[00:03] <lamont> ScottK: hey - got an example build for bug 495564?
[00:03] <lamont> that you haven't already retried, that is....
[00:03] <ScottK> Not sure.  Let me check.
[00:06] <ScottK> lamont: Maybe https://launchpad.net/ubuntu/+source/kdeutils/4:4.3.80-0ubuntu1/+build/1382988
[00:21] <lamont> that looks like the output we've never managed to parse, since it's missing stuff we kinda need
[00:30] <ScottK> lamont: If you can improve the instrumentation to get more data, we've got another KDE upload next week.  That should produce the conditions for this.
[00:34] <lamont> ScottK: the issue is that "but it is not installable" doesn't tell us _why_, or what the corrective action should be.
[00:37] <ScottK> lamont: In these conditions packages used to reliably stay in depwait once they got there to begin with.  IDK what has changed recently.
[00:42] <lamont> ScottK: yeah - what I need to see is what the log looks like in a build with that condition on jaunty, vs on karmic
[00:42] <lamont> rather, karmic vs lucid
[00:42] <lamont> hrm... hardy vs lucid, actually
[01:07] <LyonJT> If i do chmod 777 {folderName} and i want all the files to have the same permissions what do i put?
[01:07] <Ziber> LyonJT: -r
[01:07] <Ziber> or /*
[01:08] <Ziber> either: chmod -R 777 foldername/
[01:08] <Ziber> or chmod 777 foldername/*
[01:10] <twb> Note that you probably don't want files to be executable.
[01:10] <twb> chmod -R a+rwX will make all three octets readable, writable and *maybe* executable.
[01:11] <twb> The uppercase X means that executability is only applied if at least one execute bit is already set.
[01:11] <twb> For example, directories and scripts will go from 755 to 777, but files will go from 644 to 666.
[01:11] <LyonJT> cheers Ziber
[01:12] <twb> Also note that 777 is rarely what you want -- study the meaning of the "sticky" bit for directories, and cf. the permissions on /tmp.
[01:25] <ChrisRut> how secure are user's passwords on Ubuntu-Server? For example is it possible for root to see (in plaintext) the passwd of users on the system?
[01:26] <qman`> no
[01:26] <qman`> passwords are hashed in either md5-crypt or sha256
[01:27] <ChrisRut> isn't md5 cracked (or crackable)?
[01:27] <qman`> sha256 support was added and made default in jaunty
[01:27] <ChrisRut> is there a way to force sha256 on Ubuntu Server 8.04 (hardy)?
[01:27] <qman`> md5 is not cracked, but it is possible to brute force the hashes through rainbow tables
[01:27] <qman`> no
[01:27] <ChrisRut> right, thats what I meant
[01:27] <qman`> it is not supported in hardy
[01:27] <qman`> however
[01:28] <qman`> md5 is still reasonably secure, and the hashes are only readable by root
[01:28] <qman`> so you would have to have a significant compromise first
[01:28] <qman`> before anyone got a shot at your shadow file
[01:28] <qman`> and then they would have to brute force it with a reasonably large cluster for a few months
[01:28] <qman`> providing your passwords are good
[01:28] <qman`> if you have weak passwords, nothing can help you
[01:30] <qman`> if you're concerned about weak passwords, I suggest you brute force it yourself with john the ripper
[01:31] <ChrisRut> k, thanks for the info qman`
[01:32] <twb> qman`: I thought LDAP used SHA1
[01:33] <twb> At least, when using exop
[01:34] <qman`> twb, I don't know about ldap, but the shadow file uses md5
[01:35] <twb> qman`: I was poking re. sha256
[01:35] <twb> ChrisRut: usually a rubber hose is a faster means of getting the passwords.
[01:35] <twb> ChrisRut: and of course with physical access they can do whatever they want
[01:36] <ChrisRut> rubberhose?
[01:36] <qman`> oh, it's actually sha512, my mistake
[01:37] <twb> ChrisRut: http://en.wikipedia.org/wiki/Rubber_hose_cryptanalysis
[01:37] <qman`> # The "sha512" option enables salted SHA512 passwords.  Without this option,
[01:37] <qman`> # the default is Unix crypt.  Prior releases used the option "md5".
[01:37] <qman`> in /etc/pam.d/common-password
[01:37] <ChrisRut> qman`: but that's still only for Jaunty and up right?
[01:37] <qman`> ChrisRut, yes
[01:37] <ChrisRut> :(
[01:38] <ChrisRut> I can't wait for 8.10 (LTS), so that I can start using that.
[01:38] <ChrisRut> err 10.4
[01:38] <qman`> yeah, a lot of great new stuff has come out since 8.04
[01:38] <qman`> definitely looking forward to lucid
[01:39] <ChrisRut> my VPS host only provides LTS images, so 8.10 and up aren't available
[01:40] <twb> !dist-upgrade
[01:40] <twb> !upgrade
[01:41] <ChrisRut> no, can't upgrade... using Virtualmin
[01:41] <ChrisRut> Virtualmin doesn't play nice with non-LTS ubuntu
[01:42] <twb> ChrisRut: sorry, I'm abusing the channel to talk to ubottu
[01:42] <ChrisRut> ohh,you weren't talking to me?
[01:43] <twb> ChrisRut: correct
[01:43] <ChrisRut> ohh my bad
[01:44] <ChrisRut> well, thx for the help qman I appreciate it.
[01:44] <qman`> no problem
[02:07] <Rezagrats> Is there no torrent for server 9.01 amd64 ?
[02:07] <Rezagrats> 9.10*
[02:08] <twb> Rezagrats: why not just do a minimal install, then use apt-bittorrent?
[02:09] <Rezagrats> Twb, i was asking if there was a torrent for amd64 9.10 server edition... 'cause 30KB/s is lame.
[02:09] <twb> Rezagrats: you only need to download 15MB to do the base install
[02:09] <Rezagrats> For the server ?
[02:09] <twb> For anything.
[02:10] <Rezagrats> Link...
[02:10] <twb> Hm, I suppose you'd probably need another 100MB or so over pure HTTP before you could use apt-bittorrent -- I don't think it's supported within d-i.
[02:10] <twb> !mini.iso
[02:11] <twb> Wow, that even has normal links.  I usually just dig it out of dist/main/installer-$arch
[02:11] <Rezagrats> When does 8.04's support end?
[02:11] <twb> Rezagrats: different packages have different support lengths.
[02:12] <Rezagrats> Right, but iirc, 8.04 was the extended support.
[02:12] <twb> http://bazaar.launchpad.net/%7Enijaba/ubuntu-maintenance-check/trunk/ will tell you about individual packages.
[02:13] <twb> 8.04(Hardy Heron)-Maint.til:Ubuntu->2011-04,Server->2013-04,Kubuntu->2009-10
[02:14] <twb> Dunno if that extends to packages in universe.
