/srv/irclogs.ubuntu.com/2010/03/18/#ubuntu-server.txt

Sorell	alex88: glad to see I'm not the only one having issues....	00:08
Sorell	:)	00:08
alex88	Sorell: ubuntu cloud? =) me too..after 4 min i've started eucalyptus-cc..now starting eucalyptus-cloud	00:10
Sorell	alex88:	00:14
Sorell	yeah I'm having issues with addressing	00:14
Sorell	and now I can't SSH in for some reason.... :(	00:14
alex88	where are you installing it?	00:15
Sorell	?	00:15
Sorell	It's like 30min away from me right now	00:16
Sorell	:(	00:16
Sorell	in my bedroom ....	00:16
alex88	lol.. dunno man..have you ever logged into it?	00:16
Sorell	yes	00:17
Sorell	https://71.43.249.21:8443/	00:17
Sorell	furthermore	00:17
Sorell	pasileypc.com	00:17
alex88	and now it has wrong address?	00:17
Sorell	paisleypc.com*	00:17
Sorell	it works when I type in the domain but when I use the address nothing	00:17
Sorell	and I can't ping it for some reason	00:17
Sorell	and nmap can't get any info back	00:18
Sorell	:(	00:18
Sorell	alex88: no I am having an issue with the vms getting IPs	00:19
Sorell	that one should be static	00:19
alex88	oh k, now i'm having troubles starting eucalyptus-cc	00:19
Sorell	:/	00:22
Sorell	that's one thing I havn't had an issue with yet	00:22
jetole	ikonia or anyone else. How do I specify I hostname for all clients using dhcp without manually setting a hostname per each known mac address since in this case I won't know all mac addresses ahead of time. I'm using ISC dhcp3 but I will change this if someone knows a better dhcpd that supports pxe booting	00:23
jetole	for example, when I connect to my ISP I get a hostname like c-1-2-3-4.hsd1.fl.comcast.net. through dhcp when my ip is 1.2.3.4	00:25
Sorell	ping 71.43.249.20	00:36
Sorell	err	00:36
Sorell	sry	00:36
alex88	i'm thinking, if i have about 4-5 pc in my house, can i use one as controller, other as nodes, and when someone open a pc he login to a vm that uses the power of all connected nodes?	00:50
uvirtbot	New bug: #540625 in qemu-kvm (main) "Why was QEMU proper dropped in favor of KVM?" [Undecided,New] https://launchpad.net/bugs/540625	01:02
Razernok	hi	01:30
Razernok	I need some big help	01:30
Razernok	in /etc/hosts	01:30
Razernok	I'm to add a line of	01:30
Razernok	xxx.xxx.xxx.xxx my_domain.com my_machine	01:30
Razernok	how exactly do i write it?	01:30
Razernok	from the installtion guide (xxx.xxx.xxx.xxx is your public IP and “my_domain” is the domain where the panel listen)	01:31
jiboumans	192.168.1.1 www www.example.com	01:31
jiboumans	for example ^	01:31
jetole	Razernok: man 5 hosts	01:32
Razernok	i did earlier 127.0.0.1 my.site.com	01:32
jetole	Razernok: thats right, so is 127.0.0.1 my my.site.com	01:33
jetole	it's whitespace seperate so a space is the same as a tab	01:33
Razernok	what about the my_machine part	01:33
jetole	man 5 hosts	01:34
jetole	type that in bash	01:34
Razernok	huh?	01:34
jetole	and hit enter	01:34
Razernok	bash?	01:34
jetole	console	01:34
* twb hands jetole a stiff drink		01:34
jetole	bash, dash, csh, ksh, sh, etc etc	01:34
jetole	twb: thanks! I need one	01:35
Razernok	huh?	01:35
twb	I think you can't get ksh on Ubuntu, only pdksh	01:35
* jetole shrugs, never tried		01:35
jetole	Razernok: find the console on your system	01:35
jetole	the area where you have a screen and it a prompt and you can type commands	01:35
jetole	you can get it from pressing ctrl+alt+f1 - f6 and use f7 to get the gui back but thats the worst way	01:36
jetole	go to menu -> accessories -> terminal	01:36
jetole	that works on gnome	01:36
Razernok	i had to reinstall ubuntu server after a bug caused it unable to boot	01:37
Razernok	i was making changes like in this guide and after restart it couldn't find some file.	01:37
jetole	I give up	01:37
jetole	I could use a shot of white tequila right now	01:41
jetole	been sick as a dog for over a week and tired of it	01:41
jebba	I did a dist-upgrade on EC2 and i saw it installed a new kernel, but on reboot it didnt use it. The grub stuff is kinda missing (nothing useful under /boot/grub/). Howto reboot into latest kernel?	03:30
jayvee	does EC2 even boot via grub?	03:34
jayvee	I would imagine that it would load the kernel directly	03:34
=== rberger_ is now known as rberger
Sorell	!cloud	03:52
Sorell	Anyone know of a good guide on how the networking works in eucalyptus?	03:53
jebba	jayvee: ya, it appears not to use grub, but I'm not sure how to tell it which kernel to use.	04:03
jayvee	jebba: I'm guessing in the EC2 config for the VM	04:11
jayvee	i.e. not inside the VM itself	04:11
jebba	thx	04:13
jetole	does anyone know how to make preseed exclude a package when it installs? I used the tasksel for server only but I have never needed nano on my servers?	04:56
jetole	*on my servers!	04:56
jetole	agh, and even with server mode it still installed libgtk and openoffice	04:59
jetole	wtf	04:59
