[00:24] Hey guys, I have a hardware question.
[00:25] !ask
[00:25] Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-)
[00:27] I have a few servers that have a single 1gb networking adapter and I was wondering if I should buy a new NIC with a multiple RJ45 jack on it or just get one with a single RJ45 head and run it with the motherboard input and the external card input
[00:27] also if you have any hardware suggestions I would love them.
[00:28] Sorrell: that depends on what you need the extra jacks for
[00:28] Sorrell, really depends on what you're trying to do.
[00:28] Sorrell, i dont think you need servers with more than one ethernet interface.
[00:29] Sorrell, if you are desiring such functionality you should switch to a fabric infrastructure
[00:29] I am setting up a DNS server. They will be in that. One will be exterior and one will be internal
[00:29] Sorrell, make use of switches.
[00:29] Sorrell, MUCH cheaper.
[00:32] Sorrell: if you are using bind, there is no need to have different physical interfaces.
[00:33] really, I didn't know that.
[00:33] Sorrell: you can configure who gets access to which versions of the zone files based on source addresses
[00:34] Sorrell: all of my DNS servers have multiple views, but a single interface
[00:35] I will have to look into that. Thanks Coder7 and CppIsWeird
[00:36] yw. but i think Coder7 knew what you were talking about. :-P
[00:38] Sorrell: http://pastebin.com/KBF9unpp
[00:38] I know it wasn't a very good explanation.
[00:39] that was a snippet of a bind config file
[00:39] ty
[00:39] all 10.0.0.0/8 and 127.0.0.0/8 addresses get the inside view, everything else gets the outside view
[00:40] okay
=== KenjiPops is now known as FOCer
[01:17] im on a windows machine puttying to a linux server. can i use scp to transfer a file from one to the other?
[01:21] CppIsWeird, use pscp.exe, it's included in the putty installation if you used that
[01:22] ok.
[01:22] the actions must be carried out from the windows machine, because windows does not have an SSH daemon
[01:22] but you can transfer files in both directions using it
[01:23] If pscp.exe isn't included in the putty installation, look for "winscp" on Google.
[01:29] what do these things mean [ ] in bash scripting?
[01:35] brackets are used for a number of things
[01:36] provide some context
[01:39] so i was just told to run ". eucarc" and someone called it "sourcing eucarc" can i get a little more explanation please?
[01:39] it basically sets a bunch of temporary variables
[01:39] you can also run "source eucarc" to do the same thing
[01:39] to see what variables they are, less eucarc
[01:39] so "sourcing" is not the same as "running" a batch file? or the eucarc is not a "batch" file, its a "source" file?
[01:40] bah
[01:40] well, there are no batch files
[01:40] replace batch with bash and ignore the windows connection
[01:40] but eucarc is not being run, so much as parsed
[01:40] more like a configuration file than a shell script
[01:40] okay. thanks. :-)
[01:41] CppIsWeird: Sourcing is basically equivalent to copying and pasting the contents of the file into the shell, it runs the commands in the current shell rather than spawning a new one (which means among other things that variables set in the script persist in the shell after sourcing it)
[01:41] ahh, okay.
[01:42] that makes more sense.
[01:43] I wonder if there isn't a better solution to the fragmented linux distro support channels on freenode
[02:14] hi, is it possible to install a GUI for ubuntu server if i only have SSH remote access?
[02:14] how would i access it like remote desktop to that of windows RDP?
[02:14] vnc
[02:15] you'd start vncserver on the server, and run vncviewer on the client to connect to it. are you sure you need a gui?
[02:15] (got a fast link from client to server?)
[02:16] hallyn, yup
[02:16] i wanted to run vmware on it etc
[02:16] hallyn, how would the vnc recognise the system then since its CLI only?
[02:17] hi there. somebody have any guide to install a NAT in ubuntu server?
[02:18] Roxyhart0, try http://ubuntuforums.org/showthread.php?t=713874
[02:18] great thanks!
[02:18] hallyn, ping
[02:20] i am looking at NX wonder if its good
[02:22] debugview: sorry, wandered away
[02:22] debugview: vnc works quite well, id say just give it a shot
[02:23] ok
[02:23] hallyn, i dont need to install X and stuff right?
[02:23] or whatever KDE/GNome desktop etc
[02:24] you don't need kde/gnome, but you'll need to pick some window manager
[02:24] fvwm isn't a bad one...
[02:24] venerable
[02:24] so yes you do need x i suspect
[02:24] hallyn, what are your opinions on http://www.nomachine.com?
[02:24] * hallyn takes a look
[02:25] debugview: ah, nx
[02:25] i haven't tried it, have heard good things
[02:25] i won't recommend against it by any means
[02:25] i just rarely use x remotely for anything...
[02:25] oh okie i will try vncserver and see how it goes
[02:26] linux journal had a favorable article on NX, which was the first i'd heard of it i believe
[02:26] hallyn, sometimes i just hate using CLI for anything :D
[02:26] :)
[02:27] i am shifting from windows 2008 to a linux variant
[02:27] so just trying out
[02:29] debugview: i think your first instinct might have been right, NX might be most like what you want
[02:29] that leaves the installation portion to be desired :x
[02:30] what do you mean exactly?
[02:30] you want to minimize your work, or the work on the part of the servers?
[02:30] (just curious)
[02:31] minimize my work
[02:31] i dont mind working with CLI but sometime editing conf files or what
[02:31] installing stuff
[02:31] i rather cut down the chase
[02:32] than trying to tinker around why X doesnt work because Y needs to be modified but Z have yet to be installed so Y cant work etc..
[02:32] a UI would very much cut that portion down
[02:33] of course your opinions might differ
[02:33] maybe i should do a short blog post on the shortest (imo) way to get a remote gui on ubuntu server... would probably get some arguments :)
[02:33] hallyn, please do and pm me your blog url so i can add it to my daily must read blogs list
[02:33] better not spam me with popups :<
[02:34] if it were me, i would 'apt-get install tightvncserver vncviewer fvwm', start up a vncserver running fvwm (takes roughly 3 steps the first time), and then you're running
[02:34] lol - "caching"
[02:34] ca-ching that is
[02:34] let me google what is fvwm
[02:34] just an old window manager
[02:35] installing gnome-desktop will probably give you exactly what you'd expect from a normal login screen. so if your servers and net link can handle it, do that
[02:35] how do i mount a cdrom?
[02:35] 'mount /dev/cdrom /mnt/cdrom'
[02:35] ty
[02:36] hallyn, heh a xeon server would handle that fine :(
[02:36] special device /dev/cdrom does not exist?
[02:36] CppIsWeird: (you might need to dmesg to check which device was actually assigned) do make sure it wasn't already auto-mounted by your desktop under /media/?
[02:36] dmesg| tail, it's probably /dev/sdc1 or somesuch
[02:37] hallyn, apt-get install gnome-desktop-environment first yeah?
[02:37] debugview: yup
[02:38] (had to check aptitude real quick)
[02:38] hallyn, i guess it will install X dependencies if its missing?
[02:38] never mind, would help if i was in the right ssh window >_<
[02:39] CppIsWeird, hehe
[02:39] too many servers! they're here to SERVE us!
[02:39] destroy them with coffee
[02:39] * hallyn has done that...
[02:40] debugview: yes, all dependencies should be auto-installed
[02:40] debugview: mind you i've not tried it, but if not i'd call it a big bug
[02:41] hallyn, ha..cant expect much from linux :x even windows have their quirks
[02:42] heh - i expect the world from it :)
[02:42] i was trying centos the other day
[02:42] and it was a horrible experience
[02:43] i had all the dependencies installed and yet ./configure keeps saying its not installed :(
[02:45] centos is based on pretty old rhel right?
[02:46] ok, I need some help. It's a bit specific, but I think I'll be able to explain the general idea. I need to run an .exe (with mono) on 10.04 command line, while also being able to access the user@server1:~$ command line.
[02:46] i have got no idea seriously :x
[02:46] how do I go about doing this?
[02:47] Shapeshiftr, erm open two sessions?
[02:47] ..?
[02:47] how?
[02:47] Shapeshiftr: run 'screen' or 'byobu' (a themed screen) i think
[02:48] hrm, i tried screen, but to no avail.
[02:48] what about dtach?
[02:48] Shapeshiftr: the mono prog should just run persistently in the background?
[02:48] 1) How do I switch between screens once on the .exe's command line? 2) will it stay open once I close putty?
[02:49] control-a control-c to create a new screen
[02:49] then control-a control-d detaches the screen
[02:49] ctrl-c closes, right?
[02:49] hmm?
[02:49] detach?
[02:49] sorry, control-a c
[02:49] yes, so then you can log out that putty session, but the screen session keeps going,
[02:49] and you can log back in, and re-attach
[02:49] using 'screen -r'
[02:49] yeah screen is basically the easiest to use
[02:50] it stops me mostly having to worry about junk like 'nohup' :)
[02:50] hehe
[02:50] I tried nohup, lol, i think it failed.
[02:51] hallyn, btw the gnome-desktop installation is still ongoing
[02:51] my server definitely needs bluetooth..rofl
[02:51] i am so gonna bluetooth to my server from miles away
[02:51] so, I typed in screen, then I started my .exe. now what?
[02:51] press Ctrl A
[02:51] then Ctrl D
[02:51] i've just re-commissioned an 8-yr old laptop, so i'm running a very barebones 'dwm' window manager :)
[02:52] to detach back to your command line
[02:52] your linux commandline that is
[02:52] to resume type screen -r
[02:52] ok, now to test.
[02:52] :D
[02:52] if you have multiple screens you have to specify the number of the screen
[02:52] D:
[02:52] screen -r 123456
[02:52] no, didn't work?
[02:52] btw you can name the session using 'screen -S myname'
[02:52] screen -x shows all screens, right?
[02:53] Shapeshiftr, define not working...
[02:53] crash? etc...
[02:53] one sec.
[02:53] Shapeshiftr: screen -list
[02:53] -x is something different
[02:54] hallyn, i wish i had the time to play around with DWM...but i guess it will need lots of configuration doesnt it?
[02:55] debugview: i do reconfigure it, but on this laptop am using it stock, it's still very nice.
[02:55] There are several suitable screens on:
[02:55] 20853.pts-0.server1 (07/05/2010 09:50:30 PM) (Detached)
[02:55] 20065.pts-0.server1 (07/02/2010 11:26:48 PM) (Detached)
[02:55] 9048.pts-0.server1 (07/02/2010 10:52:47 PM) (Detached)
[02:55] Type "screen [-d] -r [pid.]tty.host" to resume one of them.
[02:55] hmm.
[02:55] type what?
[02:55] but you do need to make sure you know the names of the progs you use... often unrelated to the menu entry listing :)
[02:55] Shapeshiftr: screen -r 2853 i guess
[02:55] I want the 05 one, of course.
[02:56] ok, that number?
[02:56] Shapeshiftr: yes really i think any unique substring in the name will work
[02:56] yeah using a name is easier
[02:56] but i usually try one by one till i get the correct one
[02:56] its fast anyway
[02:57] how do I close a screen, then?
[02:57] just exit your application then type exit
[02:57] exit the shell
[02:57] just like what you normally do when you exit your console
[02:57] exit, logout, ctrl+D, etc
[02:57] oh, oh, right.
[02:57] Shapeshiftr, how's the mono support on linux already?
[02:58] the last time i tried it was still buggy
[02:58] it's fine, I think.
[02:58] the program i'm using was developed with mono support.
[02:58] (you can also just do control-a K to kill the screen session)
[02:58] maybe i might go back using mono for linux
[02:58] yeah mono is what i need to get netflix on linux one day right?
[02:58] or java
[02:58] lol - or python :)
[02:59] hallyn, ok i am done with apt-get install gnome-desktop
[02:59] I refuse to use mono on principle alone
[02:59] what else do i need to know?
[02:59] qman__, meh..man it up and chuck those principles aside :D
[02:59] mono does not offer anything for me
[03:00] besides, ignoring principles is the exact opposite of "manning up"
[03:02] qman__, i kid :<
[03:03] hallyn, are there any special "clients" that i need to view gnome desktop remotely after installing it via CLI?
