[20:26] <mushroomblue> another question. is it possible to make a user sudo to another user by default?
[20:26] <mushroomblue> i.e. I want an unprivileged user able to sudo to another user with admin privs, then sudo to root
[20:26] <pwnguin> what's that gain?
[20:27] <mdz> smoser, soren, zul, jjohansen: I'm not sure i'm entirely in agreement with erichammond with regard to supporting arbitrary AMIs.  That's not something we should break without consideration, but our first priority should be to provide a complete, official stack
[20:27] <zul> mdz: agreed
[20:27] <mushroomblue> pwnguin: ultra-paranoid. box has been compromised a few times, and I want to make their job as hard as possible.
[20:28] <guntbert> mushroomblue: if you want to play with sudo - please read man sudo and man sudoers
[20:28] <mushroomblue> I was previously using NX to solve some of this.
[20:28] <mushroomblue> guntbert: I am. :)
[20:28] <mushroomblue> thanks, tho.
[20:29] <smoser> mdz, i think everyone is in agreement there.
[20:29] <smoser> its just "nice to have"
[20:29] <smoser> "wishlist"
[20:36] <mdz> smoser, zul, ok, sorry I missed the original discussion. eric seems to have disconnected
[20:36] <mdz> smoser, could you follow up by email to make sure we close the loop?
[20:37] <smoser> mdz, i thought the above was fairly clear from him
[20:37] <smoser> " It would also make Canonical a hero if the kernels happened to work well with other Linux distros (the current tester is using Fedora 11).  That last is obviously not a requirement, but if a simple decision makes it more possible "
[20:38] <smoser> 'happened to work well' and 'not a requirement'...
[20:39] <mdz> smoser, oh, ok, thanks
[20:39] <mdz> smoser, I had scanned the beginning of my scrollback and it looked like he had left already
[20:39] <mdz> that looks fine
[20:40] <smoser> kirkland, do man pages search no longer work at http://people.canonical.com/~kirkland/search.html
[20:40] <smoser> or, rather, they dont seem to work for me.
[21:05] <kirkland> smoser: hmm, you're right
[21:05] <kirkland> smoser: i'll have a look at that
[21:16] <qman__> mushroomblue, be aware that if you set a root password and you run sshd, you will probably want to change the sshd config to disable root logons
[21:17] <qman__> the default setting allows root logons, but since root doesn't have a password, root can't log on
[21:18] <mushroomblue> qman__: already done. thanks. :)
[21:27] <erichammond> mdz: (scanned the logs)  I agree with smoser that you and I are in agreement :)
[21:28] <erichammond> smoser: When I say "images built by users" I'm not just talking about rebundled Canonical images, but also images built with vmbuilder (and for the time being, with ec2ubuntu-build-ami which many folks are using and which I can update as needed to work short term with the new kernels).
[21:30] <erichammond> There are also some commercial services which let users build Ubuntu images including CohesiveFT's elasticserver.org and rBuilder at rpath.org
[21:45] <mathiaz> zul_: these are the dependencies that get pulled in when installing puppet - http://paste.ubuntu.com/268775/
[21:46] <mathiaz> zul_: are these the ones you were looking at when filing the MIR for puppet?
[22:04] <Hypnoz1> Sun has these new NAS arrays, the 7000 series, the firmware on them is awful. Heads on them randomly fail over, disks randomly go offline. Steer clear, they are a good price but you get what you pay for...
[22:05] <Hypnoz1> Sun is trying though, they're releasing updates constantly. I'm sure in a year or two the things will be solid
[22:05] <Hypnoz1> but I feel like a damn beta tester for their product
[22:19] <addison> hmm, what method of backup do you all prefer
[22:21] <KillMeNow> Hypnoz1:  you actually PAID them to beta test their product
[22:21] <KillMeNow> addison:  depends on your server
[22:21] <KillMeNow> what types of files you're backing up
[22:21] <KillMeNow> etc etc
[22:22] <addison> well, one server is actually running moodle, mysql db and then just the data frontend
[22:22] <Hypnoz1> haha yes we did. I am starting to realize why sun stock is worthless
[22:33] <kirkland> jbernard_: howdy
[22:33] <jbernard_> kirkland: hey man!