[02:29] <twb> It appears that universe doesn't get support
[02:29] <twb> At least according to u-m-c
[02:30] <jmarsden> twb: That's what I thought, only main is really really officially supported.
[02:30] <twb> jmarsden: yeah, some cowboy tried to tell me different a while back
[03:10] <thewrath> can someone verify that this is right and what directory that ssl sites need to be put in? http://pastebin.com/m18516607
[03:12] <qman`> thewrath, ssl sites can be placed wherever you want them
[03:13] <qman`> I don't see anything wrong with that configuration off-hand, provided that the files and directories you've specified exist and there isn't an apparmor profile in the way
[03:15] <thewrath> k
[03:15] <thewrath> yea i have it setup that only certain directories are ssl
[03:16] <LizardK|ng> is there anything like DVDecrypt for Ubuntu?
[03:17] <thewrath> qman`: it just gives me the indexing
[03:17] <qman`> I don't know what that is, but if you're looking to decrypt DVDs, libdvdread is what you want
[03:17] <thewrath> even though in /var/www-ssl/html i have a index.php and /var/www-ssl i have a index.php
[03:17] <qman`> thewrath, is php installed and working otherwise?
[03:17] <thewrath> yes
[03:18] <thewrath> it does not even list any files
[03:22] <qman`> so an index.php works on another site configuration?
[03:22] <qman`> because I just tested it, and it doesn't require any special permissions
[03:23] <thewrath> got it working
[03:25] <thewrath>  how do i set up for phpmyadmin to only work in https and not http
[03:48] <fbdystang> Hi all! I have samba working on a windows network. I have some questions about samba's print server. Where can the printer be connected? A windows computer over USB, linux server, network? How can I install the printer drivers into the server (maybe CUPS)? Thanks in advance ;)
[04:04] <micahg> Is there an easy way to make logcheck not report on cron entries like it used to not do?
[04:05] <twb> micahg: install logcheck-database?
[04:06] <twb> Set your monitoring level appropriately (e.g. workstation vs. server)?
[04:06] <twb> Write appropriate whitelisting entries?
[04:08] <micahg> thanks twb, seems like I might have to edit the rules a little...
[04:53] <fbdystang> How do I install an HP printer on my ubuntu server from command line? thanks
[04:55] <twb> fbdystang: sensible-browser https://127.0.0.1:631/
[04:58] <fbdystang> what is that? it says the connection is untrusted?
[05:00] <AtomicSpark> fbdystang: it's CUPS.
[05:00] <AtomicSpark> you do not have a ssl cert installed, so it's marked untrusted.
[05:01] <AtomicSpark> view the cert, and allow it :)
[05:02] <fbdystang> I already have cups installed, but it is command line, not gnome, how do I install from command line?
[05:02] <AtomicSpark> fbdystang: that's cups web interface.
[05:02] <AtomicSpark> You can also go to http://localhost:631/
[05:03] <fbdystang> gotcha
[05:03] <AtomicSpark> hidden cups magic <3
[05:03] <fbdystang> NICE, that's local?
[05:04] <AtomicSpark> Yes.
[05:04] <AtomicSpark> To enable other computers to access the "print server" you need to edit the cups config file and allow other IP addresses.
[05:04] <fbdystang> Dude, that's awesome you're the man.
[05:04] <fbdystang> yea, I tried that but to no avail
[05:05] <AtomicSpark> If you change it, you need to reload the cups configuration.
[05:05] <fbdystang> do you mean restart cups?
[05:06] <AtomicSpark> sudo /etc/init.d/cups reload
[05:06] <AtomicSpark> if that doesn't work, use restart instead.
[05:06] <AtomicSpark> reload reloads the configs without breaking connections. tis good on production servers.
[05:06] <AtomicSpark> but i'm not sure if everything supports it. most docs just tell you to restart.
[05:07] <fbdystang> OH, this is just a little old pc that I loaded ubuntu server on to play around with
[05:07] <AtomicSpark> if you're on a newer version of ubuntu, you can 'sudo service cups reload' instead. which is handy.
[05:07] <fbdystang> not a production server
[05:07] <fbdystang> yea, its 9.10
[05:07] <AtomicSpark> but i believe hardy didn't have that. maybe intrepid added it.
[05:07] <AtomicSpark> i actually can only get hardy installed on my proliant, which is why i'm in here. waiting for failure, so i can bug people ;)
[05:08] <fbdystang> haha, nice
[05:09] <AtomicSpark> right now it's being silly and not showing me the keyboard shortcut to get into the array menu because it's low on battery.
[05:09] <AtomicSpark> C-m mayhaps.
[05:09] <fbdystang> OK, so it is asking for a username and password, what is it?
[05:09] <tele9> do you really have to give your correct name and address to an registrar as long as you pay? I understand that you don't technically own a domain if it's not your correct name, however, you could write to the registrar that your name/address changed at a later point in time and give them your real name, if it is really necessary. what do you think?
[05:12] <fbdystang> AtomicSpark: you there?
[05:14] <AtomicSpark> fbdystang: sort of
[05:14] <AtomicSpark> tele9: depends. i'm pretty sure in the us, that would be fraud.
[05:15] <AtomicSpark> tele9: a lot of domain registrars have some sort of... privacy option.
[05:15] <AtomicSpark> tele9: i like nearlyfreespeech.net
[05:15] <AtomicSpark> but it's a pain to pay. no automation.
[05:16] <tele9> AtomicSpark: I'd be also pleased with a service that takes my real name, but doesn't publish it in a whois database. I just want to have something that prevents every idiot on this planet from seeing my private address in a WHOIS. only authorities should be able to see it, no one else.
[05:16] <fbdystang> AtomicSpark: when you get a sec, i am trying to figure out how to log in with a password to CUPS. thanks
[05:16] <AtomicSpark> tele9: yes, nearlyfreespeech has something like that. it costs a penny a day. i'm sure other places have a service like it.
[05:17] <AtomicSpark> tele9: they basically use their info for the whois and any mail you get, they shred.
[05:17] <tele9> AtomicSpark: but I don't own the domain then anymore, do I? according to ICANN, the name in the WHOIS database owns the domain.
[05:17] <AtomicSpark> tele9: you really never own it.
[05:18] <AtomicSpark> tele9: late on one payment, and you're screwed :(
[05:18] <twb> tele9: trying to "hide" your email address from the internet is futile
[05:18] <AtomicSpark> fbdystang: looks like it prompts you using html auth when you try to click a button on this page http://localhost:631/admin
[05:18] <tele9> AtomicSpark: talking about experience?
[05:19] <tele9> twb: not so worried about my email...
[05:19] <twb> tele9: oh, you mean your postal address?
