/srv/irclogs.ubuntu.com/2009/10/17/#ubuntu-server.txt

Icarr the servers down ?00:25
iflymyhelishighhellooo00:33
Aw0Lare there major differences in packages between the 6month release of Ubuntu server and LTS?00:40
iflymyhelishigh Probably not, but it's a good idea to install it anyway 00:41
iflymyhelishighnewest version is the best00:41
iflymyhelishighI'm trying to install VHCS through apt-get00:42
iflymyhelishigh but it's giving me predepends errors 00:42
Aw0Liflymyhelishigh: you mean installing LTS instead of the 6mo release?00:42
iflymyhelishighwhichever one is the newest00:42
uvirtbot` New bug: #453599 in whois (main) "Catastrophic error while querying a .biz domain with -H flag" [Undecided,New] https://launchpad.net/bugs/453599 00:51
VousDeux It would appear that I broke slapd while trying to set up TLS. I've tried 'aptitude --purge remove slapd' but it doesn't appear to remove everything. How do I rid myself completely of slapd so I can install clean? 02:29
VousDeux Uh-oh...I think I did a dumb-dumb. A document I found said to delete /etc/default/slapd (which I did), but I also deleted some slapd related files from /var/backup. I reinstalled slapd and it seems to be working now, but it did not recreate the /etc/default/slapd. I have no idea what it was for. 02:46
pmatulisVousDeux: 'sudo aptitude purge slapd' should have done the trick03:04
VousDeuxI had to delete files from /var/backup...then it worked, but now I'm missing the /etc/default/slapd file and I'm not sure how to replace it.03:05
pmatulisVousDeux: what version of ubuntu?03:15
=== freeflyi3g is now known as freeflying
VousDeux 9.04 03:44
VousDeuxSorry...I was collecting end-of-day market data. Thanks for your help.03:44
pmatulisVousDeux: reinstalling slapd should have given you that file03:58
VousDeuxThat's what I would have thought too, but it didn't. I guess I'm not sure it's needed with the cn=config.04:00
pmatulis VousDeux: anyway, this is /etc/default/slapd for jaunty -> http://pastebin.com/f3fc0be8d 04:01
VousDeuxOn the other hand, how did it get there in the first place.04:01
VousDeuxAwesome, thanks!04:01
pmatulisVousDeux: using 'apt-file find /etc/default/slapd' gives 'slapd' as package04:02
VousDeuxI sure don't know why it wasn't installed...I tried twice.04:03
pmatulisVousDeux: you should also be able to download the slapd source package and find that file04:03
VousDeuxI've also seen that the slapd install only executed the --configure the first time I install it. After that it doesn't execute anymore even if I do a --purge.04:04
VousDeuxAhhh...that's a good idea.04:04
VousDeuxThanks again!04:04
pmatulisVousDeux: yes, 'apt-get source slapd'04:05
VousDeuxMaybe someday I'll know some of these tips and tricks too :)04:06
pmatulisVousDeux: you could try 'dpkg-reconfigure slapd'04:06
VousDeux...but for now I've spent the last three weeks on trying to figure this thing out and really don't have anything to show for it.04:07
edulacomadrejadoes anyone have an idea for this http://serverfault.com/questions/75430/netcat-connection-refused-on-localhost ?04:07
pmatulisVousDeux: ldap is hard to learn04:07
VousDeuxYeah, that dpkg-reconfigure slapd is what I do, but it's supposed to execute --configure when it's installed.04:07
VousDeuxYeah, and that manual is pretty dry reading too.04:08
VousDeuxgoodnight...thanks again04:12
pmatulisVousDeux: bye04:13
ExuroCan anybody help me change the port ISPConfig listens on?06:51
Exuro when I set my router to forward port 80 to my webserver, it changes the router admin port to 8080 06:51
Exurothe port ISP config listens on06:51
uvirtbot` New bug: #365832 in whois (main) "whois command result Timeout" [Undecided,Fix released] https://launchpad.net/bugs/365832 09:06
uvirtbot` New bug: #375569 in samba (main) "gnome-screensaver failure - can't access samba password database - not running as root " [Low,Won't fix] https://launchpad.net/bugs/375569 09:40
