/srv/irclogs.ubuntu.com/2010/11/03/#ubuntu-server.txt

=== _Techie_ is now known as _TechAway_
=== bastidrazor is now known as bastid_raZor
cole	anyone have a 10.10 box (physical) that would be willing to test a script for me on?	00:28
=== _TechAway_ is now known as _Techie_
jdimatteo1	good evening	02:16
jdimatteo1	how can I configure nsswitch.conf to not timeout with the error "YPBINDPROC_DOMAIN: Domain not bound" before logging in as a local user on a client configured with NIS with no connection to the NIS server? I'm trying to make logging in to a local user work without long timeouts when the connection is lost to the NIS server	02:18
jdimatteo1	the problem seems to be with the group line of nsswitch, group: files nis	02:19
twb	jdimatteo1: not using NIS would be the most obvious way	02:19
twb	Listing files before nis SHOULD suffice to allow local users to log in prior to issuing nis requests. pastebin your whole nsswitch.conf.	02:20
jdimatteo1	twb: thanks, but I want NIS to normally work. I am trying to better handle the unusual case where the network connection is not working and someone needs to login as a local user (e.g. root needs to login to update the networking configuration).	02:20
jdimatteo1	twb: one sec regarding pastebin	02:21
twb	There are also a bunch of options you can put in [square brackets] in nsswitch.conf; I think they're documented in the libc or coreutils info pages...	02:22
jdimatteo1	http://pastebin.com/SAqs2uGq	02:24
jdimatteo1	twb: your help is greatly appreciated... this problem just drive me nuts	02:24
jdimatteo1	I'm reviewing man libc now	02:25
twb	jdimatteo1: ah, start with man nsswitch.conf	02:27
twb	Also, are you broadcasting for the YP server, or are you hard-coding its IP?	02:28
jdimatteo1	twb: I already read man nsswitch.conf. from what I understand, [SUCCESS=return] should be the default anyway, and the other statuses (notfound, unavail, tryagain) don't seem any better	02:29
jdimatteo1	twb: I'm sorry, can you please explain what you mean by broadcasting? I have the YP server hostnames set in /etc/yp.conf, and the ypserver IP addresses defined in /etc/hosts. Maybe broadcasting is setup as well, but I'm not sure (I didn't originally configure this NIS configuration)...	02:31
jdimatteo1	twb: does that sufficiently answer your question about broadcasting?	02:31
twb	Hmm?	02:32
twb	I mean do you have "server 1.2.3.4" in /etc/yp.conf (IIRC)	02:32
jdimatteo1	yes, I do. (specifically, I have http://pastebin.com/hi05CCRp)	02:32
twb	If you don't, IIRC it basically causes it to "ask around" (i.e. broadcast) to find a yp server, which probably takes a while	02:32
twb	You can also try turning off / removing nscd	02:33
twb	Also, if Network Manager is installed, get the fuck rid of it. It causes more network problems than anything else short of a backhoe	02:33
jdimatteo1	twd: I'm not familiar with nscd, and I don't think it is installed on my system (e.g. "whereis nscd" shows no path)	02:35
jdimatteo1	twb: I think Network Manager is installed... I agree with you that it is annoying on a server, so I'm uninstalling it now to simplify things	02:36
twb	In 8.04, if you had NIS and NM installed the damn thing would take twenty minutes to netboot	02:37
twb	Er, to boot at all.	02:37
rdw200169	jdimatteo1: i agree, manual is much easier. seems pointless to have any kind of NM on a server ;)	02:37
twb	rdw200169: NM is pointless everywhere	02:37
rdw200169	twb: double-agree	02:38
twb	double-plus-un-good!	02:38
jdimatteo1	:) something we all agree on, thats nice	02:38
rdw200169	i never thought it was that hard to understand /etc/networking/interfaces... but then again, i'm not normal i guess	02:40
twb	Normal users don't DESERVE computers	02:41
* twb is a sysadmin		02:41
Nafallo	you guys still use interfaces?	02:41
* Nafallo uses vtysh for that ;-)		02:41
twb	Nafallo: that's not in Debian.	02:42
jdimatteo1	twb: OMG, that fixed the issue :) now let me update my nsswitch to actually work for shadow too and see if it is completely solved	02:42
twb	jdimatteo1: fucking typical :-/	02:42
Nafallo	twb: quagga	02:44
twb	Oh, yeah, there it is in apt-file	02:44
twb	I haven't switched to IPv6 yet, so I haven't bothered.	02:44
Nafallo	neither have I	02:45
twb	I mean, it's not like I have an AS...	02:45
Nafallo	when I do add IPv6 I'll do dual-stacking though	02:45
Nafallo	I do :-P	02:45
twb	I did think about it, but I decided it wasn't worth the hassle just to improve multi-path routing to my office	02:45
jdimatteo1	twb: I really hardly believe that fixed it... but it really did... seems unbelievable...	02:45
twb	I mean, most outages are caused by telstra not fixing their copper, which will fuck BOTH my ISPs.	02:46
twb	And of course we were talking about NIS clients, which tends to imply leaf nodes on the network, i.e. BGP is not relevant. YMMV, etc.	02:46
_Neytiri_	can i get some help with ldap i am getting this error	03:02
_Neytiri_	root@Pandora-Eywa-DC1:~# ldapadd -x -W -D "cn=admin,dc=xray-hope,dc=local" -f ~/people_group.ldif	03:02
_Neytiri_	Enter LDAP Password:	03:02
_Neytiri_	ldap_bind: Invalid credentials (49)	03:02
_Neytiri_	root@Pandora-Eywa-DC1:~#	03:02
_Neytiri_	it never asked me to set a password when i set it up	03:02
jdimatteo1	twb: fyi, I must have been confused earlier because it turns out network-manager had nothing todo with the issue. I really couldn't believe network-manager caused my NIS issue, so I reverted to saved snapshot of the system, updated the nsswitch file, and the yp timeout errors are no longer occurring... I guess it is getting too late for me, since I'm not sure why it is working now, but I just wanted to point out ne	03:05
jdimatteo1	goodnight all. my problem is fixed and I have no idea why. good enough for me	03:07
=== jdimatteo1 is now known as jdimatteo1_afk
twb	jdimatteo1_afk: still there?	03:15
twb	jdimatteo1_afk: what VM technology are you using (e.g. KVM)? Are you bridging the VMs to the main network, and are you using proxy arp? IME VMs often have trouble with even simple things, like getting UDP to work reliably.	03:15
_Neytiri_	anyone here can tell mow how to get ldap working on ubuntu 10.4	03:18
c0nv1ct	_Neytiri_, set the password in slapd.conf	03:20
_Neytiri_	where do i find that file?	03:20
twb	_Neytiri_: client or server side?	03:20
_Neytiri_	serverside	03:21
c0nv1ct	_Neytiri_, /etc/ldap	03:21
_Neytiri_	slapd.cond doesent exist	03:21
c0nv1ct	you should know where to find that file since you need to edit it to setup your ldap server	03:21
_Neytiri_	.conf*	03:21
_Neytiri_	the only .conf file is a ldap.conf	03:22
c0nv1ct	look in there then, you should see lines for rootdn and rootpw	03:22
twb	_Neytiri_: is slapd installed?	03:22
_Neytiri_	twb, it should be i am following this tutorial http://www.debuntu.org/ldap-server-and-linux-ldap-clients	03:23
c0nv1ct	_Neytiri_, but you just said it never asked to setup a password	03:24
_Neytiri_	slapd is already the newest version.	03:24
_Neytiri_	it didnt	03:24
c0nv1ct	_Neytiri_, look at the 3rd step in the guide you just posted	03:24
_Neytiri_	did that it only asked 3 things	03:25
_Neytiri_	omit ldap config, pure db and allow ldapv2	03:25
c0nv1ct	if you didnt omit the ldap config, you should of been asked those other questions	03:26
c0nv1ct	should have*	03:26
_Neytiri_	i dinty omit it and it never asked me	03:27
_Neytiri_	didnt*	03:27
c0nv1ct	_Neytiri_, have you tried the guide for ldap in the ubuntu server guide?	03:31
c0nv1ct	the one i'm looking at looks nothing like that guide you posted	03:31
_Neytiri_	where do i find that?	03:31
c0nv1ct	doc.ubuntu.com	03:31
c0nv1ct	or help.ubuntu.com actually	03:32
_Neytiri_	i did a remove on everyting i installed from that tutorial and am working off of https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html	03:35
_Neytiri_	where would i set the actual domin name?	03:43
twb	_Neytiri_: you mean the LDAP DN?	03:44
_Neytiri_	ya	03:44
twb	It's just the (root)binddn and rootbindpw in the LDAP client	03:48
twb	And the objects themselves in the LDAP server	03:48
overrider	Usually when i log into my Ubuntu 10.04 Server, at least every other day there is something for me to upgrade using apt-get upgrade. Since about 9 days, it always reports 0 packages can be updated.	04:19
overrider	This is on two different 10.04 Servers the same, can it be or is there something wrong?	04:19
twb	10.04 has been released.	04:20
twb	That means the only updates for it are security updates	04:20
twb	It's actually bad that you were getting updates every other day -- it meant there were lots of vulnerabilities in the original 10.04 release	04:21
overrider	twb: so you mean i also will not receive updates to already installed packages should there be any?	04:21
twb	There are two kinds of updates	04:21
twb	SECURITY updates fix bugs.	04:21
twb	FEATURE updates introduce bugs.	04:22
twb	Released versions of Ubuntu only get the former.	04:22
overrider	What i am saying is, say Dovecot will release a new version of itself. Will that show up when i run apt-get upgrade?	04:22
twb	It will not.	04:22
overrider	Hmmmm	04:22
overrider	What if the update fixes a security hole?	04:23
twb	Then the security team will (usually) backport that security patch to the earlier version.	04:23
twb	There are exceptions to this, such as Mozilla products.	04:23
overrider	Sorry to be numb, somehow i feel nervous that nothing was there to update since days...	04:24
twb	overrider: but change is bad!	04:24
overrider	its 10.04 server lts, and runs apache, dovecot and postfix and the likes.	04:24
fij0	anybody has used kernel direct boot ?	04:24
overrider	twb: yeah sure, just wanted to make sure i still receive the security updates;	04:24
twb	fij0: never heard of it.	04:24
fij0	im trying but the VM donsent boot	04:25
fij0	twb, http://www.mail-archive.com/libvir-list@redhat.com/msg15128.html	04:25
twb	overrider: unfortunately I don't know a way to be confident about that; you could certainly check that -security is still listed in your sources.list, and that "apt-get update" works.	04:25
fij0	twb, you pass to the VM the kernel of the host .........basicaly	04:25
fij0	sorry mi inglish is realy poor	04:26
fij0	english	04:26
twb	I don't see how that could ever work	04:26
fij0	twb, libvirt support that - http://libvirt.org/formatdomain.html	04:26
fij0	twb, it is realy healfull with lvm , so you cant exec the VM in an lv in the host	04:27
fij0	like xen	04:27
twb	Surely it assumes that either you're running a module-less kernel, or that neither host nor guest EVER changes kernel	04:27
twb	Oh, I see what they're saying.	04:27
twb	They just mean the equivalent of qemu -kernel and -initrd -- as opposed to having a bootloader inside the virtual disk.	04:28
fij0	twb, yes	04:28
fij0	twb, work, im sure, but i cant doit :S	04:28
twb	I have done that before with qemu, a lot. I haven't ever done it with libvirt	04:28
twb	All you do is copy the kernel and ramdisk out of the guest's /boot	04:29
twb	You probably shouldn't put the guest's kernel and ramdisk in the host's /boot, though	04:29
twb	In what way is it not working?	04:30
fij0	twb, when is booting , crash and say	04:33
fij0	boot args (cat /proc/cmdline)	04:33
fij0	check rootdelay= (did the system wait long enought?)	04:34
twb	OK, so it can't find the root filesystem.	04:34
fij0	twb, yes	04:34
twb	Please pastebin your libvirt config file (the XML file), and the full boot transcript.	04:34
fij0	twb, the xml - http://pastebin.com.ar/6320	04:36
twb	I don't think the " should be there	04:36
fij0	twb, the /var/log/libvirt/qemu/base.log - http://pastebin.com.ar/6321	04:37
fij0	twb, what quote ?	04:37
twb	Oops, ignore that, it should be there.	04:37
twb	No, I change my mind again, it shouldn't :-)	04:37
twb	Inside <cmdline />, you have a " on each end. Try removing it	04:37
twb	You can see those quotes aren't present in the CMDLINE example at http://libvirt.org/formatdomain.html#elementsOSKernel	04:38
fij0	twb, yes, i dont know why put that :S , anyway , i remove and happend the same thin	04:39
twb	OK, try specifying the root filesystem by device name instead of UUID	04:42
twb	Also, in the fallback initrd you get, try catting /proc/partitions	04:42
twb	And also in there, look at /dev/disk/by-*/	04:42
fij0	sorry but i dont understand	04:43
twb	After it talks about rootdelay, it should give you a busybox shell	04:44
fij0	twb, yes	04:44
twb	OK, in there, run "cat /proc/partitions"	04:45
fij0	252 0 4194304 vda	04:47
twb	OK, so try root=/dev/vda instead of root=UUID=...	04:47
fij0	something like this ? <cmdline>root=/dev/vda ro</cmdline>	04:48
fij0	twb, it work !!! thanks a lot !	04:49
DanInOz	hey sorry for the noob question, i jsut did a fresh install of 10.10 server and i accidently mistyped the proxy server on the installation. How do I reenter the corrent info?	04:50
twb	OK. Either you got the UUID wrong, or you can't rely on udev UUID/NAME labelling.	04:51
twb	fij0: because it's a VM, it should be pretty safe to just use root=/dev/vda forevery	04:51
twb	*forever	04:51
twb	DanInOz: when it fails, hit "back" or "reconfigure" or whatever the option is	04:51
DanInOz	i've already completed the install	04:51
twb	DanInOz: oh, then go to /etc/apt/apt.conf	04:52
DanInOz	yeap, changed that. still uses old setting for some reason	04:52
twb	That shouldn't happen.	04:52
DanInOz	i'll just	04:52
twb	what is the value of $http_proxy?	04:52