[03:04] you need a VNC client
[03:04] I recommend tightVNC
[03:04] qman__, what's the noob level on that?
[03:04] i mean difficulty
[03:04] I'm not qualified to gauge it
[03:05] alright
[03:05] since I'm the type who would never bother installing a GUI on ubuntu server
[03:05] lucky you :(
[03:05] i might stop using GUI once i get the hang of it
[03:05] it really does not provide any advantages
[03:05] tightvncserver - virtual network computing server software
[03:05] all the services, configurations, etc will all be done from the command line anyway
[03:05] i guess this should be the one
[03:06] you'll just have some gnome-terminals open, doing exactly the same thing you would over SSH
[03:06] yeah i know i am just making my life easier, less stressful
[03:06] for starters
[03:06] debugview: yes, that's the server, then you'll need the client (apt-get install xtightvncviewer) on the remote end
[03:07] GUIs have their place, but ubuntu server is not it
[03:07] hallyn, yea but i am using windows
[03:07] I don't understand how it could be any easier
[03:07] so i will get the windows equivalent
[03:07] debugview: oh, then. whatever is the windows vnc client :)
[03:07] yeah
[03:07] qman__, yeah just for starters like i said no harm
[03:07] well that's just it, it makes things complicated
[03:07] in fact i am learning about CLI just by doing all this installing stuff am i? :D
[03:07] X opens a lot of potential security issues
[03:08] and uses considerable resources
[03:08] hallyn, do i need to configure any files for tightvncserver after installing it?
[03:08] the same goes for VNC
[03:08] debugview: since you want to run the gnome desktop, i don't think so - it should all just do what you want
[03:08] don't use VNC over the net, at least not without an SSH tunnel
[03:09] that's asking for trouble
[03:09] agreed on the ssh tunnel for vnc! was assuming you're on a local link
[03:09] why? its not encrypted?
[03:09] heh, no.
[03:09] no
[03:09] and the authentication is limited to an 8-character password
[03:09] read the original paper. it's an academic exercise :)
[03:10] cracking it is child's play
[03:10] there are bots that search the net for open VNC servers
[03:10] just like they search for SSH servers
[03:10] lets say i installed the vncserver already
[03:10] its using my root password to login right?
[03:10] no
[03:10] debugview: so on the CLI bit - you said you wanted vmware so i think you must have GUI for that, but i'd suggest you look into libvirt CLI with kvm/qemu
[03:10] and you should not have a root password
[03:11] if you do, and you want to keep it, there are other things you need to change to secure your system
[03:11] * hallyn will abstain from getting into any arguments tonight about sudo vs. having a root password
[03:11] that argument aside
[03:11] many things are configured to allow root logins
[03:11] that should not be
[03:11] such as SSH
[03:11] heh
[03:11] qman__, yeah mine doesnt allow root login
[03:12] i have to do a sudo once i login using another account
[03:12] you need to disable those if you want to give root a password
[03:12] I'd love to discuss mass server management with qman__ sometime
[03:12] gosh tightvnc website is so freaking slow
[03:12] cant even download their client
[03:13] of course, using passwords at all is not really that good of an idea these days
[03:13] but you have to draw the line between security and usability somewhere
[03:14] well, you have to protect your bios/bootloader somehow
[03:14] I've yet to see something other than passwords implemented
[03:14] that's really a moot point
[03:14] if your physical security is compromised, it doesn't really matter what you do
[03:14] neither of those is specific to physical security
[03:15] s/is/are/
[03:15] * hallyn draws out his broadsword
[03:15] sorry, I don't mean to hijack an otherwise mild conversation
[03:15] but then you cant login without providing a password
[03:15] lol
[03:15] we can continue this after helping debugview
[03:15] what sort of authentication exists besides password?
[03:15] key-based
[03:15] but isnt that based on a password to generate the key file too
[03:16] no
[03:16] no
[03:16] it is randomly generated
[03:16] and sometimes the key is additionally encrypted with a password -- but, ultimately, the key itself is a far better method of providing remote access
[03:16] there are other types but key-based is arguably the strongest and most convenient
[03:17] but it's only secure as long as you keep your keys safe
[03:17] hallyn, ok i ran the vnc client and i entered my IP and it says connection failed? how do i know if its working on the server side?
[03:17] qman__, you mean like the german spy? :x
[03:17] I hear russian spies are really good at encryption
[03:18] :)
[03:18] ps ax | grep vnc
[03:18] 22918 pts/0 S+ 0:00 grep --color=auto vnc
[03:18] root@27AO33:/home/sysadmin#
[03:19] well, unless the daemon does not contain 'vnc' in its name, it's not running
[03:19] ok that makes sense..now i will need to figure out how to run this tightvncserver after installing it
[03:20] I don't know enough about the server to say for certain, but there may be a configuration preventing it from starting in /etc/default
[03:20] how do I delete the contents of a directory?
[03:20] like "IS_CONFIGURED=no"
[03:20] rm -R ?
[03:20] rm
[03:20] mmk.
[03:21] debugview: did you do 'vncserver' to start a server session?
[03:21] Shapeshiftr: do you want to delete the directory AND its contents? or just its contents?
[03:21] And, lol, the reason why it wasn't working was because the program didn't have mono support in that revision >_<
[03:21] just the contents.
[03:21] rm directory/*
[03:21] that won't remove hidden files though
[03:21] well, rm -r directory/*
[03:21] in case there are subdirs
[03:21] that's fine, I created the directory.
[03:22] and there are subdirs
[03:22] hallyn, yeah i did
[03:22] so rm -r then
[03:22] i did a netstat -an and there is a port listening on 5901
[03:22] the default port for most clients is 5900
[03:22] try specifying 5901
[03:22] sweet, its working
[03:23] \o/
[03:23] i am enlightened
[03:23] you are living dangerously ;)
[03:23] now that you have verified that it works, I suggest you immediately turn it off
[03:23] and use SSH tunnels instead
[03:23] ok a question that begs to be asked, how do i turn it off? :x
[03:23] i know its easy doing kill -9
[03:24] but is there a better way?
[03:24] you can do 'vncserver kill :1', but
[03:24] that's the last resort way to kill processes
[03:24] really what you want is to just prevent access to port 5901 directly using ipfilter i assume
[03:24] if you started it by running 'vncserver', do `ps ax | grep vncserver` to get the PID, then kill that PID
[03:24] you don't need to stop the server
[03:25] really, it should be running as a daemon with an init or upstart script
[03:25] oh yeah
[03:25] I can't sudo rm -r
[03:25] nothing happens.
[03:25] root@27AO33:/home/sysadmin# tightvncserver -kill :1
[03:25] Killing Xtightvnc process ID 22930
[03:25] ShadeS, no output means it's working
[03:25] err
[03:25] Shapeshiftr, ^
[03:25] Shapeshiftr: you sure you want to run it with sudo?
[03:26] but I looked at the directory in filezilla, and all the files are still there.
[03:26] and, you'll of course need to supply the directory as we instructed
[03:26] i did.
[03:26] make sure it refreshes
[03:26] "rm -r /path/to/directory/*"
[03:26] mmhm, giovani
[03:26] ok what is this SSH tunnel stuff? does it allow remote desktop like VNC too?
[03:26] no
[03:26] Shapeshiftr: trust me -- it's a simple command -- you likely didn't run it properly, or, as qman__ points out -- refresh FileZilla
[03:26] an SSH tunnel allows you to forward your VNC connection through an encrypted, authenticated channel
[03:27] debugview: 'ssh -L 5951:localhost:5901 server.name' and then you can do 'vncviewer localhost:51'
[03:27] first, configure your VNC server to only listen on localhost
[03:27] ah, refreshing wokrs.
[03:27] *works
[03:28] sigh
[03:28] "Probably, the best way to secure Xvnc server is to allow only loopback connections from the server machine (the -localhost option) and to use SSH tunneling" according to google...i am gonna try it
[03:28] yeah, really, giovani >_,
[03:29] I'm quite the beginner with command line OSs
[03:29] I don't think FileZilla qualifies as a command-line tool
[03:29] i am really surprised ubuntu doesnt have a remote desktop built in like windows RDP
[03:29] ubuntu desktop does, it uses VNC
[03:29] this is ubuntu server
[03:29] debugview: completely different target markets
[03:29] they're not competing OSes really
[03:30] on ubuntu server, the GUI only complicates things
[03:30] especially if you let it install NetworkManager
[03:30] gah
[03:30] then you're in for a real mess
[03:31] just removed that from my new xubuntu install a few hours ago
[03:32] xfce's bloat man
[03:32] stay away from that
[03:32] debugview: 'ssh -L 5951:localhost:5901 server.name' and then you can do 'vncviewer localhost:51' <-- is this for linux only?
[03:32] the only kind of ubuntu server that needs X is an LTSP server
[03:32] which is a special case
[03:32] debugview, that's the command when using the openssh client
[03:33] if you're using putty, you have to configure it
[03:33] giovani: i did - removed gdm next, and am running dwm
[03:33] but had to start somewhere, and server doesn't have wireless
[03:33] why did you even install xubuntu then?
[03:33] just do a minimal install
[03:33] you mean the server kernel doesn't
[03:34] you don't need to run the server kernel
[03:34] i've only got 5 cds available to burn and this old laptop won't boot off usb
[03:34] dwm's pretty old-fashioned
[03:34] rock on
[03:34] try a newer, more awesome tiling window manager
[03:34] xmonad, awesome, stumpwm
[03:34] i use wmii once in awhile
[03:34] the nice thing about dwm is it's simple enough there's no thinking involved at all
[03:34] i have considered trying awesome
[03:35] xmonad is pretty nice
[03:35] I haven't tried any of those
=== amstan_ is now known as amstan
[03:35] I used to use fluxbox back when I ran gentoo
[03:35] qman__: what wm do you run?
[03:36] hah - stumpwm - i haven't run a lisp wm since i tried gwm in 1996
[03:36] hallyn, does the stuff i run over VNC terminate if i close the vnc session?
[03:36] haskell is where it's at
[03:36] debugview: not if you terminate the client
[03:36] if you terminate the server, then yes - unless you run screen in each terminal under vnc :)
[03:36] but stumpwm is pretty clean -- a few people at work use it
[03:36] particularly the emacs folks
[03:36] giovani: i'm looking (obviously)
[03:36] and I've used iceWM, which I rather liked, but it's kind of broken in ubuntu
[03:37] hallyn: looking?
[03:37] qman__: all the good wms are broken in ubuntu
[03:37] on a day to day basis I just use regular ubuntu/gnome
[03:37] that's what happens when the user community goes mainstream
[03:37] yikes man
[03:37] how do you function?
[03:37] slowly
[03:37] ;)
[03:37] my desktop is still running karmic
[03:38] because I don't want the mess that is the new UI
[03:38] with lots of carpal tunnel with the mouse movement
[03:38] xmonad is pretty broken in lucid
[03:38] took about 15 minutes to fix it
[03:38] dwm works fine out of the box :)
[03:38] hallyn, yeah ssh tunneling works too
[03:38] connecting to localhost:5901
[03:38] configs are still nice, but it's not broken
[03:38] hallyn: ratpoison worked out of the box
[03:39] debugview: cool
[03:39] on lucid
[03:39] you could try that, it's what stumpwm is based on
[03:39] debugview: note that the vnc session port is 5900+index, so server:1 = port 5901
[03:40] but yeah, I just haven't had much time to mess with it
[03:40] hallyn, roger
[03:40] giovani: mind you i'm happy with dwm atm :) but i'm looking at stumpwm pages out of curiosity
[03:40] I got gnome to a tolerable layout and just deal with the slowness
[03:40] hallyn: dwm is lame by comparison to anything new
[03:40] not customizable to the same level
[03:41] * hallyn chuckling
[03:42] glad I can provide entertainment :)
[03:42] my biggest complaint about it is firefox, though
[03:42] it gets worse with every new version
[03:42] qman__: what's "it" in this context?