[05:19] <AtomicSpark> tele9: Yes. They charged me $30 to "save" my domain.
[05:19] <tele9> twb: yes.
[05:19] <twb> Meh.
[05:19] <AtomicSpark> tele9: i believe you can customize the whois for nearlyfreespeech. i forget.
[05:19] <twb> You mean that people actually post shit to your apartment because you happen to have it in WHOIS?
[05:19] <AtomicSpark> tele9: like you can just have their address, but keep your name.
[05:20] <fbdystang> AtomicSpark: exactly, is there a standard root password for the thing?
[05:20] <AtomicSpark> fbdystang: my administrator account works for it.
[05:20] <AtomicSpark> fbdystang: so maybe anyone with sudo access?
[05:20] <AtomicSpark> fbdystang: we dont root on ubuntu :P
[05:21] <AtomicSpark> hold on, my server keeps rebooting and it's annoying.
[05:21] <fbdystang> AtomicSpark: I know, like everything else with ubuntu though, ....ok, I tried with sudo and it didn't work :(
[05:22] <AtomicSpark> fbdystang: tried what with sudo?
[05:22] <AtomicSpark> fbdystang: just enter in *your* username and password when it prompts you.
[05:22] <AtomicSpark> haha! i tried to boot off a blank cd :\
[05:22] <fbdystang> AtomicSpark: yea that's what I meant, it didn't work
[05:22] <fbdystang> NICE
[05:22] <AtomicSpark> you sidetracked me and i never got around to burning ubuntu server.
[05:22] <fbdystang> haha sorry
[05:23] <AtomicSpark> or... it failed to burn. interesting.
[05:23] <fbdystang> what burner you running?
[05:24] <tele9> twb: yup, or do even more. identity theft, etc...
[05:24] <AtomicSpark> ...
[05:24] <AtomicSpark> welp, my desktop asploded. bbl.
[05:25] <fbdystang> ouch
[05:25] <twb> tele9: if you can afford a domain name, you can probably afford a few more dollars for a PO box
[05:26] <twb> Or just abuse your office address or something :-)
[05:26] <tele9> twb: are PO boxes allowed? I don't think so... but a whois guard sounds good to me.
[05:26] <twb> tele9: dunno
[05:27] <twb> I stick to dyndns names because I don't give a shit about my TLD suffix
[05:27] <twb> That and I am poor
[05:27] <twb> $1/mo would mean doing twice as much work
[05:29] <tele9> lol
[05:35] <fbdystang> I have an old HP printer connected to a windows computer which is on the network in samba. Can this printer be connected to the network and printed on by others?
[05:36] <fbdystang> I mean can it be seen by CUPS and my ubuntu server?
[05:36] <AtomicSpark> Yes
[05:36] <fbdystang> REally? how?
[05:37] <fbdystang> I am in the cups webpage admin now
[05:37] <AtomicSpark> I'm not sure.
[05:37] <fbdystang> do I have to log into the web page from that specific windows computer?
[05:37] <AtomicSpark> No.
[05:38] <AtomicSpark> Do you have an option under "other network printers" for Windows Printer via SAMBA?
[05:38] <AtomicSpark> If not, then samba support isn't installed by default on a server and I haven't done that before. Probably just a simple samba-client thing.
[05:38] <fbdystang> yea, "Windows Printer via SAMBA"
[05:39] <AtomicSpark> Wonderful.
[05:39] <fbdystang> I have samba installed, btw did you get your desktop working correctly?
[05:39] <AtomicSpark> So you should be able to use that to add your shared printer on your windows machine.
[05:40] <AtomicSpark> Then other computers can technically use your linux server to print.
[05:40] <tele9> now that I have found a good registrar, what are good name server hosting companies?
[05:40] <AtomicSpark> Here are the docs https://help.ubuntu.com/9.10/serverguide/C/cups.html
[05:40] <AtomicSpark> tele9: i use my registrar. do you have a website? what kind of host? if it's dedicated or vps, you could set your own dns up ;)
[05:41] <tele9> AtomicSpark: setting your own dns up on your vps or dedicated is usually not a good idea. I'd like to keep registrar, name server and web hosting separate.
[05:42] <fbdystang> Right, I have read that. I just am not sure how CUPS will see it because the printer is only attached to windows through a usb, not shared
[05:42] <AtomicSpark> well linode also provides dns. separate from your vpn.
[05:42] <fbdystang> yet the doc says it will
[05:42] <AtomicSpark> fbdystang: get on your windows machine and share the printer! :)
[05:42] <AtomicSpark> fbdystang: just like you'd share a file or folder.
[05:42] <AtomicSpark> right click, sharing and security, etc.
[05:43] <fbdystang> OK, never done that but I will try
[05:43]  * AtomicSpark downloads karmic iso
[05:44] <AtomicSpark> oh, by the way, where would I file a "bug" about the server info section of ubuntu.com? who maintains it?
[05:44] <AtomicSpark> not having a link to the torrent or other files is :\
[05:45] <fbdystang> I could have sworn I got it from a link a couple of days ago
[05:47] <AtomicSpark> There is a link on the "desktop" pages.
[05:48] <AtomicSpark> compare: http://www.ubuntu.com/GetUbuntu/download http://www.ubuntu.com/getubuntu/download-server
[05:48] <AtomicSpark> under alternative download options of the first link, you can go to torrents, which list the server.
[05:50] <AtomicSpark> at least they had the sense to push 64bit on the server <3
[05:50] <fbdystang> I noticed that :)
[05:51] <AtomicSpark> 08r2 is 64bit only. :3
[05:51] <fbdystang> both pages give same options
[05:51] <fbdystang> I am not seeing what you are talking about
[05:52] <AtomicSpark> First link has "Other download options" section and links?
[05:52] <AtomicSpark> under the version choices.
[05:53] <AtomicSpark> second link just goes on about cloud computings. :P
[05:55] <twb> "Little Johnny just loves to compute his cloud!  It sure is swell!"
[05:56] <fbdystang> AtomicSpark: No, right below the download location is "alternative download options" which you click on and get the options
[05:57] <fbdystang> there you can switch between 64 32 and 8.04LTS and 9.10
[05:58] <qman`> yes, but there is no link to the torrents
[05:58] <qman`> that is what he's getting at
[05:58] <fbdystang> ok agreed
[05:59] <AtomicSpark> fbdystang:)
[06:00] <AtomicSpark> Happy tomorrow!
[06:00] <qman`> I recall having some trouble finding what I wanted this time around, too
[06:01] <qman`> ended up finding a mirror and browsing the files manually
[06:01] <qman`> I realize they're trying to simplify the page for new users, but that's no excuse for removing important links altogether IMO
[06:03] <AtomicSpark> Anyways, hopefully the karmic server installs and I wont have to grumble about grub failures. :)
[06:03] <fbdystang> why not just download direct?
