[00:08] <Sorell> alex88: glad to see I'm not the only one having issues....
[00:08] <Sorell> :)
[00:10] <alex88> Sorell: ubuntu cloud? =) me too..after 4 min i've started eucalyptus-cc..now starting eucalyptus-cloud
[00:14] <Sorell> alex88:
[00:14] <Sorell> yeah I'm having issues with addressing
[00:14] <Sorell> and now I can't SSH in for some reason.... :(
[00:15] <alex88> where are you installing it?
[00:15] <Sorell> ?
[00:16] <Sorell> It's like 30min away from me right now
[00:16] <Sorell> :(
[00:16] <Sorell> in my bedroom ....
[00:16] <alex88> lol.. dunno man..have you ever logged into it?
[00:17] <Sorell> yes
[00:17] <Sorell> https://71.43.249.21:8443/
[00:17] <Sorell> furthermore
[00:17] <Sorell> pasileypc.com
[00:17] <alex88> and now it has wrong address?
[00:17] <Sorell> paisleypc.com*
[00:17] <Sorell> it works when I type in the domain but when I use the address nothing
[00:17] <Sorell> and I can't ping it for some reason
[00:18] <Sorell> and nmap can't get any info back
[00:18] <Sorell> :(
[00:19] <Sorell> alex88: no I am having an issue with the vms getting IPs
[00:19] <Sorell> that one should be static
[00:19] <alex88> oh k, now i'm having troubles starting eucalyptus-cc
[00:22] <Sorell> :/
[00:22] <Sorell> that's one thing I haven't had an issue with yet
[00:23] <jetole> ikonia or anyone else. How do I specify a hostname for all clients using dhcp without manually setting a hostname per each known mac address since in this case I won't know all mac addresses ahead of time. I'm using ISC dhcp3 but I will change this if someone knows a better dhcpd that supports pxe booting
[00:25] <jetole> for example, when I connect to my ISP I get a hostname like c-1-2-3-4.hsd1.fl.comcast.net. through dhcp when my ip is 1.2.3.4
[00:36] <Sorell> ping 71.43.249.20
[00:36] <Sorell> err
[00:36] <Sorell> sry
[00:50] <alex88> i'm thinking, if i have about 4-5 pc in my house, can i use one as controller, other as nodes, and when someone open a pc he login to a vm that uses the power of all connected nodes?
[01:30] <Razernok> hi
[01:30] <Razernok> I need some big help
[01:30] <Razernok> in /etc/hosts
[01:30] <Razernok> I'm to add a line of
[01:30] <Razernok> xxx.xxx.xxx.xxx my_domain.com my_machine
[01:30] <Razernok> how exactly do i write it?
[01:31] <Razernok> from the installation guide (xxx.xxx.xxx.xxx is your public IP and “my_domain” is the domain where the panel listen)
[01:31] <jiboumans> 192.168.1.1         www      www.example.com
[01:31] <jiboumans> for example ^
[01:32] <jetole> Razernok: man 5 hosts
[01:32] <Razernok> i did earlier 127.0.0.1 my.site.com
[01:33] <jetole> Razernok: thats right, so is 127.0.0.1 my my.site.com
[01:33] <jetole> it's whitespace separated so a space is the same as a tab
[01:33] <Razernok> what about the my_machine part
[01:34] <jetole> man 5 hosts
[01:34] <jetole> type that in bash
[01:34] <Razernok> huh?
[01:34] <jetole> and hit enter
[01:34] <Razernok> bash?
[01:34] <jetole> console
[01:34]  * twb hands jetole a stiff drink
[01:34] <jetole> bash, dash, csh, ksh, sh, etc etc
[01:35] <jetole> twb: thanks! I need one
[01:35] <Razernok> huh?
[01:35] <twb> I think you can't get ksh on Ubuntu, only pdksh
[01:35]  * jetole shrugs, never tried
[01:35] <jetole> Razernok: find the console on your system
[01:35] <jetole> the area where you have a screen and it a prompt and you can type commands
[01:36] <jetole> you can get it from pressing ctrl+alt+f1 - f6 and use f7 to get the gui back but thats the worst way
[01:36] <jetole> go to menu -> accessories -> terminal
[01:36] <jetole> that works on gnome
[01:37] <Razernok> i had to reinstall ubuntu server after a bug caused it unable to boot
[01:37] <Razernok> i was making changes like in this guide and after restart it couldn't find some file.
[01:37] <jetole> I give up
[01:41] <jetole> I could use a shot of white tequila right now
[01:41] <jetole> been sick as a dog for over a week and tired of it
[03:30] <jebba> I did a dist-upgrade on EC2 and i saw it installed a new kernel, but on reboot it didnt use it. The grub stuff is kinda missing (nothing useful under /boot/grub/). Howto reboot into latest kernel?
[03:34] <jayvee> does EC2 even boot via grub?
[03:34] <jayvee> I would imagine that it would load the kernel directly
[03:52] <Sorell> !cloud
[03:53] <Sorell> Anyone know of a good guide on how the networking works in eucalyptus?
[04:03] <jebba> jayvee: ya, it appears not to use grub, but I'm not sure how to tell it which kernel to use.