=== mdz` is now known as mdz
BilgeHow can I see which ports UDP packets are coming in on?10:39
TeLLuS tcpdump or iftop -P 10:46
=== zoopster is now known as zoopster-afk
BilgeThanks TeLLuS13:56
BilgeHow can I stop ufw spamming my syslog?13:57
jdstrand Bilge: sudo ufw logging off 13:57
BilgeNo, I want to see the logs13:58
BilgeJust not in my syslog13:58
jdstrandBilge: iptables/netfilter on linux logs to kern.log13:58
BilgeI don't know what that means13:58
BilgeWhat is netfilter?13:59
jdstrand Bilge: it means there is not a way to log ufw/iptables messages somewhere else, other than through the normal /etc/syslog.conf mechanism 13:59
jdstrandBilge: they are kernel messages14:00
BilgeWhy wouldn't I want to use the normal syslog.conf mechanism?14:00
BilgeOr did you just assume I was already familiar with it14:00
jdstrandBilge: netfilter is the name of the implementation for filtering packets on linux. iptables is the command to interface with netfilter in the kernel. ufw is an abstraction over iptables to make firewalling easier to use14:01
jdstrandBilge: your question was 'How can I stop ufw spamming my syslog?' My answer is that you can't 'stop it' other than by using syslog.conf14:02
BilgeI want to use syslog.conf to reroute the messages to another log file14:02
jdstrandBilge: you can reduce what is logged by using explicit deny rules in ufw14:02
BilgeCan I do that?14:03
jdstrandBilge: then see 'man syslog.conf' or on 9.10 'man rsyslog.conf'. These are kern.* messages14:03
BilgeYeah I'll be sure to check out the manual if I know I'm going down the right path14:04
jdstrand these messages are logged with the kern facility. that can be 'rerouted' however you want via syslog.conf 14:04
BilgeBut is kern.* any message generated in the kernel?14:05
jdstrandyes14:05
BilgeWell I would want to see kernel messages in my syslog, just not UFW blocks14:06
BilgeI'm not really sure why that is tied into the kernel14:06
jdstrandBilge: that is what I'm saying. there is not a way to do that14:06
jdstrandBilge: because it isn't 'ufw' that is blocking the packets, it is the kernel. ufw is just a way to tell the kernel what to block14:06
BilgeI might understand if these were netfilter messages but they are tagged with UFW and I would not expect iptables nor netfilter to know or care about the existence of ufw14:06
jdstrandBilge: ufw is a frontend to iptables, and iptables is the command used to manipulate netfilter14:07
BilgeWhich I understand14:07
BilgeSo if I see messages in my syslog tagged with ufw then it must be generated by ufw directly, I would think14:08
jdstrand Bilge: the messages are tagged with UFW so you know that a) ufw is doing the blocking and b) you can add rules to adjust this with ufw 14:08
BilgeWhy can't ufw generate log messages that are not tied into kern.*14:09
jdstrandBilge: depending on the version of ufw you are using, you can do various things with logging (or not logging) packets with ufw. see 'man ufw'14:09
jdstrandBilge: because ufw isn't blocking the packets. the kernel is14:09
jdstrandBilge: ufw is just a command to tell the kernel what to do14:09
BilgeYet you can still turn that logging off with ufw logging off?14:09
jdstrandBilge: of course. ufw logging off tells the kernel to not log packets14:10
BilgeSo ideally you would turn kernel logging off and a separate ufw logging loop on14:10
jdstrandBilge: there isn't a way to tell the kernel to log packets, but not use the kern facility14:10
BilgeExcept that such a logging style does not exist14:10
BilgeThis seems like a shortcoming of the implementation to me14:11
Bilge I'll just have to turn the logging off altogether because I am using the earliest version in 8.04 14:11
jdstrandif it is a shortcoming, it is of the linux kernel14:11