[22:33] <kirkland> jbernard_: okay, so you're interested in working on alfresco
[22:34] <kirkland> jbernard_: currently, iamfuzz is the canonical engineer who's been working on getting alfresco-community into the canonical partner archive
[22:34] <jbernard_> kirkland: yep, im wondering what it takes to get it from the partner archive into universe
[22:34] <kirkland> jbernard_: we'd like to get it into multiverse, for karmic, ideally
[22:34] <kirkland> jbernard_: gotcha...
[22:34] <kirkland> jbernard_: okay, so we're currently waiting on a few licensing clarifications from alfresco, to make sure that we have the rights to redistribute all of the included jars
[22:35] <kirkland> jbernard_: i expect we'll get a new tarball from alfresco by monday
[22:35] <kirkland> jbernard_: the other thing is sun-jdk has been dropped from karmic
[22:35] <kirkland> jbernard_: alfresco says that they need sunjdk, we've asked for a list of issues that they have with openjdk
[22:35] <jbernard_> kirkland: do we expect to have the licensing ambiguities clear up in that release?
[22:35] <kirkland> jbernard_: we're waiting to hear back on that one
[22:35] <kirkland> jbernard_: yes, the licensing issues are relatively straightforward, i don't see a problem
[22:36] <kirkland> jbernard_: step two will be ensuring that it builds and runs against openjdk
[22:36] <kirkland> jbernard_: step three will probably extend beyond karmic, and into karmic+1
[22:36] <jbernard_> kirkland: yes, sunjdk is removed for karmic, as i recall
[22:37] <kirkland> jbernard_: ideally, alfresco would *not* include all these jars, but instead depend on packaged versions of each in ubuntu, distributed like any other package
[22:37] <kirkland> jbernard_: the way we handle this same situation for thousands of C and Python packages ;-)
[22:37] <kirkland> jbernard_: see the work ttx did on eucalyptus in the last two cycles
[22:38] <jbernard_> kirkland: are the sub-packages required for karmic?
[22:38] <kirkland> jbernard_: it's impossible to accomplish by karmic
[22:38] <kirkland> jbernard_: this part is a karmic+1 target for delivery
[22:38] <jbernard_> kirkland: so just openjdk verification/debugging
[22:38] <kirkland> jbernard_: but there's nothing wrong with starting on that after the openjdk task is done
[22:38] <kirkland> jbernard_: right
[22:38] <kirkland> jbernard_: meet iamfuzz
[22:39] <kirkland> jbernard_: iamfuzz  is the canonical engineer who's been working on alfresco up until now
[22:39] <kirkland> jbernard_: he's done a good job laying the foundation
[22:39] <iamfuzz> jbernard_, Hi there, glad to have someone helping out on testing
[22:39] <kirkland> and there's plenty more work to do ;-)
[22:39] <iamfuzz> indeed
[22:39] <iamfuzz> especially the JAR work for karmic+1
[22:39] <jbernard_> iamfuzz: hello, im interested in helping out
[22:40] <iamfuzz> I went through all the JARs we don't have and will be sending out a list on Monday
[22:40] <kirkland> iamfuzz: i'm hoping jbernard_ can help prune some of those jars out, package them individually, and make runtime dependencies out of them
[22:40] <kirkland> iamfuzz: can we start capturing all of this in a wiki page or something?
[22:40] <jbernard_> iamfuzz: can you copy me on that list?
[22:40] <kirkland> iamfuzz: now that there are a few cooks in the kitchen?
[22:40] <iamfuzz> kirkland, will do, Jared is supposed to send me a definitive list to compare against my work
[22:41] <iamfuzz> jbernard_, will do, what's your email?
[22:41] <jbernard_> iamfuzz: bernardj@gmail.com
[22:41] <iamfuzz> jbernard_, I'll go ahead and send a link to the PPA I'm uploading to now (it'll be a bit as my upstream is circa 1996ish)
[22:41] <kirkland> iamfuzz: you could create an ubuntu-alfresco team in LP, if you so desire ;-)
[22:42] <iamfuzz> kirkland, we have one, it's alfresco-isv
[22:42] <kirkland> iamfuzz: ah
[22:43] <jbernard_> iamfuzz: so monday the tarball should arrive with the licensing cleared up, and we can begin verifying it on openjdk, is that basically the plan?