[04:11] <jayvee> jebba: I'm guessing in the EC2 config for the VM
[04:11] <jayvee> i.e. not inside the VM itself
[04:13] <jebba> thx
[04:56] <jetole> does anyone know how to make preseed exclude a package when it installs? I used the tasksel for server only but I have never needed nano on my servers?
[04:56] <jetole> *on my servers!
[04:59] <jetole> agh, and even with server mode it still installed libgtk and openoffice
[04:59] <jetole> wtf
[06:23] <altf2o> quick question. I'm on Ubuntu 9.10, using rdiff-backup 1.2.8-1ubuntu2. It works great except for when it encounters files with a question mark in their name. Been searching coming up empty, anyone found a way around this?
[07:15] <jayvee> nice of you guys to drop by
[07:34] <marcus_> hi all. i have set up login via nss_ldap (passwd / groups). getent works fine but login takes extremely long.
[07:34] <marcus_> i have already tried to set up nscd, even with local cache - without a luck.
[08:34] <twb> maintenance-check: Fetching seeds for hardy (this may take a moment) ...
[08:34] <twb> ...is it just me, or does that take like fifteen minutes for everyone?
[08:35]  * jussi01 breathes deeply... ok, my /etc/hosts is ruined and I need to edit it to fix. (some bug in hardy). So I tried to drop to root console in recovery mode, but it asks me for a root password (even though Ive not set one). thoughts on how to fix?
[08:36] <ejat> hi .. just wanna check with u guys ..
[08:36] <ejat> its it confirm nagios.cmd missing in karmic ?
[09:08] <FireCrotch> jussi01: um... set one? or boot into actual single user mode
[09:09] <jussi01> FireCrotch: sorted now... but actual single user mode?
[09:09]  * jussi01 thought that was...
[09:09] <FireCrotch> jussi01: yes... stick "single" at the end of the kernel line in grub
[09:10] <FireCrotch> should take you straight to a root prompt
[09:10] <jussi01> ahh, I didnt realise that. thanks for the tip
[09:11] <FireCrotch> You're welcome :)
[09:12] <twb> I'm still ambivalent about it not asking for a password
[09:12] <FireCrotch> twb: for what? booting into single user mode?
[09:13] <twb> FireCrotch: traditionally single would ask for root's password before giving you root privileges
[09:13] <twb> On Ubuntu you don't have to use init=/bin/sh to break through that.
[09:13] <FireCrotch> Why bother asking for root's password if you can just use init=/bin/sh ?
[09:13] <twb> It's about as secure as a warm blanket, but I think I still miss it.
[09:14] <twb> FireCrotch: well, after you init=/bin/sh, you sometimes have to dance about a bit to get write access to the disk
[09:14] <twb> But I imagine it's hysterical raisins
[09:15] <twb> Probably once upon a time init=/bin/sh wasn't a back door, either.
[09:15] <FireCrotch> twb: your point is? Anyone who knows enough to bypass the password should know enough to get write access
[09:15] <FireCrotch> and if someone is standing at the console, they can just unplug the machine and walk away with it, so why bother securing it any more than that
[09:15] <FireCrotch> or open it up and take the hard drive
[09:16] <FireCrotch> You have that problem with practically any system though
[10:49] <Zider> I have a problem with cryptdisk sometimes only creates /dev/mapper/name and sometimes both that and /dev/mapper/name_unformatted.. is there a known problem with this?
[10:50] <Zider> also, how come the startup process tries to mount the maps before cryptdisk is finished creating them?
[11:49] <SquidNoob> is TPROXY working with ubuntu server 9.10?
[11:55] <jayvee> SquidNoob: probably
[11:56] <jayvee> you having troubles with it?
[12:10] <owh> Is there a way that I can configure vsftpd to force an authenticated user to upload to the directory that the anonymous user can download from?
[12:10] <SquidNoob> jayvee, yes, I'm not sure whether ebtables or iptables is failing, but as I read on google, it does NOT work with debian/ubuntu
[12:10] <SquidNoob> I am using these rules to redirect port 80 from the bridge to port 3129
[12:10] <SquidNoob> iptables -t mangle -N DIVERT
[12:10] <SquidNoob> iptables -t mangle -A DIVERT -j MARK --set-mark 1
[12:10] <SquidNoob> iptables -t mangle -A DIVERT -j ACCEPT
[12:10] <SquidNoob> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
[12:10] <SquidNoob> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
[12:10] <SquidNoob> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
[12:10] <SquidNoob> When I put these rules can not open any website, and port 3129 is not getting anything
[12:11] <SquidNoob> if i do an "#dmesg | grep TPROXY" get:
[12:11] <SquidNoob> [   10.827732] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[12:11] <SquidNoob> [   10.827738] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
[12:11] <jayvee> oh right, this is IPv6 transparent proxying
[12:12] <jayvee> neat, but I've never touched that before
[12:12] <jayvee> hang on, wait, maybe it's not
[12:12] <jayvee> --ip-protocol 6
[12:12] <jayvee> what's that?
[12:13] <SquidNoob> TCP
[12:14] <SquidNoob> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
[12:14] <SquidNoob> dont work too
[12:14] <SquidNoob> sorry for my bad english
[12:18] <Zider> I have a problem with cryptdisk sometimes only creates /dev/mapper/name and sometimes both that and /dev/mapper/name_unformatted.. is there a known problem with this?