BilgeIf it were me, I'd have ufw do its own logging14:12
BilgeIf I wanted it to appear in my syslog I could route it there myself14:12
qman__that's simply not possible due to the way the kernel and netfilter work14:12
jdstrandBilge: the kernel does the logging. there isn't anything ufw can do about that14:13
Bilgeqman__: you mean ufw can't see what is blocked?14:13
qman__no, it can't14:13
BilgeI see14:13
BilgeWell that is a pity14:13
qman__ufw simply configures netfilter14:13
qman__netfilter handles all of that, including packet logs14:13
BilgeSo it is too high level to do its own logging14:13
qman__yes14:13
BilgeBut netfilter is still before the kernel and it can see it14:14
jdstrandBilge: that isn't a limitation of ufw, it is of all firewall frontends on linux14:14
qman__netfilter is _in_ the kernel14:14
qman__so, it's logged through the kernel14:14
qman__you can use syslog to organize the messages14:14
jdstrandBilge: it sounds like you may want to add a specific deny rule to reduce 'spam' in your logs14:15
BilgeNo, I don't want to change the way I use my firewall to influence logging output14:15
jdstrandwell that is fine. but it is an option to turning it off completely14:16
jdstrandfor example, I use:14:16
BilgeAre you suggesting that instead of deny by default I should allow by default14:16
qman__no14:16
BilgeBecause that is a completely different approach14:16
jdstrand sudo ufw deny to 192.168.2.255 port 631 14:16
qman__that you should deny by default AND use a specific deny rule to prevent most of the packets from hitting the default deny14:16
jdstrandBilge: not at all14:16
qman__more specifically, use explicit deny rules for what you don't want logged14:17
BilgeAre only default denies logged?14:17
jdstrandBilge: deny by default. then add your allow rules, then add a deny rule for packets you don't want logged14:17
jdstrandBilge: in 8.04 LTS, yes14:17
jdstrandBilge: well, anything against your default policy14:17
BilgeUnfortunately I can't do that because the ones that are logged are all over the place14:17
jdstrandwhich is in your case, deny14:17
BilgeThey're just people spamming every imaginable port and IP trying to gain access14:17
BilgeSo I have just turned it off now14:18
BilgeI need to be able to see clearly the things that matter in my syslog14:18
jdstrandBilge: then it is an administrative decision of whether you want to monitor those denials. it sounds like you don't and 'ufw logging off' is suitable14:18
BilgeIt should be suitable, yes, but my preference, were it trivial, would have been to just reroute them instead14:18
qman__you can change what gets logged to which files in syslog configuration14:19
BilgeSo that if I ever had issues I could grep something relevant out of it14:19
Bilgeqman__: yes, we started off with that, but save for firewall blocks, kernel messages generally ARE important and SHOULD appear in my syslog!14:19
qman__yes, but you can get more specific than just all kernel messages14:20
BilgeSpecific enough to filter only firewall messages?14:21
BilgeI don't know how you know what the type of message is called14:21
BilgeFor example jdstrand said that kernel messages are of type kern.* but I don't know how you're meant to know this14:22
qman__well, unfortunately you can only filter by log level, so you'd have to find out what level ufw is configuring it to use, and filter that level out into a different file14:23
qman__and there would be no guarantee that no other messages would be caught, hopefully they chose a level with little else14:24
qman__rsyslog contains functionality you could use to pull out the ufw messages specifically14:26
qman__but I don't think the one on 8.04 does14:26
jdstrand qman__: I was not aware of that functionality in rsyslog. I've made a note of it to look at it in the future 14:27
=== andol is now known as andolein
=== andolein is now known as andol