[06:03] <fbdystang> it has grub2 now :)
[06:03] <AtomicSpark> Torrents are good mmk.
[06:03] <qman`> this time of year, no reason not to download direct
[06:03] <qman`> but around launch time, torrents are the only way you'll ever get it
[06:03] <AtomicSpark> Well, I like saving ubuntu money :)
[06:03] <fbdystang> :)
[06:10] <twb> IMO better to download from your local university or ISP mirror
[06:10] <AtomicSpark> Yeah.
[06:11] <AtomicSpark> My ISP doesnt do that.
[06:11] <AtomicSpark> And neither does my college.
[06:11] <twb> Replace them
[06:11] <AtomicSpark> This is the US, we have monopolies
[06:11] <twb> Replace your nation-state
[06:11] <twb> Your constitution even guarantees you the right to do so
[06:12] <qman`> our constitution guarantees a lot of things
[06:12] <qman`> but right now we have some socialists running the place and ignoring it
[06:12] <qman`> give it time
[06:12] <fbdystang> there has to be a university around that does
[06:12] <AtomicSpark> Also, there will be an option soon, i believe it's like "do you want to activate the scusi array" (at least it did in intrepix). I have a real array controller and it's setup to manage it. Do I say yes or no? What does this do exactly?
[06:12] <AtomicSpark> Debian installer isn't very... explaining.
[06:13] <AtomicSpark> s/scusi/scsi
[07:09] <fbdystang> How do I connect CUPS to a shared windows printer?
[07:14] <twb> qman`: it's quaint how you consider socialism to be a BAD thing.
[07:29] <AtomicSpark> Did something change in Karmic? I have my RSA public key in authorized_keys on my server and when logging in, it still prompts for my password and not passphrase. I even recreated my key and used seahorse's wizard. :\
[07:39] <twb> AtomicSpark: ask /var/log/auth.log on the server
[07:39] <twb> AtomicSpark: probably you have incorrect permissions on a relevant file or directory
[07:40] <AtomicSpark> ssh -vv claims my key is failing. not sure why. permissions are intact. debugging in -ot
[07:40] <twb> AtomicSpark: do what I told you
[07:41] <twb> AtomicSpark: the ssh client CANNOT tell you what is wrong
[07:41] <AtomicSpark> Dec 14 01:41:16 proliant sshd[2317]: Error attempting to add filename encryption key to user session keyring; rc = [1]
[07:42] <twb> I don't know what that means.
[07:42] <AtomicSpark> Me either.
[07:42] <AtomicSpark> :P
[07:42] <twb> Maybe your authorized_keys file contains gibberish?
[07:42] <twb> Increase sshd's debugging and restart it
[07:43] <AtomicSpark> One would hope not, i used a fresh .ssh/ dir and seahorse. :\
[07:43] <AtomicSpark> Nevermind, #361984
[07:43] <AtomicSpark> https://bugs.launchpad.net/ubuntu/+bug/361984
[07:44] <AtomicSpark> There's a bot for that. Cute.
[07:45] <AtomicSpark> Well that bug fails, but obvious reason is obvious.
[07:45] <AtomicSpark> My home directory is encrypted, it cant read .ssh if it's not there.
[07:45] <AtomicSpark> So I'll have to put my key into the /etc version.
[07:47] <AtomicSpark> Well that wont work either. Nevermind.
[08:12] <pltn> hello! does anybody have any advice on what to read about configuring samba4 on ubuntu 9.10 as a domain controller?
[08:15] <twb> Samba 4 hasn't been released by the Samba developers.
[08:16] <pltn> but "sudo apt-get install samba4" works
[08:16] <twb> There appear to be alpha builds in Intrepid onwards, but you'd be mad to deploy alpha software in a production environment.
[08:16] <pltn> hm...
[08:29] <qman`> twb, since this isn't #politics, I won't really get into it, but I hold freedom and individual rights above all else, and socialism flies in the face of that
[08:31] <jiboumans> good morning
[08:33] <qman`> a good morning indeed, going quite nicely here :)
[08:49] <jiboumans> ttx++ # fixer of bugs
[09:42] <persia> Would this be a good forum to ask questions about etckeeper default config?
[10:12] <jiboumans> persia: if we have the answer, we'll happily give it to you. so go ahead and ask
[10:13] <persia> heh.
[10:13] <persia> So, I use lvm on most of my systems, and end up creating and destroying volumes fairly regularly (snapshots).
[10:14] <persia> etckeeper tries to keep track of all of this, which strikes me as noise, but I'm not sure everyone would perceive it that way.
[10:15] <persia> So I wondered about the feasibility of dropping inclusion of /etc/lvm/backup/* or if someone had a good usecase to keep it.
[10:16] <persia> (but I'm somewhat uncertain if this is really a server thing, or more general)
[10:20] <jiboumans> persia: i'm not sure about best practice in this case. a quick google shows this: http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/82dcdcac33766359
[10:21] <persia> There's also inherently transient stuff like /etc/resolv.conf.  The trick is making sure the default ignore list is correct.  I'm sure everyone has pet stuff they add as an admin, but I'm less confident when it comes to making a change that affects everyone.
[10:22] <persia> Alternately, one could make the argument that some of that stuff doesn't belong there at all :)
[10:40] <Belgarath> anybody know what is the status on xen support in karmic kernels ?
[10:41] <persia> A couple weeks ago I heard it didn't work, but that is unverified hearsay.
[10:52] <Belgarath> persia: it is verified
[10:52] <Belgarath> :P
[10:52] <Belgarath> there is no xen support compiled in the -virtual kernel
[10:53] <Belgarath> and you cannot use older host kernels anymore
[10:53] <Belgarath> due to some changes in mountall
[10:53] <Belgarath> which require newer kernel to be present
[10:55] <persia> Belgarath: I believe the issue was that not enough developers were working on Xen.  If you use it, and you'd be up for making sure it works, I'm sure that it could come back for lucid.
[10:57] <Belgarath> persia: ok, I am following the bug in the launchpad
[10:57] <Belgarath> what more can I do?
[10:59] <persia> Not being someone who understands the Xen stack, I'm not sure precisely.
[10:59] <persia> But submitting patches that would make it work, etc. tends to be a good place to start.
[10:59] <persia> Perhaps someone more familiar with Xen can comment on how you can help in more detail.
[10:59] <twb> triaging bug reports is also a good way to get started
[11:00] <persia> Indeed.
[11:01] <Daviey> IMO Xen needs some serious QA.
[11:02] <Daviey> Currently it receives little, if any
[11:02] <Daviey> Especially as most issues get raised post-release.
[11:02] <Daviey> such as not having a usable kernel :)
[11:02] <Daviey> kernel oops generating locale in chroot.