[12:21] <jayvee> SquidNoob: I'm afraid I can't help you with the TPROXY module, but have you considered using NAT instead?
[12:21] <jayvee> it's relatively easy to get going.
[12:24] <SquidNoob> jayvee: Unfortunately, nat does not help me, because I need to do IP spoofing with the customer IP, but thanks for your help
[12:32] <ttx> zul, smoser: could you split the remaining EC2 tests between you two ?
[12:33] <ttx> zul, smoser: or should we just get rid of that test, to replace it with a more thorough cloud-config test ?
[13:00] <smoser> ttx, zul_ we should replace that with a cloud-config test. i will work on putting one together and getting tested here in a few minutes.
[13:01] <ttx> smoser: ok
[13:02] <smoser> i did test the ebs root yesterday, and pushed what i had to https://launchpad.net/~smoser/+junk/ec2-test
[13:03] <zul_> smoser: hmmmm?
[13:04] <zul_> smoser: you want me to upload something?
[13:04] <smoser> no. thats just the "test suite" (for lack of a better term) that i use to run 'test-multi'.
[13:04] <smoser> i'll get some test cloud-config stuff together and add it there.
[13:06] <zul> ah nifty
[14:07] <swift> Hi guys, just a query, has the support and upgrades for UBUNTU 6 series LTS expired?
[14:07] <swift> is it over?
[14:09] <AntORG> I think it's 5 years for the server edition
[14:09] <swift> hi guys.. im talking about ubuntu-server 6 series LTS.. is it an eol now?
[14:09] <swift> AntORG.. when had it started?
[14:09] <AntORG> 6.06
[14:10] <swift> 2006
[14:10] <swift> hmm
[14:10] <AntORG> that's june 2006
[14:10] <swift> one year to go then
[14:11] <AntORG> the "version number" of ubuntu gives you information about the year and the month it was released
[14:11] <AntORG> so 8.04 for instance means april of 2008
[14:11] <swift> yeah
[14:11] <swift> ok
[14:12] <swift> thanks
[14:12] <swift> is it possible to upgrade 6.10 edgy to 6.06 LTS?
[14:13] <AntORG> you mean downgrade. It probably is somehow but I wouldn't recommend it.
[14:13] <swift> but edgy is bad as compared to LTS right?
[14:13] <_ruben> downgrades arent supported, edgy should be upgraded to feisty, then gutsy, and then hardy (lts)
[14:14] <_ruben> !edgy
[14:14] <_ruben> eol'ed nearly 2 years ago
[14:14] <AntORG> _ruben that's the reason he wants to downgrade to 6.06 which hasn't reached the eol yet
[14:15] <swift> yes
[14:15] <swift> is it possible?
[14:15] <_ruben> one shouldnt downgrade to "avoid" EOL, one should upgrade
[14:15] <AntORG> and 8.04 isn't an option, because...?
[14:15] <_ruben> upgrades are supported, downgrades are not
[14:15] <_ruben> if a downgrade breaks your system, you do get to keep both pieces though
[14:16] <swift> this is a production system.. and it involves risk to go edgy  to feisty, then gutsy, and then hardy (lts)
[14:16] <_ruben> the risk of downgrading is probably even bigger
[14:16] <swift> ok... so il keep it untouched.. and get a new server
[14:16] <_ruben> and if its a production system, it should've been upgraded ages ago
[14:16] <swift> thanks soo much guys!!!...
[14:17] <swift> yeah..true
[14:17] <swift> i just got introduced to it the other day
[14:17] <swift> boy .. it's an oldtimer
[14:17] <swift> :p
[14:18] <AntORG> create a backup disk image and try upgrading and if it doesn't work out use the backup
[14:20] <thafreak> Is the beta 1 ISO available yet to begin testing?
[14:20] <_ruben> if its got raid1, you could break it and keep 1 half as backup </horror-story-mode>
[14:23] <Jeeves_> !mvo-- # Manpage slacker
[14:24] <Jeeves_> Pff, employed by Canonical, i'm sure...
[14:43] <_ruben> anyone have any experience in using ssd's in their server(s)?
[14:44] <Jeeves_> yes
[14:55] <_ruben> Jeeves_: ran into any issues?
[14:55] <_ruben> i know windows doesnt really "like" ssds until windows 7
[14:56] <_ruben> currently looking at nilfs+ssd .. seems like a killer combo
[14:56] <Jeeves_> _ruben: No issues at all.
[14:56] <Jeeves_> Just more performance
[15:03] <_ruben> Jeeves_: good to hear :)
[15:03] <_ruben> Jeeves_: did you do any special tricks/optimizations?
[15:11] <Jeeves_> _ruben: No, not at all
[15:14] <_ruben> nice
[15:16] <acalvo> any good way to do a service failover over servers? So a secondary server starts if the primary server crashes
[15:16] <jalons> acalvo: heartbeat
[15:17] <acalvo> ok, great (I've thought it was only a load-balancer)
[15:17] <_ruben> heartbeat/pacemaker/corosync/openais
[15:18] <_ruben> heartbeat doesnt load-balance, but is used a lot on loadbalancers to make em redundant :)
[15:18] <acalvo> ok, thanks!