Bilgejdstrand: do you have something to do with the development of ufw?14:34
jdstrandBilge: yes14:36
jdstrandBilge: I am the author14:36
BilgeHaha oh wow14:36
BilgeBy the way, wasn't it yourself that helped me out with replacing my kernel with the stock Ubuntu kernel?14:37
jdstrandI don't recall. possibly14:37
BilgeWell someone suggested I install linux-image-server and edit my boot conf14:38
jdstrandoh. I don't think that was me14:38
BilgeOK14:38
BilgeWell it worked anyway14:38
BilgeMight have been jmarsden, there's a lot of j names that I get confused by14:38
jdstrandmaintaining one's own kernel outside of Ubuntu packaging is a maintenance headache I would advise only in the most extreme circumstances14:39
BilgeI was doing the reverse14:39
BilgeRestoring the stock kernel14:39
BilgeMy provider forces a modified kernel without modules support onto customers14:39
BilgeBecause it is patched with grsec and some other patches that they think are good14:39
jdstrandah. I misunderstood. still doesn't sound familiar, but glad to hear the Ubuntu kernel is working for you14:40
Bilge Well it does work but if I lock myself out of the box and have to do a remote recovery then I have to use one of their kernels again and depending on how much functionality I am relying on from the Ubuntu kernel, things can get into a mess 14:40
BilgeSo the key is not to lock yourself out of the box ;p14:40
jdstrandhehe14:41
BilgeSo about ufw14:41
=== zoopster-afk is now known as zoopster
BilgeI like that I can do allow port/protocol14:41
BilgeBut why can't I do allow to address port/protocol14:41
jdstrandsure you can14:42
BilgeNo, I mean in that format14:42
jdstrandyou just need the extended syntax14:42
jdstrandoh14:42
BilgeThe syntax suddenly becomes so much more verbose14:42
BilgeI don't really see the benefit of having to type really long commands14:42
jdstrandyou don't need to specify everything when using the extended syntax14:42
BilgeNo, I realise that14:42
BilgeBut I can't use the port/protocol format any more14:42
jdstrandthat's true14:43
BilgeIn fact I'd really like to be able to do address:port/protocol14:43
jdstrandthe extended syntax is based on OpenBSD's PF14:43
BilgeAnother problem I have is that I created a rule to permit all udp inbound traffic14:43
Bilge ufw allow proto udp from any 14:44
Bilge But in my udp status, this shows up as: 14:44
Bilge Anywhere                   ALLOW   Anywhere 14:44
BilgeI have absolutely no way of knowing that's only allowing udp traffic14:44
BilgeBut fortunately it does at least work as intended14:44
BilgeI can see that it is set up correctly only by viewing iptables -L or /var/lib/ufw/rules14:45
jdstrandBilge: that is fixed in a later release14:45
jdstrand $ sudo ufw status 14:45
jdstrand ... 14:45
jdstrand Anywhere/udp               ALLOW       Anywhere/udp 14:45
BilgeIs it possible for me to install a newer ufw on 8.04 without messing things up?14:45
jdstrandBilge: yes, but newer versions need iptables 1.4 for certain functionality14:46
BilgeOK but if it finds iptables is not high enough will the other things still work properly14:46
BilgeI mean does it degrade gracefully14:46
jdstrandBilge: ufw will still work and simply tell you that the functionality is not available14:46
BilgeOK, that sounds good14:47
BilgeSo how would I actually get it?14:47
jdstrandBilge: that is the trick14:47
jdstrandyou see, there are tests included in the sources14:47
jdstrandthose tests fail with iptables 1.2 (as in hardy)14:48
Bilge I have 1.3.8 14:48
jdstrandthe ubuntu packaging aborts the build if the tests fail14:48
jdstrand(ah right, forgot, 1.3.8 in hardy, same problem though)14:48
BilgeWell yes it is still pre 1.414:49
BilgeMaybe I could even upgrade iptables as well?14:49
jdstrandso you have to build with 'DEB_BUILD_OPTIONS=nocheck'14:49