[11:07] <Belgarath> Daviey: to be honest I wouldn't even notice this
[11:08] <Belgarath> but karmic requires a newer kernel than my host has
[11:08] <Belgarath> and I wanted to use the guest kernel rather than host to boot it up
[11:08] <Belgarath> maybe that is why these things do not get attention
[12:18] <PC_Nerd101> Hi,  I'm looking to have a number of server installations on a private network -  all running identical installations including packages etc.  Is there any way to set up a mirror that only downloads and updates those packages which are requested through it from the LAN...ie-  it doesn't store all 220 og GB, just the few packages that it is requested of?
[12:21] <jiboumans> PC_Nerd101: this forum thread has some great pointers: http://ubuntuforums.org/showthread.php?t=123640
[12:21] <jiboumans> basically, 'yes you can' and that thread shows 3 or so ways that might be useful to you
[12:34] <dru> hey people....this is a rtfm question: a 0700 filepermission is viewable by the user or is there something im missing here
[12:35] <jpds> dru: It is.
[12:36] <dru> im still trying to make samba users folders inaccessible to other users. according to the man samba inherits the filepermissions used by the system. meaning that a file with a 0700 permission shouldn't be viewable to other users. I must be missing something
[12:38] <soren> dru: "viewable" is slightly ambiguous.
[12:38] <soren> dru: Other users can /see/ the file. They just can't open it and see its contents.
[12:40] <PC_Nerd101> jiboumans: Thanks - I'll look into it :)
[12:41] <dru> can I use "." to make files invisible?
[12:48] <dru> k scratch that
[12:54] <zul> morning
[12:55] <jiboumans> morning zul
[12:55] <zul> hey jiboumans
[12:55] <jiboumans> zul: i think we got the needed feedback on server-lucid-improve-testcases
[12:55] <jiboumans> probably time for a 2nd pass
[12:57] <zul> jiboumans: sure ill take a look at it today
[12:57] <jiboumans> thanks zul
[12:57] <zul> jiboumans: just trying to wake up ;)
[12:57] <jiboumans> zul.insert( coffee )
[12:58] <zul> jiboumans: dude I was surrounded by coffee fields when I grew up...hate the stuff
[12:58] <jiboumans> zul: ok, jumping face first in the snow may have the same effect, if you prefer
[12:59] <zul> jiboumans: meh...im indifferent to it
[13:11] <jiboumans> zul: let us know how the landscape code drop comes along as well please
[13:11] <zul> jiboumans: will do
[13:50] <zul> what do people think about putting php 5.3 in universe?
[13:53] <sommer> +1
[13:58] <soren> zul: Would that leave another version of php in main?
[13:59] <zul> soren: yeah the 5.2.11
[13:59] <soren> zul: There's a separate source package for php 5.3?
[14:00] <zul> soren: i believe so I thought I would throw the idea against the wall and see what people would say
[14:00] <soren> zul: I don't understand the proposition, then. What's so bad about php 5.3 that we prefer 5.2 over it?
[14:01] <soren> fwiw, I don't see this other source package. What's it called?
[14:01] <zul> soren: its still in debian experimental and its not well maintained by debian yet
[14:01] <zul> oh wait it isn't a separate source package
[14:01] <zul> nm :)
[14:10] <smoser> good morning all.
[14:11] <smoser> soren, zul ttx, could one of you
[14:11] <Cromulent> afternoon
[14:11] <smoser> a.) accept nomination for karmic for bug 494185
[14:11] <smoser> b.) sponsor it for lucid
[14:12] <zul> smoser: i can do it
[14:12] <zul> but it will cost you your first born
[14:13] <zul> just kidding
[14:13] <smoser> zul, thanks. the lucid isn't all that important, as I expect to be working on ec2-init heavily this week, but please accept the karmic proposal
[14:13] <smoser> zul, and be careful what you wish for on the first born thing
[14:14] <smoser> i would have thought you'd have learned in the past 2 years that that isn't that smart of a request.
[14:15] <zul> smoser: i would have placed an advert on ebay ;)
[14:16] <smoser> ah.
[14:17] <zul> smoser: so you want that debdiff in its entirety?
[14:17] <smoser> yeah, are you questioning the 'include' ?
[14:17] <smoser>    simple-patchsys.mk ?
[14:17] <zul> no the debian/changelog
[14:17] <smoser> i added that because as it is right now there is no patch system for ec2-init in karmic.
[14:17] <zul> its still for karmic
[14:18] <smoser> and i wanted the hardy to be easily based off the karmic
[14:18] <zul> but im uploading that for lucid
[14:18] <smoser> karmic == lucid right now.
[14:18] <smoser> so lucid isn't that important, but sure.
[14:18] <zul> gotcha
[14:22] <zul> done
[14:29] <ttx_> smoser: how would the karmic SRU affect the cloud images ?
[14:31] <ttx> smoser: it would get caught in a future image respin ?
[14:33] <zul> smoser: also why did you add simple-patchsys.mk?
[14:43] <smoser> ttx, yes, karmic sru affect cloud images. it would get caught in future respin by design
[14:43] <ttx> smoser: ok
[14:44] <smoser> zul, i said why i added the patchsys.mk above, but here again... i did it because right now the hardy deb is based on the karmic and the karmic has no patchsys at all
[14:44] <smoser> so, in the hardy , i have some patches that "hardy-ify" the karmic deb, and they're done via simple-patchsys.
[14:45] <zul> smoser: ttx and I just wanted to clear that up
[14:45] <smoser> you can see that diff at https://launchpad.net/~ubuntu-on-ec2/+archive/ppa/+packages
[14:45] <zul> gotcha
[14:45] <smoser> the goal was that a diff of hardy and karmic debs would show only the hardy changes
[14:46] <smoser> and those would be in patches as patchsys
[14:48] <smoser> ttx, zul what do i need to do next to get it into karmic?
[14:49] <zul> smoser: file an SRU request
[14:49] <zul> lemme pull that up for you
[14:50] <zul> https://wiki.ubuntu.com/StableReleaseUpdates
[14:50] <smoser> ok
[15:23] <freakynl> hi, can i run php 5.1.x on ubuntu 8.0.4? (is it in repository)? we upgraded a webserver and 3 sites don't run on php 5.2.x. i need to temporarily create an additional server with a php 5.1.x version
[15:29] <soren> freakynl: The only currently supported version of Ubuntu that shipped with php 5.1.x is dapper.
[15:31] <freakynl> soren: thx :) dapper is 7.04 i presume then so -server has security updates until april?