[15:21] <vertx> Does anyone has experience with GlusterFS? I need expandable storage distributed across several servers. Any thoughts/suggestions?
[15:22] <swift> guys, does Ubuntu 7 series have an LTS server edition?
[15:22] <Japje> lts is every 2 years
[15:22] <Dr_Jekyll> nope - 6.06 and 8.04 and the upcoming 10.04
[15:22] <Japje> to 6/8/10
[15:23] <vertx> swift: why don't you use 8.04 instead?
[15:24] <swift> vertx, I want to upgrade from 6.10Edgy to an LTS version
[15:24] <faileas> swift: upgrade to 7x then to 8.04
[15:25] <vertx> swift: then you should use 8.04 or wait until 10.04 is released
[15:26] <swift> guys, is there any risk involved?
[15:26] <acalvo> about HA, there is something I don't understand. If I want to have a HA web server distributed in 2 or more server, is load-balancer's job to get the IP and pass the information? or it justs decides to which web server goes the request? I'm concerned about how to make the server available (how to set up the DNS public name to be reachable)
[15:27] <_ruben> acalvo: depends on what you're trying to achieve: active/active (performance) or active/passive (failover/redundancy)
[15:27] <acalvo> active/passive
[15:28] <_ruben> active/passive wont need a loadbalancer
[15:28] <_ruben> with active/passive there'll be a "floating" ip address which will be active on the active node
[15:29] <acalvo> and where is the process that decides which server should be taking requests?
[15:30] <_ruben> acalvo: both nodes talk to eachother, if one stops hearing the other, or if the other says it's going standby, the local node will become active
[15:30] <acalvo> oh, ok
[15:30] <acalvo> now seems more reasonable
[15:30] <acalvo> I've thought that it was necessary to have a specific computer to decide which node was active
[15:31] <acalvo> thanks _ruben
[15:31] <_ruben> that's also possible
[15:31] <acalvo> well, it makes sense to have a 3rd computer which do that job?
[15:32] <_ruben> it has its pros and cons
[15:32] <_ruben> the keyword here is quorum .. with 3 nodes there's always a majority/minority .. with just 2 nodes that's not possible
[15:32] <arch0njw> I am attempting to install tomcat6 on ubuntu server 8.10 and it is saying that package is not found.  Am I missing a repository or misspelling the package name?
[15:33] <jalons> but, fencing adds a lot of overhead
[15:34] <acalvo> well, I'll start with just 2 nodes
[15:34] <arch0njw> andol: faileas: I followed the simple setup for ubuntu desktop and that worked fantastically.  Thank you for the advice yesterday.
[15:34] <acalvo> and see what happen
[15:34] <faileas> yay
[15:34] <faileas> even if as i recall, my answers weren't that useful XD
[15:35] <arch0njw> faileas: someone to bounce ideas off is -always- helpful.  :)
[15:37] <jalons> acalvo: I highly suggest additional cat5 or serial runs to each HA node - it's surprising how often a single cable becomes unplugged leading to splitbrain or worse situations
[15:38] <arch0njw> huh-boy.  so it is tomcat5.5, not tomcat6 despite the Ubuntu Server 8.10 wiki saying that tomcat6 can be installed with apt-get from the standard repos.
[15:38] <acalvo> jalons: I'll take that in mind... I've been having troubles with the only web server we have here (it crashes once a day randomly), so I'll deploy and test a HA with 2 nodes and see what happen. Bad thing is the servers I'm going to use just have 1 rj45...
[15:46] <mathiaz> hggdh: hi! around?
[15:46] <mathiaz> hggdh: shall we continue the UEC testing?
[15:51] <swift> guys, is it ok to have nagios, smokeping setup on an eol server?
[15:53] <jmazaredo> will two gateway on same network work like the other? i have this problem http://tinypic.com/view.php?pic=vys4ld&s=5
[15:53] <jetole> does anyone know why libgtk and openoffice (these are just the ones I have noticed) seem to be part of the base install with preseeding, even when you use server as the tasksel
[15:53] <ttx> arch0njw: tomcat6 is available in 8.10
[15:53] <ttx> https://launchpad.net/ubuntu/+source/tomcat6
[15:53] <ttx> (fwiw it's also in 8.04)
[15:54] <ttx> mathiaz: do you plan to run your magic ISO testing script ?
[15:55] <mathiaz> ttx: hm - for lucid beta1?
[15:55] <hggdh> mathiaz: hi, I am here
[15:55] <mathiaz> ttx: no - I thought zul would take up iso testing
[15:55] <ttx> mathiaz: he did, was just wondering if you planned to run it or not
[15:55] <mathiaz> ttx: as I'm working on some puppet WI for beta1 and helping out hggdh for UEC testing
[15:55] <ttx> mathiaz: ok
[15:55] <mathiaz> ttx: not for now
[15:55] <zul> ttx: i did the iso testing yesterday
[15:56] <ttx> mathiaz,zul: we could use someone for the RAID1 test
[15:56] <hggdh> BTW -- all -- I would like your comments on the changes I did to the server guided whole disk install
[15:56] <zul> ttx: k ill take a look
[15:56] <mathiaz> ttx: IIRC RAID installation are broken
[15:56] <mathiaz> ttx: cjwatson was working on it at the beginning of the week
[15:56] <ttx> mathiaz: yes they are -- would be good to have bugs filed for it though
[15:56] <mathiaz> ttx: not sure if he fixed it in time for beta1
[15:57] <ttx> mathiaz: no he didn't
[15:57] <jetole> ok, I think I just solved my own question: http://ubuntuforums.org/showthread.php?p=3088943
[15:57] <mathiaz> ttx: there is a bug about it no?