jdstrandI do not recommend upgrading iptables on a hardy machine. it is very involved and error prone14:49
BilgeI feared as much14:49
jdstrandit has been long on my todo list to better support iptables 1.3 in the test suite14:50
jdstrandall that said, it is not hard to build your own package:14:50
jdstrand $ sudo apt-get build-dep ufw 14:50
jdstrand $ sudo apt-get source ufw=0.29-4ubuntu1 14:50
jdstrand $ cd ./ufw-0.29 14:51
jdstrand $ DEB_BUILD_OPTIONS=nocheck debuild 14:51
jdstrandof course, you'll need the 9.10 deb-src lines in sources.list for 'apt-get source' to work14:51
BilgeI can get them14:52
jdstrandone of these days, I am going to fix the shortcoming in the test suite so that ufw can be built more easily in hardy-backports14:52
BilgeCan I append them or do I need to replace existing lines14:52
jdstrandactually, the packaging will also need to be adjusted14:52
jdstrandbefore the debuild, you'll need to adjust debian/control from:14:53
jdstrand Depends: debconf, ${python:Depends}, ${misc:Depends}, iptables (>= 1.4.0), ucf 14:54
jdstrand to 14:54
jdstrand Depends: debconf, ${python:Depends}, ${misc:Depends}, ucf 14:54
jdstrandBilge: I also haven't tested the upstart stuff on hardy14:55
jdstrandBilge: you may want the version in jaunty instead14:55
BilgeI don't know what upstart is14:55
jdstrandBilge: upstart is a replacement for sysv init that is used on Ubuntu14:56
jdstrandBilge: ufw in 9.10 uses it14:56
jdstrandufw in 9.04 and earlier uses sysvinit14:56
BilgeOh good, a replacement14:56
BilgeThat sysv stuff did seem a bit crappy14:57
jdstrandupstart has been in Ubuntu for many, many releases14:57
jdstrandbut only lately has it been a priority to get other services to use it14:57
jdstrandit has to do with the boot performance enhancements in 9.1014:57
jdstrandyou could fiddle with debian/rules to not use upstart and build ufw without it14:58
BilgeI look forward to upgrading my distroy when the new LTS arrives next year14:58
Bilgedistro*14:58
jdstrandbut if you aren't comfortable with that, then just use the 9.04 version14:58
BilgeDo you recall if the 9.04 version fixes the bug I mentioned in ufw status?14:59
* jdstrand adds to his todo list to look at ufw backporting on hardy again14:59
jdstrand ufw (0.23) intrepid; urgency=low 14:59
jdstrand* show protocol in status when no ports are specified (LP: #263308)14:59
BilgeFor allowing all inbound udp14:59
Bilge OK so I could even use 8.10 14:59
jdstrandyes15:00
jdstrandI have to go now though15:00
jdstrandhave fun and good luck!15:00
BilgeThanks for your help and time15:00
BilgeCan I publish the steps on a blog or something?15:00
jdstrandsure15:00
BilgeI look forward to the backport15:00
jdstrandplease put appropriate warnings in place and that it isn't officially supported15:00
BilgeOf course15:01
jdstrandwell, I would support it as an upstream, but not in Ubuntu15:01
jdstrandI am definitely interested in bugs in ufw on earlier python versions and iptables15:02
jdstrandanyway, really gotta go15:02
Bilgeupstart sounds really good15:08
UnixDawghey there17:32
UnixDawgI need some help with missing php-extensions17:32
UnixDawg php5-xml php5-json php5-xmlwriter php5-xmlreader php5-posix php5-iconv php5-hash php5-simplexml php5-pcre php5-filter php5-dom php5-session php5-spl 17:32
UnixDawg I need them for my project 17:33
UnixDawg but none are in the repos 17:33
UnixDawganyone alive ?17:35
UnixDawgI have the php 5.2.4 src17:38
UnixDawgbut I need the modules to build for deb17:38
uvirtbot` New bug: #445154 in backuppc (main) "package backuppc 3.1.0-4ubuntu1.1 failed to install/upgrade: subprocess post-installation script returned error exit status 1" [Low,Confirmed] https://launchpad.net/bugs/445154 18:11
aubreheola18:40
aubrehola18:41
[diablo]evening all19:14
[diablo] guys, anyone know if there is LXC support in either 8.10, 9.04 or 9.10 please? 19:15