[15:32] <freakynl> oe 6.06 lts then
[15:33] <ScottK> freakynl: Server LTS support is 5 years, so until June 2011
[15:34] <freakynl> that should be plenty of time to have them update their old typo3 install... it's giving me serious headaches. restored it in the same way about 15 times and only worked twice (the front-end that is the back-end is always broken can't save new content)
[15:34] <Doonz> hey guys im trying to download VMware server 2.0 for ubuntu server. Does anyone know of the direct download link for the file?
[15:35] <freakynl> i find it extremely hmm 'surprising' the same backup only works some times. once i had it running and with no changes it just stopped a day later :/
[15:35] <freakynl> Doonz: afaik it's behind a wrapper that checks session id
[15:35] <Doonz> yeah how can i download it using elinks or wget
[15:35] <freakynl> Doonz: no session id == no download. i tried to download it with wget a couple of times
[15:35] <Doonz> fuck sakes
[15:35] <freakynl> Doonz: don't know how handy you are...
[15:36] <freakynl> Doonz: i got it working once. in wget you can pass a cookies file. i exported it from my browser and copied it over to the server then used it
[15:36] <freakynl> if they added ip check in the mean time it won't work tho'
[15:36] <Doonz> I'll just bitch at their sales department
[15:37] <freakynl> Doonz: i don't think you'll make much of an impression as a free user :)
[15:37] <Doonz> Naw it was for proof of concept
[15:37] <Doonz> we were looking at 3million datacenter
[15:37] <freakynl> Doonz: esxi is nicer :)
[15:37] <Doonz> yeah but i need to keep it simple
[15:38] <Doonz> i still need the ok from management who only understand buzz words
[15:38] <freakynl> oh throw in some: power savings, consolidation, ha, vmotion (nice for hardware maintenance) they should be shaking hehe
[15:38] <Doonz> pretty much
[15:41] <freakynl> ScottK: thx :)
[15:47] <MatBoy> damn sudo sucks for scp
[15:50] <smoser> MatBoy, why?
[15:50] <smoser> (scp in general sucks for lots of things)
[15:50] <MatBoy> smoser: I need ssh keys to copy files :S
[15:50] <cjwatson> so use scp -i
[15:50] <MatBoy> you just can't scp a config file with sudo
[15:50] <MatBoy> scp is nice
[15:51] <MatBoy> keys is nicer
[15:51] <MatBoy> also with scripting
[15:51] <smoser> what are you trying to do ?
[15:52] <MatBoy> just SCP-ing some files, that is possible in different ways but I need to use some script for it in the future so keys are nicer than
[15:53] <smoser> kirkland, what options do you give to the installer to do an install in console mode ? i remember you talking about driving that "blind" with cjwatson at uds
[15:54] <cjwatson> MatBoy: you can supply a specific key to scp using the -i option
[15:54] <raked> hello......
[15:54] <smoser> MatBoy, so 'sudo scp user@host:/path/to/file .' ? and that is not respecting keys of current user or root?
[15:55] <cjwatson> MatBoy: this should be enough to cope with scp's default search algorithm not finding your keys because its home directory is different
[15:55] <MatBoy> smoser: your way does not have the good rights
[15:55] <MatBoy> on the target
[15:55] <cjwatson> is the problem keys, or file permissions?
[15:55] <cjwatson> you're not being very clear I'm afraid
[15:55] <kirkland> smoser: well, you have to add "fb=0" on the kernel boot line
[15:56] <smoser> MatBoy, could you give the command that you're running and whats not working ?
[15:56] <smoser> kirkland, thanks. thats what i needed.
[15:56] <kirkland> smoser: this might help if you want that by default:
[15:56] <MatBoy> cjwatson: the permissions for sure but I need to copy files anyway in the future without any password that I want to have in my scripts :) so keys are better
[15:56] <kirkland> smoser: sed -i "s/initrd.gz quiet --/initrd.gz fb=0 -- /" foo.iso
[15:56] <cjwatson> kirkland: technically, isn't that fb=false?
[15:56] <kirkland> cjwatson: i managed to get it working with fb=0
[15:57] <cjwatson> kirkland: undefined behaviour :)
[15:57] <cjwatson> MatBoy: I've given you a solution to your keys problem, I believe
[15:57] <kirkland> cjwatson: heh, well, i wanted that sed line to replace an exact number of characters
[15:57] <kirkland> cjwatson: and fb=false overruns the buffer :-)
[15:58] <kirkland> cjwatson: but it seems to work
[15:58] <cjwatson> ok, just don't be surprised if it breaks in the future ...
[15:58] <kirkland> cjwatson: sed'ing the ISO, though, is undefined/unsupported behavior too
[15:58] <cjwatson> yes, but (amazingly) perhaps less so
[15:58] <kirkland> cjwatson: point me to the code, and I'll make sure that fb=0|fb=false works
[16:02] <cjwatson> kirkland: I'd prefer you didn't. any value other than 'true' and 'false' is firmly out of spec for debconf booleans
[16:02] <kirkland> cjwatson: okay
[16:02] <cjwatson> it happens that currently the test is '= true', but in the future it's just as entitled to be '!= false' if that happens to be more convenient for somebody's code
[16:03] <kirkland> cjwatson: could we revisit a better mechanism for optionally turning the fb off in the server installer?
[16:03] <cjwatson> at some point when I am doing nothing else, maybe ;)
[16:03] <cjwatson> you have something which works for now
[16:03] <kirkland> smoser: okay, see cjwatson's comments, that should be fb=false, rather than fb=0
[16:12] <TeTeT> is there a limit on the number of instances per cluster in UEC? Or is it infinite?
[16:38] <TeTeT> kirkland: ^ any idea?
[16:39] <kirkland> TeTeT: it's a configurable setting, function of how many cores per Node
[16:39] <kirkland> TeTeT: by default, it's 1 instance per core per node
[16:39] <kirkland> TeTeT: so if you have 10 nodes, each with 8 CPUs, it's 80 instances
[16:39] <kirkland> TeTeT: (sort of)
[16:39] <kirkland> TeTeT: you can change MAX_CORES in the /etc/eucalyptus/eucalyptus.conf on the CC
[16:40] <kirkland> TeTeT: *however* ...
[16:40] <TeTeT> kirkland: argh, wrong question, I wanted to ask about nodes per cluster, sorry
[16:40] <kirkland> TeTeT: oh
[16:40] <kirkland> TeTeT: there's technically no limit, however, you need to consider your IP address space
[16:41] <kirkland> TeTeT: if you're doing regular /24 subnets, you can't do more than 255 VM instances per cluster (CC)
[16:41] <kirkland> TeTeT: and the number of instance is a function of your CPUs (see above)
[16:42] <kirkland> TeTeT: i recommend keeping it to <255 instances per cluster
[16:42] <kirkland> TeTeT: so take 255 / #_of_cpus => that should give you the number of recommended nodes
[16:42] <Daviey> kirkland: What happens if MAX_CORES=0 ?