[03:42] firefox
[03:42] your biggest complaint about firefox is firefox?
[03:42] er, the first it, being the gnome setup
[03:42] ah
[03:43] well firefox is slow no matter what wm you run
[03:43] everything else isn't too bad performance wise
[03:43] well, i was happy with vimprobable for awhile, but it broke on 64-bit so i'm using surf. any better browser suggestions?
[03:43] I need firefox
[03:43] all those extensions I'm addicted to
[03:43] yeah
[03:43] as terribly bloated and broken as it gets
[03:43] nothing else offers the right features
[03:43] it's still got more functionality than any other
[03:44] so I use it
[03:44] 'itsalltxt' is the only plugin i'm using these days
[03:44] I have like 75 extensions
[03:44] use every one of them
[03:44] jinkeys
[03:44] also, it's the new fad to screw up the tab order, even firefox jumped on it
[03:44] don't upgrade to firefox 3.6
[03:44] tab mix plus ftw
[03:45] I used to use tabbrowser preferences
[03:45] but that one died off
[03:45] tab mix plus
[03:45] trust me
[03:46] my system is to the point where I just have to leave flash and java disabled
[03:46] firefox crashes every time it loads one
[03:46] I use other browsers to view flash objects
[03:46] that sounds abnormal
[03:46] it used to just crash sometimes
[03:46] try upgrading flash and firefox
[03:46] it really works fine for me
[03:47] once in a while a crash, yes
[03:47] but 3.6+ includes the plugin crash handling iirc
[03:47] I've been upgrading this same install since 7.10
[03:47] does lucid have 3.6 in it?
[03:47] yes
[03:47] ok
[03:48] you'll want to use 32-bit of course
[03:48] yeah
[03:48] adobe has stopped supplying 64-bit flash again
[03:48] oddly enough, this is my only 32-bit system left
[03:49] it's got a 64-bit processor, but support was bad three years ago
[03:49] all of my laptops/desktops are atoms now
[03:50] cloud computing ;)
[03:50] hallyn, ok i had fun with the gui i guess i can remove gnome-desktop-environment now
[03:51] is there a way to purge everything back to where it was before the install?
[03:51] sudo apt-get remove gnome-desktop-environment && sudo apt-get autoremove should remove everything that installed as a result of that
[03:51] but back to pristine new install condition? not that I'm aware of
[03:51] but will leave config files
[03:51] use purge instead of remove to delete those
[03:51] true
[03:51] but it'll still be changed
[03:52] changed as in?
[03:52] when you install that many packages, things are bound to get changed
[03:52] ...
[03:52] it's a removal or a purge, not an "undo"
[03:52] it's still not working.
[03:52] debugview: so you don't need to run vmware?
[03:52] I can't connect to the server.
[03:52] I've updated to the mono-supported version.
[03:52] still no.
[03:53] hallyn, i think i will skip it and i will try to install the software manually myself instead of loading windows inside ubuntu server
[03:53] excellent
[03:54] debugview, can you think why it wouldn't be working? even out of screen?
[03:54] Shapeshiftr, what is not working?
[03:54] Is there a way to perform secure dynamic dns-update with dhcp3-server on an ad-based dns-server?
[03:55] that server i was trying to get up.
[03:55] dolittle, "secure dynamic updates" use AD authentication
[03:55] that is a feature that is not implemented in any open source DNS/DHCP software I know of
[03:55] Shapeshiftr: no error msgs in the screen session?
[03:56] nope.
[03:56] I'm talking to the creator, too, to see if it's a coding issure.
[03:56] *issue
[03:57] * hallyn out for awhile
=== dendro-afk is now known as dendrobates
[04:15] hey guys - anybody here have some experience with supervisord?
=== dendrobates is now known as dendro-afk
[04:33] So in my auth.log I have seemingly brute force attempts at getting root from shanghai China via SSH2
[04:34] Is there a way to limit attempts from IP to like 2 per day...
[04:34] yes
[04:35] see the iptables recent module
[04:35] if that's difficult to implement with an existing firewall, there is also fail2ban
[04:35] of course, disabling password authentication on SSH is even better
[04:36] How would one connect then?
[04:36] key-based authentication
[04:36] Oh so only my cell phone or my netbook could connect..
[04:37] only a device containing a valid key for the user they are attempting to log in with
[05:18] Under what circumstances will 8.04's mount believe that an LVM snapshot of its root filesystem is
[05:18] mount: unknown filesystem type 'silicon_medley_raid_member'
[05:19] The nightly backup has failed that way twice in the last month. (The other nights, it succeeded.)
[05:33] Google suggests it's a misbehaving fakeraid controller. The fakeraid should be off, but I've told the proximal monkey to check for a "more off" option in the BIOS.
[05:55] New to Ubuntu, Linux, and networking. Setting up home network on server 10.04 with all DHCP. DSL is DHCP. does dynamic DNS allow me to set up static IP in server?
[06:00] netwidget: "dyndns" and similar services allow you to have a fixed DOMAIN NAME (e.g. fred.nurk.name) with a (potentially rapidly) changing IP.
[06:00] I don't know of any other "dynamic dns"
[06:03] So if I registered a domain of say home.lan with dyndns would I then be able to use home.lan say in Bind9 to resolve nameservers and hostnames?
[06:04] That is Bind9 configured on the server?
[06:07] dyndns replaces running your own bind
[06:08] You shouldn't be running bind on a home network unless you're a bearded unix veteran who can't see his toes for the beer gut
=== gallifrey is now known as alco-ninja
=== alco-ninja is now known as v
[06:20] twb - Thx for the imagery. So if I set up DDNS with domain of home.lan and my servers hostname is servermain, how do I get host computers to find home.lan.servermain?
[06:22] You don't, it would be called servermail.home.lan :)
[06:24] Note that ".lan" is not (yet) a valid top-level domain, so that'd only be for internal, not public, use.
[06:24] jmarsden - I assume you meant servermain.home.lan?
[06:25] Indeed.
[06:26] twb - Yes it would only be for private LAN. I am trying to simply keep the LAN talking on the client/server level using resolved naming without assigning ip addresses
[06:27] netwidget: well, if it's for internal use, dyndns doesn't make sense.
[06:27] Since you're using .lan, I guess you have an OpenWRT router?
[06:32] Not sure what the OpenWRT router is but the .lan was just an example. My uses for the home LAN are file server, printer server, web development server (testing). No public access just private access to net. How do I get client computers to see server (by name) and vice versa to mount drives and create mount-points?
[06:33] twb: I think netwidget wants a DHCP server to assign IP addresses "dynamically", and to have the host A records auto-added to DNS by the DHCP server.
=== MTecknology is now known as MTeck
[06:38] jmarsden: yeah. That's why I asked about OpenWRT, because it runs dnsmasq and it Just Does That
[06:39] jmarsden: so all he'd have had to do is edit /etc/hosts and /etc/ethers on the router and/or configure dhclient3 to have: send host-name "servermain";
[06:39] twb, jmarsden, - I have a basic DSL account (non static), I have a Netopia 3347 modem/router from ISP set to DHCP for WAN and LAN sides. Wireless is turned off because I have a second Linksys WRT300N router sending wireless and is used as a switch for cabled ether. Server is cabled to Linksys. Linksys is also set to DHCP both sides.
[06:39] twb: OK. Without it, he'll need to set up dnsmasq or some equivalent on the server, instead.
[06:40] Right
[06:40] It's not hard to set up dnsmasq, I just didn't feel like going through it
[06:41] jmarsden: the main point is that because dnsmasq serves both DNS and DHCP, it automatically knows how to integrate them -- cf. isc dhcp + bind
[06:41] Makes sense.
=== EvilTrek is now known as Mithos [06:43] Hi, I installed openldap on 9.10 server but when I do "slapadd -l example.ldif" I get this: "Available database(s) do not allow slapadd" here is ldap.conf : http://pastebin.com/fzZPZbcL [06:44] Was planning on moving server to DSL router (direct cable) and run the Linksys as a nested lan from the server. Don' [06:45] Don't know if that will require port forwarding on the DSL router and whether that will interfere in the dnsmasq? [06:47] netwidget: Your internal machine naming and name resolution are only within your LAN, so the router shouldn't need to care about them. [06:49] Basically your internal DHCP and DNS servers need to care [06:49] But if they're on your all-in-one appliance router, then you're probably screwed [06:50] twb: Well, so you disable them in the router and add them to your server. But yes. [06:51] Yeah. [06:51] Where "screwed" means "do it a different way" [07:08] So then I should install the dnsmasq services on the server and set dhcp range in /etc/dnsmasq.conf? other than configuring the nameservers and resolving hostnames in conf files on server do I just the DHCP ranges of the routers for no conflicts? [07:10] Turn off the DHCP server in the router completely. [07:11] morning [07:15] Are you referring to the DSL router (connection to ISP)? [07:25] jmarsden: Since the Linksys wireless is going to provide wireless connectivity to the LAN, I assume that it needs to have a static IP address from the server and have DHCP turned on for the nested LAN. [07:27] netwidget: Probably; if you can put it into "Access Point Mode" and then set its LAN IP manually, that should be fine. You don't want it doing any routing, if I am understanding you correctly. [07:28] * jmarsden is off to bed... [07:33] jmarsden, twb: Thanks for the help. [07:33] You're welcome. [08:06] grub not finding hdd's; only grub rescue prompt is shown [08:07] taneli: are the disks in a software RAID array? 
[08:07] yep [08:07] Grub doesn't support that properly [08:08] You need to boot a live CD or similar, and reinstall the grub MBR [08:08] You MAY be able to get it working by swapping the order of disks in the array [08:09] Basically, what happens is that grub is very stupid and records the disk number (according to the BIOS), so when the first disk fails, and the BIOS renumbers the disks, grub MBR loads off /dev/sdb, which is now /dev/sda, and the MBR tries to bootstrap /dev/sdb, which no longer exists. [08:10] nice [08:10] (I'm assuming you're having the same problem as me.) [08:10] probable [08:11] It happens to me about once a month with servers I have in South Africa and Israel, which is a bloody nightmare to fix [08:11] nothing helps to get it stable? [08:11] Fortunately, extlinux doesn't have this problem! [08:12] taneli: like I said, swapping the disk order or putting a blank drive in the first SATA slot *might* help. [08:12] taneli: it depends on how "clever" the BIOS is [08:36] New bug: #602155 in samba (main) "sambadidn't install" [Undecided,New] https://launchpad.net/bugs/602155 [09:56] twb: how can i tell grub, that my / mountpoint is on lvm-partition [10:02] You don't tell grub that [10:02] You tell your RAMDISK that. [10:02] Typically something like root=/dev/mapper/VGraid-LVroot [10:21] taneli: iirc you can't boot off lvm, I think you need a separate /boot partition to use lvm as root [10:21] grub2 *can* boot with /boot on LVM. [10:22] But it's probably a dumb thing to do [10:22] s/probably/usually/ === lifeless_ is now known as lifeless [11:57] I'm netbooting a 10.04 image, using casper to merge the read-only NFS root filesystem with a tmpfs ramdisk [11:58] Most of it's working, but /home (a read-write NFS mount) isn't ever mounted during boot. [11:58] How do I debug upstart enough to find out what's wrong? [11:59] (I suspect it's because an event like "net-device-up" is never generated, because it's up BEFORE init starts.) 