DanInOz	double check it quick but	04:52
DanInOz	i dunno how to change that ><	04:52
twb	DanInOz: you don't know how to change what?	04:52
DanInOz	like i said, i a a noob haha	04:52
DanInOz	system variables	04:53
twb	I don't know what you mean by "system variables"	04:53
DanInOz	sorry i been reading articles off google trying to fix it I could completely have my wires crossed	04:53
DanInOz	ok i checked apt.conf and it has defiantly saved the change i made	04:54
DanInOz	apt still is trying to use the first value though	04:54
twb	Then check the environment variable $http_proxy.	04:54
DanInOz	how do i do that?	04:55
twb	echo $http_proxy	04:55
DanInOz	it just comes up blank	04:56
twb	Then I don't know where you're getting the "wrong" proxy value from.	04:56
twb	Hm, I suppose you should also check /etc/apt/apt.conf.d/*, but I'm not aware of the installer touching that.	04:56
DanInOz	ok i will look	04:56
twb	Also, I'm assuming you're using either "sudo apt-get" or "sudo aptitude"; if you're using something like synaptic, I can't help you.	04:56
twb	If all else fails, you can try grepping recursively over /etc for the bad proxy string.	04:57
DanInOz	ok thank you :) i'll try those things	04:58
DanInOz	thanks for your patiance!	04:58
* pennyless is away: Gone away for now		05:17
eagles0513875	hey guys i have a quick question for anyone. does it matter waht order i configure dovecot + postfix?	06:47
twb	I shouldn't think so, but I haven't done it.	06:47
eagles0513875	ok :-/	06:49
eagles0513875	prior install i was able to get all incoming email then no outgoing then at a point i couldnt get incoming emails either	06:50
twb	That was weird. I just noticed that all my alternatives-managed files in /usr/bin weren't symlinks.	06:50
eagles0513875	O_o	06:53
eagles0513875	im apprehensive to follow the setup guides for dovecot and postfix again	06:53
eagles0513875	to end up with the same result as before :(	06:53
twb	eagles0513875: so go through your /etc history to find out what changed?	06:53
eagles0513875	already purged and reinstalled just havent configured yet	06:54
eagles0513875	atm not sure what would be worse having postfix not working right or having to deal with a microsoft exchange server	06:55
eagles0513875	hey twb	07:02
eagles0513875	im wondering if the issues i was having could be dovecot related	07:03
eagles0513875	dovecot in lucid is old stable version 1.1.2	07:03
eagles0513875	lates is 2.0.6	07:03
uvirtbot	New bug: #670250 in dovecot (main) "upgrade to latest stable version 2.0.6" [Undecided,New] https://launchpad.net/bugs/670250	07:11
eagles0513875	hehe ^^ i reported that	07:13
eagles0513875	any email experts in here this morning?	07:13
_ruben	try asking more specific questions instead	07:14
twb	_ruben: I'm ignoring him, FWIW	07:15
eagles0513875	_ruben: my question is doesnt it matter what order i confgure postfix or dovecot	07:15
_ruben	it doesnt, you should "glue 'em together" yourself anyway	07:17
eagles0513875	ok	07:18
eagles0513875	interesting	07:18
eagles0513875	thanks	07:18
lifeless	.win 67	07:20
eagles0513875	?	07:21
kaushal	hi	07:23
kaushal	I have been facing issue about collectd MySQL Plugin for configuring Multiple DB,It defaults to root user inspite of other user being hard coded in the config,Please advice	07:23
kaushal	I am using collectd 4.10.1	07:23
noaXess	good morning	07:28
noaXess	have a 8.10 installation.. and saw now, that there are no updates..	07:28
noaXess	can't make updates now, cause on http://ch.archive.ubuntu.com/ubuntu/dists/ there is no intrepid ... grrr	07:29
twb	Isn't 8.10 EOLd by now?	07:33
twb	noaXess: you should probably upgrade to a release that's still supported, see https://help.ubuntu.com/community/UpgradeNotes	07:34
eagles0513875	i think it is twb	07:34
noaXess	twb: EOL i think yes.. but don't i need first update to the latest packages on 8.10?	07:35
kaushal	noaXess: https://wiki.ubuntu.com/Releases	07:35
twb	noaXess: I don't know; read the notes I linked to	07:35
noaXess	ok	07:35
=== _TechAway_ is now known as _Techie_
kaushal	Can some one please help me about my query ?	07:43
twb	Sorry, MySQL is boring	07:44
kaushal	i see	07:44
kaushal	what makes you say so	07:44
twb	Because it's not very good at being a real database (cf. postgres), and it's not very good at being an easy-to-use, lightweight toy database (cf. sqlite).	07:48
twb	Which is the position of every DBA I've ever met; the only people that like it are PHP users, which is kind of an anti-recommendation.	07:49
owh	kaushal: What do you mean when you say hard-coded in the config?	07:59
kaushal	owh: shall i pastebin the collectd.conf ?	08:01
owh	No.	08:01
kaushal	when i run the mysql command i am able to connect	08:01
owh	So, what is the actual problem?	08:02
kaushal	whereas when i use collectd, it maps to root@localhost by default	08:02
kaushal	inspite of setting user other than root user	08:02
kaushal	I could see in the collectd debug log	08:03
twb	IIRC mysql has some broken thing where referring to either "localhost" or "127.0.0.1" actually makes it use a socket instead of a port	08:03
owh	Not having ever used collectd, I suspect you might have a syntax error in your config. Can you increase the vebosity? Did you reload/restart collectd after updating the config?	08:04
owh	twb: You appear to be referring to a network/non-network connection parameter which changed default behaviour for security purposes in v4 of MySQL.I don't think it's relevant.	08:04
twb	OK, that was just a shot in the dark	08:08
twb	The last couple of times someone was in here, that turned out to be the problem	08:08
owh	The problem being described appears to be an authentication issue.	08:09
owh	twb: If you make a shot in the dark, that's fine, but it would be smart to let your audience know that it's a shot in the dark. There's nothing wrong with firing off ideas, but you need to provide some context since not everyone knows everyone in this place.	08:10
twb	sorry	08:10
owh	BRB	08:12
kaushal	I have increased the verbosity	08:16
kaushal	to debug	08:16
kaushal	it still not worked	08:16
kaushal	[2010-11-03 01:17:26] mysql_real_connect failed: Access denied for user 'root'@'localhost' (using password: NO)	08:17
kaushal	[2010-11-03 01:17:26] read-function of plugin `mysql' failed. Will suspend it for 10 seconds.	08:17
kaushal	i get that error	08:17
twb	kaushal: that's from collectd's log?	08:18
kaushal	yes	08:19
kaushal	http://pastebin.ubuntu.com/524931/	08:19
twb	kaushal: that doesn't look like root@localhost	08:21
owh	kaushal: Is that the complete configuration file for collectd?	08:22
kaushal	owh: nope	08:22
owh	Does mysql have a nagios user?	08:22
kaushal	yes	08:22
kaushal	Let me pastebin it again	08:22
owh	Did you reload privileges?	08:23
kaushal	http://pastebin.ubuntu.com/524934/	08:23
kaushal	that will explain the details	08:23
owh	It is possible/probable that you have a syntax error in your config, or that collectd doesn't use the credentials the way you expect.	08:24
kaushal	Do you want me to pastebin the collectd.conf ?	08:25
owh	Is there an /etc/default/collectd file which perhaps overrides stuff?	08:25
kaushal	I have compiled collectd from source	08:26
kaushal	I am using collectd 4.10.1	08:26
owh	Well, at that point you lost all support really. Is there not a ubuntu packaged version?	08:26
kaushal	ok	08:27
kaushal	but it does not support multiple instances	08:27
kaushal	I am using 8.04	08:27
owh	The reason I say that is because when you use a ubuntu package, things are stored in certain places and people like me expect things to be in those places.	08:27
kaushal	ok	08:28
owh	Is multiple instances support a compile option?	08:28
kaushal	nope	08:28
owh	So, you hacked it?	08:28
kaushal	http://collectd.org/wiki/index.php/Plugin:MySQL	08:28
owh	Let me get this straight. You're just trying to collect stats from mysql?	08:30
owh	Does it work for one database?	08:32
kaushal	yes	08:33
owh	Why are you then showing a different socket?	08:35
kaushal	It has been configured like that	08:43
owh	A different socket for a different database?	08:43
kaushal	yes	08:44
owh	What happens if you create two plugin sections, rather than two database sections in the same plugin section?	08:44
kaushal	ok	08:47
kaushal	owh: Let me try it out	08:47
kaushal	Thanks for the hint	08:48
kaushal	will update you now	08:48
kaushal	still the same	08:49
owh	So, why are you doing this with two different sockets again?	08:50
kaushal	Its multiple MySQL Instances	08:51
owh	I think you're going to have to ask the collectd developers about this one.	08:52
kaushal	ok	08:52
kaushal	owh: i can pastebin the collectd.conf	08:52
owh	As I said before, I'm not a user of collectd. I'm asking silly questions to get you to say :"Doh, aha!"	08:53
jmazaredo	i will be installing bacula but it ask me to use dbconfig-common will this erase my other databases?	08:57
kaushal	owh: Thanks for the support	08:57
kaushal	np	08:57
owh	kaushal: Not that we got to an answer, but sometimes that happens :)	08:58
kaushal	yes an attempt is crucial in life	08:58
kaushal	isnt it	08:58
kaushal	Thats much appreciated	08:58
owh	Yup	08:58
kaushal	owh: the irony is that no one responds on #collectd	08:59
kaushal	I have been following it rigorously	08:59
kaushal	for quite some time	08:59
owh	I'd see if there is a mailing list and send an email there.	08:59
kaushal	I have tested it with the older version too and then i used the latest under the impression that it would be working fine	09:00
kaushal	but it did not worked either	09:00
Callum__	ugh, postfix doesn't want to work with clamav-milter at all	09:00
Callum__	give it the right name for the socket = still says socket file doesn't exist, even though it does and clamav-milter is running	09:01
Callum__	postfix/smtpd[8781]: warning: connect to Milter service unix:/var/run/clamav/clamav-milter.ctl: No such file or directory	09:03
Callum__	definitely does exist, and is a valid socket	09:03
twb	Grumble	09:09
twb	I get annoyed every time I see clamav on a server, using up all the free CPU and memory	09:10
twb	I think "if they didn't have Windows desktops, I could get rid of this stupid scanner"	09:10
uvirtbot	New bug: #670289 in rabbitmq-server (main) "Laptop won't shut down with rabbitmq running" [Undecided,New] https://launchpad.net/bugs/670289	09:32
Callum__	twb: our business itself doesn't have any Windows machines, but all of our staff do at home so yeah its required	09:34
twb	Stupid staff	09:34
twb	I jump on their heads!	09:34
Callum__	it frustrates me how little about computers they know >_>	09:35
Callum__	but we don't pay them haha we're a non-profit organisation of course	09:35
twb	They should need a license to use them	09:36
twb	like automobiles and forklifts and handgus	09:36
twb	*handguns	09:37
Callum__	heh	09:39
evelyette	hey: I'm having problems with: https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html does anyone care to help ?	09:59
twb	evelyette: you need to describe the problem first.	10:05
dubphil	Hello	10:12
evelyette	twb, hi	10:23
evelyette	well the problem is with step 5: the command I try to issue says: ldap_bind: Invalid credentials (49)	10:23
evelyette	it's because I don't have cn=admin,cn=config	10:23
twb	Are you on 10.04?	10:24
evelyette	10.10	10:24
evelyette	twb, ^	10:24
twb	Then why aren't you reading the 10.10 server guide?	10:24
evelyette	does it exist?	10:25
evelyette	well it should be the same ...	10:25
twb	TIAS	10:25
evelyette	yes it's the same	10:26
evelyette	so, do you have any idea why that happens	10:26
evelyette	because I've read this: http://www.openldap.org/doc/admin24/slapdconf2.html and there's no mentioning of "cn=admin,cn=config"	10:26
evelyette	so why should that even be there?	10:26
twb	IIRC cn=admin,cn=config is where Ubuntu moved the database config from slapd.conf into the database itself	10:28
twb	I've only dealt with slapd on 8.04, so I don't know much about it	10:28
evelyette	no it's the cn=config ...	10:29
evelyette	not the cn=admin,cn=config	10:29
evelyette	http://www.openldap.org/doc/admin24/config_dit.png	10:29
evelyette	there's cn=module,cn=config and cn=schema,cn=config. ...	10:29
evelyette	but no cn=admin,cn=config	10:29
twb	Dunno, man	10:35
rdw200169	i hated it when they moved to cn=config	10:46
twb	I hated pretty much every change from 8.04 to 10.04	10:53
twb	If joeyh's cuts get off the ground, I will just switch to it and tell the customers I'm running the "reliable" version of ubuntu	10:53
twb	The only reason I adopted ubuntu was because of the "when it's NOT ready" release schedule	10:54
ScottK	twb: Take a look at what's in Debian and not of the security hardening features in Ubuntu first.	11:00
ScottK	w.u.c/Security/Features IIRC	11:01
twb	Yeah, you have a point there	11:01
twb	Poor kees, he tries so hard to get traction there	11:01
twb	I just get so angry when simple stuff like booting from NFS doesn't work in an LTS release because of cyclic dependencies in the upstart jobs	11:02
kinygos	hi...what is a good program to pipe log files to on my ubuntu server? primarily i'd like to feed it logs from apache2 and postgres8.4, and would like the rolled every 24 hours	11:09
qman__	kinygos, this is done by default, though the rotation is usually longer than 24 hours	11:10
kinygos	bugger...it's always the way, i've literally just found an article on LinuxLogFiles on ubunt.com (sorry about that)	11:11