uvirtbot	New bug: #540693 in spamassassin (main) "does not terminate at computer shutdown" [Undecided,New] https://launchpad.net/bugs/540693	05:01
=== nxvl_ is now known as nxvl
altf2o	quick question. I'm on Ubuntu 9.10, using rdiff-backup 1.2.8-1ubuntu2. It works great except for when it encounters files with a question mark in their name. Been searching coming up empty, anyone found a way around this?	06:23
=== au is now known as 17SAALA2J
jayvee	nice of you guys to drop by	07:15
marcus_	hi all. i have set up login via nss_ldap (passwd / groups). getent works fine but login takes extremly long.	07:34
marcus_	i have already tried to set up nscd, even with local cache - without a luck.	07:34
uvirtbot	New bug: #540747 in apache2 (main) "Apache Web DAV incorrect permissions" [Undecided,New] https://launchpad.net/bugs/540747	08:16
twb	maintenance-check: Fetching seeds for hardy (this may take a moment) ...	08:34
=== jstephan\|w is now known as johe\|w
twb	...is it just me, or does that take like fifteen minutes for everyone?	08:34
* jussi01 breathes deeply... ok, my /etc/hosts is ruined and I need to edit it to fix. (some bug in hardy). So I tried to drop to root console in recovery mode, but it asks me for a root password (even though Ive not set one). thoughts on how to fix?		08:35
ejat	hi .. just wanna check with u guys ..	08:36
ejat	its it confirm nagios.cmd missing in karmic ?	08:36
FireCrotch	jussi01: um... set one? or boot into actual single user mode	09:08
jussi01	FireCrotch: sorted now... but actual single user mode?	09:09
* jussi01 thought that was...		09:09
FireCrotch	jussi01: yes... stick "single" at the end of the kernel line in grub	09:09
FireCrotch	should take you straight to a root prompt	09:10
jussi01	ahh, I didnt realise that. thanks for the tip	09:10
FireCrotch	You're welcome :)	09:11
twb	I'm still ambivalent about it not asking for a password	09:12
FireCrotch	twb: for what? booting into single user mode?	09:12
twb	FireCrotch: traditionally single would ask for root's password before giving you root privileges	09:13
twb	On Ubuntu you don't have to use init=/bin/sh to break through that.	09:13
FireCrotch	Why bother asking for root's password if you can just use init=/bin/sh ?	09:13
twb	It's about as secure as a warm blanket, but I think I still miss it.	09:13
twb	FireCrotch: well, after you init=/bin/sh, you sometimes have to dance about a bit to get write access to the disk	09:14
twb	But I imagine it's hysterical raisins	09:14
twb	Probably once upon a time init=/bin/sh wasn't a back door, either.	09:15
FireCrotch	twb: your point is? Anyone who knows enough to bypass the password should know enough to get write access	09:15
FireCrotch	and if someone is standing at the console, they can just unplug the machine and walk away with it, so why bother securing it any more than that	09:15
FireCrotch	or open it up and take the hard drive	09:15
FireCrotch	You have that problem with practically any system though	09:16
Zider	I have a problem with cryptdisk sometimes only creates /dev/mapper/name and sometimes both that and /dev/mapper/name_unformatted.. is there a known problem with this?	10:49
Zider	also, how come the startup process tries to mount the maps before cryptdisk is finished creating them?	10:50
=== geek is now known as Guest40863
=== Guest40863 is now known as faileas
SquidNoob	is TPROXY working with ubuntu server 9.10?	11:49
jayvee	SquidNoob: probably	11:55
jayvee	you having troubles with it?	11:56
owh	Is there a way that I can configure vsftpd to force an authenticated user to upload to the directory that the anonymous user can download from?	12:10
SquidNoob	jayvee, yes, I'm not sure whether ebtables or iptables is failing, but as I read on google, it does NOT work with debian/ubuntu	12:10
SquidNoob	I am using these rules to redirect port 80 from the bridge to port 3129	12:10
SquidNoob	iptables -t mangle -N DIVERT	12:10
SquidNoob	iptables -t mangle -A DIVERT -j MARK --set-mark 1	12:10
SquidNoob	iptables -t mangle -A DIVERT -j ACCEPT	12:10
SquidNoob	iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT	12:10
SquidNoob	iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129	12:10
SquidNoob	ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT	12:10
SquidNoob	When I put these rules can not open any website, and port 3129 is not getting anything	12:10
SquidNoob	if i do an "#dmesg \| grep TPROXY" get:	12:11
SquidNoob	[ 10.827732] NF_TPROXY: Transparent proxy support initialized, version 4.1.0	12:11
SquidNoob	[ 10.827738] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.	12:11
jayvee	oh right, this is IPv6 transparent proxying	12:11
jayvee	neat, but I've never touched that before	12:12
jayvee	hang on, wait, maybe it's not	12:12
jayvee	--ip-protocol 6	12:12
jayvee	what's that?	12:12
SquidNoob	TCP	12:13
SquidNoob	ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT	12:14
SquidNoob	dont work too	12:14
SquidNoob	sorry for my bad english	12:14