=== jussi is now known as Guest7125 === oubiwann is now known as oubiwann-away [12:15] twb: Are you talking about lucid or karmic? [12:16] In Lucid, my NFS mounted home is up 'late' after boot. I just have to wait a bit before logging in. [12:20] lucid [12:20] alvin: I *need* it to come up before gdm [12:20] Ah, did you use the undocumented 'bootwait' option? [12:20] I don't *think* it comes up at all, let me check. It's hard to tell because plymouth eats /dev/console when gdm starts [12:23] You can check mountall in /var/log/boot.log See bug 504224 [12:23] Launchpad bug 504224 in mountall "NFS mounts at boot time prevent boot or print spurious errors" [Medium,Fix released] https://launchpad.net/bugs/504224 [12:25] The last thing in boot.log is init-bottom (from the ramdisk) [12:27] I'll try nobootwait, anyway. I'll also stick a single in there and disable /etc/init/gdm.conf, so I have a bit more visibility about what's happening [12:28] I *was* getting the 504224 in some other builds, but I don't think I'm getting them now === dendro-afk is now known as dendrobates [12:31] alvin: even with nobootwait, I see it bitching about rpc.statd not running === jussi01 is now known as jussi [12:32] Might be bug 484209 [12:32] Launchpad bug 484209 in nfs-utils "/etc/init/statd.conf: race with portmap startup" [Medium,Fix released] https://launchpad.net/bugs/484209 [12:32] In this current boot, rpc.statd is definitely running when I look for it, and at that time "mount -a" gets me a /home [12:33] I'm running lucid with all patches from -security applied, so hopefully bugs marked as "fixed" shouldn't affect me... === oubiwann-away is now known as oubiwann [12:39] I don't think 'fixed' means that there is an actual fix in the repositories. All these bugs apply to me too. NFS has been flaky for some releases now. 
[12:40] * twb rants [12:40] The point of avoiding non-LTS releases is that Ubuntu fixes stuff like this by the time I get here [12:43] Well, in my experience, Lucid IS more stable than the two previous releases, but most certainly not more stable than hardy. Technologies like mdadm, lvm and NFS show regressions. Maybe I'm ranting too, but I'm not sure about the direction ubuntu is taking. [12:43] The direction of "annoy twb" [12:43] Just because it's a desktop distro they think it's OK to put desktop users first... [12:45] twb: btw, the problem was a lvm-snapshot. after removing the snapshot the server got back up as expected [12:46] taneli: oh, not that bloody issue [12:46] that's pretty much fixed [12:46] taneli: anything that looks for a UUID will see both snapshot and origin as matching. [12:46] Maybe grub was too dumb to prefer the origin [12:47] twb: the funny part is: it wasn't a snapshot of my Volgroup-root, but totally different lv [12:47] taneli: OK, then I don't know [12:54] the snapshot/grub2 problem exists in debian as well and a fix has been released. please see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574863 [12:54] Debian bug 574863 in grub-pc "grub-pc: grub-probe unable to find mapping for /boot on LVM with a snapshot LV" [Grave,Fixed] [12:57] pmatulis: ty [13:04] OK, if I patch all the upstart jobs to dump their scriptlets to /var/log, I can see mountall.conf invoking mountall --daemon, which is what appears to run mount and appears to be bitching about rpc.statd not running. [13:04] mountall-net.conf looks for the mountall daemon in order to send a -USR1 to it, but by that time there's no such process -- mountall --daemon has already exited. [13:05] Let's try patching a spinlock into mountall-net... [13:08] No joy; "status mountall" doesn't give a nonzero status for "I've already finished". 
[13:09] And "status mountall" did completely the wrong thing; it started plymouth (despite "splash" being absent from the boot parameters) and similar nonsense. [13:17] twb: i'm not following what you're doing but is there a bug about it? [13:20] pmatulis: there's no bug report [13:21] twb: why don't you file one? [13:21] Because it's a massive pain in the arse to use launchpad, so I only do it when there's no alternative [13:21] i.e. when I've found and solved the problem and it's ubuntu-specific and now I just need my patch accepted into the archive. [13:23] I'm booting with boot=casper and netboot=nfs, which works in 10.04 as it did in 8.04, except that my -olock,rw NFS mounts /home and /srv filesystems aren't mounted. They're mounted if I manually invoke "mount -a" after booting with single. They're listed in fstab immediately after it's generated, at boot, in /usr/share/initramfs-tools/casper-bottom/12fstab [13:23] s/listed/appended to/ [13:25] If I prevent gdm starting, on vt7 I can see complaints about rpc.statd not running (which is needed for NFS locking), and tracing /etc/init/mountall-net.conf shows that when it starts, the mountall(8) program isn't running. === luist__ is now known as luist [13:26] twb: you seem to have a good grip on the matter. i'm still not sure why you think reporting the last few comments on LP is such a big deal [13:27] Because it wants me to either use a browser and "log in", or to manually compose the email (cf. reportbug). [13:28] Basically, I don't want to reward Ubuntu for breaking reportbug on their distro [13:30] * twb RTFS' mountall(8) [13:31] Or, I would, if it was part of upstart... [13:32] Ah, mountall is its own package, and isn't in Debian. [13:39] Hm, what's the technique for making /tmp a tmpfs in 10.04? [13:39] Never mind, looks like it was /etc/fstab before, so changes to the init process won't affect that [13:45] kirkland, about ? 
[13:45] apw: yup [13:45] smoser: ping debian has a newer python-boto fyi [13:45] i have a lucid system on which i am trying to start existing VMs (qemu/kvm) and am getting an apparmor error all of a sudden [13:46] kirkland, any ideas what the heck causes that ? [13:46] 'error: error calling aa_change_profile() [13:46] from libvirt [13:46] jdstrand: ^ [13:46] wild stab in the dark... apparmor? :) [13:46] zul, heh .. yeah ... but .... yeah ... but ... yeah ... but ... no [13:46] apw: jdstrand will be able to answer you effortlessly; i'll play 20 questions to get there [13:47] shame he is not in my timezone [13:47] Huh, I read aa as libcaca [13:48] apparmor makes much more sense :-) [13:49] "#include " [13:49] Is that "nih" as in "not invented here"? [13:49] kirkland, crap cannot make new VMs either [13:49] * apw is going to reboot just in case [13:49] Ha, it is. [13:50] Looks like another glib-esque "I like C but I wish it had [...]" [13:53] 21:20 Ah, did you use the undocumented 'bootwait' option? [13:53] alvin: reading mountall.c, I think I misread you. Are you talking about a mount option (as opposed to a /proc/cmdline option)? [13:53] hello [13:54] hello [13:54] twb: Yes, _netdev doesn't work and I used bootwait, because otherwise the boot will stall and/or /home will not be there when I want to log on. 
[13:54] twb: It's a mount option [13:54] * twb tries [13:55] have set up a website on ubuntu but can't get to the site from outside the local network [13:55] New bug: #601501 in apache2 (main) "Apache should tap into the shared-mime-info database" [Undecided,New] https://launchpad.net/bugs/601501 [13:56] i've been trying to get openldap up and running unsuccessfully following the server guide [13:56] i'm trying to start over, so i did aptitude remove --purge slapd ldap-utils [13:56] i noticed that there were still files in /etc/ldap , so i removed the directory manually [13:57] after re-installing the packages according to the guide, it seems i'm missing some usually included schema files; my /etc/ldap/schema is empty [13:58] panfist: isn't that in schema.d? [13:58] Oh, no. [13:58] It isn't [13:58] good morning all [13:59] good morning [14:00] ok now i'm scared...because dpkg -S cosine says that the package slapd contains /etc/ldap/schema/cosine.ldif and cosine.schema , but when i do sudo apt-get install slapd ... those files are not installed [14:01] kirkland, ok seems its a 2.6.35 issue ... would you expect kvm lucid userspace to work with 2.6.35 kernels [14:01] <_chris__> heja [14:02] <_chris__> i added a crontab , can i somehow see if it was executed ? [14:02] <_chris__> syslog ? [14:02] apw: um, yeah, it damn well better ... hallyn, do you know anything about this? [14:02] hallyn: have you tried kvm in 2.6.35? [14:03] _chris__: Check /var/log/auth.log [14:04] <_chris__> Pici, ah ok i see thanks [14:06] i've installed slapd every which way but i'm not getting files that are supposed to be included according to this http://packages.ubuntu.com/lucid/amd64/slapd/filelist === dendrobates is now known as dendro-afk [14:13] alvin: OK, so if I add bootwait, the system just hangs around forever and I never get a root shell [14:15] panfist: does `dpkg -L slapd` produce any output? [14:16] joschi: it's openldap-server, IIRC [14:16] yes. 
actually, dpkg -L slapd|grep schema shows exactly the files that are not on my system [14:16] panfist: install debsums and/or cruft and ask them if your package is tits-up? [14:17] twb: unfortunately, that doesn't surprise me. There is a bug in karmic (should be fixed in lucid) that prevented booting when NFS mounts were not mounted fast enough (due to network, etc,...) That's bug 470776 [14:17] Launchpad bug 470776 in mountall "retry remote devices when parent is ready after SIGUSR1" [Medium,Fix released] https://launchpad.net/bugs/470776 [14:17] well...it shows the files that i want [14:17] Oh, my mistake. Apparently it is "slapd". [14:17] twb: you probably mixed that up with openldap-utils [14:18] alvin: hmm, maybe I should put my spinlock back into mountall-net (which generates the SIGUSR1)? [14:18] twb: another (fixed in lucid) one is that you can't mount NFS drives at boot when you have a static network configuration. I switched all servers to DHCP and haven't switched back yet. [14:18] alvin: it's all fixed DHCP here [14:18] twb: I don't know much about the internal workings, sorry. Just experiencing a lot of trouble and looking for workarounds. [14:19] (That is, dnsmasq only responds if you're whitelisted in /etc/ethers) [14:19] twb: here also [14:19] alvin: no worries; you've been a lot of help already, I was a bit too obtuse to catch on [14:20] panfist: are the files still missing when you reinstall slapd? [14:20] yes [14:20] joschi: a reinstall won't replace conffiles, at least [14:20] The other stuff should come back [14:20] panfist: `aptitude purge slapd && aptitude install slapd` should do the trick [14:21] specifically, i purged it before and saw there were still files in /etc/ldap so i manually removed the dir, now reinstalling doesn't seem to be complete [14:22] I had a similar problem with postgresql some time ago [14:22] joschi: you should check that he has a backup before recommending something that radical [14:22] e.g. 
maybe he's logging in with LDAP still [14:22] twb: hm, I don't think slapd works correctly when the schema files are missing [14:23] Maybe it hasn't restarted since [14:23] Just saying: be paranoid [14:23] twb: at least some base files like core.schema/core.ldif *must* exist [14:24] joschi how the hell did you know that would work? i could have sworn i have executed those commands over and over, not in that exact order i guess [14:24] Repeat grumble about having to realign the LCD's ADC all the time due to "helpful" framebuffer console [14:24] panfist: educated guess ;) [14:24] panfist: aptitude will (well, in most of the cases) reinstall config files after a package was purged [14:25] so apt-get skips those after a package was purged? isn't that a bug? [14:26] panfist: you've probably run `apt-get remove slapd` instead of `apt-get remove --purge slapd` which will also remove the config files [14:26] alvin: hum, 470776 claims to be fixed in mountall 2.0, and I have 2.14 [14:26] oh, I see there's a "purge" action in apt-get too. so forget my last comment, panfist [14:27] i can verify in my history, i did `sudo aptitude remove --purge` [14:28] i dunno if that's the same as `aptitude purge` [14:28] hi, what is the magic key press to get the grub menu these days? [14:30] hold shift during boot [14:31] Hope that your USB keyboard is initialized before GRUB, etc. 