[15:57] <ttx> mathiaz: I'll check up with him
[15:58] <ttx> arrh, who added a test case ?
[15:58] <ttx> hggdh: you added the "preseeded" test case ?
[15:59] <arch0njw> ttx: huh.  it doesn't show up in the package list for Ubuntu Server.
[15:59] <mathiaz> ttx: seems so
[16:00] <ttx> arch0njw: you must be doing something wrong
[16:00] <arch0njw> sudo apt-get install tomcat6 ...?
[16:00] <mathiaz> ttx: preseeded testing is probably worth testing
[16:00] <arch0njw> ttx:  that's pretty standard.  No package is found.
[16:00] <mathiaz> ttx: as well as a kickstart install
[16:00] <EhrN> hi all. I try to install dtc-toaster, someone have success install of this panel?
[16:01] <ttx> arch0njw: I guess something is wrong in your mirror/apt.sources
[16:01] <mathiaz> ttx: not for beta1 though
[16:01] <ttx> mathiaz: agreed, but adding the test now and not completing it makes us look bad
[16:02] <mathiaz> ttx: http://www.youtube.com/watch?v=dsUXAEzaC3Q ?
[16:11] <smoser> ttx, i've started instances for each candidate ami with '--user-data-file ud-multipart-01.txt' at http://bazaar.launchpad.net/%7Esmoser/%2Bjunk/ec2-test/files/head%3A/user-data/ and then verified that they did what was expected.
[16:11] <ttx> smoser: cool
[16:12] <hggdh> ttx yes, there is a (right now) simple preseed test. I am considering preparing preseeds for most, if not all, of the common server installs
[16:12] <smoser> i put 3 user data tests in that directory, the goal would be to pull those into the 'test-multi.sh' launcher in the dir above it.
[16:12] <ttx> hggdh: could you complete that test for us ? It would make our beta1 test coverage look better
[16:13] <ttx> hggdh: also please don't add new testcases at the last minute on milestone release day
[16:13] <hggdh> ttx there is a caveat: since I have to use an url, questions will be asked until hostname is reached (the url is only loaded after it)
[16:13] <ttx> hggdh: the testcases should generally be updated before a milestone campaign, not in the middle of it.
[16:13] <hggdh> ttx: will not do it next time...
[16:14] <hggdh> ttx: I have already tested the preseed multiple times, will mark it tested
[16:15] <ttx> hggdh: cool, thanks
[16:16] <hggdh> ttx: please keep in mind that I did not have much time to work on them, and they were scheduled for beta1
[16:16] <ttx> hggdh: ah... maybe retargeting them to beta2 makes sense then. We need some adaptations for beta2 anyway (on the cloud image front)
[16:17] <ttx> hggdh: feel free to add new tests, just make sure you mark them completed as soon as they reach the tracker
[16:18]  * ttx cannot go to bed until http://iso.qa.ubuntu.com/qatracker/build/ubuntuserver/all shows all tests covered
[16:22] <jetole> does anyone know how I can set the default editor system wide for all users and all new users that don't exist yet?
[16:23] <hggdh> ttx: will do. Sorry for the surprise
[16:25] <hggdh> ttx: all tests I have run so far are marked. All required tests are now covered also
[16:25] <mathiaz> hggdh: I've already got preseeds for all common test cases
[16:26] <mathiaz> hggdh: this is what ttx was referring to when he mentioned whether I was running my iso testing scripts
[16:26] <ttx> \o/ all tests covered !
[16:26] <hggdh> mathiaz: ah, OK. If you do not mind making the preseeds public, we can add them later
[16:27] <mathiaz> ttx: good night!
[16:27] <ttx> mathiaz: nah, I still need to do some uec multi-network tests :P
[16:27] <hggdh> mathiaz: would the installations we did yesterday qualify for test coverage?