kinygos	qman__: thanks for that...i'll check what's going on in my server at the moment :)	11:12
twb	kinygos: what you pipe them into really depends on what you're trying to achieve	11:13
twb	e.g. logcheck and denyhosts both work by reading logfiles, but they do different things	11:14
ScottK	twb: It's clear that the boot work in the last LTS was not well considered for the server use case. That's unfortunate, but I suspect a one off occurrence. If you have suggestions on how to fix it, I'm sure if it's not too invasive, they'd be open for changes.	11:22
kinygos	twb: very good point...thanks :)	11:23
Cope	hey	11:24
twb	ScottK: I realize that specific case was a one-off, but there seem to be a lot of one-offs for server users	11:24
Cope	trying to debootstrap a lucid image for uploading to ec2 as an ami	11:24
Cope	do I need to install the ec2 kernel?	11:24
Cope	in the chroot?	11:25
twb	About the worst thing Debian did to me was the motd fuckup	11:25
ScottK	twb: I think NFS is sufficiently non-obscure that there would be interest in getting it fixed. A large problem is that most server people don't test pre-release.	11:25
twb	Nod.	11:25
twb	I tested 8.04 pretty extensively, but IIRC timing of 10.04 didn't tie in with the contracts I was working late 09 / early 10	11:26
twb	(i.e. I wasn't paid to start developing until June, and that was only because we discovered without warning that 8.04 didn't work with the Atom D510's GPU.)	11:27
Cope	any thoughts on the ami / ec2 kernel?	11:27
Hatrix\|away	I was used to the IOSTAT command and at some debian installations the iostat utility give ma all information in one line, as in (vmstat 1) ... but now on lucid iostat gives me statistics vertically, it's so hard to read changes if you do a iostat 1 ... is there a way to change the format to be on one line again? I did not find anything in the man pages .... or is this a new iostat?	11:28
twb	Hatrix\|away: I've never seen a one-line iostat in linux.	11:30
Hatrix\|away	twb: what is joeyh's cuts?	11:30
twb	Hatrix\|away: Joey Hess is talking about making time-based snapshots of Sid, called "cuts"	11:31
Hatrix\|away	twb: hmm, and for what reason, is this ubuntu related or debian related?	11:31
twb	ref http://kitenet.net/~joey/code/debian/cut/	11:31
twb	Hatrix\|away: I don't understand the question.	11:32
twb	Hatrix\|away: did you mean iostat output like this? http://paste.debian.net/98916/	11:33
Hatrix\|away	twb: yes, exactly	11:33
twb	That's OpenBSD.	11:33
twb	on linux, it looks like this: http://paste.debian.net/98917/	11:33
twb	(And that's FC3, so it has been like that for a while.)	11:34
Hatrix\|away	well, i have it on a debian machine, and was used to it, but all ubuntu machines i have have the long output	11:34
Hatrix\|away	twb: like here: http://inetpro.org/pastebin/10475	11:35
Hatrix\|away	this is a debian 5.0.3	11:36
twb	I don't know how you got that. Try looking at the manpage.	11:36
kinygos	omg....i've just looked in /var/log/auth.log for sshd logins, and it's packed with failed attempts from ip addresses i've not seen!!! am i being naive??	11:36
Hatrix\|away	I did, I am not a linux newbie ... but I did not find out anything	11:36
Hatrix\|away	kinygos: haha, yes, for years i put my ssh logins to different ports (like, bigger 32000), that will not stop a determined person, but stops all those script kiddys and bot-net attacks	11:37
qman__	any SSH server listening on the default port will get hit	11:37
qman__	there are many ways to protect yourself	11:38
kinygos	wow...i think changing port is the first thing to do	11:38
qman__	changing ports can be very inconvenient, and isn't the only way	11:38
Hatrix\|away	twb: ah, please forgive me, I never check the path of this iostat, it's a selfcompiled one from http://linux.inet.hr .... seems the prior admin loved the iostat onliner from bsd that much :-) haha, and I was searching my ASS off in the man pages	11:38
qman__	limiting firewalls and fail2ban will also negate these attacks	11:38
c0nv1ct	i'm a big fan of port knocking for ssh access	11:39
twb	c0nv1ct: with -m pknock, or do you use some lame-ass userland implementation?	11:39
Hatrix\|away	qman__: yes, and that's why I said that I do it this way, of course there are million different ways, i like the port knockers though, but to much trouble for me	11:39
c0nv1ct	twb, lame-ass userland that works fine for me	11:39
twb	Bah.	11:39
twb	If anyone has a working -m hashlimit / -m recent implementation, let me know.	11:40
c0nv1ct	twb, what advantages does -m pknock give?	11:40
qman__	I use a -m recent	11:40
twb	I can get -m recent working, but -m hashlimit just sits on its ass matching every / no packet.	11:40
twb	c0nv1ct: it's in-kernel, so it'll still work when parts of your userland flake out.	11:40
twb	And obviously it means a purely declarative iptables-restore ruleset.	11:41
c0nv1ct	i thought userland knockd just relied on iptables	11:41
twb	The latter is less of an issue if your userland implementation is ipset(8)-based	11:41
twb	c0nv1ct: anything that calls iptables(8) directly is basically wrong and vulnerable to race conditions	11:42
soren	twb: How do you figure that?	11:43
twb	soren: based on the advice of the good folk of #netfilter, i.e. the guys who make iptables	11:43
soren	twb: What would you use instead?	11:43
twb	But also because I've experienced race conditions from scripts that weren't iptables-restore(8) based.	11:43
soren	Oh.	11:44
soren	iptables-restore is atomic?	11:44
twb	<customer> Hey I just restarted the server and the network isn't working so good. <me> hm, looks like you have four copies of most rules because all four ports on the NIC triggered the load-firewall script in your post-up.d	11:44
twb	soren: it's atomic at the table level	11:44
twb	i.e. it doesn't load -t nat and -t filter together, but everything in -t filter is an atom	11:45
soren	Cool.	11:45
twb	ufw uses iptables-restore, too, but in a slightly funny way	11:45
* soren never realised		11:45
c0nv1ct	what does shorewall use? i've started playing with it here a few days ago	11:46
twb	soren: part of the problem is that the kernel api for iptables is actually atomic at the table level no matter what you do	11:46
twb	soren: so iptables -A is actually dumping the entire filter table, making a change, then restoring the whole table again	11:46
soren	twb: "clever"	11:46
twb	Which is OK if you're playing around, but a script shouldn't be doing it.	11:46
twb	c0nv1ct: shorewall's latest major release (4.x?) is iptables-restore oriented	11:47
_ruben	switching from iptables to iptables-restore was quite noticeable for us .. firewall reloads went from 1-2minutes to a few seconds tops	11:49
kinygos	naive question: i only have a dedicated server in the data-centre, no firewall that i can play with...would installing a firewall daemon on my server have a significant impact on performance?	11:51
twb	Plus it's a lot sexier	11:51
twb	#!/usr/sbin/iptables-restore -v FTW	11:51
twb	None of this <<EOF crap	11:51
twb	Just have udev give your interfaces logical names.	11:51
* kinygos feels foolish having just read a bit about ufw		11:56
twb	kinygos: Linux implements the (layer 3) firewall in-kernel; it isn't a daemon.	11:59
twb	Anything you see claiming to be "a firewall" (e.g. ufw, shorewall) is actually just a wrapper around the netfilter/iptables stack, intended to make it easier to use.	11:59
kinygos	twb: the last 20 minutes of dialog here have scared me...am i right in thinking that i should at the very least enable ufw on my server? then look at pknock?	12:01
twb	ufw is a reasonable choice if you only need tcpwrappers-level flexibility	12:02
* kinygos is a developer, not a systadmin...but he's on his own		12:02
twb	i.e. deny all, but allow port X to/from hosts Y and Z	12:02
c0nv1ct	i'm having a hell of a time finding info on pknock	12:02
twb	c0nv1ct: it's part of xtables	12:02
c0nv1ct	twb, is it main line or do i need patches?	12:02
twb	Unfortunately it's currently not mainline :-(	12:02
c0nv1ct	i just skimmed through the netfilter section of my kernel config and didnt see it, so i wondered	12:03
twb	AIUI xtables is the module that provides all the bits the netfilter guys think are cool, but haven't put into mainline yet	12:03
twb	it used to be called patch-o-matic IIRC	12:03
c0nv1ct	thx	12:04
kinygos	twb: just to be sure i understood correctly...ufw is enough if i only want to allow the world to connect on ports 80 and 443, but only my machines to connect on 22?	12:05
twb	kinygos: ufw suffices for that	12:06
kinygos	twb: awesome, thank you very much for your time and consideration :)	12:06
twb	It's something like (from memory), "ufw enable; ufw allow http; ufw allow https; ufw allow ssh from 192.168/16"	12:06
kinygos	rofl....i was about to enable ufw over my ssh connection !!! i only have remote access lol	12:08
kinygos	praise the developer that coded the warning...i could've lost my server completely	12:08
twb	If it has any brains it'll (essentially) be connection-oriented, meaning that most of the time you have to hang up ssh to REALLY shoot yourself in the foot	12:09
c0nv1ct	kinygos, lol, that is one reason i liked `shorewall try`	12:10
kinygos	i actually have to think about this carefully...i don't have direct access to this server...if my local ISP decides to change my ip address (i'm on a home broadband setup), i'll be buggered completely	12:12
kinygos	is it possible to configure my ubuntu-server to boot up with ufw disabled?	12:14
twb	c0nv1ct: iptables-apply ?	12:14
twb	Personally I don't like it because it was written by some ubuntu schmuck, yet it's shipped by upstream with all the upstart references intact...	12:14
twb	Hm, my mistake. It's restarting fail2ban, not upstart.	12:16
twb	Hm, is it just me, or does it confuse exit(126) and exit(127)?	12:17
kinygos	rephrase my question: is it possible to have my server boot up without a certain rule enabled?	12:17
twb	It's just me.	12:17
twb	kinygos: anything is possible	12:17
twb	AFAIK ufw is designed to be all-of-nothing. You give it a ruleset (via "ufw allow" and "ufw deny"), then tell it to be on or off.	12:18
kinygos	twb: so i could potentially turn off the rule relating to ssh on reboot in a start-up script	12:19
twb	That would be a little weird	12:19
twb	kinygos: what are you really trying to achieve?	12:20
c0nv1ct	kinygos, can you have the server rebooted without remote access?	12:20
kinygos	twb: i have no control over the ip address i'm assigned locally by my ISP. if i restrict ssh access to my ip address, i could lose ssh access to my remote server	12:20
kinygos	c0nv1ct: yes, i have a lights-out board	12:20
c0nv1ct	kinygos, because you could just have a reasonable delay before the firewall is enabled	12:20
twb	kinygos: just restrict it to your ISP's /12, and ensure that password-based access is disabled?	12:21
c0nv1ct	that would limit the vulnerability but still leave you an emergency out	12:21
twb	Or you could simply block everything except, say, alioth.debian.org, and then always ssh into your server via alioth	12:21
twb	(Where alioth is some well-known host that isn't actually alioth, because I don't want the alioth admins to come around and break my fingers.)	12:22
kinygos	twb: lol...i was wondering :)	12:23
patdk-wk	why not just use port knocking?	12:23
=== JanC_ is now known as JanC
c0nv1ct	patdk-wk, twb scared us all away from userspace port knocking	12:23
kinygos	c0nv1ct: i like the idea of a delay	12:23
patdk-wk	userspace?	12:23
patdk-wk	dunno, only used it in the kernel	12:24
c0nv1ct	as in knockd	12:24
patdk-wk	na, iptables can do it all by itself	12:24
twb	What I'd really like is just to have exponential backoff in the sshd itself	12:24
twb	But the OpenBSD guys won't accept the patch "because it'd make logins slower"	12:24
twb	Well, duh! That's the point!	12:24
twb	c0nv1ct: xtables has -j TARPIT, too	12:25
jpds	I wish iptables had TARPIT.	12:26
twb	jpds: m-a a-i xtables-addons, iptables -A INPUT -j TARPIT	12:26
kinygos	twb: that is such a blindingly obvious solution	12:26
jpds	twb: Is the patch maintained though?	12:27
twb	I don't remember the precise invocation because I'm not putting cc on my bastion router	12:27
twb	jpds: AFAIK it's the same guys that maintain the rest of netfilter	12:27
patdk-wk	heh port knocking is supported without xtables, all you need is the recent module, and that is on my 8.04 install	12:29
patdk-wk	example: http://www.shorewall.net/PortKnocking.html	12:29
patdk-wk	shows pretty much the raw iptables lines	12:30
twb	That's not a knock sequence	12:31
twb	That's just one knock	12:31
twb	To do a proper sequence of, say, four ports, you'd need four different -m recent --name's	12:32
jpds	twb: http://pastebin.ubuntu.com/525018/	12:32
patdk-wk	heh?	12:32
twb	jpds: er, .35? Are you running a non-LTS release?	12:32
jpds	Maverick on the laptop. :)	12:33
twb	Humph	12:33
twb	But yeah, I'd talk to #netfilter about that. I'm just a user	12:33
twb	jpds: FWIW, compiled perfectly against debian's 2.6.32-5-amd64	12:41
jpds	Yeah, I don't have a box I can test it on at the moment.	12:41
Dark-Sun	hi every1	12:51
Dark-Sun	i have a firewall web panel, it uses perl and works with iptables. i was wondering if is it safe to run the perl script as a daemon using init scripts or not? (web server is apache, server ubuntu 10.04 lts)	12:54