[14:31] hmm shift not working, [14:31] No, wait, the problem I was having was that the USB keyboard definitely WASN'T enabled in the bios, and the onboard keyboard was nearly dead [14:32] this is via a RAC [14:32] oh grief i hate grub2 [14:32] Tell me about it [14:33] i'm stuck on the initial configuration of ldap according to the server guide https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html [14:33] Like os-prober's "oh hai, you updated your kernel while your USB rescue key was inserted, so I have added its boot entries to the list" [14:33] i've done a find and replace of dc=example with dc=myexample and dc=com with dc=lan ; [14:33] ah /etc/default [14:33] when i get to the part where i add frontend.example.com.ldif , i get a `ldap_add: Naming violation (64)` [14:34] hmmmmmmm could my mistake be in not changing the file names from example.com to my domain name? i don't see how the file names would be relevant in this part of the configuration [14:34] twb: I presume you are looking at the mountall source. Isn't bug 470776 fixed in your version? I thought it was. It was a major problem for me. It still is in karmic, but it's gone in Lucid. [14:34] Launchpad bug 470776 in mountall "retry remote devices when parent is ready after SIGUSR1" [Medium,Fix released] https://launchpad.net/bugs/470776 [14:34] panfist: no, the file names do not matter. their content does on the other hand ;) [14:35] i've pasted the contents here [14:35] http://dpaste.com/215112/ [14:35] alvin: I'm not sure if it's fixed [14:35] Just because a patch is made doesn't mean the patch fixes the problem ;-) [14:35] panfist: have you created the backend configuration? [14:36] e.g. 
created dn: olcDatabase=hdb,cn=config [14:36] yeah, the command to add the backend completed successfully [14:37] `sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif` [14:37] nevermind....i executed the wrong command that takes the frontend ldif file as the argument [14:38] OK, how does mountall(8) know it needs rpc.statd for /home... [14:38] Rather: s/how// [14:38] nevermind my nevermind....i executed the correct command and i get the same error message, a naming violation === dendro-afk is now known as dendrobates [14:41] kirkland: no i have not [14:42] twb: Interesting question. I think bug 547139 describes that issue. [14:42] Launchpad bug 547139 in nfs-utils "mountall tries to mount NFS filesystem before statd starts" [Undecided,Won't fix] https://launchpad.net/bugs/547139 [14:42] hallyn: jdstrand: apw is reporting some kvm/libvirt/apparmor issues with 2.6.35 [14:42] alvin: that was the third hit :-) [14:42] wait what is stock maverick kernel? [14:42] panfist: check the configuration DIT (cn=config...) with ldapsearch [14:43] kirkland, hallyn, jdstrand, yep booting same machine back to the latest lucid kernel resolves the issues [14:43] apw: what's Maverick's target kernel version? [14:43] apw: 2.6.35 i presume/ [14:43] "Since you say the NFS filesystem does eventually get mounted" [14:43] kirkland, indeed so [14:43] alvin: I don't have that behaviour [14:44] well then yeah, i've used kvm there [14:44] Unless "eventually" means hours, not minutes [14:44] kirkland, this of course gives us interesting issues with the lts backports kernel for server [14:44] with no problems [14:44] I do. I have to wait a while, but eventually the NFS filesystem gets mounted. Mind you, in Karmic it was much worse. booting without manual intervention was impossible. [14:44] kirkland: apw: is there a bug with more details? 
[14:44] you could try the undocumented 'nobootwait' option [14:44] hallyn: well, i presume apw is testing a preview kernel that's not in Maverick yet [14:45] right, i can d/l kernel and bisect so long as it's in maverick git tree [14:45] hallyn, not as yet [14:45] twb: nobootwait should start your system and eventually, your mounts will be there. The downside is, that services that depend on the mount points being there will fail. [14:46] alvin: presumably nobootwait *or* bootwait is the default, right? [14:46] I think so [14:46] I tried with neither, and with "bootwait" [14:46] Hmm, nobootwait is probably the default [14:47] In the first case, I get a shell and /home isn't mounted after an hour; in the latter case it hangs, I get no shell, and it isn't back after at least five minutes. [14:47] man mount only lists _netdev [14:47] alvin: probably because mount(8) was written by util-linux or Debian, and bootwait is some Ubuntu nonsense [14:48] Well, I've read that debian will eventually adopt upstart, so they'll probably change the manual :-). upstart is doing a good job on my phone, but on ubuntu-server, I have to wrestle with it. [14:49] I doubt it [14:49] twb: Is /var/log/boot.log saying something about /home ? [14:49] joschi ldapsearch with no arguments returns something like #filter: (objectclass=*); search: 2; result: 32 No such object [14:50] alvin: with -obootwait, I don't get a shell, so I can't check [14:50] ldapsearch cn=config returns the same results except #filter: cn=config [14:50] (There are volatile units, so /var/log isn't preserved after a boot.) [14:50] twb: Hmm, a console that shows boot messages would be nice too. [14:50] Well, I got that by throwing out gdm for a while [14:51] and it's saying nothing about NFS mounts? [14:51] Stuff like: mount error(101): Network is unreachable [14:51] It's bitching about rpc.statd not being ready [14:51] Like always [14:52] Not even "mountall: mount /home [951] terminated with status 32"? 
[14:52] Lemme reproduce it again [14:52] I don't see the rpc.statd errors in boot.log here. Let me check some other machines [14:53] mount /home [675] failed with status 32 [14:54] Hmm, 'failed'. Not 'terminated' [14:54] Lemme check again [14:54] I'm transcribing because the machine's way over >there< [14:54] My logs are full of 'terminated' messages, but the filesystems do get mounted [14:55] mountall: mount /home [675] terminated with status 32 [14:55] I get *one* [14:55] Then it sits there forever spinning its nipple-nuts [14:55] * Pici blinks [14:55] Aha, there is a difference. I get each 'terminated' message twice (besides DNS resolution errors) [14:58] Hmmm, false alarm. I just checked a lot of other machines. The messages appear between 1 and 3 times for each NFS filesystem. [14:58] but no rpc errors [14:58] panfist: http://www.zytrax.com/books/ldap/ch6/slapd-config.html is a good introduction IMHO [14:59] panfist: http://www.zytrax.com/books/ldap/ in general [14:59] alvin: sticking --verbose in boot (per #upstart) shows me what events are arriving, which should help significantly [15:00] thank you joschi... brb, reading [15:04] OK, why isn't netconsole working? [15:04] netconsole=@/,@10.128.0.1/ [15:09] ARGH, because it's compiled as a module and probably modules can't be accessed before mountall goes stupid [15:11] I'll just roll a new ramdisk with that manually insmodding.... [15:12] OK, that'll work [15:13] hi, im running a (hardy) server with multiple vhosts, i have one vhost (a subdomain) proxied to another machine, which works fine for http, but: how can i proxy ftp request to that subdomain too? [15:14] tried mod-proxy-ftp but the ftp server on the server seems to fetch all ftp requests [15:14] 1 ip only [15:15] smt-mobil: that's because there's no mod_proxy_ftp in apache httpd ;) [15:15] smt-mobil: http://www.ftpproxy.org/ should help. 
there's also a package for this in hardy [15:15] http://mywiki.wooledge.org/FtpMustDie [15:16] smt-mobil: but remember that FTP doesn't know a Host header like HTTP/1.1 [15:17] i know that, if it would know it, it would be quite easy, and there is a module called mod_proxy_ftp [15:19] hmm i guess i will have to use another port for that and forward it right away to the other machine [15:21] joschi: but FTP can act as an open relay [15:21] joschi: so you'd just set up a local FTP server that acted as an open relay from the LAN to the internet, but not vice-versa [15:22] twb: ? [15:23] Er, yeah, ignore that. It'd require the FTP client to be clever === Guest16812 is now known as lau [15:30] is it possible to use ec2-bundle-vol in order to create an ubuntu ami image of a current ubuntu running machine ? [15:31] or do I need first an ami running machine ? [16:04] Does anyone know why my libvirtd would consume this much memory? [16:04] 1599 root 20 0 1139m 847m 2948 S 0 10.6 8:06.92 /usr/sbin/libvirtd -d [16:07] hm, yes, having odd apparmor refusal trying to create a VM with virt-manager [16:07] (in maverick) [16:07] * hallyn installs auditd to help himself out [16:09] hallyn: is this a getattr denial? 
[16:09] hey guys [16:09] pasting [16:09] i'm becoming lame, i used to know how to do this, but obviously i'm doing it wrong, i want this setup i want my machine to work as a gateway for my phone, i want all traffic originating from my phone to be proxied by the tor and polipo setup i've got, i want to make some iptables rules to make dports 80 and 443 coming from to be i believe redirected to the 8118 port and i want to take responses aka secondary connections or anything back to my phone, how can i achieve this [16:12] jdstrand: i think so, but i realized i haven't upgraded in a few days, so am waiting on upgrade, will reboot and re-test [16:13] jdstrand: btw, 0.8.2 should be tagged now [16:13] (havent' seen much activity about how it's going) [16:13] hallyn: if you see a getattr denial, that is a known issue... I think fixed in the latest maverick kernels === dendrobates is now known as dendro-afk [16:13] jdstrand: ok cool then after reboot it should just work :) [16:13] hallyn: oh, you asked about me merging 0.8.2. I haven't thought about it at all. if it is required, we can look at it [16:13] anyone? i've tried iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8118 didn't work, and also iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -j DNAT :8118,. either [16:15] hallyn, kirkland, finally got booted back into that kernel ... bug filed: [16:15] https://bugs.edge.launchpad.net/ubuntu/+source/virt-manager/+bug/602308 [16:16] Launchpad bug 602308 in virt-manager "virt-manager cannot start VMs on lucid with v2.6.35 maverick kernel" [Undecided,New] [16:16] apw: thanks [16:16] jdstrand: ^ looks to be apparmor/libvirt issues [16:16] an hour for the fsck after a crash held me up [16:19] I tried the ec2-bundle-vol with the --no-inherit option but get rsync execution failed any idea ? 
[16:19] I am trying to create an ami image from a kvm running machine === dendro-afk is now known as dendrobates [16:22] any of you know how to set up those iptables rules??? [16:24] New bug: #602308 in virt-manager (main) "virt-manager cannot start VMs on lucid with v2.6.35 maverick kernel" [Undecided,New] https://launchpad.net/bugs/602308 [16:26] jdstrand: after upgrade i still have the problem (checking apw's bug to see if it is the same) [16:26] yup, same thing! [16:27] (so i marked it confirmed) [16:27] jdstrand: i'm leaving soon for lunch, but i'll look at bug 6023808 in detail this afternoon if you don't get a chance or want to [16:28] hallyn, fun! [16:29] hallyn: you might ask jj about it if it is a kernel bug [16:36] will do (though he seems to be out) [16:36] * hallyn back later [16:55] hallyn, jdstrand: libvirt bug is a dupe of #599450 [16:57] mdeslaur: I asked that initially, but thought it was fixed in the latest kernel? I guess by your bug's status it is not [16:57] kirkland: that is most likely a kernel issue [16:57] kirkland: (which is known) [16:57] jdstrand: k -- reassign the bug to the kernel package? [16:57] jdstrand: cool [16:57] jdstrand: it's apw reporting it [16:58] kirkland: we need hallyn to confirm it is a dupe of #599450 [17:07] is the sun-java-jre in the ubuntu repos the server version? [17:35] hi guys [17:35] can someone help me with a tomcat thing? 
[17:35] just need to set ip restrictions [17:36] from what I read on the net, [17:36] I need to edit /etc/tomcat6/context.xml [17:36] and set ...valves.RemoteAddrValve [17:37] allow="x.x.x.x" [17:37] the thing is even when I set it to allow my ip, i'm still blocked [17:38] i'm currently testing the block="x.x.x.x", just to check if tomcat is working properly [17:38] (using ubuntu 10.04 btw) [17:42] jiboumans, ttx: I may be late today to the meeting, have to get to my bank and work out a fraud against my bank account [17:42] hggdh: ack - we'll push the agenda item back if need be [17:42] good luck [17:43] jiboumans: thank you, I will need luck :-( [17:48] can someone walk through a printer install and share over a local network with me? [17:53] does anyone know if you have to do anything special to get a netboot(ed) ubuntu to output to an ILO console? I have console=ttyS1,115200n8 in the pxe cfg default file [17:53] but there is no output on the ILO terminal [17:55] i'm trying to set up openldap server according to the server guide here... https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html [17:57] can someone recommend a good irc server? [17:57] to host an internal one [17:57] i can set it up fine if i use dc=example,dc=com like in the docs, but as soon as i replace that with dc=foo,dc=bar i can't get past the 6th command in the guide (sudo ldapadd ... frontend.ldif) === dendrobates is now known as dendro-afk [18:08] he, no one is able to help... [18:10] LowValueTarget: can you elaborate on the purpose? [18:11] giovani: I want a secure, internal means of a "chatroom" for our support engineers. Figured IRC on an internal network would be best. [18:11] there may be better solutions [18:15] jabber [18:18] cloakable: jabber allows group chat? === dendro-afk is now known as dendrobates [18:20] LowValueTarget: yes [18:23] printers anyone? 