[16:28] <mathiaz> hggdh: yes - for the topology we tested
[16:28] <ttx> mathiaz,zul: for perfection, we still need to cover:
[16:28] <ttx> http://iso.qa.ubuntu.com/qatracker/result/3788/356
[16:28] <ttx> http://iso.qa.ubuntu.com/qatracker/result/3785/357
[16:28] <mathiaz> hggdh: https://code.launchpad.net/~mathiaz/+junk/iso_testing_scripts
[16:29] <mathiaz> hggdh: ^^ these are my iso testing script
[16:29] <mathiaz> ttx: hm - netbooting
[16:29] <mathiaz> ttx: well the UEC testing rig uses netbooting
[16:29] <mathiaz> ttx: but not the mini.iso
[16:30] <mathiaz> hggdh: oh - and the test we did yesterday wouldn't count for beta1 as we've tested installation from the archive rather than for an iso
[16:31] <zul> i dont think if have the infrastructure for netbooting
[16:32] <mathiaz> zul: the test case for netbooting is actually based on the mini.iso
[16:33] <zul> mathiaz: k
[16:33] <mathiaz> zul: so you don't need to have a PXE server to run the netboot test case
[16:33] <zul> heh well once i get through this it will be next
[16:33] <hggdh> mathiaz: I branched your iso-tests-scripts. I will adapt them for future ISO tests
[16:34] <mathiaz> hggdh: the scripts are actually tweaked for my own environment
[16:34] <mathiaz> hggdh: and based around libvirt and qemu
[16:34] <mathiaz> hggdh: the preseeding part can easily be extracted and reused though
[16:35] <hggdh> mathiaz: I expected they would be tweaked ;-) this is why I expect to have to adjust them
[16:36] <mathiaz> hggdh: https://code.launchpad.net/~mathiaz/+junk/iso-testing-cfg
[16:36] <mathiaz> hggdh: ^^ this is actually the configuration with the latest version of the preseeds
[16:37] <hggdh> mathiaz: thank you. Branched
[16:49] <zul> ttx: oh you did the raid1 install
[16:49] <zul> i got the same thing
[16:50] <ttx> zul: well, I reported the bug secondhand
[16:50] <ttx> zul: so it's good you covered it
[16:50] <zul> ttx: i was able to reproduce it
[16:55] <ttx> cjwatson: when you have the time, please comment on feasibility of https://bugs.launchpad.net/ubuntu/+source/eucalyptus/+bug/540167 : can we have the tasks available for the UEC installer while not being displayed by the Server installer tasksel ?
[17:00] <zul> mathiaz: there is already a fix in the queue for munin
[17:15] <mickster04> hey guys, im tryin to set up a vpn server, im not sure why it isnt working:/ i get error 800 on windows but my ubuntuinstall on my laptop doesnt work either
[17:17] <mathiaz> zul: for bug 538902?
[17:33] <mickster04> well it kinda works, in that i can connect to it, but i cant access the internet thru it:/
[17:33] <stas> hi guys, anybody can recommend some better replacement for nscd
[17:34] <cemc> can I get some stats/status out of my openntpd ?
[17:34] <warlock_mza> hi guys, I need an init script for hostapd but I want to keep things clean. Should I add post-up to network/interfaces ? write an /etc/init/hostapd.conf ? or just update-rc.d to add to startup ?
[17:36] <warlock_mza> do both the event driven /etc/init/ system + the /etc/init.d scripts work in parallel ?
[17:43] <mickster04> well this channel is good :P
[17:46] <pmatulis> warlock_mza: yes
[17:46] <warlock_mza> pmatulis, hey that might be too specific :-)
[17:47] <pmatulis> warlock_mza: sorry?
[17:47] <warlock_mza> pmatulis, nm
[18:00] <zul> mathiaz: yep
[18:01] <mathiaz> zul: if you upload a fix could you leave a note in the relevant bug to avoid duplication
[18:01] <mathiaz> zul: especially during freezes
[18:01] <zul> mathiaz: sure sorry about that
[18:02] <mathiaz> zul: since LP won't update the bug right away
[18:09] <hggdh> mathiaz: whenever you have time we can go back to the UEC whatchamacallit
[18:11] <hggdh> mathiaz: or, if you do not mind, I can get back there and keep on from where we stopped, and ping you if needed
[18:11] <mathiaz> hggdh: please go ahead with testing
[18:11] <mathiaz> hggdh: I don't use the test rig right now
[18:12] <mathiaz> hggdh: I'd suggest you keep going through the test case
[18:12] <mathiaz> hggdh: if you have any question I'll answer them
[18:13] <hggdh> mathiaz: deal
[18:34] <SquidNoob> someone has managed to run ebtables in ubuntu server? I think it's impossible: (
[19:49] <hggdh> kirkland: on testdrive, if a DISK_FILE is provided, should it be formatted (as it is right now) or just used as-is? I would vote for using as-is ;-)
[19:59] <arch0njw> I have Ubuntu Server 8.04 running on an ESX VM. I tried to install vmware tools and it barked furiously -- even after I got the headers installed.  Anyone here have a handy link to point me to for a tried-and-true set of steps to get vmware tools working?
[20:07] <kees> mathiaz, ttx: can you guys look at bug 292971 for lucid and maybe hardy?
[20:11] <mathiaz> kees: is that a security issue?
[20:11] <mathiaz> kees: or is just an important bug to fix?
[20:24] <vadi01> guys have a problem with the ubuntu server. apache refuses to load javascript to LAN users but WAN users can load them when they access the server home page
[20:24] <kees> mathiaz: just an important bugfix (i.e. after enough time, they can't use the system due to leaked memory use)
[20:24] <vadi01> any idea why? or is there a specifig permission i need to set for this
[20:25] <mathiaz> kees: ok - thanks
[20:25] <sherr> vadi01: have you compared the page source (same page) between WAN and LAN? maybe there's something stripping things out between server and LAN user?
[20:26] <mathiaz> smoser: how horrible is it to copy your aws credentials to a running EC2 instance?
[20:26] <smoser> i personally dont think its too bad.