[16:42] <kirkland> TeTeT: if you want more than that, you need to reconfigure your IP networking to handle a bigger subnet
[16:43] <lau> hello what is the purpose of the mail group in /etc/group ?
[16:43] <kirkland> Daviey: dunno ... I suspect that your cluster then serves no instances :-)
[16:43] <Daviey> kirkland: awesome :)
[16:45] <rickspencer3> smoser, thanks for the desktop in the cloud work!!
[16:45] <rickspencer3> I'll check it out as soon as I get a chance
[16:45] <smoser> good deal
[16:45] <TopKatz> hello - I'm using a hardware raid card. I'm wondering how I'm supposed to handle a kernel/header upgrade with the card's drivers. Right now I reboot the system after update, and have to reinstall the drivers, using make install. I feel I'm doing this wrong, as the raid has to come up with no drivers first. Can I just do the make install before reboot, but after header update. Should the make install build against the new header
[16:45] <TopKatz> before reboot?
[16:46] <TeTeT> kirkland: thanks
[16:46] <kirkland> TeTeT: np
[16:48] <TeTeT> kirkland: is the cc issuing the wake up for powersave or the clc?
[16:50] <kirkland> TeTeT: CC
[16:50] <kirkland> TeTeT: each CC can have a different scheduling policy, actually
[16:50] <kirkland> TeTeT: ROUNDROBIN | GREEDY | POWERSAVE
[16:51] <TeTeT> kirkland: ok
[16:51] <kirkland> TeTeT: we played with this quite a bit last week; worked pretty well
[16:54] <TeTeT> kirkland: great to read :)
[17:04] <TeTeT> kirkland: would love to know how to separate the cc and clc. but i guess it will be much easier with 10.04
[17:04] <kirkland> TeTeT: hard to do in retrospect
[17:04] <kirkland> TeTeT: pretty straightforward from scratch
[17:04] <kirkland> TeTeT: you just install ubuntu servers
[17:04] <kirkland> TeTeT: and then add the eucalyptus packages
[17:05] <kirkland> TeTeT: https://help.ubuntu.com/community/UEC/PackageInstall
[17:06] <TeTeT> kirkland: I've done that in the past, but the clc refused to start then, I think I filed a bug on this, but it got converted to a question
[17:07] <cjwatson> converted to a question> argh bug triagers
[17:08] <cjwatson> TeTeT: should indeed be easier in lucid since we're actively trying to support this, which we weren't previously
[17:08] <TeTeT> cjwatson: that's what I thought. But I guess it's too early for Lucid to test this?
[17:08]  * kirkland wishes launchpad answers/questions would go away
[17:09] <cjwatson> TeTeT: it's not quite all in place yet, but it's definitely worth a try; a good chunk of relevant code landed just after alpha 1 and is in daily builds
[17:09] <cjwatson> assuming you have a scratch cloud, anyway
[17:10] <TeTeT> cjwatson: I have space on the disk, so I create a separate install
[17:10] <TeTeT> cjwatson: I'll probably start testing tomorrow if stuff is already in place
[17:11] <cjwatson> in particular the foundations-lucid-uec-installer-enhancement spec is (allegedly) implemented
[17:12] <cjwatson> some autoregistration stuff will be in tomorrow's build
[17:18] <MatBoy> I still have the issue when I do a scp -i that I don't have permissions on the remote files
[17:18] <smoser> soren, i think we've talked about this before, or at least how we could re-use an image with a different kernel... ec2-register now takes '--kernel' and '--ramdisk' it previously did not.
[17:19] <smoser> interestingly (to me at least) it also includes "--root-device-name ROOTDEVICENAME"... which might be a way to influence kernel command line
[17:20] <smoser> ie: --root-device-name "/dev/sda1 console=/dev/null other-option-here"
[17:23] <sub> so you want to use string injection as a 'feature'?
[17:25] <smoser> sub, yes.
[17:26] <smoser> at least it could be.
[17:26] <smoser> we've struggled with 2 objectives in the past
[17:26] <smoser> a.) have images that run on UEC and EC2
[17:26] <smoser> b.) be able to determine which we're running on
[17:27] <smoser> if i can pass a kernel command line parameter via the above, then i could register all our images with "ec2" parameter and use that to indicate where they're coming from
[17:27] <sub> IMHO that sounds like a bad idea, to rely on a "bug" to introduce functionality
[17:27] <smoser> errr where they're booting
[17:28] <sub> what happens if that gets patched?
[17:28] <smoser> you're probably correct. although its not really a bug.
[17:28] <sub> string injection is absolutely a bug
[17:28] <MatBoy> I just think I need to set a password for the root account, that will solve everything
[17:30] <cjwatson> MatBoy: the authentication method in use has absolutely no effect on file permissions
[17:30] <cjwatson> MatBoy: have you tried scp's -p option
[17:30] <cjwatson> ?
[17:30] <cjwatson>      -p      Preserves modification times, access times, and modes from the
[17:30] <cjwatson>              original file.
[17:30] <cjwatson> MatBoy: or you could use sftp if you want more flexible control.
[17:31] <smoser> sub, i agree that its probably a bug / un-realized feature in some cases. but if the point is to specify the root device to the kernel, then using it as 'root=/ec2/sda1' would basically have to be allowed.  It wouldn't make good sense from the hypervisor platform to dictate what devices can be named in the guest.
[17:31] <sub> no, that part is fine, i was more concerned about trying to add other options afterwards
[17:31] <sub> maybe i misread?
[17:32] <sub> which is entirely possible
[17:32] <smoser> well, yes, i did imply that was probably possible.
[17:32] <smoser> but there's no real way to differentiate in a hypervisor between "yes thats a valid root device" and "they're trying to inject stuff"
[17:33] <smoser> as you can't know what the guest is going to name things
[17:33] <smoser> maybe "/dev/sda1 ec2" is actually what my guest names the first scsi partition when running on ec2
[17:33] <sub> what if they wrap the arg you're providing in quotes?
[17:33] <smoser> mostly hypothetical here. anyway.
[17:33] <smoser> i can easily enough ignore the quotes in the guest
[17:34] <smoser> and afaik the kernel command line parsers basically dont use quotes
[17:34] <sub> well
[17:34] <smoser> in fact wrapping them in quotes would probably break current behavior
[17:35] <sub> my only real concern is what happens if Amazon drops support for that? unbootable VMs?
[17:35] <smoser> ie: root="/dev/sda1"
[17:35] <smoser> would probably fail in many cases
[17:35] <smoser> well you "register" an image that is mostly permanent. so if they dropped support for reading the data that was registered to the image, they'd be breaking existing customers.
[17:36] <smoser> and changing the platform's behavior for existing images, which in general would be a bad idea.