[22:44] <jbernard_> iamfuzz: have you done any openjdk testing with the current partner deb?
[22:45] <iamfuzz> jbernard_, basically, I just sent you an email about it.
[22:46] <iamfuzz> aside from the licensing stuff, the package should run fine now
[22:46] <jbernard_> got it
[22:46] <iamfuzz> and no, very little testing against openjdk as I just found out yesterday Sun java is out
[22:46] <iamfuzz> I did compile against it and it compiled fine, but would still only run against sun-java-6
[22:47] <iamfuzz> however, this was the openjdk in Hardy, so it could work fine now
[22:47] <jbernard_> does there exist any kind of testing framework?
[22:47] <iamfuzz> yes, some automated, some not.  We are to receive that on monday as well
[22:47] <jbernard_> awesome
[22:48] <iamfuzz> we're in a bit of scramble mode since I found out about sun-java being booted
[22:48] <jbernard_> i can imagine :)
[22:48] <kirkland> jbernard_: fyi, openjdk in karmic >> hardy
[22:48] <iamfuzz> I was under the impression we would just release against it for karmic and then do everything proper like in universe for karmic+1
[22:48] <iamfuzz> but that all changed :-)
[22:49] <jbernard_> does it make sense to test the current partner deb against openjdk now, or just wait for the release on monday?
[22:49] <iamfuzz> kirkland, jbernard_ I'm off all next week as well :-)
[22:49] <iamfuzz> just to add to the fun
[22:50] <kirkland> jbernard_: i'd suggest starting with the upload iamfuzz  is pushing to his ppa right now
[22:50] <iamfuzz> jbernard_, whichever way you want to do it, but don't test the partner DEB, it bundles swftools, use the one I'm uploading now to my PPA
[22:50] <kirkland> iamfuzz: correct me if i'm wrong, but i expect that upload to be more recent than the one in partner
[22:50] <iamfuzz> kirkland, yes, mainly just the removing of swftools
[22:51] <jbernard_> iamfuzz: ok, will do
[22:51] <kirkland> mathiaz: around?
[22:51] <mathiaz> kirkland: yeeeesss!!!!
[22:51] <mathiaz> kirkland: are you around?
[22:51] <kirkland> mathiaz: what's supposed to provide /etc/mysql/debian.cnf ?
[22:51] <kirkland> mathiaz: you bet ;-)
[22:52] <mathiaz> kirkland: zhee unmissable mysql-zerver-5.1 peickage!
[22:52] <mathiaz> kirkland: well - it's a generated file
[22:52] <mathiaz> kirkland: by the post install script
[22:52] <kirkland> mathiaz: hrm
[22:53] <mathiaz> kirkland: there is a special user added to mysql - debian-sys-maint that used by the init script to check the status
[22:53] <mathiaz> kirkland: and shutdown mysql correctly
[22:53] <kirkland> mathiaz: okay
[22:53] <kirkland> mathiaz: i'm trying to get wordpress working
[22:53] <mathiaz> kirkland: /etc/mysql/debian.cnf is used to store the credential of said user
[22:54] <kirkland> mathiaz: its setup script is failing, looking for that .cnf file, which doesn't exist
[22:54] <kirkland> mathiaz: and mysql-server isn't installed
[22:54] <kirkland> mathiaz: i'm trying that now
[22:54] <mathiaz> kirkland: is mysql-server-5.{0|1} installed?
[22:54] <mathiaz> kirkland: mysql-server is just a meta-package that pulls in the latest mysql-server
[22:54] <kirkland> mathiaz: nope. installing that now
[22:55] <kirkland> mathiaz: i'm installing 5.1
[22:55] <mathiaz> kirkland: right - that should help
[22:55] <kirkland> mathiaz: okay
[22:55] <mathiaz> kirkland: are you using the wordpress package?
[22:56] <ahe> i just got curious about the alfresco appliance
[22:56] <ahe> what do you plan to build around alfresco to give it the blackbox feel of an appliance?
[22:57] <KillMeNow> don't forget to install php5-mysql
[23:06] <soren> kirkland: Man, grub2 is complicated!
[23:07] <soren> kirkland: ...for a Xen image it shoudln
[23:07] <soren> t matter, though?