Zider	I have a problem with cryptdisk sometimes only creates /dev/mapper/name and sometimes both that and /dev/mapper/name_unformatted.. is there a known problem with this?	12:18
jayvee	SquidNoob: I'm afraid I can't help you with the TPROXY module, but have you considered using NAT instead?	12:21
jayvee	it's relatively easy to get going.	12:21
SquidNoob	jayvee: Unfortunately, nat does not help me, because I need to do IP spoofing with the customer IP, but thanks for your help	12:24
ttx	zul, smoser: could you split the remaining EC2 tests between you two ?	12:32
ttx	zul, smoser: or should we just get rid of that test, to replace it with a more thorough cloud-config test ?	12:33
=== MarkB1 is now known as MarkB1_rsn
smoser	ttx, zul_ we should replace that with a cloud-config test. i will work on putting one together and getting tested here in a few minutes.	13:00
ttx	smoser: ok	13:01
smoser	i did test the ebs root yesterday, and pushed what i had to https://launchpad.net/~smoser/+junk/ec2-test	13:02
=== MarkB1_rsn is now known as MarkB1
zul_	smoser: hmmmm?	13:03
zul_	smoser: you want me to upload something?	13:04
smoser	no. thats just the "test suite" (for lack of a better term) that i use to run 'test-multi'.	13:04
smoser	i'll get some test cloud-config stuff together and add it there.	13:04
=== zul_ is now known as zul
zul	ah nifty	13:06
=== bladernr__ is now known as bladernr_
swift	Hi guys, just a query, has the support and upgrades for UBUNTU 6 series LTS expired?	14:07
swift	is it over?	14:07
AntORG	I think it's 5 years for the server edition	14:09
swift	hi guys.. im talking about ubuntu-server 6 series LTS.. is it an eol now?	14:09
swift	AntORG.. when had it started?	14:09
AntORG	6.06	14:09
swift	2006	14:10
swift	hmm	14:10
AntORG	that's june 2006	14:10
swift	one year to go then	14:10
AntORG	the "version number" of ubuntu gives you information about the year and the month it was released	14:11
AntORG	so 8.04 for instance means april of 2008	14:11
swift	yeah	14:11
swift	ok	14:11
swift	thanks	14:12
swift	is it possible to upgrade 6.10 edgy to 6.06 LTS?	14:12
=== luis__lopez is now known as luis_lopez
AntORG	you mean downgrade. It probably is somehow but I wouldn't recommend it.	14:13
swift	but edgy is bad as compared to LTS right?	14:13
_ruben	downgrades arent supported, edgy should be upgraded to feisty, then gutsy, and then hardy (lts)	14:13
_ruben	!edgy	14:14
ubottu	Ubuntu 6.10 (Edgy Eft) was the fifth release of Ubuntu. End Of Life: April 25th, 2008. See !eol for more details.	14:14
_ruben	eol'ed nearly 2 years ago	14:14
AntORG	_ruben that's the reason he wants to downgrade to 6.06 which hasn't reached the eol yet	14:14
swift	yes	14:15
swift	is it possible?	14:15
_ruben	one shouldnt downgrade to "avoid" EOL, one should upgrade	14:15
AntORG	and 8.04 isn't an option, because...?	14:15
_ruben	upgrades are supported, downgrades are not	14:15
_ruben	if a downgrade breaks your system, you do get to keep both pieces though	14:15
swift	this is a production system.. and it involes risk to go edgy to feisty, then gutsy, and then hardy (lts)	14:16
_ruben	the risk of downgrading is probably even bigger	14:16
swift	ok... so il keep it untouched.. and get a new server	14:16
_ruben	and if its a production system, it should've been upgraded ages ago	14:16
swift	thanks soo much guys!!!...	14:16
swift	yeah..true	14:17
swift	i just got introduced to it the other day	14:17
swift	boy .. it's an oldtimer	14:17
swift	:p	14:17
AntORG	create a backup disk image and try upgrading and if it doesn't work out use the backup	14:18
thafreak	Is the beta 1 ISO available yet to begin testing?	14:20
_ruben	if its got raid1, you could break it and keep 1 half as backup </horror-story-mode>	14:20
Jeeves_	!mvo-- # Manpage slacker	14:23
ubottu	Error: I am only a bot, please don't think I'm intelligent :)	14:23
Jeeves_	Pff, employed by Canonical, i'm sure...	14:24
=== luis__lopez is now known as luis_lopez
_ruben	anyone have any experience in using ssd's in their server(s)?	14:43
Jeeves_	yes	14:44
_ruben	Jeeves_: ran into any issues?	14:55
_ruben	i know windows doesnt really "like" ssds until windows 7	14:55
_ruben	currently looking at nilfs+ssd .. seems like a killer combo	14:56
Jeeves_	_ruben: No issues at all.	14:56
Jeeves_	Just more performance	14:56
_ruben	Jeeves_: good to hear :)	15:03
_ruben	Jeeves_: did you do any special tricks/optimizations?	15:03
Jeeves_	_ruben: No, not at all	15:11
_ruben	nice	15:14
acalvo	any good way to do a service failover over servers? So a secondary server starts if the primary server crashes	15:16
jalons	acalvo: heartbeat	15:16
acalvo	ok, great (I've thought it was only a load-balancer)	15:17
_ruben	heartbeat/pacemaker/corosync/openais	15:17
_ruben	heartbeat doesnt load-balance, but is used a lot on loadbalancers to make em redundant :)	15:18
acalvo	ok, thanks!	15:18
=== geek is now known as Guest3931