[18:32] the problem i'm having is that the guide on https://help.ubuntu.com/10.04/serverguide/C/cups.html doesn't match up with what i'm seeing after i install cups [18:36] Krazyderek: it may need an update [18:36] i just installed it though [18:36] Krazyderek: can you be specific? It makes it easier if you phrase things in the form of an open ended question. [18:37] after i sudo apt-get install cups everything goes fine, then i use nano to add the serveradmin email address [18:37] there is no line for it so i just create one in the .conf file [18:39] when i start apache i get this warning: * Restarting web server apache2 [Tue Jul 06 17:36:46 2010] [warn] NameVirtualHost *:80 has no VirtualHosts is it something to worry about? [18:39] luist: do you mean for there to be name-based virtual hosts on your server? [18:40] SpamapS, hm... i think so... im running gitorious [18:43] luist: do you have tags in your configs? [18:43] mdeslaur: kirkland: it looks mostly the same. only diff is that on my system all the failures were for '/', not for longer pathnames. [18:44] mdeslaur: kirkland: apw: oh, yeah there are a very few other pathnames in mine, so confirmed it's a dupe [18:44] i'm trying to set up openldap server according to the server guide here... https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html [18:44] i can set it up fine if i use dc=example,dc=com like in the docs, but as soon as i replace that with dc=foo,dc=bar i can't get past the 6th command in the guide (sudo ldapadd ... frontend.ldif) [18:44] hallyn, sounds good feel free to dup it over [18:45] SpamapS, yes... [18:45] done [18:45] panfist: Are you editing that file correctly? 
it contains references to dc=example,dc=com [18:46] i saved the html, did a global replace for dc=example -> dc=foo, dc=com -> dc=bar, and example.com -> foo.bar [18:46] then i loaded the edited html back in my browser and worked from there [18:46] Hmmm [18:46] i thought such a global find and replace would be pretty much fool proof [18:47] * cloakable bites tongue [18:47] SpamapS, http://pastie.org/1033012 this is it [18:47] Don't be lazy, have a look through the ldif, and learn how it works :P [18:48] i dunno how much you know about openldap, but if i did an aptitude purge slapd, rm -R /etc/ldap and start over, would that get rid of any configuration from the last go-around? [18:48] i.e. would that truly be starting from scratch? [18:49] i've gone over both the backend and frontend ldifs, and while i wouldn't say i really know what's going on, i don't see anything that would raise any flags. i'm also reading this http://www.zytrax.com/books/ldap/ in the meantime [18:49] if man cups says browsing options are yes and no, and the default is off, then is no = off? [18:49] panfist: also, rm -r /var/lib/ldap [18:49] i'll try that [18:50] panfist: depending on if you want to get rid of the database too [18:50] my /etc/apt/preferences looks like http://paste.ubuntu.com/459929/ [18:51] sudo apt-cache policy returns lxc -> 0.6.5-1 (the lucid version) [18:51] luist: the bits after VirtualHost have to match the bits after NameVirtualHost [18:51] but I want to keep lxc -> 0.6.3-1 (the karmic version) [18:51] luist: so you need to either change it to NameVirtualHost *, or VirtualHost *:80 [18:51] when I sudo aptitude full-upgrade , lxc prompt for upgrade [18:52] what did I miss ? [18:54] SpamapS, ok... 
*:80 fixed it :) [18:55] luist: ^5 === dendrobates is now known as dendro-afk [19:08] damn i should update mysql-cluster [19:11] New bug: #602379 in openssh (main) "package openssh-server 1:5.3p1-3ubuntu4 failed to install/upgrade: subprocess new pre-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/602379 [19:23] jjohansen: running the maverick kernel on lucid is a good idea? [19:23] yeah [19:24] it is going to be supportted, there is a backports ppa give me a minute to find it [19:30] ttx: o/ - how is bordeaux doing? [19:30] It's doing well ! [19:30] City center is nice on those summer days [19:31] ttx: :) [19:37] hi ttx [19:37] zul: o/ [19:41] jdstrand, are you around? [19:41] i [19:41] smoser: yes [19:41] i'm looking for some crypto understanding [19:43] rot13 ftw [19:44] jdstrand, are you at all familiarl with what a eucalyptus/ec2 manifest looks like or contains ? [19:44] http://pastebin.com/Q55wxrq1 [19:45] smoser: I'm not, no, but I am looking at it [19:45] well, heres an over view of what i understand/know. [19:45] you crate a tarfile (generically payload). === dendro-afk is now known as dendrobates [19:46] then ec2-bundle-image, which tars, chunks, and encrypts it [19:47] i think it stores the key and initialization vector for decryption in the manifest file [19:47] encrypted with both the user's key and amazon's public key [19:47] so, now my question [19:47] we upload these things, and they only contain our filesystem images. [19:48] i want to share those filesytem images. [19:48] since i'm already storing this in s3, i'd like to re-use those bundled files. [19:48] (does my understanding above make sense ?) [19:51] who hollard my name [19:52] jdstrand, ^ [19:52] smoser: yeah, I was looking at it [19:53] :) [19:53] sorry. sorry to nag [19:53] darn, it was difficult even to get money at the branch :-( [19:54] smoser: I don't feel like I understand what they are doing well enough. 
you hinted at public key crypto, but I see AES-128-CBC which aiui is used in symmetric key setups (ie, shared secret) [19:55] kees, mdeslaur, sbeattie: are you guys familiar with the eucalyptus encryption stuff ^ [19:56] not really, but I'm taking a look [19:56] fwiw, most of what i've learned is from reading euca2ools source [19:58] smoser: what's your question? [19:59] ok. my question is [19:59] a.) would there be security consequences to making our manifests and payload data public [20:00] (i'm fairly sure the answer is 'no', as ec2-upload-bundle has a '--acl public-read' flag) [20:01] b.) given what is there, is there a way that I could re-use the published manifests (such as that pastebin) to allow users other than Canoincal user and amazon to read the payload. [20:02] smoser: I hope not, since the first thing google gives me when searching for "ec2_encrypted_key" is the manifest you pasted an hour ago :) [20:02] awesome. [20:03] in fear of that i ramdomly changed some of the encrypted_key and encrypted_iv data [20:04] smoser: to answer that, I would need to know why they're encrypted in the first place. I can't answer your question. [20:04] our images themselves have no reason to be encrypted [20:04] smoser: they are only encrypted in case the image contains confidential data? [20:04] but you can publish private AMIs that would then live in S3. [20:04] i think so, yes. [20:05] smoser: where does the manifest file live? [20:05] next to the parts in s3 [20:05] bucket [20:05] ie: bucket/name.manifest.xml bucket/name.part.00 [20:05] ... [20:06] and the AES key used to decrypt the image is itself encrypted using your key and amazon's public key? [20:06] which, by default, is set only to be readable by the owner and 'za-read' , which is the EC2 user that then provisions the system. [20:06] mdeslaur, thats what i think, yeah. [20:06] mdeslaur: Yes. Either the author or the Amazon system can decrypt the image. 
[20:06] one way or another , there are 2 parties privy to the data there. you , and amazon.
[20:07] with their corresponding private keys.
[20:07] smoser: There was a presentation at a security conference a year or two ago which talked about possible attacks on ssh host keys if the EC2 image is publicly available. I chatted for a while with the authors to make sure that my AMIs were not affected (the images were not public) but I don't know if it is an issue for the AMIs published by Canonical.
[20:07] erichammond, you have any more information on that ?
[20:07] smoser: so, how were you expecting to share this with others if the AES key is encrypted with your host key?
[20:08] smoser: Looking
[20:08] i can't see how that would be the case.
[20:08] but, as obvious to most, i'm quite illiterate
[20:08] mdeslaur, i could share the key, or use a constant key.
[20:09] i don't care about the contents of the payload. i *want* to make them public (i think)
[20:09] smoser: but then everyone's payload is encrypted with the same key
[20:09] smoser: that might be an issue
[20:09] smoser: It had to do with knowing the starting state of the machine and the general time at which the system started. Given this, they thought that it might be possible to substantially reduce the key space.
[20:09] "everyone's payload" ?
[20:09] smoser: also, you would have to remove the AES key that is encrypted with your host key
[20:10] smoser: well, what would people be doing with these images?
[20:10] ok. maybe better explanation.
[20:11] right now, we upload these images to ec2 as "bundles" (with manifest ... encrypted as described above).
[20:11] we also publish (on uec-images.ubuntu.com) the image so people can download them.
[20:12] but, we're already paying for storage in 4 regions (in order to create amis that people can run) on EC2.
[20:12] i'd like to just let people get at that data so they can "download" that way
[20:12] also, i would use them in the publication of our EBS images.
[20:13] Ok so I am getting repeat brute-force attacks on my server trying to guess the root password... I want to set up RSA key identification. I'm kind of new to this though... I have to run ssh-keygen on the server right? and then copy one of the keys to any client machine that wants to connect right?
[20:14] i just tried installing ubuntu-xen-server and it says it can't be installed because one of its dependencies cannot be found, xen-tools.
[20:14] smoser: http://www.slideshare.net/astamos/cloud-computing-security around pages 62-68.
[20:15] smoser: The authors were accessible and may have done further research.
[20:16] erichammond: I haven't read that, but if it is anything like the blackhat one I saw last year, this is a different problem. ie, with an EC2 image, the instances are all identical and often starting on the same host, without anything special going on with the rng
[20:17] hmm..
[20:17] slide 66
[20:17] "random.seed"
[20:17] what is that ?
[20:18] oh, hehe
[20:18] that was the one I saw at blackhat ;)
[20:19] !rsa
[20:22] smoser: it is the seed file used to reseed the system after a reboot
[20:22] smoser: err... s/system/rng/
[20:22] path ?
[20:22] oh. i see
[20:22] smoser: in lucid it is /var/lib/urandom/random-seed
[20:22] smoser: which is used by /etc/init.d/urandom
[20:23] the point in the paper is that between the seed always being the same in an image, and the hardware being identical, and the same host being used on multiple guests, your entropy pool is reduced
[20:23] afaik, it is still a theoretical attack, but makes sense
[20:24] Can I suggest adding https://help.ubuntu.com/community/SSH/OpenSSH/Keys to ubottu under !rsa
[20:25] very interesting about the random generation
[20:26] (fyi, 'man random' talks about how the seed is used)
[20:29] smoser, jdstrand: It seems that potential security risks could be reduced by setting the random-seed (randomly) when the public image is copied to create a new AMI. Then the contents of that AMI should not be available to the public. The random-seed will be changed once the system boots and the user is able to access it.
[20:30] There may still be some issues with EBS boot as users might be able to "stop" the instance before it finishes booting (not sure if this is possible) and look at the contents of the EBS volume.
=== dendrobates is now known as dendro-afk
=== dendro-afk is now known as dendrobates
[20:37] erichammond: ultimately without good local random number support, you have to assume you are at a moderate level of communication security.
[20:39] i'm trying to set up openldap server according to the server guide here... https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
[20:39] i can set it up fine if i use dc=example,dc=com like in the docs, but as soon as i replace that with dc=foo,dc=bar i can't get past the 6th command in the guide (sudo ldapadd ... frontend.ldif)
[20:45] panfist: can you pastebin exactly what commands you're running, and the output?
[20:46] is it possible to copy the stuff that's already entered into my terminal into a text file? (not just history but the output too?)
[20:47] yes
[20:47] select and copy
[20:47] text console
[20:47] select how?
[20:47] meaning not an xterm/ssh session from an xterm?
[20:47] there is no x
[20:47] i just tried installing ubuntu-xen-server and it says it can't be installed because one of its dependencies cannot be found, xen-tools.