twb	Dark-Sun: that really depends on what the code actually does	12:56
Dark-Sun	twb: not a big deal, reads a text file (iptables's parameters), executes iptables based on that once a while.	12:57
twb	Ah, I see you weren't around for the recent iptables discussion	12:57
twb	I'll /msg you a transcript.	12:57
Dark-Sun	twb: no	12:57
dubphil	Dark-Sun : why the hell using perl for this ?	12:57
_ruben	hm, backporting haproxy from maverick to hardy aint gonna be trivial	12:58
Dark-Sun	dubphil: it was an exercise for the collage. guess it's too bad in the real world, isn't it?	13:00
dubphil	Dark-sun the straighter is the safer	13:01
Dark-Sun	twb: what's wrong with iptables?	13:01
Dark-Sun	dubphil: and what do u mean by "straighter"? shell script?	13:02
dubphil	Dark-Sun: yes of course, stacking block is the way to introduce security holes	13:03
RoyK	dubphil: perl is pretty safe, you know, even if you like it or not	13:04
Dark-Sun	dubphil: that's right. but market demand is on GUIs.	13:04
dubphil	RoyK: yes but security depends on the way you code not on the language itself	13:05
ScottK	Right. It's possible to write php in almost any language if you work at it.	13:06
Dark-Sun	agree. my code isn't safe at all! :( i'm on to secure it.	13:06
Dark-Sun	guys, please, now i may add it to init scripts beside apache ro i should take care of it?	13:07
dubphil	giving apache the ability to start or stop the firewall, great !	13:09
RoyK	dubphil: indeed	13:09
Dark-Sun	dubphil: oh, hell no! apache can't do anything to the script.	13:09
Dark-Sun	script should being run as root.	13:10
dubphil	Dark-Sun: sorry I didnot understand what you ment before then	13:10
Dark-Sun	dubphil: np, i was just talking about execution at the startup before any user does login.	13:11
ivoks	ttx: how's your new position? :)	13:12
Dark-Sun	if i add it to rc.local it would be like that, right?	13:12
ttx	ivoks: so far, not very different :)	13:12
ivoks	:)	13:12
dubphil	Dark-Sun: you can tweak this by giving a priority	13:13
Dark-Sun	dubphil: humm.. and how may i do it?	13:13
dubphil	man update-rc.d	13:13
Dark-Sun	dubphil: that's what i call a real nice answer. thanks dude ;)	13:14
dubphil	look at the NN or SS and KK	13:14
=== MagicFab is now known as Guest14201
dubphil	anyone using logcheck here ?	13:23
twb	dubphil: I am.	13:23
twb	What's your real question?	13:23
dubphil	twb: I have put this in my ignore.d.server/local file : ^\w{3} [ :0-9]{11} hostname fetchmail\[[0-9]+\]: Query status=3 (AUTHFAIL) and it is always in my logs reported by logcheck, any idea why it is not taking in account ?	13:26
twb	dubphil: did you follow the logcheck documentation for creating new entries?	13:26
twb	dubphil: In particular, using egrep to test it, and the difference between normal and security local overrides?	13:27
\sh	hmmm..does someone run couchdb behind an apache reverse proxy ? I see some very strange things happening with futon but no error in logfiles...	13:28
dubphil	twb: perhaps not so, but because I had some other regex that where working I didnot understand why this one wouldn't	13:28
dubphil	so I will check the doc	13:29
twb	dubphil: I suspect because it has AUTH in it, you need to whitelist it in the security area	13:29
twb	Er, s/security/violations/	13:30
dubphil	twb: ok I did it in ignore.d.paranoid without much success, ok I test it in violations.ignore.d	13:31
twb	The other way, of course, is to actually fix the software so it doesn't generate that error	13:36
hackeron	hey, I have a /var/crash/linux-image-2.6.32-24-generic.0.crash - how do I get a traceback out of this file?	13:37
dubphil	twb: I use fetchmail to retrieve all my emails from the junk isps so their mailserver are not so reliable	13:38
twb	Dammit. I just stepped through pbuilder --create --distribution, only to realize I forgot --architecture i386.	13:41
dubphil	twb: arf how long it takes ?	13:43
twb	maybe twenty minutes	13:43
hackeron	anyone? I have a /var/crash/linux-image-2.6.32-24-generic.0.crash - how do I get a traceback out of this file?	13:48
dubphil	hackeron: how did you get this file ?	13:51
hackeron	dubphil: apt-get install linux-crashdump and wait for it to crash (which I assume is caused by the dvr card)	13:52
jdstrand	twb: fyi, ufw upstream does not install an upstart job, or a sysv initscript for that matter. it states in the README that if installing from source you have to figure out how to integrate it into your system. it does ship an example upstart job and initscript	13:53
twb	jdstrand: re upstart & upstart, I was talking about iptables-apply	13:53
jdstrand	ah	13:53
twb	But it actually restarts fail2ban, via init.d	13:54
jdstrand	missed the context from backscroll	13:54
twb	jpds: GODDAMMIT, you're right, xtables-addons doesn't build for me on lucid. Stupid ubuntu	13:56
jpds	twb: Built for me on a virtual machine.	13:58
rdw200169	who needs ufw anyway? this is -server we're doing here, not some easy-fied user stuff, why not just learn iptables... its not much different	13:59
jpds	(Lucid one that is).	13:59
twb	Hm, it seems to be getting pissed because the host arch is amd64, but the chroot is i386	13:59
hackeron	dubphil: https://wiki.ubuntu.com/Kernel/CrashdumpRecipe says to do apport-retrace --stdout --rebuild-package-info /var/crash/linux-image-2.6.32-24-generic.0.crash but I just get IndexError: list index out of range	14:00
dubphil	hackeron: sorry I will not be of help on this anyone to help hackeron ?	14:01
twb	http://pastebin.com/nafC2C4Z is what I'm getting	14:07
=== ivoks is now known as ivoks-afk
twb	Ah, the trick is to run "linux32 m-a ..." instead of just "m-a ..."	14:15
hallyn	jdstrand: libvirt compiled locally, but not in my ppa, so i guess hold off on that merge request for a bit :(	14:31
soren	twb: Yeah, the kernel build is kinda picky with the personality.	14:33
twb	Heh, shows how dumb I am -- I hadn't even noticed -j TARPIT needed -p tcp	14:33
jdstrand	hallyn: ok	14:39
patdk-wk	twb, your just funny :) you can't tarpit udp :)	14:43
twb	patdk-wk: or, say, -p ah	14:45
patdk-wk	ok, none-window-based-protocols :)	14:46
twb	Actually only -p 6 is supported at this time	14:51
twb	Others may be theoretically possible, of course	14:51
twb	(Patches welcome, I expect.)	14:51
ScottK	kirkland: RE packageselection-server-n-install-flavors - I thought for SSH we ended up on the idea of an installer question, but default to not installed so it doesn't have system policy implications.	14:51
kirkland	ScottK: nope, I took the action item to take this to the tech board	14:52
ScottK	I know we said that at one point, but I thought there was more discussion afterwards.	14:52
ScottK	Simply having the installer question solves the "Oops, I forgot" problem.	14:53
ScottK	SpamapS or ttx: ^^^ do you recall this?	14:53
kirkland	ScottK: installer question, yes, cursor hovering over "yes, install", but giving sufficiently ominous text that would convince the paranoid to move the cursor to "no, don't install"	14:53
kirkland	ScottK: that part I remember	14:54
ScottK	Right, I recall more after. Just as the session was ending.	14:54
ttx	ScottK: we went back and forth on the subject, I tend to recall the same thing you did, but maybe it was hallway discussions just after	14:55
ScottK	Could be.	14:56
ttx	Maybe raising an RFC on ubuntu-dev before going to the TB would be a good idea	14:56
ScottK	kirkland: I'd suggest adding the question with default No for Natty and then re-assess.	14:56
ScottK	We mostly need to get this right for the next LTS, so there's no need to push it too hard in this cycle.	14:56
kirkland	ScottK: why?	14:56
ScottK	Because adding a question that defaults to no will be completely non-controversial. Let's do that step first and assess if more is needed.	14:57
kirkland	ScottK: in that case, we can just add the question, no permission needed if we default to no; and then simultaneously ask for permission to change that default to hovering over "yes"	15:01
kirkland	ScottK: i don't see the point in wasting any more Ubuntu cycles with the default set to something sub optimal	15:01
ScottK	I think the case would be stronger if we could say "We tried defaulting to no for one cycle and people still have problems."	15:01
ScottK	kirkland: Part of the problem is that lots of people will consider a yes default sub-optimal.	15:02
kirkland	ScottK: and they will be in a minority	15:02
kirkland	"are"	15:02
kirkland	If you're installing a server, you need SSH, except in very specific circumstances, in which case you hit "<tab><enter>"	15:03
kirkland	instead of "<enter>"	15:03
ScottK	If ssh is installed by default, we will need process for dealing with short notice ISO respins if security issues in the package happen again.	15:05
kirkland	ScottK: it wouldn't be "installed by default" ... it would take a conscious decision to hit <enter> while hovering over the button that says, "yes, i want to install ssh on this server and open port 22"	15:12
kirkland	smoser: you might want to change the approver of https://blueprints.launchpad.net/ubuntu/+spec/cloud-server-n-desktop-images to robbiew	15:12
ScottK	If the question defaults to yes, it's installed by default.	15:13
kirkland	ScottK: "by default" means that you're not asked whether you want it or not; like the -server kernel is installed "by default"	15:13
ScottK	I don't think you can assume a user always sees all questions.	15:14
kirkland	ScottK: that's what I came into the session asking for, but we compromised on pulling the ssh-server part out of the tasksel, and giving it special treatment, devoting a question directly to it	15:14
smoser	kirkland, done	15:14
soren	ScottK: We choose which questions to ask.	15:14
ScottK	kirkland: I think a question is great, I just want it to default to no.	15:15
kirkland	ScottK: we also agreed that if users are preseeding, then the default is "no"	15:15
ScottK	OK.	15:15
kirkland	ScottK: if the default is "no", i refuse to put any effort into adding a question to the installer	15:15
smoser	i probably have to change all of those.	15:15
kirkland	ScottK: completely defeats the point	15:15
kirkland	smoser: yeah	15:15
kirkland	ScottK: there's already such a question, in the tasksel	15:16
kirkland	ScottK: its sufficiently buried already	15:16
ScottK	kirkland: I disagree. The point is people forget to add the task, so it needs to be more obvious. A question solves the problem IMO.	15:16
kirkland	ScottK: and we'll continue to have an inanely "safe" default, at the expense of the vast majority of server users would benefit from us taking an intelligent stand, rather than an unreasonably staunchly conservative stand	15:17
* patdk-wk likes selecting it from tasksel, and wouldn't like a seperate question		15:18
kirkland	ScottK: it's like defaulting the networking stack to "disabled" by default, just to make sure someone doesn't accidently enable networking	15:18
patdk-wk	either auto install, or in tasksel is good for me (a user)	15:18
mathiaz	ttx: o/	15:18
mathiaz	ttx: how are you doing today?	15:18
ScottK	kirkland: I see your point, but I think presenting the question is a sufficient solution. We'll have to disagree then.	15:19
kirkland	patdk-wk: thank you for your input.	15:19
kirkland	ScottK: fair enough; if i'm going to spend any time on this at all, i'm working to have a sane default, which is "SSH is an essential tool installed on most servers which are installed interactively; let's make this intuitive"	15:21
patdk-wk	I'm more under the understanding, if someone is security critical, they would inspect the installed packages, and remove anything not needed, or have their own preseed file they use instead	15:21
SpamapS	ScottK: here now.. I do recall that there was a desire to put it in the first stage of the installer, and that there was considerable resistance to putting any "scary" language in the installer.	15:21
kirkland	ScottK: if you're going to somehow veto that, then I'm not going to spend any effort on this and will abandon the idea entirely	15:22
cradek	(as just another user with 2c) it is a minor pain to have to remember to install sshd on each desktop machine I install. I have no machines without ssh servers. I am surprised that it is not default on a server install. I am surprised it is controversial.	15:22
ScottK	kirkland: I don't have any veto power.	15:22
pkstef	would anyone have any tips for setting up ubuntu-server as a personal seedbox?	15:22
soren	What does a seedbox do?	15:23
\sh	patdk-wk: someone security critical would adjust the ssh default config to not listen on all interfaces/ips etc. and imho most server admins are installing sshd by default, or they do have another method of accessing the box remotely	15:23
SpamapS	kirkland: I'm 100% behind ScottK here. Security sits on the other extreme of the scale that ends with Convenience. We can tick it a little back toward convenience with a well thought out check box... going further means a bit too much exposure IMO.	15:23
pkstef	downloads torrents then i can ftp them from a different location	15:24
marrusl	I am also pro enabling sshd. you should be setting up in a pretty secure environment in the first place.	15:24
kamusin	sorry for ask here but I am looking for a canonical sysadmin (our LocoContact need help)	15:24
ScottK	kirkland: Fundamentally, I think it's the Ubuntu Security team you have to convince (and at least one of them is a TB member - so doubly so for kees).	15:24