[20:26] <smoser> but i'm not kees
[20:27] <kees> mathiaz: just don't make new AMIs with that stuff on the image.  :)  lots of people do that  :(
[20:27] <smoser> mathiaz, if you think about it, the most likely entity to gain access to your credentials is a AWS employee, who could have just got them from AWS
[20:27] <vadi01> sherr: yea see this http://img.flashtux.org/img132b4dc2d3efx5408c1fc.jpg
[20:27] <mathiaz> smoser: right
[20:27] <smoser> second most likely person is someone running an instance on the same hardware that exploits xen
[20:27] <vadi01> sherr: illegal characters is the main problem
[20:27] <smoser> and gets access to your memory
[20:27] <mathiaz> smoser: what I'm looking for is to be able to get the list instanceID that are currently running under my account
[20:28] <smoser> then also possible i guess is if storage is not cleaned sufficiently between users, someone could find your data on their block device.
[20:29] <RoAkSoAx> mathiaz, i attached missing info to bug #531978. :)
[20:29] <mathiaz> kees: I'm currently experimenting with puppet
[20:29] <mathiaz> kees: and I'm looking for a way to semi-automate the client registration
[20:30] <mathiaz> kees: the idea being that the client sends its instanceId as part of the certname, and then the puppetmaster checks if that instanceId is actually running under the same account
[20:30] <soren> kirkland: Is there a way to adjust how aggressively ksm should scan for duplicate pages?
[20:30] <mathiaz> kees: so if the instanceId is a known running instanceId the registration proceeds
[20:30] <mathiaz> kees: how does that seem?
[20:33] <DrNick_> evening. is anyone fairly well versed in samba Active Directory authentication via likewise-open?
[20:33] <smoser> mathiaz, http://www.shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
[20:33] <smoser> that has some info.
[20:34] <kirkland> soren: i think there is ... dig around /sys
[20:35] <kirkland> soren: ls /sys/kernel/mm/ksm/
[20:35] <kirkland> soren: adjust /sys/kernel/mm/ksm/sleep_millisecs i think
[20:35] <soren> kirkland: Yeah, that seems to be the only knob I can turn
[20:35] <soren> 20 msecs between each complete scan..
[20:35] <soren> That sounds like a very aggressive default.
[20:36] <soren> perf top tells me that something like 20% of my cpu time is spent scanning for shareable pages.
[20:36] <soren> That's a lot in my book.
[20:37] <kees> mathiaz: /me ponders
[20:40] <soren> kirkland: Are you seeing similar behaviour? It's not that I can feel the machine being heavily loaded by it, I just wondered why my fan was on all the time, and then noticed this.
[20:45] <erichammond> mathiaz: I think it's fairly bad to copy AWS keys to an instance, but I do it because there is no good way to perform certain functions without them.
[20:46] <mathiaz> erichammond: right - I've outlined my use case above
[20:46] <mathiaz> erichammond: as I'd like to automate as much as possible the enrollment of puppet client
[20:46] <mathiaz> erichammond: *clients*
[20:47] <erichammond> mathiaz: You want the list of all instance ids or the instance id of the currently running server?
[20:47] <mathiaz> erichammond: the list of all instance ids
[20:47] <erichammond> What does "known running instanceId" mean?  known to whom?
[20:47] <mathiaz> erichammond: as I'm using the instance id of the puppet *client* in the certname
[20:47] <mathiaz> erichammond: known to my account
[20:47] <erichammond> oh, so the server is checking
[20:47] <erichammond> puppet server
[20:48] <mathiaz> erichammond: yes - puppetmaster checks if the instance id of the requested csr is an instance id part of the aws account
[20:48] <erichammond> could the client lie about its instance id and fool the server?
[20:48] <mathiaz> erichammond: yes
[20:49] <mathiaz> erichammond: however it would have to lie about an instance id that is *part* of the running instances for the specific account
[20:49] <mathiaz> erichammond: the puppetmaster will only sign the request (and issue the certificate) if the instance id is part of the running instances
[20:50] <mathiaz> erichammond: the underlying assumption here is that the instanceId are more or less randomly generated by amazon
[20:50] <erichammond> mathiaz: No, they are very sequential (with some scrambling)
[20:50] <erichammond> and easy to guesss
[20:50] <erichammond> or guess
[20:51] <erichammond> mathiaz: If you're willing to trust Amazon security groups, then it's pretty easy to only allow connections to puppetmaster from other instances in the same account.
[20:52] <mathiaz> erichammond: right - that have to be part of the same security group
[20:52] <erichammond> well you can specify the security group.  I.e., security group "puppetmaster" allows connections from security group "puppetclient"
[20:53] <mathiaz> erichammond: can an instance be part of multiple security groups?
[20:53] <erichammond> yes
[20:53] <kirkland> soren: talk to aliguori about that ... he thought it was pretty aggressive
[20:54] <mathiaz> erichammond: can an instance be removed from a security group while running?
[20:54] <erichammond> each security group *adds* permissions (they can't take away)
[20:54] <soren> kirkland: Will do.
[20:54] <kirkland> soren: we can change twiddle that knob if necessary
[20:54] <erichammond> The security groups assigned to an instance cannot be changed after an instance is started, but the permissions associated with each security group can be changed.