[20:47] then no
[20:47] you should be sshing in
[20:47] from a desktop
[20:47] so you have control over the terminal
[20:48] i see
[20:48] let me see what i can do
[20:49] what about gnu screen copy mode? i'm looking into it
[20:51] erichammond, i surely want to get to the point where our images are publicly available (as we do with the uec-images.ubuntu.com)
[20:52] and, jdstrand , erichammond , fwiw:
[20:52] $ ls /mnt//var/lib/urandom/random-seed
[20:52] ls: cannot access /mnt//var/lib/urandom/random-seed: No such file or directory
[20:53] where /mnt is an image from uec-images
[20:54] smoser: Right, it's not installed on the default image which is just as much a known starting point as having a large, fixed set of data on a public image.
[20:54] i'm not sure that i understand the attack.
[20:55] It is generated during boot time using theoretically non-random information and then that is used to generate the ssh host key.
[20:55] that random seed would initially be created by a (possibly bad) random number generator
[20:55] If an attacker can guess the ssh host key, then there is a mitm attack and ssh sessions are no longer secure.
[20:56] ah. so if that non-random information is bad enough, the seed could be guessed.
[20:56] which could reduce the space from which the host key was generated.
[20:56] smoser: exactly.
[20:57] smoser: If, when you build the AMI for EC2, you start with the uec image and then set a random-seed which only you know before registering the AMI, then Ubuntu on EC2 would be more secure.
=== io is now known as steffan
[20:58] i don't follow that
[20:58] smoser: But this requires that you not let the public download the contents of the AMIs. The public should only be allowed to run them.
[20:59] as, if there is no random seed in the image, it is at least partially unknown. i'm guessing created by timestamp or something.
[20:59] so that, given X instances, only some portion of them will have a given random-seed.
[20:59] but, if i create the same random-seed file in all our images, then *all* will have that.
[21:00] smoser: Even when there is a random seed, it is modified by the boot time info.
[21:00] No random seed = known public random seed.
[21:00] Private random seed is secure.
[21:02] Er, I hesitate to say anything is completely secure, but based on my understanding it is *more* secure :-)
[21:02] hm... right. there is obviously a reason it's being kept
[21:02] what is being kept?
[21:03] well, random-seed is being kept. in "normal operation" to seed the random number generator
[21:03] as putting some random-ish value there is better than essentially '0' at boot time all the time.
[21:04] The more sources of randomness you can inject into the system, the more random the result. It is kept between boots so that some randomness from the last time the system was run can be included into the current boot.
[21:04] right
[21:04] that's what i was saying.
[21:04] Unfortunately, if it is known then it does not help add any randomness, so the only source of randomness available to the instance is the boot time.
[21:04] it's being kept, because it's considered better to keep it.
[21:04] right.
[21:05] You've got far better security experts at your disposal than me. I just raise this point for it to be investigated and thought about for improving the EC2 images.
[21:05] Also as it might affect your decision to make the AMIs downloadable.
[21:05] yeah. it is affecting my decision. :)
[21:06] but i would really like for them to be downloadable.
[21:06] basically, i was going through, and trying to reduce my "publish to ec2" time.
[21:06] I'm happy with the availability of the UEC images for use with EC2.
[21:06] which consists of instance-store and ebs volume publish.
[21:07] the ebs volume was pulling from the uec-images, which is horrifically in ap-southeast-1
[21:07] Once you sort out the security issues you might publish a best practice document describing how folks can generate their own random-seed before registering an AMI (if it turns out that is the best option).
[21:07] and i thought "Wait, i've already *got* the data over there in the form of the instance-store bundle"
[21:08] I wonder if EGD would be useful in this case
[21:08] smoser: Since it's your account, you can download and decrypt the AMI bundle.
[21:09] smoser: See ec2-download-bundle and ec2-unbundle
[21:09] yes, by pushing my key to the instance
[21:09] true
[21:09] which is worse :)
[21:09] this affects puppet too
[21:09] puppet instances have to generate unique client certs to auth to the puppet master
[21:10] Glad to hear you're sensitive about protecting the Ubuntu AWS keys, as those affect the entire user base if compromised.
[21:10] SpamapS, why would egd be any better than /dev/random ?
[21:11] smoser: it pulls from sources that are at least a little less predictable than the virtual interrupts cited as problematic in the slide deck linked earlier
[21:11] the problem with egd is the system really has to be busy
[21:11] but early in first boot, there would be no randomness
[21:12] ie 'w' and 'last' and 'vmstat' would be very un-random at that point.
[21:12] so it's fine if your AMI starts up your web app and starts serving traffic, but not so much if you need to start out by ssh'ing in and doing something. ;)
[21:12] i must be missing something.
[21:13] why would EGD be superior to /dev/random
[21:13] another source of randomness which sounds nuts but it's not is to join the tor network. ;)
[21:13] unless /dev/random was known-broken (and harder to service)
=== erichammond1 is now known as erichammond
[21:14] smoser: the jitter on a virtual instance IRQ is probably a lot more uniform than the IRQs from an actual system booting up
[21:14] ah. ok. so you could be seeding the EGD with possibly higher level sources of randomness than the kernel would have.
[21:14] http://true-random.com/ let's ask Amazon to put some of these in their dom0's ;)
[21:14] smoser: Rackspace could offer that as a value add. :)
[21:15] fwiw, there was a thread on lkml (i think) suggesting the use of network data would reduce the randomness
[21:15] as it could be then seeded by someone throwing well defined network traffic at the instance.
[21:15] anyway
[21:15] this is all well over my head , or what i care to learn at the moment.
[21:17] this has been a problem on all kinds of devices
[21:17] i suggested once (maybe someone would point out a reason that it would be a bad idea) a virt-random module that basically passed through /dev/random requests in a guest to the host.
[21:17] I don't know how smart phones are doing it now, but Palm Treos would always warn you that their crypto sucked.
[21:17] so that the idea of "the guest has no suitable randomness" would be false
[21:17] and that you could install whatever source of "more real random" you wanted in the host
[21:18] you just need to have something locally that will get you 4kbit of "better than average" randomness.
[21:19] another way to do it is to use perfect forward secrecy methods of communication to use the bad key only for the purposes of obtaining a higher quality key..
[21:19] giovani here's my success with dc=example,dc=com http://dpaste.com/215242/
[21:19] but that won't protect you if there is a permanent man in the middle.
[21:20] * SpamapS really hates the security rabbit hole sometimes
[21:20] giovani and here's my failure with dc=foo,dc=bar http://dpaste.com/215243/
[21:20] sorry if it's ugly
[21:21] sort of mitigates it completely if you just restrict SSH in your default profile though.
[21:21] both examples show me purging the package, removing /var/lib/ldap, reinstalling and following the guide through to ldapadd ... frontend.ldif
[21:23] panfist: well, you'll need to pastebin your ldifs as well -- because that's likely where the problem is
[21:23] backend/frontend*.ldif, that is
[21:24] the ldifs are copy-pasted directly from the site, and you can see it works at first, then in the second i have included in the pastebin the sed command i used to change the files from dc=example,dc=com to dc=foo,dc=bar
[21:24] i can pastebin the actual files...1 sec
[21:26] backend.foo.bar.ldif http://dpaste.com/215246/
[21:27] frontend http://dpaste.com/215247/
[21:28] * cloakable has found your problem
[21:28] dn: cn=example,ou=groups,dc=foo,dc=bar
[21:28] objectClass: posixGroup
[21:28] cn: example
[21:28] gidNumber: 1000
[21:29] Actually, hmm.
[21:29] No, that seems to be correct
[21:29] * cloakable misread the dn
[21:30] i thought there might be a problem with my choice of dc...one of my original DCs was over 8 characters but i repeated my experiment actually using dc=foo,dc=bar with the same problem
[21:30] then i went to go read the RFC that describes the rules for domain names in LDAP and i didn't see anything wrong there
[21:35] RFC 2247 and RFC 2377
[21:40] sooo where should i go to 'escalate' this? the forums? file a bug report?
[21:47] anyone here using an offsite backup service?
[21:47] i just tried installing ubuntu-xen-server and it says it can't be installed because one of its dependencies cannot be found, xen-tools.
[21:47] peeps[work]: yes
[21:47] giovani, which one do you use, and how do you like it?
[21:48] peeps[work]: I'm using s3 at home -- it works fine, it's cheap given the replication you're getting
[21:48] no minimum fees -- so when I have like 1GB to back up, it costs me a few cents a month
[21:49] giovani so i guess you gave up on my problem? any advice where I can go from here?
[21:50] panfist: I didn't 'give up' -- just swamped at work -- I didn't see anything wrong, although I've never tried using "invalid" TLDs in an LDAP dc -- it's probably fine, but, it would be worth trying with dc=foo,dc=com
[21:50] other than that, I don't know -- sorry
[21:50] i appreciate your time. i'll give that a try next.
[21:51] panfist: yeah, sorry to make you jump through hoops only to give you a non-answer :\
[21:51] I searched a bit to see if anyone was using 'invalid' tlds in production
[21:52] but couldn't find anything but examples, which aren't necessarily being used
[21:52] well i already have the dc=foo,dc=com files, it will only take me a moment
[21:52] true
[21:52] this ldap server is going to be for a sneakernet so i didn't even think about using a valid TLD
[21:53] panfist: yeah, I don't think it's likely to be the issue -- but it's worth trying
[21:56] didn't work
[21:56] is there a particular forum you'd recommend that I post this on? i posted the issue before, but without very detailed terminal output, with no results on the ubuntu server board
[21:57] panfist: well I'd recommend heading to the ldap channels on freenode
[21:57] where you'll get ldap experts
[21:57] rather than people who have just used ldap as a small part of their job
[21:57] twice i have ventured in there and the advice i get is "don't follow the how-to, learn ldap from scratch"
[21:58] ah
[21:58] i'll try again and see what happens. again, thank you very much for your time
[21:58] sorry I couldn't be of more help
[21:58] or any, really
[21:58] at least now i have the proper output to show exactly what my problem is
[21:59] panfist: it's likely that these scripts, or something specific to the howto is to blame
[21:59] so they're probably right about learning it from scratch
[21:59] panfist: the ldap base dn doesn't have any (whatsoever) implications regarding being a TLD or not...
=== steffan is now known as io
[22:06] anyone run zabbix-server-mysql?
[22:15] Does ssh-copy-id copy the public key or the private key? I assume the public key...
[22:16] n/m i guess it copies whichever one you tell it to :P
[22:17] q
[22:19] p1l0t: According to the manpage ssh-copy-id does not copy the private key.
[22:20] I wasn't aware of that command. I've been using one I wrote a very long time ago which I named "ssh-trustme" :)
[22:20] lol a great name
[22:35] i just tried installing ubuntu-xen-server and it says it can't be installed because one of its dependencies cannot be found, xen-tools. if i install xen-tools from source will the ubuntu-xen-server package see this and install?
[22:39] if i install xen-tools from source will the ubuntu-xen-server package see this and install?
=== lifeless_ is now known as lifeless
[22:46] CppIsWeird, not unless you compile it into a package, name the package xen-tools, and give it a version number the ubuntu-xen-server depends on
[22:48] if you must compile from source, you're better off installing the distribution package first, and then installing the source version to /usr/local or /opt or something
[22:49] CppIsWeird: my understanding is that xen support has been almost dropped from ubuntu
[22:49] in favor of KVM
[22:50] what happens with xen?