Pici	kamusin: Try #canonical-sysadmin	15:24
SpamapS	kirkland: I also recall that another discussion was centered around enabling it after the second stage and after updates have been applied.	15:25
kamusin	Pici, ;)	15:25
\sh	what I would like to see during an interactive server setup is to provide a ssh user key to install by default and sshd should default to key auth	15:25
pkstef	?/	15:25
kirkland	ScottK: i have discussed this at length with kees, having filed the blueprint after in-person discussions with him in September	15:25
ScottK	OK.	15:25
ScottK	I like \sh's idea.	15:25
soren	How would that work? You would type in your public key?	15:26
ScottK	USB stick?	15:26
\sh	soren: or use an usb device and d-i will recognize it and push it to the installation target	15:26
SpamapS	\sh: you mean provide a means for the user to upload a public key right?	15:27
\sh	SpamapS: yepp	15:27
* diplo also likes that idea		15:27
\sh	SpamapS: something like RH or SLES did for third party kernel modules during server install	15:28
SpamapS	\sh: cloud-init can do it by grabbing it from an LP account. It would be cool to be able to say in the installer "Grab my SSH keys from: x, y, z"	15:28
SpamapS	This is why I like the 2 stage install idea so much.	15:28
\sh	SpamapS: yes..but think about that during interactive server setup you mostly don't need any network connection...	15:29
SpamapS	Garners respect from experts by giving them "just the base system" quickly, but enables new users by guiding them into things like this.	15:29
ttx	mathiaz: well well	15:29
patdk-wk	oh ya, grabbing a public key from x,y,z is very secure :)	15:29
* patdk-wk waits for x,y,z to be redirected		15:29
marrusl	Isn't the issue about defaults?	15:29
marrusl	rather than cool features.	15:30
mathiaz	ttx: would you mind triagging all the New,Undecided bugs for today Wednesday (as you used to) ?? ;)	15:30
ttx	mathiaz: hmmm	15:30
\sh	patdk-wk: we don't talk about public infrastructure x.y.z...it's more likely that you setup your server interactivly on local infrastructures..	15:30
SpamapS	patdk-wk: x,y,z is on SSL and the key would be shown to the user, duh. ;) Thats why we have OCSP and CRL's	15:30
kirkland	ScottK: kees said that as long as the user knows they're installing SSH, then it's fine by him; hence the question in the installer	15:30
ScottK	OK.	15:30
ttx	mathiaz: as soon as I get to the "free time" I'm supposed to have in that new position, I will.	15:31
\sh	patdk-wk: regarding cloud installs this is a totally different matter...	15:31
SpamapS	wait, maybe I agreed with the wrong person. Did somebody NOT want the question in the installer?	15:31
patdk-wk	ya, cloud is different	15:31
mathiaz	ttx: :D	15:31
ScottK	SpamapS: The only arguement was over default.	15:31
SpamapS	Default no	15:31
\sh	patdk-wk: and most admins who are deploying their servers with automatic tools, they don't rely on d-i or tasksel, they deploy their users automatically and provide most of the times user keys by default	15:32
SpamapS	In fact, IMO, checkboxes that are defaulted on are almost always subversive. Its like asking people double-negative questions.	15:32
patdk-wk	\sh, yes, but we aren't talking about that	15:32
kirkland	SpamapS: i believe ScottK and I are in agreement that an installer question about SSH would be an improvement over the one buried in tasksel	15:32
ScottK	SpamapS: I agree, but kirkland feels strongly the other way.	15:32
ScottK	kirkland: Absolutely.	15:32
kirkland	SpamapS: the only disagreement I think there is between ScottK and i is whether <yes, install SSH> or <no, don't install SSH> is highlighted by default in the installer	15:33
SpamapS	Also would this checkbox do what we also discussed, which is to install it post-updates only?	15:33
kirkland	SpamapS: a 2-stage installer is probably 2+ Ubuntu releases away, IMHO	15:34
\sh	patdk-wk: fetching keys from a remote public site is always a security risk...and I woudln't want it..but fetching it from an USB device or from a local network location, this could be a good thing, especially regarding admins who are using preseeding or kickstarting ;)	15:34
SpamapS	kirkland: If highlighted means having to hit a key other than enter to leave it off then I am dubious as to why we are bothering to ask.	15:34
kirkland	SpamapS: adding a question to the installer is something we can do in a day or two, and vastly improve the ubuntu server install experience for thousands of users	15:34
patdk-wk	\sh, if I was preseeding, I would just have my own ubuntu package that contained my key, most likely, or make a package that installed it	15:35
mdeslaur	The security team's stance is adding a checkbox to install ssh is okay, as long as it defaults to off	15:35
SpamapS	kirkland: add the question yes! highlight "No" and include 2 other answers.. "Yes enable SSH" and "Tell me more" with scary language behind that.	15:35
jdstrand	no scary language	15:35
SpamapS	jdstrand: BOO!	15:35
jdstrand	:)	15:35
SpamapS	or rather	15:35
SpamapS	BOO I scare you, not BOOOO your idea sucks. ;)	15:35
kirkland	mdeslaur: is that a unanimous decision?	15:36
\sh	patdk-wk: well, people are leaving the companies, so keys are changing, a package needs to be newly build everytime that happens...user assets in your assetmanagement are much better and faster, and you can add some magic to it to provide keys or other user settings which could be useful during preseeding	15:36
SpamapS	kirkland: On the 2-stager.. why is that so far away? What do we have to do to strip things out of the main installer and change motd?	15:36
mdeslaur	kirkland: as per the last discussion we had, yes. I can re-confirm with everyone if you'd like.	15:37
kirkland	mdeslaur: please do; would be nice if that discussion happened here	15:37
jdstrand	I'm not sure it has to be unanimous	15:37
mdeslaur	kirkland: ok, wait until kees and sbeattie arrive, and we'll discuss it	15:38
jdstrand	but regardless, mdeslaur stated my opinion as well	15:38
kirkland	SpamapS: because if there's this much disagreement about 1 page in the installer, imagine the complexity in rewriting it	15:38
SpamapS	kirkland: Fair enough. I don't think we can change much at all after this release though, so I'd almost rather see it changed radically in Natty according to what we discussed, and then let the response to that guide us on "O minus 1" so we get that right and change nothing in O.	15:39
SpamapS	kirkland: Also I don't think the "off by default but highlighted" option was clear while we were all talking. the "let the user choose" was though.	15:40
SpamapS	I do like a checkbox. I want it to stay off if the user just powers through the install though.	15:41
mdeslaur	Utimately, it changes the "no open ports by default" policy, which means it needs to pass tech board approval anyway	15:41
marrusl	I think one issue is initial experiences. people just trying ubuntu server or coming over from rhel/sles just expect it to be there. and the tasksel is too easy to miss.	15:41
SpamapS	whoa.. I just discovered "cmd-A" .. my windows .. they're.. flying around.	15:41
kirkland	mdeslaur: that policy is a mirage -> avahi	15:41
SpamapS	does avahi respond to unicast from other networks?	15:41
jdstrand	kirkland: it isn't a mirage	15:42
* SpamapS actually doesn't know		15:42
jdstrand	kirkland: avahi is the exception that the TB voted on	15:42
jdstrand	kirkland: just like you want an exception	15:42
kirkland	jdstrand: yes, and I volunteered to take SSH to the TB for an exception too	15:42
jdstrand	there is also language that the security team must approve it as well	15:42
gholms\|work	How are canonical's stock EC2 images created? All the docs that I've seen so far involve rebundling the stock ones, not building them from scratch.	15:43
jdstrand	with something as important as a login port hanging out there for anyone in the world to try to login with, I think the discussion with the security team should have been in the open. not with just one member somewhere else	15:43
jdstrand	if it was in the open and I missed it, I apologize	15:44
SpamapS	gholms\|work: smoser can answer that pretty easily.	15:44
SpamapS	smoser: ^^ how do we make the EC2 images?	15:44
jdstrand	but at UDS, the members of the security team that attended that session for that bp said 'no'	15:44
smoser	gholms\|work, https://wiki.ubuntu.com/UEC/Images/Publishing has most of hte info	15:44
\sh	marrusl: well, they you could say this: "people coming from RHEL/SLES are expecting a 'root' user to be there" ;)	15:47
\sh	s/they/then/	15:47
marrusl	\sh, touche.	15:48
marrusl	Still, it's not like we're talking about telnet here.	15:48
kirkland	marrusl: you'd think I was ....	15:50
gholms\|work	smoser: Are things like package selection, mirror locations, and whatnot all hardcoded? Where does the actual configuration take place?	15:50
\sh	marrusl: but we are talking about defaults of an interactive setup...as said, most serious server admins in enterprise environments won't use any interactive setup, but devs on vmware boxes to test a new release or admins to test new ubuntu releases...(before they start to deploy a new release automatically) ;)	15:50
gholms\|work	User configuration...	15:51
marrusl	\sh, disagreed. most serious server admins won't do that large scale, but many will use interactive setup during testing and prototyping.	15:51
SpamapS	So you make it enabled by default. But then you a) leave password auth turned off, or b) risk compromise through brute force attack...	15:51
kirkland	This is why the Ubuntu Desktop succeeds -- because they make sensible defaults and have the guts to make bold decisions	15:52
marrusl	\sh, well I guess we are agreeing to an extent there.	15:52
SpamapS	option a means you need to get keys to the box somehow (some interesting possibilities there actually)	15:52
\sh	marrusl: that's what I said :)	15:52
SpamapS	option b means you also need denyhosts, or iptables rules, or any number of things that don't work in some environments..	15:52
mdeslaur	kirkland: our bold decision is to not have openssh turned on by default, when other do	15:52
mdeslaur	s/other/others/	15:52
smoser	gholms\|work, cloud-init handles first boot configuration	15:53
gholms\|work	How about grub configuration?	15:54
\sh	SpamapS: you could even ask for an IP from where you are allowed to connect to the ssh port...there are many possibilities	15:54
smoser	gholms\|work, well, it depends. the code is all there in those repos listed from the link i gav eabove.	15:55
patdk-wk	hmm, ssh access to grub	15:55
SpamapS	\sh: yes, that would work. More options, though, is something others worked very hard to eliminate from the installer.	15:55
smoser	in image creation, we kind of hack in a grub2 config and a grub1 path. grub1 is used by pv-grub on ec2, and grub2 is used by the 'loader' path on UEC.	15:55
SpamapS	patdk-wk: Actually that would be unbelievably helpful	15:56
smoser	on first boot, cloud-init figures out where it is running and seeds grub2 debconf so that the user isn't prompted in the future when update-grub runs	15:56
kirkland	jdstrand: mdeslaur: so just to be clear, we're disagreeing over the placement of the cursor in the interactive server install, whether it's hovering over <yes> or <no>?	15:58
=== khussein_ is now known as khussein
mdeslaur	kirkland: yes. We want the person installing to make a deliberate choice to open ssh. (and, of course, this is only our opinion...tech board ultimately decides...)	16:00
\sh	SpamapS: it's always the difference between easiness and security...most of the time security is not the top priority ;)	16:11
jdstrand	I'm not sure of the benefits of making it that much easier. sure, yank it out of tasksel and present a clear question so people know ssh is enabled or not. make it preseedable. this way people don't miss it and we don't open a port be default or fail compliance tests, etc	16:13
SpamapS	\sh: right, so its important to illuminate risks and never put anybody in harm's way without at least giving them a sword and shield in the fight. :)	16:14
ads	re	16:14
ads	ok, third channel ...	16:14
ads	Ok, who's responsible for the PHP mess in Ubuntu? ;-)	16:14
gholms\|work	smoser: So on Eucalyptus it uses grub1 to load grub2? What eki/eri do you have to use for that?	16:14
ads	I can't get PHP to log parse errors even though I configured every known option and phpinfo() tells me all options are switched on.	16:15
gholms\|work	Just one with grub2, or...?	16:15
smoser	gholms\|work, on eucalyptus, in maverick, there are patches in the ubuntu eucalyptus package that handle it	16:15
SpamapS	ads: we're all responsible for it in some way.. unless we already filed that bug report. ;)	16:15
ads	;-)	16:16
* gholms\|work wishes deb sources had discrete patches		16:16
smoser	the basic logic is "if a 'kernel' is a multiboot image, then put it on a floppy disk, boot from the floppy"	16:16
SpamapS	ads: you're running it via libapache2-mod-php5 I presume?	16:16
ads	SpamapS: version 5.3.2-1ubuntu4.5, yes	16:16
smoser	then, we publish multiboot images with our uec-images tarballs (named '-loader') that can be registered. those -loader files basically multiboot off of (hd0,0)/boot/grub/grub.cfg	16:17
gholms\|work	smoser: Is that all there to work around the lack of pvgrub?	16:17
smoser	gholms\|work, well, it provides the same function. and generally the same flow.	16:19