vertx	Does anyone has experience with GlusterFS? I need expandable storage distributed across several servers. Any thoughts/suggestions?	15:21
=== Guest3931 is now known as faileas
swift	guys, does Ubuntu 7 series have an LTS server edition?	15:22
Japje	lts is every 2 years	15:22
Dr_Jekyll	nope - 6.06 and 8.04 and the upcoming 10.04	15:22
Japje	to 6/8/10	15:22
vertx	swift: why don't you use 8.04 instead?	15:23
swift	vertx, I want to upgrade from 6.10Edgy to an LTS version	15:24
faileas	swift: upgrade to 7x then to 8.04	15:24
vertx	swift: then you should use 8.04 or wait until 10.04 is released	15:25
swift	guys, is there any risk involved?	15:26
acalvo	about HA, there is something I don't understand. If I want to have a HA web server distributed in 2 or more server, is load-balancer's job to get the IP and pass the information? or it justs decides to which web server goes the request? I'm concerned about how to make the server available (how to set up the DNS public name to be reachable)	15:26
_ruben	acalvo: depends on what you're trying to achieve: active/active (performance) or active/passive (failover/redundancy)	15:27
acalvo	active/passive	15:27
_ruben	active/passive wont need a loadbalancer	15:28
_ruben	with active/passive there'll be a "floating" ip address which will be active on the active node	15:28
acalvo	and where is the process that decides which server should be taking requests?	15:29
_ruben	acalvo: both nodes talk to eachother, if one stops hearing the other, or if the other says it's going standby, the local node will become active	15:30
acalvo	oh, ok	15:30
acalvo	now seems more reasonable	15:30
acalvo	I've thought that it was necessary to have a specific computer to decide which node was active	15:30
acalvo	thanks _ruben	15:31
_ruben	that's also possible	15:31
acalvo	well, it makes sense to have a 3rd computer which do that job?	15:31
_ruben	it has its pros and cons	15:32
_ruben	the keyword here is quorum .. with 3 nodes there's always a majority/minority .. with just 2 nodes that's not possible	15:32
arch0njw	I am attempting to install tomcat6 on ubuntu server 8.10 and it is saying that package is not found. Am I missing a repository or misspelling the package name?	15:32
jalons	but, fencing adds a lot of overhead	15:33
acalvo	well, I'll start with just 2 nodes	15:34
arch0njw	andol: faileas: I followed the simple setup for ubuntu desktop and that worked fantastically. Thank you for the advice yesterday.	15:34
acalvo	and see what happen	15:34
faileas	yay	15:34
faileas	even if as i recall, my answers weren't that useful XD	15:34
arch0njw	faileas: someone to bounce ideas off is -always- helpful. :)	15:35
jalons	acalvo: I highly suggest additional cat5 or serial runs to each HA node - it's surprising how often a single cable becomes unpluged leading to splitbrain or worse situations	15:37
arch0njw	huh-boy. so it is tomcat5.5, not tomcat6 despite the Ubuntu Server 8.10 wiki saying that tomcat6 can be installed with apt-get from the standard repos.	15:38
acalvo	jalons: I'll take that in mind... I've been having troubles with the only web server we have here (it crashes once a day randomly), so I'll deploy and test a HA with 2 nodes and see what happen. Bad thing is the servers I'm going to use just have 1 rj45...	15:38
mathiaz	hggdh: hi! around?	15:46
mathiaz	hggdh: shall we continue the UEC testing?	15:46
swift	guys, is it ok to have nagios, smokeping setup on an eol server?	15:51
jmazaredo	will two gateway on same network work like the other? i have this problem http://tinypic.com/view.php?pic=vys4ld&s=5	15:53
jetole	does anyone know why libgtk and openoffice (these are just the ones I have noticed) seem to be part of the base install with preseeding, even when you use server as the tasksel	15:53
ttx	arch0njw: tomcat6 is available in 8.10	15:53
ttx	https://launchpad.net/ubuntu/+source/tomcat6	15:53
ttx	(fwiw it's also in 8.04)	15:53
ttx	mathiaz: do you plan to run your magic ISO testing script ?	15:54
mathiaz	ttx: hm - for lucid beta1?	15:55
hggdh	mathiaz: hi, I am here	15:55
mathiaz	ttx: no - I thought zul would take up iso testing	15:55
ttx	mathiaz: he did, was just wondering if you planned to run it or not	15:55
mathiaz	ttx: as I'm working on some puppet WI for beta1 and helping out hggdh for UEC testing	15:55
ttx	mathiaz: ok	15:55
mathiaz	ttx: not for now	15:55
zul	ttx: i did the iso testing yesterday	15:55
ttx	mathiaz,zul: we could use someone for the RAID1 test	15:56
hggdh	BTW -- all -- I would like your comments on the changes I did to the server guided whole disk install	15:56
zul	ttx: k ill take a look	15:56
mathiaz	ttx: IIRC RAID installation are broken	15:56
mathiaz	ttx: cjwatson was working on it at the begining of the week	15:56
ttx	mathiaz: yes they are -- woud be good to have bugs filed for it though	15:56
mathiaz	ttx: not sure if he fixed it in time for beta1	15:56