netbraincan anyone tell me what is going on with xen? is xen being phased out in ubuntu?19:47
jmarsden [diablo]: rmadison lxc shows there is support in karmic:    lxc |    0.6.3-1 | karmic/universe | source, amd64, i386 19:48
jmarsden netbrain: rmadison xen-3.3 seems to show support in karmic:  xen-3.3 | 3.3.0-1ubuntu11 |        karmic | source 19:50
netbrainjmarsden: linux-image-xen?19:53
jmarsdennetbrain: That was only in Hardy, IIRC... the approach to packaging xen has changed since then, I think.19:54
netbrainjmarsden: so xen should actually work better in karmic?19:56
jmarsdenI can't guarantee that :)  But there should still be xen support, as far as I know it is not being "phased out".  Obviously KVM is the officially supported virtualization approach these days, so that gets more attention.19:57
jmarsdenYou may get more detailed info if you ask in #ubuntu-virt19:57
netbrainjmarsden: thank you19:58
jmarsdennetbrain: No problem.19:59
uvirtbot` New bug: #454164 in likewise-open5 (universe) "likewise-open5-eventlog doesn't properly install" [Undecided,New] https://launchpad.net/bugs/454164 20:06
[diablo] jmarsden, sorry back now... mmm but at kernel level, it's patched? 20:10
=== Abracadabr4 is now known as Abracadabra
jmarsden[diablo]: I think you still need to get a Xen dom0 kernel from Debian20:32
[diablo]xen? you think?20:33
[diablo]I read somewhere that LXC was going into the upstream kernel20:34
jmarsdenhttps://help.ubuntu.com/community/Xen points to http://www.chrisk.de/blog/2008/12/how-to-run-xen-in-ubuntu-intrepid-without-compiling-a-kernel-by-yourself/  but that may be slightly out of date now...20:36
jmarsdenLXC... I don't know what the status of getting that into the official kernel source tree is (nor Xen into the official kernel source tree, for that matter).  Would be nice to see :)20:37
[diablo]nod20:37
[diablo]chroot is a touch outdated when you look at the likes of OpenVZ, and LXC etc20:37
[diablo]not saying that it does not suffice for a lot of stuff, but containers can be nicer20:38
[diablo] A guy in ##kernel tells me it's there 20:40
[diablo]nice20:40
UnixDawghey guys21:04
UnixDawgneed some help if you have  a min21:05
=== Abracadabr4 is now known as Abracadabra
jmarsden!ask | UnixDawg21:11
ubottuUnixDawg: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-)21:11
iarpi'm having a problem with LVM, i added 2 hdd's to a volume group and expanded it and it says it's the proper size to go across all drives, but ubuntu server 9.04 still reports the old size22:51
LyonJT What's the equivalent to Active Directory on linux? 22:59
jmarsdeniarp: You may be confusing filesystem size with partition size.  Now you have a large partition you probably need to resize the filesystem to fill it?22:59
iarp jmarsden: i get so lost using lvm, that may be my problem, although i thought lvm would've resized the filesystem 23:01
jmarsden LyonJT: There are several directory services for Linux.  One is the 389 directory service, see http://directory.fedoraproject.org/ 23:01
jmarsdeniarp: Why? lvm itself has no idea what kind of filesystem is there on that chunk of disk space...23:01
iarp i'm somewhat new to ubuntu, what's best to use to expand the filesystem 23:03
LyonJTcheers jmarsden23:05
LyonJT jmarsden: can you run 389 on an ubuntu server or does it have to be fedora 23:06
jmarsdenLyonJT: You can run it on Ubuntu.  I think it is officially packaged for Karmic 9.10, which will be released in a few days, but you can find packages of it for Ubuntu in a PPA.23:07
=== Abracadabr4 is now known as Abracadabra
LyonJTThanks mate23:07
jmarsdeniarp: resize2fs .  See http://www.howtoforge.com/linux_resizing_ext3_partitions for some ideas, although that may be a bit old.23:07
iarpty23:08
jmarsdenLyonJT: No problem.23:08
=== AdamSchackart is now known as PlainFlavored
stashi, anybody using apt-mirror tool?23:49