SpamapS	ads: ok, so you just want to set something like 'error_log=syslog' and error_reporting=E_ALL right ?	16:20
gholms\|work	smoser: How do you decide whether something is a multiboot kernel?	16:20
smoser	its just more flexible. outside of the floppy hack, its fairly clean. we promise to the image creator, that if a kenrel is a multiboot image, then it will be loaded specially.	16:20
smoser	gholms\|work, its fairly determinable.	16:20
ads	SpamapS: display_errors is On, display_startup_errors is On, error_reporting is set to E_ALL	16:20
smoser	http://bazaar.launchpad.net/~ubuntu-virt/ubuntu/maverick/eucalyptus/2.0/annotate/head%3A/debian/patches/22-uec-multiboot-kvm.patch is the patch	16:21
ads	SpamapS: when I set error_log PHP does not even touch this file.	16:21
SpamapS	ads: display errors doesn't "log" errors .. so you want them on the page?	16:21
gholms\|work	smoser: What does upstream think of it?	16:21
SpamapS	ads: did you look in /var/log/apache2/error.log ?	16:21
ads	SpamapS: this was a test. In case of an parse error I just get a white website with no content at all.	16:21
ads	SpamapS: I did, nothing.	16:21
smoser	eucalyptus is generally in favor, and we hope to have it (or something like it) into 2.1. Daviey <---	16:21
smoser	gholms\|work, fwiw, the easiest solution woudl have been to just let kvm load the multiboot image	16:22
ads	SpamapS: basically I want to see my parse errors, that's all. This is my own dev system, no production system.	16:22
smoser	but due to a bug/missing feature, that wasn't really possible	16:22
gholms\|work	smoser: If it's running on kvm, sure.	16:22
smoser	https://bugs.launchpad.net/ubuntu/+source/seabios/+bug/611142	16:22
uvirtbot	Launchpad bug 611142 in qemu-kvm "seabios should have native scsi support" [Wishlist,New]	16:22
ads	SpamapS: and no, parse errors don't go into the apache logfile.	16:23
ads	SpamapS: It seems like php is just hiding them.	16:23
\sh	ads: you did set it in /etc/php5/apache2/php.ini ? (asking just to be sure)	16:24
SpamapS	and restart apache	16:25
ads	\sh: yes - and I checked the actual values with phpinfo()	16:25
ads	SpamapS: yes	16:25
ads	Hell, I'm using PHP since version 3.something, configured a lot boxes, but never seen such a behaviour	16:26
SpamapS	ads: and cli php does what you'd expect?	16:27
ads	Let's test	16:27
ads	No. I get some startup warnings about deprecated stuff (because I have E_ALL), but I get no error message. The php file just contains one invalid line (random chars)	16:28
\sh	Anyways..../me needs to go home now...and care for my baby ;)	16:28
SpamapS	ads: this is lucid, yes?	16:31
SpamapS	(10.04)	16:31
ads	yes	16:32
SpamapS	ads: with the default install I get parse errors in /var/log/apache2/error.log	16:34
SpamapS	[Wed Nov 03 09:33:49 2010] [error] [client 127.0.0.1] PHP Parse error: syntax error, unexpected ';', expecting T_STRING or T_VARIABLE or '$' in /var/www/test.php on line 1	16:34
SpamapS	ads: and most things in phpinfo() show "No value"	16:35
ads	SpamapS: I would expect the same. Same configuration works on several boxes, just not on this one.	16:35
SpamapS	ads: which means we're just using the SAPI default	16:35
SpamapS	ads: can you post your phpinfo() somewhere?	16:36
Steve[cug]	does anyone happen to know if rsyslog supports ip spoofing like syslog-ng does?	16:36
ads	SpamapS: let me extract the details	16:36
SpamapS	Steve[cug]: thats just.. evil! ;)	16:36
Steve[cug]	what?	16:36
SpamapS	Steve[cug]: changing the IP of packets just because you can. ;)	16:36
Steve[cug]	lol	16:36
Steve[cug]	I need to send the messages to the correlation engine, and the only way for the engine to pick everything up properly is if i spoof the packet	16:37
SpamapS	Sounds like a crappy engine. ;)	16:37
Steve[cug]	:-p actually its prolly one of the best engines out there IMHO, but it doesnt expect to be the endpoint of another syslog aggregater	16:38
SpamapS	Steve[cug]: that always was syslog-ng's big crusade wasn't it?	16:41
ads	SpamapS: http://pgsql.privatepaste.com/ae7ea92913/w3e4rtfzg	16:43
Steve[cug]	SpamapS: to be a large aggregator...yes.	16:43
Steve[cug]	unfortunately for reasons unknwon to me I was asked if we could use rsyslog instead...as I have to recompile the syslog-ng package to enable ip spoofing	16:44
SpamapS	Steve[cug]: is syslog the only way you can get things into the engine? Maybe it has other ways of taking data that are more suitable to rsyslog.	16:51
Steve[cug]	SpamapS: its the only way we can get many things	16:51
Steve[cug]	so yes	16:51
SpamapS	ads: weird!	16:51
SpamapS	Steve[cug]: but I mean, could it take the source from the content of the message rather than the source IP address?	16:52
SpamapS	Steve[cug]: I wonder if this might help.. http://www.rsyslog.com/doc/property_replacer.html	16:53
=== Hatrix76 is now known as Hatrix
=== Hatrix is now known as Hatrix\|away
ScottK	JamesPage: The existing binary can be moved to Main, so rebootstrapping isn't required.	17:15
kinygos	apologies for the noob question....is it possible to configure fail2ban to not unban an address? or should i just the ban time to a big number?	17:16
ads	re	17:19
ads	SpamapS: you name it!	17:19
patdk-wk	kinygos, comment out actionunban?	17:20
zul	SpamapS: ping [cilnt-fewbar] MySQL: investigate and resolve conflicts between mariadb and mysql's libmysqlclient: TODO <-- good luck on that ;)	17:22
ads	zul: fg	17:23
kinygos	patdk-wk: i don't have an actionunban or anything that looks like it...i'll google	17:23
patdk-wk	did you check out the actions directory?	17:23
kinygos	patdk-wk: awesome :) thank you very much for your help	17:25
SpamapS	zul: what could they possibly be doing in their client library that doesn't make it necessarily a new libname ?	17:25
SpamapS	zul: my thinking is, if they've changed the API fundamentally, they should fork and not call themselves libmysqlclient	17:25
zul	SpamapS: binary compat is a bit big thing for them...but i agree with you	17:25
SpamapS	zul: riddle me this, can libraries be managed via alternatives?	17:26
zul	SpamapS: doubt it	17:26
SpamapS	yeah it would probably be a bad idea even if they ABI was compatible.	17:27
ScottK	SpamapS: It would be useful if mysql were packaged so that multiple versions could be installed along side for transition purposes (e.g. like postgresql). If this were done, it would probably be easy enough to extend it to cover mysql-fork-of-the-day.	17:32
SpamapS	ScottK: looks like what they've done is just call it something else. http://www.percona.com/downloads/Percona-Server-5.1/Percona-Server-5.1.51-11.5/deb/lucid/x86_64/	17:35
ScottK	OK.	17:35
SpamapS	ScottK: not sure what maria is doing..	17:35
SpamapS	But really they all want ownership of port 3306 .. so I'm not sure how they can really coexist. ;)	17:36
patdk-wk	heh, I do it just fine :)	17:36
SpamapS	True you can set a policy to not mess with those services, and then manually configure their listen ports/restart them/etc.	17:38
SpamapS	I kind of like the approach mtaylor was talking about doing for drizzle.. where it installs all of the software just fine, and the default configs come in packages that conflict with one another.	17:38
SpamapS	I haven't looked close enough at pgsql, but I think thats what it does too.	17:39
ScottK	There's a postgresql-common package that manages it.	17:43
ScottK	(IIRC, something like that, YMMV)	17:43
SpamapS	no IANAL?	17:43
ScottK	TANSTAAFL too	17:44
=== aliverius_ is now known as aliverius
Wise_	how do I move folders exactly? just mv tells me "directory not empty" mv -R or -r tells me invalid option	18:22
Wise_	:\|	18:22
=== zhobbs__ is now known as zhobbs
krycek_	does ubuntu 10.10 support Dell Poweredge T410 server? in the ubuntu page says it supports R410. But it almost the same machine.	18:25
RoyK	krycek_: isn't the difference between the two just that T- is tower and R- is rack?	18:25
krycek_	should be, i guess	18:26
krycek_	but there is no reference of T410 in the ubuntu page	18:26
RoyK	krycek_: just try it, if you have the box, that is	18:26
krycek_	not yet	18:26
RoyK	krycek_: also, testing 10.04 first might be worth a thought as well, since 10.10 isn't LTS	18:27
* RoyK only uses LTS releases on servers unless he's forced to do otherwice		18:28
krycek_	what will be the next LTS?	18:29
Pici	12.04	18:29
RoyK	12.04	18:29
RoyK	krycek_: that is, there are new sub-releases every now and then	18:29
RoyK	10.04.1 is the latest	18:29
krycek_	hmm... ok	18:30
krycek_	tkz	18:30
RoyK	LTS releases are supported for 5 years, non-LTS for 18 months	18:30
RoyK	and IMHO most servers won't need cutting (or bleeding) edge versions for the most part	18:32
uvirtbot	New bug: #670541 in mysql-5.1 (main) "Upgrade mysql5.0 -> 5.1 fails due to error on postrm script. " [Undecided,New] https://launchpad.net/bugs/670541	18:32
RoyK	krycek_: what sort of server is it you're setting up?	18:32
krycek_	web, dns, mail	18:32
krycek_	and some databases for some apps used here in the company	18:33
RoyK	I'd stick to 10.04 for that	18:33
krycek_	any recommended material for first time admins?	18:33
RoyK	krycek_: and if someone needs the mysql 6 pre alpha something, use a VM for that to isolate it	18:33
RoyK	!guide	18:34
krycek_	no need for mysql 6	18:34
krycek_	!guide	18:34
RoyK	https://help.ubuntu.com/10.04/serverguide/C/index.html	18:34
Pici	!guide is <alias> serverguide	18:34
ubottu	I'll remember that, Pici	18:34
RoyK	stupid bot didn't know that...	18:34
Pici	now it does.	18:34
RoyK	k	18:34
RoyK	!guide	18:34
ubottu	The Ubuntu server guide may be found at http://help.ubuntu.com/10.04/serverguide/C/	18:34
RoyK	danke	18:35
Pici	\o/	18:35
krycek_	hehe, thanks	18:35
krycek_	do you recommend to use another box to take care of the firewall/routing part? or using just one box for all is ok?	18:36
RoyK	krycek_: depends on your needs - it's generally a good idea to use a separate box for firewalling, and if you're a newbie, something like pfSense might be worth a try	18:37
RoyK	it's really light-weight, all GUI and is easy to setup/manage	18:37
krycek_	pfSense, I'll take a look into that	18:38
RoyK	and based on freebsd, so if you're picky of the OS, maybe something linux-based might be better, but still, pfSense is very well tested	18:38
krycek_	you are very helpfull, RoyK , thanks again	18:38
RoyK	:)	18:38
RoyK	lol - pfSense can be setup to block windoze machines by passive fingerprinting :D	18:41
pmatulis	RoyK: runs openbsd's PF?	18:42
RoyK	*bsd pf, I guess	18:42
pmatulis	RoyK: right, that's from OpenBSD. ported to FreeBSD	18:43
RoyK	pmatulis: I don't know too much about the details - check if there's another channel available if you want to dig into that...	18:43
pmatulis	RoyK: no need to dig	18:43
RoyK	:)	18:43
* pmatulis runs OpenBSD at home (and uses PF quite a bit)		18:45
* RoyK hasn't install obsd for _years_		18:46
=== NG_ is now known as ng_
krycek_	for a newbie is it ubuntu the right distro? or CentOS should be easier?	18:51
joesuffceren	I need a little help with NTP. I am trying to get my ubuntu box to sync with my Windows domain controller. (I have also tried using us.pool.ntp.org servers with the same results described below). I can use ntpdate -u to sync the time just fine, but when I set them up as server entries in ntp.conf, they don't work	18:51
RoyK	krycek_: I wouldn't recommend centos or that sort of thing - ubuntu has everything you'll need	18:51
krycek_	I ask because I've just read: http://www.twincling.org/node/689	18:52
joesuffceren	ntpq -p shows my servers that I configure in ntp.conf, but none of them ever has an asterisk beside it, which, if I understand, means it's not actually syncing with them	18:52
krycek_	and he says: CentOS provided the fastest configuration time, lowest learning curve, better ROI, superior package management system, and a good fuzzy feeling of stability.	18:52
RoyK	krycek_: I somehow think the person that wrote that is a centosist without much regard for technology	18:52
krycek_	hehe	18:53
RoyK	krycek_: we have about a hundred servers, most of them on solaris and different linux distros - we're moving most of those to ubuntu, for good reason	18:53
krycek_	it's a very hard decicion for a web developer to make hehehe	18:53
RoyK	for a web developer, you won't find much difference between the two, except that there are perhaps 10x more packages available in ubuntu, meaning if you need this or that apache extension, or this or that special library, you just install it instead of having to compile it from source	18:54
RoyK	or find some obscure package at some site somewhere	18:54
Steve[cug]	krycek_: I typically handle it this way... Ubuntu LTS for any server except when a software vendor requires I run RHEL	18:55
RoyK	krycek_: also, centos is not officially supported, and if you're paranoid, you can get ubuntu support from Canonical quite cheaply	18:56
* RoyK hands Steve[cug] a beer		18:56
Steve[cug]	RoyK: ;)	18:56
RoyK	Steve[cug]: that's exactly what we are doing	18:56
Steve[cug]	I like Ubuntu/Debian's method of handling packages a lot better then RHEL/CentOS/SLES	18:57
krycek_	ok then, I'll use your expertise and use ubuntu LTS	18:57
RoyK	Steve[cug]: except some rare cases where this or that developer or researcher needs a special distro	18:57
Steve[cug]	krycek_: yeah stick to LTS's for servers	18:57
Steve[cug]	RoyK: oh we dont allow for that	18:57