ttx	mathiaz: no he didn't	15:57
jetole	ok, I think I just solved my own question: http://ubuntuforums.org/showthread.php?p=3088943	15:57
mathiaz	ttx: there is a bug about it no?	15:57
ttx	mathiaz: I'll check up with him	15:57
ttx	arrh, who added a test case ?	15:58
ttx	hggdh: you added the "preseeded" test case ?	15:58
arch0njw	ttx: huh. it doesn't show up in the package list for Ubuntu Server.	15:59
mathiaz	ttx: seems so	15:59
ttx	arch0njw: you must be doing something wrong	16:00
arch0njw	sudo apt-get install tomcat6 ...?	16:00
mathiaz	ttx: preseeded testing is probably worth testing	16:00
arch0njw	ttx: that's pretty standard. No package is found.	16:00
mathiaz	ttx: as well as a kickstart install	16:00
EhrN	hi all. I try to install dtc-toaster, someone have success install of this panel?	16:00
ttx	arch0njw: I guess something is wrong in your mirror/apt.sources	16:01
mathiaz	ttx: not for beta1 though	16:01
ttx	mathiaz: agreed, but adding the test now and not completing it makes us look bad	16:01
mathiaz	ttx: http://www.youtube.com/watch?v=dsUXAEzaC3Q ?	16:02
smoser	ttx, i've started instances for each candidate ami with '--user-data-file ud-multipart-01.txt' at http://bazaar.launchpad.net/%7Esmoser/%2Bjunk/ec2-test/files/head%3A/user-data/ and then verified that they did what was expected.	16:11
ttx	smoser: cool	16:11
hggdh	ttx yes, there is a (right now) simple pressed test. I am considering preparing presseds for most, if not all, of the common server installs	16:12
smoser	i put 3 user data tests in that directory, the goal would be to pull those into the 'test-multi.sh' launcher in the dir above it.	16:12
ttx	hggdh: could you complete that test for us ? It would make our beta1 test coverage look better	16:12
ttx	hggdh: also please don't add new testcases at the last minute on milestone release day	16:13
hggdh	ttx there is a caveat: since I have to use an url, questions will be asked until hostname is reached (the url is only loaded after it)	16:13
ttx	hggdh: the testcases should generally be updated before a milestone campaign, not in the middle of it.	16:13
hggdh	ttx: will not do it next time...	16:13
hggdh	ttx: I have already tested the pressed multiple times, will mark it tested	16:14
ttx	hggdh: cool, thanks	16:15
hggdh	ttx: please keep in mind that I did not have much time to work on them, and they were scheduled for beta1	16:16
ttx	hggdh: ah... maybe retargeting them to beta2 makes sense then. We need some adaptations for beta2 anyway (on the cloud image front)	16:16
ttx	hggdh: feel free to add new tests, just make sure you mark them completed as soon as they reach the tracker	16:17
* ttx cannot go to bed until http://iso.qa.ubuntu.com/qatracker/build/ubuntuserver/all shows all tests covered		16:18
jetole	does anyone know how I can set the default editor system wide for all users and all new users that don't exist yet?	16:22
hggdh	ttx: will do. Sorry for the surprise	16:23
hggdh	ttx: all tests I have run so far are marked. All required tests are now covered also	16:25
mathiaz	hggdh: I've already got preseeds for all common test cases	16:25
mathiaz	hggdh: this is what ttx was refering to when he mentioned whether I was running my iso testing scripts	16:26
ttx	\o/ all tests covered !	16:26
hggdh	mathiaz: ah, OK. If you do not mind making the preseeds public, we can add them later	16:26
mathiaz	ttx: good night!	16:27
ttx	mathiaz: nah, I still need to do some uec multi-network tests :P	16:27
hggdh	mathiaz: would the installations we did yesterday qualify for test coverage?	16:27
mathiaz	hggdh: yes - for the topology we tested	16:28
ttx	mathiaz,zul: for perfection, we still need to cover:	16:28
ttx	http://iso.qa.ubuntu.com/qatracker/result/3788/356	16:28
ttx	http://iso.qa.ubuntu.com/qatracker/result/3785/357	16:28
mathiaz	hggdh: https://code.launchpad.net/~mathiaz/+junk/iso_testing_scripts	16:28
mathiaz	hggdh: ^^ these are my iso testing script	16:29
mathiaz	ttx: hm - netbooting	16:29
mathiaz	ttx: well the UEC testing rig uses netbooting	16:29
mathiaz	ttx: but not the mini.iso	16:29
mathiaz	hggdh: oh - and the test we did yesterday wouldn't count for beta1 as we've tested installation from the archive rather than for an iso	16:30
zul	i dont think if have the infrastructure for netbooting	16:31
mathiaz	zul: the test case for netbooting is actually based on the mini.iso	16:32
zul	mathiaz: k	16:33
mathiaz	zul: so you don't need to have a PXE server to run the netboot test case	16:33
zul	heh well once i get through this it will be next	16:33
hggdh	mathiaz: I branched your iso-tests-scripts. I will adpat them for future ISO tests	16:33
mathiaz	hggdh: the scripts are actually tweaked for my own environment	16:34
mathiaz	hggdh: and based around libvirt and qemu	16:34
mathiaz	hggdh: the preseeding part can easily be extracted and reused though	16:34
hggdh	mathiaz: I expected they would be tweaked ;-) this is why I expect to have to adjust them	16:35