[22:50] * jmedina uses xen everyday in ubuntu server
[22:50] jmedina: it's not actively supported anymore, it appears
[22:50] https://bugs.launchpad.net/ubuntu/+source/xen-tools/+bug/538917
[22:50] Launchpad bug 538917 in xen-tools "xen-tools is not available in lucid" [Undecided,New]
[22:51] that was from months ago
[22:51] and xen-tools still isn't in lucid
[22:51] it gets left up to universe/multiverse, I guess
[22:51] if someone wants to update the packages, they'll update, otherwise nothing will happen
[22:51] but it is so easy to install xen-tools, you don't even need to compile, they are only bash and perl scripts
[22:52] here are the steps
[22:52] http://tuxjm.net/docs/Administracion_de_Servidores_Virtuales_con_Xen_y_GNU_Linux/html-multiples/ch04s06.html#id608240
[22:52] it works in hardy and lucid
[22:52] jmedina: well, the fact that it's a depend, and missing implies that support is dropping
[22:52] yeah
[22:52] and that it may be completely untested, since you can't even properly install it through apt-get
[22:52] the fact that the package is missing means that you can't just apt-get install it
[22:53] ah ok I understand
[22:53] for lucid I prefer to compile xen 4.0.x and kernel 2.6.31.13 with PVOPS
[22:53] it is not that hard
[22:54] I always compiled xen by hand, since dapper
[22:54] yeah, the point is simply this: working != supported
[22:54] but I never was, well only by community
[22:54] giovani, i'm still looking into amazon s3. are there any particular tools you use to keep your data synced up, or do you upload files manually or what?
[22:55] for these "unsupported" things I prefer to go upstream
[22:55] I like KVM but my customers still have a lot of servers without hardware virt support
[22:59] peeps[work]: there's an rsync based tool. but I forgot the name (of course). It'll encrypt your backups and all (incremental, full, differential - if scripted properly from the command line...)
[23:01] peeps[work]: duplicity :)
[23:02] peeps[work]: (if you want to look into an alternative to S3 you might want to use rackspace and their cloudfiles storage. Not quite as cheap but your trust level might be better with them - and no, I'm not an employee nor affiliate of rackspace...)
[23:15] So RSA authentication now works... All I have to do is turn off password authentication for SSH
[23:17] somewhere in sshd_config I imagine...
[23:19] PasswordAuthentication no /*without the # maybe*/
[23:19] p1l0t: sudo grep -ri password /etc/ssh/sshd_config
[23:19] serverhorror: thanks
[23:20] or rather without sudo. sshd_config is IIRC world readable. Though I have no idea why that actually is the default...
[23:20] Hello everyone
=== serverhorror is now known as everyone
[23:20] hello KeyBoardx86
=== everyone is now known as serverhorror
[23:22] Is anyone here that might help me with a good tutorial to set up an Ubuntu Server as a PDC? right now I'm using a Windows 2008 server running DHCP Server, DNS Server and Active Directory, and I would like to change to Ubuntu server with the same services
[23:22] KeyBoardx86, good luck with that
[23:22] samba 3 is on a hybrid windows NT/2003 level
[23:22] KeyBoardx86: impossible, samba can't act as an AD yet
[23:23] wait for samba 4
[23:23] Does it really need to be a PDC? You could do all the other things anyway
[23:24] PDC _is_ perfectly fine. What you can't get from it is the actual AD stuff.... (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id2564237)
[23:25] yeah
[23:25] basically, it runs Windows NT style domains
[23:25] Well what I would like to do is a server that can act as Windows 2008 server
[23:25] but supports all the other features on a level with 2003/2008
[23:25] KeyBoardx86: define "Windows 2008 Server"
[23:26] 'cuz right now I have 3 servers, 1 is running Untangle, the other 2 run Windows. (one is a PDC server and the other one is a File Server)
[23:26] you need to specify what features you need, specifically
[23:26] KeyBoardx86: You can do dhcp, dns and share folders and whatnot
[23:26] KeyBoardx86: are you referring to a file/print server? if so. Just install samba, point it to the "real" windows server to handle authNZ and be done. Otherwise: impossible...
[23:26] if you use group policy at all, you're SOL
[23:26] ok , let me try to specify, sorry for my english .. I'm from Colombia
[23:27] in the first server (Windows 2008 that is acting as PDC server ) I'm running, Active Directory, DHCP Server and DNS Server...
[23:27] Your english is fine
[23:27] yes, but what are you using AD for? what features do you need?
[23:28] that's the one that I want to replace with Ubuntu Server but I'm afraid that I will not be able to add the second Windows Server (that is acting as File Server)
[23:28] KeyBoardx86: (My Opinion) Honestly, if you do have Active Directory in place with Windows stay with that for the AD/DNS part. Use Samba for file/printer/whatnot sharing. But keep the Active Directory on Windows - that'll save you a lot of headaches (and possibly your job)
[23:28] I'm using AD to create the organizations and users
[23:28] then, the short answer is, it can't be replaced with linux (yet)
[23:28] serverhorror, thx for the advice
[23:29] mmm Ok... gotta
[23:29] samba 4 will be able to do that
[23:29] but it's still in alpha stages
[23:29] incomplete, buggy, unsupported
[23:29] samba 4 will be able to act as AD?
[23:29] mathiaz: https://launchpad.net/~kernel-ppa/+archive/ppa
[23:30] yes
[23:30] cool, well so I believe I have to wait for that
[23:30] has anyone here heard about eBox?
[23:31] !ebox
[23:31] ebox is a web-based GUI interface for administering a server. It is designed to work with Ubuntu/Debian style configuration management. See https://help.ubuntu.com/community/eBox
[23:31] so eBox and webmind will be almost the same?
[23:32] !webmind
[23:33] !webmin
[23:33] webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system. See !ebox instead.
[23:33] KeyBoardx86: only mention I found is in the ubuntu server guide. But I don't have an especially high opinion of those GUI interfaces to manage a server....seems all so cpanel like. I'd rather go with puppet and the recipes crafted to the requirements _I_ (read: my company) have...
[23:34] Does Ubuntu-server come with its own GUI Interface?
[23:34] yes, I am also not fond of these types of systems
[23:34] no
[23:34] hey
[23:34] qman__: no?
[23:34] you can install one, but there is no point
[23:34] Ok, well guys thx anyway for all the information...
[23:34] qman__: well...that depends :)
[23:35] so I might need to wait for Samba 4
[23:35] i cannot access my smb share (bad password). do i still need to set a separate smb passwd?
[23:35] i thought these days it used the unix password
[23:35] serverhorror, he asked if it comes with one, and it does not
[23:36] clusty: depending on your configuration, (smb passdb backend - but the way you phrase your question the answer for your problem is probably yes, see "man smbpasswd")
[23:36] clusty, you have to set one with smbpasswd
[23:36] it synchronizes it with the unix password
[23:36] but it doesn't automatically create it
[23:36] qman__: right, but the server doesn't come with ldap/krb either :)
[23:36] qman__: as in if smbpasswd will change my unix password
[23:36] ?
[23:36] no
[23:37] once an smbpasswd is set
[23:37] every time you change your unix password, it will change your smbpasswd too
[23:38] thanks
[23:38] that was it
[23:38] qman__: does it do it through PAM?
[23:38] libpam-smbpass
[23:38] is what provides the feature
[23:39] great
[23:39] thanks
[23:39] smbpasswd...it does that? I guess I really need to (a) streamline our server OSs and (b) reread all the (config) manpages. *sigh* again it's been only 2 or 3 years since I last updated the basic stuff :)
[23:40] it is possible to build an AD-like solution with lucid
[23:40] truthfully, I'm surprised we still have this problem
[23:40] but it won't create an smb password for you
[23:40] it will only update one
[23:40] you can integrate samba+openldap for domain controller using NTLM (almost deprecated in win7) and then you run kerberos to do SSO
[23:41] almost everything is in the server guide
[23:41] it is actually deprecated
[23:41] you have to change some security settings in the policy and registry
[23:41] if you want something easier try zivios
[23:41] qman__: probably because it wouldn't make any sense to initially set a password for uses having a hash in /etc/shadow upon installing samba
[23:41] s/uses/users
[23:42] qman__: yeap, I have some squid3+AD systems, and they all use AD integration using samba+winbind+kerberos
[23:42] serverhorror, that's true, but users added after the fact don't get smb passwords, or at least didn't last time I set one up
[23:43] qman__: can't comment on that. I can't even remember whether our ldap server initially was woody or sarge :) (yeah, sorry it's debian I'm looking for a corner to hide in our office...) :)
[23:44] jmedina, yeah, I had a windows 2000 print server because I couldn't get samba to make the magic print$ share work right, and as soon as I got a windows 7 client, it was an event getting it to play nice
[23:45] qman__: hmmm I've recently tried to write an article for linuxgazette.com. And I have a print$ config (with all the whizzbang Printer Config Windows Wizard in XP/Vista/7 working....)
[23:45] qman__: but it's 0045am here. If you want me to I could send you a paste of the config parts plus some comments "tomorrow" depending on the time zone of course :)
[23:45] I think it had more to do with the specific printer drivers than the share configuration
[23:46] do you guys have experience with making samba advertise its shares via avahi?
[23:47] nope sorry
[23:47] I don't really know anything about avahi
[23:47] made it advertise AFP
[23:47] I just know how to disable it
[23:47] :D
[23:47] mine all just show up as windows shares
[23:47] for once i need avahi
[23:47] I just know that it usually kills everything I use with .local (or .localdomain or something like that)
[23:48] only thing to do, is to figure out how to make my DNS zone file proper :D
[23:48] thanks for your help
[23:49] I once had to get a windows AD DNS zone up on a BIND server, because the windows server crashed
[23:49] the zone was invalid, had to fix a few records
[23:49] hmmm why would I even want to deal with "if the primary (or unique) key does not exist: insert the new row _or_ if the primary (or unique) key does exist: do nothing" <- couldn't i just insert, and if it chokes ignore that stuff? (sorry some blog post just came up)
[23:50] only if you can be certain that an invalid insert won't change anything
[23:50] now, and forever into the foreseeable future
[23:51] serverhorror: guess it's uncool not handling an error
[23:51] cause your insert could choke cause server is down
[23:51] qman__: the way I read those 2 requirements, the second could never happen, since it would violate a unique constraint. Thus throwing some error back to the application. So I simply insert and if my database tells me constraint violation I'll just catch that exception and do whatever is appropriate...
[23:52] clusty: what happened to "it's better to ask for forgiveness than for permission" (something like that - not a native english speaker so I might as well missquote) [23:53] clusty: and hopefully any sane language will let me (somehow) differentiate between a host unreachable, port unreachable, no route and/or uniq constraint violation.... [23:54] don't know about PHP thou... :) [23:54] serverhorror: well if we are speaking hyphothetical, you could run a big fat sql script [23:54] you don't it choking in the middle [23:54] hmm yeah right that's a point :) [23:54] but I have rollbacks and transactions :) [23:55] Hi [23:55] i know for a fact PG can ignore errors and just go on [23:55] Does anyone have time for a dist upgrade question? === serverhorror is now known as anyone [23:55] oettinger: definitely maybe === anyone is now known as serverhorror [23:56] :) sounds good. [23:56] I just did a "sudo do-release-upgrade" on our web/database server [23:56] It looks like everything went well (so Yay ubuntu). But... [23:57] .oO(drumroll) [23:57] I was hoping that my php would be upgraded to 5.3.x [23:57] but a phpinfo() and "$ php -version" still shows 5.2.x [23:58] apt-cache policy php5 php # will tell you where it installs from. 
And apache needs to _restart_ to get the new php version [23:58] my one server running lucid is on php 5.3.2 [23:58] and that was upgraded from hardy [23:59] jacob@trabant:~$ apt-cache policy php5 [23:59] php5: [23:59] Installed: (none) [23:59] Candidate: 5.2.10.dfsg.1-2ubuntu6.4 [23:59] Version table: [23:59] 5.2.10.dfsg.1-2ubuntu6.4 0 [23:59] 500 ftp://mirror.hetzner.de karmic-updates/main Packages [23:59] 500 ftp://mirror.hetzner.de karmic-security/main Packages [23:59] 5.2.10.dfsg.1-2ubuntu6 0 [23:59] 500 ftp://mirror.hetzner.de karmic/main Packages [23:59] !flood | oettinger [23:59] oettinger: For posting multi-line texts into the channel, please use http://paste.ubuntu.com | To post !screenshots use http://tinyurl.com/imagebin | !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic. [23:59] no flood kick? [23:59] nope. But a warning i think :) (irc noob)