Steve[cug]	you have a choice...Ubuntu, RHEL, or SLES (only for Telecom)	18:57
krycek_	do you own a hosting company?	18:58
RoyK	Steve[cug]: we need to sometimes - some projects use developers or scientists from other countries developing intstrument apps for certain distros - for those cases we have a few fedora machines. But then, I've managed to talk at least one of these groups to use ubuntu instead	18:59
Steve[cug]	most of my infrastructure is Ubuntu, some of our vendor stuff requires RHEL, so we have a small smattering of RHEL boxes, and Telecom uses SLES because the company we use for Voip is a german one	18:59
RoyK	krycek_: I work for nilu.no - dunno what Steve[cug] does	18:59
Steve[cug]	I work for a mid-size insurance co	18:59
RoyK	krycek_: but still - if you need something that's not in 10.04, just setup a VM and install whatever you might need on that	19:00
* RoyK hands krycek_ some MSDOS 6.22 floppies		19:00
krycek_	using what? KVM?	19:00
RoyK	kvm is the preferred, yes	19:00
RoyK	and using virt-install it's quite simple to use	19:00
RoyK	just like your average windoze app	19:00
RoyK	:)	19:01
Steve[cug]	RoyK: but KVM isnt always the best option unfortyunately	19:01
Steve[cug]	*unfortunately	19:01
RoyK	Steve[cug]: imho it works well enough for most platforms	19:01
Steve[cug]	poor krycek_, we are confusing him	19:02
RoyK	Steve[cug]: what else? xen?	19:02
RoyK	:)	19:02
krycek_	I'm looking for a VPS provider, do you have any one to recommend?	19:02
Steve[cug]	RoyK: KVM sucks for large bandwith needs. I need to use Xen in those cases	19:02
krycek_	Steve[cug], what would be the second option?	19:02
krycek_	ok	19:02
Steve[cug]	krycek_: depends on how much hand-holding you need IMHO	19:02
RoyK	krycek_: with a new server, you can easily run the VMs in-house	19:02
RoyK	krycek_: just use KVM	19:03
RoyK	krycek_: if that becomes a problem, try something else, but mostly, it'll work well	19:03
Steve[cug]	krycek_: KVM is highly preferred because unless you in an edge-case (like my stuff tends to be) running a vanilla kernel ala KVM is much more beneficial than Xen's highly modified kernel	19:03
Steve[cug]	s/you/your/g	19:03
RoyK	Steve[cug]: I'm not sure if that's the case with paravirtualized block devices, as those you have on 10.04 guests	19:04
krycek_	all right, but i dont think i'll need to use it	19:05
krycek_	at least for now	19:05
RoyK	krycek_: just use kvm if you need virtualization - you'll find out quickly if it fits your needs	19:05
Steve[cug]	RoyK: Xen has near-native networking performance, KVM (and VMWare) still take a heafty hit...esp when you are virtualizing passive network sensors ;)	19:05
RoyK	well, I'm not :P	19:06
Steve[cug]	well I am ^_^	19:06
Steve[cug]	:-p	19:06
RoyK	Steve[cug]: then you're confusing a newbie :þ	19:06
=== ng_ is now known as NG_
Steve[cug]	i kow....it's what im good at. I did say that unless you in an edge case, KVM is the way to go	19:06
krycek_	let's hope for no edge cases then :)	19:07
RoyK	krycek_: if you're new at this, it'll take some years before you reach that point	19:07
Steve[cug]	now if only LXC didnt still suck in userland, then we wouldnt need heavily modified kernels for virt or containers anymore	19:07
RoyK	LXC?	19:08
Steve[cug]	krycek_: yeah, I'm a network Security Engineer, so I play with edge cases all the time	19:08
Steve[cug]	LXC == OpenVZ in vanilla kernels	19:08
RoyK	k	19:08
Steve[cug]	OpenVZ is a huge ugly patch on the kernels	19:09
RoyK	krycek_: just to summarize this discussion - use KVM for virtualization - if or when something goes wrong, ask again	19:09
krycek_	k, i'll	19:09
krycek_	RoyK, what you company does exactly?	19:10
krycek_	i dont understand that language	19:10
Steve[cug]	yes	19:10
RoyK	krycek_: press the English link at the top left corner :)	19:10
Steve[cug]	lol	19:11
krycek_	there it is, usually it is the top right corner ;p	19:11
RoyK	basically NILU is Norwegian institute for air research, which means pollution measurments, cliate modeling, health research and a few more things	19:12
krycek_	suddently it all makes sense	19:12
RoyK	not my fault - those windoze guys doing the web stuff aren't my cup of tea	19:13
Steve[cug]	agreed	19:13
Steve[cug]	esp when they mostly just use apache on wintel :-p	19:14
Steve[cug]	IIS shudders is just horrid	19:14
RoyK	it's quite nice to use against people you don't like, as in, hey, this IIS server has a problem, we can't have any downtime, though, can you try to fix it?	19:15
kinygos	lol	19:15
Steve[cug]	lol	19:15
krycek_	pfSense looks nice²	19:17
RoyK	there should have been an ARM port for it, though	19:19
krycek_	maybe it is in their roadmap	19:20
RoyK	doesn't look like it http://doc.pfsense.org/index.php/Does_pfSense_support_non-i386_hardware_platforms%3F	19:20
krycek_	damnit	19:21
RoyK	anyway - atom systems doesn't cost too much these days	19:21
RoyK	and it really doesn't matter to me what the arch is, so long as it works	19:21
kinygos	i've configured apache2 to generate my web app logs outside of /var/log...what would be the best practice way of rotating them? using logrotate or piping them to rotatelogs?	19:22
RoyK	I'd use logrotate, but then, that's only my choice	19:23
kinygos	RoyK: do you know if it's possible for me to just point logrotate at my app's log directory, or do i need to do anything exotic?	19:24
RoyK	kinygos: take a look at the files under /etc/logrotate.d	19:25
RoyK	it's quite easy to configure that	19:25
kinygos	RoyK: i did, found an apache2 one...do i just create a copy of it for my app, with my app log directory?	19:26
Steve[cug]	you may need to modify the apparmor settings for logrotate as well	19:26
RoyK	Steve[cug]: really?	19:27
* kinygos just looked at the AppArmor man page and his mind is boggling		19:28
Steve[cug]	lol, its not that bad	19:28
RoyK	kinygos: just try with logrotate - if it fails, cron will email root	19:28
sbeattie	There's no apparmor policy for logrotate by default, in any event.	19:28
RoyK	that's what I thought	19:28
Steve[cug]	good to know	19:29
Steve[cug]	I just always check just to be safe	19:29
Steve[cug]	hence i said you may need to :-p	19:29
RoyK	Steve[cug]: I'd say, better keep quiet unless you know something's going to fail - there's a lot of newbies that may panic (or at least get distressed) if a lot of new things come up	19:30
RoyK	and if things fail, they'll tell us anyway	19:31
kinygos	lol...my brain is fuzzing...i set out to configure rotating logs on my web app, starting learning about LinuxLogFiles (excellent do on help.ubuntu.com)...realised i had numerous spurious attempts to log in on ssh to my server...so had to learn about portknocking, the iptables config on my server, and generally battoning down the ssh hatches...configured fail2bin...and now i've got to learn about cron...	19:32
* kinygos is a total noob		19:32
Steve[cug]	thats one way to handle it. i've typically noticed that trying to cover all of the bases so that if it fails, they dont spend forever pulling their hair out thinking they did something wrong when it really wasnt their fault.	19:32
kinygos	bloody great fun learning this stuff though	19:33
RoyK	kinygos: fail2ban or denyhosts are good packages to block bots	19:33
SpamapS	kinygos: you seem to be having fun though. :)	19:33
RoyK	I think I'd recommend denyhosts since it works by distributing "bad" IPs	19:33
kinygos	lol...i meant fail2ban...and it is awesome :)	19:33
RoyK	denyhosts is even better, though a bit more nazi on the rules (by default)	19:33
SpamapS	Its also a reasonly good idea these days to just run SSH on an alternate port. :-P	19:34
_ruben	security through obscurity ftw!	19:34
kinygos	at the same time, i'm developing an e-commerce web application that has to go live before christmas this year	19:34
Steve[cug]	SpamapS: I disagree with that, security through obscurity is no security at all	19:34
SpamapS	denyhosts seems to catch about half of the ips that are brute forcing.	19:34
RoyK	SpamapS: not really - I always run on 22, but then, using denyhosts, people won't get much chance to brute their way in	19:34
kinygos	i read about running ssh on a different port, and there's a lot of people that think it's not worth the inconvenience	19:35
SpamapS	Steve[cug]: its not security at all, its convenience, for me to not have to attend to so many red flags in my logwatch. ;)	19:35
RoyK	kinygos: I agree	19:35
SpamapS	i have boxes on both setups	19:35
* kinygos is googling denyhosts :)		19:35
X-Sleepy-X	how can i install 10.04 or 10.10 server on my armada e500 with 64 mb of ram	19:35
RoyK	kinygos: apt-get install ......	19:35
Steve[cug]	one of the best ways to lock down SSH is to just stick to the simplistics. Disable interactive and password auth and sticking to just ssh keys, disabling root logins, and getting sudo setup with least priviledged access	19:36
SpamapS	on a CentOS box I admin that does have port 22 open.. $ sudo grep "Failed password" /var/log/secure*\|wc -l	19:36
RoyK	kinygos: after moving to fail2ban/denyhosts I haven't had a single breakin except for some password that got leaked some time back, and that guy came in with ftp	19:36
SpamapS	81	19:36
kinygos	RoyK: wow...now that is what i like to hear :)	19:36
SpamapS	$ sudo grep "refused connect from" /var/log/secure*\|wc -l	19:36
SpamapS	227	19:36
SpamapS	so I guess these days deny hosts is doing better than 50% :)	19:37
RoyK	SpamapS: :)	19:37
SpamapS	65248 /etc/hosts.deny	19:37
Steve[cug]	port knocking and non-std ports are just more trouble than they are worth, esp when running through more restricted networks	19:37
Steve[cug]	>.<	19:37
SpamapS	Steve[cug]: unless of course you are on a network that restricts port 22. ;)	19:38
kinygos	the daemon to monitor the port knocks is a single point of failure	19:38
RoyK	SpamapS: wc -l ?	19:38
Steve[cug]	SpamapS: true, but typically that isnt restricted because of FTPS	19:39
SpamapS	RoyK: yeah	19:39
RoyK	that's quite a few :þ	19:39
SpamapS	RoyK: thats denyhosts :)	19:39
SpamapS	I need to look into just configuring it to feed into iptables and just block all traffic. I don't see why I'd want to receive anything from these loathesome zombies. ;)	19:40
* SpamapS heads to lunch		19:40
RoyK	damn - I'm <300 on my private boxes - not that much traffic on those, though	19:40
zul	you have to be careful with denyhosts you dont want to lock yourself out	19:41
kinygos	right...i've gotta go watch the arsenal game with my son...i may have questions about denyhosts when i return...thanks for your help everyone :)	19:41
Steve[cug]	zul: exactly	19:41
Steve[cug]	I have seen peopl to that on VPSs, quite funnly really	19:41
kinygos	and that's what i was worried about zul...i only have remote access to this server	19:41
Steve[cug]	*people	19:41
RoyK	kinygos: enjoy the game :)	19:42
SpamapS	I (shock) whitelisted my whole class C. Everybody in my neighborhood in Los Angeles MIGHT be able to brute force my SSH passwords! Oh noes	19:42
Steve[cug]	lol	19:42
Steve[cug]	SpamapS: thats ofcourse assuming that your DHCP range is restricted to that class C	19:42
RoyK	the 192.168.x.x/24 for the open WLAN?	19:43
Steve[cug]	lol	19:43
Steve[cug]	prolly more like thatever public block he is on	19:44
Steve[cug]	*whatever	19:44
_ruben	ssh passwords, yuck	19:45
RoyK	_ruben: keys can be lost too, you know	19:48
_ruben	i wonder if (open)sshd can be configured to require both a key and the local passwd	19:49
Steve[cug]	_ruben: actually I got a Yubikey that I use on my stuff.....works great. then SSH keys aren't really needed	19:50
Steve[cug]	just need to make sure you have a coupld of keys incase you loose one setup in the system	19:50
RoyK	_ruben: I guess that's just a matter of PAM magick	19:51
makomi	hi, anybody use netatalk with mac clients?	20:02
TuxM	install trouble: text during installation all scrambled. tried various boot options but to no avail... any suggestions?	20:02
makomi	if i select on my mac the afp server i see in logfile of netatalk: "AFP/TCP session from IP" and the next line "server_client PID done"	20:04
makomi	how could I use the credentials from my mac to connect to netatlak automatically?	20:04
RoyK	makomi: I think the preferred way of sharing to Mac's is using samba or NFS these days - AFP is a little oldish	20:06
makomi	but it´s comfortable thru avahi :)	20:07
makomi	but i could use avahi with smb	20:07
Steve[cug]	samba + avahi is the way to go	20:07
TuxM	install trouble: text during installation all scrambled. tried various boot options but to no avail... any suggestions?	20:11
RoyK	TuxM: try vga16fb.modeset=0	20:13
RoyK	kernel commandline	20:13
RoyK	or grub, even	20:13
TuxM	RoyK: You're my hero, kernel gave a message: modeset unknow command (or something like that) but it now works! thanks a million	20:16
RoyK	:)	20:17
RoyK	I got that from some list - trying to install ubuntu on Hyper-V was terrible - screen updates took for ever - that command did it	20:18
TuxM	it also works like a charm on this old VIA motherboard	20:18
RoyK	it should work with anything, really, since it basically turns off the framebuffer and uses the old ASCII thing instead	20:19
TuxM	i tried the fb=false parameter, but that didn't work...	20:20
RoyK	TuxM: I know	20:23
ScottK	kirkland: I think marking the entire spec obsolete is an over-reaction.	20:30
kirkland	ScottK: would you like me to assign it to you?	20:31