mathiaz	hggdh: https://code.launchpad.net/~mathiaz/+junk/iso-testing-cfg	16:36
mathiaz	hggdh: ^^ this is actually the configuration with the latest version of the preseeds	16:36
hggdh	mathiaz: thank you. Branched	16:37
zul	ttx: oh you did the raid1 install	16:49
zul	i got the same thing	16:49
ttx	zul: well, I reported the bug secondhand	16:50
ttx	zul: so it's good you covered it	16:50
zul	ttx: i was able to reproduce it	16:50
ttx	cjwatson: when you have the time, please comment on feasibility of https://bugs.launchpad.net/ubuntu/+source/eucalyptus/+bug/540167 : can we have the tasks available for the UEC installer while not being displayed by the Server installer tasksel ?	16:55
zul	mathiaz: there is already a fix in the queue for munin	17:00
mickster04	hey guys, im tryin to set up a vpn server, im not sure why it isnt working:/ i get error 800 on windows but my ubuntuinstall on my laptop doesnt work either	17:15
mathiaz	zul: for bug 538902?	17:17
mickster04	well it kinda works, in that i can connect to it, but i cant acces the internet thru it:/	17:33
stas	hi guys, anybody can recommend some better replacement for nscd	17:33
cemc	can I get some stats/status oout of my openntpd ?	17:34
warlock_mza	hi guys, I need an init script for hostapd but I want to keep things clean. Should I add post-up to network/interfaces ? write an /etc/init/hostapd.conf ? or just update-rc.d to add to startup ?	17:34
warlock_mza	do both the event driven /etc/init/ systeym + the /etc/init.d scripts work in parallel ?	17:36
=== RoAk is now known as RoAkSoAx
mickster04	well this channel is good :P	17:43
pmatulis	warlock_mza: yes	17:46
warlock_mza	pmatulis, hey that might be too specific :-)	17:46
pmatulis	warlock_mza: sorry?	17:47
warlock_mza	pmatulis, nm	17:47
zul	mathiaz: yep	18:00
mathiaz	zul: if you upload a fix could you leave a note in the relevant bug to avoir duplication	18:01
mathiaz	zul: especially during freezes	18:01
zul	mathiaz: sure sorry about that	18:01
mathiaz	zul: since LP won't update the bug right away	18:02
hggdh	mathiaz: whenever you have time we can go back to the UEC whatchamacallit	18:09
hggdh	mathiaz: or, if you do not mind, I can get back there and keep on from where we stopped, and ping you if needed	18:11
mathiaz	hggdh: please go ahead with testing	18:11
mathiaz	hggdh: I don't use the test rig right now	18:11
mathiaz	hggdh: I'd suggest you keep going through the test case	18:12
mathiaz	hggdh: if you have any question I'll answer them	18:12
hggdh	mathiaz: deal	18:13
SquidNoob	someone has managed to run ebtables in ubuntu server? I think it's impossible: (	18:34
=== dendrobates is now known as dendro-afk
=== dendro-afk is now known as dendrobates
hggdh	kirkland: on testdrive, if a DISK_FILE is provided, should it be formatted (as it is right now) or just used as-is? I would vote for using as-is ;-)	19:49
arch0njw	I have Ubuntu Server 8.04 running on an ESX VM. I tried to install vmware tools and it barked furiously -- even after I got the headers installed. Anyone here have a handy link to point me to for a tried-and-true set of steps to get vmware tools working?	19:59
kees	mathiaz, ttx: can you guys look at bug 292971 for lucid and maybe hardy?	20:07
mathiaz	kees: is that a security issue?	20:11
mathiaz	kees: or is just an important bug to fix?	20:11
vadi01	guys have a problem with the ubuntu server. apache refuses to load javascript to LAN users but WAN users can load them when they access the server home page	20:24
kees	mathiaz: just an important bugfix (i.e. after enough time, they can't use the system due to leaked memory use)	20:24
vadi01	any idea why? or is there a specifig permission i need to set for this	20:24
mathiaz	kees: ok - thanks	20:25
sherr	vadi01: have you compared the page source (same page) between WAN and LAN? maybe there's something stripping things out between server and LAN user?	20:25
mathiaz	smoser: how horrible is it to copy your aws credentials to a running EC2 instance?	20:26
smoser	i personally dont htink its too bad.	20:26
smoser	but i'm not kees	20:26
kees	mathiaz: just don't make new AMIs with that stuff on the image. :) lots of people do that :(	20:27
smoser	mathiaz, if you think about it, the most likely entity to gain access to your credentials is a AWS employee, who could have just got them from AWS	20:27
vadi01	sherr: yea see this http://img.flashtux.org/img132b4dc2d3efx5408c1fc.jpg	20:27
mathiaz	smoser: right	20:27
smoser	second most likely person is someone running an instance on the same hardware that exploits xen	20:27
vadi01	sherr: illegal characters is the main problem	20:27
smoser	and gets access to your memory	20:27
mathiaz	smoser: what I'm looking for is to be able to get the list instanceID that are currently running under my account	20:27
smoser	then also possible i guess is if storage is not cleaned sufficiently between users, someone could find your data on their block device.	20:28