[20:54] <kirkland> soren: and yes, 20ms does sound pretty frequent
[20:55] <mathiaz> erichammond: hm - ok
[20:55] <erichammond> (checking to see if that's still true)
[20:56] <erichammond> yep, I don't see any security group option in ec2-modify-instance-attribute.  Sometimes that command seems to have new things added without me hearing about them :)
[20:56] <mathiaz> erichammond: all right - so using the instanceId doesn't really help here
[20:56] <mathiaz> erichammond: as it increases sequentially
[20:57] <soren> kirkland: Yeah. it's so short you almost wonder why it waits at all.
[20:57] <erichammond> Can't puppet use a shared secret?
[20:57] <mathiaz> erichammond: hm - yes it could
[20:57] <mathiaz> erichammond: the idea here is to use the certname to convey the shared secret
[20:58] <mathiaz> erichammond: the instanceId being a kind of shared secret
[20:58] <mathiaz> erichammond: the attack scenario I'm trying to protect against is a root compromise of a puppet client
[20:58] <erichammond> oh
[20:58] <mathiaz> erichammond: that should *not* lead to easy access to other puppet manifests
[20:59] <erichammond> how does the puppetmaster know what kind of system the client should be configured as?
[20:59] <mathiaz> erichammond: while still being able to automate the registration process
[20:59] <mathiaz> erichammond: that's another part of the problem that comes later
[21:00] <mathiaz> erichammond: the first step is to issue a certificate to the requesting client
[21:00] <mathiaz> erichammond: making sure that the client is *expected* to be asking a certificate
[21:04] <erichammond> mathiaz: My company has been using puppet on EC2 and we've faced some similar issues about how to shoehorn puppet concepts into dynamically created instances.  I don't think we've completely resolved them.  I'm looking at chef to see if it might be a better fit.
[21:05] <mathiaz> erichammond: well - I've got some ideas how to do that
[21:05] <mathiaz> erichammond: the key part though is which components you use to *create* the instances
[21:06] <erichammond> At the moment, we've dropped having a centralized (and single point of failure) puppetmaster.  Each new instance bootstraps itself as its own puppetmaster and then runs.
[21:06] <mathiaz> erichammond: if the component that runs new instances is flexible enough you can ask the puppetmaster to generate a certificate for the client and send it to the instance
[21:06] <mathiaz> erichammond: how do you send the manifest?
[21:07] <mathiaz> erichammond: do you ship the whole site configuration to each instance?
[21:07] <erichammond> mathiaz: My co-worker did most of the work.  I believe it picks it up from a private S3 URL.
[21:07] <mathiaz> erichammond: ok
[21:07] <erichammond> mathiaz: Yes, the whole puppet.
[21:08] <erichammond> At the moment, the S3 URL expires so attackers cannot access it a bit after startup, but that's probably going to change as we get more into spot instances and auto scaling.
[21:09] <erichammond> This approach does not solve your requirement of restricting access to certain manifests from a root compromised machine.
[21:19] <mathiaz> erichammond: are you using Ec2 Auto-Scaling?
[21:19] <mathiaz> erichammond: or you've got your own auto-scaling system?
[21:27] <erichammond> mathiaz: We are not auto scaling at the moment.  We plan to add it as we grow.
[22:07] <jnss> when was the last kernel update
[22:07] <jnss> or whatever update required you to reboot
[22:11] <mickster04> jnss i think server is designed not to be needed to reboot
[22:12] <mickster04> how else are you gonna get 365+ days of uptime:D
[22:12] <njbair> why is sshd started and then restarted when ubuntu boots?
[22:12] <jnss> yeah that is true mickster04
[22:12] <jnss> but kernel security updates require reboots ;(
[22:12] <mickster04> well i havent gotten one of those in 40+ days i know that
[22:13] <njbair> nothing like when somebody brags about their uptime, then has to restart after like 6 months only to find that half of their services aren't starting properly
[22:13] <mickster04> njbair: yeah, im worried about having to reboot
[22:14] <njbair> I reboot monthly, if for no other reason than to avoid that kind of thing
[22:15] <njbair> also, for the 5 minutes it takes, whose server can't afford a regular reboot?
[22:15] <jnss> bragging is still nice
[22:16] <mickster04> yeah
[22:16] <jnss> a ni uptime usually denotes bsd
[22:16] <njbair> actually, it usually denotes an under-utilized machine
[22:17] <njbair> "Turn it up till it breaks, then back off a little bit." that's my motto!
[22:17] <mickster04> yeah mine isnt used much:D but what it does it does well
[22:18]  * jnss runs centos
[22:18] <jnss> that thing has an old kernel
[22:18] <njbair> mickster04, my home server does web, nfs, squid, svn, ssl, all on a mini-itx
[22:18] <jnss> but i am told an update was issued a few hours ago
[22:18] <jnss> mini itx? what model
[22:18] <njbair> VIA EPIA MII
[22:19] <njbair> I just found out the board has built-in hardware crypto
[22:19] <mickster04> njbair: web, squid, samba ssh all on a fit-pc2:D
[22:19] <njbair> I reconfigured openssl to use VIA Padlock and ran some benchmarks, it's ridiculously faster
[22:24] <jnss> it's pretty insecure though
[22:24] <jnss> referring to the number generator
[22:25] <jnss> do you know the watt draw of your itx?
[23:58] <jetole> does anyone know how to test commands that you run in preseed
[23:59] <jetole> mine fails and I have tested it pretty thoroughly outside of the preseed run