ScottK	kirkland: Was the ssh part of the spec the only part you were willing to work on?	20:31
ScottK	I'd be willing to discuss getting the ssh question implemented in D-I with cjwatson or someone else appropriate, but I'm not qualified to do the implementation.	20:32
kirkland	ScottK: the rest of my suggestions in that spec were killed as well (minimal install + better deluxe install)	20:32
kirkland	ScottK: that doesn't leave a whole lot left	20:32
kirkland	ScottK: in terms of what I had hoped to do with that spec	20:33
cjwatson	I don't really want a separate question for it, TBH - you're already asked a question in the server install that includes installing openssh-server as one of its options	20:33
cjwatson	(if I'm understanding this correctly)	20:33
ScottK	kirkland: I thought that evolved into the idea of base install, reboot, and then add goodies as desired through some easy method (like ubuntu-init instead of cloud-init). Was that another spec?	20:34
ScottK	cjwatson: The problem we have is that ssh-server gets a bit lost in tasksel so people forget it. Having an explicit question in the installer was a compromise thought between leaving it where it was (often forgotten) and installed by default (which a number of people didn't like)	20:36
cjwatson	that seems a bit like an arms race to me, TBH	20:37
cjwatson	we could perhaps adjust sorting in tasksel	20:37
cjwatson	that's probably relatively simple, file a bug on Ubuntu tasksel if you want that	20:37
ScottK	Perhaps, but ssh-server is a bit unique in that we (fsvo we) don't want it by default, but if it's forgotten it can leave people without access to a server.	20:37
kirkland	ScottK: mathiaz suggested the 2-stage-installer in this session; that was never my goal in this spec; if we want a 2-stage server installer, that probably deserves a new spec of its own	20:37
ScottK	I don't know of any other packages that fit those criteria.	20:38
ScottK	kirkland: OK. I'm mixing the sessions then.	20:38
kirkland	ScottK: no, it was the same session; your memory is correct	20:38
ScottK	Oh. OK.	20:38
cjwatson	sorting> I meant just putting openssh-server at the top of the list so that it isn't so easily forgotten	20:39
kirkland	cjwatson: I'm arguing that a server isn't much of a modern server without SSH, in the real world; we have made an exception for avahi on the desktop in the interest of usability; I proposed in this session that we pursue a similar exception for SSH on the Ubuntu Server as "the critical application required to get to your server after you've installed the darn thing"	20:40
kirkland	cjwatson: we do, by the way, install SSH and open a host of ports for Eucalyptus, if you click, "Install UEC"	20:40
cjwatson	oh damn, I really didn't want to get into this now. IMO the security team has had their say on this and that carries a lot of weight for me	20:40
ScottK	kirkland: WRT avahi, I'd argue that was an error even for desktops and not a great precedent to follow for servers.	20:41
cjwatson	UEC is a very special case	20:41
soren	I wish we some day will actually decide to do to Ubuntu Server what we did to Ubuntu Desktop.	20:41
kirkland	cjwatson: yup, they have; which is why i just killed the spec	20:41
ScottK	cjwatson: We can defer the discussion to a later time.	20:41
kirkland	soren: make it friendly and usable?	20:41
soren	kirkland: Yes.	20:41
cjwatson	anyway, this discussion implies to me that at least we ought to change the sorting. that's easy to do. can somebody please file a bug on Ubuntu tasksel for that?	20:42
soren	I'm sure lots of then existing linux users disagreed with what we did to Ubuntu on the desktop.	20:42
ScottK	Sure.	20:42
soren	Yet we decided to actually change things and be bold.	20:43
soren	It worked out pretty darned well, IMO.	20:43
ScottK	cjwatson: Bug #670611	20:44
uvirtbot	Launchpad bug 670611 in tasksel "List SSH server first in tasksel" [Undecided,New] https://launchpad.net/bugs/670611	20:44
cjwatson	thanks	20:44
ScottK	You're welcome.	20:44
soren	Have a "I'm new to this, please help me along a bit" option on the boot splash next to a "I don't care about your new fangled stuff. I'm old school" option would be fine.	20:44
cjwatson	soren: I think the pool of available Linux users who weren't being reached was a great deal larger on the desktop	20:44
cjwatson	and the risk of pissing off established people rather smaller	20:45
kirkland	soren: https://blueprints.launchpad.net/ubuntu/+spec/packageselection-server-n-install-flavors <--- that's what i was suggesting there, two options in the splash menu, one ultra-minimal, the other "deluxe"	20:45
kirkland	soren: ultra-minimal geared at old school admins who want to apt-get install from a base install; deluxe adding a lot more bells and whistles, friendlies, helpers and niceties	20:46
soren	cjwatson: A hypothesis that has yet to be tested properly.	20:47
soren	kirkland: Look through the ubutnu-server ml archives and you will see lots of long, long, long e-mails about similar things.	20:47
cjwatson	the idea that I'll survive if I jump out of Millbank is also a hypothesis that has yet to be tested properly, but I'm not really keen to commit to it. :-)	20:47
cjwatson	and BTW I think the risks associated with giving people unfamiliar with Linux an SSH server are rather greater than the risks of giving uneducated desktop users an open Avahi port; I disagree that those two are remotely similar	20:48
kirkland	cjwatson: the similarity is that an exception was evaluated and granted	20:49
cjwatson	except in this case it was evaluated and denied ...	20:49
kirkland	for open network port, by default	20:49
cjwatson	(for server, not for UEC - UEC is wildly different)	20:49
JanC	IMO server deluxe should have SSH running by default, with ufw connect-rate-limiting port 22 by default too of course ;)	20:54
soren	I'm not completely decided on the ssh-by-default question. It was just an example of "hey, let's try to actually change something" that was thwarted by "no, that's not how we did it 10 years ago, why should we do it now?" sort of arguments.	20:54
ScottK	soren: I don't think that's what the argument against it was at all and to characterize it as such is unfair. I could equally accurately characterize those in favor arguing that only usability matters and security is irrelevant. I don't think either is true.	20:55
CarlFK	where is the server version of http://archive.ubuntu.com/ubuntu/dists/maverick/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/	20:56
soren	ScottK: Sorry, I wasn't in the session at UDS, but it sounds to me to have been suggested as part of a set of changes that were rejected wholesale with those sorts of arguments.	20:56
soren	ScottK: If that's not the case... good! It's tiring.	20:56
ScottK	soren: I think it was more nuanced than that. I thought adding a question to the installer was a reasonable compromise as it would ~cure it being forgotten.	20:57
soren	Boot splash.	20:57
soren	"Yes, I'm in favour of shininess" mode vs "Stubborn, old curmudgeon" mode. Right there.	20:58
ScottK	Server boot experience needs work. Not sure we got an actual spec on it though.	20:58
soren	I have plenty of situations where I'd choose the latter, don't get me wrong.	20:59
soren	ScottK: Not recently.	20:59
soren	It got old suggesting the same stuff over and over.	20:59
* soren stops ranting for the day		20:59
soren	On this subject, at least.	20:59
ScottK	Where we landed in Lucid and mostly carried forward into Maverick pleases approximately no one for servers IMO.	20:59
ivoks	a lot of work	21:00
ScottK	A bit betwixt and between with a large sprinkling of unreliablity.	21:00
kirkland	cjwatson: on the user account creation page, we could ask for a Launchpad ID, noting that if a) you have an LP ID, and b) you have a public SSH key on LP, and c) this machine is internet connected, then this machine would install SSH on the system, with SSH key auth only, and import your ssh key	21:00
ivoks	install-over-ipmi is unusable cause of all those flashy things	21:00
kirkland	cjwatson: using ssh-import-id to securely retrieve said keys	21:01
ScottK	kirkland: Doesn't that lean into the risk of being perceived as requiring registration? IIRC robbiew said no on anything that did that?	21:03
* kirkland consider jumping out of cjwatson's window to test his hypothesis for him		21:04
kirkland	ScottK: it's totally opt-in; nothing required; just type in a URL in that field where your pubkey can be found, or for convenience, an easy to remember LP id	21:05
ivoks	do not connect it to LP by default	21:05
ivoks	that's a killer feature for ubuntu server, feature that will kill it	21:05
kirkland	ScottK: to prevent MiM attack, you'd need SSL and a good cert, mind you	21:05
* robbiew reads up		21:06
ScottK	kirkland: I think that sounds reasonable. I'd also like it to take a USB stick.	21:06
ScottK	(as in my case SSL cert validation is rather difficult to arrange during install)	21:06
owh	I've just had a router decide for itself that when I told it that all traffic from a particular host needed to go to a particular WAN port, I was just kidding. Is there a way that I can force my server to cease sending traffic if it's going out via the wrong link?	21:08
kirkland	ivoks: it's not required	21:08
ivoks	kirkland: i doubt many people will use it	21:09
ivoks	kirkland: it's like telling the LP that you are installing the server	21:09
ivoks	that's how people will see it	21:09
kirkland	ivoks: it's not at all like that	21:09
ivoks	i know	21:09
ivoks	but, that would be perception	21:10
ScottK	Give a USB stick option and I think it's fine.	21:10
ScottK	(with the LP/wherever your key is option too)	21:10
ivoks	leave an lp option, but don't isolate it	21:10
ivoks	instead of area for LP ID, put a single text area for everything	21:11
ivoks	lp:id or usb:file.name url:http://blablabla	21:11
ivoks	that way you'd get more usage of LP, imho	21:11
ScottK	And reduced risk of inference that LP was required.	21:12
ivoks	exactly	21:12
patdk-wk	why url:http:	21:13
ivoks	or http: ftp:	21:13
patdk-wk	url is http://...., or usb:filename...., ...	21:13
patdk-wk	I would see everyone screwing up if you had to type url before a url	21:13
ivoks	i agree	21:13
ivoks	it was just to make distinction	21:14
krycek_	any other solution like pfSense? pfSense project looks dead (more than an year in beta)	21:53
baggar11	krycek_: clearOS, zentyal	21:53
krycek_	which one do you use, baggar11 ?	21:56
baggar11	i use a hardware solution	21:56
* RoyK just uses core memory		21:57
RoyK	krycek_: pfsense works well, even if it's a year old	21:58
baggar11	there is also monowall too	21:59
krycek_	it's good to take a look in the others just to make sure	21:59
krycek_	i have to go now... thanks for all the tips	22:00
raubvogel	How is lvm autoloaded in 10.04?	22:49
mconigliaro	can anyone tell me whether do-release-upgrade will upgrade you to the next version or the latest version?	22:52
mconigliaro	i want to upgrade some machines from 9.10 to 10.04 LTS	22:52
raubvogel	mconigliaro, AFAIk to get to 10.10 you would need first to get to 10.04, so that should cover you.	22:55
mconigliaro	ok, cool	22:55
mconigliaro	raubvogel: thanks	22:55
raubvogel	Also, there is some setting to only use the LTS upgrades	22:55
mconigliaro	well, i guess i'll find out for sure in a second ;-)	22:55
mconigliaro	oh, thats interesting	22:55
mconigliaro	well, i mostly want to go to 10.04 just because i haven't gotten a chance to test 10.10 yet	22:56
mconigliaro	but that setting is something ill have to look into	22:56
raubvogel	edit /etc/update-manager/release-upgrades and set Prompt=lts	22:56
raubvogel	Stolen from https://help.ubuntu.com/community/LucidUpgrades	22:56
raubvogel	Just something to think about	22:57
mconigliaro	ah, perfect	22:58
mconigliaro	i see that's already set on my 10.04 machines	22:58
mconigliaro	thanks again	22:58
raubvogel	Cool	22:58
jeeves_moss	when running a cron job as a user, what would cause a premissions error when using wget?	23:21
ChmEarl	raubvogel, got answer about auto-lvm? dm-mod needs to be in /etc/initramfs-tools/modules	23:24
ChmEarl	raubvogel, rather make it dm_mod	23:25
ChmEarl	raubvogel, then of course, update-initramfs -u -k all	23:28
cjwatson	CarlFK: there's no separate server version - the installer has the same core	23:44
cjwatson	CarlFK: you could grab the server preseed file off the server CD	23:45
CarlFK	is this boot parameters? "different Kernel options" somewhat described on https://help.ubuntu.com/10.10/serverguide/C/preparing-to-install.html#intro-server-differences	23:46
cjwatson	we use the generic kernel during installation on server too	23:47
cjwatson	differences are controlled by installer boot parameters, yes	23:48
CarlFK	thanks. someone here was suggesting that there were different compile options. didn't sit well with me.	23:48
cjwatson	the kernel you get after installation is configured differently, certainly	23:49
cjwatson	I don't think I would characterise it as "different compile options" as such	23:49
cjwatson	(to me, that means compiler flags)	23:49
CarlFK	differently configured at boot time, right	23:50
CarlFK	um, it has been years. sense I compiled a kernel.. what does "make menu config" write the settings to?	23:51
cjwatson	CarlFK: .config	23:55
CarlFK	thats right. so is that same or different for -server kernel?	23:56

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!