RoAkSoAx	mathiaz, i attached missing info to bug #531978. :)	20:29
mathiaz	kees: I'm currently experimenting with puppet	20:29
mathiaz	kees: and I'm looking for a way to semi-automate the client registration	20:29
mathiaz	kees: the idea being that the client sends its instanceId as part of the certname, and then the puppetmaster checks if that instanceId is actually running under the same account	20:30
soren	kirkland: Is there a way to adjust how aggressively ksm should scan for duplicate pages?	20:30
mathiaz	kees: so if the instanceId is a known running instanceId the registration proceeds	20:30
mathiaz	kees: how does that seem?	20:30
DrNick_	evening. is anyone fairly well versed in samba Active Directory authentication via likewise-open?	20:33
smoser	mathiaz, http://www.shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html	20:33
smoser	that has some info.	20:33
kirkland	soren: i think there is ... dig around /sys	20:34
kirkland	soren: ls /sys/kernel/mm/ksm/	20:35
kirkland	soren: adjust /sys/kernel/mm/ksm/sleep_millisecs i think	20:35
soren	kirkland: Yeah, that seems to be the only knob I can turn	20:35
soren	20 msecs between each complete scan..	20:35
soren	That sounds like a very agressive default.	20:35
soren	perf top tells me that something like 20% of my cpu time is spent scanning for shareable pages.	20:36
soren	That's a lot in my book.	20:36
kees	mathiaz: /me ponders	20:37
soren	kirkland: Are you seeing similar behaviour? It's not that I can feel the machine being heavily loaded by it, I just wondered why my fan was on all the time, and then noticed this.	20:40
erichammond	mathiaz: I think it's fairly bad to copy AWS keys to an instance, but I do it because there is no good way to perform certain functions without them.	20:45
mathiaz	erichammond: right - I've outlined my use case above	20:46
mathiaz	erichammond: as I'd like to automate as much as possible the enrollement of puppet client	20:46
mathiaz	erichammond: clients	20:46
erichammond	mathiaz: You want the list of all instance ids or the instance id of the currently running server?	20:47
mathiaz	erichammond: the list of all instance ids	20:47
erichammond	What does "known running instanceId" mean? known to whom?	20:47
mathiaz	erichammond: as I'm using the instance id of the puppet client in the certname	20:47
mathiaz	erichammond: known to my account	20:47
erichammond	oh, so the server is checking	20:47
erichammond	puppet server	20:47
mathiaz	erichammond: yes - puppetmaster checks if the instance id of the requested csr is an instance id part of the aws account	20:48
erichammond	could the client lie about its instance id and fool the server?	20:48
mathiaz	erichammond: yes	20:48
mathiaz	erichammond: however it would have to lie about an instance id that is part of the running instances for the specific account	20:49
mathiaz	erichammond: the puppetmaster will only sign the request (and issue the certificate) if the instance id is part of the running instances	20:49
mathiaz	erichammond: the underlying assumption here is that the instanceId are more or less randomly generated by amazon	20:50
erichammond	mathiaz: No, they are very sequential (with some scrambling)	20:50
erichammond	and easy to guesss	20:50
erichammond	or guess	20:50
erichammond	mathiaz: If you're willing to trust Amazon security groups, then it's pretty easy to only allow connections to puppetmaster from other instances in the same account.	20:51
mathiaz	erichammond: right - that have to be part of the same security group	20:52
erichammond	well you can specify the security group. I.e., security group "puppetmaster" allows connections from security group "puppetclient"	20:52
mathiaz	erichammond: can an instance be part of multiple security groups?	20:53
erichammond	yes	20:53
kirkland	soren: talk to aliguori about that ... he thought it was pretty aggressive	20:53
mathiaz	erichammond: can an instance be removed from a security group while running?	20:54
erichammond	each security group adds permissions (they can't take away)	20:54
soren	kirkland: Will do.	20:54
kirkland	soren: we can change twiddle that knob if necessary	20:54
erichammond	The security groups assigned to an instance cannot be changed after an instance is started, but the permissions associated with each security group can be changed.	20:54
kirkland	soren: and yes, 20ms does sound pretty frequent	20:54
mathiaz	erichammond: hm - ok	20:55
erichammond	(checking to see if that's still true)	20:55
erichammond	yep, I don't see any security group option in ec2-modify-instance-attribute. Sometimes that command seems to have new things added without me hearing about them :)	20:56
mathiaz	erichammond: allright - so using the instanceId doesn't really help here	20:56
mathiaz	erichammond: as it increases sequentially	20:56
soren	kirkland: Yeah. it's so short you almost wonder why it waits at all.	20:57