[17:36] <smoser> you definitely raise valid concerns though
[17:42] <sub> yeah, i guess it would be bad to 'de-register' certain info
[17:49] <bep> I did a fresh minimal server install and installed xorg and when I try to launch a session I get "X: user not authorized to run the X server, aborting.". Is there a group I need to be added to or something?
[18:25] <TopKatz>  after you update a system's headers, if I rebuild a driver, and make install it, before I have rebooted the system.  Will the driver be built against the new headers?
[18:41] <resno> does using squid for proxy and site caching make a noticeable difference in speed?
[18:41] <resno> for users on a network?
[18:43] <arj> yes
[18:44] <arj> but you should benchmark to find out how it affects your network
[18:44] <arj> because it might be slower or faster
[18:46] <zul> kees: ping when you are around
[18:47] <resno> arj: would it be enough to be worth the hassle?
[19:14] <smoser> kirkland, have you done an install of lucid into kvm ?
[19:14] <smoser> i just got through one using '-hda' and grub is hanging (used alpha1 iso)
[20:12] <kees> zul: late pong, was this about the stuff in privmsg?
[20:14] <zul> kees: yep
[20:16] <smoser> kirkland, ping
[20:38] <obscure> Hey, I have 2 drives in my Ubuntu server, one is only seen in df-h, how can I format the other to be seen in the list as well?
[20:41] <arj> partition it
[20:41] <arj> mkfs
[20:41] <arj> mounbt
[20:41] <arj> mount*
[20:41] <arj> add to /etc/fstab
[20:41] <kirkland> smoser: yo
[20:41] <smoser> have you successfully booted lucid with -console in kvm ?
[20:42] <smoser> i can't seem to get parameters in grub that dont switch to 640x480 mode
[20:43] <kirkland> smoser: I did with the Nov 27 ISO
[20:43] <kirkland> smoser: i'll try today's
[20:44] <smoser> even after install, it just wants to switch. kvm cmdline is: kvm -drive if=virtio,boot=on,file=lucid-server-20091214.img -console.
[20:44] <smoser> kernel command line that i'm trying now is:
[20:44] <smoser> BOOT_IMAGE=//vmlinuz-2.6.32-7-server root=/dev/mapper/ubuntu-root ro quiet fb=false nomodeset
[20:45] <obscure> thank arj
[20:45] <obscure> thanks*
[20:45] <vomjom> so i'm using the ubuntu karmic image on ec2, but it doesn't seem to have ext4 support
[20:45] <vomjom> is there a simple way to get it?
[20:46] <obscure> arj: partition it with cfdisk?
[20:47] <arj> if there are no partitions yeah
[20:47] <arj> cfdisk is fine
[20:48] <smoser> vomjom, you're correct that there is no ext4 support (bug 428692)
[20:49] <smoser> there isn't a lot that can be done at the moment. you could boot with a lucid kernel
[20:49] <vomjom> smoser, ok, thanks
[20:49] <smoser> (run-instances --kernel xxx)
[20:49] <smoser> but that may or may not have issues with the registered ramdisk for the image
[20:50] <smoser> vomjom, it should be possible to build ext4 support as a module and load it, but that might be more than you're wanting
[20:50] <smoser> lucid kernels do have ext4 support
[20:51] <smoser> and we may service that bug in karmic
[20:54] <aquarius> I've tried to upgrade my Ubuntu server from jaunty to karmic, and it says "After your package information was updated the essential package 'ubuntu-minimal' can not be found anymore.". There are bugs about this, which suggest that I should try "do-release-upgrade --proposed", but that hasn't helped
[20:55] <aquarius> what should I try next?
[22:03] <soren> smoser: I don't understand how that even makes sense. Did they extend the RegisterImage api call to accept kernel and ramdisk images?
[22:04] <smoser> yes
[22:04] <smoser> and 'root'
[22:05] <smoser> i know, it's weird. but it's there in the documentation
[22:05] <smoser> http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-RegisterImage.html
[22:52] <photon> which is the most secure ubuntu server version 8.04.2 LTS or one of the newer versions?
[23:15] <unit3> photon: that's like asking "which movie is the best". It depends on what you're trying to accomplish. Generally the security issues are more stable, known, and well defined in the LTS release, so that's probably what you're after.
[23:16] <unit3> and note that hardy is up to a .3 minor release now, I believe, not .2.
[23:17] <photon> ok
[23:17] <ScottK> photon: There has been a lot of work done on hardening since Hardy was released, so from a security perspective alone, 9.10 is the best.
[23:25] <unit3> ScottK: there's also a lot of new issues in new packages that haven't been as fully tested. it's a tradeoff. 9.10 certainly isn't as bug-free as 8.04.x, and bugs can often be translated into security problems.
[23:26] <jdstrand> unit3: ScottK was speaking to proactive security features, such as compiler, libc and kernel hardening, along with more apparmor profiles
[23:26] <ScottK> unit3: Certainly a possibility, OTOH a lot of bugs have been fixed since Hardy's release.
[23:27] <unit3> jdstrand: yep, I'm just saying that while that has taken place, there's also the opportunity for new problems that haven't been as widely documented and dealt with as in the LTS release.
[23:27] <jdstrand> 9.10 is much better in terms of proactive features, and 10.04 LTS will be better still
[23:27] <ScottK> Also as jdstrand says.  Those changes also help mitigate risk of unknown bugs.
[23:27] <unit3> for instance, on at least two of my servers, apparmor prints that it's respecting the apparmor.d/ignore and apparmor.d/complain directories, but it's lies, and you have to do a full apparmor restart manually once the system is booted to get those to take effect.
[23:27] <unit3> which leads to unpredictable results in a layer that's supposed to be securing you.
[23:28] <unit3> unpredictable = bad for security, IMO. ;)
[23:28] <jdstrand> unit3: I suggest filing bugs on that
[23:29] <unit3> Will do, just haven't had much time lately. Now might be good though, since I'm thinking about it.
[23:29] <jdstrand> I've certainly not seen it
[23:29] <jdstrand> please do, that is definitely something we would want to address
[23:30] <unit3> Yeah, I'd assume so. I'm not seeing it everywhere, so I'm assuming it must be a config conflict with something else happening at boot time.
[23:31] <unit3> but it's consistent on this system, and so it is a good example of "new proactive features vs well tested" for security, I think. :)
[23:45] <unit3> ok, narrowing my testing for the report, it looks like it loads "ignore" rules as "complain" on default instead of full ignore. That's less serious, but still annoying, since it fills my logs with cruft.
[23:53] <unit3> 496770
[23:53] <kees> interesting. i'll try to reproduce that.
[23:57] <unit3> Please do. I suspect it's some weird config on this server, since it has been upgraded constantly since 7.something.
[23:57] <unit3> but I can't imagine what it'd be, since apparmor's pretty self contained.