erichammond	Can't puppet use a shared secret?	20:57
mathiaz	erichammond: hm - yes it could	20:57
mathiaz	erichammond: the idea here is to use the certname to convey the shared secret	20:57
mathiaz	erichammond: the instanceId being a kind of share secret	20:58
mathiaz	erichammond: the attach scenario I'm trying to protect against is a root compromise of a puppet client	20:58
erichammond	oh	20:58
mathiaz	erichammond: that should not lead to easy access to other puppet manifests	20:58
erichammond	how does the puppetmaster know what kind of system the client should be configured as?	20:59
mathiaz	erichammond: while still being able to automate the registration process	20:59
mathiaz	erichammond: that's another part of the problem that comes later	20:59
mathiaz	erichammond: the first step is to issue a certificate to the requesting client	21:00
mathiaz	erichammond: making sure that the client is expected to be asking a certificate	21:00
erichammond	mathiaz: My company has been using puppet on EC2 and we've faced some similar issues about how to shoehorn puppet concepts into dynamically created instances. I don't think we've completely resolved them. I'm looking at chef to see if it might be a better fit.	21:04
mathiaz	erichammond: well - I've got some ideas how to do that	21:05
mathiaz	erichammond: the key part though is which components you use to create the instances	21:05
erichammond	At the moment, we've dropped having a centralized (and single point of failure) puppetmaster. Each new instance bootstraps itself as its own puppetmaster and then runs.	21:06
mathiaz	erichammond: if the component that runs new instances is flexible enough you can ask the puppetmaster to generate a certificate for the client and send it to the instance	21:06
mathiaz	erichammond: how do you send the manifest?	21:06
mathiaz	erichammond: do you ship the whole site configuration to each instance?	21:07
erichammond	mathiaz: My co-worker did most of the work. I believe it picks it up from a private S3 URL.	21:07
mathiaz	erichammond: ok	21:07
erichammond	mathiaz: Yes, the whole puppet.	21:07
erichammond	At the moment, the S3 URL expires so attackers cannot access it a bit after startup, but that's probably going to change as we get more into spot instances and auto scaling.	21:08
erichammond	This approach does not solve your requirement of restricting access to certain manifests from a root compromised machine.	21:09
mathiaz	erichammond: are you using Ec2 Auto-Scaling?	21:19
mathiaz	erichammond: or you've got your own auto-scaling system?	21:19
erichammond	mathiaz: We are not auto scaling at the moment. We plan to add it as we grow.	21:27
jnss	when was the last kernel update	22:07
jnss	or whatever update required you to reboot	22:07
mickster04	jnss i think server is desinged not to be needed to reboot	22:11
mickster04	howelse are you gona get 365+ days of uptime:D	22:12
njbair	why is sshd started and then restarted when ubuntu boots?	22:12
jnss	yeah that is true mickster04	22:12
jnss	but kernel security updates require reboots ;(	22:12
mickster04	well i havent gotten one of those in 40+ days i know that	22:12
njbair	nothing like when somebody brags about their uptime, then has to restart after like 6 months only to find that half of their services aren't starting properly	22:13
mickster04	njbair: yeah, im worried about having to reboot	22:13
njbair	I reboot monthly, if for no other reason than to avoid that kind of thing	22:14
njbair	also, for the 5 minutes it takes, whose server can't afford a regular reboot?	22:15
jnss	bragging is still nice	22:15
mickster04	yeah	22:16
jnss	a ni uptime usually denotes bsd	22:16
njbair	actually, it usually denotes an under-utilized machine	22:16
njbair	"Turn it up till it breaks, then back off a little bit." that's my motto!	22:17
mickster04	yeah mine isnt used much:D but what it does it does well	22:17
* jnss runs centos		22:18
jnss	that thing has an old kernel	22:18
njbair	mickster04, my home server does web, nfs, squid, svn, ssl, all on a mini-itx	22:18
jnss	but i am told an update was issued a few hours ago	22:18
jnss	mini itx? what model	22:18
njbair	VIA EPIA MII	22:18
njbair	I just found out the board has built-in hardware crypto	22:19
mickster04	njbair: web, squid, samba ssh all on a fit-pc2:D	22:19
njbair	I reconfigured openssl to use VIA Padlock and ran some benchmarks, it's ridiculously faster	22:19
=== AntORG_ is now known as AntORG
jnss	it's pretty insecure though	22:24
jnss	referring tot he number generator	22:24
jnss	do you know the watt draw of your itx?	22:25
=== erichammond1 is now known as erichammond
=== Authority_ is now known as Authority
jetole	does anyone know how to test commands that you run in preseed	23:58
jetole	mine fails and I have tested it pretty thuroughly outside of the preseed run	23:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!